It was found to be useless in [1].

It is one of distro_python_version usages.

Note Freezer and Horizon still use python_path (and hence
distro_python_version) for different purposes.

[1] https://review.opendev.org/675822

Change-Id: I6d6d9fdf4c28cb2b686d548955108c994b685bb1
Partially-Implements: blueprint drop-distro-python-version

Backport to Ussuri unmodified. Backport to Train and Stein without
DEFAULT_BOOT_SOURCE.

Closes-Bug: #1891024

Change-Id: If8fe490c3f698ab3eb37735fbfcb8ab0d5fa8a06

STATIC_ROOT in local_settings.py should be configured
to path which is also configured in apache's config.

For debian, ubuntu binary setup it is
/var/lib/openstack-dashboard/static.

Reason why it is "accidentaly" working is:

For debian package:
Package is overriding STATIC_ROOT in
/etc/openstack-dashboard/local_settings.d/_0003_debian_static_root.py.
But this is going to be removed from settings in
https://review.opendev.org/733607.

For ubuntu package:
Ubuntu package is adding patch to package which is including
PYTHON_PATH do /usr/share/openstack-dashboard/
And also they are creating several dirty symlinks to get it working.

This patch is fixing this behaviour more clearly.

Change-Id: I9862ac7ab462ca9018b684d63f26458ddda9f73a

This patch introduces an optional backend encryption for Horizon and
Placement services. When used in conjunction with enabling TLS for
service API endpoints, network communcation will be encrypted end to
end, from client through HAProxy to the Horizon and Placement services.

Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d
Partially-Implements: blueprint add-ssl-internal-network

Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname
(haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion
(baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround
(socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting
as it is not used (let's avoid any confusion)
and could break setups without proper multicast routing
if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we
currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
This is due to old RabbitMQ versions available in images.
IPv4 is preferred by default and may fail in the IPv6-only scenario.
This should be no problem in real life as IPv6-only is indeed IPv6-only.
Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
no longer be relevant as we supply all the necessary config.
See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
to work well). Older Ansible versions are known to miss IPv6 addresses
in interface facts. This may affect redeploys, reconfigures and
upgrades which run after VIP address is assigned.
See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments.
See: https://storyboard.openstack.org/#!/story/2006689



Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

Depends-On: https://review.opendev.org/686316
Change-Id: I5f204541cc44bca94bed756bb3af3e102f81a1d2

Also fixes similar issues introduced by the same recent change.
Added FIXME note about possible TLS malfunction regarding horizon.

Change-Id: I5f46a9306139eb550d3849757c8bdf0767537c78
Closes-Bug: #1844016
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

This review is the first one in a series of patches and it introduces an
optional encryption for internal openstack endpoints, implementing part
of the add-ssl-internal-network spec.

Change-Id: I6589751626486279bf24725f22e71da8cd7f0a43

Change-Id: I71f3e8ab50426246b595755a8f3298ba7ca0a50d
Closes-Bug: #1803029

This commit adds the functionality for an operator to specify
their own trusted CA certificate file for interacting with the
Keystone API.

Implements: blueprint support-trusted-ca-certificate-file
Change-Id: I84f9897cc8e107658701fb309ec318c0f805883b

Change-Id: I7d0ed4ad94e3d07220de131b2a0fcd399d942782
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

Masakari provides Instances High Availability Service for
OpenStack clouds by automatically recovering failed Instances.

Depends-On: https://review.openstack.org/#/c/615469/


Change-Id: I0b3457232ee86576022cff64eb2e227ff9bbf0aa
Implements: blueprint ansible-masakari
Co-Authored-By: Gaëtan Trellu <gaetan.trellu@incloudus.com>

Depends-On: https://review.opendev.org/675581
Closes-Bug: #1838719
Partially Implements: blueprint python3-support

Change-Id: Ib8bfb130b8490b583539cc264c2d2a2a034b270c

Change-Id: Ib5490d504a5b7c9a37dda7babf1257aa661c11de

Qinling is an OpenStack project to provide "Function as a Service".
This project aims to provide a platform to support serverless functions.

Change-Id: I239a0130f8c8b061b531dab530d65172b0914d7c
Implements: blueprint ansible-qinling-support
Story: 2005760
Task: 33468

deflate is disable because of breach attach[0] issue. But it has be
fixed on horizon size through[1], so we cloud enable deflate all the
time.

compress application/json too in default.

[0] https://wiki.openstack.org/wiki/OSSN/OSSN-0037
[1] https://review.openstack.org/#/c/596549/

Change-Id: I364c8a71633fac846dbaac8eaa0b78191e6d7d0e
Closes-Bug: #1827976

1.Use opendev.org instead of git.openstack.org.
2.Use review.opendev.org instead of review.openstack.org.

You can see the discussion below:
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html

Change-Id: Ice4509204df788a1a44a06fb89fb44cfe6b54b94

This adds a horizon_listen_port option, which defaults to horizon_port
for backward compatibility.

This option allow the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.

Change-Id: I1e47e9524fd9c41bbb2cd2fc80560e53d9296599
Implements: blueprint service-hostnames

We're duplicating code to build the keystone URLs in nearly every
config, where we've already done it in group_vars. Replace the
redundancy with a variable that does the same thing.

Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a

Use <project>_install_type instead of kolla_install_type
to set python_path. For example, general kolla_install_type
is 'binary', but user wants to deploy Horizon from 'source'.
Horizon templates still use python_path=/usr/share/openstack-dashboard,
it is wrong.

Change-Id: Ide6a24e17b1f8ab6506aa5e53f70693706830418

kolla-ansible should provide a mechanism to allow operators to overwrite
the default (or not exposed through configuration) options for the
local_settings.

local_settings.j2 may be good place to configure horizon but requires
operator to sync it every release.

custom_local_settings.j2 can be used to overwrite things from
local_settings.j2 without a need of syncing it first.

This patch also adds a release note and a documentation section
under the advanced configuration page.

Partial-Bug: #1769970
Depends-On: https://review.openstack.org/#/c/567006/
Change-Id: I84b54ba737276114e512d4577ac4b9010682bb98

This commit introduces a new variable, horizon_keystone_url, which
allows the administrator to specify the Keystone URL.

This defaults to the internal Keystone URL for backwards compatibility's
sake.

Closes-Bug: #1759623

Change-Id: Idf178a6398000fcb2d02b6f37b8ef408218b94ee
Signed-off-by: Nick Jones <nick@stackhpc.com>

Disable ServerSignature and Hide apache related infromation.

Change-Id: I9188ddb85988539087c922117bb9f53454b7507c

- Horizon

This will copy only yaml or json policy file if they exist.

Change-Id: Ib8875ca54dc9dc69abc8338413f7724d9d4ecc45
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>

Murano offers optional Barbican integration for apps using sensitive
data [0]

This patch adds the necessary config pieces to allow these apps to work out of
the box.

[0] https://docs.openstack.org/murano/latest/admin/appdev-guide/encrypting_properties.html

Change-Id: Ia78f53b12619deb518111a1c02c00d73bf5acdb1

Added ``horizon_keystone_domain_choices`` hash. It can be used to set the
available domains to choose from on the horizon login page. This feature
was introduced in pike release.

Change-Id: Ia7d2bc45e518848a04ce78e7833e1cf9a0ef21ce

Added horizon_keystone_multidomain flag. It can be now overriden
in globals.yml. Default set to False.

Change-Id: I6f8f261cf4b9779e57c2443ac219cdddb1731f52

WSGI configuration is missing the directive
"WSGIApplicationGroup %{GLOBAL}" after
WSGIProcessGroup" in the horizon template.
Of all WSGI configuration templates it is
the only one that does not have the
"WSGIApplicationGroup" line.

Change-Id: I3001901abbaae842f49179b6febf844337431afc
Closes-Bug: #1717922

Change-Id: I2d9fca7d4272c69c75b106ac4cea244a371d3b5f
Closes-bug: #1707163

Apache access log formats are modified to be consistent with
the format defined in wsgi-keystone.conf, which includes
the response time (%D) and X-forwarder-For fields.

Change-Id: I02aa5eb106fb894196dfb6e22daf2968e27ed3cb
Closes-Bug: #1703571

Introduced new option enable_cinder_backup, that controls
whether to deploy cinder-backup service.

Change-Id: Ibb0ca0a478748d4caba4df434456ead0df95ffca
Signed-off-by: Pavel Glushchak <pglushchak@virtuozzo.com>

Change-Id: I8c340cfe33789badb4f8df93f0c13f56fdea5dbf

Trace method is enabled in default for httpd. There is security risk
with trace enabled. So disable it in default. more info please check[0].

[0] https://security.stackexchange.com/a/7711

Change-Id: I4496a6d058d88e1abfb210085f189e7a610e0362
Closes-Bug: #1705160

kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logical.

[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible

Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config

This change [0] reverted designate dashboard change because
designate was not finished, we forgot to enable again.

[0] https://review.openstack.org/#/c/408714/

Change-Id: Ibaf7e5a5dc8cbef619d86a0f2b240d384984e8bd

The static contents directory path of the openstack-dashboard
provided by Ubuntu Cloud Archive is different from RDO's.
This fixes the horizon.conf template to set the correct alias
when ubuntu+binary are specified.

Change-Id: I1b0c04cecc66b42bf764aa035e7ec24c37d805e3
Closes-Bug: #1700712

Many of the templates use 600, remove unnecessary permission
on these templates to bring them in line with the others.

Change-Id: I30fe1b3822b9c7bb6ab98729fc519dc1d603db27

Add support for basic multiple regions, that is to say, many OpenStack
with a shared Keystone (same users) and Horizon. The shared Keystone
and Horizon are deployed into one region, for instance RegionOne.
Services of other regions have an access to this Keystone. This
support assumes that the operator knows the name of all OpenStack
regions in advance, and considers as many Kolla runs as there are
regions.

The new variable, multiple_regions_names, contains the name of
regions. It is needed by the region that includes Keystone and
Horizon. In register.yml, it specifies to create as many Keystone
endpoints as there are regiones, so that services of other regions can
connect to Keystone. In local_settings.j2, it changes the render to
support multiple regions in Horizon. The multi-regions.rst explains
how to perform a multiple regions deployment.

Implements: blueprint multi-kolla-config
Change-Id: Icab2aebfc4de0e3bc609950956e0af397705f403

New dashboard plugins are included in horizon,
new custom policies support need to be added for
those services.

Change conditional check to apply changes when
horizon plugin is enabled, not the service itself.

Closes-Bug: #1664505
Change-Id: I67fcb88fd432b4c7554ddf24e76b28c3aab7c01f

See bug for more details.

Change-Id: Ieb80b8edb122bba7cde85cb4840730ebdb31f0a9
Closes-Bug: #1659725