162 Commits

Author SHA1 Message Date
Radosław Piliszek
ce35b43ab9 Upgrade from Victoria
Now that it has its own branch and published images.

Depends-On: https://review.opendev.org/761822
Change-Id: I99924b52ee4e0aca1ca4c416190292e561b5c043
2020-11-10 11:01:44 +00:00
Michal Nasiadka
ff441c1c0c CI: Temporarily disable rabbitmq internal tls
Due to an incompatibility between oslo.messaging and new kombu/amqp mix -
Nova RMQ TLS is not working. See [1] and [2].

[1]: https://launchpad.net/bugs/1902696
[2]: https://review.opendev.org/#/c/761194/

Change-Id: Ibffd96fe008b6fcefcd73ac3c1bc579507dca5c7
2020-11-04 08:03:53 +01:00
Zuul
8cf8459270 Merge "CI: enable designate in magnum CI job" 2020-10-07 20:54:05 +00:00
Mark Goddard
c2987d6582 CI: enable designate in magnum CI job
Follows designate guide, adding a default zone for fixed and
floating IPs, then boots an instance and verifies that its
name resolves.

Change-Id: Ifbfdab425e2c8a36a8f3ab8539f70dca4cce2abc
2020-10-07 14:55:10 +00:00
Zuul
ba933f16e9 Merge "Support TLS encryption of RabbitMQ client-server traffic" 2020-09-29 11:31:03 +00:00
Mark Goddard
d2326712d4 CI: add magnum scenario, also covering octavia
Adds a new Zuul job, kolla-ansible-centos8-source-magnum, for testing
deployment of Magnum, Octavia and associated services.

Change-Id: I61b293ba6bb52064ea98a73e2dff0023fa01a2a2
2020-09-17 15:01:53 +00:00
Mark Goddard
761ea9a333 Support TLS encryption of RabbitMQ client-server traffic
This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.

The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.

RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
the Zuul 'tls_enabled' variable is true.

Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
2020-09-17 12:05:44 +01:00
Mark Goddard
9fac359bf4 CI: enable Ansible SSH pipelining
This should improve performance of CI jobs.

Change-Id: I729862b89b4fe65cbb7f852fac06741b636e4939
2020-08-13 09:26:48 +01:00
Michal Nasiadka
7c08f42b2c CI: add kolla_python_version variable
Change-Id: Ic697729bda80bfb83171bf68223a2703b8318aad
2020-08-07 09:28:24 +02:00
Christian Berendt
6eb02245d6 Remove Hyper-V integration
Change-Id: I2e22ec47f644de2f1509a0111c9e1fffe8da0a1a
2020-07-27 10:25:46 +01:00
Zuul
6033959b53 Merge "CI: Update ceph-ansible to v5 - deploy Ceph Octopus" 2020-07-22 12:32:43 +00:00
Zuul
f039de861d Merge "CI: Add Ubuntu KVM job" 2020-07-22 11:54:26 +00:00
Zuul
9a8341c2a7 Merge "Performance: Run common role in a separate play" 2020-07-17 15:43:22 +00:00
Michal Nasiadka
47f8b8917f CI: Update ceph-ansible to v5 - deploy Ceph Octopus
Change-Id: I2e736920f5b2cb4a78c2e6c216665394faf83001
2020-07-15 13:59:20 +00:00
Mark Goddard
f44876c406 CI: add prometheus-efk scenario
Tests prometheus, grafana, and centralised logging.

The tests could be improved in future by querying logs in elasticsearch,
and metrics in prometheus.

Change-Id: Iabad035d583d291169f23be3d71931cb260e87ae
2020-07-10 07:55:14 +00:00
Mark Goddard
56ae2db7ac Performance: Run common role in a separate play
The common role was previously added as a dependency to all other roles.
It would set a fact after running on a host to avoid running twice. This
had the nice effect that deploying any service would automatically pull
in the common services for that host. When using tags, any services with
matching tags would also run the common role. This could be both
surprising and sometimes useful.

When using Ansible at large scale, there is a penalty associated with
executing a task against a large number of hosts, even if it is skipped.
The common role introduces some overhead, just in determining that it
has already run.

This change extracts the common role into a separate play, and removes
the dependency on it from all other roles. New groups have been added
for cron, fluentd, and kolla-toolbox, similar to other services. This
changes the behaviour in the following ways:

* The common role is now run for all hosts at the beginning, rather than
  prior to their first enabled service
* Hosts must be in the necessary group for each of the common services
  in order to have that service deployed. This is mostly to avoid
  deploying on localhost or the deployment host
* If tags are specified for another service e.g. nova, the common role
  will *not* automatically run for matching hosts. The common tag must
  be specified explicitly

The last of these is probably the largest behaviour change. While it
would be possible to determine which hosts should automatically run the
common role, it would be quite complex, and would introduce some
overhead that would probably negate the benefit of splitting out the
common role.

Partially-Implements: blueprint performance-improvements

Change-Id: I6a4676bf6efeebc61383ec7a406db07c7a868b2a
2020-07-07 15:00:47 +00:00
gugug
f13847a5a2 Remove the congress roles since it has been retired
more info: https://review.opendev.org/#/c/721733/

Depends-On: I561ead226f714d98c8e06e6027715a64c3a8e47e
Depends-On: I21c9ab9820f78cf76adf11c5f0591c60f76372a8
Change-Id: Ic740d090211ee331b374a6dac69dfde466df7200
Co-Authored-By: jacky06 <zhang.min@99cloud.net>
2020-06-20 01:51:03 +00:00
gugug
66ea6e099f Remove mongodb integration
more info: a6c97d7284

Change-Id: I778d472cc7f6ca19852482a3e309d793973d75a6
Co-Authored-By: jacky06 <zhang.min@99cloud.net>
2020-06-19 09:07:23 +08:00
Zuul
1e35ef5a26 Merge "Replace internal and external VIP CA with root CA" 2020-06-16 16:01:25 +00:00
Zuul
e7f39d31e9 Merge "Generate Root CA for Self-Signed Certificates" 2020-06-16 11:12:26 +00:00
James Kirsch
e3cd02eda4 Replace internal and external VIP CA with root CA
Replaced "kolla_external_fqdn_cacert" and "kolla_internal_fqdn_cacert" with
"kolla_admin_openrc_cacert". OS_CACERT is now set to the value of
"kolla_admin_openrc_cacert" in the generated admin-openrc.sh file.

Change-Id: If195d5402579cee9a14b91f63f5fde84eb84cccf
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/#/c/731344/
2020-06-16 11:46:34 +01:00
James Kirsch
a982d3acbb Generate Root CA for Self-Signed Certificates
Update the certificate generation task to create a root CA for the
self-signed certificates. The internal and external facing certificates
are then generated using the root CA.

Updated openstack_cacert to use system CA trust store in CI tests
certificate by default.

Change-Id: I6c2adff7d0128146cf086103ff6060b0dcefa37b
Partially-Implements: blueprint add-ssl-internal-network
2020-06-15 10:29:51 -07:00
Radosław Piliszek
88e7f8006e CI: Add Ubuntu KVM job
This also uses the recommended machinery to set qemu instead
of relying on config file override so that we test what we
really want to test.

Change-Id: I560e4f9d0a69c347e6aaf3b970331157c1a56f18
2020-06-14 12:03:32 +02:00
Zuul
d896179eac Merge "CI: drop pre-ussuri upgrade support" 2020-06-09 17:53:14 +00:00
Marcin Juszkiewicz
09ab5fd0ba CI: drop pre-ussuri upgrade support
Ussuri is Py3 everywhere. We are free to drop any py2 leftovers.

Depends-On: https://review.opendev.org/731805
Change-Id: I1a9c9a14af351cd3e8b01a40f323a82ffa673d35
2020-05-30 15:23:47 +00:00
Doug Szumski
b39a0f805a Switch to Monasca API for logs
The Monasca Log API has been removed and in this change we switch
to using the unified API. If dedicated log APIs are required then
this can be supported through configuration. Out of the box the
Monasca API is used for both logs and metrics which is envisaged to
work for most use cases.

In order to use the unified API for logs, we need to disable the
legacy Kafka client. We also rename the Monasca API config file
to remove a warning about using the old style name.

Depends-On: https://review.opendev.org/#/c/728638
Change-Id: I9b6bf5b6690f4b4b3445e7d15a40e45dd42d2e84
2020-05-23 17:49:32 +01:00
Hongbin Lu
91678f67af Zun: Add zun-cni-daemon to compute node
Zun has a new component "zun-cni-daemon" which should be
deployed in every compute node. It is basically an implementation
of CNI (Container Network Interface) that performs the neutron
port binding.

If users are using the capsule (pod) API, the recommended deployment
option is using "cri" as capsule driver. This is basically to use
a CRI runtime (i.e. CRI plugin for containerd) for supporting
capsules (pods). A CRI runtime needs a CNI plugin which is what
the "zun-cni-daemon" provides.

The configuration is based on the Zun installation guide [1].
It consists of the following steps:
* Configure the containerd daemon in the host. The "zun-compute"
  container will use grpc to communicate with this service.
* Install the "zun-cni" binary at host. The containerd process
  will invoke this binary to call the CNI plugin.
* Run a "zun-cni-daemon" container. The "zun-cni" binary will
  communicate with this container via HTTP.

Relevant patches:
Blueprint: https://blueprints.launchpad.net/zun/+spec/add-support-cri-runtime
Install guide: https://review.opendev.org/#/c/707948/
Devstack plugin: https://review.opendev.org/#/c/705338/
Kolla image: https://review.opendev.org/#/c/708273/

[1] https://docs.openstack.org/zun/latest/install/index.html

Depends-On: https://review.opendev.org/#/c/721044/
Change-Id: I9c361a99b355af27907cf80f5c88d97191193495
2020-04-30 02:22:20 +00:00
Zuul
5273828fae Merge "Remove support for Python 2 on the host" 2020-04-21 17:01:25 +00:00
Zuul
9f54c6fd1b Merge "Remove support for CentOS 7" 2020-04-20 16:57:53 +00:00
Mark Goddard
284f492861 Remove support for Python 2 on the host
Drops support for creating Python 2 virtualenvs in bootstrap-servers,
and looking for a python2 interpreter in the kolla-ansible script.

Also forces the use of Python 3 as the remote interpreter in CI on
Debian and Ubuntu hosts, since they typically symlink the unversioned
interpreter to python2.7.

Change-Id: Id0e977de381e7faafed738674a140ba36184727e
Partially-Implements: blueprint drop-py2-support
2020-04-20 16:18:31 +00:00
Zuul
2ba903de0d Merge "CI: do not build images on aarch64" 2020-04-16 15:59:13 +00:00
Marcin Juszkiewicz
3d653038dc CI: do not build images on aarch64
We publish those images for a while.

Change-Id: Ifc157b43e87e4f77a1c70d98343bd0ef9cc0de79
2020-04-16 09:29:07 +00:00
Zuul
975db2b2b4 Merge "OVN Support" 2020-04-15 20:51:57 +00:00
Marcin Juszkiewicz
bfd661a600 CI: tell Nova which CPU to emulate on AArch64
AArch64 does not have a way to get cpu features from libvirt.

Change-Id: Ieed404e17e8a9829f38c03f7ee7fdb3caa3919e8
2020-04-10 16:50:22 +00:00
James Kirsch
b475643c11 Add support for encrypting backend Keystone HAProxy traffic
This patch introduces an optional backend encryption for Keystone
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Keystone service.

Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network
2020-04-09 09:22:55 +00:00
Michal Nasiadka
8a0740df97 OVN Support
Implement OVN Ansible role.

Implements: blueprint ovn-controller-neutron-ansible

Depends-On: https://review.opendev.org/713422
Change-Id: Icd425dea85d58db49c838839d8f0b864b4a89a78
2020-04-09 07:40:12 +02:00
Mark Goddard
f4e20a1f16 Remove support for CentOS 7
CentOS 8 support is now fairly complete - time to drop CentOS 7.

Partially-Implements: blueprint centos-rhel-8

Change-Id: I940b1d3eceb98e16fa366c243672f588b1412d70
2020-04-08 17:05:10 +01:00
Michal Nasiadka
866a6ba16a CI: Enable fluentd in MariaDB jobs
Since fluentd is disabled in MariaDB jobs - haproxy logs are not getting
populated.

Change-Id: I56b3fc1be6940d97905cdb2c4452b846f106c071
Depends-on: https://review.opendev.org/713704
2020-03-19 09:01:23 +00:00
Michal Nasiadka
81ebae8fd1 CI: Change ceph-ansible docker tag to latest-nautilus
ceph-ansible by default uses "latest" tag for ceph Docker Hub images,
but recently latest tag has been upgraded to be Octopus release,
not Nautilus.

Change-Id: I5247c10079ab91cce130cd5ba403f25ccaf7c1fb
2020-03-17 11:20:36 +01:00
Mark Goddard
cdae86a747 CI: Add Ceph groups back to inventory
Following I21dd51c82534704f31ca8d3f72cb2587ee216cd9, the test inventory
was synced with the multinode inventory. This removed some temporary
ceph groups used by the ceph-ansible-upgrade jobs, and broke them. This
change adds the groups back.

Change-Id: I37379258447ffde6b083f4e8d9a1644bc17cd165
2020-03-03 10:12:01 +00:00
Zuul
e003898ffd Merge "CI: sync inventory with multinode" 2020-03-02 19:42:09 +00:00
Zuul
c00e1be43e Merge "CI: Use auto-detected python interpreter except on CentOS 7" 2020-02-23 17:04:17 +00:00
Mark Goddard
97a93f3266 CI: sync inventory with multinode
Change-Id: I21dd51c82534704f31ca8d3f72cb2587ee216cd9
2020-02-21 12:12:22 +00:00
Radosław Piliszek
4ac7f6f3a0 CI: Replace dummy interface (fake for neutron external) with VXLAN
This allows for some real testing, especially in a multinode
environment.

Change-Id: Ic96819fefe460e14c8460e52a78d9b0d034edc80
2020-02-21 08:56:26 +00:00
Zuul
ae41287129 Merge "CI: Fine tune Galera gmcast.peer_timeout to 15 seconds" 2020-02-21 07:09:38 +00:00
Michal Nasiadka
b05038929c CI: Fine tune Galera gmcast.peer_timeout to 15 seconds
In some resource-constrained environments, particularly during service
bootstrap Galera cluster nodes can experience timeouts in inter-node
communication.

This change sets the gmcast.peer_timeout based on the galera cluster
documentation:
https://galeracluster.com/library/documentation/galera-parameters.html

We are observing peer timeout issues on some CI runs - therefore raising
it to PT15S as in similar Ubuntu charms jobs.

Change-Id: Id036e41b62a88bab486c35a5f1fde5cfc2fa4803
2020-02-20 20:37:17 +00:00
Michal Nasiadka
f7bc4d78d9 CI: Add linuxbridge jobs
global_physnet_mtu needs to be set in neutron.conf, because linuxbridge-agent
discovers underlying vxlan0 interface mtu and returns an error when creating
vxlan port

CentOS8 job will not be added, because CentOS 8 iptables-ebtables package
is missing broute (--among-src) tables support required for linuxbridge agent,
see [1].

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1720637

Change-Id: I6b12f7ba95401d3342359c57ceeee8bec8aefe49
2020-02-20 17:08:04 +01:00
Michal Nasiadka
1a68c53fe0 CI: Add CentOS 8 ceph-ansible job
Change-Id: If354fbdeb2fd8d026faa0210b84da0a688c3ae0a
2020-02-14 09:29:05 +01:00
Zuul
cd3c51197e Merge "Remove kolla-ceph" 2020-02-13 10:09:24 +00:00
Zuul
ece2606aeb Merge "CI: Add TLS tests" 2020-02-12 01:20:19 +00:00