Skip to content
Snippets Groups Projects
Select Git revision
  • deployment default
1 result
Search by author
  • Any Author
  • KANAPA SYLVERE p1919734 KANAPA SYLVERE p1919734 p1919734
1 author
  1. Mar 23, 2022
  3. Mar 19, 2022
  5. Mar 18, 2022
  7. Mar 17, 2022
    • jinyuanliu's avatar
      ADD venus for kolla-ansible · 3ccb176f
      jinyuanliu authored 
      This project [1] can provide a one-stop solution to log collection,
cleaning, indexing, analysis, alarm, visualization, report generation
and other needs, which involves helping operator or maintainer to
quickly solve retrieve problems, grasp the operational health of the
platform, and improve the level of platform management.

[1] https://wiki.openstack.org/wiki/Venus

Change-Id: If3562bbed6181002b76831bab54f863041c5a885
      3ccb176f
  9. Mar 16, 2022
  11. Mar 12, 2022
  13. Mar 11, 2022
  15. Mar 10, 2022
    • Mark Goddard's avatar
      libvirt: support SASL authentication · d2d4b53d
      Mark Goddard authored 
      In Kolla Ansible OpenStack deployments, by default, libvirt is
configured to allow read-write access via an unauthenticated,
unencrypted TCP connection, using the internal API network.  This is to
facilitate migration between hosts.

By default, Kolla Ansible does not use encryption for services on the
internal network (and did not support it until Ussuri). However, most
other services on the internal network are at least authenticated
(usually via passwords), ensuring that they cannot be used by anyone
with access to the network, unless they have credentials.

The main issue here is the lack of authentication. Any client with
access to the internal network is able to connect to the libvirt TCP
port and make arbitrary changes to the hypervisor. This could include
starting a VM, modifying an existing VM, etc. Given the flexibility of
the domain options, it could be seen as equivalent to having root access
to the hypervisor.

Kolla Ansible supports libvirt TLS [1] since the Train release, using
client and server certificates for mutual authentication and encryption.
However, this feature is not enabled by default, and requires
certificates to be generated for each compute host.

This change adds support for libvirt SASL authentication, and enables it
by default. This provides base level of security. Deployments requiring
further security should use libvirt TLS.

[1] https://docs.openstack.org/kolla-ansible/latest/reference/compute/libvirt-guide.html#libvirt-tls

Depends-On: https://review.opendev.org/c/openstack/kolla/+/833021
Closes-Bug: #1964013
Change-Id: Ia91ceeb609e4cdb144433122b443028c0278b71e
      d2d4b53d
    • Adrian Andreias's avatar
      docs: state supported Python version · 78b18ffc
      Adrian Andreias authored 
      Closes-Bug: #1880290
Change-Id: If9e66c505ab1672ae6b7639872a626ad5a9408ab
      78b18ffc
    • Zuul's avatar
      Merge "Fix prechecks for "Ironic iPXE" container" · f26b9cd8
      Zuul authored
      f26b9cd8
  17. Mar 09, 2022
  19. Mar 08, 2022
  21. Mar 07, 2022
    • Zuul's avatar
      Merge "[CI] Remove an old override" · 19b169e1
      Zuul authored
      19b169e1
    • Mark Goddard's avatar
      Explicitly unset net.ipv4.ip_forward sysctl · caf33be5
      Mark Goddard authored 
      While I8bb398e299aa68147004723a18d3a1ec459011e5 stopped setting
the net.ipv4.ip_forward sysctl, this change explicitly removes the
option from the Kolla sysctl config file. In the absence of another
source for this sysctl, it should revert to the default of 0 after the
next reboot.

A deployer looking to more aggressively change the value may set
neutron_l3_agent_host_ipv4_ip_forward to 0. Any deployments still
relying on the previous value may set
neutron_l3_agent_host_ipv4_ip_forward to 1.

Related-Bug: #1945453

Change-Id: I9b39307ad8d6c51e215fe3d3bc56aab998d218ec
      caf33be5
    • Radosław Piliszek's avatar
      [CI] Remove an old override · e818d312
      Radosław Piliszek authored 
      Since [1] we are not running keepalived directly on CI network,
and are therefore safeguarded against such collisions.

[1] 8e406291

Change-Id: Ie25b2d6d48f10c6b295795b3c82c1f8a213f2a8c
      e818d312
    • Radosław Piliszek's avatar
      [CI] Ironic: use ipmitool retries · a6145d67
      Radosław Piliszek authored 
      In Ironic jobs with Tenks, we saw issues with IPMI commands
failing, resuling in job failures:

  Error setting Chassis Boot Parameter 5

A metal3.io commit [1] was found that fixes the issue by moving IPMI
retries from ironic to ipmitool, which has a side-effect of increasing
the timeout. This change applies the same configuration.

This change has been adapted from an analogous change in
kayobe-config-dev. [2]

[1] https://github.com/metal3-io/ironic-image/commit/6bc1499d8bb04c2c859b970b3739c3a8ed66ae2a


[2] Ib4fce74cebebe85c31049eafe2eeb6b28dfab041

Co-Authored-By: default avatarMark Goddard <mark@stackhpc.com>
Change-Id: I552417b9da03b8dfc9406e0ff644092579bc7122
      a6145d67
  23. Mar 05, 2022
  25. Mar 04, 2022
  27. Mar 03, 2022
  29. Mar 02, 2022
  31. Feb 28, 2022
  33. Feb 25, 2022
    • Radosław Piliszek's avatar
      Enable Ironic iPXE support by default · baeca81a
      Radosław Piliszek authored 
      Ironic has changed the default PXE to be iPXE (as opposed to plain
PXE) in Yoga. Kolla Ansible supports either one or the other and
we tend to stick to upstream defaults so this change enables
iPXE instead of plain PXE - by default - the users are allowed
to change back and they need to take one other action so it is
good to remind them via upgrade notes either way.

Change-Id: If14ec83670d2212906c6e22c7013c475f3c4748a
      baeca81a
  35. Feb 24, 2022
  37. Feb 23, 2022