Age | Commit message (Collapse) | Author | Files | Lines |
|
GenerateConfigDeployment wasn't anchored with dependencies anywhere. If
it took too long to complete and step 1 of containers creation already
started executing, problems happened. This is now fixed by adding the
required dependency relationship.
Change-Id: Ie7dfd2a965e704ba278d4c2fad67f14a3a62799e
Closes-Bug: #1692503
|
|
This is needed since it's what writes the service metadata to the nova
server in order to create the kerberos principals. It worked in a base
controller since the keystone template does have this. But if we would
deploy these services on a separate role, it would break. So this output
is needed.
bp tls-via-certmonger-containers
Change-Id: I3ee8c65d356dcd092a3fbf79041e5c69ef23b721
|
|
|
|
|
|
|
|
Master is now the development branch for pike
changing the release alias name.
Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
|
|
This patch adds support for running the neutron metadata agent in a
container.
Change-Id: I53c62516c95d62f5ced70818d4eb4c2c341df0d7
Partial-Bug: #1668922
|
|
proxy"
|
|
|
|
We already have an ansible deployment that applies the per-service
host_prep_tasks, so we can simplify the dependencies here by just
doing the docker-steps host preparation at the same time.
The motivation behind this is to both simplify the depends_on web we
have here, reduce the number of discrete deployments, and also to
potentially make running ansible directly e.g for debugging easier.
In a future patch we'll convert the configuration steps to work in
a similar way, such that they can be more easily reapplied e.g for
rolling minor updates, possibly outside of heat.
Change-Id: I9a201fc5a9e82c7fba4c2de36eb5332e21a81d37
|
|
|
|
This helps a bit with debugging issues, and the container will be
deleted on the next run when the same volume is configured.
Change-Id: I4f2f219bd7e40abafd0eb31c1275fdd8ed4db4da
|
|
Depends-on: I30ba93f76171e5993b5f0e1d7f1f5533acb25740
Closes-bug: #1668925
Change-Id: I3cb61d2d8765f9c2601bb00c4bfa24162883b96a
|
|
This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of neutron server.
bp tls-via-certmonger-containers
Change-Id: I2529d78e889835f48c51e12d28ecd7c48739b02b
|
|
For TLS everywhere, neutron-server needs httpd in the image, since
it'll use a separate container that runs a TLS proxy to terminate
the connection. This requires the image where the configuration is
ran to have httpd installed, since there are several directories
and the user/group that's needed.
So, we then switch the image to be used to be neutron-server instead
of the openvswitch-agent image.
Change-Id: Ie16de3004925b7624f106d6c015ec04ef6031a06
Depends-On: I82f10ac0e7e692e6ba4a06dc10da9eaf79c60e7e
|
|
This was forgotten in I72376a803ec6b2ed93903cc0c95a6ffce718b6dc and
broke containerized deployment.
Change-Id: I599a87bf06efbfefd3067c77ed6ca866505900f9
Closes-Bug: #1690870
|
|
When a service is enabled on multiple roles, the parameters for the
service will be global. This change enables an option to provide
role specific parameter to services and other templates.
Two new parameters - RoleName and RoleParameters, are added to the
service template. RoleName provides the role name of on which the
current instance of the service is being applied on. RoleParameters
provides the list of parameters which are configured specific to the
role in the environment file, like below:
parameters_default:
# Default value for applied to all roles
NovaReservedHostMemory: 2048
ComputeDpdkParameters:
# Applied only to ComputeDpdk role
NovaReservedHostMemory: 4096
In above sample, the cluster contains 2 roles - Compute, ComputeDpdk.
The values of ComputeDpdkParameters will be passed on to the templates
as RoleParameters while creating the stack for ComputeDpdk role. The
parameter which supports role specific configuration, should find the
parameter first in in the RoleParameters list, if not found, then the
default (for all roles) should be used.
Implements: blueprint tripleo-derive-parameters
Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
|
|
|
|
|
|
This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of glance-api.
bp tls-via-certmonger-containers
Change-Id: If902ac732479832b9aa3e4a8d063b5be68a42a9b
|
|
This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of swift.
bp tls-via-certmonger-containers
Depends-On: Ib01137cd0d98e6f5a3e49579c080ab18d8905b0d
Change-Id: I9639af8b46b8e865cc1fa7249bf1d8b1b978adfe
|
|
|
|
|
|
|
|
Variables are now passed in with --env in the docker run call.
This will allow docker-puppet.sh to be baked into the image instead of
having it as a custom entrypoint.
Change-Id: Icbaefe033becc6b2226535f28ee202917bdc1074
|
|
Move the Zaqar WSGI service to use httpd in docker deployment.
Depends-On: I35cfd1c2320eb972890b44668c8f9f0a047a65dc
Change-Id: I56a6469a9179b5c023738f447e7665d0d3c73d0b
Co-Authored-By: Martin André <m.andre@redhat.com>
Co-Authored-By: Thomas Herve <therve@redhat.com>
|
|
This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd.
bp tls-via-certmonger-containers
Change-Id: I194c33992c7f3628f7858ecf5e472ecfdee969ed
|
|
Partial blueprint containerized-services-logs
Change-Id: Idbf1884226503aca9072b12d050500af407973cf
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
Some containers are using the logs named volume for collecting logs
written to `/var/log`. We should make this consistent for all the
containers.
This patch also cleans up some mounts that weren't needed for some
services. For example, glance-api doesn't need `/run` to be mounted.
Other changes:
* Rework log volumes to hostpath mounts to omit slow COW writes.
* Add kolla_config's permission and host_prep_tasks create and
manage hostpath mounted log dirs permissions.
* Rework data owning init containers to kolla_config permissions
* When a step wants KOLLA_BOOTSTRAP or DB sync, use logs data owning
init containers to set permissions for logs. This is required
because kolla bootsrap and DB sync runs before the kolla config
stage and there is yet permissions set for logs.
* In order to address hybrid cases for host services vs containerized
ones to access logs having different UIDs, persist containerized
services' logs into separate directories (an upgrade impact)
* Ensure host prep tasks to create /var/log/containers/ and /var/lib/
sub-directories for services
* Fix missing /etc/httpd, /var/www config-data mounts for zaqar/ironic
* Fix YAML indentation and drop strings quotation.
Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com>
Partial blueprint containerized-services-logs
Change-Id: I53e737120bf0121bd28667f355b6f29f1b2a6b82
|
|
This switches heat-api and heat-api-cfn to use httpd in containerized
overcloud.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I2fe6e25474279c7c91a69d9df7b28e12b1d8ac00
|
|
|
|
Change-Id: Ic218a753e0cede2ba3951bcaec843f487dce0c71
|
|
list_concat was introduced recently and is able to replace the yaql
calls for concatenating lists.
Change-Id: Id3a80a0e1e4c25b6d838898757c69ec99d0cd826
|
|
Log prepared docker command
Use logger stdout instead of print command
Log stderr as debug as well
Change-Id: I3d48fbf4fa3381d325e3be3788b041e06d4bb294
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
The puppet-redis module makes use of the exec puppet tag to copy the
/etc/redis.conf.puppet file to /etc/redis.conf. We need to explicitly
enable it otherwise our redis container will pick up the default redis
configuration and not the one that was generated with puppet.
Also creates the /var/run/redis directory on the host since we bind
mount /run, and ensure the container sets the correct ownership on the
directory.
Finally, configure redis to not daemonize otherwise the container ends
up in a restart loop.
Change-Id: Ia1dce2120ca7479eef8bc77dedf9431adbe210cc
Closes-Bug: #1686707
|
|
|
|
|
|
Docker puppet hook writes to /etc of
containers. Mount /etc as rw for etcd container.
Change-Id: I8e45de18a91022690c19888cbfaa68d2fdfe46ce
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
We have a circular dependency errror since
https://review.openstack.org/#/c/452734/ landed.
This adjusts the dependencies to ensure we run pre-config before
the first puppet deploy step, and removes the duplicate declaration
of the ControllerPostConfig resource. Also we ensure the first
container step always depends on the same step puppet deploy.
Change-Id: I70c5a39fb36b951bdeb04c15bddac7d00eebf08a
Closes-Bug: #1686098
|
|
|
|
|
|
Depends-On: I3ad463217ed3f2d6374627248236b274cfed72fb
Depends-On: If4b01934a9a5cb6ca2ff6c1831e4fe073f1b04ea
Closes-bug: #1668938
Change-Id: I6cb902d712849bf11f331ed776cd0ed6e200dcd9
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
The [Pre|Post]Puppet resources were renamed in
https://review.openstack.org/#/c/365763.
This was intended for having a pre/post deployment
steps using an agnostic name instead of
being attached to a technology.
The renaming was unintentionally reverted in
https://review.openstack.org/#/c/393644/ and
https://review.openstack.org/#/c/434451.
This submission merge both resources into one,
and remove the old pre|post hooks.
Closes-bug: #1669756
Change-Id: Ic9d97f172efd2db74255363679b60f1d2dc4e064
|
|
* Use default puppet tags instead of the 'file' tag only
* Noop user/policy providers for puppet_config docker step
and move them into docker_puppet_tasks (init container)
Change-Id: I98a54808aae6fca060b23f074b71178f2d4c815e
Closes-bug: #1684138
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|