Age | Commit message | Author | Files | Lines |
|
This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd.
bp tls-via-certmonger-containers
Change-Id: I194c33992c7f3628f7858ecf5e472ecfdee969ed
|
|
Some containers are using the logs named volume for collecting logs
written to `/var/log`. We should make this consistent for all the
containers.
This patch also cleans up some mounts that weren't needed for some
services. For example, glance-api doesn't need `/run` to be mounted.
Other changes:
* Rework log volumes to hostpath mounts to omit slow COW writes.
* Add kolla_config's permissions, and have host_prep_tasks create and
manage permissions on hostpath-mounted log dirs.
* Rework data owning init containers to kolla_config permissions
* When a step wants KOLLA_BOOTSTRAP or DB sync, use logs data owning
init containers to set permissions for logs. This is required
because kolla bootstrap and DB sync run before the kolla config
stage and there are not yet permissions set for logs.
* In order to address hybrid cases for host services vs containerized
ones to access logs having different UIDs, persist containerized
services' logs into separate directories (an upgrade impact)
* Ensure host prep tasks create /var/log/containers/ and /var/lib/
sub-directories for services
* Fix missing /etc/httpd, /var/www config-data mounts for zaqar/ironic
* Fix YAML indentation and drop strings quotation.
Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com>
Partial blueprint containerized-services-logs
Change-Id: I53e737120bf0121bd28667f355b6f29f1b2a6b82
|
|
This switches heat-api and heat-api-cfn to use httpd in containerized
overcloud.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I2fe6e25474279c7c91a69d9df7b28e12b1d8ac00
|
|
|
|
Change-Id: Ic218a753e0cede2ba3951bcaec843f487dce0c71
|
|
list_concat was introduced recently and is able to replace the yaql
calls for concatenating lists.
Change-Id: Id3a80a0e1e4c25b6d838898757c69ec99d0cd826
|
|
Log prepared docker command
Use logger stdout instead of print command
Log stderr as debug as well
Change-Id: I3d48fbf4fa3381d325e3be3788b041e06d4bb294
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
The puppet-redis module makes use of the exec puppet tag to copy the
/etc/redis.conf.puppet file to /etc/redis.conf. We need to explicitly
enable it otherwise our redis container will pick up the default redis
configuration and not the one that was generated with puppet.
Also creates the /var/run/redis directory on the host since we bind
mount /run, and ensure the container sets the correct ownership on the
directory.
Finally, configure redis to not daemonize, otherwise the container ends
up in a restart loop.
Change-Id: Ia1dce2120ca7479eef8bc77dedf9431adbe210cc
Closes-Bug: #1686707
|
|
|
|
|
|
Docker puppet hook writes to /etc of
containers. Mount /etc as rw for the etcd container.
Change-Id: I8e45de18a91022690c19888cbfaa68d2fdfe46ce
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
We have a circular dependency error since
https://review.openstack.org/#/c/452734/ landed.
This adjusts the dependencies to ensure we run pre-config before
the first puppet deploy step, and removes the duplicate declaration
of the ControllerPostConfig resource. Also we ensure the first
container step always depends on the same step puppet deploy.
Change-Id: I70c5a39fb36b951bdeb04c15bddac7d00eebf08a
Closes-Bug: #1686098
|
|
|
|
|
|
Depends-On: I3ad463217ed3f2d6374627248236b274cfed72fb
Depends-On: If4b01934a9a5cb6ca2ff6c1831e4fe073f1b04ea
Closes-bug: #1668938
Change-Id: I6cb902d712849bf11f331ed776cd0ed6e200dcd9
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
The [Pre|Post]Puppet resources were renamed in
https://review.openstack.org/#/c/365763.
This was intended for having pre/post deployment
steps using an agnostic name instead of
being attached to a technology.
The renaming was unintentionally reverted in
https://review.openstack.org/#/c/393644/ and
https://review.openstack.org/#/c/434451.
This submission merges both resources into one,
and removes the old pre|post hooks.
Closes-bug: #1669756
Change-Id: Ic9d97f172efd2db74255363679b60f1d2dc4e064
|
|
* Use default puppet tags instead of the 'file' tag only
* Noop user/policy providers for puppet_config docker step
and move them into docker_puppet_tasks (init container)
Change-Id: I98a54808aae6fca060b23f074b71178f2d4c815e
Closes-bug: #1684138
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
Closes-bug: #1668919
Change-Id: Ie750caa34c6fa22ca6eae6834b9ca20e15d97f7f
|
|
When configuring nova containers via puppet, the puppet class chain
includes a class for live migration, which configures live migration
aspects in nova and libvirt.
Some of the libvirt config parts try to notify Service[libvirt], but
that service definition is only included in nova-libvirt service, it's
not included in the control plane nova services. However, our hieradata
is currently global on the node, it's not per-service, which means even
though only the nova-compute and nova-libvirt services set
tripleo::profile::base::nova::manage_migration: true
this hiera setting is applied to all containers running puppet, most
notably the ones which configure nova control plane services. As a
result, configuration of nova control plane services failed, and in turn
the whole deployment failed.
This commit disables the libvirt part of live migration config until we
implement some better solution (e.g. hieradata separation between
different puppet containers, or move the libvirt config parts only to
nova-compute manifests in puppet-tripleo).
Change-Id: I0328406607d451e6bdce4d92c441c03648925fa7
Closes-Bug: #1684107
|
|
|
|
|
|
Currently we're referencing some steps that don't exist in the
output from the OS::Heat::Value resource, but as noted in the heat
bug #1681749 I think this isn't valid and probably should not be
allowed, so instead merge defaults with the non-empty step
tasks. To avoid further duplication of the loop variables, I
made the max step a variable.
Change-Id: Icf3d639b53c97006a0c370c12600449fba6f3323
Related-Bug: #1681749
|
|
There's no need for puppet to download rabbitmqadmin script from
rabbitmq, as the script would be immediately deleted together with the
ephemeral puppet container. Also, since rabbitmq isn't running at the
time we run the puppet container (rabbitmq doesn't have config files
generated at that point), puppet couldn't connect to rabbitmq anyway.
Change-Id: Ia59e1013c24ab02037246135024418cc9b674606
Closes-Bug: #1684104
|
|
This is not really an issue, but this is now consistent with other
images and is generally nicer to people with OCD.
Also, this helps generating a consistent overcloud_containers.yaml from
parsing the heat templates.
Change-Id: I24b41dea51d2a8e862f43e9092c94ba07431af4a
|
|
This covers aodh, gnocchi and panko.
cp tls-via-certmonger-containers
Change-Id: I6dabb0d82755c28b8940c0baab0e23cfcc587c42
|
|
|
|
|
|
|
|
|
|
When TLS is enabled, the containers need to trust the CAs that the
host trusts.
Change-Id: I0434b0ac10290970857cad3d1a89d00f5b054196
|
|
This enables common resources that the docker templates might need.
The initial resource only is common volumes, and two volumes are
introduced (localtime and hosts).
Change-Id: Ic55af32803f9493a61f9b57aff849bfc6187d992
|
|
This reverts commit 57a26486128982c9887edd02eb8897045215b10a.
Change-Id: I1bbe16a1a7a382ae0c898bd19cd64d3d49aa84c7
Closes-bug: #1683210
|
|
|
|
|
|
Previously Ansible upgrade steps failed with: Could not find the
requested service nova-compute: cannot disable.
Change-Id: I14e8bc89aca0a3f7308d88488b431e23251cc043
Closes-Bug: #1682373
|
|
The rest of the services are using underscores, so this helps
uniformity.
Change-Id: I4ce3cc76f430a19fa08c77b004b86ecad02119ae
|
|
|
|
|
|
|
|
|
|
Prior to Ocata, the Controller role was hardcoded for various lookups.
When we switched to having the primary role name being dynamically
pulled from the roles_data.yaml using the first role as the primary
role as part of I36df7fa86c2ff40026d59f02248af529a4a81861, it
introduced a regression for folks who had previously been using
a custom roles file without the Controller being listed first.
Instead of relying on the position of the role in the roles data, this
change adds the concepts of tags to the role data that can be used when
looking for specific functionality within the deployment process. If
no roles are specified with the tags indicating a 'primary'
'controller', it will fall back to using the first role listed in the
roles data as the primary role.
Change-Id: Id3377e7d7dcc88ba9a61ca9ef1fb669949714f65
Closes-Bug: #1677374
|
|
This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd, which is
the commit this is on top of.
Also, an environment file was added that's similar to
environments/docker.yaml. The difference is that this one will contain
the services that can run containerized with TLS-everywhere. This file
will be updated as more services get support for this.
bp tls-via-certmonger-containers
Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78
|
|
The containers also need to trust the CAs that the overcloud node
trusts, else we'll get SSL verification failures.
bp tls-via-certmonger-containers
Change-Id: I7d3412a6273777712db2c90522e365c413567c49
|
|
We pass the short hostname to docker-puppet.py. In order to satisfy the
facter FQDN check for the short hostname we need to run the container
with --net=host in some cases.
Change-Id: I2929f122f23ee33e8ea5d4c5006d2bbb8b928b67
Closes-bug: #1681903
|