- Mar 05, 2024
-
-
Michal Nasiadka authored
We replaced redis with etcd in that scenario, but GATE_IMAGES are not updated. Change-Id: Ie9d6642f8ce51bc2a35b800c6c149153c14378db
-
- Mar 01, 2024
-
-
Michal Nasiadka authored
Folowup for missing release note, see [1]. [1]: https://review.opendev.org/q/Ic121bf9f90c9865cd4d08890c80247570ef310ae Change-Id: Ia65e4e28d8a8dfdf439adbdd5a2516b6c064109a
-
- Feb 29, 2024
- Feb 28, 2024
-
-
Will Szumski authored
This is useful for backwards compatability. Depends-On: https://review.opendev.org/c/openstack/kolla/+/909865 Change-Id: Ib2936580db5e7ab3479722bc353c39063010b5f2
-
- Feb 27, 2024
-
-
Zuul authored
-
- Feb 21, 2024
-
-
Zuul authored
-
Alex-Welsh authored
Closes-Bug: #1793323 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/903178 Depends-On: https://review.opendev.org/c/openstack/kolla/+/902057 Change-Id: Ibebd6e04de215e1a1aaff52c55d28c4741af98f2
-
- Feb 20, 2024
- Feb 19, 2024
- Feb 15, 2024
-
-
Zuul authored
-
Bartosz Bezak authored
This reverts commit d77372e8. Reason for revert: service role support has been fixed in Ironic [1] and added to Kolla-Ansible. [1] https://review.opendev.org/c/openstack/ironic/+/907148 Closes-Bug: #2051837 Change-Id: I49664e3a353f54e0d51f454c552a78846ba64101
-
Bartosz Bezak authored
Ironic enabled secure RBAC with system scoped enforcement [1]. Some API calls, for instance 'baremetal:driver:get' needs system scope role by design [2], even with elevated access project scope service role [3]. [1] https://review.opendev.org/c/openstack/ironic/+/902009 [2] https://opendev.org/openstack/ironic/src/commit/8ec56066223301230ac0ed0f0c471a10d366b474/ironic/common/policy.py#L1349-L1357 [3] https://review.opendev.org/c/openstack/kolla-ansible/+/908007 Related-Bug: #2051837 Change-Id: Id6313d7dd343b82d4c9ccf7bf429d340ea0e93d1
-
Zuul authored
-
Zuul authored
-
Bartosz Bezak authored
Add the service role to ironic service users. Ironic recently enforced new policy validation as part of the RBAC efforts. [1][2] Service user support was also added to Ironic. [3] Admin role needs to stay as not all services added service role support. [4][5] [1] https://review.opendev.org/c/openstack/ironic/+/902009 [2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst#phase-2 [3] https://review.opendev.org/c/openstack/ironic/+/907148 [4] https://review.opendev.org/q/topic:bp%252Fpolicy-service-role-default [5] https://review.opendev.org/q/topic:%22New-Location-Apis%22 Related-Bug: #2051837 Change-Id: I048402c2247188cf57f35437f557f84ac25d4ff2
-
Bartosz Bezak authored
Ironic recently started to enforce new policies and scope [1]. And Ironic is one of the sole openstack project which need system scope for some admin related api calls [2]. However Ironic also started to allow project-scope behaviour for service role with setting ``rbac_service_role_elevated_access``[3] [4]. This change enables this setting to get similar behaviour of service role as other openstack projects. [1] https://review.opendev.org/c/openstack/ironic/+/902009 [2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst?display=source#L261 [3] https://review.opendev.org/c/openstack/ironic/+/907148 [4] https://opendev.org/openstack/ironic/src/commit/8ec56066223301230ac0ed0f0c471a10d366b474/releasenotes/notes/service-project-service-role-fix-e4d1a8c23856926a.yaml Related-Bug: #2051837 Change-Id: If8d7cf1663145d0398a2e936486e2b316d4df5e0
-
Michal Nasiadka authored
In order to do this - we need to add service role to Nova and Cinder. Closes-Bug: #2049762 Change-Id: Ic121bf9f90c9865cd4d08890c80247570ef310ae
-
Michal Nasiadka authored
Change-Id: I5bc50e390d0b8100a1b6bf5bd5c8b6ecdeb7cd6c
-
Doug Szumski authored
The upgrade job needs the haproxy exporter group, which was missing from the inventory. Change-Id: Ie4ecf283a2f4ac056ace5e76f2acc4ba1a8fe0b4
-
- Feb 14, 2024
-
-
Michal Nasiadka authored
Default timeout is 5 and we're often hitting that on our poor man's Ceph. Change-Id: Ide92b3c32150c0045b0723155f94b21ea9cdce66
-
- Feb 13, 2024
-
-
Michal Nasiadka authored
etcd is flakey and complaining over slow disk Change-Id: I1f5191015b53bdb218cfeaa43586ecf2d71a161e
-
- Feb 12, 2024
-
-
Dawud authored
Fixes not being able to add additional plugins at build time due to the `grafana` volume being mounted over the existing `/var/lib/grafana` directory. This is fixed by copying the dashboards into the container from an existing bind mount instead of using the ``grafana`` volume. This however leaves behind the volume which should be removed with `docker volume rm grafana` or by setting `grafana_remove_old_volume` to `True`. Closes-Bug: #2039498 Change-Id: Ibcffa5d8922c470f655f447558d4a9c73b1ba361
-
- Feb 09, 2024
- Feb 08, 2024
-
-
Zuul authored
-
Zuul authored
-
Michal Nasiadka authored
Change-Id: I246b14c9b547c6a0ff0be68ad57e723839cc3275
-
Zuul authored
-
- Feb 07, 2024
-
-
Michal Arbet authored
Change Ib7f72b2663199ef80844a412bc436c6ef09322cc disabled horizon testing. This patch enabling horizon tests again. Change-Id: Iff670525c91c8adbcf2a01288b12456cb4a31809
-
Michal Arbet authored
New horizon release use [1] for cache backend instead of [2] as it was in previous versions. This patch: 1. Removes override from config and configure only memcached endpoints, not backend specification itself. This will avoid bugs in future in case BACKEND will be switched again. 2. Remove 'memcached' context from kolla_address filter and use 'url' as [1] don't support inet6:[{address}] for ipv6 but supports [{address}] which 'url' provides. [1] django.core.cache.backends.memcached.PyMemcacheCache [2] django.core.cache.backends.memcached.MemcachedCache Change-Id: Ie3a8f47e7b776b6aa2bb9b1522fdd4514ea1484b -
Michal Arbet authored
This patch implements horizon's preferred way how to configure itself described in docs [1], [1] https://docs.openstack.org/horizon/latest/configuration/settings.html Depends-On: https://review.opendev.org/c/openstack/kolla/+/906339 Change-Id: I60ab4634bf4333c47d00b12fc4ec00570062bd18
-
Michal Nasiadka authored
That is the ovs-vsctl default but Ansible module is failing in reconfigure step - and secure breaks external connectivity in OVN. From OVS docs: fail_mode: optional string, either secure or standalone When a controller is configured, it is, ordinarily, responsible for setting up all flows on the switch. Thus, if the connection to the controller fails, no new network connections can be set up. If the connection to the controller stays down long enough, no packets can pass through the switch at all. This setting de‐ termines the switch’s response to such a situation. It may be set to one of the following: standalone If no message is received from the controller for three times the inactivity probe interval (see inactiv‐ ity_probe), then Open vSwitch will take over responsibil‐ ity for setting up flows. In this mode, Open vSwitch causes the bridge to act like an ordinary MAC-learning switch. Open vSwitch will continue to retry connecting to the controller in the background and, when the connection succeeds, it will discontinue its standalone behavior. secure Open vSwitch will not set up flows on its own when the controller connection fails or when no controllers are defined. The bridge will continue to retry connecting to any defined controllers forever. The default is standalone if the value is unset, but future ver‐ sions of Open vSwitch may change the default. Change-Id: Ica4dda2914113e8f8349e7227161cb81a02b33ee -
Zuul authored
-
Zuul authored
-
