diff options
83 files changed, 1203 insertions, 394 deletions
diff --git a/capabilities-map.yaml b/capabilities-map.yaml index 7ed0deb4..cc22ff92 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -444,30 +444,59 @@ topics: configured via puppet requires: - overcloud-resource-registry-puppet.yaml - - title: Externally managed Ceph + - title: Ceph description: > - Enable the use of an externally managed Ceph cluster + Enable the use of Ceph in the overcloud environments: - file: environments/puppet-ceph-external.yaml title: Externally managed Ceph - description: + description: > + Configures the overcloud to use an externally managed Ceph cluster, via RBD driver. + requires: + - overcloud-resource-registry-puppet.yaml + - file: environments/puppet-ceph.yaml + title: TripleO managed Ceph + description: > + Deploys a Ceph cluster via TripleO, requires at lease one CephStorage node or + use of hyperconverged-ceph.yaml environment for the HCI scenario, where CephOSD is + colocated with NovaCompute and configures the overcloud to use it, via RBD driver. requires: - overcloud-resource-registry-puppet.yaml - - title: Ceph Devel + - title: CephMDS + description: > + Deploys CephMDS via TripleO, an additional Ceph service needed to create shared + filesystems hosted in Ceph. + environments: + - file: environments/services/ceph-mds.yaml + title: Deploys CephMDS + description: + requires: + - environments/puppet-ceph.yaml + - title: Ceph Rados Gateway description: > - Enable a Ceph storage cluster using the controller and 2 ceph nodes. - Rbd backends are enabled for Cinder, Glance, and Nova. + Deploys CephRGW via TripleO, transparently replaces Swift providing a compatible API + which stores data in the Ceph cluster. environments: - - file: environments/puppet-ceph-devel.yaml - title: Ceph Devel + - file: environments/ceph-radosgw.yaml + title: Deploys CephRGW description: requires: + - environments/puppet-ceph.yaml + - title: Manila with CephFS + description: > + Deploys Manila and configures it with the CephFS driver. This requires the deployment of + Ceph and CephMDS from TripleO or the use of an external Ceph cluster for the overcloud. + environments: + - file: environments/manila-cephfsnative-config.yaml + title: Deploys Manila with CephFS driver + description: Deploys Manila and configures CephFS as its default backend. + requires: - overcloud-resource-registry-puppet.yaml - title: Storage Environment description: > Can be used to set up storage backends. Defaults to Ceph used as a - backend for Cinder, Glance and Nova ephemeral storage. It configures - for example which services will use Ceph, or if any of the services + backend for Cinder, Glance, Nova ephemeral storage and Gnocchi. It + configures which services will use Ceph, or if any of the services will use NFS. And more. Usually requires to be edited by user first. tags: - no-gui diff --git a/ci/environments/multinode-core.yaml b/ci/environments/multinode-core.yaml new file mode 100644 index 00000000..0c07a1b0 --- /dev/null +++ b/ci/environments/multinode-core.yaml @@ -0,0 +1,37 @@ +heat_template_version: ocata + +description: > + OpenStack Core Service + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + Debug: + type: string + default: '' + +resources: + +outputs: + role_data: + description: Role data for the multinode firewall configuration + value: + service_name: multinode_core + config_settings: + tripleo.core.firewall_rules: + '999 core': + proto: 'udp' + dport: + - 4789 diff --git a/ci/environments/multinode_major_upgrade.yaml b/ci/environments/multinode_major_upgrade.yaml index 56d04de5..4859c23a 100644 --- a/ci/environments/multinode_major_upgrade.yaml +++ b/ci/environments/multinode_major_upgrade.yaml @@ -1,12 +1,10 @@ resource_registry: OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Services::Core: multinode-core.yaml parameter_defaults: ControllerServices: - OS::TripleO::Services::CACerts - - OS::TripleO::Services::Core - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi diff --git a/ci/scripts/freeipa_setup.sh b/ci/scripts/freeipa_setup.sh index c9a5cba2..e699841f 100644 --- a/ci/scripts/freeipa_setup.sh +++ b/ci/scripts/freeipa_setup.sh @@ -22,6 +22,15 @@ elif [ -f "/tmp/freeipa-setup.env" ]; then source /tmp/freeipa-setup.env fi +export Hostname=${Hostname:-""} +export FreeIPAIP=${FreeIPAIP:-""} +export DirectoryManagerPassword=${DirectoryManagerPassword:-""} +export AdminPassword=${AdminPassword:-""} +export UndercloudFQDN=${UndercloudFQDN:-""} +export HostsSecret=${HostsSecret:-""} +export ProvisioningCIDR=${ProvisioningCIDR:-""} +export UsingNovajoin=${UsingNovajoin:-""} + if [ -n "$ProvisioningCIDR" ]; then # Add address to provisioning network interface ip link set dev eth1 up @@ -85,7 +94,9 @@ rm -f /etc/httpd/conf.d/ssl.conf # Set up FreeIPA ipa-server-install -U -r `hostname -d|tr "[a-z]" "[A-Z]"` \ -p $DirectoryManagerPassword -a $AdminPassword \ - --hostname `hostname -f` + --hostname `hostname -f` \ + --ip-address=$FreeIPAIP \ + --setup-dns --auto-forwarders --auto-reverse # Authenticate echo $AdminPassword | kinit admin diff --git a/docker/copy-etc.sh b/docker/copy-etc.sh deleted file mode 100644 index 1a6cd520..00000000 --- a/docker/copy-etc.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash -echo "Copying agent container /etc to /var/lib/etc-data" -cp -a /etc/* /var/lib/etc-data/ diff --git a/docker/create-config-dir.sh b/docker/create-config-dir.sh new file mode 100644 index 00000000..1be1a56f --- /dev/null +++ b/docker/create-config-dir.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# This is where we stack puppet configuration (for now)... +mkdir -p /var/lib/config-data + +# This is the docker-puppet configs end in +mkdir -p /var/lib/docker-puppet diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py new file mode 100755 index 00000000..2d560819 --- /dev/null +++ b/docker/docker-puppet.py @@ -0,0 +1,210 @@ +#!/usr/bin/env python +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# Shell script tool to run puppet inside of the given docker container image. +# Uses the config file at /var/lib/docker-puppet/docker-puppet.json as a source for a JSON +# array of [config_volume, puppet_tags, manifest, config_image, [volumes]] settings +# that can be used to generate config files or run ad-hoc puppet modules +# inside of a container. + +import json +import os +import subprocess +import sys +import tempfile + + +# this is to match what we do in deployed-server +def short_hostname(): + subproc = subprocess.Popen(['hostname', '-s'], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + cmd_stdout, cmd_stderr = subproc.communicate() + return cmd_stdout.rstrip() + + +def pull_image(name): + print('Pulling image: %s' % name) + subproc = subprocess.Popen(['/usr/bin/docker', 'pull', name], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + cmd_stdout, cmd_stderr = subproc.communicate() + print(cmd_stdout) + print(cmd_stderr) + + +def rm_container(name): + print('Removing container: %s' % name) + subproc = subprocess.Popen(['/usr/bin/docker', 'rm', name], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + cmd_stdout, cmd_stderr = subproc.communicate() + print(cmd_stdout) + print(cmd_stderr) + + +config_file = os.environ.get('CONFIG', '/var/lib/docker-puppet/docker-puppet.json') +print('docker-puppet') +print('CONFIG: %s' % config_file) +with open(config_file) as f: + json_data = json.load(f) + +# To save time we support configuring 'shared' services at the same +# time. For example configuring all of the heat services +# in a single container pass makes sense and will save some time. +# To support this we merge shared settings together here. +# +# We key off of config_volume as this should be the same for a +# given group of services. We are also now specifying the container +# in which the services should be configured. This should match +# in all instances where the volume name is also the same. + +configs = {} + +for service in json_data: + config_volume = service[0] or '' + puppet_tags = service[1] or '' + manifest = service[2] or '' + config_image = service[3] or '' + volumes = service[4] if len(service) > 4 else [] + + print('---------') + print('config_volume %s' % config_volume) + print('puppet_tags %s' % puppet_tags) + print('manifest %s' % manifest) + print('config_image %s' % config_image) + print('volumes %s' % volumes) + # We key off of config volume for all configs. + if config_volume in configs: + # Append puppet tags and manifest. + print("Existing service, appending puppet tags and manifest\n") + if puppet_tags: + configs[config_volume][1] = '%s,%s' % (configs[config_volume][1], + puppet_tags) + if manifest: + configs[config_volume][2] = '%s\n%s' % (configs[config_volume][2], + manifest) + if configs[config_volume][3] != config_image: + print("WARNING: Config containers do not match even though" + " shared volumes are the same!\n") + else: + print("Adding new service\n") + configs[config_volume] = service + +print('Service compilation completed.\n') + +for config_volume in configs: + + service = configs[config_volume] + puppet_tags = service[1] or '' + manifest = service[2] or '' + config_image = service[3] or '' + volumes = service[4] if len(service) > 4 else [] + + if puppet_tags: + puppet_tags = "file,file_line,concat,%s" % puppet_tags + else: + puppet_tags = "file,file_line,concat" + + print('---------') + print('config_volume %s' % config_volume) + print('puppet_tags %s' % puppet_tags) + print('manifest %s' % manifest) + print('config_image %s' % config_image) + hostname = short_hostname() + + with open('/var/lib/docker-puppet/docker-puppet.sh', 'w') as script_file: + os.chmod(script_file.name, 0755) + script_file.write("""#!/bin/bash + set -ex + mkdir -p /etc/puppet + cp -a /tmp/puppet-etc/* /etc/puppet + rm -Rf /etc/puppet/ssl # not in use and causes permission errors + echo '{"step": 6}' > /etc/puppet/hieradata/docker.json + TAGS="" + if [ -n "%(puppet_tags)s" ]; then + TAGS='--tags "%(puppet_tags)s"' + fi + FACTER_hostname=%(hostname)s FACTER_uuid=docker /usr/bin/puppet apply --verbose $TAGS /etc/config.pp + + # Disables archiving + if [ -z "%(no_archive)s" ]; then + rm -Rf /var/lib/config-data/%(name)s + + # copying etc should be enough for most services + mkdir -p /var/lib/config-data/%(name)s/etc + cp -a /etc/* /var/lib/config-data/%(name)s/etc/ + + if [ -d /root/ ]; then + cp -a /root/ /var/lib/config-data/%(name)s/root/ + fi + if [ -d /var/lib/ironic/tftpboot/ ]; then + mkdir -p /var/lib/config-data/%(name)s/var/lib/ironic/ + cp -a /var/lib/ironic/tftpboot/ /var/lib/config-data/%(name)s/var/lib/ironic/tftpboot/ + fi + if [ -d /var/lib/ironic/httpboot/ ]; then + mkdir -p /var/lib/config-data/%(name)s/var/lib/ironic/ + cp -a /var/lib/ironic/httpboot/ /var/lib/config-data/%(name)s/var/lib/ironic/httpboot/ + fi + + # apache services may files placed in /var/www/ + if [ -d /var/www/ ]; then + mkdir -p /var/lib/config-data/%(name)s/var/www + cp -a /var/www/* /var/lib/config-data/%(name)s/var/www/ + fi + fi + """ % {'puppet_tags': puppet_tags, 'name': config_volume, + 'hostname': hostname, + 'no_archive': os.environ.get('NO_ARCHIVE', '')}) + + with tempfile.NamedTemporaryFile() as tmp_man: + with open(tmp_man.name, 'w') as man_file: + man_file.write('include ::tripleo::packages\n') + man_file.write(manifest) + + rm_container('docker-puppet-%s' % config_volume) + pull_image(config_image) + + dcmd = ['/usr/bin/docker', 'run', + '--user', 'root', + '--name', 'docker-puppet-%s' % config_volume, + '--volume', '%s:/etc/config.pp:ro' % tmp_man.name, + '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro', + '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro', + '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw', + '--volume', 'tripleo_logs:/var/log/tripleo/', + '--volume', '/var/lib/docker-puppet/docker-puppet.sh:/var/lib/docker-puppet/docker-puppet.sh:ro'] + + for volume in volumes: + dcmd.extend(['--volume', volume]) + + dcmd.extend(['--entrypoint', '/var/lib/docker-puppet/docker-puppet.sh']) + + env = {} + if os.environ.get('NET_HOST', 'false') == 'true': + print('NET_HOST enabled') + dcmd.extend(['--net', 'host', '--volume', + '/etc/hosts:/etc/hosts:ro']) + dcmd.append(config_image) + + subproc = subprocess.Popen(dcmd, stdout=subprocess.PIPE, + stderr=subprocess.PIPE, env=env) + cmd_stdout, cmd_stderr = subproc.communicate() + print(cmd_stdout) + print(cmd_stderr) + if subproc.returncode != 0: + print('Failed running docker-puppet.py for %s' % config_volume) + sys.exit(subproc.returncode) + else: + rm_container('docker-puppet-%s' % config_volume) diff --git a/docker/firstboot/setup_docker_host.sh b/docker/firstboot/setup_docker_host.sh new file mode 100755 index 00000000..b2287e91 --- /dev/null +++ b/docker/firstboot/setup_docker_host.sh @@ -0,0 +1,26 @@ +#!/bin/bash +set -eux +# TODO This would be better in puppet + +# TODO remove this when built image includes docker +if [ ! -f "/usr/bin/docker" ]; then + yum -y install docker +fi + +# NOTE(mandre) $docker_namespace_is_registry is not a bash variable but is +# a place holder for text replacement done via heat +if [ "$docker_namespace_is_registry" = "True" ]; then + /usr/bin/systemctl stop docker.service + # if namespace is used with local registry, trim all namespacing + trim_var=$docker_registry + registry_host="${trim_var%%/*}" + /bin/sed -i -r "s/^[# ]*INSECURE_REGISTRY *=.+$/INSECURE_REGISTRY='--insecure-registry $registry_host'/" /etc/sysconfig/docker +fi + +# enable and start docker +/usr/bin/systemctl enable docker.service +/usr/bin/systemctl start docker.service + +# Disable libvirtd +/usr/bin/systemctl disable libvirtd.service +/usr/bin/systemctl stop libvirtd.service diff --git a/docker/firstboot/install_docker_agents.yaml b/docker/firstboot/setup_docker_host.yaml index 41a87406..2f258987 100644 --- a/docker/firstboot/install_docker_agents.yaml +++ b/docker/firstboot/setup_docker_host.yaml @@ -1,9 +1,6 @@ heat_template_version: ocata parameters: - DockerAgentImage: - type: string - default: heat-docker-agents DockerNamespace: type: string default: tripleoupstream @@ -17,22 +14,18 @@ resources: type: OS::Heat::MultipartMime properties: parts: - - config: {get_resource: install_docker_agents} + - config: {get_resource: setup_docker_host} - install_docker_agents: + setup_docker_host: type: OS::Heat::SoftwareConfig properties: group: script config: str_replace: params: - $agent_image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerAgentImage} ] $docker_registry: {get_param: DockerNamespace} $docker_namespace_is_registry: {get_param: DockerNamespaceIsRegistry} - template: {get_file: ./start_docker_agents.sh} + template: {get_file: ./setup_docker_host.sh} outputs: OS::stack_id: diff --git a/docker/firstboot/start_docker_agents.sh b/docker/firstboot/start_docker_agents.sh deleted file mode 100755 index 1c5cc18d..00000000 --- a/docker/firstboot/start_docker_agents.sh +++ /dev/null @@ -1,69 +0,0 @@ -#!/bin/bash -set -eux - -# TODO remove this when built image includes docker -if [ ! -f "/usr/bin/docker" ]; then - yum -y install docker -fi - -# Local docker registry 1.8 -# NOTE(mandre) $docker_namespace_is_registry is not a bash variable but is -# a place holder for text replacement done via heat -if [ "$docker_namespace_is_registry" = "True" ]; then - /usr/bin/systemctl stop docker.service - # if namespace is used with local registry, trim all namespacing - trim_var=$docker_registry - registry_host="${trim_var%%/*}" - /bin/sed -i -r "s/^[# ]*INSECURE_REGISTRY *=.+$/INSECURE_REGISTRY='--insecure-registry $registry_host'/" /etc/sysconfig/docker -fi - -mkdir -p /var/lib/etc-data/json-config #FIXME: this should be a docker data container - -# NOTE(flaper87): Heat Agent required mounts -AGENT_COMMAND_MOUNTS="\ --v /var/lib/etc-data:/var/lib/etc-data \ --v /run:/run \ --v /etc/hosts:/etc/hosts \ --v /etc:/host/etc \ --v /var/lib/dhclient:/var/lib/dhclient \ --v /var/lib/cloud:/var/lib/cloud \ --v /var/lib/heat-cfntools:/var/lib/heat-cfntools \ --v /var/lib/os-collect-config:/var/lib/os-collect-config \ --v /var/lib/os-apply-config-deployments:/var/lib/os-apply-config-deployments \ --v /var/lib/heat-config:/var/lib/heat-config \ --v /etc/sysconfig/docker:/etc/sysconfig/docker \ --v /etc/sysconfig/network-scripts:/etc/sysconfig/network-scripts \ --v /usr/lib64/libseccomp.so.2:/usr/lib64/libseccomp.so.2 \ --v /usr/bin/docker:/usr/bin/docker \ --v /usr/bin/docker-current:/usr/bin/docker-current \ --v /var/lib/os-collect-config:/var/lib/os-collect-config" - -# heat-docker-agents service -cat <<EOF > /etc/systemd/system/heat-docker-agents.service -[Unit] -Description=Heat Docker Agent Container -After=docker.service -Requires=docker.service -Before=os-collect-config.service -Conflicts=os-collect-config.service - -[Service] -User=root -Restart=always -ExecStartPre=-/usr/bin/docker rm -f heat-agents -ExecStart=/usr/bin/docker run --name heat-agents --privileged --net=host \ - $AGENT_COMMAND_MOUNTS \ - --entrypoint=/usr/bin/os-collect-config $agent_image -ExecStop=/usr/bin/docker stop heat-agents - -[Install] -WantedBy=multi-user.target -EOF - -# enable and start heat-docker-agents -/usr/bin/systemctl enable heat-docker-agents.service -/usr/bin/systemctl start --no-block heat-docker-agents.service - -# Disable libvirtd -/usr/bin/systemctl disable libvirtd.service -/usr/bin/systemctl stop libvirtd.service diff --git a/docker/post.j2.yaml b/docker/post.j2.yaml index 865c74e5..c125423d 100644 --- a/docker/post.j2.yaml +++ b/docker/post.j2.yaml @@ -1,3 +1,7 @@ +# certain initialization steps (run in a container) will occur +# on the first role listed in the roles file +{% set primary_role_name = roles[0].name -%} + heat_template_version: ocata description: > @@ -8,17 +12,20 @@ parameters: servers: type: json description: Mapping of Role name e.g Controller to a list of servers - role_data: type: json description: Mapping of Role name e.g Controller to the per-role data - DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json resources: @@ -42,81 +49,171 @@ resources: input_values: update_identifier: {get_param: DeployIdentifier} - {{role.name}}Config: - type: OS::TripleO::{{role.name}}Config + {{role.name}}CreateConfigDir: + type: OS::Heat::SoftwareConfig properties: - StepConfig: {get_param: [role_data, {{role.name}}, step_config]} - {% if role.name.lower() == 'compute' %} - PuppetTags: {get_param: [role_data, {{role.name}}, puppet_tags]} - {% endif %} + group: script + config: {get_file: create-config-dir.sh} - # Step through a series of configuration steps - {{role.name}}Deployment_Step1: - type: OS::Heat::StructuredDeploymentGroup - depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy] + {{role.name}}CreateConfigDirDeployment: + type: OS::Heat::SoftwareDeploymentGroup properties: - name: {{role.name}}Deployment_Step1 servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}Config} - input_values: - step: 1 - update_identifier: {get_param: DeployIdentifier} + config: {get_resource: {{role.name}}CreateConfigDir} - {{role.name}}Deployment_Step2: - type: OS::Heat::StructuredDeploymentGroup - depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step1 - {% endfor %} + # this creates a JSON config file for our docker-puppet.py script + {{role.name}}GenPuppetConfig: + type: OS::Heat::StructuredConfig + properties: + group: json-file + config: + /var/lib/docker-puppet/docker-puppet.json: + yaql: + # select only services that have a non-null config_image with + # a step_config as well + expression: + $.data.config_volume.zip($.data.puppet_tags, $.data.step_config, $.data.config_image).where($[3] != null and $[1] != null) + data: + config_volume: {get_param: [role_data, {{role.name}}, config_volume]} + step_config: {get_param: [role_data, {{role.name}}, step_config]} + puppet_tags: {get_param: [role_data, {{role.name}}, puppet_tags]} + config_image: {get_param: [role_data, {{role.name}}, config_image]} + + {{role.name}}GenPuppetDeployment: + type: OS::Heat::SoftwareDeploymentGroup properties: - name: {{role.name}}Deployment_Step2 servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}Config} - input_values: - step: 2 - update_identifier: {get_param: DeployIdentifier} + config: {get_resource: {{role.name}}GenPuppetConfig} - {{role.name}}Deployment_Step3: - type: OS::Heat::StructuredDeploymentGroup - depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step2 - {% endfor %} + {{role.name}}GenerateConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: {get_file: docker-puppet.py} + + {{role.name}}GenerateConfigDeployment: + type: OS::Heat::SoftwareDeploymentGroup + depends_on: [{{role.name}}GenPuppetDeployment, {{role.name}}ArtifactsDeploy, {{role.name}}CreateConfigDirDeployment] properties: - name: {{role.name}}Deployment_Step3 + name: {{role.name}}GenerateConfigDeployment servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}Config} + config: {get_resource: {{role.name}}GenerateConfig} + + {{role.name}}PuppetStepConfig: + type: OS::Heat::Value + properties: + type: string + value: + yaql: + expression: + # select 'step_config' only from services that do not have a docker_image + $.data.service_names.zip($.data.step_config, $.data.docker_image).where($[2] = null).where($[1] != null).select($[1]).join("\n") + data: + service_names: {get_param: [role_data, {{role.name}}, service_names]} + step_config: {get_param: [role_data, {{role.name}}, step_config]} + docker_image: {get_param: [role_data, {{role.name}}, docker_image]} + + {{role.name}}DockerConfig: + type: OS::Heat::Value + properties: + type: json + value: + yaql: + expression: + # select 'docker_config' only from services that have a docker_image + $.data.service_names.zip($.data.docker_config, $.data.docker_image).where($[2] != null).select($[1]).reduce($1.mergeWith($2), {}) + data: + service_names: {get_param: [role_data, {{role.name}}, service_names]} + docker_config: {get_param: [role_data, {{role.name}}, docker_config]} + docker_image: {get_param: [role_data, {{role.name}}, docker_image]} + + {{role.name}}KollaJsonConfig: + type: OS::Heat::StructuredConfig + properties: + group: json-file + config: + {get_param: [role_data, {{role.name}}, kolla_config]} + + {{role.name}}KollaJsonDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + name: {{role.name}}KollaJsonDeployment + config: {get_resource: {{role.name}}KollaJsonConfig} + servers: {get_param: [servers, {{role.name}}]} + + # BEGIN BAREMETAL CONFIG STEPS + + {% if role.name == 'Controller' %} + ControllerPrePuppet: + type: OS::TripleO::Tasks::ControllerPrePuppet + properties: + servers: {get_param: [servers, Controller]} input_values: - step: 3 update_identifier: {get_param: DeployIdentifier} + {% endif %} - {{role.name}}Deployment_Step4: + {{role.name}}Config: + type: OS::TripleO::{{role.name}}Config + properties: + StepConfig: {get_attr: [{{role.name}}PuppetStepConfig, value]} + + {% for step in range(1, 6) %} + + {{role.name}}Deployment_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup + {% if step == 1 %} + depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy] + {% else %} depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step3 - {% endfor %} + {% for dep in roles %} + - {{dep.name}}Deployment_Step{{step -1}} + - {{dep.name}}ContainersDeployment_Step{{step -1}} + {% endfor %} + {% endif %} properties: - name: {{role.name}}Deployment_Step4 + name: {{role.name}}Deployment_Step{{step}} servers: {get_param: [servers, {{role.name}}]} config: {get_resource: {{role.name}}Config} input_values: - step: 4 + step: {{step}} update_identifier: {get_param: DeployIdentifier} - {{role.name}}Deployment_Step5: + {% endfor %} + # END BAREMETAL CONFIG STEPS + + # BEGIN CONTAINER CONFIG STEPS + {% for step in range(1, 6) %} + + {{role.name}}ContainersConfig_Step{{step}}: + type: OS::Heat::StructuredConfig + properties: + group: docker-cmd + config: + {get_attr: [{{role.name}}DockerConfig, value, step_{{step}}]} + + {{role.name}}ContainersDeployment_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup + {% if step == 1 %} depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step4 - {% endfor %} + - {{role.name}}PreConfig + - {{role.name}}KollaJsonDeployment + - {{role.name}}GenPuppetDeployment + - {{role.name}}GenerateConfigDeployment + {% else %} + depends_on: + {% for dep in roles %} + - {{dep.name}}ContainersDeployment_Step{{step -1}} + - {{dep.name}}Deployment_Step{{step}} # baremetal steps of the same level run first + - {{dep.name}}Deployment_Step{{step -1}} + {% endfor %} + {% endif %} properties: - name: {{role.name}}Deployment_Step5 + name: {{role.name}}ContainersDeployment_Step{{step}} servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}Config} - input_values: - step: 5 - update_identifier: {get_param: DeployIdentifier} + config: {get_resource: {{role.name}}ContainersConfig_Step{{step}}} + + {% endfor %} + # END CONTAINER CONFIG STEPS {{role.name}}PostConfig: type: OS::TripleO::Tasks::{{role.name}}PostConfig @@ -140,68 +237,15 @@ resources: properties: servers: {get_param: [servers, {{role.name}}]} - {% if role.name.lower() == 'compute' %} - CopyEtcConfig: - type: OS::Heat::SoftwareConfig - depends_on: {{role.name}}PostConfig - properties: - group: script - outputs: - - name: result - config: {get_file: ../docker/copy-etc.sh} - - CopyEtcDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - name: CopyEtcDeployment - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: CopyEtcConfig} - - {{role.name}}KollaJsonConfig: - type: OS::Heat::StructuredConfig - depends_on: CopyEtcDeployment - properties: - group: json-file - config: - {get_param: [role_data, {{role.name}}, kolla_config]} - - {{role.name}}KollaJsonDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - name: {{role.name}}KollaJsonDeployment - config: {get_resource: {{role.name}}KollaJsonConfig} - servers: {get_param: [servers, {{role.name}}]} - - {{role.name}}ContainersConfig_Step1: - type: OS::Heat::StructuredConfig - depends_on: {{role.name}}KollaJsonDeployment - properties: - group: docker-cmd - config: - {get_param: [role_data, {{role.name}}, docker_config, step_1]} - - {{role.name}}ContainersConfig_Step2: - type: OS::Heat::StructuredConfig - depends_on: {{role.name}}KollaJsonDeployment - properties: - group: docker-cmd - config: - {get_param: [role_data, {{role.name}}, docker_config, step_2]} - - {{role.name}}ContainersDeployment_Step1: - type: OS::Heat::StructuredDeploymentGroup - depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy] - properties: - name: {{role.name}}ContainersDeployment_Step1 - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}ContainersConfig_Step1} - - {{role.name}}ContainersDeployment_Step2: - type: OS::Heat::StructuredDeploymentGroup - depends_on: {{role.name}}ContainersDeployment_Step1 + {% if role.name == 'Controller' %} + ControllerPostPuppet: + depends_on: + - ControllerExtraConfigPost + type: OS::TripleO::Tasks::ControllerPostPuppet properties: - name: {{role.name}}ContainersDeployment_Step2 - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}ContainersConfig_Step2} + servers: {get_param: [servers, Controller]} + input_values: + update_identifier: {get_param: DeployIdentifier} {% endif %} + {% endfor %} diff --git a/docker/services/README.rst b/docker/services/README.rst index 60719bfc..edaa5ee9 100644 --- a/docker/services/README.rst +++ b/docker/services/README.rst @@ -1,65 +1,104 @@ -======== -services -======== +=============== +Docker Services +=============== -A TripleO nested stack Heat template that encapsulates generic configuration -data to configure a specific service. This generally includes everything -needed to configure the service excluding the local bind ports which -are still managed in the per-node role templates directly (controller.yaml, -compute.yaml, etc.). All other (global) service settings go into -the puppet/service templates. +TripleO docker services are currently built on top of the puppet services. +To do this each of the docker services includes the output of the +t-h-t puppet/service templates where appropriate. -Input Parameters ----------------- +In general global docker specific service settings should reside in these +templates (templates in the docker/services directory.) The required and +optional items are specified in the docker settings section below. -Each service may define its own input parameters and defaults. -Operators will use the parameter_defaults section of any Heat -environment to set per service parameters. +If you are adding a config setting that applies to both docker and +baremetal that setting should (so long as we use puppet) go into the +puppet/services templates themselves. -Config Settings ---------------- +Building Kolla Images +--------------------- + +TripleO currently relies on Kolla docker containers. Kolla supports container +customization and we are making use of this feature within TripleO to inject +puppet (our configuration tool of choice) into the Kolla base images. To +build Kolla images for TripleO adjust your kolla config to build your +centos base image with puppet using the example below: + +.. code-block:: + +$ cat template-overrides.j2 +{% extends parent_template %} +{% set base_centos_binary_packages_append = ['puppet'] %} -Each service may define a config_settings output variable which returns -Hiera settings to be configured. +kolla-build --base centos --template-override template-overrides.j2 -Steps ------ +.. + +Docker settings +--------------- Each service may define an output variable which returns a puppet manifest snippet that will run at each of the following steps. Earlier manifests are re-asserted when applying latter ones. - * config_settings: Custom hiera settings for this service. These are - used to generate configs. + * config_settings: This setting is generally inherited from the + puppet/services templates and only need to be appended + to on accasion if docker specific config settings are required. + + * step_config: This setting controls the manifest that is used to + create docker config files via puppet. The puppet tags below are + used along with this manifest to generate a config directory for + this container. * kolla_config: Contains YAML that represents how to map config files into the kolla container. This config file is typically mapped into the container itself at the /var/lib/kolla/config_files/config.json location and drives how kolla's external config mechanisms work. - * step_config: A puppet manifest that is used to step through the deployment - sequence. Each sequence is given a "step" (via hiera('step') that provides - information for when puppet classes should activate themselves. + * docker_image: The full name of the docker image that will be used. - * docker_compose: + * docker_config: Data that is passed to the docker-cmd hook to configure + a container, or step of containers at each step. See the available steps + below and the related docker-cmd hook documentation in the heat-agents + project. - * container_name: + * puppet_tags: Puppet resource tag names that are used to generate config + files with puppet. Only the named config resources are used to generate + a config file. Any service that specifies tags will have the default + tags of 'file,concat,file_line' appended to the setting. + Example: keystone_config - * volumes: + * config_volume: The name of the volume (directory) where config files + will be generated for this service. Use this as the location to + bind mount into the running Kolla container for configuration. -Steps correlate to the following: - - 1) Service configuration generation with puppet. - - 2) Early Openstack Service setup (database init?) - - 3) Early containerized networking services startup (OVS) + * config_image: The name of the docker image that will be used for + generating configuration files. This is often the same value as + 'docker_image' above but some containers share a common set of + config files which are generated in a common base container. - 4) Network configuration +Docker steps +------------ +Similar to baremetal docker containers are brought up in a stepwise manner. +The current architecture supports bringing up baremetal services alongside +of containers. For each step the baremetal puppet manifests are executed +first and then any docker containers are brought up afterwards. - 5) General OpenStack Services - - 6) Service activation (Pacemaker) - - 7) Fencing (Pacemaker) +Steps correlate to the following: + Pre) Containers config files generated per hiera settings. + 1) Load Balancer configuration baremetal + a) step 1 baremetal + b) step 1 containers + 2) Core Services (Database/Rabbit/NTP/etc.) + a) step 2 baremetal + b) step 2 containers + 3) Early Openstack Service setup (Ringbuilder, etc.) + a) step 3 baremetal + b) step 3 containers + 4) General OpenStack Services + a) step 4 baremetal + b) step 4 containers + c) Keystone containers post initialization (tenant,service,endpoint creation) + 5) Service activation (Pacemaker) + a) step 5 baremetal + b) step 5 containers diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml index 0a061f6c..ab99da5e 100644 --- a/docker/services/neutron-ovs-agent.yaml +++ b/docker/services/neutron-ovs-agent.yaml @@ -10,7 +10,7 @@ parameters: type: string DockerOpenvswitchImage: description: image - default: 'centos-binary-neutron-openvswitch-agent' + default: 'centos-binary-neutron-openvswitch-agent:latest' type: string ServiceNetMap: default: {} @@ -32,53 +32,53 @@ resources: NeutronOvsAgentBase: type: ../../puppet/services/neutron-ovs-agent.yaml properties: + EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} outputs: role_data: description: Role data for Neutron openvswitch service value: + service_name: {get_attr: [NeutronOvsAgentBase, role_data, service_name]} config_settings: {get_attr: [NeutronOvsAgentBase, role_data, config_settings]} step_config: {get_attr: [NeutronOvsAgentBase, role_data, step_config]} + docker_image: &neutron_ovs_agent_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerOpenvswitchImage} ] puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2 + config_volume: neutron + config_image: *neutron_ovs_agent_image kolla_config: - /var/lib/etc-data/json-config/neutron-openvswitch-agent.json: - command: /usr/bin/neutron-openvswitch-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini + /var/lib/kolla/config_files/neutron-openvswitch-agent.json: + command: /usr/bin/neutron-openvswitch-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini config_files: - dest: /etc/neutron/neutron.conf owner: neutron perm: '0600' - source: /var/lib/kolla/config_files/neutron.conf + source: /var/lib/kolla/config_files/src/etc/neutron/neutron.conf - dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini owner: neutron perm: '0600' - source: /var/lib/kolla/config_files/openvswitch_agent.ini + source: /var/lib/kolla/config_files/src/etc/neutron/plugins/ml2/openvswitch_agent.ini - dest: /etc/neutron/plugins/ml2/ml2_conf.ini owner: neutron perm: '0600' - source: /var/lib/kolla/config_files/ml2_conf.ini + source: /var/lib/kolla/config_files/src/etc/neutron/plugins/ml2/ml2_conf.ini docker_config: - step_1: + step_4: neutronovsagent: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerOpenvswitchImage} ] + image: *neutron_ovs_agent_image net: host pid: host privileged: true restart: always volumes: - - /var/lib/etc-data/json-config/neutron-openvswitch-agent.json:/var/lib/kolla/config_files/config.json - - /var/lib/etc-data/neutron/neutron.conf:/var/lib/kolla/config_files/neutron.conf:ro - - /var/lib/etc-data/neutron/plugins/ml2/ml2_conf.ini:/var/lib/kolla/config_files/ml2_conf.ini:ro - - /var/lib/etc-data/neutron/plugins/ml2/openvswitch_agent.ini:/var/lib/kolla/config_files/openvswitch_agent.ini:ro + - /var/lib/kolla/config_files/neutron-openvswitch-agent.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/neutron:/var/lib/kolla/config_files/src:ro - /etc/localtime:/etc/localtime:ro - /lib/modules:/lib/modules:ro - /run:/run - - logs:/var/log/kolla/ environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - step_2: {} diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index e765609e..8eebc397 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -10,7 +10,7 @@ parameters: type: string DockerNovaComputeImage: description: image - default: 'centos-binary-nova-compute' + default: 'centos-binary-nova-compute:latest' type: string ServiceNetMap: default: {} @@ -29,53 +29,57 @@ parameters: resources: + NovaComputeBase: type: ../../puppet/services/nova-compute.yaml properties: EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} outputs: role_data: description: Role data for the Nova Compute service. value: + service_name: {get_attr: [NovaComputeBase, role_data, service_name]} config_settings: {get_attr: [NovaComputeBase, role_data, config_settings]} step_config: {get_attr: [NovaComputeBase, role_data, step_config]} puppet_tags: nova_config,nova_paste_api_ini + docker_image: &nova_compute_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] + config_volume: nova_libvirt + config_image: *nova_compute_image kolla_config: - /var/lib/etc-data/json-config/nova-compute.json: + /var/lib/kolla/config_files/nova-compute.json: command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf config_files: - dest: /etc/nova/nova.conf owner: nova perm: '0600' - source: /var/lib/kolla/config_files/nova.conf + source: /var/lib/kolla/config_files/src/etc/nova/nova.conf - dest: /etc/nova/rootwrap.conf owner: nova perm: '0600' - source: /var/lib/kolla/config_files/rootwrap.conf + source: /var/lib/kolla/config_files/src/etc/nova/rootwrap.conf docker_config: - step_1: + step_4: novacompute: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] + image: *nova_compute_image net: host privileged: true user: root restart: always volumes: - - /var/lib/etc-data/json-config/nova-compute.json:/var/lib/kolla/config_files/config.json - - /var/lib/etc-data/nova/nova.conf:/var/lib/kolla/config_files/nova.conf:ro - - /var/lib/etc-data/nova/rootwrap.conf:/var/lib/kolla/config_files/rootwrap.conf:ro + - /var/lib/kolla/config_files/nova-compute.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/nova_libvirt:/var/lib/kolla/config_files/src:ro + - /dev:/dev + - /etc/iscsi:/etc/iscsi - /etc/localtime:/etc/localtime:ro - /lib/modules:/lib/modules:ro - /run:/run - - /dev:/dev - - logs:/var/log/kolla/ - - /etc/iscsi:/etc/iscsi + - /var/lib/nova:/var/lib/nova - libvirtd:/var/lib/libvirt - - nova_compute:/var/lib/nova/ environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - step_2: {} diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index 004d624a..d6e7dc76 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -10,7 +10,13 @@ parameters: type: string DockerLibvirtImage: description: image - default: 'centos-binary-libvirt' + default: 'centos-binary-nova-libvirt:latest' + type: string + # we configure libvirt via the nova-compute container due to coupling + # in the puppet modules + DockerNovaComputeImage: + description: image + default: 'centos-binary-nova-compute:latest' type: string ServiceNetMap: default: {} @@ -33,50 +39,54 @@ resources: type: ../../puppet/services/nova-libvirt.yaml properties: EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} outputs: role_data: description: Role data for the Libvirt service. value: + service_name: {get_attr: [NovaLibvirtBase, role_data, service_name]} config_settings: {get_attr: [NovaLibvirtBase, role_data, config_settings]} step_config: {get_attr: [NovaLibvirtBase, role_data, step_config]} + docker_image: &libvirt_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerLibvirtImage} ] puppet_tags: nova_config + config_volume: nova_libvirt + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] kolla_config: - /var/lib/etc-data/json-config/nova-libvirt.json: + /var/lib/kolla/config_files/nova-libvirt.json: command: /usr/sbin/libvirtd --config /etc/libvirt/libvirtd.conf config_files: - dest: /etc/libvirt/libvirtd.conf owner: root perm: '0644' - source: /var/lib/kolla/config_files/libvirtd.conf + source: /var/lib/kolla/config_files/src/etc/libvirt/libvirtd.conf docker_config: - step_1: + step_3: nova_libvirt: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerLibvirtImage} ] + image: *libvirt_image net: host pid: host privileged: true restart: always volumes: - - /var/lib/etc-data/json-config/nova-libvirt.json:/var/lib/kolla/config_files/config.json - - /var/lib/etc-data/libvirt/libvirtd.conf:/var/lib/kolla/config_files/libvirtd.conf - # NOTE(mandre) Ideally the qemu.conf file is mounted in - # /var/lib/kolla/config_files and copied to the right place but - # copy-json.py doesn't allow us to do that without appending the - # file as an additional config on the CLI - - /var/lib/etc-data/libvirt/qemu.conf:/etc/libvirt/qemu.conf:ro + - /var/lib/kolla/config_files/nova-libvirt.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/nova_libvirt:/var/lib/kolla/config_files/src:ro + - /dev:/dev - /etc/localtime:/etc/localtime:ro - /lib/modules:/lib/modules:ro - /run:/run - - /dev:/dev - /sys/fs/cgroup:/sys/fs/cgroup - - logs:/var/log/kolla/ + - /var/lib/nova:/var/lib/nova + # Needed to use host's virtlogd + - /var/run/libvirt:/var/run/libvirt - libvirtd:/var/lib/libvirt - - nova_compute:/var/lib/nova/ - nova_libvirt_qemu:/etc/libvirt/qemu environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - step_2: {} diff --git a/docker/services/services.yaml b/docker/services/services.yaml index 8c31107f..8e899024 100644 --- a/docker/services/services.yaml +++ b/docker/services/services.yaml @@ -66,10 +66,12 @@ outputs: global_config_settings: {get_attr: [PuppetServices, role_data, global_config_settings]} step_config: - {get_attr: [PuppetServices, role_data, step_config]} - puppet_tags: {list_join: [",", {get_attr: [ServiceChain, role_data, puppet_tags]}]} + {get_attr: [ServiceChain, role_data, step_config]} + docker_image: {get_attr: [ServiceChain, role_data, docker_image]} + puppet_tags: {get_attr: [ServiceChain, role_data, puppet_tags]} + config_volume: {get_attr: [ServiceChain, role_data, config_volume]} + config_image: {get_attr: [ServiceChain, role_data, config_image]} kolla_config: map_merge: {get_attr: [ServiceChain, role_data, kolla_config]} docker_config: - step_1: {map_merge: {get_attr: [ServiceChain, role_data, docker_config, step_1]}} - step_2: {map_merge: {get_attr: [ServiceChain, role_data, docker_config, step_2]}} + {get_attr: [ServiceChain, role_data, docker_config]} diff --git a/environments/docker.yaml b/environments/docker.yaml index 4f5b36b4..37612b07 100644 --- a/environments/docker.yaml +++ b/environments/docker.yaml @@ -1,28 +1,19 @@ resource_registry: - # Docker container with heat agents for containerized compute node. - OS::TripleO::Compute::NodeUserData: ../docker/firstboot/install_docker_agents.yaml + OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml + + #NOTE (dprince) add roles to be docker enabled as we support them OS::TripleO::Services::NovaLibvirt: ../docker/services/nova-libvirt.yaml OS::TripleO::Services::ComputeNeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml OS::TripleO::Services::NovaCompute: ../docker/services/nova-compute.yaml - # NOTE (dprince) here we set new roles to be docker enabled as we add support - #OS::TripleO::ComputePostDeploySteps: ../docker/post.yaml - # NOTE (mandre) Defining per role post deploy steps doesn't work yet - # Set a global PostDeploySteps that works for both containerized and - # non-containerized roles + OS::TripleO::PostDeploySteps: ../docker/post.yaml OS::TripleO::Services: ../docker/services/services.yaml parameter_defaults: # Defaults to 'tripleoupstream'. Specify a local docker registry - # Example: 192.0.2.1:8787/tripleoupstream + # Example: 192.168.24.1:8787/tripleoupstream DockerNamespace: tripleoupstream - # Enable local Docker registry DockerNamespaceIsRegistry: false - DockerAgentImage: heat-docker-agents:newton - # Docker containers - DockerNovaComputeImage: centos-binary-nova-compute:newton - DockerLibvirtImage: centos-binary-nova-libvirt:newton - DockerOpenvswitchImage: centos-binary-neutron-openvswitch-agent:newton ComputeServices: - OS::TripleO::Services::NovaCompute diff --git a/environments/host-config-pre-network.j2.yaml b/environments/host-config-pre-network.j2.yaml index fe1302b5..c79e28b4 100644 --- a/environments/host-config-pre-network.j2.yaml +++ b/environments/host-config-pre-network.j2.yaml @@ -1,12 +1,12 @@ resource_registry: # Create the registry only for roles with the word "Compute" in it. Like ComputeOvsDpdk, ComputeSriov, etc., -{% for role in roles %} +{%- for role in roles -%} {% if "Compute" in role.name %} OS::TripleO::{{role.name}}::PreNetworkConfig: ../extraconfig/pre_network/{{role.name.lower()}}-host_config_and_reboot.yaml -{% endif %} +{%- endif -%} {% endfor %} -parameter_defaults: +#parameter_defaults: # Sample parameters for Compute and ComputeOvsDpdk roles #ComputeKernelArgs: "" #ComputeTunedProfileName: "" diff --git a/environments/major-upgrade-composable-steps.yaml b/environments/major-upgrade-composable-steps.yaml index 4283b212..9e3cddba 100644 --- a/environments/major-upgrade-composable-steps.yaml +++ b/environments/major-upgrade-composable-steps.yaml @@ -1,2 +1,15 @@ resource_registry: OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml +parameter_defaults: + UpgradeLevelNovaCompute: auto + UpgradeInitCommonCommand: | + #!/bin/bash + # Newton to Ocata, we need to remove old hiera hook data and + # install ansible heat agents and ansible-pacemaker + set -eu + yum install -y python-heat-agent-* + yum install -y ansible-pacemaker + rm -f /usr/libexec/os-apply-config/templates/etc/puppet/hiera.yaml + rm -f /usr/libexec/os-refresh-config/configure.d/40-hiera-datafiles + rm -f /etc/puppet/hieradata/*.yaml + diff --git a/environments/major-upgrade-converge.yaml b/environments/major-upgrade-converge.yaml new file mode 100644 index 00000000..f09fb20e --- /dev/null +++ b/environments/major-upgrade-converge.yaml @@ -0,0 +1,7 @@ +# Use this to reset any mappings only used for upgrades after the +# update of all nodes is completed +resource_registry: + OS::TripleO::PostDeploySteps: ../puppet/post.yaml +parameter_defaults: + UpgradeLevelNovaCompute: '' + UpgradeInitCommonCommand: '' diff --git a/environments/neutron-ml2-ovn.yaml b/environments/neutron-ml2-ovn.yaml index 3da560c8..7483bdbb 100644 --- a/environments/neutron-ml2-ovn.yaml +++ b/environments/neutron-ml2-ovn.yaml @@ -3,6 +3,7 @@ resource_registry: OS::TripleO::Services::NeutronL3Agent: OS::Heat::None OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None + OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginML2OVN OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-ovn.yaml # Disabling Neutron services that overlap with OVN @@ -12,11 +13,12 @@ resource_registry: parameter_defaults: NeutronMechanismDrivers: ovn - OVNSouthboundServerPort: 6642 - OVNNorthboundServerPort: 6641 - OVNDbConnectionTimeout: 60 OVNVifType: ovs OVNNeutronSyncMode: log OVNQosDriver: ovn-qos OVNTunnelEncapType: geneve NeutronEnableDHCPAgent: false + NeutronTypeDrivers: 'geneve,vxlan,vlan,flat' + NeutronNetworkType: 'geneve' + NeutronServicePlugins: 'qos,ovn-router' + NeutronVniRanges: ['1:65536', ] diff --git a/environments/neutron-opendaylight.yaml b/environments/neutron-opendaylight.yaml index e08b2b27..ed7292b7 100644 --- a/environments/neutron-opendaylight.yaml +++ b/environments/neutron-opendaylight.yaml @@ -10,4 +10,4 @@ resource_registry: parameter_defaults: NeutronEnableForceMetadata: true NeutronMechanismDrivers: 'opendaylight_v2' - NeutronServicePlugins: 'odl-router_v2' + NeutronServicePlugins: 'odl-router_v2,trunk' diff --git a/environments/puppet-ceph.yaml b/environments/puppet-ceph.yaml new file mode 100644 index 00000000..57af540a --- /dev/null +++ b/environments/puppet-ceph.yaml @@ -0,0 +1,12 @@ +resource_registry: + OS::TripleO::Services::CephMon: ../puppet/services/ceph-mon.yaml + OS::TripleO::Services::CephOSD: ../puppet/services/ceph-osd.yaml + OS::TripleO::Services::CephClient: ../puppet/services/ceph-client.yaml + +parameter_defaults: + CinderEnableIscsiBackend: false + CinderEnableRbdBackend: true + CinderBackupBackend: ceph + NovaEnableRbdBackend: true + GlanceBackend: rbd + GnocchiBackend: rbd diff --git a/extraconfig/tasks/run_puppet.sh b/extraconfig/tasks/run_puppet.sh new file mode 100755 index 00000000..b7771e33 --- /dev/null +++ b/extraconfig/tasks/run_puppet.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +function run_puppet { + set -eux + local manifest="$1" + local role="$2" + local step="$3" + local rc=0 + + export FACTER_deploy_config_name="${role}Deployment_Step${step}" + if [ -e "/etc/puppet/hieradata/heat_config_${FACTER_deploy_config_name}.json" ]; then + set +e + puppet apply --detailed-exitcodes "${manifest}" + rc=$? + echo "puppet apply exited with exit code $rc" + else + echo "Step${step} doesn't exist for ${role}" + fi + set -e + + if [ $rc -eq 2 -o $rc -eq 0 ]; then + set +xu + return 0 + fi + set +xu + return $rc +} diff --git a/extraconfig/tasks/swift-ring-deploy.yaml b/extraconfig/tasks/swift-ring-deploy.yaml new file mode 100644 index 00000000..d17f78ae --- /dev/null +++ b/extraconfig/tasks/swift-ring-deploy.yaml @@ -0,0 +1,31 @@ +heat_template_version: ocata + +parameters: + servers: + type: json + SwiftRingGetTempurl: + default: '' + description: A temporary Swift URL to download rings from. + type: string + +resources: + SwiftRingDeployConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + inputs: + - name: swift_ring_get_tempurl + config: | + #!/bin/sh + pushd / + curl --insecure --silent "${swift_ring_get_tempurl}" | tar xz || true + popd + + SwiftRingDeploy: + type: OS::Heat::SoftwareDeployments + properties: + name: SwiftRingDeploy + config: {get_resource: SwiftRingDeployConfig} + servers: {get_param: servers} + input_values: + swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl} diff --git a/extraconfig/tasks/swift-ring-update.yaml b/extraconfig/tasks/swift-ring-update.yaml new file mode 100644 index 00000000..440c6883 --- /dev/null +++ b/extraconfig/tasks/swift-ring-update.yaml @@ -0,0 +1,42 @@ +heat_template_version: ocata + +parameters: + servers: + type: json + SwiftRingPutTempurl: + default: '' + description: A temporary Swift URL to upload rings to. + type: string + +resources: + SwiftRingUpdateConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + inputs: + - name: swift_ring_put_tempurl + config: | + #!/bin/sh + TMP_DATA=$(mktemp -d) + function cleanup { + rm -Rf "$TMP_DATA" + } + trap cleanup EXIT + # sanity check in case rings are not consistent within cluster + swift-recon --md5 | grep -q "doesn't match" && exit 1 + pushd ${TMP_DATA} + tar -cvzf swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/* + resp=`curl --insecure --silent -X PUT "${swift_ring_put_tempurl}" --write-out "%{http_code}" --data-binary @swift-rings.tar.gz` + popd + if [ "$resp" != "201" ]; then + exit 1 + fi + + SwiftRingUpdate: + type: OS::Heat::SoftwareDeployments + properties: + name: SwiftRingUpdate + config: {get_resource: SwiftRingUpdateConfig} + servers: {get_param: servers} + input_values: + swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl} diff --git a/extraconfig/tasks/tripleo_upgrade_node.sh b/extraconfig/tasks/tripleo_upgrade_node.sh index 27ba33a8..16584254 100644 --- a/extraconfig/tasks/tripleo_upgrade_node.sh +++ b/extraconfig/tasks/tripleo_upgrade_node.sh @@ -44,9 +44,14 @@ if [[ -n \$NOVA_COMPUTE ]]; then systemctl restart openstack-ceilometer-compute fi -# Apply puppet manifest to converge just right after the \$ROLE upgrade -puppet apply /root/${ROLE}_puppet_config.pp - +# Apply puppet manifest to converge just right after the ${ROLE} upgrade +$(declare -f run_puppet) +for step in 1 2 3 4 5 6; do + if ! run_puppet /root/${ROLE}_puppet_config.pp ${ROLE} \${step}; then + echo "Puppet failure at step \${step}" + exit 1 + fi +done ENDOFCAT # ensure the permissions are OK diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index a6b32ddb..9a8de34a 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -2,7 +2,7 @@ resource_registry: OS::TripleO::SoftwareDeployment: OS::Heat::StructuredDeployment OS::TripleO::PostDeploySteps: puppet/post.yaml - OS::TripleO::PostUpgradeSteps: puppet/post.yaml + OS::TripleO::PostUpgradeSteps: puppet/post-upgrade.yaml OS::TripleO::AllNodes::SoftwareConfig: puppet/all-nodes-config.yaml OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml OS::TripleO::DefaultPasswords: default_passwords.yaml @@ -11,6 +11,9 @@ resource_registry: OS::TripleO::Tasks::UpdateWorkflow: OS::Heat::None OS::TripleO::Tasks::PackageUpdate: extraconfig/tasks/yum_update.yaml + OS::TripleO::Tasks::SwiftRingDeploy: extraconfig/tasks/swift-ring-deploy.yaml + OS::TripleO::Tasks::SwiftRingUpdate: extraconfig/tasks/swift-ring-update.yaml + {% for role in roles %} OS::TripleO::{{role.name}}::PreNetworkConfig: OS::Heat::None OS::TripleO::{{role.name}}PostDeploySteps: puppet/post.yaml diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml index 5b2ca4a2..e9447b94 100644 --- a/overcloud.j2.yaml +++ b/overcloud.j2.yaml @@ -255,6 +255,18 @@ resources: EndpointMap: {get_attr: [EndpointMap, endpoint_map]} DefaultPasswords: {get_attr: [DefaultPasswords, passwords]} + # Filter any null/None service_names which may be present due to mapping + # of services to OS::Heat::None + {{role.name}}ServiceNames: + type: OS::Heat::Value + depends_on: {{role.name}}ServiceChain + properties: + type: comma_delimited_list + value: + yaql: + expression: coalesce($.data, []).where($ != null) + data: {get_attr: [{{role.name}}ServiceChain, role_data, service_names]} + {{role.name}}HostsDeployment: type: OS::Heat::StructuredDeployments properties: @@ -305,7 +317,7 @@ resources: StorageMgmtIpList: {get_attr: [{{role.name}}, storage_mgmt_ip_address]} TenantIpList: {get_attr: [{{role.name}}, tenant_ip_address]} ManagementIpList: {get_attr: [{{role.name}}, management_ip_address]} - EnabledServices: {get_attr: [{{role.name}}ServiceChain, role_data, service_names]} + EnabledServices: {get_attr: [{{role.name}}ServiceNames, value]} ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map_lower]} ServiceHostnameList: {get_attr: [{{role.name}}, hostname]} NetworkHostnameMap: @@ -361,8 +373,8 @@ resources: {% for r in roles %} - get_attr: [{{r.name}}ServiceChain, role_data, service_config_settings] {% endfor %} - services: {get_attr: [{{role.name}}ServiceChain, role_data, service_names]} - ServiceNames: {get_attr: [{{role.name}}ServiceChain, role_data, service_names]} + services: {get_attr: [{{role.name}}ServiceNames, value]} + ServiceNames: {get_attr: [{{role.name}}ServiceNames, value]} MonitoringSubscriptions: {get_attr: [{{role.name}}ServiceChain, role_data, monitoring_subscriptions]} ServiceMetadataSettings: {get_attr: [{{role.name}}ServiceChain, role_data, service_metadata_settings]} {% endfor %} @@ -396,7 +408,7 @@ resources: list_join: - ',' {% for role in roles %} - - {get_attr: [{{role.name}}ServiceChain, role_data, service_names]} + - {get_attr: [{{role.name}}ServiceNames, value]} {% endfor %} logging_groups: yaql: @@ -646,7 +658,7 @@ outputs: description: The services enabled on each role value: {% for role in roles %} - {{role.name}}: {get_attr: [{{role.name}}ServiceChain, role_data, service_names]} + {{role.name}}: {get_attr: [{{role.name}}ServiceNames, value]} {% endfor %} RoleData: description: The configuration data associated with each role diff --git a/puppet/blockstorage-role.yaml b/puppet/blockstorage-role.yaml index e92de45f..a5218dbe 100644 --- a/puppet/blockstorage-role.yaml +++ b/puppet/blockstorage-role.yaml @@ -115,6 +115,14 @@ parameters: Command or script snippet to run on all overcloud nodes to initialize the upgrade process. E.g. a repository switch. default: '' + UpgradeInitCommonCommand: + type: string + description: | + Common commands required by the upgrades process. This should not + normally be modified by the operator and is set and unset in the + major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml + environment files. + default: '' resources: BlockStorage: @@ -360,6 +368,7 @@ resources: - - "#!/bin/bash\n\n" - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n" - get_param: UpgradeInitCommand + - get_param: UpgradeInitCommonCommand # Note we may be able to make this conditional on UpgradeInitCommandNotEmpty # but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first diff --git a/puppet/cephstorage-role.yaml b/puppet/cephstorage-role.yaml index 892f91ef..0867e17f 100644 --- a/puppet/cephstorage-role.yaml +++ b/puppet/cephstorage-role.yaml @@ -121,6 +121,14 @@ parameters: Command or script snippet to run on all overcloud nodes to initialize the upgrade process. E.g. a repository switch. default: '' + UpgradeInitCommonCommand: + type: string + description: | + Common commands required by the upgrades process. This should not + normally be modified by the operator and is set and unset in the + major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml + environment files. + default: '' resources: CephStorage: @@ -366,6 +374,7 @@ resources: - - "#!/bin/bash\n\n" - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n" - get_param: UpgradeInitCommand + - get_param: UpgradeInitCommonCommand # Note we may be able to make this conditional on UpgradeInitCommandNotEmpty # but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml index 62adcd33..1a0294af 100644 --- a/puppet/compute-role.yaml +++ b/puppet/compute-role.yaml @@ -133,6 +133,14 @@ parameters: Command or script snippet to run on all overcloud nodes to initialize the upgrade process. E.g. a repository switch. default: '' + UpgradeInitCommonCommand: + type: string + description: | + Common commands required by the upgrades process. This should not + normally be modified by the operator and is set and unset in the + major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml + environment files. + default: '' resources: @@ -383,6 +391,7 @@ resources: - - "#!/bin/bash\n\n" - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n" - get_param: UpgradeInitCommand + - get_param: UpgradeInitCommonCommand # Note we may be able to make this conditional on UpgradeInitCommandNotEmpty # but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml index d3268ee2..825006ba 100644 --- a/puppet/controller-role.yaml +++ b/puppet/controller-role.yaml @@ -147,6 +147,14 @@ parameters: Command or script snippet to run on all overcloud nodes to initialize the upgrade process. E.g. a repository switch. default: '' + UpgradeInitCommonCommand: + type: string + description: | + Common commands required by the upgrades process. This should not + normally be modified by the operator and is set and unset in the + major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml + environment files. + default: '' parameter_groups: - label: deprecated @@ -417,6 +425,7 @@ resources: - - "#!/bin/bash\n\n" - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n" - get_param: UpgradeInitCommand + - get_param: UpgradeInitCommonCommand # Note we may be able to make this conditional on UpgradeInitCommandNotEmpty # but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml index 3362a01f..6f2dd684 100644 --- a/puppet/major_upgrade_steps.j2.yaml +++ b/puppet/major_upgrade_steps.j2.yaml @@ -79,6 +79,7 @@ resources: AUTH_URL: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} ROLE_NAME: {{role.name}} - get_file: ../extraconfig/tasks/pacemaker_common_functions.sh + - get_file: ../extraconfig/tasks/run_puppet.sh - get_file: ../extraconfig/tasks/tripleo_upgrade_node.sh {{role.name}}DeliverUpgradeScriptDeployment: diff --git a/puppet/objectstorage-role.yaml b/puppet/objectstorage-role.yaml index 1633134d..172484dc 100644 --- a/puppet/objectstorage-role.yaml +++ b/puppet/objectstorage-role.yaml @@ -115,6 +115,14 @@ parameters: Command or script snippet to run on all overcloud nodes to initialize the upgrade process. E.g. a repository switch. default: '' + UpgradeInitCommonCommand: + type: string + description: | + Common commands required by the upgrades process. This should not + normally be modified by the operator and is set and unset in the + major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml + environment files. + default: '' resources: @@ -360,6 +368,7 @@ resources: - - "#!/bin/bash\n\n" - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n" - get_param: UpgradeInitCommand + - get_param: UpgradeInitCommonCommand # Note we may be able to make this conditional on UpgradeInitCommandNotEmpty # but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first diff --git a/puppet/puppet-steps.j2 b/puppet/puppet-steps.j2 index c3b54ccd..b517db6e 100644 --- a/puppet/puppet-steps.j2 +++ b/puppet/puppet-steps.j2 @@ -21,7 +21,7 @@ {{role.name}}Config: type: OS::TripleO::{{role.name}}Config properties: - StepConfig: {get_param: [role_data, {{role.name}}, step_config]} + StepConfig: {list_join: ["\n", {get_param: [role_data, {{role.name}}, step_config]}]} {% if role.name == 'Controller' %} ControllerPrePuppet: @@ -32,6 +32,13 @@ update_identifier: {get_param: DeployIdentifier} {% endif %} + {% if role.name in ['Controller', 'ObjectStorage'] %} + {{role.name}}SwiftRingDeploy: + type: OS::TripleO::Tasks::SwiftRingDeploy + properties: + servers: {get_param: [servers, {{role.name}}]} + {% endif %} + # Step through a series of configuration steps {% for step in range(1, 6) %} {{role.name}}Deployment_Step{{step}}: @@ -85,4 +92,15 @@ input_values: update_identifier: {get_param: DeployIdentifier} {% endif %} + + {% if role.name in ['Controller', 'ObjectStorage'] %} + {{role.name}}SwiftRingUpdate: + type: OS::TripleO::Tasks::SwiftRingUpdate + depends_on: + {% for dep in roles %} + - {{dep.name}}Deployment_Step5 + {% endfor %} + properties: + servers: {get_param: [servers, {{role.name}}]} + {% endif %} {% endfor %} diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml index 2f070da2..2e1bd6f1 100644 --- a/puppet/role.role.j2.yaml +++ b/puppet/role.role.j2.yaml @@ -137,7 +137,14 @@ parameters: Command or script snippet to run on all overcloud nodes to initialize the upgrade process. E.g. a repository switch. default: '' - + UpgradeInitCommonCommand: + type: string + description: | + Common commands required by the upgrades process. This should not + normally be modified by the operator and is set and unset in the + major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml + environment files. + default: '' resources: {{role}}: @@ -386,6 +393,7 @@ resources: - - "#!/bin/bash\n\n" - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n" - get_param: UpgradeInitCommand + - get_param: UpgradeInitCommonCommand # Note we may be able to make this conditional on UpgradeInitCommandNotEmpty # but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first diff --git a/puppet/services/aodh-base.yaml b/puppet/services/aodh-base.yaml index 8648a971..f5ca329e 100644 --- a/puppet/services/aodh-base.yaml +++ b/puppet/services/aodh-base.yaml @@ -80,7 +80,7 @@ outputs: aodh::keystone::authtoken::project_name: 'service' aodh::keystone::authtoken::password: {get_param: AodhPassword} aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } aodh::auth::auth_password: {get_param: AodhPassword} aodh::auth::auth_region: 'regionOne' aodh::auth::auth_tenant_name: 'service' diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index 186af1cc..239b6ca9 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -75,7 +75,7 @@ outputs: - get_attr: [ApacheServiceBase, role_data, config_settings] - barbican::keystone::authtoken::password: {get_param: BarbicanPassword} barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::project_name: 'service' barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} barbican::api::db_auto_create: false diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index a86a0cdf..5658e416 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -96,13 +96,12 @@ outputs: - '?bind_address=' - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" ceilometer_backend: {get_param: CeilometerBackend} - ceilometer::metering_secret: {get_param: CeilometerMeteringSecret} # we include db_sync class in puppet-tripleo ceilometer::db::sync_db: false ceilometer::keystone::authtoken::project_name: 'service' ceilometer::keystone::authtoken::password: {get_param: CeilometerPassword} ceilometer::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::agent::auth::auth_password: {get_param: CeilometerPassword} ceilometer::agent::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::agent::notification::event_pipeline_publishers: {get_param: EventPipelinePublishers} diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 83339f2b..d7014e54 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml @@ -54,7 +54,7 @@ outputs: - get_attr: [CephBase, role_data, config_settings] - tripleo::profile::base::ceph::rgw::rgw_key: {get_param: CephRgwKey} tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken} - tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]} tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]} tripleo::profile::base::ceph::rgw::rgw_keystone_version: v3 diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index bc5f080d..8c5a07ac 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -81,7 +81,7 @@ outputs: - get_attr: [CinderBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} cinder::keystone::authtoken::password: {get_param: CinderPassword} cinder::keystone::authtoken::project_name: 'service' cinder::api::enable_proxy_headers_parsing: true diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 8c4042d9..808f1353 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -34,6 +34,10 @@ parameters: default: true description: Whether to use Galera instead of regular MariaDB. type: boolean + NovaPassword: + description: The password for the nova db account + type: string + hidden: true resources: @@ -94,6 +98,8 @@ outputs: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql + metadata_settings: + get_attr: [MySQLTLS, role_data, metadata_settings] upgrade_tasks: - name: Check for galera root password tags: step0 @@ -104,6 +110,15 @@ outputs: - name: Start service tags: step4 service: name=mariadb state=started - metadata_settings: - get_attr: [MySQLTLS, role_data, metadata_settings] - + - name: Setup cell_v2 (create cell0 database) + tags: step4 + mysql_db: + name: nova_cell0 + state: present + - name: Setup cell_v2 (grant access to the nova DB user) + tags: step4 + mysql_user: + str_replace: + template: "name=nova password=PASSWORD host=\"%\" priv=\"nova.*:ALL/nova_cell0.*:ALL,GRANT\" state=present" + params: + PASSWORD: {get_param: NovaPassword} diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml index 7049d773..002342b6 100644 --- a/puppet/services/ec2-api.yaml +++ b/puppet/services/ec2-api.yaml @@ -66,7 +66,7 @@ outputs: ec2api::keystone::authtoken::project_name: 'service' ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword} ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} ec2api::api::enabled: true ec2api::package_manage: {get_param: EnablePackageInstall} ec2api::api::ec2api_listen: diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 5b3ab3e4..c4f97d54 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -95,7 +95,7 @@ outputs: - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false glance::api::enable_v2_api: true glance::api::authtoken::password: {get_param: GlancePassword} diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 23fcb2f6..22c0967e 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -84,7 +84,7 @@ outputs: gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} gnocchi::keystone::authtoken::project_name: 'service' gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS} @@ -105,7 +105,7 @@ outputs: gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi' gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri]} step_config: | include ::tripleo::profile::base::gnocchi::api diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml index 90943751..b4d314f4 100644 --- a/puppet/services/heat-base.yaml +++ b/puppet/services/heat-base.yaml @@ -122,7 +122,7 @@ outputs: heat::rabbit_heartbeat_timeout_threshold: 60 heat::keystone::authtoken::project_name: 'service' heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } heat::keystone::authtoken::password: {get_param: HeatPassword} heat::keystone::domain::domain_name: 'heat_stack' heat::keystone::domain::domain_admin: 'heat_stack_domain_admin' diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index bc34b736..a84df538 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -51,7 +51,7 @@ outputs: ironic::api::authtoken::project_name: 'service' ironic::api::authtoken::username: 'ironic' ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): diff --git a/puppet/services/logging/fluentd-client.yaml b/puppet/services/logging/fluentd-client.yaml index 769ab68f..94c63d33 100644 --- a/puppet/services/logging/fluentd-client.yaml +++ b/puppet/services/logging/fluentd-client.yaml @@ -62,3 +62,12 @@ outputs: get_attr: [LoggingConfiguration, LoggingSharedKey] step_config: | include ::tripleo::profile::base::logging::fluentd + upgrade_tasks: + - name: Check status of fluentd service + shell: > + /usr/bin/systemctl show fluentd --property ActiveState | + grep '\bactive\b' + tags: step0,validation + - name: Stop fluentd service + tags: step2 + service: name=fluentd state=stopped diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml index f1cddbd0..7b78c82e 100644 --- a/puppet/services/manila-api.yaml +++ b/puppet/services/manila-api.yaml @@ -49,7 +49,7 @@ outputs: - get_attr: [ManilaBase, role_data, config_settings] - manila::keystone::authtoken::password: {get_param: ManilaPassword} manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' tripleo.manila_api.firewall_rules: '150 manila': diff --git a/puppet/services/manila-share.yaml b/puppet/services/manila-share.yaml index e38fe675..6ac0d2cf 100644 --- a/puppet/services/manila-share.yaml +++ b/puppet/services/manila-share.yaml @@ -46,7 +46,7 @@ outputs: - manila::volume::cinder::cinder_admin_tenant_name: 'service' manila::keystone::authtoken::password: {get_param: ManilaPassword} manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' service_config_settings: get_attr: [ManilaBase, role_data, service_config_settings] diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml index eba8a58b..146cc306 100644 --- a/puppet/services/memcached.yaml +++ b/puppet/services/memcached.yaml @@ -18,6 +18,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + MemcachedMaxMemory: + default: '50%' + description: The maximum amount of memory for memcached to be configured + to use when installed. This can be either a percentage ('50%') + or a fixed value ('2048'). + type: string MonitoringSubscriptionMemcached: default: 'overcloud-memcached' type: string @@ -35,6 +41,7 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR memcached::listen_ip: {get_param: [ServiceNetMap, MemcachedNetwork]} + memcached::max_memory: {get_param: MemcachedMaxMemory} tripleo.memcached.firewall_rules: '121 memcached': dport: 11211 diff --git a/puppet/services/metrics/collectd.yaml b/puppet/services/metrics/collectd.yaml index e4e7dac7..a3e3b842 100644 --- a/puppet/services/metrics/collectd.yaml +++ b/puppet/services/metrics/collectd.yaml @@ -109,3 +109,12 @@ outputs: .flatten().distinct() step_config: | include ::tripleo::profile::base::metrics::collectd + upgrade_tasks: + - name: Check status of collectd service + shell: > + /usr/bin/systemctl show collectd --property ActiveState | + grep '\bactive\b' + tags: step0,validation + - name: Stop collectd service + tags: step2 + service: name=collectd state=stopped diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml index e678b14f..4d020498 100644 --- a/puppet/services/mistral-base.yaml +++ b/puppet/services/mistral-base.yaml @@ -76,7 +76,7 @@ outputs: mistral::keystone_tenant: 'service' mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} - mistral::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + mistral::identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} service_config_settings: keystone: mistral::keystone::auth::tenant: 'service' diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index 76ba59c1..d74a68a2 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -62,3 +62,12 @@ outputs: region: {get_param: KeystoneRegion} step_config: | include ::tripleo::profile::base::monitoring::sensu + upgrade_tasks: + - name: Check status of sensu-client service + shell: > + /usr/bin/systemctl show sensu-client --property ActiveState | + grep '\bactive\b' + tags: step0,validation + - name: Stop sensu-client service + tags: step2 + service: name=sensu-client state=stopped diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index e89509b2..b3a07fb0 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -130,14 +130,12 @@ outputs: - '?bind_address=' - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} neutron::server::api_workers: {get_param: NeutronWorkers} neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} neutron::server::enable_proxy_headers_parsing: true neutron::keystone::authtoken::password: {get_param: NeutronPassword} - - neutron::server::notifications::nova_url: { get_param: [ EndpointMap, NovaInternal, uri ] } neutron::server::notifications::auth_url: { get_param: [ EndpointMap, KeystoneV3Admin, uri ] } neutron::server::notifications::tenant_name: 'service' neutron::server::notifications::project_name: 'service' diff --git a/puppet/services/neutron-compute-plugin-ovn.yaml b/puppet/services/neutron-compute-plugin-ovn.yaml index ce28b5c3..e3a4da99 100644 --- a/puppet/services/neutron-compute-plugin-ovn.yaml +++ b/puppet/services/neutron-compute-plugin-ovn.yaml @@ -18,9 +18,6 @@ parameters: via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json - OVNDbHost: - description: IP address on which the OVN DB servers are listening - type: string OVNSouthboundServerPort: description: Port of the Southbound DB Server type: number @@ -29,6 +26,16 @@ parameters: description: Tunnel encapsulation type type: string default: geneve + NeutronBridgeMappings: + description: > + The OVS logical->physical bridge mappings to use. See the Neutron + documentation for details. Defaults to mapping br-ex - the external + bridge on hosts - to a physical name 'datacentre' which can be used + to create provider networks (and we use this for the default floating + network) - if changing this either use different post-install network + scripts or be sure to keep 'datacentre' as a mapping network name + type: comma_delimited_list + default: "datacentre:br-ex" outputs: @@ -37,9 +44,16 @@ outputs: value: service_name: neutron_compute_plugin_ovn config_settings: - tripleo::profile::base::neutron::agents::ovn::ovn_db_host: {get_param: OVNDbHost} ovn::southbound::port: {get_param: OVNSouthboundServerPort} - ovn::southbound::encap_type: {get_param: OVNTunnelEncapType} + ovn::controller::ovn_encap_type: {get_param: OVNTunnelEncapType} ovn::controller::ovn_encap_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} + ovn::controller::ovn_bridge_mappings: {get_param: NeutronBridgeMappings} + tripleo.neutron_compute_plugin_ovn.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '119 neutron geneve networks': + proto: 'udp' + dport: 6081 step_config: | include ::tripleo::profile::base::neutron::agents::ovn diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index 199b5809..6f5debdd 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -70,7 +70,7 @@ outputs: - neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret} neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers} neutron::agents::metadata::auth_password: {get_param: NeutronPassword} - neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}" step_config: | diff --git a/puppet/services/neutron-plugin-ml2-ovn.yaml b/puppet/services/neutron-plugin-ml2-ovn.yaml index 59346edc..4d4c3900 100644 --- a/puppet/services/neutron-plugin-ml2-ovn.yaml +++ b/puppet/services/neutron-plugin-ml2-ovn.yaml @@ -18,10 +18,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + OVNSouthboundServerPort: + description: Port of the OVN Southbound DB server + type: number + default: 6642 OVNDbConnectionTimeout: description: Timeout in seconds for the OVSDB connection transaction type: number - default: 60 + default: 180 OVNVifType: description: Type of VIF to be used for ports type: string @@ -43,6 +47,10 @@ parameters: description: OVN notification driver for Neutron QOS service plugin type: string default: NULL + NeutronGeneveMaxHeaderSize: + description: Geneve encapsulation header size + type: number + default: 38 resources: @@ -61,10 +69,12 @@ outputs: config_settings: map_merge: - get_attr: [NeutronMl2Base, role_data, config_settings] - - neutron::plugins::ovn::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout} - neutron::plugins::ovn::neutron_sync_mode: {get_param: OVNNeutronSyncMode} - neutron::plugins::ovn::ovn_l3_mode: true - neutron::plugins::ovn::vif_type: {get_param: OVNVifType} + - ovn::southbound::port: {get_param: OVNSouthboundServerPort} + neutron::plugins::ml2::ovn::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout} + neutron::plugins::ml2::ovn::neutron_sync_mode: {get_param: OVNNeutronSyncMode} + neutron::plugins::ml2::ovn::ovn_l3_mode: true + neutron::plugins::ml2::ovn::vif_type: {get_param: OVNVifType} neutron::server::qos_notification_drivers: {get_param: OVNQosDriver} + neutron::plugins::ml2::max_header_size: {get_param: NeutronGeneveMaxHeaderSize} step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-plugin-plumgrid.yaml b/puppet/services/neutron-plugin-plumgrid.yaml index bd078074..ad1dcfb0 100644 --- a/puppet/services/neutron-plugin-plumgrid.yaml +++ b/puppet/services/neutron-plugin-plumgrid.yaml @@ -102,7 +102,7 @@ outputs: - '/ovs_neutron' - '?bind_address=' - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" - neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneAdmin, host]} + neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneInternal, host]} neutron::plugins::plumgrid::admin_password: {get_param: AdminPassword} neutron::plugins::plumgrid::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} neutron::plugins::plumgrid::director_server: {get_param: PLUMgridDirectorServer} diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 0c5f3afe..d18b5b48 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -58,6 +58,10 @@ parameters: default: 'public' description: Default pool for floating IP addresses type: string + NovaDbSyncTimeout: + default: 300 + description: Timeout for Nova db sync + type: number conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} @@ -108,7 +112,7 @@ outputs: nova::keystone::authtoken::project_name: 'service' nova::keystone::authtoken::password: {get_param: NovaPassword} nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} nova::api::enabled: true nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool} nova::api::sync_db_api: true @@ -178,3 +182,86 @@ outputs: # https://bugs.launchpad.net/nova/+bug/1661360 # metadata_settings: # get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: get bootstrap nodeid + tags: common + command: hiera bootstrap_nodeid + register: bootstrap_node + - name: set is_bootstrap_node fact + tags: common + set_fact: is_bootstrap_node={{bootstrap_node.stdout == ansible_hostname}} + - name: Extra migration for nova tripleo/+bug/1656791 + tags: step0,pre-upgrade + when: is_bootstrap_node + command: nova-manage db online_data_migrations + - name: update nova api + tags: step2 + yum: name=openstack-nova-api state=latest + - name: Stop and disable nova_api service (pre-upgrade not under httpd) + tags: step2 + service: name=openstack-nova-api state=stopped enabled=no + - name: Create puppet manifest to set transport_url in nova.conf + tags: step5 + when: is_bootstrap_node + copy: + dest: /root/nova-api_upgrade_manifest.pp + mode: 0600 + content: > + $transport_url = os_transport_url({ + 'transport' => hiera('messaging_service_name', 'rabbit'), + 'hosts' => any2array(hiera('rabbitmq_node_names', undef)), + 'port' => sprintf('%s',hiera('nova::rabbit_port', '5672') ), + 'username' => hiera('nova::rabbit_userid', 'guest'), + 'password' => hiera('nova::rabbit_password'), + 'ssl' => sprintf('%s', bool2num(str2bool(hiera('nova::rabbit_use_ssl', '0')))) + }) + oslo::messaging::default { 'nova_config': + transport_url => $transport_url + } + - name: Run puppet apply to set tranport_url in nova.conf + tags: step5 + when: is_bootstrap_node + command: puppet apply --detailed-exitcodes /root/nova-api_upgrade_manifest.pp + register: puppet_apply_nova_api_upgrade + failed_when: puppet_apply_nova_api_upgrade.rc not in [0,2] + changed_when: puppet_apply_nova_api_upgrade.rc == 2 + - name: Setup cell_v2 (map cell0) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_cell0 + - name: Setup cell_v2 (create default cell) + tags: step5 + when: is_bootstrap_node + # (owalsh) puppet-nova expects the cell name 'default' + # (owalsh) pass the db uri explicitly to avoid https://bugs.launchpad.net/tripleo/+bug/1662344 + shell: nova-manage cell_v2 create_cell --name='default' --database_connection=$(hiera nova::database_connection) + register: nova_api_create_cell + failed_when: nova_api_create_cell.rc not in [0,2] + changed_when: nova_api_create_cell.rc == 0 + - name: Setup cell_v2 (sync nova/cell DB) + tags: step5 + when: is_bootstrap_node + command: nova-manage db sync + async: {get_param: NovaDbSyncTimeout} + poll: 10 + - name: Setup cell_v2 (migrate hosts) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_cell_and_hosts + - name: Setup cell_v2 (get cell uuid) + tags: step5 + when: is_bootstrap_node + shell: nova-manage cell_v2 list_cells | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}' + register: nova_api_cell_uuid + - name: Setup cell_v2 (migrate instances) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_instances --cell_uuid {{nova_api_cell_uuid.stdout}} + - name: Sync nova_api DB + tags: step5 + command: nova-manage api_db sync + when: is_bootstrap_node + - name: Online data migration for nova + tags: step5 + when: is_bootstrap_node + command: nova-manage db online_data_migrations diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 5b9fb769..d892c36d 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -121,7 +121,6 @@ parameters: Endpoint interface to be used for the placement API. default: 'internal' - conditions: compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']} @@ -139,7 +138,7 @@ outputs: nova::rabbit_port: {get_param: RabbitClientPort} nova::placement::project_name: 'service' nova::placement::password: {get_param: NovaPassword} - nova::placement::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::placement::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} nova::placement::os_region_name: {get_param: KeystoneRegion} nova::placement::os_interface: {get_param: NovaPlacementAPIInterface} nova::database_connection: diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index f7484da2..9923e833 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -75,6 +75,10 @@ parameters: default: tag: openstack.nova.compute path: /var/log/nova/nova-compute.log + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: auto resources: NovaBase: @@ -146,3 +150,19 @@ outputs: tripleo.collectd.plugins.nova_compute: - virt collectd::plugins::virt::connection: "qemu:///system" + upgrade_tasks: + - name: Stop nova-compute service + tags: step2 + service: name=openstack-nova-compute state=stopped + # If not already set by puppet (e.g a pre-ocata version), set the + # upgrade_level for compute to "auto" + - name: Set compute upgrade level to auto + tags: step3 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} + - name: Start nova-compute service + tags: step6 + service: name=openstack-nova-compute state=started diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index b96bf6e6..7b086536 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml @@ -30,6 +30,10 @@ parameters: default: tag: openstack.nova.scheduler path: /var/log/nova/nova-scheduler.log + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: auto conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} @@ -61,3 +65,19 @@ outputs: - nova::conductor::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::conductor + upgrade_tasks: + - name: Stop nova_conductor service + tags: step2 + service: name=openstack-nova-conductor state=stopped + - name: update nova conductor + tags: step2 + yum: name=openstack-nova-conductor state=latest + # If not already set by puppet (e.g a pre-ocata version), set the + # upgrade_level for compute to "auto" + - name: Set compute upgrade level to auto + tags: step3 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} diff --git a/puppet/services/nova-consoleauth.yaml b/puppet/services/nova-consoleauth.yaml index 79969ded..b5a1312a 100644 --- a/puppet/services/nova-consoleauth.yaml +++ b/puppet/services/nova-consoleauth.yaml @@ -48,3 +48,7 @@ outputs: get_attr: [NovaBase, role_data, config_settings] step_config: | include tripleo::profile::base::nova::consoleauth + upgrade_tasks: + - name: Stop nova_consoleauth service + tags: step2 + service: name=openstack-nova-consoleauth state=stopped diff --git a/puppet/services/nova-ironic.yaml b/puppet/services/nova-ironic.yaml index 306c6b6f..5eb2170a 100644 --- a/puppet/services/nova-ironic.yaml +++ b/puppet/services/nova-ironic.yaml @@ -42,10 +42,10 @@ outputs: - nova::compute::force_config_drive: true nova::compute::reserved_host_memory: '0' nova::compute::vnc_enabled: false - nova::ironic::common::admin_password: {get_param: IronicPassword} - nova::ironic::common::admin_tenant_name: 'service' - nova::ironic::common::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri]} - nova::ironic::common::admin_username: 'ironic' + nova::ironic::common::password: {get_param: IronicPassword} + nova::ironic::common::project_name: 'service' + nova::ironic::common::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + nova::ironic::common::username: 'ironic' nova::ironic::common::api_endpoint: {get_param: [EndpointMap, IronicInternal, uri]} nova::network::neutron::dhcp_domain: '' nova::scheduler::filter::scheduler_host_manager: 'ironic_host_manager' diff --git a/puppet/services/nova-scheduler.yaml b/puppet/services/nova-scheduler.yaml index 353a75ac..0e0b9d1e 100644 --- a/puppet/services/nova-scheduler.yaml +++ b/puppet/services/nova-scheduler.yaml @@ -63,3 +63,10 @@ outputs: nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters} step_config: | include tripleo::profile::base::nova::scheduler + upgrade_tasks: + - name: Stop nova_scheduler service + tags: step2 + service: name=openstack-nova-scheduler state=stopped + - name: update nova scheduler + tags: step2 + yum: name=openstack-nova-scheduler state=latest diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml index bf244943..f6cf9649 100644 --- a/puppet/services/nova-vnc-proxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml @@ -64,3 +64,7 @@ outputs: - 13080 step_config: | include tripleo::profile::base::nova::vncproxy + upgrade_tasks: + - name: Stop nova_vnc_proxy service + tags: step2 + service: name=openstack-nova-consoleauth state=stopped diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml index 58223baf..37ba1f73 100644 --- a/puppet/services/octavia-api.yaml +++ b/puppet/services/octavia-api.yaml @@ -68,7 +68,7 @@ outputs: - '/octavia' - '?bind_address=' - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" - octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} octavia::keystone::authtoken::project_name: 'service' octavia::keystone::authtoken::password: {get_param: OctaviaPassword} octavia::api::sync_db: true diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml index 6e25d796..2c2586af 100644 --- a/puppet/services/panko-base.yaml +++ b/puppet/services/panko-base.yaml @@ -53,7 +53,7 @@ outputs: panko::keystone::authtoken::project_name: 'service' panko::keystone::authtoken::password: {get_param: PankoPassword} panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::auth::auth_password: {get_param: PankoPassword} panko::auth::auth_region: 'regionOne' panko::auth::auth_tenant_name: 'service' diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml index b4307053..e2084186 100644 --- a/puppet/services/sahara-base.yaml +++ b/puppet/services/sahara-base.yaml @@ -73,7 +73,7 @@ outputs: sahara::debug: {get_param: Debug} sahara::admin_password: {get_param: SaharaPassword} sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - sahara::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + sahara::identity_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } sahara::use_neutron: true sahara::plugins: {get_param: SaharaPlugins} sahara::rpc_backend: rabbit diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index 80da5352..a2286d16 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -52,11 +52,7 @@ outputs: description: Combined Role data for this set of services. value: service_names: - # Filter any null/None service_names which may be present due to mapping - # of services to OS::Heat::None - yaql: - expression: list($.data.s_names.where($ != null)) - data: {s_names: {get_attr: [ServiceChain, role_data, service_name]}} + {get_attr: [ServiceChain, role_data, service_name]} monitoring_subscriptions: yaql: expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null)) @@ -112,7 +108,7 @@ outputs: yaql: expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {}) data: {role_data: {get_attr: [ServiceChain, role_data]}} - step_config: {list_join: ["\n", {get_attr: [ServiceChain, role_data, step_config]}]} + step_config: {get_attr: [ServiceChain, role_data, step_config]} upgrade_tasks: yaql: # Note we use distinct() here to filter any identical tasks, e.g yum update for all services diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 31a4c178..526fa888 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -87,7 +87,7 @@ outputs: - get_attr: [SwiftBase, role_data, config_settings] - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::authtoken::password: {get_param: SwiftPassword} swift::proxy::authtoken::project_name: 'service' swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout} diff --git a/puppet/services/time/ntp.yaml b/puppet/services/time/ntp.yaml index 88ab90cb..b14d7bcc 100644 --- a/puppet/services/time/ntp.yaml +++ b/puppet/services/time/ntp.yaml @@ -22,8 +22,10 @@ parameters: via parameter_defaults in the resource registry. type: json NtpServer: - default: [] - description: NTP servers + default: ['pool.ntp.org'] + description: NTP servers list. Defaulted to pool.ntp.org in order to + have a sane default for Pacemaker deployments when + not configuring this parameter by default. type: comma_delimited_list outputs: diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml index 0224ac13..cb860fa8 100644 --- a/puppet/services/zaqar.yaml +++ b/puppet/services/zaqar.yaml @@ -40,7 +40,7 @@ outputs: config_settings: zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} zaqar::keystone::authtoken::project_name: 'service' - zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} zaqar::debug: {get_param: Debug} zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]} diff --git a/puppet/upgrade_config.yaml b/puppet/upgrade_config.yaml index c37cc033..2cfd43f4 100644 --- a/puppet/upgrade_config.yaml +++ b/puppet/upgrade_config.yaml @@ -41,7 +41,7 @@ resources: - {get_param: SkipUpgradeConfigTags} tags: str_replace: - template: "stepSTEP" + template: "common,stepSTEP" params: STEP: {get_param: step} modulepath: /usr/share/ansible-modules diff --git a/releasenotes/notes/add-default-ntp-server-696b8568e09be497.yaml b/releasenotes/notes/add-default-ntp-server-696b8568e09be497.yaml new file mode 100644 index 00000000..78fdbb59 --- /dev/null +++ b/releasenotes/notes/add-default-ntp-server-696b8568e09be497.yaml @@ -0,0 +1,6 @@ +--- +issues: + - We add a default NTP server to the Overcloud + for all Pacemaker and non-Pacemaker deployments, + also useful for keeping time diff controlled for + Keystone and Ceph. diff --git a/releasenotes/notes/composable-ha-37e2d7e1f57f5c10.yaml b/releasenotes/notes/composable-ha-37e2d7e1f57f5c10.yaml new file mode 100644 index 00000000..e560fe95 --- /dev/null +++ b/releasenotes/notes/composable-ha-37e2d7e1f57f5c10.yaml @@ -0,0 +1,12 @@ +--- +features: + - With the composable HA work landed it is now possible + to split pacemaker-managed services like galera, rabbit, + redis, haproxy and any A/P resource, off to dedicated + nodes. These services can be split off to separate nodes + either via the normal Pacemaker service (which has a limit + of 16 maximum number of nodes) or via the newer PacemakerRemote + service (but not both on the same node). Note that until + https://bugzilla.redhat.com/show_bug.cgi?id=1417936 is fixed, + PacemakerRemote should only be used for Cinder A/P resources + and Manila A/P resources. diff --git a/releasenotes/notes/ha-by-default-55326e699ee8602c.yaml b/releasenotes/notes/ha-by-default-55326e699ee8602c.yaml new file mode 100644 index 00000000..edcc1250 --- /dev/null +++ b/releasenotes/notes/ha-by-default-55326e699ee8602c.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - The environments/puppet-pacemaker.yaml file is now deprecated and the HA + deployment is now the default. In order to get the non-HA deployment use + environments/nonha-arch.yaml explicitly. diff --git a/releasenotes/notes/keystone_internal-53cc7b24ebdd9df4.yaml b/releasenotes/notes/keystone_internal-53cc7b24ebdd9df4.yaml new file mode 100644 index 00000000..1f41073b --- /dev/null +++ b/releasenotes/notes/keystone_internal-53cc7b24ebdd9df4.yaml @@ -0,0 +1,9 @@ +--- +other: + - | + Use Keystone internal endpoint instead of admin for services. + The admin endpoint is listening on the ctlplane network by default; + services should ideally be using the internal api network for this kind + of traffic, as the ctlplane network is mostly for provisioning. On the + other hand, the admin endpoint shouldn't be as relevant with services + switching to keystone v3. diff --git a/releasenotes/notes/memcached-max-memory-ef6834d17953fca6.yaml b/releasenotes/notes/memcached-max-memory-ef6834d17953fca6.yaml new file mode 100644 index 00000000..c14cefa0 --- /dev/null +++ b/releasenotes/notes/memcached-max-memory-ef6834d17953fca6.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Memcached max memory configuration is now exposed va MemcachedMaxMemory. +upgrade: + - | + Reduce the default memory configuration for memcached from 95% to 50%. diff --git a/releasenotes/source/index.rst b/releasenotes/source/index.rst index 9767dad2..43c77709 100644 --- a/releasenotes/source/index.rst +++ b/releasenotes/source/index.rst @@ -9,6 +9,7 @@ Contents :maxdepth: 2 unreleased + ocata Indices and tables diff --git a/releasenotes/source/ocata.rst b/releasenotes/source/ocata.rst new file mode 100644 index 00000000..ebe62f42 --- /dev/null +++ b/releasenotes/source/ocata.rst @@ -0,0 +1,6 @@ +=================================== + Ocata Series Release Notes +=================================== + +.. release-notes:: + :branch: origin/stable/ocata |