Moved the TLS documentation from the "advanced-configuration" doc to its
own TLS document. This is in preparation for improving it.
Change-Id: I4c83f1810ef1222aaa3560174c1ba39328853c4e
Co-Authored-By: James Kirsch <generalfuzz@gmail.com>
Docker is manipulating iptables rules by default to provide network
isolation, and this might cause problems if the host already has an
iptables-based firewall.
This change introduces docker_disable_default_iptables_rules to
disable the iptables manipulation by putting "iptables: false" [1] in
daemon.json.
For better defaults, this feature will be enabled by default in
Victoria.
[1] https://docs.docker.com/network/iptables/
Closes-Bug: #1849275
Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b
This fixes an issue where multiple Grafana instances would race
to bootstrap the Grafana DB. The following changes are made:
- Only start additional Grafana instances after the DB has been
  configured.
- During upgrade, don't allow old instances to run with an
  upgraded DB schema.
Change-Id: I3e0e077ba6a6f43667df042eb593107418a06c39
Closes-Bug: #1888681
This ensures that when using automatic Kafka topic creation, with more than one
node in the Kafka cluster, all partitions in the topic are automatically
replicated. When a single node goes down in a >=3 node cluster, these topics will
continue to accept writes providing there are at least two insync replicas.
In a two node cluster, no failures are tolerated. In a three node cluster, only a
single node failure is tolerated. In a larger cluster the configuration may need
manual tuning.
This configuration follows advice given here:
[1] https://docs.cloudera.com/documentation/kafka/1-2-x/topics/kafka_ha.html#xd_583c10bfdbd326ba-590cb1d1-149e9ca9886--6fec__section_d2t_ff2_lq
Closes-Bug: #1888522
Change-Id: I7d38c6ccb22061aa88d9ac6e2e25c3e095fdb8c3
fluentd currently logs to stdout, which is known to produce big docker logs
in /var/lib/docker. This change makes fluentd log to /var/log/kolla/fluentd.
Closes-Bug: #1888852
Change-Id: I8fe0e54cb764a26d26c6196cef68aadc6fd57b90
This reverts commit 8fc86893893685e828600e21ddba147b64f0adc3.
It appears that it is still necessary to wait for ironic to be up, otherwise inspector may fail to start:
The baremetal service for 192.0.2.10:None exists but does not have any supported versions.
Change-Id: Ibc8314c91113618ce9e92b8933a63eba3cf3bbe1
From Ussuri, if CA certificates are copied into
/etc/kolla/certificates/ca/, these should be copied into all containers.
This is not being done for masakari currently.
Additionally, we are not setting the [DEFAULT] nova_ca_certificates_file
option in masakari.conf. This depends on masakari bug 1873736 being
fixed to work.
This change fixes these issues.
Change-Id: I9a3633f58e5eb734fa32edc03a3022a500761bbb
Closes-Bug: #1888655
Some CloudKitty API responses include a Location header using http
instead of https. Seen with `openstack rating module enable hashmap`.
Change-Id: I11158bbfd2006e3574e165b6afc9c223b018d4bc
Closes-Bug: #1888544
A "@type copy" statement is already present at the beginning of each
match element, so extra "type copy" statements are not needed. They are causing the
following warnings in fluentd logs:
[warn]: parameter 'type' in <match syslog.local0.**>
[warn]: parameter 'type' in <match syslog.local1.**>
This commit also harmonizes indentation of the Monasca config block.
Change-Id: I779c2b942d007acbdd43d999f2fc0cdc131d431f
Related-Bug: #1885873
We should clone the freezer code before running bootstrap;
otherwise, the directory /opt/stack/freezer, which is empty, will be
mounted into the freezer_api container.
Closes-Bug: #1888242
Change-Id: I7c22dd380fd5b1dff7b421109c4ae37bab11834a
Option "trove_auth_url/os_region_name" from group "DEFAULT" is deprecated.
Use option "auth_url/region_name" from group service_credentials
Change-Id: I15d6891582c92c7fc813f280a2b47ebaaca77eba
This makes use of udev rules to make it smarter and override
host-level packages settings.
Additionally, this masks an Ubuntu-only service that is another
pain point in terms of /dev/kvm permissions.
Fingers crossed for no further surprises.
Change-Id: I61235b51e2e1325b8a9b4f85bf634f663c7ec3cc
Closes-bug: #1681461
Switch to the Confluent Kafka client in all remaining Python based
Monasca services. This should allow us to later un-pin the Kafka
messaging version for Monasca.
Change-Id: I42bc78ffe304ba21c448c2e08b025e93a70ddb44
Currently setting --configdir on the kolla-ansible CLI doesn't properly set the path
for the passwords file.
Change-Id: I38d215b721ec256be6cfdd6313b5ffb90c2a3f4c
Closes-Bug: #1887180
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>