Age | Commit message | Author | Files | Lines
When TLS is enabled, the containers need to trust the CAs that the
host trusts.
Change-Id: I0434b0ac10290970857cad3d1a89d00f5b054196
This enables common resources that the docker templates might need.
The initial resource only is common volumes, and two volumes are
introduced (localtime and hosts).
Change-Id: Ic55af32803f9493a61f9b57aff849bfc6187d992
This reverts commit 57a26486128982c9887edd02eb8897045215b10a.
Change-Id: I1bbe16a1a7a382ae0c898bd19cd64d3d49aa84c7
Closes-bug: #1683210
Previously Ansible upgrade steps failed with: Could not find the
requested service nova-compute: cannot disable.
Change-Id: I14e8bc89aca0a3f7308d88488b431e23251cc043
Closes-Bug: #1682373
The rest of the services are using underscores, so this helps
uniformity.
Change-Id: I4ce3cc76f430a19fa08c77b004b86ecad02119ae
Prior to Ocata, the Controller role was hardcoded for various lookups.
When we switched to having the primary role name being dynamically
pulled from the roles_data.yaml using the first role as the primary
role as part of I36df7fa86c2ff40026d59f02248af529a4a81861, it
introduced a regression for folks who had previously been using
a custom roles file without the Controller being listed first.
Instead of relying on the position of the role in the roles data, this
change adds the concepts of tags to the role data that can be used when
looking for specific functionality within the deployment process. If
no roles are specified with the tags indicating a 'primary'
'controller', it will fall back to using the first role listed in the
roles data as the primary role.
Change-Id: Id3377e7d7dcc88ba9a61ca9ef1fb669949714f65
Closes-Bug: #1677374
This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd, which is
the commit this is on top of.
Also, an environment file was added that's similar to
environments/docker.yaml. The difference is that this one will contain
the services that can run containerized with TLS-everywhere. This file
will be updated as more services get support for this.
bp tls-via-certmonger-containers
Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78
The containers also need to trust the CAs that the overcloud node
trusts, else we'll get SSL verification failures.
bp tls-via-certmonger-containers
Change-Id: I7d3412a6273777712db2c90522e365c413567c49
We pass the short hostname to docker-puppet.py. In order to satisfy the
facter FQDN check for the short hostname we need to run the container
with --net=host in some cases.
Change-Id: I2929f122f23ee33e8ea5d4c5006d2bbb8b928b67
Closes-bug: #1681903
Per puppet-nova commit 2c743a6bff5b17a85d1e0500f3a9ecb21468204e
there is now a custom resource for Nova_cell_v2 configuration.
As this resource runs automatically regardless of our use
of puppet tags we need to explicitly disable it to be able to
generate Nova API configs for docker.
Change-Id: Id675dc124464acddc3fc5a88b017a351e93ba685
Closes-bug: #1681841
This is cluttering up the logs with useless error messages, making it
more difficult than necessary to debug the CI job.
Change-Id: Icbdc4c74d99fea39b8722955dab56e5f538849aa
Change-Id: I43c35bbf959e5dcdd7e87a8f6a604d5fe5b4f2a9
This updates the docker version of ironic-conductor.yaml so
that it sets permissions on the entire /var/lib/ironic
tree correctly. Since 1a4ece16cea40075fe7332ed048b9c289b3ff424
we bind mount in /var/lib/ironic from the host (created via
Ansible if it didn't already exist). This caused a subtle
permissions issue in that the Ironic conductor service
can no longer create sub-directories it needs to operate.
Change-Id: I1eb6b5ddad7cd89ee887e2e429ebe245aa7b80dc
Closes-bug: 1677086
Move the Zaqar WSGI service to use httpd in docker deployment.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: If9b16c1aa3529386e68961e3dda5f613ac57b44b
Kolla provides a way to set ownership of files and directories inside the
containers. Use it instead of running an additional container to do the
job.
Change-Id: I554faf7c797f3997dd3ca854da032437acecf490
Simplify the config of the containerized services by bind mounting in
the configurations instead of specifying them all in kolla config.
This change is useful to limit the side effects of generating the
config files and running the container in two separate steps, as config
directories are now bind-mounted inside the container instead of having
files copied to the container. We've seen examples of Apache's
mod_ssl configuration file present on the container preventing it from
starting when puppet configured apache not to load the ssl module (in case
TLS is disabled).
Co-Authored-By: Ian Main <imain@redhat.com>
Change-Id: I4ec5dd8b360faea71a044894a61790997f54d48a
This output gets nova metadata into the servers this is deployed to and
is necessary for the TLS-everywhere work.
bp tls-via-certmonger-containers
Change-Id: Iff54f7af9c63a529f88c6455047f6584d29154b4
For both containers and classic deployments, allow configuring
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).
Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.
Note: use it with extreme caution.
Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
Simplify the config of the keystone service by mounting in the
configurations instead of specifying them all in kolla config.
This change is useful to limit the side effects of generating the
config files and running the container in two separate steps, as config
directories are now bind-mounted inside the container instead of having
files copied to the container. We've seen examples of Apache's
mod_ssl configuration file present on the container preventing it from
starting when puppet configured apache not to load the ssl module (in case
TLS is disabled).
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: Ie33ffc7c2b1acf3e4e505d38efb104bf013f2ce6
Previously only the first two initial fernet keys were mounted into the
container. This is not practical, however, as doing key rotation will
generate more entries in this repository. So instead we mount the whole
directory, which would allow us to do rotation in the base host and
seamlessly affect the container as well.
Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8
Also add upgrade_tasks to disable corresponding host
services in order to avoid data races with containers.
Change-Id: I19c16aaa3e5a73436ca7aa7d06facf64feee2327
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
The previous code had a race condition where nova-api host discovery
and nova-compute were run at the same step. This commit ensures host
discovery happens after nova-compute has started.
Change-Id: Id2fc795a64783d958d98d4ac523a19079e8a4fab
Closes-Bug: #1675011
A previous commit [1] added support for fernet in the keystone docker
service; however, this was not set as the default token provider. This
patch makes it the default.
[1] Id92039b3bad9ecda169323e01de7bebae70f2ba0
Change-Id: Ib44ab61eba0be8ba54bc7d0bdb22437d769cb960
This allows optionally adding volumes, where we could use a heat
conditional to either put the volume path we want or put an empty string
which should be safely skipped.
Change-Id: I68f91ffdd8ceb14735adad1322fcf124c47b160c
Use mounts instead of docker volumes, and preserve existing data when
moving from baremetal to containerized ironic-conductor.
We cannot keep the data in the same directory to avoid hard-linking
errors in ironic, because of this issue:
https://github.com/docker/docker/issues/7457
This means we need to copy the data over to a new location before we
start the containers.
Change-Id: If98460120212f887b06adf117c5d88b97682638e
Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com>
Closes-bug: #1668918
Change-Id: Ie1ebd25965bd2dbad2a22161da0022bad0b9e554
This is used for the TLS-everywhere bits. It will be taken into account
by a metadata hook that outputs relevant entries for the nova-metadata
service; and subsequently kerberos principals will be created from
these.
Subsequent patches will add support for TLS in the internal network for
the containerized keystone.
Change-Id: Ic747ad9c8d6e76c8c16e347c1cdcabc899dd9f9a