If not running containerised chrony, we need to check that host
has its own means of system clock synchronization.
Change-Id: I31b3e9ed625d63a4bf82c674593522268c20ec4c
Partial-Bug: #1885689
Currently we generate multiple fluentd configuration files for inputs,
filters, formatters and outputs.
These are then included from the main td-agent.conf configuration file.
With a large number of hosts, this can take a long time to template.
Benchmarking of templating is available at [1].
This change switches to a single fluentd configuration file, with the
include done locally. For the default template files included with Kolla
Ansible we use Jinja includes, but this does not work with templates in
a different directory. We therefore use the Ansible template lookup
plugin, which has a slightly higher overhead than a jinja include, but
far lower than generating multiple templates. This should drastically
improve the performance of this task.
[1] https://github.com/stackhpc/ansible-scaling/blob/master/doc/template.md
Partially-Implements: blueprint performance-improvements
Change-Id: Ia8623be0aa861fea3e54d2c9e1c971dfd8e3afa9
Currently we generate a logrotate configuration file for each enabled
service. These are then included from a logrotate.d directory. With a
large number of hosts, this can take a long time to template.
Benchmarking of templating is available at [1].
This change switches to a single logrotate configuration file for all
services, with the include done locally using jinja. This should
drastically improve the performance of this task.
[1] https://github.com/stackhpc/ansible-scaling/blob/master/doc/template.md
Partially-Implements: blueprint performance-improvements
Change-Id: I39cfa70bef6560f615cad516c43aaef6a523b964
Including tasks has a performance penalty when compared with importing
tasks. If the include has a condition associated with it, then the
overhead of the include may be lower than the overhead of skipping all
imported tasks. In the case of the check-containers.yml include, the
included file only has a single task, so the overhead of skipping this
task will not be greater than the overhead of the task import. It
therefore makes sense to switch to use import_tasks there.
Partially-Implements: blueprint performance-improvements
Change-Id: I65d911670649960708b9f6a4c110d1a7df1ad8f7
This change disables services in the Prometheus openstack-exporter
if they are not enabled in the deployment. Such behaviour allows
to avoid warnings and errors in the log files and keep the
log file contents clean and informative.
Change-Id: I4dcac976620a5f451e3d273183199aefe400994a
Moved the TLS documentation from "advanced-configuration" doc to its
own TLS document. This is in preparation for improving it.
Change-Id: I4c83f1810ef1222aaa3560174c1ba39328853c4e
Co-Authored-By: James Kirsch <generalfuzz@gmail.com>
Docker is manipulating iptables rules by default to provide network
isolation, and this might cause problems if the host already has an
iptables-based firewall.
This change introduces docker_disable_default_iptables_rules to
disable the iptables manipulation by putting "iptables: false" [1] to
daemon.json
For better defaults, this feature will be enabled by default in
Victoria.
[1] https://docs.docker.com/network/iptables/
Closes-Bug: #1849275
Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b
This fixes an issue where multiple Grafana instances would race
to bootstrap the Grafana DB. The following changes are made:
- Only start additional Grafana instances after the DB has been
configured.
- During upgrade, don't allow old instances to run with an
upgraded DB schema.
Change-Id: I3e0e077ba6a6f43667df042eb593107418a06c39
Closes-Bug: #1888681
This ensures that when using automatic Kafka topic creation, with more than one
node in the Kafka cluster, all partitions in the topic are automatically
replicated. When a single node goes down in a >=3 node cluster, these topics will
continue to accept writes providing there are at least two insync replicas.
In a two node cluster, no failures are tolerated. In a three node cluster, only a
single node failure is tolerated. In a larger cluster the configuration may need
manual tuning.
This configuration follows advice given here:
[1] https://docs.cloudera.com/documentation/kafka/1-2-x/topics/kafka_ha.html#xd_583c10bfdbd326ba-590cb1d1-149e9ca9886--6fec__section_d2t_ff2_lq
Closes-Bug: #1888522
Change-Id: I7d38c6ccb22061aa88d9ac6e2e25c3e095fdb8c3
fluentd logs currently to stdout, which is known to produce big docker logs
in /var/lib/docker. This change makes fluentd to log to /var/log/kolla/fluentd.
Closes-Bug: #1888852
Change-Id: I8fe0e54cb764a26d26c6196cef68aadc6fd57b90
This reverts commit 8fc86893893685e828600e21ddba147b64f0adc3.
It appears that it is still necessary to wait for ironic to be up, otherwise inspector may fail to start:
The baremetal service for 192.0.2.10:None exists but does not have any supported versions.
Change-Id: Ibc8314c91113618ce9e92b8933a63eba3cf3bbe1
From Ussuri, if CA certificates are copied into
/etc/kolla/certificates/ca/, these should be copied into all containers.
This is not being done for masakari currently.
Additionally, we are not setting the [DEFAULT] nova_ca_certificates_file
option in masakari.conf. This depends on masakari bug 1873736 being
fixed to work.
This change fixes these issues.
Change-Id: I9a3633f58e5eb734fa32edc03a3022a500761bbb
Closes-Bug: #1888655
Some CloudKitty API responses include a Location header using http
instead of https. Seen with `openstack rating module enable hashmap`.
Change-Id: I11158bbfd2006e3574e165b6afc9c223b018d4bc
Closes-Bug: #1888544
A "@type copy" statement is already present at the beginning of each
match element, so extra "type copy" are not needed. They are causing the
following warnings in fluentd logs:
[warn]: parameter 'type' in <match syslog.local0.**>
[warn]: parameter 'type' in <match syslog.local1.**>
This commit also harmonizes indentation of the Monasca config block.
Change-Id: I779c2b942d007acbdd43d999f2fc0cdc131d431f
Related-Bug: #1885873
we should clone freezer code before run bootstray,
otherwise, the directory /opt/stack/freezer which is empty will
mount into freezer_api container.
Closes-Bug: #1888242
Change-Id: I7c22dd380fd5b1dff7b421109c4ae37bab11834a
Option "trove_auth_url/os_region_name" from group "DEFAULT" is deprecated.
Use option "auth_url/region_name" from group service_credentials
Change-Id: I15d6891582c92c7fc813f280a2b47ebaaca77eba
This makes use of udev rules to make it smarter and override
host-level packages settings.
Additionally, this masks Ubuntu-only service that is another
pain point in terms of /dev/kvm permissions.
Fingers crossed for no further surprises.
Change-Id: I61235b51e2e1325b8a9b4f85bf634f663c7ec3cc
Closes-bug: #1681461
