Recently a patch [1] was merged to stop adding the octavia user to the
admin project, and remove it on upgrade. However, the octavia
configuration was not updated to use the service project, causing load
balancer creation to fail.
There is also an issue for existing deployments in simply switching to
the service project. While existing load balancers appear to continue to
work, creating new load balancers fails due to the security group
belonging to the admin project. At a minimum, the deployer needs to
create a security group in the service project, and update
'octavia_amp_secgroup_list' to match its ID. Ideally the flavor and
network would also be recreated in the service project, although this
does not seem to impact operation and will result in downtime for
existing Amphorae.
This change adds a new variable, 'octavia_service_auth_project', that
can be used to set the project. The default in Ussuri is 'service',
switching to the new behaviour. For backports of this patch it should be
switched to 'admin' to maintain compatibility.
If a deployer sets 'octavia_service_auth_project' to 'admin', the
octavia user will be assigned the admin role in the admin project, as
was done previously.
Closes-Bug: #1882643
Related-Bug: #1873176
[1] https://review.opendev.org/720243/
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Change-Id: I1efd0154ebaee69373ae5bccd391ee9c68d09b30
Replaced "kolla_external_fqdn_cacert" and "kolla_internal_fqdn_cacert" with
"kolla_admin_openrc_cacert". OS_CACERT is now set to the value of
"kolla_admin_openrc_cacert" in the generated admin-openrc.sh file.
Change-Id: If195d5402579cee9a14b91f63f5fde84eb84cccf
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/#/c/731344/
Update the certificate generation task to create a root CA for the
self-signed certificates. The internal and external facing certificates
are then generated using the root CA.
Updated openstack_cacert to use system CA trust store in CI tests
certificate by default.
Change-Id: I6c2adff7d0128146cf086103ff6060b0dcefa37b
Partially-Implements: blueprint add-ssl-internal-network
During an upgrade from Stein to Train, Kolla Ansible fails while running
TASK [cinder : Running Cinder online schema migration]
This is because the `--max_count 10` option is used, which returns 1
while migrations are processed. According to the upgrade documentation,
the command should be rerun while the exit status is 1:
https://docs.openstack.org/cinder/train/upgrade.html
This issue was introduced by a change to the image [1] which fixed a bug
in the way that the max count was interpreted, but exposed an issue in
using the max count.
This change fixes the issue by ceasing to pass MAX_NUMBER, which will
cause all migrations to occur in a single pass.
[1] https://review.opendev.org/#/c/712055
Change-Id: Ia786d037f5484f18294188639c956d4ed5ffbc2a
Closes-Bug: #1880753
The flag -es.uri is no longer accepted - it should be --es.uri.
Similarly with -web.listen-address. The following error is seen:
elasticsearch_exporter: error: unknown short flag '-e', try --help
This change switches to double dashed long options.
Change-Id: I039f4cad970352146462450742056f5990a81b06
Closes-Bug: #1880242
This patch is removing chrony package
from docker host when containerized chrony is enabled.
It is also fixing issue with chrony container running
under Ubuntu docker host as noted below.
+ exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied
Added also removal apparmor profile for ubuntu when
containerized chrony is enabled, as chrony's package
is not removing apparmor profile, and therefore
containerized chrony is not working.
Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
Closes-Bug: #1882513
Grafana changed the error message wording.
Match on the shortest sane string to play it safe.
Change-Id: Ic175ebdb1da6ef66047309ff07bcbba98fc67008
Closes-Bug: #1881890
related to newly introduced merge mechanism.
1) Per-host overrides cannot be run_once.
2) Since merge_yaml is silent about missing files, it ignored
the fact that no proper file was given due to wrong variable
being referenced (see the closed bug).
Change-Id: I6db4af4c6e3364838bdae510f300038b0c1560b0
Closes-Bug: #1882460
There's a logic error here, we call nova role from nova.yml file
under ansible folder. we should clone code before run
bootstrap_service task. if not, /opt/stack/nova which is empty
will mount to nova_api container.
Change-Id: Icc54c15080db9c2dc92709480e00b990e5a88662
This also uses the recommended machinery to set qemu instead
of relying on config file override so that we test what we
really want to test.
Change-Id: I560e4f9d0a69c347e6aaf3b970331157c1a56f18
When installing kolla with external ceph, ceph_cinder_user
var has to be set per documentation instead of ceph_cinder_volume_user.
This value is also rendered in example etc/kolla/globals.yml file.
This patch is fixing this bug or, let's say typo.
Change-Id: Id82b07867f4bc0e5d5e56363f0122014df6892bc
non-root user has no permission to create directory under /opt
directory. use "become: true" to resolve it.
Change-Id: I155efc4b1e0691da0aaf6ef19ca709e9dc2d9168
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
Update Sphinx version as well.
Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Set openstackdocs_auto_name to use 'project' as name.
Co-Authored-By: Andreas Jaeger <aj@suse.com>
Change-Id: If23546ac4cc2c19626e05b460651b61d5e82d948
STATIC_ROOT in local_settings.py should be configured
to path which is also configured in apache's config.
For debian, ubuntu binary setup it is
/var/lib/openstack-dashboard/static.
Reason why it is "accidentaly" working is:
For debian package:
Package is overriding STATIC_ROOT in
/etc/openstack-dashboard/local_settings.d/_0003_debian_static_root.py.
But this is going to be removed from settings in
https://review.opendev.org/733607.
For ubuntu package:
Ubuntu package is adding patch to package which is including
PYTHON_PATH do /usr/share/openstack-dashboard/
And also they are creating several dirty symlinks to get it working.
This patch is fixing this behaviour more clearly.
Change-Id: I9862ac7ab462ca9018b684d63f26458ddda9f73a
