User can use custom directory to store images.
For example using a shared file system as backend.

Change-Id: Iab7a9a51e619bdbf8f7bd4626ebe4d703e6d4819

According to [1], Ansible variable names should not include hyphens.
Kolla-Ansible fails with a wrong variable name 'barbican-api' when
deploying Barbican.

This patch fixes the issue that was recently introduced in [2].

[1] http://docs.ansible.com/ansible/playbooks_variables.html#id15
[2] 08ab3d8e

Change-Id: Ib962e31ad93316e56130c9fc38dabfc918de17ce
Closes-Bug: #1703287

As described here:
https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L841
https://github.com/openstack/keystone/blob/master/keystone/conf/identity.py#L21

* default project domain name MUST be named 'Default'
* default project domain id MUST be named 'default'
* default project user name MUST be named 'Default'
* default project user id MUST be named 'default'

Change-Id: I610a0416647fdea31bb04889364da5395d8c8d74

This change [0] reverted designate dashboard change because
designate was not finished, we forgot to enable again.

[0] https://review.openstack.org/#/c/408714/

Change-Id: Ibaf7e5a5dc8cbef619d86a0f2b240d384984e8bd

Custom file was check on remote target instead of local.

Change-Id: I9426056e7bb284eb8b3ad539d61ecb1e1f6370e4
Closes-Bug: #1702490

* fix wrong variable usage for horizon copy policy task
* notify restart keystone container when policy is changed

Change-Id: I3545205d5d3cfcf7bf893187ca6e65bbc152bf33
Closes-Bug: #1702486

In order to speed up deployment time some "local" actions should be run
only once using 'run_once: True'.
This will decrease deployment time in case of multihost configuration.

Change-Id: I6015d772d35c15e96c52f577013b6e41197cb41a

Kolla-ansible actually bring it's own barbican-api-paste.ini file to
enable Keystone authentication, in order to fix this
https://bugs.launchpad.net/kolla/+bug/1625337

auth_token middleware is actually managed by Barbican.

Furthermore barbican-api-paste.ini brings by Kolla-ansible is outdated:
* http_proxy_to_wsgi middleware is missing

Hence this file should not be managed statically by kolla-ansible.
This patch keep custom paste file feature. Just put the file to
/etc/kolla/config/barbican/barbican-api.ini path.

Change-Id: Ia50237f7df7f89526a976575b017145c71b11ec0
Closes-bug: #1695026

Change-Id: Id3ceaa27687fda3b773873501208dacbfa3536ab
Closes-bug: #1699680

Change-Id: Ia2afe54d37732ff33216738d7478ad98f6b84cc4

As of [1], the ironic configuration for neutron, glance, swift,
inspector and service_catalog requires explicit configuration of
authentication parameters for communication with these services.

This change adds the required parameters to [neutron], [glance] and
[inspector] sections of ironic.conf. Kolla-ansible does not configure
the [swift] or [service_discovery] sections currently.

We also replace option [glance] glance_hosts with [glance]
glance_api_servers as the former is deprecated.

Since we no longer need to support generating configuration for
kolla-kubernetes[2], some related options have been cleaned.

[1]
https://github.com/openstack/ironic/commit/4f9035c24f0465be5728ed9a8a6df76cd6f46ed3
[2]
https://blueprints.launchpad.net/kolla-ansible/+spec/clean-k8s-config

Change-Id: Ifc239af5f3e44a508fedc9dea08cb06160c4f7f3
Closes-Bug: #1701713

'elasticsearch_protocol' is define in group_vars but unused,
it must be removed.

Change-Id: I15cabb9a2d73dd60d06ec2a4fcececa76e14a1db

When an external Etcd server is used, config is generated like following:

etcd:
  client_timeout: 100
  embeded: no
  servers:
    - http://10.200.200.10:2379

"embeded" config has wrong spelling, the good one is "embedded".
Hence default config is used (yes), and external Etcd server is not used.

Closes-Bug: #1697614
Change-Id: I59ac990b0b865c926b53f829bdfea186fc1e10b1

SKIP_LOG_SETUP variable was used by Heka stuff.
Heka has been removed from Kolla and Kolla-ansible.

Change-Id: I4448b26ace899eb888d34a12a85b019597e25435

rpc_workers and rpc_state_report_workers are set to 1 by default in
Neutron:
https://github.com/openstack/neutron/blob/master/neutron/conf/service.py#L30

By design neutron-server is a central RPC service for all agents (L2
agents, L3 agents, Metadata agents, LB agents, VPN agents, ...).
For a production ready cloud, these variables must be set to a greater
value than 1.

Change-Id: Ib39be32748c3ee8077941fd1659db12c9d80055c
Closes-Bug: #1671734

* add additional options called 'endpoint_type' for each of config groups
related to openstack clients used by Magnum.
* add Glance, Neutron and Nova config groups.

Change-Id: Ie74979e05c4f5763674ba2fc5b9f07bd51ad9454

Some roles have a symlink to deploy.yml file
for reconfigure. This is causing some issues.
"included task files must contain a list of tasks"

Change-Id: Ie7ade52900a61bc1c5b867fa7a8f75fc541a6426
Closes-Bug: #1694251

The TFTP server used by ironic and ironic inspector (in.tftpd) requires
files to be world readable in order for them to be accessible via
TFTP[1].

The permissions of these files were recently changed to 0600 along with
a number of other files[2].

This change reverts the permissions to 0644 for the ironic inspector PXE
configuration files.

[1] https://linux.die.net/man/8/in.tftpd (security section)
[2]
https://github.com/openstack/kolla-ansible/commit/274291463e99eab805a4265adc856c1bffafa9ad

Change-Id: Ibc281949ebf5bab1e1d2e450ec943728aa00943b
Closes-Bug: #1701695

Logrotate configuration is missing for ironic-inspector. Prior to [1],
ironic-inspector logs were stored in
kolla_logs/ironic/ironic-inspector.log. After [1], the logs
are stored in kolla_logs/ironic-inspector/ironic-inspector.log
but the logrotate config was not updated.

[1]
https://github.com/openstack/kolla-ansible/commit/07453f346094b184a209380e375f6311987675be

Change-Id: I7e78faea361cd67069c1a96aaf0a2ffffc0e8666
Closes-Bug: #1701578

RDO packages a distribution configuration file
/usr/share/nova/nova-dist.conf which contains the following setting:

firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver

This causes the nova-compute-ironic service to fail to start as the
nova ironic virt driver attempts and fails to create a firewall driver
using this class.

This change reinstates the explicit setting of the [DEFAULT]
firewall_driver option to the noop driver which resolves this issue.
This comes at the cost of a WARN log message due to the option being
deprecated (see
https://github.com/openstack/kolla-ansible/commit/6d831db687a35a48a41ee581b979fb43350e0c72).

Change-Id: I41bd9d0671118ff256e7ada766e8653bb4b2b376
Closes-Bug: #1701564

Add additional options called 'endpoint_type' for each of config groups
related to nova, cinder and neutron clients.

Change-Id: I24dc11502b148fbe564dc63c6f78b7dcbfe44f01

As describe here:
https://github.com/openstack/cinder/blob/master/cinder/compute/nova.py#L42

* remove 'nova_catalog_info' deprecated option
* add new [nova] section

Change-Id: Ib89a589c8eb8d81839bd4d07d7174b3272136934

As described here:
https://github.com/openstack/neutron/blob/master/neutron/conf/agent/metadata/config.py#L47
nova_metadata_host must be used.

Change-Id: Idd1c2a8beebf39a3c420cbf1f1268f9935d938bb

Depends-On: Ie0e02253bd706cad6a568e1574aa4c4bd83744e5

Change-Id: I10e64ea5a104109a7ced3712b29b3b526c55f7f1
Closes-Bug: #1677922

Like elasticsearch is already deployed by Kolla-ansible it can be used
to store Graph events.

Closes-Bug: #1697638

Change-Id: I1f33e044d33c21516cb3bf8c6fd5bb0745b843c1

change api.log and registry.log to glance-api.log and glance-registry.log

Closes-bug: #1700718

Change-Id: Ifcde8699fa9537fa06445f79c4bd14b4ee0df32c

Removed code try to install Wily(15.10) kernel in case of Ubuntu
Trusty(14.04).
Last Openstack version supported on Ubuntu 14.04 is Mitaka.
Hence Ubuntu 14.04 related code can be safely remove from Ansible tasks
since Kolla Newton release.

Co-Authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
Change-Id: Ieca7975a69fb0ba8b49cc522f05e4beca1c2f526

The static contents directory path of the openstack-dashboard
provided by Ubuntu Cloud Archive is different from RDO's.
This fixes the horizon.conf template to set the correct alias
when ubuntu+binary are specified.

Change-Id: I1b0c04cecc66b42bf764aa035e7ec24c37d805e3
Closes-Bug: #1700712

ResellerAdmin role should be created always when Swift is enabled
and not only for Ceilometer. The role is needed for normal users
to get administration rights for their Swift projects and is
required to pass DefCore (OpenStack Powered) certification.

Change-Id: I4faa63b8fae1814e382de2794301248cc0f4a90a
Closes-Bug: #1700729

In case of provider networks we need to configure external bridge
on compute nodes, like it is done in DVR. The only way to tell
if provider networks are to be used is a new flag.

Change-Id: I1aef197ee2b84e28f2131f058e6995551f873fe1
Closes-Bug: #1694726

No handler named "Restart tacker containers", and we should restart
the tacker container according to the context

Change-Id: Idad8843e85eeb536d7abf8332606801f5b6e78ce
Closes-Bug: #1700007

Removes precheck portion of NTP.
Corrects for redhat
Fixes typo

Change-Id: Ic8d2cd3c2ba02f9f672db862a74950dc73753f2d
Closes-Bug: #1700121

Change-Id: I5744784afc13f2ee884c8dca2b32c982ebebc542
Partially-implements: blueprint sanity-check-container

No handler named "Restart keystone containers", and we should restart
the keystone and the keystone-fernet container according to the context

Closes-Bug: #1699924

Change-Id: I62512dc022426cc762ff603d8554e48651fa621f

Change-Id: Ia766c1aa60d51fbff2c620394474597a7146b9cc
Closes-Bug: #1699658

When you add new nodes to existing cluster, docker will restart
all anyway and that will break a lot, including mariadb.

Change-Id: Ie46f99a141f99480a87218ead4b76ba65f2edae9
Closes-Bug: #1699335

When using the simple_crypto plugin, barbican expects the
[simple_crypto_plugin] kek config value to be a base64-encoded 32 byte
value. However, kolla-ansible is providing a standard autogenerated
password.

There are two relevant variables in kolla-ansible -
barbican_crypto_password (a standard password) and barbican_crypto_key
(a HMAC-SHA256 key). There is no use of barbican_crypto_key other than
when it is generated. barbican_crypto_password is used to set the
[simple_crypto_plugin] kek config value but causes an error when the
simple_crypto plugin is used as the value is not in the expected format.
Using barbican_crypto_key instead resolves the error. Clearly there is a
naming issue here and we should be using barbican_crypto_key instead of
barbican_crypto_password.

This change removes the barbican_crypto_password variable and uses
barbican_crypto_key instead.

Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda
Closes-Bug: #1699014
Related-Bug: #1683216
Co-Authored-By: Stig Telfer <stig@stackhpc.com>

This patch add configuration options for tenant network types and type
drivers. Both lists are checked so that tenant types are listed in
drivers. For ironic 'flat' driver is mandatory and is added explicitly
into ironic prechecks.

Change-Id: Ie5775001165412910a258cbed2d2ebbb8ebbd879
Closes-Bug: #1694725

mDNS publish DNS services to designate service customers.
Only network node should be reachable by public networks.

Change-Id: Id2947df89d2d831d67e006a581ac88b4ecf8ce04
Closes-Bug: #1693918

Add webconsole support in ironic by pxe_ipmitool driver.
Serial speed must be the same as the serial configuration in
the BIOS settings, so that the operating system boot process
can be seen in the web console.

see:
https://docs.openstack.org/project-install-guide/baremetal/draft/advanced.html#appending-kernel-parameters-to-boot-instances

Change-Id: I967ed2f63a50d024c54e0762ec6c0ae09b66d6bd