- Feb 15, 2024
-
-
Bartosz Bezak authored
Add the service role to ironic service users. Ironic recently enforced new policy validation as part of the RBAC efforts. [1][2] Service user support was also added to Ironic. [3] Admin role needs to stay as not all services added service role support. [4][5] [1] https://review.opendev.org/c/openstack/ironic/+/902009 [2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst#phase-2 [3] https://review.opendev.org/c/openstack/ironic/+/907148 [4] https://review.opendev.org/q/topic:bp%252Fpolicy-service-role-default [5] https://review.opendev.org/q/topic:%22New-Location-Apis%22 Related-Bug: #2051837 Change-Id: I048402c2247188cf57f35437f557f84ac25d4ff2
-
- Oct 20, 2023
-
-
Ivan Halomi authored
This change adds basic deployment based on Podman container manager as an alternative to Docker. Signed-off-by:
Ivan Halomi <i.halomi@partner.samsung.com> Signed-off-by:
Martin Hiner <m.hiner@partner.samsung.com> Signed-off-by:
Petr Tuma <p.tuma@partner.samsung.com> Change-Id: I2b52964906ba8b19b8b1098717b9423ab954fa3d Depends-On: Ie4b4c1cf8fe6e7ce41eaa703b423dedcb41e3afc
-
- Aug 30, 2023
-
-
Robin Klostermeyer authored
This commit adds the ironic-prometheus-exporter, following the conventions used by the previously integrated exporters. '[The] Ironic Prometheus Exporter is a Tool to expose hardware sensor data in the Prometheus format through an HTTP endpoint.'[0] Prometheus has been enabled in CI jobs to ensure test coverage. [0] https://opendev.org/openstack/ironic-prometheus-exporter Depends-On: https://review.opendev.org/c/openstack/kolla/+/874415 Change-Id: I6d421effd833d2e0524dd0b81736445c9a730ea9
-
- Aug 02, 2023
-
-
Christian Berendt authored
With the parameter ironic_agent_files_directory it is possible to provide the directory for the ironic-agent.kernel and ironic-agent.initramfs files. By default the parameter is set to the value of node_custom_config. This corresponds to the existing behaviour. Change-Id: I53bb0eddc5380713a967356c85897d8df8ce505f
-
- Jun 28, 2023
-
-
Michal Nasiadka authored
Use case: exposing single external https frontend and load balancing services using FQDNs. Support different ports for internal and external endpoints. Introduced kolla_url filter to normalize urls like: - https://magnum.external:443/v1 - http://magnum.external:80/v1 Change-Id: I9fb03fe1cebce5c7198d523e015280c69f139cd0 Co-Authored-By:
Jakub Darmach <jakub@stackhpc.com>
-
- Jun 22, 2023
-
-
yann.degat authored
ironic tftp service binds on 0.0.0.0. This may be an issue in some setup. This patch propose a better default, such as using the same listen address as the dnsmasq service Closes-Bug: #2024664 Change-Id: I0401bfc03cd31d72c5a2ae0a111889d5c29a8aa2
-
- Mar 15, 2023
-
-
Michal Nasiadka authored
Change-Id: I1649a389bdc3977b936402c3ce3e55056d74ba08
-
- Dec 21, 2022
-
-
Matt Crees authored
Regularly, we experience issues in Kolla Ansible deployments because we use wrong options in OpenStack configuration files. This is because OpenStack services ignore unknown options. We also need to keep on top of deprecated options that may be removed in the future. Integrating oslo-config-validator into Kolla Ansible will greatly help. Adds a shared role to run oslo-config-validator on each service. Takes into account that services have multiple containers, and these may also use multiple config files. Service roles are extended to use this shared role. Executed with the new command ``kolla-ansible validate-config``. Change-Id: Ic10b410fc115646d96d2ce39d9618e7c46cb3fbc
-
- Sep 29, 2022
-
-
Radosław Piliszek authored
Change-Id: Ia8acdf69cb3676ec939777c32f0568cb720c471f
-
- Sep 26, 2022
-
-
Pierre Riteau authored
Closes-Bug: #1990819 Change-Id: I12c451077114b77b11810f25eb5b6187cdf08ad9
-
- Sep 21, 2022
-
-
Michal Nasiadka authored
mainly jinja spacing and jinja[invalid] related Change-Id: I6f52f2b0c1ef76de626657d79486d31e0f47f384
-
- Aug 09, 2022
-
-
Michal Arbet authored
Depends-On: https://review.opendev.org/c/openstack/kolla/+/769385 Depends-On: https://review.opendev.org/c/openstack/kolla/+/765781 Change-Id: I3c4182a6556dafd2c936eaab109a068674058fca
-
- Jul 12, 2022
-
-
Michal Arbet authored
Render {{ openstack_service_workers }} for workers of each openstack service is not enough. There are several services which has to have more workers because there are more requests sent to them. This patch is just adding default value for workers for each service and sets {{ openstack_service_workers }} as default, so value can be overrided in hostvars per server. Nothing changed for normal user. Change-Id: Ifa5863f8ec865bbf8e39c9b2add42c92abe40616
-
- Jun 24, 2022
-
-
Christian Berendt authored
With the ironic_http_interface/ironic_http_interface_address parameters it is possible to set the addresses for the ironic_http service. Change-Id: I72c257ebedf283cdef1b98485a576631e2190657
-
- May 23, 2022
-
-
Radosław Piliszek authored
Change-Id: Ib4b15ed4feac82d8492b1c0f0238a752eac668e6
-
- Apr 20, 2022
-
-
Marcin Juszkiewicz authored
We have only one value for install_type now and it gets removed from image names. Change-Id: I8bf95fd7aa9dd26b80d618ca0fcb097003b4cb0a
-
- Apr 13, 2022
-
-
Maksim Malchuk authored
Add a new parameter 'ironic_dnsmasq_dhcp_ranges' and enable the configuration of the corresponding 'dhcp-range' and 'dhcp-option' blocks in Ironic Inspector dnsmasq for multiple ranges. The old parameters 'ironic_dnsmasq_dhcp_range' and 'ironic_dnsmasq_default_gateway' used for the only range are now removed. This change implements the same solution used in the TripleO several years ago in the: Ie49b07ffe948576f5d9330cf11ee014aef4b282d Also, this change contains: Iae15e9db0acc2ecd5b087a9ca430be948bc3e649 fix for lease time. The value can be changed globally or per range. Change-Id: Ib69fc0017b3bfbc8da4dfd4301710fbf88be661a Signed-off-by:
Maksim Malchuk <maksim.malchuk@gmail.com> Co-Authored-By:
Radosław Piliszek <radoslaw.piliszek@gmail.com>
-
- Apr 06, 2022
-
-
Radosław Piliszek authored
Change-Id: I2ae1a402e723cd1063618d1b9fb18f6adb27a390
-
Radosław Piliszek authored
Change-Id: I8e4096d7136d0ce9e54f1af0bb9ba110487fb35b
-
Radosław Piliszek authored
Depends-On: https://review.opendev.org/c/openstack/kolla/+/832163 Change-Id: Ia2dba1854e925041ae23c731273b810bb2d5ec30
-
- Feb 10, 2022
-
-
Mark Goddard authored
The bootloader used to boot Ironic nodes in UEFI boot mode during inspection when iPXE is enabled has been changed from ipxe.efi to snponly.efi. This is in line with the default UEFI iPXE bootloader used in Ironic since the Xena release. The bootloader may be changed via ironic_dnsmasq_uefi_ipxe_boot_file. Note that snponly.efi was not available via in the ironic-pxe image prior to I79e78dca550262fc86b092a036f9ea96b214ab48. Related-Bug: #1959203 Change-Id: I879db340769cc1b076e77313dff15876e27fcac4
-
- Dec 31, 2021
-
-
Pierre Riteau authored
Role vars have a higher precedence than role defaults. This allows to import default vars from another role via vars_files without overriding project_name (see related bug for details). Change-Id: I3d919736e53d6f3e1a70d1267cf42c8d2c0ad221 Related-Bug: #1951785
-
- Dec 21, 2021
-
-
Dr. Jens Harbott authored
The admin interface for endpoints never had any real use, the functionality was the same as for the public or internal endpoints, except for Keystone. Even for Keystone with API v3 it would no longer really be needed, but it is still being required by some libraries that cannot be changed in order to stay backwards compatible. Signed-off-by:
Dr. Jens Harbott <harbott@osism.tech> Change-Id: Icf3bf08deab2c445361f0a0124d87ad8b0e4e9d9
-
- Aug 06, 2021
-
-
Ilya Popov authored
Basically, there are three main installation scenario: Scenario 1: Ironic installation together with other openstack services including keystone. In this case variable enable_keystone is set to true and keystone service will be installed together with ironic installation. It is possible realise this scenario, no fix needed Scenario 2: Ironic installation with connection to already installed keystone. In this scenario we have to set enable_keystone to “No” to prevent from new keystone service installation during the ironic installation process. But in other hand, we need to have correct sections in ironic.conf to provide all information needed to connect to existing keystone. But all sections for keystone are added to ironic.conf only if enable_keystone var is set to “Yes”. It isn’t possible to realise this scenario. Proposed fix provide support for this scenario, where multiple regions share the same keystone service. Scenario 3: No keystone integration. Ironic don't connect to Keystone. It is possible realise this scenario, no fix needed Proposed solution also keep the default behaviour: if no enable_keystone_integration is manually defined by default it takes value of enable_keystone variable and all behaviour is the same. But if we don't want to install keystone and want to connect to existing one at the same time, it will be possible to set enable_keystone var to “No” (preventing keystone from installation) and at the same time set ironic_enable_keystone_integration to Yes to allow needed section appear in ironic.conf through templating. Change-Id: I0c7e9a28876a1d4278fb2ed8555c2b08472864b9
-
- Jul 22, 2021
-
-
Mark Goddard authored
In the Xena release, Ironic removed the iSCSI driver [1]. The recommended driver is direct, which uses HTTP to transfer the disk image. This requires an HTTP server, and the simplest option is to use the one currently deployed when enable_ironic_ipxe is set to true. For this reason, this patch always enables the HTTP server running on the conductor. iPXE is still enabled separately, since it cannot currently be used at the same time as PXE. [1] https://review.opendev.org/c/openstack/ironic/+/789382 Change-Id: I30c2ad2bf2957ac544942aefae8898cdc8a61ec6
-
- Jul 21, 2021
-
-
Mark Goddard authored
The healthcheck checks for a process called httpd, but these distros call it apache2. This results in the ironic_ipxe container being marked as unhealthy. This change fixes the issue by making the process name distro dependent. Change-Id: I0b0126e3071146e7f8593ba970ecbed65b36fcfa Closes-Bug: #1937037
-
- Jun 23, 2021
-
-
Mark Goddard authored
By default, Ansible injects a variable for every fact, prefixed with ansible_. This can result in a large number of variables for each host, which at scale can incur a performance penalty. Ansible provides a configuration option [0] that can be set to False to prevent this injection of facts. In this case, facts should be referenced via ansible_facts.<fact>. This change updates all references to Ansible facts within Kolla Ansible from using individual fact variables to using the items in the ansible_facts dictionary. This allows users to disable fact variable injection in their Ansible configuration, which may provide some performance improvement. This change disables fact variable injection in the ansible configuration used in CI, to catch any attempts to use the injected variables. [0] https://docs.ansible.com/ansible/latest/reference_appendices/config.html#inject-facts-as-vars Change-Id: I7e9d5c9b8b9164d4aee3abb4e37c8f28d98ff5d1 Partially-Implements: blueprint performance-improvements
-
- Mar 08, 2021
-
-
LinPeiWen authored
This change enables the use of Docker healthchecks for ironic services. Implements: blueprint container-health-check Change-Id: If0a11db5470899c3a0e69ca94fdd0903daadcf8b
-
- Dec 08, 2020
-
-
douyali authored
Change-Id: I94005edeb95282619770b3310af8e6c5811bf8d8
-
- Sep 24, 2020
-
-
James Kirsch authored
This patch introduces an optional backend encryption for the Ironic API service. When used in conjunction with enabling TLS for service API endpoints, network communcation will be encrypted end to end, from client through HAProxy to the Ironic service. Change-Id: I9edf7545c174ca8839ceaef877bb09f49ef2b451 Partially-Implements: blueprint add-ssl-internal-network
-
- Sep 10, 2020
-
-
Pierre Riteau authored
This reverts commit 316b0496, because ironic-inspector is not ready to use WSGI. It would need to be split into two separate containers, one running ironic-inspector-api-wsgi and another running ironic-inspector-conductor. Change-Id: I7e6c59dc8ad4fdee0cc6d96313fe66bc1d001bf7
-
- Aug 29, 2020
-
-
James Kirsch authored
This patch introduces an optional backend encryption for the Ironic API and Ironic Inspector service. When used in conjunction with enabling TLS for service API endpoints, network communcation will be encrypted end to end, from client through HAProxy to the Ironic service. Change-Id: I3e82c8ec112e53f907e89fea0c8c849072dcf957 Partially-Implements: blueprint add-ssl-internal-network Depends-On: https://review.opendev.org/#/c/742776/
-
- Aug 19, 2020
-
-
Rafael Weingärtner authored
The goal for this push request is to normalize the construction and use of internal, external, and admin URLs. While extending Kolla-ansible to enable a more flexible method to manage external URLs, we noticed that the same URL was constructed multiple times in different parts of the code. This can make it difficult for people that want to work with these URLs and create inconsistencies in a large code base with time. Therefore, we are proposing here the use of "single Kolla-ansible variable" per endpoint URL, which facilitates for people that are interested in overriding/extending these URLs. As an example, we extended Kolla-ansible to facilitate the "override" of public (external) URLs with the following standard "<component/serviceName>.<companyBaseUrl>". Therefore, the "NAT/redirect" in the SSL termination system (HAproxy, HTTPD or some other) is done via the service name, and not by the port. This allows operators to easily and automatically create more friendly URL names. To develop this feature, we first applied this patch that we are sending now to the community. We did that to reduce the surface of changes in Kolla-ansible. Another example is the integration of Kolla-ansible and Consul, which we also implemented internally, and also requires URLs changes. Therefore, this PR is essential to reduce code duplicity, and to facility users/developers to work/customize the services URLs. Change-Id: I73d483e01476e779a5155b2e18dd5ea25f514e93 Signed-off-by:
Rafael Weingärtner <rafael@apache.org>
-
- Aug 10, 2020
-
-
Mark Goddard authored
Previously we mounted /etc/timezone if the kolla_base_distro is debian or ubuntu. This would fail prechecks if debian or ubuntu images were deployed on CentOS. While this is not a supported combination, for correctness we should fix the condition to reference the host OS rather than the container OS, since that is where the /etc/timezone file is located. Change-Id: Ifc252ae793e6974356fcdca810b373f362d24ba5 Closes-Bug: #1882553
-
- Apr 09, 2020
-
-
Dincer Celik authored
Some services look for /etc/timezone on Debian/Ubuntu, so we should introduce it to the containers. In addition, added prechecks for /etc/localtime and /etc/timezone. Closes-Bug: #1821592 Change-Id: I9fef14643d1bcc7eee9547eb87fa1fb436d8a6b3
-
- Jan 30, 2020
-
-
Mark Goddard authored
In dev mode currently the python source is mounted under python2.7 site-packages. This change fixes this to use the distro_python_version variable to ensure dev mode works with Python 3 images. Change-Id: Ieae3778a02f1b79023b4f1c20eff27b37f481077 Partially-Implements: blueprint python-3
-
- Jan 10, 2020
-
-
Mark Goddard authored
For the CentOS 7 to 8 transition, we will have a period where both CentOS 7 and 8 images are available. We differentiate these images via a tag - the CentOS 8 images will have a tag of train-centos8 (or master-centos8 temporarily). To achieve this, and maintain backwards compatibility for the openstack_release variable, we introduce a new 'openstack_tag' variable. This variable is based on openstack_release, but has a suffix of 'openstack_tag_suffix', which is empty except on CentOS 8 where it has a value of '-centos8'. Change-Id: I12ce4661afb3c255136cdc1aabe7cbd25560d625 Partially-Implements: blueprint centos-rhel-8
-
- Dec 12, 2019
-
-
Mark Goddard authored
Ironic provides a feature to allow instance images to be served from a local HTTP server [1]. This is the same server used for PXE images with iPXE. This does not work currently because the ironic_ipxe container does not have access to /var/lib/ironic/images (ironic docker volume), where the images are cached. Note that to make use of this feature, the following is required in ironic.conf: [agent] image_download_source = http This change fixes the issue by giving ironic_ipxe container access to the ironic volume. [1] https://docs.openstack.org/ironic/latest/admin/interfaces/deploy.html#deploy-with-custom-http-servers Change-Id: I501d02cfd40fbacea32d551c3912640c5661d821 Closes-Bug: #1856194
-
- Oct 16, 2019
-
-
Radosław Piliszek authored
Introduce kolla_address filter. Introduce put_address_in_context filter. Add AF config to vars. Address contexts: - raw (default): <ADDR> - memcache: inet6:[<ADDR>] - url: [<ADDR>] Other changes: globals.yml - mention just IP in comment prechecks/port_checks (api_intf) - kolla_address handles validation 3x interface conditional (swift configs: replication/storage) 2x interface variable definition with hostname (haproxy listens; api intf) 1x interface variable definition with hostname with bifrost exclusion (baremetal pre-install /etc/hosts; api intf) neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network basic multinode source CI job for IPv6 prechecks for rabbitmq and qdrouterd use proper NSS database now MariaDB Galera Cluster WSREP SST mariabackup workaround (socat and IPv6) Ceph naming workaround in CI TODO: probably needs documenting RabbitMQ IPv6-only proto_dist Ceph ms switch to IPv6 mode Remove neutron-server ml2_type_vxlan/vxlan_group setting as it is not used (let's avoid any confusion) and could break setups without proper multicast routing if it started working (also IPv4-only) haproxy upgrade checks for slaves based on ipv6 addresses TODO: ovs-dpdk grabs ipv4 network address (w/ prefix len / submask) not supported, invalid by default because neutron_external has no address No idea whether ovs-dpdk works at all atm. ml2 for xenapi Xen is not supported too well. This would require working with XenAPI facts. rp_filter setting This would require meddling with ip6tables (there is no sysctl param). By default nothing is dropped. Unlikely we really need it. ironic dnsmasq is configured IPv4-only dnsmasq needs DHCPv6 options and testing in vivo. KNOWN ISSUES (beyond us): One cannot use IPv6 address to reference the image for docker like we currently do, see: https://github.com/moby/moby/issues/39033 (docker_registry; docker API 400 - invalid reference format) workaround: use hostname/FQDN RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4. This is due to old RabbitMQ versions available in images. IPv4 is preferred by default and may fail in the IPv6-only scenario. This should be no problem in real life as IPv6-only is indeed IPv6-only. Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will no longer be relevant as we supply all the necessary config. See: https://github.com/rabbitmq/rabbitmq-server/pull/1982 For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed to work well). Older Ansible versions are known to miss IPv6 addresses in interface facts. This may affect redeploys, reconfigures and upgrades which run after VIP address is assigned. See: https://github.com/ansible/ansible/issues/63227 Bifrost Train does not support IPv6 deployments. See: https://storyboard.openstack.org/#!/story/2006689 Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Implements: blueprint ipv6-control-plane Signed-off-by:
Radosław Piliszek <radoslaw.piliszek@gmail.com>
-
- Sep 17, 2019
-
-
Mark Goddard authored
Use upstream Ansible modules for registration of services, endpoints, users, projects, roles, and role grants. Change-Id: I7c9138d422cc91c177fd8992347176bb54156b5a
-