diff options
37 files changed, 507 insertions, 179 deletions
diff --git a/ci/environments/multinode-3nodes.yaml b/ci/environments/multinode-3nodes.yaml index 8307db96..56013adf 100644 --- a/ci/environments/multinode-3nodes.yaml +++ b/ci/environments/multinode-3nodes.yaml @@ -24,6 +24,7 @@ - OS::TripleO::Services::CACerts - OS::TripleO::Services::CinderApi - OS::TripleO::Services::CinderScheduler + - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi @@ -62,6 +63,7 @@ - OS::TripleO::Services::CACerts - OS::TripleO::Services::CinderBackup - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQLClient diff --git a/ci/environments/multinode-container-upgrade.yaml b/ci/environments/multinode-container-upgrade.yaml new file mode 100644 index 00000000..44a0ce73 --- /dev/null +++ b/ci/environments/multinode-container-upgrade.yaml @@ -0,0 +1,61 @@ +# NOTE: This is an environment specific for containers upgrade +# CI. Mainly we deploy non-pacemakerized overcloud, as at the time +# being containerization of services managed by pacemaker is not +# complete, so we deploy and upgrade the non-HA services for now. + +resource_registry: + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + +parameter_defaults: + ControllerServices: + - OS::TripleO::Services::CephMon + - OS::TripleO::Services::CephOSD + - OS::TripleO::Services::CinderApi + - OS::TripleO::Services::CinderScheduler + - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::Docker + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Keystone + - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::HeatApi + - OS::TripleO::Services::HeatApiCfn + - OS::TripleO::Services::HeatApiCloudwatch + - OS::TripleO::Services::HeatEngine + - OS::TripleO::Services::MySQL + - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::NeutronDhcpAgent + - OS::TripleO::Services::NeutronL3Agent + - OS::TripleO::Services::NeutronMetadataAgent + - OS::TripleO::Services::NeutronServer + - OS::TripleO::Services::NeutronCorePlugin + - OS::TripleO::Services::NeutronOvsAgent + - OS::TripleO::Services::RabbitMQ + - OS::TripleO::Services::HAproxy + - OS::TripleO::Services::Keepalived + - OS::TripleO::Services::Memcached + - OS::TripleO::Services::Pacemaker + - OS::TripleO::Services::NovaConductor + - OS::TripleO::Services::NovaApi + - OS::TripleO::Services::NovaPlacement + - OS::TripleO::Services::NovaMetadata + - OS::TripleO::Services::NovaScheduler + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::SwiftProxy + - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::SwiftRingBuilder + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::NovaCompute + - OS::TripleO::Services::NovaLibvirt + ControllerExtraConfig: + nova::compute::libvirt::services::libvirt_virt_type: qemu + nova::compute::libvirt::libvirt_virt_type: qemu + # Required for Centos 7.3 and Qemu 2.6.0 + nova::compute::libvirt::libvirt_cpu_mode: 'none' + #NOTE(gfidente): not great but we need this to deploy on ext4 + #http://docs.ceph.com/docs/jewel/rados/configuration/filesystem-recommendations/ + ceph::profile::params::osd_max_object_name_len: 256 + ceph::profile::params::osd_max_object_namespace_len: 64 + SwiftCeilometerPipelineEnabled: False + Debug: True diff --git a/ci/environments/multinode.yaml b/ci/environments/multinode.yaml index c946ec8a..d0d6ba99 100644 --- a/ci/environments/multinode.yaml +++ b/ci/environments/multinode.yaml @@ -18,6 +18,7 @@ parameter_defaults: - OS::TripleO::Services::CinderApi - OS::TripleO::Services::CinderScheduler - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi diff --git a/ci/environments/multinode_major_upgrade.yaml b/ci/environments/multinode_major_upgrade.yaml index 2251cc0c..c97080fb 100644 --- a/ci/environments/multinode_major_upgrade.yaml +++ b/ci/environments/multinode_major_upgrade.yaml @@ -14,6 +14,7 @@ resource_registry: parameter_defaults: ControllerServices: - OS::TripleO::Services::CACerts + - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml index 5dd1f0f6..0282c385 100644 --- a/ci/environments/scenario001-multinode.yaml +++ b/ci/environments/scenario001-multinode.yaml @@ -23,6 +23,7 @@ resource_registry: parameter_defaults: ControllerServices: + - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi diff --git a/ci/environments/scenario002-multinode.yaml b/ci/environments/scenario002-multinode.yaml index cbcfa9b3..38d24ee1 100644 --- a/ci/environments/scenario002-multinode.yaml +++ b/ci/environments/scenario002-multinode.yaml @@ -17,6 +17,7 @@ resource_registry: parameter_defaults: ControllerServices: + - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi diff --git a/ci/environments/scenario003-multinode.yaml b/ci/environments/scenario003-multinode.yaml index 6e926f74..5472b494 100644 --- a/ci/environments/scenario003-multinode.yaml +++ b/ci/environments/scenario003-multinode.yaml @@ -17,6 +17,7 @@ resource_registry: parameter_defaults: ControllerServices: + - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi diff --git a/ci/environments/scenario004-multinode.yaml b/ci/environments/scenario004-multinode.yaml index 7428d426..25fad4bb 100644 --- a/ci/environments/scenario004-multinode.yaml +++ b/ci/environments/scenario004-multinode.yaml @@ -31,6 +31,7 @@ parameter_defaults: - OS::TripleO::Services::CephMon - OS::TripleO::Services::CephOSD - OS::TripleO::Services::CephRgw + - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index c364d039..909a2c8a 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -61,7 +61,10 @@ def rm_container(name): stderr=subprocess.PIPE) cmd_stdout, cmd_stderr = subproc.communicate() print(cmd_stdout) - print(cmd_stderr) + if cmd_stderr and \ + cmd_stderr != 'Error response from daemon: ' \ + 'No such container: {}\n'.format(name): + print(cmd_stderr) process_count = int(os.environ.get('PROCESS_COUNT', multiprocessing.cpu_count())) @@ -202,6 +205,12 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro', '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw', '--volume', 'tripleo_logs:/var/log/tripleo/', + # OpenSSL trusted CA injection + '--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', + '--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro', + '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', + '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', + # script injection '--volume', '%s:%s:rw' % (sh_script, sh_script) ] for volume in volumes: diff --git a/docker/docker-steps.j2 b/docker/docker-steps.j2 index 301d838f..f0af8e25 100644 --- a/docker/docker-steps.j2 +++ b/docker/docker-steps.j2 @@ -1,7 +1,14 @@ # certain initialization steps (run in a container) will occur -# on the first role listed in the roles file -{% set primary_role_name = roles[0].name -%} - +# on the role marked as primary controller or the first role listed +{%- set primary_role = [roles[0]] -%} +{%- for role in roles -%} + {%- if 'primary' in role.tags and 'controller' in role.tags -%} + {%- set _ = primary_role.pop() -%} + {%- set _ = primary_role.append(role) -%} + {%- endif -%} +{%- endfor -%} +{%- set primary_role_name = primary_role[0].name -%} +# primary role is: {{primary_role_name}} heat_template_version: ocata description: > diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml index 08f4b56b..659785aa 100644 --- a/docker/services/gnocchi-api.yaml +++ b/docker/services/gnocchi-api.yaml @@ -96,3 +96,7 @@ outputs: - /etc/localtime:/etc/localtime:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable httpd service + tags: step2 + service: name=httpd state=stopped enabled=no diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml index 6b41eaa3..78494d66 100644 --- a/docker/services/gnocchi-metricd.yaml +++ b/docker/services/gnocchi-metricd.yaml @@ -71,3 +71,7 @@ outputs: - /etc/localtime:/etc/localtime:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable openstack-gnocchi-metricd service + tags: step2 + service: name=openstack-gnocchi-metricd.service state=stopped enabled=no diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml index 93b616c4..7f439846 100644 --- a/docker/services/gnocchi-statsd.yaml +++ b/docker/services/gnocchi-statsd.yaml @@ -71,3 +71,7 @@ outputs: - /etc/localtime:/etc/localtime:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable openstack-gnocchi-statsd service + tags: step2 + service: name=openstack-gnocchi-statsd.service state=stopped enabled=no diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 90ddeb9f..526a357b 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -36,6 +36,9 @@ parameters: default: 'fernet' constraints: - allowed_values: ['uuid', 'fernet'] + EnableInternalTLS: + type: boolean + default: false resources: @@ -46,6 +49,10 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + outputs: role_data: description: Role data for the Keystone API role. @@ -96,6 +103,16 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_BOOTSTRAP=True - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index eefcb367..fb286ca5 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -85,4 +85,4 @@ outputs: upgrade_tasks: - name: Stop and disable nova-compute service tags: step2 - service: name=nova-compute state=stopped enabled=no + service: name=openstack-nova-compute state=stopped enabled=no diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml index 9941abda..d6270424 100644 --- a/docker/services/nova-ironic.yaml +++ b/docker/services/nova-ironic.yaml @@ -82,4 +82,4 @@ outputs: upgrade_tasks: - name: Stop and disable nova-compute service tags: step2 - service: name=nova-compute state=stopped enabled=no + service: name=openstack-nova-compute state=stopped enabled=no diff --git a/environments/cinder-netapp-config.yaml b/environments/cinder-netapp-config.yaml index b9a84342..dfd15893 100644 --- a/environments/cinder-netapp-config.yaml +++ b/environments/cinder-netapp-config.yaml @@ -1,7 +1,7 @@ # A Heat environment file which can be used to enable a # a Cinder NetApp backend, configured via puppet resource_registry: - OS::TripleO::ControllerExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/cinder-netapp.yaml + OS::TripleO::Services::CinderBackendNetApp: ../puppet/services/cinder-backend-netapp.yaml parameter_defaults: CinderEnableNetappBackend: true diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml new file mode 100644 index 00000000..ec39951b --- /dev/null +++ b/environments/docker-services-tls-everywhere.yaml @@ -0,0 +1,28 @@ +# This environment contains the services that can work with TLS-everywhere. +resource_registry: + # This can be used when you don't want to run puppet on the host, + # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker + # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml + OS::TripleO::Services::Docker: ../puppet/services/docker.yaml + # The compute node still needs extra initialization steps + OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml + + # NOTE: add roles to be docker enabled as we support them. + OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml + + OS::TripleO::PostDeploySteps: ../docker/post.yaml + OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml + + OS::TripleO::Services: ../docker/services/services.yaml + +parameter_defaults: + # Defaults to 'tripleoupstream'. Specify a local docker registry + # Example: 192.168.24.1:8787/tripleoupstream + DockerNamespace: tripleoupstream + DockerNamespaceIsRegistry: false + + ComputeServices: + - OS::TripleO::Services::NovaCompute + - OS::TripleO::Services::NovaLibvirt + - OS::TripleO::Services::ComputeNeutronOvsAgent + - OS::TripleO::Services::Docker diff --git a/environments/swift-external.yaml b/environments/swift-external.yaml new file mode 100644 index 00000000..0bf0d39e --- /dev/null +++ b/environments/swift-external.yaml @@ -0,0 +1,12 @@ +resource_registry: + OS::TripleO::Services::ExternalSwiftProxy: ../puppet/services/external-swift-proxy.yaml + OS::TripleO::Services::SwiftProxy: OS::Heat::None + OS::TripleO::Services::SwiftStorage: OS::Heat::None + OS::TripleO::Services::SwiftRingBuilder: OS::Heat::None + +parameter_defaults: + ExternalPublicUrl: 'http://swiftproxy:9024/v1/%(tenant_id)s' + ExternalInternalUrl: 'http://swiftproxy:9024/v1/%(tenant_id)s' + ExternalAdminUrl: 'http://swiftproxy:9024/v1/%(tenant_id)s' + ExternalSwiftUserTenant: 'service' + diff --git a/extraconfig/pre_deploy/rhel-registration/rhel-registration.yaml b/extraconfig/pre_deploy/rhel-registration/rhel-registration.yaml index e8316c53..30a83550 100644 --- a/extraconfig/pre_deploy/rhel-registration/rhel-registration.yaml +++ b/extraconfig/pre_deploy/rhel-registration/rhel-registration.yaml @@ -53,6 +53,12 @@ parameters: type: string rhel_reg_http_proxy_password: type: string + UpdateOnRHELRegistration: + type: boolean + default: false + description: | + When enabled, the system will perform a yum update after performing the + RHEL Registration process. resources: @@ -134,6 +140,37 @@ resources: input_values: REG_METHOD: {get_param: rhel_reg_method} + YumUpdateConfigurationAfterRHELRegistration: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: | + #!/bin/bash + set -x + num_updates=$(yum list -q updates | wc -l) + if [ "$num_updates" -eq "0" ]; then + echo "No packages require updating" + exit 0 + fi + full_command="yum -q -y update" + echo "Running: $full_command" + result=$($full_command) + return_code=$? + echo "$result" + echo "yum return code: $return_code" + exit $return_code + + UpdateDeploymentAfterRHELRegistration: + type: OS::Heat::SoftwareDeployment + depends_on: RHELRegistrationDeployment + conditions: + update_requested: {get_param: UpdateOnRHELRegistration} + properties: + name: UpdateDeploymentAfterRHELRegistration + config: {get_resource: YumUpdateConfigurationAfterRHELRegistration} + server: {get_param: server} + actions: ['CREATE'] # Only do this on CREATE + outputs: deploy_stdout: description: Deployment reference, used to trigger puppet apply on changes diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh index ad368278..20a5b658 100755 --- a/extraconfig/tasks/yum_update.sh +++ b/extraconfig/tasks/yum_update.sh @@ -40,9 +40,17 @@ touch "$timestamp_file" command_arguments=${command_arguments:-} -list_updates=$(yum list updates) - -if [[ "$list_updates" == "" ]]; then +# yum check-update exits 100 if updates are available +set +e +check_update=$(yum check-update 2>&1) +check_update_exit=$? +set -e + +if [[ "$check_update_exit" == "1" ]]; then + echo "Failed to check for package updates" + echo "$check_update" + exit 1 +elif [[ "$check_update_exit" != "100" ]]; then echo "No packages require updating" exit 0 fi diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index c0f5f7e5..c4d4fdec 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -189,6 +189,7 @@ resource_registry: OS::TripleO::Services::NovaLibvirt: puppet/services/nova-libvirt.yaml OS::TripleO::Services::Ntp: puppet/services/time/ntp.yaml OS::TripleO::Services::SwiftProxy: puppet/services/swift-proxy.yaml + OS::TripleO::Services::ExternalSwiftProxy: OS::Heat::None OS::TripleO::Services::SwiftStorage: puppet/services/swift-storage.yaml OS::TripleO::Services::SwiftRingBuilder: puppet/services/swift-ringbuilder.yaml OS::TripleO::Services::Snmp: puppet/services/snmp.yaml @@ -239,6 +240,10 @@ resource_registry: OS::TripleO::Services::Zaqar: OS::Heat::None OS::TripleO::Services::NeutronML2FujitsuCfab: OS::Heat::None OS::TripleO::Services::NeutronML2FujitsuFossw: OS::Heat::None + OS::TripleO::Services::CinderBackendDellPs: OS::Heat::None + OS::TripleO::Services::CinderBackendDellSc: OS::Heat::None + OS::TripleO::Services::CinderBackendNetApp: OS::Heat::None + OS::TripleO::Services::CinderBackendScaleIO: OS::Heat::None OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None OS::TripleO::Services::Etcd: OS::Heat::None OS::TripleO::Services::Ec2Api: OS::Heat::None diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml index a322a445..87e67eac 100644 --- a/overcloud.j2.yaml +++ b/overcloud.j2.yaml @@ -1,4 +1,12 @@ -{% set primary_role_name = roles[0].name -%} +{%- set primary_role = [roles[0]] -%} +{%- for role in roles -%} + {%- if 'primary' in role.tags and 'controller' in role.tags -%} + {%- set _ = primary_role.pop() -%} + {%- set _ = primary_role.append(role) -%} + {%- endif -%} +{%- endfor -%} +{%- set primary_role_name = primary_role[0].name -%} +# primary role is: {{primary_role_name}} heat_template_version: ocata description: > @@ -692,3 +700,9 @@ outputs: {% for role in roles %} {{role.name}}: {get_attr: [{{role.name}}ServiceChain, role_data]} {% endfor %} + RoleNetIpMap: + description: Mapping of each network to a list of IPs for each role + value: +{% for role in roles %} + {{role.name}}: {get_attr: [{{role.name}}IpListMap, net_ip_map]} +{% endfor %} diff --git a/plan-environment.yaml b/plan-environment.yaml index f629eff3..1f9c8211 100644 --- a/plan-environment.yaml +++ b/plan-environment.yaml @@ -1,5 +1,8 @@ -version: 1.0
-
-template: overcloud.yaml
-environments:
-- path: overcloud-resource-registry-puppet.yaml
+version: 1.0 + +name: overcloud +description: > + Default Deployment plan +template: overcloud.yaml +environments: + - path: overcloud-resource-registry-puppet.yaml diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml index 2f4f583c..3d32add2 100644 --- a/puppet/controller-role.yaml +++ b/puppet/controller-role.yaml @@ -467,7 +467,6 @@ resources: - all_nodes # provided by allNodesConfig - vip_data # provided by allNodesConfig - '"%{::osfamily}"' - - cinder_netapp_data # Optionally provided by ControllerExtraConfigPre - neutron_bigswitch_data # Optionally provided by ControllerExtraConfigPre - neutron_cisco_data # Optionally provided by ControllerExtraConfigPre - cisco_n1kv_data # Optionally provided by ControllerExtraConfigPre diff --git a/puppet/extraconfig/pre_deploy/controller/cinder-netapp.yaml b/puppet/extraconfig/pre_deploy/controller/cinder-netapp.yaml deleted file mode 100644 index 378f7f98..00000000 --- a/puppet/extraconfig/pre_deploy/controller/cinder-netapp.yaml +++ /dev/null @@ -1,157 +0,0 @@ -heat_template_version: ocata - -description: Configure hieradata for Cinder Netapp configuration - -parameters: - server: - description: ID of the controller node to apply this config to - type: string - - # Config specific parameters, to be provided via parameter_defaults - CinderEnableNetappBackend: - type: boolean - default: true - CinderNetappBackendName: - type: string - default: 'tripleo_netapp' - CinderNetappLogin: - type: string - CinderNetappPassword: - type: string - hidden: true - CinderNetappServerHostname: - type: string - CinderNetappServerPort: - type: string - default: '80' - CinderNetappSizeMultiplier: - type: string - default: '1.2' - CinderNetappStorageFamily: - type: string - default: 'ontap_cluster' - CinderNetappStorageProtocol: - type: string - default: 'nfs' - CinderNetappTransportType: - type: string - default: 'http' - CinderNetappVfiler: - type: string - default: '' - CinderNetappVolumeList: - type: string - default: '' - CinderNetappVserver: - type: string - default: '' - CinderNetappPartnerBackendName: - type: string - default: '' - CinderNetappNfsShares: - type: string - default: '' - CinderNetappNfsSharesConfig: - type: string - default: '/etc/cinder/shares.conf' - CinderNetappNfsMountOptions: - type: string - default: '' - CinderNetappCopyOffloadToolPath: - type: string - default: '' - CinderNetappControllerIps: - type: string - default: '' - CinderNetappSaPassword: - type: string - default: '' - hidden: true - CinderNetappStoragePools: - type: string - default: '' - CinderNetappHostType: - type: string - default: '' - CinderNetappWebservicePath: - type: string - default: '/devmgr/v2' - # DEPRECATED options for compatibility with older versions - CinderNetappEseriesHostType: - type: string - default: 'linux_dm_mp' - -parameter_groups: -- label: deprecated - description: Do not use deprecated params, they will be removed. - parameters: - - CinderNetappEseriesHostType - -resources: - CinderNetappConfig: - type: OS::Heat::StructuredConfig - properties: - group: hiera - config: - datafiles: - cinder_netapp_data: - mapped_data: - tripleo::profile::base::cinder::volume::cinder_enable_netapp_backend: {get_input: EnableNetappBackend} - cinder::backend::netapp::title: {get_input: NetappBackendName} - cinder::backend::netapp::netapp_login: {get_input: NetappLogin} - cinder::backend::netapp::netapp_password: {get_input: NetappPassword} - cinder::backend::netapp::netapp_server_hostname: {get_input: NetappServerHostname} - cinder::backend::netapp::netapp_server_port: {get_input: NetappServerPort} - cinder::backend::netapp::netapp_size_multiplier: {get_input: NetappSizeMultiplier} - cinder::backend::netapp::netapp_storage_family: {get_input: NetappStorageFamily} - cinder::backend::netapp::netapp_storage_protocol: {get_input: NetappStorageProtocol} - cinder::backend::netapp::netapp_transport_type: {get_input: NetappTransportType} - cinder::backend::netapp::netapp_vfiler: {get_input: NetappVfiler} - cinder::backend::netapp::netapp_volume_list: {get_input: NetappVolumeList} - cinder::backend::netapp::netapp_vserver: {get_input: NetappVserver} - cinder::backend::netapp::netapp_partner_backend_name: {get_input: NetappPartnerBackendName} - cinder::backend::netapp::nfs_shares: {get_input: NetappNfsShares} - cinder::backend::netapp::nfs_shares_config: {get_input: NetappNfsSharesConfig} - cinder::backend::netapp::nfs_mount_options: {get_input: NetappNfsMountOptions} - cinder::backend::netapp::netapp_copyoffload_tool_path: {get_input: NetappCopyOffloadToolPath} - cinder::backend::netapp::netapp_controller_ips: {get_input: NetappControllerIps} - cinder::backend::netapp::netapp_sa_password: {get_input: NetappSaPassword} - cinder::backend::netapp::netapp_storage_pools: {get_input: NetappStoragePools} - cinder::backend::netapp::netapp_host_type: {get_input: NetappHostType} - cinder::backend::netapp::netapp_webservice_path: {get_input: NetappWebservicePath} - - CinderNetappDeployment: - type: OS::Heat::StructuredDeployment - properties: - name: CinderNetappDeployment - config: {get_resource: CinderNetappConfig} - server: {get_param: server} - input_values: - EnableNetappBackend: {get_param: CinderEnableNetappBackend} - NetappBackendName: {get_param: CinderNetappBackendName} - NetappLogin: {get_param: CinderNetappLogin} - NetappPassword: {get_param: CinderNetappPassword} - NetappServerHostname: {get_param: CinderNetappServerHostname} - NetappServerPort: {get_param: CinderNetappServerPort} - NetappSizeMultiplier: {get_param: CinderNetappSizeMultiplier} - NetappStorageFamily: {get_param: CinderNetappStorageFamily} - NetappStorageProtocol: {get_param: CinderNetappStorageProtocol} - NetappTransportType: {get_param: CinderNetappTransportType} - NetappVfiler: {get_param: CinderNetappVfiler} - NetappVolumeList: {get_param: CinderNetappVolumeList} - NetappVserver: {get_param: CinderNetappVserver} - NetappPartnerBackendName: {get_param: CinderNetappPartnerBackendName} - NetappNfsShares: {get_param: CinderNetappNfsShares} - NetappNfsSharesConfig: {get_param: CinderNetappNfsSharesConfig} - NetappNfsMountOptions: {get_param: CinderNetappNfsMountOptions} - NetappCopyOffloadToolPath: {get_param: CinderNetappCopyOffloadToolPath} - NetappControllerIps: {get_param: CinderNetappControllerIps} - NetappSaPassword: {get_param: CinderNetappSaPassword} - NetappStoragePools: {get_param: CinderNetappStoragePools} - NetappHostType: {get_param: CinderNetappHostType} - NetappWebservicePath: {get_param: CinderNetappWebservicePath} - -outputs: - deploy_stdout: - description: Deployment reference, used to trigger puppet apply on changes - value: {get_attr: [CinderNetappDeployment, deploy_stdout]} diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 9bd282f8..6e53b1f7 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -77,13 +77,15 @@ outputs: - "%{hiera('apache_remote_proxy_ips_network')}" - generate_service_certificates: true + tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd' + tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd' apache_certificates_specs: map_merge: repeat: template: httpd-NETWORK: - service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' - service_key: '/etc/pki/tls/private/httpd-NETWORK.key' + service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key' hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" for_each: diff --git a/puppet/services/cinder-backend-netapp.yaml b/puppet/services/cinder-backend-netapp.yaml new file mode 100644 index 00000000..29a0ce1b --- /dev/null +++ b/puppet/services/cinder-backend-netapp.yaml @@ -0,0 +1,129 @@ +heat_template_version: ocata + +description: Openstack Cinder Netapp backend + +parameters: + CinderEnableNetappBackend: + type: boolean + default: true + CinderNetappBackendName: + type: string + default: 'tripleo_netapp' + CinderNetappLogin: + type: string + CinderNetappPassword: + type: string + hidden: true + CinderNetappServerHostname: + type: string + CinderNetappServerPort: + type: string + default: '80' + CinderNetappSizeMultiplier: + type: string + default: '1.2' + CinderNetappStorageFamily: + type: string + default: 'ontap_cluster' + CinderNetappStorageProtocol: + type: string + default: 'nfs' + CinderNetappTransportType: + type: string + default: 'http' + CinderNetappVfiler: + type: string + default: '' + CinderNetappVolumeList: + type: string + default: '' + CinderNetappVserver: + type: string + default: '' + CinderNetappPartnerBackendName: + type: string + default: '' + CinderNetappNfsShares: + type: string + default: '' + CinderNetappNfsSharesConfig: + type: string + default: '/etc/cinder/shares.conf' + CinderNetappNfsMountOptions: + type: string + default: '' + CinderNetappCopyOffloadToolPath: + type: string + default: '' + CinderNetappControllerIps: + type: string + default: '' + CinderNetappSaPassword: + type: string + default: '' + hidden: true + CinderNetappStoragePools: + type: string + default: '' + CinderNetappHostType: + type: string + default: '' + CinderNetappWebservicePath: + type: string + default: '/devmgr/v2' + # DEPRECATED options for compatibility with older versions + CinderNetappEseriesHostType: + type: string + default: 'linux_dm_mp' + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +parameter_groups: +- label: deprecated + description: Do not use deprecated params, they will be removed. + parameters: + - CinderNetappEseriesHostType + +outputs: + role_data: + description: Role data for the Cinder NetApp backend. + value: + service_name: cinder_backend_netapp + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_netapp_backend: {get_param: CinderEnableNetappBackend} + cinder::backend::netapp::title: {get_param: CinderNetappBackendName} + cinder::backend::netapp::netapp_login: {get_param: CinderNetappLogin} + cinder::backend::netapp::netapp_password: {get_param: CinderNetappPassword} + cinder::backend::netapp::netapp_server_hostname: {get_param: CinderNetappServerHostname} + cinder::backend::netapp::netapp_server_port: {get_param: CinderNetappServerPort} + cinder::backend::netapp::netapp_size_multiplier: {get_param: CinderNetappSizeMultiplier} + cinder::backend::netapp::netapp_storage_family: {get_param: CinderNetappStorageFamily} + cinder::backend::netapp::netapp_storage_protocol: {get_param: CinderNetappStorageProtocol} + cinder::backend::netapp::netapp_transport_type: {get_param: CinderNetappTransportType} + cinder::backend::netapp::netapp_vfiler: {get_param: CinderNetappVfiler} + cinder::backend::netapp::netapp_volume_list: {get_param: CinderNetappVolumeList} + cinder::backend::netapp::netapp_vserver: {get_param: CinderNetappVserver} + cinder::backend::netapp::netapp_partner_backend_name: {get_param: CinderNetappPartnerBackendName} + cinder::backend::netapp::nfs_shares: {get_param: CinderNetappNfsShares} + cinder::backend::netapp::nfs_shares_config: {get_param: CinderNetappNfsSharesConfig} + cinder::backend::netapp::nfs_mount_options: {get_param: CinderNetappNfsMountOptions} + cinder::backend::netapp::netapp_copyoffload_tool_path: {get_param: CinderNetappCopyOffloadToolPath} + cinder::backend::netapp::netapp_controller_ips: {get_param: CinderNetappControllerIps} + cinder::backend::netapp::netapp_sa_password: {get_param: CinderNetappSaPassword} + cinder::backend::netapp::netapp_storage_pools: {get_param: CinderNetappStoragePools} + cinder::backend::netapp::netapp_host_type: {get_param: CinderNetappHostType} + cinder::backend::netapp::netapp_webservice_path: {get_param: CinderNetappWebservicePath} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/external-swift-proxy.yaml b/puppet/services/external-swift-proxy.yaml new file mode 100644 index 00000000..75f5b6a0 --- /dev/null +++ b/puppet/services/external-swift-proxy.yaml @@ -0,0 +1,70 @@ +heat_template_version: ocata + +description: > + External Swift Proxy endpoint configured with Puppet + +parameters: + ExternalPublicUrl: + description: Public endpoint url for the external swift proxy + type: string + ExternalInternalUrl: + description: Internal endpoint url for the external swift proxy + type: string + ExternalAdminUrl: + description: External endpoint url for the external swift proxy + type: string + ExternalSwiftUserTenant: + description: Tenant where swift user will be set as admin + type: string + default: 'service' + SwiftPassword: + description: The password for the swift service account, used by the swift proxy services. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + +outputs: + role_data: + description: Role data for External Swift proxy. + value: + service_name: external_swift_proxy + config_settings: + + step_config: + + service_config_settings: + keystone: + swift::keystone::auth::public_url: {get_param: ExternalPublicUrl} + swift::keystone::auth::internal_url: {get_param: ExternalInternalUrl} + swift::keystone::auth::admin_url: {get_param: ExternalAdminUrl} + swift::keystone::auth::public_url_s3: '' + swift::keystone::auth::internal_url_s3: '' + swift::keystone::auth::admin_url_s3: '' + swift::keystone::auth::password: {get_param: SwiftPassword} + swift::keystone::auth::region: {get_param: KeystoneRegion} + swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant} + swift::keystone::auth::configure_s3_endpoint: false + swift::keystone::auth::operator_roles: + - admin + - swiftoperator + - ResellerAdmin + diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 94b15d4b..2a335b67 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -22,6 +22,10 @@ parameters: default: 1048576 description: Configures sysctl kernel.pid_max key type: number + KernelDisableIPv6: + default: 0 + description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys + type: number outputs: role_data: @@ -57,6 +61,10 @@ outputs: value: 500000 net.netfilter.nf_conntrack_max: value: 500000 + net.ipv6.conf.default.disable_ipv6: + value: {get_param: KernelDisableIPv6} + net.ipv6.conf.all.disable_ipv6: + value: {get_param: KernelDisableIPv6} # prevent neutron bridges from autoconfiguring ipv6 addresses net.ipv6.conf.all.accept_ra: value: 0 diff --git a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml new file mode 100644 index 00000000..8b57f587 --- /dev/null +++ b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml @@ -0,0 +1,7 @@ +--- +security: + - | + Add IPv6 disable option and make it configurable for user to disable IPv6 + when it's not used, this will descrease the risk of ipv6 attack. + Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6 + will be explicitly set to the default value (0) which is enabled. diff --git a/releasenotes/notes/enable-support-for-external-swift-proxy-941917f8bcc63a5d.yaml b/releasenotes/notes/enable-support-for-external-swift-proxy-941917f8bcc63a5d.yaml new file mode 100644 index 00000000..83b05bbb --- /dev/null +++ b/releasenotes/notes/enable-support-for-external-swift-proxy-941917f8bcc63a5d.yaml @@ -0,0 +1,5 @@ +--- +features: + - Added support for external swift proxy. Users may need to + configure endpoints pointing to swift proxy service + already available. diff --git a/releasenotes/notes/role-tags-16ac2e9e8fcab218.yaml b/releasenotes/notes/role-tags-16ac2e9e8fcab218.yaml new file mode 100644 index 00000000..dadbfa4b --- /dev/null +++ b/releasenotes/notes/role-tags-16ac2e9e8fcab218.yaml @@ -0,0 +1,18 @@ +--- +features: + - | + Adds tags to roles that allow an operator to specify custom tags to use + when trying to find functionality available from a role. Currently a role + with both the 'primary' and 'controller' tag is consider to be the primary + role. Historically the role named 'Controller' was the 'primary' role and + this primary designation is used to determine items like memcache ip + addresses. If no roles have the both the 'primary' and 'controller' tags, + the first role specified in the roles_data.yaml is used as the primary + role. +upgrade: + - | + If using custom roles data, the logic was changed to leverage the first + role listed in the roles_data.yaml file to be the primary role. This can + be worked around by adding the 'primary' and 'controller' tags to the + custom controller role in your roles_data.yaml to ensure that the defined + custom controller role is still considered the primary role. diff --git a/releasenotes/notes/update-on-rhel-registration-afbef3ead983b08f.yaml b/releasenotes/notes/update-on-rhel-registration-afbef3ead983b08f.yaml new file mode 100644 index 00000000..ad1f39c4 --- /dev/null +++ b/releasenotes/notes/update-on-rhel-registration-afbef3ead983b08f.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Adds a new boolean parameter for RHEL Registration called + 'UpdateOnRHELRegistration' that when enabled will trigger a yum update + on the node after the registration process completes. diff --git a/releasenotes/notes/update-plan-environment-4e164b57a801e2cb.yaml b/releasenotes/notes/update-plan-environment-4e164b57a801e2cb.yaml new file mode 100644 index 00000000..29d32cb7 --- /dev/null +++ b/releasenotes/notes/update-plan-environment-4e164b57a801e2cb.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add name and description fields to plan-environment.yaml diff --git a/roles_data.yaml b/roles_data.yaml index 48859473..8d3b5078 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -28,9 +28,18 @@ # ServicesDefault: (list) optional default list of services to be deployed # on the role, defaults to an empty list. Sets the default for the # {{role.name}}Services parameter in overcloud.yaml - -- name: Controller # the 'primary' role goes first +# +# tags: (list) list of tags used by other parts of the deployment process to +# find the role for a specific type of functionality. Currently a role +# with both 'primary' and 'controller' is used as the primary role for the +# deployment process. If no roles have have 'primary' and 'controller', the +# first role in this file is used as the primary role. +# +- name: Controller CountDefault: 1 + tags: + - primary + - controller ServicesDefault: - OS::TripleO::Services::CACerts - OS::TripleO::Services::CertmongerUser @@ -43,6 +52,10 @@ - OS::TripleO::Services::CinderBackup - OS::TripleO::Services::CinderScheduler - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::CinderBackendDellPs + - OS::TripleO::Services::CinderBackendDellSc + - OS::TripleO::Services::CinderBackendNetApp + - OS::TripleO::Services::CinderBackendScaleIO - OS::TripleO::Services::Congress - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone @@ -78,6 +91,7 @@ - OS::TripleO::Services::Ec2Api - OS::TripleO::Services::Ntp - OS::TripleO::Services::SwiftProxy + - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::SwiftStorage - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml index 8e830711..df2e196b 100644 --- a/roles_data_undercloud.yaml +++ b/roles_data_undercloud.yaml @@ -1,6 +1,9 @@ -- name: Undercloud # the 'primary' role goes first +- name: Undercloud CountDefault: 1 disable_constraints: True + tags: + - primary + - controller ServicesDefault: - OS::TripleO::Services::Ntp - OS::TripleO::Services::MySQL |