This patch introduces an optional backend encryption for the Ironic API
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Ironic service.

Change-Id: I9edf7545c174ca8839ceaef877bb09f49ef2b451
Partially-Implements: blueprint add-ssl-internal-network

This reverts commit 316b0496, because
ironic-inspector is not ready to use WSGI. It would need to be split
into two separate containers, one running ironic-inspector-api-wsgi and
another running ironic-inspector-conductor.

Change-Id: I7e6c59dc8ad4fdee0cc6d96313fe66bc1d001bf7

As per [1] and [2] - it solves a problem, where neutron-ovn-metadata-agent will
spawn high number of workers (defaults to half number of CPUs).

[1]: http://lists.openstack.org/pipermail/openstack-discuss/2020-September/016960.html
[2]: https://bugs.launchpad.net/neutron/+bug/1893656

Change-Id: Id69f9399fe76ff7c4e2e17b5ab5ec7df1a01c5c9

The Prometheus OpenStack exporter was needlessly configured to use the
prometheus Docker volume and change permissions of /data, which does
not exist in the container image.

This must have been copy-pasted from existing Prometheus code.

Change-Id: I96017c17e68ca7a00a2d5ac41f2f43ef87694514

This patch introduces an optional backend encryption for the Ironic API
and Ironic Inspector service. When used in conjunction with enabling
TLS for service API endpoints, network communcation will be encrypted
end to end, from client through HAProxy to the Ironic service.

Change-Id: I3e82c8ec112e53f907e89fea0c8c849072dcf957
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/#/c/742776/

Including tasks has a performance penalty when compared with importing
tasks. If the include has a condition associated with it, then the
overhead of the include may be lower than the overhead of skipping all
imported tasks. In the case of the register.yml and bootstrap.yml
includes, all of the tasks in the included file use run_once: True.
The run_once flag improves performance at scale drastically, so
importing these tasks unconditionally will have a lower overhead than a
conditional include task.  It therefore makes sense to switch to use
import_tasks there.

See [1] for benchmarks of run_once.

[1] https://github.com/stackhpc/ansible-scaling/blob/master/doc/run-once.md

Change-Id: Ic67631ca3ea3fb2081a6f8978e85b1522522d40d
Partially-Implements: blueprint performance-improvements

Including tasks has a performance penalty when compared with importing
tasks. The nova-cell role uses include_tasks twice when generating
certificates and keys for libvirt TLS. While a dynamic include makes
sense here for a non-default feature, we can use one include rather than
two with the same effect. Since this task runs against compute nodes the
overhead is significant.

See [1] for benchmarks of include_tasks and import_tasks.

[1] https://github.com/stackhpc/ansible-scaling/blob/master/doc/include-and-import.md

Partially-Implements: blueprint performance-improvements

Change-Id: Ic687d2f7d4625aede386e576ebb174da72142756

Including tasks has a performance penalty when compared with importing
tasks. If the include has a condition associated with it, then the
overhead of the include may be lower than the overhead of skipping all
imported tasks. For unconditionally included tasks, switching to
import_tasks provides a clear benefit.

Benchmarking of include vs. import is available at [1].

This change switches from include_tasks to import_tasks where there is
no condition applied to the include.

[1] https://github.com/stackhpc/ansible-scaling/blob/master/doc/include-and-import.md#task-include-and-import

Partially-Implements: blueprint performance-improvements

Change-Id: Ia45af4a198e422773d9f009c7f7b2e32ce9e3b97

Change-Id: I1318a5ea7f746012cc3055d4c03fd0508df921ff

We no longer support any OS distros that use /etc/modules.

Change-Id: Ic41cad64ed0479a0cef7321aeed191fe06a30e8f

when use multiple regions, those tasks always get a wrong endpoint.

Change-Id: Ie164687b2ffd80cedf8a00e7f705b73fccd416e2

Enabling both l2_population and arp_responder for LinuxBridge can cause
problems in some configurations [0].  This commit removes the explicit
'true', reverting it to the default which is 'False'.

Closes-Bug: #1892776

[0] https://bugs.launchpad.net/neutron/+bug/1661717



Change-Id: Ia9445a651fd7a082835a858964bcb9e8e325338d
Signed-off-by: Nick Jones <nick@dischord.org>

As per post-merge comments in [0] - following up.

[0]: https://review.opendev.org/#/c/698710

Change-Id: I92b3de7fb792f1fffe298ffaf6bbafab8e640742

Change-Id: I6910bcdb122e42337d7938405f792fa0fe32e49b
Closes-Bug: #1892686

It was found to be useless in [1].

It is one of distro_python_version usages.

Note Freezer and Horizon still use python_path (and hence
distro_python_version) for different purposes.

[1] https://review.opendev.org/675822

Change-Id: I6d6d9fdf4c28cb2b686d548955108c994b685bb1
Partially-Implements: blueprint drop-distro-python-version

precheck.yml and check.yml not used by destroy role.

Change-Id: Ic3c0b52dba15308a605c30abdd6d63d4dea5f25b

openstackclient doesn't supoort os-temant-name parameter
use os-project-name instead of os-tenant-name

https://docs.openstack.org/python-openstackclient/ussuri/cli/man/openstack.html

Change-Id: Ibf17424c49118b4c3b7e621e04b43c8cdcf308a4

this ps[0] uses new condition for timezone mounting
but we missed prechecks condition.

[0] https://review.opendev.org/#/c/745505/

Change-Id: I79323a392e171bebe36d06c19d34e458e05e194b
Closes-Bug: #1882553

refer to https://github.com/openstack/kolla-ansible/blob/master/ansible/inventory/multinode#L728

Change-Id: Ib6cd78cb2058a35f15b5affb98e0f63805b0edf3

Neutron's containers should use ENV from kolla_docker module's
environment parameter (defined in roles/neutron/defaults/main.yml)
after reconfigure, not only when deploying.

Currently this is working only for deploy, not for reconfigure.

How to test it ?
- Deploy neutron with "neutron_legacy_iptables" set to yes/no.
- Change value of "neutron_legacy_iptables" to opposite value as before.
- Reconfigure neutron.

Current result :
 - "KOLLA_LEGACY_IPTABLES" in container's ENV is not changed

Expected result :
 - "KOLLA_LEGACY_IPTABLES:" in container's ENV should be changed

This patch is fixing this behaviour by adding missing
environment parameter to neutron's "Check neutron containers" task.

Change-Id: Ibfbe2d4f49261fa766acbb6ff45da9994118bda8
Closes-Bug: #1853776

Change-Id: I3a31c74608b48919c1563bac88313a8c4219dedc
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>

remove cluster_interface from project.
update storage_interface docs.and remove
storage_interface_address variable

Change-Id: I3f811db988234f94b5ed0cc9d24233f70784f58d

There is an issue where keystonemiddleware connections to memcached from
neutron-server grow beyond configured values [1], eventually reaching
the maximum number of connections accepted by memcached servers. Other
services do not appear to be affected by this issue.

A workaround is to use the advanced memcached pool. Despite its
documentation claiming to only work with Python 2, it appears to work
fine on Python 3.

[1] https://bugs.launchpad.net/keystonemiddleware/+bug/1883659

Change-Id: Ifbbc2022839cbc575848d830600241c61603c80b
Closes-Bug: #1892210

Fixes an issue during deleting evacuated instances with encrypted block
devices.

Change-Id: I9b9b689ef7e1e41b597e2c5f6b96f3ed011193c5
Closes-Bug: 1891462
Related-Bug: 1850279

* Multipath daemon allows to reach block devices
via multiple paths for better resiliency and performance.
Multipathd periodically checks the failed iscsi paths
and maintains a list of valid paths. Libvirt can use more
than one iSCSI path when option volume_use_multipath is set
and when multipathd enabled.

Change-Id: I54629656803c4989f7673e8c69d2a820609b5960
Implements: blueprint nova-libvirt-multipath-iscsi

Previously the post-deploy.yml playbook was executed with become: true,
and the admin-openrc.sh file templated without an owner or mode
specified. This resulted in admin-openrc.sh being owned by root with 644
permissions.

This change creates the file without become: true, and explicitly sets
the owner to the user executing Ansible, and the mode to 600.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Closes-Bug: #1891704

Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa

The goal for this push request is to normalize the construction and use
 of internal, external, and admin URLs. While extending Kolla-ansible
 to enable a more flexible method to manage external URLs, we noticed
 that the same URL was constructed multiple times in different parts
 of the code. This can make it difficult for people that want to work
 with these URLs and create inconsistencies in a large code base with
 time. Therefore, we are proposing here the use of
 "single Kolla-ansible variable" per endpoint URL, which facilitates
 for people that are interested in overriding/extending these URLs.

As an example, we extended Kolla-ansible to facilitate the "override"
of public (external) URLs with the following standard
"<component/serviceName>.<companyBaseUrl>".
Therefore, the "NAT/redirect" in the SSL termination system (HAproxy,
HTTPD or some other) is done via the service name, and not by the port.
This allows operators to easily and automatically create more friendly
 URL names. To develop this feature, we first applied this patch that
 we are sending now to the community. We did that to reduce the surface
  of changes in Kolla-ansible.

Another example is the integration of Kolla-ansible and Consul, which
we also implemented internally, and also requires URLs changes.
Therefore, this PR is essential to reduce code duplicity, and to
facility users/developers to work/customize the services URLs.

Change-Id: I73d483e01476e779a5155b2e18dd5ea25f514e93
Signed-off-by: Rafael Weingärtner <rafael@apache.org>

We missed to ensure new neutron switch use the new condition for
timezone file mounting.

Change-Id: I838e526b930d5276d3ce24f5188262af7eb33280
Closes-Bug: #1882553

Change-Id: If90c2dfd32c8bc50671f6dd38e5a82b434c07151
Depends-On: https://review.opendev.org/#/c/720338

The "kolla_internal_address" variable is not documented or defined
anywhere.  When "kolla_internal_vip_address" is undefined, the error
message is about "kolla_internal_address", which will confuse operators.

This change deprecates "kolla_internal_address", and adds a default
value for "kolla_internal_vip_address" when "kolla_internal_address" is
undefined.

Change-Id: I09694b38420ea67896bb8cf4ffd7ce6f131af10e
Closes-Bug: #1864206

This patch introduces an optional backend encryption for the Nova API
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Nova service.

Change-Id: I48e1540b973016079d5686b328e82239dcffacfd
Partially-Implements: blueprint add-ssl-internal-network

Change-Id: I173669bdf92b1f2ea98907ba16808ca3c914944c

Steps to reproduce:

* Deploy a cloud
* Add another controller to the inventory
* Deploy to the new controller using --limit:

kolla-ansible deploy --limit new-controller

Expected results:

The new controller uses the cluster's existing fernet keys.

Actual results:

New fernet keys are generated on the new controller, and pushed out to
the existing controllers. This invalidates tokens created from those
keys.

This change prevents the above scenario from happening, by failing the
deployment if there are no hosts with existing Ferney keys to
distribute, and not all Keystone hosts are in the target host list.

Closes-Bug: #1891364

Change-Id: If0c0e038b77fc010a3a017f9841a674d53b16457

This patch introduces a global keep alive timeout value for services
that leverage httpd + wsgi to handle http/https requests. The default
value is one minute.

Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network

Backport to Ussuri unmodified. Backport to Train and Stein without
DEFAULT_BOOT_SOURCE.

Closes-Bug: #1891024

Change-Id: If8fe490c3f698ab3eb37735fbfcb8ab0d5fa8a06

This fix was premature as it completely ignores
the previously-respected umask.

Let's discuss a proper fix and revert this one
since CI is fixed elsewhere [1].

[1] https://review.opendev.org/743502

This reverts commit 87efdce2.

Change-Id: If38adbf124e793574a21ae986f9ee146d587f820

Ansible changed the default mode for files, even in stable
releases. [1]

This change restores the previous default (with the common
umask).

[1] https://github.com/ansible/ansible/pull/70221

Change-Id: I0f81214b4f95fe8a378844745ebc77f3c43027ab
Closes-Bug: #1891145

There is a time once every 2 years when ubuntu team releases new LTS
release. And then UCA joins with binary packages for current OpenStack
development cycle.

It is this time for Ubuntu 20.04 'focal'.

Includes CI fix to pass:

[CI] Temporarily block new Ansible

The proper fix [1] needs fixing older branches before newer.
This one allows to fix CI first, in the usual order.

To revert after [1] gets merged in all relevant branches.

[1] https://review.opendev.org/745648

Old-Change-Id: Ifbd37d8addd4322773118e2e9d46494741a8ae66
Related-Bug: #1891145

Depends-on: https://review.opendev.org/#/c/738994/


Change-Id: Ib8b70ee40ec2d19509cc84c0f530612f81907721
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>

Previously we mounted /etc/timezone if the kolla_base_distro is debian
or ubuntu. This would fail prechecks if debian or ubuntu images were
deployed on CentOS. While this is not a supported combination, for
correctness we should fix the condition to reference the host OS rather
than the container OS, since that is where the /etc/timezone file is
located.

Change-Id: Ifc252ae793e6974356fcdca810b373f362d24ba5
Closes-Bug: #1882553

Add trove-guestagent.conf templates for trove-guestagent service.
Default the Guest Agent config file to be injected during instance creation.

Change-Id: Id0750b84fef8e19658b27f8ae16a857e1394216e