Due to the fact COPY_ONCE is not how most people expect the container
to work, as well as causing additional delays in the reconfigure
process by needing to delete and recreate teh container, we should
default to COPY_ALWAYS. It is both how operators and deployers expect
things to work and allows a quick restart to pull in a new config.

TrivialFix

Change-Id: Ie5f043fc66aa85378f456017c9e31ddbbe6d8880

Admin token has been deprecated upstream. It will be removed in O. We
switch over to the new `keystone-manage bootstrap` method for creating
the initial admin user, role, and project.

Co-Authored-By: Sam Yaple <sam@yaple.net>
Change-Id: I6ca90e8d4c3b71009e24b049b2efbc08c05ebfbf

This follows the structure we have for Ironic and Nova

Closes-Bug: #1551316
Change-Id: I609e3dda40c65b73bb5e1208f702740416a042ed

Use kolla_internal_vip_address for kolla_internal_fqdn in the all.yml
file. In this way, the global.yml no need set the old/deprecated
kolla_internal_address variable.

TrivialFix

Change-Id: I0768b9a2b615afb6a8b1f7c065189a495b8f9c9b

This runs first sanity check for swift. Once
swift is deployed it checks list()

Change-Id: I613bf9f2893d66814863893ec5acde5aa252548d
Partially-Implements: blueprint sanity-check-container

Closes-Bug: #1551052
Change-Id: Ic226287bbf1f1e8d5cc2e1d80ce2975448b1f95c

Run the keystone reconfigure only when inventory_hostname in
groups['keystone']

Partially-implements: bp kolla-reconfig
Change-Id: I9d4b5f39f2d68cfd2ae087e3f8a2ee4785eb9586

The path of the template file under the same role
can easily be omitted, and we are using this omitting
in most places except those this commit is fixing.

TrivialFix
Change-Id: I6d1563e235151669d9d9268d69555aae15e31926

This is introduced by I21904659b1789fa71118401bfb6ac2227ae564da

TrivialFix

Change-Id: I8ab62c5b6c69e198e29205518941a9b0054c105f

This runs first sanity check for cinder. Once
cinder is deployed it checks volumes.list()

Change-Id: I1b4cc57f21cf0fa52a391229c2c2b3fa995d32a8
Partially-Implements: blueprint sanity-check-container

Partially-implements: bp kolla-reconfig

Change-Id: Ied293e59bf4531e88a0e5e5bf9a5f5f495d2a0e7

Due to poor planning on our variable names we have a situation where
we have "internal_address" which must be a VIP, but "external_address"
which should be a DNS name. Now with two vips "external_vip_address"
is a new variable.

This corrects that issue by deprecating kolla_internal_address and
replacing it with 4 nicely named variables.

kolla_internal_vip_address
kolla_internal_fqdn
kolla_external_vip_address
kolla_external_fqdn

The default behaviour will remain the same, and the way the variable
inheritance is setup the kolla_internal_address variable can still be
set in globals.yml and propogate out to these 4 new variables like it
normally would, but all reference to kolla_internal_address has been
completely removed.

Change-Id: I4556dcdbf4d91a8d2751981ef9c64bad44a719e5
Partially-Implements: blueprint ssl-kolla

The generic driver for manila need the neutron agents
and OVS / Linuxbridge running on the same node as manila_share.
This is necessary when the DHSS (Driver Handles Share Servers)
is the value "True", so that the manila_share can talk
with NFS manager.

Change-Id: I21904659b1789fa71118401bfb6ac2227ae564da
Partially-Implements: blueprint enable-manila-containers

Working towards the blueprint that will add TLS protection
for the external endpoints, kolla needs certificates.

When kolla deploys OpenStack, the external VIP will need
a server side certifcate.  Clients that access those endpoints will
need the public CA certificate that signed that certificate.

This ansible script will create these two certificates to make
it easy to use TLS in a test environment.  The generated
certificate files are:

/etc/kolla/certificates/haproxy.pem  (server side certificate)
/etc/kolla/certificates/haproxy-ca.pem (CA certificate)

The generated certificates are not suitable for use in a
production environment, but will be useful for testing and
verifying operations.

Partially-implements: blueprint ssl-kolla

Change-Id: I208777f9e5eee3bfb06810c7b18a2727beda234d

Since openvswitch is handled in the kernel, it really is as simple as
upgrade the container since the container only has userspace tools in
it.

Partially-Implements: blueprint upgrade-kolla
Implements: blueprint upgrade-neutron
Change-Id: Iec57c67a1ccba8f48b752fe832cd714bcc658af0

Ceph is pretty easy to work with. Upgrade mons, then osds, then rgws

We want to eventually make these serial values configurable, but for
now due to cephs delicate distributed network nature it is safest to
only run 1 change at a time.

Change-Id: Icc721ab3651379c28fee853ca95f9e3ddf102998
Partially-Implements: blueprint upgrade-kolla
Implements: blueprint upgrade-ceph

Currently Heka fails to parse the RabbitMQ logs. There are two
problems:

1. The rabbit-sasl.log file is ignored but the file_match expression
   does not match.
2. The delimiter used in the RegexSplitter makes Heka stop on the
   very first log entry. '\n\n(=[^=]+====' (with two \n's) is
   a better delimiter. deliver_incomplete_final is used to get the
   final log entry.

TrivialFix

Change-Id: I94720340d5b2d6fd5d7641b9ff58733f6cd882ee

Changed hard-code keystone username for neutron and heat in the
neutron.conf template and heat.conf template.

TrivialFix

Change-Id: Ibdd1422bd4cae5011f9fc5f4de7dfc58601dca1d

This is single task to upgrade both haproxy and keepalived. It stops
slave nodes of keepalived and upgrades them separately to avoid
VIP migration and allow nearly no-downtime upgrade

Change-Id: I06124635a3f3553a4e8e91013cefbf897dd7179f
Implements: blueprint upgrade-haproxy
Implements: blueprint upgrade-keepalived
Partially-implements: blueprint upgrade-kolla

DocImpact

Partially-implements: bp kolla-reconfig
Change-Id: I9738e80960bcfbef18d1ef1b7942f81c45684e85

Ceph was not properly using storage network.

TrivialFix

Change-Id: Ibf3da5d19cd2ca874d251b455a7eb856154fc3f7

HAProxy: change to use option forwardfor to pass origin IP address
to backend via X-Forwarded-For header

Keystone: Apache does the audit logs for keystone.  Change the
LogFormat to display the passed address instead of the connection
address which is that of the load balancer.

Nova, Cinder, Glance: these services can make use of the address
passed in X-Forwarded-For.  With this setting the API logs for
these services include the client IP address.

Change-Id: Ia861ecc11a7c7d463d0366586926d1a842853f69
Closes-Bug: #1548935

To improve security, operators have asked for two VIPs for
their cloud.

VIP 1 is the internal VIP that can reach internal and admin endpoints.
In addition, the internal VIP can also reach other internal services,
such as the database and message services.
VIP 2 is the external VIP that can only reach public endpoints.

With one VIP only, all services are reached at the same address.

To add a second VIP, this patch adds two new configuration parameters.

kolla_external_vip_address: is an IPv4 address to use for created VIP
kolla_external_vip_interface: is the network interface to use for VIP
In this scenario, the first VIP (the internal VIP), is defined by
the original parameters (kolla_internal address and network_interface).

When using two VIPs, the existing kolla_external_address parameter
should be/point to/resolve to the kolla_external_vip_address.

Closes-bug: 1535333

Change-Id: I5bfcefaf7899298455cdade8209c34324aebfecb

This bootstrap was non-idempotent. This patch follows the style
first implemented with nova to make this idempotent.

TrivialFix

Change-Id: Id04e59c5274a7d8a5bffd3ce018f3bbb84839d75

Partially implements: blueprint heka

Change-Id: I1322d2dc870e6f8fe052926995d993e8a08a25db

Partially implements: blueprint heka

Change-Id: Ib6ac3228626360216c2c738ed601d61375b51675

This follows up on a review comment from sdake [*] and change the
Jinja2 expressions used in heka.json.j2.

[*] <https://review.openstack.org/#/c/283118/3/ansible/roles/common/templates/heka.json.j2@49>

TrivialFix

Change-Id: I20ee5084cfef6acf53a737757fe727df5b4e9fce

This should be later replaced with actual upgrade logic

Change-Id: I1c386a7f3bc0d15ebe4a47d2628833172a15f89b
Partially-implements: blueprint upgrade-kolla
Partially-implements: blueprint upgrade-elasticseatch

Change-Id: I1e5fd00eb3978db950f008e740d3b8130964909f
Closes-Bug: 1548445

Swift uses Syslog, but it uses a custom log format.  So this commit
adds a specific Heka decoder for Swift.

It also increases the log level from "warning" to "info" to make
Swift more verbose.  Note that "info" is the default log level in
Swift.

And it disables the Heka configuration for Swift when "enable_swift"
is set to "no".  This prevents Heka from creating 15 empty Swift log
files in the logs volume.

Partially implements: blueprint heka

Change-Id: If7a7d0707e71be2957178e2d45b5de51b788232e

New playbook for glance service upgrade.

Change-Id: I759e4eddf669112f752fe07d6b99a4bb9593d97f
Implements: blueprint upgrade-glance
Partially-Implements: blueprint upgrade-kolla

In order to avoid the neutron-dhcp-agent container from
failing, you need to change 'MountFlags' to 'shared' in
/var/lib/systemd/system/docker.serivce.  Add a precheck
so that this issue will not happen as often.

Closes-bug: #1546681
Change-Id: I339b5e93e870534fe16c6610f299ca789e5ada62

The new heka changed log path. It is necessary to change
the dnsmasq log path as well.

Change-Id: Iaffecb8baf87961931727ce653f6c72740896a8f
Closes-Bug: 1548199

Based on the Nova upgrade patch and recommendations from Swift PTL John
Dickinson at
https://swiftstack.com/blog/2013/12/20/upgrade-openstack-swift-no-downtime/

Notes:

As part of this upgrade I have chosen to *not* migrate any data from the
old style swift_data container. This is because it was never intended to
be used in production; this fact is made clear in the docs.

In regards to testing, as of this patch we do not yet have an upgrade
task for the common containers (rsyslog and kolla-toolbox), so
attempting to upgrade swift will result in it failing to find the
kolla-toolbox. This will be true of any other upgrade until upgrade for
common is added. It can be worked around by deploying another role such
as keystone which will drag in the common role and start up
kolla-toolbox, after which Swift can be successfully upgraded.

Change-Id: I138556932e9bddcd595d94a3dcb69603268880ff
Partially-Implements: blueprint upgrade-kolla
Implements: blueprint upgrade-swift

Partially implements: blueprint heka
Change-Id: I91a977c6a3632c570f7a6054c8de3f5e3cb6932c

Partially implements: blueprint heka
Change-Id: I17fc4b838d6ba8b6fcfc5c08314fef5fac1c7aff

Partially implements: blueprint heka
Change-Id: Ie22c4326c6ec2a3426b0c3b8fda4554b1b2541b0

Partially implements: blueprint heka
Change-Id: I9dcb71a9cf063fb520fcf3485e0376f1e90d87ad

Partially implements: blueprint heka
Change-Id: I893a0c4a4cab9d4d98821634ddd2ff67015c4e3f

Partially implements: blueprint heka
Change-Id: I70e94f4ef7380c6f376a3066d7ddda042c703637