- Oct 20, 2022
-
-
Michal Arbet authored
By default ProxySQL's default value of max_replication_lag is 0, which is in fact disabling this feature [1]. If it is greater than 0, ProxySQL will regularly monitor replication lag and if it goes beyond the configured threshold it will temporarily shun the host until replication catches up. This should be configurable via kolla-ansible as every OpenStack deployment can be different in terms of network delays, database load etc., so the user should have the option to configure when a database backend will be shunned. [1] https://proxysql.com/documentation/main-runtime/ Change-Id: I66171638abc712cb84b380042f1d29f54c499e73
-
- Oct 12, 2022
-
-
Michal Nasiadka authored
Add noqa for: Object of type PosixPath is not JSON serializable Change-Id: Id6ef88bb8cd16120bf31da679d1129d99f4b9fd8
-
- Oct 07, 2022
-
-
Radosław Piliszek authored
By resetting image_upload_use_cinder_backend to upstream default. When uploading volume to glance image, cinder looks at the backend's image_upload_use_cinder_backend config knob to decide whether to try to link the glance image to a cloned volume made by cinder, i.e. by doing all work locally and only updating glance's locations for the image (when the knob is set to True). However, after all [1], [2] and [3], which happens since Victoria, this option requires further config from user (using volume type with image_service:store_id property (aka extra spec) set to the desired glance store (even if there is only one cinder store configured)). Please read the bug report as to why the option removal is the best option (TL;DR it is the most compatible approach). [1] https://review.opendev.org/c/openstack/kolla-ansible/+/708114 [2] https://review.opendev.org/c/openstack/glance_store/+/746556 [3] https://review.opendev.org/c/openstack/cinder/+/661676 Closes-Bug: #1991516 Change-Id: Ife87ee0241d907a0c407eb21811a354ed1734408
-
Radosław Piliszek authored
These are not used by the relevant daemons and so can be dropped to, e.g., avoid creating the cinder volume on hosts where there is no cinder. Change-Id: Ia8d906a9e0227f361883a7ec1ec8dcd73e4104dc
-
Radosław Piliszek authored
This is generally considered insecure because it may reveal sensitive data [1]. Furthermore, it happens that the default Ceph perms cause fatal ERRORs with this setting: 1) when Glance wants to remove an image, it cannot list children because Cinder or Nova might have created a linked volume clone behind the scenes and it is put in another pool (volumes/vms) which Glance cannot normally access; 2) when Nova wants to create an image, it lacks permissions to write to the images pool. Thus, I propose that Kolla Ansible stops setting this by default and relies on the working defaults. The downside is that this disables optimisations in Cinder and Nova. On the other hand, these optimisations have nasty behaviour of being linked directly to the original image, preventing its removal. [1] https://docs.openstack.org/glance/yoga/configuration/glance_api.html#DEFAULT.show_multiple_locations Change-Id: I63ee9a6eefd8593f2169bba34dbb699f413d7cf8 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860093 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860291 Closes-Bug: #1992153
-
Radosław Piliszek authored
Change-Id: Ic267b0bc1153940f7595a1cf93ff2c62dd084d4e
-
- Oct 04, 2022
-
-
Michal Nasiadka authored
Change-Id: Ie09bf108250a71d539002dd5ccfa63dd71bcfe90
-
- Oct 03, 2022
-
-
Serhat Rıfat Demircan authored
Currently kolla-ansible sets haproxy balance algorithm to source for horizon. We can set it to round-robin if the cache backend is memcached or using the database as the session storage backend. So we can distribute http requests evenly to all available horizon instances. Closes-Bug: #1990523 Change-Id: I0721cadcf53d59947bc0db6a193bfafe49c41ad3
-
Radosław Piliszek authored
These are upstream defaults, no need to carry them around. TrivialFix Change-Id: I2907d5f38c6a74776961bd473553edf2d83f7257
-
Michal Nasiadka authored
This patch also changes python version and default tag for centos.
prometheus-efk and venus jobs commented out, elasticsearch images are unbuildable
cells is commented out because proxysql is unbuildable
Change-Id: Ic358f8b600317d3c2fc45130a59785225aea1153
-
Jakub Darmach authored
JWT failed to validate on auth-oidc endpoint used by openstack cli with "could not find key with kid: XX" error. To fix this we need to use jwks provided in "jwks_uri" by OIDC metadata endpoint. Missing "ServerName" directive from vhost config causes redirection to fail in some cases when external tls is enabled.
- added "keystone_federation_oidc_jwks_uri" variable
- added "OIDCOAuthVerifyJwksUri" to keystone vhost config
- added "ServerName" to keystone vhost config
- jinja templating additional whitespace trimmed to correct end result indentation and empty newlines
Closes-bug: 1990375 Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
-
- Sep 30, 2022
-
-
Pierre Riteau authored
With this option enabled, dnsmasq can offer the same IP address to multiple hosts when their requests are close to each other. Remove this option in order to use the built-in hashing mechanism which will allocate random IP addresses, which should be less likely to conflict. Closes-Bug: #1991390 Change-Id: I09a9fa2d0c54635b899ad7906cc2e2e4580ef5ad
-
- Sep 29, 2022
-
-
Michal Nasiadka authored
Fix bifrost stop.yml after I9faecfe6ece6d3c35396e3378c1e3930a487e130 Change-Id: I850cbbb83d10b1518cc73612a591b160c2d49f1c
-
Radosław Piliszek authored
Change-Id: Ia8acdf69cb3676ec939777c32f0568cb720c471f
-
- Sep 28, 2022
-
-
Michal Nasiadka authored
Change-Id: Ib068117237a199db380fcdfb757d5d0e5d34326b
-
- Sep 27, 2022
-
-
Michal Nasiadka authored
It's a followup to 73a1812c addressing post-merge comments. Change-Id: Idd458ad6ef29e4eee2f9e537b4eae39d26eb9f64
-
Radosław Piliszek authored
Change-Id: Ic89097fdc72d4fa11754201ed6e388bf79ca40b6
-
- Sep 26, 2022
-
-
Michal Arbet authored
Bind9 is running without limit for UDP listeners. This patch is changing this behaviour and sets a maximum of 32 UDP listeners. This is needed because of bug below [1]. [1] https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1827923 Change-Id: Ie4c2ac4d5e990ebdc30c3a94d855703d814f1fee
-
Radosław Piliszek authored
The admin endpoint is kept on upgrade to allow the upgrade to happen (as it allows to rewrite the previous admin endpoint entry to the new one). Change-Id: I1c16892bab67f281d539843f1f0fa658df1c4874 Depends-On: https://review.opendev.org/c/openstack/kolla/+/854837
-
Radosław Piliszek authored
Kolla Ansible stopped setting them as they turned out to be unnecessary for its operations, yet may have conflicted with security policies of the hosts. [1] [2] [1] https://launchpad.net/bugs/1837551 [2] https://launchpad.net/bugs/1945453 Change-Id: Ie8ccd3ab6f22a6f548b1da8d3acd334068dc48f5
-
Pierre Riteau authored
The correct option to use is valid_interfaces [1], not os_endpoint_type. [1] https://docs.openstack.org/networking-baremetal/latest/configuration/ironic-neutron-agent/config.html#ironic Closes-Bug: #1990675 Change-Id: I35e7d3072c6340f4ecbe02f8961158bcb663954e
-
Pierre Riteau authored
Closes-Bug: #1990819 Change-Id: I12c451077114b77b11810f25eb5b6187cdf08ad9
-
- Sep 21, 2022
-
-
Michal Nasiadka authored
mainly jinja spacing and jinja[invalid] related Change-Id: I6f52f2b0c1ef76de626657d79486d31e0f47f384
-
- Sep 12, 2022
-
-
leiyashuai authored
Change to '{{ kolla_dev_repos_git }}/{{ project_name }}' Change-Id: I78d133b58386d211464c15369265d1e192a7d7ff
-
- Sep 09, 2022
-
-
Piotr Parczewski authored
Remove hard-coded internal address; introduce variable to control external web url. Closes-bug: #1972817 Change-Id: Ib834a9f8b4a0238960dca65b2ebc1da840cec626
-
- Sep 08, 2022
-
-
Marcin Juszkiewicz authored
Added c9s jobs are non voting, as agreed on PTG to focus on Rocky Linux 9. Since both CS9 and RL9 have higher default fd limit (1073741816 vs 1048576 in CS8) - lowering that for:
* RMQ - because Erlang allocates memory based on this (see [1], [2], [3]).
* MariaDB - because Galera cluster bootstrap failed
Changed openvswitch_db healthcheck, because for unknown reason the usual check (using lsof on /run/openvswitch/db.sock) is hanging on "Bad file descriptor" (even with privileged: true).
[1]: https://github.com/docker-library/rabbitmq/issues/545
[2]: https://github.com/rabbitmq/cluster-operator/issues/959#issuecomment-1043280324
[3]: https://github.com/systemd/systemd/commit/a8b627aaed409a15260c25988970c795bf963812
Depends-On: https://review.opendev.org/c/openstack/tenks/+/856296
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/856328
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/856443
Needed-By: https://review.opendev.org/c/openstack/kolla/+/836664
Co-Authored-By: Michał Nasiadka <mnasiadka@gmail.com>
Change-Id: I3f7b480519aea38c3927bee7fb2c23eea178554d
-
- Sep 06, 2022
-
-
Michal Nasiadka authored
Sometimes in CI we're seeing Address already in use on clustercheck restarts. Adding reuseaddr that allows immediate restart of the server process. Change-Id: Ib1c9dcf99381b6b9d1095f450d74c797d39f4cb2
-
- Sep 05, 2022
-
-
Stig Telfer authored
Fluentd has a default timeout of 5s for flushing data to ElasticSearch. If there is a significant backlog of unsent log messages, this timeout can be exceeded, resulting in Fluentd failing to make further progress. Raise the default timeout to 60s. This patch adopts the configuration parameters previously proposed by Krzysztof Klimonda. Closes-Bug: #1983031 Closes-Bug: #1896611 Change-Id: I1aaab654a5a0752fccef2cfb8cc0bde4a0ee2562
-
- Aug 31, 2022
-
-
Franco Mariotti authored
Signed-off-by: Franco Mariotti <fmariotti@whitestack.com> Change-Id: Ie151cd97d3e0ba3bfec9e95a5b8bdfef0b54806c
-
- Aug 30, 2022
-
-
Michal Arbet authored
Prometheus is creating a user and granting permissions to the database from which it is gathering metrics. This process is different when haproxy/proxysql is used.
Proxysql:
- kolla-ansible should use root_shard_ID user to connect to ProxySQL endpoint and it is routed to proper shard.
Haproxy:
- kolla-ansible should use root user to connect to HAProxy endpoint and that's all.
If proxysql is not used, mariadb role will not create the shard_root_ID user in bootstrap (from my point of view it should), and therefore it will fail when HAProxy is used. This patch is just fixing user to connect.
Change-Id: Icd07807b2c404eb4d3f398879639b17f1e7949c2
-
- Aug 29, 2022
-
-
Radosław Piliszek authored
HAProxy prechecks could fail if the ansible_user was not allowed to access Docker API. Change-Id: I09bfa35392bed77321d2de2424e44e60b60a8451
-
Pierre Riteau authored
Closes-Bug: #1987866 Change-Id: Iaf352a15b9e6c9607e0d33c803c132d9267ca727
-
Pierre Riteau authored
MariaDB is left unchanged because its custom_member_list uses a different group (mariadb_default_database_shard_hosts). Change-Id: Icefd5a3d02ae4dfeb27401696c35ca2c38e203d3
-
LinPeiWen authored
In a multi-controller node, the presence of "run_once: True" and "when: inventory_hostname == groups['keystone'][-1]" will cause the task to be skipped. Closes-Bug: #1987982 Change-Id: I6a8f4ca285cda0675711b631aeed7ae4c992d879
-
Pierre Riteau authored
Instead of specifying a custom member list for each service that should be configured as active/passive, a new `active_passive` parameter can be set to true. This only works if `custom_member_list` is not used. Change-Id: I3758bc2377c25a277a29f02ebc20c946c7499093
-
- Aug 26, 2022
-
-
Radosław Piliszek authored
This avoids root privileges in tftpd's unprivileged container. Change-Id: I50366205c9cefe2af26c27580c02368f029b7605
-
Radosław Piliszek authored
Change-Id: I6b03d7ec0eb84c9a2544c2ad13102028452c2ec1
-
- Aug 22, 2022
-
-
Michal Arbet authored
This change enables the use of Docker healthchecks for mariadb-server service. Depends-On: https://review.opendev.org/c/openstack/kolla/+/805613 Change-Id: I893687a0501ea0f281b879df3141a354bff9eca6
-
wangxiyuan authored
openEuler 20.03 LTS SP2 is out of date. This patch:
1. Upgrade openEuler to 22.03 LTS for host OS.
2. Switch guest OS from CentOS 8 to Ubuntu
Change-Id: If2ff036e965def141f67240945802611e1f4dc4e
-
- Aug 17, 2022
-
-
Will Szumski authored
This allows you to use a more descriptive name if you desire. For example, when using cinder with multiple ceph backends, rbd-1 doesn't convey much information. You could include location, disk technology, etc. in the name. Change-Id: Icfdc2e5726fec8b645d6c2c63391a13c31f2ce9a
-