7bec243c626d674b64a79b9f3e961944cbf55603
299 Commits
| Author | SHA1 | Message |
|---|---|---|
| Zuul | bfa8e12fcc | Merge "Fix nova device_spec to support multiple values" |
| Dmitriy Rabotyagov | b78e8a68ea | **Evaluate my_ip address once** Instead of evaluating the same condition of my_ip in multiple places across the role, this patch suggests doing this once in vars and using the resulting variable afterwards. This not only reduces the amount of evaluations made throughout the role runtime, but also solves possible corner cases where some syntax may go off. Closes-Bug: #2052884 Change-Id: I454b53713ecacf844ac14f77b6d1e1adc1322c0e |
| Andrew Bonney | c7a976c584 | **Fix nova device_spec to support multiple values** It appears there was a change to remove the list option when moving from pci_passthrough_whitelist. Instead, device_spec can be specified multiple times in the file. This patch aims to resolve this whilst maintaining backwards compatibility. Change-Id: I12b38e45d7b41fbf4786d3320e511eb9127fe216 |
| Dmitriy Rabotyagov | 5a533aae23 | **Improve Blazar integration with Nova** As of today we do not have any means of Blazar integration with Nova, while we have provided roles for Blazar installation for a while now. This patch aims to bring in more native integration and remove the necessity of overrides for such a deployment. Related-Bug: #2048048 Co-Authored-By: Alexey Rusetsky <fenuks@fenuks.ru> Change-Id: Ica50a5504de1b1604f72123751cbb3f45c85ab46 |
| Stuart Grace | 7f431ebcda | **Use internal endpoint for barbican API** Nova defaults to using the public endpoint for the Barbican API, which would require internet access from the compute node, so change this to use the internal API endpoint. Change-Id: Iaa14a9bf80d2e02197e74d67e812afc518fe1b65 |
| Dmitriy Rabotyagov | 6fd5535e57 | **Add barbican_service_user section** Defining barbican_service_user is required for successful attachment of encrypted volumes to VMs. Without it being in place, nova-compute fails with not being able to get service_token. Change-Id: I8ae3e263185b1cd8036a4fde12d9c950f2ce8b98 |
| Marc Gariepy | 9d2924fa80 | **Config has changed for pci passthrough.** Updating the config for pci devices since the old config is deprecated. https://docs.openstack.org/nova/latest/configuration/config.html#pci.device_spec Change-Id: Id2da29464359b4845c7d05e3bec53759341f4bad |
| Zuul | 6873b7d8a1 | Merge "Add quorum queues support for the service" |
| Zuul | bf6aaf7ab0 | Merge "Enable multiple console proxies where required in deployments" |
| Dmitriy Rabotyagov | da9793f18e | **Add quorum queues support for the service** This change implements and enables by default quorum support for rabbitmq, as well as providing default variables to globally tune its behaviour. In order to ensure an upgrade path and the ability to switch back to HA queues, we change vhost names by removing the leading `/`, as enabling quorum requires removing the exchange, which is a tricky thing to do with running services. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618 Change-Id: I792595dac8b651debcd364cd245145721575a516 |
| James Denton | a2fb474086 | **Allow Glance region to be set via variable** The region_name var is missing from the [glance] block in the nova.conf template, and while a conf override can be used, all other service blocks have region_name defined and overridable with service_region. Change-Id: I28ac078f9ebe24c8799638e93d0967003d0c0605 |
| Andrew Bonney | d0877c6fd3 | **Enable multiple console proxies where required in deployments** When Nova is deployed with a mix of x86 and arm systems (for example), it may be necessary to deploy both 'novnc' and 'serialconsole' proxy services on the same host in order to service the mixed compute estate. This patch introduces a list which defines the required proxy console types. Change-Id: I93cece8babf35854e5a30938eeb9b25538fb37f6 |
| Damian Dabrowski | 7000bc3f3f | **Deprecate nova_ram_weight_multiplier** A long time ago a variable `nova_ram_weight_multiplier` was implemented and its default value was set to 5.0. There are 2 issues with this: 1. The default value in nova is 1.0 [1], so our value is much bigger than nova's default without having a strong reason for that. 2. OSA does not provide similar variables for other multipliers like `cpu_weight_multiplier`. Because there are a couple of different multipliers and more of them can be implemented in the future (for example, `hypervisor_version_weight_multiplier` was implemented in 2023.2), it would be hard for the OSA project to maintain variables for all of them. It is better to deprecate `nova_ram_weight_multiplier` and let users define multipliers with `nova_nova_conf_overrides` if necessary. [1] https://docs.openstack.org/nova/2023.1/configuration/config.html#filter_scheduler.ram_weight_multiplier Change-Id: I4f82840e94312d38696e3ddd05ef494821233f4d |
| Dmitriy Rabotyagov | 00d59dcd41 | **Add auth credentials for service_user** Having auth credentials in service_user is required to interact with other services. Otherwise nova won't be properly authenticated, for example during a volume detach request. Change-Id: Ifd607d3acfb18ee4d1de0b8dc39350419cae9c22 |
| Dmitriy Rabotyagov | 9c23b0c359 | **Define service_user for nova services** In order to cover OSSA-2023-003, a requirement to define the service_user section for all nova services has been added by nova. Change-Id: I81cd6431fec94f56b0ebd66c94e90c9623ba0e38 |
| Dmitriy Rabotyagov | b6e904213e | **Remove nova_network_services mapping** At the moment we don't really utilize the neutron_provider_networks mapping except for 2 quite specific drivers, NSX and Nuage. For these 2 use cases we suggest using the overrides functionality instead. Change-Id: I7d905a1dbda1ec722b161b96742247c806bed162 |
| Dmitriy Rabotyagov | 0e59a29947 | **Remove use_forwarded_for definition for nova-api** The use_forwarded_for option for api has been deprecated since 26.0.0, as this feature is a duplicate of HTTPProxyToWSGI, which is now enabled by default. Change-Id: I45e70e42605455df944ced63f106a76f351052e8 |
| Dmitriy Rabotyagov | 6dfcf9d4c8 | **Remove calico driver reference** Calico driver support has been removed from OpenStack-Ansible starting in the Antelope release [1]. We clean up the nova role to drop calico support from it as well. [1] https://review.opendev.org/c/openstack/openstack-ansible/+/866119 Change-Id: Ie9c118b8bab265e5bf06b6ec05731cd673ee4d95 |
| James Denton | 69df45b068 | **Add authentication for [cinder] section of nova.conf** Nova complains about an inability to access the endpoint list for block storage. This patch updates nova.conf with the respective configuration. Example errors in the nova-compute log: 1. The [cinder] section of your nova configuration file must be configured for authentication with the block-storage service endpoint. 2. Delete attachment failed for attachment `<UUID>`. Error: Unknown auth type: None (HTTP 401) Code: 401: cinderclient.exceptions.Unauthorized: Unknown auth type: None (HTTP 401) Change-Id: I4c1ae32ed078a4412ff44b7ac3f921b223d0cba3 |
| Dmitriy Rabotyagov | e8049ceaea | **Fix scheduler track_instance_changes option** There was a typo for track_instance_changes once it was moved under filter_scheduler. [1] https://docs.openstack.org/nova/latest/configuration/config.html#filter_scheduler.track_instance_changes Change-Id: I8316989a57ada71e72af114984ec25f227def7ba |
| Dmitriy Rabotyagov | 9a3d5b0be3 | **Enable rbd download when nova_glance_rbd is in use** With the original patch [1] I somehow missed defining enable_rbd_download along with adding rbd_user/pool/conf. However, none of these options are taken into account if enable_rbd_download is set to false, which is the default value. [1] https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/828897 Change-Id: I3220de5863c9c3af418e71774c103c4712b16086 |
| George Shuklin | fc87fa7b32 | **fix: os_vif_ovs should not be in the middle of libvirt section** The section [os_vif_ovs] isolate_vif = True was placed in the middle of the [libvirt] section, causing all migration settings to be placed in os_vif_ovs instead of libvirt. Change-Id: Ief7eb74343f69912fa8a41a200edf22596adfea3 |
| Dmitriy Rabotyagov | 242ebe2b54 | **Improve way of cache backend selection** At the moment we don't provide any option other than using the memcached backend. With that we also hardcode the list of packages that should be installed inside the virtualenv for the selected backend. Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us the opportunity to refactor this bit of deployment and allow more flexibility in backend selection and requirements installation for it. [1] https://review.opendev.org/c/openstack/oslo.cache/+/854628 Change-Id: I48e193ef29e56aa8639511c5b5dcddc70f5e1198 |
| Zuul | f8840ece3b | Merge "Add new line after proxyclient_address" |
| Dmitriy Rabotyagov | 81d7f0a85c | **Add new line after proxyclient_address** Currently the Jinja trim_blocks function removes the newline from the end of proxyclient_address, which makes the port_range option appear on the same line. Change-Id: If33021bd0453be3ca18753777e82da12f470b278 Closes-Bug: #1988337 |
| Dmitriy Rabotyagov | d6cd1096af | **Isolate vif for ovs backend by default** Without this patch all deployers that used OVS had to remember to apply an override for their deployments. Now OSA will enable isolation of vif by default when OVS is used. Change-Id: I4195153658c867f259226e80cefac0fcac4caac5 Related-Bug: #1734320 |
| Dmitriy Rabotyagov | c36fdaa960 | **Support service tokens** Implement support for service_tokens. For that we convert role_name to be a list along with renaming the corresponding variable. Additionally, service_type is now defined for keystone_authtoken, which enables validating tokens with restricted access rules. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690 Change-Id: I04b22722b32b6dc8b1dc95e18c3fe96ad17e51ac |
| Dmitriy Rabotyagov | 3a68118d9b | **Implement nova direct RBD image retrieve** When nova doesn't use rbd images (i.e. local storage) it still might be a good idea to use a direct connection to rbd to get images rather than connecting through HTTP. Change-Id: I4f2d7cf54e07376c7a25d45093f5d83be5422234 |
| Andrew Bonney | b1e38084cc | **Add configuration option for heartbeat_in_pthread** This configuration option has been observed to result in file descriptor leaks in certain circumstances. A variable is added here so that it can be easily overridden. Change-Id: I7de034307da9352e6f5d1f5f175a330fb8c86463 Related-Bug: #1961603 |
| Zuul | 559eb382b1 | Merge "Drop nova_glance_api_servers variable" |
| Dmitriy Rabotyagov | 5846e4d0b1 | **Remove secure_proxy_ssl_header logic** According to the nova docs, secure_proxy_ssl_header has been deprecated and has no effect [1]. Since these variables are not used for any other purpose, we drop them. [1] https://docs.openstack.org/nova/latest/configuration/config.html#oslo_middleware.secure_proxy_ssl_header Change-Id: Ibc3ac4f0f3fb038463748f8c1608fa475374cf67 |
| Dmitriy Rabotyagov | 6775f57c75 | **Drop nova_glance_api_servers variable** Since api_servers from the [glance] section is deprecated and can be silently ignored [1], we drop the corresponding OSA variable. [1] https://docs.openstack.org/nova/latest/configuration/config.html#glance.api_servers Change-Id: I52de65a4629f23fd2c0c3735033a8e2d57a82024 |
| Zuul | 6015ee227c | Merge "Database connection pooling improvements" |
| Damian Dabrowski | fcd582731b | **Database connection pooling improvements** - Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling. - Set new default values for db pooling variables, which are inherited from the global ones. Change-Id: Ibc876f2744c271e9c4ad797597c15af8d73867c1 |
| Dmitriy Rabotyagov | 93ef742841 | **Refactor definition of lock path** Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819300 Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/819298 Change-Id: If5622f736e17f0f187a0740d60ea435d03a131bb |
| Zuul | e9f3c79832 | Merge "Allow to provide mdev addresses as list" |
| Zuul | db6e446bc7 | Merge "Enable TLS for VNC from novncproxy to compute hosts" |
| Dmitriy Rabotyagov | ab3bbd50d5 | **Allow to provide mdev addresses as list** With new Ampere GPUs you need to explicitly define lists of PCI devices whose length depends on the picked type, as placement can't pick them automatically due to nvidia driver brokenness. In order to have a readable representation of the variable it's worth making it iterable, but keeping a simple string for backwards compatibility. Change-Id: I2a1e85efc8ad4f6a2596e6d53b1d793b2f934758 |
| Zuul | d62950ac51 | Merge "Enable TLS for live migrations" |
| Zuul | 14c229ad94 | Merge "Rename nova_enabled_vgpu_types" |
| James Gibson | 2b8d5a0b88 | **Enable TLS for VNC from novncproxy to compute hosts** To secure communications from the proxy server to the compute nodes using the VeNCrypt authentication scheme. In a previous patch a TLS server certificate was deployed to compute nodes; this patch makes use of this same server cert for securing VNC sessions on compute nodes. It is recommended that this certificate be issued by a dedicated certificate authority solely for the VNC service, as libvirt does not currently have a mechanism to restrict what certificates can be presented by the proxy server. This has not been implemented to reduce complexity. In addition, the noVNC proxy needs to present a client certificate so only approved VNC proxy servers can connect to the compute nodes. The PKI role has been used to create a client certificate for the nova console nodes. Related Nova docs: https://docs.openstack.org/nova/latest/admin/remote-console-access.html To help with the transition from unencrypted VNC to VeNCrypt, initially the compute nodes' auth scheme allows for both encrypted and unencrypted sessions using the variable `nova_vencrypt_auth_scheme`; this will be removed in future releases. Change-Id: Iafb788f80fd401c6ce6e4576bafd06c92431bd65 |
| James Gibson | ad8bda5f64 | **Enable TLS for live migrations** Instead of using SSH to live migrate VMs, use TLS as this is more secure and SSH migrations are deprecated. https://docs.openstack.org/nova/xena/admin/secure-live-migration-with-qemu-native-tls.html A pre-existing PKI (Public Key Infrastructure) setup is required. TLS live migrations require that all compute hosts can communicate with each other on port 16514 and port range 49152 to 49261. To enable TLS live migrations, both libvirt and QEMU require server and client certificates; the server certificates are used to verify servers and the client cert is used by servers to authenticate clients. A single cert is created by the pki role that can be used by both libvirt and QEMU for both client and server auth. The client, server and CA certificates need to be installed in a number of locations on each compute host: * For Libvirt https://libvirt.org/tlscerts.html * For QEMU https://github.com/libvirt/libvirt/blob/master/src/qemu/qemu.conf Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815007 Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815849 Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/816857 Change-Id: Iddbe8764bb6d3cd3eaee122b2d5ddc02fa3f7662 |
| Dmitriy Rabotyagov | af44f385d7 | **Rename nova_enabled_vgpu_types** In order to reflect the upstream nova variable change [1], we rename nova_enabled_vgpu_types to nova_enabled_mdev_types. [1] https://docs.openstack.org/nova/latest/configuration/config.html#devices.enabled_mdev_types Change-Id: I7fcc6f6fbfd8e6e358036e72a82348b9cefe74ef |
| Dmitriy Rabotyagov | aa05a3fa93 | **Refactor galera_use_ssl behaviour** With the PKI role in place, in most cases you don't need to explicitly provide the path to the CA file because the PKI role ensures that the CA is trusted by the system overall. In the meanwhile, in PyMySQL [1] you must either provide a CA file or cert/key or enable verify. Since the current behaviour is to provide the path to the custom CA, we expect the certificate to be trusted overall. Thus we enable cert verification when galera_use_ssl is True. [1] |
| Jonathan Rosser | 1a358f5dc2 | **Add galera port to nova config and database template** This always existed as a default value but was only used for service setup, never in the runtime db connection url. Update the URL and database connection template to include the port. Change-Id: Ie404c117146c6bbd7eea79300f7c85515fa4e27d |
| Jonathan Rosser | 5a60846262 | **Add variables for rabbitmq ssl configuration** Change-Id: Ibe24bf754bd56d6e518b93f05f47d163454e169d |
| Zuul | 07715e344a | Merge "Remove nova console variables" |
| Zuul | c2688515a8 | Merge "Re-add nova_dhcp_domain variable" |
| Dmitriy Rabotyagov | fe8d651eaf | **Remove nova console variables** A bunch of variables that were related to nova consoles were misused or not needed at all. Here we deprecate and remove them, along with fixing behaviour to disable spice agent functionality. Change-Id: I28f6d733db689eab879ae5939d1236e7c0d5f521 Closes-Bug: #1923184 |
| Dmitriy Rabotyagov | ffd2823327 | **Re-add nova_dhcp_domain variable** It still makes sense to carry a variable for defining dns_domain since deployers will be able to control it with a single variable for all services. Closes-Bug: #1922703 Change-Id: I2be47100ce701e71dda2fe4e8ca58a7b6cad529c |