52 files changed, 465 insertions, 305 deletions
diff --git a/ci/environments/multinode-containers.yaml b/ci/environments/multinode-containers.yaml index f050d9a2..781527f4 100644 --- a/ci/environments/multinode-containers.yaml +++ b/ci/environments/multinode-containers.yaml @@ -7,12 +7,6 @@ resource_registry: OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml - # NOTE: This is needed because of upgrades from Ocata to Pike. We - # deploy the initial environment with Ocata templates, and - # overcloud-resource-registry.yaml there doesn't have this Docker - # mapping at all. After we stop CI'ing Ocata->Pike upgrade, we can - # remove this. - OS::TripleO::Services::Docker: OS::Heat::None # Some infra instances don't pass the ping test but are otherwise working. # Since the OVB jobs also test this functionality we can shut it off here. OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml index 79d5a280..0429a4b4 100644 --- a/ci/environments/scenario001-multinode-containers.yaml +++ b/ci/environments/scenario001-multinode-containers.yaml 
@@ -16,12 +16,6 @@ resource_registry: # TODO fluentd is being containerized: https://review.openstack.org/#/c/467072/ OS::TripleO::Services::FluentdClient: ../../puppet/services/logging/fluentd-client.yaml OS::TripleO::Services::SensuClient: ../../docker/services/sensu-client.yaml - # NOTE: This is needed because of upgrades from Ocata to Pike. We - # deploy the initial environment with Ocata templates, and - # overcloud-resource-registry.yaml there doesn't have this Docker - # mapping at all. After we stop CI'ing Ocata->Pike upgrade, we can - # remove this. - OS::TripleO::Services::Docker: OS::Heat::None # Some infra instances don't pass the ping test but are otherwise working. # Since the OVB jobs also test this functionality we can shut it off here. OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml @@ -106,6 +100,7 @@ parameter_defaults: - /dev/loop3 journal_size: 512 journal_collocation: true + osd_scenario: collocated CephAnsibleExtraConfig: ceph_conf_overrides: global: @@ -123,7 +118,7 @@ parameter_defaults: CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ==' CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw==' CephPoolDefaultSize: 1 - DockerCephDaemonImage: ceph/daemon:tag-build-master-jewel-centos-7 + DockerCephDaemonImage: ceph/daemon:tag-build-ceph-dfg-jewel-centos-7 NovaEnableRbdBackend: true CinderEnableRbdBackend: true CinderBackupBackend: ceph diff --git a/ci/environments/scenario002-multinode-containers.yaml b/ci/environments/scenario002-multinode-containers.yaml index 0ca67d00..bec5f48e 100644 --- a/ci/environments/scenario002-multinode-containers.yaml +++ b/ci/environments/scenario002-multinode-containers.yaml 
@@ -10,12 +10,6 @@ resource_registry: OS::TripleO::Services::Zaqar: ../../docker/services/zaqar.yaml OS::TripleO::Services::Ec2Api: ../../docker/services/ec2-api.yaml OS::TripleO::Services::MongoDb: ../../docker/services/database/mongodb.yaml - # NOTE: This is needed because of upgrades from Ocata to Pike. We - # deploy the initial environment with Ocata templates, and - # overcloud-resource-registry.yaml there doesn't have this Docker - # mapping at all. After we stop CI'ing Ocata->Pike upgrade, we can - # remove this. - OS::TripleO::Services::Docker: OS::Heat::None # Some infra instances don't pass the ping test but are otherwise working. # Since the OVB jobs also test this functionality we can shut it off here. OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml diff --git a/ci/environments/scenario003-multinode-containers.yaml b/ci/environments/scenario003-multinode-containers.yaml index 107b66b2..65fa6a65 100644 --- a/ci/environments/scenario003-multinode-containers.yaml +++ b/ci/environments/scenario003-multinode-containers.yaml @@ -11,12 +11,6 @@ resource_registry: OS::TripleO::Services::MistralApi: ../../docker/services/mistral-api.yaml OS::TripleO::Services::MistralEngine: ../../docker/services/mistral-engine.yaml OS::TripleO::Services::MistralExecutor: ../../docker/services/mistral-executor.yaml - # NOTE: This is needed because of upgrades from Ocata to Pike. We - # deploy the initial environment with Ocata templates, and - # overcloud-resource-registry.yaml there doesn't have this Docker - # mapping at all. After we stop CI'ing Ocata->Pike upgrade, we can - # remove this. - OS::TripleO::Services::Docker: OS::Heat::None # Some infra instances don't pass the ping test but are otherwise working. # Since the OVB jobs also test this functionality we can shut it off here. OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml 
diff --git a/ci/environments/scenario004-multinode-containers.yaml b/ci/environments/scenario004-multinode-containers.yaml index e2be75cc..4b647925 100644 --- a/ci/environments/scenario004-multinode-containers.yaml +++ b/ci/environments/scenario004-multinode-containers.yaml @@ -1,8 +1,3 @@ -# NOTE: This is an environment specific for containers CI. Mainly we -# deploy non-pacemakerized overcloud. Once we are able to deploy and -# upgrade pacemakerized and containerized overcloud, we should remove -# this file and use normal CI multinode environments/scenarios. - resource_registry: OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml 
@@ -18,16 +13,27 @@ resource_registry: OS::TripleO::Services::ManilaScheduler: ../../docker/services/manila-scheduler.yaml OS::TripleO::Services::ManilaShare: ../../docker/services/pacemaker/manila-share.yaml OS::TripleO::Services::ManilaBackendCephFs: ../../puppet/services/manila-backend-cephfs.yaml - # NOTE: This is needed because of upgrades from Ocata to Pike. We - # deploy the initial environment with Ocata templates, and - # overcloud-resource-registry.yaml there doesn't have this Docker - # mapping at all. After we stop CI'ing Ocata->Pike upgrade, we can - # remove this. - OS::TripleO::Services::Docker: OS::Heat::None + # TODO: in Queens, re-add bgp-vpn and l2gw services when + # containerized. + # https://bugs.launchpad.net/bugs/1713612 + # OS::TripleO::Services::NeutronBgpVpnApi: ../../puppet/services/neutron-bgpvpn-api.yaml + # OS::TripleO::Services::NeutronL2gwApi: ../../puppet/services/neutron-l2gw-api.yaml + # OS::TripleO::Services::NeutronL2gwAgent: ../../puppet/services/neutron-l2gw-agent.yaml + # These enable Pacemaker + OS::TripleO::Tasks::ControllerPreConfig: OS::Heat::None + OS::TripleO::Tasks::ControllerPostConfig: OS::Heat::None + OS::TripleO::Tasks::ControllerPostPuppetRestart: ../../extraconfig/tasks/post_puppet_pacemaker_restart.yaml + OS::TripleO::Services::RabbitMQ: ../../docker/services/pacemaker/rabbitmq.yaml + OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml + OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml + OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml + OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml + OS::TripleO::Services::Redis: ../../docker/services/pacemaker/database/redis.yaml + OS::TripleO::Services::MySQL: ../../docker/services/pacemaker/database/mysql.yaml + OS::TripleO::Services::Keepalived: OS::Heat::None # Some infra instances don't pass the ping test but are otherwise working. 
# Since the OVB jobs also test this functionality we can shut it off here. OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml - OS::TripleO::Services::NovaMigrationTarget: OS::Heat::None parameter_defaults: @@ -80,6 +86,9 @@ parameter_defaults: # TODO: in Queens, re-add bgp-vpn and l2gw services when # containerized. # https://bugs.launchpad.net/bugs/1713612 + # - OS::TripleO::Services::NeutronBgpVpnApi + # - OS::TripleO::Services::NeutronL2gwApi + # - OS::TripleO::Services::NeutronL2gwAgent ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu @@ -98,4 +107,10 @@ parameter_defaults: CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw==' CephPoolDefaultSize: 1 SwiftCeilometerPipelineEnabled: false + # TODO: in Queens, re-add bgp-vpn and l2gw services when + # containerized. + # https://bugs.launchpad.net/bugs/1713612 + # NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin, networking_l2gw.services.l2gateway.plugin.L2GatewayPlugin' + # BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default' + # L2gwServiceProvider: ['L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default'] NotificationDriver: 'noop' diff --git a/ci/environments/scenario006-multinode-containers.yaml b/ci/environments/scenario006-multinode-containers.yaml index d0a952d5..025fd81e 100644 --- a/ci/environments/scenario006-multinode-containers.yaml +++ b/ci/environments/scenario006-multinode-containers.yaml @@ -5,7 +5,6 @@ resource_registry: OS::TripleO::Services::IronicApi: ../docker/services/ironic-api.yaml OS::TripleO::Services::IronicConductor: ../docker/services/ironic-conductor.yaml OS::TripleO::Services::IronicPxe: ../docker/services/ironic-pxe.yaml - OS::TripleO::Services::Docker: OS::Heat::None parameter_defaults: ControllerServices: 
diff --git a/ci/environments/scenario007-multinode-containers.yaml b/ci/environments/scenario007-multinode-containers.yaml index faf56ba4..bad3e4a5 100644 --- a/ci/environments/scenario007-multinode-containers.yaml +++ b/ci/environments/scenario007-multinode-containers.yaml @@ -1,12 +1,6 @@ resource_registry: OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml - # NOTE: This is needed because of upgrades from Ocata to Pike. We - # deploy the initial environment with Ocata templates, and - # overcloud-resource-registry.yaml there doesn't have this Docker - # mapping at all. After we stop CI'ing Ocata->Pike upgrade, we can - # remove this. - OS::TripleO::Services::Docker: OS::Heat::None OS::TripleO::Services::OVNController: ../../docker/services/ovn-controller.yaml OS::TripleO::Services::OVNDBs: ../../docker/services/ovn-dbs.yaml # Some infra instances don't pass the ping test but are otherwise working. diff --git a/common/deploy-steps.j2 b/common/deploy-steps.j2 index 1119fb60..a1bd8826 100644 --- a/common/deploy-steps.j2 +++ b/common/deploy-steps.j2 @@ -1,7 +1,15 @@ # certain initialization steps (run in a container) will occur # on the role marked as primary controller or the first role listed -{%- set primary_role = [roles[0]] -%} -{%- for role in roles -%} +{%- if enabled_roles is not defined -%} + # On upgrade certain roles can be disabled for operator driven upgrades + # See major_upgrade_steps.j2.yaml and post-upgrade.j2.yaml + {%- set enabled_roles = roles -%} + {%- set is_upgrade = false -%} +{%- else %} + {%- set is_upgrade = true -%} +{%- endif -%} +{%- set primary_role = [enabled_roles[0]] -%} +{%- for role in enabled_roles -%} {%- if 'primary' in role.tags and 'controller' in role.tags -%} {%- set _ = primary_role.pop() -%} {%- set _ = primary_role.append(role) -%} 
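Review bot: In common/deploy-steps.j2, `{%- set primary_role = [enabled_roles[0]] -%}` assumes `enabled_roles` has at least one entry, but on upgrade post-upgrade.j2.yaml builds it with `roles|rejectattr('disable_upgrade_deployment')|list`, which is empty when every role sets that flag. In that case there is no first element to seed `primary_role` with, and the `depends_on:` loops over `enabled_roles` later in this file and in major_upgrade_steps.j2.yaml would render with no entries. I would state the requirement next to the `set`, for example `# NOTE: enabled_roles must not be empty; at least one role has to leave disable_upgrade_deployment unset`. The `for` loop that picks the primary controller continues outside this hunk.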
@@ -55,10 +63,10 @@ conditions: {% for step in range(1, deploy_steps_max) %} WorkflowTasks_Step{{step}}_Enabled: or: - {%- for role in roles %} + {%- for role in enabled_roles %} - not: equals: - - get_param: [role_data, {{role.name}}, service_workflow_tasks, step{{step}}] + - get_param: [role_data, {{role.name}}, workflow_tasks, step{{step}}] - '' - False {%- endfor %} @@ -90,30 +98,30 @@ resources: _TASKS: {get_file: deploy-steps-tasks.yaml} {%- for step in range(1, deploy_steps_max) %} -# BEGIN service_workflow_tasks handling +# BEGIN workflow_tasks handling WorkflowTasks_Step{{step}}: type: OS::Mistral::Workflow condition: WorkflowTasks_Step{{step}}_Enabled depends_on: {%- if step == 1 %} - {%- for dep in roles %} + {%- for dep in enabled_roles %} - {{dep.name}}PreConfig - {{dep.name}}ArtifactsDeploy {%- endfor %} {%- else %} - {%- for dep in roles %} + {%- for dep in enabled_roles %} - {{dep.name}}Deployment_Step{{step -1}} {%- endfor %} {%- endif %} properties: - name: {list_join: [".", ["tripleo", {get_param: stack_name}, "workflowtasks", "step{{step}}"]]} + name: {list_join: [".", ["tripleo", {get_param: stack_name}, "workflow_tasks", "step{{step}}"]]} type: direct tasks: yaql: expression: $.data.where($ != '').select($.get('step{{step}}')).where($ != null).flatten() data: - {%- for role in roles %} - - get_param: [role_data, {{role.name}}, service_workflow_tasks] + {%- for role in enabled_roles %} + - get_param: [role_data, {{role.name}}, workflow_tasks] {%- endfor %} WorkflowTasks_Step{{step}}_Execution: 
@@ -143,13 +151,14 @@ resources: {%- endfor %} evaluate_env: false always_update: true -# END service_workflow_tasks handling +# END workflow_tasks handling {% endfor %} +# Artifacts config and HostPrepConfig is done on all roles, not only +# enabled_roles, because on upgrade we need to write the json files +# for the operator driven upgrade scripts (the ansible steps consume them) {% for role in roles %} - # Post deployment steps for all roles - # A single config is re-applied with an incrementing step number - # {{role.name}} Role steps + # Prepare host tasks for {{role.name}} {{role.name}}ArtifactsConfig: type: ../puppet/deploy-artifacts.yaml @@ -183,7 +192,11 @@ resources: tasks: # Join host_prep_tasks with the other per-host configuration list_concat: +{%- if is_upgrade|default(false) and role.disable_upgrade_deployment|default(false) %} + - [] +{%- else %} - {get_param: [role_data, {{role.name}}, host_prep_tasks]} +{%- endif %} - {%- raw %} # Write the manifest for baremetal puppet configuration @@ -235,9 +248,10 @@ resources: properties: servers: {get_param: [servers, {{role.name}}]} config: {get_resource: {{role.name}}HostPrepConfig} +{% endfor %} - # BEGIN CONFIG STEPS - + # BEGIN CONFIG STEPS, only on enabled_roles +{%- for role in enabled_roles %} {{role.name}}PreConfig: type: OS::TripleO::Tasks::{{role.name}}PreConfig depends_on: {{role.name}}HostPrepDeployment @@ -246,6 +260,8 @@ resources: input_values: update_identifier: {get_param: DeployIdentifier} + # Deployment steps for {{role.name}} + # A single config is re-applied with an incrementing step number {% for step in range(1, deploy_steps_max) %} {{role.name}}Deployment_Step{{step}}: type: OS::TripleO::DeploymentSteps 
@@ -257,12 +273,12 @@ resources: # if https://bugs.launchpad.net/heat/+bug/1700569 # is fixed. {%- if step == 1 %} - {%- for dep in roles %} + {%- for dep in enabled_roles %} - {{dep.name}}PreConfig - {{dep.name}}ArtifactsDeploy {%- endfor %} {%- else %} - {%- for dep in roles %} + {%- for dep in enabled_roles %} - {{dep.name}}Deployment_Step{{step -1}} {%- endfor %} {%- endif %} @@ -285,7 +301,7 @@ resources: # after all the previous deployment steps. {{role.name}}ExtraConfigPost: depends_on: - {%- for dep in roles %} + {%- for dep in enabled_roles %} - {{dep.name}}Deployment_Step5 {%- endfor %} type: OS::TripleO::NodeExtraConfigPost @@ -298,7 +314,7 @@ resources: {{role.name}}PostConfig: type: OS::TripleO::Tasks::{{role.name}}PostConfig depends_on: - {%- for dep in roles %} + {%- for dep in enabled_roles %} - {{dep.name}}ExtraConfigPost {%- endfor %} properties: @@ -354,8 +370,3 @@ outputs: with_sequence: start=0 end={{upgrade_steps_max-1}} loop_control: loop_var: step - - include: deploy_steps_tasks.yaml - with_sequence: start=0 end={{deploy_steps_max-1}} - loop_control: - loop_var: step - diff --git a/common/major_upgrade_steps.j2.yaml b/common/major_upgrade_steps.j2.yaml index 7fc91153..36b342f9 100644 --- a/common/major_upgrade_steps.j2.yaml +++ b/common/major_upgrade_steps.j2.yaml 
@@ -187,6 +187,43 @@ resources: role_data: {get_param: role_data} ctlplane_service_ips: {get_param: ctlplane_service_ips} +{%- for step in range(0, upgrade_steps_max) %} + {%- for role in roles %} + {{role.name}}PostUpgradeConfig_Config{{step}}: + type: OS::TripleO::UpgradeConfig + depends_on: + {%- for role_inside in enabled_roles %} + {%- if step > 0 %} + - {{role_inside.name}}PostUpgradeConfig_Deployment{{step -1}} + {%- else %} + - AllNodesPostUpgradeSteps + {%- endif %} + {%- endfor %} + properties: + UpgradeStepConfig: {get_param: [role_data, {{role.name}}, post_upgrade_tasks]} + step: {{step}} + {%- endfor %} + + {%- for role in enabled_roles %} + {{role.name}}PostUpgradeConfig_Deployment{{step}}: + type: OS::Heat::SoftwareDeploymentGroup + depends_on: + {%- for role_inside in enabled_roles %} + {%- if step > 0 %} + - {{role_inside.name}}PostUpgradeConfig_Deployment{{step -1}} + {%- else %} + - AllNodesPostUpgradeSteps + {%- endif %} + {%- endfor %} + properties: + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}PostUpgradeConfig_Config{{step}}} + input_values: + role: {{role.name}} + update_identifier: {get_param: UpdateIdentifier} + {%- endfor %} +{%- endfor %} + outputs: # Output the config for each role, just use Step1 as the config should be # the same for all steps (only the tag provided differs) @@ -196,3 +233,7 @@ outputs: {% for role in roles %} {{role.name.lower()}}: {get_attr: [{{role.name}}UpgradeConfig_Step1, upgrade_config]} {% endfor %} + RoleConfig: + description: Mapping of config data for all roles + value: {get_attr: [AllNodesPostUpgradeSteps, RoleConfig]} + diff --git a/common/post-upgrade.j2.yaml b/common/post-upgrade.j2.yaml index 7cd6abdf..af47c6ea 100644 --- a/common/post-upgrade.j2.yaml +++ b/common/post-upgrade.j2.yaml 
@@ -1,4 +1,4 @@ # Note the include here is the same as post.j2.yaml but the data used at # # the time of rendering is different if any roles disable upgrades -{% set roles = roles|rejectattr('disable_upgrade_deployment')|list -%} +{% set enabled_roles = roles|rejectattr('disable_upgrade_deployment')|list -%} {% include 'deploy-steps.j2' %} diff --git a/common/services.yaml b/common/services.yaml index a8186e43..a0015c7e 100644 --- a/common/services.yaml +++ b/common/services.yaml @@ -174,13 +174,13 @@ resources: expression: coalesce($.data.role_data, []).where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {}) data: {role_data: {get_attr: [ServiceChain, role_data]}} - ServiceWorkflowTasks: + WorkflowTasks: type: OS::Heat::Value properties: type: json value: yaql: - expression: coalesce($.data.role_data, []).where($ != null).select($.get('service_workflow_tasks')).where($ != null).reduce($1.mergeWith($2), {}) + expression: coalesce($.data.role_data, []).where($ != null).select($.get('workflow_tasks')).where($ != null).reduce($1.mergeWith($2), {}) data: {role_data: {get_attr: [ServiceChain, role_data]}} UpgradeTasks: @@ -193,6 +193,16 @@ resources: expression: coalesce($.data, []).where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct() data: {get_attr: [ServiceChain, role_data]} + PostUpgradeTasks: + type: OS::Heat::Value + properties: + type: comma_delimited_list + value: + yaql: + # Note we use distinct() here to filter any identical tasks, e.g yum update for all services + expression: coalesce($.data, []).where($ != null).select($.get('post_upgrade_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} + UpdateTasks: type: OS::Heat::Value properties: 
@@ -260,9 +270,10 @@ outputs: config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}} global_config_settings: {get_attr: [GlobalConfigSettings, value]} service_config_settings: {get_attr: [ServiceConfigSettings, value]} - service_workflow_tasks: {get_attr: [ServiceWorkflowTasks, value]} + workflow_tasks: {get_attr: [WorkflowTasks, value]} step_config: {get_attr: [PuppetStepConfig, value]} upgrade_tasks: {get_attr: [UpgradeTasks, value]} + post_upgrade_tasks: {get_attr: [PostUpgradeTasks, value]} update_tasks: {get_attr: [UpdateTasks, value]} upgrade_batch_tasks: {get_attr: [UpgradeBatchTasks, value]} service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]} diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml index 18d3e6a3..8cc81fb0 100644 --- a/docker/services/ceph-ansible/ceph-base.yaml +++ b/docker/services/ceph-ansible/ceph-base.yaml @@ -58,13 +58,17 @@ parameters: type: string description: List of ceph-ansible tags to skip default: 'package-install,with_pkg' + CephConfigOverrides: + type: json + description: Extra config settings to dump into ceph.conf + default: {} CephClusterFSID: type: string description: The Ceph cluster FSID. Must be a UUID. CephPoolDefaultPgNum: description: default pg_num to use for the RBD pools type: number - default: 32 + default: 128 CephPools: description: > It can be used to override settings for one of the predefined pools, or to create @@ -178,7 +182,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: + workflow_tasks: step2: - name: ceph_base_ansible_workflow workflow: { get_param: CephAnsibleWorkflowName } 
@@ -269,16 +273,19 @@ outputs: pools: [] ceph_conf_overrides: global: - osd_pool_default_size: {get_param: CephPoolDefaultSize} - osd_pool_default_pg_num: {get_param: CephPoolDefaultPgNum} - rgw_keystone_api_version: 3 - rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - rgw_keystone_accepted_roles: 'Member, _member_, admin' - rgw_keystone_admin_domain: default - rgw_keystone_admin_project: service - rgw_keystone_admin_user: swift - rgw_keystone_admin_password: {get_param: SwiftPassword} - rgw_s3_auth_use_keystone: 'true' + map_merge: + - osd_pool_default_size: {get_param: CephPoolDefaultSize} + osd_pool_default_pg_num: {get_param: CephPoolDefaultPgNum} + osd_pool_default_pgp_num: {get_param: CephPoolDefaultPgNum} + rgw_keystone_api_version: 3 + rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + rgw_keystone_accepted_roles: 'Member, _member_, admin' + rgw_keystone_admin_domain: default + rgw_keystone_admin_project: service + rgw_keystone_admin_user: swift + rgw_keystone_admin_password: {get_param: SwiftPassword} + rgw_s3_auth_use_keystone: 'true' + - {get_param: CephConfigOverrides} ntp_service_enabled: false generate_fsid: false ip_version: diff --git a/docker/services/ceph-ansible/ceph-client.yaml b/docker/services/ceph-ansible/ceph-client.yaml index 55d8d9da..0b782941 100644 --- a/docker/services/ceph-ansible/ceph-client.yaml +++ b/docker/services/ceph-ansible/ceph-client.yaml @@ -54,5 +54,5 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: {} diff --git a/docker/services/ceph-ansible/ceph-external.yaml b/docker/services/ceph-ansible/ceph-external.yaml index f93dd566..bb2fc20a 100644 --- a/docker/services/ceph-ansible/ceph-external.yaml +++ b/docker/services/ceph-ansible/ceph-external.yaml 
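Review bot: In docker/services/ceph-ansible/ceph-base.yaml, `{get_param: CephConfigOverrides}` is the last entry of the `map_merge` under `ceph_conf_overrides.global`, so any key an operator supplies replaces the template's value, including `rgw_keystone_accepted_roles`, `rgw_keystone_admin_password` and `rgw_s3_auth_use_keystone`. The merge also sits under `global`, so the parameter takes flat keys for that section only, not a per-section map. The parameter description in the earlier hunk says neither; I would extend it to something like `description: Extra settings for the [global] section of ceph.conf; keys given here override the defaults set by this template, including the rgw_keystone_* settings`. The `ceph_conf_overrides` map starts outside this hunk.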
@@ -58,7 +58,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: ceph_client_ansible_vars: map_merge: diff --git a/docker/services/ceph-ansible/ceph-mds.yaml b/docker/services/ceph-ansible/ceph-mds.yaml index 4ef3a669..abdb3c3f 100644 --- a/docker/services/ceph-ansible/ceph-mds.yaml +++ b/docker/services/ceph-ansible/ceph-mds.yaml @@ -68,7 +68,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: map_merge: - tripleo.ceph_mds.firewall_rules: diff --git a/docker/services/ceph-ansible/ceph-mon.yaml b/docker/services/ceph-ansible/ceph-mon.yaml index 90149d1e..45f939c2 100644 --- a/docker/services/ceph-ansible/ceph-mon.yaml +++ b/docker/services/ceph-ansible/ceph-mon.yaml @@ -71,7 +71,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: map_merge: - tripleo.ceph_mon.firewall_rules: diff --git a/docker/services/ceph-ansible/ceph-osd.yaml b/docker/services/ceph-ansible/ceph-osd.yaml index 6e0f4a60..a441f5c9 100644 --- a/docker/services/ceph-ansible/ceph-osd.yaml +++ b/docker/services/ceph-ansible/ceph-osd.yaml @@ -38,6 +38,7 @@ parameters: - /dev/vdb journal_size: 512 journal_collocation: true + osd_scenario: collocated resources: CephBase: @@ -62,7 +63,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: map_merge: - tripleo.ceph_osd.firewall_rules: 
@@ -72,4 +73,5 @@ outputs: - ceph_osd_ansible_vars: map_merge: - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]} + - osd_objectstore: filestore - {get_param: CephAnsibleDisksConfig}
\ No newline at end of file diff --git a/docker/services/ceph-ansible/ceph-rgw.yaml b/docker/services/ceph-ansible/ceph-rgw.yaml index 4bed9b46..4479fdbf 100644 --- a/docker/services/ceph-ansible/ceph-rgw.yaml +++ b/docker/services/ceph-ansible/ceph-rgw.yaml @@ -62,7 +62,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: map_merge: - tripleo.ceph_rgw.firewall_rules: diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml index 2c894da5..9f982f8b 100644 --- a/docker/services/containers-common.yaml +++ b/docker/services/containers-common.yaml @@ -64,6 +64,7 @@ outputs: # Syslog socket - /dev/log:/dev/log - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro + - /sys/fs/selinux:/sys/fs/selinux - if: - internal_tls_enabled - - list_join: diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml index 5a6958a0..9a114458 100644 --- a/docker/services/gnocchi-metricd.yaml +++ b/docker/services/gnocchi-metricd.yaml @@ -90,7 +90,7 @@ outputs: owner: gnocchi:gnocchi recurse: true docker_config: - step_4: + step_5: gnocchi_metricd: image: {get_param: DockerGnocchiMetricdImage} net: host diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml index 2957312b..834d0055 100644 --- a/docker/services/gnocchi-statsd.yaml +++ b/docker/services/gnocchi-statsd.yaml @@ -90,7 +90,7 @@ outputs: owner: gnocchi:gnocchi recurse: true docker_config: - step_4: + step_5: gnocchi_statsd: image: {get_param: DockerGnocchiStatsdImage} net: host diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml index f0e2f71d..70e1f893 100644 --- a/docker/services/haproxy.yaml +++ b/docker/services/haproxy.yaml 
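Review bot: The new `- /sys/fs/selinux:/sys/fs/selinux` entry in docker/services/containers-common.yaml has no mode suffix, so it is bind-mounted read-write, while the `ssh_known_hosts` entry just above it carries `:ro`. This list looks like the shared volume set for the containerized services, which would give each of them a writable view of the host's selinuxfs. If the containers only need to read SELinux state, `- /sys/fs/selinux:/sys/fs/selinux:ro` is the narrower mount. If write access is required, a comment naming the service that needs it would help. The volume list continues outside the hunk.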
@@ -96,8 +96,7 @@ outputs: config_settings: map_merge: - get_attr: [HAProxyBase, role_data, config_settings] - - tripleo::haproxy::haproxy_daemon: false - tripleo::haproxy::haproxy_service_manage: false + - tripleo::haproxy::haproxy_service_manage: false # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy # when this is updated tripleo::haproxy::crl_file: null @@ -130,7 +129,7 @@ outputs: - null kolla_config: /var/lib/kolla/config_files/haproxy.json: - command: haproxy -f /etc/haproxy/haproxy.cfg + command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index f46e27c0..9f1ae865 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -219,7 +219,7 @@ outputs: detach: false volumes: *nova_api_bootstrap_volumes user: root - command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage cell_v2 discover_hosts'" + command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage cell_v2 discover_hosts --verbose'" metadata_settings: get_attr: [NovaApiBase, role_data, metadata_settings] host_prep_tasks: diff --git a/docker/services/pacemaker/cinder-backup.yaml b/docker/services/pacemaker/cinder-backup.yaml index c2117c04..cdb8c1bc 100644 --- a/docker/services/pacemaker/cinder-backup.yaml +++ b/docker/services/pacemaker/cinder-backup.yaml @@ -188,6 +188,9 @@ outputs: resource: openstack-cinder-backup state: disable wait_for_resource: true + register: output + retries: 5 + until: output.rc == 0 when: is_bootstrap_node - name: Delete the stopped openstack-cinder-backup cluster resource. tags: step2 
@@ -195,6 +198,9 @@ outputs: resource: openstack-cinder-backup state: delete wait_for_resource: true + register: output + retries: 5 + until: output.rc == 0 when: is_bootstrap_node - name: Disable cinder_backup service tags: step2 diff --git a/docker/services/pacemaker/cinder-volume.yaml b/docker/services/pacemaker/cinder-volume.yaml index a4f69517..15c5e099 100644 --- a/docker/services/pacemaker/cinder-volume.yaml +++ b/docker/services/pacemaker/cinder-volume.yaml @@ -206,6 +206,9 @@ outputs: resource: openstack-cinder-volume state: disable wait_for_resource: true + register: output + retries: 5 + until: output.rc == 0 when: is_bootstrap_node - name: Delete the stopped openstack-cinder-volume cluster resource. tags: step2 @@ -213,6 +216,9 @@ outputs: resource: openstack-cinder-volume state: delete wait_for_resource: true + register: output + retries: 5 + until: output.rc == 0 when: is_bootstrap_node - name: Disable cinder_volume service from boot tags: step2 diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml index f57f779e..9dace271 100644 --- a/docker/services/pacemaker/database/mysql.yaml +++ b/docker/services/pacemaker/database/mysql.yaml @@ -159,6 +159,7 @@ outputs: detach: false image: {get_param: DockerMysqlImage} net: host + user: root # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done command: - 'bash' 
@@ -167,8 +168,9 @@ outputs: list_join: - "\n" - - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi' - - 'kolla_start' - - 'mysqld_safe --skip-networking --wsrep-on=OFF --wsrep-provider=none &' + - 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf' + - 'sudo -u mysql -E kolla_start' + - 'mysqld_safe --skip-networking --wsrep-on=OFF &' - 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done''' - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''clustercheck''@''localhost'' IDENTIFIED BY ''${DB_CLUSTERCHECK_PASSWORD}'';"' - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "GRANT PROCESS ON *.* TO ''clustercheck''@''localhost'' WITH GRANT OPTION;"' @@ -266,20 +268,34 @@ outputs: - name: set is_bootstrap_node fact tags: common set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} + - name: Check cluster resource status + tags: step2 + pacemaker_resource: + resource: galera + state: master + check_mode: true + ignore_errors: true + register: galera_res - name: Disable the galera cluster resource tags: step2 pacemaker_resource: resource: galera state: disable wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and galera_res|succeeded - name: Delete the stopped galera cluster resource. tags: step2 pacemaker_resource: resource: galera state: delete wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and galera_res|succeeded - name: Disable mysql service tags: step2 service: name=mariadb enabled=no diff --git a/docker/services/pacemaker/database/redis.yaml b/docker/services/pacemaker/database/redis.yaml index 0b8aa046..4d26a084 100644 --- a/docker/services/pacemaker/database/redis.yaml +++ b/docker/services/pacemaker/database/redis.yaml 
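Review bot: With `user: root` added in the previous hunk of docker/services/pacemaker/database/mysql.yaml, only `kolla_start` is dropped to the mysql user via `sudo -u mysql -E`; the `mysqld_safe`, `mysqladmin` and `mysql` commands that follow are launched as root. Root appears to be needed only for the append to `/etc/my.cnf`, so unless the image's my.cnf already sets the user, `mysqld_safe --user=mysql --skip-networking --wsrep-on=OFF &` would be the narrower form. A comment above `user: root` such as `# root is needed to append wsrep_provider=none to /etc/my.cnf` would record why the privilege was raised. `sudo -E` also hands the whole environment, including `DB_ROOT_PASSWORD`, to `kolla_start`, which is presumably intended but worth stating in that comment.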
@@ -36,9 +36,19 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ../../containers-common.yaml + RedisBase: type: ../../../../puppet/services/database/redis.yaml properties: @@ -74,6 +84,8 @@ outputs: - 3124 - 6379 - 26379 + tripleo::stunnel::manage_service: false + tripleo::stunnel::foreground: 'yes' step_config: "" service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS @@ -109,6 +121,13 @@ outputs: - path: /var/log/redis owner: redis:redis recurse: true + /var/lib/kolla/config_files/redis_tls_proxy.json: + command: stunnel /etc/stunnel/stunnel.conf + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true docker_config: step_1: redis_image_tag: 
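Review bot: The new `EnableInternalTLS` parameter is declared with only `type` and `default`, while the parameter just above it in the same hunk carries a `description`, and this switch decides whether the TLS proxy for Redis is started at all. I would add `description: Whether to run the redis_tls_proxy (stunnel) container in front of Redis.` Separately, the hieradata added in the second hunk (`tripleo::stunnel::manage_service: false`, `tripleo::stunnel::foreground: 'yes'`) is set unconditionally rather than under `internal_tls_enabled`; that is probably harmless if the stunnel profile is only included when TLS is on, but that part is not visible in this diff.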
@@ -134,32 +153,54 @@ outputs: - /usr/bin:/usr/bin:ro - /var/run/docker.sock:/var/run/docker.sock:rw step_2: - redis_init_bundle: - start_order: 2 - detach: false - net: host - user: root - config_volume: 'redis_init_bundle' - command: - - '/bin/bash' - - '-c' - - str_replace: - template: - list_join: - - '; ' - - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json" - - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'" - params: - TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' - CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::redis_bundle' - image: *redis_config_image - volumes: - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /etc/puppet:/tmp/puppet-etc:ro - - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro - - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro - - /dev/shm:/dev/shm:rw + map_merge: + - redis_init_bundle: + start_order: 2 + detach: false + net: host + user: root + config_volume: 'redis_init_bundle' + command: + - '/bin/bash' + - '-c' + - str_replace: + template: + list_join: + - '; ' + - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json" + - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'" + params: + TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' + CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::redis_bundle' + image: *redis_config_image + volumes: + - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /etc/puppet:/tmp/puppet-etc:ro + - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro + 
- /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro + - /dev/shm:/dev/shm:rw + - if: + - internal_tls_enabled + - redis_tls_proxy: + start_order: 3 + image: *redis_image_pcmklatest + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro + - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} + metadata_settings: + get_attr: [RedisBase, role_data, metadata_settings] host_prep_tasks: - name: create /var/run/redis file: @@ -181,20 +222,34 @@ outputs: - name: set is_bootstrap_node fact tags: common set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} + - name: Check cluster resource status + tags: step2 + pacemaker_resource: + resource: {get_attr: [RedisBase, role_data, service_name]} + state: master + check_mode: true + ignore_errors: true + register: redis_res - name: Disable the redis cluster resource tags: step2 pacemaker_resource: resource: {get_attr: [RedisBase, role_data, service_name]} state: disable wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and redis_res|succeeded - name: Delete the stopped redis cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [RedisBase, role_data, service_name]} state: delete wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and redis_res|succeeded - name: Disable redis service tags: step2 service: name=redis enabled=no 
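Review bot: The new `redis_tls_proxy` container runs stunnel with `user: root` and `net: host` and bind-mounts `/etc/pki/tls/private/redis.key`, so the process that terminates TLS keeps full root privileges in the host network namespace for its whole lifetime. stunnel can read the key as root and then drop privileges through its `setuid`/`setgid` options; whether the generated `/etc/stunnel/stunnel.conf` does so is not visible here, so please confirm, or add a comment above `user: root` stating why root is required. The container also inherits every mount in `{get_attr: [ContainersCommon, volumes]}`; a short comment on which of those the proxy actually needs would help keep the mount set minimal.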
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml index 3cdc5255..2cc04e96 100644 --- a/docker/services/pacemaker/haproxy.yaml +++ b/docker/services/pacemaker/haproxy.yaml @@ -78,8 +78,7 @@ outputs: config_settings: map_merge: - get_attr: [HAProxyBase, role_data, config_settings] - - tripleo::haproxy::haproxy_daemon: false - haproxy_docker: true + - haproxy_docker: true tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage} # the list of directories that contain the certs to bind mount in the countainer # bind-mounting the directories rather than all the cert, key and pem files ensures @@ -120,7 +119,7 @@ outputs: data: *tls_mapping kolla_config: /var/lib/kolla/config_files/haproxy.json: - command: haproxy -f /etc/haproxy/haproxy.cfg + command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" 
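Review bot: The kolla command now hard-codes `/usr/sbin/haproxy-systemd-wrapper`, a helper that newer HAProxy releases no longer ship, so the container will fail to start if `DockerHAProxyImage` points at an image without it. A comment next to `command:` would make the requirement explicit, for example `# requires haproxy-systemd-wrapper in the image`, with the reason for switching to the wrapper added if it is known (the diff does not state it). The first hunk drops `tripleo::haproxy::haproxy_daemon: false` in the same change; how the two relate should be recorded in the commit message.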
@@ -224,17 +223,31 @@ outputs: - name: set is_bootstrap_node fact tags: common set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} + - name: Check cluster resource status + tags: step2 + pacemaker_resource: + resource: {get_attr: [HAProxyBase, role_data, service_name]} + state: started + check_mode: true + ignore_errors: true + register: haproxy_res - name: Disable the haproxy cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [HAProxyBase, role_data, service_name]} state: disable wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and haproxy_res|succeeded - name: Delete the stopped haproxy cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [HAProxyBase, role_data, service_name]} state: delete wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and haproxy_res|succeeded diff --git a/docker/services/pacemaker/rabbitmq.yaml b/docker/services/pacemaker/rabbitmq.yaml index ba1abaf9..7333689c 100644 --- a/docker/services/pacemaker/rabbitmq.yaml +++ b/docker/services/pacemaker/rabbitmq.yaml 
@@ -215,20 +215,34 @@ outputs: - name: set is_bootstrap_node fact tags: common set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} + - name: Check cluster resource status + tags: step2 + pacemaker_resource: + resource: {get_attr: [RabbitmqBase, role_data, service_name]} + state: started + check_mode: true + ignore_errors: true + register: rabbitmq_res - name: Disable the rabbitmq cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [RabbitmqBase, role_data, service_name]} state: disable wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and rabbitmq_res|succeeded - name: Delete the stopped rabbitmq cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [RabbitmqBase, role_data, service_name]} state: delete wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and rabbitmq_res|succeeded - name: Disable rabbitmq service tags: step2 service: name=rabbitmq-server enabled=no diff --git a/environments/docker-uc-light.yaml b/environments/docker-uc-light.yaml new file mode 100644 index 00000000..3220489c --- /dev/null +++ b/environments/docker-uc-light.yaml 
@@ -0,0 +1,29 @@ +# A lightweight UC for pre-provisioned deployed servers +resource_registry: + OS::TripleO::Services::Docker: ../puppet/services/docker.yaml + # Default Neutron ML2 puppet plugin to use when NeutronCorePlugin is set to ML2 + OS::TripleO::Docker::NeutronMl2PluginBase: ../puppet/services/neutron-plugin-ml2.yaml + + OS::TripleO::Services::ContainersLogrotateCrond: ../docker/services/logrotate-crond.yaml + OS::TripleO::Services::HeatApi: ../docker/services/heat-api.yaml + OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml + OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml + OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml + OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml + OS::TripleO::Services::MistralApi: ../docker/services/mistral-api.yaml + OS::TripleO::Services::MistralEngine: ../docker/services/mistral-engine.yaml + OS::TripleO::Services::MistralExecutor: ../docker/services/mistral-executor.yaml + OS::TripleO::Services::MySQL: ../docker/services/database/mysql.yaml + OS::TripleO::Services::NeutronApi: ../docker/services/neutron-api.yaml + OS::TripleO::Services::NeutronCorePlugin: ../docker/services/neutron-plugin-ml2.yaml + OS::TripleO::Services::NeutronDhcpAgent: ../docker/services/neutron-dhcp.yaml + OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml + OS::TripleO::Services::RabbitMQ: ../docker/services/rabbitmq.yaml + OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml + OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml + OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml + OS::TripleO::Services::Zaqar: ../docker/services/zaqar.yaml + +parameter_defaults: + ZaqarMessageStore: 'swift' + ZaqarManagementStore: 'sqlalchemy'
\ No newline at end of file
diff --git a/environments/network-isolation-no-tunneling.j2.yaml b/environments/network-isolation-no-tunneling.j2.yaml
new file mode 100644
index 00000000..6bf00f1e
--- /dev/null
+++ b/environments/network-isolation-no-tunneling.j2.yaml
@@ -0,0 +1,34 @@ +# ****************************************************************************** +# DEPRECATED: Modify networks used for custom roles by modifying the role file +# in the roles/ directory, or disable the network entirely by setting network to +# "enabled: false" in network_data.yaml. +# ****************************************************************************** +# Enable the creation of Neutron networks for isolated Overcloud +# traffic and configure each role to assign ports (related +# to that role) on these networks. This version of the environment +# has no dedicated VLAN for tunneling, for deployments that use +# VLAN mode, flat provider networks, etc. +resource_registry: + # networks as defined in network_data.yaml, except for tenant net + {%- for network in networks if network.enabled|default(true) and network.name != 'Tenant' %} + OS::TripleO::Network::{{network.name}}: ../network/{{network.name_lower|default(network.name.lower())}}.yaml + {%- endfor %} + OS::TripleO::Network::Tenant: OS::Heat::None + + # Port assignments for the VIPs + {%- for network in networks if network.vip and network.name != 'Tenant' %} + OS::TripleO::Network::Ports::{{network.name}}VipPort: ../network/ports/{{network.name_lower|default(network.name.lower())}}.yaml + {%- endfor %} + OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml + + # Port assignments for each role are determined by the role definition. +{%- for role in roles %} + # Port assignments for the {{role.name}} role. + {%- for network in networks %} + {%- if network.name in role.networks|default([]) and network.enabled|default(true) and network.name != 'Tenant'%} + OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: ../network/ports/{{network.name_lower|default(network.name.lower())}}.yaml + {%- elif network.enabled|default(true) %} + OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: ../network/ports/noop.yaml + {%- endif %} + {%- endfor %} +{% endfor %} 
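Review bot: The VIP loop filters on `network.vip and network.name != 'Tenant'` but, unlike the network loop above it and the per-role port loop below it, does not test `network.enabled|default(true)`. A network that is disabled in network_data.yaml but has `vip: true` would get no `OS::TripleO::Network::<name>` mapping from this file while its `<name>VipPort` is still mapped to a real port template. I would make the three loops agree: `{%- for network in networks if network.vip and network.enabled|default(true) and network.name != 'Tenant' %}`.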
diff --git a/environments/network-isolation-no-tunneling.yaml b/environments/network-isolation-no-tunneling.yaml
deleted file mode 100644
index ff1d7887..00000000
--- a/environments/network-isolation-no-tunneling.yaml
+++ /dev/null
@@ -1,61 +0,0 @@ -# Enable the creation of Neutron networks for isolated Overcloud -# traffic and configure each role to assign ports (related -# to that role) on these networks. This version of the environment -# has no dedicated VLAN for tunneling, for deployments that use -# VLAN mode, flat provider networks, etc. -resource_registry: - OS::TripleO::Network::External: ../network/external.yaml - OS::TripleO::Network::InternalApi: ../network/internal_api.yaml - OS::TripleO::Network::StorageMgmt: ../network/storage_mgmt.yaml - OS::TripleO::Network::Storage: ../network/storage.yaml - OS::TripleO::Network::Tenant: ../network/noop.yaml - # Management network is optional and disabled by default. - # To enable it, include environments/network-management.yaml - #OS::TripleO::Network::Management: ../network/management.yaml - - # Port assignments for the VIPs - OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external.yaml - OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api.yaml - OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage.yaml - OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt.yaml - OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml - - # Port assignments for the controller role - OS::TripleO::Controller::Ports::ExternalPort: ../network/ports/external.yaml - OS::TripleO::Controller::Ports::InternalApiPort: ../network/ports/internal_api.yaml - OS::TripleO::Controller::Ports::StoragePort: ../network/ports/storage.yaml - OS::TripleO::Controller::Ports::StorageMgmtPort: ../network/ports/storage_mgmt.yaml - OS::TripleO::Controller::Ports::TenantPort: ../network/ports/noop.yaml - #OS::TripleO::Controller::Ports::ManagementPort: ../network/ports/management.yaml - - # Port assignments for the compute role - OS::TripleO::Compute::Ports::ExternalPort: ../network/ports/noop.yaml - OS::TripleO::Compute::Ports::InternalApiPort: ../network/ports/internal_api.yaml - 
OS::TripleO::Compute::Ports::StoragePort: ../network/ports/storage.yaml - OS::TripleO::Compute::Ports::StorageMgmtPort: ../network/ports/noop.yaml - OS::TripleO::Compute::Ports::TenantPort: ../network/ports/noop.yaml - #OS::TripleO::Compute::Ports::ManagementPort: ../network/ports/management.yaml - - # Port assignments for the ceph storage role - OS::TripleO::CephStorage::Ports::ExternalPort: ../network/ports/noop.yaml - OS::TripleO::CephStorage::Ports::InternalApiPort: ../network/ports/noop.yaml - OS::TripleO::CephStorage::Ports::StoragePort: ../network/ports/storage.yaml - OS::TripleO::CephStorage::Ports::StorageMgmtPort: ../network/ports/storage_mgmt.yaml - OS::TripleO::CephStorage::Ports::TenantPort: ../network/ports/noop.yaml - #OS::TripleO::CephStorage::Ports::ManagementPort: ../network/ports/management.yaml - - # Port assignments for the swift storage role - OS::TripleO::SwiftStorage::Ports::ExternalPort: ../network/ports/noop.yaml - OS::TripleO::SwiftStorage::Ports::InternalApiPort: ../network/ports/internal_api.yaml - OS::TripleO::SwiftStorage::Ports::StoragePort: ../network/ports/storage.yaml - OS::TripleO::SwiftStorage::Ports::StorageMgmtPort: ../network/ports/storage_mgmt.yaml - OS::TripleO::SwiftStorage::Ports::TenantPort: ../network/ports/noop.yaml - #OS::TripleO::SwiftStorage::Ports::ManagementPort: ../network/ports/management.yaml - - # Port assignments for the block storage role - OS::TripleO::BlockStorage::Ports::ExternalPort: ../network/ports/noop.yaml - OS::TripleO::BlockStorage::Ports::InternalApiPort: ../network/ports/internal_api.yaml - OS::TripleO::BlockStorage::Ports::StoragePort: ../network/ports/storage.yaml - OS::TripleO::BlockStorage::Ports::StorageMgmtPort: ../network/ports/storage_mgmt.yaml - OS::TripleO::BlockStorage::Ports::TenantPort: ../network/ports/noop.yaml - #OS::TripleO::BlockStorage::Ports::ManagementPort: ../network/ports/management.yaml 
diff --git a/environments/network-isolation.j2.yaml b/environments/network-isolation.j2.yaml index 1b792afd..2db1a828 100644 --- a/environments/network-isolation.j2.yaml +++ b/environments/network-isolation.j2.yaml @@ -22,9 +22,6 @@ resource_registry: {%- endfor %} OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml - - OS::TripleO::{{primary_role_name}}::Ports::RedisVipPort: ../network/ports/vip.yaml - {%- for role in roles %} # Port assignments for the {{role.name}} {%- for network in networks %} diff --git a/environments/neutron-nuage-config.yaml b/environments/neutron-nuage-config.yaml index ce64311b..fb47770f 100644 --- a/environments/neutron-nuage-config.yaml +++ b/environments/neutron-nuage-config.yaml @@ -28,6 +28,8 @@ parameter_defaults: NeutronTunnelIdRanges: '' NeutronNetworkVLANRanges: '' NeutronVniRanges: '' + NovaPatchConfigMonkeyPatch: false + NovaPatchConfigMonkeyPatchModules: '' NovaOVSBridge: 'default_bridge' NeutronMetadataProxySharedSecret: 'default' InstanceNameTemplate: 'inst-%08x' diff --git a/environments/services/neutron-lbaasv2.yaml b/environments/services/neutron-lbaasv2.yaml index 385bb2fe..ca42d20d 100644 --- a/environments/services/neutron-lbaasv2.yaml +++ b/environments/services/neutron-lbaasv2.yaml @@ -8,7 +8,7 @@ # - OVS: neutron.agent.linux.interface.OVSInterfaceDriver # - LinuxBridges: neutron.agent.linux.interface.BridgeInterfaceDriver resource_registry: - OS::TripleO::Services::NeutronLbaasv2Agent: ../puppet/services/neutron-lbaas.yaml + OS::TripleO::Services::NeutronLbaasv2Agent: ../../puppet/services/neutron-lbaas.yaml parameter_defaults: NeutronLbaasInterfaceDriver: "neutron.agent.linux.interface.OVSInterfaceDriver" diff --git a/network/management_v6.yaml b/network/management_v6.yaml deleted file mode 100644 index 2eb8c876..00000000 --- a/network/management_v6.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -heat_template_version: pike - -description: > - Management network. System administration, SSH, DNS, NTP, etc. This network - would usually be the default gateway for the non-controller nodes. - -parameters: - # the defaults here work for static IP assignment (IPAM) only - ManagementNetCidr: - default: 'fd00:fd00:fd00:6000::/64' - description: Cidr for the management network. - type: string - ManagementNetValueSpecs: - default: {'provider:physical_network': 'management', 'provider:network_type': 'flat'} - description: Value specs for the management network. - type: json - ManagementNetAdminStateUp: - default: false - description: The admin state of the network. - type: boolean - ManagementNetShared: - default: false - description: Whether this network is shared across all tenants. - type: boolean - ManagementNetName: - default: management - description: The name of the management network. - type: string - ManagementSubnetName: - default: management_subnet - description: The name of the management subnet in Neutron. - type: string - ManagementAllocationPools: - default: [{'start': 'fd00:fd00:fd00:6000::10', 'end': 'fd00:fd00:fd00:6000:ffff:ffff:ffff:fffe'}] - description: Ip allocation pool range for the management network. 
- type: json - IPv6AddressMode: - default: dhcpv6-stateful - description: Neutron subnet IPv6 address mode - type: string - IPv6RAMode: - default: dhcpv6-stateful - description: Neutron subnet IPv6 router advertisement mode - type: string - -resources: - ManagementNetwork: - type: OS::Neutron::Net - properties: - admin_state_up: {get_param: ManagementNetAdminStateUp} - name: {get_param: ManagementNetName} - shared: {get_param: ManagementNetShared} - value_specs: {get_param: ManagementNetValueSpecs} - - ManagementSubnet: - type: OS::Neutron::Subnet - properties: - ip_version: 6 - ipv6_address_mode: {get_param: IPv6AddressMode} - ipv6_ra_mode: {get_param: IPv6RAMode} - cidr: {get_param: ManagementNetCidr} - name: {get_param: ManagementSubnetName} - network: {get_resource: ManagementNetwork} - allocation_pools: {get_param: ManagementAllocationPools} - -outputs: - OS::stack_id: - description: Neutron management network - value: {get_resource: ManagementNetwork} - subnet_cidr: - value: {get_attr: [ManagementSubnet, cidr]} diff --git a/network/networks.j2.yaml b/network/networks.j2.yaml index 48c509df..1a170045 100644 --- a/network/networks.j2.yaml +++ b/network/networks.j2.yaml @@ -4,8 +4,7 @@ description: Create networks to split out Overcloud traffic resources: {%- for network in networks %} - {%- set network_name = network.compat_name|default(network.name) %} - {{network_name}}Network: + {{network.name}}Network: type: OS::TripleO::Network::{{network.name}} {%- endfor %} @@ -19,9 +18,8 @@ outputs: # NOTE(gfidente): we need to replace the null value with a # string to work around https://bugs.launchpad.net/heat/+bug/1700025 {%- for network in networks %} - {%- set network_name = network.compat_name|default(network.name) %} {{network.name_lower}}: yaql: - data: {get_attr: [{{network_name}}Network, subnet_cidr]} + data: {get_attr: [{{network.name}}Network, subnet_cidr]} expression: str($.data).replace('null', 'disabled') {%- endfor %} 
diff --git a/network_data.yaml b/network_data.yaml index fed11576..90293ab3 100644 --- a/network_data.yaml +++ b/network_data.yaml @@ -58,7 +58,6 @@ allocation_pools: [{'start': '172.16.2.4', 'end': '172.16.2.250'}] ipv6_subnet: 'fd00:fd00:fd00:2000::/64' ipv6_allocation_pools: [{'start': 'fd00:fd00:fd00:2000::10', 'end': 'fd00:fd00:fd00:2000:ffff:ffff:ffff:fffe'}] - compat_name: Internal - name: Storage vip: true name_lower: storage @@ -81,8 +80,9 @@ ipv6_subnet: 'fd00:fd00:fd00:5000::/64' ipv6_allocation_pools: [{'start': 'fd00:fd00:fd00:5000::10', 'end': 'fd00:fd00:fd00:5000:ffff:ffff:ffff:fffe'}] - name: Management - # Management network is disabled by default - enabled: false + # Management network is enabled by default for backwards-compatibility, but + # is not included in any roles by default. Add to role definitions to use. + enabled: true vip: false # Management network does not use VIPs name_lower: management ip_subnet: '10.0.1.0/24' diff --git a/puppet/services/README.rst b/puppet/services/README.rst index a593d55e..38e2a280 100644 --- a/puppet/services/README.rst +++ b/puppet/services/README.rst @@ -99,12 +99,12 @@ It is also possible to use Mistral actions or workflows together with a deployment step, these are executed before the main configuration run. To describe actions or workflows from within a service use: - * service_workflow_tasks: One or more workflow task properties + * workflow_tasks: One or more workflow task properties which expects a map where the key is the step and the value a list of dictionaries descrbing each a workflow task, for example:: - service_workflow_tasks: + workflow_tasks: step2: - name: echo action: std.echo output=Hello diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index af3f8637..9e493c3e 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml 
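Review bot: Switching the Management entry to `enabled: true` changes what a default deployment creates, and the commit adds release notes for other changes but none for this one. The j2 environments in this diff iterate `networks if network.enabled|default(true)`, so the Management network is now mapped by default, and this is the network used for system administration access. The in-file comment explains the intent; I would also add a release note under `upgrade:` saying the Management network is now enabled by default and is attached to no role unless it is added to the role definition. That gives operators a prompt to check their address plan and filtering for `10.0.1.0/24` before upgrading.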
@@ -33,7 +33,7 @@ parameters: DhcpAgentNotification: default: true description: Whether or not to enable DHCP agent notifications. - type: string + type: boolean NeutronDnsDomain: type: string default: openstacklocal diff --git a/puppet/services/neutron-plugin-ml2-nuage.yaml b/puppet/services/neutron-plugin-ml2-nuage.yaml index a7dc2e8b..4cd541cc 100644 --- a/puppet/services/neutron-plugin-ml2-nuage.yaml +++ b/puppet/services/neutron-plugin-ml2-nuage.yaml @@ -67,6 +67,16 @@ parameters: type: boolean default: false + NovaPatchConfigMonkeyPatch: + description: Apply monkey patching or not + type: boolean + default: false + + NovaPatchConfigMonkeyPatchModules: + description: List of modules/decorators to monkey patch + type: comma_delimited_list + default: '' + resources: NeutronML2Base: @@ -95,5 +105,7 @@ outputs: neutron::plugins::ml2::nuage::nuage_base_uri_version: {get_param: NeutronNuageBaseURIVersion} neutron::plugins::ml2::nuage::nuage_cms_id: {get_param: NeutronNuageCMSId} nova::api::use_forwarded_for: {get_param: UseForwardedFor} + nova::patch::config::monkey_patch: {get_param: NovaPatchConfigMonkeyPatch} + nova::patch::config::monkey_patch_modules: {get_param: NovaPatchConfigMonkeyPatchModules} step_config: | include tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-plugin-nsx.yaml b/puppet/services/neutron-plugin-nsx.yaml index 26380649..ad0fc7f8 100644 --- a/puppet/services/neutron-plugin-nsx.yaml +++ b/puppet/services/neutron-plugin-nsx.yaml @@ -49,7 +49,7 @@ parameters: NativeDhcpMetadata: default: True description: This is the flag to indicate if using native DHCP/Metadata or not. - type: string + type: boolean DhcpProfileUuid: description: This is the UUID of the NSX DHCP Profile that will be used to enable native DHCP service. diff --git a/puppet/services/pacemaker/cinder-volume.yaml b/puppet/services/pacemaker/cinder-volume.yaml index f4675875..cbbf2eaf 100644 --- a/puppet/services/pacemaker/cinder-volume.yaml 
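Review bot: In neutron-plugin-ml2-nuage.yaml the two new parameters control which extra code nova applies to its own modules, yet the descriptions (`Apply monkey patching or not`, `List of modules/decorators to monkey patch`) give neither the entry format nor the dependency between the two. I would expand the second to `description: Comma-separated list of module:decorator pairs passed to nova::patch::config::monkey_patch_modules; only used when NovaPatchConfigMonkeyPatch is true.` (confirm the pair format against the nova option before merging). Since the value names code that is loaded at service start, the description should also say that entries must refer to modules shipped in the nova image.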
+++ b/puppet/services/pacemaker/cinder-volume.yaml @@ -66,17 +66,9 @@ outputs: resource: openstack-cinder-volume state: disable wait_for_resource: true - - name: get bootstrap nodeid - tags: step5 - command: hiera bootstrap_nodeid - register: bootstrap_node - - block: - - name: Sync cinder DB - tags: step5 - command: cinder-manage db sync - - name: Start cinder_volume service (pacemaker) - tags: step5 - pacemaker_resource: - resource: openstack-cinder-volume - state: enable - when: bootstrap_node.stdout == ansible_hostname + post_upgrade_tasks: + - name: Start cinder_volume service (pacemaker) + tags: step1 + pacemaker_resource: + resource: openstack-cinder-volume + state: enable diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml index 541a2eb6..251d8092 100644 --- a/puppet/services/tacker.yaml +++ b/puppet/services/tacker.yaml @@ -114,6 +114,7 @@ outputs: tacker::keystone::authtoken::project_name: 'service' tacker::keystone::authtoken::user_domain_name: 'Default' tacker::keystone::authtoken::project_domain_name: 'Default' + tacker::keystone::authtoken::password: {get_param: TackerPassword} tacker::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} tacker::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} diff --git a/releasenotes/notes/adds-post_upgrade_tasks-eba0656012c861a1.yaml b/releasenotes/notes/adds-post_upgrade_tasks-eba0656012c861a1.yaml new file mode 100644 index 00000000..bdce1348 --- /dev/null +++ b/releasenotes/notes/adds-post_upgrade_tasks-eba0656012c861a1.yaml 
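Review bot: The new `post_upgrade_tasks` entry enables `openstack-cinder-volume` with no node guard, whereas the block it replaces ran the enable only `when: bootstrap_node.stdout == ansible_hostname`. As written, every node that runs these tasks issues the enable, and unlike the pacemaker tasks changed elsewhere in this commit it has no `register`/`retries`/`until`. I would carry the `get bootstrap nodeid` lookup over into `post_upgrade_tasks` and keep `when: bootstrap_node.stdout == ansible_hostname` on the enable. The removed `cinder-manage db sync` is presumably covered by the deployment steps now; that is not visible in this hunk and should be stated in the commit message.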
@@ -0,0 +1,12 @@ +--- +upgrade: + - | + This adds post_upgrade_tasks, ansible tasks that can be added to any + service manifest (currently, pacemaker/cinder-volume for bug 1706951). + + These are similar to the existing upgrade_tasks in their format, however + they will be executed *after* the docker/puppet config. So the order is + upgrade_tasks, deployment steps (docker/puppet), then post_upgrade_tasks. + + Also like the upgrade_tasks these are serialised and you can use 'tags' + with 'step0' to 'step6' (more can be added if needed). diff --git a/releasenotes/notes/fix-internal-api-network-name-282bfda2cdb406aa.yaml b/releasenotes/notes/fix-internal-api-network-name-282bfda2cdb406aa.yaml new file mode 100644 index 00000000..2e7e79f1 --- /dev/null +++ b/releasenotes/notes/fix-internal-api-network-name-282bfda2cdb406aa.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes heat resource OS::TripleO::Network::Internal to be renamed back to + OS::TripleO::Network::InternalApi for backwards compatibility with + previous versions. diff --git a/releasenotes/notes/fix-missing-tacker-password-c2ce555cdd52c102.yaml b/releasenotes/notes/fix-missing-tacker-password-c2ce555cdd52c102.yaml new file mode 100644 index 00000000..7d8d3dd1 --- /dev/null +++ b/releasenotes/notes/fix-missing-tacker-password-c2ce555cdd52c102.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - | + Fixes missing Keystone authtoken password for Tacker. diff --git a/releasenotes/notes/service_workflow_tasks-4da5830821b7154b.yaml b/releasenotes/notes/workflow_tasks-4da5830821b7154b.yaml index cf99ec5d..cf99ec5d 100644 --- a/releasenotes/notes/service_workflow_tasks-4da5830821b7154b.yaml +++ b/releasenotes/notes/workflow_tasks-4da5830821b7154b.yaml diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml index 066962c1..2f86d2d2 100644 --- a/roles/ControllerOpenstack.yaml +++ b/roles/ControllerOpenstack.yaml 
@@ -75,6 +75,10 @@ - OS::TripleO::Services::Memcached - OS::TripleO::Services::MongoDb - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::NeutronApi + - OS::TripleO::Services::NeutronBgpVpnApi + - OS::TripleO::Services::NeutronCorePlugin + - OS::TripleO::Services::NeutronL2gwApi - OS::TripleO::Services::NovaApi - OS::TripleO::Services::NovaConductor - OS::TripleO::Services::NovaConsoleauth diff --git a/roles/Networker.yaml b/roles/Networker.yaml index ac30c2fd..afd3b101 100644 --- a/roles/Networker.yaml +++ b/roles/Networker.yaml @@ -3,10 +3,11 @@ ############################################################################### - name: Networker description: | - Standalone networking role to run Neutron services their own. Includes + Standalone networking role to run Neutron agents their own. Includes Pacemaker integration via PacemakerRemote networks: - InternalApi + - Tenant HostnameFormatDefault: '%stackname%-networker-%index%' ServicesDefault: - OS::TripleO::Services::AuditD @@ -17,12 +18,8 @@ - OS::TripleO::Services::FluentdClient - OS::TripleO::Services::Kernel - OS::TripleO::Services::MySQLClient - - OS::TripleO::Services::NeutronApi - - OS::TripleO::Services::NeutronBgpVpnApi - - OS::TripleO::Services::NeutronCorePlugin - OS::TripleO::Services::NeutronDhcpAgent - OS::TripleO::Services::NeutronL2gwAgent - - OS::TripleO::Services::NeutronL2gwApi - OS::TripleO::Services::NeutronL3Agent - OS::TripleO::Services::NeutronLbaasv2Agent - OS::TripleO::Services::NeutronMetadataAgent diff --git a/roles/UndercloudLight.yaml b/roles/UndercloudLight.yaml new file mode 100644 index 00000000..bc1b1c9a --- /dev/null +++ b/roles/UndercloudLight.yaml 
@@ -0,0 +1,34 @@ +############################################################################### +# Role: Undercloud # +############################################################################### +- name: Undercloud + description: | + EXPERIMENTAL. A role to deploy the minimal undercloud for pre-provisioned + deployed servers via heat using the 'openstack undercloud deploy' command. + Should be used with the 'environments/docker-uc-light.yaml' template + instead of the 'environments/docker.yaml'. + CountDefault: 1 + disable_constraints: True + tags: + - primary + - controller + ServicesDefault: + - OS::TripleO::Services::ContainersLogrotateCrond + - OS::TripleO::Services::HeatApi + - OS::TripleO::Services::HeatApiCfn + - OS::TripleO::Services::HeatEngine + - OS::TripleO::Services::Keystone + - OS::TripleO::Services::Memcached + - OS::TripleO::Services::MistralApi + - OS::TripleO::Services::MistralEngine + - OS::TripleO::Services::MistralExecutor + - OS::TripleO::Services::MySQL + - OS::TripleO::Services::NeutronApi + - OS::TripleO::Services::NeutronCorePlugin + - OS::TripleO::Services::NeutronDhcpAgent + - OS::TripleO::Services::NeutronServer + - OS::TripleO::Services::RabbitMQ + - OS::TripleO::Services::SwiftProxy + - OS::TripleO::Services::SwiftRingBuilder + - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::Zaqar diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 682cb8df..f7a45d7b 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py 
@@ -31,12 +31,13 @@ envs_containing_endpoint_map = ['tls-endpoints-public-dns.yaml', 'tls-endpoints-public-ip.yaml', 'tls-everywhere-endpoints-dns.yaml'] ENDPOINT_MAP_FILE = 'endpoint_map.yaml' -OPTIONAL_SECTIONS = ['service_workflow_tasks'] +OPTIONAL_SECTIONS = ['workflow_tasks'] REQUIRED_DOCKER_SECTIONS = ['service_name', 'docker_config', 'puppet_config', 'config_settings', 'step_config'] OPTIONAL_DOCKER_SECTIONS = ['docker_puppet_tasks', 'upgrade_tasks', - 'service_config_settings', 'host_prep_tasks', - 'metadata_settings', 'kolla_config'] + 'post_upgrade_tasks', 'service_config_settings', + 'host_prep_tasks', 'metadata_settings', + 'kolla_config'] REQUIRED_DOCKER_PUPPET_CONFIG_SECTIONS = ['config_volume', 'step_config', 'config_image'] OPTIONAL_DOCKER_PUPPET_CONFIG_SECTIONS = [ 'puppet_tags', 'volumes' ] @@ -87,6 +88,8 @@ PARAMETER_DEFINITION_EXCLUSIONS = {'ManagementNetCidr': ['default'], 'OVNSouthboundServerPort': ['description'], 'ExternalInterfaceDefaultRoute': ['description', 'default'], + 'ManagementInterfaceDefaultRoute': + ['description', 'default'], 'IPPool': ['description'], 'SSLCertificate': ['description', 'default', |