Partially-Implements: blueprint networking-baremetal

Change-Id: I92b9505843f12692aef96764a314e5db49001a9b

Fixes a typo introduced in I93e53bad9727beb786b00bd7fcd6d78785c619c2.

Change-Id: I9fd6587913cccd5a29b3fc012b4ddeac8859a0ff
Related-Bug: #1782799
TrivialFix

Enables setting rp_filter mode on Neutron L3 agent and Nova compute
hosts whilst maintaining the default that it is disabled.

Closes-Bug: #1782799
Change-Id: I93e53bad9727beb786b00bd7fcd6d78785c619c2

While it is possible to implement countermeasures against some attacks
on TLS, migrating to a later version of TLS (TLS 1.2 is strongly
encouraged) is the only reliable method to protect against
the current protocol vulnerabilities.[1]

[1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Change-Id: I44f67e3a49bb00fea069d29c46b3e86404c7df0b

It is possible to have an accessible swift API that is not managed by
kolla-ansible -- for example, ceph exposes a swift API, and using that
requires setting swift as the glance backend.

So, we should loosen the requirement that using the swift backend for
glance requires swift be enabled in kolla-ansible.

Co-Authored-By: Adam Harwell <flux.adam@gmail.com>

Change-Id: I17076d5412d2b1e1f13bb0badceaca85a5cee108

The word "action" is now an Ansible reserved word, and things have
transitioned to "kolla_action", but looks like this was missed.

Change-Id: Ie07a2a7d8b153a6d39b91129256727157f8dfa34

In this patch, the glance-registry service was disabled:
https://review.openstack.org/#/c/566804/

However, the config task still tries to copy files for it, which will
break due to path errors.

Change-Id: If39bb12bf830e6559342037ae2a2b99a784ee503

The rsync prior to v3.1.0 the uid/gid parameter have no effect at
all if it runs as normal(non-root) user.

Since v3.1.0 these parameter are problematic for normal user
because now rsync, regardless of root or non-root, if the
parameters are given then it just tries to call setgroups() which
is not possible for normal user so errors may occur.

    swift-object-replicator: @ERROR: setgroups failed\u0000
    swift-object-replicator: rsync error: error starting
    client-server protocol (code 5) at main.c(1648)
    [sender=3.1.2]\u0000

Either way, these parameters are not needed for swift-rsync
container.

Change-Id: Ia7fe9f06d7a21a55f52b90c2cc1b2498300e6532
Signed-off-by: Minho Ban <mhban@samsung.com>

Co-Authored-By: caowei <cao.wei@99cloud.net>
Co-Authored-By: yuqian <yu.qian@99cloud.net>

Change-Id: If8143b720203fe75cf586248f1fa1d3fde34c750
blueprint: onos-support

This patchset apply Ironic rolling upgrade logic [1][2]
[1] https://docs.openstack.org/ironic/latest/contributor/rolling-upgrades.html
[2] https://docs.openstack.org/ironic/latest/admin/upgrade-guide.html#rolling-upgrades

Depends-On: https://review.openstack.org/#/c/575594/

Co-author: Ha Manh Dong <donghm@vn.fujitsu.com>
Change-Id: Id68244951dc66d5c3423ef44324bd72058f4ba67
Implements: blueprint apply-service-upgrade-procedure

This service is only required if you want to support cold migration.
In some instances that is not a needed feature, and avoiding having
another key to manage is an advantage.

Co-Authored-By: Adam Harwell <flux.adam@gmail.com>

Change-Id: I0a55a91673d9178933f134832df4bd849ddf5af4

This commit will constrain the dimensions of service `Nova`
and sub-containers deployed along with it.

A user can give the dimension values in `/etc/kolla/globals.yml`
the data-types just like stated in this commit.

Reference-Docs:
https://docs.docker.com/config/containers/resource_constraints/

Added Test-cases for the same.

Partially-Implements: blueprint resource-constraints
Change-Id: I6458d8fb7b26a6e7c3a9fd0d674d9cf129b0bf5d

This is a Logstash component which reads processed logs from Kafka
and writes them to Elasticsearch (or some other backend supported by
Logstash).

Ingesting the logs from this service with Fluentd will be covered under
a different commit.

Change-Id: I2d722991ab2072c54c4715507b19a4c9279f921b
Partially-Implements: blueprint monasca-roles

To get forwarding to work in the kolla implementaion of designate,
I'm adding parameters to the named.conf.j2 template.  I'm adding
the ability to change the default values for dnssec-validation and
recursion and creating a new paramater for forwarders.

Change-Id: Ideef39034d75a0d99e8a3dc2a5f1a7203ccf51d5
Closes-Bug: #1781196

This patch extends the prometheus role for being able
to deploy the prometheus-alertmanager[0] container.

The variable enable_prometheus_alertmanager
decides if the container should be deployed and enabled.

If enabled, the following configuration and actions are performed:

- The alerting section on the prometheus-server configuration
is added pointing the prometheus-alertmanager host group as targets.

- HAProxy is configured to load-balance over the prometheus-alertmanager
host group. (external/internal).

Please note that a default (dummy) configuration is provided, that
allows the service to start, the operator should extend it via a node custom config

[0] https://github.com/openstack/kolla/tree/master/docker/prometheus/prometheus-alertmanager



Change-Id: I3a13342c67744a278cc8d52900a913c3ccc452ae
Closes-Bug: 1774725
Signed-off-by: Jorge Niedbalski <jorge.niedbalski@linaro.org>

There are cases when we can lost original timestamp field given from
logs, like when we send our logs to the next fluentd forwarder in chain
of forwarders, it will rewrite our timestamp by default. Save
`Timestamp` field explicitly to avoid such situation and be able to
reconstruct messages date and time.

Closes-Bug: #1781046
Change-Id: I2b4486aedacbe16dc4c0fb2e4e4984bd80e59f2d

This makes the bootstrap-servers command more idempotent, since without
the append argument set the kolla user will be removed from the docker
group before being added to it again in a later task.

TrivialFix

Change-Id: Iab0f6b5e18a103e9140631ee3ebbbb48c490bc24

In I86bf5e1df3d6568c4f1ca6f4757f08a3dd22754d, creation of the kolla user
was moved to after package installation to ensure the sudo package is
installed when required. This change does not work when python
dependencies are installed in a virtual environment however - when the
virtualenv variable is set.

This change moves the ownership change of the virtualenv to after the
kolla user has been created. It also uses the kolla_user and kolla_group
variables to set the user and group appropriately.

Change-Id: I320e5d611099ad162945a98d5505a79606da0eba
TrivialFix

The Monasca Log Transformer takes raw, unstandardised logs from one
Kafka topic, standardises them with whatever rules the operator wants
to use, and then writes them to a standardised logs topic in Kafka. It
is currently implemented as a Logstash config file.

Since Kolla does a fairly good job of standardising logs, this service
does very little processing. However, when other sources of logs
are used, it may be useful to add rules to the Transformer, particularly
if it's not possible to standardise the logs at source.

Ingesting the logs from this service with Fluentd will be covered under
a different commit.

Change-Id: I31cbb7e9a40a848391f517a56a67e3fd5bc12529
Partially-Implements: blueprint monasca-roles

The authtoken config variable delay_auth_decision must be set to True.
The default is False, but that breaks public access, StaticWeb, FormPost,
TempURL, and authenticated capabilities requests (using Discoverability).

Change-Id: I420a95f5f9fda3321a4acfc5846e40294a8bd588
Closes-Bug: #1768795

Change-Id: I8b8631e1c215580dd7711a0c0b3683b06ddc47d3

User can use custom directory for nova instance.
For example using a shared file system as backend.

Change-Id: I11fe4891719a2e2a34888d8b798df5602e294e4f

Other lists of servers have the postfix _servers. To be consistent
this change uses the same format for Kafka.

Change-Id: Ia595f2ab485904e76fb76211f6715a7c019886ea
Partially-Implements: blueprint monasca-roles

As of the Queens release, Keystone solely implements the Identity
API v3. Support for Identity API v2.0 has been removed since Queens
in favor of the Identity API v3.

Change-Id: If65b26935e8bd1e6655d84259499f4013762e4e3
Closes-Bug: #1778846

Skydive recently splitted the OpenStack configuration:
one for the authentication - on the analyzer - 'auth.keystone'
and an other one for the Neutron probe on the agent
'agent.topology.neutron'.

Change-Id: Idce277d30f01e7a36499b1aee24c54779c54a807

This option's default value has changed since Newton.[1]

[1] https://github.com/openstack/heat/commit/aab01c00ff330d743fc15e97d7ae144eac5015bb

Change-Id: I981a59be716072aab40862b3e23bbb1fbd1d63fc

the zun is need kuryr to be enabled[0], add it into
prechecks is a good idea.

[0]: https://docs.openstack.org/zun/latest/install/compute-install-ubuntu.html#install-and-configure-components

Change-Id: I4f46907c9b47b9108a9aa7bfbd668b833db420af

It is not always convenient to use the the given
admin project and admin user; especially when some clouds
use different user and project for there keystone 'admin'

This allows setting the variables for these users to something
else, and defaults them to there current values of 'admin'.

Change-Id: I22b79a30f01c90a92ecc0974886edf3791518f2f

By default, kolla configure docker to use an insecure connection
with the private registry. If we want to use SSL verification we need
to add an option.

Change-Id: Id1805c9cfeb499da9bb56c70028f14c6f8bb20b6

In this way, keyring caps is updatable.

Change-Id: Idf7f222645b5073e2c72d59eecf3d47b3f1dc6ba

Change-Id: I1b0e1df0e91b7a4abc408ee4b0852e1278e441ef

the zun-wsproxy image is exists in kolla[0], but kolla-ansible
missing, this ps to add it.

[0]: https://github.com/openstack/kolla/tree/master/docker/zun/zun-wsproxy


Co-Authored-By: ZhijunWei <wzj334965317@outlook.com>

Change-Id: I89ef3463dfa5df8cf2d963ff0f0c7ddc382fc79b
Closes-Bug: #1765728

1. Add the role enabled check for some projects
2. adjust the file created positon for keystone to keep
consistence with others

Change-Id: Id2b893ba546b3adf41d97927f8d20dca403a0457

As reported in the bug, these can grow to 10s to 100s of GB
in a month. To reduce the chance of filling the disk and
bringing down the control plane this change defines
an expiry time.

Closes-Bug: 1720113
Change-Id: I508aad1f515d5108a3d08c90318b70d0a918908c

This reverts commit f8fd0601.

Based on the code, overall uses service_credentials, but looks like a
few parts is using keystonemiddleware.auth_*

Closes-Bug: #1775956

Change-Id: I766a5624737cae892fe77fa8151b20e0972ed5b2

Both the driver and the enabled_drivers options are being removed
this week. Stop setting them to avoid breakages.

Change-Id: I0e0bf851424b8f5839b159ef83f1cc65c30e2fb3

Kolla-ansible supports the deployment with specified tags,
"--tags, -t <tags> Only run plays and tasks tagged with
these values".
However, when specifying a tag, if the tag of the task
is not "always" or different from the specified tag,
it will not be run.
This task "Gather facts for all hosts (if using --limit)"
is not executed when the --limit parameter is added and
deployment with specified tag.

Closes-bug: #1711266

Change-Id: If50db2718b765f1d65b5d79eb042b0d95775bafc

Provide support for kolla dev mode in blazar. When
'kolla_dev_mode' or 'blazar_dev_mode' variables are
enabled, source code of blazar project will be  cloned
and mounted automatically

Partially implements: blueprint mount-sources

Change-Id: I50c5eb97be1123b76b1d42fbb25a0ecbaa2c1a44

Deploy multipathd with cinder-volume when multipathd is enabled

Change-Id: Ibc6cab29498508769d6c42a870cf34f587ec7cc7
Closes-Bug:1757379

sudo package is required when we use ubuntu base on centos to deploy.

The following tasks belong to the environment check after
installation of environment-related software packages.
So, move to the post-install module.

    Create kolla user
    Add public key to kolla user authorized keys
    Grant kolla user passwordless sudo
    Ensure node_config_directory directory exists for user kolla
    Ensure node_config_directory directory exists

Change-Id: I86bf5e1df3d6568c4f1ca6f4757f08a3dd22754d
Closes-Bug: #1777571