This could badly affect containerized chrony
on Debian family distros.

Change-Id: I3c57c0fe254b6166db55fa33358be646a4a23192
Closes-bug: #1847863

cloud-init to manage /etc/hosts

1) Ubuntu includes a line in /etc/hosts that makes the local hostname and
nodename (if different) point to 127.0.1.1. This can break RabbitMQ,
which expects the hostname to resolve to the API network address.

2) The distribution might come with cloud-init installed, and manage_etc_hosts
configuration enabled. If so, it will override the file /etc/hosts from cloud-init
templates at every boot, which will break RabbitMQ.

This change fixes these issues.

Change-Id: I53261d0403b983ab419bd44e705b89f7b7a1c316
Closes-Bug: #1837699

Using profiles in cephx is the recommended way since Mimic,
this also adds support for blacklist ops.

Change-Id: Ib9f65644637a5761c6cd7ca8925afc6bb2b8d5f5
Closes-Bug: #1760065

Currently, swift-proxy config uses hosts in the swift-proxy-server group
to generate the list of memcached servers. However, memcached is
deployed to hosts in the memcached group.

This change fixes the memcached_servers option for swift-proxy to be the
same as other services.

Change-Id: Ib850a1bb2a504ac3e1396846ca3f1d9a30e8fca0
Closes-Bug: #1774313

Depends-On: https://review.opendev.org/686316
Change-Id: I5f204541cc44bca94bed756bb3af3e102f81a1d2

Change-Id: I097082112b857444c3e2f73896be5832a776743b

The idea is to factor out a role for deploying Nova related services
to cells. Since all deployments use cells, this role can be used
in both regular deployments which have just cell0 and cell1,
and deployments with many cells.

Partially Implements: blueprint support-nova-cells
Change-Id: Ib1f36ec0a773c384f2c1eac1843782a3e766045a

This role can be used by other roles to register RabbitMQ resources.
Currently support is provided for creating virtual hosts and users.

Change-Id: Ie1774a10b4d629508584af679b8aa9e372847804
Partially Implements: blueprint support-nova-cells
Depends-On: https://review.opendev.org/684742

Since
https://opendev.org/openstack/kolla-ansible/commit/70b515bf1225e56b7df81677043d75be4bbb1ab4
was merged, we implicitly require Docker API version 1.25
(https://docs.docker.com/engine/api/v1.25/) to support passing
environment variables to docker exec. The version of docker we deployed
before the Docker CE upgrade was 1.12.0, which is Docker API version
1.24, and so does not support this. We get the following error:

    Setting environment for exec is not supported in API < 1.25

This change modifies the kolla_toolbox module to use the new JSON
method for parsing Ansible's output when Docker API 1.25 is available,
falling back to the old regex-based method otherwise.

This change can be reverted when we require a minimum Docker API version
of 1.25+.

Change-Id: Ie671624ecca5b43d7bd8fbd959d701d9e21d66b3
Closes-Bug: #1845681

Add coordination backend configuration to designate.conf which is
required in multinode environments. Fixes warning from designate:

WARNING designate.coordination [-] No coordination backend configured,
assuming we are the only worker. Please configure a coordination backend

Change-Id: I23c4d2de7e3f9368795c423000a4f9a6c3a431e2
Closes-Bug: #1843842
Related-Bug: #1840070

The deprecated ovsdb_interface configuration option has been removed,
the default native driver is now always used. [1]

[1] https://opendev.org/openstack/neutron/commit/cf37563c8393f964e7f390f13c43070791360cc1



Change-Id: Idd4e8ad4b00064d180a50c7b98a4568804939f50
Signed-off-by: ZijianGuo <guozijn@gmail.com>

The rolling upgrade has been the default since Stein. The legacy
upgrade has been removed because it doesn't follow the upgrade
guide [1].

[1] https://docs.openstack.org/nova/latest/user/upgrade.html

Change-Id: I2aa879699cb4e9955bf5c38053eada5a53fb6211

Sometimes as cloud admins, we want to only update code that is running
in a cloud.  But we dont need to do anything else.  Make an action in
kolla-ansible that allows us to do that.

Change-Id: I904f595c69f7276e71692696471e32fd1f88e6e8
Implements: blueprint deploy-containers-action

Some tasks were improperly generalized in change:
I4f1aa03e9a9faaf8aecd556dfeafdb834042e4cd
(simplify handlers)
This patch reverts that.

Change-Id: I38fbe319da50fc7d5a3fa3c4890f039ae900a60c
Closes-bug: #1845258
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

Backport: stein

In the Stein release, cloudkitty switched the default storage backend
from sqlalchemy to influxdb. In kolla-ansible stein configuration, we
did not explicitly set the storage backend, and so we automatically
picked up this change. However, prior to
https://review.opendev.org/#/c/615928/ we did not have full support for
InfluxDB as a storage backend, and so this has broken the Rocky-Stein
upgrade (https://bugs.launchpad.net/kolla-ansible/+bug/1838641), which
fails with this during the DB sync:

ERROR cloudkitty InfluxDBClientError: get_list_retention_policies()
requires a database as a parameter or the client to be using a database

This change synchronises our default with cloudkitty's (influxdb), and
also provides an upgrade transition to create the influxdb database.

We also move the cloudkitty_storage_backend variable to
group_vars/all.yml, since it is used to determine whether to enable
influxdb.

Finally, the section name in cloudkitty.conf was incorrect - it was
storage_influx,  but should be storage_influxdb.

Change-Id: I71f2ed11bd06f58e141d222e2709835b7ddb2c71
Closes-Bug: #1838641

This ensures we execute the keystone os_* modules in one place.

Also rework some of the task names and loop item display.

Change-Id: I6764a71e8147410e7b24b0b73d0f92264f45240c

The current tasks only use a hardcoded list deploying only the required files.
When using multiple custom policies, additionnal object-*.builder and
object*.gz files are to be deployed as well.
This adds a new default-empty variable that can be overridden when needed

Change-Id: I29c8e349c7cc83e3a2e01ff702d235a0cd97340e
Closes-Bug: #1844752

During upgrade, we stop all slave keepalived containers. However, if the
keepalived container configuration has not changed, we never restart
them.

This change fixes the issue by notifying the restart handler when the
containers are stopped.

Change-Id: Ibe094b0c14a70a0eb811182d96f045027aa02c2a
Closes-Bug: #1836368

This allows the install type for the project to be different than
kolla_install_type

This can be used to avoid hitting bug 1786238, since kuryr only supports
the source type.

Change-Id: I2b6fc85bac092b1614bccfd22bee48442c55dda4
Closes-Bug: #1786238

This change introduces the way to pass extra options to prometheus.

Currently, prometheus runs with nearly default options, and when clouds
start getting bigger, you need to pass extra parameters to prometheus.

Change-Id: Ic773c0b73062cf3b2285343bafb25d5923911834

Heat's [DEFAULT] deferred_auth_method is deprecated, and we are setting
the default value of 'trusts'.

Glance's [DEFAULT] registry_host is deprecated, and we do not deploy a
registry.

Change-Id: I80024907c575982699ce323cd9a93bab94c988d3

Sometimes things go wrong. We shouldn't fail a Kolla Ansible run because
of a temporary failure when creating keystone resources.

This task adds retries to the tasks in the service-ks-tasks role.
Default is 5 retries with a 10 second delay, as is used in OpenStack
Ansible.

Change-Id: Ib692062fb93ba330bb9c8a35c684ad06652be8a2

Project name shouldn't be static as user may override it with
keystone_admin_project

Change-Id: If41b9d8de17985d960104c8daf27ea7d706c27c0

To securely support live migration between computenodes we should enable
tls, with cert auth, instead of TCP with no auth support.

Implements: blueprint libvirt-tls

Change-Id: I22ea6233933c840b853fdcc8e03400b2bf577271

Change-Id: I7f2b3a6f1eacd4cabcaa31de543b7489bc5e654b
Closes-bug: #1844636
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

We have agreed to remove support for Oracle Linux.

http://lists.openstack.org/pipermail/openstack-discuss/2019-June/006896.html

Change-Id: If11b4ff37af936a0cfd34443e8babb952307882b

This commit follows up the work in Kolla to provide deploy and configure the
Prometheus blackbox exporter.

An example blackbox-exporter module has been added (disabled by default)
called os_endpoint. This allows for the probing of endpoints over HTTP
and HTTPS. This can be used to monitor that OpenStack endpoints return a status
code of either 200 or 300, and the word 'versions' in the payload.

This change introduces a new variable `prometheus_blackbox_exporter_endpoints`.
Currently no defaults are specified because the configuration is heavily
dependent on the deployment.

Co-authored-by: Jack Heskett <Jack.Heskett@gresearch.co.uk>
Change-Id: I36ad4961078d90e2fd70c9a3368f5157d6fd89cd

Use upstream Ansible modules for registration of services, endpoints,
users, projects, roles, and role grants.

Change-Id: I7c9138d422cc91c177fd8992347176bb54156b5a

The kolla_toolbox Ansible module executes as-hoc ansible commands in the
kolla_toolbox container, and parses the output to make it look as if
ansible-playbook executed the command. Currently however, this module
sometimes fails to catch failures of the underlying command, and also
sometimes shows tasks as 'ok' when the underlying command was changed.
This has been tested both before and after the upgrade to ansible 2.8.

This change fixes this issue by configuring ansible to emit output in
JSON format, to make parsing simpler. We can now pick up errors and
changes, and signal them to the caller.

This change also adds an ansible playbook, tests/test-kolla-toolbox.yml,
that can be executed to test the module. It's not currently integrated
with any CI jobs.

Note that this change cannot be backported as the JSON output callback
plugin was added in Ansible 2.5.

Change-Id: I8236dd4165f760c819ca972b75cbebc62015fada
Closes-Bug: #1844114

These filters can be used to capture a lot of the logic that we
currently have in 'when' statements, about which services are enabled
for a particular host.

In order to use these filters, it is necessary to install the
kolla_ansible python module, and not just the dependencies listed in
requirements.txt. The CI test and quickstart install from source
documentation has been updated accordingly.

Ansible is not currently in OpenStack global requirements, so for unit
tests we avoid a direct dependency on Ansible and provide fakes where
necessary.

Change-Id: Ib91cac3c28e2b5a834c9746b1d2236a309529556

Since we use the release name as the default tag to publish images
to Dockerhub, we should use this by default.

This change also removes support for the magic value "auto".

Change-Id: I5610cc7729e9311709147ba5532199a033dfd156
Closes-Bug: #1843518

The admin api was never actually enabled,
and the admin extensions were added to the wrong
extension namespace.

Change-Id: I084b5cf05a786bde76cbf82381ba5f69cd5bce19

The pool manager has long been deperecated and
kolla-ansible does not currently have an option
to enable it. So we can safely remove the settings
around it.

Change-Id: I8e97d72421caebba979df0135fb65879e6ae3903

Also fixes similar issues introduced by the same recent change.
Added FIXME note about possible TLS malfunction regarding horizon.

Change-Id: I5f46a9306139eb550d3849757c8bdf0767537c78
Closes-Bug: #1844016
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

Edited the
ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2 file
to change the mesh.peer and mesh.listen-address to cluter.peer and
cluster.listen-address.  This stopped alertmanager from crashing with
error "--mesh.peer is an invalid flag"

Change-Id: Ia0447674b9ec377a814f37b70b4863a2bd1348ce
Signed-off-by: Mark Flynn <markandrewflynn@gmail.com>

Change-Id: I593b06c447d156c7a981d1c617f4f9baa82884de
Closes-Bug: #1841175

This commit adds the necessary configuration to the Swift account,
container and object configuration files to enable the Swift recon
cli.

In order to give the object server on each Swift host access to the
recon files, a Docker volume is mounted into each container which
generates them. The volume is then mounted read only into the object
server container. Note that multiple containers append to the same
file. This should not be a problem since Swift uses a lock when
appending.

Change-Id: I343d8f45a78ebc3c11ed0c68fe8bec24f9ea7929
Co-authored-by: Doug Szumski <doug@stackhpc.com>

This is required for the dict2items filter.

Change-Id: I60a04e839bf06506ff36c2631a286130d5fde972

When nova-api group have no hosts, we don't have to run create_cells
and discover_computes. Add conditional blocks to prevent to run them.

Change-Id: Ia1ba058c1b74b06b678f45544883e567e2b4eb55
Closes-Bug: #1843235

According to [1]:
IP address used in the IP options can be in either IPv4 or IPv6 format.
DNS can be used for IPv4 only, IPv6 only and dual stack.

Also should have FQDNs in subjectAltName per current[2].

[1] https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
[2] https://support.google.com/chrome/a/answer/7391219

Partially-Implements: blueprint ipv6-control-plane

Change-Id: Ibad8f8c734984aeda8ddac1a5db39875bc242bbf