Commit Graph

147 Commits

Author SHA1 Message Date
Aleksandr Chudinov e8de2a5f0b Add property protection configuration
Allows to configure property protection according to
https://docs.openstack.org/glance/latest/admin/property-protections.html

Change-Id: I9b4c0985969a4945ce8a1058206376b0347fbb27
2024-02-28 11:30:50 +02:00
Dmitriy Rabotyagov d0f6fd67cc Enable uWSGI usage for Ceph backends
Since upstream bug [1] preventing us to disable uWSGI for Ceph was fixed,
we can remove extra logic of disabling uWSGI usage when Ceph is among
configured storages.

[1] https://review.opendev.org/c/openstack/glance_store/+/885581

Change-Id: Ibcd9df6a547febb8f47b88d0c98277b46faf489c
2024-01-18 15:27:17 +01:00
Dmitriy Rabotyagov e4acad2bb6 Fix cinder store configuration
According to configuration guide of using cinder as a storage [1], some
auth data should be provided in storage section.
It also needs show_multiple_locations to be enabled.

[1] https://docs.openstack.org/cinder/latest/admin/volume-backed-image.html

Change-Id: Iacd5b74cbda1fdf48a073dc17b42caa37c2359e5
2023-11-27 11:36:42 +00:00
Dmitriy Rabotyagov aa69a6fe5c Make glance_additional_stores work nicely with multi-store
While we assume that glance_additional_stores can be list of mappings
for multistore glance support, bunch of other logic in role still treats
it as simple list and make verifications against it. So in case one
dares to override variable according to our suggestion, they also need
to override bunch of other things.

We change defaults for `glance_available_stores` variable and always
define it as a multistore list of mappings.

Then we introduce a variable `glance_available_store_types` that is a
list of types for each of configured storage.

Logic of how storages are defined in glance config is also changed now.
Storages won't be defined if there's no "default" record for them in
glance_available_stores.

For each new store that deployer wants to provision, they now can pass
`config` key for glance stores, rather than use config overrides.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/901041
Change-Id: I1416e0f6e3ed79abd10f468b52fc712d35a61bd2
2023-11-27 11:36:33 +00:00
Dmitriy Rabotyagov c2428ab8da Add glance_bin to rootwrap definition
At the moment rootwrap can not find privsep-helper binary as it's located
in glance bin directory, which is inside the virtual environment.
In order to properly use privsep we must define venv bin directory in
allowed exec_dirs of rootwrap.

This also introduces new variable `glance_rootwrap_conf_overrides`
that allows to manage some extra overrides for rootwrap if needed.

Closes-Bug: #2043503
Change-Id: I4ee3fc33fdbeb50fc7b102bf62d6134f83c5925f
2023-11-14 18:50:18 +01:00
Zuul 4e0ca28c67 Merge "Add quorum support for glance" 2023-09-04 08:19:43 +00:00
Dmitriy Rabotyagov cf448d95c5 Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Ifb3711157e77d5c917d05e4a384dead2abe72a7c
2023-07-14 14:56:14 +02:00
Dmitriy Rabotyagov a5d922e4ed Add quorum support for glance
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

Depends-On: https://review.opendev.org/c/openstack/oslo.messaging/+/873630
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Change-Id: I87a5a1bb5028706e1768f53f53c4567cbdff64c9
2023-07-06 14:04:59 +02:00
Zuul 1f989219b4 Merge "Add TLS support to glance backends" 2023-05-03 12:20:41 +00:00
James Gibson 736d36b79d Add TLS support to glance backends
By overriding the variable `glance_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the glance backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I5a0302c2fcc73a869de5633b2332a3b53c99590e
2023-04-29 18:36:46 +02:00
Damian Dabrowski fafd49959e Move _glance_available_stores to defaults
We need to define _glance_available_stores outside glance role to
use it in haproxy service definition.

It's a good idea to make `_glance_available_stores` public by moving it
out of role variables to role defaults beforehand.

Change-Id: Ieb10a0e5c9faf72c6bea4c45f7e216469971a1f3
2023-04-20 20:51:58 +02:00
Dmitriy Rabotyagov 295533132b Disable uWSGI if ceph is used as a store
At the moment there's an issue with chunking in case uwsgi is used
with ceph backend.

Change-Id: I48feac2ea789782e55bd49196e631cd4df9778ce
Related-Bug: #1916482
2023-04-03 19:48:46 +02:00
Damian Dabrowski 5bc252de44 Add external_lb_vip_address to glance_cors_allowed_origin by default
Since ``horizon_images_upload_mode`` is enabled by default and
``glance_show_multiple_locations`` is disabled by default (turns out
it's not really required), we should add ``external_lb_vip_address`` to
``glance_cors_allowed_origin`` as default.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/862167
Change-Id: I6d13e1e985f8e3bbb97b0af7063b469cb4b2dbca
2022-10-20 19:08:44 +02:00
Dmitriy Rabotyagov fc6f342194 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Ib7fd1a80affe0fa8c6b030fdbfdd60693f104cd6
Related-Bug: #1948456
2022-06-14 14:36:52 +00:00
Dmitriy Rabotyagov 887a59256e Use systemd_mount native syntax for mounts
Currently we have bunch of limitations related to the format
of ``glance_nfs_client``. While systemd_mount role is flexible enough
to allow mount cephfs or s3fs, variable format has weird assumptions
that we want to change for better flexibility.

Since keys of variable are changing, new name for it was picked to
reflect purpose of the variable better.

Change-Id: Ic0d91a3a873b4253255beac79becf01b4a304695
2022-04-12 12:56:38 +02:00
James Denton a2694d3147 Add boto3 module for s3 backend
This patch adds the boto3 python module, which is a dependency
for the s3 glance backend.

Closes-Bug: #1955683
Change-Id: I5f5a921d8a08d5dfb09e2bca71d49c85115a60aa
2021-12-27 17:21:27 +00:00
Damian Dabrowski 5f599df051 Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I4fd6de7ca38d561306e8c868c063b68edeafc68a
2021-12-03 11:40:51 +01:00
Dmitriy Rabotyagov 7b719c7ffb Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I71ebc2fc4e386f3a1599fe73d49fae185ec9d2ff
2021-09-17 13:58:42 +00:00
Zuul f1914463f3 Merge "Add variables for rabbitmq ssl configuration" 2021-05-17 13:22:57 +00:00
Jonathan Rosser ffdcbe7ff8 Add variables for rabbitmq ssl configuration
Change-Id: Ie87b33a672168e9ab54c8d7869a09010a25458ad
2021-05-13 14:37:02 +00:00
Dmitriy Rabotyagov 6ed40be146 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to replace policy.json to
policy.yaml and remove deprecated policy.json.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I03a29bab6663d1d0ee6130707ea5865ebbd916d5
2021-05-05 19:13:33 +00:00
Jonathan Rosser f249853c0e Convert remaining ansible_ fact variable to ansible_facts[]
Change-Id: I7eff6aa9bc0e3d635946343b2602ec9431794de3
2021-03-16 08:02:53 +00:00
Jonathan Rosser 36c09b5a9d Switch default virtualenv to python3
Change-Id: I752d3219172d04cb4ee0f962098b790b6820aae6
2021-03-10 08:49:40 +00:00
Jonathan Rosser ae6c72997c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I03b51e2cf342b8b1434503f2bd0f4b30dcd5258e
2021-02-23 18:05:14 +00:00
Zuul e29ffd4e8e Merge "Move glance pip package from a constraint to a requirement" 2021-02-05 21:18:37 +00:00
Jonathan Rosser a6b1bc17d5 Move glance pip package from a constraint to a requirement
This is necessary to support the new pip resolver.

Depends-On: I9be6bbf4a29a4da2ddf96dc0336bc2a7d8ec9281
Depends-On: I49c75dd11d6c4e8d37fe013b7ffdfd56ff193fcd
Change-Id: I41fc05409433b4e22307ad604c15d30bcea32abd
2021-01-18 16:38:36 +00:00
Zuul ff21bac342 Merge "Add glance cache variables into glance-api" 2021-01-14 10:41:05 +00:00
Dmitriy Rabotyagov b7673143de Add glance cache variables into glance-api
In glance caching doc is stated[1], that some of the variables
should be defined in both glance-api and glance-cache config and should
be exactly the same, otherwise issues might raise.

We also introduce glance_image_cache_stall_time variable to control
cache time reliable across config files

[1] https://docs.openstack.org/glance/train/admin/cache.html#configuration-options-for-the-image-cache

Change-Id: Ic229e71978961546cec5f58a9c963c71e05ffba4
2021-01-13 13:58:22 +02:00
Dmitriy Rabotyagov 6c148e0b1c Use global service variables
Instead of overriding each service separately it might make
sense for deployers to define some higher level variable that
will be used first or fallback to default variable.

Change-Id: Idec510b7f2302b6db2fe5aba599e3c258043fee0
2021-01-08 17:44:16 +00:00
Jonathan Rosser cbbd0dee61 Reduce number of processes on small systems
Even the most modest 4C/8T system would run with the maximum 16 processes
due to the calculation being VCPU*2.

This patch makes it clearer that glance_api_threads is the number of
physical CPU, and halves glance_wsgi_processes to physical CPU*2 for
a hyperthreaded CPU.

Change-Id: I71357a585a053d0b4e9316cc69c681caee2259da
2020-10-06 10:30:32 +00:00
Dmitriy Rabotyagov 512f5736eb Fix native service path
When glance_use_uwsgi is set to false, glance is launched with native
service instead of the uwsgi. For that scenario, execstarts key is used
which had wrongly defaulted config-file location.
Eventually, providing this option is not required and we may rely on defaults

Change-Id: I48edcc48549e811aa96091f8ce838659d250ae04
2020-09-04 12:12:12 +03:00
Zuul ab5de45fa7 Merge "Use the utility host for db setup tasks" 2020-08-21 15:40:25 +00:00
Dmitriy Rabotyagov d480f24e3a Use the utility host for db setup tasks
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.

Change-Id: I7da95890045b216ba8946616790b7cd33ef2db52
2020-08-20 17:39:09 +03:00
Dmitriy Rabotyagov ed736fd783 Cleanup glance-registry service
Glance-registry service has been removed in V cycle with [1]

We do all necessary cleanup to fully remove service deployment.

[1] https://review.opendev.org/738671/

Change-Id: I0b2e2e39040fd0daef04724f94a39f2d11e4d105
2020-07-07 07:30:17 +03:00
Dmitriy Rabotyagov eaa83ca658 Cleanup after repo_build and pip_install retirement
Change-Id: I3a87a73e1452c6e7f6866767c0338d5aa2543b1a
2020-05-12 19:33:39 +03:00
Dmitriy Rabotyagov fbe7177e7d Make possible to run glance-api not with uwsgi
While running as uwsgi glance has malfunctioning interoperable image
import feature. So we add new variable `glance_use_uwsgi` based on which
glance will be either started via uwsgi or as a regular service.
Also once glance_use_uwsgi is true, enable_image_import will be disabled

Change-Id: Icf572c656c24b646110ce3fd90727205c22eff15
2020-04-27 10:54:15 +00:00
Dmitriy Rabotyagov 22c9bc06a9 Update glance_store variables
Some variables were deprecated in rocky and marked for removal in Ussuri
We do replace them not to have things broken afterwards.

Change-Id: I75d2e3631b0dfebb72efd946fd61252bb9b766b0
Related-Bug: #1846052
2020-04-15 18:00:18 +03:00
Guilherme Steinmüller 0b9bcc3e5a Refactor memcached_servers
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e users
wants to create a single memcached cluster with k8s
for each service.

We also add pymemcache based on [1]

[1] https://review.opendev.org/711429

Change-Id: I19b74c3bc5119953256d3d8f2a98cb5f23787755
2020-03-13 22:14:53 +00:00
Dmitriy Rabotyagov 0f7971c9cb Fix glance policy.json deployment
Glance has dropped default policy.json [1] which
was used by "smart sources". We are fixing this by setting content
to empty dict, that way the only content deployed will be the one
provided by overrides, so that won't change current behaviour.
Additionally `glance_policy_content` has been introduced, which
eventually is going to replace `glance_policy_overrides` in the future.

[1] dd1975bd3e

Change-Id: I3f365684542b390ea02c08ab56f76a447f65a814
2020-03-10 14:27:33 +02:00
Dmitriy Rabotyagov b02cebc5e5 Change upper constraints url
To be consistent with other projects, we are changing upper constraints

[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006478.html

Depends-On: https://review.opendev.org/693841/
Change-Id: I97705c4d839e67ba95b81bee7c9b386da8e7643c
2019-11-14 17:38:05 +00:00
Zuul b1e8e2337a Merge "Turn the filesystem directory to be configurable" 2019-10-09 15:46:17 +00:00
Jonathan Rosser 4aa90392d9 Add global override for service bind address
Depends-On: https://review.opendev.org/685974
Change-Id: I576a85884fb85bc936f031fa64afa1724a4cb87f
2019-10-01 16:33:55 +00:00
Panagiotis Karalis c27d0123ab Turn the filesystem directory to be configurable
Update the ownership of the directory about NFS mount point(s).

This patch could also stand as an improvement for future use.

Making the filesystem directory configurable, we are able to store
the image in the different directory (or in a new path) under
glance_system_user_home repo, which is able to be configured
dynamically, for instance, via deployment of a scenario.

Change-Id: I7403ac9bd85ea3ed149e13cb57c51039602f6ba1
Signed-off-by: Panagiotis Karalis <pkaralis@intracom-telecom.com>
2019-09-19 19:45:04 +03:00
Zuul ae681ded4e Merge "Allow venv python interpreter to be overridden" 2019-09-10 05:03:16 +00:00
Jonathan Rosser a46cb9cfb2 Allow venv python interpreter to be overridden
Change-Id: I31d0d5bb3f65006a8b4b617aba70c3524df6e255
2019-09-05 17:34:23 +01:00
Dmitriy Rabotyagov 4b2724b44b Start using uWSGI role
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.

Depends-On: https://review.opendev.org/678025/
Change-Id: I6f129940e55130c289d94138171cee54dbd28fc1
2019-09-04 15:32:08 +03:00
Zuul cce497d5d6 Merge "Add missing pre-reqs for glance cinder store" 2019-07-30 20:32:56 +00:00
Craig McIntyre 2636d7eaea Add missing pre-reqs for glance cinder store
There are a number of missing dependencies in the role when using cinder
store with glance. Specifically rootwrap is required for elevating access
when using os-brick to connect to cinder iscsi/fc volume back end storage.
This patch addresses the following:

 - oslo.rootwrap is not included in glance_pip_packages

 - files/rootwrap.d/glance_cinder_store.filters is missing

 - glance user is not added to sudoers

glance_pip_packages updated, missing rootwrap.d and sudoer files now dropped in to
their required locations by glance_post_install.yml task

Change-Id: I55162bc2bf3cbb8858950e4abcf60a3de9929008
Closes-Bug: #1833725
2019-07-30 15:52:38 +01:00
Dmitriy Rabotyagov 002d2a91ea Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.

Change-Id: I12c5a117d9ca508f24a36a477d2d71c36e6c8c96
2019-07-16 16:09:28 +03:00
Dmitriy Rabotjagov e01aed0d63 Replace git.openstack.org with opendev.org
This patch replaces git.openstack.org with opendev.org as redirection
from old path was enabled.

Change-Id: Ice94fbb7881061c2ce79dbc15eb3e062a655d45e
2019-05-30 09:38:22 +00:00