Commit Graph

78 Commits

Author SHA1 Message Date
Andrew Bonney 3c476298a8 Add missing magnum octavia client configuration
Omitting this config causes Magnum to use the public endpoint
by default.

Change-Id: I41122f166806b30e07067c539c182f98c6919134
2023-12-14 10:35:07 +00:00
Dmitriy Rabotyagov 1b7360802f Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: Ic5b425564e494502722106f94e406dc2ed69dcde
2023-11-08 08:48:39 +00:00
Dmitriy Rabotyagov 97afbcce92 Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.

Change-Id: Id8c269eeed160709f1f97c8e60b9fba484154bb5
2023-08-17 14:57:34 +00:00
Dmitriy Rabotyagov 4c4c70a376 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/846142
Change-Id: Ic77d8645613d265997895b6742b334336ce00ec1
2022-06-17 08:29:33 +00:00
Dmitriy Rabotyagov 5e1780b809 Control amount of conductor workers
As of today we didn't manage amount of magnum-conductors that equal to
amount of CPU on host. So things can go off regarding CPU and memory
consumption. For better control on resources we add variable to control
conductor workers.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/846151
Change-Id: I3eedd74717b3b621b4e0b6ae4a8df4ee6f1eb739
2022-06-17 08:24:58 +00:00
Damian Dabrowski 03990bb4a0 Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I305c6f4fb0b20e6e916fff7c912e8664733a902e
2021-12-03 11:41:01 +01:00
Dmitriy Rabotyagov db5ac1dc35 Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: Ib9d0b810bf5aef475021f886dd19348548a7ec9a
2021-09-21 15:38:59 +03:00
Dmitriy Rabotyagov 9f3dfd20b0 Define region for Magnum trust
We were missing region definition for trust section which resulted in
issues in multiregion deployments

Change-Id: I8a569f47c0f3100f4c49dde01c58b31338ab1182
2021-05-28 12:55:04 +03:00
Zuul deeba4fb96 Merge "Add variables for rabbitmq ssl configuration" 2021-05-18 14:28:22 +00:00
Jonathan Rosser e5e064e055 Add variables for rabbitmq ssl configuration
Change-Id: I84a8cbf8f1bbfa40fbf107f346c4564905244ecd
2021-05-17 14:56:46 +00:00
Dmitriy Rabotyagov af92c6ae79 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to replace policy.json to
policy.yaml and remove deprecated policy.json.

config_template has been chosen instead of the copy, since it can
properly handle content that has been looked up.

We make a separate task not to restart service when it's not needed.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: Ie246d803b5c4e490af76351a595aedcf2fcff62b
2021-04-20 16:49:08 +00:00
Jonathan Rosser 7c90bb1729 Fix linter errors
We also fix magnum config in order to work with bind-to-mgmt,
until [1] got merged

[1] https://review.opendev.org/733408

Depends-On: https://review.opendev.org/763049
Change-Id: Iaa7a0aae186eaf080b7be3949821ed9e90c52456
2020-11-17 17:20:42 +00:00
Dmitriy Rabotyagov 200dcd89aa Add deployment of keystone_auth_default_policy
In case `keystone-auth-enabled` is true in k8s template, magnum requires
keystone_auth_default_policy file to be present.
At this point we suggest creating corresponding roles by deployers
manually, since it's not enabled by default or used widely.

Change-Id: I77bfd3026e3168d7504ef3dc5214cfe706c525dd
2020-09-14 14:37:23 +03:00
Guilherme Steinmüller d5be854362 Refactor memcached_servers
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e users
wants to create a single memcached cluster with k8s
for each service.

We also add pymemcache based on [1]

[1] https://review.opendev.org/711429

Change-Id: If7bbef32ae1102ff586bd765052d984896bde43d
2020-03-16 16:18:50 +00:00
Dmitriy Rabotyagov 027224854d Start using uWSGI role
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.

Change-Id: I354ff3e81f4f4586aa2d52e1dcd8359c16a9e39a
2019-09-05 14:11:14 +03:00
Dmitriy Rabotyagov 2fe6aaa322 Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.

Change-Id: I8be07495dd84f085de6d4409f2efd67a8359d82e
2019-07-17 16:12:34 +03:00
mb 3c4952376d Add ability to set keystone region_name in magnum.conf
Adding the ability to set region_name in keystone_authtoken section of
magnum.conf in the same way as for other services. Defaulting to
magnum_service_region.

Change-Id: I7f7e184c5eec6489505a6492ed2786a27bae29ab
Closes-Bug: #1819380
2019-03-10 23:36:10 +01:00
Kevin Carter 33b192bfd9 Correct notification driver
The notification driver setup was resulting in the driver and connection string
on the same line. This is caused by the case statement and how jinja formats
the template when a case statement is present. This change modifies how the
driver string is created using a ternary, which will eliminate the case
statement and render the value of the driver correctly.

Change-Id: I1c0296886a7cc37089233f241f79c92696ebac3a
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2019-02-07 22:38:15 +00:00
Mohammed Naser 175d1900cb Switch to www_authenticate_uri instead of auth_uri
auth_uri has been deprecated in Stein and also it must include
the URL which is publicly accessible by the user.  However, we
keep it in there still because Magnum depends on it for some
variables.

Change-Id: If04d0342dca0f60e1115db388c5e496672d0ab2f
2018-11-06 16:05:26 +01:00
Mohammed Naser 860d3635d8 Drop identity_uri usage in keystone_authtoken
These parameters have been deprecated since Mitaka.

Change-Id: I0636e0eeef9fd6f890b54e397f8b6075b7384b23
2018-11-06 15:43:33 +01:00
Zuul 1769545d04 Merge "Update messaging notification configuration" 2018-10-17 03:05:24 +00:00
Mohammed Naser fbdcdbd19c Add multi-region support for Magnum
Magnum currently tries to hit the first region that it finds
so it can fail to deploy clusters in multi-region deployments
non-deterministically.

This patch makes sure that the region can be configured and
it defaults to the same one that Magnum is deployed on.

Change-Id: I136ba0caead3a5afe11152aaed7bae94af8906b4
2018-10-09 06:33:18 +02:00
ZhijunWei 9508e525ed Update messaging notification configuration
This patch adds the conditional inclusion of the notification
section of the service configuration. This ensures that oslo.messaging
notifications use the correct transport for deployments that have
separate rpc and notify messaging backends. For example, if the
transport_url is not provided in the notification section of the
service configuration, the transport_url specified in the default
section will be used instead.

This patch conditionally selects the notifier driver. The noop
driver will be selected when notification publishing is disabled.
The messagingv2 driver is selected when notification publishing is
enabled.

Change-Id: Iaadc0d852c003e653e00b4736ddc28f16ddfec5a
Closes-Bug: #1794320
2018-09-27 02:15:30 +00:00
Zuul 73bd7c9bc4 Merge "Disable sending metrics for clusters" 2018-07-31 19:04:16 +00:00
Zuul 2bfb3b54c0 Merge "Use keystone_auth for credentials" 2018-07-31 19:04:15 +00:00
Mohammed Naser 0d5a2e1d77 Disable sending metrics for clusters
There is a reported issue in Magnum which makes clusters fail
to provision if the cluster stat reporting is enabled with
Kubernetes 4.0.0

This patch disables it as the recommended workaround until this
is resolved upstream.

Change-Id: I91d4873d94ce85a0768c441df9e0701da1706115
2018-07-26 18:58:16 -04:00
Mohammed Naser abf2d03b5b Use keystone_auth for credentials
Magnum requires credentials to be stored inside keystone_auth
in order to be able to properly talk to other services.  This
patch addresses that and moves those settings in the right place.

Change-Id: I8e8b3f769ae58aa8d7ceb22eaf264865790afeed
2018-07-26 18:58:14 -04:00
Andy Smith e587d74d29 Update to use oslo.messaging service for RPC and Notify
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters replace
the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be transparent
to the magnum service.

This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Add transport_url generation to conf template
* Add oslo.messaging to tests inventory
* Update tests
* Update examples
* Add release note

Change-Id: Ib44af3b1d153742975351a321d65c8812a994370
2018-07-20 11:53:00 +00:00
Kevin Carter bc50224366 Convert role to use a common systemd service role
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed. The exterior role is built to be OSA compatible and may be pulled
into tree should we deem it necessary.

Change-Id: I77515f6c90541649e188737b839a6d43fff455f7
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-03-30 23:48:18 -05:00
Mohammed Naser f586967a56 Implement uWSGI for Magnum API
Change-Id: Iea6154c18070c82109b1d262d20c23476e4a2573
Implements: blueprint goal-deploy-api-in-wsgi
2018-02-18 12:59:16 -05:00
Mohammed Naser ad30f59319 Refactor services to magnum_services
This patch refactors the services into a dictionary
which should simplify service management.

Change-Id: I3cd735209a0a40d7822377eeb1ca58c95bb51832
2018-02-18 12:58:54 -05:00
Jimmy McCrory e2c5cc2cee Add MySQL connection SSL support
When 'magnum_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.

Change-Id: I1ac622926542ff6a3dfca7be3703f33ede4013df
Partial-Bug: 1667789
2017-12-14 11:21:50 -08:00
Jean-Philippe Evrard cf0a3c9bac Fix cinder_service_region undefined
Due to the simplification of group vars [1], we've removed the
definition of cinder_service_region for magnum.

We could put cinder_service_region in all group vars instead,
but it looks like the scoping is done wrong.
We should instead rely on save defaults on the role, that can
be overridden.

Here, we introduce the variable magnum_cinder_service_region,
which defaults to magnum_service_region, i.e. "RegionOne".

We can remove the need for an override that way, and properly
scope variables.

[1]: https://review.openstack.org/#/c/504804/18/group_vars/all/cinder.yml

Depends-On: Ia8417bbdac3f515e42d1ed760110a63ae14f8f00

Change-Id: Id25c2d344859adfd09108b759d55f11ae83f97a9
2017-10-05 14:13:42 +00:00
ZhongShengping 38d4682754 Deprecate rpc_backend option
Option "rpc_backend" from group "DEFAULT" is deprecated for removal
(Replaced by [DEFAULT]/transport_url). Its value may be silently
ignored in the future.

Change-Id: I63c95f5e36669ffdd9eb63c8294138aea265a782
Implements: blueprint deprecate-rpc-backend
2017-06-09 08:32:18 +08:00
ZhongShengping 09e08d05ce Deprecate rabbit_use_ssl option
Option "rabbit_use_ssl" from group "oslo_messaging_rabbit" is deprecated.
Use option "ssl" from group "oslo_messaging_rabbit".

Change-Id: I570bd2df32018bf5187ea942da8e0037dc27bde3
Implements: blueprint deprecate-rabbit-use-ssl
2017-05-23 10:27:05 +08:00
Jenkins fe5871cba4 Merge "Enable custom keystone endpoint_type in templates" 2017-05-15 22:46:07 +00:00
ArchiFleKs 4b6f0444d6 Enable custom keystone endpoint_type in templates
Allow to specify a custom AUTH_URL for the templates in case instances
cannot reach internalURL which is the case in most deployment.

A new variable in trust section: trustee_keystone_interface which
defaults to public for OSA.

Also set magnum_client URL which is passed to instances to publicURL
also, this is similar to what is done with heat which default to
publicURL.

Related to this change: https://review.openstack.org/#/c/455353/

Change-Id: I51bf7615ca91f90b7d998e66327ed1bb662783b6
Partial-Bug: #1643197
2017-05-15 20:48:53 +02:00
Andy McCrae 1cbaa540f6 Update paste, policy and rootwrap configurations 2017-05-15
Change-Id: I0dc9a66ab4769f8ec14691317da576abcf258354
2017-05-15 09:19:35 +01:00
Adrien Cunin 3469c8982a Added debug variable support
Change-Id: I1376470ed942639b317547e06304b15a491024cd
2017-04-26 22:10:32 +00:00
Jesse Pretorius 09f4810b2f Reduce init restart/kill times
The systemd unit 'TimeoutSec' value which controls the time
between sending a SIGTERM signal and a SIGKILL signal when
stopping or restarting the service has been reduced from 300
seconds to 120 seconds. This provides 2 minutes for long-lived
sessions to drain while preventing new ones from starting
before a restart or a stop.

The 'RestartSec' value which controls the time between the
service stop and start when restarting has been reduced from
150 seconds to 2 seconds to make the restart happen faster.

These values can be adjusted by using the *_init_config_overrides
variables which use the config_template task to change template
defaults.

Change-Id: Iff717230b05e9dc05bcbfc7f64b8bc54662bbb4f
2017-04-26 13:07:55 +00:00
Jenkins 6d79217a31 Merge "Fix comment nit in unit file" 2017-04-17 17:33:24 +00:00
Jenkins 0b2a76d7a5 Merge "Enable cluster trust for magnum" 2017-04-17 13:51:14 +00:00
Major Hayden e8d3481a7e Fix comment nit in unit file
This patch fixes the tiny nit left over
from commit I7f6d634eafeb47450127eed1e59f3e00ee3075a5.

Change-Id: Icd71f4764a366251ca4558e91efc12a4d7763555
2017-04-17 08:00:14 -05:00
ArchiFleKs aceaa3e5f1 Enable cluster trust for magnum
This enables cluster_user_trust which is needed to get Kubernetes
integration with Cinder and Neutron LBaaS

Change-Id: Ie95c45f84381b0d278dafa6a3227f787ece83323
2017-04-14 10:54:54 +02:00
Kevin Carter 562d330484 Ensure the components are isolated from the system
This creates a specific slice which all OpenStack services will operate
from. By creating an independent slice these components will be governed
away from the system slice allowing us to better optimise resource
consumption.

See the following for more information on slices:

* https://www.freedesktop.org/software/systemd/man/systemd.slice.html

See the following for more information on resource controls:

* https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html

Tools like ``systemd-cgtop`` and ``systemd-cgls`` will now give us
insight into specific processes, process groups, and resource consumption
in ways that we've not had access to before. To enable some of this reporting
the accounting options have been added to the [Service] section of the unit
file.

Change-Id: I7f6d634eafeb47450127eed1e59f3e00ee3075a5
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-03-30 15:10:41 +00:00
ArchiFleKs 8329c257df Fix Magnum Cluster TLS assets generation
Change-Id: If18a447a38f0b8ac9f1bf076d4124ccceb018627
Fixes-Bug: #1670355
2017-03-07 09:58:28 +01:00
Andy McCrae 693298053c Update paste, policy and rootwrap configurations 2017-03-03
Change-Id: I8e9f3380d5434f9bf5a18616b7174bcab183e76b
2017-03-03 11:33:53 +00:00
Andy McCrae 5f574a6107 Update paste, policy and rootwrap configurations 2017-01-26
Change-Id: Id5adac759a79f314787ad0c540c7530e5530f50c
2017-01-26 14:32:25 +00:00
Andy McCrae 943f5df73c Update paste, policy and rootwrap configurations 2017-01-19
Change-Id: Ia89158660cee6f8096cf61f87e1d72703de4e356
2017-01-19 14:45:33 +00:00
ZhongShengping e692eea6a8 Remove pki support
Change-Id: I71135690948db5eb86a1f23c3cb02b0d9f5dd1a0
Implements: blueprint remove-pki
2016-12-29 13:38:44 +08:00