-rwxr-xr-x | extraconfig/tasks/pacemaker_common_functions.sh | 49 | ||||
-rwxr-xr-x | extraconfig/tasks/yum_update.sh | 30 | ||||
-rw-r--r-- | puppet/major_upgrade_steps.j2.yaml | 78 | ||||
-rw-r--r-- | puppet/services/ceilometer-collector.yaml | 13 | ||||
-rw-r--r-- | puppet/services/ec2-api.yaml | 15 | ||||
-rw-r--r-- | puppet/services/gnocchi-base.yaml | 5 | ||||
-rw-r--r-- | puppet/services/haproxy.yaml | 6 | ||||
-rw-r--r-- | puppet/services/nova-libvirt.yaml | 25 | ||||
-rw-r--r-- | puppet/services/snmp.yaml | 5 | ||||
-rw-r--r-- | releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml | 6 | ||||
-rw-r--r-- | releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml | 3 | ||||
-rw-r--r-- | releasenotes/notes/snmp_listen-2364188f73d43b14.yaml | 7 |
12 files changed, 203 insertions, 39 deletions
diff --git a/extraconfig/tasks/pacemaker_common_functions.sh b/extraconfig/tasks/pacemaker_common_functions.sh
index 4480f74d..f17a073a 100755
--- a/extraconfig/tasks/pacemaker_common_functions.sh
+++ b/extraconfig/tasks/pacemaker_common_functions.sh
@@ -322,3 +322,52 @@ function special_case_ovs_upgrade_if_needed {
 }
+# This code is meant to fix https://bugs.launchpad.net/tripleo/+bug/1686357 on
+# existing setups via a minor update workflow and be idempotent. We need to
+# run this before the yum update because we fix this up even when there are no
+# packages to update on the system (in which case the script exits).
+# This code must be called with set +eu (due to the ocf scripts being sourced)
+function fixup_wrong_ipv6_vip {
+ # This XPath query identifies of all the VIPs in pacemaker with netmask /64. Those are IPv6 only resources that have the wrong netmask
+ # This gives the address of the resource in the CIB, one address per line. For example:
+ # /cib/configuration/resources/primitive[@id='ip-2001.db8.ca2.4..10']/instance_attributes[@id='ip-2001.db8.ca2.4..10-instance_attributes']\
+ # /nvpair[@id='ip-2001.db8.ca2.4..10-instance_attributes-cidr_netmask']
+ vip_xpath_query="//resources/primitive[@type='IPaddr2']/instance_attributes/nvpair[@name='cidr_netmask' and @value='64']"
+ vip_xpath_xml_addresses=$(cibadmin --query --xpath "$vip_xpath_query" -e 2>/dev/null)
+ # The following extracts the @id value of the resource
+ vip_resources_to_fix=$(echo -e "$vip_xpath_xml_addresses" | sed -n "s/.*primitive\[@id='\([^']*\)'.*/\1/p")
+ # Runnning this in a subshell so that sourcing files cannot possibly affect the running script
+ (
+ OCF_PATH="/usr/lib/ocf/lib/heartbeat"
+ if [ -n "$vip_resources_to_fix" -a -f $OCF_PATH/ocf-shellfuncs -a -f $OCF_PATH/findif.sh ]; then
+ source $OCF_PATH/ocf-shellfuncs
+ source $OCF_PATH/findif.sh
+ for resource in $vip_resources_to_fix; do
+ echo "Updating IPv6 VIP $resource with a /128 and a correct addrlabel"
+ # The following will give us something like:
+ # <nvpair id="ip-2001.db8.ca2.4..10-instance_attributes-ip" name="ip" value="2001:db8:ca2:4::10"/>
+ ip_cib_nvpair=$(cibadmin --query --xpath "//resources/primitive[@type='IPaddr2' and @id='$resource']/instance_attributes/nvpair[@name='ip']")
+ # Let's filter out the value of the nvpair to get the ip address
+ ip_address=$(echo $ip_cib_nvpair | xmllint --xpath 'string(//nvpair/@value)' -)
+ OCF_RESKEY_cidr_netmask="64"
+ OCF_RESKEY_ip="$ip_address"
+ # Unfortunately due to https://bugzilla.redhat.com/show_bug.cgi?id=1445628
+ # we need to find out the appropiate nic given the ip address.
+ nic=$(findif $ip_address | awk '{ print $1 }')
+ ret=$?
+ if [ -z "$nic" -o $ret -ne 0 ]; then
+ echo "NIC autodetection failed for VIP $ip_address, not updating VIPs"
+ # Only exits the subshell
+ exit 1
+ fi
+ ocf_run -info pcs resource update --wait "$resource" ip="$ip_address" cidr_netmask=128 nic="$nic" lvs_ipv6_addrlabel=true lvs_ipv6_addrlabel_value=99
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "pcs resource update for VIP $resource failed, not updating VIPs"
+ # Only exits the subshell
+ exit 1
+ fi
+ done
+ fi
+ )
+}
diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh
index 018c9b74..83d6d8d6 100755
--- a/extraconfig/tasks/yum_update.sh
+++ b/extraconfig/tasks/yum_update.sh
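Review bot: `ret=$?` after `nic=$(findif $ip_address | awk '{ print $1 }')` records awk's exit status, not findif's, so a failing findif is only caught when it also happens to print nothing; capture findif's own status before filtering, e.g. `findif_out=$(findif "$ip_address")`, `ret=$?`, `nic=$(echo "$findif_out" | awk '{ print $1 }')`. Separately, `cibadmin --query ... 2>/dev/null` with its exit code ignored makes an unreachable or failing CIB indistinguishable from "no /64 VIPs", so the function returns 0 and yum_update.sh proceeds; checking cibadmin's status (it is non-zero on a real error as well as on no match) and at least logging the empty result would make that visible. The `[ -n ... -a -f ... ]` and `[ -z "$nic" -o $ret -ne 0 ]` tests use the deprecated `-a`/`-o` forms; `[[ ... && ... ]]` avoids their ambiguity. fixup_wrong_ipv6_vip is entirely within this hunk.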
@@ -38,6 +38,29 @@ if [[ -a "$timestamp_file" ]]; then
 fi
 touch "$timestamp_file"
+pacemaker_status=""
+if hiera -c /etc/puppet/hiera.yaml service_names | grep -q pacemaker; then
+ pacemaker_status=$(systemctl is-active pacemaker)
+fi
+
+# (NB: when backporting this s/pacemaker_short_bootstrap_node_name/bootstrap_nodeid)
+# This runs before the yum_update so we are guaranteed to run it even in the absence
+# of packages to update (the check for -z "$update_identifier" guarantees that this
+# is run only on overcloud stack update -i)
+if [[ "$pacemaker_status" == "active" && \
+ "$(hiera -c /etc/puppet/hiera.yaml pacemaker_short_bootstrap_node_name)" == "$(facter hostname)" ]] ; then \
+ # OCF scripts don't cope with -eu
+ echo "Verifying if we need to fix up any IPv6 VIPs"
+ set +eu
+ fixup_wrong_ipv6_vip
+ ret=$?
+ set -eu
+ if [ $ret -ne 0 ]; then
+ echo "Fixing up IPv6 VIPs failed. Stopping here. (See https://bugs.launchpad.net/tripleo/+bug/1686357 for more info)"
+ exit 1
+ fi
+fi
+
 command_arguments=${command_arguments:-}
 # yum check-update exits 100 if updates are available
@@ -55,10 +78,6 @@ elif [[ "$check_update_exit" != "100" ]]; then
 exit 0
 fi
-pacemaker_status=""
-if hiera -c /etc/puppet/hiera.yaml service_names | grep -q pacemaker; then
- pacemaker_status=$(systemctl is-active pacemaker)
-fi
 # special case https://bugs.launchpad.net/tripleo/+bug/1635205 +bug/1669714
 special_case_ovs_upgrade_if_needed
@@ -129,6 +148,7 @@ if [[ "$pacemaker_status" == "active" ]] ; then
 pcs status
 fi
-echo "Finished yum_update.sh on server $deploy_server_id at `date`"
+
+echo "Finished yum_update.sh on server $deploy_server_id at `date` with return code: $return_code"
 exit $return_code
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index 28092773..d07da568 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
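Review bot: The trailing backslash on `]] ; then \` in the new bootstrap-node gate is a line continuation that splices the next line (currently the `# OCF scripts don't cope with -eu` comment) onto the `then`; it is harmless today but misleading, and the line should end at `]] ; then`. The gate compares the hiera lookup with `facter hostname` silently, so a missing or renamed hiera key (the comment itself warns the key name differs on backports) makes every node skip the fixup with nothing in the log, indistinguishable from a genuine non-bootstrap node; an `else` branch with `echo "Skipping IPv6 VIP fixup: $(facter hostname) is not the pacemaker bootstrap node"` would separate the two cases. The `pacemaker_status` block is otherwise a straight move ahead of the check-update early exit, as the comment explains.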
@@ -32,6 +32,20 @@ parameters: type: string hidden: true +conditions: + # Conditions to disable any steps where the task list is empty + {%- for role in roles %} + {{role.name}}UpgradeBatchConfigEnabled: + not: + equals: + - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} + - [] + {{role.name}}UpgradeConfigEnabled: + not: + equals: + - {get_param: [role_data, {{role.name}}, upgrade_tasks]} + - [] + {%- endfor %} resources: @@ -89,22 +103,23 @@ resources: {%- for role in roles %} {{role.name}}UpgradeBatchConfig_Step{{step}}: type: OS::TripleO::UpgradeConfig - {%- if step > 0 %} - {%- if role in enabled_roles %} + condition: {{role.name}}UpgradeBatchConfigEnabled + {%- if step > 0 %} depends_on: - - {{role.name}}UpgradeBatch_Step{{step -1}} - {%- endif %} - {%- else %} + {%- for role_inside in enabled_roles %} + - {{role_inside.name}}UpgradeBatch_Step{{step -1}} + {%- endfor %} + {% else %} {% for role in roles if role.disable_upgrade_deployment|default(false) %} {% if deliver_script.update({'deliver': True}) %} {% endif %} {% endfor %} {% if deliver_script.deliver %} depends_on: - {% endif %} {% for dep in roles if dep.disable_upgrade_deployment|default(false) %} - {{dep.name}}DeliverUpgradeScriptDeployment {% endfor %} - {% endif %} + {% endif %} + {% endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} step: {{step}} 
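Review bot: `{{role.name}}UpgradeBatchConfig_Step{{step}}` now lists every enabled role's `UpgradeBatch_Step{{step -1}}` under `depends_on`, yet each of those targets carries its own `{{role_inside.name}}UpgradeBatchConfigEnabled` condition and is absent from the stack when that role's `upgrade_batch_tasks` is empty. As far as I recall Heat silently drops a `depends_on` entry whose target is excluded by a false condition, but the template relies on that without saying so; a comment above the loop such as `# Roles with empty upgrade_batch_tasks have no UpgradeBatch_Step resources; Heat ignores depends_on entries for condition-disabled resources.` would record the assumption, and it is worth confirming against the oldest Heat release these templates must validate on. The step loop enclosing both hunks starts before the first one.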
@@ -114,19 +129,29 @@ resources: {%- for role in enabled_roles %} {{role.name}}UpgradeBatch_Step{{step}}: type: OS::Heat::SoftwareDeploymentGroup + condition: {{role.name}}UpgradeBatchConfigEnabled {%- if step > 0 %} depends_on: {%- for role_inside in enabled_roles %} - {{role_inside.name}}UpgradeBatch_Step{{step -1}} {%- endfor %} - {%- endif %} + {% else %} + {% for role in roles if role.disable_upgrade_deployment|default(false) %} + {% if deliver_script.update({'deliver': True}) %} {% endif %} + {% endfor %} + {% if deliver_script.deliver %} + depends_on: + {% for dep in roles if dep.disable_upgrade_deployment|default(false) %} + - {{dep.name}}DeliverUpgradeScriptDeployment + {% endfor %} + {% endif %} + {% endif %} update_policy: batch_create: max_batch_size: {{role.upgrade_batch_size|default(1)}} rolling_update: max_batch_size: {{role.upgrade_batch_size|default(1)}} properties: - name: {{role.name}}UpgradeBatch_Step{{step}} servers: {get_param: [servers, {{role.name}}]} config: {get_resource: {{role.name}}UpgradeBatchConfig_Step{{step}}} input_values: 
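Review bot: The added `{% for role in roles if role.disable_upgrade_deployment|default(false) %}` sits inside the `{%- for role in enabled_roles %}` loop and reuses the outer loop variable name; Jinja restores `role` after the inner loop, so the `servers`/`config` lines below still refer to the outer role, but the shadowing hides that and is easy to break on the next edit. Renaming the inner variable, `{% for dep_role in roles if dep_role.disable_upgrade_deployment|default(false) %}`, keeps the intent obvious, and since the same `deliver_script.update({'deliver': True})` idiom is now repeated from the UpgradeBatchConfig block above, computing `deliver_script` once before the step loop would remove the duplication. The enclosing step loop starts before this hunk.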
@@ -167,16 +192,19 @@ resources: {%- for role in roles %} {{role.name}}UpgradeConfig_Step{{step}}: type: OS::TripleO::UpgradeConfig - # The UpgradeConfig resources could actually be created without - # serialization, but the event output is easier to follow if we - # do, and there should be minimal performance hit (creating the - # config is cheap compared to the time to apply the deployment). - {%- if step > 0 %} - {%- if role in enabled_roles %} + condition: {{role.name}}UpgradeConfigEnabled + # The UpgradeConfig resources could actually be created without + # serialization, but the event output is easier to follow if we + # do, and there should be minimal performance hit (creating the + # config is cheap compared to the time to apply the deployment). depends_on: - - {{role.name}}Upgrade_Step{{step -1}} - {%- endif %} - {%- endif %} + {%- for role_inside in enabled_roles %} + {%- if step > 0 %} + - {{role_inside.name}}Upgrade_Step{{step -1}} + {%- else %} + - {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}} + {%- endif %} + {%- endfor %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} step: {{step}} 
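Review bot: The comment retained above `depends_on` ("could actually be created without serialization ... the event output is easier to follow") no longer describes the dependency beneath it: `{{role.name}}UpgradeConfig_Step{{step}}` now waits on every enabled role's `Upgrade_Step{{step -1}}` deployment, or on `UpgradeBatch_Step{{batch_upgrade_steps_max -1}}` at step 0, which gates config creation behind the previous step's deployments on all roles rather than merely ordering config resources for readability. Rewording it, e.g. `# Wait for every role's previous step to finish deploying before creating this step's config, so each step sees the state left by the step before on all nodes.`, stops the next reader from dropping the dependency as cosmetic. The step loop enclosing this hunk starts before it.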
@@ -186,22 +214,16 @@ resources: {%- for role in enabled_roles %} {{role.name}}Upgrade_Step{{step}}: type: OS::Heat::SoftwareDeploymentGroup - {%- if step > 0 %} - # Make sure we wait that all roles have finished their own - # previous step before going to the next, so we can guarantee - # state for each steps. + condition: {{role.name}}UpgradeConfigEnabled depends_on: {%- for role_inside in enabled_roles %} + {%- if step > 0 %} - {{role_inside.name}}Upgrade_Step{{step -1}} - {%- endfor %} - {%- else %} - depends_on: - {%- for role_inside in enabled_roles %} + {%- else %} - {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}} + {%- endif %} {%- endfor %} - {%- endif %} properties: - name: {{role.name}}Upgrade_Step{{step}} servers: {get_param: [servers, {{role.name}}]} config: {get_resource: {{role.name}}UpgradeConfig_Step{{step}}} input_values: diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml index dfc844be..111b3e8b 100644 --- a/puppet/services/ceilometer-collector.yaml +++ b/puppet/services/ceilometer-collector.yaml @@ -51,7 +51,16 @@ parameters: type: comma_delimited_list constraints: - allowed_values: ['panko', 'gnocchi', 'database'] - + CeilometerEventTTL: + default: '86400' + description: Number of seconds that events are kept in the database for + (<= 0 means forever) + type: string + CeilometerMeteringTTL: + default: '86400' + description: Number of seconds that samples are kept in the database for + (<= 0 means forever) + type: string resources: CeilometerServiceBase: type: ./ceilometer-base.yaml 
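Review bot: `CeilometerEventTTL` and `CeilometerMeteringTTL` are declared `type: string` while their descriptions define them as a number of seconds; with no constraint a value such as `86400s` passes stack validation and only fails once ceilometer reads its config on the node. Adding `constraints: - allowed_pattern: '^-?[0-9]+$'` under each parameter keeps the string type (and therefore the hiera value unchanged) while rejecting non-integer input at validation time. The blank line removed between the `allowed_values` constraint and `resources:` is presumably unintentional.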
@@ -91,6 +100,8 @@ outputs: - '/ceilometer' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' ceilometer_backend: {get_param: CeilometerBackend} + ceilometer::event_time_to_live: {get_param: CeilometerEventTTL} + ceilometer::metering_time_to_live: {get_param: CeilometerMeteringTTL} # we include db_sync class in puppet-tripleo ceilometer::db::sync_db: false ceilometer::db::database_db_max_retries: -1 diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml index d1adefe5..98d656a5 100644 --- a/puppet/services/ec2-api.yaml +++ b/puppet/services/ec2-api.yaml @@ -30,6 +30,15 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + Ec2ApiExternalNetwork: + type: string + default: '' + description: Name of the external network, which is used to connect VPCs to + Internet and to allocate Elastic IPs + NovaDefaultFloatingPool: + default: 'public' + description: Default pool for floating IP addresses + type: string MonitoringSubscriptionEc2Api: default: 'overcloud-ec2-api' type: string @@ -52,6 +61,7 @@ parameters: conditions: nova_workers_zero: {equals : [{get_param: Ec2ApiWorkers}, 0]} + external_network_unset: {equals : [{get_param: Ec2ApiExternalNetwork}, '']} outputs: role_data: @@ -109,6 +119,11 @@ outputs: - {} - ec2api::api::ec2api_workers: {get_param: Ec2ApiWorkers} ec2api::metadata::metadata_workers: {get_param: Ec2ApiWorkers} + - + if: + - external_network_unset + - ec2api::api::external_network: {get_param: NovaDefaultFloatingPool} + - ec2api::api::external_network: {get_param: Ec2ApiExternalNetwork} step_config: | include tripleo::profile::base::nova::ec2api service_config_settings: diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index dc6daece..24f4157b 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml 
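Review bot: `Ec2ApiExternalNetwork` is documented as the external network name but not that an empty value falls back to `NovaDefaultFloatingPool`, which is exactly what the `external_network_unset` condition and the `if:` in `config_settings` implement; the description should say so: `Leave empty to use the value of NovaDefaultFloatingPool.` `NovaDefaultFloatingPool` is declared in this ec2-api template with a default of 'public'; if another service template (not visible here) declares the same parameter name, the value passed from the parent stack is presumably shared by name and the two defaults should match, so a short comment pointing at the sibling declaration would help keep them in sync.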
@@ -22,6 +22,10 @@ parameters: default: 'mysql' description: The short name of the Gnocchi indexer backend to use. type: string + MetricProcessingDelay: + default: 60 + description: Delay between processing metrics. + type: number GnocchiPassword: description: The password for the gnocchi service and db account. type: string @@ -65,6 +69,7 @@ outputs: - '/gnocchi' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' gnocchi::db::sync::extra_opts: '--skip-storage' + gnocchi::storage::metric_processing_delay: {get_param: MetricProcessingDelay} gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 3 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index c651bbe5..e32b44dd 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -37,6 +37,11 @@ parameters: MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. resources: @@ -71,6 +76,7 @@ outputs: tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile} tripleo::profile::base::haproxy::certificates_specs: map_merge: - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index 21a5e78a..c3e6f4e4 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml 
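Review bot: `InternalTLSCAFile` is declared in haproxy.yaml with the same default and description as the copy added to nova-libvirt.yaml in this same change, and `tripleo::haproxy::ca_bundle` is set from it unconditionally; if the two defaults ever diverge, a deployment that does not set the parameter explicitly ends up with haproxy and libvirt trusting different CA files for internal traffic. A comment beside the parameter, `# Keep in sync with InternalTLSCAFile in nova-libvirt.yaml; the defaults must match`, documents the coupling until the parameter moves to a shared base template. The description could also note that the file must be present on the host whenever internal TLS is enabled, since it is the bundle haproxy is handed for verifying internal peers.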
@@ -41,16 +41,23 @@ parameters: description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the relevant keys for libvirt. + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. LibvirtCACert: type: string - default: '/etc/ipa/ca.crt' + default: '' description: This specifies the CA certificate to use for TLS in libvirt. This file will be symlinked to the default CA path in libvirt, which is /etc/pki/CA/cacert.pem. Note that due to limitations GNU TLS, which is the TLS backend for libvirt, the file must - be less than 65K (so we can't use the system's CA bundle). The - current default reflects TripleO's default CA, which is - FreeIPA. It will only be used if internal TLS is enabled. + be less than 65K (so we can't use the system's CA bundle). + This parameter should be used if the default (which comes from + the InternalTLSCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. conditions: @@ -63,6 +70,11 @@ conditions: - {get_param: UseTLSTransportForLiveMigration} - true + libvirt_specific_ca_unset: + equals: + - {get_param: LibvirtCACert} + - '' + resources: NovaBase: type: ./nova-base.yaml @@ -113,7 +125,10 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} tripleo::certmonger::ca::libvirt::origin_ca_pem: - get_param: LibvirtCACert + if: + - libvirt_specific_ca_unset + - get_param: InternalTLSCAFile + - get_param: LibvirtCACert tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt' tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private' libvirt_certificates_specs: diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml index 80c29f95..072ccc1a 100644 --- a/puppet/services/snmp.yaml +++ b/puppet/services/snmp.yaml 
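Review bot: The 65K GnuTLS limit documented on `LibvirtCACert` now applies to `InternalTLSCAFile` as well, because with `LibvirtCACert` at its new empty default the `libvirt_specific_ca_unset` branch feeds `InternalTLSCAFile` into `tripleo::certmonger::ca::libvirt::origin_ca_pem`; an operator who points `InternalTLSCAFile` at a system CA bundle keeps haproxy working and breaks libvirt TLS with no validation-time hint. The `InternalTLSCAFile` description in this template should carry the caveat, e.g. append `Note that libvirt (GnuTLS) cannot load a file larger than 65K; set LibvirtCACert to override the CA for libvirt only.` The sentence "The current default reflects TripleO's default CA" left in the `LibvirtCACert` description now describes `InternalTLSCAFile`'s default rather than this parameter's `''`, and reads better moved there.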
@@ -28,6 +28,10 @@ parameters: description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true + SnmpdBindHost: + description: An array of bind host addresses on which SNMP daemon will listen. + type: comma_delimited_list + default: ['udp:161','udp6:[::1]:161'] outputs: role_data: @@ -37,6 +41,7 @@ outputs: config_settings: tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName} tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword} + snmp::agentaddress: {get_param: SnmpdBindHost} tripleo.snmp.firewall_rules: '127 snmp': dport: 161 diff --git a/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml new file mode 100644 index 00000000..8847b22b --- /dev/null +++ b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml @@ -0,0 +1,6 @@ +--- +features: + - Adds the InternalTLSCAFile parameter, which defines which CA file should be + used by the internal services to verify that the peer's certificate is + trusted. This is applicable if internal TLS is enabled. Currently, it + defaults to using the CA file for FreeIPA, which is the default CA. diff --git a/releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml b/releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml new file mode 100644 index 00000000..1fc4f105 --- /dev/null +++ b/releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml @@ -0,0 +1,3 @@ +--- +fixes: + - Expose metric_processing_delay to tweak gnocchi performance. diff --git a/releasenotes/notes/snmp_listen-2364188f73d43b14.yaml b/releasenotes/notes/snmp_listen-2364188f73d43b14.yaml new file mode 100644 index 00000000..7cff9eec --- /dev/null +++ b/releasenotes/notes/snmp_listen-2364188f73d43b14.yaml 
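Review bot: `SnmpdBindHost` lets an operator move snmpd to another port or restrict it to specific addresses, but the `tripleo.snmp.firewall_rules` entry just below still hard-codes `dport: 161` and is not derived from the new parameter, so a non-default port stays blocked while 161 stays open. Until the rule follows the parameter, the description should say so: `Note that the firewall rule opened for snmpd is fixed to port 161 regardless of this value.` The default also listens on all IPv4 interfaces (`udp:161`) but only IPv6 loopback (`udp6:[::1]:161`); the release note says this mirrors what puppet-tripleo hardcoded before, but a one-line comment on the default would make clear the asymmetry is intentional rather than an oversight.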
@@ -0,0 +1,7 @@ +--- +features: + - | + Adding a new parameter to SNMP profile, SnmpdBindHost + so users can change the binding addresses on SNMP daemon. + The parameter is an array and takes the default value that + were previously hardcoded in puppet-tripleo. |