With this change, an operator may be able to stop a
service container without stopping all services in a host.
This change is the starting point to start
fast-forward upgrades support.
In next changes new flags will be introducced to disable
stop dataplane services during upgrades.
Change-Id: Ifde7a39d7d8596ef0d7405ecf1ac1d49a459d9ef
Implements: blueprint support-stop-containers
The dnsmasq PXE filter [1] provides far better scalability than the
iptables filter typically used. Inspector manages files in a dhcp-hostsdir
directory that is watched by dnsmasq via inotify. Dnsmasq then either
whitelists or blacklists MAC addresses based on the contents of these
files.
This change adds a new variable, ironic_inspector_pxe_filter, that can
be used to configure the PXE filter for ironic inspector. Currently
supported values are 'iptables' and 'dnsmasq', with 'iptables' being the
default for backwards compatibility.
[1]
https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html
Implements: blueprint ironic-inspector-dnsmasq-pxe-filter
Change-Id: I73cae9c33b49972342cf1984372a5c784df5cbc2
If the [processing] ramdisk_logs_dir option is set, logs returned by the
ironic inspection ramdisk following hardware inspection will be stored
at that location. This enables easier debugging if inspection fails.
Change-Id: I36bdf75c04b088b67b5f54fdf20251c10bdddb63
The firewall section has been renamed in upstream ironic inspector:
7b27585463
Consequently the iptables pxe filter does not work if the actual
dnsmasq interface name differs from the default (br-ctlplane), as can
be seen from this snippet of iptables-save output:
-A INPUT -i br-ctlplane -p udp -m udp --dport 67 -j ironic-inspector
Change-Id: Ic1d08b85e0b5992fbee489f2f9fd174982b5d493
Having all services in one giant haproxy file makes altering
configuration for a service both painful and dangerous. Each service
should be configured with a simple set of variables and rendered with a
single unified template.
Available are two new templates:
* haproxy_single_service_listen.cfg.j2: close to the original style, but
only one service per file
* haproxy_single_service_split.cfg.j2: using the newer haproxy syntax
for separated frontend and backend
For now the default will be the single listen block, for ease of
transition.
Change-Id: I6e237438fbc0aa3c89a3c8bd706a53b74e71904b
Now kolla dev mode only support clone master branch from git,
add version tag to support clone dedicated branch.
Change-Id: I88de238e5dc7461ba0662a3ecea9a2d80fd0db60
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1]https://review.openstack.org/#/c/508522/
Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ifd8527d404f1df807ae8196eac2b3849911ddc26
Closes-Bug: #1761907
The variable 'ironic_dnsmasq_interface' is used to configure the interface
used by the ironic inspector dnsmasq service for DHCP on the inspection
network. It is being used correctly in inspector.conf, but not in the
dnsmasq configuration file, which uses api_interface. This change modifies
the dnsmasq configuration file to also use ironic_dnsmasq_interface.
Change-Id: I7670544f4bc41c93ac1d081486502f9ffb8f2286
Closes-Bug: #1785574
Ironic requires the Keystone credentials to communicate with Cinder if
booting from volume.
Change-Id: Id9a90d986e391e84c8ad918af371a5aef33a3524
Closes-Bug: #1785201
This commit is to apply resource-constraints to a few more OpenStack services.
Commit to apply constraints to the last set of services will be made in
the upcoming commit.
Depends-on: Icafa54baca24d2de64238222a5677b9d8b90e2aa
Change-Id: I39004f54281f97d53dfa4b1dbcf248650ad6f186
Both the driver and the enabled_drivers options are being removed
this week. Stop setting them to avoid breakages.
Change-Id: I0e0bf851424b8f5839b159ef83f1cc65c30e2fb3
Add become to all tasks that use the module "kolla_docker"
Change-Id: I4309c4011687b88ec31d739fd8f834fe2326ff10
Partial-Implements: blueprint ansible-specific-task-become
When enable_ironic_ipxe is set in /etc/kolla/globals.yml,
the following happens:
- a new docker container, ironic_ipxe, is created. This contains
an apache webserver used to serve up the boot images
- ironic is configured to use ipxe
Change-Id: I08fca1864a00afb768494406c49e968920c83ae7
Implements: blueprint ironic-ipxe
By now, ironic-dnsmasq has default bootfile pxelinux.0,
which is correct only for x86.
Adding ironic_dnsmasq_boot_file parameter to globals.yml
to make it configuable.
For example: /etc/kolla/globals.yml
ironic_dnsmasq_boot_file: "debian-installer/arm64/bootnetaa64.efi"
Change-Id: I6eb57702d4dad549ef8c999c1c82e577f316d8d6
In change I78cb60168aaa40bb6439198283546b7faf33917c, action was changed
to kolla_action, and serial to kolla_serial, to avoid Ansible warnings
due to use of reserved keywords. In that change, some keywords were
missed, and some changes that were merged since then have not switched
to the new variables. This change fixes all current instances of those
issues.
Change-Id: I357dffdfcb2b405e280a962d366ee65eebf0a8d1
Implements: blueprint migrate-to-ansible-2-2-0
- rename action and serial to kolla_ansible and kolla_serial
- use become instead of "sudo <command>" in shell
- Remove quota for failed_when and changed_when in rabbitmq tasks
Change-Id: I78cb60168aaa40bb6439198283546b7faf33917c
Implements: blueprint migrate-to-ansible-2-2-0
When attempting to inspect a node with ironic, it seems at times
ironic_dnsmasq fails to process dhcp bootp requests, giving the
following error repeating:
dnsmasq-dhcp: DHCPDISCOVER(eth0) 52:54:00:ff:15:55
dnsmasq-dhcp: DHCPOFFER(eth0) 192.169.5.100 52:54:00:ff:15:55
dnsmasq-dhcp: ARP-cache injection failed: Operation not permitted
Adding NET_ADMIN fixes this.
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Closes-Bug: #1762805
Change-Id: I39acb81801710f849336380d3fde01c70cd8d8ce
The ironic_dnsmasq config for ironic inspector uses the internal VIP for
the TFTP server address DHCP option. This is not going to work,
since HAProxy is not configured to forward TFTP, and does not support
UDP forwarding anyway. The config should use the api_interface IP for
the host running ironic_dnsmasq.
Change-Id: I56a0d46e9b528041cacea7196a525891ed5922f0
Closes-Bug: #1761815
If SSL is enabled, api of multiple services returns
wrong external URL without https prefix.
Removal of condition for deletion of http header.
Change-Id: I4264e04d0d6b9a3e11ef7dd7add6c5e166cf9fb4
Closes-Bug: #1749155
Closes-Bug: #1717491
- remove uesless module_extra_vars, this is a historical issue. In the
past, we use 'docker exec kolla_toolbox ansible xxx' to run module on
target node, so complex data have to pass through extra_vars. Now we
are using kolla_toolbox module, no need to use extra_vars anymore.
- Remove some useless until.
Change-Id: I72ed28001202917f9a82a1c3ea33cd6319911ec8
When deploy ironic, the ironic_dnsmasq keep restaring if
ironic_dnsmasq_dhcp_range is missing, so it necessary to add a
prechecks to ensure it be set.
Change-Id: I0c1d91f62f4e5dad2d9a45a2a7bb51b5121dbfda
This change allows the following use cases:
1. Using an already-configured MariaDB / MySQL server / Cluster
2. Using already-created DB users, without requiring root DB access.
Update: added external mariadb precheck
Change-Id: I78b0d178306d7c5293b0bf53e445f19f18b4b824
Implements: blueprint external-mariadb-support.
Closes-Bug: #1603121
through the database_address has beed defined in groups_vars/all.yml, we should
better use it, this way, if we want to use external database, we just need to
redefined in all.yml
refer to https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L83
Co-Authored-By: chenqiaomin <chen.qiaomin@99cloud.net>
Change-Id: Ie559301451954e16347ceaabf02f594c5c5cbe56
Fixes a bug where the Baremetal Introspection service's public endpoint
registered in the Identity service referenced the internal API endpoint.
Also updates keystone endpoints for the Baremetal and Baremetal
Introspection services during reconfigure and upgrade operations.
Previously this was only done during deploy.
Change-Id: I32d475f288bb4a3834c13cc86f0c53b5437c3d25
Closes-Bug: #1738418
Kolla-ansible typically configures services to access the internal API
endpoint of other services, rather than the default public endpoint.
This change ensures that this is the case for ironic inspector.
Change-Id: I998f12435fc1bd306444f9a68bd7f99f5b78f6f8
Closes-Bug: #1740591
Support pxe uefi mode following guide
https://docs.openstack.org/ironic/latest/install/configure-pxe.html
In the meantime, ironic-agent kernel and initramfs does not have to
be provided as precondition under /etc/kolla/config in such mode.
Add condition check as well.
Change-Id: Ieefcf5f9fe839eab63f3fe4a1c5cf845f4fd4eb5
Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
This commit separates the messaging rpc and notify transports in order
to support separate and different oslo.messaging backends
This patch:
* add rpc and notify variables
* update service role conf templates
* add example to globals.yaml
* add release note
Implements: blueprint hybrid-messaging
Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185
flat network type is not mandatory. There are two cases,
1. ironic with flat network: we can use neutron vlan network to
provision baremetal nodes, as long as the interface of the baremetal
nodes are configured to use the same vlan.
2. ironic with neutron network: all provision and cleaning_network can
be vlan type and no flat is needed at all.
So we should remove the task.
Change-Id: I176ded6d2a8b14e350f665f63bc37eb488d32679
Closes-Bug: #1725170
