We are chuffed to announce the release of: kolla-ansible 9.3.0: Ansible Deployment of Kolla containers This release is part of the train stable release series. The source is available from: https://opendev.org/openstack/kolla-ansible Download the package from: https://tarballs.openstack.org/kolla-ansible/ Please report issues through: https://bugs.launchpad.net/kolla-ansible/+bugs For more details, please see below. 9.3.0 ^^^^^ New Features ************ * Adds a new flag, "docker_disable_default_iptables_rules", which defaults to "no". Docker is manipulating iptables rules by default to provide network isolation, and this might cause problems if the host already has an iptables based firewall. A common problem is that Docker sets the default policy of the "FORWARD" chain in the "filter" to "DROP". Setting "docker_disable_default_iptables_rules" to "yes" will disable Docker's iptables manipulation. This feature will be enabled by default from the Victoria 11.0.0 release. * Improves performance of the "common" role by generating all fluentd configuration in a single file. * Improves performance of the "common" role by generating all logrotate configuration in a single file. Upgrade Notes ************* * The default value of "REST_API_REQUIRED_SETTINGS" was synchronized with Horizon. You may want to review settings exposed by the updated configuration. Security Issues *************** * The "admin-openrc.sh" file generated by "kolla-ansible post- deploy" was previously created with "root:root" ownership and "644" permissions. This would allow anyone with access to the same directory to read the file, including the admin credentials. The ownership of "admin-openrc.sh" is now set to the user executing "kolla-ansible", and the file is assigned a mode of "600". This change can be applied by running "kolla-ansible post-deploy". Bug Fixes ********* * Add support to use bifrost-deploy behind proxy. It uses existing container_proxy variable. * Fixes handling of */dev/kvm* permissions to be more robust against host-level actions. LP#1681461 * Rework keystone fernet bootstrap which had tendencies to fail on multinode setups. See bug 1846789 for details. * IPv6 fully-routed topology (/128 addressing) is now allowed (where applicable). LP#1848941 * Fixes deployment of fluentd without any enabled OpenStack services. LP#1867953 * This patch adds "kolla-ansible" internal logrotate config for Logstash. Logstash 2.4 uses integrated in container logrotate configuration which tries to rotate logs in /var/log/logstash while "kolla-ansible" deployed Logstash logs are in /var/log/kolla/logstash. LP#1886787 * Fixes "--configdir" parameter to apply to default "passwords.yml" location. LP#1887180 * "fluentd" is now logging to "/var/log/kolla/fluentd/fluentd.log" instead of "stdout". LP#1888852 * Fixes "deploy-containers" action missing for the Masakari role. LP#1889611 * An issue has been fixed when "keystone" container would be stuck in restart loop with a message that fernet key is stale. LP#1895723 * Fixes "haproxy_single_service_split" template to work with default for "mode" ("http"). LP#1896591 * Fixed invalid fernet cron file path on Debian/Ubuntu from "/var/spool/cron/crontabs/root/fernet-cron" to "/var/spool/cron/crontabs/root". LP#1898765 * Add with_first_found on placement for placement-api wsgi configuration to allow overwrite from users. LP#1898766 * RabbitMQ services are now restarted serially to avoid a split brain. LP#1904702 * Fixes LP#1906796 by adding notice and note loglevels to monasca log- metrics drop configuration * Fixes Swift's stop action. It will no longer try to start "swift- object-updater" container again. LP#1906944 * Fixes an issue with the "kolla-ansible prechecks" command with Docker 20.10. LP#1907436 * Fixes an issue with "kolla-ansible mariadb_recovery" when the "mariadb" container does not exist on one or more hosts. LP#1907658 * fix deploy freezer failed when use kolla_dev_mod LP#1888242 * Fixes issues with some CloudKitty commands trying to connect to an external TLS endpoint using HTTP. LP#1888544 * Fixes an issue where Docker may fail to start if "iptables" is not installed. LP#1899060 * The "admin-openrc.sh" file generated by "kolla-ansible post- deploy" was previously created with "root:root" ownership and "644" permissions. This would allow anyone with access to the same directory to read the file, including the admin credentials. The ownership of "admin-openrc.sh" is now set to the user executing "kolla-ansible", and the file is assigned a mode of "600". This change can be applied by running "kolla-ansible post-deploy". * Fixes an issue during deleting evacuated instances with encrypted block devices. LP#1891462 * Fixes an issue where Keystone Fernet key rotation may fail due to permission denied error if the Keystone rotation happens before the Keystone container starts. LP#1888512 * Fixes an issue with Keystone startup when Fernet key rotation does not occur within the configured interval. This may happen due to one of the Keystone hosts being down at the scheduled time of rotation, or due to uneven intervals between cron jobs. LP#1895723 * Fixes an issue where Grafana instances would race to bootstrap the Grafana DB. See LP#1888681. * Fixes LP#1892210 where the number of open connections to Memcached from "neutron-server" would grow over time until reaching the maximum set by "memcached_connection_limit" (5000 by default), at which point the Memcached instance would stop working. * An issue where when Kafka default topic creation was used to create a Kafka topic, no redundant replicas were created in a multi- node cluster. LP#1888522. This affects Monasca which uses Kafka, and was previously masked by the legacy Kafka client used by Monasca which has since been upgraded in Ussuri. Monasca users with multi- node Kafka clusters should consultant the Kafka documentation to increase the number of replicas. * Fixes an issue where the "br_netfilter" kernel module was not loaded on compute hosts. LP#1886796 * Prevents adding a new Keystone host to an existing cluster when not targeting all Keystone hosts (e.g. due to "--limit" or "-- serial" arguments), to avoid overwriting existing Fernet keys. LP#1891364 * Reduce the use of SQLAlchemy connection pooling, to improve service reliability during a failover of the controller with the internal VIP. LP#1896635 * No longer configures the Prometheus OpenStack exporter to use the "prometheus" Docker volume, which was never required. * Updates the default value of "REST_API_REQUIRED_SETTINGS" in Horizon "local_settings", which enables some features such as selecting the default boot source for instances. LP#1891024 Changes in kolla-ansible 9.2.0..9.3.0 ------------------------------------- 060267ec8 Use ansible_distribution_release instead of ansible_lsb.codename 0719b78dc Fix mariadb_recovery when mariadb container is missing bc6d69192 Backport ignore_missing support for kolla_docker 1c0f26818 Edit ironic inspector pxe filter driver name none to noop 7b55676f2 Do not start swift-object-updater on stop c54d34595 docs: Add magnum guide 5744a6273 Revert "Performance: Use import_tasks in the main plays" 020f9093f Monasca log-metrics - Drop "notice" and "note" loglevel metrics by default c34bc558c CI: Avoid tox (and clean up gate setup) 190d8a17e [CI] Drop periodics and multinode gating c34bf4529 Fix prechecks with Docker 20.10.0 and py27 job 6323f8096 RabbitMQ handler refactored to restart services in serial 46f27a8dc Do not set 'always' tag where unnecessary ae2b7fa18 Performance: Use import_tasks in the main plays 492fc8f9c Fix stop containers task in Swift rolling restart 1aa3ab5e5 Fix kolla-ansible to work with pyenv-virtualenv 2418a317a [CI] Set 0 swap size 6342da230 Fix permission denied during Fernet key rotation 5ede5d9db Fix keystone-startup.sh - remove Fernet key age check dc497edc7 Fix fernet cron path on Ubuntu/Debian 70fe644bc baremetal: Install iptables for Docker if enabled 4c25aedb0 replace internal with openstack_interface dd37b867c Delete the /var/log/kolla directory should use sudo 55f2c1c34 Performance: use a single config file for fluentd 0eeff529f Performance: optimize genconfig 059bc5c27 docs: more info on migrating from CentOS 7 to 8 838af93b5 Performance: use a single config file for logrotate 55b2eee95 Apply bool filter to all enable_prometheus_* variables 8be6606de Remove duplicate groups 51b69e9b1 docs: Add information on migrating to CentOS 8 c92325d01 Performance: use import_tasks for register and bootstrap ad9e82a99 Allow overwrite of placement-api wsgi config 6d03ac94c Add 'baremetal' to mechanism_drivers when using ironic+linuxbridge 903efc5a9 Reduce the use of SQLAlchemy connection pooling ecd899c9a Fix keystone-startup.sh b04819dd9 Fix default mode in haproxy_single_service_split 475a8ff0a Remove unused configuration for prometheus-openstack-exporter d1f1c5c33 Performance: replace unconditional include_tasks with import_tasks 5a9c89479 Performance: remove one include_tasks in nova-cell 55fe8c189 Synchronize REST_API_REQUIRED_SETTINGS with Horizon b27e0741b Fix test-ironic.sh not catching errors c5e8162ff Add default value for kolla_internal_address variable 024ce8be9 Fix external mariadb documentation for database_user c0e20dfd8 [CI] Fix Bifrost CentOS 8 job 8cd7b4d1a Fix fernet bootstrap and key distribution - follow up ac38a4875 Fix keystone fernet bootstrap 1432aa007 add region name for tasks 2750a0835 Prevent overwriting existing Keystone Fernet keys 1ae811932 change the timezone precheck task's condition dcc74b45e Add workaround for keystonemiddleware/neutron memcached issue 06c6e14e5 Fix kolla-ansible not reflect environment changed ad42c70f9 Add cinder auth config to nova-cell nova.conf.j2 27919beee Fix ownership and permissions of admin-openrc.sh f22643ff5 CI: enable Ansible SSH pipelining 84ccebf16 Mount /etc/timezone based on host OS 421246a33 Add support to use bifrost-deploy behind proxy 59cd154c1 Add missing mistral services log files 97f601cbe Fix fluentd warnings caused by "type copy" cf733fdde [CI] Temporarily block new Ansible 0c3bd2532 [docker] Added a new flag to disable default iptables rules df06eab19 Fix actions for Aodh and Swift 751d51b53 Fix play hosts for ironic, monasca, neutron, nova cc2889090 Fix kolla_address in IPv6 fully-routed topo case 4d53605ac Fix Masakari role missing deploy-containers 560d27839 Performance: use import_tasks for check-containers.yml 9648a0aa4 fluentd: log to a file instead of stdout f2031fc8a Improve Grafana DB bootstrap 410e66eec Set Kafka default replication factor 5433cbd8c Fix some CloudKitty API responses when behind SSL efbcf5285 Performance: remove unnecessary conditions from includes 3525b2c36 Update glance configuration file for backend 724c1c807 CI: add prometheus-efk scenario c30ed83fb fix deploy freezer failed when kolla_dev_mod enabled 574257dc2 Make /dev/kvm permissions handling more robust 0de9de494 Fix deprecation warnings in fluentd 678e24e5a Fix deployment of fluentd without any enabled OpenStack services 94c27865c Support editable virtualenv installation for development 6b51404a9 Manila - adjust logic for Open vSwitch configuration generation 0e353d3f5 Fix Logstash 2.4 log rotation 2aba54b88 Use openstack_tag for elasticsearch-curator image 8d7cc7239 Evaluate PASSWORDS_FILE later 921585a82 Load br_netfilter module in nova-cell role Diffstat (except docs and test files) ------------------------------------- ansible/group_vars/all.yml | 7 +- ansible/library/kolla_docker.py | 7 +- ansible/nova.yml | 2 + ansible/post-deploy.yml | 9 +- ansible/roles/aodh/defaults/main.yml | 8 +- ansible/roles/aodh/tasks/bootstrap.yml | 2 +- ansible/roles/aodh/tasks/config.yml | 3 - ansible/roles/aodh/tasks/deploy.yml | 14 +- ansible/roles/aodh/tasks/reconfigure.yml | 2 +- ansible/roles/aodh/tasks/register.yml | 1 - ansible/roles/aodh/tasks/stop.yml | 6 + ansible/roles/aodh/tasks/upgrade.yml | 6 +- ansible/roles/aodh/templates/aodh.conf.j2 | 2 + ansible/roles/barbican/defaults/main.yml | 6 +- ansible/roles/barbican/tasks/bootstrap.yml | 2 +- ansible/roles/barbican/tasks/config.yml | 3 - ansible/roles/barbican/tasks/deploy.yml | 13 +- ansible/roles/barbican/tasks/reconfigure.yml | 2 +- ansible/roles/barbican/tasks/register.yml | 1 - ansible/roles/barbican/tasks/upgrade.yml | 6 +- ansible/roles/baremetal/defaults/main.yml | 4 +- .../roles/baremetal/tasks/bootstrap-servers.yml | 6 +- ansible/roles/baremetal/tasks/post-install.yml | 13 + ansible/roles/bifrost/tasks/deploy.yml | 6 +- ansible/roles/bifrost/tasks/reconfigure.yml | 2 +- ansible/roles/bifrost/tasks/start.yml | 1 + ansible/roles/bifrost/tasks/upgrade.yml | 4 +- ansible/roles/blazar/defaults/main.yml | 4 +- ansible/roles/blazar/tasks/bootstrap.yml | 2 +- ansible/roles/blazar/tasks/config.yml | 3 - ansible/roles/blazar/tasks/deploy.yml | 12 +- ansible/roles/blazar/tasks/reconfigure.yml | 2 +- ansible/roles/blazar/tasks/register.yml | 1 - ansible/roles/blazar/tasks/upgrade.yml | 6 +- ansible/roles/blazar/templates/blazar.conf.j2 | 2 + ansible/roles/ceilometer/defaults/main.yml | 8 +- ansible/roles/ceilometer/tasks/bootstrap.yml | 2 +- ansible/roles/ceilometer/tasks/config.yml | 3 - ansible/roles/ceilometer/tasks/deploy.yml | 12 +- ansible/roles/ceilometer/tasks/reconfigure.yml | 2 +- ansible/roles/ceilometer/tasks/register.yml | 1 - ansible/roles/ceilometer/tasks/upgrade.yml | 6 +- ansible/roles/chrony/defaults/main.yml | 2 +- ansible/roles/chrony/tasks/config.yml | 3 - ansible/roles/chrony/tasks/deploy.yml | 4 +- ansible/roles/chrony/tasks/reconfigure.yml | 2 +- ansible/roles/chrony/tasks/upgrade.yml | 2 +- ansible/roles/cinder/defaults/main.yml | 8 +- ansible/roles/cinder/tasks/bootstrap.yml | 2 +- ansible/roles/cinder/tasks/config.yml | 3 - ansible/roles/cinder/tasks/deploy.yml | 21 +- ansible/roles/cinder/tasks/reconfigure.yml | 2 +- ansible/roles/cinder/tasks/register.yml | 1 - ansible/roles/cinder/tasks/upgrade.yml | 6 +- ansible/roles/cinder/templates/cinder.conf.j2 | 2 + ansible/roles/cloudkitty/defaults/main.yml | 4 +- ansible/roles/cloudkitty/tasks/bootstrap.yml | 4 +- ansible/roles/cloudkitty/tasks/config.yml | 3 - ansible/roles/cloudkitty/tasks/deploy.yml | 12 +- ansible/roles/cloudkitty/tasks/reconfigure.yml | 2 +- ansible/roles/cloudkitty/tasks/register.yml | 1 - ansible/roles/cloudkitty/tasks/upgrade.yml | 6 +- .../roles/cloudkitty/templates/cloudkitty.conf.j2 | 5 + ansible/roles/collectd/defaults/main.yml | 2 +- ansible/roles/collectd/tasks/config.yml | 3 - ansible/roles/collectd/tasks/deploy.yml | 4 +- ansible/roles/collectd/tasks/reconfigure.yml | 2 +- ansible/roles/collectd/tasks/upgrade.yml | 4 +- ansible/roles/common/defaults/main.yml | 97 ++++- ansible/roles/common/filter_plugins/filters.py | 22 ++ ansible/roles/common/tasks/config.yml | 409 ++++++++------------- ansible/roles/common/tasks/deploy.yml | 6 +- ansible/roles/common/tasks/reconfigure.yml | 2 +- ansible/roles/common/tasks/upgrade.yml | 4 +- .../templates/conf/filter/01-rewrite-0.12.conf.j2 | 2 +- .../templates/conf/filter/01-rewrite-0.14.conf.j2 | 2 +- .../common/templates/conf/input/00-global.conf.j2 | 46 +-- .../common/templates/conf/input/01-syslog.conf.j2 | 2 +- .../common/templates/conf/output/00-local.conf.j2 | 54 +-- .../templates/cron-logrotate-fluentd.conf.j2 | 3 + .../common/templates/cron-logrotate-global.conf.j2 | 5 +- .../templates/cron-logrotate-logstash.conf.j2 | 3 + ansible/roles/common/templates/cron.json.j2 | 78 +--- ansible/roles/common/templates/fluentd.json.j2 | 54 +-- ansible/roles/common/templates/td-agent.conf.j2 | 49 ++- ansible/roles/congress/defaults/main.yml | 6 +- ansible/roles/cyborg/defaults/main.yml | 6 +- ansible/roles/cyborg/tasks/bootstrap.yml | 2 +- ansible/roles/cyborg/tasks/config.yml | 3 - ansible/roles/cyborg/tasks/deploy.yml | 13 +- ansible/roles/cyborg/tasks/reconfigure.yml | 2 +- ansible/roles/cyborg/tasks/register.yml | 1 - ansible/roles/cyborg/tasks/upgrade.yml | 6 +- ansible/roles/cyborg/templates/cyborg.conf.j2 | 2 + ansible/roles/designate/defaults/main.yml | 14 +- ansible/roles/designate/tasks/bootstrap.yml | 2 +- ansible/roles/designate/tasks/config.yml | 3 - ansible/roles/designate/tasks/deploy.yml | 20 +- ansible/roles/designate/tasks/reconfigure.yml | 2 +- ansible/roles/designate/tasks/register.yml | 1 - ansible/roles/designate/tasks/update_pools.yml | 3 +- ansible/roles/designate/tasks/upgrade.yml | 8 +- ansible/roles/elasticsearch/defaults/main.yml | 5 +- ansible/roles/elasticsearch/tasks/config.yml | 3 - ansible/roles/elasticsearch/tasks/deploy.yml | 6 +- ansible/roles/elasticsearch/tasks/reconfigure.yml | 2 +- ansible/roles/elasticsearch/tasks/upgrade.yml | 6 +- ansible/roles/etcd/defaults/main.yml | 2 +- ansible/roles/etcd/tasks/config.yml | 3 - ansible/roles/etcd/tasks/deploy.yml | 4 +- ansible/roles/etcd/tasks/reconfigure.yml | 2 +- ansible/roles/etcd/tasks/upgrade.yml | 4 +- ansible/roles/freezer/defaults/main.yml | 4 +- ansible/roles/freezer/tasks/bootstrap.yml | 4 +- ansible/roles/freezer/tasks/config.yml | 3 - ansible/roles/freezer/tasks/deploy.yml | 15 +- ansible/roles/freezer/tasks/reconfigure.yml | 2 +- ansible/roles/freezer/tasks/register.yml | 1 - ansible/roles/freezer/tasks/upgrade.yml | 6 +- ansible/roles/freezer/templates/freezer.conf.j2 | 2 + ansible/roles/glance/defaults/main.yml | 4 +- ansible/roles/glance/tasks/bootstrap.yml | 2 +- ansible/roles/glance/tasks/config.yml | 3 - ansible/roles/glance/tasks/deploy.yml | 14 +- ansible/roles/glance/tasks/legacy_upgrade.yml | 6 +- ansible/roles/glance/tasks/reconfigure.yml | 2 +- ansible/roles/glance/tasks/register.yml | 1 - ansible/roles/glance/tasks/rolling_upgrade.yml | 2 + ansible/roles/glance/templates/glance-api.conf.j2 | 2 + ansible/roles/gnocchi/defaults/main.yml | 6 +- ansible/roles/gnocchi/tasks/bootstrap.yml | 2 +- ansible/roles/gnocchi/tasks/config.yml | 3 - ansible/roles/gnocchi/tasks/deploy.yml | 13 +- ansible/roles/gnocchi/tasks/reconfigure.yml | 2 +- ansible/roles/gnocchi/tasks/register.yml | 1 - ansible/roles/gnocchi/tasks/upgrade.yml | 6 +- ansible/roles/gnocchi/templates/gnocchi.conf.j2 | 3 +- ansible/roles/grafana/defaults/main.yml | 2 +- ansible/roles/grafana/handlers/main.yml | 39 +- ansible/roles/grafana/tasks/config.yml | 3 - ansible/roles/grafana/tasks/deploy.yml | 8 +- ansible/roles/grafana/tasks/reconfigure.yml | 2 +- ansible/roles/grafana/tasks/upgrade.yml | 30 +- .../templates/haproxy_single_service_split.cfg.j2 | 2 +- ansible/roles/haproxy/defaults/main.yml | 4 +- ansible/roles/haproxy/tasks/config.yml | 3 - ansible/roles/haproxy/tasks/deploy.yml | 6 +- ansible/roles/haproxy/tasks/reconfigure.yml | 2 +- ansible/roles/haproxy/tasks/upgrade.yml | 4 +- ansible/roles/heat/defaults/main.yml | 6 +- ansible/roles/heat/tasks/bootstrap.yml | 2 +- ansible/roles/heat/tasks/config.yml | 3 - ansible/roles/heat/tasks/deploy.yml | 16 +- ansible/roles/heat/tasks/reconfigure.yml | 2 +- ansible/roles/heat/tasks/register.yml | 1 - ansible/roles/heat/tasks/upgrade.yml | 6 +- ansible/roles/heat/templates/heat.conf.j2 | 2 + ansible/roles/horizon/defaults/main.yml | 2 +- ansible/roles/horizon/tasks/bootstrap.yml | 2 +- ansible/roles/horizon/tasks/config.yml | 3 - ansible/roles/horizon/tasks/deploy.yml | 4 +- ansible/roles/horizon/tasks/reconfigure.yml | 2 +- ansible/roles/horizon/tasks/upgrade.yml | 4 +- ansible/roles/horizon/templates/local_settings.j2 | 12 +- ansible/roles/influxdb/defaults/main.yml | 2 +- ansible/roles/influxdb/tasks/config.yml | 3 - ansible/roles/influxdb/tasks/deploy.yml | 4 +- ansible/roles/influxdb/tasks/reconfigure.yml | 2 +- ansible/roles/influxdb/tasks/upgrade.yml | 4 +- ansible/roles/ironic/defaults/main.yml | 14 +- ansible/roles/ironic/tasks/bootstrap.yml | 2 +- ansible/roles/ironic/tasks/config.yml | 3 - ansible/roles/ironic/tasks/deploy.yml | 22 +- ansible/roles/ironic/tasks/legacy_upgrade.yml | 8 +- ansible/roles/ironic/tasks/reconfigure.yml | 2 +- ansible/roles/ironic/tasks/register.yml | 1 - ansible/roles/ironic/tasks/rolling_upgrade.yml | 12 +- .../ironic/templates/ironic-inspector.conf.j2 | 2 + ansible/roles/ironic/templates/ironic.conf.j2 | 2 + ansible/roles/iscsi/defaults/main.yml | 4 +- ansible/roles/iscsi/tasks/config.yml | 3 - ansible/roles/iscsi/tasks/deploy.yml | 6 +- ansible/roles/iscsi/tasks/reconfigure.yml | 2 +- ansible/roles/iscsi/tasks/upgrade.yml | 2 +- ansible/roles/kafka/defaults/main.yml | 2 +- ansible/roles/kafka/tasks/config.yml | 3 - ansible/roles/kafka/tasks/deploy.yml | 4 +- ansible/roles/kafka/tasks/reconfigure.yml | 2 +- ansible/roles/kafka/tasks/upgrade.yml | 4 +- .../kafka/templates/kafka.server.properties.j2 | 1 + ansible/roles/karbor/defaults/main.yml | 6 +- ansible/roles/karbor/tasks/bootstrap.yml | 2 +- ansible/roles/karbor/tasks/config.yml | 3 - ansible/roles/karbor/tasks/deploy.yml | 13 +- ansible/roles/karbor/tasks/reconfigure.yml | 2 +- ansible/roles/karbor/tasks/register.yml | 1 - ansible/roles/karbor/tasks/upgrade.yml | 6 +- ansible/roles/karbor/templates/karbor.conf.j2 | 2 + ansible/roles/keystone/defaults/main.yml | 6 +- ansible/roles/keystone/handlers/main.yml | 12 +- ansible/roles/keystone/tasks/bootstrap.yml | 2 +- ansible/roles/keystone/tasks/bootstrap_service.yml | 54 +++ ansible/roles/keystone/tasks/config.yml | 17 +- ansible/roles/keystone/tasks/deploy.yml | 12 +- ansible/roles/keystone/tasks/distribute_fernet.yml | 19 + ansible/roles/keystone/tasks/init_fernet.yml | 27 -- ansible/roles/keystone/tasks/reconfigure.yml | 2 +- ansible/roles/keystone/tasks/register.yml | 2 +- ansible/roles/keystone/tasks/upgrade.yml | 4 +- .../keystone/templates/fernet-node-sync.sh.j2 | 28 +- ansible/roles/keystone/templates/fernet-push.sh.j2 | 3 + .../roles/keystone/templates/fernet-rotate.sh.j2 | 3 + .../keystone/templates/keystone-fernet.json.j2 | 9 +- .../roles/keystone/templates/keystone-ssh.json.j2 | 7 + .../keystone/templates/keystone-startup.sh.j2 | 24 ++ ansible/roles/keystone/templates/keystone.conf.j2 | 2 + ansible/roles/keystone/templates/keystone.json.j2 | 9 +- ansible/roles/kibana/defaults/main.yml | 2 +- ansible/roles/kibana/tasks/config.yml | 3 - ansible/roles/kibana/tasks/deploy.yml | 4 +- ansible/roles/kibana/tasks/reconfigure.yml | 2 +- ansible/roles/kibana/tasks/upgrade.yml | 4 +- ansible/roles/kuryr/defaults/main.yml | 2 +- ansible/roles/kuryr/tasks/config.yml | 3 - ansible/roles/kuryr/tasks/deploy.yml | 6 +- ansible/roles/kuryr/tasks/reconfigure.yml | 2 +- ansible/roles/kuryr/tasks/register.yml | 1 - ansible/roles/kuryr/tasks/upgrade.yml | 4 +- ansible/roles/magnum/defaults/main.yml | 4 +- ansible/roles/magnum/tasks/bootstrap.yml | 2 +- ansible/roles/magnum/tasks/config.yml | 3 - ansible/roles/magnum/tasks/deploy.yml | 12 +- ansible/roles/magnum/tasks/reconfigure.yml | 2 +- ansible/roles/magnum/tasks/register.yml | 4 +- ansible/roles/magnum/tasks/upgrade.yml | 6 +- ansible/roles/magnum/templates/magnum.conf.j2 | 2 + ansible/roles/manila/defaults/main.yml | 8 +- ansible/roles/manila/tasks/bootstrap.yml | 2 +- ansible/roles/manila/tasks/config.yml | 3 - ansible/roles/manila/tasks/deploy.yml | 14 +- ansible/roles/manila/tasks/reconfigure.yml | 2 +- ansible/roles/manila/tasks/register.yml | 1 - ansible/roles/manila/tasks/upgrade.yml | 6 +- ansible/roles/manila/templates/manila.conf.j2 | 2 + ansible/roles/mariadb/defaults/main.yml | 2 +- ansible/roles/mariadb/tasks/bootstrap.yml | 2 +- ansible/roles/mariadb/tasks/config.yml | 3 - ansible/roles/mariadb/tasks/deploy.yml | 10 +- ansible/roles/mariadb/tasks/reconfigure.yml | 2 +- ansible/roles/mariadb/tasks/recover_cluster.yml | 21 +- ansible/roles/mariadb/tasks/upgrade.yml | 2 +- ansible/roles/masakari/defaults/main.yml | 6 +- ansible/roles/masakari/tasks/bootstrap.yml | 2 +- ansible/roles/masakari/tasks/check-containers.yml | 17 + ansible/roles/masakari/tasks/config.yml | 18 - ansible/roles/masakari/tasks/deploy-containers.yml | 2 + ansible/roles/masakari/tasks/deploy.yml | 13 +- ansible/roles/masakari/tasks/reconfigure.yml | 2 +- ansible/roles/masakari/tasks/register.yml | 1 - ansible/roles/masakari/tasks/upgrade.yml | 6 +- ansible/roles/masakari/templates/masakari.conf.j2 | 2 + ansible/roles/memcached/defaults/main.yml | 2 +- ansible/roles/memcached/tasks/config.yml | 3 - ansible/roles/memcached/tasks/deploy.yml | 4 +- ansible/roles/memcached/tasks/reconfigure.yml | 2 +- ansible/roles/memcached/tasks/upgrade.yml | 4 +- ansible/roles/mistral/defaults/main.yml | 8 +- ansible/roles/mistral/tasks/bootstrap.yml | 2 +- ansible/roles/mistral/tasks/config.yml | 3 - ansible/roles/mistral/tasks/deploy.yml | 14 +- ansible/roles/mistral/tasks/reconfigure.yml | 2 +- ansible/roles/mistral/tasks/register.yml | 1 - ansible/roles/mistral/tasks/upgrade.yml | 6 +- ansible/roles/mistral/templates/mistral.conf.j2 | 2 + ansible/roles/monasca/defaults/main.yml | 24 +- ansible/roles/monasca/handlers/main.yml | 39 +- ansible/roles/monasca/tasks/bootstrap.yml | 2 +- ansible/roles/monasca/tasks/config.yml | 3 - ansible/roles/monasca/tasks/deploy.yml | 37 +- ansible/roles/monasca/tasks/reconfigure.yml | 2 +- ansible/roles/monasca/tasks/register.yml | 1 - ansible/roles/monasca/tasks/upgrade.yml | 35 +- .../monasca/templates/monasca-api/api.conf.j2 | 2 + .../monasca-log-metrics/log-metrics.conf.j2 | 2 +- ansible/roles/mongodb/defaults/main.yml | 2 +- ansible/roles/mongodb/tasks/config.yml | 2 +- ansible/roles/multipathd/defaults/main.yml | 2 +- ansible/roles/multipathd/tasks/config.yml | 3 - ansible/roles/multipathd/tasks/deploy.yml | 6 +- ansible/roles/multipathd/tasks/reconfigure.yml | 2 +- ansible/roles/multipathd/tasks/upgrade.yml | 6 +- ansible/roles/murano/defaults/main.yml | 4 +- ansible/roles/murano/tasks/bootstrap.yml | 2 +- ansible/roles/murano/tasks/config.yml | 3 - ansible/roles/murano/tasks/deploy.yml | 16 +- ansible/roles/murano/tasks/reconfigure.yml | 2 +- ansible/roles/murano/tasks/register.yml | 1 - ansible/roles/murano/tasks/upgrade.yml | 8 +- ansible/roles/murano/templates/murano.conf.j2 | 2 + ansible/roles/neutron/defaults/main.yml | 24 +- ansible/roles/neutron/tasks/bootstrap.yml | 2 +- ansible/roles/neutron/tasks/check-containers.yml | 1 + ansible/roles/neutron/tasks/config.yml | 3 - ansible/roles/neutron/tasks/deploy.yml | 12 +- ansible/roles/neutron/tasks/legacy_upgrade.yml | 8 +- ansible/roles/neutron/tasks/reconfigure.yml | 2 +- ansible/roles/neutron/tasks/register.yml | 1 - ansible/roles/neutron/tasks/rolling_upgrade.yml | 6 +- ansible/roles/neutron/templates/ml2_conf.ini.j2 | 2 +- ansible/roles/neutron/templates/neutron.conf.j2 | 5 + ansible/roles/nova-cell/defaults/main.yml | 23 +- ansible/roles/nova-cell/tasks/config-host.yml | 36 ++ .../roles/nova-cell/tasks/config-libvirt-tls.yml | 48 ++- ansible/roles/nova-cell/tasks/config.yml | 35 +- ansible/roles/nova-cell/tasks/deploy.yml | 6 +- .../roles/nova-cell/tasks/discover_computes.yml | 2 +- ansible/roles/nova-cell/tasks/rabbitmq.yml | 1 - ansible/roles/nova-cell/tasks/reconfigure.yml | 2 +- ansible/roles/nova-cell/tasks/rolling_upgrade.yml | 6 +- ansible/roles/nova-cell/tasks/upgrade.yml | 2 +- .../nova-cell/templates/99-kolla-kvm.rules.j2 | 4 + ansible/roles/nova-cell/templates/nova.conf.j2 | 12 +- ansible/roles/nova/defaults/main.yml | 8 +- ansible/roles/nova/tasks/config.yml | 3 - ansible/roles/nova/tasks/deploy.yml | 7 +- ansible/roles/nova/tasks/reconfigure.yml | 2 +- ansible/roles/nova/tasks/register.yml | 1 - ansible/roles/nova/tasks/rolling_upgrade.yml | 4 +- ansible/roles/nova/tasks/upgrade.yml | 2 +- ansible/roles/nova/templates/nova.conf.j2 | 5 +- ansible/roles/octavia/defaults/main.yml | 8 +- ansible/roles/octavia/tasks/bootstrap.yml | 2 +- ansible/roles/octavia/tasks/config.yml | 3 - ansible/roles/octavia/tasks/deploy.yml | 14 +- ansible/roles/octavia/tasks/reconfigure.yml | 2 +- ansible/roles/octavia/tasks/register.yml | 3 +- ansible/roles/octavia/tasks/upgrade.yml | 6 +- ansible/roles/octavia/templates/octavia.conf.j2 | 2 + ansible/roles/opendaylight/tasks/config.yml | 3 - ansible/roles/opendaylight/tasks/deploy.yml | 6 +- ansible/roles/opendaylight/tasks/reconfigure.yml | 2 +- ansible/roles/opendaylight/tasks/upgrade.yml | 6 +- ansible/roles/openvswitch/defaults/main.yml | 4 +- ansible/roles/openvswitch/tasks/config.yml | 7 +- ansible/roles/openvswitch/tasks/deploy.yml | 8 +- ansible/roles/openvswitch/tasks/reconfigure.yml | 2 +- ansible/roles/openvswitch/tasks/upgrade.yml | 8 +- ansible/roles/ovs-dpdk/defaults/main.yml | 4 +- ansible/roles/ovs-dpdk/tasks/config.yml | 3 - ansible/roles/ovs-dpdk/tasks/deploy.yml | 4 +- ansible/roles/ovs-dpdk/tasks/reconfigure.yml | 2 +- ansible/roles/ovs-dpdk/tasks/upgrade.yml | 2 +- ansible/roles/panko/defaults/main.yml | 2 +- ansible/roles/panko/tasks/bootstrap.yml | 2 +- ansible/roles/panko/tasks/config.yml | 3 - ansible/roles/panko/tasks/deploy.yml | 8 +- ansible/roles/panko/tasks/reconfigure.yml | 2 +- ansible/roles/panko/tasks/register.yml | 1 - ansible/roles/panko/tasks/upgrade.yml | 6 +- ansible/roles/panko/templates/panko.conf.j2 | 2 + ansible/roles/placement/defaults/main.yml | 2 +- ansible/roles/placement/tasks/bootstrap.yml | 2 +- ansible/roles/placement/tasks/config.yml | 9 +- ansible/roles/placement/tasks/deploy.yml | 10 +- ansible/roles/placement/tasks/reconfigure.yml | 2 +- ansible/roles/placement/tasks/register.yml | 1 - ansible/roles/placement/tasks/upgrade.yml | 10 +- .../roles/placement/templates/placement.conf.j2 | 3 +- ansible/roles/prechecks/tasks/datetime_checks.yml | 2 +- ansible/roles/prechecks/tasks/main.yml | 10 +- ansible/roles/prechecks/tasks/service_checks.yml | 2 +- ansible/roles/prometheus/defaults/main.yml | 27 +- ansible/roles/prometheus/tasks/config.yml | 3 - ansible/roles/prometheus/tasks/deploy.yml | 6 +- ansible/roles/prometheus/tasks/reconfigure.yml | 2 +- ansible/roles/prometheus/tasks/upgrade.yml | 4 +- .../prometheus-openstack-exporter.json.j2 | 5 - .../prometheus/templates/prometheus-server.json.j2 | 2 +- ansible/roles/qdrouterd/defaults/main.yml | 2 +- ansible/roles/qdrouterd/tasks/config.yml | 3 - ansible/roles/qdrouterd/tasks/deploy.yml | 6 +- ansible/roles/qdrouterd/tasks/reconfigure.yml | 2 +- ansible/roles/qdrouterd/tasks/upgrade.yml | 4 +- ansible/roles/qinling/defaults/main.yml | 4 +- ansible/roles/qinling/tasks/bootstrap.yml | 2 +- ansible/roles/qinling/tasks/config.yml | 3 - ansible/roles/qinling/tasks/deploy.yml | 12 +- ansible/roles/qinling/tasks/reconfigure.yml | 2 +- ansible/roles/qinling/tasks/register.yml | 1 - ansible/roles/qinling/tasks/upgrade.yml | 6 +- ansible/roles/qinling/templates/qinling.conf.j2 | 2 + ansible/roles/rabbitmq/defaults/main.yml | 2 +- ansible/roles/rabbitmq/handlers/main.yml | 43 +-- ansible/roles/rabbitmq/tasks/check-containers.yml | 3 +- ansible/roles/rabbitmq/tasks/config.yml | 18 +- ansible/roles/rabbitmq/tasks/deploy.yml | 6 +- ansible/roles/rabbitmq/tasks/reconfigure.yml | 2 +- ansible/roles/rabbitmq/tasks/restart_services.yml | 21 ++ ansible/roles/rabbitmq/tasks/upgrade.yml | 4 +- ansible/roles/rally/defaults/main.yml | 2 +- ansible/roles/rally/tasks/bootstrap.yml | 2 +- ansible/roles/rally/tasks/config.yml | 3 - ansible/roles/rally/tasks/deploy.yml | 6 +- ansible/roles/rally/tasks/reconfigure.yml | 2 +- ansible/roles/rally/tasks/upgrade.yml | 6 +- ansible/roles/rally/templates/rally.conf.j2 | 2 + ansible/roles/redis/defaults/main.yml | 4 +- ansible/roles/redis/tasks/config.yml | 3 - ansible/roles/redis/tasks/deploy.yml | 4 +- ansible/roles/redis/tasks/reconfigure.yml | 2 +- ansible/roles/redis/tasks/upgrade.yml | 4 +- ansible/roles/sahara/defaults/main.yml | 4 +- ansible/roles/sahara/tasks/bootstrap.yml | 2 +- ansible/roles/sahara/tasks/config.yml | 3 - ansible/roles/sahara/tasks/deploy.yml | 12 +- ansible/roles/sahara/tasks/reconfigure.yml | 2 +- ansible/roles/sahara/tasks/register.yml | 1 - ansible/roles/sahara/tasks/upgrade.yml | 6 +- ansible/roles/sahara/templates/sahara.conf.j2 | 2 + ansible/roles/searchlight/defaults/main.yml | 4 +- ansible/roles/searchlight/tasks/bootstrap.yml | 2 +- ansible/roles/searchlight/tasks/config.yml | 3 - ansible/roles/searchlight/tasks/deploy.yml | 8 +- ansible/roles/searchlight/tasks/reconfigure.yml | 2 +- ansible/roles/searchlight/tasks/register.yml | 1 - ansible/roles/searchlight/tasks/upgrade.yml | 6 +- ansible/roles/senlin/defaults/main.yml | 4 +- ansible/roles/senlin/tasks/bootstrap.yml | 2 +- ansible/roles/senlin/tasks/config.yml | 3 - ansible/roles/senlin/tasks/deploy.yml | 12 +- ansible/roles/senlin/tasks/reconfigure.yml | 2 +- ansible/roles/senlin/tasks/register.yml | 1 - ansible/roles/senlin/tasks/upgrade.yml | 6 +- ansible/roles/senlin/templates/senlin.conf.j2 | 2 + ansible/roles/skydive/defaults/main.yml | 4 +- ansible/roles/skydive/tasks/config.yml | 3 - ansible/roles/skydive/tasks/deploy.yml | 6 +- ansible/roles/skydive/tasks/reconfigure.yml | 2 +- ansible/roles/skydive/tasks/upgrade.yml | 4 +- ansible/roles/solum/defaults/main.yml | 8 +- ansible/roles/solum/tasks/bootstrap.yml | 2 +- ansible/roles/solum/tasks/config.yml | 3 - ansible/roles/solum/tasks/deploy.yml | 14 +- ansible/roles/solum/tasks/reconfigure.yml | 2 +- ansible/roles/solum/tasks/register.yml | 1 - ansible/roles/solum/tasks/upgrade.yml | 6 +- ansible/roles/solum/templates/solum.conf.j2 | 2 + ansible/roles/storm/defaults/main.yml | 4 +- ansible/roles/storm/tasks/config.yml | 3 - ansible/roles/storm/tasks/deploy.yml | 4 +- ansible/roles/storm/tasks/reconfigure.yml | 2 +- ansible/roles/storm/tasks/upgrade.yml | 2 +- ansible/roles/swift/tasks/deploy-containers.yml | 2 + ansible/roles/swift/tasks/deploy.yml | 8 +- ansible/roles/swift/tasks/legacy_upgrade.yml | 4 +- ansible/roles/swift/tasks/reconfigure.yml | 2 +- ansible/roles/swift/tasks/register.yml | 1 - ansible/roles/swift/tasks/rolling_upgrade.yml | 43 ++- ansible/roles/swift/tasks/stop.yml | 2 +- ansible/roles/tacker/defaults/main.yml | 4 +- ansible/roles/tacker/tasks/bootstrap.yml | 2 +- ansible/roles/tacker/tasks/config.yml | 3 - ansible/roles/tacker/tasks/deploy.yml | 14 +- ansible/roles/tacker/tasks/reconfigure.yml | 2 +- ansible/roles/tacker/tasks/register.yml | 1 - ansible/roles/tacker/tasks/upgrade.yml | 6 +- ansible/roles/tacker/templates/tacker.conf.j2 | 2 + ansible/roles/telegraf/defaults/main.yml | 2 +- ansible/roles/telegraf/tasks/config.yml | 3 - ansible/roles/telegraf/tasks/deploy.yml | 4 +- ansible/roles/telegraf/tasks/reconfigure.yml | 2 +- ansible/roles/telegraf/tasks/upgrade.yml | 4 +- ansible/roles/tempest/defaults/main.yml | 2 +- ansible/roles/tempest/tasks/config.yml | 3 - ansible/roles/tempest/tasks/deploy.yml | 4 +- ansible/roles/tempest/tasks/reconfigure.yml | 2 +- ansible/roles/tempest/tasks/upgrade.yml | 4 +- ansible/roles/trove/defaults/main.yml | 6 +- ansible/roles/trove/tasks/bootstrap.yml | 2 +- ansible/roles/trove/tasks/config.yml | 3 - ansible/roles/trove/tasks/deploy.yml | 13 +- ansible/roles/trove/tasks/reconfigure.yml | 2 +- ansible/roles/trove/tasks/register.yml | 1 - ansible/roles/trove/tasks/upgrade.yml | 6 +- .../roles/trove/templates/trove-conductor.conf.j2 | 2 + .../trove/templates/trove-taskmanager.conf.j2 | 2 + ansible/roles/trove/templates/trove.conf.j2 | 2 + ansible/roles/vitrage/defaults/main.yml | 8 +- ansible/roles/vitrage/tasks/bootstrap.yml | 2 +- ansible/roles/vitrage/tasks/config.yml | 3 - ansible/roles/vitrage/tasks/deploy.yml | 14 +- ansible/roles/vitrage/tasks/reconfigure.yml | 2 +- ansible/roles/vitrage/tasks/register.yml | 2 +- ansible/roles/vitrage/tasks/upgrade.yml | 6 +- ansible/roles/vitrage/templates/vitrage.conf.j2 | 2 + ansible/roles/vmtp/defaults/main.yml | 2 +- ansible/roles/vmtp/tasks/config.yml | 3 - ansible/roles/vmtp/tasks/deploy.yml | 5 +- ansible/roles/vmtp/tasks/reconfigure.yml | 2 +- ansible/roles/vmtp/tasks/upgrade.yml | 4 +- ansible/roles/watcher/defaults/main.yml | 6 +- ansible/roles/watcher/tasks/bootstrap.yml | 2 +- ansible/roles/watcher/tasks/config.yml | 3 - ansible/roles/watcher/tasks/deploy.yml | 13 +- ansible/roles/watcher/tasks/reconfigure.yml | 2 +- ansible/roles/watcher/tasks/register.yml | 1 - ansible/roles/watcher/tasks/upgrade.yml | 6 +- ansible/roles/watcher/templates/watcher.conf.j2 | 2 + ansible/roles/zookeeper/defaults/main.yml | 2 +- ansible/roles/zookeeper/tasks/config.yml | 3 - ansible/roles/zookeeper/tasks/deploy.yml | 4 +- ansible/roles/zookeeper/tasks/reconfigure.yml | 2 +- ansible/roles/zookeeper/tasks/upgrade.yml | 4 +- ansible/roles/zun/defaults/main.yml | 6 +- ansible/roles/zun/tasks/bootstrap.yml | 2 +- ansible/roles/zun/tasks/config.yml | 3 - ansible/roles/zun/tasks/deploy.yml | 12 +- ansible/roles/zun/tasks/reconfigure.yml | 2 +- ansible/roles/zun/tasks/register.yml | 1 - ansible/roles/zun/tasks/upgrade.yml | 6 +- ansible/roles/zun/templates/zun.conf.j2 | 2 + ansible/site.yml | 8 +- .../reference/databases/external-mariadb-guide.rst | 4 +- kolla_ansible/filters.py | 11 +- kolla_ansible/fluentd_filters.py | 44 +++ kolla_ansible/helpers.py | 21 ++ kolla_ansible/kolla_address.py | 30 +- ...frost-deploy-behind-proxy-e41f84e8d49a9ddf.yaml | 5 + .../notes/bug-1681461-761f0cdf71bcb962.yaml | 6 + ...6789-fix-fernet-bootstrap-36f87e36e4dc6ec9.yaml | 6 + .../notes/bug-1848941-7e192be1885af513.yaml | 6 + .../notes/bug-1867953-4897a2c05aba43c6.yaml | 5 + .../notes/bug-1886787-013164ffc2f67264.yaml | 9 + .../notes/bug-1887180-89450a4185c7449d.yaml | 6 + .../notes/bug-1888852-8735ee29f69f77b5.yaml | 5 + .../notes/bug-1889611-f08c228fca884bf2.yaml | 5 + .../notes/bug-1895723-910de90908de260a.yaml | 6 + .../notes/bug-1896591-47c829f8b72d567a.yaml | 6 + .../notes/bug-1898765-73881932a2ef1d32.yaml | 7 + .../notes/bug-1898766-ffc55c97230d8221.yaml | 6 + .../notes/bug-1904702-7451dd8c4caa309b.yaml | 5 + .../notes/bug-1906796-e52b9e113f36ceed.yaml | 6 + .../notes/bug-1906944-38798e1348ff9c97.yaml | 6 + .../notes/bug-1907436-2da50ed38d107127.yaml | 6 + .../notes/bug-1907658-a24ddc45f63893b5.yaml | 6 + ...ug-freezer-dev-mod-failed-af5bebb6c3eaabad.yaml | 5 + .../cloudkitty-proxy-headers-da4ea3297063e2e8.yaml | 5 + .../docker-disable-iptables-e9a248a0515f30a6.yaml | 12 + .../docker-install-iptables-f24fef8ce2418963.yaml | 6 + ...min-openrc-ownership-mode-310d89a6f50a9640.yaml | 19 + ...vacuate-cinder-encryption-489f8cf6a340e7be.yaml | 6 + ...fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml | 7 + .../fix-keystone-startup-66c5aa11a464a562.yaml | 8 + ...ance-grafana-db-bootstrap-298feba3e1750aca.yaml | 5 + ...emcached-connection-issue-84f5affa217b4612.yaml | 8 + .../fluentd-single-config-d5ae95fecbfb6e3e.yaml | 5 + ...default-topic-replication-0debd5eb89f0c50d.yaml | 11 + .../notes/load-br-netfilter-4ce9facd93e96af7.yaml | 6 + .../logrotate-single-config-663d6bf154218380.yaml | 5 + ...-keystone-bootstrap-limit-f0250725633c16de.yaml | 7 + ...uce-db-connection-pooling-b44da77eaa390f22.yaml | 6 + ...e-from-openstack-exporter-f6bb5da3093abef8.yaml | 5 + ...est-api-required-settings-099875e53248b62c.yaml | 14 + test-requirements.txt | 2 +- tools/cleanup-containers | 2 +- tools/kolla-ansible | 17 +- tools/setup_gate.sh | 54 ++- zuul.d/base.yaml | 14 + zuul.d/jobs.yaml | 31 +- zuul.d/project.yaml | 39 +- 588 files changed, 3201 insertions(+), 1844 deletions(-) Requirements updates -------------------- diff --git a/test-requirements.txt b/test-requirements.txt index 7044225bd..899c0c6b3 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4 +4 @@ -bandit>=1.1.0 # Apache-2.0 +bandit<1.6.3,>=1.1.0 # Apache-2.0