This new role is now providing the ability for a user to pin apt
packages as they see fit. The idea is to allow someone to implement
pinning in a generic way that can be represented as a global variable
or as a hostvar. The new role has been added to all install roles as
a dependency which will allow it to ensure that packages are pinned
everywhere as would be expected.
Change-Id: I354e8515570fa7174366ba57d57aece3c304568e
This patch is version 1 (not tested) of adding erasure code support
to swift. It adds the following:
- Add policy_type, ec_type, ec_num_data_fragments,
ec_num_parity_fragments and ec_object_segment_size to the
policy definition.
- Update the ring.contents.j2 to set replica count for the ring
to ec_num_parity_fragments + ec_object_segment_size, if using
the erasure code policy_type.
- Adds extra EC options to swift.conf for EC policies.
I may have missed something and again this hasn't been tested yet.
NOTE: EC in Swift is strictly _BETA_ and shouldn't be run in
production, however, we do need to test it!
Change-Id: If2069a95e6ea92e34fb329cb6e0027188f15f0bb
The default values should use the local swift installation, since these
are only used when the glance backend is set to "swift" it won't matter
if there is no local swift when the backend is set to "file".
Adjust AIO script to use the defaults.
Move the configuration values from user_secrets.yml into
user_variables.yml since these are not passwords that should be set.
Additionally comment them out by default.
Change-Id: I579500a0287bc29f27fdbdb4f810212a2e194dea
Closes-Bug: #1450117
The repo_hosts group should be "repo-infra_hosts" this is correct in
the aio sample file, and this patch fixes it in the example
openstack_user_config.yml to avoid confusion.
Change-Id: Ib6eb17bb5f7ba33173bd0b32728b1127caf138f6
Closes-Bug: #1449053
The AIO example files have been renamed such that they are no longer
creating an issue where the deployer "could" cause problems in
deployment when the AIO configuration files are being used by
default. The issue is ever present when the deployer does a blind
copy of the etc/openstack_deploy directory into /etc/.
This change is to enhance the Kilo gating / deployment process.
Partially implements: blueprint master-kilofication
Change-Id: I0c76ae9012aeafcc8a39a03c0e11b68b2ee5ca9c
The md5sum check doesn't currently solve any issues we have, and with
the addition of a custom "env.d" directory this will only cause
frustration as the md5sum changes.
The initial idea was to prompt a user to update their
user_config/user_variables/environment files between updates in the
os-a-d repository but the md5sum check never really solved this problem,
since both the files being checked won't have changed if you update the
repo and don't copy the new versions over.
Change-Id: Id1e7d307aa5dbffe069d6d4fa4569dd13ad4e8c1
Partial-Bug: #1399430
Like etc/openstack_deploy/conf.d/ we need a way to add additional
containers to the infrastructure without modifying the provided
openstack_environment.yml file. This patch looks for an env.d
directory and merges their configurations into the inventory. An
example extra_container configuration file is also provided.
Closes-bug: 1440117
Change-Id: Ibc83770e69efb67996a012c96766b4a88774986e
The image_cache_size for glance defaults to 10G whilst our default
fs_size for glance is still 5G. Moving this up to 12G resolves this
issue.
Change-Id: I56ddcce0535fdc0aa9e47ec898a6568a3e118804
Closes-Bug: #1442115
In I4456bc1a0056da051947977a26dd6d57c549e421 we hardened Keystone's
Apache SSL settings. In order to keep all Apache SSL settings uniformly
configured, we also need to update Horizon's settings and centralize
where we define the cipher suite that the server supports and the
preferred protocol versions.
We also explicitly disable SSLCompression even though we tend to only
test against versions of Apache that have this off by default. If
someone uses a version after 2.2.24 or uses 2.4.3, they would otherwise
have to explicitly turn this off. Preferring security by default, we
disable it explicitly to prevent insecure installations anywhere.
We also document how users can override specific service SSL settings in
the event one service needs to support older clients that require
certain protocols or ciphers. For example, it's very plausible that an
organization may need to enable RC4 and SSLv3 for Horizon since their
users are still using XP and an old version of Internet Explorer.
Related-Bug: 1437481
Change-Id: I85843452935710083253847d6e11f85e9d6d2e84
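
An added example, not code from this commit or from the os-ansible-deployment repository: a small audit of the three mod_ssl settings the message above names (SSLProtocol, SSLCipherSuite, SSLCompression), so a per-service override that re-enables SSLv3 or RC4 shows up in review. The two vhost fragments are constructed, and the treatment of `all` and of a missing SSLProtocol line is an assumption stated in the code.

```python
import re

# Assumption: audit against a build where "all" still includes SSLv3, and
# treat a missing SSLProtocol line as "all" (the conservative reading).
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
WEAK_PROTOCOLS = {"sslv2", "sslv3"}


def parse_directives(conf_text):
    """Map each SSL* directive (lower-cased) to its argument; last one wins."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out lines start with '#' and never match
            found[m.group(1).lower()] = m.group(2).strip('"')
    return found


def enabled_protocols(arg):
    """mod_ssl semantics: +X adds, -X removes, a bare X replaces the set."""
    enabled = set()
    for token in arg.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        group = ALL_PROTOCOLS if name == "all" else {name}
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            enabled = set(group)
    return enabled


def audit_vhost(conf_text):
    """Return findings for one vhost; an empty list means nothing was flagged."""
    d = parse_directives(conf_text)
    findings = []
    if d.get("sslcompression", "").lower() != "off":
        findings.append("SSLCompression is not explicitly Off")
    weak = enabled_protocols(d.get("sslprotocol", "all")) & WEAK_PROTOCOLS
    for proto in sorted(weak):
        findings.append("SSLProtocol enables " + proto)
    # Text-level check only: aliases such as MEDIUM are not expanded here.
    for token in re.split(r"[:, ]+", d.get("sslciphersuite", "")):
        if token and token[0] not in "!-+" and "RC4" in token.upper():
            findings.append("SSLCipherSuite enables RC4 via " + token)
    return findings


# Constructed fragments: a hardened default and a legacy-client override.
HARDENED = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:!aNULL:!MD5:!RC4
SSLCompression Off
"""
LEGACY_OVERRIDE = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:RC4-SHA:!aNULL
"""

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("legacy", LEGACY_OVERRIDE)):
        print(label, audit_vhost(conf))
```
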
* API Versions 1.1 and 3 have been deprecated from nova, plays
have been modified to completely remove v1.1 and make v3
optional via nova_v3_deprecated_but_enabled boolean.
* Addition of v2.1 api configuration.
* Elimination of the unused nova_api_ec2 container.
* nova_spice_console has been renamed to nova_console and
nova_spice_console_container has been renamed to
nova_console_container to facilitate different consoles in
the future.
* Spice has been made the default console.
* A standalone task and init scripts for nova_spice.
- Fixed some typos
- Modified HAProxy role to remove nova_api_ec2 and rename
nova_spice_console to nova_console
- Updated user_secrets.yml
- Unbroke things that I broke
Partially Implements Blueprint: master-kilofication
Change-Id: Ia87dfb1e8c0316103a30e2121f11996a9ca87c25
To support a future release target deploying OpenStack Kilo release this
change applies the changes required to provide an updated role for
new deploys of Glance configured to run with the Kilo release.
Highlights:
- added template for glance-manage.conf
- changed api and registry paste.ini files to be templated
- added osprofiler filter to pipelines in api and registry paste files
New user secrets:
- glance_profiler_hmac_key added for osprofiler use
New Tunables:
- glance_profiler_enabled for osprofiler use, default 'False'
- glance_http_keepalive for api and registry services, default 'True'
- glance_digest_algorithm for digital signatures, default 'SHA1'
- glance_task_executor for task execution, default 'taskflow'
- glance_policy_dirs & glance_policy_file for alternate policy config
sources, default 'policy.d' and 'policy.json' respectively
- glance_policy_default_rule for policy enforcement, default 'default'
Change-Id: I611a0ce3145861233c81c81084b1648b2b4b4423
Partially implements: blueprint master-kilofication
The project is moving to support kilo in master. This requires that the
cinder galaxy role be updated to support installing the kilo release of
cinder.
This commit makes changes not added by the minimum viable kilo install
patch - https://review.openstack.org/#/c/166986/
Changes:
cinder.conf
- [DEFAULT] backup_metadata_version is now configurable because the
version has changed. The default is 2, in juno it was 1.
- [DEFAULT] client_socket_timeout is now configurable because the value
has changed. The default is 900, in juno it was 0.
- [profiler] profiler_enabled is now configurable but disabled by
default. Although this feature is part of juno the api-paste.ini file
was not updated in os-a-d juno to make use of it.
- [profiler] trace_sqlalchemy is now configurable but disabled by
default.
- [DEFAULT] rabbit_port -> [oslo_messaging_rabbit] rabbit_port
- [DEFAULT] rabbit_userid -> [oslo_messaging_rabbit] rabbit_userid
- [DEFAULT] rabbit_password -> [oslo_messaging_rabbit] rabbit_password
- [DEFAULT] rabbit_hosts -> [oslo_messaging_rabbit] rabbit_hosts
- [DEFAULT] lock_path -> [oslo_concurrency] lock_path
- [DEFAULT] enable_v1_api is now configurable. The default is true.
This has been added because the v1 API is deprecated and will be
removed in liberty.
- [DEFAULT] enable_v2_api is now configurable. The default is true.
policy.json
- Update policy.json from icehouse default to kilo default version. This
adds/modifies a number of rules and also updates the format of the file
to the current version.
api-paste.ini
- Add the osprofiler filter. This file is now deployed using a template
so that the hmac_keys configuration option can be set using the var
cinder_profiler_hmac_key.
- replace deprecated middleware with oslo_middleware versions.
rootwrap.conf
Updates the file to match kilo default.
volume.filters
Updates the file to match the kilo default.
The volume_driver var has been updated to use the new LVM driver class.
The signing_dir, /var/cache/cinder, permissions changed from 0755 to
0700 to fix a warning from keystonemiddleware.
Implements: blueprint master-kilofication
Change-Id: I91f2385969568b18635bc534a98138d3dd5c5af2
This commit does the following:
- refreshes files/environment.d/default.yaml and
files/templates/AWS_CloudWatch_Alarm.yaml from kilo
- adds heat_max_nested_stack_depth and heat_trusts_delegated_roles
variables (the default values of the config options these variables
represent changed between juno and kilo and we now default to the
kilo values while giving operators the ability to upgrade to kilo
with the juno values)
- adds heat_profiler_hmac_key, heat_profiler_enabled, and
heat_profiler_trace_sqlalchemy variables which control the enablement of
osprofiler
- removes unneeded [clients_*] sections from templates/heat.conf.j2
- renames heat_clients_endpoint variable to heat_clients_endpoint
- adds heat_clients_heat_endpoint so we can set [clients_heat] to use
externalURL rather than internalURL
Partially implements blueprint: master-kilofication
Change-Id: If445d2ad394539a13fece656cb4089b042df542a
This commit removes all of the rackspace related logging components.
This change is part 1 of 3 to update all of the logging bits within
the stack such that they're made more generic and community
consumable.
Plays removed:
* rsyslog-install.yml
Roles removed:
* rsyslog_setup
Variable changes:
* The default kibana and elasticsearch variables were removed.
Example config changes:
* The environment map was updated with the removed logging components.
Gate changes:
* rsyslog-install has been removed from the gating script as it no longer
serves the same purpose.
* The kibana variable override was removed.
* Kibana entries in `haproxy_config.yml` have been removed.
DocImpact
Implements: blueprint rsyslog-update
Change-Id: Icd25653a29c9936cecc63ba5dc82aeb1cfb7ebd8
When an AIO is built using the included scripts and networking config,
the public network has a gateway IP of 172.29.248.1 from the
172.29.248.0/22 network, which is not expected or configured to exist
anywhere. This can cause issues when using floats or in general if
some communication is desired which uses the public side gateway of
the neutron-routed network.
A simple solution is to simply drop 172.29.248.1/22 on br-vlan via the
interface config, which allows the traffic to do the needful, at least
as far as tempest's requirements are concerned. In modern
Debian/Ubuntu, this can be accomplished with another "iface" stanza
with its own "address" directive to add the additional address.
Change-Id: I79897bc4e4d7eb7d55ad3c12f55a339dfef869e1
Closes-Bug: #1425717
Related-Bug: #1425255
Currently, swift_hash_path_suffix and swift_hash_path_prefix are placed
in user_variables.yml file however they need to be placed in
user_secrets.yml in order for pw-token-gen.py (which is run against
user_secrets.yml) to generate values for these variables correctly.
Change-Id: Ie1bdee3fbfaf627c10f654d30c9b7af67280673f
Closes-Bug: 1424979
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.
Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
simplistic approach. This change duplicates code within the roles but
ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
OpenStack practices.
* Dynamically generated inventory is now more organized, this should assist
anyone who may want or need to dive into the JSON blob that is created.
In the inventory a properties field is used for items that customize containers
within the inventory.
* The environment map has been modified to support additional host groups to
enable the separation of infrastructure pieces. While the old infra_hosts group
will still work this change allows for groups to be divided up into separate
chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
variables extracted into the separate file
etc/openstack_deploy/user_secrets.yml in order to allow separate
security settings on that file.
Items Excised:
* All of the roles have had the LXC logic removed from within them which
should allow roles to be consumed outside of the `os-ansible-deployment`
reference architecture.
Note:
* the directory rpc_deployment still exists and is presently pointed at plays
containing a deprecation warning instructing the user to move to the standard
playbooks directory.
* While all of the rackspace specific components and variables have been removed
and or were refactored the repository still relies on an upstream mirror of
Openstack built python files and container images. This upstream mirror is hosted
at rackspace at "http://rpc-repo.rackspace.com" though this is
not locked to and or tied to rackspace specific installations. This repository
contains all of the needed code to create and/or clone your own mirror.
DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e
This patch removes and/or renames anything that is Rackspace specific
from the playbooks, roles and variables.
It also removes items which appear to be orphaned/unused and flattens
the playbooks into a single directory in order to better match ansible
best practise (and remove some horrible fiddles we were doing).
The following have been removed due to RAX/RPC naming or RAX/RPC
specific usage:
- playbooks/monitoring
- playbooks/rax*
- playbooks/rpc*
- roles/maas*
- roles/rax*
- roles/rpc*
- scripts/f5-*
- scripts/maas*
- scripts/rpc*
- scripts/*lab*
- vars/repo_packages/rackspace*
- vars/repo_packages/rax*
- vars/repo_packages/rpc*
- vars/repo_packages/holland.yml
The following have been removed as they are unused:
- playbooks/setup/host-network-setup.yml
- roles/openssl_pem_request
- roles/host_interfaces
- scripts/elsa*
- ssh/
- vars/repo_packages/turbolift.yml
The following directories have been renamed:
- etc/rpc_deploy > etc/openstack_deploy
- rpc_deployment > playbooks
The playbooks have all been moved into a single directory:
- rpc_deployment/playbooks/infrastructure/* > playbooks/
- rpc_deployment/playbooks/openstack/* > playbooks/
- rpc_deployment/playbooks/setup/* > playbooks/
The following files have been renamed:
- lxc-rpc > lxc-openstack
- lxc-rpc.conf > lxc-openstack.conf
- rpc_environment > openstack_environment
- rpc_release > openstack_release (etc and pip)
- rpc_tempest_gate.sh > openstack_tempest_gate.sh
- rpc_user_config > openstack_user_config
The following variables have been renamed:
- rpc_release > openstack_release
- rpc_repo_url > openstack_repo_url
The following variables have been introduced:
- openstack_code_name: The code name of the upstream OpenStack release
(eg: Juno)
Notable variable/template value changes:
- rabbit_cluster_name: rpc > openstack
- wsrep_cluster_name: rpc_galera_cluster > openstack_galera_cluster
DocImpact
Closes-Bug: #1403676
Implements: blueprint rackspace-namesake
Change-Id: Ib480fdad500b03c7cb90684aa444da9946ba8032
This patch implements the following:
- scripts-library.sh which includes commonly used functions, variables
and other preparation commands for all other scripts
- bootstrap-ansible.sh which only deploys a selected version of ansible
and ensures that any other requirements are prepared on the
deployment host
- bootstrap-aio.sh which runs all host preparation actions for an
all-in-one build
- gate-check-lint.sh which runs a lint and syntax check
- gate-check-commit.sh which runs all actions required for a gate
commit check, utilising the other scripts where required
- run-smoke-test.sh which runs tempest from inside the utility container
- run-playbooks.sh which runs the playbooks
- the existing conf.d/swift.yml is renamed to be an example
configuration - the example configurations can be used as
documentation
- etc/network/interfaces.d/aio_interfaces.cfg,
etc/rpc_deploy/conf.d/swift.yml and
etc/rpc_deploy/rpc_user_config.yml are now configurations used for
the AIO deployment
- a workaround for https://bugs.launchpad.net/bugs/1244589 to ensure
that DHCP checksums are implemented by the host which is required for
the smoke tests to work
- the removal of the rpc heat templates as they're unusable in their
current state
- setting MAX_RETRIES to 0, ensuring that any failures cause an
immediate commit check failure in the gate - this prevents the
masking of failures by retry attempts
DocImpact
Co-Authored-By: Kevin Carter <kevin.carter@rackspace.com>
Closes-Bug: #1415883
Closes-Bug: #1417999
Closes-Bug: #1419807
Change-Id: I95242d48ad0fb055f16510803c8aa14dc183ac17
By default will generate a list of filesystems that are ext or xfs and
set these up to be monitored with a specified threshold set in
user_variables.
Can loop through list of filesystems/thresholds specifically set in
user_variables if needed, and the default for a server can be overridden
in the rpc_user_config.yml per host.
The user_variables.yml sample file, and the rpc_user_config.yml files
have been updated to reflect these changes.
Change-Id: I1959a630e2c603a76001f52db6b027bf71124c54
Closes-Bug: #1414249
image_cache_max_size should be less than the size of the container. It defaults
to 10GiB which is greater than the current default container size for glance of
5GB.
Change-Id: I58ad98ba3cf83a63dbe346659148aba53dafd140
Related-Bug: 1403487
This change adds a configuration setting for the Horizon session key. If
present, this key is set into all Horizon nodes, so that they can share
sessions.
Change-Id: I94f46f3adb8fa26965959d5e8c6473eff1b4591c
Closes-bug: 1403611
Previous update omitted the 's' suffix so the value was interpreted as
milliseconds. This patch corrects that.
Change-Id: Ie7fa32a472105b2e7ba1074122b3abd8b4467f4c
Closes-Bug: #1402580
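
An added example, not code from this commit or repository: a lint pass that catches the failure mode described above, where an HAProxy `timeout` value written without a unit suffix is read as milliseconds. The configuration text is constructed, and the `min_ms` review threshold is an assumption of this sketch, not an HAProxy setting.

```python
import re

# HAProxy time units in milliseconds; a bare number is read as milliseconds.
UNIT_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000,
           "h": 3_600_000, "d": 86_400_000}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
TIMEOUT_RE = re.compile(
    r"^\s*timeout\s+(\S+)\s+(\d+)(us|ms|s|m|h|d)?\s*(?:#.*)?$")


def audit_timeouts(cfg_text, min_ms=1000):
    """Return (section, name, value_ms, problem) for every timeout line.

    problem is None when the value carries a unit and is at least min_ms.
    """
    section = None
    rows = []
    for line in cfg_text.splitlines():
        words = line.split()
        if words and words[0] in SECTIONS:
            section = " ".join(words[:2])  # e.g. "frontend keystone"
            continue
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        name, number, unit = m.groups()
        value_ms = int(number) * UNIT_MS[unit or "ms"]
        if unit is None:
            problem = "no unit suffix, read as %s ms" % number
        elif value_ms < min_ms:
            problem = "shorter than %d ms" % min_ms
        else:
            problem = None
        rows.append((section, name, value_ms, problem))
    return rows


# Constructed configuration: the defaults section omits the 's' suffix.
SAMPLE_CFG = """
defaults
    mode http
    timeout connect 10s
    timeout client 50
    timeout server 50

frontend keystone
    bind *:5000
    timeout client 90s
"""

if __name__ == "__main__":
    for row in audit_timeouts(SAMPLE_CFG):
        print(row)
```
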
Various gate jobs have failed with 504 timeouts. This patch makes the
hap client and server timeouts configurable in the user config so that
they can be raised in the gate.
closes-bug: #1402580
Change-Id: Ia9663eafd7934a76a1839a40a5e250eefdc2085e
Cinder requires temporary working space to convert images. This patch
exposes cinder_volume_lv_size_gb to the user config file, so the user
can decide how large the cinder volumes container should be based on
available space and the size of images that will need to be converted.
cinder_volume_lv_size_gb is used to override container_lvm_fssize in
group_vars/cinder_volume. Simple enough but doesn't work because
templated variables (or indirect variables) are not expanded when
accessed via hostvars[] see: ansible/ansible#7844. In order to work
around that, I have eliminated hostvars[] usage from the container
creation mechanism. This may have positive speed implications as the
limit of container creation parallelism is now forks rather than number
of hosts. However it does make this change larger than a small bug fix.
Also note that this patch makes use of delegate_to, so specific ansible
versions must be used to avoid ansible/ansible#8705. Our requirements
file currently specifies a version before this bug was introduced.
There are two commits in this PR as one is the actual bugfix, the other
is infrastructure changes required for that bugfix to work. Also only
the bugfix may be needed if the upstream bugs are fixed.
Closes-Bug: #1399427
Change-Id: I2b5c5e692d3d72b603fdd6298475cb76c52c66df
* Add dispersion.conf into /etc/swift
* Add dispersion keystone user
* Give swiftoperator role to dispersion user
Change-Id: Ieb41c9a9902c30240b106b462ba83d151708491e
Closes-Bug: 1398808
* Create "swift_allow_all_users" var - default to False
* Adjust swift-proxy-server.conf based on this value
* If true add _member_ to allowed users.
Fixes #610
* Move the logic out into ansible/templates
* Let the ring_builder just build the ring based on a list of devices
* Allows us to not have to specify the storage/repl ip as long as the bridge is specified
Fixes #603
As per support discussion, modify:
nova_cpu_allocation_ratio = 2.0
nova_ram_allocation_ratio = 1.0
Also add commented entry to user_variables to allow overriding