From 76e78c59cae1c887a3572e7a876f653c9925bff2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Din=C3=A7er=20=C3=87elik?= Date: Tue, 3 Jun 2025 15:17:24 +0300 Subject: [PATCH 01/12] Fix shebangs Change-Id: I305bb756eb2fd8f582bbef5b2674f8b09b141ab8 --- kolla_ansible/cmd/genpwd.py | 2 +- kolla_ansible/cmd/mergepwd.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py index 89b7bbd0ab..7248a8f209 100755 --- a/kolla_ansible/cmd/genpwd.py +++ b/kolla_ansible/cmd/genpwd.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/kolla_ansible/cmd/mergepwd.py b/kolla_ansible/cmd/mergepwd.py index 00f38d9760..d7368fd53a 100755 --- a/kolla_ansible/cmd/mergepwd.py +++ b/kolla_ansible/cmd/mergepwd.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. From e1df807fae30c3d5fed38d4f64a4818751451026 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 3 Apr 2026 09:50:13 +0200 Subject: [PATCH 02/12] octavia: update [neutron] configuration section Add authentication settings for Neutron and replace deprecated configuration. See change I686cfdef78de927fa4bc1921c15e8d5853fd2ef9 for more details [1]. [1] https://review.opendev.org/c/openstack/octavia/+/866327 Change-Id: I212dbfc7d555c731f629c1f73ae518351dd713f6 Signed-off-by: Pierre Riteau --- ansible/roles/octavia/templates/octavia.conf.j2 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2 index 8a145d6a3a..8e40506927 100644 --- a/ansible/roles/octavia/templates/octavia.conf.j2 +++ b/ansible/roles/octavia/templates/octavia.conf.j2 @@ -157,9 +157,16 @@ endpoint_type = internal ca_certificates_file = {{ openstack_cacert }} [neutron] +auth_url = {{ keystone_internal_url }} +auth_type = password +username = {{ octavia_keystone_user }} +password = {{ octavia_keystone_password }} +user_domain_name = {{ default_user_domain_name }} +project_name = {{ octavia_service_auth_project }} +project_domain_name = {{ default_project_domain_name }} region_name = {{ openstack_region_name }} valid_interfaces = internal -ca_certificates_file = {{ openstack_cacert }} +cafile = {{ openstack_cacert }} [nova] region_name = {{ openstack_region_name }} From 23c420a55d678269930e80bc1f1afc052e061189 Mon Sep 17 00:00:00 2001 From: Piotr Milewski Date: Tue, 14 Apr 2026 09:07:08 +0200 Subject: [PATCH 03/12] Fix Prometheus scraping for ProxySQL and Valkey The configuration for ProxySQL and Valkey exporters was incorrectly nested inside the 'enable_prometheus_alertmanager' block. This caused the scrape jobs to be missing from prometheus.yml when Alertmanager was disabled, even if the exporters themselves were enabled. This commit moves these exporter blocks outside the Alertmanager conditional to ensure metrics are collected independently. Closes-Bug: #2148279 Change-Id: Ib4ac95cfce2272529cdc8b98c40dc7f21c50e27f Signed-off-by: Piotr Milewski --- .../prometheus/templates/prometheus.yml.j2 | 40 +++++++++---------- .../notes/bug-2148279-2ec0852b8bee0971.yaml | 8 ++++ 2 files changed, 28 insertions(+), 20 deletions(-) create mode 100644 releasenotes/notes/bug-2148279-2ec0852b8bee0971.yaml diff --git a/ansible/roles/prometheus/templates/prometheus.yml.j2 b/ansible/roles/prometheus/templates/prometheus.yml.j2 index f07e89ceac..0887f98534 100644 --- a/ansible/roles/prometheus/templates/prometheus.yml.j2 +++ b/ansible/roles/prometheus/templates/prometheus.yml.j2 @@ -241,43 +241,43 @@ scrape_configs: {% endfor %} {% endif %} -{% if enable_prometheus_alertmanager | bool %} - - job_name: alertmanager +{% if enable_prometheus_proxysql_exporter | bool %} + - job_name: proxysql static_configs: -{% for host in groups['prometheus-alertmanager'] %} +{% for host in groups["loadbalancer"] %} - targets: - - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_alertmanager_port'] }}' + - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['proxysql_prometheus_exporter_port'] }}' {% if hostvars[host].prometheus_instance_label | default(false, true) %} labels: instance: "{{ hostvars[host].prometheus_instance_label }}" {% endif %} {% endfor %} +{% endif %} -{% if enable_prometheus_proxysql_exporter | bool %} - - job_name: proxysql +{% if enable_prometheus_valkey_exporter | bool %} + - job_name: valkey_exporter static_configs: -{% for host in groups["loadbalancer"] %} +{% for host in groups["prometheus-valkey-exporter"] %} - targets: - - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['proxysql_prometheus_exporter_port'] }}' -{% if hostvars[host].prometheus_instance_label | default(false, true) %} + - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_valkey_exporter_port'] }}' +{% if hostvars[host].prometheus_instance_label | default(false, true) %} labels: instance: "{{ hostvars[host].prometheus_instance_label }}" -{% endif %} -{% endfor %} -{% endif %} +{% endif %} +{% endfor %} +{% endif %} -{% if enable_prometheus_valkey_exporter | bool %} - - job_name: valkey_exporter +{% if enable_prometheus_alertmanager | bool %} + - job_name: alertmanager static_configs: -{% for host in groups["prometheus-valkey-exporter"] %} +{% for host in groups['prometheus-alertmanager'] %} - targets: - - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_valkey_exporter_port'] }}' -{% if hostvars[host].prometheus_instance_label | default(false, true) %} + - '{{ 'api' | kolla_address(host, override_var='prometheus_target_address') | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_alertmanager_port'] }}' +{% if hostvars[host].prometheus_instance_label | default(false, true) %} labels: instance: "{{ hostvars[host].prometheus_instance_label }}" -{% endif %} -{% endfor %} -{% endif %} +{% endif %} +{% endfor %} alerting: alertmanagers: diff --git a/releasenotes/notes/bug-2148279-2ec0852b8bee0971.yaml b/releasenotes/notes/bug-2148279-2ec0852b8bee0971.yaml new file mode 100644 index 0000000000..3e5d9c9e49 --- /dev/null +++ b/releasenotes/notes/bug-2148279-2ec0852b8bee0971.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + Fixes an issue where Prometheus would not scrape ProxySQL or + Valkey metrics if Alertmanager was disabled. The configuration + blocks for these exporters were incorrectly nested within the + Alertmanager conditional block. + `LP#2148279 `__ From df63282b329965b03a8956170aa0b5406a894e56 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Wed, 11 Mar 2026 12:10:25 +0100 Subject: [PATCH 04/12] cinder: Change default destination for cinder-volume/backup containers Kolla-Ansible defaulted for long time to deploy cinder-volume/backup containers on storage group, which is good for Cinder LVM deployments. Problem is - majority of deployments does not use Cinder LVM backend - they use mainly Ceph (based on OpenStack User Survey) and probably some other proprietary vendors which are API driven. Let's change the default to reflect reality. If a user has cinder lvm enabled - we will deploy it as it was before If a user has both cinder lvm and something else enabled - we will deploy cinder-volume and cinder-backup in both places (cinder group and storage group) If a user doesn't have cinder lvm enabled - we deploy only in the cinder group Change-Id: Ia4a874de8f1b8eab8ff688eab4c6af013449c18c Signed-off-by: Michal Nasiadka --- ansible/inventory/all-in-one | 17 ++++++- ansible/inventory/multinode | 14 ++++++ ansible/roles/cinder/defaults/main.yml | 10 +++- ansible/roles/cinder/tasks/precheck.yml | 4 +- ansible/roles/iscsi/defaults/main.yml | 12 ++++- ansible/site.yml | 4 ++ doc/source/reference/storage/cinder-guide.rst | 47 +++++-------------- .../move-cinder-volume-b4ee8e4378ea6828.yaml | 16 +++++++ tests/templates/inventory.j2 | 17 +++++++ zuul.d/scenarios/cephadm.yaml | 1 + 10 files changed, 101 insertions(+), 41 deletions(-) create mode 100644 releasenotes/notes/move-cinder-volume-b4ee8e4378ea6828.yaml diff --git a/ansible/inventory/all-in-one b/ansible/inventory/all-in-one index 79704c8dea..96fca6f8f1 100644 --- a/ansible/inventory/all-in-one +++ b/ansible/inventory/all-in-one @@ -267,12 +267,26 @@ network cinder [cinder-backup:children] +cinder + +[cinder-backup-lvm:children] +storage + +[cinder-backup-multiple:children] +cinder storage [cinder-scheduler:children] cinder [cinder-volume:children] +cinder + +[cinder-volume-lvm:children] +storage + +[cinder-volume-multiple:children] +cinder storage # Cloudkitty @@ -283,11 +297,12 @@ cloudkitty cloudkitty # iSCSI +# NOTE(mnasiadka): We need iscsid on cinder-volume hosts and clients [iscsid:children] compute storage -ironic +# NOTE(mnasiadka): We need tgtd on storage nodes for Cinder LVM [tgtd:children] storage diff --git a/ansible/inventory/multinode b/ansible/inventory/multinode index cbb0db70c0..10fcb0f5c0 100644 --- a/ansible/inventory/multinode +++ b/ansible/inventory/multinode @@ -285,12 +285,26 @@ network cinder [cinder-backup:children] +cinder + +[cinder-backup-lvm:children] +storage + +[cinder-backup-multiple:children] +cinder storage [cinder-scheduler:children] cinder [cinder-volume:children] +cinder + +[cinder-volume-lvm:children] +storage + +[cinder-volume-multiple:children] +cinder storage # Cloudkitty diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml index 4258d863e2..50d764c622 100644 --- a/ansible/roles/cinder/defaults/main.yml +++ b/ansible/roles/cinder/defaults/main.yml @@ -41,7 +41,10 @@ cinder_services: healthcheck: "{{ cinder_scheduler_healthcheck }}" cinder-volume: container_name: cinder_volume - group: cinder-volume + group: >- + {{ 'cinder-volume-multiple' if (cinder_enabled_backends | length > 1 and enable_cinder_backend_lvm | bool) else + 'cinder-volume-lvm' if enable_cinder_backend_lvm | bool else + 'cinder-volume' }} enabled: true image: "{{ cinder_volume_image_full }}" privileged: true @@ -52,7 +55,10 @@ cinder_services: healthcheck: "{{ cinder_volume_healthcheck }}" cinder-backup: container_name: cinder_backup - group: cinder-backup + group: >- + {{ 'cinder-backup-multiple' if (cinder_enabled_backends | length > 1 and enable_cinder_backend_lvm | bool) else + 'cinder-backup-lvm' if enable_cinder_backend_lvm | bool else + 'cinder-backup' }} enabled: "{{ enable_cinder_backup | bool }}" image: "{{ cinder_backup_image_full }}" privileged: true diff --git a/ansible/roles/cinder/tasks/precheck.yml b/ansible/roles/cinder/tasks/precheck.yml index ebaf913bf1..35870c8485 100644 --- a/ansible/roles/cinder/tasks/precheck.yml +++ b/ansible/roles/cinder/tasks/precheck.yml @@ -54,7 +54,7 @@ when: - enable_cinder | bool - enable_cinder_backend_lvm | bool - - inventory_hostname in groups['cinder-volume'] + - inventory_hostname in groups['cinder-volume-multiple'] if cinder_enabled_backends | length > 1 else inventory_hostname in groups['cinder-volume-lvm'] - name: Checking for coordination backend if Ceph backend is enabled run_once: true @@ -64,7 +64,7 @@ - not skip_cinder_backend_check | bool - cinder_backend_ceph | bool - cinder_coordination_backend == '' - - groups['cinder-volume'] | length > 1 + - groups['cinder-volume-multiple'] | length > 1 if enable_cinder_backend_lvm | bool else groups['cinder-volume'] | length > 1 - name: Check if S3 configurations are defined ansible.builtin.assert: diff --git a/ansible/roles/iscsi/defaults/main.yml b/ansible/roles/iscsi/defaults/main.yml index 8d94bcaf5b..ecf8ad6e11 100644 --- a/ansible/roles/iscsi/defaults/main.yml +++ b/ansible/roles/iscsi/defaults/main.yml @@ -57,10 +57,18 @@ tgtd_default_volumes: iscsid_extra_volumes: "{{ default_extra_volumes }}" tgtd_extra_volumes: "{{ default_extra_volumes }}" +iscsid_cinder_backup_group: >- + {{ 'cinder-backup-multiple' if (cinder_enabled_backends | length > 1 and enable_cinder_backend_lvm | bool) else + 'cinder-backup-lvm' if enable_cinder_backend_lvm | bool else + 'cinder-backup' }} +iscsid_cinder_volume_group: >- + {{ 'cinder-volume-multiple' if (cinder_enabled_backends | length > 1 and enable_cinder_backend_lvm | bool) else + 'cinder-volume-lvm' if enable_cinder_backend_lvm | bool else + 'cinder-volume' }} enable_iscsid_for_cinder: >- {{ (inventory_hostname in groups['compute'] - or inventory_hostname in groups['cinder-backup'] - or inventory_hostname in groups['cinder-volume']) + or inventory_hostname in groups[iscsid_cinder_backup_group] if enable_cinder_backend_lvm | bool + or inventory_hostname in groups[iscsid_cinder_volume_group] if enable_cinder_backend_lvm | bool) and enable_cinder | bool and enable_cinder_backend_iscsi | bool }} enable_iscsid_for_ironic: >- diff --git a/ansible/site.yml b/ansible/site.yml index 18d9c3c925..6e286397c6 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -602,8 +602,12 @@ hosts: - cinder-api - cinder-backup + - cinder-backup-lvm + - cinder-backup-multiple - cinder-scheduler - cinder-volume + - cinder-volume-lvm + - cinder-volume-multiple - "&enable_cinder_True" serial: '{{ kolla_serial|default("0") }}' max_fail_percentage: >- diff --git a/doc/source/reference/storage/cinder-guide.rst b/doc/source/reference/storage/cinder-guide.rst index 9f8a5bf2aa..a850deb275 100644 --- a/doc/source/reference/storage/cinder-guide.rst +++ b/doc/source/reference/storage/cinder-guide.rst @@ -67,6 +67,14 @@ Enable the ``lvm`` backend in ``/etc/kolla/globals.yml``: enable_cinder_backend_lvm: "yes" +Edit the inventory file and add ``storage`` group as a child of +``cinder-volume`` group: + +.. code-block:: ini + + [cinder-volume:children] + storage + .. note:: There are currently issues using the LVM backend in a multi-controller setup, @@ -151,9 +159,11 @@ Cinder LVM2 backend with iSCSI As of Newton-1 milestone, Kolla supports LVM2 as cinder backend. It is accomplished by introducing two new containers ``tgtd`` and ``iscsid``. -``tgtd`` container serves as a bridge between cinder-volume process and a -server hosting Logical Volume Groups (LVG). ``iscsid`` container serves as -a bridge between nova-compute process and the server hosting LVG. +``tgtd`` container is the target part of iSCSI setup which needs to run +on the ``storage`` Ansible group for exposing volumes from LVM. +``iscsid`` container is the client part of iSCSI setup which needs to run +together with nova-compute for instance access to storage and on hosts +running ``cinder-volume`` and ``cinder-backup`` for volume operations. In order to use Cinder's LVM backend, a LVG named ``cinder-volumes`` should exist on the server and following parameter must be specified in @@ -163,37 +173,6 @@ exist on the server and following parameter must be specified in enable_cinder_backend_lvm: "yes" -For Ubuntu and LVM2/iSCSI -------------------------- - -``iscsd`` process uses configfs which is normally mounted at -``/sys/kernel/config`` to store discovered targets information, on centos/rhel -type of systems this special file system gets mounted automatically, which is -not the case on debian/ubuntu. Since ``iscsid`` container runs on every nova -compute node, the following steps must be completed on every Ubuntu server -targeted for nova compute role. - -* Add configfs module to ``/etc/modules`` -* Rebuild initramfs using: ``update-initramfs -u`` command -* Stop ``open-iscsi`` system service due to its conflicts - with iscsid container. - - Ubuntu 16.04 (systemd): - ``systemctl stop open-iscsi; systemctl stop iscsid`` - -* Make sure configfs gets mounted during a server boot up process. There are - multiple ways to accomplish it, one example: - - .. code-block:: console - - mount -t configfs /etc/rc.local /sys/kernel/config - - .. note:: - - There is currently an issue with the folder /sys/kernel/config as it is - either empty or does not exist in several operating systems, - see `_bug 1631072 `__ for more info - Cinder backend with external iSCSI storage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/releasenotes/notes/move-cinder-volume-b4ee8e4378ea6828.yaml b/releasenotes/notes/move-cinder-volume-b4ee8e4378ea6828.yaml new file mode 100644 index 0000000000..10cab61934 --- /dev/null +++ b/releasenotes/notes/move-cinder-volume-b4ee8e4378ea6828.yaml @@ -0,0 +1,16 @@ +--- +upgrade: + - | + ``cinder-volume`` and ``cinder-backup`` containers are now + deployed by default on ``cinder`` group - which effectively + is ``control`` by default (earlier it defaulted to ``storage``). + - | + New Ansible inventory groups have been introduced to support properly + Cinder LVM backend setup: + + * ``cinder-backup-lvm`` + * ``cinder-backup-multiple`` + * ``cinder-volume-lvm`` + * ``cinder-volume-multiple`` + + Please update your inventory overrides accordingly. diff --git a/tests/templates/inventory.j2 b/tests/templates/inventory.j2 index 9a7787b312..769fcae29b 100644 --- a/tests/templates/inventory.j2 +++ b/tests/templates/inventory.j2 @@ -352,14 +352,31 @@ network cinder [cinder-backup:children] +cinder + +[cinder-backup-lvm:children] +storage + +[cinder-backup-multiple:children] +cinder storage [cinder-scheduler:children] cinder [cinder-volume:children] +cinder + +[cinder-volume-lvm:children] storage +[cinder-volume-multiple:children] +cinder +storage + +[cinder-scheduler:children] +cinder + # Cloudkitty [cloudkitty-api:children] cloudkitty diff --git a/zuul.d/scenarios/cephadm.yaml b/zuul.d/scenarios/cephadm.yaml index ea36ecc91f..11bbcacc42 100644 --- a/zuul.d/scenarios/cephadm.yaml +++ b/zuul.d/scenarios/cephadm.yaml @@ -8,6 +8,7 @@ - ^ansible/group_vars/baremetal/ansible-python-interpreter.yml - ^ansible/roles/(ceph-rgw|certificates|cinder|common|fluentd|glance|haproxy-config|heat|horizon|keystone|loadbalancer|loadbalancer-config|neutron|nova|nova-cell|openvswitch|placement|proxysql|rabbitmq|valkey)/ - ^roles/cephadm/ + - ^tests/templates/inventory.j2 vars: kolla_ansible_setup_disks_file_path: "/var/lib/ceph-osd.img" kolla_ansible_setup_disks_vg_name: "cephvg" From 49eb67aa84f073e3434fad11defa0bc07d710236 Mon Sep 17 00:00:00 2001 From: Grzegorz Bialas Date: Thu, 16 Apr 2026 16:30:22 +0200 Subject: [PATCH 05/12] Fix prometheus bootstrapping mysqld-exporter When monitoring is deployed on hosts outside of control group it will not pass service_enabled_and_mapped_to_host filter and bootstrapping step will not be executed, resulting with lack of prometheus user in mariadb. Closes-bug: #2148551 Change-Id: I520131aa976609dd2c1f5b95e4e5fc5fb8fc6e57 Signed-off-by: Grzegorz Bialas --- ansible/roles/prometheus/tasks/deploy.yml | 3 ++- .../fix-bootstrapping-mysqld-exporter-f10a4ff269c2395b.yaml | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fix-bootstrapping-mysqld-exporter-f10a4ff269c2395b.yaml diff --git a/ansible/roles/prometheus/tasks/deploy.yml b/ansible/roles/prometheus/tasks/deploy.yml index 8aba64ae63..89576f1449 100644 --- a/ansible/roles/prometheus/tasks/deploy.yml +++ b/ansible/roles/prometheus/tasks/deploy.yml @@ -6,7 +6,8 @@ ansible.builtin.import_tasks: check-containers.yml - name: Bootstrap prometheus service - ansible.builtin.import_tasks: bootstrap.yml + ansible.builtin.include_tasks: bootstrap.yml + when: inventory_hostname in groups['prometheus-mysqld-exporter'] - name: Flush handlers ansible.builtin.meta: flush_handlers diff --git a/releasenotes/notes/fix-bootstrapping-mysqld-exporter-f10a4ff269c2395b.yaml b/releasenotes/notes/fix-bootstrapping-mysqld-exporter-f10a4ff269c2395b.yaml new file mode 100644 index 0000000000..b857b9d739 --- /dev/null +++ b/releasenotes/notes/fix-bootstrapping-mysqld-exporter-f10a4ff269c2395b.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes bootstrapping of prometheus-mysqld-exporter which is failing creating + mariadb user when monitoring group is configured to be deployed on separate + hosts. From 93e7d719a81fee0db977895b53aa3518f19eda0f Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Mon, 20 Apr 2026 11:25:50 +0200 Subject: [PATCH 06/12] CI: Fix ovn-upgrade jobs Since we use the same globals before upgrade and after upgrade, we need to not enable vpnaas before the upgrade, because there's no additional logic for configuring neutron-ovn-vpn-agent in previous release. Rename the role under /roles to fit out naming and ensure no clashes with other role names Change-Id: I3ccef6b1e75224a60036e9bf49500804ee76eba6 Signed-off-by: Michal Nasiadka --- .../defaults/main.yml | 0 .../tasks/cleanup_site.yml | 0 .../tasks/init_env.yml | 0 .../tasks/main.yml | 0 .../tasks/setup_site.yml | 0 tests/run.yml | 3 ++- tests/templates/globals-default.j2 | 2 ++ 7 files changed, 4 insertions(+), 1 deletion(-) rename roles/{test-ovn-vpnaas => kolla-ansible-test-ovn-vpnaas}/defaults/main.yml (100%) rename roles/{test-ovn-vpnaas => kolla-ansible-test-ovn-vpnaas}/tasks/cleanup_site.yml (100%) rename roles/{test-ovn-vpnaas => kolla-ansible-test-ovn-vpnaas}/tasks/init_env.yml (100%) rename roles/{test-ovn-vpnaas => kolla-ansible-test-ovn-vpnaas}/tasks/main.yml (100%) rename roles/{test-ovn-vpnaas => kolla-ansible-test-ovn-vpnaas}/tasks/setup_site.yml (100%) diff --git a/roles/test-ovn-vpnaas/defaults/main.yml b/roles/kolla-ansible-test-ovn-vpnaas/defaults/main.yml similarity index 100% rename from roles/test-ovn-vpnaas/defaults/main.yml rename to roles/kolla-ansible-test-ovn-vpnaas/defaults/main.yml diff --git a/roles/test-ovn-vpnaas/tasks/cleanup_site.yml b/roles/kolla-ansible-test-ovn-vpnaas/tasks/cleanup_site.yml similarity index 100% rename from roles/test-ovn-vpnaas/tasks/cleanup_site.yml rename to roles/kolla-ansible-test-ovn-vpnaas/tasks/cleanup_site.yml diff --git a/roles/test-ovn-vpnaas/tasks/init_env.yml b/roles/kolla-ansible-test-ovn-vpnaas/tasks/init_env.yml similarity index 100% rename from roles/test-ovn-vpnaas/tasks/init_env.yml rename to roles/kolla-ansible-test-ovn-vpnaas/tasks/init_env.yml diff --git a/roles/test-ovn-vpnaas/tasks/main.yml b/roles/kolla-ansible-test-ovn-vpnaas/tasks/main.yml similarity index 100% rename from roles/test-ovn-vpnaas/tasks/main.yml rename to roles/kolla-ansible-test-ovn-vpnaas/tasks/main.yml diff --git a/roles/test-ovn-vpnaas/tasks/setup_site.yml b/roles/kolla-ansible-test-ovn-vpnaas/tasks/setup_site.yml similarity index 100% rename from roles/test-ovn-vpnaas/tasks/setup_site.yml rename to roles/kolla-ansible-test-ovn-vpnaas/tasks/setup_site.yml diff --git a/tests/run.yml b/tests/run.yml index 775eb2630d..8dd6c62c65 100644 --- a/tests/run.yml +++ b/tests/run.yml @@ -431,8 +431,9 @@ - name: Test OVN VPNaaS import_role: - name: test-ovn-vpnaas + name: kolla-ansible-test-ovn-vpnaas when: + - not is_upgrade - scenario == 'ovn' # FIXME(neutron): Enable when https://bugs.launchpad.net/neutron/+bug/2146308 is fixed - not (ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '10') diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2 index 5ed9428101..f5f005acd5 100644 --- a/tests/templates/globals-default.j2 +++ b/tests/templates/globals-default.j2 @@ -195,7 +195,9 @@ neutron_plugin_agent: "ovn" neutron_ovn_distributed_fip: "yes" neutron_enable_ovn_agent: "yes" ovn_sb_db_relay_count: "3" +{% if not is_upgrade %} enable_neutron_vpnaas: "yes" +{% endif %} enable_octavia: "yes" octavia_provider_drivers: "ovn:OVN provider" octavia_provider_agents: "ovn" From e3b0cf1a876319f0e462b47e170ee701b258d504 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Wed, 22 Apr 2026 12:28:55 +0200 Subject: [PATCH 07/12] CI: Add ^prometheus img regex to ovn scenario We enabled prometheus due to testing of network-exporter Change-Id: I382ab5394baef107cfe62f6e1416561b269cf58c Signed-off-by: Michal Nasiadka --- zuul.d/scenarios/ovn.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/zuul.d/scenarios/ovn.yaml b/zuul.d/scenarios/ovn.yaml index fb6f097b99..2860ad21a4 100644 --- a/zuul.d/scenarios/ovn.yaml +++ b/zuul.d/scenarios/ovn.yaml @@ -12,6 +12,7 @@ scenario_images_extra: - ^octavia - ^ovn + - ^prometheus - job: name: kolla-ansible-debian-trixie-ovn From f0f9810b67afb7531e89cd683d44e49b9980d00f Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Thu, 23 Apr 2026 12:30:00 +0200 Subject: [PATCH 08/12] CI: Remove upper-constraints in linters tox job j2lint 1.2.0 requires rich<15 and u-c bumped it to 15.0.0, so things are failing right now - but we don't need u-c for linters job Change-Id: Ie14c11e299da1e505d379ad35928cc62929a678f Signed-off-by: Michal Nasiadka --- tox.ini | 1 - 1 file changed, 1 deletion(-) diff --git a/tox.ini b/tox.ini index 7e9beb8efe..30271d8a27 100644 --- a/tox.ini +++ b/tox.ini @@ -97,7 +97,6 @@ setenv = ANSIBLE_ROLES_PATH = {toxinidir}/ansible/roles deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/lint-requirements.txt allowlist_externals = bash From fcc21812c4f720ed38eb574ca6144499d32c3013 Mon Sep 17 00:00:00 2001 From: Bartosz Bezak Date: Thu, 23 Apr 2026 12:33:57 +0200 Subject: [PATCH 09/12] service-uwsgi-config: Add threads support Allow services to set an explicit uWSGI thread count alongside the default `enable-threads` setting [1]. Horizon now passes exising `horizon_wsgi_threads` to uWSGI. [1] https://uwsgi-docs.readthedocs.io/en/latest/Options.html#threads Change-Id: I0e33f2331ba10645f5947572c3d443647dd0c3a1 Signed-off-by: Bartosz Bezak --- ansible/roles/horizon/tasks/config.yml | 1 + ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 | 3 +++ .../notes/service_uwsgi_config_threads-e4c4867f204b94cf.yaml | 5 +++++ 3 files changed, 9 insertions(+) create mode 100644 releasenotes/notes/service_uwsgi_config_threads-e4c4867f204b94cf.yaml diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml index 8065779cf9..5463169a96 100644 --- a/ansible/roles/horizon/tasks/config.yml +++ b/ansible/roles/horizon/tasks/config.yml @@ -78,6 +78,7 @@ service_uwsgi_config_tls_key: "/etc/horizon/certs/horizon-key.pem" service_uwsgi_config_uid: "{{ 'horizon' if enable_haproxy | bool else 'root' }}" service_uwsgi_config_workers: "{{ horizon_wsgi_processes }}" + service_uwsgi_config_threads: "{{ horizon_wsgi_threads }}" when: - service | service_enabled_and_mapped_to_host - horizon_wsgi_provider == "uwsgi" diff --git a/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 b/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 index 2c93d4e1b5..ef0a5d3735 100644 --- a/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 +++ b/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 @@ -30,6 +30,9 @@ wsgi-file = {{ service_uwsgi_config_wsgi_file }} plugins-dir = {{ '/usr/lib/uwsgi/plugins' if kolla_base_distro in ['ubuntu', 'debian'] else '/usr/lib64/uwsgi' }} plugins = python3 processes = {{ service_uwsgi_config_workers }} +{% if service_uwsgi_config_threads is defined %} +threads = {{ service_uwsgi_config_threads }} +{% endif %} {% if service_uwsgi_config_socket_port | length > 0 %} socket = {{ service_uwsgi_config_host }}:{{ service_uwsgi_config_socket_port }} {% endif %} diff --git a/releasenotes/notes/service_uwsgi_config_threads-e4c4867f204b94cf.yaml b/releasenotes/notes/service_uwsgi_config_threads-e4c4867f204b94cf.yaml new file mode 100644 index 0000000000..69224c3bdb --- /dev/null +++ b/releasenotes/notes/service_uwsgi_config_threads-e4c4867f204b94cf.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Added ``service_uwsgi_config_threads`` to configure uWSGI thread count. + Horizon now applies ``horizon_wsgi_threads`` when using uWSGI. From 23c4ae04a1a2711d0ec359a742a3e636e92e01ef Mon Sep 17 00:00:00 2001 From: Michal Arbet Date: Fri, 10 Apr 2026 19:13:47 +0000 Subject: [PATCH 10/12] barbican: remove leftover barbican-api.ini.j2 Template is no longer used as Barbican API already relies on the shared service-uwsgi-config role. This removes obsolete and unused file. Change-Id: Ifc8f652843c85b95fa1f5d12a41db21100994ea5 Signed-off-by: Michal Arbet --- .../roles/barbican/templates/barbican-api.ini.j2 | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100644 ansible/roles/barbican/templates/barbican-api.ini.j2 diff --git a/ansible/roles/barbican/templates/barbican-api.ini.j2 b/ansible/roles/barbican/templates/barbican-api.ini.j2 deleted file mode 100644 index e3a88e2790..0000000000 --- a/ansible/roles/barbican/templates/barbican-api.ini.j2 +++ /dev/null @@ -1,15 +0,0 @@ -[uwsgi] -{% if barbican_enable_tls_backend | bool %} -https-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }},/etc/barbican/certs/barbican-cert.pem,/etc/barbican/certs/barbican-key.pem -{% else %} -http-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }} -{% endif %} -processes = {{ barbican_api_workers }} -lazy = true -vacuum = true -no-default-app = true -memory-report = true -plugins = python3 -paste = config:/etc/barbican/barbican-api-paste.ini -add-header = Connection: close -logto = /var/log/kolla/barbican/barbican_api_uwsgi_access.log From e55f8a610808f266f0eac995afee41973150b439 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Fri, 27 Mar 2026 14:13:54 +0100 Subject: [PATCH 11/12] Drop support for running WSGI under Apache The migration to uWSGI has been successfully completed. All API services now run exclusively under uWSGI. The *_wsgi_provider variables have been removed from all affected roles along with leftover Apache wsgi config templates and fluentd Apache log handling. Rework Apache fluentd input configuration so it doesn't glob out whole /var/log/kolla/*/* and just include required services when enabled. Change-Id: I1475e629d033163a50a5c681c8fe2557a7b10bae Signed-off-by: Michal Nasiadka Signed-off-by: Bartosz Bezak --- ...apache-wsgi-provider-5049b660249d0f20.yaml | 8 ++ ansible/roles/aodh/defaults/main.yml | 5 - ansible/roles/aodh/tasks/config.yml | 13 -- ansible/roles/aodh/templates/aodh-api.json.j2 | 15 +-- .../roles/aodh/templates/wsgi-aodh.conf.j2 | 38 ------ ansible/roles/barbican/defaults/main.yml | 5 - ansible/roles/barbican/tasks/config.yml | 1 - ansible/roles/cinder/defaults/main.yml | 5 - ansible/roles/cinder/tasks/config.yml | 17 --- .../roles/cinder/templates/cinder-api.json.j2 | 15 +-- .../cinder/templates/cinder-wsgi.conf.j2 | 35 ----- ansible/roles/cloudkitty/defaults/main.yml | 5 - ansible/roles/cloudkitty/tasks/config.yml | 13 -- .../templates/cloudkitty-api.json.j2 | 15 +-- .../templates/wsgi-cloudkitty.conf.j2 | 36 ------ ansible/roles/fluentd/tasks/config.yml | 8 +- .../templates/conf/filter/01-rewrite.conf.j2 | 10 -- .../conf/format/apache_access.conf.j2 | 12 -- .../templates/conf/format/wsgi_access.conf.j2 | 12 -- .../templates/conf/input/04-apache.conf.j2 | 34 +++++ .../conf/input/04-openstack-wsgi.conf.j2 | 12 -- ansible/roles/gnocchi/defaults/main.yml | 5 - ansible/roles/gnocchi/tasks/config.yml | 15 --- .../gnocchi/templates/gnocchi-api.json.j2 | 15 +-- .../gnocchi/templates/wsgi-gnocchi.conf.j2 | 34 ----- ansible/roles/heat/defaults/main.yml | 5 - ansible/roles/heat/tasks/config.yml | 26 ---- .../roles/heat/templates/heat-api-cfn.json.j2 | 15 +-- ansible/roles/heat/templates/heat-api.json.j2 | 15 +-- .../heat/templates/wsgi-heat-api-cfn.conf.j2 | 46 ------- .../heat/templates/wsgi-heat-api.conf.j2 | 46 ------- ansible/roles/horizon/defaults/main.yml | 5 - ansible/roles/horizon/tasks/config.yml | 17 --- .../roles/horizon/templates/horizon.conf.j2 | 91 ------------- .../roles/horizon/templates/horizon.json.j2 | 14 +- ansible/roles/ironic/defaults/main.yml | 5 - ansible/roles/ironic/tasks/config.yml | 29 ----- .../ironic/templates/ironic-api-wsgi.conf.j2 | 49 ------- .../roles/ironic/templates/ironic-api.json.j2 | 15 +-- .../ironic-prometheus-exporter-wsgi.conf.j2 | 37 ------ .../ironic-prometheus-exporter.json.j2 | 15 +-- ansible/roles/keystone/defaults/main.yml | 8 +- ansible/roles/keystone/tasks/config.yml | 18 --- .../keystone/templates/keystone-startup.sh.j2 | 6 +- .../roles/keystone/templates/keystone.json.j2 | 53 +------- .../keystone/templates/wsgi-keystone.conf.j2 | 121 ------------------ ansible/roles/masakari/defaults/main.yml | 5 - ansible/roles/masakari/tasks/config.yml | 13 -- .../masakari/templates/masakari-api.json.j2 | 15 +-- .../masakari/templates/wsgi-masakari.conf.j2 | 37 ------ ansible/roles/nova/defaults/main.yml | 5 - ansible/roles/nova/tasks/config.yml | 25 ---- .../nova/templates/nova-api-wsgi.conf.j2 | 49 ------- ansible/roles/nova/templates/nova-api.json.j2 | 15 +-- .../nova/templates/nova-metadata-wsgi.conf.j2 | 49 ------- .../nova/templates/nova-metadata.json.j2 | 15 +-- ansible/roles/octavia/defaults/main.yml | 5 - ansible/roles/octavia/tasks/config.yml | 17 --- .../octavia/templates/octavia-api.json.j2 | 15 +-- .../octavia/templates/octavia-wsgi.conf.j2 | 41 ------ ansible/roles/placement/defaults/main.yml | 5 - ansible/roles/placement/tasks/config.yml | 19 --- .../templates/placement-api-wsgi.conf.j2 | 42 ------ .../placement/templates/placement-api.json.j2 | 23 +--- ansible/roles/trove/defaults/main.yml | 5 - ansible/roles/trove/tasks/config.yml | 17 --- .../roles/trove/templates/trove-api.json.j2 | 15 +-- .../roles/trove/templates/trove-wsgi.conf.j2 | 41 ------ ansible/roles/zun/defaults/main.yml | 5 - ansible/roles/zun/tasks/config.yml | 13 -- ansible/roles/zun/templates/wsgi-zun.conf.j2 | 41 ------ ansible/roles/zun/templates/zun-api.json.j2 | 15 +-- tests/check-logs.sh | 4 + 73 files changed, 109 insertions(+), 1461 deletions(-) create mode 100644 ansible/releasenotes/notes/drop-apache-wsgi-provider-5049b660249d0f20.yaml delete mode 100644 ansible/roles/aodh/templates/wsgi-aodh.conf.j2 delete mode 100644 ansible/roles/cinder/templates/cinder-wsgi.conf.j2 delete mode 100644 ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2 delete mode 100644 ansible/roles/fluentd/templates/conf/format/apache_access.conf.j2 delete mode 100644 ansible/roles/fluentd/templates/conf/format/wsgi_access.conf.j2 create mode 100644 ansible/roles/fluentd/templates/conf/input/04-apache.conf.j2 delete mode 100644 ansible/roles/fluentd/templates/conf/input/04-openstack-wsgi.conf.j2 delete mode 100644 ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 delete mode 100644 ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2 delete mode 100644 ansible/roles/heat/templates/wsgi-heat-api.conf.j2 delete mode 100644 ansible/roles/horizon/templates/horizon.conf.j2 delete mode 100644 ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2 delete mode 100644 ansible/roles/ironic/templates/ironic-prometheus-exporter-wsgi.conf.j2 delete mode 100644 ansible/roles/keystone/templates/wsgi-keystone.conf.j2 delete mode 100644 ansible/roles/masakari/templates/wsgi-masakari.conf.j2 delete mode 100644 ansible/roles/nova/templates/nova-api-wsgi.conf.j2 delete mode 100644 ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2 delete mode 100644 ansible/roles/octavia/templates/octavia-wsgi.conf.j2 delete mode 100644 ansible/roles/placement/templates/placement-api-wsgi.conf.j2 delete mode 100644 ansible/roles/trove/templates/trove-wsgi.conf.j2 delete mode 100644 ansible/roles/zun/templates/wsgi-zun.conf.j2 diff --git a/ansible/releasenotes/notes/drop-apache-wsgi-provider-5049b660249d0f20.yaml b/ansible/releasenotes/notes/drop-apache-wsgi-provider-5049b660249d0f20.yaml new file mode 100644 index 0000000000..e5eda3f92f --- /dev/null +++ b/ansible/releasenotes/notes/drop-apache-wsgi-provider-5049b660249d0f20.yaml @@ -0,0 +1,8 @@ +--- +upgrade: + - | + Support for running WSGI services under Apache+mod_wsgi has been dropped. + All API services now run exclusively under uWSGI. The ``*_wsgi_provider`` + variables (``keystone_wsgi_provider``, ``nova_wsgi_provider``, + ``cinder_wsgi_provider``, etc.) have been removed. If you had any of these + set to ``apache`` in your configuration, remove them before upgrading. diff --git a/ansible/roles/aodh/defaults/main.yml b/ansible/roles/aodh/defaults/main.yml index 0c6df039ca..21315cbd81 100644 --- a/ansible/roles/aodh/defaults/main.yml +++ b/ansible/roles/aodh/defaults/main.yml @@ -260,8 +260,3 @@ aodh_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}" # Copy certificates ################### aodh_copy_certs: "{{ kolla_copy_ca_into_containers | bool or aodh_database_enable_tls_internal | bool }}" - -#################### -# WSGI -#################### -aodh_wsgi_provider: "uwsgi" diff --git a/ansible/roles/aodh/tasks/config.yml b/ansible/roles/aodh/tasks/config.yml index a450746816..b90d7892de 100644 --- a/ansible/roles/aodh/tasks/config.yml +++ b/ansible/roles/aodh/tasks/config.yml @@ -78,17 +78,4 @@ service_uwsgi_config_uid: "aodh" service_uwsgi_config_workers: "{{ aodh_api_workers }}" when: - - aodh_wsgi_provider == "uwsgi" - - service | service_enabled_and_mapped_to_host - -- name: Copying over wsgi-aodh files for services - vars: - service: "{{ aodh_services['aodh-api'] }}" - ansible.builtin.template: - src: "wsgi-aodh.conf.j2" - dest: "{{ node_config_directory }}/aodh-api/wsgi-aodh.conf" - mode: "0660" - become: true - when: - - aodh_wsgi_provider == "apache" - service | service_enabled_and_mapped_to_host diff --git a/ansible/roles/aodh/templates/aodh-api.json.j2 b/ansible/roles/aodh/templates/aodh-api.json.j2 index 844fe8db93..77fd4604b2 100644 --- a/ansible/roles/aodh/templates/aodh-api.json.j2 +++ b/ansible/roles/aodh/templates/aodh-api.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set aodh_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if aodh_wsgi_provider == 'apache' else 'uwsgi /etc/aodh/aodh-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/aodh/aodh-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/aodh.conf", "dest": "/etc/aodh/aodh.conf", "owner": "aodh", "perm": "0600" - }{% if aodh_wsgi_provider == "apache" %}, - { - "source": "{{ container_config_directory }}/wsgi-aodh.conf", - "dest": "/etc/{{ aodh_dir }}/wsgi-aodh.conf", - "owner": "root", - "perm": "0600" - }{% elif aodh_wsgi_provider == 'uwsgi' %}, + }, { "source": "{{ container_config_directory }}/aodh-api-uwsgi.ini", "dest": "/etc/aodh/aodh-api-uwsgi.ini", "owner": "aodh", "perm": "0600" - }{% endif %}{% if aodh_policy_file is defined %}, + }{% if aodh_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ aodh_policy_file }}", "dest": "/etc/aodh/{{ aodh_policy_file }}", diff --git a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2 b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2 deleted file mode 100644 index a1f61a0d0b..0000000000 --- a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2 +++ /dev/null @@ -1,38 +0,0 @@ -{% set aodh_log_dir = '/var/log/kolla/aodh' %} -{% set binary_path = '/var/lib/kolla/venv/bin' %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ aodh_api_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -ErrorLog "{{ aodh_log_dir }}/apache-error.log" - - CustomLog "{{ aodh_log_dir }}/apache-access.log" common - - -{% if aodh_logging_debug | bool %} -LogLevel info -{% endif %} - - - - Options Indexes FollowSymLinks MultiViews - AllowOverride None - Require all granted - - - - - ## Logging - ErrorLog "{{ aodh_log_dir }}/aodh_wsgi_error.log" - ServerSignature Off - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ aodh_log_dir }}/aodh_wsgi_access.log" logformat - WSGIApplicationGroup %{GLOBAL} - WSGIDaemonProcess aodh group=aodh processes={{ aodh_api_workers }} threads=1 user=aodh - WSGIProcessGroup aodh - WSGIScriptAlias / "{{ binary_path }}/aodh-api" - diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml index 2110805792..5e1ad02871 100644 --- a/ansible/roles/barbican/defaults/main.yml +++ b/ansible/roles/barbican/defaults/main.yml @@ -236,8 +236,3 @@ barbican_database_enable_tls_internal: "{{ database_enable_tls_internal | bool } # Copy certificates ################### barbican_copy_certs: "{{ kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool or barbican_database_enable_tls_internal | bool }}" - -################### -# WSGI -################### -barbican_wsgi_provider: "uwsgi" diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml index da7126fc13..52ebbff16a 100644 --- a/ansible/roles/barbican/tasks/config.yml +++ b/ansible/roles/barbican/tasks/config.yml @@ -50,7 +50,6 @@ service_uwsgi_config_workers: "{{ barbican_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - barbican_wsgi_provider == "uwsgi" - name: Copying over config.json files for services ansible.builtin.template: diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml index 50d764c622..37f7f7aab5 100644 --- a/ansible/roles/cinder/defaults/main.yml +++ b/ansible/roles/cinder/defaults/main.yml @@ -388,11 +388,6 @@ cinder_enable_tls_backend: "{{ kolla_enable_tls_backend }}" cinder_cluster_name: "" cinder_cluster_skip_precheck: false -############ -# WSGI -############ -cinder_wsgi_provider: "uwsgi" - # Database cinder_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}" diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml index d97cd080f4..e2022fdc0f 100644 --- a/ansible/roles/cinder/tasks/config.yml +++ b/ansible/roles/cinder/tasks/config.yml @@ -54,22 +54,6 @@ become: true with_dict: "{{ cinder_services | select_services_enabled_and_mapped_to_host }}" -- name: Copying over cinder-wsgi.conf - vars: - service: "{{ cinder_services['cinder-api'] }}" - become: true - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ node_config_directory }}/cinder-api/cinder-wsgi.conf" - mode: "0660" - with_first_found: - - "{{ node_custom_config }}/cinder/{{ inventory_hostname }}/cinder-wsgi.conf" - - "{{ node_custom_config }}/cinder/cinder-wsgi.conf" - - "cinder-wsgi.conf.j2" - when: - - service | service_enabled_and_mapped_to_host - - cinder_wsgi_provider == "apache" - - name: "Configure uWSGI for Cinder" ansible.builtin.include_role: name: service-uwsgi-config @@ -87,7 +71,6 @@ service_uwsgi_config_workers: "{{ cinder_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - cinder_wsgi_provider == "uwsgi" - name: Copying over cinder.conf vars: diff --git a/ansible/roles/cinder/templates/cinder-api.json.j2 b/ansible/roles/cinder/templates/cinder-api.json.j2 index 1a332f1732..161597c6d4 100644 --- a/ansible/roles/cinder/templates/cinder-api.json.j2 +++ b/ansible/roles/cinder/templates/cinder-api.json.j2 @@ -1,27 +1,18 @@ -{% set cinder_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set cinder_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = '/usr/sbin/' + apache_binary + ' -DFOREGROUND' if cinder_wsgi_provider == 'apache' else 'uwsgi /etc/cinder/cinder-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/cinder/cinder-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/cinder.conf", "dest": "/etc/cinder/cinder.conf", "owner": "cinder", "perm": "0600" - }{% if cinder_wsgi_provider == 'apache' %}, - { - "source": "{{ container_config_directory }}/cinder-wsgi.conf", - "dest": "/etc/{{ cinder_dir }}/cinder-wsgi.conf", - "owner": "cinder", - "perm": "0600" - }{% elif cinder_wsgi_provider == 'uwsgi' %}, + }, { "source": "{{ container_config_directory }}/cinder-api-uwsgi.ini", "dest": "/etc/cinder/cinder-api-uwsgi.ini", "owner": "cinder", "perm": "0600" - }{% endif %}{% if cinder_policy_file is defined %}, + }{% if cinder_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ cinder_policy_file }}", "dest": "/etc/cinder/{{ cinder_policy_file }}", diff --git a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 deleted file mode 100644 index d0f090bb0b..0000000000 --- a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 +++ /dev/null @@ -1,35 +0,0 @@ -{% if cinder_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cinder_api_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -{% if cinder_logging_debug | bool %} -LogLevel info -{% endif %} - - - WSGIDaemonProcess cinder-api processes={{ cinder_api_workers }} threads=1 user=cinder group=cinder display-name=cinder-api - WSGIProcessGroup cinder-api - WSGIScriptAlias / /var/www/cgi-bin/cinder/cinder-wsgi - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog /var/log/kolla/cinder/cinder-api-error.log - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog /var/log/kolla/cinder/cinder-api-access.log logformat -{% if cinder_enable_tls_backend | bool %} - SSLEngine On - SSLCertificateFile /etc/cinder/certs/cinder-cert.pem - SSLCertificateKeyFile /etc/cinder/certs/cinder-key.pem -{% endif %} - diff --git a/ansible/roles/cloudkitty/defaults/main.yml b/ansible/roles/cloudkitty/defaults/main.yml index b1840642ec..0b74f8e278 100644 --- a/ansible/roles/cloudkitty/defaults/main.yml +++ b/ansible/roles/cloudkitty/defaults/main.yml @@ -235,8 +235,3 @@ cloudkitty_database_enable_tls_internal: "{{ database_enable_tls_internal | bool # Copy certificates ################### cloudkitty_copy_certs: "{{ kolla_copy_ca_into_containers | bool or cloudkitty_database_enable_tls_internal | bool }}" - -####### -# WSGI -####### -cloudkitty_wsgi_provider: "uwsgi" diff --git a/ansible/roles/cloudkitty/tasks/config.yml b/ansible/roles/cloudkitty/tasks/config.yml index e5f95f301a..15e994add2 100644 --- a/ansible/roles/cloudkitty/tasks/config.yml +++ b/ansible/roles/cloudkitty/tasks/config.yml @@ -90,19 +90,6 @@ service_uwsgi_config_workers: "{{ cloudkitty_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - cloudkitty_wsgi_provider == "uwsgi" - -- name: Copying over wsgi-cloudkitty.conf - vars: - service: "{{ cloudkitty_services['cloudkitty-api'] }}" - ansible.builtin.template: - src: "wsgi-cloudkitty.conf.j2" - dest: "{{ node_config_directory }}/cloudkitty-api/wsgi-cloudkitty.conf" - mode: "0660" - become: true - when: - - cloudkitty_wsgi_provider == "apache" - - service | service_enabled_and_mapped_to_host - name: Copying over existing policy file ansible.builtin.template: diff --git a/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2 b/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2 index c6fcca90e9..2bf756d20c 100644 --- a/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2 +++ b/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if cloudkitty_wsgi_provider == 'apache' else 'uwsgi /etc/cloudkitty/cloudkitty-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/cloudkitty/cloudkitty-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/cloudkitty.conf", "dest": "/etc/cloudkitty/cloudkitty.conf", "owner": "cloudkitty", "perm": "0600" - }{% if cloudkitty_wsgi_provider == "apache" %}, - { - "source": "{{ container_config_directory }}/wsgi-cloudkitty.conf", - "dest": "/etc/{{ apache_conf_dir }}/wsgi-cloudkitty.conf", - "owner": "cloudkitty", - "perm": "0600" - }{% elif cloudkitty_wsgi_provider == "uwsgi" %}, + }, { "source": "{{ container_config_directory }}/cloudkitty-api-uwsgi.ini", "dest": "/etc/cloudkitty/cloudkitty-api-uwsgi.ini", "owner": "cloudkitty", "perm": "0600" - }{% endif %}{% if cloudkitty_policy_file is defined %}, + }{% if cloudkitty_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ cloudkitty_policy_file }}", "dest": "/etc/cloudkitty/{{ cloudkitty_policy_file }}", diff --git a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2 b/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2 deleted file mode 100644 index 38a3150050..0000000000 --- a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2 +++ /dev/null @@ -1,36 +0,0 @@ -{% set cloudkitty_log_dir = '/var/log/kolla/cloudkitty' %} -{% set binary_path = '/var/lib/kolla/venv/bin' %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cloudkitty_api_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -ErrorLog "{{ cloudkitty_log_dir }}/apache-error.log" - - CustomLog "{{ cloudkitty_log_dir }}/apache-access.log" common - - -{% if cloudkitty_logging_debug | bool %} -LogLevel info -{% endif %} - - - - ErrorLog "{{ cloudkitty_log_dir }}/cloudkitty-api-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ cloudkitty_log_dir }}/cloudkitty-api-access.log" logformat - WSGIApplicationGroup %{GLOBAL} - WSGIDaemonProcess cloudkitty group=cloudkitty processes={{ cloudkitty_api_workers }} threads=1 user=cloudkitty - WSGIProcessGroup cloudkitty - WSGIScriptAlias / "{{ binary_path }}/cloudkitty-api" - - - - Require all granted - - - - diff --git a/ansible/roles/fluentd/tasks/config.yml b/ansible/roles/fluentd/tasks/config.yml index 50e54a7ec2..830ce91484 100644 --- a/ansible/roles/fluentd/tasks/config.yml +++ b/ansible/roles/fluentd/tasks/config.yml @@ -85,8 +85,8 @@ enabled: true - name: "conf/input/03-rabbitmq.conf.j2" enabled: true - - name: "conf/input/04-openstack-wsgi.conf.j2" - enabled: true + - name: "conf/input/04-apache.conf.j2" + enabled: "{{ enable_keystone_federation | bool or enable_ironic | bool or enable_letsencrypt | bool or enable_skyline | bool }}" - name: "conf/input/05-libvirt.conf.j2" enabled: "{{ enable_nova | bool and enable_nova_libvirt_container | bool }}" - name: "conf/input/08-prometheus.conf.j2" @@ -111,9 +111,7 @@ customised_filter_files: "{{ find_custom_fluentd_filters.files | map(attribute='path') | list }}" # Formats fluentd_format_files: "{{ default_format_files | customise_fluentd(customised_format_files) }}" - default_format_files: - - "conf/format/apache_access.conf.j2" - - "conf/format/wsgi_access.conf.j2" + default_format_files: [] customised_format_files: "{{ find_custom_fluentd_formats.files | map(attribute='path') | list }}" # Outputs fluentd_output_files: "{{ default_output_files_enabled | customise_fluentd(customised_output_files) }}" diff --git a/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2 b/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2 index 66a1897a20..d6bb684903 100644 --- a/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2 +++ b/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2 @@ -1,16 +1,6 @@ @type rewrite_tag_filter capitalize_regex_backreference yes - - key programname - pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|octavia-api-access|placement-api-access|trove-api-access)$ - tag apache_access - - - key programname - pattern ^(aodh_wsgi_access|barbican_api_uwsgi_access|zun_api_wsgi_access)$ - tag wsgi_access - key programname pattern ^(nova-api|nova-compute|nova-compute-ironic|nova-conductor|nova-manage|nova-novncproxy|nova-scheduler|nova-placement-api|placement-api|privsep-helper)$ diff --git a/ansible/roles/fluentd/templates/conf/format/apache_access.conf.j2 b/ansible/roles/fluentd/templates/conf/format/apache_access.conf.j2 deleted file mode 100644 index ba12c6695d..0000000000 --- a/ansible/roles/fluentd/templates/conf/format/apache_access.conf.j2 +++ /dev/null @@ -1,12 +0,0 @@ - - @type parser - reserve_data true - key_name Payload - - @type grok - grok_pattern \[%{HTTPDATE:Timestamp}\] "(?:%{WORD:http_method} %{NOTSPACE:http_url}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})" %{NUMBER:http_status} (?:%{NUMBER:http_bytes}|-) (?:%{NUMBER:http_response_time_us}|-) "%{DATA:referrer}" "%{DATA:agent}" - time_key Timestamp - time_format %d/%b/%Y:%H:%M:%S %z - keep_time_key true - - diff --git a/ansible/roles/fluentd/templates/conf/format/wsgi_access.conf.j2 b/ansible/roles/fluentd/templates/conf/format/wsgi_access.conf.j2 deleted file mode 100644 index fae0e52127..0000000000 --- a/ansible/roles/fluentd/templates/conf/format/wsgi_access.conf.j2 +++ /dev/null @@ -1,12 +0,0 @@ - - @type parser - reserve_data true - key_name Payload - - @type grok - grok_pattern %{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:Timestamp}\] "(?:%{WORD:http_method} %{NOTSPACE:http_url}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})" %{NUMBER:http_status} (?:%{NUMBER:http_bytes}|-) (?:%{NUMBER:http_response_time_us}|-) %{QS:referrer} %{QS:agent} - time_key Timestamp - time_format %d/%b/%Y:%H:%M:%S %z - keep_time_key true - - diff --git a/ansible/roles/fluentd/templates/conf/input/04-apache.conf.j2 b/ansible/roles/fluentd/templates/conf/input/04-apache.conf.j2 new file mode 100644 index 0000000000..975e85f93f --- /dev/null +++ b/ansible/roles/fluentd/templates/conf/input/04-apache.conf.j2 @@ -0,0 +1,34 @@ +{% set apache_paths = [] %} +{% if enable_keystone_federation | bool %} +{% set _ = apache_paths.append('/var/log/kolla/keystone/apache-access.log') %} +{% set _ = apache_paths.append('/var/log/kolla/keystone/apache-error.log') %} +{% set _ = apache_paths.append('/var/log/kolla/keystone/keystone-apache-public-access.log') %} +{% set _ = apache_paths.append('/var/log/kolla/keystone/keystone-apache-public-error.log') %} +{% endif %} +{% if enable_ironic | bool %} +{% set _ = apache_paths.append('/var/log/kolla/ironic/ironic-http-access.log') %} +{% set _ = apache_paths.append('/var/log/kolla/ironic/ironic-http-error.log') %} +{% endif %} +{% if enable_letsencrypt | bool %} +{% set _ = apache_paths.append('/var/log/kolla/letsencrypt/letsencrypt-webserver-access.log') %} +{% set _ = apache_paths.append('/var/log/kolla/letsencrypt/letsencrypt-webserver-error.log') %} +{% endif %} +{% if enable_skyline | bool %} +{% set _ = apache_paths.append('/var/log/kolla/skyline/skyline-access.log') %} +{% set _ = apache_paths.append('/var/log/kolla/skyline/skyline-error.log') %} +{% set _ = apache_paths.append('/var/log/kolla/skyline/skyline-nginx-access.log') %} +{% set _ = apache_paths.append('/var/log/kolla/skyline/skyline-nginx-error.log') %} +{% endif %} +{% if apache_paths | length > 0 %} + + @type tail + path {{ apache_paths | join(',') }} + pos_file /var/run/fluentd/kolla-apache.pos + tag kolla.* + enable_watch_timer {{ fluentd_enable_watch_timer }} + + @type regexp + expression /^(?.*)$/ + + +{% endif %} diff --git a/ansible/roles/fluentd/templates/conf/input/04-openstack-wsgi.conf.j2 b/ansible/roles/fluentd/templates/conf/input/04-openstack-wsgi.conf.j2 deleted file mode 100644 index 20d408f123..0000000000 --- a/ansible/roles/fluentd/templates/conf/input/04-openstack-wsgi.conf.j2 +++ /dev/null @@ -1,12 +0,0 @@ -# Note (blallau): to manage Apache and WSGI log files - - @type tail - path /var/log/kolla/*/*-access.log,/var/log/kolla/*/*-error.log,/var/log/kolla/*/*_access.log,/var/log/kolla/*/*_error.log - pos_file /var/run/fluentd/kolla-openstack-wsgi.pos - tag kolla.* - enable_watch_timer {{ fluentd_enable_watch_timer }} - - @type regexp - expression /^(?.*)$/ - - diff --git a/ansible/roles/gnocchi/defaults/main.yml b/ansible/roles/gnocchi/defaults/main.yml index 401f143267..83a29d5979 100644 --- a/ansible/roles/gnocchi/defaults/main.yml +++ b/ansible/roles/gnocchi/defaults/main.yml @@ -203,8 +203,3 @@ gnocchi_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }} # Copy certificates ################### gnocchi_copy_certs: "{{ kolla_copy_ca_into_containers | bool or gnocchi_database_enable_tls_internal | bool }}" - -#################### -# WSGI -#################### -gnocchi_wsgi_provider: "uwsgi" diff --git a/ansible/roles/gnocchi/tasks/config.yml b/ansible/roles/gnocchi/tasks/config.yml index b895d0a0f8..00ee883dd2 100644 --- a/ansible/roles/gnocchi/tasks/config.yml +++ b/ansible/roles/gnocchi/tasks/config.yml @@ -61,20 +61,6 @@ become: true with_dict: "{{ gnocchi_services | select_services_enabled_and_mapped_to_host }}" -- name: Copying over wsgi-gnocchi.conf - vars: - service: "{{ gnocchi_services['gnocchi-api'] }}" - ansible.builtin.template: - src: "wsgi-gnocchi.conf.j2" - dest: "{{ node_config_directory }}/{{ item }}/wsgi-gnocchi.conf" - mode: "0660" - become: true - when: - - gnocchi_wsgi_provider == "apache" - - service | service_enabled_and_mapped_to_host - with_items: - - "gnocchi-api" - - name: "Configure uWSGI for Gnocchi" ansible.builtin.include_role: name: service-uwsgi-config @@ -87,7 +73,6 @@ service_uwsgi_config_uid: "gnocchi" service_uwsgi_config_workers: "{{ gnocchi_api_workers }}" when: - - gnocchi_wsgi_provider == "uwsgi" - service | service_enabled_and_mapped_to_host - name: Copying over existing policy file diff --git a/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 b/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 index 2fc22c6469..0880285efe 100644 --- a/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 +++ b/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set gnocchi_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if gnocchi_wsgi_provider == 'apache' else 'uwsgi /etc/gnocchi/gnocchi-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/gnocchi/gnocchi-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/gnocchi.conf", "dest": "/etc/gnocchi/gnocchi.conf", "owner": "gnocchi", "perm": "0600" - }{% if gnocchi_wsgi_provider == 'apache' %}, - { - "source": "{{ container_config_directory }}/wsgi-gnocchi.conf", - "dest": "/etc/{{ gnocchi_dir }}/wsgi-gnocchi.conf", - "owner": "gnocchi", - "perm": "0600" - }{% elif gnocchi_wsgi_provider == 'uwsgi' %}, + }, { "source": "{{ container_config_directory }}/gnocchi-api-uwsgi.ini", "dest": "/etc/gnocchi/gnocchi-api-uwsgi.ini", "owner": "gnocchi", "perm": "0600" - }{% endif %}{% if gnocchi_policy_file is defined %}, + }{% if gnocchi_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ gnocchi_policy_file }}", "dest": "/etc/gnocchi/{{ gnocchi_policy_file }}", diff --git a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 deleted file mode 100644 index f3309bfef0..0000000000 --- a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 +++ /dev/null @@ -1,34 +0,0 @@ -{% set gnocchi_log_dir = '/var/log/kolla/gnocchi' %} -{% set wsgi_path = '/var/lib/kolla/venv/bin' %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ gnocchi_api_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -ErrorLog "{{ gnocchi_log_dir }}/apache-error.log" - - CustomLog "{{ gnocchi_log_dir }}/apache-access.log" common - - -{% if gnocchi_logging_debug | bool %} -LogLevel info -{% endif %} - - - - ErrorLog "{{ gnocchi_log_dir }}/gnocchi-api-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ gnocchi_log_dir }}/gnocchi-api-access.log" logformat - WSGIApplicationGroup %{GLOBAL} - WSGIDaemonProcess gnocchi group=gnocchi processes={{ gnocchi_api_workers }} threads=1 user=gnocchi - WSGIProcessGroup gnocchi - WSGIScriptAlias / "{{ wsgi_path }}/gnocchi-api" - - - Require all granted - - - diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml index bc22c1a352..ca2992c56c 100644 --- a/ansible/roles/heat/defaults/main.yml +++ b/ansible/roles/heat/defaults/main.yml @@ -276,8 +276,3 @@ heat_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}" # Copy certificates ################### heat_copy_certs: "{{ kolla_copy_ca_into_containers | bool or heat_enable_tls_backend | bool or heat_database_enable_tls_internal | bool }}" - -###### -# WSGI -###### -heat_wsgi_provider: "uwsgi" diff --git a/ansible/roles/heat/tasks/config.yml b/ansible/roles/heat/tasks/config.yml index 3e2c488cb5..d1641dfaaf 100644 --- a/ansible/roles/heat/tasks/config.yml +++ b/ansible/roles/heat/tasks/config.yml @@ -66,18 +66,6 @@ - heat_policy_file is defined with_dict: "{{ heat_services | select_services_enabled_and_mapped_to_host }}" -- name: Copying over heat-api wsgi config - vars: - service: "{{ heat_services['heat-api'] }}" - ansible.builtin.template: - src: "{{ role_path }}/templates/wsgi-heat-api.conf.j2" - dest: "{{ node_config_directory }}/heat-api/wsgi-heat-api.conf" - mode: "0660" - become: true - when: - - service | service_enabled_and_mapped_to_host - - heat_wsgi_provider == "apache" - - name: Configure uWSGI for heat-api ansible.builtin.include_role: name: service-uwsgi-config @@ -95,19 +83,6 @@ service_uwsgi_config_workers: "{{ heat_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - heat_wsgi_provider == "uwsgi" - -- name: Copying over heat-api-cfn wsgi config - vars: - service: "{{ heat_services['heat-api-cfn'] }}" - ansible.builtin.template: - src: "{{ role_path }}/templates/wsgi-heat-api-cfn.conf.j2" - dest: "{{ node_config_directory }}/heat-api-cfn/wsgi-heat-api-cfn.conf" - mode: "0660" - become: true - when: - - service | service_enabled_and_mapped_to_host - - heat_wsgi_provider == "apache" - name: Configure uWSGI for heat-api-cfn ansible.builtin.include_role: @@ -126,4 +101,3 @@ service_uwsgi_config_workers: "{{ heat_api_cfn_workers }}" when: - service | service_enabled_and_mapped_to_host - - heat_wsgi_provider == "uwsgi" diff --git a/ansible/roles/heat/templates/heat-api-cfn.json.j2 b/ansible/roles/heat/templates/heat-api-cfn.json.j2 index 7868e4a1a1..1a308dfd80 100644 --- a/ansible/roles/heat/templates/heat-api-cfn.json.j2 +++ b/ansible/roles/heat/templates/heat-api-cfn.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if heat_wsgi_provider == 'apache' else 'uwsgi /etc/heat/heat-api-cfn-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/heat/heat-api-cfn-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/heat.conf", "dest": "/etc/heat/heat.conf", "owner": "heat", "perm": "0600" - }{% if heat_wsgi_provider == 'apache' %}, - { - "source": "{{ container_config_directory }}/wsgi-heat-api-cfn.conf", - "dest": "/etc/{{ apache_conf_dir }}/wsgi-heat-api-cfn.conf", - "owner": "heat", - "perm": "0600" - }{% elif heat_wsgi_provider == 'uwsgi' %}, + }, { "source": "{{ container_config_directory }}/heat-api-cfn-uwsgi.ini", "dest": "/etc/heat/heat-api-cfn-uwsgi.ini", "owner": "heat", "perm": "0600" - }{% endif %}{% if heat_policy_file is defined %}, + }{% if heat_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ heat_policy_file }}", "dest": "/etc/heat/{{ heat_policy_file }}", diff --git a/ansible/roles/heat/templates/heat-api.json.j2 b/ansible/roles/heat/templates/heat-api.json.j2 index b3afb81820..0792678475 100644 --- a/ansible/roles/heat/templates/heat-api.json.j2 +++ b/ansible/roles/heat/templates/heat-api.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if heat_wsgi_provider == 'apache' else 'uwsgi /etc/heat/heat-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/heat/heat-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/heat.conf", "dest": "/etc/heat/heat.conf", "owner": "heat", "perm": "0600" - }{% if heat_wsgi_provider == 'apache' %}, - { - "source": "{{ container_config_directory }}/wsgi-heat-api.conf", - "dest": "/etc/{{ apache_conf_dir }}/wsgi-heat-api.conf", - "owner": "heat", - "perm": "0600" - }{% elif heat_wsgi_provider == 'uwsgi' %}, + }, { "source": "{{ container_config_directory }}/heat-api-uwsgi.ini", "dest": "/etc/heat/heat-api-uwsgi.ini", "owner": "heat", "perm": "0600" - }{% endif %}{% if heat_policy_file is defined %}, + }{% if heat_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ heat_policy_file }}", "dest": "/etc/heat/{{ heat_policy_file }}", diff --git a/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2 b/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2 deleted file mode 100644 index 1b339959fa..0000000000 --- a/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2 +++ /dev/null @@ -1,46 +0,0 @@ -{% set heat_log_dir = '/var/log/kolla/heat' %} -{% set binary_path = '/var/lib/kolla/venv/bin' %} -{% if heat_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_cfn_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - - - - AllowOverride None - Options None - Require all granted - - - -ErrorLog "{{ heat_log_dir }}/apache-cfn-error.log" - -CustomLog "{{ heat_log_dir }}/apache-cfn-access.log" common - - - - WSGIDaemonProcess heat-api-cfn processes={{ heat_api_cfn_workers }} threads=1 user=heat group=heat display-name=heat-api-cfn - WSGIProcessGroup heat-api-cfn - WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api-cfn - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog "{{ heat_log_dir }}/heat-api-cfn-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ heat_log_dir }}/heat-api-cfn-access.log" logformat -{% if heat_enable_tls_backend | bool %} - SSLEngine On - SSLCertificateFile /etc/heat/certs/heat-cert.pem - SSLCertificateKeyFile /etc/heat/certs/heat-key.pem -{% endif %} - diff --git a/ansible/roles/heat/templates/wsgi-heat-api.conf.j2 b/ansible/roles/heat/templates/wsgi-heat-api.conf.j2 deleted file mode 100644 index 175336f529..0000000000 --- a/ansible/roles/heat/templates/wsgi-heat-api.conf.j2 +++ /dev/null @@ -1,46 +0,0 @@ -{% set heat_log_dir = '/var/log/kolla/heat' %} -{% set binary_path = '/var/lib/kolla/venv/bin' %} -{% if heat_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - - - - AllowOverride None - Options None - Require all granted - - - -ErrorLog "{{ heat_log_dir }}/apache-error.log" - -CustomLog "{{ heat_log_dir }}/apache-access.log" common - - - - WSGIDaemonProcess heat-api processes={{ heat_api_workers }} threads=1 user=heat group=heat display-name=heat-api - WSGIProcessGroup heat-api - WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog "{{ heat_log_dir }}/heat-api-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ heat_log_dir }}/heat-api-access.log" logformat -{% if heat_enable_tls_backend | bool %} - SSLEngine On - SSLCertificateFile /etc/heat/certs/heat-cert.pem - SSLCertificateKeyFile /etc/heat/certs/heat-key.pem -{% endif %} - diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml index 2f69d04a5d..de4f6129a3 100644 --- a/ansible/roles/horizon/defaults/main.yml +++ b/ansible/roles/horizon/defaults/main.yml @@ -171,8 +171,3 @@ horizon_use_keystone_public_url: false # Copy certificates ################### horizon_copy_certs: "{{ kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool }}" - -############ -# WSGI -############ -horizon_wsgi_provider: "uwsgi" diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml index 8065779cf9..08a46f0ec4 100644 --- a/ansible/roles/horizon/tasks/config.yml +++ b/ansible/roles/horizon/tasks/config.yml @@ -48,22 +48,6 @@ mode: "0660" when: service | service_enabled_and_mapped_to_host -- name: Copying over horizon.conf - become: true - vars: - service: "{{ horizon_services['horizon'] }}" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ node_config_directory }}/horizon/horizon.conf" - mode: "0660" - with_first_found: - - "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/horizon.conf" - - "{{ node_custom_config }}/horizon/horizon.conf" - - "horizon.conf.j2" - when: - - service | service_enabled_and_mapped_to_host - - horizon_wsgi_provider == "apache" - - name: "Configure uWSGI for Horizon" ansible.builtin.include_role: name: service-uwsgi-config @@ -80,7 +64,6 @@ service_uwsgi_config_workers: "{{ horizon_wsgi_processes }}" when: - service | service_enabled_and_mapped_to_host - - horizon_wsgi_provider == "uwsgi" - name: Copying over kolla-settings.py become: true diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2 deleted file mode 100644 index 8d78f67a4f..0000000000 --- a/ansible/roles/horizon/templates/horizon.conf.j2 +++ /dev/null @@ -1,91 +0,0 @@ -{% if horizon_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off - - - LogLevel warn - ErrorLogFormat "%{cu}t %M" - ErrorLog /var/log/kolla/horizon/horizon-error.log - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog /var/log/kolla/horizon/horizon-access.log logformat - - WSGIScriptReloading On - WSGIDaemonProcess horizon-http processes={{ horizon_wsgi_processes }} threads={{ horizon_wsgi_threads }} user=horizon group=horizon display-name=horizon - WSGIProcessGroup horizon-http - WSGIScriptAlias / /var/lib/kolla/venv/lib/python3/site-packages/openstack_dashboard/wsgi.py - WSGIPassAuthorization On - WSGIApplicationGroup %{GLOBAL} - - - Require all granted - - - - Require local - - - Alias /static /var/lib/kolla/venv/lib/python3/site-packages/static - - SetHandler None - - -{% if horizon_enable_tls_backend | bool %} - SSLEngine On - SSLCertificateFile /etc/horizon/certs/horizon-cert.pem - SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem -{% endif %} -{% if horizon_httpd_limitrequestbody is defined %} - LimitRequestBody {{ horizon_httpd_limitrequestbody }} -{% endif %} - - - - # Compress HTML, CSS, JavaScript, Json, Text, XML and fonts - AddOutputFilterByType DEFLATE application/javascript - AddOutputFilterByType DEFLATE application/json - AddOutputFilterByType DEFLATE application/rss+xml - AddOutputFilterByType DEFLATE application/vnd.ms-fontobject - AddOutputFilterByType DEFLATE application/x-font - AddOutputFilterByType DEFLATE application/x-font-opentype - AddOutputFilterByType DEFLATE application/x-font-otf - AddOutputFilterByType DEFLATE application/x-font-truetype - AddOutputFilterByType DEFLATE application/x-font-ttf - AddOutputFilterByType DEFLATE application/x-javascript - AddOutputFilterByType DEFLATE application/xhtml+xml - AddOutputFilterByType DEFLATE application/xml - AddOutputFilterByType DEFLATE font/opentype - AddOutputFilterByType DEFLATE font/otf - AddOutputFilterByType DEFLATE font/ttf - AddOutputFilterByType DEFLATE image/svg+xml - AddOutputFilterByType DEFLATE image/x-icon - AddOutputFilterByType DEFLATE text/css - AddOutputFilterByType DEFLATE text/html - AddOutputFilterByType DEFLATE text/javascript - AddOutputFilterByType DEFLATE text/plain - AddOutputFilterByType DEFLATE text/xml - - - - - ExpiresActive on - ExpiresDefault "access plus 1 month" - ExpiresByType application/javascript "access plus 1 year" - ExpiresByType text/css "access plus 1 year" - ExpiresByType image/x-ico "access plus 1 year" - ExpiresByType image/jpg "access plus 1 year" - ExpiresByType image/jpeg "access plus 1 year" - ExpiresByType image/gif "access plus 1 year" - ExpiresByType image/png "access plus 1 year" - Header merge Cache-Control public - Header unset ETag - - diff --git a/ansible/roles/horizon/templates/horizon.json.j2 b/ansible/roles/horizon/templates/horizon.json.j2 index 9b86503dca..f7859194ae 100644 --- a/ansible/roles/horizon/templates/horizon.json.j2 +++ b/ansible/roles/horizon/templates/horizon.json.j2 @@ -1,23 +1,11 @@ -{% set apache_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set apache_file = '000-default.conf' if kolla_base_distro in ['ubuntu', 'debian'] else 'horizon.conf' %} -{% set uwsgi_cmd = 'uwsgi /etc/horizon/horizon-uwsgi.ini' %} -{% set command = uwsgi_cmd if horizon_wsgi_provider == 'uwsgi' else ('/usr/sbin/' + apache_cmd + ' -DFOREGROUND') %} { - "command": "{{ command }}", + "command": "uwsgi /etc/horizon/horizon-uwsgi.ini", "config_files": [ { -{% if horizon_wsgi_provider == 'apache' %} - "source": "{{ container_config_directory }}/horizon.conf", - "dest": "/etc/{{ apache_dir }}/{{ apache_file }}", - "owner": "horizon", - "perm": "0600" -{% elif horizon_wsgi_provider == 'uwsgi' %} "source": "{{ container_config_directory }}/horizon-uwsgi.ini", "dest": "/etc/horizon/horizon-uwsgi.ini", "owner": "horizon", "perm": "0600" -{% endif %} }, {% for path in custom_policy %} { diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml index 10b5a6d4f4..12ee3a1850 100644 --- a/ansible/roles/ironic/defaults/main.yml +++ b/ansible/roles/ironic/defaults/main.yml @@ -359,11 +359,6 @@ ironic_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}" ################### ironic_copy_certs: "{{ kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool or ironic_database_enable_tls_internal | bool }}" -############ -# WSGI -############ -ironic_wsgi_provider: "uwsgi" - ############ # NTP ############ diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml index cc1073081f..bfe7c600e4 100644 --- a/ansible/roles/ironic/tasks/config.yml +++ b/ansible/roles/ironic/tasks/config.yml @@ -153,22 +153,6 @@ - "ironic-http-httpd.conf.j2" when: service | service_enabled_and_mapped_to_host -- name: Copying over ironic-prometheus-exporter-wsgi.conf - vars: - service: "{{ ironic_services['ironic-prometheus-exporter'] }}" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ node_config_directory }}/ironic-prometheus-exporter/ironic-prometheus-exporter-wsgi.conf" - mode: "0660" - become: true - with_first_found: - - "{{ node_config_directory }}/ironic/{{ inventory_hostname }}/ironic-prometheus-exporter-wsgi.conf" - - "{{ node_config_directory }}/ironic/ironic-prometheus-exporter-wsgi.conf" - - "ironic-prometheus-exporter-wsgi.conf.j2" - when: - - service | service_enabled_and_mapped_to_host - - ironic_wsgi_provider == "apache" - - name: Copying over existing Ironic policy file vars: services_require_policy_json: @@ -184,18 +168,6 @@ - item.key in services_require_policy_json with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}" -- name: Copying over ironic-api-wsgi.conf - vars: - service: "{{ ironic_services['ironic-api'] }}" - ansible.builtin.template: - src: "ironic-api-wsgi.conf.j2" - dest: "{{ node_config_directory }}/ironic-api/ironic-api-wsgi.conf" - mode: "0660" - become: true - when: - - service | service_enabled_and_mapped_to_host - - ironic_wsgi_provider == "apache" - - name: "Configure uWSGI for ironic-api" ansible.builtin.include_role: name: service-uwsgi-config @@ -213,7 +185,6 @@ service_uwsgi_config_workers: "{{ item.workers }}" when: - service | service_enabled_and_mapped_to_host - - ironic_wsgi_provider == "uwsgi" loop: - { name: "ironic-api", port: "{{ ironic_api_listen_port }}", workers: "{{ ironic_api_workers }}" } - { name: "ironic-prometheus-exporter", port: "{{ ironic_prometheus_exporter_port }}", workers: "{{ ironic_prometheus_exporter_workers }}" } diff --git a/ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2 b/ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2 deleted file mode 100644 index 03fce1104f..0000000000 --- a/ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2 +++ /dev/null @@ -1,49 +0,0 @@ -{% set ironic_log_dir = '/var/log/kolla/ironic' %} -{% set wsgi_directory = '/var/lib/kolla/venv/bin' %} -{% if ironic_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ ironic_api_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - - - - Options None - Require all granted - - - -ErrorLog "{{ ironic_log_dir }}/apache-error.log" - -CustomLog "{{ ironic_log_dir }}/apache-access.log" common - - -{% if ironic_logging_debug | bool %} -LogLevel info -{% endif %} - - - WSGIDaemonProcess ironic-api processes={{ ironic_api_workers }} threads=1 user=ironic group=ironic display-name=ironic-api - WSGIProcessGroup ironic-api - WSGIScriptAlias / {{ wsgi_directory }}/ironic-api-wsgi - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog "{{ ironic_log_dir }}/ironic-api-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ ironic_log_dir }}/ironic-api-access.log" logformat -{% if ironic_enable_tls_backend | bool %} - SSLEngine on - SSLCertificateFile /etc/ironic/certs/ironic-cert.pem - SSLCertificateKeyFile /etc/ironic/certs/ironic-key.pem -{% endif %} - diff --git a/ansible/roles/ironic/templates/ironic-api.json.j2 b/ansible/roles/ironic/templates/ironic-api.json.j2 index 7765e421f5..d9c5d5f8b5 100644 --- a/ansible/roles/ironic/templates/ironic-api.json.j2 +++ b/ansible/roles/ironic/templates/ironic-api.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if ironic_wsgi_provider == 'apache' else 'uwsgi /etc/ironic/ironic-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/ironic/ironic-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/ironic.conf", "dest": "/etc/ironic/ironic.conf", "owner": "ironic", "perm": "0600" - }{% if ironic_wsgi_provider == "apache" %}, - { - "source": "{{ container_config_directory }}/ironic-api-wsgi.conf", - "dest": "/etc/{{ apache_conf_dir }}/ironic-api-wsgi.conf", - "owner": "ironic", - "perm": "0600" - }{% elif ironic_wsgi_provider == "uwsgi" %}, + }, { "source": "{{ container_config_directory }}/ironic-api-uwsgi.ini", "dest": "/etc/ironic/ironic-api-uwsgi.ini", "owner": "ironic", "perm": "0600" - }{% endif %}{% if ironic_policy_file is defined %}, + }{% if ironic_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ ironic_policy_file }}", "dest": "/etc/ironic/{{ ironic_policy_file }}", diff --git a/ansible/roles/ironic/templates/ironic-prometheus-exporter-wsgi.conf.j2 b/ansible/roles/ironic/templates/ironic-prometheus-exporter-wsgi.conf.j2 deleted file mode 100644 index 319bf2f888..0000000000 --- a/ansible/roles/ironic/templates/ironic-prometheus-exporter-wsgi.conf.j2 +++ /dev/null @@ -1,37 +0,0 @@ -{% set ironic_log_dir = '/var/log/kolla/ironic' %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ ironic_prometheus_exporter_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off - - - - AllowOverride None - Options None - Require all granted - - - -ErrorLog "{{ ironic_log_dir }}/apache-error.log" - - CustomLog "{{ ironic_log_dir }}/apache-access.log" common - - -{% if ironic_logging_debug | bool %} -LogLevel info -{% endif %} - - - ErrorLog "{{ ironic_log_dir }}/ironic-prometheus-exporter-wsgi-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ ironic_log_dir }}/ironic-prometheus-exporter-wsgi-access.log" logformat - - WSGIDaemonProcess ironic-prometheus-exporter processes={{ openstack_service_workers }} threads=1 user=ironic display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python3/site-packages - WSGIProcessGroup ironic-prometheus-exporter - WSGIScriptAlias / /var/lib/kolla/venv/lib/python3/site-packages/ironic_prometheus_exporter/app/wsgi.py - WSGIApplicationGroup %{GLOBAL} - - Require all granted - - diff --git a/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2 b/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2 index 1075b312d3..a4d931effc 100644 --- a/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2 +++ b/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2 @@ -1,27 +1,18 @@ -{% set ironic_prometheus_exporter_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set ironic_prometheus_exporter_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if ironic_wsgi_provider == 'apache' else 'uwsgi /etc/ironic/ironic-prometheus-exporter-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/ironic/ironic-prometheus-exporter-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/ironic.conf", "dest": "/etc/ironic/ironic.conf", "owner": "ironic", "perm": "0600" - }{% if ironic_wsgi_provider == 'apache' %}, - { - "source": "{{ container_config_directory }}/ironic-prometheus-exporter-wsgi.conf", - "dest": "/etc/{{ ironic_prometheus_exporter_dir }}/ironic-prometheus-exporter-wsgi.conf", - "owner": "ironic", - "perm": "0600" - }{% elif ironic_wsgi_provider == 'uwsgi' %}, + }, { "source": "{{ container_config_directory }}/ironic-prometheus-exporter-uwsgi.ini", "dest": "/etc/ironic/ironic-prometheus-exporter-uwsgi.ini", "owner": "ironic", "perm": "0600" - }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + }{% if kolla_copy_ca_into_containers | bool %}, { "source": "{{ container_config_directory }}/ca-certificates", "dest": "/var/lib/kolla/share/ca-certificates", diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml index bb3b352866..bb4efcd9d0 100644 --- a/ansible/roles/keystone/defaults/main.yml +++ b/ansible/roles/keystone/defaults/main.yml @@ -48,7 +48,7 @@ keystone_services: keystone-httpd: container_name: "keystone_httpd" group: "keystone" - enabled: "{{ enable_keystone_federation | bool and keystone_wsgi_provider == 'uwsgi' }}" + enabled: "{{ enable_keystone_federation | bool }}" image: "{{ keystone_httpd_image_full }}" volumes: "{{ keystone_httpd_default_volumes + keystone_httpd_extra_volumes }}" dimensions: "{{ keystone_httpd_dimensions }}" @@ -265,10 +265,7 @@ keystone_remote_id_attribute_oidc: "HTTP_OIDC_ISS" keystone_container_federation_oidc_metadata_folder: "{{ '/etc/apache2/metadata' if kolla_base_distro in ['debian', 'ubuntu'] else '/etc/httpd/metadata' }}" keystone_container_federation_oidc_idp_certificate_folder: "{{ '/etc/apache2/cert' if kolla_base_distro in ['debian', 'ubuntu'] else '/etc/httpd/cert' }}" keystone_container_federation_oidc_attribute_mappings_folder: "{{ container_config_directory }}/federation/oidc/attribute_maps" -keystone_host_federation_base_folder: >- - {{ node_config_directory }}/{{ - 'keystone-httpd' if keystone_wsgi_provider == 'uwsgi' else 'keystone' - }}/federation +keystone_host_federation_base_folder: "{{ node_config_directory }}/keystone-httpd/federation" keystone_host_federation_oidc_metadata_folder: "{{ keystone_host_federation_base_folder }}/oidc/metadata" keystone_host_federation_oidc_idp_certificate_folder: "{{ keystone_host_federation_base_folder }}/oidc/cert" keystone_host_federation_oidc_attribute_mappings_folder: "{{ keystone_host_federation_base_folder }}/oidc/attribute_maps" @@ -322,5 +319,4 @@ keystone_copy_certs: "{{ kolla_copy_ca_into_containers | bool or keystone_enable ############ # WSGI ############ -keystone_wsgi_provider: "uwsgi" keystone_wsgi_socket_port: "5001" diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml index 2170135ddb..92c306d975 100644 --- a/ansible/roles/keystone/tasks/config.yml +++ b/ansible/roles/keystone/tasks/config.yml @@ -126,22 +126,6 @@ when: - keystone_enable_federation_openid | bool -- name: Copying over wsgi-keystone.conf - vars: - service: "{{ keystone_services['keystone'] }}" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ node_config_directory }}/keystone/wsgi-keystone.conf" - mode: "0660" - become: true - when: - - service | service_enabled_and_mapped_to_host - - keystone_wsgi_provider == "apache" - with_first_found: - - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/wsgi-keystone.conf" - - "{{ node_custom_config }}/keystone/wsgi-keystone.conf" - - "wsgi-keystone.conf.j2" - - name: "Configure uWSGI for Keystone" ansible.builtin.include_role: name: service-uwsgi-config @@ -163,7 +147,6 @@ service_uwsgi_config_workers: "{{ keystone_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - keystone_wsgi_provider == "uwsgi" - name: Copying over httpd-keystone.conf vars: @@ -175,7 +158,6 @@ become: true when: - service | service_enabled_and_mapped_to_host - - keystone_wsgi_provider == "uwsgi" with_first_found: - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/httpd-keystone.conf" - "{{ node_custom_config }}/keystone/httpd-keystone.conf" diff --git a/ansible/roles/keystone/templates/keystone-startup.sh.j2 b/ansible/roles/keystone/templates/keystone-startup.sh.j2 index 224e86f5dd..6ea097ba29 100644 --- a/ansible/roles/keystone/templates/keystone-startup.sh.j2 +++ b/ansible/roles/keystone/templates/keystone-startup.sh.j2 @@ -1,8 +1,4 @@ #!/bin/bash -x -{% set apache_cmd = '/usr/sbin/apache2' if kolla_base_distro in ['ubuntu', 'debian'] else '/usr/sbin/httpd' %} -{% set uwsgi_cmd = 'uwsgi /etc/keystone/keystone-api-uwsgi.ini' %} -{% set keystone_cmd = uwsgi_cmd if keystone_wsgi_provider == 'uwsgi' else (apache_cmd + ' -DFOREGROUND') %} - set -o errexit set -o pipefail @@ -23,4 +19,4 @@ while [ ! -f "${FERNET_KEY_DIR}/0" ]; do fi done -exec {{ keystone_cmd }} $@ +exec uwsgi /etc/keystone/keystone-api-uwsgi.ini diff --git a/ansible/roles/keystone/templates/keystone.json.j2 b/ansible/roles/keystone/templates/keystone.json.j2 index a4cf8b7fa5..4ebfdce8e2 100644 --- a/ansible/roles/keystone/templates/keystone.json.j2 +++ b/ansible/roles/keystone/templates/keystone.json.j2 @@ -1,5 +1,3 @@ -{% set keystone_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set apache_user = 'www-data' if kolla_base_distro in ['ubuntu', 'debian'] else 'apache' %} { "command": "/usr/bin/keystone-startup.sh", "config_files": [ @@ -28,22 +26,16 @@ "owner": "keystone", "perm": "0600", "optional": true - }{% if keystone_policy_file is defined %}, - { - "source": "{{ container_config_directory }}/{{ keystone_policy_file }}", - "dest": "/etc/keystone/{{ keystone_policy_file }}", - "owner": "keystone", - "perm": "0600" - }{% endif %}{% if keystone_wsgi_provider == 'apache' %}, + }, { - "source": "{{ container_config_directory }}/wsgi-keystone.conf", - "dest": "/etc/{{ keystone_dir }}/wsgi-keystone.conf", + "source": "{{ container_config_directory }}/keystone-uwsgi.ini", + "dest": "/etc/keystone/keystone-api-uwsgi.ini", "owner": "keystone", "perm": "0600" - }{% elif keystone_wsgi_provider == 'uwsgi' %}, + }{% if keystone_policy_file is defined %}, { - "source": "{{ container_config_directory }}/keystone-uwsgi.ini", - "dest": "/etc/keystone/keystone-api-uwsgi.ini", + "source": "{{ container_config_directory }}/{{ keystone_policy_file }}", + "dest": "/etc/keystone/{{ keystone_policy_file }}", "owner": "keystone", "perm": "0600" }{% endif %}{% if keystone_enable_tls_backend | bool %}, @@ -58,28 +50,7 @@ "dest": "/etc/keystone/certs/keystone-key.pem", "owner": "keystone", "perm": "0600" - }{% endif %}{% if keystone_enable_federation_openid | bool and keystone_wsgi_provider == 'apache' %}, - { - "source": "{{ container_config_directory }}/federation/oidc/metadata", - "dest": "{{ keystone_container_federation_oidc_metadata_folder }}", - "owner": "{{ apache_user }}:{{ apache_user }}", - "perm": "0600", - "merge": true - }, - { - "source": "{{ container_config_directory }}/federation/oidc/cert", - "dest": "{{ keystone_container_federation_oidc_idp_certificate_folder }}", - "owner": "{{ apache_user }}:{{ apache_user }}", - "perm": "0600", - "merge": true - }, - { - "source": "{{ container_config_directory }}/federation/modoidc-error-page.html", - "dest": "/var/www/html/modoidc-error-page.html", - "owner": "{{ apache_user }}:{{ apache_user }}", - "perm": "0600" - } - {% endif %}{% if kolla_copy_ca_into_containers | bool %}, + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, { "source": "{{ container_config_directory }}/ca-certificates", "dest": "/var/lib/kolla/share/ca-certificates", @@ -95,17 +66,7 @@ { "path": "/var/log/kolla/keystone/keystone.log", "owner": "keystone:keystone" - },{% if keystone_enable_federation_openid | bool and keystone_wsgi_provider == 'apache' %} - { - "path": "{{ keystone_container_federation_oidc_metadata_folder }}", - "owner": "{{ apache_user }}:{{ apache_user }}", - "perm": "0700" }, - { - "path": "{{ keystone_container_federation_oidc_idp_certificate_folder }}", - "owner": "{{ apache_user }}:{{ apache_user }}", - "perm": "0700" - },{% endif %} { "path": "/etc/keystone/fernet-keys", "owner": "keystone:keystone", diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 deleted file mode 100644 index 13f9f56c5c..0000000000 --- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 +++ /dev/null @@ -1,121 +0,0 @@ -{% set keystone_log_dir = '/var/log/kolla/keystone' %} -{% set binary_path = '/var/lib/kolla/venv/bin' %} -{% if keystone_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -ErrorLog "{{ keystone_log_dir }}/apache-error.log" - - CustomLog "{{ keystone_log_dir }}/apache-access.log" common - - -{% if keystone_logging_debug | bool %} -LogLevel info -{% endif %} - - - - AllowOverride None - Options None - Require all granted - - - - - -{# NOTE(darmach): with external tls enabled OIDC redirection fails, as TLS terminated on haproxy keystone is not aware that redirection should use https. -#} -{# With missing ServerName Keystone Apache uses fqdn, with http. Adding ServerName pointing to keystone_public_url corrects this. -#} -{% if kolla_enable_tls_external | bool %} - ServerName {{ keystone_public_url }} -{% endif %} - WSGIDaemonProcess keystone-public processes={{ keystone_api_workers }} threads=1 user=keystone group=keystone display-name=keystone-public - WSGIProcessGroup keystone-public - WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat - -{% if keystone_enable_tls_backend | bool %} - SSLEngine on - SSLCertificateFile /etc/keystone/certs/keystone-cert.pem - SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem -{% endif %} - -{% if keystone_enable_federation_openid | bool %} -{% if keystone_federation_oidc_forwarded_headers | length > 0 %} - OIDCXForwardedHeaders "{{ keystone_federation_oidc_forwarded_headers }}" -{% endif %} - OIDCClaimPrefix "OIDC-" - OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}" - OIDCResponseType "{{ keystone_federation_oidc_response_type }}" - OIDCScope "{{ keystone_federation_oidc_scopes }}" - OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }} -{% if keystone_federation_oidc_jwks_uri | length > 0 %} - OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }} -{% endif %} -{# TODO(mnasiadka): Drop this when introducing Ubuntu 26.04 or when Noble bumps package version #} -{% if kolla_base_distro == "ubuntu" %} - OIDCHTMLErrorTemplate /var/www/html/modoidc-error-page.html -{% endif %} -{% if keystone_federation_openid_certificate_key_ids | length > 0 %} - OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }} -{% endif %} - OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }} - OIDCRedirectURI {{ keystone_public_url }}/redirect_uri -{% if enable_memcached | bool and keystone_oidc_enable_memcached | bool %} - OIDCCacheType memcache - OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}" -{% endif %} -{% for key, value in keystone_federation_oidc_additional_options.items() %} - {{ key }} {{ value }} -{% endfor %} - - - Require valid-user - AuthType openid-connect - - - {# WebSSO authentication endpoint -#} - - Require valid-user - AuthType openid-connect - - -{% for idp in keystone_identity_providers %} -{% if idp.protocol == 'openid' %} - - OIDCDiscoverURL {{ keystone_public_url }}/redirect_uri?iss={{ idp.identifier | urlencode }} - Require valid-user - AuthType openid-connect - -{% endif %} -{% endfor %} - - {# CLI / API authentication endpoint -#} -{% for idp in keystone_identity_providers %} -{% if idp.protocol == 'openid' %} - - Require valid-user - {# Note(jasonanderson): `auth-openidc` is a special auth type that can -#} - {# additionally handle verifying bearer tokens -#} - AuthType auth-openidc - -{% endif %} -{% endfor %} -{% endif %} - - diff --git a/ansible/roles/masakari/defaults/main.yml b/ansible/roles/masakari/defaults/main.yml index 12910a5b92..7c39e60d92 100644 --- a/ansible/roles/masakari/defaults/main.yml +++ b/ansible/roles/masakari/defaults/main.yml @@ -217,8 +217,3 @@ masakari_database_enable_tls_internal: "{{ database_enable_tls_internal | bool } # Copy certificates ################### masakari_copy_certs: "{{ kolla_copy_ca_into_containers | bool or masakari_database_enable_tls_internal | bool }}" - -############ -# WSGI -############ -masakari_wsgi_provider: "uwsgi" diff --git a/ansible/roles/masakari/tasks/config.yml b/ansible/roles/masakari/tasks/config.yml index 350648efb9..26eb3573b0 100644 --- a/ansible/roles/masakari/tasks/config.yml +++ b/ansible/roles/masakari/tasks/config.yml @@ -89,18 +89,6 @@ - masakari-instancemonitor - masakari-hostmonitor -- name: Copying over wsgi-masakari file for services - vars: - service: "{{ masakari_services['masakari-api'] }}" - ansible.builtin.template: - src: "wsgi-masakari.conf.j2" - dest: "{{ node_config_directory }}/masakari-api/wsgi-masakari.conf" - mode: "0660" - become: true - when: - - service | service_enabled_and_mapped_to_host - - masakari_wsgi_provider == "apache" - - name: "Configure uWSGI for Masakari" ansible.builtin.include_role: name: service-uwsgi-config @@ -115,7 +103,6 @@ service_uwsgi_config_workers: "{{ masakari_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - masakari_wsgi_provider == "uwsgi" - name: Copying over masakari-api-paste.ini vars: diff --git a/ansible/roles/masakari/templates/masakari-api.json.j2 b/ansible/roles/masakari/templates/masakari-api.json.j2 index b0b2ca370d..55d1c103d0 100644 --- a/ansible/roles/masakari/templates/masakari-api.json.j2 +++ b/ansible/roles/masakari/templates/masakari-api.json.j2 @@ -1,8 +1,5 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if masakari_wsgi_provider == 'apache' else 'uwsgi /etc/masakari/masakari-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/masakari/masakari-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/masakari.conf", @@ -15,19 +12,13 @@ "dest": "/etc/masakari/api-paste.ini", "owner": "masakari", "perm": "0600" - }{% if masakari_wsgi_provider == 'apache' %}, - { - "source": "{{ container_config_directory }}/wsgi-masakari.conf", - "dest": "/etc/{{ apache_conf_dir }}/wsgi-masakari.conf", - "owner": "root", - "perm": "0600" - }{% elif masakari_wsgi_provider == 'uwsgi' %}, + }, { "source": "{{ container_config_directory }}/masakari-api-uwsgi.ini", "dest": "/etc/masakari/masakari-api-uwsgi.ini", "owner": "masakari", "perm": "0600" - }{% endif %}{% if masakari_policy_file is defined %}, + }{% if masakari_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ masakari_policy_file }}", "dest": "/etc/masakari/{{ masakari_policy_file }}", diff --git a/ansible/roles/masakari/templates/wsgi-masakari.conf.j2 b/ansible/roles/masakari/templates/wsgi-masakari.conf.j2 deleted file mode 100644 index 1891dcde81..0000000000 --- a/ansible/roles/masakari/templates/wsgi-masakari.conf.j2 +++ /dev/null @@ -1,37 +0,0 @@ -{% set masakari_log_dir = '/var/log/kolla/masakari' %} -{% set binary_path = '/var/lib/kolla/venv/bin' %} - -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ masakari_api_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -ErrorLog "{{ masakari_log_dir }}/apache-error.log" - - CustomLog "{{ masakari_log_dir }}/apache-access.log" common - - -{% if masakari_logging_debug | bool %} -LogLevel info -{% endif %} - - - - Options Indexes FollowSymLinks MultiViews - Require all granted - - - - - ## Logging - ErrorLog "{{ masakari_log_dir }}/masakari_wsgi_error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ masakari_log_dir }}/masakari_wsgi_access.log" logformat - WSGIApplicationGroup %{GLOBAL} - WSGIDaemonProcess masakari group=masakari processes={{ masakari_api_workers }} threads=1 user=masakari - WSGIProcessGroup masakari - WSGIScriptAlias / "{{ binary_path }}/masakari-wsgi" - diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml index faf44558a3..215826cddb 100644 --- a/ansible/roles/nova/defaults/main.yml +++ b/ansible/roles/nova/defaults/main.yml @@ -312,8 +312,3 @@ nova_source_version: "{{ kolla_source_version }}" nova_enable_tls_backend: "{{ kolla_enable_tls_backend }}" nova_copy_certs: "{{ kolla_copy_ca_into_containers | bool or nova_enable_tls_backend | bool or nova_database_enable_tls_internal | bool }}" nova_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}" - -#################### -# WSGI -#################### -nova_wsgi_provider: "uwsgi" diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml index 320563a6bf..b2ce4591f0 100644 --- a/ansible/roles/nova/tasks/config.yml +++ b/ansible/roles/nova/tasks/config.yml @@ -80,30 +80,6 @@ - item.key in nova_services_require_policy_json with_dict: "{{ nova_services | select_services_enabled_and_mapped_to_host }}" -- name: Copying over nova-api-wsgi.conf - vars: - service: "{{ nova_services['nova-api'] }}" - ansible.builtin.template: - src: "nova-api-wsgi.conf.j2" - dest: "{{ node_config_directory }}/nova-api/nova-api-wsgi.conf" - mode: "0660" - become: true - when: - - service | service_enabled_and_mapped_to_host - - nova_wsgi_provider == "apache" - -- name: Copying over nova-metadata-wsgi.conf - vars: - service: "{{ nova_services['nova-metadata'] }}" - ansible.builtin.template: - src: "nova-metadata-wsgi.conf.j2" - dest: "{{ node_config_directory }}/nova-metadata/nova-metadata-wsgi.conf" - mode: "0660" - become: true - when: - - service | service_enabled_and_mapped_to_host - - nova_wsgi_provider == "apache" - - name: Copying over vendordata file for nova services vars: service: "{{ nova_services[item] }}" @@ -136,7 +112,6 @@ service_uwsgi_config_workers: "{{ item.workers }}" when: - service | service_enabled_and_mapped_to_host - - nova_wsgi_provider == "uwsgi" loop: - { name: "nova-api", port: "{{ nova_api_listen_port }}", workers: "{{ nova_api_workers }}" } - { name: "nova-metadata", port: "{{ nova_metadata_listen_port }}", workers: "{{ nova_metadata_api_workers }}" } diff --git a/ansible/roles/nova/templates/nova-api-wsgi.conf.j2 b/ansible/roles/nova/templates/nova-api-wsgi.conf.j2 deleted file mode 100644 index 79f6956fd7..0000000000 --- a/ansible/roles/nova/templates/nova-api-wsgi.conf.j2 +++ /dev/null @@ -1,49 +0,0 @@ -{% set nova_log_dir = '/var/log/kolla/nova' %} -{% set wsgi_directory = '/var/lib/kolla/venv/bin' %} -{% if nova_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_api_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - - - - Options None - Require all granted - - - -ErrorLog "{{ nova_log_dir }}/apache-error.log" - -CustomLog "{{ nova_log_dir }}/apache-access.log" common - - -{% if nova_logging_debug | bool %} -LogLevel info -{% endif %} - - - WSGIDaemonProcess nova-api processes={{ nova_api_workers }} threads=1 user=nova group=nova display-name=nova-api - WSGIProcessGroup nova-api - WSGIScriptAlias / {{ wsgi_directory }}/nova-api-wsgi - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog "{{ nova_log_dir }}/nova-api-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ nova_log_dir }}/nova-api-access.log" logformat -{% if nova_enable_tls_backend | bool %} - SSLEngine on - SSLCertificateFile /etc/nova/certs/nova-cert.pem - SSLCertificateKeyFile /etc/nova/certs/nova-key.pem -{% endif %} - diff --git a/ansible/roles/nova/templates/nova-api.json.j2 b/ansible/roles/nova/templates/nova-api.json.j2 index af6bc96b9d..71947010e4 100644 --- a/ansible/roles/nova/templates/nova-api.json.j2 +++ b/ansible/roles/nova/templates/nova-api.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = '/usr/sbin/' + apache_binary + ' -DFOREGROUND' if nova_wsgi_provider == 'apache' else 'uwsgi /etc/nova/nova-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/nova/nova-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/nova.conf", "dest": "/etc/nova/nova.conf", "owner": "nova", "perm": "0600" - }{% if nova_wsgi_provider == 'apache' %}, - { - "source": "{{ container_config_directory }}/nova-api-wsgi.conf", - "dest": "/etc/{{ apache_conf_dir }}/nova-api-wsgi.conf", - "owner": "nova", - "perm": "0600" - }{% elif nova_wsgi_provider == 'uwsgi' %}, + }, { "source": "{{ container_config_directory }}/nova-api-uwsgi.ini", "dest": "/etc/nova/nova-api-uwsgi.ini", "owner": "nova", "perm": "0600" - }{% endif %}{% if nova_policy_file is defined %}, + }{% if nova_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ nova_policy_file }}", "dest": "/etc/nova/{{ nova_policy_file }}", diff --git a/ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2 b/ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2 deleted file mode 100644 index 471baac843..0000000000 --- a/ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2 +++ /dev/null @@ -1,49 +0,0 @@ -{% set nova_log_dir = '/var/log/kolla/nova' %} -{% set wsgi_directory = '/var/lib/kolla/venv/bin' %} -{% if nova_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - - - - Options None - Require all granted - - - -ErrorLog "{{ nova_log_dir }}/apache-error.log" - -CustomLog "{{ nova_log_dir }}/apache-access.log" common - - -{% if nova_logging_debug | bool %} -LogLevel info -{% endif %} - - - WSGIDaemonProcess nova-metadata processes={{ nova_metadata_api_workers }} threads=1 user=nova group=nova display-name=nova-metadata-api - WSGIProcessGroup nova-metadata - WSGIScriptAlias / {{ wsgi_directory }}/nova-metadata-wsgi - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog "{{ nova_log_dir }}/nova-metadata-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ nova_log_dir }}/nova-metadata-access.log" logformat -{% if nova_enable_tls_backend | bool %} - SSLEngine on - SSLCertificateFile /etc/nova/certs/nova-cert.pem - SSLCertificateKeyFile /etc/nova/certs/nova-key.pem -{% endif %} - diff --git a/ansible/roles/nova/templates/nova-metadata.json.j2 b/ansible/roles/nova/templates/nova-metadata.json.j2 index f33a6f96fa..0bbfa920e1 100644 --- a/ansible/roles/nova/templates/nova-metadata.json.j2 +++ b/ansible/roles/nova/templates/nova-metadata.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = '/usr/sbin/' + apache_binary + ' -DFOREGROUND' if nova_wsgi_provider == 'apache' else 'uwsgi /etc/nova/nova-metadata-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/nova/nova-metadata-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/nova.conf", "dest": "/etc/nova/nova.conf", "owner": "nova", "perm": "0600" - }{% if nova_wsgi_provider == 'apache' %}, - { - "source": "{{ container_config_directory }}/nova-metadata-wsgi.conf", - "dest": "/etc/{{ apache_conf_dir }}/nova-api-wsgi.conf", - "owner": "nova", - "perm": "0600" - }{% elif nova_wsgi_provider == 'uwsgi' %}, + }, { "source": "{{ container_config_directory }}/nova-metadata-uwsgi.ini", "dest": "/etc/nova/nova-metadata-uwsgi.ini", "owner": "nova", "perm": "0600" - }{% endif %}{% if nova_policy_file is defined %}, + }{% if nova_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ nova_policy_file }}", "dest": "/etc/nova/{{ nova_policy_file }}", diff --git a/ansible/roles/octavia/defaults/main.yml b/ansible/roles/octavia/defaults/main.yml index 4e53dac618..1909af8cff 100644 --- a/ansible/roles/octavia/defaults/main.yml +++ b/ansible/roles/octavia/defaults/main.yml @@ -405,8 +405,3 @@ octavia_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }} # Copy certificates ################### octavia_copy_certs: "{{ kolla_copy_ca_into_containers | bool or octavia_enable_tls_backend | bool or octavia_database_enable_tls_internal | bool }}" - -############ -# WSGI -############ -octavia_wsgi_provider: "uwsgi" diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml index aed1f7c4c2..709b4c02e0 100644 --- a/ansible/roles/octavia/tasks/config.yml +++ b/ansible/roles/octavia/tasks/config.yml @@ -55,22 +55,6 @@ become: true with_dict: "{{ octavia_services | select_services_enabled_and_mapped_to_host }}" -- name: Copying over octavia-wsgi.conf - vars: - service: "{{ octavia_services['octavia-api'] }}" - become: true - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ node_config_directory }}/octavia-api/octavia-wsgi.conf" - mode: "0660" - with_first_found: - - "{{ node_custom_config }}/octavia/{{ inventory_hostname }}/octavia-wsgi.conf" - - "{{ node_custom_config }}/octavia/octavia-wsgi.conf" - - "octavia-wsgi.conf.j2" - when: - - service | service_enabled_and_mapped_to_host - - octavia_wsgi_provider == "apache" - - name: "Configure uWSGI for Octavia" ansible.builtin.include_role: name: service-uwsgi-config @@ -88,7 +72,6 @@ service_uwsgi_config_workers: "{{ octavia_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - octavia_wsgi_provider == "uwsgi" - name: Copying over octavia.conf vars: diff --git a/ansible/roles/octavia/templates/octavia-api.json.j2 b/ansible/roles/octavia/templates/octavia-api.json.j2 index f9b3ebfc52..7304e91504 100644 --- a/ansible/roles/octavia/templates/octavia-api.json.j2 +++ b/ansible/roles/octavia/templates/octavia-api.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ( '/usr/sbin/' + apache_binary + ' -DFOREGROUND' ) if octavia_wsgi_provider == 'apache' else 'uwsgi /etc/octavia/octavia-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/octavia/octavia-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/octavia.conf", "dest": "/etc/octavia/octavia.conf", "owner": "octavia", "perm": "0600" - }{% if octavia_wsgi_provider == "apache" %}, - { - "source": "{{ container_config_directory }}/octavia-wsgi.conf", - "dest": "/etc/{{ apache_conf_dir }}/octavia-wsgi.conf", - "owner": "octavia", - "perm": "0600" - }{% elif octavia_wsgi_provider == "uwsgi" %}, + }, { "source": "{{ container_config_directory }}/octavia-api-uwsgi.ini", "dest": "/etc/octavia/octavia-api-uwsgi.ini", "owner": "octavia", "perm": "0600" - }{% endif %}{% if octavia_policy_file is defined %}, + }{% if octavia_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ octavia_policy_file }}", "dest": "/etc/octavia/{{ octavia_policy_file }}", diff --git a/ansible/roles/octavia/templates/octavia-wsgi.conf.j2 b/ansible/roles/octavia/templates/octavia-wsgi.conf.j2 deleted file mode 100644 index d7fa10ac3b..0000000000 --- a/ansible/roles/octavia/templates/octavia-wsgi.conf.j2 +++ /dev/null @@ -1,41 +0,0 @@ -{% set wsgi_directory = '/var/lib/kolla/venv/bin' %} -{% if octavia_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ octavia_api_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -{% if octavia_logging_debug | bool %} -LogLevel info -{% endif %} - - - WSGIDaemonProcess octavia-api processes={{ octavia_api_workers }} threads=1 user=octavia group=octavia display-name=octavia-api - WSGIProcessGroup octavia-api - WSGIScriptAlias / {{ wsgi_directory }}/octavia-wsgi - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog /var/log/kolla/octavia/octavia-api-error.log - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog /var/log/kolla/octavia/octavia-api-access.log logformat - - - Require all granted - - -{% if octavia_enable_tls_backend | bool %} - SSLEngine On - SSLCertificateFile /etc/octavia/certs/octavia-cert.pem - SSLCertificateKeyFile /etc/octavia/certs/octavia-key.pem -{% endif %} - diff --git a/ansible/roles/placement/defaults/main.yml b/ansible/roles/placement/defaults/main.yml index f70c496b9a..e40aa86a42 100644 --- a/ansible/roles/placement/defaults/main.yml +++ b/ansible/roles/placement/defaults/main.yml @@ -162,8 +162,3 @@ placement_database_enable_tls_internal: "{{ database_enable_tls_internal | bool # Copy certificates ################### placement_copy_certs: "{{ kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool or placement_database_enable_tls_internal | bool }}" - -#################### -# WSGI -#################### -placement_wsgi_provider: "uwsgi" diff --git a/ansible/roles/placement/tasks/config.yml b/ansible/roles/placement/tasks/config.yml index 4e7252ab8b..da9ae4136f 100644 --- a/ansible/roles/placement/tasks/config.yml +++ b/ansible/roles/placement/tasks/config.yml @@ -56,24 +56,6 @@ mode: "0660" with_dict: "{{ placement_services | select_services_enabled_and_mapped_to_host }}" -- name: Copying over placement-api wsgi configuration - become: true - vars: - service: "{{ placement_services['placement-api'] }}" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ node_config_directory }}/placement-api/placement-api-wsgi.conf" - mode: "0660" - when: - - service | service_enabled_and_mapped_to_host - - placement_wsgi_provider == "apache" - with_first_found: - - "{{ node_custom_config }}/placement/{{ inventory_hostname }}/placement-api-wsgi.conf" - - "{{ node_custom_config }}/placement/placement-api-wsgi.conf" - - "placement-api-wsgi.conf.j2" - notify: - - "Restart placement-api container" - - name: "Configure uWSGI for Placement" ansible.builtin.include_role: name: service-uwsgi-config @@ -90,7 +72,6 @@ service_uwsgi_config_workers: "{{ placement_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - placement_wsgi_provider == "uwsgi" - name: Copying over migrate-db.rc.j2 configuration become: true diff --git a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 deleted file mode 100644 index 19925bae5e..0000000000 --- a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 +++ /dev/null @@ -1,42 +0,0 @@ -{% set log_dir = '/var/log/kolla/placement' %} -{% set wsgi_directory = '/var/lib/kolla/venv/bin' %} -{% if placement_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos', 'rocky'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -{% if placement_logging_debug | bool %} -LogLevel info -{% endif %} - - - WSGIDaemonProcess placement-api processes={{ placement_api_workers }} threads=1 user=placement group=placement display-name=placement-api - WSGIProcessGroup placement-api - WSGIScriptAlias / {{ wsgi_directory }}/placement-api - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog "{{ log_dir }}/placement-api-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ log_dir }}/placement-api-access.log" logformat - - - Require all granted - - -{% if placement_enable_tls_backend | bool %} - SSLEngine on - SSLCertificateFile /etc/placement/certs/placement-cert.pem - SSLCertificateKeyFile /etc/placement/certs/placement-key.pem -{% endif %} - diff --git a/ansible/roles/placement/templates/placement-api.json.j2 b/ansible/roles/placement/templates/placement-api.json.j2 index 29409eac37..9333e1459f 100644 --- a/ansible/roles/placement/templates/placement-api.json.j2 +++ b/ansible/roles/placement/templates/placement-api.json.j2 @@ -1,30 +1,21 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = '/usr/sbin/' + apache_binary + ' -DFOREGROUND' if placement_wsgi_provider == 'apache' else 'uwsgi /etc/placement/placement-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/placement/placement-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/placement.conf", "dest": "/etc/placement/placement.conf", "owner": "placement", "perm": "0600" - }{% if placement_policy_file is defined %}, - { - "source": "{{ container_config_directory }}/{{ placement_policy_file }}", - "dest": "/etc/placement/{{ placement_policy_file }}", - "owner": "placement", - "perm": "0600" - }{% endif %}{% if placement_wsgi_provider == 'apache' %}, + }, { - "source": "{{ container_config_directory }}/placement-api-wsgi.conf", - "dest": "/etc/{{ apache_conf_dir }}/00-placement-api.conf", + "source": "{{ container_config_directory }}/placement-api-uwsgi.ini", + "dest": "/etc/placement/placement-api-uwsgi.ini", "owner": "placement", "perm": "0600" - }{% elif placement_wsgi_provider == 'uwsgi' %}, + }{% if placement_policy_file is defined %}, { - "source": "{{ container_config_directory }}/placement-api-uwsgi.ini", - "dest": "/etc/placement/placement-api-uwsgi.ini", + "source": "{{ container_config_directory }}/{{ placement_policy_file }}", + "dest": "/etc/placement/{{ placement_policy_file }}", "owner": "placement", "perm": "0600" }{% endif %}, diff --git a/ansible/roles/trove/defaults/main.yml b/ansible/roles/trove/defaults/main.yml index 8dd251d4e6..5b481fad6d 100644 --- a/ansible/roles/trove/defaults/main.yml +++ b/ansible/roles/trove/defaults/main.yml @@ -230,8 +230,3 @@ trove_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}" # Copy certificates ################### trove_copy_certs: "{{ kolla_copy_ca_into_containers | bool or trove_enable_tls_backend | bool or trove_database_enable_tls_internal | bool }}" - -####### -# WSGI -####### -trove_wsgi_provider: "uwsgi" diff --git a/ansible/roles/trove/tasks/config.yml b/ansible/roles/trove/tasks/config.yml index bd964c108e..0952c6c94d 100644 --- a/ansible/roles/trove/tasks/config.yml +++ b/ansible/roles/trove/tasks/config.yml @@ -55,23 +55,6 @@ service_uwsgi_config_workers: "{{ trove_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - trove_wsgi_provider == "uwsgi" - -- name: Copying over trove-wsgi.conf - vars: - service: "{{ trove_services['trove-api'] }}" - become: true - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ node_config_directory }}/trove-api/trove-wsgi.conf" - mode: "0660" - with_first_found: - - "{{ node_custom_config }}/trove/{{ inventory_hostname }}/trove-wsgi.conf" - - "{{ node_custom_config }}/trove/trove-wsgi.conf" - - "trove-wsgi.conf.j2" - when: - - trove_wsgi_provider == "apache" - - service | service_enabled_and_mapped_to_host - name: Copying over trove-guestagent.conf vars: diff --git a/ansible/roles/trove/templates/trove-api.json.j2 b/ansible/roles/trove/templates/trove-api.json.j2 index f487e3127e..a44c927de6 100644 --- a/ansible/roles/trove/templates/trove-api.json.j2 +++ b/ansible/roles/trove/templates/trove-api.json.j2 @@ -1,27 +1,18 @@ -{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if trove_wsgi_provider == 'apache' else 'uwsgi /etc/trove/trove-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/trove/trove-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/trove.conf", "dest": "/etc/trove/trove.conf", "owner": "trove", "perm": "0600" - }{% if trove_wsgi_provider == "apache" %}, - { - "source": "{{ container_config_directory }}/trove-wsgi.conf", - "dest": "/etc/{{ apache_conf_dir }}/trove-wsgi.conf", - "owner": "trove", - "perm": "0600" - }{% elif trove_wsgi_provider == "uwsgi" %}, + }, { "source": "{{ container_config_directory }}/trove-api-uwsgi.ini", "dest": "/etc/trove/trove-api-uwsgi.ini", "owner": "trove", "perm": "0600" - }{% endif %}{% if trove_policy_file is defined %}, + }{% if trove_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ trove_policy_file }}", "dest": "/etc/trove/{{ trove_policy_file }}", diff --git a/ansible/roles/trove/templates/trove-wsgi.conf.j2 b/ansible/roles/trove/templates/trove-wsgi.conf.j2 deleted file mode 100644 index f623704bb7..0000000000 --- a/ansible/roles/trove/templates/trove-wsgi.conf.j2 +++ /dev/null @@ -1,41 +0,0 @@ -{% set wsgi_directory = '/var/lib/kolla/venv/bin' %} -{% if trove_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ trove_api_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -{% if trove_logging_debug | bool %} -LogLevel info -{% endif %} - - - WSGIDaemonProcess trove-api processes={{ trove_api_workers }} threads=1 user=trove group=trove display-name=trove-api - WSGIProcessGroup trove-api - WSGIScriptAlias / {{ wsgi_directory }}/trove-wsgi - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - ErrorLogFormat "%{cu}t %M" - ErrorLog /var/log/kolla/trove/trove-api-error.log - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog /var/log/kolla/trove/trove-api-access.log logformat - - - Require all granted - - -{% if trove_enable_tls_backend | bool %} - SSLEngine On - SSLCertificateFile /etc/trove/certs/trove-cert.pem - SSLCertificateKeyFile /etc/trove/certs/trove-key.pem -{% endif %} - diff --git a/ansible/roles/zun/defaults/main.yml b/ansible/roles/zun/defaults/main.yml index 01a577f20c..69fce72c29 100644 --- a/ansible/roles/zun/defaults/main.yml +++ b/ansible/roles/zun/defaults/main.yml @@ -263,8 +263,3 @@ zun_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}" # Copy certificates ################### zun_copy_certs: "{{ kolla_copy_ca_into_containers | bool or zun_database_enable_tls_internal | bool }}" - -####### -# WSGI -####### -zun_wsgi_provider: "uwsgi" diff --git a/ansible/roles/zun/tasks/config.yml b/ansible/roles/zun/tasks/config.yml index 60df39a4b6..1f50148125 100644 --- a/ansible/roles/zun/tasks/config.yml +++ b/ansible/roles/zun/tasks/config.yml @@ -76,19 +76,6 @@ service_uwsgi_config_workers: "{{ zun_api_workers }}" when: - service | service_enabled_and_mapped_to_host - - zun_wsgi_provider == "uwsgi" - -- name: Copying over wsgi-zun files for services - vars: - service: "{{ zun_services['zun-api'] }}" - ansible.builtin.template: - src: "wsgi-zun.conf.j2" - dest: "{{ node_config_directory }}/zun-api/wsgi-zun.conf" - mode: "0660" - become: true - when: - - zun_wsgi_provider == "apache" - - service | service_enabled_and_mapped_to_host - name: Copying over existing policy file ansible.builtin.template: diff --git a/ansible/roles/zun/templates/wsgi-zun.conf.j2 b/ansible/roles/zun/templates/wsgi-zun.conf.j2 deleted file mode 100644 index 725b95597f..0000000000 --- a/ansible/roles/zun/templates/wsgi-zun.conf.j2 +++ /dev/null @@ -1,41 +0,0 @@ -{% set zun_log_dir = '/var/log/kolla/zun' %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ zun_api_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -ErrorLog "{{ zun_log_dir }}/apache-error.log" - - CustomLog "{{ zun_log_dir }}/apache-access.log" common - - -{% if zun_logging_debug | bool %} -LogLevel info -{% endif %} - - - - ## Vhost docroot - DocumentRoot "/var/www/cgi-bin/zun" - - ## Directories, there should at least be a declaration for /var/www/cgi-bin/zun - - - Options Indexes FollowSymLinks MultiViews - AllowOverride None - Require all granted - - - ## Logging - ErrorLog "{{ zun_log_dir }}/zun_api_wsgi_error.log" - ServerSignature Off - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ zun_log_dir }}/zun_api_wsgi_access.log" logformat - WSGIApplicationGroup %{GLOBAL} - WSGIDaemonProcess zun group=zun processes={{ zun_api_workers }} threads=1 user=zun - WSGIProcessGroup zun - WSGIScriptAlias / "/var/www/cgi-bin/zun/app.wsgi" - diff --git a/ansible/roles/zun/templates/zun-api.json.j2 b/ansible/roles/zun/templates/zun-api.json.j2 index a1ea4c9736..27198a32b0 100644 --- a/ansible/roles/zun/templates/zun-api.json.j2 +++ b/ansible/roles/zun/templates/zun-api.json.j2 @@ -1,27 +1,18 @@ -{% set zun_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} -{% set zun_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} -{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if zun_wsgi_provider == 'apache' else 'uwsgi /etc/zun/zun-api-uwsgi.ini' %} { - "command": "{{ command }}", + "command": "uwsgi /etc/zun/zun-api-uwsgi.ini", "config_files": [ { "source": "{{ container_config_directory }}/zun.conf", "dest": "/etc/zun/zun.conf", "owner": "zun", "perm": "0600" - }{% if zun_wsgi_provider == "apache" %}, - { - "source": "{{ container_config_directory }}/wsgi-zun.conf", - "dest": "/etc/{{ zun_dir }}/wsgi-zun.conf", - "owner": "zun", - "perm": "0600" - }{% elif zun_wsgi_provider == "uwsgi" %}, + }, { "source": "{{ container_config_directory }}/zun-api-uwsgi.ini", "dest": "/etc/zun/zun-api-uwsgi.ini", "owner": "zun", "perm": "0600" - }{% endif %}{% if zun_policy_file is defined %}, + }{% if zun_policy_file is defined %}, { "source": "{{ container_config_directory }}/{{ zun_policy_file }}", "dest": "/etc/zun/{{ zun_policy_file }}", diff --git a/tests/check-logs.sh b/tests/check-logs.sh index 650f2d7b25..2bc3ccee13 100755 --- a/tests/check-logs.sh +++ b/tests/check-logs.sh @@ -58,6 +58,10 @@ function check_fluentd_missing_logs { /var/log/kolla/haproxy/*) continue ;; + # TODO(mnasiadka): Remove me after G/2026.1 release + /var/log/kolla/keystone/*apache*) + continue + ;; /var/log/kolla/ironic/dnsmasq.log) continue ;; From 0f4c8544d8b822bd0d97da75b47b1244d147bef3 Mon Sep 17 00:00:00 2001 From: Doug Szumski Date: Mon, 26 Jan 2026 11:25:34 +0000 Subject: [PATCH 12/12] Support multiple Nova Compute Ironic instances Adds support for deploying multiple instances of the Nova Compute Ironic service on the same host. This is useful in large baremetal deployments, where the sharding and/or conductor group feature is used to scale out the service. A further patch to support deploying multiple Ironic conductor instances will follow. Co-Authored-By: Bartosz Bezak Co-Authored-By: Bertrand Lanson Change-Id: Ibbddfd87e831a3775c3ed66c80b18e5070cedc90 Signed-off-by: Doug Szumski --- ansible/roles/nova-cell/defaults/main.yml | 15 ++- ansible/roles/nova-cell/handlers/main.yml | 7 +- ansible/roles/nova-cell/tasks/cleanup.yml | 26 +++++ .../nova-cell/tasks/config-compute-ironic.yml | 67 +++++++++++ ansible/roles/nova-cell/tasks/config.yml | 16 +++ ansible/roles/nova-cell/tasks/deploy.yml | 4 + ansible/roles/nova-cell/tasks/precheck.yml | 14 +++ ansible/roles/nova-cell/tasks/reload.yml | 24 ++++ .../tasks/wait_discover_computes.yml | 23 ++-- .../roles/nova-cell/templates/nova.conf.j2 | 35 +++++- .../service-cert-copy/tasks/iterated.yml | 10 ++ .../roles/service-cert-copy/tasks/main.yml | 13 +++ .../tasks/iterated.yml | 6 + .../roles/service-precheck/tasks/iterated.yml | 13 +++ ansible/roles/service-precheck/tasks/main.yml | 12 ++ ansible/roles/service-stop/tasks/iterated.yml | 1 + doc/source/admin/advanced-configuration.rst | 107 ++++++++++++++++++ kolla_ansible/nova_filters.py | 51 +++++++++ kolla_ansible/tests/unit/test_nova_filters.py | 86 ++++++++++++++ ...mpute-ironic-support-1bf5c64f8a530cc9.yaml | 10 ++ roles/openstack-clients/defaults/main.yml | 2 +- tests/run.yml | 11 +- tests/templates/globals-default.j2 | 16 +++ tests/templates/inventory.j2 | 19 +++- tests/templates/ironic-overrides.j2 | 10 ++ zuul.d/project.yaml | 1 + zuul.d/scenarios/multi-compute-ironic.yaml | 47 ++++++++ 27 files changed, 627 insertions(+), 19 deletions(-) create mode 100644 ansible/roles/nova-cell/tasks/cleanup.yml create mode 100644 ansible/roles/nova-cell/tasks/config-compute-ironic.yml create mode 100644 ansible/roles/service-cert-copy/tasks/iterated.yml create mode 100644 ansible/roles/service-precheck/tasks/iterated.yml create mode 100644 releasenotes/notes/add-nova-multi-compute-ironic-support-1bf5c64f8a530cc9.yaml create mode 100644 zuul.d/scenarios/multi-compute-ironic.yaml diff --git a/ansible/roles/nova-cell/defaults/main.yml b/ansible/roles/nova-cell/defaults/main.yml index 6979408e93..790190fb08 100644 --- a/ansible/roles/nova-cell/defaults/main.yml +++ b/ansible/roles/nova-cell/defaults/main.yml @@ -72,6 +72,8 @@ nova_cell_services: volumes: "{{ nova_compute_ironic_default_volumes + nova_compute_ironic_extra_volumes }}" dimensions: "{{ nova_compute_ironic_dimensions }}" healthcheck: "{{ nova_compute_ironic_healthcheck }}" + iterate: "{{ nova_multi_compute_ironic_config | length > 0 }}" + iterate_var: "{{ nova_multi_compute_ironic_config | length }}" #################### # Config Validate @@ -501,7 +503,7 @@ nova_compute_default_volumes: - "{% if enable_shared_var_lib_nova_mnt | bool %}/var/lib/nova/mnt:/var/lib/nova/mnt:shared{% endif %}" - "{{ kolla_dev_repos_directory ~ '/nova:/dev-mode/nova' if nova_dev_mode | bool else '' }}" nova_compute_ironic_default_volumes: - - "{{ node_config_directory }}/nova-compute-ironic/:{{ container_config_directory }}/:ro" + - "{{ node_config_directory }}/nova-compute-ironic{{ '-' ~ item if item|default(0)|int > 0 else '' }}/:{{ container_config_directory }}/:ro" - "/etc/localtime:/etc/localtime:ro" - "kolla_logs:/var/log/kolla/" - "{{ '/dev/shm:/dev/shm' }}" @@ -675,6 +677,17 @@ nova_libvirt_cleanup_remove_volumes: false # Database nova_cell_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}" +############################## +# Nova Compute Ironic scaling +############################## + +# The following option can be used to deploy multiple instances of Nova +# Compute Ironic per host. This is useful for deployments with a large +# number of baremetal nodes (>200). Please see the advanced documentation +# section for further details. + +nova_multi_compute_ironic_config: [] + ################### # Copy certificates ################### diff --git a/ansible/roles/nova-cell/handlers/main.yml b/ansible/roles/nova-cell/handlers/main.yml index a67a1231f5..c6ac28da9a 100644 --- a/ansible/roles/nova-cell/handlers/main.yml +++ b/ansible/roles/nova-cell/handlers/main.yml @@ -162,16 +162,21 @@ vars: service_name: "nova-compute-ironic" service: "{{ nova_cell_services[service_name] }}" + item: "{{ changed_container.item }}" + container_name_postfix: "{{ '' if changed_container == 'legacy' else '_' ~ item }}" become: true kolla_container: action: "recreate_or_restart_container" common_options: "{{ docker_common_options }}" - name: "{{ service.container_name }}" + name: "{{ service.container_name + container_name_postfix }}" image: "{{ service.image }}" privileged: "{{ service.privileged | default(False) }}" volumes: "{{ service.volumes | reject('equalto', '') | list }}" dimensions: "{{ service.dimensions }}" healthcheck: "{{ service.healthcheck | default(omit) }}" + loop_control: + loop_var: changed_container + loop: "{{ nova_compute_ironic_changed_containers | default(['legacy']) }}" # nova-compute-fake is special. It will start multi numbers of container # so put all variables here rather than defaults/main.yml file diff --git a/ansible/roles/nova-cell/tasks/cleanup.yml b/ansible/roles/nova-cell/tasks/cleanup.yml new file mode 100644 index 0000000000..0f0952823e --- /dev/null +++ b/ansible/roles/nova-cell/tasks/cleanup.yml @@ -0,0 +1,26 @@ +--- +- name: Stop and remove containers for unmanaged services + become: true + vars: + service_name: "nova-compute-ironic" + service: "{{ nova_cell_services[service_name] }}" + kolla_container: + action: "stop_and_remove_container" + name: "{{ service.container_name ~ '_' ~ item }}" + loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}" + when: + - service.iterate | bool + - inventory_hostname not in groups[nova_cell_compute_ironic_group ~ '-' ~ item] + +- name: Removing config for unmanaged services + vars: + service_name: "nova-compute-ironic" + service: "{{ nova_cell_services[service_name] }}" + ansible.builtin.file: + path: "{{ node_config_directory }}/{{ service_name ~ '-' ~ item }}" + state: "absent" + become: true + loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}" + when: + - service.iterate | bool + - inventory_hostname not in groups[nova_cell_compute_ironic_group ~ '-' ~ item] diff --git a/ansible/roles/nova-cell/tasks/config-compute-ironic.yml b/ansible/roles/nova-cell/tasks/config-compute-ironic.yml new file mode 100644 index 0000000000..0f1c05a9f0 --- /dev/null +++ b/ansible/roles/nova-cell/tasks/config-compute-ironic.yml @@ -0,0 +1,67 @@ +--- +- name: "Ensuring config directories exist for Nova Compute Ironic container {{ item }}" + vars: + nova_compute_ironic_id: "{{ item }}" + ansible.builtin.file: + path: "{{ node_config_directory }}/nova-compute-ironic-{{ item }}" + state: "directory" + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true + +- name: "Copying over config.json files for Nova Compute Ironic container {{ item }}" + vars: + nova_compute_ironic_id: "{{ item }}" + ansible.builtin.template: + src: "nova-compute-ironic.json.j2" + dest: "{{ node_config_directory }}/nova-compute-ironic-{{ item }}/config.json" + mode: "0660" + become: true + +- name: "Get Nova Compute Ironic multi-instance configuration for instance {{ item }}" + ansible.builtin.set_fact: + nova_multi_compute_ironic_instance_config: "{{ nova_multi_compute_ironic_config[(item | int) - 1] }}" + +- name: "Generate config files for Nova Compute Ironic {{ item }}" + vars: + service_name: "nova-compute-ironic" + nova_compute_shard_key: "{{ nova_multi_compute_ironic_instance_config['shard_key'] | default('default') }}" + nova_compute_conductor_group: "{{ nova_multi_compute_ironic_instance_config['conductor_group'] | default('default') }}" + nova_compute_ironic_custom_host: "{{ nova_multi_compute_ironic_instance_config['custom_host'] | default('') }}" + nova_compute_ironic_id: "{{ item }}" + merge_configs: + sources: + - "{{ role_path }}/templates/nova.conf.j2" + - "{{ node_custom_config }}/global.conf" + - "{{ node_custom_config }}/nova.conf" + - "{{ node_custom_config }}/nova/{{ service_name }}.conf" + - "{{ node_custom_config }}/nova/{{ service_name }}-{{ item }}.conf" + - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/nova.conf" + - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ service_name }}.conf" + - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ service_name }}-{{ item }}.conf" + dest: "{{ node_config_directory }}/nova-compute-ironic-{{ item }}/nova.conf" + mode: "0660" + become: true + +- name: "Copying over existing policy file for item {{ item }}" + vars: + service_name: "nova-compute-ironic" + ansible.builtin.template: + src: "{{ nova_policy_file_path }}" + dest: "{{ node_config_directory }}/{{ service_name }}-{{ item }}/{{ nova_policy_file }}" + mode: "0660" + become: true + when: + - nova_policy_file is defined + +- name: "Copying over vendordata file for Nova Compute Ironic {{ item }}" + vars: + service_name: "nova-compute-ironic" + ansible.builtin.copy: + src: "{{ vendordata_file_path }}" + dest: "{{ node_config_directory }}/{{ service_name }}-{{ item }}/vendordata.json" + mode: "0660" + become: true + when: + - vendordata_file_path is defined diff --git a/ansible/roles/nova-cell/tasks/config.yml b/ansible/roles/nova-cell/tasks/config.yml index 87104f89e8..7f0cfca22e 100644 --- a/ansible/roles/nova-cell/tasks/config.yml +++ b/ansible/roles/nova-cell/tasks/config.yml @@ -7,6 +7,8 @@ owner: "{{ config_owner_user }}" group: "{{ config_owner_group }}" mode: "0770" + when: + - item.key != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0 with_dict: "{{ nova_cell_services | select_services_enabled_and_mapped_to_host }}" - name: Copying over TLS certificates @@ -58,6 +60,8 @@ src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" mode: "0660" + when: + - item.key != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0 with_dict: "{{ nova_cell_services | select_services_enabled_and_mapped_to_host }}" - name: Copying over nova.conf @@ -76,8 +80,18 @@ mode: "0660" when: - item.key in nova_cell_services_require_nova_conf + - item.key != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0 with_dict: "{{ nova_cell_services | select_services_enabled_and_mapped_to_host }}" +- name: Copying over config for Nova compute Ironic multi-instance + vars: + service: "{{ nova_cell_services['nova-compute-ironic'] }}" + ansible.builtin.include_tasks: config-compute-ironic.yml + loop: "{{ range(1, nova_multi_compute_ironic_config | length + 1) | list }}" + when: + - nova_multi_compute_ironic_config | length > 0 + - inventory_hostname in groups[service.group ~ '-' ~ item] + - name: Copying over Nova compute provider config become: true vars: @@ -196,6 +210,7 @@ when: - nova_policy_file is defined - item.key in nova_cell_services_require_policy_json + - item.key != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0 with_dict: "{{ nova_cell_services | select_services_enabled_and_mapped_to_host }}" - name: Copying over vendordata file to containers @@ -209,6 +224,7 @@ when: - vendordata_file_path is defined - service | service_enabled_and_mapped_to_host + - item != "nova-compute-ironic" or nova_multi_compute_ironic_config | length == 0 with_items: - nova-compute - nova-compute-ironic diff --git a/ansible/roles/nova-cell/tasks/deploy.yml b/ansible/roles/nova-cell/tasks/deploy.yml index 2a416d8d43..2885315576 100644 --- a/ansible/roles/nova-cell/tasks/deploy.yml +++ b/ansible/roles/nova-cell/tasks/deploy.yml @@ -6,6 +6,10 @@ - name: Import tasks from version-check.yml ansible.builtin.import_tasks: version-check.yml +# NOTE(dougszu): Currently only covers nova-compute-ironic +- name: Cleanup stale configuration + ansible.builtin.import_tasks: cleanup.yml + - name: Import tasks from config-host.yml ansible.builtin.import_tasks: config-host.yml diff --git a/ansible/roles/nova-cell/tasks/precheck.yml b/ansible/roles/nova-cell/tasks/precheck.yml index a509e790cd..9364c619e6 100644 --- a/ansible/roles/nova-cell/tasks/precheck.yml +++ b/ansible/roles/nova-cell/tasks/precheck.yml @@ -30,6 +30,20 @@ - groups[nova_cell_compute_group] | length < 1 - not nova_compute_ironic.enabled | bool +- name: Checking nova multi-compute-ironic inventory + vars: + nova_compute_ironic: "{{ nova_cell_services['nova-compute-ironic'] }}" + ansible.builtin.assert: + msg: > + Each nova-compute-ironic-N group must contain a single host. + that: + - groups[nova_cell_compute_ironic_group ~ '-' ~ item] | length == 1 + loop: "{{ range(1, (nova_compute_ironic.iterate_var | int) + 1) | list }}" + run_once: true + when: + - nova_compute_ironic.iterate | bool + - nova_compute_ironic.enabled | bool + - name: Checking free port for Nova NoVNC Proxy vars: service: "{{ nova_cell_services['nova-novncproxy'] }}" diff --git a/ansible/roles/nova-cell/tasks/reload.yml b/ansible/roles/nova-cell/tasks/reload.yml index 5724effdf2..5f5c05b4e5 100644 --- a/ansible/roles/nova-cell/tasks/reload.yml +++ b/ansible/roles/nova-cell/tasks/reload.yml @@ -37,4 +37,28 @@ when: - kolla_action == 'upgrade' - service | service_enabled_and_mapped_to_host + - item != 'nova-compute-ironic' or not service.iterate | bool with_items: "{{ nova_cell_services_require_nova_conf }}" + +- name: Reload nova-compute-ironic to remove RPC version cap (iterated) + vars: + nova_compute_ironic: "{{ nova_cell_services['nova-compute-ironic'] }}" + become: true + kolla_container: + action: "recreate_or_restart_container" + common_options: "{{ docker_common_options }}" + name: "{{ nova_compute_ironic.container_name ~ '_' ~ item }}" + image: "{{ nova_compute_ironic.image }}" + environment: "{{ nova_compute_ironic.environment | default(omit) }}" + pid_mode: "{{ nova_compute_ironic.pid_mode | default('') }}" + ipc_mode: "{{ nova_compute_ironic.ipc_mode | default(omit) }}" + privileged: "{{ nova_compute_ironic.privileged | default(False) }}" + volumes: "{{ nova_compute_ironic.volumes | reject('equalto', '') | list }}" + dimensions: "{{ nova_compute_ironic.dimensions }}" + healthcheck: "{{ nova_compute_ironic.healthcheck | default(omit) }}" + when: + - kolla_action == 'upgrade' + - nova_compute_ironic | service_enabled + - nova_compute_ironic.iterate | bool + - inventory_hostname in groups[nova_compute_ironic.group ~ '-' ~ item] + loop: "{{ range(1, (nova_compute_ironic.iterate_var | int) + 1) | list }}" diff --git a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml index d930f8dea5..eb7e80e83a 100644 --- a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml +++ b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml @@ -13,13 +13,14 @@ {{ virt_computes_in_batch | map('extract', hostvars, ['ansible_facts', 'nodename']) | list }} - # For ironic, use {{ansible_facts.hostname}}-ironic since this is what we - # configure for [DEFAULT] host in nova.conf. ironic_compute_service_hosts: >- {{ ironic_computes_in_batch | - map('extract', hostvars) | json_query('[].nova_compute_ironic_custom_host || [].ansible_facts.hostname') | - map('regex_replace', '^(.*)$', '\1-ironic') | - list }} + map('extract', hostvars) | + json_query( + '{classic: [].nova_compute_ironic_custom_host || [].ansible_facts.hostname, + multi: [].group_names}') | + get_expected_ironic_compute_services(nova_multi_compute_ironic_config, nova_cell_compute_ironic_group) }} + expected_compute_service_hosts: "{{ virt_compute_service_hosts + ironic_compute_service_hosts }}" block: - name: Waiting for nova-compute services to register themselves @@ -73,13 +74,19 @@ failed_compute_service_hosts: >- {{ expected_compute_service_hosts | difference(nova_compute_service_hosts) | list }} # Whether any compute services failed on this host. + ironic_compute_service_config_for_host: + classic: "{{ [nova_compute_ironic_custom_host | default(ansible_facts.hostname)] if inventory_hostname in ironic_computes_in_batch else [] }}" + multi: "{{ [group_names] }}" + expected_ironic_compute_services: >- + {{ ironic_compute_service_config_for_host | get_expected_ironic_compute_services(nova_multi_compute_ironic_config, nova_cell_compute_ironic_group) }} any_failed_services: >- {{ (ansible_facts.nodename | default()) in failed_compute_service_hosts or - ((ansible_facts.hostname | default()) ~ "-ironic") in failed_compute_service_hosts }} + expected_ironic_compute_services | intersect(failed_compute_service_hosts) | length > 0 }} + ansible.builtin.fail: msg: >- - The Nova compute service failed to register itself on the following - hosts: {{ failed_compute_service_hosts | join(',') }} + The following Nova compute services failed to register + themselves: {{ failed_compute_service_hosts | join(',') }} when: >- any_failed_services or (nova_compute_registration_fatal | bool and diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2 index 2950dfcc4d..7d30dcfd08 100644 --- a/ansible/roles/nova-cell/templates/nova.conf.j2 +++ b/ansible/roles/nova-cell/templates/nova.conf.j2 @@ -8,9 +8,27 @@ state_path = /var/lib/nova allow_resize_to_same_host = true +{% set nova_compute_shard_key = nova_compute_shard_key | default("") %} +{% set nova_compute_conductor_group = nova_compute_conductor_group | default("") %} +{% set nova_compute_ironic_custom_host = nova_compute_ironic_custom_host | default("") %} {% if service_name == "nova-compute-ironic" %} -host={{ nova_compute_ironic_custom_host | default(ansible_facts.hostname) }}-ironic +{% if nova_compute_ironic_custom_host | length > 0 %} +{# NOTE(dougszu): This is provided for backwards compatibility #} +{% set host_value = nova_compute_ironic_custom_host ~ "-ironic" %} +{% elif nova_compute_conductor_group | length > 0 or nova_compute_shard_key | length > 0 %} +{% set host_value = (nova_compute_conductor_group ~ "-" ~ nova_compute_shard_key) ~ "-ironic" %} +{% else %} +{# NOTE(dougszu): This is to support legacy behaviour #} +{% set host_value = ansible_facts.hostname ~ "-ironic" %} +{% endif %} +host = {{ host_value }} + +{% if nova_compute_ironic_id is defined %} +log_file = /var/log/kolla/nova/nova-compute-ironic-{{ nova_compute_ironic_id }}.log +{% else %} log_file = /var/log/kolla/nova/nova-compute-ironic.log +{% endif %} + compute_driver = ironic.IronicDriver ram_allocation_ratio = 1.0 reserved_host_memory_mb = 0 @@ -101,6 +119,19 @@ project_name = service user_domain_name = {{ default_user_domain_name }} project_domain_name = {{ default_project_domain_name }} endpoint_override = {{ ironic_internal_endpoint }}/v1 + +{% if nova_compute_shard_key is not in ['default', ''] %} +shard = {{ nova_compute_shard_key }} +{% endif %} +{% if nova_compute_conductor_group is not in ['default', ''] %} +conductor_group = {{ nova_compute_conductor_group }} +{% endif %} +{% if nova_compute_conductor_group is not in ['default', ''] and nova_compute_shard_key is in ['default', ''] %} +{# NOTE(dougszu): In this case only, Nova Compute Ironic won't start unless the peer_list #} +{# is populated. peer_list is a deprecated config option and should never have more than #} +{# one host in it. This appears to be a bug. #} +peer_list = {{ host_value }} +{% endif %} {% endif %} [oslo_concurrency] @@ -180,7 +211,7 @@ driver = noop [oslo_messaging_rabbit] use_queue_manager = true {% if service_name == "nova-compute-ironic" %} -hostname = {{ nova_compute_ironic_custom_host | default(ansible_facts.hostname) }}-ironic +hostname = {{ host_value }} {% endif %} heartbeat_in_pthread = false {% if om_enable_rabbitmq_tls | bool %} diff --git a/ansible/roles/service-cert-copy/tasks/iterated.yml b/ansible/roles/service-cert-copy/tasks/iterated.yml new file mode 100644 index 0000000000..4da5741fe6 --- /dev/null +++ b/ansible/roles/service-cert-copy/tasks/iterated.yml @@ -0,0 +1,10 @@ +--- +- name: "Copying over extra CA certificates for {{ project_name }}" + become: true + ansible.builtin.copy: + src: "{{ kolla_certificates_dir }}/ca/" + dest: "{{ node_config_directory }}/{{ outer_item.key }}-{{ item }}/ca-certificates" + mode: "0644" + loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}" + when: + - inventory_hostname in groups[service.group ~ '-' ~ item] diff --git a/ansible/roles/service-cert-copy/tasks/main.yml b/ansible/roles/service-cert-copy/tasks/main.yml index d96bf0ca62..ef7ac67175 100644 --- a/ansible/roles/service-cert-copy/tasks/main.yml +++ b/ansible/roles/service-cert-copy/tasks/main.yml @@ -7,8 +7,21 @@ mode: "0644" when: - kolla_copy_ca_into_containers | bool + - not (item.value.iterate | default(False)) | bool with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}" +# NOTE(dougszu): For current iterable services, we only need CA certs +- name: "Check containers that require iteration for {{ kolla_role_name | default(project_name) }}" + vars: + service: "{{ outer_item.value }}" + ansible.builtin.include_tasks: iterated.yml + loop: "{{ project_services | select_services_enabled_and_mapped_to_host | dict2items }}" + loop_control: + loop_var: outer_item + when: + - (service.iterate | default(False)) | bool + - kolla_copy_ca_into_containers | bool + - name: "Copying over backend internal TLS certificate for {{ project_name }}" vars: certs: diff --git a/ansible/roles/service-check-containers/tasks/iterated.yml b/ansible/roles/service-check-containers/tasks/iterated.yml index bd266b115f..c4f28e6d49 100644 --- a/ansible/roles/service-check-containers/tasks/iterated.yml +++ b/ansible/roles/service-check-containers/tasks/iterated.yml @@ -23,6 +23,12 @@ command: "{{ service.command | default(omit) }}" cgroupns_mode: "{{ service.cgroupns_mode | default(omit) }}" loop: "{{ range(1, (iterate_count | int) + 1) | list }}" + when: + # NOTE(dougszu): Due to issues with nova-compute-ironic HA, we can't have + # more than one instance for a given 'item'. Eg. nova_compute_ironic_1 + # should never run on more than one host. + # See: https://specs.openstack.org/openstack/nova-specs/specs/2024.1/implemented/ironic-shards.html + - service_name != 'nova-compute-ironic' or inventory_hostname in groups[nova_cell_compute_ironic_group ~ '-' ~ item] register: container_check - name: "Store changed containers to pass to the handler" diff --git a/ansible/roles/service-precheck/tasks/iterated.yml b/ansible/roles/service-precheck/tasks/iterated.yml new file mode 100644 index 0000000000..d9157ddce3 --- /dev/null +++ b/ansible/roles/service-precheck/tasks/iterated.yml @@ -0,0 +1,13 @@ +--- +- name: "Validate inventory groups (iterated) for {{ project_name }}" + vars: + service_name: "{{ outer_item.key }}" + service: "{{ outer_item.value }}" + service_group: "{{ service.group ~ '-' ~ item }}" + ansible.builtin.fail: + msg: >- + Ansible inventory does not contain the expected group {{ service_group }} + for service {{ service_name }} in {{ project_name }}. + when: + - service_group not in groups + loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}" diff --git a/ansible/roles/service-precheck/tasks/main.yml b/ansible/roles/service-precheck/tasks/main.yml index 58448555e5..81b90f6a5d 100644 --- a/ansible/roles/service-precheck/tasks/main.yml +++ b/ansible/roles/service-precheck/tasks/main.yml @@ -9,7 +9,19 @@ for service {{ service_name }} in {{ project_name }}. loop: "{{ query('dict', service_precheck_services) }}" when: + - not (service.iterate | default(False)) | bool - "'group' in service" - service.group not in groups loop_control: label: "{{ service_name }}" + +- name: Include tasks + vars: + service: "{{ outer_item.value }}" + ansible.builtin.include_tasks: iterated.yml + loop: "{{ query('dict', service_precheck_services) }}" + loop_control: + loop_var: outer_item + when: + - (service.iterate | default(False)) | bool + - "'group' in service" diff --git a/ansible/roles/service-stop/tasks/iterated.yml b/ansible/roles/service-stop/tasks/iterated.yml index f25bf0c26a..cf4e8e4896 100644 --- a/ansible/roles/service-stop/tasks/iterated.yml +++ b/ansible/roles/service-stop/tasks/iterated.yml @@ -11,4 +11,5 @@ ignore_missing: "{{ kolla_action_stop_ignore_missing | bool }}" when: - service.container_name not in skip_stop_containers + - service_name != 'nova-compute-ironic' or inventory_hostname in groups[service.group ~ '-' ~ item] loop: "{{ range(1, (service.iterate_var | int) + 1) | list }}" diff --git a/doc/source/admin/advanced-configuration.rst b/doc/source/admin/advanced-configuration.rst index 7ece68e3ae..c85a498dca 100644 --- a/doc/source/admin/advanced-configuration.rst +++ b/doc/source/admin/advanced-configuration.rst @@ -178,6 +178,113 @@ operator needs to create ``/etc/kolla/config/global.conf`` with content: [database] max_pool_size = 100 +Large baremetal deployments +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Out of the box, a typical Kolla Ansible deployment can support managing a few +hundred baremetal nodes. Beyond this number, it becomes necessary to configure +scaling mechanisms built into Nova and Ironic. + +There are two mechanisms to consider: + - shards + - conductor groups + +Please see the Ironic documentation for further `information +`_. + +As an example, consider a deployment of 700 baremetal nodes spread over two +distinct locations. Location 1 consists of 500 baremetal nodes, and location 2 +consists of 200 baremetal nodes. + +For location 1, all 500 nodes are placed into the same Ironic conductor +group. Ironic conductors configured to use this group are deployed on each +of the three nodes in the control plane. A single Nova Compute Ironic service +would struggle to manage this many nodes, so two shards are created. Due to +HA limitations with Nova Compute Ironic, a single instance is created for +each shard, and the instances may be deployed to any node in the control +plane. + +For location 2, no shards are required due to the smaller number of baremetal +nodes. A single conductor group is configured. The result is that three Ironic +conductors are deployed (one on each node in the control plane), and a single +instance of Nova Compute Ironic configured to use this conductor group. +Furthermore, for this location ``custom_host`` is used to override the +automatically generated host field in the configuration. This is useful for +migrating to the multi-instance configuration described here. + +Finally, Ironic and Nova services are deployed with no configured shards or +conductor groups as a catch all. + +.. code-block:: yaml + + nova_multi_compute_ironic_config: + - "shard_key": "shard_1" + "conductor_group": "location_1" + - "shard_key": "shard_2" + "conductor_group": "location_1" + - "conductor_group": "location_2" + "custom_host": "some_custom_host_field" + - {} + +.. note:: + + ``nova_multi_compute_ironic_config`` must be defined as a global variable + and not customised via hostvars. + +.. note:: + + If you currently have the ``nova-compute-ironic`` service deployed, + you must manually remove it from the controllers before migrating to the + new mode. You will need to ensure that you configure a compatible service + in ``nova_multi_compute_ironic_config`` to replace the old one. This will + likely involve setting the ``custom_host`` field at the very minimum. + +The placement of the above services is managed via the inventory. This +allows flexible placement, should a controller fail. + +.. code-block:: yaml + + [nova-compute-ironic-1] + controller-01 + [nova-compute-ironic-2] + controller-02 + [nova-compute-ironic-3] + controller-03 + [nova-compute-ironic-4] + controller-03 + + [nova-compute-ironic:children] + nova-compute-ironic-1 + nova-compute-ironic-2 + nova-compute-ironic-3 + nova-compute-ironic-4 + +.. note:: + + The number of ``nova-compute-ironic-N`` groups must equal the length of + ``nova_multi_compute_ironic_config``. This variable is an ordered list, + where the first item maps to ``nova-compute-ironic-1``, the second item + to ``nova-compute-ironic-2`` and so forth. + +.. note:: + + A 'cleanup' function is provided which assists in 'failing over' + service instances to other hosts. For example, if ``controller-01`` + was to be taken down for maintenance, replacing it with ``controller-02`` + in the ``nova-compute-ironic-1`` group and re-deploying the ``nova`` + service would result in the service being removed from ``controller-01`` + and re-deployed on ``controller-02``. The cleanup function cannot + currently handle downsizing the number of service instances. In this case + the redundant service instances must be cleaned up manually. For obvious + reasons the cleanup function cannot remove a service from a failed node, + and in such a case, you must be careful not to allow a second identical + service instance to start when the failed node is recovered. + +The ``nova-compute-ironic`` service instances may be configured +individually via the existing override mechanism. For example, the +creation of ``nova/nova-compute-ironic-1.conf`` will allow variables +for that specific service to be overridden. + OpenStack policy customisation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/kolla_ansible/nova_filters.py b/kolla_ansible/nova_filters.py index 4bb5cbdf66..f9be3eb98c 100644 --- a/kolla_ansible/nova_filters.py +++ b/kolla_ansible/nova_filters.py @@ -15,6 +15,8 @@ import jinja2 import re +from kolla_ansible import exception + def extract_cell(list_cells_cli_output, cell_name): """Extract cell settings from nova_manage CLI @@ -85,8 +87,57 @@ def _namespace(name): return services +def get_expected_ironic_compute_services(ironic_compute_batch_info, + multi_compute_conf, + nova_cell_compute_ironic_group): + """Return a List of expected Ironic compute services + + :param ironic_compute_batch_info: A dict containing configuration + information about Ironic Compute hosts. + :param multi_compute_conf: Ironic multi-compute config + :param nova_cell_compute_ironic_group: Ansible group name for + nova-compute-ironic. Eg. 'nova-compute-ironic'. + :returns: A list of Nova Compute Ironic service hostnames. + """ + classic_info = ironic_compute_batch_info['classic'] + multi_compute_info = ironic_compute_batch_info['multi'] + if len(multi_compute_conf) == 0: + return [f'{host}-ironic' for host in classic_info] + + expected_services = [] + group_prefix = nova_cell_compute_ironic_group + '-' + for host in multi_compute_info: + iterate_vars = [ + int(group.split(group_prefix)[1]) + for group in host if group_prefix in group] + for i in iterate_vars: + try: + service_conf = multi_compute_conf[i - 1] + except IndexError: + raise exception.FilterError( + "Unable to look up multi-compute Ironic config for " + "{g}-{i} inventory group. Check that " + "nova_multi_compute_ironic_config has an entry for " + "each defined group.".format( + g=nova_cell_compute_ironic_group, + i=i)) + expected_services.append( + _get_expected_compute_service_name(service_conf)) + return expected_services + + +def _get_expected_compute_service_name(service_conf): + custom_host = service_conf.get('custom_host') + if custom_host: + return f"{custom_host}-ironic" + cg = service_conf.get('conductor_group', 'default') + sk = service_conf.get('shard_key', 'default') + return f"{cg}-{sk}-ironic" + + def get_filters(): return { "extract_cell": extract_cell, "namespace_haproxy_for_cell": namespace_haproxy_for_cell, + "get_expected_ironic_compute_services": get_expected_ironic_compute_services, # noqa } diff --git a/kolla_ansible/tests/unit/test_nova_filters.py b/kolla_ansible/tests/unit/test_nova_filters.py index e8d5c507aa..d436b0ef10 100644 --- a/kolla_ansible/tests/unit/test_nova_filters.py +++ b/kolla_ansible/tests/unit/test_nova_filters.py @@ -73,6 +73,92 @@ def test_extract_duplicate_cell(self): self.assertRaisesRegex(jinja2.TemplateRuntimeError, 'duplicates', self._test_extract_cell, test_data, 'cell0001') + def test_get_expected_ironic_compute_services_multi_compute(self): + example_ironic_compute_conf = { + # We expect the classic config to be ignored + 'classic': ['custom-host-nova-compute'], + # We have a batch of 2 Ironic compute hosts which should + # run a total of 3 Nova compute Ironic instances + 'multi': [ + ['nova-compute-ironic-1', + 'nova-compute-ironic-2', + 'nova-compute-ironic', + 'something'], + ['nova-compute-ironic-3', + 'nova-compute-ironic', + 'something'], + ] + } + multi_conf = [ + {"custom_host": "some_custom_host"}, + {"shard_key": "shard_1", "conductor_group": "location_1"}, + {"shard_key": "shard_2", "conductor_group": "location_1"}, + {"conductor_group": "location_2"}, + {"shard_key": "shard_1"} + ] + actual = filters.get_expected_ironic_compute_services( + example_ironic_compute_conf, multi_conf, 'nova-compute-ironic') + expected = [ + 'some_custom_host-ironic', + 'location_1-shard_1-ironic', + 'location_1-shard_2-ironic', + ] + self.assertListEqual(actual, expected) + + def test_get_expected_ironic_compute_services_no_compute(self): + example_ironic_compute_conf = { + 'classic': [], + 'multi': [] + } + actual = filters.get_expected_ironic_compute_services( + example_ironic_compute_conf, [], 'nova-compute-ironic') + expected = [] + self.assertListEqual(actual, expected) + + def test_get_expected_ironic_compute_services_classic_compute(self): + example_ironic_compute_conf = { + 'classic': ['custom-foo'], + 'multi': [] + } + actual = filters.get_expected_ironic_compute_services( + example_ironic_compute_conf, [], 'nova-compute-ironic') + expected = ['custom-foo-ironic'] + self.assertListEqual(actual, expected) + + def test_get_expected_ironic_compute_services_classic_compute_multi(self): + # NOTE(dougszu): This isn't a recommended configuration + example_ironic_compute_conf = { + 'classic': ['custom-foo', 'ctrl02', 'ctrl03'], + 'multi': [] + } + actual = filters.get_expected_ironic_compute_services( + example_ironic_compute_conf, [], 'nova-compute-ironic') + expected = [ + 'custom-foo-ironic', + 'ctrl02-ironic', + 'ctrl03-ironic', + ] + self.assertListEqual(actual, expected) + + def test_get_expected_ironic_compute_services_bad_config(self): + example_ironic_compute_conf = { + 'classic': [], + 'multi': [ + ['my-custom-group-1', + 'my-custom-group-2', + 'my-custom-group', + 'something'], + ] + } + multi_conf = [ + {"shard_key": "shard_1", "conductor_group": "location_1"}, + ] + with self.assertRaisesRegex(Exception, + 'Unable to look up multi-compute Ironic ' + 'config for my-custom-group-2'): + filters.get_expected_ironic_compute_services( + example_ironic_compute_conf, multi_conf, 'my-custom-group') + def test_namespace_haproxy_for_cell_with_empty_name(self): example_services = { 'nova-novncproxy': { diff --git a/releasenotes/notes/add-nova-multi-compute-ironic-support-1bf5c64f8a530cc9.yaml b/releasenotes/notes/add-nova-multi-compute-ironic-support-1bf5c64f8a530cc9.yaml new file mode 100644 index 0000000000..c99523feb3 --- /dev/null +++ b/releasenotes/notes/add-nova-multi-compute-ironic-support-1bf5c64f8a530cc9.yaml @@ -0,0 +1,10 @@ +--- +features: + - | + Adds support for deploying multiple instances of the Nova Compute Ironic + service on the same host. This is useful in large baremetal deployments. +upgrade: + - | + If you are migrating to the new feature to deploy multiple instances of + Nova Compute Ironic, you are first required to manually remove the + existing Nova Compute Ironic Docker container, and config directories. diff --git a/roles/openstack-clients/defaults/main.yml b/roles/openstack-clients/defaults/main.yml index e1f53e2799..034618843a 100644 --- a/roles/openstack-clients/defaults/main.yml +++ b/roles/openstack-clients/defaults/main.yml @@ -11,7 +11,7 @@ openstack_clients_pip_packages: - package: python-heatclient enabled: true - package: python-ironicclient - enabled: "{{ scenario == 'ironic' }}" + enabled: "{{ scenario in ['ironic', 'multi-compute-ironic'] }}" - package: python-magnumclient enabled: "{{ scenario == 'magnum' }}" - package: python-neutronclient diff --git a/tests/run.yml b/tests/run.yml index 8dd6c62c65..efa817e24d 100644 --- a/tests/run.yml +++ b/tests/run.yml @@ -208,10 +208,10 @@ # ironic.conf - src: "tests/templates/ironic-overrides.j2" dest: /etc/kolla/config/ironic.conf - when: "{{ scenario == 'ironic' }}" + when: "{{ scenario == 'ironic' or scenario == 'multi-compute-ironic' }}" - src: "tests/templates/tenks-deploy-config.yml.j2" dest: "{{ ansible_env.HOME }}/tenks.yml" - when: "{{ scenario == 'ironic' }}" + when: "{{ scenario == 'ironic' or scenario == 'multi-compute-ironic' }}" # keystone-federation config - src: "tests/templates/keystone-federation/idp.example.org%2Frealms%2Fexample.conf.j2" dest: "/etc/kolla/config/keystone-httpd/federation/oidc/metadata/idp.example.org%2Frealms%2Fexample.conf" @@ -243,7 +243,7 @@ dest: ironic-agent.initramfs - src: "ipa-centos9-{{ zuul.branch | replace('/', '-') }}.kernel" dest: ironic-agent.kernel - when: scenario == "ironic" + when: scenario == "ironic" or scenario == "multi-compute-ironic" - block: - name: Slurp requirements.yml @@ -427,7 +427,7 @@ EXT_NET_GATEWAY: "{{ neutron_external_network_prefix }}1" EXT_NET_DEMO_ROUTER_ADDR: "{{ neutron_external_network_prefix }}10" SCENARIO: "{{ scenario }}" - when: openstack_core_tested or scenario in ['ironic', 'magnum', 'nfv', 'zun', 'octavia'] + when: openstack_core_tested or scenario in ['ironic', 'multi-compute-ironic' ,'magnum', 'nfv', 'zun', 'octavia'] - name: Test OVN VPNaaS import_role: @@ -494,7 +494,8 @@ chdir: "{{ kolla_ansible_src_dir }}" environment: TLS_ENABLED: "{{ tls_enabled }}" - when: scenario == "ironic" + MULTI_COMPUTE_IRONIC: "{{ scenario == 'multi-compute-ironic' }}" + when: scenario == "ironic" or scenario == "multi-compute-ironic" - name: Run test-magnum.sh script script: diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2 index f5f005acd5..ca2ad562e0 100644 --- a/tests/templates/globals-default.j2 +++ b/tests/templates/globals-default.j2 @@ -138,6 +138,22 @@ enable_proxysql: "yes" enable_prometheus_proxysql_exporter: "yes" {% endif %} +{% if scenario == "multi-compute-ironic" %} +nova_multi_compute_ironic_config: + - {} + - "shard_key": "shard_1" + "conductor_group": "location_1" + - "shard_key": "shard_2" + "conductor_group": "location_1" + - "conductor_group": "location_2" + +enable_ironic: "yes" +enable_ironic_pxe_filter: "yes" +ironic_dnsmasq_dhcp_ranges: + - range: "10.42.0.2,10.42.0.254,255.255.255.0" +ironic_internal_endpoint: http://192.0.2.1:6385 +{% endif %} + {% if scenario == "mariadb" %} enable_fluentd: "yes" enable_mariadb: "yes" diff --git a/tests/templates/inventory.j2 b/tests/templates/inventory.j2 index 2991518ce1..a3bea72130 100644 --- a/tests/templates/inventory.j2 +++ b/tests/templates/inventory.j2 @@ -6,7 +6,7 @@ # primary and secondary while the parent group (control) uses only primary. [control] -{% if scenario == 'masakari' %} +{% if scenario in ['masakari', 'multi-compute-ironic'] %} {% for host in hostvars if host in ['primary'] %} {{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} {% endfor %} @@ -299,8 +299,25 @@ nova [nova-spicehtml5proxy:children] nova +{% if scenario == 'multi-compute-ironic' %} +[nova-compute-ironic-1] +primary +[nova-compute-ironic-2] +secondary1 +[nova-compute-ironic-3] +secondary2 +[nova-compute-ironic-4] +secondary2 + +[nova-compute-ironic:children] +nova-compute-ironic-1 +nova-compute-ironic-2 +nova-compute-ironic-3 +nova-compute-ironic-4 +{% else %} [nova-compute-ironic:children] nova +{% endif %} [nova-serialproxy:children] nova diff --git a/tests/templates/ironic-overrides.j2 b/tests/templates/ironic-overrides.j2 index be944b3072..9603d6b2ca 100644 --- a/tests/templates/ironic-overrides.j2 +++ b/tests/templates/ironic-overrides.j2 @@ -2,6 +2,16 @@ enabled_inspect_interfaces = no-inspect, agent default_inspect_interface = agent +{% if scenario == "multi-compute-ironic" %} +{% raw %} +{% set cg = 'location_1' if inventory_hostname == 'secondary1' else 'location_2' if inventory_hostname == 'secondary2' %} +{% if cg %} +[conductor] +conductor_group = {{ cg }} +{% endif %} +{% endraw %} +{% endif %} + [neutron] cleaning_network = public1 inspection_network = public1 diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 0758a8067d..7cb2ec76ff 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -4,6 +4,7 @@ templates: - ansible-role-jobs - check-requirements + - kolla-ansible-scenario-multi-compute-ironic - kolla-ansible-scenario-aio - kolla-ansible-scenario-bifrost - kolla-ansible-scenario-cells diff --git a/zuul.d/scenarios/multi-compute-ironic.yaml b/zuul.d/scenarios/multi-compute-ironic.yaml new file mode 100644 index 0000000000..814116a1fd --- /dev/null +++ b/zuul.d/scenarios/multi-compute-ironic.yaml @@ -0,0 +1,47 @@ +--- +- job: + name: kolla-ansible-multi-compute-ironic-base + parent: kolla-ansible-base + voting: false + files: !inherit + - ^ansible/group_vars/all/(nova|ironic).yml + - ^ansible/roles/(nova|nova-cell|ironic)/ + - ^tests/deploy-tenks\.sh$ + - ^tests/templates/ironic-overrides\.j2$ + - ^tests/templates/tenks-deploy-config\.yml\.j2$ + - ^tests/test-dashboard\.sh$ + - ^tests/test-ironic\.sh$ + required-projects: + - openstack/tenks + vars: + scenario: multi-compute-ironic + scenario_images_extra: + - ^dnsmasq + - ^ironic + - ^iscsid + tls_enabled: false + +- job: + name: kolla-ansible-debian-trixie-multi-compute-ironic + parent: kolla-ansible-multi-compute-ironic-base + nodeset: kolla-ansible-debian-trixie-multi-16GB + +- job: + name: kolla-ansible-rocky-10-multi-compute-ironic + parent: kolla-ansible-multi-compute-ironic-base + nodeset: kolla-ansible-rocky-10-multi-16GB + +- job: + name: kolla-ansible-ubuntu-noble-multi-compute-ironic + parent: kolla-ansible-multi-compute-ironic-base + nodeset: kolla-ansible-ubuntu-noble-multi-16GB + +- project-template: + name: kolla-ansible-scenario-multi-compute-ironic + description: | + Runs Kolla-Ansible Nova Multi Compute Ironic scenario jobs. + check: + jobs: + - kolla-ansible-debian-trixie-multi-compute-ironic + - kolla-ansible-rocky-10-multi-compute-ironic + - kolla-ansible-ubuntu-noble-multi-compute-ironic