We don't use dots in the image name

Change-Id: I29172448c14a1ca9a5fa23abe701366f875959e0

Closes-bug: #2077511
Change-Id: Icd15e8d04771cf50bc704f0c40006a8ac0aeb3ef

This trivial fix simply consists of
adding the forgotten action after
the kolla-ansible was reworked in review [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/911417

Closes-Bug: #2080408
Change-Id: I26b5db3a3eeebd758ad05d9cb9aa689a68e1816f

From version 2.1, ProxySQL has a built-in ProxySQL
Prometheus exporter. This patch adds an option to
easily enable this exporter [1].

[1] https://proxysql.com/documentation/prometheus-exporter

Change-Id: I8776cdc0a6ec9e4e35a2424dd0984488514a711f

Change-Id: I65fb8fb028a085f0f1c980417c021522b4eea20d

When using dnsmasq as a DHCP server, unless you use the noping option
(and that is not recommended), the NET_RAW capabilty is required so
that dnsmasq can send ICMP packets. These are used to check an address
is not currently in use[1].  Docker enables this capability by
default. Podman runs containers with a minimal set of capabilities[3].

[1] https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012840.html
[2] https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities
[3] https://github.com/rhatdan/common/blob/f39f2a3f8c7680b9e456b9d235570e511807d6c6/docs/containers.conf.5.md?plain=1#L84-L101

Closes-Bug: #2055282
Change-Id: Ib3a1313df680d91c7f008063937ca7d37e82f690

The --reload parameter ensures that any changes
in the proxysql configuration file are applied
to the already existing internal proxysql database.

Change-Id: I9215d6cef3795030676c44a8184d99ba46dcb60c

This is a prerequisite for patchset #924651

Nova runs checks before upgrading. A new nova_upgrade_checks container
is started for that purpose. This container uses the new nova-api
image, but the old config.json file. The image expects CA certificates
in a certain location, but due to the old config.json file, they will
not be present. This results in the container not trusting keystone SSL
certificate and the upgrade fails, since it can't connect. Moving the
config section before the checks ensures that the new container has
all the certificates it needs to connect to Keystone.

Also nova_enable_rolling_upgrade is no longed used, so there was no
point in keeping upgrade tasks split.

Change-Id: I44bf48fb86f639d7f0acb786392573ebfed7ee97
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>

In I70dd1751dea6bfc9bb265aeda04b3392e135324c we removed
Requires=docker.service and left only After=docker.service.

In a case where something starts docker.service that's enough,
but if docker.service is disabled or no service is dependent on
it - it won't be started.

This patch adds Wants=docker.service which will try to start
docker.service if it is not started or enabled but does not
impose a dependency which causes restart of kolla systemd units
when docker.service is restarted (see [1]).

Closes-Bug: #2065168

[1]: https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Wants=

Change-Id: Ic3acb15f7c6ba7269ef62ccc8895b6bea4fc1f4d

Inner modules called by the kolla_toolbox module were returning stdout
and stderr as a single output object. This could break JSON parsing if
any data was present in stderr, for example warnings such as:

    [WARNING]: Collection ansible.posix does not support Ansible version 2.14.17

Fix by using demux=True to separate the two streams. The stderr content
is logged as it could be useful for troubleshooting or catching
deprecation notices.

Change-Id: Iad0476d4511f28c837794352c9a3e2f47113d9a1
Closes-Bug: #2080544

Commit [1] introduced a bug into kolla-ansible
where there is incorrect indentation in the haproxy
configuration file. This patch fixes it.

[1] https://github.com/openstack/kolla-ansible/commit/b13fa5a92cb6d768c5839bd11667e2ca72a7cd2f

Closes-Bug: #2080034
Change-Id: I3375e303bc358fc79d1fa2e219e6ec1dba7a38ba

prometheus-msteams group got removed with I93d28ef138b4e784465f3a7eaa11101ea5877050
and is needed in upgrade jobs

Change-Id: Ief26303993128e327228ee438fe4fec5ff5c46e7

Change-Id: I2dfb6f6d8b85d8b51e817b6f2a7abd6930383e9f

Change-Id: Ie73d7eef294e9e579314a61b39382f3ff3ba4b4b
Closes-Bug: 2078973

Fixes issue in PodmanWorker where it didn't set KOLLA_SERVICE_NAME
environment variable when creating new container.
Additionally, two methods were moved from DockerWorker
to ContainerWorker as they are applicable to both engines.

Closes-Bug: #2078940
Change-Id: I273444fc828678d3c6803bce1bc8db1c5366b9b6
Signed-off-by: Martin Hiner <martin.hiner@tietoevry.com>

Build upon changes in kolla which change strategy of installing projects
in containers when in dev mode. This fixes problems where when package
file manifest changes, the changes were not reflected in to
devmode-enabled container.

It changes the strategy of installing projects in dev mode in containers.
Instead of bind mounting the project's git repository to the venv
of the container, the repository is bind mounted to
/dev-mode/<project_name> from which the it is installed using pip
on every startup of the container using kolla_install_projects script.

Also updates docs to reflect the changes.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/925712


Closes-Bug: #1814515
Singed-off-by: Roman Krček <roman.krcek@tietoevry.com>
Change-Id: If191cd0e3fcf362ee058549a1b6c244d109b6d9a

harden the TLS default config according to the mozilla
"modern" recommendation:

https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7



if you want to revert to the old settings, set:

kolla_haproxy_ssl_settings: "legacy" in globals.yaml
alternatively you can also set it to "intermediate"
for a middle ground between security and accessibility.

this also adjusts the glance and neutron tls proxy ssl settings
in their dedicated haproxy config templates to use the same mechanism.

also add some haproxy related docs to the TLS guide and cross reference
it from the haproxy-guide.

Closes-Bug: #2060787

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6

When cert generation during upgrade was fixed
it was omitted to also redirect stderr to the log file.

This commit fixes that.

Introduced-By: Ib257f8342c392b78e02ae31588ce5c6f8943f5b8
Closes-Bug: #2078364

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I43ca7d782bdcc53dcbc59dcf82ac1daa48e85ad5

When merging change [1], fluentd_enable_watch_timer was
unintentionally missed in Let’s Encrypt, as change [2] had been
merged earlier.

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/785309
[2] https://review.opendev.org/c/openstack/kolla-ansible/+/899895

Change-Id: I7c72faecbdb66c7fd196acd3e7b2351851983490