When the nova_device_spec variable is provided as either a string or a
mapping, ensure that it's templated as a JSON string.
Also handle either strings or mappings within nova_device_spec if it's
provided as a list.
Closes-Bug: 2057961
Change-Id: I7041a19547af580408ff704578cb8f12d37da1ae
Instead of evaluating same condition of my_ip in multiple places across
the role this patch suggests doing this once in vars and using the
resulting variable afterwards.
This not only reduce amount of evaluations made throughout the role runtime,
but also solves possible corner cases where some syntax may go off.
Closes-Bug: #2052884
Change-Id: I454b53713ecacf844ac14f77b6d1e1adc1322c0e
It appears there was a change to remove the list option when
moving from pci_passthrough_whitelist. Instead device_spec
can be specified multiple times in the file.
This patch aims to resolve this whilst maintaining backwards
compatibility.
Change-Id: I12b38e45d7b41fbf4786d3320e511eb9127fe216
As of today we do not have any means of Blazar integration with Nova,
while we do provide roles for Blazar installation for a while now. This
patch aims to bring in more native integration and remove necessity
of overrides for such deployment.
Related-Bug: #2048048
Co-Authored-By: Alexey Rusetsky <fenuks@fenuks.ru>
Change-Id: Ica50a5504de1b1604f72123751cbb3f45c85ab46
Nova defaults to using public endpoint for Barbican API which would
require internet access from the compute node so change this to
use the internal API endpoint.
Change-Id: Iaa14a9bf80d2e02197e74d67e812afc518fe1b65
Defining barbican_service_user is required for succesfull attachement
of ecnrypted volumes to VMs. Without it being in place nova-compute
fails with not being able to get service_token.
Change-Id: I8ae3e263185b1cd8036a4fde12d9c950f2ce8b98
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
it's behaviour.
In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Change-Id: I792595dac8b651debcd364cd245145721575a516
The region_name var is missing from the [glance] block in
the nova.conf template, and while a conf override can be used,
all other service blocks have region_name defined and overridable
with service_region.
Change-Id: I28ac078f9ebe24c8799638e93d0967003d0c0605
When Nova is deployed with a mix of x86 and arm systems
(for example), it may be necessary to deploy both 'novnc' and
'serialconsole' proxy services on the same host in order to
service the mixed compute estate.
This patch introduces a list which defines the required proxy
console types.
Change-Id: I93cece8babf35854e5a30938eeb9b25538fb37f6
Long time ago a variable `nova_ram_weight_multiplier` was implemented
and its default value was set to 5.0.
There are 2 issues with this:
1. Default value in nova is 1.0 [1] so our value is much bigger than
nova's default without having a strong reason for that.
2. OSA does not provide similar variables for other multipliers like
`cpu_weight_multiplier`.
Because there are a couple of different multipliers and more of them
can be implemented in the future(for ex.
`hypervisor_version_weight_multiplier` was implemented in 2023.2) it
would be hard for the OSA project to maintain variables for all of them.
It is better to deprecate `nova_ram_weight_multiplier` and let users
define multipliers with `nova_nova_conf_overrides` if necessary.
[1] https://docs.openstack.org/nova/2023.1/configuration/config.html#filter_scheduler.ram_weight_multiplier
Change-Id: I4f82840e94312d38696e3ddd05ef494821233f4d
Having auth credentials in service_user is required to interact with
other services. Otherwise nova won't be properly authenticated,
for example during volume detach request.
Change-Id: Ifd607d3acfb18ee4d1de0b8dc39350419cae9c22
In order to cover OSSA-2023-003, a requirement to define service_user
section for all nova services has been added by nova.
Change-Id: I81cd6431fec94f56b0ebd66c94e90c9623ba0e38
At the moment we don't really utilize neutron_provider_networks
mapping except of 2 quite specific drivers, that are NSX and Nuage.
For these 2 usecases we suggest using overrides functionality instead.
Change-Id: I7d905a1dbda1ec722b161b96742247c806bed162
use_forwarded_for option for api has been deprecated since 26.0.0
as this feature is the duplicate of the HTTPProxyToWSGI that
has being enabled by default now.
Change-Id: I45e70e42605455df944ced63f106a76f351052e8
Calico driver support has been removed from OpenStack-Ansible
starting in Antelope release [1]. We clean-up nove role to drop calico
support from it as well.
[1] https://review.opendev.org/c/openstack/openstack-ansible/+/866119
Change-Id: Ie9c118b8bab265e5bf06b6ec05731cd673ee4d95
Nova complains about an inability to access endpoint list for block
storage. This patch updates nova.conf with the respective configuration.:
Example errors in nova-compute log:
1. The [cinder] section of your nova configuration file must be configured
for authentication with the block-storage service endpoint.
2. Delete attachment failed for attachment <UUID>. Error: Unknown auth type:
None (HTTP 401) Code: 401: cinderclient.exceptions.Unauthorized:
Unknown auth type: None (HTTP 401)
Change-Id: I4c1ae32ed078a4412ff44b7ac3f921b223d0cba3
With original patch [1] I somehow missed to define enable_rbd_download
along with adding rbd_user/pool/conf. However, neither of these
options are taken into account if enable_rbd_download is set to false,
which is the default value.
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/828897
Change-Id: I3220de5863c9c3af418e71774c103c4712b16086
Section
[os_vif_ovs]
isolate_vif = True
was placed in the middle of the [libvirt] section, causing
all migration settings to be placed in os_vif_ovs instead of libvirt.
Change-Id: Ief7eb74343f69912fa8a41a200edf22596adfea3
At the moment we don't provide any option rather then use memcached
backend. With that we also hardocde list of packages that should be
installed inside virtualenv for selected backend.
Adding bmemcached requirement to oslo_cache.memcache_pool [1] gives us
opportunity to refactor this bit of deployment and allow to be more
flexible in backend selection and requirements installation for it.
[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628
Change-Id: I48e193ef29e56aa8639511c5b5dcddc70f5e1198
Currently Jinja trim_blocks function does remove newline from end of
proxyclient_address which makes port_range option appearing on the same
line.
Change-Id: If33021bd0453be3ca18753777e82da12f470b278
Closes-Bug: #1988337
Without that patch all deployers that did use OVS had to remember to
apply override for their deployments.
Now OSA will enable isolation of vif by default when OVS is used.
Change-Id: I4195153658c867f259226e80cefac0fcac4caac5
Related-Bug: #1734320
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I04b22722b32b6dc8b1dc95e18c3fe96ad17e51ac
When nova don't use rbd images (ie local storage) it still might be good
idea to use direct connection to rbd to get images rather then
connect through HTTP.
Change-Id: I4f2d7cf54e07376c7a25d45093f5d83be5422234
This configuration option has been observed to result in file
descriptor leaks in certain circumstances. A variable is added
here so that it can be easily overridden.
Change-Id: I7de034307da9352e6f5d1f5f175a330fb8c86463
Related-Bug: #1961603
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Change-Id: Ibc876f2744c271e9c4ad797597c15af8d73867c1
With new Ampere GPUs you need to explicitly define explicit lists of PCI
devices which length depends on picked type as placement can't pick them
automatically due to nvidia driver brokeness.
In order to have readable representation of the variable it's worth
to make it iterable but keep a simple string for
backwards compatability.
Change-Id: I2a1e85efc8ad4f6a2596e6d53b1d793b2f934758
To secure communications from the proxy server to the compute
nodes using VeNCrypt authentication scheme.
In a previous patch a TLS server certificate was deployed to
compute nodes, this patch makes use of this same server cert for
securing VNC sessions on compute nodes. It is recommended that
this certificate be issued by a dedicated certificate authority
solely for the VNC service, as libvirt does not currently have a
mechanism to restrict what certificates can be presented by the
proxy server. This has not been implemented to reduce complexity.
In addition the noVNC proxy needs to present a client certificate
so only approved VNC proxy servers can connect to the Compute nodes.
The PKI role has been used to create a client certificate for the
nova console nodes.
Related Nova docs:
https://docs.openstack.org/nova/latest/admin/remote-console-access.html
To help with the transition from from unencrypted VNC to VeNCrypt,
initially compute nodes auth scheme allows for both encrypted and
unencrypted sessions using the variable `nova_vencrypt_auth_scheme`, this
will be removed in future releases.
Change-Id: Iafb788f80fd401c6ce6e4576bafd06c92431bd65
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.
Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: I99509b519c91d8fefc91745bb982866fe3fbc8e7
This always existed as a default value but was only used for service
setup, never in the runtime db connection url. Update the URL and
database connection template to include the port.
Change-Id: Ie404c117146c6bbd7eea79300f7c85515fa4e27d
Bunch of variables that were related to nova consoles were missused or
unneded at all.
Here we deprecate and remove them, along with
fixing behaviour to disable spice agent functionality.
Change-Id: I28f6d733db689eab879ae5939d1236e7c0d5f521
Closes-Bug: #1923184
Jimmy McCrory