11591 Commits

Author SHA1 Message Date
Zuul
4bde4f4349 Merge "remove useless files from destroy role" 2020-08-24 10:27:38 +00:00
Zuul
d4ef57130c Merge "change the timezone precheck task's condition" 2020-08-24 10:27:36 +00:00
wu.chunyang
8c208fb192 remove useless files from destroy role
precheck.yml and check.yml not used by destroy role.

Change-Id: Ic3c0b52dba15308a605c30abdd6d63d4dea5f25b
2020-08-22 23:21:00 +08:00
wu.chunyang
0c3d988530 change the timezone precheck task's condition
this ps[0] uses new condition for timezone mounting
but we missed prechecks condition.

[0] https://review.opendev.org/#/c/745505/

Change-Id: I79323a392e171bebe36d06c19d34e458e05e194b
Closes-Bug: #1882553
2020-08-22 21:45:18 +08:00
Zuul
e869055436 Merge "Add the missing hosts for vitrage" 2020-08-21 19:00:12 +00:00
Zuul
ac5238955b Merge "Add workaround for keystonemiddleware/neutron memcached issue" 2020-08-21 18:47:47 +00:00
Zuul
80b895a45b Merge "Fix kolla-ansible not reflect environment changed" 2020-08-21 18:04:38 +00:00
Zuul
e53dae8eff Merge "Add cinder auth config to nova-cell nova.conf.j2" 2020-08-21 15:45:02 +00:00
Zuul
c962f5c0e4 Merge "Delete the /var/log/kolla directory should use sudo" 2020-08-21 15:45:00 +00:00
zhoulinhui
a637d6c67d Add the missing hosts for vitrage
refer to https://github.com/openstack/kolla-ansible/blob/master/ansible/inventory/multinode#L728

Change-Id: Ib6cd78cb2058a35f15b5affb98e0f63805b0edf3
2020-08-21 15:20:39 +00:00
Michal Arbet
ed2a2704d1 Fix kolla-ansible not reflect environment changed
Neutron's containers should use ENV from kolla_docker module's
environment parameter (defined in roles/neutron/defaults/main.yml)
after reconfigure, not only when deploying.

Currently this is working only for deploy, not for reconfigure.

How to test it ?
- Deploy neutron with "neutron_legacy_iptables" set to yes/no.
- Change value of "neutron_legacy_iptables" to opposite value as before.
- Reconfigure neutron.

Current result :
 - "KOLLA_LEGACY_IPTABLES" in container's ENV is not changed

Expected result :
 - "KOLLA_LEGACY_IPTABLES:" in container's ENV should be changed

This patch is fixing this behaviour by adding missing
environment parameter to neutron's "Check neutron containers" task.

Change-Id: Ibfbe2d4f49261fa766acbb6ff45da9994118bda8
Closes-Bug: #1853776
2020-08-21 14:51:41 +00:00
Radosław Piliszek
ea91edcbae [TrivialFix] Clean a recent comment
Change-Id: Ic58a27e517004768433a1e793d4d8e90e2c3383a
2020-08-21 12:31:43 +02:00
Michal Nasiadka
88c53da22f Fix ansible-lint after upgrade to 4.3.1
Change-Id: I3a31c74608b48919c1563bac88313a8c4219dedc
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2020-08-21 10:06:06 +00:00
likui
8d458e95a4 Delete the /var/log/kolla directory should use sudo
Change-Id: Iff699b6dd9417e2e72618263641cbfa6ccb6e585
Related-Bug: #1892341
2020-08-20 18:00:31 +08:00
Zuul
393888a1cb Merge "Fix ownership and permissions of admin-openrc.sh" 2020-08-19 16:46:53 +00:00
Pierre Riteau
5a52d8e4a0 Add workaround for keystonemiddleware/neutron memcached issue
There is an issue where keystonemiddleware connections to memcached from
neutron-server grow beyond configured values [1], eventually reaching
the maximum number of connections accepted by memcached servers. Other
services do not appear to be affected by this issue.

A workaround is to use the advanced memcached pool. Despite its
documentation claiming to only work with Python 2, it appears to work
fine on Python 3.

[1] https://bugs.launchpad.net/keystonemiddleware/+bug/1883659

Change-Id: Ifbbc2022839cbc575848d830600241c61603c80b
Closes-Bug: #1892210
2020-08-19 17:56:30 +02:00
Zuul
db6a9d61ec Merge "CI: enable Ansible SSH pipelining" 2020-08-19 14:38:47 +00:00
Jegor van Opdorp
de16013bd6 Add cinder auth config to nova-cell nova.conf.j2
Fixes an issue during deleting evacuated instances with encrypted block
devices.

Change-Id: I9b9b689ef7e1e41b597e2c5f6b96f3ed011193c5
Closes-Bug: 1891462
Related-Bug: 1850279
2020-08-19 07:25:20 +00:00
likui
16f97867a3 Fix ownership and permissions of admin-openrc.sh
Previously the post-deploy.yml playbook was executed with become: true,
and the admin-openrc.sh file templated without an owner or mode
specified. This resulted in admin-openrc.sh being owned by root with 644
permissions.

This change creates the file without become: true, and explicitly sets
the owner to the user executing Ansible, and the mode to 600.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Closes-Bug: #1891704

Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa
2020-08-19 07:24:22 +00:00
Rafael Weingärtner
f425c0678f Standardize use and construction of endpoint URLs
The goal for this push request is to normalize the construction and use
of internal, external, and admin URLs. While extending Kolla-ansible
to enable a more flexible method to manage external URLs, we noticed
that the same URL was constructed multiple times in different parts
of the code. This can make it difficult for people that want to work
with these URLs and create inconsistencies in a large code base with
time. Therefore, we are proposing here the use of
"single Kolla-ansible variable" per endpoint URL, which facilitates
for people that are interested in overriding/extending these URLs.

As an example, we extended Kolla-ansible to facilitate the "override"
of public (external) URLs with the following standard
"<component/serviceName>.<companyBaseUrl>".
Therefore, the "NAT/redirect" in the SSL termination system (HAproxy,
HTTPD or some other) is done via the service name, and not by the port.
This allows operators to easily and automatically create more friendly
URL names. To develop this feature, we first applied this patch that
we are sending now to the community. We did that to reduce the surface
of changes in Kolla-ansible.

Another example is the integration of Kolla-ansible and Consul, which
we also implemented internally, and also requires URLs changes.
Therefore, this PR is essential to reduce code duplicity, and to
facilitate users/developers to work/customize the services URLs.

Change-Id: I73d483e01476e779a5155b2e18dd5ea25f514e93
Signed-off-by: Rafael Weingärtner <rafael@apache.org>
2020-08-19 07:22:17 +00:00
Radosław Piliszek
a90aa3e443 Skip broken ansible-lint
See [1].

[1] https://github.com/ansible/ansible-lint/issues/969

Change-Id: I5ac8f20a2157d880b63a4c70bf6c782d06014f41
2020-08-19 09:20:11 +02:00
Zuul
ad50147194 Merge "Deploy neutron-mlnx-agent and neutron-eswitchd containers" 2020-08-17 19:02:45 +00:00
Zuul
9275fc1368 Merge "Add support to use bifrost-deploy behind proxy" 2020-08-17 15:17:37 +00:00
Zuul
b4ca56718c Merge "Deprecate kolla_internal_address variable" 2020-08-17 15:17:35 +00:00
Bartosz Bezak
9da39345ad Add support to use bifrost-deploy behind proxy
Change-Id: If90c2dfd32c8bc50671f6dd38e5a82b434c07151
Depends-On: https://review.opendev.org/#/c/720338
2020-08-17 10:29:29 +02:00
chenxing
b4603d9271 Deprecate kolla_internal_address variable
The "kolla_internal_address" variable is not documented or defined
anywhere.  When "kolla_internal_vip_address" is undefined, the error
message is about "kolla_internal_address", which will confuse operators.

This change deprecates "kolla_internal_address", and adds a default
value for "kolla_internal_vip_address" when "kolla_internal_address" is
undefined.

Change-Id: I09694b38420ea67896bb8cf4ffd7ce6f131af10e
Closes-Bug: #1864206
2020-08-17 09:02:38 +01:00
Zuul
a726cda8d1 Merge "Add support for encrypting Nova API" 2020-08-16 20:04:10 +00:00
Zuul
a4aab1b520 Merge "Add missing mistral services log files" 2020-08-15 20:58:11 +00:00
James Kirsch
d6251506f7 Add support for encrypting Nova API
This patch introduces an optional backend encryption for the Nova API
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Nova service.

Change-Id: I48e1540b973016079d5686b328e82239dcffacfd
Partially-Implements: blueprint add-ssl-internal-network
2020-08-15 13:22:44 +00:00
Bharat Kunwar
4809462f4e Deploy neutron-mlnx-agent and neutron-eswitchd containers
Change-Id: I173669bdf92b1f2ea98907ba16808ca3c914944c
2020-08-13 23:33:57 +01:00
Zuul
d1e5de2120 Merge "Add Keep Alive Timeout for httpd" 2020-08-13 15:27:39 +00:00
James Kirsch
19b028e660 Add Keep Alive Timeout for httpd
This patch introduces a global keep alive timeout value for services
that leverage httpd + wsgi to handle http/https requests. The default
value is one minute.

Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network
2020-08-13 09:52:40 +00:00
Mark Goddard
9fac359bf4 CI: enable Ansible SSH pipelining
This should improve performance of CI jobs.

Change-Id: I729862b89b4fe65cbb7f852fac06741b636e4939
2020-08-13 09:26:48 +01:00
Zuul
516658f489 Merge "Mount /etc/timezone based on host OS" 2020-08-12 22:09:19 +00:00
wu.chunyang
f66ee6e105 [doc] add ovn plugin into globals.yml file
we support ovn neutron plugin agent, but the comments miss it.

Change-Id: I1ebfd8208172a1db5b10dfd682ac6192c9de99bf
2020-08-13 00:36:27 +08:00
Zuul
5a49f96c5a Merge "Revert "Fix post-deploy mode"" 2020-08-12 12:26:13 +00:00
Radosław Piliszek
137f79e49e Revert "Fix post-deploy mode"
This fix was premature as it completely ignores
the previously-respected umask.

Let's discuss a proper fix and revert this one
since CI is fixed elsewhere [1].

[1] https://review.opendev.org/743502

This reverts commit 87efdce24bc802777d4da58f9f63c8d0838e7120.

Change-Id: If38adbf124e793574a21ae986f9ee146d587f820
2020-08-12 09:00:52 +00:00
Zuul
b82ee26242 Merge "Fix post-deploy mode" 2020-08-11 16:49:43 +00:00
Zuul
580f929dfa Merge "ubuntu: move to 20.04 Focal" 2020-08-11 15:26:39 +00:00
Radosław Piliszek
87efdce24b Fix post-deploy mode
Ansible changed the default mode for files, even in stable
releases. [1]

This change restores the previous default (with the common
umask).

[1] https://github.com/ansible/ansible/pull/70221

Change-Id: I0f81214b4f95fe8a378844745ebc77f3c43027ab
Closes-Bug: #1891145
2020-08-11 12:02:29 +00:00
Marcin Juszkiewicz
352f91ac10 ubuntu: move to 20.04 Focal
There is a time once every 2 years when ubuntu team releases new LTS
release. And then UCA joins with binary packages for current OpenStack
development cycle.

It is this time for Ubuntu 20.04 'focal'.

Includes CI fix to pass:

[CI] Temporarily block new Ansible

The proper fix [1] needs fixing older branches before newer.
This one allows to fix CI first, in the usual order.

To revert after [1] gets merged in all relevant branches.

[1] https://review.opendev.org/745648

Old-Change-Id: Ifbd37d8addd4322773118e2e9d46494741a8ae66
Related-Bug: #1891145

Depends-on: https://review.opendev.org/#/c/738994/
Change-Id: Ib8b70ee40ec2d19509cc84c0f530612f81907721
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2020-08-11 13:55:01 +02:00
Zuul
5117eeb9fb Merge "keystone: all distros are Python3 - use /usr/bin/python3" 2020-08-10 20:48:44 +00:00
Zuul
8dfab9675c Merge "Add trove-guestagent.conf" 2020-08-10 12:21:30 +00:00
Zuul
0c12a63cd2 Merge "Fix Barbican client (Castellan) with TLS (part 2)" 2020-08-10 11:55:40 +00:00
Mark Goddard
146b00efa7 Mount /etc/timezone based on host OS
Previously we mounted /etc/timezone if the kolla_base_distro is debian
or ubuntu. This would fail prechecks if debian or ubuntu images were
deployed on CentOS. While this is not a supported combination, for
correctness we should fix the condition to reference the host OS rather
than the container OS, since that is where the /etc/timezone file is
located.

Change-Id: Ifc252ae793e6974356fcdca810b373f362d24ba5
Closes-Bug: #1882553
2020-08-10 10:14:18 +01:00
likui
3888196334 Add trove-guestagent.conf
Add trove-guestagent.conf templates for trove-guestagent service.
Default the Guest Agent config file to be injected during instance creation.

Change-Id: Id0750b84fef8e19658b27f8ae16a857e1394216e
2020-08-10 16:14:24 +08:00
Zuul
3d68859f15 Merge "CI: add kolla_python_version variable" 2020-08-07 15:42:13 +00:00
Mark Goddard
97e26b49cd Fix Barbican client (Castellan) with TLS (part 2)
This patch is a continuation of
I6a174468bd91d214c08477b93c88032a45c137be for the nova-cell role, which
was missed.

The Castellan (Barbican client) has different parameters to control
the used CA file.
This patch uses them.
Moreover, this aligns Barbican with other services by defaulting
its client config to the internal endpoint.

See also [1].

[1] https://bugs.launchpad.net/castellan/+bug/1876102

Closes-Bug: #1886615

Change-Id: I056f3eebcf87bcbaaf89fdd0dc1f46d143db7785
2020-08-07 14:16:04 +01:00
Zuul
fb9bdcb59b Merge "Enable glance role to copy extra configuration" 2020-08-07 09:26:02 +00:00
Michal Nasiadka
7c08f42b2c CI: add kolla_python_version variable
Change-Id: Ic697729bda80bfb83171bf68223a2703b8318aad
2020-08-07 09:28:24 +02:00