From 4a1032b3b0ff6aa5639aa74a79c8e72a4c0d0eab Mon Sep 17 00:00:00 2001 From: ramboman Date: Mon, 6 Jul 2020 16:37:52 +0800 Subject: [PATCH 01/29] Use internal API for Barbican communication This is a partial backport of two commits - I6a174468bd91d214c08477b93c88032a45c137be and I056f3eebcf87bcbaaf89fdd0dc1f46d143db7785. It includes the barbican_endpoint_type option, but excludes the verify_ssl_file option, since openstack_cacert is not used in configuration files in Train. Change-Id: I1c5790fd4717d12e8ff8ddbcabfa8f0ece8411e0 --- ansible/roles/cinder/templates/cinder.conf.j2 | 1 + ansible/roles/glance/templates/glance-api.conf.j2 | 6 ++++++ ansible/roles/nova-cell/templates/nova.conf.j2 | 1 + ansible/roles/nova/templates/nova.conf.j2 | 1 + 4 files changed, 9 insertions(+) diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2 index 2bf8e529f9..5e331a0c1f 100644 --- a/ansible/roles/cinder/templates/cinder.conf.j2 +++ b/ansible/roles/cinder/templates/cinder.conf.j2 @@ -206,6 +206,7 @@ connection_string = {{ osprofiler_backend_connection_string }} {% if enable_barbican | bool %} [barbican] auth_endpoint = {{ keystone_internal_url }} +barbican_endpoint_type = internal {% endif %} [coordination] diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2 index 3b9a40dceb..4cf588818e 100644 --- a/ansible/roles/glance/templates/glance-api.conf.j2 +++ b/ansible/roles/glance/templates/glance-api.conf.j2 @@ -110,3 +110,9 @@ trace_sqlalchemy = true hmac_keys = {{ osprofiler_secret }} connection_string = {{ osprofiler_backend_connection_string }} {% endif %} + +{% if enable_barbican | bool %} +[barbican] +auth_endpoint = {{ keystone_internal_url }} +barbican_endpoint_type = internal +{% endif %} diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2 index b61199ee2a..b798a296fd 100644 
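Review bot: No release note accompanies the new `barbican_endpoint_type = internal` line in cinder.conf.j2 (the same line is added in the glance-api, nova-cell and nova hunks), although it moves key-manager traffic onto a different catalog endpoint. Operators who filter the internal and public API networks differently need to know that secret retrieval now uses the internal endpoint. The commit message says the CA-file option was left out of this backport, so where the internal endpoint is served over TLS from a private CA the services presumably rely on the system trust store. A template comment such as `# Train: CA for the internal Barbican endpoint must be in the system trust store` would record that assumption.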
--- a/ansible/roles/nova-cell/templates/nova.conf.j2 +++ b/ansible/roles/nova-cell/templates/nova.conf.j2 @@ -231,6 +231,7 @@ connection_string = {{ osprofiler_backend_connection_string }} {% if enable_barbican | bool %} [barbican] auth_endpoint = {{ keystone_internal_url }} +barbican_endpoint_type = internal {% endif %} {% if nova_compute_virt_type == "xenapi" %} diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2 index 206be296fe..98cf559a28 100644 --- a/ansible/roles/nova/templates/nova.conf.j2 +++ b/ansible/roles/nova/templates/nova.conf.j2 @@ -197,4 +197,5 @@ connection_string = {{ osprofiler_backend_connection_string }} {% if enable_barbican | bool %} [barbican] auth_endpoint = {{ keystone_internal_url }} +barbican_endpoint_type = internal {% endif %} From 6b9b4a5c2cf04da0c770bfd0373648cc21db7384 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Nasiadka?= Date: Wed, 24 Feb 2021 16:19:22 +0100 Subject: [PATCH 02/29] CI: Add ssh retries Change-Id: I77791d504327ace880d0cc2438af2f8ced66d4eb (cherry picked from commit a8981a79aac09ab5529245a6348c0ed83e3a0211) --- tests/templates/ansible.cfg.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/templates/ansible.cfg.j2 b/tests/templates/ansible.cfg.j2 index 256a2efd70..29147b9ad9 100644 --- a/tests/templates/ansible.cfg.j2 +++ b/tests/templates/ansible.cfg.j2 @@ -4,3 +4,4 @@ host_key_checking = False [ssh_connection] pipelining = True +retries = 3 From 99ea10b28ef84151f07339ab2211a7284ee1aa4a Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Wed, 17 Mar 2021 08:57:58 +0000 Subject: [PATCH 03/29] CentOS 8: Make it clearer the 7 to 8 migration stays on Train In response to a mailing list post [1] trying to go from Train on CentOS 7 to Ussuri on CentOS 8. [1] http://lists.openstack.org/pipermail/openstack-discuss/2021-March/021129.html Change-Id: I3cc958665d9eb0d47c2f31e2c75bd7a3b1f64aea --- doc/source/user/centos8.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/source/user/centos8.rst b/doc/source/user/centos8.rst index fb1457f643..2b5586974c 100644 --- a/doc/source/user/centos8.rst +++ b/doc/source/user/centos8.rst @@ -52,8 +52,8 @@ is to differentiate CentOS 7 and CentOS 8 container images. Migrating from CentOS 7 to CentOS 8 ----------------------------------- -This section describes how to migrate an existing deployment from CentOS 7 to -CentOS 8. +This section describes how to migrate an existing Train deployment from CentOS +7 to CentOS 8. There is no supported upgrade path from CentOS 7 to CentOS 8. Since we want to use the same major versions of CentOS in the host and containers, the hosts @@ -65,8 +65,8 @@ level workflow is: * upgrade services to ensure compatibility with those available in CentOS 8 * migrate hosts to CentOS 8 in batches -Note that in a multi-node system it is possible to have a mix of CentOS 7 and -CentOS 8 hosts while the migration takes place. +Note that in a multi-node system on the Train release it is possible to have a +mix of CentOS 7 and CentOS 8 hosts while the migration takes place. Service compatibility ~~~~~~~~~~~~~~~~~~~~~ From a0c0d6e904072274ac0aaf5845355a38dc93125a Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 18 Mar 2021 09:38:11 +0000 Subject: [PATCH 04/29] docs: fix registry mirror example The docker configuration should be a URL, not a host:port. Closes-Bug: #1919932 Change-Id: I5025fdb7e48c79a107b45f1454f5d5e81367a2f9 (cherry picked from commit 608836d956b5d90bfaabc045a6fe428fc7709f62) --- doc/source/user/multinode.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/user/multinode.rst b/doc/source/user/multinode.rst index 030faac25f..af0ef031c2 100644 --- a/doc/source/user/multinode.rst +++ b/doc/source/user/multinode.rst @@ -75,7 +75,7 @@ IP address and port on which the registry is listening: docker_custom_config: registry-mirrors: - - 192.168.1.100:4000 + - http://192.168.1.100:4000 .. _edit-inventory: From 147951d0ba8fdd387b4a9ae54af17c37fab4f15b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Nasiadka?= Date: Tue, 2 Mar 2021 16:23:49 +0100 Subject: [PATCH 05/29] nova-cell: Stop printing ceph keys in output Change-Id: Ib6719a033b37be3e248b682795b7243c60b22b84 (cherry picked from commit dbc63244abfb7ea63411f9bc40009aa95bec43c7) --- ansible/roles/nova-cell/tasks/external_ceph.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/nova-cell/tasks/external_ceph.yml b/ansible/roles/nova-cell/tasks/external_ceph.yml index f4634801f0..32b63729b8 100644 --- a/ansible/roles/nova-cell/tasks/external_ceph.yml +++ b/ansible/roles/nova-cell/tasks/external_ceph.yml @@ -131,6 +131,7 @@ enabled: "{{ cinder_backend_ceph }}" notify: - Restart nova-libvirt container + no_log: True - name: Ensuring config directory has correct owner and permission become: true From 437c6a1e30182462308903c98c95bbee7b6e001a Mon Sep 17 00:00:00 2001 
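Review bot: `no_log: True` is added to one task in external_ceph.yml, and the hunk shows only that task's tail, so it is not visible whether the tasks that read or register the keyring contents are covered too. Any other task in this file that loops over or registers the key material needs the same flag, otherwise the key still reaches the output at higher verbosity. Because `no_log` also hides this task's failure detail, a short comment above the flag, for example `# no_log: loop items contain the Ceph key`, would tell an operator why the output is censored. The task starts above the hunk.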
From: Pierre Riteau Date: Fri, 9 Apr 2021 15:58:53 +0200 Subject: [PATCH 06/29] Fix installation errors with Python 2 Python 2 jobs recently started failing frequently with the following error: distutils.errors.DistutilsError: Could not find suitable distribution for Requirement.parse('pbr>=2.0.0') The root cause appears to be that indirect requirements are handled by easy_install which doesn't like some index servers [1]. Try updating setuptools first. [1] https://github.com/googleapis/google-cloud-python/issues/3757#issuecomment-422384453 Change-Id: I95303e52f2b462ceda21abaa4097cc9291362d33 --- tests/run.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/run.yml b/tests/run.yml index 72cdc095aa..47dababd57 100644 --- a/tests/run.yml +++ b/tests/run.yml @@ -162,6 +162,15 @@ state: directory become: true + # Workaround for distutils.errors.DistutilsError: Could not find suitable + # distribution for Requirement.parse('pbr>=2.0.0') in the next task + - name: ensure setuptools is updated + pip: + name: "setuptools" + executable: "pip{{ playbook_python_version }}" + extra_args: "-c {{ upper_constraints_file }} --user" + state: latest + - name: install kolla-ansible and dependencies vars: # Test latest ansible version on Ubuntu and CentOS 8, minimum supported on others. From 82ae334ffef7c053e2084d31eeb690c277938a3d Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 19 Apr 2021 11:01:26 +0200 Subject: [PATCH 07/29] Update setuptools inside virtualenvs This is to avoid the following issue: distutils.errors.DistutilsError: Could not find suitable distribution for Requirement.parse('pbr>=2.0.0') Change I95303e52f2b462ceda21abaa4097cc9291362d33 fixed it for the kolla-ansible installation but it can also affect virtualenvs used by testing. Change-Id: I341df5ce7d850d6264895fe521ed5a22c271b3fd --- tools/setup_gate.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/setup_gate.sh b/tools/setup_gate.sh index 8fb9882021..c97a86aa08 100755 
--- a/tools/setup_gate.sh +++ b/tools/setup_gate.sh @@ -25,6 +25,7 @@ function setup_openstack_clients { fi virtualenv ~/openstackclient-venv ~/openstackclient-venv/bin/pip install -U pip + ~/openstackclient-venv/bin/pip install -U setuptools ~/openstackclient-venv/bin/pip install -c $UPPER_CONSTRAINTS ${packages[@]} } @@ -112,6 +113,10 @@ EOF virtualenv ~/kolla-venv . ~/kolla-venv/bin/activate + # Install newest setuptools to avoid issues on Python 2 + pip install -U pip + pip install -U setuptools + pip install -c $UPPER_CONSTRAINTS "${KOLLA_SRC_DIR}" sudo ~/kolla-venv/bin/kolla-build From 5e3e2d366f55572f22ac2dce6bde3c2e2e66aece Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 19 Apr 2021 12:58:31 +0200 Subject: [PATCH 08/29] Document setuptools update Change-Id: If8af5a2a3fe628de15d644b4ffef0bffaa06b554 --- doc/source/user/quickstart.rst | 6 ++++-- doc/source/user/virtual-environments.rst | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/source/user/quickstart.rst b/doc/source/user/quickstart.rst index dab12be6e1..7f3d63e48e 100644 --- a/doc/source/user/quickstart.rst +++ b/doc/source/user/quickstart.rst @@ -98,11 +98,12 @@ If not installing Kolla Ansible in a virtual environment, skip this section. The virtual environment should be activated before running any commands that depend on packages installed in it. -#. Ensure the latest version of pip is installed: +#. Ensure the latest version of pip and setuptools are installed: .. code-block:: console pip install -U pip + pip install -U setuptools #. Install `Ansible `__. Currently, Kolla Ansible requires Ansible 2.6 to 2.9. 
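Review bot: The added `pip install -U setuptools` in setup_openstack_clients and the added `pip install -U pip` / `pip install -U setuptools` pair in the second hunk run without `-c $UPPER_CONSTRAINTS`, while the install lines right after them pass it, so the gate virtualenvs take whatever build tooling the index serves on the day. The previous patch in this series does pass the constraints file for the same workaround in tests/run.yml. If the constraints file lists these packages, `pip install -U -c $UPPER_CONSTRAINTS setuptools` would keep the environments reproducible; if it does not, a comment such as `# deliberately unconstrained: not listed in upper-constraints` would make that explicit.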
@@ -130,11 +131,12 @@ If installing Kolla Ansible in a virtual environment, skip this section. sudo apt-get install python-pip -#. Ensure the latest version of pip is installed: +#. Ensure the latest version of pip and setuptools are installed: .. code-block:: console sudo pip install -U pip + sudo pip install -U setuptools #. Install `Ansible `__. Currently, Kolla Ansible requires Ansible 2.6 to 2.9. diff --git a/doc/source/user/virtual-environments.rst b/doc/source/user/virtual-environments.rst index 8af28527f9..5de5a11c2f 100644 --- a/doc/source/user/virtual-environments.rst +++ b/doc/source/user/virtual-environments.rst @@ -21,6 +21,7 @@ python virtual environment on the Ansible control host. For example: virtualenv /path/to/venv source /path/to/venv/bin/activate pip install -U pip + pip install -U setuptools pip install kolla-ansible deactivate From 26760b63933217b5beab427d921ef2b73d53a5d0 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 30 Mar 2021 10:04:07 +0100 Subject: [PATCH 09/29] docs: Improve policy documentation Change-Id: Iede747ceaafa54a00186761943fe2f4ac13f9559 (cherry picked from commit 030a9a28d74f98831cce2cd48c08e09102ae7cf0) --- doc/source/admin/advanced-configuration.rst | 35 ++++++++++++--------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/doc/source/admin/advanced-configuration.rst b/doc/source/admin/advanced-configuration.rst index 4834e891c7..45767d417e 100644 --- a/doc/source/admin/advanced-configuration.rst +++ b/doc/source/admin/advanced-configuration.rst 
@@ -265,27 +265,34 @@ operator needs to create ``/etc/kolla/config/global.conf`` with content: [database] max_pool_size = 100 -In case the operators want to customize ``policy.json`` file, they should -create a full policy file for specific project in the same directory like above -and Kolla will overwrite default policy file with it. Be aware, with some -projects are keeping full policy file in source code, operators just need to -copy it but with some others are defining default rules in codebase, they have -to generate it. +OpenStack policy customisation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -For example to overwrite ``policy.json`` file of Neutron project, the operator -needs to grab ``policy.json`` from Neutron project source code, update rules -and then put it to ``/etc/kolla/config/neutron/policy.json``. +OpenStack services allow customisation of policy. Since the Queens release, +default policy configuration is defined within the source code for each +service, meaning that operators only need to override rules they wish to +change. Projects typically provide documentation on their default policy +configuration, for example, :keystone-doc:`Keystone `. -.. note:: +Policy can be customised via JSON or YAML files. As of the Wallaby release, the +JSON format is deprecated in favour of YAML. One major benefit of YAML is that +it allows for the use of comments. - Currently kolla-ansible only support JSON and YAML format for policy file. +For example, to customise the Neutron policy in YAML format, the operator +should add the customised rules in ``/etc/kolla/config/neutron/policy.yaml``. -The operator can make these changes after services were already deployed by -using following command: +The operator can make these changes after services have been deployed by using +the following command: .. code-block:: console - kolla-ansible reconfigure + kolla-ansible deploy + +In order to present a user with the correct interface, Horizon includes policy +for other services. 
Customisations made to those services may need to be +replicated in Horizon. For example, to customise the Neutron policy in YAML +format for Horizon, the operator should add the customised rules in +``/etc/kolla/config/horizon/neutron_policy.yaml``. IP Address Constrained Environments ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From f3268ac5d8228527387ce401bd2f7acdceb99f52 Mon Sep 17 00:00:00 2001 From: fudunwei Date: Fri, 29 Jan 2021 11:06:11 +0800 Subject: [PATCH 10/29] Negative seqno need to be considered when comparing seqno Need to consider Negative seqno to compare in some cases, but the task does not support to do that, we need to make it work. 1.we use mariabackup to restore datas on control1, delete the mariadb data on control2 and control3, and then use cluster recovery, as a result that the seqno of the other two nodes will be '-1'. 2. add one more control node into our existing mariadb cluster, and then use cluster recovery, the seqno of the new node will be '-1'. Change-Id: Ic1ac8656f28c3835e091637014f075ac5479d390 (cherry picked from commit 068f3fea50d17c63ac527b84a7a3d39c6f6cb5e2) --- ansible/roles/mariadb/tasks/recover_cluster.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/mariadb/tasks/recover_cluster.yml b/ansible/roles/mariadb/tasks/recover_cluster.yml index 0aec1eaa71..f3ee6a90f7 100644 --- a/ansible/roles/mariadb/tasks/recover_cluster.yml +++ b/ansible/roles/mariadb/tasks/recover_cluster.yml @@ -73,7 +73,7 @@ shell: cmd: | if [[ ! -z {{ hostvars[inventory_hostname]['seqno'] }} && ! -z {{ hostvars[item]['seqno'] }} && - {{ hostvars[inventory_hostname]['seqno'] }} =~ ^[0-9]+$ && {{ hostvars[item]['seqno'] }} =~ ^[0-9]+$ && + {{ hostvars[inventory_hostname]['seqno'] }} =~ ^-?[0-9]+$ && {{ hostvars[item]['seqno'] }} =~ ^-?[0-9]+$ && {{ hostvars[inventory_hostname]['seqno'] }} -lt {{ hostvars[item]['seqno'] }} ]]; then echo {{ hostvars[item]['seqno'] }}; fi with_items: "{{ groups['mariadb'] }}" register: seqno_compare 
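Review bot: The `seqno` facts are still templated unquoted into the `[[ ... ]]` test in recover_cluster.yml, so the shell parses whatever the value contains before the widened `=~ ^-?[0-9]+$` check can reject it, and an empty value leaves `! -z` without an operand. Passing each occurrence through the quote filter, e.g. `{{ hostvars[item]['seqno'] | quote }} =~ ^-?[0-9]+$`, keeps the validation meaningful when the recorded state is malformed. With negative values now accepted, nodes that all report -1 compare as equal; whether a later task handles that case is not visible here. The task begins above the hunk.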
From 189a4e54ee6fb1fb0225139525593b1bc113a46c Mon Sep 17 00:00:00 2001 From: John Garbutt Date: Mon, 10 May 2021 15:51:55 +0100 Subject: [PATCH 11/29] Use @type instead of type This is a follow up on the change with the following ID: I337f42e174393f68b43e876ef075a74c887a5314 TrivialFix Change-Id: Ibb67811d7b086ef9ef4c695ae589171af0c4d657 (cherry picked from commit fe66477475cd19884ee355561f31a3f001c610e9) --- ansible/roles/common/templates/conf/output/00-local.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/common/templates/conf/output/00-local.conf.j2 b/ansible/roles/common/templates/conf/output/00-local.conf.j2 index 169ec735e7..5e2064b29f 100644 --- a/ansible/roles/common/templates/conf/output/00-local.conf.j2 +++ b/ansible/roles/common/templates/conf/output/00-local.conf.j2 @@ -11,7 +11,7 @@ {% if log_direct_to_elasticsearch %} - type elasticsearch + @type elasticsearch host {{ elasticsearch_address }} port {{ elasticsearch_port }} scheme {{ fluentd_elasticsearch_scheme }} @@ -66,7 +66,7 @@ {% if log_direct_to_elasticsearch %} - type elasticsearch + @type elasticsearch host {{ elasticsearch_address }} port {{ elasticsearch_port }} scheme {{ fluentd_elasticsearch_scheme }} From 05b551b73c040c7c303ee07f134369582e9d574f Mon Sep 17 00:00:00 2001 From: Piotr Parczewski Date: Thu, 6 May 2021 14:45:10 +0200 Subject: [PATCH 12/29] Disable Alertmanager's peer gossip in non-HA deployments Reference: https://github.com/prometheus/alertmanager#turn-off-high-availability Closes-Bug: #1926463 Change-Id: I60e1dedeac25fa8fe9538a3a8e582bd8cc9324d7 (cherry picked from commit b300f7bc40bdcdeb0a520c1f3fcce85fe1b7ca72) --- .../prometheus/templates/prometheus-alertmanager.json.j2 | 2 +- .../disable-alertmanager-clustering-ec70f5f970c4933a.yaml | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/disable-alertmanager-clustering-ec70f5f970c4933a.yaml 
diff --git a/ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2 b/ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2
index d10aa8f0cb..562b910758 100644
--- a/ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2
+++ b/ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2
@@ -1,5 +1,5 @@
 {
- "command": "/opt/prometheus_alertmanager/alertmanager --config.file=/etc/prometheus/alertmanager.yml --web.listen-address={{ api_interface_address | put_address_in_context('url') }}:{{ prometheus_alertmanager_port }} --web.external-url={{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ prometheus_alertmanager_port }} {% if groups["prometheus-alertmanager"] | length > 1 %} --cluster.listen-address={{ api_interface_address | put_address_in_context('url') }}:{{ prometheus_alertmanager_cluster_port }} {% for host in groups["prometheus-alertmanager"] %} --cluster.peer={{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_alertmanager_cluster_port'] }}{% endfor %}{% endif %} --storage.path /var/lib/prometheus",
+ "command": "/opt/prometheus_alertmanager/alertmanager --config.file=/etc/prometheus/alertmanager.yml --web.listen-address={{ api_interface_address | put_address_in_context('url') }}:{{ prometheus_alertmanager_port }} --web.external-url={{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ prometheus_alertmanager_port }} --cluster.listen-address={% if groups["prometheus-alertmanager"] | length > 1 %}{{ api_interface_address | put_address_in_context('url') }}:{{ prometheus_alertmanager_cluster_port }} {% for host in groups["prometheus-alertmanager"] %} --cluster.peer={{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_alertmanager_cluster_port'] }}{% endfor %}{% endif %} --storage.path /var/lib/prometheus",
 "config_files": [
 {
 "source": "{{ container_config_directory }}/prometheus-alertmanager.yml",
diff --git a/releasenotes/notes/disable-alertmanager-clustering-ec70f5f970c4933a.yaml b/releasenotes/notes/disable-alertmanager-clustering-ec70f5f970c4933a.yaml
new file mode 100644
index 0000000000..2fc3503a11
--- /dev/null
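Review bot: In a single-node deployment the new `command` renders `--cluster.listen-address=` with an empty value, and nothing in the template says that this empty value is what switches gossip off, so a later cleanup could drop the flag as a no-op. A Jinja comment ahead of the JSON, such as `{# empty --cluster.listen-address disables Alertmanager clustering (LP#1926463) #}`, would record the intent. In the multi-node branch the cluster listener still binds to the API interface address; whether that port is limited to the peer hosts is not visible in this hunk and is worth confirming.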
+++ b/releasenotes/notes/disable-alertmanager-clustering-ec70f5f970c4933a.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Fixes potential issue with Alertmanger in non-HA deployments. In this + scenario, peer gossip protocol is now disabled and Alertmanager won't + try to form a cluster with non-existing other instances. + `LP#1926463 `__ From 56eefd8c429433480de5925d841de27d40c655e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Nasiadka?= Date: Wed, 19 May 2021 08:08:42 +0200 Subject: [PATCH 13/29] baremetal: Install Docker SDK less than 5.0.0 Docker 5.0.0 [1] dropped requirement for six, but still imports it. [1]: https://github.com/docker/docker-py/issues/2807 Closes-Bug: #1928915 Change-Id: I726541f4b3fdc357387a44c6a2153593a10bf282 (cherry picked from commit b053bd8ecf2cdbbdf83aeb6777e9502e5db70256) --- ansible/roles/baremetal/tasks/install.yml | 3 ++- releasenotes/notes/bug-1928915-482b2d53bb2a4d92.yaml | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bug-1928915-482b2d53bb2a4d92.yaml diff --git a/ansible/roles/baremetal/tasks/install.yml b/ansible/roles/baremetal/tasks/install.yml index 3e7cbb1ff1..f1ff50c035 100644 --- a/ansible/roles/baremetal/tasks/install.yml +++ b/ansible/roles/baremetal/tasks/install.yml @@ -125,7 +125,8 @@ - name: Install docker SDK for python pip: - name: docker + # NOTE(mnasiadka): docker 5.0.0 lacks six in deps but requires it + name: docker<5.0.0 executable: "{{ virtualenv is none | ternary('pip' ~ host_python_major_version, omit) }}" virtualenv: "{{ virtualenv is none | ternary(omit, virtualenv) }}" virtualenv_site_packages: "{{ virtualenv is none | ternary(omit, virtualenv_site_packages) }}" diff --git a/releasenotes/notes/bug-1928915-482b2d53bb2a4d92.yaml b/releasenotes/notes/bug-1928915-482b2d53bb2a4d92.yaml new file mode 100644 index 0000000000..a009da5955 --- /dev/null +++ b/releasenotes/notes/bug-1928915-482b2d53bb2a4d92.yaml 
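Review bot: `name: docker<5.0.0` in install.yml puts an open-ended ceiling on the SDK, so hosts bootstrapped with this role stay on the 4.x line, including for any later fixes, until someone remembers to lift it. The NOTE says why the pin exists but not when it can go; extending it to `# NOTE(mnasiadka): docker 5.0.0 lacks six in deps but requires it; drop the pin once a fixed release is out` would give the next maintainer the removal condition. If only the 5.0.0 release is affected, `docker!=5.0.0` would be the narrower constraint, though the hunk does not show whether later releases are fixed. The task may continue past the end of the hunk.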
@@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixed an issue where docker python SDK 5.0.0 was failing due to missing + six - introduced a constraint to install version lower than 5.x. + `LP#1928915 `__ From 26d310eea3f1c83dc4eb8f5806f9aad55d4a123e Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 17 May 2021 09:32:40 +0100 Subject: [PATCH 14/29] Ensure keepalived is upgraded Ussuri & earlier only After upgrading from Train to Ussuri, if the keepalived configuration is unchanged, it is possible that the primary keepalived container will not be upgraded. This happens because we do not import check-containers.yml in upgrade.yml, meaning that the 'Restart keepalived container' handler does not fire. This change fixes the issue. Closes-Bug: #1928362 Change-Id: I56775f1c0a8849c10ad5181cde6b50b2694a0512 (cherry picked from commit 2c728619301240c6f52894a4d0b48d0d888eaa81) --- ansible/roles/haproxy/tasks/upgrade.yml | 2 ++ .../notes/fix-keepalived-upgrade-a395e39dc946e618.yaml | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 releasenotes/notes/fix-keepalived-upgrade-a395e39dc946e618.yaml diff --git a/ansible/roles/haproxy/tasks/upgrade.yml b/ansible/roles/haproxy/tasks/upgrade.yml index 17fcbe07c0..6d515fc55c 100644 --- a/ansible/roles/haproxy/tasks/upgrade.yml +++ b/ansible/roles/haproxy/tasks/upgrade.yml @@ -16,6 +16,8 @@ notify: - Restart keepalived container +- import_tasks: check-containers.yml + # NOTE(yoctozepto): haproxy role handlers should not be flushed early. # site.yml handles all haproxy things in a dedicated play. # This is to avoid extra haproxy service restart. diff --git a/releasenotes/notes/fix-keepalived-upgrade-a395e39dc946e618.yaml b/releasenotes/notes/fix-keepalived-upgrade-a395e39dc946e618.yaml new file mode 100644 index 0000000000..f499cc5a22 --- /dev/null +++ b/releasenotes/notes/fix-keepalived-upgrade-a395e39dc946e618.yaml 
@@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes an issue with keepalived which was not recreated during an upgrade if + configuration is unchanged. `LP#1928362 + `__ From e4662817393a75a64b59a1a8e30896a925163e90 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 26 May 2021 15:28:09 +0200 Subject: [PATCH 15/29] Remove [octavia]/base_url option from neutron.conf This configuration option was only used by neutron-lbaas, which is now retired. It should have been added to neutron_lbaas.conf.j2 instead. Change-Id: Iba591473abf4304413eca0d84e0b2be197c527fc (cherry picked from commit 7d1af053b5b144b7997748ec876ded03423fb9fb) --- ansible/roles/neutron/templates/neutron.conf.j2 | 5 ----- 1 file changed, 5 deletions(-) diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2 index 19b07ad2cb..e08240197c 100644 --- a/ansible/roles/neutron/templates/neutron.conf.j2 +++ b/ansible/roles/neutron/templates/neutron.conf.j2 @@ -136,11 +136,6 @@ drivers = ovs drivers = ovs {% endif %} -{% if enable_octavia | bool %} -[octavia] -base_url = {{ internal_protocol }}://{{ octavia_internal_fqdn | put_address_in_context('url') }}:{{ octavia_api_port }} -{% endif %} - {% if enable_designate | bool %} [designate] url = {{ internal_protocol }}://{{ designate_internal_fqdn | put_address_in_context('url') }}:{{ designate_api_port }}/v2 From 018b997b1ec01188458563ea7c09cec5b7399e51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Nasiadka?= Date: Tue, 6 Apr 2021 14:06:19 +0200 Subject: [PATCH 16/29] CI: pull images before deploy It will allow us to fail fast when pulling the image is a problem - instead of failing in the middle of deployment. Change-Id: I017cddcfbbc5449e63d807385216b94e74503c9b (cherry picked from commit 8dcb56f584255d9e307c58bbf7f01ea249bdc85f) --- tests/deploy.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/deploy.sh b/tests/deploy.sh index 18861e9336..60c4c076c1 100755 
--- a/tests/deploy.sh +++ b/tests/deploy.sh @@ -17,8 +17,7 @@ function deploy { sudo chmod -R 777 /etc/kolla # Actually do the deployment tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/deploy-prechecks - # TODO(jeffrey4l): add pull action when we have a local registry - # service in CI + tools/kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull tools/kolla-ansible -i ${RAW_INVENTORY} -vvv deploy &> /tmp/logs/ansible/deploy tools/kolla-ansible -i ${RAW_INVENTORY} -vvv post-deploy &> /tmp/logs/ansible/post-deploy tools/kolla-ansible -i ${RAW_INVENTORY} -vvv check &> /tmp/logs/ansible/check-deploy From c12330f54ebbedf063e315e9c711ed383d570599 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Tue, 8 Sep 2020 09:41:34 +0200 Subject: [PATCH 17/29] [CI] Remove setup_gate.sh symlink This is confusing as it is not meant to be used by users. Also, various tools show duplicated matches due to both locations containing the exact same content. Change-Id: I2debe121f64954e57788270d3258775f29f1cbb0 (cherry picked from commit b21c07ac2f6f0a1852d6145805c0ff526448052e) --- tests/setup_gate.sh | 142 +++++++++++++++++++++++++++++++++++++++++++- tools/setup_gate.sh | 141 ------------------------------------------- 2 files changed, 141 insertions(+), 142 deletions(-) mode change 120000 => 100755 tests/setup_gate.sh delete mode 100755 tools/setup_gate.sh diff --git a/tests/setup_gate.sh b/tests/setup_gate.sh deleted file mode 120000 index fbacb3f920..0000000000 --- a/tests/setup_gate.sh +++ /dev/null @@ -1 +0,0 @@ -../tools/setup_gate.sh \ No newline at end of file diff --git a/tests/setup_gate.sh b/tests/setup_gate.sh new file mode 100755 index 0000000000..c97a86aa08 --- /dev/null +++ b/tests/setup_gate.sh 
@@ -0,0 +1,141 @@ +#!/bin/bash + +set -o xtrace +set -o errexit +set -o pipefail + +# Enable unbuffered output for Ansible in Jenkins. +export PYTHONUNBUFFERED=1 + + +function setup_openstack_clients { + # Prepare virtualenv for openstack deployment tests + local packages=(python-openstackclient python-heatclient) + if [[ $SCENARIO == zun ]]; then + packages+=(python-zunclient) + fi + if [[ $SCENARIO == ironic ]]; then + packages+=(python-ironicclient) + fi + if [[ $SCENARIO == masakari ]]; then + packages+=(python-masakariclient) + fi + if [[ $SCENARIO == scenario_nfv ]]; then + packages+=(python-tackerclient python-barbicanclient python-mistralclient) + fi + virtualenv ~/openstackclient-venv + ~/openstackclient-venv/bin/pip install -U pip + ~/openstackclient-venv/bin/pip install -U setuptools + ~/openstackclient-venv/bin/pip install -c $UPPER_CONSTRAINTS ${packages[@]} +} + +function prepare_images { + if [[ "${BUILD_IMAGE}" == "False" ]]; then + return + fi + + if [[ $SCENARIO != "bifrost" ]]; then + GATE_IMAGES="^cron,^fluentd,^glance,^haproxy,^keepalived,^keystone,^kolla-toolbox,^mariadb,^memcached,^neutron,^nova-,^openvswitch,^rabbitmq,^horizon,^chrony,^heat,^placement" + else + GATE_IMAGES="bifrost" + fi + + if [[ $SCENARIO == "ceph" ]]; then + GATE_IMAGES+=",^ceph,^cinder" + fi + + if [[ $SCENARIO == "zun" ]]; then + GATE_IMAGES+=",^zun,^kuryr,^etcd,^cinder,^iscsid" + if [[ $BASE_DISTRO != "centos" ]] || [[ $BASE_DISTRO_MAJOR_VERSION -eq 7 ]]; then + GATE_IMAGES+=",^tgtd" + fi + fi + + if [[ $SCENARIO == "scenario_nfv" ]]; then + GATE_IMAGES+=",^tacker,^mistral,^redis,^barbican" + fi + if [[ $SCENARIO == "ironic" ]]; then + GATE_IMAGES+=",^dnsmasq,^ironic,^iscsid" + fi + if [[ $SCENARIO == "masakari" ]]; then + GATE_IMAGES+=",^masakari" + fi + + if [[ $SCENARIO == "swift" ]]; then + GATE_IMAGES+=",^swift" + fi + + if [[ $SCENARIO == "mariadb" ]]; then + GATE_IMAGES="^cron,^haproxy,^keepalived,^kolla-toolbox,^mariadb" + fi + + if [[ $SCENARIO == 
"prometheus-efk" ]]; then + GATE_IMAGES="^cron,^elasticsearch,^fluentd,^grafana,^haproxy,^keepalived,^kibana,^kolla-toolbox,^mariadb,^memcached,^prometheus,^rabbitmq" + fi + + # NOTE(yoctozepto): we cannot build and push at the same time on debian + # buster see https://github.com/docker/for-linux/issues/711. + PUSH="true" + if [[ "debian" == $BASE_DISTRO ]]; then + PUSH="false" + fi + + sudo tee /etc/kolla/kolla-build.conf < /tmp/logs/ansible/bootstrap-servers + +prepare_images diff --git a/tools/setup_gate.sh b/tools/setup_gate.sh deleted file mode 100755 index c97a86aa08..0000000000 --- a/tools/setup_gate.sh +++ /dev/null 
@@ -1,141 +0,0 @@ -#!/bin/bash - -set -o xtrace -set -o errexit -set -o pipefail - -# Enable unbuffered output for Ansible in Jenkins. -export PYTHONUNBUFFERED=1 - - -function setup_openstack_clients { - # Prepare virtualenv for openstack deployment tests - local packages=(python-openstackclient python-heatclient) - if [[ $SCENARIO == zun ]]; then - packages+=(python-zunclient) - fi - if [[ $SCENARIO == ironic ]]; then - packages+=(python-ironicclient) - fi - if [[ $SCENARIO == masakari ]]; then - packages+=(python-masakariclient) - fi - if [[ $SCENARIO == scenario_nfv ]]; then - packages+=(python-tackerclient python-barbicanclient python-mistralclient) - fi - virtualenv ~/openstackclient-venv - ~/openstackclient-venv/bin/pip install -U pip - ~/openstackclient-venv/bin/pip install -U setuptools - ~/openstackclient-venv/bin/pip install -c $UPPER_CONSTRAINTS ${packages[@]} -} - -function prepare_images { - if [[ "${BUILD_IMAGE}" == "False" ]]; then - return - fi - - if [[ $SCENARIO != "bifrost" ]]; then - GATE_IMAGES="^cron,^fluentd,^glance,^haproxy,^keepalived,^keystone,^kolla-toolbox,^mariadb,^memcached,^neutron,^nova-,^openvswitch,^rabbitmq,^horizon,^chrony,^heat,^placement" - else - GATE_IMAGES="bifrost" - fi - - if [[ $SCENARIO == "ceph" ]]; then - GATE_IMAGES+=",^ceph,^cinder" - fi - - if [[ $SCENARIO == "zun" ]]; then - GATE_IMAGES+=",^zun,^kuryr,^etcd,^cinder,^iscsid" - if [[ $BASE_DISTRO != "centos" ]] || [[ $BASE_DISTRO_MAJOR_VERSION -eq 7 ]]; then - GATE_IMAGES+=",^tgtd" - fi - fi - - if [[ $SCENARIO == "scenario_nfv" ]]; then - GATE_IMAGES+=",^tacker,^mistral,^redis,^barbican" - fi - if [[ $SCENARIO == "ironic" ]]; then - GATE_IMAGES+=",^dnsmasq,^ironic,^iscsid" - fi - if [[ $SCENARIO == "masakari" ]]; then - GATE_IMAGES+=",^masakari" - fi - - if [[ $SCENARIO == "swift" ]]; then - GATE_IMAGES+=",^swift" - fi - - if [[ $SCENARIO == "mariadb" ]]; then - GATE_IMAGES="^cron,^haproxy,^keepalived,^kolla-toolbox,^mariadb" - fi - - if [[ $SCENARIO == 
"prometheus-efk" ]]; then - GATE_IMAGES="^cron,^elasticsearch,^fluentd,^grafana,^haproxy,^keepalived,^kibana,^kolla-toolbox,^mariadb,^memcached,^prometheus,^rabbitmq" - fi - - # NOTE(yoctozepto): we cannot build and push at the same time on debian - # buster see https://github.com/docker/for-linux/issues/711. - PUSH="true" - if [[ "debian" == $BASE_DISTRO ]]; then - PUSH="false" - fi - - sudo tee /etc/kolla/kolla-build.conf < /tmp/logs/ansible/bootstrap-servers - -prepare_images From 4920980add9f978499770e7ec9afcdc7e8a15ec2 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Fri, 12 Feb 2021 17:58:51 +0000 Subject: [PATCH 18/29] CI: Use PATH to find kolla-ansible script This change also updates the CI test scripts to use PATH to find the kolla-ansible script, rather than relying on the file in the source checkout. Using the script in the source checkout was hiding an issue with pip install --user, although that has now been fixed in I5b47a146627d06bb3fe4a747c5f20290c726b0f9. Related-Bug: #1915527 Change-Id: I2827a657c8716a9c40391c6bdb7ff1a2a9c1260e Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/793570 (cherry picked from commit 1ea99147c14068b7edbaf36a23199bc93a5ef493) --- tests/deploy-bifrost.sh | 2 +- tests/deploy.sh | 10 +++++----- tests/reconfigure.sh | 6 +++--- tests/setup_gate.sh | 2 +- tests/test-mariadb.sh | 4 ++-- tests/upgrade-bifrost.sh | 2 +- tests/upgrade.sh | 8 ++++---- 7 files changed, 17 insertions(+), 17 deletions(-) diff --git a/tests/deploy-bifrost.sh b/tests/deploy-bifrost.sh index 86e3d15363..1a3a414d59 100755 --- a/tests/deploy-bifrost.sh +++ b/tests/deploy-bifrost.sh @@ -14,7 +14,7 @@ function deploy_bifrost { # Deploy the bifrost container. # TODO(mgoddard): add pull action when we have a local registry service in # CI. - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv deploy-bifrost &> /tmp/logs/ansible/deploy-bifrost + kolla-ansible -i ${RAW_INVENTORY} -vvv deploy-bifrost &> /tmp/logs/ansible/deploy-bifrost } 
diff --git a/tests/deploy.sh b/tests/deploy.sh index 60c4c076c1..a413854a2a 100755 --- a/tests/deploy.sh +++ b/tests/deploy.sh @@ -16,11 +16,11 @@ function deploy { #TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there sudo chmod -R 777 /etc/kolla # Actually do the deployment - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/deploy-prechecks - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv deploy &> /tmp/logs/ansible/deploy - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv post-deploy &> /tmp/logs/ansible/post-deploy - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv check &> /tmp/logs/ansible/check-deploy + kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/deploy-prechecks + kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull + kolla-ansible -i ${RAW_INVENTORY} -vvv deploy &> /tmp/logs/ansible/deploy + kolla-ansible -i ${RAW_INVENTORY} -vvv post-deploy &> /tmp/logs/ansible/post-deploy + kolla-ansible -i ${RAW_INVENTORY} -vvv check &> /tmp/logs/ansible/check-deploy } diff --git a/tests/reconfigure.sh b/tests/reconfigure.sh index db0854cff7..d513eb3efe 100755 --- a/tests/reconfigure.sh +++ b/tests/reconfigure.sh @@ -12,9 +12,9 @@ function reconfigure { # TODO(jeffrey4l): make some configure file change and # trigger a real reconfigure - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/reconfigure-prechecks - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv reconfigure &> /tmp/logs/ansible/reconfigure - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv check &> /tmp/logs/ansible/check-reconfigure + kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/reconfigure-prechecks + kolla-ansible -i ${RAW_INVENTORY} -vvv reconfigure &> /tmp/logs/ansible/reconfigure + kolla-ansible -i ${RAW_INVENTORY} -vvv check &> /tmp/logs/ansible/check-reconfigure } 
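Review bot: After this change the five `kolla-ansible` calls in `deploy` run whichever file the name resolves to on PATH, and the job log no longer shows which one that was. A line such as `command -v kolla-ansible` before the first call would record the resolved path in the log and, if the script runs with errexit as tests/setup_gate.sh does, stop early when the script is not installed. The same applies to the hunks in tests/deploy-bifrost.sh, tests/reconfigure.sh, tests/setup_gate.sh, tests/test-mariadb.sh, tests/upgrade-bifrost.sh and tests/upgrade.sh. The body of `deploy` starts outside the hunk.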
diff --git a/tests/setup_gate.sh b/tests/setup_gate.sh index c97a86aa08..2eaecaadd1 100755 --- a/tests/setup_gate.sh +++ b/tests/setup_gate.sh @@ -136,6 +136,6 @@ EOF setup_openstack_clients RAW_INVENTORY=/etc/kolla/inventory -tools/kolla-ansible -i ${RAW_INVENTORY} -e ansible_user=$USER -vvv bootstrap-servers &> /tmp/logs/ansible/bootstrap-servers +kolla-ansible -i ${RAW_INVENTORY} -e ansible_user=$USER -vvv bootstrap-servers &> /tmp/logs/ansible/bootstrap-servers prepare_images diff --git a/tests/test-mariadb.sh b/tests/test-mariadb.sh index 6d26e994a5..5fbccd7bae 100755 --- a/tests/test-mariadb.sh +++ b/tests/test-mariadb.sh @@ -11,7 +11,7 @@ export PYTHONUNBUFFERED=1 function mariadb_stop { echo "Stopping the database cluster" - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv stop --yes-i-really-really-mean-it --tags mariadb --skip-tags common + kolla-ansible -i ${RAW_INVENTORY} -vvv stop --yes-i-really-really-mean-it --tags mariadb --skip-tags common if [[ $(sudo docker ps -q | grep mariadb | wc -l) -ne 0 ]]; then echo "Failed to stop MariaDB cluster" return 1 @@ -21,7 +21,7 @@ function mariadb_stop { function mariadb_recovery { # Recover the database cluster. echo "Recovering the database cluster" - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv mariadb_recovery --tags mariadb --skip-tags common + kolla-ansible -i ${RAW_INVENTORY} -vvv mariadb_recovery --tags mariadb --skip-tags common } function test_recovery { diff --git a/tests/upgrade-bifrost.sh b/tests/upgrade-bifrost.sh index 72966166a4..c50c921ee0 100755 --- a/tests/upgrade-bifrost.sh +++ b/tests/upgrade-bifrost.sh @@ -15,7 +15,7 @@ function upgrade_bifrost { # CI. # TODO(mgoddard): make some configuration file changes and trigger a real # upgrade. - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv deploy-bifrost &> /tmp/logs/ansible/upgrade-bifrost + kolla-ansible -i ${RAW_INVENTORY} -vvv deploy-bifrost &> /tmp/logs/ansible/upgrade-bifrost } 
diff --git a/tests/upgrade.sh b/tests/upgrade.sh index c0ce10e441..a3a608f0da 100755 --- a/tests/upgrade.sh +++ b/tests/upgrade.sh @@ -10,10 +10,10 @@ export PYTHONUNBUFFERED=1 function upgrade { RAW_INVENTORY=/etc/kolla/inventory - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade - tools/kolla-ansible -i ${RAW_INVENTORY} -vvv check &> /tmp/logs/ansible/check-upgrade + kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks + kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade + kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade + kolla-ansible -i ${RAW_INVENTORY} -vvv check &> /tmp/logs/ansible/check-upgrade } From ebaa5bb8a16249b487448be1b7712a47d11396c3 Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Mon, 7 Jun 2021 12:56:36 +0100 Subject: [PATCH 19/29] Fix RabbitMQ restart ordering The host list order seen during Ansible handlers may differ to the usual play host list order, due to race conditions in notifying handlers. This means that restart_services.yml for RabbitMQ may be included in a different order than the rabbitmq group, resulting in a node other than the 'first' being restarted first. This can cause some nodes to fail to join the cluster. The include_tasks loop was introduced in [1]. This change fixes the issue by splitting the handler into two tasks, and restarting the first node before all others. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/763137 Change-Id: I1823301d5889589bfd48326ed7de03c6061ea5ba Closes-Bug: #1930293 (cherry picked from commit 0cd5b027c985a8f6d3368ae0dc08b65f67f67fe0) --- ansible/roles/rabbitmq/handlers/main.yml | 18 +++++++++++++++++- .../notes/bug-1930293-d8a524f2070e6779.yaml | 5 +++++ 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bug-1930293-d8a524f2070e6779.yaml diff --git a/ansible/roles/rabbitmq/handlers/main.yml b/ansible/roles/rabbitmq/handlers/main.yml index f3b78de856..cd5e39eb57 100644 --- a/ansible/roles/rabbitmq/handlers/main.yml +++ b/ansible/roles/rabbitmq/handlers/main.yml 
@@ -1,5 +1,19 @@ --- -- name: Restart rabbitmq container +# NOTE(mgoddard): These tasks perform a 'full stop upgrade', which is necessary when moving between +# major releases. In future kolla-ansible releases we may be able to change this to a rolling +# restart. For info on this process see https://www.rabbitmq.com/upgrade.html + +- name: Restart first rabbitmq container + vars: + service_name: "rabbitmq" + service: "{{ rabbitmq_services[service_name] }}" + include_tasks: 'restart_services.yml' + when: + - kolla_action != "config" + - inventory_hostname == groups[service.group] | first + listen: Restart rabbitmq container + +- name: Restart remaining rabbitmq containers vars: service_name: "rabbitmq" service: "{{ rabbitmq_services[service_name] }}" @@ -7,4 +21,6 @@ when: - kolla_action != "config" - inventory_hostname == item + - inventory_hostname != groups[service.group] | first loop: "{{ groups[service.group] }}" + listen: Restart rabbitmq container diff --git a/releasenotes/notes/bug-1930293-d8a524f2070e6779.yaml b/releasenotes/notes/bug-1930293-d8a524f2070e6779.yaml new file mode 100644 index 0000000000..f16c156556 --- /dev/null +++ b/releasenotes/notes/bug-1930293-d8a524f2070e6779.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes more-than-2-node RabbitMQ upgrade failing randomly. + `LP#1930293 `__. From 6966e6fae17d45d7497ff05b6a4456d402f0aa5b Mon Sep 17 00:00:00 2001 
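Review bot: The NOTE added at the top of handlers/main.yml describes a 'full stop upgrade', but the two handlers under it only order restarts, and the reason the first group member must go first is left to the commit message. I would state that reason on the first handler, for example `# Restart the first node of the group before the others; handler host order may differ from group order.` The second handler keeps `loop` together with `inventory_hostname == item`, which is easy to misread; if the intent is to restart the remaining nodes one at a time in group order, a one-line comment saying so would help.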
From: =?UTF-8?q?Micha=C5=82=20Nasiadka?= Date: Mon, 7 Jun 2021 18:56:09 +0200 Subject: [PATCH 20/29] neutron: Add become for copying sriov_agent.ini This bug has been accidentally fixed in Victoria by [1]. [1]: https://review.opendev.org/c/openstack/kolla-ansible/+/742627 Closes-Bug: #1923467 Change-Id: Ie09beb79938ffbcdb5193299511e6eef0b98a258 (cherry picked from commit 6f3b611f34dfc1ef65517bfd0772d8eac6ef57db) --- ansible/roles/neutron/tasks/config.yml | 1 + releasenotes/notes/bug-1923467-80973d9fbe1f5287.yaml | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 releasenotes/notes/bug-1923467-80973d9fbe1f5287.yaml diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml index 2a8a80d2bb..b3a5e48363 100644 --- a/ansible/roles/neutron/tasks/config.yml +++ b/ansible/roles/neutron/tasks/config.yml @@ -136,6 +136,7 @@ - "Restart {{ item.key }} container" - name: Copying over sriov_agent.ini + become: true vars: service_name: "neutron-sriov-agent" neutron_sriov_agent: "{{ neutron_services[service_name] }}" diff --git a/releasenotes/notes/bug-1923467-80973d9fbe1f5287.yaml b/releasenotes/notes/bug-1923467-80973d9fbe1f5287.yaml new file mode 100644 index 0000000000..df5a3a7462 --- /dev/null +++ b/releasenotes/notes/bug-1923467-80973d9fbe1f5287.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + A bug where sriov_agent.ini wasn't copied due to ``Permission denied`` + error was fixed. + `LP#1923467 `__ From 3a1b9470584fa3644be15d933de399472ac64812 Mon Sep 17 00:00:00 2001 
From: Michal Arbet Date: Thu, 8 Apr 2021 00:36:14 +0200 Subject: [PATCH 21/29] Support editable installation in all cases An editable installation allows changes to be made to the source code directly, and have those changes applied immediately without having to reinstall. pip install -e /path/to/kolla-ansible Above is currently working only in virtualenv, but there is no reason to not allow in all cases. This is usefull for example when user is building his own docker container with editable kolla-ansible installed from git without virtualenv. Change-Id: I185f7c09c3f026fd6926a26001393f066ff1860d (cherry picked from commit 22a6765f5e0ddae1527faaaeeff0260f5996a9e7) --- tools/kolla-ansible | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/tools/kolla-ansible b/tools/kolla-ansible index 077d3a71b8..ab23a8542c 100755 --- a/tools/kolla-ansible +++ b/tools/kolla-ansible @@ -22,6 +22,7 @@ function check_environment_coherence { local ansible_python_cmdline # NOTE(yoctozepto): may have multiple parts ansible_python_cmdline=${ansible_shebang_line#\#\!} + ansible_python_version=$($ansible_python_cmdline -c 'import sys; print(str(sys.version_info[0])+"."+str(sys.version_info[1]))') if ! $ansible_python_cmdline --version &>/dev/null; then echo "ERROR: Ansible Python is not functional." >&2 
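Review bot: The new `ansible_python_version=$(...)` assignment runs the interpreter one line before the `--version` check that decides whether that interpreter works at all, so a broken Ansible Python first prints a raw interpreter error and, depending on the script's errexit setting, either aborts there or leaves the variable empty. Moving the assignment below that check keeps the existing "Ansible Python is not functional" message as the first thing the user sees. The variable is also not declared `local` although `ansible_python_cmdline` is; judging by the next hunk that is deliberate, since `find_base_dir` reads it, and a comment such as `# global: read by find_base_dir` would make the dependency visible. `check_environment_coherence` starts and ends outside this hunk.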
@@ -66,21 +67,38 @@ function check_environment_coherence { function find_base_dir { local dir_name + local python_dir dir_name=$(dirname "$0") # NOTE(yoctozepto): Fix the case where dir_name is a symlink and VIRTUAL_ENV might not be. This # happens with pyenv-virtualenv, see https://bugs.launchpad.net/kolla-ansible/+bug/1903887 dir_name=$(readlink -e "$dir_name") + python_dir="python${ansible_python_version}" if [ -z "$SNAP" ]; then if [[ ${dir_name} == "/usr/bin" ]]; then - BASEDIR=/usr/share/kolla-ansible + if test -f /usr/lib/${python_dir}/*-packages/kolla-ansible.egg-link; then + # Editable install. + BASEDIR="$(head -n1 /usr/lib/${python_dir}/*-packages/kolla-ansible.egg-link)" + else + BASEDIR=/usr/share/kolla-ansible + fi elif [[ ${dir_name} == "/usr/local/bin" ]]; then - BASEDIR=/usr/local/share/kolla-ansible + if test -f /usr/local/lib/${python_dir}/*-packages/kolla-ansible.egg-link; then + # Editable install. + BASEDIR="$(head -n1 /usr/local/lib/${python_dir}/*-packages/kolla-ansible.egg-link)" + else + BASEDIR=/usr/local/share/kolla-ansible + fi elif [[ ${dir_name} == ~/.local/bin ]]; then - BASEDIR=~/.local/share/kolla-ansible + if test -f ~/.local/lib/${python_dir}/*-packages/kolla-ansible.egg-link; then + # Editable install. + BASEDIR="$(head -n1 ~/.local/lib/${python_dir}/*-packages/kolla-ansible.egg-link)" + else + BASEDIR=~/.local/share/kolla-ansible + fi elif [[ -n ${VIRTUAL_ENV} ]] && [[ ${dir_name} == "$(readlink -e "${VIRTUAL_ENV}/bin")" ]]; then - if test -f ${VIRTUAL_ENV}/lib/python*/site-packages/kolla-ansible.egg-link; then + if test -f ${VIRTUAL_ENV}/lib/${python_dir}/site-packages/kolla-ansible.egg-link; then # Editable install. - BASEDIR="$(head -n1 ${VIRTUAL_ENV}/lib/python*/site-packages/kolla-ansible.egg-link)" + BASEDIR="$(head -n1 ${VIRTUAL_ENV}/lib/${python_dir}/*-packages/kolla-ansible.egg-link)" else BASEDIR="${VIRTUAL_ENV}/share/kolla-ansible" fi From 362838dec696485814b981168fed0ea1077ae27b Mon Sep 17 00:00:00 2001 
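Review bot: The `test -f` calls in `find_base_dir` take an unquoted `*-packages` glob, so when both a dist-packages and a site-packages directory hold `kolla-ansible.egg-link` the test receives two operands, fails with an operator error, and the code falls back to the share directory. The virtualenv branch is also inconsistent, testing `site-packages` but reading from `*-packages`; I would read the path that was tested, `BASEDIR="$(head -n1 ${VIRTUAL_ENV}/lib/${python_dir}/site-packages/kolla-ansible.egg-link)"`. BASEDIR then comes straight from the first line of the egg-link, which in the `~/.local` branch is a user-writable file, so a check such as `[[ -d "$BASEDIR" ]]` before it is used would catch a stale or edited link. `find_base_dir` continues past the end of this hunk.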
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Sun, 20 Jun 2021 14:14:53 +0000 Subject: [PATCH 22/29] Do not set pid file for iscsid Kolla Ansible runs iscsid in the foreground (-f) and a recent change to iscsid in CentOS 8 (both Linux and Stream) caused it to reject setting pid file in such a case. PID file is irrelevant in this scenario so this commit removes its parameter. Closes-Bug: #1933033 Change-Id: Ic0c4beae0c812f3ca68a6ee5cc4daa2fee0f277d (cherry picked from commit 18a0af6954f48a03bc125fd690347e3ef259096f) --- ansible/roles/iscsi/templates/iscsid.json.j2 | 2 +- releasenotes/notes/bug-1933033-76746d127285cfe8.yaml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bug-1933033-76746d127285cfe8.yaml diff --git a/ansible/roles/iscsi/templates/iscsid.json.j2 b/ansible/roles/iscsi/templates/iscsid.json.j2 index f44cf16c97..cfa4d9f358 100644 --- a/ansible/roles/iscsi/templates/iscsid.json.j2 +++ b/ansible/roles/iscsi/templates/iscsid.json.j2 @@ -1,4 +1,4 @@ { - "command": "iscsid -d 8 -f --pid=/run/iscsid.pid", + "command": "iscsid -d 8 -f", "config_files": [] } diff --git a/releasenotes/notes/bug-1933033-76746d127285cfe8.yaml b/releasenotes/notes/bug-1933033-76746d127285cfe8.yaml new file mode 100644 index 0000000000..88e4789cca --- /dev/null +++ b/releasenotes/notes/bug-1933033-76746d127285cfe8.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes ``iscsid`` failing in current CentOS 8 based images due to + pid file being needlessly set. + `LP#1933033 `__ From b882000e4a385a0ce8948efcdd119ef895b799a6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20Nasiadka?= Date: Fri, 23 Apr 2021 12:41:43 +0200 Subject: [PATCH 23/29] baremetal: Don't start Docker after install on Debian/Ubuntu docker-ce on Debian/Ubuntu gets started just after installation, before baremetal role configures daemon.json - which results in iptables rules being implemented - but not removed on docker engine restart. Closes-Bug: #1923203 Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2 (cherry picked from commit bc96179195de171a693b83405a472dddda596bff) --- ansible/roles/baremetal/tasks/install.yml | 43 ++++++++++++++++++- .../roles/baremetal/tasks/post-install.yml | 9 ++-- .../notes/bug-1923203-f9ff247befc4bd75.yaml | 6 +++ 3 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml diff --git a/ansible/roles/baremetal/tasks/install.yml b/ansible/roles/baremetal/tasks/install.yml index 3e7cbb1ff1..e2afeacc55 100644 --- a/ansible/roles/baremetal/tasks/install.yml +++ b/ansible/roles/baremetal/tasks/install.yml @@ -46,6 +46,26 @@ changed_when: false register: running_containers +# APT starts Docker engine right after installation, which creates +# iptables rules before we disable iptables in Docker config + +- name: Check if docker systemd unit exists + stat: + path: /etc/systemd/system/docker.service + register: docker_unit_file + +- name: Mask the docker systemd unit on Debian/Ubuntu + file: + src: /dev/null + dest: /etc/systemd/system/docker.service + owner: root + group: root + state: link + become: true + when: + - ansible_os_family == 'Debian' + - not docker_unit_file.stat.exists + - name: Install apt packages package: name: "{{ (debian_pkg_install | join(' ')).split() }}" 
@@ -73,6 +93,26 @@ when: ansible_os_family == 'RedHat' register: rpm_install_result +# Workaround older Ansible that fails systemd tasks +# when unit is masked + +- name: Check if docker service is masked + become: True + stat: + path: /etc/systemd/system/docker.service + register: docker_unit_masked + when: ansible_os_family == 'Debian' + +- name: Unmask docker service + become: True + file: + path: /etc/systemd/system/docker.service + state: absent + when: + - ansible_os_family == 'Debian' + - docker_unit_masked.stat.islnk + - docker_unit_masked.stat.lnk_source == '/dev/null' + # If any packages were updated, and any containers were running, wait for the # daemon to come up and start all previously running containers. @@ -80,10 +120,11 @@ # At some point (at least on CentOS 7) Docker CE stopped starting # automatically after an upgrade from legacy docker . Start it manually. - name: Start docker - service: + systemd: name: docker state: started enabled: yes + masked: no become: True - name: Wait for Docker to start diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml index 5fa5da1ab5..b51b527864 100644 --- a/ansible/roles/baremetal/tasks/post-install.yml +++ b/ansible/roles/baremetal/tasks/post-install.yml @@ -189,22 +189,25 @@ when: create_kolla_user | bool - name: Start docker - service: + systemd: name: docker state: started + masked: no become: True - name: Restart docker - service: + systemd: name: docker state: restarted + masked: no become: True when: docker_configured.changed or docker_reloaded.changed - name: Enable docker - service: + systemd: name: docker enabled: yes + masked: no become: True - name: Stop time service diff --git a/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml b/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml new file mode 100644 index 0000000000..6073ed7b15 --- /dev/null +++ b/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml 
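Review bot: The `Unmask docker service` task reads `docker_unit_masked.stat.islnk` without first checking `docker_unit_masked.stat.exists`, so the condition raises an undefined-attribute error whenever the path is absent, for example in check mode, where the masking task earlier in install.yml creates nothing. Adding `- docker_unit_masked.stat.exists` as the second condition avoids that. Separately, deleting the link with the `file` module does not by itself tell systemd that the unit changed; I cannot see from these hunks whether anything reloads systemd before `Start docker`, so `daemon_reload: yes` on that task in the following hunk may be needed.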
@@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixed an issue when Docker was configured after startup on Debian/Ubuntu, + which resulted in iptables rules being created - before they were disabled. + `LP#1923203 `__ From f1201f95fe8e317229750a5f2a5a60736c924f6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Sat, 26 Jun 2021 19:11:07 +0000 Subject: [PATCH 24/29] [CI] Do not set ansible_python_interpreter for Zuul Zuul 4.6.0 does not allow to set ansible_python_interpreter. [1] Instead, with the current Zuul and Ansible, this should be automatically set to the proper python. This patch is required to restore the jobs which are ignored otherwise. [2] [3] Additionally, this change avoids the use of Ansible's pip module because it tries to use setuptools from the ansible_python_interpreter first even if another executable is set. [1] http://lists.openstack.org/pipermail/openstack-discuss/2021-June/023291.html [2] http://lists.openstack.org/pipermail/openstack-discuss/2021-June/023326.html [3] http://lists.openstack.org/pipermail/openstack-discuss/2021-June/023321.html Change-Id: I53e666d59d0cce26e38c6f66a39eb204bda502d3 --- tests/pre.yml | 8 ++-- tests/run.yml | 40 ++++++++--------- zuul.d/base.yaml | 7 --- zuul.d/jobs.yaml | 111 ----------------------------------------------- 4 files changed, 23 insertions(+), 143 deletions(-) diff --git a/tests/pre.yml b/tests/pre.yml index 339994c4b1..1d00c6f217 100644 --- a/tests/pre.yml +++ b/tests/pre.yml @@ -3,6 +3,8 @@ any_errors_fatal: true vars: logs_dir: "/tmp/logs" + # NOTE(mgoddard): Use Python 3 only for CentOS 8 on stable/train. + playbook_python_version: "{{ '3' if ansible_os_family == 'RedHat' and ansible_distribution_major_version == '8' else '2' }}" roles: - bindep - multi-node-firewall 
@@ -65,9 +67,9 @@ - name: Ensure latest pip is installed become: true - pip: - name: pip<21 - state: latest + command: >- + python{{ playbook_python_version }} -m pip install --upgrade + pip<21 - name: Ensure /tmp/logs/ dir file: diff --git a/tests/run.yml b/tests/run.yml index 47dababd57..41ea08409d 100644 --- a/tests/run.yml +++ b/tests/run.yml @@ -165,11 +165,9 @@ # Workaround for distutils.errors.DistutilsError: Could not find suitable # distribution for Requirement.parse('pbr>=2.0.0') in the next task - name: ensure setuptools is updated - pip: - name: "setuptools" - executable: "pip{{ playbook_python_version }}" - extra_args: "-c {{ upper_constraints_file }} --user" - state: latest + command: >- + python{{ playbook_python_version }} -m pip install --user --upgrade + setuptools - name: install kolla-ansible and dependencies vars: 
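Review bot: The rewritten `ensure setuptools is updated` task no longer passes `-c {{ upper_constraints_file }}`, which the removed `pip` task had in `extra_args`, so setuptools is now upgraded to whatever the index serves at job time. If that is not intended, the command should read `python{{ playbook_python_version }} -m pip install --user --upgrade -c {{ upper_constraints_file }} setuptools`; if it is, a comment saying why the constraint was dropped would save the next reader the question. The `Ensure latest pip is installed` task in tests/pre.yml relies on `command` not invoking a shell, because `pip<21` would otherwise be read as a redirection; a short comment to that effect guards against a later switch to `shell`.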
@@ -178,19 +176,17 @@ {{ base_distro == 'ubuntu' or (base_distro == 'centos' and groups['all'] | map('extract', hostvars, 'ansible_distribution_major_version') | map('int') | list | max == 8) }} ansible_version_constraint: "{{ '<2.10,!=2.9.12' if ansible_version_latest else '<2.7' }}" - pip: - name: - - "{{ kolla_ansible_src_dir }}" - - "ansible{{ ansible_version_constraint }}" - - "ara<1.0.0" - # NOTE(mgoddard): pyfakefs 4.0.0 dropped support for Python 2. - - "pyfakefs{% if playbook_python_version == '2' %}<4{% endif %}" - # NOTE(yoctozepto): alembic 1.5.0 dropped support for SQLAlchemy 1.2. - # This does not affect Python 3 where pip uses the new resolver. - - "alembic{% if playbook_python_version == '2' %}<1.5{% endif %}" - # TODO(mgoddard): Always use pip3 when previous_release is ussuri. - executable: "pip{{ playbook_python_version }}" - extra_args: "-c {{ upper_constraints_file }} --user" + # NOTE(mgoddard): pyfakefs 4.0.0 dropped support for Python 2. + # NOTE(yoctozepto): alembic 1.5.0 dropped support for SQLAlchemy 1.2. + # This does not affect Python 3 where pip uses the new resolver. + command: >- + python{{ playbook_python_version }} -m pip install --user + -c {{ upper_constraints_file }} + {{ kolla_ansible_src_dir }} + ansible{{ ansible_version_constraint }} + ara<1.0.0 + pyfakefs{% if playbook_python_version == '2' %}<4{% endif %} + alembic{% if playbook_python_version == '2' %}<1.5{% endif %} # TODO(mgoddard): Always use python3 when previous_release is ussuri. - name: get ARA callback plugin path @@ -435,10 +431,10 @@ when: item.when | default(true) - name: upgrade kolla-ansible - pip: - name: "{{ kolla_ansible_src_dir }}" - executable: "pip{{ playbook_python_version }}" - extra_args: "-c {{ upper_constraints_file }} --user" + command: >- + python{{ playbook_python_version }} -m pip install --user + -c {{ upper_constraints_file }} + {{ kolla_ansible_src_dir }} # Update passwords.yml to include any new passwords added in this # release. 
diff --git a/zuul.d/base.yaml b/zuul.d/base.yaml index 22dd552e7d..db97691578 100644 --- a/zuul.d/base.yaml +++ b/zuul.d/base.yaml @@ -32,13 +32,6 @@ kolla_internal_vip_address: "192.0.2.10" address_family: 'ipv4' configure_swap_size: 0 - host-vars: - primary: - ansible_python_interpreter: python2 - secondary1: - ansible_python_interpreter: python2 - secondary2: - ansible_python_interpreter: python2 roles: - zuul: zuul/zuul-jobs diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 74edc0c7e7..d68ead2ff7 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -11,15 +11,6 @@ name: kolla-ansible-centos8-source parent: kolla-ansible-base nodeset: kolla-ansible-centos8 - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source @@ -29,13 +20,6 @@ parent: kolla-ansible-base nodeset: kolla-ansible-centos-mixed-7-8 voting: false - # NOTE(mgoddard): Use Python3 on CentOS 8 hosts, overriding the use of - # Python 2 from the base job. - host-vars: - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source @@ -79,15 +63,6 @@ parent: kolla-ansible-base nodeset: kolla-ansible-centos8 voting: false - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: binary 
@@ -151,15 +126,6 @@ name: kolla-ansible-centos8-source-mariadb parent: kolla-ansible-mariadb-base nodeset: kolla-ansible-centos8-multi - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source @@ -239,15 +205,6 @@ name: kolla-ansible-centos8-source-bifrost parent: kolla-ansible-bifrost-base nodeset: kolla-ansible-centos8 - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos @@ -263,15 +220,6 @@ name: kolla-ansible-centos8-source-zun parent: kolla-ansible-zun-base nodeset: kolla-ansible-centos8-multi - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source @@ -296,15 +244,6 @@ name: kolla-ansible-centos8-source-swift parent: kolla-ansible-swift-base nodeset: kolla-ansible-centos8-multi - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source 
@@ -332,15 +271,6 @@ name: kolla-ansible-centos8-source-scenario-nfv parent: kolla-ansible-scenario-nfv-base nodeset: kolla-ansible-centos8-multi - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source @@ -357,15 +287,6 @@ name: kolla-ansible-centos8-source-ironic parent: kolla-ansible-ironic-base nodeset: kolla-ansible-centos8 - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source @@ -382,15 +303,6 @@ name: kolla-ansible-centos8-binary-ironic parent: kolla-ansible-ironic-base nodeset: kolla-ansible-centos8 - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: binary @@ -437,15 +349,6 @@ name: kolla-ansible-centos8-source-masakari parent: kolla-ansible-masakari-base nodeset: kolla-ansible-centos8 - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source 
@@ -465,15 +368,6 @@ parent: kolla-ansible-base nodeset: kolla-ansible-centos8-multi voting: false - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 - secondary1: - ansible_python_interpreter: python3 - secondary2: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source @@ -491,11 +385,6 @@ name: kolla-ansible-centos8-source-prometheus-efk parent: kolla-ansible-prometheus-efk-base nodeset: kolla-ansible-centos8 - # NOTE(mgoddard): Use Python3 on CentOS 8 jobs, overriding the use of - # Python 2 from the base job. - host-vars: - primary: - ansible_python_interpreter: python3 vars: base_distro: centos install_type: source From 93e1ed14820f2c41f93ae1c746675f96073bfd57 Mon Sep 17 00:00:00 2001 From: Martin Chlumsky Date: Mon, 4 Nov 2019 11:54:58 -0500 Subject: [PATCH 25/29] Fix empty match while setting supported_policy_files When supported_policy_files gets set under python 3.7 [1], the regex '(.*)' matches twice, once for the policy file name and once more for the empty string that follows the policy file name. This is new behavior under python 3.7. [2] This leads to the replacement string being written out twice resulting in something like this: "nova_policy.yamlnova_". This patch changes the regex to '(.+)' ensuring there is no match success against the empty string. [1]: - set_fact: supported_policy_files: "{{ supported_policy_format_list | map('regex_replace', '(.*)', '{{ project_name }}_\\1') | list }}" [2]: https://docs.python.org/3/library/re.html#re.sub Change-Id: Ie5278832e293364c66d53ddb07dff9c5409f0cc6 Closes-Bug: 1851249 (cherry picked from commit 9d0ccad15aa358cdc6dc2f690bf181cb8354d150) --- ansible/roles/horizon/tasks/policy_item.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/roles/horizon/tasks/policy_item.yml b/ansible/roles/horizon/tasks/policy_item.yml index 7e4e814be2..d8a777d207 100644 --- a/ansible/roles/horizon/tasks/policy_item.yml +++ b/ansible/roles/horizon/tasks/policy_item.yml @@ -2,7 +2,7 @@ # Update policy file name - set_fact: - supported_policy_files: "{{ supported_policy_format_list | map('regex_replace', '(.*)', '{{ project_name }}_\\1') | list }}" + supported_policy_files: "{{ supported_policy_format_list | map('regex_replace', '(.+)', '{{ project_name }}_\\1') | list }}" - name: Check if policies shall be overwritten local_action: stat path="{{ fullpath }}" From f63266a072cc5a166550525fcab184f7e8ef632d Mon Sep 17 00:00:00 2001 From: Dincer Celik Date: Mon, 21 Oct 2019 23:02:17 +0300 Subject: [PATCH 26/29] [docker] Added a new flag to disable default network Docker is using 172.17.0.0/16 by default for bridge networking on docker0, and this might cause routing problems for operator networks. This change introduces docker_disable_default_network to disable the bridge networking by putting "bridge: none"[1] to daemon.json Bridge networking does not work without iptables, so we set the default for docker_disable_default_network to docker_disable_default_iptables_rules. For better defaults, this feature will be enabled by default in Wallaby. [1] https://docs.docker.com/engine/reference/commandline/dockerd/ Change-Id: Ic745300b27e50132d80d03787fa4abfada2d0173 Closes-Bug: #1848249 Related-Bug: #1849275 (cherry picked from commit 4053a0afdb3d0a230557883453b89b06cf4d7057) --- ansible/group_vars/all.yml | 1 + ansible/roles/baremetal/tasks/post-install.yml | 16 +++++++++++++++- .../docker-disable-bridge-14df8b7fddbd5000.yaml | 9 +++++++++ 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index ac3fb236cf..2143c08d53 100644 --- a/ansible/group_vars/all.yml 
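Review bot: The comment above the `set_fact` in policy_item.yml still reads only `# Update policy file name`, so nothing in the file records why the pattern has to be `(.+)` and not `(.*)`. I would extend it to something like `# Use (.+), not (.*): on Python 3.7+ re.sub also replaces the empty match after the name, which duplicates the prefix.` That keeps a later cleanup from reverting the pattern and reintroducing names such as the `nova_policy.yamlnova_` example in the commit message. The task list continues past the end of this hunk.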
+++ b/ansible/group_vars/all.yml @@ -103,6 +103,7 @@ docker_client_timeout: 120 # Docker networking options docker_disable_default_iptables_rules: "no" +docker_disable_default_network: "no" # Retention settings for Docker logs docker_log_max_file: "5" diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml index 5fa5da1ab5..0f1ba00f46 100644 --- a/ansible/roles/baremetal/tasks/post-install.yml +++ b/ansible/roles/baremetal/tasks/post-install.yml @@ -93,7 +93,7 @@ - name: Warn about docker default iptables debug: msg: >- - Docker default iptables rules will be disabled by default from the Victoria 11.0.0 + Docker default iptables rules will be disabled by default from the Wallaby 12.0.0 release. If you have any non-Kolla containers that need this functionality, you should plan a migration for this change, or set docker_disable_default_iptables_rules to false. when: not docker_disable_default_iptables_rules | bool @@ -103,6 +103,20 @@ docker_config: "{{ docker_config | combine({'iptables': false}) }}" when: docker_disable_default_iptables_rules | bool +- name: Warn about docker default networking + debug: + msg: >- + Docker default network on docker0 will be disabled by default from the + Wallaby 12.0.0 release. If you have any non-Kolla containers that need + this functionality, you should plan a migration for this change, or set + docker_disable_default_network to false. + when: not docker_disable_default_network | bool + +- name: Disable docker default network on docker0 + set_fact: + docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}" + when: docker_disable_default_network | bool + - name: Merge custom docker config set_fact: docker_config: "{{ docker_config | combine(docker_custom_config) }}" diff --git a/releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml b/releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml new file mode 100644 index 0000000000..23ab9632a9 --- /dev/null 
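Review bot: The added default `docker_disable_default_network: "no"` in ansible/group_vars/all.yml is a literal, while the commit message says the default is set to docker_disable_default_iptables_rules because bridge networking does not work without iptables. As written, an operator who sets only docker_disable_default_iptables_rules to yes keeps the docker0 bridge configured, which is the combination the message calls non-working. If the coupling is intended on this branch, the line would be `docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"`. If the literal is deliberate for the backport, a one-line comment above it saying so would avoid the mismatch with the description.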
+++ b/releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Adds a new flag, ``docker_disable_default_network``, which + defaults to ``no``. Docker is using ``172.17.0.0/16`` by default for bridge + networking on ``docker0``, and this might cause routing problems for + operator networks. Setting this flag to ``yes`` will disable Docker's + bridge networking. This feature will be enabled by default from the + Wallaby 12.0.0 release. From f725a500a11ee04144042676f393aec62bfed1c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Thu, 10 Jun 2021 17:26:38 +0000 Subject: [PATCH 27/29] Disable docker's ip-forward when iptables disabled With the new default since Wallaby, starting Docker makes it enable forwarding and not filter it at all. This may pose a security risk and should be mitigated. Closes-Bug: #1931615 Change-Id: I5129136c066489fdfaa4d93741c22e5010b7e89d (cherry picked from commit 0fa4ee56eb86eb7d4b4e3bb9d9c9993f6906c1bd) --- ansible/group_vars/all.yml | 1 + ansible/roles/baremetal/tasks/post-install.yml | 14 ++++++++++++++ ...docker-disable-ip-forward-b0490b71f9f07cd6.yaml | 9 +++++++++ 3 files changed, 24 insertions(+) create mode 100644 releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 2143c08d53..cd62ba6c28 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -104,6 +104,7 @@ docker_client_timeout: 120 # Docker networking options docker_disable_default_iptables_rules: "no" docker_disable_default_network: "no" +docker_disable_ip_forward: "no" # Retention settings for Docker logs docker_log_max_file: "5" diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml index 0f1ba00f46..83b1d820b1 100644 --- a/ansible/roles/baremetal/tasks/post-install.yml +++ b/ansible/roles/baremetal/tasks/post-install.yml 
@@ -117,6 +117,20 @@ docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}" when: docker_disable_default_network | bool +- name: Warn about docker ip_forward + debug: + msg: >- + Docker ip_forward will be disabled by default from the + Wallaby 12.0.0 release. If you have any non-Kolla containers that need + this functionality, you should plan a migration for this change, or set + docker_disable_ip_forward to false. + when: not docker_disable_ip_forward | bool + +- name: Disable docker ip_forward + set_fact: + docker_config: "{{ docker_config | combine({'ip-forward': false}) }}" + when: docker_disable_ip_forward | bool + - name: Merge custom docker config set_fact: docker_config: "{{ docker_config | combine(docker_custom_config) }}" diff --git a/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml b/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml new file mode 100644 index 0000000000..025a53ba10 --- /dev/null +++ b/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - | + Adds a new flag, ``docker_disable_ip_forward``, which + defaults to ``no`` and can be used (by setting ``yes``) to + disable docker's ``ip-forward`` option which makes docker set + ``net.ipv4.ip_forward`` sysctl to ``1``. + This is to protect from creating all-forwarding hosts. + `LP#1931615 `__ From 5e17f619bd8aadf6cecded6e32a753f7e1b63652 Mon Sep 17 00:00:00 2001 
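Review bot: Neither task added to post-install.yml flags the combination the commit message calls a security risk, that is docker_disable_default_iptables_rules enabled while docker_disable_ip_forward is left at its default of "no". The existing "Warn about docker ip_forward" task only announces a future default, so a host in that state gets forwarding enabled without filter rules and no specific warning. I would add a dedicated warning for that case, placed before "Merge custom docker config", as sketched below. Separately, `ip-forward: false` only stops dockerd from turning the sysctl on, so a host where Docker already ran presumably keeps `net.ipv4.ip_forward` at 1 until it is reset or rebooted, and the release note could say so. The task list starts and ends outside this hunk.

```yaml
# … unchanged: "Warn about docker ip_forward" and "Disable docker ip_forward" tasks …

- name: Warn about docker ip_forward without default iptables rules
  debug:
    msg: >-
      docker_disable_default_iptables_rules is enabled but
      docker_disable_ip_forward is not. Docker will enable IP forwarding on
      this host without adding filter rules. Set docker_disable_ip_forward
      to true unless forwarding is required and filtered by other means.
  when:
    - docker_disable_default_iptables_rules | bool
    - not docker_disable_ip_forward | bool
```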
From: Maksim Malchuk Date: Wed, 10 Feb 2021 12:57:14 +0300 Subject: [PATCH 28/29] Correctly configure S3 Token Middleware for Swift According the documentation [1] there need to configure auth_uri in the [filter:s3token] section instead of www_authenticate_uri which cause an error 'swift.common.wsgi.ConfigFileError: Invalid auth_uri; must include scheme and host' during start the swift-proxy-server container. 1. https://docs.openstack.org/swift/ussuri/middleware.html#s3-token-middleware Change-Id: I6b8f5807ebb746428a501dca13eae30763dede8d Closes-Bug: 1862765 Signed-off-by: Maksim Malchuk (cherry picked from commit 835920782fb48c4a750814fedd04126424334856) (cherry picked from commit a473d35e04a7e1d18a722fdb2b06176f217d7812) --- ansible/roles/swift/templates/proxy-server.conf.j2 | 2 +- releasenotes/notes/bug-1862765-a6cad9fd2d3f0f48.yaml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bug-1862765-a6cad9fd2d3f0f48.yaml diff --git a/ansible/roles/swift/templates/proxy-server.conf.j2 b/ansible/roles/swift/templates/proxy-server.conf.j2 index 958b4bf535..4845ae402b 100644 --- a/ansible/roles/swift/templates/proxy-server.conf.j2 +++ b/ansible/roles/swift/templates/proxy-server.conf.j2 @@ -98,5 +98,5 @@ use = egg:swift#s3api [filter:s3token] use = egg:swift#s3token -www_authenticate_uri = {{ keystone_internal_url }}/v3 +auth_uri = {{ keystone_internal_url }}/v3 {% endif %} diff --git a/releasenotes/notes/bug-1862765-a6cad9fd2d3f0f48.yaml b/releasenotes/notes/bug-1862765-a6cad9fd2d3f0f48.yaml new file mode 100644 index 0000000000..52f899dbc0 --- /dev/null +++ b/releasenotes/notes/bug-1862765-a6cad9fd2d3f0f48.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fix the issue when Swift deployed with S3 Token Middleware enabled. + Fixes `LP#1862765 `__ From 992c7628424db1821796a9ed7c3abfbf52b47c2c Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Fri, 8 Oct 2021 14:49:40 +0200 Subject: [PATCH 29/29] CI: Remove ara integration ara<1.0.0 fails to install because it requires SQLAlchemy<1.3.0 which is not compatible with train upper constraints. Since this branch is not actively used we can remove it. Change-Id: Ieb9f8f197f588dd2a4191bff777d510258f5bd6d --- tests/post.yml | 24 ------------------------ tests/run.yml | 12 ------------ tests/templates/ansible.cfg.j2 | 1 - 3 files changed, 37 deletions(-) diff --git a/tests/post.yml b/tests/post.yml index 400cf3c365..5f0eb18059 100644 --- a/tests/post.yml +++ b/tests/post.yml @@ -46,27 +46,3 @@ mode: pull rsync_opts: - "--quiet" - -- hosts: primary - environment: - PATH: "{{ ansible_env.HOME + '/.local/bin:' + ansible_env.PATH }}" - tasks: - - name: check for existence of ara sqlite - stat: - path: "{{ ansible_env.HOME }}/.ara/ansible.sqlite" - register: ara_stat_result - - - block: - - name: ensure ara-report folder existence - file: - path: "{{ zuul.executor.log_root }}/{{ inventory_hostname }}/ara-report" - state: directory - delegate_to: localhost - run_once: true - - - name: download ara sqlite - synchronize: - src: "{{ ansible_env.HOME }}/.ara/ansible.sqlite" - dest: "{{ zuul.executor.log_root }}/{{ inventory_hostname }}/ara-report/" - mode: pull - when: ara_stat_result.stat.exists diff --git a/tests/run.yml b/tests/run.yml index 41ea08409d..5a6a5cae7c 100644 --- a/tests/run.yml +++ b/tests/run.yml 
@@ -176,23 +176,11 @@ {{ base_distro == 'ubuntu' or (base_distro == 'centos' and groups['all'] | map('extract', hostvars, 'ansible_distribution_major_version') | map('int') | list | max == 8) }} ansible_version_constraint: "{{ '<2.10,!=2.9.12' if ansible_version_latest else '<2.7' }}" - # NOTE(mgoddard): pyfakefs 4.0.0 dropped support for Python 2. - # NOTE(yoctozepto): alembic 1.5.0 dropped support for SQLAlchemy 1.2. - # This does not affect Python 3 where pip uses the new resolver. command: >- python{{ playbook_python_version }} -m pip install --user -c {{ upper_constraints_file }} {{ kolla_ansible_src_dir }} ansible{{ ansible_version_constraint }} - ara<1.0.0 - pyfakefs{% if playbook_python_version == '2' %}<4{% endif %} - alembic{% if playbook_python_version == '2' %}<1.5{% endif %} - - # TODO(mgoddard): Always use python3 when previous_release is ussuri. - - name: get ARA callback plugin path - command: "python{{ playbook_python_version }} -m ara.setup.callback_plugins" - changed_when: false - register: ara_callback_plugins - name: template ansible.cfg template: diff --git a/tests/templates/ansible.cfg.j2 b/tests/templates/ansible.cfg.j2 index 29147b9ad9..49bbcdf40c 100644 --- a/tests/templates/ansible.cfg.j2 +++ b/tests/templates/ansible.cfg.j2 @@ -1,5 +1,4 @@ [defaults] -callback_plugins = {{ ara_callback_plugins.stdout }} host_key_checking = False [ssh_connection]