Age | Commit message (Collapse) | Author | Files | Lines |
|
puppet run on never fails, even when it should, since we moved
to the ansible way of applying it. The reason is the current following code:
- name: Run puppet host configuration for step {{step}}
command: >-
puppet apply
--modulepath=/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
--logdest syslog --logdest console --color=false
/var/lib/tripleo-config/puppet_step_config.pp
The above is missing the --detailed-exitcodes switch and so puppet will never
really error out on us and the deployment will keep on running all the
steps even though a previous puppet manifest might have failed. This
cause extra hard-to-debug failures.
Initially the issue was observed on the puppet host runs, but this
parameter is missing also from docker-puppet.py, so let's add it there
as well as it makes sense to return proper error codes whenever we call
puppet.
Besides this being a good idea in general, we actually *have* to do it
because puppet does not fail correctly without this option due to the
following puppet bug:
https://tickets.puppetlabs.com/browse/PUP-2754
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Change-Id: Ie9df4f520645404560a9635fb66e3af42b966f54
Closes-Bug: #1723163
(cherry picked from commit 11e599d116cfbf7df4dcd0e7670c3405a4224c1a)
|
|
Some services only mount this directory, not /var/lib/config-data/$service
so handle this case in the docker-puppet code that maps the mounted
volumes to the services when adding the config hash to the container
environment.
Change-Id: I3bdb7609f322458584ac9597ffbfefb057b84646
Closes-Bug: #1720208
(cherry picked from commit 3a932b056914d148fa460b8890fc0e631c817a40)
|
|
Co-Authored-By: Ian Main <imain@redhat.com>
Change-Id: Iad6d38690340f4a064a4527c58ed439d91fa5188
Closes-bug: #1715136
(cherry picked from commit d3b3361a76c2e8b188fa8e586d9fb7f3c60bb66f)
|
|
Use a more restrictive mode for these files, as some may contain sensitive data
which shouldn't be world readable
Closes-Bug: #1714986
Change-Id: Ib1e79b1d4e25d6e329938402b1ca776bdab81bdd
(cherry picked from commit 94c7752cfae64d96124a32bc36ccd6ec7b4df4a7)
|
|
Get the path from the CONFIG_VOLUME_PREFIX environment variable.
This is useful for debugging and generate configuration files to
a different directory.
Change-Id: Ib85e3898804312ebb6677a5fa189fbfc357ce27c
(cherry picked from commit 0c62b6cd8d696befb1c0c31bb6e206199ce1edac)
|
|
Change-Id: Idf627a348cad8d5287c82cb393367210f1c760cf
Closes-bug: #1713185
(cherry picked from commit 20e1f0e8c9a2bbc3734f6eec0ee9ac2d5156f166)
|
|
Running puppet apply with --logdest syslog results in all the output
being redirected to syslog. You get no error messages. In the case where this fails, the subsequent debug task shows nothing useful
as there was no stdout/stderr.
Also pass --logdest console to docker-puppet's puppet apply so that
we get the output for the debug task.
Related-Bug: #1707030
Change-Id: I67df5eee9916237420ca646a16e188f26c828c0e
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
Updates hieradata for changes in https://review.openstack.org/471950.
Creates a new service - NovaMigrationTarget. On baremetal this just configures
live/cold-migration. On docker is includes a container running a second sshd
services on an alternative port.
Configures /var/lib/nova/.ssh/config and mounts in nova-compute and libvirtd
containers.
Change-Id: Ic4b810ff71085b73ccd08c66a3739f94e6c0c427
Implements: blueprint tripleo-cold-migration
Depends-On: I6c04cebd1cf066c79c5b4335011733d32ac208dc
Depends-On: I063a84a8e6da64ae3b09125cfa42e48df69adc12
|
|
|
|
* Debug ansible 'puppet apply' stderr joined stdout, split
by lines.
* Do 'puppet apply' w/o colors, logdest syslog, and given a wanted
modulepath instead of the module puppet, that can't support those
options.
* Bind-mount syslog socket for docker-puppet.py to pass puppet logs
to host OS syslog.
* Fix logging handlers for multiprocess workers in docker-puppet.py.
Related-bug: #1698172
Closes-bug: #1700086
Change-Id: I84112a836e968aa5c3596a6544e0392980529963
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
This change enables the puppet cron resource in docker-puppet.py and adds user
crontabs to the paths copied from the config containers.
Only the nova crontab is configured for now. Other services will require
similar changes to run their crontabs.
Partial-Bug: 1701254
Change-Id: I2d1d0f0d77908a132472cf4bc475f8bd526af504
Depends-On: Ie16fb4539481a3c192cff8220a97daa4c70467fc
|
|
This solves a problem with bind-mounts when the containers are holding
files descriptors open.
At the same time this makes the template more robust to puppet changes
since new config files will be available in the containers without
needing to update the templates.
Partial-Bug: #1698323
Change-Id: Ia4ad6d77387e3dc354cd131c2f9756939fb8f736
|
|
Depends-On: I020550ede0ef981582392cf6c48dd5cb5823a074
Depends-On: I610b07a3c2bcf1c3288f76112a08b81c50e06913
Depends-On: I3d378044b3da5309b60967a12df7800520a254dc
Depends-On: I9c32b41ef865a09587f3ebfe8b8a896031fbd285
Depends-On: Ib31bf29bc69f5c58e98b99c3e598b19c99efc77f
Change-Id: I36c7390ddb4192e55ee56006fd6e9c5f8704445c
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
The checksum is changing each run because the mtime is different, so force
a specific date such that we only compare the directory contents.
Change-Id: I5ed2b50176f902d7af12b96e650b67b736d59a4a
|
|
If you want debug logging you can set the new DockerPuppetDebug
heat parameter to 'True'.
Change-Id: Iae7bb67379351ea15d61c331867d7005f07ba98e
Closes-bug: 1700570
|
|
This should help determine what exactly needs to be bind mounted in the
container and should also help limit the size of collected logs in CI,
as collecting the entire /etc directory from each container can grow
pretty quickly in size and is not that useful.
Related-Bug: #1698172
Change-Id: Ie2bded39cdb82a72f0c28f1c552403cd11b5af45
|
|
Also attempts to move the workaround for bug #1696283 to before the
puppet apply call.
Closes-Bug: #1696622
Change-Id: I3a195466a5039e7641e843c11e5436440bfc5a01
|
|
The configuration generated by docker-puppet may change on update,
so checksum the combined files from the config-data directories,
to enable detecting those that have changed and restarting the
appropriate containers - we need to merge this checksum into
the environment passed to the containters, as this will cause
paunch to correctly restart containers when the configuration
generated changes, even if the rest of the json definition
provided by heat does not.
Change-Id: I40d9080cf3ad708ef4ed91e46d2b2ae1138bb9c3
|
|
Works around the issue encountered in 1696283.
Change-Id: I1947d9d1e3cabc5dfe25ee1af994d684425bdbf7
Resolves-Bug: #1696283
|
|
This helps a bit with debugging issues, and the container will be
deleted on the next run when the same volume is configured.
Change-Id: I4f2f219bd7e40abafd0eb31c1275fdd8ed4db4da
|
|
Variables are now passed in with --env in the docker run call.
This will allow docker-puppet.sh to be baked into the image instead of
having it as a custom entrypoint.
Change-Id: Icbaefe033becc6b2226535f28ee202917bdc1074
|
|
Log prepared docker command
Use logger stdout instead of print command
Log stderr as debug as well
Change-Id: I3d48fbf4fa3381d325e3be3788b041e06d4bb294
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
The containers also need to trust the CA's that the overcloud node
trusts, else we'll get SSL verification failures.
bp tls-via-certmonger-containers
Change-Id: I7d3412a6273777712db2c90522e365c413567c49
|
|
This is cluttering up the logs with useless error messages, making it
more difficult than necessary to debug the CI job.
Change-Id: Icbdc4c74d99fea39b8722955dab56e5f538849aa
|
|
|
|
For both containers and classic deployments, allow to configure
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).
Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.
Note: use it with extreme caution.
Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
|
|
This allows to optionally add volumes, where we could use a heat
conditional to either put the volume path we want or put an empty string
which should be safely skipped.
Change-Id: I68f91ffdd8ceb14735adad1322fcf124c47b160c
|
|
|
|
Currently returncodes are ignored from docker puppet workers, so a
failed puppet apply may not manifest until later in the stack
deployment due to some other failure.
This change logs any failures at the end of the run and returns a
failure code if any worker returns a failure code.
Change-Id: I6a504dbeb4c0ac465ce10e7647830524fe0a1160
|
|
This approach removes the need for the yaql zip to build the
docker-puppet data by building the data in a puppet_config dict.
This allows a future change to make docker-puppet.py only accept dict
data.
Currently the step_config is left where it is and referenced inside
puppet_config, but feedback is welcome whether this is necessary or
desirable.
Change-Id: I4a4d7a6fd2735cb841174af305dbb62e0b3d3e8c
|
|
We should always pass the `DOCKER_*` env vars to all the `docker`
commands that are executed in the various scripts as those variables may
contain the access data for the docker daemon.
Change-Id: Ie719f451350e6ea35cb22d97a8f090ad81fa8141
|
|
This change gives the option of docker-puppet.py data to be in a dict
as well as a list. This allows docker_puppet_tasks data to use the
same keys as the top level puppet config data.
If the yaql fu can be worked out to build the top level data,
docker-puppet.py can later drop the list format entirely.
Change-Id: I7e2294c6c898d2340421c93516296ccf120aa6d2
|
|
This allows you to show the changes made to a container during
configuration stage for fast development.
Change-Id: Id9c72cf2b07486f0a80bf3572a7ba349888d877f
|
|
This patch sets the step correctly for docker_puppet_tasks.
This is now required in order to match the 'step' in some
puppet manifests explicitly so that things like keystone
initialization run correctly.
Closes-bug: #1667454
Change-Id: If2bdd0b1051125674f116f895832b48723d82b3a
|
|
Use a pool of worker processes to run the puppet modules so they
can all be done in parallel. Defaults to cpu count processes.
Change-Id: I083d302b8cf6538569e4d165221c21df152266bc
|
|
This patch adds a new (optional) section to the docker post.j2.yaml
that collects any 'docker_puppet_tasks' data from enabled
services and applies it on the primary role node (the
first node in the primary (first) role).
The use case for this is although we are generally only using
puppet for configuration there are several exceptions that we
desire to make use of today for parity with baremetal. This
includes things like database creation and keystone endpoint
initialization which we rely on configuration via hiera variables
controlled by the puppet services.
Change-Id: Ic14ef48f26de761b0d0eabd0e1c0eae52d90e68a
|
|
This patch implements a new docker deployment architecture that
should us to install docker services in a stepwise manner alongside
of baremetal puppet services. This works by using Yaql to select
docker specific services (docker/services/*.yaml) vs the puppet
specific ones and then applying the selected Json to relevant Heat
software deployments for docker and baremetal puppet in a stepwise
fashion.
Additionally the new architecture
leverages new composable services interfaces from Newton to
allow configuration of per-service container configuration
sets (directories that are bind mounted into kolla containers) by
using the Kolla containers themselves. It does this by spinning up
a throw away "configuration only" version of the container being
configured itself, then running the puppet apply in that container and
copying the generated config files into /var/lib/config-data. This
avoids having to install all of the OpenStack dependency packages
in the heat-agent-container itself (our previous approach) and should
allow us to configure a much wider variety of container config files
that would otherwise be impossible with the previous shared approach.
The new approach (combined) should allow us to configure containers in
both the undercloud and overcloud and incrementally add CI coverage to
services as we containerize them.
Co-Authored-By: Martin André <m.andre@redhat.com>
Co-Authored-By: Ian Main <imain@redhat.com>
Co-Authored-By: Flavio Percoco <flavio@redhat.com>
Change-Id: Ibcff99f03e6751fbf3197adefd5d344178b71fc2
|