6a592e88d0a333958b68d70f3c11e783516d38b0
104 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
Zuul
|
3c62a72725 | Merge "Enable deployers to force update cell mappings" | ||
|
Dmitriy Rabotyagov
|
51177a6574 |
Enable deployers to force update cell mappings
Add variable nova_cell_force_update to enable deployers to ensure that role execution will also update cell mappings whenever that is needed. For instance, it could be password rotation or intention to update MySQL address. Change-Id: I5b99d58a5c4d27a363306361544c5d80759483fd |
||
|
Dmitriy Rabotyagov
|
ea39d38321 |
Ensure PKI role is run idempotently for AIO metal scenario
Due to clash in resulting certificate names they were re-generated each playbook run. In order to sort that we need to rename certificate names. As `nova_backend_ssl` was implemented latest and not that widely adopted, we change name for it. This will cause all backend certificates for API to be re-generated. Change-Id: I4bca3bb2733fe25dad71345f84d9030c535c901b |
||
|
Dmitriy Rabotyagov
|
3515638326 |
Ensure TLS is enabled properly for cell0 mapping DB connection
Once we've enabled TLS requirement in [1] jobs started failing on cell0 mapping as it was actually different and not connecting to MariaDB through TLS when it was assumed it is. [1] https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/911009 Change-Id: I96fa921cfdb849f59b5abd8452061d4c5bd04a76 |
||
|
Dmitriy Rabotyagov
|
5a533aae23 |
Improve Blazar integration with Nova
As of today we do not have any means of Blazar integration with Nova, while we do provide roles for Blazar installation for a while now. This patch aims to bring in more native integration and remove necessity of overrides for such deployment. Related-Bug: #2048048 Co-Authored-By: Alexey Rusetsky <fenuks@fenuks.ru> Change-Id: Ica50a5504de1b1604f72123751cbb3f45c85ab46 |
||
|
Marc Gariepy
|
9d2924fa80 |
Config has changed for pci passthrough.
updating the config for pci devices since the old config is deprecated. https://docs.openstack.org/nova/latest/configuration/config.html#pci.device_spec Change-Id: Id2da29464359b4845c7d05e3bec53759341f4bad |
||
|
Zuul
|
bf6aaf7ab0 | Merge "Enable multiple console proxies where required in deployments" | ||
|
Andrew Bonney
|
d0877c6fd3 |
Enable multiple console proxies where required in deployments
When Nova is deployed with a mix of x86 and arm systems (for example), it may be necessary to deploy both 'novnc' and 'serialconsole' proxy services on the same host in order to service the mixed compute estate. This patch introduces a list which defines the required proxy console types. Change-Id: I93cece8babf35854e5a30938eeb9b25538fb37f6 |
||
|
Damian Dabrowski
|
7000bc3f3f |
Deprecate nova_ram_weight_multiplier
Long time ago a variable `nova_ram_weight_multiplier` was implemented and its default value was set to 5.0. There are 2 issues with this: 1. Default value in nova is 1.0 [1] so our value is much bigger than nova's default without having a strong reason for that. 2. OSA does not provide similar variables for other multipliers like `cpu_weight_multiplier`. Because there are a couple of different multipliers and more of them can be implemented in the future (for ex. `hypervisor_version_weight_multiplier` was implemented in 2023.2) it would be hard for the OSA project to maintain variables for all of them. It is better to deprecate `nova_ram_weight_multiplier` and let users define multipliers with `nova_nova_conf_overrides` if necessary. [1] https://docs.openstack.org/nova/2023.1/configuration/config.html#filter_scheduler.ram_weight_multiplier Change-Id: I4f82840e94312d38696e3ddd05ef494821233f4d |
||
|
Dmitriy Rabotyagov
|
47007578b1 |
Install libvirt-daemon for RHEL systems
CentOS has upgraded their libvirt to version 9.3, where libvirt-daemon is not installed as a dependency anymore. So we need to explicitly install this package to restore functionality. [1] https://bugzilla.redhat.com/show_bug.cgi?id=2209936 Change-Id: Ic6f2606b5a478c7a891c25bd131ad351a19699bc |
||
|
Dmitriy Rabotyagov
|
efe64725e1 |
Add way to periodically trim Nova DB
We're adding 2 services that are responsible for executing db purge and archive_deleted_rows. Services will be deployed by default, but left stopped/disabled. This way we allow deployers to enable/disable feature by changing value of nova_archive/purge_deleted. Otherwise, when variables set to true once, setting them to false won't lead to stopping of DB trimming and that would need to be done manually. Change-Id: I9f110f663fae71f5f3c01c6d09e6d1302d517466 |
||
|
Dmitriy Rabotyagov
|
b6e904213e |
Remove nova_network_services mapping
At the moment we don't really utilize neutron_provider_networks mapping except of 2 quite specific drivers, that are NSX and Nuage. For these 2 usecases we suggest using overrides functionality instead. Change-Id: I7d905a1dbda1ec722b161b96742247c806bed162 |
||
|
Jonathan Rosser
|
b0fcbce66f |
Support configuration of resource providers with config files
Resource providers can be configured using the API or CLI, or they can also be configured on a per-compute node basis using config files stored in /etc/nova/provider_config. This patch adds support for a user defined list of provider config files to be created on the compute nodes. This can be specified in user_variables or perhaps more usefully in group_vars/host_vars. A typical use case would be describing the resources made available as a result of GPU or other hardware installed in a compute node. Change-Id: I13d70a1030b1173b1bc051f00323e6fb0781872b |
||
|
Zuul
|
ab92656a36 | Merge "Add nova_ironic_serialconsole_type default setting" | ||
|
Jonathan Rosser
|
91ef7e41d3 |
Add nova_ironic_serialconsole_type default setting
This variable determines if one of the nova console proxies is deployed alongside the nova-compute service for ironic. Currently the only supported values are "disabled" and "serialconsole" Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/860947 Change-Id: I8eae97f9c60956049072de8b04e557671a8cdcfa |
||
|
Dmitriy Rabotyagov
|
242ebe2b54 |
Improve way of cache backend selection
At the moment we don't provide any option rather than use memcached backend. With that we also hardcode list of packages that should be installed inside virtualenv for selected backend. Adding bmemcached requirement to oslo_cache.memcache_pool [1] gives us opportunity to refactor this bit of deployment and allow to be more flexible in backend selection and requirements installation for it. [1] https://review.opendev.org/c/openstack/oslo.cache/+/854628 Change-Id: I48e193ef29e56aa8639511c5b5dcddc70f5e1198 |
||
|
Dmitriy Rabotyagov
|
3a68118d9b |
Implement nova direct RBD image retrieve
When nova doesn't use rbd images (ie local storage) it still might be good idea to use direct connection to rbd to get images rather than connect through HTTP. Change-Id: I4f2d7cf54e07376c7a25d45093f5d83be5422234 |
||
|
Andrew Bonney
|
b1e38084cc |
Add configuration option for heartbeat_in_pthread
This configuration option has been observed to result in file descriptor leaks in certain circumstances. A variable is added here so that it can be easily overridden. Change-Id: I7de034307da9352e6f5d1f5f175a330fb8c86463 Related-Bug: #1961603 |
||
|
Zuul
|
559eb382b1 | Merge "Drop nova_glance_api_servers variable" | ||
|
Dmitriy Rabotyagov
|
5846e4d0b1 |
Remove secure_proxy_ssl_header logic
According to nova doc, secure_proxy_ssl_header has been deprecated and has no effect [1]. Since these variables are not used for other purpose we drop them. [1] https://docs.openstack.org/nova/latest/configuration/config.html#oslo_middleware.secure_proxy_ssl_header Change-Id: Ibc3ac4f0f3fb038463748f8c1608fa475374cf67 |
||
|
Dmitriy Rabotyagov
|
6775f57c75 |
Drop nova_glance_api_servers variable
Since api_servers from [glance] section is deprecated and can be silently ignored [1], we drop corresponsive OSA variable [1] https://docs.openstack.org/nova/latest/configuration/config.html#glance.api_servers Change-Id: I52de65a4629f23fd2c0c3735033a8e2d57a82024 |
||
|
Andrew Bonney
|
7a33271509 |
Revert "Disable shell for nova when tunneled migration not used"
This reverts commit
|
||
|
Dmitriy Rabotyagov
|
ca352be75b |
Disable shell for nova when tunneled migration not used
Change-Id: If4d036794cf8edb14e6b0ed491cf0de78f425b2c |
||
|
Damian Dabrowski
|
fcd582731b |
Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling - Set new default values for db pooling variables which are inherited from the global ones. Change-Id: Ibc876f2744c271e9c4ad797597c15af8d73867c1 |
||
|
Zuul
|
db6e446bc7 | Merge "Enable TLS for VNC from novncproxy to compute hosts" | ||
|
Zuul
|
d62950ac51 | Merge "Enable TLS for live migrations" | ||
|
James Gibson
|
2b8d5a0b88 |
Enable TLS for VNC from novncproxy to compute hosts
To secure communications from the proxy server to the compute nodes using VeNCrypt authentication scheme. In a previous patch a TLS server certificate was deployed to compute nodes, this patch makes use of this same server cert for securing VNC sessions on compute nodes. It is recommended that this certificate be issued by a dedicated certificate authority solely for the VNC service, as libvirt does not currently have a mechanism to restrict what certificates can be presented by the proxy server. This has not been implemented to reduce complexity. In addition the noVNC proxy needs to present a client certificate so only approved VNC proxy servers can connect to the Compute nodes. The PKI role has been used to create a client certificate for the nova console nodes. Related Nova docs: https://docs.openstack.org/nova/latest/admin/remote-console-access.html To help with the transition from unencrypted VNC to VeNCrypt, initially compute nodes auth scheme allows for both encrypted and unencrypted sessions using the variable `nova_vencrypt_auth_scheme`, this will be removed in future releases. Change-Id: Iafb788f80fd401c6ce6e4576bafd06c92431bd65 |
||
|
James Gibson
|
ad8bda5f64 |
Enable TLS for live migrations
Instead of using SSH to live migrate VM's use TLS as this is more secure and SSH migrations are deprecated. https://docs.openstack.org/nova/xena/admin/secure-live-migration-with-qemu-native-tls.html A pre-existing PKI (Public Key Infrastructure) setup is required. TLS live migrations require that all compute hosts can communicate with each other on port 16514 and port range 49152 to 49261. To enable TLS live migrations, both libvirt and QEMU require server and client certificates, the server certificate is used to verify servers and the client cert is used by servers to authenticate clients. A single cert is created by the pki role, that can be used by both libvirt and QEMU for both client and server auth. The client, server and CA certificates need to be installed in a number of locations on each compute host: * For Libvirt https://libvirt.org/tlscerts.html * For QEMU https://github.com/libvirt/libvirt/blob/master/src/qemu/qemu.conf Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815007 Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815849 Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/816857 Change-Id: Iddbe8764bb6d3cd3eaee122b2d5ddc02fa3f7662 |
||
|
Dmitriy Rabotyagov
|
af44f385d7 |
Rename nova_enabled_vgpu_types
In order to reflect upstream nova variable change [1] we rename nova_enabled_vgpu_types to nova_enabled_mdev_types. [1] https://docs.openstack.org/nova/latest/configuration/config.html#devices.enabled_mdev_types Change-Id: I7fcc6f6fbfd8e6e358036e72a82348b9cefe74ef |
||
|
Zuul
|
07715e344a | Merge "Remove nova console variables" | ||
|
Zuul
|
c2688515a8 | Merge "Re-add nova_dhcp_domain variable" | ||
|
Dmitriy Rabotyagov
|
c6d4c6207f |
Use template URLs in Cell Mappings
In Rocky Nova has implemented templating in Cell Mappings [1] That means that instead of hardcoding connection details in database, we can just put a template there. Variables are parsed from nova.conf and substituted on the service load. Thus we don't need to update cells every time we change password and we can use different credentials across nodes since they will be just taken from config files. We also perform upgrade of the cells to the templates when cell exist. Task `Map instances to new Cell1` is removed, since it's required to map instances to cellv2 only during upgrade from cellsv1 to cellsv2 which is not the case nowadays or when migrating instances between cells [2]. [1] https://docs.openstack.org/nova/latest/user/cells.html#template-urls-in-cell-mappings [2] https://docs.openstack.org/nova/rocky/cli/nova-manage.html#nova-cells-v2 Change-Id: Ia6bef7b902c0fb99a529c592172226bb16ed0d9d |
||
|
Dmitriy Rabotyagov
|
fe8d651eaf |
Remove nova console variables
Bunch of variables that were related to nova consoles were misused or unneeded at all. Here we deprecate and remove them, along with fixing behaviour to disable spice agent functionality. Change-Id: I28f6d733db689eab879ae5939d1236e7c0d5f521 Closes-Bug: #1923184 |
||
|
Dmitriy Rabotyagov
|
ffd2823327 |
Re-add nova_dhcp_domain variable
It still makes sense to carry a variable for defining dns_domain since deployers will be able to control them with single variable for all services. Closes-Bug: #1922703 Change-Id: I2be47100ce701e71dda2fe4e8ca58a7b6cad529c |
||
|
Logan V
|
4f993fdd8e |
Simplify scheduler filter additions
Add 'nova_scheduler_extra_filters' to allow operators to enable
additional scheduler filters without overriding the entire list of
filters as in [0].
This also reduces the burden on ops to maintain the list of overridden
default schedulers because of things like [1].
[0]
|
||
|
Mohammed Naser
|
3d99b2bd80 |
cleanup: reduce configuration vars
This patch reduces the number of configuration defaults that we ship with no functional changes for users that were not overriding them. Change-Id: Iec7e7b0ca13e2503344d23095c0f1c30b46bb702 |
||
|
Jonathan Rosser
|
9376fd253d |
Remove support for the nova-lxd driver
This driver has been retired [1] and tests are now failing because the nova-lxd repo master branch is now empty. [1] https://review.opendev.org/#/c/672283/ Change-Id: I9906ede54f6b41972a03bfa1d39ba5f99c6235ed |
||
|
Zuul
|
35e35da176 | Merge "Switch default console to novnc" | ||
|
Mohammed Naser
|
3341ce834f |
powervm: drop support
The PowerVM driver has been untested for a few years as well as broken due to using the wrong driver as well. It's not possible to test it within our infrastructure neither has there been any contributions to improve/fix it. This patch drops the support for it. Change-Id: Iea84648c7ff65b5a4d8b97957fb92716578f714d |
||
|
Logan V
|
5cf640051b |
Switch default console to novnc
Change-Id: I5db87e14e86dc4aada19b2933773b50b865445ff |
||
|
Logan V
|
5bffb86bbb |
Remove nova placement API
Placement is now a separate service and has been removed from nova[1] and implemented as a separate service in OSA[2]. As such, the nova in-tree placement API is now disabled and can be removed. [1] https://review.opendev.org/#/c/618215/ [2] https://review.opendev.org/#/c/656891/ Depends-On: I01df855d8b9255d24efe16ab053ffa491fda351f Depends-On: I25ce79b9e3492cb075c50beed90ea2b78055e474 Change-Id: I2f5d4c2f1fc1418bc4f4c4baa1ce3c90b88208fc |
||
|
Jonathan Rosser
|
14572c3153 |
Fix nova-lxd tests for bionic.
This patch adjusts the nova-lxd deployment so that it works correctly with LXD3 and bionic. * Update the zuul job and project config to switch from xenial to bionic. * Change the variable lxd_storage_pool to always have a defined value in the role defaults. This variable represents the name of the LXD storage pool which is distinct from any names associated with underlying storage. LXD storage pools created with 'lxd init' are always called 'default'. * Switch the role test storage backend from dir to ZFS. nova-lxd is currently not working for the dir backend as it expects the storage subsystem to support quotas. * Due to limitations in nova-lxd it is necessary to ensure that the LXD storage pool name and ZFS pool names are both set to 'default'. Closes-Bug: #1800837 Change-Id: If1e48bb2e789e13f20435da19907b5adb7c1ef1f |
||
|
Guilherme Steinmüller
|
72389a6c71 |
Add support to kvm nested virt
This patch aims to provide the ability for the user to enable nested kvm virtualization in a kvm compute node through nova_nested_virt_enabled variable, whose default is False. Change-Id: I64417221fb3d74453d979b7198a0e916e7f4dd23 |
||
|
Florian Haas
|
58bad8e6b1 |
Expose the Libvirt cpu_model and cpu_model_extra_flags options
Being able to set cpu_mode to "custom" is nice but doesn't do us much good if users then have to resort to nova_nova_conf_overrides to set cpu_model and/or cpu_model_extra_flags. Instead, honor nova_cpu_model and nova_cpu_model_extra_flags variable. Also add a release note saying that for those users who did previously set these flags via nova_nova_conf_overrides, they should move those bits to the newly understood variables. Change-Id: I889e70826c5c631b86305b512b86fba2b89521b4 |
||
|
Mohammed Naser
|
3ff434a1f3 |
Add support for NFS
This support allows deployers to easily use NFS and automatically have mountpoints during deployment. Change-Id: Ifb15cb7815487f047c0249f340a79c67971f5411 |
||
|
Francois Deppierraz
|
18bc36cd84 |
releasenotes: oslo-messaging-separate-backends add project name
Without this patch, the release notes published at https://docs.openstack.org/releasenotes/openstack-ansible/rocky.html contains the same line multiple times which is not very clear. [...] Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers. Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers. [...] Change-Id: I0ed1a43670d97f2e2215d04c641f7bd4cfbe4f44 |
||
|
Jesse Pretorius
|
d0696a90ab |
Execute service setup against a delegated host using Ansible built-in modules
In order to reduce the packages required to pip install on to the hosts, we allow the service setup to be delegated to a specific host, defaulting to the deploy host. We also switch as many tasks as possible to using the built-in Ansible modules which make use of the shade library. The 'virtualenv' package is now installed appropriately by the openstack_hosts role, so there's no need to install it any more. The 'httplib2' package is a legacy Ansible requirement for the get_url/get_uri module which is no longer needed. The keystone client library is not required any more now that we're using the upstream modules. As there are no required packages left, the task to install them is also removed. Unfortunately we need to use the openstack client to wait for a compute host to register, so we add it into the nova venv and implement a change in the way we do the wait so that openrc/clouds.yaml is only implemented on a single compute host and the wait task is executed there. Depends-On: https://review.openstack.org/582359 Change-Id: I702480a5188a583a03f66bb39609f7d25a996e4a |
||
|
Markos Chandras
|
1deb3b5a26 |
Add support for using distribution packages for OpenStack services
Distributions provide packages for the OpenStack services so we add support for using these instead of the pip ones. Depends-On: https://review.openstack.org/#/c/579151/ Depends-On: https://review.openstack.org/#/c/579071/ Change-Id: Iff373b5402c664206b940b8e95a0b8845050213b Implements: blueprint openstack-distribution-packages |
||
|
Zuul
|
c79e56d84f | Merge "Update to use oslo.messaging services for RPC and Notify" | ||
|
Jesse Pretorius
|
3d78d07015 |
Use the distro package for libvirt-python
The libvirt-python library has C bindings which are very particular about the version of its companion package (libvirt). To ensure things run smoothly for stable releases, we opt to use the distro packages for these and symlink the appropriate library files and binding into the venv. This approach has been used successfully for the ceph python bindings. Change-Id: Id962efe16c425424715409f071c4a304f8416001 |