openstack/openstack-ansible-haproxy_server - openstack-ansible-haproxy_server - OpenDev: Free Software Needs Free Tools

This role only support openSUSE Leap 15, not 42.3, not tumbleweed.
Saying all is confusing and a bad practice. This fixes it, while
ensuring the job is properly defined to test that assertion.
Change-Id: I679939edd56149a2aed29228e5215648956c60da

Change-Id: I3202333007abbb4bf15cfadbec01a39e9ffaa68b

Change-Id: Icacdc17bd35bdc30646f7dd9011933b764adec1a

This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html
Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.

Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: Idf442d5b01f54206fdff44022995e6b2eda90b0f
Sem-Ver: feature

This patch adds the Debian jobs for this role to make sure
it's always passing as well as updates the meta to reflect
it's support of Debian accordingly.
It also clean-up an old variable which is carried for upgrades
that is no longer relevant now.
A new variable has been added to ensure pre-packages, which
have been generally assumed to be installed as a base OS
package, have been installed before installing the application
or configuring the system via the role.
Depends-On: I135ea73604890eae5e9e2a7cdcab81b2b39ad426
Change-Id: I19094b540aff81b7aa029880e404a2990f82e538
Signed-off-by: Kevin Carter <kevin@cloudnull.com>

When we restart HAproxy, we kill all the connections and it causes
all of the services to be dropped out. This is really not ideal and
causes things to be lost in the control plane.
This patch instead does a reload which will safely keep the existing
clients connected till they evacuate and then use SO_REUSEPORT for
the new process.
Change-Id: I502457f691ad66dfd68ace21ac1575cea23b538a

sphinxmark is no longer compatible with the latest release of Sphinx
which is causing all of our documentation jobs to fail. This patch
removes it as our current usage of openstacktheme for documentation
already provides watermarks for current branch and notices for which
branch the documentation covers.
Change-Id: I06fec95c12a239a6d143a8bf7d6e072d4eeb6d2d

Change-Id: I1ce94c4ab7eb6532c1445d80304543eaf872422a

The HTTP keepalive mode is currently hardcoded to "http-server-close"
for all HTTP services. This disables keepalive for HAProxy to backend
connections, but leaves it enabled for client connections to HAProxy.
This is problematic especially for service to service calls (e.g.
nova-api to neutron). If a request is made at the same time the HAProxy
keepalive timeout expires, the result of the request is undefined. This
leads to code 500 error responses from the nova-api because the request
from nova-api to neutron failed. "Connection aborted" error messages in
the logs are an indication of this issue.
There is also a bug report[1] about the same issue in devstack which was
solved by disabling keepalive and a script[2] to reproduce the issue in
devstack.
This adds a default and per service variables to set the HTTP keepalive
mode used by HAProxy. The default value is changed to "forceclose" to
disable HTTP keepalive on the server and client side. With HTTP
keepalive disabled the issue can no longer be reproduced.
[1] https://bugs.launchpad.net/devstack/+bug/1630664
[2] https://github.com/JordanP/openstack-snippets/blob/master/keepalive-race/keep-alive-race.py
Change-Id: If819912873270f0568974925490023310f9cbd66

The suffix is added automatically by certbot if there is already a configuration for
domain passed as argument.
Change-Id: I7440b84648bf58c36dcb262920c876c7d1a5efa4

Change-Id: Ia10e5172c1d7a65fb5325ce6499d0ba9105d4a8e

certbot-auto wants to install depedencies which are possibly
not fulfilled by the repo-server - so bypass installation here.
Use the venv bin later for the renew script.
Minor errors are also fixed.
Change-Id: I4087bbcb4fe6182cb090a5b6b85bea36768b4f4f

- installs certbot-auto
- generates and validates ssl cert
- installs cert in haproxy settings
- renew cert with cron
Change-Id: Iea59ec2893a988b184ca8bc70e1d273ac071551e

We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: I1d9a985c6c81f7ee789daa4c8529d33635503787
Closes-Bug: #1801657 

The template previously set the rise/fall count to the number
of backend/backup nodes. This may not always be appropriate
so this patch allows the rise/fall counts to be defined per
service if required. The default behaviour remains unchanged
if no rise/fall counts are provided.
Change-Id: Ib413b622310b1f6f5146060089af7dffc0dd9236

Secure by default
Change-Id: I70007af94bfd5e482662ab72d25bf090cf5d0834

There are many possible options that can be set for haproxy backend
servers but the current template does not provide a means for these
to be supplied. This patch follows the pattern already used with
haproxy_backend_options and creates a new haproxy_backend_server_options.
Change-Id: Ic312e5915a5df07121ffadca643ca6e4013e00ee

openstack-dev was decomissioned this night in https://review.openstack.org/621258
Update openstack-dev to openstack-discuss
Change-Id: Ic3f30f6027926f720e132f96e308cc34d018891c

Change-Id: I9a432f69b5c891d8f1cdcaeaf16076a4bf75ee25

Change-Id: I015d45907e755de4c506b03b22e8f8ff4cd48528

Change-Id: Id6ffcc8146ad0ae298bcee38ce58e0ea912514ba

Allow deprecation of haproxy endpoints by setting the state of the
service to 'absent'. It will also now clean up any config files
when there are no backends, or the service is disabled.
Change-Id: I1db5932c559b5e04d330c114164869dd43c1cbb2

Change-Id: I97bc5724f6507ae5fe6fe92fe8c95ce6533e1336

Change-Id: I3e281d2ea7addcfea07f63b1c49f695a99a87ed0

Change-Id: I1ffcec44e42d94dd9dea7332cc0f7105753a0083

We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: Iee7722a0ef9d7adacc666b51989373a01248cbcd
Signed-off-by: Doug Hellmann <doug@doughellmann.com>

* Install haproxy-logging.cfg numerically before Ubuntu's
 /etc/rsyslog.d/49-haproxy.conf so its logging directives see HAProxy
 logs before they are discarded by 49-haproxy.conf.
* Set owner of /var/log/haproxy to rsyslog's `syslog` user so rsyslog
 can write to it on Ubuntu.
* Limit HAProxy-related rsyslog processing to HAProxy log messages
 instead of any/all log messages with the local0 or local1 facility
 and assuming HAProxy is the only application using those facilities.
Change-Id: Ic259abc281619ba5ee8f020ac68373858a06e94d
Closes-Bug: #1783886 

openSUSE ships a HAProxy profile which prevents the creation of the
/run/haproxy.stat file.
profile="/usr/sbin/haproxy" name="/run/haproxy.stat.21697.tmp" pid=21697 comm="haproxy" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
As such, lets follow the common pattern across OSA roles to disable the
profile instead of trying to manage it.
Change-Id: Iaacb628f4cc78687c95034e81ed924807a3018bd

Change-Id: Ia5b86821ad3bc9458f7a474a13479939dd2ca21d

The role uses the 'adm' group when creating the log directory. However,
nothing really checks whether the groups is present or not, so it will
fail in case it is not. As such, we need to create the group before
trying to use it.
Change-Id: I757632db50b57710da77ea36de09e5f76674fcd5

Curly quotes(Chinese punctuation) usually input from Chinese input
method. When read from english context, it makes some confusion.
Change-Id: Ia7da4523e726db04f85b1ebd49bf5ec4e31fe727
Closes-Bug: #1792131 

This is a mechanically generated patch to switch the documentation
jobs to use the new PTI versions of the jobs as part of the
python3-first goal.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: I08fbb533b6e7e35b257a1f14efd2cfe6725ff776
Story: #2002586
Task: #24319 

This is a mechanically generated patch to complete step 1 of moving
the zuul job settings out of project-config and into each project
repository.
Because there will be a separate patch on each branch, the branch
specifiers for branch-specific jobs have been removed.
Because this patch is generated by a script, there may be some
cosmetic changes to the layout of the YAML file(s) as the contents are
normalized.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: Icdfca2f5d33ecb97c5c13948fdf3c38eb4e047f1
Story: #2002586
Task: #24319 

The TESTING_BRANCH environment variable is provided by the
run_tests.sh script and is derived from the .gitreview file.
This ensures that once the master branch becomes a stable
branch, the constraints from the stable branch in the
integrated repository will automatically get used once the
.gitreview file is updated.
To ensure that the required environment variables are present
we export them appropriately in run_tests.sh and modify the
tox configuration to pass them into the tox test.
Change-Id: Id1dc554c375f499c365e05017f6617e5e905a855
Needed-By: https://review.openstack.org/579371 

Change-Id: I196be7531999af51ce0b1d1ce8e24aee8fd323dc