Age | Commit message | Author | Files | Lines
2017-08-14 | Merge "Enable TLS for nova api and placement containers" | Jenkins | 2 | -0/+34
2017-08-14 | Merge "Make containerized nova-api run with httpd" | Jenkins | 2 | -12/+8
2017-08-14 | Set file mode permission of Ceph keyrings | John Fulton | 1 | -5/+1
Pass mode parameter to ceph-ansible in place of ACLs parameter because ACLs are not for the same UID in the container as on the container host and because ACLs are not passed by kolla_config.
Change-Id: I7e3433eab8e2a62963b623531f223d5abd301d16
Closes-Bug: #1709683
2017-08-14 | Enable TLS for containerized MySQL | Juan Antonio Osorio Robles | 2 | -9/+61
Bind mounts and adds the appropriate permissions for the cert and key that's used for TLS.
bp tls-via-certmonger-containers
Change-Id: I7fae4083604c7dc89ca04141080a228ebfc44ac9
2017-08-14 | Enable TLS for containerized haproxy | Juan Antonio Osorio Robles | 2 | -8/+58
This bind mounts the certificates if TLS is enabled in the internal network. It also disables the CRL usage since we can't restart haproxy at the rate that the CRL is updated. This will be addressed later and is a known limitation of using containerized haproxy (there's the same issue in the HA scenario). To address the different UID that the certs and keys will have, I added an extra step that changes the ownership of these files; though this only gets included if TLS in the internal network is enabled.
bp tls-via-certmonger-containers
Depends-On: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
Change-Id: Ic6ca88ee7b6b256ae6182e60e07498a8a793d66a
2017-08-14 | Don't unregister on system/resource delete | James Slagle | 2 | -17/+26
Don't unregister systems from the portal/satellite when deleting from Heat. There are several reasons why it's compelling to fix this behavior. See https://bugs.launchpad.net/tripleo/+bug/1710144 for full information. The previous behavior can be triggered by setting the DeleteOnRHELUnregistration parameter to "true".
Closes-Bug: #1710144
Change-Id: I909a6f7a049dc23fc27f2231a4893d428f06a1f1
2017-08-14 | Fix Heat condition for RHEL registration yum update | James Slagle | 2 | -2/+14
There were 2 problems with this condition making the rhel-registration.yaml template broken:
- "conditions" should be "condition"
- The condition should refer to just a condition name defined in the "conditions:" section of the template.
Change-Id: I14d5c72cf86423808e81f1d8406098d5fd635e66
Closes-Bug: #1709916
2017-08-14 | Fix metadata_settings in containerized mongodb | Damien Ciabrini | 1 | -0/+2
The containerized version of the mongodb service omits the metadata_settings definition [1], which confuses certmonger when internal TLS is enabled and makes the generation of certificates fail. Use the right setting from the non-containerized profile.
[1] https://review.openstack.org/#/c/461780/
Change-Id: I50a9a3a822ba5ef5d2657a12c359b51b7a3a42f2
Closes-Bug: #1709553
2017-08-14 | Bind mount tripleo.cnf in transient bootstrap containers | Damien Ciabrini | 6 | -0/+6
Various containerized services (e.g. nova, neutron, heat) run initial set up steps with some ephemeral containers that don't use kolla_start. The tripleo.cnf file is not copied in /etc/my.cnf.d and this can break some deployments (e.g. when using internal TLS, services lack SSL settings). Fix the configuration of transient containers by bind mounting the tripleo.cnf file when kolla_start is not used.
Change-Id: I5246f9d52fcf8c8af81de7a0dd8281169c971577
Closes-Bug: #1710127
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
2017-08-14 | Containerize virtlogd | Jiri Stransky | 2 | -21/+35
So far we've been using virtlogd running on the host, we should now be using virtlogd from a container.
Co-Authored-By: Martin André <m.andre@redhat.com>
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Change-Id: I998c69ea1f7480ebb90afb44d6006953a84a1c04
2017-08-14 | Consolidate deployment in major-upgrade-composable-steps | Jose Luis Franco Arza | 1 | -1/+1
After 483293 commit is merged, major-upgrade-composable-steps.yaml file is pointing to the wrong location deployment, which is now under common/ folder.
Change-Id: Ic6784533d1c21b5b8fcb422bccd820af72e499d9
2017-08-13 | Merge "Pass monitor_address_block to ceph-ansible for mon_host" | Jenkins | 1 | -0/+1
2017-08-13 | Merge "Add environment to disable deploy steps" | Jenkins | 2 | -1/+3
2017-08-13 | Merge "Add support for update_tasks" | Jenkins | 4 | -1/+46
2017-08-13 | Merge "Add RoleConfig output" | Jenkins | 2 | -0/+21
2017-08-13 | Merge "Default docker_puppet_debug to false" | Jenkins | 1 | -1/+1
2017-08-13 | Merge "Move deploy-steps-playbook to deploy-steps-tasks" | Jenkins | 2 | -4/+12
2017-08-12 | Merge "Convert blockstorage-role.yaml to role.role.j2.yaml" | Jenkins | 2 | -706/+0
2017-08-12 | Merge "Convert objectstorage-role.yaml to role.role.j2.yaml" | Jenkins | 5 | -704/+22
2017-08-12 | Fix parsing of DockerCephDaemonImage parameter | Giulio Fidente | 1 | -15/+30
Splitting by colon using native str_split function did not work well because we needed a right split. This change replaces the str_split calls with yaql rightSplit().
Change-Id: Iab2f69a5fadc6b02e2eacf3c9d1a9024b0212ac6
2017-08-12 | Pass monitor_address_block to ceph-ansible for mon_host | Giulio Fidente | 1 | -0/+1
The ip address which clients and other nodes use to connect to the monitors is derived from the monitor_interface parameter unless a monitor_address or monitor_address_block is given (to set mon_host into ceph.conf); this change adds setting for monitor_address_block to match the public_network so that clients attempt to connect to the mons on the appropriate network.
Change-Id: I7187e739e9f777eab724fbc09e8b2c8ddedc552d
Closes-Bug: #1709485
2017-08-12 | Add environment to disable deploy steps | Steven Hardy | 2 | -1/+3
This enables either deploying without configuring any services, or temporarily disabling the deploy steps such as will be required for minor updates where we want to re-run the rolling update outside of heat.
To deploy directly via ansible-playbook you can do e.g:
  openstack overcloud config download --config-dir tmpconfig
  cd tmpconfig/tripleo-6b02U7-config
  ansible-playbook -vvv -b -i /usr/bin/tripleo-ansible-inventory deploy_steps_playbook.yaml
Which will run the same ansible steps as we normally run via heat.
Change-Id: I59947b67523dfcc43d454d4ac7d82b06804cf71d
2017-08-12 | Add support for update_tasks | Steven Hardy | 4 | -1/+46
These work the same way as upgrade_tasks *but* they use a step variable instead of tags, so we can iterate over a count/sequence which isn't possible via a wrapper playbook with tags (we may want to align upgrade tasks with the same approach if this works out well).
Note the tasks can be run via ansible-playbook on the undercloud, like:
  openstack overcloud config download --config-dir tmpconfig
  cd tmpconfig/tripleo-HCrDA6-config
  ansible-playbook -b -i /usr/bin/tripleo-ansible-inventory update_steps_playbook.yaml --limit controller
The above will do a rolling update for the Controller role (note the inconsistent capitalization, we probably need to fix the group naming in tripleo-ansible-inventory) because we specify serial: 1 in the playbook.
You can also trigger an update explicitly on one node like this, which is useful for debugging:
  ansible-playbook -vvv -b -i /usr/bin/tripleo-ansible-inventory update_steps_playbook.yaml --limit overcloud-controller-0
Change-Id: I20bb3e26ab9d9cadf1a31fd304de8a014a901aa9
2017-08-12 | Add RoleConfig output | Steven Hardy | 2 | -0/+21
This exposes the deploy workflow for all roles from deploy-steps via overcloud.j2.yaml - which means we can write it via the new openstack overcloud config download command and/or run the workflow outside of heat via mistral.
With https://review.openstack.org/#/c/485732/ applied to tripleoclient it becomes possible to do:
  openstack overcloud config download --config-dir tmpconfig
  cd tmpconfig/tripleo-EvEZk0-config
  ansible-playbook -b -i /usr/bin/tripleo-ansible-inventory deploy_steps_playbook.yaml
This runs the deploy steps, exactly the same as normally run via heat, via ansible-playbook for all overcloud nodes (--limit can be used to restrict to specific nodes/roles).
Change-Id: I96ec09bc788836584c4b39dcce5bf9b80e914c71
2017-08-12 | Default docker_puppet_debug to false | Steven Hardy | 1 | -1/+1
This isn't set unless the playbook is run via heat, so default it to false to enable easier use via ansible-playbook combined with tripleo-ansible-inventory.
Change-Id: I9705e4533831a019dd0051e5522d4b7958682506
2017-08-12 | Move deploy-steps-playbook to deploy-steps-tasks | Steven Hardy | 2 | -4/+12
So that we can more easily iterate over an include in an output.
Change-Id: Idd5bb47589e5c37123caafcded1afbff8881aa33
2017-08-12 | Merge "Consolidate puppet/docker deployments with one deploy steps workflow" | Jenkins | 15 | -235/+9
2017-08-12 | Merge "Correct gnocchi-upgrade command quotes" | Jenkins | 2 | -4/+14
2017-08-12 | Merge "Convert compute-role.yaml to role.role.j2.yaml" | Jenkins | 8 | -757/+57
2017-08-12 | Merge "Convert controller-role.yaml to role.role.j2.yaml" | Jenkins | 7 | -857/+177
2017-08-11 | Add ServiceData to hidden params | Ben Nemec | 1 | -1/+1
It looks like this was added recently and it doesn't appear to be a parameter we want in the sample environments.
Change-Id: I0ac433553e7ad9b0a54c011b66c54b4692b44be0
2017-08-11 | Merge "TLS everywhere: Configure CA for mongodb" | Jenkins | 1 | -0/+6
2017-08-11 | Merge "Add script to create tripleo-admin on deployed servers" | Jenkins | 1 | -0/+60
2017-08-11 | Correct gnocchi-upgrade command quotes | Jose Luis Franco Arza | 2 | -4/+14
After merging commit 488796, single quotation marks were missed. This causes the upgrade to fail as the flag --sacks-number is considered a su command flag. Also mounts Ceph config data into the container which seems needed for the gnocchi-upgrade command when configured to use Ceph. Also move the gnocchi db sync to step 4, so ceph is ready. Add a retry loop to ceilometer-upgrade cmd so it doesn't fail while apache is restarted.
Closes-Bug: #1709322
Change-Id: I62f3a5fa2d43a2cd579f72286661d503e9f08b90
2017-08-11 | Merge "openstack-heat-templates: fix deprecation path" | Jenkins | 1 | -1/+1
2017-08-11 | Consolidate puppet/docker deployments with one deploy steps workflow | Steven Hardy | 15 | -235/+9
If we consolidate these we can focus on one implementation (the new ansible based one used for docker-steps).
Change-Id: Iec0ad2278d62040bf03613fc9556b199c6a80546
Depends-On: Ifa2afa915e0fee368fb2506c02de75bf5efe82d5
2017-08-11 | Convert cephstorage-role.yaml to role.role.j2.yaml | Steven Hardy | 2 | -719/+3
Add some special-casing for backwards compatibility, such that the CephStorage role can be rendered via j2 for support of composable networks.
Change-Id: Iee92bb6ee94963717d3a8ef400e7970f62576a0d
Partially-Implements: blueprint composable-networks
2017-08-11 | Convert blockstorage-role.yaml to role.role.j2.yaml | Steven Hardy | 2 | -706/+0
Add some special-casing for backwards compatibility, such that the BlockStorage role can be rendered via j2 for support of composable networks.
Change-Id: Ia5fb5ff6dbe218710e95a69583ac289cf7b4af9e
Partially-Implements: blueprint composable-networks
2017-08-11 | Convert objectstorage-role.yaml to role.role.j2.yaml | Steven Hardy | 5 | -704/+22
Add some special-casing for backwards compatibility, such that the ObjectStorage role can be rendered via j2 for support of composable networks.
Change-Id: I52abbefe2f5035059ccbed925990faab020c6c89
Partially-Implements: blueprint composable-networks
2017-08-11 | Convert compute-role.yaml to role.role.j2.yaml | Steven Hardy | 8 | -757/+57
Add some special-casing for backwards compatibility, such that the Compute role can be rendered via j2 for support of composable networks.
Change-Id: Ieee446583f77bb9423609d444c576788cf930121
Partially-Implements: blueprint composable-networks
2017-08-11 | Convert controller-role.yaml to role.role.j2.yaml | Steven Hardy | 7 | -857/+177
Add deprecated role-specific parameters to role definition, in order to special-case some parameters for backwards compatibility, such that the Controller role can be rendered via j2 for support of composable networks.
Co-Authored-By: Dan Sneddon <dsneddon@redhat.com>
Change-Id: I5983f03ae1b7f0b6add793914540b8ca405f9b2b
Partially-Implements: blueprint composable-networks
2017-08-11 | Internal TLS support for mongodb container | Juan Antonio Osorio Robles | 1 | -7/+45
This bind mounts the necessary files for the mongodb container to serve TLS in the internal network.
bp tls-via-certmonger-containers
Change-Id: Ieef2a456a397f7d5df368ddd5003273cb0bb7259
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
2017-08-11 | TLS everywhere: Configure CA for mongodb | Juan Antonio Osorio Robles | 1 | -0/+6
It wasn't being configured, thus making mongodb fail.
Change-Id: If0d7513aacfa74493a9747440fb97f915a77db84
Closes-Bug: #1710162
2017-08-11 | Merge "Move HAProxy's public TLS logic from controller to service template" | Jenkins | 4 | -6/+25
2017-08-11 | Merge "Set virsh secret with an init step when using Ceph" | Jenkins | 3 | -4/+62
2017-08-11 | Merge "Keep dynamic network creation backward compatible." | Jenkins | 2 | -3/+7
2017-08-11 | Enable TLS for nova api and placement containers | Juan Antonio Osorio Robles | 2 | -0/+34
With these two services running over httpd in the containers, we can now enable TLS for them.
bp tls-via-certmonger-containers
Change-Id: Ib8fc37a391e3b32feef0ac6492492c0088866d21
2017-08-11 | Make containerized nova-api run with httpd | Juan Antonio Osorio Robles | 2 | -12/+8
The non-containerized version will run over httpd [1], and for the containerized TLS work, it is needed in the container version as well.
[1] Iac35b7ddcd8a800901548c75ca8d5083ad17e4d3
bp tls-via-certmonger-containers
Depends-On: I1c5f13039414f17312f91a5e0fd02019aa08e00e
Change-Id: I2c39a2957fd95dd261b5b8c4df5e66e00a68d2f7
2017-08-11 | Enable TLS configuration for containerized Galera | Damien Ciabrini | 1 | -0/+35
In non-containerized deployments, Galera can be configured to use TLS for gcomm group communication when enable_internal_tls is set to true. Fix the metadata service definition and update the Kolla configuration to make gcomm use TLS in containers, if configured.
bp tls-via-certmonger-containers
Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Closes-Bug: #1708135
Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814
2017-08-11 | Move HAProxy's public TLS logic from controller to service template | Juan Antonio Osorio Robles | 4 | -6/+25
This de-couples public TLS from controllers to now run wherever HAProxy is deployed.
Partially-Implements: blueprint composable-networks
Change-Id: I9e84a25a363899acf103015527787bdd8248949f