949 Commits

Author SHA1 Message Date
Zuul
d1e5de2120 Merge "Add Keep Alive Timeout for httpd" 2020-08-13 15:27:39 +00:00
James Kirsch
19b028e660 Add Keep Alive Timeout for httpd
This patch introduces a global keep alive timeout value for services
that leverage httpd + wsgi to handle http/https requests. The default
value is one minute.

Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network
2020-08-13 09:52:40 +00:00
Zuul
5a49f96c5a Merge "Revert "Fix post-deploy mode"" 2020-08-12 12:26:13 +00:00
Radosław Piliszek
137f79e49e Revert "Fix post-deploy mode"
This fix was premature as it completely ignores
the previously-respected umask.

Let's discuss a proper fix and revert this one
since CI is fixed elsewhere [1].

[1] https://review.opendev.org/743502

This reverts commit 87efdce24bc802777d4da58f9f63c8d0838e7120.

Change-Id: If38adbf124e793574a21ae986f9ee146d587f820
2020-08-12 09:00:52 +00:00
Zuul
b82ee26242 Merge "Fix post-deploy mode" 2020-08-11 16:49:43 +00:00
Radosław Piliszek
87efdce24b Fix post-deploy mode
Ansible changed the default mode for files, even in stable
releases. [1]

This change restores the previous default (with the common
umask).

[1] https://github.com/ansible/ansible/pull/70221

Change-Id: I0f81214b4f95fe8a378844745ebc77f3c43027ab
Closes-Bug: #1891145
2020-08-11 12:02:29 +00:00
Zuul
8dfab9675c Merge "Add trove-guestagent.conf" 2020-08-10 12:21:30 +00:00
likui
3888196334 Add trove-guestagent.conf
Add trove-guestagent.conf templates for trove-guestagent service.
Default the Guest Agent config file to be injected during instance creation.

Change-Id: Id0750b84fef8e19658b27f8ae16a857e1394216e
2020-08-10 16:14:24 +08:00
nikparasyr
6033b71d5e Enable glance role to copy extra configuration
Glance role copies glance-image-import.conf
when enabled to allow configuration of
glance interoperable image import. Property
protection can be enabled and file is copied.

Change-Id: I5106675da5228a5d7e630871f0882269603e6571
Closesl-Bug: #1889272
Signed-off-by: nikparasyr <nik.parasyr@protonmail.com>
2020-08-06 18:43:50 +02:00
Zuul
4e62c86236 Merge "Add timesync prechecks" 2020-08-04 09:12:43 +00:00
Zuul
c58a824e88 Merge "[docker] Added a new flag to disable default iptables rules" 2020-08-04 09:11:28 +00:00
Zuul
0cb9fca9ca Merge "linuxbridge: Fix name of securitygroup section" 2020-08-03 11:04:57 +00:00
Zuul
00ed275c44 Merge "Fix kolla_address in IPv6 fully-routed topo case" 2020-08-01 04:14:34 +00:00
Radosław Piliszek
5d3ca8b09e Fix Masakari role missing deploy-containers
Masakari was introduced parallelly to deploy-containers action and
so we missed to add this functionality to it.

Change-Id: Ibef198d20d481bc92b38af786cdf0292b246bb12
Closes-Bug: #1889611
2020-07-30 15:41:37 +02:00
Nick Jones
07f67f1b92 linuxbridge: Fix name of securitygroup section
With an incorrectly named section, whatever's defined in here is
actually ignored which can result in unexpected behaviour.

Closes-Bug: 1889455

Change-Id: Ib2e2b53e9a3c0e62a2e997881c0cd1f92acfb39c
Signed-off-by: Nick Jones <nick@dischord.org>
2020-07-30 09:43:51 +00:00
Radosław Piliszek
3018199f0b Add timesync prechecks
If not running containerised chrony, we need to check that host
has its own means of system clock synchronization.

Change-Id: I31b3e9ed625d63a4bf82c674593522268c20ec4c
Partial-Bug: #1885689
2020-07-28 18:35:27 +00:00
Zuul
21f5a02604 Merge "Remove Hyper-V integration" 2020-07-27 12:47:33 +00:00
Zuul
34ace98ff4 Merge "Improve Grafana DB bootstrap" 2020-07-27 11:57:49 +00:00
Zuul
cd9afc5ba3 Merge "Set Kafka default replication factor" 2020-07-27 11:57:45 +00:00
Zuul
676cfa5c1f Merge "fluentd: log to a file instead of stdout" 2020-07-27 10:57:43 +00:00
Christian Berendt
6eb02245d6 Remove Hyper-V integration
Change-Id: I2e22ec47f644de2f1509a0111c9e1fffe8da0a1a
2020-07-27 10:25:46 +01:00
Dincer Celik
fc7ce6cabe [docker] Added a new flag to disable default iptables rules
Docker is manipulating iptables rules by default to provide network
isolation, and this might cause problems if the host already has an
iptables-based firewall.

This change introduces docker_disable_default_iptables_rules to
disable the iptables manipulation by putting "iptables: false" [1] to
daemon.json

For better defaults, this feature will be enabled by default in
Victoria.

[1] https://docs.docker.com/network/iptables/

Closes-Bug: #1849275

Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b
2020-07-27 09:09:45 +00:00
Doug Szumski
2c730590d7 Improve Grafana DB bootstrap
This fixes an issue where multiple Grafana instances would race
to bootstrap the Grafana DB. The following changes are made:

- Only start additional Grafana instances after the DB has been
  configured.

- During upgrade, don't allow old instances to run with an
  upgraded DB schema.

Change-Id: I3e0e077ba6a6f43667df042eb593107418a06c39
Closes-Bug: #1888681
2020-07-27 08:23:05 +00:00
Doug Szumski
a273e28e20 Set Kafka default replication factor
This ensures that when using automatic Kafka topic creation, with more than one
node in the Kafka cluster, all partitions in the topic are automatically
replicated. When a single node goes down in a >=3 node cluster, these topics will
continue to accept writes providing there are at least two insync replicas.

In a two node cluster, no failures are tolerated. In a three node cluster, only a
single node failure is tolerated. In a larger cluster the configuration may need
manual tuning.

This configuration follows advice given here:

[1] https://docs.cloudera.com/documentation/kafka/1-2-x/topics/kafka_ha.html#xd_583c10bfdbd326ba-590cb1d1-149e9ca9886--6fec__section_d2t_ff2_lq

Closes-Bug: #1888522

Change-Id: I7d38c6ccb22061aa88d9ac6e2e25c3e095fdb8c3
2020-07-27 08:23:05 +00:00
Michal Nasiadka
696533f228 fluentd: log to a file instead of stdout
fluentd logs currently to stdout, which is known to produce big docker logs
in /var/lib/docker. This change makes fluentd to log to /var/log/kolla/fluentd.

Closes-Bug: #1888852
Change-Id: I8fe0e54cb764a26d26c6196cef68aadc6fd57b90
2020-07-27 07:13:13 +00:00
Zuul
9a141eb144 Merge "Fix some CloudKitty API responses when behind SSL" 2020-07-24 10:38:57 +00:00
Zuul
ef38c505f8 Merge "Add support for encrypting etcd service" 2020-07-24 07:53:50 +00:00
Zuul
98f773d0be Merge "Masakari: copy TLS certificates into containers" 2020-07-24 07:53:48 +00:00
Mark Goddard
0b4c8a3c3d Masakari: copy TLS certificates into containers
From Ussuri, if CA certificates are copied into
/etc/kolla/certificates/ca/, these should be copied into all containers.
This is not being done for masakari currently.

Additionally, we are not setting the [DEFAULT] nova_ca_certificates_file
option in masakari.conf. This depends on masakari bug 1873736 being
fixed to work.

This change fixes these issues.

Change-Id: I9a3633f58e5eb734fa32edc03a3022a500761bbb
Closes-Bug: #1888655
2020-07-23 12:06:24 +01:00
Pierre Riteau
cd55c8f4b2 Fix some CloudKitty API responses when behind SSL
Some CloudKitty API responses include a Location header using http
instead of https. Seen with `openstack rating module enable hashmap`.

Change-Id: I11158bbfd2006e3574e165b6afc9c223b018d4bc
Closes-Bug: #1888544
2020-07-22 18:59:36 +02:00
Zuul
ca578c98b6 Merge "fix deploy freezer failed when kolla_dev_mod enabled" 2020-07-22 12:32:45 +00:00
Zuul
b0407ffb17 Merge "Make /dev/kvm permissions handling more robust" 2020-07-22 12:32:40 +00:00
Pierre Riteau
cf97aeeb83 Configure prometheus-openstack-exporter to use internal endpoints
Change-Id: Ia134a518b63bb59cfad631cc488181f5245160e6
2020-07-21 09:38:49 +02:00
wu.chunyang
7dc471323c fix deploy freezer failed when kolla_dev_mod enabled
we should clone freezer code before run bootstray,
otherwise, the directory /opt/stack/freezer which is empty will
mount into freezer_api container.

Closes-Bug: #1888242

Change-Id: I7c22dd380fd5b1dff7b421109c4ae37bab11834a
2020-07-21 10:32:21 +08:00
Radosław Piliszek
202365e702 Make /dev/kvm permissions handling more robust
This makes use of udev rules to make it smarter and override
host-level packages settings.
Additionally, this masks Ubuntu-only service that is another
pain point in terms of /dev/kvm permissions.
Fingers crossed for no further surprises.

Change-Id: I61235b51e2e1325b8a9b4f85bf634f663c7ec3cc
Closes-bug: #1681461
2020-07-17 17:51:18 +00:00
Zuul
9a8341c2a7 Merge "Performance: Run common role in a separate play" 2020-07-17 15:43:22 +00:00
Bartosz Bezak
17d8332604 Logstash 6 support
Co-Authored-By: Doug Szumski <doug@stackhpc.com>
Closes-Bug: #1884090
Depends-On: https://review.opendev.org/#/c/736768

Change-Id: If2d0dd1739e484b14e3c15a185a236918737b0ab
2020-07-15 08:54:53 +00:00
Zuul
f81aee5094 Merge "Fix Barbican client (Castellan) with TLS" 2020-07-14 08:57:54 +00:00
Zuul
8792250ee1 Merge "Evaluate PASSWORDS_FILE later" 2020-07-13 09:33:26 +00:00
Zuul
9ffb8ec337 Merge "Load br_netfilter module in nova-cell role" 2020-07-12 07:46:59 +00:00
Michal Nasiadka
bf985930d0 Evaluate PASSWORDS_FILE later
Currently seting --configdir on kolla-ansible CLI doesn't set properly the path
for the passwords file.

Change-Id: I38d215b721ec256be6cfdd6313b5ffb90c2a3f4c
Closes-Bug: #1887180
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2020-07-10 17:32:35 +02:00
ramboman
0e9a81fdca Fix Barbican client (Castellan) with TLS
The Castellan (Barbican client) has different parameters to control
the used CA file.
This patch uses them.
Moreover, this aligns Barbican with other services by defaulting
its client config to the internal endpoint.

See also [1].

[1] https://bugs.launchpad.net/castellan/+bug/1876102

Closes-Bug: #1886615

Change-Id: I6a174468bd91d214c08477b93c88032a45c137be
2020-07-09 16:18:16 +00:00
Zuul
e0f2e7d3df Merge "Remove the ml2_conf.ini merging for agents" 2020-07-08 19:47:02 +00:00
gugug
c7d92ed668 Remove the ml2_conf.ini merging for agents
planned removal

Change-Id: Ib37ea4d42f82096a682cebc724c45c9dd39c8b47
2020-07-08 15:31:49 +00:00
Mark Goddard
2f91be9f39 Load br_netfilter module in nova-cell role
The nova-cell role sets the following sysctls on compute hosts, which
require the br_netfilter kernel module to be loaded:

    net.bridge.bridge-nf-call-iptables
    net.bridge.bridge-nf-call-ip6tables

If it is not loaded, then we see the following errors:

    Failed to reload sysctl:
    sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
    sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

Loading the br_netfilter module resolves this issue.

Typically we do not see this since installing Docker and configuring it
to manage iptables rules causes the br_netfilter module to be loaded.
There are good reasons [1] to disable Docker's iptables management
however, in which case we are likely to hit this issue.

This change loads the br_netfilter module in the nova-cell role for
compute hosts.

[1] https://bugs.launchpad.net/kolla-ansible/+bug/1849275

Co-Authored-By: Dincer Celik <hello@dincercelik.com>

Change-Id: Id52668ba8dab460ad4c33fad430fc8611e70825e
2020-07-08 11:13:39 +01:00
Pierre Riteau
9a0f8c3193 Fix incorrect value of [storage]/ceph_keyring in gnocchi.conf
The value should be the full path to the keyring file, not just the
name. Without this fix Gnocchi fails to connect to Ceph.

Change-Id: Iaa69b2096b09a448345de50911e21436875d48d6
Closes-Bug: #1886711
2020-07-07 21:47:04 +02:00
Mark Goddard
56ae2db7ac Performance: Run common role in a separate play
The common role was previously added as a dependency to all other roles.
It would set a fact after running on a host to avoid running twice. This
had the nice effect that deploying any service would automatically pull
in the common services for that host. When using tags, any services with
matching tags would also run the common role. This could be both
surprising and sometimes useful.

When using Ansible at large scale, there is a penalty associated with
executing a task against a large number of hosts, even if it is skipped.
The common role introduces some overhead, just in determining that it
has already run.

This change extracts the common role into a separate play, and removes
the dependency on it from all other roles. New groups have been added
for cron, fluentd, and kolla-toolbox, similar to other services. This
changes the behaviour in the following ways:

* The common role is now run for all hosts at the beginning, rather than
  prior to their first enabled service
* Hosts must be in the necessary group for each of the common services
  in order to have that service deployed. This is mostly to avoid
  deploying on localhost or the deployment host
* If tags are specified for another service e.g. nova, the common role
  will *not* automatically run for matching hosts. The common tag must
  be specified explicitly

The last of these is probably the largest behaviour change. While it
would be possible to determine which hosts should automatically run the
common role, it would be quite complex, and would introduce some
overhead that would probably negate the benefit of splitting out the
common role.

Partially-Implements: blueprint performance-improvements

Change-Id: I6a4676bf6efeebc61383ec7a406db07c7a868b2a
2020-07-07 15:00:47 +00:00
Zuul
532599520a Merge "Add support for the Neutron service plugin "trunk"" 2020-07-06 12:32:51 +00:00
Zuul
94ddaad34e Merge "Remove policy file from nova-conductor config.json template" 2020-07-05 16:02:28 +00:00
Zuul
aac4b5a167 Merge "Remove the neutron-fwaas roles since it retired" 2020-07-05 16:02:26 +00:00