Fix existing spelling errors

Change-Id: Ie689cf5a344aaa630a4860448b09242333a8e119

It's needed for Python3.12 support, because imp has been dropped [1].

Also shlex dropped s=None support [2].

[1]: https://docs.python.org/3/whatsnew/3.12.html
[2]: https://github.com/python/cpython/issues/94352

Change-Id: I23f37897ea08ac708f6df485f699122df647e552

Closes-Bug: #2058615

[1]: https://github.com/docker/cli/blob/v26.0.0/docs/deprecated.md#container-and-containerconfig-fields-in-image-inspect

Change-Id: I96ec812a482f017a48d978586c6f535fedd5fbe8

This patch fixes ovs-dpdk script as options
in DPDK changed and PCI whitelist config changed
from '-w' to '-a' as per [1].

[1] https://github.com/DPDK/dpdk/commit/db27370b57202632ad8830352c1c0ee2dde4542f

Closes-Bug: #2058372
Change-Id: Iae812a4a255c13a42b2d6a691e265922d220f4c8

Closes-Bug: #1998417

Change-Id: Ib6c725880caaa7f39bb269bd8398f3894eb033c5

Closes-Bug: #2058046
Change-Id: I9304f3546b20c0406e195163dccb1433fe802204

Change-Id: Iab40eb92c7e4a9092471bef9d4477a4fa34f1c85

This way the playbooks won't try to set ipv6 systemctl options
unless ipv6 is available on the system.

Closes-bug: #1906306
Change-Id: Icccfc1c509179c3cfd59650b7917a637f9af9646

Closes-Bug: #2057676

Change-Id: I9e0287a4e80b1ebcecf9e3b66c11d4233970a30b

This patch fixes ovs-dpdk images pull by adding
the variable kolla_role_name to the ovs-dpdk vars, so
services-image-pull can work correctly.

Closes-Bug: #2041864
Change-Id: I2e799290a57ebfacbc0ff9a0b1ca3dc956c513df
Signed-off-by: German Espinoza <gespinoza@whitestack.com>

Change-Id: I0a086c59076120aa53e6a05526dbab88e393c1c7

This patch fixes the creation of the openvswitch
bridge by fixing an ansible task that was rewritten
to use an ansible module, but unfortunately, its loop
was implemented incorrectly.

Closes-Bug: #2056332
Change-Id: Ia55a36c0f9b122b72d757ca973e7d8f76ae84344

Tooz 6.0.1 includes commit [1], which introduced
parsing the username from the Redis connection URL.
As a result, services started authenticating as admin
which, by the way, was incorrect even before, as either
a created user or the default one should have been used.

The reason it worked before is simply because the username
'admin' wasn't parsed anywhere.

This patch fixes the user being used and sets the correct
'default' one.

[1] https://review.opendev.org/c/openstack/tooz/+/907656

Closes-Bug: #2056667
Depends-On: https://review.opendev.org/c/openstack/kolla/+/911703
Change-Id: I5568dba15fa98e009ad4a9e41756aba0fa659371

As per [1].

[1]: https://rabbitmq-website.pages.dev/docs/feature-flags

Depends-On: https://review.opendev.org/c/openstack/kolla/+/911093

Change-Id: Ib5bfc99a5023e4b949c1ea38eca9bfd1ea9cd633

Change-Id: I84cc5ce25da2fcfe4f284d8b3197f40d3a6d7ce1

This is useful for backwards compatability.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/909865
Change-Id: Ib2936580db5e7ab3479722bc353c39063010b5f2

These were omitted from I387c9d8f5c01baf6054381834ecf4e554d0fff35 and
I387c9d8f5c01baf6054381834ecf4e554d0fff35.

Closes-Bug: #2041855
Change-Id: I25e5450d1caeebd9c900c190fc0079988f1ca574

This reverts commit d77372e8.

Reason for revert: service role support has been fixed in Ironic [1]
and added to Kolla-Ansible.

[1] https://review.opendev.org/c/openstack/ironic/+/907148

Closes-Bug: #2051837

Change-Id: I49664e3a353f54e0d51f454c552a78846ba64101

Ironic enabled secure RBAC with system scoped enforcement [1].

Some API calls, for instance 'baremetal:driver:get' needs system
scope role by design [2], even with elevated access project scope
service role [3].

[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] https://opendev.org/openstack/ironic/src/commit/8ec56066223301230ac0ed0f0c471a10d366b474/ironic/common/policy.py#L1349-L1357
[3] https://review.opendev.org/c/openstack/kolla-ansible/+/908007

Related-Bug: #2051837

Change-Id: Id6313d7dd343b82d4c9ccf7bf429d340ea0e93d1

Add the service role to ironic service users. Ironic recently enforced
new policy validation as part of the RBAC efforts. [1][2]
Service user support was also added to Ironic. [3]
Admin role needs to stay as not all services added service role support. [4][5]

[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst#phase-2
[3] https://review.opendev.org/c/openstack/ironic/+/907148
[4] https://review.opendev.org/q/topic:bp%252Fpolicy-service-role-default
[5] https://review.opendev.org/q/topic:%22New-Location-Apis%22

Related-Bug: #2051837
Change-Id: I048402c2247188cf57f35437f557f84ac25d4ff2

Ironic recently started to enforce new policies and scope [1].
And Ironic is one of the sole openstack project which need
system scope for some admin related api calls [2].
However Ironic also started to allow project-scope behaviour
for service role with setting
``rbac_service_role_elevated_access``[3] [4]. This change enables
this setting to get similar behaviour of service role as other
openstack projects.

[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst?display=source#L261
[3] https://review.opendev.org/c/openstack/ironic/+/907148
[4] https://opendev.org/openstack/ironic/src/commit/8ec56066223301230ac0ed0f0c471a10d366b474/releasenotes/notes/service-project-service-role-fix-e4d1a8c23856926a.yaml

Related-Bug: #2051837

Change-Id: If8d7cf1663145d0398a2e936486e2b316d4df5e0

In order to do this - we need to add service role to Nova and Cinder.

Closes-Bug: #2049762

Change-Id: Ic121bf9f90c9865cd4d08890c80247570ef310ae

Fixes not being able to add additional plugins at build time due to the
`grafana` volume being mounted over the existing `/var/lib/grafana`
directory. This is fixed by copying the dashboards into the container
from an existing bind mount instead of using the ``grafana`` volume.
This however leaves behind the volume which should be removed with
`docker volume rm grafana` or by setting `grafana_remove_old_volume` to
`True`.

Closes-Bug: #2039498
Change-Id: Ibcffa5d8922c470f655f447558d4a9c73b1ba361

New horizon release use [1] for cache backend
instead of [2] as it was in previous versions.

This patch:

1. Removes override from config and
   configure only memcached endpoints, not backend
   specification itself. This will avoid bugs
   in future in case BACKEND will be switched again.

2. Remove 'memcached' context from kolla_address filter
   and use 'url' as [1] don't support inet6:[{address}]
   for ipv6 but supports [{address}] which 'url' provides.

[1] django.core.cache.backends.memcached.PyMemcacheCache
[2] django.core.cache.backends.memcached.MemcachedCache

Change-Id: Ie3a8f47e7b776b6aa2bb9b1522fdd4514ea1484b

This patch implements horizon's preferred way how
to configure itself described in docs [1],

[1] https://docs.openstack.org/horizon/latest/configuration/settings.html

Depends-On: https://review.opendev.org/c/openstack/kolla/+/906339
Change-Id: I60ab4634bf4333c47d00b12fc4ec00570062bd18

That is the ovs-vsctl default but Ansible module is failing in
reconfigure step - and secure breaks external connectivity in
OVN.

From OVS docs:
fail_mode: optional string, either secure or standalone

When  a controller is configured, it is, ordinarily, responsible
for setting up all flows on the switch. Thus, if the  connection
to  the  controller fails, no new network connections can be set
up. If the connection to the controller stays down long  enough,
no  packets can pass through the switch at all. This setting de‐
termines the switch’s response to such a situation.  It  may  be
set to one of the following:

standalone
    If  no  message is received from the controller for three
    times  the  inactivity  probe  interval   (see   inactiv‐
    ity_probe), then Open vSwitch will take over responsibil‐
    ity for setting up flows.  In  this  mode,  Open  vSwitch
    causes  the  bridge  to act like an ordinary MAC-learning
    switch. Open vSwitch will continue to retry connecting to
    the controller in the background and, when the connection
    succeeds, it will discontinue its standalone behavior.

secure 
    Open vSwitch will not set up flows on its  own  when  the
    controller  connection  fails  or when no controllers are
    defined. The bridge will continue to retry connecting  to
    any defined controllers forever.

The default is standalone if the value is unset, but future ver‐
sions of Open vSwitch may change the default.

Change-Id: Ica4dda2914113e8f8349e7227161cb81a02b33ee

This patch adds check_mode: false to tasks
in restart_services.yml which just checking
some WSREP status and if port is UP.

Closes-Bug: #2052501
Change-Id: I92a591900d85138a87991a18dd4339efd053ef1b

Change-Id: Iaf337c4a44bf065e96d6f30598e519ffc78de554

The purpose of this patch is to make it easier to
review changes, because renaming and changing the
file in one patch will generate diff when the entire
file will be deleted on the one hand and new file
(actually just renamed) will be new on the other hand,
which is hard to review.

Change-Id: I17a16ce746faa8898a457cadbb6f996f964a5b6f

It's been introduced in [1] and seems to be used by ovn-controller.

[1]: https://patchwork.ozlabs.org/project/openvswitch/patch/1458866450-1967-1-git-send-email-russell@ovn.org/

Change-Id: I90e91f2923d58eb3c70e8d6efdc4e1212fbdc14f

Closes-Bug: #2051731
Change-Id: Idf035bacbf5c2195d813ec4702362897f2ff907d
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

Ironic started enforcing new RBAC policies [1]. Kolla/Kayobe
CI jobs are failing, as K-A doesn't have service role support.
Moreover Ironic RBAC is not yet stable enough [2].
Disable enforcing new policies until fix merges and Kolla
Ansible service role support is added.

[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] https://review.opendev.org/c/openstack/ironic/+/907148

Related-Bug: #2051837

Change-Id: I424cff6ac96dfe0dd5dc58afca2b785f494c9f02

Closes-Bug: #2049607

Change-Id: I14ae2be2e19ad06e3190e2e948bac7ce77e80d4b

This patch basically does a simple thing, on the basis
of a variable neutron_dns_integration it enables/disables
DNS integration.

There is also precheck added which checks whether dns_domain
in neutron.conf has a non-default value if DNS integration is
enabled as this is requirement.

[1] https://docs.openstack.org/neutron/latest/admin/config-dns-int.html
[2] https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html#config-dns-int-ext-serv

Closes-Bug: #2049503

Change-Id: I90f0f8dcec6fa0112179f050d96e9d9db5956cf8

This patch disables periodic compute.instance.exists
notifications when designate is enabled.

Related-Bug: #2049503
Change-Id: I39fe2db9182de23c1df814d911eec15e86317702

Service user passwords will now be updated in keystone if services are
reconfigured with new passwords set in config. This behaviour can be
overridden.

Closes-Bug: #2045990
Change-Id: I91671dda2242255e789b521d19348b0cccec266f

Change-Id: Ib0325c12cf965e7df7c1ac6b17ca87187a4cb91d

As horizon is now using Django 4 after a recent requirements update, we
need to clean our config from settings that were long deprecated and now
no longer work.

[0] https://review.opendev.org/c/openstack/horizon/+/891828
[1] https://review.opendev.org/c/openstack/horizon/+/827092

Change-Id: I47533a2ad436578c98503284c25db4fd51896506

This reverts commit f8d4db54.

Reason for revert: Zun was deprecated due to the hard dependency on old version of docker and etcd. Right now, the problem was fixed.

Change-Id: I9fe760e2b9b774b5ea623e6b305de004fc0c6dd2

* Remove docker's cluster-store option. This option was removed from
  the latest version of docker so we removed it.
* Switch kuryr's capability_scope from "global" to "local". The "global"
  scope relies on a cluster store but docker no longer supports it.

Change-Id: Ie62396184552938d099223f9d325a41c9a5067c3