aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2015-12-18Align template defaults with the clientGiulio Fidente2-4/+4
This aligns the parameter default values from python-tripleoclient with tripleo-heat-templates. This is in preparation for removing all the defaults from the client, and maintaining them only in the templates. Change-Id: I7b635a250f1ecc170e18d8e434f0118c6fcbb942 Co-Authored-By: James Slagle <jslagle@redhat.com>
2015-12-18Merge "Fix typo in HostsEntry output description"Jenkins1-1/+1
2015-12-18Merge "Allow for usage of pre-allocated IPs for the controller nodes"Jenkins1-0/+19
2015-12-17Merge "pacemaker: run neutron-server-start-wait-stop only at step 4"Jenkins1-9/+26
2015-12-17Merge "Implement Workers parameters"Jenkins1-0/+54
2015-12-16Update VNI and TunnelID ranges.Joe Talerico2-4/+4
Without modification we cannot scale to more than 1000 networks. Neutron will send this message to the user: "Unable to create the network. No tenant network is available for allocation." Change-Id: I5ecbc66a0b6aaa5edbe2669eed9caadfb0691511
2015-12-16Merge "Wire Neutron ML2 plugin and OVS agent settings as arrays"Jenkins5-137/+120
2015-12-15Merge "Pacemaker maintenance mode for the duration of Puppet run on update"Jenkins2-1/+31
2015-12-15Wire Neutron ML2 plugin and OVS agent settings as arraysGiulio Fidente5-137/+120
Wires the following as arrays to the neutron module: - mechanism_drivers - flat_networks - tenant_network_types - tunnel_types - bridge_mappings Also updates the template version to use a Liberty feature which allows serialization of comma_delimited_list into JSON. Tidies up the manifests by removing the class declarations since config is passed by the puppet/controller+compute hiera mapped_data. Change-Id: Ie9f85fb827099f897ef750e267bc3ed3a864fe59 Co-Authored-By: Steven Hardy <shardy@redhat.com>
2015-12-15Allow for usage of pre-allocated IPs for the controller nodesGiulio Fidente1-0/+19
This change adds a new *_from_pool.yaml meant to return an IP from a list instead of allocating a Neutron port, useful to pick an IP from a pre-defined list and making it possible to configure, for example an external balancer in advance (or dns), with the future IPs of the controller nodes. The list of IPs is provided via parameter_defaults (in the ControllerIPs struct) using ControllerIPs param. Also some additional VipPort types are created for the *VirtualIP resources. The VIPs were previously created using the same port resource used by the nodes, but when deploying with an external balancer we want the VIP resource to be nooped instead. Change-Id: Id3d4f12235501ae77200430a2dc022f378dce336
2015-12-15Merge "Set swift replicas = min(device_count, replicas)"Jenkins1-1/+1
2015-12-14Merge "Fix wrong keypair parameter description"Jenkins5-5/+5
2015-12-15Fix typo in HostsEntry output descriptionJuan Antonio Osorio Robles1-1/+1
Change-Id: I72a79d8200adee8258033e8da370051bbfd1986b
2015-12-14Merge "Add output for host entries"Jenkins1-0/+6
2015-12-14Set swift replicas = min(device_count, replicas)Dan Prince1-1/+1
Per Swift upstream commit: 7035639dfd239b52d4ed46aae50f78d16ec8cbfe Swift's ringbuilder now validates that the number of devices is greater than or equal to the replicas. Change-Id: I56eaa9ddda138e87f7615d3bde797b568fa5e302 Related-bug: #1525356
2015-12-14Merge "Enable per-role SchedulerHints"Jenkins5-3/+25
2015-12-14Pacemaker maintenance mode for the duration of Puppet run on updateSteven Hardy2-1/+31
This enables pacemaker maintenantce mode when running Puppet on stack update. Puppet can try to restart some overcloud services, which pacemaker tries to prevent, and this can result in a failed Puppet run. At the end of the puppet run, certain pacemaker resources are restarted in an additional SoftwareDeployment to make sure that any config changes have been fully applied. This is only done on stack updates (when UpdateIdentifier is set to something), because the assumption is that on stack create services already come up with the correct config. (Change I9556085424fa3008d7f596578b58e7c33a336f75 has been squashed into this one.) Change-Id: I4d40358c511fc1f95b78a859e943082aaea17899 Co-Authored-By: Jiri Stransky <jistr@redhat.com> Co-Authored-By: James Slagle <jslagle@redhat.com>
2015-12-12Add SoftwareConfigTransport for switching transportsSteve Baker5-0/+40
This change adds a SoftwareConfigTransport parameter to role templates so that the transport can be changed via a parameter_defaults entry. This change will have no effect on an existing overcloud as the current default POLL_SERVER_CFN is now explicit in the parameter default. Change-Id: I5c2a2d2170714093c5757282cba12ac65f8738a4
2015-12-10pacemaker: run neutron-server-start-wait-stop only at step 4Emilien Macchi1-9/+26
neutron-server-start-wait-stop is a dangerous Exec that is exposed to race conditions, because it does not have "onlyif" or "unless" statements. That means during a deployment, this exec can be run in the wrong order during Step 5 and/or 6, while it was supposed to be run at Step 4 only. If that happens, the exec will fail because puppet tries to start neutron-server while Pacemaker already started the resource. So in that case, systemd would returns 1 to Puppet which would return 6 to the overcloud deployment and the deployment would fail to finish correctly. This patch aims to prevent from this scenario by making sure we run the exec only during the step 4. Also, in order to secure it a bit more, we add 'unless' statement to this exec, so we would make sure the Puppet run would be idempotent and the Exec would run one successful time only. https://bugzilla.redhat.com/show_bug.cgi?id=1290582 Change-Id: I42813c5cff6c525c15c9c24baad4e355f88af672
2015-12-10Fix wrong keypair parameter descriptionSteven Hardy5-5/+5
The parameters have nothing to do with EC2 keypairs, they are used to specify Nova SSH key pairs. Change-Id: Ia8d37cb5c443812d02133747cb54fcaf0110d091
2015-12-10Set the name property for all deployment resourcesSteve Baker19-0/+40
There are two reasons the name property should always be set for deployment resources: - The name often shows up in logs, files and API calls, the default derived name is long and unhelpful - Sorting by name determines the merge order of os-apply-config, and the execution order of puppet/shell scripts (note this is different to resource dependency order) so leaving the default name results in an undetermined order which could lead to unpredictable deployment of configs This change simply sets the name to the resource name, but a future change should prepend each name with a run-parts style 2 digit prefix so that the order is explicitly stated. Documentation for extraconfig needs to clearly state what prefix is needed to override which merge/execution order. For existing overcloud stacks, heat currently replaces deployment resources when the name changes, so this change Depends-On: I95037191915ccd32b2efb72203b146897a4edbc9 Change-Id: Ic4bcd56aa65b981275c3d4214588bfc4de63b3b0
2015-12-09Remove unsafe "unset" defaultsSteven Hardy4-25/+0
All of our sensitive parameters are defaulted to easily predictable values, which is very bad from a security perspective because we don't force clients to make sane choices thus risk deploying with the predictable default values. tripleoclient supports generating random values for all of these, so remove the defaults, for non-tripleoclient usage we can create a developer-only environment with defaults. Related-Bug: #1516027 Change-Id: Ia0cf3b7e2de1aa42cf179cba195fb7770a1fc21c Depends-On: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
2015-12-08Merge "Remove Ceilometer Alarm from the overcloud"Jenkins2-64/+0
2015-12-08Merge "Change for configuring use_forwarded_for value for Nuage"Jenkins1-0/+7
2015-12-08Implement Workers parametersEmilien Macchi1-0/+54
* For each OpenStack service, create a new parameter to change worker number (default to 0 to keep default behavior) * Use the parameter in Puppet configuration (Hiera) to configure the services with the number of workers defined by the parameter. Change-Id: Ic147bc9225aab48e94243a94a2189467829b8d55
2015-12-08Enable per-role SchedulerHintsSteven Hardy5-3/+25
This adds a parameter for each role, where optional scheduler hints may be passed to nova. One potential use-case for this is using the ComputeCapabilities to pin deployment to a specific node (not just a specific role/profile mapping to a pool of nodes like we have currently documented in the ahc-match docs). This could work as follows: 1. Tag a specific node as "node:controller-0" in Ironic: ironic node-update <id> replace properties/capabilities='node:controller-0,boot_option:local' 2. Create a heat environment file which uses %index% parameters: ControllerSchedulerHints: 'capabilities:node': 'controller-%index%' Change-Id: I79251dde719b4bb5c3b0cce90d0c9d1581ae66f2
2015-12-08Enable TLS in loadbalancer if cert path is detectedJuan Antonio Osorio Robles1-6/+1
If there is a value for the certificate path (which should only happen if the environment for enabling TLS is used) then the loadbalancer will detect it and configure it's front ends correctly. On the other hand a proper override for the example environment was given, since this will be needed because we want to pass the hosts and protocols correctly so the tripleoclient will catch it and pass it to os-cloud-config Change-Id: Ifba51495f0c99398291cfd29d10c04ec33b8fc34 Depends-On: Ie2428093b270ab8bc19fcb2130bb16a41ca0ce09
2015-12-07Merge "Making nova parameters configurable for nuage-metadata-agent"Jenkins4-1/+9
2015-12-07Merge "Add option to add metadata for the overcloud nodes"Jenkins5-0/+35
2015-12-07Change for configuring use_forwarded_for value for NuageLokesh Jain1-0/+7
Added a parameter to Nuage ExtraConfig template for setting use_forwarded_for value required by Nuage metadata agent Change-Id: I02c15311272126c5e530f118fbfb4a8f6e11a620
2015-12-07Remove Ceilometer Alarm from the overcloudJohn Trowbridge2-64/+0
The Ceilometer alarm service is no longer available in Mitaka. It is replaced by Aodh. Aodh support is added in a follow-up to this patch. Partial-Bug: 1521922 Change-Id: I5babaab7029eaaccf3cc6f194b6c062fd62372cf Backport: none
2015-12-07Merge "Fix the wrong selinux context when glance uses nfs backend"Jenkins1-1/+2
2015-12-04Making nova parameters configurable for nuage-metadata-agentRohit Pagedar4-1/+9
Exposing 'instance_name_template' to be set via extra config for nuage-metadata-agent to function Making nova::api::admin_tenant_name available on the compute node which is required by nuage-metadata-agent service Making KeystonePublicApiVirtualIP available on the compute node, which is used by the nuage-metadata-agent to build the auth-url Change-Id: I9736015e18cebf32b07940bf559063b60085f2fb
2015-12-04Add output for host entriesJuan Antonio Osorio Robles1-0/+6
For testing purposes it is useful to have an easy way to get the given IPs for the nodes; since currently one would have to ssh to one of the ndoes and actually fetch the entries from there. This will facilitate testing when the keystone endpoints have been changed for hostnames, as done in this CR: https://review.openstack.org/#/c/238887 Change-Id: I9b9362192d7e97690ba23d02e74389225913adb9
2015-12-04Add option to add metadata for the overcloud nodesJuan Antonio Osorio Robles5-0/+35
Some Nova hooks might require custom properties/metadata set for the servers deployed in the overcloud, and this would enable us to inject such information. For FreeIPA (IdM) integration, there is effectively a Nova hook that requires such data. Currently this inserts metadata for all servers, but a subsequent CR will introduce per-role metadata. However, that was not added to this because it will require the usage of map_merge. which will block those changes to be backported. However, this one is not a problem in that sense. Change-Id: I98b15406525eda8dff704360d443590260430ff0
2015-12-03Merge "Minor fixes to TLS related resources"Jenkins3-6/+4
2015-12-03Merge "Introduce domain configuration through parameter"Jenkins5-5/+44
2015-12-02Merge "Added libvirt_vif_driver, ovs_bridge and security_group_api parameters"Jenkins1-0/+18
2015-12-02Merge "Make enabling of controller services configurable."Jenkins2-127/+179
2015-12-02Introduce domain configuration through parameterJuan Antonio Osorio Robles5-5/+44
Introduce configuration of the nodes' domains through a parameter. Change-Id: Ie012f9f2a402b0333bebecb5b59565c26a654297
2015-11-30Changes for configuring NuageRohit Pagedar2-0/+57
Added ExtraConfig templates and environment files for Nuage Networks specific parameters. Modified overcloud_compute.pp to conditionally include nuage-metadata-agent. Change-Id: I28106d8e26ad4d0158fe5e3a13f2f7b21e5c0b28
2015-11-30Changes for configuring NuageLokesh Jain6-61/+204
Added ExtraConfig templates and environment files for Nuage specific parameters. Modified overcloud_compute.pp and overcloud_controller.pp to conditionally include Nuage plugin and agents. Change-Id: I95510c753b0a262c73566481f9e94279970f4a4f
2015-11-26Merge "Make load balancer deployment optional via template param"Jenkins3-144/+162
2015-11-26Minor fixes to TLS related resourcesJuan Antonio Osorio Robles3-6/+4
* Fixed a comment to avoid ambiguity with concepts in Heat * Removed default values from necessary parameters in the TLS environment * Simplified setting of the cert/key into a file. Change-Id: I351778150a6fbf7affe1a0fddb1abb9869324dfc
2015-11-25Make enabling of controller services configurable.vinayrao1232-127/+179
Following parameters will be user configurable: 1. enable_dhcp_agent 2. enable_metadta_agent 3. enable_l3_agent 4. enable_ovs_agent This change was made as the Nuage plugin does not require these services to come up as a part of the installation. Now, a user can explicitly disable these services using a heat template. Change-Id: Ic132ecbb2e81a3746f304da1cecdc66d0342db72
2015-11-25Merge "Output the SSL Certificate and Key modulus"Jenkins3-0/+26
2015-11-25Merge "Enable trust anchor injection"Jenkins7-6/+129
2015-11-25Merge "Inject TLS certificate and keys for the Overcloud"Jenkins3-14/+127
2015-11-25Output the SSL Certificate and Key modulusMark Chappell3-0/+26
Provides a simple mechanism to verify the correct certificates landed. A quick and simple way to verify SSL certificates were generated for a given key is by comparing the modulus of the two. By outputing the key modulus and certificate modulus we offer a way to verify that the right cert and key have been deployed without compromising any of the secrets. Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
2015-11-25Enable trust anchor injectionJuan Antonio Osorio Robles7-6/+129
This commit enables the injection of a trust anchor or root certificate into every node in the overcloud. This is in case that the TLS certificates for the controllers are signed with a self-signed CA or if the deployer would like to inject a relevant root certificate for other purposes. In this case the other nodes might need to have the root certificate in their trust chain in order to do proper validation Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856