Commit Graph

738 Commits

Author SHA1 Message Date
Aleksandr Chudinov e8de2a5f0b Add property protection configuration
Allows to configure property protection according to
https://docs.openstack.org/glance/latest/admin/property-protections.html

Change-Id: I9b4c0985969a4945ce8a1058206376b0347fbb27
2024-02-28 11:30:50 +02:00
Zuul f375f499c0 Merge "Enable uWSGI usage for Ceph backends" 2024-01-27 01:02:19 +00:00
Dmitriy Rabotyagov 2f4344550b Fix iteration over backends config
Backend config is a dictionary and it's attempted to be iterated as dict,
however it was missing items() call.

Issue has been introduced with the patch [1]

[1] https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/901034

Change-Id: I0a6a96a70f05815871a499935a61af9993186edb
2024-01-18 16:50:11 +01:00
Dmitriy Rabotyagov d0f6fd67cc Enable uWSGI usage for Ceph backends
Since upstream bug [1] preventing us to disable uWSGI for Ceph was fixed,
we can remove extra logic of disabling uWSGI usage when Ceph is among
configured storages.

[1] https://review.opendev.org/c/openstack/glance_store/+/885581

Change-Id: Ibcd9df6a547febb8f47b88d0c98277b46faf489c
2024-01-18 15:27:17 +01:00
Dmitriy Rabotyagov e4acad2bb6 Fix cinder store configuration
According to configuration guide of using cinder as a storage [1], some
auth data should be provided in storage section.
It also needs show_multiple_locations to be enabled.

[1] https://docs.openstack.org/cinder/latest/admin/volume-backed-image.html

Change-Id: Iacd5b74cbda1fdf48a073dc17b42caa37c2359e5
2023-11-27 11:36:42 +00:00
Dmitriy Rabotyagov aa69a6fe5c Make glance_additional_stores work nicely with multi-store
While we assume that glance_additional_stores can be list of mappings
for multistore glance support, bunch of other logic in role still treats
it as simple list and make verifications against it. So in case one
dares to override variable according to our suggestion, they also need
to override bunch of other things.

We change defaults for `glance_available_stores` variable and always
define it as a multistore list of mappings.

Then we introduce a variable `glance_available_store_types` that is a
list of types for each of configured storage.

Logic of how storages are defined in glance config is also changed now.
Storages won't be defined if there's no "default" record for them in
glance_available_stores.

For each new store that deployer wants to provision, they now can pass
`config` key for glance stores, rather then use config overrides.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/901041
Change-Id: I1416e0f6e3ed79abd10f468b52fc712d35a61bd2
2023-11-27 11:36:33 +00:00
Dmitriy Rabotyagov ff895d3bad Remove glance_cinder_store filters override
At the moment glance_cinder_store.filters is distributed through
glance_store [1] package.
Moreover, for quite some time glance has migrated to using privsep [2]
so internally maintained filters are not up to date anymore.

[1] f3f5bdb45b/etc/glance/rootwrap.d/glance_cinder_store.filters
[2] c369ba013f

Related-Bug: #900930
Change-Id: Ie097a019f058bac123acf14f51253c272c56aca5
2023-11-14 18:55:14 +01:00
Dmitriy Rabotyagov c2428ab8da Add glance_bin to rootwrap defenition
At the moment rootwrap can not find privsep-helper binary as it's located
in glance bin directory, which is inside the virtual environemnt.
In order to properly use privsep we must define venv bin directory in
allowed exec_dirs of rootwrap.

This also introduces new variable  `glance_rootwrap_conf_overrides`
that allows to manage some extra overrides for rootwrap if needed.

Closes-Bug: #2043503
Change-Id: I4ee3fc33fdbeb50fc7b102bf62d6134f83c5925f
2023-11-14 18:50:18 +01:00
Dmitriy Rabotyagov 289ce991c4 Use correct default for glance_mount_points
Back in Yoga we've refactored way of mounting remote filesystems
for glance while keeping backwards compatibiltiy [1]

However, there was a copy/paste error made while defining
glance_mount_points with old format of glance_nfs_client.

[1] https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/837550

Change-Id: I755822089bf406f532a718db5b84df553cbc2084
Closes-Bug: #2032771
2023-11-06 08:33:09 +00:00
Jonathan Rosser 2fcec5f55f Fix example playbook linters
Change-Id: I6962b83ec44db6d9edd0da6efbb58e1485f812a0
2023-11-06 08:32:26 +00:00
Dmitriy Rabotyagov 8e36b59745 Split lines to not exceed 160 characters limit
Change-Id: I05029ad2a2a8e351ecc7236cb779a045c3a44403
2023-09-18 15:38:17 +02:00
Zuul 4e0ca28c67 Merge "Add quorum support for glance" 2023-09-04 08:19:43 +00:00
Dmitriy Rabotyagov 946c452af7 Define constraints file for docs and renos
Right now we are not using any constraints for docs and releasenotes builds.
This has resulted in docs job failures once Sphinx 7.2.0 has been released.

The patch will ensure that constraints are used an we should not face
simmilar issue again.

TOX_CONSTRAINTS_FILE is updated by Release bot once new branch is created,
so it should always track relevant constraints.

Some extra syntax-related changes can apply, since patch is being passed
through ConfigParser, that does not preserve comments and align indenting.


Change-Id: Ic65b9abc930e151f06d69fb9474a813cb504d7ed
2023-08-17 16:32:10 +02:00
Zuul cb69874540 Merge "Use proper galera port in configuration" 2023-08-14 11:43:36 +00:00
Zuul 2b0da5f562 Merge "Fix linters and metadata" 2023-08-14 10:37:13 +00:00
Dmitriy Rabotyagov eeab8bf6c8 Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.

Change-Id: I6967d3832396f375580039c73510ea4f02002b3b
2023-08-07 07:04:49 +00:00
Dmitriy Rabotyagov cf448d95c5 Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metdata to reflect current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Ifb3711157e77d5c917d05e4a384dead2abe72a7c
2023-07-14 14:56:14 +02:00
Dmitriy Rabotyagov bf912df1e3 Apply tags to systemd_service include
In order to be able to use tags to run systemd_service role solely,
they must be applied properly when role is included.

Change-Id: I121167e87b7aa68a75af17cbde084de5b1961264
2023-07-13 14:58:22 +02:00
Dmitriy Rabotyagov a5d922e4ed Add quorum support for glance
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
it's behaviour.

Depends-On: https://review.opendev.org/c/openstack/oslo.messaging/+/873630
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Change-Id: I87a5a1bb5028706e1768f53f53c4567cbdff64c9
2023-07-06 14:04:59 +02:00
Zuul 1f989219b4 Merge "Add TLS support to glance backends" 2023-05-03 12:20:41 +00:00
James Gibson 736d36b79d Add TLS support to glance backends
By overriding the variable `glance_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the glance backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I5a0302c2fcc73a869de5633b2332a3b53c99590e
2023-04-29 18:36:46 +02:00
Damian Dabrowski fafd49959e Move _glance_available_stores to defaults
We need to define _glance_available_stores outside glance role to
use it in haproxy service definition.

It's a good idea to make `_glance_available_stores` public by moving it
out of role variables to role defaults beforehand.

Change-Id: Ieb10a0e5c9faf72c6bea4c45f7e216469971a1f3
2023-04-20 20:51:58 +02:00
Zuul 3fac9b1985 Merge "Ensure service is restarted on unit file changes" 2023-04-11 20:37:35 +00:00
Dmitriy Rabotyagov f7c7e4864e Ensure service is restarted on unit file changes
At the moment we don't restart services if systemd unit file is changed.

We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now  we ensure that role handlers will also listen for systemd
unit changes.

Change-Id: I5a52c0de14ee3a6215edb64dbc3bd48512d57e2e
Closes-Bug: #2009029
2023-04-07 08:27:38 +00:00
Dmitriy Rabotyagov 295533132b Disable uWSGI if ceph is used as a store
At the moment there's an issue with chunking in case uwsgi is used
with ceph backend.

Change-Id: I48feac2ea789782e55bd49196e631cd4df9778ce
Related-Bug: #1916482
2023-04-03 19:48:46 +02:00
OpenStack Release Bot 7b88f5a74e Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: I0e6b4917786b6b5d2d983db092bc45f635abea2c
2022-12-13 13:14:00 +00:00
Zuul dd9bb7aa84 Merge "Stop using need_service_restart local fact" 2022-12-10 18:57:00 +00:00
Dmitriy Rabotyagov ee521f91f2 Stop using need_service_restart local fact
We can reduce complexity of logic on when to restart glance as we
anyway leverage in-role handlers to restart service when needed.

Patch adds also triggering service restart when install_packages
are changed.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/866693
Change-Id: Ieeeb9bc3b8922700e0c70f150cf1af0a75c805ea
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/866126
2022-12-06 12:53:09 +01:00
Damian Dabrowski 5bc252de44 Add external_lb_vip_address to glance_cors_allowed_origin by default
Since ``horizon_images_upload_mode`` is enabled by default and
``glance_show_multiple_locations`` is disabled by default(turns out
it's not really required), we should add ``external_lb_vip_address`` to
``glance_cors_allowed_origin`` as default.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/862167
Change-Id: I6d13e1e985f8e3bbb97b0af7063b469cb4b2dbca
2022-10-20 19:08:44 +02:00
Zuul 504e641ed4 Merge "Remove redundant vars line" 2022-09-20 19:50:19 +00:00
Erik Berg af3c839eb3 Remove redundant vars line
This line was introduced by I65d8e66673f5372fe880680a035842ffcd775ac2
for centos-7 support, and should already be covered by the
distribution_major_version line above.

Change-Id: I8a2a93aa3ecbb01451e940b7e71e5ac5bf48b880
2022-09-14 13:03:30 +02:00
Zuul 152abb5f6c Merge "Support service tokens" 2022-06-16 13:21:20 +00:00
Dmitriy Rabotyagov 613e645a20 Remove mention of haproxy-endpoints role
Role was never migrated to usage of haproxy-endpoints role
and included task was used instead the whole time.
With that to reduce complexity and to have unified approach, all mention
of the role and handler are removed from the code.

Change-Id: I01225e479e22f3867e811055c8e5e87f644bf46e
2022-06-14 18:02:05 +00:00
Dmitriy Rabotyagov fc6f342194 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Ib7fd1a80affe0fa8c6b030fdbfdd60693f104cd6
Related-Bug: #1948456
2022-06-14 14:36:52 +00:00
Dmitriy Rabotyagov c9a9e2f87b Fix glance mounts compatability
When default value has any concatenation, it tries to resolve variables
and always contcatenate even when it's not needed.

With that we need to set defaults for the variables that are inside
defaults, otherwise even if default not needed - task would fail on
default being undefined.

Change-Id: I4f445f280a71173f1b72a3b37bd9d54ea5694ac2
2022-06-14 16:36:14 +02:00
Dmitriy Rabotyagov 93c73e99b1 Switch sphinx language to en
With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that current None valuable is not valid and should
not be used.


Change-Id: Iefc217495e209c30782c8bd8fb4de54b3e683992
2022-05-30 16:01:25 +02:00
Zuul 1d8cb0dbd9 Merge "Use systemd_mount native syntax for mounts" 2022-04-25 22:47:45 +00:00
Zuul 51e5f5f224 Merge "Do not deploy api-paste for CentOS distro deployment" 2022-04-25 22:47:43 +00:00
Dmitriy Rabotyagov 44b443dacb Allow os_glance to run in check mode
Let role fetch config file regardless of mode. This is safe operation
to run in check mode and shouldn't affect anything.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/837706
Change-Id: I5352028c967685e2b2d666fc4850afe9bf6ffd10
2022-04-13 17:31:39 +02:00
Dmitriy Rabotyagov 8c425490e7 Do not deploy api-paste for CentOS distro deployment
RDO stopped shipping api-paste file for glance, so we can't provide it
anymore. To avoid maintaining it for this usecase we simply stop
provisioning as well for this path.

Change-Id: I01440a4df4f4a1f7bb96d2bd672812c35963cdb3
2022-04-12 16:18:11 +02:00
Dmitriy Rabotyagov 887a59256e Use systemd_mount native syntax for mounts
Currently we have bunch of limitations related to the format
of ``glance_nfs_client``. While systemd_mount role is flexible enough
to allow mount cephfs or s3fs, variable format has weird assumptions
that we want to change for better flexability.

Since keys of variable are changing, new name for it was picked to
reflect purpose of the variable better.

Change-Id: Ic0d91a3a873b4253255beac79becf01b4a304695
2022-04-12 12:56:38 +02:00
OpenStack Proposal Bot a23f92c9c7 Updated from OpenStack Ansible Tests
Change-Id: I4dfc26d868292b8246caa1748978b2163f31a7d8
2022-03-31 20:15:46 +00:00
Marc Gariepy b0a2fa039a Cleanup setup.py config
Change-Id: I7f9ee0fbda74eccf429c40e31a1006cd75449563
2022-03-31 10:38:46 -04:00
Jonathan Rosser cab9cb90f5 Remove legacy policy.json cleanup handler
Change-Id: Icbf12fb0c09ef2e0a856e7339fa43aaf3557715a
2022-02-02 04:11:25 -05:00
Zuul b3a65f317f Merge "Use common service setup tasks from a collection rather than in-role" 2022-01-28 21:21:31 +00:00
Jonathan Rosser 9f54a5a634 Use common service setup tasks from a collection rather than in-role
Change-Id: Ica9144f21cd675112d07008a387f65f8e468d378
2022-01-13 11:30:16 +00:00
Jonathan Rosser c801091880 Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.

This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.

Change-Id: If4b1fe7ec14ffb03be79d29e9d21d9ab829cb4ec
2022-01-12 08:35:28 +00:00
James Denton a2694d3147 Add boto3 module for s3 backend
This patch adds the boto3 python module, which is a dependency
for the s3 glance backend.

Closes-Bug: #1955683
Change-Id: I5f5a921d8a08d5dfb09e2bca71d49c85115a60aa
2021-12-27 17:21:27 +00:00
Dmitriy Rabotyagov 091f33c8da Define _glance_available_stores in variables
Glance available stores is usefull outsie of the template as well, so we
move defining variable from Jinja template only to ansible variables.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/822998
Change-Id: I312fdede3c3bffa0c897588d33fcc5d5d6988ccd
2021-12-27 16:53:47 +00:00
Zuul 7a91492c6a Merge "Stop managing NFS mount destinations" 2021-12-18 10:43:58 +00:00