path: root/manifests/profile/pacemaker
Age | Commit message | Author | Files | Lines
2017-11-10 | Fix bind mounts for cinder-{backup,volume} | Martin André | 2 | -8/+8
The container now expects to find configuration at these locations. Change-Id: Iea84a291414e515d8c72a60646188e5b37354a38 Related-Bug: #1729430 (cherry picked from commit 9df7f1c85df56fa9de54bd45f53d1c16ea23c731)
2017-11-08 | Galera: add support for encrypted SST | Damien Ciabrini | 2 | -4/+80
When internal TLS is enabled, generate a galera config that enables encryption of SST rsync traffic. The configuration relies on a new sst script wsrep_sst_rsync_tunnel, which encapsulates rsync traffic in a socat-based encrypted tunnel. Change-Id: I1d6ee8febb596b3ab9dcde3a85a028ee99b2798c Depends-On: Ia857350ac451fc1bda6659d85019962d3a9d5617 Closes-Bug: #1719885 (cherry picked from commit 9fb617eaea607bc3615edeaf4608fded55045ebd)
2017-11-06 | Add new MySQL server option to mysql_bundle | Mike Bayer | 1 | -39/+48
Add innodb_flush_log_at_trx_commit from Id5a30f1daf978e094a74db2d284febbc9ae64bb3 to the container-specific mysql_bundle.pp Note that innodb_buffer_pool_size from Iabdcb6f76510becb98cba35c95db550ffce44ff3 should already be pulled at runtime from the base mysql.pp. Closes-Bug: #1730360 Change-Id: Iba164ddcc9b24ee231fb224b03ad8e7c123d5418 (cherry picked from commit 7de6d8d9f5687cdb7e1709a7e15e98184aa615f0)
2017-10-24 | Merge "Set meta container-attribute-target=host attribute" into stable/pike | Zuul | 4 | -7/+8
2017-10-10 | ovn HA: Enable ip_nonlocal_bind sysctl flag | Numan Siddique | 2 | -0/+13
In the case of ovn HA, the ovsdb-servers running in the cluster try to open a TCP socket on the VIP. Closes-bug: #1720761 Change-Id: I6f762534350a3f96696c87ccd2d14545dccc8a0b (cherry picked from commit a6483f39f9767c40e6823c7f28526441a436560a)
2017-10-05 | Set meta container-attribute-target=host attribute | Michele Baldessari | 4 | -7/+8
This is needed because when we run bundles we actually want to store attributes on a per-node basis and not on a per-bundle basis. By activating this attribute pacemaker will pass some extra OCS_RESKEY_CRM_meta attributes that will help us in this decision. We can merge this once we have packages for pacemaker and resource-agents releases that contain the necessary fixes. Proper pacemaker and resource-agents are now in the repo [1] so we can merge it and backport it to pike. [1] https://buildlogs.centos.org/centos/7/cloud/x86_64/openstack-pike/ Closes-Bug: #1713007 Change-Id: I0dd06e953b4c81f217d0f4199b2337e4c3358086 (cherry picked from commit 6bcb011723ad7b75f18914c887dc4fa4bad4d620)
2017-09-07 | Move manila backend configuration from pacemaker to base | Jan Provaznik | 1 | -187/+0
There is no reason to keep backend configuration in pacemaker-specific manifest. This configuration is used no matter whether pacemaker is used or not. Change-Id: I63b53d230372a323db1d35a3774283ad2e29fbb1 Closes-Bug: #1714310 (cherry picked from commit 7327cc88246abe6473b7b29703af408adeccc88d)
2017-09-05 | Use TLS proxy for Redis' internal TLS | Martin André | 1 | -0/+65
This uses the tls_proxy resource in front of the Redis server when internal TLS is enabled. bp tls-via-certmonger Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147 (cherry picked from commit 2d1d7875aa6f0b68005c84189627bc0716a7693f)
2017-09-05 | Support for Dell EMC VNX Manila Driver | rajinir | 1 | -1/+22
This change adds Dell EMC VNX backend as composable service and matches the tripleo-heat-templates. Change-Id: Iab80dc636913610704e1ceb2642ce738b68bb827 Implements: blueprint support-dellemc-vnx-manila (cherry picked from commit eca5b4dfb22a9e9476cd835d2e211def4c9bd5c9)
2017-08-31 | Merge "Support for Dell EMC Unity Manila Driver" into stable/pike | Jenkins | 1 | -1/+22
2017-08-31 | Merge "Support for Dell EMC Isilon Manila Driver" into stable/pike | Jenkins | 1 | -1/+23
2017-08-30 | Support for Dell EMC Unity Manila Driver | rajinir | 1 | -1/+22
This change adds Dell EMC Unity backend as composable service and matches the tripleo-heat-templates. Change-Id: I0df1e16db89cd53e4f16cd08ccb975d8e7e9a470 Implements: blueprint dellemc-unity-manila (cherry picked from commit 2f93b4fc3aa63d99b7dcb0302e9ee48bda1f4282)
2017-08-30 | Support for Dell EMC Isilon Manila Driver | rajinir | 1 | -1/+23
This change adds Dell EMC Isilon backend as composable service and matches the tripleo-heat-templates. Change-Id: I30f6b4c4ebe0a708a5eb34cd016544f4d2b9c2bb Implements: blueprint dellemc-isilon-manila (cherry picked from commit 75ee7f12f165d4ef6e47600d8c0ec93dff3b610d)
2017-08-30 | Add /etc/ceph into pacemaker bundles | Giulio Fidente | 3 | -0/+15
We missed mounting the Ceph config files into the docker/pacemaker profiles. Change-Id: I23b6890b4cf7f1e6fe84b6be280dde82218275fc Closes-Bug: #1713421 (cherry picked from commit b18ae72c6aaad9eb98d7e4490a6572441f63b9a1)
2017-08-24 | Merge "Add OVN DBs bundle support for pacemaker HA" | Jenkins | 1 | -0/+159
2017-08-21 | Merge "Do not create fs and server side key from manila" | Jenkins | 1 | -28/+0
2017-08-19 | Merge "Support for Dell EMC VMAX Manila Driver" | Jenkins | 1 | -1/+25
2017-08-16 | Add OVN DBs bundle support for pacemaker HA | Numan Siddique | 1 | -0/+159
It uses the control-port 3125. Partial-bug: #1699085 Change-Id: I4787321e10cc35beeb5ec3f585dafb2268ea4f21
2017-08-15 | Merge "Enable TLS configuration for containerized HAProxy" | Jenkins | 1 | -18/+97
2017-08-14 | Support for Dell EMC VMAX Manila Driver | rajinir | 1 | -1/+25
This change adds Dell EMC VMAX backend as composable service and matches the tripleo-heat-templates. Change-Id: I6e3b4ed6477c7ee56aef4e9849893229ca648c85 Implements: blueprint dellemc-vmax-manila
2017-08-12 | Merge "Enable TLS configuration for containerized Galera" | Jenkins | 1 | -74/+118
2017-08-11 | Do not create fs and server side key from manila | Jan Provaznik | 1 | -28/+0
Both fs and key are handled by ceph-ansible, move fs and key creation out of manila manifest to assure that it works with and without ceph-ansible. Client-side manila key is created from ceph-mds and ceph-external templates in I6308a317ffe0af244396aba5197c85e273e69f68. Depends-On: I6308a317ffe0af244396aba5197c85e273e69f68 Partially-Implements: blueprint nfs-ganesha Change-Id: I2b5567a39ac8737e80758b705818cc1807dc8bf1
2017-08-10 | Do not include manila ceph key resource twice | Jan Provaznik | 1 | -10/+12
When mds creates manila key [1], then manila manifest needs to check first if this resource already exists otherwise puppet fails. [1] I6308a317ffe0af244396aba5197c85e273e69f68 Change-Id: I3f18bbe476c4f43fa4e162cc66c5df443122cd0c
2017-08-10 | Merge "Enable TLS configuration for containerized RabbitMQ" | Jenkins | 1 | -52/+76
2017-08-09 | Merge "Use clustercheck credentials to poll galera state in container" | Jenkins | 1 | -3/+8
2017-08-09 | Enable TLS configuration for containerized HAProxy | Damien Ciabrini | 1 | -18/+97
In non-containerized deployments, HAProxy can be configured to use TLS for proxying internal services. Fix the creation of the haproxy bundle resource to enable TLS when configured. The keys and certs files, as well as the crl file are all passed as configuration files and must be copied by Kolla at container startup. Change-Id: I4b72739446c63f0f0ac9f859314a4d6746e20255 Partial-Bug: #1709563
2017-08-09 | Enable TLS configuration for containerized RabbitMQ | Damien Ciabrini | 1 | -52/+76
In non-containerized deployments, RabbitMQ can be configured to use TLS for serving and mirroring traffic. Fix the creation of the rabbitmq bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9 Partial-Bug: #1709558
2017-08-06 | Enable TLS configuration for containerized Galera | Damien Ciabrini | 1 | -74/+118
In non-containerized deployments, Galera can be configured to use TLS for gcomm group communication when enable_internal_tls is set to true. Fix the creation of the mysql bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: If845baa7b0a437c28148c817b7f94d540ca15814 Partial-Bug: #1708135
2017-07-31 | Use clustercheck credentials to poll galera state in container | Damien Ciabrini | 1 | -3/+8
The clustercheck service currently connects to mysql as root to poll the state of the galera cluster. Update the generated config to use clustercheck credentials. Depends-On: If8e0b3f9e4f317fde5328e71115aab87a5fa655f Closes-Bug: #1707683 Change-Id: I4ee6e1f56a7880ccf456f5c08d26a267fb810361
2017-07-27 | Prevent haproxy to run iptables during docker-puppet configuration | Damien Ciabrini | 1 | -1/+9
When docker-puppet runs module tripleo::haproxy to generate haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to lack of NET_ADMIN capability. Make the generation of firewall rule configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when being run through docker-puppet. Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9 Partial-Bug: #1697921
2017-07-24 | Merge "Puppet module to deploy Manila Share bundle for HA" | Jenkins | 1 | -0/+136
2017-07-24 | Merge "Fix lint issues to upgrade to puppet-lint 2.3" | Jenkins | 3 | -6/+5
2017-07-21 | Fix lint issues to upgrade to puppet-lint 2.3 | Carlos Camacho | 3 | -6/+5
2017-07-20 15:09:38.571317 | manifests/glance/nfs_mount.pp:65:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571430 | manifests/pacemaker/haproxy_with_vip.pp:107:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571473 | manifests/pacemaker/haproxy_with_vip.pp:108:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571511 | manifests/pacemaker/haproxy_with_vip.pp:109:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571551 | manifests/pacemaker/resource_restart_flag.pp:44:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571590 | manifests/profile/base/cinder/volume/nfs.pp:72:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571625 | manifests/profile/base/docker.pp:188:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571661 | manifests/profile/base/docker.pp:210:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571699 | manifests/profile/base/logging/fluentd.pp:79:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571735 | manifests/profile/base/pacemaker.pp:107:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571773 | manifests/profile/base/swift/ringbuilder.pp:97:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571811 | manifests/profile/base/swift/ringbuilder.pp:125:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571850 | manifests/profile/base/swift/ringbuilder.pp:130:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571889 | manifests/profile/pacemaker/ceph/rbdmirror.pp:79:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571927 | manifests/profile/pacemaker/cinder/backup.pp:66:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571965 | manifests/profile/pacemaker/ovn_northd.pp:96:WARNING: arrow should be on the right operand's line
Change-Id: I9393c5e04310cf84695531df9bb16f33e7e15abb
2017-07-21 | Fix up the control-port for rabbitmq bundles | Michele Baldessari | 3 | -5/+5
Mistakenly this was set to 3121 which is the same port that pacemaker remote uses. Move this to 3122 which was the plan all along. Also fix a wrong port comment in redis and mysql at the same time. Change-Id: Iccca6a53a769570443091577c7d86f47119d9cbb
2017-07-18 | Puppet module to deploy Manila Share bundle for HA | Victoria Martinez de la Cruz | 1 | -0/+136
This module is used by tripleo-heat-templates to configure and deploy Kolla-based manila-share containers managed by pacemaker. We use short-lived containers that call pcs via puppet to create the needed pacemaker resources, properties and constraints. Based on work done in fc5bc07b3be401694681420ba453af29b95a9fcf Change-Id: I89f65e8a34a3a88029498463942016a9f5285f1c Partial-Bug: #1668922
2017-07-17 | Merge "Add option for innodb_flush_log_at_trx_commit = 2 for Galera only" | Jenkins | 1 | -35/+44
2017-07-13 | Fix typo in haproxy bundle | Michele Baldessari | 1 | -2/+2
Change I6f4d3a5abae8f1781cfe6f69ff960aad500061e3 slipped in a typo and it removed the '$' character from a puppet manifest. Which causes a deployment to fail with: INFO: running container haproxy-bundle-docker-0 for the first time ERROR: /usr/bin/docker-current: Error response from daemon: Invalid bind mount spec "deployed_ssl_cert_path:deployed_ssl_cert_path:ro": Invalid volume destination path: 'deployed_ssl_cert_path' mount path must be absolute.. See '/usr/bin/docker-current run --help'. ERROR: docker failed to launch container Change-Id: Ic602fd443d38482bf1f924531561b2174dc38293
2017-07-13 | Merge "Leverage kolla config_files to copy config into containers" | Jenkins | 6 | -43/+23
2017-07-12 | Leverage kolla config_files to copy config into containers | Martin André | 6 | -43/+23
This solves a problem with bind-mounts when the containers are holding file descriptors open. At the same time this makes the template more robust to puppet changes since new config files will be available in the containers without needing to update the templates. Closes-Bug: #1698323 Change-Id: I857c94ba5f7f064d7c58df621ec5d477654b9166 Depends-On: I78dcec741a941dc21adba33ba33a6dc6ff1d217c
2017-07-10 | Let pacemaker bind-mount needed cert for haproxy bundle | Damien Ciabrini | 1 | -5/+16
When SSL configuration is enabled, haproxy expects to load a SSL certificate file at startup. Update the bundle configuration to always bind-mount the cert file, to support both SSL and non SSL HAproxy bundle deployments. Change-Id: I6f4d3a5abae8f1781cfe6f69ff960aad500061e3
2017-07-06 | Add option for innodb_flush_log_at_trx_commit = 2 for Galera only | Mike Bayer | 1 | -35/+44
The innodb_flush_log_at_trx_commit flag changes the timing of when the log buffer is written to disk for writes. At its default of 1, transactions are written to disk and the buffer flushed on a per-transaction basis; but when set to 2, the flush of the buffer proceeds only once per second. This removes the durability guarantee for the single node. However the central concept of Galera is that durability is achieved via the cluster as a whole, in that transactions are replicated to other nodes before the commit succeeds (though not necessarily written to disk unless wsrep_causal_reads is set). In this model, data would only be lost if all nodes of the Galera cluster were killed within one second of each other. Percona's blog post at https://www.percona.com/blog/2014/11/17/typical-misconceptions-on-galera-for-mysql/ recommends that the value of 2 should be considered "safe" for a Galera cluster unless you are in fact worried that all three nodes will be powered off simultaneously. The value here is added as an option only, defaulting to the usual default of "1", flush per transaction. Change-Id: Id5a30f1daf978e094a74db2d284febbc9ae64bb3
2017-06-21 | Enable TLS for MySQL's replication traffic | Juan Antonio Osorio Robles | 1 | -6/+43
This enables the options so Galera can use TLS for the replication traffic. bp tls-via-certmonger Depends-On: I9252303b92a2805ba83f86a85770db2551a014d3 Change-Id: I2ee3bf4bbda3f65f5b03440ecbc75f14225a2428
2017-06-16 | Merge "Ensure hiera step value is an integer" | Jenkins | 17 | -17/+17
2017-06-14 | Merge "Do not create VIP for pacemaker OVN OCF resource" | Jenkins | 1 | -29/+7
2017-06-14 | Ensure hiera step value is an integer | Steve Baker | 17 | -17/+17
The step is typically set with the hieradata setting an integer value: {"step": 1} However it would be useful for the value to be a string so that substitutions are possible, for example: {"step": "%{::step}"} This change ensures the step parameter defaults to an integer by calling Integer(hiera('step')) This change was made by manually removing the undef defaults from fluentd.pp, uchiwa.pp, and sensu.pp then bulk updating with: find ./ -type f -print0 |xargs -0 sed -i "s/= hiera('step')/= Integer(hiera('step'))/" Change-Id: I8a47ca53a7dea8391103abcb8960a97036a6f5b3
2017-06-13 | Merge "Make sure the resource bundles use a location_rule" | Jenkins | 4 | -0/+16
2017-06-13 | Merge "Configure Galera cluster with FQDNs instead of shortnames" | Jenkins | 1 | -11/+13
2017-06-13 | Configure Galera cluster with FQDNs instead of shortnames | Juan Antonio Osorio Robles | 1 | -11/+13
This takes into use the cluster_host_map, which allows to give aliases to the pacemaker nodes (which are FQDNs), and allows us to configure the cluster using FQDNs. We need FQDNs in order to request certificates, since the default CA (FreeIPA) only allows certificates for FQDNs. Change-Id: I2f146afdd32aef2d11cf25a65fa8d67428f621f5
2017-06-12 | Merge "Puppet module to deploy cinder-backup bundle for HA" | Jenkins | 1 | -0/+146
2017-06-12 | Merge "Puppet module to deploy cinder-volume bundle for HA" | Jenkins | 1 | -0/+141