Currently, when there are some qemu processes which may be some useful
virtual machines running by the operator running on non compute node, the
cleanup script will fail the cleanup operation for that node. We need to
ignore the qemu process check for non compute nodes.

Change-Id: If49a1a30764063935b2a65312de8f3b2357c7fbc
Closes-bug: 1633005

Change-Id: I9779d5df65c5d560854dec55cc0a70cb82f895c4
Closes-Bug: #1632697

TrivialFix

Co-Authored-By: zhubingbing <zhubingbing10@gmail.com>

Change-Id: Idcd4c0024f93266746a00a2320980c08eca8b7e2

By default Barbican has not enabled the Keystone authentication:

[pipeline:barbican_api]
pipeline = cors unauthenticated-context apiapp

According to the Barbican install guide[1] this pipeline should be:

pipeline = cors authtoken context apiapp

[1]: http://docs.openstack.org/developer/barbican/setup/keystone.html

Change-Id: I941515a98772a72762b20507e100e7872f3b4ab8
Closes-bug: #1625337

By default barbican uwsgi is configured to listen all address on host
[1], we need to change this to the ip address of the host.

[1]:
https://github.com/openstack/barbican/blob/master/etc/barbican/vassals/barbican-api.ini

Change-Id: I4a1f9fb44ad55caf21f82c1b6d272a9743d65fd8
Closes-bug: #1632177

TrivialFix

Change-Id: If98f7aff71b5d003effc466cc8b6dbec219792cf

The provider_config is configured wrong. And Grafana only supports one
Memcached instance for session, which is bad for high available.

Use mysql to provider the session storage.

TrivialFix

Change-Id: I889a961d7f36f44701654fbac04b4bff05043506

Change-Id: I860fdc3268d0fdcb775ea345bb0eb621c8dafe07
Closes-bug: #1631902

Sahara api workers is hard-coded to 2 [1], it should be configurable as
other services do.

[1]:
https://github.com/openstack/kolla/blob/master/ansible/roles/sahara/templates/sahara.conf.j2#L9

Change-Id: Iefb487275c4e0d02f58a198e3995ca096f5e9218
Closes-bug: 1631835

Closes-Bug: #1630947

Change-Id: Ie28ec6399add384962cfdcf83c93c3bef132d57e

In cases where a proxy command is being used to access cluster
instances, rootwrap is needed for sahara user in docker container.

http://docs.openstack.org/developer/sahara/userdoc/advanced.configuration.guide.html#non-root-users

TrivialFix

Change-Id: Ic2b7deb6bd0e5f740944c32d89390fb56b88f4fa

When all mariadb nodes are stopped gracefully, mariadb galera will
write it's last executed position into the grastate.dat file. Need find
the node with largest seqno number in that file and recovery from that
node.

Closes-Bug: #1627717
Change-Id: I6e97c190eec99c966bffde0698f783e519ba14bd

Closes-Bug: #1626364
Change-Id: I9d586b950b7099a9b160f7b32c9ff00b189a0287

mistral create keystone client by using auth_uri to v3 explicitly[0]

[0] https://github.com/openstack/mistral/blob/7685cdb1b653ecbeda28ad45adcc3196cb52767e/mistral/utils/openstack/keystone.py#L174,#L184

Change-Id: Iff38204414289a9aa36232b2c461bc5bdde46e56
Closes-Bug: #1620630

The Heka bookstrap doesn't do anything different then
the start code.  Remove the boostrap step since it isn't
needed.

Change-Id: Id9906c6e2cef83fd6d1fcbcbef7a32d9948d07a3
Closes-bug: #1631651

Closes-Bug: #1631286

Change-Id: I874913a08e932766d9517bf4740de94146d7b5fb

Change-Id: Idecb70e90ae560d1c41756e3617225556087dd19
Closes-Bug: #1631048

Genconfig and reconfigure failing for magnum.
Chainging magnum trust configuretion parameters
to user/domain names instead of ids so they don't
depend on register.yml task anymore.

Change-Id: I55fddf48eafc44892fd0ab96835bfb0b51849d37
Closes-bug: #1630248

If enable_rabbitmq or enable_keystone are false, the configs will not be
copied to target nodes for these. This resulted in Heka failing to
start.

Change-Id: I93d15534802b671f1f42e8b2dfb523a17526ffb7
Closes-Bug: #1630613

Horizon was missing SESSION_ENGINE from it's conf which means it was not
making use of memcached.

Change-Id: I450aee05f59e344902f1e92d913f4c1ce9e8dcc6
Closes-Bug: 1630509

The if/else blocks in this file cause a rendering error on control nodes
when enable_neutron_dvr: yes

ParsingError: File contains parsing errors: <???>
        [line  3]: u'    external_network_bridge =\n'

Change-Id: Ia461dcbbec531c4c6295b3c7e10da12c57b7d58b
Closes-Bug: 1626995

Sahara endpoint need api version and tenant_id
in the URL, otherwise will fail with an incorrect
path/resource could not be found.

Change-Id: I348919b8ff1d00a1f6ce782f07ce2354201bac8b
Closes-Bug: #1629895

By default HAProxy send pre-4.1 authentication packets which are cause
warnings on server side. To use modern MySQl authentication mysql-check
configuration have to include post-41 option.

Change-Id: I88609d3a0cc3ce4a10e64ba65230ba4d97f34419
Closes-Bug: 1629911

We need install rabbitmq_clusterer plugin in the rabbitmq server folder.
create a rabbitmq_server-3.6 folder to handle the z stream change for
rabbitmq-server.

TrivialFix

Change-Id: I5254c1909f169e542d1a5efc910d5e17a53de7ff

When the iscsid containers is included in the kolla deployment it starts
successfully on a compute node but fails to start on a storage node, if
cinder is enabled because the config file is not copied to the container
BTW, if cinder is not enabled the iscsid container starts successfully
on both the compute and storage nodes.

Change-Id: I665535d858affebc9623b29f79c89c18f7cc399f
Closes-Bug: #1629381

command fails since it is a compound command. Changed to a single awk
command instead.

Closes-Bug: #1629206

Change-Id: Id7963b15c3321eca6f891a625b1ba140dc57aa22

* Mount system folder in ironic-conductor
* Add package need in ironic-conductor
* Fix the log path issue
* Add ironic sudoer in ironic-base
* Fix credential issue
* Do not start nova-compute when enable ironic

Closes-Bug: #1629334
Change-Id: If9d478c6513de37465403d458a88cf0da7ebd8a6

rabbitmq-server version upgrade to 3.6.5 in RDO repo. This patch set

* Download the rabbitmq_clusterer plugins to the correct path
* Install 3.6.5 rabbitmq-server for Ubuntu/Debian distro

Closes-Bug: #1611655
Co-Authored-by: Jeffrey Zhang <zhang.lei.fly@gmail.com>
Change-Id: I8de9a553b506a15f4d96cc6b55f21e3a27887a1d

By default CADF events added even if they are disbaled in all.yml.
Boolean check is missing is added so that CADF configurations will
be added only if it is enabled.

Change-Id: I757ae176228cc4e74d06ce85b27200bdcdd5dd5c
Closes-Bug: #1607904

In cf0c25c3 [0] a play was added to run the common role against all
hosts. This ends up being redundant since every role includes the common
role as a dependancy. The reasoning behind this change as pointed out by
the author in the review comments [1] was so that an operator could run
with '--tags common' and just have the common role applied.

To avoid redundancy, the common play has been removed and tags have been
added to the common role. This allows for just the common role to run
when another role is including it while reducing redundancy.

A side affect of removing the common playbook which runs against all
hosts is that not all facts on all hosts are gathered at the beginning
of the site.yml. This breaks the haproxy role since it relies heavily on
facts to build out the haproxy.cfg file.

Previously, the haproxy role would include several hosts purely for fact
gathering purposes as pointed out in c68c9d95 [2] and a guard was put in
place so that the tasks would only run against the 'haproxy' group. In
423e3f3f [3] these hosts were removed. After reading the review [4],
this seems to have been done without fully understanding why the hosts
were there in the first place.

This change did not break anything however since the common role that
ran on all hosts mentioned previously would gather all of the facts
necessary.

To fix this fact gathering issue replace the common role play with a
play that will simply gather facts with an 'always' tag to ensure it is
run regardless of what might be passed in the '--tags' argument by the
operator.

Kudos to Paul Bourke for helping identify many of these issues.

[0] https://github.com/openstack/kolla/commit/cf0c25c37d4dd901a839a12247212c22493e1409
[1] https://review.openstack.org/#/c/369212/
[2] https://github.com/openstack/kolla/commit/c68c9d95fca6485c79a607b3716a88e284c7a64e
[3] https://github.com/openstack/kolla/commit/423e3f3fdf07f40b46fed1125076880660d14c53
[4] https://review.openstack.org/#/c/355861

TrivialFix
Closes-Bug: #1628472

Change-Id: Ia94146579e743935501f1ff4b4c1bf6cb7c43aa3

Gnocchi previously lacked high availability. We consider a lack of HA
in our a vast majority of operator oriented services to be a defective
design choice. this change integrates gnocchi with ceph to resolve the
the lack of HA.

Closes-Bug: #1626623
Change-Id: I71c5137842cb48bc4af0e50a2952df5631d0d6df

* mount gnocchi volume for gnocchi-api and gnocchi-statsd
* fix the failed of gnocchi-api
* use gnocchi user when running gnocchi-upgrade
* use the app.wsgi file in python path directly, rather than copy it to
  /var/www/cgi-bin/gnocchi/app file

TrivialFix

Change-Id: Ie026b8f44cd8e9703bf115cebb4e2d50b114a3a2

Cinder-backup containers require iscsid to mount iscsi volumes
to backup if the volumes are on different storage host. This
fix adds missing 'storage' group to iscsi playbook.

Change-Id: Iba3fb861b3f14c20b8a020075f2473ba7a0dd9a2
Closes-Bug: 1611330

TrivialFix

Change-Id: I23d74821c7f65cdf20c214f7622f4df0d3c0e172

Change-Id: Ia4a9e132683a8328cb2ff6d7e28e3560f2a8614e
Closes-Bug: #1628584

- Add mistral in HAproxy
- Set mistral api to bind on api_interface
- Fix mistral endpoint
- Add database population on bootstraping
- Add mistral port prechecks

Change-Id: If1617fb9dcd8b3bbd4f94c68ca87c36e39711016
Closes-Bug: #1626570

This patch set fixes all Magnum issues in kolla master.

The [trust] section set to magnum.conf
using created trustee domain and user for Magnum
in ansible/roles/magnum/tasks/register.yml using ansible
openstack modules.

Bump shade to 1.5.0 in kolla-toolbox because of
os_user_role ansible module dependency.

Certificate storage is changed from 'local' (non-production)
to magnum's internal storage (x509keypair) or barbican.

Co-Authored-By: Martin Matyas <martinx.maty@intel.com>
Change-Id: Ifcb016c0bc4c8c3fc20e063fa05dc8838aae838c
Closes-Bug: #1551992

"project_domain_id" and "project_name"
cannot be specified [trustee] section or keystone will throw a
"cannot be scoped to multiple targets" error when we attempt to get
a token scoped to a trust.

Change-Id: I167c0e31835d05b8069fd931ef76fb337dd99207
Closes-Bug: #1628353

TrivialFix

Change-Id: Ie836e1e12a40692b7da3cdd24b0a980ee6081b16

* Rename gnocchi-api-paste.ini to api-paste which is used in gnocchi
* Copy api-paste.ini to /etc/gnocchi in container

TrivialFix

Change-Id: I0ea5d947f3a4323e641a041fb190cae3031d36b2