109 files changed, 1555 insertions, 507 deletions
diff --git a/Gemfile b/Gemfile deleted file mode 100644 index 302ef415..00000000 --- a/Gemfile +++ /dev/null @@ -1,24 +0,0 @@ -source 'https://rubygems.org' - -group :development, :test do - gem 'puppetlabs_spec_helper', :require => false - - gem 'puppet-lint', '~> 1.1' - gem 'puppet-lint-absolute_classname-check' - gem 'puppet-lint-absolute_template_path' - gem 'puppet-lint-trailing_newline-check' - - # Puppet 4.x related lint checks - gem 'puppet-lint-unquoted_string-check' - gem 'puppet-lint-leading_zero-check' - gem 'puppet-lint-variable_contains_upcase' - gem 'puppet-lint-numericvariable' -end - -if puppetversion = ENV['PUPPET_GEM_VERSION'] - gem 'puppet', puppetversion, :require => false -else - gem 'puppet', :require => false -end - -# vim:ft=ruby diff --git a/Rakefile b/Rakefile deleted file mode 100644 index bca6a6c2..00000000 --- a/Rakefile +++ /dev/null @@ -1,6 +0,0 @@ -require 'puppetlabs_spec_helper/rake_tasks' -require 'puppet-lint/tasks/puppet-lint' - -PuppetLint.configuration.fail_on_warnings = true -PuppetLint.configuration.send('disable_80chars') -PuppetLint.configuration.send('disable_autoloader_layout') diff --git a/capabilities-map.yaml b/capabilities-map.yaml index 279ff1c1..b2b424b1 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -426,10 +426,11 @@ topics: via puppet requires: - overcloud-resource-registry-puppet.yaml - - file: environments/cinder-eqlx-config.yaml - title: Cinder EQLX backend + - file: environments/cinder-dellps-config.yaml + title: Cinder Dell EMC PS Series backend description: > - Enables a Cinder EQLX backend, configured via puppet + Enables a Cinder Dell EMC PS Series backend, + configured via puppet requires: - overcloud-resource-registry-puppet.yaml - file: environments/cinder-iser.yaml 
@@ -541,6 +542,14 @@ topics: - title: Security Options description: Security Hardening Options environment_groups: + - title: SSH Banner Text + description: Enables population of SSH Banner Text + environments: + - file: environments/sshd-banner.yaml + title: SSH Banner Text + description: + requires: + - overcloud-resource-registry-puppet.yaml - title: Horizon Password Validation description: Enable Horizon Password validation environments: @@ -549,3 +558,11 @@ topics: description: requires: - overcloud-resource-registry-puppet.yaml + - title: AuditD Rules + description: Management of AuditD rules + environments: + - file: environments/auditd.yaml + title: AuditD Rule Management + description: + requires: + - overcloud-resource-registry-puppet.yaml diff --git a/ci/common/net-config-multinode-os-net-config.yaml b/ci/common/net-config-multinode-os-net-config.yaml new file mode 100644 index 00000000..8c50b641 --- /dev/null +++ b/ci/common/net-config-multinode-os-net-config.yaml 
@@ -0,0 +1,114 @@ +heat_template_version: ocata + +description: > + Software Config to drive os-net-config for a simple bridge configured + with a static IP address for the ctlplane network. + +parameters: + ControlPlaneIp: + default: '' + description: IP address/subnet on the ctlplane network + type: string + ExternalIpSubnet: + default: '' + description: IP address/subnet on the external network + type: string + InternalApiIpSubnet: + default: '' + description: IP address/subnet on the internal API network + type: string + StorageIpSubnet: + default: '' + description: IP address/subnet on the storage network + type: string + StorageMgmtIpSubnet: + default: '' + description: IP address/subnet on the storage mgmt network + type: string + TenantIpSubnet: + default: '' + description: IP address/subnet on the tenant network + type: string + ManagementIpSubnet: + default: '' + description: IP address/subnet on the management network + type: string + ControlPlaneSubnetCidr: # Override this via parameter_defaults + default: '24' + description: The subnet CIDR of the control plane network. + type: string + OvSBridgeMtu: + default: 1300 + description: The mtu of the OvS bridge + type: number + +resources: + + OsNetConfigImpl: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: + list_join: + - '' + - - | + #!/bin/bash + function network_config_hook { + primary_private_ip=$(cat /etc/nodepool/primary_node_private) + sed -i "s/primary_private_ip/$primary_private_ip/" /etc/os-net-config/config.json + subnode_private_ip=$(cat /etc/nodepool/node_private) + sed -i "s/subnode_private_ip/$subnode_private_ip/" /etc/os-net-config/config.json + # We start with an arbitrarily high vni key so that we don't + # overlap with Neutron created values. These will also match the + # values that we've been using previously from the devstack-gate + # code. 
+ vni=1000002 + subnode_index=$(grep -n $(cat /etc/nodepool/node_private) /etc/nodepool/sub_nodes_private | cut -d: -f1) + let vni+=$subnode_index + sed -i "s/vni/$vni/" /etc/os-net-config/config.json + export interface_name="br-ex_$primary_private_ip" + # Until we are fully migrated to os-net-config we need to clean + # up the old bridge first created by devstack-gate + ovs-vsctl del-br br-ex + } + + - + str_replace: + template: + get_file: ../../network/scripts/run-os-net-config.sh + params: + $network_config: + network_config: + - type: ovs_bridge + name: bridge_name + mtu: + get_param: OvSBridgeMtu + use_dhcp: false + addresses: + - ip_netmask: + list_join: + - "/" + - - get_param: ControlPlaneIp + - get_param: ControlPlaneSubnetCidr + members: + - type: ovs_tunnel + name: interface_name + tunnel_type: vxlan + ovs_options: + - list_join: + - "=" + - - key + - vni + - list_join: + - "=" + - - remote_ip + - primary_private_ip + - list_join: + - "=" + - - local_ip + - subnode_private_ip + +outputs: + OS::stack_id: + description: The OsNetConfigImpl resource. + value: {get_resource: OsNetConfigImpl} diff --git a/ci/common/net-config-multinode.yaml b/ci/common/net-config-multinode.yaml index bf947d3e..dc31235a 100644 --- a/ci/common/net-config-multinode.yaml +++ b/ci/common/net-config-multinode.yaml @@ -47,7 +47,9 @@ resources: str_replace: template: | #!/bin/bash - ip addr add CONTROLPLANEIP/CONTROLPLANESUBNETCIDR dev $bridge_name + if ! ip addr show dev $bridge_name | grep CONTROLPLANEIP/CONTROLPLANESUBNETCIDR; then + ip addr add CONTROLPLANEIP/CONTROLPLANESUBNETCIDR dev $bridge_name + fi params: CONTROLPLANEIP: {get_param: ControlPlaneIp} CONTROLPLANESUBNETCIDR: {get_param: ControlPlaneSubnetCidr} diff --git a/ci/environments/multinode.yaml b/ci/environments/multinode.yaml index d7b61bb6..212f6a23 100644 --- a/ci/environments/multinode.yaml +++ b/ci/environments/multinode.yaml 
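Review bot: In network_config_hook the lookup `subnode_index=$(grep -n $(cat /etc/nodepool/node_private) /etc/nodepool/sub_nodes_private | cut -d: -f1)` passes the node address as an unquoted, unanchored regex, so `.` matches any character and an address that is a prefix of a longer one on another line can return more than one line number, which then breaks `let vni+=$subnode_index` and produces a wrong VXLAN key. A fixed-string, whole-line match avoids both problems: `subnode_index=$(grep -n -x -F "$(cat /etc/nodepool/node_private)" /etc/nodepool/sub_nodes_private | cut -d: -f1)`. The same unquoted substitutions feed the `sed -i "s/.../$primary_private_ip/"` edits of /etc/os-net-config/config.json, and nothing in this script sets `set -e`, so a failed lookup is not noticed before `ovs-vsctl del-br br-ex` runs; quoting the expansions and checking that subnode_index is non-empty would make the hook fail early instead.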
@@ -1,6 +1,6 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml parameter_defaults: ControllerServices: @@ -45,3 +45,4 @@ parameter_defaults: # Required for Centos 7.3 and Qemu 2.6.0 nova::compute::libvirt::libvirt_cpu_mode: 'none' SwiftCeilometerPipelineEnabled: False + Debug: True diff --git a/ci/environments/multinode_major_upgrade.yaml b/ci/environments/multinode_major_upgrade.yaml index 7de1594f..56d04de5 100644 --- a/ci/environments/multinode_major_upgrade.yaml +++ b/ci/environments/multinode_major_upgrade.yaml @@ -1,6 +1,6 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../heat-templates/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../heat-templates/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Services::Core: multinode-core.yaml parameter_defaults: @@ -43,4 +43,6 @@ parameter_defaults: nova::compute::libvirt::libvirt_virt_type: qemu # Required for Centos 7.3 and Qemu 2.6.0 nova::compute::libvirt::libvirt_cpu_mode: 'none' + heat::rpc_response_timeout: 600 SwiftCeilometerPipelineEnabled: False + Debug: True diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml index db6967e0..69bf7c90 100644 --- a/ci/environments/scenario001-multinode.yaml +++ b/ci/environments/scenario001-multinode.yaml 
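Review bot: `Debug: True` is added to ci/environments/multinode.yaml and, in the `@@ -43,4 +43,6 @@` hunk, to ci/environments/multinode_major_upgrade.yaml with no comment on why. Debug-level OpenStack service logging is far more verbose and can echo request payloads and configuration values into the job logs, so if those logs are archived publicly a short comment such as `# CI only: debug logging for log collection; do not copy into production environments` above the key would tell the next reader that the setting is intentional and scoped to CI.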
@@ -1,10 +1,11 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Services::CephMon: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-mon.yaml OS::TripleO::Services::CephOSD: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-osd.yaml OS::TripleO::Services::CephClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-client.yaml OS::TripleO::Services::PankoApi: /usr/share/openstack-tripleo-heat-templates/puppet/services/panko-api.yaml + OS::TripleO::Services::Collectd: /usr/share/openstack-tripleo-heat-templates/puppet/services/metrics/collectd.yaml parameter_defaults: ControllerServices: @@ -34,6 +35,7 @@ parameter_defaults: - OS::TripleO::Services::NovaScheduler - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::Timezone - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt @@ -59,6 +61,7 @@ parameter_defaults: - OS::TripleO::Services::CinderBackup - OS::TripleO::Services::CinderScheduler - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::Collectd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu 
@@ -81,3 +84,14 @@ parameter_defaults: GlanceBackend: rbd GnocchiBackend: rbd CinderEnableIscsiBackend: false + BannerText: | + ****************************************************************** + * This system is for the use of authorized users only. Usage of * + * this system may be monitored and recorded by system personnel. * + * Anyone using this system expressly consents to such monitoring * + * and is advised that if such monitoring reveals possible * + * evidence of criminal activity, system personnel may provide * + * the evidence from such monitoring to law enforcement officials.* + ****************************************************************** + CollectdExtraPlugins: + - rrdtool diff --git a/ci/environments/scenario002-multinode.yaml b/ci/environments/scenario002-multinode.yaml index 0dfa78d3..e611c6f9 100644 --- a/ci/environments/scenario002-multinode.yaml +++ b/ci/environments/scenario002-multinode.yaml @@ -1,6 +1,6 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Services::BarbicanApi: ../../puppet/services/barbican-api.yaml OS::TripleO::Services::Zaqar: ../../puppet/services/zaqar.yaml OS::TripleO::Services::Ec2Api: ../../puppet/services/ec2-api.yaml diff --git a/ci/environments/scenario003-multinode.yaml b/ci/environments/scenario003-multinode.yaml index 08e4d19f..b26ee0a3 100644 --- a/ci/environments/scenario003-multinode.yaml +++ b/ci/environments/scenario003-multinode.yaml 
@@ -1,6 +1,6 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Services::SaharaApi: ../../puppet/services/sahara-api.yaml OS::TripleO::Services::SaharaEngine: ../../puppet/services/sahara-engine.yaml OS::TripleO::Services::MistralApi: ../../puppet/services/mistral-api.yaml diff --git a/ci/environments/scenario004-multinode.yaml b/ci/environments/scenario004-multinode.yaml index e97113b0..5b253a84 100644 --- a/ci/environments/scenario004-multinode.yaml +++ b/ci/environments/scenario004-multinode.yaml @@ -1,6 +1,6 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Services::CephMon: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-mon.yaml OS::TripleO::Services::CephOSD: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-osd.yaml OS::TripleO::Services::CephClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-client.yaml diff --git a/ci/pingtests/tenantvm_floatingip.yaml b/ci/pingtests/tenantvm_floatingip.yaml index 0f31bc16..b910d6c1 100644 --- a/ci/pingtests/tenantvm_floatingip.yaml +++ b/ci/pingtests/tenantvm_floatingip.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2013-05-23 +heat_template_version: ocata description: > This template resides in tripleo-ci for Mitaka CI jobs only. 
diff --git a/deployed-server/deployed-server-bootstrap-rhel.sh b/deployed-server/deployed-server-bootstrap-rhel.sh
new file mode 100644
index 00000000..36ff0077
--- /dev/null
+++ b/deployed-server/deployed-server-bootstrap-rhel.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -eux
+
+yum install -y \
+ jq \
+ python-ipaddr \
+ openstack-puppet-modules \
+ os-net-config \
+ openvswitch \
+ python-heat-agent*
+
+ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules
diff --git a/deployed-server/deployed-server-bootstrap-rhel.yaml b/deployed-server/deployed-server-bootstrap-rhel.yaml
new file mode 100644
index 00000000..2d2f5156
--- /dev/null
+++ b/deployed-server/deployed-server-bootstrap-rhel.yaml
@@ -0,0 +1,22 @@
+heat_template_version: ocata
+
+description: 'Deployed Server Bootstrap Config'
+
+parameters:
+
+ server:
+ type: string
+
+resources:
+
+ DeployedServerBootstrapConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ config: {get_file: deployed-server-bootstrap-rhel.sh}
+
+ DeployedServerBootstrapDeployment:
+ type: OS::Heat::SoftwareDeployment
+ properties:
+ config: {get_resource: DeployedServerBootstrapConfig}
+ server: {get_param: server}
diff --git a/docker/copy-json.py b/docker/copy-json.py
deleted file mode 100644
index e85ff11e..00000000
--- a/docker/copy-json.py
+++ /dev/null
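Review bot: In deployed-server-bootstrap-rhel.sh the package name `python-heat-agent*` is handed to yum unquoted, so if the working directory happens to contain a file matching that pattern the shell expands it to a filename and yum is asked to install the wrong thing; quoting it as `'python-heat-agent*'` makes sure yum itself receives the glob. With `set -eux` in place the script already aborts on the first failed command, which is the right behaviour for a bootstrap step, so this is the only robustness gap I see in the hunk.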
@@ -1,72 +0,0 @@ -#!/bin/python -import json -import os - -data = {} -file_perms = '0600' -libvirt_perms = '0644' - -libvirt_config = os.getenv('libvirt_config').split(',') -nova_config = os.getenv('nova_config').split(',') -neutron_openvswitch_agent_config = os.getenv('neutron_openvswitch_agent_config').split(',') - -# Command, Config_files, Owner, Perms -services = { - 'nova-libvirt': [ - '/usr/sbin/libvirtd', - libvirt_config, - 'root', - libvirt_perms], - 'nova-compute': [ - '/usr/bin/nova-compute', - nova_config, - 'nova', - file_perms], - 'neutron-openvswitch-agent': [ - '/usr/bin/neutron-openvswitch-agent', - neutron_openvswitch_agent_config, - 'neutron', - file_perms], - 'ovs-vswitchd': [ - '/usr/sbin/ovs-vswitchd unix:/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --log-file=/var/log/kolla/openvswitch/ovs-vswitchd.log'], - 'ovsdb-server': [ - '/usr/sbin/ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/run/openvswitch/db.sock --remote=ptcp:6640:127.0.0.1 --log-file=/var/log/kolla/openvswitch/ovsdb-server.log'] -} - - -def build_config_files(config, owner, perms): - config_source = '/var/lib/kolla/config_files/' - config_files_dict = {} - source = os.path.basename(config) - dest = config - config_files_dict.update({'source': config_source + source, - 'dest': dest, - 'owner': owner, - 'perm': perms}) - return config_files_dict - - -for service in services: - if service != 'ovs-vswitchd' and service != 'ovsdb-server': - command = services.get(service)[0] - config_files = services.get(service)[1] - owner = services.get(service)[2] - perms = services.get(service)[3] - config_files_list = [] - for config_file in config_files: - if service == 'nova-libvirt': - command = command + ' --config ' + config_file - else: - command = command + ' --config-file ' + config_file - data['command'] = command - config_files_dict = build_config_files(config_file, owner, perms) - 
config_files_list.append(config_files_dict) - data['config_files'] = config_files_list - else: - data['command'] = services.get(service)[0] - data['config_files'] = [] - - json_config_dir = '/var/lib/etc-data/json-config/' - with open(json_config_dir + service + '.json', 'w') as json_file: - json.dump(data, json_file, sort_keys=True, indent=4, - separators=(',', ': ')) diff --git a/docker/post.j2.yaml b/docker/post.j2.yaml index 1ba96e27..865c74e5 100644 --- a/docker/post.j2.yaml +++ b/docker/post.j2.yaml @@ -20,23 +20,6 @@ parameters: Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. - DockerNamespace: - description: namespace - default: 'tripleoupstream' - type: string - - LibvirtConfig: - type: string - default: "/etc/libvirt/libvirtd.conf" - - NovaConfig: - type: string - default: "/etc/nova/nova.conf,/etc/nova/rootwrap.conf" - - NeutronOpenvswitchAgentConfig: - type: string - default: "/etc/neutron/neutron.conf,/etc/neutron/plugins/ml2/openvswitch_agent.ini" - resources: {% for role in roles %} 
@@ -174,31 +157,24 @@ resources: servers: {get_param: [servers, {{role.name}}]} config: {get_resource: CopyEtcConfig} - CopyJsonConfig: - type: OS::Heat::SoftwareConfig + {{role.name}}KollaJsonConfig: + type: OS::Heat::StructuredConfig + depends_on: CopyEtcDeployment properties: - group: script - inputs: - - name: libvirt_config - - name: nova_config - - name: neutron_openvswitch_agent_config - config: {get_file: ../docker/copy-json.py} + group: json-file + config: + {get_param: [role_data, {{role.name}}, kolla_config]} - CopyJsonDeployment: + {{role.name}}KollaJsonDeployment: type: OS::Heat::SoftwareDeploymentGroup - depends_on: CopyEtcDeployment properties: - name: CopyJsonDeployment - config: {get_resource: CopyJsonConfig} + name: {{role.name}}KollaJsonDeployment + config: {get_resource: {{role.name}}KollaJsonConfig} servers: {get_param: [servers, {{role.name}}]} - input_values: - libvirt_config: {get_param: LibvirtConfig} - nova_config: {get_param: NovaConfig} - neutron_openvswitch_agent_config: {get_param: NeutronOpenvswitchAgentConfig} {{role.name}}ContainersConfig_Step1: type: OS::Heat::StructuredConfig - depends_on: CopyJsonDeployment + depends_on: {{role.name}}KollaJsonDeployment properties: group: docker-cmd config: @@ -206,7 +182,7 @@ resources: {{role.name}}ContainersConfig_Step2: type: OS::Heat::StructuredConfig - depends_on: CopyJsonDeployment + depends_on: {{role.name}}KollaJsonDeployment properties: group: docker-cmd config: diff --git a/docker/services/README.rst b/docker/services/README.rst index 8d1f9e86..60719bfc 100644 --- a/docker/services/README.rst +++ b/docker/services/README.rst 
@@ -32,6 +32,11 @@ are re-asserted when applying latter ones. * config_settings: Custom hiera settings for this service. These are used to generate configs. + * kolla_config: Contains YAML that represents how to map config files + into the kolla container. This config file is typically mapped into + the container itself at the /var/lib/kolla/config_files/config.json + location and drives how kolla's external config mechanisms work. + * step_config: A puppet manifest that is used to step through the deployment sequence. Each sequence is given a "step" (via hiera('step') that provides information for when puppet classes should activate themselves. diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml index 1c9e60db..0a061f6c 100644 --- a/docker/services/neutron-ovs-agent.yaml +++ b/docker/services/neutron-ovs-agent.yaml @@ -43,6 +43,22 @@ outputs: config_settings: {get_attr: [NeutronOvsAgentBase, role_data, config_settings]} step_config: {get_attr: [NeutronOvsAgentBase, role_data, step_config]} puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2 + kolla_config: + /var/lib/etc-data/json-config/neutron-openvswitch-agent.json: + command: /usr/bin/neutron-openvswitch-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini + config_files: + - dest: /etc/neutron/neutron.conf + owner: neutron + perm: '0600' + source: /var/lib/kolla/config_files/neutron.conf + - dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini + owner: neutron + perm: '0600' + source: /var/lib/kolla/config_files/openvswitch_agent.ini + - dest: /etc/neutron/plugins/ml2/ml2_conf.ini + owner: neutron + perm: '0600' + source: /var/lib/kolla/config_files/ml2_conf.ini docker_config: step_1: neutronovsagent: diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index c695c94d..e765609e 100644 
--- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -41,6 +41,18 @@ outputs: config_settings: {get_attr: [NovaComputeBase, role_data, config_settings]} step_config: {get_attr: [NovaComputeBase, role_data, step_config]} puppet_tags: nova_config,nova_paste_api_ini + kolla_config: + /var/lib/etc-data/json-config/nova-compute.json: + command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf + config_files: + - dest: /etc/nova/nova.conf + owner: nova + perm: '0600' + source: /var/lib/kolla/config_files/nova.conf + - dest: /etc/nova/rootwrap.conf + owner: nova + perm: '0600' + source: /var/lib/kolla/config_files/rootwrap.conf docker_config: step_1: novacompute: diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index a40a21fd..004d624a 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -41,6 +41,14 @@ outputs: config_settings: {get_attr: [NovaLibvirtBase, role_data, config_settings]} step_config: {get_attr: [NovaLibvirtBase, role_data, step_config]} puppet_tags: nova_config + kolla_config: + /var/lib/etc-data/json-config/nova-libvirt.json: + command: /usr/sbin/libvirtd --config /etc/libvirt/libvirtd.conf + config_files: + - dest: /etc/libvirt/libvirtd.conf + owner: root + perm: '0644' + source: /var/lib/kolla/config_files/libvirtd.conf docker_config: step_1: nova_libvirt: diff --git a/docker/services/services.yaml b/docker/services/services.yaml index 3d51eb19..8c31107f 100644 --- a/docker/services/services.yaml +++ b/docker/services/services.yaml 
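Review bot: The kolla_config entry in docker/services/nova-libvirt.yaml installs /etc/libvirt/libvirtd.conf with `perm: '0644'` while the nova and neutron entries in the neighbouring hunks all use `perm: '0600'`. libvirtd.conf is where the daemon's authentication and TLS settings typically live, so unless a non-root process in the container has to read it, `perm: '0600'` would be the consistent choice; the value is carried over from the deleted copy-json.py (`libvirt_perms = '0644'`), so if world-readable is deliberate a one-line comment above the entry saying why would save the next reader the question.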
@@ -68,6 +68,8 @@ outputs: step_config: {get_attr: [PuppetServices, role_data, step_config]} puppet_tags: {list_join: [",", {get_attr: [ServiceChain, role_data, puppet_tags]}]} + kolla_config: + map_merge: {get_attr: [ServiceChain, role_data, kolla_config]} docker_config: step_1: {map_merge: {get_attr: [ServiceChain, role_data, docker_config, step_1]}} step_2: {map_merge: {get_attr: [ServiceChain, role_data, docker_config, step_2]}} diff --git a/environments/auditd.yaml b/environments/auditd.yaml new file mode 100644 index 00000000..b358c98a --- /dev/null +++ b/environments/auditd.yaml 
@@ -0,0 +1,119 @@ +resource_registry: + OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml + +parameter_defaults: + AuditdRules: + 'Record attempts to alter time through adjtimex': + content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules' + order : 1 + 'Record attempts to alter time through settimeofday': + content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules' + order : 2 + 'Record Attempts to Alter Time Through stime': + content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules' + order : 3 + 'Record Attempts to Alter Time Through clock_settime': + content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules' + order : 4 + 'Record Attempts to Alter the localtime File': + content: '-w /etc/localtime -p wa -k audit_time_rules' + order : 5 + 'Record Events that Modify the Systems Discretionary Access Controls - chmod': + content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 5 + 'Record Events that Modify the Systems Discretionary Access Controls - chown': + content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 6 + 'Record Events that Modify the Systems Discretionary Access Controls - fchmod': + content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 7 + 'Record Events that Modify the Systems Discretionary Access Controls - fchmodat': + content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 8 + 'Record Events that Modify the Systems Discretionary Access Controls - fchown': + content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 9 + 'Record Events that Modify the Systems Discretionary Access Controls - fchownat': + content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 10 + 'Record Events that Modify the Systems 
Discretionary Access Controls - fremovexattr': + content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 11 + 'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr': + content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 12 + 'Record Events that Modify the Systems Discretionary Access Controls - lchown': + content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 13 + 'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr': + content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 14 + 'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr': + content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 15 + 'Record Events that Modify the Systems Discretionary Access Controls - removexattr': + content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 16 + 'Record Events that Modify the Systems Discretionary Access Controls - setxattr': + content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 17 + 'Record Events that Modify User/Group Information - /etc/group': + content: '-w /etc/group -p wa -k audit_rules_usergroup_modification' + order : 18 + 'Record Events that Modify User/Group Information - /etc/passwd': + content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification' + order : 19 + 'Record Events that Modify User/Group Information - /etc/gshadow': + content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification' + order : 20 + 'Record Events that Modify User/Group Information - /etc/shadow': + content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification' + order : 21 + 'Record Events that Modify User/Group 
Information - /etc/opasswd': + content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification' + order : 22 + 'Record Events that Modify the Systems Network Environment - sethostname / setdomainname': + content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification' + order : 23 + 'Record Events that Modify the Systems Network Environment - /etc/issue': + content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification' + order : 24 + 'Record Events that Modify the Systems Network Environment - /etc/issue.net': + content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification' + order : 25 + 'Record Events that Modify the Systems Network Environment - /etc/hosts': + content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification' + order : 26 + 'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network': + content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification' + order : 27 + 'Record Events that Modify the Systems Mandatory Access Controls': + content: '-w /etc/selinux/ -p wa -k MAC-policy' + order : 28 + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)': + content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + order : 29 + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)': + content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + order : 30 + 'Ensure auditd Collects Information on the Use of Privileged Commands': + content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged' + order : 31 + 'Ensure auditd Collects Information on Exporting to Media (successful)': + content: '-a 
always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export' + order : 32 + 'Ensure auditd Collects File Deletion Events by User': + content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' + order : 33 + 'Ensure auditd Collects System Administrator Actions': + content: '-w /etc/sudoers -p wa -k actions' + order : 34 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)': + content: '-w /usr/sbin/insmod -p x -k modules' + order : 35 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)': + content: '-w /usr/sbin/rmmod -p x -k modules' + order : 36 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)': + content: '-w /usr/sbin/modprobe -p x -k modules' + order : 37 diff --git a/environments/cinder-dellps-config.yaml b/environments/cinder-dellps-config.yaml new file mode 100644 index 00000000..eefd0fd6 --- /dev/null +++ b/environments/cinder-dellps-config.yaml 
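Review bot: In environments/auditd.yaml the rule 'Ensure auditd Collects Information on the Use of Privileged Commands' still carries the placeholder `-F path=SETUID_PROG_PATH`, so as shipped it watches a path that does not exist instead of the host's setuid binaries; that rule needs to be generated per binary or left out until it is. Two rules share `order : 5` ('Record Attempts to Alter the localtime File' and the chmod rule), which leaves their relative position in the assembled rules file undefined. 'Record Attempts to Alter Time Through stime' pairs `-S stime` with `-F arch=b64`, but on x86_64 stime exists only in the 32-bit syscall table, so auditctl is likely to reject that line and, depending on how the puppet module loads the file, stop before the remaining rules. More generally every syscall rule here is `-F arch=b64` only, so 32-bit syscalls are not recorded at all; the hardening baselines these names come from add a matching `-F arch=b32` rule for each syscall rule.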
@@ -0,0 +1,31 @@
+# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# A Heat environment file which can be used to enable a
+# a Cinder Dell EMC PS Series backend, configured via puppet
+resource_registry:
+ OS::TripleO::Services::CinderBackendDellPs: ../puppet/services/cinder-backend-dellps.yaml
+
+parameter_defaults:
+ CinderEnableDellPsBackend: true
+ CinderDellPsBackendName: 'tripleo_dellps'
+ CinderDellPsSanIp: ''
+ CinderDellPsSanLogin: ''
+ CinderDellPsSanPassword: ''
+ CinderDellPsSanThinProvision: true
+ CinderDellPsGroupname: 'group-0'
+ CinderDellPsPool: 'default'
+ CinderDellPsChapLogin: ''
+ CinderDellPsChapPassword: ''
+ CinderDellPsUseChap: false
diff --git a/environments/cinder-eqlx-config.yaml b/environments/cinder-eqlx-config.yaml
deleted file mode 100644
index ca2c5e5a..00000000
--- a/environments/cinder-eqlx-config.yaml
+++ /dev/null
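Review bot: environments/cinder-dellps-config.yaml ships `CinderDellPsSanPassword: ''` and `CinderDellPsChapPassword: ''` as plain parameter_defaults that operators fill in, so the SAN and CHAP credentials end up in a file that is commonly committed next to the rest of the deployment environment. A header comment telling operators to keep the filled-in copy out of version control, plus a check that the service template declares both parameters with `hidden: true` so they are masked in stack parameter output (that template, ../puppet/services/cinder-backend-dellps.yaml, is not in this diff), would close that gap; the deleted cinder-eqlx-config.yaml had the same shape, so this is inherited rather than new.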
@@ -1,17 +0,0 @@
-# A Heat environment file which can be used to enable a
-# a Cinder eqlx backen, configured via puppet
-resource_registry:
- OS::TripleO::ControllerExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/cinder-eqlx.yaml
-
-parameter_defaults:
- CinderEnableEqlxBackend: true
- CinderEqlxBackendName: 'tripleo_eqlx'
- CinderEqlxSanIp: ''
- CinderEqlxSanLogin: ''
- CinderEqlxSanPassword: ''
- CinderEqlxSanThinProvision: true
- CinderEqlxGroupname: 'group-0'
- CinderEqlxPool: 'default'
- CinderEqlxChapLogin: ''
- CinderEqlxChapPassword: ''
- CinderEqlxUseChap: false
diff --git a/environments/collectd-environment.yaml b/environments/collectd-environment.yaml
new file mode 100644
index 00000000..7780530c
--- /dev/null
+++ b/environments/collectd-environment.yaml
@@ -0,0 +1,23 @@
+resource_registry:
+ OS::TripleO::Services::Collectd: ../puppet/services/metrics/collectd.yaml
+
+# parameter_defaults:
+#
+## You can specify additional plugins to load using the
+## CollectdExtraPlugins key:
+#
+# CollectdExtraPlugins:
+# - disk
+# - df
+#
+## You can use ExtraConfig (or one of the related *ExtraConfig keys)
+## to configure collectd. See the documentation for puppet-collectd at
+## https://github.com/voxpupuli/puppet-collectd for details.
+#
+# ExtraConfig:
+# collectd::plugin::disk::disks:
+# - "/^[vhs]d[a-f][0-9]?$/"
+# collectd::plugin::df::mountpoints:
+# - "/"
+# collectd::plugin::df::ignoreselected: false
+# collectd::plugin::cpu::valuespercentage: true
diff --git a/environments/deployed-server-bootstrap-environment-rhel.yaml b/environments/deployed-server-bootstrap-environment-rhel.yaml
new file mode 100644
index 00000000..f614a91a
--- /dev/null
+++ b/environments/deployed-server-bootstrap-environment-rhel.yaml
@@ -0,0 +1,7 @@
+# An environment that can be used with the deployed-server.yaml template to do
+# initial bootstrapping of the deployed servers.
+resource_registry:
+ OS::TripleO::DeployedServer::Bootstrap: ../deployed-server/deployed-server-bootstrap-rhel.yaml
+
+parameter_defaults:
+ EnablePackageInstall: True
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index d2fc59c6..ff4ecfbe 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -2,9 +2,18 @@
# a TLS for in the internal network via certmonger
parameter_defaults:
EnableInternalTLS: true
+
+ # Required for novajoin to enroll the overcloud nodes
+ ServerMetadata:
+ ipa_enroll: True
+
resource_registry:
OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
# We use apache as a TLS proxy
OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
+
+ # Creates nova metadata that will create the extra service principals per
+ # node.
+ OS::TripleO::ServiceServerMetadataHook: ../extraconfig/nova_metadata/krb-service-principals.yaml
diff --git a/environments/major-upgrade-all-in-one.yaml b/environments/major-upgrade-all-in-one.yaml
index 69d72edd..4283b212 100644
--- a/environments/major-upgrade-all-in-one.yaml
+++ b/environments/major-upgrade-all-in-one.yaml
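Review bot: `ServerMetadata: ipa_enroll: True` is added as a plain parameter default, and Heat parameter_defaults for the same key are replaced rather than merged across environment files, so a deployer who sets ServerMetadata in a later environment silently loses ipa_enroll, and one who loads this file later loses their own metadata. The comment above it could carry that caveat, e.g. `# Required for novajoin to enroll the overcloud nodes (parameter_defaults are not merged: if ServerMetadata is set elsewhere, include ipa_enroll: True there too)`. That interaction is inferred from how environment files compose, not from anything else visible in this hunk.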
@@ -1,8 +1,2 @@
-# We run the upgrade steps without disabling the OS::TripleO::PostDeploySteps
-# this means you can do a major upgrade in one pass, which may be useful
-# e.g for all-in-one deployments where we can upgrade the compute services
-# at the same time as the controlplane
-# Note that it will be necessary to pass a mapping of OS::Heat::None again for
-# any subsequent updates, or the upgrade steps will run again.
resource_registry:
- OS::TripleO::UpgradeSteps: ../puppet/major_upgrade_steps.yaml
+ OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml
diff --git a/environments/major-upgrade-composable-steps.yaml b/environments/major-upgrade-composable-steps.yaml
index 7e10014b..4283b212 100644
--- a/environments/major-upgrade-composable-steps.yaml
+++ b/environments/major-upgrade-composable-steps.yaml
@@ -1,3 +1,2 @@
resource_registry:
- OS::TripleO::UpgradeSteps: ../puppet/major_upgrade_steps.yaml
- OS::TripleO::PostDeploySteps: OS::Heat::None
+ OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml
diff --git a/environments/neutron-opendaylight-l3.yaml b/environments/neutron-opendaylight-l3.yaml
deleted file mode 100644
index 6d5c7404..00000000
--- a/environments/neutron-opendaylight-l3.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# A Heat environment that can be used to deploy OpenDaylight with L3 DVR
-resource_registry:
- OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
- OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None
- OS::TripleO::Services::ComputeNeutronCorePlugin: OS::Heat::None
- OS::TripleO::Services::OpenDaylightApi: ../puppet/services/opendaylight-api.yaml
- OS::TripleO::Services::OpenDaylightOvs: ../puppet/services/opendaylight-ovs.yaml
- OS::TripleO::Services::NeutronL3Agent: OS::Heat::None
-
-parameter_defaults:
- NeutronEnableForceMetadata: true
- NeutronMechanismDrivers: 'opendaylight_v2'
- NeutronServicePlugins: 'odl-router_v2'
- OpenDaylightEnableL3: "'yes'"
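Review bot: The six comment lines explaining why the post-deploy steps are pointed at the upgrade workflow, and that a later stack update must restore the default mapping or the upgrade steps run again, are removed and nothing replaces them, leaving a two-line file with no context; the major-upgrade-composable-steps.yaml hunk on this same line ends up identical and equally undocumented. Whether the re-run caveat still holds with the new PostDeploySteps mapping is inferred from the mapping alone, but a one-line pointer such as `# Runs the major upgrade steps in place of the normal post-deploy steps; do not keep this environment in later stack updates` would preserve the operational warning that the old comment carried.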
diff --git a/environments/services/octavia.yaml b/environments/services/octavia.yaml
new file mode 100644
index 00000000..24c57b8c
--- /dev/null
+++ b/environments/services/octavia.yaml
@@ -0,0 +1,9 @@
+resource_registry:
+ OS::TripleO::Services::OctaviaApi: ../../puppet/services/octavia-api.yaml
+ OS::TripleO::Services::OctaviaHealthManager: ../../puppet/services/octavia-health-manager.yaml
+ OS::TripleO::Services::OctaviaHousekeeping: ../../puppet/services/octavia-housekeeping.yaml
+ OS::TripleO::Services::OctaviaWorker: ../../puppet/services/octavia-worker.yaml
+
+parameter_defaults:
+ NeutronServicePlugins: "qos,router,trunk,lbaasv2"
+ NeutronEnableForceMetadata: true
diff --git a/environments/sshd-banner.yaml b/environments/sshd-banner.yaml
new file mode 100644
index 00000000..041c0990
--- /dev/null
+++ b/environments/sshd-banner.yaml
@@ -0,0 +1,13 @@
+resource_registry:
+ OS::TripleO::Services::Sshd: ../puppet/services/sshd.yaml
+
+parameter_defaults:
+ BannerText: |
+ ******************************************************************
+ * This system is for the use of authorized users only. Usage of *
+ * this system may be monitored and recorded by system personnel. *
+ * Anyone using this system expressly consents to such monitoring *
+ * and is advised that if such monitoring reveals possible *
+ * evidence of criminal activity, system personnel may provide *
+ * the evidence from such monitoring to law enforcement officials.*
+ ******************************************************************
diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh
index edcc9e8e..c66dd01f 100755
--- a/extraconfig/tasks/yum_update.sh
+++ b/extraconfig/tasks/yum_update.sh
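Review bot: `NeutronServicePlugins: "qos,router,trunk,lbaasv2"` replaces the whole plugin list rather than appending lbaasv2, so when this environment is combined with another that also sets NeutronServicePlugins only the file loaded last wins, and any plugin a deployer added is dropped. A comment stating that, e.g. `# Overrides the full NeutronServicePlugins list; re-add any other plugins you rely on here`, would make the trade-off visible. The sshd-banner.yaml hunk on this same line raises nothing.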
@@ -10,6 +10,11 @@ echo "Started yum_update.sh on server $deploy_server_id at `date`"
echo -n "false" > $heat_outputs_path.update_managed_packages
+if [ -f /.dockerenv ]; then
+ echo "Not running due to running inside a container"
+ exit 0
+fi
+
if [[ -z "$update_identifier" ]]; then
echo "Not running due to unset update_identifier"
exit 0
diff --git a/network/endpoints/build_endpoint_map.py b/network/endpoints/build_endpoint_map.py
index 7e8088be..990cbabc 100755
--- a/network/endpoints/build_endpoint_map.py
+++ b/network/endpoints/build_endpoint_map.py
@@ -280,8 +280,9 @@ def main():
try:
if options.check:
if not check_up_to_date(options.output_file, options.input_file):
- print('EndpointMap template does not match input data',
- file=sys.stderr)
+ print('EndpointMap template does not match input data. Please '
+ 'run the build_endpoint_map.py tool to update the '
+ 'template.', file=sys.stderr)
sys.exit(2)
else:
build_endpoint_map(options.output_file, options.input_file)
diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml
index 390b18b4..b2562c79 100644
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@@ -49,6 +49,7 @@ parameters:
NovaPlacementNetwork: internal_api
NovaMetadataNetwork: internal_api
NovaVncProxyNetwork: internal_api
+ NovaLibvirtNetwork: internal_api
Ec2ApiNetwork: internal_api
Ec2ApiMetadataNetwork: internal_api
SwiftStorageNetwork: storage_mgmt
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 7c4e78fa..503c42f7 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
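Review bot: The new guard keys only on the /.dockerenv marker, which Docker creates and other container runtimes generally do not, so the "inside a container" early exit is Docker-specific; a comment recording that assumption would help the next reader, e.g. `# /.dockerenv is created by Docker only; other runtimes are not detected here`. The exit happens after update_managed_packages has already been written as "false" on the preceding line, so the heat output stays consistent on this path. The rest of the script lies outside the hunk.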
@@ -2,6 +2,7 @@ resource_registry:
OS::TripleO::SoftwareDeployment: OS::Heat::StructuredDeployment
OS::TripleO::PostDeploySteps: puppet/post.yaml
+ OS::TripleO::PostUpgradeSteps: puppet/post.yaml
OS::TripleO::AllNodes::SoftwareConfig: puppet/all-nodes-config.yaml
OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml
OS::TripleO::DefaultPasswords: default_passwords.yaml
@@ -110,7 +111,6 @@ resource_registry:
# Upgrade resources
OS::TripleO::UpgradeConfig: puppet/upgrade_config.yaml
- OS::TripleO::UpgradeSteps: OS::Heat::None
# services
OS::TripleO::Services: puppet/services/services.yaml
@@ -171,6 +171,7 @@ resource_registry:
OS::TripleO::Services::Memcached: puppet/services/memcached.yaml
OS::TripleO::Services::SaharaApi: OS::Heat::None
OS::TripleO::Services::SaharaEngine: OS::Heat::None
+ OS::TripleO::Services::Sshd: OS::Heat::None
OS::TripleO::Services::Redis: puppet/services/database/redis.yaml
OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml
OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml
@@ -201,6 +202,7 @@ resource_registry:
OS::TripleO::Services::GnocchiStatsd: puppet/services/gnocchi-statsd.yaml
# Services that are disabled by default (use relevant environment files):
OS::TripleO::Services::FluentdClient: OS::Heat::None
+ OS::TripleO::Services::Collectd: OS::Heat::None
OS::TripleO::LoggingConfiguration: puppet/services/logging/fluentd-config.yaml
OS::TripleO::Services::ManilaApi: OS::Heat::None
OS::TripleO::Services::ManilaScheduler: OS::Heat::None
@@ -239,6 +241,11 @@ resource_registry:
OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None
OS::TripleO::Services::Etcd: OS::Heat::None
OS::TripleO::Services::Ec2Api: OS::Heat::None
+ OS::TripleO::Services::AuditD: OS::Heat::None
+ OS::TripleO::Services::OctaviaApi: OS::Heat::None
+ OS::TripleO::Services::OctaviaHealthManager: OS::Heat::None
+ OS::TripleO::Services::OctaviaHousekeeping: OS::Heat::None
+ OS::TripleO::Services::OctaviaWorker: OS::Heat::None
parameter_defaults:
EnablePackageInstall: false
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index f93c19a3..dea748ed 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -598,9 +598,9 @@ resources:
{{role.name}}: {get_attr: [{{role.name}}, attributes, nova_server_resource]}
{% endfor %}
- # Upgrade steps for all roles
- AllNodesUpgradeSteps:
- type: OS::TripleO::UpgradeSteps
+ # Post deployment steps for all roles
+ AllNodesDeploySteps:
+ type: OS::TripleO::PostDeploySteps
depends_on:
{% for role in roles %} - {{role.name}}AllNodesDeployment
@@ -615,20 +615,6 @@ resources:
{{role.name}}: {get_attr: [{{role.name}}ServiceChain, role_data]}
{% endfor %}
- # Post deployment steps for all roles
- AllNodesDeploySteps:
- type: OS::TripleO::PostDeploySteps
- depends_on: AllNodesUpgradeSteps
- properties:
- servers:
-{% for role in roles %}
- {{role.name}}: {get_attr: [{{role.name}}, attributes, nova_server_resource]}
-{% endfor %}
- role_data:
-{% for role in roles %}
- {{role.name}}: {get_attr: [{{role.name}}ServiceChain, role_data]}
-{% endfor %}
-
outputs:
ManagedEndpoints:
description: Asserts that the keystone endpoints have been provisioned.
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
index 007023cd..d3268ee2 100644
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@@ -459,7 +459,6 @@ resources: - vip_data # provided by allNodesConfig - '"%{::osfamily}"' - cinder_netapp_data # Optionally provided by ControllerExtraConfigPre - - cinder_eqlx_data # Optionally provided by ControllerExtraConfigPre - neutron_bigswitch_data # Optionally provided by ControllerExtraConfigPre - neutron_cisco_data # Optionally provided by ControllerExtraConfigPre - cisco_n1kv_data # Optionally provided by ControllerExtraConfigPre
diff --git a/puppet/extraconfig/all_nodes/neutron-ml2-cisco-nexus-ucsm.yaml b/puppet/extraconfig/all_nodes/neutron-ml2-cisco-nexus-ucsm.yaml
index cb8d498c..9b900bc4 100644
--- a/puppet/extraconfig/all_nodes/neutron-ml2-cisco-nexus-ucsm.yaml
+++ b/puppet/extraconfig/all_nodes/neutron-ml2-cisco-nexus-ucsm.yaml
@@ -245,7 +245,9 @@ resources:
for map_name in mappings:
f_name = '/root/' + map_name
map_data = os.getenv(map_name, "Nada")
- with open(f_name, 'a') as f:
+ with os.fdopen(os.open(f_name,
+ os.O_CREAT | os.O_TRUNC | os.O_WRONLY, 0o644),
+ 'w') as f:
f.write(map_data)
if map_data is not "Nada":
if map_name is not 'nexus_config':
@@ -260,7 +262,9 @@ resources:
for mac in vals[1:]:
mac2host[mac.lower()] = vals[0]
- with open('/root/mac2host', 'a') as f:
+ with os.fdopen(os.open('/root/mac2host',
+ os.O_CREAT | os.O_TRUNC | os.O_WRONLY, 0o644),
+ 'w') as f:
f.write(str(mac2host))
# now we have mac to host, map host to switchport in hieradata
diff --git a/puppet/extraconfig/pre_deploy/controller/cinder-eqlx.yaml b/puppet/extraconfig/pre_deploy/controller/cinder-eqlx.yaml
deleted file mode 100644
index 30509044..00000000
--- a/puppet/extraconfig/pre_deploy/controller/cinder-eqlx.yaml
+++ /dev/null
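Review bot: Both neutron-ml2-cisco-nexus-ucsm.yaml hunks switch the /root/<map_name> and /root/mac2host files from append to create-or-truncate with an explicit 0o644 mode (still subject to umask), so data lifted from environment variables — including the nexus switch configuration written by the first loop — becomes world-readable under /root; unless another reader on the node needs these files, `0o600` is the safer mode in both `os.open(...)` calls. Two context lines just below the first replacement, `if map_data is not "Nada":` and `if map_name is not 'nexus_config':`, compare strings by identity, which only works by accident of interning; that is pre-existing, but since the surrounding lines are being rewritten `!=` is the correct operator there. The embedded script continues outside both hunks.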
@@ -1,86 +0,0 @@
-heat_template_version: ocata
-
-description: Configure hieradata for Cinder Eqlx configuration
-
-parameters:
- server:
- description: ID of the controller node to apply this config to
- type: string
-
- # Config specific parameters, to be provided via parameter_defaults
- CinderEnableEqlxBackend:
- type: boolean
- default: true
- CinderEqlxBackendName:
- type: string
- default: 'tripleo_eqlx'
- CinderEqlxSanIp:
- type: string
- CinderEqlxSanLogin:
- type: string
- CinderEqlxSanPassword:
- type: string
- hidden: true
- CinderEqlxSanThinProvision:
- type: boolean
- default: true
- CinderEqlxGroupname:
- type: string
- default: 'group-0'
- CinderEqlxPool:
- type: string
- default: 'default'
- CinderEqlxChapLogin:
- type: string
- default: ''
- CinderEqlxChapPassword:
- type: string
- default: ''
- CinderEqlxUseChap:
- type: boolean
- default: false
-
-resources:
- CinderEqlxConfig:
- type: OS::Heat::StructuredConfig
- properties:
- group: os-apply-config
- config:
- hiera:
- datafiles:
- cinder_eqlx_data:
- mapped_data:
- tripleo::profile::base::cinder::volume::cinder_enable_eqlx_backend: {get_input: EnableEqlxBackend}
- cinder::backend::eqlx::volume_backend_name: {get_input: EqlxBackendName}
- cinder::backend::eqlx::san_ip: {get_input: EqlxSanIp}
- cinder::backend::eqlx::san_login: {get_input: EqlxSanLogin}
- cinder::backend::eqlx::san_password: {get_input: EqlxSanPassword}
- cinder::backend::eqlx::san_thin_provision: {get_input: EqlxSanThinProvision}
- cinder::backend::eqlx::eqlx_group_name: {get_input: EqlxGroupname}
- cinder::backend::eqlx::eqlx_pool: {get_input: EqlxPool}
- cinder::backend::eqlx::eqlx_use_chap: {get_input: EqlxUseChap}
- cinder::backend::eqlx::eqlx_chap_login: {get_input: EqlxChapLogin}
- cinder::backend::eqlx::eqlx_chap_password: {get_input: EqlxChapPassword}
-
- CinderEqlxDeployment:
- type: OS::Heat::StructuredDeployment
- properties:
- config: {get_resource: CinderEqlxConfig}
- server: {get_param: server}
- input_values:
-
EnableEqlxBackend: {get_param: CinderEnableEqlxBackend}
- EqlxBackendName: {get_param: CinderEqlxBackendName}
- EqlxSanIp: {get_param: CinderEqlxSanIp}
- EqlxSanLogin: {get_param: CinderEqlxSanLogin}
- EqlxSanPassword: {get_param: CinderEqlxSanPassword}
- EqlxSanThinProvision: {get_param: CinderEqlxSanThinProvision}
- EqlxGroupname: {get_param: CinderEqlxGroupname}
- EqlxPool: {get_param: CinderEqlxPool}
- EqlxUseChap: {get_param: CinderEqlxUseChap}
- EqlxChapLogin: {get_param: CinderEqlxChapLogin}
- EqlxChapPassword: {get_param: CinderEqlxChapPassword}
-
-outputs:
- deploy_stdout:
- description: Deployment reference, used to trigger puppet apply on changes
- value: {get_attr: [CinderEqlxDeployment, deploy_stdout]}
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index eae85991..b879fafa 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
@@ -1,4 +1,6 @@
-{% set upgrade_steps_max = 8 -%}
+{% set enabled_roles = roles|rejectattr('disable_upgrade_deployment')|list -%}
+{% set batch_upgrade_steps_max = 3 -%}
+{% set upgrade_steps_max = 6 -%}
heat_template_version: ocata
description: 'Upgrade steps for all roles'
@@ -18,54 +20,53 @@ parameters: conditions: # Conditions to disable any steps where the task list is empty -{% for step in range(0, upgrade_steps_max) %} - {% for role in roles %} - UpgradeBatchConfig_Step{{step}}Enabled: +{%- for role in roles %} + {{role.name}}UpgradeBatchConfigEnabled: not: equals: - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} - [] - UpgradeConfig_Step{{step}}Enabled: + {{role.name}}UpgradeConfigEnabled: not: equals: - {get_param: [role_data, {{role.name}}, upgrade_tasks]} - [] - {% endfor %} -{% endfor %} +{%- endfor %} resources: # Upgrade Steps for all roles, batched updates -# FIXME(shardy): would be nice to make the number of steps configurable -{% for step in range(0, upgrade_steps_max) %} - {% for role in roles %} - # Step {{step}} resources +# The UpgradeConfig resources could actually be created without +# serialization, but the event output is easier to follow if we +# do, and there should be minimal performance hit (creating the +# config is cheap compared to the time to apply the deployment). +{% for step in range(0, batch_upgrade_steps_max) %} + # Batch config resources step {{step}} + {%- for role in roles %} {{role.name}}UpgradeBatchConfig_Step{{step}}: type: OS::TripleO::UpgradeConfig - condition: UpgradeBatchConfig_Step{{step}}Enabled - # The UpgradeConfig resources could actually be created without - # serialization, but the event output is easier to follow if we - # do, and there should be minimal performance hit (creating the - # config is cheap compared to the time to apply the deployment). 
- {% if step > 0 %} + {%- if step > 0 %} depends_on: - {% for dep in roles %} + {%- for dep in enabled_roles %} - {{dep.name}}UpgradeBatch_Step{{step -1}} - {% endfor %} - {% endif %} + {%- endfor %} + {%- endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} step: {{step}} + {%- endfor %} + # Batch deployment resources for step {{step}} (only for enabled roles) + {%- for role in enabled_roles %} {{role.name}}UpgradeBatch_Step{{step}}: - type: OS::Heat::StructuredDeploymentGroup - condition: UpgradeBatchConfig_Step{{step}}Enabled - {% if step > 0 %} + type: OS::Heat::SoftwareDeploymentGroup + condition: {{role.name}}UpgradeBatchConfigEnabled + {%- if step > 0 %} depends_on: - {% for dep in roles %} + {%- for dep in enabled_roles %} - {{dep.name}}UpgradeBatch_Step{{step -1}} - {% endfor %} - {% endif %} + {%- endfor %} + {%- endif %} update_policy: batch_create: max_batch_size: {{role.upgrade_batch_size|default(1)}} 
@@ -78,52 +79,49 @@ resources: input_values: role: {{role.name}} update_identifier: {get_param: UpdateIdentifier} - {% endfor %} -{% endfor %} + {%- endfor %} +{%- endfor %} # Upgrade Steps for all roles -# FIXME(shardy): would be nice to make the number of steps configurable -{% for step in range(0, upgrade_steps_max) %} - {% for role in roles %} - # Step {{step}} resources +{%- for step in range(0, upgrade_steps_max) %} + # Config resources for step {{step}} + {%- for role in roles %} {{role.name}}UpgradeConfig_Step{{step}}: type: OS::TripleO::UpgradeConfig - condition: UpgradeConfig_Step{{step}}Enabled # The UpgradeConfig resources could actually be created without # serialization, but the event output is easier to follow if we # do, and there should be minimal performance hit (creating the # config is cheap compared to the time to apply the deployment). depends_on: - {% if step > 0 %} - {% for dep in roles %} - {% if not dep.disable_upgrade_deployment|default(false) %} + {%- if step > 0 %} + {%- for dep in enabled_roles %} - {{dep.name}}Upgrade_Step{{step -1}} - {% endif %} - {% endfor %} - {% else %} - {% for dep in roles %} - - {{dep.name}}UpgradeBatch_Step{{upgrade_steps_max -1}} - {% endfor %} - {% endif %} + {%- endfor %} + {%- else %} + {%- for dep in enabled_roles %} + - {{dep.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}} + {%- endfor %} + {%- endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} step: {{step}} - {% if not role.disable_upgrade_deployment|default(false) %} + {%- endfor %} + + # Deployment resources for step {{step}} (only for enabled roles) + {%- for role in enabled_roles %} {{role.name}}Upgrade_Step{{step}}: - type: OS::Heat::StructuredDeploymentGroup - condition: UpgradeConfig_Step{{step}}Enabled + type: OS::Heat::SoftwareDeploymentGroup + condition: {{role.name}}UpgradeConfigEnabled depends_on: - {% if step > 0 %} - {% for dep in roles %} - {% if not 
dep.disable_upgrade_deployment|default(false) %} + {%- if step > 0 %} + {%- for dep in enabled_roles %} - {{dep.name}}Upgrade_Step{{step -1}} - {% endif %} - {% endfor %} - {% else %} - {% for dep in roles %} - - {{dep.name}}UpgradeBatch_Step{{upgrade_steps_max -1}} - {% endfor %} - {% endif %} + {%- endfor %} + {%- else %} + {%- for dep in enabled_roles %} + - {{dep.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}} + {%- endfor %} + {%- endif %} properties: name: {{role.name}}Upgrade_Step{{step}} servers: {get_param: [servers, {{role.name}}]} @@ -131,9 +129,21 @@ resources: input_values: role: {{role.name}} update_identifier: {get_param: UpdateIdentifier} - {% endif %} - {% endfor %} -{% endfor %} + {%- endfor %} +{%- endfor %} + + # Post upgrade deployment steps for all roles + # This runs the normal configuration (e.g puppet) steps unless upgrade + # is disabled for the role + AllNodesPostUpgradeSteps: + type: OS::TripleO::PostUpgradeSteps + depends_on: +{%- for dep in enabled_roles %} + - {{dep.name}}Upgrade_Step{{upgrade_steps_max - 1}} +{%- endfor %} + properties: + servers: {get_param: servers} + role_data: {get_param: role_data} outputs: # Output the config for each role, just use Step1 as the config should be diff --git a/puppet/post-upgrade.j2.yaml b/puppet/post-upgrade.j2.yaml new file mode 100644 index 00000000..b84039de --- /dev/null +++ b/puppet/post-upgrade.j2.yaml 
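Review bot: AllNodesPostUpgradeSteps renders `depends_on:` with no list entries when every role sets disable_upgrade_deployment, because the loop only emits items for enabled_roles; Heat would then see a null depends_on, which is presumably rejected at stack validation — this is inferred from the template, not verified. Wrapping the key in the same guard as its items, `{%- if enabled_roles %}` before `depends_on:` and `{%- endif %}` after the loop, keeps the template valid in that configuration, or the template header should state that at least one role must keep upgrades enabled. The per-step `depends_on:` blocks in the two preceding hunks of this file have the same shape for step > 0 and would need the same guard. The enclosing resources section spans all four hunks of this file.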
@@ -0,0 +1,27 @@
+heat_template_version: ocata
+
+description: >
+ Post-upgrade configuration steps via puppet for all roles
+ where upgrade is not disabled as defined in ../roles_data.yaml
+
+parameters:
+ servers:
+ type: json
+ description: Mapping of Role name e.g Controller to a list of servers
+
+ role_data:
+ type: json
+ description: Mapping of Role name e.g Controller to the per-role data
+
+ DeployIdentifier:
+ default: ''
+ type: string
+ description: >
+ Setting this to a unique value will re-run any deployment tasks which
+ perform configuration on a Heat stack-update.
+
+resources:
+# Note the include here is the same as post.j2.yaml but the data used at
+# the time of rendering is different if any roles disable upgrades
+{% set roles = roles|rejectattr('disable_upgrade_deployment')|list -%}
+{% include 'puppet-steps.j2' %}
diff --git a/puppet/post.j2.yaml b/puppet/post.j2.yaml
index 83c32868..39155c36 100644
--- a/puppet/post.j2.yaml
+++ b/puppet/post.j2.yaml
@@ -21,92 +21,4 @@ parameters:
perform configuration on a Heat stack-update.
resources:
- # Post deployment steps for all roles
- # A single config is re-applied with an incrementing step number
-{% for role in roles %}
- # {{role.name}} Role post deploy steps
- {{role.name}}ArtifactsConfig:
- type: deploy-artifacts.yaml
-
- {{role.name}}ArtifactsDeploy:
- type: OS::Heat::StructuredDeployments
- properties:
- servers: {get_param: [servers, {{role.name}}]}
- config: {get_resource: {{role.name}}ArtifactsConfig}
-
- {{role.name}}PreConfig:
- type: OS::TripleO::Tasks::{{role.name}}PreConfig
- properties:
- servers: {get_param: [servers, {{role.name}}]}
- input_values:
- update_identifier: {get_param: DeployIdentifier}
-
- {{role.name}}Config:
- type: OS::TripleO::{{role.name}}Config
- properties:
- StepConfig: {get_param: [role_data, {{role.name}}, step_config]}
-
- {% if role.name == 'Controller' %}
- ControllerPrePuppet:
- type: OS::TripleO::Tasks::ControllerPrePuppet
- properties:
- servers: {get_param: [servers, Controller]}
- input_values:
- update_identifier: {get_param: DeployIdentifier}
- {% endif %}
-
- # Step through a series of configuration steps
-{% for step in range(1, 6) %}
- {{role.name}}Deployment_Step{{step}}:
- type: OS::Heat::StructuredDeploymentGroup
- {% if step == 1 %}
- depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy]
- {% else %}
- depends_on:
- {% for dep in roles %}
- - {{dep.name}}Deployment_Step{{step -1}}
- {% endfor %}
- {% endif %}
- properties:
- name: {{role.name}}Deployment_Step{{step}}
- servers: {get_param: [servers, {{role.name}}]}
- config: {get_resource: {{role.name}}Config}
- input_values:
- step: {{step}}
- update_identifier: {get_param: DeployIdentifier}
-{% endfor %}
-
- {{role.name}}PostConfig:
- type: OS::TripleO::Tasks::{{role.name}}PostConfig
- depends_on:
- {% for dep in roles %}
- - {{dep.name}}Deployment_Step5
- {% endfor %}
- properties:
- servers: {get_param: servers}
- input_values:
-
update_identifier: {get_param: DeployIdentifier}
-
- # Note, this should come last, so use depends_on to ensure
- # this is created after any other resources.
- {{role.name}}ExtraConfigPost:
- depends_on:
- {% for dep in roles %}
- - {{dep.name}}PostConfig
- {% endfor %}
- type: OS::TripleO::NodeExtraConfigPost
- properties:
- servers: {get_param: [servers, {{role.name}}]}
-
- {% if role.name == 'Controller' %}
- ControllerPostPuppet:
- depends_on:
- - ControllerExtraConfigPost
- type: OS::TripleO::Tasks::ControllerPostPuppet
- properties:
- servers: {get_param: [servers, Controller]}
- input_values:
- update_identifier: {get_param: DeployIdentifier}
- {% endif %}
-
-{% endfor %}
+{% include 'puppet-steps.j2' %}
diff --git a/puppet/puppet-steps.j2 b/puppet/puppet-steps.j2
new file mode 100644
index 00000000..c3b54ccd
--- /dev/null
+++ b/puppet/puppet-steps.j2
@@ -0,0 +1,88 @@
+ # Post deployment steps for all roles
+ # A single config is re-applied with an incrementing step number
+{% for role in roles %}
+ # {{role.name}} Role post-deploy steps
+ {{role.name}}ArtifactsConfig:
+ type: deploy-artifacts.yaml
+
+ {{role.name}}ArtifactsDeploy:
+ type: OS::Heat::StructuredDeployments
+ properties:
+ servers: {get_param: [servers, {{role.name}}]}
+ config: {get_resource: {{role.name}}ArtifactsConfig}
+
+ {{role.name}}PreConfig:
+ type: OS::TripleO::Tasks::{{role.name}}PreConfig
+ properties:
+ servers: {get_param: [servers, {{role.name}}]}
+ input_values:
+ update_identifier: {get_param: DeployIdentifier}
+
+ {{role.name}}Config:
+ type: OS::TripleO::{{role.name}}Config
+ properties:
+ StepConfig: {get_param: [role_data, {{role.name}}, step_config]}
+
+ {% if role.name == 'Controller' %}
+ ControllerPrePuppet:
+ type: OS::TripleO::Tasks::ControllerPrePuppet
+ properties:
+ servers: {get_param: [servers, Controller]}
+ input_values:
+ update_identifier: {get_param: DeployIdentifier}
+ {% endif %}
+
+ # Step through a series of configuration steps
+{% for step in range(1, 6) %}
+ {{role.name}}Deployment_Step{{step}}:
+ type: OS::Heat::StructuredDeploymentGroup
+ {% if step == 1 %}
+ depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy]
+ {% else %}
+ depends_on:
+ {% for dep in roles %}
+ - {{dep.name}}Deployment_Step{{step -1}}
+ {% endfor %}
+ {% endif %}
+ properties:
+ name: {{role.name}}Deployment_Step{{step}}
+ servers: {get_param: [servers, {{role.name}}]}
+ config: {get_resource: {{role.name}}Config}
+ input_values:
+ step: {{step}}
+ update_identifier: {get_param: DeployIdentifier}
+{% endfor %}
+
+ {{role.name}}PostConfig:
+ type: OS::TripleO::Tasks::{{role.name}}PostConfig
+ depends_on:
+ {% for dep in roles %}
+ - {{dep.name}}Deployment_Step5
+ {% endfor %}
+ properties:
+ servers: {get_param: servers}
+ input_values:
+ update_identifier: {get_param: DeployIdentifier}
+
+ # Note, this should come last,
so use depends_on to ensure
+ # this is created after any other resources.
+ {{role.name}}ExtraConfigPost:
+ depends_on:
+ {% for dep in roles %}
+ - {{dep.name}}PostConfig
+ {% endfor %}
+ type: OS::TripleO::NodeExtraConfigPost
+ properties:
+ servers: {get_param: [servers, {{role.name}}]}
+
+ {% if role.name == 'Controller' %}
+ ControllerPostPuppet:
+ depends_on:
+ - ControllerExtraConfigPost
+ type: OS::TripleO::Tasks::ControllerPostPuppet
+ properties:
+ servers: {get_param: [servers, Controller]}
+ input_values:
+ update_identifier: {get_param: DeployIdentifier}
+ {% endif %}
+{% endfor %}
diff --git a/puppet/services/README.rst b/puppet/services/README.rst
index 34cb350b..9c2d8c5c 100644
--- a/puppet/services/README.rst
+++ b/puppet/services/README.rst
@@ -57,10 +57,14 @@ is a list of ansible tasks to be performed during the upgrade process. Similar to the step_config, we allow a series of steps for the per-service upgrade sequence, defined as ansible tasks with a tag e.g "step1" for the first
-step, "step2" for the second, etc. Note that each step is performed in batches,
-then we move on to the next step which is also performed in batches (we don't
-perform all steps on one node, then move on to the next one which means you
-can sequence rolling upgrades of dependent services via the step value).
+step, "step2" for the second, etc (currently only two steps are supported, but
+more may be added when required as additional services get converted to batched
+upgrades).
+
+Note that each step is performed in batches, then we move on to the next step
+which is also performed in batches (we don't perform all steps on one node,
+then move on to the next one which means you can sequence rolling upgrades of
+dependent services via the step value).
The tasks performed at each step is service specific, but note that all batch upgrade steps are performed before the `upgrade_tasks` described below. This
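Review bot: puppet-steps.j2 is an include fragment, not a standalone template, yet its only header is `# Post deployment steps for all roles`; nothing says that it must be included from inside a `resources:` block (its first lines are already indented for that) or that it relies on the includer to define `roles` and the `servers`, `role_data` and `DeployIdentifier` parameters it references, which both post.j2.yaml and post-upgrade.j2.yaml happen to do. A short header comment stating those requirements and naming the two includers would stop the next template author from including it at the wrong level. The file content itself is a verbatim move from post.j2.yaml and raises nothing new.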
@@ -93,9 +97,9 @@ step, "step2" for the second, etc. 5) Perform any migration tasks, e.g DB sync commands
- 6) Start control-plane services
-
- 7) Any additional online migration tasks (e.g data migrations)
+Note that the services are not started in the upgrade tasks - we instead re-run
+puppet which does any reconfiguration required for the new version, then starts
+the services.
Nova Server Metadata Settings -----------------------------
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index 2c44f4df..62c4b093 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -85,3 +85,10 @@ outputs:
include tripleo::profile::base::aodh::api
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
+ upgrade_tasks:
+ - name: Stop aodh_api service (running under httpd)
+ tags: step2
+ service: name=httpd state=stopped
+ - name: Run aodh dbsync
+ tags: step5
+ command: aodh-dbsync
diff --git a/puppet/services/aodh-evaluator.yaml b/puppet/services/aodh-evaluator.yaml
index 61f8c23f..56dbb558 100644
--- a/puppet/services/aodh-evaluator.yaml
+++ b/puppet/services/aodh-evaluator.yaml
@@ -40,3 +40,10 @@ outputs:
get_attr: [AodhBase, role_data, config_settings]
step_config: |
include tripleo::profile::base::aodh::evaluator
+ upgrade_tasks:
+ - name: "PreUpgrade step0,validation: Check service openstack-aodh-evaluator is running"
+ shell: /usr/bin/systemctl show 'openstack-aodh-evaluator' --property ActiveState | grep '\bactive\b'
+ tags: step0,validation
+ - name: Stop aodh_evaluator service
+ tags: step2
+ service: name=openstack-aodh-evaluator state=stopped
diff --git a/puppet/services/aodh-listener.yaml b/puppet/services/aodh-listener.yaml
index 715165b3..76db0ca8 100644
--- a/puppet/services/aodh-listener.yaml
+++ b/puppet/services/aodh-listener.yaml
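Review bot: aodh-api adds no `PreUpgrade step0,validation` task, whereas the aodh-evaluator hunk on this line and the aodh-listener and aodh-notifier hunks that follow each verify their service is active at step0 before anything is stopped, so an aodh-api that is already down is only discovered at the step5 dbsync. If that is deliberate because httpd is validated by the apache service template, a comment on the task list saying so would prevent someone "fixing" it later. `service: name=httpd state=stopped` at step2 stops every httpd-hosted service on the node, not only aodh-api, which the task name acknowledges; a comment noting that other httpd-hosted services must tolerate being stopped at step2 would document the cross-service ordering this relies on.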
@@ -40,3 +40,10 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::listener + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-aodh-listener is running" + shell: /usr/bin/systemctl show 'openstack-aodh-listener' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop aodh_listener service + tags: step2 + service: name=openstack-aodh-listener state=stopped diff --git a/puppet/services/aodh-notifier.yaml b/puppet/services/aodh-notifier.yaml index da85581b..30c67635 100644 --- a/puppet/services/aodh-notifier.yaml +++ b/puppet/services/aodh-notifier.yaml @@ -40,3 +40,10 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::notifier + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-aodh-notifier is running" + shell: /usr/bin/systemctl show 'openstack-aodh-notifier' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop aodh_notifier service + tags: step2 + service: name=openstack-aodh-notifier state=stopped diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml index 97d6ff8e..4c21e02a 100644 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ b/puppet/services/apache-internal-tls-certmonger.yaml @@ -63,3 +63,7 @@ outputs: type: node for_each: $NETWORK: {get_attr: [ApacheNetworks, value]} + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service httpd is running" + shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' + tags: step0,validation diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 82e0c5ff..74ddbde8 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml 
@@ -66,3 +66,7 @@ outputs: - "%{hiera('apache_remote_proxy_ips_network')}" metadata_settings: get_attr: [ApacheTLS, role_data, metadata_settings] + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service httpd is running" + shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' + tags: step0,validation diff --git a/puppet/services/auditd.yaml b/puppet/services/auditd.yaml new file mode 100644 index 00000000..639631e1 --- /dev/null +++ b/puppet/services/auditd.yaml @@ -0,0 +1,34 @@ +heat_template_version: ocata + +description: > + AuditD configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + AuditdRules: + description: Mapping of auditd rules + type: json + default: {} + +outputs: + role_data: + description: Role data for the auditd service + value: + service_name: auditd + config_settings: + auditd::rules: {get_param: AuditdRules} + step_config: | + include ::tripleo::profile::base::auditd diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index 4e420750..186af1cc 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -146,3 +146,7 @@ outputs: get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running" + shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation 
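Review bot: In the new auditd.yaml the `AuditdRules` description, "Mapping of auditd rules", does not say what the mapping's keys and values must look like, yet the value is handed straight to `auditd::rules` with no validation in between, so a malformed mapping would only surface as a puppet failure on the nodes. I would extend the description to name the expected shape (presumably the puppet-auditd module's format; confirm against that module) and point the operator at it, e.g. `description: Mapping of rule name -> auditd rule content, passed unchanged to the puppet auditd::rules resource.` Since this service drives the host audit policy, an example entry in the description would also help reviewers check what an environment file actually enables.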
diff --git a/puppet/services/ceilometer-agent-central.yaml b/puppet/services/ceilometer-agent-central.yaml index b9d8966c..cf8a8a8e 100644 --- a/puppet/services/ceilometer-agent-central.yaml +++ b/puppet/services/ceilometer-agent-central.yaml @@ -54,3 +54,10 @@ outputs: - ceilometer_redis_password: {get_param: RedisPassword} step_config: | include ::tripleo::profile::base::ceilometer::agent::central + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-central is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-central' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_agent_central service + tags: step2 + service: name=openstack-ceilometer-central state=stopped diff --git a/puppet/services/ceilometer-agent-compute.yaml b/puppet/services/ceilometer-agent-compute.yaml index b666b86b..00042914 100644 --- a/puppet/services/ceilometer-agent-compute.yaml +++ b/puppet/services/ceilometer-agent-compute.yaml @@ -48,3 +48,10 @@ outputs: - ceilometer::agent::compute::instance_discovery_method: {get_param: InstanceDiscoveryMethod} step_config: | include ::tripleo::profile::base::ceilometer::agent::compute + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-compute is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-compute' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_agent_compute service + tags: step2 + service: name=openstack-ceilometer-compute state=stopped diff --git a/puppet/services/ceilometer-agent-notification.yaml b/puppet/services/ceilometer-agent-notification.yaml index 9c9a3bd9..760acd65 100644 --- a/puppet/services/ceilometer-agent-notification.yaml +++ b/puppet/services/ceilometer-agent-notification.yaml 
@@ -49,3 +49,10 @@ outputs: get_attr: [CeilometerServiceBase, role_data, config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::notification + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-notification is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-notification' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_agent_notification service + tags: step2 + service: name=openstack-ceilometer-notification state=stopped diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index f774167f..741f8da1 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -92,3 +92,7 @@ outputs: include ::tripleo::profile::base::ceilometer::api metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop ceilometer_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml index 88e7d781..a219f9eb 100644 --- a/puppet/services/ceilometer-collector.yaml +++ b/puppet/services/ceilometer-collector.yaml @@ -59,3 +59,10 @@ outputs: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::collector + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-collector is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-collector' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_collector service + tags: step2 + service: name=openstack-ceilometer-collector state=stopped diff --git a/puppet/services/ceilometer-expirer.yaml b/puppet/services/ceilometer-expirer.yaml index 714434b1..5341cfee 100644 --- a/puppet/services/ceilometer-expirer.yaml 
+++ b/puppet/services/ceilometer-expirer.yaml @@ -40,3 +40,7 @@ outputs: get_attr: [CeilometerServiceBase, role_data, config_settings] step_config: | include ::tripleo::profile::base::ceilometer::expirer + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-expirer is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-expirer' --property ActiveState | grep '\bactive\b' + tags: step0,validation diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index 0c61305d..1ce58335 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml @@ -117,6 +117,9 @@ outputs: # Note we perform these tasks in list order, but they are all step0 so # we can perform a rolling upgrade of all mon nodes in step0, then a # rolling upgrade of all osd nodes in step1 + - name: Check status + tags: step0,validation + shell: ceph health | grep -qv HEALTH_ERR # FIXME(shardy) I suspect we can use heat or ansible facts here instead? - name: Get hostname tags: step0 @@ -127,7 +130,7 @@ outputs: service: name=ceph-mon@{{mon_id.stdout}} pattern=ceph-mon state=stopped - name: Update ceph packages tags: step0 - yum: name=ceph-mon,ceph state=latest + yum: name=ceph-mon state=latest - name: Start ceph-mon service tags: step0 service: name=ceph-mon@{{mon_id.stdout}} state=started diff --git a/puppet/services/ceph-osd.yaml b/puppet/services/ceph-osd.yaml index e9ed6c29..9bd83aab 100644 --- a/puppet/services/ceph-osd.yaml +++ b/puppet/services/ceph-osd.yaml @@ -46,6 +46,9 @@ outputs: step_config: | include ::tripleo::profile::base::ceph::osd upgrade_batch_tasks: + - name: Check status + tags: step1,validation + shell: ceph health | grep -qv HEALTH_ERR - name: Get OSD IDs tags: step1 shell: ls /var/lib/ceph/osd | awk 'BEGIN { FS = "-" } ; { print $2 }' 
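Review bot: The new "Check status" task in ceph-mon.yaml, `shell: ceph health | grep -qv HEALTH_ERR`, passes as soon as any output line lacks `HEALTH_ERR`, because `-v` inverts the match per line; the same command is added in the ceph-osd.yaml hunk below. If `ceph health` ever emits more than one line (detail lines after the status, for instance) the check succeeds even when the cluster is in HEALTH_ERR, so the upgrade would proceed on an unhealthy cluster. Anchoring the test to the status line keeps the current semantics while closing that gap: `shell: ceph health | head -n1 | grep -qv HEALTH_ERR`. Empty output (cluster unreachable) still fails, which is the behaviour you want for a pre-upgrade validation.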
@@ -65,14 +68,14 @@ outputs: command: ceph osd set noscrub - name: Stop Ceph OSD tags: step1 - service: name=ceph-osd@$item state=stopped + service: name=ceph-osd@{{ item }} state=stopped with_items: "{{osd_ids.stdout.strip().split()}}" - name: Update ceph OSD packages tags: step1 yum: name=ceph-osd state=latest - name: Start ceph-osd service tags: step1 - service: name=ceph-osd@$item state=started + service: name=ceph-osd@{{ item }} state=started with_items: "{{osd_ids.stdout.strip().split()}}" - name: ceph osd unset noout tags: step1 diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 92536994..83339f2b 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml @@ -77,3 +77,14 @@ outputs: ceph::rgw::keystone::auth::tenant: service ceph::rgw::keystone::auth::user: swift ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} + upgrade_tasks: + - name: Gather RGW instance ID + tags: step0 + shell: hiera -c /etc/puppet/hiera.yaml ceph::profile::params::rgw_name radosgw.gateway + register: rgw_id + - name: Check status + shell: /usr/bin/systemctl show ceph-radosgw@{{rgw_id.stdout}} --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop RGW instance + tags: step1 + service: name=ceph-radosgw@{{rgw_id.stdout}} state=stopped diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index e3c96325..bc5f080d 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -149,7 +149,7 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - - name: "PreUpgrade step0: Check service openstack-cinder-api is running" + - name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running" shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b' tags: step0,validation - name: check for cinder running under apache (post upgrade) 
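Review bot: In the ceph-rgw.yaml hunk the "Gather RGW instance ID" task is tagged only `step0`, while the "Check status" task that consumes its `rgw_id` register is tagged `step0,validation`. If the validation tasks are ever selected by the `validation` tag alone, `rgw_id` is undefined and the check fails on the template rather than on the service state, which is a misleading signal from a pre-upgrade check. Tagging the gather task `tags: step0,validation` keeps the two together under either selection; the "Stop RGW instance" task at step1 has the same dependency on `rgw_id` and is worth a comment saying so.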
diff --git a/puppet/services/cinder-backend-dellps.yaml b/puppet/services/cinder-backend-dellps.yaml new file mode 100644 index 00000000..1f15c53e --- /dev/null +++ b/puppet/services/cinder-backend-dellps.yaml 
@@ -0,0 +1,85 @@ +# Copyright (c) 2017 Dell Inc. or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +heat_template_version: ocata + +description: > + Openstack Cinder Dell EMC PS Series backend + +parameters: + CinderEnableDellPsBackend: + type: boolean + default: true + CinderDellPsBackendName: + type: string + default: 'tripleo_dellps' + CinderDellPsSanIp: + type: string + CinderDellPsSanLogin: + type: string + CinderDellPsSanPassword: + type: string + hidden: true + CinderDellPsSanThinProvision: + type: boolean + default: true + CinderDellPsGroupname: + type: string + default: 'group-0' + CinderDellPsPool: + type: string + default: 'default' + CinderDellPsChapLogin: + type: string + default: '' + CinderDellPsChapPassword: + type: string + default: '' + CinderDellPsUseChap: + type: boolean + default: false + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Cinder Dell EMC PS Series backend. 
+ value: + service_name: cinder_backend_dellps + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_dellps_backend: {get_param: CinderEnableDellPsBackend} + cinder::backend::eqlx::volume_backend_name: {get_param: CinderDellPsBackendName} + cinder::backend::eqlx::san_ip: {get_param: CinderDellPsSanIp} + cinder::backend::eqlx::san_login: {get_param: CinderDellPsSanLogin} + cinder::backend::eqlx::san_password: {get_param: CinderDellPsSanPassword} + cinder::backend::eqlx::san_thin_provision: {get_param: CinderDellPsSanThinProvision} + cinder::backend::eqlx::eqlx_group_name: {get_param: CinderDellPsGroupname} + cinder::backend::eqlx::eqlx_pool: {get_param: CinderDellPsPool} + cinder::backend::eqlx::eqlx_use_chap: {get_param: CinderDellPsUseChap} + cinder::backend::eqlx::eqlx_chap_login: {get_param: CinderDellPsChapLogin} + cinder::backend::eqlx::eqlx_chap_password: {get_param: CinderDellPsChapPassword} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-scheduler.yaml b/puppet/services/cinder-scheduler.yaml index 6a0b1f24..f102810e 100644 --- a/puppet/services/cinder-scheduler.yaml +++ b/puppet/services/cinder-scheduler.yaml @@ -52,6 +52,9 @@ outputs: step_config: | include ::tripleo::profile::base::cinder::scheduler upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-cinder-scheduler is running" + shell: /usr/bin/systemctl show 'openstack-cinder-scheduler' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop cinder_scheduler service tags: step2 service: name=openstack-cinder-scheduler state=stopped diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index 8834eaa5..dd1d3833 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml 
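Review bot: `CinderDellPsChapPassword` in the new cinder-backend-dellps.yaml is a plain `type: string` parameter without `hidden: true`, while `CinderDellPsSanPassword` just above it is hidden; the CHAP secret will therefore be shown in stack parameter listings whenever CHAP is in use. Add `hidden: true` under `CinderDellPsChapPassword` to match the SAN password. The three required parameters `CinderDellPsSanIp`, `CinderDellPsSanLogin` and `CinderDellPsSanPassword` also carry no `description`, so an operator gets no hint from the template about what is expected.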
@@ -116,6 +116,9 @@ outputs: step_config: | include ::tripleo::profile::base::cinder::volume upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-cinder-volume is running" + shell: /usr/bin/systemctl show 'openstack-cinder-volume' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop cinder_volume service tags: step2 service: name=openstack-cinder-volume state=stopped diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 8290cae7..63ec4446 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -66,3 +66,10 @@ outputs: mongodb::server::bind_ip: {get_param: [ServiceNetMap, MongodbNetwork]} step_config: | include ::tripleo::profile::base::database::mongodb + upgrade_tasks: + - name: Stop mongodb service + tags: step2 + service: name=mongod state=stopped + - name: Start mongodb service + tags: step4 + service: name=mongod state=started diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 09ea5d22..b49b29f7 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -138,6 +138,9 @@ outputs: service_config_settings: get_attr: [GlanceBase, role_data, service_config_settings] upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-glance-api is running" + shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop glance_api service tags: step2 service: name=openstack-glance-api state=stopped diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index ae384ce0..2a1ed2a3 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml 
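Review bot: The mongodb.yaml hunk adds a "Start mongodb service" task at step4, which contradicts the README change in this same commit stating that services are not started in the upgrade tasks but by the puppet re-run, and the keystone hunk removes its start task for exactly that reason. Presumably the explicit start is needed because the step5 dbsync tasks added elsewhere in this commit need the database up before puppet runs; if so, a comment such as `# started here rather than by puppet because the step5 db sync tasks need mongodb` on the task would stop the next reader from "fixing" it away.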
@@ -103,12 +103,6 @@ outputs: # internal_api_subnet - > IP/CIDR gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi' - gnocchi::api::host: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} @@ -133,3 +127,10 @@ outputs: - "%{hiera('mysql_bind_host')}" metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop gnocchi_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped + - name: Run gnocchi upgrade + tags: step5 + command: gnocchi-upgrade diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index d92b1766..8fddae4b 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -69,7 +69,7 @@ outputs: - '/gnocchi' - '?bind_address=' - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" - gnocchi::db::sync::extra_opts: '--skip-storage --create-legacy-resource-types' + gnocchi::db::sync::extra_opts: '--skip-storage' gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 2 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} diff --git a/puppet/services/gnocchi-metricd.yaml b/puppet/services/gnocchi-metricd.yaml index 27700606..1337b0cb 100644 --- a/puppet/services/gnocchi-metricd.yaml +++ b/puppet/services/gnocchi-metricd.yaml 
@@ -46,3 +46,10 @@ outputs: - gnocchi::metricd::workers: {get_param: GnocchiMetricdWorkers} step_config: | include ::tripleo::profile::base::gnocchi::metricd + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-gnocchi-metricd is running" + shell: /usr/bin/systemctl show 'openstack-gnocchi-metricd' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop gnocchi_metricd service + tags: step2 + service: name=openstack-gnocchi-metricd state=stopped diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml index df438b37..41222a79 100644 --- a/puppet/services/gnocchi-statsd.yaml +++ b/puppet/services/gnocchi-statsd.yaml @@ -45,3 +45,10 @@ outputs: proto: 'udp' step_config: | include ::tripleo::profile::base::gnocchi::statsd + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-gnocchi-statsd is running" + shell: /usr/bin/systemctl show 'openstack-gnocchi-statsd' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop gnocchi_statsd service + tags: step2 + service: name=openstack-gnocchi-statsd state=stopped diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 981a08d2..358698dd 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -78,6 +78,9 @@ outputs: step_config: | include ::tripleo::profile::base::haproxy upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service haproxy is running" + shell: /usr/bin/systemctl show 'haproxy' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop haproxy service tags: step1 service: name=haproxy state=stopped diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index 28317dd3..7bd2fcf1 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml 
@@ -85,6 +85,9 @@ outputs: heat::keystone::auth_cfn::password: {get_param: HeatPassword} heat::keystone::auth_cfn::region: {get_param: KeystoneRegion} upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-api-cfn is running" + shell: echo o/ #TODO uncomment when /#/c/423302/ : /usr/bin/systemctl show 'openstack-heat-api-cfn' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_api_cfn service tags: step2 service: name=openstack-heat-api-cfn state=stopped diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml index 5de25ab8..0954ad19 100644 --- a/puppet/services/heat-api-cloudwatch.yaml +++ b/puppet/services/heat-api-cloudwatch.yaml @@ -67,6 +67,9 @@ outputs: step_config: | include ::tripleo::profile::base::heat::api_cloudwatch upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-api-cloudwatch is running" + shell: echo o/ #TODO uncomment when /#/c/423302/ : /usr/bin/systemctl show 'openstack-heat-api-cloudwatch' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_api_cloudwatch service tags: step2 service: name=openstack-heat-api-cloudwatch state=stopped diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 0ce8e1fa..ae656b1e 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -85,6 +85,9 @@ outputs: heat::keystone::auth::password: {get_param: HeatPassword} heat::keystone::auth::region: {get_param: KeystoneRegion} upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-api is running" + shell: echo o/ #TODO uncomment when /#/c/423302/ : /usr/bin/systemctl show 'openstack-heat-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_api service tags: step2 service: name=openstack-heat-api state=stopped 
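Review bot: The three heat validation tasks added here, and the fourth in heat-engine.yaml in the next hunk, run only `echo o/`: the ` #TODO ...` that follows starts a YAML comment, so the systemctl check after it is not part of the command. A task tagged `validation` that cannot fail reports the heat services as healthy regardless of their state, which is worse than no check at all because it looks covered. Either leave the task out until the referenced change merges, or keep the real command and mark the task `ignore_errors: true` so its output is visible without blocking; in both cases the TODO belongs on its own comment line rather than inside the value.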
diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index 976d413c..3b73eb88 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -138,6 +138,9 @@ outputs: # This is needed because the keystone profile handles creating the domain tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword} upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-engine is running" + shell: echo o/ #TODO uncomment when /#/c/423302/ : /usr/bin/systemctl show 'openstack-heat-engine' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_engine service tags: step2 service: name=openstack-heat-engine state=stopped diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index ff91eb63..bc34b736 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -25,6 +25,10 @@ parameters: MonitoringSubscriptionIronicApi: default: 'overcloud-ironic-api' type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint resources: IronicBase: @@ -73,6 +77,7 @@ outputs: ironic::keystone::auth::auth_name: 'ironic' ironic::keystone::auth::password: {get_param: IronicPassword } ironic::keystone::auth::tenant: 'service' + ironic::keystone::auth::region: {get_param: KeystoneRegion} mysql: ironic::db::mysql::password: {get_param: IronicPassword} ironic::db::mysql::user: ironic diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index a10c03a5..48d87209 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml 
@@ -24,6 +24,14 @@ parameters: "full" for full cleaning, "metadata" to clean only disk metadata (partition table). type: string + IronicCleaningNetwork: + default: 'provisioning' + description: Name or UUID of the *overcloud* network used for cleaning + bare metal nodes. The default value of "provisioning" can be + left during the initial deployment (when no networks are + created yet) and should be changed to an actual UUID in + a post-deployment stack update. + type: string IronicEnabledDrivers: default: ['pxe_ipmitool', 'pxe_drac', 'pxe_ilo'] description: Enabled Ironic drivers @@ -61,6 +69,7 @@ outputs: - ironic::api::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} ironic::conductor::cleaning_disk_erase: {get_param: IronicCleaningDiskErase} + ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork} ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers} # We need an endpoint containing a real IP, not a VIP here ironic_conductor_http_host: {get_param: [ServiceNetMap, IronicNetwork]} diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index b989d502..7da4a9c2 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -313,8 +313,5 @@ outputs: - name: Sync keystone DB tags: step5 command: keystone-manage db_sync - - name: Start keystone service (running under httpd) - tags: step6 - service: name=httpd state=started metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml index ffa969e0..eba8a58b 100644 --- a/puppet/services/memcached.yaml +++ b/puppet/services/memcached.yaml 
@@ -40,3 +40,11 @@ outputs: dport: 11211 step_config: | include ::tripleo::profile::base::memcached + service_config_settings: + collectd: + tripleo.collectd.plugins.memcached: + - memcached + collectd::plugin::memcached::instances: + local: + host: "%{hiera('memcached::listen_ip')}" + port: 11211 diff --git a/puppet/services/metrics/collectd.yaml b/puppet/services/metrics/collectd.yaml new file mode 100644 index 00000000..e4e7dac7 --- /dev/null +++ b/puppet/services/metrics/collectd.yaml 
@@ -0,0 +1,111 @@ +heat_template_version: ocata + +description: Collectd client service + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + DefaultPasswords: + default: {} + type: json + CollectdDefaultPlugins: + default: + - disk + - interface + - load + - memory + - processes + - tcpconns + type: comma_delimited_list + description: > + List of collectd plugins to activate on all overcloud hosts. See + the documentation for the puppet-collectd module for a list plugins + supported by the module (https://github.com/voxpupuli/puppet-collectd). + Set this key to override the default list of plugins. Use + CollectdExtraPlugins if you want to load additional plugins without + overriding the defaults. + CollectdExtraPlugins: + default: [] + type: comma_delimited_list + description: > + List of collectd plugins to activate on all overcloud hosts. See + the documentation for the puppet-collectd module for a list plugins + supported by the module (https://github.com/voxpupuli/puppet-collectd). + Set this key to load plugins in addition to those in + CollectdDefaultPlugins. + CollectdServer: + type: string + description: > + Address of remote collectd server to which we will send + metrics. + default: '' + CollectdServerPort: + type: number + default: 25826 + description: > + Port on remote collectd server to which we will send + metrics. + CollectdUsername: + type: string + description: > + Username for authenticating to the remote collectd server. The default + is to not configure any authentication. 
+ default: '' + CollectdPassword: + type: string + hidden: true + description: > + Password for authenticating to the remote collectd server. The + default is to not configure any authentication. + default: '' + CollectdSecurityLevel: + type: string + description: > + Security level setting for remote collectd connection. + default: 'None' + constraints: + - allowed_values: + - None + - Sign + - Encrypt + +outputs: + role_data: + description: Role data for the Collectd client role. + value: + service_name: collectd + config_settings: + collectd::manage_repo: false + collectd::purge: true + collectd::recurse: true + collectd::purge_config: true + collectd::minimum_version: "5.7" + tripleo::profile::base::metrics::collectd::collectd_server: + get_param: CollectdServer + tripleo::profile::base::metrics::collectd::collectd_port: + get_param: CollectdServerPort + tripleo::profile::base::metrics::collectd::collectd_username: + get_param: CollectdUsername + tripleo::profile::base::metrics::collectd::collectd_password: + get_param: CollectdPassword + tripleo::profile::base::metrics::collectd::collectd_securitylevel: + get_param: CollectdSecurityLevel + tripleo.collectd.plugins.collectd: + yaql: + data: + default_plugins: {get_param: CollectdDefaultPlugins} + extra_plugins: {get_param: CollectdExtraPlugins} + expression: > + ($.data.default_plugins + $.data.extra_plugins) + .flatten().distinct() + step_config: | + include ::tripleo::profile::base::metrics::collectd diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index cf444215..65fa0d8f 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -71,6 +71,9 @@ parameters: removed in Ocata. Future releases will enable L3 HA by default if it is appropriate for the deployment type. Alternate mechanisms will be available to override. + EnableInternalTLS: + type: boolean + default: false parameter_groups: - label: deprecated 
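Review bot: In the new collectd.yaml the `CollectdUsername`/`CollectdPassword` descriptions say the default is no authentication, but nothing states that these credentials only take effect when `CollectdSecurityLevel` is `Sign` or `Encrypt` (that is how I recall collectd's network plugin behaving; confirm against the puppet-collectd profile), so an operator can set a password and still ship metrics unauthenticated under the default `None`. I would say this explicitly in `CollectdSecurityLevel`'s description, e.g. `Security level for the connection to CollectdServer. With None, metrics are sent unsigned and unencrypted and CollectdUsername/CollectdPassword are ignored; use Sign or Encrypt to enable them.` The `CollectdDefaultPlugins` and `CollectdExtraPlugins` descriptions also both read "a list plugins" (missing "of").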
@@ -82,8 +85,19 @@ parameter_groups: parameters: - NeutronL3HA +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + resources: + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + NeutronBase: type: ./neutron-base.yaml properties: @@ -103,6 +117,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] + - get_attr: [TLSProxyBase, role_data, config_settings] - neutron::server::database_connection: list_join: - '' @@ -140,7 +155,23 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} + tripleo::profile::base::neutron::server::tls_proxy_bind_ip: + get_param: [ServiceNetMap, NeutronApiNetwork] + tripleo::profile::base::neutron::server::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + tripleo::profile::base::neutron::server::tls_proxy_port: + get_param: [EndpointMap, NeutronInternal, port] + # Bind to localhost if internal TLS is enabled, since we put a TLS + # proxy in front. + neutron::bind_host: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, NeutronApiNetwork]} tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA} step_config: | include tripleo::profile::base::neutron::server @@ -161,6 +192,9 @@ outputs: - '%' - "%{hiera('mysql_bind_host')}" upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-server is running" + shell: /usr/bin/systemctl show 'neutron-server' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_api service tags: step2 service: name=neutron-server state=stopped 
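Review bot: The step0 validation task in the `@@ -161` hunk checks service state with `systemctl show ... | grep '\bactive\b'`, which is fragile: `systemctl show` exits 0 even for a unit that does not exist, so the outcome rests entirely on the grep, and when it fails the Ansible error carries no state at all. `command: /usr/bin/systemctl is-active neutron-server` gives the same pass/fail without a shell or pipe and prints the actual unit state on failure. The same pattern is repeated in the neutron-dhcp, neutron-l3, neutron-metadata and neutron-ovs-agent hunks. The enclosing upgrade_tasks list continues outside the hunk.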
diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml index bb4742c9..062edaa4 100644 --- a/puppet/services/neutron-dhcp.yaml +++ b/puppet/services/neutron-dhcp.yaml @@ -80,6 +80,9 @@ outputs: step_config: | include tripleo::profile::base::neutron::dhcp upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-dhcp-agent is running" + shell: /usr/bin/systemctl show 'neutron-dhcp-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_dhcp service tags: step2 service: name=neutron-dhcp-agent state=stopped diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml index 9d858441..69803551 100644 --- a/puppet/services/neutron-l3.yaml +++ b/puppet/services/neutron-l3.yaml @@ -80,6 +80,9 @@ outputs: step_config: | include tripleo::profile::base::neutron::l3 upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-l3-agent is running" + shell: /usr/bin/systemctl show 'neutron-l3-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_l3 service tags: step2 service: name=neutron-l3-agent state=stopped diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index 43066767..199b5809 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -76,6 +76,9 @@ outputs: step_config: | include tripleo::profile::base::neutron::metadata upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-metadata-agent is running" + shell: /usr/bin/systemctl show 'neutron-metadata-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_metadata service tags: step2 service: name=neutron-metadata-agent state=stopped diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index baeb0c66..c27bb909 100644 --- a/puppet/services/neutron-ovs-agent.yaml 
+++ b/puppet/services/neutron-ovs-agent.yaml @@ -121,6 +121,9 @@ outputs: step_config: | include ::tripleo::profile::base::neutron::ovs upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" + shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_ovs_agent service tags: step2 service: name=neutron-openvswitch-agent state=stopped diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index 5c77e35d..e25bc495 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -18,6 +18,11 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + HostCpusList: + description: List of cores to be used for host process + type: string + constraints: + - allowed_pattern: "'[0-9,-]+'" NeutronDpdkCoreList: description: List of cores to be used for DPDK Poll Mode Driver type: string @@ -68,7 +73,8 @@ outputs: - neutron::agents::ml2::ovs::enable_dpdk: true neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType} neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir} - vswitch::dpdk::core_list: {get_param: NeutronDpdkCoreList} + vswitch::dpdk::host_core_list: {get_param: HostCpusList} + vswitch::dpdk::pmd_core_list: {get_param: NeutronDpdkCoreList} vswitch::dpdk::memory_channels: {get_param: NeutronDpdkMemoryChannels} vswitch::dpdk::socket_mem: {get_param: NeutronDpdkSocketMemory} vswitch::dpdk::driver_type: {get_param: NeutronDpdkDriverType} diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index 407ce6ba..71a0076f 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml 
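Review bot: `HostCpusList` in the `@@ -18` hunk has no default, so every stack that includes the DPDK agent service must now supply it or a stack update fails at parameter validation; if that is intended, the description should say so and give the expected format, because `allowed_pattern: "'[0-9,-]+'"` full-matches and therefore requires the value itself to be wrapped in single quotes (e.g. `HostCpusList: "'0,1'"`, constructed example). Whether NeutronDpdkCoreList carries the same quoted pattern is not visible in the hunk; if it does, the same documentation gap applies there. The `@@ -68` hunk renames `vswitch::dpdk::core_list` to `pmd_core_list` and adds `host_core_list`, which presumes a puppet-vswitch version that has both parameters — worth stating in a release note.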
@@ -95,3 +95,6 @@ outputs: step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 + service_config_settings: + horizon: + neutron::plugins::ml2::mechanism_drivers: {get_param: NeutronMechanismDrivers} diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 892e63dd..0c5f3afe 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -63,13 +63,15 @@ conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} resources: - ApacheServiceBase: - type: ./apache.yaml - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - EnableInternalTLS: {get_param: EnableInternalTLS} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # ApacheServiceBase: + # type: ./apache.yaml + # properties: + # ServiceNetMap: {get_param: ServiceNetMap} + # DefaultPasswords: {get_param: DefaultPasswords} + # EndpointMap: {get_param: EndpointMap} + # EnableInternalTLS: {get_param: EnableInternalTLS} NovaBase: type: ./nova-base.yaml @@ -90,7 +92,9 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] - - get_attr: [ApacheServiceBase, role_data, config_settings] + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # - get_attr: [ApacheServiceBase, role_data, config_settings] - nova::cron::archive_deleted_rows::hour: '*/12' nova::cron::archive_deleted_rows::destination: '/dev/null' tripleo.nova_api.firewall_rules: 
@@ -115,20 +119,23 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::api::service_name: 'httpd' - nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + nova_wsgi_enabled: false + # nova::api::service_name: 'httpd' + # nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - nova::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::wsgi::apache_api::servername: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + # nova::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + # nova::wsgi::apache_api::servername: + # str_replace: + # template: + # "%{hiera('fqdn_$NETWORK')}" + # params: + # $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} nova::api::instance_name_template: {get_param: InstanceNameTemplate} nova_enable_db_purge: {get_param: NovaEnableDBPurge} @@ -137,7 +144,9 @@ outputs: - nova_workers_zero - {} - nova::api::osapi_compute_workers: {get_param: NovaWorkers} - nova::wsgi::apache_api::workers: {get_param: NovaWorkers} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # nova::wsgi::apache_api::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::api service_config_settings: 
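Review bot: With the WSGI wiring commented out here, `nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}` no longer takes effect, so a deployment that sets EnableInternalTLS true gets a nova-api serving plain HTTP on the internal network with no error or warning; the `@@ -63` hunk drops the ApacheServiceBase resource and the `@@ -165` hunk drops the `metadata_settings` output that feeds the certificate request, so nothing on the TLS path remains. The EnableInternalTLS parameter should at least be documented as currently ignored for nova-api, e.g. next to the existing bug link: `# NOTE: EnableInternalTLS is not honoured for nova-api until bug 1661360 is resolved.` Commenting the code out rather than deleting it also leaves several near-identical blocks to keep in sync, while the diff history already preserves the old wiring.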
@@ -165,5 +174,7 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} - metadata_settings: - get_attr: [ApacheServiceBase, role_data, metadata_settings] + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # metadata_settings: + # get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index c448bf49..49cba79c 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -145,8 +145,6 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" nova::api_database_connection: list_join: - '' @@ -156,8 +154,6 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_api' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" nova::placement_database_connection: list_join: - '' @@ -167,8 +163,6 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_placement' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" nova::debug: {get_param: Debug} nova::purge_config: {get_param: EnableConfigPurge} nova::network::neutron::neutron_project_name: 'service' diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index 2312b635..f7484da2 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml 
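Review bot: The three nova-base hunks drop `?bind_address=` from the nova, nova_api and nova_placement database URIs without any comment in the template, so nova becomes the only service whose MySQL client does not pin its source address to `tripleo::profile::base::database::mysql::client_bind_address`, and the reason is only discoverable from the TODO in tools/yaml-validate.py elsewhere in this change. A one-line comment above the first connection key, such as `# bind_address intentionally omitted, see tripleo bug 1662344`, would keep the next reader from "fixing" it back. The enclosing list_join blocks start outside the hunks.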
@@ -141,3 +141,8 @@ outputs: # We'll probably treat it like we do with Neutron plugins. # Until then, just include it in the default nova-compute role. include tripleo::profile::base::nova::compute::libvirt + service_config_settings: + collectd: + tripleo.collectd.plugins.nova_compute: + - virt + collectd::plugins::virt::connection: "qemu:///system" diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index a9b2b3f9..faf1ae48 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -62,6 +62,7 @@ outputs: nova::compute::libvirt::qemu::configure_qemu: true nova::compute::libvirt::qemu::max_files: 32768 nova::compute::libvirt::qemu::max_processes: 131072 + nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} tripleo.nova_libvirt.firewall_rules: '200 nova_libvirt': dport: diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml index 4c6f4c37..58223baf 100644 --- a/puppet/services/octavia-api.yaml +++ b/puppet/services/octavia-api.yaml @@ -70,13 +70,15 @@ outputs: - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} octavia::keystone::authtoken::project_name: 'service' + octavia::keystone::authtoken::password: {get_param: OctaviaPassword} octavia::api::sync_db: true tripleo.octavia_api.firewall_rules: '120 octavia api': dport: - 9876 - 13876 - octavia::host: {get_param: [ServiceNetMap, OctaviaApiNetwork]} + octavia::api::host: {get_param: [ServiceNetMap, OctaviaApiNetwork]} + neutron::server::service_providers: ['LOADBALANCERV2:Octavia:neutron_lbaas.drivers.octavia.driver.OctaviaDriver:default'] step_config: | include tripleo::profile::base::octavia::api service_config_settings: diff --git a/puppet/services/octavia-health-manager.yaml b/puppet/services/octavia-health-manager.yaml new file mode 100644 index 00000000..51d32f23 
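Review bot: `nova::compute::libvirt::vncserver_listen` now binds the VNC console server to the NovaLibvirtNetwork address instead of libvirt's default, which exposes the per-instance VNC ports on that network; the `'200 nova_libvirt'` firewall rule visible in the context appears to cover only libvirt's own port, so unless another rule already opens the VNC range this either breaks console proxying or relies on VNC-side authentication alone. Worth confirming which network NovaLibvirtNetwork maps to and that the VNC range has its own firewall entry, and documenting the dependency with a comment such as `# VNC listens on the libvirt network; the port range is opened by the <RULE_NAME> firewall rule`. The enclosing config_settings map starts outside the hunk.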
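Review bot: In the octavia-api hunk, `neutron::server::service_providers` is added under `config_settings`, which only lands on nodes running octavia_api; neutron-server is the consumer, so it belongs under the `service_config_settings: neutron_api:` map (the `service_config_settings` key is right below in the context) to reach the neutron API nodes when the two services live on different roles. Hard-coding the list to the single Octavia driver also overwrites any other LBaaSv2 provider an operator configured; if that is intended it should be documented. `octavia::keystone::authtoken::password` references OctaviaPassword, which is not visible in this hunk and presumably declared in the parameters section above. The enclosing config_settings map starts outside the hunk.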
--- /dev/null +++ b/puppet/services/octavia-health-manager.yaml @@ -0,0 +1,61 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia Health Manager service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MonitoringSubscriptionOctaviaHealthManager: + default: 'overcloud-octavia-health-manager' + type: string + OctaviaHealthManagerLoggingSource: + type: json + default: + tag: openstack.octavia.health-manager + path: /var/log/octavia/health-manager.log + OctaviaHeartbeatKey: + type: string + description: Key to identify heartbeat messages for amphorae. + hidden: true + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia Health Manager service. + value: + service_name: octavia_health_manager + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHealthManager} + logging_source: {get_param: OctaviaHealthManagerLoggingSource} + logging_groups: + - octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey} + octavia::health_manager::event_streamer_driver: 'queue_event_streamer' + step_config: | + include tripleo::profile::base::octavia::health_manager + + + diff --git a/puppet/services/octavia-housekeeping.yaml b/puppet/services/octavia-housekeeping.yaml new file mode 100644 index 00000000..84c33433 --- /dev/null 
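Review bot: `OctaviaHeartbeatKey` is `hidden: true` with no default, so it becomes a mandatory input for every deployment that includes the service, and the description "Key to identify heartbeat messages for amphorae" does not convey that it appears to be a shared secret the amphorae use to authenticate health messages and therefore needs to be generated rather than chosen by hand. I would change it to `Shared secret used to authenticate heartbeat messages from amphorae; supply a randomly generated value.` and check whether it should be sourced from DefaultPasswords like other generated secrets (the DefaultPasswords contract is not visible here). The file also ends with three blank `+` lines.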
+++ b/puppet/services/octavia-housekeeping.yaml 
@@ -0,0 +1,70 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia Housekeeping service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OctaviaAmphoraExpiryAge: + default: 0 + description: The interval in seconds after which an unused Amphora will + be considered expired and cleaned up. If left to 0, the + configuration will not be set and the system will use + the service defaults. + type: number + MonitoringSubscriptionOctaviaHousekeeping: + default: 'overcloud-octavia-housekeeping' + type: string + OctaviaHousekeepingLoggingSource: + type: json + default: + tag: openstack.octavia.housekeeping + path: /var/log/octavia/housekeeping.log + +conditions: + amphora_expiry_is_zero: {equals: [{get_param: OctaviaAmphoraExpiryAge}, 0]} + + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia Housekeeping service. + value: + service_name: octavia_housekeeping + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHousekeeping} + logging_source: {get_param: OctaviaHousekeepingLoggingSource} + logging_groups: + - octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - + if: + - amphora_expiry_is_zero + - {} + - octavia::worker::amphora_expiry_age: {get_param: OctaviaAmphoraExpiryAge} + step_config: | + include tripleo::profile::base::octavia::housekeeping + + 
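Review bot: The conditional block sets `octavia::worker::amphora_expiry_age` from this housekeeping template, while the service name, logging source and included profile are all `housekeeping`; if puppet-octavia exposes the expiry age on its housekeeping class, the `worker` namespace means the value never reaches the housekeeping config. Worth confirming the puppet-octavia parameter name before merging. Minor: the file ends with two blank `+` lines and has a doubled blank line before `resources:`.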
diff --git a/puppet/services/octavia-worker.yaml b/puppet/services/octavia-worker.yaml new file mode 100644 index 00000000..9212b76b --- /dev/null +++ b/puppet/services/octavia-worker.yaml 
@@ -0,0 +1,102 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia Worker service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MonitoringSubscriptionOctaviaWorker: + default: 'overcloud-octavia-worker' + type: string + OctaviaWorkerLoggingSource: + type: json + default: + tag: openstack.octavia.worker + path: /var/log/octavia/worker.log + OctaviaAmphoraImageTag: + default: '' + description: Glance image tag for identifying the amphora image. + type: string + OctaviaAmphoraNetworkList: + default: [] + description: List of networks to attach to amphorae. + type: comma_delimited_list + OctaviaLoadBalancerTopology: + default: '' + description: Load balancer topology configuration. + type: string + OctaviaFlavorId: + default: 65 + description: Nova flavor ID to be used when creating the nova flavor for + amphora. + type: number + OctaviaFlavorProperties: + default: {} + description: Dictionary describing the nova flavor for amphora. + type: json + OctaviaManageNovaFlavor: + default: false + description: Configure the nova flavor for the amphora. + type: boolean + OctaviaSSHKeyName: + default: 'octavia-ssh-key' + description: name for ssh key to be configured so the amphora can + be logged into. 
+ type: string + +conditions: + octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]} + octavia_amphora_tag_unset: {equals: [{get_param: OctaviaAmphoraImageTag}, ""]} + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia WoWorker service. + value: + service_name: octavia_worker + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaWorker} + logging_source: {get_param: OctaviaWorkerLoggingSource} + logging_groups: + -octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - octavia::worker::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList} + octavia::worker::amp_flavor_id: {get_param: OctaviaFlavorId} + octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties} + octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor} + octavia::worker::ssh_key_name: {get_param: OctaviaSSHKeyName} + - + if: + - octavia_amphora_tag_unset + - {} + - octavia::worker::amp_image_tag: {get_param: OctaviaAmphoraImageTag} + - + if: + - octavia_topology_unset + - {} + - octavia::worker::loadbalancer_topology: {get_param: OctaviaLoadBalancerTopology} + step_config: | + include tripleo::profile::base::octavia::worker + diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index a8a9fb99..c47229f1 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml 
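Review bot: `logging_groups: -octavia` is missing the space after the dash, so YAML parses it as the scalar string `-octavia` rather than a one-element list, unlike `- octavia` in the health-manager and housekeeping templates; it should be `logging_groups:` followed by `  - octavia` on the next line. The role_data description also reads "Octavia WoWorker service". The `OctaviaSSHKeyName` description ("name for ssh key to be configured so the amphora can be logged into") would read better as `Name of the Nova keypair injected into amphorae for SSH access.`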
@@ -39,6 +39,12 @@ parameters: description: The password for the 'pcsd' user for pacemaker. hidden: true default: '' + CorosyncSettleTries: + type: number + description: Number of tries for cluster settling. This has the + same default as the pacemaker puppet module. Override + to a smaller value when in need to replace a controller node. + default: 360 FencingConfig: default: {} description: | @@ -97,6 +103,7 @@ outputs: pacemaker::resource_defaults::defaults: resource-stickiness: { value: INFINITY } corosync_token_timeout: 10000 + pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries} tripleo.pacemaker.firewall_rules: '130 pacemaker tcp': proto: 'tcp' diff --git a/puppet/services/sshd.yaml b/puppet/services/sshd.yaml new file mode 100644 index 00000000..41e144a0 --- /dev/null +++ b/puppet/services/sshd.yaml @@ -0,0 +1,34 @@ +heat_template_version: ocata + +description: > + Configure sshd_config + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + BannerText: + default: '' + description: Configures Banner text in sshd_config + type: string + +outputs: + role_data: + description: Role data for the ssh + value: + service_name: sshd + config_settings: + BannerText: {get_param: BannerText} + step_config: | + include ::tripleo::profile::base::sshd diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 62d227a2..31a4c178 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml 
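Review bot: The new sshd template publishes its setting as the bare hiera key `BannerText`, while every other service in this change namespaces its keys under the consuming class (for example `tripleo::profile::base::metrics::collectd::collectd_server` in the collectd template); a top-level key is easy to collide with and hard to trace back to its profile. If `tripleo::profile::base::sshd` takes the banner as a class parameter, the key should be `tripleo::profile::base::sshd::<PARAM_NAME>: {get_param: BannerText}` with the exact parameter name checked against puppet-tripleo. The role_data description "Role data for the ssh" is also truncated.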
@@ -57,6 +57,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string conditions: @@ -91,6 +97,7 @@ outputs: swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]} swift::proxy::ceilometer::nonblocking_notify: true tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort} + tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RabbitClientUseSSL} tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled} tripleo.swift_proxy.firewall_rules: '122 swift proxy': diff --git a/releasenotes/notes/composable-upgrades-d9ec7c634365e8e0.yaml b/releasenotes/notes/composable-upgrades-d9ec7c634365e8e0.yaml new file mode 100644 index 00000000..55062b04 --- /dev/null +++ b/releasenotes/notes/composable-upgrades-d9ec7c634365e8e0.yaml @@ -0,0 +1,14 @@ +--- +features: + - | + Composable service plugins now support two additional sections, + upgrade_tasks and upgrade_batch_tasks. These can be used by service + template authors to define the required behavior on upgrade as ansible + tasks, for both upgrades that require downtime, and rolling upgrades. + See puppet/services/README.rst for more details. +upgrade: + - | + Please refer to tripleo-docs for full details on the upgrade workflow + required for Newton to Ocata upgrades, as it's possible some steps are + different to previous releases: + http://docs.openstack.org/developer/tripleo-docs/post_deployment/upgrade.html diff --git a/releasenotes/notes/deployed-servers-fd47f18204cea105.yaml b/releasenotes/notes/deployed-servers-fd47f18204cea105.yaml new file mode 100644 index 00000000..d05b268c --- /dev/null +++ b/releasenotes/notes/deployed-servers-fd47f18204cea105.yaml 
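Review bot: `RabbitClientUseSSL` is declared `type: string` with `default: false`, so what reaches `tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl` is the string 'false' (or whatever the operator types), not a boolean; the equivalent flag elsewhere in this change, EnableInternalTLS in neutron-api, is `type: boolean`. Use `type: boolean` here unless the puppet side is known to expect a string, in which case an `allowed_values` constraint should pin the accepted spellings. The description "Rabbit client subscriber parameter to specify an SSL connection" could simply read `Whether the ceilometer notifier connects to RabbitMQ over SSL.`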
@@ -0,0 +1,8 @@ +--- +features: + - It is now possible to deploy with tripleo-heat-templates using servers that + are already provisioned with an operating system, and not necessarily + provisioned with Nova and Ironic. This feature is enabled by making use of + the environments/deployed-server-environment.yaml environment file. For + more information, see + http://docs.openstack.org/developer/tripleo-docs/advanced_deployment/deployed_server.html diff --git a/releasenotes/notes/ironic-cleaning-network-1e06881df0402221.yaml b/releasenotes/notes/ironic-cleaning-network-1e06881df0402221.yaml new file mode 100644 index 00000000..72601f9e --- /dev/null +++ b/releasenotes/notes/ironic-cleaning-network-1e06881df0402221.yaml @@ -0,0 +1,10 @@ +--- +features: + - | + New parameter "IronicCleaningNetwork" can be used to override the name + or UUID of the **overcloud** network Ironic uses for cleaning. +fixes: + - | + A default value is now provided for Ironic ``cleaning_network`` + configuration option. Not providing it on start up was deprecated since + Newton, and will result in a failure in the near future. diff --git a/releasenotes/notes/octavia-service-integration-03bd3eb6cfe1efaf.yaml b/releasenotes/notes/octavia-service-integration-03bd3eb6cfe1efaf.yaml new file mode 100644 index 00000000..bd8d3562 --- /dev/null +++ b/releasenotes/notes/octavia-service-integration-03bd3eb6cfe1efaf.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Added initial support for deploying the Octavia services in the overcloud. diff --git a/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml b/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml new file mode 100644 index 00000000..1949e4fe --- /dev/null +++ b/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml 
@@ -0,0 +1,9 @@ +--- +features: + - | + Adds the ability to manage auditd.service and enter audit.rules via tripleo + heat templates. This in turn enforces an audit log of system events, such + as system time changes, modifications to Discretionary Access Controls, + Failed login attempts. + + diff --git a/roles_data.yaml b/roles_data.yaml index a21ef961..542e8669 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -72,6 +72,7 @@ - OS::TripleO::Services::SwiftStorage - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::Timezone - OS::TripleO::Services::CeilometerApi - OS::TripleO::Services::CeilometerCollector @@ -103,6 +104,7 @@ - OS::TripleO::Services::OpenDaylightOvs - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::Collectd - OS::TripleO::Services::BarbicanApi - OS::TripleO::Services::PankoApi - OS::TripleO::Services::Zaqar @@ -111,6 +113,11 @@ - OS::TripleO::Services::NeutronML2FujitsuFossw - OS::TripleO::Services::CinderHPELeftHandISCSI - OS::TripleO::Services::Etcd + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaHealthManager + - OS::TripleO::Services::OctaviaHousekeeping + - OS::TripleO::Services::OctaviaWorker - name: Compute CountDefault: 1 @@ -123,6 +130,7 @@ - OS::TripleO::Services::Timezone - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::Kernel @@ -137,6 +145,8 @@ - OS::TripleO::Services::OpenDaylightOvs - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::Collectd - name: BlockStorage ServicesDefault: 
@@ -146,10 +156,13 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::Timezone - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::Collectd - name: ObjectStorage disable_upgrade_deployment: True @@ -160,11 +173,14 @@ - OS::TripleO::Services::SwiftStorage - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::Collectd - name: CephStorage disable_upgrade_deployment: True @@ -174,8 +190,11 @@ - OS::TripleO::Services::Kernel - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::Collectd diff --git a/tools/process-templates.py b/tools/process-templates.py index 7d66b35d..1c8c4ba6 100755 --- a/tools/process-templates.py +++ b/tools/process-templates.py @@ -19,6 +19,8 @@ import six import sys import yaml +__tht_root_dir = os.path.dirname(os.path.dirname(__file__)) + def parse_opts(argv): parser = argparse.ArgumentParser( 
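Review bot: `__tht_root_dir = os.path.dirname(os.path.dirname(__file__))` is derived from the script path as invoked, so running `python tools/process-templates.py` (no leading `./`) yields an empty string and the Jinja loader silently falls back to the process's current directory instead of the repository root. `__tht_root_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))` gives a stable root however the script is launched. A single leading underscore is the convention for a module-private name; the double underscore has no special effect at module level.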
@@ -51,9 +53,14 @@ def _j2_render_to_file(j2_template, j2_data, outfile_name=None, print('ERROR: path already exists for file: %s' % outfile_name) sys.exit(1) + # Search for templates relative to the current template path first + template_base = os.path.dirname(yaml_f) + j2_loader = jinja2.loaders.FileSystemLoader([template_base, __tht_root_dir]) + try: # Render the j2 template - template = jinja2.Environment().from_string(j2_template) + template = jinja2.Environment(loader=j2_loader).from_string( + j2_template) r_template = template.render(**j2_data) except jinja2.exceptions.TemplateError as ex: error_msg = ("Error rendering template %s : %s" diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 19e40d19..0eacbc60 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -66,7 +66,10 @@ def validate_mysql_connection(settings): def validate_mysql_uri(key, items): # Only consider a connection if it targets mysql - if key.endswith('connection') and \ + # TODO(owalsh): skip nova mysql uris,temporary workaround for + # tripleo/+bug/1662344 + if not key.startswith('nova') and \ + key.endswith('connection') and \ search(items, mysql_protocol, no_op): # Assume the "bind_address" option is one of # the token that made up the uri @@ -94,10 +97,6 @@ def validate_mysql_connection(settings): def validate_service(filename, tpl): - if 'heat_template_version' in tpl and not str(tpl['heat_template_version']).isalpha(): - print('ERROR: heat_template_version needs to be the release alias not a date: %s' - % filename) - return 1 if 'outputs' in tpl and 'role_data' in tpl['outputs']: if 'value' not in tpl['outputs']['role_data']: print('ERROR: invalid role_data for filename: %s' 
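Review bot: `template_base = os.path.dirname(yaml_f)` uses `yaml_f`, which is not among the parameters visible in the hunk header (`j2_template, j2_data, outfile_name=None,` continues outside the hunk); if it is not a parameter of _j2_render_to_file this raises NameError on the first render, so please confirm it is in scope. The loader search path now includes the repository root, which means any template may include any file under the tree; a comment such as `# includes resolve against the template's directory first, then the repository root` would document the intended lookup order. The enclosing function starts outside the hunk.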
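Review bot: In the yaml-validate `@@ -66` hunk, `not key.startswith('nova')` is a prefix match, so every present and future `nova*` hiera key that carries a connection URI is exempted from the bind_address check, not just the three this workaround is for. Naming the keys keeps the exemption scoped, e.g. `if key not in _NOVA_DB_KEYS and key.endswith('connection') and \` with a module-level tuple listing `nova::api_database_connection`, `nova::placement_database_connection` and the main nova connection key. The TODO already cites bug 1662344, which is good; it should also say what removing the workaround entails. The enclosing validate_mysql_connection function starts outside the hunk.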
@@ -135,6 +134,13 @@ def validate(filename): try: tpl = yaml.load(open(filename).read()) + # The template alias version should be used instead a date, this validation + # will be applied to all templates not just for those in the services folder. + if 'heat_template_version' in tpl and not str(tpl['heat_template_version']).isalpha(): + print('ERROR: heat_template_version needs to be the release alias not a date: %s' + % filename) + return 1 + if (filename.startswith('./puppet/services/') and filename != './puppet/services/services.yaml'): retval = validate_service(filename, tpl) @@ -13,6 +13,7 @@ commands = {posargs} [testenv:pep8] commands = python ./tools/process-templates.py + python ./network/endpoints/build_endpoint_map.py --check python ./tools/yaml-validate.py . [testenv:templates] |
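Review bot: The relocated heat_template_version check runs on `tpl` straight from `yaml.load(open(filename).read())`, which is `None` for an empty file and a list for a template whose top level is a sequence, so `'heat_template_version' in tpl` raises TypeError there instead of reporting a validation error; guard it with `if isinstance(tpl, dict) and 'heat_template_version' in tpl and not str(tpl['heat_template_version']).isalpha():`. The context line itself (pre-existing, not introduced here) calls `yaml.load` without a Loader and never closes the file; `yaml.safe_load` inside `with open(filename) as f:` is the idiom. The enclosing try block continues outside the hunk.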