6 files changed, 131 insertions, 41 deletions

diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index b879fafa..3362a01f 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
@@ -1,6 +1,7 @@
 {% set enabled_roles = roles|rejectattr('disable_upgrade_deployment')|list -%}
 {% set batch_upgrade_steps_max = 3 -%}
 {% set upgrade_steps_max = 6 -%}
+{% set deliver_script = {'deliver': False} -%}
 heat_template_version: ocata
 description: 'Upgrade steps for all roles'
 
@@ -17,6 +18,19 @@ parameters:
     description: >
       Setting to a previously unused value during stack-update will trigger
       the Upgrade resources to re-run on all roles.
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  KeystoneRegion:
+    type: string
+    default: 'regionOne'
+    description: Keystone region for endpoint
+  NovaPassword:
+    description: The password for the nova service and db account, used by nova-api.
+    type: string
+    hidden: true
 
 conditions:
   # Conditions to disable any steps where the task list is empty
@@ -35,6 +49,45 @@ conditions:
 
 resources:
 
+{% for role in roles if role.disable_upgrade_deployment|default(false) %}
+  {{role.name}}DeliverUpgradeScriptConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      config:
+        list_join:
+        - ''
+        - - "#!/bin/bash\n\n"
+          - "set -eu\n\n"
+          - "if hiera -c /etc/puppet/hiera.yaml service_names | grep nova_compute ; then\n\n"
+          - "  crudini --set /etc/nova/nova.conf placement auth_type password\n\n"
+          - "  crudini --set /etc/nova/nova.conf placement username placement\n\n"
+          - "  crudini --set /etc/nova/nova.conf placement project_domain_name Default\n\n"
+          - "  crudini --set /etc/nova/nova.conf placement user_domain_name Default\n\n"
+          - "  crudini --set /etc/nova/nova.conf placement project_name service\n\n"
+          - "  systemctl restart openstack-nova-compute\n\n"
+          - "fi\n\n"
+          - str_replace:
+              template: |
+                crudini --set /etc/nova/nova.conf placement password 'SERVICE_PASSWORD'
+                crudini --set /etc/nova/nova.conf placement region_name 'REGION_NAME'
+                crudini --set /etc/nova/nova.conf placement auth_url 'AUTH_URL'
+                ROLE='ROLE_NAME'
+              params:
+                SERVICE_PASSWORD: { get_param: NovaPassword }
+                REGION_NAME: { get_param: KeystoneRegion }
+                AUTH_URL: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+                ROLE_NAME: {{role.name}}
+          - get_file: ../extraconfig/tasks/pacemaker_common_functions.sh
+          - get_file: ../extraconfig/tasks/tripleo_upgrade_node.sh
+
+  {{role.name}}DeliverUpgradeScriptDeployment:
+    type: OS::Heat::SoftwareDeploymentGroup
+    properties:
+      servers:  {get_param: [servers, {{role.name}}]}
+      config: {get_resource: {{role.name}}DeliverUpgradeScriptConfig}
+{% endfor %}
+
 # Upgrade Steps for all roles, batched updates
 # The UpgradeConfig resources could actually be created without
 # serialization, but the event output is easier to follow if we
@@ -46,11 +99,22 @@ resources:
   {{role.name}}UpgradeBatchConfig_Step{{step}}:
     type: OS::TripleO::UpgradeConfig
   {%- if step > 0 %}
+    condition: {{role.name}}UpgradeBatchConfigEnabled
+    {% if role.name in enabled_roles %}
     depends_on:
-      {%- for dep in enabled_roles %}
-      - {{dep.name}}UpgradeBatch_Step{{step -1}}
-      {%- endfor %}
-  {%- endif %}
+      - {{role.name}}UpgradeBatch_Step{{step -1}}
+    {%- endif %}
+  {% else %}
+    {% for role in roles if role.disable_upgrade_deployment|default(false) %}
+      {% if deliver_script.update({'deliver': True}) %} {% endif %}
+    {% endfor %}
+    {% if deliver_script.deliver %}
+    depends_on:
+    {% endif %}
+      {% for dep in roles if dep.disable_upgrade_deployment|default(false) %}
+      - {{dep.name}}DeliverUpgradeScriptDeployment
+      {% endfor %}
+  {% endif %}
     properties:
       UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]}
       step: {{step}}
@@ -61,12 +125,13 @@ resources:
   {{role.name}}UpgradeBatch_Step{{step}}:
     type: OS::Heat::SoftwareDeploymentGroup
     condition: {{role.name}}UpgradeBatchConfigEnabled
-  {%- if step > 0 %}
+    {%- if step > 0 %}
     depends_on:
-      {%- for dep in enabled_roles %}
-      - {{dep.name}}UpgradeBatch_Step{{step -1}}
-      {%- endfor %}
-  {%- endif %}
+      - {{role.name}}UpgradeBatch_Step{{step -1}}
+    {% else %}
+    depends_on:
+      - {{role.name}}UpgradeBatchConfig_Step{{step}}
+    {%- endif %}
     update_policy:
       batch_create:
         max_batch_size: {{role.upgrade_batch_size|default(1)}}
@@ -82,6 +147,32 @@ resources:
   {%- endfor %}
 {%- endfor %}
 
+# Dump the puppet manifests to be apply later when disable_upgrade_deployment
+# is to true
+{% for role in roles  if role.disable_upgrade_deployment|default(false) %}
+  {{role.name}}DeliverPuppetConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      config:
+        list_join:
+        - ''
+        - - str_replace:
+              template: |
+                #!/bin/bash
+                cat > /root/{{role.name}}_puppet_config.pp << ENDOFCAT
+                PUPPET_CLASSES
+                ENDOFCAT
+              params:
+                PUPPET_CLASSES: {get_param: [role_data, {{role.name}}, step_config]}
+
+  {{role.name}}DeliverPuppetDeployment:
+    type: OS::Heat::SoftwareDeploymentGroup
+    properties:
+      servers:  {get_param: [servers, {{role.name}}]}
+      config: {get_resource: {{role.name}}DeliverPuppetConfig}
+{% endfor %}
+
 # Upgrade Steps for all roles
 {%- for step in range(0, upgrade_steps_max) %}
   # Config resources for step {{step}}
@@ -92,15 +183,12 @@ resources:
   # serialization, but the event output is easier to follow if we
   # do, and there should be minimal performance hit (creating the
   # config is cheap compared to the time to apply the deployment).
-    depends_on:
   {%- if step > 0 %}
-      {%- for dep in enabled_roles %}
-      - {{dep.name}}Upgrade_Step{{step -1}}
-      {%- endfor %}
-  {%- else %}
-      {%- for dep in enabled_roles %}
-      - {{dep.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}}
-      {%- endfor %}
+    condition: {{role.name}}UpgradeConfigEnabled
+    {% if role.name in enabled_roles %}
+    depends_on:
+      - {{role.name}}Upgrade_Step{{step -1}}
+    {% endif %}
   {%- endif %}
     properties:
       UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]}
@@ -111,17 +199,11 @@ resources:
   {%- for role in enabled_roles %}
   {{role.name}}Upgrade_Step{{step}}:
     type: OS::Heat::SoftwareDeploymentGroup
+    {%- if step > 0 %}
     condition: {{role.name}}UpgradeConfigEnabled
     depends_on:
-  {%- if step > 0 %}
-      {%- for dep in enabled_roles %}
-      - {{dep.name}}Upgrade_Step{{step -1}}
-      {%- endfor %}
-  {%- else %}
-      {%- for dep in enabled_roles %}
-      - {{dep.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}}
-      {%- endfor %}
-  {%- endif %}
+      - {{role.name}}Upgrade_Step{{step -1}}
+    {%- endif %}
     properties:
       name: {{role.name}}Upgrade_Step{{step}}
       servers: {get_param: [servers, {{role.name}}]}
@@ -154,4 +236,3 @@ outputs:
 {% for role in roles %}
       {{role.name.lower()}}: {get_attr: [{{role.name}}UpgradeConfig_Step1, upgrade_config]}
 {% endfor %}
-
diff --git a/puppet/post.j2.yaml b/puppet/post.j2.yaml
index 39155c36..21202775 100644
--- a/puppet/post.j2.yaml
+++ b/puppet/post.j2.yaml
@@ -12,7 +12,11 @@ parameters:
   role_data:
     type: json
     description: Mapping of Role name e.g Controller to the per-role data
-
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
   DeployIdentifier:
     default: ''
     type: string
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index 62c4b093..4bd9fc47 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -89,6 +89,3 @@ outputs:
         - name: Stop aodh_api service (running under httpd)
           tags: step2
           service: name=httpd state=stopped
-        - name: Run aodh dbsync
-          tags: step5
-          command: aodh-dbsync
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index 2a1ed2a3..23fcb2f6 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -131,6 +131,3 @@ outputs:
         - name: Stop gnocchi_api service (running under httpd)
           tags: step2
           service: name=httpd state=stopped
-        - name: Run gnocchi upgrade
-          tags: step5
-          command: gnocchi-upgrade
diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml
index 71a0076f..3abd04f3 100644
--- a/puppet/services/neutron-plugin-ml2.yaml
+++ b/puppet/services/neutron-plugin-ml2.yaml
@@ -60,12 +60,6 @@ parameters:
     default: 'vxlan'
     description: The tenant network type for Neutron.
     type: comma_delimited_list
-  NeutronSupportedPCIVendorDevs:
-    description: |
-        List of supported pci vendor devices in the format VendorID:ProductID.
-        By default Intel & Mellanox SR-IOV capable NICs are supported.
-    type: comma_delimited_list
-    default: ['15b3:1004','8086:10ca']
 resources:
 
   NeutronBase:
@@ -91,7 +85,6 @@ outputs:
             neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges}
             neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges}
             neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType}
-            neutron::plugins::ml2::supported_pci_vendor_devs: {get_param: NeutronSupportedPCIVendorDevs}
 
       step_config: |
         include ::tripleo::profile::base::neutron::plugins::ml2
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index c47229f1..ca21cfbe 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -87,6 +87,10 @@ parameters:
         \[(?<pid>[^ ]*)\]
         (?<host>[^ ]*)
         (?<message>.*)$/
+  PacemakerResources:
+    type: comma_delimited_list
+    description: List of resources managed by pacemaker
+    default: ['rabbitmq','haproxy']
 
 outputs:
   role_data:
@@ -127,3 +131,17 @@ outputs:
         tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
       step_config: |
         include ::tripleo::profile::base::pacemaker
+      upgrade_tasks:
+        - name: Check pacemaker cluster running before upgrade
+          tags: step0,validation
+          pacemaker_cluster: state=online check_and_fail=true
+        - name: Stop pacemaker cluster
+          tags: step1
+          pacemaker_cluster: state=offline
+        - name: Start pacemaker cluster
+          tags: step4
+          pacemaker_cluster: state=online
+        - name: Check pacemaker resource
+          tags: step4
+          pacemaker_resource: state=started resource={{item}} check_mode=true wait_for_resource=true timeout=200
+          with_items: {get_param: PacemakerResources}