Since the upstream bug [1] preventing us from disabling uWSGI for Ceph was fixed,
we can remove extra logic of disabling uWSGI usage when Ceph is among
configured storages.
[1] https://review.opendev.org/c/openstack/glance_store/+/885581
Change-Id: Ibcd9df6a547febb8f47b88d0c98277b46faf489c
According to configuration guide of using cinder as a storage [1], some
auth data should be provided in storage section.
It also needs show_multiple_locations to be enabled.
[1] https://docs.openstack.org/cinder/latest/admin/volume-backed-image.html
Change-Id: Iacd5b74cbda1fdf48a073dc17b42caa37c2359e5
While we assume that glance_additional_stores can be a list of mappings
for multistore glance support, a bunch of other logic in the role still treats
it as a simple list and makes verifications against it. So in case one
dares to override the variable according to our suggestion, they also need
to override a bunch of other things.
We change defaults for `glance_available_stores` variable and always
define it as a multistore list of mappings.
Then we introduce a variable `glance_available_store_types` that is a
list of types for each of configured storage.
Logic of how storages are defined in glance config is also changed now.
Storages won't be defined if there's no "default" record for them in
glance_available_stores.
For each new store that deployer wants to provision, they now can pass
`config` key for glance stores, rather than use config overrides.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/901041
Change-Id: I1416e0f6e3ed79abd10f468b52fc712d35a61bd2
At the moment rootwrap cannot find the privsep-helper binary as it's located
in the glance bin directory, which is inside the virtual environment.
In order to properly use privsep we must define venv bin directory in
allowed exec_dirs of rootwrap.
This also introduces new variable `glance_rootwrap_conf_overrides`
that allows to manage some extra overrides for rootwrap if needed.
Closes-Bug: #2043503
Change-Id: I4ee3fc33fdbeb50fc7b102bf62d6134f83c5925f
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Ifb3711157e77d5c917d05e4a384dead2abe72a7c
By overriding the variable `glance_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the glance backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I5a0302c2fcc73a869de5633b2332a3b53c99590e
We need to define _glance_available_stores outside glance role to
use it in haproxy service definition.
It's a good idea to make `_glance_available_stores` public by moving it
out of role variables to role defaults beforehand.
Change-Id: Ieb10a0e5c9faf72c6bea4c45f7e216469971a1f3
At the moment there's an issue with chunking in case uwsgi is used
with ceph backend.
Change-Id: I48feac2ea789782e55bd49196e631cd4df9778ce
Related-Bug: #1916482
Since ``horizon_images_upload_mode`` is enabled by default and
``glance_show_multiple_locations`` is disabled by default (turns out
it's not really required), we should add ``external_lb_vip_address`` to
``glance_cors_allowed_origin`` as default.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/862167
Change-Id: I6d13e1e985f8e3bbb97b0af7063b469cb4b2dbca
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Ib7fd1a80affe0fa8c6b030fdbfdd60693f104cd6
Related-Bug: #1948456
Currently we have a bunch of limitations related to the format
of ``glance_nfs_client``. While the systemd_mount role is flexible enough
to allow mounting cephfs or s3fs, the variable format has weird assumptions
that we want to change for better flexibility.
Since keys of variable are changing, new name for it was picked to
reflect purpose of the variable better.
Change-Id: Ic0d91a3a873b4253255beac79becf01b4a304695
This patch adds the boto3 python module, which is a dependency
for the s3 glance backend.
Closes-Bug: #1955683
Change-Id: I5f5a921d8a08d5dfb09e2bca71d49c85115a60aa
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I4fd6de7ca38d561306e8c868c063b68edeafc68a
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.
Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: I71ebc2fc4e386f3a1599fe73d49fae185ec9d2ff
This is necessary to support the new pip resolver.
Depends-On: I9be6bbf4a29a4da2ddf96dc0336bc2a7d8ec9281
Depends-On: I49c75dd11d6c4e8d37fe013b7ffdfd56ff193fcd
Change-Id: I41fc05409433b4e22307ad604c15d30bcea32abd
The glance caching doc states [1] that some of the variables
should be defined in both glance-api and glance-cache config and should
be exactly the same, otherwise issues might arise.
We also introduce glance_image_cache_stall_time variable to control
cache time reliable across config files
[1] https://docs.openstack.org/glance/train/admin/cache.html#configuration-options-for-the-image-cache
Change-Id: Ic229e71978961546cec5f58a9c963c71e05ffba4
Instead of overriding each service separately it might make
sense for deployers to define some higher level variable that
will be used first or fallback to default variable.
Change-Id: Idec510b7f2302b6db2fe5aba599e3c258043fee0
Even the most modest 4C/8T system would run with the maximum 16 processes
due to the calculation being VCPU*2.
This patch makes it clearer that glance_api_threads is the number of
physical CPU, and halves glance_wsgi_processes to physical CPU*2 for
a hyperthreaded CPU.
Change-Id: I71357a585a053d0b4e9316cc69c681caee2259da
When glance_use_uwsgi is set to false, glance is launched with native
service instead of the uwsgi. For that scenario, execstarts key is used
which had wrongly defaulted config-file location.
Eventually, providing this option is not required and we may rely on defaults
Change-Id: I48edcc48549e811aa96091f8ce838659d250ae04
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.
Change-Id: I7da95890045b216ba8946616790b7cd33ef2db52
Glance-registry service has been removed in V cycle with [1]
We do all necessary cleanup to fully remove service deployment.
[1] https://review.opendev.org/738671/
Change-Id: I0b2e2e39040fd0daef04724f94a39f2d11e4d105
While running as uwsgi glance has malfunctioning interoperable image
import feature. So we add new variable `glance_use_uwsgi` based on which
glance will be either started via uwsgi or as a regular service.
Also once glance_use_uwsgi is true, enable_image_import will be disabled
Change-Id: Icf572c656c24b646110ce3fd90727205c22eff15
Some variables were deprecated in rocky and marked for removal in Ussuri
We do replace them not to have things broken afterwards.
Change-Id: I75d2e3631b0dfebb72efd946fd61252bb9b766b0
Related-Bug: #1846052
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of the memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.
We also add pymemcache based on [1]
[1] https://review.opendev.org/711429
Change-Id: I19b74c3bc5119953256d3d8f2a98cb5f23787755
Glance has dropped default policy.json [1] which
was used by "smart sources". We are fixing this by setting content
to empty dict, that way the only content deployed will be the one
provided by overrides, so that won't change current behaviour.
Additionally `glance_policy_content` has been introduced, which
eventually is going to replace `glance_policy_overrides` in the future.
[1] dd1975bd3e
Change-Id: I3f365684542b390ea02c08ab56f76a447f65a814
Update the ownership of the directory about NFS mount point(s).
This patch could also stand as an improvement for future use.
Making the filesystem directory configurable, we are able to store
the image in the different directory (or in a new path) under
glance_system_user_home repo, which is able to be configured
dynamically, for instance, via deployment of a scenario.
Change-Id: I7403ac9bd85ea3ed149e13cb57c51039602f6ba1
Signed-off-by: Panagiotis Karalis <pkaralis@intracom-telecom.com>
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.
Depends-On: https://review.opendev.org/678025/
Change-Id: I6f129940e55130c289d94138171cee54dbd28fc1
There are a number of missing dependencies in the role when using cinder
store with glance. Specifically rootwrap is required for elevating access
when using os-brick to connect to cinder iscsi/fc volume back end storage.
This patch addresses the following:
- oslo.rootwrap is not included in glance_pip_packages
- files/rootwrap.d/glance_cinder_store.filters is missing
- glance user is not added to sudoers
glance_pip_packages updated, missing rootwrap.d and sudoer files now dropped into
their required locations by glance_post_install.yml task
Change-Id: I55162bc2bf3cbb8858950e4abcf60a3de9929008
Closes-Bug: #1833725
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.
Change-Id: I12c5a117d9ca508f24a36a477d2d71c36e6c8c96