This adds a new variable to manage TLS v1.3 cipher suites.
The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: If857ec3e2e3728f6bea9740ff43dcb2df45429d2
The connection plugin no longer falls back on using the
inventory_hostname as the container_name. Set container_name as a host
var for each container in the test inventory.
Change-Id: I5b4a3923fce8bd649ef474ada67e230fd5e2b2d7
Now that the v2.0 API has been removed, with Keystone v3
the admin (35357) and public (5000) ports are the same
and use the same keystone code paths for authentication.
This patch set replaces 35357 and only uses port 5000.
Change-Id: I1bc6f11892b7ec883210f0d9065a5b7d8f5cc246
Now that we're using the general templates, we can slim down
the role test definitions. We can also remove tests which are
not being watched, or which are fundamentally broken. With
this we can also remove unused scripts/plays.
We do the following:
1. We remove the 'ssl' job, given that the person working on
that is no longer doing so, and no-one else has picked up
the work.
2. We remove the 'upgrade' job, given that it's been broken
all cycle due to the way the job executes and we need to
regroup to figure out another way to do it.
3. We promote the distro_install jobs, given that they are
all now working.
4. We promote the centos apache/uwsgi functional test, given
that it is working consistently.
Change-Id: I67e0d8f4ab52449a80adb5c479faefbc83617025
The tests were using our keystone module, and therefore
required the keystone client present. This patch changes
the tests to remove that requirement.
Now that we no longer use our own keystone module, but
instead make use of the ansible runtime venv's shade
library and upstream ansible modules, we can eliminate
this package/library being installed on the host.
Change-Id: I3b5066ef0f3f650beb9e057771d8636991d2bce2
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.
The 'virtualenv' package is now installed appropriately by the openstack_hosts
role, so there's no need to install it any more. The 'httplib2' package is a
legacy Ansible requirement for the get_url/get_uri module which is no longer
needed. The keystone client library is not required any more now that we're
using the upstream modules. As there are no required packages left, the task
to install them is also removed.
With the dependent patches, the openstack_openrc role is now executed once
on the designated host, so it is no longer required as a meta-dependency for
the role.
Depends-On: https://review.openstack.org/579233
Depends-On: https://review.openstack.org/579959
Depends-On: https://review.openstack.org/580156
Change-Id: I8f193d5f6f1f6020b23a4c4eebf3ad537d61e0b7
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters
replace the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be
transparent to the keystone service.
This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Update transport_url generation
* Update examples
* Add oslo.messaging to inventory
* Add release note
Depends-On: If4326a6848d2d32af284fdbb94798eb0b03734d5
Depends-On: I2b09145b60116c029fc85477399c24f94974b61d
Change-Id: I8d5b09dd0cb905e0dee40e260efbfeff1da180ce
This fixes the following problem:
failed: [localhost] (item={'name': u'systemd_service', 'src':
u'https://github.com/openstack/ansible-role-systemd_service', 'scm':
u'git', 'version': u'master'}) => {"changed": false, "failed": true,
"item": {"name": "systemd_service", "scm": "git", "src":
"https://github.com/openstack/ansible-role-systemd_service", "version":
"master"}, "msg": "Failed to set a new url
https://github.com/openstack/ansible-role-systemd_service for origin:
fatal: No such remote 'origin'\n"}
This happens because zuul automatically clones dependent projects using
the git.openstack.org URLs but here we used the github.com one and that
led to module failures.
Change-Id: Id9b0f45af9f9393cd63e6f60b37e55cf16d08631
Now that run_tests.sh handles the tests repo clone, we can
remove the use of the older tests-repo-clone.sh script.
Change-Id: Icee36c34ecbdf5e3190c5839b00b1fa606763fa7
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles, all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed.
In converting this role to use the common systemd_service role a
keystone_service dictionary was created in the defaults main.yml file.
This change follows the pattern of other services.
Change-Id: I65902f2483ef2f18ac2d229c5ebd9d090b6ae040
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
In order to allow tests to work as the use of the common
role is implemented in the various roles, we pre-implement
the addition of the role into the a-r-r file.
Change-Id: I69d9d1b8b5ea7c62425e1d38e7f551ebe3cc57c3
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Until all the roles are ready and have this new role in the
ansible-role-requirements, we should not be merging this. We
should also ensure that the integrated a-r-r includes this
role before merging this.
This reverts commit b42eef0dc4.
Change-Id: I8a944db87948ff783028240d3548016a52ab5af4
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles, all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed.
In converting this role to use the common systemd_service role a
keystone_service dictionary was created in the defaults main.yml file.
This change follows the pattern of other services.
Change-Id: I70e1f6007d9f88f05ccdc737b210415274580a46
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
When doing the role upgrade, we run every playbook with the current
branch's ansible. This is normal for the infrastructure bits (which
are running on current branch), but not for the installation of
the previous branch's role, which should use previous branch's
environment.
The tests repo now has this venv, so we should make use of it.
Depends-On: I7ebb045885dd645b820de2b7f75b46c755c015f6
Change-Id: I579a3f7b641e02f40ed1b21f523aecbb9f16835a
Related-Bug: #1741471
We are now using ARA for all the jobs, including the upgrades.
If ARA isn't installed, any playbook using the ansible-previous
venv would fail, because the callback plugin setup during the
first steps of the job is still in use.
Change-Id: Ibfb444aeacfecd3384314f0e9d92e096279c543a
When doing the role upgrade, we run every playbook with the current
branch's ansible. This is normal for the infrastructure bits (which
are running on current branch), but not for the installation of
the previous branch's role, which should use previous branch's
environment.
This commit adds:
- A new venv build script, containing the previous version of ansible
- A split between the infrastructure bits (running current ansible),
the previous role run, and the upgrade of the role.
Change-Id: I91fe4e867750d7cee9ad7d84b005eb0231849df9
Signed-off-by: Jean-Philippe Evrard <jean-philippe@evrard.me>
Closes-Bug: #1741471
We are already collecting logs as part of the post-run playbook so we
don't need to do that as part of the exit trap. This avoids collecting
and compressing the logs twice.
Change-Id: Iaf00987dab9cdd108df6095e76321126f45a47b6
This patch implements an initial set of jobs intended to match
the current job execution method. It does not intend to improve
how the jobs are executed - only to replicate what is currently
in openstack-infra/openstack-zuul-jobs and provide the platform
to iterate on.
Change-Id: Ic04b7e658e7755c8e66e47a84442a5f3c791fa78
This changes the a-r-r with the proper version, and fixes
the repo path for role upgrades:
The role will, during test-upgrade-pre, have its current branch
checked out, and will deploy the current branch infrastructure,
including the generation of the constraints.
Then, the installation of previous branch of the role will use
the constraints for its previous version, but will have no
constraints for it, and fail.
We need to generate the constraints for the previous version too.
This should do it.
Co-Authored-By: Jean-Philippe Evrard <jean-philippe.evrard@rackspace.co.uk>
Change-Id: I8305fce3ea5b6446692d15c642eccd798164f266
The tempest plugin for keystone was split out into its own repo.
In I1805b196b42b6a76c56e129a316e170e767455c1, it was removed from the
keystone repo.
Change-Id: I55a7e459ccb2b21e594c4add12164d8de45bc17c
The rolling upgrade test is currently not setting
the endpoint correctly due to 'keystone_upgrade'
not being defined.
This patch removes the requirement to define the
var by ensuring that the role always uses haproxy.
This prevents having to remember to set the var
when doing development and makes better sense for
test purposes anyway.
This patch also serialises the upgrade and ensures
that the backend is set into maintenance mode when
the upgrade is actioned.
Change-Id: I8f16495607abb871390d28c0b3e9b2b856dda097
Depends-On: I5cbb3824430dc09b36476f81e0cdfd4f0a15f497
We are adding a more generic approach to setting up developer mode for
testing, in I774343234a25063eb320cac85ba696d908f0a416. This will revert
the initial POC work that was done on the Keystone role, in favour of
the more generic approach.
This reverts commit c8631347e7.
Change-Id: I62d62e24123bae7b59deb6f0508608fdc1472481
When executing the tests repo clone in OpenStack-CI,
use zuul-cloner instead of git to enable cross-repo
testing. This ensures that if a dependent patch from
the tests repo is noted using 'Depends-On: <change-id>'
in the commit message, that patch will be included.
Change-Id: I516017d8d817d98a2b53d970ef93681ca7e969cf
Depends-On: Idce7abebf32f24c356a27e099fbca954d917402b
Move test host vars from the inventory to individual files for each
host. 'ansible_become' has been removed from localhost's vars since it
should be handled on a playbook basis.
Change-Id: I52645d09e83818416d6cd8a8ae4ec4e58848efd3
This patch allows a developer to customise the code for
keystone, then test the changes when executing any of
the tox tests we implement.
The workflow means that by default the git_repo will be cloned from
upstream (this ensures gating continues to work). If the developer
specifies a "keystone_dev_local_directory" then the repo will not be
cloned, and it assumes the developer has already cloned and edited that
repo. A clone can be forced by setting "keystone_dev_force_clone" to "True".
Change-Id: Ibb666a803e73b50e3ee1918e633a9bbb84b084da
This will separate out the runs so that variables and modules are not
re-used across runs - ensuring the latest modules and versions are used,
and ensuring multiple versions of the tests playbook aren't required on
non-upgrade runs.
Change-Id: Iacaf5919a468cf267418718fdac5c270674a3454
The locust benchmarks currently produce this warning:
UserWarning: WARNING: Using pure Python socket RPC implementation
instead of zmq. If running in distributed mode, this could cause a
performance decrease. We recommend you to install the pyzmq python
package when running in distributed mode.
http://docs.locust.io/en/latest/installation.html#installing-zeromq
Change-Id: Ib5a0459f9f5fd74cfb2cf053417753edefc9c2b0
Since we already have the load balancer vip available, we can use
that instead of hardcoding locust to use localhost.
Change-Id: I916b14bce56aac94d2810bf96ba15436d6bb2cae
When measuring availability, multiple clients effectively give you
additional resolution, but that resolution may be of negligible value
here.
More importantly, when measuring for response time consistency
(important for zero-impact upgrades), it's counter-productive to run
clients in parallel, as you're also measuring the effect of parallel
clients instead of just the impact of the upgrade process.
Change-Id: Ic9449a1050651a1285bf80e69c958c965c21cbc4
During upgrade testing, move Keystone containers behind an HAProxy
load balancer and run a benchmarking tool to make continuous requests
against the keystone API, providing summary output at the end of the
play. This should help ensure the upgrade process between releases
remains without downtime.
To avoid service interruptions because of files being replaced during
installations:
- set the 'keystone_venv_tag' var so that it changes between releases
- perform the 'Create WSGI symlinks' task only after the files being
linked to exist
Benchmarking scripts were provided by:
https://github.com/lbragstad/keystone-performance-upgrade
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Change-Id: I462e6496f125c7e263bbab188e86c45e1f4f7f1e
To avoid requiring all the os_previous_keystone tasks to be evaluated,
we should split the 2 tests up. This will help make the gate more
efficient and avoids unnecessary issues.
Change-Id: I391bddea8f5af67c73ed5c9fc85eb9a81643c88f
This patch implements upgrading keystone with zero downtime as the
default installation process. Handlers have been modified to ensure that
the first keystone node is stopped, facilitates the database migrations,
and that it is started and available before restarting any other keystone
nodes. Migrations also now only occur when there is a change within the
installed keystone venv.
This process is documented at
http://docs.openstack.org/developer/keystone/upgrading.html#upgrading-without-downtime
A new test scenario has been added for testing basic upgradability
between releases.
Implements: blueprint upgrade-testing
Change-Id: I0d3cfcb80b64d005d60f4c8445f991855f844796