Age | Commit message (Collapse) | Author | Files | Lines |
|
In Ocata all live-migration over ssh is performed on the default ssh port (22).
In Pike the containerized live-migration over ssh is on port 2022 as the
docker host's sshd is using port 22.
To allow live migration during upgrade we need to temporarily pin the Pike
computes to port 22 and in the final converge we can switch over to port 2022.
This patch make the necessary puppet-tripleo change to allow this:
- Adds support in sshd profile for listening on multiple ports.
- Adds a profile to allow proxying to the containerized sshd from the
baremetal sshd
Change-Id: I0b80b81711f683be539939e7d084365ff63546d3
Related-bug: 1714171
(cherry picked from commit 05a413c34fa1266d38bf991a1f5ed2795631f0b7)
|
|
This adds a TLS proxy in front of it so it serves TLS in the internal
network.
bp tls-via-certmonger
Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
|
|
|
|
The default (on RHEL/CentOS) is to use polkit but this is only useful
for GUI support or for fine grained API access control. As we don't
require either we can achieve identical control using plain old unix
filesystem permissions.
I've merged Sven's changes from https://review.openstack.org/484979
and https://review.openstack.org/487150.
As we need to be careful with the libvirtd option quoting I think it's
best to do this in puppet-tripleo instead of t-h-t yaml.
The option to override the settings from t-h-t remains.
Co-Authored-By: Sven Anderson <sven@redhat.com>
Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6
Closes-bug: 1696504
Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2
Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
|
|
Recent changes in Nova [0] and Cinder [1] result in Barbican being selected
as the default encryption key manager, even when TripleO is not deploying
Barbican.
This change ensures the legacy key manager is enabled when no key manager
(such as Barbican) has been specified. This restores the previous behavior,
where the legacy key manager was enabled by default.
[0] https://review.openstack.org/484501
[1] https://review.openstack.org/485322
Closes-Bug: #1706389
Change-Id: Idc92f7a77cde757538eaac51c4ad8dc397f9c3d3
|
|
The unit tests jobs are failing because of missing pre conditions for
the new shared class introduced by
Ib233689fdcdda391596d01a21f77bd8e1672ae04. Additionally this change
moved some classes around so that the tests are now failing due to
duplicate class declarations for nova::compute::libvirt::services. This
change moves the include that pulls in the declaration first prior to
the include that exists in tripleo::profile::base::nova::libvirt.
The selinux test was also failing due to a type issue with the fact
being used (boolean vs string)
Change-Id: I5bd4b61d6008820729d58f7743e7e61955dd6f51
Closes-Bug: #1707034
|
|
Some of the tasks carried by nova::compute::rbd class apply libvirt.
Change-Id: Ib233689fdcdda391596d01a21f77bd8e1672ae04
Depends-On: I28557deb13b75922932cd3e86c3467a541c988d0
|
|
|
|
This is set via all_nodes_config in t-h-t, but it's a special case for
this service, so it'll be better if we handle the ipv6 transformation
in puppet instead of relying on the service specific list mangling in
t-h-t (one aspect of which has been identified as a potential performance
problem).
Related-Bug: #1684272
Change-Id: Iccb9089db4b382db3adb9340f18f6d2364ca7f58
|
|
|
|
This currently assumes nova-compute and iscsid run in the same context which
isn't true for a containerized deployment
Change-Id: I91f1ce7625c351745dbadd84b565d55598ea5b59
|
|
It is not necessary to mangle libvirt_rbd_secret_key parameter as this
is now given by the templates.
Depends-On: Iff3dbcb0f1b4d2373570e184e636a71553cea708
Change-Id: I6b163ab102f505f0d0ce9eb1ad9d4274e4ff6348
|
|
The nova migration config has always been applied by the base::nova profile.
It assumed that libvirtd/nova-compute and are all running on the
same host.
Where this config didn't apply (e.g a nova api host) it was disabled by a flag.
This approach is not compatible with containers. Hieradata for all containers
are combined so per-host flags no longer work, and we can no longer assume
libvirtd and nova-compute run in the same context.
This change refactors the profiles out of the base nova profile and into
a client profile and a target profile that can be included where appropriate.
Change-Id: I063a84a8e6da64ae3b09125cfa42e48df69adc12
Implements: blueprint tripleo-cold-migration
|
|
Puppet wipes out whatever is not in it's resource catalog each run for
httpd. This causes httpd to restart if in the next step there are
reasources added that were not there earlier.
This patch, thus changes the instances of httpd to start at the same
time: On step 3 for the bootstrap node, and on step 4 for every other
node.
Closes-Bug: #1699502
Change-Id: I3d29728c1ab7bd5b78100f89e00e5fa082f97b0c
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
|
|
The step is typically set with the hieradata setting an integer value:
{"step": 1}
However it would be useful for the value to be a string so that
substitutions are possible, for example:
{"step": "%{::step}"}
This change ensures the step parameter defaults to an integer by
calling Integer(hiera('step'))
This change was made by manually removing the undef defaults from
fluentd.pp, uchiwa.pp, and sensu.pp then bulk updating with:
find ./ -type f -print0 |xargs -0 sed -i "s/= hiera('step')/= Integer(hiera('step'))/"
Change-Id: I8a47ca53a7dea8391103abcb8960a97036a6f5b3
|
|
Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.
Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
|
|
Change-Id: Id933276fab16eebd72751dca136ad805547e6291
Related-Bug: #1676491
|
|
This is now the job of the certmonger_user profile. So these bits are
not needed anymore in the service profiles.
Change-Id: Iaa3137d7d13d5e707f587d3905a5a32598c08800
Depends-On: Ibf58dfd7d783090e927de6629e487f968f7e05b6
|
|
We attempt to use iscsi-iname in an exec for our nova compute profile
but we do not ensure that the package providing this command is
installed. This change adds the package definition for
iscsi-initiator-utils to ensure it is installed before trying to use
iscsi-iname.
Change-Id: I1bfdb68170931fd05a09859cf8eefb50ed20915d
Closes-Bug: #1675462
|
|
The Nova Placement API's configuration currently relies
on the nova-api profile for its keystone authtoken
configuration. This means that Nova Placement would
fail if it got installed on an isolated node or
docker container (this currently breaks TripleO's
deployment of placement via docker).
This patch creates a new authtoken profile and
calls it via the api and placement roles.
Change-Id: I7b38ab6ba5cae41689ac500d97dec4d09c73d387
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
|
|
|
|
|
|
- transform nova_api_wsgi_enabled in a parameter
- update rspec tests
- fix TLS to run at step 1
Change-Id: I4d3f9c92f0717ae8c3bc8d71065fab281de82008
|
|
We need to run nova-cell_v2-discover_hosts at the very end of the
deployment because nova database needs to be aware of all registred
compute hosts.
1. Move keystone resources management at step 3.
2. Move nova-compute service at step 4.
3. Move nova-placement-api at step 3.
5. Run nova-cell_v2-discover_hosts at step 5 on one nova-api node.
6. Run neutron-ovs-agent at step 5 to avoid racy deployments where
it starts before neutron-server when doing HA deployments.
With that change, we expect Nova aware of all compute services deployed
in TripleO during an initial deployment.
Depends-On: If943157b2b4afeb640919e77ef0214518e13ee15
Change-Id: I6f2df2a83a248fb5dc21c2bd56029eb45b66ceae
Related-Bug: #1663273
Related-Bug: #1663458
|
|
|
|
1. Move keystone resources management at step 4.
2. Move nova-compute startup at step 5.
That way, we make sure nova-compute will start when all Keystone
resources are ready.
Change-Id: I6e153e11b8519254d2a67b9142bf774a25bce69d
Closes-Bug: #1663273
|
|
Cleanup patch once the THT patch is merged.
Change-Id: Iba439a4758a4728197d7620b764a4f0f2648ee0f
Depends-On: I09b73476762593642a0e011f83f0233de68f2c33
|
|
|
|
On compute nodes, instead of binding vnc server on 0.0.0.0, use the IP
address provided by libvirt's t-h-t profile (hiera).
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: Ie377c09734e9f6170daa519aed69c53fc67c366b
Change-Id: If6b116b238a52144aad5e76c9edc7df6aa15313c
Closes-Bug: #1660099
|
|
It was suggested by Nova team to not deploying Nova API in WSGI with
Apache in production.
It's causing some issues that we didn't catch until now (see in the bug
report). Until we figure out what was wrong, let's disable it so we can
move forward in the upgrade process.
Related-Bug: 1661360
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
|
|
it's not required in Ocata, let's configure the basic setup for cells.
note: it also cleanup old code that is not valid anymore.
Change-Id: Iac5b2fbe1b03ec7ad4cb8cab2c7694547be6957d
|
|
|
|
Change-Id: If4b091e1ca02f43aa9c65392baf8ceea007b7cfb
|
|
nova::placement needs to be declared on more than placement api node,
because credentials are used by different services (at least
nova-compute now).
This patch moves the class to base/nova.pp, at the same step.
So compute nodes will have the credentials and will be able to use
Placement API on multinode environments.
Change-Id: Iada8e9fcccec7dbfe7ac0ec0f9ec6eac1581290e
|
|
|
|
This feature is broken for us now and there is work in progress in Nova
to improve nova cell deployment.
Until it's fixed upstream, we need to disable cells deployment for now,
so we can promote our CI.
Change-Id: I379ba9e94a92ed225a03a67fc975b542447a9c8b
Related-Bug: #1649341
|
|
Allow TripleO to deploy Nova Placement API with a new profile.
Change-Id: I5e25a50f3d7a9b39f4146a61cb528963ee09e90c
|
|
Having the db_sync code live in the mysql profile causes
coupling that doesn't work unless your MySQL server has the
latest Nova packages installed. This may not work for some
baremetal setups (where an isolated database exists) or
with containers where the MySQL container definately doesn't
have nova packages installed.
Moving this code into the nova-api role also matches where we
were already db syncing the normal API database so it should be
fine and safe.
Change-Id: Ib625e2ac9c8d6bd1d335c58e291facc4ea5839ae
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
|
|
nova::wsgi::apache was deprecated in ocata in favor of
nova::wsgi::apache_api.
Let's switch to it.
Change-Id: I59b3b36be33268fa6e261a7db3c4aa8e8e712ffb
Depends-On: I5fc99062d349597393e2248c66f2d863029c7730
|
|
This is useful to customize the libvirt/qemu.conf limits when deploying
a large overcloud or one with many Ceph OSDs.
Change-Id: I258afd3ee6633e4b2ebc45aa8611be652476be0c
Depends-On: I5fa423a4b212d14f6e9ff6a270931b569558b54e
|
|
This optionally enables TLS for Nova API in the internal network.
If internal TLS is enabled, each node that is serving the Nova API
service will use certmonger to request its certificate.
Note that this doesn't enable internal TLS for the nova metadata
service since it doesn't run over httpd. This will be handled in
a later commit.
bp tls-via-certmonger
Change-Id: I88380a1ed8fd597a1a80488cbc6ce357f133bd70
|
|
|
|
|
|
This patch updates the Nova profile so that we set memcached
servers correctly for the Nova keystone auth_token middleware.
Most of the hiera settings for ::nova::keystone::authtoken are
already included in the t-h-t nova-api service.
Change-Id: I3b7ff02abbd0d5e0c38232d02b33e4c7bc411120
Closes-bug: #1633595
|
|
The patch making nova run over httpd had added migration logic to
stop nova-api, However, this doesn't work since nova-metadata is
running over the same process. Now, the fact that is was running
seems to be just luck, since the systemctl runs, then we start the
service via the nova::api resource. So this is fragile in it's
current state.
This then removes the exec, as we don't need it for the migration.
Change-Id: I4603b81d30a704b07eef461b3cdbfe164614b04f
|
|
We can now get this parameter from t-h-t, so it's not needed here.
Change-Id: I014e7b3a6feb5609ace2e8ef1e4df11448b0a0cc
Depends-On: Ic229182cc5c887b57f6182c3db1bac8bed330f7c
|
|
This adds the necessary resources to the manifest to migrate nova
to run over httpd. The service name will be moved to t-h-t in a
subsequent commit, but since this patch depends on t-h-t, we try to
avoid circular dependencies of repos.
Change-Id: I91d430a3871672f90b0f885736f067ddae3c238c
Depends-On: I57fb20cf0d58b3376243ba4aeb04e995e7152ce3
|
|
This patch moves the various DB syncs into the MySQL role.
Database creation needs to occur on the MySQL server to
avoid permission issues.
This patch also moves database creation to step 2 so we can
guarantee that all per-service databases exist at this time.
This avoids complex ordering needed during step 3 where
services, on different hosts, can run their own db sync's
in a distributed fashion.
Change-Id: I05cc0afa9373429a3197c194c3e8f784ae96de5f
Partial-bug: #1620595
|
|
As we are staring to manually check overcloud services
the first step is to check that the puppet profiles
are all aligned.
Changes applied:
No logic added or removed in this submission.
Removed unused parameters.
Align header comments structure.
All profiles parameters sorted following:
"Mandatory params first sorted alphabetically
then optional params sorted alphabetically."
Note: Following submissions will check pacemaker,
cinder, mistral and redis services in the base profiles
as some of them has the $pacemaker_master parameter
defaulted to true.
Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
|
|
|