38 Commits

Author SHA1 Message Date
Ghanshyam Mann
283fa242ca Remove system scope token to access services
As per the RBAC new direction in Zed cycle, we have dropped the
system scope from API policies and all the policies are hardcoded
to project scoped so that any user accessing APIs using system scope
will get 403 error. It is dropped from all the OpenStack services
except for the Ironic service which will have system scope and to
support ironic only deployment, we are keeping system as well as project
scope in Keystone.

Complete discussion and direction can be found in the below gerrit
change and TC goal direction:

- https://review.opendev.org/c/openstack/governance/+/847418
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept

As phase-2 of RBAC goal, services will start enabling the new
defaults and project scope by default. For example: Nova did in
- https://review.opendev.org/c/openstack/nova/+/866218

Kolla who start accessing the services using system scope token
- https://review.opendev.org/c/openstack/kolla-ansible/+/692179

This commit partially revert the above change except keeping
system scope usage for Keystone and Ironic. Rest all services are changed
to use the project scope token.

And enable the scope and new defaults for Nova which was disabled
by https://review.opendev.org/c/openstack/kolla-ansible/+/870804

Change-Id: I0adbe0a6c39e11d7c9542569085fc5d580f26c9d
2023-01-26 17:52:00 -06:00
Maksim Malchuk
9d5924cbc4 Fix freezer deployment
Following up on [1] and fix freezer deployment accidentally broken
after removing 'domain_name' from the 'openstack_auth'.

1. Ib631e2211682862296cce9ea179f2661c90fa585

Change-Id: Ie928f8a4506f41407d76edcb6b52ca7cddb52214
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
2022-10-18 16:13:36 +03:00
Michal Arbet
3e8db91a1e Add api_workers for each service to defaults
Render {{ openstack_service_workers }} for workers
of each openstack service is not enough. There are
several services which has to have more workers because
there are more requests sent to them.

This patch is just adding default value for workers for
each service and sets {{ openstack_service_workers }} as
default, so value can be overrided in hostvars per server.
Nothing changed for normal user.

Change-Id: Ifa5863f8ec865bbf8e39c9b2add42c92abe40616
2022-07-12 20:09:16 +02:00
Radosław Piliszek
72b63dfee7 Further Keystone-related cleanups
Per comments on [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/843727

Change-Id: I60162b54bc06e158534d29311d4474b34750c64d
2022-06-20 08:40:03 +00:00
Will Szumski
49006e56d9 Add keystone_authtoken.service_type
Fixes an issue where access rules failed to validate:

    Cannot validate request with restricted access rules. Set
    service_type in [keystone_authtoken] to allow access rule validation

I've used the values from the endpoint. This was mostly a straight
forward copy and paste, except:

- versioned endpoints e.g cinderv3 where I stripped the version
- monasca has multiple endpoints associated with a single service. For
  this, I concatenated logging and monitoring to be logging-monitoring.

Closes-Bug: #1965111
Change-Id: Ic4b3ab60abad8c3dd96cd4923a67f2a8f9d195d7
2022-06-09 22:49:38 +02:00
Radosław Piliszek
7ca9349b09 Do not use keystone_admin_url et al
Following up on [1].
The 3 variables are only introducing noise after we removed
the reliance on Keystone's admin port.

[1] I5099b08953789b280c915a6b7a22bdd4e3404076

Change-Id: I3f9dab93042799eda9174257e604fd1844684c1c
2022-05-28 18:19:01 +02:00
Marcin Juszkiewicz
463f10014e drop binary install type from templates and config
As we have only source image type then we do not need to handle other
option.

Change-Id: I753aa0182cfc975bb8b5cd1476ab2c336a7691fa
2022-04-05 15:31:21 +02:00
Niklas Hagman
2e933dceb5 Transition Keystone admin user to system scope
A system-scoped token implies the user has authorization to act on the
deployment system. These tokens are useful for interacting with
resources that affect the deployment as a whole, or exposes resources
that may otherwise violate project or domain isolation.

Since Queens, the keystone-manage bootstrap command assigns the admin
role to the admin user with system scope, as well as in the admin
project. This patch transitions the Keystone admin user from
authenticating using project scoped tokens to system scoped tokens.
This is a necessary step towards being able to enable the updated oslo
policies in services that allow finer grained access to system-level
resources and APIs.

An etherpad with discussion about the transition to the new oslo
service policies is:

https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible

Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
2021-09-28 09:45:06 -07:00
Michal Arbet
7da770d290 Add missing region_name in keystoneauth sections
Closes-Bug: #1933025

Change-Id: Ib67d715ddfa986a5b70a55fdda39e6d0e3333162
2021-06-22 08:35:35 +02:00
Doug Szumski
647ff667e6 Add variable for changing Apache HTTP timeout
In services which use the Apache HTTP server to service HTTP requests,
there exists a TimeOut directive [1] which defaults to 60 seconds. APIs
which come under heavy load, such as Cinder, can sometimes exceed this
which results in a HTTP 504 Gateway timeout, or similar. However, the
request can still be serviced without error. For example, if Nova calls
the Cinder API to detach a volume, and this operation takes longer
than the shortest of the two timeouts, Nova will emit a stack trace
with a 504 Gateway timeout. At some time later, the request to detach
the volume will succeed. The Nova and Cinder DBs then become
out-of-sync with each other, and frequently DB surgery is required.

Although strictly this category of bugs should be fixed in OpenStack
services, it is not realistic to expect this to happen in the short
term. Therefore, this change makes it easier to set the Apache HTTP
timeout via a new variable.

An example of a related bug is here:

https://bugs.launchpad.net/nova/+bug/1888665

Whilst this timeout can currently be set by overriding the WSGI
config for individual services, this change makes it much easier.

Change-Id: Ie452516655cbd40d63bdad3635fd66693e40ce34
Closes-Bug: #1917648
2021-03-04 11:25:06 +00:00
Jeffrey Zhang
2c2d19c8e9 Use a better process name for httpd subprocess
Change-Id: I52cee3679e4a733daa165062d64884577e9acc1a
Closes-Bug: #1900082
2020-10-16 13:15:50 +08:00
Pierre Riteau
c81772024c Reduce the use of SQLAlchemy connection pooling
When the internal VIP is moved in the event of a failure of the active
controller, OpenStack services can become unresponsive as they try to
talk with MariaDB using connections from the SQLAlchemy pool.

It has been argued that OpenStack doesn't really need to use connection
pooling with MariaDB [1]. This commit reduces the use of connection
pooling via two configuration options:

- max_pool_size is set to 1 to allow only a single connection in the
  pool (it is not possible to disable connection pooling entirely via
  oslo.db, and max_pool_size = 0 means unlimited pool size)
- lower connection_recycle_time from the default of one hour to 10
  seconds, which means the single connection in the pool will be
  recreated regularly

These settings have shown better reactivity of the system in the event
of a failover.

[1] http://lists.openstack.org/pipermail/openstack-dev/2015-April/061808.html

Change-Id: Ib6a62d4428db9b95569314084090472870417f3d
Closes-Bug: #1896635
2020-09-22 17:54:45 +02:00
James Kirsch
19b028e660 Add Keep Alive Timeout for httpd
This patch introduces a global keep alive timeout value for services
that leverage httpd + wsgi to handle http/https requests. The default
value is one minute.

Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network
2020-08-13 09:52:40 +00:00
Mark Goddard
0edad7138c Remove default(omit) from openstack_cacert in templates
The use of default(omit) is for module parameters, not templates. We
define a default value for openstack_cacert, so it should never be
undefined anyway.

Change-Id: Idfa73097ca168c76559dc4f3aa8bb30b7113ab28
2020-04-03 14:49:11 +01:00
Mark Goddard
c56d273c93 Python 3: Use distro_python_version for WSGI python_path
Currently the WSGI configuration for binary images uses python2.7
site-packages in some places. This change uses distro_python_version to
select the correct python path.

Change-Id: Id5f3f0ede106498b9264942fa0399d7c7862c122
Partially-Implements: blueprint python-3
2020-01-30 14:08:13 +00:00
James Kirsch
c15dc20341 Configure services to use Certificate Authority
Include a reference to the globally configured Certificate Authority to
all services. Services use the CA to verify HTTPs connections.

Change-Id: I38da931cdd7ff46cce1994763b5c713652b096cc
Partially-Implements: blueprint support-trusted-ca-certificate-file
2020-01-13 11:00:11 -08:00
Michal Nasiadka
3f55b87069 Improve Apache logging
Currently we don't put global Apache error logs into /var/log/kolla,
this change adds statements that redirect those logs there.

Adapted the logfile names to catch into openstack wsgi logging fluentd
input config and existing logrotate cron entries.

Change-Id: I21216e688a1993239e3e81411a4e8b6f13e138c2
2019-12-06 13:11:49 +00:00
Michal Nasiadka
0240763d7d Add proper wsgi loglevel when openstack_logging_debug
Change-Id: I51144d92f34ed51c499a4119c059e6475d02eb46
2019-10-24 09:33:05 +00:00
Radosław Piliszek
bc053c09c1 Implement IPv6 support in the control plane
Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname
(haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion
(baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround
(socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting
as it is not used (let's avoid any confusion)
and could break setups without proper multicast routing
if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we
currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
This is due to old RabbitMQ versions available in images.
IPv4 is preferred by default and may fail in the IPv6-only scenario.
This should be no problem in real life as IPv6-only is indeed IPv6-only.
Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
no longer be relevant as we supply all the necessary config.
See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
to work well). Older Ansible versions are known to miss IPv6 addresses
in interface facts. This may affect redeploys, reconfigures and
upgrades which run after VIP address is assigned.
See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments.
See: https://storyboard.openstack.org/#!/story/2006689

Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-10-16 10:24:35 +02:00
Marek Svensson
10bf6b05fa Fix default deployment of freezer, use mariadb.
This change defaults freezer to use mariadb as default backend for database
and adds elasticsearch as an optional backend due to the requirement of
freezer to use elasticsearch version 2.3.0. The default elasticsearch in
kolla-ansible is 5.6.x and that doesn't work with freezer.

Added needed options to the elasticsearch backend like:
 - protocol
 - address
 - port
 - number of replicas

Change-Id: I88616c285bdb297fd1f738846ddffe1b08a7a827
Signed-off-by: Marek Svensson <marek@marex.st>
2019-06-18 15:12:36 -04:00
Jim Rollenhagen
2e4e60503a Use keystone_*_url var in all configs
We're duplicating code to build the keystone URLs in nearly every
config, where we've already done it in group_vars. Replace the
redundancy with a variable that does the same thing.

Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a
2019-03-06 15:08:26 -05:00
Kien Nguyen
043943117d Use <project>_install_type instead of kolla_install_type
Use <project>_install_type instead of kolla_install_type
to set python_path. For example, general kolla_install_type
is 'binary', but user wants to deploy Horizon from 'source'.
Horizon templates still use python_path=/usr/share/openstack-dashboard,
it is wrong.

Change-Id: Ide6a24e17b1f8ab6506aa5e53f70693706830418
2019-01-04 14:33:46 +07:00
Pierre Blanc
62222abc39 Freezer: Update freezer driver with elasticsearch
By default the driver used is elasticsearch in version 2
This change updates the driver with the good one.
It also updates backend with name used in the documentation.

Change-Id: I80f3020cb42903ae48ef65f52f67aae977c5a56b
2018-11-09 17:19:00 -05:00
ZhongShengping
ae246945a6 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ifd8527d404f1df807ae8196eac2b3849911ddc26
Closes-Bug: #1761907
2018-08-07 11:58:23 +05:30
Kevin TIBI
a81a5d5d5d Fix SSL api for multiple services
If SSL is enabled, api of multiple services returns
wrong external URL without https prefix.

Removal of condition for deletion of http  header.

Change-Id: I4264e04d0d6b9a3e11ef7dd7add6c5e166cf9fb4
Closes-Bug: #1749155
Closes-Bug: #1717491
2018-04-18 17:20:27 +02:00
caoyuan
b81442a082 Add freezer-scheduler role
Change-Id: I469800239bfc7f3bb5acc899edf7a971b792655c
Implements: blueprint kolla-freezer-scheduler-container
Co-Authored-By: wu.chunyang <wu.chunyang@99cloud.net>
2018-04-09 08:35:32 +00:00
Jeffrey Zhang
f8cb527f78 Security reinforce for apache server
Disable ServerSignature and Hide apache related infromation.

Change-Id: I9188ddb85988539087c922117bb9f53454b7507c
2018-03-14 18:14:26 +08:00
Dai Dang Van
4f8eb892c7 Support policy.yaml file [part 5]
- Freezer
- Gnocchi
- Kuryr
- Murano
- Panko

This will copy only yaml or json policy file if they exist.

Change-Id: I5450839cb06c515f2be445883421f8f987ca834d
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
2018-01-22 01:57:05 +00:00
ZhongShengping
a3f8c987f7 Use WSGIApplicationGroup %{GLOBAL} in mod_wsgi configuration
Change-Id: I419cd02aeb899d93bba5f330d7e4535afd8c0ed8
Closes-bug: #1708655
2018-01-11 00:50:42 +00:00
Eduardo Gonzalez
5c9d10fa58 Fix freezer elasticsearch config
storage settings for elasticsearch are not correct.
Need a backend and expecific options for the backend.

Change-Id: I71e35644389b6f97a20daf0f1dec29a30c3c34e3
Closes-Bug: #1713693
2017-08-29 12:34:31 +02:00
Tatsuma Matsuki
db0f469614 Unified Apache access log format
Apache access log formats are modified to be consistent with
the format defined in wsgi-keystone.conf, which includes
the response time (%D) and X-forwarder-For fields.

Change-Id: I02aa5eb106fb894196dfb6e22daf2968e27ed3cb
Closes-Bug: #1703571
2017-07-26 04:11:54 +00:00
Jeffrey Zhang
f5dd178fc5 Disable trace for all containers running httpd
Trace method is enabled in default for httpd. There is security risk
with trace enabled. So disable it in default. more info please check[0].

[0] https://security.stackexchange.com/a/7711

Change-Id: I4496a6d058d88e1abfb210085f189e7a610e0362
Closes-Bug: #1705160
2017-07-19 10:52:41 +08:00
Bertrand Lallau
372e991bec Standardize Keystone domain variables
As described here:
https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L841
https://github.com/openstack/keystone/blob/master/keystone/conf/identity.py#L21

* default project domain name MUST be named 'Default'
* default project domain id MUST be named 'default'
* default project user name MUST be named 'Default'
* default project user id MUST be named 'default'

Change-Id: I610a0416647fdea31bb04889364da5395d8c8d74
2017-07-06 14:34:11 +00:00
Bertrand Lallau
afdd11b9a2 Generalize api_interface_address variable usage
Useful api_interface_address variable has been define here:
https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L57
In order to simplify codebase we must use it as much as possible.

Change-Id: I18fec19bf69e05a22a4142a9cd1165eccd022455
2017-05-23 08:35:15 +00:00
Bertrand Lallau
25597fe47d Freezer: remove oslo_messaging_notifications config
Freezer doesn't use notification

Change-Id: If28e6940310096221c0f645995e96f7d34dd4f3e
2017-03-10 17:53:34 +01:00
zhubingbing
c5ba70a089 Remove rabbitmq from freezer
freezer dont't user rabbitmq

https://github.com/openstack/freezer-api/blob/master/etc/freezer/freezer-api.conf.sample

Change-Id: I90a76275ab256ba8fc1c6d332e67af29fcbc22ef
2017-02-24 08:41:29 +00:00
caowei
3e3ab11749 Fix freezer auth issue
Change-Id: I14ba906cb688c935351ef296badccf720b0267f0
Closes-Bug: #1665195
2017-02-16 10:27:49 +08:00
caowei
9c82ed8071 Add freezer ansible role
Co-Authored-By: caoyuan <cao.yuan@99cloud.net>
Co-Authored-By: zhubingbing <zhubingbing10@gmail.com>

Change-Id: I419f7ceb219ea9643cfd225c130018f967ddd860
Partially-implements: bp freezer-ansible-role
2017-01-27 11:19:13 +00:00