If any nova compute service fails to register itself, Kolla Ansible will
fail the host that queries the Nova API. This is the first compute host
in the inventory, and fails in the task:

    Waiting for nova-compute services to register themselves

Other hosts continue, often leading to further errors later on. Clearly
this is not idea.

This change modifies the behaviour to query the compute service list
until all expected hosts are present, but does not fail the querying
host if they are not. A new task is added that executes for all hosts,
and fails only those hosts that have not registered successfully.

Alternatively, to fail all hosts in a cell when any compute service
fails to register, set nova_compute_registration_fatal to true.

Change-Id: I12c1928cf1f1fb9e28f1741e7fe4968004ea1816
Closes-Bug: #1940119

Designate sink is an optional service that consumes notifications,
users should have an option to disable it when they don't use them.

Change-Id: I1d5465d9845aea94cff39ff5158cd8b1dccc4834

Change Ia1239069ccee39416b20959cbabad962c56693cf added support for
running a libvirt daemon on the host, rather than using the nova_libvirt
container. It did not cover migration of existing hosts from using a
container to using a host daemon.

This change adds a kolla-ansible nova-libvirt-cleanup command which may
be used to clean up the nova_libvirt container, volumes and related
items on hosts, once it has been disabled.

The playbook assumes that compute hosts have been emptied of VMs before
it runs. A future extension could support migration of existing VMs, but
this is currently out of scope.

Change-Id: I46854ed7eaf1d5b5e3ccd8531c963427848bdc99

In some cases it may be desirable to run the libvirt daemon on the host.
For example, when mixing host and container OS distributions or
versions.

This change makes it possible to disable the nova_libvirt container, by
setting enable_nova_libvirt_container to false. The default values of
some Docker mounts and other paths have been updated to point to default
host directories rather than Docker volumes when using a host libvirt
daemon.

This change does not handle migration of existing systems from using
a nova_libvirt container to libvirt on the host.

Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/830504

Change-Id: Ia1239069ccee39416b20959cbabad962c56693cf

Consistently use template instead of copy. This has the added
advantage of allowing variables inside ceph conf files and keyrings.

Closes-Bug: 1959565

Signed-off-by: Imran Hussain <ih@imranh.co.uk>
Change-Id: Ibd0ff2641a54267ff06d3c89a26915a455dff1c1

In Kolla Ansible OpenStack deployments, by default, libvirt is
configured to allow read-write access via an unauthenticated,
unencrypted TCP connection, using the internal API network.  This is to
facilitate migration between hosts.

By default, Kolla Ansible does not use encryption for services on the
internal network (and did not support it until Ussuri). However, most
other services on the internal network are at least authenticated
(usually via passwords), ensuring that they cannot be used by anyone
with access to the network, unless they have credentials.

The main issue here is the lack of authentication. Any client with
access to the internal network is able to connect to the libvirt TCP
port and make arbitrary changes to the hypervisor. This could include
starting a VM, modifying an existing VM, etc. Given the flexibility of
the domain options, it could be seen as equivalent to having root access
to the hypervisor.

Kolla Ansible supports libvirt TLS [1] since the Train release, using
client and server certificates for mutual authentication and encryption.
However, this feature is not enabled by default, and requires
certificates to be generated for each compute host.

This change adds support for libvirt SASL authentication, and enables it
by default. This provides base level of security. Deployments requiring
further security should use libvirt TLS.

[1] https://docs.openstack.org/kolla-ansible/latest/reference/compute/libvirt-guide.html#libvirt-tls

Depends-On: https://review.opendev.org/c/openstack/kolla/+/833021
Closes-Bug: #1964013
Change-Id: Ia91ceeb609e4cdb144433122b443028c0278b71e

NSXP is the OpenStack support for the NSX Policy platform.
This is supported from neutron in the Stein version. This patch
adds Kolla support

This adds a new neutron_plugin_agent type 'vmware_nsxp'. The plugin
does not run any neutron agents.

Change-Id: I9e9d8f07e586bdc143d293e572031368af7f3fca

Change-Id: I547ab4b05aa14ed3bbee8be2dc77a6840d4816f6

This is required as nova_compute tries to reach my_ip of the other
node when resizing an instance and my_ip is set to
api_interface_address.

This potential issue was introduced with [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/569131

Closes-Bug: #1956976
Change-Id: Id57a672c69a2d5aa74e55f252d05bb756bbc945a

Role vars have a higher precedence than role defaults. This allows to
import default vars from another role via vars_files without overriding
project_name (see related bug for details).

Change-Id: I3d919736e53d6f3e1a70d1267cf42c8d2c0ad221
Related-Bug: #1951785

The documentation for novncproxy_base_url says:

    If using noVNC >= 1.0.0, you should use ``vnc_lite.html`` instead of
    ``vnc_auto.html``.

While novnc packages in CentOS, Debian, and Ubuntu still provide
vnc_auto.html for compatibility, this could be dropped in the future.

Change-Id: I04883c877015c1835c8b6b2c8be1fb7156ceb340

This reverts commit 15259002.

Reason for revert: The iptables_firewall produces warnings without it.

Change-Id: Id046a3048436c4c18dd1fd9700ac9971d8c42c57

Nor set related sysctls.
More details in the reno.

Change-Id: I898548ecc6df3caa094c3222159b7ba1e16dc211
Closes-Bug: #1945789

A system-scoped token implies the user has authorization to act on the
deployment system. These tokens are useful for interacting with
resources that affect the deployment as a whole, or exposes resources
that may otherwise violate project or domain isolation.

Since Queens, the keystone-manage bootstrap command assigns the admin
role to the admin user with system scope, as well as in the admin
project. This patch transitions the Keystone admin user from
authenticating using project scoped tokens to system scoped tokens.
This is a necessary step towards being able to enable the updated oslo
policies in services that allow finer grained access to system-level
resources and APIs.

An etherpad with discussion about the transition to the new oslo
service policies is:

https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible



Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>

This is required for libvirtd with cgroupsv2 (Debian Bullseye and
soon others).
Otherwise, device attachments simply fail.
The warning message suggests filtering will be disabled but it
actually just fails the action entirely.

Change-Id: Id1fbd49a31a6e6e51b667f646278b93897c05b21
Closes-Bug: #1941940

It was removed in [1] as part of cgroupsv2 cleanup.
However, the testing did not catch the fact that the legacy
cgroups behaviour was actually still breaking despite latest
Docker and setting to use host's cgroups namespace.

[1] 286a03ba

Closes-Bug: #1941706
Change-Id: I629bb9e70a3fd6bd1e26b2ca22ffcff5e9e8c731

This change enables the use of Docker healthchecks for
nova-spicehtml5proxy service.

Implements: blueprint container-health-check
Change-Id: I584c588c20781e6c6567429811aecf97967baea3

Kolla-ansible upgrade task is calling different
handlers as deploy task and these handlers are
missing healthcheck key. This patch is fixing
this.

Closes-Bug: #1939679
Change-Id: Id83d20bfd89c27ccf70a3a79938f428cdb5d40fc

We get a nice optimisation by using a filtered loop instead
of task skipping per service with 'when'.

Partially-Implements: blueprint performance-improvements
Change-Id: I8f68100870ab90cb2d6b68a66a4c97df9ea4ff52

This trivial patch is setting "timeout tunnel" in haproxy's
configuration for spicehtml5proxy. This option extends time
when spice's websocket connection is closed, so spice will
not be freezed. Default value is set to 1h as it is in novnc.

Closes-Bug: #1938549
Change-Id: I3a5cd98ecf4916ebd0748e7c08111ad0e4dca0b2

Nova always tries to create the rabbitmq user regardless of
whether RabbitMQ is enabled or not.
This ps also adds an external rabbitmq doc.

Change-Id: Iec517226e4c82ea351889b55689a3efceaadcc76

By default, Ansible injects a variable for every fact, prefixed with
ansible_. This can result in a large number of variables for each host,
which at scale can incur a performance penalty. Ansible provides a
configuration option [0] that can be set to False to prevent this
injection of facts. In this case, facts should be referenced via
ansible_facts.<fact>.

This change updates all references to Ansible facts within Kolla Ansible
from using individual fact variables to using the items in the
ansible_facts dictionary. This allows users to disable fact variable
injection in their Ansible configuration, which may provide some
performance improvement.

This change disables fact variable injection in the ansible
configuration used in CI, to catch any attempts to use the injected
variables.

[0] https://docs.ansible.com/ansible/latest/reference_appendices/config.html#inject-facts-as-vars

Change-Id: I7e9d5c9b8b9164d4aee3abb4e37c8f28d98ff5d1
Partially-Implements: blueprint performance-improvements

Follow up fix for Ia7e923dddb77ff6db3c9160af931354a2b305e8d, which
broke the cephadm jobs.

Change-Id: Ieb39b41a6f493bd00c687610ba043a1b4e5945e7
Related-Bug: #1821696

They are handled by Docker since at least 18.09 (tested).
Backport to Wallaby at most to not introduce needless restarts in
already stable branches.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/792583
Change-Id: Ia95355c529f1b0222dc1de06632984b6d130b9ec

Makes nova-libvirt container always run in 'host' CgroupnsMode
to ensure it works.

Change-Id: I75105baf434977c68bc5c8ca1f5213e602c52c8c

Change-Id: I1727a6706520130793d31f8b514d955993d2c2a5

We don't do the best job with it and it's better to rely on users'
and distros' default policies than try to water those down.

Closes-Bug: #1837551
Change-Id: I72b13adef60900fc31f1293c516030026f004216

In order to disable libvirt debug in CI (which takes vast amount of storage)
this change introduces nova_libvirt_logging_debug and disables that in CI.

Change-Id: I90bfd1b300ad3202ea4d139fda6d6beb44c5820f

Change-Id: Ib6719a033b37be3e248b682795b7243c60b22b84

Libvirt may reasonably expect that its secrets directory
(/etc/libvirt/secrets) is persistent. However, the nova_libvirt
container does not map the secrets directory to a volume, so it will not
survive a recreation of the container. Furthermore, if Cinder or Nova
Ceph RBD integration is enabled, nova_libvirt's config.json includes an
entry for /etc/libvirt/secrets which will wipe out the directory on a
restart of the container.

Previously, this appeared to cause an issue with encrypted volumes,
which could fail to attach in certain situations as described in bug
1821696. Nova has since made a related change, and the issue can no
longer be reproduced. However, making the secret store persistent seems
like a sensible thing to do, and may prevent hitting other corner cases.

This change maps /etc/libvirt/secrets to a Docker volume in the
nova_libvirt container.  We also modify config.json for the nova_libvirt
container to merge the /etc/libvirt/secrets directory, to ensure that
secrets added in the container during runtime are not overwritten when
the container restarts.

Change-Id: Ia7e923dddb77ff6db3c9160af931354a2b305e8d
Related-Bug: #1821696

Searchlight project is retiring in Wallaby cycle[1].
This commit removes the ansible roles of Searchlight project
before its code is removed.

Needed-By: https://review.opendev.org/c/openstack/searchlight/+/764526

[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-November/018637.html

Change-Id: I85aab66376ea4f1376c2705066ba3c7e5645644f

This reverts commit 9cae59be.

Reason for revert: This patch was found to introduce issues with fluentd customisation. The underlying issue is not currently fully understood, but could be a sign of other obscure issues.

Change-Id: Ia4859c23d85699621a3b734d6cedb70225576dfc
Closes-Bug: #1906288

Makes 'import_tasks' not change behaviour compared to
'include_tasks'.

Change-Id: I600be7c3bd763b3b924bd4a45b4e7b4dca7a33e3

Main plays are action-redirect-stubs, ideal for import_tasks.

This avoids 'include' penalty and makes logs/ara look nicer.

Fixes haproxy and rabbitmq not to check the host group as well.

Change-Id: I46136fc40b815e341befff80b54a91ef431eabc0
Partially-Implements: blueprint performance-improvements

Config plays do not need to check containers. This avoids skipping
tasks during the genconfig action.

Ironic and Glance rolling upgrades are handled specially.

Swift and Bifrost do not use the handlers at all.

Partially-Implements: blueprint performance-improvements
Change-Id: I140bf71d62e8f0932c96270d1f08940a5ba4542a

This change enables the use of Docker healthchecks for core OpenStack
services.
Also check-failures.sh has been updated to treat containers with
unhealthy status as failed.

Implements: blueprint container-health-check
Change-Id: I79c6b11511ce8af70f77e2f6a490b59b477fefbb

When the internal VIP is moved in the event of a failure of the active
controller, OpenStack services can become unresponsive as they try to
talk with MariaDB using connections from the SQLAlchemy pool.

It has been argued that OpenStack doesn't really need to use connection
pooling with MariaDB [1]. This commit reduces the use of connection
pooling via two configuration options:

- max_pool_size is set to 1 to allow only a single connection in the
  pool (it is not possible to disable connection pooling entirely via
  oslo.db, and max_pool_size = 0 means unlimited pool size)
- lower connection_recycle_time from the default of one hour to 10
  seconds, which means the single connection in the pool will be
  recreated regularly

These settings have shown better reactivity of the system in the event
of a failover.

[1] http://lists.openstack.org/pipermail/openstack-dev/2015-April/061808.html

Change-Id: Ib6a62d4428db9b95569314084090472870417f3d
Closes-Bug: #1896635

via KOLLA_SKIP and KOLLA_UNSET

Change-Id: I7d9af21c2dd8c303066eb1ee4dff7a72bca24283
Related-Bug: #1837551

via kolla_sysctl_conf_path

Change-Id: I09b20fa008a7fecedcb599b4792f24215179b853

replace harcode 'internal' with {{ openstack_interface }}

Change-Id: I885622967ffde2a7a1a08fedbde2eb0e4e330e22