Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
Since the service_name is now being passed from t-h-t, we can clean
it up from the profile in puppet.
Change-Id: I724af8c355c3077be64cf472cedbca80af55da01
Depends-On: I13638cd1af52537bef8540f0d5fa5f5f7decd392
|
|
In order to make the zaqar service fully composable, the mongo ips need
to be calculated without assuming that mongo and zaqar are on the same
node.
Change-Id: I0b077e85ba5fcd9fdfd33956cf33ce2403fcb088
|
|
|
|
In some cases, for instance, when updating from a non-SSL setup in
HAProxy to an SSL setup, we don't reload haproxy's configuration.
This is problematic since we need HAProxy to serve the certificates
and the new endpoints.
This forces the reload when puppet notices changes.
Change-Id: Ie1dd809e6beef33fadad48de55e488219fb7d686
Closes-Bug: #1636921
|
|
|
|
|
|
|
|
If we upgrade a cloud that was configured with external load balancer
the process will fail during convergence step because it will try to
restart haproxy which is not configured when an external load balancer
is configured.
Closes-Bug: #1636527
Change-Id: I6f6caec3e5c96e77437c1c83e625f39649a66c48
|
|
The current redis file descriptor limit is 4096 because of two reasons:
- It is run via the redis user
- It is not started via systemd which has explicit LimitNOFILE set to
10240 (which matches the default configuration of maximum 10000
clients)
Create an /etc/security/limits.d/redis.conf file in order to increase
the fd limit value With this change we correctly get the following
limits:
[root@overcloud-controller-0 ~]# pcs status |grep -A2 redis
Master/Slave Set: redis-master [redis]
Masters: [ overcloud-controller-2 ]
Slaves: [ overcloud-controller-0 overcloud-controller-1 ]
[root@overcloud-controller-0 ~]# cat /proc/`pgrep redis`/limits | grep open
Max open files 10240 10240 files
Previously this limit was set to 4096.
Change-Id: I7691581bad92ad9442cecd82cf44f5ac78ed169f
Closes-Bug: #1635334
|
|
|
|
|
|
Previously we did this with Pacemaker, but with move to NG HA
architecture we lost the ability to use NFS mounts as image storage for
Glance. This reimplements the mounting without utilizing Pacemaker. The
mount is by default also written to /etc/fstab so that it persists over
reboot, but this behavior can be disabled.
This could also go to puppet-glance eventually, but not yet -- we need
this backported to Newton because it's a TripleO regression. I don't
think puppet-glance would allow backporting this to Newton, because from
their point of view it would be a RFE rather than a regression.
Change-Id: I45ad34c36587a8d695069368cf791f1efb68256c
Related-Bug: #1635606
|
|
|
|
|
|
To be able to monitor during deployment, we need sensu clients
and fluentd collectors be deployed as soon as it is possible.
Change-Id: I952f0d6de6f6327d5c923b8f1d7a5979758dbc59
|
|
In change I35921652bd84d1d6be0727051294983d4a0dde10 we want to remove
all those duplicate tcp_listen_option entries. One consequence of that
is that we need to set rabbitmq::tcp_keepalive to true via hiera
(as opposed to forcing it via the tcp_listen_option hash).
For this to work we need to remove this forced parameter override.
Note that even if I35921652bd84d1d6be0727051294983d4a0dde10 and this
change don't merge at the exact same time it is still okay because
we do force tcp_keepalive to true via the tcp_listen_options.
Change-Id: I608477d5714a5081b3b4ab3b9fc2932bdd598301
|
|
|
|
|
|
This optionally enables TLS for aodh in the internal network.
If internal TLS is enabled, each node that is serving the aodh
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I50ef0c8fbecb19d6597a28290daa61a91f3b13fc
|
|
This optionally enables TLS for aodh in the internal network.
If internal TLS is enabled, each node that is serving the ceilometer
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496
|
|
This optionally enables TLS for keystone in the internal network.
If internal TLS is enabled, each node that is serving the keystone
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
|
|
|
|
|
|
|
|
|
|
Without this, neutron-server fails to start and communication will not
work to ODL REST.
Parital-Bug: 1633630
Change-Id: Ifd906db4e6062ac271c2147fe1149b1009d06ae2
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
|
|
This patch updates the Nova profile so that we set memcached
servers correctly for the Nova keystone auth_token middleware.
Most of the hiera settings for ::nova::keystone::authtoken are
already included in the t-h-t nova-api service.
Change-Id: I3b7ff02abbd0d5e0c38232d02b33e4c7bc411120
Closes-bug: #1633595
|
|
|
|
When deploying via ipv6, rabbitmq-ctl commands have the following
issues:
- `rabbitmq cluster_status` shows nodedown alerts
- list_queues / list_connections hang
- `rabbitmqctl node_health_check` fails with an error.
* There is no any issue while performing activity on RHOS setup(From
* horizon/cli). i.e. RHOS environment is functioning as expected.
For example:
sudo rabbitmqctl node_health_check -n rabbit@node1
Checking health of node 'rabbit@node1' ...
Heath check failed:
health check of node 'rabbit@node1' fails: nodedown
The problem is that we are missing the following in
/etc/rabbitmq/rabbitmq-env.conf:
RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp"
Fix these by setting the appropriate RABBITMQ_CTL_ERL_ARGS when
deploying ipv6.
Closes-Bug: #1633693
Change-Id: I53f4e76e687b3966fbb74fd0c2d83f05176630de
|
|
We use the rabbit_hosts configuration for most of our services but we
haven't been adding the configured port. This patch appends the IP port
used provided to the service's heat template to the IPs in the list.
Note: while we could use the value set for the rabbitmq server in
rabbitmq::port, it doesn't allow for dealing with SSL. This also is also
backwards compatible with the RabbitClientPort parameters used in the
heat templates.
Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
Closes-Bug: #1633580
|
|
Since moving to composable service/roles there was some logic here that
was relying on a variable to enable ODL rather than enabling the service
itself to decide where ODL was enabled. Now that ODL and ODL OVS
configuration are split into 2 different services we can make these
truly composable.
Partial-Bug: 1633625
Change-Id: Ia55c05e12d5d434111a13e1ed795da530e3ff4a5
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
Change-Id: Ie215289a7be681a2b1aa5495d3f965c005d62f52
Depends-On: Ia863b38bbac1aceabe6b7deb6939c9db693ff16d
|
|
This adds the necessary resources to the manifest to run cinder
to run over httpd. The service name will be moved to t-h-t in a
subsequent commit, but since this patch depends on t-h-t, we try to
avoid circular dependencies of repos.
Change-Id: I950257e3b5d8db071752e53557115429574e98e2
Depends-On: Ic1967a6f4f60a273965811516f33121115d518b4
|
|
The patch making nova run over httpd had added migration logic to
stop nova-api, However, this doesn't work since nova-metadata is
running over the same process. Now, the fact that is was running
seems to be just luck, since the systemctl runs, then we start the
service via the nova::api resource. So this is fragile in it's
current state.
This then removes the exec, as we don't need it for the migration.
Change-Id: I4603b81d30a704b07eef461b3cdbfe164614b04f
|
|
|
|
|
|
This needs to happen on the node running keystone, or things break
when you try to deploy e.g the heat_engine service on a non Controller
role. We check the enabled flag for heat engine so this only happens
if the heat_engine service is running on some (any) role.
Partial-Bug: #1631130
Change-Id: Ib088a572b384b479f51d56555734d78ab840a1f3
|
|
We can now get this parameter from t-h-t, so it's not needed here.
Change-Id: I014e7b3a6feb5609ace2e8ef1e4df11448b0a0cc
Depends-On: Ic229182cc5c887b57f6182c3db1bac8bed330f7c
|
|
|
|
|
|
|
|
Change-Id: I78049105adf52226d47cc6764b1ba6c2c06e91e5
Related-Bug: 1631926
|
|
|
|
remove_default_accounts is a mysql::server parameter that, set to True,
will execute some MySQL commands to cleanup MySQL defaults accounts
created by packaging.
In order to successfully run the commands, we need MySQL up and running,
which is not the case at step 1 but at step 2.
This patch make sure we run the commands at step 2 on pacemaker master
only.
No change for scenarios without Pacemaker.
Change-Id: Ifad3cb40fd958d7ea606b9cd2ba4c8ec22a8e94e
Closes-Bug: #1633113
|