Change-Id: I51054561af93f03e09fa86eeec7c579aca103cdf

1. Use the children group for site.yml
2. Add some missing groups

Change-Id: I01d686368b11a105a8965cf987d23772ecbf97de

Change I810aad7d49db3f5a7fd9a2f0f746fd912fe03917 for supporting multiple
Nova cells updated the list of containers that require a policy file to
only include nova-api, nova-compute, and nova-compute-ironic.

The nova-conductor config.json template was left unchanged and fails to
copy the nova policy file into its container. This can be seen on a
fresh deployment, but might be missed on an upgrade if an older policy
file is still available in /etc/kolla/nova-conductor.

This commit removes the nova_policy_file block from the nova-conductor
config.json template, as it shouldn't be required.

Backport: ussuri, train
Change-Id: I17256b182d207aeba3f92c65a6d7cf3611180558
Closes-Bug: #1886170

barbican alway use default notification driver (defalt '')
so we should change this value according to whether enable
notification

Change-Id: Ia17a64fe9bf31042369dec19f1f76b1ab8592288

Time format in Ruby Time.strptime is not accepting padding flags,
therefore we need to remove them for the Fluentd to be able
to parse MariaDB xinetd logs properly.

Change-Id: Iabfa9afdcad505106a5580eb2d058273ee5f7c1f
Closes-Bug: #1886002

In Fluentd v0.12, both the in memory and file buffer chunk size default
to 8MB. In v1.0 the file buffer defaults to 256MB. This can exceed the
Monasca Log or Unified API maximum chunk size which is set to 10MB.
This can result in logs being rejected and filling the local buffer
on disk.

Change-Id: I9c495773db726a3c5cd94b819dff4141737a1d6e
Closes-Bug: #1885885
Co-Authored-By: Sebastian Luna Valero <sebastian.luna.valero@gmail.com>

In the spirit of Kolla-Ansible, we generally try to provide
workable defaults.
The default for Elasticsearch curator schedule was fine except for
multinode deploys where it would cause all nodes to run at the
same time producing broken runs (race condition in the get-delete
cycle).
It is easy to improve this situation by embracing poor-man's
reimplementation of keystone's fernet key rotation schedule.
ES Curator does not need all the complexity of the former so it
can be handled very well by shifting by as many hours as the
instance's index dictates. It should rarely if ever need more time
(most likely still in minutes range rather than hours).

Change-Id: I9d6758c8550308d13d936de1a14afbe4124e593b

Resolve trivial syntax error in Fluentd output config for Monasca.

Change-Id: I20b37bb83a76bfabb1126925a1b4f1f59767b7a3
Co-Authored-By: Sebastian Luna Valero <sebastian.luna.valero@gmail.com>
Closes-Bug: #1885873

While all other clients should use internalURL, the Magnum client itself
and Keystone interface for trustee credentials should be publicly
accessible (upstream default when no config is specified) since
instances need to be able to reach them.

Closes-Bug: #1885420
Change-Id: I74359cec7147a80db24eb4aa4156c35d31a026bf

There were two issues with it. Lack of /usr/local/bin in PATH
for CentOS and wrong crontab path for Ubuntu/Debian.
This patch mirrors how it is handled in keystone.

Change-Id: Ib54b261e12c409d66b792648807646015826e83c
Closes-Bug: #1885732

The Zun configuration file does not set the CA for the clients the Zun
service uses: zun_client, glance_client, neutron_client, cinder_client,
and placement_client. This will cause the Zun service to fail when
TLS is enabled in the OpenStack deployment.

Depends-On: https://review.opendev.org/#/c/736809
Change-Id: Ieed843c890210608699c1a63deed66c9bb63986c

Change-Id: Ia22f286e85be90983ca79291b3a54596bba30d6c

The etcd service protocol is currently configured with internal_protocol.
The etcd service is not load balanced by a HAProxy container, so
there is no proxy layer to do TLS termination when internal_protocol
is configured to be "https".

Until the etcd service is configured to deploy with native TLS
termination, the etcd uses should be independent of
internal_protocol, and "http" by default.

Change-Id: I730c02331514244e44004aa06e9399c01264c65d
Closes-Bug: 1884137

Minor scalability improvement, not currently applied to storm.

Change-Id: I928d362067c52c3113bc0fbd3ae4b9be1810b7e5
TrivialFix

Currently openvswitch sets system-id based on inventory_hostname, but when
Ansible inventory contains ip addresses - then it will only take first ip
octet - resulting in multiple OVN chassis being named i.e. "10".
Then Neutron and OVN have problems functioning, because a chassis named "10"
will be created and deleted multiple times per second - this ends up in
ovsdb and neutron-server processes using up to 100% CPU.

Adding openvswitch role to ovn CI job triggers.

Change-Id: Id22eb3e74867230da02543abd93234a5fb12b31d
Closes-Bug: #1884734

Currently, if internal TLS communication is enabled, Kibana to
Elasticsearch communication is unverified. This is because we set
elasticsearch.ssl.verificationMode to 'none' by default (via
kibana_elasticsearch_ssl_verify). This is poor a security
posture.

This change changes the default value of
'kibana_elasticsearch_ssl_verify' to 'true'.

Change-Id: Ie4fa8e3a60d69cf5c4bdd975030c92be8113ffb1
Closes-Bug: #1885110

Currently there is no way to configure a CA certificate bundle file for
fluentd to Elasticsearch communication. This change adds a new variable,
'fluentd_elasticsearch_cacert' with a default value set to the value of
'openstack_cacert.

Closes-Bug: #1885109

Change-Id: I5bbf55a4dd4ccce9fa2635cee720139c088268e3

Change openvswitch & neutron-openvswitch-agent to deploy only
with manila generic backend - which uses ovs-vsctl functionality
when configuring share servers.

Change-Id: I124108cda62b38ea498612ff9ddb07d6122a330c
Closes-Bug: #1884939

Magnum, Cinder and Octavia clients in Magnum now use endpoint_type of
internalURL by default consistent with other clients also used by the
conductor. Additionally, they also use the globally defined
`openstack_region_name` for region_name.

Closes-Bug: #1885096

Change-Id: Ibec511013760cc4f681a2ec1b769b532be3daf2d

Change-Id: I7214ef38ea529f7585d7a0c75b8b0498ea4c58a2
Closes-Bug: #1885078

ZooKeeper is a dependency of Apache Storm.

TrivialFix

Change-Id: Icf952be2e0b53f2e82e8ce18a48bcfa100b41cd9

when enable kolla_dev_mod, nova-cell role clones code failed,
because we use nova-cell repository which is not exists.
in fact, nova-cell role should use nova repository too

Change-Id: I7fa62726d0d5b0aeb3bd5fa06dc0e59667f94fa0

Depends-On: I561504160e5548c54d1af31821c3366ab34cf0ec
Change-Id: I15e5c0e0a956ee181873cf002229532a15ff959d
Co-Authored-By: jacky06 <zhang.min@99cloud.net>

more info: https://review.opendev.org/#/c/721733/



Depends-On: I561ead226f714d98c8e06e6027715a64c3a8e47e
Depends-On: I21c9ab9820f78cf76adf11c5f0591c60f76372a8
Change-Id: Ic740d090211ee331b374a6dac69dfde466df7200
Co-Authored-By: jacky06 <zhang.min@99cloud.net>

more info: https://opendev.org/openstack/kolla-ansible/commit/a6c97d7284c7de437ebfc9f8ee289244f29e65d7



Change-Id: I778d472cc7f6ca19852482a3e309d793973d75a6
Co-Authored-By: jacky06 <zhang.min@99cloud.net>

Similarly to other OpenStack services octavia should support
kolla dev mod for debugging.

Change-Id: I81b79dc0a4c5e40a67af7120a4109dfe11098a97

I9b6bf5b6690f4b4b3445e7d15a40e45dd42d2e84 was updated to use the original
config file name during review, but the config file was not renamed
accordingly. The result is that an empty config file is written out.

TrivialFix
Change-Id: I5d0384b38ddb38133e5e11df85d8cf76f4044a64

The double quotation is not necessary for include_tasks, this
ps to cleanup it.

Change-Id: I0701035d185fdf19286cced7fe51fc277511e4c1

Recently a patch [1] was merged to stop adding the octavia user to the
admin project, and remove it on upgrade. However, the octavia
configuration was not updated to use the service project, causing load
balancer creation to fail.

There is also an issue for existing deployments in simply switching to
the service project. While existing load balancers appear to continue to
work, creating new load balancers fails due to the security group
belonging to the admin project. At a minimum, the deployer needs to
create a security group in the service project, and update
'octavia_amp_secgroup_list' to match its ID. Ideally the flavor and
network would also be recreated in the service project, although this
does not seem to impact operation and will result in downtime for
existing Amphorae.

This change adds a new variable, 'octavia_service_auth_project', that
can be used to set the project. The default in Ussuri is 'service',
switching to the new behaviour. For backports of this patch it should be
switched to 'admin' to maintain compatibility.

If a deployer sets 'octavia_service_auth_project' to 'admin', the
octavia user will be assigned the admin role in the admin project, as
was done previously.

Closes-Bug: #1882643
Related-Bug: #1873176

[1] https://review.opendev.org/720243/



Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Change-Id: I1efd0154ebaee69373ae5bccd391ee9c68d09b30

Replaced "kolla_external_fqdn_cacert" and "kolla_internal_fqdn_cacert" with
"kolla_admin_openrc_cacert". OS_CACERT is now set to the value of
"kolla_admin_openrc_cacert" in the generated admin-openrc.sh file.

Change-Id: If195d5402579cee9a14b91f63f5fde84eb84cccf
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/#/c/731344/

Update the certificate generation task to create a root CA for the
self-signed certificates. The internal and external facing certificates
are then generated using the root CA.

Updated openstack_cacert to use system CA trust store in CI tests
certificate by default.

Change-Id: I6c2adff7d0128146cf086103ff6060b0dcefa37b
Partially-Implements: blueprint add-ssl-internal-network

During an upgrade from Stein to Train, Kolla Ansible fails while running
TASK [cinder : Running Cinder online schema migration]

This is because the `--max_count 10` option is used, which returns 1
while migrations are processed. According to the upgrade documentation,
the command should be rerun while the exit status is 1:
https://docs.openstack.org/cinder/train/upgrade.html

This issue was introduced by a change to the image [1] which fixed a bug
in the way that the max count was interpreted, but exposed an issue in
using the max count.

This change fixes the issue by ceasing to pass MAX_NUMBER, which will
cause all migrations to occur in a single pass.

[1] https://review.opendev.org/#/c/712055

Change-Id: Ia786d037f5484f18294188639c956d4ed5ffbc2a
Closes-Bug: #1880753

more info: https://opendev.org/openstack/kolla-ansible/commit/a6c97d7284c7de437ebfc9f8ee289244f29e65d7



Change-Id: I44850d6bb77fec33aa93e1b523eadfe0ef9483a8
Co-Authored-By: jacky06 <zhang.min@99cloud.net>

The flag -es.uri is no longer accepted - it should be --es.uri.
Similarly with -web.listen-address. The following error is seen:

    elasticsearch_exporter: error: unknown short flag '-e', try --help

This change switches to double dashed long options.

Change-Id: I039f4cad970352146462450742056f5990a81b06
Closes-Bug: #1880242

This patch is removing chrony package
from docker host when containerized chrony is enabled.
It is also fixing issue with chrony container running
under Ubuntu docker host as noted below.

+ exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

Added also removal apparmor profile for ubuntu when
containerized chrony is enabled, as chrony's package
is not removing apparmor profile, and therefore
containerized chrony is not working.

Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
Closes-Bug: #1882513

Grafana changed the error message wording.
Match on the shortest sane string to play it safe.

Change-Id: Ic175ebdb1da6ef66047309ff07bcbba98fc67008
Closes-Bug: #1881890

related to newly introduced merge mechanism.
1) Per-host overrides cannot be run_once.
2) Since merge_yaml is silent about missing files, it ignored
   the fact that no proper file was given due to wrong variable
   being referenced (see the closed bug).

Change-Id: I6db4af4c6e3364838bdae510f300038b0c1560b0
Closes-Bug: #1882460

There's a logic error here, we call nova role from nova.yml file
under ansible folder. we should clone code before run
bootstrap_service task. if not, /opt/stack/nova which is empty
will mount to nova_api container.

Change-Id: Icc54c15080db9c2dc92709480e00b990e5a88662

planned task removal

Change-Id: I613794667b8c08f524a69e7e3f447b2217efb3f7

When installing kolla with external ceph, ceph_cinder_user
var has to be set per documentation instead of ceph_cinder_volume_user.
This value is also rendered in example etc/kolla/globals.yml file.

This patch is fixing this bug or, let's say typo.

Change-Id: Id82b07867f4bc0e5d5e56363f0122014df6892bc