- Sep 17, 2024
-
-
Michal Arbet authored
This trivial fix simply consists of adding the forgotten action after the kolla-ansible was reworked in review [1]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/911417 Closes-Bug: #2080408 Change-Id: I26b5db3a3eeebd758ad05d9cb9aa689a68e1816f
-
Michal Arbet authored
From version 2.1, ProxySQL has a built-in ProxySQL Prometheus exporter. This patch adds an option to easily enable this exporter [1]. [1] https://proxysql.com/documentation/prometheus-exporter Change-Id: I8776cdc0a6ec9e4e35a2424dd0984488514a711f
-
- Sep 13, 2024
-
-
Will Szumski authored
When using dnsmasq as a DHCP server, unless you use the noping option (and that is not recommended), the NET_RAW capability is required so that dnsmasq can send ICMP packets. These are used to check an address is not currently in use[1]. Docker enables this capability by default. Podman runs containers with a minimal set of capabilities[3]. [1] https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012840.html [2] https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities [3] https://github.com/rhatdan/common/blob/f39f2a3f8c7680b9e456b9d235570e511807d6c6/docs/containers.conf.5.md?plain=1#L84-L101 Closes-Bug: #2055282 Change-Id: Ib3a1313df680d91c7f008063937ca7d37e82f690
-
Michal Arbet authored
The --reload parameter ensures that any changes in the proxysql configuration file are applied to the already existing internal proxysql database. Change-Id: I9215d6cef3795030676c44a8184d99ba46dcb60c
-
Roman Krček authored
This is a prerequisite for patchset #924651. Nova runs checks before upgrading. A new nova_upgrade_checks container is started for that purpose. This container uses the new nova-api image, but the old config.json file. The image expects CA certificates in a certain location, but due to the old config.json file, they will not be present. This results in the container not trusting keystone SSL certificate and the upgrade fails, since it can't connect. Moving the config section before the checks ensures that the new container has all the certificates it needs to connect to Keystone. Also nova_enable_rolling_upgrade is no longer used, so there was no point in keeping upgrade tasks split. Change-Id: I44bf48fb86f639d7f0acb786392573ebfed7ee97 Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>
-
Michal Nasiadka authored
In I70dd1751dea6bfc9bb265aeda04b3392e135324c we removed Requires=docker.service and left only After=docker.service. In a case where something starts docker.service that's enough, but if docker.service is disabled or no service is dependent on it - it won't be started. This patch adds Wants=docker.service which will try to start docker.service if it is not started or enabled but does not impose a dependency which causes restart of kolla systemd units when docker.service is restarted (see [1]). Closes-Bug: #2065168 [1]: https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Wants= Change-Id: Ic3acb15f7c6ba7269ef62ccc8895b6bea4fc1f4d
-
- Sep 12, 2024
-
-
Pierre Riteau authored
Inner modules called by the kolla_toolbox module were returning stdout and stderr as a single output object. This could break JSON parsing if any data was present in stderr, for example warnings such as: `[WARNING]: Collection ansible.posix does not support Ansible version 2.14.17` Fix by using demux=True to separate the two streams. The stderr content is logged as it could be useful for troubleshooting or catching deprecation notices. Change-Id: Iad0476d4511f28c837794352c9a3e2f47113d9a1 Closes-Bug: #2080544
-
Sven Kieske authored
Add a new variable keystone_federation_oidc_claim_delimiter to make this configurable for keycloak OIDC federation. Closes-Bug: #2080394 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: If14285f033ed4914fd3b28d7efcc95e1c9f273a5
-
- Sep 09, 2024
-
-
Michal Arbet authored
Commit [1] introduced a bug into kolla-ansible where there is incorrect indentation in the haproxy configuration file. This patch fixes it. [1] https://github.com/openstack/kolla-ansible/commit/b13fa5a92cb6d768c5839bd11667e2ca72a7cd2f Closes-Bug: #2080034 Change-Id: I3375e303bc358fc79d1fa2e219e6ec1dba7a38ba
-
- Sep 05, 2024
-
-
Victor Chembaev authored
Change-Id: Ie73d7eef294e9e579314a61b39382f3ff3ba4b4b Closes-Bug: 2078973
-
Martin Hiner authored
Fixes issue in PodmanWorker where it didn't set KOLLA_SERVICE_NAME environment variable when creating new container. Additionally, two methods were moved from DockerWorker to ContainerWorker as they are applicable to both engines. Closes-Bug: #2078940 Change-Id: I273444fc828678d3c6803bce1bc8db1c5366b9b6 Signed-off-by: Martin Hiner <martin.hiner@tietoevry.com>
-
- Sep 03, 2024
-
-
Roman Krček authored
Build upon changes in kolla which change strategy of installing projects in containers when in dev mode. This fixes problems where when package file manifest changes, the changes were not reflected in the devmode-enabled container. It changes the strategy of installing projects in dev mode in containers. Instead of bind mounting the project's git repository to the venv of the container, the repository is bind mounted to /dev-mode/<project_name> from which it is installed using pip on every startup of the container using kolla_install_projects script. Also updates docs to reflect the changes. Depends-On: https://review.opendev.org/c/openstack/kolla/+/925712 Closes-Bug: #1814515 Signed-off-by: Roman Krček <roman.krcek@tietoevry.com> Change-Id: If191cd0e3fcf362ee058549a1b6c244d109b6d9a
-
- Aug 30, 2024
-
-
Sven Kieske authored
harden the TLS default config according to the mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7 if you want to revert to the old settings, set: kolla_haproxy_ssl_settings: "legacy" in globals.yaml alternatively you can also set it to "intermediate" for a middle ground between security and accessibility. this also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism. also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide. Closes-Bug: #2060787 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6
-
- Aug 29, 2024
-
-
Matt Crees authored
Given we bump the RabbitMQ version each release, there is a manual upgrade to an intermediary RabbitMQ version needed before a skip-level upgrade can be performed. Change-Id: Id8a5ebe19a50ebdc59d12667889472c803b8d7c8
-
Bartosz Bezak authored
When merging change [1], fluentd_enable_watch_timer was unintentionally missed in Let’s Encrypt, as change [2] had been merged earlier. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/785309 [2] https://review.opendev.org/c/openstack/kolla-ansible/+/899895 Change-Id: I7c72faecbdb66c7fd196acd3e7b2351851983490
-
- Aug 27, 2024
-
-
Bartosz Bezak authored
The prometheus-msteams project is no longer maintained [1]. As a result support for deploying prometheus-msteams via kolla-ansible has been dropped. Users are encouraged to migrate to the native Prometheus Alertmanager integration with Microsoft Teams [2]. [1] https://github.com/prometheus-msteams/prometheus-msteams/issues/343 [2] https://prometheus.io/docs/alerting/latest/configuration/#msteams_config Change-Id: I93d28ef138b4e784465f3a7eaa11101ea5877050
-
- Aug 23, 2024
-
-
Michal Nasiadka authored
See [1]. [1]: https://opendev.org/openstack/ironic-inspector/commit/0b9b1756660b4ea63b44c0f01bbf3c1aa71c1f1a Change-Id: I8866cdab396b805ec75bc4ccccdc5c1909e63bcf
-
Sven Kieske authored
check if generated prometheus config is valid via promtool. This should help prevent bugs like: https://bugs.launchpad.net/kolla-ansible/+bug/2076660 prior art: haproxy config validation: https://review.opendev.org/c/openstack/kolla-ansible/+/922840 also add some basic documentation for the `kolla-ansible validate-config` command. Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: Ief90861b2c422e0e6c2dd9cb605c94e86c0f2ba1
-
- Aug 21, 2024
-
-
leiyashuai authored
Library "distutils" is deprecated in Python 3.10: https://peps.python.org/pep-0632/ The versions previously referenced using StrictVersion should be old enough that they will not be used in a Dalmatian deployment: - Ansible 2.11 - Docker API 1.42, included since Docker engine 23.0.0 Change-Id: Ie315004715a1cb5a91dd54bc64b0a8fd0af650ec
-
- Aug 20, 2024
-
-
Simon Dodsley authored
From OpenStack 2023.2 (Bobcat) the Pure Storage Cinder driver supports NVMe-TCP as a dataplane protocol. This patch adds support for this new driver type. Change-Id: I3c0ad7652a03388ab2eafa173c644a55b0405cc6
-
Michal Arbet authored
This patch adds REQUESTS_CA_BUNDLE as it's described in requests documentation [1]. This is needed because some ansible modules internally use the python requests library and some users, of course, use their own CAs. [1] https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification Closes-Bug: #1967132 Change-Id: I901c2bc8ac477f15d2833e68566b19e437f4b6d1
-
- Aug 16, 2024
-
-
Michal Nasiadka authored
Change-Id: Ic87fb3e4c014d3090869d5631e02982829df6312
-
Michal Arbet authored
This patch removes the nova_libvirt_secret container volume because it is a complete antipattern, and during testing, I found that it causes problems. When it was necessary to copy libvirt secrets from /etc/kolla/nova-libvirt/secrets, the container logs reported that the resource is busy - precisely because it was a mounted container volume. This, of course, is unnecessary because the secrets are copied to the kolla host in /etc/kolla/nova-libvirt/secrets. Closes-Bug: #2073678 Change-Id: I715a6a95f9d32d62a8199727ddbaddd0dd7baa2d
-
- Aug 13, 2024
-
-
Alex-Welsh authored
This change fixes a bug in the prometheus.yml template which breaks alertmanager configuration Closes-Bug: 2076660 Change-Id: I9adf34747a22d7d5aef31fad3f68f7880e18f022
-
Maksim Malchuk authored
Follow-up on I343d8f45a78ebc3c11ed0c68fe8bec24f9ea7929 According to the documentation [1] we forgot to share statistics data for swift-account-server and swift-container-server. This change will fix the issue. 1. https://docs.openstack.org/swift/latest/admin_guide.html#cluster-telemetry-and-monitoring Closes-Bug: #1941611 Change-Id: Ib9afd84cac1fcbd96f98b4720ea9c6503bbdb124 Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
-
Sven Kieske authored
The variable kolla_same_external_internal_vip in group_vars/all.yml was set to true or false depending on the jinja2 equality operator - == - which only checks if two objects are the same. This is problematic because IPs can be the same but have different string representations, e.g. leading zeroes in some octets, but still represent the same instance of an IP. Example: 192.168.1.1 and 192.168.001.001 are the same. Fix this, by using the ansible.utils.ipaddr() jinja2 filter instead to increase robustness. Closes-Bug: #2076889 Introduced-By: https://review.opendev.org/c/openstack/kolla/+/285005 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: Ied43b9d0c4b33bb514d367f3f99c2e30e104d139
-
- Aug 12, 2024
-
-
Matt Crees authored
Required before a SLURP upgrade Change-Id: I09a45d26a6075554b204e007f64122f23de5f53c
-
Roman Krček authored
For possible config options see docs https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html#memcache-protection Closes-bug: #1850733 Signed-off-by: Roman Krček <roman.krcek@tietoevry.com> Change-Id: I169e27899f7350f5eb8adb1f81a062c51e6cbdfc
-
Ivan Halomi authored
Refactor that prepares kolla_container_facts module for introducing more actions that will be moved from kolla_container module and kolla_container_volume_facts. This change is based on a discussion about adding a new action to kolla_container module that retrieves all names of the running containers. It was agreed that kolla-ansible should follow Ansible's direction of splitting modules between action modules and facts modules. Because of this, kolla_container_facts needs to be able to handle different requests for data about containers or volumes. Change-Id: Ieaec8f64922e4e5a2199db2d6983518b124cb4aa Signed-off-by: Ivan Halomi <ivan.halomi@tietoevry.com>
-
- Aug 09, 2024
-
-
Bartosz Bezak authored
OpenvSwitch container needs to be restarted for hw offload to be enabled/disabled properly [1]. OpenvSwitch container will also be restarted when system-id or hostname changes. Closes-Bug: #2076335 [1] https://docs.openstack.org/neutron/2024.1/admin/config-ovs-offload.html#configure-open-vswitch-hardware-offloading Change-Id: I444fc345e5d21ed969f48aa9a6230905cc411149
-
Christian Berendt authored
By default, the watch timer in Fluentd is set to True. To save CPU and I/O consumption this can be set to False, which kolla-ansible has been hardcoding so far. When the watch timer is disabled, in_tail relies entirely on inotify. In certain constellations, this may not work reliably. In these cases, the watch timer needs to be activated, so this change adds a variable to make the setting configurable. Change-Id: Ic8ce6fbc3ed8f31d5d090e114b35703532679729
-
- Aug 08, 2024
-
-
Franciszek Przewozny authored
Change I60162b54bc06e158534d29311d4474b34750c64d removed the '/v3' suffix from horizon_keystone_url variable, but the version is needed for some operations. This patch fixes the "Change password" Horizon function until Horizon bug #2073639 is resolved. Closes-Bug: #2073159 Change-Id: I6ff46b47e9109d0757f2e5ce8019ba591b9892e1
-
Stig Telfer authored
A host that is in the manila-share group, but not in controllers network, etc., will fail service deployment if it is not using the generic manila driver (eg, if it is using the CephFS native driver). This is because deployment of openvswitch-vswitchd is predicated on the drivers enabled for manila-share. However, this predicate is not universally applied. Where inventory group membership is used the dependency on openvswitch-vswitchd presence will fail. Closes-Bug: #1993285 Change-Id: I821e513d24f2a1c59240d65ad68c3b5f2080e439
-
Michal Nasiadka authored
Adapt files to match new requirements, add assertIn to whitelist Change-Id: I516bbbb3a0f194e8fa08d04c0290b586963b8b55
-
- Jul 25, 2024
-
-
Michal Nasiadka authored
Also stop using the old config name (td-agent.conf) Change-Id: Ied2736b891cd8c6dfcc509a8fd6b1fc8bfe21cb4
-
- Jul 22, 2024
-
-
Doug Szumski authored
This fixes an issue where it is not possible to customise the `host` config option in the Nova Compute Ironic config file without breaking detection of the service. This is a backwards compatible fix, which allows a user to set the `host` config option using Ansible host or group vars. Other reasons for not using the default host setting of `{{ ansible_hostname }}-ironic` are covered in [1]. [1] https://specs.openstack.org/openstack/nova-specs/specs/2024.1/approved/ironic-shards.html#migrate-from-peer-list-to-shard-key. Closes-Bug: #2056571 Change-Id: I9b562f6a5722f21b7dbec2a4d53a46a57c829155
-
- Jul 19, 2024
-
-
Michal Arbet authored
The Kolla project supports building images with user-defined prefixes. However, Kolla-ansible is unable to use those images for installation. This patch fixes that issue. Closes-Bug: #2073541 Change-Id: Ia8140b289aa76fcd584e0e72686e3786215c5a99
-
- Jul 18, 2024
-
-
Mark Goddard authored
After OVN DB leader restarts there is a period before a new leader has been elected where the old leader is returned in the cluster status. This can result in a failure to apply the connection settings if a different leader is elected. Wait for a few seconds for the leader election to complete. Change-Id: I20f08c986fa6b4b3ec668dad649e69f23119796b Closes-Bug: #2059124
-
- Jul 17, 2024
-
-
Victor Chembaev authored
Added Restart=on-failure policy to octavia-interface systemd unit. Added octavia_interface_wait_timeout variable to control TimeoutStartSec in octavia-interface systemd unit. Change-Id: I9de6c27131ce78e85aac56ea5d91d9740fd58354 Closes-Bug: 2067036
-
Michal Arbet authored
This patch modifies tasks that are delegated to localhost to use local connection. Firstly, this is correct since SSH connection is not used, and secondly, it fixes the issue when kolla-ansible is packaged in a docker container. If the local connection is not used, the tasks will fail because temporary data are stored outside the container, whereas we need it to be stored inside the container so we can read them and set_facts. Closes-Bug: #2073370 Change-Id: I9547d5da78da30bfeea8e97056cfa9308c977098
-