  1. Mar 10, 2022
    • libvirt: support SASL authentication · d2d4b53d
      Mark Goddard authored
      In Kolla Ansible OpenStack deployments, by default, libvirt is
      configured to allow read-write access via an unauthenticated,
      unencrypted TCP connection, using the internal API network.  This is to
      facilitate migration between hosts.
      
      By default, Kolla Ansible does not use encryption for services on the
      internal network (and did not support it until Ussuri). However, most
      other services on the internal network are at least authenticated
      (usually via passwords), ensuring that they cannot be used by anyone
      with access to the network, unless they have credentials.
      
      The main issue here is the lack of authentication. Any client with
      access to the internal network is able to connect to the libvirt TCP
      port and make arbitrary changes to the hypervisor. This could include
      starting a VM, modifying an existing VM, etc. Given the flexibility of
      the domain options, it could be seen as equivalent to having root access
      to the hypervisor.
      
      Kolla Ansible supports libvirt TLS [1] since the Train release, using
      client and server certificates for mutual authentication and encryption.
      However, this feature is not enabled by default, and requires
      certificates to be generated for each compute host.
      
      This change adds support for libvirt SASL authentication, and enables it
      by default. This provides a base level of security. Deployments requiring
      further security should use libvirt TLS.
      
      [1] https://docs.openstack.org/kolla-ansible/latest/reference/compute/libvirt-guide.html#libvirt-tls
      
      Depends-On: https://review.opendev.org/c/openstack/kolla/+/833021
      Closes-Bug: #1964013
      Change-Id: Ia91ceeb609e4cdb144433122b443028c0278b71e
  2. Mar 03, 2022
  3. Feb 25, 2022
    • Enable Ironic iPXE support by default · baeca81a
      Radosław Piliszek authored
      Ironic has changed the default PXE to be iPXE (as opposed to plain
      PXE) in Yoga. Kolla Ansible supports either one or the other and
      we tend to stick to upstream defaults so this change enables
      iPXE instead of plain PXE - by default - the users are allowed
      to change back and they need to take one other action so it is
      good to remind them via upgrade notes either way.
      
      Change-Id: If14ec83670d2212906c6e22c7013c475f3c4748a
  4. Feb 21, 2022
  5. Feb 18, 2022
    • Add support for VMware First Class Disk (FCD) · 812e03f7
      alecorps authored
      An FCD, also known as an Improved Virtual Disk (IVD) or
      Managed Virtual Disk, is a named virtual disk independent of
      a virtual machine. Using FCDs for Cinder volumes eliminates
      the need for shadow virtual machines.
      This patch adds Kolla support.
      
      Change-Id: Ic0b66269e6d32762e786c95cf6da78cb201d2765
  6. Feb 17, 2022
    • Add support for VMware NSXP · 458c8b13
      Alban Lecorps authored
      NSXP is the OpenStack support for the NSX Policy platform.
      This is supported from neutron in the Stein version. This patch
      adds Kolla support.
      
      This adds a new neutron_plugin_agent type 'vmware_nsxp'. The plugin
      does not run any neutron agents.
      
      Change-Id: I9e9d8f07e586bdc143d293e572031368af7f3fca
  7. Feb 02, 2022
    • Deploy Zun with Cinder Ceph support · eb7e0f6f
      Buddhika Sanjeewa authored
      Enables zun to access cinder volumes when cinder is configured to use
      external ceph.
      Copies ceph config file and ceph cinder keyring to /etc/ceph in
      zun_compute container.
      
      Closes-Bug: 1848934
      Change-Id: Ie56868d5e9ed37a9274b8cbe65895f3634b895c8
  8. Jan 31, 2022
  9. Jan 20, 2022
  10. Jan 09, 2022
    • OpenID Connect certificate file is optional · 78f29fdc
      Stig Telfer authored
      Some ID provider configurations do not require a certificate file.
      Change the logic to allow this, and update documentation accordingly.
      
      Change-Id: I2c34a6b5894402bbebeb3fb96768789bc3c7fe84
  11. Jan 07, 2022
  12. Jan 03, 2022
  13. Dec 31, 2021
  14. Dec 23, 2021
  15. Dec 21, 2021
  16. Dec 20, 2021
    • [docs] Mark init-runonce properly · 1c93c8ea
      Radosław Piliszek authored
      This is a docs amendment to let users know that calling
      init-runonce is not a required deployment step and it may not work
      for them if they modified the defaults.
      
      Change-Id: Ia3922b53d91a1a820447fec6a8074b941edc2ee9
  17. Nov 25, 2021
  18. Nov 11, 2021
  19. Nov 10, 2021
  20. Nov 09, 2021
  21. Nov 04, 2021
  22. Oct 27, 2021
  23. Oct 22, 2021
  24. Oct 20, 2021
  25. Oct 12, 2021
  26. Oct 06, 2021
  27. Oct 04, 2021
    • Add missing CloudKitty documentation. · d5aa73c4
      Gaël THEROND (Fl1nt) authored
      * Fix various typos and formatting.
      * Add documentation about custom collector backend.
      * Add documentation about custom storage backend.
      
      Change-Id: If937afc5ce2a2747f464fbaf38a5dcf2e57ba04f
      Closes-bug: #1940842
  28. Sep 30, 2021
  29. Sep 28, 2021
    • Transition Keystone admin user to system scope · 2e933dce
      Niklas Hagman authored
      A system-scoped token implies the user has authorization to act on the
      deployment system. These tokens are useful for interacting with
      resources that affect the deployment as a whole, or expose resources
      that may otherwise violate project or domain isolation.
      
      Since Queens, the keystone-manage bootstrap command assigns the admin
      role to the admin user with system scope, as well as in the admin
      project. This patch transitions the Keystone admin user from
      authenticating using project scoped tokens to system scoped tokens.
      This is a necessary step towards being able to enable the updated oslo
      policies in services that allow finer grained access to system-level
      resources and APIs.
      
      An etherpad with discussion about the transition to the new oslo
      service policies is:
      
      https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible
      
      
      
      Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
      Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
  30. Sep 26, 2021
    • Add way to change weight of haproxy backend per service · 7c2b4bea
      Michal Arbet authored
      This patch adds an option to control the weight of haproxy
      backends per service via a host variable.
      
      Example:
      
      [control]
      server1 haproxy_nova_api_weight=10
      server2 haproxy_nova_api_weight=2 haproxy_keystone_internal_weight=10
      server3 haproxy_keystone_admin_weight=50
      
      If weight is not defined, everything is working as before.
      
      Change-Id: Ie8cc228198651c57f8ffe3eb060875e45d1f0700
  31. Sep 23, 2021
  32. Sep 16, 2021
  33. Aug 25, 2021
    • docs: Add placeholder page for CI & testing information · d8641e90
      Mark Goddard authored
      Change-Id: Iebcac0827c6f715c6b804223cdcf2cc2e425120b
    • Add kolla-ansible gather-facts command · d9a37589
      Mark Goddard authored
      In some situations it may be helpful to populate the fact cache on
      demand. The 'kolla-ansible gather-facts' command may be used to do this.
      
      One specific case where this may be helpful is when running kolla-ansible
      with a --limit argument, since in that case hosts that match the limit
      will gather facts for hosts that fall outside the limit. In the extreme
      case of a limit that matches only one host, it will serially gather
      facts for all other hosts. To avoid this issue, run 'kolla-ansible
      gather-facts' without a limit to populate the fact cache in parallel
      before running the required command with a limit.
      
      Change-Id: I79db9bca23aa1bd45bafa7e7500a90de5a684593
  34. Aug 22, 2021