Add global_request_id according to oslo.log defaults [1],
also support lines like:

2024-12-23 20:48:29.905 2 ERROR oslo_service.periodic_task ['Traceback (most recent call last):\\n'

[1]: https://docs.openstack.org/oslo.log/latest/configuration/#DEFAULT.logging_context_format_string

Closes-Bug: #2044370

Change-Id: I80c3e20de0b7503de6331b55879e85892323b3d6
(cherry picked from commit 5a3fb2b4)

Change-Id: Ic0e33c4f2939c36ed80caa3ec1015cf53a4d93e2
(cherry picked from commit 638e1e30)

It can be useful to run Ironic commands on the public API if access to
the internal API is not possible.

Related-Bug: #2051837
Change-Id: Ice0eb62f2bb26ca6e3ac8d02c6ea787b60408a86
(cherry picked from commit 1916b3c2)

Change-Id: Idd143389534ef2195a07059efca732fb81f92171

Change-Id: If982d397e7c8ed8ac36f6274cbb3438cb04075b3
Closes-Bug: #2087537
(cherry picked from commit 51fb7f92)

Change from file to template

Closes-Bug: #2089229
Change-Id: I7cbc6a94608baf4f04ef231cc88397fc5dcf0a9b
(cherry picked from commit f30dd3e5)

Also rewrite/reformat while here.

Change-Id: Ife2acdb0d4360c58c7de68cf259a0ed4a86234c2
(cherry picked from commit 2339561e)

Closes-Bug: #2086171
Change-Id: I4001ddad198dcf40f71e9196e126cc78a19d1437
(cherry picked from commit fa54e69e)

As version-check.yml is added to deploy.yml, we must make sure the
tasks are only run when the rabbitmq container exists.

Change-Id: Iaa31bae739110094affb5e402ed9ac40b153ac3d
(cherry picked from commit f5ad7829)

Moving the CLI to python allows for easier
maintenance and larger feature-set.

This patch introduces a few breaking changes!
The changes stem the nature of the cliff package.
- the order of parameters must be
  kolla-ansible <action> <arguments>
- mariadb_backup and mariadb_recovery now are
  mariadb-backup and mariadb-recovery

Closes-bug: #1589020
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>
Change-Id: I9749b320d4f5eeec601a055b597dfa7d8fb97ce2

This patch enables internal TLS database
connection for Keystone.

Change-Id: I816d051e933a560629d9b9c95362f668abe4ade7

This patch ads an ability to receive TLS connections
to ProxySQL. Certificates and variable lookups are
added in order for TLS to be enabled by
<project_name>_database_internal_tls_enable.
Note that in order for this to work, mysql
connection strings need to have TLS enabled,
which can be added in separate per-service patches

Change-Id: I2c06ce5e138f52259c1725dae37f25c1b00d1e6b

Change-Id: I33a3ec11b0cdef94b08cd7551008284755824cb7

This commit adds TLS connection between ProxySQL and MariaDB.
Frontend TLS ( between services and ProxySQL) will be
added in another commit.

Parialy Implements: mariadb-ssl-support

Change-Id: I154cbb096469c5515c9d8156c2c1c5dd07b95849
Signed-off-by: Matus Jenca <matus.jenca@dnation.cloud>

The backup user was missing the necessary CREATE
privilege for the mariadb_backup_history table
within the mysql schema, causing backups to fail
when attempting to create this table.

This patch addresses the issue by granting the backup
user the required CREATE permission specifically for
the mariadb_backup_history table. With this change,
the backup process can now complete successfully
without manual intervention for user permissions.

Closes-Bug: #2061889
Change-Id: Ic92c8959972329adbd4b89c521aa87678f25b4e4

It's been some time since ProxySQL has been
with us in Kolla. Let's switch the load balancer
for MariaDB connections from HAProxy to ProxySQL.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/928956
Change-Id: I42ba4fb83b5bb31058e888f0d39d47c27b844de5

In single-node clusters, ProxySQL shuns the server on MySQL
errors, causing failures during upgrades or container restarts.
This change increases the timeout to 10 seconds, allowing
the backend time to recover and preventing immediate errors
in CI environments.

Change-Id: I70becdc3fcb4ca8f7ae31d26097d95bdc6dd67eb

Add missing logrotate config for redis.

Closes-Bug: 2084523

Change-Id: Ic631a9c87f7be30f7694706928d9ede62015ed6d
Signed-off-by: Jan Horstmann <horstmann@osism.tech>

ubuntu-ceph is broken for now due to [1], also there are no
download.ceph.com packages for Noble - so we're using Ubuntu
provided ones from proposed - because current version
in regular repos is built from git sha instead of a release
and is not suitable for running outside of Ceph upstream CI.

[1]: https://tracker.ceph.com/issues/66389

Depends-On: https://review.opendev.org/c/openstack/kolla/+/907589

Change-Id: I384068572d8a1a495c60b401dc4144a0a80802f1

Closes-Bug: #2084128
Change-Id: I3b44c8f4ff3c55023d8bab4e9a88a86ca72cae5d

Since [1] Neutron puts requested-chassis entry with a name taken
from the agent, which results in FQDN-based name on FQDN-based
deployments. It does not match what we set in hostname in OVS.

[1]: I4e3c001dd3bb37b86fda8b9495a3c5178c3e736d

Closes-Bug: #2080552
Change-Id: I3ae03aa2e09bc445f0f5a95a43bf210f06685cc1

This patch fixes an issue where backend related
certificates are attempted to be copied when
``kolla_copy_ca_into_containers`` is enabled but
``kolla_enable_tls_backend`` is disabled.

The fix consists of these specific tasks now
being limited by the condition ``kolla_enable_tls_backend``

Closes-Bug: #2080381

Change-Id: I7ccae4c501ce332519edef336bcceefae9f9568b

Kolla-ansible itself requires ansible-core>=2.16,<2.18,
but ansible-core in this version no longer supports
python38 and python39 as per [1].

So let's just drop this old python support.

[1] https://github.com/ansible/ansible/blob/v2.16.11/setup.cfg

Change-Id: Ic8aaa57f75479a17c215c27ac5e6df0f18c74edc

This update enhances the monitoring of the databasecluster
in ProxySQL. The default monitoring intervals were insufficient
for reliably detecting failures in the Galera cluster environment.

A detailed configuration for monitoring intervals has been
introduced, providing better control over how quickly and accurately
ProxySQL can identify issues.

  - Variables such as `mariadb_monitor_connect_interval`,
    `mariadb_monitor_galera_healthcheck_interval, and
    `mariadb_monitor_ping_interval` significantly reduce
    the time between connection checks.

  - Timeouts like `mariadb_monitor_galera_healthcheck_timeout`
    and `mariadb_monitor_ping_timeout` allow faster failure
    detection, while `mariadb_monitor_galera_healthcheck_max_timeout_count`
    sets the maximum number of allowed timeouts before marking a node as down.

Calculation:

 - Galera healthcheck:

   4 seconds (interval) + 1 second (timeout) + 4 seconds (interval)
   + 1 second (timeout) = 10 seconds.

 - Ping healthcheck:

   3 seconds (interval) + 2 seconds (timeout) + 3 seconds (interval)
   + 2 seconds (timeout) = 10 seconds.

Both the health check and ping check mechanisms will detect a node failure
within a maximum of 10 seconds. Both processes (health check and ping)
operate independently, and failure in either mechanism will mark the node
as failed.

Health Check Failure Detection: Up to 10 seconds.
Ping Failure Detection: Up to 10 seconds.
Connect Attempts: ProxySQL also tries to connect every 2 seconds, which
helps monitor connectivity.

These changes ensure that ProxySQL can detect issues in 10 seconds
as haproxy, significantly reducing downtime compared to default settings.
This adjustment enables faster and more reliable monitoring, improving system
stability and reducing potential downtime in production environments.

Change-Id: Ic28801519cdb35ed2387a1468b9df661847a5476

Followup on Ib69fc0017b3bfbc8da4dfd4301710fbf88be661a. This change
adds the ability to provide the NTP (time source) server for multiple
DHCP ranges in the Ironic Inspector DHCP server.

Change-Id: I4bbfef3a391b8582ae73cbe06138715b43584dec
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

This change adds the ability to configure Huawei backends in Cinder
as described in [1] by adding the additional configuration XML files
to the cinder-volume containers. However, this change does not
provide the default configuration options for the cinder.conf due to
the wide range of Huawei hardware that is supported. Operators may
also wish to configure multiple backends, so they should use the
standard method of overriding backend sections to use these XML
files, as described in [2].

1. https://docs.openstack.org/cinder/latest/configuration/block-storage/drivers/huawei-storage-driver.html
2. https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html#openstack-service-configuration-in-kolla



Implements: blueprint cinder-huawei-backend
Co-Authored-By: Juan Pablo Suazo <jsuazo@whitestack.com>
Co-Authored-By: Maksim Malchuk <maksim.malchuk@gmail.com>
Change-Id: Ic8624b2e956b1f48f5fb96d6d8a0150b67236d20
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

This patch resolves an issue where ProxySQL could not
bind due to incorrectly formatted IPv6 addresses in the
`mysql_ifaces` configuration. The kolla's
`put_address_in_context` filter is now used, ensuring
the addresses are properly enclosed in square brackets
for correct binding.

Closes-Bug: #2081106
Change-Id: Ic166b8d9a500023c8d23ec9fee03b28b268b26e7

Closes-Bug: #2081149
Change-Id: I9969492571e5e9864d4acb95b1af172264cfbd66

This patch removes the hardcoded `distro_python_version`
mapping and usage from the configuration and templates,
aligning with the dynamic Python version detection
introduced in the dependent patch below.

The changes simplify the kolla-ansible roles by using
general `python3` paths, ensuring compatibility across
distributions without requiring version-specific handling.

Template files for Horizon, Ironic, Skyline, and others
have been updated to reflect this,
improving maintainability and reducing complexity.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/926744
Change-Id: I85431b058b4184d96600cf17aaf8de871a018d61

This trivial fix simply consists of
adding the forgotten action after
the kolla-ansible was reworked in review [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/911417

Closes-Bug: #2080408
Change-Id: I26b5db3a3eeebd758ad05d9cb9aa689a68e1816f

From version 2.1, ProxySQL has a built-in ProxySQL
Prometheus exporter. This patch adds an option to
easily enable this exporter [1].

[1] https://proxysql.com/documentation/prometheus-exporter

Change-Id: I8776cdc0a6ec9e4e35a2424dd0984488514a711f

This patch fix issue when inventory file is deleted
by kolla-ansible -i /etc/kolla/inventory destroy call.

Now, inventories are available in tools/cleanup-host
so we can ignore their removal.

Closes-Bug: #2052706
Change-Id: If89e94356de515b40ca4e8c023979cd498146303

When using dnsmasq as a DHCP server, unless you use the noping option
(and that is not recommended), the NET_RAW capabilty is required so
that dnsmasq can send ICMP packets. These are used to check an address
is not currently in use[1].  Docker enables this capability by
default. Podman runs containers with a minimal set of capabilities[3].

[1] https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012840.html
[2] https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities
[3] https://github.com/rhatdan/common/blob/f39f2a3f8c7680b9e456b9d235570e511807d6c6/docs/containers.conf.5.md?plain=1#L84-L101

Closes-Bug: #2055282
Change-Id: Ib3a1313df680d91c7f008063937ca7d37e82f690

This is a prerequisite for patchset #924651

Nova runs checks before upgrading. A new nova_upgrade_checks container
is started for that purpose. This container uses the new nova-api
image, but the old config.json file. The image expects CA certificates
in a certain location, but due to the old config.json file, they will
not be present. This results in the container not trusting keystone SSL
certificate and the upgrade fails, since it can't connect. Moving the
config section before the checks ensures that the new container has
all the certificates it needs to connect to Keystone.

Also nova_enable_rolling_upgrade is no longed used, so there was no
point in keeping upgrade tasks split.

Change-Id: I44bf48fb86f639d7f0acb786392573ebfed7ee97
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>

Inner modules called by the kolla_toolbox module were returning stdout
and stderr as a single output object. This could break JSON parsing if
any data was present in stderr, for example warnings such as:

    [WARNING]: Collection ansible.posix does not support Ansible version 2.14.17

Fix by using demux=True to separate the two streams. The stderr content
is logged as it could be useful for troubleshooting or catching
deprecation notices.

Change-Id: Iad0476d4511f28c837794352c9a3e2f47113d9a1
Closes-Bug: #2080544

Add a new variable keystone_federation_oidc_claim_delimiter
to make this configurable for keycloak OIDC federation.

Closes-Bug: #2080394

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: If14285f033ed4914fd3b28d7efcc95e1c9f273a5

Commit [1] introduced a bug into kolla-ansible
where there is incorrect indentation in the haproxy
configuration file. This patch fixes it.

[1] https://github.com/openstack/kolla-ansible/commit/b13fa5a92cb6d768c5839bd11667e2ca72a7cd2f

Closes-Bug: #2080034
Change-Id: I3375e303bc358fc79d1fa2e219e6ec1dba7a38ba

Change-Id: Ie73d7eef294e9e579314a61b39382f3ff3ba4b4b
Closes-Bug: 2078973

Fixes issue in PodmanWorker where it didn't set KOLLA_SERVICE_NAME
environment variable when creating new container.
Additionally, two methods were moved from DockerWorker
to ContainerWorker as they are applicable to both engines.

Closes-Bug: #2078940
Change-Id: I273444fc828678d3c6803bce1bc8db1c5366b9b6
Signed-off-by: Martin Hiner <martin.hiner@tietoevry.com>

Build upon changes in kolla which change strategy of installing projects
in containers when in dev mode. This fixes problems where when package
file manifest changes, the changes were not reflected in to
devmode-enabled container.

It changes the strategy of installing projects in dev mode in containers.
Instead of bind mounting the project's git repository to the venv
of the container, the repository is bind mounted to
/dev-mode/<project_name> from which the it is installed using pip
on every startup of the container using kolla_install_projects script.

Also updates docs to reflect the changes.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/925712


Closes-Bug: #1814515
Singed-off-by: Roman Krček <roman.krcek@tietoevry.com>
Change-Id: If191cd0e3fcf362ee058549a1b6c244d109b6d9a