aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2016-04-09composable keystone servicesDan Prince5-233/+169
Adds new puppet and puppet pacemaker specific services for Keystone. The puppet manifests for keystone now live in puppet-tripleo. Hiera settings are driven by the nested stack heat templates and used to control puppet-keystone and puppet-tripleo directly. The Pacemaker template extends the default keystone service and swaps in the pacemaker specific puppet-tripleo profile instead. Change-Id: I8b30438a27e9d5ec4e7d335e0bd1a931a20b03a2 Depends-On: I2faf5a78db802549053ec41678bf83bf28108189
2016-04-07ha/glance-fs: avoid a race conditionEmilien Macchi1-11/+12
Create the glance-fs Pacemaker resource on one node (pacemaker master) instead of all nodes, and set verify_on_create to True. * It will avoid a race condition if Puppet is applied on 2 nodes on the same time, so the filesystem is attempted to be created once. * Verify with psc that the resource has been correctly created. The full context of the bug is decribed here: https://bugzilla.redhat.com/show_bug.cgi?id=1319384 Change-Id: I625f0879ae56e814664d1433ae47e27148779f12
2016-04-06Use a different ceph key for admin/client userDimitri Savineau1-1/+2
By default only the admin user key is generated and this key is used for both admin and openstack user. Because the mode of the client's key file is 644, any user with a valid shell on the controller/compute/ceph nodes can made admin operations on the ceph cluster. This patch allows to used the random key generated by tripleoclient for the openstack user. Change-Id: I771bbee81c0acfe593e92a99ad12d6f1f7f445ef Closes-bug: #1566927 Depends-On: I404665c09084f0a6cd2d8872940ee90220dc5f69
2016-04-06Increase corosync token timeoutJiri Stransky2-2/+3
This might prevent dropping members from corosync cluster on high load environments. Symptoms of this problem happening can sometimes be found in corosync log: dub 05 17:23:45 overcloud-controller-0 corosync[14152]: [MAIN ] Corosync main process was not scheduled for 3691.8391 ms (threshold is 1320.0000 ms). Consider token timeout increase. The default in the Puppet manifest is 1 second, which matches the corosync default, and we override it with hiera to 10 seconds. Change-Id: I5ea850ada657e5eecafa3e8b28613a0ac48e78f3
2016-04-05Reload haproxy after injecting certs w/o pcmk tooBen Nemec1-0/+8
This was accidentally dropped from Id5ed05b3a20d06af8ae7a3d6f859b03399b0d77d but we should handle the non-pacemaker case as well. Change-Id: Ia06746f9c536159cd7b62259e450b3dec331cdb0
2016-04-04Merge "Enable galera replication for Mariadb 10.1"Jenkins1-0/+2
2016-04-04Change /etc/hosts format and add domainJuan Antonio Osorio Robles5-60/+60
Right now, the service-related IPs assosiated with the machine are registered in the /etc/hosts with different hostnames. This is fine, except if you need to register that hostname in a third party service (such as FreeIPA), since the current configuration is not assigning a domain to those IP addresses. So the current implementation requires DNS to be properly working, which is not ideal for testing purposes. Since the current hostnames are not currently being used; it's still trivial to change this mapping and the format of them. instead of having entries such as: <INTERNAL IP> <node>-internalapi <STORAGE IP> <node>-storage ... in /etc/hosts; This changes the format to: <INTERNAL IP> <node>.internalapi.<domain> <node>.internalapi <STORAGE IP> <node>.storage.<domain> <node>.storage ... So the network (external, internal, storage, etc...) is now represented as a subdomain. For simplicity, the format without the domain is still available through an alias. Change-Id: I6502959a974546e5de757935acea15df6326acda
2016-04-03Merge "Configure ControllerServices via resource chains"Jenkins6-1/+112
2016-04-01Disable Nova v3 APIJiri Stransky1-1/+0
Microversions since Nova API v2.1 are aimed to replace the v3 work. The /v2.1 is backwards compatible with the legacy /v2 endpoint. What we called in the past /v3 is now something defunct in-tree. The /v2.1 API is based on the v3 work, but there are many things that differ, in particular with the backwards-compat thing. We keep the /v2 path in api-paste.ini for making sure an upgrade doesn't trample operators and users but if you look in tree, that's redirecting to the v2.1 codepath (just not asking for microversions). In summary, we only need one endpoint, ie. /v2.1. Additional information at https://bugzilla.redhat.com/show_bug.cgi?id=1291291 Related-Bug: #1564372 Change-Id: I1654665663bc5a19c201f7d25407910654ac1308 Depends-On: I6d64b8bcd0f79f1f298ddc809e6d92fbc2985c45
2016-03-31Configure ControllerServices via resource chainsDan Prince6-1/+112
This patch wires in a new for Mitaka Heat feature that allows us to dynamically include a set of nested stacks representing individual services via a Heat resource chain. Follow on patches will use this interface to decompose the controller role into isolated services. Co-Authored-By: Steve Hardy <shardy@redhat.com> Depends-On: If510abe260ea7852dfe2d1f7f92b529979483068 Change-Id: I84c97a76159704c2d6c963bc4b26e365764b1366
2016-03-30Enable galera replication for Mariadb 10.1Damien Ciabrini1-0/+2
The generated galera config has to include additional settings for galera to be active on MariaDB 10.1. wsrep_on must be explicitely set to ON. On MariaDB 5.5, this was implicitely set as soon as wsrep_provider was specified. a valid wsrep_cluster_address must be configured in addition to wsrep_on, otherwise recovery command mysqld_safe --wsrep-recover cannot retrieve replication state, and cluster cannot be bootstrapped. These explicit settings are backward compatible with MariaDB 5.5 since the two variables exist in both versions of MariaDB. Change-Id: I4ab4f4eeb8679899f194399ba8695155e9a2f4a5 Closes-Bug: 1563751
2016-03-30Merge "compute: restart OVS agent on neutron.conf changes"Jenkins1-0/+10
2016-03-29compute: restart OVS agent on neutron.conf changesEmilien Macchi1-0/+10
Some options in neutron.conf are used bu OVS agent, like logging & messaging. During the upgrade process, you need to restart the agent if these options change. We could patch puppet-neutron to add a notify, but the community won't like it because Neutron OVS agent is not able to restart gracefully until [1] got merged. Until that, we can fix it in TripleO, where we suppose Puppet runs happenning during bootstraps and upgrades. Later, we'll drop this code from here and move it in puppet-neutron. [1] https://review.openstack.org/#/c/297211 Change-Id: I02b17b66e93331ddfb1a7abd8adff672bc7a32d6 Closes-Bug: #1563437
2016-03-29Merge "PLUMgrid Neutron integration"Jenkins5-3/+147
2016-03-29Merge "Increment step count to include ringbuilder"Jenkins6-42/+44
2016-03-29Merge "Don't restart Pacemaker-managed services from Puppet"Jenkins1-0/+18
2016-03-29Merge "Add quotes around the cinder_iscsi_ip_address value"Jenkins2-2/+10
2016-03-29Don't restart Pacemaker-managed services from PuppetJiri Stransky1-0/+18
We need to reload/restart services on updates/upgrades to apply any config changes, but restarting services managed from Pacemaker from Puppet causes problems. For now we no-op the restart and rely on the catch-all restart after Puppet phase. In the future we should have a service provider for pacemaker resources that will be using pcs. We still might have to restart services outside Puppet due to cluster-wide orchestration issues, but we might be able to do the restarts selectively rather than restart everything. We also no-op the start/stop commands to be safe, as it also doesn't make sense for Puppet to try start and stop those services when it doesn't have knowledge about Pacemaker. Change-Id: I95e21e10471cd7575f28c095c48150325f1414b3 Closes-Bug: #1562922
2016-03-25Increment step count to include ringbuilderDan Prince6-42/+44
This patch wires in ringbuilder.pp so that it is always asserted like the other manifests and it fixes the misaligned step sequencing in calling our overcloud controller manifests. Previously it was called as a separate software deployment outside of the hiera step sequence. This made things confusing in controller-post.yaml since the deployment names didn't align with the step hiera variables after step 3. Now that we call it just like the other modules it should make gradually moving this code to puppet-tripleo more straightforward as well. Change-Id: Ibd4f51f65da475bb20a6b08d7bda673f330a5464
2016-03-24Remove password default for AodhPasswordPradeep Kilambi1-1/+0
Change-Id: Ibf37bfd6150d212fadcc4d2e2e2d0a89cdd76c91
2016-03-24Merge "Deploy Aodh services, replacing Ceilometer Alarm"Jenkins7-1/+153
2016-03-24Add quotes around the cinder_iscsi_ip_address valueGiulio Fidente2-2/+10
In I783e939ae304385674909bfd9f1cac95e04cef22 we add brackets around the cinder_iscsi_ip_address if IPv6 but that causes hiera to try mapping the value into an array, while it isn't. This change adds quotes around the brackets. Change-Id: Id9bb4b12542f1943e9df702486d68424539c7a59 Closes-Bug: 1560934
2016-03-24Merge "Remove unused user resource."Jenkins1-3/+0
2016-03-24Wire redis_password to the tripleo moduleGiulio Fidente1-0/+1
Without this the HAProxy monitoring for Redis would fail to poll the backends. Change-Id: Id0826c6b04e471844c7bef69480af263cf2b3bd4
2016-03-24Merge "Pass iSCSI bind address in brackets to Cinder when IPv6"Jenkins1-1/+1
2016-03-24Merge "Remove the glance/rbd user name from static hieradata"Jenkins1-1/+0
2016-03-23Merge "configure horizon with memcached ipv6 when needed"Jenkins3-2/+23
2016-03-23configure horizon with memcached ipv6 when neededEmilien Macchi3-2/+23
* Add MemcachedIPv6 parameter * If MemcachedIPv6 is set at True, configure Horizon with Memcached IPv6 addresses. This patch is required to make Horizon working when running IPv6 networks. Change-Id: I752e727bfb9040b29f5d755f565fa6b54b9511c8
2016-03-23Pass iSCSI bind address in brackets to Cinder when IPv6Giulio Fidente1-1/+1
Configure the Cinder iscsi_ip_address key using brackets when the IP address is of v6 class. Closes-Bug: 1560934 Change-Id: I783e939ae304385674909bfd9f1cac95e04cef22
2016-03-23nonha: fix memcached servers string in nova.conf for ipv6Emilien Macchi1-1/+8
Full context is described here: https://review.openstack.org/#/c/270110/ The patch that was supposed to fix [1] was not fixing non-ha scenario. [1] https://launchpad.net/bugs/1536103 This patch aims to fix it. Change-Id: Iaf4608de1894ce03f35925939e83230abb9f5207 Closes-Bug: #1560063
2016-03-23Remove the glance/rbd user name from static hieradataGiulio Fidente1-1/+0
The static setting for the glance/rbd user name was overriding any customization provided via template param because it was up in the hierarchy for the controller nodes. More at: https://bugzilla.redhat.com/show_bug.cgi?id=1308889 Change-Id: I3d112de7eeffd524fb1308d5976a28f04aa5ff23
2016-03-22Fix redis coordination urlPradeep Kilambi1-3/+4
The coordination url connection string to redis is incorrectly formatted with password. More details: https://bugzilla.redhat.com/show_bug.cgi?id=1320036 Change-Id: I93f5e93dfce4ba2629aa57534e8d33d5d1e6d77b
2016-03-21Merge "Allow option to disable Swift ring management"Jenkins2-8/+12
2016-03-21Merge "Wire in HAProxy stats user and password"Jenkins1-0/+11
2016-03-21Allow option to disable Swift ring managementChristian Schwede2-8/+12
There are quite a few cases where it is useful to disable ring building on the nodes. For example: - using different weights, regions, and zones - replacing a node in an existing Swift cluster - adding a new node to an existing cluster - using storage policies and therefore multiple rings - using different nodes and disks for account, container and object servers This patch allows it to disable ring building. Rings need to be maintained manually then, and copied to all storage and proxy nodes within a cluster. This patch is similar to I01311ec3ca265b151f8740bf7dc57cdf0cf0df6f, except that it uses the current templates. Change-Id: I56978b15823dd6eaf4b6fd3440df2f895e89611a
2016-03-21Remove unused user resource.Sofer Athlan-Guyot1-3/+0
The user is created by installation of of the pacemaker package, so it's not required to add it to the resource catalog. This paves the way to merge the refeactoring of the puppet-pacemaker module[1]. It brings a lot of changes, one of them is an idempotent handling of the hacluster user's password. Removing it here prevents duplicate resource error durring puppet run. [1] https://review.openstack.org/#/c/294182/ Change-Id: I56849d9fc00bd3ce342d5c440cfe7c5b6d26b5bf
2016-03-20Deploy Aodh services, replacing Ceilometer AlarmPradeep Kilambi7-1/+153
Ceilometer Alarm is deprecated in Liberty by Aodh. This patch: * manage Aodh Keystone resources * deploy Aodh API under WSGI, Notifier, Listener and Evaluator * manage new parameters to customize Aodh deployment * uses ceilometer DB for the upgrade path * pacemaker config * Add migration logic to remove pcs resources Depends-On: I5333faa72e52d2aa2a622ac2d4b60825aadc52b5 Depends-On: Ib6c9c4c35da3fb55e0ca8e2d5a58ebaf4204d792 Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: Ib47a22884afb032ebc1655e1a4a06bfe70249134
2016-03-18PLUMgrid Neutron integrationQasim Sarfraz5-3/+147
Enable PLUMgrid neutron liberty plugin in a TripleO overcloud environment. Change-Id: I07025f67ec3f3399aac4dcd10cc37e857772548b Signed-off-by: Qasim Sarfraz <qasims@plumgrid.com>
2016-03-18Merge "Remove default for the RabbitMQ password"Jenkins3-3/+0
2016-03-18Remove default for the RabbitMQ passwordJuan Antonio Osorio Robles3-3/+0
Since the password is now autogenerated from the tripleoclient, there is no need to keep the default value here. Change-Id: If41cb56134966456f8590da04f392faffe5c62a1 Closes-Bug: #1557688
2016-03-17Merge "Remove forced rabbitmq::file_limit conversion to string"Jenkins1-8/+1
2016-03-16Merge "compute: use live_migration_tunnelled"Jenkins1-19/+4
2016-03-15Merge "Install mongodb client package"Jenkins2-1/+2
2016-03-15Merge "Fix typos"Jenkins3-4/+4
2016-03-15Merge "Ensure access to Redis is password protected"Jenkins1-1/+10
2016-03-14compute: use live_migration_tunnelledEmilien Macchi1-19/+4
In a previous patch [1], we added support for VIR_MIGRATE_TUNNELLED when doing VM shared storage. In Nova Mitaka [2] [3], we have now a parameter called 'live_migration_tunnelled' to whether or not use tunnelled migration. It replaces 'block_migration_flag' and 'live_migration_flag' that are both deprecated. [1] https://review.openstack.org/#/c/286584/ [2] https://review.openstack.org/#/c/263436/ [3] https://review.openstack.org/#/c/263434/ Change-Id: I8b199b6e72c80b2df7b679e0a20e39f8400d0478
2016-03-14Merge "compute: include VIR_MIGRATE_TUNNELLED when doing VM shared storage"Jenkins1-6/+28
2016-03-14Merge "Keystone domain for Heat"Jenkins4-1/+37
2016-03-11Merge "Pass public_addr to ceph::profile::params instead of ceph::mon"Jenkins1-1/+1
2016-03-10compute: include VIR_MIGRATE_TUNNELLED when doing VM shared storageEmilien Macchi1-6/+28
This patch makes sure: * When doing shared storage Nova is configured with block_migration_flag and live_migration_flag = '(...),VIR_MIGRATE_TUNNELLED' flag for security improvements. * When not doing shared storage Nova is not configured with VIR_MIGRATE_TUNNELLED flag because it's not supported by Qemu yet. We need to make sure the value is unset otherwise live migration will fail when not running shared storage for VMs. Note: this patch will be backport to stable branches. In a further iteration, we'll probably use live_migration_tunnelled new Nova parameter which is a simplier way to manage this feature. Co-Authored-By: Kashyap Chamarthy <kchamart@redhat.com> Change-Id: I557c1624ee944a32b1831d504f7b189308cd1961