Closes-Bug: #1866727
Change-Id: I455ef6026b39110791cd38dac053205550af1ce2

Change-Id: I68a40bebc174e8ebdaea36a0689b34cadb9009d2
Closes-bug: #1865840

The logrotate rotation interval and count are not configurable.
Currently, the configuration is a "default" that keeps 6 weeks of logs.

Change-Id: I4f55ee2a98f7861cb8de2724f5edc32da6d2f9ee

Change-Id: I1439aa923a9129b752abb4acfb88559930b2178a

Closes-Bug: #1864856
Change-Id: I725eeb18a22b3fa7838f16761d19f7e699ab5e82

Backport to: Train.

Change-Id: Ide96ea43739d47e623026f0aecd4163f3a2abe7f
Closes-bug: #1864615

Reno was missing in change https://review.opendev.org/#/c/708114/

Change-Id: I909ddf1f33634e4fe1fd05931eee69b12d57778a

Service configuration urls should be constructed using
kolla_internal_fqdn instead of kolla_internal_vip_address. Otherwise SSL
validation will fail when certificates are issued using domain names.

Change-Id: I21689e22870c2f6206e37c60a3c33e19140f77ff
Closes-Bug: 1862419

Change-Id: I9aa211ceefe7ad3524323be837ec090969f94557

Per http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012646.html

Deprecates support for deploying with Hyper-V integrations.
In Victoria support for these will be removed from Kolla Ansible.

This is dictated by lack of interest and maintenance.

Change-Id: Ic214699e0e501868e453c76929eef740e92ab90f

Currently we have a very wide /run mount for all Neutron/OVS services,
which allows sudo/rootwrap to contact with the hosts dbus - all symptoms
are documented in the related bug.

Since we use tcp connections to OVS from Neutron agents - removing
bind mounts.

Closes-Bug: #1861792

Change-Id: Ifee4bec7b2e9ef4e2d624b1411f1a9e6332325c6

This daemon is an additional piece of functionality supported by Gnocchi
and the general pattern in KA is to disable such things unless the user
explicitly wants them. This also helps avoid having to set the
resource_id, user_id, and project_id variables for Gnocchi if you don't
care about this daemon.

Change-Id: I5f14cee4b0bb0d781b1ff53200d11de972d20c82

This allows you to tune the performance of InfluxDB by locating the
volume on a drive that is separate to the default docker storage.

Change-Id: Iea555a2702b225b30f5d7035b8a703d4f3376ee7

Change-Id: I26206bece95d31c0182e75f2a585c50d6f0fad6f

Make it require uniqueness of resolution as well to avoid later
issues with RabbitMQ going crazy.

Change-Id: I000ba6c62ab44eac0abdf8d5d1f069adfbc6552f
Closes-bug: #1863363

It looks like the only missing part was the actual mount of
/lib/modules

Now Cinder Backup volumes differ from Cinder Volume volumes only
by /etc/target which is not relevant (Cinder Backup does not
provide a target).

Change-Id: Iccf4298c4f9306eb0a95b6712815778555ef44fc
Closes-bug: #1863094

Change-Id: I4f553bd0888e200ddf744604c5029e67a95ee2cd
Closes-bug: #1863041

line from /etc/hosts

Ubuntu always uses 127.0.1.1 for that with some tricky sauce
around `hostname` depending on whether it contains '.' or not.
And when I mean `hostname` it's the one returned by `hostname`
command with no arguments.

ansible_hostname is always a single word so we can match on that.

I did not want to remove just any 127.0.1.1 in case someone
is using it for other purposes. :-)

Change-Id: I8bd3d42a5e3bd0f63336ed60a0af90d52b1650d6
Closes-bug: #1862739

By default api_interface is set to public, masakari-monitor
on compute nodes should communicate via the internal API to
reach masakari-api.

Change-Id: I454f44e57d7b17d93d4aefc4cbbed93aefe874b1
Closes-Bug: #1858431

Kolla-Ansible Ceph deployment mechanism has been deprecated in Train [1].

This change removes the Ansible code and associated CI jobs.

[1]: https://review.opendev.org/669214

Change-Id: Ie2167f02ad2f525d3b0f553e2c047516acf55bc2

to clean old keys on merge.

Change-Id: Ifcc99e7c737707eea9e951db066dc94fd85bd9f7

Since version 1.2.2, InfluxDB uses 0 (unlimited) as default value for
[http]/max-row-limit [1].

Using the default value resolves an issue with the CloudKitty v1 API
returning only 10000 dataframes.

[1] https://docs.influxdata.com/influxdb/v1.7/about_the_project/releasenotes-changelog/#v1-2-2-2017-03-14

Change-Id: I6eb8c1216e3a9295b7d8cb7fbcbb8778ae7caf7e
Closes-Bug: #1862358

Remove the {meta} from the default settings in the account, container
and object services templates.

Change-Id: I079fddf8feb020bed93bf44b8aaec0882823e15c
Closes-Bug: #1862058

The old script name was 'python3-gnocchi-api'. It should be
'gnocchi-api' anymore.

Closes-Bug: #1861688

Change-Id: I78fb248859b43dc1636133dadc036028388ab564

There are cases when a multinode deployment ends up in unusable
keystone public wsgi on some nodes.

The root cause is that keystone public wsgi doesn't find fernet
keys on startup - and then persists on sending 500 errors to any
requests - due to a race condition between
fernet_setup/fernet-push.sh and keystone startup.

Depends-On: https://review.opendev.org/703742/
Change-Id: I63709c2e3f6a893db82a05640da78f492bf8440f
Closes-Bug: #1846789

ceph.conf is loaded by qemu, not libvirt.
Since qemu runs as the nova user, ceph.conf owned by root
causes a permission error. The logs in
/var/log/libvirt/qemu/instance-*.log reveal the error.

This change fixes the issue by changing the ownership of ceph.conf
in nova-libvirt to the nova user.

Closes-Bug: #1861513
Change-Id: I1881f51a6c8508f0f186a5623443343dc1df41d4
Signed-off-by: Ning Yao <yaoning@unitedstack.com>

To make the configuration easier for the user, and to allow non-standard
ceph authentication ids - introduce ceph_*_user variables.

Change-Id: I24e01c43c826b62b6748d93a498f4b7d8ce9e309

Placement only needs its listen port to be free. During the Placement
split from Nova in commit 2fc6d4cf the wrong variable got moved into
precheck for Placement, this fixes it.

Change-Id: I71e3607c50110763259bfcd70ffb2f4c76e27f62
Closes-Bug: #1861189

Generate both internal and external self signed TLS certificates.
Duplicate the certificate if internal and external VIPs are the same.

Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74
Partially-Implements: blueprint custom-cacerts

Delegate executing uri REST methods to the current module containers
using kolla_toolbox. This will allow self signed certificate that are
already copied into the container to be automatically validated. This
circumvents requiring Kolla Ansible to explicitly disable certificate
validation in the ansible uri module.

Partially-Implements: blueprint custom-cacerts

Change-Id: I2625db7b8000af980e4745734c834c5d9292290b

When kolla_copy_ca_into_containers is set to "yes", the Certificate
Authority in /etc/kolla/certificates will be copied into service
containers to enable trust for that CA. This is especially useful when
the CA is self signed, and would not be trusted by default.

Partially-Implements: blueprint custom-cacerts

Change-Id: I4368f8994147580460ebe7533850cf63a419d0b4

This change introduces prune-images command.

Uses docker_prune module of Ansible that comes with version 2.8.

Depends-On: https://review.opendev.org/#/c/699333/

Implements: blueprint docker-image-pruning

Change-Id: Icbf374dd50e1cc1f1604bb4fa779b34279efd50c

Introduce user modifiable variables instead of fixed-names
of Ceph keyring files for external Ceph functionality.

Change-Id: I1a33b3f9d6eca5babf53b91187461e43aef865ce

These affected both deploy (and reconfigure) and upgrade
resulting in WSREP issues, failed deploys or need to
recover the cluster.

This patch makes sure k-a does not abruptly terminate
nodes to break cluster.
This is achieved by cleaner separation between stages
(bootstrap, restart current, deploy new) and 3 phases
for restarts (to keep the quorum).

Upgrade actions, which operate on a healthy cluster,
went to its section.

Service restart was refactored.

We no longer rely on the master/slave distinction as
all nodes are masters in Galera.

Closes-bug: #1857908
Closes-bug: #1859145
Change-Id: I83600c69141714fc412df0976f49019a857655f5

To use an iSCSI Cinder backend as its store, glance_api must run
privileged and have /dev and /etc/iscsi properly mounted

Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: I988d3c9d0564483440ae17203ad88a8049abbea4
Closes-Bug: #1855695

Since [1] nova-compute uses rbd python library instead of libvirt to cleanup
volumes and get pool info - so it requires cinder keyring on filesystem.

In external ceph case it is often that nova key does not exist (is simply a copied
cinder key) and the rbd user is set to cinder - therefore the earlier mentioned
operations will fail due to a missing keyring on the filesystem.

[1]: https://review.opendev.org/#/c/668564/

Change-Id: Idef21dc5f7e9ff512bc8920630a3de61a1e69eee
Backport: train
Closes-Bug: #1859408

Include a reference to the globally configured Certificate Authority to
all services. Services use the CA to verify HTTPs connections.

Change-Id: I38da931cdd7ff46cce1994763b5c713652b096cc
Partially-Implements: blueprint support-trusted-ca-certificate-file

This patch mounts the kolla_logs volume into the Elasticsearch
container so that logs are no longer written to the container
filesystem. It is up to the user to migrate any existing logs
into the kolla_logs volume, if they so desire.

Closes-Bug: #1859162
Change-Id: Ia1743e202e310fc88a61476c80eadf3855256c20

For the CentOS 7 to 8 transition, we will have a period where both
CentOS 7 and 8 images are available. We differentiate these images via a
tag - the CentOS 8 images will have a tag of train-centos8 (or
master-centos8 temporarily).

To achieve this, and maintain backwards compatibility for the
openstack_release variable, we introduce a new 'openstack_tag' variable.
This variable is based on openstack_release, but has a suffix of
'openstack_tag_suffix', which is empty except on CentOS 8 where it has a
value of '-centos8'.

Change-Id: I12ce4661afb3c255136cdc1aabe7cbd25560d625
Partially-Implements: blueprint centos-rhel-8

Maximum supported version is set to 2.9

Updated the minimum supported version to 2.8

Implements: blueprint ansible-max-version

Change-Id: I97cc95e37f49886e6d74f2d5a789b923b14b5a2d