107 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 835d2add96 Deprecate and remove heat_deferred_auth_method variable
According to documentation this variable has the only option of using
trusts [1]. Moreover, definition of variable is deprecated and causes a
deprecation warning in service startup logs.

[1] https://docs.openstack.org/heat/latest/configuration/config-options.html#DEFAULT.deferred_auth_method

Change-Id: I0cc68bd8e5961559391be8c2f5a17330ef4ede2f
2024-01-09 13:10:29 +01:00
Dmitriy Rabotyagov a78b40a491 Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: I7e4e8b3be33536545b5b4bcfb4855e8c160bb152
2023-10-25 10:32:46 +00:00
Dmitriy Rabotyagov e33cd3a68d Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.

Change-Id: If10b9591f4a97eaf54cf5bd09865d29ae461d639
2023-07-31 15:09:46 +02:00
Dmitriy Rabotyagov 1d39c7ab44 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables validating tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Ib5d15aaf56112a776e2b9abb2396f9ea4f4fe319
2022-06-15 18:23:20 +02:00
Damian Dabrowski 6606eed9bf Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I78301a9d98854ba9f80cf6613e62a363f8327dfc
2021-12-03 11:40:56 +01:00
Dmitriy Rabotyagov e84f7e496a Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I8e689330b76e72df780be3b2f8af066a5fe96a2a
2021-09-21 14:41:59 +03:00
Jonathan Rosser a71bc07e67 Add variables for rabbitmq ssl configuration
Change-Id: I42fefe84c912c6043bd80665a267d819347a5229
2021-05-17 10:48:49 +00:00
Guilherme Steinmüller e89dc3e5d9 Refactor memcached_servers
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.

We also add pymemcache based on [1]

[1] https://review.opendev.org/711429

Change-Id: Id853b46de4323b605ff6544b1e48bae30a0bf0a7
2020-03-16 13:42:37 +00:00
Dmitriy Rabotyagov 83d643947f Start using uWSGI role
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speed up
metal deployments as the same uwsgi environment will be used
across all services.

Change-Id: If539762d5de0730ce97d8f8aaefb4c096d850902
2019-09-04 19:41:09 +03:00
Jonathan Rosser 288634ce0b Fix keystone endpoint for heat servers
This patch changes the heat config so that communication between
the heat service and the other internal parts of openstack occurs over
the internal API endpoint, but a new heat configuration option [1] is set
which ensures that the keystone endpoint written into server configs
points to the external API endpoint.

This should address several long running SSL related failures when self
signed certificates are used, and allows heat to work correctly when the
internal and external endpoints are on different networks.

Change-Id: I533ab16557cb83e2791dbb7267a97fb0d44e9ba6
Fixes-Bug: 1811086
Fixes-Bug: 1820591
Related-Bug: 1824646
Related-Bug: 1814909
Depends-On: https://review.opendev.org/678062
2019-08-22 16:47:39 +00:00
Dmitriy Rabotyagov 88c29bb665 Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.

Change-Id: I9f8a7f92d644775bd673dbade73fbaa1268712d5
2019-07-17 00:23:33 +03:00
Jimmy McCrory 8a91e7d479 Fix distro installs on Ubuntu
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. This requires additionally installing and using the uwsgi
python3 plugin.

Install the 'python3-heat' package instead of individual service
packages since they provide service config files that conflict
with the ones OSA provides.

Change-Id: I8283fbacd4d014fb6652146f6b7750df750e6e76
2019-06-06 11:47:07 -07:00
Kevin Carter 53c3079bde Correct notification driver
The notification driver setup was resulting in the driver and connection string
on the same line. This is caused by the case statement and how jinja formats
the template when a case statement is present. This change modifies how the
driver string is created using a ternary, which will eliminate the case
statement and render the value of the driver correctly.

Change-Id: I8bb44ec141a19793b0c8d84bccf799c0e8f4cc4d
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2019-02-07 22:37:47 +00:00
Kevin Carter 36a5e628e0 Cleanup files and templates using smart sources
The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. While the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.

  * Source installs have the configuration files within the venv at
    "<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
    default configuration path to this directory. When the service is
    upgraded the link will move to the new venv path.
  * Distro installs package all of the required configuration files.

To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.

Change-Id: Ib26b25c1df483c2e31bccc91874a83292be6a3aa
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2019-01-09 21:15:48 -06:00
Jesse Pretorius a839cc1713 Only implement policy.json if an override is configured
With I610115dc1974b2182ce673bb086a1da15b022de3 merged there
is no longer a default policy.json file in the venv, so we
need to change how we implement the file, and should only do
so if there is a config override configured for it.

Change-Id: Ifd0e57e14d5691daf4d715a46bdea2f1d90050d5
2019-01-08 13:54:26 +00:00
Mohammed Naser 785fcfd33d Switch to using public endpoint for URIs
The URI options in Heat all need to be public facing or otherwise
any instances spawned by Heat could have problems working with
things like SoftwareDeployment's such as Heat.

This patch makes the appropriate changes.

Change-Id: I210cedbdc527d981c49ff52264ee6028242202d2
2018-11-06 16:53:38 +01:00
Andy Smith c6bfb4ee99 Update messaging notification configuration
Change-Id: Iaaba621a511430148f7347593af809e1c81f07c7
2018-09-22 10:15:19 -04:00
Zuul fa5df920b0 Merge "Deprecate auth_uri option" 2018-06-14 02:59:34 +00:00
Andrew Smith 408055c486 Update rabbit driver ssl config option
Update the ssl setting to default to the new oslomsg rpc variable.

Change-Id: I857d9630bb2db4933f6a650f622ebfdf21777e86
2018-06-04 12:30:53 -04:00
Andrew Smith 34ddb73f03 Update to use oslo.messaging service for RPC and Notify
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters
replace the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be
transparent to the heat service.

This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Update transport_url generation
* Add oslo.messaging to inventory
* Add release note

Depends-On: If4326a6848d2d32af284fdbb94798eb0b03734d5
Depends-On: I2b09145b60116c029fc85477399c24f94974b61d
Change-Id: I4ee0a94028e7390b319d4e1ceb4ab7f7c28ad9ba
2018-05-30 14:57:57 -04:00
Markos Chandras 3ac7ae6ea7 Add support for using distribution packages for OpenStack services
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.

Change-Id: I2435793b73e0a30131b4710b6e7d29dacbb7e6fa
Implements: blueprint openstack-distribution-packages
2018-05-25 17:27:25 +01:00
Zuul 3430b62a26 Merge "Update paste, policy and rootwrap configurations 2018-03-31" 2018-04-13 11:56:09 +00:00
Jean-Philippe Evrard e5ec676cbf Update paste, policy and rootwrap configurations 2018-03-31
Change-Id: I6a641b24d6db46bf589ef28718266c22ed6a78b6
2018-04-09 09:53:46 +00:00
ZhongShengping f93f485df2 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Change-Id: I68e4c9e81b8f17ec076a03376342e7b166efbe44
Implements: blueprint deprecate-auth-uri-option
2018-04-03 14:16:53 +08:00
Kevin Carter 49f0c7e6fe Convert role to use a common systemd service role
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed. The exterior role is built to be OSA compatible and may be pulled
into tree should we deem it necessary.

Change-Id: Ic46d7f9615a492a98abecc970b72413b727290ac
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-03-30 22:28:49 -05:00
Major Hayden 7500845aa8 Skip logging for haproxy health checks
The health check requests from haproxy cause uwsgi to write a
lot of useless log lines. This can make it more difficult to find
a problem with a particular service.

This patch adds a route to look for the `osa-haproxy-healthcheck`
user agent string, which haproxy uses when performing health checks.
Any requests with that user agent are not logged.

Closes-Bug: 1742718
Change-Id: I8b1bcd58fc0bea95ee0103901eb8f83b480b50ef
2018-02-23 08:42:46 -06:00
Jean-Philippe Evrard 294df3bb56 Remove CloudWatch API
It has been removed upstream, so we follow the trend.

Change-Id: Ic377c5dc8e4941b1a96516c99dcf8166cfe688f0
2018-02-16 10:06:35 +00:00
Jesse Pretorius 9c1eab0d44 Update paste, policy and rootwrap configurations 2017-12-19
Change-Id: I8d09747111a05fa991701d87a308ad41a269528c
2017-12-19 21:10:36 +00:00
Jimmy McCrory d9b4966128 Add MySQL connection SSL support
When 'heat_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.

Change-Id: I8d582a5fe18b33592461f3ea23551c97720b8e7d
Partial-Bug: 1667789
2017-12-14 09:37:55 -08:00
Jean-Philippe Evrard 8fcd291977 Update static files
This patch updates the role static files in tree

Change-Id: Iddd0cbb19b0d6a2f231d56137de6be57ec396aed
2017-12-07 08:12:17 +00:00
ZhongShengping bff87d973c Fix ssl
The value of ssl is {{ heat_rabbitmq_use_ssl }}, so fix it.

Change-Id: I644e6393a9253f9f315c4c8d5ff0fe88006095a0
2017-09-18 11:04:30 +08:00
Major Hayden 2b5fe2ef79 Implement uWSGI for heat api services
As part of the Pike goals we are moving api services to run as WSGI
apps. heat-api, heat-api-cfn, and heat-api-cloudwatch are now set
up as WSGI apps.

Since this is just a drop in replacement for existing eventlet services,
operators and deployers should not notice a difference.

Change-Id: I3dba17c33a7f1a1b9a03020a650e258099b4d20d
Implements: blueprint goal-deploy-api-in-wsgi
2017-08-03 13:45:55 +01:00
Jesse Pretorius f7de00cadd Optimise role execution
In order to optimise the role execution and
to improve consistency, the following is done:

1. The services dict is filtered per host to
   prevent skipped tasks from spamming the
   logs and wasting execution time.
2. The service restart is implemented in a
   specific order to improve consistency. The
   order implemented is a wild guess as there
   is no upstream documentation about the
   'correct' order.
3. The service enable/start is consolidated
   into the handler to be more efficient.
4. A dynamic include is used instead of nesting
   includes for the init prep.

Change-Id: I91d20b980f1b1a63ff2d6ef30bcec7ef58a5571a
2017-07-10 13:08:21 +01:00
ZhongShengping 972e8b515a Deprecate rpc_backend option
Option "rpc_backend" from group "DEFAULT" is deprecated for removal
(Replaced by [DEFAULT]/transport_url). Its value may be silently
ignored in the future.

Change-Id: I77bb1e7f9513593cecf2ca95b9e2fa91e251b483
Implements: blueprint deprecate-rpc-backend
2017-06-09 07:50:17 +00:00
ZhongShengping 7eb889131d Deprecate profiler_enabled option
Option "profiler_enabled" from group "profiler" is deprecated.
Use option "enabled" from group "profiler".

Change-Id: Id309d21966e6aefae3e0a96581547f9551314faa
Closes-Bug: #1694892
2017-06-01 11:56:34 +08:00
Andy McCrae 3a6a6fbf14 Update paste, policy and rootwrap configurations 2017-05-26
Change-Id: I08d2152d7014343b663535938b74247bf591245a
2017-05-26 14:10:58 +01:00
ZhongShengping a3c55be447 Deprecate rabbit_use_ssl option
Option "rabbit_use_ssl" from group "oslo_messaging_rabbit" is deprecated.
Use option "ssl" from group "oslo_messaging_rabbit".

Change-Id: I14394257d5a04329ecd137c0f7e6c0f58d0cfa78
Implements: blueprint deprecate-rabbit-use-ssl
2017-05-23 10:23:15 +08:00
Jesse Pretorius 534942a79e Reduce init restart/kill times
The systemd unit 'TimeoutSec' value which controls the time
between sending a SIGTERM signal and a SIGKILL signal when
stopping or restarting the service has been reduced from 300
seconds to 120 seconds. This provides 2 minutes for long-lived
sessions to drain while preventing new ones from starting
before a restart or a stop.

The 'RestartSec' value which controls the time between the
service stop and start when restarting has been reduced from
150 seconds to 2 seconds to make the restart happen faster.

These values can be adjusted by using the *_init_config_overrides
variables which use the config_template task to change template
defaults.

Change-Id: I00bb78d822cc38792aa361e3d2854dfd3ce3ae05
2017-04-26 13:04:10 +00:00
Kevin Carter 07d59ddb75 Ensure the components are isolated from the system
This creates a specific slice which all OpenStack services will operate
from. By creating an independent slice these components will be governed
away from the system slice allowing us to better optimise resource
consumption.

See the following for more information on slices:

* https://www.freedesktop.org/software/systemd/man/systemd.slice.html

See the following for more information on resource controls:

* https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html

Tools like ``systemd-cgtop`` and ``systemd-cgls`` will now give us
insight into specific processes, process groups, and resource consumption
in ways that we've not had access to before. To enable some of this reporting
the accounting options have been added to the [Service] section of the unit
file.

Change-Id: I059e2027fb872f9cd2cf1f5e2f17cf02c4e536c8
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-03-28 23:32:57 -05:00
Chris Hultin 92e38306e9 Setting SoftwareConfig Defaults
Setting the default SoftwareConfig Transport method
and the default Signaling method to use Heat.

Closes-Bug: #1667471
Change-Id: Ic035794e00f02409ce081cafc17c3f42c75d57d6
2017-02-23 20:33:46 +00:00
Ravi Gummadi 3d16c31779 Cap the number of worker threads
Users can configure the number of worker threads however when it's
not specified the calculated number of workers can get too large on
hosts with a large number of CPUs.

Change-Id: Ie4fae6e015a58399cb8656e88d6b9aa514ecaa5d
2017-02-23 01:51:36 -05:00
Andy McCrae 01b50d316f Update paste, policy and rootwrap configurations 2017-01-19
Change-Id: Ic8254f944c2f7f8eca04b9c55ce76d2d480f2c22
2017-01-19 14:42:26 +00:00
Kyle L. Henderson 4033a0f854 Enable oslo_middleware proxy header parsing
Heat has moved to using oslo_middleware for the http proxy header
parsing, however the default is to not parse the headers.  When
the external protocol differs from the internal protocol this
parsing is required in order for heat to work properly since it
will return 302 redirects to the client during some operations
(such as delete stack).

An example of this is when using haproxy with https configured
for the external protocol and http for the internal protocol.
If the oslo_middleware does not parse the headers, then any
302 redirects would specify a url with http rather than
correctly specifying https and the heat client would fail to
connect on the redirect url.

Change-Id: I0a331a0e766a77c8c8fed3fd22f0b36f2a5a9e5a
Closes-bug: #1654874
2017-01-09 10:01:12 -06:00
ZhongShengping 7743b54f7a Remove pki support
Change-Id: I3db31b13d659464d2ae8c6ab37ac945301317d09
Implements: blueprint remove-pki
2016-12-29 11:27:24 +08:00
Andy McCrae f49e0a88a5 Update paste, policy and rootwrap configurations 2016-12-23
Change-Id: I9e85b3da953880e2897d6bfaae808857b72292db
2016-12-23 09:34:16 +00:00
Jenkins 3263c1ddce Merge "Add variable to control cinder backups" 2016-12-19 16:37:57 +00:00
Andy McCrae b77c406c69 Remove Trusty support from os_heat role
Change-Id: If665515b30bfbd6b618c70357963df28d3d7de54
Implements: blueprint trusty-removal
2016-12-15 13:17:58 +00:00
Major Hayden 6497309af8 Add variable to control cinder backups
Heat has a `backups_enabled` configuration parameter that controls
whether heat will attempt to use cinder's backup service:

  https://review.openstack.org/#/c/332851/

By default, this feature is enabled in heat, but heat doesn't have
any idea if the feature is enabled in cinder. If the backup service
is disabled in cinder but enabled in heat, deployers may create
undeletable stacks.

This patch adds a new variable, `heat_cinder_backups_enabled` that
controls heat's ability to use cinder's backup service. It is
disabled by default (to match the backup service configuration in
the cinder role, which is also disabled by default).

Closes-Bug: 1650035
Change-Id: I3875cc34ec92ba588d995a6d9c0341977a408ad7
2016-12-14 16:04:19 -06:00
Andy McCrae bcf5e2c4da Update paste, policy and rootwrap configurations 2016-12-10
Change-Id: Ia3e10c4cc53df9925c353393115f0149a6781f6f
2016-12-10 13:10:55 +00:00
Andy McCrae 543a127301 Update paste, policy and rootwrap configurations 2016-11-18
Change-Id: I070605c520fc118557e50b938032b713df7c597d
2016-11-18 09:16:25 +00:00