Skip to content

Commit 3ce2ac1

Browse files
authored
Merge pull request #894 from stackhpc/upstream/master-2026-06-29
Synchronise master with upstream
2 parents f55c7de + 1d47940 commit 3ce2ac1

19 files changed

Lines changed: 134 additions & 21 deletions

File tree

ansible/group_vars/all/keystone.yml

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ keystone_admin_project: "admin"
1616

1717
# Whether or not to apply changes to service user passwords when services are
1818
# reconfigured
19-
update_keystone_service_user_passwords: true
19+
update_keystone_service_user_passwords: false
2020

2121
default_project_domain_name: "Default"
2222
default_project_domain_id: "default"
@@ -68,13 +68,21 @@ keystone_default_user_role: "member"
6868
# The configuration of attribute mappings is a list of objects, where each
6969
# object must have a 'name' (that mapps to the 'attribute_mapping' to the IdP
7070
# object in the IdPs set), and the 'file' with a full qualified path to a mapping file.
71+
#
72+
# The "schema_version" attribute is optional. Here we just demonstrate a few examples of
73+
# configuration; before using them, one must check the supported version by Keystone. If
74+
# one wants to use the default of Keystone, she/he can omit the "schema_version" option.
75+
#
7176
# keystone_identity_mappings:
7277
# - name: "mappingId1"
7378
# file: "/full/qualified/path/to/mapping/json/file/to/mappingId1"
79+
# schema_version: "1.0"
7480
# - name: "mappingId2"
7581
# file: "/full/qualified/path/to/mapping/json/file/to/mappingId2"
82+
# schema_version: "2.0"
7683
# - name: "mappingId3"
7784
# file: "/full/qualified/path/to/mapping/json/file/to/mappingId3"
85+
# schema_version: "3.0"
7886
keystone_identity_providers: []
7987
keystone_identity_mappings: []
8088
keystone_public_port: "{{ haproxy_single_external_frontend_public_port if haproxy_single_external_frontend | bool else keystone_public_listen_port }}"

ansible/module_utils/kolla_podman_worker.py

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -539,8 +539,12 @@ def compare_config(self):
539539
if rc == 0:
540540
return False
541541
elif rc == 1:
542-
self._config_diff = (raw_output.decode('utf-8') if
543-
isinstance(raw_output, bytes) else raw_output)
542+
try:
543+
self._config_diff = (raw_output.decode('utf-8') if
544+
isinstance(raw_output, bytes) else
545+
raw_output)
546+
except UnicodeDecodeError:
547+
self._config_diff = 'container changed during config check'
544548
return True
545549
else:
546550
raise Exception('Failed to compare container configuration: '

ansible/roles/barbican/defaults/main.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -109,7 +109,7 @@ barbican_api_healthcheck_test:
109109
- >-
110110
healthcheck_curl {{
111111
'https' if barbican_enable_tls_backend | bool else 'http' }}://{{
112-
api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}/healthcheck"
112+
api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}/healthcheck
113113
barbican_api_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
114114
barbican_api_healthcheck:
115115
interval: "{{ barbican_api_healthcheck_interval }}"

ansible/roles/ironic/defaults/main.yml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,6 @@ ironic_services:
3434
group: ironic-conductor
3535
enabled: true
3636
image: "{{ ironic_conductor_image_full }}"
37-
privileged: true
3837
volumes: "{{ ironic_conductor_default_volumes + ironic_conductor_extra_volumes + lookup('vars', 'run_default_volumes_' + kolla_container_engine) }}"
3938
dimensions: "{{ ironic_conductor_dimensions }}"
4039
healthcheck: "{{ ironic_conductor_healthcheck }}"

ansible/roles/keystone/tasks/register_identity_providers.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -61,6 +61,7 @@
6161
ca_cert: "{{ openstack_cacert if openstack_cacert != '' else omit }}"
6262
name: "{{ item.name }}"
6363
rules: "{{ '{{ keystone_identity_mapping_rules | from_json }}' }}"
64+
schema_version: "{{ item.schema_version | default(omit) }}"
6465
state: present
6566
module_extra_vars:
6667
keystone_identity_mapping_rules: "{{ lookup('ansible.builtin.file', item.file) }}"

ansible/roles/nova-cell/defaults/main.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -639,6 +639,17 @@ libvirt_sasl_authname: "nova"
639639
libvirt_sasl_mech_list:
640640
- "{{ 'SCRAM-SHA-256' if libvirt_tls | bool else 'DIGEST-MD5' }}"
641641

642+
# Connection processing limits for libvirtd. nova-compute is effectively the
643+
# only privileged client of libvirtd under Kolla, so libvirt's stock per-client
644+
# request cap (max_client_requests=5) is the binding constraint rather than a
645+
# safety net: concurrent instance builds plus the resource-tracker periodic
646+
# routinely exceed five in-flight RPCs, which starves keepalive responses until
647+
# libvirtd drops the connection. Raise the per-client cap, and the worker pool
648+
# along with it so that lifting the per-client limit does not starve other
649+
# connections (live migration, health checks, periodics).
650+
libvirt_max_client_requests: 20
651+
libvirt_max_workers: 50
652+
642653
####################
643654
# Kolla
644655
####################

ansible/roles/nova-cell/templates/libvirtd.conf.j2

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,3 +25,13 @@ listen_addr = "{{ migration_interface_address }}"
2525
# Enable read-only access to libvirt socket
2626
auth_unix_ro = "none"
2727
{% endif %}
28+
29+
# Connection processing limits. libvirt's defaults (max_workers=20,
30+
# max_client_requests=5) assume a multi-tenant host with many mutually
31+
# distrustful clients. Under Kolla, nova-compute is effectively the sole
32+
# privileged client, so the per-client cap of 5 becomes the binding
33+
# constraint: concurrent builds plus the resource-tracker periodic exceed
34+
# five in-flight RPCs and starve keepalive responses, causing libvirtd to
35+
# drop the connection after keepalive_interval (5s) x keepalive_count (5).
36+
max_workers = {{ libvirt_max_workers }}
37+
max_client_requests = {{ libvirt_max_client_requests }}

doc/source/admin/password-rotation.rst

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,13 @@ The majority of the secrets can be applied by simply reconfiguring services
3838
with ``kolla-ansible reconfigure``. Below is a list of secrets that can be
3939
applied this way.
4040

41+
.. note::
42+
43+
Rotating ``*_keystone_password`` secrets requires
44+
``update_keystone_service_user_passwords`` to be set to ``true`` in
45+
``globals.yml`` before running ``kolla-ansible reconfigure``, as the default
46+
is ``false``. This setting may be reverted to ``false`` after the reconfigure
47+
completes.
4148

4249
* ``*_keystone_password``
4350
* ``*_database_password`` (excluding ``nova_database_password``)

doc/source/reference/compute/libvirt-guide.rst

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -198,3 +198,26 @@ Since the Yoga release, the ``kolla-ansible certificates`` command generates
198198
certificates for libvirt TLS. A single key and certificate is used for all
199199
hosts, with a Subject Alternative Name (SAN) entry for each compute host
200200
hostname.
201+
202+
Libvirt Connection Limits
203+
=========================
204+
205+
By default ``libvirt`` is configured by upstream packages with reasonable
206+
defaults for an environment where many users are starting and stopping virtual
207+
machines. This isn't true for Kolla Hypervisor nodes, where a single
208+
``nova-compute`` container manages all of the virtual machine instances on the
209+
machine.
210+
211+
Kolla-Ansible therefore tunes the following values in ``libvirtd.conf``:
212+
213+
* libvirt_max_client_requests: raised to 20 compared to the usual default of
214+
5.
215+
* libvirt_max_workers: raised to 50 compared to the usual default of 20.
216+
217+
Both of these values may be overridden in ``globals.yml``.
218+
219+
This means that ``nova-compute`` can therefore perform 20 operations via
220+
libvirt simultaneously instead of the usual default of 5. These values should
221+
be safe, but if you see libvirt error messages saying ``Client hit max requests
222+
limit``, you may want to consider an additional increase -- especially if you
223+
have particularly large hypervisors.

doc/source/reference/shared-services/keystone-guide.rst

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -87,6 +87,7 @@ below:
8787
keystone_identity_mappings:
8888
- name: "mappingId1"
8989
file: "/full/qualified/path/to/mapping/json/file/to/mappingId1"
90+
schema_version: "2.0"
9091
9192
In some cases it's necessary to add JWKS (JSON Web Key Set) uri.
9293
It is required for auth-openidc endpoint - which is

0 commit comments

Comments
 (0)