Following up on [1].
The 3 variables are only introducing noise after we removed
the reliance on Keystone's admin port.
[1] I5099b08953789b280c915a6b7a22bdd4e3404076
Change-Id: I3f9dab93042799eda9174257e604fd1844684c1c
We run some nova tasks once per cell, using a condition to match a
single host in the cell. In other similar tasks, we use run_once, which
will fail all hosts if the task fails. Typically these tasks are
critical, and that is desirable. However, with the approach used in
nova-cell to support multiple cells, if a once-per-cell task fails, then
other hosts will continue to execute, which could lead to unexpected
results.
This change adds any_errors_fatal to the plays or blocks that run these
tasks.
Closes-Bug: #1948694
Change-Id: I2a5871ccd4e8198171ef3239ce95f475f3e4b051
This change addresses an issue in the nova-libvirt-cleanup command,
added in I46854ed7eaf1d5b5e3ccd8531c963427848bdc99.
Check for rc=1 pgrep command, since a lack of matches is a pass.
Also, use bash for set -o pipefail.
Change-Id: Iffda0dfffce8768324ffec55e629134c70e2e996
If any nova compute service fails to register itself, Kolla Ansible will
fail the host that queries the Nova API. This is the first compute host
in the inventory, and fails in the task:
Waiting for nova-compute services to register themselves
Other hosts continue, often leading to further errors later on. Clearly
this is not idea.
This change modifies the behaviour to query the compute service list
until all expected hosts are present, but does not fail the querying
host if they are not. A new task is added that executes for all hosts,
and fails only those hosts that have not registered successfully.
Alternatively, to fail all hosts in a cell when any compute service
fails to register, set nova_compute_registration_fatal to true.
Change-Id: I12c1928cf1f1fb9e28f1741e7fe4968004ea1816
Closes-Bug: #1940119
Designate sink is an optional service that consumes notifications,
users should have an option to disable it when they don't use them.
Change-Id: I1d5465d9845aea94cff39ff5158cd8b1dccc4834
Change Ia1239069ccee39416b20959cbabad962c56693cf added support for
running a libvirt daemon on the host, rather than using the nova_libvirt
container. It did not cover migration of existing hosts from using a
container to using a host daemon.
This change adds a kolla-ansible nova-libvirt-cleanup command which may
be used to clean up the nova_libvirt container, volumes and related
items on hosts, once it has been disabled.
The playbook assumes that compute hosts have been emptied of VMs before
it runs. A future extension could support migration of existing VMs, but
this is currently out of scope.
Change-Id: I46854ed7eaf1d5b5e3ccd8531c963427848bdc99
In some cases it may be desirable to run the libvirt daemon on the host.
For example, when mixing host and container OS distributions or
versions.
This change makes it possible to disable the nova_libvirt container, by
setting enable_nova_libvirt_container to false. The default values of
some Docker mounts and other paths have been updated to point to default
host directories rather than Docker volumes when using a host libvirt
daemon.
This change does not handle migration of existing systems from using
a nova_libvirt container to libvirt on the host.
Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/830504
Change-Id: Ia1239069ccee39416b20959cbabad962c56693cf
Consistently use template instead of copy. This has the added
advantage of allowing variables inside ceph conf files and keyrings.
Closes-Bug: 1959565
Signed-off-by: Imran Hussain <ih@imranh.co.uk>
Change-Id: Ibd0ff2641a54267ff06d3c89a26915a455dff1c1
In Kolla Ansible OpenStack deployments, by default, libvirt is
configured to allow read-write access via an unauthenticated,
unencrypted TCP connection, using the internal API network. This is to
facilitate migration between hosts.
By default, Kolla Ansible does not use encryption for services on the
internal network (and did not support it until Ussuri). However, most
other services on the internal network are at least authenticated
(usually via passwords), ensuring that they cannot be used by anyone
with access to the network, unless they have credentials.
The main issue here is the lack of authentication. Any client with
access to the internal network is able to connect to the libvirt TCP
port and make arbitrary changes to the hypervisor. This could include
starting a VM, modifying an existing VM, etc. Given the flexibility of
the domain options, it could be seen as equivalent to having root access
to the hypervisor.
Kolla Ansible supports libvirt TLS [1] since the Train release, using
client and server certificates for mutual authentication and encryption.
However, this feature is not enabled by default, and requires
certificates to be generated for each compute host.
This change adds support for libvirt SASL authentication, and enables it
by default. This provides base level of security. Deployments requiring
further security should use libvirt TLS.
[1] https://docs.openstack.org/kolla-ansible/latest/reference/compute/libvirt-guide.html#libvirt-tls
Depends-On: https://review.opendev.org/c/openstack/kolla/+/833021
Closes-Bug: #1964013
Change-Id: Ia91ceeb609e4cdb144433122b443028c0278b71e
NSXP is the OpenStack support for the NSX Policy platform.
This is supported from neutron in the Stein version. This patch
adds Kolla support
This adds a new neutron_plugin_agent type 'vmware_nsxp'. The plugin
does not run any neutron agents.
Change-Id: I9e9d8f07e586bdc143d293e572031368af7f3fca
This is required as nova_compute tries to reach my_ip of the other
node when resizing an instance and my_ip is set to
api_interface_address.
This potential issue was introduced with [1].
[1] https://review.opendev.org/c/openstack/kolla-ansible/+/569131
Closes-Bug: #1956976
Change-Id: Id57a672c69a2d5aa74e55f252d05bb756bbc945a
Role vars have a higher precedence than role defaults. This allows to
import default vars from another role via vars_files without overriding
project_name (see related bug for details).
Change-Id: I3d919736e53d6f3e1a70d1267cf42c8d2c0ad221
Related-Bug: #1951785
The documentation for novncproxy_base_url says:
If using noVNC >= 1.0.0, you should use ``vnc_lite.html`` instead of
``vnc_auto.html``.
While novnc packages in CentOS, Debian, and Ubuntu still provide
vnc_auto.html for compatibility, this could be dropped in the future.
Change-Id: I04883c877015c1835c8b6b2c8be1fb7156ceb340
This reverts commit 15259002beb6b9f35f8eee6529132c6e1a126902.
Reason for revert: The iptables_firewall produces warnings without it.
Change-Id: Id046a3048436c4c18dd1fd9700ac9971d8c42c57
A system-scoped token implies the user has authorization to act on the
deployment system. These tokens are useful for interacting with
resources that affect the deployment as a whole, or exposes resources
that may otherwise violate project or domain isolation.
Since Queens, the keystone-manage bootstrap command assigns the admin
role to the admin user with system scope, as well as in the admin
project. This patch transitions the Keystone admin user from
authenticating using project scoped tokens to system scoped tokens.
This is a necessary step towards being able to enable the updated oslo
policies in services that allow finer grained access to system-level
resources and APIs.
An etherpad with discussion about the transition to the new oslo
service policies is:
https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible
Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
This is required for libvirtd with cgroupsv2 (Debian Bullseye and
soon others).
Otherwise, device attachments simply fail.
The warning message suggests filtering will be disabled but it
actually just fails the action entirely.
Change-Id: Id1fbd49a31a6e6e51b667f646278b93897c05b21
Closes-Bug: #1941940
It was removed in [1] as part of cgroupsv2 cleanup.
However, the testing did not catch the fact that the legacy
cgroups behaviour was actually still breaking despite latest
Docker and setting to use host's cgroups namespace.
[1] 286a03bad20955aa4d3f7009cef5856d328b76f1
Closes-Bug: #1941706
Change-Id: I629bb9e70a3fd6bd1e26b2ca22ffcff5e9e8c731
This change enables the use of Docker healthchecks for
nova-spicehtml5proxy service.
Implements: blueprint container-health-check
Change-Id: I584c588c20781e6c6567429811aecf97967baea3
Kolla-ansible upgrade task is calling different
handlers as deploy task and these handlers are
missing healthcheck key. This patch is fixing
this.
Closes-Bug: #1939679
Change-Id: Id83d20bfd89c27ccf70a3a79938f428cdb5d40fc
We get a nice optimisation by using a filtered loop instead
of task skipping per service with 'when'.
Partially-Implements: blueprint performance-improvements
Change-Id: I8f68100870ab90cb2d6b68a66a4c97df9ea4ff52
This trivial patch is setting "timeout tunnel" in haproxy's
configuration for spicehtml5proxy. This option extends time
when spice's websocket connection is closed, so spice will
not be freezed. Default value is set to 1h as it is in novnc.
Closes-Bug: #1938549
Change-Id: I3a5cd98ecf4916ebd0748e7c08111ad0e4dca0b2
Nova always tries to create the rabbitmq user regardless of
whether RabbitMQ is enabled or not.
This ps also adds an external rabbitmq doc.
Change-Id: Iec517226e4c82ea351889b55689a3efceaadcc76
By default, Ansible injects a variable for every fact, prefixed with
ansible_. This can result in a large number of variables for each host,
which at scale can incur a performance penalty. Ansible provides a
configuration option [0] that can be set to False to prevent this
injection of facts. In this case, facts should be referenced via
ansible_facts.<fact>.
This change updates all references to Ansible facts within Kolla Ansible
from using individual fact variables to using the items in the
ansible_facts dictionary. This allows users to disable fact variable
injection in their Ansible configuration, which may provide some
performance improvement.
This change disables fact variable injection in the ansible
configuration used in CI, to catch any attempts to use the injected
variables.
[0] https://docs.ansible.com/ansible/latest/reference_appendices/config.html#inject-facts-as-vars
Change-Id: I7e9d5c9b8b9164d4aee3abb4e37c8f28d98ff5d1
Partially-Implements: blueprint performance-improvements
Follow up fix for Ia7e923dddb77ff6db3c9160af931354a2b305e8d, which
broke the cephadm jobs.
Change-Id: Ieb39b41a6f493bd00c687610ba043a1b4e5945e7
Related-Bug: #1821696
They are handled by Docker since at least 18.09 (tested).
Backport to Wallaby at most to not introduce needless restarts in
already stable branches.
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/792583
Change-Id: Ia95355c529f1b0222dc1de06632984b6d130b9ec
We don't do the best job with it and it's better to rely on users'
and distros' default policies than try to water those down.
Closes-Bug: #1837551
Change-Id: I72b13adef60900fc31f1293c516030026f004216
In order to disable libvirt debug in CI (which takes vast amount of storage)
this change introduces nova_libvirt_logging_debug and disables that in CI.
Change-Id: I90bfd1b300ad3202ea4d139fda6d6beb44c5820f
Libvirt may reasonably expect that its secrets directory
(/etc/libvirt/secrets) is persistent. However, the nova_libvirt
container does not map the secrets directory to a volume, so it will not
survive a recreation of the container. Furthermore, if Cinder or Nova
Ceph RBD integration is enabled, nova_libvirt's config.json includes an
entry for /etc/libvirt/secrets which will wipe out the directory on a
restart of the container.
Previously, this appeared to cause an issue with encrypted volumes,
which could fail to attach in certain situations as described in bug
1821696. Nova has since made a related change, and the issue can no
longer be reproduced. However, making the secret store persistent seems
like a sensible thing to do, and may prevent hitting other corner cases.
This change maps /etc/libvirt/secrets to a Docker volume in the
nova_libvirt container. We also modify config.json for the nova_libvirt
container to merge the /etc/libvirt/secrets directory, to ensure that
secrets added in the container during runtime are not overwritten when
the container restarts.
Change-Id: Ia7e923dddb77ff6db3c9160af931354a2b305e8d
Related-Bug: #1821696
