The merge_configs action plugin is updated with an option to control
whether whitespace should be used around equal signs. The default
remains to use whitespace: only zookeeper.cfg doesn't use them.
This is to avoid issues with the zkCleanup.sh script which expects no
whitespace. The ZooKeeper documentation also uses no whitespace in
configuration file examples.
Change-Id: Ia082a1c002cc4e8b04f7696fdee827b747c6d13f
Closes-Bug: #1917490
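
The effect of the whitespace setting described above, as an added example (not kolla-ansible's merge_configs code): it uses Python's standard configparser, and `strict_lookup` is an assumed stand-in for a shell-style `grep '^key='` reader. The section name `zk` and the sample values are constructed for illustration.

```python
import configparser
import io
import re

# Constructed sample settings (not taken from any real deployment).
ZK_SETTINGS = {
    "tickTime": "2000",
    "dataDir": "/var/lib/zookeeper/data",
    "clientPort": "2181",
}


def render(settings, whitespace):
    """Render key/value pairs with or without spaces around '='."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case, e.g. dataDir
    parser["zk"] = settings   # hypothetical section name, dropped below
    buf = io.StringIO()
    parser.write(buf, space_around_delimiters=whitespace)
    # Drop the section header and blank lines: the target file is flat.
    return "\n".join(
        line for line in buf.getvalue().splitlines()
        if line and not line.startswith("[")
    )


def strict_lookup(text, key):
    """Assumed reader behaviour: match only 'key=value' with no spaces."""
    match = re.search(r"^%s=(.*)$" % re.escape(key), text, re.MULTILINE)
    return match.group(1) if match else None


def lint_no_whitespace(text):
    """Return the lines a strict 'key=value' reader would fail to match."""
    pattern = re.compile(r"^\s*[^#\s=]+\s+=|^\s*[^#\s=]+=\s+")
    return [line for line in text.splitlines() if pattern.match(line)]


if __name__ == "__main__":
    for flag in (True, False):
        rendered = render(ZK_SETTINGS, flag)
        print("whitespace=%s dataDir=%r offending=%d" % (
            flag, strict_lookup(rendered, "dataDir"),
            len(lint_no_whitespace(rendered))))
```
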
In services which use the Apache HTTP server to service HTTP requests,
there exists a TimeOut directive [1] which defaults to 60 seconds. APIs
which come under heavy load, such as Cinder, can sometimes exceed this
which results in an HTTP 504 Gateway timeout, or similar. However, the
request can still be serviced without error. For example, if Nova calls
the Cinder API to detach a volume, and this operation takes longer
than the shortest of the two timeouts, Nova will emit a stack trace
with a 504 Gateway timeout. At some time later, the request to detach
the volume will succeed. The Nova and Cinder DBs then become
out-of-sync with each other, and frequently DB surgery is required.
Although strictly this category of bugs should be fixed in OpenStack
services, it is not realistic to expect this to happen in the short
term. Therefore, this change makes it easier to set the Apache HTTP
timeout via a new variable.
An example of a related bug is here:
https://bugs.launchpad.net/nova/+bug/1888665
Whilst this timeout can currently be set by overriding the WSGI
config for individual services, this change makes it much easier.
Change-Id: Ie452516655cbd40d63bdad3635fd66693e40ce34
Closes-Bug: #1917648
This change allows a user to forward control plane logs
directly to Elasticsearch from Fluentd, rather than via
the Monasca Log API when Monasca is enabled. The Monasca
Log API can continue to handle tenant logs.
For many use cases this is simpler, reduces resource
consumption and helps to decouple control plane logging
services from tenant logging services.
It may not always be desired, so is optional and off by
default.
Change-Id: I195e8e4b73ca8f573737355908eb30a3ef13b0d6
The Monasca alerting pipeline provides multi-tenancy alerts and
notifications. It runs as an Apache Storm topology and generally
places a significant memory and CPU burden on monitoring hosts,
particularly when there are a lot of metrics. This is fine if the
alerting service is in use, but sometimes it is not. For example
you may use Prometheus for monitoring the control plane, and
wish to offer tenants a monitoring service via Monasca without
alerting and notification functionality. In this case it makes
sense to disable this part of the Monasca pipeline and this patch
adds support for that.
If the service is ever re-enabled, all alerts and notifications
should spawn back automatically since they are persisted in the
central mysql database cluster.
Change-Id: I84aa04125c621712f805f41c8efbc92c8e156db9
The Log Metrics service is an admin only service. We now have
support in Fluentd via the Prometheus plugin to create metrics
from logs. These metrics can be scraped into Monasca or Prometheus.
It therefore makes sense to deprecate this service, starting by
disabling it by default, and then removing it in the Xena release.
This should improve the stability of the Monasca metrics pipeline
by ensuring that all metrics pass via the Monasca API for
validation, and ensure that metrics generated from logs are
available to both Prometheus and Monasca users by default.
Change-Id: I704feb4434c1eece3eb00c19dc5f934fd4bc27b4
Historically Monasca Log Transformer has been for log
standardisation and processing. For example, logs from different
sources may use slightly different error levels such as WARN, 5,
or WARNING. Monasca Log Transformer is a place where these could
be 'squashed' into a single error level to simplify log searches
based on labels such as these.
However, in Kolla Ansible, we do this processing in Fluentd so
that the simpler Fluentd -> Elastic -> Kibana pipeline also
benefits. This helps to avoid spreading out log parsing
configuration over many services, with the Fluentd Monasca output
plugin being yet another potential place for processing (which
should be avoided). It therefore makes sense to remove this
service entirely, and squash any existing configuration which
can't be moved to Fluentd into the Log Persister service. I.e.
by removing this pipeline, we don't lose any functionality,
we encourage log processing to take place in Fluentd, or at least
outside of Monasca, and we make significant gains in efficiency
by removing a topic from Kafka which contains a copy of all logs
in transit.
Finally, users forwarding logs from outside the control plane,
e.g. from tenant instances, should be encouraged to process the
logs at the point of sending using whichever framework they are
forwarding them with. This makes sense, because all Logstash
configuration in Monasca is only accessible by control plane
admins. A user can't typically do any processing inside Monasca,
with or without this change.
Change-Id: I65c76d0d1cd488725e4233b7e75a11d03866095c
This change enables the use of Docker healthchecks for watcher
services.
Implements: blueprint container-health-check
Change-Id: I0774063dd970507e566637138167ed1af9a2874c
This change enables the use of Docker healthchecks for senlin services.
Implements: blueprint container-health-check
Change-Id: I148a0174c46244241580265d0fedc0fb1b92602c
This change enables the use of Docker healthchecks for cyborg
services.
Implements: blueprint container-health-check
Change-Id: I5326b142eaa826f97c32498cd2a9a0cba65be698
This change enables the use of Docker healthchecks for octavia services.
Implements: blueprint container-health-check
Change-Id: I2ec11544b0e9c66a1821bfe0f9a40a9e9d88033b
This change enables the use of Docker healthchecks for skydive services.
Implements: blueprint container-health-check
Change-Id: I2e18f2d912dad92a327261e092da358911531ebe
This change enables the use of Docker healthchecks for redis services.
Implements: blueprint container-health-check
Change-Id: I0590c5b22ef8eb733211b029cdd73a055d58af11
This option disables copy of certificates from the operator host to
kolla-ansible managed hosts.
This is especially useful if you already have some mechanisms to handle
your certificates directly on your hosts.
Co-Authored-By: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Change-Id: Ie18b2464cb5a65a88c4ac191a921b8074a14f504
Deprecates support for Prometheus v1.x.
In Xena support for it will be removed from Kolla Ansible.
Change-Id: I027b19621196c698e09f79af294ba1b5dbfc0516
This change enables the use of Docker healthchecks for tacker
services.
Implements: blueprint container-health-check
Change-Id: Ib33863e4bf78f73a28d82b222ab349909ebb6671
This change enables the use of Docker healthchecks for trove services.
Implements: blueprint container-health-check
Change-Id: I55badd93f92f82e020ef80b06c788600e597d068
The Cinder API log is currently written to a file called
cinder-wsgi.log, and the WSGI logs to cinder-api.log. Fluentd
then tries to parse the WSGI log as an OpenStack log which
results in 'got incomplete line' errors and prevents proper
ingestion of these logs.
Co-Authored-By: yaoning <yaoning@unitedstack.com>
Closes-Bug: 1916752
Change-Id: I3296dcc4780160cbf88bd18285571276f58bb249
This commit adds the possibility to deploy Neutron's DHCP agents in an OVN
networking scenario.
Co-Authored-By: Michał Nasiadka <mnasiadka@gmail.com>
Change-Id: I073d04319b510182f5c1478e728c0c5bcc8799f1
This makes it possible for services to fetch the Elasticsearch endpoint
from Keystone. It is useful for both operators and Monasca Tempest.
Change-Id: Id60298582496a8959e82b970676669ca17e2e9d4
This change enables the use of Docker healthchecks for sahara
services.
Implements: blueprint container-health-check
Change-Id: I091ce194cc3180d500e287832810b499d7b100be
This change enables the use of Docker healthchecks for magnum
services.
Implements: blueprint container-health-check
Change-Id: I14d862aa599915c781d02b71a0e57d2124de9abc
It is confusing to customize opts in trove-conductor.conf
or trove-taskmanager.conf now.
If we want to customize an opt, the operator needs
to know which service is using the configuration opts.
Actually, trove using trove.conf is enough for all services.
This change combines all trove config files.
Change-Id: I5a630109e3c4b59bff216146a3ed64c6d47e247f
This patch fixes the constant chrony container crash loop after a (Debian 10) server is rebooted,
as described in Bug-ID: #1915528.
Due to a permissions issue, before this fix is applied the chronyd process will be exiting with
the root cause error message:
Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied
This has to do with the privileges we configured for chrony. Relaxing them fixes the issue.
Tested on top of stable/victoria and Debian 10 Buster.
Not tested on CentOS/RHEL. If this does not work well on RHEL/CentOS we can maybe parametrise
the owner and make it configurable (just one idea).
Closes-Bug: #1915528
Change-Id: I71f45ba5b9d1d2227c95633d3de51e2ccd42a467
This pull request adds support for the OpenID Connect authentication
flow in Keystone and enables both ID and access token authentication
flows. The ID token configuration is designed to allow users to
authenticate via Horizon using an identity federation; whereas the
Access token is used to allow users to authenticate in the OpenStack CLI
using a federated user.
Without this PR, if one wants to configure OpenStack to use identity
federation, he/she needs to do a lot of configuration in Keystone and
Horizon, and register quite a good number of different parameters using
the CLI such as mappings, identity providers, federated protocols, and
so on. Therefore, with this PR, we propose a method for operators to
introduce/present the IdP's metadata to Kolla-ansible, and based on the
presented metadata, Kolla-ansible takes care of all of the
configurations to prepare OpenStack to work in a federated environment.
Implements: blueprint add-openid-support
Co-Authored-By: Jason Anderson <jasonanderson@uchicago.edu>
Change-Id: I0203a3470d7f8f2a54d5e126d947f540d93b8210
If kolla-ansible is installed via pip install --user, currently the
kolla-ansible script is unable to locate the installed playbooks.
This leads to a failure when running commands.
This change fixes the issue by checking for the user's .local directory
as a possible installation path.
This fixes some of the scenario tests which were failing after switching
to a user installation in Ifaf1948ed5d42eebaa62d7bad375bbfc12b134d5.
Most tests did not fail since the kolla-ansible script in the source
checkout was used.
Closes-Bug: #1915527
Change-Id: I5b47a146627d06bb3fe4a747c5f20290c726b0f9
One of the renos was causing issues due to a duplicated id.
This change makes tox doc8 env lint renos and fixes
the offending reno.
Change-Id: Id3ae6e144b4261c97726cdec172ea9bef093de9e
and prometheus collector backend support.
* Fix various remaining typos.
* Fix trailing character on reno.
* Enable Elasticsearch when selected as cloudkitty backend.
* Add a check for ES index creation when ES required.
* Add a release note
* Fix release note line length issue.
Change-Id: I18f3d8f2e10a2996b2ebf92733a1770bef548bda
Closes-bug: #1895945
This change enables the use of Docker healthchecks for manila services.
Implements: blueprint container-health-check
Change-Id: I3a2239764b7e3d6db51e535404388a512aba7629
There are a few issues fixed here:
- The Barbican API service doesn't set a log file, so all the Barbican API
service logs go to loadwsgi.py.log by default.
- The logs in loadwsgi.py.log are not ingested properly by Fluentd.
- uWSGI logs go to barbican-api.log. This would normally be used as the log
file for the Barbican API service logs.
This patch makes the following changes to address the above issues:
- All uWSGI logs (from the Emperor and Vassals) go to barbican_api_uwsgi_access.log
Although these logs aren't strictly all access logs, this follows the existing
pattern for WSGI logs.
- The Barbican API service logs are written to barbican-api.log instead of
loadwsgi.py.log. This follows the pattern used by other OpenStack services.
- Fluentd is configured to parse the Barbican API service logs as it would with
other OpenStack Python services.
Change-Id: I6d03fa8c81c52b6f061514a836bbd15bb6639aaf
Closes-Bug: #1891343
--db-sock JSON-RPC socket name
--db-nb-sock OVN_Northbound db socket
--db-sb-sock OVN_Southbound db socket [1]
so should use db-nb-sock and db-sb-sock
Closes-bug: #1913031
[1] https://github.com/ovn-org/ovn/blob/master/utilities/ovn-ctl
Change-Id: Ife38237a308c87465d5ac3faf7d8de93fd49de4e
Libvirt may reasonably expect that its secrets directory
(/etc/libvirt/secrets) is persistent. However, the nova_libvirt
container does not map the secrets directory to a volume, so it will not
survive a recreation of the container. Furthermore, if Cinder or Nova
Ceph RBD integration is enabled, nova_libvirt's config.json includes an
entry for /etc/libvirt/secrets which will wipe out the directory on a
restart of the container.
Previously, this appeared to cause an issue with encrypted volumes,
which could fail to attach in certain situations as described in bug
1821696. Nova has since made a related change, and the issue can no
longer be reproduced. However, making the secret store persistent seems
like a sensible thing to do, and may prevent hitting other corner cases.
This change maps /etc/libvirt/secrets to a Docker volume in the
nova_libvirt container. We also modify config.json for the nova_libvirt
container to merge the /etc/libvirt/secrets directory, to ensure that
secrets added in the container during runtime are not overwritten when
the container restarts.
Change-Id: Ia7e923dddb77ff6db3c9160af931354a2b305e8d
Related-Bug: #1821696