There is an issue where keystonemiddleware connections to memcached from
neutron-server grow beyond configured values [1], eventually reaching
the maximum number of connections accepted by memcached servers. Other
services do not appear to be affected by this issue.
A workaround is to use the advanced memcached pool. Despite its
documentation claiming to only work with Python 2, it appears to work
fine on Python 3.
[1] https://bugs.launchpad.net/keystonemiddleware/+bug/1883659
Change-Id: Ifbbc2022839cbc575848d830600241c61603c80b
Closes-Bug: #1892210
Previously the post-deploy.yml playbook was executed with become: true,
and the admin-openrc.sh file templated without an owner or mode
specified. This resulted in admin-openrc.sh being owned by root with 644
permissions.
This change creates the file without become: true, and explicitly sets
the owner to the user executing Ansible, and the mode to 600.
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Closes-Bug: #1891704
Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa
The "kolla_internal_address" variable is not documented or defined
anywhere. When "kolla_internal_vip_address" is undefined, the error
message is about "kolla_internal_address", which will confuse operators.
This change deprecates "kolla_internal_address", and adds a default
value for "kolla_internal_vip_address" when "kolla_internal_address" is
undefined.
Change-Id: I09694b38420ea67896bb8cf4ffd7ce6f131af10e
Closes-Bug: #1864206
This patch introduces a global keep alive timeout value for services
that leverage httpd + wsgi to handle http/https requests. The default
value is one minute.
Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network
This fix was premature as it completely ignores
the previously-respected umask.
Let's discuss a proper fix and revert this one
since CI is fixed elsewhere [1].
[1] https://review.opendev.org/743502
This reverts commit 87efdce24bc802777d4da58f9f63c8d0838e7120.
Change-Id: If38adbf124e793574a21ae986f9ee146d587f820
Ansible changed the default mode for files, even in stable
releases. [1]
This change restores the previous default (with the common
umask).
[1] https://github.com/ansible/ansible/pull/70221
Change-Id: I0f81214b4f95fe8a378844745ebc77f3c43027ab
Closes-Bug: #1891145
Add trove-guestagent.conf templates for trove-guestagent service.
Default the Guest Agent config file to be injected during instance creation.
Change-Id: Id0750b84fef8e19658b27f8ae16a857e1394216e
Glance role copies glance-image-import.conf
when enabled to allow configuration of
glance interoperable image import. Property
protection can be enabled and file is copied.
Change-Id: I5106675da5228a5d7e630871f0882269603e6571
Closesl-Bug: #1889272
Signed-off-by: nikparasyr <nik.parasyr@protonmail.com>
Masakari was introduced parallelly to deploy-containers action and
so we missed to add this functionality to it.
Change-Id: Ibef198d20d481bc92b38af786cdf0292b246bb12
Closes-Bug: #1889611
With an incorrectly named section, whatever's defined in here is
actually ignored which can result in unexpected behaviour.
Closes-Bug: 1889455
Change-Id: Ib2e2b53e9a3c0e62a2e997881c0cd1f92acfb39c
Signed-off-by: Nick Jones <nick@dischord.org>
If not running containerised chrony, we need to check that host
has its own means of system clock synchronization.
Change-Id: I31b3e9ed625d63a4bf82c674593522268c20ec4c
Partial-Bug: #1885689
Docker is manipulating iptables rules by default to provide network
isolation, and this might cause problems if the host already has an
iptables-based firewall.
This change introduces docker_disable_default_iptables_rules to
disable the iptables manipulation by putting "iptables: false" [1] to
daemon.json
For better defaults, this feature will be enabled by default in
Victoria.
[1] https://docs.docker.com/network/iptables/
Closes-Bug: #1849275
Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b
This fixes an issue where multiple Grafana instances would race
to bootstrap the Grafana DB. The following changes are made:
- Only start additional Grafana instances after the DB has been
configured.
- During upgrade, don't allow old instances to run with an
upgraded DB schema.
Change-Id: I3e0e077ba6a6f43667df042eb593107418a06c39
Closes-Bug: #1888681
This ensures that when using automatic Kafka topic creation, with more than one
node in the Kafka cluster, all partitions in the topic are automatically
replicated. When a single node goes down in a >=3 node cluster, these topics will
continue to accept writes providing there are at least two insync replicas.
In a two node cluster, no failures are tolerated. In a three node cluster, only a
single node failure is tolerated. In a larger cluster the configuration may need
manual tuning.
This configuration follows advice given here:
[1] https://docs.cloudera.com/documentation/kafka/1-2-x/topics/kafka_ha.html#xd_583c10bfdbd326ba-590cb1d1-149e9ca9886--6fec__section_d2t_ff2_lq
Closes-Bug: #1888522
Change-Id: I7d38c6ccb22061aa88d9ac6e2e25c3e095fdb8c3
fluentd logs currently to stdout, which is known to produce big docker logs
in /var/lib/docker. This change makes fluentd to log to /var/log/kolla/fluentd.
Closes-Bug: #1888852
Change-Id: I8fe0e54cb764a26d26c6196cef68aadc6fd57b90
From Ussuri, if CA certificates are copied into
/etc/kolla/certificates/ca/, these should be copied into all containers.
This is not being done for masakari currently.
Additionally, we are not setting the [DEFAULT] nova_ca_certificates_file
option in masakari.conf. This depends on masakari bug 1873736 being
fixed to work.
This change fixes these issues.
Change-Id: I9a3633f58e5eb734fa32edc03a3022a500761bbb
Closes-Bug: #1888655
Some CloudKitty API responses include a Location header using http
instead of https. Seen with `openstack rating module enable hashmap`.
Change-Id: I11158bbfd2006e3574e165b6afc9c223b018d4bc
Closes-Bug: #1888544
we should clone freezer code before run bootstray,
otherwise, the directory /opt/stack/freezer which is empty will
mount into freezer_api container.
Closes-Bug: #1888242
Change-Id: I7c22dd380fd5b1dff7b421109c4ae37bab11834a
This makes use of udev rules to make it smarter and override
host-level packages settings.
Additionally, this masks Ubuntu-only service that is another
pain point in terms of /dev/kvm permissions.
Fingers crossed for no further surprises.
Change-Id: I61235b51e2e1325b8a9b4f85bf634f663c7ec3cc
Closes-bug: #1681461
