This reverts commit 15259002.

Reason for revert: The iptables_firewall produces warnings without it.

Change-Id: Id046a3048436c4c18dd1fd9700ac9971d8c42c57

Nor set related sysctls.
More details in the reno.

Change-Id: I898548ecc6df3caa094c3222159b7ba1e16dc211
Closes-Bug: #1945789

chrony is not supported in Xena cycle, remove it from kolla

Moved tasks from chrony role to chrony-cleanup.yml playbook to avoid a
vestigial chrony role.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Change-Id: I5a730d55afb49d517c85aeb9208188c81e2c84cf

* Register Swift-compatible endpoints in Keystone
* Load balance across RadosGW API servers using HAProxy

The support is exercised in the cephadm CI jobs, but since RGW is
not currently enabled via cephadm, it is not yet tested.

https://docs.ceph.com/en/latest/radosgw/keystone/

Implements: blueprint ceph-rgw

Change-Id: I891c3ed4ed93512607afe65a42dd99596fd4dbf9

A system-scoped token implies the user has authorization to act on the
deployment system. These tokens are useful for interacting with
resources that affect the deployment as a whole, or exposes resources
that may otherwise violate project or domain isolation.

Since Queens, the keystone-manage bootstrap command assigns the admin
role to the admin user with system scope, as well as in the admin
project. This patch transitions the Keystone admin user from
authenticating using project scoped tokens to system scoped tokens.
This is a necessary step towards being able to enable the updated oslo
policies in services that allow finer grained access to system-level
resources and APIs.

An etherpad with discussion about the transition to the new oslo
service policies is:

https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible



Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>

This patch adding option to control weight of haproxy
backends per service via host variable.

Example:

[control]
server1 haproxy_nova_api_weight=10
server2 haproxy_nova_api_weight=2 haproxy_keystone_internal_weight=10
server3 haproxy_keystone_admin_weight=50

If weight is not defined, everything is working as before.

Change-Id: Ie8cc228198651c57f8ffe3eb060875e45d1f0700

This change bumps up max supported Ansible version
to 4.x (ansible-core 2.11.x) and minimum to 2.10.

Change-Id: I8b9212934dfab3831986e8db55671baee32f4bbd

This allows one variable to specify the tag for all MariaDB images.

Change-Id: I164cdd41787f8bd52d8e08cb380d42625a8bbd84
TrivialFix

Haproxy was renamed in [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/770618

Change-Id: Ib2d7f0774fede570a8c4c315d83afd420c31da0b

Signed-off-by: Bernd Mueller <mueller@b1-systems.de>
Change-Id: Idb8a82acbd8193fd3fe71c080a1c57e8614d89ec

When running kolla-ansible upgrade with a host limit that does not
include controllers, the neutron upgrade fails.

Change-Id: I7125a6ef1f180db6997026ff27e84feb04ee239d
Closes-Bug: #1939691

Currently only operations done with default kolla_toolbox user are logged
to /var/log/kolla/ansible.log.

In order to fix logging, permissions to ansible.log must allow writing
for other users in kolla group - and then a separate patch will follow
to make custom ansible.cfg file usable by other toolbox users.

Partial-Bug: #1942846
Change-Id: I1be60ac7647b1a838e97f05f15ba5f0e39e8ae3c

This is required for libvirtd with cgroupsv2 (Debian Bullseye and
soon others).
Otherwise, device attachments simply fail.
The warning message suggests filtering will be disabled but it
actually just fails the action entirely.

Change-Id: Id1fbd49a31a6e6e51b667f646278b93897c05b21
Closes-Bug: #1941940

It was removed in [1] as part of cgroupsv2 cleanup.
However, the testing did not catch the fact that the legacy
cgroups behaviour was actually still breaking despite latest
Docker and setting to use host's cgroups namespace.

[1] 286a03ba

Closes-Bug: #1941706
Change-Id: I629bb9e70a3fd6bd1e26b2ca22ffcff5e9e8c731

to behave like it is most commonly expected - query Nova in the
same region.

Closes-Bug: #1939291
Change-Id: I584a83d352c747a799b5dab1d3b8159ba3805454

For now role haproxy is maintaining haproxy
and keepalived. In follow-up changes there is also
proxysql added.

This patch is *only* renaming/moving stuff to more
prominent role loadbalancer, and moving also specific
templates to subdirectory.

This was done only to better diff in follow-up
changes.

Change-Id: I1d39d5bcaefc4016983bf267a2736b742cc3a555

Sometimes, the registries may intermittently fail to deliver the
images. This is often seen in the CI, though it also happens with
production deployments, even those with internal registries and/or
registry mirrors - due to sheer load when trying to pull the
images from many hosts.

This patchs adds two new vars to control retry behaviour.
The default has been set to make users happier by default. :-)

Change-Id: I81ad7d8642654f8474f11084c6934aab40243d35

It seems to have been mistakenly introduced by
de00bf49
"Simplify handler conditionals"

Change-Id: I65b6e322fa11a870f32099bbfd62150cbea4feb5

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Closes-Bug: #1940286
Change-Id: I647f8615e9fd0cc0db7c737ce4afbd1bdd0d40d4

This change enables the use of Docker healthchecks for
keystone-fernet container. It checks if "key 0" has
right permissions, and if rsync is able to distribute
keys to other keystones.

Implements: blueprint container-health-check
Change-Id: I17bea723d4109e869cd05d211f6f8e4653f46e17

This change enables the use of Docker healthchecks for
nova-spicehtml5proxy service.

Implements: blueprint container-health-check
Change-Id: I584c588c20781e6c6567429811aecf97967baea3

Certain overrides for rabbitmq may need to be set for `rabbitmqctl` in
kolla-toolbox aswell.
This commit allows to override `rabbitmq-env.conf` and `erl_inetrc` in
kolla-toolbox.

Change-Id: Idef6adcf9700f75a2db503444a8de093ee21a9c5

Closes-Bug: #1939883
Change-Id: Ica311acba445cccac1d20757ced6f15a064ebcaa

Change-Id: I2fe738249018e25e79fd726bc931be6b7bd91934

Kolla-ansible upgrade task is calling different
handlers as deploy task and these handlers are
missing healthcheck key. This patch is fixing
this.

Closes-Bug: #1939679
Change-Id: Id83d20bfd89c27ccf70a3a79938f428cdb5d40fc

CentOS binary packages for Xena have moved Neutron's api-paste.ini file
to /etc/neutron [1]. Ubuntu packages already provide this file at this
location. Source images should also have api-paste.ini installed there.

[1] https://review.rdoproject.org/r/c/openstack/neutron-distgit/+/34845

Depends-On: https://review.opendev.org/c/openstack/kolla/+/804269

Change-Id: Ideb0247578afb8cc36bb6ac26d8ef7fda494bee3

We get a nice optimisation by using a filtered loop instead
of task skipping per service with 'when'.

Partially-Implements: blueprint performance-improvements
Change-Id: I8f68100870ab90cb2d6b68a66a4c97df9ea4ff52

Follow up for I0c7e9a28876a1d4278fb2ed8555c2b08472864b9 which added a
ironic_enable_keystone_integration variable to support Ironic in
multi-region environments. This change skips Keystone service
registration based on ironic_enable_keystone_integration rather than
enable_keystone. It also updates the ironic-inspector.conf template to
use the new variable.

Change-Id: I2ecba4999e194766258ac5beed62877d43829313

This patch adds support for integrating Prometheus with Fluentd.
This can be used to extract useful information about the status
of Fluentd, such as output buffer capacity and logging rate,
and also to extract metrics from logs via custom Fluentd
configuration. More information can be found here in [1].

[1] https://docs.fluentd.org/monitoring-fluentd/monitoring-prometheus

Change-Id: I233d6dd744848ef1f1589a462dbf272ed0f3aaae

Missing comma in config.json template rendered invalid JSON with VMware
plugin agent.

Closes-Bug: #1939080

Change-Id: I3d0c6421e3da7e1e753b99cf87c32fc238a21523

Basically, there are three main installation scenario:

Scenario 1:
Ironic installation together with other openstack services
including keystone. In this case variable enable_keystone
is set to true and keystone service will be installed
together with ironic installation. It is possible realise this
scenario, no fix needed

Scenario 2:
Ironic installation with connection to already installed
keystone. In this scenario we have to set enable_keystone
to “No” to prevent from new keystone service installation
during the ironic installation process. But in other hand,
we need to have correct sections in ironic.conf to provide
all information needed to connect to existing keystone.
But all sections for keystone are added to ironic.conf only
if enable_keystone var is set to “Yes”. It isn’t possible
to realise this scenario. Proposed fix provide support for
this scenario, where multiple regions share the same
keystone service.

Scenario 3:
No keystone integration. Ironic don't connect to Keystone.
It is possible realise this scenario, no fix needed

Proposed solution also keep the default behaviour: if no
enable_keystone_integration is manually defined by default
it takes value of enable_keystone variable and all behaviour
is the same. But if we don't want to install keystone and
want to connect to existing one at the same time, it will be
possible to set enable_keystone var to “No”
(preventing keystone from installation) and at the same
time set ironic_enable_keystone_integration to Yes to allow
needed section appear in ironic.conf through templating.

Change-Id: I0c7e9a28876a1d4278fb2ed8555c2b08472864b9

Change-Id: Ib9ea83dd0019a4c4703e673a783c45ab07afe4e7

Elevated (root) privileges are required to set owner/group/mode when
target owner does not math the user running Ansible. Without it the
playbook fails with 'Permission denied' error.

Change-Id: Ie7455a5f1ed709dfb9c9d7c653c6f808c00af4c2

Change-Id: I0d7c7f47e6653cf2903589a9c86798a8c6404af5

This patch is fixing docker healthcheck for horizon
by changing value of horizon_listen_port, so
both apache's virtualhost and healthcheck will have
same correct port always. Also removing useless
apache's redirect as all redirects are done on
haproxy side.

Closes-Bug: #1933846
Change-Id: Ibb5ad1a5d1bbc74bcb62610d77852d8124c4a323

Kolla-ansible install python docker library in role/baremetal
to group/baremetal, because of this get container facts
for timesync checks is failing on deployment host.

This patch adding when conditional, so deployment host
will be skipped as there is no need to run timesync
checks.

Closes-Bug: #1933347
Change-Id: Ifefb9c74ee6a80cdbc458992d0196850ddfe7ffa

This trivial patch is setting "timeout tunnel" in haproxy's
configuration for spicehtml5proxy. This option extends time
when spice's websocket connection is closed, so spice will
not be freezed. Default value is set to 1h as it is in novnc.

Closes-Bug: #1938549
Change-Id: I3a5cd98ecf4916ebd0748e7c08111ad0e4dca0b2

Signed-off-by: Seena Fallah <seenafallah@gmail.com>
Change-Id: Iac1e82710df3ea82c17a6dcbf5d1821362aaa4a5

As mentioned in the Iced014acee7e590c10848e73feca166f48b622dc
commit message, in Ussuri+ we can use ``+sbwtdcpu none
+sbwtdio none`` as well. This is due to relying on RMQ-provided
erlang in version 23.x.

This change adds the extra arguments by default.
It should be backported down to Ussuri before we do a release with
Iced014acee7e590c10848e73feca166f48b622dc.

Change-Id: I32e247a6cb34d7f6763b544f247fd408dce2b3a2

Delete the "haproxy_single_service_listen.cfg.j2" template,
which has been replaced by "haproxy_single_service_split.cfg.j2"
and deprecated in the Victoria version

Change-Id: I3599f85afe9d3045820ea1ea70481ea2500e49ac