While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.
Change-Id: I6967d3832396f375580039c73510ea4f02002b3b
We need to define _glance_available_stores outside glance role to
use it in haproxy service definition.
It's a good idea to make `_glance_available_stores` public by moving it
out of role variables to role defaults beforehand.
Change-Id: Ieb10a0e5c9faf72c6bea4c45f7e216469971a1f3
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Ib7fd1a80affe0fa8c6b030fdbfdd60693f104cd6
Related-Bug: #1948456
Currently we have a bunch of limitations related to the format
of ``glance_nfs_client``. While systemd_mount role is flexible enough
to allow mount cephfs or s3fs, variable format has weird assumptions
that we want to change for better flexibility.
Since keys of variable are changing, new name for it was picked to
reflect purpose of the variable better.
Change-Id: Ic0d91a3a873b4253255beac79becf01b4a304695
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I4fd6de7ca38d561306e8c868c063b68edeafc68a
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.
Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: I71ebc2fc4e386f3a1599fe73d49fae185ec9d2ff
Remove deprecated config options that no longer have effect.
We also set cinder_catalog_info to valid default.
Change-Id: Ic24f9a912fc0e7ef73e4e8de4a8440fbf5ddac17
In glance caching doc is stated[1], that some of the variables
should be defined in both glance-api and glance-cache config and should
be exactly the same, otherwise issues might arise.
We also introduce glance_image_cache_stall_time variable to control
cache time reliable across config files
[1] https://docs.openstack.org/glance/train/admin/cache.html#configuration-options-for-the-image-cache
Change-Id: Ic229e71978961546cec5f58a9c963c71e05ffba4
Glance-registry service has been removed in V cycle with [1]
We do all necessary cleanup to fully remove service deployment.
[1] https://review.opendev.org/738671/
Change-Id: I0b2e2e39040fd0daef04724f94a39f2d11e4d105
While running as uwsgi glance has malfunctioning interoperable image
import feature. So we add new variable `glance_use_uwsgi` based on which
glance will be either started via uwsgi or as a regular service.
Also once glance_use_uwsgi is true, enable_image_import will be disabled
Change-Id: Icf572c656c24b646110ce3fd90727205c22eff15
Some variables were deprecated in rocky and marked for removal in Ussuri
We do replace them not to have things broken afterwards.
Change-Id: I75d2e3631b0dfebb72efd946fd61252bb9b766b0
Related-Bug: #1846052
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.
We also add pymemcache based on [1]
[1] https://review.opendev.org/711429
Change-Id: I19b74c3bc5119953256d3d8f2a98cb5f23787755
Update the ownership of the directory about NFS mount point(s).
This patch could also stand as an improvement for future use.
Making the filesystem directory configurable, we are able to store
the image in the different directory (or in a new path) under
glance_system_user_home repo, which is able to be configured
dynamically, for instance, via deployment of a scenario.
Change-Id: I7403ac9bd85ea3ed149e13cb57c51039602f6ba1
Signed-off-by: Panagiotis Karalis <pkaralis@intracom-telecom.com>
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.
Depends-On: https://review.opendev.org/678025/
Change-Id: I6f129940e55130c289d94138171cee54dbd28fc1
There are a number of missing dependencies in the role when using cinder
store with glance. Specifically rootwrap is required for elevating access
when using os-brick to connect to cinder iscsi/fc volume back end storage.
This patch addresses the following:
- oslo.rootwrap is not included in glance_pip_packages
- files/rootwrap.d/glance_cinder_store.filters is missing
- glance user is not added to sudoers
glance_pip_packages updated, missing rootwrap.d and sudoer files now dropped into
their required locations by glance_post_install.yml task
Change-Id: I55162bc2bf3cbb8858950e4abcf60a3de9929008
Closes-Bug: #1833725
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.
Change-Id: I12c5a117d9ca508f24a36a477d2d71c36e6c8c96
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. This requires additionally installing and using the uwsgi
python3 plugin.
Install the 'python3-glance' package instead of 'glance-api'. glance-api
provides a service config file that conflicts with the one OSA provides.
Change-Id: I24e7a05372b6b1831529c620d3346889d5505f09
The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. While the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.
* Source installs have the configuration files within the venv at
"<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
default configuration path to this directory. When the service is
upgraded the link will move to the new venv path.
* Distro installs package all of the required configuration files.
To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.
Change-Id: I3e7283bf778a9d686f3ae500b289c1fb43b42b92
Signed-off-by: cloudnull <kevin@cloudnull.com>
The notification driver setup was resulting in the driver and connection string
on the same line. This is caused by the case statement and how jinja formats
the template when a case statement is present. This change modifies how the
driver string is created using a ternary, which will eliminate the case
statement and render the value of the driver correctly.
Change-Id: If361de5d4112a9e7235972dc7bc5e857c68fef06
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This patch removes the conditional inclusion of the notification
section of the service configuration. This ensures that oslo.messaging
notifications use the correct transport for deployments that have
separate rpc and notify messaging backends.
This patch conditionally selects the notifier driver for when
ceilometer is enabled.
Change-Id: Ie73bf32a62d0e959e4905de31517b20b83b5c583
The patch introduces a variable `glance_cors_allowed_origin` which
allows a user to configure a specific origin that can do cross
domain requests.
Change-Id: I45f30d2ea7070e62d5d14ad87c872e98af1d7890
The systemd unit files are being converted to use common roles to reduce
code sprawl throughout the playbooks. This change allows us to use a
common systemd_mount role as an include which will give us a consistent
experience when deploying services and setting up their resources on
OS's that use systemd.
Closes-Bug: #1774037
Change-Id: I11d083788cd388dab0695878193ab18af1b5038b
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
When the RPC and Notify service are the same, the credentials
must match - otherwise the tasks to create the user/password
will overwrite with each other.
If the two clusters are different, then the matching credentials
and vhost will not be a problem. However, if the deployer really
wishes to make sure they're different, then the vars can be
overridden.
Also, to ensure that the SSL value is consistently set in the
conf file, we apply the bool filter. We also use the 'notify'
SSL setting as the messaging system for Notifications is more
likely to remain rabbitmq in our default deployment with qrouterd
becoming the default for RPC messaging.
Change-Id: If95706a85c68767936e7e9d3618e95f5658f5200
The driver option is necessary as the transport_url query param
override requires a value. Default will be to use the rpc setting.
Change-Id: Ifc3414a7de6343ae4e7784ed9f7822c18211bb6c
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters
replace the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be
transparent to the glance service.
This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Update transport_url generation
* Add oslo.messaging to inventory
* Add release note
Depends-On: If4326a6848d2d32af284fdbb94798eb0b03734d5
Change-Id: Ib647d87df040c77ee3906b1bf58764ca5f3d765d
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.
Change-Id: I026a440b6a0fda43b613e30f359b2a23c3c1151f
Depends-On: I5a78e2120e596d36629b4ba978b2b5df76b149b0
Implements: blueprint openstack-distribution-packages
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1] https://review.openstack.org/#/c/508522/
Change-Id: I5f439e371853921394698bf385b7f1fa012d476e
Implements: blueprint deprecate-auth-uri-option
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed. The exterior role is built to be OSA compatible and may be pulled
into tree should we deem it necessary.
Change-Id: Ie558875fcfbcd92c38d55e2d24087fce90889eaf
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The health check requests from haproxy cause uwsgi to write a
lot of useless log lines. This can make it more difficult to find
a problem with a particular service.
This patch adds a route to look for the `osa-haproxy-healthcheck`
user agent string, which haproxy uses when performing health checks.
Any requests with that user agent are not logged.
Closes-Bug: 1742718
Change-Id: Id06e939f25299d48f4054eec927505ed2ecdb554
A recent change in glance removed the glance-scrubber utility's
dependency on the glance registry client. The scrubber now connects
directly to the database and these options are no longer needed.
Change-Id: I7389b7e090882eed93a56a6d8bdb297a7a3f9442
Related-Change: https://review.openstack.org/#/c/510449/
When 'glance_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.
A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.
Partial-Bug: 1667789
Change-Id: I18e9d47e88e61ff287e5120dead49b02cdf1f8ac
Depends-On: I95cc994df5118fce7ce588fc0bff979bc283a6f3
Systemd has the ability to manage mounts and ensure functionality
/ resource management. Using a systemd mount has the benefit of not
requiring writes to the legacy fstab file which can impact OS
functionality especially when deploying on baremetal. This change
moves the glance NFS mount to a systemd unit file allowing systemd
to manage it independently with no potentially breaking impact to
the underlying operating system.
Changes:
- This PR corrects a long standing issue when using Glance+NFS where
initial deployment would work but if the playbooks were run again
it would fail due to the glance images location being an NFS mount
point with a potentially different UID/GID. To correct this we stat
the directory and if it does NOT exist it is created.
- Following the nova pattern options have been provided to set the UID
and GID of the glance user.
- To ensure our NFS backend solution works with the installation of
glance a test has been added to deploy glance using an NFS backend.
- An upgrade task has been added to this commit to clean up legacy
mounts. This task should be removed in R.
Change-Id: I716c9fe35391629532e67e212d45ea27a5422d1b
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The systemd-init template was not looking at the program_override
variable within each service's dictionary.
This also fixes glance-api so that it's running under uWSGI when the v1
API is disabled. Creating images from a remote URL is exclusive to the
v1 API and does not work when glance-api is run under uWSGI.
The libxml2-dev package is required by uWSGI and has been added to the
distro package list.
Additional options have been added to the uWSGI configuration to better
support requests containing chunked data (image uploads).
Change-Id: I14f3162a4666d770beec9746469021466fa4d449
If a deployer sets the boolean vars to 'yes', 'no' or
other equivalent booleans valid for ansible, the glance
services will currently use those in the .conf files
and it will break.
This patch ensures that we cast the output into the
.conf files properly so that regardless of the input,
the output is correct.
The tests are adjusted to deliberately use one of the
Ansible boolean values instead of a python boolean to
validate that this works.
Change-Id: I267b97da618bbda05140d2a0332798fc77db06a5
The glance v1 API is deprecated and intended to be removed
from the glance code within the Queens or Rocky cycles.
When using the glance v2 API the glance-registry service is
optional, and the intention is to remove the glance-registry
service in the S cycle. The glance-registry service is required
when using the v1 API though.
Furthermore, when using the glance-registry service it is not
possible to execute a rolling upgrade without losing API
transactions.
Given the above information, this patch enables the deployment
of glance with only the v2 API enabled, and without the
glance-registry service. It adds a per-commit test to validate
that this configuration works.
This patch also corrects a previous misconfiguration which
enabled the v2 registry service, but did not set the data_api
correctly for the API service to inform it that the registry
was operating.
The glance_enable_v1_registry variable is also removed as it
is meaningless. The v1 API *requires* the registry to be
enabled, so we just enable it if glance_enable_v1_api is
enabled.
Change-Id: Ie95daed286798d139f0a35ffdd2a4dd1cdda6ff9
Glare was separated into its own project some time ago and this file
doesn't appear to have ever been deployed by the role anyway.
Change-Id: I6eaa0fef8f3877c0b4093b2a8d7adb5cbcdff583
As part of the Pike goals we are moving api services to run as WSGI
apps. glance-api service is set up as a wsgi app, and this patch moves
it over.
Since this is just a drop in replacement for the existing eventlet
service operators and deployers should notice no difference.
Implements: blueprint goal-deploy-api-in-wsgi
Change-Id: Ie5fbf437031be01682534c466b3737d090a81c57
Currently when multiple services share a host, the
restart order is random. This is due to an unordered
dict being used to facilitate the mapping of services
to their groups, names and other options.
This patch implements changes to the role to ensure
that services on the same host are restarted in the
correct order when the software/config changes.
Change-Id: I52fc66f861ce98cc8299c84edcfd5f18d74306b3