This patch is fixing docker healthcheck for horizon
by changing value of horizon_listen_port, so
both apache's virtualhost and healthcheck will have
same correct port always. Also removing useless
apache's redirect as all redirects are done on
haproxy side.

Closes-Bug: #1933846
Change-Id: Ibb5ad1a5d1bbc74bcb62610d77852d8124c4a323

Kolla-ansible install python docker library in role/baremetal
to group/baremetal, because of this get container facts
for timesync checks is failing on deployment host.

This patch adding when conditional, so deployment host
will be skipped as there is no need to run timesync
checks.

Closes-Bug: #1933347
Change-Id: Ifefb9c74ee6a80cdbc458992d0196850ddfe7ffa

This trivial patch is setting "timeout tunnel" in haproxy's
configuration for spicehtml5proxy. This option extends time
when spice's websocket connection is closed, so spice will
not be freezed. Default value is set to 1h as it is in novnc.

Closes-Bug: #1938549
Change-Id: I3a5cd98ecf4916ebd0748e7c08111ad0e4dca0b2

Signed-off-by: Seena Fallah <seenafallah@gmail.com>
Change-Id: Iac1e82710df3ea82c17a6dcbf5d1821362aaa4a5

Delete the "haproxy_single_service_listen.cfg.j2" template,
which has been replaced by "haproxy_single_service_split.cfg.j2"
and deprecated in the Victoria version

Change-Id: I3599f85afe9d3045820ea1ea70481ea2500e49ac

Nova always tries to create the rabbitmq user regardless of
whether RabbitMQ is enabled or not.
This ps also adds an external rabbitmq doc.

Change-Id: Iec517226e4c82ea351889b55689a3efceaadcc76

multiple external networks are supported by linuxbridge and OVS.
Currently the config template only works for OVS

Closes-Bug: #1863935
Change-Id: I9da331e007c25c4a760839c566831769a68507a9

Co-Authored-By: Boris Lukashev

Change-Id: I52eaf823ae84e01a09a6dcfcbffd7221ff8abfac
Closes-Bug: #1937911

In the Xena release, Ironic removed the iSCSI driver [1]. The
recommended driver is direct, which uses HTTP to transfer the disk
image. This requires an HTTP server, and the simplest option is to use
the one currently deployed when enable_ironic_ipxe is set to true. For
this reason, this patch always enables the HTTP server running on the
conductor.

iPXE is still enabled separately, since it cannot currently be used at
the same time as PXE.

[1] https://review.opendev.org/c/openstack/ironic/+/789382

Change-Id: I30c2ad2bf2957ac544942aefae8898cdc8a61ec6

trivial fix

Change-Id: I43bc11183c2fa9773811a74a93c37cecceed7454

The healthcheck checks for a process called httpd, but these distros
call it apache2.  This results in the ironic_ipxe container being marked
as unhealthy.

This change fixes the issue by making the process name distro dependent.

Change-Id: I0b0126e3071146e7f8593ba970ecbed65b36fcfa
Closes-Bug: #1937037

Since the Victoria release, manila-share.conf requires a glance section
for some drivers. This change adds the missing section.

It also uses the correct cinder_keystone_user variable to reference the
cinder user.

Closes-Bug: #1921935

Change-Id: Ib7ce4ed79c28456281087eb4156577f910c072e7

Change-Id: I096971a0a69ff0fc29946fbdb70cf26ead922a8c

Closes-Bug: #1933209
Change-Id: I644ad475ca88aac0c22b14163d33a30193fe706a

These files got accidentally added back in
I7e9d5c9b8b9164d4aee3abb4e37c8f28d98ff5d1.

Change-Id: If17e5ae1cfe040f33f8309a97b4dcfa87af862a3

This patch is adding configuration option to
manipulate with kernel option sysctl_net_ipv4_tcp_retries2.

More informations about kernel option in [1][2]
and RedHat suggestion [3] to set for DBs and HA.

[1]: https://pracucci.com/linux-tcp-rto-min-max-and-tcp-retries2.html
[2]: https://blog.cloudflare.com/when-tcp-sockets-refuse-to-die/
[3]: https://access.redhat.com/solutions/726753

Closes-Bug: #1917068
Change-Id: Ia0decbbfa4e33b1889b635f8bb1c9094567a2ce6

By default, Ansible injects a variable for every fact, prefixed with
ansible_. This can result in a large number of variables for each host,
which at scale can incur a performance penalty. Ansible provides a
configuration option [0] that can be set to False to prevent this
injection of facts. In this case, facts should be referenced via
ansible_facts.<fact>.

This change updates all references to Ansible facts within Kolla Ansible
from using individual fact variables to using the items in the
ansible_facts dictionary. This allows users to disable fact variable
injection in their Ansible configuration, which may provide some
performance improvement.

This change disables fact variable injection in the ansible
configuration used in CI, to catch any attempts to use the injected
variables.

[0] https://docs.ansible.com/ansible/latest/reference_appendices/config.html#inject-facts-as-vars

Change-Id: I7e9d5c9b8b9164d4aee3abb4e37c8f28d98ff5d1
Partially-Implements: blueprint performance-improvements

Magnum has various sections in its configuration file for OpenStack
clients. When internal TLS is enabled, these may need a CA certificate
to be specified.

This change adds a CA certificate configuration, based on
openstack_cacert, for all clients using internal endpoints.

Note: we are explicitly not adding the configuration for the
[magnum_client] ca_file and [drivers] openstack_ca_file options, since
these use the public endpoint by default. These options may be
provided via custom configuration if necessary.

Change-Id: Ie59b3777c0a2c142b580addd67e279bc4b2f2c90
Co-Authored-By: Kyle Dean
Closes-Bug: #1919389

Closes-Bug: #1933025

Change-Id: Ib67d715ddfa986a5b70a55fdda39e6d0e3333162

The variable names are awful but this all agrees with the docs now.

Closes-Bug: #1933122
Change-Id: Icd3d140473886ba3c4847859cddccdb3c1376818

Following upstream which removed ZFSSA support in Ussuri [1].

[1] https://review.opendev.org/c/openstack/cinder/+/690137

Change-Id: Idb311e18b437fba696759ecb1cf2a6b4803aa5c5

Kolla Ansible runs iscsid in the foreground (-f) and
a recent change to iscsid in CentOS 8 (both Linux and Stream)
caused it to reject setting pid file in such a case.
PID file is irrelevant in this scenario so this commit
removes its parameter.

Closes-Bug: #1933033
Change-Id: Ic0c4beae0c812f3ca68a6ee5cc4daa2fee0f277d

This reverts commit c6259158.

Reason for revert: cAdvisor fails with:

invalid value "percpu,referenced_memory,cpu_topology,resctrl,udp,advtcp,sched,hugetlb,memory_numa,tcp,process" for flag -disable_metrics: unsupported metric "referenced_memory" specified in disable_metrics

Change-Id: I1a0eea5c20f95f38c707401b56b7d2454484377d

Follow up fix for Ia7e923dddb77ff6db3c9160af931354a2b305e8d, which
broke the cephadm jobs.

Change-Id: Ieb39b41a6f493bd00c687610ba043a1b4e5945e7
Related-Bug: #1821696

Part of agreed Xena release process cadence:
R-17 Switch source images to current release

Change-Id: I221998092715355dd8b972bf2575d65c3259a4da

Adds support for passing extra runtime options to cAdvisor.
By default new options disable exporting rarely useful metrics
and labels by cAdvisor. This helps reducing the load on Prometheus
and cAdvisor itself.

Change-Id: Id0144e8fa518e3236cb94ba2e3961fb455d36443

Remove rally role as planned

Change-Id: Ic898efe42b21b01c45d4621af2cf90ecd7afc398

They are handled by Docker since at least 18.09 (tested).
Backport to Wallaby at most to not introduce needless restarts in
already stable branches.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/792583
Change-Id: Ia95355c529f1b0222dc1de06632984b6d130b9ec

the project is deprecated and in the process of being removed
from OpenStack upstream.

Change-Id: I9d5ebed293a5fb25f4cd7daa473df152440e8b50

With the new default since Wallaby, starting Docker makes it
enable forwarding and not filter it at all.
This may pose a security risk and should be mitigated.

Closes-Bug: #1931615
Change-Id: I5129136c066489fdfaa4d93741c22e5010b7e89d

The host list order seen during Ansible handlers may differ to the usual
play host list order, due to race conditions in notifying handlers. This
means that restart_services.yml for RabbitMQ may be included in a
different order than the rabbitmq group, resulting in a node other than
the 'first' being restarted first. This can cause some nodes to fail to
join the cluster. The include_tasks loop was introduced in [1].

This change fixes the issue by splitting the handler into two tasks, and
restarting the first node before all others.

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/763137

Change-Id: I1823301d5889589bfd48326ed7de03c6061ea5ba
Closes-Bug: #1930293

Since I0474324b60a5f792ef5210ab336639edf7a8cd9e swift role uses the new
service-cert-copy role introduced in the
I6351147ddaff8b2ae629179a9bc3bae2ebac9519 but the swift role itself
doesn't contain the handler used in the service-cert-copy. Right now,
restarting the swift container isn't necessary, but the handler should
exist. Also we should fix the name of the service used.

Closes-Bug: #1931097
Change-Id: I2d0615ce6914e1f875a2647c8a95b86dd17eeb22
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

On machines with many cores, we were seeing excessive CPU load on systems
that were not very busy. With the following Erlang VM argument we saw
RabbitMQ CPU usage drop from about 150% to around 20%, on a system with
40 hyperthreads.

    +S 2:2

By default RabbitMQ starts N schedulers where N is the number of CPU
cores, including hyper-threaded cores. This is fine when you assume all
your CPUs are dedicated to RabbitMQ. Its not a good idea in a typical
Kolla Ansible setup. Here we go for two scheduler threads.
More details can be found here:
https://www.rabbitmq.com/runtime.html#scheduling
and here:
https://erlang.org/doc/man/erl.html#emulator-flags

    +sbwt none

This stops busy waiting of the scheduler, for more details see:
https://www.rabbitmq.com/runtime.html#busy-waiting
Newer versions of rabbit may need additional flags:
"+sbwt none +sbwtdcpu none +sbwtdio none"
But this patch should be back portable to older versions of RabbitMQ
used in Train and Stein.

Note that information on this tuning was found by looking at data from:
rabbitmq-diagnostics runtime_thread_stats
More details on that can be found here:
https://www.rabbitmq.com/runtime.html#thread-stats

Related-Bug: #1846467

Change-Id: Iced014acee7e590c10848e73feca166f48b622dc

We really want elasticsearch or monasca to catch all logs,
to providd the required centrailsed logging.

While these appears to make little material difference,
it should make it harder for logs to not get caught by
any of the outputs we have configured.

TrivialFix

Change-Id: I3bb74dcdc3cbe78cd1e1657f44e2a0af9d6508ef

Interface names with dashes can cause problems in Ansible since dashes
are replaced with underscores when referencing facts. In the baremetal
role we reference the fact for api_interface without replacing dashes
with underscores. This may result in host entries being omitted from
/etc/hosts.

This change fixes the issue.

Change-Id: I667adc7d8a7dbd20dbfa293f389e02355f8275bb
Related-Bug: #1927357

Currently the logs tagged with infra.mariadb.xinetd flow into
elasticsearch with no hostname or programname attach, thus making
navigating the logs very hard.

The quick fix is renaming the tag to infra.mariadb-xinetd, which is just
enought to ensure the logs are processed correctly with the existing
filters.

TrivialFix

Change-Id: Icd72206de7c1f701bdf35c8fb3b128ef2dbe29a8

Currently when elasticsearch log output is enabled there are lots
of warnings going into elasticsearch about type being deprecated
and needing to move to @type. This change stops those warnings.

TrivialFix

Change-Id: Ideac1925cb764ad0d7d8416f56d5e4a993c6d8b6

The chrony container is deprecated in Wallaby, and disabled by default.
This change allows to remove the container if chrony is disabled.

Change-Id: I1c4436072c2d47a95625e64b731edb473384b395

Makes nova-libvirt container always run in 'host' CgroupnsMode
to ensure it works.

Change-Id: I75105baf434977c68bc5c8ca1f5213e602c52c8c

This change inform us that the file is 'Ansible managed'

TrivialFix

Change-Id: I99ebeb493ff9c3c7af0010ce1efea45c7f9a2559
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>