Synchronise master with upstream

.ansible-lint

@@ -7,12 +7,10 @@ rulesdir:
   - .ansible-lint-rules/
 # NOTE(mnasiadka): Switched to false due to rules skipped via .ansible-lint-ignore causing
 #                  failures
-strict: false
+strict: true
 skip_list:
   # disable experimental rules
   - experimental
-  # FQCNs again, now for module actions
-  - fqcn[action]
   # Role names
   - role-name
   - var-naming[no-role-prefix]

ansible/group_vars/all/common.yml

@@ -86,20 +86,35 @@ run_default_volumes_podman:
   - "/run/openvswitch:/run/openvswitch:shared"
 
 run_default_volumes_docker: []
+
 ####################
 # Dimensions options
 ####################
-# Dimension options for Docker Containers
-# NOTE(mnasiadka): Lower 1073741816 nofile limit on EL9 (RHEL9/CentOS Stream 9/Rocky Linux 9)
-#                  fixes at least rabbitmq and mariadb
-default_container_dimensions: "{{ default_container_dimensions_el9 if ansible_facts.os_family == 'RedHat' else {} }}"
-default_container_dimensions_el9: "{{ default_docker_dimensions_el9 if kolla_container_engine == 'docker' else default_podman_dimensions_el9 }}"
-default_docker_dimensions_el9:
+# Dimension options for container runtimes
+#
+# NOTE(amir58118): Some container runtimes do not apply ulimits by default unless they
+#                  are explicitly configured. Defining file descriptor and process
+#                  limits at the container level helps ensure stable operation of
+#                  services that are sensitive to resource limits (e.g. message brokers
+#                  and databases).
+#
+default_container_dimensions: >-
+  {{
+    default_container_dimensions_docker
+    if kolla_container_engine == 'docker'
+    else default_container_dimensions_podman
+  }}
+
+default_container_dimensions_docker:
   ulimits:
     nofile:
       soft: 1048576
       hard: 1048576
-default_podman_dimensions_el9:
+
+# NOTE(amir58118): Podman currently lowers RLIMIT_NOFILE and RLIMIT_NPROC
+#                  in kolla_podman_worker.py. These constants are retained here
+#                  for documentation and potential future use.
+default_container_dimensions_podman:
   ulimits:
     RLIMIT_NOFILE:
       soft: 1048576

ansible/roles/blazar/defaults/main.yml

@@ -8,6 +8,7 @@ blazar_services:
     volumes: "{{ blazar_api_default_volumes + blazar_api_extra_volumes }}"
     dimensions: "{{ blazar_api_dimensions }}"
     healthcheck: "{{ blazar_api_healthcheck }}"
+    wsgi: "blazar.wsgi.api:application"
     haproxy:
       blazar_api:
         enabled: "{{ enable_blazar }}"
@@ -151,6 +152,7 @@ blazar_keystone_user: "blazar"
 
 openstack_blazar_auth: "{{ openstack_auth }}"
 
+blazar_api_workers: "{{ openstack_service_workers }}"
 
 #####################
 ## Kolla

ansible/roles/blazar/tasks/config.yml

@@ -41,6 +41,21 @@
   become: true
   with_dict: "{{ blazar_services | select_services_enabled_and_mapped_to_host }}"
 
+- name: "Configure uWSGI for blazar-api"
+  ansible.builtin.include_role:
+    name: service-uwsgi-config
+  vars:
+    project_services: "{{ blazar_services }}"
+    service: "{{ blazar_services['blazar-api'] }}"
+    service_name: "blazar-api"
+    service_uwsgi_config_http_port: "{{ blazar_api_listen_port }}"
+    service_uwsgi_config_log_file_chmod: "644"
+    service_uwsgi_config_module: "{{ service.wsgi }}"
+    service_uwsgi_config_uid: "blazar"
+    service_uwsgi_config_workers: "{{ blazar_api_workers }}"
+  when:
+    - service | service_enabled_and_mapped_to_host
+
 - name: Copying over blazar.conf
   vars:
     service_name: "{{ item.key }}"

ansible/roles/blazar/templates/blazar-api.json.j2

@@ -1,11 +1,17 @@
 {
-    "command": "blazar-api --config-file /etc/blazar/blazar.conf",
+    "command": "uwsgi /etc/blazar/blazar-api-uwsgi.ini",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/blazar.conf",
             "dest": "/etc/blazar/blazar.conf",
             "owner": "blazar",
             "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/blazar-api-uwsgi.ini",
+            "dest": "/etc/blazar/blazar-api-uwsgi.ini",
+            "owner": "blazar",
+            "perm": "0600"
         }{% if blazar_policy_file is defined %},
         {
             "source": "{{ container_config_directory }}/{{ blazar_policy_file }}",

ansible/roles/cloudkitty/defaults/main.yml

@@ -8,6 +8,7 @@ cloudkitty_services:
     volumes: "{{ cloudkitty_api_default_volumes + cloudkitty_api_extra_volumes }}"
     dimensions: "{{ cloudkitty_api_dimensions }}"
     healthcheck: "{{ cloudkitty_api_healthcheck }}"
+    wsgi: "cloudkitty.wsgi.api:application"
     haproxy:
       cloudkitty_api:
         enabled: "{{ enable_cloudkitty }}"
@@ -228,3 +229,8 @@ cloudkitty_database_enable_tls_internal: "{{ database_enable_tls_internal | bool
 # Copy certificates
 ###################
 cloudkitty_copy_certs: "{{ kolla_copy_ca_into_containers | bool or cloudkitty_database_enable_tls_internal | bool }}"
+
+#######
+# WSGI
+#######
+cloudkitty_wsgi_provider: "uwsgi"

ansible/roles/cloudkitty/tasks/config.yml

@@ -76,6 +76,22 @@
   become: true
   with_dict: "{{ cloudkitty_services | select_services_enabled_and_mapped_to_host }}"
 
+- name: "Configure uWSGI for cloudkitty-api"
+  ansible.builtin.include_role:
+    name: service-uwsgi-config
+  vars:
+    project_services: "{{ cloudkitty_services }}"
+    service: "{{ cloudkitty_services['cloudkitty-api'] }}"
+    service_name: "cloudkitty-api"
+    service_uwsgi_config_http_port: "{{ cloudkitty_api_listen_port }}"
+    service_uwsgi_config_log_file_chmod: "644"
+    service_uwsgi_config_module: "{{ service.wsgi }}"
+    service_uwsgi_config_uid: "cloudkitty"
+    service_uwsgi_config_workers: "{{ cloudkitty_api_workers }}"
+  when:
+    - service | service_enabled_and_mapped_to_host
+    - cloudkitty_wsgi_provider == "uwsgi"
+
 - name: Copying over wsgi-cloudkitty.conf
   vars:
     service: "{{ cloudkitty_services['cloudkitty-api'] }}"
@@ -84,7 +100,9 @@
     dest: "{{ node_config_directory }}/cloudkitty-api/wsgi-cloudkitty.conf"
     mode: "0660"
   become: true
-  when: service | service_enabled_and_mapped_to_host
+  when:
+    - cloudkitty_wsgi_provider == "apache"
+    - service | service_enabled_and_mapped_to_host
 
 - name: Copying over existing policy file
   ansible.builtin.template:

ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2

@@ -1,20 +1,27 @@
-{% set cloudkitty_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set cloudkitty_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
+{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
+{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
+{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if cloudkitty_wsgi_provider == 'apache' else 'uwsgi /etc/cloudkitty/cloudkitty-api-uwsgi.ini' %}
 {
-    "command": "{{ cloudkitty_cmd }} -DFOREGROUND",
+    "command": "{{ command }}",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/cloudkitty.conf",
             "dest": "/etc/cloudkitty/cloudkitty.conf",
             "owner": "cloudkitty",
             "perm": "0600"
-        },
+        }{% if cloudkitty_wsgi_provider == "apache" %},
         {
             "source": "{{ container_config_directory }}/wsgi-cloudkitty.conf",
-            "dest": "/etc/{{ cloudkitty_dir }}/wsgi-cloudkitty.conf",
+            "dest": "/etc/{{ apache_conf_dir }}/wsgi-cloudkitty.conf",
             "owner": "cloudkitty",
             "perm": "0600"
-        }{% if cloudkitty_policy_file is defined %},
+        }{% elif cloudkitty_wsgi_provider == "uwsgi" %},
+        {
+            "source": "{{ container_config_directory }}/cloudkitty-api-uwsgi.ini",
+            "dest": "/etc/cloudkitty/cloudkitty-api-uwsgi.ini",
+            "owner": "cloudkitty",
+            "perm": "0600"
+        }{% endif %}{% if cloudkitty_policy_file is defined %},
         {
             "source": "{{ container_config_directory }}/{{ cloudkitty_policy_file }}",
             "dest": "/etc/cloudkitty/{{ cloudkitty_policy_file }}",

ansible/roles/cyborg/defaults/main.yml

@@ -8,6 +8,7 @@ cyborg_services:
     volumes: "{{ cyborg_api_default_volumes + cyborg_api_extra_volumes }}"
     dimensions: "{{ cyborg_api_dimensions }}"
     healthcheck: "{{ cyborg_api_healthcheck }}"
+    wsgi: "cyborg.wsgi.api:application"
     haproxy:
       cyborg_api:
         enabled: "{{ enable_cyborg }}"
@@ -170,6 +171,8 @@ cyborg_keystone_user: "cyborg"
 
 openstack_cyborg_auth: "{{ openstack_auth }}"
 
+cyborg_api_workers: "{{ openstack_service_workers }}"
+
 ####################
 # Kolla
 ####################

ansible/roles/cyborg/tasks/config.yml

@@ -51,6 +51,21 @@
   become: true
   with_dict: "{{ cyborg_services | select_services_enabled_and_mapped_to_host }}"
 
+- name: "Configure uWSGI for cyborg-api"
+  ansible.builtin.include_role:
+    name: service-uwsgi-config
+  vars:
+    project_services: "{{ cyborg_services }}"
+    service: "{{ cyborg_services['cyborg-api'] }}"
+    service_name: "cyborg-api"
+    service_uwsgi_config_http_port: "{{ cyborg_api_listen_port }}"
+    service_uwsgi_config_log_file_chmod: "644"
+    service_uwsgi_config_module: "{{ service.wsgi }}"
+    service_uwsgi_config_uid: "cyborg"
+    service_uwsgi_config_workers: "{{ cyborg_api_workers }}"
+  when:
+    - service | service_enabled_and_mapped_to_host
+
 - name: Copying over cyborg.conf
   vars:
     service_name: "{{ item.key }}"

ansible/roles/cyborg/templates/cyborg-api.json.j2

@@ -1,12 +1,18 @@
 {
-    "command": "cyborg-api --config-file /etc/cyborg/cyborg.conf",
+    "command": "uwsgi /etc/cyborg/cyborg-api-uwsgi.ini",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/cyborg.conf",
             "dest": "/etc/cyborg/cyborg.conf",
             "owner": "cyborg",
             "perm": "0600"
         },
+        {
+            "source": "{{ container_config_directory }}/cyborg-api-uwsgi.ini",
+            "dest": "/etc/cyborg/cyborg-api-uwsgi.ini",
+            "owner": "cyborg",
+            "perm": "0600"
+        },
         {
             "source": "{{ container_config_directory }}/api-paste.ini",
             "dest": "/etc/cyborg/api-paste.ini",

ansible/roles/cyborg/templates/cyborg.conf.j2

@@ -1,6 +1,9 @@
 [DEFAULT]
 auth_strategy = keystone
 log_dir = /var/log/kolla/cyborg
+{% if service_name == 'cyborg-api' %}
+log_file = /var/log/kolla/cyborg/cyborg-api.log
+{% endif %}
 debug = {{ cyborg_logging_debug }}
 
 transport_url = {{ rpc_transport_url }}

ansible/roles/haproxy-config/tasks/main.yml

@@ -49,7 +49,7 @@
     - enable_haproxy | bool
 
 - name: "Configuring firewall for {{ project_name }}"
-  firewalld:
+  ansible.posix.firewalld:
     immediate: true
     offline: true
     permanent: true

ansible/roles/ironic/defaults/main.yml

@@ -262,6 +262,7 @@ ironic_logging_debug: "{{ openstack_logging_debug }}"
 openstack_ironic_auth: "{{ openstack_auth }}"
 
 ironic_api_workers: "{{ openstack_service_workers }}"
+ironic_prometheus_exporter_workers: "{{ openstack_service_workers }}"
 
 #########
 # Ironic

ansible/roles/ironic/tasks/config.yml

@@ -165,7 +165,9 @@
     - "{{ node_config_directory }}/ironic/{{ inventory_hostname }}/ironic-prometheus-exporter-wsgi.conf"
     - "{{ node_config_directory }}/ironic/ironic-prometheus-exporter-wsgi.conf"
     - "ironic-prometheus-exporter-wsgi.conf.j2"
-  when: service | service_enabled_and_mapped_to_host
+  when:
+    - service | service_enabled_and_mapped_to_host
+    - ironic_wsgi_provider == "apache"
 
 - name: Copying over existing Ironic policy file
   vars:
@@ -199,16 +201,19 @@
     name: service-uwsgi-config
   vars:
     project_services: "{{ ironic_services }}"
-    service: "{{ ironic_services['ironic-api'] }}"
-    service_name: "ironic-api"
-    service_uwsgi_config_http_port: "{{ ironic_api_listen_port }}"
+    service: "{{ ironic_services[item.name] }}"
+    service_name: "{{ item.name }}"
+    service_uwsgi_config_http_port: "{{ item.port }}"
     service_uwsgi_config_log_file_chmod: "644"
     service_uwsgi_config_module: "{{ service.wsgi }}"
     service_uwsgi_config_tls_backend: "{{ ironic_enable_tls_backend | bool }}"
     service_uwsgi_config_tls_cert: "/etc/ironic/certs/ironic-cert.pem"
     service_uwsgi_config_tls_key: "/etc/ironic/certs/ironic-key.pem"
     service_uwsgi_config_uid: "ironic"
-    service_uwsgi_config_workers: "{{ ironic_api_workers }}"
+    service_uwsgi_config_workers: "{{ item.workers }}"
   when:
     - service | service_enabled_and_mapped_to_host
     - ironic_wsgi_provider == "uwsgi"
+  loop:
+    - { name: "ironic-api", port: "{{ ironic_api_listen_port }}", workers: "{{ ironic_api_workers }}" }
+    - { name: "ironic-prometheus-exporter", port: "{{ ironic_prometheus_exporter_port }}", workers: "{{ ironic_prometheus_exporter_workers }}" }

ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2

@@ -1,20 +1,27 @@
 {% set ironic_prometheus_exporter_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
 {% set ironic_prometheus_exporter_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
+{% set command = ('/usr/sbin/' + apache_binary + ' -DFOREGROUND') if ironic_wsgi_provider == 'apache' else 'uwsgi /etc/ironic/ironic-prometheus-exporter-uwsgi.ini' %}
 {
-    "command": "/usr/sbin/{{ ironic_prometheus_exporter_cmd }} -DFOREGROUND",
+    "command": "{{ command }}",
     "config_files": [
+        {
+            "source": "{{ container_config_directory }}/ironic.conf",
+            "dest": "/etc/ironic/ironic.conf",
+            "owner": "ironic",
+            "perm": "0600"
+        }{% if ironic_wsgi_provider == 'apache' %},
         {
             "source": "{{ container_config_directory }}/ironic-prometheus-exporter-wsgi.conf",
             "dest": "/etc/{{ ironic_prometheus_exporter_dir }}/ironic-prometheus-exporter-wsgi.conf",
             "owner": "ironic",
             "perm": "0600"
-        },
+        }{% elif ironic_wsgi_provider == 'uwsgi' %},
         {
-            "source": "{{ container_config_directory }}/ironic.conf",
-            "dest": "/etc/ironic/ironic.conf",
+            "source": "{{ container_config_directory }}/ironic-prometheus-exporter-uwsgi.ini",
+            "dest": "/etc/ironic/ironic-prometheus-exporter-uwsgi.ini",
             "owner": "ironic",
             "perm": "0600"
-        }{% if kolla_copy_ca_into_containers | bool %},
+        }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
         {
             "source": "{{ container_config_directory }}/ca-certificates",
             "dest": "/var/lib/kolla/share/ca-certificates",

ansible/roles/manila/defaults/main.yml

@@ -8,6 +8,7 @@ manila_services:
     volumes: "{{ manila_api_default_volumes + manila_api_extra_volumes }}"
     dimensions: "{{ manila_api_dimensions }}"
     healthcheck: "{{ manila_api_healthcheck }}"
+    wsgi: "manila.wsgi.api:application"
     haproxy:
       manila_api:
         enabled: "{{ enable_manila }}"

ansible/roles/manila/tasks/config.yml

@@ -39,6 +39,21 @@
   when:
     - manila_copy_certs | bool
 
+- name: "Configure uWSGI for cloudkitty-api"
+  ansible.builtin.include_role:
+    name: service-uwsgi-config
+  vars:
+    project_services: "{{ manila_services }}"
+    service: "{{ manila_services['manila-api'] }}"
+    service_name: "manila-api"
+    service_uwsgi_config_http_port: "{{ manila_api_listen_port }}"
+    service_uwsgi_config_log_file_chmod: "644"
+    service_uwsgi_config_module: "{{ service.wsgi }}"
+    service_uwsgi_config_uid: "manila"
+    service_uwsgi_config_workers: "{{ manila_api_workers }}"
+  when:
+    - service | service_enabled_and_mapped_to_host
+
 - name: Copying over config.json files for services
   ansible.builtin.template:
     src: "{{ item.key }}.json.j2"