To securely support live migration between computenodes we should enable
tls, with cert auth, instead of TCP with no auth support.
Implements: blueprint libvirt-tls
Change-Id: I22ea6233933c840b853fdcc8e03400b2bf577271
Also fixes similar issues introduced by the same recent change.
Added FIXME note about possible TLS malfunction regarding horizon.
Change-Id: I5f46a9306139eb550d3849757c8bdf0767537c78
Closes-Bug: #1844016
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
This commit adds the necessary configuration to the Swift account,
container and object configuration files to enable the Swift recon
cli.
In order to give the object server on each Swift host access to the
recon files, a Docker volume is mounted into each container which
generates them. The volume is then mounted read only into the object
server container. Note that multiple containers append to the same
file. This should not be a problem since Swift uses a lock when
appending.
Change-Id: I343d8f45a78ebc3c11ed0c68fe8bec24f9ea7929
Co-authored-by: Doug Szumski <doug@stackhpc.com>
After the integration with placement [1], we need to configure how
zun-compute is going to work with nova-compute.
* If zun-compute and nova-compute run on the same compute node,
we need to set 'host_shared_with_nova' as true so that Zun
will use the resource provider (compute node) created by nova.
In this mode, containers and VMs could claim allocations against
the same resource provider.
* If zun-compute runs on a node without nova-compute, no extra
configuration is needed. By default, each zun-compute will create
a resource provider in placement to represent the compute node
it manages.
[1] https://blueprints.launchpad.net/zun/+spec/use-placement-resource-management
Change-Id: I2d85911c4504e541d2994ce3d48e2fbb1090b813
Instead of changing Docker daemon command line let's change config
for Docker instead. In /etc/docker/daemon.json file as it should be.
Custom Docker options can be set with 'docker_custom_config' variable.
Old 'docker_custom_option' is still present but should be avoided.
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: I1215e04ec15b01c0b43bac8c0e81293f6724f278
add clear old environment
set openstack client to use internalURL
set manila client to use internalURL
Change-Id: I263fa11ff5439b28d63a6a9ce7ba460cb56fb8e2
The output from `nova-manage cell_v2 list_cells --verbose` contains
an extra column, stating whether the cell is enabled or not. This means
that the regex never matches, so existing_cells is always empty.
This fix updates the regex by adding a match group for this field which
may be used in a later change.
Unfortuately the CLI doesn't output in JSON format, which would make
this a lot less messy.
Closes-Bug: #1842460
Change-Id: Ib6400b33785f3ef674bffc9329feb3e33bd3f9a3
Allows enabling neutron port forwarding plugin
and l3 extension to forward ports from floating
IP to a fixed neutron port.
Change-Id: Ic25c96a0ddcf4f69acbfb7a58acafec82c3b0aed
Implements: blueprint enable-l3-port-forwarding
Commit d68644386f5c159ac646f70883ecf1349c153c76 disabled these
deprecated plugins more than three years ago.
Change-Id: I2dd2a89a7aa2c4a54882a8b0aa8d23d874c0e4cc
Closes-Bug: #1839172
nova.conf currently uses the [neutron] "url" parameter which has been
deprecated since 17.0.0. In multi-region environments this can
cause Nova to look up the Neutron endpoint for a different region.
Remove this parameter and set region_name and
valid_interfaces to allow the correct lookup to be performed.
Change-Id: I1bbc73728439a460447bc8edd264f9f2d3c814e0
Closes-Bug: #1836952
Upstream ironic went from $net_default_ip to $net_default_mac in
ironic/drivers/modules/master_grub_cfg.txt with
https://review.opendev.org/#/c/578959/
This commit makes the same change for
ansible/roles/ironic/templates/ironic_pxe_uefi.default.j2
Using $net_default_ip breaks ironic standalone deployments with
[dhcp]dhcp_provider = none
Change-Id: I2ca9a66d2bdb0aab5cd9936c8be8206e6ade3bd5
Closes-Bug: 1842078
This resolves an issue where the web browser would complain that it
was trying to connect to insecure websocket when using HTTPS with
horizon.
Change-Id: Ib75cc2bc1b3811bc31badd5fda3db3ed0c59b119
Closes-Bug: #1841914
octavia.conf is missing configuration values required to do service
catalog lookups in multiple region environments. Without them Octavia
can try to contact a service in a different region than its own. Specify
region_name and endpoint_type for the glance, neutron, and nova services
to prevent this from happening.
Change-Id: I753cf443c1506bbd7b69fc47e2e0a9b39857509c
Closes-Bug: #1841479
This makes WS (so e.g. console) always work with the way we
deploy Zun. Otherwise it used the first IP address.
Change-Id: Ib31c5944be2f6fa00cdf5da3e638a590e6bace40
Closes-bug: #1841243
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
The internal FQDN assumes that HAProxy is set up to route traffic to the
DB; other services default to the value of database_address.
Change-Id: I9a333a89adfa4f620f211c831d659b8d52e307d5
