diff --git a/ansible/inventory/all-in-one b/ansible/inventory/all-in-one
index 3eed0195e4..a878e29a6b 100644
--- a/ansible/inventory/all-in-one
+++ b/ansible/inventory/all-in-one
@@ -270,12 +270,26 @@ network
cinder
[cinder-backup:children]
+cinder
+
+[cinder-backup-lvm:children]
+storage
+
+[cinder-backup-multiple:children]
+cinder
storage
[cinder-scheduler:children]
cinder
[cinder-volume:children]
+cinder
+
+[cinder-volume-lvm:children]
+storage
+
+[cinder-volume-multiple:children]
+cinder
storage
# Cloudkitty
@@ -286,11 +300,12 @@ cloudkitty
cloudkitty
# iSCSI
+# NOTE(mnasiadka): We need iscsid on cinder-volume hosts and clients
[iscsid:children]
compute
storage
-ironic
+# NOTE(mnasiadka): We need tgtd on storage nodes for Cinder LVM
[tgtd:children]
storage
diff --git a/ansible/inventory/multinode b/ansible/inventory/multinode
index eb533b8f5f..2b3157b9c9 100644
--- a/ansible/inventory/multinode
+++ b/ansible/inventory/multinode
@@ -288,12 +288,26 @@ neutron
cinder
[cinder-backup:children]
+cinder
+
+[cinder-backup-lvm:children]
+storage
+
+[cinder-backup-multiple:children]
+cinder
storage
[cinder-scheduler:children]
cinder
[cinder-volume:children]
+cinder
+
+[cinder-volume-lvm:children]
+storage
+
+[cinder-volume-multiple:children]
+cinder
storage
# Cloudkitty
diff --git a/ansible/releasenotes/notes/drop-apache-wsgi-provider-5049b660249d0f20.yaml b/ansible/releasenotes/notes/drop-apache-wsgi-provider-5049b660249d0f20.yaml
new file mode 100644
index 0000000000..e5eda3f92f
--- /dev/null
+++ b/ansible/releasenotes/notes/drop-apache-wsgi-provider-5049b660249d0f20.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - |
+ Support for running WSGI services under Apache+mod_wsgi has been dropped.
+ All API services now run exclusively under uWSGI. The ``*_wsgi_provider``
+ variables (``keystone_wsgi_provider``, ``nova_wsgi_provider``,
+ ``cinder_wsgi_provider``, etc.) have been removed. If you had any of these
+ set to ``apache`` in your configuration, remove them before upgrading.
diff --git a/ansible/roles/aodh/defaults/main.yml b/ansible/roles/aodh/defaults/main.yml
index 0c6df039ca..21315cbd81 100644
--- a/ansible/roles/aodh/defaults/main.yml
+++ b/ansible/roles/aodh/defaults/main.yml
@@ -260,8 +260,3 @@ aodh_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
# Copy certificates
###################
aodh_copy_certs: "{{ kolla_copy_ca_into_containers | bool or aodh_database_enable_tls_internal | bool }}"
-
-####################
-# WSGI
-####################
-aodh_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/aodh/tasks/config.yml b/ansible/roles/aodh/tasks/config.yml
index a450746816..b90d7892de 100644
--- a/ansible/roles/aodh/tasks/config.yml
+++ b/ansible/roles/aodh/tasks/config.yml
@@ -78,17 +78,4 @@
service_uwsgi_config_uid: "aodh"
service_uwsgi_config_workers: "{{ aodh_api_workers }}"
when:
- - aodh_wsgi_provider == "uwsgi"
- - service | service_enabled_and_mapped_to_host
-
-- name: Copying over wsgi-aodh files for services
- vars:
- service: "{{ aodh_services['aodh-api'] }}"
- ansible.builtin.template:
- src: "wsgi-aodh.conf.j2"
- dest: "{{ node_config_directory }}/aodh-api/wsgi-aodh.conf"
- mode: "0660"
- become: true
- when:
- - aodh_wsgi_provider == "apache"
- service | service_enabled_and_mapped_to_host
diff --git a/ansible/roles/aodh/templates/aodh-api.json.j2 b/ansible/roles/aodh/templates/aodh-api.json.j2
index 844fe8db93..77fd4604b2 100644
--- a/ansible/roles/aodh/templates/aodh-api.json.j2
+++ b/ansible/roles/aodh/templates/aodh-api.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set aodh_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if aodh_wsgi_provider == 'apache' else 'uwsgi /etc/aodh/aodh-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/aodh/aodh-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/aodh.conf",
"dest": "/etc/aodh/aodh.conf",
"owner": "aodh",
"perm": "0600"
- }{% if aodh_wsgi_provider == "apache" %},
- {
- "source": "{{ container_config_directory }}/wsgi-aodh.conf",
- "dest": "/etc/{{ aodh_dir }}/wsgi-aodh.conf",
- "owner": "root",
- "perm": "0600"
- }{% elif aodh_wsgi_provider == 'uwsgi' %},
+ },
{
"source": "{{ container_config_directory }}/aodh-api-uwsgi.ini",
"dest": "/etc/aodh/aodh-api-uwsgi.ini",
"owner": "aodh",
"perm": "0600"
- }{% endif %}{% if aodh_policy_file is defined %},
+ }{% if aodh_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ aodh_policy_file }}",
"dest": "/etc/aodh/{{ aodh_policy_file }}",
diff --git a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2 b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
deleted file mode 100644
index a1f61a0d0b..0000000000
--- a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
+++ /dev/null
@@ -1,38 +0,0 @@
-{% set aodh_log_dir = '/var/log/kolla/aodh' %}
-{% set binary_path = '/var/lib/kolla/venv/bin' %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ aodh_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-ErrorLog "{{ aodh_log_dir }}/apache-error.log"
-
- CustomLog "{{ aodh_log_dir }}/apache-access.log" common
-
-
-{% if aodh_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
-
- Options Indexes FollowSymLinks MultiViews
- AllowOverride None
- Require all granted
-
-
-
-
- ## Logging
- ErrorLog "{{ aodh_log_dir }}/aodh_wsgi_error.log"
- ServerSignature Off
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ aodh_log_dir }}/aodh_wsgi_access.log" logformat
- WSGIApplicationGroup %{GLOBAL}
- WSGIDaemonProcess aodh group=aodh processes={{ aodh_api_workers }} threads=1 user=aodh
- WSGIProcessGroup aodh
- WSGIScriptAlias / "{{ binary_path }}/aodh-api"
-
diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml
index 2110805792..5e1ad02871 100644
--- a/ansible/roles/barbican/defaults/main.yml
+++ b/ansible/roles/barbican/defaults/main.yml
@@ -236,8 +236,3 @@ barbican_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }
# Copy certificates
###################
barbican_copy_certs: "{{ kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool or barbican_database_enable_tls_internal | bool }}"
-
-###################
-# WSGI
-###################
-barbican_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
index da7126fc13..52ebbff16a 100644
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -50,7 +50,6 @@
service_uwsgi_config_workers: "{{ barbican_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - barbican_wsgi_provider == "uwsgi"
- name: Copying over config.json files for services
ansible.builtin.template:
diff --git a/ansible/roles/barbican/templates/barbican-api.ini.j2 b/ansible/roles/barbican/templates/barbican-api.ini.j2
deleted file mode 100644
index e3a88e2790..0000000000
--- a/ansible/roles/barbican/templates/barbican-api.ini.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-[uwsgi]
-{% if barbican_enable_tls_backend | bool %}
-https-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }},/etc/barbican/certs/barbican-cert.pem,/etc/barbican/certs/barbican-key.pem
-{% else %}
-http-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
-{% endif %}
-processes = {{ barbican_api_workers }}
-lazy = true
-vacuum = true
-no-default-app = true
-memory-report = true
-plugins = python3
-paste = config:/etc/barbican/barbican-api-paste.ini
-add-header = Connection: close
-logto = /var/log/kolla/barbican/barbican_api_uwsgi_access.log
diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
index 4258d863e2..37f7f7aab5 100644
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@@ -41,7 +41,10 @@ cinder_services:
healthcheck: "{{ cinder_scheduler_healthcheck }}"
cinder-volume:
container_name: cinder_volume
- group: cinder-volume
+ group: >-
+ {{ 'cinder-volume-multiple' if (cinder_enabled_backends | length > 1 and enable_cinder_backend_lvm | bool) else
+ 'cinder-volume-lvm' if enable_cinder_backend_lvm | bool else
+ 'cinder-volume' }}
enabled: true
image: "{{ cinder_volume_image_full }}"
privileged: true
@@ -52,7 +55,10 @@ cinder_services:
healthcheck: "{{ cinder_volume_healthcheck }}"
cinder-backup:
container_name: cinder_backup
- group: cinder-backup
+ group: >-
+ {{ 'cinder-backup-multiple' if (cinder_enabled_backends | length > 1 and enable_cinder_backend_lvm | bool) else
+ 'cinder-backup-lvm' if enable_cinder_backend_lvm | bool else
+ 'cinder-backup' }}
enabled: "{{ enable_cinder_backup | bool }}"
image: "{{ cinder_backup_image_full }}"
privileged: true
@@ -382,11 +388,6 @@ cinder_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
cinder_cluster_name: ""
cinder_cluster_skip_precheck: false
-############
-# WSGI
-############
-cinder_wsgi_provider: "uwsgi"
-
# Database
cinder_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml
index d97cd080f4..e2022fdc0f 100644
--- a/ansible/roles/cinder/tasks/config.yml
+++ b/ansible/roles/cinder/tasks/config.yml
@@ -54,22 +54,6 @@
become: true
with_dict: "{{ cinder_services | select_services_enabled_and_mapped_to_host }}"
-- name: Copying over cinder-wsgi.conf
- vars:
- service: "{{ cinder_services['cinder-api'] }}"
- become: true
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ node_config_directory }}/cinder-api/cinder-wsgi.conf"
- mode: "0660"
- with_first_found:
- - "{{ node_custom_config }}/cinder/{{ inventory_hostname }}/cinder-wsgi.conf"
- - "{{ node_custom_config }}/cinder/cinder-wsgi.conf"
- - "cinder-wsgi.conf.j2"
- when:
- - service | service_enabled_and_mapped_to_host
- - cinder_wsgi_provider == "apache"
-
- name: "Configure uWSGI for Cinder"
ansible.builtin.include_role:
name: service-uwsgi-config
@@ -87,7 +71,6 @@
service_uwsgi_config_workers: "{{ cinder_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - cinder_wsgi_provider == "uwsgi"
- name: Copying over cinder.conf
vars:
diff --git a/ansible/roles/cinder/tasks/precheck.yml b/ansible/roles/cinder/tasks/precheck.yml
index ebaf913bf1..35870c8485 100644
--- a/ansible/roles/cinder/tasks/precheck.yml
+++ b/ansible/roles/cinder/tasks/precheck.yml
@@ -54,7 +54,7 @@
when:
- enable_cinder | bool
- enable_cinder_backend_lvm | bool
- - inventory_hostname in groups['cinder-volume']
+ - inventory_hostname in groups['cinder-volume-multiple'] if cinder_enabled_backends | length > 1 else inventory_hostname in groups['cinder-volume-lvm']
- name: Checking for coordination backend if Ceph backend is enabled
run_once: true
@@ -64,7 +64,7 @@
- not skip_cinder_backend_check | bool
- cinder_backend_ceph | bool
- cinder_coordination_backend == ''
- - groups['cinder-volume'] | length > 1
+ - groups['cinder-volume-multiple'] | length > 1 if enable_cinder_backend_lvm | bool else groups['cinder-volume'] | length > 1
- name: Check if S3 configurations are defined
ansible.builtin.assert:
diff --git a/ansible/roles/cinder/templates/cinder-api.json.j2 b/ansible/roles/cinder/templates/cinder-api.json.j2
index 1a332f1732..161597c6d4 100644
--- a/ansible/roles/cinder/templates/cinder-api.json.j2
+++ b/ansible/roles/cinder/templates/cinder-api.json.j2
@@ -1,27 +1,18 @@
-{% set cinder_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set cinder_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = '/usr/sbin/' + apache_binary + ' -DFOREGROUND' if cinder_wsgi_provider == 'apache' else 'uwsgi /etc/cinder/cinder-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/cinder/cinder-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/cinder.conf",
"dest": "/etc/cinder/cinder.conf",
"owner": "cinder",
"perm": "0600"
- }{% if cinder_wsgi_provider == 'apache' %},
- {
- "source": "{{ container_config_directory }}/cinder-wsgi.conf",
- "dest": "/etc/{{ cinder_dir }}/cinder-wsgi.conf",
- "owner": "cinder",
- "perm": "0600"
- }{% elif cinder_wsgi_provider == 'uwsgi' %},
+ },
{
"source": "{{ container_config_directory }}/cinder-api-uwsgi.ini",
"dest": "/etc/cinder/cinder-api-uwsgi.ini",
"owner": "cinder",
"perm": "0600"
- }{% endif %}{% if cinder_policy_file is defined %},
+ }{% if cinder_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ cinder_policy_file }}",
"dest": "/etc/cinder/{{ cinder_policy_file }}",
diff --git a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
deleted file mode 100644
index d0f090bb0b..0000000000
--- a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
+++ /dev/null
@@ -1,35 +0,0 @@
-{% if cinder_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cinder_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-{% if cinder_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
- WSGIDaemonProcess cinder-api processes={{ cinder_api_workers }} threads=1 user=cinder group=cinder display-name=cinder-api
- WSGIProcessGroup cinder-api
- WSGIScriptAlias / /var/www/cgi-bin/cinder/cinder-wsgi
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog /var/log/kolla/cinder/cinder-api-error.log
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog /var/log/kolla/cinder/cinder-api-access.log logformat
-{% if cinder_enable_tls_backend | bool %}
- SSLEngine On
- SSLCertificateFile /etc/cinder/certs/cinder-cert.pem
- SSLCertificateKeyFile /etc/cinder/certs/cinder-key.pem
-{% endif %}
-
diff --git a/ansible/roles/cloudkitty/defaults/main.yml b/ansible/roles/cloudkitty/defaults/main.yml
index b1840642ec..0b74f8e278 100644
--- a/ansible/roles/cloudkitty/defaults/main.yml
+++ b/ansible/roles/cloudkitty/defaults/main.yml
@@ -235,8 +235,3 @@ cloudkitty_database_enable_tls_internal: "{{ database_enable_tls_internal | bool
# Copy certificates
###################
cloudkitty_copy_certs: "{{ kolla_copy_ca_into_containers | bool or cloudkitty_database_enable_tls_internal | bool }}"
-
-#######
-# WSGI
-#######
-cloudkitty_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/cloudkitty/tasks/config.yml b/ansible/roles/cloudkitty/tasks/config.yml
index e5f95f301a..15e994add2 100644
--- a/ansible/roles/cloudkitty/tasks/config.yml
+++ b/ansible/roles/cloudkitty/tasks/config.yml
@@ -90,19 +90,6 @@
service_uwsgi_config_workers: "{{ cloudkitty_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - cloudkitty_wsgi_provider == "uwsgi"
-
-- name: Copying over wsgi-cloudkitty.conf
- vars:
- service: "{{ cloudkitty_services['cloudkitty-api'] }}"
- ansible.builtin.template:
- src: "wsgi-cloudkitty.conf.j2"
- dest: "{{ node_config_directory }}/cloudkitty-api/wsgi-cloudkitty.conf"
- mode: "0660"
- become: true
- when:
- - cloudkitty_wsgi_provider == "apache"
- - service | service_enabled_and_mapped_to_host
- name: Copying over existing policy file
ansible.builtin.template:
diff --git a/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2 b/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2
index c6fcca90e9..2bf756d20c 100644
--- a/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2
+++ b/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if cloudkitty_wsgi_provider == 'apache' else 'uwsgi /etc/cloudkitty/cloudkitty-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/cloudkitty/cloudkitty-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/cloudkitty.conf",
"dest": "/etc/cloudkitty/cloudkitty.conf",
"owner": "cloudkitty",
"perm": "0600"
- }{% if cloudkitty_wsgi_provider == "apache" %},
- {
- "source": "{{ container_config_directory }}/wsgi-cloudkitty.conf",
- "dest": "/etc/{{ apache_conf_dir }}/wsgi-cloudkitty.conf",
- "owner": "cloudkitty",
- "perm": "0600"
- }{% elif cloudkitty_wsgi_provider == "uwsgi" %},
+ },
{
"source": "{{ container_config_directory }}/cloudkitty-api-uwsgi.ini",
"dest": "/etc/cloudkitty/cloudkitty-api-uwsgi.ini",
"owner": "cloudkitty",
"perm": "0600"
- }{% endif %}{% if cloudkitty_policy_file is defined %},
+ }{% if cloudkitty_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ cloudkitty_policy_file }}",
"dest": "/etc/cloudkitty/{{ cloudkitty_policy_file }}",
diff --git a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2 b/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
deleted file mode 100644
index 38a3150050..0000000000
--- a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
+++ /dev/null
@@ -1,36 +0,0 @@
-{% set cloudkitty_log_dir = '/var/log/kolla/cloudkitty' %}
-{% set binary_path = '/var/lib/kolla/venv/bin' %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cloudkitty_api_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-ErrorLog "{{ cloudkitty_log_dir }}/apache-error.log"
-
- CustomLog "{{ cloudkitty_log_dir }}/apache-access.log" common
-
-
-{% if cloudkitty_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
-
- ErrorLog "{{ cloudkitty_log_dir }}/cloudkitty-api-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ cloudkitty_log_dir }}/cloudkitty-api-access.log" logformat
- WSGIApplicationGroup %{GLOBAL}
- WSGIDaemonProcess cloudkitty group=cloudkitty processes={{ cloudkitty_api_workers }} threads=1 user=cloudkitty
- WSGIProcessGroup cloudkitty
- WSGIScriptAlias / "{{ binary_path }}/cloudkitty-api"
-
-
-
- Require all granted
-
-
-
-
diff --git a/ansible/roles/fluentd/tasks/config.yml b/ansible/roles/fluentd/tasks/config.yml
index 50e54a7ec2..830ce91484 100644
--- a/ansible/roles/fluentd/tasks/config.yml
+++ b/ansible/roles/fluentd/tasks/config.yml
@@ -85,8 +85,8 @@
enabled: true
- name: "conf/input/03-rabbitmq.conf.j2"
enabled: true
- - name: "conf/input/04-openstack-wsgi.conf.j2"
- enabled: true
+ - name: "conf/input/04-apache.conf.j2"
+ enabled: "{{ enable_keystone_federation | bool or enable_ironic | bool or enable_letsencrypt | bool or enable_skyline | bool }}"
- name: "conf/input/05-libvirt.conf.j2"
enabled: "{{ enable_nova | bool and enable_nova_libvirt_container | bool }}"
- name: "conf/input/08-prometheus.conf.j2"
@@ -111,9 +111,7 @@
customised_filter_files: "{{ find_custom_fluentd_filters.files | map(attribute='path') | list }}"
# Formats
fluentd_format_files: "{{ default_format_files | customise_fluentd(customised_format_files) }}"
- default_format_files:
- - "conf/format/apache_access.conf.j2"
- - "conf/format/wsgi_access.conf.j2"
+ default_format_files: []
customised_format_files: "{{ find_custom_fluentd_formats.files | map(attribute='path') | list }}"
# Outputs
fluentd_output_files: "{{ default_output_files_enabled | customise_fluentd(customised_output_files) }}"
diff --git a/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2 b/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2
index 66a1897a20..d6bb684903 100644
--- a/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2
+++ b/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2
@@ -1,16 +1,6 @@
@type rewrite_tag_filter
capitalize_regex_backreference yes
-
- key programname
- pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|octavia-api-access|placement-api-access|trove-api-access)$
- tag apache_access
-
-
- key programname
- pattern ^(aodh_wsgi_access|barbican_api_uwsgi_access|zun_api_wsgi_access)$
- tag wsgi_access
-
key programname
pattern ^(nova-api|nova-compute|nova-compute-ironic|nova-conductor|nova-manage|nova-novncproxy|nova-scheduler|nova-placement-api|placement-api|privsep-helper)$
diff --git a/ansible/roles/fluentd/templates/conf/format/apache_access.conf.j2 b/ansible/roles/fluentd/templates/conf/format/apache_access.conf.j2
deleted file mode 100644
index ba12c6695d..0000000000
--- a/ansible/roles/fluentd/templates/conf/format/apache_access.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-
- @type parser
- reserve_data true
- key_name Payload
-
- @type grok
- grok_pattern \[%{HTTPDATE:Timestamp}\] "(?:%{WORD:http_method} %{NOTSPACE:http_url}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})" %{NUMBER:http_status} (?:%{NUMBER:http_bytes}|-) (?:%{NUMBER:http_response_time_us}|-) "%{DATA:referrer}" "%{DATA:agent}"
- time_key Timestamp
- time_format %d/%b/%Y:%H:%M:%S %z
- keep_time_key true
-
-
diff --git a/ansible/roles/fluentd/templates/conf/format/wsgi_access.conf.j2 b/ansible/roles/fluentd/templates/conf/format/wsgi_access.conf.j2
deleted file mode 100644
index fae0e52127..0000000000
--- a/ansible/roles/fluentd/templates/conf/format/wsgi_access.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-
- @type parser
- reserve_data true
- key_name Payload
-
- @type grok
- grok_pattern %{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:Timestamp}\] "(?:%{WORD:http_method} %{NOTSPACE:http_url}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})" %{NUMBER:http_status} (?:%{NUMBER:http_bytes}|-) (?:%{NUMBER:http_response_time_us}|-) %{QS:referrer} %{QS:agent}
- time_key Timestamp
- time_format %d/%b/%Y:%H:%M:%S %z
- keep_time_key true
-
-
diff --git a/ansible/roles/fluentd/templates/conf/input/04-apache.conf.j2 b/ansible/roles/fluentd/templates/conf/input/04-apache.conf.j2
new file mode 100644
index 0000000000..975e85f93f
--- /dev/null
+++ b/ansible/roles/fluentd/templates/conf/input/04-apache.conf.j2
@@ -0,0 +1,34 @@
+{% set apache_paths = [] %}
+{% if enable_keystone_federation | bool %}
+{% set _ = apache_paths.append('/var/log/kolla/keystone/apache-access.log') %}
+{% set _ = apache_paths.append('/var/log/kolla/keystone/apache-error.log') %}
+{% set _ = apache_paths.append('/var/log/kolla/keystone/keystone-apache-public-access.log') %}
+{% set _ = apache_paths.append('/var/log/kolla/keystone/keystone-apache-public-error.log') %}
+{% endif %}
+{% if enable_ironic | bool %}
+{% set _ = apache_paths.append('/var/log/kolla/ironic/ironic-http-access.log') %}
+{% set _ = apache_paths.append('/var/log/kolla/ironic/ironic-http-error.log') %}
+{% endif %}
+{% if enable_letsencrypt | bool %}
+{% set _ = apache_paths.append('/var/log/kolla/letsencrypt/letsencrypt-webserver-access.log') %}
+{% set _ = apache_paths.append('/var/log/kolla/letsencrypt/letsencrypt-webserver-error.log') %}
+{% endif %}
+{% if enable_skyline | bool %}
+{% set _ = apache_paths.append('/var/log/kolla/skyline/skyline-access.log') %}
+{% set _ = apache_paths.append('/var/log/kolla/skyline/skyline-error.log') %}
+{% set _ = apache_paths.append('/var/log/kolla/skyline/skyline-nginx-access.log') %}
+{% set _ = apache_paths.append('/var/log/kolla/skyline/skyline-nginx-error.log') %}
+{% endif %}
+{% if apache_paths | length > 0 %}
+
+ @type tail
+ path {{ apache_paths | join(',') }}
+ pos_file /var/run/fluentd/kolla-apache.pos
+ tag kolla.*
+ enable_watch_timer {{ fluentd_enable_watch_timer }}
+
+ @type regexp
+ expression /^(?.*)$/
+
+
+{% endif %}
diff --git a/ansible/roles/fluentd/templates/conf/input/04-openstack-wsgi.conf.j2 b/ansible/roles/fluentd/templates/conf/input/04-openstack-wsgi.conf.j2
deleted file mode 100644
index 20d408f123..0000000000
--- a/ansible/roles/fluentd/templates/conf/input/04-openstack-wsgi.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-# Note (blallau): to manage Apache and WSGI log files
-
- @type tail
- path /var/log/kolla/*/*-access.log,/var/log/kolla/*/*-error.log,/var/log/kolla/*/*_access.log,/var/log/kolla/*/*_error.log
- pos_file /var/run/fluentd/kolla-openstack-wsgi.pos
- tag kolla.*
- enable_watch_timer {{ fluentd_enable_watch_timer }}
-
- @type regexp
- expression /^(?.*)$/
-
-
diff --git a/ansible/roles/gnocchi/defaults/main.yml b/ansible/roles/gnocchi/defaults/main.yml
index 401f143267..83a29d5979 100644
--- a/ansible/roles/gnocchi/defaults/main.yml
+++ b/ansible/roles/gnocchi/defaults/main.yml
@@ -203,8 +203,3 @@ gnocchi_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}
# Copy certificates
###################
gnocchi_copy_certs: "{{ kolla_copy_ca_into_containers | bool or gnocchi_database_enable_tls_internal | bool }}"
-
-####################
-# WSGI
-####################
-gnocchi_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/gnocchi/tasks/config.yml b/ansible/roles/gnocchi/tasks/config.yml
index b895d0a0f8..00ee883dd2 100644
--- a/ansible/roles/gnocchi/tasks/config.yml
+++ b/ansible/roles/gnocchi/tasks/config.yml
@@ -61,20 +61,6 @@
become: true
with_dict: "{{ gnocchi_services | select_services_enabled_and_mapped_to_host }}"
-- name: Copying over wsgi-gnocchi.conf
- vars:
- service: "{{ gnocchi_services['gnocchi-api'] }}"
- ansible.builtin.template:
- src: "wsgi-gnocchi.conf.j2"
- dest: "{{ node_config_directory }}/{{ item }}/wsgi-gnocchi.conf"
- mode: "0660"
- become: true
- when:
- - gnocchi_wsgi_provider == "apache"
- - service | service_enabled_and_mapped_to_host
- with_items:
- - "gnocchi-api"
-
- name: "Configure uWSGI for Gnocchi"
ansible.builtin.include_role:
name: service-uwsgi-config
@@ -87,7 +73,6 @@
service_uwsgi_config_uid: "gnocchi"
service_uwsgi_config_workers: "{{ gnocchi_api_workers }}"
when:
- - gnocchi_wsgi_provider == "uwsgi"
- service | service_enabled_and_mapped_to_host
- name: Copying over existing policy file
diff --git a/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 b/ansible/roles/gnocchi/templates/gnocchi-api.json.j2
index 2fc22c6469..0880285efe 100644
--- a/ansible/roles/gnocchi/templates/gnocchi-api.json.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi-api.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set gnocchi_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if gnocchi_wsgi_provider == 'apache' else 'uwsgi /etc/gnocchi/gnocchi-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/gnocchi/gnocchi-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/gnocchi.conf",
"dest": "/etc/gnocchi/gnocchi.conf",
"owner": "gnocchi",
"perm": "0600"
- }{% if gnocchi_wsgi_provider == 'apache' %},
- {
- "source": "{{ container_config_directory }}/wsgi-gnocchi.conf",
- "dest": "/etc/{{ gnocchi_dir }}/wsgi-gnocchi.conf",
- "owner": "gnocchi",
- "perm": "0600"
- }{% elif gnocchi_wsgi_provider == 'uwsgi' %},
+ },
{
"source": "{{ container_config_directory }}/gnocchi-api-uwsgi.ini",
"dest": "/etc/gnocchi/gnocchi-api-uwsgi.ini",
"owner": "gnocchi",
"perm": "0600"
- }{% endif %}{% if gnocchi_policy_file is defined %},
+ }{% if gnocchi_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ gnocchi_policy_file }}",
"dest": "/etc/gnocchi/{{ gnocchi_policy_file }}",
diff --git a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
deleted file mode 100644
index f3309bfef0..0000000000
--- a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
+++ /dev/null
@@ -1,34 +0,0 @@
-{% set gnocchi_log_dir = '/var/log/kolla/gnocchi' %}
-{% set wsgi_path = '/var/lib/kolla/venv/bin' %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ gnocchi_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-ErrorLog "{{ gnocchi_log_dir }}/apache-error.log"
-
- CustomLog "{{ gnocchi_log_dir }}/apache-access.log" common
-
-
-{% if gnocchi_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
-
- ErrorLog "{{ gnocchi_log_dir }}/gnocchi-api-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ gnocchi_log_dir }}/gnocchi-api-access.log" logformat
- WSGIApplicationGroup %{GLOBAL}
- WSGIDaemonProcess gnocchi group=gnocchi processes={{ gnocchi_api_workers }} threads=1 user=gnocchi
- WSGIProcessGroup gnocchi
- WSGIScriptAlias / "{{ wsgi_path }}/gnocchi-api"
-
-
- Require all granted
-
-
-
diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml
index bc22c1a352..ca2992c56c 100644
--- a/ansible/roles/heat/defaults/main.yml
+++ b/ansible/roles/heat/defaults/main.yml
@@ -276,8 +276,3 @@ heat_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
# Copy certificates
###################
heat_copy_certs: "{{ kolla_copy_ca_into_containers | bool or heat_enable_tls_backend | bool or heat_database_enable_tls_internal | bool }}"
-
-######
-# WSGI
-######
-heat_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/heat/tasks/config.yml b/ansible/roles/heat/tasks/config.yml
index 3e2c488cb5..d1641dfaaf 100644
--- a/ansible/roles/heat/tasks/config.yml
+++ b/ansible/roles/heat/tasks/config.yml
@@ -66,18 +66,6 @@
- heat_policy_file is defined
with_dict: "{{ heat_services | select_services_enabled_and_mapped_to_host }}"
-- name: Copying over heat-api wsgi config
- vars:
- service: "{{ heat_services['heat-api'] }}"
- ansible.builtin.template:
- src: "{{ role_path }}/templates/wsgi-heat-api.conf.j2"
- dest: "{{ node_config_directory }}/heat-api/wsgi-heat-api.conf"
- mode: "0660"
- become: true
- when:
- - service | service_enabled_and_mapped_to_host
- - heat_wsgi_provider == "apache"
-
- name: Configure uWSGI for heat-api
ansible.builtin.include_role:
name: service-uwsgi-config
@@ -95,19 +83,6 @@
service_uwsgi_config_workers: "{{ heat_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - heat_wsgi_provider == "uwsgi"
-
-- name: Copying over heat-api-cfn wsgi config
- vars:
- service: "{{ heat_services['heat-api-cfn'] }}"
- ansible.builtin.template:
- src: "{{ role_path }}/templates/wsgi-heat-api-cfn.conf.j2"
- dest: "{{ node_config_directory }}/heat-api-cfn/wsgi-heat-api-cfn.conf"
- mode: "0660"
- become: true
- when:
- - service | service_enabled_and_mapped_to_host
- - heat_wsgi_provider == "apache"
- name: Configure uWSGI for heat-api-cfn
ansible.builtin.include_role:
@@ -126,4 +101,3 @@
service_uwsgi_config_workers: "{{ heat_api_cfn_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - heat_wsgi_provider == "uwsgi"
diff --git a/ansible/roles/heat/templates/heat-api-cfn.json.j2 b/ansible/roles/heat/templates/heat-api-cfn.json.j2
index 7868e4a1a1..1a308dfd80 100644
--- a/ansible/roles/heat/templates/heat-api-cfn.json.j2
+++ b/ansible/roles/heat/templates/heat-api-cfn.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if heat_wsgi_provider == 'apache' else 'uwsgi /etc/heat/heat-api-cfn-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/heat/heat-api-cfn-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/heat.conf",
"dest": "/etc/heat/heat.conf",
"owner": "heat",
"perm": "0600"
- }{% if heat_wsgi_provider == 'apache' %},
- {
- "source": "{{ container_config_directory }}/wsgi-heat-api-cfn.conf",
- "dest": "/etc/{{ apache_conf_dir }}/wsgi-heat-api-cfn.conf",
- "owner": "heat",
- "perm": "0600"
- }{% elif heat_wsgi_provider == 'uwsgi' %},
+ },
{
"source": "{{ container_config_directory }}/heat-api-cfn-uwsgi.ini",
"dest": "/etc/heat/heat-api-cfn-uwsgi.ini",
"owner": "heat",
"perm": "0600"
- }{% endif %}{% if heat_policy_file is defined %},
+ }{% if heat_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
"dest": "/etc/heat/{{ heat_policy_file }}",
diff --git a/ansible/roles/heat/templates/heat-api.json.j2 b/ansible/roles/heat/templates/heat-api.json.j2
index b3afb81820..0792678475 100644
--- a/ansible/roles/heat/templates/heat-api.json.j2
+++ b/ansible/roles/heat/templates/heat-api.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if heat_wsgi_provider == 'apache' else 'uwsgi /etc/heat/heat-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/heat/heat-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/heat.conf",
"dest": "/etc/heat/heat.conf",
"owner": "heat",
"perm": "0600"
- }{% if heat_wsgi_provider == 'apache' %},
- {
- "source": "{{ container_config_directory }}/wsgi-heat-api.conf",
- "dest": "/etc/{{ apache_conf_dir }}/wsgi-heat-api.conf",
- "owner": "heat",
- "perm": "0600"
- }{% elif heat_wsgi_provider == 'uwsgi' %},
+ },
{
"source": "{{ container_config_directory }}/heat-api-uwsgi.ini",
"dest": "/etc/heat/heat-api-uwsgi.ini",
"owner": "heat",
"perm": "0600"
- }{% endif %}{% if heat_policy_file is defined %},
+ }{% if heat_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
"dest": "/etc/heat/{{ heat_policy_file }}",
diff --git a/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2 b/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
deleted file mode 100644
index 1b339959fa..0000000000
--- a/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
+++ /dev/null
@@ -1,46 +0,0 @@
-{% set heat_log_dir = '/var/log/kolla/heat' %}
-{% set binary_path = '/var/lib/kolla/venv/bin' %}
-{% if heat_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_cfn_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-
-
- AllowOverride None
- Options None
- Require all granted
-
-
-
-ErrorLog "{{ heat_log_dir }}/apache-cfn-error.log"
-
-CustomLog "{{ heat_log_dir }}/apache-cfn-access.log" common
-
-
-
- WSGIDaemonProcess heat-api-cfn processes={{ heat_api_cfn_workers }} threads=1 user=heat group=heat display-name=heat-api-cfn
- WSGIProcessGroup heat-api-cfn
- WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api-cfn
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog "{{ heat_log_dir }}/heat-api-cfn-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ heat_log_dir }}/heat-api-cfn-access.log" logformat
-{% if heat_enable_tls_backend | bool %}
- SSLEngine On
- SSLCertificateFile /etc/heat/certs/heat-cert.pem
- SSLCertificateKeyFile /etc/heat/certs/heat-key.pem
-{% endif %}
-
diff --git a/ansible/roles/heat/templates/wsgi-heat-api.conf.j2 b/ansible/roles/heat/templates/wsgi-heat-api.conf.j2
deleted file mode 100644
index 175336f529..0000000000
--- a/ansible/roles/heat/templates/wsgi-heat-api.conf.j2
+++ /dev/null
@@ -1,46 +0,0 @@
-{% set heat_log_dir = '/var/log/kolla/heat' %}
-{% set binary_path = '/var/lib/kolla/venv/bin' %}
-{% if heat_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-
-
- AllowOverride None
- Options None
- Require all granted
-
-
-
-ErrorLog "{{ heat_log_dir }}/apache-error.log"
-
-CustomLog "{{ heat_log_dir }}/apache-access.log" common
-
-
-
- WSGIDaemonProcess heat-api processes={{ heat_api_workers }} threads=1 user=heat group=heat display-name=heat-api
- WSGIProcessGroup heat-api
- WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog "{{ heat_log_dir }}/heat-api-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ heat_log_dir }}/heat-api-access.log" logformat
-{% if heat_enable_tls_backend | bool %}
- SSLEngine On
- SSLCertificateFile /etc/heat/certs/heat-cert.pem
- SSLCertificateKeyFile /etc/heat/certs/heat-key.pem
-{% endif %}
-
diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml
index 2f69d04a5d..de4f6129a3 100644
--- a/ansible/roles/horizon/defaults/main.yml
+++ b/ansible/roles/horizon/defaults/main.yml
@@ -171,8 +171,3 @@ horizon_use_keystone_public_url: false
# Copy certificates
###################
horizon_copy_certs: "{{ kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool }}"
-
-############
-# WSGI
-############
-horizon_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml
index 8065779cf9..6f3564c603 100644
--- a/ansible/roles/horizon/tasks/config.yml
+++ b/ansible/roles/horizon/tasks/config.yml
@@ -48,22 +48,6 @@
mode: "0660"
when: service | service_enabled_and_mapped_to_host
-- name: Copying over horizon.conf
- become: true
- vars:
- service: "{{ horizon_services['horizon'] }}"
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ node_config_directory }}/horizon/horizon.conf"
- mode: "0660"
- with_first_found:
- - "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/horizon.conf"
- - "{{ node_custom_config }}/horizon/horizon.conf"
- - "horizon.conf.j2"
- when:
- - service | service_enabled_and_mapped_to_host
- - horizon_wsgi_provider == "apache"
-
- name: "Configure uWSGI for Horizon"
ansible.builtin.include_role:
name: service-uwsgi-config
@@ -78,9 +62,9 @@
service_uwsgi_config_tls_key: "/etc/horizon/certs/horizon-key.pem"
service_uwsgi_config_uid: "{{ 'horizon' if enable_haproxy | bool else 'root' }}"
service_uwsgi_config_workers: "{{ horizon_wsgi_processes }}"
+ service_uwsgi_config_threads: "{{ horizon_wsgi_threads }}"
when:
- service | service_enabled_and_mapped_to_host
- - horizon_wsgi_provider == "uwsgi"
- name: Copying over kolla-settings.py
become: true
diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
deleted file mode 100644
index 8d78f67a4f..0000000000
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ /dev/null
@@ -1,91 +0,0 @@
-{% if horizon_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-
-
- LogLevel warn
- ErrorLogFormat "%{cu}t %M"
- ErrorLog /var/log/kolla/horizon/horizon-error.log
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog /var/log/kolla/horizon/horizon-access.log logformat
-
- WSGIScriptReloading On
- WSGIDaemonProcess horizon-http processes={{ horizon_wsgi_processes }} threads={{ horizon_wsgi_threads }} user=horizon group=horizon display-name=horizon
- WSGIProcessGroup horizon-http
- WSGIScriptAlias / /var/lib/kolla/venv/lib/python3/site-packages/openstack_dashboard/wsgi.py
- WSGIPassAuthorization On
- WSGIApplicationGroup %{GLOBAL}
-
-
- Require all granted
-
-
-
- Require local
-
-
- Alias /static /var/lib/kolla/venv/lib/python3/site-packages/static
-
- SetHandler None
-
-
-{% if horizon_enable_tls_backend | bool %}
- SSLEngine On
- SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
- SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
-{% endif %}
-{% if horizon_httpd_limitrequestbody is defined %}
- LimitRequestBody {{ horizon_httpd_limitrequestbody }}
-{% endif %}
-
-
-
- # Compress HTML, CSS, JavaScript, Json, Text, XML and fonts
- AddOutputFilterByType DEFLATE application/javascript
- AddOutputFilterByType DEFLATE application/json
- AddOutputFilterByType DEFLATE application/rss+xml
- AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
- AddOutputFilterByType DEFLATE application/x-font
- AddOutputFilterByType DEFLATE application/x-font-opentype
- AddOutputFilterByType DEFLATE application/x-font-otf
- AddOutputFilterByType DEFLATE application/x-font-truetype
- AddOutputFilterByType DEFLATE application/x-font-ttf
- AddOutputFilterByType DEFLATE application/x-javascript
- AddOutputFilterByType DEFLATE application/xhtml+xml
- AddOutputFilterByType DEFLATE application/xml
- AddOutputFilterByType DEFLATE font/opentype
- AddOutputFilterByType DEFLATE font/otf
- AddOutputFilterByType DEFLATE font/ttf
- AddOutputFilterByType DEFLATE image/svg+xml
- AddOutputFilterByType DEFLATE image/x-icon
- AddOutputFilterByType DEFLATE text/css
- AddOutputFilterByType DEFLATE text/html
- AddOutputFilterByType DEFLATE text/javascript
- AddOutputFilterByType DEFLATE text/plain
- AddOutputFilterByType DEFLATE text/xml
-
-
-
-
- ExpiresActive on
- ExpiresDefault "access plus 1 month"
- ExpiresByType application/javascript "access plus 1 year"
- ExpiresByType text/css "access plus 1 year"
- ExpiresByType image/x-ico "access plus 1 year"
- ExpiresByType image/jpg "access plus 1 year"
- ExpiresByType image/jpeg "access plus 1 year"
- ExpiresByType image/gif "access plus 1 year"
- ExpiresByType image/png "access plus 1 year"
- Header merge Cache-Control public
- Header unset ETag
-
-
diff --git a/ansible/roles/horizon/templates/horizon.json.j2 b/ansible/roles/horizon/templates/horizon.json.j2
index 9b86503dca..f7859194ae 100644
--- a/ansible/roles/horizon/templates/horizon.json.j2
+++ b/ansible/roles/horizon/templates/horizon.json.j2
@@ -1,23 +1,11 @@
-{% set apache_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set apache_file = '000-default.conf' if kolla_base_distro in ['ubuntu', 'debian'] else 'horizon.conf' %}
-{% set uwsgi_cmd = 'uwsgi /etc/horizon/horizon-uwsgi.ini' %}
-{% set command = uwsgi_cmd if horizon_wsgi_provider == 'uwsgi' else ('/usr/sbin/' + apache_cmd + ' -DFOREGROUND') %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/horizon/horizon-uwsgi.ini",
"config_files": [
{
-{% if horizon_wsgi_provider == 'apache' %}
- "source": "{{ container_config_directory }}/horizon.conf",
- "dest": "/etc/{{ apache_dir }}/{{ apache_file }}",
- "owner": "horizon",
- "perm": "0600"
-{% elif horizon_wsgi_provider == 'uwsgi' %}
"source": "{{ container_config_directory }}/horizon-uwsgi.ini",
"dest": "/etc/horizon/horizon-uwsgi.ini",
"owner": "horizon",
"perm": "0600"
-{% endif %}
},
{% for path in custom_policy %}
{
diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index 10b5a6d4f4..12ee3a1850 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -359,11 +359,6 @@ ironic_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
###################
ironic_copy_certs: "{{ kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool or ironic_database_enable_tls_internal | bool }}"
-############
-# WSGI
-############
-ironic_wsgi_provider: "uwsgi"
-
############
# NTP
############
diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml
index cc1073081f..bfe7c600e4 100644
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@@ -153,22 +153,6 @@
- "ironic-http-httpd.conf.j2"
when: service | service_enabled_and_mapped_to_host
-- name: Copying over ironic-prometheus-exporter-wsgi.conf
- vars:
- service: "{{ ironic_services['ironic-prometheus-exporter'] }}"
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ node_config_directory }}/ironic-prometheus-exporter/ironic-prometheus-exporter-wsgi.conf"
- mode: "0660"
- become: true
- with_first_found:
- - "{{ node_config_directory }}/ironic/{{ inventory_hostname }}/ironic-prometheus-exporter-wsgi.conf"
- - "{{ node_config_directory }}/ironic/ironic-prometheus-exporter-wsgi.conf"
- - "ironic-prometheus-exporter-wsgi.conf.j2"
- when:
- - service | service_enabled_and_mapped_to_host
- - ironic_wsgi_provider == "apache"
-
- name: Copying over existing Ironic policy file
vars:
services_require_policy_json:
@@ -184,18 +168,6 @@
- item.key in services_require_policy_json
with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}"
-- name: Copying over ironic-api-wsgi.conf
- vars:
- service: "{{ ironic_services['ironic-api'] }}"
- ansible.builtin.template:
- src: "ironic-api-wsgi.conf.j2"
- dest: "{{ node_config_directory }}/ironic-api/ironic-api-wsgi.conf"
- mode: "0660"
- become: true
- when:
- - service | service_enabled_and_mapped_to_host
- - ironic_wsgi_provider == "apache"
-
- name: "Configure uWSGI for ironic-api"
ansible.builtin.include_role:
name: service-uwsgi-config
@@ -213,7 +185,6 @@
service_uwsgi_config_workers: "{{ item.workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - ironic_wsgi_provider == "uwsgi"
loop:
- { name: "ironic-api", port: "{{ ironic_api_listen_port }}", workers: "{{ ironic_api_workers }}" }
- { name: "ironic-prometheus-exporter", port: "{{ ironic_prometheus_exporter_port }}", workers: "{{ ironic_prometheus_exporter_workers }}" }
diff --git a/ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2 b/ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2
deleted file mode 100644
index 03fce1104f..0000000000
--- a/ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2
+++ /dev/null
@@ -1,49 +0,0 @@
-{% set ironic_log_dir = '/var/log/kolla/ironic' %}
-{% set wsgi_directory = '/var/lib/kolla/venv/bin' %}
-{% if ironic_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ ironic_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-
-
- Options None
- Require all granted
-
-
-
-ErrorLog "{{ ironic_log_dir }}/apache-error.log"
-
-CustomLog "{{ ironic_log_dir }}/apache-access.log" common
-
-
-{% if ironic_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
- WSGIDaemonProcess ironic-api processes={{ ironic_api_workers }} threads=1 user=ironic group=ironic display-name=ironic-api
- WSGIProcessGroup ironic-api
- WSGIScriptAlias / {{ wsgi_directory }}/ironic-api-wsgi
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog "{{ ironic_log_dir }}/ironic-api-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ ironic_log_dir }}/ironic-api-access.log" logformat
-{% if ironic_enable_tls_backend | bool %}
- SSLEngine on
- SSLCertificateFile /etc/ironic/certs/ironic-cert.pem
- SSLCertificateKeyFile /etc/ironic/certs/ironic-key.pem
-{% endif %}
-
diff --git a/ansible/roles/ironic/templates/ironic-api.json.j2 b/ansible/roles/ironic/templates/ironic-api.json.j2
index 7765e421f5..d9c5d5f8b5 100644
--- a/ansible/roles/ironic/templates/ironic-api.json.j2
+++ b/ansible/roles/ironic/templates/ironic-api.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if ironic_wsgi_provider == 'apache' else 'uwsgi /etc/ironic/ironic-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/ironic/ironic-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/ironic.conf",
"dest": "/etc/ironic/ironic.conf",
"owner": "ironic",
"perm": "0600"
- }{% if ironic_wsgi_provider == "apache" %},
- {
- "source": "{{ container_config_directory }}/ironic-api-wsgi.conf",
- "dest": "/etc/{{ apache_conf_dir }}/ironic-api-wsgi.conf",
- "owner": "ironic",
- "perm": "0600"
- }{% elif ironic_wsgi_provider == "uwsgi" %},
+ },
{
"source": "{{ container_config_directory }}/ironic-api-uwsgi.ini",
"dest": "/etc/ironic/ironic-api-uwsgi.ini",
"owner": "ironic",
"perm": "0600"
- }{% endif %}{% if ironic_policy_file is defined %},
+ }{% if ironic_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
"dest": "/etc/ironic/{{ ironic_policy_file }}",
diff --git a/ansible/roles/ironic/templates/ironic-prometheus-exporter-wsgi.conf.j2 b/ansible/roles/ironic/templates/ironic-prometheus-exporter-wsgi.conf.j2
deleted file mode 100644
index 319bf2f888..0000000000
--- a/ansible/roles/ironic/templates/ironic-prometheus-exporter-wsgi.conf.j2
+++ /dev/null
@@ -1,37 +0,0 @@
-{% set ironic_log_dir = '/var/log/kolla/ironic' %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ ironic_prometheus_exporter_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-
-
-
- AllowOverride None
- Options None
- Require all granted
-
-
-
-ErrorLog "{{ ironic_log_dir }}/apache-error.log"
-
- CustomLog "{{ ironic_log_dir }}/apache-access.log" common
-
-
-{% if ironic_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
- ErrorLog "{{ ironic_log_dir }}/ironic-prometheus-exporter-wsgi-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ ironic_log_dir }}/ironic-prometheus-exporter-wsgi-access.log" logformat
-
- WSGIDaemonProcess ironic-prometheus-exporter processes={{ openstack_service_workers }} threads=1 user=ironic display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python3/site-packages
- WSGIProcessGroup ironic-prometheus-exporter
- WSGIScriptAlias / /var/lib/kolla/venv/lib/python3/site-packages/ironic_prometheus_exporter/app/wsgi.py
- WSGIApplicationGroup %{GLOBAL}
-
- Require all granted
-
-
diff --git a/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2 b/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2
index 1075b312d3..a4d931effc 100644
--- a/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2
+++ b/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2
@@ -1,27 +1,18 @@
-{% set ironic_prometheus_exporter_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set ironic_prometheus_exporter_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if ironic_wsgi_provider == 'apache' else 'uwsgi /etc/ironic/ironic-prometheus-exporter-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/ironic/ironic-prometheus-exporter-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/ironic.conf",
"dest": "/etc/ironic/ironic.conf",
"owner": "ironic",
"perm": "0600"
- }{% if ironic_wsgi_provider == 'apache' %},
- {
- "source": "{{ container_config_directory }}/ironic-prometheus-exporter-wsgi.conf",
- "dest": "/etc/{{ ironic_prometheus_exporter_dir }}/ironic-prometheus-exporter-wsgi.conf",
- "owner": "ironic",
- "perm": "0600"
- }{% elif ironic_wsgi_provider == 'uwsgi' %},
+ },
{
"source": "{{ container_config_directory }}/ironic-prometheus-exporter-uwsgi.ini",
"dest": "/etc/ironic/ironic-prometheus-exporter-uwsgi.ini",
"owner": "ironic",
"perm": "0600"
- }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ }{% if kolla_copy_ca_into_containers | bool %},
{
"source": "{{ container_config_directory }}/ca-certificates",
"dest": "/var/lib/kolla/share/ca-certificates",
diff --git a/ansible/roles/iscsi/defaults/main.yml b/ansible/roles/iscsi/defaults/main.yml
index 8d94bcaf5b..ecf8ad6e11 100644
--- a/ansible/roles/iscsi/defaults/main.yml
+++ b/ansible/roles/iscsi/defaults/main.yml
@@ -57,10 +57,18 @@ tgtd_default_volumes:
iscsid_extra_volumes: "{{ default_extra_volumes }}"
tgtd_extra_volumes: "{{ default_extra_volumes }}"
+iscsid_cinder_backup_group: >-
+ {{ 'cinder-backup-multiple' if (cinder_enabled_backends | length > 1 and enable_cinder_backend_lvm | bool) else
+ 'cinder-backup-lvm' if enable_cinder_backend_lvm | bool else
+ 'cinder-backup' }}
+iscsid_cinder_volume_group: >-
+ {{ 'cinder-volume-multiple' if (cinder_enabled_backends | length > 1 and enable_cinder_backend_lvm | bool) else
+ 'cinder-volume-lvm' if enable_cinder_backend_lvm | bool else
+ 'cinder-volume' }}
enable_iscsid_for_cinder: >-
{{ (inventory_hostname in groups['compute']
- or inventory_hostname in groups['cinder-backup']
- or inventory_hostname in groups['cinder-volume'])
+ or inventory_hostname in groups[iscsid_cinder_backup_group] if enable_cinder_backend_lvm | bool
+ or inventory_hostname in groups[iscsid_cinder_volume_group] if enable_cinder_backend_lvm | bool)
and enable_cinder | bool
and enable_cinder_backend_iscsi | bool }}
enable_iscsid_for_ironic: >-
diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index bb3b352866..bb4efcd9d0 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -48,7 +48,7 @@ keystone_services:
keystone-httpd:
container_name: "keystone_httpd"
group: "keystone"
- enabled: "{{ enable_keystone_federation | bool and keystone_wsgi_provider == 'uwsgi' }}"
+ enabled: "{{ enable_keystone_federation | bool }}"
image: "{{ keystone_httpd_image_full }}"
volumes: "{{ keystone_httpd_default_volumes + keystone_httpd_extra_volumes }}"
dimensions: "{{ keystone_httpd_dimensions }}"
@@ -265,10 +265,7 @@ keystone_remote_id_attribute_oidc: "HTTP_OIDC_ISS"
keystone_container_federation_oidc_metadata_folder: "{{ '/etc/apache2/metadata' if kolla_base_distro in ['debian', 'ubuntu'] else '/etc/httpd/metadata' }}"
keystone_container_federation_oidc_idp_certificate_folder: "{{ '/etc/apache2/cert' if kolla_base_distro in ['debian', 'ubuntu'] else '/etc/httpd/cert' }}"
keystone_container_federation_oidc_attribute_mappings_folder: "{{ container_config_directory }}/federation/oidc/attribute_maps"
-keystone_host_federation_base_folder: >-
- {{ node_config_directory }}/{{
- 'keystone-httpd' if keystone_wsgi_provider == 'uwsgi' else 'keystone'
- }}/federation
+keystone_host_federation_base_folder: "{{ node_config_directory }}/keystone-httpd/federation"
keystone_host_federation_oidc_metadata_folder: "{{ keystone_host_federation_base_folder }}/oidc/metadata"
keystone_host_federation_oidc_idp_certificate_folder: "{{ keystone_host_federation_base_folder }}/oidc/cert"
keystone_host_federation_oidc_attribute_mappings_folder: "{{ keystone_host_federation_base_folder }}/oidc/attribute_maps"
@@ -322,5 +319,4 @@ keystone_copy_certs: "{{ kolla_copy_ca_into_containers | bool or keystone_enable
############
# WSGI
############
-keystone_wsgi_provider: "uwsgi"
keystone_wsgi_socket_port: "5001"
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index 2170135ddb..92c306d975 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -126,22 +126,6 @@
when:
- keystone_enable_federation_openid | bool
-- name: Copying over wsgi-keystone.conf
- vars:
- service: "{{ keystone_services['keystone'] }}"
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ node_config_directory }}/keystone/wsgi-keystone.conf"
- mode: "0660"
- become: true
- when:
- - service | service_enabled_and_mapped_to_host
- - keystone_wsgi_provider == "apache"
- with_first_found:
- - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/wsgi-keystone.conf"
- - "{{ node_custom_config }}/keystone/wsgi-keystone.conf"
- - "wsgi-keystone.conf.j2"
-
- name: "Configure uWSGI for Keystone"
ansible.builtin.include_role:
name: service-uwsgi-config
@@ -163,7 +147,6 @@
service_uwsgi_config_workers: "{{ keystone_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - keystone_wsgi_provider == "uwsgi"
- name: Copying over httpd-keystone.conf
vars:
@@ -175,7 +158,6 @@
become: true
when:
- service | service_enabled_and_mapped_to_host
- - keystone_wsgi_provider == "uwsgi"
with_first_found:
- "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/httpd-keystone.conf"
- "{{ node_custom_config }}/keystone/httpd-keystone.conf"
diff --git a/ansible/roles/keystone/templates/keystone-startup.sh.j2 b/ansible/roles/keystone/templates/keystone-startup.sh.j2
index 224e86f5dd..6ea097ba29 100644
--- a/ansible/roles/keystone/templates/keystone-startup.sh.j2
+++ b/ansible/roles/keystone/templates/keystone-startup.sh.j2
@@ -1,8 +1,4 @@
#!/bin/bash -x
-{% set apache_cmd = '/usr/sbin/apache2' if kolla_base_distro in ['ubuntu', 'debian'] else '/usr/sbin/httpd' %}
-{% set uwsgi_cmd = 'uwsgi /etc/keystone/keystone-api-uwsgi.ini' %}
-{% set keystone_cmd = uwsgi_cmd if keystone_wsgi_provider == 'uwsgi' else (apache_cmd + ' -DFOREGROUND') %}
-
set -o errexit
set -o pipefail
@@ -23,4 +19,4 @@ while [ ! -f "${FERNET_KEY_DIR}/0" ]; do
fi
done
-exec {{ keystone_cmd }} $@
+exec uwsgi /etc/keystone/keystone-api-uwsgi.ini
diff --git a/ansible/roles/keystone/templates/keystone.json.j2 b/ansible/roles/keystone/templates/keystone.json.j2
index a4cf8b7fa5..4ebfdce8e2 100644
--- a/ansible/roles/keystone/templates/keystone.json.j2
+++ b/ansible/roles/keystone/templates/keystone.json.j2
@@ -1,5 +1,3 @@
-{% set keystone_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set apache_user = 'www-data' if kolla_base_distro in ['ubuntu', 'debian'] else 'apache' %}
{
"command": "/usr/bin/keystone-startup.sh",
"config_files": [
@@ -28,22 +26,16 @@
"owner": "keystone",
"perm": "0600",
"optional": true
- }{% if keystone_policy_file is defined %},
- {
- "source": "{{ container_config_directory }}/{{ keystone_policy_file }}",
- "dest": "/etc/keystone/{{ keystone_policy_file }}",
- "owner": "keystone",
- "perm": "0600"
- }{% endif %}{% if keystone_wsgi_provider == 'apache' %},
+ },
{
- "source": "{{ container_config_directory }}/wsgi-keystone.conf",
- "dest": "/etc/{{ keystone_dir }}/wsgi-keystone.conf",
+ "source": "{{ container_config_directory }}/keystone-uwsgi.ini",
+ "dest": "/etc/keystone/keystone-api-uwsgi.ini",
"owner": "keystone",
"perm": "0600"
- }{% elif keystone_wsgi_provider == 'uwsgi' %},
+ }{% if keystone_policy_file is defined %},
{
- "source": "{{ container_config_directory }}/keystone-uwsgi.ini",
- "dest": "/etc/keystone/keystone-api-uwsgi.ini",
+ "source": "{{ container_config_directory }}/{{ keystone_policy_file }}",
+ "dest": "/etc/keystone/{{ keystone_policy_file }}",
"owner": "keystone",
"perm": "0600"
}{% endif %}{% if keystone_enable_tls_backend | bool %},
@@ -58,28 +50,7 @@
"dest": "/etc/keystone/certs/keystone-key.pem",
"owner": "keystone",
"perm": "0600"
- }{% endif %}{% if keystone_enable_federation_openid | bool and keystone_wsgi_provider == 'apache' %},
- {
- "source": "{{ container_config_directory }}/federation/oidc/metadata",
- "dest": "{{ keystone_container_federation_oidc_metadata_folder }}",
- "owner": "{{ apache_user }}:{{ apache_user }}",
- "perm": "0600",
- "merge": true
- },
- {
- "source": "{{ container_config_directory }}/federation/oidc/cert",
- "dest": "{{ keystone_container_federation_oidc_idp_certificate_folder }}",
- "owner": "{{ apache_user }}:{{ apache_user }}",
- "perm": "0600",
- "merge": true
- },
- {
- "source": "{{ container_config_directory }}/federation/modoidc-error-page.html",
- "dest": "/var/www/html/modoidc-error-page.html",
- "owner": "{{ apache_user }}:{{ apache_user }}",
- "perm": "0600"
- }
- {% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
{
"source": "{{ container_config_directory }}/ca-certificates",
"dest": "/var/lib/kolla/share/ca-certificates",
@@ -95,17 +66,7 @@
{
"path": "/var/log/kolla/keystone/keystone.log",
"owner": "keystone:keystone"
- },{% if keystone_enable_federation_openid | bool and keystone_wsgi_provider == 'apache' %}
- {
- "path": "{{ keystone_container_federation_oidc_metadata_folder }}",
- "owner": "{{ apache_user }}:{{ apache_user }}",
- "perm": "0700"
},
- {
- "path": "{{ keystone_container_federation_oidc_idp_certificate_folder }}",
- "owner": "{{ apache_user }}:{{ apache_user }}",
- "perm": "0700"
- },{% endif %}
{
"path": "/etc/keystone/fernet-keys",
"owner": "keystone:keystone",
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
deleted file mode 100644
index 13f9f56c5c..0000000000
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ /dev/null
@@ -1,121 +0,0 @@
-{% set keystone_log_dir = '/var/log/kolla/keystone' %}
-{% set binary_path = '/var/lib/kolla/venv/bin' %}
-{% if keystone_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-ErrorLog "{{ keystone_log_dir }}/apache-error.log"
-
- CustomLog "{{ keystone_log_dir }}/apache-access.log" common
-
-
-{% if keystone_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
-
- AllowOverride None
- Options None
- Require all granted
-
-
-
-
-
-{# NOTE(darmach): with external tls enabled OIDC redirection fails, as TLS terminated on haproxy keystone is not aware that redirection should use https. -#}
-{# With missing ServerName Keystone Apache uses fqdn, with http. Adding ServerName pointing to keystone_public_url corrects this. -#}
-{% if kolla_enable_tls_external | bool %}
- ServerName {{ keystone_public_url }}
-{% endif %}
- WSGIDaemonProcess keystone-public processes={{ keystone_api_workers }} threads=1 user=keystone group=keystone display-name=keystone-public
- WSGIProcessGroup keystone-public
- WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat
-
-{% if keystone_enable_tls_backend | bool %}
- SSLEngine on
- SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
- SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
-{% endif %}
-
-{% if keystone_enable_federation_openid | bool %}
-{% if keystone_federation_oidc_forwarded_headers | length > 0 %}
- OIDCXForwardedHeaders "{{ keystone_federation_oidc_forwarded_headers }}"
-{% endif %}
- OIDCClaimPrefix "OIDC-"
- OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}"
- OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
- OIDCScope "{{ keystone_federation_oidc_scopes }}"
- OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
-{% if keystone_federation_oidc_jwks_uri | length > 0 %}
- OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }}
-{% endif %}
-{# TODO(mnasiadka): Drop this when introducing Ubuntu 26.04 or when Noble bumps package version #}
-{% if kolla_base_distro == "ubuntu" %}
- OIDCHTMLErrorTemplate /var/www/html/modoidc-error-page.html
-{% endif %}
-{% if keystone_federation_openid_certificate_key_ids | length > 0 %}
- OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }}
-{% endif %}
- OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }}
- OIDCRedirectURI {{ keystone_public_url }}/redirect_uri
-{% if enable_memcached | bool and keystone_oidc_enable_memcached | bool %}
- OIDCCacheType memcache
- OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}"
-{% endif %}
-{% for key, value in keystone_federation_oidc_additional_options.items() %}
- {{ key }} {{ value }}
-{% endfor %}
-
-
- Require valid-user
- AuthType openid-connect
-
-
- {# WebSSO authentication endpoint -#}
-
- Require valid-user
- AuthType openid-connect
-
-
-{% for idp in keystone_identity_providers %}
-{% if idp.protocol == 'openid' %}
-
- OIDCDiscoverURL {{ keystone_public_url }}/redirect_uri?iss={{ idp.identifier | urlencode }}
- Require valid-user
- AuthType openid-connect
-
-{% endif %}
-{% endfor %}
-
- {# CLI / API authentication endpoint -#}
-{% for idp in keystone_identity_providers %}
-{% if idp.protocol == 'openid' %}
-
- Require valid-user
- {# Note(jasonanderson): `auth-openidc` is a special auth type that can -#}
- {# additionally handle verifying bearer tokens -#}
- AuthType auth-openidc
-
-{% endif %}
-{% endfor %}
-{% endif %}
-
-
diff --git a/ansible/roles/masakari/defaults/main.yml b/ansible/roles/masakari/defaults/main.yml
index 12910a5b92..7c39e60d92 100644
--- a/ansible/roles/masakari/defaults/main.yml
+++ b/ansible/roles/masakari/defaults/main.yml
@@ -217,8 +217,3 @@ masakari_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }
# Copy certificates
###################
masakari_copy_certs: "{{ kolla_copy_ca_into_containers | bool or masakari_database_enable_tls_internal | bool }}"
-
-############
-# WSGI
-############
-masakari_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/masakari/tasks/config.yml b/ansible/roles/masakari/tasks/config.yml
index 350648efb9..26eb3573b0 100644
--- a/ansible/roles/masakari/tasks/config.yml
+++ b/ansible/roles/masakari/tasks/config.yml
@@ -89,18 +89,6 @@
- masakari-instancemonitor
- masakari-hostmonitor
-- name: Copying over wsgi-masakari file for services
- vars:
- service: "{{ masakari_services['masakari-api'] }}"
- ansible.builtin.template:
- src: "wsgi-masakari.conf.j2"
- dest: "{{ node_config_directory }}/masakari-api/wsgi-masakari.conf"
- mode: "0660"
- become: true
- when:
- - service | service_enabled_and_mapped_to_host
- - masakari_wsgi_provider == "apache"
-
- name: "Configure uWSGI for Masakari"
ansible.builtin.include_role:
name: service-uwsgi-config
@@ -115,7 +103,6 @@
service_uwsgi_config_workers: "{{ masakari_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - masakari_wsgi_provider == "uwsgi"
- name: Copying over masakari-api-paste.ini
vars:
diff --git a/ansible/roles/masakari/templates/masakari-api.json.j2 b/ansible/roles/masakari/templates/masakari-api.json.j2
index b0b2ca370d..55d1c103d0 100644
--- a/ansible/roles/masakari/templates/masakari-api.json.j2
+++ b/ansible/roles/masakari/templates/masakari-api.json.j2
@@ -1,8 +1,5 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if masakari_wsgi_provider == 'apache' else 'uwsgi /etc/masakari/masakari-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/masakari/masakari-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/masakari.conf",
@@ -15,19 +12,13 @@
"dest": "/etc/masakari/api-paste.ini",
"owner": "masakari",
"perm": "0600"
- }{% if masakari_wsgi_provider == 'apache' %},
- {
- "source": "{{ container_config_directory }}/wsgi-masakari.conf",
- "dest": "/etc/{{ apache_conf_dir }}/wsgi-masakari.conf",
- "owner": "root",
- "perm": "0600"
- }{% elif masakari_wsgi_provider == 'uwsgi' %},
+ },
{
"source": "{{ container_config_directory }}/masakari-api-uwsgi.ini",
"dest": "/etc/masakari/masakari-api-uwsgi.ini",
"owner": "masakari",
"perm": "0600"
- }{% endif %}{% if masakari_policy_file is defined %},
+ }{% if masakari_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ masakari_policy_file }}",
"dest": "/etc/masakari/{{ masakari_policy_file }}",
diff --git a/ansible/roles/masakari/templates/wsgi-masakari.conf.j2 b/ansible/roles/masakari/templates/wsgi-masakari.conf.j2
deleted file mode 100644
index 1891dcde81..0000000000
--- a/ansible/roles/masakari/templates/wsgi-masakari.conf.j2
+++ /dev/null
@@ -1,37 +0,0 @@
-{% set masakari_log_dir = '/var/log/kolla/masakari' %}
-{% set binary_path = '/var/lib/kolla/venv/bin' %}
-
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ masakari_api_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-ErrorLog "{{ masakari_log_dir }}/apache-error.log"
-
- CustomLog "{{ masakari_log_dir }}/apache-access.log" common
-
-
-{% if masakari_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
-
- Options Indexes FollowSymLinks MultiViews
- Require all granted
-
-
-
-
- ## Logging
- ErrorLog "{{ masakari_log_dir }}/masakari_wsgi_error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ masakari_log_dir }}/masakari_wsgi_access.log" logformat
- WSGIApplicationGroup %{GLOBAL}
- WSGIDaemonProcess masakari group=masakari processes={{ masakari_api_workers }} threads=1 user=masakari
- WSGIProcessGroup masakari
- WSGIScriptAlias / "{{ binary_path }}/masakari-wsgi"
-
diff --git a/ansible/roles/nova-cell/defaults/main.yml b/ansible/roles/nova-cell/defaults/main.yml
index 6979408e93..790190fb08 100644
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@@ -72,6 +72,8 @@ nova_cell_services:
volumes: "{{ nova_compute_ironic_default_volumes + nova_compute_ironic_extra_volumes }}"
dimensions: "{{ nova_compute_ironic_dimensions }}"
healthcheck: "{{ nova_compute_ironic_healthcheck }}"
+ iterate: "{{ nova_multi_compute_ironic_config | length > 0 }}"
+ iterate_var: "{{ nova_multi_compute_ironic_config | length }}"
####################
# Config Validate
@@ -501,7 +503,7 @@ nova_compute_default_volumes:
- "{% if enable_shared_var_lib_nova_mnt | bool %}/var/lib/nova/mnt:/var/lib/nova/mnt:shared{% endif %}"
- "{{ kolla_dev_repos_directory ~ '/nova:/dev-mode/nova' if nova_dev_mode | bool else '' }}"
nova_compute_ironic_default_volumes:
- - "{{ node_config_directory }}/nova-compute-ironic/:{{ container_config_directory }}/:ro"
+ - "{{ node_config_directory }}/nova-compute-ironic{{ '-' ~ item if item|default(0)|int > 0 else '' }}/:{{ container_config_directory }}/:ro"
- "/etc/localtime:/etc/localtime:ro"
- "kolla_logs:/var/log/kolla/"
- "{{ '/dev/shm:/dev/shm' }}"
@@ -675,6 +677,17 @@ nova_libvirt_cleanup_remove_volumes: false
# Database
nova_cell_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
+##############################
+# Nova Compute Ironic scaling
+##############################
+
+# The following option can be used to deploy multiple instances of Nova
+# Compute Ironic per host. This is useful for deployments with a large
+# number of baremetal nodes (>200). Please see the advanced documentation
+# section for further details.
+
+nova_multi_compute_ironic_config: []
+
###################
# Copy certificates
###################
diff --git a/ansible/roles/nova-cell/handlers/main.yml b/ansible/roles/nova-cell/handlers/main.yml
index a67a1231f5..c6ac28da9a 100644
--- a/ansible/roles/nova-cell/handlers/main.yml
+++ b/ansible/roles/nova-cell/handlers/main.yml
@@ -162,16 +162,21 @@
vars:
service_name: "nova-compute-ironic"
service: "{{ nova_cell_services[service_name] }}"
+ item: "{{ changed_container.item }}"
+ container_name_postfix: "{{ '' if changed_container == 'legacy' else '_' ~ item }}"
become: true
kolla_container:
action: "recreate_or_restart_container"
common_options: "{{ docker_common_options }}"
- name: "{{ service.container_name }}"
+ name: "{{ service.container_name + container_name_postfix }}"
image: "{{ service.image }}"
privileged: "{{ service.privileged | default(False) }}"
volumes: "{{ service.volumes | reject('equalto', '') | list }}"
dimensions: "{{ service.dimensions }}"
healthcheck: "{{ service.healthcheck | default(omit) }}"
+ loop_control:
+ loop_var: changed_container
+ loop: "{{ nova_compute_ironic_changed_containers | default(['legacy']) }}"
# nova-compute-fake is special. It will start multi numbers of container
# so put all variables here rather than defaults/main.yml file
diff --git a/ansible/roles/nova-cell/tasks/cleanup.yml b/ansible/roles/nova-cell/tasks/cleanup.yml
new file mode 100644
index 0000000000..0f0952823e
--- /dev/null
+++ b/ansible/roles/nova-cell/tasks/cleanup.yml
@@ -0,0 +1,26 @@
+---
+- name: Stop and remove containers for unmanaged services
+ become: true
+ vars:
+ service_name: "nova-compute-ironic"
+ service: "{{ nova_cell_services[service_name] }}"
+ kolla_container:
+ action: "stop_and_remove_container"
+ name: "{{ service.container_name ~ '_' ~ item }}"
+ loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}"
+ when:
+ - service.iterate | bool
+ - inventory_hostname not in groups[nova_cell_compute_ironic_group ~ '-' ~ item]
+
+- name: Removing config for unmanaged services
+ vars:
+ service_name: "nova-compute-ironic"
+ service: "{{ nova_cell_services[service_name] }}"
+ ansible.builtin.file:
+ path: "{{ node_config_directory }}/{{ service_name ~ '-' ~ item }}"
+ state: "absent"
+ become: true
+ loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}"
+ when:
+ - service.iterate | bool
+ - inventory_hostname not in groups[nova_cell_compute_ironic_group ~ '-' ~ item]
diff --git a/ansible/roles/nova-cell/tasks/config-compute-ironic.yml b/ansible/roles/nova-cell/tasks/config-compute-ironic.yml
new file mode 100644
index 0000000000..0f1c05a9f0
--- /dev/null
+++ b/ansible/roles/nova-cell/tasks/config-compute-ironic.yml
@@ -0,0 +1,67 @@
+---
+- name: "Ensuring config directories exist for Nova Compute Ironic container {{ item }}"
+ vars:
+ nova_compute_ironic_id: "{{ item }}"
+ ansible.builtin.file:
+ path: "{{ node_config_directory }}/nova-compute-ironic-{{ item }}"
+ state: "directory"
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ mode: "0770"
+ become: true
+
+- name: "Copying over config.json files for Nova Compute Ironic container {{ item }}"
+ vars:
+ nova_compute_ironic_id: "{{ item }}"
+ ansible.builtin.template:
+ src: "nova-compute-ironic.json.j2"
+ dest: "{{ node_config_directory }}/nova-compute-ironic-{{ item }}/config.json"
+ mode: "0660"
+ become: true
+
+- name: "Get Nova Compute Ironic multi-instance configuration for instance {{ item }}"
+ ansible.builtin.set_fact:
+ nova_multi_compute_ironic_instance_config: "{{ nova_multi_compute_ironic_config[(item | int) - 1] }}"
+
+- name: "Generate config files for Nova Compute Ironic {{ item }}"
+ vars:
+ service_name: "nova-compute-ironic"
+ nova_compute_shard_key: "{{ nova_multi_compute_ironic_instance_config['shard_key'] | default('default') }}"
+ nova_compute_conductor_group: "{{ nova_multi_compute_ironic_instance_config['conductor_group'] | default('default') }}"
+ nova_compute_ironic_custom_host: "{{ nova_multi_compute_ironic_instance_config['custom_host'] | default('') }}"
+ nova_compute_ironic_id: "{{ item }}"
+ merge_configs:
+ sources:
+ - "{{ role_path }}/templates/nova.conf.j2"
+ - "{{ node_custom_config }}/global.conf"
+ - "{{ node_custom_config }}/nova.conf"
+ - "{{ node_custom_config }}/nova/{{ service_name }}.conf"
+ - "{{ node_custom_config }}/nova/{{ service_name }}-{{ item }}.conf"
+ - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/nova.conf"
+ - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ service_name }}.conf"
+ - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ service_name }}-{{ item }}.conf"
+ dest: "{{ node_config_directory }}/nova-compute-ironic-{{ item }}/nova.conf"
+ mode: "0660"
+ become: true
+
+- name: "Copying over existing policy file for item {{ item }}"
+ vars:
+ service_name: "nova-compute-ironic"
+ ansible.builtin.template:
+ src: "{{ nova_policy_file_path }}"
+ dest: "{{ node_config_directory }}/{{ service_name }}-{{ item }}/{{ nova_policy_file }}"
+ mode: "0660"
+ become: true
+ when:
+ - nova_policy_file is defined
+
+- name: "Copying over vendordata file for Nova Compute Ironic {{ item }}"
+ vars:
+ service_name: "nova-compute-ironic"
+ ansible.builtin.copy:
+ src: "{{ vendordata_file_path }}"
+ dest: "{{ node_config_directory }}/{{ service_name }}-{{ item }}/vendordata.json"
+ mode: "0660"
+ become: true
+ when:
+ - vendordata_file_path is defined
diff --git a/ansible/roles/nova-cell/tasks/config.yml b/ansible/roles/nova-cell/tasks/config.yml
index 87104f89e8..7f0cfca22e 100644
--- a/ansible/roles/nova-cell/tasks/config.yml
+++ b/ansible/roles/nova-cell/tasks/config.yml
@@ -7,6 +7,8 @@
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
+ when:
+ - item.key != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0
with_dict: "{{ nova_cell_services | select_services_enabled_and_mapped_to_host }}"
- name: Copying over TLS certificates
@@ -58,6 +60,8 @@
src: "{{ item.key }}.json.j2"
dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
mode: "0660"
+ when:
+ - item.key != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0
with_dict: "{{ nova_cell_services | select_services_enabled_and_mapped_to_host }}"
- name: Copying over nova.conf
@@ -76,8 +80,18 @@
mode: "0660"
when:
- item.key in nova_cell_services_require_nova_conf
+ - item.key != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0
with_dict: "{{ nova_cell_services | select_services_enabled_and_mapped_to_host }}"
+- name: Copying over config for Nova compute Ironic multi-instance
+ vars:
+ service: "{{ nova_cell_services['nova-compute-ironic'] }}"
+ ansible.builtin.include_tasks: config-compute-ironic.yml
+ loop: "{{ range(1, nova_multi_compute_ironic_config | length + 1) | list }}"
+ when:
+ - nova_multi_compute_ironic_config | length > 0
+ - inventory_hostname in groups[service.group ~ '-' ~ item]
+
- name: Copying over Nova compute provider config
become: true
vars:
@@ -196,6 +210,7 @@
when:
- nova_policy_file is defined
- item.key in nova_cell_services_require_policy_json
+ - item.key != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0
with_dict: "{{ nova_cell_services | select_services_enabled_and_mapped_to_host }}"
- name: Copying over vendordata file to containers
@@ -209,6 +224,7 @@
when:
- vendordata_file_path is defined
- service | service_enabled_and_mapped_to_host
+ - item != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0
with_items:
- nova-compute
- nova-compute-ironic
diff --git a/ansible/roles/nova-cell/tasks/deploy.yml b/ansible/roles/nova-cell/tasks/deploy.yml
index 2a416d8d43..2885315576 100644
--- a/ansible/roles/nova-cell/tasks/deploy.yml
+++ b/ansible/roles/nova-cell/tasks/deploy.yml
@@ -6,6 +6,10 @@
- name: Import tasks from version-check.yml
ansible.builtin.import_tasks: version-check.yml
+# NOTE(dougszu): Currently only covers nova-compute-ironic
+- name: Cleanup stale configuration
+ ansible.builtin.import_tasks: cleanup.yml
+
- name: Import tasks from config-host.yml
ansible.builtin.import_tasks: config-host.yml
diff --git a/ansible/roles/nova-cell/tasks/precheck.yml b/ansible/roles/nova-cell/tasks/precheck.yml
index a509e790cd..9364c619e6 100644
--- a/ansible/roles/nova-cell/tasks/precheck.yml
+++ b/ansible/roles/nova-cell/tasks/precheck.yml
@@ -30,6 +30,20 @@
- groups[nova_cell_compute_group] | length < 1
- not nova_compute_ironic.enabled | bool
+- name: Checking nova multi-compute-ironic inventory
+ vars:
+ nova_compute_ironic: "{{ nova_cell_services['nova-compute-ironic'] }}"
+ ansible.builtin.assert:
+ msg: >
+ Each nova-compute-ironic-N group must contain a single host.
+ that:
+ - groups[nova_cell_compute_ironic_group ~ '-' ~ item] | length == 1
+ loop: "{{ range(1, (nova_compute_ironic.iterate_var | int) + 1) | list }}"
+ run_once: true
+ when:
+ - nova_compute_ironic.iterate | bool
+ - nova_compute_ironic.enabled | bool
+
- name: Checking free port for Nova NoVNC Proxy
vars:
service: "{{ nova_cell_services['nova-novncproxy'] }}"
diff --git a/ansible/roles/nova-cell/tasks/reload.yml b/ansible/roles/nova-cell/tasks/reload.yml
index 5724effdf2..5f5c05b4e5 100644
--- a/ansible/roles/nova-cell/tasks/reload.yml
+++ b/ansible/roles/nova-cell/tasks/reload.yml
@@ -37,4 +37,28 @@
when:
- kolla_action == 'upgrade'
- service | service_enabled_and_mapped_to_host
+ - item != 'nova-compute-ironic' or not service.iterate | bool
with_items: "{{ nova_cell_services_require_nova_conf }}"
+
+- name: Reload nova-compute-ironic to remove RPC version cap (iterated)
+ vars:
+ nova_compute_ironic: "{{ nova_cell_services['nova-compute-ironic'] }}"
+ become: true
+ kolla_container:
+ action: "recreate_or_restart_container"
+ common_options: "{{ docker_common_options }}"
+ name: "{{ nova_compute_ironic.container_name ~ '_' ~ item }}"
+ image: "{{ nova_compute_ironic.image }}"
+ environment: "{{ nova_compute_ironic.environment | default(omit) }}"
+ pid_mode: "{{ nova_compute_ironic.pid_mode | default('') }}"
+ ipc_mode: "{{ nova_compute_ironic.ipc_mode | default(omit) }}"
+ privileged: "{{ nova_compute_ironic.privileged | default(False) }}"
+ volumes: "{{ nova_compute_ironic.volumes | reject('equalto', '') | list }}"
+ dimensions: "{{ nova_compute_ironic.dimensions }}"
+ healthcheck: "{{ nova_compute_ironic.healthcheck | default(omit) }}"
+ when:
+ - kolla_action == 'upgrade'
+ - nova_compute_ironic | service_enabled
+ - nova_compute_ironic.iterate | bool
+ - inventory_hostname in groups[nova_compute_ironic.group ~ '-' ~ item]
+ loop: "{{ range(1, (nova_compute_ironic.iterate_var | int) + 1) | list }}"
diff --git a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
index d930f8dea5..eb7e80e83a 100644
--- a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
+++ b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
@@ -13,13 +13,14 @@
{{ virt_computes_in_batch |
map('extract', hostvars, ['ansible_facts', 'nodename']) |
list }}
- # For ironic, use {{ansible_facts.hostname}}-ironic since this is what we
- # configure for [DEFAULT] host in nova.conf.
ironic_compute_service_hosts: >-
{{ ironic_computes_in_batch |
- map('extract', hostvars) | json_query('[].nova_compute_ironic_custom_host || [].ansible_facts.hostname') |
- map('regex_replace', '^(.*)$', '\1-ironic') |
- list }}
+ map('extract', hostvars) |
+ json_query(
+ '{classic: [].nova_compute_ironic_custom_host || [].ansible_facts.hostname,
+ multi: [].group_names}') |
+ get_expected_ironic_compute_services(nova_multi_compute_ironic_config, nova_cell_compute_ironic_group) }}
+
expected_compute_service_hosts: "{{ virt_compute_service_hosts + ironic_compute_service_hosts }}"
block:
- name: Waiting for nova-compute services to register themselves
@@ -73,13 +74,19 @@
failed_compute_service_hosts: >-
{{ expected_compute_service_hosts | difference(nova_compute_service_hosts) | list }}
# Whether any compute services failed on this host.
+ ironic_compute_service_config_for_host:
+ classic: "{{ [nova_compute_ironic_custom_host | default(ansible_facts.hostname)] if inventory_hostname in ironic_computes_in_batch else [] }}"
+ multi: "{{ [group_names] }}"
+ expected_ironic_compute_services: >-
+ {{ ironic_compute_service_config_for_host | get_expected_ironic_compute_services(nova_multi_compute_ironic_config, nova_cell_compute_ironic_group) }}
any_failed_services: >-
{{ (ansible_facts.nodename | default()) in failed_compute_service_hosts or
- ((ansible_facts.hostname | default()) ~ "-ironic") in failed_compute_service_hosts }}
+ expected_ironic_compute_services | intersect(failed_compute_service_hosts) | length > 0 }}
+
ansible.builtin.fail:
msg: >-
- The Nova compute service failed to register itself on the following
- hosts: {{ failed_compute_service_hosts | join(',') }}
+ The following Nova compute services failed to register
+ themselves: {{ failed_compute_service_hosts | join(',') }}
when: >-
any_failed_services or
(nova_compute_registration_fatal | bool and
diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2
index 2950dfcc4d..7d30dcfd08 100644
--- a/ansible/roles/nova-cell/templates/nova.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.j2
@@ -8,9 +8,27 @@ state_path = /var/lib/nova
allow_resize_to_same_host = true
+{% set nova_compute_shard_key = nova_compute_shard_key | default("") %}
+{% set nova_compute_conductor_group = nova_compute_conductor_group | default("") %}
+{% set nova_compute_ironic_custom_host = nova_compute_ironic_custom_host | default("") %}
{% if service_name == "nova-compute-ironic" %}
-host={{ nova_compute_ironic_custom_host | default(ansible_facts.hostname) }}-ironic
+{% if nova_compute_ironic_custom_host | length > 0 %}
+{# NOTE(dougszu): This is provided for backwards compatibility #}
+{% set host_value = nova_compute_ironic_custom_host ~ "-ironic" %}
+{% elif nova_compute_conductor_group | length > 0 or nova_compute_shard_key | length > 0 %}
+{% set host_value = (nova_compute_conductor_group ~ "-" ~ nova_compute_shard_key) ~ "-ironic" %}
+{% else %}
+{# NOTE(dougszu): This is to support legacy behaviour #}
+{% set host_value = ansible_facts.hostname ~ "-ironic" %}
+{% endif %}
+host = {{ host_value }}
+
+{% if nova_compute_ironic_id is defined %}
+log_file = /var/log/kolla/nova/nova-compute-ironic-{{ nova_compute_ironic_id }}.log
+{% else %}
log_file = /var/log/kolla/nova/nova-compute-ironic.log
+{% endif %}
+
compute_driver = ironic.IronicDriver
ram_allocation_ratio = 1.0
reserved_host_memory_mb = 0
@@ -101,6 +119,19 @@ project_name = service
user_domain_name = {{ default_user_domain_name }}
project_domain_name = {{ default_project_domain_name }}
endpoint_override = {{ ironic_internal_endpoint }}/v1
+
+{% if nova_compute_shard_key is not in ['default', ''] %}
+shard = {{ nova_compute_shard_key }}
+{% endif %}
+{% if nova_compute_conductor_group is not in ['default', ''] %}
+conductor_group = {{ nova_compute_conductor_group }}
+{% endif %}
+{% if nova_compute_conductor_group is not in ['default', ''] and nova_compute_shard_key is in ['default', ''] %}
+{# NOTE(dougszu): In this case only, Nova Compute Ironic won't start unless the peer_list #}
+{# is populated. peer_list is a deprecated config option and should never have more than #}
+{# one host in it. This appears to be a bug. #}
+peer_list = {{ host_value }}
+{% endif %}
{% endif %}
[oslo_concurrency]
@@ -180,7 +211,7 @@ driver = noop
[oslo_messaging_rabbit]
use_queue_manager = true
{% if service_name == "nova-compute-ironic" %}
-hostname = {{ nova_compute_ironic_custom_host | default(ansible_facts.hostname) }}-ironic
+hostname = {{ host_value }}
{% endif %}
heartbeat_in_pthread = false
{% if om_enable_rabbitmq_tls | bool %}
diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml
index faf44558a3..215826cddb 100644
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@@ -312,8 +312,3 @@ nova_source_version: "{{ kolla_source_version }}"
nova_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
nova_copy_certs: "{{ kolla_copy_ca_into_containers | bool or nova_enable_tls_backend | bool or nova_database_enable_tls_internal | bool }}"
nova_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
-
-####################
-# WSGI
-####################
-nova_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index 320563a6bf..b2ce4591f0 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -80,30 +80,6 @@
- item.key in nova_services_require_policy_json
with_dict: "{{ nova_services | select_services_enabled_and_mapped_to_host }}"
-- name: Copying over nova-api-wsgi.conf
- vars:
- service: "{{ nova_services['nova-api'] }}"
- ansible.builtin.template:
- src: "nova-api-wsgi.conf.j2"
- dest: "{{ node_config_directory }}/nova-api/nova-api-wsgi.conf"
- mode: "0660"
- become: true
- when:
- - service | service_enabled_and_mapped_to_host
- - nova_wsgi_provider == "apache"
-
-- name: Copying over nova-metadata-wsgi.conf
- vars:
- service: "{{ nova_services['nova-metadata'] }}"
- ansible.builtin.template:
- src: "nova-metadata-wsgi.conf.j2"
- dest: "{{ node_config_directory }}/nova-metadata/nova-metadata-wsgi.conf"
- mode: "0660"
- become: true
- when:
- - service | service_enabled_and_mapped_to_host
- - nova_wsgi_provider == "apache"
-
- name: Copying over vendordata file for nova services
vars:
service: "{{ nova_services[item] }}"
@@ -136,7 +112,6 @@
service_uwsgi_config_workers: "{{ item.workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - nova_wsgi_provider == "uwsgi"
loop:
- { name: "nova-api", port: "{{ nova_api_listen_port }}", workers: "{{ nova_api_workers }}" }
- { name: "nova-metadata", port: "{{ nova_metadata_listen_port }}", workers: "{{ nova_metadata_api_workers }}" }
diff --git a/ansible/roles/nova/templates/nova-api-wsgi.conf.j2 b/ansible/roles/nova/templates/nova-api-wsgi.conf.j2
deleted file mode 100644
index 79f6956fd7..0000000000
--- a/ansible/roles/nova/templates/nova-api-wsgi.conf.j2
+++ /dev/null
@@ -1,49 +0,0 @@
-{% set nova_log_dir = '/var/log/kolla/nova' %}
-{% set wsgi_directory = '/var/lib/kolla/venv/bin' %}
-{% if nova_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-
-
- Options None
- Require all granted
-
-
-
-ErrorLog "{{ nova_log_dir }}/apache-error.log"
-
-CustomLog "{{ nova_log_dir }}/apache-access.log" common
-
-
-{% if nova_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
- WSGIDaemonProcess nova-api processes={{ nova_api_workers }} threads=1 user=nova group=nova display-name=nova-api
- WSGIProcessGroup nova-api
- WSGIScriptAlias / {{ wsgi_directory }}/nova-api-wsgi
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog "{{ nova_log_dir }}/nova-api-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ nova_log_dir }}/nova-api-access.log" logformat
-{% if nova_enable_tls_backend | bool %}
- SSLEngine on
- SSLCertificateFile /etc/nova/certs/nova-cert.pem
- SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
-{% endif %}
-
diff --git a/ansible/roles/nova/templates/nova-api.json.j2 b/ansible/roles/nova/templates/nova-api.json.j2
index af6bc96b9d..71947010e4 100644
--- a/ansible/roles/nova/templates/nova-api.json.j2
+++ b/ansible/roles/nova/templates/nova-api.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = '/usr/sbin/' + apache_binary + ' -DFOREGROUND' if nova_wsgi_provider == 'apache' else 'uwsgi /etc/nova/nova-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/nova/nova-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/nova.conf",
"dest": "/etc/nova/nova.conf",
"owner": "nova",
"perm": "0600"
- }{% if nova_wsgi_provider == 'apache' %},
- {
- "source": "{{ container_config_directory }}/nova-api-wsgi.conf",
- "dest": "/etc/{{ apache_conf_dir }}/nova-api-wsgi.conf",
- "owner": "nova",
- "perm": "0600"
- }{% elif nova_wsgi_provider == 'uwsgi' %},
+ },
{
"source": "{{ container_config_directory }}/nova-api-uwsgi.ini",
"dest": "/etc/nova/nova-api-uwsgi.ini",
"owner": "nova",
"perm": "0600"
- }{% endif %}{% if nova_policy_file is defined %},
+ }{% if nova_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/{{ nova_policy_file }}",
diff --git a/ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2 b/ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2
deleted file mode 100644
index 471baac843..0000000000
--- a/ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2
+++ /dev/null
@@ -1,49 +0,0 @@
-{% set nova_log_dir = '/var/log/kolla/nova' %}
-{% set wsgi_directory = '/var/lib/kolla/venv/bin' %}
-{% if nova_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-
-
- Options None
- Require all granted
-
-
-
-ErrorLog "{{ nova_log_dir }}/apache-error.log"
-
-CustomLog "{{ nova_log_dir }}/apache-access.log" common
-
-
-{% if nova_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
- WSGIDaemonProcess nova-metadata processes={{ nova_metadata_api_workers }} threads=1 user=nova group=nova display-name=nova-metadata-api
- WSGIProcessGroup nova-metadata
- WSGIScriptAlias / {{ wsgi_directory }}/nova-metadata-wsgi
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog "{{ nova_log_dir }}/nova-metadata-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ nova_log_dir }}/nova-metadata-access.log" logformat
-{% if nova_enable_tls_backend | bool %}
- SSLEngine on
- SSLCertificateFile /etc/nova/certs/nova-cert.pem
- SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
-{% endif %}
-
diff --git a/ansible/roles/nova/templates/nova-metadata.json.j2 b/ansible/roles/nova/templates/nova-metadata.json.j2
index f33a6f96fa..0bbfa920e1 100644
--- a/ansible/roles/nova/templates/nova-metadata.json.j2
+++ b/ansible/roles/nova/templates/nova-metadata.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = '/usr/sbin/' + apache_binary + ' -DFOREGROUND' if nova_wsgi_provider == 'apache' else 'uwsgi /etc/nova/nova-metadata-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/nova/nova-metadata-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/nova.conf",
"dest": "/etc/nova/nova.conf",
"owner": "nova",
"perm": "0600"
- }{% if nova_wsgi_provider == 'apache' %},
- {
- "source": "{{ container_config_directory }}/nova-metadata-wsgi.conf",
- "dest": "/etc/{{ apache_conf_dir }}/nova-api-wsgi.conf",
- "owner": "nova",
- "perm": "0600"
- }{% elif nova_wsgi_provider == 'uwsgi' %},
+ },
{
"source": "{{ container_config_directory }}/nova-metadata-uwsgi.ini",
"dest": "/etc/nova/nova-metadata-uwsgi.ini",
"owner": "nova",
"perm": "0600"
- }{% endif %}{% if nova_policy_file is defined %},
+ }{% if nova_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/{{ nova_policy_file }}",
diff --git a/ansible/roles/octavia/defaults/main.yml b/ansible/roles/octavia/defaults/main.yml
index 4e53dac618..1909af8cff 100644
--- a/ansible/roles/octavia/defaults/main.yml
+++ b/ansible/roles/octavia/defaults/main.yml
@@ -405,8 +405,3 @@ octavia_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}
# Copy certificates
###################
octavia_copy_certs: "{{ kolla_copy_ca_into_containers | bool or octavia_enable_tls_backend | bool or octavia_database_enable_tls_internal | bool }}"
-
-############
-# WSGI
-############
-octavia_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml
index aed1f7c4c2..709b4c02e0 100644
--- a/ansible/roles/octavia/tasks/config.yml
+++ b/ansible/roles/octavia/tasks/config.yml
@@ -55,22 +55,6 @@
become: true
with_dict: "{{ octavia_services | select_services_enabled_and_mapped_to_host }}"
-- name: Copying over octavia-wsgi.conf
- vars:
- service: "{{ octavia_services['octavia-api'] }}"
- become: true
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ node_config_directory }}/octavia-api/octavia-wsgi.conf"
- mode: "0660"
- with_first_found:
- - "{{ node_custom_config }}/octavia/{{ inventory_hostname }}/octavia-wsgi.conf"
- - "{{ node_custom_config }}/octavia/octavia-wsgi.conf"
- - "octavia-wsgi.conf.j2"
- when:
- - service | service_enabled_and_mapped_to_host
- - octavia_wsgi_provider == "apache"
-
- name: "Configure uWSGI for Octavia"
ansible.builtin.include_role:
name: service-uwsgi-config
@@ -88,7 +72,6 @@
service_uwsgi_config_workers: "{{ octavia_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - octavia_wsgi_provider == "uwsgi"
- name: Copying over octavia.conf
vars:
diff --git a/ansible/roles/octavia/templates/octavia-api.json.j2 b/ansible/roles/octavia/templates/octavia-api.json.j2
index f9b3ebfc52..7304e91504 100644
--- a/ansible/roles/octavia/templates/octavia-api.json.j2
+++ b/ansible/roles/octavia/templates/octavia-api.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ( '/usr/sbin/' + apache_binary + ' -DFOREGROUND' ) if octavia_wsgi_provider == 'apache' else 'uwsgi /etc/octavia/octavia-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/octavia/octavia-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/octavia.conf",
"dest": "/etc/octavia/octavia.conf",
"owner": "octavia",
"perm": "0600"
- }{% if octavia_wsgi_provider == "apache" %},
- {
- "source": "{{ container_config_directory }}/octavia-wsgi.conf",
- "dest": "/etc/{{ apache_conf_dir }}/octavia-wsgi.conf",
- "owner": "octavia",
- "perm": "0600"
- }{% elif octavia_wsgi_provider == "uwsgi" %},
+ },
{
"source": "{{ container_config_directory }}/octavia-api-uwsgi.ini",
"dest": "/etc/octavia/octavia-api-uwsgi.ini",
"owner": "octavia",
"perm": "0600"
- }{% endif %}{% if octavia_policy_file is defined %},
+ }{% if octavia_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ octavia_policy_file }}",
"dest": "/etc/octavia/{{ octavia_policy_file }}",
diff --git a/ansible/roles/octavia/templates/octavia-wsgi.conf.j2 b/ansible/roles/octavia/templates/octavia-wsgi.conf.j2
deleted file mode 100644
index d7fa10ac3b..0000000000
--- a/ansible/roles/octavia/templates/octavia-wsgi.conf.j2
+++ /dev/null
@@ -1,41 +0,0 @@
-{% set wsgi_directory = '/var/lib/kolla/venv/bin' %}
-{% if octavia_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ octavia_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-{% if octavia_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
- WSGIDaemonProcess octavia-api processes={{ octavia_api_workers }} threads=1 user=octavia group=octavia display-name=octavia-api
- WSGIProcessGroup octavia-api
- WSGIScriptAlias / {{ wsgi_directory }}/octavia-wsgi
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog /var/log/kolla/octavia/octavia-api-error.log
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog /var/log/kolla/octavia/octavia-api-access.log logformat
-
-
- Require all granted
-
-
-{% if octavia_enable_tls_backend | bool %}
- SSLEngine On
- SSLCertificateFile /etc/octavia/certs/octavia-cert.pem
- SSLCertificateKeyFile /etc/octavia/certs/octavia-key.pem
-{% endif %}
-
diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2
index 8a145d6a3a..8e40506927 100644
--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@@ -157,9 +157,16 @@ endpoint_type = internal
ca_certificates_file = {{ openstack_cacert }}
[neutron]
+auth_url = {{ keystone_internal_url }}
+auth_type = password
+username = {{ octavia_keystone_user }}
+password = {{ octavia_keystone_password }}
+user_domain_name = {{ default_user_domain_name }}
+project_name = {{ octavia_service_auth_project }}
+project_domain_name = {{ default_project_domain_name }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
-ca_certificates_file = {{ openstack_cacert }}
+cafile = {{ openstack_cacert }}
[nova]
region_name = {{ openstack_region_name }}
diff --git a/ansible/roles/placement/defaults/main.yml b/ansible/roles/placement/defaults/main.yml
index f70c496b9a..e40aa86a42 100644
--- a/ansible/roles/placement/defaults/main.yml
+++ b/ansible/roles/placement/defaults/main.yml
@@ -162,8 +162,3 @@ placement_database_enable_tls_internal: "{{ database_enable_tls_internal | bool
# Copy certificates
###################
placement_copy_certs: "{{ kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool or placement_database_enable_tls_internal | bool }}"
-
-####################
-# WSGI
-####################
-placement_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/placement/tasks/config.yml b/ansible/roles/placement/tasks/config.yml
index 4e7252ab8b..da9ae4136f 100644
--- a/ansible/roles/placement/tasks/config.yml
+++ b/ansible/roles/placement/tasks/config.yml
@@ -56,24 +56,6 @@
mode: "0660"
with_dict: "{{ placement_services | select_services_enabled_and_mapped_to_host }}"
-- name: Copying over placement-api wsgi configuration
- become: true
- vars:
- service: "{{ placement_services['placement-api'] }}"
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ node_config_directory }}/placement-api/placement-api-wsgi.conf"
- mode: "0660"
- when:
- - service | service_enabled_and_mapped_to_host
- - placement_wsgi_provider == "apache"
- with_first_found:
- - "{{ node_custom_config }}/placement/{{ inventory_hostname }}/placement-api-wsgi.conf"
- - "{{ node_custom_config }}/placement/placement-api-wsgi.conf"
- - "placement-api-wsgi.conf.j2"
- notify:
- - "Restart placement-api container"
-
- name: "Configure uWSGI for Placement"
ansible.builtin.include_role:
name: service-uwsgi-config
@@ -90,7 +72,6 @@
service_uwsgi_config_workers: "{{ placement_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - placement_wsgi_provider == "uwsgi"
- name: Copying over migrate-db.rc.j2 configuration
become: true
diff --git a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
deleted file mode 100644
index 19925bae5e..0000000000
--- a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
+++ /dev/null
@@ -1,42 +0,0 @@
-{% set log_dir = '/var/log/kolla/placement' %}
-{% set wsgi_directory = '/var/lib/kolla/venv/bin' %}
-{% if placement_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos', 'rocky'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-{% if placement_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
- WSGIDaemonProcess placement-api processes={{ placement_api_workers }} threads=1 user=placement group=placement display-name=placement-api
- WSGIProcessGroup placement-api
- WSGIScriptAlias / {{ wsgi_directory }}/placement-api
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog "{{ log_dir }}/placement-api-error.log"
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ log_dir }}/placement-api-access.log" logformat
-
-
- Require all granted
-
-
-{% if placement_enable_tls_backend | bool %}
- SSLEngine on
- SSLCertificateFile /etc/placement/certs/placement-cert.pem
- SSLCertificateKeyFile /etc/placement/certs/placement-key.pem
-{% endif %}
-
diff --git a/ansible/roles/placement/templates/placement-api.json.j2 b/ansible/roles/placement/templates/placement-api.json.j2
index 29409eac37..9333e1459f 100644
--- a/ansible/roles/placement/templates/placement-api.json.j2
+++ b/ansible/roles/placement/templates/placement-api.json.j2
@@ -1,30 +1,21 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = '/usr/sbin/' + apache_binary + ' -DFOREGROUND' if placement_wsgi_provider == 'apache' else 'uwsgi /etc/placement/placement-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/placement/placement-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/placement.conf",
"dest": "/etc/placement/placement.conf",
"owner": "placement",
"perm": "0600"
- }{% if placement_policy_file is defined %},
- {
- "source": "{{ container_config_directory }}/{{ placement_policy_file }}",
- "dest": "/etc/placement/{{ placement_policy_file }}",
- "owner": "placement",
- "perm": "0600"
- }{% endif %}{% if placement_wsgi_provider == 'apache' %},
+ },
{
- "source": "{{ container_config_directory }}/placement-api-wsgi.conf",
- "dest": "/etc/{{ apache_conf_dir }}/00-placement-api.conf",
+ "source": "{{ container_config_directory }}/placement-api-uwsgi.ini",
+ "dest": "/etc/placement/placement-api-uwsgi.ini",
"owner": "placement",
"perm": "0600"
- }{% elif placement_wsgi_provider == 'uwsgi' %},
+ }{% if placement_policy_file is defined %},
{
- "source": "{{ container_config_directory }}/placement-api-uwsgi.ini",
- "dest": "/etc/placement/placement-api-uwsgi.ini",
+ "source": "{{ container_config_directory }}/{{ placement_policy_file }}",
+ "dest": "/etc/placement/{{ placement_policy_file }}",
"owner": "placement",
"perm": "0600"
}{% endif %},
diff --git a/ansible/roles/prometheus/tasks/deploy.yml b/ansible/roles/prometheus/tasks/deploy.yml
index 8aba64ae63..89576f1449 100644
--- a/ansible/roles/prometheus/tasks/deploy.yml
+++ b/ansible/roles/prometheus/tasks/deploy.yml
@@ -6,7 +6,8 @@
ansible.builtin.import_tasks: check-containers.yml
- name: Bootstrap prometheus service
- ansible.builtin.import_tasks: bootstrap.yml
+ ansible.builtin.include_tasks: bootstrap.yml
+ when: inventory_hostname in groups['prometheus-mysqld-exporter']
- name: Flush handlers
ansible.builtin.meta: flush_handlers
diff --git a/ansible/roles/prometheus/templates/prometheus.yml.j2 b/ansible/roles/prometheus/templates/prometheus.yml.j2
index e6d95467e5..94dc84ac23 100644
--- a/ansible/roles/prometheus/templates/prometheus.yml.j2
+++ b/ansible/roles/prometheus/templates/prometheus.yml.j2
@@ -256,43 +256,43 @@ scrape_configs:
{% endfor %}
{% endif %}
-{% if enable_prometheus_alertmanager | bool %}
- - job_name: alertmanager
+{% if enable_prometheus_proxysql_exporter | bool %}
+ - job_name: proxysql
static_configs:
-{% for host in groups['prometheus-alertmanager'] %}
+{% for host in groups["loadbalancer"] %}
- targets:
- - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_alertmanager_port'] }}'
+ - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['proxysql_prometheus_exporter_port'] }}'
{% if hostvars[host].prometheus_instance_label | default(false, true) %}
labels:
instance: "{{ hostvars[host].prometheus_instance_label }}"
{% endif %}
{% endfor %}
+{% endif %}
-{% if enable_prometheus_proxysql_exporter | bool %}
- - job_name: proxysql
+{% if enable_prometheus_valkey_exporter | bool %}
+ - job_name: valkey_exporter
static_configs:
-{% for host in groups["loadbalancer"] %}
+{% for host in groups["prometheus-valkey-exporter"] %}
- targets:
- - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['proxysql_prometheus_exporter_port'] }}'
-{% if hostvars[host].prometheus_instance_label | default(false, true) %}
+ - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_valkey_exporter_port'] }}'
+{% if hostvars[host].prometheus_instance_label | default(false, true) %}
labels:
instance: "{{ hostvars[host].prometheus_instance_label }}"
-{% endif %}
-{% endfor %}
-{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
-{% if enable_prometheus_valkey_exporter | bool %}
- - job_name: valkey_exporter
+{% if enable_prometheus_alertmanager | bool %}
+ - job_name: alertmanager
static_configs:
-{% for host in groups["prometheus-valkey-exporter"] %}
+{% for host in groups['prometheus-alertmanager'] %}
- targets:
- - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_valkey_exporter_port'] }}'
-{% if hostvars[host].prometheus_instance_label | default(false, true) %}
+ - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_alertmanager_port'] }}'
+{% if hostvars[host].prometheus_instance_label | default(false, true) %}
labels:
instance: "{{ hostvars[host].prometheus_instance_label }}"
-{% endif %}
-{% endfor %}
-{% endif %}
+{% endif %}
+{% endfor %}
alerting:
alertmanagers:
diff --git a/ansible/roles/service-cert-copy/tasks/iterated.yml b/ansible/roles/service-cert-copy/tasks/iterated.yml
new file mode 100644
index 0000000000..4da5741fe6
--- /dev/null
+++ b/ansible/roles/service-cert-copy/tasks/iterated.yml
@@ -0,0 +1,10 @@
+---
+- name: "Copying over extra CA certificates for {{ project_name }}"
+ become: true
+ ansible.builtin.copy:
+ src: "{{ kolla_certificates_dir }}/ca/"
+ dest: "{{ node_config_directory }}/{{ outer_item.key }}-{{ item }}/ca-certificates"
+ mode: "0644"
+ loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}"
+ when:
+ - inventory_hostname in groups[service.group ~ '-' ~ item]
diff --git a/ansible/roles/service-cert-copy/tasks/main.yml b/ansible/roles/service-cert-copy/tasks/main.yml
index d96bf0ca62..ef7ac67175 100644
--- a/ansible/roles/service-cert-copy/tasks/main.yml
+++ b/ansible/roles/service-cert-copy/tasks/main.yml
@@ -7,8 +7,21 @@
mode: "0644"
when:
- kolla_copy_ca_into_containers | bool
+ - not (item.value.iterate | default(False)) | bool
with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
+# NOTE(dougszu): For current iterable services, we only need CA certs
+- name: "Check containers that require iteration for {{ kolla_role_name | default(project_name) }}"
+ vars:
+ service: "{{ outer_item.value }}"
+ ansible.builtin.include_tasks: iterated.yml
+ loop: "{{ project_services | select_services_enabled_and_mapped_to_host | dict2items }}"
+ loop_control:
+ loop_var: outer_item
+ when:
+ - (service.iterate | default(False)) | bool
+ - kolla_copy_ca_into_containers | bool
+
- name: "Copying over backend internal TLS certificate for {{ project_name }}"
vars:
certs:
diff --git a/ansible/roles/service-check-containers/tasks/iterated.yml b/ansible/roles/service-check-containers/tasks/iterated.yml
index bd266b115f..c4f28e6d49 100644
--- a/ansible/roles/service-check-containers/tasks/iterated.yml
+++ b/ansible/roles/service-check-containers/tasks/iterated.yml
@@ -23,6 +23,12 @@
command: "{{ service.command | default(omit) }}"
cgroupns_mode: "{{ service.cgroupns_mode | default(omit) }}"
loop: "{{ range(1, (iterate_count | int) + 1) | list }}"
+ when:
+ # NOTE(dougszu): Due to issues with nova-compute-ironic HA, we can't have
+ # more than one instance for a given 'item'. Eg. nova_compute_ironic_1
+ # should never run on more than one host.
+ # See: https://specs.openstack.org/openstack/nova-specs/specs/2024.1/implemented/ironic-shards.html
+ - service_name != 'nova-compute-ironic' or inventory_hostname in groups[nova_cell_compute_ironic_group ~ '-' ~ item]
register: container_check
- name: "Store changed containers to pass to the handler"
diff --git a/ansible/roles/service-precheck/tasks/iterated.yml b/ansible/roles/service-precheck/tasks/iterated.yml
new file mode 100644
index 0000000000..d9157ddce3
--- /dev/null
+++ b/ansible/roles/service-precheck/tasks/iterated.yml
@@ -0,0 +1,13 @@
+---
+- name: "Validate inventory groups (iterated) for {{ project_name }}"
+ vars:
+ service_name: "{{ outer_item.key }}"
+ service: "{{ outer_item.value }}"
+ service_group: "{{ service.group ~ '-' ~ item }}"
+ ansible.builtin.fail:
+ msg: >-
+ Ansible inventory does not contain the expected group {{ service_group }}
+ for service {{ service_name }} in {{ project_name }}.
+ when:
+ - service_group not in groups
+ loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}"
diff --git a/ansible/roles/service-precheck/tasks/main.yml b/ansible/roles/service-precheck/tasks/main.yml
index 58448555e5..81b90f6a5d 100644
--- a/ansible/roles/service-precheck/tasks/main.yml
+++ b/ansible/roles/service-precheck/tasks/main.yml
@@ -9,7 +9,19 @@
for service {{ service_name }} in {{ project_name }}.
loop: "{{ query('dict', service_precheck_services) }}"
when:
+ - not (service.iterate | default(False)) | bool
- "'group' in service"
- service.group not in groups
loop_control:
label: "{{ service_name }}"
+
+- name: Include tasks
+ vars:
+ service: "{{ outer_item.value }}"
+ ansible.builtin.include_tasks: iterated.yml
+ loop: "{{ query('dict', service_precheck_services) }}"
+ loop_control:
+ loop_var: outer_item
+ when:
+ - (service.iterate | default(False)) | bool
+ - "'group' in service"
diff --git a/ansible/roles/service-stop/tasks/iterated.yml b/ansible/roles/service-stop/tasks/iterated.yml
index f25bf0c26a..cf4e8e4896 100644
--- a/ansible/roles/service-stop/tasks/iterated.yml
+++ b/ansible/roles/service-stop/tasks/iterated.yml
@@ -11,4 +11,5 @@
ignore_missing: "{{ kolla_action_stop_ignore_missing | bool }}"
when:
- service.container_name not in skip_stop_containers
+ - service_name != 'nova-compute-ironic' or inventory_hostname in groups[service.group ~ '-' ~ item]
loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}"
diff --git a/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 b/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2
index 2c93d4e1b5..ef0a5d3735 100644
--- a/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2
+++ b/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2
@@ -30,6 +30,9 @@ wsgi-file = {{ service_uwsgi_config_wsgi_file }}
plugins-dir = {{ '/usr/lib/uwsgi/plugins' if kolla_base_distro in ['ubuntu', 'debian'] else '/usr/lib64/uwsgi' }}
plugins = python3
processes = {{ service_uwsgi_config_workers }}
+{% if service_uwsgi_config_threads is defined %}
+threads = {{ service_uwsgi_config_threads }}
+{% endif %}
{% if service_uwsgi_config_socket_port | length > 0 %}
socket = {{ service_uwsgi_config_host }}:{{ service_uwsgi_config_socket_port }}
{% endif %}
diff --git a/ansible/roles/trove/defaults/main.yml b/ansible/roles/trove/defaults/main.yml
index 8dd251d4e6..5b481fad6d 100644
--- a/ansible/roles/trove/defaults/main.yml
+++ b/ansible/roles/trove/defaults/main.yml
@@ -230,8 +230,3 @@ trove_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
# Copy certificates
###################
trove_copy_certs: "{{ kolla_copy_ca_into_containers | bool or trove_enable_tls_backend | bool or trove_database_enable_tls_internal | bool }}"
-
-#######
-# WSGI
-#######
-trove_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/trove/tasks/config.yml b/ansible/roles/trove/tasks/config.yml
index bd964c108e..0952c6c94d 100644
--- a/ansible/roles/trove/tasks/config.yml
+++ b/ansible/roles/trove/tasks/config.yml
@@ -55,23 +55,6 @@
service_uwsgi_config_workers: "{{ trove_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - trove_wsgi_provider == "uwsgi"
-
-- name: Copying over trove-wsgi.conf
- vars:
- service: "{{ trove_services['trove-api'] }}"
- become: true
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ node_config_directory }}/trove-api/trove-wsgi.conf"
- mode: "0660"
- with_first_found:
- - "{{ node_custom_config }}/trove/{{ inventory_hostname }}/trove-wsgi.conf"
- - "{{ node_custom_config }}/trove/trove-wsgi.conf"
- - "trove-wsgi.conf.j2"
- when:
- - trove_wsgi_provider == "apache"
- - service | service_enabled_and_mapped_to_host
- name: Copying over trove-guestagent.conf
vars:
diff --git a/ansible/roles/trove/templates/trove-api.json.j2 b/ansible/roles/trove/templates/trove-api.json.j2
index f487e3127e..a44c927de6 100644
--- a/ansible/roles/trove/templates/trove-api.json.j2
+++ b/ansible/roles/trove/templates/trove-api.json.j2
@@ -1,27 +1,18 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if trove_wsgi_provider == 'apache' else 'uwsgi /etc/trove/trove-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/trove/trove-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/trove.conf",
"dest": "/etc/trove/trove.conf",
"owner": "trove",
"perm": "0600"
- }{% if trove_wsgi_provider == "apache" %},
- {
- "source": "{{ container_config_directory }}/trove-wsgi.conf",
- "dest": "/etc/{{ apache_conf_dir }}/trove-wsgi.conf",
- "owner": "trove",
- "perm": "0600"
- }{% elif trove_wsgi_provider == "uwsgi" %},
+ },
{
"source": "{{ container_config_directory }}/trove-api-uwsgi.ini",
"dest": "/etc/trove/trove-api-uwsgi.ini",
"owner": "trove",
"perm": "0600"
- }{% endif %}{% if trove_policy_file is defined %},
+ }{% if trove_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ trove_policy_file }}",
"dest": "/etc/trove/{{ trove_policy_file }}",
diff --git a/ansible/roles/trove/templates/trove-wsgi.conf.j2 b/ansible/roles/trove/templates/trove-wsgi.conf.j2
deleted file mode 100644
index f623704bb7..0000000000
--- a/ansible/roles/trove/templates/trove-wsgi.conf.j2
+++ /dev/null
@@ -1,41 +0,0 @@
-{% set wsgi_directory = '/var/lib/kolla/venv/bin' %}
-{% if trove_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos'] %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ trove_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-{% if trove_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
- WSGIDaemonProcess trove-api processes={{ trove_api_workers }} threads=1 user=trove group=trove display-name=trove-api
- WSGIProcessGroup trove-api
- WSGIScriptAlias / {{ wsgi_directory }}/trove-wsgi
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
- ErrorLog /var/log/kolla/trove/trove-api-error.log
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog /var/log/kolla/trove/trove-api-access.log logformat
-
-
- Require all granted
-
-
-{% if trove_enable_tls_backend | bool %}
- SSLEngine On
- SSLCertificateFile /etc/trove/certs/trove-cert.pem
- SSLCertificateKeyFile /etc/trove/certs/trove-key.pem
-{% endif %}
-
diff --git a/ansible/roles/zun/defaults/main.yml b/ansible/roles/zun/defaults/main.yml
index 01a577f20c..69fce72c29 100644
--- a/ansible/roles/zun/defaults/main.yml
+++ b/ansible/roles/zun/defaults/main.yml
@@ -263,8 +263,3 @@ zun_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
# Copy certificates
###################
zun_copy_certs: "{{ kolla_copy_ca_into_containers | bool or zun_database_enable_tls_internal | bool }}"
-
-#######
-# WSGI
-#######
-zun_wsgi_provider: "uwsgi"
diff --git a/ansible/roles/zun/tasks/config.yml b/ansible/roles/zun/tasks/config.yml
index 60df39a4b6..1f50148125 100644
--- a/ansible/roles/zun/tasks/config.yml
+++ b/ansible/roles/zun/tasks/config.yml
@@ -76,19 +76,6 @@
service_uwsgi_config_workers: "{{ zun_api_workers }}"
when:
- service | service_enabled_and_mapped_to_host
- - zun_wsgi_provider == "uwsgi"
-
-- name: Copying over wsgi-zun files for services
- vars:
- service: "{{ zun_services['zun-api'] }}"
- ansible.builtin.template:
- src: "wsgi-zun.conf.j2"
- dest: "{{ node_config_directory }}/zun-api/wsgi-zun.conf"
- mode: "0660"
- become: true
- when:
- - zun_wsgi_provider == "apache"
- - service | service_enabled_and_mapped_to_host
- name: Copying over existing policy file
ansible.builtin.template:
diff --git a/ansible/roles/zun/templates/wsgi-zun.conf.j2 b/ansible/roles/zun/templates/wsgi-zun.conf.j2
deleted file mode 100644
index 725b95597f..0000000000
--- a/ansible/roles/zun/templates/wsgi-zun.conf.j2
+++ /dev/null
@@ -1,41 +0,0 @@
-{% set zun_log_dir = '/var/log/kolla/zun' %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ zun_api_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-TimeOut {{ kolla_httpd_timeout }}
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-ErrorLog "{{ zun_log_dir }}/apache-error.log"
-
- CustomLog "{{ zun_log_dir }}/apache-access.log" common
-
-
-{% if zun_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-
-
- ## Vhost docroot
- DocumentRoot "/var/www/cgi-bin/zun"
-
- ## Directories, there should at least be a declaration for /var/www/cgi-bin/zun
-
-
- Options Indexes FollowSymLinks MultiViews
- AllowOverride None
- Require all granted
-
-
- ## Logging
- ErrorLog "{{ zun_log_dir }}/zun_api_wsgi_error.log"
- ServerSignature Off
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
- CustomLog "{{ zun_log_dir }}/zun_api_wsgi_access.log" logformat
- WSGIApplicationGroup %{GLOBAL}
- WSGIDaemonProcess zun group=zun processes={{ zun_api_workers }} threads=1 user=zun
- WSGIProcessGroup zun
- WSGIScriptAlias / "/var/www/cgi-bin/zun/app.wsgi"
-
diff --git a/ansible/roles/zun/templates/zun-api.json.j2 b/ansible/roles/zun/templates/zun-api.json.j2
index a1ea4c9736..27198a32b0 100644
--- a/ansible/roles/zun/templates/zun-api.json.j2
+++ b/ansible/roles/zun/templates/zun-api.json.j2
@@ -1,27 +1,18 @@
-{% set zun_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set zun_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
-{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if zun_wsgi_provider == 'apache' else 'uwsgi /etc/zun/zun-api-uwsgi.ini' %}
{
- "command": "{{ command }}",
+ "command": "uwsgi /etc/zun/zun-api-uwsgi.ini",
"config_files": [
{
"source": "{{ container_config_directory }}/zun.conf",
"dest": "/etc/zun/zun.conf",
"owner": "zun",
"perm": "0600"
- }{% if zun_wsgi_provider == "apache" %},
- {
- "source": "{{ container_config_directory }}/wsgi-zun.conf",
- "dest": "/etc/{{ zun_dir }}/wsgi-zun.conf",
- "owner": "zun",
- "perm": "0600"
- }{% elif zun_wsgi_provider == "uwsgi" %},
+ },
{
"source": "{{ container_config_directory }}/zun-api-uwsgi.ini",
"dest": "/etc/zun/zun-api-uwsgi.ini",
"owner": "zun",
"perm": "0600"
- }{% endif %}{% if zun_policy_file is defined %},
+ }{% if zun_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ zun_policy_file }}",
"dest": "/etc/zun/{{ zun_policy_file }}",
diff --git a/ansible/site.yml b/ansible/site.yml
index 51838593ce..911596dc1c 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -603,8 +603,12 @@
hosts:
- cinder-api
- cinder-backup
+ - cinder-backup-lvm
+ - cinder-backup-multiple
- cinder-scheduler
- cinder-volume
+ - cinder-volume-lvm
+ - cinder-volume-multiple
- "&enable_cinder_True"
serial: '{{ kolla_serial|default("0") }}'
max_fail_percentage: >-
diff --git a/doc/source/admin/advanced-configuration.rst b/doc/source/admin/advanced-configuration.rst
index 7ece68e3ae..c85a498dca 100644
--- a/doc/source/admin/advanced-configuration.rst
+++ b/doc/source/admin/advanced-configuration.rst
@@ -178,6 +178,113 @@ operator needs to create ``/etc/kolla/config/global.conf`` with content:
[database]
max_pool_size = 100
+Large baremetal deployments
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Out of the box, a typical Kolla Ansible deployment can support managing a few
+hundred baremetal nodes. Beyond this number, it becomes necessary to configure
+scaling mechanisms built into Nova and Ironic.
+
+There are two mechanisms to consider:
+ - shards
+ - conductor groups
+
+Please see the Ironic documentation for further `information
+`_.
+
+As an example, consider a deployment of 700 baremetal nodes spread over two
+distinct locations. Location 1 consists of 500 baremetal nodes, and location 2
+consists of 200 baremetal nodes.
+
+For location 1, all 500 nodes are placed into the same Ironic conductor
+group. Ironic conductors configured to use this group are deployed on each
+of the three nodes in the control plane. A single Nova Compute Ironic service
+would struggle to manage this many nodes, so two shards are created. Due to
+HA limitations with Nova Compute Ironic, a single instance is created for
+each shard, and the instances may be deployed to any node in the control
+plane.
+
+For location 2, no shards are required due to the smaller number of baremetal
+nodes. A single conductor group is configured. The result is that three Ironic
+conductors are deployed (one on each node in the control plane), and a single
+instance of Nova Compute Ironic configured to use this conductor group.
+Furthermore, for this location ``custom_host`` is used to override the
+automatically generated host field in the configuration. This is useful for
+migrating to the multi-instance configuration described here.
+
+Finally, Ironic and Nova services are deployed with no configured shards or
+conductor groups as a catch all.
+
+.. code-block:: yaml
+
+ nova_multi_compute_ironic_config:
+ - "shard_key": "shard_1"
+ "conductor_group": "location_1"
+ - "shard_key": "shard_2"
+ "conductor_group": "location_1"
+ - "conductor_group": "location_2"
+ "custom_host": "some_custom_host_field"
+ - {}
+
+.. note::
+
+ ``nova_multi_compute_ironic_config`` must be defined as a global variable
+ and not customised via hostvars.
+
+.. note::
+
+ If you currently have the ``nova-compute-ironic`` service deployed,
+ you must manually remove it from the controllers before migrating to the
+ new mode. You will need to ensure that you configure a compatible service
+ in ``nova_multi_compute_ironic_config`` to replace the old one. This will
+ likely involve setting the ``custom_host`` field at the very minimum.
+
+The placement of the above services is managed via the inventory. This
+allows flexible placement, should a controller fail.
+
+.. code-block:: yaml
+
+ [nova-compute-ironic-1]
+ controller-01
+ [nova-compute-ironic-2]
+ controller-02
+ [nova-compute-ironic-3]
+ controller-03
+ [nova-compute-ironic-4]
+ controller-03
+
+ [nova-compute-ironic:children]
+ nova-compute-ironic-1
+ nova-compute-ironic-2
+ nova-compute-ironic-3
+ nova-compute-ironic-4
+
+.. note::
+
+ The number of ``nova-compute-ironic-N`` groups must equal the length of
+ ``nova_multi_compute_ironic_config``. This variable is an ordered list,
+ where the first item maps to ``nova-compute-ironic-1``, the second item
+ to ``nova-compute-ironic-2`` and so forth.
+
+.. note::
+
+ A 'cleanup' function is provided which assists in 'failing over'
+ service instances to other hosts. For example, if ``controller-01``
+ was to be taken down for maintenance, replacing it with ``controller-02``
+ in the ``nova-compute-ironic-1`` group and re-deploying the ``nova``
+ service would result in the service being removed from ``controller-01``
+ and re-deployed on ``controller-02``. The cleanup function cannot
+ currently handle downsizing the number of service instances. In this case
+ the redundant service instances must be cleaned up manually. For obvious
+ reasons the cleanup function cannot remove a service from a failed node,
+ and in such a case, you must be careful not to allow a second identical
+ service instance to start when the failed node is recovered.
+
+The ``nova-compute-ironic`` service instances may be configured
+individually via the existing override mechanism. For example, the
+creation of ``nova/nova-compute-ironic-1.conf`` will allow variables
+for that specific service to be overridden.
+
OpenStack policy customisation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/reference/storage/cinder-guide.rst b/doc/source/reference/storage/cinder-guide.rst
index 07192f0fb3..9766c053a0 100644
--- a/doc/source/reference/storage/cinder-guide.rst
+++ b/doc/source/reference/storage/cinder-guide.rst
@@ -67,6 +67,14 @@ Enable the ``lvm`` backend in ``/etc/kolla/globals.yml``:
enable_cinder_backend_lvm: true
+Edit the inventory file and add ``storage`` group as a child of
+``cinder-volume`` group:
+
+.. code-block:: ini
+
+ [cinder-volume:children]
+ storage
+
.. note::
There are currently issues using the LVM backend in a multi-controller setup,
@@ -151,9 +159,11 @@ Cinder LVM2 backend with iSCSI
As of Newton-1 milestone, Kolla supports LVM2 as cinder backend. It is
accomplished by introducing two new containers ``tgtd`` and ``iscsid``.
-``tgtd`` container serves as a bridge between cinder-volume process and a
-server hosting Logical Volume Groups (LVG). ``iscsid`` container serves as
-a bridge between nova-compute process and the server hosting LVG.
+``tgtd`` container is the target part of iSCSI setup which needs to run
+on the ``storage`` Ansible group for exposing volumes from LVM.
+``iscsid`` container is the client part of iSCSI setup which needs to run
+together with nova-compute for instance access to storage and on hosts
+running ``cinder-volume`` and ``cinder-backup`` for volume operations.
In order to use Cinder's LVM backend, a LVG named ``cinder-volumes`` should
exist on the server and following parameter must be specified in
@@ -163,37 +173,6 @@ exist on the server and following parameter must be specified in
enable_cinder_backend_lvm: true
-For Ubuntu and LVM2/iSCSI
--------------------------
-
-``iscsd`` process uses configfs which is normally mounted at
-``/sys/kernel/config`` to store discovered targets information, on centos/rhel
-type of systems this special file system gets mounted automatically, which is
-not the case on debian/ubuntu. Since ``iscsid`` container runs on every nova
-compute node, the following steps must be completed on every Ubuntu server
-targeted for nova compute role.
-
-* Add configfs module to ``/etc/modules``
-* Rebuild initramfs using: ``update-initramfs -u`` command
-* Stop ``open-iscsi`` system service due to its conflicts
- with iscsid container.
-
- Ubuntu 16.04 (systemd):
- ``systemctl stop open-iscsi; systemctl stop iscsid``
-
-* Make sure configfs gets mounted during a server boot up process. There are
- multiple ways to accomplish it, one example:
-
- .. code-block:: console
-
- mount -t configfs /etc/rc.local /sys/kernel/config
-
- .. note::
-
- There is currently an issue with the folder /sys/kernel/config as it is
- either empty or does not exist in several operating systems,
- see `_bug 1631072 `__ for more info
-
Cinder backend with external iSCSI storage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py
index 89b7bbd0ab..7248a8f209 100755
--- a/kolla_ansible/cmd/genpwd.py
+++ b/kolla_ansible/cmd/genpwd.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/kolla_ansible/cmd/mergepwd.py b/kolla_ansible/cmd/mergepwd.py
index fa99f57fbc..8d7d1d4fe6 100755
--- a/kolla_ansible/cmd/mergepwd.py
+++ b/kolla_ansible/cmd/mergepwd.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/kolla_ansible/nova_filters.py b/kolla_ansible/nova_filters.py
index 4bb5cbdf66..f9be3eb98c 100644
--- a/kolla_ansible/nova_filters.py
+++ b/kolla_ansible/nova_filters.py
@@ -15,6 +15,8 @@
import jinja2
import re
+from kolla_ansible import exception
+
def extract_cell(list_cells_cli_output, cell_name):
"""Extract cell settings from nova_manage CLI
@@ -85,8 +87,57 @@ def _namespace(name):
return services
+def get_expected_ironic_compute_services(ironic_compute_batch_info,
+ multi_compute_conf,
+ nova_cell_compute_ironic_group):
+ """Return a List of expected Ironic compute services
+
+ :param ironic_compute_batch_info: A dict containing configuration
+ information about Ironic Compute hosts.
+ :param multi_compute_conf: Ironic multi-compute config
+ :param nova_cell_compute_ironic_group: Ansible group name for
+ nova-compute-ironic. Eg. 'nova-compute-ironic'.
+ :returns: A list of Nova Compute Ironic service hostnames.
+ """
+ classic_info = ironic_compute_batch_info['classic']
+ multi_compute_info = ironic_compute_batch_info['multi']
+ if len(multi_compute_conf) == 0:
+ return [f'{host}-ironic' for host in classic_info]
+
+ expected_services = []
+ group_prefix = nova_cell_compute_ironic_group + '-'
+ for host in multi_compute_info:
+ iterate_vars = [
+ int(group.split(group_prefix)[1])
+ for group in host if group_prefix in group]
+ for i in iterate_vars:
+ try:
+ service_conf = multi_compute_conf[i - 1]
+ except IndexError:
+ raise exception.FilterError(
+ "Unable to look up multi-compute Ironic config for "
+ "{g}-{i} inventory group. Check that "
+ "nova_multi_compute_ironic_config has an entry for "
+ "each defined group.".format(
+ g=nova_cell_compute_ironic_group,
+ i=i))
+ expected_services.append(
+ _get_expected_compute_service_name(service_conf))
+ return expected_services
+
+
+def _get_expected_compute_service_name(service_conf):
+ custom_host = service_conf.get('custom_host')
+ if custom_host:
+ return f"{custom_host}-ironic"
+ cg = service_conf.get('conductor_group', 'default')
+ sk = service_conf.get('shard_key', 'default')
+ return f"{cg}-{sk}-ironic"
+
+
def get_filters():
return {
"extract_cell": extract_cell,
"namespace_haproxy_for_cell": namespace_haproxy_for_cell,
+ "get_expected_ironic_compute_services": get_expected_ironic_compute_services, # noqa
}
diff --git a/kolla_ansible/tests/unit/test_nova_filters.py b/kolla_ansible/tests/unit/test_nova_filters.py
index e8d5c507aa..d436b0ef10 100644
--- a/kolla_ansible/tests/unit/test_nova_filters.py
+++ b/kolla_ansible/tests/unit/test_nova_filters.py
@@ -73,6 +73,92 @@ def test_extract_duplicate_cell(self):
self.assertRaisesRegex(jinja2.TemplateRuntimeError, 'duplicates',
self._test_extract_cell, test_data, 'cell0001')
+ def test_get_expected_ironic_compute_services_multi_compute(self):
+ example_ironic_compute_conf = {
+ # We expect the classic config to be ignored
+ 'classic': ['custom-host-nova-compute'],
+ # We have a batch of 2 Ironic compute hosts which should
+ # run a total of 3 Nova compute Ironic instances
+ 'multi': [
+ ['nova-compute-ironic-1',
+ 'nova-compute-ironic-2',
+ 'nova-compute-ironic',
+ 'something'],
+ ['nova-compute-ironic-3',
+ 'nova-compute-ironic',
+ 'something'],
+ ]
+ }
+ multi_conf = [
+ {"custom_host": "some_custom_host"},
+ {"shard_key": "shard_1", "conductor_group": "location_1"},
+ {"shard_key": "shard_2", "conductor_group": "location_1"},
+ {"conductor_group": "location_2"},
+ {"shard_key": "shard_1"}
+ ]
+ actual = filters.get_expected_ironic_compute_services(
+ example_ironic_compute_conf, multi_conf, 'nova-compute-ironic')
+ expected = [
+ 'some_custom_host-ironic',
+ 'location_1-shard_1-ironic',
+ 'location_1-shard_2-ironic',
+ ]
+ self.assertListEqual(actual, expected)
+
+ def test_get_expected_ironic_compute_services_no_compute(self):
+ example_ironic_compute_conf = {
+ 'classic': [],
+ 'multi': []
+ }
+ actual = filters.get_expected_ironic_compute_services(
+ example_ironic_compute_conf, [], 'nova-compute-ironic')
+ expected = []
+ self.assertListEqual(actual, expected)
+
+ def test_get_expected_ironic_compute_services_classic_compute(self):
+ example_ironic_compute_conf = {
+ 'classic': ['custom-foo'],
+ 'multi': []
+ }
+ actual = filters.get_expected_ironic_compute_services(
+ example_ironic_compute_conf, [], 'nova-compute-ironic')
+ expected = ['custom-foo-ironic']
+ self.assertListEqual(actual, expected)
+
+ def test_get_expected_ironic_compute_services_classic_compute_multi(self):
+ # NOTE(dougszu): This isn't a recommended configuration
+ example_ironic_compute_conf = {
+ 'classic': ['custom-foo', 'ctrl02', 'ctrl03'],
+ 'multi': []
+ }
+ actual = filters.get_expected_ironic_compute_services(
+ example_ironic_compute_conf, [], 'nova-compute-ironic')
+ expected = [
+ 'custom-foo-ironic',
+ 'ctrl02-ironic',
+ 'ctrl03-ironic',
+ ]
+ self.assertListEqual(actual, expected)
+
+ def test_get_expected_ironic_compute_services_bad_config(self):
+ example_ironic_compute_conf = {
+ 'classic': [],
+ 'multi': [
+ ['my-custom-group-1',
+ 'my-custom-group-2',
+ 'my-custom-group',
+ 'something'],
+ ]
+ }
+ multi_conf = [
+ {"shard_key": "shard_1", "conductor_group": "location_1"},
+ ]
+ with self.assertRaisesRegex(Exception,
+ 'Unable to look up multi-compute Ironic '
+ 'config for my-custom-group-2'):
+ filters.get_expected_ironic_compute_services(
+ example_ironic_compute_conf, multi_conf, 'my-custom-group')
+
def test_namespace_haproxy_for_cell_with_empty_name(self):
example_services = {
'nova-novncproxy': {
diff --git a/releasenotes/notes/add-nova-multi-compute-ironic-support-1bf5c64f8a530cc9.yaml b/releasenotes/notes/add-nova-multi-compute-ironic-support-1bf5c64f8a530cc9.yaml
new file mode 100644
index 0000000000..c99523feb3
--- /dev/null
+++ b/releasenotes/notes/add-nova-multi-compute-ironic-support-1bf5c64f8a530cc9.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Adds support for deploying multiple instances of the Nova Compute Ironic
+ service on the same host. This is useful in large baremetal deployments.
+upgrade:
+ - |
+ If you are migrating to the new feature to deploy multiple instances of
+ Nova Compute Ironic, you are first required to manually remove the
+ existing Nova Compute Ironic Docker container, and config directories.
diff --git a/releasenotes/notes/bug-2148279-2ec0852b8bee0971.yaml b/releasenotes/notes/bug-2148279-2ec0852b8bee0971.yaml
new file mode 100644
index 0000000000..3e5d9c9e49
--- /dev/null
+++ b/releasenotes/notes/bug-2148279-2ec0852b8bee0971.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fixes an issue where Prometheus would not scrape ProxySQL or
+ Valkey metrics if Alertmanager was disabled. The configuration
+ blocks for these exporters were incorrectly nested within the
+ Alertmanager conditional block.
+ `LP#2148279 `__
diff --git a/releasenotes/notes/fix-bootstrapping-mysqld-exporter-f10a4ff269c2395b.yaml b/releasenotes/notes/fix-bootstrapping-mysqld-exporter-f10a4ff269c2395b.yaml
new file mode 100644
index 0000000000..b857b9d739
--- /dev/null
+++ b/releasenotes/notes/fix-bootstrapping-mysqld-exporter-f10a4ff269c2395b.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixes bootstrapping of prometheus-mysqld-exporter which is failing creating
+ mariadb user when monitoring group is configured to be deployed on separate
+ hosts.
diff --git a/releasenotes/notes/move-cinder-volume-b4ee8e4378ea6828.yaml b/releasenotes/notes/move-cinder-volume-b4ee8e4378ea6828.yaml
new file mode 100644
index 0000000000..10cab61934
--- /dev/null
+++ b/releasenotes/notes/move-cinder-volume-b4ee8e4378ea6828.yaml
@@ -0,0 +1,16 @@
+---
+upgrade:
+ - |
+ ``cinder-volume`` and ``cinder-backup`` containers are now
+ deployed by default on ``cinder`` group - which effectively
+ is ``control`` by default (earlier it defaulted to ``storage``).
+ - |
+ New Ansible inventory groups have been introduced to support properly
+ Cinder LVM backend setup:
+
+ * ``cinder-backup-lvm``
+ * ``cinder-backup-multiple``
+ * ``cinder-volume-lvm``
+ * ``cinder-volume-multiple``
+
+ Please update your inventory overrides accordingly.
diff --git a/releasenotes/notes/service_uwsgi_config_threads-e4c4867f204b94cf.yaml b/releasenotes/notes/service_uwsgi_config_threads-e4c4867f204b94cf.yaml
new file mode 100644
index 0000000000..69224c3bdb
--- /dev/null
+++ b/releasenotes/notes/service_uwsgi_config_threads-e4c4867f204b94cf.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added ``service_uwsgi_config_threads`` to configure uWSGI thread count.
+ Horizon now applies ``horizon_wsgi_threads`` when using uWSGI.
diff --git a/roles/test-ovn-vpnaas/defaults/main.yml b/roles/kolla-ansible-test-ovn-vpnaas/defaults/main.yml
similarity index 100%
rename from roles/test-ovn-vpnaas/defaults/main.yml
rename to roles/kolla-ansible-test-ovn-vpnaas/defaults/main.yml
diff --git a/roles/test-ovn-vpnaas/tasks/cleanup_site.yml b/roles/kolla-ansible-test-ovn-vpnaas/tasks/cleanup_site.yml
similarity index 100%
rename from roles/test-ovn-vpnaas/tasks/cleanup_site.yml
rename to roles/kolla-ansible-test-ovn-vpnaas/tasks/cleanup_site.yml
diff --git a/roles/test-ovn-vpnaas/tasks/init_env.yml b/roles/kolla-ansible-test-ovn-vpnaas/tasks/init_env.yml
similarity index 100%
rename from roles/test-ovn-vpnaas/tasks/init_env.yml
rename to roles/kolla-ansible-test-ovn-vpnaas/tasks/init_env.yml
diff --git a/roles/test-ovn-vpnaas/tasks/main.yml b/roles/kolla-ansible-test-ovn-vpnaas/tasks/main.yml
similarity index 100%
rename from roles/test-ovn-vpnaas/tasks/main.yml
rename to roles/kolla-ansible-test-ovn-vpnaas/tasks/main.yml
diff --git a/roles/test-ovn-vpnaas/tasks/setup_site.yml b/roles/kolla-ansible-test-ovn-vpnaas/tasks/setup_site.yml
similarity index 100%
rename from roles/test-ovn-vpnaas/tasks/setup_site.yml
rename to roles/kolla-ansible-test-ovn-vpnaas/tasks/setup_site.yml
diff --git a/roles/openstack-clients/defaults/main.yml b/roles/openstack-clients/defaults/main.yml
index e1f53e2799..034618843a 100644
--- a/roles/openstack-clients/defaults/main.yml
+++ b/roles/openstack-clients/defaults/main.yml
@@ -11,7 +11,7 @@ openstack_clients_pip_packages:
- package: python-heatclient
enabled: true
- package: python-ironicclient
- enabled: "{{ scenario == 'ironic' }}"
+ enabled: "{{ scenario in ['ironic', 'multi-compute-ironic'] }}"
- package: python-magnumclient
enabled: "{{ scenario == 'magnum' }}"
- package: python-neutronclient
diff --git a/tests/check-logs.sh b/tests/check-logs.sh
index 650f2d7b25..2bc3ccee13 100755
--- a/tests/check-logs.sh
+++ b/tests/check-logs.sh
@@ -58,6 +58,10 @@ function check_fluentd_missing_logs {
/var/log/kolla/haproxy/*)
continue
;;
+ # TODO(mnasiadka): Remove me after G/2026.1 release
+ /var/log/kolla/keystone/*apache*)
+ continue
+ ;;
/var/log/kolla/ironic/dnsmasq.log)
continue
;;
diff --git a/tests/run.yml b/tests/run.yml
index 775eb2630d..efa817e24d 100644
--- a/tests/run.yml
+++ b/tests/run.yml
@@ -208,10 +208,10 @@
# ironic.conf
- src: "tests/templates/ironic-overrides.j2"
dest: /etc/kolla/config/ironic.conf
- when: "{{ scenario == 'ironic' }}"
+ when: "{{ scenario == 'ironic' or scenario == 'multi-compute-ironic' }}"
- src: "tests/templates/tenks-deploy-config.yml.j2"
dest: "{{ ansible_env.HOME }}/tenks.yml"
- when: "{{ scenario == 'ironic' }}"
+ when: "{{ scenario == 'ironic' or scenario == 'multi-compute-ironic' }}"
# keystone-federation config
- src: "tests/templates/keystone-federation/idp.example.org%2Frealms%2Fexample.conf.j2"
dest: "/etc/kolla/config/keystone-httpd/federation/oidc/metadata/idp.example.org%2Frealms%2Fexample.conf"
@@ -243,7 +243,7 @@
dest: ironic-agent.initramfs
- src: "ipa-centos9-{{ zuul.branch | replace('/', '-') }}.kernel"
dest: ironic-agent.kernel
- when: scenario == "ironic"
+ when: scenario == "ironic" or scenario == "multi-compute-ironic"
- block:
- name: Slurp requirements.yml
@@ -427,12 +427,13 @@
EXT_NET_GATEWAY: "{{ neutron_external_network_prefix }}1"
EXT_NET_DEMO_ROUTER_ADDR: "{{ neutron_external_network_prefix }}10"
SCENARIO: "{{ scenario }}"
- when: openstack_core_tested or scenario in ['ironic', 'magnum', 'nfv', 'zun', 'octavia']
+ when: openstack_core_tested or scenario in ['ironic', 'multi-compute-ironic' ,'magnum', 'nfv', 'zun', 'octavia']
- name: Test OVN VPNaaS
import_role:
- name: test-ovn-vpnaas
+ name: kolla-ansible-test-ovn-vpnaas
when:
+ - not is_upgrade
- scenario == 'ovn'
# FIXME(neutron): Enable when https://bugs.launchpad.net/neutron/+bug/2146308 is fixed
- not (ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '10')
@@ -493,7 +494,8 @@
chdir: "{{ kolla_ansible_src_dir }}"
environment:
TLS_ENABLED: "{{ tls_enabled }}"
- when: scenario == "ironic"
+ MULTI_COMPUTE_IRONIC: "{{ scenario == 'multi-compute-ironic' }}"
+ when: scenario == "ironic" or scenario == "multi-compute-ironic"
- name: Run test-magnum.sh script
script:
diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2
index 5ed9428101..ca2ad562e0 100644
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -138,6 +138,22 @@ enable_proxysql: "yes"
enable_prometheus_proxysql_exporter: "yes"
{% endif %}
+{% if scenario == "multi-compute-ironic" %}
+nova_multi_compute_ironic_config:
+ - {}
+ - "shard_key": "shard_1"
+ "conductor_group": "location_1"
+ - "shard_key": "shard_2"
+ "conductor_group": "location_1"
+ - "conductor_group": "location_2"
+
+enable_ironic: "yes"
+enable_ironic_pxe_filter: "yes"
+ironic_dnsmasq_dhcp_ranges:
+ - range: "10.42.0.2,10.42.0.254,255.255.255.0"
+ironic_internal_endpoint: http://192.0.2.1:6385
+{% endif %}
+
{% if scenario == "mariadb" %}
enable_fluentd: "yes"
enable_mariadb: "yes"
@@ -195,7 +211,9 @@ neutron_plugin_agent: "ovn"
neutron_ovn_distributed_fip: "yes"
neutron_enable_ovn_agent: "yes"
ovn_sb_db_relay_count: "3"
+{% if not is_upgrade %}
enable_neutron_vpnaas: "yes"
+{% endif %}
enable_octavia: "yes"
octavia_provider_drivers: "ovn:OVN provider"
octavia_provider_agents: "ovn"
diff --git a/tests/templates/inventory.j2 b/tests/templates/inventory.j2
index e9f5da5ad6..a3bea72130 100644
--- a/tests/templates/inventory.j2
+++ b/tests/templates/inventory.j2
@@ -6,7 +6,7 @@
# primary and secondary while the parent group (control) uses only primary.
[control]
-{% if scenario == 'masakari' %}
+{% if scenario in ['masakari', 'multi-compute-ironic'] %}
{% for host in hostvars if host in ['primary'] %}
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }}
{% endfor %}
@@ -299,8 +299,25 @@ nova
[nova-spicehtml5proxy:children]
nova
+{% if scenario == 'multi-compute-ironic' %}
+[nova-compute-ironic-1]
+primary
+[nova-compute-ironic-2]
+secondary1
+[nova-compute-ironic-3]
+secondary2
+[nova-compute-ironic-4]
+secondary2
+
+[nova-compute-ironic:children]
+nova-compute-ironic-1
+nova-compute-ironic-2
+nova-compute-ironic-3
+nova-compute-ironic-4
+{% else %}
[nova-compute-ironic:children]
nova
+{% endif %}
[nova-serialproxy:children]
nova
@@ -355,14 +372,31 @@ neutron
cinder
[cinder-backup:children]
+cinder
+
+[cinder-backup-lvm:children]
+storage
+
+[cinder-backup-multiple:children]
+cinder
storage
[cinder-scheduler:children]
cinder
[cinder-volume:children]
+cinder
+
+[cinder-volume-lvm:children]
storage
+[cinder-volume-multiple:children]
+cinder
+storage
+
+[cinder-scheduler:children]
+cinder
+
# Cloudkitty
[cloudkitty-api:children]
cloudkitty
diff --git a/tests/templates/ironic-overrides.j2 b/tests/templates/ironic-overrides.j2
index be944b3072..9603d6b2ca 100644
--- a/tests/templates/ironic-overrides.j2
+++ b/tests/templates/ironic-overrides.j2
@@ -2,6 +2,16 @@
enabled_inspect_interfaces = no-inspect, agent
default_inspect_interface = agent
+{% if scenario == "multi-compute-ironic" %}
+{% raw %}
+{% set cg = 'location_1' if inventory_hostname == 'secondary1' else 'location_2' if inventory_hostname == 'secondary2' %}
+{% if cg %}
+[conductor]
+conductor_group = {{ cg }}
+{% endif %}
+{% endraw %}
+{% endif %}
+
[neutron]
cleaning_network = public1
inspection_network = public1
diff --git a/tox.ini b/tox.ini
index 7e9beb8efe..30271d8a27 100644
--- a/tox.ini
+++ b/tox.ini
@@ -97,7 +97,6 @@ setenv =
ANSIBLE_ROLES_PATH = {toxinidir}/ansible/roles
deps =
- -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
-r{toxinidir}/requirements.txt
-r{toxinidir}/lint-requirements.txt
allowlist_externals = bash
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 0758a8067d..7cb2ec76ff 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -4,6 +4,7 @@
templates:
- ansible-role-jobs
- check-requirements
+ - kolla-ansible-scenario-multi-compute-ironic
- kolla-ansible-scenario-aio
- kolla-ansible-scenario-bifrost
- kolla-ansible-scenario-cells
diff --git a/zuul.d/scenarios/cephadm.yaml b/zuul.d/scenarios/cephadm.yaml
index ea36ecc91f..11bbcacc42 100644
--- a/zuul.d/scenarios/cephadm.yaml
+++ b/zuul.d/scenarios/cephadm.yaml
@@ -8,6 +8,7 @@
- ^ansible/group_vars/baremetal/ansible-python-interpreter.yml
- ^ansible/roles/(ceph-rgw|certificates|cinder|common|fluentd|glance|haproxy-config|heat|horizon|keystone|loadbalancer|loadbalancer-config|neutron|nova|nova-cell|openvswitch|placement|proxysql|rabbitmq|valkey)/
- ^roles/cephadm/
+ - ^tests/templates/inventory.j2
vars:
kolla_ansible_setup_disks_file_path: "/var/lib/ceph-osd.img"
kolla_ansible_setup_disks_vg_name: "cephvg"
diff --git a/zuul.d/scenarios/multi-compute-ironic.yaml b/zuul.d/scenarios/multi-compute-ironic.yaml
new file mode 100644
index 0000000000..814116a1fd
--- /dev/null
+++ b/zuul.d/scenarios/multi-compute-ironic.yaml
@@ -0,0 +1,47 @@
+---
+- job:
+ name: kolla-ansible-multi-compute-ironic-base
+ parent: kolla-ansible-base
+ voting: false
+ files: !inherit
+ - ^ansible/group_vars/all/(nova|ironic).yml
+ - ^ansible/roles/(nova|nova-cell|ironic)/
+ - ^tests/deploy-tenks\.sh$
+ - ^tests/templates/ironic-overrides\.j2$
+ - ^tests/templates/tenks-deploy-config\.yml\.j2$
+ - ^tests/test-dashboard\.sh$
+ - ^tests/test-ironic\.sh$
+ required-projects:
+ - openstack/tenks
+ vars:
+ scenario: multi-compute-ironic
+ scenario_images_extra:
+ - ^dnsmasq
+ - ^ironic
+ - ^iscsid
+ tls_enabled: false
+
+- job:
+ name: kolla-ansible-debian-trixie-multi-compute-ironic
+ parent: kolla-ansible-multi-compute-ironic-base
+ nodeset: kolla-ansible-debian-trixie-multi-16GB
+
+- job:
+ name: kolla-ansible-rocky-10-multi-compute-ironic
+ parent: kolla-ansible-multi-compute-ironic-base
+ nodeset: kolla-ansible-rocky-10-multi-16GB
+
+- job:
+ name: kolla-ansible-ubuntu-noble-multi-compute-ironic
+ parent: kolla-ansible-multi-compute-ironic-base
+ nodeset: kolla-ansible-ubuntu-noble-multi-16GB
+
+- project-template:
+ name: kolla-ansible-scenario-multi-compute-ironic
+ description: |
+ Runs Kolla-Ansible Nova Multi Compute Ironic scenario jobs.
+ check:
+ jobs:
+ - kolla-ansible-debian-trixie-multi-compute-ironic
+ - kolla-ansible-rocky-10-multi-compute-ironic
+ - kolla-ansible-ubuntu-noble-multi-compute-ironic
diff --git a/zuul.d/scenarios/ovn.yaml b/zuul.d/scenarios/ovn.yaml
index fb6f097b99..2860ad21a4 100644
--- a/zuul.d/scenarios/ovn.yaml
+++ b/zuul.d/scenarios/ovn.yaml
@@ -12,6 +12,7 @@
scenario_images_extra:
- ^octavia
- ^ovn
+ - ^prometheus
- job:
name: kolla-ansible-debian-trixie-ovn