Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
The bootstrap_nodeid comparison should be case insensitive.
Change-Id: I1e6672bb0219c1cf56ab21dd911c6f33e2436cc3
Closes-Bug: #1698190
|
|
gnocchi upgrade requires storage sacks to be initialized. This means
we need to ensure the storage backends are up before running the
upgrade and starting the api. Lets move the api to step 4 so we can
ensure other dependencies are in place.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: Ibfa9fb39f60c1e4a802d189b32ff4c34476c93d3
Change-Id: If2ae48b21389e76fd638c0b48c148a5d4f227630
|
|
It makes little sense to enforce the stonith property on remote nodes and/or
all cluster nodes. We can just enforce it once on the pacemaker_master
node as it is a cluster-wide property anyway. We can also remove the
tripleo::fencing -> pacemaker::stonith constraint in the pacemaker
remote profile now as the fencing stuff happens on step 5 anyway and
the property is set at step 1.
While this works in general it creates extra CIB changes for nothing and
slows down the deployment.
Change-Id: Ifef08033043a4cc90a6261e962d2fdecdf275650
Closes-Bug: #1696336
|
|
The step is typically set with the hieradata setting an integer value:
{"step": 1}
However it would be useful for the value to be a string so that
substitutions are possible, for example:
{"step": "%{::step}"}
This change ensures the step parameter defaults to an integer by
calling Integer(hiera('step'))
This change was made by manually removing the undef defaults from
fluentd.pp, uchiwa.pp, and sensu.pp then bulk updating with:
find ./ -type f -print0 |xargs -0 sed -i "s/= hiera('step')/= Integer(hiera('step'))/"
Change-Id: I8a47ca53a7dea8391103abcb8960a97036a6f5b3
|
|
|
|
|
|
|
|
Change-Id: I097c494d3953b7d26d94aecc546ddef5225d1125
Depends-On: I2f0eb779b711e57f1532b1227896542d0ecffc89
|
|
The current order is broken if there were changes to the account and
container devices, but not to the object devices. In these cases it can
happen that the rebalance happens before modifying devices.
Change-Id: I15641c32266939c9a00936cc471cc59b1bb54eec
|
|
|
|
This sets up the CRL file to be triggered on the certmonger_user
resource. Furtherly, HAProxy uses this CRL file in the member options,
thus effectively enabling revocation for proxied nodes.
So, if a certificate has been revoked by the CA, HAProxy will not proxy
requests to it.
bp tls-via-certmonger
Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
|
|
docker host"
|
|
|
|
If the tripleo::profile::base::neutron::sriov is included it
is expected that the SR-IOV agent should be deployed and configured so
references to core plugin configuration is out of place and currently
breaks deployment.
Change-Id: Ie5d8cd7863c0d042cc6a4e1fc52602d8a03a1935
|
|
The ring up- and downloading was never executed if run within a
containerized environment. This is due to the fact that this manifest
gets executed within step 6(5) only. There is also an ordering issue,
which actually tries to create the tarballs before rebalancing.
This patch fixes the step conditions and also chains the tarball
creation to the rebalance.
The check to query rings on all nodes can now be disabled. This is
required on containerized environments: the local ring will be modified
and rebalanced, but rings on the existing servers are not yet modified.
Therefore a recon-check will fail, and needs to be disabled.
Closes-Bug: 1694211
Change-Id: I51c5795b9893d797bd73e059910f17a98f04cdbe
|
|
host
The polkit rules are currently evaluated in the context of the docker host.
As a result the check fails for the kolla nova compute user, as the uids are not
consistent with the host uids (in fact we probably can't assume a nova user exists
on the docker host).
As a short-term workaround a 'docker_nova' user group is created on the docker host
and the polkit rule is updated to grant this user access to the libvirtd socket.
Longer term solution probably requires running polkitd in a container too.
Change-Id: I91be1f1eacf8eed9017bbfef393ee2d66771e8d6
Related-bug: #1693844
|
|
|
|
This is needed in order to deploy novajoin in a containerized undercloud
environment.
Change-Id: Iea461f66b8f4e3b01a0498e566a2c3684144df80
|
|
|
|
|
|
If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must
be enabled. This setting allows LDAP communications to the confined
LDAP/server port. This change includes a conditional for enabling this
Boolean only when selinux is in use.
Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe
Closes-Bug: #1695002
|
|
|
|
|
|
This likely explains why CI appears to still be running the
devicemapper driver even though overlay2 is now the default.
Change-Id: Ic2d80bae1fddbdb1c80bae297031521dd78d896a
Closes-Bug: #1692502
|
|
|
|
|
|
ceilometer-upgrade should only run on controller nodes.
Since its currently in base profile, it gets triggered
on compute as well. So instead split out the upgrade
into its own and include when we deploy notification
and central agents instead.
Change-Id: I2910e8aa5da7fded4cf94b57fb0a14fefd88adbe
Closes-bug: #1693339
|
|
|
|
|
|
This patch makes sure the octavia mysql user is created when the
octavia_api service is enabled.
Change-Id: I270f3f6879737fc29370165e4a8fa8c9c19fffb3
|
|
If novajoin is enabled, the keystone profile should create its user.
bp tls-via-certmonger-containers
Change-Id: Ifb43b72cbf0180cf12e6d3584c92ae01ce5294e5
|
|
|
|
|
|
This patch switches the default to the overlay2 storage driver and see
if it helps performance.
Background:
The loopback driver is not recommended for production. Most
other docker storage backends require extra disks (or partitions)
which we don't have on the root disk. Overlay seems to make the
most since for TripleO upgrades where we intend to update
in-place installations to use docker.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
|
|
|
|
disabled."
|
|
bp tls-via-certmonger
Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
|
|
Add composable service interface for Neutron LBaaSv2 service.
Change-Id: Ieeb21fafd340fdfbaddbe7633946fe0f05c640c9
|
|
|
|
|
|
In order to support vhostuser client mode, a vhostuser_socket_dir
needs to be created with qemu:qemu g+w permissions.
Closes-Bug: #1675690
Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com>
Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8
Signed-off-by: Karthik S <ksundara@redhat.com>
|
|
|
|
We currently create remote resources without waiting for their creation.
This leads to the following potential race (spotted by Marian Mkrcmari):
- On Step1 pacemaker bootstrap node creates the resource but the remote
resource is not yet created
- Step1 completes and Step2 starts
- On Step2 the remote node sets a property (or calls pcs cib) but the
remote is not yet set up so 'pcs cluster cib' will fail there with:
(err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster
cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed
with code: 1 ->
Note that when verify_on_create is set to true we are not using the cib
dump/push mechanism. That is fine because we create the remotes on
step1 and the dump/push mechanism is only needed starting from step2
when multiple nodes set cluster properties at the same time.
Tested by Marian Mkrcmari successfully as well.
Closes-Bug: #1689028
Change-Id: I764526b3f3c06591d477cc92779d83a19802368e
Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f
|
|
In order to have the chicken-egg work, service_name had to be explicitly
passed to ::mistral::api. This switches to using values from t-h-t.
Change-Id: Ib94e51f863ba59a1a1db47d58aed3ba4e5fc9650
Depends-On: Ie98dd5061d92dbc3c15bdd8926b0e3d62cc471f6
|
|
Mistral should run under mod_wsgi. Enable that.
Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc
Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
|
|
Mistral has an event engine for triggering cron events. Let's run it.
Change-Id: I386e0b77064ca6938af36238f82bfec010aa5a17
Depends-On: Icaef5e5732f98e9cc39ed1f024d715cee371acac
|
|
An error (e.g a typo) in a custom tripleo-heat-templates environment
file could lead to an invalid match block in /etc/ssh/sshd_config.
SSH fails-safe and refuses all logins in this case.
This change validates the migration_ssh_localaddrs parameter is an
array of IP addresses and removes and duplicate entries.
Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #1688308
|
|
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
|