Merge pull request #513 from stackhpc/upstream/zed-2024-01-01

Synchronise zed with upstream

ansible/roles/common/templates/conf/input/03-rabbitmq.conf.j2

@@ -6,7 +6,7 @@
   enable_watch_timer false
   <parse>
     @type multiline
-    format_firstline /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}/
-    format1 /^(?<Timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?<log_level>\w+)\] (?<Payload>.*)/
+    format_firstline /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}(\d+\+\d{2}:\d{2})?/
+    format1 /^(?<Timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(\d+\+\d{2}:\d{2})? \[(?<log_level>\w+)\] (?<Payload>.*)/
   </parse>
 </source>

ansible/roles/cyborg/templates/cyborg.conf.j2

@@ -43,6 +43,18 @@ region_name = {{ openstack_region_name }}
 cafile = {{ openstack_cacert }}
 valid_interfaces = internal
 
+[nova]
+auth_url = {{ keystone_internal_url }}
+auth_type = password
+project_domain_id = {{ default_project_domain_id }}
+user_domain_id = {{ default_user_domain_id }}
+region_name = {{ openstack_region_name }}
+project_name = service
+username = {{ nova_keystone_user }}
+password = {{ nova_keystone_password }}
+endpoint_type = internal
+cafile = {{ openstack_cacert }}
+
 {% if cyborg_policy_file is defined %}
 [oslo_policy]
 policy_file = {{ cyborg_policy_file }}

ansible/roles/glance/defaults/main.yml

@@ -7,7 +7,7 @@ glance_services:
     enabled: true
     image: "{{ glance_api_image_full }}"
     environment: "{{ glance_api_container_proxy }}"
-    privileged: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}"
+    privileged: "{{ enable_cinder | bool and (enable_cinder_backend_iscsi | bool or cinder_backend_ceph | bool) }}"
     volumes: "{{ glance_api_default_volumes + glance_api_extra_volumes }}"
     dimensions: "{{ glance_api_dimensions }}"
     healthcheck: "{{ glance_api_healthcheck }}"

ansible/roles/keystone/tasks/config.yml

@@ -201,6 +201,7 @@
   changed_when: false
   check_mode: false
   register: cron_jobs_json
+  connection: local
   delegate_to: localhost
 
 - name: Set fact with the generated cron jobs for building the crontab later

ansible/roles/keystone/tasks/register_identity_providers.yml

@@ -13,6 +13,7 @@
       {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping list -c ID --format value
   run_once: True
+  changed_when: False
   become: True
   register: existing_mappings_register
 
@@ -112,6 +113,7 @@
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     identity provider list -c ID --format value
   run_once: True
+  changed_when: False
   register: existing_idps_register
 
 - name: Register existing idps

ansible/roles/mariadb/tasks/precheck.yml

@@ -17,7 +17,7 @@
 - name: Checking free port for MariaDB
   wait_for:
     host: "{{ api_interface_address }}"
-    port: "{{ database_port }}"
+    port: "{{ mariadb_port }}"
     connect_timeout: 1
     timeout: 1
     state: stopped

ansible/roles/mariadb/tasks/restart_services.yml

@@ -31,7 +31,7 @@
   become: true
   command: >-
     {{ kolla_container_engine }} exec {{ mariadb_service.container_name }}
-    mysql -uroot -p{{ database_password }}
+    mysql -uroot -p{{ database_password }} -P {{ mariadb_port }}
     --silent --skip-column-names
     -e 'SHOW STATUS LIKE "wsrep_local_state_comment"'
   changed_when: false

ansible/roles/masakari/templates/masakari.conf.j2

@@ -70,3 +70,12 @@ policy_file = {{ masakari_policy_file }}
 
 [taskflow]
 connection = mysql+pymysql://{{ masakari_database_user }}:{{ masakari_database_password }}@{{ masakari_database_address }}/{{ masakari_database_name }}
+
+{% if service_name == 'masakari-api' %}
+[coordination]
+{% if masakari_coordination_backend == 'redis' %}
+backend_url = {{ redis_connection_string }}
+{% elif masakari_coordination_backend == 'etcd' %}
+backend_url = etcd3+{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ etcd_client_port }}{% if openstack_cacert %}?ca_cert={{ openstack_cacert }}{% endif %}
+{% endif %}
+{% endif %}

ansible/roles/octavia/defaults/main.yml

@@ -300,7 +300,7 @@ octavia_amp_security_groups:
     name: "lb-mgmt-sec-grp"
     enabled: true
     rules:
-      - protocol: icmp
+      - protocol: "{{ 'ipv6-icmp' if octavia_network_address_family == 'ipv6' else 'icmp' }}"
       - protocol: tcp
         src_port: 22
         dst_port: 22
@@ -348,6 +348,10 @@ octavia_amp_network:
 # Octavia management network subnet CIDR.
 octavia_amp_network_cidr: 10.1.0.0/24
 
+octavia_amp_router:
+  name: lb-mgmt-router
+  subnet: "{{ octavia_amp_network['subnet']['name'] }}"
+
 # Octavia provider drivers
 octavia_provider_drivers: "amphora:Amphora provider{% if neutron_plugin_agent == 'ovn' %}, ovn:OVN provider{% endif %}"
 octavia_provider_agents: "amphora_agent{% if neutron_plugin_agent == 'ovn' %}, ovn{% endif %}"

ansible/roles/octavia/tasks/prepare.yml

@@ -88,6 +88,7 @@
       protocol: "{{ item.1.protocol }}"
       port_range_min: "{{ item.1.src_port | default(omit) }}"
       port_range_max: "{{ item.1.dst_port | default(omit) }}"
+      ethertype: "IPv{{ octavia_network_address_family[-1] }}"
   with_subelements:
     - "{{ octavia_amp_security_groups }}"
     - rules
@@ -141,3 +142,20 @@
       ipv6_ra_mode: "{{ octavia_amp_network['subnet']['ipv6_ra_mode'] | default(omit) }}"
   run_once: True
   delegate_to: "{{ groups['octavia-api'][0] }}"
+
+- name: Create loadbalancer management router for IPv6
+  become: true
+  kolla_toolbox:
+    container_engine: "{{ kolla_container_engine }}"
+    module_name: openstack.cloud.router
+    module_args:
+      auth: "{{ octavia_user_auth }}"
+      cacert: "{{ openstack_cacert }}"
+      endpoint_type: "{{ openstack_interface }}"
+      region_name: "{{ openstack_region_name }}"
+      state: present
+      name: "{{ octavia_amp_router['name'] }}"
+      interfaces: "{{ octavia_amp_router['subnet'] }}"
+  run_once: True
+  when: octavia_network_address_family == "ipv6"
+  delegate_to: "{{ groups['octavia-api'][0] }}"

ansible/roles/opensearch/defaults/main.yml

@@ -58,6 +58,54 @@ opensearch_cluster_name: "kolla_logging"
 opensearch_heap_size: "1g"
 opensearch_java_opts: "{% if opensearch_heap_size %}-Xms{{ opensearch_heap_size }} -Xmx{{ opensearch_heap_size }}{% endif %} -Dlog4j2.formatMsgNoLookups=true"
 
+opensearch_apply_log_retention_policy: true
+
+# Duration after which an index is staged for deletion. This is implemented
+# by closing the index. Whilst in this state the index contributes negligible
+# load on the cluster and may be manually re-opened if required.
+# NOTE: We carry over legacy settings from ElasticSearch Curator if they
+# are set. This may be removed in a later release.
+opensearch_soft_retention_period_days: "{{ elasticsearch_curator_soft_retention_period_days | default(30) }}"
+
+# Duration after which an index is permanently erased from the cluster.
+opensearch_hard_retention_period_days: "{{ elasticsearch_curator_hard_retention_period_days | default(60) }}"
+
+opensearch_retention_policy: |
+  policy:
+    description: Retention policy for OpenStack logs
+    error_notification:
+    default_state: open
+    states:
+    - name: open
+      actions: []
+      transitions:
+      - state_name: close
+        conditions:
+          min_index_age: "{{ opensearch_soft_retention_period_days }}d"
+    - name: close
+      actions:
+      - retry:
+          count: 3
+          backoff: exponential
+          delay: 1m
+        close: {}
+      transitions:
+      - state_name: delete
+        conditions:
+          min_index_age: "{{ opensearch_hard_retention_period_days }}d"
+    - name: delete
+      actions:
+      - retry:
+          count: 3
+          backoff: exponential
+          delay: 1m
+        delete: {}
+      transitions: []
+    ism_template:
+    - index_patterns:
+      - "{{ opensearch_log_index_prefix }}-*"
+      priority: 1
+
 ####################
 # Keystone
 ####################

ansible/roles/opensearch/tasks/deploy.yml

@@ -10,3 +10,6 @@
 
 - name: Flush handlers
   meta: flush_handlers
+
+- include_tasks: post-config.yml
+  when: opensearch_apply_log_retention_policy | bool

ansible/roles/opensearch/tasks/post-config.yml

@@ -0,0 +1,65 @@
+---
+- name: Wait for OpenSearch to become ready
+  become: true
+  kolla_toolbox:
+    container_engine: "{{ kolla_container_engine }}"
+    module_name: uri
+    module_args:
+      url: "{{ opensearch_internal_endpoint }}/_cluster/stats"
+      status_code: 200
+  register: result
+  until: result.get('status') == 200
+  retries: 30
+  delay: 2
+  run_once: true
+
+- name: Check if a log retention policy exists
+  become: true
+  kolla_toolbox:
+    container_engine: "{{ kolla_container_engine }}"
+    module_name: uri
+    module_args:
+      url: "{{ opensearch_internal_endpoint }}/_plugins/_ism/policies/retention"
+      method: GET
+      status_code: 200, 404
+      return_content: yes
+  register: opensearch_retention_policy_check
+  delegate_to: "{{ groups['opensearch'][0] }}"
+  run_once: true
+
+- name: Create new log retention policy
+  become: true
+  kolla_toolbox:
+    container_engine: "{{ kolla_container_engine }}"
+    module_name: uri
+    module_args:
+      url: "{{ opensearch_internal_endpoint }}/_plugins/_ism/policies/retention"
+      method: PUT
+      status_code: 201
+      return_content: yes
+      body: "{{ opensearch_retention_policy | from_yaml | to_json }}"
+      body_format: json
+  register: opensearch_retention_policy_create
+  delegate_to: "{{ groups['opensearch'][0] }}"
+  run_once: true
+  changed_when: opensearch_retention_policy_create.status == 201
+  when: opensearch_retention_policy_check.status == 404
+
+- name: Apply retention policy to existing indicies
+  become: true
+  vars:
+    opensearch_set_policy_body: {"policy_id": "retention"}
+  kolla_toolbox:
+    container_engine: "{{ kolla_container_engine }}"
+    module_name: uri
+    module_args:
+      url: "{{ opensearch_internal_endpoint }}/_plugins/_ism/add/{{ opensearch_log_index_prefix }}-*"
+      method: POST
+      status_code: 200
+      return_content: yes
+      body: "{{ opensearch_set_policy_body | to_json }}"
+      body_format: json
+  delegate_to: "{{ groups['opensearch'][0] }}"
+  run_once: true
+  changed_when: opensearch_retention_policy_create.status == 201
+  when: opensearch_retention_policy_check.status == 404

ansible/roles/opensearch/tasks/upgrade.yml

@@ -185,3 +185,6 @@
 
 - name: Flush handlers
   meta: flush_handlers
+
+- include_tasks: post-config.yml
+  when: opensearch_apply_log_retention_policy | bool

ansible/roles/prometheus/templates/prometheus.yml.j2

@@ -142,7 +142,7 @@ scrape_configs:
     honor_labels: true
     static_configs:
       - targets:
-        - '{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ prometheus_openstack_exporter_port }}'
+        - '{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ prometheus_openstack_exporter_port }}'
 {% endif %}
 
 {% if enable_prometheus_elasticsearch_exporter | bool %}
@@ -206,6 +206,9 @@ scrape_configs:
 
 {% if enable_prometheus_etcd_integration | bool %}
   - job_name: etcd
+{% if etcd_enable_tls | bool %}
+    scheme: https
+{% endif %}
     static_configs:
 {% for host in groups["etcd"] %}
       - targets:

ansible/roles/sahara/defaults/main.yml

@@ -87,7 +87,7 @@ sahara_engine_enable_healthchecks: "{{ enable_container_healthchecks }}"
 sahara_engine_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
 sahara_engine_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
 sahara_engine_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
-sahara_engine_healthcheck_test: ["CMD-SHELL", "healthcheck_port sahara_engine {{ om_rpc_port }}"]
+sahara_engine_healthcheck_test: ["CMD-SHELL", "healthcheck_port sahara-engine {{ om_rpc_port }}"]
 sahara_engine_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
 sahara_engine_healthcheck:
   interval: "{{ sahara_engine_healthcheck_interval }}"

ansible/roles/senlin/templates/senlin.conf.j2

@@ -14,6 +14,7 @@ workers = {{ senlin_api_workers }}
 
 [authentication]
 auth_url = {{ keystone_internal_url }}
+cafile = {{ openstack_cacert }}
 service_username = {{ senlin_keystone_user }}
 service_password = {{ senlin_keystone_password }}
 service_project_name = service

doc/source/reference/logging-and-monitoring/central-logging-guide.rst

@@ -40,6 +40,50 @@ By default OpenSearch is deployed on port ``9200``.
    ``opensearch`` to store the data of OpenSearch. The path can be set via
    the variable ``opensearch_datadir_volume``.
 
+Applying log retention policies
+-------------------------------
+
+To stop your disks filling up, the Index State Management plugin for
+OpenSearch can be used to define log retention policies. A default
+retention policy is applied to all indicies which match the
+``opensearch_log_index_prefix``. This policy first closes old indicies,
+and then eventually deletes them. It can be customised via the following
+variables:
+
+- ``opensearch_apply_log_retention_policy``
+- ``opensearch_soft_retention_period_days``
+- ``opensearch_hard_retention_period_days``
+
+By default the soft and hard retention periods are 30 and 60 days
+respectively. If you are upgrading from ElasticSearch, and have previously
+configured ``elasticsearch_curator_soft_retention_period_days`` or
+``elasticsearch_curator_hard_retention_period_days``, those variables will
+be used instead of the defaults. You should migrate your configuration to
+use the new variable names before the Caracal release.
+
+Advanced users may wish to customise the retention policy, which
+is possible by overriding ``opensearch_retention_policy`` with
+a valid policy. See the `Index Management plugin documentation <https://opensearch.org/docs/latest/im-plugin/index/>`__
+for further details.
+
+Updating log retention policies
+-------------------------------
+
+By design, Kolla Ansible will NOT update an existing retention
+policy in OpenSearch. This is to prevent policy changes that may have
+been made via the OpenSearch Dashboards UI, or external tooling,
+from being wiped out.
+
+There are three options for modifying an existing policy:
+
+1. Via the OpenSearch Dashboards UI. See the `Index Management plugin documentation <https://opensearch.org/docs/latest/im-plugin/index/>`__
+for further details.
+
+2. Via the OpenSearch API using external tooling.
+
+3. By manually removing the existing policy via the OpenSearch Dashboards
+   UI (or API), before re-applying the updated policy with Kolla Ansible.
+
 OpenSearch Dashboards
 ~~~~~~~~~~~~~~~~~~~~~
 

kolla_ansible/database_shards.py

@@ -121,6 +121,7 @@ def database_shards_info(context, hostnames):
                     raise FilterError("'mariadb_shard_backup_user_prefix' "
                                       "variable is unavailable")
                 db_user = f"{db_backup_prefix}{host_shard_id}"
+                db_password = host.get('mariadb_backup_database_password')
                 user_dict = {'password': db_password, 'user': db_user,
                              'shard_id': host_shard_id}
                 shards_info['users'].append(user_dict)

kolla_ansible/kolla_address.py

@@ -48,7 +48,7 @@ def kolla_address(context, network_name, hostname=None):
             raise FilterError("'inventory_hostname' variable is unavailable")
 
     hostvars = context.get('hostvars')
-    if isinstance(hostvars, Undefined):
+    if hostvars is None or isinstance(hostvars, Undefined):
         raise FilterError("'hostvars' variable is unavailable")
 
     host = hostvars.get(hostname)