This uses the grouping feature of sudo to limit the amount of times
the base sudo file has to be modified to only once.  The container
contents always runs as the user root, except the software which is
controlled by Kolla.  This software may run as root, but it has
undergone a security audit and preserves permissions of the correct
files and does not permit the glance user to write any of the
set_config.py control files.

Change-Id: Ie3cd23edcde5b408a8f66970456279a1b15028e0
Partially-Implements: blueprint drop-root

The reason we are doing drop root is so that a network exposed
software component (i.e. glance) cannot be used to affect the
immutability of the container which it runs in.  I have tried
several different approaches and this is the only approach which
puts glance in PID=1 while ensuring no files may be written by
the glance process in the container image except for the log files.

Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41
Partially-Implements: blueprint drop-root

database_user_create was not correctly referenced when parsing the
variable names. This could never actually lead to a situation that
reported a false change, but it could break an operation if you were
using the --step option with ansible and skipped the database create
task.

TrivialFix
Backport: Liberty

Change-Id: Idf69fffcc3814f509448ccea11b7d175f074ccf1

And fix the fallout.

Change-Id: Iccad3f4fdb0a6a7c14246df3408cae0425b833a5

RDO does not yet provide a CI tested Mitaka repository.
As such, the current-passed-ci repository is the last tested
repository before the stable/liberty branch was cut.

To be able to test against the latest packages, we need to
use the untested repositories until the CI tested repository
is in place.

TrivialFix

Change-Id: I4a125eb3c84fa790746a9a8eca19e4fb2d9ecf38

Fixed commands for disabling\stoping libvirt and ntpd in different OS

I encourage to install kolla tools via pip, so user could get rid
of relative paths to config and scripts and run it from everythere.

Change-Id: I77271ce2f72fbaa7d6586a84f7998a9888d9b3a2

pip install default prefix in Ubuntu is /usr/local, and Kolla tools scripts
didnt respect that. So I added few OS checks in this scripts.

I improve config path check in build.py. Added more verbose error if we can't
find config directory.

Change-Id: Ide521ed205b0dc1fc27e237a9a8f4da0168e664f
Closes-Bug: #1512302

The commands around installing docker on Centos7
in the quickstart guide needed a little tweaking
and a little spell checking.

Change-Id: Ia0367900ab9792a096f753d5fd943ffab0a005a4

build.py -b rhel -t [rdo|rhos|source|binary]

The last patch for this didn't quite fix the problem properly as
it only permitted RHOS builds.

backport: liberty

Change-Id: I27eed202560adce450c07d043cc224e7a6c6bbf6
Closes-Bug: #1513088

Use the absoluate path rather than that with `..`. This will be
helpfull for end-user to see where is the folder/file.

Closes-Bug: #1513726
Change-Id: I7169952d874ddf14469605444044de0163b033d3

This was conflicting with Percona-Server-devel-55 and broke centos
source build for openstack-base image.

Backport: Liberty
Change-Id: Ia2bb2106038e8e2eadb6668f4ae1ad1d95710c09
Closes-Bug: #1513711

Change-Id: I81d80c3bdb401a044d42abb568c35117f6ead51a

Due bad rebases there is a huge section of the spice patch missing
from the implementation unfortunately. This patch finishes the rest
of this patch out properly.

Change-Id: I693c6745e9594fd91eb6453f6de9dfcbd410e89c
Paritally-Implements: blueprint nova-proxies

Change-Id: I3e05e2d5c739794ae6ff0cc375dc6226f81bb542
Paritially-Implements: blueprint multinode-gate

- Remove ansible-deployment documentation link, it was moved
  to quickstart.
- Link to rendered documentation on docs.openstack.org instead

Change-Id: Ib97cfa23e7932c1d7012d1b36a26f32914431790
Closes-Bug: #1513582

The bootstrap must occur on the nova-api node due to binding in the
nova-api directory (same goes for all other services)

Closes-Bug: #1513439
Backport: Liberty
Change-Id: Iab88b49712828085e4d7e7f85e6d8f0b7999a9bf

The main reason for this change is to allow the DinD stuff to work. It
has limited use outside of that use case, but it may still be useful
to others in the future.

Change-Id: Ib3a4639cfb3fc0d378d33fc8b9ff8eb597f818ab
Partially-Implements: blueprint multinode-gate

Adjust all the configs to list all the rabbitmq hosts rather than
running rabbitmq through the VIP. This is made possible by clusterer
which has already merged.

Change-Id: I5db48f5f10ec68f4c8863a29bc13984f6845a4f9
Partially-Implements: blueprint rabbitmq-clusterer

The URL scheme has changed and the link was broken.

Change-Id: Id5e293d6addf1a70b3af51129b66e1a406628f59

In some cases we're seeing httpd not cleaning up properly after itself,
which results in the keystone container failing to restart. This is
confirmed to happen on rpm based distros, but have not had any reports
on Ubuntu.

Change-Id: I58b006189e700f1c851601b4f64dd0fae931103c
Closes-Bug: #1489676
Co-Authored-By: Tim Potter <tpot@hpe.com>

So we can respect DRY and share as much code as possible I have broken
out the common code between the aio and multinode gate scripts.

Additionally, this lays the ground work for removing our policy on
root-everywhere by using sudo. Once we get the non-root stuff worked
out we can gate as non-root user.

Change-Id: I781c597ab10f2296b95f51ae27e0fa617ffe0a66
Partially-Implements: blueprint multinode-gate

Change-Id: I3c953125ed0105b7e8b62e62da56bf3fa30889d1
Partially-Implements: blueprint multinode-gate

Mention `chrony` since thats what docs.openstack.org recommends for
WAN connections. It does do better than ntpd
Change-Id: I28caade26492294bf12b092ff949003c7bf0bb8e