-rwxr-xr-xextraconfig/tasks/pacemaker_common_functions.sh49
-rwxr-xr-xextraconfig/tasks/yum_update.sh30
-rw-r--r--puppet/major_upgrade_steps.j2.yaml78
-rw-r--r--puppet/services/ceilometer-collector.yaml13
-rw-r--r--puppet/services/ec2-api.yaml15
-rw-r--r--puppet/services/gnocchi-base.yaml5
-rw-r--r--puppet/services/haproxy.yaml6
-rw-r--r--puppet/services/nova-libvirt.yaml25
-rw-r--r--puppet/services/snmp.yaml5
-rw-r--r--releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml6
-rw-r--r--releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml3
-rw-r--r--releasenotes/notes/snmp_listen-2364188f73d43b14.yaml7
12 files changed, 203 insertions, 39 deletions
diff --git a/extraconfig/tasks/pacemaker_common_functions.sh b/extraconfig/tasks/pacemaker_common_functions.sh
index 4480f74d..f17a073a 100755
--- a/extraconfig/tasks/pacemaker_common_functions.sh
+++ b/extraconfig/tasks/pacemaker_common_functions.sh
@@ -322,3 +322,52 @@ function special_case_ovs_upgrade_if_needed {
}
+# This code is meant to fix https://bugs.launchpad.net/tripleo/+bug/1686357 on
+# existing setups via a minor update workflow and be idempotent. We need to
+# run this before the yum update because we fix this up even when there are no
+# packages to update on the system (in which case the script exits).
+# This code must be called with set +eu (due to the ocf scripts being sourced)
+function fixup_wrong_ipv6_vip {
+ # This XPath query identifies of all the VIPs in pacemaker with netmask /64. Those are IPv6 only resources that have the wrong netmask
+ # This gives the address of the resource in the CIB, one address per line. For example:
+ # /cib/configuration/resources/primitive[@id='ip-2001.db8.ca2.4..10']/instance_attributes[@id='ip-2001.db8.ca2.4..10-instance_attributes']\
+ # /nvpair[@id='ip-2001.db8.ca2.4..10-instance_attributes-cidr_netmask']
+ vip_xpath_query="//resources/primitive[@type='IPaddr2']/instance_attributes/nvpair[@name='cidr_netmask' and @value='64']"
+ vip_xpath_xml_addresses=$(cibadmin --query --xpath "$vip_xpath_query" -e 2>/dev/null)
+ # The following extracts the @id value of the resource
+ vip_resources_to_fix=$(echo -e "$vip_xpath_xml_addresses" | sed -n "s/.*primitive\[@id='\([^']*\)'.*/\1/p")
+ # Runnning this in a subshell so that sourcing files cannot possibly affect the running script
+ (
+ OCF_PATH="/usr/lib/ocf/lib/heartbeat"
+ if [ -n "$vip_resources_to_fix" -a -f $OCF_PATH/ocf-shellfuncs -a -f $OCF_PATH/findif.sh ]; then
+ source $OCF_PATH/ocf-shellfuncs
+ source $OCF_PATH/findif.sh
+ for resource in $vip_resources_to_fix; do
+ echo "Updating IPv6 VIP $resource with a /128 and a correct addrlabel"
+ # The following will give us something like:
+ # <nvpair id="ip-2001.db8.ca2.4..10-instance_attributes-ip" name="ip" value="2001:db8:ca2:4::10"/>
+ ip_cib_nvpair=$(cibadmin --query --xpath "//resources/primitive[@type='IPaddr2' and @id='$resource']/instance_attributes/nvpair[@name='ip']")
+ # Let's filter out the value of the nvpair to get the ip address
+ ip_address=$(echo $ip_cib_nvpair | xmllint --xpath 'string(//nvpair/@value)' -)
+ OCF_RESKEY_cidr_netmask="64"
+ OCF_RESKEY_ip="$ip_address"
+ # Unfortunately due to https://bugzilla.redhat.com/show_bug.cgi?id=1445628
+ # we need to find out the appropiate nic given the ip address.
+ nic=$(findif $ip_address | awk '{ print $1 }')
+ ret=$?
+ if [ -z "$nic" -o $ret -ne 0 ]; then
+ echo "NIC autodetection failed for VIP $ip_address, not updating VIPs"
+ # Only exits the subshell
+ exit 1
+ fi
+ ocf_run -info pcs resource update --wait "$resource" ip="$ip_address" cidr_netmask=128 nic="$nic" lvs_ipv6_addrlabel=true lvs_ipv6_addrlabel_value=99
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "pcs resource update for VIP $resource failed, not updating VIPs"
+ # Only exits the subshell
+ exit 1
+ fi
+ done
+ fi
+ )
+}
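Review bot: On the `nic=$(findif $ip_address | awk '{ print $1 }')` line the following `ret=$?` records awk's exit status, not findif's, so a failed interface lookup is only caught when awk happens to print nothing; under bash the pipeline status can be surfaced with `nic=$(findif "$ip_address" | awk '{ print $1 }'; exit "${PIPESTATUS[0]}")`. `$ip_address` there and `$ip_cib_nvpair` in the `echo … | xmllint` line are unquoted, so an unexpected CIB value would be word-split and glob-expanded before reaching findif/xmllint; quoting both costs nothing. The `[ -n … -a -f … -a -f … ]` and `[ -z "$nic" -o $ret -ne 0 ]` tests use the deprecated `-a`/`-o` operators and would be unambiguous as `[[ … && … ]]` / `[[ … || … ]]`, which the subshell already requires bash for.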
diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh
index 018c9b74..83d6d8d6 100755
--- a/extraconfig/tasks/yum_update.sh
+++ b/extraconfig/tasks/yum_update.sh
@@ -38,6 +38,29 @@ if [[ -a "$timestamp_file" ]]; then
fi
touch "$timestamp_file"
+pacemaker_status=""
+if hiera -c /etc/puppet/hiera.yaml service_names | grep -q pacemaker; then
+ pacemaker_status=$(systemctl is-active pacemaker)
+fi
+
+# (NB: when backporting this s/pacemaker_short_bootstrap_node_name/bootstrap_nodeid)
+# This runs before the yum_update so we are guaranteed to run it even in the absence
+# of packages to update (the check for -z "$update_identifier" guarantees that this
+# is run only on overcloud stack update -i)
+if [[ "$pacemaker_status" == "active" && \
+ "$(hiera -c /etc/puppet/hiera.yaml pacemaker_short_bootstrap_node_name)" == "$(facter hostname)" ]] ; then \
+ # OCF scripts don't cope with -eu
+ echo "Verifying if we need to fix up any IPv6 VIPs"
+ set +eu
+ fixup_wrong_ipv6_vip
+ ret=$?
+ set -eu
+ if [ $ret -ne 0 ]; then
+ echo "Fixing up IPv6 VIPs failed. Stopping here. (See https://bugs.launchpad.net/tripleo/+bug/1686357 for more info)"
+ exit 1
+ fi
+fi
+
command_arguments=${command_arguments:-}
# yum check-update exits 100 if updates are available
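Review bot: The `]] ; then \` at the end of the `if [[ "$pacemaker_status" == "active" && …` line carries a trailing backslash that continues the `then` onto the comment line below; it parses, but it reads as an unfinished condition and should be `"$(facter hostname)" ]]; then`. The `if [ $ret -ne 0 ]` test would be clearer as `if (( ret != 0 )); then`, matching the `[[ … ]]` style already used in this block. `fixup_wrong_ipv6_vip` is not defined in this file, so the script presumably sources pacemaker_common_functions.sh before this point (outside the hunk) — worth confirming, since with `set -u` re-enabled a missing function would only fail here at runtime.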
@@ -55,10 +78,6 @@ elif [[ "$check_update_exit" != "100" ]]; then
exit 0
fi
-pacemaker_status=""
-if hiera -c /etc/puppet/hiera.yaml service_names | grep -q pacemaker; then
- pacemaker_status=$(systemctl is-active pacemaker)
-fi
# special case https://bugs.launchpad.net/tripleo/+bug/1635205 +bug/1669714
special_case_ovs_upgrade_if_needed
@@ -129,6 +148,7 @@ if [[ "$pacemaker_status" == "active" ]] ; then
pcs status
fi
-echo "Finished yum_update.sh on server $deploy_server_id at `date`"
+
+echo "Finished yum_update.sh on server $deploy_server_id at `date` with return code: $return_code"
exit $return_code
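Review bot: The rewritten "Finished yum_update.sh" line keeps the backtick form `` `date` `` and the unquoted `$deploy_server_id`; since the line is being rewritten anyway, `$(date)` and `"$deploy_server_id"` would bring it in line with the `$(…)` style used elsewhere in this commit, and `exit "$return_code"` on the next line the same. `return_code` is assigned outside the hunk.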
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index 28092773..d07da568 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
@@ -32,6 +32,20 @@ parameters:
type: string
hidden: true
+conditions:
+ # Conditions to disable any steps where the task list is empty
+ {%- for role in roles %}
+ {{role.name}}UpgradeBatchConfigEnabled:
+ not:
+ equals:
+ - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]}
+ - []
+ {{role.name}}UpgradeConfigEnabled:
+ not:
+ equals:
+ - {get_param: [role_data, {{role.name}}, upgrade_tasks]}
+ - []
+ {%- endfor %}
resources:
@@ -89,22 +103,23 @@ resources:
{%- for role in roles %}
{{role.name}}UpgradeBatchConfig_Step{{step}}:
type: OS::TripleO::UpgradeConfig
- {%- if step > 0 %}
- {%- if role in enabled_roles %}
+ condition: {{role.name}}UpgradeBatchConfigEnabled
+ {%- if step > 0 %}
depends_on:
- - {{role.name}}UpgradeBatch_Step{{step -1}}
- {%- endif %}
- {%- else %}
+ {%- for role_inside in enabled_roles %}
+ - {{role_inside.name}}UpgradeBatch_Step{{step -1}}
+ {%- endfor %}
+ {% else %}
{% for role in roles if role.disable_upgrade_deployment|default(false) %}
{% if deliver_script.update({'deliver': True}) %} {% endif %}
{% endfor %}
{% if deliver_script.deliver %}
depends_on:
- {% endif %}
{% for dep in roles if dep.disable_upgrade_deployment|default(false) %}
- {{dep.name}}DeliverUpgradeScriptDeployment
{% endfor %}
- {% endif %}
+ {% endif %}
+ {% endif %}
properties:
UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]}
step: {{step}}
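Review bot: The new `{% else %}` and `{% endif %}` tags in the UpgradeBatchConfig block (and the same block repeated in the next hunk for `UpgradeBatch_Step`, lines `{% else %}` … `{% endif %}`) omit the `-` whitespace control that their sibling `{%- if step > 0 %}` and `{%- endfor %}` use, so the rendered YAML gains stray blank lines — harmless to the parser but inconsistent with the rest of the template. The `deliver_script` / `DeliverUpgradeScriptDeployment` dependency block is now written out twice verbatim; a Jinja macro taking the role list would keep both copies in sync when the next change touches one of them.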
@@ -114,19 +129,29 @@ resources:
{%- for role in enabled_roles %}
{{role.name}}UpgradeBatch_Step{{step}}:
type: OS::Heat::SoftwareDeploymentGroup
+ condition: {{role.name}}UpgradeBatchConfigEnabled
{%- if step > 0 %}
depends_on:
{%- for role_inside in enabled_roles %}
- {{role_inside.name}}UpgradeBatch_Step{{step -1}}
{%- endfor %}
- {%- endif %}
+ {% else %}
+ {% for role in roles if role.disable_upgrade_deployment|default(false) %}
+ {% if deliver_script.update({'deliver': True}) %} {% endif %}
+ {% endfor %}
+ {% if deliver_script.deliver %}
+ depends_on:
+ {% for dep in roles if dep.disable_upgrade_deployment|default(false) %}
+ - {{dep.name}}DeliverUpgradeScriptDeployment
+ {% endfor %}
+ {% endif %}
+ {% endif %}
update_policy:
batch_create:
max_batch_size: {{role.upgrade_batch_size|default(1)}}
rolling_update:
max_batch_size: {{role.upgrade_batch_size|default(1)}}
properties:
- name: {{role.name}}UpgradeBatch_Step{{step}}
servers: {get_param: [servers, {{role.name}}]}
config: {get_resource: {{role.name}}UpgradeBatchConfig_Step{{step}}}
input_values:
@@ -167,16 +192,19 @@ resources:
{%- for role in roles %}
{{role.name}}UpgradeConfig_Step{{step}}:
type: OS::TripleO::UpgradeConfig
- # The UpgradeConfig resources could actually be created without
- # serialization, but the event output is easier to follow if we
- # do, and there should be minimal performance hit (creating the
- # config is cheap compared to the time to apply the deployment).
- {%- if step > 0 %}
- {%- if role in enabled_roles %}
+ condition: {{role.name}}UpgradeConfigEnabled
+ # The UpgradeConfig resources could actually be created without
+ # serialization, but the event output is easier to follow if we
+ # do, and there should be minimal performance hit (creating the
+ # config is cheap compared to the time to apply the deployment).
depends_on:
- - {{role.name}}Upgrade_Step{{step -1}}
- {%- endif %}
- {%- endif %}
+ {%- for role_inside in enabled_roles %}
+ {%- if step > 0 %}
+ - {{role_inside.name}}Upgrade_Step{{step -1}}
+ {%- else %}
+ - {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}}
+ {%- endif %}
+ {%- endfor %}
properties:
UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]}
step: {{step}}
@@ -186,22 +214,16 @@ resources:
{%- for role in enabled_roles %}
{{role.name}}Upgrade_Step{{step}}:
type: OS::Heat::SoftwareDeploymentGroup
- {%- if step > 0 %}
- # Make sure we wait that all roles have finished their own
- # previous step before going to the next, so we can guarantee
- # state for each steps.
+ condition: {{role.name}}UpgradeConfigEnabled
depends_on:
{%- for role_inside in enabled_roles %}
+ {%- if step > 0 %}
- {{role_inside.name}}Upgrade_Step{{step -1}}
- {%- endfor %}
- {%- else %}
- depends_on:
- {%- for role_inside in enabled_roles %}
+ {%- else %}
- {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}}
+ {%- endif %}
{%- endfor %}
- {%- endif %}
properties:
- name: {{role.name}}Upgrade_Step{{step}}
servers: {get_param: [servers, {{role.name}}]}
config: {get_resource: {{role.name}}UpgradeConfig_Step{{step}}}
input_values:
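Review bot: The comment that explained why `depends_on` for `{{role.name}}Upgrade_Step{{step}}` fans out over every enabled role ("Make sure we wait that all roles have finished their own previous step…") is removed on the new side with no replacement, while the parallel UpgradeConfig hunk above kept its explanatory comment. Restore it above `depends_on:` as `# Wait for every enabled role to finish the previous step (or the last` / `# batch step for step 0) so the state at each step is consistent across roles.`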
diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml
index dfc844be..111b3e8b 100644
--- a/puppet/services/ceilometer-collector.yaml
+++ b/puppet/services/ceilometer-collector.yaml
@@ -51,7 +51,16 @@ parameters:
type: comma_delimited_list
constraints:
- allowed_values: ['panko', 'gnocchi', 'database']
-
+ CeilometerEventTTL:
+ default: '86400'
+ description: Number of seconds that events are kept in the database for
+ (<= 0 means forever)
+ type: string
+ CeilometerMeteringTTL:
+ default: '86400'
+ description: Number of seconds that samples are kept in the database for
+ (<= 0 means forever)
+ type: string
resources:
CeilometerServiceBase:
type: ./ceilometer-base.yaml
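Review bot: `CeilometerEventTTL` and `CeilometerMeteringTTL` are described as a number of seconds but declared `type: string` with a quoted default, so Heat accepts any text and a typo only fails later when puppet writes ceilometer.conf. `type: number` with `default: 86400` would be validated at stack creation; if the string type is kept on purpose for the puppet interface, adding `constraints: [{allowed_pattern: '^-?[0-9]+$'}]` to each parameter catches the same mistakes early.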
@@ -91,6 +100,8 @@ outputs:
- '/ceilometer'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
ceilometer_backend: {get_param: CeilometerBackend}
+ ceilometer::event_time_to_live: {get_param: CeilometerEventTTL}
+ ceilometer::metering_time_to_live: {get_param: CeilometerMeteringTTL}
# we include db_sync class in puppet-tripleo
ceilometer::db::sync_db: false
ceilometer::db::database_db_max_retries: -1
diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml
index d1adefe5..98d656a5 100644
--- a/puppet/services/ec2-api.yaml
+++ b/puppet/services/ec2-api.yaml
@@ -30,6 +30,15 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ Ec2ApiExternalNetwork:
+ type: string
+ default: ''
+ description: Name of the external network, which is used to connect VPCs to
+ Internet and to allocate Elastic IPs
+ NovaDefaultFloatingPool:
+ default: 'public'
+ description: Default pool for floating IP addresses
+ type: string
MonitoringSubscriptionEc2Api:
default: 'overcloud-ec2-api'
type: string
@@ -52,6 +61,7 @@ parameters:
conditions:
nova_workers_zero: {equals : [{get_param: Ec2ApiWorkers}, 0]}
+ external_network_unset: {equals : [{get_param: Ec2ApiExternalNetwork}, '']}
outputs:
role_data:
@@ -109,6 +119,11 @@ outputs:
- {}
- ec2api::api::ec2api_workers: {get_param: Ec2ApiWorkers}
ec2api::metadata::metadata_workers: {get_param: Ec2ApiWorkers}
+ -
+ if:
+ - external_network_unset
+ - ec2api::api::external_network: {get_param: NovaDefaultFloatingPool}
+ - ec2api::api::external_network: {get_param: Ec2ApiExternalNetwork}
step_config: |
include tripleo::profile::base::nova::ec2api
service_config_settings:
diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml
index dc6daece..24f4157b 100644
--- a/puppet/services/gnocchi-base.yaml
+++ b/puppet/services/gnocchi-base.yaml
@@ -22,6 +22,10 @@ parameters:
default: 'mysql'
description: The short name of the Gnocchi indexer backend to use.
type: string
+ MetricProcessingDelay:
+ default: 60
+ description: Delay between processing metrics.
+ type: number
GnocchiPassword:
description: The password for the gnocchi service and db account.
type: string
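Review bot: `MetricProcessingDelay`'s description, `Delay between processing metrics.`, gives no unit; the value is passed straight to `gnocchi::storage::metric_processing_delay`, which presumably takes seconds given the default of 60 — confirm against the puppet module. Suggest `description: Delay in seconds between two metric processing runs of gnocchi-metricd.`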
@@ -65,6 +69,7 @@ outputs:
- '/gnocchi'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
gnocchi::db::sync::extra_opts: '--skip-storage'
+ gnocchi::storage::metric_processing_delay: {get_param: MetricProcessingDelay}
gnocchi::storage::swift::swift_user: 'service:gnocchi'
gnocchi::storage::swift::swift_auth_version: 3
gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword}
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index c651bbe5..e32b44dd 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -37,6 +37,11 @@ parameters:
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
resources:
@@ -71,6 +76,7 @@ outputs:
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
+ tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index 21a5e78a..c3e6f4e4 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -41,16 +41,23 @@ parameters:
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt.
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
LibvirtCACert:
type: string
- default: '/etc/ipa/ca.crt'
+ default: ''
description: This specifies the CA certificate to use for TLS in libvirt.
This file will be symlinked to the default CA path in libvirt,
which is /etc/pki/CA/cacert.pem. Note that due to limitations
GNU TLS, which is the TLS backend for libvirt, the file must
- be less than 65K (so we can't use the system's CA bundle). The
- current default reflects TripleO's default CA, which is
- FreeIPA. It will only be used if internal TLS is enabled.
+ be less than 65K (so we can't use the system's CA bundle).
+ This parameter should be used if the default (which comes from
+ the InternalTLSCAFile parameter) is not desired. The current
+ default reflects TripleO's default CA, which is FreeIPA.
+ It will only be used if internal TLS is enabled.
conditions:
@@ -63,6 +70,11 @@ conditions:
- {get_param: UseTLSTransportForLiveMigration}
- true
+ libvirt_specific_ca_unset:
+ equals:
+ - {get_param: LibvirtCACert}
+ - ''
+
resources:
NovaBase:
type: ./nova-base.yaml
@@ -113,7 +125,10 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
tripleo::certmonger::ca::libvirt::origin_ca_pem:
- get_param: LibvirtCACert
+ if:
+ - libvirt_specific_ca_unset
+ - get_param: InternalTLSCAFile
+ - get_param: LibvirtCACert
tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
libvirt_certificates_specs:
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index 80c29f95..072ccc1a 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@@ -28,6 +28,10 @@ parameters:
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string
hidden: true
+ SnmpdBindHost:
+ description: An array of bind host addresses on which SNMP daemon will listen.
+ type: comma_delimited_list
+ default: ['udp:161','udp6:[::1]:161']
outputs:
role_data:
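Review bot: The default for `SnmpdBindHost`, `['udp:161','udp6:[::1]:161']`, binds on every IPv4 address but only on IPv6 loopback, and the description ("An array of bind host addresses…") does not make that asymmetry or the net-snmp syntax visible to operators who want to restrict exposure. Suggest `description: List of net-snmp agentaddress entries snmpd listens on, e.g. udp:161 (all IPv4 addresses) or udp:<ip>:161 (one address); the default preserves the previously hardcoded behaviour.` The firewall rule further down in this file still opens 161 regardless of the bind list, which is worth a sentence in the release note.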
@@ -37,6 +41,7 @@ outputs:
config_settings:
tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
+ snmp::agentaddress: {get_param: SnmpdBindHost}
tripleo.snmp.firewall_rules:
'127 snmp':
dport: 161
diff --git a/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
new file mode 100644
index 00000000..8847b22b
--- /dev/null
+++ b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Adds the InternalTLSCAFile parameter, which defines which CA file should be
+ used by the internal services to verify that the peer's certificate is
+ trusted. This is applicable if internal TLS is enabled. Currently, it
+ defaults to using the CA file for FreeIPA, which is the default CA.
diff --git a/releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml b/releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml
new file mode 100644
index 00000000..1fc4f105
--- /dev/null
+++ b/releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml
@@ -0,0 +1,3 @@
+---
+fixes:
+ - Expose metric_processing_delay to tweak gnocchi performance.
diff --git a/releasenotes/notes/snmp_listen-2364188f73d43b14.yaml b/releasenotes/notes/snmp_listen-2364188f73d43b14.yaml
new file mode 100644
index 00000000..7cff9eec
--- /dev/null
+++ b/releasenotes/notes/snmp_listen-2364188f73d43b14.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Adding a new parameter to SNMP profile, SnmpdBindHost
+ so users can change the binding addresses on SNMP daemon.
+ The parameter is an array and takes the default value that
+ were previously hardcoded in puppet-tripleo.