We are stoked to announce the release of: kolla-ansible 9.2.0: Ansible Deployment of Kolla containers This release is part of the train stable release series. The source is available from: https://opendev.org/openstack/kolla-ansible Download the package from: https://tarballs.openstack.org/kolla-ansible/ Please report issues through: https://bugs.launchpad.net/kolla-ansible/+bugs For more details, please see below. 9.2.0 ^^^^^ New Features ************ * Adds ability to provide a custom elasticsearch config. * Adds Elasticsearch Curator for managing aggregated log data. * Kolla Ansible checks now that the local Ansible Python environment is coherent, i.e. used Ansible can see Kolla Ansible. LP#1856346 Upgrade Notes ************* * Avoids unnecessary fact gathering using the "setup" module. This should improve the performance of environments using fact caching and the Ansible "smart" fact gathering policy. See blueprint for details. * Adds "elasticsearch_use_v6" and "kibana_use_v6" flags which can be set to "true" to deploy the "elasticsearch6" and "kibana6" images on CentOS 7 or 8. These flags are "true" by default on CentOS 8, and "false" elsewhere. The services should be upgraded from 5.x to 6.x via "kolla-ansible upgrade elasticsearch,kibana", and this can be used to provide an Elasticsearch 6.x cluster that is compatible between CentOS 7 and 8. * In the previous stable release, the octavia user was no longer given the admin role in the admin project, and a task was added to remove the role during upgrades. However, the octavia configuration was not updated to use the service project, causing load balancer creation to fail. There is also an issue for existing deployments in simply switching to the service project. While existing load balancers appear to continue to work, creating new load balancers fails due to the security group belonging to the admin project. For this reason, Train and Stein have been reverted to use the admin project by default, while from the Ussuri release the service project will be used by default. To provide flexibility, an "octavia_service_auth_project" variable has been added. In the Train and Stein releases this is set to "admin" by default, and from Ussuri it will be set to "service" by default. For users of Train and Stein, "octavia_service_auth_project" may be set to "service" in order to avoid a breaking change during the Ussuri upgrade. To switch an existing deployment from using the "admin" project to the "service" project, it will at least be necessary to create the required security group in the "service" project, and update "octavia_amp_secgroup_list" to this group's ID. Ideally the Amphora flavor and network would also be recreated in the "service" project, although this does not appear to be necessary for operation, and will impact existing Amphorae. See bug 1873176 for details. * Changes the default value of "kibana_elasticsearch_ssl_verify" from "false" to "true". LP#1885110 * Apache ZooKeeper will now be automatically deployed whenever Apache Storm is enabled. * When deploying Monasca with Logstash 6 (the default for Centos 8), any custom Logstash 2 configuration for Monasca will need to be updated to work with Logstash 6. Please consult the documentation. Bug Fixes ********* * Fixes Kibana deployment with the new E*K stack (6+). LP#1799689 * Fixes Grafana datasource update. LP#1881890 * Removing chrony package and AppArmor profile from docker host if containerized chrony is enabled. LP#1882513 * Escapes table names in mariadb upgrade procedure. LP#1883141 * Fixes an issue with Manila deployment starting "openvswitch" and "neutron-openvswitch-agent" containers when "enable_manila_backend_generic" was set to "False". LP#1884939 * Fixes the Elasticsearch Curator cron schedule run. LP#1885732 * Fixes an incorrect configuration for nova-conductor when a custom Nova policy was applied, preventing the "nova_conductor" container from starting successfully. LP#1886170 * Add missing "become: true" on some VMWare related tasks. Fixed on "Copying VMware vCenter CA file" and "Copying over nsx.ini". * fix deploy nova failed when use kolla_dev_mod. * In line with clients for other services used by Magnum, Cinder and Octavia also use endpoint_type = internalURL. In the same tune, these services also use the globally defined *openstack_region_name*. * Fixes the default CloudKitty configuration, which included the "gnocchi_collector" and "keystone_fetcher" options that were deprecated in Stein and removed in Train. See bug 1876985 for details. * Fixes an issue with Cinder upgrades that would cause online schema migration to fail. LP#1880753 * Fix cyborg api container failed to load api paste file. For details please see bug 1874028. * Fix the configuration of the etcd service so that its protocol is independant of the value of the "internal_protocol" parameter. The etcd service is not load balanced by HAProxy, so there is no proxy layer to do TLS termination when "internal_protocol" is configured to be "https". * Fixes an issue where "fernet_token_expiry" would fail the pre- checks despite being set to a valid value. Please see bug 1856021 (https://bugs.launchpad.net/kolla-ansible/+bug/1856021) for more details. * The kolla_logs Docker volume is now mounted into the Elasticsearch container to expose logs which were previously written erroneously to the container filesystem (bug 1859162). It is up to the user to migrate any existing logs if they so desire and this should be done before applying this fix. * In the previous stable release, the octavia user was no longer given the admin role in the admin project, and a task was added to remove the role during upgrades. However, the octavia configuration was not updated to use the service project, causing load balancer creation to fail. See upgrade notes for details. LP#1873176 * Fixes an issue with RabbitMQ where tags would be removed from the "openstack" user after deploying Nova. This prevents the user from accessing the RabbitMQ management UI. LP#1875786 * Adds a new variable "fluentd_elasticsearch_cacert", which defaults to the value of "openstack_cacert". If set, this will be used to set the path of the CA certificate bundle used by Fluentd when communicating with Elasticsearch. LP#1885109 * Improves error reporting in "kolla-genpwd" and "kolla-mergepwd" when input files are not in the expected format. LP#1880220. * Fixes Magnum trust operations in multi-region deployments. * Deploys Apache ZooKeeper if Apache Storm is enabled explicitly. ZooKeeper would only be deployed if Apache Kafka was also enabled, which is often done implicitly by enabling Monasca. * When deploying Elasticsearch 6 (the default for Centos 8), Logstash 2 was deployed by default which is not compatible with Elasticsearch 6. Logstash 6 is now deployed by default when using Centos 8 containers. Changes in kolla-ansible 9.1.0..9.2.0 ------------------------------------- 1629f5fe0 Manage octavia health manager worker through openstack_service worker 0c1b326e3 Use kolla_logs volume for Elasticsearch 767f0ad06 Use the children group for site.yml bd055912d Remove policy file from nova-conductor config.json template 6cbd4c520 Syntax error in Fluentd Monasca output config 8418b5ae8 Use public interface for Magnum client and trustee Keystone interface 5011b6bd1 Make ES Curator schedule multinode-friendly f1af365da Fix the Elasticsearch Curator cron schedule run dfd867ad1 Fix Zun configuration for TLS 953702532 Fix etcd protocol configuration 4e1225b04 Support using Logstash 6 image with Centos8 ff9a54d01 Support custom elasticsearch configuration files 358887866 Support deploying Elasticsearch Curator 74be7b86a Escape table names in mariadb upgrade procedure 2918bae99 octavia: Add documentation aa2d2b534 Verify TLS by default for Kibana to Elasticsearch 20a1de4ee Support CA certificate for fluentd & Elasticsearch 0498b5c45 Fix Magnum trust operations in multi-region clouds 1aa4565ff Use internalURL endpoint_type for all clients used by Magnum 5699f5a32 Skip storm play when not enabled 05a384920 Change neutron-ovs-agent deploy only with manila generic backend d8b05f4c1 Improve error reporting in password utilities 0715d0d86 Enable ZooKeeper when Storm is enabled 4009a2a17 barbican: Use python3 plugin in uwsgi config c2de7ac4e nova-cell role clone failed eba42fa8c Run tox in venv in case of building images 1851d8812 Make octavia service_auth project configurable 6f227c2cd Remove max count from Cinder online schema migration 9528e5944 fix deploy nova failed when use kolla_dev_mod 473775f14 CI: Install python dependencies 57f6475ee Add EL8 packages. c677690f3 Do not ask for a SSH key password 910b405ce Fix file extension in MariaDB backup docs fda520f82 Remove chrony package if containerized chrony is enabled cf70176c0 Fix Grafana datasource update db8c2dcc5 CI: Fix periodics 31fb5cc67 CI: Move NFV reqs installation to where it belongs a8d760c4c [elasticsearch] Add migration for Kibana 6.x index d8880dd32 [elasticsearch] Update config for 6.x 9463a7499 Add missing become to some VMWare tasks bb9e7d0e7 CI: add missing base jobs 166eb87c3 Fix bug in deploying monasca_agent_forwarder 8cfb1d7a0 Avoid unconditional fact gathering 467e6876a CentOS 8: Support Elasticsearch & Kibana 6.x cfc1ba2c3 Check that used Ansible can see Kolla Ansible d76ddcbad Remove confusing docs 71acc3ef9 Make openstack_release more obvious eccb6806c Remove post_config from the Kibana role 1959e0fcc Add First login steps back into Kibana doc 7b851bdb1 Fix cyborg api failed to load api-paste.ini file afc5c9974 fix can not generate ovs-dpdk.conf 49b58151b Improve fernet_token_expiry precheck c31b2505c Configure RabbitMQ user tags in nova-cell role 7f52e04b8 multipath requires udev-rules in host 7b22f394f Document and test maximum supported version of Ansible 16da9a4a9 CI: Discern between Ironic client and grep failure 653c7ba09 Ignore .vscode/ in Git 9e5afdc17 dpdk-vswitchd: some ovs tools require ovs daemons pidfiles 360330adc Add release note for CloudKitty configuration fixes a673a069c Make nova perms consistent between applications 3efd5d6e1 Update Advanced Config guide to clarify paths 812eeb30c Update section names in cloudkitty config Diffstat (except docs and test files) ------------------------------------- .gitignore | 3 + ansible/gather-facts.yml | 12 +- ansible/group_vars/all.yml | 10 +- ansible/inventory/all-in-one | 4 + ansible/inventory/multinode | 4 + .../roles/barbican/templates/barbican-api.ini.j2 | 2 +- ansible/roles/baremetal/defaults/main.yml | 3 + ansible/roles/baremetal/tasks/post-install.yml | 16 ++ ansible/roles/ceilometer/tasks/config.yml | 1 + ansible/roles/cinder/defaults/main.yml | 4 - ansible/roles/cinder/tasks/upgrade.yml | 1 - ansible/roles/cinder/templates/cinder.conf.j2 | 2 +- .../roles/cloudkitty/templates/cloudkitty.conf.j2 | 4 +- ansible/roles/common/defaults/main.yml | 1 + .../common/templates/conf/output/00-local.conf.j2 | 6 + .../common/templates/conf/output/01-es.conf.j2 | 3 + .../templates/conf/output/02-monasca.conf.j2 | 2 +- ansible/roles/cyborg/tasks/config.yml | 16 +- ansible/roles/elasticsearch/defaults/main.yml | 61 ++++- ansible/roles/elasticsearch/handlers/main.yml | 15 ++ .../roles/elasticsearch/tasks/check-containers.yml | 4 +- ansible/roles/elasticsearch/tasks/config.yml | 47 +++- ansible/roles/elasticsearch/tasks/pull.yml | 4 +- ansible/roles/elasticsearch/tasks/upgrade.yml | 10 +- .../templates/elasticsearch-curator-actions.yml.j2 | 33 +++ .../templates/elasticsearch-curator.crontab.j2 | 3 + .../templates/elasticsearch-curator.json.j2 | 32 +++ .../templates/elasticsearch-curator.yml.j2 | 8 + .../elasticsearch/templates/elasticsearch.json.j2 | 2 +- .../elasticsearch/templates/elasticsearch.yml.j2 | 4 +- ansible/roles/etcd/defaults/main.yml | 10 +- ansible/roles/grafana/tasks/post_config.yml | 2 +- ansible/roles/keystone/tasks/precheck.yml | 24 +- ansible/roles/kibana/defaults/main.yml | 18 +- ansible/roles/kibana/files/kibana-6-index.json | 264 +++++++++++++++++++++ ansible/roles/kibana/tasks/deploy.yml | 2 - .../roles/kibana/tasks/migrate-kibana-index.yml | 99 ++++++++ ansible/roles/kibana/tasks/post_config.yml | 72 ------ ansible/roles/kibana/tasks/upgrade.yml | 3 + ansible/roles/magnum/templates/magnum.conf.j2 | 11 + ansible/roles/mariadb/tasks/upgrade.yml | 2 +- ansible/roles/monasca/defaults/main.yml | 6 +- ansible/roles/monasca/tasks/post_config.yml | 3 +- .../monasca-agent-forwarder/agent-forwarder.yml.j2 | 2 +- .../monasca-log-metrics/log-metrics.conf.j2 | 29 +++ .../monasca-log-metrics.json.j2 | 3 +- .../monasca-log-persister/log-persister.conf.j2 | 13 + .../monasca-log-persister.json.j2 | 3 +- .../log-transformer.conf.j2 | 24 ++ .../monasca-log-transformer.json.j2 | 3 +- ansible/roles/neutron/defaults/main.yml | 2 +- ansible/roles/neutron/tasks/config.yml | 1 + ansible/roles/nova-cell/defaults/main.yml | 7 +- .../templates/nova-cell-bootstrap.json.j2 | 3 +- .../nova-cell/templates/nova-conductor.json.j2 | 8 +- ansible/roles/nova/tasks/bootstrap.yml | 3 + ansible/roles/nova/tasks/deploy.yml | 3 - .../nova/templates/nova-api-bootstrap.json.j2 | 3 +- ansible/roles/octavia/defaults/main.yml | 4 + ansible/roles/octavia/tasks/register.yml | 14 ++ ansible/roles/octavia/templates/octavia.conf.j2 | 5 +- ansible/roles/openvswitch/defaults/main.yml | 4 +- .../ovs-dpdk/templates/ovsdpdk-vswitchd.json.j2 | 2 +- ansible/roles/qinling/templates/qinling.conf.j2 | 2 +- ansible/roles/service-rabbitmq/defaults/main.yml | 1 + ansible/roles/service-rabbitmq/tasks/main.yml | 1 + .../roles/skydive/templates/skydive-agent.conf.j2 | 4 +- .../skydive/templates/skydive-analyzer.conf.j2 | 4 +- ansible/roles/zun/templates/zun.conf.j2 | 5 + ansible/site.yml | 14 +- .../central-logging-guide.rst | 49 ++++ etc/kolla/globals.yml | 7 +- kolla_ansible/cmd/genpwd.py | 4 + kolla_ansible/cmd/mergepwd.py | 9 + ...custom-elasticsearch-conf-6fc34fbc3b471997.yaml | 3 + ...add-elasticsearch-curator-88089d04f7ccd549.yaml | 4 + ...onditional-fact-gathering-94760984b2de0796.yaml | 8 + .../notes/bug-1799689-c8612c73649ac483.yaml | 5 + .../notes/bug-1856346-59d0f01005d56e81.yaml | 6 + .../notes/bug-1881890-72c76f5fc065588b.yaml | 5 + ...-chrony-permission-denied-917b3bffc5cdb38d.yaml | 6 + .../notes/bug-1883141-336fd12b89a3a5cc.yaml | 5 + .../notes/bug-1884939-7c77b8002d3ff52d.yaml | 7 + .../notes/bug-1885732-10803d46f9c73444.yaml | 5 + .../notes/bug-1886170-f76d9d3520ab86ec.yaml | 7 + ...-become-attributes-vmware-9ae97e49b4d7dc0d.yaml | 5 + .../bug-nova-dev-mod-failed-ad4e64f5a5bc2a6a.yaml | 4 + ...in-magnum-use-internalURL-af3ad82af71a88c6.yaml | 6 + ...ty-removed-config-options-6b656fb8bfa5431d.yaml | 7 + .../elasticsearch-kibana-6-6621548e948d9d23.yaml | 10 + ...-cinder-upgrade-max-count-ab928f85f224c63d.yaml | 5 + ...ed-to-find-api-paste-file-225cec3ec16b2265.yaml | 6 + .../notes/fix-etcd-protocol-3c9482f90070ee6e.yaml | 8 + .../fix-fernet-pre-check-5efbdfe43a2776e3.yaml | 6 + ...-elasticsearch-kolla-logs-a0ba85d91d1a2c31.yaml | 8 + ...avia-service-auth-project-849a4e5bd852e9c7.yaml | 40 ++++ .../fix-rabbitmq-user-tags-8c9d626b28ff5d51.yaml | 7 + ...entd-elasticsearch-cacert-0e8824dd57052913.yaml | 8 + .../notes/improve-pwd-errors-7563a3cc941c3091.yaml | 6 + .../notes/kibana-tls-verify-8bfcb822268ad0d8.yaml | 6 + ...stee-keystone-region-name-002162a45f855faf.yaml | 4 + .../storm-enable-zookeeper-2108156acced1c57.yaml | 10 + .../notes/support-logstash-6-d64bb51217b79a77.yaml | 12 + tools/init-runonce | 2 +- tools/kolla-ansible | 83 +++++-- tools/ovs-dpdkctl.sh | 6 +- tools/setup_gate.sh | 5 +- zuul.d/base.yaml | 22 ++ zuul.d/project.yaml | 3 +- 120 files changed, 1500 insertions(+), 243 deletions(-)