OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins as a part of the Git hosting and code review systems migration detailed in these mailing list posts: http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html Attempts have been made to correct repository namespaces and hostnames based on simple pattern matching, but it's possible some were updated incorrectly or missed entirely. Please reach out to us via the contact information listed at https://opendev.org/ with any questions you may have.
|6 days ago|
|doc||2 years ago|
|fuel_external_git||2 years ago|
|specs||2 years ago|
|tools||2 years ago|
|.gitignore||2 years ago|
|.gitreview||6 days ago|
|LICENSE||2 years ago|
|MANIFEST.in||2 years ago|
|README.md||2 years ago|
|requirements.txt||2 years ago|
|setup.cfg||2 years ago|
|setup.py||2 years ago|
|test-requirements.txt||2 years ago|
|tox.ini||2 years ago|
Nailgun extension that generates deployment data based on configuration files published in external git repository
Operational Fuel 9.x (Mitaka) Master Node
Execute following commands on Fuel Master node
# yum install git python-pip # git clone https://github.com/openstack/fuel-nailgun-extension-iac # cd fuel-nailgun-extension-iac # pip install -r requirements.txt # python setup.py install # nailgun_syncdb # systemctl restart nailgun.service
Since the 9. version of Fuel extension should be enabled. To list all available extensions execute following command
# fuel2 extension list
Than enable extension for a particular environment
# fuel2 env extension enable <env_id> -E fuel_external_git
This extension introduces two sets of additional Fuel CLI commands. The first set allows the operator to associate a git repo with a particular environment and preform CRUD operations on this repo. The second set allows the operator to execute audit and enforce operations on the environment as well as list the changes made to configuration. It also allows to manage white lists for these changes. See details here.
gitrepo create gitrepo delete gitrepo get configs gitrepo list gitrepo update audit enforce audit noop audit list outofsync audit whitelist show audit whitelist add audit whitelist delete
Create repository and configure nailgun to use it.
fuel2 gitrepo create --env 1 --name oscnf1 --url email@example.com:dukov/oscnf.git --ref master \ --key .ssh/id_rsa
In order to track configuration evolution it is possible to download all configuration files from the environment into separate branch of configured Git repository. User which has been configured to access repository must have write permissions to it
fuel2 gitrepo get configs --env 1
Here is the example repo structure
. |-- cluster.yaml |-- nodes | `-- node-1.domain.local.yaml `-- roles |-- compute.yaml |-- controller.yaml `-- primary-controller.yaml
There are three levels of configuration: Cluster, Role, Node. Each level has higher priority in terms of configuration parameters.
For example we have following contents of the files
# cat cluster.yaml configuration: nova_config: 'DEFAULT/nova_test': value: cluster_param 'DEFAULT/another_param': value: another_param_value # cat roles/primary-controller.yaml configuration: nova_config: 'DEFAULT/nova_test': value: controller_param
Resulting configuration Hash will be:
configuration: nova_config: 'DEFAULT/nova_test': value: controller_param 'DEFAULT/another_param': value: another_param_value
This feature enables the operator to audit the changes made to the environment as well as enforce configuration.
fuel2 audit noop --env <env-id> || --repo <repo-id>
Audit is basically a Fuel graph run with noop flag set. This runs the whole graph and records Puppet resources, that would have changed their state. The command above is equivalent to
fuel2 env redeploy --noop <env-id>
After the audit run, the operator is able to list the changes to the state of Puppet resources on the environment via following command:
fuel2 audit list outofsync --task <noop-task-id> || --repo <repo-id>
This is a convenient alternative to the stock command:
fuel2 task history show <noop-task-id> --include-summary
To enforce configuration state, the operator can issue a stock redeploy command:
fuel2 env redeploy <env-id>
To perform the whole audit-enforce process automatically, this extension provides the following command:
fuel2 audit enforce --env <env-id> || --repo <repo-id>
This command will run audit, check the changes and will enforce configuration, if needed.
Since fuel-library contains non-idempotent tasks, that contain Puppet resources, which will be triggered on each deployment run, this extension provides the operator the ability to filter such changes out.
A whitelist rule is a pair of strings. The first one is a fuel task name to match. The second one is what should be included into a Puppet report line for the whitelisted resource change, e.g. for
the whitelist rule could be
A rule with empty fuel_task filter will match to all tasks.
Whitelist rules for an environment can be listed by
fuel2 audit whitelist show <env-id>
These rules can be managed by following commands:
fuel2 audit whitelist add <env-id> --task <fuel-task> --rule <rule> fuel2 audit whitelist delete <rule-id> [<rule-id> ...] fuel2 audit whitelist load fromfile <env-id> <path-to-yaml>
Example YAML file with whitelist rules:
- fuel_task: netconfig rule: L23_stored_configs - fuel_task: top-role-compute rule: Service[nova-compute]/ensure
The default whitelist can be loaded with following command
fuel2 audit whitelist load fromfile <env-id> /usr/lib/python2.7/site-packages/fuel_external_git/default_whitelist.yaml
Note: this whitelist is not complete as it has been put together on following configuration: MOS 9.1, Ubuntu, 1 controller, 1 compute+cinder lvm, Neutron GRE.
API documentation can be found here