openstack/kolla-ansible
Code Issues Proposed changes
7c2b4bead2
kolla-ansible/ansible/roles/zun/templates/zun.conf.j2

136 lines
4.1 KiB
Plaintext
Raw Normal View History

Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
[DEFAULT]
debug = {{ zun_logging_debug }}
Fix zun-api logging and state_path Zun-api is using app.wsgi as log filename. This change forzes zun-api.log to ease identification. Also changes group owner of log dir to kolla group. Remove glance version as is in zun's defaults Set state_path, this is where zun will store catched images, similar as nova cache. No need HA or volume as is only cached data. Change-Id: I20f8d311bfde1c0a07d7d35e9f1412c71efa8504
2017-07-06 12:25:56 +02:00
{% if service_name == 'zun-api' %}
# Force zun-api.log or will use app.wsgi
log_file = /var/log/kolla/zun/zun-api.log
{% endif %}
Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
log_dir = /var/log/kolla/zun
Add support for hybrid messaging backends This commit separates the messaging rpc and notify transports in order to support separate and different oslo.messaging backends This patch: * add rpc and notify variables * update service role conf templates * add example to globals.yaml * add release note Implements: blueprint hybrid-messaging Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185
2017-05-29 18:14:06 -04:00
transport_url = {{ rpc_transport_url }}
Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
Fix zun-api logging and state_path Zun-api is using app.wsgi as log filename. This change forzes zun-api.log to ease identification. Also changes group owner of log dir to kolla group. Remove glance version as is in zun's defaults Set state_path, this is where zun will store catched images, similar as nova cache. No need HA or volume as is only cached data. Change-Id: I20f8d311bfde1c0a07d7d35e9f1412c71efa8504
2017-07-06 12:25:56 +02:00
state_path = /var/lib/zun
zun: load container driver from entry point Starting from U release, container driver is loaded from entry point. Deployers should specify the entry point (i.e. ``docker``) in config option ``container_driver`` under ``[DEFAULT]`` session. Zun patch: https://review.opendev.org/#/c/703259/ Change-Id: I96e38760e7b13a6e11737372e9e7fd36cca6f749
2020-02-23 17:36:46 +00:00
container_driver = docker
Zun: Add zun-cni-daemon to compute node Zun has a new component "zun-cni-daemon" which should be deployed in every compute nodes. It is basically an implementation of CNI (Container Network Interface) that performs the neutron port binding. If users is using the capsule (pod) API, the recommended deployment option is using "cri" as capsule driver. This is basically to use a CRI runtime (i.e. CRI plugin for containerd) for supporting capsules (pods). A CRI runtime needs a CNI plugin which is what the "zun-cni-daemon" provides. The configuration is based on the Zun installation guide [1]. It consits of the following steps: * Configure the containerd daemon in the host. The "zun-compute" container will use grpc to communicate with this service. * Install the "zun-cni" binary at host. The containerd process will invoke this binary to call the CNI plugin. * Run a "zun-cni-daemon" container. The "zun-cni" binary will communicate with this container via HTTP. Relevant patches: Blueprint: https://blueprints.launchpad.net/zun/+spec/add-support-cri-runtime Install guide: https://review.opendev.org/#/c/707948/ Devstack plugin: https://review.opendev.org/#/c/705338/ Kolla image: https://review.opendev.org/#/c/708273/ [1] https://docs.openstack.org/zun/latest/install/index.html Depends-On: https://review.opendev.org/#/c/721044/ Change-Id: I9c361a99b355af27907cf80f5c88d97191193495
2020-02-17 16:45:33 +00:00
capsule_driver = cri
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
Use kuryr for zun network Zun made mandatory to use kuryr for networking. This change update zun config to use kuryr. Also updates documentation. Change-Id: I9a55e390709b7e21d3efbd4be17a36db85cd8521
2017-06-13 14:39:26 +02:00
[network]
driver = kuryr
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
[api]
host_ip = {{ api_interface_address }}
port = {{ zun_api_port }}
workers = {{ openstack_service_workers }}
Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
[database]
connection = mysql+pymysql://{{ zun_database_user }}:{{ zun_database_password }}@{{ zun_database_address }}/{{ zun_database_name }}
Reduce the use of SQLAlchemy connection pooling When the internal VIP is moved in the event of a failure of the active controller, OpenStack services can become unresponsive as they try to talk with MariaDB using connections from the SQLAlchemy pool. It has been argued that OpenStack doesn't really need to use connection pooling with MariaDB [1]. This commit reduces the use of connection pooling via two configuration options: - max_pool_size is set to 1 to allow only a single connection in the pool (it is not possible to disable connection pooling entirely via oslo.db, and max_pool_size = 0 means unlimited pool size) - lower connection_recycle_time from the default of one hour to 10 seconds, which means the single connection in the pool will be recreated regularly These settings have shown better reactivity of the system in the event of a failover. [1] http://lists.openstack.org/pipermail/openstack-dev/2015-April/061808.html Change-Id: Ib6a62d4428db9b95569314084090472870417f3d Closes-Bug: #1896635
2020-09-22 17:52:36 +02:00
connection_recycle_time = {{ database_connection_recycle_time }}
max_pool_size = {{ database_max_pool_size }}
Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
max_retries = -1
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
# NOTE(yoctozepto): despite what the docs say, both keystone_auth and
# keystone_authtoken sections are used and Zun internals may use either -
# - best keep them both in sync
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
[keystone_auth]
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
www_authenticate_uri = {{ keystone_internal_url }}
Use keystone_*_url var in all configs We're duplicating code to build the keystone URLs in nearly every config, where we've already done it in group_vars. Replace the redundancy with a variable that does the same thing. Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a
2018-12-18 13:36:18 -05:00
auth_url = {{ keystone_admin_url }}
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
auth_type = password
Standardize Keystone domain variables As described here: https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L841 https://github.com/openstack/keystone/blob/master/keystone/conf/identity.py#L21 * default project domain name MUST be named 'Default' * default project domain id MUST be named 'default' * default project user name MUST be named 'Default' * default project user id MUST be named 'default' Change-Id: I610a0416647fdea31bb04889364da5395d8c8d74
2017-06-30 14:24:23 +02:00
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
project_name = service
username = {{ zun_keystone_user }}
password = {{ zun_keystone_password }}
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
service_token_roles_required = True
region_name = {{ openstack_region_name }}
Remove default(omit) from openstack_cacert in templates The use of default(omit) is for module parameters, not templates. We define a default value for openstack_cacert, so it should never be undefined anyway. Change-Id: Idfa73097ca168c76559dc4f3aa8bb30b7113ab28
2020-04-03 14:49:08 +01:00
cafile = {{ openstack_cacert }}
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
{% if enable_memcached | bool %}
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
Implement IPv6 support in the control plane Introduce kolla_address filter. Introduce put_address_in_context filter. Add AF config to vars. Address contexts: - raw (default): <ADDR> - memcache: inet6:[<ADDR>] - url: [<ADDR>] Other changes: globals.yml - mention just IP in comment prechecks/port_checks (api_intf) - kolla_address handles validation 3x interface conditional (swift configs: replication/storage) 2x interface variable definition with hostname (haproxy listens; api intf) 1x interface variable definition with hostname with bifrost exclusion (baremetal pre-install /etc/hosts; api intf) neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network basic multinode source CI job for IPv6 prechecks for rabbitmq and qdrouterd use proper NSS database now MariaDB Galera Cluster WSREP SST mariabackup workaround (socat and IPv6) Ceph naming workaround in CI TODO: probably needs documenting RabbitMQ IPv6-only proto_dist Ceph ms switch to IPv6 mode Remove neutron-server ml2_type_vxlan/vxlan_group setting as it is not used (let's avoid any confusion) and could break setups without proper multicast routing if it started working (also IPv4-only) haproxy upgrade checks for slaves based on ipv6 addresses TODO: ovs-dpdk grabs ipv4 network address (w/ prefix len / submask) not supported, invalid by default because neutron_external has no address No idea whether ovs-dpdk works at all atm. ml2 for xenapi Xen is not supported too well. This would require working with XenAPI facts. rp_filter setting This would require meddling with ip6tables (there is no sysctl param). By default nothing is dropped. Unlikely we really need it. ironic dnsmasq is configured IPv4-only dnsmasq needs DHCPv6 options and testing in vivo. KNOWN ISSUES (beyond us): One cannot use IPv6 address to reference the image for docker like we currently do, see: https://github.com/moby/moby/issues/39033 (docker_registry; docker API 400 - invalid reference format) workaround: use hostname/FQDN RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4. This is due to old RabbitMQ versions available in images. IPv4 is preferred by default and may fail in the IPv6-only scenario. This should be no problem in real life as IPv6-only is indeed IPv6-only. Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will no longer be relevant as we supply all the necessary config. See: https://github.com/rabbitmq/rabbitmq-server/pull/1982 For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed to work well). Older Ansible versions are known to miss IPv6 addresses in interface facts. This may affect redeploys, reconfigures and upgrades which run after VIP address is assigned. See: https://github.com/ansible/ansible/issues/63227 Bifrost Train does not support IPv6 deployments. See: https://storyboard.openstack.org/#!/story/2006689 Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Implements: blueprint ipv6-control-plane Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-09-11 20:47:00 +02:00
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
{% endif %}
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
# NOTE(yoctozepto): despite what the docs say, both keystone_auth and
# keystone_authtoken sections are used and Zun internals may use either -
# - best keep them both in sync
Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
[keystone_authtoken]
Use keystone_*_url var in all configs We're duplicating code to build the keystone URLs in nearly every config, where we've already done it in group_vars. Replace the redundancy with a variable that does the same thing. Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a
2018-12-18 13:36:18 -05:00
www_authenticate_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_admin_url }}
Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
auth_type = password
Standardize Keystone domain variables As described here: https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L841 https://github.com/openstack/keystone/blob/master/keystone/conf/identity.py#L21 * default project domain name MUST be named 'Default' * default project domain id MUST be named 'default' * default project user name MUST be named 'Default' * default project user id MUST be named 'default' Change-Id: I610a0416647fdea31bb04889364da5395d8c8d74
2017-06-30 14:24:23 +02:00
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
project_name = service
username = {{ zun_keystone_user }}
password = {{ zun_keystone_password }}
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
service_token_roles_required = True
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
region_name = {{ openstack_region_name }}
Remove default(omit) from openstack_cacert in templates The use of default(omit) is for module parameters, not templates. We define a default value for openstack_cacert, so it should never be undefined anyway. Change-Id: Idfa73097ca168c76559dc4f3aa8bb30b7113ab28
2020-04-03 14:49:08 +01:00
cafile = {{ openstack_cacert }}
Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
{% if enable_memcached | bool %}
Add zun ansible role Change-Id: I13cf03d6a97fb94dd7cb309e99a417ad101dc21a Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com> Partially-implements: bp add-zun-ansible-role
2017-01-03 08:45:53 +00:00
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
Implement IPv6 support in the control plane Introduce kolla_address filter. Introduce put_address_in_context filter. Add AF config to vars. Address contexts: - raw (default): <ADDR> - memcache: inet6:[<ADDR>] - url: [<ADDR>] Other changes: globals.yml - mention just IP in comment prechecks/port_checks (api_intf) - kolla_address handles validation 3x interface conditional (swift configs: replication/storage) 2x interface variable definition with hostname (haproxy listens; api intf) 1x interface variable definition with hostname with bifrost exclusion (baremetal pre-install /etc/hosts; api intf) neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network basic multinode source CI job for IPv6 prechecks for rabbitmq and qdrouterd use proper NSS database now MariaDB Galera Cluster WSREP SST mariabackup workaround (socat and IPv6) Ceph naming workaround in CI TODO: probably needs documenting RabbitMQ IPv6-only proto_dist Ceph ms switch to IPv6 mode Remove neutron-server ml2_type_vxlan/vxlan_group setting as it is not used (let's avoid any confusion) and could break setups without proper multicast routing if it started working (also IPv4-only) haproxy upgrade checks for slaves based on ipv6 addresses TODO: ovs-dpdk grabs ipv4 network address (w/ prefix len / submask) not supported, invalid by default because neutron_external has no address No idea whether ovs-dpdk works at all atm. ml2 for xenapi Xen is not supported too well. This would require working with XenAPI facts. rp_filter setting This would require meddling with ip6tables (there is no sysctl param). By default nothing is dropped. Unlikely we really need it. ironic dnsmasq is configured IPv4-only dnsmasq needs DHCPv6 options and testing in vivo. KNOWN ISSUES (beyond us): One cannot use IPv6 address to reference the image for docker like we currently do, see: https://github.com/moby/moby/issues/39033 (docker_registry; docker API 400 - invalid reference format) workaround: use hostname/FQDN RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4. This is due to old RabbitMQ versions available in images. IPv4 is preferred by default and may fail in the IPv6-only scenario. This should be no problem in real life as IPv6-only is indeed IPv6-only. Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will no longer be relevant as we supply all the necessary config. See: https://github.com/rabbitmq/rabbitmq-server/pull/1982 For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed to work well). Older Ansible versions are known to miss IPv6 addresses in interface facts. This may affect redeploys, reconfigures and upgrades which run after VIP address is assigned. See: https://github.com/ansible/ansible/issues/63227 Bifrost Train does not support IPv6 deployments. See: https://storyboard.openstack.org/#!/story/2006689 Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Implements: blueprint ipv6-control-plane Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-09-11 20:47:00 +02:00
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
{% endif %}
[zun_client]
region_name = {{ openstack_region_name }}
endpoint_type = internalURL
Fix Zun configuration for TLS The Zun configuration file does not set the CA for the clients the Zun service uses: zun_client, glance_client, neutron_client, cinder_client, and placement_client. This will cause the Zun service to fail when TLS is enabled in the OpenStack deployment. Depends-On: https://review.opendev.org/#/c/736809 Change-Id: Ieed843c890210608699c1a63deed66c9bb63986c
2020-06-26 11:16:08 -07:00
ca_file = {{ openstack_cacert }}
Fix zun deployment Configure zun-api to use apache. Fix zun endpoint (tenant_id) causes a 404 error. Fix zun.conf options Change zun port, correct port is 9517 Zun compute need privileged and mount docker lib volume Change-Id: Id9455e7dde62e1994a3f6ae8f30d378e5cda4262 Closes-Bug: #1682165
2017-04-12 16:28:33 +01:00
[glance_client]
region_name = {{ openstack_region_name }}
endpoint_type = internalURL
Fix Zun configuration for TLS The Zun configuration file does not set the CA for the clients the Zun service uses: zun_client, glance_client, neutron_client, cinder_client, and placement_client. This will cause the Zun service to fail when TLS is enabled in the OpenStack deployment. Depends-On: https://review.opendev.org/#/c/736809 Change-Id: Ieed843c890210608699c1a63deed66c9bb63986c
2020-06-26 11:16:08 -07:00
ca_file = {{ openstack_cacert }}
Support OSprofile usage OSprofile allows user/devs trace OpenStack requests. Implements: blueprint enable-osprofiler Co-Authored-By: Bertrand Lallau <bertrand.lallau@gmail.com> Change-Id: I82ea85d726011ef6cbf99380f395452d6d7f8053
2017-04-10 15:31:41 +01:00
Use kuryr for zun network Zun made mandatory to use kuryr for networking. This change update zun config to use kuryr. Also updates documentation. Change-Id: I9a55e390709b7e21d3efbd4be17a36db85cd8521
2017-06-13 14:39:26 +02:00
[neutron_client]
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
region_name = {{ openstack_region_name }}
endpoint_type = internalURL
Fix Zun configuration for TLS The Zun configuration file does not set the CA for the clients the Zun service uses: zun_client, glance_client, neutron_client, cinder_client, and placement_client. This will cause the Zun service to fail when TLS is enabled in the OpenStack deployment. Depends-On: https://review.opendev.org/#/c/736809 Change-Id: Ieed843c890210608699c1a63deed66c9bb63986c
2020-06-26 11:16:08 -07:00
ca_file = {{ openstack_cacert }}
Fix Zun connectivity to itself and Cinder Zun was misconfigured and defaulted to using public endpoints which are likely inaccessible from the internal network. This patch fixes that and removes unused and deprecated options. Validity of options confirmed from Queens to Train against respective docs. Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5 Closes-bug: #1840572 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-18 12:22:20 +02:00
[cinder_client]
Use kuryr for zun network Zun made mandatory to use kuryr for networking. This change update zun config to use kuryr. Also updates documentation. Change-Id: I9a55e390709b7e21d3efbd4be17a36db85cd8521
2017-06-13 14:39:26 +02:00
region_name = {{ openstack_region_name }}
endpoint_type = internalURL
Fix Zun configuration for TLS The Zun configuration file does not set the CA for the clients the Zun service uses: zun_client, glance_client, neutron_client, cinder_client, and placement_client. This will cause the Zun service to fail when TLS is enabled in the OpenStack deployment. Depends-On: https://review.opendev.org/#/c/736809 Change-Id: Ieed843c890210608699c1a63deed66c9bb63986c
2020-06-26 11:16:08 -07:00
ca_file = {{ openstack_cacert }}
Use kuryr for zun network Zun made mandatory to use kuryr for networking. This change update zun config to use kuryr. Also updates documentation. Change-Id: I9a55e390709b7e21d3efbd4be17a36db85cd8521
2017-06-13 14:39:26 +02:00
[train] Finish configuring Zun to use Placement This also enables Placement when Zun is enabled like Kolla Ansible already does with Nova. Change-Id: Id2a09f702e8503b49d2b9e73e06b2ce9f4d168a9 Closes-bug: #1840573
2019-10-20 19:33:56 +02:00
[placement_client]
region_name = {{ openstack_region_name }}
endpoint_type = internalURL
Fix Zun configuration for TLS The Zun configuration file does not set the CA for the clients the Zun service uses: zun_client, glance_client, neutron_client, cinder_client, and placement_client. This will cause the Zun service to fail when TLS is enabled in the OpenStack deployment. Depends-On: https://review.opendev.org/#/c/736809 Change-Id: Ieed843c890210608699c1a63deed66c9bb63986c
2020-06-26 11:16:08 -07:00
ca_file = {{ openstack_cacert }}
[train] Finish configuring Zun to use Placement This also enables Placement when Zun is enabled like Kolla Ansible already does with Nova. Change-Id: Id2a09f702e8503b49d2b9e73e06b2ce9f4d168a9 Closes-bug: #1840573
2019-10-20 19:33:56 +02:00
Use kuryr for zun network Zun made mandatory to use kuryr for networking. This change update zun config to use kuryr. Also updates documentation. Change-Id: I9a55e390709b7e21d3efbd4be17a36db85cd8521
2017-06-13 14:39:26 +02:00
{% if enable_osprofiler | bool %}
Support OSprofile usage OSprofile allows user/devs trace OpenStack requests. Implements: blueprint enable-osprofiler Co-Authored-By: Bertrand Lallau <bertrand.lallau@gmail.com> Change-Id: I82ea85d726011ef6cbf99380f395452d6d7f8053
2017-04-10 15:31:41 +01:00
[profiler]
enabled = true
trace_sqlalchemy = true
hmac_keys = {{ osprofiler_secret }}
osprofiler support redis Currently osprofiler only choose elasticsearch, which is only supported on x86. On other platform like aarch64 osprofiler can not be used since no elasticsearch package. Enable osprofiler by enable_osprofiler: "yes", which choose elasticsearch by default. Choose redis by enable_redis: "yes" & osprofiler_backend: "redis" On platform without elasticsearch support like aarch64 set enable_elasticsearch: "no" Change-Id: I68fe7a33e11d28684962fc5d0b3d326e90784d78
2018-04-24 14:08:28 +08:00
connection_string = {{ osprofiler_backend_connection_string }}
Support OSprofile usage OSprofile allows user/devs trace OpenStack requests. Implements: blueprint enable-osprofiler Co-Authored-By: Bertrand Lallau <bertrand.lallau@gmail.com> Change-Id: I82ea85d726011ef6cbf99380f395452d6d7f8053
2017-04-10 15:31:41 +01:00
{% endif %}
Add zun configuration about oslo.concurrency Zun use oslo.concurrency to achieve safely running multi-thread, multi-process applications. The lock_path is directory to use for lock files. If external locks are used, lock path must be set. Change-Id: I4f667d9699ec2231722bcfd7c5f84ba47fc8465c
2018-01-14 07:32:51 +08:00
[oslo_concurrency]
lock_path = /var/lib/zun/tmp
Support policy.yaml file [part 7] - Vitrage - Watcher - Zun This will copy only yaml or json policy file if they exist. Change-Id: I913b3b067237cc4694894cc00bcc363127dd3806 Implements: blueprint support-custom-policy-yaml Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
2018-01-08 17:36:42 +07:00
{% if zun_policy_file is defined %}
[oslo_policy]
policy_file = {{ zun_policy_file }}
{% endif %}
Add zun-wsproxy into kolla-ansible the zun-wsproxy image is exists in kolla[0], but kolla-ansible missing, this ps to add it. [0]: https://github.com/openstack/kolla/tree/master/docker/zun/zun-wsproxy Co-Authored-By: ZhijunWei <wzj334965317@outlook.com> Change-Id: I89ef3463dfa5df8cf2d963ff0f0c7ddc382fc79b Closes-Bug: #1765728
2018-04-20 22:14:13 +08:00
Configure Zun for Placement (Train+) After the integration with placement [1], we need to configure how zun-compute is going to work with nova-compute. * If zun-compute and nova-compute run on the same compute node, we need to set 'host_shared_with_nova' as true so that Zun will use the resource provider (compute node) created by nova. In this mode, containers and VMs could claim allocations against the same resource provider. * If zun-compute runs on a node without nova-compute, no extra configuration is needed. By default, each zun-compute will create a resource provider in placement to represent the compute node it manages. [1] https://blueprints.launchpad.net/zun/+spec/use-placement-resource-management Change-Id: I2d85911c4504e541d2994ce3d48e2fbb1090b813
2019-09-07 20:34:58 +00:00
[compute]
host_shared_with_nova = {{ inventory_hostname in groups['compute'] and enable_nova | bool and not enable_nova_fake | bool }}
Add zun-wsproxy into kolla-ansible the zun-wsproxy image is exists in kolla[0], but kolla-ansible missing, this ps to add it. [0]: https://github.com/openstack/kolla/tree/master/docker/zun/zun-wsproxy Co-Authored-By: ZhijunWei <wzj334965317@outlook.com> Change-Id: I89ef3463dfa5df8cf2d963ff0f0c7ddc382fc79b Closes-Bug: #1765728
2018-04-20 22:14:13 +08:00
[websocket_proxy]
wsproxy_host = {{ api_interface_address }}
wsproxy_port = {{ zun_wsproxy_port }}
Implement IPv6 support in the control plane Introduce kolla_address filter. Introduce put_address_in_context filter. Add AF config to vars. Address contexts: - raw (default): <ADDR> - memcache: inet6:[<ADDR>] - url: [<ADDR>] Other changes: globals.yml - mention just IP in comment prechecks/port_checks (api_intf) - kolla_address handles validation 3x interface conditional (swift configs: replication/storage) 2x interface variable definition with hostname (haproxy listens; api intf) 1x interface variable definition with hostname with bifrost exclusion (baremetal pre-install /etc/hosts; api intf) neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network basic multinode source CI job for IPv6 prechecks for rabbitmq and qdrouterd use proper NSS database now MariaDB Galera Cluster WSREP SST mariabackup workaround (socat and IPv6) Ceph naming workaround in CI TODO: probably needs documenting RabbitMQ IPv6-only proto_dist Ceph ms switch to IPv6 mode Remove neutron-server ml2_type_vxlan/vxlan_group setting as it is not used (let's avoid any confusion) and could break setups without proper multicast routing if it started working (also IPv4-only) haproxy upgrade checks for slaves based on ipv6 addresses TODO: ovs-dpdk grabs ipv4 network address (w/ prefix len / submask) not supported, invalid by default because neutron_external has no address No idea whether ovs-dpdk works at all atm. ml2 for xenapi Xen is not supported too well. This would require working with XenAPI facts. rp_filter setting This would require meddling with ip6tables (there is no sysctl param). By default nothing is dropped. Unlikely we really need it. ironic dnsmasq is configured IPv4-only dnsmasq needs DHCPv6 options and testing in vivo. KNOWN ISSUES (beyond us): One cannot use IPv6 address to reference the image for docker like we currently do, see: https://github.com/moby/moby/issues/39033 (docker_registry; docker API 400 - invalid reference format) workaround: use hostname/FQDN RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4. This is due to old RabbitMQ versions available in images. IPv4 is preferred by default and may fail in the IPv6-only scenario. This should be no problem in real life as IPv6-only is indeed IPv6-only. Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will no longer be relevant as we supply all the necessary config. See: https://github.com/rabbitmq/rabbitmq-server/pull/1982 For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed to work well). Older Ansible versions are known to miss IPv6 addresses in interface facts. This may affect redeploys, reconfigures and upgrades which run after VIP address is assigned. See: https://github.com/ansible/ansible/issues/63227 Bifrost Train does not support IPv6 deployments. See: https://storyboard.openstack.org/#!/story/2006689 Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Implements: blueprint ipv6-control-plane Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-09-11 20:47:00 +02:00
base_url = ws://{{ kolla_external_fqdn | put_address_in_context('url') }}:{{ zun_wsproxy_port }}
zun: set docker api version to 1.24 Kolla is using Docker API version 1.24 but the default is 1.26 in Zun. We need to configure it to 1.24 so that Zun and Kolla can work together. Partial-Bug: #1782055 Change-Id: I072dccc06fe35dccf25068ef0ca8f39cad9fdc60
2018-07-16 03:13:09 +00:00
[docker]
Implement IPv6 support in the control plane Introduce kolla_address filter. Introduce put_address_in_context filter. Add AF config to vars. Address contexts: - raw (default): <ADDR> - memcache: inet6:[<ADDR>] - url: [<ADDR>] Other changes: globals.yml - mention just IP in comment prechecks/port_checks (api_intf) - kolla_address handles validation 3x interface conditional (swift configs: replication/storage) 2x interface variable definition with hostname (haproxy listens; api intf) 1x interface variable definition with hostname with bifrost exclusion (baremetal pre-install /etc/hosts; api intf) neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network basic multinode source CI job for IPv6 prechecks for rabbitmq and qdrouterd use proper NSS database now MariaDB Galera Cluster WSREP SST mariabackup workaround (socat and IPv6) Ceph naming workaround in CI TODO: probably needs documenting RabbitMQ IPv6-only proto_dist Ceph ms switch to IPv6 mode Remove neutron-server ml2_type_vxlan/vxlan_group setting as it is not used (let's avoid any confusion) and could break setups without proper multicast routing if it started working (also IPv4-only) haproxy upgrade checks for slaves based on ipv6 addresses TODO: ovs-dpdk grabs ipv4 network address (w/ prefix len / submask) not supported, invalid by default because neutron_external has no address No idea whether ovs-dpdk works at all atm. ml2 for xenapi Xen is not supported too well. This would require working with XenAPI facts. rp_filter setting This would require meddling with ip6tables (there is no sysctl param). By default nothing is dropped. Unlikely we really need it. ironic dnsmasq is configured IPv4-only dnsmasq needs DHCPv6 options and testing in vivo. KNOWN ISSUES (beyond us): One cannot use IPv6 address to reference the image for docker like we currently do, see: https://github.com/moby/moby/issues/39033 (docker_registry; docker API 400 - invalid reference format) workaround: use hostname/FQDN RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4. This is due to old RabbitMQ versions available in images. IPv4 is preferred by default and may fail in the IPv6-only scenario. This should be no problem in real life as IPv6-only is indeed IPv6-only. Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will no longer be relevant as we supply all the necessary config. See: https://github.com/rabbitmq/rabbitmq-server/pull/1982 For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed to work well). Older Ansible versions are known to miss IPv6 addresses in interface facts. This may affect redeploys, reconfigures and upgrades which run after VIP address is assigned. See: https://github.com/ansible/ansible/issues/63227 Bifrost Train does not support IPv6 deployments. See: https://storyboard.openstack.org/#!/story/2006689 Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Implements: blueprint ipv6-control-plane Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-09-11 20:47:00 +02:00
api_url = tcp://{{ api_interface_address | put_address_in_context('url') }}:2375
Fix Zun Docker remote API host This makes WS (so e.g. console) always work with the way we deploy Zun. Otherwise it used the first IP address. Change-Id: Ib31c5944be2f6fa00cdf5da3e638a590e6bace40 Closes-bug: #1841243 Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-08-23 19:38:18 +02:00
docker_remote_api_host = {{ api_interface_address }}
docker_remote_api_port = 2375
Zun: Add zun-cni-daemon to compute node Zun has a new component "zun-cni-daemon" which should be deployed in every compute nodes. It is basically an implementation of CNI (Container Network Interface) that performs the neutron port binding. If users is using the capsule (pod) API, the recommended deployment option is using "cri" as capsule driver. This is basically to use a CRI runtime (i.e. CRI plugin for containerd) for supporting capsules (pods). A CRI runtime needs a CNI plugin which is what the "zun-cni-daemon" provides. The configuration is based on the Zun installation guide [1]. It consits of the following steps: * Configure the containerd daemon in the host. The "zun-compute" container will use grpc to communicate with this service. * Install the "zun-cni" binary at host. The containerd process will invoke this binary to call the CNI plugin. * Run a "zun-cni-daemon" container. The "zun-cni" binary will communicate with this container via HTTP. Relevant patches: Blueprint: https://blueprints.launchpad.net/zun/+spec/add-support-cri-runtime Install guide: https://review.opendev.org/#/c/707948/ Devstack plugin: https://review.opendev.org/#/c/705338/ Kolla image: https://review.opendev.org/#/c/708273/ [1] https://docs.openstack.org/zun/latest/install/index.html Depends-On: https://review.opendev.org/#/c/721044/ Change-Id: I9c361a99b355af27907cf80f5c88d97191193495
2020-02-17 16:45:33 +00:00
[cni_daemon]
cni_daemon_port = {{ zun_cni_daemon_port }}
Support TLS encryption of RabbitMQ client-server traffic This change adds support for encryption of communication between OpenStack services and RabbitMQ. Server certificates are supported, but currently client certificates are not. The kolla-ansible certificates command has been updated to support generating certificates for RabbitMQ for development and testing. RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when The Zuul 'tls_enabled' variable is true. Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5 Implements: blueprint message-queue-ssl-support
2020-05-14 15:18:56 +01:00
{% if om_enable_rabbitmq_tls | bool %}
[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = {{ om_rabbitmq_cacert }}
{% endif %}
Copy Permalink