aboutsummaryrefslogtreecommitdiffstats
path: root/puppet/services/database
AgeCommit message (Collapse)AuthorFilesLines
2017-03-17Bind redis-sentinel to its networkMichele Baldessari1-0/+1
We currently do not bind redis-sentinel to any IP: redis 21144 0.0 0.0 142908 5908 ? Ssl 07:43 0:11 /usr/bin/redis-sentinel *:26379 [sentinel] Let's bind it to the same network as redis. Change-Id: I8a782ae1db84eb614aa3995a1638a2f370e70d06 Partial-Bug: #1673715
2017-02-28mysqlclient: Use actual parameter in puppet to set bind-addressJuan Antonio Osorio Robles1-1/+1
It was using a hiera key, and fetching that from a hiera call in the puppet manfiest. But we can remove that if we set it via hiera from t-h-t. Change-Id: I5af5ccb88e644f4dd25503d8e7a93796695d3039
2017-02-28Configure SSL connection for MySQL client via client config fileJuan Antonio Osorio Robles1-0/+4
This uses the mysql client configuration file to configure if SSL should be used for the connection if SSL in the internal network is enabled. Change-Id: Ifd1a06e0749a05a65f6314255843f572d2209067
2017-02-17Make the DB URIs host-independent for all servicesMichele Baldessari1-0/+30
When fixing LP#1643487 we added ?bind_address to all DB URIs. Since this clashes with Cellsv2 due to the URIs becoming host dependent, we need a new approach to pass bind_address to pymysql that leaves the DB URIs host-independent. In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a /etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct bind-address option. In this change we make sure that the DB URIs will point to the added file and to the specific section containing the necessary bind-address option. We do introduce a new MySQLClient profile which will hold all this more client-specific configuration so that this change can fit better in the composable roles work. Also, in the future it might contain the necessary configuration for SSL for example. Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist (because it is created via the mysqlclient profile), things keep on working as usual and the bind-address option simply won't be set, which has no impact on hosts where there are no VIPs. Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12 Related-Bug: #1643487 Closes-Bug: #1663181 Closes-Bug: #1664524 Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
2017-02-14Add nova service support for composable upgradesSteven Hardy1-3/+18
Co-Authored-By: Mathieu Bultel <mbultel@redhat.com> Co-Authored-By: Oliver Walsh <owalsh@redhat.com> Change-Id: Iafad800a6819d7e75fdaab60d328999d3d3c037f Partially-Implements: blueprint overcloud-upgrades-per-service Related-Bug: #1662344
2017-01-25Add telemetry service support for composable upgradesSteven Hardy1-0/+7
Change-Id: I62735676b45a881a7dac24171b26d88d6eb60d4a Partially-Implements: blueprint overcloud-upgrades-per-service
2017-01-25Add metadata settings for needed kerberos principalsJuan Antonio Osorio Robles2-0/+6
These are only used for TLS-everywhere, and fills up the kerberos principals that will need to be created for the certs used by the overcloud. With this, the metadata hook will format these principals correctly and will further pass them on to the nova metadata service. Where they can be used if there's a plugin enabled. bp tls-via-certmonger bp novajoin Change-Id: I873094bb69200052febda629fda698a7a782c031
2017-01-13Adds a step0 for pre upgrade-init checksmarios1-0/+3
Adds a step0 for any pre-upgrade checks. This migrates some of the checks we have at the top of extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh Checks for other services (and for the cluster) will follow in separate commits. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I607f1fed68d7f11773484c3d7cb3e5af67465d57
2017-01-04Merge "DB connection: prevent src address from binding to a VIP"Jenkins1-0/+2
2017-01-03DB connection: prevent src address from binding to a VIPDamien Ciabrini1-0/+2
When a service connects to the database VIP from the node hosting this VIP, the resulting TCP socket has a src address which is by default bound to the VIP as well. If the VIP is failed over to another node while the socket's Send-Q is not empty, TCP keepalive won't engage and the service will become unavailable for a very long time (by default more than 10m). To prevent failover issues, DB connections should have the src address of their TCP socket bound to the IP of the network interface used for MySQL traffic. This is achieved by passing a new option to the database connection URIs. This option is available starting from PyMySQL 0.7.9-2. We use a new intermediate variable in hiera to hold the IP to be used as a source address for all DB connections. All services adapt their database URI accordingly. Moreover, a new YAML validation check is added to guarantee that new services will construct their database URI appropriately. Change-Id: Ic69de63acbfb992314ea30a3a9b17c0b5341c035 Closes-Bug: #1643487
2016-12-23Bump template version for all templates to "ocata"Steven Hardy6-6/+6
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old. Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-02Merge "Use network-based fqdn entry from hiera instead of the custom fact"Jenkins1-1/+1
2016-12-01Initial support for composable upgrades with Heat+AnsibleSteven Hardy1-0/+8
This shows how we could wire in the upgrade steps using Ansible as was previously proposed e.g in https://review.openstack.org/#/c/321416/ but it's more closely integrated with the new composable services architecture. It's also very similar to the approach taken by SpinalStack where ansible snippets per-service were combined then run in a series of steps using Ansible tags. This patch just enables upgrade of keystone - we'll add support for other patches in subsequent patches. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
2016-12-01Use network-based fqdn entry from hiera instead of the custom factJuan Antonio Osorio Robles1-1/+1
This changes how we get the network-based FQDNs for the specific services, from using the custom fact, to the new hiera entries. Change-Id: Iae668a5d89fb7bee091db4a761aa6c91d369b276
2016-11-30Hiera optimization: use a new hiera hookDan Prince2-3/+3
This patch optimizes how we deploy hiera by using a new heat hook specifically designed to help compose hiera within heat templates. As part of this change: - we update all the 'hiera' software configurations to set the group to hiera instead of os-apply-config. - The new format uses JSON instead of YAML. The hook actually writes out the hiera JSON directly so no conversion takes place. Arrays, Strings, Booleans all stay in their native formats. As such we can avoid having to do many of the awkward string and list conversions in t-h-t to support the previous YAML formatting. - The new hook prefers JSON over YAML so upgrading users will have the new files prefered. (we will post a cleanup routine for the old files soon but this isn't a new behavior, JSON is now simply prefered.) - A lot of services required edits to account for default settings that worked in YAML that no longer work correctly in the native JSON format. In almost all these cases I think the resulting codes looks cleaner and is more explicit with regards to what is getting configured in hiera on the actual nodes. Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b Closes-bug: #1596373 Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
2016-11-25Enable TLS in the internal networkf or MysqlJuan Antonio Osorio Robles2-39/+92
This adds the necessary hieradata for enabling TLS for MySQL (which happens to run on the internal network). It also adds a template so this can be done via certmonger. As with other services, this will fill the necessary specs for the certificate to be requested in a hash that will be consumed in puppet-tripleo. Note that this only enables that we can now use TLS, however, we still need to configure the services (or limit the users the services use) to only connect via SSL. But that will be done in another patch, as there is some things that need to land before we can do this (changes in puppetlabs-mysql and puppet-openstacklib). Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118 Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
2016-09-26Bind MySQL address to hostname appropriate to its networkJuan Antonio Osorio Robles1-0/+6
This now takes into use the mysql_bind_host key, to set an appropriate fqdn for mysql to bind to. Closes-Bug: #1627060 Change-Id: I50f4082ea968d93b240b6b5541d84f27afd6e2a3 Depends-On: I316acfd514aac63b84890e20283c4ca611ccde8b
2016-09-17Add fluentd client serviceLars Kellogg-Stedman1-0/+12
This implements support for installing fluentd agents as a composable service on the overcloud. Depends-On: I2e1abe4d8c8359e56ff626255ee50c9cacca1940 Implements: tripleo-opstools-centralized-logging Change-Id: I23b0e23881b742158fcfb6b8c145a3211d45086e
2016-08-26Move Redis, Memcached, Sahara, OVS agent out of role templatesGiulio Fidente1-0/+6
Change-Id: I99784b5cfbb741bfc6d1ce9b77e8acf6cf00e073 Related-Bug: 1604414
2016-08-25Mv keystone, mongo, manila out of controller.yamlDan Prince1-0/+7
This patch moves keystone, mongodb, and manila bind host settings out of controller.yaml and into composable services. Change-Id: I1874dc47fffa30606107999da702442badde35c9
2016-08-24Move Keepalived/HAproxy settings out of controllerDan Prince1-1/+0
This moves the config settings out of controller.yaml for Keepalived and HAproxy. NOTE: the tripleo::haproxy::redis_password wasn't getting set correctly before this patch. Looks like a breakages that occurred when puppet-tripleo dropped the loadbalancer class. Related-Bug: #1604414 Change-Id: Id24b02ac73f4ae33b20194da8a5f99f17403ece9
2016-08-23Move MySQL settings out of puppet/controller.yamlDan Prince1-1/+33
This moves the config settings out of controller.yaml for MySQL and into puppet/services/database/mysql.yaml. The top leve MysqlRootPassword is still maintained by default in overcloud.yaml so that users who upgrade won't get broken. New users may optionally specify the MysqlRootPassword as a parameter instead which will take priority over the top level generated parameter. We drop the top level MysqlClusterUniquePart because it is no longer used (I think it was a remnant from t-i-e). Related-Bug: #1604414 Change-Id: I06ebac0f4c87dabfccefb2e550a64650868c5b26
2016-08-18Add DefaultPasswords to composable servicesDan Prince5-0/+17
This patch adds a new DefaultPasswords parameter to composable services. This is needed to help provide access to top level password resources that overcloud.yaml currently manages (passwords for Rabbit, Mysql, etc.). Moving the RandomString resources into composable services would cause them to regenerate within the stack. With this approach we can leave them where they are while we deprecate the top level mechanism and move the code that uses the passwords into the composable services. Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18Pass ServiceNetMap to servicesGiulio Fidente5-0/+46
This will be needed to pick the network where the service has to bind to from within the service template. Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-07-29Merge "Convert service_name to underscore syntax"Jenkins2-2/+2
2016-07-28Convert service_name to underscore syntaxSteven Hardy2-2/+2
Currently we use hyphens, e.g cinder-api, but in overcloud.yaml we have a lot of references to services (e.g for AllNodesConfig) by underscore, e.g cinder_api. To enable dynamic generation of this data, we need the service name in underscore format. Change-Id: Ief13dfe5d8d7691dfe2534ad5c39d7eacbcb6f70
2016-07-27Migrate Puppet Hieradata to composable servicesEmilien Macchi3-6/+17
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml except for some services that are not composable yet. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
2016-07-25Composable firewall rulesDan Prince3-1/+22
Split out the firewall rules in puppet/hieradata/controller.yaml into the composable services Depends-On: Id370362ab57347b75b1ab25afda877885b047263 Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
2016-07-22Add 'service_name' to composable servicesDan Prince5-0/+5
This patch adds a new service_name section to each composable service. We now have an explicit unit test check to ensure that service_name exists in tools/yaml-validate.py. This patch also wires service_names into hieradata on each of the roles so that tools can access the deployed services locally during deployment and upgrades. Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
2016-07-14Move MySQL Galera within composable servicesEmilien Macchi1-0/+20
This patch just moves the Puppet code into puppet-tripleo. A future iteration will be to move parameters within the service template. Closes-Bug: #1601853 Depends-On: I7ddae28a6affd55c5bffc15d72226a18c708850e Change-Id: I51a05dbf53f516b200c146b35529ce563ce9ac7b
2016-06-12Composable roles within services - MongoDBCarlos Camacho2-0/+58
Add MongoDB as a composable service. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Idaa3275def3bcdb302a66fc1c88531ff718bcf67 Depends-On: Idb1e78ebec7682fe68ca5902a22cfb6030498091
2016-06-02Composable roles within services - RedisPradeep Kilambi2-0/+46
Co-Authored-By: Carlos Camacho <ccamacho@redhat.com> Change-Id: I0d9332f7f4f9116c5435d338a9c35d4fb3f512c6 Implements: blueprint composable-services-within-roles Depends-On: I60493a3aa64e5136b763e8e2084d728f5f812f8a