-rw-r--r-- | ci/environments/scenario001-multinode-containers.yaml | 12 | ||||
-rwxr-xr-x | docker/docker-puppet.py | 2 | ||||
-rw-r--r-- | docker/services/keystone.yaml | 2 | ||||
-rw-r--r-- | docker/services/sahara-api.yaml | 1 | ||||
-rw-r--r-- | environments/docker-ha.yaml | 22 | ||||
-rw-r--r-- | environments/neutron-ml2-cisco-nexus-ucsm.yaml | 1 | ||||
-rw-r--r-- | overcloud-resource-registry-puppet.j2.yaml | 1 | ||||
-rw-r--r-- | puppet/post-upgrade.j2.yaml | 7 | ||||
-rw-r--r-- | puppet/services/nova-api.yaml | 2 | ||||
-rw-r--r-- | puppet/services/nova-conductor.yaml | 2 | ||||
-rw-r--r-- | puppet/services/nova-metadata.yaml | 2 | ||||
-rw-r--r-- | puppet/services/nova-placement.yaml | 2 | ||||
-rw-r--r-- | roles/Controller.yaml | 1 | ||||
-rw-r--r-- | roles/ControllerOpenstack.yaml | 1 | ||||
-rw-r--r-- | roles_data.yaml | 1 | ||||
-rwxr-xr-x | tools/yaml-validate.py | 17 |
16 files changed, 63 insertions, 13 deletions
diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml index c142922a..7c323811 100644 --- a/ci/environments/scenario001-multinode-containers.yaml +++ b/ci/environments/scenario001-multinode-containers.yaml @@ -6,15 +6,17 @@ resource_registry: OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + # TODO deploy ceph with ceph-ansible: https://review.openstack.org/#/c/465066/ OS::TripleO::Services::CephMon: ../../puppet/services/ceph-mon.yaml OS::TripleO::Services::CephOSD: ../../puppet/services/ceph-osd.yaml OS::TripleO::Services::CephClient: ../../puppet/services/ceph-client.yaml - OS::TripleO::Services::PankoApi: ../../puppet/services/panko-api.yaml - OS::TripleO::Services::Collectd: ../../puppet/services/metrics/collectd.yaml - OS::TripleO::Services::Tacker: ../../puppet/services/tacker.yaml - OS::TripleO::Services::Congress: ../../puppet/services/congress.yaml + OS::TripleO::Services::PankoApi: ../../docker/services/panko-api.yaml + OS::TripleO::Services::Collectd: ../../docker/services/collectd.yaml + OS::TripleO::Services::Tacker: ../../docker/services/tacker.yaml + OS::TripleO::Services::Congress: ../../docker/services/congress-api.yaml + # TODO fluentd is being containerized: https://review.openstack.org/#/c/467072/ OS::TripleO::Services::FluentdClient: ../../puppet/services/logging/fluentd-client.yaml - OS::TripleO::Services::SensuClient: ../../puppet/services/monitoring/sensu-client.yaml + OS::TripleO::Services::SensuClient: ../../docker/services/sensu-client.yaml # NOTE: This is needed because of upgrades from Ocata to Pike. We # deploy the initial environment with Ocata templates, and # overcloud-resource-registry.yaml there doesn't have this Docker diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index 430aa88b..4c193e49 100755 --- a/docker/docker-puppet.py 
+++ b/docker/docker-puppet.py @@ -221,7 +221,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume # Write a checksum of the config-data dir, this is used as a # salt to trigger container restart when the config changes - tar cf - /var/lib/config-data/${NAME} | md5sum | awk '{print $1}' > /var/lib/config-data/${NAME}.md5sum + tar -c -f - /var/lib/config-data/${NAME} --mtime='1970-01-01' | md5sum | awk '{print $1}' > /var/lib/config-data/${NAME}.md5sum fi """) diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 011ffaaa..b6cfa21e 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -113,6 +113,7 @@ outputs: keystone_db_sync: image: *keystone_image net: host + user: root privileged: false detach: false volumes: &keystone_volumes @@ -152,6 +153,7 @@ outputs: keystone_bootstrap: start_order: 3 action: exec + user: root command: [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ] docker_puppet_tasks: diff --git a/docker/services/sahara-api.yaml b/docker/services/sahara-api.yaml index 55c42abd..32d64583 100644 --- a/docker/services/sahara-api.yaml +++ b/docker/services/sahara-api.yaml @@ -92,6 +92,7 @@ outputs: net: host privileged: false detach: false + user: root volumes: &sahara_volumes list_concat: - {get_attr: [ContainersCommon, volumes]} diff --git a/environments/docker-ha.yaml b/environments/docker-ha.yaml new file mode 100644 index 00000000..442262b3 --- /dev/null +++ b/environments/docker-ha.yaml 
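Review bot: The checksum command in the shell snippet inside mp_puppet_config still hashes more than file contents. Pinning `--mtime='1970-01-01'` takes timestamps out of the tar stream, but member order (directory read order) and owner/mode metadata still feed `md5sum`, so the digest is only as stable as those are. If spurious restarts persist, GNU tar's `--sort=name` would fix the order, provided the installed tar supports it. The comment above the command should also record that the digest is a restart salt and not an integrity check, e.g. `# md5 is only a change detector here, not a security control; mtime is pinned so rewriting identical files does not change it`. The function body starts and ends outside the hunk.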
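Review bot: `user: root` is added to `keystone_db_sync` and `keystone_bootstrap`, and to the container in the docker/services/sahara-api.yaml hunk that follows, with no comment saying why these containers need root. The check added to tools/yaml-validate.py in this same commit requires root only where the command calls `bootstrap_host_exec`. The `keystone_db_sync` and sahara commands are outside their hunks, so it cannot be confirmed from here that they call it. A one-line comment next to each entry, such as `# root is required by bootstrap_host_exec`, would keep the elevated user from being copied to containers that do not need it.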
@@ -0,0 +1,22 @@ +# Environment file to deploy the HA services via docker +# Add it *after* -e docker.yaml: +# ...deploy..-e docker.yaml -e docker-ha.yaml +resource_registry: + # Pacemaker runs on the host + OS::TripleO::Tasks::ControllerPreConfig: ../extraconfig/tasks/pre_puppet_pacemaker.yaml + OS::TripleO::Tasks::ControllerPostConfig: ../extraconfig/tasks/post_puppet_pacemaker.yaml + OS::TripleO::Tasks::ControllerPostPuppetRestart: ../extraconfig/tasks/post_puppet_pacemaker_restart.yaml + OS::TripleO::Services::Pacemaker: ../puppet/services/pacemaker.yaml + OS::TripleO::Services::PacemakerRemote: ../puppet/services/pacemaker_remote.yaml + + # Services that are disabled for HA deployments with pacemaker + OS::TripleO::Services::Keepalived: OS::Heat::None + + # HA Containers managed by pacemaker + OS::TripleO::Services::CinderVolume: ../docker/services/pacemaker/cinder-volume.yaml + OS::TripleO::Services::CinderBackup: ../docker/services/pacemaker/cinder-backup.yaml + OS::TripleO::Services::Clustercheck: ../docker/services/pacemaker/clustercheck.yaml + OS::TripleO::Services::HAproxy: ../docker/services/pacemaker/haproxy.yaml + OS::TripleO::Services::MySQL: ../docker/services/pacemaker/database/mysql.yaml + OS::TripleO::Services::RabbitMQ: ../docker/services/pacemaker/rabbitmq.yaml + OS::TripleO::Services::Redis: ../docker/services/pacemaker/database/redis.yaml diff --git a/environments/neutron-ml2-cisco-nexus-ucsm.yaml b/environments/neutron-ml2-cisco-nexus-ucsm.yaml index f5a0a399..2c87470b 100644 --- a/environments/neutron-ml2-cisco-nexus-ucsm.yaml +++ b/environments/neutron-ml2-cisco-nexus-ucsm.yaml @@ -2,7 +2,6 @@ # a Cisco Neutron plugin. resource_registry: OS::TripleO::AllNodesExtraConfig: ../puppet/extraconfig/all_nodes/neutron-ml2-cisco-nexus-ucsm.yaml - OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None OS::TripleO::Services::ComputeNeutronCorePlugin: OS::Heat::None parameter_defaults: 
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index b1a35293..51cc85d8 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -268,6 +268,7 @@ resource_registry: OS::TripleO::Services::Docker: OS::Heat::None OS::TripleO::Services::CertmongerUser: OS::Heat::None OS::TripleO::Services::Iscsid: OS::Heat::None + OS::TripleO::Services::Clustercheck: OS::Heat::None parameter_defaults: EnablePackageInstall: false diff --git a/puppet/post-upgrade.j2.yaml b/puppet/post-upgrade.j2.yaml index c51b6e1b..bdd1e613 100644 --- a/puppet/post-upgrade.j2.yaml +++ b/puppet/post-upgrade.j2.yaml @@ -8,17 +8,20 @@ parameters: servers: type: json description: Mapping of Role name e.g Controller to a list of servers - + stack_name: + type: string + description: Name of the topmost stack role_data: type: json description: Mapping of Role name e.g Controller to the per-role data - DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + ctlplane_service_ips: + type: json resources: # Note the include here is the same as post.j2.yaml but the data used at diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 7e741d8c..4ce5316d 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -28,7 +28,7 @@ parameters: type: json NovaWorkers: default: 0 - description: Number of workers for Nova API service. + description: Number of workers for Nova services. type: number NovaPassword: description: The password for the nova service and db account, used by nova-api. diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index 30eb1277..b83b9852 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml 
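Review bot: In puppet/post-upgrade.j2.yaml, `ctlplane_service_ips` is declared with only `type: json`, while every other parameter in this hunk carries a `description:`. Add one that states what the mapping holds, for example `description: Mapping of service name to its ctlplane IP address` if that is what the caller passes. The resource that consumes the parameter is outside the hunk.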
@@ -28,7 +28,7 @@ parameters: type: json NovaWorkers: default: 0 - description: Number of workers for Nova Conductor service. + description: Number of workers for Nova services. type: number MonitoringSubscriptionNovaConductor: default: 'overcloud-nova-conductor' diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml index 335b2c28..bc7dc1b0 100644 --- a/puppet/services/nova-metadata.yaml +++ b/puppet/services/nova-metadata.yaml @@ -28,7 +28,7 @@ parameters: type: json NovaWorkers: default: 0 - description: Number of workers for Nova API service. + description: Number of workers for Nova services. type: number conditions: diff --git a/puppet/services/nova-placement.yaml b/puppet/services/nova-placement.yaml index 86aa079e..aaa7ef5b 100644 --- a/puppet/services/nova-placement.yaml +++ b/puppet/services/nova-placement.yaml @@ -28,7 +28,7 @@ parameters: type: json NovaWorkers: default: 0 - description: Number of workers for Nova Placement API service. + description: Number of workers for Nova services. type: number NovaPassword: description: The password for the nova service and db account, used by nova-placement. diff --git a/roles/Controller.yaml b/roles/Controller.yaml index b0a13138..e156396d 100644 --- a/roles/Controller.yaml +++ b/roles/Controller.yaml @@ -46,6 +46,7 @@ - OS::TripleO::Services::CinderVolume - OS::TripleO::Services::Collectd - OS::TripleO::Services::Congress + - OS::TripleO::Services::Clustercheck - OS::TripleO::Services::Docker - OS::TripleO::Services::Ec2Api - OS::TripleO::Services::Etcd diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml index 6cf2120e..4ad405aa 100644 --- a/roles/ControllerOpenstack.yaml +++ b/roles/ControllerOpenstack.yaml 
@@ -40,6 +40,7 @@ - OS::TripleO::Services::CinderVolume - OS::TripleO::Services::Collectd - OS::TripleO::Services::Congress + - OS::TripleO::Services::Clustercheck - OS::TripleO::Services::Docker - OS::TripleO::Services::Ec2Api - OS::TripleO::Services::Etcd diff --git a/roles_data.yaml b/roles_data.yaml index f96e5625..d84b6378 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -47,6 +47,7 @@ - OS::TripleO::Services::CinderHPELeftHandISCSI - OS::TripleO::Services::CinderScheduler - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::Clustercheck - OS::TripleO::Services::Collectd - OS::TripleO::Services::Congress - OS::TripleO::Services::Docker diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 233ec185..674449f5 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -200,6 +200,23 @@ def validate_docker_service(filename, tpl): % (expected_config_image_parameter, config_volume)) return 1 + if 'docker_config' in role_data: + docker_config = role_data['docker_config'] + for _, step in docker_config.items(): + for _, container in step.items(): + if not isinstance(container, dict): + # NOTE(mandre) this skips everything that is not a dict + # so we may ignore some containers definitions if they + # are in a map_merge for example + continue + command = container.get('command', '') + if isinstance(command, list): + command = ' '.join(map(str, command)) + if 'bootstrap_host_exec' in command \ + and container.get('user') != 'root': + print('ERROR: bootstrap_host_exec needs to run as the root user.') + return 1 + if 'parameters' in tpl: for param in required_params: if param not in tpl['parameters']: |
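Review bot: In tools/yaml-validate.py the new root check guards only the container level with `isinstance(container, dict)`, while `step.items()` is called on whatever each `docker_config` value is. A step that is a list or a string would raise AttributeError instead of producing a validation result. The check also passes silently when `command` is a mapping, because `'bootstrap_host_exec' in command` then tests dict keys, and the error message names neither the file nor the container. Guard the step the same way as the container and put `filename` and the container name in the message. validate_docker_service starts and ends outside the hunk.

```python
    if 'docker_config' in role_data:
        docker_config = role_data['docker_config']
        for step_name, step in docker_config.items():
            if not isinstance(step, dict):
                # same limitation as for containers: a step that is not
                # a plain mapping is not inspected
                continue
            for container_name, container in step.items():
                # … unchanged: non-dict container skip, command flattening …
                if 'bootstrap_host_exec' in command \
                        and container.get('user') != 'root':
                    print('ERROR: container %s (%s) in %s calls '
                          'bootstrap_host_exec but does not run as the '
                          'root user.'
                          % (container_name, step_name, filename))
                    return 1
```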