Commit Graph

51 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov e164cd56d8 Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.

Change-Id: I2e3f464534bffe9edd9d969c8d6a24adce06c02c
2023-10-20 14:17:25 +02:00
Dmitriy Rabotyagov 3125263df0 Stop generating ssh keypair for zun and kuryr user
There is no obvious need to have SSH keypairs for zun and kuryr users.
I was not able to find any proof in the project installation guide that
such keypairs were ever needed. Thus, such functionality is removed.

Change-Id: Icdaf2fec944aae95947ff421bf47d88e0cc0505e
2023-10-14 08:48:05 +00:00
Dmitriy Rabotyagov dddc665165 Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Ice967ef99da11e6bd5a7dffc0a5e3d377f8598f4
2023-07-14 21:30:29 +02:00
Zuul 7a63351303 Merge "Add TLS support to zun backends" 2023-05-21 22:04:52 +00:00
Damian Dabrowski aaf4b3f201 Add TLS support to zun backends
By overriding the variable `zun_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the zun backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I85f90c573007f422b004b41e785bd1c86a21ec92
2023-05-19 09:06:00 +00:00
Dmitriy Rabotyagov bbea608c37 Allow to customize location of kv storage
This patch adds variables to easier control location of cluster-store
kv storage, including possibility to use zookeeper instead of etcd.

Change-Id: Ib413178268c4b5ae3ee7df57dcacbefde323819a
2023-05-19 11:05:18 +02:00
Dmitriy Rabotyagov 51e347dcb9 Install kata containers from source
At the moment no repositories exist for Ubuntu/Debian
to install kata from. The only options are snap or source installation.

To avoid using snap, we're fetching kata release from github and
proceeding with source installation.

With that we also update docker version to existing in the repos,
as otherwise it gets 23.0.0 installed, which fails to start up
due to removal of standalone mode support.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/883194
Change-Id: I3ee976062d9288536270f9b1d80750749174af22
2023-05-19 09:01:00 +00:00
Dmitriy Rabotyagov 04b99a0f81 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Id451d06bcc40c94e9ef021dd7e3c1d14703e73cc
2022-06-16 19:24:26 +00:00
Dmitriy Rabotyagov 4bf971f33d Update Zun api-paste
This also removes CPUFilter from Zun filters as this filtering should be
done by Placement.

Change-Id: I3e463f7442ea6b17d73429e7e4dff2fb71217a30
2022-02-03 17:28:00 +00:00
Damian Dabrowski 996dce8a8c Enable recursion in combine() filter
Ansible's combine() filter needs recursive=True parameter in order to recursively merge nested hashes.

https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#combining-hashes-dictionaries

Change-Id: Ie081e4e9bdf84e0f3c1f0116fcd6c76e47573895
2022-01-11 19:18:58 +01:00
Damian Dabrowski 954c0a96d0 Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ib258eeb4989236215d645b21ed25f9d35c3a2a0a
2021-12-03 13:47:46 +00:00
Zuul 34b01f7c6d Merge "Refactor definition of lock path" 2021-12-02 22:59:49 +00:00
Dmitriy Rabotyagov ae6f549766 Refactor definition of lock path
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819300
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/819298
Change-Id: I0fb662cc3fe241bf3934306b7ee8a3c8fdbcf747
2021-12-02 10:10:56 +00:00
Dmitriy Rabotyagov e72c788d94 Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I8b7b266d2a0633b40d38581e734ad00714b89885
2021-12-02 08:07:37 +00:00
Andrew Bonney eb78628c36 kata: disable installation on debian bullseye
Kata packages for debian 11 are not currently available without
involving Snap or source builds. As Kata is not essential to run
Zun, installation is disabled, but deployments could install it
themselves before switching 'zun_kata_enabled' back to True.

Bullseye CI is disabled temporarily as kernel panics are
encountered during tempest tests. This wastes a significant
amount of CI time.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/819304

Change-Id: I90fc8304dc7c398fdfccba31173c86f0cbf0ea7e
2021-11-30 17:07:03 +00:00
Zuul f51699d0e7 Merge "Add variables for rabbitmq ssl configuration" 2021-05-26 11:55:55 +00:00
Jonathan Rosser 796e49fa5b Add variables for rabbitmq ssl configuration
Change-Id: Ib261b39367603d386fe8416c407bfb7770afa844
2021-05-18 12:55:19 +00:00
Jonathan Rosser 599e30daaa Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: Ie427a6343fd888c9a1dd5c37a6285d33cd008b3e
2021-05-05 11:57:35 +01:00
Dmitriy Rabotyagov 513e730990 Allow to override zun policy files
We implement `zun_policy_overrides` variable in order to allow
management of zun policy files when needed.

Change-Id: If58446a2ca1aa645e098df86c3d76c8ac94bf1a1
2021-03-22 20:16:31 +02:00
Jonathan Rosser 1c65e2fcca Switch default virtualenv to python3
Change-Id: Ib44b9f40f3b707662efb652ca760af700a5d7317
2021-03-10 09:07:16 +00:00
Andrew Bonney b5bd190e24 Improve image and network cleanup procedure
This adds periodic cleanup of the directory which zun uses to
temporarily cache images loaded from Glance to avoid it becoming
too large.

Docker image cleanup is adjusted to make it less aggressive as
the 'until' filtering has been seen to clear images which were
created more recently than one hour.

The network pruning is removed as this causes zun to become out
of sync with Docker which can prevent creation of new containers
on pruned networks.

Finally, the default is to leave cleanup disabled so that it can
be enabled purely based upon user preference.

As Systemd timers cannot be disabled, this is achieved via a file
presence check which can be overridden for manual execution.

Change-Id: I4532d9975a2e68a12a7755ca3798a59f4928593c
2021-02-19 09:37:32 +00:00
Zuul 695af8ba41 Merge "defaults: set up docker overrides using systemd role" 2021-02-12 10:45:45 +00:00
Jonathan Rosser fe94ff67b3 Move zun pip packages from constraints to requirements
This is necessary to use the new pip resolver

Change-Id: Ia3782bf272a5970b6992d82e6732854af5e7a561
2021-02-07 19:39:47 +00:00
Andrew Bonney 7cc411f944 defaults: set up docker overrides using systemd role
Following on from https://review.opendev.org/765815, this change
moved the custom Docker configuration into variables rather than
its own template.

Depends-On: https://review.opendev.org/771216
Change-Id: I79371382227d0e9fdb710bff3875dc492210eae5
2021-02-01 08:26:07 +00:00
Andrew Bonney 67f1047af5 Add configuration for zun-wsproxy service
This fixes the configuration for the zun-wsproxy service which
relays messages from the Docker daemon, providing output from
containers' consoles to the Horizon dashboard.

Depends-On: https://review.opendev.org/769142
Change-Id: I7158e202be2e778a7a64e9ef2656f496caae97be
2021-01-25 13:07:44 +00:00
Andrew Bonney 154ecfe25a Prevent zun-wsproxy binding to all IP addresses
This issue is preventing metal upgrade jobs for
victoria->master from deploying haproxy correctly following the
merge of https://review.opendev.org/769142/.

This is intended to be a minimal patch to fix the binding
so that it can be backported in order to fix the upgrades.

Change-Id: I1c3dcbc21bee1bf6c66c9c2f77c4ff832db49f19
2021-01-25 12:18:00 +00:00
Zuul 14fb242eb9 Merge "Add support for kata container runtime" 2021-01-18 16:11:51 +00:00
Zuul 371bc250d7 Merge "Reduce number of processes on small systems" 2021-01-18 15:58:33 +00:00
Zuul 90560e869a Merge "Use global service variables" 2021-01-13 12:15:44 +00:00
Andrew Bonney 6856c22cb6 Reduce number of processes on small systems
Even the most modest 4C/8T system would run with the maximum 16 processes
due to the calculation being VCPU*2.

We divide amount of CPUs to number of threads for hyperthreaded CPUs

Change-Id: I67a874a94e7ef5793f484599f92cd81f20f42df3
2021-01-12 11:44:56 +00:00
Andrew Bonney fb440ce3d0 Add support for kata container runtime
This adds support for kata containers by installing and configuring
the relevant runtime.

The default remains as 'runc' but can be adjusted using the
variable added to the defaults.

Change-Id: Iea07012d092333c656b397f97b541a2f0a5f0e44
2021-01-12 08:30:57 +00:00
Dmitriy Rabotyagov 79f05091bd Use global service variables
Instead of overriding each service separately it might make
sense for deployers to define some higher level variable that
will be used first or fallback to default variable.

Change-Id: Iced1c0986f448b2a19b1f81586e50a039c23f566
2021-01-08 19:09:03 +02:00
Andrew Bonney 6045bac2e8 Add timed cleanup script to handle old Docker data
The Docker image cache does not get emptied automatically and
can take up significant disk space. In addition, old networks can
leave iptables rules, network devices and routing table entries
behind.

This patch adds a periodic timer job to delete this data where it
is safe to do so and won't impact existing containers.

Change-Id: I7045fcbb8bcd7a9744cc35fb2668016bacab4f1b
2021-01-08 09:14:00 +00:00
Andrew Bonney 1a75a7dfbe defaults: start kuryr service before docker
If Docker starts first, it gets stuck in a starting state waiting
for the kuryr service to become available. This change swaps the
order to start kuryr first instead.

Change-Id: Ib2395c317c34cfbd4b72b1d19932a236bcff7a30
2021-01-06 09:11:37 +00:00
Andrew Bonney 6d6a4beb28 Update zun role to match current requirements
Brings together a set of existing patches and attempts to address
permissions issues with the kuryr-libnetwork plugin.

Defaults are chosen to match the requirements of the tempest tests

Change-Id: Ie674947ba6673a92e53f85de2cc8acdae5788f8f
Depends-On: https://review.opendev.org/767469
2020-12-17 08:44:37 +00:00
Dmitriy Rabotyagov 07d7845820 Use the utility host for db setup tasks
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.

Change-Id: Ic57de36d5d240e6a5dda6e1794aa04d1f77fb962
2020-08-20 19:51:42 +03:00
Dmitriy Rabotyagov 7ee1939c1c Refactor memcached_servers
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.

We also add pymemcache based on [1] and fix zun-docker
systemd config.

[1] https://review.opendev.org/711429

Change-Id: Ic7b31506177ebb0f4f24eaff4db134aace5c0b1a
2020-03-25 22:26:05 +02:00
Dmitriy Rabotyagov f006a0c00a Replace git.openstack.org with opendev.org
This patch replaces git.openstack.org with opendev.org as redirection
from old path was enabled.
Also we change upper constraints url due to [1]

[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006478.html

Depends-On: https://review.opendev.org/693841/
Change-Id: I0675fb5e77171a1456c08ef4d6bfe0b0d949bbf6
2019-11-14 19:09:18 +02:00
Dmitriy Rabotyagov bc39aac81b Start using uWSGI role
Move service to use uWSGI role instead of internal python daemon.
This aims to unify deployments by using uwsgi for all services
api which support using them as wsgi applications.

Depends-On: https://review.opendev.org/693528
Change-Id: I69044a13106f16bbbef8ae83e79a08aa127a7d2a
2019-11-08 16:36:56 +02:00
Jonathan Rosser 5425851cf3 Allow venv python interpreter to be overridden
Change-Id: Idf31f0a3cda2932ba041defef803ac66c88a2e8e
2019-11-07 14:59:14 +00:00
Dmitriy Rabotyagov 0839ec0935 Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.

Change-Id: Id466ac20d9d18fa86a4615a73433a51720bafc8e
2019-07-17 20:32:48 +03:00
Dmitriy Rabotjagov 0684afa2c5 Update role for new source build process
The variables zun_developer_mode and zun_venv_download
no longer carry any meaning. This review changes zun to
do the equivalent of what developer_mode was all the time,
meaning that it always builds the venv and never requires
the repo server, but it will use a repo server when available.

As part of this, we move the installation out of its own file
because it's now a single task to include the venv build role.
This is just to make it easier to follow the code.

We also change include_tasks to import_tasks and include_role
to import_role so that the tags in the python_venv_build role
will work.

As part of commit xenial testing was removed. Instead centos 7
and opensuse 15 functional tests were added.

Change-Id: Ic8fc09372cf7397df6757c115b2c05dbb5db68f1
2019-03-29 12:43:52 +02:00
Jesse Pretorius 087ab53281 Enable overriding the service setup host python interpreter
In order to enable the service setup host python interpreter to
be changed easily, we make it a variable. This will be useful
when someone sets the service setup host to be the utility
container, because we'll be able to set this var by default.

Change-Id: I7d801847f194d733bb2e5418f64571e68d8b42ad
2019-02-26 08:27:38 +00:00
Jesse Pretorius 6eb94ebfef Use a common python build/install role
In order to radically simplify how we prepare the service
venvs, we use a common role to do the wheel builds and the
venv preparation. This makes the process far simpler to
understand, because the role does its own building and
installing. It also reduces the code maintenance burden,
because instead of duplicating the build processes in the
repo_build role and the service role - we only have it all
done in a single place.

We also change the role venv tag var to use the integrated
build's common venv tag so that we can remove the role's
venv tag in group_vars in the integrated build. This reduces
memory consumption and also reduces the duplication.

This is by no means the final stop in the simplification
process, but it is a step forward. There will be work to follow
which:

1. Replaces 'developer mode' with an equivalent mechanism
   that uses the common role and is simpler to understand.
   We will also simplify the provisioning of pip install
   arguments when doing this.

Depends-On: https://review.openstack.org/598957
Change-Id: Ia3646f395a17c90de6ff7b23e31897573691b5d4
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
2018-09-03 18:11:27 +01:00
Matt Riedemann 5b55303718 Remove deprecated Disk/RamFilter usage
As of change https://review.openstack.org/#/c/596502/ nova
has deprecated the RamFilter and DiskFilter since they are
not necessary when using the default scheduler driver
(filter_scheduler). This change removes their usage from
this deployment project.

Change-Id: I9c05016817cb03933292f09d06119795f8f451a0
2018-08-28 14:30:42 -04:00
Jesse Pretorius d4edcbde6d Move MQ vhost/user creation into role
There is no record for why we implement the MQ vhost/user creation
outside of the role in the playbook, when we could do it inside the
role.

Implementing it inside the role allows us to reduce the quantity of
group_vars duplicated from the role, and allows us to better document
the required variables in the role. The delegation can still be done
as it is done in the playbook too.

In this patch we implement two new variables:
- zun_oslomsg_rpc_setup_host
- zun_oslomsg_notify_setup_host

These are used in the role to allow delegation of the MQ vhost/user
setup for each type to any host, but they default to using the first
member of the applicable oslomsg host group.

We also adjust some of the defaults to automatically inherit existing
vars set in group_vars from the integrated build so that we do not
need to do the wiring in the integrated build's group vars. We still
default them in the role too for independent role usage.

Finally, we remove the test mq setup tasks and clean up any unused
or unnecessary variables configured in tests.

Change-Id: I639a3fa3e138b1ae190325b9794969820267ec23
2018-07-27 12:42:19 +01:00
Andy Smith 4df8a013fe Update to use oslo.messaging service for RPC and Notify
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters replace
the rabbitmq values and are used to generate the messaging
transport_url for the service.

This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Update transport_url generation
* Add oslo.messaging to tests inventory and update tests
* Install extra packages for optional drivers

Change-Id: I0b2138ca9eb49387948f2ca87800cf966a9414a8
2018-07-26 09:31:02 +00:00
Jesse Pretorius 9451adb165 Execute service setup against a delegated host using Ansible built-in modules
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.

The openstack_openrc role is now executed once on the designated host, so
it is no longer necessary to execute it using include_role here.

The zun_requires_pip_packages variable is not used and is therefore removed.

Depends-On: https://review.openstack.org/579233
Depends-On: https://review.openstack.org/579959
Change-Id: I7108b43109136aac46bc87a0c59827a202f87be8
2018-07-06 13:50:16 +00:00
Jesse Pretorius 110c2038ed Move database creation into role
There is no record for why we implement the database creation outside
of the role in the playbook, when we could do it inside the role.

Implementing it inside the role allows us to reduce the quantity of
group_vars duplicated from the role, and allows us to better document
the required variables in the role. The delegation can still be done
as it is done in the playbook too.

In this patch we implement a new variable called 'zun_db_setup_host'
which is used in the role to allow delegation of the database setup
task to any host, but defaults to the first member of the galera_all
host group. We also document the variable 'zun_galera_address' which
has been used for a long time, but never documented. A bunch of unused
variables have also been removed.

Change-Id: Ic1e3c870a220f67cc5220a1dbc644d8bf47b0f16
2018-06-28 17:11:29 +01:00
Kevin Carter b54e3f4497 Add packages required for osprofiler
The following packages are required in order to run osprofiler.
These packages will provide deployers the ability to profile
a service on demand should they choose to enable the profile
functionality.

Change-Id: I119ab6ab6f57b04fcedba36006d2a04de91cfae3
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-06-11 22:59:37 -05:00