This patch introduces optional backend encryption for the Keystone
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Keystone service.

Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network

Sometimes ping & ssh to the instance are failing - outputting the instance console
log can help in the case when there are metadata access issues (or other
issues).

Change-Id: I8437300d621448782e964d877b2614ca606f5849

Since fluentd is disabled in MariaDB jobs, haproxy logs are not getting
populated.

Change-Id: I56b3fc1be6940d97905cdb2c4452b846f106c071
Depends-on: https://review.opendev.org/713704

Fluentd cannot accept an empty 'path' parameter.
I refactored the service list following the general pattern
we have.

Change-Id: I83d820efcc7e86bac9f8bda26a8f8bece72159e6
Closes-bug: #1867953

Currently, config folders lack the execute bit so Fluentd
cannot read the config and just does nothing when it starts up. This
change explicitly sets the execute bit on folders which need it,
rather than doing it in a more generic way which is more risky from
a security perspective.

Change-Id: Ia840f4b67043df4eaa654f47673dcdc973f13d9c
Closes-Bug: #1867754

ceph-ansible by default uses the "latest" tag for ceph Docker Hub images,
but recently the latest tag has been upgraded to the Octopus release,
not Nautilus.

Change-Id: I5247c10079ab91cce130cd5ba403f25ccaf7c1fb

tox will be removed from the base image. Install it before that happens.
This change is made in a simple way that can be easily backported.

Depends-On: https://review.opendev.org/713386
Change-Id: I4181654c88554c81940f0d079cf1d64326cdec79

ovs-ofctl is still being run by neutron-openvswitch-agent.
Potential removal is scheduled for Victoria.
Until then, we have to mount /run/openvswitch in there.

Change-Id: Ia73b5665cece523bb822f6a223335f6fae94fb6a
Closes-bug: #1867506

While supporting both CentOS 7 and 8, we used the tag 'master-centos8'
for CentOS 8 images. We are now ready to drop CentOS 7 support, and
Kolla is switching to publish CentOS 8 images using the master tag on
the master branch, so we should use this.

Depends-On: https://review.opendev.org/713265
Partially-Implements: blueprint centos-rhel-8
Change-Id: I07d2c285e3214a6dc827a8e8eacf263048ee099b

We are getting this randomly on neutron-server shutdown
for upgrade.
As it does not affect real operations (and if it did,
we would definitely see it now), let's ignore it.

Change-Id: Ibe561517d44a1108e8223442a71fab36b69c2258
Related-bug: #1863579

Add copying of the CA file to the horizon container, because:

    Could not find a suitable TLS CA certificate bundle,
    invalid path: /etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt

Closes-Bug: #1867121
Change-Id: I64d4dbeebd53048705005b61eb3c5b2104e8f2ed
Signed-off-by: yj.bai <bai.yongjun@99cloud.net>

We only log the release in the 'Checking host OS release or version'
precheck, but we allow either the release or version to be included in
the list. For example, on CentOS 7:

    CentOS release Core is not supported. Supported releases are: 8

Include the version in the failure message too.

Change-Id: I0302cd4fc94a0c3a6aa1dbac7b9fedf37c11b81e
Related: blueprint improve-prechecks

grafana does not support ipv6 in grafana.ini.j2.

Closes-Bug: #1866141
Change-Id: Ia89a9283e70c10a624f25108b487528dbb370ee4
Signed-off-by: yj.bai <bai.yongjun@99cloud.net>

I didn't use a for loop as the logic for omitting the
comma for the final element dirties the logic.

Change-Id: Id29d5deebcc5126d69a1bd8395e0df989f2081f0

This should help to ensure that users are running tested and supported
host OS distributions.

Change-Id: I6ee76463d284ad4f3646af1c7ec2b7e50e2f3b15
Partially-Implements: blueprint improve-prechecks

If haproxy is running somewhere in the cluster and listening on the VIP,
but not running locally, then the following precheck may fail:

    TASK [haproxy : Checking free port for HAProxy monitor (vip interface)]
    msg: Timeout when waiting for 192.0.2.10:61313 to stop.

This change fixes the issue by skipping the check if HAProxy is running
on any host.

Change-Id: I831eb2f700ef3fcf65b7e08382c3b4fcc4ce8d8d
Closes-Bug: #1866617

When the cert file in /etc/kolla/certificate/ is changed,
the certificate in the container has not changed.
So I think we can use kolla-ansible deploy when the certificate is
changed, to restart <container>.

Partially-Implements: blueprint custom-cacerts
Change-Id: Iaac6f37e85ffdc0352e8062ae5049cc9a6b3db26
Signed-off-by: yj.bai <bai.yongjun@99cloud.net>

We already only include .conf files in fluent.conf:

    (fluentd)[fluentd@cpu-e-1041 /etc/fluentd]$ cat fluent.conf
    @include input/*.conf
    @include filter/*.conf
    @include format/*.conf
    @include output/*.conf

so this change should not cause ill effect. This works because of the
merge option in config files:

    merge: merges the source directory into the target directory instead of
    replacing it. Boolean, defaults to false.

See https://docs.openstack.org/kolla/latest/admin/kolla_api.html#kolla-api-external-config

Change-Id: I28f63ec81f1ea5bc4a213d053bfb2c04388d5925
Closes-Bug: #1862211