Age | Commit message (Collapse) | Author | Files | Lines |
|
Using an empty string to signal that the default value in the puppet module
is to be used no longer seems to work, resulting in the puppet specified
defaults being overridden by empty string values. The impact on
configuration will differ depending on the actual configuration item, the
puppet code and the service, so it is just safer to omit the hieradata if
the user has not explicitly set a value.
Change-Id: Iefbc8f8669680e4f9d01db6b49543bfbe9b7661b
Closes-Bug: #1669452
|
|
For both containers and classic deployments, allow to configure
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).
Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.
Note: use it with extreme caution.
Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
|
|
This is needed for the TLS everywhere work. This will break on
TLS-everywhere setups where neutron would be deployed in its own role.
So we need to add the metadata_settings.
bp tls-via-certmonger
Change-Id: I7934a258e032d8eaa6f07c0e48b3fbdb1f8c6a06
|
|
Switch Neutron to use auth_uri with keystone versionless endpoint, also
for notifications with Nova.
Change-Id: I530e3dcdfe6961e14755a63767c1fb5c0e1cfa22
Partial-implement: blueprint keystone-v3
|
|
During upgrades, validation test if a service is running before the
upgrade process starts.
In some cases, servies doesn't exist yet so we don't want to run the
validation.
This patch makes sure we check if the service is actually present on the
system before validating it's running correctly.
Also it makes sure that services are enabled before trying to stop them.
It allows use-cases where we want to add new services during an upgrade.
Also install new packages of services added in Ocata, so we can validate
upgrades on scenarios jobs.
Change-Id: Ib48fb6b1557be43956557cbde4cbe26b53a50bd8
|
|
In the previous release[1], the services were stopped before the
pacemaker services, so that they get a chance to send last message to
the database/rabbitmq queue:
Let's do the upgrade in the same order.
[1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71
Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
|
|
When fixing LP#1643487 we added ?bind_address to all DB URIs.
Since this clashes with Cellsv2 due to the URIs becoming host
dependent, we need a new approach to pass bind_address to pymysql
that leaves the DB URIs host-independent.
In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a
/etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct
bind-address option.
In this change we make sure that the DB URIs will point to the added
file and to the specific section containing the necessary bind-address
option. We do introduce a new MySQLClient profile which will hold all
this more client-specific configuration so that this change can fit
better in the composable roles work. Also, in the future it might
contain the necessary configuration for SSL for example.
Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist
(because it is created via the mysqlclient profile), things keep on
working as usual and the bind-address option simply won't be set, which
has no impact on hosts where there are no VIPs.
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12
Related-Bug: #1643487
Closes-Bug: #1663181
Closes-Bug: #1664524
Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
|
|
|
|
The admin endpoint is listening on the ctlplane network by default;
services should ideally be using the internal api network for this kind
of traffic, as the ctlplane network is mostly for provisioning. On the
other hand, the admin endpoint shouldn't be as relevant with services
switching to keystone v3.
Change-Id: I1213a83ef8693c1cca1d20de974f7949a801d9f1
|
|
In line with other service we leave the db sync to puppet unless
needed for some workaround/upgrade related reason.
Change-Id: I9ae463cda19ffdd66f9ccbae40e85551841ab938
|
|
If TLS in the internal network is enabled, we run neutron-server
behind a TLS proxy (which is actually httpd's mod_proxy). This passes
the necessary hieradata.
bp tls-via-certmonger
Depends-On: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
Change-Id: I9252512dbf9cf2e3eec50c41bf10629d36070bbd
|
|
Adds a step0 for most services to check that the state is running
before continuing with any of the other upgrades steps (these are
tagged step0).
You can skip this service check by overriding the
SkipUpgradeConfigTags parameter as follows:
parameter_defaults:
SkipUpgradeConfigTags: validation
Co-Authored-By: Steven Hardy <shardy@redhat.com>
Change-Id: Ie276f153015f671b720b6ed5beaac1b921661909
|
|
The was deprecated in the neutron puppet module in newton and is now
being removed. Neutron hasn't been using it for some time.
Change-Id: I8cfb88bc042fbf140ed16c2005962e3e12390897
Depends-On: I9ceba371a62615faebc5e853eefd3db3bd821480
|
|
Currently we start all OpenStack services in step6, but puppet
already does this, and sometimes services require configuration
to account for the new version after the yum update before they
will start.
So instead of reimplementing that configuration management in
ansible, just defer starting the services until puppet has run
which will happen right after the ansible upgrade steps complete.
Note there are some DB sync operations etc that we may also be able
to remove and let puppet do those steps, but I've left those in
for now, as we know there are some actions during that phase
e.g nova cells setup, which aren't yet handled by puppet.
Change-Id: Idc8e253167a4bc74b086830cfabf28d4aab97d28
|
|
Change-Id: I9c6116ddb4475b798876635cbb701214759fa33b
Partially-Implements: blueprint overcloud-upgrades-per-service
|
|
|
|
When a service connects to the database VIP from the node hosting this
VIP, the resulting TCP socket has a src address which is by default
bound to the VIP as well. If the VIP is failed over to another node
while the socket's Send-Q is not empty, TCP keepalive won't engage and
the service will become unavailable for a very long time (by default
more than 10m).
To prevent failover issues, DB connections should have the src address
of their TCP socket bound to the IP of the network interface used for
MySQL traffic. This is achieved by passing a new option to the
database connection URIs. This option is available starting from
PyMySQL 0.7.9-2.
We use a new intermediate variable in hiera to hold the IP to be used
as a source address for all DB connections. All services adapt their
database URI accordingly.
Moreover, a new YAML validation check is added to guarantee that new
services will construct their database URI appropriately.
Change-Id: Ic69de63acbfb992314ea30a3a9b17c0b5341c035
Closes-Bug: #1643487
|
|
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.
This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
|
|
This is handled in puppet-tripleo instead so we can remove the
hard-coded reference to ControllerCount and instead use the
hiera neutron_api_node_names to derive the number of neutron API
nodes regardless of roles.
Note that the NeutronL3HA parameter is maintained despite being
marked deprecated because we need to backport this bugfix so we
can't just remove it. I'm not sure if we want to consider removing
the deprecation as leaving the override parameter in place seems
fairly low overhead.
Closes-Bug: #1629187
Change-Id: I7a77836dcaf809cc7959fca7691a4cd7d4af5d6a
Depends-On: I01c50973eec8138ec61304f2982d5026142f267c
|
|
http_proxy_to_wsgi middleware was recently added to Neutron [1] and
in order to take it into use, we need to enable it via hiera.
[1] Ice9ee8f4e04050271d59858f92034c230325718b
Depends-On: I99bc9486fdd85857ce73c413e17400320bd6ec5b
Related-Bug: #1590608
Change-Id: I10c065e726f2708e09acfc04dac3cae34a534d23
|
|
- Move VXLAN and VRRP rules from Neutron Server to the right services.
- Enable Firewall by default on Compute nodes.
Change-Id: I99d172dcedaf6be297aad184cc51fe9f292a57e1
|
|
This default setting got lots in the composable roles/services patches.
Re-enable the ManageFirewall setting by default per what we did in
git commit 73c76b867ddc8a23a30b9a3cac4031189d4178c6.
We also fix a typo in neutron-api.yaml so that the firewall rules
matches to service_name. (otherwise it won't get loaded).
Also, drops the environments/manage-firewall.yaml which is
no longer needed if we enable firewall management by default.
Change-Id: Ie198e4efd190131d0722085b10ef77da9005bc1b
Closes-bug: 1629934
|
|
This patch movs the various db::mysql hiera settings into a
'mysql' specific service_config_settings section for each
service so that these will only get applied on the MySQL service
node. This follows a similar puppet-tripleo change where we
create the actual databases for all services locally on
the MySQL service node to avoid permission issues.
Change-Id: Ic0692b1f7aa8409699630ef3924c4be98ca6ffb2
Closes-bug: #1620595
Depends-On: I05cc0afa9373429a3197c194c3e8f784ae96de5f
Depends-On: I5e1ef2dc6de6f67d7c509e299855baec371f614d
|
|
|
|
This patch moves the keystone::auth settings for all
services into the new service_config_settings section. This
is important because we execute the keystone commands via
puppet only on the role containing the keystone service
and without these settings it will fail.
Note that yaql merging/filtering is used here to ensure that
service_config_settings is optional in service templates,
and also that we'll only deploy hieradata for a given
service on a node running the service (the key in
the service_config_settings map must match the service_name
in the service template for this to work).
e.g the following will result in only deploying keystone: 123
in hiera on the role running the "keystone" service,
regardless of which service template defines it.
service_config_settings:
keystone:
keystone: 123
Co-Authored-By: Steven Hardy <shardy@redhat.com>
Change-Id: I0c2fce037a1a38772f998d582a816b4b703f8265
Closes-bug: 1620829
|
|
NeutronL3HA used to be enabled by the tripleoclient if the controller
count > 1. This functionality has been moved into the relevant heat
template, making the parameter less valuable for general use. If
necessary, deployers can override the automatic behavior through extra
config.
Change-Id: Id5bb5070b9627fd545357acc9ef51bdc69d10551
Related-Bug: #1623155
|
|
This patch conditionally enables Neutron L3 HA if there are multiple
controllers but DVR has not been enabled. If the conditions are false,
the value of NeutronL3HA is used.
Change-Id: If1ebeaf417c0da99d833450e394b71cabff2c800
Closes-Bug: #1623155
|
|
This implements support for installing fluentd agents as a composable
service on the overcloud.
Depends-On: I2e1abe4d8c8359e56ff626255ee50c9cacca1940
Implements: tripleo-opstools-centralized-logging
Change-Id: I23b0e23881b742158fcfb6b8c145a3211d45086e
|
|
map_merge in heat templates should start with hypen for
each map group, few templates are missing the hypen for the
second map group, which is added in this patch
Closes-Bug: #1621008
Change-Id: I307fdd7afc374cce46d6e378594f1b688b9fd4f6
|
|
|
|
|
|
Neutron's behavior changed in Newton with respect to the default value
of 0 for NeutronWorkers. Instead of effectively treating it as
"processorcount", it now assumes we mean what we say and doesn't spawn
any workers, resulting in only a single process for handling API
requests. This change alters the default value to regain the previous
behavior.
This change also extends the worker count to the RPC worker setting -
which was possibly an oversight in previous releases. The default
behavior will have no result for most systems.
Closes-Bug: 1619383
Change-Id: Id6e3ee544160372c806905e77348150a1a1eec1b
|
|
It updates Glance, Neutron and Swift to deploy authtoken with modern
pattern.
Change-Id: Icfaf011ea4a23bc47d2fb45e8768f8238532dab3
|
|
- adds possibility to install sensu-client on all nodes
- each composable service has it's own subscription
Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Michele Baldessari <michele@redhat.com>
Implements: blueprint tripleo-opstools-availability-monitoring
Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
|
|
This patch moves the settings for Nova, Neutron, and Horizon
out of controller.yaml.
Also fixes the NovaPassword settings in nova-base.yaml
so they don't use get_input.
Also, creates a new apache.yaml base service to contain shared
apache settings for several services which use Apache for WSGI.
Co-Authored-By: Giulio Fidente <gfidente@redhat.com>
Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e
Related-bug: #1604414
|
|
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).
Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.
Change-Id: I4f21603c58a169a093962594e860933306879e3f
|
|
This will be needed to pick the network where the service has
to bind to from within the service template.
Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
|
|
The new composable service name conflicts with the existing ServiceNetMap
naming, so align with NeutronApi since ServiceNetMap exists in current
released versions.
This is required so we can correctly generate the neutron_api_node_ips
list (needed by puppet-tripleo) based on the service_name.
Change-Id: Ic1d45cbaa77bc6ac9ca247c880a9845ca49905da
Partially-Implements: blueprint custom-roles
|