aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile/pacemaker
AgeCommit message (Collapse)AuthorFilesLines
2017-08-15Merge "Enable TLS configuration for containerized HAProxy"Jenkins1-18/+97
2017-08-12Merge "Enable TLS configuration for containerized Galera"Jenkins1-74/+118
2017-08-10Do not include manila ceph key resource twiceJan Provaznik1-10/+12
When mds creates manila key [1], then manila manifest needs to check first if this resource already exists otherwise puppet fails. [1] I6308a317ffe0af244396aba5197c85e273e69f68 Change-Id: I3f18bbe476c4f43fa4e162cc66c5df443122cd0c
2017-08-10Merge "Enable TLS configuration for containerized RabbitMQ"Jenkins1-52/+76
2017-08-09Merge "Use clustercheck credentials to poll galera state in container"Jenkins1-3/+8
2017-08-09Enable TLS configuration for containerized HAProxyDamien Ciabrini1-18/+97
In non-containerized deployments, HAProxy can be configured to use TLS for proxying internal services. Fix the creation of the of the haproxy bundle resource to enable TLS when configured. The keys and certs files, as well as the crl file are all passed as configuration files and must be copied by Kolla at container startup. Change-Id: I4b72739446c63f0f0ac9f859314a4d6746e20255 Partial-Bug: #1709563
2017-08-09Enable TLS configuration for containerized RabbitMQDamien Ciabrini1-52/+76
In non-containerized deployments, RabbitMQ can be configured to use TLS for serving and mirroring traffic. Fix the creation of the rabbitmq bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9 Partial-Bug: #1709558
2017-08-06Enable TLS configuration for containerized GaleraDamien Ciabrini1-74/+118
In non-containerized deployments, Galera can be configured to use TLS for gcomm group communication when enable_internal_tls is set to true. Fix the creation of the mysql bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: If845baa7b0a437c28148c817b7f94d540ca15814 Partial-Bug: #1708135
2017-07-31Use clustercheck credentials to poll galera state in containerDamien Ciabrini1-3/+8
The clustercheck service currently connects to mysql as root to poll the state of the galera cluster. Update the generated config to use clustercheck credentials. Depends-On: If8e0b3f9e4f317fde5328e71115aab87a5fa655f Closes-Bug: #1707683 Change-Id: I4ee6e1f56a7880ccf456f5c08d26a267fb810361
2017-07-27Prevent haproxy to run iptables during docker-puppet configurationDamien Ciabrini1-1/+9
When docker-puppet runs module tripleo::haproxy to generate haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to lack of NET_ADMIN capability. Make the generation of firewall rule configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when being run through docker-puppet. Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9 Partial-Bug: #1697921
2017-07-24Merge "Puppet module to deploy Manila Share bundle for HA"Jenkins1-0/+136
2017-07-24Merge "Fix lint issues to upgrade to puppet-lint 2.3"Jenkins3-6/+5
2017-07-21Fix lint issues to upgrade to puppet-lint 2.3Carlos Camacho3-6/+5
2017-07-20 15:09:38.571317 | manifests/glance/nfs_mount.pp:65:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571430 | manifests/pacemaker/haproxy_with_vip.pp:107:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571473 | manifests/pacemaker/haproxy_with_vip.pp:108:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571511 | manifests/pacemaker/haproxy_with_vip.pp:109:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571551 | manifests/pacemaker/resource_restart_flag.pp:44:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571590 | manifests/profile/base/cinder/volume/nfs.pp:72:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571625 | manifests/profile/base/docker.pp:188:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571661 | manifests/profile/base/docker.pp:210:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571699 | manifests/profile/base/logging/fluentd.pp:79:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571735 | manifests/profile/base/pacemaker.pp:107:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571773 | manifests/profile/base/swift/ringbuilder.pp:97:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571811 | manifests/profile/base/swift/ringbuilder.pp:125:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571850 | manifests/profile/base/swift/ringbuilder.pp:130:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571889 | manifests/profile/pacemaker/ceph/rbdmirror.pp:79:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571927 | manifests/profile/pacemaker/cinder/backup.pp:66:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571965 | manifests/profile/pacemaker/ovn_northd.pp:96:WARNING: arrow should be on the right operand's line Change-Id: I9393c5e04310cf84695531df9bb16f33e7e15abb
2017-07-21Fix up the control-port for rabbitmq bundlesMichele Baldessari3-5/+5
Mistakenly this was set to 3121 which is the same port that pacemaker remote uses. Move this to 3122 which was the plan all along. Also fix a wrong port comment in redis and mysql at the same time. Change-Id: Iccca6a53a769570443091577c7d86f47119d9cbb
2017-07-18Puppet module to deploy Manila Share bundle for HAVictoria Martinez de la Cruz1-0/+136
This module is used by tripleo-heat-templates to configure and deploy Kolla-based manila-share containers managed by pacemaker. We use short-lived containers that call pcs via puppet to create the needed pacemaker resources, properties and constraints. Based on work done in fc5bc07b3be401694681420ba453af29b95a9fcf Change-Id: I89f65e8a34a3a88029498463942016a9f5285f1c Partial-Bug: #1668922
2017-07-17Merge "Add option for innodb_flush_log_at_trx_commit = 2 for Galera only"Jenkins1-35/+44
2017-07-13Fix typo in haproxy bundleMichele Baldessari1-2/+2
Change I6f4d3a5abae8f1781cfe6f69ff960aad500061e3 slipped in a typo and it removed the '$' character from a puppet manifest. Which causes a deployment to fail with: INFO: running container haproxy-bundle-docker-0 for the first time ERROR: /usr/bin/docker-current: Error response from daemon: Invalid bind mount spec "deployed_ssl_cert_path:deployed_ssl_cert_path:ro": Invalid volume destination path: 'deployed_ssl_cert_path' mount path must be absolute.. See '/usr/bin/docker-current run --help'. ERROR: docker failed to launch container Change-Id: Ic602fd443d38482bf1f924531561b2174dc38293
2017-07-13Merge "Leverage kolla config_files to copy config into containers"Jenkins6-43/+23
2017-07-12Leverage kolla config_files to copy config into containersMartin André6-43/+23
This solves a problem with bind-mounts when the containers are holding files descriptors open. At the same time this makes the template more robust to puppet changes since new config files will be available in the containers without needing to update the templates. Closes-Bug: #1698323 Change-Id: I857c94ba5f7f064d7c58df621ec5d477654b9166 Depends-On: I78dcec741a941dc21adba33ba33a6dc6ff1d217c
2017-07-10Let pacemaker bind-mount needed cert for haproxy bundleDamien Ciabrini1-5/+16
When SSL configuration is enabled, haproxy expects to load a SSL certificate file at startup. Update the bundle configuration to always bind-mount the cert file, to support both SSL and non SSL HAproxy bundle deployments. Change-Id: I6f4d3a5abae8f1781cfe6f69ff960aad500061e3
2017-07-06Add option for innodb_flush_log_at_trx_commit = 2 for Galera onlyMike Bayer1-35/+44
The innodb_flush_log_at_trx_commit flag changes the timing of when the log buffer is written to disk for writes. At its default of 1, transactions are written to disk and the buffer flushed on a per-transaction basis; but when set to 2, the flush of the buffer proceeds only once per second. This removes the durability guarantee for the single node. However the central concept of Galera is that durability is achieved via the cluster as a whole, in that transactions are replicated to other nodes before the commit succeeds (though not necessarily written to disk unless wsrep_causal_reads is set). In this model, data would only be lost of all nodes of the Galera cluster were killed within one second of each other. Percona's blog post at https://www.percona.com/blog/2014/11/17/typical-misconceptions-on-galera-for-mysql/ recommends that the value of 2 should be considered "safe" for a Galera cluster unless you are in fact worried that all three nodes will be powered off simultaneously. The value here is added as an option only, defaulting to the usual default of "1", flush per transaction. Change-Id: Id5a30f1daf978e094a74db2d284febbc9ae64bb3
2017-06-21Enable TLS for MySQL's replication trafficJuan Antonio Osorio Robles1-6/+43
This enables the options so Galera can use TLS for the replication traffic. bp tls-via-certmonger Depends-On: I9252303b92a2805ba83f86a85770db2551a014d3 Change-Id: I2ee3bf4bbda3f65f5b03440ecbc75f14225a2428
2017-06-16Merge "Ensure hiera step value is an integer"Jenkins17-17/+17
2017-06-14Merge "Do not create VIP for pacemaker OVN OCF resource"Jenkins1-29/+7
2017-06-14Ensure hiera step value is an integerSteve Baker17-17/+17
The step is typically set with the hieradata setting an integer value: {"step": 1} However it would be useful for the value to be a string so that substitutions are possible, for example: {"step": "%{::step}"} This change ensures the step parameter defaults to an integer by calling Integer(hiera('step')) This change was made by manually removing the undef defaults from fluentd.pp, uchiwa.pp, and sensu.pp then bulk updating with: find ./ -type f -print0 |xargs -0 sed -i "s/= hiera('step')/= Integer(hiera('step'))/" Change-Id: I8a47ca53a7dea8391103abcb8960a97036a6f5b3
2017-06-13Merge "Make sure the resource bundles use a location_rule"Jenkins4-0/+16
2017-06-13Merge "Configure Galera cluster with FQDNs instead of shortnames"Jenkins1-11/+13
2017-06-13Configure Galera cluster with FQDNs instead of shortnamesJuan Antonio Osorio Robles1-11/+13
This takes into use the cluster_host_map, which allows to give aliases to the pacemaker nodes (which are FQDNs), and allows us to configure the cluster using FQDNs. We need FQDNs in order to request certificates, since the default CA (FreeIPA) only allows certificates for FQDNs. Change-Id: I2f146afdd32aef2d11cf25a65fa8d67428f621f5
2017-06-12Merge "Puppet module to deploy cinder-backup bundle for HA"Jenkins1-0/+146
2017-06-12Merge "Puppet module to deploy cinder-volume bundle for HA"Jenkins1-0/+141
2017-06-11Merge "Install rsync package for galera"Jenkins1-0/+9
2017-06-11Do not create VIP for pacemaker OVN OCF resourceNuman Siddique1-29/+7
The commit with change id [1], added the pacemaker HA support for OVN DB servers. That commit created a new VIP which is really not required. This patch removes the code to create a new ip resource. Instead it expects the pacemaker ip resource (with the ip address in the 'ovn_dbs_vip' parameter and with the name "ip-$ovn_dbs_vip") to be created before ovn_northd class is called, which is the case anyway if 'ovn_dbs_vip' is taken from the ServiceNetMapDefaults (in t-h-t). [1] - I9dc366002ef5919339961e5deebbf8aa815c73db Change-Id: I94d3960e6c5406e3af309cc8c787ac0a6c9b1756 Partial-bug: #1670564
2017-06-09Make sure the resource bundles use a location_ruleMichele Baldessari4-0/+16
In composable HA we bind resources to nodes that have special node properties. We need to do this also for bundle resources otherwise there is a potential race where the bundle might be started on nodes where it is not supposed to during a small window of time. Tested with the depends-on and correctly obtained a containerized composable HA deployment: Docker container set: rabbitmq-bundle [192.168.24.1:8787/tripleoupstream/centos-binary-rabbitmq:latest] rabbitmq-bundle-0 (ocf::heartbeat:rabbitmq-cluster): Started overcloud-rabbit-0 rabbitmq-bundle-1 (ocf::heartbeat:rabbitmq-cluster): Started overcloud-rabbit-1 rabbitmq-bundle-2 (ocf::heartbeat:rabbitmq-cluster): Started overcloud-rabbit-2 Docker container set: galera-bundle [192.168.24.1:8787/tripleoupstream/centos-binary-mariadb:latest] galera-bundle-0 (ocf::heartbeat:galera): Master overcloud-galera-0 galera-bundle-1 (ocf::heartbeat:galera): Master overcloud-galera-1 galera-bundle-2 (ocf::heartbeat:galera): Master overcloud-galera-2 Docker container set: redis-bundle [192.168.24.1:8787/tripleoupstream/centos-binary-redis:latest] redis-bundle-0 (ocf::heartbeat:redis): Master overcloud-controller-0 redis-bundle-1 (ocf::heartbeat:redis): Slave overcloud-controller-1 redis-bundle-2 (ocf::heartbeat:redis): Slave overcloud-controller-2 ip-192.168.24.11 (ocf::heartbeat:IPaddr2): Started overcloud-controller-0 ip-10.0.0.7 (ocf::heartbeat:IPaddr2): Started overcloud-controller-1 ip-172.16.2.11 (ocf::heartbeat:IPaddr2): Started overcloud-controller-2 ip-172.16.2.9 (ocf::heartbeat:IPaddr2): Started overcloud-controller-0 ip-172.16.1.6 (ocf::heartbeat:IPaddr2): Started overcloud-controller-1 ip-172.16.3.7 (ocf::heartbeat:IPaddr2): Started overcloud-controller-2 Docker container set: haproxy-bundle [192.168.24.1:8787/tripleoupstream/centos-binary-haproxy:latest] haproxy-bundle-docker-0 (ocf::heartbeat:docker): Started overcloud-controller-0 haproxy-bundle-docker-1 (ocf::heartbeat:docker): Started overcloud-controller-1 haproxy-bundle-docker-2 (ocf::heartbeat:docker): Started overcloud-controller-2 Depends-On: I44449861cbfe56304b8829c9ca10fd648353b3ae Change-Id: I48fb490040497ba08cae19937159c0efdf99e3f8
2017-06-08Puppet module to deploy cinder-volume bundle for HADamien Ciabrini1-0/+141
This module is used by tripleo-heat-templates to configure and deploy Kolla-based cinder-volume containers managed by pacemaker. We use short-lived containers that call pcs via puppet to create the needed pacemaker resources, properties and constraints. Co-Authored-By: Michele Baldesari <michele@acksyn.org> Partial-Bug: #1668920 Change-Id: I95ad4dd89b47396bea672813d87de35e64c04b2d
2017-06-08Puppet module to deploy cinder-backup bundle for HADamien Ciabrini1-0/+146
This module is used by tripleo-heat-templates to configure and deploy Kolla-based cinder-backup containers managed by pacemaker. We use short-lived containers that call pcs via puppet to create the needed pacemaker resources, properties and constraints. Co-Authored-By: Michele Baldesari <michele@acksyn.org> Partial-Bug: #1668920 Change-Id: If53495ff75d4832cc6be80dc0dc9bd540ab6583b
2017-06-05Merge "Pacemaker support for OVN DB servers"Jenkins1-0/+121
2017-06-03Merge "Clustercheck, monitor service for galera containers"Jenkins1-0/+65
2017-06-03Merge "Puppet module to deploy MySQL bundle for HA"Jenkins1-0/+302
2017-06-03Merge "Puppet module to deploy RabbitMQ bundle for HA"Jenkins1-0/+194
2017-06-02Merge "Puppet module to deploy Redis bundle for HA"Jenkins1-0/+178
2017-06-02Puppet module to deploy MySQL bundle for HADamien Ciabrini1-0/+302
This module is used by tripleo-heat-templates to configure and deploy Kolla-based mysql containers managed by pacemaker. We use short-lived containers that call pcs via puppet to create the needed pacemaker resources, properties and constraints. Co-Authored-By: Michele Baldesari <michele@acksyn.org> Partial-Bug: #1692842 Depends-On: I44fbd7f89ab22b72e8d3fc0a0e3fe54a9418a60f Depends-On: Ie9b7e7d2a3cec4b121915a17c1e809e4ec950e7f Change-Id: I3b4d8ad2eec70080419882d5d822f78ebd3721ae
2017-06-02Merge "Puppet module to deploy HAProxy bundle for HA"Jenkins1-0/+196
2017-06-01Install rsync package for galeraJames Slagle1-0/+9
Since galera is configured to use rsync, we ought to make sure the package is installed. Particularly when using deployed-server, the package is not always installed by default depending on what was used to install the servers. Change-Id: I92ee78f2dd2c0f7fd4d393b104166407d7c654e2 Closes-Bug: #1693003
2017-06-01Pacemaker support for OVN DB serversBabu Shanmugam1-0/+121
This patch enables OVN DB servers to be started in master/slave mode in the pacemaker cluster. A virtual IP resource is created first and then the pacemaker OVN OCF resource - "ovn:ovndb-servers" is created. The OVN OCF resource is configured to be colocated with the vip resource. The ovn-controller and Neutron OVN ML2 mechanism driver which depends on OVN DB servers will always connect to the vip address on which the master OVN DB servers listen on. The OVN OCF resource itself takes care of (re)starting ovn-northd service on the master node and we don't have to manage it. When HA is enabled for OVN DB servers, haproxy does not configure the OVN DB servers in its configuration. This patch requires OVS 2.7 in the overcloud. Co-authored:by: Numan Siddique <nusiddiq@redhat.com> Change-Id: I9dc366002ef5919339961e5deebbf8aa815c73db Partial-bug: #1670564
2017-05-30Puppet module to deploy RabbitMQ bundle for HADamien Ciabrini1-0/+194
This module is used by tripleo-heat-templates to configure and deploy Kolla-based RabbitMQ containers managed by pacemaker. We use short-lived containers that call pcs via puppet to create the needed pacemaker resources, properties and constraints. Co-Authored-By: Michele Baldessari <michele@acksyn.org> Co-Authored-By: John Eckersberg <jeckersb@redhat.com> Partial-Bug: #1692909 Change-Id: I0722e4a4d4716f477e8304cfa1aadd3eef7c2f31 Depends-On: I44fbd7f89ab22b72e8d3fc0a0e3fe54a9418a60f Depends-On: Ie9b7e7d2a3cec4b121915a17c1e809e4ec950e7f
2017-05-25Puppet module to deploy HAProxy bundle for HADamien Ciabrini1-0/+196
This module is used by tripleo-heat-templates to configure and deploy Kolla-based haproxy containers managed by pacemaker. We use short-lived containers that call pcs via puppet to create the needed pacemaker resources, properties and constraints. Co-Authored-By: Michele Baldesari <michele@acksyn.org> Partial-Bug: #1692908 Depends-On: I44fbd7f89ab22b72e8d3fc0a0e3fe54a9418a60f Depends-On: Ie9b7e7d2a3cec4b121915a17c1e809e4ec950e7f Change-Id: Ifcf890a88ef003d3ab754cb677cbf34ba8db9312
2017-05-25Puppet module to deploy Redis bundle for HADamien1-0/+178
This module is used by tripleo-heat-templates to configure and deploy Kolla-based Redis containers managed by pacemaker. We use short-lived containers that call pcs via puppet to create the needed pacemaker resources, properties and constraints. Co-Authored-By: Michele Baldesari <michele@acksyn.org> Partial-Bug: #1692924 Depends-On: I44fbd7f89ab22b72e8d3fc0a0e3fe54a9418a60f Depends-On: Ie9b7e7d2a3cec4b121915a17c1e809e4ec950e7f Change-Id: Ia1131611d15670190b7b6654f72e6290bf7f8b9e
2017-05-23Clustercheck, monitor service for galera containersDamien Ciabrini1-0/+65
In HA overcloud deployments, HAProxy makes use of a helper service called "clustercheck", to check whether galera nodes are available for serving traffic. This change implements a dedicated profile for clustercheck, which was originally part of the pacemaker mysql profile. The profile generates the necessary configuration files for clustercheck and let heat templates manage the associated container's lifecycle. Co-Authored-By: Michele Baldessari <michele@acksyn.org> Partial-Bug: #1692969 Change-Id: I1aabe34fa6a9c8c705a4405f275b66502c313cf2
2017-05-16Composable Role for Neutron LBaaSRyan Hefner1-0/+44
Add composable service interface for Neutron LBaaSv2 service. Change-Id: Ieeb21fafd340fdfbaddbe7633946fe0f05c640c9
2017-05-05Remove limits for redis in /etc/security/limits.dMichele Baldessari1-15/+16
Now that puppet-redis supports ulimit for cluster managed redis (via https://github.com/arioch/puppet-redis/pull/192), we need to remove the file snippet as otherwise we will get a duplicate resource error. We will need to create a THT change that at the very least sets the redis::managed_by_cluster_manager key to true so that /etc/security/limits.d/redis.conf gets created. We also add code to not break backwards compatibility with the old hiera key. Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d Partial-Bug: #1688464