5968 Commits

Author SHA1 Message Date
James Kirsch
d6251506f7 Add support for encrypting Nova API
This patch introduces an optional backend encryption for the Nova API
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Nova service.

Change-Id: I48e1540b973016079d5686b328e82239dcffacfd
Partially-Implements: blueprint add-ssl-internal-network
2020-08-15 13:22:44 +00:00
Zuul
d1e5de2120 Merge "Add Keep Alive Timeout for httpd" 2020-08-13 15:27:39 +00:00
James Kirsch
19b028e660 Add Keep Alive Timeout for httpd
This patch introduces a global keep alive timeout value for services
that leverage httpd + wsgi to handle http/https requests. The default
value is one minute.

Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network
2020-08-13 09:52:40 +00:00
Zuul
516658f489 Merge "Mount /etc/timezone based on host OS" 2020-08-12 22:09:19 +00:00
Zuul
5a49f96c5a Merge "Revert "Fix post-deploy mode"" 2020-08-12 12:26:13 +00:00
Radosław Piliszek
137f79e49e Revert "Fix post-deploy mode"
This fix was premature as it completely ignores
the previously-respected umask.

Let's discuss a proper fix and revert this one
since CI is fixed elsewhere [1].

[1] https://review.opendev.org/743502

This reverts commit 87efdce24bc802777d4da58f9f63c8d0838e7120.

Change-Id: If38adbf124e793574a21ae986f9ee146d587f820
2020-08-12 09:00:52 +00:00
Zuul
b82ee26242 Merge "Fix post-deploy mode" 2020-08-11 16:49:43 +00:00
Zuul
580f929dfa Merge "ubuntu: move to 20.04 Focal" 2020-08-11 15:26:39 +00:00
Radosław Piliszek
87efdce24b Fix post-deploy mode
Ansible changed the default mode for files, even in stable
releases. [1]

This change restores the previous default (with the common
umask).

[1] https://github.com/ansible/ansible/pull/70221

Change-Id: I0f81214b4f95fe8a378844745ebc77f3c43027ab
Closes-Bug: #1891145
2020-08-11 12:02:29 +00:00
Marcin Juszkiewicz
352f91ac10 ubuntu: move to 20.04 Focal
There is a time once every 2 years when the Ubuntu team releases a new LTS
release. And then UCA joins with binary packages for the current OpenStack
development cycle.

It is this time for Ubuntu 20.04 'focal'.

Includes CI fix to pass:

[CI] Temporarily block new Ansible

The proper fix [1] needs fixing older branches before newer.
This one allows fixing CI first, in the usual order.

To revert after [1] gets merged in all relevant branches.

[1] https://review.opendev.org/745648

Old-Change-Id: Ifbd37d8addd4322773118e2e9d46494741a8ae66
Related-Bug: #1891145

Depends-on: https://review.opendev.org/#/c/738994/
Change-Id: Ib8b70ee40ec2d19509cc84c0f530612f81907721
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2020-08-11 13:55:01 +02:00
Zuul
5117eeb9fb Merge "keystone: all distros are Python3 - use /usr/bin/python3" 2020-08-10 20:48:44 +00:00
Zuul
8dfab9675c Merge "Add trove-guestagent.conf" 2020-08-10 12:21:30 +00:00
Mark Goddard
146b00efa7 Mount /etc/timezone based on host OS
Previously we mounted /etc/timezone if the kolla_base_distro is debian
or ubuntu. This would fail prechecks if debian or ubuntu images were
deployed on CentOS. While this is not a supported combination, for
correctness we should fix the condition to reference the host OS rather
than the container OS, since that is where the /etc/timezone file is
located.

Change-Id: Ifc252ae793e6974356fcdca810b373f362d24ba5
Closes-Bug: #1882553
2020-08-10 10:14:18 +01:00
likui
3888196334 Add trove-guestagent.conf
Add trove-guestagent.conf templates for trove-guestagent service.
Default the Guest Agent config file to be injected during instance creation.

Change-Id: Id0750b84fef8e19658b27f8ae16a857e1394216e
2020-08-10 16:14:24 +08:00
Mark Goddard
97e26b49cd Fix Barbican client (Castellan) with TLS (part 2)
This patch is a continuation of
I6a174468bd91d214c08477b93c88032a45c137be for the nova-cell role, which
was missed.

The Castellan (Barbican client) has different parameters to control
the CA file used.
This patch uses them.
Moreover, this aligns Barbican with other services by defaulting
its client config to the internal endpoint.

See also [1].

[1] https://bugs.launchpad.net/castellan/+bug/1876102

Closes-Bug: #1886615

Change-Id: I056f3eebcf87bcbaaf89fdd0dc1f46d143db7785
2020-08-07 14:16:04 +01:00
nikparasyr
6033b71d5e Enable glance role to copy extra configuration
The Glance role copies glance-image-import.conf
when enabled, to allow configuration of
Glance interoperable image import. Property
protection can be enabled and the file is copied.

Change-Id: I5106675da5228a5d7e630871f0882269603e6571
Closes-Bug: #1889272
Signed-off-by: nikparasyr <nik.parasyr@protonmail.com>
2020-08-06 18:43:50 +02:00
Marcin Juszkiewicz
d7d4df2684 keystone: all distros are Python3 - use /usr/bin/python3
Change-Id: I59a15186bbe931efd8d99a990a3ceafbd264e1df
2020-08-06 11:30:15 +02:00
Zuul
54d8c92c7b Merge "Fix actions for Aodh and Swift" 2020-08-05 08:25:10 +00:00
Zuul
743df472d7 Merge "Fix play hosts for ironic, monasca, neutron, nova" 2020-08-04 13:36:27 +00:00
Radosław Piliszek
c1a6ca0d21 Fix actions for Aodh and Swift
These two roles were missing 'stop' and 'deploy-containers',
respectively.

Change-Id: Iaf434be9baf1973323bb177fad799aea39210fba
2020-08-04 14:32:37 +02:00
Zuul
4e62c86236 Merge "Add timesync prechecks" 2020-08-04 09:12:43 +00:00
Zuul
c58a824e88 Merge "[docker] Added a new flag to disable default iptables rules" 2020-08-04 09:11:28 +00:00
Zuul
0cb9fca9ca Merge "linuxbridge: Fix name of securitygroup section" 2020-08-03 11:04:57 +00:00
Mark Goddard
9bca246b10 Fix play hosts for ironic, monasca, neutron, nova
Some plays were not applied to all groups referenced by the services
they deploy. In most cases this works fine, but if the default inventory
is modified this may cause problems where containers are not deployed to
hosts in the missing groups, if they are not a member of other groups
that the play is targeted to.

This change syncs up the play hosts for all services.

Closes-Bug: #1889387

Change-Id: I6b92d8e53a29b06a065e0611840140d09c8a6695
2020-08-03 09:50:59 +01:00
Zuul
202dc899f4 Merge "Fix Masakari role missing deploy-containers" 2020-07-31 13:25:05 +00:00
Zuul
0048e3dd11 Merge "prometheus-openstack-exporter config service filtering" 2020-07-31 10:54:46 +00:00
Zuul
0a6a30b77a Merge "Remove deprecated options in Trove" 2020-07-30 15:29:19 +00:00
Radosław Piliszek
5d3ca8b09e Fix Masakari role missing deploy-containers
Masakari was introduced in parallel with the deploy-containers action and
so we missed adding this functionality to it.

Change-Id: Ibef198d20d481bc92b38af786cdf0292b246bb12
Closes-Bug: #1889611
2020-07-30 15:41:37 +02:00
Nick Jones
07f67f1b92 linuxbridge: Fix name of securitygroup section
With an incorrectly named section, whatever's defined in here is
actually ignored, which can result in unexpected behaviour.

Closes-Bug: 1889455

Change-Id: Ib2e2b53e9a3c0e62a2e997881c0cd1f92acfb39c
Signed-off-by: Nick Jones <nick@dischord.org>
2020-07-30 09:43:51 +00:00
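The failure mode in the commit above (a section that nothing reads, so its firewall settings are silently dropped) is easy to catch before deployment. The check below is an added example, not part of kolla-ansible or Neutron; the ini text is constructed, and the misspelled section name `[security_group]` is a hypothetical typo chosen for illustration, not the one the fix addressed.

```python
"""Added example (not kolla-ansible's code): flag a missing or mis-named
[securitygroup] section in a Neutron agent ini file.  ConfigParser, like
oslo.config, raises no error for a section nobody reads, so a typo quietly
disables firewall_driver / enable_security_group.  Inputs are constructed."""
import configparser
import difflib

REQUIRED_SECTION = "securitygroup"
REQUIRED_KEYS = ("firewall_driver", "enable_security_group")

# Constructed sample: the section name carries a hypothetical typo.
BROKEN_INI = """
[linux_bridge]
physical_interface_mappings = physnet1:eth1

[security_group]
firewall_driver = iptables
enable_security_group = true
"""

# Same content with the section correctly named.
FIXED_INI = BROKEN_INI.replace("[security_group]", "[securitygroup]")


def _looks_like(name, wanted):
    """True if `name` is plausibly a misspelling of `wanted` (case/underscore-insensitive)."""
    norm = name.lower().replace("_", "").replace("-", "")
    return difflib.SequenceMatcher(None, norm, wanted).ratio() > 0.8


def check_securitygroup(ini_text):
    """Return a list of findings; an empty list means the section is sound."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []
    if not cp.has_section(REQUIRED_SECTION):
        findings.append(f"missing [{REQUIRED_SECTION}] section")
        for name in cp.sections():
            if _looks_like(name, REQUIRED_SECTION):
                findings.append(
                    f"section [{name}] looks like a misspelling of "
                    f"[{REQUIRED_SECTION}]; its options are ignored"
                )
        return findings
    for key in REQUIRED_KEYS:
        if not cp.has_option(REQUIRED_SECTION, key):
            findings.append(f"[{REQUIRED_SECTION}] has no {key}")
    return findings


def effective_firewall_driver(ini_text):
    """The driver Neutron would actually use: None when the section is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp.get(REQUIRED_SECTION, "firewall_driver", fallback=None)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(label, effective_firewall_driver(text), check_securitygroup(text))
```

Run it against the rendered ini files before restarting the agents; a `None` from `effective_firewall_driver` means security groups are not being enforced by that agent however correct the option values look.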
likui
3660c77637 Remove deprecated options in Trove
Option "network_label_regex" from group "DEFAULT" is
deprecated for removal.

Change-Id: I8aab2ca322159e61e4cbe9a5b30825a71a991e7e
2020-07-29 17:39:00 +08:00
Radosław Piliszek
3018199f0b Add timesync prechecks
If not running containerised chrony, we need to check that the host
has its own means of system clock synchronization.

Change-Id: I31b3e9ed625d63a4bf82c674593522268c20ec4c
Partial-Bug: #1885689
2020-07-28 18:35:27 +00:00
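The precheck described above matters for more than log timestamps: TLS certificate validity and Keystone token expiry are both evaluated against the local clock, so an unsynchronised controller fails in confusing ways. The code below is an added example of such a check, not kolla-ansible's own precheck; the accepted unit names are an assumption, and both the `timedatectl show` output and the active-unit lists are constructed samples.

```python
"""Added example (not kolla-ansible's precheck): decide whether a host has
working clock synchronisation when the deployment does not ship its own
chrony container.  Sample inputs are constructed; the list of acceptable
time-sync units is an assumption for this example."""

# Assumption: any of these active units counts as host-side time sync.
TIMESYNC_UNITS = (
    "chronyd.service", "chrony.service",
    "ntpd.service", "ntp.service",
    "systemd-timesyncd.service",
)

# Constructed sample of `timedatectl show` on a synchronised host.
SYNCED_HOST = """Timezone=Etc/UTC
LocalRTC=no
CanNTP=yes
NTP=yes
NTPSynchronized=yes
TimeUSec=Tue 2020-08-11 12:02:29 UTC
RTCTimeUSec=Tue 2020-08-11 12:02:29 UTC
"""

# Constructed sample where a daemon may be installed but the kernel clock is not synced.
UNSYNCED_HOST = (SYNCED_HOST
                 .replace("NTP=yes", "NTP=no")
                 .replace("NTPSynchronized=yes", "NTPSynchronized=no"))


def parse_timedatectl(text):
    """Turn `timedatectl show` key=value lines into a dict."""
    props = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def timesync_precheck(timedatectl_text, active_units, enable_chrony_container=False):
    """Return (ok, reason).

    If the deployment runs its own chrony container the host need not sync.
    Otherwise require a known daemon to be active AND the kernel to report the
    clock as synchronised: a running daemon that cannot reach any server is
    not good enough."""
    if enable_chrony_container:
        return True, "containerised chrony will manage the clock"
    daemons = sorted(set(active_units) & set(TIMESYNC_UNITS))
    if not daemons:
        return False, "no time synchronisation daemon active on host"
    props = parse_timedatectl(timedatectl_text)
    if props.get("NTPSynchronized") != "yes":
        return False, f"{daemons[0]} is active but the clock is not synchronised"
    return True, f"clock synchronised by {daemons[0]}"


if __name__ == "__main__":
    print(timesync_precheck(SYNCED_HOST, ["chronyd.service", "sshd.service"]))
    print(timesync_precheck(UNSYNCED_HOST, ["chronyd.service"]))
    print(timesync_precheck(SYNCED_HOST, ["sshd.service"]))
```

On a real host the two inputs come from `timedatectl show` and `systemctl list-units --type=service --state=active`; the point of checking `NTPSynchronized` as well as the unit list is that the second failure case above (daemon running, clock never synced) is the one a service-only check misses.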
Mark Goddard
9702d4c3c3 Performance: use import_tasks for check-containers.yml
Including tasks has a performance penalty when compared with importing
tasks. If the include has a condition associated with it, then the
overhead of the include may be lower than the overhead of skipping all
imported tasks. In the case of the check-containers.yml include, the
included file only has a single task, so the overhead of skipping this
task will not be greater than the overhead of the task import. It
therefore makes sense to switch to use import_tasks there.

Partially-Implements: blueprint performance-improvements

Change-Id: I65d911670649960708b9f6a4c110d1a7df1ad8f7
2020-07-28 12:10:59 +01:00
Zuul
2966766fc2 Merge "Drop a no-longer-relevant note" 2020-07-28 10:30:40 +00:00
Radosław Piliszek
fffe9021ff Drop a no-longer-relevant note
Modern Ansible handles this just fine.

Change-Id: Iea4d0499b92e2449ef8bc01651af6d3548ceab20
2020-07-27 17:34:54 +02:00
Radosław Piliszek
e1e8533c89 Drop RDP console variables
These are noop after Hyper-V support was removed.

Change-Id: Ib451b154893e5cedc366aed83c35f48d92c7ab82
2020-07-27 15:38:56 +02:00
Justinas Balciunas
9fc98be11a prometheus-openstack-exporter config service filtering
This change disables services in the Prometheus openstack-exporter
if they are not enabled in the deployment. Such behaviour avoids
warnings and errors in the log files and keeps the
log file contents clean and informative.

Change-Id: I4dcac976620a5f451e3d273183199aefe400994a
2020-07-27 13:30:26 +00:00
Zuul
21f5a02604 Merge "Remove Hyper-V integration" 2020-07-27 12:47:33 +00:00
Zuul
34ace98ff4 Merge "Improve Grafana DB bootstrap" 2020-07-27 11:57:49 +00:00
Zuul
cd9afc5ba3 Merge "Set Kafka default replication factor" 2020-07-27 11:57:45 +00:00
Zuul
676cfa5c1f Merge "fluentd: log to a file instead of stdout" 2020-07-27 10:57:43 +00:00
Christian Berendt
6eb02245d6 Remove Hyper-V integration
Change-Id: I2e22ec47f644de2f1509a0111c9e1fffe8da0a1a
2020-07-27 10:25:46 +01:00
Dincer Celik
fc7ce6cabe [docker] Added a new flag to disable default iptables rules
Docker is manipulating iptables rules by default to provide network
isolation, and this might cause problems if the host already has an
iptables-based firewall.

This change introduces docker_disable_default_iptables_rules to
disable the iptables manipulation by putting "iptables: false" [1] into
daemon.json.

For better defaults, this feature will be enabled by default in
Victoria.

[1] https://docs.docker.com/network/iptables/

Closes-Bug: #1849275

Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b
2020-07-27 09:09:45 +00:00
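The reason this flag is security-relevant is that Docker's own rules are inserted ahead of the host's: a published port is reached via DNAT and the FORWARD chain, so an INPUT-chain firewall never sees it. The snippet below is an added example of applying the setting, not kolla-ansible's implementation; the daemon.json path and the existing contents are assumptions/constructed, and `"iptables": false` is the documented daemon.json key the commit refers to.

```python
"""Added example (not kolla-ansible's code): set "iptables": false in Docker's
daemon.json without clobbering other settings, writing the file atomically so
dockerd never reads a half-written config.  The path is Docker's default and an
assumption here; SAMPLE_EXISTING is a constructed starting configuration."""
import json
import os
import tempfile

DAEMON_JSON = "/etc/docker/daemon.json"  # assumption: default location

# Constructed existing daemon.json that already pins a log driver.
SAMPLE_EXISTING = json.dumps(
    {"log-driver": "json-file", "log-opts": {"max-size": "50m"}}
)


def render_daemon_json(existing_text, disable_iptables=True):
    """Return new daemon.json text.  Keys we do not manage are preserved.

    Dropping the key, rather than writing true, restores Docker's default."""
    cfg = json.loads(existing_text) if existing_text.strip() else {}
    if disable_iptables:
        cfg["iptables"] = False
    else:
        cfg.pop("iptables", None)
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"


def iptables_disabled(daemon_json_text):
    """True only when the file explicitly turns Docker's rule management off."""
    return json.loads(daemon_json_text).get("iptables", True) is False


def write_atomically(path, text, mode=0o644):
    """tmp file + rename in the same directory: the file is either old or new."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".daemon.json.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Demonstrate against a scratch copy rather than the live /etc/docker path.
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "daemon.json")
        write_atomically(target, SAMPLE_EXISTING)
        with open(target) as fh:
            updated = render_daemon_json(fh.read())
        write_atomically(target, updated)
        with open(target) as fh:
            print(fh.read(), "disabled:", iptables_disabled(open(target).read()))
```

Restart dockerd after the change. The caveat from the referenced Docker documentation [1] applies: with `iptables` set to false Docker creates none of its NAT or forwarding rules, so outbound masquerading for containers and any published ports must now be provided by the host firewall, otherwise container networking breaks.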
Doug Szumski
2c730590d7 Improve Grafana DB bootstrap
This fixes an issue where multiple Grafana instances would race
to bootstrap the Grafana DB. The following changes are made:

- Only start additional Grafana instances after the DB has been
  configured.

- During upgrade, don't allow old instances to run with an
  upgraded DB schema.

Change-Id: I3e0e077ba6a6f43667df042eb593107418a06c39
Closes-Bug: #1888681
2020-07-27 08:23:05 +00:00
Doug Szumski
a273e28e20 Set Kafka default replication factor
This ensures that when using automatic Kafka topic creation, with more than one
node in the Kafka cluster, all partitions in the topic are automatically
replicated. When a single node goes down in a >=3 node cluster, these topics will
continue to accept writes providing there are at least two in-sync replicas.

In a two node cluster, no failures are tolerated. In a three node cluster, only a
single node failure is tolerated. In a larger cluster the configuration may need
manual tuning.

This configuration follows advice given here:

[1] https://docs.cloudera.com/documentation/kafka/1-2-x/topics/kafka_ha.html#xd_583c10bfdbd326ba-590cb1d1-149e9ca9886--6fec__section_d2t_ff2_lq

Closes-Bug: #1888522

Change-Id: I7d38c6ccb22061aa88d9ac6e2e25c3e095fdb8c3
2020-07-27 08:23:05 +00:00
Michal Nasiadka
696533f228 fluentd: log to a file instead of stdout
fluentd currently logs to stdout, which is known to produce big docker logs
in /var/lib/docker. This change makes fluentd log to /var/log/kolla/fluentd.

Closes-Bug: #1888852
Change-Id: I8fe0e54cb764a26d26c6196cef68aadc6fd57b90
2020-07-27 07:13:13 +00:00
Zuul
61e32bb131 Merge "Revert "Remove the waiting for ironic-api to be accessible"" 2020-07-25 09:57:55 +00:00
Mark Goddard
4a6050a333 Revert "Remove the waiting for ironic-api to be accessible"
This reverts commit 8fc86893893685e828600e21ddba147b64f0adc3.

It appears that it is still necessary to wait for ironic to be up, otherwise inspector may fail to start:

The baremetal service for 192.0.2.10:None exists but does not have any supported versions.

Change-Id: Ibc8314c91113618ce9e92b8933a63eba3cf3bbe1
2020-07-24 14:55:13 +00:00
Zuul
9a141eb144 Merge "Fix some CloudKitty API responses when behind SSL" 2020-07-24 10:38:57 +00:00
Zuul
ef38c505f8 Merge "Add support for encrypting etcd service" 2020-07-24 07:53:50 +00:00
Zuul
98f773d0be Merge "Masakari: copy TLS certificates into containers" 2020-07-24 07:53:48 +00:00