The backup user was missing the necessary CREATE
privilege for the mariadb_backup_history table
within the mysql schema, causing backups to fail
when attempting to create this table.

This patch addresses the issue by granting the backup
user the required CREATE permission specifically for
the mariadb_backup_history table. With this change,
the backup process can now complete successfully
without manual intervention for user permissions.

Closes-Bug: #2061889
Change-Id: Ic92c8959972329adbd4b89c521aa87678f25b4e4

It's been some time since ProxySQL has been
with us in Kolla. Let's switch the load balancer
for MariaDB connections from HAProxy to ProxySQL.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/928956
Change-Id: I42ba4fb83b5bb31058e888f0d39d47c27b844de5

In single-node clusters, ProxySQL shuns the server on MySQL
errors, causing failures during upgrades or container restarts.
This change increases the timeout to 10 seconds, allowing
the backend time to recover and preventing immediate errors
in CI environments.

Change-Id: I70becdc3fcb4ca8f7ae31d26097d95bdc6dd67eb

Add missing logrotate config for redis.

Closes-Bug: 2084523

Change-Id: Ic631a9c87f7be30f7694706928d9ede62015ed6d
Signed-off-by: Jan Horstmann <horstmann@osism.tech>

ubuntu-ceph is broken for now due to [1], also there are no
download.ceph.com packages for Noble - so we're using Ubuntu
provided ones from proposed - because current version
in regular repos is built from git sha instead of a release
and is not suitable for running outside of Ceph upstream CI.

[1]: https://tracker.ceph.com/issues/66389

Depends-On: https://review.opendev.org/c/openstack/kolla/+/907589

Change-Id: I384068572d8a1a495c60b401dc4144a0a80802f1

Closes-Bug: #2084128
Change-Id: I3b44c8f4ff3c55023d8bab4e9a88a86ca72cae5d

Since [1] Neutron puts requested-chassis entry with a name taken
from the agent, which results in FQDN-based name on FQDN-based
deployments. It does not match what we set in hostname in OVS.

[1]: I4e3c001dd3bb37b86fda8b9495a3c5178c3e736d

Closes-Bug: #2080552
Change-Id: I3ae03aa2e09bc445f0f5a95a43bf210f06685cc1

This patch fixes an issue where backend related
certificates are attempted to be copied when
``kolla_copy_ca_into_containers`` is enabled but
``kolla_enable_tls_backend`` is disabled.

The fix consists of these specific tasks now
being limited by the condition ``kolla_enable_tls_backend``

Closes-Bug: #2080381

Change-Id: I7ccae4c501ce332519edef336bcceefae9f9568b

Kolla-ansible itself requires ansible-core>=2.16,<2.18,
but ansible-core in this version no longer supports
python38 and python39 as per [1].

So let's just drop this old python support.

[1] https://github.com/ansible/ansible/blob/v2.16.11/setup.cfg

Change-Id: Ic8aaa57f75479a17c215c27ac5e6df0f18c74edc

This update enhances the monitoring of the databasecluster
in ProxySQL. The default monitoring intervals were insufficient
for reliably detecting failures in the Galera cluster environment.

A detailed configuration for monitoring intervals has been
introduced, providing better control over how quickly and accurately
ProxySQL can identify issues.

  - Variables such as `mariadb_monitor_connect_interval`,
    `mariadb_monitor_galera_healthcheck_interval, and
    `mariadb_monitor_ping_interval` significantly reduce
    the time between connection checks.

  - Timeouts like `mariadb_monitor_galera_healthcheck_timeout`
    and `mariadb_monitor_ping_timeout` allow faster failure
    detection, while `mariadb_monitor_galera_healthcheck_max_timeout_count`
    sets the maximum number of allowed timeouts before marking a node as down.

Calculation:

 - Galera healthcheck:

   4 seconds (interval) + 1 second (timeout) + 4 seconds (interval)
   + 1 second (timeout) = 10 seconds.

 - Ping healthcheck:

   3 seconds (interval) + 2 seconds (timeout) + 3 seconds (interval)
   + 2 seconds (timeout) = 10 seconds.

Both the health check and ping check mechanisms will detect a node failure
within a maximum of 10 seconds. Both processes (health check and ping)
operate independently, and failure in either mechanism will mark the node
as failed.

Health Check Failure Detection: Up to 10 seconds.
Ping Failure Detection: Up to 10 seconds.
Connect Attempts: ProxySQL also tries to connect every 2 seconds, which
helps monitor connectivity.

These changes ensure that ProxySQL can detect issues in 10 seconds
as haproxy, significantly reducing downtime compared to default settings.
This adjustment enables faster and more reliable monitoring, improving system
stability and reducing potential downtime in production environments.

Change-Id: Ic28801519cdb35ed2387a1468b9df661847a5476

Followup on Ib69fc0017b3bfbc8da4dfd4301710fbf88be661a. This change
adds the ability to provide the NTP (time source) server for multiple
DHCP ranges in the Ironic Inspector DHCP server.

Change-Id: I4bbfef3a391b8582ae73cbe06138715b43584dec
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

This change adds the ability to configure Huawei backends in Cinder
as described in [1] by adding the additional configuration XML files
to the cinder-volume containers. However, this change does not
provide the default configuration options for the cinder.conf due to
the wide range of Huawei hardware that is supported. Operators may
also wish to configure multiple backends, so they should use the
standard method of overriding backend sections to use these XML
files, as described in [2].

1. https://docs.openstack.org/cinder/latest/configuration/block-storage/drivers/huawei-storage-driver.html
2. https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html#openstack-service-configuration-in-kolla



Implements: blueprint cinder-huawei-backend
Co-Authored-By: Juan Pablo Suazo <jsuazo@whitestack.com>
Co-Authored-By: Maksim Malchuk <maksim.malchuk@gmail.com>
Change-Id: Ic8624b2e956b1f48f5fb96d6d8a0150b67236d20
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

This patch resolves an issue where ProxySQL could not
bind due to incorrectly formatted IPv6 addresses in the
`mysql_ifaces` configuration. The kolla's
`put_address_in_context` filter is now used, ensuring
the addresses are properly enclosed in square brackets
for correct binding.

Closes-Bug: #2081106
Change-Id: Ic166b8d9a500023c8d23ec9fee03b28b268b26e7

Closes-Bug: #2081149
Change-Id: I9969492571e5e9864d4acb95b1af172264cfbd66

This patch removes the hardcoded `distro_python_version`
mapping and usage from the configuration and templates,
aligning with the dynamic Python version detection
introduced in the dependent patch below.

The changes simplify the kolla-ansible roles by using
general `python3` paths, ensuring compatibility across
distributions without requiring version-specific handling.

Template files for Horizon, Ironic, Skyline, and others
have been updated to reflect this,
improving maintainability and reducing complexity.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/926744
Change-Id: I85431b058b4184d96600cf17aaf8de871a018d61

This trivial fix simply consists of
adding the forgotten action after
the kolla-ansible was reworked in review [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/911417

Closes-Bug: #2080408
Change-Id: I26b5db3a3eeebd758ad05d9cb9aa689a68e1816f

From version 2.1, ProxySQL has a built-in ProxySQL
Prometheus exporter. This patch adds an option to
easily enable this exporter [1].

[1] https://proxysql.com/documentation/prometheus-exporter

Change-Id: I8776cdc0a6ec9e4e35a2424dd0984488514a711f

This patch fix issue when inventory file is deleted
by kolla-ansible -i /etc/kolla/inventory destroy call.

Now, inventories are available in tools/cleanup-host
so we can ignore their removal.

Closes-Bug: #2052706
Change-Id: If89e94356de515b40ca4e8c023979cd498146303

When using dnsmasq as a DHCP server, unless you use the noping option
(and that is not recommended), the NET_RAW capabilty is required so
that dnsmasq can send ICMP packets. These are used to check an address
is not currently in use[1].  Docker enables this capability by
default. Podman runs containers with a minimal set of capabilities[3].

[1] https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012840.html
[2] https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities
[3] https://github.com/rhatdan/common/blob/f39f2a3f8c7680b9e456b9d235570e511807d6c6/docs/containers.conf.5.md?plain=1#L84-L101

Closes-Bug: #2055282
Change-Id: Ib3a1313df680d91c7f008063937ca7d37e82f690

This is a prerequisite for patchset #924651

Nova runs checks before upgrading. A new nova_upgrade_checks container
is started for that purpose. This container uses the new nova-api
image, but the old config.json file. The image expects CA certificates
in a certain location, but due to the old config.json file, they will
not be present. This results in the container not trusting keystone SSL
certificate and the upgrade fails, since it can't connect. Moving the
config section before the checks ensures that the new container has
all the certificates it needs to connect to Keystone.

Also nova_enable_rolling_upgrade is no longed used, so there was no
point in keeping upgrade tasks split.

Change-Id: I44bf48fb86f639d7f0acb786392573ebfed7ee97
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>

Inner modules called by the kolla_toolbox module were returning stdout
and stderr as a single output object. This could break JSON parsing if
any data was present in stderr, for example warnings such as:

    [WARNING]: Collection ansible.posix does not support Ansible version 2.14.17

Fix by using demux=True to separate the two streams. The stderr content
is logged as it could be useful for troubleshooting or catching
deprecation notices.

Change-Id: Iad0476d4511f28c837794352c9a3e2f47113d9a1
Closes-Bug: #2080544

Add a new variable keystone_federation_oidc_claim_delimiter
to make this configurable for keycloak OIDC federation.

Closes-Bug: #2080394

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: If14285f033ed4914fd3b28d7efcc95e1c9f273a5

Commit [1] introduced a bug into kolla-ansible
where there is incorrect indentation in the haproxy
configuration file. This patch fixes it.

[1] https://github.com/openstack/kolla-ansible/commit/b13fa5a92cb6d768c5839bd11667e2ca72a7cd2f

Closes-Bug: #2080034
Change-Id: I3375e303bc358fc79d1fa2e219e6ec1dba7a38ba

Change-Id: Ie73d7eef294e9e579314a61b39382f3ff3ba4b4b
Closes-Bug: 2078973

Fixes issue in PodmanWorker where it didn't set KOLLA_SERVICE_NAME
environment variable when creating new container.
Additionally, two methods were moved from DockerWorker
to ContainerWorker as they are applicable to both engines.

Closes-Bug: #2078940
Change-Id: I273444fc828678d3c6803bce1bc8db1c5366b9b6
Signed-off-by: Martin Hiner <martin.hiner@tietoevry.com>

Build upon changes in kolla which change strategy of installing projects
in containers when in dev mode. This fixes problems where when package
file manifest changes, the changes were not reflected in to
devmode-enabled container.

It changes the strategy of installing projects in dev mode in containers.
Instead of bind mounting the project's git repository to the venv
of the container, the repository is bind mounted to
/dev-mode/<project_name> from which the it is installed using pip
on every startup of the container using kolla_install_projects script.

Also updates docs to reflect the changes.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/925712


Closes-Bug: #1814515
Singed-off-by: Roman Krček <roman.krcek@tietoevry.com>
Change-Id: If191cd0e3fcf362ee058549a1b6c244d109b6d9a

harden the TLS default config according to the mozilla
"modern" recommendation:

https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7



if you want to revert to the old settings, set:

kolla_haproxy_ssl_settings: "legacy" in globals.yaml
alternatively you can also set it to "intermediate"
for a middle ground between security and accessibility.

this also adjusts the glance and neutron tls proxy ssl settings
in their dedicated haproxy config templates to use the same mechanism.

also add some haproxy related docs to the TLS guide and cross reference
it from the haproxy-guide.

Closes-Bug: #2060787

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6

The prometheus-msteams project is no longer maintained [1]. As a result
support for deploying prometheus-msteams via kolla-ansible has been
dropped. Users are encouraged to migrate to the native Prometheus
Alertmanager integration with Microsoft Teams [2].

[1] https://github.com/prometheus-msteams/prometheus-msteams/issues/343
[2] https://prometheus.io/docs/alerting/latest/configuration/#msteams_config

Change-Id: I93d28ef138b4e784465f3a7eaa11101ea5877050

check if generated prometheus config is valid
via promtool.

This should help prevent bugs like:
https://bugs.launchpad.net/kolla-ansible/+bug/2076660

prior art: haproxy config validation:
https://review.opendev.org/c/openstack/kolla-ansible/+/922840



also add some basic documentation for the
`kolla-ansible validate-config` command.

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: Ief90861b2c422e0e6c2dd9cb605c94e86c0f2ba1

From OpenStack 2023.2 (Bobcat) the Pure Storage Cinder driver
supports NVMe-TCP as a dataplane protocol. This patch adds support
for this new driver type.

Change-Id: I3c0ad7652a03388ab2eafa173c644a55b0405cc6

This patch adds REQUESTS_CA_BUNDLE as it's described
in requests documentation [1].

This is needed because some ansible modules inside uses
python request library and some users of course using
their own CAs.

[1] https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification

Closes-Bug: #1967132

Change-Id: I901c2bc8ac477f15d2833e68566b19e437f4b6d1

This patch removes the nova_libvirt_secret container volume because
it is a complete antipattern, and during testing, I found that
it causes problems. When it was necessary to copy libvirt secrets
from /etc/kolla/nova-libvirt/secrets, the container logs reported that
the resource is busy - precisely because it was a mounted container
volume. This, of course, is unnecessary because the secrets are copied
to the kolla host in /etc/kolla/nova-libvirt/secrets.

Closes-Bug: #2073678
Change-Id: I715a6a95f9d32d62a8199727ddbaddd0dd7baa2d

This change fixes a bug in the prometheus.yml template which breaks
alertmanager configuration

Closes-Bug: 2076660
Change-Id: I9adf34747a22d7d5aef31fad3f68f7880e18f022

The variable kolla_same_external_internal_vip in group_vars/all.yml
was set to true or false depending on the jinja2 equality operator
- == - which only checks if two objects are the same.

This is problematic because IPs can be the same but have different
string representations, e.g. leading zeroes in some octets, but still
repesent the same instance of an IP.

Example: 192.168.1.1 and 192.168.001.001 are the same.

Fix this, by using the ansible.utils.ipaddr() jinja2 filter instead
to increase robustness.

Closes-Bug: #2076889
Introduced-By: https://review.opendev.org/c/openstack/kolla/+/285005



Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: Ied43b9d0c4b33bb514d367f3f99c2e30e104d139

Required before a SLURP upgrade

Change-Id: I09a45d26a6075554b204e007f64122f23de5f53c

For possible config options see docs
https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html#memcache-protection



Closes-bug: #1850733
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>
Change-Id: I169e27899f7350f5eb8adb1f81a062c51e6cbdfc

By default, the watch timer in Fluentd is set to True.
To save CPU and I/O consumption this can be set to False, which
kolla-ansible has been hardcoding so far.

When the watch timer is disabled, in_tail relies entirely
on inotify. In certain constellations, this may not work
reliably. In these cases, the watch timer needs to be activated, so this
change adds a variable to make the setting configurable.

Change-Id: Ic8ce6fbc3ed8f31d5d090e114b35703532679729

Change I60162b54bc06e158534d29311d4474b34750c64d
removed the '/v3' suffix from horizon_keystone_url variable,
but the version is needed for some operations.
This patch fixes the "Change password" Horizon function
until Horizon bug #2073639 is resolved.

Closes-Bug: #2073159
Change-Id: I6ff46b47e9109d0757f2e5ce8019ba591b9892e1

A host that is in the manila-share group, but not in controllers
network, etc., will fail service deployment if it is not using the
generic manila driver (eg, if it is using the CephFS native driver).
This is because deployment of openvswitch-vswitchd is predicated on
the drivers enabled for manila-share.  However, this predicate is not
universally applied.  Where inventory group membership is used the
dependency on openvswitch-vswitchd presence will fail.

Closes-Bug: #1993285

Change-Id: I821e513d24f2a1c59240d65ad68c3b5f2080e439

Adapt files to match new requirements, add assertIn to whitelist

Change-Id: I516bbbb3a0f194e8fa08d04c0290b586963b8b55