First part of patchset:
https://review.opendev.org/c/openstack/kolla-ansible/+/799229/
in which was suggested to split patch into smaller ones.
This implements kolla_container_engine variable
in command calls of docker,so later on it can be
also used for podman without further change.
Signed-off-by: Ivan Halomi <i.halomi@partner.samsung.com>
Change-Id: Ic30b67daa2e215524096ad1f4385c569e3d41b95
RHEL 9 are being compiled for the x86_64-v2 architecture which is
newer than the qemu default of qemu64. Nehalem is apparently the
oldest model that works for x86_64-v2 and is expected to work on
Intel and AMD cpus with kvm or qemu.
See devstack change [0].
[0]: Ibd6e11b59f3c8655bc60ace7383a08458b2177f2
Change-Id: Ia0a3620bae21984933756331bb5937ce681d3237
By default ProxySQL's default value of max_replication_lag
is 0 which is in fact disabling this feature [1].
If it is greater than 0, ProxySQL will regularly monitor
replication lag and if it goes beyond the configured threshold
it will temporary shun the host until replication catches up.
This should be configurable via kolla-ansible as every
openstack deployment can be different in terms of network
delays, database load etc.. , so user should have option
to configure when database backend will be shunned.
[1] https://proxysql.com/documentation/main-runtime/
Change-Id: I66171638abc712cb84b380042f1d29f54c499e73
During zun_cni_daemon binds the port to container netns,
zun_cni_damon creates a new net namepsaces(cni-xxx),
Currently, the namespace is only present inside the
zun_cni_daemon container, if this container restart or
rerun, all zun capsules will lost network capability.
Closes-Bug: #1993551
Change-Id: I3642bbf1ad8e8f4744b215fb8deff25fd4ceae75
Following up on [1] and fix freezer deployment accidentally broken
after removing 'domain_name' from the 'openstack_auth'.
1. Ib631e2211682862296cce9ea179f2661c90fa585
Change-Id: Ie928f8a4506f41407d76edcb6b52ca7cddb52214
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
We agreed that CentOS Stream 9 images are not published as we keep it
for CI use only (to check potential failures before it hits RHEL).
We recommend Rocky Linux 9 instead.
Change-Id: I06e6746e5c2abbdcd97912ea2f99d82fc662531d
Some time ago we dropped RHEL as one of possible options. During 'Zed'
cycle we added Rocky Linux 9 as alternative to CentOS Stream 9.
This change updates some mentions of both.
Change-Id: I9ed93efcb7d1ff97b1c7d8342db8252aba2a9887
Adds a deprecation notice for Monasca service together with
its dependecies: Kafka, Storm and Zookeeper.
Change-Id: Ia9daf170ce9157edb2132c69ee6a923bc4d6f980
Kolla Ansible now supports failing execution early if fact collection
fails on any of the hosts. This is to avoid late failures due to missing
facts (especially cross-host).
Change-Id: I7a74b937ded0b9da0621cf413f3a5d0d13a2cd68
Partial-Bug: #1833737
By resetting image_upload_use_cinder_backend to upstream default.
When uploading volume to glance image, cinder looks at the backend's
image_upload_use_cinder_backend config knob to decide whether to try link
the glance image to a cloned volume made by cinder, i.e. by doing all work
locally and only updating glance's locations for the image (when the knob
is set to True). However, after all [1], [2] and [3], which happens since
Victoria, this option requires further config from user (using volume type
with image_service:store_id property (aka extra spec) set to the desired
glance store (even if there is only one cinder store configured).
Please read the bug report as to why the option removal is the
best option (TL;DR it is the most compatible approach).
[1] https://review.opendev.org/c/openstack/kolla-ansible/+/708114
[2] https://review.opendev.org/c/openstack/glance_store/+/746556
[3] https://review.opendev.org/c/openstack/cinder/+/661676
Closes-Bug: #1991516
Change-Id: Ife87ee0241d907a0c407eb21811a354ed1734408
These are not used by the relevant daemons and so can be dropped to,
e.g., avoid creating the cinder volume on hosts where there is no
cinder.
Change-Id: Ia8d906a9e0227f361883a7ec1ec8dcd73e4104dc
This is generally considered insecure because it may reveal
sensitive data [1].
Furthermore, it happens that the default Ceph perms cause fatal
ERRORs with this setting:
1) when Glance wants to remove an image, it cannot list children
because Cinder or Nova might have created a linked volume clone
behind the scenes and it is put in another pool (volumes/vms)
which Glance cannot normally access;
2) when Nova wants to create an image, it lacks permissions
to write to the images pool.
Thus, I propose that Kolla Ansible stops setting this by default
and relies on the working defaults.
The downside is that this disables optimisations in Cinder and Nova.
On the other hand, these optimisations have nasty behaviour of
being linked directly to the original image, preventing its removal.
[1] https://docs.openstack.org/glance/yoga/configuration/glance_api.html#DEFAULT.show_multiple_locations
Change-Id: I63ee9a6eefd8593f2169bba34dbb699f413d7cf8
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860093
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860291
Closes-Bug: #1992153
Currently kolla-ansible sets haproxy balance algorithm to source for
horizon. We can set it to round-robin if the cache backend is memcached
or using the database as the session storage backend. So we can
distribute http requests evenly to all available horizon instances.
Closes-Bug: #1990523
Change-Id: I0721cadcf53d59947bc0db6a193bfafe49c41ad3
This patch also changes python version and default tag for centos.
prometheus-efk and venus jobs commented out, elasticsearch images
are unbuildable
cells is commented out because proxysql is unbuildable
Change-Id: Ic358f8b600317d3c2fc45130a59785225aea1153
JWT failed to validate on auth-oidc endpoint used by openstack cli
with "could not find key with kid: XX" error. To fix this we need
to use jwks provided in "jwks_uri" by OIDC metadata endpoint.
Missing "ServerName" directive from vhost config causes redirection
to fail in some cases when external tls is enabled.
- added "keystone_federation_oidc_jwks_uri" variable
- added "OIDCOAuthVerifyJwksUri" to keystone vhost config
- added "ServerName" to keystone vhost config
- jinja templating additional whitespace trimmed to
correct end result indentation and empty newlines
Closes-bug: 1990375
Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
With this option enabled, dnsmasq can offer the same IP address to
multiple hosts when their requests are close to each other. Remove this
option in order to use the built-in hashing mechanism which will
allocate random IP addresses, which should be less likely to conflict.
Closes-Bug: #1991390
Change-Id: I09a9fa2d0c54635b899ad7906cc2e2e4580ef5ad
Both venv and linters (and its children) environments install
kolla-ansible and thus also install the requirements.
However, they were doing this post-factum and thus without the
constraints pin.
This patch also removes the installation of test-requirements
in venv as it is meant to be used for running the software and
we already have environments for unit tests.
The doc requirements are left in place because docs mention
that ``tox -e venv -- reno`` should work. They should be harmless
but I am open to removing them as well.
Change-Id: I15f1ecc216c9ba81dad740c372d297adf279a945
