path: root/environments/docker-services-tls-everywhere.yaml
Age | Commit message | Author | Files | Lines

2017-10-07 | Support for Ocata-Pike live-migration over ssh | Oliver Walsh | 1 | -0/+1
In Ocata all live-migration over ssh is performed on the default ssh port (22). In Pike the containerized live-migration over ssh is on port 2022, as the docker host's sshd is using port 22. To allow live migration during upgrade we need to temporarily pin the Pike computes to port 22, and in the final converge we can switch over to port 2022. This also changes the default port to 2022 for baremetal computes in Pike to enable live-migration between baremetal and containerized computes.
Change-Id: Icb9bfdd9a99dc1dce28eb95c50a9a36bffa621b1
Depends-On: I0b80b81711f683be539939e7d084365ff63546d3
Closes-Bug: 1714171
(cherry picked from commit 17fd16b9f266e1aa67bf03ebdf309e89d668ada2)

2017-08-23 | Docker: Enable TLS in the internal network for libvirt | Juan Antonio Osorio Robles | 1 | -0/+5
Bind mounts the necessary certs and keys to enable live migrations using TLS.
bp tls-via-certmonger-containers
Depends-On: I26a7748b37059ea37f460d8c70ef684cc41b16d3
Change-Id: I81efa85d916823f740bf320c88a248403743a45b

2017-08-22 | Merge "Add nova metadata to TLS everywhere/docker services list" | Jenkins | 1 | -3/+4

2017-08-21 | Add nova metadata to TLS everywhere/docker services list | Juan Antonio Osorio Robles | 1 | -3/+4
This is working, so we add it to the list.
bp tls-via-certmonger-containers
Change-Id: Ib545d4e6c130b73b4921eb9b6325d2e8d6ff1e2c

2017-08-21 | TLS for containerized horizon | Juan Antonio Osorio Robles | 1 | -0/+1
Bind mount the certificates needed for TLS.
bp tls-via-certmonger-containers
Change-Id: Ib9b533249be37665b77396a76133cc42fd15ee2b

2017-08-21 | Merge "Enable TLS for containerized RabbitMQ" | Jenkins | 1 | -0/+1

2017-08-18 | Merge "TLS everywhere/docker: add nova services to environment" | Jenkins | 1 | -0/+7

2017-08-18 | Enable TLS for containerized RabbitMQ | Juan Antonio Osorio Robles | 1 | -0/+1
Bind mounts and adds the appropriate permissions for the cert and key that are used for TLS.
bp tls-via-certmonger-containers
Depends-On: I62ff89362cfcc80e6e62fad09110918c36802813
Change-Id: I48325893a00690e2f5d6f1d685f903234545d5b8

2017-08-18 | Merge "Refactor setup_docker_host.sh as host_prep_tasks" | Jenkins | 1 | -5/+0

2017-08-18 | Merge "Remove iscsid from TLS everywhere docker environment" | Jenkins | 1 | -1/+0

2017-08-17 | Refactor setup_docker_host.sh as host_prep_tasks | Jiri Stransky | 1 | -5/+0
Previously what we've been doing with setup_docker_host.sh can now be achieved with host_prep_tasks, and we can free up the NodeUserData interface for other use cases.
Closes-Bug: #1711387
Change-Id: Iaac90efd03e37ceb02c312f9c15c1da7d4982510

2017-08-17 | TLS everywhere/docker: add nova services to environment | Juan Antonio Osorio Robles | 1 | -0/+7
Most nova services are working with TLS everywhere, so they can be added to the environment. The compute and libvirt services are still pending.
bp tls-via-certmonger-containers
Change-Id: I80745fff5fbd9a6ccd701c1d154b38ad41b0cc3c

2017-08-17 | Remove iscsid from TLS everywhere docker environment | Juan Antonio Osorio Robles | 1 | -1/+0
Since nova-compute is not containerized with TLS yet, using containerized iscsid causes errors when trying to spawn a VM with a volume, since the path is different in this case. I will re-add iscsid to this environment once nova-compute is containerized with TLS.
bp tls-via-certmonger-containers
Change-Id: Ida87b187e56ae852c5a4ef6f78cc04a0870fe3f4

2017-08-14 | Enable TLS for containerized MySQL | Juan Antonio Osorio Robles | 1 | -0/+1
Bind mounts and adds the appropriate permissions for the cert and key that are used for TLS.
bp tls-via-certmonger-containers
Change-Id: I7fae4083604c7dc89ca04141080a228ebfc44ac9

2017-08-14 | Enable TLS for containerized haproxy | Juan Antonio Osorio Robles | 1 | -0/+1
This bind mounts the certificates if TLS is enabled in the internal network. It also disables the CRL usage, since we can't restart haproxy at the rate that the CRL is updated. This will be addressed later and is a known limitation of using containerized haproxy (there's the same issue in the HA scenario). To address the different UID that the certs and keys will have, I added an extra step that changes the ownership of these files, though this only gets included if TLS in the internal network is enabled.
bp tls-via-certmonger-containers
Depends-On: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
Change-Id: Ic6ca88ee7b6b256ae6182e60e07498a8a793d66a

2017-08-11 | Consolidate puppet/docker deployments with one deploy steps workflow | Steven Hardy | 1 | -3/+0
If we consolidate these we can focus on one implementation (the new ansible-based one used for docker-steps).
Change-Id: Iec0ad2278d62040bf03613fc9556b199c6a80546
Depends-On: Ifa2afa915e0fee368fb2506c02de75bf5efe82d5

2017-08-08 | Docker/TLS everywhere: Add telemetry and neutron services to environment | Juan Antonio Osorio Robles | 1 | -4/+9
Some resources were missing, so this syncs up what's working right now.
bp tls-via-certmonger-containers
Change-Id: Ic8fe20d0240f1ad8f18218d66634029d522d4d5a

2017-08-01 | Update TLS-everywhere docker environment | Juan Antonio Osorio Robles | 1 | -2/+5
Some resources have changed, so the environment needed syncing.
Change-Id: I9aa310ae80edfccd3ed28e67a431aad6e1ed8a7f

2017-07-24 | Merge "Add support for nova live/cold-migration with containers" | Jenkins | 1 | -0/+1

2017-07-23 | Add support for nova live/cold-migration with containers | Oliver Walsh | 1 | -0/+1
Updates hieradata for changes in https://review.openstack.org/471950. Creates a new service - NovaMigrationTarget. On baremetal this just configures live/cold-migration. On docker it includes a container running a second sshd service on an alternative port. Configures /var/lib/nova/.ssh/config and mounts in nova-compute and libvirtd containers.
Change-Id: Ic4b810ff71085b73ccd08c66a3739f94e6c0c427
Implements: blueprint tripleo-cold-migration
Depends-On: I6c04cebd1cf066c79c5b4335011733d32ac208dc
Depends-On: I063a84a8e6da64ae3b09125cfa42e48df69adc12

2017-07-17 | Refactor iscsi initiator-name reset into separate service | Oliver Walsh | 1 | -0/+1
This currently assumes nova-compute and iscsid run in the same context, which isn't true for a containerized deployment.
Change-Id: I11232fc412adcc18087928c281ba82546388376e
Depends-On: I91f1ce7625c351745dbadd84b565d55598ea5b59
Depends-On: I0cbb1081ad00b2202c9d913e0e1759c2b95612a5

2017-07-12 | Drop ComputeServices from environments/docker.yaml | Dan Prince | 1 | -15/+0
Change-Id: Ibfc568755764203b68aed524d6f334eeb7cd5da7
Closes-bug: #1703001

2017-06-19 | Comment parameters for registry in docker tls env | Martin André | 1 | -4/+4
This commit brings the change from I3896fa2ea7caa603186f0af04f6d8382d50dd97a to docker-services-tls-everywhere.yaml, whose original commit message was: These duplicate the defaults in puppet/services/docker.yaml and break things if you include an environment file (e.g. that generated by quickstart containers-default-parameters.yaml) before the docker.yaml. Instead it's probably more helpful to include the commented lines showing how to enable use of a local docker registry.
Change-Id: Ifa95ef60bc17bd2638ebb6aebf77a819b28c9f0b
Related-Bug: #1691524

2017-06-09 | Remove duplicate docker/puppet services.yaml | Steven Hardy | 1 | -2/+0
Moving to one common services.yaml not only reduces the duplication, but it should improve performance for the docker/services.yaml case, because we were creating two ResourceChains with $many services, which we know can be really slow (especially since we seem to be missing concurrent: true on one).
Change-Id: I76f188438bfc6449b152c2861d99738e6eb3c61b

2017-05-26 | Add sshd service to containerized compute role | Oliver Walsh | 1 | -0/+1
This adds the sshd puppet service to the containerized compute role. All other roles already include this service from the default roles data; it is only missing from the compute role. As the sshd service runs on the docker host, this must remain as a traditional puppet service. NB: the sshd puppet service does not enable sshd, it just enables the management of the sshd config via t-h-t/puppet.
Closes-bug: #1693837
Change-Id: I86ff749245ac791e870528ad4b410f3c1fd812e0

2017-05-16 | docker/internal TLS: spawn extra container for neutron server's TLS proxy | Juan Antonio Osorio Robles | 1 | -0/+7
This spawns an extra container that runs httpd to run the TLS proxy that will go in front of neutron server.
bp tls-via-certmonger-containers
Change-Id: I2529d78e889835f48c51e12d28ecd7c48739b02b

2017-05-12 | docker/internal TLS: spawn extra container for glance API's TLS proxy | Juan Antonio Osorio Robles | 1 | -1/+2
This spawns an extra container that runs httpd to run the TLS proxy that will go in front of glance-api.
bp tls-via-certmonger-containers
Change-Id: If902ac732479832b9aa3e4a8d063b5be68a42a9b

2017-05-12 | docker/internal TLS: spawn extra container for swift's TLS proxy | Juan Antonio Osorio Robles | 1 | -0/+3
This spawns an extra container that runs httpd to run the TLS proxy that will go in front of swift.
bp tls-via-certmonger-containers
Depends-On: Ib01137cd0d98e6f5a3e49579c080ab18d8905b0d
Change-Id: I9639af8b46b8e865cc1fa7249bf1d8b1b978adfe

2017-05-08 | Containers: Bind mount directories with the key/certs for heat | Juan Antonio Osorio Robles | 1 | -5/+8
This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd.
bp tls-via-certmonger-containers
Change-Id: I194c33992c7f3628f7858ecf5e472ecfdee969ed

2017-04-27 | TLS-everywhere: Add missing profiles to docker compute services | Juan Antonio Osorio Robles | 1 | -0/+2
The CA and certmonger user profiles were needed in the compute services list from the tls-everywhere in containers environment.
bp tls-via-certmonger-containers
Change-Id: Ib584ac0745d68828467bcfad7f6472ab66adbac3

2017-04-19 | containers: TLS in the internal network for telemetry services | Juan Antonio Osorio Robles | 1 | -0/+8
This covers aodh, gnocchi and panko.
bp tls-via-certmonger-containers
Change-Id: I6dabb0d82755c28b8940c0baab0e23cfcc587c42

2017-04-12 | Bind mount directories that contain the key/certs for keystone | Juan Antonio Osorio Robles | 1 | -0/+28
This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd, which is the commit this is on top of. Also, an environment file was added that's similar to environments/docker.yaml. The difference is that this one will contain the services that can run containerized with TLS-everywhere. This file will be updated as more services get support for this.
bp tls-via-certmonger-containers
Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78