Introduce kolla_address filter.
Introduce put_address_in_context filter.
Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname
(haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion
(baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround
(socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting
as it is not used (let's avoid any confusion)
and could break setups without proper multicast routing
if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we
currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
This is due to old RabbitMQ versions available in images.
IPv4 is preferred by default and may fail in the IPv6-only scenario.
This should be no problem in real life as IPv6-only is indeed IPv6-only.
Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
no longer be relevant as we supply all the necessary config.
See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
to work well). Older Ansible versions are known to miss IPv6 addresses
in interface facts. This may affect redeploys, reconfigures and
upgrades which run after VIP address is assigned.
See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments.
See: https://storyboard.openstack.org/#!/story/2006689

Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
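
The three address contexts listed in the commit message above, as an added Python sketch (not the project's filter code). The function names, the sample addresses and the pass-through of IPv4 addresses and hostnames are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Context names and IPv6 forms are taken from the commit message above.
CONTEXT_FORMATS = {
    "raw": "{}",                 # <ADDR>
    "memcache": "inet6:[{}]",    # inet6:[<ADDR>]
    "url": "[{}]",               # [<ADDR>]
}


def address_in_context(address, context="raw"):
    """Return `address` formatted for `context` (hypothetical helper)."""
    if context not in CONTEXT_FORMATS:
        raise ValueError(f"unknown address context: {context!r}")
    try:
        is_ipv6 = ipaddress.ip_address(address).version == 6
    except ValueError:
        is_ipv6 = False  # not an IP literal: treat as hostname/FQDN
    if not is_ipv6:
        # Assumption: IPv4 addresses and hostnames need no decoration.
        return address
    return CONTEXT_FORMATS[context].format(address)


def memcached_servers(hosts, port):
    """Build a comma-separated memcached server list for a service config."""
    return ",".join(
        f"{address_in_context(h, 'memcache')}:{port}" for h in hosts
    )


def endpoint_url(protocol, host, port, path=""):
    """Build an endpoint URL; IPv6 literals are bracketed so ':port' is unambiguous."""
    return f"{protocol}://{address_in_context(host, 'url')}:{port}{path}"


def split_endpoint(url):
    """Parse a URL back into (hostname, port) to check it round-trips."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


if __name__ == "__main__":
    # Constructed sample values (ULA range), not taken from any deployment.
    print(memcached_servers(["fd00::10", "fd00::11"], 11211))
    print(endpoint_url("http", "fd00::10", 5000, "/v3"))
    print(split_endpoint(endpoint_url("http", "fd00::10", 5000, "/v3")))
```
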
Currently, swift-proxy config uses hosts in the swift-proxy-server group
to generate the list of memcached servers. However, memcached is
deployed to hosts in the memcached group.
This change fixes the memcached_servers option for swift-proxy to be the
same as other services.
Change-Id: Ib850a1bb2a504ac3e1396846ca3f1d9a30e8fca0
Closes-Bug: #1774313
This commit adds the necessary configuration to the Swift account,
container and object configuration files to enable the Swift recon
cli.
In order to give the object server on each Swift host access to the
recon files, a Docker volume is mounted into each container which
generates them. The volume is then mounted read only into the object
server container. Note that multiple containers append to the same
file. This should not be a problem since Swift uses a lock when
appending.
Change-Id: I343d8f45a78ebc3c11ed0c68fe8bec24f9ea7929
Co-authored-by: Doug Szumski <doug@stackhpc.com>
This feature is disabled by default, and can be enabled by setting
'enable_swift_s3api' to 'true' in globals.yml.
Two middlewares are required for Swift S3 - s3api and s3token. Additionally, we
need to configure the authtoken middleware to delay auth decisions to give
s3token a chance to authorise requests using EC2 credentials.
Change-Id: Ib8e8e3a1c2ab383100f3c60ec58066e588d3b4db
Adds support to separate Swift access and replication traffic from other storage traffic.
In a deployment where both Ceph and Swift have been deployed,
this change adds functionality to support optional separation
of storage network traffic. This adds two new network interfaces
'swift_storage_interface' and 'swift_replication_interface' which maintain
backwards compatibility.
The Swift access network interface is configured via 'swift_storage_interface',
which defaults to 'storage_interface'. The Swift replication network
interface is configured via 'swift_replication_interface', which
defaults to 'swift_storage_interface'.
If a separate replication network is used, Kolla Ansible now deploys separate
replication servers for the accounts, containers and objects, that listen on
this network. In this case, these services handle only replication traffic, and
the original account-, container- and object- servers only handle storage
user requests.
Change-Id: Ib39e081574e030126f2d08f51de89641ddb0d42e
This allows swift service endpoints to use custom hostnames, and adds the
following variables:
* swift_internal_fqdn
* swift_external_fqdn
These default to the old values of kolla_internal_fqdn or
kolla_external_fqdn.
This also adds a swift_proxy_server_listen_port option, which defaults to
swift_proxy_server_port for backward compatibility.
This option allows the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.
While we're in here, use the ``internal_protocol`` variable for the swift
endpoint in cinder's swift backup driver configuration, instead of hardcoding
to ``http``.
Change-Id: Ibc01618383c26e16c0067f7f6b9cf5160d968d1e
Implements: blueprint service-hostnames
We're duplicating code to build the keystone URLs in nearly every
config, where we've already done it in group_vars. Replace the
redundancy with a variable that does the same thing.
Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a
In rsync prior to v3.1.0, the uid/gid parameters have no effect at
all if it runs as a normal (non-root) user.
Since v3.1.0 these parameters are problematic for a normal user
because now rsync, regardless of root or non-root, if the
parameters are given, just tries to call setgroups(), which
is not possible for a normal user, so errors may occur.
swift-object-replicator: @ERROR: setgroups failed\u0000
swift-object-replicator: rsync error: error starting
client-server protocol (code 5) at main.c(1648)
[sender=3.1.2]\u0000
Either way, these parameters are not needed for swift-rsync
container.
Change-Id: Ia7fe9f06d7a21a55f52b90c2cc1b2498300e6532
Signed-off-by: Minho Ban <mhban@samsung.com>
The authtoken config variable delay_auth_decision must be set to True.
The default is False, but that breaks public access, StaticWeb, FormPost,
TempURL, and authenticated capabilities requests (using Discoverability).
Change-Id: I420a95f5f9fda3321a4acfc5846e40294a8bd588
Closes-Bug: #1768795
The log_level in Swift is fixed to INFO. The patch makes it changeable
according to the value of "openstack_logging_debug".
When "openstack_logging_debug" is "False", the log_level is set to
"INFO". It is the default value. Otherwise, the log_level is set to
"DEBUG".
Closes-Bug: #1777982
Change-Id: I62f430abd8f332cc2ece56a6733776fa03b10f77
Signed-off-by: tone.zhang <tone.zhang@arm.com>
Swift configuration needs container and account quotas to
pass 'OpenStack Powered' certification test suite
Co-Authored-By: Alexander Reunov <alexander.reunov@oracle.com>
Change-Id: I7a31315754cbb46257d3d98379daa39d32205480
Closes-Bug: #1757451
This is required for some tempest tests and in turn to achieve 100%
refstack certification for clouds deployed by Kolla. tempurl is default in
Swift[0] but we're missing it as we override the pipeline.
[0] https://github.com/openstack/swift/blob/\
b86bf15a644db4438770801a312fe074a09c91ef/\
etc/proxy-server.conf-sample#L97
Change-Id: I0e36fcd7a785f878005d51159eb51725c284229c
There are corresponding image changes to go with these ansible
changes - changes in rsyncd template, and add
environment settings for RSYNC_CONNECT_PROG (i.e. nc)
nc allows for rsync replication to easily target {{ swift_rsync_port }}
update the lock file and chroot settings in template - see bug
for more details.
Change-Id: Ic81b7de8fad8aec9416e4e27e8ffda6d03be293c
Closes-Bug: #1733851
This commit separates the messaging rpc and notify transports in order
to support separate and different oslo.messaging backends
This patch:
* add rpc and notify variables
* update service role conf templates
* add example to globals.yaml
* add release note
Implements: blueprint hybrid-messaging
Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185
Object versioning is necessary to pass DefCore test suite,
i.e. allows Kolla version of OpenStack to be certified
as "OpenStack Powered Platform".
Change-Id: Id5003f7fe2aebdeffe1cf7ce1b6177a6bca8f5b6
Co-Authored-By: Alexander Reunov <alexander.reunov@oracle.com>
Closes-Bug: #1729583
This change adds enable_fluentd option and enables some other log shippers
to be integrated. When enable_fluentd is "no", syslog server is also disabled.
Then, this change also adds syslog parameters to use a syslog server
prepared by users.
Change-Id: I7c83ef7fe30a6b9ab7385bcee953ad07e96b0a83
Implements: blueprint fluentd-enable-option
ResellerAdmin role should be created always when Swift is enabled
and not only for Ceilometer. The role is needed for normal users
to get administration rights for their Swift projects and is
required to pass DefCore (OpenStack Powered) certification.
Change-Id: I4faa63b8fae1814e382de2794301248cc0f4a90a
Closes-Bug: #1700729
If swift and ceilometer are enabled,
the swift_proxy_server container fails to start with the error:
ValueError: invalid literal for int() with base 10: '5672driver = messagingv2'
Change-Id: Iff9135bfeece158de1c7159a51286cfe4da25ac4
Closes-Bug: #1691633
Currently it doesn't work in swift servers such as proxy-server,
object-server, account-server and container-server, in spite of
setting openstack_service_workers config in globals.yml.
This is because workers are not implemented for swift.
Closes-Bug: #1662751
Change-Id: Iae9a12952cd3fe285eed3d8fca2e667a68de15c7
Signed-off-by: jangseon ryu <jangseon.ryu@navercorp.com>
Default user group should be set much earlier in deployment
and should be used consistently across all projects.
Change-Id: Id399f9ddebc903bb9c3eeb5a0ff6f33ca6d6828c
Closes-Bug: #1650501
The account, container, and object templates were incorrectly
using the api_interface as their bind_ip configuration setting.
Updated these templates to instead use the storage_interface.
Change-Id: I683102096cd6aa3c77a7900f5a1a248cdcddba42
Note: Rings must be generated accordingly.
The swift-object-auditor logs many complaints of missing
object-replicator configuration, as this section is undefined.
Move the header outside of the == 'swift-object-replicator' check,
so other services will get an empty section to stop complaints.
TrivialFix
Closes-Bug: #1637561
Change-Id: I9c8d960b0c31e448afdeaac5f3d38e1be5ff965d
This PS configures swift-rsyncd process to use non-default port
from the range above 1024.
Change-Id: I7c37c548a5185a2ffac789383fe012619e401131
Closes-Bug: #1573137
The in-process cache for keystone tokens has been deprecated due to
"inconsistent results and high memory usage" with the expectation we
switch to memcached_servers if we want to stay performant.
Add memcache_servers [cache] section to the appropriate servers as the
[DEFAULT]\memcache_servers option was deprecated.
TrivialFix
Related-Id: Ied2b88c8cefe5655a88d0c2f334de04e588fa75a
Change-Id: Ic971bdddc0be3338b15924f7cc0f97d4a3ad2440
Due to poor planning on our variable names we have a situation where
we have "internal_address" which must be a VIP, but "external_address"
which should be a DNS name. Now with two vips "external_vip_address"
is a new variable.
This corrects that issue by deprecating kolla_internal_address and
replacing it with 4 nicely named variables.
kolla_internal_vip_address
kolla_internal_fqdn
kolla_external_vip_address
kolla_external_fqdn
The default behaviour will remain the same, and the way the variable
inheritance is set up the kolla_internal_address variable can still be
set in globals.yml and propagate out to these 4 new variables like it
normally would, but all reference to kolla_internal_address has been
completely removed.
Change-Id: I4556dcdbf4d91a8d2751981ef9c64bad44a719e5
Partially-Implements: blueprint ssl-kolla
Swift uses Syslog, but it uses a custom log format. So this commit
adds a specific Heka decoder for Swift.
It also increases the log level from "warning" to "info" to make
Swift more verbose. Note that "info" is the default log level in
Swift.
And it disables the Heka configuration for Swift when "enable_swift"
is set to "no". This prevents Heka from creating 15 empty Swift log
files in the logs volume.
Partially implements: blueprint heka
Change-Id: If7a7d0707e71be2957178e2d45b5de51b788232e
To allow for TLS to protect the service endpoints, the protocol
in the URLs for the endpoints will be either http or https.
This patch removes the hardcoded values of http and replaces them
with variables that can be adjusted accordingly in future patches.
Change-Id: Ibca6f8aac09c65115d1ac9957410e7f81ac7671e
Partially-implements: blueprint ssl-kolla
Convert config creation from a playbook to an action_plugin. This
reduces the complexity and confusion while retaining the same augment
structure and flexibility.
This allows us to remove the 0-byte files as requirements. They will
still be used if they are present (this means we require additional
documentation around them).
DocImpact
Closes-Bug: #1528430
Change-Id: I2c789f6be9f195c7771ca093a6d59499564b4740
In a heterogeneous environment, api_interfaces differ from each other.
So we should specify it from hostvars.
Implements: bp configure-network-interface
Change-Id: Id15d70bfb9ebb62a64a3847a6b77407efb171dbe
Use virtualenv for installation of OpenStack projects and
dependencies to avoid conflicts with Python libraries installed
by non-OpenStack binary packages.
Change-Id: I21ecd673b2e93335b1d3dd4e279e940c9d694c3c
Implements: blueprint virtualenv
For Swift, the *.json.j2 templates are looking under
{{ container_config_directory }} whereas they need to be looking in the
common location for swift which is /var/lib/kolla/swift
Change-Id: I6f0dcbc9a705b36d1d98275ba9ebc56404fe882d
backport: liberty
Closes-Bug: #1504210
This brings Kolla images in line with FHS and should make finding
locations of things more consistent and reliable with the Linux world
at large.
Change-Id: Iece5b4da4bace0fb8b1f41a65ab2c852ec73e6f8
Closes-Bug: #1485742