aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2016-11-17No longer hard coding to a specifc network interface name.Harald Jensas1-2/+2
Instead of using a specific network interface name, thi fix fetch all ethernet mac addresses. Then uses this list of mac addresses to do a check if any entries in the list match any of the values in NetConfigDataLookup for a node. If there is a match, the /etc/os-net-config/mapping.yaml file for the node will be written. This fix removes the hard coded interface name 'eth0' used to get a mac address as identifyer for the specific node before. Using a hard coded interface name such as 'eth0' would have failed on most hardware because of "consistent network device names". Fix Bug: #1642551 Change-Id: I6c1d1b4d70b916bc5d9049469df8221f8ab2eb95
2016-11-16Merge "Do not manage overcloud repositories when using external Ceph"Jenkins1-0/+8
2016-11-16Merge "Use keystone profile parameter to pass heat password"Jenkins1-1/+1
2016-11-16Merge "Fix up Newton->Ocata rabbitmq ha policy"Jenkins2-1/+21
2016-11-16Merge "Replace ceilometer-dbsync by ceilometer-upgrade"Jenkins1-1/+1
2016-11-16Do not manage overcloud repositories when using external CephJohn Fulton1-0/+8
ceph::profile::params::manage_repo should default to false when using external Ceph. Overcloud Ceph clients use Ceph packages, which may be provided by the 'ceph' metapackage, but not for all repos, see related bug. So, this change also includes a list of packages as a workaround as used in change Ie55d22301dd22102d471e6002dfcaad4bfadd5f6. Change-Id: I338e51637aa39d3f7bbbad0263740f728d42cb9b Closes-bug: 1641989 Related-Bug: 1629933
2016-11-16Use keystone profile parameter to pass heat passwordJuan Antonio Osorio Robles1-1/+1
Instead of relying on an explicit hiera call to get the stack domain password, this uses the keystone parameter to introduce that value instead. Change-Id: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
2016-11-15Nova base cleanups for hiera json hookDan Prince1-43/+51
This patch resolves an issue with nova-base.yaml that prevents it from working with the new heat hiera agent hook (which uses Json instead of Yaml). It updates the service so that we only set the upgrade level if it is not an empty string. Partial-bug: #1596373 Change-Id: I595f2e16c33a6f935c7ca8935fec445d19c7b8f3
2016-11-15Horizon service cleanups for hiera json hookDan Prince1-35/+34
This patch resolves a few issues I noticed when porting our Horizon service to support the new heat hiera agent hook (which uses Json instead of Yaml). -we only need to set django_debug if the string is non-empty. This should match previous behavior. -remove the duplicated NeutronMechanismDrivers setting. This is already managed in the neutron services and shouldn't be set here. Change-Id: I473e110bb9b14cb8f57d41c4fc398871548726b0 Partial-bug: #1596373
2016-11-16Merge "Fix external Load Balancer deployment"Jenkins1-2/+1
2016-11-16Merge "Revert "Adjust MTU to compensate for VLAN tag issue""Jenkins1-5/+2
2016-11-15Merge "Enable internal TLS for Barbican API"Jenkins1-1/+4
2016-11-15Merge "Define keystone token provider"Jenkins1-1/+12
2016-11-15Merge "Disable password reveal in horizon"Jenkins1-0/+1
2016-11-15Replace ceilometer-dbsync by ceilometer-upgradeSteven Hardy1-1/+1
https://review.openstack.org/#/c/388688/ has removed ceilometer-dbsync so ceilometer-upgrade must be used instead. Additionally, ceilometer-dbsync enabled option --skip-gnocchi-resource-types and ceilometer-upgrade doesn't, so i'm setting it by default to ensure backwards compatibility. Note this is based on the corresponding fix to puppet-ceilometer ref https://review.openstack.org/#/c/396570 Change-Id: Ic0a15c75d1cd3e3f70eeafd9ba09d50c58cc1293 Closes-Bug: #1641076
2016-11-15Fix external Load Balancer deploymentMichele Baldessari1-2/+1
Deployments using external LB will file like this: deploy_stderr: | + RESTART_FOLDER=/var/lib/tripleo/pacemaker-restarts + [[ -d /var/lib/tripleo/pacemaker-restarts ]] ++ systemctl is-active haproxy + haproxy_status=unknown deploy_status_code: 3 openstack software deployment show 4f339ca4-7600-4ca0-b0ef-f798bc47b6cf The reason is that via https://review.openstack.org/#/c/393644/ we introducted the haproxy restart like this: haproxy_status=$(systemctl is-active haproxy) if [ "$haproxy_status" = "active" ]; then systemctl reload haproxy fi The problem is that if haproxy is not running/installed systemctl is-active can fail and the script will terminate with an error return code. Let's just move the call inside the if so the script does not fail in case haproxy is not there. The snippet before the change (on a system without haproxy installed): [root@mrg-09 tmp]# ./test.sh ++ systemctl is-active haproxy + haproxy_status=unknown [root@mrg-09 tmp]# echo $? 3 After this change: [root@mrg-09 tmp]# ./test.sh ++ systemctl is-active haproxy + '[' unknown = active ']' [root@mrg-09 tmp]# echo $? 0 Change-Id: I837c63a9dbcde8c922f843c442974fa79cf1eede Closes-Bug: #1641904
2016-11-14Define keystone token providerAlex Schultz1-1/+12
In order to eventually enable fernet tokens for keystone, we need to be specify the token provider. This change codifies the current default used by TripleO of uuid tokens and fernet token setup disabled. Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a Closes-Bug: #1641763
2016-11-14Merge "Fix typo in Keystone Sensu subscription"Jenkins1-1/+1
2016-11-14Merge "Use default Sensu redact"Jenkins1-3/+14
2016-11-14Fix up Newton->Ocata rabbitmq ha policyMichele Baldessari2-1/+21
In ocata we changed the ha policy to "ha-exactly" via the following changes: - tht: Iace6daf27a76cb8ef1050ada0de7ff1f530916c6 - puppet-tripleo: Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 We initially also took care of changing this policy (which is set in the pacemaker resource agent) for the M/N upgrade path: I2468a096b5d7042bc801a742a7a85fb1521c1c02 In the end we decided against changing the policy in Newton as well (it was only for ocata) as it was too close to the release date and we took the safer path. This patch does two things: 1) It renames the upgrade function to "newton_ocata" since that is the only upgrade path we need to take care of 2) It reinstates the actual upgrade function which was mistakenly removed via an unrelated change in the ceilometer upgrade path: If9d6987cd0a8fc5d3f9de518ba422d97d5149732 Closes-Bug: #1628998 Change-Id: I3a97505d2ae1ae27f3080ffe74c33fdabffd2420
2016-11-14Merge "Fixes missing OVS Firewall config with OpenDaylight"Jenkins1-0/+6
2016-11-14Enable internal TLS for Barbican APIJuan Antonio Osorio Robles1-1/+4
This adds the necessary hieradata for enabling TLS in the internal network for Barbican API. bp tls-via-certmonger Depends-On: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9 Change-Id: Ib100faa9dc222f836695a0e8f6e101dc7637d1d6
2016-11-12Merge "Configure civetweb bind socket via puppet-tripleo"Jenkins1-9/+3
2016-11-11Merge "Neutron L3 service cleanups for hiera json hook"Jenkins1-7/+15
2016-11-11Merge "Enable internal TLS for Cinder API"Jenkins1-4/+13
2016-11-11Merge "Increasing neutron timeout for low memory usage"Jenkins1-0/+3
2016-11-11Merge "Handle null role_data in services"Jenkins1-10/+11
2016-11-11Fixes missing OVS Firewall config with OpenDaylightTim Rozet1-0/+6
Currently OVS tunnel firewall rules are held within the neutron ovs agent service heat template. That service is not used with ODL, so consequently ODL was missing the VXLAN and GRE firewall rules and traffic would not pass between nodes. This adds the missing rules to the OpenDaylight OVS service. Closes-Bug: 1641191 Change-Id: Icfd7db6a3e8fcdd02646fb7e413f40f26b03b994 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-11Configure civetweb bind socket via puppet-tripleoGiulio Fidente1-9/+3
When the civetweb binding IP is version 6 it needs to be enclosed in brackets or the bind socket parsing fails. The mangling happens in puppet-tripleo, this change updates the templates to push the appropriate hiera keys. Change-Id: Ic7004d768ed5e0f2382ffaa57961ea0ef9162527 Closes-Bug: #1636515 Depends-On: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
2016-11-11Merge "Fix inconsistent Manila service naming"Jenkins5-24/+24
2016-11-11Increasing neutron timeout for low memory usageArx Cruz1-0/+3
We are noticing several tests failing in our low memory environment because of timeout in neutron requests. As an example the test tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON fails because it requests to plug a vif, and send request to neutron, which responds in more than neutron_url_timeout, and since the option vif_plugging_is_fatal is set to True as default, the test fails. Shortly thereafter, checking in neutron log you can see the request, returning with the proper status, after more than neutron_url_timeout, however, it's already too late once nova already marked the instance with error status, and so the test fails. Closes-Bug: #1641135 Change-Id: If0991c114f199490ac0deb71eb569a42d4711359
2016-11-11Use default Sensu redactMartin Mágr1-3/+14
By default sensu-puppet is overring default list of varibles which should be redacted. This patch enables to configure redact list and uses default value given by [1]. This patch also serves as a workaround until [2] is merged in the module itself (or in case it won't get merged). [1] https://sensuapp.org/docs/0.24/reference/clients.html [2] https://github.com/sensu/sensu-puppet/pull/580 Closes-Bug: #1641080 Closes-Bug: rhbz#1392473 Change-Id: I21201f734d2fbf5f571091603126cf11cfdd8c40
2016-11-11Merge "Add missing Barbican endpoint from tls-everywhere environment"Jenkins1-0/+3
2016-11-10Merge "Fix race during major-upgrade-pacemaker step"Jenkins8-263/+315
2016-11-10Merge "Removes deprecated overcloud VIP outputs"Jenkins1-54/+0
2016-11-10Merge "Fixes incorrect reference to OpendaylightApiNetwork"Jenkins1-1/+1
2016-11-10Merge "Ensure heat-domain hiera is in nodes that contain keystone"Jenkins3-12/+21
2016-11-10Fix inconsistent Manila service namingSteven Hardy5-24/+24
The capitalization of OS::Tripleo is wrong compared to all other services so correct this for avoidance of confusion when folks write custom roles_data files or pass custom service lists via *Services parameters. Change-Id: Ib73c80871b45586edb5774e90280ff89fc0d9895 Closes-Bug: 1640871
2016-11-10Fix typo in Keystone Sensu subscriptionMartin Mágr1-1/+1
Closes-Bug: rhbz#1392428 Closes-Bug: #1640834 Change-Id: I2a1a869493ccb4c8d5b9aea26b8ef947750d2cfe
2016-11-10Merge "Select bootstrap node by list index not name"Jenkins1-2/+13
2016-11-10Neutron L3 service cleanups for hiera json hookDan Prince1-7/+15
This patch resolves a few issues I noticed when porting our Neutron L3 service to support the new heat hiera agent hook (which uses Json instead of Yaml). - If NeutronExternalNetworkBridge is an emptry string '' Json was dropping the single quotes thus causing the bridge to get set incorrectly in the config file. To correct this we use a heat conditional to avoid setting the external bridge (the '' default is what we want in this case) if the bridge is an empty string. Change-Id: I5037cbde6b76a37a4c22c4616278420e9d759109 Partial-bug: #1596373
2016-11-10Handle null role_data in servicesDan Prince1-10/+11
This patch updates the Yaql expressions that work on role_data so that they evaluate properly when the get_attr for role_data is null. I hit issues using this for the heat undercloud installer and this seems to resolve them. Change-Id: I0493d0525cd3ad280339f26ef9d3aa311af9962e
2016-11-10Select bootstrap node by list index not nameSteven Hardy1-2/+13
Modify the syntax used to access the ResourceGroup attributes so we always select the first node from the group, e.g even if the node named "0" in the ResourceGroup nested stack has been removed due to the removal policy. Change-Id: I8b1c9538976a1518b220187a0034ad41a738d5a6 Closes-Bug: #1640449
2016-11-10Merge "Add firewall rules for manila api service"Jenkins1-0/+5
2016-11-09Add firewall rules for manila api serviceTom Barron1-0/+5
When the manila api service is deployed on a different role than the controller the iptables rules on that role fail to ACCEPT tcp at the manila API ports. Add tripleo.manila_api.firewall_rules to the relevant puppet services module. Change-Id: I1c5459f5ba989657fd99fd72c7ac9f8781cc7206 Closes-Bug: #1640568
2016-11-09Merge "Reload haproxy configuration as a post-deployment step"Jenkins3-3/+36
2016-11-09Merge "ceilometer compute agent needs restart on compute upgrade"Jenkins1-0/+4
2016-11-09Merge "set url_base option in static web middleware"Jenkins1-0/+1
2016-11-09Disable password reveal in horizonAlex Schultz1-0/+1
To improve security, we should disable the password reveal option in horizon by default. An end user can override this options via their own custom hiera if they would ultimately like to have this functionality. Change-Id: Ie88dac5610840eb4b327252b32dc469099ba5f5f Depends-On: Iacf899d595a2a3c522df1b96ca527731937ec698 Closes-Bug: 1640492
2016-11-09Fix race during major-upgrade-pacemaker stepMichele Baldessari8-263/+315
Currently when we call the major-upgrade step we do the following: """ ... if [[ -n $(is_bootstrap_node) ]]; then check_clean_cluster fi ... if [[ -n $(is_bootstrap_node) ]]; then migrate_full_to_ng_ha fi ... for service in $(services_to_migrate); do manage_systemd_service stop "${service%%-clone}" ... done """ The problem with the above code is that it is open to the following race condition: 1. Code gets run first on a non-bootstrap controller node so we start stopping a bunch of services 2. Pacemaker notices will notice that services are down and will mark the service as stopped 3. Code gets run on the bootstrap node (controller-0) and the check_clean_cluster function will fail and exit 4. Eventually also the script on the non-bootstrap controller node will timeout and exit because the cluster never shut down (it never actually started the shutdown because we failed at 3) Let's make sure we first only call the HA NG migration step as a separate heat step. Only afterwards we start shutting down the systemd services on all nodes. We also need to move the STONITH_STATE variable into a file because it is being used across two different scripts (1 and 2) and we need to store that state. Co-Authored-By: Athlan-Guyot Sofer <sathlang@redhat.com> Closes-Bug: #1640407 Change-Id: Ifb9b9e633fcc77604cca2590071656f4b2275c60