summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-11-13Set keystone notification topics if ceilometer is enabledJuan Antonio Osorio Robles2-0/+7
This sets the keystone notification topics only if ceilometer is enabled. This mitigates the issue of keystone sending notifications when nobody is receiving them. Closes-Bug: #1729293 Depends-On: I4dcce73446633c08ea37ba567610eec398094036 Change-Id: I063af5e642388acc180cb8e728481c5a36cc8ddc (cherry picked from commit 4adb82d03ddd72191bb379f277374a0a5720bbc4)
2017-11-11Disable live migration over TLSJuan Antonio Osorio Robles3-18/+26
Due to the fact that it doesn't use a separate CA (or sub CA) for libvirtd, and that proper SASL is not being used. We are disabling this option since it doesn't meet the appropriate security requirements. We'll look into adding this back once these issues get fixed. Change-Id: I6a5e4db1b6dd6bc8b7e73e53b614b070d15b8a23 Closes-Bug: #1730370 (cherry picked from commit 645757cbd6bdb1a1b75cb4aa8acce80a178099ce)
2017-11-10Merge "Update default cell_v2 cell when it already exists" into stable/pikeZuul1-10/+22
2017-11-10Merge "Refactor cellv2 host discovery logic to avoid races" into stable/pikeZuul8-5/+129
2017-11-10Merge "Fix cinder-{backup,volume} container with pacemaker" into stable/pikeZuul2-14/+54
2017-11-10Merge "Configure docker0 bridge address" into stable/pikeZuul2-4/+15
2017-11-10Merge "Re-enable containerized fluentd" into stable/pikeZuul1-6/+1
2017-11-10Merge "Env files for ODL deployments" into stable/pikeZuul4-20/+60
2017-11-10Update default cell_v2 cell when it already existsOliver Walsh1-10/+22
nova-manage cell_v2 create_cell just uses a dumb string comparison to detect when a cell already exists. If there is a slight difference (e.g ordering of params in the db uri query string) it can result in duplicate cells. With this patch we should detect that the default cell already exists and update it to use the current transport_url/database_connection instead of attempting to create a new cell. Change-Id: If6a32e87b19cb0edf683144367701a115657ad0a Closes-bug: 1718912 (cherry picked from commit ebcaabcc5c5d2840128b3609c82c4a70a81ea0a0)
2017-11-10Refactor cellv2 host discovery logic to avoid racesOliver Walsh8-5/+129
The compute service list is polled until all expected hosts are reported or a timeout occurs (600s). Adds a cellv2_discovery flag to puppet services. Used to generate a list of hosts that should have cellv2 host mappings. Adds a canonical fqdn and that should match the fqdn reported by a host. Adds the ability to upload a config script for docker config instead of using complex bash on-liners. Closes-bug: 1720821 Change-Id: I33e2f296526c957cb5f96dff19682a4e60c6a0f0 (cherry picked from commit 61fcfca045aeb5be1ee280d8dd9c260fb39b9084)
2017-11-10Fix cinder-{backup,volume} container with pacemakerMartin André2-14/+54
The cinder-backup and cinder-volume templates were lagging behind the non-pacemaker version and didn't pass CI. This commit aims at bringing back parity. Change-Id: I11a12f52538168c858b16c9786eb83ae88161488 Depends-On: Iea84a291414e515d8c72a60646188e5b37354a38 Closes-Bug: #1729430 (cherry picked from commit 72c5c73aaafc013d3e2292cded11234ae2b55e80)
2017-11-10Configure docker0 bridge addressMartin André2-4/+15
This was previously conflicting with the InternalApiNetCidr value in environments/network-environment.yaml. Change-Id: I3f1cb6f056fb19a1ba93d1076191abe7aca4fa21 Depends-On: Ie803b33c93b931f7fefb87b6833eb22fd59cd92d Closes-Bug: #1726773 (cherry picked from commit 509209a29be1ac3e72d6ea97eaf328760693daaf)
2017-11-10Merge "Fix rights to local_settings.d for dockerized Horizon" into stable/pikeZuul1-0/+4
2017-11-09Merge "Only mount selinux sysfs in nova_libvirt container" into stable/pikeZuul2-1/+1
2017-11-09Re-enable containerized fluentdMartin André1-6/+1
Now that we got a promotion, there is a container image for fluentd in tripleomaster registry. We can finally re-enable the containerized fluentd service in scenario0001. Change-Id: I636e63f9b66dd47267fa40febf49a6ec9a6b7ef3 Related-Bug: #1721723 Closes-Bug: #1726891 (cherry picked from commit c795e748d2e0fe1299919872250d6951246c1365)
2017-11-09Merge "Fix wrong permission on database during mysql_init tasks." into ↵Zuul1-1/+1
stable/pike
2017-11-09Merge "Set bind mount propegatation to shared for /var/lib/nova." into ↵Zuul4-5/+5
stable/pike
2017-11-09Merge "Do not set cluster in maintenance mode during split stack upgrade" ↵Zuul1-2/+2
into stable/pike
2017-11-09Merge "Set ipc=host for services attaching encrypted volumes" into stable/pikeZuul2-0/+2
2017-11-09Env files for ODL deploymentsJanki Chhatbar4-20/+60
This patch adds env files for SRIOV, OVS-DPDK, L2GW, BGPVPN and SFC deployments with ODL. These files contain configs not present in basic ODL deployment env file. While deploying, these need to be used along the basic deployment env file like openstack overcloud deploy \ -e environments/services-docker/neutron-opendaylight.yaml \ -e environments/services-docker/neutron-opendaylight-dpdk.yaml and openstack overcloud deploy \ -e environments/services-docker/neutron-opendaylight.yaml \ -e environments/services-docker/neutron-opendaylight-sriov.yaml and so forth for all other deployments. Closes-Bug: 1722881 Change-Id: I2b70d3f4518e0c014cf37f7fecd92f69989f0860 (cherry picked from commit e0c89d6593dadd9bf6ba9fa6f618e7c44ec7aa2e)
2017-11-09Fix rights to local_settings.d for dockerized HorizonRadomir Dopieralski1-0/+4
For some reasonf that directory doesn't have r/x rights, so when compress is ran as root, it can access config files in it, but when horizon is run by apache, it can't, and expects different theme files, thus failing with OfflineGenerationError. Giving apache access to that directory fixes the problem and makes the custom theme work. Closes-bug: #1730911 Change-Id: I53f6db23b036bc9b5a689bbac958550f384194c6 (cherry picked from commit 2827fa428c757180019dd7c1aacafcca554845ab)
2017-11-09Merge "Set metric procssing delay for metricd" into stable/pikeZuul1-0/+5
2017-11-09Merge "Add --detailed-exitcodes when running puppet via ansible" into ↵Zuul2-5/+14
stable/pike
2017-11-09Merge "Temporarily disable fluentd from scenario001-multinode-containers" ↵Zuul1-2/+6
into stable/pike
2017-11-08Do not set cluster in maintenance mode during split stack upgradeMarius Cornea1-2/+2
This change noops ControllerDeployedServer{Pre,Post}Config to avoid getting the upgrade of a split stack deployment getting stuck due to the cluster being in maintenance mode. For reference a similar change has been done for the regular Controller role in: https://review.openstack.org/#/c/487313/ Change-Id: Idd393011b3c4d0d236780e11a04a59d426750de1 Closes-bug: 1725175 (cherry picked from commit 8e92d7c6db6fcae863a250f63b01a98f7a3f3340)
2017-11-08Merge "Add all services to container scenarios" into stable/pikeZuul4-27/+74
2017-11-08Add --detailed-exitcodes when running puppet via ansibleMichele Baldessari2-5/+14
puppet run on never fails, even when it should, since we moved to the ansible way of applying it. The reason is the current following code: - name: Run puppet host configuration for step {{step}} command: >- puppet apply --modulepath=/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules --logdest syslog --logdest console --color=false /var/lib/tripleo-config/puppet_step_config.pp The above is missing the --detailed-exitcodes switch and so puppet will never really error out on us and the deployment will keep on running all the steps even though a previous puppet manifest might have failed. This cause extra hard-to-debug failures. Initially the issue was observed on the puppet host runs, but this parameter is missing also from docker-puppet.py, so let's add it there as well as it makes sense to return proper error codes whenever we call puppet. Besides this being a good idea in general, we actually *have* to do it because puppet does not fail correctly without this option due to the following puppet bug: https://tickets.puppetlabs.com/browse/PUP-2754 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Change-Id: Ie9df4f520645404560a9635fb66e3af42b966f54 Closes-Bug: #1723163 (cherry picked from commit 11e599d116cfbf7df4dcd0e7670c3405a4224c1a)
2017-11-08Temporarily disable fluentd from scenario001-multinode-containersMichele Baldessari1-2/+6
Mixing containers and BM is currently not working. Once the master promotion will take place we will have a fluentd container and can readd fluentd as a container and the problem should not re-occurr. Change-Id: Iad97f7e0e4de56f46a46d2381fc1ea5822a2114a Related-Bug: #1726891 (cherry picked from commit 35d91ddc6d11bb2696321fff4593d5cca3b0cba8)
2017-11-08Merge "Switch scenario004-containers to use ceph-ansible" into stable/pikeZuul2-24/+24
2017-11-08Set bind mount propegatation to shared for /var/lib/nova.Oliver Walsh4-5/+5
This is required for nfs exports mounted by the nova_compute container to be visible to nova_libvirt. Depends-on: I8a63c044e15d7ca0f54654e9fc9c5d878461aa25 Change-Id: I55859e744e3c2ebbd6975c96b84b6b0774dc6700 Closes-bug: 1730533 (cherry picked from commit ef0493f5ea6a7f5412fcf1e1722d71092aba1398)
2017-11-08Merge "nova-placement: switch auth_uri to keystone versionless endpoint" ↵Zuul1-1/+1
into stable/pike
2017-11-08Merge "Fix /etc/openstack-dashboard/ permissions for access to *policy.json" ↵Zuul1-0/+6
into stable/pike
2017-11-08Fix wrong permission on database during mysql_init tasks.Sofer Athlan-Guyot1-1/+1
During mysql initialization, mysql needs to be able to write in the database directory. Change-Id: I82c2e46f66ab01021cb910eb7e0d17c81b00fa09 Closes-bug: #1730349 (cherry picked from commit 0d65e380caf89d8c486e8ea87571298a6687b680)
2017-11-08Merge "Enable Cinder as a backend for Glance" into stable/pikeZuul5-6/+20
2017-11-08Merge "Add tags to baremetal cron removal tasks" into stable/pikeZuul4-0/+4
2017-11-07Set metric procssing delay for metricdPradeep Kilambi1-0/+5
Depends-On: 1d6084045e6019c7ad536a8adfd5249b1d95e37e Closes-bug: #1722788 Change-Id: I22a815bbc8dad65366fbc212f35bdb9d7b4faa52 (cherry picked from commit 66f85f17273353c30ae5625d29c367e0a5f513a8)
2017-11-07Merge "mysql: Only set certificate specs if TLS everywhere is enabled" into ↵Zuul1-20/+24
stable/pike
2017-11-06Merge "cinder: switch CinderCronDbPurgeUser to 'cinder'" into stable/pikeZuul1-1/+1
2017-11-05Merge "Fix iptables rules override bug in clustercheck docker service" into ↵Zuul1-1/+4
stable/pike
2017-11-05Merge "RHSM: when using proxy, test its connectivity first" into stable/pikeZuul2-6/+37
2017-11-05cinder: switch CinderCronDbPurgeUser to 'cinder'Emilien Macchi1-1/+1
... and not 'keystone' or it fails. Change-Id: Iee4161ec9d8c7a84997ab24ddd234353f3a81dfb Closes-Bug: #1729352 (cherry picked from commit b99a240ccc4f262ee7626518087784eb92b0152f)
2017-11-04Merge "mysql: expose IPv6 configuration to mysql puppet modules" into ↵Zuul2-0/+8
stable/pike
2017-11-04Fix iptables rules override bug in clustercheck docker serviceMichele Baldessari1-1/+4
When deploying a composable HA overcloud with a database role split off to separate nodes we could observe a deployment failure due to galera never starting up properly. The reason for this was that instead of having the firewall rules for the galera bundle applied (i.e. those with the extra control-port for the bundle), we would see the firewall rules for the BM galera service. E.g. we would see the following on the host: tripleo.mysql.firewall_rules: { 104 mysql galera: { dport: [ 873, 3306, 4444, 4567, 4568, 9200 ] Instead of the correct mysq bundle firewall rules: tripleo.mysql.firewall_rules: 104 mysql galera-bundle: dport: [ 873, 3123, 3306, 4444, 4567, 4568, 9200 ] The reason for this is the following piece of code in https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/pacemaker/clustercheck.yaml#L62: ... MysqlPuppetBase: type: ../../../puppet/services/pacemaker/database/mysql.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Containerized service clustercheck using composable services. value: service_name: clustercheck config_settings: {get_attr: [MysqlPuppetBase, role_data, config_settings]} logging_source: {get_attr: [MysqlPuppetBase, role_data, logging_source]} ... Depending on the ordering of the clustercheck service within the role (before or after the mysql service), the above code will override the tripleo.mysql.firewall_rules with the wrong rules because we derive from puppet/services/... which contain the BM firewall rules. Let's just switch to derive from the docker service so we do not risk getting the wrong firewall rules during the map_merge. Tested this change successfully on a composable HA with split-off DB nodes. Change-Id: Ie87b327fe7981d905f8762d3944a0e950dbd0bfa Closes-Bug: #1728918 (cherry picked from commit 3df6a4204a85b119cd67ccf176d5b72f9e550da6)
2017-11-04mysql: Only set certificate specs if TLS everywhere is enabledJuan Antonio Osorio Robles1-20/+24
The conditional was missing. Change-Id: Ie2617dd9dba1c49f37e82448b6bf229d127ed46a Closes-Bug: #1729384 (cherry picked from commit 410e062aa0d91b99c4493fac6940499cc02e4288)
2017-11-04Set ipc=host for services attaching encrypted volumesEric Harney2-0/+2
Without ipc=host set, cryptsetup/devicemapper will never see devices created when running "cryptsetup luksOpen", causing the command to hang. This is required for attaching encrypted Cinder volumes. Closes-Bug: #1729419 Change-Id: Ic7184b1fbbafea266f8ec1e7974d0a4a2cf4d750 (cherry picked from commit 05b61472463d5dbde3f1b1285819044409a80e2e)
2017-11-03Merge "Fix nova-cpu/collectd hieradata" into stable/pikeZuul1-1/+1
2017-11-03Merge "Upgrade rhel_reg_sat_repo to 6.2" into stable/pikeZuul2-1/+6
2017-11-03Merge "Run containerized mistral-api eventlet" into stable/pikeZuul1-1/+35
2017-11-03Merge "added level of indirection causes incorrect hiera config" into ↵Zuul2-21/+19
stable/pike
2017-11-03Merge "Add NetIpMap to hieradata for *ExtraConfig overrides" into stable/pikeZuul1-0/+2