path: root/extraconfig
Age  Commit message  [Author; Files; Lines]

2017-06-13  Moving *postconfig where it was *postpuppet  [Carlos Camacho; files: 1; lines: -4/+4]
We need to ensure that the pacemaker cluster restarts in the end of the deployment. Due to the resources renaming we added the postconfig resource not in the end of the deployment as it was *postpuppet.
Closes-bug: 1695904
Change-Id: Ic6978fcff591635223b354831cd6cbe0802316cf

2017-05-13  Merge "Fix for the resource ControllerPostPuppetMaintenanceModeDeployment" into stable/ocata  [Jenkins; files: 3; lines: -10/+15]

2017-05-12  Merge "Merge pre|post puppet resources into pre|post config." into stable/ocata  [Jenkins; files: 1; lines: -2/+2]

2017-05-08  Fix for the resource ControllerPostPuppetMaintenanceModeDeployment  [Carlos Camacho; files: 3; lines: -10/+15]
Depends-On: If88f403c85b79bd896a24c7816486709bd67706f
Closes-Bug:1686619
Change-Id: I7c32ca39a456de9833d30c31d41fcb727d2b0a34
(cherry picked from commit 77b4bd53dae1882ae3094597e674218b7773eda9)

2017-05-08  Merge pre|post puppet resources into pre|post config.  [Jenkins; files: 1; lines: -2/+2]
The [Pre|Post]Puppet resources were renamed in https://review.openstack.org/#/c/365763. This was intended for having pre/post deployment steps using an agnostic name instead of being attached to a technology. The renaming was unintentionally reverted in https://review.openstack.org/#/c/393644/ and https://review.openstack.org/#/c/434451. This submission merges both resources into one, and removes the old pre|post hooks.
Change-Id: Ic9d97f172efd2db74255363679b60f1d2dc4e064
Closes-bug: #1669756
(cherry picked from commit 258c6ce52d0c8467f34693722a883d96345802b2)

2017-05-08  Fix up pacemaker_status test in yum_update.sh  [Michele Baldessari; files: 1; lines: -2/+2]
In change I2aae4e2fdfec526c835f8967b54e1db3757bca17 we did the following: -pacemaker_status=$(systemctl is-active pacemaker || :) +pacemaker_status="" +if hiera -c /etc/puppet/hiera.yaml service_names | grep -q pacemaker; then + pacemaker_status=$(systemctl is-active pacemaker) +fi we did that so due to LP#1668266: we did not want systemctl is-active to fail on non pacemaker nodes. The problem with the above hiera check is that it will match on pacemaker_remote nodes as well. We cannot piggyback the pacemaker_enabled hiera key because that is true on all nodes. So let's make the test check only for pacemaker service without matching pacemaker remote. Tested with: 1) Test on a controller node with pacemaker service enabled [root@overcloud-controller-0 ~]# hiera -c /etc/puppet/hiera.yaml -a service_names |grep '\bpacemaker\b' "pacemaker", [root@overcloud-controller-0 ~]# echo $? 0 2) Test on a compute node without pacemaker: [root@overcloud-novacompute-0 puppet]# hiera -c /etc/puppet/hiera.yaml service_names |grep '\bpacemaker\b' [root@overcloud-novacompute-0 puppet]# echo $? 1 3) Test on a node with pacemaker_remote in the service_names key: [root@overcloud-novacompute-0 puppet]# hiera -c /etc/puppet/hiera.yaml service_names |grep '\bpacemaker\b' [root@overcloud-novacompute-0 puppet]# echo $? 1 [root@overcloud-novacompute-0 puppet]# hiera -c /etc/puppet/hiera.yaml service_names |grep '\bpacemaker_remote\b' "pacemaker_remote"] [root@overcloud-novacompute-0 puppet]# echo $? 0 NB: cherry-pick was not 100% clean due to unrelated lines being cleaned up in master. Change-Id: I54c5756ba6dea791aef89a79bc0b538ba02ae48a Closes-Bug: #1688214 (cherry picked from commit 2244290424ffa7781fb5b64688908c218cd10ecd)
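Review bot: in the added `if`, `grep -q pacemaker` is an unanchored substring match, so the condition is also true on a node whose service_names lists only pacemaker_remote; match the whole service name instead, for example `grep -q '\bpacemaker\b'`. The replacement line `pacemaker_status=$(systemctl is-active pacemaker)` also drops the `|| :` that the removed line carried, so wherever the script runs with exit-on-error a pacemaker node whose service is not active would abort at this assignment; keeping `|| :` inside the branch avoids that.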

2017-05-04  Initial VIP ipv6 minor update code  [Michele Baldessari; files: 2; lines: -5/+74]
To test this change we deployed a stock master with ipv6 which created a bunch of ipv6 with /64 netmask:
    [root@overcloud-controller-0 ~]# pcs resource show ip-fd00.fd00.fd00.2000..18
    Resource: ip-fd00.fd00.fd00.2000..18 (class=ocf provider=heartbeat type=IPaddr2)
    Attributes: ip=fd00:fd00:fd00:2000::18 cidr_netmask=64
    Operations: start interval=0s timeout=20s (ip-fd00.fd00.fd00.2000..18-start-interval-0s)
                stop interval=0s timeout=20s (ip-fd00.fd00.fd00.2000..18-stop-interval-0s)
                monitor interval=10s timeout=20s (ip-fd00.fd00.fd00.2000..18-monitor-interval-10s)
Then we update the THT folder with this patch and upload the new scripts on the undercloud via:
    openstack overcloud deploy --update-plan-only ....
Then we kick off the minor update workflow:
    openstack overcloud update stack -i overcloud
Once the controller-0 node (bootstrap node for pacemaker) is completed we have the correct VIP configuration:
    [root@overcloud-controller-0 heat-config-script]# pcs resource show ip-fd00.fd00.fd00.2000..18
    Resource: ip-fd00.fd00.fd00.2000..18 (class=ocf provider=heartbeat type=IPaddr2)
    Attributes: ip=fd00:fd00:fd00:2000::18 cidr_netmask=128 nic=vlan20 lvs_ipv6_addrlabel=true lvs_ipv6_addrlabel_value=99
    Operations: start interval=0s timeout=20s (ip-fd00.fd00.fd00.2000..18-start-interval-0s)
                stop interval=0s timeout=20s (ip-fd00.fd00.fd00.2000..18-stop-interval-0s)
                monitor interval=10s timeout=20s (ip-fd00.fd00.fd00.2000..18-monitor-interval-10s)
Also verified that running the script a second time does not alter the (already fixed) VIPs.
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Change-Id: I765cd5c9b57134dff61f67ce726bf88af90f8090
(cherry picked from commit 4923f5c4991bd539888b4175fae20025d6ef3957)

2017-04-25  Merge "SSH known_hosts config" into stable/ocata  [Jenkins; files: 2; lines: -0/+78]

2017-04-20  SSH known_hosts config  [Oliver Walsh; files: 2; lines: -0/+78]
Fetch the host public keys from each node, combine them all and write to the system-wide ssh known hosts. The alternative of disabling host key verification is vulnerable to a MITM attack.
Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
(cherry picked from commit 7d3552a105ad5aa62cad0998c11df5ec6bd06ed6)
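
The approach this commit message describes, as an added example that is not the commit's own script: keys collected per node are validated, merged and installed as one known_hosts file, so host key verification can stay enabled. The function names, the `names<TAB>keytype key` input layout and the sample hosts and keys are constructed for illustration.

```bash
#!/bin/bash
# Added example (not the commit's script): merge host public keys collected
# from every node into known_hosts entries. Assumed input, one key per line:
#   <comma-separated names/IPs><TAB><keytype> <base64 key>

build_known_hosts() {
    # stdin: collected key lines; stdout: validated, de-duplicated entries.
    awk -F'\t' '
        NF != 2 { next }                          # not "names<TAB>key"
        $1 !~ "^[A-Za-z0-9._:,-]+$" { next }      # unexpected host field
        {
            if (split($2, k, " ") < 2) next
            if (k[1] !~ "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$") next
            if (k[2] !~ "^[A-Za-z0-9+/]+=*$") next    # key must be base64
            print $1 " " k[1] " " k[2]
        }' | sort -u
}

conflicting_names() {
    # stdin: known_hosts entries. Prints every name bound to more than one
    # key of the same type: a sign a collected key is stale or substituted.
    awk '{
        n = split($1, names, ",")
        for (i = 1; i <= n; i++) {
            id = names[i] " " $2
            if ((id in seen) && seen[id] != $3) print names[i]
            seen[id] = $3
        }
    }' | sort -u
}

install_known_hosts() {
    # $1: target file; the system-wide location is /etc/ssh/ssh_known_hosts.
    # Writes a temp file first so readers never see a half-written list, and
    # refuses to install an empty or conflicting set.
    local target="$1" tmp
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if build_known_hosts > "$tmp" && [ -s "$tmp" ] \
        && [ -z "$(conflicting_names < "$tmp")" ]; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample: two nodes, one duplicate report, one malformed key.
SAMPLE_KEYS=$(printf '%s\t%s\n' \
    'overcloud-controller-0,192.0.2.10' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedControllerKey' \
    'overcloud-controller-0,192.0.2.10' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedControllerKey' \
    'overcloud-novacompute-0,192.0.2.20' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedComputeKey' \
    'overcloud-novacompute-1,192.0.2.21' 'ssh-ed25519 not-base64!')
```

Feed the collected lines on stdin, for example `printf '%s\n' "$SAMPLE_KEYS" | install_known_hosts /tmp/ssh_known_hosts`.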

2017-04-20  N->O Manual puppet commands have the right modulepath.  [Sofer Athlan-Guyot; files: 1; lines: -1/+4]
In two places during upgrade we manually trigger puppet. There can be a problem when new puppet modules are added, and their corresponding symlinks in /etc/puppet/modules are not created during the installation as they are installed in /usr/share/openstack-puppet/modules. To prevent the issue tripleo sets modulepath in the templates. We must use the same modulepath to make sure that we don't fail because of missing module in the manual puppet run. This particularly happens when you upgrade from M->N->O, as the base image in Mitaka doesn't have the proper symlinks and they are not created during the installation of the package.
Closes-Bug: #1684587
Change-Id: I79df6ea33f1c58e13309176a6de41b7572541fd6
(cherry picked from commit 79c2d0f3d411da9e57731d9da79d25a3e0364eb2)

2017-04-20  Merge "Touch /etc/httpd/conf.d/ssl.conf" into stable/ocata  [Jenkins; files: 1; lines: -0/+4]

2017-04-19  Merge "Decouple Swift ringbuilding logic" into stable/ocata  [Jenkins; files: 2; lines: -73/+0]

2017-04-18  Touch /etc/httpd/conf.d/ssl.conf  [Lukas Bezdicka; files: 1; lines: -0/+4]
To ensure that yum update passes without issues we touch ssl.conf. Proper fix is https://review.openstack.org/#/c/456712/
Depends-On: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Closes-Bug: #1682448
Resolves: rhbz#1441977
Change-Id: I73e5272c64df4aa5900f544a5d9f0670544ca679

2017-04-12  yum_update.sh - Use the yum parameter: check-update  [Matthew Flusche; files: 1; lines: -3/+11]
The current check tends to produce a false positive causing unnecessary service restarts. yum check-update will exit with return code 100 if updated packages are available.
Change-Id: I8bd89f2b24bafc6c991382b9eb484cfa9a2f8968
(cherry picked from commit 9e4375d2762f4a26e8b0b8375f9265ad6e439ea1)
Closes-Bug: #1680634

2017-04-11  Merge "Use --disable= in subscription-manager to avoid shell expansion." into stable/ocata  [Jenkins; files: 1; lines: -1/+1]

2017-04-11  Decouple Swift ringbuilding logic  [Christian Schwede; files: 2; lines: -73/+0]
This reverts commit b323f8a16035549d84cdec4718380bde3d23d6c3 and uses the new logic in puppet-tripleo, basically doing the same.
Closes-Bug: 1665641
Depends-On: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
Change-Id: Ib5cb0578be2993af0a0b8675005d838640bdb139
(cherry picked from commit 76c1c0cbba38b2f25290f5ad80e38ddd97ae834b)

2017-04-03  Merge "Add special case upgrade from openvswitch 2.5.0-14" into stable/ocata  [Jenkins; files: 3; lines: -4/+11]

2017-04-02  Merge "Fixes multiple issues with retry function in rhel-registration." into stable/ocata  [Jenkins; files: 1; lines: -17/+31]

2017-04-02  Add special case upgrade from openvswitch 2.5.0-14  [marios; files: 3; lines: -4/+11]
In [1] we removed the previously used special case upgrade code. However we have since discovered that for openvswitch 2.5.0-14 the special case is still required with an extra flag to prevent the restart. This adds the upgrade code back into the minor update and 'manual upgrade' scripts for compute/swift. The review at If998704b3c4199bbae8a1d068c31a71763f5c8a2 is adding this logic for the ansible upgrade steps.
Related-Bug: 1669714
[1] https://review.openstack.org/#/q/59e5f9597eb37f69045e470eb457b878728477d7
Change-Id: I3e5899e2d831b89745b2f37e61ff69dbf83ff595
(cherry picked from commit 25983882c2f7a8e8f8fb83bd967a67d008a556a4)

2017-03-30  Run cluster check on nodes configured in wsrep_cluster_address.  [Yurii Prokulevych; files: 1; lines: -9/+13]
Attempt to check galera's cluster status fails when galera service is not running on the same node.
Change-Id: I27fb0841d85cd0dc86e92ac2e21eedf5f8f863ab
Closes-Bug: #1677574
(cherry picked from commit d39c952fd3150d24c9e01c15806181715d0760f8)

2017-03-28  Merge "Don't try to run os-net-config from yum_update.sh" into stable/ocata  [Jenkins; files: 1; lines: -11/+0]

2017-03-22  Merge "Cleanup no longer used upgrade files" into stable/ocata  [Jenkins; files: 13; lines: -1013/+0]

2017-03-22  Don't try to run os-net-config from yum_update.sh  [Lukas Bezdicka; files: 1; lines: -11/+0]
The UpdateDeployment already depends on NetworkDeployment. We should not run os-net-config unconditionally before update.
Closes-Bug: #1666227
Change-Id: I48cbf5de00d47c6fdad71ff24c00e9db05cec5d5
(cherry picked from commit b19d6306ea582dc31ebfd609475d9ac4e641e278)

2017-03-21  Merge "Disable exit on error for pacemaker commands for update flow" into stable/ocata  [Jenkins; files: 1; lines: -1/+4]

2017-03-20  Fixes multiple issues with retry function in rhel-registration.  [Vincent S. Cojot; files: 1; lines: -17/+31]
There were multiple issues in retry() in rhel-registration:
- There was no need for it to be recursive (local variables got overwritten)
- There was no delay between multiple attempts, leading to faster but more frequent failures.
- The max number of attempts was set too low for some environments.
With this patch, rhel-registration now works more reliably with slow-links for portal registration and does not attempt to DDoS the portal or your satellite server.
Closes-Bug: #1674358
Change-Id: I594d3c94867b45a7a58766dbcc66edead78d6a4e
(cherry picked from commit 038eae089130bc3a814897c0e282223de16f4658)
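
A retry helper with the three properties this commit message lists (a loop instead of recursion, a pause between attempts, a configurable attempt limit), as an added example rather than the code from rhel-registration. The variable names `RETRY_MAX` and `RETRY_DELAY`, the doubling of the pause and its 60-second ceiling are assumptions of this sketch.

```bash
#!/bin/bash
# Added example, not the project's retry(): bounded retries with a pause.
RETRY_MAX=${RETRY_MAX:-10}       # assumed name: maximum number of attempts
RETRY_DELAY=${RETRY_DELAY:-5}    # assumed name: seconds before the 2nd attempt

retry() {
    # Usage: retry command [args...]
    # A plain loop keeps all state in this one call frame, so nothing is
    # overwritten by a nested invocation. Arguments are forwarded as "$@",
    # so each one reaches the command exactly as the caller quoted it
    # (a literal '*' is not glob-expanded on a later attempt).
    local attempt=1 delay="$RETRY_DELAY" rc=0
    while :; do
        "$@" && return 0
        rc=$?
        if [ "$attempt" -ge "$RETRY_MAX" ]; then
            # Log only the command name: the arguments of a registration
            # command can include credentials.
            echo "retry: giving up on '$1' after $attempt attempts (rc=$rc)" >&2
            return "$rc"
        fi
        echo "retry: '$1' failed (rc=$rc), attempt $attempt of $RETRY_MAX; sleeping ${delay}s" >&2
        sleep "$delay"
        attempt=$((attempt + 1))
        # Back off so a slow or failing endpoint is not hit in a tight loop.
        delay=$((delay * 2))
        if [ "$delay" -gt 60 ]; then
            delay=60
        fi
    done
}
```

The function returns the exit status of the last failed attempt, so a caller running under `set -e` still stops when every attempt fails.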

2017-03-16  Cleanup no longer used upgrade files  [marios; files: 13; lines: -1013/+0]
Removes some of the no longer used scripts and templates used by the upgrades workflow in previous versions.
Closes-Bug: 1673447
Change-Id: I7831d20eae6ab9668a919b451301fe669e2b1346
(cherry picked from commit 521a8973229484d52c03e9ed04782c5dc493c1b0)

2017-03-03  Remove the openvswitch special case upgrade code  [marios; files: 2; lines: -9/+9]
Removed from the tripleo_upgrade_node.sh (major upgrade) & yum_update.sh (minor update). The workaround is no longer needed and in fact has the opposite effect killing connectivity to the node. The 'normal' yum update on nodes delivers the latest openvswitch 2.6.1 with no drama. Also adds a 'complete' message, some extra debug echo for logs and removes the python-zaqarclient install no longer needed
Closes-Bug: 1669714
Change-Id: Icd1517bcade36781fa0da21d045ffd9ec68efc38
(cherry picked from commit 9025a3bc23834e31efc5021acaef80b8d0f5de73)

2017-03-01  Disable exit on error for pacemaker commands for update flow  [Saravanan KR; files: 1; lines: -1/+4]
Package update fails on compute node, when yum_update checks for pacemaker status via systemctl command. Because exit on error (-e) option has been enabled recently, this issue is happening. Fixing by executing the command only on nodes where pacemaker is enabled.
Closes-Bug: #1668266
Change-Id: I2aae4e2fdfec526c835f8967b54e1db3757bca17
(cherry picked from commit e9a2fdc0afd2a3f1242f397c5f164cf6b43c2669)
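
The failure this commit message describes, combined with the whole-word match from the 2017-05-08 yum_update.sh fix listed above, as an added example that is not the project's script: under `set -e` the state query runs only where `service_names` contains the exact name `pacemaker`. The function names, the injectable state command and the sample hiera output are constructed; `\b` relies on GNU grep.

```bash
#!/bin/bash
# Added example (not yum_update.sh itself): query pacemaker state only on
# nodes whose service_names contains the exact name "pacemaker".
set -e

# Constructed samples of `hiera -c /etc/puppet/hiera.yaml service_names`.
CONTROLLER_NODE='["ntp", "pacemaker", "haproxy"]'
COMPUTE_NODE='["ntp", "nova_compute"]'
REMOTE_NODE='["nova_compute", "pacemaker_remote"]'

# Substring match: also true for pacemaker_remote.
matches_loose() { grep -q pacemaker; }
# Whole-word match: "_" is a word character, so pacemaker_remote is no hit.
matches_exact() { grep -q '\bpacemaker\b'; }

pacemaker_status() {
    # $1: service_names text; remaining args: the state query, which is
    # `systemctl is-active pacemaker` on a real node (injectable here).
    local names="$1" status=""
    shift
    if printf '%s\n' "$names" | matches_exact; then
        # is-active exits non-zero for a stopped unit; "|| :" keeps that
        # from aborting a script that runs under set -e.
        status=$("$@" || :)
    fi
    printf '%s\n' "$status"
}

# Stand-in for systemctl on a node where the unit is stopped (constructed).
fake_is_active() { echo inactive; return 3; }

printf 'controller=[%s] compute=[%s] remote=[%s]\n' \
    "$(pacemaker_status "$CONTROLLER_NODE" fake_is_active)" \
    "$(pacemaker_status "$COMPUTE_NODE" fake_is_active)" \
    "$(pacemaker_status "$REMOTE_NODE" fake_is_active)"
```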

2017-03-01  Use --disable= in subscription-manager to avoid shell expansion.  [Vincent S. Cojot; files: 1; lines: -1/+1]
In extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration, there's a line that says:
    retry subscription-manager repos --disable '*'
I believe this is broken and will result in shell expansion being made. The proper line should be:
    retry subscription-manager repos --disable='*'
This regression came from commit 2b06ed8adce2bcc18480b71c0f20a0ec2d21de19. (Also see https://review.openstack.org/#/c/381233 )
This patch fixes the regression while preserving functionality of the above change.
Closes-Bug: 1667316
Change-Id: I54f0db3f1f596f6356f7445cdc61737f20f14318
Signed-off-by: Vincent S. Cojot <vincent@cojot.name>
(cherry picked from commit 87569bd5711eaf79c1a3f0a4449daef860626daa)

2017-02-28  Adds http proxy support for registering RHEL overcloud nodes  [Vincent S. Cojot; files: 3; lines: -0/+100]
It is quite common in large enterprises that direct HTTP/HTTPS to the outside world is denied from nodes/systems but reaching out through a proxy is allowed. This change adds support for an HTTP proxy when RHEL overcloud nodes reach out to either the RHSM portal or to a satellite server. This allows the overcloud nodes to download updates even in locked-down environments.
The following variables are settable through templates:
    rhel_reg_http_proxy_host:
    rhel_reg_http_proxy_port:
    rhel_reg_http_proxy_username:
    rhel_reg_http_proxy_password:
Note the following restrictions:
- If setting rhel_reg_http_proxy_host, then rhel_reg_http_proxy_port cannot be empty.
- If setting rhel_reg_http_proxy_port, then rhel_reg_http_proxy_host cannot be empty.
- If setting rhel_reg_http_proxy_username, then rhel_reg_http_proxy_password cannot be empty.
- If setting rhel_reg_http_proxy_password, then rhel_reg_http_proxy_username cannot be empty.
- If setting either rhel_reg_http_proxy_username or rhel_reg_http_proxy_password, then rhel_reg_http_proxy_host AND rhel_reg_http_proxy_port cannot be empty
Closes-Bug: #1668618
Change-Id: I003ad5449bd99c01376781ec0ce9074eca3e2704
(cherry picked from commit 3002edc90a631f3adb8ae0ee696062347f94ea52)

2017-02-24  Add checks in ansible upgrade tasks for CephMon and CephOSD  [Giulio Fidente; files: 1; lines: -4/+0]
Adds two checks, one for the CephMon and one for the CephOSD upgrade tasks borrowed from ceph-ansible.
Change-Id: I0a0e60d277240130c6bd76a74ccc13354b87a30a
Co-Authored-By: Sebastien Han <seb@redhat.com>
(cherry picked from commit a3df16776dd5d7eb0a60ca4c58cef9913eb1c5cb)

2017-02-17  Merge "Apply puppet in non-controller script in step." into stable/ocata  [Jenkins; files: 2; lines: -3/+35]

2017-02-17  Merge "Automatically backup and restore Swift rings from the undercloud" into stable/ocata  [Jenkins; files: 2; lines: -0/+73]

2017-02-17  Add explicit swift check to tripleo_upgrade_node.sh  [marios; files: 1; lines: -4/+11]
And change the conditional to use hiera instead.
Change-Id: Icf91dd91c0ab04e7919172fcfd130183bfd427b4
(cherry picked from commit d8e75b220efec3b17a76bed6898327784fb4e6cc)

2017-02-17  Apply puppet in non-controller script in step.  [Sofer Athlan-Guyot; files: 2; lines: -3/+35]
We want to apply a puppet manifest for the non-controller role, but we need to apply it in stages. By loading the proper hieradata we get the needed step configuration.
Change-Id: I07bfeee7b7d9a9b8c2c20e5d5c9ed735d0bfc842
Closes-Bug: #1664304
(cherry picked from commit 237cd2004a2c0869d60d0e11e9dccd59e809ff90)

2017-02-17  Automatically backup and restore Swift rings from the undercloud  [Christian Schwede; files: 2; lines: -0/+73]
Swift rings created or updated on the overcloud nodes will now be stored on the undercloud at the end of the deployment. An additional consistency check is executed before storing them, ensuring all rings within the cluster are identical. These rings will be retrieved (before Puppet runs) by every node when an UPDATE is executed, and by doing this will be in a consistent state across the cluster. This makes it possible to add, remove or replace nodes in an existing cluster without manual operator interaction.
Closes-Bug: 1609421
Depends-On: Ic3da38cffdd993c768bdb137c17d625dff1aa372
Change-Id: I758179182265da5160c06bb95f4c6258dc0edcd6
(cherry picked from commit b323f8a16035549d84cdec4718380bde3d23d6c3)

2017-02-12  Merge "Dump and run puppet for role which are disable_upgrade_deployment true"  [Jenkins; files: 1; lines: -0/+3]

2017-02-10  Dump and run puppet for role which are disable_upgrade_deployment true  [Mathieu Bultel; files: 1; lines: -0/+3]
We want to run puppet on each role which has the flag disable_upgrade_deployment to true. It will run after the upgrade of the role and before running the whole converge step.
Change-Id: Ia85be688d070dfb5b8337e8ef3c4bc439fb6052e

2017-02-10  Remove legacy major upgrade scripts for Ceph and BlockStorage  [Giulio Fidente; files: 4; lines: -246/+1]
We do not need the upgrade scripts used to migrate Ceph from hammer to jewel. This submission removes that and the legacy upgrade scripts used for the BlockStorage role.
Change-Id: I2674216dd9b5b849de6a2624ee1115420a254182

2017-02-10  Delivers upgrade scripts where upgrade steps are disabled  [marios; files: 4; lines: -173/+51]
This delivers a /root/tripleo_upgrade_node.sh to those nodes that have the disable_upgrade_deployment flag set to true. They will later be upgraded manually by the operator who will invoke the script delivered here using upgrade-non-controller.sh
We can also deliver any service specific upgrade configuration, such as configuring nova-compute to use the placement API as this is required in order for placement to be configured and installed during the subsequent upgrade steps for controller services.
This removes the compute and swift specific upgrade scripts as they are now merged into the common tripleo_upgrade_node.sh - removing any hard coded reference to a particular role name (compute/objectstorage) and only relying on the disable_upgrade_deployment in roles_data.yaml
Change-Id: I4531a4038b78087ef4a1a62c35f1328822427817
Co-Authored-By: Mathieu Bultel <mbultel@redhat.com>

2017-02-02  Merge "Don't run yum_update.sh inside docker"  [Jenkins; files: 1; lines: -0/+5]

2017-01-25  Merge "Add metadata settings for needed kerberos principals"  [Jenkins; files: 1; lines: -0/+84]

2017-01-25  Merge "Ignore systemctl return code in yum_update.sh"  [Jenkins; files: 1; lines: -1/+1]

2017-01-25  Add metadata settings for needed kerberos principals  [Juan Antonio Osorio Robles; files: 1; lines: -0/+84]
These are only used for TLS-everywhere, and fill up the kerberos principals that will need to be created for the certs used by the overcloud. With this, the metadata hook will format these principals correctly and will further pass them on to the nova metadata service, where they can be used if there's a plugin enabled.
bp tls-via-certmonger
bp novajoin
Change-Id: I873094bb69200052febda629fda698a7a782c031

2017-01-19  Merge "Remove redundant CLI arguments for neutron-db-manage"  [Jenkins; files: 1; lines: -1/+1]

2017-01-19  Ignore systemctl return code in yum_update.sh  [Lukas Bezdicka; files: 1; lines: -1/+1]
We only need to know if pacemaker service is in active state.
Change-Id: Id5e16f2bbbe51b8a0c250eb5d35e89e61a7b3383
Resolves: rhbz#1414779
Closes-Bug: #1656980

2017-01-18  Merge "Bump missing template names to ocata"  [Jenkins; files: 2; lines: -2/+2]

2017-01-18  Merge "Remove Glance Registry service"  [Jenkins; files: 2; lines: -2/+1]

2017-01-17  Bump missing template names to ocata  [Carlos Camacho; files: 2; lines: -2/+2]
Update pending templates to use the release name alias.
Change-Id: I39f9be212d3e9f3bec6f45d9757eca7a3b0ccc06

2017-01-16  Remove Glance Registry service  [Emilien Macchi; files: 2; lines: -2/+1]
Glance registry is not required for the v2 of the API and there are plans to deprecate it in the glance community. Let's remove v1 support since it has been deprecated for a while in Glance.
Depends-On: I77db1e1789fba0fb8ac014d6d1f8f5a8ae98ae84
Co-Authored: Flavio Percoco <flaper87@gmail.com>
Change-Id: I0cd722e8c5a43fd19336e23a7fada71c257a8e2d