diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml
index 36a1ea99c..83e6d793b 100644
--- a/.github/workflows/stackhpc-all-in-one.yml
+++ b/.github/workflows/stackhpc-all-in-one.yml
@@ -167,7 +167,7 @@ jobs:
           VM_NETWORK: ${{ inputs.vm_network }}
           VM_SUBNET: ${{ inputs.vm_subnet }}
           VM_INTERFACE: ${{ inputs.vm_interface }}
-          VM_VOLUME_SIZE: ${{ inputs.upgrade && '55' || '40' }}
+          VM_VOLUME_SIZE: ${{ inputs.upgrade && '65' || '50' }}
           VM_TAGS: '["skc-ci-aio", "PR=${{ github.event.number }}"]'

       - name: Terraform Plan
@@ -214,22 +214,12 @@ jobs:
       - name: Write Terraform network config
         run: |
           cat << EOF > etc/kayobe/environments/$KAYOBE_ENVIRONMENT/tf-networks.yml
-
-          admin_oc_net_name: admin
-          admin_cidr: "{{ access_cidr.value }}"
-          admin_allocation_pool_start: 0.0.0.0
-          admin_allocation_pool_end: 0.0.0.0
-          admin_gateway: "{{ access_gw.value }}"
-          admin_bootproto: dhcp
-          admin_ips:
+          admin_oc_net_name: ethernet
+          ethernet_cidr: "{{ access_cidr.value }}"
+          ethernet_allocation_pool_start: 0.0.0.0
+          ethernet_allocation_pool_end: 0.0.0.0
+          ethernet_ips:
             controller0: "{{ access_ip_v4.value }}"
-          admin_zone: admin
-          EOF
-
-      - name: Write Terraform network interface config
-        run: |
-          cat << EOF > etc/kayobe/environments/$KAYOBE_ENVIRONMENT/inventory/group_vars/controllers/tf-network-interfaces
-          admin_interface: "{{ access_interface.value }}"
           EOF

       - name: Write all-in-one scenario config
diff --git a/doc/source/operations/upgrading-openstack.rst b/doc/source/operations/upgrading-openstack.rst
index 0708f655f..9f82e91c4 100644
--- a/doc/source/operations/upgrading-openstack.rst
+++ b/doc/source/operations/upgrading-openstack.rst
@@ -121,6 +121,13 @@
 to ``default``. Whilst this does not have any negative impact on services that
 utilise Redis it will feature prominently in any preview of the overcloud
 configuration.

+AvailabilityZoneFilter removal
+------------------------------
+
+Support for the ``AvailabilityZoneFilter`` filter has been dropped in Nova.
+Remove it from any Nova config files before upgrading: leaving it in place
+will cause errors in Caracal and halt the Nova scheduler.
+
 Known issues
 ============

@@ -130,6 +137,24 @@ Known issues
   around this in custom config, see the SMS PR for an example:
   https://github.com/stackhpc/smslab-kayobe-config/pull/354

+* Due to a `security-related change in the GRUB package on Rocky Linux 9
+  `__, the operating
+  system can become unbootable (boot will stop at a ``grub>`` prompt). Remove
+  the ``--root-dev-only`` option from ``/boot/efi/EFI/rocky/grub.cfg`` after
+  applying package updates. This will happen automatically as a post hook when
+  running the ``kayobe overcloud host package update`` command.
+
+* After upgrading OpenSearch to the latest 2023.1 container image, we have seen
+  cluster routing allocation be disabled on some systems. See bug for details:
+  https://bugs.launchpad.net/kolla-ansible/+bug/2085943.
+  This will cause the "Perform a flush" handler to fail during the 2024.1
+  OpenSearch upgrade. To work around this, you can run the following PUT request
+  to enable allocation again:
+
+  .. code-block:: console
+
+     curl -X PUT "https://:9200/_cluster/settings?pretty" -H 'Content-Type: application/json' -d '{ "transient" : { "cluster.routing.allocation.enable" : "all" } } '
+
 Security baseline
 =================

@@ -863,6 +888,15 @@ To update all eligible packages, use ``*``, escaping if necessary:

     kayobe overcloud host package update --packages "*" --limit

+.. 
note:: + + Due to a `security-related change in the GRUB package on Rocky Linux 9 + `__, the operating + system can become unbootable (boot will stop at a ``grub>`` prompt). Remove + the ``--root-dev-only`` option from ``/boot/efi/EFI/rocky/grub.cfg`` after + applying package updates. This will happen automatically as a post hook when + running the ``kayobe overcloud host package update`` command. + If the kernel has been upgraded, reboot the host or batch of hosts to pick up the change: diff --git a/etc/kayobe/ansible/advise-run.yml b/etc/kayobe/ansible/advise-run.yml index d0ad2eee1..3def59034 100644 --- a/etc/kayobe/ansible/advise-run.yml +++ b/etc/kayobe/ansible/advise-run.yml @@ -16,6 +16,7 @@ name: - git+https://github.com/stackhpc/ADVise state: latest + virtualenv_command: "python3 -m venv" - name: Create data directory file: diff --git a/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml b/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml new file mode 100644 index 000000000..df8340419 --- /dev/null +++ b/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml @@ -0,0 +1,151 @@ +--- +- name: Deploy RADOS gateway usage exporter + hosts: monitoring + gather_facts: false + tags: radosgw_usage_exporter + vars: + venv: "{{ virtualenv_path }}/openstack" + tasks: + - name: Deploy RADOS gateway usage exporter + when: stackhpc_enable_radosgw_usage_exporter + block: + - name: Set up openstack cli virtualenv + ansible.builtin.pip: + virtualenv: "{{ venv }}" + virtualenv_command: "/usr/bin/python3 -m venv" + name: + - python-openstackclient + state: latest + extra_args: "{% if pip_upper_constraints_file %}-c {{ pip_upper_constraints_file }}{% endif %}" + run_once: true + delegate_to: "{{ groups['controllers'][0] }}" + vars: + ansible_host: "{{ hostvars[groups['controllers'][0]].ansible_host }}" + + - name: Read admin-openrc credential file + ansible.builtin.command: + cmd: "cat {{ lookup('ansible.builtin.env', 'KOLLA_CONFIG_PATH') }}/admin-openrc.sh" + delegate_to: localhost + register: credential + changed_when: false + + - name: Set facts for admin credentials + ansible.builtin.set_fact: + openstack_auth_env: + OS_PROJECT_DOMAIN_NAME: "{{ credential.stdout_lines | select('match', '.*OS_PROJECT_DOMAIN_NAME*.') | first | split('=') | last | replace(\"'\", '') }}" + OS_USER_DOMAIN_NAME: "{{ credential.stdout_lines | select('match', '.*OS_USER_DOMAIN_NAME*.') | first | split('=') | last | replace(\"'\", '') }}" + OS_PROJECT_NAME: "{{ credential.stdout_lines | select('match', '.*OS_PROJECT_NAME*.') | first | split('=') | last | replace(\"'\", '') }}" + OS_USERNAME: "{{ credential.stdout_lines | select('match', '.*OS_USERNAME*.') | first | split('=') | last | replace(\"'\", '') }}" + OS_PASSWORD: "{{ credential.stdout_lines | select('match', '.*OS_PASSWORD*.') | first | split('=') | last | replace(\"'\", '') }}" + OS_AUTH_URL: "{{ credential.stdout_lines | select('match', '.*OS_AUTH_URL*.') | first | split('=') | last | replace(\"'\", '') }}" + OS_INTERFACE: "{{ credential.stdout_lines | select('match', '.*OS_INTERFACE*.') | first | split('=') | last | replace(\"'\", '') }}" + OS_IDENTITY_API_VERSION: "{{ credential.stdout_lines | select('match', '.*OS_IDENTITY_API_VERSION*.') | first | split('=') | last | replace(\"'\", '') }}" + OS_CACERT: "{{ '/etc/ssl/certs/ca-certificates.crt' if os_distribution == 'ubuntu' else '/etc/pki/tls/certs/ca-bundle.crt' }}" + + - name: Check ec2 credential for ceph_rgw + ansible.builtin.command: > + {{ venv }}/bin/openstack + ec2 credentials list --user ceph_rgw + 
--format json + environment: "{{ openstack_auth_env }}" + register: credential_check + delegate_to: "{{ groups['controllers'][0] }}" + changed_when: false + vars: + ansible_host: "{{ hostvars[groups['controllers'][0]].ansible_host }}" + run_once: true + + - name: Create ec2 credential if there's none + ansible.builtin.command: > + {{ venv }}/bin/openstack + ec2 credentials create --user ceph_rgw --project service + --format json + environment: "{{ openstack_auth_env }}" + delegate_to: "{{ groups['controllers'][0] }}" + changed_when: true + vars: + ansible_host: "{{ hostvars[groups['controllers'][0]].ansible_host }}" + run_once: true + when: credential_check.stdout == [] + + - name: Query ec2 credential for ceph_rgw + ansible.builtin.command: > + {{ venv }}/bin/openstack + ec2 credentials list --user ceph_rgw + --format json + environment: "{{ openstack_auth_env }}" + delegate_to: "{{ groups['controllers'][0] }}" + changed_when: false + vars: + ansible_host: "{{ hostvars[groups['controllers'][0]].ansible_host }}" + register: credential + run_once: true + + - name: Get object storage endpoint + ansible.builtin.command: > + {{ venv }}/bin/openstack + endpoint list --service object-store --interface internal + --format json + environment: "{{ openstack_auth_env }}" + delegate_to: "{{ groups['controllers'][0] }}" + changed_when: false + vars: + ansible_host: "{{ hostvars[groups['controllers'][0]].ansible_host }}" + register: endpoint + run_once: true + + - name: Process object storage endpoint + ansible.builtin.set_fact: + radosgw_server: "{{ scheme + '://' + hostname + ':' + radosgw_port }}" + vars: + swift: "{{ endpoint.stdout | from_json | first }}" + hostname: "{{ swift.URL | urlsplit('hostname') }}" + scheme: "{{ swift.URL | urlsplit('scheme') }}" + radosgw_port: "{{ swift.URL | urlsplit('port') }}" + run_once: true + + - name: Ensure radosgw_usage_exporter container is running + community.docker.docker_container: + name: radosgw_usage_exporter + image: ghcr.io/stackhpc/radosgw_usage_exporter:v0.1.1 + network_mode: host + env: + RADOSGW_SERVER: "{{ radosgw_server }}" + ADMIN_ENTRY: admin + ACCESS_KEY: "{{ ec2.Access }}" + SECRET_KEY: "{{ ec2.Secret }}" + VIRTUAL_PORT: "{{ stackhpc_radosgw_usage_exporter_port | string }}" + entrypoint: "{{ ['python', '-u', './radosgw_usage_exporter.py', '--insecure'] if not stackhpc_radosgw_usage_exporter_verify else omit }}" + vars: + ec2: "{{ credential.stdout | from_json | first }}" + become: true + + - name: Ensure that the internal TLS certificate is trusted by the exporter + when: stackhpc_radosgw_usage_exporter_cacert | length > 0 + block: + - name: Create radosgw-usage-exporter directory + ansible.builtin.file: + path: /opt/kayobe/radosgw-usage-exporter/ + state: directory + mode: 0755 + + - name: Copy CA certificate to RADOS gateway usage exporter nodes + ansible.builtin.copy: + src: "{{ stackhpc_radosgw_usage_exporter_cacert }}" + dest: "/opt/kayobe/radosgw-usage-exporter/{{ stackhpc_radosgw_usage_exporter_cacert | basename }}" + mode: 0644 + register: copy_to_node_result + + - name: Copy CA certificate to RADOS gateway usage exporter container + community.docker.docker_container_copy_into: + container: radosgw_usage_exporter + path: "{{ copy_to_node_result.dest }}" + container_path: "/usr/local/share/ca-certificates/{{ copy_to_node_result.dest | basename }}" + become: true + + - name: Update CA certificate of RADOS gateway usage exporter container + community.docker.docker_container_exec: + container: radosgw_usage_exporter + command: 
update-ca-certificates + user: root + become: true diff --git a/etc/kayobe/ansible/fix-grub-rl9.yml b/etc/kayobe/ansible/fix-grub-rl9.yml new file mode 100644 index 000000000..d1fd3917d --- /dev/null +++ b/etc/kayobe/ansible/fix-grub-rl9.yml @@ -0,0 +1,21 @@ +--- +- name: Remove "--root-dev-only" from grub.cfg if OS is Rocky Linux 9 + hosts: overcloud + become: yes + gather_facts: true + tasks: + - block: + - name: Check that /boot/efi/EFI/rocky/grub.cfg exists + ansible.builtin.stat: + path: /boot/efi/EFI/rocky/grub.cfg + register: stat_result + + - name: Remove "--root-dev-only" from /boot/efi/EFI/rocky/grub.cfg + ansible.builtin.replace: + path: /boot/efi/EFI/rocky/grub.cfg + regexp: '--root-dev-only\s?' + replace: '' + when: stat_result.stat.exists + when: + - ansible_facts['distribution'] == 'Rocky' + - ansible_facts['distribution_major_version'] == '9' diff --git a/etc/kayobe/environments/ci-aio/automated-setup.sh b/etc/kayobe/environments/ci-aio/automated-setup.sh index 84e738247..cbb1e814f 100644 --- a/etc/kayobe/environments/ci-aio/automated-setup.sh +++ b/etc/kayobe/environments/ci-aio/automated-setup.sh @@ -76,10 +76,6 @@ fi sudo ip l set dummy1 up sudo ip l set dummy1 master breth1 -if type apt; then - sudo cp /run/systemd/network/* /etc/systemd/network -fi - export KAYOBE_VAULT_PASSWORD=$(cat $BASE_PATH/vault-pw) pushd $BASE_PATH/src/kayobe-config source kayobe-env --environment ci-aio diff --git a/etc/kayobe/environments/ci-aio/controllers.yml b/etc/kayobe/environments/ci-aio/controllers.yml index 8972187df..12fe3afcb 100644 --- a/etc/kayobe/environments/ci-aio/controllers.yml +++ b/etc/kayobe/environments/ci-aio/controllers.yml @@ -6,6 +6,9 @@ # to setup the Kayobe user account. Default is {{ os_distribution }}. controller_bootstrap_user: "{{ os_distribution if os_distribution == 'ubuntu' else 'cloud-user' }}" +controller_extra_network_interfaces: + - ethernet + # Controller lvm configuration. See intentory/group_vars/controllers/lvm.yml # for the exact configuration. controller_lvm_groups: diff --git a/etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/network-interfaces b/etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/network-interfaces index 2f8d30103..85f318f42 100644 --- a/etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/network-interfaces +++ b/etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/network-interfaces @@ -2,6 +2,11 @@ ############################################################################### # Network interface definitions for the controller group. +# Ethernet interface is the `primary` or `physical` interface associated +# with the instance that the AIO deployment runs inside of. It is the interface used +# to reach the instance. +ethernet_interface: "{{ ansible_facts['default_ipv4']['interface'] }}" + # Controller interface on all-in-one network. aio_interface: breth1 # Use dummy1 if it exists, otherwise the bridge will have no ports. diff --git a/etc/kayobe/environments/ci-aio/networks.yml b/etc/kayobe/environments/ci-aio/networks.yml index e3cc4d43d..4bf4e96cd 100644 --- a/etc/kayobe/environments/ci-aio/networks.yml +++ b/etc/kayobe/environments/ci-aio/networks.yml @@ -80,6 +80,12 @@ cleaning_net_name: aio ############################################################################### # Network definitions. 
+# This network is required to be defined within `ci-aio` environment to ensure that +# the network interface files are created appropriately and to provide easy inclusion +# within the firewall configuration. +ethernet_bootproto: dhcp +ethernet_zone: trusted + # All-in-one network. aio_cidr: 192.168.33.0/24 aio_allocation_pool_start: 192.168.33.3 diff --git a/etc/kayobe/hooks/overcloud-host-package-update/post.d/10-fix-grub-rl9.yml b/etc/kayobe/hooks/overcloud-host-package-update/post.d/10-fix-grub-rl9.yml new file mode 120000 index 000000000..775762abf --- /dev/null +++ b/etc/kayobe/hooks/overcloud-host-package-update/post.d/10-fix-grub-rl9.yml @@ -0,0 +1 @@ +../../../ansible/fix-grub-rl9.yml \ No newline at end of file diff --git a/etc/kayobe/hooks/overcloud-service-deploy/post.d/deploy-radosgw-usage-exporter.yml b/etc/kayobe/hooks/overcloud-service-deploy/post.d/deploy-radosgw-usage-exporter.yml new file mode 120000 index 000000000..3d939329a --- /dev/null +++ b/etc/kayobe/hooks/overcloud-service-deploy/post.d/deploy-radosgw-usage-exporter.yml @@ -0,0 +1 @@ +../../../ansible/deploy-radosgw-usage-exporter.yml \ No newline at end of file diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index 424cc8f73..68c331aba 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml @@ -5,35 +5,32 @@ kolla_image_tags: openstack: rocky-9: 2024.1-rocky-9-20240903T113235 - ubuntu-jammy: 2024.1-ubuntu-jammy-20240725T165045 + ubuntu-jammy: 2024.1-ubuntu-jammy-20240917T091559 heat: rocky-9: 2024.1-rocky-9-20240805T142526 - ubuntu-jammy: 2024.1-ubuntu-jammy-20240805T142526 nova: - rocky-9: 2024.1-rocky-9-20240918T164436 - ubuntu-jammy: 2024.1-ubuntu-jammy-20240918T164436 + rocky-9: 2024.1-rocky-9-20241004T094540 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241004T094540 neutron: - rocky-9: 2024.1-rocky-9-20240918T164436 - ubuntu-jammy: 2024.1-ubuntu-jammy-20240918T164436 + rocky-9: 2024.1-rocky-9-20241025T090323 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241025T090323 octavia: - rocky-9: 2024.1-rocky-9-20240926T144142 - ubuntu-jammy: 2024.1-ubuntu-jammy-20240926T144142 + rocky-9: 2024.1-rocky-9-20241004T094540 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241004T094540 horizon: rocky-9: 2024.1-rocky-9-20240909T144917 - ubuntu-jammy: 2024.1-ubuntu-jammy-20240909T144917 bifrost_deploy: rocky-9: 2024.1-rocky-9-20240725T165045 prometheus: rocky-9: 2024.1-rocky-9-20240910T072617 - ubuntu-jammy: 2024.1-ubuntu-jammy-20240910T072617 rabbitmq: rocky-9: 2024.1-rocky-9-20240927T152945 ironic: - rocky-9: 2024.1-rocky-9-20241022T090648 - ubuntu-jammy: 2024.1-ubuntu-jammy-20241022T090648 + rocky-9: 2024.1-rocky-9-20241023T143407 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241023T143407 ironic_dnsmasq: - rocky-9: 2024.1-rocky-9-20241022T090648 - ubuntu-jammy: 2024.1-ubuntu-jammy-20241022T090648 + rocky-9: 2024.1-rocky-9-20241023T143407 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241023T143407 ironic_neutron_agent: - rocky-9: 2024.1-rocky-9-20241022T090648 - ubuntu-jammy: 2024.1-ubuntu-jammy-20241022T090648 + rocky-9: 2024.1-rocky-9-20241023T143407 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241023T143407 diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index e90b84a57..a85320e8d 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -360,6 +360,8 @@ kolla_build_customizations_common: nova_compute_packages_append: - python3-libvirt - python3-ethtool + neutron_mlnx_agent_pip_packages_override: + - networking-mlnx@git+https://github.com/stackhpc/networking-mlnx@stackhpc/{{ openstack_release 
}} kolla_build_customizations_rocky: kolla_toolbox_packages_remove: diff --git a/etc/kayobe/kolla/config/ironic/policy.yaml b/etc/kayobe/kolla/config/ironic/policy.yaml new file mode 100644 index 000000000..3461786cc --- /dev/null +++ b/etc/kayobe/kolla/config/ironic/policy.yaml @@ -0,0 +1,6 @@ +# Retrieve multiple Node records +# GET /nodes +# GET /nodes/detail +# Intended scope(s): system, project +# Overridden: added role:admin +"baremetal:node:list_all": "role:admin or (role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role" diff --git a/etc/kayobe/kolla/config/prometheus/prometheus.yml.d/80-radosgw-exporter.yml b/etc/kayobe/kolla/config/prometheus/prometheus.yml.d/80-radosgw-exporter.yml new file mode 100644 index 000000000..304736a80 --- /dev/null +++ b/etc/kayobe/kolla/config/prometheus/prometheus.yml.d/80-radosgw-exporter.yml @@ -0,0 +1,21 @@ +# yamllint disable-file +--- +{% if stackhpc_enable_radosgw_usage_exporter | bool %} +{% raw %} +scrape_configs: + - job_name: ceph_radosgw_usage_exporter + honor_labels: true + scrape_interval: 15s + metric_relabel_configs: + - replacement: ${1} + source_labels: [owner,user] + target_label: tenant_id + separator: "" + regex: (.+) + static_configs: + - targets: + {% for host in groups['monitoring'] %} + - "{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{% endraw %}{{ stackhpc_radosgw_usage_exporter_port }}{% raw %}" + {% endfor %} +{% endraw %} +{% endif %} diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml index c36b659b5..30d3af9bb 100644 --- a/etc/kayobe/kolla/globals.yml +++ b/etc/kayobe/kolla/globals.yml @@ -22,6 +22,13 @@ kolla_image_tags: # Variables defining which tag to use for each container's image. {{ lookup('pipe', 'python3 ' ~ kayobe_config_path ~ '/../../tools/kolla-images.py list-tag-vars') }} +# FIXME: Pin to Antelope Magnum until it is working again upstream +kayobe_image_tags: + magnum: + rocky: 2023.1-rocky-9-20240821T102442 + ubuntu: 2023.1-ubuntu-jammy-20240821T102442 + +magnum_tag: "{% raw %}{{ kayobe_image_tags['magnum'][kolla_base_distro] }}{% endraw %}" ############################################################################# # Monitoring and alerting related settings diff --git a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter index cc4990334..6683d9c56 100644 --- a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter +++ b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter @@ -132,6 +132,45 @@ prometheus_blackbox_exporter_endpoints_default: enabled: "{{ enable_rabbitmq | bool }}" - endpoints: "{% set redis_endpoints = [] %}{% for host in groups.get('redis', []) %}{{ redis_endpoints.append('redis_' + host.replace('-', '') + ':tcp_connect:' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['redis_port']) }}{% endfor %}{{ redis_endpoints }}" enabled: "{{ enable_redis | bool }}" + # Backend endpoints + - endpoints: "{% set barbican_endpoints = [] %}{% for host in groups.get('barbican-api', []) %}{{ barbican_endpoints.append('barbican_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['barbican_api_port']) }}{% endfor %}{{ barbican_endpoints }}" + enabled: "{{ enable_barbican | bool }}" + - endpoints: "{% set blazar_endpoints = [] 
%}{% for host in groups.get('blazar-api', []) %}{{ blazar_endpoints.append('blazar_backend_' + host.replace('-', '') + ':os_endpoint:' + 'http://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['blazar_api_port']) }}{% endfor %}{{ blazar_endpoints }}" + enabled: "{{ enable_blazar | bool }}" + - endpoints: "{% set cinder_endpoints = [] %}{% for host in groups.get('cinder-api', []) %}{{ cinder_endpoints.append('cinder_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['cinder_api_port']) }}{% endfor %}{{ cinder_endpoints }}" + enabled: "{{ enable_cinder | bool }}" + - endpoints: "{% set designate_endpoints = [] %}{% for host in groups.get('designate-api', []) %}{{ designate_endpoints.append('designate_backend_' + host.replace('-', '') + ':os_endpoint:' + 'http://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['designate_api_port']) }}{% endfor %}{{ designate_endpoints }}" + enabled: "{{ enable_designate | bool }}" + - endpoints: "{% set glance_endpoints = [] %}{% for host in groups.get('glance-api', []) %}{{ glance_endpoints.append('glance_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if glance_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['glance_api_port']) }}{% endfor %}{{ glance_endpoints }}" + enabled: "{{ enable_glance | bool }}" + - endpoints: "{% set gnocchi_endpoints = [] %}{% for host in groups.get('gnocchi-api', []) %}{{ gnocchi_endpoints.append('gnocchi_backend_' + host.replace('-', '') + ':os_endpoint:' + 'http://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['gnocchi_api_port']) }}{% endfor %}{{ gnocchi_endpoints }}" + enabled: "{{ enable_gnocchi | bool }}" + - endpoints: "{% set heat_endpoints = [] %}{% for host in groups.get('heat-api', []) %}{{ heat_endpoints.append('heat_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['heat_api_port']) }}{% endfor %}{{ heat_endpoints }}" + enabled: "{{ enable_heat | bool }}" + - endpoints: "{% set heat_cfn_endpoints = [] %}{% for host in groups.get('heat-api-cfn', []) %}{{ heat_cfn_endpoints.append('heat_cfn_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['heat_api_cfn_port']) }}{% endfor %}{{ heat_cfn_endpoints }}" + enabled: "{{ enable_heat | bool }}" + - endpoints: "{% set horizon_endpoints = [] %}{% for host in groups.get('horizon', []) %}{{ horizon_endpoints.append('horizon_backend_' + host.replace('-', '') + ':http_2xx:' + ('https' if horizon_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['horizon_listen_port']) }}{% endfor %}{{ horizon_endpoints }}" + enabled: "{{ enable_horizon | bool }}" + - endpoints: "{% set keystone_endpoints = [] %}{% for host in groups.get('keystone-api', []) %}{{ keystone_endpoints.append('keystone_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | 
kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['keystone_internal_port']) }}{% endfor %}{{ keystone_endpoints }}" + enabled: "{{ enable_keystone | bool }}" + - endpoints: "{% set magnum_endpoints = [] %}{% for host in groups.get('magnum-api', []) %}{{ magnum_endpoints.append('magnum_backend_' + host.replace('-', '') + ':os_endpoint:' + 'http://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['magnum_api_port']) }}{% endfor %}{{ magnum_endpoints }}" + enabled: "{{ enable_magnum | bool }}" + - endpoints: "{% set manila_endpoints = [] %}{% for host in groups.get('manila-api', []) %}{{ manila_endpoints.append('manila_backend_' + host.replace('-', '') + ':os_endpoint:' + 'http://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['manila_api_port']) }}{% endfor %}{{ manila_endpoints }}" + enabled: "{{ enable_manila | bool }}" + - endpoints: "{% set neutron_endpoints = [] %}{% for host in groups.get('neutron-server', []) %}{{ neutron_endpoints.append('neutron_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if neutron_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['neutron_server_port']) }}{% endfor %}{{ neutron_endpoints }}" + enabled: "{{ enable_neutron | bool }}" + - endpoints: "{% set nova_endpoints = [] %}{% for host in groups.get('nova-api', []) %}{{ nova_endpoints.append('nova_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['nova_api_port']) }}{% endfor %}{{ nova_endpoints }}" + enabled: "{{ enable_nova | bool }}" + - endpoints: "{% set octavia_endpoints = [] %}{% for host in groups.get('octavia-api', []) %}{{ octavia_endpoints.append('octavia_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['octavia_api_port']) }}{% endfor %}{{ octavia_endpoints }}" + enabled: "{{ enable_octavia | bool }}" + - endpoints: "{% set placement_endpoints = [] %}{% for host in groups.get('placement-api', []) %}{{ placement_endpoints.append('placement_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['placement_api_port']) }}{% endfor %}{{ placement_endpoints }}" + enabled: "{{ enable_placement | bool }}" + - endpoints: "{% set ironic_endpoints = [] %}{% for host in groups.get('ironic-api', []) %}{{ ironic_endpoints.append('ironic_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['ironic_api_port']) }}{% endfor %}{{ ironic_endpoints }}" + enabled: "{{ enable_ironic | bool }}" + - endpoints: "{% set ironic_inspector_endpoints = [] %}{% for host in groups.get('ironic-inspector', []) %}{{ ironic_inspector_endpoints.append('ironic_inspector_backend_' + host.replace('-', '') + ':os_endpoint:' + ('https' if kolla_enable_tls_backend | bool else 'http') + '://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['ironic_inspector_port']) }}{% endfor %}{{ 
ironic_inspector_endpoints }}" + enabled: "{{ enable_ironic | bool }}" + - endpoints: "{% set swift_endpoints = [] %}{% for host in groups.get('swift-api', []) %}{{ swift_endpoints.append('swift_backend_' + host.replace('-', '') + ':os_endpoint:' + 'http://' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['swift_api_port']) }}{% endfor %}{{ swift_endpoints }}" + enabled: "{{ enable_swift | bool }}" # Ensure service endpoints are defined blazar_internal_base_endpoint: "{{ blazar_internal_fqdn | kolla_url(internal_protocol, blazar_api_port) }}" diff --git a/etc/kayobe/kolla/kolla-build.conf b/etc/kayobe/kolla/kolla-build.conf index 88f3d3164..96699c2f7 100644 --- a/etc/kayobe/kolla/kolla-build.conf +++ b/etc/kayobe/kolla/kolla-build.conf @@ -3,7 +3,7 @@ {# snapshots, so pin to a specific tag. #} {# This tag should be updated when Ubuntu package repo snapshot versions are changed. #} {% if kolla_base_distro == 'ubuntu' %} -base_tag = jammy-20231004 +base_tag = jammy-20240808 {# Similarly pinning to Rocky 9 minor version used in our repos #} {% elif kolla_base_distro == 'rocky' %} base_tag = 9.{{ stackhpc_pulp_repo_rocky_9_minor_version }} diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml index b11007172..869f0190d 100644 --- a/etc/kayobe/pulp-repo-versions.yml +++ b/etc/kayobe/pulp-repo-versions.yml @@ -57,6 +57,6 @@ stackhpc_pulp_repo_rocky_9_4_highavailability_aarch64_version: 20240927T073838 stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240718T001130 stackhpc_pulp_repo_rocky_9_sig_security_common_aarch64_version: 20240927T073838 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20240911T041957 -stackhpc_pulp_repo_ubuntu_jammy_security_version: 20240911T063424 -stackhpc_pulp_repo_ubuntu_jammy_version: 20240911T063424 +stackhpc_pulp_repo_ubuntu_jammy_security_version: 20240924T064114 +stackhpc_pulp_repo_ubuntu_jammy_version: 20240924T064114 stackhpc_pulp_repo_ceph_reef_debian_version: 20240925T152022 diff --git a/etc/kayobe/stackhpc-monitoring.yml b/etc/kayobe/stackhpc-monitoring.yml index e2377a13e..3e9fb107e 100644 --- a/etc/kayobe/stackhpc-monitoring.yml +++ b/etc/kayobe/stackhpc-monitoring.yml @@ -53,3 +53,19 @@ redfish_exporter_default_password: "{{ ipmi_password }}" redfish_exporter_target_address: "{{ ipmi_address }}" ############################################################################### + +# Whether the RADOS gateway usage exporter is enabled. +# Enabling this will result in templating radosgw_usage_exporter endpoint as +# Prometheus scrape targets during deployment. +stackhpc_enable_radosgw_usage_exporter: false + +# Port to expose RADOS gateway usage exporter. Default is 9242 +stackhpc_radosgw_usage_exporter_port: 9242 + +# Path to a certificate for internal TLS in the RADOS gateway usage exporter. +stackhpc_radosgw_usage_exporter_cacert: "" + +# Whether TLS certificate verification is enabled for the RADOS gateway usage +# exporter for querying Ceph RADOS gateway APIs. Default follows the condition +# of kolla_enable_tls_internal +stackhpc_radosgw_usage_exporter_verify: "{{ kolla_enable_tls_internal }}" diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml index 090eaf3a9..51b152666 100644 --- a/etc/kayobe/stackhpc.yml +++ b/etc/kayobe/stackhpc.yml @@ -149,11 +149,7 @@ stackhpc_kolla_source_version: "stackhpc/{{ openstack_release }}" # Kolla Ansible source repository. 
 stackhpc_kolla_ansible_source_url: "https://github.com/stackhpc/kolla-ansible"
-# FIXME: Waiting for
-# https://review.opendev.org/c/openstack/kolla-ansible/+/926198 to merge and
-# sync to stackhpc/2024.1
-# stackhpc_kolla_ansible_source_version: "stackhpc/{{ openstack_release }}"
-stackhpc_kolla_ansible_source_version: "fix-prometheus"
+stackhpc_kolla_ansible_source_version: "stackhpc/{{ openstack_release }}"

 ###############################################################################
 # Container image registry
diff --git a/releasenotes/notes/add-radosgw-usage-exporter-support-93d55c544418b05a.yaml b/releasenotes/notes/add-radosgw-usage-exporter-support-93d55c544418b05a.yaml
new file mode 100644
index 000000000..8b6e4d4e3
--- /dev/null
+++ b/releasenotes/notes/add-radosgw-usage-exporter-support-93d55c544418b05a.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Adds RADOS Gateway usage exporter support.
+
+    To deploy the exporter, set ``stackhpc_enable_radosgw_usage_exporter`` to
+    true, then run the ``deploy-radosgw-usage-exporter.yml`` playbook. If
+    internal TLS is enabled, set ``stackhpc_radosgw_usage_exporter_cacert`` to
+    the path of the CA certificate.
diff --git a/releasenotes/notes/allow-admins-to-list-bms-ff0bc40d605d4ca2.yaml b/releasenotes/notes/allow-admins-to-list-bms-ff0bc40d605d4ca2.yaml
new file mode 100644
index 000000000..b830aac0d
--- /dev/null
+++ b/releasenotes/notes/allow-admins-to-list-bms-ff0bc40d605d4ca2.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added a custom policy to Ironic that allows users with the ``admin`` role
+    to list all baremetal nodes. This is required at sites where baremetal
+    provisioning targets a specific node, as we need to look up the node's
+    UUID to pass as the hypervisor hostname.
diff --git a/releasenotes/notes/blackbox-backend-4415919e10a1aa4e.yaml b/releasenotes/notes/blackbox-backend-4415919e10a1aa4e.yaml
new file mode 100644
index 000000000..a16b40622
--- /dev/null
+++ b/releasenotes/notes/blackbox-backend-4415919e10a1aa4e.yaml
@@ -0,0 +1,14 @@
+---
+features:
+  - |
+    Added Blackbox monitoring for backend endpoints by default. Note that this
+    configuration will only work if the Blackbox exporters have access to the
+    backend endpoints.
+issues:
+  - |
+    Backend Blackbox monitoring will not work if the exporter does not have
+    access to the backend OpenStack endpoints. This usually happens when
+    separate monitoring nodes are deployed. In this case, move the Blackbox
+    exporter to the HAProxy group, remove the endpoints from
+    ``etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter``, or
+    silence the alerts permanently.
diff --git a/releasenotes/notes/caracal-bump-container-images-083b691e83816b3b.yaml b/releasenotes/notes/caracal-bump-container-images-083b691e83816b3b.yaml
new file mode 100644
index 000000000..e4070f66a
--- /dev/null
+++ b/releasenotes/notes/caracal-bump-container-images-083b691e83816b3b.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Bumped the base image for Ubuntu 22.04 containers.
+  - |
+    Additionally bumped the Nova, Neutron and Octavia images for both Rocky
+    and Ubuntu.
diff --git a/releasenotes/notes/ironic-patch-cve-2024-44082-87c70b333bc28ea0.yaml b/releasenotes/notes/ironic-patch-cve-2024-44082-87c70b333bc28ea0.yaml
new file mode 100644
index 000000000..ee8c7cf28
--- /dev/null
+++ b/releasenotes/notes/ironic-patch-cve-2024-44082-87c70b333bc28ea0.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Bumps the Ironic containers to patch CVE-2024-44082; see `OSSA-2024-003
+    `__ for details.
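The release note above names the switch and the playbook for the new exporter; as a usage sketch (assuming the standard StackHPC Kayobe configuration layout, with ``stackhpc_enable_radosgw_usage_exporter: true`` set in ``etc/kayobe/stackhpc-monitoring.yml``), the deployment can also be run on demand:

    # Runs the new playbook directly; it is also triggered automatically as an
    # overcloud service deploy post hook added by this change.
    kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/deploy-radosgw-usage-exporter.yml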
diff --git a/releasenotes/notes/magnum-pin-958b39182e565697.yaml b/releasenotes/notes/magnum-pin-958b39182e565697.yaml
new file mode 100644
index 000000000..e13bcbdd6
--- /dev/null
+++ b/releasenotes/notes/magnum-pin-958b39182e565697.yaml
@@ -0,0 +1,6 @@
+---
+issues:
+  - |
+    Magnum has been pinned to the Antelope release due to an issue upstream in
+    Caracal. See `here `__ for
+    more details.
diff --git a/terraform/aio/vm.tf b/terraform/aio/vm.tf
index a0d097cbe..8113a5912 100644
--- a/terraform/aio/vm.tf
+++ b/terraform/aio/vm.tf
@@ -35,7 +35,7 @@ variable "aio_vm_subnet" {

 variable "aio_vm_volume_size" {
   type = number
-  default = 40
+  default = 50
 }

 variable "aio_vm_tags" {
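As an illustration of the ``AvailabilityZoneFilter`` removal described in the upgrade notes earlier in this change, the filter only needs to be dropped from ``enabled_filters`` in any Nova scheduler overrides; the path and filter list below are assumptions for the sake of example, since each site manages its own overrides:

    # etc/kayobe/kolla/config/nova.conf (hypothetical site override)
    [filter_scheduler]
    # Before upgrading to Caracal:
    #enabled_filters = AvailabilityZoneFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter
    # After dropping the removed filter:
    enabled_filters = ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter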