Diffstat (limited to 'puppet')
26 files changed, 564 insertions, 308 deletions
diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml index 3044fe39..37c1d4e5 100644 --- a/puppet/all-nodes-config.yaml +++ b/puppet/all-nodes-config.yaml @@ -16,10 +16,6 @@ parameters: type: comma_delimited_list controller_ips: type: comma_delimited_list - logging_groups: - type: json - logging_sources: - type: json service_ips: type: json service_node_names: @@ -113,8 +109,6 @@ resources: bootstrap_nodeid_ip: {get_input: bootstrap_nodeid_ip} all_nodes: map_merge: - - tripleo::profile::base::logging::fluentd::fluentd_sources: {get_param: logging_sources} - - tripleo::profile::base::logging::fluentd::fluentd_groups: {get_param: logging_groups} - enabled_services: yaql: expression: $.data.distinct() diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml index 5453e65c..15da1773 100644 --- a/puppet/role.role.j2.yaml +++ b/puppet/role.role.j2.yaml @@ -105,6 +105,11 @@ parameters: description: DEPRECATED - use {{role.name}}IPs instead type: json {%- endif %} + {{role.name}}NetworkDeploymentActions: + type: comma_delimited_list + description: > + Heat action when to apply network configuration changes + default: [] NetworkDeploymentActions: type: comma_delimited_list description: > @@ -148,12 +153,6 @@ parameters: type: json description: Optional scheduler hints to pass to nova default: {} -{%- if role.deprecated_param_scheduler_hints is defined %} - {{role.deprecated_param_scheduler_hints}}: - type: json - description: DEPRECATED - use {{role.name}}SchedulerHints instead - default: {} -{%- endif %} NodeIndex: type: number default: 0 @@ -239,7 +238,7 @@ parameter_groups: description: Do not use deprecated params, they will be removed. parameters: {%- for property in role %} -{%- if property.startswith('deprecated_param_') %} +{%- if property.startswith('deprecated_param_') and not role[property].endswith('SchedulerHints') %} - {{role[property]}} {%- endif %} {%- endfor %} 
@@ -271,6 +270,11 @@ conditions: - {get_param: {{role.deprecated_param_flavor}}} - {{default_flavor_name}} {%- endif %} + role_network_deployment_actions_exists: + not: + equals: + - {get_param: {{role.name}}NetworkDeploymentActions} + - [] resources: {{server_resource_name}}: @@ -317,12 +321,7 @@ resources: {%- endif %} - {get_param: {{role.name}}ServerMetadata} - {get_param: ServiceMetadataSettings} - scheduler_hints: - map_merge: -{%- if role.deprecated_param_scheduler_hints is defined %} - - {get_param: {{role.deprecated_param_scheduler_hints}}} -{%- endif %} - - {get_param: {{role.name}}SchedulerHints} + scheduler_hints: {get_param: {{role.name}}SchedulerHints} deployment_swift_data: if: - deployment_swift_data_map_unset @@ -501,7 +500,10 @@ resources: actions: if: - server_not_blacklisted - - {get_param: NetworkDeploymentActions} + - if: + - role_network_deployment_actions_exists + - {get_param: {{role.name}}NetworkDeploymentActions} + - {get_param: NetworkDeploymentActions} - [] {{server_resource_name}}UpgradeInitConfig: diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index f84edde0..f0493f0e 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -116,12 +116,9 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - yaql: - expression: $.data.apache_upgrade + $.data.aodh_api_upgrade - data: - apache_upgrade: - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] - aodh_api_upgrade: - - name: Stop aodh_api service (running under httpd) - tags: step1 - service: name=httpd state=stopped + list_concat: + - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + - + - name: Stop aodh_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index a894dbdf..974c2538 100644 --- a/puppet/services/barbican-api.yaml 
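Review bot: An operator cannot use `{{role.name}}NetworkDeploymentActions` to switch network configuration off for a single role, because `role_network_deployment_actions_exists` treats the empty list as "not set" and the `actions` expression in the `@@ -501,7 +500,10 @@` hunk then falls back to the global `NetworkDeploymentActions`. The parameter's description (first role.role.j2.yaml hunk) is a copy of the global one and mentions neither the override nor the fallback. A description such as `Per-role override of NetworkDeploymentActions; an empty list means the global value is used` would make the behaviour explicit.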
+++ b/puppet/services/barbican-api.yaml @@ -186,22 +186,19 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - yaql: - expression: $.data.apache_upgrade + $.data.barbican_api_upgrade - data: - apache_upgrade: - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] - barbican_api_upgrade: - - name: Check if barbican_api is deployed - command: systemctl is-enabled openstack-barbican-api - tags: common - ignore_errors: True - register: barbican_api_enabled - - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running" - shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b' - when: barbican_api_enabled.rc == 0 - tags: step0,validation - - name: Install openstack-barbican-api package if it was disabled - tags: step3 - yum: name=openstack-barbican-api state=latest - when: barbican_api_enabled.rc != 0 + list_concat: + - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + - + - name: Check if barbican_api is deployed + command: systemctl is-enabled openstack-barbican-api + tags: common + ignore_errors: True + register: barbican_api_enabled + - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running" + shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b' + when: barbican_api_enabled.rc == 0 + tags: step0,validation + - name: Install openstack-barbican-api package if it was disabled + tags: step3 + yum: name=openstack-barbican-api state=latest + when: barbican_api_enabled.rc != 0 diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index aba303fb..1076c043 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml 
@@ -118,12 +118,9 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - yaql: - expression: $.data.apache_upgrade + $.data.ceilometer_api_upgrade - data: - apache_upgrade: - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] - ceilometer_api_upgrade: - - name: Stop ceilometer_api service (running under httpd) - tags: step1 - service: name=httpd state=stopped + list_concat: + - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + - + - name: Stop ceilometer_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index fbfe532a..193c6ba3 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml 
@@ -184,31 +184,28 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - yaql: - expression: $.data.apache_upgrade + $.data.cinder_api_upgrade - data: - apache_upgrade: - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] - cinder_api_upgrade: - - name: Check if cinder_api is deployed - command: systemctl is-enabled openstack-cinder-api - tags: common - ignore_errors: True - register: cinder_api_enabled - - name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running" - shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b' - when: cinder_api_enabled.rc == 0 - tags: step0,validation - - name: check for cinder running under apache (post upgrade) - tags: step1 - shell: "httpd -t -D DUMP_VHOSTS | grep -q cinder" - register: cinder_apache - ignore_errors: true - - name: Stop cinder_api service (running under httpd) - tags: step1 - service: name=httpd state=stopped - when: cinder_apache.rc == 0 - - name: Stop and disable cinder_api service (pre-upgrade not under httpd) - tags: step1 - when: cinder_api_enabled.rc == 0 - service: name=openstack-cinder-api state=stopped enabled=no + list_concat: + - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + - + - name: Check if cinder_api is deployed + command: systemctl is-enabled openstack-cinder-api + tags: common + ignore_errors: True + register: cinder_api_enabled + - name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running" + shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b' + when: cinder_api_enabled.rc == 0 + tags: step0,validation + - name: check for cinder running under apache (post upgrade) + tags: step1 + shell: "httpd -t -D DUMP_VHOSTS | grep -q cinder" + register: cinder_apache + ignore_errors: true + - name: Stop cinder_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: 
cinder_apache.rc == 0 + - name: Stop and disable cinder_api service (pre-upgrade not under httpd) + tags: step1 + when: cinder_api_enabled.rc == 0 + service: name=openstack-cinder-api state=stopped enabled=no diff --git a/puppet/services/cinder-backend-dellemc-vmax-iscsi.yaml b/puppet/services/cinder-backend-dellemc-vmax-iscsi.yaml new file mode 100644 index 00000000..1a3beab5 --- /dev/null +++ b/puppet/services/cinder-backend-dellemc-vmax-iscsi.yaml 
@@ -0,0 +1,65 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +heat_template_version: pike + +description: > + Openstack Cinder Dell EMC VMAX iscsi backend + +parameters: + CinderEnableDellEMCVMAXISCSIBackend: + type: boolean + default: true + CinderDellEMCVMAXISCSIBackendName: + type: string + default: 'tripleo_dellemc_vmax_iscsi' + CinderDellEMCVMAXISCSIConfigFile: + type: string + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Cinder Dell EMC VMAX iscsi backend. 
+ value: + service_name: cinder_backend_dellemc_vmax_iscsi + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_dellemc_vmax_iscsi_backend: {get_param: CinderEnableDellEMCVMAXISCSIBackend} + cinder::backend::dell_emc_vmax_iscsi::volume_backend_name: {get_param: CinderDellEMCVMAXISCSIBackendName} + cinder::backend::dell_emc_vmax_iscsi::cinder_emc_config_file: {get_param: CinderDellEMCVMAXISCSIConfigFile} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml index 2a6a89e9..8436062a 100644 --- a/puppet/services/database/redis-base.yaml +++ b/puppet/services/database/redis-base.yaml @@ -38,6 +38,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -53,10 +59,20 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - redis::bind: {get_param: [ServiceNetMap, RedisNetwork]} + # Bind to localhost if internal TLS is enabled, since we put a TLs + # proxy in front. + redis::bind: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, RedisNetwork]} redis::port: 6379 redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}" redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}" redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh' - redis::sentinel::sentinel_bind: {get_param: [ServiceNetMap, RedisNetwork]} + redis::sentinel::sentinel_bind: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, RedisNetwork]} redis::ulimit: {get_param: RedisFDLimit} diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml index bdcc4fcd..810e467e 100644 
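Review bot: `CinderDellEMCVMAXISCSIConfigFile` is declared with neither a default nor a description, so the operator must supply a value and the template gives no indication of what it should be. It is passed to `cinder::backend::dell_emc_vmax_iscsi::cinder_emc_config_file`, so it is presumably the path of the driver's configuration file on the node. A `description:` saying so, and stating whether the file must already exist with restricted permissions, would help. The other two backend parameters in this new file also lack descriptions.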
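Review bot: With `use_tls_proxy` set, `redis::sentinel::sentinel_bind` becomes `'localhost'` just like `redis::bind`, but the only proxy setting visible in this commit is `tls_proxy_port: 6379` in redis.yaml; nothing shown fronts the sentinel port. The firewall rule in redis.yaml still opens 26379, so sentinels on other nodes would reach a port with no listener on the service network. Please confirm that sentinel is either proxied as well or not expected to be reachable when internal TLS is enabled. Separately, `'localhost'` depends on name resolution (it may resolve to `::1`), so an explicit loopback address would be more predictable, and the comment's "TLs" should read "TLS".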
--- a/puppet/services/database/redis.yaml +++ b/puppet/services/database/redis.yaml @@ -30,8 +30,15 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: + RedisBase: type: ./redis-base.yaml properties: @@ -41,6 +48,7 @@ resources: EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -55,8 +63,41 @@ outputs: dport: - 6379 - 26379 + tripleo::profile::base::database::redis::tls_proxy_bind_ip: + get_param: [ServiceNetMap, RedisNetwork] + tripleo::profile::base::database::redis::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + tripleo::profile::base::database::redis::tls_proxy_port: 6379 + - if: + - use_tls_proxy + - redis_certificate_specs: + service_certificate: '/etc/pki/tls/certs/redis.crt' + service_key: '/etc/pki/tls/private/redis.key' + hostname: + str_replace: + template: "%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + principal: + str_replace: + template: "redis/%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + - {} step_config: | include ::tripleo::profile::base::database::redis + metadata_settings: + if: + - use_tls_proxy + - + - service: redis + network: {get_param: [ServiceNetMap, RabbitmqNetwork]} + type: vip + - null upgrade_tasks: - name: Check if redis is deployed command: systemctl is-enabled redis diff --git a/puppet/services/disabled/mongodb-disabled.yaml b/puppet/services/disabled/mongodb-disabled.yaml index 9e58103c..c01a91fb 100644 --- a/puppet/services/disabled/mongodb-disabled.yaml 
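Review bot: The new `metadata_settings` entry registers the redis VIP with `network: {get_param: [ServiceNetMap, RabbitmqNetwork]}`, while the bind IP, FQDN, certificate hostname and principal in the same hunk are all keyed on `RedisNetwork`; this looks like a copy-paste slip. If the two services are mapped to different networks, the metadata entry would not match the `redis/%{hiera('cloud_name_NETWORK')}` principal requested in `redis_certificate_specs`, so the certificate request for the proxy would likely fail or target the wrong name. Suggested change: `network: {get_param: [ServiceNetMap, RedisNetwork]}`. The three `tls_proxy_*` keys are also set unconditionally, outside the `use_tls_proxy` branch, which is worth a short comment if intended.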
+++ b/puppet/services/disabled/mongodb-disabled.yaml @@ -37,6 +37,10 @@ outputs: value: service_name: mongodb_disabled upgrade_tasks: + - name: Check for mongodb service + stat: path=/usr/lib/systemd/system/mongod.service + register: mongod_service - name: Stop and disable mongodb service on upgrade tags: step1 service: name=mongod state=stopped enabled=no + when: mongod_service.stat.exists diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index cd7ab692..0f8f352a 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -151,12 +151,9 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - yaql: - expression: $.data.apache_upgrade + $.data.gnocchi_api_upgrade - data: - apache_upgrade: - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] - gnocchi_api_upgrade: - - name: Stop gnocchi_api service (running under httpd) - tags: step1 - service: name=httpd state=stopped + list_concat: + - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + - + - name: Stop gnocchi_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml index 14d171dc..cdfc41cf 100644 --- a/puppet/services/haproxy-public-tls-certmonger.yaml +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -36,6 +36,11 @@ parameters: HAProxyInternalTLSKeysDirectory: default: '/etc/pki/tls/private/haproxy' type: string + DeployedSSLCertificatePath: + default: '/etc/pki/tls/private/overcloud_endpoint.pem' + description: > + The filepath of the certificate as it will be stored in the controller. + type: string outputs: role_data: 
@@ -44,22 +49,14 @@ outputs: service_name: haproxy_public_tls_certmonger config_settings: generate_service_certificates: true - tripleo::haproxy::service_certificate: - list_join: - - '' - - - {get_param: HAProxyInternalTLSCertsDirectory} - - '/overcloud-haproxy-external.pem' + tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath} tripleo::certmonger::haproxy_dirs::certificate_dir: get_param: HAProxyInternalTLSCertsDirectory tripleo::certmonger::haproxy_dirs::key_dir: get_param: HAProxyInternalTLSKeysDirectory certificates_specs: haproxy-external: - service_pem: - list_join: - - '' - - - {get_param: HAProxyInternalTLSCertsDirectory} - - '/overcloud-haproxy-external.pem' + service_pem: {get_param: DeployedSSLCertificatePath} service_certificate: list_join: - '' diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 218ba740..6301314a 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -400,12 +400,9 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - yaql: - expression: $.data.apache_upgrade + $.data.keystone_upgrade - data: - apache_upgrade: - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] - keystone_upgrade: - - name: Stop keystone service (running under httpd) - tags: step1 - service: name=httpd state=stopped + list_concat: + - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + - + - name: Stop keystone service (running under httpd) + tags: step1 + service: name=httpd state=stopped diff --git a/puppet/services/manila-backend-isilon.yaml b/puppet/services/manila-backend-isilon.yaml new file mode 100644 index 00000000..6d8a1fb6 --- /dev/null +++ b/puppet/services/manila-backend-isilon.yaml 
@@ -0,0 +1,72 @@ +heat_template_version: pike + +description: > + Openstack Manila isilon backend. + +parameters: + ManilaIsilonDriverHandlesShareServers: + type: string + default: true + ManilaIsilonBackendName: + type: string + default: tripleo_isilon + ManilaIsilonNasLogin: + type: string + default: '' + ManilaIsilonNasPassword: + type: string + default: '' + ManilaIsilonNasServer: + type: string + default: '' + ManilaIsilonNasRootDir: + type: string + default: '' + ManilaIsilonNasServerPort: + type: number + default: 8080 + ManilaIsilonNasServerSecure: + type: string + default: '' + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Manila Isilon backend. 
+ value: + service_name: manila_backend_isilon + config_settings: + manila::backend::dellemc_isilon::title: {get_param: ManilaIsilonBackendName} + manila::backend::dellemc_isilon::emc_nas_login: {get_param: ManilaIsilonNasLogin} + manila::backend::dellemc_isilon::driver_handles_share_servers: {get_param: ManilaIsilonDriverHandlesShareServers} + manila::backend::dellemc_isilon::emc_nas_password: {get_param: ManilaIsilonNasPassword} + manila::backend::dellemc_isilon::emc_nas_server: {get_param: ManilaIsilonNasServer} + manila::backend::dellemc_isilon::emc_nas_root_dir: {get_param: ManilaIsilonNasRootDir} + manila::backend::dellemc_isilon::emc_nas_server_port: {get_param: ManilaIsilonNasServerPort} + manila::backend::dellemc_isilon::emc_nas_server_secure: {get_param: ManilaIsilonNasServerSecure} + step_config: diff --git a/puppet/services/manila-backend-vmax.yaml b/puppet/services/manila-backend-vmax.yaml new file mode 100644 index 00000000..cdd32f5d --- /dev/null +++ b/puppet/services/manila-backend-vmax.yaml 
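Review bot: `ManilaIsilonNasPassword` is declared as a plain `string` with an empty default and without `hidden: true`, so Heat will return the NAS credential in clear text wherever stack parameters are displayed. Add `hidden: true` to it; the same applies to `ManilaVMAXNasPassword` in manila-backend-vmax.yaml. `ManilaIsilonDriverHandlesShareServers` is `type: string` with the boolean `default: true`; either declare it `type: boolean` or quote the default as `'true'` so the value handed to puppet is unambiguous. None of the backend parameters carries a `description:`, and `ManilaIsilonNasServerSecure` in particular needs one stating what the empty default means for certificate verification.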
@@ -0,0 +1,74 @@ +heat_template_version: pike + +description: > + Openstack Manila vmax backend. + +parameters: + ManilaVMAXDriverHandlesShareServers: + type: string + default: false + ManilaVMAXBackendName: + type: string + default: tripleo_manila_vmax + ManilaVMAXNasLogin: + type: string + default: '' + ManilaVMAXNasPassword: + type: string + default: '' + ManilaVMAXNasServer: + type: string + default: '' + ManilaVMAXServerContainer: + type: string + default: '' + ManilaVMAXShareDataPools: + type: string + default: '' + ManilaVMAXEthernetPorts: + type: string + default: '' + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Manila VMAX backend. 
+ value: + service_name: manila_backend_vmax + config_settings: + manila::backend::dellemc_vmax::title: {get_param: ManilaVMAXBackendName} + manila::backend::dellemc_vmax::emc_nas_login: {get_param: ManilaVMAXNasLogin} + manila::backend::dellemc_vmax::driver_handles_share_servers: {get_param: ManilaVMAXDriverHandlesShareServers} + manila::backend::dellemc_vmax::emc_nas_password: {get_param: ManilaVMAXNasPassword} + manila::backend::dellemc_vmax::emc_nas_server: {get_param: ManilaVMAXNasServer} + manila::backend::dellemc_vmax::emc_share_backend: {'vmax'} + manila::backend::dellemc_vmax::vmax_server_container: {get_param: ManilaVMAXServerContainer} + manila::backend::dellemc_vmax::vmax_share_data_pools: {get_param: ManilaVMAXShareDataPools} + manila::backend::dellemc_vmax::vmax_ethernet_ports: {get_param: ManilaVMAXEthernetPorts} + step_config: + diff --git a/puppet/services/manila-scheduler.yaml b/puppet/services/manila-scheduler.yaml index 7d43f685..364a1a3d 100644 --- a/puppet/services/manila-scheduler.yaml +++ b/puppet/services/manila-scheduler.yaml @@ -70,7 +70,7 @@ outputs: manila::compute::nova::nova_admin_password: {get_param: NovaPassword} manila::compute::nova::nova_admin_tenant_name: 'service' manila::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} - manila::network::neutron::neutron_admin_auth_url: {get_param: [EndpointMap, NeutronAdmin, uri]} + manila::network::neutron::neutron_admin_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} manila::network::neutron::neutron_admin_password: {get_param: NeutronPassword} step_config: | include ::tripleo::profile::base::manila::scheduler diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index 7894f78b..a2f82a58 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml 
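Review bot: `manila::backend::dellemc_vmax::emc_share_backend: {'vmax'}` is a YAML flow mapping with the single key `vmax` and a null value, not the string `vmax`, so the hiera value written for the backend will not be the expected driver name. It should be `manila::backend::dellemc_vmax::emc_share_backend: 'vmax'`. `ManilaVMAXDriverHandlesShareServers` also pairs `type: string` with the boolean `default: false`; quote the default or declare the parameter as `boolean`. `step_config:` is left empty, which yields null rather than an empty string; if that is intentional, a one-line comment saying the manifest is supplied elsewhere would help.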
@@ -140,22 +140,19 @@ outputs: step_config: | include ::tripleo::profile::base::neutron::ovs upgrade_tasks: - yaql: - expression: $.data.ovs_upgrade + $.data.neutron_ovs_upgrade - data: - ovs_upgrade: - get_attr: [Ovs, role_data, upgrade_tasks] - neutron_ovs_upgrade: - - name: Check if neutron_ovs_agent is deployed - command: systemctl is-enabled neutron-openvswitch-agent - tags: common - ignore_errors: True - register: neutron_ovs_agent_enabled - - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" - shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' - when: neutron_ovs_agent_enabled.rc == 0 - tags: step0,validation - - name: Stop neutron_ovs_agent service - tags: step1 - when: neutron_ovs_agent_enabled.rc == 0 - service: name=neutron-openvswitch-agent state=stopped + list_concat: + - get_attr: [Ovs, role_data, upgrade_tasks] + - + - name: Check if neutron_ovs_agent is deployed + command: systemctl is-enabled neutron-openvswitch-agent + tags: common + ignore_errors: True + register: neutron_ovs_agent_enabled + - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" + shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' + when: neutron_ovs_agent_enabled.rc == 0 + tags: step0,validation + - name: Stop neutron_ovs_agent service + tags: step1 + when: neutron_ovs_agent_enabled.rc == 0 + service: name=neutron-openvswitch-agent state=stopped diff --git a/puppet/services/neutron-plugin-nsx.yaml b/puppet/services/neutron-plugin-nsx.yaml index 2774b03e..26380649 100644 --- a/puppet/services/neutron-plugin-nsx.yaml +++ b/puppet/services/neutron-plugin-nsx.yaml 
@@ -65,14 +65,14 @@ outputs: value: service_name: neutron_plugin_nsx config_settings: - neutron::plugins::nsx_v3::default_overlay_tz: {get_param: DefaultOverlayTz} - neutron::plugins::nsx_v3::default_tier0_router: {get_param: DefaultTier0Router} - neutron::plugins::nsx_v3::nsx_api_managers: {get_param: NsxApiManagers} - neutron::plugins::nsx_v3::nsx_api_user: {get_param: NsxApiUser} - neutron::plugins::nsx_v3::nsx_api_password: {get_param: NsxApiPassword} - neutron::plugins::nsx_v3::native_dhcp_metadata: {get_param: NativeDhcpMetadata} - neutron::plugins::nsx_v3::dhcp_profile_uuid: {get_param: DhcpProfileUuid} - neutron::plugins::nsx_v3::metadata_proxy_uuid: {get_param: MetadataProxyUuid} + neutron::plugins::nsx::default_overlay_tz: {get_param: DefaultOverlayTz} + neutron::plugins::nsx::default_tier0_router: {get_param: DefaultTier0Router} + neutron::plugins::nsx::nsx_api_managers: {get_param: NsxApiManagers} + neutron::plugins::nsx::nsx_api_user: {get_param: NsxApiUser} + neutron::plugins::nsx::nsx_api_password: {get_param: NsxApiPassword} + neutron::plugins::nsx::native_dhcp_metadata: {get_param: NativeDhcpMetadata} + neutron::plugins::nsx::dhcp_profile_uuid: {get_param: DhcpProfileUuid} + neutron::plugins::nsx::metadata_proxy_uuid: {get_param: MetadataProxyUuid} step_config: | - include tripleo::profile::base::neutron::plugins::nsx_v3 + include tripleo::profile::base::neutron::plugins::nsx diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index b413fb12..a4a3ca2b 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml 
@@ -199,88 +199,85 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - yaql: - expression: $.data.apache_upgrade + $.data.nova_api_upgrade - data: - apache_upgrade: - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] - nova_api_upgrade: - - name: get bootstrap nodeid - tags: common - command: hiera bootstrap_nodeid - register: bootstrap_node - - name: set is_bootstrap_node fact - tags: common - set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} - - name: Extra migration for nova tripleo/+bug/1656791 - tags: step0,pre-upgrade - when: is_bootstrap_node - command: nova-manage db online_data_migrations - - name: Stop and disable nova_api service (pre-upgrade not under httpd) - tags: step2 - service: name=openstack-nova-api state=stopped enabled=no - - name: Create puppet manifest to set transport_url in nova.conf - tags: step5 - when: is_bootstrap_node - copy: - dest: /root/nova-api_upgrade_manifest.pp - mode: 0600 - content: > - $transport_url = os_transport_url({ - 'transport' => hiera('messaging_service_name', 'rabbit'), - 'hosts' => any2array(hiera('rabbitmq_node_names', undef)), - 'port' => sprintf('%s',hiera('nova::rabbit_port', '5672') ), - 'username' => hiera('nova::rabbit_userid', 'guest'), - 'password' => hiera('nova::rabbit_password'), - 'ssl' => sprintf('%s', bool2num(str2bool(hiera('nova::rabbit_use_ssl', '0')))) - }) - oslo::messaging::default { 'nova_config': - transport_url => $transport_url - } - - name: Run puppet apply to set tranport_url in nova.conf - tags: step5 - when: is_bootstrap_node - command: puppet apply --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules --detailed-exitcodes /root/nova-api_upgrade_manifest.pp - register: puppet_apply_nova_api_upgrade - failed_when: puppet_apply_nova_api_upgrade.rc not in [0,2] - changed_when: puppet_apply_nova_api_upgrade.rc == 2 - - name: Setup cell_v2 (map cell0) - 
tags: step5 - when: is_bootstrap_node - shell: nova-manage cell_v2 map_cell0 --database_connection=$(hiera nova::cell0_database_connection) - - name: Setup cell_v2 (create default cell) - tags: step5 - when: is_bootstrap_node - # (owalsh) puppet-nova expects the cell name 'default' - # (owalsh) pass the db uri explicitly to avoid https://bugs.launchpad.net/tripleo/+bug/1662344 - shell: nova-manage cell_v2 create_cell --name='default' --database_connection=$(hiera nova::database_connection) - register: nova_api_create_cell - failed_when: nova_api_create_cell.rc not in [0,2] - changed_when: nova_api_create_cell.rc == 0 - - name: Setup cell_v2 (sync nova/cell DB) - tags: step5 - when: is_bootstrap_node - command: nova-manage db sync - async: {get_param: NovaDbSyncTimeout} - poll: 10 - - name: Setup cell_v2 (get cell uuid) - tags: step5 - when: is_bootstrap_node - shell: nova-manage cell_v2 list_cells | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}' - register: nova_api_cell_uuid - - name: Setup cell_v2 (migrate hosts) - tags: step5 - when: is_bootstrap_node - command: nova-manage cell_v2 discover_hosts --cell_uuid {{nova_api_cell_uuid.stdout}} --verbose - - name: Setup cell_v2 (migrate instances) - tags: step5 - when: is_bootstrap_node - command: nova-manage cell_v2 map_instances --cell_uuid {{nova_api_cell_uuid.stdout}} - - name: Sync nova_api DB - tags: step5 - command: nova-manage api_db sync - when: is_bootstrap_node - - name: Online data migration for nova - tags: step5 - when: is_bootstrap_node - command: nova-manage db online_data_migrations + list_concat: + - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + - + - name: get bootstrap nodeid + tags: common + command: hiera bootstrap_nodeid + register: bootstrap_node + - name: set is_bootstrap_node fact + tags: common + set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} + - name: Extra migration for nova tripleo/+bug/1656791 + tags: 
step0,pre-upgrade + when: is_bootstrap_node + command: nova-manage db online_data_migrations + - name: Stop and disable nova_api service (pre-upgrade not under httpd) + tags: step2 + service: name=openstack-nova-api state=stopped enabled=no + - name: Create puppet manifest to set transport_url in nova.conf + tags: step5 + when: is_bootstrap_node + copy: + dest: /root/nova-api_upgrade_manifest.pp + mode: 0600 + content: > + $transport_url = os_transport_url({ + 'transport' => hiera('messaging_service_name', 'rabbit'), + 'hosts' => any2array(hiera('rabbitmq_node_names', undef)), + 'port' => sprintf('%s',hiera('nova::rabbit_port', '5672') ), + 'username' => hiera('nova::rabbit_userid', 'guest'), + 'password' => hiera('nova::rabbit_password'), + 'ssl' => sprintf('%s', bool2num(str2bool(hiera('nova::rabbit_use_ssl', '0')))) + }) + oslo::messaging::default { 'nova_config': + transport_url => $transport_url + } + - name: Run puppet apply to set tranport_url in nova.conf + tags: step5 + when: is_bootstrap_node + command: puppet apply --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules --detailed-exitcodes /root/nova-api_upgrade_manifest.pp + register: puppet_apply_nova_api_upgrade + failed_when: puppet_apply_nova_api_upgrade.rc not in [0,2] + changed_when: puppet_apply_nova_api_upgrade.rc == 2 + - name: Setup cell_v2 (map cell0) + tags: step5 + when: is_bootstrap_node + shell: nova-manage cell_v2 map_cell0 --database_connection=$(hiera nova::cell0_database_connection) + - name: Setup cell_v2 (create default cell) + tags: step5 + when: is_bootstrap_node + # (owalsh) puppet-nova expects the cell name 'default' + # (owalsh) pass the db uri explicitly to avoid https://bugs.launchpad.net/tripleo/+bug/1662344 + shell: nova-manage cell_v2 create_cell --name='default' --database_connection=$(hiera nova::database_connection) + register: nova_api_create_cell + failed_when: nova_api_create_cell.rc not in [0,2] + changed_when: 
nova_api_create_cell.rc == 0 + - name: Setup cell_v2 (sync nova/cell DB) + tags: step5 + when: is_bootstrap_node + command: nova-manage db sync + async: {get_param: NovaDbSyncTimeout} + poll: 10 + - name: Setup cell_v2 (get cell uuid) + tags: step5 + when: is_bootstrap_node + shell: nova-manage cell_v2 list_cells | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}' + register: nova_api_cell_uuid + - name: Setup cell_v2 (migrate hosts) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 discover_hosts --cell_uuid {{nova_api_cell_uuid.stdout}} --verbose + - name: Setup cell_v2 (migrate instances) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_instances --cell_uuid {{nova_api_cell_uuid.stdout}} + - name: Sync nova_api DB + tags: step5 + command: nova-manage api_db sync + when: is_bootstrap_node + - name: Online data migration for nova + tags: step5 + when: is_bootstrap_node + command: nova-manage db online_data_migrations diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml index 472dbcce..71536ff3 100644 --- a/puppet/services/opendaylight-api.yaml +++ b/puppet/services/opendaylight-api.yaml @@ -62,6 +62,14 @@ parameters: description: Whether to manage the OpenDaylight repository type: boolean default: false + OpenDaylightSNATMechanism: + description: SNAT mechanism to be used + default: 'conntrack' + type: string + constraints: + - allowed_values: + - conntrack + - controller outputs: role_data: @@ -84,6 +92,7 @@ outputs: - 6640 - 6653 - 2550 + opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism} step_config: | include tripleo::profile::base::neutron::opendaylight upgrade_tasks: diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index 139ab7c7..c1cec4ff 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml 
@@ -141,22 +141,19 @@ outputs:
 step_config: |
 include tripleo::profile::base::neutron::plugins::ovs::opendaylight
 upgrade_tasks:
- yaql:
- expression: $.data.ovs_upgrade + $.data.opendaylight_upgrade
- data:
- ovs_upgrade:
- get_attr: [Ovs, role_data, upgrade_tasks]
- opendaylight_upgrade:
- - name: Check if openvswitch is deployed
- command: systemctl is-enabled openvswitch
- tags: common
- ignore_errors: True
- register: openvswitch_enabled
- - name: "PreUpgrade step0,validation: Check service openvswitch is running"
- shell: /usr/bin/systemctl show 'openvswitch' --property ActiveState | grep '\bactive\b'
- when: openvswitch_enabled.rc == 0
- tags: step0,validation
- - name: Stop openvswitch service
- tags: step1
- when: openvswitch_enabled.rc == 0
- service: name=openvswitch state=stopped
+ list_concat:
+ - get_attr: [Ovs, role_data, upgrade_tasks]
+ -
+ - name: Check if openvswitch is deployed
+ command: systemctl is-enabled openvswitch
+ tags: common
+ ignore_errors: True
+ register: openvswitch_enabled
+ - name: "PreUpgrade step0,validation: Check service openvswitch is running"
+ shell: /usr/bin/systemctl show 'openvswitch' --property ActiveState | grep '\bactive\b'
+ when: openvswitch_enabled.rc == 0
+ tags: step0,validation
+ - name: Stop openvswitch service
+ tags: step1
+ when: openvswitch_enabled.rc == 0
+ service: name=openvswitch state=stopped
diff --git a/puppet/services/openvswitch.yaml b/puppet/services/openvswitch.yaml
index d8061d4b..6479d7f9 100644
--- a/puppet/services/openvswitch.yaml
+++ b/puppet/services/openvswitch.yaml
@@ -179,6 +179,6 @@ outputs:
 with_items:
 - "{{ovs_list_of_rpms.stdout_lines}}"
 tags: step2
- when: "'2.5.0-14' in '{{ovs_version.stdout}}'
+ when: "'2.5.0-14' in ovs_version.stdout|default('')
 or
- ovs_packaging_issue|succeeded"
+ ovs_packaging_issue|default(false)|succeeded"
diff --git a/puppet/services/pacemaker/database/redis.yaml b/puppet/services/pacemaker/database/redis.yaml
index 66eb4b2a..e466f304 100644
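Review bot: The probe task `Check if openvswitch is deployed` is carried into the new `list_concat` list with `ignore_errors: True`, so a node without the unit logs a failed-but-ignored task and any other systemctl error is silently read as "not deployed". Only `openvswitch_enabled.rc` is consumed by the later `when:` conditions, so `failed_when: false` together with `changed_when: false` states the intent without the noisy failure. The same applies to the probes kept in the panko-api and zaqar-api `list_concat` hunks (`httpd_enabled`, `zaqar_enabled`, `zaqar_apache`), where `True` and `true` are also mixed. The enclosing `role_data` map starts outside the hunk.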
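Review bot: In the new `when:` the fallback `ovs_packaging_issue|default(false)|succeeded` hands a boolean to `succeeded` whenever the variable is undefined, and as far as I know that filter expects a registered task result (a dict) and raises on anything else, so the default may replace one error with another instead of skipping the task. An explicit guard avoids relying on filter internals: `(ovs_packaging_issue is defined and ovs_packaging_issue|succeeded)`. The `ovs_version.stdout|default('')` half looks fine as long as `ovs_version` itself is always registered. The task this condition belongs to starts above the hunk.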
--- a/puppet/services/pacemaker/database/redis.yaml
+++ b/puppet/services/pacemaker/database/redis.yaml
@@ -53,5 +53,16 @@ outputs:
 - redis::service_manage: false
 redis::notify_service: false
 redis::managed_by_cluster_manager: true
+ tripleo::profile::pacemaker::database::redis::tls_proxy_bind_ip:
+ get_param: [ServiceNetMap, RedisNetwork]
+ tripleo::profile::pacemaker::database::redis::tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ tripleo::profile::pacemaker::database::redis::tls_proxy_port: 6379
 step_config: |
 include ::tripleo::profile::pacemaker::database::redis
+ metadata_settings:
+ get_attr: [RedisBase, role_data, metadata_settings]
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
index 74d3f27c..892ad1c1 100644
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
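Review bot: The three `tls_proxy_*` keys are written to hieradata unconditionally, and nothing in this hunk ties them to `EnableInternalTLS`, so a reader cannot tell whether a TLS listener is always expected on the Redis network or only when internal TLS is on. If the gate lives in the puppet profile, a comment above the keys such as `# used by the profile only when internal TLS is enabled` would make that explicit; if not, the keys probably belong under a condition. `tls_proxy_port: 6379` also repeats the Redis port as a literal, so it is worth confirming that the proxy and Redis itself never bind the same address and port.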
@@ -112,27 +112,24 @@ outputs:
 metadata_settings:
 get_attr: [ApacheServiceBase, role_data, metadata_settings]
 upgrade_tasks:
- yaql:
- expression: $.data.apache_upgrade + $.data.panko_api_upgrade
- data:
- apache_upgrade:
- get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
- panko_api_upgrade:
- - name: Check if httpd is deployed
- command: systemctl is-enabled httpd
- tags: common
- ignore_errors: True
- register: httpd_enabled
- - name: "PreUpgrade step0,validation: Check if httpd is running"
- shell: >
- /usr/bin/systemctl show 'httpd' --property ActiveState |
- grep '\bactive\b'
- when: httpd_enabled.rc == 0
- tags: step0,validation
- - name: Stop panko-api service (running under httpd)
- tags: step1
- service: name=httpd state=stopped
- when: httpd_enabled.rc == 0
- - name: Install openstack-panko-api package if it was not installed
- tags: step3
- yum: name=openstack-panko-api state=latest
+ list_concat:
+ - get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+ -
+ - name: Check if httpd is deployed
+ command: systemctl is-enabled httpd
+ tags: common
+ ignore_errors: True
+ register: httpd_enabled
+ - name: "PreUpgrade step0,validation: Check if httpd is running"
+ shell: >
+ /usr/bin/systemctl show 'httpd' --property ActiveState |
+ grep '\bactive\b'
+ when: httpd_enabled.rc == 0
+ tags: step0,validation
+ - name: Stop panko-api service (running under httpd)
+ tags: step1
+ service: name=httpd state=stopped
+ when: httpd_enabled.rc == 0
+ - name: Install openstack-panko-api package if it was not installed
+ tags: step3
+ yum: name=openstack-panko-api state=latest
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index ba3a0984..a1a60201 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -122,6 +122,7 @@ outputs: rabbitmq::interface: {get_param: [ServiceNetMap, RabbitmqNetwork]} rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} rabbitmq::ssl: {get_param: EnableInternalTLS} + rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS} rabbitmq::ssl_port: 5672 rabbitmq::ssl_depth: 1 rabbitmq::ssl_only: {get_param: EnableInternalTLS} diff --git a/puppet/services/zaqar-api.yaml b/puppet/services/zaqar-api.yaml index 82d105ef..71f90534 100644 --- a/puppet/services/zaqar-api.yaml +++ b/puppet/services/zaqar-api.yaml @@ -98,6 +98,7 @@ outputs: zaqar::keystone::authtoken::project_name: 'service' zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} zaqar::debug: if: - service_debug_unset @@ -164,6 +165,8 @@ outputs: zaqar::keystone::auth_websocket::internal_url: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]} zaqar::keystone::auth_websocket::region: {get_param: KeystoneRegion} zaqar::keystone::auth_websocket::tenant: 'service' + zaqar::keystone::trust::password: {get_param: ZaqarPassword} + zaqar::keystone::trust::user_domain_name: 'Default' - if: - zaqar_management_store_sqlalchemy 
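Review bot: The added `rabbitmq::ssl_erl_dist` is driven by the same `EnableInternalTLS` flag as `rabbitmq::ssl` and `rabbitmq::ssl_only`, but the hunk does not say that it covers a different channel. Going by its name it covers the Erlang distribution traffic between cluster nodes, not the AMQP listener. A one-line comment such as `# also encrypt inter-node (Erlang distribution) traffic when internal TLS is on` would document that. Switching distribution to TLS on an existing cluster presumably requires every node to change together, so the upgrade path deserves a check.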
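Review bot: The trust credentials in the two zaqar-api hunks are only partly specified: `zaqar::keystone::trust::auth_url`, `::password` and `::user_domain_name` are set, but no trust user name appears in either hunk. The secret from `ZaqarPassword` is therefore paired with whatever user the module defaults to; if that default is not the zaqar service account, trust authentication fails in a way that is hard to trace back to this file. Setting the user explicitly next to the password removes the guess. The three keys are also split across two separate map entries, and whether `ZaqarPassword` is declared hidden is not visible from here.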
@@ -181,37 +184,34 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - yaql: - expression: $.data.apache_upgrade + $.data.zaqar_upgrade - data: - apache_upgrade: - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] - zaqar_upgrade: - - name: Check if zaqar is deployed - command: systemctl is-enabled openstack-zaqar - tags: common - ignore_errors: True - register: zaqar_enabled - - name: "PreUpgrade step0,validation: Check if openstack-zaqar is running" - shell: > - /usr/bin/systemctl show 'openstack-zaqar' --property ActiveState | - grep '\bactive\b' - when: zaqar_enabled.rc == 0 - tags: step0,validation - - name: Check for zaqar running under apache (post upgrade) - tags: step1 - shell: "httpd -t -D DUMP_VHOSTS | grep -q zaqar_wsgi" - register: zaqar_apache - ignore_errors: true - - name: Stop zaqar service (running under httpd) - tags: step1 - service: name=httpd state=stopped - when: zaqar_apache.rc == 0 - - name: Stop and disable zaqar service (pre-upgrade not under httpd) - tags: step1 - when: zaqar_enabled.rc == 0 - service: name=openstack-zaqar state=stopped enabled=no - - name: Install openstack-zaqar package if it was disabled - tags: step3 - yum: name=openstack-zaqar state=latest - when: zaqar_enabled.rc != 0 + list_concat: + - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + - + - name: Check if zaqar is deployed + command: systemctl is-enabled openstack-zaqar + tags: common + ignore_errors: True + register: zaqar_enabled + - name: "PreUpgrade step0,validation: Check if openstack-zaqar is running" + shell: > + /usr/bin/systemctl show 'openstack-zaqar' --property ActiveState | + grep '\bactive\b' + when: zaqar_enabled.rc == 0 + tags: step0,validation + - name: Check for zaqar running under apache (post upgrade) + tags: step1 + shell: "httpd -t -D DUMP_VHOSTS | grep -q zaqar_wsgi" + register: zaqar_apache + ignore_errors: true + - name: Stop zaqar service (running under httpd) + tags: 
step1 + service: name=httpd state=stopped + when: zaqar_apache.rc == 0 + - name: Stop and disable zaqar service (pre-upgrade not under httpd) + tags: step1 + when: zaqar_enabled.rc == 0 + service: name=openstack-zaqar state=stopped enabled=no + - name: Install openstack-zaqar package if it was disabled + tags: step3 + yum: name=openstack-zaqar state=latest + when: zaqar_enabled.rc != 0 |