| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
neutron-server-start-wait-stop is a dangerous Exec that is exposed to
race conditions, because it does not have "onlyif" or "unless"
statements.
That means during a deployment, this exec can be run in the wrong order
during Step 5 and/or 6, while it was supposed to be run at Step 4 only.
If that happens, the exec will fail because puppet tries to start
neutron-server while Pacemaker already started the resource. So in that
case, systemd would returns 1 to Puppet which would return 6 to the
overcloud deployment and the deployment would fail to finish correctly.
This patch aims to prevent from this scenario by making sure we run the
exec only during the step 4.
Also, in order to secure it a bit more, we add 'unless' statement to
this exec, so we would make sure the Puppet run would be idempotent and
the Exec would run one successful time only.
https://bugzilla.redhat.com/show_bug.cgi?id=1290582
Change-Id: I42813c5cff6c525c15c9c24baad4e355f88af672
|
|
The parameters have nothing to do with EC2 keypairs, they are used to
specify Nova SSH key pairs.
Change-Id: Ia8d37cb5c443812d02133747cb54fcaf0110d091
|
|
There are two reasons the name property should always be set for deployment
resources:
- The name often shows up in logs, files and API calls, the default
derived name is long and unhelpful
- Sorting by name determines the merge order of os-apply-config, and the
execution order of puppet/shell scripts (note this is different to
resource dependency order) so leaving the default name results in an
undetermined order which could lead to unpredictable deployment of
configs
This change simply sets the name to the resource name, but a future change
should prepend each name with a run-parts style 2 digit prefix so that the
order is explicitly stated. Documentation for extraconfig needs to clearly
state what prefix is needed to override which merge/execution order.
For existing overcloud stacks, heat currently replaces deployment resources
when the name changes, so this change
Depends-On: I95037191915ccd32b2efb72203b146897a4edbc9
Change-Id: Ic4bcd56aa65b981275c3d4214588bfc4de63b3b0
|
|
All of our sensitive parameters are defaulted to easily predictable
values, which is very bad from a security perspective because we don't
force clients to make sane choices thus risk deploying with the
predictable default values. tripleoclient supports generating random
values for all of these, so remove the defaults, for non-tripleoclient
usage we can create a developer-only environment with defaults.
Related-Bug: #1516027
Change-Id: Ia0cf3b7e2de1aa42cf179cba195fb7770a1fc21c
Depends-On: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
|
|
|
|
|
|
* For each OpenStack service, create a new parameter to change worker
number (default to 0 to keep default behavior)
* Use the parameter in Puppet configuration (Hiera) to configure the
services with the number of workers defined by the parameter.
Change-Id: Ic147bc9225aab48e94243a94a2189467829b8d55
|
|
This adds a parameter for each role, where optional scheduler hints
may be passed to nova. One potential use-case for this is using
the ComputeCapabilities to pin deployment to a specific node (not
just a specific role/profile mapping to a pool of nodes like we
have currently documented in the ahc-match docs).
This could work as follows:
1. Tag a specific node as "node:controller-0" in Ironic:
ironic node-update <id> replace properties/capabilities='node:controller-0,boot_option:local'
2. Create a heat environment file which uses %index%
parameters:
ControllerSchedulerHints:
'capabilities:node': 'controller-%index%'
Change-Id: I79251dde719b4bb5c3b0cce90d0c9d1581ae66f2
|
|
If there is a value for the certificate path (which should only happen
if the environment for enabling TLS is used) then the loadbalancer will
detect it and configure it's front ends correctly. On the other hand
a proper override for the example environment was given, since this
will be needed because we want to pass the hosts and protocols
correctly so the tripleoclient will catch it and pass it to
os-cloud-config
Change-Id: Ifba51495f0c99398291cfd29d10c04ec33b8fc34
Depends-On: Ie2428093b270ab8bc19fcb2130bb16a41ca0ce09
|
|
|
|
|
|
Added a parameter to Nuage ExtraConfig template for setting
use_forwarded_for value required by Nuage metadata agent
Change-Id: I02c15311272126c5e530f118fbfb4a8f6e11a620
|
|
The Ceilometer alarm service is no longer available
in Mitaka. It is replaced by Aodh.
Aodh support is added in a follow-up to this patch.
Partial-Bug: 1521922
Change-Id: I5babaab7029eaaccf3cc6f194b6c062fd62372cf
Backport: none
|
|
|
|
Exposing 'instance_name_template' to be set via
extra config for nuage-metadata-agent to function
Making nova::api::admin_tenant_name
available on the compute node which is
required by nuage-metadata-agent service
Making KeystonePublicApiVirtualIP available
on the compute node, which is used by the
nuage-metadata-agent to build the auth-url
Change-Id: I9736015e18cebf32b07940bf559063b60085f2fb
|
|
For testing purposes it is useful to have an easy way to get the given
IPs for the nodes; since currently one would have to ssh to one of the
ndoes and actually fetch the entries from there.
This will facilitate testing when the keystone endpoints have been
changed for hostnames, as done in this CR:
https://review.openstack.org/#/c/238887
Change-Id: I9b9362192d7e97690ba23d02e74389225913adb9
|
|
Some Nova hooks might require custom properties/metadata set for the
servers deployed in the overcloud, and this would enable us to inject
such information.
For FreeIPA (IdM) integration, there is effectively a Nova hook that
requires such data.
Currently this inserts metadata for all servers, but a subsequent CR
will introduce per-role metadata. However, that was not added to this
because it will require the usage of map_merge. which will block those
changes to be backported. However, this one is not a problem in that
sense.
Change-Id: I98b15406525eda8dff704360d443590260430ff0
|
|
|
|
|
|
|
|
|
|
Introduce configuration of the nodes' domains through a parameter.
Change-Id: Ie012f9f2a402b0333bebecb5b59565c26a654297
|
|
Added ExtraConfig templates and environment files
for Nuage Networks specific parameters.
Modified overcloud_compute.pp to conditionally
include nuage-metadata-agent.
Change-Id: I28106d8e26ad4d0158fe5e3a13f2f7b21e5c0b28
|
|
Added ExtraConfig templates and environment files for Nuage specific parameters.
Modified overcloud_compute.pp and overcloud_controller.pp to conditionally
include Nuage plugin and agents.
Change-Id: I95510c753b0a262c73566481f9e94279970f4a4f
|
|
|
|
* Fixed a comment to avoid ambiguity with concepts in Heat
* Removed default values from necessary parameters in the TLS
environment
* Simplified setting of the cert/key into a file.
Change-Id: I351778150a6fbf7affe1a0fddb1abb9869324dfc
|
|
Following parameters will be user configurable:
1. enable_dhcp_agent
2. enable_metadta_agent
3. enable_l3_agent
4. enable_ovs_agent
This change was made as the Nuage plugin does not require these
services to come up as a part of the installation.
Now, a user can explicitly disable these services using a heat
template.
Change-Id: Ic132ecbb2e81a3746f304da1cecdc66d0342db72
|
|
|
|
|
|
|
|
Provides a simple mechanism to verify the correct certificates
landed.
A quick and simple way to verify SSL certificates were generated for
a given key is by comparing the modulus of the two. By outputing
the key modulus and certificate modulus we offer a way to verify
that the right cert and key have been deployed without compromising
any of the secrets.
Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
|
|
This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This is in case that the
TLS certificates for the controllers are signed with a self-signed CA
or if the deployer would like to inject a relevant root certificate
for other purposes. In this case the other nodes might need to have
the root certificate in their trust chain in order to do proper
validation
Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
|
|
Adds control over the load balancer deployment via template param.
Change-Id: I5625083ff323a87712a5fd3f9a64dd66d2838468
|
|
|
|
This is a first implementation of adding TLS termination to the load
balancer in the controllers. The implementation was made so that the
appropriate certificate/private key in PEM format is copied to the
appropriate controller(s) via a software deployment resource.
And the path is then referenced on the HAProxy configuration, but this
part was left commented out because we need to be able to configure the
keystone endpoints in order for this to work properly.
Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
|
|
|
|
|
|
We don't necessarily want the network configuration to be reapplied
with every template update so we add a param to configure on which
action the NetworkDeployment resource should be executed.
Change-Id: I0e86318eb5521e540cc567ce9d77e1060086d48b
Co-Authored-By: Dan Sneddon <dsneddon@redhat.com>
Co-Authored-By: James Slagle <jslagle@redhat.com>
Co-Authored-By: Jiri Stransky <jstransk@redhat.com>
Co-Authored-By: Steven Hardy <shardy@redhat.com>
|
|
Results from pmap of idle nova-compute:
https://gist.github.com/jtaleric/addd9079d6cdf4f7cf42
Results from free -m and cat /proc/meminfo:
https://gist.github.com/jtaleric/410130f09c2aad2dc7e9
bug: https://bugzilla.redhat.com/show_bug.cgi?id=1282644
Change-Id: I9b3ceecabfdae0a516cfc72886fde7b26cc68f82
|
|
Consume puppet-tripleo to create/manage IPtables from Heat templates.
This review put in place the logic to enable and setup firewall rules.
A known set of rules are applied. More to come.
Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
|
|
|
|
|
|
|
|
Made libvirt_vif_driver, ovs_bridge and security_group_api parameters
in nova as configurable parameters through heat templates
Change-Id: I3f355c31a64912baa1a159d59f0fa9089f77b8f4
|
|
* Add NovaApiVirtualIP string parameter.
* Compute nova_url and nova_admin_auth_url parameters.
* Configure in Hiera neutron::server::notifications::* parameters.
* non-ha: include ::neutron::server::notifications
* ha: include ::neutron::server::notifications and create orchestration
* Set vif_plugging_is_fatal to True so we actually fail if Neutron is not
able to create the VIF during Nova server creation workflow.
Depends-On: I21dc10396e92906eab4651c318aa2ee62a8e03c7
Change-Id: I02e41f87404e0030d488476680af2f6d45af94ff
|
|
* Use the parameter in Puppet configuration (Hiera) to configure neutron
BZ-1273303
Change-Id: Ic5a7a1f13fd2bc800cadc3a78b1daadbc0394787
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
|
|
|
|
This change adds support for enabling/disabling L2 population in
Neutron agents. It currently defaults to false.
Change-Id: I3dd19feb4acb1046bc560b35e5a7a111364ea0d7
|
|
|
|
|
Emilien Macchi
Steven Hardy
Steve Baker
Jenkins
Juan Antonio Osorio Robles
Lokesh Jain
John Trowbridge
Rohit Pagedar
vinayrao123
Mark Chappell
Giulio Fidente
Joe Talerico
Cyril Lopez
Brent Eagles