58 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 2ec800116e Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/888517
Change-Id: Idbd2bef71983f6fb3cc402563a166349621bf03c
2023-08-16 13:33:42 +00:00
Dmitriy Rabotyagov 6f3bcbe892 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Iaed7f2b4a724aed0f4165e32f3d40aac9d74edd7
2022-06-17 14:10:25 +00:00
Marc Gariepy af3c87535d Control amount of metricd workers
As of today we didn't manage amount of gnocchi-metricd that equal to
amount of CPU on host. So things can go off regarding CPU and memory
consumption. For better control of resources we add a variable to
control the number of workers.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/846349

Change-Id: Idcaec649a4de03f5714c61fda694ada45da41dbc
2022-06-17 08:36:01 -04:00
Dmitriy Rabotyagov 1483fcbc28 Add variables to manage redis url
To provide more convenience in configuring redis as Gnocchi driver,
we add 2 variables that can be used to control
URL to Redis when it's used for storage or incoming data.

Related-Bug: #1955676
Change-Id: Iba5186df3656c116cba48c3be0e39e87ddcb727f
2022-05-13 11:20:04 +02:00
Dmitriy Rabotyagov 84150e8fb1 Add availability to define gnocchi_incoming_driver
Gnocchi supports having different storage and incoming drivers [1] which
has never been implemented in the role.

We add `gnocchi_incoming_driver` variable and do incoming configuration only
when it's not same as gnocchi_storage_driver.

[1] https://gnocchi.osci.io/install.html#configuration-file

Depends-On: https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/822901
Change-Id: If1442abd7978d44def2a4386f9d159b42c4939e3
Related-Bug: #1955676
2021-12-24 13:39:33 +02:00
Dmitriy Rabotyagov 1274517f71 Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: Id986985e623896698d54496a8f0608e59516eec5
2021-09-21 14:33:30 +03:00
Dmitriy Rabotyagov a6a25bf3cd Switch gnocchi service name to service
Previously we used different from other services project name to protect
swift from looping. However nowadays ceilometer middleware does
exclude service project by default. So no further actions needed
unless deployer wants to measure service project excluding gnocchi.
In this scenario, deployer still can define custom
`gnocchi_service_project_name` in their user_variables.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/791107
Change-Id: Ic0ffa6908bfc55ffdb41ea9b8e7435e4dc88ddca
Related-Bug: #1879192
2021-05-14 04:22:38 +00:00
Guilherme Steinmüller 0490611056 Refactor memcached_servers
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.

We also add pymemcache based on [1]

[1] https://review.opendev.org/711429

Change-Id: Iefac95507d189b86371026e17465adf15b1bf410
2020-03-16 16:17:24 +00:00
Dmitriy Rabotyagov b7a76fb341 Start using uWSGI role
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.

Change-Id: Iec03bd79279e694678336880460bcb83f68d9780
2019-09-04 17:36:30 +03:00
Dmitriy Rabotyagov 57b88ebc65 Migrate gnocchi to use uWSGI
This patch moves gnocchi-api from usage of apache with mod_wsgi
to uWSGI, which means unification across another roles and
reduced maintenance costs

During migration period tasks that ensure apache won't listen
on gnocchi_service_port are present, but they are supposed to be removed
after train release.

Depends-On: https://review.opendev.org/671988
Change-Id: I06bbcb2f15108fc517742208ac5291719627ffe2
2019-07-25 22:47:29 +03:00
Dmitriy Rabotyagov eb083ecf9f Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.

Change-Id: I3f6a1cee0e98372881b015ebf06e405c79495fe1
2019-07-17 00:26:00 +03:00
Dmitriy Rabotjagov f3eddb3d51 Convert systemd services to common role(s)
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing
features or functionality. The intention of this change is to ensure
uniformity and reduce the maintenance burden on the community when
sweeping changes are needed. The exterior role is built to be OSA
compatible and may be pulled into tree should we deem it necessary.

Change-Id: I54e3063d6e641a785377f9039641072f8001cf24
2019-02-16 22:30:01 +02:00
Dmitriy Rabotjagov 38340cf4bd coordination_url should be placed in DEFAULT section
According to gnocchi docs, coordination_url should be placed in DEFAULT section now
Otherwise deprecation warning is shown.
https://gnocchi.xyz/install.html#gnocchi-configuration-sample

Fixed test-install-gnocchi.yml syntax

Change-Id: Ief9073cf2f9c876c4c1a91568aab6a79d22ab626
2018-11-08 21:20:26 +02:00
ZhongShengping d8e45f62cb Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1] https://review.openstack.org/#/c/508522/

Change-Id: I37fe1d95bf867e6ef3b68db69fc01fbda12648ca
Implements: blueprint deprecate-auth-uri-option
2018-04-03 14:20:18 +08:00
Jimmy McCrory 554a6df961 Add MySQL connection SSL support
When 'gnocchi_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.

Change-Id: Ib5a87e9366cd9e5a78ccb774ced46e1791e7691d
Partial-Bug: 1667789
2017-12-15 07:30:55 -08:00
Jimmy McCrory 9cb387d7e9 Update gnocchi wsgi function
Gnocchi's wsgi application function was moved in a recent upstream commit.

Change-Id: I47f7a4796208a0e4fe5a803718dfa5900275162f
2017-09-21 14:52:28 -07:00
Markos Chandras 68343520de templates: gnocchi-httpd: Ensure proper user control in gnocchi root
We need to ensure that /var/www/cgi-bin/ has proper user control since
different distributions place cgi-bin in different directories and as
such the default ones may not apply for aodh. For example, openSUSE
places it in /srv/www/cgi-bin and as such accessing the gnocchi
resources results in 403 HTTP errors.

Change-Id: I146190d56f2d68b84b52cc0c349add321fdf08cc
2017-07-11 14:17:41 +01:00
Jesse Pretorius e62702e3be Reduce init restart/kill times
The systemd unit 'TimeoutSec' value which controls the time
between sending a SIGTERM signal and a SIGKILL signal when
stopping or restarting the service has been reduced from 300
seconds to 120 seconds. This provides 2 minutes for long-lived
sessions to drain while preventing new ones from starting
before a restart or a stop.

The 'RestartSec' value which controls the time between the
service stop and start when restarting has been reduced from
150 seconds to 2 seconds to make the restart happen faster.

These values can be adjusted by using the *_init_config_overrides
variables which use the config_template task to change template
defaults.

Change-Id: I61bf0fea745be12a636448abeeb62dc88370d22f
2017-04-26 13:01:46 +00:00
Jenkins 39d0d7c2d8 Merge "Deprecate auth_plugin option" 2017-04-05 03:13:07 +00:00
Kevin Carter 318bd76e5e Ensure the components are isolated from the system
This creates a specific slice which all OpenStack services will operate
from. By creating an independent slice these components will be governed
away from the system slice allowing us to better optimise resource
consumption.

See the following for more information on slices:

* https://www.freedesktop.org/software/systemd/man/systemd.slice.html

See the following for more information on resource controls:

* https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html

Tools like ``systemd-cgtop`` and ``systemd-cgls`` will now give us
insight into specific processes, process groups, and resource consumption
in ways that we've not had access to before. To enable some of this reporting
the accounting options have been added to the [Service] section of the unit
file.

Change-Id: Ife7d6e3c0c11818d80484cf67a887026aaedb92c
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-04-01 14:42:07 +00:00
ZhongShengping 712400f066 Deprecate auth_plugin option
Option "auth_plugin" is deprecated, use option "auth_type" instead.

Change-Id: I672f1a40231378db596a418b68ff288bf5c562d9
Implements: blueprint deprecate-auth-plugin
2017-03-25 12:27:24 +08:00
Andy McCrae 78e6f5ab0c Add api.auth_mode setting, and update api-paste.ini
Gnocchi moved their api-paste file out of /etc/, but in order to benefit
from template overrides, whilst keeping the default gnocchi
api-paste.ini, we can use it as a source, but use config overrides.

Additionally, we need to specify auth_mode in the gnocchi.conf file,
which should default to "basic" if keystone is not used, although can be
set to "noauth" if needed. "basic" is the new upstream default.

The gnocchi_keystone_auth var is deprecated and scheduled for removal
in the Queen release.

Change-Id: I4e1a28a96f3b6870d9c9e100308aba1bbf294aa0
2017-01-23 11:19:18 +00:00
ZhongShengping 2fcad52707 Remove pki support
Change-Id: I0dac67e8d1dfbbd3224aa1c967bf7cd2c12fecf1
Implements: blueprint remove-pki
2016-12-29 11:21:37 +08:00
Andy McCrae 6a0c568967 Remove Trusty support from os_gnocchi role
Change-Id: I69dca19fa565bc92974f5dec132228f798d9ce13
Implements: blueprint trusty-removal
2016-12-15 13:17:31 +00:00
Travis Truman 46a58b7851 Disable gnocchi-api service when mod_wsgi is used
The *_services dict pattern present in other roles
has been adopted and systemd/upstart service enablement
of the gnocchi-api service is now directly tied to the
state of `gnocchi_use_mod_wsgi`.

Change-Id: Ibc15c37bbd5a1a70b0774a1184b5759e558a0efb
Closes-Bug: #1633205
2016-11-09 15:05:25 -05:00
Paulo Matias fb65850dbe Add support for the Ceph storage driver in Gnocchi
Besides implementing the required configuration entries in gnocchi.conf,
this commit also introduces code to create a symlink for the Python
rados library when the Ceph storage driver is chosen by the deployer.

Creation of Ceph Python library symlinks is usually done by the
ceph_client role. However, Gnocchi is different because it needs Ceph
access to be working when the DB sync task is run. Because the venv may
not exist before the os_gnocchi role runs, or because it might be
destroyed and recreated by the role, we need to create the symlink in
the os_gnocchi role itself.

Change-Id: I6b831867079bc24964c323e2784782d4eae30763
2016-09-30 02:20:23 +00:00
Paulo Matias ec80b0172d Fix inverted ternary for gnocchi_keystone_auth
Change-Id: I749d357b936cd5f2859c32cf848ff0cd1755991d
2016-09-17 21:01:33 -03:00
Jesse Pretorius 6de1e4b699 Update paste, policy and rootwrap configurations 2016-09-16
Change-Id: Id77d37b7082ff8e60e220b322196db8d13035b75
2016-09-16 07:10:05 +01:00
Jesse Pretorius ab9d1537cb Allow gnocchi to make use of keystone authentication
The upstream default implementation of gnocchi is not
to use keystone authentication, but a preferred deployment
configuration in enterprise environments is to ensure that
keystone authentication is configured.

This patch creates a simple toggle to enable it.

Closes-Bug: 1622251
Change-Id: Ic41cf161af1d59e5b0f4b71c0d698cd7348c962c
2016-09-13 17:31:41 +00:00
Jesse Pretorius aa7ee9c6e2 Update paste, policy and rootwrap configurations 2016-09-08
Change-Id: I342947faee2bb3160d54ee4eecfb9da4ddd203eb
2016-09-09 12:47:02 +01:00
Kevin Carter 7400b51e4e Disable stderr logging
OSLO logging currently defaults the 'use_stderr' option to True
which results in duplicate logs in service daemon logs for both
upstart and systemd. To correct this issue the use_stderr
option has been set to false.

Change-Id: I4dc59c2deca63749470a7fdb779465362a5b9e0a
Closes-Bug: 1588051
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-08-04 17:43:44 +00:00
Steve Lewis da8e0b7bc1 Normalize galera password and clean up role
The role has historically used a different password variable.
Because the role is being maintained by the community now it makes
more sense to normalize the password for ease of maintenance.

The no-longer needed operations to create the DB and grant access
are removed from the role as these are in the integrated project's
playbook now. These tasks are added as pre_tasks for testing.

Similarly, the contents of the /ext directory are eliminated as
these are no longer needed since all of the contents have been
applied to the integrated gate.

Finally a run_tests.sh file is added for consistency and to fix the
bashate lint job which fails when there are not matching shell
scripts.

Change-Id: I7b9046dfe7ba258218b4d14ec8d4f270e917ca34
2016-07-27 21:54:43 -07:00
Jimmy McCrory 78350d1518 Only install to virtual environment
Remove all tasks and variables related to toggling between installation
of gnocchi inside or outside of a Python virtual environment.
Installing within a venv is now the only supported deployment.

Additionally, a few changes have been made to make the creation of the
venv more resistant to interruptions during a run of the role.
* unarchiving a pre-built venv will now also occur when the venv
  directory is created, not only after being downloaded
* virtualenv-tools is run against both pre-built and non pre-built venvs
  to account for interruptions during or prior to unarchiving

Change-Id: I7a75e87d4451d62ee4587654cf5dbfb3789991c8
Implements: blueprint only-install-venvs
2016-07-08 02:54:25 -07:00
Steve Lewis aa328e6da4 Use pbr WSGI script to build gnocchi-api
Removes host and port from api section of config file template.
Also cleans up Ansible Lint warnings

Related-To: I2298f9cb94a684747f4b4dbc262cdcab7de49175
Change-Id: I56954df3d13b86cfcb4eb68e419ce13dfac2c051
2016-07-08 00:26:59 -07:00
Steve Lewis 17b954d8e5 Implement Ubuntu 16.04 support with SystemD
This change updates the Gnocchi role to support Ubuntu 14.04 with
upstart init and 16.04 with a systemd init.

A change for the functional tests disables them. They will be
fixed properly in a following patch.

Change-Id: I6170a3bcc6ad61474a0a70c786b2607915868e17
Related: blueprint support-ubuntu-1604
2016-06-07 09:04:28 -07:00
Steve Lewis e578920c6d Update SHAs and config templates
The role has not been updated to the current pattern for independent
roles, to track master of the OpenStack role in test. This steps up
through about 3 months of development in Gnocchi, and includes the
necessary changes to paste and policy files to make Gnocchi run as
expected while still including the healthcheck middleware which is
not included upstream.

During bootstrap/migration of the DB we now need to ensure that the
create-legacy-resource-types switch is given to ensure that these
are available to Ceilometer. The behavior has changed in Gnocchi to
require this for storage of standard metrics from Ceilometer.

Change-Id: I7f3cdd58bbee5bbb1704bf710397ca2ee390f03f
2016-05-05 09:20:50 -07:00
Steve Lewis a7c38ce7a1 Initial convergence testing
An initial convergence testing for the role is provided but it is
not installing or configuring ceilometer yet. That work is held back
until we have the role passing basic testing. This stage of testing
also attempts to avoid installing rabbit as an unnecessary
complexity.

A separate container is used for gnocchi so that gnocchi can be
deployed under mod_wsgi without conflicting with Keystone. In turn
some changes to the inventory pattern, and the use of group_vars for
internal and external _lb_vip_address values is introduced here as
there is no load balancer and traffic for each of Keystone and
Gnocchi needs to be addressed appropriately.

Partial-Blueprint: role-gnocchi
Change-Id: I27a76a62b2443787e5347f08e974a9eb3cc33dbe
2016-04-22 00:14:14 +00:00
Steve Lewis d1bb929d12 Enable SSL termination
This change makes it so that Gnocchi is expecting SSL termination
at the load balancer by default. This is more indicative of how a real
world deployment will be setup and is being added such that we can
test a more production like deployment system by default.

Related-Change: I913b4140e258b56d56f5323d55fd633288b3ef6a
2016-04-04 14:04:51 -07:00
Steve Lewis 1020ecd868 Update role to reapply the pattern of tasks
Updating the role to use the best practices around environment deployment,
task and variable names, tagging, service restart triggers, etc.
2016-03-29 16:57:08 -07:00
Steve Lewis 94adfd75dc Switch default storage backend to file
Revert a change to allow the gnocchi_pip_requirements to be
tailored to the storage driver chosen. There is another bug
file to make that work.
2016-03-15 11:01:17 -07:00
Steve Lewis b0353ddf2e Clean up indents so resulting file looks right 2016-01-28 15:06:54 -08:00
Steve Lewis 345e741428 Fixes to the ceilometer and swift configs
Trying to resolve issues with ceilometer communication with gnocchi,
also trying to resolve issues with swift communication.
2016-01-26 16:19:06 -08:00
Steve Lewis 308678b57a [WIP] configure ceilometer to dispatch to gnocchi 2016-01-25 11:59:22 -08:00
Steve Lewis 02aab9480f Add support for API through Apache + mod_wsgi
Also adds a delay and more retries to policy setup in order to ensure that
step completes successfully since the API takes a moment to stop returning
Status 503s.
2016-01-15 10:32:57 -08:00
Steve Lewis fe9ae35746 Set correct path for healthcheck 2015-12-17 15:32:21 -08:00
Steve Lewis e149172d1b Allow some endpoints to bypass auth
Allows / /versions and /status and other endpoints to be
accessed without auth and other endpoints to be accessed
according to policy.
2015-12-17 14:41:00 -08:00
Steve Lewis 06c295a826 Add missing config for auth to work 2015-12-17 13:07:05 -08:00
Steve Lewis d2b8efed74 Better tuning for haproxy config
Now uses /status as it should have initially, sets to host with
least connections which is good behavior for http usage
2015-12-17 12:49:29 -08:00
Steve Lewis 31137adbe2 Add healthcheck to /versions endpoint
Setting to /versions endpoint makes for easy HAProxy config
2015-12-17 12:04:55 -08:00
Steve Lewis 460519747e service reg. conf fixes + cleanup
During testing of service registration unknown variables were identified
and values for them are provided in defaults now.  These implied changes
to the README and other housekeeping was done while there. Similarly,
housekeeping was done in user_gnocchi_secrets to remove an unused
secret. Also, a gnocchi_storage_driver is defined in defaults and the
coordination url is defined to allow external system to be used for locks.
The gnocchi metricd service was excluded from running, is not configured.
Finally a couple of TODO notes were added to mark things that need to
be done for the role still.
2015-12-04 17:12:32 -08:00