- Nov 05, 2019
-
-
Christian Berendt authored
All other roles also use defaults/main.yml. Change-Id: Ic03aba436a4f3c775ff8e815c93e1d52250d5411
-
Mark Goddard authored
Related: blueprint add-ssl-internal-network
Co-Authored-By: generalfuzz <generalfuzz@gmail.com>
Change-Id: Ib79796d49c415d8314ea5661a16bd2dac8ba7188
-
Mark Goddard authored
In source images, keystone-manage is installed to a virtualenv in /var/lib/kolla/venv. This is not in the PATH for cron jobs, which always use PATH=/usr/bin:/bin. This results in the following error:

    /usr/bin/fernet-rotate.sh: line 3: keystone-manage: command not found

However this error is not typically visible, since cron logs to syslog and we do not configure fluentd to collect these logs.

This change configures the PATH in the fernet-rotate.sh script for source images.

Change-Id: Ib49ea586d36ae32d01b9610a48b13798db4a4cd5
Closes-Bug: #1850711
-
lklimin authored
Change-Id: I49b24545501085d5a44f4de73f0c6dd21e06e2a0 Closes-Bug: #1835501
-
- Nov 04, 2019
-
-
Martin Chlumsky authored
When supported_policy_files gets set under python 3.7 [1], the regex '(.*)' matches twice, once for the policy file name and once more for the empty string that follows the policy file name. This is new behavior under python 3.7. [2] This leads to the replacement string being written out twice resulting in something like this: "nova_policy.yamlnova_".

This patch changes the regex to '(.+)' ensuring there is no match success against the empty string.

[1]:
    - set_fact:
        supported_policy_files: "{{ supported_policy_format_list | map('regex_replace', '(.*)', '{{ project_name }}_\\1') | list }}"

[2]: https://docs.python.org/3/library/re.html#re.sub

Change-Id: Ie5278832e293364c66d53ddb07dff9c5409f0cc6
Closes-Bug: 1851249
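
The double match described in the commit message above, reproduced as an added example (not code from the commit or from kolla-ansible). The helper names and sample file names are assumptions, and it needs Python 3.7 or later:

```python
import re

# Constructed sample input: file names in the style of the commit's example.
POLICY_FORMATS = ["policy.yaml", "policy.json"]


def prefix_names(names, pattern, project="nova"):
    """Apply re.sub the way the set_fact in [1] does: prepend '<project>_'."""
    return [re.sub(pattern, project + r"_\1", name) for name in names]


def match_spans(pattern, text):
    """Return the (start, end) span of every match the pattern produces."""
    return [m.span() for m in re.finditer(pattern, text)]


def matches_empty_after_text(pattern, probe="x"):
    """True if the pattern yields a trailing empty match after consuming text.

    Such a pattern makes re.sub write the replacement a second time on
    Python 3.7+, which is the failure the commit fixes.
    """
    spans = match_spans(pattern, probe)
    return len(spans) > 1 and spans[-1][0] == spans[-1][1]


if __name__ == "__main__":
    for pattern in (r"(.*)", r"(.+)", r"^(.*)$"):
        print(pattern,
              match_spans(pattern, "policy.yaml"),
              prefix_names(POLICY_FORMATS, pattern),
              "empty trailing match" if matches_empty_after_text(pattern) else "ok")
```

The anchored form '^(.*)$' is shown only for comparison; the commit itself uses '(.+)'.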
-
lklimin authored
Change-Id: I12fa6ae8dcec79485c30c4fea2977875aa8f4fae Closes-Bug: #1850792
-
- Nov 01, 2019
-
-
Mark Goddard authored
Currently, Xtrabackup is used for database backups. However, Xtrabackup is not compatible with MariaDB 10.3.

This change switches to use mariabackup [1], which is available in the mariadb image.

The documented full and incremental restore procedures have been modified to use mariabackup, following [2] and [3].

[1] https://mariadb.com/kb/en/library/mariabackup-overview/
[2] https://mariadb.com/kb/en/library/full-backup-and-restore-with-mariabackup/
[3] https://mariadb.com/kb/en/library/incremental-backup-and-restore-with-mariabackup/

Change-Id: Id52b9b1f7b013277e401b1f6b8aed34473d2b2c4
Closes-Bug: #1843043
Depends-On: https://review.opendev.org/691290
-
Mark Goddard authored
We use the wsrep_notify.sh script to notify changes in Galera cluster membership to haproxy. When xtrabackup was used for the state transfer, nodes in the Donor state would be included in the backend pool. However, since the switch to mariabackup in the Stein cycle, we now remove nodes in the Donor state from the backend pool.

This change ensures that nodes in the Donor state are included in the backend pool when the SST method is either xtrabackup or mariabackup.

https://galeracluster.com/library/documentation/mysql-wsrep-options.html#wsrep-notify-cmd

Change-Id: Ide4301779a0d221ae5d4dbdd4873fb8a40eb7297
Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Closes-Bug: #1850945
-
yuchengde authored
If "reclaim_instance_interval" has been set in nova conf, an attached volume may not be deleted when the instance is deleted. Adding cinder auth in nova conf can solve the problem.

Change-Id: I9eb3a74c2f6976043cc35a94915f1fcecb9ef601
Closes-Bug: 1850279
-
Mark Goddard authored
The version_compare filter was renamed to version and changed to be a test in 2.5. The old filter was removed in 2.9. TrivialFix Change-Id: Ib5d91b5fc53d0f6d16dd6eb38121cd9914e33d93
-
- Oct 31, 2019
-
-
Mark Goddard authored
If ironic inspector starts up before ironic-api is accessible, we see the following error:

    AttributeError: StrictVersion instance has no attribute 'version'

This actually prevents startup of ironic inspector. Example: http://paste.openstack.org/show/756342/

The underlying issue is in python-ironicclient: https://storyboard.openstack.org/#!/story/2006393.

The workaround employed here is to wait for ironic-api to become available before starting ironic-inspector.

Change-Id: I674982eba5082fdc951cdcb8247d706278c64c1a
Closes-Bug: #1839866
-
- Oct 25, 2019
-
-
Mark Goddard authored
The MariaDB handlers require master_host to be set. TrivialFix Change-Id: I162efbd9e615b86dcdc6e8a4af081cda2f8b0b2b
-
Mark Goddard authored
Due to a Docker bug [1] we cannot use Docker to send SIGHUP to the container because it will mark it as stopped. This patch sends the signal directly to the process, bypassing Docker.

'changed_when: false' is also removed from the relevant task as it definitely changes the state. In the future we could do the refresh only if there really is a need for another one.

[1] https://github.com/moby/moby/issues/11065

Change-Id: Ief73bbd24568d6941384ea3330ab45f11aa42d37
Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Closes-Bug: #1845244
-
Jan Vondra authored
Adds rabbitmq_server_additional_erl_args variable which is appended to RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS environment variable to RabbitMQ server startup script. This can be used to configure the schedulers. Docs attached.

Change-Id: Id683c8cc6dac61354ffd94f3b460335b42136ba2
Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Related-bug: #1846467
-
- Oct 24, 2019
-
-
Alexis Deberg authored
Change-Id: Ie594f6cdbe332d64d3461d84da730111d0db5cf1 Related-Bug: #1844752
-
Mark Goddard authored
If docker_storage_driver is set in globals.yml, then kolla-ansible bootstrap-servers is run, it fails like so:

    The conditional check 'docker_storage_driver' failed. The error was: error while evaluating conditional (docker_storage_driver): 'devicemapper' is undefined

Ansible does not like evaluating strings as conditionals. This change switches to using the length filter.

Change-Id: Ib95cbdac2a659e7a0d5f113fe48046de3a39dcda
Closes-Bug: #1849691
-
Michal Nasiadka authored
Change-Id: I51144d92f34ed51c499a4119c059e6475d02eb46
-
Mark Goddard authored
Both swift.conf and proxy-server.conf are affected by /etc/kolla/config/swift/proxy-server.conf. However, some options in proxy-server.conf are not valid in swift.conf.

This change keeps this path for proxy-server.conf, but modifies the path for swift.conf to /etc/kolla/config/swift/proxy-server/swift.conf. The same applies for other services, object-*, account-*, container-*.

Change-Id: I600891a15244ce705861f6ec93eec1d5ba83c1b8
Closes-Bug: #1849265
-
- Oct 23, 2019
-
-
Radosław Piliszek authored
Fixes /dev volume, missed in the previous commit [1]. iscsid was installing the devices in /dev but zun-compute could not see them due to the emulated /dev volume. [1] I2c4aa666ff9f952e32c450347d31ddbf2e58209e Change-Id: Ic72c910b92765b9a6f59224728e9c4ea2482bc5a Related-bug: #1797448 Related-bug: #1848933
-
- Oct 21, 2019
-
-
Alexis Deberg authored
If swift_has_replication_network is false some containers do not exist on the target node. This commit adds steps to compute the final list of containers to act on. Change-Id: I12f8de53724c3f24832df83597f36f9614af8e75 Closes-Bug: #1849189
-
Mark Goddard authored
Currently the database is only synced during deployment. This change performs the sync during upgrade as well. Change-Id: Ia45fc733a1ab69de9d4762f5d9c8767041eeaed3 Closes-Bug: #1832020
-
Jan Horstmann authored
Cephx keys are not picked up by "local_action: shell cat [...]" when using ansible-vault encrypted keyrings. This commit changes the logic to use the file lookup plugin and extracts the key using jinja2 regex filters. The raw keys are then set as ansible facts. Closes-Bug: 1849127 Change-Id: Iacb1e42307c4de6a7a379e8cf279e073995fd5d3
-
Will Szumski authored
See https://bugs.launchpad.net/oslo.rootwrap/+bug/1760471, in particular comment #1 for an explanation of why inheriting the defaults of the docker daemon can cause poor performance:

    The performance difference likely comes from close_fds=True of subprocess.Popen. On Python 2, Popen calls close(fd) on all file descriptors from 3 to SC_OPEN_MAX. On my Fedora 27 "host", SC_OPEN_MAX is 1,024. But in docker, SC_OPEN_MAX is... 1,048,576: 1,000x larger.

    On Python 3, Popen is smarter. On Linux, it lists the content of /proc/self/fd/ to only close open file descriptors. It doesn't depend on SC_OPEN_MAX value.

Change-Id: Iefef6039644192420abbd3bf614329cbc0d9a62a
Closes-Bug: #1848737
Related-Bug: #1760471
Related-Bug: #1757556
Related-Bug: #1824020
-
Eduardo Gonzalez authored
Tacker requires config for storing CSAR vnf packages. This patch adds it as well as relevant docs.

Only one Tacker Conductor is deployed by default due to lack of a shared filesystem.

Change-Id: Iad391f35105e79fa9319502256528990915df9b7
Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Closes-Bug: #1845142
-
- Oct 20, 2019
-
-
Radosław Piliszek authored
This also enables Placement when Zun is enabled like Kolla Ansible already does with Nova. Change-Id: Id2a09f702e8503b49d2b9e73e06b2ce9f4d168a9 Closes-bug: #1840573
-
Radosław Piliszek authored
Adds "| bool". Backportable to Stein. Change-Id: Ifa2aa387be46beb6da1d3c5a5e0da1b561af8cee Closes-bug: #1848937
-
Radosław Piliszek authored
This makes iSCSI with Zun and Cinder work out-of-the-box. (LVM included) Change-Id: I2c4aa666ff9f952e32c450347d31ddbf2e58209e Related-bug: #1797448 Closes-bug: #1848933
-
- Oct 18, 2019
-
-
Doug Szumski authored
This moves the Nova Cells filters alongside the service filters for ease of testing. Partially Implements: blueprint support-nova-cells Change-Id: I32d35c065812c6b46c64bacdf283a0bdad0f8a0f
-
Michal Nasiadka authored
Depends-On: https://review.opendev.org/688636/ Change-Id: I9918ff6a91acde2a7d184e44b8a1014462596e39
-
Radosław Piliszek authored
Affects config with Blazar and fake Nova only. The default does not include it.

Upstream docs:

    RetryFilter - Deprecated since version 20.0.0 (Train)

    Since the 17.0.0 (Queens) release, the scheduler has provided alternate hosts for rescheduling so the scheduler does not need to be called during a reschedule which makes the RetryFilter useless.

Change-Id: I26bf45997005124e9166b5bf1d44cb276624430b
-
- Oct 17, 2019
-
-
Radosław Piliszek authored
IPv6 need not have been disabled in Tempest before either. Change-Id: I77f691b6b028d1a7f57537442a79557ede5f861e
-
Jan Vondra authored
neutron_legacy_iptables option sets the KOLLA_LEGACY_IPTABLES environment variable in the neutron-l3-agent, neutron-linuxbridge-agent and neutron_openvswitch_agent container where it should be consumed by kolla_extended_start script resulting in setting iptables-legacy.

Depends-On: https://review.opendev.org/#/c/683679/
Change-Id: Iaa8b46a2227b61a729b8d54bbe4b20f389f251d1
-
Radosław Piliszek authored
OpenSSL certificate should default to FQDN if possible. Using IP addresses is not recommended, complicates dual stack and limits addressing flexibility. IPv6 control plane implementation [1] follow-up. [1] Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Change-Id: Ibfc02f933ddcc170e9d616d401e294ba0ff5e981
-
Radosław Piliszek authored
IPv6 control plane implementation [1] follow-up. [1] Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Change-Id: I4c2bd81e77fc09a04838a62f008e5d6c5dc1483d
-
- Oct 16, 2019
-
-
Doug Szumski authored
This patch adds initial support for deploying multiple Nova cells.

Splitting a nova-cell role out from the Nova role allows a more granular approach to deploying and configuring Nova services.

A new enable_cells flag has been added that enables the support of multiple cells via the introduction of a super conductor in addition to cell-specific conductors. When this flag is not set (the default), nova is configured in the same manner as before - with a single conductor.

The nova role now deploys the global services:

* nova-api
* nova-scheduler
* nova-super-conductor (if enable_cells is true)

The nova-cell role handles services specific to a cell:

* nova-compute
* nova-compute-ironic
* nova-conductor
* nova-libvirt
* nova-novncproxy
* nova-serialproxy
* nova-spicehtml5proxy
* nova-ssh

This patch does not support using a single cell controller for managing more than one cell. Support for sharing a cell controller will be added in a future patch.

This patch should be backwards compatible and is tested by existing CI jobs. A new CI job has been added that tests a multi-cell environment.

ceph-mon has been removed from the play hosts list as it is not necessary - delegate_to does not require the host to be in the play.

Documentation will be added in a separate patch.

Partially Implements: blueprint support-nova-cells
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Change-Id: I810aad7d49db3f5a7fd9a2f0f746fd912fe03917
-
Viktor Michalek authored
Change-Id: I4050c243f05571bbebab07b08c101e61879cda67 Closes-Bug: 1848363
-
Dincer Celik authored
The missing boolean breaks Neutron FWaaS deployment. Change-Id: I169246a6ce8b15af76fd84b32029437016bd3c42 Closes-Bug: #1847562
-
Radosław Piliszek authored
Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname (haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion (baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround (socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting as it is not used (let's avoid any confusion) and could break setups without proper multicast routing if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4. This is due to old RabbitMQ versions available in images. IPv4 is preferred by default and may fail in the IPv6-only scenario. This should be no problem in real life as IPv6-only is indeed IPv6-only. Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will no longer be relevant as we supply all the necessary config. See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed to work well). Older Ansible versions are known to miss IPv6 addresses in interface facts. This may affect redeploys, reconfigures and upgrades which run after VIP address is assigned. See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments. See: https://storyboard.openstack.org/#!/story/2006689

Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
-
- Oct 15, 2019
-
-
Dincer Celik authored
Deployment fails because the variable "glance_registry_port" in "ansible/roles/glance/templates/glance-cache.conf.j2" hasn't been configured anywhere.

Also, "registry_host" and "registry_port" were deprecated since Queens[1], so they should be removed.

[1] https://specs.openstack.org/openstack/glance-specs/specs/queens/approved/glance/deprecate-registry.html

Closes-Bug: #1848146
Change-Id: I3dd5f5d2ba73d491366791986fdbdf16b75538ef
-
- Oct 14, 2019
-
-
Gaëtan Trellu authored
This is to avoid split-brain.

This change also adds relevant docs that sort out the HA/quorum questions.

Change-Id: I9a8c2ec4dbbd0318beb488548b2cde8f4e487dc1
Closes-Bug: #1837761
Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
-