1791 Commits

Author SHA1 Message Date
Michal Nasiadka
e1ec02eddf Replace ElasticSearch and Kibana with OpenSearch
This change replaces ElasticSearch with OpenSearch, and Kibana
with OpenSearch Dashboards. It migrates the data from ElasticSearch
to OpenSearch upon upgrade.

No TLS support is in this patch (will be a followup).

A replacement for ElasticSearch Curator will be added as a followup.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/830373

Co-authored-by: Doug Szumski <doug@stackhpc.com>
Co-authored-by: Kyle Dean <kyle@stackhpc.com>
Change-Id: Iab10ce7ea5d5f21a40b1f99b28e3290b7e9ce895
2022-12-01 10:27:50 +00:00
Michal Nasiadka
63a7968d8d ovn: Break out role into ovn-db and ovn-controller roles
Instead of handling everything in one role - let's have small
fit-for-purpose roles, because in reality these are two host
roles and performance should be better with this approach.

[1]: https://docs.ovn.org/en/latest/intro/install/ovn-upgrades.html

Change-Id: I8f9dbe9d950323f16375ad5e1dbaedfb1be6585f
2022-11-28 13:52:30 +01:00
Zuul
093e28aba1 Merge "Revert "Generate ovn-chassis-mac-mappings on ovn-controller group"" 2022-11-23 16:57:17 +00:00
Bartosz Bezak
826fd12a11 Revert "Generate ovn-chassis-mac-mappings on ovn-controller group"
This reverts commit 8bf8656dbad3def707eca2d8ddd2c9bfed389b86.

Reason for revert: Setting ovn-chassis-mac-mappings on network nodes
is causing mac flooding [1] [2] for traffic between external ports,
and very slow throughput in consequence.
OVN HA Chassis priorities between gateways should probably be managed
by Neutron [3].

[1] https://mail.openvswitch.org/pipermail/ovs-discuss/2020-September/050691.html
[2] https://mail.openvswitch.org/pipermail/ovs-discuss/2022-May/051837.html
[3] https://mail.openvswitch.org/pipermail/ovs-discuss/2022-October/052068.html

Change-Id: Ia3b279d7e2c08464fda1a5dc41518296f559e93f
2022-11-23 13:16:59 +00:00
Zuul
83a51bbb30 Merge "Allow setting any_errors_fatal true for gather-facts" 2022-11-22 10:08:57 +00:00
Zuul
cf1a2a9211 Merge "Adds a wrapper script to run ovs-vsctl commands in the container" 2022-11-22 10:02:51 +00:00
Zuul
0e4bdb9cac Merge "Generate ovn-chassis-mac-mappings on ovn-controller group" 2022-11-15 16:52:07 +00:00
Bartosz Bezak
8bf8656dba Generate ovn-chassis-mac-mappings on ovn-controller group
Previously ovn-chassis-mac-mappings [1] had been added only to the
ovn-controller-compute group. However, external ports are being
scheduled on network nodes, therefore we also need to do that there.

Closes-Bug: 1995078

[1] https://github.com/ovn-org/ovn/blob/v22.09.0/controller/ovn-controller.8.xml#L239

Change-Id: Ie62e9220bad56262cad602ca1480e6ca65827819
2022-11-15 14:12:52 +01:00
Will Szumski
a82443481e Adds a wrapper script to run ovs-vsctl commands in the container
Libvirt needs to be able to plug ports into openvswitch bridges.
It does this using the ovs-vsctl command, which it searches for
in $PATH [1, 2]. This change will optionally install a wrapper
script that executes the ovs-vsctl commands in the context of the
openvswitchd container. This is useful when running libvirt on the
host whilst still running openvswitch in a container. The advantage
of this method over installing the packages on the host is that it
ensures client compatibility with the daemon. The default is set
to false as the wrapper could overwrite ovs-vsctl installed on the
host.

[1] ee51ab86c2/src/util/virnetdevopenvswitch.c (L59)
[2] a89b17c2a7/docs/kbase/internals/command.rst (id3)

Closes-Bug: #1995409
Change-Id: Iaa6bfb012ae847f5f6aa0a1fc1c27970ac265f93
2022-11-15 10:16:02 +00:00
Doug Szumski
adb8f89a36 Remove support for deploying OpenStack Monasca
Kolla Ansible is switching to OpenSearch and is dropping support for
deploying ElasticSearch. This is because the final OSS release of
ElasticSearch has exceeded its end of life.

Monasca is affected because it uses both Logstash and ElasticSearch.
Whilst it may continue to work with OpenSearch, Logstash remains an
issue.

In the absence of any renewed interest in the project, we remove
support for deploying it. This helps to reduce the complexity
of log processing configuration in Kolla Ansible, freeing up
development time.

Change-Id: I6fc7842bcda18e417a3fd21c11e28979a470f1cf
2022-11-11 15:48:11 +00:00
Zuul
4fa36cbe08 Merge "Fix ironic interface option for ironic-inspector" 2022-11-02 08:04:43 +00:00
Michal Arbet
6c9d1f9b55 Fix missing logrotate configuration for proxysql logs
This trivial patch is just adding the missing logrotate
configuration for proxysql.

Closes-Bug: #1995248
Change-Id: I3ad88d03836930160b6db43a7cad63b34ffc62b0
2022-10-31 11:26:43 +01:00
Mark Goddard
fa96fd1a2f Fix ironic interface option for ironic-inspector
The correct option to use is valid_interfaces [1], not os_endpoint_type.
The os_endpoint_type option was removed in Train.

[1] https://docs.openstack.org/ironic-inspector/wallaby/configuration/sample-config.html

Change-Id: I3906d7b9a2bebfe5c323cba5f80add3e932468c8
Closes-Bug: #1995246
Related-Bug: #1990675
2022-10-31 09:45:38 +00:00
Zuul
c3dde9933e Merge "Mount /run directory into zun_cni_daemon container" 2022-10-28 12:03:36 +00:00
Zuul
bede68572a Merge "Support specifying Nova compute provider config" 2022-10-27 13:31:45 +00:00
Zuul
f9bc6b10a5 Merge "Default to Rocky Linux instead of CentOS Stream" 2022-10-26 12:20:31 +00:00
Michal Arbet
bee253e337 Adds ability to configure ProxySQL's max replication lag
By default ProxySQL's value of max_replication_lag
is 0, which in fact disables this feature [1].
If it is greater than 0, ProxySQL will regularly monitor
replication lag and if it goes beyond the configured threshold
it will temporarily shun the host until replication catches up.

This should be configurable via kolla-ansible as every
openstack deployment can be different in terms of network
delays, database load etc., so the user should have the option
to configure when the database backend will be shunned.

[1] https://proxysql.com/documentation/main-runtime/

Change-Id: I66171638abc712cb84b380042f1d29f54c499e73
2022-10-20 11:41:34 +02:00
wuchunyang
ccbdfaea5c Mount /run directory into zun_cni_daemon container
When zun_cni_daemon binds the port to the container netns,
zun_cni_daemon creates a new net namespace (cni-xxx).
Currently, the namespace is only present inside the
zun_cni_daemon container; if this container restarts or
reruns, all zun capsules will lose network capability.

Closes-Bug: #1993551

Change-Id: I3642bbf1ad8e8f4744b215fb8deff25fd4ceae75
2022-10-19 22:56:29 +08:00
Marcin Juszkiewicz
3c6959df33 Default to Rocky Linux instead of CentOS Stream
We agreed that CentOS Stream 9 images are not published as we keep it
for CI use only (to check potential failures before it hits RHEL).

We recommend Rocky Linux 9 instead.

Change-Id: I06e6746e5c2abbdcd97912ea2f99d82fc662531d
2022-10-18 14:50:11 +02:00
Piotr Parczewski
766a7827f9 Deprecate Monasca and dependencies
Adds a deprecation notice for the Monasca service together with
its dependencies: Kafka, Storm and Zookeeper.

Change-Id: Ia9daf170ce9157edb2132c69ee6a923bc4d6f980
2022-10-12 10:33:47 +00:00
Zuul
2d56e829ac Merge "Make Keystone admin endpoint creation optional" 2022-10-10 12:28:16 +00:00
Radosław Piliszek
5b431f0f7f Allow setting any_errors_fatal true for gather-facts
Kolla Ansible now supports failing execution early if fact collection
fails on any of the hosts. This is to avoid late failures due to missing
facts (especially cross-host).

Change-Id: I7a74b937ded0b9da0621cf413f3a5d0d13a2cd68
Partial-Bug: #1833737
2022-10-10 11:11:15 +00:00
Zuul
2e2cd75979 Merge "Stop showing image locations" 2022-10-10 08:39:34 +00:00
Radosław Piliszek
a4b4043308 Fix image from volume upload ERRORs and WARNINGs with Ceph RBD
By resetting image_upload_use_cinder_backend to upstream default.

When uploading a volume to a glance image, cinder looks at the backend's
image_upload_use_cinder_backend config knob to decide whether to try to link
the glance image to a cloned volume made by cinder, i.e. by doing all work
locally and only updating glance's locations for the image (when the knob
is set to True). However, after all of [1], [2] and [3], which happens since
Victoria, this option requires further config from the user (using a volume type
with the image_service:store_id property (aka extra spec) set to the desired
glance store, even if there is only one cinder store configured).

Please read the bug report as to why the option removal is the
best option (TL;DR it is the most compatible approach).

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/708114
[2] https://review.opendev.org/c/openstack/glance_store/+/746556
[3] https://review.opendev.org/c/openstack/cinder/+/661676

Closes-Bug: #1991516
Change-Id: Ife87ee0241d907a0c407eb21811a354ed1734408
2022-10-07 15:05:12 +00:00
Radosław Piliszek
da292982b1 Stop showing image locations
This is generally considered insecure because it may reveal
sensitive data [1].
Furthermore, it happens that the default Ceph perms cause fatal
ERRORs with this setting:
1) when Glance wants to remove an image, it cannot list children
because Cinder or Nova might have created a linked volume clone
behind the scenes and it is put in another pool (volumes/vms)
which Glance cannot normally access;
2) when Nova wants to create an image, it lacks permissions
to write to the images pool.

Thus, I propose that Kolla Ansible stops setting this by default
and relies on the working defaults.
The downside is that this disables optimisations in Cinder and Nova.
On the other hand, these optimisations have the nasty behaviour of
being linked directly to the original image, preventing its removal.

[1] https://docs.openstack.org/glance/yoga/configuration/glance_api.html#DEFAULT.show_multiple_locations

Change-Id: I63ee9a6eefd8593f2169bba34dbb699f413d7cf8
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860093
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860291
Closes-Bug: #1992153
2022-10-07 14:20:08 +00:00
Doug Szumski
522c3291cd Support specifying Nova compute provider config
In the Victoria cycle, Nova merged improved support for
managing resource providers:
https://review.opendev.org/q/topic:bp%252Fprovider-config-file

See the blueprint for more details:
https://docs.openstack.org/nova/latest/admin/managing-resource-providers.html

This change allows us to copy the necessary configuration.

Change-Id: I0a3caaad73bc6fe27380e7f6bf6b792aca51c84c
2022-10-07 12:58:38 +00:00
Zuul
c2cbf061b6 Merge "Remove the deprecated enable_ironic_ipxe" 2022-10-04 14:21:23 +00:00
Zuul
2d37ce15e7 Merge "set haproxy balance algorithm to roundrobin for horizon" 2022-10-04 14:21:20 +00:00
Zuul
1cddf8050d Merge "Keystone OIDC JWKS fix" 2022-10-04 14:21:17 +00:00
Zuul
0052deac23 Merge "Remove dhcp-sequential-ip in ironic dnsmasq config" 2022-10-04 10:54:21 +00:00
Zuul
447ee7b269 Merge "Fix interface option for ironic-neutron-agent" 2022-10-04 10:40:02 +00:00
Serhat Rıfat Demircan
155ed969ae set haproxy balance algorithm to roundrobin for horizon
Currently kolla-ansible sets the haproxy balance algorithm to source for
horizon. We can set it to round-robin if the cache backend is memcached
or the database is used as the session storage backend, so we can
distribute http requests evenly to all available horizon instances.

Closes-Bug: #1990523
Change-Id: I0721cadcf53d59947bc0db6a193bfafe49c41ad3
2022-10-03 22:42:41 +03:00
Jakub Darmach
9892976119 Keystone OIDC JWKS fix
JWT failed to validate on auth-oidc endpoint used by openstack cli
with "could not find key with kid: XX" error. To fix this we need
to use jwks provided in "jwks_uri" by OIDC metadata endpoint.

Missing "ServerName" directive from vhost config causes redirection
to fail in some cases when external tls is enabled.

  - added "keystone_federation_oidc_jwks_uri" variable
  - added "OIDCOAuthVerifyJwksUri" to keystone vhost config
  - added "ServerName" to keystone vhost config
  - jinja templating additional whitespace trimmed to
    correct end result indentation and empty newlines

Closes-bug: 1990375
Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
2022-10-03 12:36:11 +02:00
Pierre Riteau
9ce47b2fff Remove dhcp-sequential-ip in ironic dnsmasq config
With this option enabled, dnsmasq can offer the same IP address to
multiple hosts when their requests are close to each other. Remove this
option in order to use the built-in hashing mechanism which will
allocate random IP addresses, which should be less likely to conflict.

Closes-Bug: #1991390
Change-Id: I09a9fa2d0c54635b899ad7906cc2e2e4580ef5ad
2022-09-30 13:26:23 +02:00
Radosław Piliszek
3029281c1d Remove the deprecated enable_ironic_ipxe
Change-Id: Ia8acdf69cb3676ec939777c32f0568cb720c471f
2022-09-29 10:39:19 +02:00
Zuul
6bff120d2d Merge "Introduce variables for cinder backend names" 2022-09-27 17:13:40 +00:00
Zuul
652bbe30c8 Merge "Fix Ironic API healthcheck with backend TLS" 2022-09-27 16:15:55 +00:00
Zuul
80c059a2a1 Merge "Do not enable nova_legacy service by default" 2022-09-27 16:09:02 +00:00
Radosław Piliszek
4277c1a1a4 Do not enable nova_legacy service by default
Change-Id: Ic89097fdc72d4fa11754201ed6e388bf79ca40b6
2022-09-27 08:37:05 +00:00
Michal Arbet
02ce483852 Specify number of threads for designate bind9 backend
Bind9 is running without a limit on UDP listeners.
This patch changes this behaviour and sets a maximum of 32
UDP listeners. This is needed because of the bug below [1].

[1] https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1827923

Change-Id: Ie4c2ac4d5e990ebdc30c3a94d855703d814f1fee
2022-09-26 20:18:25 +02:00
Radosław Piliszek
ee32736c15 Make Keystone admin endpoint creation optional
The admin endpoint is kept on upgrade to allow the upgrade to
happen (as it allows rewriting the previous admin endpoint entry
to the new one).

Change-Id: I1c16892bab67f281d539843f1f0fa658df1c4874
Depends-On: https://review.opendev.org/c/openstack/kolla/+/854837
2022-09-26 18:17:39 +00:00
Radosław Piliszek
6a7e6a25bc Remove deprecated sysctl knobs
Kolla Ansible stopped setting them as they turned out to be
unnecessary for its operations, yet may have conflicted with
security policies of the hosts. [1] [2]

[1] https://launchpad.net/bugs/1837551
[2] https://launchpad.net/bugs/1945453

Change-Id: Ie8ccd3ab6f22a6f548b1da8d3acd334068dc48f5
2022-09-26 11:54:08 +00:00
Pierre Riteau
39eafd068b Fix interface option for ironic-neutron-agent
The correct option to use is valid_interfaces [1], not os_endpoint_type.

[1] https://docs.openstack.org/networking-baremetal/latest/configuration/ironic-neutron-agent/config.html#ironic

Closes-Bug: #1990675
Change-Id: I35e7d3072c6340f4ecbe02f8961158bcb663954e
2022-09-26 10:52:38 +02:00
Pierre Riteau
5c55583b04 Fix Ironic API healthcheck with backend TLS
Closes-Bug: #1990819
Change-Id: I12c451077114b77b11810f25eb5b6187cdf08ad9
2022-09-26 10:51:50 +02:00
Zuul
a396284a83 Merge "Fix AlertManager's external web url" 2022-09-09 13:17:03 +00:00
Piotr Parczewski
61ff6f811a Fix AlertManager's external web url
Remove hard-coded internal address; introduce variable to control
external web url.

Closes-bug: #1972817
Change-Id: Ib834a9f8b4a0238960dca65b2ebc1da840cec626
2022-09-09 10:05:07 +00:00
Zuul
a914b6668d Merge "Enable TLS in Bifrost" 2022-09-07 15:46:55 +00:00
Zuul
0411ff3bb4 Merge "Allow exposing OpenStack exporter via HAProxy" 2022-09-07 09:10:14 +00:00
Stig Telfer
ffb4767c05 Increase the Fluentd request timeout for ES
Fluentd has a default timeout of 5s for flushing data to ElasticSearch.
If there is a significant backlog of unsent log messages, this timeout
can be exceeded, resulting in Fluentd failing to make further progress.

Raise the default timeout to 60s.

This patch adopts the configuration parameters previously proposed by
Krzysztof Klimonda.

Closes-Bug: #1983031
Closes-Bug: #1896611
Change-Id: I1aaab654a5a0752fccef2cfb8cc0bde4a0ee2562
2022-09-05 10:33:16 +00:00
Franco Mariotti
7219279215 Allow exposing OpenStack exporter via HAProxy
Signed-off-by: Franco Mariotti <fmariotti@whitestack.com>
Change-Id: Ie151cd97d3e0ba3bfec9e95a5b8bdfef0b54806c
2022-08-31 13:29:02 -03:00