11253 Commits

Author SHA1 Message Date
jacky06
d40c11b22a Modify api-paste.ini v1 to v2 for cyborg
bump api version to v2[1]

[1]: https://review.opendev.org/#/c/700102/

Change-Id: I799f126a30081a85da4f3c41ce705c3756bbe6ba
2020-05-18 23:41:02 +08:00
Zuul
50359204b4 Merge "Improve fernet_token_expiry precheck" 2020-05-16 09:34:45 +00:00
Will Szumski
810acea6b1 Improve fernet_token_expiry precheck
The pre-check was broken, see bug report for details.

Change-Id: I089f1e288bae6c093be66181c81a4373a6ef3de4
Closes-Bug: #1856021
2020-05-15 16:50:35 +00:00
Zuul
fe1edb1baf Merge "Fix file extension in MariaDB backup docs" 2020-05-14 14:37:30 +00:00
Zuul
cd9f7faa6c Merge "dpdk-vswitchd: some ovs tools require ovs daemons pidfiles" 2020-05-14 14:37:29 +00:00
zhouhenglc
d47ffc7947 dpdk-vswitchd: some ovs tools require ovs daemons pidfiles
Change-Id: I797bb5997e6a3391e82bff766c96f7855de4adc4
Closes-bug: #1878325
2020-05-14 18:43:59 +08:00
Zuul
d10c5ac15c Merge "Ansible lint related fixes" 2020-05-14 09:52:29 +00:00
Pierre Riteau
cdd0eb6488 Fix file extension in MariaDB backup docs
Change-Id: I0495c1e33696cea36765f027bc453b9d3e8563e0
2020-05-13 18:47:39 +02:00
Zuul
9540f22e24 Merge "Add support for encrypting Barbican API" 2020-05-13 16:36:27 +00:00
Zuul
e51f3e0c5e Merge "Fix hacking min version to 3.0.1" 2020-05-13 15:07:34 +00:00
Zuul
43469d6fdb Merge "Add extras directory to prometheus config" 2020-05-13 14:31:51 +00:00
Zuul
e17cf01f82 Merge "Support customizing prometheus.cfg files" 2020-05-13 14:31:49 +00:00
Zuul
e2b25023d9 Merge "Add extend_lists option to merge_yaml" 2020-05-13 14:31:47 +00:00
James Kirsch
2e08ffd6d3 Add support for encrypting Barbican API
This patch introduces an optional backend encryption for the Barbican
API service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Barbican service.

Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b
Partially-Implements: blueprint add-ssl-internal-network
2020-05-13 10:26:09 +00:00
Ghanshyam Mann
7bb397a8eb Fix hacking min version to 3.0.1
flake8 new release 3.8.0 added new checks and gate pep8
job start failing. hacking 3.0.1 fix the pinning of flake8 to
avoid bringing in a new version with new checks.

Though it is fixed in latest hacking but 2.0 and 3.0 has cap for
flake8 as <4.0.0 which mean flake8 new version 3.9.0 can also
break the pep8 job if new check are added.

To avoid similar gate break in future, we need to bump the hacking min
version.

- http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014828.html

Change-Id: I4b11eaad9eac9985342a00e583f16e379a2ad04a
2020-05-12 19:26:30 -05:00
Zuul
c3a4f78d14 Merge "Stop mocking ansible modules globally" 2020-05-12 21:31:13 +00:00
Michal Nasiadka
2128075c6e Ansible lint related fixes
Change-Id: I146ea3d84efb83ec5d7405644ad372e57ecafc1e
2020-05-12 17:39:07 +00:00
Zuul
e53b3e69eb Merge "CI: Blacklist Ansible 2.9.8" 2020-05-12 15:44:43 +00:00
Mark Goddard
100f92563f CI: Blacklist Ansible 2.9.8
Ansible 2.9.8 includes a regression on the fileglob plugin [1] that
causes the HAProxy role to fail.

This change blacklists Ansible 2.9.8 to work around the issue.

[1] https://github.com/ansible/ansible/issues/69450

Change-Id: I12ca3b154fc7fed6a221880596e0acb5f6278bb7
Related-Bug: #1878192
2020-05-12 11:55:44 +00:00
Zuul
12ac15b5f7 Merge "Use FQDN to communicate with Kibana and Elasticsearch" 2020-05-11 20:18:53 +00:00
Zuul
5c193cbe95 Merge "Fixes Gnocchi & external Ceph integration" 2020-05-11 15:31:21 +00:00
Will Szumski
d05578f59f Add extras directory to prometheus config
This provides a generic mechanism to include extra files
that you can reference in prometheus.yml, for example:

scrape_targets:
  - job_name: ipmi
    params:
      module: default
    scrape_interval: 1m
    scrape_timeout: 30s
    metrics_path: /ipmi
    scheme: http
    file_sd_configs:
    - files:
      - /etc/prometheus/extras/file_sd/ipmi-exporter-targets.yml
      refresh_interval: 5m

Change-Id: Ie2f085204b71725b901a179ee51541f1f383c6fa
Related: blueprint custom-prometheus-targets
2020-05-11 13:47:12 +01:00
Will Szumski
956a29f83a Support customizing prometheus.cfg files
This provides a mechanism to scrape targets defined outside of kolla-ansible.

Depends-On: https://review.opendev.org/#/c/685671/
Change-Id: I0950341b147bb374b4128f09f807ef5a756f5dfa
Related: blueprint custom-prometheus-targets
2020-05-11 13:47:12 +01:00
Will Szumski
69a6acf7a8 Add extend_lists option to merge_yaml
This allows you to extend lists in yaml config. This is useful, for
example, in prometheus.yml, where it would be nice to be able to
extend the scrape_configs to include exporters that aren't packaged
with kolla-ansible. This would provide a mechanism to do so.

Change-Id: I7a10e363f42e8ffaae3c0d2c2a758853e2cab7e1
Related: blueprint custom-prometheus-targets
2020-05-11 13:47:12 +01:00
Will Szumski
4fcbdd7740 Stop mocking ansible modules globally
This causes non-local side effects that are hard to track down. E.g:

--- import errors ---
Failed to import test module: tests.test_merge_yaml
Traceback (most recent call last):
  File "/home/will/.pyenv/versions/3.7.7/lib/python3.7/unittest/loader.py", line 436, in _find_test_path
    module = self._get_module_from_name(name)
  File "/home/will/.pyenv/versions/3.7.7/lib/python3.7/unittest/loader.py", line 377, in _get_module_from_name
    __import__(name)
  File "/home/will/code/kolla-ansible/tests/test_merge_yaml.py", line 19, in <module>
    from ansible.errors import AnsibleModuleError
ModuleNotFoundError: No module named 'ansible.errors'; 'ansible' is not a package

This `'ansible' is not a package` message occurs because ansible is a Mock.

Depends-On: https://review.opendev.org/#/c/726768/
Change-Id: Iddbdd3d855daadbf12536cc990559e6b8e123051
2020-05-11 13:47:12 +01:00
Zuul
9768c266fd Merge "Add release note for CloudKitty configuration fixes" 2020-05-11 12:28:47 +00:00
Mark Goddard
82c5c1c75f Fixes Gnocchi & external Ceph integration
The removal of Kolla Ceph deploy [1] broke gnocchi & external Ceph
integration - the variable gnocchi_pool_name is referenced in the config
template, but should now be ceph_gnocchi_pool_name.

This change fixes the issue.

Reported by Nick Wilson.

[1] https://review.opendev.org/#/c/704309/12/ansible/roles/gnocchi/defaults/main.yml

Change-Id: I7089781c0c4d7bce8a44cb8b1fca847dd0b7efd1
Closes-Bug: #1877974
2020-05-11 10:23:58 +01:00
Zuul
a5c1d36626 Merge "Make nova perms consistent between applications" 2020-05-11 08:29:26 +00:00
Zuul
a44bba845f Merge "Update Advanced Config guide to clarify paths" 2020-05-07 11:41:54 +00:00
Radosław Piliszek
93c9ad892c Make nova perms consistent between applications
Nova cells support introduced a slight regression that triggers
odd behaviour when we tried switching to Apache (httpd) [1].
Bootstrap no longer applied permissions recursively to all log
files, creating a discrepancy between normal and bootstrap runs
and also Nova and other services such as Cinder (regarding
bootstrap logging).

This patch fixes it.

Backport to Train.

Not creating reno nor a bug record because it does not affect
any current standard usage in any currently known way.

Note this only really hides (standardizes?) the global issue that
we don't control file permissions on newly created files too well.

[1] https://review.opendev.org/724793

Change-Id: I35e9924ccede5edd2e1307043379aba944725143
Needed-By: https://review.opendev.org/724793
2020-05-06 18:36:10 +00:00
Pierre Riteau
4503bf2419 Add release note for CloudKitty configuration fixes
This note refers to configuration changes done in
I626dc7afe9eabfbeb6c08137a3e6bbeebde2b332.

Change-Id: I75a37b9d3b28964f353977baa3a9f49fc424d866
Closes-Bug: #1876985
2020-05-05 22:53:30 +02:00
generalfuzz
f165b81e2a Use FQDN to communicate with Kibana and Elasticsearch
Switch URL composition from using VIP to FQDN to connect with Kibana and
Elasticsearch services.

Change-Id: I5d559ead1d6d5e928e76bb685e0f730868fd7b89
Closes-Bug: #1862419
2020-05-05 09:55:50 -07:00
Mark Goddard
a87780cb96 Use FQDN for elasticsearch
This was addressed in I21689e22870c2f6206e37c60a3c33e19140f77ff but
accidentally reverted in I4f74bfe07d4b7ca18953b11e767cf0bb94dfd67e.

Change-Id: Id5fc458b0ca54bddfe9a43cb315dbcfeb2142395
2020-05-05 16:31:26 +00:00
Radosław Piliszek
7d73246fe7 OVN IPv6
Fixes:
- SB/NB DB address format (single host) for SB/NB DB daemon
- SB/NB DB address format (all hosts) for Neutron / northd /
  ovn-ovs bootstrap
- OVN tests

Change-Id: I539773c48f89b731d068280c228ce11782bf5788
Closes-Bug: #1875222
2020-05-01 18:03:14 +02:00
Zuul
bc22925906 Merge "Add support for encrypting Horizon and Placement API" 2020-05-01 09:05:56 +00:00
Zuul
76b6cf9f6d Merge "Add support for encrypting Glance api" 2020-04-30 21:16:13 +00:00
James Kirsch
e3d5a91a90 Add support for encrypting Horizon and Placement API
This patch introduces an optional backend encryption for Horizon and
Placement services. When used in conjunction with enabling TLS for
service API endpoints, network communcation will be encrypted end to
end, from client through HAProxy to the Horizon and Placement services.

Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d
Partially-Implements: blueprint add-ssl-internal-network
2020-04-30 20:55:07 +01:00
James Kirsch
f87814f794 Add support for encrypting Glance api
Add TLS support for Glance api using HAProxy to perform TLS termination.

Change-Id: I77051baaeb5d3f7dd9002262534e7d35f3926809
Partially-Implements: blueprint add-ssl-internal-network
2020-04-30 17:31:58 +01:00
Hongbin Lu
91678f67af Zun: Add zun-cni-daemon to compute node
Zun has a new component "zun-cni-daemon" which should be
deployed in every compute nodes. It is basically an implementation
of CNI (Container Network Interface) that performs the neutron
port binding.

If users is using the capsule (pod) API, the recommended deployment
option is using "cri" as capsule driver. This is basically to use
a CRI runtime (i.e. CRI plugin for containerd) for supporting
capsules (pods). A CRI runtime needs a CNI plugin which is what
the "zun-cni-daemon" provides.

The configuration is based on the Zun installation guide [1].
It consits of the following steps:
* Configure the containerd daemon in the host. The "zun-compute"
  container will use grpc to communicate with this service.
* Install the "zun-cni" binary at host. The containerd process
  will invoke this binary to call the CNI plugin.
* Run a "zun-cni-daemon" container. The "zun-cni" binary will
  communicate with this container via HTTP.

Relevant patches:
Blueprint: https://blueprints.launchpad.net/zun/+spec/add-support-cri-runtime
Install guide: https://review.opendev.org/#/c/707948/
Devstack plugin: https://review.opendev.org/#/c/705338/
Kolla image: https://review.opendev.org/#/c/708273/

[1] https://docs.openstack.org/zun/latest/install/index.html

Depends-On: https://review.opendev.org/#/c/721044/
Change-Id: I9c361a99b355af27907cf80f5c88d97191193495
2020-04-30 02:22:20 +00:00
Zuul
70e7b1b0d8 Merge "Add feature to support managing dynamic pollsters" 2020-04-29 17:45:34 +00:00
Zuul
059fee1ea3 Merge "Add support for encrypting heat api" 2020-04-29 17:19:51 +00:00
Zuul
12a0ffa305 Merge "Fix telegraf invalid TOML syntax" 2020-04-29 12:00:56 +00:00
Zuul
8d4157a510 Merge "Adapt to Octavia Certificate Configuration Guide." 2020-04-29 11:46:54 +00:00
Noboru Iwamatsu
e84c968ed2 Adapt to Octavia Certificate Configuration Guide.
This patch updates the octavia controller deployment to use the
latest octavia certificate configuration guide [1]. The dual CA changes
were introduced in Train.

[1] https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Change-Id: If89ec0d631568db70690f1a69d00115c59abe678
Closes-Bug: #1862133
2020-04-29 08:30:12 +03:00
xiaojueguan
7ad7c88046 Fix telegraf invalid TOML syntax
Change-Id: Ie3022d1721f43dc84e4228331d0d2f6f3a3c7ebd
Closes-Bug: 1875613
2020-04-29 11:14:31 +08:00
Zuul
10036c0736 Merge "CI: Fix Debian aarch64 jobs" 2020-04-29 01:25:58 +00:00
Zuul
2f77670f7d Merge "ironic: handle Swift object storage" 2020-04-29 00:53:48 +00:00
Marcin Juszkiewicz
30b8eed1cd CI: Fix Debian aarch64 jobs
Debian defaults to Python2 which is not complete in aarch64 images.
This patch changes CI to always use Python3.

We need to install several Python modules to have working ussuri jobs.

"Failed to import the required Python library (setuptools) on primary's Python /usr/bin/python3."

And then several Python2 ones for train->ussuri upgrade jobs:

"Unable to find any of pip2 to use. pip needs to be installed."

Change-Id: Ia0d3ff15d97d1cabbb0b8e7f32e8712ca3f94732
2020-04-28 19:15:06 +02:00
Marcin Juszkiewicz
fee9ff9c9d ironic: handle Swift object storage
Change-Id: I18f8855a758703968aba032add68add24b31f673
Closes-bug: #1875588
2020-04-28 13:00:16 +02:00
Xing Zhang
01ae01ec26
Make sure octavia uses internal endpoint to barbican
The octavia service communicates to the barbican service with
public endpoint_type by default[1], it should use internal
like other services.

[1] 0056b5175f/octavia/common/config.py (L533-L537)

Closes-Bug: #1875618
Change-Id: I90d2b0aeac090a3e2366341e260232fc1f0d6492
2020-04-28 18:55:32 +08:00