Ceilometer image filter was incorrectly used. Thr filter
should be in the volume list instead.

Change-Id: I3ad8a1d85607004b28f9a25b9a4e9f8b914ae9df
Closes-Bug: #1784496

last patch have replaced include by include_tasks, but here have a
 omission

Change-Id: Ibfe2918eb5504bb5355489ab093200feb1d221d7

This commit is to apply resource-constraints to a few more OpenStack services.
Commit to  apply constraints to the last set of services will be made in
the upcoming commit.

Depends-on: Icafa54baca24d2de64238222a5677b9d8b90e2aa
Change-Id: I39004f54281f97d53dfa4b1dbcf248650ad6f186

Perform the refactoring of the auth field from change #552863

TrivialFix
Partially-Implements: blueprint monasca-roles

Change-Id: I0a87cc3cb40df5e1c927bcd8ff4bd33e44fe4172

Ironic Neutron Agent was added by
I92b9505843f12692aef96764a314e5db49001a9b.

Change-Id: Ib178bafc9907537fdd46dd374684b037db7f19df
TrivialFix

The include_tasks action was added in ansible 2.4.

Change-Id: Ieac4a39a95c6aa55754c9dde5e94fb293c103caa
Related-Bug: #1783456

This commit is to apply resource-constraints only to few OpenStack services.
Commit to apply constraints to other services will be made in coming commits.

Partially-Implements: blueprint resource-constraints

Change-Id: Icafa54baca24d2de64238222a5677b9d8b90e2aa

include is marked as deprecated since ansible 2.4[0]

[0] https://docs.ansible.com/ansible/2.4/include_module.html#deprecated



Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ic9d71e1865d1c728890625aeddf424a5734c0a8a

By default ceph-rgw is not completely comaptible with Swift API,
because of the restriction for Swift INFO API.[0]

The patch improve ceph-rgw compatibility with Swift API. It is
controlled by the option "ceph_rgw_compatibility" in
ansible/group_vars/all.yml.

After changing the option, run the "reconfigure" command to enable.

Closes-Bug: #1783456

[0] https://github.com/ceph/ceph/pull/17967



Change-Id: Ibf3eb52280e197965caef08a44ae226c4f884cb5
Signed-off-by: tone.zhang <tone.zhang@arm.com>

freezer's deploy.yml do not have when condition,here to add it.

Change-Id: Id275a5eb746783694248a6db5b7f3ee7b8b3b8c5

Partially-Implements: blueprint networking-baremetal

Change-Id: I92b9505843f12692aef96764a314e5db49001a9b

This commit is the final commit to apply resource-constraints
to all OpenStack services.

Depends-on: I39004f54281f97d53dfa4b1dbcf248650ad6f186
Change-Id: I072d69be9698be54775cb0ae286ea2b6ed78776c
Implements: blueprint resource-constraints

Fixes a typo introduced in I93e53bad9727beb786b00bd7fcd6d78785c619c2.

Change-Id: I9fd6587913cccd5a29b3fc012b4ddeac8859a0ff
Related-Bug: #1782799
TrivialFix

Enables setting rp_filter mode on Neutron L3 agent and Nova compute
hosts whilst maintaining the default that it is disabled.

Closes-Bug: #1782799
Change-Id: I93e53bad9727beb786b00bd7fcd6d78785c619c2

While it is possible to implement countermeasures against some attacks
on TLS, migrating to a later version of TLS (TLS 1.2 is strongly
encouraged) is the only reliable method to protect against
the current protocol vulnerabilities.[1]

[1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Change-Id: I44f67e3a49bb00fea069d29c46b3e86404c7df0b

It is possible to have an accessible swift API that is not managed by
kolla-ansible -- for example, ceph exposes a swift API, and using that
requires setting swift as the glance backend.

So, we should loosen the requirement that using the swift backend for
glance requires swift be enabled in kolla-ansible.

Co-Authored-By: Adam Harwell <flux.adam@gmail.com>

Change-Id: I17076d5412d2b1e1f13bb0badceaca85a5cee108

The word "action" is now an Ansible reserved word, and things have
transitioned to "kolla_action", but looks like this was missed.

Change-Id: Ie07a2a7d8b153a6d39b91129256727157f8dfa34

In this patch, the glance-registry service was disabled:
https://review.openstack.org/#/c/566804/

However, the config task still tries to copy files for it, which will
break due to path errors.

Change-Id: If39bb12bf830e6559342037ae2a2b99a784ee503

The rsync prior to v3.1.0 the uid/gid parameter have no effect at
all if it runs as normal(non-root) user.

Since v3.1.0 these parameter are problematic for normal user
because now rsync, regardless of root or non-root, if the
parameters are given then it just tries to call setgroups() which
is not possible for normal user so errors may occur.

    swift-object-replicator: @ERROR: setgroups failed\u0000
    swift-object-replicator: rsync error: error starting
    client-server protocol (code 5) at main.c(1648)
    [sender=3.1.2]\u0000

Either way, these parameters are not needed for swift-rsync
container.

Change-Id: Ia7fe9f06d7a21a55f52b90c2cc1b2498300e6532
Signed-off-by: Minho Ban <mhban@samsung.com>

Co-Authored-By: caowei <cao.wei@99cloud.net>
Co-Authored-By: yuqian <yu.qian@99cloud.net>

Change-Id: If8143b720203fe75cf586248f1fa1d3fde34c750
blueprint: onos-support

This patchset apply Ironic rolling upgrade logic [1][2]
[1] https://docs.openstack.org/ironic/latest/contributor/rolling-upgrades.html
[2] https://docs.openstack.org/ironic/latest/admin/upgrade-guide.html#rolling-upgrades

Depends-On: https://review.openstack.org/#/c/575594/

Co-author: Ha Manh Dong <donghm@vn.fujitsu.com>
Change-Id: Id68244951dc66d5c3423ef44324bd72058f4ba67
Implements: blueprint apply-service-upgrade-procedure

This service is only required if you want to support cold migration.
In some instances that is not a needed feature, and avoiding having
another key to manage is an advantage.

Co-Authored-By: Adam Harwell <flux.adam@gmail.com>

Change-Id: I0a55a91673d9178933f134832df4bd849ddf5af4

Since chrony container is supported by kolla [1], we should enable it by
default.

[1] https://github.com/openstack/kolla-ansible/tree/master/ansible/roles/chrony

Change-Id: I1fd4dcae8da4e807b8eaefa65607671bf7a9a19a

This commit will constrain the dimensions of service `Nova`
and sub-containers deployed along with it.

A user can give the dimension values in `/etc/kolla/globals.yml`
the data-types just like stated in this commit.

Reference-Docs:
https://docs.docker.com/config/containers/resource_constraints/

Added Test-cases for the same.

Partially-Implements: blueprint resource-constraints
Change-Id: I6458d8fb7b26a6e7c3a9fd0d674d9cf129b0bf5d

This is a Logstash component which reads processed logs from Kafka
and writes them to Elasticsearch (or some other backend supported by
Logstash).

Ingesting the logs from this service with Fluentd will be covered under
a different commit.

Change-Id: I2d722991ab2072c54c4715507b19a4c9279f921b
Partially-Implements: blueprint monasca-roles

To get forwarding to work in the kolla implementaion of designate,
I'm adding parameters to the named.conf.j2 template.  I'm adding
the ability to change the default values for dnssec-validation and
recursion and creating a new paramater for forwarders.

Change-Id: Ideef39034d75a0d99e8a3dc2a5f1a7203ccf51d5
Closes-Bug: #1781196

This patch extends the prometheus role for being able
to deploy the prometheus-alertmanager[0] container.

The variable enable_prometheus_alertmanager
decides if the container should be deployed and enabled.

If enabled, the following configuration and actions are performed:

- The alerting section on the prometheus-server configuration
is added pointing the prometheus-alertmanager host group as targets.

- HAProxy is configured to load-balance over the prometheus-alertmanager
host group. (external/internal).

Please note that a default (dummy) configuration is provided, that
allows the service to start, the operator should extend it via a node custom config

[0] https://github.com/openstack/kolla/tree/master/docker/prometheus/prometheus-alertmanager



Change-Id: I3a13342c67744a278cc8d52900a913c3ccc452ae
Closes-Bug: 1774725
Signed-off-by: Jorge Niedbalski <jorge.niedbalski@linaro.org>

There are cases when we can lost original timestamp field given from
logs, like when we send our logs to the next fluentd forwarder in chain
of forwarders, it will rewrite our timestamp by default. Save
`Timestamp` field explicitly to avoid such situation and be able to
reconstruct messages date and time.

Closes-Bug: #1781046
Change-Id: I2b4486aedacbe16dc4c0fb2e4e4984bd80e59f2d

Ironic creates hardlinks between the TFTP master image store and the
HTTP root path when iPXE is enabled. With Docker volumes used for these
locations we run into https://bugs.launchpad.net/ironic/+bug/1507894
during deployment. If we use a directory under /httpboot to store the
master images this issue is avoided.

This change uses the new bifrost config variable,
ironic_tftp_master_path added in [1] to configure the path, rather than
the existing hacked approach of modifying the ironic.conf config file
after the bifrost_deploy container has started.

[1] https://review.openstack.org/#/c/577071

Change-Id: I5c62999c4956bebd0d3920d756ce67ba194b0ebe

In some cases we may want a configuration in which the kolla user's
primary group name is not the same as their username. Doing this
currently breaks the sudoers configuration, since user entries should
reference a user, or a group prefixed with a '%'.

There does not seem to be a good reason to give root privileges to the
entire group (which sometimes may be a shared group), so let's revert to
giving only the user root privileges.

See kayobe CI test [1] in which a different user and group were
configured, leading to permission denied when using kolla ansible.

[1] http://logs.openstack.org/53/581053/2/check/kayobe-overcloud-centos/a70168e

TrivialFix

Change-Id: I677778ebd0de58df0adfa2a8705f161ec5552283

In some environments it may not be desirable to modify the sudoers
configuration. This change makes this part of bootstrap-servers
optional, based on the create_kolla_user_sudoers variable.

Change-Id: I653403bfc5431741807edef57df58e05e679900b

This makes the bootstrap-servers command more idempotent, since without
the append argument set the kolla user will be removed from the docker
group before being added to it again in a later task.

TrivialFix

Change-Id: Iab0f6b5e18a103e9140631ee3ebbbb48c490bc24

In I86bf5e1df3d6568c4f1ca6f4757f08a3dd22754d, creation of the kolla user
was moved to after package installation to ensure the sudo package is
installed when required. This change does not work when python
dependencies are installed in a virtual environment however - when the
virtualenv variable is set.

This change moves the ownership change of the virtualenv to after the
kolla user has been created. It also uses the kolla_user and kolla_group
variables to set the user and group appropriately.

Change-Id: I320e5d611099ad162945a98d5505a79606da0eba
TrivialFix

The Monasca Log Transformer takes raw, unstandardised logs from one
Kafka topic, standardises them with whatever rules the operator wants
to use, and then writes them to a standardised logs topic in Kafka. It
is currently implemented as a Logstash config file.

Since Kolla does a fairly good job of standardising logs, this service
does very little processing. However, when other sources of logs
are used, it may be useful to add rules to the Transformer, particularly
if it's not possible to standardise the logs at source.

Ingesting the logs from this service with Fluentd will be covered under
a different commit.

Change-Id: I31cbb7e9a40a848391f517a56a67e3fd5bc12529
Partially-Implements: blueprint monasca-roles

The authtoken config variable delay_auth_decision must be set to True.
The default is False, but that breaks public access, StaticWeb, FormPost,
TempURL, and authenticated capabilities requests (using Discoverability).

Change-Id: I420a95f5f9fda3321a4acfc5846e40294a8bd588
Closes-Bug: #1768795

Change-Id: I8b8631e1c215580dd7711a0c0b3683b06ddc47d3

User can use custom directory for nova instance.
For example using a shared file system as backend.

Change-Id: I11fe4891719a2e2a34888d8b798df5602e294e4f

Other lists of servers have the postfix _servers. To be consistent
this change uses the same format for Kafka.

Change-Id: Ia595f2ab485904e76fb76211f6715a7c019886ea
Partially-Implements: blueprint monasca-roles

As of the Queens release, Keystone solely implements the Identity
API v3. Support for Identity API v2.0 has been removed since Queens
in favor of the Identity API v3.

Change-Id: If65b26935e8bd1e6655d84259499f4013762e4e3
Closes-Bug: #1778846

Skydive recently splitted the OpenStack configuration:
one for the authentication - on the analyzer - 'auth.keystone'
and an other one for the Neutron probe on the agent
'agent.topology.neutron'.

Change-Id: Idce277d30f01e7a36499b1aee24c54779c54a807