- Oct 17, 2024
-
-
Michal Arbet authored
In single-node clusters, ProxySQL shuns the server on MySQL errors, causing failures during upgrades or container restarts. This change increases the timeout to 10 seconds, allowing the backend time to recover and preventing immediate errors in CI environments.
Change-Id: I70becdc3fcb4ca8f7ae31d26097d95bdc6dd67eb
-
- Oct 16, 2024
-
-
Michal Nasiadka authored
Change-Id: Ie2b0b2d5fca7b9d7c613a67a134c4650de2a5af6
-
- Oct 15, 2024
-
-
Jan Horstmann authored
Add missing logrotate config for redis.
Closes-Bug: 2084523
Change-Id: Ic631a9c87f7be30f7694706928d9ede62015ed6d
Signed-off-by: Jan Horstmann <horstmann@osism.tech>
-
- Oct 14, 2024
-
-
Jakub Darmach authored
ubuntu-ceph is broken for now due to [1], also there are no download.ceph.com packages for Noble - so we're using Ubuntu provided ones from proposed - because current version in regular repos is built from git sha instead of a release and is not suitable for running outside of Ceph upstream CI.
[1]: https://tracker.ceph.com/issues/66389
Depends-On: https://review.opendev.org/c/openstack/kolla/+/907589
Change-Id: I384068572d8a1a495c60b401dc4144a0a80802f1
-
Rafal Lewandowski authored
Closes-Bug: #2084128
Change-Id: I3b44c8f4ff3c55023d8bab4e9a88a86ca72cae5d
-
- Oct 08, 2024
-
-
Michal Nasiadka authored
Since [1] Neutron puts requested-chassis entry with a name taken from the agent, which results in FQDN-based name on FQDN-based deployments. It does not match what we set in hostname in OVS.
[1]: I4e3c001dd3bb37b86fda8b9495a3c5178c3e736d
Closes-Bug: #2080552
Change-Id: I3ae03aa2e09bc445f0f5a95a43bf210f06685cc1
-
- Sep 29, 2024
-
-
Michal Arbet authored
This patch fixes an issue where backend related certificates are attempted to be copied when ``kolla_copy_ca_into_containers`` is enabled but ``kolla_enable_tls_backend`` is disabled. The fix consists of these specific tasks now being limited by the condition ``kolla_enable_tls_backend``.
Closes-Bug: #2080381
Change-Id: I7ccae4c501ce332519edef336bcceefae9f9568b
-
- Sep 23, 2024
-
-
Michal Arbet authored
This update enhances the monitoring of the database cluster in ProxySQL. The default monitoring intervals were insufficient for reliably detecting failures in the Galera cluster environment. A detailed configuration for monitoring intervals has been introduced, providing better control over how quickly and accurately ProxySQL can identify issues.
- Variables such as `mariadb_monitor_connect_interval`, `mariadb_monitor_galera_healthcheck_interval`, and `mariadb_monitor_ping_interval` significantly reduce the time between connection checks.
- Timeouts like `mariadb_monitor_galera_healthcheck_timeout` and `mariadb_monitor_ping_timeout` allow faster failure detection, while `mariadb_monitor_galera_healthcheck_max_timeout_count` sets the maximum number of allowed timeouts before marking a node as down.
Calculation:
- Galera healthcheck: 4 seconds (interval) + 1 second (timeout) + 4 seconds (interval) + 1 second (timeout) = 10 seconds.
- Ping healthcheck: 3 seconds (interval) + 2 seconds (timeout) + 3 seconds (interval) + 2 seconds (timeout) = 10 seconds.
Both the health check and ping check mechanisms will detect a node failure within a maximum of 10 seconds. Both processes (health check and ping) operate independently, and failure in either mechanism will mark the node as failed.
Health Check Failure Detection: Up to 10 seconds.
Ping Failure Detection: Up to 10 seconds.
Connect Attempts: ProxySQL also tries to connect every 2 seconds, which helps monitor connectivity.
These changes ensure that ProxySQL can detect issues in 10 seconds as haproxy, significantly reducing downtime compared to default settings. This adjustment enables faster and more reliable monitoring, improving system stability and reducing potential downtime in production environments.
Change-Id: Ic28801519cdb35ed2387a1468b9df661847a5476
-
Michal Arbet authored
The ProxySQL startup script was incorrectly using the `--reload` flag, which only reloads/merges the configuration without initializing the database from the config file [1]. This change corrects it to use the `--initial` flag, ensuring that the database is always reloaded from the configuration at startup.
[1] https://proxysql.com/documentation/configuring-proxysql/#initialstartup
Change-Id: I9cc721555a6d19409b6ac24432b6b34a83efc42c
-
Maksim Malchuk authored
Followup on Ib69fc0017b3bfbc8da4dfd4301710fbf88be661a. This change adds the ability to provide the NTP (time source) server for multiple DHCP ranges in the Ironic Inspector DHCP server.
Change-Id: I4bbfef3a391b8582ae73cbe06138715b43584dec
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
-
- Sep 21, 2024
-
-
Maksim Malchuk authored
This change adds the ability to configure Huawei backends in Cinder as described in [1] by adding the additional configuration XML files to the cinder-volume containers. However, this change does not provide the default configuration options for the cinder.conf due to the wide range of Huawei hardware that is supported. Operators may also wish to configure multiple backends, so they should use the standard method of overriding backend sections to use these XML files, as described in [2].
1. https://docs.openstack.org/cinder/latest/configuration/block-storage/drivers/huawei-storage-driver.html
2. https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html#openstack-service-configuration-in-kolla
Implements: blueprint cinder-huawei-backend
Co-Authored-By: Juan Pablo Suazo <jsuazo@whitestack.com>
Co-Authored-By: Maksim Malchuk <maksim.malchuk@gmail.com>
Change-Id: Ic8624b2e956b1f48f5fb96d6d8a0150b67236d20
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
-
- Sep 20, 2024
-
-
Michal Arbet authored
This patch resolves an issue where ProxySQL could not bind due to incorrectly formatted IPv6 addresses in the `mysql_ifaces` configuration. Kolla's `put_address_in_context` filter is now used, ensuring the addresses are properly enclosed in square brackets for correct binding.
Closes-Bug: #2081106
Change-Id: Ic166b8d9a500023c8d23ec9fee03b28b268b26e7
-
- Sep 19, 2024
-
-
Michal Arbet authored
This patch adds missing ironic_database_shard_id which is used by proxysql-config role to generate proxysql configuration.
Change-Id: I11ddfe73c79cc59a97d119091c8b9a3f5eda001d
-
Michal Arbet authored
This patch removes the hardcoded `distro_python_version` mapping and usage from the configuration and templates, aligning with the dynamic Python version detection introduced in the dependent patch below. The changes simplify the kolla-ansible roles by using general `python3` paths, ensuring compatibility across distributions without requiring version-specific handling. Template files for Horizon, Ironic, Skyline, and others have been updated to reflect this, improving maintainability and reducing complexity.
Depends-On: https://review.opendev.org/c/openstack/kolla/+/926744
Change-Id: I85431b058b4184d96600cf17aaf8de871a018d61
-
- Sep 17, 2024
-
-
Michal Arbet authored
This trivial fix simply consists of adding the forgotten action after the kolla-ansible was reworked in review [1].
[1] https://review.opendev.org/c/openstack/kolla-ansible/+/911417
Closes-Bug: #2080408
Change-Id: I26b5db3a3eeebd758ad05d9cb9aa689a68e1816f
-
Michal Arbet authored
From version 2.1, ProxySQL has a built-in ProxySQL Prometheus exporter. This patch adds an option to easily enable this exporter [1].
[1] https://proxysql.com/documentation/prometheus-exporter
Change-Id: I8776cdc0a6ec9e4e35a2424dd0984488514a711f
-
- Sep 16, 2024
-
-
Michal Arbet authored
This patch fixes an issue where the inventory file is deleted by a `kolla-ansible -i /etc/kolla/inventory destroy` call. Now, inventories are available in tools/cleanup-host so we can ignore their removal.
Closes-Bug: #2052706
Change-Id: If89e94356de515b40ca4e8c023979cd498146303
-
- Sep 13, 2024
-
-
Will Szumski authored
When using dnsmasq as a DHCP server, unless you use the noping option (and that is not recommended), the NET_RAW capability is required so that dnsmasq can send ICMP packets. These are used to check an address is not currently in use [1]. Docker enables this capability by default. Podman runs containers with a minimal set of capabilities [3].
[1] https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012840.html
[2] https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities
[3] https://github.com/rhatdan/common/blob/f39f2a3f8c7680b9e456b9d235570e511807d6c6/docs/containers.conf.5.md?plain=1#L84-L101
Closes-Bug: #2055282
Change-Id: Ib3a1313df680d91c7f008063937ca7d37e82f690
-
Michal Arbet authored
The --reload parameter ensures that any changes in the proxysql configuration file are applied to the already existing internal proxysql database.
Change-Id: I9215d6cef3795030676c44a8184d99ba46dcb60c
-
Roman Krček authored
This is a prerequisite for patchset #924651
Nova runs checks before upgrading. A new nova_upgrade_checks container is started for that purpose. This container uses the new nova-api image, but the old config.json file. The image expects CA certificates in a certain location, but due to the old config.json file, they will not be present. This results in the container not trusting keystone SSL certificate and the upgrade fails, since it can't connect.
Moving the config section before the checks ensures that the new container has all the certificates it needs to connect to Keystone.
Also nova_enable_rolling_upgrade is no longer used, so there was no point in keeping upgrade tasks split.
Change-Id: I44bf48fb86f639d7f0acb786392573ebfed7ee97
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>
-
Michal Nasiadka authored
In I70dd1751dea6bfc9bb265aeda04b3392e135324c we removed Requires=docker.service and left only After=docker.service. In a case where something starts docker.service that's enough, but if docker.service is disabled or no service is dependent on it - it won't be started.
This patch adds Wants=docker.service which will try to start docker.service if it is not started or enabled but does not impose a dependency which causes restart of kolla systemd units when docker.service is restarted (see [1]).
Closes-Bug: #2065168
[1]: https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Wants=
Change-Id: Ic3acb15f7c6ba7269ef62ccc8895b6bea4fc1f4d
-
- Sep 12, 2024
-
-
Pierre Riteau authored
Inner modules called by the kolla_toolbox module were returning stdout and stderr as a single output object. This could break JSON parsing if any data was present in stderr, for example warnings such as:
[WARNING]: Collection ansible.posix does not support Ansible version 2.14.17
Fix by using demux=True to separate the two streams. The stderr content is logged as it could be useful for troubleshooting or catching deprecation notices.
Change-Id: Iad0476d4511f28c837794352c9a3e2f47113d9a1
Closes-Bug: #2080544
-
Sven Kieske authored
Add a new variable keystone_federation_oidc_claim_delimiter to make this configurable for keycloak OIDC federation.
Closes-Bug: #2080394
Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: If14285f033ed4914fd3b28d7efcc95e1c9f273a5
-
- Sep 09, 2024
-
-
Michal Arbet authored
Commit [1] introduced a bug into kolla-ansible where there is incorrect indentation in the haproxy configuration file. This patch fixes it.
[1] https://github.com/openstack/kolla-ansible/commit/b13fa5a92cb6d768c5839bd11667e2ca72a7cd2f
Closes-Bug: #2080034
Change-Id: I3375e303bc358fc79d1fa2e219e6ec1dba7a38ba
-
- Sep 05, 2024
-
-
Victor Chembaev authored
Change-Id: Ie73d7eef294e9e579314a61b39382f3ff3ba4b4b
Closes-Bug: 2078973
-
Martin Hiner authored
Fixes issue in PodmanWorker where it didn't set KOLLA_SERVICE_NAME environment variable when creating new container. Additionally, two methods were moved from DockerWorker to ContainerWorker as they are applicable to both engines.
Closes-Bug: #2078940
Change-Id: I273444fc828678d3c6803bce1bc8db1c5366b9b6
Signed-off-by: Martin Hiner <martin.hiner@tietoevry.com>
-
- Sep 03, 2024
-
-
Roman Krček authored
Build upon changes in kolla which change strategy of installing projects in containers when in dev mode. This fixes problems where when package file manifest changes, the changes were not reflected in the devmode-enabled container.
It changes the strategy of installing projects in dev mode in containers. Instead of bind mounting the project's git repository to the venv of the container, the repository is bind mounted to /dev-mode/<project_name> from which it is installed using pip on every startup of the container using kolla_install_projects script.
Also updates docs to reflect the changes.
Depends-On: https://review.opendev.org/c/openstack/kolla/+/925712
Closes-Bug: #1814515
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>
Change-Id: If191cd0e3fcf362ee058549a1b6c244d109b6d9a
-
- Aug 30, 2024
-
-
Sven Kieske authored
Harden the TLS default config according to the Mozilla "modern" recommendation:
https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7
If you want to revert to the old settings, set:
kolla_haproxy_ssl_settings: "legacy"
in globals.yaml. Alternatively you can also set it to "intermediate" for a middle ground between security and accessibility.
This also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism.
Also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide.
Closes-Bug: #2060787
Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6
-
- Aug 29, 2024
-
-
Matt Crees authored
Given we bump the RabbitMQ version each release, there is a manual upgrade to an intermediary RabbitMQ version needed before a skip-level upgrade can be performed.
Change-Id: Id8a5ebe19a50ebdc59d12667889472c803b8d7c8
-
Bartosz Bezak authored
When merging change [1], fluentd_enable_watch_timer was unintentionally missed in Let’s Encrypt, as change [2] had been merged earlier.
[1] https://review.opendev.org/c/openstack/kolla-ansible/+/785309
[2] https://review.opendev.org/c/openstack/kolla-ansible/+/899895
Change-Id: I7c72faecbdb66c7fd196acd3e7b2351851983490
-
- Aug 27, 2024
-
-
Bartosz Bezak authored
The prometheus-msteams project is no longer maintained [1]. As a result support for deploying prometheus-msteams via kolla-ansible has been dropped. Users are encouraged to migrate to the native Prometheus Alertmanager integration with Microsoft Teams [2].
[1] https://github.com/prometheus-msteams/prometheus-msteams/issues/343
[2] https://prometheus.io/docs/alerting/latest/configuration/#msteams_config
Change-Id: I93d28ef138b4e784465f3a7eaa11101ea5877050
-
- Aug 23, 2024
-
-
Michal Nasiadka authored
See [1].
[1]: https://opendev.org/openstack/ironic-inspector/commit/0b9b1756660b4ea63b44c0f01bbf3c1aa71c1f1a
Change-Id: I8866cdab396b805ec75bc4ccccdc5c1909e63bcf
-
Sven Kieske authored
Check if generated prometheus config is valid via promtool.
This should help prevent bugs like: https://bugs.launchpad.net/kolla-ansible/+bug/2076660
Prior art: haproxy config validation: https://review.opendev.org/c/openstack/kolla-ansible/+/922840
Also add some basic documentation for the `kolla-ansible validate-config` command.
Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: Ief90861b2c422e0e6c2dd9cb605c94e86c0f2ba1
-
- Aug 21, 2024
-
-
leiyashuai authored
Library "distutils" is deprecated in Python 3.10: https://peps.python.org/pep-0632/
The versions previously referenced using StrictVersion should be old enough that they will not be used in a Dalmatian deployment:
- Ansible 2.11
- Docker API 1.42, included since Docker engine 23.0.0
Change-Id: Ie315004715a1cb5a91dd54bc64b0a8fd0af650ec
-
- Aug 20, 2024
-
-
Simon Dodsley authored
From OpenStack 2023.2 (Bobcat) the Pure Storage Cinder driver supports NVMe-TCP as a dataplane protocol. This patch adds support for this new driver type.
Change-Id: I3c0ad7652a03388ab2eafa173c644a55b0405cc6
-
Michal Arbet authored
This patch adds REQUESTS_CA_BUNDLE as it's described in requests documentation [1]. This is needed because some Ansible modules use the Python requests library internally and some users of course use their own CAs.
[1] https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification
Closes-Bug: #1967132
Change-Id: I901c2bc8ac477f15d2833e68566b19e437f4b6d1
-
- Aug 16, 2024
-
-
Michal Nasiadka authored
Change-Id: Ic87fb3e4c014d3090869d5631e02982829df6312
-
Michal Arbet authored
This patch removes the nova_libvirt_secret container volume because it is a complete antipattern, and during testing, I found that it causes problems. When it was necessary to copy libvirt secrets from /etc/kolla/nova-libvirt/secrets, the container logs reported that the resource is busy - precisely because it was a mounted container volume. This, of course, is unnecessary because the secrets are copied to the kolla host in /etc/kolla/nova-libvirt/secrets.
Closes-Bug: #2073678
Change-Id: I715a6a95f9d32d62a8199727ddbaddd0dd7baa2d
-
- Aug 13, 2024
-
-
Alex-Welsh authored
This change fixes a bug in the prometheus.yml template which breaks alertmanager configuration.
Closes-Bug: 2076660
Change-Id: I9adf34747a22d7d5aef31fad3f68f7880e18f022
-
Maksim Malchuk authored
Follow-up on I343d8f45a78ebc3c11ed0c68fe8bec24f9ea7929
According to the documentation [1] we forgot to share statistics data for swift-account-server and swift-container-server. This change will fix the issue.
1. https://docs.openstack.org/swift/latest/admin_guide.html#cluster-telemetry-and-monitoring
Closes-Bug: #1941611
Change-Id: Ib9afd84cac1fcbd96f98b4720ea9c6503bbdb124
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
-