This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA queues
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Change-Id: I9b9de6cdfac8ba3a89b874cd920df8d5b01e81f2
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I9aaf6680c274453a16b6f9879cf488ae2050e71f
By overriding the variable `tacker_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the tacker backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ib5dd3a2494bed81add670e331085294910d7f425
At the moment we don't restart services if the systemd unit file is changed.
We knowingly prevent systemd_service role handlers from executing
by providing `state: started`, as otherwise the service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.
Change-Id: I4ebae4853fc0bc2840d3ea79546f10a12051bea9
There's a long-standing bug from 2017 that tacker requires the scheduler
service to run. However, there seemed to be no real interest in tacker among OSA
users. Nevertheless, it's better late than never fixing it.
Change-Id: I70264ef5ffd6ebb851e4d3c4c86c28ea222f7139
Closes-Bug: #1710874
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming the corresponding variable.
Additionally service_type is now defined for keystone_authtoken, which
enables validating tokens with restricted access rules.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I9fa323e544849f7c24ccd7b860160bb5756ada28
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I36f5315ad27904c817f4349151fca4181180e811
With the PKI role in place, in most cases you don't need to explicitly
provide the path to the CA file because the PKI role ensures that the CA is trusted
by the system overall. Meanwhile, in PyMySQL [1] you must either
provide a CA file or cert/key or enable verify.
Since the current behaviour is to provide the path to the custom CA, we expect
the certificate to be trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: I42d544d80d8fef5be9a68e6ef7090f85d0daa88c
Instead of overriding each service separately it might make
sense for deployers to define some higher level variable that
will be used first or fallback to default variable.
Change-Id: I1dd906a82e3963d2b4f0497570195885abab0530
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.
Change-Id: I065c079fb95f299f90b51e22e8aad42fc5dbb618
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.
Change-Id: Id68c80b52fe72bd209e96dba230b4f2cb12f900d
The variables tacker_developer_mode and tacker_venv_download
no longer carry any meaning. This review changes tacker to
do the equivalent of what developer_mode was all the time,
meaning that it always builds the venv and never requires
the repo server, but it will use a repo server when available.
As part of this, we move the source build out of its own file
because it's now a single task to include the venv build role.
This is just to make it easier to follow the code.
We also change include_tasks to import_tasks and include_role
to import_role so that the tags in the python_venv_build role
will work.
In addition, tacker init was replaced by the standard systemd_service
role. Because of this, a new variable tacker_init_config_overrides was added.
The program_override variable has no influence now.
In config, notification_driver was deprecated in favor of driver from
oslo_messaging_notifications.
Change-Id: Id5629cb631b23887383fa23f472052477edbc4eb
In order to enable the service setup host python interpreter to
be changed easily, we make it a variable. This will be useful
when someone sets the service setup host to be the utility
container, because we'll be able to set this var by default.
Change-Id: Ia3b8ac0cc8ca895c39b20eac30763ad4873f78b1
Use the OpenStack Barbican component instead of OpenStack Keystone
as secret key handler.
The reason behind this is the way that Tacker handles the secret keys of
complex scenarios (especially the scenarios with HA) and how they are
stored or retrieved between different VMs or Blades.
Change-Id: I63d40c5239d2585e8bb7ac3b9338252c9e28c4c6
Signed-off-by: Panagiotis Karalis <pkaralis@intracom-telecom.com>
The tacker horizon is being done in openstack-ansible-os_horizon[0],
the temporary tacker horizon dashboard setup should be removed.
[0]: https://review.openstack.org/#/c/603832/
Change-Id: Iccbb526773694b486534ffe16927237cb7c76371
Closes-Bug: #1796015
This patch adds the conditional inclusion of the notification
section of the service configuration. This ensures that oslo.messaging
notifications use the correct transport for deployments that have
separate rpc and notify messaging backends. For example, if the
transport_url is not provided in the notification section of the
service configuration, the transport_url specified in the default
section will be used instead.
This patch conditionally selects the notifier driver. The noop
driver will be selected when notification publishing is disabled.
The messagingv2 driver is selected when notification publishing is
enabled.
Change-Id: I60e92e14c0893b80f4023b6b6681864fee5228e5
Closes-Bug: #1794320
The mysql-python package is no longer maintained. We are using
pymysql instead, so this package does not need to be installed.
The tacker.conf file wasn't set to use pymysql, so we correct
that.
Change-Id: I7346071d52f2b12802af42236af69b362f2f9d9d
In order to radically simplify how we prepare the service
venvs, we use a common role to do the wheel builds and the
venv preparation. This makes the process far simpler to
understand, because the role does its own building and
installing. It also reduces the code maintenance burden,
because instead of duplicating the build processes in the
repo_build role and the service role - we only have it all
done in a single place.
We also change the role venv tag var to use the integrated
build's common venv tag so that we can remove the role's
venv tag in group_vars in the integrated build. This reduces
memory consumption and also reduces the duplication.
This is by no means the final stop in the simplification
process, but it is a step forward. There will be work to follow
which:
1. Replaces 'developer mode' with an equivalent mechanism
that uses the common role and is simpler to understand.
We will also simplify the provisioning of pip install
arguments when doing this.
Depends-On: https://review.openstack.org/598957
Change-Id: I8b213b0590891b7862aa304f01504295371ea167
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
There is no record for why we implement the MQ vhost/user creation
outside of the role in the playbook, when we could do it inside the
role.
Implementing it inside the role allows us to reduce the quantity of
group_vars duplicated from the role, and allows us to better document
the required variables in the role. The delegation can still be done
as it is done in the playbook too.
In this patch we implement two new variables:
- tacker_oslomsg_rpc_setup_host
- tacker_oslomsg_notify_setup_host
These are used in the role to allow delegation of the MQ vhost/user
setup for each type to any host, but they default to using the first
member of the applicable oslomsg host group.
We also adjust some of the defaults to automatically inherit existing
vars set in group_vars from the integrated build so that we do not
need to do the wiring in the integrated build's group vars. We still
default them in the role too for independent role usage.
Finally, we remove the test mq setup tasks and clean up any unused
or unnecessary variables configured in tests.
Change-Id: I481b2358bf3b93fba3057b825fc9e0f626d616ba
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters replace
the rabbitmq values and are used to generate the messaging
transport_url for the service.
This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Add transport_url generation to conf
* Add oslo.messaging to tests inventory and update tests
* Install extra packages for optional drivers
Change-Id: I88fa6bd04ebad08211570d46ed464409b5896123
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.
The 'virtualenv' package is now installed appropriately by the openstack_hosts
role, so there's no need to install it any more. The 'httplib2' package is a
legacy Ansible requirement for the get_url/get_uri module which is no longer
needed. The keystone client library is not required any more now that we're
using the upstream modules. As there are no required packages left, the task
to install them is also removed.
Change-Id: Ia6c57495b8d6090a0b98f17554288a310388c3e2
There is no record for why we implement the database creation outside
of the role in the playbook, when we could do it inside the role.
Implementing it inside the role allows us to reduce the quantity of
group_vars duplicated from the role, and allows us to better document
the required variables in the role. The delegation can still be done
as it is done in the playbook too.
In this patch we implement a new variable called 'tacker_db_setup_host'
which is used in the role to allow delegation of the database setup
task to any host, but defaults to the first member of the galera_all
host group. We also document the variable 'tacker_galera_address' which
has been used for a long time, but never documented. A bunch of unused
variables have also been removed.
The extras folder is removed given that tacker's playbooks have been
merged into the integrated repository.
Change-Id: I7c300ca89657863d58f8dc1178f6c57400bcaa80
The following packages are required in order to run osprofiler.
These packages will provide deployers the ability to profile
a service on demand should they choose to enable the profile
functionality.
Change-Id: Ib3ef07c8a9019245fa276c142246db2bb0249c41
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The following adjustments are made in order to modernise the role
and bring it into line with the other mainline roles:
1. Simplify the constraints mechanism.
2. Add the developer mode constraints functionality.
3. Clean up developer mode logic to allow pip installs
into an existing venv if the deployer chooses to do so.
4. Normalise the distro package install task to make it
use the same name, to add retries and ensure that the
cache updates appropriately.
5. Clean up some commented vars and tasks which were not
used.
6. Simplify the use of checksums for the venv downloads
to use modern Ansible functionality.
7. Add additional python venv prep for SuSE/CentOS.
8. Add the recording of the current venv tag deployed.
Change-Id: I9daa4352aa818db03f682eb0d1a65eefff9bb6f6
Following the example of other roles, we will use /etc/tacker as the conf.
directory instead of using the etc/ directory in the venv. Otherwise, the
permission handling gets a bit messy because the venv gets deleted and
recreated, so the creation of tacker directories should happen after that,
which will change the role structure a bit.
Change-Id: Ie052dd7680218e31ed5a6e405db4167ee37471a8
virtualenv-tools has a bug which gets triggered in gates: it can't
change the shebang of a virtualenv's python bin/ files if they
were generated with a virtualenv script whose shebang ends with
python2 instead of python.
Because we can't modify virtualenv-tools, we use shell scripts
instead.
Change-Id: I06b22225177c8c57995601d1ab39245965f66150
Partial-Bug: #1741634
When 'tacker_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.
A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.
Change-Id: I9165a04de869197ac05e60be799f59a263e98a7b
Partial-Bug: 1667789
This was meant for stable/pike branch and has now been properly PR'd
against stable/pike:
https://review.openstack.org/#/c/499955/
This reverts commit cff34226fe.
Change-Id: Ia8e04bfa674ef3beb4910666b59568d6cd1b83e3
If we want to use the tacker vnfo plugin to configure SFC, the networking-sfc
package must be installed in the venv. Otherwise, the neutron client is
missing required methods such as 'create_flow_classifier'.
Change-Id: I4d1504deffbaec4e81091593acf0ac3dd5b43510
Signed-off-by: Manuel Buil <mbuil@suse.com>
https://review.openstack.org/#/c/485259/ is throwing linter problems related
to this role. I think all of them are fixed with this patch.
Change-Id: If3924bb1b7823a9c70edf68d0127b9415885a2d9