diff options
Diffstat (limited to 'puppet/services')
27 files changed, 339 insertions, 30 deletions
diff --git a/puppet/services/README.rst b/puppet/services/README.rst index d55414b7..a593d55e 100644 --- a/puppet/services/README.rst +++ b/puppet/services/README.rst @@ -155,7 +155,7 @@ Similar to the step_config, we allow a series of steps for the per-service upgrade sequence, defined as ansible tasks with a tag e.g "step1" for the first step, "step2" for the second, etc. - Steps/tages correlate to the following: + Steps/tags correlate to the following: 1) Stop all control-plane services. @@ -186,6 +186,18 @@ Note that the services are not started in the upgrade tasks - we instead re-run puppet which does any reconfiguration required for the new version, then starts the services. +Update Steps +------------ + +Each service template may optionally define a `update_tasks` key, which is a +list of ansible tasks to be performed during the minor update process. + +Similar to the upgrade_tasks, we allow a series of steps for the per-service +update sequence, but note update_task selects the steps via a conditional +referencing the step variable e.g when: step == 2, which is different to the +tags based approach used for upgrade_tasks (the two may be aligned in future). + + Nova Server Metadata Settings ----------------------------- diff --git a/puppet/services/ceilometer-agent-compute.yaml b/puppet/services/ceilometer-agent-compute.yaml index 3cf51519..27bc50f3 100644 --- a/puppet/services/ceilometer-agent-compute.yaml +++ b/puppet/services/ceilometer-agent-compute.yaml @@ -39,6 +39,10 @@ parameters: type: string constraints: - allowed_values: ['naive', 'libvirt_metadata', 'workload_partitioning'] + RedisPassword: + description: The password for the redis service account. + type: string + hidden: true resources: CeilometerServiceBase: @@ -61,6 +65,7 @@ outputs: map_merge: - get_attr: [CeilometerServiceBase, role_data, config_settings] - ceilometer::agent::compute::instance_discovery_method: {get_param: InstanceDiscoveryMethod} + - ceilometer_redis_password: {get_param: RedisPassword} compute_namespace: true service_config_settings: get_attr: [CeilometerServiceBase, role_data, service_config_settings] diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index 9fc1530a..5cc020a9 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -51,6 +51,8 @@ parameters: description: > A list of publishers to put in event_pipeline.yaml. When the collector is used, override this with notifier:// publisher. + If zaqar is enabled, you can also publish to a zaqar queue + by including "zaqar://?queue=queue_name" in this list. Set ManageEventPipeline to true for override to take effect. type: comma_delimited_list ManagePipeline: diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 04f34e24..dcead0f7 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -47,6 +47,11 @@ parameters: EnableInternalTLS: type: boolean default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. conditions: @@ -98,6 +103,7 @@ outputs: generate_service_certificates: true mongodb::server::ssl: true mongodb::server::ssl_key: '/etc/pki/tls/certs/mongodb.pem' + mongodb::server::ssl_ca: {get_param: InternalTLSCAFile} mongodb_certificate_specs: service_pem: '/etc/pki/tls/certs/mongodb.pem' service_certificate: '/etc/pki/tls/certs/mongodb.crt' diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml index bd96823b..bdcc4fcd 100644 --- a/puppet/services/database/redis.yaml +++ b/puppet/services/database/redis.yaml @@ -77,3 +77,6 @@ outputs: tags: step3 yum: name=redis state=latest when: redis_enabled.rc != 0 + - name: Start redis service + tags: step4 + service: name=redis state=started diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml index b6b4f270..642685a8 100644 --- a/puppet/services/haproxy-internal-tls-certmonger.yaml +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -30,6 +30,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + HAProxyInternalTLSCertsDirectory: + default: '/etc/pki/tls/certs/haproxy' + type: string + HAProxyInternalTLSKeysDirectory: + default: '/etc/pki/tls/private/haproxy' + type: string resources: @@ -55,14 +61,30 @@ outputs: config_settings: generate_service_certificates: true tripleo::haproxy::use_internal_certificates: true + tripleo::certmonger::haproxy_dirs::certificate_dir: + get_param: HAProxyInternalTLSCertsDirectory + tripleo::certmonger::haproxy_dirs::key_dir: + get_param: HAProxyInternalTLSKeysDirectory certificates_specs: map_merge: repeat: template: haproxy-NETWORK: - service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem' - service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt' - service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key' + service_pem: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-NETWORK.pem' + service_certificate: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-NETWORK.crt' + service_key: + list_join: + - '' + - - {get_param: HAProxyInternalTLSKeysDirectory} + - '/overcloud-haproxy-NETWORK.key' hostname: "%{hiera('cloud_name_NETWORK')}" postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_NETWORK')}" diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml index e79d2aec..b2766c44 100644 --- a/puppet/services/haproxy-public-tls-certmonger.yaml +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -30,6 +30,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + HAProxyInternalTLSCertsDirectory: + default: '/etc/pki/tls/certs/haproxy' + type: string + HAProxyInternalTLSKeysDirectory: + default: '/etc/pki/tls/private/haproxy' + type: string outputs: role_data: @@ -38,12 +44,32 @@ outputs: service_name: haproxy_public_tls_certmonger config_settings: generate_service_certificates: true - tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + tripleo::haproxy::service_certificate: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-external.pem' + tripleo::certmonger::haproxy_dirs::certificate_dir: + get_param: HAProxyInternalTLSCertsDirectory + tripleo::certmonger::haproxy_dirs::key_dir: + get_param: HAProxyInternalTLSKeysDirectory certificates_specs: haproxy-external: - service_pem: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' - service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.crt' - service_key: '/etc/pki/tls/private/overcloud-haproxy-external.key' + service_pem: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-external.pem' + service_certificate: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-external.crt' + service_key: + list_join: + - '' + - - {get_param: HAProxyInternalTLSKeysDirectory} + - '/overcloud-haproxy-external.key' hostname: "%{hiera('cloud_name_external')}" postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_external')}" diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index a37135da..6b2d028f 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -57,6 +57,16 @@ parameters: MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string + SSLCertificate: + default: '' + description: > + The content of the SSL certificate (without Key) in PEM format. + type: string + DeployedSSLCertificatePath: + default: '/etc/pki/tls/private/overcloud_endpoint.pem' + description: > + The filepath of the certificate as it will be stored in the controller. + type: string InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string @@ -68,6 +78,14 @@ parameters: description: Specifies the default CRL PEM file to use for revocation if TLS is used for services in the internal network. +conditions: + + public_tls_enabled: + not: + equals: + - {get_param: SSLCertificate} + - "" + resources: HAProxyPublicTLS: @@ -98,8 +116,6 @@ outputs: monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: map_merge: - - get_attr: [HAProxyPublicTLS, role_data, config_settings] - - get_attr: [HAProxyInternalTLS, role_data, config_settings] - tripleo.haproxy.firewall_rules: '107 haproxy stats': dport: 1993 @@ -115,6 +131,12 @@ outputs: map_merge: - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] + - if: + - public_tls_enabled + - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath} + - {} + - get_attr: [HAProxyPublicTLS, role_data, config_settings] + - get_attr: [HAProxyInternalTLS, role_data, config_settings] step_config: | include ::tripleo::profile::base::haproxy upgrade_tasks: diff --git a/puppet/services/iscsid.yaml b/puppet/services/iscsid.yaml index 9510df3b..222977e9 100644 --- a/puppet/services/iscsid.yaml +++ b/puppet/services/iscsid.yaml @@ -36,6 +36,6 @@ outputs: description: Role data for iscsid value: service_name: iscsid - config_setting: {} + config_settings: {} step_config: | include ::tripleo::profile::base::iscsid diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 8796209b..218ba740 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -178,10 +178,10 @@ parameters: Cron to purge expired tokens - Week Day default: '*' KeystoneCronTokenFlushMaxDelay: - type: string + type: number description: > Cron to purge expired tokens - Max Delay - default: '0' + default: 0 KeystoneCronTokenFlushDestination: type: string description: > diff --git a/puppet/services/network/contrail-dpdk.yaml b/puppet/services/network/contrail-dpdk.yaml index 1f331894..65b2a2a1 100644 --- a/puppet/services/network/contrail-dpdk.yaml +++ b/puppet/services/network/contrail-dpdk.yaml @@ -31,7 +31,7 @@ parameters: via parameter_defaults in the resource registry. type: json NeutronMetadataProxySharedSecret: - description: Metadata Secret + description: Shared secret to prevent spoofing type: string hidden: true ContrailVrouterPhysicalInterface: diff --git a/puppet/services/network/contrail-tsn.yaml b/puppet/services/network/contrail-tsn.yaml index 058b9dc9..a9655160 100644 --- a/puppet/services/network/contrail-tsn.yaml +++ b/puppet/services/network/contrail-tsn.yaml @@ -31,8 +31,9 @@ parameters: via parameter_defaults in the resource registry. type: json NeutronMetadataProxySharedSecret: - description: Metadata Secret + description: Shared secret to prevent spoofing type: string + hidden: true ContrailVrouterPhysicalInterface: default: 'eth0' description: vRouter physical interface diff --git a/puppet/services/network/contrail-vrouter.yaml b/puppet/services/network/contrail-vrouter.yaml index 981fe2fb..1773c367 100644 --- a/puppet/services/network/contrail-vrouter.yaml +++ b/puppet/services/network/contrail-vrouter.yaml @@ -31,7 +31,7 @@ parameters: via parameter_defaults in the resource registry. type: json NeutronMetadataProxySharedSecret: - description: Metadata Secret + description: Shared secret to prevent spoofing type: string hidden: true ContrailVrouterPhysicalInterface: diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index b9556890..b6980045 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -69,6 +69,12 @@ parameters: networks, neutron uses this value without modification. For overlay networks such as VXLAN, neutron automatically subtracts the overlay protocol overhead from this value. + NeutronDBSyncExtraParams: + default: '' + description: | + String of extra command line parameters to append to the neutron-db-manage + upgrade head command. + type: string ServiceData: default: {} description: Dictionary packing service data @@ -134,6 +140,7 @@ outputs: neutron::db::database_max_retries: -1 neutron::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu} + neutron::db::sync::extra_params: {get_param: NeutronDBSyncExtraParams} - if: - dhcp_agents_zero - {} diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index 1d4029cf..7894f78b 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -32,8 +32,7 @@ parameters: type: json NeutronEnableL2Pop: type: string - description: > - Enable/disable the L2 population feature in the Neutron agents. + description: Enable/disable the L2 population feature in the Neutron agents. default: "False" NeutronBridgeMappings: description: > @@ -47,8 +46,7 @@ parameters: default: "datacentre:br-ex" NeutronTunnelTypes: default: 'vxlan' - description: | - The tunnel types for the Neutron tenant network. + description: The tunnel types for the Neutron tenant network. type: comma_delimited_list NeutronAgentExtensions: default: "qos" diff --git a/puppet/services/neutron-plugin-ml2-nuage.yaml b/puppet/services/neutron-plugin-ml2-nuage.yaml new file mode 100644 index 00000000..a7dc2e8b --- /dev/null +++ b/puppet/services/neutron-plugin-ml2-nuage.yaml @@ -0,0 +1,99 @@ +heat_template_version: pike + +description: > + OpenStack Neutron ML2/Nuage plugin configured with Puppet + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + # Config specific parameters, to be provided via parameter_defaults + NeutronNuageNetPartitionName: + description: Specifies the title that you will see on the VSD + type: string + default: 'default_name' + + NeutronNuageVSDIp: + description: IP address and port of the Virtual Services Directory + type: string + + NeutronNuageVSDUsername: + description: Username to be used to log into VSD + type: string + + NeutronNuageVSDPassword: + description: Password to be used to log into VSD + type: string + + NeutronNuageVSDOrganization: + description: Organization parameter required to log into VSD + type: string + default: 'organization' + + NeutronNuageBaseURIVersion: + description: URI version to be used based on the VSD release + type: string + default: 'default_uri_version' + + NeutronNuageCMSId: + description: Cloud Management System ID (CMS ID) to distinguish between OS instances on the same VSD + type: string + + UseForwardedFor: + description: Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy. + type: boolean + default: false + +resources: + + NeutronML2Base: + type: ./neutron-plugin-ml2.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Neutron ML2/Nuage plugin + value: + service_name: neutron_plugin_ml2_nuage + config_settings: + map_merge: + - get_attr: [NeutronML2Base, role_data, config_settings] + - neutron::plugins::ml2::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName} + neutron::plugins::ml2::nuage::nuage_vsd_ip: {get_param: NeutronNuageVSDIp} + neutron::plugins::ml2::nuage::nuage_vsd_username: {get_param: NeutronNuageVSDUsername} + neutron::plugins::ml2::nuage::nuage_vsd_password: {get_param: NeutronNuageVSDPassword} + neutron::plugins::ml2::nuage::nuage_vsd_organization: {get_param: NeutronNuageVSDOrganization} + neutron::plugins::ml2::nuage::nuage_base_uri_version: {get_param: NeutronNuageBaseURIVersion} + neutron::plugins::ml2::nuage::nuage_cms_id: {get_param: NeutronNuageCMSId} + nova::api::use_forwarded_for: {get_param: UseForwardedFor} + step_config: | + include tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-plugin-ml2-odl.yaml b/puppet/services/neutron-plugin-ml2-odl.yaml index cc4cd8f4..68bba110 100644 --- a/puppet/services/neutron-plugin-ml2-odl.yaml +++ b/puppet/services/neutron-plugin-ml2-odl.yaml @@ -33,7 +33,7 @@ parameters: OpenDaylightPortBindingController: description: OpenDaylight port binding controller type: string - default: 'network-topology' + default: 'pseudo-agentdb-binding' resources: diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index dd757b5d..bc91374a 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml @@ -72,6 +72,10 @@ parameters: default: 'vxlan' description: The tenant network type for Neutron. type: comma_delimited_list + NeutronFirewallDriver: + description: Firewall driver for realizing neutron security group function + type: string + default: 'openvswitch' resources: NeutronBase: @@ -100,6 +104,7 @@ outputs: neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges} neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges} neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType} + neutron::plugins::ml2::firewall_driver: {get_param: NeutronFirewallDriver} step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index a12bfd0f..36866a3a 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -97,7 +97,7 @@ parameters: UpgradeLevelNovaCompute: type: string description: Nova Compute upgrade level - default: auto + default: '' MigrationSshKey: type: json description: > @@ -170,6 +170,11 @@ outputs: tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort} nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName} nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName} + nova::compute::rbd::rbd_keyring: + list_join: + - '.' + - - 'client' + - {get_param: CephClientUserName} tripleo::profile::base::nova::compute::cinder_nfs_backend: {get_param: CinderEnableNfsBackend} rbd_persistent_storage: {get_param: CinderEnableRbdBackend} nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey} diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index a6638be0..5abad452 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml @@ -45,7 +45,7 @@ parameters: UpgradeLevelNovaCompute: type: string description: Nova Compute upgrade level - default: auto + default: '' conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index e2ae7260..04936c33 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -139,6 +139,11 @@ outputs: # we manage migration in nova common puppet profile nova::compute::libvirt::migration_support: false nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName} + nova::compute::rbd::rbd_keyring: + list_join: + - '.' + - - 'client' + - {get_param: CephClientUserName} nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey} nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID} tripleo::profile::base::nova::migration::client::libvirt_enabled: true diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index 2027292c..139ab7c7 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml @@ -33,6 +33,28 @@ parameters: Required for VLAN deployments. For example physnet1 -> eth1. type: comma_delimited_list default: "datacentre:br-ex" + HostAllowedNetworkTypes: + description: Allowed tenant network types for this OVS host. Note this can + vary per host or role to constrain which hosts nova instances + and networks are scheduled to. + type: comma_delimited_list + default: ['local', 'vlan', 'vxlan', 'gre'] + OvsEnableDpdk: + description: Whether or not to configure enable DPDK in OVS + default: false + type: boolean + OvsVhostuserMode: + description: Specify the mode for OVS with vhostuser port creation. In + client mode, the hypervisor will be responsible for creating + vhostuser sockets. In server mode, OVS will create them. + type: string + default: "client" + constraints: + - allowed_values: [ 'client', 'server' ] + VhostuserSocketDir: + description: Specify the directory to use for vhostuser sockets + type: string + default: "/var/run/openvswitch" EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -71,6 +93,28 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + # Merging role-specific parameters (RoleParameters) with the default parameters. + # RoleParameters will have the precedence over the default parameters. + RoleParametersValue: + type: OS::Heat::Value + properties: + type: json + value: + map_replace: + - map_replace: + - neutron::plugins::ovs::opendaylight::allowed_network_types: HostAllowedNetworkTypes + neutron::plugins::ovs::opendaylight::enable_dpdk: OvsEnableDpdk + neutron::plugins::ovs::opendaylight::vhostuser_socket_dir: VhostuserSocketDir + neutron::plugins::ovs::opendaylight::vhostuser_mode: OvsVhostuserMode + neutron::plugins::ovs::opendaylight::provider_mappings: OpenDaylightProviderMappings + - values: {get_param: [RoleParameters]} + - values: + HostAllowedNetworkTypes: {get_param: HostAllowedNetworkTypes} + OvsEnableDpdk: {get_param: OvsEnableDpdk} + VhostuserSocketDir: {get_param: VhostuserSocketDir} + OvsVhostuserMode: {get_param: OvsVhostuserMode} + OpenDaylightProviderMappings: {get_param: OpenDaylightProviderMappings} + outputs: role_data: description: Role data for the OpenDaylight service. @@ -86,7 +130,6 @@ outputs: opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} - neutron::plugins::ovs::opendaylight::provider_mappings: {get_param: OpenDaylightProviderMappings} tripleo.opendaylight_ovs.firewall_rules: '118 neutron vxlan networks': proto: 'udp' @@ -94,6 +137,7 @@ outputs: '136 neutron gre networks': proto: 'gre' - get_attr: [Ovs, role_data, config_settings] + - get_attr: [RoleParametersValue, value] step_config: | include tripleo::profile::base::neutron::plugins::ovs::opendaylight upgrade_tasks: diff --git a/puppet/services/neutron-compute-plugin-ovn.yaml b/puppet/services/ovn-controller.yaml index dfd87eda..30720448 100644 --- a/puppet/services/neutron-compute-plugin-ovn.yaml +++ b/puppet/services/ovn-controller.yaml @@ -1,7 +1,7 @@ heat_template_version: pike description: > - OpenStack Neutron Compute OVN agent + OpenStack OVN Controller agent parameters: EndpointMap: @@ -45,23 +45,23 @@ parameters: bridge on hosts - to a physical name 'datacentre' which can be used to create provider networks (and we use this for the default floating network) - if changing this either use different post-install network - scripts or be sure to keep 'datacentre' as a mapping network name + scripts or be sure to keep 'datacentre' as a mapping network name. type: comma_delimited_list default: "datacentre:br-ex" outputs: role_data: - description: Role data for the Neutron Compute OVN agent + description: Role data for the OVN Controller agent value: - service_name: neutron_compute_plugin_ovn + service_name: ovn_controller config_settings: ovn::southbound::port: {get_param: OVNSouthboundServerPort} ovn::controller::ovn_encap_type: {get_param: OVNTunnelEncapType} ovn::controller::ovn_encap_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} ovn::controller::ovn_bridge_mappings: {get_param: NeutronBridgeMappings} nova::compute::force_config_drive: true - tripleo.neutron_compute_plugin_ovn.firewall_rules: + tripleo.ovn_controller.firewall_rules: '118 neutron vxlan networks': proto: 'udp' dport: 4789 @@ -70,3 +70,17 @@ outputs: dport: 6081 step_config: | include ::tripleo::profile::base::neutron::agents::ovn + upgrade_tasks: + - name: Check if ovn_controller is deployed + command: systemctl is-enabled ovn-controller + tags: common + ignore_errors: True + register: ovn_controller_enabled + - name: "PreUpgrade step0,validation: Check service ovn-controller is running" + shell: /usr/bin/systemctl show 'ovn-controller' --property ActiveState | grep '\bactive\b' + when: ovn_controller_enabled.rc == 0 + tags: step0,validation + - name: Stop ovn-controller service + tags: step1 + when: ovn_controller_enabled.rc == 0 + service: name=ovn-controller state=stopped diff --git a/puppet/services/ovn-dbs.yaml b/puppet/services/ovn-dbs.yaml index f6f3e3c8..2b98008b 100644 --- a/puppet/services/ovn-dbs.yaml +++ b/puppet/services/ovn-dbs.yaml @@ -57,3 +57,17 @@ outputs: - {get_param: OVNSouthboundServerPort} step_config: | include ::tripleo::profile::base::neutron::ovn_northd + upgrade_tasks: + - name: Check if ovn_northd is deployed + command: systemctl is-enabled ovn-northd + tags: common + ignore_errors: True + register: ovn_northd_enabled + - name: "PreUpgrade step0,validation: Check service ovn-northd is running" + shell: /usr/bin/systemctl show 'ovn-northd' --property ActiveState | grep '\bactive\b' + when: ovn_northd_enabled.rc == 0 + tags: step0,validation + - name: Stop ovn-northd service + tags: step1 + when: ovn_northd_enabled.rc == 0 + service: name=ovn-northd state=stopped diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml index 76511784..47ca6142 100644 --- a/puppet/services/pacemaker_remote.yaml +++ b/puppet/services/pacemaker_remote.yaml @@ -35,6 +35,11 @@ parameters: description: The authkey for the pacemaker remote service. hidden: true default: '' + PcsdPassword: + type: string + description: The password for the 'pcsd' user for pacemaker. + hidden: true + default: '' MonitoringSubscriptionPacemakerRemote: default: 'overcloud-pacemaker_remote' type: string @@ -103,5 +108,13 @@ outputs: tripleo::fencing::config: {get_param: FencingConfig} enable_fencing: {get_param: EnableFencing} tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey} + pacemaker::corosync::manage_fw: false + hacluster_pwd: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: PcsdPassword} + - {get_param: [DefaultPasswords, pcsd_password]} step_config: | include ::tripleo::profile::base::pacemaker_remote diff --git a/puppet/services/tripleo-packages.yaml b/puppet/services/tripleo-packages.yaml index e471c2a6..2a8620c8 100644 --- a/puppet/services/tripleo-packages.yaml +++ b/puppet/services/tripleo-packages.yaml @@ -56,3 +56,7 @@ outputs: - name: Update all packages tags: step3 yum: name=* state=latest + update_tasks: + - name: Update all packages + yum: name=* state=latest + when: step == "3" diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml index 21857423..4a1ad179 100644 --- a/puppet/services/zaqar.yaml +++ b/puppet/services/zaqar.yaml @@ -105,7 +105,7 @@ outputs: - {get_param: ZaqarDebug } zaqar::server::service_name: 'httpd' zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]} - zaqar::wsgi::apache::ssl: false + zaqar::wsgi::apache::ssl: {get_param: EnableInternalTLS} zaqar::wsgi::apache::bind_host: {get_param: [ServiceNetMap, ZaqarApiNetwork]} zaqar::message_pipeline: 'zaqar.notification.notifier' zaqar::unreliable: true @@ -178,6 +178,8 @@ outputs: - {} step_config: | include ::tripleo::profile::base::zaqar + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: yaql: expression: $.data.apache_upgrade + $.data.zaqar_upgrade |