Upstream Train sync 2021-12-02

ansible/group_vars/all.yml

@@ -103,6 +103,8 @@ docker_client_timeout: 120
 
 # Docker networking options
 docker_disable_default_iptables_rules: "no"
+docker_disable_default_network: "no"
+docker_disable_ip_forward: "no"
 
 # Retention settings for Docker logs
 docker_log_max_file: "5"

ansible/roles/baremetal/tasks/install.yml

@@ -46,6 +46,26 @@
   changed_when: false
   register: running_containers
 
+# APT starts Docker engine right after installation, which creates
+# iptables rules before we disable iptables in Docker config
+
+- name: Check if docker systemd unit exists
+  stat:
+    path: /etc/systemd/system/docker.service
+  register: docker_unit_file
+
+- name: Mask the docker systemd unit on Debian/Ubuntu
+  file:
+    src: /dev/null
+    dest: /etc/systemd/system/docker.service
+    owner: root
+    group: root
+    state: link
+  become: true
+  when:
+    - ansible_os_family == 'Debian'
+    - not docker_unit_file.stat.exists
+
 - name: Install apt packages
   package:
     name: "{{ (debian_pkg_install | join(' ')).split() }}"
@@ -73,17 +93,38 @@
   when: ansible_os_family == 'RedHat'
   register: rpm_install_result
 
+# Workaround older Ansible that fails systemd tasks
+# when unit is masked
+
+- name: Check if docker service is masked
+  become: True
+  stat:
+    path: /etc/systemd/system/docker.service
+  register: docker_unit_masked
+  when: ansible_os_family == 'Debian'
+
+- name: Unmask docker service
+  become: True
+  file:
+    path: /etc/systemd/system/docker.service
+    state: absent
+  when:
+    - ansible_os_family == 'Debian'
+    - docker_unit_masked.stat.islnk
+    - docker_unit_masked.stat.lnk_source == '/dev/null'
+
 # If any packages were updated, and any containers were running, wait for the
 # daemon to come up and start all previously running containers.
 
 - block:
     # At some point (at least on CentOS 7) Docker CE stopped starting
     # automatically after an upgrade from legacy docker . Start it manually.
     - name: Start docker
-      service:
+      systemd:
         name: docker
         state: started
         enabled: yes
+        masked: no
       become: True
 
     - name: Wait for Docker to start
@@ -125,7 +166,8 @@
 
 - name: Install docker SDK for python
   pip:
-    name: docker
+    # NOTE(mnasiadka): docker 5.0.0 lacks six in deps but requires it
+    name: docker<5.0.0
     executable: "{{ virtualenv is none | ternary('pip' ~ host_python_major_version, omit) }}"
     virtualenv: "{{ virtualenv is none | ternary(omit, virtualenv) }}"
     virtualenv_site_packages: "{{ virtualenv is none | ternary(omit, virtualenv_site_packages) }}"

ansible/roles/baremetal/tasks/post-install.yml

@@ -93,7 +93,7 @@
 - name: Warn about docker default iptables
   debug:
     msg: >-
-      Docker default iptables rules will be disabled by default from the Victoria 11.0.0
+      Docker default iptables rules will be disabled by default from the Wallaby 12.0.0
       release. If you have any non-Kolla containers that need this functionality, you should
       plan a migration for this change, or set docker_disable_default_iptables_rules to false.
   when: not docker_disable_default_iptables_rules | bool
@@ -103,6 +103,34 @@
     docker_config: "{{ docker_config | combine({'iptables': false}) }}"
   when: docker_disable_default_iptables_rules | bool
 
+- name: Warn about docker default networking
+  debug:
+    msg: >-
+      Docker default network on docker0 will be disabled by default from the
+      Wallaby 12.0.0 release. If you have any non-Kolla containers that need
+      this functionality, you should plan a migration for this change, or set
+      docker_disable_default_network to false.
+  when: not docker_disable_default_network | bool
+
+- name: Disable docker default network on docker0
+  set_fact:
+    docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
+  when: docker_disable_default_network | bool
+
+- name: Warn about docker ip_forward
+  debug:
+    msg: >-
+      Docker ip_forward will be disabled by default from the
+      Wallaby 12.0.0 release. If you have any non-Kolla containers that need
+      this functionality, you should plan a migration for this change, or set
+      docker_disable_ip_forward to false.
+  when: not docker_disable_ip_forward | bool
+
+- name: Disable docker ip_forward
+  set_fact:
+    docker_config: "{{ docker_config | combine({'ip-forward': false}) }}"
+  when: docker_disable_ip_forward | bool
+
 - name: Merge custom docker config
   set_fact:
     docker_config: "{{ docker_config | combine(docker_custom_config) }}"
@@ -189,22 +217,25 @@
   when: create_kolla_user | bool
 
 - name: Start docker
-  service:
+  systemd:
     name: docker
     state: started
+    masked: no
   become: True
 
 - name: Restart docker
-  service:
+  systemd:
     name: docker
     state: restarted
+    masked: no
   become: True
   when: docker_configured.changed or docker_reloaded.changed
 
 - name: Enable docker
-  service:
+  systemd:
     name: docker
     enabled: yes
+    masked: no
   become: True
 
 - name: Stop time service

ansible/roles/cinder/templates/cinder.conf.j2

@@ -209,6 +209,7 @@ connection_string = {{ osprofiler_backend_connection_string }}
 {% if enable_barbican | bool %}
 [barbican]
 auth_endpoint = {{ keystone_internal_url }}
+barbican_endpoint_type = internal
 {% endif %}
 
 [coordination]

ansible/roles/common/templates/conf/output/00-local.conf.j2

@@ -11,7 +11,7 @@
   </store>
 {% if log_direct_to_elasticsearch %}
   <store>
-       type elasticsearch
+       @type elasticsearch
        host {{ elasticsearch_address }}
        port {{ elasticsearch_port }}
        scheme {{ fluentd_elasticsearch_scheme }}
@@ -66,7 +66,7 @@
   </store>
 {% if log_direct_to_elasticsearch %}
   <store>
-       type elasticsearch
+       @type elasticsearch
        host {{ elasticsearch_address }}
        port {{ elasticsearch_port }}
        scheme {{ fluentd_elasticsearch_scheme }}

ansible/roles/glance/templates/glance-api.conf.j2

@@ -110,3 +110,9 @@ trace_sqlalchemy = true
 hmac_keys = {{ osprofiler_secret }}
 connection_string = {{ osprofiler_backend_connection_string }}
 {% endif %}
+
+{% if enable_barbican | bool %}
+[barbican]
+auth_endpoint = {{ keystone_internal_url }}
+barbican_endpoint_type = internal
+{% endif %}

ansible/roles/haproxy/tasks/upgrade.yml

@@ -16,6 +16,8 @@
   notify:
     - Restart keepalived container
 
+- import_tasks: check-containers.yml
+
 # NOTE(yoctozepto): haproxy role handlers should not be flushed early.
 # site.yml handles all haproxy things in a dedicated play.
 # This is to avoid extra haproxy service restart.

ansible/roles/horizon/tasks/policy_item.yml

@@ -2,7 +2,7 @@
 
 # Update policy file name
 - set_fact:
-    supported_policy_files: "{{ supported_policy_format_list | map('regex_replace', '(.*)', '{{ project_name }}_\\1') | list }}"
+    supported_policy_files: "{{ supported_policy_format_list | map('regex_replace', '(.+)', '{{ project_name }}_\\1') | list }}"
 
 - name: Check if policies shall be overwritten
   local_action: stat path="{{ fullpath }}"

ansible/roles/iscsi/templates/iscsid.json.j2

@@ -1,4 +1,4 @@
 {
-    "command": "iscsid -d 8 -f --pid=/run/iscsid.pid",
+    "command": "iscsid -d 8 -f",
     "config_files": []
 }

ansible/roles/mariadb/tasks/recover_cluster.yml

@@ -73,7 +73,7 @@
       shell:
         cmd: |
           if [[ ! -z {{ hostvars[inventory_hostname]['seqno'] }} && ! -z {{ hostvars[item]['seqno'] }} &&
-          {{ hostvars[inventory_hostname]['seqno'] }} =~ ^[0-9]+$ && {{ hostvars[item]['seqno'] }} =~ ^[0-9]+$ &&
+          {{ hostvars[inventory_hostname]['seqno'] }} =~ ^-?[0-9]+$ && {{ hostvars[item]['seqno'] }} =~ ^-?[0-9]+$ &&
           {{ hostvars[inventory_hostname]['seqno'] }} -lt {{ hostvars[item]['seqno'] }} ]]; then echo {{ hostvars[item]['seqno'] }}; fi
       with_items: "{{ groups['mariadb'] }}"
       register: seqno_compare

ansible/roles/neutron/tasks/config.yml

@@ -136,6 +136,7 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over sriov_agent.ini
+  become: true
   vars:
     service_name: "neutron-sriov-agent"
     neutron_sriov_agent: "{{ neutron_services[service_name] }}"

ansible/roles/neutron/templates/neutron.conf.j2

@@ -136,11 +136,6 @@ drivers = ovs
 drivers = ovs
 {% endif %}
 
-{% if enable_octavia | bool %}
-[octavia]
-base_url = {{ internal_protocol }}://{{ octavia_internal_fqdn | put_address_in_context('url') }}:{{ octavia_api_port }}
-{% endif %}
-
 {% if enable_designate | bool %}
 [designate]
 url = {{ internal_protocol }}://{{ designate_internal_fqdn | put_address_in_context('url') }}:{{ designate_api_port }}/v2

ansible/roles/nova-cell/tasks/external_ceph.yml

@@ -131,6 +131,7 @@
       enabled: "{{ cinder_backend_ceph }}"
   notify:
     - Restart nova-libvirt container
+  no_log: True
 
 - name: Ensuring config directory has correct owner and permission
   become: true

ansible/roles/nova-cell/templates/nova.conf.j2

@@ -231,6 +231,7 @@ connection_string = {{ osprofiler_backend_connection_string }}
 {% if enable_barbican | bool %}
 [barbican]
 auth_endpoint = {{ keystone_internal_url }}
+barbican_endpoint_type = internal
 {% endif %}
 
 {% if nova_compute_virt_type == "xenapi" %}

ansible/roles/nova/templates/nova.conf.j2

@@ -197,4 +197,5 @@ connection_string = {{ osprofiler_backend_connection_string }}
 {% if enable_barbican | bool %}
 [barbican]
 auth_endpoint = {{ keystone_internal_url }}
+barbican_endpoint_type = internal
 {% endif %}

ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2

@@ -1,5 +1,5 @@
 {
-    "command": "/opt/prometheus_alertmanager/alertmanager --config.file=/etc/prometheus/alertmanager.yml --web.listen-address={{ api_interface_address | put_address_in_context('url') }}:{{ prometheus_alertmanager_port }} --web.external-url={{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ prometheus_alertmanager_port }} {% if groups["prometheus-alertmanager"] | length > 1 %} --cluster.listen-address={{ api_interface_address | put_address_in_context('url') }}:{{ prometheus_alertmanager_cluster_port }} {% for host in groups["prometheus-alertmanager"] %} --cluster.peer={{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_alertmanager_cluster_port'] }}{% endfor %}{% endif %} --storage.path /var/lib/prometheus",
+    "command": "/opt/prometheus_alertmanager/alertmanager --config.file=/etc/prometheus/alertmanager.yml --web.listen-address={{ api_interface_address | put_address_in_context('url') }}:{{ prometheus_alertmanager_port }} --web.external-url={{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ prometheus_alertmanager_port }} --cluster.listen-address={% if groups["prometheus-alertmanager"] | length > 1 %}{{ api_interface_address | put_address_in_context('url') }}:{{ prometheus_alertmanager_cluster_port }} {% for host in groups["prometheus-alertmanager"] %} --cluster.peer={{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_alertmanager_cluster_port'] }}{% endfor %}{% endif %} --storage.path /var/lib/prometheus",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/prometheus-alertmanager.yml",

ansible/roles/rabbitmq/handlers/main.yml

@@ -1,10 +1,26 @@
 ---
-- name: Restart rabbitmq container
+# NOTE(mgoddard): These tasks perform a 'full stop upgrade', which is necessary when moving between
+# major releases. In future kolla-ansible releases we may be able to change this to a rolling
+# restart. For info on this process see https://www.rabbitmq.com/upgrade.html
+
+- name: Restart first rabbitmq container
+  vars:
+    service_name: "rabbitmq"
+    service: "{{ rabbitmq_services[service_name] }}"
+  include_tasks: 'restart_services.yml'
+  when:
+    - kolla_action != "config"
+    - inventory_hostname == groups[service.group] | first
+  listen: Restart rabbitmq container
+
+- name: Restart remaining rabbitmq containers
   vars:
     service_name: "rabbitmq"
     service: "{{ rabbitmq_services[service_name] }}"
   include_tasks: 'restart_services.yml'
   when:
     - kolla_action != "config"
     - inventory_hostname == item
+    - inventory_hostname != groups[service.group] | first
   loop: "{{ groups[service.group] }}"
+  listen: Restart rabbitmq container

ansible/roles/swift/templates/proxy-server.conf.j2

@@ -98,5 +98,5 @@ use = egg:swift#s3api
 
 [filter:s3token]
 use = egg:swift#s3token
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+auth_uri = {{ keystone_internal_url }}/v3
 {% endif %}

doc/source/admin/advanced-configuration.rst

@@ -265,27 +265,34 @@ operator needs to create ``/etc/kolla/config/global.conf`` with content:
    [database]
    max_pool_size = 100
 
-In case the operators want to customize ``policy.json`` file, they should
-create a full policy file for specific project in the same directory like above
-and Kolla will overwrite default policy file with it. Be aware, with some
-projects are keeping full policy file in source code, operators just need to
-copy it but with some others are defining default rules in codebase, they have
-to generate it.
+OpenStack policy customisation
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-For example to overwrite ``policy.json`` file of Neutron project, the operator
-needs to grab ``policy.json`` from Neutron project source code, update rules
-and then put it to ``/etc/kolla/config/neutron/policy.json``.
+OpenStack services allow customisation of policy. Since the Queens release,
+default policy configuration is defined within the source code for each
+service, meaning that operators only need to override rules they wish to
+change. Projects typically provide documentation on their default policy
+configuration, for example, :keystone-doc:`Keystone <configuration/policy>`.
 
-.. note::
+Policy can be customised via JSON or YAML files. As of the Wallaby release, the
+JSON format is deprecated in favour of YAML. One major benefit of YAML is that
+it allows for the use of comments.
 
-   Currently kolla-ansible only support JSON and YAML format for policy file.
+For example, to customise the Neutron policy in YAML format, the operator
+should add the customised rules in ``/etc/kolla/config/neutron/policy.yaml``.
 
-The operator can make these changes after services were already deployed by
-using following command:
+The operator can make these changes after services have been deployed by using
+the following command:
 
 .. code-block:: console
 
-   kolla-ansible reconfigure
+   kolla-ansible deploy
+
+In order to present a user with the correct interface, Horizon includes policy
+for other services. Customisations made to those services may need to be
+replicated in Horizon. For example, to customise the Neutron policy in YAML
+format for Horizon, the operator should add the customised rules in
+``/etc/kolla/config/horizon/neutron_policy.yaml``.
 
 IP Address Constrained Environments
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

doc/source/user/centos8.rst

@@ -52,8 +52,8 @@ is to differentiate CentOS 7 and CentOS 8 container images.
 Migrating from CentOS 7 to CentOS 8
 -----------------------------------
 
-This section describes how to migrate an existing deployment from CentOS 7 to
-CentOS 8.
+This section describes how to migrate an existing Train deployment from CentOS
+7 to CentOS 8.
 
 There is no supported upgrade path from CentOS 7 to CentOS 8. Since we want to
 use the same major versions of CentOS in the host and containers, the hosts
@@ -65,8 +65,8 @@ level workflow is:
 * upgrade services to ensure compatibility with those available in CentOS 8
 * migrate hosts to CentOS 8 in batches
 
-Note that in a multi-node system it is possible to have a mix of CentOS 7 and
-CentOS 8 hosts while the migration takes place.
+Note that in a multi-node system on the Train release it is possible to have a
+mix of CentOS 7 and CentOS 8 hosts while the migration takes place.
 
 Service compatibility
 ~~~~~~~~~~~~~~~~~~~~~

doc/source/user/multinode.rst

@@ -75,7 +75,7 @@ IP address and port on which the registry is listening:
 
    docker_custom_config:
      registry-mirrors:
-       - 192.168.1.100:4000
+       - http://192.168.1.100:4000
 
 .. _edit-inventory: