338 Commits

Author SHA1 Message Date
Zuul
1982c9809f Merge "Add <project>_install_type for all projects" 2019-09-24 16:05:38 +00:00
Mark Goddard
6f05f1b844 Ensure keepalived is restarted during upgrade
During upgrade, we stop all slave keepalived containers. However, if the
keepalived container configuration has not changed, we never restart
them.

This change fixes the issue by notifying the restart handler when the
containers are stopped.

Change-Id: Ibe094b0c14a70a0eb811182d96f045027aa02c2a
Closes-Bug: #1836368
2019-09-23 15:27:34 +01:00
Mark Goddard
cc555c4196 Add <project>_install_type for all projects
This allows the install type for the project to be different than
kolla_install_type

This can be used to avoid hitting bug 1786238, since kuryr only supports
the source type.

Change-Id: I2b6fc85bac092b1614bccfd22bee48442c55dda4
Closes-Bug: #1786238
2019-09-23 10:23:54 +00:00
Radosław Piliszek
70b4bf6cbf Fix for haproxy precheck failing on CentOS running non-root
Change-Id: I7f2b3a6f1eacd4cabcaa31de543b7489bc5e654b
Closes-bug: #1844636
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-09-19 11:02:28 +02:00
Radosław Piliszek
b4ef4638a6 Fix enforced horizon redirect to https
Also fixes similar issues introduced by the same recent change.
Added FIXME note about possible TLS malfunction regarding horizon.

Change-Id: I5f46a9306139eb550d3849757c8bdf0767537c78
Closes-Bug: #1844016
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-09-14 22:00:56 +02:00
Zuul
ff86c2f2e3 Merge "Implement TLS encryption for internal endpoints" 2019-09-12 09:20:54 +00:00
Zuul
f960a5b58e Merge "HAProxy backend connection limits" 2019-08-27 12:58:07 +00:00
Krzysztof Klimonda
b0ecd8b67c Implement TLS encryption for internal endpoints
This review is the first one in a series of patches and it introduces an
optional encryption for internal openstack endpoints, implementing part
of the add-ssl-internal-network spec.

Change-Id: I6589751626486279bf24725f22e71da8cd7f0a43
2019-08-22 16:39:21 -07:00
Kien Nguyen
577bb50a04 Add Masakari Ansible role
Masakari provides Instances High Availability Service for
OpenStack clouds by automatically recovering failed Instances.

Depends-On: https://review.openstack.org/#/c/615469/
Change-Id: I0b3457232ee86576022cff64eb2e227ff9bbf0aa
Implements: blueprint ansible-masakari
Co-Authored-By: Gaëtan Trellu <gaetan.trellu@incloudus.com>
2019-08-15 09:58:53 -04:00
Scott Solkhon
46f9ad3a96 HAProxy backend connection limits
The default connection limits for backends is 2000
however, mariadb defaults to a max of 10000 conections,
therefore changing this limit to match the mariadb limit.

'haproxy_max_connections' also needs to be bumped
for this to work.

Change-Id: I5ded328485855f3f3d4390282040b0d89d08d997
2019-08-14 10:44:31 +00:00
Mark Goddard
b123bf6621 Use become for all docker tasks
Many tasks that use Docker have become specified already, but
not all. This change ensures all tasks that use the following
modules have become:

* kolla_docker
* kolla_ceph_keyring
* kolla_toolbox
* kolla_container_facts

It also adds become for 'command' tasks that use docker CLI.

Change-Id: I4a5ebcedaccb9261dbc958ec67e8077d7980e496
2019-06-06 19:04:58 +01:00
Zuul
2208b0214e Merge "Adds Qinling Ansible role" 2019-06-03 20:29:41 +00:00
Gaetan Trellu
edb3489820 Adds Qinling Ansible role
Qinling is an OpenStack project to provide "Function as a Service".
This project aims to provide a platform to support serverless functions.

Change-Id: I239a0130f8c8b061b531dab530d65172b0914d7c
Implements: blueprint ansible-qinling-support
Story: 2005760
Task: 33468
2019-05-31 10:25:28 -04:00
binhong.hua
12ff28a693 Make kolla-ansible support extra volumes
When integrating 3rd party component into openstack with kolla-ansible,
maybe have to mount some extra volumes to container.

Change-Id: I69108209320edad4c4ffa37dabadff62d7340939
Implements: blueprint support-extra-volumes
2019-05-17 11:55:04 +08:00
Raimund Hook
6804a5a682 Ansible flush_handlers ignores conditional clauses
The flush_handlers clause doesn't honour conditional clauses.
Instead, it prints a warning and runs anyway:
[WARNING]: flush_handlers task does not support when conditional

See: https://github.com/ansible/ansible/pull/41126

TrivialFix

Change-Id: Iaf70c2e932ae6dfb723bdb2ba658acdbfe74ebe2
2019-05-09 11:51:59 +01:00
Raimund Hook
84ea42bd7c Updating Jinja filters to conform to Ansible 2.5+
Since Ansible 2.5, the use of jinja tests as filters has been
deprecated.

I've run the script provided by the ansible team to 'fix' the
jinja filters to conform to the newer syntax.

This fixes the deprecation warnings.

Change-Id: I844ecb7bec94e561afb09580f58b1bf83a6d00bd
Closes-bug: #1827370
2019-05-02 14:58:09 +01:00
Bai Yongjun
ed2fd243d1 Add cyborg to kolla-ansible
Because kolla-ansible not have cyborg so should add it.

Implements: blueprint add-cyborg-to-kolla-ansible

Depend-On: I497e67e3a754fccfd2ef5a82f13ccfaf890a6fcd

Change-Id: I6f7ae86f855c5c64697607356d0ff3161f91b239
2019-03-08 10:46:53 +08:00
Maciej Kucia
0d32b76a33 haproxy: Support for external IPv6 (VIP)
This change allows usage of IPv6 as public address

Change-Id: Ie82ec5fb0ac9106b39948c67d34d5ef611a8fa21
Signed-off-by: Maciej Kucia <m.kucia@partner.samsung.com>
2019-02-07 15:56:35 +01:00
Zuul
3af135d4fb Merge "Allow disabling keepalived for external LBs" 2018-12-17 12:52:07 +00:00
Zuul
63eccc6372 Merge "Remove the deprecate the Glance Registry" 2018-12-01 07:08:36 +00:00
Eduardo Gonzalez
1a682fab28 Support stop specific containers
With this change, an operator may be able to stop a
service container without stopping all services in a host.
This change is the starting point to start
fast-forward upgrades support.
In next changes new flags will be introducced to disable
stop dataplane services during upgrades.

Change-Id: Ifde7a39d7d8596ef0d7405ecf1ac1d49a459d9ef
Implements: blueprint support-stop-containers
2018-11-26 08:07:01 +00:00
caoyuan
03fd9715c5 Remove the deprecate the Glance Registry
A spec to Deprecate the Glance Registry Service[0] was accepted in Newton,
but it contained the ambiguous statement, "Mark the service as deprecated
and ready for removal in the Q release." kolla-ansible disable the
glance-registry in Q release[1], and since we are in S now,
remove glance-registry is safe.

[0]: http://specs.openstack.org/openstack/glance-specs/specs/newton/approved/glance/deprecate-registry.html
[1]: https://review.openstack.org/#/c/566804/

Change-Id: I48f794029e97aa6f76bbd500e33f28f51a3f2ac4
2018-11-21 20:51:51 +08:00
Doug Szumski
712c89760c Add support for deploying Monasca Grafana
The Monasca Grafana fork allows users to log into Grafana with their
OpenStack user credentials and see metrics associated with their
OpenStack project. The long term goal is to enable Keystone support
in upstream Grafana, but this work seems to have stalled.

Partially-Implements: blueprint monasca-grafana
Change-Id: Icc04613b2571c094ae23b66d0bcc38b58c0ee4e1
2018-11-02 13:35:35 +00:00
Doug Szumski
195fec4d8d Add missing HAProxy port checks for Monasca
TrivialFix
Change-Id: Iaf216016a6acf0e9c87fdb6b8902416f4849efa3
2018-11-02 13:04:06 +00:00
Cédric Jeanneret
778dba94a4 Load known, standard kernel modules from the host, not within containers
Known kernel modules are:
- dm-multipath (for multipathd)
- ip_vs (for keepalived)
- iscsi_tcp (for ironic-conductor)
- openvswitch (for openvswitch-vswitchd)

Change-Id: I1841ec30cde142c8019830ad3190847dfe493eb9
2018-10-11 10:26:34 +02:00
Adam Harwell
f1c8136556 Refactor haproxy config (split by service) V2.0
Having all services in one giant haproxy file makes altering
configuration for a service both painful and dangerous. Each service
should be configured with a simple set of variables and rendered with a
single unified template.

Available are two new templates:

* haproxy_single_service_listen.cfg.j2: close to the original style, but
only one service per file
* haproxy_single_service_split.cfg.j2: using the newer haproxy syntax
for separated frontend and backend

For now the default will be the single listen block, for ease of
transition.

Change-Id: I6e237438fbc0aa3c89a3c8bd706a53b74e71904b
2018-09-26 03:30:38 -07:00
Clint Byrum
a05e77d71a Allow disabling keepalived for external LBs
In some cases a deployer may want to use haproxy for SSL termination but
has external infrastructure for load balancing, and thus no need for
keepalived to manage the VIP.

Co-Authored-By: Adam Harwell <flux.adam@gmail.com>

Change-Id: I451d7e33f1e631038a8d198dbc33c9a8850571b7
2018-09-17 22:04:14 +00:00
jiangpch
d57c7019a9 Make haproxy proxy to the right glance_api backend
Since glance_api only start one container when using file
backend, the haproxy should follow this rule.

See: https://review.openstack.org/#/c/448654

Closes-Bug: #1722422

Change-Id: Id3519581e0f54509dacd24d0dd542c630342c771
2018-09-13 15:24:02 +01:00
Zuul
acb72ddbe1 Merge "Fix prechecks for adding a new haproxy node" 2018-08-15 09:56:20 +00:00
Zuul
3e45b2cbec Merge "Use include_tasks instead of include" 2018-07-27 08:16:08 +00:00
Zuul
d1e427b7c1 Merge "Apply Resource Constraints to Openstack Services" 2018-07-26 14:18:34 +00:00
Lakshmi Prasanna Goutham Pratapa
76210a2d85 Apply Resource Constraints to Openstack Services
This commit is to apply resource-constraints only to few OpenStack services.
Commit to apply constraints to other services will be made in coming commits.

Partially-Implements: blueprint resource-constraints

Change-Id: Icafa54baca24d2de64238222a5677b9d8b90e2aa
2018-07-25 17:05:04 +01:00
Jeffrey Zhang
b51eeed89e Use include_tasks instead of include
include is marked as deprecated since ansible 2.4[0]

[0] https://docs.ansible.com/ansible/2.4/include_module.html#deprecated

Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ic9d71e1865d1c728890625aeddf424a5734c0a8a
2018-07-25 23:57:22 +08:00
Victor Coutellier
6a9a0e927d Fix prechecks for adding a new haproxy node
Change-Id: I2615e4938ec6b4a525f7fddde5a51a139dced8de
Closes-Bug: #1783381
2018-07-24 14:00:32 -04:00
Kevin Tibi
16df54eaa5 Disable TLS 1.1 on haproxy
While it is possible to implement countermeasures against some attacks
on TLS, migrating to a later version of TLS (TLS 1.2 is strongly
encouraged) is the only reliable method to protect against
the current protocol vulnerabilities.[1]

[1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Change-Id: I44f67e3a49bb00fea069d29c46b3e86404c7df0b
2018-07-20 11:10:33 +02:00
Jorge Niedbalski
1596475db6 [prometheus] Initial implementation of prometheus-alertmanager
This patch extends the prometheus role for being able
to deploy the prometheus-alertmanager[0] container.

The variable enable_prometheus_alertmanager
decides if the container should be deployed and enabled.

If enabled, the following configuration and actions are performed:

- The alerting section on the prometheus-server configuration
is added pointing the prometheus-alertmanager host group as targets.

- HAProxy is configured to load-balance over the prometheus-alertmanager
host group. (external/internal).

Please note that a default (dummy) configuration is provided, that
allows the service to start, the operator should extend it via a node custom config

[0] https://github.com/openstack/kolla/tree/master/docker/prometheus/prometheus-alertmanager

Change-Id: I3a13342c67744a278cc8d52900a913c3ccc452ae
Closes-Bug: 1774725
Signed-off-by: Jorge Niedbalski <jorge.niedbalski@linaro.org>
2018-07-11 16:20:35 -04:00
caoyuan
1b2bb2ef36 Add zun-wsproxy into kolla-ansible
the zun-wsproxy image is exists in kolla[0], but kolla-ansible
missing, this ps to add it.

[0]: https://github.com/openstack/kolla/tree/master/docker/zun/zun-wsproxy
Co-Authored-By: ZhijunWei <wzj334965317@outlook.com>

Change-Id: I89ef3463dfa5df8cf2d963ff0f0c7ddc382fc79b
Closes-Bug: #1765728
2018-06-27 15:18:49 +00:00
Vladislav Belogrudov
fe70df356f Add possibility to increase Murano agent timeout
Some Murano applications require much longer time than default
1 hour to be deployed.

Change-Id: I395e9e3e8cccf70f316f313847648841822e639a
Closes-Bug: #1777670
2018-06-19 15:35:03 +00:00
Ha Manh Dong
30be04ea91 Specify 'become' for all tasks that use kolla_docker module
Add become to all tasks that use the module "kolla_docker"

Change-Id: I4309c4011687b88ec31d739fd8f834fe2326ff10
Partial-Implements: blueprint ansible-specific-task-become
2018-06-08 12:39:24 +00:00
Zuul
e3494638a2 Merge "Compatible with ubuntu 18.04" 2018-06-05 02:30:54 +00:00
Nikita Gerasimov
418a6c8896 Adds parameter to configure HAProxy defaults balance
Introduce new option "haproxy_defaults_balance" to set balance in
defaults section.

Change-Id: Iaf12717ffac94ac2308758bd8ec87f088af26b69
Closes-Bug: #1773178
2018-05-24 17:47:05 +03:00
Zuul
e38d95def5 Merge "Support deploying the Monasca Log API" 2018-05-21 13:53:34 +00:00
Doug Szumski
eab66ab02e Support deploying the Monasca Log API
Deploys the Monasca Log API with mod_wsgi + Apache.

Change-Id: I28f0aa31c59b0b6917be2b125b5f8a0d7a7035af
Partially-Implements: blueprint monasca-roles
2018-05-21 12:05:58 +01:00
Zuul
a672d4e730 Merge "Support deploying the Monasca API" 2018-05-21 11:05:54 +00:00
Doug Szumski
c11f9f521d Support deploying the Monasca API
Deploys the Monasca API with mod_wsgi + Apache.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Partially-Implements: blueprint monasca-roles
Change-Id: I3e03762217fbef1fb0cbff6239abb109cbec226b
2018-05-21 09:28:13 +00:00
Zuul
cbb7cce7c1 Merge "[haproxy] Enable global optimization options" 2018-05-16 12:25:09 +00:00
Jeffrey Zhang
be6798fc30 Compatible with ubuntu 18.04
Depends-On: https://review.openstack.org/568529
Change-Id: I8084e4c8406c818589ca984afe5b5364c00b08ca
2018-05-16 18:00:44 +08:00
Jorge Niedbalski
48231e1df0 [haproxy] Enable global optimization options
This patch enables 3 new configuration options for haproxy.cfg
global section.

  - haproxy_processes: number of haproxy processes (default:1).
  - haproxy_max_connections: number of concurrent connections (default:4000)
  - haproxy_process_cpu_map: enforces 1:1 mapping/affinity between
process and core. (default: no).

Closes-Bug: #1770060
Change-Id: I33fc499b083c7bcc548133498e44406a479389f1
Signed-off-by: Jorge Niedbalski <jorge.niedbalski@linaro.org>
2018-05-11 10:28:09 -03:00
Jeffrey Zhang
c567055176 Fix ansible warning
- rename action and serial to kolla_ansible and kolla_serial
- use become instead of "sudo <command>" in shell
- Remove quota for failed_when and changed_when in rabbitmq tasks

Change-Id: I78cb60168aaa40bb6439198283546b7faf33917c
Implements: blueprint migrate-to-ansible-2-2-0
2018-05-11 02:54:02 +00:00
Zuul
ad2b856178 Merge "Let haproxy to be ODL websocket's frontend" 2018-05-04 04:09:21 +00:00