This change enables the use of Docker healthchecks for core OpenStack
services.
Also check-failures.sh has been updated to treat containers with
unhealthy status as failed.
Implements: blueprint container-health-check
Change-Id: I79c6b11511ce8af70f77e2f6a490b59b477fefbb
this patchset has implemented:
- network (lb-mgmt-net)
- security groups and rules (used by amphora and health manager)
- amphora flavor (used by amphora)
- nova keypair (used by amphora at the time of debugging)
Add a octavia_amp_listen_port variable which used by amphora
Add amp_image_owner_id in octavia.conf
Implements: blueprint implement-automatic-deploy-of-octavia
Co-Authored-By: zhangchun <zhangchun@yovole.com>
Depends-On: https://review.opendev.org/652030
Change-Id: I67009d046925cfc02c1e0073c80085c1471975f6
The kolla-cli is deprecation [1], it should be clean up from
kolla-ansible's cleanup-host script
[1]: https://review.opendev.org/#/c/749045/
Change-Id: I7072de235d9d629b0f538dc98c5258ee5f023376
It should be bumped by [1], but missing, this PS to
be supplement.
[1]: https://review.opendev.org/#/c/753776/2
Depends-On: I5befc72a4894d625ca352b27df9d3aa84a2f5b2c
Change-Id: I75742653cb62c27317abf297a0143399d6adc644
keystone-startup.sh is using fernet_token_expiry instead of
fernet_key_rotation_interval - which effects in restart loop of keystone
containers - when restarted after 2-3 days.
Closes-Bug: #1895723
Change-Id: Ifff77af3d25d9dc659fff34f2ae3c6f2670df0f4
This patch introduces an optional backend encryption for the Ironic API
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Ironic service.
Change-Id: I9edf7545c174ca8839ceaef877bb09f49ef2b451
Partially-Implements: blueprint add-ssl-internal-network
When the internal VIP is moved in the event of a failure of the active
controller, OpenStack services can become unresponsive as they try to
talk with MariaDB using connections from the SQLAlchemy pool.
It has been argued that OpenStack doesn't really need to use connection
pooling with MariaDB [1]. This commit reduces the use of connection
pooling via two configuration options:
- max_pool_size is set to 1 to allow only a single connection in the
pool (it is not possible to disable connection pooling entirely via
oslo.db, and max_pool_size = 0 means unlimited pool size)
- lower connection_recycle_time from the default of one hour to 10
seconds, which means the single connection in the pool will be
recreated regularly
These settings have shown better reactivity of the system in the event
of a failover.
[1] http://lists.openstack.org/pipermail/openstack-dev/2015-April/061808.html
Change-Id: Ib6a62d4428db9b95569314084090472870417f3d
Closes-Bug: #1896635
This allows for more config flexibility - e.g. running multiple
backends with a common frontend.
It is not possible with the 'listen' approach (which enforces
frontend).
Additionally, it does not really make sense to support two ways
to do the exact same thing as the process is automated and
'listen' is really meant for humans not willing to write separate
sections.
Hence this deprecates 'listen' variant.
At the moment both templates work exactly the same.
The real flexibility comes in following patches.
Note this is a building block for future work on letsencrypt
validator (which should offer backend and share frontend with
any service running off 80/443 - which would be only horizon
in the current default config), as well as any work towards
single port (that is single frontend) and multiple services
anchored at paths of it (which is the new recommended default).
Change-Id: I2362aaa3e8069fe146d42947b8dddf49376174b5
Partially-Implements: blueprint letsencrypt-https
Currently there is no option to set container_proxy only for one service
(e.g. magnum). This change adds this option.
Change-Id: Ia938ee660ebe8ce84321f721b6292b0b58a06e20
tox command install dependencies from the ``requirements.txt``,
``test-requirements.txt`` and ``doc/requirements.txt`` files
Change-Id: I21ee208d2484615ee3f9d9eca7602275382c920b
Adds a new Zuul job, kolla-ansible-centos8-source-magnum, for testing
deployment of Magnum, Octavia and associated services.
Change-Id: I61b293ba6bb52064ea98a73e2dff0023fa01a2a2
This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.
The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.
RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
The Zuul 'tls_enabled' variable is true.
Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
Since change [1] merged we have two mariadb images (mariadb and mariadb-server)
Let's use mariadb-server in kolla-ansible, so we can deprecate mariadb image.
[1]: https://review.opendev.org/#/c/710217/
Change-Id: I4ae2ccaaba8fb516f469f4ce8628e8c61de03f0d
replace 'openstack aggregate create' command with ansible
os_nova_host_aggregate module and remove TODO
Change-Id: I727f9e4acc9e22f59735c65190ac38cc75e5f781
If we don't set it, then Zun chooses one randomly (the first one
from Neutron).
This may break if it is a network that is not available on
target hosts, e.g. external via L3 agent router.
Since capsules do not support nets yet [1], this patch ensures
desired network creation order in init-runonce instead.
[1] https://bugs.launchpad.net/zun/+bug/1895263
Change-Id: Iaa113dcfb826164a2772d2c91d34ec0236be0817
This reverts commit 316b0496b3dd7a9b33692b171391d9d17d535116, because
ironic-inspector is not ready to use WSGI. It would need to be split
into two separate containers, one running ironic-inspector-api-wsgi and
another running ironic-inspector-conductor.
Change-Id: I7e6c59dc8ad4fdee0cc6d96313fe66bc1d001bf7
Per the recent Kayobe brekage due to TLS support in Ironic [1],
let's test Ironic Inspector API as well.
[1] https://review.opendev.org/750804
Change-Id: I7ccf0c4286f8907bc2fa2eabc41ec2876c9815a9
