aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2016-10-06Enable firewalling by default on compute nodesEmilien Macchi4-5/+12
- Move VXLAN and VRRP rules from Neutron Server to the right services. - Enable Firewall by default on Compute nodes. Change-Id: I99d172dcedaf6be297aad184cc51fe9f292a57e1
2016-10-06Re-enable ManageFirewall by default.Dan Prince2-3/+3
This default setting got lots in the composable roles/services patches. Re-enable the ManageFirewall setting by default per what we did in git commit 73c76b867ddc8a23a30b9a3cac4031189d4178c6. We also fix a typo in neutron-api.yaml so that the firewall rules matches to service_name. (otherwise it won't get loaded). Also, drops the environments/manage-firewall.yaml which is no longer needed if we enable firewall management by default. Change-Id: Ie198e4efd190131d0722085b10ef77da9005bc1b Closes-bug: 1629934
2016-10-06Merge "restore missing fluentd client functionality"Jenkins8-42/+8
2016-10-06Merge "Add generic template for custom roles."Jenkins1-0/+407
2016-10-06Merge "Set proper ceph config path for manila"Jenkins1-1/+1
2016-10-06Add generic template for custom roles.Carlos Camacho1-0/+407
This submission creates a generic template file to deploy custom roles. Also adds a file to specify an exclusion role list in order to avoid not to generate the template for those roles. Partial-Bug: #1626976 Depends-On: I6d7247bbb8702eb0ab9bdf133b5ab1c6e8349d98 Change-Id: I3e11c089023b793a5063d9e1714527a3fe2b7458
2016-10-05Set proper ceph config path for manilaTom Barron1-1/+1
When deploying manila with cephfs backend, /etc/manila/manila.conf should define cephfs_conf_path = /etc/ceph/ceph.conf in the cephfs native backend since this is the conventional path that ceph operators expect and since we document that path upstream. Change-Id: I4abf5c33b675b1102413a84d64f4ce23b07b4485 Closes-Bug: 1630777
2016-10-05restore missing fluentd client functionalityLars Kellogg-Stedman8-42/+8
in the great rebase following the JINJA ALL THE THINGS changes we lost critical functionality in the fluentd client service. This review restores the missing features. Change-Id: I7c23f16f81e75f3da6a24587b2eb8385b3e920a4 Closes-bug: 1630692
2016-10-05Select per-network hostnames for service_node_namesSteven Hardy6-0/+228
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: Ic6fec1057439ed9122d44ef294be890d3ff8a8ee Change-Id: I754c4a41d8a294a4c7c18bd282ae014efd4b9b16 Closes-Bug: #1628521
2016-10-05Merge "Move the main template files for defalut services to new syntax ↵Jenkins5-0/+0
generation"
2016-10-04Merge "j2 template role config templates"Jenkins5-183/+7
2016-10-04Move the main template files for defalut services to new syntax generationCarlos Camacho5-0/+0
When generating these templates, we should create them with the "-role" appended as they will be generated from a role.role.j2.yaml file. i.e. role.role.j2.yaml will generate <service>-role.yaml config.role.j2.yaml will generate <service>-config.yaml Partial-Bug: #1626976 Change-Id: I614dc462fd7fc088b67634d489d8e7b68e7d4ab1
2016-10-04Include redis/mongo hiera when using pacemakerDan Prince2-2/+2
This patch updates the pacemaker composable service templates for mongo and redis to extend the proper base (redis.yaml and mongo.yaml) templates instead of the -base.yaml versions. This was causing some missing hiera settings for these services which caused symptoms like missing firewall rules for these services. Change-Id: I3f94acbf4d1baadbb151b1c4d34b4a0ab28ad5e5 Partial-bug: #1629934
2016-10-04Merge "Use netapp_host_type instead of netapp_eseries_host_type"Jenkins1-4/+14
2016-10-04Merge "Make keystone api network hiera composable"Jenkins1-20/+0
2016-10-03Merge "reload HAProxy config in HA setups when certificate is updated"Jenkins1-4/+2
2016-10-03Merge "Cinder volume service is not managed by Pacemaker on BlockStorage"Jenkins2-1/+1
2016-10-03reload HAProxy config in HA setups when certificate is updatedJuan Antonio Osorio Robles1-4/+2
When updating a certificate for HAProxy, we only do a reload of the configuration on non-HA setups. This means that if we try the same in an HA setup, the cloud will still serve the old certificate and that leads to several issues, such as serving a revoked or even a compromised certificate for some time, or just SSL issues that the certificate doesn't match. This enables a reload for HA cases too. Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a Closes-Bug: #1629886
2016-10-03Merge "Balance Rabbitmq Queue Master Location on queue declaration with ↵Jenkins1-0/+1
min-masters strategy"
2016-10-01Change rabbitmq queues HA mode from ha-all to ha-exactlyMichele Baldessari1-0/+9
It turns out that reducing number of rabbitmq queues in cluster significantly improves performance of cluster especially in the case of failover recovery time. Right now the cluster uses ha-all mode for rabbitmq queues. It is best to change this to "ha-exactly" mode and reduce the number of queue copies to ceil(N/2) where N is number of controllers in the cluster - so in typical scenario of 3 controller It would be 2 by default. It does not make much sense to keep the copies of queues over whole cluster since if the quorum of nodes is lost then the rest of cluster nodes will be stopped anyway. We let the user override this with a parameter. I.e. for a 3 node controlplane cluster we will go from this: pcs resource show rabbitmq Resource: rabbitmq (class=ocf provider=heartbeat type=rabbitmq-cluster) Attributes: set_policy="ha-all ^(?!amq\.).* {"ha-mode":"all"}" To this: pcs resource show rabbitmq Resource: rabbitmq (class=ocf provider=heartbeat type=rabbitmq-cluster) Attributes: set_policy="ha-all ^(?!amq\.).* {"ha-mode":"exactly","ha-params":2}" According to Marin Krcmarik's testing recovery time from failure was reduced significantly. Partial-Bug: #1628998 Change-Id: Iace6daf27a76cb8ef1050ada0de7ff1f530916c6
2016-09-30Merge "telemetry: remove coordination_url hiera settings"Jenkins3-25/+1
2016-09-30Merge "Telemetry: add redis_password hiera parameter"Jenkins3-0/+3
2016-09-30Merge "Replace per role manifests with a common role manifest"Jenkins10-101/+37
2016-09-30Make keystone api network hiera composableSteven Hardy1-20/+0
These hard-coded references to the Controller role mean that things won't work if the keystone service is moved to any other role, so we need to generate the lists dynamically based on the enabled services for each role. Change-Id: I5f1250a8a1a38cb3909feeb7d4c1000fd0fabd14 Closes-Bug: #1629096
2016-09-30j2 template role config templatesSteven Hardy5-183/+7
This means the user won't have to manually specify e.g the OS::TripleO::ACustomRoleConfig resource manually. Partial-Bug: 1626976 Change-Id: I063571d4c5cbc2f295a7a044d81c27d703bd0e10 Depends-On: I9f920e191344040a564214f3f9a1147b265e9ff3
2016-09-30Replace per role manifests with a common role manifestSteven Hardy10-101/+37
This removes the (nearly empty) per role manifests, and replaces them with a generic manifest, where we use str_replace to substitute the role name at runtime (or in some cases a subset of the name for backwards compatibility) Change-Id: I79da0f523189959b783bbcbb3b0f37be778e02fe Partial-Bug: #1626976
2016-09-30telemetry: remove coordination_url hiera settingsEmilien Macchi3-25/+1
They are now normalized and set in puppet-tripleo. Change-Id: I197481c577b85894178e7899a55869da47847755 Closes-Bug: #1629279 Depends-On: Ic6de09acf0d36ca90cc2041c0add1bc2b4a369a5
2016-09-30Telemetry: add redis_password hiera parameterEmilien Macchi3-0/+3
Add redis_password parameter in Hiera so we can re-use it from puppet-tripleo later for Aodh, Ceilometer and Gnocchi. Change-Id: I038e2bac22e3bfa5047d2e76e23cff664546464d Partial-Bug: #1629279
2016-09-30Merge "Add option to specify Certmonger CA"Jenkins1-0/+8
2016-09-30Merge "Move the rest of static roles resource registry entries to j2"Jenkins3-0/+0
2016-09-29Add option to specify Certmonger CAJuan Antonio Osorio Robles1-0/+8
This will be used for internal (or even public) TLS, for when certmonger is generating the certificates. This same setting is used for the undercloud with the generate_service_certificate option. Change-Id: Ic54fe512b9ed5c71417a66491b7954e653f660b6
2016-09-29Balance Rabbitmq Queue Master Location on queue declaration with min-masters ↵Michele Baldessari1-0/+1
strategy It may happen that one of the controllers may become unavailable and Queue Masters will be located on available controllers during queue declarations. Once a lost controller will be become available masters of newly declared queues are not placed with priority to such controller with obviously lower number of queue masters and thus the distribution may be unbalanced and one of the controllers may become under significantly higher load in some circumstances of multiple fail-overs. With rabbit 3.6.0 rabbitmq introduced a new HA feature of Queue masters distribution - one of the strategies is min-masters, which picks the node hosting the minimum number of masters. One of the ways how to turn such min-masters strategy on is by adding following into configuration file - rabbitmq.config {rabbit,[ .. {queue_master_locator, <<"min-masters">>}, .. ]}, Change-Id: I61bcab0e93027282b62f2a97bec87cbb0a6e6551 Closes-Bug: #1629010
2016-09-29Cinder volume service is not managed by Pacemaker on BlockStorageGiulio Fidente2-1/+1
We do not want cinder-volume to be managed by Pacemaker on BlockStorage nodes, where Pacemaker is not running at all. This change adds a new BlockStorageCinderVolume service name which can (and is, by default) mapped to the non Pacemaker implementation of the service. The error was: Could not find dependency Exec[wait-for-settle] for Pacemaker::Resource::Systemd[openstack-cinder-volume] Also moves cinder::host setting into the Pacemaker specific service definition because we only want to set a shared host= string when the service is managed by Pacemaker. Closes-Bug: #1628912 Change-Id: I2f7e82db4fdfd5f161e44d65d17893c3e19a89c9
2016-09-29Move the rest of static roles resource registry entries to j2Carlos Camacho3-0/+0
Moving the rest of the static based resource registry entries to j2, this allows to extend the content of the template to the roles_list. Also moved the templates to correspond with the role name. Partial-Bug: #1626976 Change-Id: I1cbe101eb4ce5a89cba5f2cc45cace43d3380f22
2016-09-29Use netapp_host_type instead of netapp_eseries_host_typeGiulio Fidente1-4/+14
This patch deprecates netapp_eseries_host_type in favor of netapp_host_type. Change-Id: I113c770ca2e4dc54526d4262bacae48e223c54f4 Closes-Bug: 1579161
2016-09-28Move db::mysql into service_config_settingsDan Prince23-105/+111
This patch movs the various db::mysql hiera settings into a 'mysql' specific service_config_settings section for each service so that these will only get applied on the MySQL service node. This follows a similar puppet-tripleo change where we create the actual databases for all services locally on the MySQL service node to avoid permission issues. Change-Id: Ic0692b1f7aa8409699630ef3924c4be98ca6ffb2 Closes-bug: #1620595 Depends-On: I05cc0afa9373429a3197c194c3e8f784ae96de5f Depends-On: I5e1ef2dc6de6f67d7c509e299855baec371f614d
2016-09-28Merge "Deprecate the NeutronL3HA parameter"Jenkins1-7/+23
2016-09-27Fix NTP servers hieradataMarius Cornea1-1/+1
This patch enables correctly setting the NTP server passed via --ntp-server in the overcloud nodes' /etc/ntp.conf. Change-Id: Iff644b9da51fb8cd1946ad9d297ba0e94d3d782b
2016-09-27Merge "Add metricd workers support in gnocchi"Jenkins1-0/+5
2016-09-27Merge "Use parameter name to configure gmcast_listen_addr"Jenkins1-0/+8
2016-09-26Set manila::keystone::auth::tenantTom Barron1-0/+1
Without setting this parameter, overcloud deploy fails and 'openstack stack failures list overcloud' reveals the following error: Error: Puppet::Type::Keystone_user_role::ProviderOpenstack: Could not find project with name [services] and domain [Default] Error: /Stage[main]/Manila::Keystone::Auth/Keystone::Resource::Service_identity[manilav2]/Keystone_user_role[manilav2@services]: Could not evaluate: undefined method `[]' for nil:NilClass When we set manila::keystone::auth::tenant to 'service', analogous to cinder, nova, etc., the overcloud deploy completes successfully. Change-Id: I996ac2ff602c632a9f9ea9c293472a6f2f92fd72
2016-09-27Merge "Add integration with Manila CephFS Native driver"Jenkins1-0/+61
2016-09-27Merge "Neutron metadata agent worker count fix"Jenkins1-3/+10
2016-09-27Merge "Remove double definition of config_settings key in keystone"Jenkins1-1/+0
2016-09-26Merge "Bind MySQL address to hostname appropriate to its network"Jenkins2-1/+14
2016-09-26Use parameter name to configure gmcast_listen_addrJuan Antonio Osorio Robles1-0/+8
This used to used mysql_bind_ip, but this parameter is quite misleading since what it actually configures is not the bind-ip itself, but the gmcast.listen_addr parameter. This fixes that confusion. Depends-On: Iea4bd67074824e5dc6732fd7e408743e693d80b3 Change-Id: I2b114600e622491ccff08a07946926734b50ac70
2016-09-26Remove double definition of config_settings key in keystoneJuan Antonio Osorio Robles1-1/+0
Change-Id: I291bfb1e5736864ea504cd82eea1d4001fcdd931
2016-09-26Bind MySQL address to hostname appropriate to its networkJuan Antonio Osorio Robles2-1/+14
This now takes into use the mysql_bind_host key, to set an appropriate fqdn for mysql to bind to. Closes-Bug: #1627060 Change-Id: I50f4082ea968d93b240b6b5541d84f27afd6e2a3 Depends-On: I316acfd514aac63b84890e20283c4ca611ccde8b
2016-09-26Add metricd workers support in gnocchiCarlos Camacho1-0/+5
Depending on the environment, gnocchi workers uses several controller resources RAM/CPU, this option makes it configurable. Also, configured to 1 in environments/low-memory-usage.yaml which will reduce the service footprint in i.e. CI Change-Id: Ia008b32151f4d8fec586cf89994ac836751b7cce Closes-bug: #1626473
2016-09-25get_param calls with multiple arguments need brackets around themMichele Baldessari2-8/+8
This issue was spotted during major upgrade where we had calls like this: servers: {get_param: servers, Controller} These get_param calls are hanging indefinitely and make the whole upgrade end in a timeout. We need to put brackets around the get_param function when there are multiple arguments: http://docs.openstack.org/developer/heat/template_guide/hot_spec.html#get-param This is already done in most of the tree, and the few places where this was not happening were parts not under CI. After this change the following grep returns only one false positive: grep -ir get_param: |grep -v -- '\[' |grep ',' Change-Id: I65b23bb44f37b93e017dd15a5212939ffac76614 Closes-Bug: #1626628