Change-Id: Ibe06fcece3a098781f8b55437727617b2727509f

Remove build.py reference from kolla-build for clarity.

Change-Id: I82db9428fe3b1697877e967e060843270574ae71
Closes-Bug: #1516040

Trivial patch to remove duplicated text.

Change-Id: Icb6046a6a3d0c31c1ad7ef58b0da79d4ececdd9b
Closes-Bug: #1516017

This playbook runs on hosts before deployment to be sure we don't
have any conflicting services running and systems are in expected
state.

DocImpact

Change-Id: If5f288b7fbdf269697ca834da4eb969b61683ca0
Partially-implements: blueprint precheck-tasks

Change-Id: Idb25ac4d3148c9b9400cf675ac2e47d35cce6224
Implements: blueprint ansible-magnum

Drop root privileges for rabbitmq.  Only the rabbitmq user
will be able to execute chown of /var/lib/rabbitmq.

Change-Id: I546e6b475a8462bfbc75972854e1fee64f96d9cb
Partially-Implements: blueprint drop-root

The USER operation affects all docker commands after it. This causes a
problem with our {{ include_footer }} implementation since commands in
that footer may require elevated permissions to perform.

In the current implementation I can no longer remove my proxy settings
once the USER has been changed.

Change-Id: I9b2bab5a15f595f6d52a46c64ddf59ba5608b938
Partially-Implements: blueprint drop-root

Drop root privileges for mariadb.  This isn't perfect.  If somemone
breaks out of the container and can run sudo within the contianer,
it would be possible to replace the root credentials of the database.

Any container that uses sudo suffers from some extra attack vector
related to the sudo command.  That said, the sudo commands are
locked down to minimize harm.

Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64
Partially-Implements: blueprint drop-root

Atleast in a script, sudo can be made to only allow the script to
run from the mysql process in the future, versus all the proceesses
being able to be executed as root presently.

Change-Id: I030b57086e37e4dc8f668f98c04335d94ab9d2b0
Partially-Implements: blueprint drop-root

Drop root privileges for Horizon service.  It is necesssary to set
a capability on the filesystem to allow binding to port 80 as a
non-root user.  I have tested this works correctly from a registry
on both CentOS and Ubuntu.

Change-Id: I4c26f28bb28b6633784e6842f3423a2425332c27
Partially-Implements: blueprint drop-root

Lots of tools rqeuire keystoneeauthv1 not just horizon

TrivialFix

Change-Id: I35eb958e35500b04657679371019f2e6f3c2f2dd

Drop root user for heat containers.

Change-Id: Ib07c0193f97bb18cc6154b4015b4056fd983f6c1
Partially-Implements: blueprint drop-root

the openstack-heat-common package installs the Heat UID/GID.
This is necessary pre-work for drop-root for heat services.

Change-Id: I247b0209248de144d20f5245973833be5cd8f14f
Partially-Implements: blueprint drop-root

This change ensures commands run in the kolla-ansible container are done
as the 'ansible' user rather than root.

By default Ansible tries to write it's temporary files to $HOME/.ansible
on the target, which in most cases won't exist when run as the new user.
Hence we now supply the kolla-ansible container with an ansible.cfg, to
tweak the remote_dir option to /tmp.

Change-Id: I838a8c8cd0c7dc1aeca4d12e38c346f252170e7c
Partially-Implements: blueprint drop-root

Added support for Vagrant VirtualBox provider to
provision an Ubuntu VM to run kolla. A new
bootstrap-ubuntu.sh script has been created which
provisions the Ubuntu VM with all kolla depdencies
including docker 1.8.2, ansible 1.9.6 and python-tools
Also created vars in the Vagrantfile to define the cpu and memory settings of the
VM nodes used to run kolla

DocImpact

Change-Id: I4609d7f577e948b04663901afd0c5d1d154c8ac4
Implements: blueprint vagrant-ubuntu-support

Due to the length of the job name and the tox target we run into an
uncommon limitation; the virtualenv that tox launches is nested in a
path that is too long. This leads to and error on our longest named
job which prevents tox from running at all.

This limitation is the limit for the line length of the first line
in a shell script. See `man execve` for more info. A quote from that
manpage: 'A maximum line length of 127 characters is allowed for the
first line in a #! executable shell script.'

Change-Id: I43fba2a5ff1890d699045496c9eaee5e849f3e75
Backport: Liberty
Partially-Implements: blueprint multinode-gate

(apply same fix that we did for keystone, to horizon)

In some cases we're seeing httpd not cleaning up properly after itself,
which results in the horizon container failing to restart. This is
confirmed to happen on rpm based distros, but have not had any reports
on Ubuntu.

Change-Id: I8ece6da1a8a1180730d68be0d129a656ddcede07
Closes-Bug: #1515214
backport: liberty

Change-Id: I1df05608be62cc008ccef1ca88d0b37983568d22
Partially-Implements: blueprint drop-root

Change-Id: I0d98399d7d573ea43689746dda59a647c307b25f
Closes-Bug: #1514697

Off by one error made the --retries option control the number of tries
rather than the number of retries.

Closes-Bug: #1514730
backport: Liberty

Change-Id: I976a8bb9e489d226f44926a6562d4d2af5de099c

This is just a basic test to make sure loading from file works.

Change-Id: I074f36023ac4198c436fcee1668d32f9d1f0e61b

We get an awful lot of questions about how to operate with a registry
on the IRC channel and the obvious way to fix that is to document it.

I don't know what to document about Ubuntu but if someone leaves the
appropriate commands in the review I'll be happy to update it to include
the correct operations to make the registry run on Ubuntu.  Another option
is perhaps we can get Sam to write those docs once this hits the repo since
the structure will be mostly in place.

TrivialFix

Change-Id: Ib88abbaf9bd6bcabddae994157d9288aab8be2bf

This uses the grouping feature of sudo to limit the amount of times
the base sudo file has to be modified to only once.  The container
contents always runs as the user root, except the software which is
controlled by Kolla.  This software may run as root, but it has
undergone a security audit and preserves permissions of the correct
files and does not permit the glance user to write any of the
set_config.py control files.

Change-Id: Ie3cd23edcde5b408a8f66970456279a1b15028e0
Partially-Implements: blueprint drop-root