2928f95e1ad70ff914deefcf2c66b6b49125a89e
323 Commits
| Author | SHA1 | Message | Date |
|---|---|---|---|
| Zuul | 2928f95e1a | Merge "Fix linters and metadata" | |
| Dmitriy Rabotyagov | 9b9bc21121 | **Fix linters and metadata** With the update of ansible-lint to version >=6.0.0 a lot of new linters were added that are enabled by default. In order to comply with linter rules we're applying changes to the role. With that we also update metadata to reflect the current state. Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223 Change-Id: I730ae569f199fc8542a5a61beb149f459465d7e2 | |
| Damian Dabrowski | 7000bc3f3f | **Deprecate nova_ram_weight_multiplier** A long time ago a variable `nova_ram_weight_multiplier` was implemented and its default value was set to 5.0. There are 2 issues with this: 1. The default value in nova is 1.0 [1], so our value is much bigger than nova's default without having a strong reason for that. 2. OSA does not provide similar variables for other multipliers like `cpu_weight_multiplier`. Because there are a couple of different multipliers and more of them can be implemented in the future (for ex. `hypervisor_version_weight_multiplier` was implemented in 2023.2) it would be hard for the OSA project to maintain variables for all of them. It is better to deprecate `nova_ram_weight_multiplier` and let users define multipliers with `nova_nova_conf_overrides` if necessary. [1] https://docs.openstack.org/nova/2023.1/configuration/config.html#filter_scheduler.ram_weight_multiplier Change-Id: I4f82840e94312d38696e3ddd05ef494821233f4d | |
| Dmitriy Rabotyagov | efe64725e1 | **Add way to periodically trim Nova DB** We're adding 2 services that are responsible for executing db purge and archive_deleted_rows. Services will be deployed by default, but left stopped/disabled. This way we allow deployers to enable/disable the feature by changing the value of nova_archive/purge_deleted. Otherwise, once the variables are set to true, setting them to false won't lead to stopping of DB trimming and that would need to be done manually. Change-Id: I9f110f663fae71f5f3c01c6d09e6d1302d517466 | |
| Zuul | dd00e710d7 | Merge "Add TLS support to nova API backends" | |
| Damian Dabrowski | e02e56fc93 | **Add TLS support to nova API backends** By overriding the variable `nova_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the nova backend api. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled. `nova_pki_console_certificates` are used to encrypt traffic between console proxy and compute hosts; `nova_pki_certificates` are used to encrypt traffic between haproxy and its backends (including console proxy). It would be complex to use nova_pki_console_certificates to encrypt traffic between haproxy and console proxy because they don't have valid key_usage for that, and changing key_usage would require manually setting `pki_regen_cert` for existing environments. Certs securing traffic between haproxy and console proxy are provided in execstarts because otherwise they would have to be defined in nova.conf, which may be shared with nova-api (which stands behind uwsgi and should not use TLS). Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085 Change-Id: Ibff3bf0b5eedc87c221bbb1b5976b12972fda608 | |
| Dmitriy Rabotyagov | b6e904213e | **Remove nova_network_services mapping** At the moment we don't really utilize the neutron_provider_networks mapping except for 2 quite specific drivers, NSX and Nuage. For these 2 use cases we suggest using the overrides functionality instead. Change-Id: I7d905a1dbda1ec722b161b96742247c806bed162 | |
| Dmitriy Rabotyagov | 0e59a29947 | **Remove use_forwarded_for definition for nova-api** The use_forwarded_for option for api has been deprecated since 26.0.0 as this feature is a duplicate of HTTPProxyToWSGI, which has been enabled by default now. Change-Id: I45e70e42605455df944ced63f106a76f351052e8 | |
| Dmitriy Rabotyagov | 6dfcf9d4c8 | **Remove calico driver reference** Calico driver support has been removed from OpenStack-Ansible starting in the Antelope release [1]. We clean up the nova role to drop calico support from it as well. [1] https://review.opendev.org/c/openstack/openstack-ansible/+/866119 Change-Id: Ie9c118b8bab265e5bf06b6ec05731cd673ee4d95 | |
| Jonathan Rosser | b0fcbce66f | **Support configuration of resource providers with config files** Resource providers can be configured using the API or CLI, or they can also be configured on a per-compute node basis using config files stored in /etc/nova/provider_config. This patch adds support for a user defined list of provider config files to be created on the compute nodes. This can be specified in user_variables or perhaps more usefully in group_vars/host_vars. A typical use case would be describing the resources made available as a result of GPU or other hardware installed in a compute node. Change-Id: I13d70a1030b1173b1bc051f00323e6fb0781872b | |
| Zuul | ab92656a36 | Merge "Add nova_ironic_serialconsole_type default setting" | |
| Zuul | 43f9881a0b | Merge "Improve way of cache backend selection" | |
| Jonathan Rosser | 91ef7e41d3 | **Add nova_ironic_serialconsole_type default setting** This variable determines if one of the nova console proxies is deployed alongside the nova-compute service for ironic. Currently the only supported values are "disabled" and "serialconsole". Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/860947 Change-Id: I8eae97f9c60956049072de8b04e557671a8cdcfa | |
| Jonathan Rosser | f8dd01ebdc | **Clarify nova serial proxy bind address** This should be nova_management_address, which by default is equivalent to ansible_host, but the use of ansible_host is confusing when the whole of the rest of os_nova uses nova_management_address for the address to bind services to. Change-Id: Ie34acf0115d8e89e2888952e1c2d3dc03a284aff | |
| Dmitriy Rabotyagov | 242ebe2b54 | **Improve way of cache backend selection** At the moment we don't provide any option other than using the memcached backend. With that we also hardcode the list of packages that should be installed inside the virtualenv for the selected backend. Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us the opportunity to refactor this bit of deployment and allows us to be more flexible in backend selection and requirements installation for it. [1] https://review.opendev.org/c/openstack/oslo.cache/+/854628 Change-Id: I48e193ef29e56aa8639511c5b5dcddc70f5e1198 | |
| Dmitriy Rabotyagov | 611722ffd7 | **Remove AvailabilityZoneFilter from scheduler** The 'AvailabilityZoneFilter' is deprecated since the 24.0.0 (Xena) release. The feature is enabled by the query_placement_for_availability_zone config option and is now enabled by default. Change-Id: I6be16f7621899a45271a70e7c39d76b837d8c5c9 | |
| Dmitriy Rabotyagov | c36fdaa960 | **Support service tokens** Implement support for service_tokens. For that we convert role_name to be a list along with renaming the corresponding variable. Additionally service_type is now defined for keystone_authtoken, which enables validating tokens with restricted access rules. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690 Change-Id: I04b22722b32b6dc8b1dc95e18c3fe96ad17e51ac | |
| Jonathan Rosser | 7a4a35fa7d | **Ensure that openstack_ssh_keyspairs_dir has a default value** This is otherwise undefined in functional tests. Change-Id: I5a387566d5bdb9ee4c34976c55f86f31fc65f87e | |
| Zuul | 9b3081fccf | Merge "Implement nova direct RBD image retrieve" | |
| Jonathan Rosser | e2fc7361cf | **Use ssh_keypairs role to generate cold migration ssh keys** This uses ssh signed certificates, so there is no longer a need to distribute the nova public key from each compute host to all other compute hosts. The legacy scripts and authorized key files are removed as a migration step. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292 Change-Id: I3456bdf7bed66a2675b8a410d4cf6b2174598a22 | |
| Dmitriy Rabotyagov | 3a68118d9b | **Implement nova direct RBD image retrieve** When nova doesn't use rbd images (i.e. local storage) it still might be a good idea to use a direct connection to rbd to get images rather than connecting through HTTP. Change-Id: I4f2d7cf54e07376c7a25d45093f5d83be5422234 | |
| Andrew Bonney | b1e38084cc | **Add configuration option for heartbeat_in_pthread** This configuration option has been observed to result in file descriptor leaks in certain circumstances. A variable is added here so that it can be easily overridden. Change-Id: I7de034307da9352e6f5d1f5f175a330fb8c86463 Related-Bug: #1961603 | |
| Zuul | 559eb382b1 | Merge "Drop nova_glance_api_servers variable" | |
| Dmitriy Rabotyagov | 5846e4d0b1 | **Remove secure_proxy_ssl_header logic** According to the nova doc, secure_proxy_ssl_header has been deprecated and has no effect [1]. Since these variables are not used for any other purpose we drop them. [1] https://docs.openstack.org/nova/latest/configuration/config.html#oslo_middleware.secure_proxy_ssl_header Change-Id: Ibc3ac4f0f3fb038463748f8c1608fa475374cf67 | |
| Dmitriy Rabotyagov | 6775f57c75 | **Drop nova_glance_api_servers variable** Since api_servers from the [glance] section is deprecated and can be silently ignored [1], we drop the corresponding OSA variable. [1] https://docs.openstack.org/nova/latest/configuration/config.html#glance.api_servers Change-Id: I52de65a4629f23fd2c0c3735033a8e2d57a82024 | |
| Zuul | b9dea9e4a0 | Merge "Enable recursion in combine() filter" | |
| Damian Dabrowski | 0a0776df36 | **Enable recursion in combine() filter** Ansible's combine() filter needs the recursive=True parameter in order to recursively merge nested hashes. https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#combining-hashes-dictionaries Change-Id: I2e84c0370c04336c124e5b6549b638483f107601 | |
| Andrew Bonney | 7a33271509 | **Revert "Disable shell for nova when tunneled migration not used"** This reverts commit | |
| Dmitriy Rabotyagov | ca352be75b | **Disable shell for nova when tunneled migration not used** Change-Id: If4d036794cf8edb14e6b0ed491cf0de78f425b2c | |
| Zuul | 6015ee227c | Merge "Database connection pooling improvements" | |
| Damian Dabrowski | fcd582731b | **Database connection pooling improvements** Implemented a new variable `connection_recycle_time` responsible for SQLAlchemy's connection recycling; set new default values for db pooling variables, which are inherited from the global ones. Change-Id: Ibc876f2744c271e9c4ad797597c15af8d73867c1 | |
| Zuul | 9200186888 | Merge "Refactor definition of lock path" | |
| Dmitriy Rabotyagov | 93ef742841 | **Refactor definition of lock path** Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819300 Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/819298 Change-Id: If5622f736e17f0f187a0740d60ea435d03a131bb | |
| Dmitriy Rabotyagov | b0a26dbd7d | **Fix certificates group permissions** Change-Id: I6fded616989ccae02d9d34efb68543336f87f848 | |
| Zuul | e9f3c79832 | Merge "Allow to provide mdev addresses as list" | |
| Zuul | db6e446bc7 | Merge "Enable TLS for VNC from novncproxy to compute hosts" | |
| Dmitriy Rabotyagov | ab3bbd50d5 | **Allow to provide mdev addresses as list** With new Ampere GPUs you need to explicitly define explicit lists of PCI devices whose length depends on the picked type, as placement can't pick them automatically due to nvidia driver brokenness. In order to have a readable representation of the variable it's worth making it iterable but keeping a simple string for backwards compatibility. Change-Id: I2a1e85efc8ad4f6a2596e6d53b1d793b2f934758 | |
| Zuul | d62950ac51 | Merge "Enable TLS for live migrations" | |
| Zuul | 14c229ad94 | Merge "Rename nova_enabled_vgpu_types" | |
| James Gibson | 2b8d5a0b88 | **Enable TLS for VNC from novncproxy to compute hosts** To secure communications from the proxy server to the compute nodes using the VeNCrypt authentication scheme. In a previous patch a TLS server certificate was deployed to compute nodes; this patch makes use of this same server cert for securing VNC sessions on compute nodes. It is recommended that this certificate be issued by a dedicated certificate authority solely for the VNC service, as libvirt does not currently have a mechanism to restrict what certificates can be presented by the proxy server. This has not been implemented to reduce complexity. In addition the noVNC proxy needs to present a client certificate so only approved VNC proxy servers can connect to the Compute nodes. The PKI role has been used to create a client certificate for the nova console nodes. Related Nova docs: https://docs.openstack.org/nova/latest/admin/remote-console-access.html To help with the transition from unencrypted VNC to VeNCrypt, initially the compute nodes' auth scheme allows for both encrypted and unencrypted sessions using the variable `nova_vencrypt_auth_scheme`; this will be removed in future releases. Change-Id: Iafb788f80fd401c6ce6e4576bafd06c92431bd65 | |
| James Gibson | ad8bda5f64 | **Enable TLS for live migrations** Instead of using SSH to live migrate VMs, use TLS as this is more secure and SSH migrations are deprecated. https://docs.openstack.org/nova/xena/admin/secure-live-migration-with-qemu-native-tls.html A pre-existing PKI (Public Key Infrastructure) setup is required. TLS live migrations require that all compute hosts can communicate with each other on port 16514 and port range 49152 to 49261. To enable TLS live migrations, both libvirt and QEMU require server and client certificates: the server certificates are used to verify servers and the client cert is used by servers to authenticate clients. A single cert is created by the pki role that can be used by both libvirt and QEMU for both client and server auth. The client, server and CA certificates need to be installed in a number of locations on each compute host: for Libvirt https://libvirt.org/tlscerts.html; for QEMU https://github.com/libvirt/libvirt/blob/master/src/qemu/qemu.conf Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815007 Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815849 Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/816857 Change-Id: Iddbe8764bb6d3cd3eaee122b2d5ddc02fa3f7662 | |
| Dmitriy Rabotyagov | af44f385d7 | **Rename nova_enabled_vgpu_types** In order to reflect the upstream nova variable change [1] we rename nova_enabled_vgpu_types to nova_enabled_mdev_types. [1] https://docs.openstack.org/nova/latest/configuration/config.html#devices.enabled_mdev_types Change-Id: I7fcc6f6fbfd8e6e358036e72a82348b9cefe74ef | |
| Dmitriy Rabotyagov | aa05a3fa93 | **Refactor galera_use_ssl behaviour** With the PKI role in place, in most cases you don't need to explicitly provide the path to the CA file because the PKI role ensures that the CA is trusted by the system overall. In the meanwhile, in PyMySQL [1] you must either provide a CA file or cert/key or enable verify. Since the current behaviour is to provide the path to the custom CA, we expect the certificate to be trusted overall. Thus we enable cert verification when galera_use_ssl is True. [1] | |
| Gaudenz Steinlin | 9244767bcd | **Use version from repo_packages for SPICE HTML5** Use the version pinned in repo_packages/nova_consoles.yml in openstack-ansible to install the SPICE HTML5 client. Without this change the version pin in openstack-ansible has no effect and the role always installs master. This is the same change as already done for the noVNC console in commit | |
| Jonathan Rosser | 1a358f5dc2 | **Add galera port to nova config and database template** This always existed as a default value but was only used for service setup, never in the runtime db connection url. Update the URL and database connection template to include the port. Change-Id: Ie404c117146c6bbd7eea79300f7c85515fa4e27d | |
| Dmitriy Rabotyagov | 4e88bdb7da | **Don't rely on compute_hosts existence** There might be scenarios when the compute_hosts group is not present, but we still need to deploy the nova scheduler. So we have to set a default for groups['compute_hosts']. Change-Id: I18d42e902b0b3eb5494bcffb424731dfe85c74f9 | |
| Damian Dabrowski | 56fdbfe0d8 | **Dynamically compute nova_scheduler_host_subset_size value** Having this variable set to 10 might be a very bad option for small environments. On the other hand, switching back to the nova default value (1) also has other disadvantages. I think the best option is to add some logic here and compute a proper value based on the number of compute nodes. Change-Id: I073875d380b14771cff434620553eada5068a430 | |
| Jonathan Rosser | 5a60846262 | **Add variables for rabbitmq ssl configuration** Change-Id: Ibe24bf754bd56d6e518b93f05f47d163454e169d | |
| Zuul | 07715e344a | Merge "Remove nova console variables" | |
| Zuul | c2688515a8 | Merge "Re-add nova_dhcp_domain variable" | |