diff options
176 files changed, 1400 insertions, 853 deletions
@@ -76,6 +76,8 @@ and should be executed according to the following table: +----------------+-------------+-------------+-------------+-------------+-----------------+ | neutron | ovs | ovs | ovs | ovs | X | +----------------+-------------+-------------+-------------+-------------+-----------------+ +| neutron-bgpvpn | | | | X | | ++----------------+-------------+-------------+-------------+-------------+-----------------+ | rabbitmq | X | X | X | X | X | +----------------+-------------+-------------+-------------+-------------+-----------------+ | mongodb | X | X | | | | @@ -128,3 +130,9 @@ and should be executed according to the following table: +----------------+-------------+-------------+-------------+-------------+-----------------+ | manila | | | | X | | +----------------+-------------+-------------+-------------+-------------+-----------------+ +| collectd | X | | | | | ++----------------+-------------+-------------+-------------+-------------+-----------------+ +| fluentd | X | | | | | ++----------------+-------------+-------------+-------------+-------------+-----------------+ +| sensu-client | X | | | | | ++----------------+-------------+-------------+-------------+-------------+-----------------+ diff --git a/capabilities-map.yaml b/capabilities-map.yaml index b6df7946..0af0e822 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -370,6 +370,11 @@ topics: description: Enable FOS in the overcloud requires: - overcloud-resource-registry-puppet.yaml + - file: environments/neutron-l2gw.yaml + title: Neutron L2 gateway Service Plugin + description: Enables Neutron L2 gateway Service Plugin + requires: + - overcloud-resource-registry-puppet.yaml - title: Nova Extensions description: @@ -600,3 +605,8 @@ topics: environments: - file: environments/cadf.yaml title: Keystone CADF auditing + - title: SecureTTY Values + description: Set values within /etc/securetty + environments: + - file: environments/securetty.yaml + title: SecureTTY Values diff --git a/ci/environments/multinode-3nodes.yaml b/ci/environments/multinode-3nodes.yaml index d6e2376a..8307db96 100644 --- a/ci/environments/multinode-3nodes.yaml +++ b/ci/environments/multinode-3nodes.yaml @@ -24,7 +24,6 @@ - OS::TripleO::Services::CACerts - OS::TripleO::Services::CinderApi - OS::TripleO::Services::CinderScheduler - - OS::TripleO::Services::Core - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi @@ -63,7 +62,6 @@ - OS::TripleO::Services::CACerts - OS::TripleO::Services::CinderBackup - OS::TripleO::Services::CinderVolume - - OS::TripleO::Services::Core - OS::TripleO::Services::Kernel - OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQLClient diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml index 2203665a..5dd1f0f6 100644 --- a/ci/environments/scenario001-multinode.yaml +++ b/ci/environments/scenario001-multinode.yaml @@ -18,6 +18,8 @@ resource_registry: OS::TripleO::Tasks::ControllerPrePuppet: ../../extraconfig/tasks/pre_puppet_pacemaker.yaml OS::TripleO::Tasks::ControllerPostPuppet: ../../extraconfig/tasks/post_puppet_pacemaker.yaml OS::TripleO::Tasks::ControllerPostPuppetRestart: ../../extraconfig/tasks/post_puppet_pacemaker_restart.yaml + OS::TripleO::Services::FluentdClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/logging/fluentd-client.yaml + OS::TripleO::Services::SensuClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/monitoring/sensu-client.yaml parameter_defaults: ControllerServices: @@ -49,6 +51,7 @@ parameter_defaults: - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::Timezone - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt @@ -62,6 +65,7 @@ parameter_defaults: - OS::TripleO::Services::CeilometerCollector - OS::TripleO::Services::CeilometerExpirer - OS::TripleO::Services::CeilometerAgentCentral + - OS::TripleO::Services::CeilometerAgentIpmi - OS::TripleO::Services::CeilometerAgentNotification - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd @@ -79,6 +83,9 @@ parameter_defaults: - OS::TripleO::Services::Congress - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::SensuClient + ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu @@ -112,3 +119,17 @@ parameter_defaults: ****************************************************************** CollectdExtraPlugins: - rrdtool + LoggingServers: + - host: 127.0.0.1 + port: 24224 + MonitoringRabbitHost: 127.0.0.1 + MonitoringRabbitPort: 5676 + MonitoringRabbitPassword: sensu + TtyValues: + - console + - tty1 + - tty2 + - tty3 + - tty4 + - tty5 + - tty6 diff --git a/ci/environments/scenario004-multinode.yaml b/ci/environments/scenario004-multinode.yaml index dc05ab4e..7428d426 100644 --- a/ci/environments/scenario004-multinode.yaml +++ b/ci/environments/scenario004-multinode.yaml @@ -12,6 +12,7 @@ resource_registry: OS::TripleO::Services::ManilaScheduler: ../../puppet/services/manila-scheduler.yaml OS::TripleO::Services::ManilaShare: ../../puppet/services/pacemaker/manila-share.yaml OS::TripleO::Services::ManilaBackendCephFs: ../../puppet/services/manila-backend-cephfs.yaml + OS::TripleO::Services::NeutronBgpVpnApi: ../../puppet/services/neutron-bgpvpn-api.yaml # These enable Pacemaker OS::TripleO::Tasks::ControllerPrePuppet: ../../extraconfig/tasks/pre_puppet_pacemaker.yaml OS::TripleO::Tasks::ControllerPostPuppet: ../../extraconfig/tasks/post_puppet_pacemaker.yaml @@ -39,6 +40,7 @@ parameter_defaults: - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::NeutronBgpVpnApi - OS::TripleO::Services::NeutronDhcpAgent - OS::TripleO::Services::NeutronL3Agent - OS::TripleO::Services::NeutronMetadataAgent @@ -83,3 +85,5 @@ parameter_defaults: CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ==' CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw==' SwiftCeilometerPipelineEnabled: false + NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin' + BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default' diff --git a/deployed-server/README.rst b/deployed-server/README.rst index e4d8299b..8638818b 100644 --- a/deployed-server/README.rst +++ b/deployed-server/README.rst @@ -67,11 +67,11 @@ example: parameter_defaults: ControlPlaneDefaultRoute: 192.168.122.130 ControlPlaneSubnetCidr: "24" - EC2MetadataIp: "192.0.2.1" + EC2MetadataIp: "192.168.24.1" In this example, 192.168.122.130 is the external management IP of an undercloud, thus it is the default route for the configured local_ip value of -192.0.2.1. +192.168.24.1. os-collect-config diff --git a/deployed-server/deployed-server-bootstrap-centos.sh b/deployed-server/deployed-server-bootstrap-centos.sh index c86e771c..6f2bb124 100644 --- a/deployed-server/deployed-server-bootstrap-centos.sh +++ b/deployed-server/deployed-server-bootstrap-centos.sh @@ -15,3 +15,6 @@ ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules setenforce 0 sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config + +echo '# empty ruleset created by deployed-server bootstrap' > /etc/sysconfig/iptables +echo '# empty ruleset created by deployed-server bootstrap' > /etc/sysconfig/ip6tables diff --git a/deployed-server/deployed-server-bootstrap-rhel.sh b/deployed-server/deployed-server-bootstrap-rhel.sh index 10b4999b..9e9e9b3b 100644 --- a/deployed-server/deployed-server-bootstrap-rhel.sh +++ b/deployed-server/deployed-server-bootstrap-rhel.sh @@ -12,3 +12,6 @@ yum install -y \ openstack-selinux ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules + +echo '# empty ruleset created by deployed-server bootstrap' > /etc/sysconfig/iptables +echo '# empty ruleset created by deployed-server bootstrap' > /etc/sysconfig/ip6tables diff --git a/deployed-server/deployed-server.yaml b/deployed-server/deployed-server.yaml index 1e8afb25..afdb5d0c 100644 --- a/deployed-server/deployed-server.yaml +++ b/deployed-server/deployed-server.yaml @@ -81,6 +81,7 @@ resources: InstanceIdDeployment: type: OS::Heat::StructuredDeployment properties: + name: InstanceIdDeployment config: {get_resource: InstanceIdConfig} server: {get_resource: deployed-server} depends_on: UpgradeInitDeployment @@ -103,6 +104,7 @@ resources: HostsEntryDeployment: type: OS::Heat::SoftwareDeployment properties: + name: HostsEntryDeployment config: {get_resource: HostsEntryConfig} server: {get_resource: deployed-server} diff --git a/deployed-server/scripts/get-occ-config.sh b/deployed-server/scripts/get-occ-config.sh index d0cc4dff..28f038ce 100755 --- a/deployed-server/scripts/get-occ-config.sh +++ b/deployed-server/scripts/get-occ-config.sh @@ -89,16 +89,16 @@ for role in $OVERCLOUD_ROLES; do done echo "======================" - echo "$role$i os-collect-config.conf configuration:" + echo "$role$i deployed-server.json configuration:" - config=" -[DEFAULT] -collectors=request -command=os-refresh-config -polling_interval=30 - -[request] -metadata_url=$deployed_server_metadata_url" + config="{ + \"os-collect-config\": { + \"collectors\": [\"request\", \"local\"], + \"request\": { + \"metadata_url\": \"$deployed_server_metadata_url\" + } + } +}" echo "$config" echo "======================" @@ -108,12 +108,11 @@ metadata_url=$deployed_server_metadata_url" host= eval host=\${${role}_hosts_a[i]} if [ -n "$host" ]; then - # Delete the os-collect-config.conf template so our file won't get - # overwritten - ssh $SSH_OPTIONS -i $SUBNODES_SSH_KEY $host sudo /bin/rm -f /usr/libexec/os-apply-config/templates/etc/os-collect-config.conf - ssh $SSH_OPTIONS -i $SUBNODES_SSH_KEY $host "echo \"$config\" > os-collect-config.conf" - ssh $SSH_OPTIONS -i $SUBNODES_SSH_KEY $host sudo cp os-collect-config.conf /etc/os-collect-config.conf - ssh $SSH_OPTIONS -i $SUBNODES_SSH_KEY $host sudo systemctl restart os-collect-config + ssh $SSH_OPTIONS -i $SUBNODES_SSH_KEY $host "echo '$config' > deployed-server.json" + ssh $SSH_OPTIONS -i $SUBNODES_SSH_KEY $host sudo mkdir -p -m 0700 /var/lib/os-collect-config/local-data/ || true + ssh $SSH_OPTIONS -i $SUBNODES_SSH_KEY $host sudo cp deployed-server.json /var/lib/os-collect-config/local-data/deployed-server.json + ssh $SSH_OPTIONS -i $SUBNODES_SSH_KEY $host sudo systemctl start os-collect-config + ssh $SSH_OPTIONS -i $SUBNODES_SSH_KEY $host sudo systemctl enable os-collect-config fi let i+=1 diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index 8f95208f..c364d039 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -247,9 +247,9 @@ for config_volume in configs: volumes = service[4] if len(service) > 4 else [] if puppet_tags: - puppet_tags = "file,file_line,concat,%s" % puppet_tags + puppet_tags = "file,file_line,concat,augeas,%s" % puppet_tags else: - puppet_tags = "file,file_line,concat" + puppet_tags = "file,file_line,concat,augeas" process_map.append([config_volume, puppet_tags, manifest, config_image, volumes]) @@ -259,4 +259,13 @@ for p in process_map: # Fire off processes to perform each configuration. Defaults # to the number of CPUs on the system. p = multiprocessing.Pool(process_count) -p.map(mp_puppet_config, process_map) +returncodes = list(p.map(mp_puppet_config, process_map)) +config_volumes = [pm[0] for pm in process_map] +success = True +for returncode, config_volume in zip(returncodes, config_volumes): + if returncode != 0: + print('ERROR configuring %s' % config_volume) + success = False + +if not success: + sys.exit(1) diff --git a/docker/services/README.rst b/docker/services/README.rst index 465e4abe..84ac842e 100644 --- a/docker/services/README.rst +++ b/docker/services/README.rst @@ -74,7 +74,7 @@ are re-asserted when applying latter ones. * puppet_tags: Puppet resource tag names that are used to generate config files with puppet. Only the named config resources are used to generate a config file. Any service that specifies tags will have the default - tags of 'file,concat,file_line' appended to the setting. + tags of 'file,concat,file_line,augeas' appended to the setting. Example: keystone_config * config_volume: The name of the volume (directory) where config files diff --git a/docker/services/aodh-api.yaml b/docker/services/aodh-api.yaml index ca410d6d..32294958 100644 --- a/docker/services/aodh-api.yaml +++ b/docker/services/aodh-api.yaml @@ -58,29 +58,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerAodhApiImage} ] kolla_config: - /var/lib/kolla/config_files/aodh-api.json: - command: /usr/sbin/httpd -DFOREGROUND - config_files: - - dest: /etc/aodh/aodh.conf - owner: aodh - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/aodh/aodh.conf - - dest: /etc/httpd/conf.d/10-aodh_wsgi.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-aodh_wsgi.conf - - dest: /etc/httpd/conf/httpd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf - - dest: /etc/httpd/conf/ports.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf - - dest: /var/www/cgi-bin/aodh/app - owner: aodh - perm: '0644' - source: /var/lib/kolla/config_files/src/var/www/cgi-bin/aodh/app + /var/lib/kolla/config_files/aodh-api.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: step_3: aodh-init-log: @@ -97,7 +76,7 @@ outputs: privileged: false detach: false volumes: - - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh:ro + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log @@ -110,8 +89,9 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/aodh-api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/aodh/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/aodh/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro + - /var/lib/config-data/aodh/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/aodh/var/www/:/var/www/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log diff --git a/docker/services/aodh-evaluator.yaml b/docker/services/aodh-evaluator.yaml index d3c8c595..1553df3c 100644 --- a/docker/services/aodh-evaluator.yaml +++ b/docker/services/aodh-evaluator.yaml @@ -57,13 +57,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerAodhEvaluatorImage} ] kolla_config: - /var/lib/kolla/config_files/aodh-evaluator.json: - command: /usr/bin/aodh-evaluator - config_files: - - dest: /etc/aodh/aodh.conf - owner: aodh - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/aodh/aodh.conf + /var/lib/kolla/config_files/aodh-evaluator.json: + command: /usr/bin/aodh-evaluator docker_config: step_4: aodh_evaluator: @@ -73,7 +68,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/aodh-evaluator.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/aodh/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/aodh-listener.yaml b/docker/services/aodh-listener.yaml index 7aa9618d..300dfde3 100644 --- a/docker/services/aodh-listener.yaml +++ b/docker/services/aodh-listener.yaml @@ -57,13 +57,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerAodhListenerImage} ] kolla_config: - /var/lib/kolla/config_files/aodh-listener.json: - command: /usr/bin/aodh-listener - config_files: - - dest: /etc/aodh/aodh.conf - owner: aodh - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/aodh/aodh.conf + /var/lib/kolla/config_files/aodh-listener.json: + command: /usr/bin/aodh-listener docker_config: step_4: aodh_listener: @@ -73,7 +68,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/aodh-listener.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/aodh/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/aodh-notifier.yaml b/docker/services/aodh-notifier.yaml index f525d6bd..b4056603 100644 --- a/docker/services/aodh-notifier.yaml +++ b/docker/services/aodh-notifier.yaml @@ -57,13 +57,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerAodhNotifierImage} ] kolla_config: - /var/lib/kolla/config_files/aodh-notifier.json: - command: /usr/bin/aodh-notifier - config_files: - - dest: /etc/aodh/aodh.conf - owner: aodh - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/aodh/aodh.conf + /var/lib/kolla/config_files/aodh-notifier.json: + command: /usr/bin/aodh-notifier docker_config: step_4: aodh_notifier: @@ -73,7 +68,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/aodh-notifier.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/aodh/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml index 15795828..7d2d1a15 100644 --- a/docker/services/database/mongodb.yaml +++ b/docker/services/database/mongodb.yaml @@ -62,33 +62,19 @@ outputs: kolla_config: /var/lib/kolla/config_files/mongodb.json: command: /usr/bin/mongod --unixSocketPrefix=/var/run/mongodb --config /etc/mongod.conf run - config_files: - - dest: /etc/mongod.conf - source: /var/lib/kolla/config_files/src/etc/mongod.conf - owner: mongodb - perm: '0600' - - dest: /etc/mongos.conf - source: /var/lib/kolla/config_files/src/etc/mongos.conf - owner: mongodb - perm: '0600' + permissions: + - path: /var/lib/mongodb + owner: mongodb:mongodb + recurse: true docker_config: step_2: - mongodb_data_ownership: - start_order: 0 - image: *mongodb_image - net: host - user: root - command: ['chown', '-R', 'mongodb:', '/var/lib/mongodb'] - volumes: - - /var/lib/mongodb:/var/lib/mongodb mongodb: - start_order: 1 image: *mongodb_image net: host privileged: false volumes: &mongodb_volumes - /var/lib/kolla/config_files/mongodb.json:/var/lib/kolla/config_files/config.json - - /var/lib/config-data/mongodb/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/mongodb/etc/:/etc/:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log/kolla - /var/lib/mongodb:/var/lib/mongodb diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml index 0ffd0336..cba2070d 100644 --- a/docker/services/database/mysql.yaml +++ b/docker/services/database/mysql.yaml @@ -71,29 +71,14 @@ outputs: kolla_config: /var/lib/kolla/config_files/mysql.json: command: /usr/bin/mysqld_safe - config_files: - - dest: /etc/mysql/my.cnf - source: /var/lib/kolla/config_files/src/etc/my.cnf - owner: mysql - perm: '0644' - - dest: /etc/my.cnf.d/galera.cnf - source: /var/lib/kolla/config_files/src/etc/my.cnf.d/galera.cnf - owner: mysql - perm: '0644' + permissions: + - path: /var/lib/mysql + owner: mysql:mysql + recurse: true docker_config: step_2: - mysql_data_ownership: - start_order: 0 - detach: false - image: *mysql_image - net: host - user: root - # Kolla does only non-recursive chown - command: ['chown', '-R', 'mysql:', '/var/lib/mysql'] - volumes: - - /var/lib/mysql:/var/lib/mysql mysql_bootstrap: - start_order: 1 + start_order: 0 detach: false image: *mysql_image net: host @@ -101,7 +86,7 @@ outputs: command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start'] volumes: &mysql_volumes - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json - - /var/lib/config-data/mysql/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/mysql/etc/:/etc/:ro - /etc/localtime:/etc/localtime:ro - /etc/hosts:/etc/hosts:ro - /var/lib/mysql:/var/lib/mysql @@ -122,7 +107,7 @@ outputs: - {get_param: MysqlRootPassword} - {get_param: [DefaultPasswords, mysql_root_password]} mysql: - start_order: 2 + start_order: 1 image: *mysql_image restart: always net: host @@ -137,8 +122,8 @@ outputs: step_config: 'include ::tripleo::profile::base::database::mysql' config_image: *mysql_image volumes: - - "/var/lib/mysql:/var/lib/mysql/:ro" - - "/var/lib/config-data/mysql/root:/root:ro" #provides .my.cnf + - /var/lib/mysql:/var/lib/mysql/:ro + - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf host_prep_tasks: - name: create /var/lib/mysql file: diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml index 77e4aa01..fdfdbc68 100644 --- a/docker/services/glance-api.yaml +++ b/docker/services/glance-api.yaml @@ -58,17 +58,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerGlanceApiImage} ] kolla_config: - /var/lib/kolla/config_files/glance-api.json: - command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf - config_files: - - dest: /etc/glance/glance-api.conf - owner: glance - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/glance/glance-api.conf - - dest: /etc/glance/glance-swift.conf - owner: glance - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/glance/glance-swift.conf + /var/lib/kolla/config_files/glance-api.json: + command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf docker_config: step_3: glance_api_db_sync: @@ -78,9 +69,9 @@ outputs: detach: false volumes: &glance_volumes - /var/lib/kolla/config_files/glance-api.json:/var/lib/kolla/config_files/config.json + - /var/lib/config-data/glance_api/etc/glance/:/etc/glance/:ro - /etc/localtime:/etc/localtime:ro - /lib/modules:/lib/modules:ro - - /var/lib/config-data/glance_api/:/var/lib/kolla/config_files/src:ro - /run:/run - /dev:/dev - /etc/hosts:/etc/hosts:ro diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml index a64d1507..08f4b56b 100644 --- a/docker/services/gnocchi-api.yaml +++ b/docker/services/gnocchi-api.yaml @@ -58,29 +58,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerGnocchiApiImage} ] kolla_config: - /var/lib/kolla/config_files/gnocchi-api.json: - command: /usr/sbin/httpd -DFOREGROUND - config_files: - - dest: /etc/gnocchi/gnocchi.conf - owner: gnocchi - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/gnocchi/gnocchi.conf - - dest: /etc/httpd/conf.d/10-gnocchi_wsgi.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-gnocchi_wsgi.conf - - dest: /etc/httpd/conf/httpd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf - - dest: /etc/httpd/conf/ports.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf - - dest: /var/www/cgi-bin/gnocchi/app - owner: gnocchi - perm: '0644' - source: /var/lib/kolla/config_files/src/var/www/cgi-bin/gnocchi/app + /var/lib/kolla/config_files/gnocchi-api.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: step_3: gnocchi-init-log: @@ -97,7 +76,7 @@ outputs: detach: false privileged: false volumes: - - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi:ro + - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log @@ -110,8 +89,9 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/gnocchi-api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/gnocchi/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/gnocchi/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro + - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro + - /var/lib/config-data/gnocchi/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/gnocchi/var/www/:/var/www/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml index 6437e942..6b41eaa3 100644 --- a/docker/services/gnocchi-metricd.yaml +++ b/docker/services/gnocchi-metricd.yaml @@ -55,13 +55,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerGnocchiMetricdImage} ] kolla_config: - /var/lib/kolla/config_files/gnocchi-metricd.json: - command: /usr/bin/gnocchi-metricd - config_files: - - dest: /etc/gnocchi/gnocchi.conf - owner: gnocchi - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/gnocchi/gnocchi.conf + /var/lib/kolla/config_files/gnocchi-metricd.json: + command: /usr/bin/gnocchi-metricd docker_config: step_4: gnocchi_metricd: @@ -71,7 +66,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/gnocchi-metricd.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/gnocchi/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml index 32c16521..93b616c4 100644 --- a/docker/services/gnocchi-statsd.yaml +++ b/docker/services/gnocchi-statsd.yaml @@ -55,13 +55,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerGnocchiStatsdImage} ] kolla_config: - /var/lib/kolla/config_files/gnocchi-statsd.json: - command: /usr/bin/gnocchi-statsd - config_files: - - dest: /etc/gnocchi/gnocchi.conf - owner: gnocchi - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/gnocchi/gnocchi.conf + /var/lib/kolla/config_files/gnocchi-statsd.json: + command: /usr/bin/gnocchi-statsd docker_config: step_4: gnocchi_statsd: @@ -71,7 +66,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/gnocchi-statsd.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/gnocchi/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/heat-api-cfn.yaml b/docker/services/heat-api-cfn.yaml index 85ad9212..e1226471 100644 --- a/docker/services/heat-api-cfn.yaml +++ b/docker/services/heat-api-cfn.yaml @@ -64,13 +64,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerHeatConfigImage} ] kolla_config: - /var/lib/kolla/config_files/heat_api_cfn.json: - command: /usr/bin/heat-api-cfn --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf - config_files: - - dest: /etc/heat/heat.conf - owner: heat - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/heat/heat.conf + /var/lib/kolla/config_files/heat_api_cfn.json: + command: /usr/bin/heat-api-cfn --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf docker_config: step_4: heat_api_cfn: @@ -82,12 +77,12 @@ outputs: privileged: false restart: always volumes: - - /run:/run - /var/lib/kolla/config_files/heat_api_cfn.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/heat/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/heat/etc/heat/:/etc/heat/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /dev:/dev + - /run:/run environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS upgrade_tasks: diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml index 12884f56..3212d909 100644 --- a/docker/services/heat-api.yaml +++ b/docker/services/heat-api.yaml @@ -64,13 +64,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerHeatConfigImage} ] kolla_config: - /var/lib/kolla/config_files/heat_api.json: - command: /usr/bin/heat-api --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf - config_files: - - dest: /etc/heat/heat.conf - owner: heat - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/heat/heat.conf + /var/lib/kolla/config_files/heat_api.json: + command: /usr/bin/heat-api --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf docker_config: step_4: heat_api: @@ -82,12 +77,12 @@ outputs: privileged: false restart: always volumes: - - /run:/run - /var/lib/kolla/config_files/heat_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/heat/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/heat/etc/heat/:/etc/heat/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /dev:/dev + - /run:/run environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS upgrade_tasks: diff --git a/docker/services/heat-engine.yaml b/docker/services/heat-engine.yaml index 85a00b1d..83c63095 100644 --- a/docker/services/heat-engine.yaml +++ b/docker/services/heat-engine.yaml @@ -59,13 +59,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerHeatEngineImage} ] kolla_config: - /var/lib/kolla/config_files/heat_engine.json: - command: /usr/bin/heat-engine --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf - config_files: - - dest: /etc/heat/heat.conf - owner: heat - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/heat/heat.conf + /var/lib/kolla/config_files/heat_engine.json: + command: /usr/bin/heat-engine --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf docker_config: step_3: heat_engine_db_sync: @@ -74,7 +69,7 @@ outputs: privileged: false detach: false volumes: - - /var/lib/config-data/heat/etc/heat:/etc/heat:ro + - /var/lib/config-data/heat/etc/heat/:/etc/heat/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro command: ['heat-manage', 'db_sync'] @@ -85,11 +80,11 @@ outputs: privileged: false restart: always volumes: - - /run:/run - /var/lib/kolla/config_files/heat_engine.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/heat/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/heat/etc/heat/:/etc/heat/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro + - /run:/run environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS upgrade_tasks: diff --git a/docker/services/ironic-api.yaml b/docker/services/ironic-api.yaml index 5ae82d46..bef84e2e 100644 --- a/docker/services/ironic-api.yaml +++ b/docker/services/ironic-api.yaml @@ -61,13 +61,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerIronicConfigImage} ] kolla_config: - /var/lib/kolla/config_files/ironic_api.json: - command: /usr/bin/ironic-api - config_files: - - dest: /etc/ironic/ironic.conf - owner: ironic - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/ironic/ironic.conf + /var/lib/kolla/config_files/ironic_api.json: + command: /usr/bin/ironic-api docker_config: step_3: ironic_db_sync: @@ -82,8 +77,6 @@ outputs: - /var/lib/config-data/ironic/etc/:/etc/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS command: ['ironic-dbsync', '--config-file', '/etc/ironic/ironic.conf'] step_4: ironic_api: @@ -94,7 +87,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/ironic_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/ironic/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/ironic/etc/:/etc/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/ironic-conductor.yaml b/docker/services/ironic-conductor.yaml index 678b8c27..3047f30b 100644 --- a/docker/services/ironic-conductor.yaml +++ b/docker/services/ironic-conductor.yaml @@ -69,20 +69,12 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerIronicConfigImage} ] kolla_config: - /var/lib/kolla/config_files/ironic_conductor.json: - command: /usr/bin/ironic-conductor - config_files: - - dest: /etc/ironic/ironic.conf - owner: ironic - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/ironic/ironic.conf - permissions: - - path: /var/lib/ironic/httpboot - owner: ironic:ironic - recurse: true - - path: /var/lib/ironic/tftpboot - owner: ironic:ironic - recurse: true + /var/lib/kolla/config_files/ironic_conductor.json: + command: /usr/bin/ironic-conductor + permissions: + - path: /var/lib/ironic + owner: ironic:ironic + recurse: true docker_config: step_4: ironic_conductor: @@ -96,7 +88,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/ironic_conductor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/ironic/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/ironic/etc/ironic/:/etc/ironic/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /lib/modules:/lib/modules:ro diff --git a/docker/services/ironic-pxe.yaml b/docker/services/ironic-pxe.yaml index c6607094..51538e73 100644 --- a/docker/services/ironic-pxe.yaml +++ b/docker/services/ironic-pxe.yaml @@ -49,52 +49,10 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerIronicConfigImage} ] kolla_config: - /var/lib/kolla/config_files/ironic_pxe_http.json: - command: /usr/sbin/httpd -DFOREGROUND - config_files: - - dest: /etc/ironic/ironic.conf - owner: ironic - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/ironic/ironic.conf - - dest: /etc/httpd/conf.d/10-ipxe_vhost.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-ipxe_vhost.conf - - dest: /etc/httpd/conf/httpd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf - - dest: /etc/httpd/conf/ports.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf - /var/lib/kolla/config_files/ironic_pxe_tftp.json: - command: /usr/sbin/in.tftpd --foreground --user root --address 0.0.0.0:69 --map-file /var/lib/ironic/tftpboot/map-file /var/lib/ironic/tftpboot - config_files: - - dest: /etc/ironic/ironic.conf - owner: ironic - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/ironic/ironic.conf - - dest: /var/lib/ironic/tftpboot/chain.c32 - owner: ironic - perm: '0744' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/chain.c32 - - dest: /var/lib/ironic/tftpboot/pxelinux.0 - owner: ironic - perm: '0744' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/pxelinux.0 - - dest: /var/lib/ironic/tftpboot/ipxe.efi - owner: ironic - perm: '0744' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/ipxe.efi - - dest: /var/lib/ironic/tftpboot/undionly.kpxe - owner: ironic - perm: '0744' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/undionly.kpxe - - dest: /var/lib/ironic/tftpboot/map-file - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/map-file + /var/lib/kolla/config_files/ironic_pxe_http.json: + command: /usr/sbin/httpd -DFOREGROUND + /var/lib/kolla/config_files/ironic_pxe_tftp.json: + command: /usr/sbin/in.tftpd --foreground --user root --address 0.0.0.0:69 --map-file /var/lib/ironic/tftpboot/map-file /var/lib/ironic/tftpboot docker_config: step_4: ironic_pxe_tftp: @@ -108,11 +66,20 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/ironic_pxe_tftp.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/ironic/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/ironic/etc/ironic/:/etc/ironic/:ro + # TODO(mandre) check how docker like mounting in a bind-mounted tree + # This directory may contain migrated data from BM + - /var/lib/ironic:/var/lib/ironic/ + # These files were generated by puppet inside the config container + # TODO(mandre) check the mount permission (ro/rw) + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/chain.c32:/var/lib/ironic/tftpboot/chain.c32 + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/pxelinux.0:/var/lib/ironic/tftpboot/pxelinux.0 + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/ipxe.efi:/var/lib/ironic/tftpboot/ipxe.efi + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/undionly.kpxe:/var/lib/ironic/tftpboot/undionly.kpxe + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/map-file:/var/lib/ironic/tftpboot/map-file - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /dev/log:/dev/log - - /var/lib/ironic:/var/lib/ironic/ environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS ironic_pxe_http: @@ -123,8 +90,8 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/ironic_pxe_http.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/ironic/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/ironic/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro + - /var/lib/config-data/ironic/etc/ironic/:/etc/ironic/:ro + - /var/lib/config-data/ironic/etc/httpd/:/etc/httpd/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /var/lib/ironic:/var/lib/ironic/ diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 0597b906..90ddeb9f 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -71,8 +71,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ] kolla_config: - /var/lib/kolla/config_files/keystone.json: - command: /usr/sbin/httpd -DFOREGROUND + /var/lib/kolla/config_files/keystone.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: step_3: keystone-init-log: diff --git a/docker/services/mistral-api.yaml b/docker/services/mistral-api.yaml index 4dd3b74c..5b5e1f50 100644 --- a/docker/services/mistral-api.yaml +++ b/docker/services/mistral-api.yaml @@ -61,13 +61,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerMistralConfigImage} ] kolla_config: - /var/lib/kolla/config_files/mistral_api.json: - command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/api.log --server=api - config_files: - - dest: /etc/mistral/mistral.conf - owner: mistral - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/mistral/mistral.conf + /var/lib/kolla/config_files/mistral_api.json: + command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/api.log --server=api docker_config: step_3: mistral_db_sync: @@ -83,8 +78,6 @@ outputs: - /var/lib/config-data/mistral/etc/:/etc/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS command: ['mistral-db-manage', '--config-file', '/etc/mistral/mistral.conf', 'upgrade', 'head'] mistral_db_populate: start_order: 2 @@ -96,8 +89,6 @@ outputs: - /var/lib/config-data/mistral/etc/:/etc/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS # NOTE: dprince this requires that we install openstack-tripleo-common into # the Mistral API image so that we get tripleo* actions command: ['mistral-db-manage', '--config-file', '/etc/mistral/mistral.conf', 'populate'] @@ -110,7 +101,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/mistral_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/mistral/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/mistral/etc/mistral/:/etc/mistral/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/mistral-engine.yaml b/docker/services/mistral-engine.yaml index db2721bd..feecd5d7 100644 --- a/docker/services/mistral-engine.yaml +++ b/docker/services/mistral-engine.yaml @@ -62,13 +62,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerMistralConfigImage} ] kolla_config: - /var/lib/kolla/config_files/mistral_engine.json: - command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/engine.log --server=engine - config_files: - - dest: /etc/mistral/mistral.conf - owner: mistral - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/mistral/mistral.conf + /var/lib/kolla/config_files/mistral_engine.json: + command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/engine.log --server=engine docker_config: step_4: mistral_engine: @@ -82,7 +77,7 @@ outputs: volumes: - /run:/run - /var/lib/kolla/config_files/mistral_engine.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/mistral/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/mistral/etc/mistral/:/etc/mistral/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: @@ -91,4 +86,3 @@ outputs: - name: Stop and disable mistral_engine service tags: step2 service: name=openstack-mistral-engine state=stopped enabled=no - diff --git a/docker/services/mistral-executor.yaml b/docker/services/mistral-executor.yaml index d68830ed..45fed7b2 100644 --- a/docker/services/mistral-executor.yaml +++ b/docker/services/mistral-executor.yaml @@ -62,13 +62,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerMistralConfigImage} ] kolla_config: - /var/lib/kolla/config_files/mistral_executor.json: - command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/executor.log --server=executor - config_files: - - dest: /etc/mistral/mistral.conf - owner: mistral - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/mistral/mistral.conf + /var/lib/kolla/config_files/mistral_executor.json: + command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/executor.log --server=executor docker_config: step_4: mistral_executor: @@ -80,11 +75,11 @@ outputs: privileged: false restart: always volumes: - - /run:/run - /var/lib/kolla/config_files/mistral_executor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/mistral/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/mistral/etc/mistral/:/etc/mistral/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro + - /run:/run # FIXME: this is required in order for Nova cells # initialization workflows on the Undercloud. Need to # exclude this on the overcloud for security reasons. diff --git a/docker/services/neutron-api.yaml b/docker/services/neutron-api.yaml index ed03de6c..c5001a30 100644 --- a/docker/services/neutron-api.yaml +++ b/docker/services/neutron-api.yaml @@ -62,17 +62,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] kolla_config: - /var/lib/kolla/config_files/neutron_api.json: - command: /usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini - config_files: - - dest: /etc/neutron/neutron.conf - owner: neutron - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/neutron/neutron.conf - - dest: /etc/neutron/plugin.ini - owner: neutron - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/neutron/plugins/ml2/ml2_conf.ini + /var/lib/kolla/config_files/neutron_api.json: + command: /usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini docker_config: step_3: neutron_db_sync: @@ -100,7 +91,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/neutron/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml index 9be13ad3..03fbf766 100644 --- a/docker/services/neutron-dhcp.yaml +++ b/docker/services/neutron-dhcp.yaml @@ -62,17 +62,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] kolla_config: - /var/lib/kolla/config_files/neutron_dhcp.json: - command: /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --log-file /var/log/neutron/dhcp-agent.log - config_files: - - dest: /etc/neutron/neutron.conf - owner: neutron - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/neutron/neutron.conf - - dest: /etc/neutron/dhcp_agent.ini - owner: neutron - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/neutron/dhcp_agent.ini + /var/lib/kolla/config_files/neutron_dhcp.json: + command: /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --log-file /var/log/neutron/dhcp-agent.log docker_config: step_4: neutron_dhcp: @@ -86,7 +77,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/neutron/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro - /etc/localtime:/etc/localtime:ro - /etc/hosts:/etc/hosts:ro - /lib/modules:/lib/modules:ro diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml index db4fa863..0b04b56d 100644 --- a/docker/services/neutron-l3.yaml +++ b/docker/services/neutron-l3.yaml @@ -59,30 +59,21 @@ outputs: - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] kolla_config: /var/lib/kolla/config_files/neutron-l3-agent.json: - command: /usr/bin/neutron-l3-agent --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/l3_agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini - config_files: - - dest: /etc/neutron/neutron.conf - owner: neutron - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/neutron/neutron.conf - - dest: /etc/neutron/l3_agent.ini - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/neutron/l3_agent.ini + command: /usr/bin/neutron-l3-agent --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/l3_agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini docker_config: step_4: neutronl3agent: image: list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronL3AgentImage} ] + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronL3AgentImage} ] net: host pid: host privileged: true restart: always volumes: - /var/lib/kolla/config_files/neutron-l3-agent.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/neutron:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro - /etc/localtime:/etc/localtime:ro - /lib/modules:/lib/modules:ro - /run:/run diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml index 4102693b..bea08e91 100644 --- a/docker/services/neutron-ovs-agent.yaml +++ b/docker/services/neutron-ovs-agent.yaml @@ -55,19 +55,6 @@ outputs: kolla_config: /var/lib/kolla/config_files/neutron-openvswitch-agent.json: command: /usr/bin/neutron-openvswitch-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini - config_files: - - dest: /etc/neutron/neutron.conf - owner: neutron - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/neutron/neutron.conf - - dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini - owner: neutron - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/neutron/plugins/ml2/openvswitch_agent.ini - - dest: /etc/neutron/plugins/ml2/ml2_conf.ini - owner: neutron - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/neutron/plugins/ml2/ml2_conf.ini docker_config: step_4: neutronovsagent: @@ -78,7 +65,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/neutron-openvswitch-agent.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/neutron:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro - /etc/localtime:/etc/localtime:ro - /lib/modules:/lib/modules:ro - /run:/run diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index e5c78d6c..97fafb09 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -50,7 +50,10 @@ outputs: - get_attr: [NovaApiBase, role_data, config_settings] - apache::default_vhost: false step_config: &step_config - get_attr: [NovaApiBase, role_data, step_config] + list_join: + - "\n" + - - "['Nova_cell_v2'].each |String $val| { noop_resource($val) }" + - {get_attr: [NovaApiBase, role_data, step_config]} service_config_settings: {get_attr: [NovaApiBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: @@ -62,13 +65,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerNovaConfigImage} ] kolla_config: - /var/lib/kolla/config_files/nova_api.json: - command: /usr/bin/nova-api - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf + /var/lib/kolla/config_files/nova_api.json: + command: /usr/bin/nova-api docker_config: step_3: nova_api_db_sync: @@ -129,7 +127,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/nova_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index 957eed7f..eefcb367 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -55,16 +55,7 @@ outputs: - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] kolla_config: /var/lib/kolla/config_files/nova-compute.json: - command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf - - dest: /etc/nova/rootwrap.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/rootwrap.conf + command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf docker_config: # FIXME: run discover hosts here step_4: @@ -76,7 +67,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/nova-compute.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova_libvirt:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro - /dev:/dev - /etc/iscsi:/etc/iscsi - /etc/localtime:/etc/localtime:ro diff --git a/docker/services/nova-conductor.yaml b/docker/services/nova-conductor.yaml index f85cf546..b7a1d742 100644 --- a/docker/services/nova-conductor.yaml +++ b/docker/services/nova-conductor.yaml @@ -60,13 +60,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerNovaConfigImage} ] kolla_config: - /var/lib/kolla/config_files/nova_conductor.json: - command: /usr/bin/nova-conductor - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf + /var/lib/kolla/config_files/nova_conductor.json: + command: /usr/bin/nova-conductor docker_config: step_4: nova_conductor: @@ -78,11 +73,11 @@ outputs: privileged: false restart: always volumes: - - /run:/run - /var/lib/kolla/config_files/nova_conductor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro + - /run:/run environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS upgrade_tasks: diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml index 3d849f59..9941abda 100644 --- a/docker/services/nova-ironic.yaml +++ b/docker/services/nova-ironic.yaml @@ -58,15 +58,6 @@ outputs: kolla_config: /var/lib/kolla/config_files/nova_ironic.json: command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf - - dest: /etc/nova/rootwrap.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/rootwrap.conf docker_config: step_5: novacompute: @@ -80,7 +71,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/nova_ironic.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro - /etc/localtime:/etc/localtime:ro - /run:/run - /dev:/dev diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index 480bb80e..15cee597 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -60,12 +60,7 @@ outputs: - [ {get_param: DockerNamespace}, {get_param: DockerNovaConfigImage} ] kolla_config: /var/lib/kolla/config_files/nova-libvirt.json: - command: /usr/sbin/libvirtd --config /etc/libvirt/libvirtd.conf - config_files: - - dest: /etc/libvirt/libvirtd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/libvirt/libvirtd.conf + command: /usr/sbin/libvirtd --config /etc/libvirt/libvirtd.conf docker_config: step_3: nova_libvirt: @@ -79,10 +74,10 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/nova-libvirt.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova_libvirt:/var/lib/kolla/config_files/src:ro - - /dev:/dev + - /var/lib/config-data/nova_libvirt/etc/libvirt/:/etc/libvirt/:ro - /etc/localtime:/etc/localtime:ro - /lib/modules:/lib/modules:ro + - /dev:/dev - /run:/run - /sys/fs/cgroup:/sys/fs/cgroup - /var/lib/nova:/var/lib/nova diff --git a/docker/services/nova-placement.yaml b/docker/services/nova-placement.yaml index e49839b5..0c595dc2 100644 --- a/docker/services/nova-placement.yaml +++ b/docker/services/nova-placement.yaml @@ -58,35 +58,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerNovaPlacementImage} ] kolla_config: - /var/lib/kolla/config_files/nova_placement.json: - command: /usr/sbin/httpd -DFOREGROUND - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf - - dest: /etc/httpd/conf.d/10-placement_wsgi.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-placement_wsgi.conf - # puppet generates a stubbed out version of the stock one so we - # copy it in to overwrite the existing one - - dest: /etc/httpd/conf.d/00-nova-placement-api.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/00-nova-placement-api.conf - - dest: /etc/httpd/conf/httpd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf - - dest: /etc/httpd/conf/ports.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf - - dest: /var/www/cgi-bin/nova/nova-placement-api - owner: nova - perm: '0644' - source: /var/lib/kolla/config_files/src/var/www/cgi-bin/nova/nova-placement-api + /var/lib/kolla/config_files/nova_placement.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: # start this early so it is up before computes start reporting step_3: @@ -98,8 +71,9 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/nova_placement.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova_placement/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/nova_placement/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro + - /var/lib/config-data/nova_placement/etc/nova/:/etc/nova/:ro + - /var/lib/config-data/nova_placement/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/nova_placement/var/www/:/var/www/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/nova-scheduler.yaml b/docker/services/nova-scheduler.yaml index de1199e1..e6f4896b 100644 --- a/docker/services/nova-scheduler.yaml +++ b/docker/services/nova-scheduler.yaml @@ -59,13 +59,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerNovaConfigImage} ] kolla_config: - /var/lib/kolla/config_files/nova_scheduler.json: - command: /usr/bin/nova-scheduler - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf + /var/lib/kolla/config_files/nova_scheduler.json: + command: /usr/bin/nova-scheduler docker_config: step_4: nova_scheduler: @@ -77,11 +72,11 @@ outputs: privileged: false restart: always volumes: - - /run:/run - /var/lib/kolla/config_files/nova_scheduler.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro + - /run:/run environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS upgrade_tasks: diff --git a/docker/services/panko-api.yaml b/docker/services/panko-api.yaml index 32efc5d7..f4f1f7b0 100644 --- a/docker/services/panko-api.yaml +++ b/docker/services/panko-api.yaml @@ -58,29 +58,8 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerPankoApiImage} ] kolla_config: - /var/lib/kolla/config_files/panko-api.json: - command: /usr/sbin/httpd -DFOREGROUND - config_files: - - dest: /etc/httpd/conf.d/10-panko_wsgi.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-panko_wsgi.conf - - dest: /etc/httpd/conf/httpd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf - - dest: /etc/httpd/conf/ports.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf - - dest: /etc/panko/panko.conf - owner: panko - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/panko/panko.conf - - dest: /var/www/cgi-bin/panko/app - owner: panko - perm: '0644' - source: /var/lib/kolla/config_files/src/var/www/cgi-bin/panko/app + /var/lib/kolla/config_files/panko-api.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: step_3: panko-init-log: @@ -111,8 +90,9 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/panko-api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/panko/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/panko/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro + - /var/lib/config-data/panko/etc/panko/:/etc/panko/:ro + - /var/lib/config-data/panko/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/panko/var/www/:/var/www/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/docker/services/rabbitmq.yaml b/docker/services/rabbitmq.yaml index 341ec3de..9d5a52a6 100644 --- a/docker/services/rabbitmq.yaml +++ b/docker/services/rabbitmq.yaml @@ -61,23 +61,6 @@ outputs: kolla_config: /var/lib/kolla/config_files/rabbitmq.json: command: /usr/lib/rabbitmq/bin/rabbitmq-server - config_files: - - dest: /etc/rabbitmq/rabbitmq.config - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/rabbitmq/rabbitmq.config - - dest: /etc/rabbitmq/enabled_plugins - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/rabbitmq/enabled_plugins - - dest: /etc/rabbitmq/rabbitmq-env.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/rabbitmq/rabbitmq-env.conf - - dest: /etc/rabbitmq/rabbitmqadmin.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/rabbitmq/rabbitmqadmin.conf docker_config: step_1: rabbitmq_bootstrap: @@ -87,7 +70,7 @@ outputs: privileged: false volumes: - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/rabbitmq/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /var/lib/rabbitmq:/var/lib/rabbitmq @@ -113,7 +96,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/rabbitmq/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /var/lib/rabbitmq:/var/lib/rabbitmq diff --git a/docker/services/services.yaml b/docker/services/services.yaml index 84c56b5b..21387c9b 100644 --- a/docker/services/services.yaml +++ b/docker/services/services.yaml @@ -89,3 +89,5 @@ outputs: # Note we use distinct() here to filter any identical tasks, e.g yum update for all services expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct() data: {get_attr: [ServiceChain, role_data]} + service_metadata_settings: + get_attr: [PuppetServices, role_data, service_metadata_settings] diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml index 0d7cd7b9..e60aca12 100644 --- a/docker/services/swift-proxy.yaml +++ b/docker/services/swift-proxy.yaml @@ -64,10 +64,10 @@ outputs: net: host user: swift restart: always - # I'm mounting /etc/swift as rw. Are the rings written to at all during runtime? volumes: - /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift:/var/lib/kolla/config_files/src:ro + # FIXME I'm mounting /etc/swift as rw. Are the rings written to + # at all during runtime? - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro diff --git a/docker/services/swift-storage.yaml b/docker/services/swift-storage.yaml index 301ef69b..cccddb46 100644 --- a/docker/services/swift-storage.yaml +++ b/docker/services/swift-storage.yaml @@ -115,7 +115,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_account_auditor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -131,7 +130,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_account_reaper.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -146,7 +144,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_account_replicator.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -161,7 +158,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_account_server.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -179,7 +175,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_container_auditor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -194,7 +189,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_container_replicator.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -209,7 +203,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_container_updater.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -224,7 +217,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_container_server.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -242,7 +234,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_object_auditor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -257,7 +248,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_object_expirer.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -272,7 +262,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_object_replicator.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -287,7 +276,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_object_updater.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro @@ -302,7 +290,6 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/swift_object_server.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml index 3ec819e0..21aff31a 100644 --- a/docker/services/zaqar.yaml +++ b/docker/services/zaqar.yaml @@ -57,22 +57,8 @@ outputs: kolla_config: /var/lib/kolla/config_files/zaqar.json: command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf - config_files: - - dest: /etc/zaqar/zaqar.conf - owner: zaqar - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/zaqar/zaqar.conf /var/lib/kolla/config_files/zaqar_websocket.json: command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf - config_files: - - dest: /etc/zaqar/zaqar.conf - owner: zaqar - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/zaqar/zaqar.conf - - dest: /etc/zaqar/1.conf - owner: zaqar - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/zaqar/1.conf docker_config: step_4: zaqar: @@ -82,7 +68,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/zaqar/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: @@ -94,7 +80,7 @@ outputs: restart: always volumes: - /var/lib/kolla/config_files/zaqar_websocket.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/zaqar/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: diff --git a/environments/contrail/contrail-net.yaml b/environments/contrail/contrail-net.yaml index 1e64f91d..cca9beac 100644 --- a/environments/contrail/contrail-net.yaml +++ b/environments/contrail/contrail-net.yaml @@ -8,7 +8,7 @@ resource_registry: parameter_defaults: ControlPlaneSubnetCidr: '24' - ControlPlaneDefaultRoute: 192.0.2.254 + ControlPlaneDefaultRoute: 192.168.24.254 InternalApiNetCidr: 10.0.0.0/24 InternalApiAllocationPools: [{'start': '10.0.0.10', 'end': '10.0.0.200'}] InternalApiDefaultRoute: 10.0.0.1 @@ -17,7 +17,7 @@ parameter_defaults: ManagementInterfaceDefaultRoute: 10.1.0.1 ExternalNetCidr: 10.2.0.0/24 ExternalAllocationPools: [{'start': '10.2.0.10', 'end': '10.2.0.200'}] - EC2MetadataIp: 192.0.2.1 # Generally the IP of the Undercloud + EC2MetadataIp: 192.168.24.1 # Generally the IP of the Undercloud DnsServers: ["8.8.8.8","8.8.4.4"] VrouterPhysicalInterface: eth1 VrouterGateway: 10.0.0.1 diff --git a/environments/external-loadbalancer-vip-v6.yaml b/environments/external-loadbalancer-vip-v6.yaml index fbd1fb98..bd455175 100644 --- a/environments/external-loadbalancer-vip-v6.yaml +++ b/environments/external-loadbalancer-vip-v6.yaml @@ -13,7 +13,7 @@ parameter_defaults: # to control your VIPs (currently one per network) # NOTE: we will eventually move to one VIP per service # - ControlFixedIPs: [{'ip_address':'192.0.2.251'}] + ControlFixedIPs: [{'ip_address':'192.168.24.251'}] PublicVirtualFixedIPs: [{'ip_address':'2001:db8:fd00:1000:0000:0000:0000:0005'}] InternalApiVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:2000:0000:0000:0000:0005'}] StorageVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:3000:0000:0000:0000:0005'}] diff --git a/environments/external-loadbalancer-vip.yaml b/environments/external-loadbalancer-vip.yaml index 1759c04c..dec9b835 100644 --- a/environments/external-loadbalancer-vip.yaml +++ b/environments/external-loadbalancer-vip.yaml @@ -12,7 +12,7 @@ parameter_defaults: # to control your VIPs (currently one per network) # NOTE: we will eventually move to one VIP per service # - ControlFixedIPs: [{'ip_address':'192.0.2.251'}] + ControlFixedIPs: [{'ip_address':'192.168.24.251'}] PublicVirtualFixedIPs: [{'ip_address':'10.0.0.251'}] InternalApiVirtualFixedIPs: [{'ip_address':'172.16.2.251'}] StorageVirtualFixedIPs: [{'ip_address':'172.16.1.251'}] diff --git a/environments/hyperconverged-ceph.yaml b/environments/hyperconverged-ceph.yaml index 8f74ec35..f1c90e2d 100644 --- a/environments/hyperconverged-ceph.yaml +++ b/environments/hyperconverged-ceph.yaml @@ -13,6 +13,7 @@ parameter_defaults: - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::Kernel @@ -32,3 +33,4 @@ parameter_defaults: - OS::TripleO::Services::CephOSD - OS::TripleO::Services::Vpp - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::Docker diff --git a/environments/logging-environment.yaml b/environments/logging-environment.yaml index c583ca79..ae8bd7b9 100644 --- a/environments/logging-environment.yaml +++ b/environments/logging-environment.yaml @@ -18,7 +18,7 @@ resource_registry: ## (note the use of port 24284 for ssl connections) # # LoggingServers: -# - host: 192.0.2.11 +# - host: 192.168.24.11 # port: 24284 # LoggingUsesSSL: true # LoggingSharedKey: secret diff --git a/environments/major-upgrade-all-in-one.yaml b/environments/major-upgrade-all-in-one.yaml deleted file mode 100644 index 4283b212..00000000 --- a/environments/major-upgrade-all-in-one.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resource_registry: - OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml diff --git a/environments/major-upgrade-composable-steps-docker.yaml b/environments/major-upgrade-composable-steps-docker.yaml index 5fa2f2d8..40da726d 100644 --- a/environments/major-upgrade-composable-steps-docker.yaml +++ b/environments/major-upgrade-composable-steps-docker.yaml @@ -4,6 +4,7 @@ resource_registry: # enough (as we want to share the ansible tasks steps etc) OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml parameter_defaults: + EnableConfigPurge: false UpgradeLevelNovaCompute: auto UpgradeInitCommonCommand: | #!/bin/bash diff --git a/environments/major-upgrade-composable-steps.yaml b/environments/major-upgrade-composable-steps.yaml index 9ecc2251..8b1617f9 100644 --- a/environments/major-upgrade-composable-steps.yaml +++ b/environments/major-upgrade-composable-steps.yaml @@ -1,13 +1,13 @@ resource_registry: OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml parameter_defaults: + EnableConfigPurge: true UpgradeLevelNovaCompute: auto UpgradeInitCommonCommand: | #!/bin/bash # Newton to Ocata, we need to remove old hiera hook data and # install ansible heat agents and ansible-pacemaker set -eu - yum install -y openstack-heat-agents yum install -y python-heat-agent-* yum install -y ansible-pacemaker rm -f /usr/libexec/os-apply-config/templates/etc/puppet/hiera.yaml diff --git a/environments/major-upgrade-converge-docker.yaml b/environments/major-upgrade-converge-docker.yaml index 463206f1..a3816b50 100644 --- a/environments/major-upgrade-converge-docker.yaml +++ b/environments/major-upgrade-converge-docker.yaml @@ -3,5 +3,6 @@ resource_registry: OS::TripleO::PostDeploySteps: ../docker/post.yaml parameter_defaults: + EnableConfigPurge: false UpgradeLevelNovaCompute: '' UpgradeInitCommonCommand: '' diff --git a/environments/major-upgrade-converge.yaml b/environments/major-upgrade-converge.yaml index f09fb20e..4e8bf46b 100644 --- a/environments/major-upgrade-converge.yaml +++ b/environments/major-upgrade-converge.yaml @@ -3,5 +3,6 @@ resource_registry: OS::TripleO::PostDeploySteps: ../puppet/post.yaml parameter_defaults: + EnableConfigPurge: false UpgradeLevelNovaCompute: '' UpgradeInitCommonCommand: '' diff --git a/environments/network-environment.yaml b/environments/network-environment.yaml index 210b6b03..3de5dba5 100644 --- a/environments/network-environment.yaml +++ b/environments/network-environment.yaml @@ -18,8 +18,8 @@ parameter_defaults: # CIDR subnet mask length for provisioning network ControlPlaneSubnetCidr: '24' # Gateway router for the provisioning network (or Undercloud IP) - ControlPlaneDefaultRoute: 192.0.2.254 - EC2MetadataIp: 192.0.2.1 # Generally the IP of the Undercloud + ControlPlaneDefaultRoute: 192.168.24.254 + EC2MetadataIp: 192.168.24.1 # Generally the IP of the Undercloud # Customize the IP subnets to match the local environment InternalApiNetCidr: 172.17.0.0/24 StorageNetCidr: 172.18.0.0/24 diff --git a/environments/neutron-bgpvpn.yaml b/environments/neutron-bgpvpn.yaml index dc6c1454..2a632480 100644 --- a/environments/neutron-bgpvpn.yaml +++ b/environments/neutron-bgpvpn.yaml @@ -9,8 +9,8 @@ # - OpenDaylight: BGPVPN:OpenDaylight:networking_bgpvpn.neutron.services.service_drivers.opendaylight.odl.OpenDaylightBgpvpnDriver:default # - Nuage: BGPVPN:Nuage:nuage_neutron.bgpvpn.services.service_drivers.driver.NuageBGPVPNDriver:default resource_registry: - OS::TripleO::Services::NeutronBgpvpnApi: ../puppet/services/neutron-bgpvpn-api.yaml + OS::TripleO::Services::NeutronBgpVpnApi: ../puppet/services/neutron-bgpvpn-api.yaml parameter_defaults: - NeutronServicePlugins: 'networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin' + NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin' BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default' diff --git a/environments/neutron-l2gw-api.yaml b/environments/neutron-l2gw-api.yaml new file mode 100644 index 00000000..09894671 --- /dev/null +++ b/environments/neutron-l2gw-api.yaml @@ -0,0 +1,20 @@ +# A Heat environment file that can be used to deploy Neutron L2 Gateway service +# +# Currently there are only two service provider for Neutron L2 Gateway +# The default option is a dummy driver that allows to enable the API. +# In order to enable other backend, replace the content of L2gwServiceProvider +# +# - L2 gateway agent: L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.rpc_l2gw.L2gwRpcDriver:default +# - OpenDaylight: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default +resource_registry: + OS::TripleO::Services::NeutronL2gwApi: ../puppet/services/neutron-l2gw-api.yaml + +parameter_defaults: + NeutronServicePlugins: "networking_l2gw.services.l2gateway.plugin.L2GatewayPlugin" + L2gwServiceProvider: ["L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default"] + + # Optional + # L2gwServiceDefaultInterfaceName: + # L2gwServiceDefaultDeviceName: + # L2gwServiceQuotaL2Gateway: + # L2gwServicePeriodicMonitoringInterval: diff --git a/environments/neutron-ml2-bigswitch.yaml b/environments/neutron-ml2-bigswitch.yaml index 750d3c4e..8a4a144c 100644 --- a/environments/neutron-ml2-bigswitch.yaml +++ b/environments/neutron-ml2-bigswitch.yaml @@ -3,12 +3,17 @@ resource_registry: OS::TripleO::ControllerExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/neutron-ml2-bigswitch.yaml OS::TripleO::ComputeExtraConfigPre: ../puppet/extraconfig/pre_deploy/compute/neutron-ml2-bigswitch.yaml + OS::TripleO::NeutronBigswitchAgent: ../puppet/services/neutron-bigswitch-agent.yaml + OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None + OS::TripleO::Services::NeutronL3Agent: OS::Heat::None parameter_defaults: # Required to fill in: NeutronBigswitchRestproxyServers: NeutronBigswitchRestproxyServerAuth: - NeutronMechanismDrivers: bsn_ml2 + NeutronMechanismDrivers: openvswitch,bsn_ml2 + NeutronServicePlugins: bsn_l3,bsn_service_plugin + KeystoneNotificationDriver: messaging # Optional: # NeutronBigswitchRestproxyAutoSyncOnFailure: @@ -19,3 +24,9 @@ parameter_defaults: # NeutronBigswitchAgentEnabled: # NeutronBigswitchLLDPEnabled: + ControllerExtraConfig: + neutron::agents::l3::enabled: false + neutron::agents::dhcp::enable_force_metadata: true + neutron::agents::dhcp::enable_isolated_metadata: true + neutron::agents::dhcp::enable_metadata_network: false + neutron::server::l3_ha: false diff --git a/environments/neutron-ml2-cisco-n1kv.yaml b/environments/neutron-ml2-cisco-n1kv.yaml index 651e9564..8d46e1ca 100644 --- a/environments/neutron-ml2-cisco-n1kv.yaml +++ b/environments/neutron-ml2-cisco-n1kv.yaml @@ -5,7 +5,7 @@ resource_registry: OS::TripleO::ComputeExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml parameter_defaults: - N1000vVSMIP: '192.0.2.50' - N1000vMgmtGatewayIP: '192.0.2.1' + N1000vVSMIP: '192.168.24.50' + N1000vMgmtGatewayIP: '192.168.24.1' N1000vVSMDomainID: '100' N1000vVSMHostMgmtIntf: 'br-ex' diff --git a/environments/neutron-nuage-config.yaml b/environments/neutron-nuage-config.yaml index 74899246..601554a1 100644 --- a/environments/neutron-nuage-config.yaml +++ b/environments/neutron-nuage-config.yaml @@ -10,7 +10,6 @@ resource_registry: OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-nuage.yaml parameter_defaults: - NeutronNuageOSControllerIp: '0.0.0.0' NeutronNuageNetPartitionName: 'default_name' NeutronNuageVSDIp: '0.0.0.0:0' NeutronNuageVSDUsername: 'username' diff --git a/environments/neutron-opendaylight.yaml b/environments/neutron-opendaylight.yaml index ed7292b7..4644725d 100644 --- a/environments/neutron-opendaylight.yaml +++ b/environments/neutron-opendaylight.yaml @@ -3,6 +3,7 @@ resource_registry: OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None OS::TripleO::Services::ComputeNeutronCorePlugin: OS::Heat::None + OS::TripleO::Services::NeutronCorePlugin: ../puppet/services/neutron-plugin-ml2-odl.yaml OS::TripleO::Services::OpenDaylightApi: ../puppet/services/opendaylight-api.yaml OS::TripleO::Services::OpenDaylightOvs: ../puppet/services/opendaylight-ovs.yaml OS::TripleO::Services::NeutronL3Agent: OS::Heat::None diff --git a/environments/nova-api-policy.yaml b/environments/nova-api-policy.yaml new file mode 100644 index 00000000..681bd010 --- /dev/null +++ b/environments/nova-api-policy.yaml @@ -0,0 +1,10 @@ +# A Heat environment file which can be used to configure access policies for +# Nova API resources. It is here for example and doesn't cover all services +# but just Nova here. +# While recipes for editing policy.json files is supported, modifying the +# policy can have unexpected side effects and is not encouraged. + +parameter_defaults: + # The target is "compute:get_all", the "list all instances" API of the Compute service. + # The rule is an empty string meaning "always". This policy allows anybody to list instances. + NovaApiPolicies: { nova-context_is_admin: { key: 'compute:get_all', value: '' } } diff --git a/environments/securetty.yaml b/environments/securetty.yaml new file mode 100644 index 00000000..cdadf376 --- /dev/null +++ b/environments/securetty.yaml @@ -0,0 +1,12 @@ +resource_registry: + OS::TripleO::Services::Securetty: ../puppet/services/securetty.yaml + +parameter_defaults: + TtyValues: + - console + - tty1 + - tty2 + - tty3 + - tty4 + - tty5 + - tty6 diff --git a/environments/services/ceilometer-api.yaml b/environments/services/ceilometer-api.yaml new file mode 100644 index 00000000..1e37e73b --- /dev/null +++ b/environments/services/ceilometer-api.yaml @@ -0,0 +1,6 @@ +resource_registry: + OS::TripleO::Services::CeilometerApi: ../../puppet/services/ceilometer-api.yaml + +parameter_defaults: + CeilometerApiEndpoint: true + diff --git a/environments/services/disable-ceilometer-api.yaml b/environments/services/disable-ceilometer-api.yaml deleted file mode 100644 index 94cd8d5d..00000000 --- a/environments/services/disable-ceilometer-api.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resource_registry: - OS::TripleO::Services::CeilometerApi: OS::Heat::None diff --git a/environments/services/keystone_domain_specific_ldap_backend.yaml b/environments/services/keystone_domain_specific_ldap_backend.yaml new file mode 100644 index 00000000..3cc9c7b7 --- /dev/null +++ b/environments/services/keystone_domain_specific_ldap_backend.yaml @@ -0,0 +1,18 @@ +# This is an example template on how to configure keystone domain specific LDAP +# backends. This will configure a domain called tripleoldap will the attributes +# specified. +parameter_defaults: + KeystoneLDAPDomainEnable: true + KeystoneLDAPBackendConfigs: + tripleoldap: + url: ldap://192.168.24.251 + user: cn=openstack,ou=Users,dc=tripleo,dc=example,dc=com + password: Secrete + suffix: dc=tripleo,dc=example,dc=com + user_tree_dn: ou=Users,dc=tripleo,dc=example,dc=com + user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=tripleo,dc=example,dc=com)" + user_objectclass: person + user_id_attribute: cn + user_allow_create: false + user_allow_update: false + user_allow_delete: false diff --git a/environments/services/qdr.yaml b/environments/services/qdr.yaml new file mode 100644 index 00000000..e4ad87bd --- /dev/null +++ b/environments/services/qdr.yaml @@ -0,0 +1,2 @@ +resource_registry: + OS::TripleO::Services::Qdr: ../../puppet/services/qdr.yaml diff --git a/environments/updates/update-from-192_0_2-subnet.yaml b/environments/updates/update-from-192_0_2-subnet.yaml new file mode 100644 index 00000000..1813e7be --- /dev/null +++ b/environments/updates/update-from-192_0_2-subnet.yaml @@ -0,0 +1,3 @@ +parameter_defaults: + ControlPlaneDefaultRoute: 192.0.2.1 + EC2MetadataIp: 192.0.2.1 diff --git a/extraconfig/nova_metadata/krb-service-principals.yaml b/extraconfig/nova_metadata/krb-service-principals.yaml index c66e6460..56d3cbc0 100644 --- a/extraconfig/nova_metadata/krb-service-principals.yaml +++ b/extraconfig/nova_metadata/krb-service-principals.yaml @@ -46,7 +46,7 @@ resources: # Filter null values and values that contain don't contain # 'metadata_settings', get the values from that key and get the # unique ones. - expression: list($.data.where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct()) + expression: list(coalesce($.data, []).where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct()) data: {get_param: RoleData} # Generates entries for nova metadata with the following format: @@ -57,7 +57,7 @@ resources: properties: value: yaql: - expression: let(fqdns => $.data.fqdns) -> dict($.data.metadata.where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))])) + expression: let(fqdns => $.data.fqdns) -> dict(coalesce($.data.metadata, []).where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))])) data: metadata: {get_attr: [IncomingMetadataSettings, value]} fqdns: @@ -72,7 +72,7 @@ resources: properties: value: yaql: - expression: dict($.data.where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1])) + expression: dict(coalesce($.data, []).where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1])) data: {get_attr: [IncomingMetadataSettings, value]} outputs: diff --git a/extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration b/extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration index 0d0fa3f1..d14ed73f 100644 --- a/extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration +++ b/extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration @@ -240,7 +240,6 @@ case "${REG_METHOD:-}" in retry subscription-manager $repos retry yum install -y katello-agent || true # needed for errata reporting to satellite6 katello-package-upload - retry subscription-manager repos --disable ${satellite_repo} else pushd /usr/share/rhn/ curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -k -O $REG_SAT_URL/pub/RHN-ORG-TRUSTED-SSL-CERT diff --git a/extraconfig/tasks/pacemaker_common_functions.sh b/extraconfig/tasks/pacemaker_common_functions.sh index aae4a2de..4480f74d 100755 --- a/extraconfig/tasks/pacemaker_common_functions.sh +++ b/extraconfig/tasks/pacemaker_common_functions.sh @@ -299,9 +299,10 @@ function systemctl_swift { } # Special-case OVS for https://bugs.launchpad.net/tripleo/+bug/1635205 +# Update condition and add --notriggerun for +bug/1669714 function special_case_ovs_upgrade_if_needed { - if [[ -n $(rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep "systemctl.*try-restart") ]]; then - echo "Manual upgrade of openvswitch - restart in postun detected" + if rpm -qa | grep "^openvswitch-2.5.0-14" || rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep "systemctl.*try-restart" ; then + echo "Manual upgrade of openvswitch - ovs-2.5.0-14 or restart in postun detected" rm -rf OVS_UPGRADE mkdir OVS_UPGRADE && pushd OVS_UPGRADE echo "Attempting to downloading latest openvswitch with yumdownloader" @@ -310,8 +311,8 @@ function special_case_ovs_upgrade_if_needed { if rpm -U --test $pkg 2>&1 | grep "already installed" ; then echo "Looks like newer version of $pkg is already installed, skipping" else - echo "Updating $pkg with nopostun option" - rpm -U --replacepkgs --nopostun $pkg + echo "Updating $pkg with --nopostun --notriggerun" + rpm -U --replacepkgs --nopostun --notriggerun $pkg fi done popd diff --git a/extraconfig/tasks/swift-ring-deploy.yaml b/extraconfig/tasks/swift-ring-deploy.yaml deleted file mode 100644 index d17f78ae..00000000 --- a/extraconfig/tasks/swift-ring-deploy.yaml +++ /dev/null @@ -1,31 +0,0 @@ -heat_template_version: ocata - -parameters: - servers: - type: json - SwiftRingGetTempurl: - default: '' - description: A temporary Swift URL to download rings from. - type: string - -resources: - SwiftRingDeployConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - inputs: - - name: swift_ring_get_tempurl - config: | - #!/bin/sh - pushd / - curl --insecure --silent "${swift_ring_get_tempurl}" | tar xz || true - popd - - SwiftRingDeploy: - type: OS::Heat::SoftwareDeployments - properties: - name: SwiftRingDeploy - config: {get_resource: SwiftRingDeployConfig} - servers: {get_param: servers} - input_values: - swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl} diff --git a/extraconfig/tasks/swift-ring-update.yaml b/extraconfig/tasks/swift-ring-update.yaml deleted file mode 100644 index 440c6883..00000000 --- a/extraconfig/tasks/swift-ring-update.yaml +++ /dev/null @@ -1,42 +0,0 @@ -heat_template_version: ocata - -parameters: - servers: - type: json - SwiftRingPutTempurl: - default: '' - description: A temporary Swift URL to upload rings to. - type: string - -resources: - SwiftRingUpdateConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - inputs: - - name: swift_ring_put_tempurl - config: | - #!/bin/sh - TMP_DATA=$(mktemp -d) - function cleanup { - rm -Rf "$TMP_DATA" - } - trap cleanup EXIT - # sanity check in case rings are not consistent within cluster - swift-recon --md5 | grep -q "doesn't match" && exit 1 - pushd ${TMP_DATA} - tar -cvzf swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/* - resp=`curl --insecure --silent -X PUT "${swift_ring_put_tempurl}" --write-out "%{http_code}" --data-binary @swift-rings.tar.gz` - popd - if [ "$resp" != "201" ]; then - exit 1 - fi - - SwiftRingUpdate: - type: OS::Heat::SoftwareDeployments - properties: - name: SwiftRingUpdate - config: {get_resource: SwiftRingUpdateConfig} - servers: {get_param: servers} - input_values: - swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl} diff --git a/extraconfig/tasks/tripleo_upgrade_node.sh b/extraconfig/tasks/tripleo_upgrade_node.sh index 24211ab0..a5a312dc 100644 --- a/extraconfig/tasks/tripleo_upgrade_node.sh +++ b/extraconfig/tasks/tripleo_upgrade_node.sh @@ -28,12 +28,15 @@ SCRIPT_NAME=$(basename $0) $(declare -f log_debug) $(declare -f manage_systemd_service) $(declare -f systemctl_swift) +$(declare -f special_case_ovs_upgrade_if_needed) # pin nova messaging +-1 for the nova-compute service if [[ -n \$NOVA_COMPUTE ]]; then crudini --set /etc/nova/nova.conf upgrade_levels compute auto fi +special_case_ovs_upgrade_if_needed + if [[ -n \$SWIFT_STORAGE ]]; then systemctl_swift stop fi diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh index 3bf72f14..ad368278 100755 --- a/extraconfig/tasks/yum_update.sh +++ b/extraconfig/tasks/yum_update.sh @@ -70,6 +70,9 @@ if [[ "$pacemaker_status" == "active" && \ fi fi +# special case https://bugs.launchpad.net/tripleo/+bug/1635205 +bug/1669714 +special_case_ovs_upgrade_if_needed + if [[ "$pacemaker_status" == "active" ]] ; then echo "Pacemaker running, stopping cluster node and doing full package update" node_count=$(pcs status xml | grep -o "<nodes_configured.*/>" | grep -o 'number="[0-9]*"' | grep -o "[0-9]*") @@ -113,15 +116,19 @@ if [[ "$pacemaker_status" == "active" ]] ; then fi done - tstart=$(date +%s) - while ! clustercheck; do - sleep 5 - tnow=$(date +%s) - if (( tnow-tstart > galera_sync_timeout )) ; then - echo "ERROR galera sync timed out" - exit 1 - fi - done + RETVAL=$( pcs resource show galera-master | grep wsrep_cluster_address | grep -q `crm_node -n` ; echo $? ) + + if [[ $RETVAL -eq 0 && -e /etc/sysconfig/clustercheck ]]; then + tstart=$(date +%s) + while ! clustercheck; do + sleep 5 + tnow=$(date +%s) + if (( tnow-tstart > galera_sync_timeout )) ; then + echo "ERROR galera sync timed out" + exit 1 + fi + done + fi echo "Waiting for pacemaker cluster to settle" if ! timeout -k 10 $cluster_settle_timeout crm_resource --wait; then diff --git a/net-config-linux-bridge.yaml b/net-config-linux-bridge.yaml index 04664818..a544d547 100644 --- a/net-config-linux-bridge.yaml +++ b/net-config-linux-bridge.yaml @@ -33,7 +33,7 @@ parameters: ControlPlaneDefaultRoute: # Override this via parameter_defaults description: The default route of the control plane network. type: string - default: 192.0.2.1 + default: 192.168.24.1 EC2MetadataIp: # Override this via parameter_defaults description: The IP address of the EC2 metadata server. type: string diff --git a/network/endpoints/endpoint_data.yaml b/network/endpoints/endpoint_data.yaml index 277bd676..c92ce377 100644 --- a/network/endpoints/endpoint_data.yaml +++ b/network/endpoints/endpoint_data.yaml @@ -225,7 +225,6 @@ Keystone: net_param: KeystonePublicApi uri_suffixes: '': /v2.0 - EC2: /v2.0/ec2tokens V3: /v3 names: EC2: KeystoneEC2 diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml index fecac0af..b4fcbb17 100644 --- a/network/endpoints/endpoint_map.yaml +++ b/network/endpoints/endpoint_map.yaml @@ -6012,88 +6012,6 @@ outputs: template: NETWORK_uri - ':' - get_param: [EndpointMap, KeystoneAdmin, port] - KeystoneEC2: - host: - str_replace: - template: - get_param: [EndpointMap, KeystoneInternal, host] - params: - CLOUDNAME: - get_param: - - CloudEndpoints - - get_param: [ServiceNetMap, KeystonePublicApiNetwork] - IP_ADDRESS: - get_param: - - NetIpMap - - str_replace: - params: - NETWORK: - get_param: [ServiceNetMap, KeystonePublicApiNetwork] - template: NETWORK_uri - host_nobrackets: - str_replace: - template: - get_param: [EndpointMap, KeystoneInternal, host] - params: - CLOUDNAME: - get_param: - - CloudEndpoints - - get_param: [ServiceNetMap, KeystonePublicApiNetwork] - IP_ADDRESS: - get_param: - - NetIpMap - - get_param: [ServiceNetMap, KeystonePublicApiNetwork] - port: - get_param: [EndpointMap, KeystoneInternal, port] - protocol: - get_param: [EndpointMap, KeystoneInternal, protocol] - uri: - list_join: - - '' - - - get_param: [EndpointMap, KeystoneInternal, protocol] - - :// - - str_replace: - template: - get_param: [EndpointMap, KeystoneInternal, host] - params: - CLOUDNAME: - get_param: - - CloudEndpoints - - get_param: [ServiceNetMap, KeystonePublicApiNetwork] - IP_ADDRESS: - get_param: - - NetIpMap - - str_replace: - params: - NETWORK: - get_param: [ServiceNetMap, KeystonePublicApiNetwork] - template: NETWORK_uri - - ':' - - get_param: [EndpointMap, KeystoneInternal, port] - - /v2.0/ec2tokens - uri_no_suffix: - list_join: - - '' - - - get_param: [EndpointMap, KeystoneInternal, protocol] - - :// - - str_replace: - template: - get_param: [EndpointMap, KeystoneInternal, host] - params: - CLOUDNAME: - get_param: - - CloudEndpoints - - get_param: [ServiceNetMap, KeystonePublicApiNetwork] - IP_ADDRESS: - get_param: - - NetIpMap - - str_replace: - params: - NETWORK: - get_param: [ServiceNetMap, KeystonePublicApiNetwork] - template: NETWORK_uri - - ':' - - get_param: [EndpointMap, KeystoneInternal, port] KeystoneInternal: host: str_replace: diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml index a1042ebb..7fb9420c 100644 --- a/network/service_net_map.j2.yaml +++ b/network/service_net_map.j2.yaml @@ -67,6 +67,7 @@ parameters: HorizonNetwork: internal_api MemcachedNetwork: internal_api RabbitmqNetwork: internal_api + QdrNetwork: internal_api RedisNetwork: internal_api MysqlNetwork: internal_api CephClusterNetwork: storage_mgmt diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index b294d7cb..c0f5f7e5 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -11,9 +11,6 @@ resource_registry: OS::TripleO::Tasks::UpdateWorkflow: OS::Heat::None OS::TripleO::Tasks::PackageUpdate: extraconfig/tasks/yum_update.yaml - OS::TripleO::Tasks::SwiftRingDeploy: extraconfig/tasks/swift-ring-deploy.yaml - OS::TripleO::Tasks::SwiftRingUpdate: extraconfig/tasks/swift-ring-update.yaml - {% for role in roles %} OS::TripleO::{{role.name}}::PreNetworkConfig: OS::Heat::None OS::TripleO::{{role.name}}PostDeploySteps: puppet/post.yaml @@ -143,8 +140,9 @@ resource_registry: OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml OS::TripleO::Services::Kernel: puppet/services/kernel.yaml OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml - OS::TripleO::Services::NeutronBgpvpnApi: OS::Heat::None + OS::TripleO::Services::NeutronBgpVpnApi: OS::Heat::None OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml + OS::TripleO::Services::NeutronL2gwApi: OS::Heat::None OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml OS::TripleO::Services::NeutronMetadataAgent: puppet/services/neutron-metadata.yaml # FIXME(shardy) the duplicate NeutronServer line can be removed when we've updated @@ -168,6 +166,7 @@ resource_registry: OS::TripleO::Services::PacemakerRemote: OS::Heat::None OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml + OS::TripleO::Services::Qdr: OS::Heat::None OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None @@ -176,6 +175,7 @@ resource_registry: OS::TripleO::Services::SaharaApi: OS::Heat::None OS::TripleO::Services::SaharaEngine: OS::Heat::None OS::TripleO::Services::Sshd: OS::Heat::None + OS::TripleO::Services::Securetty: OS::Heat::None OS::TripleO::Services::Redis: puppet/services/database/redis.yaml OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml @@ -200,6 +200,7 @@ resource_registry: OS::TripleO::Services::CeilometerAgentCentral: puppet/services/ceilometer-agent-central.yaml OS::TripleO::Services::CeilometerAgentNotification: puppet/services/ceilometer-agent-notification.yaml OS::TripleO::Services::ComputeCeilometerAgent: puppet/services/ceilometer-agent-compute.yaml + OS::TripleO::Services::CeilometerAgentIpmi: puppet/services/ceilometer-agent-ipmi.yaml OS::TripleO::Services::Horizon: puppet/services/horizon.yaml #Gnocchi services OS::TripleO::Services::GnocchiApi: puppet/services/gnocchi-api.yaml diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml index 7b780112..a322a445 100644 --- a/overcloud.j2.yaml +++ b/overcloud.j2.yaml @@ -114,6 +114,11 @@ parameters: description: What interface to add to the HypervisorNeutronPhysicalBridge. type: string + NodeCreateBatchSize: + default: 30 + description: Maxiumum batch size for creating nodes + type: number + # Jinja loop for Role in role_data.yaml {% for role in roles %} # Parameters generated for {{role.name}} Role @@ -339,6 +344,9 @@ resources: {{role.name}}: type: OS::Heat::ResourceGroup depends_on: Networks + update_policy: + batch_create: + max_batch_size: {get_param: NodeCreateBatchSize} properties: count: {get_param: {{role.name}}Count} removal_policies: {get_param: {{role.name}}RemovalPolicies} @@ -398,7 +406,7 @@ resources: - {% for role in roles %} - list_join: - - "\n" + - "" - {get_attr: [{{role.name}}, hosts_entry]} {% endfor %} @@ -581,22 +589,22 @@ resources: - ' ' - - yaql: expression: coalesce($.data, []).first(null) - data: {get_attr: [Controller, external_ip_address]} + data: {get_attr: [{{primary_role_name}}, external_ip_address]} - yaql: expression: coalesce($.data, []).first(null) - data: {get_attr: [Controller, internal_api_ip_address]} + data: {get_attr: [{{primary_role_name}}, internal_api_ip_address]} - yaql: expression: coalesce($.data, []).first(null) - data: {get_attr: [Controller, storage_ip_address]} + data: {get_attr: [{{primary_role_name}}, storage_ip_address]} - yaql: expression: coalesce($.data, []).first(null) - data: {get_attr: [Controller, storage_mgmt_ip_address]} + data: {get_attr: [{{primary_role_name}}, storage_mgmt_ip_address]} - yaql: expression: coalesce($.data, []).first(null) - data: {get_attr: [Controller, tenant_ip_address]} + data: {get_attr: [{{primary_role_name}}, tenant_ip_address]} - yaql: expression: coalesce($.data, []).first(null) - data: {get_attr: [Controller, management_ip_address]} + data: {get_attr: [{{primary_role_name}}, management_ip_address]} UpdateWorkflow: type: OS::TripleO::Tasks::UpdateWorkflow diff --git a/puppet/config.role.j2.yaml b/puppet/config.role.j2.yaml index 7337d062..cdbc76f0 100644 --- a/puppet/config.role.j2.yaml +++ b/puppet/config.role.j2.yaml @@ -38,7 +38,7 @@ resources: - '' - list_join: - ',' - - ['file,concat,file_line', {get_param: PuppetTags}] + - ['file,concat,file_line,augeas', {get_param: PuppetTags}] outputs: - name: result inputs: diff --git a/puppet/extraconfig/pre_deploy/compute/neutron-ml2-bigswitch.yaml b/puppet/extraconfig/pre_deploy/compute/neutron-ml2-bigswitch.yaml index 533c0ee9..e3f4cce6 100644 --- a/puppet/extraconfig/pre_deploy/compute/neutron-ml2-bigswitch.yaml +++ b/puppet/extraconfig/pre_deploy/compute/neutron-ml2-bigswitch.yaml @@ -27,6 +27,15 @@ resources: mapped_data: neutron::agents::bigswitch::agent_enabled: {get_input: neutron_enable_bigswitch_agent} neutron::agents::bigswitch::lldp_enabled: {get_input: neutron_enable_bigswitch_lldp} + # NOTE(aschultz): required for the puppet module but we don't + # actually want them defined on the compute nodes so we're + # relying on the puppet module's handling of <SERVICE DEFAULT> + # to just not set these but still accept that they were defined. + # This will should be fixed in puppet-neutron and removed here, + # but for backportability, we need to define something. + neutron::plugins::ml2::bigswitch::restproxy::servers: '<SERVICE DEFAULT>' + neutron::plugins::ml2::bigswitch::restproxy::server_auth: '<SERVICE DEFAULT>' + NeutronBigswitchDeployment: type: OS::Heat::StructuredDeployment diff --git a/puppet/extraconfig/pre_deploy/controller/neutron-ml2-bigswitch.yaml b/puppet/extraconfig/pre_deploy/controller/neutron-ml2-bigswitch.yaml index 1456337f..e7d0b830 100644 --- a/puppet/extraconfig/pre_deploy/controller/neutron-ml2-bigswitch.yaml +++ b/puppet/extraconfig/pre_deploy/controller/neutron-ml2-bigswitch.yaml @@ -6,6 +6,14 @@ parameters: server: description: ID of the controller node to apply this config to type: string + NeutronBigswitchAgentEnabled: + description: The state of the neutron-bsn-agent service. + type: boolean + default: true + NeutronBigswitchLLDPEnabled: + description: The state of the neutron-bsn-lldp service. + type: boolean + default: false NeutronBigswitchRestproxyServers: description: 'Big Switch controllers ("IP:port,IP:port")' type: string @@ -43,6 +51,8 @@ resources: datafiles: neutron_bigswitch_data: mapped_data: + neutron::agents::bigswitch::agent_enabled: {get_input: neutron_enable_bigswitch_agent} + neutron::agents::bigswitch::lldp_enabled: {get_input: neutron_enable_bigswitch_lldp} neutron::plugins::ml2::bigswitch::restproxy::servers: {get_input: restproxy_servers} neutron::plugins::ml2::bigswitch::restproxy::server_auth: {get_input: restproxy_server_auth} neutron::plugins::ml2::bigswitch::restproxy::auto_sync_on_failure: {get_input: restproxy_auto_sync_on_failure} @@ -58,6 +68,8 @@ resources: config: {get_resource: NeutronBigswitchConfig} server: {get_param: server} input_values: + neutron_enable_bigswitch_agent: {get_param: NeutronBigswitchAgentEnabled} + neutron_enable_bigswitch_lldp: {get_param: NeutronBigswitchLLDPEnabled} restproxy_servers: {get_param: NeutronBigswitchRestproxyServers} restproxy_server_auth: {get_param: NeutronBigswitchRestproxyServerAuth } restproxy_auto_sync_on_failure: {get_param: NeutronBigswitchRestproxyAutoSyncOnFailure} diff --git a/puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml b/puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml index bca6010a..40b407bc 100644 --- a/puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml +++ b/puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml @@ -10,7 +10,7 @@ parameters: # Config specific parameters, to be provided via parameter_defaults N1000vVSMIP: type: string - default: '192.0.2.50' + default: '192.168.24.50' N1000vVSMDomainID: type: number default: 100 @@ -62,7 +62,7 @@ parameters: default: '255.255.255.0' N1000vMgmtGatewayIP: type: string - default: '192.0.2.1' + default: '192.168.24.1' N1000vPacemakerControl: type: boolean default: true diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml index 6f2dd684..c0a0778c 100644 --- a/puppet/major_upgrade_steps.j2.yaml +++ b/puppet/major_upgrade_steps.j2.yaml @@ -32,20 +32,6 @@ parameters: type: string hidden: true -conditions: - # Conditions to disable any steps where the task list is empty -{%- for role in roles %} - {{role.name}}UpgradeBatchConfigEnabled: - not: - equals: - - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} - - [] - {{role.name}}UpgradeConfigEnabled: - not: - equals: - - {get_param: [role_data, {{role.name}}, upgrade_tasks]} - - [] -{%- endfor %} resources: @@ -65,18 +51,21 @@ resources: - " crudini --set /etc/nova/nova.conf placement project_domain_name Default\n\n" - " crudini --set /etc/nova/nova.conf placement user_domain_name Default\n\n" - " crudini --set /etc/nova/nova.conf placement project_name service\n\n" - - " systemctl restart openstack-nova-compute\n\n" - - "fi\n\n" - str_replace: template: | crudini --set /etc/nova/nova.conf placement password 'SERVICE_PASSWORD' crudini --set /etc/nova/nova.conf placement region_name 'REGION_NAME' crudini --set /etc/nova/nova.conf placement auth_url 'AUTH_URL' - ROLE='ROLE_NAME' params: SERVICE_PASSWORD: { get_param: NovaPassword } REGION_NAME: { get_param: KeystoneRegion } AUTH_URL: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + - " systemctl restart openstack-nova-compute\n\n" + - "fi\n\n" + - str_replace: + template: | + ROLE='ROLE_NAME' + params: ROLE_NAME: {{role.name}} - get_file: ../extraconfig/tasks/pacemaker_common_functions.sh - get_file: ../extraconfig/tasks/run_puppet.sh @@ -100,12 +89,11 @@ resources: {{role.name}}UpgradeBatchConfig_Step{{step}}: type: OS::TripleO::UpgradeConfig {%- if step > 0 %} - condition: {{role.name}}UpgradeBatchConfigEnabled - {% if role.name in enabled_roles %} + {%- if role in enabled_roles %} depends_on: - {{role.name}}UpgradeBatch_Step{{step -1}} {%- endif %} - {% else %} + {%- else %} {% for role in roles if role.disable_upgrade_deployment|default(false) %} {% if deliver_script.update({'deliver': True}) %} {% endif %} {% endfor %} @@ -125,13 +113,11 @@ resources: {%- for role in enabled_roles %} {{role.name}}UpgradeBatch_Step{{step}}: type: OS::Heat::SoftwareDeploymentGroup - condition: {{role.name}}UpgradeBatchConfigEnabled {%- if step > 0 %} depends_on: - - {{role.name}}UpgradeBatch_Step{{step -1}} - {% else %} - depends_on: - - {{role.name}}UpgradeBatchConfig_Step{{step}} + {%- for role_inside in enabled_roles %} + - {{role_inside.name}}UpgradeBatch_Step{{step -1}} + {%- endfor %} {%- endif %} update_policy: batch_create: @@ -185,11 +171,10 @@ resources: # do, and there should be minimal performance hit (creating the # config is cheap compared to the time to apply the deployment). {%- if step > 0 %} - condition: {{role.name}}UpgradeConfigEnabled - {% if role.name in enabled_roles %} + {%- if role in enabled_roles %} depends_on: - {{role.name}}Upgrade_Step{{step -1}} - {% endif %} + {%- endif %} {%- endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} @@ -201,9 +186,18 @@ resources: {{role.name}}Upgrade_Step{{step}}: type: OS::Heat::SoftwareDeploymentGroup {%- if step > 0 %} - condition: {{role.name}}UpgradeConfigEnabled + # Make sure we wait that all roles have finished their own + # previous step before going to the next, so we can guarantee + # state for each steps. depends_on: - - {{role.name}}Upgrade_Step{{step -1}} + {%- for role_inside in enabled_roles %} + - {{role_inside.name}}Upgrade_Step{{step -1}} + {%- endfor %} + {%- else %} + depends_on: + {%- for role_inside in enabled_roles %} + - {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}} + {%- endfor %} {%- endif %} properties: name: {{role.name}}Upgrade_Step{{step}} diff --git a/puppet/puppet-steps.j2 b/puppet/puppet-steps.j2 index 86af6114..782a32c9 100644 --- a/puppet/puppet-steps.j2 +++ b/puppet/puppet-steps.j2 @@ -30,13 +30,6 @@ input_values: update_identifier: {get_param: DeployIdentifier} - {% if role.name in ['Controller', 'ObjectStorage'] %} - {{role.name}}SwiftRingDeploy: - type: OS::TripleO::Tasks::SwiftRingDeploy - properties: - servers: {get_param: [servers, {{role.name}}]} - {% endif %} - # Step through a series of configuration steps {% for step in range(1, 6) %} {{role.name}}Deployment_Step{{step}}: @@ -88,15 +81,4 @@ servers: {get_param: [servers, {{role.name}}]} input_values: update_identifier: {get_param: DeployIdentifier} - - {% if role.name in ['Controller', 'ObjectStorage'] %} - {{role.name}}SwiftRingUpdate: - type: OS::TripleO::Tasks::SwiftRingUpdate - depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step5 - {% endfor %} - properties: - servers: {get_param: [servers, {{role.name}}]} - {% endif %} {% endfor %} diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml index 1f68f41f..9227b527 100644 --- a/puppet/role.role.j2.yaml +++ b/puppet/role.role.j2.yaml @@ -483,6 +483,7 @@ resources: type: OS::Heat::SoftwareDeployment depends_on: NetworkDeployment properties: + name: UpdateDeployment config: {get_resource: UpdateConfig} server: {get_resource: {{role}}} input_values: diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index d7c87b61..7cc6e4c6 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -24,6 +24,12 @@ parameters: EnableInternalTLS: type: boolean default: false + AodhApiPolicies: + description: | + A hash of policies to configure for Aodh API. + e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: AodhBase: @@ -61,6 +67,7 @@ outputs: aodh::wsgi::apache::wsgi_process_display_name: 'aodh_wsgi' aodh::api::service_name: 'httpd' aodh::api::enable_proxy_headers_parsing: true + aodh::policy::policies: {get_param: AodhApiPolicies} tripleo.aodh_api.firewall_rules: '128 aodh-api': dport: diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index d8787c87..91a5b01c 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -55,6 +55,12 @@ parameters: EnableInternalTLS: type: boolean default: false + BarbicanPolicies: + description: | + A hash of policies to configure for Barbican. + e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -77,6 +83,7 @@ outputs: barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::project_name: 'service' + barbican::policy::policies: {get_param: BarbicanPolicies} barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} barbican::api::db_auto_create: false barbican::api::enabled_certificate_plugins: ['simple_certificate'] diff --git a/puppet/services/ceilometer-agent-ipmi.yaml b/puppet/services/ceilometer-agent-ipmi.yaml new file mode 100644 index 00000000..26647dfd --- /dev/null +++ b/puppet/services/ceilometer-agent-ipmi.yaml @@ -0,0 +1,77 @@ +heat_template_version: ocata + +description: > + OpenStack Ceilometer Ipmi Agent service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + RedisPassword: + description: The password for the redis service account. + type: string + hidden: true + MonitoringSubscriptionCeilometerIpmi: + default: 'overcloud-ceilometer-agent-ipmi' + type: string + CeilometerAgentIpmiLoggingSource: + type: json + default: + tag: openstack.ceilometer.agent.ipmi + path: /var/log/ceilometer/ipmi.log + +resources: + CeilometerServiceBase: + type: ./ceilometer-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Ceilometer Agent Ipmi role. + value: + service_name: ceilometer_agent_ipmi + monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerIpmi} + logging_source: {get_param: CeilometerAgentIpmiLoggingSource} + logging_groups: + - ceilometer + config_settings: + map_merge: + - get_attr: [CeilometerServiceBase, role_data, config_settings] + - ceilometer_redis_password: {get_param: RedisPassword} + ipmi_namespace: true + step_config: | + include ::tripleo::profile::base::ceilometer::agent::polling + upgrade_tasks: + - name: Check if ceilometer-agent-ipmi is deployed + command: systemctl is-enabled openstack-ceilometer-ipmi + tags: common + ignore_errors: True + register: ceilometer_ipmi_enabled + - name: "PreUpgrade step0,validation: Check if openstack-ceilometer-ipmi is running" + shell: > + /usr/bin/systemctl show 'openstack-ceilometer-ipmi' --property ActiveState | + grep '\bactive\b' + when: ceilometer_ipmi_enabled.rc == 0 + tags: step0,validation + - name: Stop openstack-ceilometer-ipmi service + tags: step1 + when: ceilometer_ipmi_enabled.rc == 0 + service: name=openstack-ceilometer-ipmi state=stopped + - name: Install openstack-ceilometer-ipmi package if it was disabled + tags: step3 + yum: name=openstack-ceilometer-ipmi state=latest + when: ceilometer_ipmi_enabled.rc != 0 diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index f5ee9d40..ba94b451 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -29,6 +29,12 @@ parameters: EnableInternalTLS: type: boolean default: false + CeilometerApiPolicies: + description: | + A hash of policies to configure for Ceilometer API. + e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: CeilometerServiceBase: @@ -78,6 +84,7 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} + ceilometer::policy::policies: {get_param: CeilometerApiPolicies} ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS} ceilometer::wsgi::apache::servername: diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index a9c84289..e1613720 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -37,7 +37,7 @@ parameters: constraints: - allowed_values: ['gnocchi', 'database'] CeilometerEventDispatcher: - default: ['gnocchi'] + default: ['panko', 'gnocchi'] description: Comma-separated list of Dispatchers to process events data type: comma_delimited_list constraints: @@ -76,6 +76,11 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + CeilometerApiEndpoint: + default: false + description: Whether to create or skip API endpoint. Set this to + false, if you choose to disable Ceilometer API service. + type: boolean outputs: role_data: @@ -83,6 +88,7 @@ outputs: value: service_name: ceilometer_base config_settings: + ceilometer_auth_enabled: true ceilometer::debug: {get_param: Debug} ceilometer::db::database_connection: list_join: @@ -133,6 +139,7 @@ outputs: ceilometer::keystone::auth::password: {get_param: CeilometerPassword} ceilometer::keystone::auth::region: {get_param: KeystoneRegion} ceilometer::keystone::auth::tenant: 'service' + ceilometer::keystone::auth::configure_endpoint: {get_param: CeilometerApiEndpoint} mysql: ceilometer::db::mysql::password: {get_param: CeilometerPassword} ceilometer::db::mysql::user: ceilometer diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 01531971..49856115 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml @@ -73,7 +73,7 @@ outputs: ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} - ceph::rgw::keystone::auth::roles: [ 'admin', 'member', '_member_' ] + ceph::rgw::keystone::auth::roles: [ 'admin', 'Member', '_member_' ] ceph::rgw::keystone::auth::tenant: service ceph::rgw::keystone::auth::user: swift ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 958b0e7d..c1e6b0b0 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -46,6 +46,12 @@ parameters: EnableInternalTLS: type: boolean default: false + CinderApiPolicies: + description: | + A hash of policies to configure for Cinder API. + e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]} @@ -86,6 +92,7 @@ outputs: cinder::keystone::authtoken::project_name: 'service' cinder::keystone::authtoken::user_domain_name: 'Default' cinder::keystone::authtoken::project_domain_name: 'Default' + cinder::policy::policies: {get_param: CinderApiPolicies} cinder::api::enable_proxy_headers_parsing: true cinder::api::nova_catalog_info: 'compute:nova:internalURL' diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml index 20f64162..5f6b5657 100644 --- a/puppet/services/congress.yaml +++ b/puppet/services/congress.yaml @@ -47,6 +47,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + CongressPolicies: + description: | + A hash of policies to configure for Congress. + e.g. { congress-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: role_data: @@ -73,6 +79,7 @@ outputs: congress::rabbit_port: {get_param: RabbitClientPort} congress::server::bind_host: {get_param: [ServiceNetMap, CongressApiNetwork]} + congress::keystone::authtoken::password: {get_param: CongressPassword} congress::keystone::authtoken::project_name: 'service' congress::keystone::authtoken::user_domain_name: 'Default' congress::keystone::authtoken::project_domain_name: 'Default' @@ -86,6 +93,7 @@ outputs: congress::db::mysql::allowed_hosts: - '%' - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + congress::policy::policies: {get_param: CongressPolicies} service_config_settings: keystone: diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 63ec4446..50597216 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -19,6 +19,10 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + MongodbMemoryLimit: + default: '20G' + description: Limit the amount of memory mongodb uses with systemd. + type: string MongoDbLoggingSource: type: json description: Fluentd logging configuration for mongodb. @@ -49,6 +53,7 @@ outputs: map_merge: - get_attr: [MongoDbBase, role_data, config_settings] - tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]} + tripleo::profile::base::database::mongodb::memory_limit: {get_param: MongodbMemoryLimit} mongodb::server::service_manage: True tripleo.mongodb.firewall_rules: '101 mongodb_config': diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml index 10f6d311..d1adefe5 100644 --- a/puppet/services/ec2-api.yaml +++ b/puppet/services/ec2-api.yaml @@ -42,6 +42,12 @@ parameters: default: 'false' description: Set to true to enable package installation via Puppet type: boolean + Ec2ApiPolicies: + description: | + A hash of policies to configure for EC2-API. + e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: @@ -67,6 +73,7 @@ outputs: ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword} ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ec2api::policy::policies: {get_param: Ec2ApiPolicies} ec2api::api::enabled: true ec2api::package_manage: {get_param: EnablePackageInstall} ec2api::api::ec2api_listen: @@ -91,6 +98,11 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/ec2_api' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + ec2api::api::keystone_ec2_tokens_url: + list_join: + - '' + - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} + - '/ec2tokens' - if: - nova_workers_zero diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index b06f9993..f61e6154 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -110,6 +110,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + GlanceApiPolicies: + description: | + A hash of policies to configure for Glance API. + e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} @@ -155,6 +161,7 @@ outputs: glance::api::enable_proxy_headers_parsing: true glance::api::debug: {get_param: Debug} glance::api::workers: {get_param: GlanceWorkers} + glance::policy::policies: {get_param: GlanceApiPolicies} tripleo.glance_api.firewall_rules: '112 glance_api': dport: diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index f4629917..cd323703 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -44,6 +44,12 @@ parameters: EnableInternalTLS: type: boolean default: false + GnocchiApiPolicies: + description: | + A hash of policies to configure for Gnocchi API. + e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -83,6 +89,7 @@ outputs: gnocchi::api::enabled: true gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' + gnocchi::policy::policies: {get_param: GnocchiApiPolicies} gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index b45c084a..dc6daece 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -68,7 +68,7 @@ outputs: gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 3 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} - gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneV3Internal, uri]} gnocchi::storage::ceph::ceph_pool: {get_param: GnocchiRbdPoolName} gnocchi::storage::ceph::ceph_username: {get_param: CephClientUserName} gnocchi::storage::ceph::ceph_keyring: diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index e21369e8..f8128bb8 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -41,6 +41,12 @@ parameters: EnableInternalTLS: type: boolean default: false + HeatApiPolicies: + description: | + A hash of policies to configure for Heat API. + e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]} @@ -82,6 +88,7 @@ outputs: - 13004 heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} + heat::policy::policies: {get_param: HeatApiPolicies} heat::api::service_name: 'httpd' # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index a166f3a7..98dac4c9 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -112,7 +112,11 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/heat' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' - heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} + heat::keystone_ec2_uri: + list_join: + - '' + - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} + - '/ec2tokens' heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword} heat::engine::auth_encryption_key: yaql: diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index 7ae518b5..8fb13c16 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -40,6 +40,10 @@ parameters: type: string hidden: true default: '' + HorizonSecureCookies: + description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon + type: boolean + default: true MemcachedIPv6: default: false description: Enable IPv6 features in Memcached. @@ -88,6 +92,7 @@ outputs: passwords: - {get_param: HorizonSecret} - {get_param: [DefaultPasswords, horizon_secret]} + horizon::secure_cookies: {get_param: [HorizonSecureCookies]} memcached_ipv6: {get_param: MemcachedIPv6} - if: diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index e24d0de6..1f18cb1b 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -29,6 +29,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + IronicApiPolicies: + description: | + A hash of policies to configure for Ironic API. + e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: IronicBase: @@ -64,6 +70,7 @@ outputs: ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]} # This is used to build links in responses ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} + ironic::policy::policies: {get_param: IronicApiPolicies} tripleo.ironic_api.firewall_rules: '133 ironic api': dport: diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index 56e1a90b..be910d10 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -32,6 +32,15 @@ parameters: created yet) and should be changed to an actual UUID in a post-deployment stack update. type: string + IronicDefaultNetworkInterface: + default: 'flat' + description: Network interface implementation to use by default. + Set to "flat" (the default) to use one flat provider network. + Set to "neutron" to make Ironic interact with the Neutron + ML2 driver to enable other network types and certain + advances networking features. Requires + IronicProvisioningNetwork to be correctly set. + type: string IronicEnabledDrivers: default: ['pxe_ipmitool', 'pxe_drac', 'pxe_ilo'] description: Enabled Ironic drivers @@ -48,6 +57,15 @@ parameters: description: The password for the Ironic service and db account, used by the Ironic services type: string hidden: true + IronicProvisioningNetwork: + default: 'provisioning' + description: Name or UUID of the *overcloud* network used for provisioning + of bare metal nodes, if IronicDefaultNetworkInterface is + set to "neutron". The default value of "provisioning" can be + left during the initial deployment (when no networks are + created yet) and should be changed to an actual UUID in + a post-deployment stack update. + type: string MonitoringSubscriptionIronicConductor: default: 'overcloud-ironic-conductor' type: string @@ -72,6 +90,7 @@ outputs: - ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} ironic::conductor::cleaning_disk_erase: {get_param: IronicCleaningDiskErase} ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork} + ironic::conductor::provisioning_network: {get_param: IronicProvisioningNetwork} ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers} # We need an endpoint containing a real IP, not a VIP here ironic_conductor_http_host: {get_param: [ServiceNetMap, IronicNetwork]} @@ -93,6 +112,8 @@ outputs: # NOTE(dtantsur): UEFI only works with iPXE currently for us ironic::drivers::pxe::uefi_pxe_config_template: '$pybasedir/drivers/modules/ipxe_config.template' ironic::drivers::pxe::uefi_pxe_bootfile_name: 'ipxe.efi' + ironic::drivers::interfaces::enabled_network_interfaces: ['flat', 'neutron'] + ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface} tripleo.ironic_conductor.firewall_rules: '134 ironic conductor TFTP': dport: 69 diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index ee4c771f..94b15d4b 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -31,7 +31,7 @@ outputs: config_settings: kernel_modules: nf_conntrack: {} - ip_conntrack_proto_sctp: {} + nf_conntrack_proto_sctp: {} sysctl_settings: net.ipv4.tcp_keepalive_intvl: value: 1 @@ -39,6 +39,20 @@ outputs: value: 5 net.ipv4.tcp_keepalive_time: value: 5 + net.ipv4.conf.default.send_redirects: + value: 0 + net.ipv4.conf.all.send_redirects: + value: 0 + net.ipv4.conf.default.accept_redirects: + value: 0 + net.ipv4.conf.default.secure_redirects: + value: 0 + net.ipv4.conf.all.secure_redirects: + value: 0 + net.ipv4.conf.default.log_martians: + value: 1 + net.ipv4.conf.all.log_martians: + value: 1 net.nf_conntrack_max: value: 500000 net.netfilter.nf_conntrack_max: @@ -52,11 +66,17 @@ outputs: value: 0 net.ipv6.conf.default.autoconf: value: 0 + net.ipv6.conf.default.accept_redirects: + value: 0 + net.ipv6.conf.all.accept_redirects: + value: 0 net.core.netdev_max_backlog: value: 10000 kernel.pid_max: value: {get_param: KernelPidMax} kernel.dmesg_restrict: value: 1 + fs.suid_dumpable: + value: 0 step_config: | include ::tripleo::profile::base::kernel diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 17616867..632d9b0b 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -158,6 +158,22 @@ parameters: description: > Cron to purge expired tokens - User default: 'keystone' + KeystonePolicies: + description: | + A hash of policies to configure for Keystone. + e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json + KeystoneLDAPDomainEnable: + description: Trigger to call ldap_backend puppet keystone define. + type: boolean + default: False + KeystoneLDAPBackendConfigs: + description: Hash containing the configurations for the LDAP backends + configured in keystone. + type: json + default: {} + hidden: true resources: @@ -171,6 +187,7 @@ resources: conditions: keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} + keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]} outputs: role_data: @@ -197,6 +214,7 @@ outputs: keystone::admin_token: {get_param: AdminToken} keystone::admin_password: {get_param: AdminPassword} keystone::roles::admin::password: {get_param: AdminPassword} + keystone::policy::policies: {get_param: KeystonePolicies} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::token_provider: {get_param: KeystoneTokenProvider} @@ -293,6 +311,15 @@ outputs: keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay} keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination} keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser} + - + if: + - keystone_ldap_domain_enabled + - + tripleo::profile::base::keystone::ldap_backend_enable: True + keystone::using_domain_config: True + tripleo::profile::base::keystone::ldap_backends_config: + get_param: KeystoneLDAPBackendConfigs + - {} step_config: | include ::tripleo::profile::base::keystone @@ -305,6 +332,13 @@ outputs: keystone::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + horizon: + if: + - keystone_ldap_domain_enabled + - + horizon::keystone_multidomain_support: true + horizon::keystone_default_domain: 'Default' + - {} # Ansible tasks to handle upgrade upgrade_tasks: - name: Stop keystone service (running under httpd) diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml index 1c7d6bd3..02c69392 100644 --- a/puppet/services/mistral-api.yaml +++ b/puppet/services/mistral-api.yaml @@ -22,6 +22,12 @@ parameters: default: 1 description: The number of workers for the mistral-api. type: number + MistralApiPolicies: + description: | + A hash of policies to configure for Mistral API. + e.g. { mistral-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: MistralBase: @@ -41,6 +47,7 @@ outputs: - get_attr: [MistralBase, role_data, config_settings] - mistral::api::api_workers: {get_param: MistralWorkers} mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]} + mistral::policy::policies: {get_param: MistralApiPolicies} tripleo.mistral_api.firewall_rules: '133 mistral': dport: diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml index e1030346..d5c21694 100644 --- a/puppet/services/mistral-base.yaml +++ b/puppet/services/mistral-base.yaml @@ -74,7 +74,11 @@ outputs: mistral::keystone_password: {get_param: MistralPassword} mistral::keystone_tenant: 'service' mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} + mistral::keystone_ec2_uri: + list_join: + - '' + - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} + - '/ec2tokens' mistral::identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} service_config_settings: keystone: diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index aba2b1ed..4b5f36ac 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -81,4 +81,4 @@ outputs: - name: Install sensu package if it was disabled tags: step3 yum: name=sensu state=latest - when: sensu_client.rc != 0 + when: sensu_client_enabled.rc != 0 diff --git a/puppet/services/network/contrail-vrouter.yaml b/puppet/services/network/contrail-vrouter.yaml index db9f0836..0cd1f829 100644 --- a/puppet/services/network/contrail-vrouter.yaml +++ b/puppet/services/network/contrail-vrouter.yaml @@ -27,7 +27,7 @@ parameters: description: vRouter physical interface type: string ContrailVrouterGateway: - default: '192.0.2.1' + default: '192.168.24.1' description: vRouter default gateway type: string ContrailVrouterNetmask: diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 7a24ffdd..9b9d1c72 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -60,6 +60,12 @@ parameters: EnableInternalTLS: type: boolean default: false + NeutronApiPolicies: + description: | + A hash of policies to configure for Neutron API. + e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. @@ -127,6 +133,7 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/ovs_neutron' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + neutron::policy::policies: {get_param: NeutronApiPolicies} neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} neutron::server::api_workers: {get_param: NeutronWorkers} diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 55361939..9f605062 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -22,6 +22,10 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + DatabaseSyncTimeout: + default: 300 + description: DB Sync Timeout default + type: number NeutronDhcpAgentsPerNetwork: type: number default: 0 @@ -44,10 +48,10 @@ parameters: description: Set to True to enable debugging on all services. EnableConfigPurge: type: boolean - default: true + default: false description: > - Remove configuration that is not generated by TripleO. Setting - to false may result in configuration remnants after updates/upgrades. + Remove configuration that is not generated by TripleO. Used to avoid + configuration remnants after upgrades. NeutronGlobalPhysnetMtu: type: number default: 1500 @@ -95,6 +99,7 @@ outputs: neutron::host: '%{::fqdn}' neutron::db::database_db_max_retries: -1 neutron::db::database_max_retries: -1 + neutron::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu} - if: - dhcp_agents_zero diff --git a/puppet/services/neutron-bigswitch-agent.yaml b/puppet/services/neutron-bigswitch-agent.yaml new file mode 100644 index 00000000..845f0da0 --- /dev/null +++ b/puppet/services/neutron-bigswitch-agent.yaml @@ -0,0 +1,31 @@ +heat_template_version: ocata + +description: > + Installs bigswitch agent and enables the services + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + + +outputs: + role_data: + description: Configure the bigswitch agent services + value: + service_name: neutron_bigswitch_agent + step_config: | + if hiera('step') >= 4 { + include ::neutron::agents::bigswitch + } diff --git a/puppet/services/neutron-compute-plugin-nuage.yaml b/puppet/services/neutron-compute-plugin-nuage.yaml index 04431e28..ea717690 100644 --- a/puppet/services/neutron-compute-plugin-nuage.yaml +++ b/puppet/services/neutron-compute-plugin-nuage.yaml @@ -22,6 +22,10 @@ parameters: description: The password for the nova service account, used by nova-api. type: string hidden: true + NuageMetadataPort: + description: TCP Port to listen for metadata server requests + type: string + default: '9697' outputs: role_data: @@ -32,5 +36,11 @@ outputs: tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service' tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword} tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]} + tripleo.neutron_compute_plugin_nuage.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '100 metadata agent': + dport: {get_param: NuageMetadataPort} step_config: | include ::tripleo::profile::base::neutron::agents::nuage diff --git a/puppet/services/neutron-compute-plugin-ovn.yaml b/puppet/services/neutron-compute-plugin-ovn.yaml index e3a4da99..0dca29ab 100644 --- a/puppet/services/neutron-compute-plugin-ovn.yaml +++ b/puppet/services/neutron-compute-plugin-ovn.yaml @@ -48,6 +48,7 @@ outputs: ovn::controller::ovn_encap_type: {get_param: OVNTunnelEncapType} ovn::controller::ovn_encap_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} ovn::controller::ovn_bridge_mappings: {get_param: NeutronBridgeMappings} + nova::compute::force_config_drive: true tripleo.neutron_compute_plugin_ovn.firewall_rules: '118 neutron vxlan networks': proto: 'udp' diff --git a/puppet/services/neutron-l2gw-api.yaml b/puppet/services/neutron-l2gw-api.yaml new file mode 100644 index 00000000..b6f0d281 --- /dev/null +++ b/puppet/services/neutron-l2gw-api.yaml @@ -0,0 +1,54 @@ +heat_template_version: ocata + +description: > + L2 Gateway service plugin configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + L2gwServiceDefaultInterfaceName: + default: 'FortyGigE1/0/1' + description: default interface name of the L2 gateway + type: string + L2gwServiceDefaultDeviceName: + default: 'Switch1' + description: default device name of the L2 gateway + type: string + L2gwServiceQuotaL2Gateway: + default: 5 + description: quota of the L2 gateway + type: number + L2gwServicePeriodicMonitoringInterval: + default: 5 + description: The periodic interval at which the plugin + type: number + L2gwServiceProvider: + default: ["L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default"] + description: Backend to use as a service provider for L2 Gateway + type: comma_delimited_list + +outputs: + role_data: + description: Role data for the L2 Gateway role. + value: + service_name: neutron_l2gw_api + config_settings: + neutron::services::l2gw::default_interface_name: {get_param: L2gwServiceDefaultInterfaceName} + neutron::services::l2gw::default_device_name: {get_param: L2gwServiceDefaultDeviceName} + neutron::services::l2gw::quota_l2_gateway: {get_param: L2gwServiceQuotaL2Gateway} + neutron::services::l2gw::periodic_monitoring_interval: {get_param: L2gwServicePeriodicMonitoringInterval} + neutron::services::l2gw::service_providers: {get_param: L2gwServiceProvider} + step_config: | + include tripleo::profile::base::neutron::l2gw diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index 01471ba2..ef2485d4 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -82,6 +82,9 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + OpenVswitchUpgrade: + type: ./openvswitch-upgrade.yaml + outputs: role_data: description: Role data for the Neutron OVS agent service. @@ -121,16 +124,22 @@ outputs: step_config: | include ::tripleo::profile::base::neutron::ovs upgrade_tasks: - - name: Check if neutron_ovs_agent is deployed - command: systemctl is-enabled neutron-openvswitch-agent - tags: common - ignore_errors: True - register: neutron_ovs_agent_enabled - - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" - shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' - when: neutron_ovs_agent_enabled.rc == 0 - tags: step0,validation - - name: Stop neutron_ovs_agent service - tags: step1 - when: neutron_ovs_agent_enabled.rc == 0 - service: name=neutron-openvswitch-agent state=stopped + yaql: + expression: $.data.ovs_upgrade + $.data.neutron_ovs_upgrade + data: + ovs_upgrade: + get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks] + neutron_ovs_upgrade: + - name: Check if neutron_ovs_agent is deployed + command: systemctl is-enabled neutron-openvswitch-agent + tags: common + ignore_errors: True + register: neutron_ovs_agent_enabled + - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" + shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' + when: neutron_ovs_agent_enabled.rc == 0 + tags: step0,validation + - name: Stop neutron_ovs_agent service + tags: step1 + when: neutron_ovs_agent_enabled.rc == 0 + service: name=neutron-openvswitch-agent state=stopped diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index 2c7ab57c..80516fe6 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -62,6 +62,9 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + OpenVswitchUpgrade: + type: ./openvswitch-upgrade.yaml + outputs: role_data: description: Role data for the Neutron OVS DPDK Agent service. @@ -82,3 +85,5 @@ outputs: vswitch::dpdk::socket_mem: {get_param: NeutronDpdkSocketMemory} vswitch::dpdk::driver_type: {get_param: NeutronDpdkDriverType} step_config: {get_attr: [NeutronOvsAgent, role_data, step_config]} + upgrade_tasks: + get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks] diff --git a/puppet/services/neutron-plugin-ml2-odl.yaml b/puppet/services/neutron-plugin-ml2-odl.yaml new file mode 100644 index 00000000..acacadfa --- /dev/null +++ b/puppet/services/neutron-plugin-ml2-odl.yaml @@ -0,0 +1,45 @@ +heat_template_version: ocata + +description: > + OpenStack Neutron ML2/OpenDaylight plugin configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OpenDaylightPortBindingController: + description: OpenDaylight port binding controller + type: string + default: 'network-topology' + +resources: + + NeutronMl2Base: + type: ./neutron-plugin-ml2.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Neutron ML2/ODL plugin. + value: + service_name: neutron_plugin_ml2_odl + config_settings: + map_merge: + - get_attr: [NeutronMl2Base, role_data, config_settings] + - neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController} + step_config: | + include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-plugin-nuage.yaml b/puppet/services/neutron-plugin-nuage.yaml index e09cd704..6229a3f1 100644 --- a/puppet/services/neutron-plugin-nuage.yaml +++ b/puppet/services/neutron-plugin-nuage.yaml @@ -19,10 +19,6 @@ parameters: via parameter_defaults in the resource registry. type: json # Config specific parameters, to be provided via parameter_defaults - NeutronNuageOSControllerIp: - description: IP address of the OpenStack Controller - type: string - NeutronNuageNetPartitionName: description: Specifies the title that you will see on the VSD type: string @@ -76,8 +72,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - - neutron::plugins::nuage::nuage_oscontroller_ip: {get_param: NeutronNuageOSControllerIp} - neutron::plugins::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName} + - neutron::plugins::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName} neutron::plugins::nuage::nuage_vsd_ip: {get_param: NeutronNuageVSDIp} neutron::plugins::nuage::nuage_vsd_username: {get_param: NeutronNuageVSDUsername} neutron::plugins::nuage::nuage_vsd_password: {get_param: NeutronNuageVSDPassword} diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 473c24b4..18d9b924 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -62,6 +62,12 @@ parameters: default: 300 description: Timeout for Nova db sync type: number + NovaApiPolicies: + description: | + A hash of policies to configure for Nova API. + e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} @@ -145,6 +151,7 @@ outputs: nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} nova::api::instance_name_template: {get_param: InstanceNameTemplate} nova_enable_db_purge: {get_param: NovaEnableDBPurge} + nova::policy::policies: {get_param: NovaApiPolicies} - if: - nova_workers_zero @@ -227,7 +234,7 @@ outputs: - name: Setup cell_v2 (map cell0) tags: step5 when: is_bootstrap_node - command: nova-manage cell_v2 map_cell0 + shell: nova-manage cell_v2 map_cell0 --database_connection=$(hiera nova::cell0_database_connection) - name: Setup cell_v2 (create default cell) tags: step5 when: is_bootstrap_node @@ -243,15 +250,15 @@ outputs: command: nova-manage db sync async: {get_param: NovaDbSyncTimeout} poll: 10 - - name: Setup cell_v2 (migrate hosts) - tags: step5 - when: is_bootstrap_node - command: nova-manage cell_v2 map_cell_and_hosts - name: Setup cell_v2 (get cell uuid) tags: step5 when: is_bootstrap_node shell: nova-manage cell_v2 list_cells | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}' register: nova_api_cell_uuid + - name: Setup cell_v2 (migrate hosts) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 discover_hosts --cell_uuid {{nova_api_cell_uuid.stdout}} --verbose - name: Setup cell_v2 (migrate instances) tags: step5 when: is_bootstrap_node diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index ceacb0b2..9e7f0145 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -52,16 +52,20 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + DatabaseSyncTimeout: + default: 300 + description: DB Sync Timeout default + type: number Debug: type: string default: '' description: Set to True to enable debugging on all services. EnableConfigPurge: type: boolean - default: true + default: false description: > - Remove configuration that is not generated by TripleO. Setting - to false may result in configuration remnants after updates/upgrades. + Remove configuration that is not generated by TripleO. Used to avoid + configuration remnants after upgrades. NovaIPv6: default: false description: Enable IPv6 features in Nova @@ -151,6 +155,16 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + nova::cell0_database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://nova:' + - {get_param: NovaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/nova_cell0' + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' nova::api_database_connection: list_join: - '' @@ -188,6 +202,8 @@ outputs: nova::network::neutron::neutron_auth_type: 'v3password' nova::db::database_db_max_retries: -1 nova::db::database_max_retries: -1 + nova::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} + nova::db::sync_api::db_sync_timeout: {get_param: DatabaseSyncTimeout} nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} nova::use_ipv6: {get_param: NovaIPv6} nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge} diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index d208bede..a9737eb6 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -52,7 +52,7 @@ parameters: For different formats, refer to the nova.conf documentation for pci_passthrough_whitelist configuration type: json - default: {} + default: '' NovaVcpuPinSet: description: > A list or range of physical CPU cores to reserve for virtual machine @@ -101,7 +101,11 @@ outputs: map_merge: - get_attr: [NovaBase, role_data, config_settings] - nova::compute::libvirt::manage_libvirt_services: false - nova::compute::pci_passthrough: {get_param: NovaPCIPassthrough} + nova::compute::pci_passthrough: + str_replace: + template: "JSON_PARAM" + params: + JSON_PARAM: {get_param: NovaPCIPassthrough} nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet} nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory} # we manage migration in nova common puppet profile diff --git a/puppet/services/nova-ironic.yaml b/puppet/services/nova-ironic.yaml index 843f44c5..f1d8dff7 100644 --- a/puppet/services/nova-ironic.yaml +++ b/puppet/services/nova-ironic.yaml @@ -51,3 +51,7 @@ outputs: nova::scheduler::filter::scheduler_host_manager: 'ironic_host_manager' step_config: | include tripleo::profile::base::nova::compute::ironic + upgrade_tasks: + - name: Stop openstack-nova-compute service + tags: step1 + service: name=openstack-nova-compute state=stopped enabled=no diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml index 909a3030..2f898a67 100644 --- a/puppet/services/octavia-api.yaml +++ b/puppet/services/octavia-api.yaml @@ -34,6 +34,12 @@ parameters: default: tag: openstack.octavia.api path: /var/log/octavia/api.log + OctaviaApiPolicies: + description: | + A hash of policies to configure for Octavia API. + e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -57,6 +63,7 @@ outputs: map_merge: - get_attr: [OctaviaBase, role_data, config_settings] - octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + octavia::policy::policies: {get_param: OctaviaApiPolicies} octavia::db::database_connection: list_join: - '' diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml index a3f616ff..db15aa15 100644 --- a/puppet/services/octavia-base.yaml +++ b/puppet/services/octavia-base.yaml @@ -24,10 +24,10 @@ parameters: description: Set to True to enable debugging on all services. EnableConfigPurge: type: boolean - default: true + default: false description: > - Remove configuration that is not generated by TripleO. Setting - to false may result in configuration remnants after updates/upgrades. + Remove configuration that is not generated by TripleO. Used to avoid + configuration remnants after upgrades. RabbitPassword: description: The password for RabbitMQ type: string diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index 5cf416f3..ed572b4d 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml @@ -48,6 +48,10 @@ parameters: default: {} type: json +resources: + OpenVswitchUpgrade: + type: ./openvswitch-upgrade.yaml + outputs: role_data: description: Role data for the OpenDaylight service. @@ -70,16 +74,22 @@ outputs: step_config: | include tripleo::profile::base::neutron::plugins::ovs::opendaylight upgrade_tasks: - - name: Check if openvswitch is deployed - command: systemctl is-enabled openvswitch - tags: common - ignore_errors: True - register: openvswitch_enabled - - name: "PreUpgrade step0,validation: Check service openvswitch is running" - shell: /usr/bin/systemctl show 'openvswitch' --property ActiveState | grep '\bactive\b' - when: openvswitch_enabled.rc == 0 - tags: step0,validation - - name: Stop openvswitch service - tags: step1 - when: openvswitch_enabled.rc == 0 - service: name=openvswitch state=stopped + yaql: + expression: $.data.ovs_upgrade + $.data.opendaylight_upgrade + data: + ovs_upgrade: + get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks] + opendaylight_upgrade: + - name: Check if openvswitch is deployed + command: systemctl is-enabled openvswitch + tags: common + ignore_errors: True + register: openvswitch_enabled + - name: "PreUpgrade step0,validation: Check service openvswitch is running" + shell: /usr/bin/systemctl show 'openvswitch' --property ActiveState | grep '\bactive\b' + when: openvswitch_enabled.rc == 0 + tags: step0,validation + - name: Stop openvswitch service + tags: step1 + when: openvswitch_enabled.rc == 0 + service: name=openvswitch state=stopped diff --git a/puppet/services/openvswitch-upgrade.yaml b/puppet/services/openvswitch-upgrade.yaml new file mode 100644 index 00000000..fea1ba96 --- /dev/null +++ b/puppet/services/openvswitch-upgrade.yaml @@ -0,0 +1,50 @@ +heat_template_version: ocata + +description: > + Openvswitch package special handling for upgrade. + +outputs: + role_data: + description: Upgrade task for special handling of Openvswitch (OVS) upgrade. + value: + service_name: openvswitch_upgrade + upgrade_tasks: + - name: Check openvswitch version. + tags: step2 + register: ovs_version + ignore_errors: true + shell: rpm -qa | awk -F- '/^openvswitch-2/{print $2 "-" $3}' + - name: Check openvswitch packaging. + tags: step2 + shell: rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep -q "systemctl.*try-restart" + register: ovs_packaging_issue + ignore_errors: true + - block: + - name: "Ensure empty directory: emptying." + file: + state: absent + path: /root/OVS_UPGRADE + - name: "Ensure empty directory: creating." + file: + state: directory + path: /root/OVS_UPGRADE + owner: root + group: root + mode: 0750 + - name: Download OVS packages. + command: yumdownloader --destdir /root/OVS_UPGRADE --resolve openvswitch + - name: Get rpm list for manual upgrade of OVS. + shell: ls -1 /root/OVS_UPGRADE/*.rpm + register: ovs_list_of_rpms + - name: Manual upgrade of OVS + shell: | + rpm -U --test {{item}} 2>&1 | grep "already installed" || \ + rpm -U --replacepkgs --notriggerun --nopostun {{item}}; + args: + chdir: /root/OVS_UPGRADE + with_items: + - "{{ovs_list_of_rpms.stdout_lines}}" + tags: step2 + when: "'2.5.0-14' in '{{ovs_version.stdout}}' + or + ovs_packaging_issue|succeeded" diff --git a/puppet/services/ovn-dbs.yaml b/puppet/services/ovn-dbs.yaml index 7f81afde..6b8be77c 100644 --- a/puppet/services/ovn-dbs.yaml +++ b/puppet/services/ovn-dbs.yaml @@ -36,5 +36,11 @@ outputs: ovn::northbound::port: {get_param: OVNNorthboundServerPort} ovn::southbound::port: {get_param: OVNSouthboundServerPort} ovn::northd::dbs_listen_ip: {get_param: [ServiceNetMap, OvnDbsNetwork]} + tripleo.ovn_dbs.firewall_rules: + '121 OVN DB server ports': + proto: 'tcp' + dport: + - {get_param: OVNNorthboundServerPort} + - {get_param: OVNSouthboundServerPort} step_config: | include ::tripleo::profile::base::neutron::ovn_northd diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 762d0092..f7a0edf8 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -87,10 +87,16 @@ parameters: \[(?<pid>[^ ]*)\] (?<host>[^ ]*) (?<message>.*)$/ + + EnableLoadBalancer: + default: true + description: Whether to deploy a LoadBalancer on the Controller + type: boolean + PacemakerResources: type: comma_delimited_list description: List of resources managed by pacemaker - default: ['rabbitmq','haproxy','galera'] + default: ['rabbitmq', 'galera'] outputs: role_data: @@ -135,6 +141,8 @@ outputs: - name: Check pacemaker cluster running before upgrade tags: step0,validation pacemaker_cluster: state=online check_and_fail=true + async: 30 + poll: 4 - name: Stop pacemaker cluster tags: step2 pacemaker_cluster: state=offline @@ -147,3 +155,9 @@ outputs: resource: "{{ item }}" max_wait: 500 with_items: {get_param: PacemakerResources} + - name: Check pacemaker haproxy resource + tags: step4 + pacemaker_is_active: + resource: haproxy + max_wait: 500 + when: {get_param: EnableLoadBalancer} diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml index eed98257..43e7aa18 100644 --- a/puppet/services/panko-api.yaml +++ b/puppet/services/panko-api.yaml @@ -24,6 +24,12 @@ parameters: EnableInternalTLS: type: boolean default: false + PankoApiPolicies: + description: | + A hash of policies to configure for Panko API. + e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: PankoBase: @@ -58,6 +64,7 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + panko::policy::policies: {get_param: PankoApiPolicies} panko::api::service_name: 'httpd' panko::api::enable_proxy_headers_parsing: true tripleo.panko_api.firewall_rules: diff --git a/puppet/services/qdr.yaml b/puppet/services/qdr.yaml new file mode 100644 index 00000000..f8746cec --- /dev/null +++ b/puppet/services/qdr.yaml @@ -0,0 +1,60 @@ +heat_template_version: ocata + +description: > + Qpid dispatch router service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + RabbitUserName: + default: guest + description: The username for Qdr + type: string + RabbitPassword: + description: The password for Qdr + type: string + hidden: true + RabbitClientPort: + description: Listening port for Qdr + default: 5672 + type: number + MonitoringSubscriptionQdr: + default: 'overcloud-qdr' + type: string + +outputs: + role_data: + description: Role data for the Qdr role. + value: + service_name: rabbitmq + monitoring_subscription: {get_param: MonitoringSubscriptionQdr} + global_config_settings: + messaging_notify_service_name: 'amqp' + messaging_rpc_service_name: 'amqp' + keystone::messaging::amqp::amqp_pre_settled: 'notify' + config_settings: + tripleo.rabbitmq.firewall_rules: + '109 qdr': + dport: + - {get_param: RabbitClientPort} + qdr::listener_addr: {get_param: [ServiceNetMap, QdrNetwork]} + # cannot pass qdr::listener_port directly because it needs to be a string + # we do the conversion in the puppet layer + tripleo::profile::base::qdr::qdr_listener_port: {get_param: RabbitClientPort} + tripleo::profile::base::qdr::qdr_username: {get_param: RabbitUserName} + tripleo::profile::base::qdr::qdr_password: {get_param: RabbitPassword} + + step_config: | + include ::tripleo::profile::base::qdr diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index 96b3d6e3..d9f2115a 100644 --- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -38,6 +38,12 @@ parameters: default: tag: openstack.sahara.api path: /var/log/sahara/sahara-api.log + SaharaApiPolicies: + description: | + A hash of policies to configure for Sahara API. + e.g. { sahara-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: SaharaBase: @@ -60,6 +66,7 @@ outputs: map_merge: - get_attr: [SaharaBase, role_data, config_settings] - sahara::port: {get_param: [EndpointMap, SaharaInternal, port]} + sahara::policy::policies: {get_param: SaharaApiPolicies} sahara::service::api::api_workers: {get_param: SaharaWorkers} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): diff --git a/puppet/services/securetty.yaml b/puppet/services/securetty.yaml new file mode 100644 index 00000000..6d32fe82 --- /dev/null +++ b/puppet/services/securetty.yaml @@ -0,0 +1,36 @@ +heat_template_version: ocata + +description: > + Configure securetty values + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + TtyValues: + default: {} + description: Configures console values in securetty + type: json + constraints: + - length: { min: 1} + +outputs: + role_data: + description: Console data for the securetty + value: + service_name: securetty + config_settings: + tripleo::profile::base::securetty::tty_list: {get_param: TtyValues} + step_config: | + include ::tripleo::profile::base::securetty diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index a2286d16..9820b431 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -90,14 +90,11 @@ outputs: # fluentd user. yaql: expression: > - set($.data.groups.flatten()).where($) + set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($) data: - groups: - - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}] - - yaql: - expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null)) - data: {role_data: {get_attr: [ServiceChain, role_data]}} - - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}] + default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]} + extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]} + role_data: {get_attr: [ServiceChain, role_data]} config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}} global_config_settings: map_merge: diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 0c3cc1ec..0ecc942c 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -63,10 +63,14 @@ parameters: Rabbit client subscriber parameter to specify an SSL connection to the RabbitMQ host. type: string + EnableInternalTLS: + type: boolean + default: false conditions: ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]} + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: SwiftBase: @@ -76,6 +80,14 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + outputs: role_data: description: Role data for the Swift proxy service. @@ -85,7 +97,7 @@ outputs: config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - + - get_attr: [TLSProxyBase, role_data, config_settings] - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::authtoken::password: {get_param: SwiftPassword} @@ -146,7 +158,22 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - swift::proxy::proxy_local_net_ip: {get_param: [ServiceNetMap, SwiftProxyNetwork]} + tripleo::profile::base::swift::proxy::tls_proxy_bind_ip: + get_param: [ServiceNetMap, SwiftProxyNetwork] + tripleo::profile::base::swift::proxy::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]} + tripleo::profile::base::swift::proxy::tls_proxy_port: + get_param: [EndpointMap, SwiftInternal, port] + swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]} + swift::proxy::proxy_local_net_ip: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, SwiftProxyNetwork]} step_config: | include ::tripleo::profile::base::swift::proxy service_config_settings: @@ -169,3 +196,5 @@ outputs: - name: Stop swift_proxy service tags: step1 service: name=openstack-swift-proxy state=stopped + metadata_settings: + get_attr: [TLSProxyBase, role_data, metadata_settings] diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index 2e3c818f..f62d5e18 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -42,6 +42,14 @@ parameters: default: true description: 'Use a local directory for Swift storage services when building rings' type: boolean + SwiftRingGetTempurl: + default: '' + description: A temporary Swift URL to download rings from. + type: string + SwiftRingPutTempurl: + default: '' + description: A temporary Swift URL to upload rings to. + type: string conditions: swift_use_local_dir: @@ -59,6 +67,8 @@ outputs: value: service_name: swift_ringbuilder config_settings: + tripleo::profile::base::swift::ringbuilder::swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl} + tripleo::profile::base::swift::ringbuilder::swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl} tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild} tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas} tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower} diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml index a4c139b5..c14e061b 100644 --- a/puppet/services/tacker.yaml +++ b/puppet/services/tacker.yaml @@ -47,6 +47,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + TackerPolicies: + description: | + A hash of policies to configure for Tacker. + e.g. { tacker-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: role_data: @@ -87,10 +93,12 @@ outputs: tacker::db::mysql::allowed_hosts: - '%' - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + tacker::policy::policies: {get_param: TackerPolicies} service_config_settings: keystone: tacker::keystone::auth::tenant: 'service' + tacker::keystone::auth::region: {get_param: KeystoneRegion} tacker::keystone::auth::password: {get_param: TackerPassword} tacker::keystone::auth::public_url: {get_param: [EndpointMap, TackerPublic, uri]} tacker::keystone::auth::internal_url: {get_param: [EndpointMap, TackerInternal, uri]} diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml index 67e14d9c..ff2b067f 100644 --- a/puppet/services/tripleo-firewall.yaml +++ b/puppet/services/tripleo-firewall.yaml @@ -37,3 +37,9 @@ outputs: tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules} step_config: | include ::tripleo::firewall + upgrade_tasks: + - name: blank ipv6 rule before activating ipv6 firewall. + tags: step3 + shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables + args: + creates: /etc/sysconfig/ip6tables.n-o-upgrade diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml index a320f694..33769d02 100644 --- a/puppet/services/zaqar.yaml +++ b/puppet/services/zaqar.yaml @@ -30,6 +30,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + ZaqarPolicies: + description: | + A hash of policies to configure for Zaqar. + e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: @@ -38,6 +44,7 @@ outputs: value: service_name: zaqar config_settings: + zaqar::policy::policies: {get_param: ZaqarPolicies} zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} zaqar::keystone::authtoken::project_name: 'service' zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} diff --git a/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml b/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml new file mode 100644 index 00000000..d1f73407 --- /dev/null +++ b/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support to configure Ceilometer Agent Ipmi profiles. diff --git a/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml new file mode 100644 index 00000000..81835323 --- /dev/null +++ b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for L2 Gateway Neutron service plugin diff --git a/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml new file mode 100644 index 00000000..19452f27 --- /dev/null +++ b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml @@ -0,0 +1,5 @@ +--- +features: + - Add capabilities to configure LDAP backends as for keystone domains. + This can be done by using the KeystoneLDAPDomainEnable and + KeystoneLDAPBackendConfigs parameters. diff --git a/releasenotes/notes/add-qdr-99a27dffef42c13e.yaml b/releasenotes/notes/add-qdr-99a27dffef42c13e.yaml new file mode 100644 index 00000000..163536dd --- /dev/null +++ b/releasenotes/notes/add-qdr-99a27dffef42c13e.yaml @@ -0,0 +1,8 @@ +--- +features: + - Introduce the ability to deploy the qpid-dispatch-router (Qdr) for + the oslo.messaging AMQP 1.0 driver backend. The Qdr provides + direct messaging (e.g. brokerless) communications for + oslo.messaging services. To facilitate simple use for evaluation + in an overcloud deployment, the Qdr aliases the RabbitMQ service + to provide the messaging backend. diff --git a/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml new file mode 100644 index 00000000..ecf35933 --- /dev/null +++ b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml @@ -0,0 +1,3 @@ +--- +features: + - Adds DatabaseSyncTimeout parameter to Nova and Neutron templates. diff --git a/releasenotes/notes/api-policy-4ca739519537f6f4.yaml b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml new file mode 100644 index 00000000..54beb305 --- /dev/null +++ b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml @@ -0,0 +1,13 @@ +--- +features: + - | + TripleO is now able to configure role-based access API policies with new + parameters for each API service. + For example, Nova API service has now NovaApiPolicies and the value + could be { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + It will configure /etc/nova/policy.json file and configure context_is_admin + to true. Puppet will take care of this configuration and API services are + restarted when the file is touched. + We're also adding augeas resource to the list of Puppet providers that + container deployments grab in the catalog to generate configurations, so + this feature can be used when deploying TripleO in containers. diff --git a/releasenotes/notes/big-switch-agent-4c743a2112251234.yaml b/releasenotes/notes/big-switch-agent-4c743a2112251234.yaml new file mode 100644 index 00000000..49ede200 --- /dev/null +++ b/releasenotes/notes/big-switch-agent-4c743a2112251234.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Updated bigswitch environment file to include the bigswitch agent + installation and correct support for the restproxy configuration. diff --git a/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml b/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml new file mode 100644 index 00000000..298a8ece --- /dev/null +++ b/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - The initial firewall will now be purged by the deployed-server bootstrap + scripts. This is needed to prevent possible issues with bootstrapping the + initial Pacemaker cluster. See + https://bugs.launchpad.net/tripleo/+bug/1679234 diff --git a/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml b/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml new file mode 100644 index 00000000..2661f7c9 --- /dev/null +++ b/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml @@ -0,0 +1,4 @@ +--- +deprecations: + - Deprecate and disable ceilometer Api by default. This can be enabled + by passing in an env file to deploy command. diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml new file mode 100644 index 00000000..3168a549 --- /dev/null +++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml @@ -0,0 +1,12 @@ +--- +upgrade: + - | + The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent + exposing sensitive data through core dumps of processes with elevated + permissions. Deployments that set or depend on non-zero values for + fs.suid_dumpable may be affected by upgrading. +security: + - | + Explicitly disable core dump for setuid programs by setting + fs.suid_dumpable = 0, this will descrease the risk of unauthorized access + of core dump file generated by setuid program. diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml new file mode 100644 index 00000000..0f226a84 --- /dev/null +++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml @@ -0,0 +1,19 @@ +--- +upgrade: + - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects + are now set to 0 to prevent a compromised host from sending invalid ICMP + redirects to other router devices. + - The net.ipv4.conf.default.accept_redirects, + net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects + are now set to 0 to prevent forged ICMP packet from altering host's routing + tables. + - The net.ipv4.conf.default.secure_redirects & + net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance + of secure ICMP redirected packets. +security: + - Invalide ICMP redirects may corrupt routing and have users access a system + set up by the attacker as opposed to a valid system. + - Routing tables may be altered by bogus ICMP redirect messages and send + packets to incorrect networks. + - Secure ICMP redirects are the same as ICMP redirects, except they come from + gateways listed on the default gateway list. diff --git a/releasenotes/notes/docker-service-all-roles-5c22a018caeafcf0.yaml b/releasenotes/notes/docker-service-all-roles-5c22a018caeafcf0.yaml new file mode 100644 index 00000000..734db08a --- /dev/null +++ b/releasenotes/notes/docker-service-all-roles-5c22a018caeafcf0.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + When deploying with environments/docker.yaml, the docker service + is now deployed on all predefined roles. diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml new file mode 100644 index 00000000..bb2543f2 --- /dev/null +++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are + now set to 1 to enable logging of suspicious packets. +security: + - | + Logging of suspicious packets allows an administrator to investigate the + spoofed packets sent to their system. diff --git a/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml b/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml new file mode 100644 index 00000000..ef8877ae --- /dev/null +++ b/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml @@ -0,0 +1,10 @@ +--- +fixes: + - The deployed-server Heat agent configuration script, + get-occ-config.sh, is now updated to configure the + local data source for os-collect-config instead of + configuring /etc/os-collect-config.conf directly. Doing + so means that the configuration template for os-apply-config + no longer has to be deleted as the file will be rendered + correctly with the right data. See + https://bugs.launchpad.net/tripleo/+bug/1679705 diff --git a/releasenotes/notes/ironic-neutron-integration-76c4f9e0d10785e4.yaml b/releasenotes/notes/ironic-neutron-integration-76c4f9e0d10785e4.yaml new file mode 100644 index 00000000..dd99acc7 --- /dev/null +++ b/releasenotes/notes/ironic-neutron-integration-76c4f9e0d10785e4.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Allow setting the Ironic provisioning network UUID or name via new + ``IronicProvisioningNetwork`` configuration. + - | + Enable support for "neutron" Ironic networking plugin, enabling advanced + integration with Neutron, such as VLAN/VXLAN network support, bonding and + security groups. diff --git a/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml b/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml new file mode 100644 index 00000000..c327265a --- /dev/null +++ b/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Previously the RHEL registration script disabled the satellite repo after + installing the necessary packages from it. This makes it awkward to + update those packages later, so the repo will no longer be disabled. diff --git a/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml b/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml new file mode 100644 index 00000000..d0624265 --- /dev/null +++ b/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - Since panko is enabled by default, include it the default dispatcher + for ceilometer events. diff --git a/releasenotes/notes/ovn-fcd4b0168e6745a8.yaml b/releasenotes/notes/ovn-fcd4b0168e6745a8.yaml new file mode 100644 index 00000000..f5ccec06 --- /dev/null +++ b/releasenotes/notes/ovn-fcd4b0168e6745a8.yaml @@ -0,0 +1,6 @@ +--- +features: + - Support configuring NeutronBridgeMappings + - Set force_config_drive to true as OVN doesn't support metadata service + - Add necessary iptables rules to allow Geneve traffic and ovsdb-server + traffic for Northbound and Southbound databases. diff --git a/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml b/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml new file mode 100644 index 00000000..8c210823 --- /dev/null +++ b/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml @@ -0,0 +1,12 @@ +--- +issues: + - During the ovs upgrade for 2.5 to 2.6 we need to workaround the classic + yum update command by handling the upgrade of the package separately to not + loose the IPs and the connectivity on the nodes. The workaround is + discussed here https://bugs.launchpad.net/tripleo/+bug/1669714 +upgrade: + - The upgrade from openvswitch 2.5 to 2.6 is handled gracefully and there should + be no user impact in particular no restart of the openvswitch service. For more + information please see the related bug above which also links the relevant code reviews. + The workaround (transparent to the user/doesn't require any input) is to download the OVS + package and install with --nopostun and --notriggerun options provided by the rpm binary. diff --git a/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml b/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml new file mode 100644 index 00000000..09d3be03 --- /dev/null +++ b/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml @@ -0,0 +1,20 @@ +--- +upgrade: + - | + The default network for the ctlplane changed from 192.0.2.0/24 to + 192.168.24.0/24. All references to the ctlplane network in the templates + have been updated to reflect this change. When upgrading from a previous + release, if the default network was used for the ctlplane (192.0.2.0/24), + then it is necessary to provide as input, via environment file, the correct + setting for all the parameters that previously defaulted to 192.0.2.x and + now default to 192.168.24.x; there is an environment file which could be + used on upgrade `environments/updates/update-from-192_0_2-subnet.yaml` to + cover a simple scenario but it won't be enough for scenarios using an + external load balancer, Contrail or Cisto N1KV. Follows a list of params to + be provided on upgrade. + From contrail-net.yaml: EC2MetadataIp, ControlPlaneDefaultRoute + From external-loadbalancer-vip-v6.yaml: ControlFixedIPs + From external-loadbalancer-vip.yaml: ControlFixedIPs + From network-environment.yaml: EC2MetadataIp, ControlPlaneDefaultRoute + From neutron-ml2-cisco-n1kv.yaml: N1000vVSMIP, N1000vMgmtGatewayIP + From contrail-vrouter.yaml: ContrailVrouterGateway diff --git a/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml b/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml new file mode 100644 index 00000000..86622bc1 --- /dev/null +++ b/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml @@ -0,0 +1,3 @@ +--- +fixes: + - Add knobs to limit memory comsumed by mongodb with systemd diff --git a/releasenotes/notes/set-ceilometer-auth-flag-382f68ddb2cbcb6b.yaml b/releasenotes/notes/set-ceilometer-auth-flag-382f68ddb2cbcb6b.yaml new file mode 100644 index 00000000..07407f20 --- /dev/null +++ b/releasenotes/notes/set-ceilometer-auth-flag-382f68ddb2cbcb6b.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - We need ceilometer user in cases where ceilometer API is disabled. + This is to ensure other ceilometer services can still authenticate + with keystone. diff --git a/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml b/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml new file mode 100644 index 00000000..20146b0a --- /dev/null +++ b/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - The ``pci_passthrough`` hiera value should be passed as a string + (`bug 1675036 <https://bugs.launchpad.net/tripleo/+bug/1675036>`__). diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py index 8da995b0..ec158ceb 100644 --- a/releasenotes/source/conf.py +++ b/releasenotes/source/conf.py @@ -52,9 +52,9 @@ copyright = u'2017, TripleO Developers' # built documents. # # The full version, including alpha/beta/rc tags. -release = '6.0.0.0b3' +release = '7.0.0.0b1' # The short X.Y version. -version = '6.0.0' +version = '7.0.0' # The full version, including alpha/beta/rc tags. diff --git a/requirements.txt b/requirements.txt index 057aa287..df8a71f5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@ # The order of packages is significant, because pip processes them in the order # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. -pbr>=1.8 # Apache-2.0 +pbr>=2.0.0 # Apache-2.0 Jinja2!=2.9.0,!=2.9.1,!=2.9.2,!=2.9.3,!=2.9.4,>=2.8 # BSD License (3 clause) six>=1.9.0 # MIT diff --git a/roles_data.yaml b/roles_data.yaml index 130451ff..48859473 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -53,8 +53,9 @@ - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQLClient - - OS::TripleO::Services::NeutronBgpvpnApi + - OS::TripleO::Services::NeutronBgpVpnApi - OS::TripleO::Services::NeutronDhcpAgent + - OS::TripleO::Services::NeutronL2gwApi - OS::TripleO::Services::NeutronL3Agent - OS::TripleO::Services::NeutronMetadataAgent - OS::TripleO::Services::NeutronApi @@ -81,8 +82,8 @@ - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::Timezone - - OS::TripleO::Services::CeilometerApi - OS::TripleO::Services::CeilometerCollector - OS::TripleO::Services::CeilometerExpirer - OS::TripleO::Services::CeilometerAgentCentral @@ -143,6 +144,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::Kernel @@ -161,6 +163,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Vpp - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::Docker - name: BlockStorage ServicesDefault: @@ -172,6 +175,7 @@ - OS::TripleO::Services::Timezone - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall - OS::TripleO::Services::SensuClient @@ -179,6 +183,7 @@ - OS::TripleO::Services::AuditD - OS::TripleO::Services::Collectd - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::Docker - name: ObjectStorage disable_upgrade_deployment: True @@ -191,6 +196,7 @@ - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall @@ -199,6 +205,7 @@ - OS::TripleO::Services::AuditD - OS::TripleO::Services::Collectd - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::Docker - name: CephStorage ServicesDefault: @@ -209,6 +216,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall @@ -217,3 +225,4 @@ - OS::TripleO::Services::AuditD - OS::TripleO::Services::Collectd - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::Docker diff --git a/scripts/hosts-config.sh b/scripts/hosts-config.sh index f456b316..b3109a0c 100755 --- a/scripts/hosts-config.sh +++ b/scripts/hosts-config.sh @@ -13,14 +13,16 @@ write_entries() { if grep -q "^# HEAT_HOSTS_START" "$file"; then temp=$(mktemp) - awk -v v="$entries" '/^# HEAT_HOSTS_START/ { - print $0 - print v - f=1 - }f &&!/^# HEAT_HOSTS_END$/{next}/^# HEAT_HOSTS_END$/{f=0}!f' "$file" > "$temp" - echo "INFO: Updating hosts file $file, check below for changes" - diff "$file" "$temp" || true - cat "$temp" > "$file" + ( + sed '/^# HEAT_HOSTS_START/,$d' "$file" + echo -ne "\n# HEAT_HOSTS_START - Do not edit manually within this section!\n" + echo "$entries" + echo -ne "# HEAT_HOSTS_END\n\n" + sed '1,/^# HEAT_HOSTS_END/d' "$file" + ) > "$temp" + echo "INFO: Updating hosts file $file, check below for changes" + diff "$file" "$temp" || true + cat "$temp" > "$file" else echo -ne "\n# HEAT_HOSTS_START - Do not edit manually within this section!\n" >> "$file" echo "$entries" >> "$file" @@ -25,5 +25,5 @@ except ImportError: pass setuptools.setup( - setup_requires=['pbr>=1.8'], + setup_requires=['pbr>=2.0.0'], pbr=True) diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 5ff6f134..5669a8af 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -212,8 +212,10 @@ def validate(filename): % filename) return 1 + # qdr aliases rabbitmq service to provide alternative messaging backend if (filename.startswith('./puppet/services/') and - filename != './puppet/services/services.yaml'): + filename not in ['./puppet/services/services.yaml', + './puppet/services/qdr.yaml']): retval = validate_service(filename, tpl) if (filename.startswith('./docker/services/') and |