This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: Ic5b425564e494502722106f94e406dc2ed69dcde
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.
Change-Id: Id8c269eeed160709f1f97c8e60b9fba484154bb5
As of today we didn't manage amount of magnum-conductors that equal to
amount of CPU on host. So things can go off regarding CPU and memory
consumption. For better control on resources we add variable to control
conductor workers.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/846151
Change-Id: I3eedd74717b3b621b4e0b6ae4a8df4ee6f1eb739
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I305c6f4fb0b20e6e916fff7c912e8664733a902e
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.
Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: Ib9d0b810bf5aef475021f886dd19348548a7ec9a
We were missing region definition for trust section which resulted in
issues in multiregion deployments
Change-Id: I8a569f47c0f3100f4c49dde01c58b31338ab1182
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to replace policy.json with
policy.yaml and remove deprecated policy.json.
config_template has been chosen instead of the copy, since it can
properly handle content that has been looked up.
We make a separate task not to restart service when it's not needed.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: Ie246d803b5c4e490af76351a595aedcf2fcff62b
In case `keystone-auth-enabled` is true in k8s template, magnum requires
keystone_auth_default_policy file to be present.
At this point we suggest creating corresponding roles by deployers
manually, since it's not enabled by default or used widely.
Change-Id: I77bfd3026e3168d7504ef3dc5214cfe706c525dd
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.
We also add pymemcache based on [1]
[1] https://review.opendev.org/711429
Change-Id: If7bbef32ae1102ff586bd765052d984896bde43d
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.
Change-Id: I354ff3e81f4f4586aa2d52e1dcd8359c16a9e39a
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.
Change-Id: I8be07495dd84f085de6d4409f2efd67a8359d82e
Adding the ability to set region_name in keystone_authtoken section of
magnum.conf in the same way as for other services. Defaulting to
magnum_service_region.
Change-Id: I7f7e184c5eec6489505a6492ed2786a27bae29ab
Closes-Bug: #1819380
The notification driver setup was resulting in the driver and connection string
on the same line. This is caused by the case statement and how jinja formats
the template when a case statement is present. This change modifies how the
driver string is created using a ternary, which will eliminate the case
statement and render the value of the driver correctly.
Change-Id: I1c0296886a7cc37089233f241f79c92696ebac3a
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
auth_uri has been deprecated in Stein and also it must include
the URL which is publicly accessible by the user. However, we
keep it in there still because Magnum depends on it for some
variables.
Change-Id: If04d0342dca0f60e1115db388c5e496672d0ab2f
Magnum currently tries to hit the first region that it finds
so it can fail to deploy clusters in multi-region deployments
non-deterministically.
This patch makes sure that the region can be configured and
it defaults to the same one that Magnum is deployed on.
Change-Id: I136ba0caead3a5afe11152aaed7bae94af8906b4
This patch adds the conditional inclusion of the notification
section of the service configuration. This ensures that oslo.messaging
notifications use the correct transport for deployments that have
separate rpc and notify messaging backends. For example, if the
transport_url is not provided in the notification section of the
service configuration, the transport_url specified in the default
section will be used instead.
This patch conditionally selects the notifier driver. The noop
driver will be selected when notification publishing is disabled.
The messagingv2 driver is selected when notification publishing is
enabled.
Change-Id: Iaadc0d852c003e653e00b4736ddc28f16ddfec5a
Closes-Bug: #1794320
There is a reported issue in Magnum which makes clusters fail
to provision if the cluster stat reporting is enabled with
Kubernetes 4.0.0
This patch disables it as the recommended workaround until this
is resolved upstream.
Change-Id: I91d4873d94ce85a0768c441df9e0701da1706115
Magnum requires credentials to be stored inside keystone_auth
in order to be able to properly talk to other services. This
patch addresses that and moves those settings in the right place.
Change-Id: I8e8b3f769ae58aa8d7ceb22eaf264865790afeed
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters replace
the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be transparent
to the magnum service.
This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Add transport_url generation to conf template
* Add oslo.messaging to tests inventory
* Update tests
* Update examples
* Add release note
Change-Id: Ib44af3b1d153742975351a321d65c8812a994370
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed. The exterior role is built to be OSA compatible and may be pulled
into tree should we deem it necessary.
Change-Id: I77515f6c90541649e188737b839a6d43fff455f7
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
When 'magnum_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.
A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.
Change-Id: I1ac622926542ff6a3dfca7be3703f33ede4013df
Partial-Bug: 1667789
Due to the simplification of group vars [1], we've removed the
definition of cinder_service_region for magnum.
We could put cinder_service_region in all group vars instead,
but it looks like the scoping is done wrong.
We should instead rely on save defaults on the role, that can
be overridden.
Here, we introduce the variable magnum_cinder_service_region,
which defaults to magnum_service_region, i.e. "RegionOne".
We can remove the need for an override that way, and properly
scope variables.
[1]: https://review.openstack.org/#/c/504804/18/group_vars/all/cinder.yml
Depends-On: Ia8417bbdac3f515e42d1ed760110a63ae14f8f00
Change-Id: Id25c2d344859adfd09108b759d55f11ae83f97a9
Option "rpc_backend" from group "DEFAULT" is deprecated for removal
(Replaced by [DEFAULT]/transport_url). Its value may be silently
ignored in the future.
Change-Id: I63c95f5e36669ffdd9eb63c8294138aea265a782
Implements: blueprint deprecate-rpc-backend
Option "rabbit_use_ssl" from group "oslo_messaging_rabbit" is deprecated.
Use option "ssl" from group "oslo_messaging_rabbit".
Change-Id: I570bd2df32018bf5187ea942da8e0037dc27bde3
Implements: blueprint deprecate-rabbit-use-ssl
Allow to specify a custom AUTH_URL for the templates in case instances
cannot reach internalURL which is the case in most deployments.
A new variable in trust section: trustee_keystone_interface which
defaults to public for OSA.
Also set magnum_client URL which is passed to instances to publicURL
also, this is similar to what is done with heat which defaults to
publicURL.
Related to this change: https://review.openstack.org/#/c/455353/
Change-Id: I51bf7615ca91f90b7d998e66327ed1bb662783b6
Partial-Bug: #1643197
The systemd unit 'TimeoutSec' value which controls the time
between sending a SIGTERM signal and a SIGKILL signal when
stopping or restarting the service has been reduced from 300
seconds to 120 seconds. This provides 2 minutes for long-lived
sessions to drain while preventing new ones from starting
before a restart or a stop.
The 'RestartSec' value which controls the time between the
service stop and start when restarting has been reduced from
150 seconds to 2 seconds to make the restart happen faster.
These values can be adjusted by using the *_init_config_overrides
variables which use the config_template task to change template
defaults.
Change-Id: Iff717230b05e9dc05bcbfc7f64b8bc54662bbb4f
This enables cluster_user_trust which is needed to get Kubernetes
integration with Cinder and Neutron LBaaS
Change-Id: Ie95c45f84381b0d278dafa6a3227f787ece83323
This creates a specific slice which all OpenStack services will operate
from. By creating an independent slice these components will be governed
away from the system slice allowing us to better optimise resource
consumption.
See the following for more information on slices:
* https://www.freedesktop.org/software/systemd/man/systemd.slice.html
See the following for more information on resource controls:
* https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html
Tools like ``systemd-cgtop`` and ``systemd-cgls`` will now give us
insight into specific processes, process groups, and resource consumption
in ways that we've not had access to before. To enable some of this reporting
the accounting options have been added to the [Service] section of the unit
file.
Change-Id: I7f6d634eafeb47450127eed1e59f3e00ee3075a5
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>