This was missed in the original patch.

Change-Id: I991b0563560cf4a0b1feb718951ffdf21ab81856

Change-Id: I8633f7d250f331ca96788d8f4796889c3c312406
Closes-Bug: #1882259

backport: ussuri, train

Without this the container returns an empty response.

Change-Id: Ic36845f3fc625c080c92904b58ace070dd24fbb2
Closes-Bug: #1881784

The __future__ module [1] was used in this context to ensure compatibility
between python 2 and python 3.

We previously dropped the support of python 2.7 [2] and now we only support
python 3 so we don't need to continue to use this module and the imports
listed below.

Imports commonly used and their related PEPs:
- `division` is related to PEP 238 [3]
- `print_function` is related to PEP 3105 [4]
- `unicode_literals` is related to PEP 3112 [5]
- `with_statement` is related to PEP 343 [6]
- `absolute_import` is related to PEP 328 [7]

[1] https://docs.python.org/3/library/__future__.html
[2] https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html
[3] https://www.python.org/dev/peps/pep-0238
[4] https://www.python.org/dev/peps/pep-3105
[5] https://www.python.org/dev/peps/pep-3112
[6] https://www.python.org/dev/peps/pep-0343
[7] https://www.python.org/dev/peps/pep-0328

Change-Id: I907008ff4102806a6f7c88572f89f3beb500d9d7

normally, api_interface is treated as internal and security network plane,
use it as default migration_interface is more meaningful.

Change-Id: Ib9f4bcc19147a49dc09bd905dcd06be165a91b5e

Fix glance configuration task to create the backend PEM only on hosts with
glance service enabled.

Change-Id: I641c51761a99828854aafcc1e7354d6932d86659

This is forwardport of [1].

[1] https://review.opendev.org/730496

Change-Id: I6523b915e0231c28b5cd91f821515f3d47309d66

The Monasca Log API has been removed and in this change we switch
to using the unified API. If dedicated log APIs are required then
this can be supported through configuration. Out of the box the
Monasca API is used for both logs and metrics which is envisaged to
work for most use cases.

In order to use the unified API for logs, we need to disable the
legacy Kafka client. We also rename the Monasca API config file
to remove a warning about using the old style name.

Depends-On: https://review.opendev.org/#/c/728638
Change-Id: I9b6bf5b6690f4b4b3445e7d15a40e45dd42d2e84

Since at least Stein, there is no visible effect from these tasks.
The Kibana dashboard seems to be working exactly the same,
greeting user on the first use with "please configure my index".
I tested on both Ubuntu and CentOS.
In new E*K stack (Ussuri+, CentOS8+) it even causes play errors.

Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: Iafc6986cce9cbaa0ea9e219ca85d7d01a61308cf
Closes-Bug: #1799689

you might refer to:
https://github.com/gophercloud/utils/blob/b0167b94122ca14ce50258a760b4e9b22788f0d7/openstack/clientconfig/results.go#L41

Change-Id: Ia326360c412aad9ca4d1735cc6486aa2fce22c1a
Closes-Bug: #1850812

Depends-On: https://review.opendev.org/710217/

Change-Id: I85652f23e487c40192106d23f2cdd45a3077deca

bump api version to v2[1]

[1]: https://review.opendev.org/#/c/700102/

Change-Id: I799f126a30081a85da4f3c41ce705c3756bbe6ba

Change-Id: Ib0916626b969336ec4bb43028f95f901d5c8cb91

* Reworked tox pep8 into linters job, that runs:
  - pep8
  - bandit
  - bashate
  - doc8
  - yamllint
  - ansible-lint (validate-all-files.py + ansible-lint)

* Skip E701 - missing galaxy_info in meta and E602 see [1].
* Skip E301 and E503 - followup later in a separate change
* Added ansible-role-jobs to zuul.d/project.yaml which will run
  openstack-tox-linters job in check queue
* Fixed remaining style issue
* Made tox and docs reference the new env for linters
* Dropped pype environment (not supported)

[1]: https://github.com/ansible/ansible-lint/issues/457

Change-Id: I494b4b151804aac8173120e6c6e42bc2fdb00234

W503 and W504 are incompatible and we need to choose one of them.
Existing codes follows W503, so we disable W504.

Change-Id: Ic745e956dd332eb0fa49b93c1e6acb12f8a7f26c

Change-Id: Ic0d0543b6ad93743eae2a144e8a3b07de54e6d96
Closes-Bug: #1878344

The pre-check was broken, see bug report for details.

Change-Id: I089f1e288bae6c093be66181c81a4373a6ef3de4
Closes-Bug: #1856021

Change-Id: I812665059783617d581d748e619b29426f89b353

The RabbitMQ 'openstack' user has the 'administrator' tag assigned via
the RabbitMQ definitions.json file.

Since the Train release, the nova-cell role also configures the RabbitMQ
user, but omits the tag. This causes the tag to be removed from the
user, which prevents it from accessing the management UI and API.

This change adds support for configuring user tags to the
service-rabbitmq role, and sets the administrator tag by default.

Change-Id: I7a5d6fe324dd133e0929804d431583e5b5c1853d
Closes-Bug: #1875786

The refactor in change I500cc8800c412bc0e95edb15babad5c1189e6ee4
broke the task `Enable Monasca Grafana datasource for control
plane organisation`. This change fixes the brackets.

Change-Id: I9167a312be107fbfddfd07740f67845c2eaafc3d
Closes-Bug: 1878878

Fix Heat WSGI logging directives and correct access log name.

Change-Id: Iac09e481ae46934fc26300eba8c5d81ccd0504e8
Partially-Implements: blueprint add-ssl-internal-network

Change-Id: I797bb5997e6a3391e82bff766c96f7855de4adc4
Closes-bug: #1878325

Keystone was not loading the correct mod_ssl library in centos 8
deployment.

Change-Id: I604d675ba7ad28922f360fdc729746f99c1507b4
Partially-Implements: blueprint add-ssl-internal-network

This patch introduces an optional backend encryption for the Barbican
API service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Barbican service.

Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b
Partially-Implements: blueprint add-ssl-internal-network

Change-Id: I146ea3d84efb83ec5d7405644ad372e57ecafc1e

This provides a generic mechanism to include extra files
that you can reference in prometheus.yml, for example:

scrape_targets:
  - job_name: ipmi
    params:
      module: default
    scrape_interval: 1m
    scrape_timeout: 30s
    metrics_path: /ipmi
    scheme: http
    file_sd_configs:
    - files:
      - /etc/prometheus/extras/file_sd/ipmi-exporter-targets.yml
      refresh_interval: 5m

Change-Id: Ie2f085204b71725b901a179ee51541f1f383c6fa
Related: blueprint custom-prometheus-targets

This provides a mechanism to scrape targets defined outside of kolla-ansible.

Depends-On: https://review.opendev.org/#/c/685671/
Change-Id: I0950341b147bb374b4128f09f807ef5a756f5dfa
Related: blueprint custom-prometheus-targets

This allows you to extend lists in yaml config. This is useful, for
example, in prometheus.yml, where it would be nice to be able to
extend the scrape_configs to include exporters that aren't packaged
with kolla-ansible. This would provide a mechanism to do so.

Change-Id: I7a10e363f42e8ffaae3c0d2c2a758853e2cab7e1
Related: blueprint custom-prometheus-targets

The removal of Kolla Ceph deploy [1] broke gnocchi & external Ceph
integration - the variable gnocchi_pool_name is referenced in the config
template, but should now be ceph_gnocchi_pool_name.

This change fixes the issue.

Reported by Nick Wilson.

[1] https://review.opendev.org/#/c/704309/12/ansible/roles/gnocchi/defaults/main.yml

Change-Id: I7089781c0c4d7bce8a44cb8b1fca847dd0b7efd1
Closes-Bug: #1877974

install sg3-utils-udev if multipath is enabled, else SCSI_IDENT*
vars are missing in udev.

Closes-Bug: 1877509
Change-Id: Ib205f3cdb775c9cfa719325f702f4fad196d346b

Nova cells support introduced a slight regression that triggers
odd behaviour when we tried switching to Apache (httpd) [1].
Bootstrap no longer applied permissions recursively to all log
files, creating a discrepancy between normal and bootstrap runs
and also Nova and other services such as Cinder (regarding
bootstrap logging).

This patch fixes it.

Backport to Train.

Not creating reno nor a bug record because it does not affect
any current standard usage in any currently known way.

Note this only really hides (standardizes?) the global issue that
we don't control file permissions on newly created files too well.

[1] https://review.opendev.org/724793

Change-Id: I35e9924ccede5edd2e1307043379aba944725143
Needed-By: https://review.opendev.org/724793

Switch URL composition from using VIP to FQDN to connect with Kibana and
Elasticsearch services.

Change-Id: I5d559ead1d6d5e928e76bb685e0f730868fd7b89
Closes-Bug: #1862419

This was addressed in I21689e22870c2f6206e37c60a3c33e19140f77ff but
accidentally reverted in I4f74bfe07d4b7ca18953b11e767cf0bb94dfd67e.

Change-Id: Id5fc458b0ca54bddfe9a43cb315dbcfeb2142395

Fixes:
- SB/NB DB address format (single host) for SB/NB DB daemon
- SB/NB DB address format (all hosts) for Neutron / northd /
  ovn-ovs bootstrap
- OVN tests

Change-Id: I539773c48f89b731d068280c228ce11782bf5788
Closes-Bug: #1875222

This patch introduces an optional backend encryption for Horizon and
Placement services. When used in conjunction with enabling TLS for
service API endpoints, network communcation will be encrypted end to
end, from client through HAProxy to the Horizon and Placement services.

Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d
Partially-Implements: blueprint add-ssl-internal-network

Add TLS support for Glance api using HAProxy to perform TLS termination.

Change-Id: I77051baaeb5d3f7dd9002262534e7d35f3926809
Partially-Implements: blueprint add-ssl-internal-network

Zun has a new component "zun-cni-daemon" which should be
deployed in every compute nodes. It is basically an implementation
of CNI (Container Network Interface) that performs the neutron
port binding.

If users is using the capsule (pod) API, the recommended deployment
option is using "cri" as capsule driver. This is basically to use
a CRI runtime (i.e. CRI plugin for containerd) for supporting
capsules (pods). A CRI runtime needs a CNI plugin which is what
the "zun-cni-daemon" provides.

The configuration is based on the Zun installation guide [1].
It consits of the following steps:
* Configure the containerd daemon in the host. The "zun-compute"
  container will use grpc to communicate with this service.
* Install the "zun-cni" binary at host. The containerd process
  will invoke this binary to call the CNI plugin.
* Run a "zun-cni-daemon" container. The "zun-cni" binary will
  communicate with this container via HTTP.

Relevant patches:
Blueprint: https://blueprints.launchpad.net/zun/+spec/add-support-cri-runtime
Install guide: https://review.opendev.org/#/c/707948/
Devstack plugin: https://review.opendev.org/#/c/705338/
Kolla image: https://review.opendev.org/#/c/708273/

[1] https://docs.openstack.org/zun/latest/install/index.html

Depends-On: https://review.opendev.org/#/c/721044/
Change-Id: I9c361a99b355af27907cf80f5c88d97191193495

This patch updates the octavia controller deployment to use the
latest octavia certificate configuration guide [1]. The dual CA changes
were introduced in Train.

[1] https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Change-Id: If89ec0d631568db70690f1a69d00115c59abe678
Closes-Bug: #1862133

Change-Id: Ie3022d1721f43dc84e4228331d0d2f6f3a3c7ebd
Closes-Bug: 1875613

Change-Id: I18f8855a758703968aba032add68add24b31f673
Closes-bug: #1875588