- Oct 20, 2022
-
-
Michal Arbet authored
By default ProxySQL's default value of max_replication_lag is 0 which is in fact disabling this feature [1]. If it is greater than 0, ProxySQL will regularly monitor replication lag and if it goes beyond the configured threshold it will temporarily shun the host until replication catches up. This should be configurable via kolla-ansible as every openstack deployment can be different in terms of network delays, database load etc., so the user should have the option to configure when the database backend will be shunned. [1] https://proxysql.com/documentation/main-runtime/ Change-Id: I66171638abc712cb84b380042f1d29f54c499e73
-
- Oct 12, 2022
-
-
Piotr Parczewski authored
Adds a deprecation notice for Monasca service together with its dependencies: Kafka, Storm and Zookeeper. Change-Id: Ia9daf170ce9157edb2132c69ee6a923bc4d6f980
-
- Oct 07, 2022
-
-
Radosław Piliszek authored
By resetting image_upload_use_cinder_backend to upstream default. When uploading volume to glance image, cinder looks at the backend's image_upload_use_cinder_backend config knob to decide whether to try to link the glance image to a cloned volume made by cinder, i.e. by doing all work locally and only updating glance's locations for the image (when the knob is set to True). However, after all [1], [2] and [3], which happens since Victoria, this option requires further config from user (using volume type with image_service:store_id property (aka extra spec) set to the desired glance store (even if there is only one cinder store configured)). Please read the bug report as to why the option removal is the best option (TL;DR it is the most compatible approach). [1] https://review.opendev.org/c/openstack/kolla-ansible/+/708114 [2] https://review.opendev.org/c/openstack/glance_store/+/746556 [3] https://review.opendev.org/c/openstack/cinder/+/661676 Closes-Bug: #1991516 Change-Id: Ife87ee0241d907a0c407eb21811a354ed1734408
-
Radosław Piliszek authored
This is generally considered insecure because it may reveal sensitive data [1]. Furthermore, it happens that the default Ceph perms cause fatal ERRORs with this setting: 1) when Glance wants to remove an image, it cannot list children because Cinder or Nova might have created a linked volume clone behind the scenes and it is put in another pool (volumes/vms) which Glance cannot normally access; 2) when Nova wants to create an image, it lacks permissions to write to the images pool. Thus, I propose that Kolla Ansible stops setting this by default and relies on the working defaults. The downside is that this disables optimisations in Cinder and Nova. On the other hand, these optimisations have nasty behaviour of being linked directly to the original image, preventing its removal. [1] https://docs.openstack.org/glance/yoga/configuration/glance_api.html#DEFAULT.show_multiple_locations Change-Id: I63ee9a6eefd8593f2169bba34dbb699f413d7cf8 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860093 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860291 Closes-Bug: #1992153
-
- Oct 03, 2022
-
-
Serhat Rıfat Demircan authored
Currently kolla-ansible sets haproxy balance algorithm to source for horizon. We can set it to round-robin if the cache backend is memcached or using the database as the session storage backend. So we can distribute http requests evenly to all available horizon instances. Closes-Bug: #1990523 Change-Id: I0721cadcf53d59947bc0db6a193bfafe49c41ad3
-
Jakub Darmach authored
JWT failed to validate on auth-oidc endpoint used by openstack cli with "could not find key with kid: XX" error. To fix this we need to use jwks provided in "jwks_uri" by OIDC metadata endpoint. Missing "ServerName" directive from vhost config causes redirection to fail in some cases when external tls is enabled.
  - added "keystone_federation_oidc_jwks_uri" variable
  - added "OIDCOAuthVerifyJwksUri" to keystone vhost config
  - added "ServerName" to keystone vhost config
  - jinja templating additional whitespace trimmed to correct end result indentation and empty newlines
Closes-bug: 1990375 Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
-
- Sep 30, 2022
-
-
Pierre Riteau authored
With this option enabled, dnsmasq can offer the same IP address to multiple hosts when their requests are close to each other. Remove this option in order to use the built-in hashing mechanism which will allocate random IP addresses, which should be less likely to conflict. Closes-Bug: #1991390 Change-Id: I09a9fa2d0c54635b899ad7906cc2e2e4580ef5ad
-
- Sep 29, 2022
-
-
Radosław Piliszek authored
Change-Id: Ia8acdf69cb3676ec939777c32f0568cb720c471f
-
- Sep 27, 2022
-
-
Radosław Piliszek authored
Change-Id: Ic89097fdc72d4fa11754201ed6e388bf79ca40b6
-
- Sep 26, 2022
-
-
Michal Arbet authored
Bind9 is running without a limit for UDP listeners. This patch is changing this behaviour and sets a maximum of 32 UDP listeners. This is needed because of bug below [1]. [1] https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1827923 Change-Id: Ie4c2ac4d5e990ebdc30c3a94d855703d814f1fee
-
Radosław Piliszek authored
The admin endpoint is kept on upgrade to allow the upgrade to happen (as it allows to rewrite the previous admin endpoint entry to the new one). Change-Id: I1c16892bab67f281d539843f1f0fa658df1c4874 Depends-On: https://review.opendev.org/c/openstack/kolla/+/854837
-
Radosław Piliszek authored
Kolla Ansible stopped setting them as they turned out to be unnecessary for its operations, yet may have conflicted with security policies of the hosts. [1] [2] [1] https://launchpad.net/bugs/1837551 [2] https://launchpad.net/bugs/1945453 Change-Id: Ie8ccd3ab6f22a6f548b1da8d3acd334068dc48f5
-
Pierre Riteau authored
The correct option to use is valid_interfaces [1], not os_endpoint_type. [1] https://docs.openstack.org/networking-baremetal/latest/configuration/ironic-neutron-agent/config.html#ironic Closes-Bug: #1990675 Change-Id: I35e7d3072c6340f4ecbe02f8961158bcb663954e
-
Pierre Riteau authored
Closes-Bug: #1990819 Change-Id: I12c451077114b77b11810f25eb5b6187cdf08ad9
-
- Sep 09, 2022
-
-
Piotr Parczewski authored
Remove hard-coded internal address; introduce variable to control external web url. Closes-bug: #1972817 Change-Id: Ib834a9f8b4a0238960dca65b2ebc1da840cec626
-
- Sep 05, 2022
-
-
Stig Telfer authored
Fluentd has a default timeout of 5s for flushing data to ElasticSearch. If there is a significant backlog of unsent log messages, this timeout can be exceeded, resulting in Fluentd failing to make further progress. Raise the default timeout to 60s. This patch adopts the configuration parameters previously proposed by Krzysztof Klimonda. Closes-Bug: #1983031 Closes-Bug: #1896611 Change-Id: I1aaab654a5a0752fccef2cfb8cc0bde4a0ee2562
-
- Aug 31, 2022
-
-
Franco Mariotti authored
Signed-off-by: Franco Mariotti <fmariotti@whitestack.com> Change-Id: Ie151cd97d3e0ba3bfec9e95a5b8bdfef0b54806c
-
- Aug 29, 2022
-
-
Pierre Riteau authored
Closes-Bug: #1987866 Change-Id: Iaf352a15b9e6c9607e0d33c803c132d9267ca727
-
LinPeiWen authored
In a multi-controller node, the presence of "run_once: True" and "when: inventory_hostname == groups['keystone'][-1]" will cause the task to be skipped. Closes-Bug: #1987982 Change-Id: I6a8f4ca285cda0675711b631aeed7ae4c992d879
-
Pierre Riteau authored
Instead of specifying a custom member list for each service that should be configured as active/passive, a new `active_passive` parameter can be set to true. This only works if `custom_member_list` is not used. Change-Id: I3758bc2377c25a277a29f02ebc20c946c7499093
-
- Aug 26, 2022
-
-
Radosław Piliszek authored
This avoids root privileges in tftpd's unprivileged container. Change-Id: I50366205c9cefe2af26c27580c02368f029b7605
-
- Aug 22, 2022
-
-
Michal Arbet authored
This change enables the use of Docker healthchecks for mariadb-server service. Depends-On: https://review.opendev.org/c/openstack/kolla/+/805613 Change-Id: I893687a0501ea0f281b879df3141a354bff9eca6
-
- Aug 17, 2022
-
-
Will Szumski authored
This allows you to use a more descriptive name if you desire. For example, when using cinder with multiple ceph backends, rbd-1 doesn't convey much information. You could include location, disk technology, etc. in the name. Change-Id: Icfdc2e5726fec8b645d6c2c63391a13c31f2ce9a
-
- Aug 10, 2022
-
-
Pierre Riteau authored
This can be used to forward Prometheus Alertmanager notifications to Microsoft Teams. Change-Id: I563f2438b3cb0895606b029b5269ce2e50c413e3 Depends-On: https://review.opendev.org/c/openstack/kolla/+/812678
-
- Aug 03, 2022
-
-
Radosław Piliszek authored
This patch follows upstream and disables linuxbridge testing. Users are notified of the situation via the release note. Change-Id: I524682ceb5287c14ef0ba99baae0c081850f4c5e
-
- Aug 02, 2022
-
-
Mark Goddard authored
Bifrost supports enabling TLS for the services it deploys, as well as generating a self-signed TLS certificate. Let's use it. Change-Id: I2a60ec780c37895e810cdba65bb485d0986a196d
-
Mark Goddard authored
By default Bifrost generates passwords for use by services, and stores them in files in /root/.config/bifrost/ in the container. This directory is not persistent, so the passwords are lost if the container is recreated. This is generally not a problem, because recreating the container is generally done when redeploying Bifrost, and new passwords will be generated and written to configuration files. However, if you access the Ironic or Inspector APIs outside of the Bifrost playbooks, the credentials will have changed. This change fixes the issue by persisting the credentials directory in a Docker volume. Note that applying this change will cause existing credentials to be removed. Closes-Bug: #1983356 Change-Id: I45a899e228b7634ba86fab5822139252c48a7f07
-
- Jul 28, 2022
-
-
Victor Chembaev authored
Closes-Bug: 1982777 Change-Id: Ic752b981041b233ab55d5b9abef667b21b47857d
-
- Jul 27, 2022
-
-
k-s-dean authored
This change introduces automated configuration of firewalld and adds a new filter for extracting services from the project_services dict. The filter selects any enabled services and their haproxy element and returns them so they can be iterated over. This commit also enables automated configuration of firewalld from enabled openstack services and adds them to the defined zone and reloads the system firewall. Change-Id: Iea3680142711873984efff2b701347b6a56dd355
-
Radosław Piliszek authored
Change-Id: I63673761959a560e97c848f092f086ceba25839a
-
Michal Nasiadka authored
This reverts commit 73fc230f. Reason for revert: CI jobs failing with "msg": "{{ s3_url }}: 's3_url' is undefined" Change-Id: Iba7099988cea0c0d8254b9e202309cd9c82a984d
-
- Jul 21, 2022
-
-
Sergei Raiskii authored
Added options to configure S3 cinder backup driver, so cinder backup can use S3 storage, for safekeeping backups. Change-Id: Id6ff6206714581555baacecebfb6d8dd53bed8ac
-
- Jul 20, 2022
- Jul 12, 2022
-
-
Christian Berendt authored
To use notifications with ironic, the notification_level option in the [DEFAULT] section of the configuration file must be set; we use ``info`` as a reasonable level. Closes-Bug: #1969826 Change-Id: I38bb1e5404e917c788689a3181741022f875da06
-
- Jul 07, 2022
-
-
Pierre Riteau authored
Change-Id: I6d9ee98912120b9ece60ee22c7b0ad71dab8ed30
-
- Jul 06, 2022
-
-
Mark Goddard authored
In a multi-region environment without a local keystone, we should still use authentication. Change-Id: I9df0ddf6e0d56f0817256b07ae0a0a7021209663
-
- Jun 27, 2022
-
-
Pierre Riteau authored
Change-Id: Iaf6bf36ae0adce3342981c36c859fc138b172f6b
-
- Jun 24, 2022
-
-
Christian Berendt authored
With the ironic_http_interface/ironic_http_interface_address parameters it is possible to set the addresses for the ironic_http service. Change-Id: I72c257ebedf283cdef1b98485a576631e2190657
-
- Jun 23, 2022
-
-
Pierre Riteau authored
Starting from v1.5.0 of the exporter, OS_COMPUTE_API_VERSION can be set to configure the Nova API version to be used [1]. Microversion 2.1 can be used to keep metrics unmodified from the previous exporter version deployed by Kolla (v1.3.0). Support it with prometheus_openstack_exporter_compute_api_version, defaulting to using the latest version. [1] https://github.com/openstack-exporter/openstack-exporter/pull/201 Change-Id: I7605a3f9f74effb29ecec3b28e4709fd5f7f8cd4
-