|Age||Commit message (Collapse)||Author||Files||Lines|
This reverts commit 520be6bb4056ead8e6fad08ad96e99f7da5b341e.
This introduced a bug:
where during upgrade, the previous heat resource would for the
InternalApi network would have the incorrect name "Internal" and the
upgrade would try to delete the resource in order to create
"InternalApi". This needs to be reverted and a proper fix will be
submitted that accounts for this upgrade scenario.
Horizon needs write access to its log file and read permissions for all
of its configuration files.
The code that was supposed to set the permissions did it in the wrong
Co-Authored-By: Martin Andre <firstname.lastname@example.org>
(cherry picked from commit 960d7ff1025a568343aa5ae5ef95386306de8cab)
(cherry picked from commit 06331a830e8923a9dc2ef8c15f2f1bf9d1d58ba1)
These got missed in the refactoring to support composable networks.
(cherry picked from commit ef1768e40c3a6c58a22381a4546772f571bee5cc)
Currently when a network in network_data is disabled it no port
definitions for that network will be created per role. This results in
no fallback to the ctlplane IP because overriding a type in
network-isolation to noop.yaml does nothing when the port does not exist
for the role.
This patch changes the IPs when a network is disabled to be the same IPs
as ctlplane and fixes the issue, along with removing the need to use
noop.yaml override for ports (non-vip).
Signed-off-by: Tim Rozet <email@example.com>
(cherry picked from commit 9285cb5fc99331ca63ff09df59f26b6018bc781b)
Since, user ID on host and container differs, image-create
with NFS backend was failing with permission error. But even after
resolving permission error the image was not getting created
on the nfs share as the NFS endpoint is not mounted successfully on
the container via puppet. This will be fixed by .
Now, adding two below changes in this patch,
. chown glance:glance /var/lib/glance.
. Proposing this solution to mount NFS endpoint on the host instead
of mounting it on glance container, because mounting in container
does not work as explained in LP Bug.
(cherry picked from commit
It doesn't exist in the non containerized openstack so leave it
stubbed out by default.
(cherry picked from commit a850d8059fbc1c36efb18773e40bb600e5da5005)
Adds a UpgradeRemoveUnusedPackages param to use
in the ansible when conditional for the removal
Adds package removal to step2 right after a service
is stopped and disabled on step2. Package updates
happen in step3 so ideally remove before that.
The package removal task has ignore_errors true
so dependencies or other issue removing packages will
not fail the upgrade workflow.
Also adds this to the upgrade environment files
for visibility and defaulting false
(cherry picked from commit ce0ef2fa207698c1ae61c1620fe3c5e8d1c7bfca)
Adds update_tasks for the minor update workflow. These will be
collected into playbooks during an initial 'update init' heat
stack update and then invoked later by the operator as ansible
Step=1: stop the cluster on the updated node
Step=2: Pull the latest image and retag the it pcmklatest
Step=3: yum upgrade happens on the host
Step=4: Restart the cluster on the node
Step=5: Verification: test pacemaker services are running.
Co-Authored-By: Damien Ciabrini <firstname.lastname@example.org>
Co-Authored-By: Sofer Athlan-Guyot <email@example.com>
(cherry picked from commit a953bda0ae615dc44d3e8a70aa7ab0160e26f3af)
We make sure to run upgrade and run os-net-config on its own. Running
os-net-config with the no-activate option will
- prevent the restart of the interface
- adjust the network files to the expected configuration so that next
run won't restart the network.
Eventually at next reboot the change will be taken into account.
Currently we have no change that are required to be taken live during
the upgrade so it safe to ignore the new parameters.
(cherry picked from commit 5aab25bb68f62b0d7e4ffdc20d4f4da1d82a76db)
Currently the default Sensu check defined in docker/services/sensu-client.yaml
reports only first unhealthy container. This patch changes the check output
to contain list of all unhealthy containers.
(cherry picked from commit 9b016c9f3fbe9552497737974b9928d1dff4d299)
Currently health check for mysql container reports unhealthy container
because there is no 'mysql' user created. This patch creates the user
during mysql_bootstrap without any permission, just to allow health
check to connect to DB and run 'select 1'.
(cherry picked from commit 3a9cfaa992e92423461d64f84d701336322bdd10)
Cold migration network is determined by the value of my_ip in nova.conf.
If this isn't set then the network with the default gateway will be used.
This patch sets my_ip and the whitelisted IP for cold migation over SSH to the
Until https://bugs.launchpad.net/nova/+bug/1671288 is fixed we cannot control
the network used for live migration over SSH. It is determined by hostname
This patch sets the whitelisted IP for live migration over SSH to the hostname
resolution network for the role - which is typically the same as NovaApiNetwork.
(NB The puppet manifest will remove duplicates).
Live migration over TLS is not affected. It can control the network used so it
configurable via NovaLibvirtNetwork.
(cherry picked from commit 23331889a577b82b625610a80ecd44e164fe6cf1)
The services that docker depends on, have logging_sources and logging_groups;
but those are not set on the docker outputs so they are not used when dockers
Added logging_source & logging_groups as docker optional parameters in
(cherry picked from commit 5dbe1121e98a794ec6a6387ff56ee34314177567)
(cherry picked from commit f37fe4f903f429b43d22b485c29547f576ec7269)
The containerized galera service generates a galera.cnf which uses
short hostname to identify itself rather than the fqdn from the
mysql_network (e.g. overcloud-x.internalapi.cloudname).
This breaks when internal TLS is in use, because the mysql certificate
does not reference this short hostname.
Fix the appropriate hiera parameter to make it behave like the
non-containerized galera service.
(cherry picked from commit e10aa591dc9155a2746df01279c4ba4f2133fd17)
The environments/network-isolation[-v6].yaml files have an
unneeded reference to network/ports/noop.yaml for unused
This introduces a regression where environment files that
define the networks and ports on a per-role basis can
cancel out other environment files. See bug # 1717322.
The overcloud-resource-registry.j2.yaml already uses noop.yaml
for every network on every role (whether or not the networks
are enabled, or whether the particular network is supposed
to be on a role. So having noop.yaml specified for every
role in network-isolation[-v6].yaml is not needed and can
cause issues with upgrades if the environments are not
included in a specific order.
(cherry picked from commit 9b08df3733257ac0fbc150a4071aec051e073ef7)
In Ocata all live-migration over ssh is performed on the default ssh port (22).
In Pike the containerized live-migration over ssh is on port 2022 as the
docker host's sshd is using port 22.
To allow live migration during upgrade we need to temporarily pin the Pike
computes to port 22 and in the final converge we can switch over to port 2022.
This also changes the default port to 2022 for baremetal computes in Pike to
enable live-migration between baremetal and containerized computes.
(cherry picked from commit 17fd16b9f266e1aa67bf03ebdf309e89d668ada2)
As per Ceph docs  we should default pg_num and pgp_num to 128 when
using less than 5 OSDs.
This same change was applied to the ceph-ansible profiles with .
Also updates the CI environment files to continue using 32 where we
deploy a single OSD.
(cherry picked from commit e17ae7620e03790da0d29092ab42e8089b2e8d11)
node_private file doesn't exist anymore, use sub_nodes_private
Signed-off-by: Tim Rozet <firstname.lastname@example.org>
(cherry picked from commit ba5436099d37898e418406f8b4376923e14f4c89)
container" into stable/pike
(cherry picked from commit 3e8de70bd5a8c43389432d484189d4de5fc0ae2f)
With the dynamic Jinja2 rendering for networks, the heat resource for
Internal API network was accidentally being renamed to:
when it should be the same as previous versions:
This patch removes the 'compat_name' which was overriding the network
name for rendering the resource. This patch also removes the
compat_name functionality from the network/networks.j2.yaml file
since it is no longer needed.
Signed-off-by: Tim Rozet <email@example.com>
(cherry picked from commit 97244b942d29d2b5acd7a3eb07acdba0d9b99677)
Since each dnsmasq process consumes one inotify socket, the default
value of fs.inotify.max_user_instances which is 128 lets us scale to
only around a 116 neutron subnets (a few other sockets are used by other
processes on the system). Since, we need to provide better defaults,
this patch proposes to bump this value to 1024 by default, while giving
the user a way to cahnge it. Based on
https://unix.stackexchange.com/a/13757 each inotify watch takes 1KB of
memory and we have fs.inotify.max_user_watches set to 8192 by default.
This means that even in the worst case we won't be using more than 8MB
of memory. Bumping the fs.inotify.max_user_instances value to 1024 is
safe because there is fs.inotify.max_user_watches which caps the total
number of files that can be watched by all the inotify instances a user
(cherry picked from commit d2d0c3ff00de9b62382193d942239d543aa9499f)
During the controlplane upgrade the host_prep_tasks are being
executed on the disable_upgrade_deployment roles too.
This sets the role specific host_prep_tasks to an empty list for
those roles during an upgrade, as executing them during the
controlplane upgrade (during -e
major-upgrade-composable-steps-docker.yaml) causes problems.
They will be executed as part of the non controller upgrade as they
are written to the stack outputs to be used as ansible playbooks
(see bug 1708115 for more info on this)
(cherry picked from commit 684267a7a4fbff489f6324020289afbdcaaca8f5)
Previously it was mistakenly replacing the contents because we
do not do deep merge.
(cherry picked from commit 17416dcfc56c5148ccc9ab40297f99adfdcd085b)