The "balance" keyword is not valid in a frontend section. From the
HAProxy documentation[1]:
balance <algorithm> [ <arguments> ]
balance url_param <param> [check_post [<max_wait>]]
Define the load balancing algorithm to be used in a backend.
May be used in sections : defaults | frontend | listen | backend
yes | no | yes | yes
When running HAProxy using the "split" template style, where a
frontend/backend pair are used instead of one listen section, HAProxy
will emit warnings for the Horizon config due to this.
[1]: https://www.haproxy.org/download/1.5/doc/configuration.txt
Closes-Bug: #1872540
Change-Id: I91cee275d91a51944298618493f4ea0cd80282cc
This fixes Octavia in scenarios requiring providing
CA cert (self-signed, internally-signed).
Change-Id: I60b7ec85f4fd8bbacf5df0ab7ed9a00658c91871
Closes-Bug: #1872404
Deploy a small cloud. Add one host to the compute group in the
inventory, and scale out:
$ kolla-ansible deploy --limit <new compute host>
The command succeeds, but creating an instance fails with the following:
Host 'compute0' is not mapped to any cell
This happens because we only discover computes on the first host in the
cell's nova conductor group. If that host is not in the specified limit,
the discovery will not happen.
This change fixes the issue by running compute discovery when any ironic
or virtualised compute hosts are in the play batch, and delegating it to
a conductor.
Change-Id: Ie984806240d147add825ffa8446ae6ff55ca4814
Closes-Bug: #1869371
When using the split config style, all backends would be empty, which
meant that HAProxy was unable to serve any traffic. This turned out to
be due to a bad default in the split config template.
Closes-Bug: #1872545
Change-Id: I952e526e735e1d31445963f04d41d66bbdbfdee4
Refactor service configuration to use the copy certificates task. This
reduces code duplication and simplifies implementing encrypting backend
HAProxy traffic for individual services.
Change-Id: I0474324b60a5f792ef5210ab336639edf7a8cd9e
In Ibecac60d1417269bbe25a280996ca9de6e6d018f, the services in the common
role were marked as being mapped to the 'all' group, since the
'service_mapped_to_host' filter expects every service definition to have
either a 'group' or 'host_in_groups' field. While this allows the filter
to pass the common services without error, it will not actually show
them as being mapped to any hosts. This is because the filter uses the
'group_names' variable, which contains all of the groups that a host
belongs to, except the default 'all' group.
This change fixes the issue by returning True from
service_mapped_to_host when the service's group is 'all'.
Change-Id: I39c8416f5d30a535c1743f9c43434b7d2a382196
Related-Bug: #1868596
etcd via tooz does not support group membership required by
Designate coordination.
The best k-a can do is not to configure etcd in Designate.
Change-Id: I2f64f928e730355142ac369d8868cf9f65ca357e
Closes-bug: #1872205
Related-bug: #1840070
Allow operators to use custom parameters with the ceilometer-upgrade
command. This is quite useful when using the dynamic pollster subsystem;
that sub-system provides flexibility to create and edit pollsters configs,
which affects gnocchi resource-type configurations. However, Ceilometer
uses default and hard-coded resource-type configurations; if one customizes
some of its default resource-types, he/she can get into trouble during
upgrades. Therefore, the only way to work around it is to use the
"--skip-gnocchi-resource-types" flag. This PR introduces a method for
operators to execute such customization, and many others if needed.
Depends-On: https://review.opendev.org/#/c/718190/
Change-Id: I92f0edba92c9e3707d89b3ff4033ac886b29cf6d
AArch64 needs a bit more time to boot testing instance. So give it more
time by doubling amount of connect attempts.
Change-Id: I87ca65691dfbac84349e8af24d2f36f1db1c8be1
Some services look for /etc/timezone on Debian/Ubuntu, so we should
introduce it to the containers.
In addition, added prechecks for /etc/localtime and /etc/timezone.
Closes-Bug: #1821592
Change-Id: I9fef14643d1bcc7eee9547eb87fa1fb436d8a6b3
In kolla ansible we typically configure services to communicate via IP
addresses rather than hostnames. One accidental exception to this was
live migration, which used the hostname of the destination even when
not required (i.e. TLS not being used for libvirt).
To make such hostnames work, k-a adds entries to /etc/hosts in the
bootstrap-servers command. Alternatively users may provide DNS.
One problem with using /etc/hosts is that, if a new compute host is
added to the cloud, or an IP address is changed, that will not be
reflected in the /etc/hosts file of other hosts. This would cause live
migration to the new host from an old host to fail, as the name cannot
be resolved.
The workaround for this was to update the /etc/hosts file (perhaps via
bootstrap-servers) on all hosts after adding new compute hosts. Then the
nova_libvirt container had to be restarted to pick up the change.
Similarly, if user has overridden the migration_interface, the used
hostname could point to a wrong address on which libvirt would not
listen.
This change adds the live_migration_inbound_addr option to nova.conf. If
TLS is not in use for libvirt, this will be set to the IP address of the
host on the migration network. If TLS is enabled for libvirt,
live_migration_inbound_addr will be set to migration_hostname, since
certificates will typically reference the hostname rather than the
host's IP. With libvirt TLS enabled, DNS is recommended to avoid the
/etc/hosts issue which is likely the case in production deployments.
Change-Id: I0201b46a9fbab21433a9f53685131aeb461543a8
Closes-Bug: #1729566
This patch introduces an optional backend encryption for Keystone
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Keystone service.
Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network
This is a follow up to I001defc75d1f1e6caa9b1e11246abc6ce17c775b. To
maintain previous behaviour, and ensure we catch any host configuration
changes, we should perform host configuration during upgrade.
Change-Id: I79fcbf1efb02b7187406d3c3fccea6f200bcea69
Related-Bug: #1860161
Elasticsearch 6.x dropped support for mapping types[1], which by default
the Kibana index used. This means that when deploying ELK 6.x, the
Kibana index must be migrated to the new schema to preserve dashboards
and visualizations. There is a process defined[2], which involves
creating a new index with the specified schema, then reindexing the old
index's data into the new index, then doing a rename/delete.
This adds support for that workflow via Ansible. It takes place after
the ES container is restarted after an upgrade, so there will be a
(short) period of time where the Kibana index is not migrated. During
this time, Kibana still loads, but presents the user with a status
screen informing that the index needs migration.
[1]:
https://www.elastic.co/guide/en/elasticsearch/reference/6.x/removal-of-types.html
[2]: https://www.elastic.co/guide/en/kibana/6.x/migrating-6.0-index.html
Implements: blueprint elasticsearch-kibana-version-upgrade
Depends-On: https://review.opendev.org/709624
Change-Id: I4550629e2113f3da7f1cecfeab0d5fe0d899dae8
This updates the elasticsearch configuration file (and loading
mechanism) for ELK 6.x.
The default location for the configuration for all package
distributions is /etc/elasticsearch[1], so now that is where we
overwrite the elasticsearch.yml.
The path.conf and path.scripts paths are no longer supported and will
raise exceptions if utilized in 6.x.
[1]:
https://www.elastic.co/guide/en/elasticsearch/reference/6.x/settings.html#config-files-location
Implements: blueprint elasticsearch-kibana-version-upgrade
Depends-On: https://review.opendev.org/#/c/647748/
Change-Id: I4f74bfe07d4b7ca18953b11e767cf0bb94dfd67e
manila share container name variable is fixed in some places,
but in the defaults directory, manila share container_name variable
is variable. If the manila share container_name variable is changed
during deployment, it will not be assigned to container name,
but a fixed 'manila_share' name.
Change-Id: Iea23c62518add8d6820b76b16edd3221906b0ffb
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found by updated hacking version.
Remove hacking and friends from lower-constraints, they are not needed
during installation.
Change-Id: I7ef5ac8a89e94f5da97780198619b6facc86ecfe
We don't need tox nor tell our users to use it when doing kolla
builds.
Tox is going away from base infra images.
It's already gone from aarch64 (arm64) ones.
Change-Id: I2eb5203ad93c011b8806f4b6fb56db081c14a2cb
The use of default(omit) is for module parameters, not templates. We
define a default value for openstack_cacert, so it should never be
undefined anyway.
Change-Id: Idfa73097ca168c76559dc4f3aa8bb30b7113ab28
