As of I3629b84d3255a8fe9d8a7cea8c6131d7c40899e8 nova
now requires the service_user section to be configured
to address CVE-2023-2088. This change adds
the service user section to the nova.conf template in
the nova and nova-cell roles.
Related-Bug: #2004555
Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I2189dafca070accfd8efcd4b8cc4221c6decdc9f
(cherry picked from commit a77ea13ef1991543df29b7eea14b1f91ef26f858)
(cherry picked from commit 03c12abbcc107bfec451f4558bc97d14facae01c)
(cherry picked from commit cb105dc293ff1cdb11ab63fa3e3bf39fd17e0ee0)
(cherry picked from commit efe6650d09441b02cf93738a94a59723d84c5b19)
The flags ``--db-nb-pid`` and ``--db-sb-pid`` are corected to be
``--db-nb-pidfile`` and ``--db-sb-pidfile`` respectively. See here for
reference:
6c6a7ad1c6/utilities/ovn-ctl (L1045)
Closes-Bug: #2018436
Change-Id: Ic1e8768374566eb2198302807ecc644a19cd3062
New openstack collection modules have changed output
dicts/variable names - adapting to that.
Also changing octavia amphora image to focal, since bionic
hasn't been rebuilt since May 2021.
Closes-Bug: #2012255
Change-Id: Icf38a52472d02ef7d69bcd3716afb16e859d44a2
Sometimes passwords, URLs and other values of the variables can
contain special symbols, for example the dollar sign, using these
values can lead to unpredictable attempts of the variable expansions
in the Bash scripts, such as openrc file, so we need to use single
quotes for all variables values.
Change-Id: Ib2aabadd0ffd6a8dc2591245f29b4478e03d92fc
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
When using externally managed certificates, according to [1],
one should set `kolla_externally_managed_cert: yes` and ensure
that the certificates are in the correct place.
However, RabbitMQ precheck still expects the certificates to be
available on the controller node. This is incorrect.
Fix by not running the tasks in question when `kolla_externally_managed_cert: yes`
[1] https://docs.openstack.org/kolla-ansible/latest/admin/tls.html
Closes-Bug: 1999081
Related-Bug: 1940286
Signed-off-by: Magnus Lööf <magnus.loof@basalt.se>
Change-Id: I9f845a7bdf5055165e199ab1887ed3ccbfb9d808
This reverts commit 9867060b6b3bd36aad121b53b9e5dddfca8a8e4c.
Reason for revert: seems this broke some jobs
Change-Id: I1ca81214ece403351c0a522ea05bf07802e4c4c0
Currently, the process of enabling RabbitMQ HA with the variable
``om_enable_rabbitmq_high_availbility`` requires some manual steps to
migrate from transient to mirrored queues. In preparation for setting
this variable to ``True`` by default, this adds a precheck that will
fail if a system is currently running non-mirrored queues and
``om_enable_rabbitmq_high_availbility`` is set to ``True``.
Includes a helpful message informing the operator of their choice.
Either follow the manual procedure to migrate the queues described in
the docs, or set ``om_enable_rabbitmq_high_availbility`` to ``False``.
The RabbitMQ HA section of the reference docs is updated to include
these instructions.
Change-Id: Ic5e64998bd01923162204f7bb289cc110187feec
This patch introduces distributed lock for masakari-api
service when handle the concurrent notifications for the same
host failure from multiple masakari-hostmonitor services.
Change-Id: I46985202dc8da22601357eefe2727599e7a413e5
The dib_env_vars variable in the Bifrost's dib.yml file can contain
the DIB_BLOCK_DEVICE_CONFIG environment variable which is always the
Multiline-YAML data. By default, the format of the data is not
preserved while the configuration is merged and saved for the
bifrost-deploy container.
This is because Ansible uses the PyYAML library which has a default
80 symbol string length limit. The official Ansible documentation [1]
recommends using to_yaml or to_nice_yaml filters with width parameter.
This change adds the same ability to the merge_yaml Ansible plugin.
1. https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#formatting-data-yaml-and-json
The related change for the diskimage-builder to solve the issue with
incorrect data provided by Kolla-Ansible is also provided:
I3b74ede69eb064ad813a9108ec68a228e549e8bb
Closes-Bug: #2014980
Related-Bug: #2014981
Change-Id: Id79445c0311916ac6c1beb3986e14f652ee5a63c
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
With the addition of the variable
`om_enable_rabbitmq_high_availability`, this feature in the upgrade
task should be brought back. It is also now used in the deploy task. The
`ha-all` policy is cleared only when
`om_enable_rabbitmq_high_availability` is set to `false`.
Change-Id: Ia056aa40e996b1f0fed43c0f672466c7e4a2f547
Puts the RabbitMQ node into maintenance mode before restarting the
container. This will make the node shutdown less disruptive. For details
on what maintenance mode does, see:
https://www.rabbitmq.com/upgrade.html#maintenance-mode
Change-Id: Ia61573f3fb95fe8fcde6b789ca77ef5b45fe0a65
Since CVE-2022-29404 is fixed [1,2] the default value for the
LimitRequestBody directive in the Apache HTTP Server has been changed
from 0 (unlimited) to 1 GiB. This limits the size of images (for
example) uploaded in Horizon. This change add the ability to
configure the limit.
1. https://access.redhat.com/articles/6975397
2. https://ubuntu.com/security/CVE-2022-29404
Closes-Bug: #2012588
Change-Id: I4cd9dd088cbcf38ff6f8d188ebcc56be7d9ea1c9
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
When upgrading Nova, we sometimes hit an error where an old hypervisor
that hasn’t been upgraded recently (for example due to broken hardware)
is preventing Nova API from starting properly. This can be detected
using the tool ``nova-status upgrade check`` to make sure that there are
no ``nova-compute`` that are older than N-1 releases. This is already
used in the Kolla Ansible upgrade task for Nova. However, this task uses
the current ``nova-api`` container, so computes which will be too old
after the upgrade are not caught.
This patch changes Kolla Ansible so that the upgraded ``nova-api`` image
is used to run the upgrade checks, allowing computes that will be too
old to be detected before the upgrades are performed.
Depends-On: https://review.opendev.org/c/openstack/kolla/+/878744
Closes-Bug: #1957080
Co-Authored-By: Pierre Riteau <pierre@stackhpc.com>
Change-Id: I3a899411001834a0c88e37f45a756247ee11563d
Following ideas here:
https://wiki.openstack.org/wiki/Large_Scale_Configuration_Rabbit
Make sure old messages with no consumer are dropped after the message
TTL of 10 mins, longer than the 1 min RPC timeout.
Also ensure queues expire after an hour of inactivity, so queues from
removed nodes or renamed nodes don't grow over time.
Change-Id: Ifb28ac68b6328adb604a7474d01e5f7a47b2e788
Adds two new flags to alter behaviour in RabbitMQ:
* `rabbitmq_message_ttl_ms`, which lets you set a TTL on messages.
* `rabbitmq_queue_expiry_ms`, which lets you set an expiry time on queues.
See https://www.rabbitmq.com/ttl.html for more information on both.
Change-Id: I51ca37ffbb1bb5c07f2d39873f0f33ca20263f2a
Changes the default value of `rabbitmq-ha-promote-on-shutdown` to
`"always"`.
We are seeing issues with RabbitMQ automatically recovering when nodes
are restarted. https://www.rabbitmq.com/ha.html#cluster-shutdown
Rather than waiting for operator interventions, it is better we allow
recovery to happen, even if that means we may loose some messages.
A few failed and timed out operations is better than a totaly broken
cloud. This is achieved using ha-promote-on-shutdown=always.
Note, when a node failure is detected, this is already the default
behaviour from 3.7.5 onwards:
https://www.rabbitmq.com/ha.html#promoting-unsynchronised-mirrors
Related-Bug: #1954925
Change-Id: I484a81163f703fa27112df22473d657e2a9ab964
