Age | Commit message (Collapse) | Author | Files | Lines |
|
This shows how we could wire in the upgrade steps using Ansible
as was previously proposed e.g in https://review.openstack.org/#/c/321416/
but it's more closely integrated with the new composable services
architecture.
It's also very similar to the approach taken by SpinalStack where
ansible snippets per-service were combined then run in a series of
steps using Ansible tags.
This patch just enables upgrade of keystone - we'll add support for
other patches in subsequent patches.
Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
|
|
|
|
|
|
This patch optimizes how we deploy hiera by using a new
heat hook specifically designed to help compose hiera
within heat templates. As part of this change:
- we update all the 'hiera' software configurations to set the group to hiera
instead of os-apply-config.
- The new format uses JSON instead of YAML. The hook actually writes
out the hiera JSON directly so no conversion takes place. Arrays,
Strings, Booleans all stay in their native formats. As such we can avoid
having to do many of the awkward string and list conversions in t-h-t to
support the previous YAML formatting.
- The new hook prefers JSON over YAML so upgrading users will have the
new files prefered. (we will post a cleanup routine for the old files
soon but this isn't a new behavior, JSON is now simply prefered.)
- A lot of services required edits to account for default settings that
worked in YAML that no longer work correctly in the native JSON
format. In almost all these cases I think the resulting codes looks
cleaner and is more explicit with regards to what is getting
configured in hiera on the actual nodes.
Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b
Closes-bug: #1596373
Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
|
|
|
|
The parameter type is invalid making it impossible to enable monitoring-environment.
Change-Id: I835d1e82480edb0b6d082a7496d7ceebb1781728
Closes-Bug: #1641080
Closes-Bug: rhbz#1392473
|
|
|
|
|
|
This patch drops use of the vip-hosts.yaml service which can
cause issues during deployment because puppet 'hosts' resources
overwrite the data in /etc/hosts. The only reason things seem to work
at all at the moment is because our hosts element in t-i-e runs
on each os-refresh-config iteration and re-adds the dropped hosts
entries.
To work around the issue we add a conditional which selectively
adds the extra hosts entries only if the AddVipsToEtcHosts is set
to true.
Closes-bug: 1645123
Change-Id: Ic6aaeb249a127df83894f32a704219683a6382b2
|
|
We removed Step 6 in Iae33149e4a03cd64c5831e689be8189ad0cf034b
but forgot to update the README. Similarly we made all roles
use the same steps in Ia2ea559e8eeb64763908f75705e3728ee90b5744
so the comment is no longer true.
Change-Id: If5482ebd22a2547ed2165199992840a0dcacb04c
|
|
This adds the necessary hieradata for enabling TLS for MySQL (which
happens to run on the internal network). It also adds a template so
this can be done via certmonger. As with other services, this will
fill the necessary specs for the certificate to be requested in a
hash that will be consumed in puppet-tripleo.
Note that this only enables that we can now use TLS, however, we still
need to configure the services (or limit the users the services use)
to only connect via SSL. But that will be done in another patch, as
there is some things that need to land before we can do this (changes
in puppetlabs-mysql and puppet-openstacklib).
Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118
Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If barbican is set, it will configure cinder and nova-compute with
the necessary parameters to enable encrypted volumes to be created if
requested.
Change-Id: Id13811cf8e090706c590ffff46c237ff8131efd9
|
|
Ceilometer notifications can be sent in a background thread, unblocking
the Swift proxy in case the RabbitMQ is not processing notifications
quick enough or even unavailable.
There is a default queue size of 1000 notifications. If more messages
are added to the queue these will be discarded, and a warning log entry
will be emitted.
Change-Id: I98022dcbf661a5bb7425f49ba8525225d61212dc
|
|
Currently this is disabled via a conditional in the keepalived
profile in puppet-tripleo, but this will be incompatible with
the planned composable upgrades implementation. Instead we should
disable the service template by mapping to OS::Heat::None, and
ensure the haproxy manifest uses the t-h-t generated hiera value
keepalived_enabled instead of hard-coding a hiera override in the
haproxy template.
Change-Id: I85a8b1cca7268506de22adfb3a8ce7faa4f157ef
Partial-Bug: #1642936
Depends-On: I90faf51881bd05920067c1e1d82baf5d7586af23
|
|
Security scanners complain that directory listings are enabled in horizon.
Change-Id: I1d7cfcb3521e8235a99bc452f1b7b92c20ce72ac
Closes-Bug: #1637576
|
|
This integrates panko service api into tripleo heat templates.
By default, we will disable this service, an environment service
file is included to enable if needed.
Depends-On: I35f283bdf8dd0ed979c65633724f0464695130a4
Change-Id: I07da3030c6dc69cce7327b54091da15a0c58798e
|
|
This is handled in puppet-tripleo instead so we can remove the
hard-coded reference to ControllerCount and instead use the
hiera neutron_api_node_names to derive the number of neutron API
nodes regardless of roles.
Note that the NeutronL3HA parameter is maintained despite being
marked deprecated because we need to backport this bugfix so we
can't just remove it. I'm not sure if we want to consider removing
the deprecation as leaving the override parameter in place seems
fairly low overhead.
Closes-Bug: #1629187
Change-Id: I7a77836dcaf809cc7959fca7691a4cd7d4af5d6a
Depends-On: I01c50973eec8138ec61304f2982d5026142f267c
|
|
Provision the Keystone Fernet Token provider
by installing 2 keys with dynamic content
generated by python-tripleoclient.
Note that this only sets up the necessary keys to use fernet as a token
provider, however, this does not intend to set it up as the default
provider; This will be discussed and will come as part of another
commit.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: Ic070d160b519b8637997dbde165dbf15275e0dfe
Change-Id: Iaa5499614417000c1b9ba42a776a50cb22c1bb30
|
|
By setting ENFORCE_PASSWORD_CHECK to `True`, it displays an 'Admin
Password' field on the Change Password form to verify that it is indeed
the admin logged-in who wants to change the password.
Change-Id: Ib11bef93b6b0c74063052875fa361290bf1e92fd
Depends-On: If7af97df7a011569a7e14fbab4f880688d7b82c3
Closes-Bug: #1640806
|
|
combination alarms are completely removed in Ocata.
Remove this from tripleo.
Change-Id: Iec2e26ebdaa108ddbb2cf45fc4b6c68023fb6ce0
|
|
|
|
|
|
ceph::profile::params::manage_repo should default to false when
using external Ceph.
Overcloud Ceph clients use Ceph packages, which may be provided by
the 'ceph' metapackage, but not for all repos, see related bug. So,
this change also includes a list of packages as a workaround as
used in change Ie55d22301dd22102d471e6002dfcaad4bfadd5f6.
Change-Id: I338e51637aa39d3f7bbbad0263740f728d42cb9b
Closes-bug: 1641989
Related-Bug: 1629933
|
|
Instead of relying on an explicit hiera call to get the stack domain
password, this uses the keystone parameter to introduce that value
instead.
Change-Id: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
|
|
This patch resolves an issue with nova-base.yaml that prevents
it from working with the new heat hiera agent hook (which
uses Json instead of Yaml).
It updates the service so that we only set the upgrade level if it
is not an empty string.
Partial-bug: #1596373
Change-Id: I595f2e16c33a6f935c7ca8935fec445d19c7b8f3
|
|
This patch resolves a few issues I noticed when porting our
Horizon service to support the new heat hiera agent hook (which
uses Json instead of Yaml).
-we only need to set django_debug if the string is non-empty. This
should match previous behavior.
-remove the duplicated NeutronMechanismDrivers setting. This is already
managed in the neutron services and shouldn't be set here.
Change-Id: I473e110bb9b14cb8f57d41c4fc398871548726b0
Partial-bug: #1596373
|
|
|
|
|
|
|
|
|
|
In order to eventually enable fernet tokens for keystone, we need to be
specify the token provider. This change codifies the current default
used by TripleO of uuid tokens and fernet token setup disabled.
Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a
Closes-Bug: #1641763
|
|
|
|
|
|
|
|
This adds the necessary hieradata for enabling TLS in the internal
network for Barbican API.
bp tls-via-certmonger
Depends-On: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
Change-Id: Ib100faa9dc222f836695a0e8f6e101dc7637d1d6
|
|
|
|
|
|
|
|
|
|
Currently OVS tunnel firewall rules are held within the neutron ovs
agent service heat template. That service is not used with ODL, so
consequently ODL was missing the VXLAN and GRE firewall rules and
traffic would not pass between nodes. This adds the missing rules to
the OpenDaylight OVS service.
Closes-Bug: 1641191
Change-Id: Icfd7db6a3e8fcdd02646fb7e413f40f26b03b994
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
When the civetweb binding IP is version 6 it needs to be enclosed
in brackets or the bind socket parsing fails. The mangling happens
in puppet-tripleo, this change updates the templates to push the
appropriate hiera keys.
Change-Id: Ic7004d768ed5e0f2382ffaa57961ea0ef9162527
Closes-Bug: #1636515
Depends-On: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
|