From c35e2181a391aa36e79ab0b8dc7b2cd6583f57ee Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Mon, 20 Apr 2026 08:41:07 +0200
Subject: [PATCH 1/6] kolla-toolbox: Retry ansible --version check

We've seen CI failures multiple times when the container was not
yet up before this check ran

Change-Id: Ib78e27ac4e06a39ed76c410a000ed3d3d647bd2e
Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com>
---
 ansible/roles/kolla_toolbox/handlers/main.yml | 3 +++
 zuul.d/scenarios/aio.yaml                     | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/kolla_toolbox/handlers/main.yml b/ansible/roles/kolla_toolbox/handlers/main.yml
index 73db9be9de..0c71b3953f 100644
--- a/ansible/roles/kolla_toolbox/handlers/main.yml
+++ b/ansible/roles/kolla_toolbox/handlers/main.yml
@@ -23,3 +23,6 @@
   become: true
   ansible.builtin.command: "{{ kolla_container_engine }} exec -t {{ service['container_name'] }} ansible --version"
   changed_when: false
+  until: result.rc == 0
+  retries: 5
+  delay: 5
diff --git a/zuul.d/scenarios/aio.yaml b/zuul.d/scenarios/aio.yaml
index 95fa0a9e08..564572c6cc 100644
--- a/zuul.d/scenarios/aio.yaml
+++ b/zuul.d/scenarios/aio.yaml
@@ -7,7 +7,7 @@
       - ^ansible/group_vars/all/(common|cron|fluentd|glance|haproxy|heat|horizon|keepalived|keystone|loadbalancer|neutron|nova|nova-cell|openvswitch|placement|proxysql|rabbitmq).yml
       - ^ansible/group_vars/baremetal/ansible-python-interpreter.yml
       - ^ansible/(action_plugins|filter_plugins|library|module_utils)/
-      - ^ansible/roles/(common|cron|fluentd|glance|haproxy-config|heat|horizon|keystone|loadbalancer|loadbalancer-config|neutron|nova|nova-cell|openvswitch|placement|proxysql|rabbitmq|service.*)/
+      - ^ansible/roles/(common|cron|fluentd|glance|haproxy-config|heat|horizon|keystone|kolla-toolbox|loadbalancer|loadbalancer-config|neutron|nova|nova-cell|openvswitch|placement|proxysql|rabbitmq|service.*)/
       - ^ansible/templates/
       - ^kolla_ansible/
       - ^roles/kolla-ansible-(deploy|tempest|test-dashboard|reconfigure)/

From 19ad49c90f6307ec6f2e63631f9a5831a4fd00cf Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Mon, 8 Jun 2026 16:14:04 +0100
Subject: [PATCH 2/6] CI: Temporarily disable keepalived track script

Change-Id: If31a5ff7c715f39fd7d74131745eed5d00bf0975
Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com>
---
 tests/templates/globals-default.j2 | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2
index a10bc267ce..ea45c562df 100644
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -246,9 +246,7 @@ octavia_network_type: "tenant"
 enable_valkey: "yes"
 {% endif %}
 
-{% if groups['all'] | length == 1 %}
 keepalived_track_script_enabled: "no"
-{% endif %}
 
 neutron_modules_extra:
   - name: 'nf_conntrack_tftp'

From 1e0fa6c62bbb6129f29f01605a00ce3e0f50e27a Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Mon, 8 Jun 2026 06:00:05 +0100
Subject: [PATCH 3/6] proxysql: fix keepalived healthcheck to use MySQL
 protocol

The check_alive_proxysql.sh script piped raw ASCII text
("show info\n") directly into the admin socket via socat, bypassing
the MySQL handshake.

ProxySQL's MySQL_Data_Stream interprets the first 3 bytes of "show"
as a little-endian packet length (7301235), which has always been
semantically wrong - the check only appeared to work because socat
received ProxySQL's binary handshake greeting back and exited 0.

ProxySQL 3.0.9 introduced a pre-authentication bounds check
(GHSA-58ww-865x-grpr) that explicitly rejects first packets whose
declared length exceeds the 32 KB input queue capacity and closes
the connection.
This causes socat to exit non-zero, making keepalived mark ProxySQL
as unhealthy on every check interval.

Replace the raw socat probe with a mariadb client connection that
speaks proper MySQL protocol against the admin socket.

Closes-Bug: #2155865

Depends-On: https://review.opendev.org/c/openstack/kolla/+/992239

Change-Id: Ic090916509cbb1bd98c96e8beb32ec9e90bfc6aa
Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com>
---
 .../templates/keepalived/check_alive_proxysql.sh.j2       | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/loadbalancer/templates/keepalived/check_alive_proxysql.sh.j2 b/ansible/roles/loadbalancer/templates/keepalived/check_alive_proxysql.sh.j2
index a3e3dd78d6..a3f221c022 100644
--- a/ansible/roles/loadbalancer/templates/keepalived/check_alive_proxysql.sh.j2
+++ b/ansible/roles/loadbalancer/templates/keepalived/check_alive_proxysql.sh.j2
@@ -3,4 +3,10 @@
 # This will return 0 when it successfully talks to the ProxySQL daemon via localhost
 # Failures return 1
 
-echo "show info" | socat unix-connect:/var/lib/kolla/proxysql/admin.sock stdio > /dev/null
+mariadb --no-defaults \
+  --protocol socket \
+  --socket=/var/lib/kolla/proxysql/admin.sock \
+  --user={{ proxysql_admin_user }} \
+  --password={{ proxysql_admin_password }} \
+  --skip-ssl \
+  -e "SELECT 1" 2>/dev/null

From 971e71405e640e1b4f7679bac3fea26a881b71bf Mon Sep 17 00:00:00 2001
From: Michal Arbet <michal.arbet@ultimum.io>
Date: Tue, 9 Jun 2026 14:34:42 +0200
Subject: [PATCH 4/6] Fix missing register in toolbox initialization handler

Add the missing register statement required by the until
condition when waiting for the toolbox container to become
ready.

Fixing https://review.opendev.org/c/openstack/kolla-ansible/+/985324

Signed-off-by: Michal Arbet <michal.arbet@ultimum.io>
Change-Id: I5a3dddc7743ea6f0e261708baec8e396ca93abc8
---
 ansible/roles/kolla_toolbox/handlers/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible/roles/kolla_toolbox/handlers/main.yml b/ansible/roles/kolla_toolbox/handlers/main.yml
index 0c71b3953f..8acaece936 100644
--- a/ansible/roles/kolla_toolbox/handlers/main.yml
+++ b/ansible/roles/kolla_toolbox/handlers/main.yml
@@ -23,6 +23,7 @@
   become: true
   ansible.builtin.command: "{{ kolla_container_engine }} exec -t {{ service['container_name'] }} ansible --version"
   changed_when: false
+  register: result
   until: result.rc == 0
   retries: 5
   delay: 5

From 363adab9ea01144ba8d515e70b4780d3122af837 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <kajinamit@oss.nttdata.com>
Date: Wed, 27 May 2026 22:07:45 +0900
Subject: [PATCH 5/6] Drop leftovers of neutron-infoblox-ipam-agent support

These were overlooked in the previous attempt.

Remove neutron_ipam_driver since the only option would
be left supported is the default one [1].

[1]: https://docs.openstack.org/neutron/latest/configuration/neutron.html#DEFAULT.ipam_driver

Change-Id: I780851ba15871627bae6ebf2ea003bd945605964
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com>
---
 ansible/group_vars/all/neutron.yml              | 3 ---
 ansible/roles/neutron/templates/neutron.conf.j2 | 2 --
 etc/kolla/globals.yml                           | 4 ----
 tests/templates/inventory.j2                    | 3 +++
 4 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/ansible/group_vars/all/neutron.yml b/ansible/group_vars/all/neutron.yml
index a71cbb3477..91b81658a0 100644
--- a/ansible/group_vars/all/neutron.yml
+++ b/ansible/group_vars/all/neutron.yml
@@ -24,9 +24,6 @@ neutron_keystone_user: "neutron"
 # Valid options are [ openvswitch, ovn ]
 neutron_plugin_agent: "openvswitch"
 
-# Valid option is [ internal ]
-neutron_ipam_driver: "internal"
-
 eutron_external_interface: "eth1"
 
 #######################
diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2
index 0fdc374335..43ab511b6c 100644
--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@@ -52,8 +52,6 @@ dns_domain = {{ neutron_dns_domain }}
 external_dns_driver = designate
 {% endif %}
 
-ipam_driver = {{ neutron_ipam_driver }}
-
 [nova]
 auth_url = {{ keystone_internal_url }}
 auth_type = password
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 44904c9d7d..c900a2533d 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -160,9 +160,6 @@ workaround_ansible_issue_8743: true
 # Valid options are [ openvswitch, ovn ]
 #neutron_plugin_agent: "openvswitch"
 
-# Valid options are [ internal, infoblox ]
-#neutron_ipam_driver: "internal"
-
 # Configure Neutron upgrade option, currently Kolla support
 # two upgrade ways for Neutron: legacy_upgrade and rolling_upgrade
 # The variable "neutron_enable_rolling_upgrade: true" is meaning rolling_upgrade
@@ -406,7 +403,6 @@ workaround_ansible_issue_8743: true
 #enable_neutron_sfc: false
 #enable_neutron_trunk: false
 #enable_neutron_metering: false
-#enable_neutron_infoblox_ipam_agent: false
 #enable_neutron_port_forwarding: false
 #enable_nova_serialconsole_proxy: false
 #enable_nova_ssh: true
diff --git a/tests/templates/inventory.j2 b/tests/templates/inventory.j2
index 433263430b..c6abc787bd 100644
--- a/tests/templates/inventory.j2
+++ b/tests/templates/inventory.j2
@@ -325,8 +325,11 @@ neutron
 [neutron-dhcp-agent:children]
 neutron
 
+{# NOTE(mnasiadka): Remove me after 2026.2 release #}
+{% if is_upgrade %}
 [neutron-infoblox-ipam-agent:children]
 neutron
+{% endif %}
 
 [neutron-l3-agent:children]
 neutron

From 428951a945ce5faf18bff829e74c29688f8a53e3 Mon Sep 17 00:00:00 2001
From: Bartosz Bezak <bartosz@stackhpc.com>
Date: Fri, 12 Jun 2026 14:37:23 +0100
Subject: [PATCH 6/6] CI: Move aarch64 jobs to experimental pipeline

OpenDev does not have enough aarch64 node capacity at this point to
run these jobs on every change. Move them from the check-arm64
pipeline to the experimental pipeline, so they can still be run on
demand by commenting "check experimental" on a change.

Change-Id: I2522bb1bba7f704fe73bbff75f94bd4477acc615
Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com>
---
 zuul.d/scenarios/aio.yaml    | 12 ++++++------
 zuul.d/scenarios/ironic.yaml |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/zuul.d/scenarios/aio.yaml b/zuul.d/scenarios/aio.yaml
index 69f5405b87..7ad38c71d2 100644
--- a/zuul.d/scenarios/aio.yaml
+++ b/zuul.d/scenarios/aio.yaml
@@ -146,12 +146,6 @@
         - kolla-ansible-ubuntu-noble
         - kolla-ansible-ubuntu-noble-podman
         - kolla-ansible-ubuntu-noble-upgrade
-    check-arm64:
-      jobs:
-        - kolla-ansible-debian-trixie-aarch64
-        - kolla-ansible-debian-trixie-aarch64-podman
-        - kolla-ansible-debian-trixie-aarch64-upgrade
-        - kolla-ansible-ubuntu-noble-aarch64
     gate:
       jobs:
         - kolla-ansible-debian-trixie
@@ -163,3 +157,9 @@
         - kolla-ansible-ubuntu-noble
         - kolla-ansible-ubuntu-noble-upgrade
         - kolla-ansible-ubuntu-noble-podman
+    experimental:
+      jobs:
+        - kolla-ansible-debian-trixie-aarch64
+        - kolla-ansible-debian-trixie-aarch64-podman
+        - kolla-ansible-debian-trixie-aarch64-upgrade
+        - kolla-ansible-ubuntu-noble-aarch64
diff --git a/zuul.d/scenarios/ironic.yaml b/zuul.d/scenarios/ironic.yaml
index 333ba0026e..99fc0e2ccd 100644
--- a/zuul.d/scenarios/ironic.yaml
+++ b/zuul.d/scenarios/ironic.yaml
@@ -71,6 +71,6 @@
         - kolla-ansible-rocky-10-ironic-upgrade
         - kolla-ansible-ubuntu-noble-ironic
         - kolla-ansible-ubuntu-noble-ironic-upgrade
-    check-arm64:
+    experimental:
       jobs:
         - kolla-ansible-debian-trixie-aarch64-ironic