diff options
65 files changed, 1549 insertions, 48 deletions
@@ -116,5 +116,7 @@ and should be executed according to the following table: +----------------+-------------+-------------+-------------+-------------+-----------------+ | zaqar | | X | | | | +----------------+-------------+-------------+-------------+-------------+-----------------+ +| ec2api | | X | | | | ++----------------+-------------+-------------+-------------+-------------+-----------------+ | cephrgw | | X | | X | | +----------------+-------------+-------------+-------------+-------------+-----------------+ diff --git a/capabilities-map.yaml b/capabilities-map.yaml index cd846316..aae89307 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -537,3 +537,15 @@ topics: description: requires: - overcloud-resource-registry-puppet.yaml + + - title: Security Options + description: Security Hardening Options + environment_groups: + - title: Horizon Password Validation + description: Enable Horizon Password validation + environments: + - file: environments/horizon_password_validation.yaml + title: Horizon Password Validation + description: + requires: + - overcloud-resource-registry-puppet.yaml diff --git a/ci/environments/multinode_major_upgrade.yaml b/ci/environments/multinode_major_upgrade.yaml new file mode 100644 index 00000000..7de1594f --- /dev/null +++ b/ci/environments/multinode_major_upgrade.yaml @@ -0,0 +1,46 @@ +resource_registry: + OS::TripleO::Controller::Net::SoftwareConfig: ../heat-templates/net-config-multinode.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../heat-templates/net-config-multinode.yaml + OS::TripleO::Services::Core: multinode-core.yaml + +parameter_defaults: + ControllerServices: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::Core + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Keystone + - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceRegistry + - OS::TripleO::Services::NeutronDhcpAgent + - OS::TripleO::Services::NeutronL3Agent + - OS::TripleO::Services::NeutronMetadataAgent + - OS::TripleO::Services::NeutronServer + - OS::TripleO::Services::NeutronCorePlugin + - OS::TripleO::Services::NeutronOvsAgent + - OS::TripleO::Services::CinderApi + - OS::TripleO::Services::CinderScheduler + - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::HeatApi + - OS::TripleO::Services::HeatApiCfn + - OS::TripleO::Services::HeatApiCloudwatch + - OS::TripleO::Services::HeatEngine + - OS::TripleO::Services::SwiftProxy + - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::SwiftRingBuilder + - OS::TripleO::Services::SaharaApi + - OS::TripleO::Services::SaharaEngine + - OS::TripleO::Services::MySQL + - OS::TripleO::Services::RabbitMQ + - OS::TripleO::Services::HAproxy + - OS::TripleO::Services::Keepalived + - OS::TripleO::Services::Memcached + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall + ControllerExtraConfig: + nova::compute::libvirt::services::libvirt_virt_type: qemu + nova::compute::libvirt::libvirt_virt_type: qemu + # Required for Centos 7.3 and Qemu 2.6.0 + nova::compute::libvirt::libvirt_cpu_mode: 'none' + SwiftCeilometerPipelineEnabled: False diff --git a/ci/environments/scenario002-multinode.yaml b/ci/environments/scenario002-multinode.yaml index 636b3a26..0dfa78d3 100644 --- a/ci/environments/scenario002-multinode.yaml +++ b/ci/environments/scenario002-multinode.yaml @@ -3,6 +3,7 @@ resource_registry: OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Services::BarbicanApi: ../../puppet/services/barbican-api.yaml OS::TripleO::Services::Zaqar: ../../puppet/services/zaqar.yaml + OS::TripleO::Services::Ec2Api: ../../puppet/services/ec2-api.yaml parameter_defaults: ControllerServices: @@ -45,6 +46,7 @@ parameter_defaults: - OS::TripleO::Services::BarbicanApi - OS::TripleO::Services::MongoDb - OS::TripleO::Services::Zaqar + - OS::TripleO::Services::Ec2Api ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml index d2fc59c6..ff4ecfbe 100644 --- a/environments/enable-internal-tls.yaml +++ b/environments/enable-internal-tls.yaml @@ -2,9 +2,18 @@ # a TLS for in the internal network via certmonger parameter_defaults: EnableInternalTLS: true + + # Required for novajoin to enroll the overcloud nodes + ServerMetadata: + ipa_enroll: True + resource_registry: OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml # We use apache as a TLS proxy OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml + + # Creates nova metadata that will create the extra service principals per + # node. + OS::TripleO::ServiceServerMetadataHook: ../extraconfig/nova_metadata/krb-service-principals.yaml diff --git a/environments/horizon_password_validation.yaml b/environments/horizon_password_validation.yaml new file mode 100644 index 00000000..1a0f92cc --- /dev/null +++ b/environments/horizon_password_validation.yaml @@ -0,0 +1,5 @@ +# Use this enviroment to pass in validation regex for horizons password +# validation checks +parameter_defaults: + HorizonPasswordValidator: '.*' + HorizonPasswordValidatorHelp: 'Your password does not meet the requirements.' diff --git a/environments/services/ceph-rbdmirror.yaml b/environments/services/ceph-rbdmirror.yaml new file mode 100644 index 00000000..b350e4c5 --- /dev/null +++ b/environments/services/ceph-rbdmirror.yaml @@ -0,0 +1,2 @@ +resource_registry: + OS::TripleO::Services::CephRbdMirror: ../../puppet/services/pacemaker/ceph-rbdmirror.yaml diff --git a/environments/services/ec2-api.yaml b/environments/services/ec2-api.yaml new file mode 100644 index 00000000..d751ba23 --- /dev/null +++ b/environments/services/ec2-api.yaml @@ -0,0 +1,3 @@ +# A Heat environment file which can be used to enable EC2-API service. +resource_registry: + OS::TripleO::Services::Ec2Api: ../../puppet/services/ec2-api.yaml diff --git a/environments/tls-endpoints-public-dns.yaml b/environments/tls-endpoints-public-dns.yaml index 74c9f61d..a02c479a 100644 --- a/environments/tls-endpoints-public-dns.yaml +++ b/environments/tls-endpoints-public-dns.yaml @@ -17,6 +17,9 @@ parameter_defaults: CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} + Ec2ApiAdmin: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'} + Ec2ApiInternal: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'} + Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'CLOUDNAME'} GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} @@ -55,6 +58,9 @@ parameter_defaults: NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} + OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} + OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} + OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'} PankoAdmin: {protocol: 'http', port: '8779', host: 'IP_ADDRESS'} PankoInternal: {protocol: 'http', port: '8779', host: 'IP_ADDRESS'} PankoPublic: {protocol: 'https', port: '13779', host: 'CLOUDNAME'} diff --git a/environments/tls-endpoints-public-ip.yaml b/environments/tls-endpoints-public-ip.yaml index 17ff2feb..bf4d4f41 100644 --- a/environments/tls-endpoints-public-ip.yaml +++ b/environments/tls-endpoints-public-ip.yaml @@ -17,6 +17,9 @@ parameter_defaults: CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'} + Ec2ApiAdmin: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'} + Ec2ApiInternal: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'} + Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'IP_ADDRESS'} GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'} @@ -55,6 +58,9 @@ parameter_defaults: NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'} + OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} + OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} + OctaviaPublic: {protocol: 'https', port: '13876', host: 'IP_ADDRESS'} PankoAdmin: {protocol: 'http', port: '8779', host: 'IP_ADDRESS'} PankoInternal: {protocol: 'http', port: '8779', host: 'IP_ADDRESS'} PankoPublic: {protocol: 'https', port: '13779', host: 'IP_ADDRESS'} diff --git a/environments/tls-everywhere-endpoints-dns.yaml b/environments/tls-everywhere-endpoints-dns.yaml index 0aa2be08..6193dde5 100644 --- a/environments/tls-everywhere-endpoints-dns.yaml +++ b/environments/tls-everywhere-endpoints-dns.yaml @@ -17,6 +17,9 @@ parameter_defaults: CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} + Ec2ApiAdmin: {protocol: 'https', port: '8788', host: 'CLOUDNAME'} + Ec2ApiInternal: {protocol: 'https', port: '8788', host: 'CLOUDNAME'} + Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'CLOUDNAME'} GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} @@ -55,6 +58,9 @@ parameter_defaults: NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} + OctaviaAdmin: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'} + OctaviaInternal: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'} + OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'} PankoAdmin: {protocol: 'https', port: '8779', host: 'CLOUDNAME'} PankoInternal: {protocol: 'https', port: '8779', host: 'CLOUDNAME'} PankoPublic: {protocol: 'https', port: '13779', host: 'CLOUDNAME'} diff --git a/extraconfig/nova_metadata/krb-service-principals.yaml b/extraconfig/nova_metadata/krb-service-principals.yaml new file mode 100644 index 00000000..c66e6460 --- /dev/null +++ b/extraconfig/nova_metadata/krb-service-principals.yaml @@ -0,0 +1,84 @@ +heat_template_version: ocata +description: 'Generates the relevant service principals for a server' + +parameters: + RoleData: + type: json + description: the list containing the 'role_data' output for the ServiceChain + + # Coming from parameter_defaults + CloudName: + default: overcloud.localdomain + description: The DNS name of this cloud. E.g. ci-overcloud.tripleo.org + type: string + CloudNameInternal: + default: overcloud.internalapi.localdomain + description: > + The DNS name of this cloud's internal API endpoint. E.g. + 'ci-overcloud.internalapi.tripleo.org'. + type: string + CloudNameStorage: + default: overcloud.storage.localdomain + description: > + The DNS name of this cloud's storage endpoint. E.g. + 'ci-overcloud.storage.tripleo.org'. + type: string + CloudNameStorageManagement: + default: overcloud.storagemgmt.localdomain + description: > + The DNS name of this cloud's storage management endpoint. E.g. + 'ci-overcloud.storagemgmt.tripleo.org'. + type: string + CloudNameCtlplane: + default: overcloud.ctlplane.localdomain + description: > + The DNS name of this cloud's storage management endpoint. E.g. + 'ci-overcloud.management.tripleo.org'. + type: string + +resources: + + IncomingMetadataSettings: + type: OS::Heat::Value + properties: + value: + yaql: + # Filter null values and values that contain don't contain + # 'metadata_settings', get the values from that key and get the + # unique ones. + expression: list($.data.where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct()) + data: {get_param: RoleData} + + # Generates entries for nova metadata with the following format: + # 'managed_service_<id>' : <service>/<fqdn> + # Depending on the requested network + IndividualServices: + type: OS::Heat::Value + properties: + value: + yaql: + expression: let(fqdns => $.data.fqdns) -> dict($.data.metadata.where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))])) + data: + metadata: {get_attr: [IncomingMetadataSettings, value]} + fqdns: + external: {get_param: CloudName} + internal_api: {get_param: CloudNameInternal} + storage: {get_param: CloudNameStorage} + storage_mgmt: {get_param: CloudNameStorageManagement} + ctlplane: {get_param: CloudNameCtlplane} + + CompactServices: + type: OS::Heat::Value + properties: + value: + yaql: + expression: dict($.data.where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1])) + data: {get_attr: [IncomingMetadataSettings, value]} + +outputs: + metadata: + description: actual metadata entries that will be passed to the server. + value: + map_merge: + - {get_attr: [IndividualServices, value]} + - compact_services: {get_attr: [CompactServices, value]} diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh index 74af7b02..edcc9e8e 100755 --- a/extraconfig/tasks/yum_update.sh +++ b/extraconfig/tasks/yum_update.sh @@ -42,7 +42,7 @@ if [[ "$list_updates" == "" ]]; then exit 0 fi -pacemaker_status=$(systemctl is-active pacemaker) +pacemaker_status=$(systemctl is-active pacemaker || :) # Fix the redis/rabbit resource start/stop timeouts. See https://bugs.launchpad.net/tripleo/+bug/1633455 # and https://bugs.launchpad.net/tripleo/+bug/1634851 diff --git a/network/endpoints/endpoint_data.yaml b/network/endpoints/endpoint_data.yaml index 5a7bdda9..1b2f842c 100644 --- a/network/endpoints/endpoint_data.yaml +++ b/network/endpoints/endpoint_data.yaml @@ -28,6 +28,15 @@ Ceilometer: net_param: CeilometerApi port: 8777 +Ec2Api: + Internal: + net_param: Ec2Api + Public: + net_param: Public + Admin: + net_param: Ec2Api + port: 8788 + Gnocchi: Internal: net_param: GnocchiApi @@ -305,3 +314,12 @@ ZaqarWebSocket: net_param: ZaqarApi port: 9000 protocol: ws + +Octavia: + Internal: + net_param: OctaviaApi + Public: + net_param: Public + Admin: + net_param: OctaviaApi + port: 9876 diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml index 8ce62484..2d60df8b 100644 --- a/network/endpoints/endpoint_map.yaml +++ b/network/endpoints/endpoint_map.yaml @@ -34,6 +34,9 @@ parameters: CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS} CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS} CinderPublic: {protocol: http, port: '8776', host: IP_ADDRESS} + Ec2ApiAdmin: {protocol: http, port: '8788', host: IP_ADDRESS} + Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS} + Ec2ApiPublic: {protocol: http, port: '8788', host: IP_ADDRESS} GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS} GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS} GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS} @@ -72,6 +75,9 @@ parameters: NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS} NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS} NovaVNCProxyPublic: {protocol: http, port: '6080', host: IP_ADDRESS} + OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS} + OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS} + OctaviaPublic: {protocol: http, port: '9876', host: IP_ADDRESS} PankoAdmin: {protocol: http, port: '8779', host: IP_ADDRESS} PankoInternal: {protocol: http, port: '8779', host: IP_ADDRESS} PankoPublic: {protocol: http, port: '8779', host: IP_ADDRESS} @@ -1810,6 +1816,249 @@ outputs: template: NETWORK_uri - ':' - get_param: [EndpointMap, CinderPublic, port] + Ec2ApiAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, Ec2ApiNetwork] + port: + get_param: [EndpointMap, Ec2ApiAdmin, port] + protocol: + get_param: [EndpointMap, Ec2ApiAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiAdmin, port] + Ec2ApiInternal: + host: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, Ec2ApiNetwork] + port: + get_param: [EndpointMap, Ec2ApiInternal, port] + protocol: + get_param: [EndpointMap, Ec2ApiInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiInternal, port] + Ec2ApiPublic: + host: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, Ec2ApiPublic, port] + protocol: + get_param: [EndpointMap, Ec2ApiPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiPublic, port] GlanceAdmin: host: str_replace: @@ -5487,6 +5736,249 @@ outputs: template: NETWORK_uri - ':' - get_param: [EndpointMap, NovaVNCProxyPublic, port] + OctaviaAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, OctaviaAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, OctaviaAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, OctaviaApiNetwork] + port: + get_param: [EndpointMap, OctaviaAdmin, port] + protocol: + get_param: [EndpointMap, OctaviaAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaAdmin, port] + OctaviaInternal: + host: + str_replace: + template: + get_param: [EndpointMap, OctaviaInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, OctaviaInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, OctaviaApiNetwork] + port: + get_param: [EndpointMap, OctaviaInternal, port] + protocol: + get_param: [EndpointMap, OctaviaInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaInternal, port] + OctaviaPublic: + host: + str_replace: + template: + get_param: [EndpointMap, OctaviaPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, OctaviaPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, OctaviaPublic, port] + protocol: + get_param: [EndpointMap, OctaviaPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaPublic, port] PankoAdmin: host: str_replace: diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml index cb4f464a..390b18b4 100644 --- a/network/service_net_map.j2.yaml +++ b/network/service_net_map.j2.yaml @@ -41,6 +41,7 @@ parameters: KeystonePublicApiNetwork: internal_api ManilaApiNetwork: internal_api NeutronApiNetwork: internal_api + OctaviaApiNetwork: internal_api HeatApiNetwork: internal_api HeatApiCfnNetwork: internal_api HeatApiCloudwatchNetwork: internal_api @@ -48,6 +49,8 @@ parameters: NovaPlacementNetwork: internal_api NovaMetadataNetwork: internal_api NovaVncProxyNetwork: internal_api + Ec2ApiNetwork: internal_api + Ec2ApiMetadataNetwork: internal_api SwiftStorageNetwork: storage_mgmt SwiftProxyNetwork: storage SaharaApiNetwork: internal_api diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 0612b186..7c4e78fa 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -119,6 +119,7 @@ resource_registry: OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CephMds: OS::Heat::None OS::TripleO::Services::CephMon: OS::Heat::None + OS::TripleO::Services::CephRbdMirror: OS::Heat::None OS::TripleO::Services::CephRgw: OS::Heat::None OS::TripleO::Services::CephOSD: OS::Heat::None OS::TripleO::Services::CephClient: OS::Heat::None @@ -237,6 +238,7 @@ resource_registry: OS::TripleO::Services::NeutronML2FujitsuFossw: OS::Heat::None OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None OS::TripleO::Services::Etcd: OS::Heat::None + OS::TripleO::Services::Ec2Api: OS::Heat::None parameter_defaults: EnablePackageInstall: false diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml index 433b03a0..eae85991 100644 --- a/puppet/major_upgrade_steps.j2.yaml +++ b/puppet/major_upgrade_steps.j2.yaml @@ -1,3 +1,4 @@ +{% set upgrade_steps_max = 8 -%} heat_template_version: ocata description: 'Upgrade steps for all roles' @@ -15,26 +16,94 @@ parameters: Setting to a previously unused value during stack-update will trigger the Upgrade resources to re-run on all roles. +conditions: + # Conditions to disable any steps where the task list is empty +{% for step in range(0, upgrade_steps_max) %} + {% for role in roles %} + UpgradeBatchConfig_Step{{step}}Enabled: + not: + equals: + - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} + - [] + UpgradeConfig_Step{{step}}Enabled: + not: + equals: + - {get_param: [role_data, {{role.name}}, upgrade_tasks]} + - [] + {% endfor %} +{% endfor %} + resources: +# Upgrade Steps for all roles, batched updates +# FIXME(shardy): would be nice to make the number of steps configurable +{% for step in range(0, upgrade_steps_max) %} + {% for role in roles %} + # Step {{step}} resources + {{role.name}}UpgradeBatchConfig_Step{{step}}: + type: OS::TripleO::UpgradeConfig + condition: UpgradeBatchConfig_Step{{step}}Enabled + # The UpgradeConfig resources could actually be created without + # serialization, but the event output is easier to follow if we + # do, and there should be minimal performance hit (creating the + # config is cheap compared to the time to apply the deployment). + {% if step > 0 %} + depends_on: + {% for dep in roles %} + - {{dep.name}}UpgradeBatch_Step{{step -1}} + {% endfor %} + {% endif %} + properties: + UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} + step: {{step}} + + {{role.name}}UpgradeBatch_Step{{step}}: + type: OS::Heat::StructuredDeploymentGroup + condition: UpgradeBatchConfig_Step{{step}}Enabled + {% if step > 0 %} + depends_on: + {% for dep in roles %} + - {{dep.name}}UpgradeBatch_Step{{step -1}} + {% endfor %} + {% endif %} + update_policy: + batch_create: + max_batch_size: {{role.upgrade_batch_size|default(1)}} + rolling_update: + max_batch_size: {{role.upgrade_batch_size|default(1)}} + properties: + name: {{role.name}}UpgradeBatch_Step{{step}} + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}UpgradeBatchConfig_Step{{step}}} + input_values: + role: {{role.name}} + update_identifier: {get_param: UpdateIdentifier} + {% endfor %} +{% endfor %} + # Upgrade Steps for all roles # FIXME(shardy): would be nice to make the number of steps configurable -{% for step in range(0, 8) %} +{% for step in range(0, upgrade_steps_max) %} {% for role in roles %} # Step {{step}} resources {{role.name}}UpgradeConfig_Step{{step}}: type: OS::TripleO::UpgradeConfig + condition: UpgradeConfig_Step{{step}}Enabled # The UpgradeConfig resources could actually be created without # serialization, but the event output is easier to follow if we # do, and there should be minimal performance hit (creating the # config is cheap compared to the time to apply the deployment). - {% if step > 0 %} depends_on: + {% if step > 0 %} {% for dep in roles %} {% if not dep.disable_upgrade_deployment|default(false) %} - {{dep.name}}Upgrade_Step{{step -1}} {% endif %} {% endfor %} + {% else %} + {% for dep in roles %} + - {{dep.name}}UpgradeBatch_Step{{upgrade_steps_max -1}} + {% endfor %} {% endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} @@ -42,13 +111,18 @@ resources: {% if not role.disable_upgrade_deployment|default(false) %} {{role.name}}Upgrade_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup - {% if step > 0 %} + condition: UpgradeConfig_Step{{step}}Enabled depends_on: + {% if step > 0 %} {% for dep in roles %} {% if not dep.disable_upgrade_deployment|default(false) %} - {{dep.name}}Upgrade_Step{{step -1}} {% endif %} {% endfor %} + {% else %} + {% for dep in roles %} + - {{dep.name}}UpgradeBatch_Step{{upgrade_steps_max -1}} + {% endfor %} {% endif %} properties: name: {{role.name}}Upgrade_Step{{step}} diff --git a/puppet/services/README.rst b/puppet/services/README.rst index 6e4e9c1d..34cb350b 100644 --- a/puppet/services/README.rst +++ b/puppet/services/README.rst @@ -49,6 +49,28 @@ are re-asserted when applying latter ones. 5) Service activation (Pacemaker) +Batch Upgrade Steps +------------------- + +Each service template may optionally define a `upgrade_batch_tasks` key, which +is a list of ansible tasks to be performed during the upgrade process. + +Similar to the step_config, we allow a series of steps for the per-service +upgrade sequence, defined as ansible tasks with a tag e.g "step1" for the first +step, "step2" for the second, etc. Note that each step is performed in batches, +then we move on to the next step which is also performed in batches (we don't +perform all steps on one node, then move on to the next one which means you +can sequence rolling upgrades of dependent services via the step value). + +The tasks performed at each step is service specific, but note that all batch +upgrade steps are performed before the `upgrade_tasks` described below. This +means that all services that support rolling upgrades can be upgraded without +downtime during `upgrade_batch_tasks`, then any remaining services are stopped +and upgraded during `upgrade_tasks` + +The default batch size is 1, but this can be overridden for each role via the +`upgrade_batch_size` option in roles_data.yaml + Upgrade Steps ------------- diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index 4e735b45..62c4b093 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -83,3 +83,12 @@ outputs: get_attr: [AodhBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::aodh::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop aodh_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped + - name: Run aodh dbsync + tags: step5 + command: aodh-dbsync diff --git a/puppet/services/aodh-evaluator.yaml b/puppet/services/aodh-evaluator.yaml index 61f8c23f..bd87bf86 100644 --- a/puppet/services/aodh-evaluator.yaml +++ b/puppet/services/aodh-evaluator.yaml @@ -40,3 +40,7 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::evaluator + upgrade_tasks: + - name: Stop aodh_evaluator service + tags: step2 + service: name=openstack-aodh-evaluator state=stopped diff --git a/puppet/services/aodh-listener.yaml b/puppet/services/aodh-listener.yaml index 715165b3..606131ee 100644 --- a/puppet/services/aodh-listener.yaml +++ b/puppet/services/aodh-listener.yaml @@ -40,3 +40,7 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::listener + upgrade_tasks: + - name: Stop aodh_listener service + tags: step2 + service: name=openstack-aodh-listener state=stopped diff --git a/puppet/services/aodh-notifier.yaml b/puppet/services/aodh-notifier.yaml index da85581b..666e641f 100644 --- a/puppet/services/aodh-notifier.yaml +++ b/puppet/services/aodh-notifier.yaml @@ -40,3 +40,7 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::notifier + upgrade_tasks: + - name: Stop aodh_notifier service + tags: step2 + service: name=openstack-aodh-notifier state=stopped diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml index 07ec1b3c..97d6ff8e 100644 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ b/puppet/services/apache-internal-tls-certmonger.yaml @@ -21,6 +21,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + ApacheNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the Apache role. @@ -38,13 +54,12 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [ApacheNetworks, value]} + metadata_settings: + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 2e95dcb0..82e0c5ff 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -64,3 +64,5 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" + metadata_settings: + get_attr: [ApacheTLS, role_data, metadata_settings] diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index 000a744c..4e420750 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -136,11 +136,13 @@ outputs: nova::compute::barbican_endpoint: get_param: [EndpointMap, BarbicanInternal, uri] nova::compute::barbican_auth_endpoint: - get_param: [EndpointMap, KeystoneV3Internal, uri] + get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] cinder_api: cinder::api::keymgr_api_class: > castellan.key_manager.barbican_key_manager.BarbicanKeyManager cinder::api::keymgr_encryption_api_url: get_param: [EndpointMap, BarbicanInternal, uri] cinder::api::keymgr_encryption_auth_url: - get_param: [EndpointMap, KeystoneV3Internal, uri] + get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/ceilometer-agent-central.yaml b/puppet/services/ceilometer-agent-central.yaml index b9d8966c..99982db9 100644 --- a/puppet/services/ceilometer-agent-central.yaml +++ b/puppet/services/ceilometer-agent-central.yaml @@ -54,3 +54,7 @@ outputs: - ceilometer_redis_password: {get_param: RedisPassword} step_config: | include ::tripleo::profile::base::ceilometer::agent::central + upgrade_tasks: + - name: Stop ceilometer_agent_central service + tags: step2 + service: name=openstack-ceilometer-central state=stopped diff --git a/puppet/services/ceilometer-agent-compute.yaml b/puppet/services/ceilometer-agent-compute.yaml index b666b86b..d2d299be 100644 --- a/puppet/services/ceilometer-agent-compute.yaml +++ b/puppet/services/ceilometer-agent-compute.yaml @@ -48,3 +48,7 @@ outputs: - ceilometer::agent::compute::instance_discovery_method: {get_param: InstanceDiscoveryMethod} step_config: | include ::tripleo::profile::base::ceilometer::agent::compute + upgrade_tasks: + - name: Stop ceilometer_agent_compute service + tags: step2 + service: name=openstack-ceilometer-compute state=stopped diff --git a/puppet/services/ceilometer-agent-notification.yaml b/puppet/services/ceilometer-agent-notification.yaml index 9c9a3bd9..4cd7c431 100644 --- a/puppet/services/ceilometer-agent-notification.yaml +++ b/puppet/services/ceilometer-agent-notification.yaml @@ -49,3 +49,7 @@ outputs: get_attr: [CeilometerServiceBase, role_data, config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::notification + upgrade_tasks: + - name: Stop ceilometer_agent_notification service + tags: step2 + service: name=openstack-ceilometer-notification state=stopped diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 63e02d4f..cd0c46e1 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -90,3 +90,12 @@ outputs: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop ceilometer_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped + - name: Run ceilometer upgrade + tags: step5 + command: ceilometer-upgrade --config-file=/etc/ceilometer/ceilometer.conf --skip-gnocchi-resource-types diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml index 88e7d781..5250c2c8 100644 --- a/puppet/services/ceilometer-collector.yaml +++ b/puppet/services/ceilometer-collector.yaml @@ -59,3 +59,7 @@ outputs: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::collector + upgrade_tasks: + - name: Stop ceilometer_collector service + tags: step2 + service: name=openstack-ceilometer-collector state=stopped diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml index aaa9b039..134f47c4 100644 --- a/puppet/services/ceph-external.yaml +++ b/puppet/services/ceph-external.yaml @@ -89,23 +89,23 @@ outputs: ceph::profile::params::fsid: {get_param: CephClusterFSID} ceph::profile::params::rbd_default_features: {get_param: RbdDefaultFeatures} ceph::profile::params::client_keys: - str_replace: - template: "{ - client.CLIENT_USER: { - secret: 'CLIENT_KEY', - mode: '0644', - cap_mon: 'allow r', - cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' - } - }" - params: - CLIENT_USER: {get_param: CephClientUserName} - CLIENT_KEY: {get_param: CephClientKey} - NOVA_POOL: {get_param: NovaRbdPoolName} - CINDER_POOL: {get_param: CinderRbdPoolName} - CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} - GLANCE_POOL: {get_param: GlanceRbdPoolName} - GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + map_replace: + - CEPH_CLIENT_KEY: + secret: {get_param: CephClientKey} + mode: '0644' + cap_mon: 'allow r' + cap_osd: + str_replace: + template: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' + params: + NOVA_POOL: {get_param: NovaRbdPoolName} + CINDER_POOL: {get_param: CinderRbdPoolName} + CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} + GLANCE_POOL: {get_param: GlanceRbdPoolName} + GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + - keys: + CEPH_CLIENT_KEY: + list_join: ['.', ['client', {get_param: CephClientUserName}]] ceph::profile::params::manage_repo: false # FIXME(gfidente): we should not have to list the packages explicitly in # the templates, but this should stay until the following is fixed: diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index 68ad69b7..1ce58335 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml @@ -113,3 +113,27 @@ outputs: get_attr: [CephBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceph::mon + upgrade_batch_tasks: + # Note we perform these tasks in list order, but they are all step0 so + # we can perform a rolling upgrade of all mon nodes in step0, then a + # rolling upgrade of all osd nodes in step1 + - name: Check status + tags: step0,validation + shell: ceph health | grep -qv HEALTH_ERR + # FIXME(shardy) I suspect we can use heat or ansible facts here instead? + - name: Get hostname + tags: step0 + shell: hostname -s + register: mon_id + - name: Stop Ceph Mon + tags: step0 + service: name=ceph-mon@{{mon_id.stdout}} pattern=ceph-mon state=stopped + - name: Update ceph packages + tags: step0 + yum: name=ceph-mon state=latest + - name: Start ceph-mon service + tags: step0 + service: name=ceph-mon@{{mon_id.stdout}} state=started + - name: ceph osd crush tunables default + tags: step0 + shell: ceph osd crush tunables default diff --git a/puppet/services/ceph-osd.yaml b/puppet/services/ceph-osd.yaml index df0ee6c3..98f83d08 100644 --- a/puppet/services/ceph-osd.yaml +++ b/puppet/services/ceph-osd.yaml @@ -45,3 +45,47 @@ outputs: - '6800-7300' step_config: | include ::tripleo::profile::base::ceph::osd + upgrade_batch_tasks: + - name: Check status + tags: step1,validation + shell: ceph health | grep -qv HEALTH_ERR + - name: Get OSD IDs + tags: step1 + shell: ls /var/lib/ceph/osd | awk 'BEGIN { FS = "-" } ; { print $2 }' + register: osd_ids + # "so that mirrors aren't rebalanced as if the OSD died" - gfidente / leseb + - name: ceph osd set noout + tags: step1 + command: ceph osd set noout + - name: ceph osd set norebalance + tags: step1 + command: ceph osd set norebalance + - name: ceph osd set nodeep-scrub + tags: step1 + command: ceph osd set nodeep-scrub + - name: ceph osd set noscrub + tags: step1 + command: ceph osd set noscrub + - name: Stop Ceph OSD + tags: step1 + service: name=ceph-osd@$item state=stopped + with_items: "{{osd_ids.stdout.strip().split()}}" + - name: Update ceph OSD packages + tags: step1 + yum: name=ceph-osd state=latest + - name: Start ceph-osd service + tags: step1 + service: name=ceph-osd@$item state=started + with_items: "{{osd_ids.stdout.strip().split()}}" + - name: ceph osd unset noout + tags: step1 + command: ceph osd unset noout + - name: ceph osd unset norebalance + tags: step1 + command: ceph osd unset norebalance + - name: ceph osd unset nodeep-scrub + tags: step1 + command: ceph osd unset nodeep-scrub + - name: ceph osd unset noscrub + tags: step1 + command: ceph osd unset noscrub diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index eee04ce0..e3c96325 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -146,7 +146,12 @@ outputs: cinder::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: + - name: "PreUpgrade step0: Check service openstack-cinder-api is running" + shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: check for cinder running under apache (post upgrade) tags: step2 shell: "apachectl -t -D DUMP_VHOSTS | grep -q cinder" diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 8290cae7..63ec4446 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -66,3 +66,10 @@ outputs: mongodb::server::bind_ip: {get_param: [ServiceNetMap, MongodbNetwork]} step_config: | include ::tripleo::profile::base::database::mongodb + upgrade_tasks: + - name: Stop mongodb service + tags: step2 + service: name=mongod state=stopped + - name: Start mongodb service + tags: step4 + service: name=mongod state=started diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml index 56d037e7..9f7eaf57 100644 --- a/puppet/services/database/mysql-internal-tls-certmonger.yaml +++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml @@ -41,3 +41,7 @@ outputs: template: "mysql/%{hiera('cloud_name_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + metadata_settings: + - service: mysql + network: {get_param: [ServiceNetMap, MysqlNetwork]} + type: vip diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 7e12894f..8c4042d9 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -104,4 +104,6 @@ outputs: - name: Start service tags: step4 service: name=mariadb state=started + metadata_settings: + get_attr: [MySQLTLS, role_data, metadata_settings] diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml new file mode 100644 index 00000000..7049d773 --- /dev/null +++ b/puppet/services/ec2-api.yaml @@ -0,0 +1,118 @@ +heat_template_version: ocata + +description: > + OpenStack EC2-API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + Ec2ApiWorkers: + default: 0 + description: Number of workers for EC2-API service. + type: number + Ec2ApiPassword: + description: The password for the nova service and db account, used by nova-api. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + MonitoringSubscriptionEc2Api: + default: 'overcloud-ec2-api' + type: string + Ec2ApiLoggingSource: + type: json + default: + tag: openstack.ec2.api + path: /var/log/ec2api/ec2api.log + EnablePackageInstall: + default: 'false' + description: Set to true to enable package installation via Puppet + type: boolean + + +conditions: + nova_workers_zero: {equals : [{get_param: Ec2ApiWorkers}, 0]} + +outputs: + role_data: + description: Role data for the EC2-API service. + value: + service_name: ec2_api + monitoring_subscription: {get_param: MonitoringSubscriptionEc2Api} + logging_source: {get_param: Ec2ApiLoggingSource} + logging_groups: + - nova + config_settings: + map_merge: + - tripleo.ec2_api.firewall_rules: + '113 ec2_api': + dport: + - 8788 + - 13788 + ec2api::keystone::authtoken::project_name: 'service' + ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword} + ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + ec2api::api::enabled: true + ec2api::package_manage: {get_param: EnablePackageInstall} + ec2api::api::ec2api_listen: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, Ec2ApiNetwork]} + ec2api::metadata::metadata_listen: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, Ec2ApiMetadataNetwork]} + ec2api::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://ec2_api:' + - {get_param: Ec2ApiPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/ec2_api' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - + if: + - nova_workers_zero + - {} + - ec2api::api::ec2api_workers: {get_param: Ec2ApiWorkers} + ec2api::metadata::metadata_workers: {get_param: Ec2ApiWorkers} + step_config: | + include tripleo::profile::base::nova::ec2api + service_config_settings: + keystone: + ec2api::keystone::auth::tenant: 'service' + ec2api::keystone::auth::public_url: {get_param: [EndpointMap, Ec2ApiPublic, uri]} + ec2api::keystone::auth::internal_url: {get_param: [EndpointMap, Ec2ApiInternal, uri]} + ec2api::keystone::auth::admin_url: {get_param: [EndpointMap, Ec2ApiAdmin, uri]} + ec2api::keystone::auth::password: {get_param: Ec2ApiPassword} + ec2api::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + ec2api::db::mysql::password: {get_param: Ec2ApiPassword} + ec2api::db::mysql::user: ec2_api + ec2api::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ec2api::db::mysql::dbname: ec2_api + ec2api::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 3929e005..bb2ff581 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -131,3 +131,12 @@ outputs: gnocchi::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop gnocchi_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped + - name: Run gnocchi upgrade + tags: step5 + command: gnocchi-upgrade diff --git a/puppet/services/gnocchi-metricd.yaml b/puppet/services/gnocchi-metricd.yaml index e5f9a8e7..d888e2a4 100644 --- a/puppet/services/gnocchi-metricd.yaml +++ b/puppet/services/gnocchi-metricd.yaml @@ -22,7 +22,7 @@ parameters: default: 'overcloud-gnocchi-metricd' type: string GnocchiMetricdWorkers: - default: '' + default: '%{::os_workers}' description: Number of workers for Gnocchi MetricD type: string @@ -46,3 +46,7 @@ outputs: - gnocchi::metricd::workers: {get_param: GnocchiMetricdWorkers} step_config: | include ::tripleo::profile::base::gnocchi::metricd + upgrade_tasks: + - name: Stop gnocchi_metricd service + tags: step2 + service: name=openstack-gnocchi-metricd state=stopped diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml index df438b37..d5012cb9 100644 --- a/puppet/services/gnocchi-statsd.yaml +++ b/puppet/services/gnocchi-statsd.yaml @@ -45,3 +45,7 @@ outputs: proto: 'udp' step_config: | include ::tripleo::profile::base::gnocchi::statsd + upgrade_tasks: + - name: Stop gnocchi_statsd service + tags: step2 + service: name=openstack-gnocchi-statsd state=stopped diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml index 77457593..ae226163 100644 --- a/puppet/services/haproxy-internal-tls-certmonger.yaml +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -19,6 +19,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + HAProxyNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the HAProxy internal TLS via certmonger role. @@ -39,13 +55,12 @@ outputs: postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [HAProxyNetworks, value]} + metadata_settings: + repeat: + template: + - service: haproxy + network: $NETWORK + type: vip + for_each: + $NETWORK: {get_attr: [HAProxyNetworks, value]} diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml index 227697b9..6013b026 100644 --- a/puppet/services/haproxy-public-tls-certmonger.yaml +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -35,3 +35,7 @@ outputs: hostname: "%{hiera('cloud_name_external')}" postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_external')}" + metadata_settings: + - service: haproxy + network: external + type: vip diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 9049c901..981a08d2 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -84,3 +84,9 @@ outputs: - name: Start haproxy service tags: step4 # Needed at step 4 for mysql service: name=haproxy state=started + metadata_settings: + yaql: + expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))' + data: + public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} + internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]} diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index cf35d202..2111021b 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -27,6 +27,14 @@ parameters: description: A list of IP/Hostname for the server Horizon is running on. Used for header checks. type: comma_delimited_list + HorizonPasswordValidator: + description: Regex for password validation + type: string + default: '' + HorizonPasswordValidatorHelp: + description: Help text for password validation + type: string + default: '' HorizonSecret: description: Secret key for Django type: string @@ -71,6 +79,8 @@ outputs: options: ['FollowSymLinks','MultiViews'] horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::password_validator: {get_param: [HorizonPasswordValidator]} + horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: yaql: expression: $.data.passwords.where($ != '').first() diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index aebb37b2..ff91eb63 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -81,3 +81,7 @@ outputs: ironic::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + upgrade_tasks: + - name: Stop ironic_api service + tags: step2 + service: name=openstack-ironic-api state=stopped diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index 194afec7..a10c03a5 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -98,3 +98,10 @@ outputs: step_config: | include ::tripleo::profile::base::ironic::conductor + upgrade_tasks: + - name: Stop ironic_conductor service + tags: step2 + service: name=openstack-ironic-conductor state=stopped + - name: Sync ironic_conductor DB + tags: step5 + command: ironic-dbsync diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 434f0a33..b989d502 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -313,3 +313,8 @@ outputs: - name: Sync keystone DB tags: step5 command: keystone-manage db_sync + - name: Start keystone service (running under httpd) + tags: step6 + service: name=httpd state=started + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml index 5e7de18e..bb4742c9 100644 --- a/puppet/services/neutron-dhcp.yaml +++ b/puppet/services/neutron-dhcp.yaml @@ -39,6 +39,10 @@ parameters: default: tag: openstack.neutron.agent.dhcp path: /var/log/neutron/dhcp-agent.log + NeutronDhcpAgentDnsmasqDnsServers: + default: [] + description: List of servers to use as dnsmasq forwarders + type: comma_delimited_list resources: @@ -64,6 +68,7 @@ outputs: - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata} neutron::agents::dhcp::enable_force_metadata: {get_param: NeutronEnableForceMetadata} neutron::agents::dhcp::enable_metadata_network: {get_param: NeutronEnableMetadataNetwork} + neutron::agents::dhcp::dnsmasq_dns_servers: {get_param: NeutronDhcpAgentDnsmasqDnsServers} tripleo.neutron_dhcp.firewall_rules: '115 neutron dhcp input': proto: 'udp' diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 36ac3e08..892e63dd 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -165,3 +165,5 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml new file mode 100644 index 00000000..4c6f4c37 --- /dev/null +++ b/puppet/services/octavia-api.yaml @@ -0,0 +1,97 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia API service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OctaviaPassword: + description: The password for the Octavia's database account. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + MonitoringSubscriptionOctaviaApi: + default: 'overcloud-octavia-api' + type: string + OctaviaApiLoggingSource: + type: json + default: + tag: openstack.octavia.api + path: /var/log/octavia/api.log + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia API service. + value: + service_name: octavia_api + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi} + logging_source: {get_param: OctaviaApiLoggingSource} + logging_groups: + - octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + octavia::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://octavia:' + - {get_param: OctaviaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/octavia' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + octavia::keystone::authtoken::project_name: 'service' + octavia::api::sync_db: true + tripleo.octavia_api.firewall_rules: + '120 octavia api': + dport: + - 9876 + - 13876 + octavia::host: {get_param: [ServiceNetMap, OctaviaApiNetwork]} + step_config: | + include tripleo::profile::base::octavia::api + service_config_settings: + keystone: + octavia::keystone::auth::tenant: 'service' + octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]} + octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] } + octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] } + octavia::keystone::auth::password: {get_param: OctaviaPassword} + octavia::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + octavia::db::mysql::password: {get_param: OctaviaPassword} + octavia::db::mysql::user: octavia + octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + octavia::db::mysql::dbname: octavia + octavia::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml new file mode 100644 index 00000000..b537a2bc --- /dev/null +++ b/puppet/services/octavia-base.yaml @@ -0,0 +1,62 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia base service. Shared for all Octavia services + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + Debug: + type: string + default: '' + description: Set to True to enable debugging on all services. + EnableConfigPurge: + type: boolean + default: true + description: > + Remove configuration that is not generated by TripleO. Setting + to false may result in configuration remnants after updates/upgrades. + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + +outputs: + role_data: + description: Base role data for Octavia services + value: + service_name: octavia_base + config_settings: + octavia::debug: {get_param: Debug} + octavia::purge_config: {get_param: EnableConfigPurge} + octavia::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + tripleo::profile::base::octavia::rabbit_user: {get_param: RabbitUserName} + tripleo::profile::base::octavia::rabbit_password: {get_param: RabbitPassword} + tripleo::profile::base::octavia::rabbit_port: {get_param: RabbitClientPort} + diff --git a/puppet/services/pacemaker/ceph-rbdmirror.yaml b/puppet/services/pacemaker/ceph-rbdmirror.yaml new file mode 100644 index 00000000..7686028d --- /dev/null +++ b/puppet/services/pacemaker/ceph-rbdmirror.yaml @@ -0,0 +1,47 @@ +heat_template_version: ocata + +description: > + Ceph RBD mirror service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephClientUserName: + default: openstack + type: string + +resources: + CephBase: + type: ../ceph-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Ceph RBD mirrror service. + value: + service_name: ceph_rbdmirror + config_settings: + map_merge: + - get_attr: [CephBase, role_data, config_settings] + - tripleo::profile::pacemaker::ceph::rbdmirror::client_name: {get_param: CephClientUserName} + tripleo.ceph_rbdmirror.firewall_rules: + '113 ceph_rbdmirror': + dport: + - '6800-7300' + step_config: | + include ::tripleo::profile::pacemaker::ceph::rbdmirror
\ No newline at end of file diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index 511a01ab..93bf5967 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -53,6 +53,8 @@ outputs: get_param: [ServiceNetMap, MysqlNetwork] step_config: | include ::tripleo::profile::pacemaker::database::mysql + metadata_settings: + get_attr: [MysqlBase, role_data, metadata_settings] upgrade_tasks: - name: Check for galera root password tags: step0 diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml index 50da4119..598deaef 100644 --- a/puppet/services/pacemaker/haproxy.yaml +++ b/puppet/services/pacemaker/haproxy.yaml @@ -40,3 +40,5 @@ outputs: tripleo::haproxy::mysql_clustercheck: true step_config: | include ::tripleo::profile::pacemaker::haproxy + metadata_settings: + get_attr: [LoadbalancerServiceBase, role_data, metadata_settings] diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml index 06284fb2..4b74ad45 100644 --- a/puppet/services/panko-api.yaml +++ b/puppet/services/panko-api.yaml @@ -82,3 +82,5 @@ outputs: get_attr: [PankoBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::panko::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index 90268c78..80da5352 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -118,4 +118,9 @@ outputs: # Note we use distinct() here to filter any identical tasks, e.g yum update for all services expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct() data: {get_attr: [ServiceChain, role_data]} + upgrade_batch_tasks: + yaql: + # Note we use distinct() here to filter any identical tasks, e.g yum update for all services + expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]} diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml index be9d143e..fd6ed818 100644 --- a/puppet/services/snmp.yaml +++ b/puppet/services/snmp.yaml @@ -43,3 +43,7 @@ outputs: proto: 'udp' step_config: | include ::tripleo::profile::base::snmp + upgrade_tasks: + - name: Stop snmp service + tags: step2 + service: name=snmpd state=stopped diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index a7ba7bad..2e3c818f 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -43,6 +43,16 @@ parameters: description: 'Use a local directory for Swift storage services when building rings' type: boolean +conditions: + swift_use_local_dir: + and: + - equals: + - get_param: SwiftUseLocalDir + - true + - equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for Swift Ringbuilder configuration. @@ -59,7 +69,7 @@ outputs: expression: $.data.raw_disk_lists.flatten() data: raw_disk_lists: - - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]} + - {if: [swift_use_local_dir, [':%PORT%/d1'], []]} - repeat: template: ':%PORT%/DEVICE' for_each: diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 08df928d..247b23ff 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -56,6 +56,17 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} +conditions: + swift_mount_check: + or: + - equals: + - get_param: SwiftMountCheck + - true + - not: + equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for the Swift Proxy role. @@ -65,7 +76,7 @@ outputs: config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - - swift::storage::all::mount_check: {get_param: SwiftMountCheck} + - swift::storage::all::mount_check: {if: [swift_mount_check, true, false]} tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage} tripleo.swift_storage.firewall_rules: '123 swift storage': diff --git a/puppet/upgrade_config.yaml b/puppet/upgrade_config.yaml index e892d813..c37cc033 100644 --- a/puppet/upgrade_config.yaml +++ b/puppet/upgrade_config.yaml @@ -11,6 +11,11 @@ parameters: type: string description: Step number of the upgrade + SkipUpgradeConfigTags: + type: comma_delimited_list + description: Ansible tags to skip during upgrade, e.g validation skips pre-upgrade validations + default: [] + resources: AnsibleConfig: @@ -30,6 +35,10 @@ resources: properties: group: ansible options: + skip_tags: + list_join: + - "," + - {get_param: SkipUpgradeConfigTags} tags: str_replace: template: "stepSTEP" diff --git a/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml new file mode 100644 index 00000000..069cbd23 --- /dev/null +++ b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml @@ -0,0 +1,95 @@ +--- +prelude: > + 6.0.0 is the final release for Ocata. + It's the first release where release notes are added. +features: + - Fujitsu Neutron plugin for FOS support. Users can deploy + Neutron with this plugin by using + environments/neutron-ml2-fujitsu-fossw.yaml environment file. + - Expose InstanceDiscoveryMethod parameter to configure Ceilometer + method used to discover instances running on compute node. + Default value to 'libvirt_metadata'. Allowed values are 'naive', + 'libvirt_metadata' and 'workload_partitioning'. + - Make ServiceNetMap support custom network names. + Note that operators will still be expected to pass any ServiceNetMap + overrides with the "new" network name, e.g whatever NetName specifies, + otherwise environment files could get very confusing. + - Nova Placement API support. As this new service is required, deploy it + by default in WSGI with Apache, like other API services. + - Cinder pass-through iSER backend support. + - etcd composable services, used by networking-vpp ML2 driver as the + messaging mechanism. + - Allow to configure cron parameters for Cinder, Heat, Keystone and Nova + crontabs. + - Export NovaDefaultFloatingPool parameter to configure the default pool + of floating IP addressed available. Default to 'public' for backward + compatibility. + - Bump Heat Templates to 'ocata' version, to match Heat requirements. + - Configure OVS agent firewall driver only if NeutronOVSFirewallDriver + is set. + - Expose RbdDefaultFeatures parameter to configure the default features + enabled when creating a block device image. + Only applies to format '2' images. Set to '1' for Jewel clients using + older Ceph servers. + - Cinder HPELeftHandISCSIDriver backend support. + - Pacemaker stopped to manage Ceilometer, Cinder API, + Cinder Scheduler, MongoDB, Glance, Gnocchi, Heat, Apache, Memcached, + Neutron, Nova and Sahara. + - Ceph MDS service support. Service can be enable with + environments/services/ceph-mds.yaml environment file. + - Expose HeatConvergenceEngine and HeatMaxResourcesPerStack parameters + to configure Heat. + - Add pre-network hook and example showing config-then-reboot. + - Expose LibvirtEnabledPerfEvents parameter in Nova Compute service. + Default to an empty array. + This is a performance event list which could be used as monitor. + - Increase libvirt/qemu.conf max_files to 32768 and max_processes to + 131072. + - Split OVN northd and ml2 plugin, so we can deploy OVNDBs and Northd + services on different nodes. + - Add hook to generate metadata from service profiles. + This is useful for nova vendordata plugins that can parse said metadata. + - Expose EventPipelinePublishers to Ceilometer and set the default to + 'notifier://?topic=alarm.all'. + - Add Panko service support. This service is not enabled by default. Use + environments/services/enable-panko.yaml to include it in your deployment. + - Add EC2-API composable service support. +upgrade: + - Update OpenDaylight deployment to use networking-odl v2 as a mechanism + driver. +deprecations: + - Glance Registry service has been removed and Glance API v2 is now deploy + by default. Glance API v1 is not supported anymore in TripleO. + - Remove CeilometerStoreEvents parameter, which has been removed + in Ceilometer. + - Ceilometer API service is deprecated and will be removed in a future + release. If you would like to disable it, use + environments/services/disable-ceilometer-api.yaml environment file. + - Removes deprecated OpenDaylight L2 only deployments. + Deploying ODL without L3 DVR is no longer supported. +security: + - Disallow iframe embed in Horizon configuration to prevent dashboard being + embedded within an iframe and exposed to Cross-Frame Scripting (XFS) + vulnerability on legacy browsers. + - Allow management of enforce_password_check in Horizons configuration to + display an 'Admin Password' field on the Change Password form to verify that + it is indeed the admin logged-in who wants to change the password. + - Allow management of disable_password_reveal in Horizon, to remove the + password reveal option. + - Enable secure_proxy_ssl_header option in Horizons configuration to take + X-Forwarded-Proto header into account when forming URLs. +fixes: + - Fixes `bug 1645898 + <https://bugs.launchpad.net/tripleo/+bug/1645898>`__ so epmd is binded on + the right address, where RabbitMQ is listening too. + - Fixes `bug 1652184 + <https://bugs.launchpad.net/tripleo/+bug/1652184>`__ so swap partitions + can be handled from an environment file thanks to AllNodesExtraConfig. + - Add retry to RHEL registration, useful when having network outages during + registration. + - Fixes `bug 1651476 + <https://bugs.launchpad.net/tripleo/+bug/1651476>`__ so firewall rules + are created for Opendaylight API service. + - Fixes `bug 1643487 + <https://bugs.launchpad.net/tripleo/+bug/1643487>`__ to prevent source + address from binding to a VIP for database connection. diff --git a/releasenotes/notes/composable-upgrades-d9ec7c634365e8e0.yaml b/releasenotes/notes/composable-upgrades-d9ec7c634365e8e0.yaml new file mode 100644 index 00000000..55062b04 --- /dev/null +++ b/releasenotes/notes/composable-upgrades-d9ec7c634365e8e0.yaml @@ -0,0 +1,14 @@ +--- +features: + - | + Composable service plugins now support two additional sections, + upgrade_tasks and upgrade_batch_tasks. These can be used by service + template authors to define the required behavior on upgrade as ansible + tasks, for both upgrades that require downtime, and rolling upgrades. + See puppet/services/README.rst for more details. +upgrade: + - | + Please refer to tripleo-docs for full details on the upgrade workflow + required for Newton to Ocata upgrades, as it's possible some steps are + different to previous releases: + http://docs.openstack.org/developer/tripleo-docs/post_deployment/upgrade.html diff --git a/roles_data.yaml b/roles_data.yaml index 39cb56f9..a21ef961 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -17,8 +17,9 @@ # disable_constraints: (boolean) optional, whether to disable Nova and Glance # constraints for each role specified in the templates. # -# disable_upgrade_deployment: (boolean) optional, whether to run the composable upgrade -# steps for all services that are deployed on the particular role. +# upgrade_batch_size: (number): batch size for upgrades where tasks are +# specified by services to run in batches vs all nodes at once. +# This defaults to 1, but larger batches may be specified here. # # ServicesDefault: (list) optional default list of services to be deployed # on the role, defaults to an empty list. Sets the default for the @@ -31,6 +32,7 @@ - OS::TripleO::Services::CephMds - OS::TripleO::Services::CephMon - OS::TripleO::Services::CephExternal + - OS::TripleO::Services::CephRbdMirror - OS::TripleO::Services::CephRgw - OS::TripleO::Services::CinderApi - OS::TripleO::Services::CinderBackup @@ -64,6 +66,7 @@ - OS::TripleO::Services::NovaScheduler - OS::TripleO::Services::NovaConsoleauth - OS::TripleO::Services::NovaVncProxy + - OS::TripleO::Services::Ec2Api - OS::TripleO::Services::Ntp - OS::TripleO::Services::SwiftProxy - OS::TripleO::Services::SwiftStorage |