This patch adds an ability to receive TLS connections
to ProxySQL. Certificates and variable lookups are
added in order for TLS to be enabled by
<project_name>_database_internal_tls_enable.
Note that in order for this to work, mysql
connection strings need to have TLS enabled,
which can be added in separate per-service patches.
Change-Id: I2c06ce5e138f52259c1725dae37f25c1b00d1e6b
This commit adds TLS connection between ProxySQL and MariaDB.
Frontend TLS (between services and ProxySQL) will be
added in another commit.
Partially Implements: mariadb-ssl-support
Change-Id: I154cbb096469c5515c9d8156c2c1c5dd07b95849
Signed-off-by: Matus Jenca <matus.jenca@dnation.cloud>
The backup user was missing the necessary CREATE
privilege for the mariadb_backup_history table
within the mysql schema, causing backups to fail
when attempting to create this table.
This patch addresses the issue by granting the backup
user the required CREATE permission specifically for
the mariadb_backup_history table. With this change,
the backup process can now complete successfully
without manual intervention for user permissions.
Closes-Bug: #2061889
Change-Id: Ic92c8959972329adbd4b89c521aa87678f25b4e4
It's been some time since ProxySQL has been
with us in Kolla. Let's switch the load balancer
for MariaDB connections from HAProxy to ProxySQL.
Depends-On: https://review.opendev.org/c/openstack/kolla/+/928956
Change-Id: I42ba4fb83b5bb31058e888f0d39d47c27b844de5
In single-node clusters, ProxySQL shuns the server on MySQL
errors, causing failures during upgrades or container restarts.
This change increases the timeout to 10 seconds, allowing
the backend time to recover and preventing immediate errors
in CI environments.
Change-Id: I70becdc3fcb4ca8f7ae31d26097d95bdc6dd67eb
ubuntu-ceph is broken for now due to [1], also there are no
download.ceph.com packages for Noble - so we're using Ubuntu
provided ones from proposed - because current version
in regular repos is built from git sha instead of a release
and is not suitable for running outside of Ceph upstream CI.
[1]: https://tracker.ceph.com/issues/66389
Depends-On: https://review.opendev.org/c/openstack/kolla/+/907589
Change-Id: I384068572d8a1a495c60b401dc4144a0a80802f1
Since [1] Neutron puts requested-chassis entry with a name taken
from the agent, which results in FQDN-based name on FQDN-based
deployments. It does not match what we set in hostname in OVS.
[1]: I4e3c001dd3bb37b86fda8b9495a3c5178c3e736d
Closes-Bug: #2080552
Change-Id: I3ae03aa2e09bc445f0f5a95a43bf210f06685cc1
This patch fixes an issue where backend related
certificates are attempted to be copied when
``kolla_copy_ca_into_containers`` is enabled but
``kolla_enable_tls_backend`` is disabled.
The fix consists of these specific tasks now
being limited by the condition ``kolla_enable_tls_backend``.
Closes-Bug: #2080381
Change-Id: I7ccae4c501ce332519edef336bcceefae9f9568b
Kolla-ansible itself requires ansible-core>=2.16,<2.18,
but ansible-core in this version no longer supports
python38 and python39 as per [1].
So let's just drop this old python support.
[1] https://github.com/ansible/ansible/blob/v2.16.11/setup.cfg
Change-Id: Ic8aaa57f75479a17c215c27ac5e6df0f18c74edc
This update enhances the monitoring of the database cluster
in ProxySQL. The default monitoring intervals were insufficient
for reliably detecting failures in the Galera cluster environment.
A detailed configuration for monitoring intervals has been
introduced, providing better control over how quickly and accurately
ProxySQL can identify issues.
- Variables such as `mariadb_monitor_connect_interval`,
`mariadb_monitor_galera_healthcheck_interval`, and
`mariadb_monitor_ping_interval` significantly reduce
the time between connection checks.
- Timeouts like `mariadb_monitor_galera_healthcheck_timeout`
and `mariadb_monitor_ping_timeout` allow faster failure
detection, while `mariadb_monitor_galera_healthcheck_max_timeout_count`
sets the maximum number of allowed timeouts before marking a node as down.
Calculation:
- Galera healthcheck:
4 seconds (interval) + 1 second (timeout) + 4 seconds (interval)
+ 1 second (timeout) = 10 seconds.
- Ping healthcheck:
3 seconds (interval) + 2 seconds (timeout) + 3 seconds (interval)
+ 2 seconds (timeout) = 10 seconds.
Both the health check and ping check mechanisms will detect a node failure
within a maximum of 10 seconds. Both processes (health check and ping)
operate independently, and failure in either mechanism will mark the node
as failed.
Health Check Failure Detection: Up to 10 seconds.
Ping Failure Detection: Up to 10 seconds.
Connect Attempts: ProxySQL also tries to connect every 2 seconds, which
helps monitor connectivity.
These changes ensure that ProxySQL can detect issues in 10 seconds,
as HAProxy does, significantly reducing downtime compared to default settings.
This adjustment enables faster and more reliable monitoring, improving system
stability and reducing potential downtime in production environments.
Change-Id: Ic28801519cdb35ed2387a1468b9df661847a5476
Followup on Ib69fc0017b3bfbc8da4dfd4301710fbf88be661a. This change
adds the ability to provide the NTP (time source) server for multiple
DHCP ranges in the Ironic Inspector DHCP server.
Change-Id: I4bbfef3a391b8582ae73cbe06138715b43584dec
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
This change adds the ability to configure Huawei backends in Cinder
as described in [1] by adding the additional configuration XML files
to the cinder-volume containers. However, this change does not
provide the default configuration options for the cinder.conf due to
the wide range of Huawei hardware that is supported. Operators may
also wish to configure multiple backends, so they should use the
standard method of overriding backend sections to use these XML
files, as described in [2].
1. https://docs.openstack.org/cinder/latest/configuration/block-storage/drivers/huawei-storage-driver.html
2. https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html#openstack-service-configuration-in-kolla
Implements: blueprint cinder-huawei-backend
Co-Authored-By: Juan Pablo Suazo <jsuazo@whitestack.com>
Co-Authored-By: Maksim Malchuk <maksim.malchuk@gmail.com>
Change-Id: Ic8624b2e956b1f48f5fb96d6d8a0150b67236d20
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
This patch resolves an issue where ProxySQL could not
bind due to incorrectly formatted IPv6 addresses in the
`mysql_ifaces` configuration. Kolla's
`put_address_in_context` filter is now used, ensuring
the addresses are properly enclosed in square brackets
for correct binding.
Closes-Bug: #2081106
Change-Id: Ic166b8d9a500023c8d23ec9fee03b28b268b26e7
This patch removes the hardcoded `distro_python_version`
mapping and usage from the configuration and templates,
aligning with the dynamic Python version detection
introduced in the dependent patch below.
The changes simplify the kolla-ansible roles by using
general `python3` paths, ensuring compatibility across
distributions without requiring version-specific handling.
Template files for Horizon, Ironic, Skyline, and others
have been updated to reflect this,
improving maintainability and reducing complexity.
Depends-On: https://review.opendev.org/c/openstack/kolla/+/926744
Change-Id: I85431b058b4184d96600cf17aaf8de871a018d61
From version 2.1, ProxySQL has a built-in ProxySQL
Prometheus exporter. This patch adds an option to
easily enable this exporter [1].
[1] https://proxysql.com/documentation/prometheus-exporter
Change-Id: I8776cdc0a6ec9e4e35a2424dd0984488514a711f
This patch fixes an issue where the inventory file is deleted
by a kolla-ansible -i /etc/kolla/inventory destroy call.
Now, inventories are available in tools/cleanup-host
so we can ignore their removal.
Closes-Bug: #2052706
Change-Id: If89e94356de515b40ca4e8c023979cd498146303