Age | Commit message (Collapse) | Author | Files | Lines |
|
This adds a new config/deployment per role that will come after any
post deploy steps. It drives the same ansible config as the
upgrade_tasks but instead collects the post_upgrade_tasks for any
service in the given role.
The workflow is upgrade_tasks, then post deploy steps (either
puppet/ or docker/ depending on the env) and then the
post_upgrade_tasks added here.
This is added to the pacemaker/cinder-volume.yaml service for now
see the bug below for more info
Change-Id: Iced34fecf02ebddc91df9302de54d2f4c2cab680
Closes-Bug: 1706951
(cherry picked from commit 2e182bffeeb099cb5e0b1747086fb0e0f57b7b5d)
|
|
Redis does not have TLS out of the box. Let's use a proxy container for
TLS termination.
bp tls-via-certmonger
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ie2ae0d048a71e1b1b4edb10c74bc0395a1a9d5c9
Depends-On: I078567c831ade540cf704f81564e2b7654c85c0b
Depends-On: Ia50933da9e59268b17f56db34d01dcc6b6c38147
(cherry picked from commit c2a93cf4c5d9d6b5ee0536380751a7a9540927cc)
|
|
when running manila-share under control of pacemaker, as
is done for cinder-volume service in the same circumstance.
Change-Id: Ic97f01913bae2a388c962a38fa175eb1d763cdcb
Depends-On: Ie31f2d5ccf458f5fcfe8bec5f2c37f45070cfde2
Closes-Bug: #1712842
(cherry picked from commit 8fa6c6e58c7ac0d32bf2f0dfb586683cf006e3bf)
|
|
We got to ensure that the cinder-manage db sync is run on only one
controller.
Change-Id: I88a6aa4c49d893b95a26795fbfcf163a780fd0bc
Closes-Bug: #1709315
|
|
Makes it possible to resolve network subnets within a service
template; the data is transported into a new property ServiceData
wired into every service which hopefully is generic enough to
be extended in the future and transport more data.
Data can be consumed in service templates to set config values
which need to know what is the subnet where a deamon operates (for
example the Ceph Public vs Cluster network).
Change-Id: I28e21c46f1ef609517175f7e7ee19e28d1c0cba2
|
|
This will add the node's FQDN to the mysql certificate request
besides the VIP's FQDN which we already use. This is needed for
adding TLS to the replication traffic. The CA file was also added
as hieradata, since the path will be needed for the TLS
configuration.
bp tls-via-certmonger
Change-Id: I9252303b92a2805ba83f86a85770db2551a014d3
|
|
This patch adds the templates required to enable the OVN DB servers
to be started in master/slave mode in the pacemaker cluster.
For the OVN DBs base profile, ::tripleo::haproxy expects the parameter
'ovn_dbs_manage_lb' set to true in order for it to configure OVN DBs
for load balancing (please see this commit [1]). So this patch sets
'ovn_dbs_manage_lb' to true.
[1] - I9dc366002ef5919339961e5deebbf8aa815c73db
Co-authored-by: Babu Shanmugam (babu.shanmugam@gmail.com)
Depends-on: I94d3960e6c5406e3af309cc8c787ac0a6c9b1756
Change-Id: I60c55abfc523973aa926d8a12ec77f198d885916
Closes-bug: #1670564
|
|
Add upgrade tasks for cinder-volume when it's controlled by pacemaker:
o Stop the service before the entire pacemaker cluster is stopped.
This ensures the service is stopped before infrastructure services
(e.g. rabbitmq) go away.
o Migrate the cinder DB prior to restarting the service. This covers
the situation when puppet-cinder (who otherwise would handle the db
sync) isn't managing the service.
o Start the service after the rest of the pacemaker cluster has been
started.
Closes-Bug: #1691851
Change-Id: I5874ab862964fadb68320d5c4de39b20f53dc25c
|
|
Master is now the development branch for pike
changing the release alias name.
Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
|
|
When a service is enabled on multiple roles, the parameters for the
service will be global. This change enables an option to provide
role specific parameter to services and other templates.
Two new parameters - RoleName and RoleParameters, are added to the
service template. RoleName provides the role name of on which the
current instance of the service is being applied on. RoleParameters
provides the list of parameters which are configured specific to the
role in the environment file, like below:
parameters_default:
# Default value for applied to all roles
NovaReservedHostMemory: 2048
ComputeDpdkParameters:
# Applied only to ComputeDpdk role
NovaReservedHostMemory: 4096
In above sample, the cluster contains 2 roles - Compute, ComputeDpdk.
The values of ComputeDpdkParameters will be passed on to the templates
as RoleParameters while creating the stack for ComputeDpdk role. The
parameter which supports role specific configuration, should find the
parameter first in in the RoleParameters list, if not found, then the
default (for all roles) should be used.
Implements: blueprint tripleo-derive-parameters
Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
|
|
Via https://github.com/arioch/puppet-redis/pull/192 puppet-redis grew
ulimit support also for pacemaker managed redis instances. To be able to
use that we need to set redis::managed_by_cluster_manager to true.
We also allow redis::ulimit to be configurable and we set a default of
10420 which was the default value before the above change.
Change-Id: I06129870665d7d3bfa09057fd9f0a33a99f98397
Depends-On: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d
Closes-Bug: #1688464
|
|
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the
rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a
nice performance boost with rabbitmq, it makes rabbit less resilient to
network glitches as we painfully found out via
https://bugzilla.redhat.com/show_bug.cgi?id=1441635.
This is the THT part of the change that changes the default to
ha-mode: all.
Closes-Bug: #1686337
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
Change-Id: I7afcf2b3c8deb13fc2134e4cae9c06a44e775384
Depends-On: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
|
|
As with other services, this passes the necessary hieradata to enable
TLS for RabbitMQ. This will mean (once we set it via puppet-tripleo)
that there will only be TLS connections, as the ssl_only option is being
used.
bp tls-via-certmonger
Change-Id: I960bf747cd5e3040f99b28e2fc5873ca3a7472b5
Depends-On: Ic2a7f877745a0a490ddc9315123bd1180b03c514
|
|
In ocata we changed the rabbitmq ha policy to "ha-exactly" via the
following changes:
- tht: Iace6daf27a76cb8ef1050ada0de7ff1f530916c6
- puppet-tripleo: Ib62001c03e1e08f58cf0c6e0ba07a8879a584084
We took care of the upgrade path via I3a97505d2ae1ae27f3080ffe74c33fdabffd2420
With the move to the ansible-based composable upgrades we left this change out.
And now an upgraded environment has the following policy:
- Upgraded environment
Attributes: set_policy="ha-all ^(?!amq\.).* {"ha-mode":"all"}"
- New environment
Attributes: set_policy="ha-all ^(?!amq\.).* {"ha-mode":"exactly","ha-params":2}"
We need to add this pcs resource change to the our upgrade scripts.
Change-Id: I3c4113c207e9d0c45be43df7c2379ac26cb60692
Closes-Bug: #1668600
|
|
This change adds a profile to deploy the Ceph RBD mirroring daemon
as a Pacemaker resource.
Change-Id: Ib07e5bca6a45f0c6c59a3acf07f4e3ae9d2f8948
Depends-On: Ic63dc5cffece38942d305f538f71dd58a5d50789
Closes-Bug: #1652177
|
|
These are only used for TLS-everywhere, and fills up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service.
Where they can be used if there's a plugin enabled.
bp tls-via-certmonger
bp novajoin
Change-Id: I873094bb69200052febda629fda698a7a782c031
|
|
Adds a step0 for any pre-upgrade checks. This migrates
some of the checks we have at the top of
extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh
Checks for other services (and for the cluster) will follow
in separate commits.
Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I607f1fed68d7f11773484c3d7cb3e5af67465d57
|
|
With change I80c8559bb2d915385bcc20ae71fe144ddd6591c1 we removed
all the unused puppet-tripleo pacemaker profiles. With this change
we remove the corresponding puppet profiles from tripleo-heat-templates.
We can also remove any trace of the fake ::Core service as it was
introduced via Iacd94294b8a66bc082bb2b3e8d3364ec1bf053b8
for the fake openstack-core pacemaker resource during the Mitaka cycle
and became unused in Newton.
Change-Id: I48cd2b6a4593d673d5883b45feae088392e7e713
|
|
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.
This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
|
|
This changes how we get the network-based FQDNs for the specific
services, from using the custom fact, to the new hiera entries.
Change-Id: Iae668a5d89fb7bee091db4a761aa6c91d369b276
|
|
This patch optimizes how we deploy hiera by using a new
heat hook specifically designed to help compose hiera
within heat templates. As part of this change:
- we update all the 'hiera' software configurations to set the group to hiera
instead of os-apply-config.
- The new format uses JSON instead of YAML. The hook actually writes
out the hiera JSON directly so no conversion takes place. Arrays,
Strings, Booleans all stay in their native formats. As such we can avoid
having to do many of the awkward string and list conversions in t-h-t to
support the previous YAML formatting.
- The new hook prefers JSON over YAML so upgrading users will have the
new files prefered. (we will post a cleanup routine for the old files
soon but this isn't a new behavior, JSON is now simply prefered.)
- A lot of services required edits to account for default settings that
worked in YAML that no longer work correctly in the native JSON
format. In almost all these cases I think the resulting codes looks
cleaner and is more explicit with regards to what is getting
configured in hiera on the actual nodes.
Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b
Closes-bug: #1596373
Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
|
|
Currently this is disabled via a conditional in the keepalived
profile in puppet-tripleo, but this will be incompatible with
the planned composable upgrades implementation. Instead we should
disable the service template by mapping to OS::Heat::None, and
ensure the haproxy manifest uses the t-h-t generated hiera value
keepalived_enabled instead of hard-coding a hiera override in the
haproxy template.
Change-Id: I85a8b1cca7268506de22adfb3a8ce7faa4f157ef
Partial-Bug: #1642936
Depends-On: I90faf51881bd05920067c1e1d82baf5d7586af23
|
|
This patch updates the pacemaker composable service templates for
mongo and redis to extend the proper base (redis.yaml and mongo.yaml)
templates instead of the -base.yaml versions. This was causing
some missing hiera settings for these services which caused symptoms
like missing firewall rules for these services.
Change-Id: I3f94acbf4d1baadbb151b1c4d34b4a0ab28ad5e5
Partial-bug: #1629934
|
|
We do not want cinder-volume to be managed by Pacemaker on
BlockStorage nodes, where Pacemaker is not running at all.
This change adds a new BlockStorageCinderVolume service name
which can (and is, by default) mapped to the non Pacemaker
implementation of the service.
The error was:
Could not find dependency Exec[wait-for-settle] for
Pacemaker::Resource::Systemd[openstack-cinder-volume]
Also moves cinder::host setting into the Pacemaker specific service
definition because we only want to set a shared host= string when
the service is managed by Pacemaker.
Closes-Bug: #1628912
Change-Id: I2f7e82db4fdfd5f161e44d65d17893c3e19a89c9
|
|
This used to used mysql_bind_ip, but this parameter is quite misleading
since what it actually configures is not the bind-ip itself, but the
gmcast.listen_addr parameter. This fixes that confusion.
Depends-On: Iea4bd67074824e5dc6732fd7e408743e693d80b3
Change-Id: I2b114600e622491ccff08a07946926734b50ac70
|
|
This now takes into use the mysql_bind_host key, to set an
appropriate fqdn for mysql to bind to.
Closes-Bug: #1627060
Change-Id: I50f4082ea968d93b240b6b5541d84f27afd6e2a3
Depends-On: I316acfd514aac63b84890e20283c4ca611ccde8b
|
|
This implements support for installing fluentd agents as a composable
service on the overcloud.
Depends-On: I2e1abe4d8c8359e56ff626255ee50c9cacca1940
Implements: tripleo-opstools-centralized-logging
Change-Id: I23b0e23881b742158fcfb6b8c145a3211d45086e
|
|
If these names don't match then we cannot set the service's nodes,
VIP and network.
Change-Id: I8f1c0eaf62eee2704a5f2556a553032106db606b
Closes-Bug: #1621368
|
|
- adds possibility to install sensu-client on all nodes
- each composable service has it's own subscription
Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Michele Baldessari <michele@redhat.com>
Implements: blueprint tripleo-opstools-availability-monitoring
Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
|
|
Change-Id: I5018e4cdb1e5df7c2d67a8c1248d7453941b725f
|
|
Change-Id: Id2227bedee098e0f18704a3dc82fb0be311ff4d2
|
|
|
|
This moves the config settings out of controller.yaml for MySQL
and into puppet/services/database/mysql.yaml.
The top leve MysqlRootPassword is still maintained by default
in overcloud.yaml so that users who upgrade won't get
broken. New users may optionally specify the MysqlRootPassword
as a parameter instead which will take priority over the top
level generated parameter.
We drop the top level MysqlClusterUniquePart because it is no
longer used (I think it was a remnant from t-i-e).
Related-Bug: #1604414
Change-Id: I06ebac0f4c87dabfccefb2e550a64650868c5b26
|
|
Marian Krcmari noticed that on a freshly deployed HA Newton system
gnocchi-metricd and gnocchi-statsd are down. This likely came about when
gnocchi moved to composable roles
(I40a3815923099d00a0f3fc1d88a942784e7c6fb9) and those settings made
sense when it was managed by pacemaker.
Also make sure that all services are disabled when managed via
pacemaker and add manage_service: false for gnocchi-api for pacemaker
which was missing.
Change-Id: If7d681e0fa3e84379ac83c8a55b481369fe2849e
|
|
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).
Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.
Change-Id: I4f21603c58a169a093962594e860933306879e3f
|
|
This will be needed to pick the network where the service has
to bind to from within the service template.
Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
|
|
Tempest tests for cinder contain backup tests that fail
unless cinder-backup service is started. This patch facilitates
the service start upon the overcloud deployment.
Original patch converted to composable role.
Co-Authored-By: Giulio Fidente <gfidente@redhat.com>
Depends-On: Ib1dfe52b83ab01819fc669312967950e75d8ddf1
Change-Id: I9ca97b3f1c26aac6d81b3525377e1f5fb962313f
|
|
https://review.openstack.org/#/c/318840/ decomposed the Sahara services
but they weren't added to the ControllerServices list, thus are now disabled.
Since we shipped mitaka with sahara enabled by default, we should probably add
them so the behavior is consistent when folks upgrade.
This also fixes a couple of issues we missed when landing the initial service
templates (partly because CI didn't test them).
In order for each service to operate independently when used with Pacemaker,
the roles needed to be separated. This commit also does this.
Depends-On: Id61eb15b1e2366f5b73c6e7d47941651e40651b1
Change-Id: I0846b328e9d938275e373d58f0b99219b19b326c
Closes-Bug: #1592284
Co-Authored-By: Brad P. Crochet <brad@redhat.com>
|
|
This is the THT part that brings us the next generation architecture
as described in the following spec:
https://review.openstack.org/#/c/299628/
Blueprint:
https://blueprints.launchpad.net/tripleo/+spec/ha-lightweight-architecture
So far we tested deployment + tripleo.sh --overcloud-pingtest and
failover + tripleo.sh --overcloud-pingtest
Note that many of the Pacemaker template files become redundant with
this change, but to simplify the process of getting this change landed,
those templates will not be removed until a future commit.
Depends-On: I5e7585c08675d8a4bd071523b94210d325d79b59
Change-Id: I00bccb2563c006f80baed623b64f1e17af20dd4e
Implements: blueprint ha-lightweight-architecture
Co-Author: cmsj@tenshu.net
|
|
Allows the installation and configuration of Manila.
Supports the generic driver only. This has a dependency on the
puppet-tripleo classes for manila where the puppet specific
config now lives.
The review at https://review.openstack.org/#/c/315658/ has been
merge into this one, as of v68, so manila lands as a composable
service. This was brought up on the mailing list at [1]
[1] http://lists.openstack.org/pipermail/openstack-dev/2016-May/096126.html
Co-Authored-By: Marios Andreou <marios@redhat.com>
Implements: blueprint composable-services-within-roles
Depends-On: I444916d60a67bf730bf4089323dba1c1429e2e71
Depends-On: I9eda4b3364e5c59342761a1ec71b0eb567c69cf1
Depends-On: I571b65a5402c1028418476a573ebeb9450ed00c9
Change-Id: I7acebac4354fca1f8d7ff6c343c1346bf29b81c6
|
|
|
|
Currently we use hyphens, e.g cinder-api, but in overcloud.yaml
we have a lot of references to services (e.g for AllNodesConfig)
by underscore, e.g cinder_api. To enable dynamic generation of
this data, we need the service name in underscore format.
Change-Id: Ief13dfe5d8d7691dfe2534ad5c39d7eacbcb6f70
|
|
|
|
Change-Id: Iacd94294b8a66bc082bb2b3e8d3364ec1bf053b8
Depends-On: I16a786ce167c57848551c7245f4344c382c55b3d
|
|
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml
except for some services that are not composable yet.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
|
|
|
|
|
|
This patch adds a new service_name section to each composable
service. We now have an explicit unit test check to ensure that
service_name exists in tools/yaml-validate.py.
This patch also wires service_names into hieradata on each
of the roles so that tools can access the deployed services locally
during deployment and upgrades.
Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
|
|
puppet-neutron takes this variable as boolean. Although it doesn't
change the behavior in master (because the variable is used directly as
config), in mitaka it is used as a conditional and should be properly
fixed.
Also a fix is needed in python-tripleoclient because it is hard coded to
be True there based on number of controllers being greater than 1.
Therefore we shoudl remove that logic from tripleoclient and implement
it in THT. In order to do that the pacemaker version of the variable is
defaulted to true.
Partial-Bug: 1605379
Change-Id: I0b797dbe188382e2dc32506913aaa60a0a21bd68
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
Deploy Horizon with composable apache service and don't include:
::tripleo::profile::pacemaker::apache
Because it's already included in the profiles in puppet-tripleo.
Change-Id: I5382d5cc95ba10805019142a9a223dbd4a4b8074
Depends-On: Id28c618133e53e28dfac7e3e9cf9f5f5a6b2421a
|