Age | Commit message (Collapse) | Author | Files | Lines |
|
Adds new puppet and puppet pacemaker specific services for
Keystone.
The puppet manifests for keystone now live in puppet-tripleo.
Hiera settings are driven by the nested stack heat templates
and used to control puppet-keystone and puppet-tripleo
directly.
The Pacemaker template extends the default keystone service and
swaps in the pacemaker specific puppet-tripleo profile instead.
Change-Id: I8b30438a27e9d5ec4e7d335e0bd1a931a20b03a2
Depends-On: I2faf5a78db802549053ec41678bf83bf28108189
|
|
Create the glance-fs Pacemaker resource on one node (pacemaker master)
instead of all nodes, and set verify_on_create to True.
* It will avoid a race condition if Puppet is applied on 2 nodes on the
same time, so the filesystem is attempted to be created once.
* Verify with psc that the resource has been correctly created.
The full context of the bug is decribed here:
https://bugzilla.redhat.com/show_bug.cgi?id=1319384
Change-Id: I625f0879ae56e814664d1433ae47e27148779f12
|
|
By default only the admin user key is generated and this key is used
for both admin and openstack user.
Because the mode of the client's key file is 644, any user with a
valid shell on the controller/compute/ceph nodes can made admin
operations on the ceph cluster.
This patch allows to used the random key generated by tripleoclient
for the openstack user.
Change-Id: I771bbee81c0acfe593e92a99ad12d6f1f7f445ef
Closes-bug: #1566927
Depends-On: I404665c09084f0a6cd2d8872940ee90220dc5f69
|
|
This might prevent dropping members from corosync cluster on high load
environments. Symptoms of this problem happening can sometimes be found
in corosync log:
dub 05 17:23:45 overcloud-controller-0 corosync[14152]: [MAIN ] Corosync
main process was not scheduled for 3691.8391 ms (threshold is 1320.0000
ms). Consider token timeout increase.
The default in the Puppet manifest is 1 second, which matches the
corosync default, and we override it with hiera to 10 seconds.
Change-Id: I5ea850ada657e5eecafa3e8b28613a0ac48e78f3
|
|
This was accidentally dropped from
Id5ed05b3a20d06af8ae7a3d6f859b03399b0d77d but we should handle the
non-pacemaker case as well.
Change-Id: Ia06746f9c536159cd7b62259e450b3dec331cdb0
|
|
|
|
Right now, the service-related IPs assosiated with the machine are
registered in the /etc/hosts with different hostnames. This is fine,
except if you need to register that hostname in a third party service
(such as FreeIPA), since the current configuration is not assigning a
domain to those IP addresses. So the current implementation requires
DNS to be properly working, which is not ideal for testing purposes.
Since the current hostnames are not currently being used; it's still
trivial to change this mapping and the format of them. instead of
having entries such as:
<INTERNAL IP> <node>-internalapi
<STORAGE IP> <node>-storage
...
in /etc/hosts; This changes the format to:
<INTERNAL IP> <node>.internalapi.<domain> <node>.internalapi
<STORAGE IP> <node>.storage.<domain> <node>.storage
...
So the network (external, internal, storage, etc...) is now
represented as a subdomain. For simplicity, the format without the
domain is still available through an alias.
Change-Id: I6502959a974546e5de757935acea15df6326acda
|
|
|
|
Microversions since Nova API v2.1 are aimed to replace the v3 work. The
/v2.1 is backwards compatible with the legacy /v2 endpoint. What we
called in the past /v3 is now something defunct in-tree. The /v2.1 API
is based on the v3 work, but there are many things that differ, in
particular with the backwards-compat thing. We keep the /v2 path in
api-paste.ini for making sure an upgrade doesn't trample operators and
users but if you look in tree, that's redirecting to the v2.1
codepath (just not asking for microversions). In summary, we only need
one endpoint, ie. /v2.1.
Additional information at https://bugzilla.redhat.com/show_bug.cgi?id=1291291
Related-Bug: #1564372
Change-Id: I1654665663bc5a19c201f7d25407910654ac1308
Depends-On: I6d64b8bcd0f79f1f298ddc809e6d92fbc2985c45
|
|
This patch wires in a new for Mitaka Heat feature
that allows us to dynamically include a set of nested
stacks representing individual services via a Heat resource chain.
Follow on patches will use this interface to decompose the controller
role into isolated services.
Co-Authored-By: Steve Hardy <shardy@redhat.com>
Depends-On: If510abe260ea7852dfe2d1f7f92b529979483068
Change-Id: I84c97a76159704c2d6c963bc4b26e365764b1366
|
|
The generated galera config has to include additional settings for
galera to be active on MariaDB 10.1.
wsrep_on must be explicitely set to ON. On MariaDB 5.5, this was
implicitely set as soon as wsrep_provider was specified.
a valid wsrep_cluster_address must be configured in addition to
wsrep_on, otherwise recovery command mysqld_safe --wsrep-recover
cannot retrieve replication state, and cluster cannot be bootstrapped.
These explicit settings are backward compatible with MariaDB 5.5 since
the two variables exist in both versions of MariaDB.
Change-Id: I4ab4f4eeb8679899f194399ba8695155e9a2f4a5
Closes-Bug: 1563751
|
|
|
|
Some options in neutron.conf are used bu OVS agent, like logging &
messaging.
During the upgrade process, you need to restart the agent if these
options change.
We could patch puppet-neutron to add a notify, but the community won't
like it because Neutron OVS agent is not able to restart gracefully
until [1] got merged. Until that, we can fix it in TripleO, where we
suppose Puppet runs happenning during bootstraps and upgrades.
Later, we'll drop this code from here and move it in puppet-neutron.
[1] https://review.openstack.org/#/c/297211
Change-Id: I02b17b66e93331ddfb1a7abd8adff672bc7a32d6
Closes-Bug: #1563437
|
|
|
|
|
|
|
|
|
|
We need to reload/restart services on updates/upgrades to apply any
config changes, but restarting services managed from Pacemaker from
Puppet causes problems.
For now we no-op the restart and rely on the catch-all restart after
Puppet phase.
In the future we should have a service provider for pacemaker resources
that will be using pcs. We still might have to restart services outside
Puppet due to cluster-wide orchestration issues, but we might be able to
do the restarts selectively rather than restart everything.
We also no-op the start/stop commands to be safe, as it also doesn't
make sense for Puppet to try start and stop those services when it
doesn't have knowledge about Pacemaker.
Change-Id: I95e21e10471cd7575f28c095c48150325f1414b3
Closes-Bug: #1562922
|
|
This patch wires in ringbuilder.pp so that it is always
asserted like the other manifests and it fixes the misaligned
step sequencing in calling our overcloud controller manifests.
Previously it was called as a separate software deployment outside of
the hiera step sequence. This made things confusing in
controller-post.yaml since the deployment names didn't align
with the step hiera variables after step 3. Now that we call it
just like the other modules it should make gradually moving this
code to puppet-tripleo more straightforward as well.
Change-Id: Ibd4f51f65da475bb20a6b08d7bda673f330a5464
|
|
Change-Id: Ibf37bfd6150d212fadcc4d2e2e2d0a89cdd76c91
|
|
|
|
In I783e939ae304385674909bfd9f1cac95e04cef22 we add brackets around
the cinder_iscsi_ip_address if IPv6 but that causes hiera to try
mapping the value into an array, while it isn't. This change adds
quotes around the brackets.
Change-Id: Id9bb4b12542f1943e9df702486d68424539c7a59
Closes-Bug: 1560934
|
|
|
|
Without this the HAProxy monitoring for Redis would fail to poll
the backends.
Change-Id: Id0826c6b04e471844c7bef69480af263cf2b3bd4
|
|
|
|
|
|
|
|
* Add MemcachedIPv6 parameter
* If MemcachedIPv6 is set at True, configure Horizon with Memcached IPv6
addresses.
This patch is required to make Horizon working when running IPv6
networks.
Change-Id: I752e727bfb9040b29f5d755f565fa6b54b9511c8
|
|
Configure the Cinder iscsi_ip_address key using brackets when
the IP address is of v6 class.
Closes-Bug: 1560934
Change-Id: I783e939ae304385674909bfd9f1cac95e04cef22
|
|
Full context is described here:
https://review.openstack.org/#/c/270110/
The patch that was supposed to fix [1] was not fixing non-ha scenario.
[1] https://launchpad.net/bugs/1536103
This patch aims to fix it.
Change-Id: Iaf4608de1894ce03f35925939e83230abb9f5207
Closes-Bug: #1560063
|
|
The static setting for the glance/rbd user name was overriding
any customization provided via template param because it was
up in the hierarchy for the controller nodes.
More at: https://bugzilla.redhat.com/show_bug.cgi?id=1308889
Change-Id: I3d112de7eeffd524fb1308d5976a28f04aa5ff23
|
|
The coordination url connection string to redis
is incorrectly formatted with password.
More details: https://bugzilla.redhat.com/show_bug.cgi?id=1320036
Change-Id: I93f5e93dfce4ba2629aa57534e8d33d5d1e6d77b
|
|
|
|
|
|
There are quite a few cases where it is useful to disable ring building on the
nodes. For example:
- using different weights, regions, and zones
- replacing a node in an existing Swift cluster
- adding a new node to an existing cluster
- using storage policies and therefore multiple rings
- using different nodes and disks for account, container and object servers
This patch allows it to disable ring building. Rings need to be maintained
manually then, and copied to all storage and proxy nodes within a cluster.
This patch is similar to I01311ec3ca265b151f8740bf7dc57cdf0cf0df6f, except that
it uses the current templates.
Change-Id: I56978b15823dd6eaf4b6fd3440df2f895e89611a
|
|
The user is created by installation of of the pacemaker package, so it's
not required to add it to the resource catalog.
This paves the way to merge the refeactoring of the puppet-pacemaker
module[1]. It brings a lot of changes, one of them is an idempotent
handling of the hacluster user's password. Removing it here prevents
duplicate resource error durring puppet run.
[1] https://review.openstack.org/#/c/294182/
Change-Id: I56849d9fc00bd3ce342d5c440cfe7c5b6d26b5bf
|
|
Ceilometer Alarm is deprecated in Liberty by Aodh.
This patch:
* manage Aodh Keystone resources
* deploy Aodh API under WSGI, Notifier, Listener and Evaluator
* manage new parameters to customize Aodh deployment
* uses ceilometer DB for the upgrade path
* pacemaker config
* Add migration logic to remove pcs resources
Depends-On: I5333faa72e52d2aa2a622ac2d4b60825aadc52b5
Depends-On: Ib6c9c4c35da3fb55e0ca8e2d5a58ebaf4204d792
Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Change-Id: Ib47a22884afb032ebc1655e1a4a06bfe70249134
|
|
Enable PLUMgrid neutron liberty plugin in a TripleO overcloud environment.
Change-Id: I07025f67ec3f3399aac4dcd10cc37e857772548b
Signed-off-by: Qasim Sarfraz <qasims@plumgrid.com>
|
|
|
|
Since the password is now autogenerated from the tripleoclient,
there is no need to keep the default value here.
Change-Id: If41cb56134966456f8590da04f392faffe5c62a1
Closes-Bug: #1557688
|
|
|
|
|
|
|
|
|
|
|
|
In a previous patch [1], we added support for VIR_MIGRATE_TUNNELLED when
doing VM shared storage.
In Nova Mitaka [2] [3], we have now a parameter called
'live_migration_tunnelled' to whether or not use tunnelled migration.
It replaces 'block_migration_flag' and 'live_migration_flag' that are
both deprecated.
[1] https://review.openstack.org/#/c/286584/
[2] https://review.openstack.org/#/c/263436/
[3] https://review.openstack.org/#/c/263434/
Change-Id: I8b199b6e72c80b2df7b679e0a20e39f8400d0478
|
|
|
|
|
|
|
|
This patch makes sure:
* When doing shared storage
Nova is configured with block_migration_flag and live_migration_flag = '(...),VIR_MIGRATE_TUNNELLED'
flag for security improvements.
* When not doing shared storage
Nova is not configured with VIR_MIGRATE_TUNNELLED flag because it's not
supported by Qemu yet. We need to make sure the value is unset otherwise
live migration will fail when not running shared storage for VMs.
Note: this patch will be backport to stable branches. In a further
iteration, we'll probably use live_migration_tunnelled new Nova
parameter which is a simplier way to manage this feature.
Co-Authored-By: Kashyap Chamarthy <kchamart@redhat.com>
Change-Id: I557c1624ee944a32b1831d504f7b189308cd1961
|