While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.
Change-Id: I6b910817ddc6eab68f815f776faeee432e55012e
In order to cover OSSA-2023-003, a requirement to define service_user
section for all cinder services has been added by cinder.
Change-Id: I19c2b03c61f714fedb593da8489e50d3fa08d933
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is defined now for keystone_authtoken which
enables validating tokens with restricted access rules.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I1d0156a2ad829aa730419e1d9dfa1cd49026a6be
Related-Bug: #1948456
This configuration option has been observed to result in file
descriptor leaks in certain circumstances. A variable is added
here so that it can be easily overridden.
Related-Bug: #1961603
Change-Id: I8155264b181d6f21728804ef8260979931597427
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ib445e0ddd01d52314e50ca6edd2fa20e5f6ef3eb
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.
Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: Ieab4ab2e36e4953961841be334ff16162f7daeb8
Usage of module path is a deprecated behaviour. All cinder docs
suggest using just `barbican` for [key_manager]/backend value.
We also explicitly specify for barbican to talk over internal
interface instead of public which is default behaviour.
Change-Id: I3d0d401c2024c6051b7fb61a929dd4e6975b0a30
By default cinder will use tenant token for interaction with nova.
However for resize of the in-use volume cinder needs to have admin
credentials set for such kind of interactions.
Change-Id: Id32d3a5727fc96e07e09332beb7265610e5c8b10
Closes-Bug: #1902914
As deployers may have use cases with several different backends being
served with the same cinder volume,
we should provide an option to easily override default behaviour
Change-Id: Idc9a71d722b7443cf1437c2d95f75c615b6035a4
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.
We also add pymemcache based on [1]
[1] https://review.opendev.org/711429
Change-Id: Ic83f6371c5d2bbed6a7d6d2f92a69fd3a2afd0d3
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.
Depends-On: https://review.opendev.org/678025/
Change-Id: Ieac6d03a436f6b706d7f12e292ffc98171a43246
This patch drops the hacky workaround of using backend_host which
is not recommended by the Cinder team and instead uses active-active
RBD which has been implemented since Rocky.
Closes-Bug: #1837403
Change-Id: I0c8aed4d0608c1f117e1baa1f428875956159ffd
Since cinder moved to policy-in-code, oslopolicy-policy-generator
must be used to compile a policy file that can be distributed to
Horizon for policy settings. For cinder, it will only output its
default policy unless cinder.conf contains an oslo_policy
configuration section pointing to the policy config file.
Change-Id: I66a76fdb30ae6afd8a8faf4119bef495600aec50
The debian packages for individual cinder services provide service
configs which automatically start after install, leading to all cinder
services running on each cinder volume host. Instead only install the
python3-cinder library package and rely on the service files OSA manages.
uwsgi packages are only required on hosts running cinder-api, so an
additional variable, 'cinder_api_distro_packages' has been added for
packages specific to those hosts.
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. This requires additionally installing and using the uwsgi
python3 plugin.
Change-Id: Iafcd9a8141fffb2226ec5103960064decc579bd5
While running smoke tests using
https://review.openstack.org/#/c/652060/ in os_tempest jobs, the
tempest volume and compute api tests are failing with
Invalid image identifier or unable to access requested image error.
Adding glance_api_version in cinder.conf fixes the issue.
Change-Id: I8ae1599b96ead1361ee82960fd5fb66c259ea0ff
Signed-off-by: Chandan Kumar <chkumar@redhat.com>
Change I12859167d19b9f40e3378ac08fed094a42f40bc7, merged just today,
put the evaluation of cinder_scheduler_default_filters inside an
{% if } block that it wasn't meant to be inside. As a consequence,
that setting would be ignored more often than it would be
honored.
What threw me (sorry about that) was that I had tested this patch
on a Queens box, and stubbornly copied into the template on master.
And changes I02d2bae8712c0ca223cafb5a43304806c4b83125 and
Ib5a128e82e5251077e341b5f428eb097bcc17590 had left the
template in a somewhat confusing state: the template had retained the
"## Cinder API's enabled" comment despite the fact that there were
no settings left to enable or disable any APIs.
So, with this change the evaluation of cinder_scheduler_default_filters
goes to the right place (i.e. outside the {% if } block), *and*
the confusing API comment is removed.
Change-Id: Ic5707615571e62ba2326e2ad436333bac246c8dd
Operators may want to define specific default filters. Previously,
they could only do so via cinder_cinder_conf_overrides.
Make the cinder.conf template understand cinder_scheduler_default_filters,
a list variable that, if defined, is folded into a comma-separated
list for scheduler_default_filters in the [DEFAULT] section.
Change-Id: I12859167d19b9f40e3378ac08fed094a42f40bc7
To the best of my knowledge, the [nova] section in cinder.conf
is only ever used if the Cinder scheduler is acting as a Nova client
when the operator has enabled the InstanceLocalityFilter.
Per https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/cinder.conf.html,
Cinder defaults to using the public Nova endpoint when using the
Nova API. This is contrary to OSA precedent, where services
normally use internal endpoints for service-to-service API requests.
When enabling the InstanceLocalityFilter in combination with Cinder
talking to the public Nova endpoint, this can create a very confusing
situation, particularly in pre-production clusters: if the public
endpoint has a self-signed SSL certificate, and Cinder is not
explicitly configured not to verify certificates, then this creates
a whole load of connection errors.
Thus, in order to follow POLA, configure the [nova] section to use
the internal endpoint, and (in case the internal endpoint does
use HTTPS) honor the keystone_service_internaluri_insecure setting,
as for other services.
Change-Id: Ie31a7e2917a188027db49ac51e6a77ee39a9abf0
The notification driver setup was resulting in the driver and connection string
on the same line. This is caused by the case statement and how jinja formats
the template when a case statement is present. This change modifies how the
driver string is created using a ternary, which will eliminate the case
statement and render the value of the driver correctly.
Change-Id: I94899d14906a0a4e51137dd066f25f8f0e0a2334
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. While the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.
* Source installs have the configuration files within the venv at
"<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
default configuration path to this directory. When the service is
upgraded the link will move to the new venv path.
* Distro installs package all of the required configuration files.
To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.
Change-Id: Ib3447cd5b0bcada4cdf82d9e4a9fe5160299f9c3
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Cinder expects to see resource_filters.json in
/etc/cinder/resource_filters.json, but the role doesn't distribute this file.
It implements generalized filters, w/o which non-admins will
experience problems with some operations (i.e. in horizon).
Closes-Bug: #1810537
Change-Id: I0f699c9869effc5ccc0d3f79422935975f698134
Cinder no longer supports using a driver name without
specifying the full class path.
This patch fixes all the documentation and adds a
release note for that.
Change-Id: Ia31748e3abb0fca54efd5e8e74bde0440760159e
Related-Change-Id: I3ada2dee1857074746b1893b82dd5f6641c6e579
This patch removes the conditional inclusion of the notification
section of the service configuration. This ensures that oslo.messaging
notifications use the correct transport for deployments that have
separate rpc and notify messaging backends. For example, if the
transport_url is not provided in the notification section of the
service configuration, the transport_url specified in the default
section will be used instead.
This patch conditionally selects the notifier driver. The noop
driver will be selected when notification publishing is disabled.
The messagingv2 driver is selected when notification publishing is
enabled.
Change-Id: I65ef897e78b5fb1c9ff6bb3d31cb6aa9e0c8429e
The change removes or updates options that have been changed in the
cinder.conf file and are throwing deprecation warnings in the logs.
Change-Id: Ib5a128e82e5251077e341b5f428eb097bcc17590
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
It seems when using Cinder backends, the value inside backend_defaults
is used which can default to the wrong value.
Change-Id: I771a2655545d0d006c882584657d97814e2fa8e1
When using debug, JSON logging is enabled due to a bug that
seems to occur when using unicode characters[1]. This patch drops
this in order to make sure that we resolve this in Cinder (or
test that it's already resolved).
[1]: https://bugs.launchpad.net/cinder/+bug/1703493
Change-Id: Ia5eea6b908459366d93d9ceac5d16908e99e051a
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed.
The systemd journal would normally be populated with the standard out of
a service however with the use of uwsgi this is not actually happening
resulting in us only capturing the logs from the uwsgi process instead
of the service itself. This change implements journal logging in the
service config, which is part of OSLO logging.
OSLO logging docs found here: <https://docs.openstack.org/oslo.log/3.28.1/journal.html>
A new variable `cinder_environment_overrides` has been added to ensure
the correct PATH is set for cinder services.
This reverts commit b219b90536.
Change-Id: I1cb10aa591a8262add47e2f5b61cfded9e28241d
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The iscsi_helper configuration option has been deprecated and
replaced by target_helper. This patch updates it to use the
correct helper.
Change-Id: I3bafacb7d483dd3b1132b3c3b4411e26fc117ad8
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters
replace the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be
transparent to the cinder service.
This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Update transport_url generation
* Add oslo.messaging to inventory
* Add release note
Depends-On: If4326a6848d2d32af284fdbb94798eb0b03734d5
Depends-On: I2b09145b60116c029fc85477399c24f94974b61d
Change-Id: I6b29b89c80889eff34fe78674cd888ea9d398388
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.
Change-Id: I4ff3cbf5e1e1ce04cd4cdc9c1ce97afdeace5159
Depends-On: I5a78e2120e596d36629b4ba978b2b5df76b149b0
Implements: blueprint openstack-distribution-packages
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1] https://review.openstack.org/#/c/508522/
Change-Id: I6f7ba1de5152e62eae1e83f972830d61e37aede3
Implements: blueprint deprecate-auth-uri-option
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed. The exterior role is built to be OSA compatible and may be pulled
into tree should we deem it necessary.
Change-Id: Idf7513a22608a602fe4e53da070c11aac115b6d0
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>