It looks like the only missing part was the actual mount of
/lib/modules
Now Cinder Backup volumes differ from Cinder Volume volumes only
by /etc/target which is not relevant (Cinder Backup does not
provide a target).
Change-Id: Iccf4298c4f9306eb0a95b6712815778555ef44fc
Closes-bug: #1863094
By default api_interface is set to public, masakari-monitor
on compute nodes should communicate via the internal API to
reach masakari-api.
Change-Id: I454f44e57d7b17d93d4aefc4cbbed93aefe874b1
Closes-Bug: #1858431
Kolla-Ansible Ceph deployment mechanism has been deprecated in Train [1].
This change removes the Ansible code and associated CI jobs.
[1]: https://review.opendev.org/669214
Change-Id: Ie2167f02ad2f525d3b0f553e2c047516acf55bc2
There are cases when a multinode deployment ends up in unusable
keystone public wsgi on some nodes.
The root cause is that keystone public wsgi doesn't find fernet
keys on startup - and then persists on sending 500 errors to any
requests - due to a race condition between
fernet_setup/fernet-push.sh and keystone startup.
Depends-On: https://review.opendev.org/703742/
Change-Id: I63709c2e3f6a893db82a05640da78f492bf8440f
Closes-Bug: #1846789
ceph.conf is loaded by qemu, not libvirt.
Since qemu runs as the nova user, ceph.conf owned by root
causes a permission error. The logs in
/var/log/libvirt/qemu/instance-*.log reveal the error.
This change fixes the issue by changing the ownership of ceph.conf
in nova-libvirt to the nova user.
Closes-Bug: #1861513
Change-Id: I1881f51a6c8508f0f186a5623443343dc1df41d4
Signed-off-by: Ning Yao <yaoning@unitedstack.com>
To make the configuration easier for the user, and to allow non-standard
ceph authentication ids - introduce ceph_*_user variables.
Change-Id: I24e01c43c826b62b6748d93a498f4b7d8ce9e309
Placement only needs its listen port to be free. During the Placement
split from Nova in commit 2fc6d4cfc5 the wrong variable got moved into
precheck for Placement, this fixes it.
Change-Id: I71e3607c50110763259bfcd70ffb2f4c76e27f62
Closes-Bug: #1861189
Generate both internal and external self signed TLS certificates.
Duplicate the certificate if internal and external VIPs are the same.
Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74
Partially-Implements: blueprint custom-cacerts
Delegate executing uri REST methods to the current module containers
using kolla_toolbox. This will allow self signed certificate that are
already copied into the container to be automatically validated. This
circumvents requiring Kolla Ansible to explicitly disable certificate
validation in the ansible uri module.
Partially-Implements: blueprint custom-cacerts
Change-Id: I2625db7b8000af980e4745734c834c5d9292290b
When kolla_copy_ca_into_containers is set to "yes", the Certificate
Authority in /etc/kolla/certificates will be copied into service
containers to enable trust for that CA. This is especially useful when
the CA is self signed, and would not be trusted by default.
Partially-Implements: blueprint custom-cacerts
Change-Id: I4368f8994147580460ebe7533850cf63a419d0b4
This change introduces prune-images command.
Uses docker_prune module of Ansible that comes with version 2.8.
Depends-On: https://review.opendev.org/#/c/699333/
Implements: blueprint docker-image-pruning
Change-Id: Icbf374dd50e1cc1f1604bb4fa779b34279efd50c
Introduce user modifiable variables instead of fixed-names
of Ceph keyring files for external Ceph functionality.
Change-Id: I1a33b3f9d6eca5babf53b91187461e43aef865ce
These affected both deploy (and reconfigure) and upgrade
resulting in WSREP issues, failed deploys or need to
recover the cluster.
This patch makes sure k-a does not abruptly terminate
nodes to break cluster.
This is achieved by cleaner separation between stages
(bootstrap, restart current, deploy new) and 3 phases
for restarts (to keep the quorum).
Upgrade actions, which operate on a healthy cluster,
went to its section.
Service restart was refactored.
We no longer rely on the master/slave distinction as
all nodes are masters in Galera.
Closes-bug: #1857908
Closes-bug: #1859145
Change-Id: I83600c69141714fc412df0976f49019a857655f5
To use an iSCSI Cinder backend as its store, glance_api must run
privileged and have /dev and /etc/iscsi properly mounted
Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: I988d3c9d0564483440ae17203ad88a8049abbea4
Closes-Bug: #1855695
Since [1] nova-compute uses rbd python library instead of libvirt to cleanup
volumes and get pool info - so it requires cinder keyring on filesystem.
In external ceph case it is often that nova key does not exist (is simply a copied
cinder key) and the rbd user is set to cinder - therefore the earlier mentioned
operations will fail due to a missing keyring on the filesystem.
[1]: https://review.opendev.org/#/c/668564/
Change-Id: Idef21dc5f7e9ff512bc8920630a3de61a1e69eee
Backport: train
Closes-Bug: #1859408
Include a reference to the globally configured Certificate Authority to
all services. Services use the CA to verify HTTPs connections.
Change-Id: I38da931cdd7ff46cce1994763b5c713652b096cc
Partially-Implements: blueprint support-trusted-ca-certificate-file
This patch mounts the kolla_logs volume into the Elasticsearch
container so that logs are no longer written to the container
filesystem. It is up to the user to migrate any existing logs
into the kolla_logs volume, if they so desire.
Closes-Bug: #1859162
Change-Id: Ia1743e202e310fc88a61476c80eadf3855256c20
For the CentOS 7 to 8 transition, we will have a period where both
CentOS 7 and 8 images are available. We differentiate these images via a
tag - the CentOS 8 images will have a tag of train-centos8 (or
master-centos8 temporarily).
To achieve this, and maintain backwards compatibility for the
openstack_release variable, we introduce a new 'openstack_tag' variable.
This variable is based on openstack_release, but has a suffix of
'openstack_tag_suffix', which is empty except on CentOS 8 where it has a
value of '-centos8'.
Change-Id: I12ce4661afb3c255136cdc1aabe7cbd25560d625
Partially-Implements: blueprint centos-rhel-8
Maximum supported version is set to 2.9
Updated the minimum supported version to 2.8
Implements: blueprint ansible-max-version
Change-Id: I97cc95e37f49886e6d74f2d5a789b923b14b5a2d
In CentOS/RHEL 8 there is no scsi-target-utils package, nor is it
available in EPEL. It is removed from kolla in [1]. In RHEL 7 and beyond
the LIO kernel subsystem can be used instead of the tgtd daemon.
This change removes support for the SCSI target daemon on CentOS/RHEL 8.
The 'tgtd' image is no longer available for CentOS/RHEL 8.
[1] https://review.openstack.org/#/c/613815/5
Change-Id: I718fc16cde2dd177b2a1c2f79b932426034897fe
Related: blueprint centos-rhel-8
It advertises C7 as an IPv6-compatible platform.
This is possible thanks to fixes in [1] and [2].
[1] https://review.opendev.org/699458
aka 7054b27dbb8bc893c50f66b492b7e14e5bc92237
[2] https://review.opendev.org/699172
aka 908bffcfc2950e271fee1af24fb174fa6bee4aff
Change-Id: Ia353a1663a16f48ac83e5ee9a2cf1d6e183ac3a3
Closes-bug: #1848444
Closes-bug: #1848452
Related-bug: #1856532
Related-bug: #1856725
This change applys the HAProxy tag to the entire play, ensuring HAProxy
configuration is generated for all services when the HAProxy tag is
specified.
Change-Id: I67f57c831a713142d38c6e7b70f814a9ee8e5aae
Closes-Bug: #1855094
Currently External Ceph Cinder config requires the user to create cinder
service custom configuration.
This change alters the if/else statements to template out cinder backends
configuration when cinder_backend_ceph is True.
Change-Id: I143c3b44d2839e56d1dbf28484c0eaae0a753dc9
