Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
This uses the newly introduced dict with the keys and paths instead of
the individual keys. Having the advantage that rotation will be
possible on stack update, as we no longer have a limit on how many keys
we can pass (as we did with the individual parameters).
bp keystone-fernet-rotation
Change-Id: I7d224595b731d9f3390fce5a9d002282b2b4b8f2
Depends-On: I63ae158fa8cb33ac857dcf9434e9fbef07ecb68d
|
|
|
|
|
|
|
|
|
|
In newton, we used to construct the fqdn_$NETWORK in puppet-tripleo for
external, internal_api, storage, storage_mgmt, tenant, management, and
ctrlplane. When this was moved into THT, we accidently dropped external
which leads to deployment failures if a service is moved to the external
network and the configuration consumes the fqdn_external hiera key.
Specifically this is reproduced if the MysqlNetwork is switch to to
exernal, then the deployment fails because the bind address which is set
to use fqdn_external is blank.
Change-Id: I01ad0c14cb3dc38aad7528345c928b86628433c1
Closes-Bug: #1697722
|
|
Gnocchi 4 supports storage sacks during upgrade. lets make this
configurable if we want to use more metricd workers.
Change-Id: Ibb2ee885e59d43c1ae20887ec1026786d58c6b9e
|
|
|
|
We need to ensure that the pacemaker cluster restarts
in the end of the deployment.
Due to the resources renaming we added the
postconfig resource not in the end of the
deployment as it was *postpuppet.
Closes-bug: 1695904
Change-Id: Ic6978fcff591635223b354831cd6cbe0802316cf
|
|
Add new parameters that control the NAS security settings in Cinder's
NFS and NetApp back end drivers. The settings are disabled by default.
Partial-Bug: #1688332
Depends-On: I76e2ce10acf7b671be6a2785829ebb3012b79308
Change-Id: I306a8378dc1685132f7ea3ed91d345eaae70046f
|
|
We now pass configuration for autofencing to Pacemaker Remote nodes.
Change-Id: Ibb9c65a83cc909528024c538cf3bcc96390c555e
Depends-On: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce
Closes-Bug: #1686115
|
|
|
|
Change-Id: Id896e01e24ecc2bfd7a983a3ff9756fefe4a4525
Depends-On: I097c494d3953b7d26d94aecc546ddef5225d1125
|
|
This reverts commit a915b150018bf306a5942782bf93c5faadcd7cde.
The argument is renamed and causing promotions to fail.
Change-Id: I7e1674cff75b606c20956edddf70eee2990fca78
|
|
|
|
|
|
|
|
HorizonSecureCookies is incompatible with non-ssl deployments, which
is our default deployment method. When SSL is in use, it can be
turned on in the enable-tls.yaml file. This does mean that
existing users won't automatically get this feature turned on as
part of their upgrade because enable-tls.yaml is an environment that
is intended to be copied and edited, but it's simple to add the
parameter to the file for users who want that behavior after they
upgrade to a version where it is available.
Change-Id: If83d3d8709fc4e0c09569e8bf524721d332bf560
Closes-Bug: 1696861
|
|
|
|
|
|
The parameters NovaVcpuPinSet, NovaReservedHostMemory and
NovaPCIPassthrough are modified to support role-specific
parameter inputs.
Change-Id: I7c11e8fc2c933f424318e457cb1e96acb8df2ec7
|
|
This will enable HAProxy to use CRLs for the nodes it's proxying.
bp tls-via-certmonger
Depends-On: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
Change-Id: I2558113bf83674ce22d99364b63c0c5be446bf77
|
|
This uses by default the URL for the CRL provided by FreeIPA (the
default CA in TripleO).
bp tls-via-certmonger
Depends-On: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
Change-Id: I87001388f300f3decb3b74bc037fff9d3b3ccdc2
|
|
This option allows users to exclude some fault domains.
Otherwise all domains are returned.
Change-Id: Iefd1a44c8fe217aee5845bba35def571317bb123
Closes-Bug: #1681490
Depends-On: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483
|
|
Instead of doing this via puppet which has the consequence of including
the step_config and getting included on the host manifest. Lets disable
via ansible upgrade task instead.
Change-Id: I5f1a4019dd635dea67db4313bd06a228ae7bacd4
|
|
Gnocchi 4 supports storage sacks during upgrade. lets make this
configurable if we want to use more metricd workers.
Change-Id: I27390b8babf8c4ef35f4c9b8a2e5be69fb9a54ee
|
|
Instead of using the Heat condition directly on the Deployment
resources, use it to set the action list to an empty list when the
server is blacklisted.
This has a couple advantages over the previous approach in that the
actual resources are not deleted and recreated when servers are added
and removed from the blacklist.
Recreating the resources can be problematic, as it would then force the
Deployments to re-run when a server is removed from the blacklist. That
is likely not always desirable, especially in the case of
NetworkDeloyment.
Additionally, you will still see the resources for a blacklisted server
in the stack, just with an empty set of actions. This has the benefit of
preserving the history of the previous time the Deployment was
triggered.
implements blueprint disable-deployments
Change-Id: I3d0263a6319ae4871b1ae11383ae838bd2540d36
|
|
|
|
Add ServiceDebug parameters for each services that will allow operators
to enable/disable Debug for specific services.
We keep the Debug parameters for backward compatibility.
Operators want to enable Debug everywhere:
Debug: true
Operators want to disable Debug everywhere:
Debug: false
Operators want to disable Debug everywhere except Glance:
GlanceDebug: true
Operators want to enable Debug everywhere except Glance:
Debug: true
GlanceDebug: false
New parameters: AodhDebug, BarbicanDebug, CeilometerDebug, CinderDebug,
CongressDebug, GlanceDebug, GnocchiDebug, HeatDebug, HorizonDebug,
IronicDebug, KeystoneDebug, ManilaDebug, MistralDebug, NeutronDebug,
NovaDebug, OctaviaDebug, PankoDebug, SaharaDebug, TackerDebug,
ZaqarDebug.
Note: for backward compatibility in Horizon, HorizonDebug is set to
false, so we maintain previous behavior.
Change-Id: Icbf4a38afcdbd8471d1afc11743df9705451db52
Implement-blueprint: composable-debug
Closes-Bug: #1634567
|
|
Replace the multiple SoftwareDeployment resources with a common
playbook that runs on all roles, consuming the configuration data
written via the HostPrepAnsible tasks.
This hopefully simplifies things, and will enable re-running the
deploy steps for minor updates (we'll need some way to detect
a container should be replaced, but that will be done via a
follow-up patch).
Change-Id: I674a4d9d2c77d1f6fbdb0996f6c9321848e32662
|
|
|
|
|
|
|
|
This helps with processing the backlog, so lets update
the default out of the box.
Change-Id: I06d4ca95f4a1da2864f4845ef3e7a74a1bce9e41
|
|
|
|
|
|
|
|
|
|
Idle compute nodes are found to already consume ~1.5GB of memory, so
2GB is a bit tight. Increasing to 4GB to be on the safe side. Also
see https://bugzilla.redhat.com/show_bug.cgi?id=1341178
Change-Id: Ic95984b62a748593992446271b197439fa12b376
|
|
Adds the ability to blacklist servers from all SoftwareDeployment
resources. The servers are specified in a new list parameter,
DeploymentServerBlacklist by the Heat assigned name
(overcloud-compute-0, etc).
implements blueprint disable-deployments
Change-Id: I46941e54a476c7cc8645cd1aff391c9c6c5434de
|
|
This fix needs to be backported to ocata.
Change-Id: I5938761efa4f56e576f41929e0bc12df246ac81a
Signed-off-by: Karthik S <ksundara@redhat.com>
Closes-Bug: #1694703
|
|
When gnocchi-upgrade run, we need to ensure storage is upgraded so we
initialize the necessary storage sacks.
Closes-bug: #1693621
Change-Id: I84e4fc3b6ad7fd966c4097a29678a0fd5b7a20a5
|
|
|
|
When running disabled/ceilometer-expirer.yaml, we want to remove the
crontab that used to run ceilometer-expirer binary in periodic way.
Let's use Puppet to remove this crontab.
We can't easily use Ansible tasks this time, because the Ansible cron
module can only remove Crontabs previously managed by Ansible:
https://docs.ansible.com/ansible/cron_module.html#examples
In this case, Puppet will erase the crontab in Pike. In Queens, we'll be
able to remove these environments files since we wouldn't need it
anymore.
Change-Id: Idb050c3b281d258aea52d6a3ef40441bb9c8bcbe
|
|
Add upgrade tasks for cinder-volume when it's controlled by pacemaker:
o Stop the service before the entire pacemaker cluster is stopped.
This ensures the service is stopped before infrastructure services
(e.g. rabbitmq) go away.
o Migrate the cinder DB prior to restarting the service. This covers
the situation when puppet-cinder (who otherwise would handle the db
sync) isn't managing the service.
o Start the service after the rest of the pacemaker cluster has been
started.
Closes-Bug: #1691851
Change-Id: I5874ab862964fadb68320d5c4de39b20f53dc25c
|
|
OpenStack heavily relies on gratuitous ARP updates when moving floating
IP addresses between devices. When a floating IP moves, Neutron L3 agent
issues a burst of gratuitous ARP packets that should update any existing
ARP table entries on all nodes that belong to the same network segment.
Due to locktime kernel behavior, some gratuitous ARP packets may be
ignored [1], rendering ARP table entries broken for some time. Due to a
kernel bug [2], the time may be as long as hours, depending on other
traffic flowing to the node.
With the current EL7 kernel, the only way to make sure that nodes honor
all sent gratuitous ARP updates is to set arp_accept to 1; this will
disable locktime mechanism for the packets sent by Neutron L3 agent, and
will make sure ARP tables are always updated.
[1] https://patchwork.ozlabs.org/patch/762732/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1450203
Related-Bug: #1690165
Change-Id: I863b240e0ab4c4d5bb844f91b607fd0937d5cedf
|
|
Without this, ceilometer db gets hammered with gnocchi swift events.
Keystone creds are required so middleware can query for id.
Related change: I5c0f4f1a2c7fe7eb39ea6441970e9ac0946a4ec1
Change-Id: I9a7a80252703e470a69dc10352e7ece45ab23150
|