diff options
31 files changed, 723 insertions, 153 deletions
diff --git a/common/README b/common/README new file mode 100644 index 00000000..6a523118 --- /dev/null +++ b/common/README @@ -0,0 +1 @@ +This will contain some common templates but it needs to be added to the RPM spec first diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index 4d9d40d4..13211676 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -208,6 +208,13 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume done rsync -a -R --delay-updates --delete-after $rsync_srcs /var/lib/config-data/${NAME} + # Also make a copy of files modified during puppet run + # This is useful for debugging + mkdir -p /var/lib/config-data/puppet-generated/${NAME} + rsync -a -R -0 --delay-updates --delete-after \ + --files-from=<(find $rsync_srcs -newer /etc/ssh/ssh_known_hosts -print0) \ + / /var/lib/config-data/puppet-generated/${NAME} + # Write a checksum of the config-data dir, this is used as a # salt to trigger container restart when the config changes tar cf - /var/lib/config-data/${NAME} | md5sum | awk '{print $1}' > /var/lib/config-data/${NAME}.md5sum diff --git a/docker/services/cinder-volume.yaml b/docker/services/cinder-volume.yaml index 4ee1996c..26eb10e7 100644 --- a/docker/services/cinder-volume.yaml +++ b/docker/services/cinder-volume.yaml @@ -130,10 +130,12 @@ outputs: with_items: - /var/log/containers/cinder - /var/lib/cinder - #FIXME: all of this should be conditional on the CinderEnableIscsiBackend value being set to true + - name: cinder_enable_iscsi_backend fact + set_fact: + cinder_enable_iscsi_backend: {get_param: CinderEnableIscsiBackend} - name: cinder create LVM volume group dd command: - list_join: + list_join: - '' - - 'dd if=/dev/zero of=/var/lib/cinder/cinder-volumes bs=1 count=0 seek=' - str_replace: @@ -143,6 +145,7 @@ outputs: - 'M' args: creates: /var/lib/cinder/cinder-volumes + when: cinder_enable_iscsi_backend - name: cinder create LVM volume group shell: | if ! losetup /dev/loop2; then @@ -157,6 +160,7 @@ outputs: args: executable: /bin/bash creates: /dev/loop2 + when: cinder_enable_iscsi_backend upgrade_tasks: - name: Stop and disable cinder_volume service tags: step2 diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml index 973d9994..d104853f 100644 --- a/docker/services/containers-common.yaml +++ b/docker/services/containers-common.yaml @@ -3,19 +3,64 @@ heat_template_version: pike description: > Contains a static list of common things necessary for containers +parameters: + + # Required parameters + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + + + EnableInternalTLS: + type: boolean + default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + outputs: volumes: description: Common volumes for the containers. value: - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - # required for bootstrap_host_exec - - /etc/puppet:/etc/puppet:ro - # OpenSSL trusted CAs - - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro - - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro - - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro - - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro - # Syslog socket - - /dev/log:/dev/log - - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro + list_concat: + - - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + # required for bootstrap_host_exec + - /etc/puppet:/etc/puppet:ro + # OpenSSL trusted CAs + - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro + - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro + - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro + - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro + # Syslog socket + - /dev/log:/dev/log + - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro + - if: + - internal_tls_enabled + - - {get_param: InternalTLSCAFile} + - null diff --git a/docker/services/ec2-api.yaml b/docker/services/ec2-api.yaml new file mode 100644 index 00000000..bc3654b0 --- /dev/null +++ b/docker/services/ec2-api.yaml @@ -0,0 +1,153 @@ +heat_template_version: pike + +description: > + OpenStack containerized EC2 API service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerEc2ApiImage: + description: image + default: 'centos-binary-ec2-api:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + Ec2ApiPuppetBase: + type: ../../puppet/services/ec2-api.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the EC2 API role. + value: + service_name: {get_attr: [Ec2ApiPuppetBase, role_data, service_name]} + config_settings: {get_attr: [Ec2ApiPuppetBase, role_data, config_settings]} + step_config: &step_config + get_attr: [Ec2ApiPuppetBase, role_data, step_config] + service_config_settings: {get_attr: [Ec2ApiPuppetBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: ec2api + puppet_tags: ec2api_api_paste_ini,ec2api_config + step_config: *step_config + config_image: &ec2_api_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerEc2ApiImage} ] + kolla_config: + /var/lib/kolla/config_files/ec2_api.json: + command: /usr/bin/ec2-api + permissions: + - path: /var/log/ec2api + owner: ec2api:ec2api + recurse: true + /var/lib/kolla/config_files/ec2_api_metadata.json: + command: /usr/bin/ec2-api-metadata + permissions: + - path: /var/log/ec2api # default log dir for metadata service as well + owner: ec2api:ec2api + recurse: true + docker_config: + # db sync runs before permissions set by kolla_config + step_2: + ec2_api_init_logs: + image: *ec2_api_image + privileged: false + user: root + volumes: + - /var/log/containers/ec2_api:/var/log/ec2api + # mount ec2_api_metadata to "ec2api-metadata" only here to fix + # permissions of both directories in one go + - /var/log/containers/ec2_api_metadata:/var/log/ec2api-metadata + command: ['/bin/bash', '-c', 'chown -R ec2api:ec2api /var/log/ec2api /var/log/ec2api-metadata'] + step_3: + ec2_api_db_sync: + image: *ec2_api_image + net: host + detach: false + privileged: false + user: root + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/ec2_api/etc/ec2api/:/etc/ec2api/:ro + - /var/log/containers/ec2_api:/var/log/ec2api + command: "/usr/bin/bootstrap_host_exec ec2_api su ec2api -s /bin/bash -c '/usr/bin/ec2-api-manage db_sync'" + step_4: + ec2_api: + image: *ec2_api_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ec2_api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ec2_api/etc/ec2api/:/etc/ec2api/:ro + - /var/log/containers/ec2_api:/var/log/ec2api + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + ec2_api_metadata: + image: *ec2_api_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ec2_api_metadata.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ec2_api/etc/ec2api/:/etc/ec2api/:ro + - /var/log/containers/ec2_api_metadata:/var/log/ec2api + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent log directories + file: + path: /var/log/containers/{{ item }} + state: directory + with_items: + - ec2_api + - ec2_api_metadata + upgrade_tasks: + - name: Stop and disable EC2-API services + tags: step2 + service: name={{ item }} state=stopped enabled=no + with_items: + - openstack-ec2-api + - openstack-ec2-api-metadata diff --git a/docker/services/pacemaker/cinder-volume.yaml b/docker/services/pacemaker/cinder-volume.yaml new file mode 100644 index 00000000..987ebaf0 --- /dev/null +++ b/docker/services/pacemaker/cinder-volume.yaml @@ -0,0 +1,170 @@ +heat_template_version: pike + +description: > + OpenStack containerized Cinder Volume service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerCinderVolumeImage: + description: image + default: 'centos-binary-cinder-volume:latest' + type: string + # we configure all cinder services in the same cinder base container + DockerCinderConfigImage: + description: image + default: 'centos-binary-cinder-api:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + # custom parameters for the Cinder volume role + CinderEnableIscsiBackend: + default: true + description: Whether to enable or not the Iscsi backend for Cinder + type: boolean + CinderLVMLoopDeviceSize: + default: 10280 + description: The size of the loopback file used by the cinder LVM driver. + type: number + +resources: + + CinderBase: + type: ../../../puppet/services/cinder-volume.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Cinder Volume role. + value: + service_name: {get_attr: [CinderBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [CinderBase, role_data, config_settings] + - tripleo::profile::pacemaker::cinder::volume_bundle::cinder_volume_docker_image: &cinder_volume_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerCinderVolumeImage} ] + cinder::volume::manage_service: false + cinder::volume::enabled: false + cinder::host: hostgroup + step_config: "" + service_config_settings: {get_attr: [CinderBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: cinder + puppet_tags: cinder_config,file,concat,file_line + step_config: {get_attr: [CinderBase, role_data, step_config]} + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerCinderConfigImage} ] + kolla_config: + /var/lib/kolla/config_files/cinder_volume.json: + command: /usr/bin/cinder-volume --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf + permissions: + - path: /var/log/cinder + owner: cinder:cinder + recurse: true + docker_config: + step_3: + cinder_volume_init_logs: + start_order: 0 + image: *cinder_volume_image + privileged: false + user: root + volumes: + - /var/log/containers/cinder:/var/log/cinder + command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder'] + step_5: + cinder_volume_init_bundle: + start_order: 0 + detach: false + net: host + user: root + command: + - '/bin/bash' + - '-c' + - str_replace: + template: + list_join: + - '; ' + - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 5}' > /etc/puppet/hieradata/docker.json" + - "FACTER_uuid=docker puppet apply --tags file_line,concat,augeas,TAGS --debug -v -e 'CONFIG'" + params: + TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::constraint::location' + CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::cinder::volume_bundle' + image: *cinder_volume_image + volumes: + - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /etc/puppet:/tmp/puppet-etc:ro + - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro + - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro + - /dev/shm:/dev/shm:rw + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/cinder + - /var/lib/cinder + #FIXME: all of this should be conditional on the CinderEnableIscsiBackend value being set to true + - name: cinder create LVM volume group dd + command: + list_join: + - '' + - - 'dd if=/dev/zero of=/var/lib/cinder/cinder-volumes bs=1 count=0 seek=' + - str_replace: + template: VALUE + params: + VALUE: {get_param: CinderLVMLoopDeviceSize} + - 'M' + args: + creates: /var/lib/cinder/cinder-volumes + - name: cinder create LVM volume group + shell: | + if ! losetup /dev/loop2; then + losetup /dev/loop2 /var/lib/cinder/cinder-volumes + fi + if ! pvdisplay | grep cinder-volumes; then + pvcreate /dev/loop2 + fi + if ! vgdisplay | grep cinder-volumes; then + vgcreate cinder-volumes /dev/loop2 + fi + args: + executable: /bin/bash + creates: /dev/loop2 + upgrade_tasks: + - name: Stop and disable cinder_volume service + tags: step2 + service: name=openstack-cinder-volume state=stopped enabled=no diff --git a/docker/services/services.yaml b/docker/services/services.yaml deleted file mode 100644 index 2ad3b63d..00000000 --- a/docker/services/services.yaml +++ /dev/null @@ -1,105 +0,0 @@ -heat_template_version: pike - -description: > - Utility stack to convert an array of services into a set of combined - role configs. - -parameters: - Services: - default: [] - description: | - List nested stack service templates. - type: comma_delimited_list - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - DefaultPasswords: - default: {} - description: Mapping of service -> default password. Used to help - pass top level passwords managed by Heat into services. - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - -resources: - - PuppetServices: - type: ../../puppet/services/services.yaml - properties: - Services: {get_param: Services} - ServiceNetMap: {get_param: ServiceNetMap} - EndpointMap: {get_param: EndpointMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - - ServiceChain: - type: OS::Heat::ResourceChain - properties: - resources: {get_param: Services} - concurrent: true - resource_properties: - ServiceNetMap: {get_param: ServiceNetMap} - EndpointMap: {get_param: EndpointMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - -outputs: - role_data: - description: Combined Role data for this set of services. - value: - service_names: - {get_attr: [PuppetServices, role_data, service_names]} - monitoring_subscriptions: - {get_attr: [PuppetServices, role_data, monitoring_subscriptions]} - logging_sources: - {get_attr: [PuppetServices, role_data, logging_sources]} - logging_groups: - {get_attr: [PuppetServices, role_data, logging_groups]} - service_config_settings: - {get_attr: [PuppetServices, role_data, service_config_settings]} - config_settings: - {get_attr: [PuppetServices, role_data, config_settings]} - global_config_settings: - {get_attr: [PuppetServices, role_data, global_config_settings]} - step_config: - {get_attr: [ServiceChain, role_data, step_config]} - puppet_config: {get_attr: [ServiceChain, role_data, puppet_config]} - kolla_config: - map_merge: {get_attr: [ServiceChain, role_data, kolla_config]} - docker_config: - {get_attr: [ServiceChain, role_data, docker_config]} - docker_puppet_tasks: - {get_attr: [ServiceChain, role_data, docker_puppet_tasks]} - host_prep_tasks: - yaql: - # Note we use distinct() here to filter any identical tasks - expression: $.data.where($ != null).select($.get('host_prep_tasks')).where($ != null).flatten().distinct() - data: {get_attr: [ServiceChain, role_data]} - upgrade_tasks: - yaql: - # Note we use distinct() here to filter any identical tasks, e.g yum update for all services - expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct() - data: {get_attr: [ServiceChain, role_data]} - upgrade_batch_tasks: - yaql: - # Note we use distinct() here to filter any identical tasks, e.g yum update for all services - expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct() - data: {get_attr: [ServiceChain, role_data]} - service_metadata_settings: - get_attr: [PuppetServices, role_data, service_metadata_settings] diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml index 2740664c..f1e3d96b 100644 --- a/environments/docker-services-tls-everywhere.yaml +++ b/environments/docker-services-tls-everywhere.yaml @@ -35,8 +35,6 @@ resource_registry: OS::TripleO::PostDeploySteps: ../docker/post.yaml OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml - OS::TripleO::Services: ../docker/services/services.yaml - parameter_defaults: # Defaults to 'tripleoupstream'. Specify a local docker registry # Example: 192.168.24.1:8787/tripleoupstream diff --git a/environments/docker.yaml b/environments/docker.yaml index 5de0c8d9..6a5ec87a 100644 --- a/environments/docker.yaml +++ b/environments/docker.yaml @@ -2,10 +2,11 @@ resource_registry: # This can be used when you don't want to run puppet on the host, # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml - OS::TripleO::Services::Docker: ../puppet/services/docker.yaml # The compute node still needs extra initialization steps OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml + OS::TripleO::Services::Docker: ../puppet/services/docker.yaml + #NOTE (dprince) add roles to be docker enabled as we support them OS::TripleO::Services::NovaLibvirt: ../docker/services/nova-libvirt.yaml OS::TripleO::Services::ComputeNeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml @@ -53,14 +54,13 @@ resource_registry: OS::TripleO::Services::Multipathd: ../docker/services/multipathd.yaml OS::TripleO::Services::CinderApi: ../docker/services/cinder-api.yaml OS::TripleO::Services::CinderScheduler: ../docker/services/cinder-scheduler.yaml - OS::TripleO::Services::CinderBackup: ../docker/services/cinder-backup.yaml - OS::TripleO::Services::CinderVolume: ../docker/services/cinder-volume.yaml + # FIXME: Had to remove these to unblock containers CI. They should be put back when fixed. + # OS::TripleO::Services::CinderBackup: ../docker/services/cinder-backup.yaml + # OS::TripleO::Services::CinderVolume: ../docker/services/cinder-volume.yaml OS::TripleO::PostDeploySteps: ../docker/post.yaml OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml - OS::TripleO::Services: ../docker/services/services.yaml - parameter_defaults: # To specify a local docker registry, enable these # where 192.168.24.1 is the host running docker-distribution diff --git a/environments/neutron-ml2-ovn-ha.yaml b/environments/neutron-ml2-ovn-ha.yaml new file mode 100644 index 00000000..c592d576 --- /dev/null +++ b/environments/neutron-ml2-ovn-ha.yaml @@ -0,0 +1,24 @@ +# A Heat environment file which can be used to enable OVN +# extensions, configured via puppet +resource_registry: + OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginML2OVN + OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-ovn.yaml + OS::TripleO::Services::OVNDBs: ../puppet/services/pacemaker/ovn-dbs.yaml +# Disabling Neutron services that overlap with OVN + OS::TripleO::Services::NeutronL3Agent: OS::Heat::None + OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None + OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None + OS::TripleO::Services::NeutronDhcpAgent: OS::Heat::None + OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None + +parameter_defaults: + NeutronMechanismDrivers: ovn + OVNVifType: ovs + OVNNeutronSyncMode: log + OVNQosDriver: ovn-qos + OVNTunnelEncapType: geneve + NeutronEnableDHCPAgent: false + NeutronTypeDrivers: 'geneve,vxlan,vlan,flat' + NeutronNetworkType: 'geneve' + NeutronServicePlugins: 'qos,ovn-router' + NeutronVniRanges: ['1:65536', ] diff --git a/environments/services-docker/ec2-api.yaml b/environments/services-docker/ec2-api.yaml new file mode 100644 index 00000000..24cbb032 --- /dev/null +++ b/environments/services-docker/ec2-api.yaml @@ -0,0 +1,2 @@ +resource_registry: + OS::TripleO::Services::Ec2Api: ../../docker/services/ec2-api.yaml diff --git a/environments/services/ironic.yaml b/environments/services/ironic.yaml index b1317382..8359f4a7 100644 --- a/environments/services/ironic.yaml +++ b/environments/services/ironic.yaml @@ -1,5 +1,4 @@ resource_registry: OS::TripleO::Services::IronicApi: ../../puppet/services/ironic-api.yaml OS::TripleO::Services::IronicConductor: ../../puppet/services/ironic-conductor.yaml - OS::TripleO::Services::IronicPxe: ../../puppet/services/ironic-pxe.yaml OS::TripleO::Services::NovaIronic: ../../puppet/services/nova-ironic.yaml diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml index 7a2716da..559d81df 100644 --- a/environments/undercloud.yaml +++ b/environments/undercloud.yaml @@ -18,3 +18,5 @@ parameter_defaults: HeatConvergenceEngine: false HeatMaxResourcesPerStack: -1 HeatMaxJsonBodySize: 2097152 + IronicInspectorInterface: br-ctlplane + IronicInspectorIpRange: '192.168.24.100,192.168.24.200' diff --git a/extraconfig/tasks/pacemaker_common_functions.sh b/extraconfig/tasks/pacemaker_common_functions.sh index f17a073a..d1dd5d1d 100755 --- a/extraconfig/tasks/pacemaker_common_functions.sh +++ b/extraconfig/tasks/pacemaker_common_functions.sh @@ -11,7 +11,7 @@ function log_debug { } function is_bootstrap_node { - if [ "$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid)" = "$(facter hostname)" ]; then + if [ "$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid | tr '[:upper:]' '[:lower:]')" = "$(facter hostname | tr '[:upper:]' '[:lower:]')" ]; then log_debug "Node is bootstrap" echo "true" fi diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh index cb9cc5b1..0c4a7928 100755 --- a/extraconfig/tasks/yum_update.sh +++ b/extraconfig/tasks/yum_update.sh @@ -49,7 +49,7 @@ fi # of packages to update (the check for -z "$update_identifier" guarantees that this # is run only on overcloud stack update -i) if [[ "$pacemaker_status" == "active" && \ - "$(hiera -c /etc/puppet/hiera.yaml pacemaker_short_bootstrap_node_name)" == "$(facter hostname)" ]] ; then \ + "$(hiera -c /etc/puppet/hiera.yaml pacemaker_short_bootstrap_node_name | tr '[:upper:]' '[:lower:]')" == "$(facter hostname | tr '[:upper:]' '[:lower:]')" ]] ; then \ # OCF scripts don't cope with -eu echo "Verifying if we need to fix up any IPv6 VIPs" set +eu diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 0dc93f5c..4aee571e 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -106,7 +106,7 @@ resource_registry: OS::TripleO::UpgradeConfig: puppet/upgrade_config.yaml # services - OS::TripleO::Services: puppet/services/services.yaml + OS::TripleO::Services: services.yaml OS::TripleO::Services::Apache: puppet/services/apache.yaml OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CephMds: OS::Heat::None @@ -237,6 +237,7 @@ resource_registry: OS::TripleO::Services::MistralExecutor: OS::Heat::None OS::TripleO::Services::IronicApi: OS::Heat::None OS::TripleO::Services::IronicConductor: OS::Heat::None + OS::TripleO::Services::IronicInspector: OS::Heat::None OS::TripleO::Services::NovaIronic: OS::Heat::None OS::TripleO::Services::TripleoPackages: puppet/services/tripleo-packages.yaml OS::TripleO::Services::TripleoFirewall: puppet/services/tripleo-firewall.yaml diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml index baafe03d..b1284452 100644 --- a/puppet/all-nodes-config.yaml +++ b/puppet/all-nodes-config.yaml @@ -12,10 +12,8 @@ parameters: type: string cloud_name_ctlplane: type: string - # FIXME(shardy) this can be comma_delimited_list when - # https://bugs.launchpad.net/heat/+bug/1617019 is fixed enabled_services: - type: string + type: comma_delimited_list controller_ips: type: comma_delimited_list logging_groups: @@ -118,7 +116,10 @@ resources: map_merge: - tripleo::profile::base::logging::fluentd::fluentd_sources: {get_param: logging_sources} - tripleo::profile::base::logging::fluentd::fluentd_groups: {get_param: logging_groups} - - enabled_services: {get_param: enabled_services} + - enabled_services: + yaql: + expression: $.data.distinct() + data: {get_param: enabled_services} # This writes out a mapping of service_name_enabled: 'true' # For any services not enabled, hiera foo_enabled will # return nil, as it's undefined @@ -129,8 +130,7 @@ resources: # https://bugs.launchpad.net/heat/+bug/1617203 SERVICE_enabled: 'true' for_each: - SERVICE: - str_split: [',', {get_param: enabled_services}] + SERVICE: {get_param: enabled_services} # Dynamically generate per-service network data # This works as follows (outer->inner functions) # yaql - filters services where no mapping exists in ServiceNetMap @@ -150,8 +150,7 @@ resources: template: SERVICE_network: SERVICE_network for_each: - SERVICE: - str_split: [',', {get_param: enabled_services}] + SERVICE: {get_param: enabled_services} - values: {get_param: ServiceNetMap} # Keystone doesn't provide separate entries for the public # and admin endpoints, so we need to add them here manually @@ -203,8 +202,7 @@ resources: template: SERVICE_vip: SERVICE_network for_each: - SERVICE: - str_split: [',', {get_param: enabled_services}] + SERVICE: {get_param: enabled_services} - values: {get_param: ServiceNetMap} - values: {get_param: NetVipMap} - keystone_admin_api_vip: diff --git a/puppet/services/ironic-inspector.yaml b/puppet/services/ironic-inspector.yaml new file mode 100644 index 00000000..e8537a29 --- /dev/null +++ b/puppet/services/ironic-inspector.yaml @@ -0,0 +1,151 @@ +heat_template_version: ocata + +description: > + OpenStack Ironic Inspector configured with Puppet (EXPERIMENTAL) + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MonitoringSubscriptionIronicInspector: + default: 'overcloud-ironic-inspector' + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + IronicInspectorInterface: + default: br-ex + description: | + Network interface on which inspection dnsmasq will listen. Should allow + access to untagged traffic from nodes booted for inspection. The default + value only makes sense if you don't modify any networking configuration. + type: string + IronicInspectorIPXEEnabled: + default: true + description: Whether to use iPXE for inspection. + type: boolean + IronicInspectorIpRange: + description: | + Temporary IP range that will be given to nodes during the inspection + process. This should not overlap with any range that Neutron's DHCP + gives away, but it has to be routeable back to ironic-inspector API. + This option has no meaningful defaults, and thus is required. + type: string + IronicInspectorUseSwift: + default: true + description: Whether to use Swift for storing introspection data. + type: boolean + IronicIPXEPort: + default: 8088 + description: Port to use for serving images when iPXE is used. + type: string + IronicPassword: + description: The password for the Ironic service and db account, used by the Ironic services + type: string + hidden: true + +conditions: + enable_ipxe: {equals : [{get_param: IronicInspectorIPXEEnabled}, true]} + use_swift: {equals : [{get_param: IronicInspectorUseSwift}, true]} + +outputs: + role_data: + description: Role data for the Ironic Inspector role. + value: + service_name: ironic_inspector + monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector} + config_settings: + map_merge: + - ironic::inspector::listen_address: {get_param: [ServiceNetMap, IronicInspectorNetwork]} + ironic::inspector::dnsmasq_local_ip: {get_param: [ServiceNetMap, IronicInspectorNetwork]} + ironic::inspector::dnsmasq_ip_range: {get_param: IronicInspectorIpRange} + ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface} + ironic::inspector::debug: {get_param: Debug} + ironic::inspector::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ironic::inspector::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::inspector::authtoken::username: 'ironic' + ironic::inspector::authtoken::password: {get_param: IronicPassword} + ironic::inspector::authtoken::project_name: 'service' + ironic::inspector::authtoken::user_domain_name: 'Default' + ironic::inspector::authtoken::project_domain_name: 'Default' + tripleo.ironic_inspector.firewall_rules: + '137 ironic-inspector': + dport: + - 5050 + ironic::inspector::ironic_username: 'ironic' + ironic::inspector::ironic_password: {get_param: IronicPassword} + ironic::inspector::ironic_tenant_name: 'service' + ironic::inspector::ironic_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::inspector::ironic_max_retries: 6 + ironic::inspector::ironic_retry_interval: 10 + ironic::inspector::ironic_user_domain_name: 'Default' + ironic::inspector::ironic_project_domain_name: 'Default' + ironic::inspector::http_port: {get_param: IronicIPXEPort} + ironic::inspector::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://ironic-inspector:' + - {get_param: IronicPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/ironic-inspector' + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + - + if: + - enable_ipxe + - ironic::inspector::pxe_transfer_protocol: 'http' + - {} + - + if: + - use_swift + - ironic::inspector::store_data: 'swift' + ironic::inspector::swift_username: 'ironic' + ironic::inspector::swift_password: {get_param: IronicPassword} + ironic::inspector::swift_tenant_name: 'service' + ironic::inspector::swift_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::inspector::swift_user_domain_name: 'Default' + ironic::inspector::swift_project_domain_name: 'Default' + - {} + step_config: | + include ::tripleo::profile::base::ironic_inspector + service_config_settings: + keystone: + ironic::keystone::auth_inspector::tenant: 'service' + ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]} + ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]} + ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]} + ironic::keystone::auth_inspector::password: {get_param: IronicPassword} + ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion} + mysql: + ironic::inspector::db::mysql::password: {get_param: IronicPassword} + ironic::inspector::db::mysql::user: ironic-inspector + ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ironic::inspector::db::mysql::dbname: ironic-inspector + ironic::inspector::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index af494016..60d194bc 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -122,6 +122,10 @@ parameters: KeystoneFernetKeys: type: json description: Mapping containing keystone's fernet keys and their paths. + KeystoneFernetMaxActiveKeys: + type: number + description: The maximum active keys in the keystone fernet key repository. + default: 5 ManageKeystoneFernetKeys: type: boolean default: true @@ -258,6 +262,7 @@ outputs: keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::token_provider: {get_param: KeystoneTokenProvider} keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]} + keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys} keystone::enable_proxy_headers_parsing: true keystone::enable_credential_setup: true keystone::credential_keys: diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 835edf0a..fe2f2946 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -210,7 +210,7 @@ outputs: register: bootstrap_node - name: set is_bootstrap_node fact tags: common - set_fact: is_bootstrap_node={{bootstrap_node.stdout == ansible_hostname}} + set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} - name: Extra migration for nova tripleo/+bug/1656791 tags: step0,pre-upgrade when: is_bootstrap_node diff --git a/puppet/services/ovn-dbs.yaml b/puppet/services/ovn-dbs.yaml index 20c38d8a..df234c77 100644 --- a/puppet/services/ovn-dbs.yaml +++ b/puppet/services/ovn-dbs.yaml @@ -44,6 +44,7 @@ outputs: ovn::northbound::port: {get_param: OVNNorthboundServerPort} ovn::southbound::port: {get_param: OVNSouthboundServerPort} ovn::northd::dbs_listen_ip: {get_param: [ServiceNetMap, OvnDbsNetwork]} + tripleo::haproxy::ovn_dbs_manage_lb: true tripleo.ovn_dbs.firewall_rules: '121 OVN DB server ports': proto: 'tcp' diff --git a/puppet/services/pacemaker/ovn-dbs.yaml b/puppet/services/pacemaker/ovn-dbs.yaml new file mode 100644 index 00000000..1cbb4763 --- /dev/null +++ b/puppet/services/pacemaker/ovn-dbs.yaml @@ -0,0 +1,61 @@ +heat_template_version: ocata + +description: > + OVN databases configured with puppet in HA mode + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OVNNorthboundServerPort: + description: Port of the OVN Northbound DB server + type: number + default: 6641 + OVNSouthboundServerPort: + description: Port of the OVN Southbound DB server + type: number + default: 6642 + +resources: + + OVNDBsBase: + type: ../ovn-dbs.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the OVN northd service + value: + service_name: ovn_dbs + config_settings: + map_merge: + - get_attr: [OVNDBsBase, role_data, config_settings] + - tripleo::haproxy::ovn_dbs_manage_lb: false + tripleo::profile::pacemaker::ovn_northd::nb_db_port: {get_param: OVNNorthboundServerPort} + tripleo::profile::pacemaker::ovn_northd::sb_db_port: {get_param: OVNSouthboundServerPort} + step_config: | + include ::tripleo::profile::pacemaker::ovn_northd diff --git a/releasenotes/notes/baremetal-role-34cb48cc30d7bdb4.yaml b/releasenotes/notes/baremetal-role-34cb48cc30d7bdb4.yaml new file mode 100644 index 00000000..51176426 --- /dev/null +++ b/releasenotes/notes/baremetal-role-34cb48cc30d7bdb4.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add an example role ``roles/IronicConductor.yaml`` for a node with only + ironic-conductor and its (i)PXE service. diff --git a/releasenotes/notes/ironic-inspector-43441782bdf0f84e.yaml b/releasenotes/notes/ironic-inspector-43441782bdf0f84e.yaml new file mode 100644 index 00000000..1fbdd1f8 --- /dev/null +++ b/releasenotes/notes/ironic-inspector-43441782bdf0f84e.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add basic support for **ironic-inspector** in the overcloud. It is highly + experimental and is not yet recommended for production use. diff --git a/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml b/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml new file mode 100644 index 00000000..4c10753a --- /dev/null +++ b/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml @@ -0,0 +1,5 @@ +--- +features: + - KeystoneFernetMaxActiveKeys was introduced as a parameter to the keystone + profile. It sets the max_active_keys value of the keystone.conf file and + will subsequently be used by mistral to purge the keys in a mistral task. diff --git a/releasenotes/notes/ovn-ha-c0139ac519680872.yaml b/releasenotes/notes/ovn-ha-c0139ac519680872.yaml new file mode 100644 index 00000000..d36f8364 --- /dev/null +++ b/releasenotes/notes/ovn-ha-c0139ac519680872.yaml @@ -0,0 +1,3 @@ +--- +features: + - Support HA for OVN db servers and ovn-northd using Pacemaker. diff --git a/roles/IronicConductor.yaml b/roles/IronicConductor.yaml new file mode 100644 index 00000000..8a29b337 --- /dev/null +++ b/roles/IronicConductor.yaml @@ -0,0 +1,21 @@ +############################################################################### +# Role: IronicConductor # +############################################################################### +- name: IronicConductor + description: | + Ironic Conductor node role + HostnameFormatDefault: '%stackname%-ironic-%index%' + ServicesDefault: + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::Collectd + - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::IronicConductor + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::TripleoPackages diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml index 50083ce4..783df91d 100644 --- a/roles_data_undercloud.yaml +++ b/roles_data_undercloud.yaml @@ -21,6 +21,7 @@ - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::IronicApi - OS::TripleO::Services::IronicConductor + - OS::TripleO::Services::IronicInspector - OS::TripleO::Services::IronicPxe - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Keystone diff --git a/puppet/services/services.yaml b/services.yaml index 0e7b6d2b..724727bb 100644 --- a/puppet/services/services.yaml +++ b/services.yaml @@ -1,3 +1,4 @@ +#FIXME move into common when specfile adds it heat_template_version: pike description: > @@ -127,3 +128,17 @@ outputs: expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct() data: {get_attr: [ServiceChain, role_data]} service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]} + + # Keys to support docker/services + puppet_config: {get_attr: [ServiceChain, role_data, puppet_config]} + kolla_config: + map_merge: {get_attr: [ServiceChain, role_data, kolla_config]} + docker_config: + {get_attr: [ServiceChain, role_data, docker_config]} + docker_puppet_tasks: + {get_attr: [ServiceChain, role_data, docker_puppet_tasks]} + host_prep_tasks: + yaql: + # Note we use distinct() here to filter any identical tasks + expression: $.data.where($ != null).select($.get('host_prep_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} diff --git a/test-requirements.txt b/test-requirements.txt index df5af85d..81136356 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -7,11 +7,11 @@ six>=1.9.0 # MIT sphinx!=1.6.1,>=1.5.1 # BSD oslosphinx>=4.7.0 # Apache-2.0 reno!=2.3.1,>=1.8.0 # Apache-2.0 -coverage>=4.0,!=4.4 # Apache-2.0 -fixtures>=3.0.0 # Apache-2.0/BSD -python-subunit>=0.0.18 # Apache-2.0/BSD -testrepository>=0.0.18 # Apache-2.0/BSD -testscenarios>=0.4 # Apache-2.0/BSD -testtools>=1.4.0 # MIT -mock>=2.0 # BSD -oslotest>=1.10.0 # Apache-2.0 +coverage!=4.4,>=4.0 # Apache-2.0 +fixtures>=3.0.0 # Apache-2.0/BSD +python-subunit>=0.0.18 # Apache-2.0/BSD +testrepository>=0.0.18 # Apache-2.0/BSD +testscenarios>=0.4 # Apache-2.0/BSD +testtools>=1.4.0 # MIT +mock>=2.0 # BSD +oslotest>=1.10.0 # Apache-2.0 diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 92d76d23..0fd4bcc3 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -219,12 +219,10 @@ def validate(filename): # qdr aliases rabbitmq service to provide alternative messaging backend if (filename.startswith('./puppet/services/') and - filename not in ['./puppet/services/services.yaml', - './puppet/services/qdr.yaml']): + filename not in ['./puppet/services/qdr.yaml']): retval = validate_service(filename, tpl) - if (filename.startswith('./docker/services/') and - filename != './docker/services/services.yaml'): + if filename.startswith('./docker/services/'): retval = validate_docker_service(filename, tpl) if filename.endswith('hyperconverged-ceph.yaml'): |