aboutsummaryrefslogtreecommitdiffstats
path: root/puppet/services/neutron-api.yaml
AgeCommit message (Collapse)AuthorFilesLines
2017-04-07Use conditionals for neutron and glance worker defaultsBrent Eagles1-9/+14
Using an empty string to signal that the default value in the puppet module is to be used no longer seems to work, resulting in the puppet specified defaults being overridden by empty string values. The impact on configuration will differ depending on the actual configuration item, the puppet code and the service, so it is just safer to omit the hieradata if the user has not explicitly set a value. Change-Id: Iefbc8f8669680e4f9d01db6b49543bfbe9b7661b Closes-Bug: #1669452
2017-03-28Allow to configure policy.json for OpenStack projectsEmilien Macchi1-0/+7
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-23Add missing metadata_settings from neutron-api profileJuan Antonio Osorio Robles1-4/+5
This is needed for the TLS everywhere work. This will break on TLS-everywhere setups where neutron would be deployed in its own role. So we need to add the metadata_settings. bp tls-via-certmonger Change-Id: I7934a258e032d8eaa6f07c0e48b3fbdb1f8c6a06
2017-03-13neutron: switch auth_uri to uri_no_suffixEmilien Macchi1-2/+4
Switch Neutron to use auth_uri with keystone versionless endpoint, also for notifications with Nova. Change-Id: I530e3dcdfe6961e14755a63767c1fb5c0e1cfa22 Partial-implement: blueprint keystone-v3
2017-03-01upgrades/validation: only run validation when services existEmilien Macchi1-0/+7
During upgrades, validation test if a service is running before the upgrade process starts. In some cases, servies doesn't exist yet so we don't want to run the validation. This patch makes sure we check if the service is actually present on the system before validating it's running correctly. Also it makes sure that services are enabled before trying to stop them. It allows use-cases where we want to add new services during an upgrade. Also install new packages of services added in Ocata, so we can validate upgrades on scenarios jobs. Change-Id: Ib48fb6b1557be43956557cbde4cbe26b53a50bd8
2017-02-28Put service stop at step1 and quiesce at step2.Sofer Athlan-Guyot1-1/+1
In the previous release[1], the services were stopped before the pacemaker services, so that they get a chance to send last message to the database/rabbitmq queue: Let's do the upgrade in the same order. [1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71 Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
2017-02-17Make the DB URIs host-independent for all servicesMichele Baldessari1-2/+1
When fixing LP#1643487 we added ?bind_address to all DB URIs. Since this clashes with Cellsv2 due to the URIs becoming host dependent, we need a new approach to pass bind_address to pymysql that leaves the DB URIs host-independent. In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a /etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct bind-address option. In this change we make sure that the DB URIs will point to the added file and to the specific section containing the necessary bind-address option. We do introduce a new MySQLClient profile which will hold all this more client-specific configuration so that this change can fit better in the composable roles work. Also, in the future it might contain the necessary configuration for SSL for example. Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist (because it is created via the mysqlclient profile), things keep on working as usual and the bind-address option simply won't be set, which has no impact on hosts where there are no VIPs. Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12 Related-Bug: #1643487 Closes-Bug: #1663181 Closes-Bug: #1664524 Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
2017-02-16Merge "Remove unused nova_url from neutron config"Jenkins1-2/+0
2017-02-14Use Keystone internal endpoint instead of admin for servicesJuan Antonio Osorio Robles1-1/+1
The admin endpoint is listening on the ctlplane network by default; services should ideally be using the internal api network for this kind of traffic, as the ctlplane network is mostly for provisioning. On the other hand, the admin endpoint shouldn't be as relevant with services switching to keystone v3. Change-Id: I1213a83ef8693c1cca1d20de974f7949a801d9f1
2017-02-13Remove the ansible neutron-api db sync as for other servicesmarios1-3/+0
In line with other service we leave the db sync to puppet unless needed for some workaround/upgrade related reason. Change-Id: I9ae463cda19ffdd66f9ccbae40e85551841ab938
2017-01-27Pass parameters for TLS proxy in front of neutron serverJuan Antonio Osorio Robles1-1/+32
If TLS in the internal network is enabled, we run neutron-server behind a TLS proxy (which is actually httpd's mod_proxy). This passes the necessary hieradata. bp tls-via-certmonger Depends-On: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e Change-Id: I9252512dbf9cf2e3eec50c41bf10629d36070bbd
2017-01-27Adds a pre-upgrade check that service is running (step0)marios1-0/+3
Adds a step0 for most services to check that the state is running before continuing with any of the other upgrades steps (these are tagged step0). You can skip this service check by overriding the SkipUpgradeConfigTags parameter as follows: parameter_defaults: SkipUpgradeConfigTags: validation Co-Authored-By: Steven Hardy <shardy@redhat.com> Change-Id: Ie276f153015f671b720b6ed5beaac1b921661909
2017-01-20Remove unused nova_url from neutron configBrent Eagles1-2/+0
The was deprecated in the neutron puppet module in newton and is now being removed. Neutron hasn't been using it for some time. Change-Id: I8cfb88bc042fbf140ed16c2005962e3e12390897 Depends-On: I9ceba371a62615faebc5e853eefd3db3bd821480
2017-01-19Don't start all services during upgrade stepsSteven Hardy1-4/+0
Currently we start all OpenStack services in step6, but puppet already does this, and sometimes services require configuration to account for the new version after the yum update before they will start. So instead of reimplementing that configuration management in ansible, just defer starting the services until puppet has run which will happen right after the ansible upgrade steps complete. Note there are some DB sync operations etc that we may also be able to remove and let puppet do those steps, but I've left those in for now, as we know there are some actions during that phase e.g nova cells setup, which aren't yet handled by puppet. Change-Id: Idc8e253167a4bc74b086830cfabf28d4aab97d28
2017-01-13Add neutron service support for composable upgradesSteven Hardy1-0/+11
Change-Id: I9c6116ddb4475b798876635cbb701214759fa33b Partially-Implements: blueprint overcloud-upgrades-per-service
2017-01-04Merge "DB connection: prevent src address from binding to a VIP"Jenkins1-0/+2
2017-01-03DB connection: prevent src address from binding to a VIPDamien Ciabrini1-0/+2
When a service connects to the database VIP from the node hosting this VIP, the resulting TCP socket has a src address which is by default bound to the VIP as well. If the VIP is failed over to another node while the socket's Send-Q is not empty, TCP keepalive won't engage and the service will become unavailable for a very long time (by default more than 10m). To prevent failover issues, DB connections should have the src address of their TCP socket bound to the IP of the network interface used for MySQL traffic. This is achieved by passing a new option to the database connection URIs. This option is available starting from PyMySQL 0.7.9-2. We use a new intermediate variable in hiera to hold the IP to be used as a source address for all DB connections. All services adapt their database URI accordingly. Moreover, a new YAML validation check is added to guarantee that new services will construct their database URI appropriately. Change-Id: Ic69de63acbfb992314ea30a3a9b17c0b5341c035 Closes-Bug: #1643487
2016-12-23Bump template version for all templates to "ocata"Steven Hardy1-1/+1
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old. Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-11-17Remove conditional for neutron l3_haSteven Hardy1-28/+10
This is handled in puppet-tripleo instead so we can remove the hard-coded reference to ControllerCount and instead use the hiera neutron_api_node_names to derive the number of neutron API nodes regardless of roles. Note that the NeutronL3HA parameter is maintained despite being marked deprecated because we need to backport this bugfix so we can't just remove it. I'm not sure if we want to consider removing the deprecation as leaving the override parameter in place seems fairly low overhead. Closes-Bug: #1629187 Change-Id: I7a77836dcaf809cc7959fca7691a4cd7d4af5d6a Depends-On: I01c50973eec8138ec61304f2982d5026142f267c
2016-10-17Enable proxy headers parsing for NeutronJuan Antonio Osorio Robles1-0/+1
http_proxy_to_wsgi middleware was recently added to Neutron [1] and in order to take it into use, we need to enable it via hiera. [1] Ice9ee8f4e04050271d59858f92034c230325718b Depends-On: I99bc9486fdd85857ce73c413e17400320bd6ec5b Related-Bug: #1590608 Change-Id: I10c065e726f2708e09acfc04dac3cae34a534d23
2016-10-06Enable firewalling by default on compute nodesEmilien Macchi1-5/+0
- Move VXLAN and VRRP rules from Neutron Server to the right services. - Enable Firewall by default on Compute nodes. Change-Id: I99d172dcedaf6be297aad184cc51fe9f292a57e1
2016-10-06Re-enable ManageFirewall by default.Dan Prince1-2/+2
This default setting got lots in the composable roles/services patches. Re-enable the ManageFirewall setting by default per what we did in git commit 73c76b867ddc8a23a30b9a3cac4031189d4178c6. We also fix a typo in neutron-api.yaml so that the firewall rules matches to service_name. (otherwise it won't get loaded). Also, drops the environments/manage-firewall.yaml which is no longer needed if we enable firewall management by default. Change-Id: Ie198e4efd190131d0722085b10ef77da9005bc1b Closes-bug: 1629934
2016-09-28Move db::mysql into service_config_settingsDan Prince1-7/+8
This patch movs the various db::mysql hiera settings into a 'mysql' specific service_config_settings section for each service so that these will only get applied on the MySQL service node. This follows a similar puppet-tripleo change where we create the actual databases for all services locally on the MySQL service node to avoid permission issues. Change-Id: Ic0692b1f7aa8409699630ef3924c4be98ca6ffb2 Closes-bug: #1620595 Depends-On: I05cc0afa9373429a3197c194c3e8f784ae96de5f Depends-On: I5e1ef2dc6de6f67d7c509e299855baec371f614d
2016-09-28Merge "Deprecate the NeutronL3HA parameter"Jenkins1-7/+23
2016-09-23Move keystone::auth into service_config_settingsDan Prince1-6/+8
This patch moves the keystone::auth settings for all services into the new service_config_settings section. This is important because we execute the keystone commands via puppet only on the role containing the keystone service and without these settings it will fail. Note that yaql merging/filtering is used here to ensure that service_config_settings is optional in service templates, and also that we'll only deploy hieradata for a given service on a node running the service (the key in the service_config_settings map must match the service_name in the service template for this to work). e.g the following will result in only deploying keystone: 123 in hiera on the role running the "keystone" service, regardless of which service template defines it. service_config_settings: keystone: keystone: 123 Co-Authored-By: Steven Hardy <shardy@redhat.com> Change-Id: I0c2fce037a1a38772f998d582a816b4b703f8265 Closes-bug: 1620829
2016-09-22Deprecate the NeutronL3HA parameterBrent Eagles1-7/+23
NeutronL3HA used to be enabled by the tripleoclient if the controller count > 1. This functionality has been moved into the relevant heat template, making the parameter less valuable for general use. If necessary, deployers can override the automatic behavior through extra config. Change-Id: Id5bb5070b9627fd545357acc9ef51bdc69d10551 Related-Bug: #1623155
2016-09-19Enable L3 HA when multiple controllers and no DVRBrent Eagles1-3/+25
This patch conditionally enables Neutron L3 HA if there are multiple controllers but DVR has not been enabled. If the conditions are false, the value of NeutronL3HA is used. Change-Id: If1ebeaf417c0da99d833450e394b71cabff2c800 Closes-Bug: #1623155
2016-09-17Add fluentd client serviceLars Kellogg-Stedman1-0/+8
This implements support for installing fluentd agents as a composable service on the overcloud. Depends-On: I2e1abe4d8c8359e56ff626255ee50c9cacca1940 Implements: tripleo-opstools-centralized-logging Change-Id: I23b0e23881b742158fcfb6b8c145a3211d45086e
2016-09-07Fix service config files having wrong map_merge formatSaravanan KR1-1/+1
map_merge in heat templates should start with hypen for each map group, few templates are missing the hypen for the second map group, which is added in this patch Closes-Bug: #1621008 Change-Id: I307fdd7afc374cce46d6e378594f1b688b9fd4f6
2016-09-06Merge "Change NeutronWorkers default to result in previous behavior"Jenkins1-3/+11
2016-09-02Merge "Availability monitoring agents support"Jenkins1-0/+4
2016-09-01Change NeutronWorkers default to result in previous behaviorBrent Eagles1-3/+11
Neutron's behavior changed in Newton with respect to the default value of 0 for NeutronWorkers. Instead of effectively treating it as "processorcount", it now assumes we mean what we say and doesn't spawn any workers, resulting in only a single process for handling API requests. This change alters the default value to regain the previous behavior. This change also extends the worker count to the RPC worker setting - which was possibly an oversight in previous releases. The default behavior will have no result for most systems. Closes-Bug: 1619383 Change-Id: Id6e3ee544160372c806905e77348150a1a1eec1b
2016-08-31Last round of modern authtoken updateEmilien Macchi1-4/+4
It updates Glance, Neutron and Swift to deploy authtoken with modern pattern. Change-Id: Icfaf011ea4a23bc47d2fb45e8768f8238532dab3
2016-08-31Availability monitoring agents supportMartin Mágr1-0/+4
- adds possibility to install sensu-client on all nodes - each composable service has it's own subscription Co-Authored-By: Emilien Macchi <emilien@redhat.com> Co-Authored-By: Michele Baldessari <michele@redhat.com> Implements: blueprint tripleo-opstools-availability-monitoring Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
2016-08-30Mv Nova, Neutron, Horizon out of controller.yamlDan Prince1-0/+6
This patch moves the settings for Nova, Neutron, and Horizon out of controller.yaml. Also fixes the NovaPassword settings in nova-base.yaml so they don't use get_input. Also, creates a new apache.yaml base service to contain shared apache settings for several services which use Apache for WSGI. Co-Authored-By: Giulio Fidente <gfidente@redhat.com> Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e Related-bug: #1604414
2016-08-18Add DefaultPasswords to composable servicesDan Prince1-0/+4
This patch adds a new DefaultPasswords parameter to composable services. This is needed to help provide access to top level password resources that overcloud.yaml currently manages (passwords for Rabbit, Mysql, etc.). Moving the RandomString resources into composable services would cause them to regenerate within the stack. With this approach we can leave them where they are while we deprecate the top level mechanism and move the code that uses the passwords into the composable services. Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18Pass ServiceNetMap to servicesGiulio Fidente1-0/+9
This will be needed to pick the network where the service has to bind to from within the service template. Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-08-12Rename NeutronServer to NeutronApi to align with ServiceNetMapSteven Hardy1-0/+102
The new composable service name conflicts with the existing ServiceNetMap naming, so align with NeutronApi since ServiceNetMap exists in current released versions. This is required so we can correctly generate the neutron_api_node_ips list (needed by puppet-tripleo) based on the service_name. Change-Id: Ic1d45cbaa77bc6ac9ca247c880a9845ca49905da Partially-Implements: blueprint custom-roles