Commit Graph

60 Commits

Author SHA1 Message Date
Zuul
87984f5425 Merge "Add Ansible group check to prechecks" 2020-04-16 15:33:46 +00:00
Zuul
975db2b2b4 Merge "OVN Support" 2020-04-15 20:51:57 +00:00
Zuul
9d217e92aa Merge "Introduce /etc/timezone to Debian/Ubuntu containers" 2020-04-10 10:38:37 +00:00
Dincer Celik
4b5df0d866 Introduce /etc/timezone to Debian/Ubuntu containers
Some services look for /etc/timezone on Debian/Ubuntu, so we should
introduce it to the containers.

In addition, added prechecks for /etc/localtime and /etc/timezone.

Closes-Bug: #1821592
Change-Id: I9fef14643d1bcc7eee9547eb87fa1fb436d8a6b3
2020-04-09 18:53:36 +00:00
Michal Nasiadka
8a0740df97 OVN Support
Implement OVN Ansible role.

Implements: blueprint ovn-controller-neutron-ansible

Depends-On: https://review.opendev.org/713422
Change-Id: Icd425dea85d58db49c838839d8f0b864b4a89a78
2020-04-09 07:40:12 +02:00
Mark Goddard
1d70f509e3 Perform host configuration during upgrade
This is a follow up to I001defc75d1f1e6caa9b1e11246abc6ce17c775b. To
maintain previous behaviour, and ensure we catch any host configuration
changes, we should perform host configuration during upgrade.

Change-Id: I79fcbf1efb02b7187406d3c3fccea6f200bcea69
Related-Bug: #1860161
2020-04-08 17:03:22 +01:00
Mark Goddard
fdea19a305 Separate per-service host configuration tasks
Currently there are a few services that perform host configuration
tasks. This is done in config.yml. This means that these changes are
performed during 'kolla-ansible genconfig', when we might expect not to
be making any changes to the remote system.

This change separates out these host configuration tasks into a
config-host.yml file, which is included directly from deploy.yml.

One change in behaviour is that this prevents these tasks from running
during an upgrade or genconfig. This is probably what we want, but we
should be careful when any of these host configuration tasks are
changed, to ensure they are applied during an upgrade if necessary.

Change-Id: I001defc75d1f1e6caa9b1e11246abc6ce17c775b
Closes-Bug: #1860161
2020-04-02 13:51:56 +00:00
Radosław Piliszek
266fd61ad7 Use "name:" instead of "role:" for *_role modules
Both include_role and import_role expect role's name to be given
via "name" param instead of "role".
This worked but caused errors with ansible-lint.
See: https://review.opendev.org/694779

Change-Id: I388d4ae27111e430d38df1abcb6c6127d90a06e0
2020-03-02 10:01:17 +01:00
Mark Goddard
49fb55f182 Add Ansible group check to prechecks
We assume that all groups are present in the inventory, and quite obtuse
errors can result if any are not.

This change adds a precheck that checks for the presence of all expected
groups in the inventory for each service. It also introduces a common
service-precheck role that we can use for other common prechecks.

Change-Id: Ia0af1e7df4fff7f07cd6530e5b017db8fba530b3
Partially-Implements: blueprint improve-prechecks
2020-02-28 16:23:14 +00:00
Zuul
4ca8b102d0 Merge "Change /run bind mount for neutron/openvswitch" 2020-02-20 12:01:55 +00:00
Michal Nasiadka
227008cf68 Change /run bind mount for neutron/openvswitch
Currently we have a very wide /run mount for all Neutron/OVS services,
which allows sudo/rootwrap to contact with the hosts dbus - all symptoms
are documented in the related bug.

Since we use tcp connections to OVS from Neutron agents - removing
bind mounts.

Closes-Bug: #1861792

Change-Id: Ifee4bec7b2e9ef4e2d624b1411f1a9e6332325c6
2020-02-20 09:09:12 +01:00
Mark Goddard
0ab13dc7db Clean up some kolla-kubernetes cruft in OVS
The start-ovsdb-server script is only ever called with one argument by
kolla ansible, so we can remove the multiple argument handling used by
kolla-kubernetes (RIP).

Change-Id: I9c3bc8ad24768052fc883c6fedd5f19336eb3fa4
2020-02-19 17:39:12 +00:00
Mark Goddard
9755c924be CentOS 8: Support variable image tag suffix
For the CentOS 7 to 8 transition, we will have a period where both
CentOS 7 and 8 images are available. We differentiate these images via a
tag - the CentOS 8 images will have a tag of train-centos8 (or
master-centos8 temporarily).

To achieve this, and maintain backwards compatibility for the
openstack_release variable, we introduce a new 'openstack_tag' variable.
This variable is based on openstack_release, but has a suffix of
'openstack_tag_suffix', which is empty except on CentOS 8 where it has a
value of '-centos8'.

Change-Id: I12ce4661afb3c255136cdc1aabe7cbd25560d625
Partially-Implements: blueprint centos-rhel-8
2020-01-10 09:56:04 +00:00
Michal Nasiadka
865ac24fc5 Remove Neutron integration with ONOS
Change-Id: Ie35ea07b8b6f95cbb56eb722ae2366c00243e562
2019-11-18 15:39:19 +00:00
Michal Nasiadka
eec6831fff Remove OpenDaylight role
Opendaylight support has been deprecated in Train - time to remove it.

Change-Id: I3a61bfbcbf366c327ea3e25d2424bc3fedca29f0
2019-11-18 11:57:32 +00:00
Zuul
bb3c3df400 Merge "Openvswitch: some ovs tools require ovs daemons pidfiles" 2019-10-17 19:19:25 +00:00
Viktor Michalek
492940be7b Openvswitch: some ovs tools require ovs daemons pidfiles
Change-Id: I4050c243f05571bbebab07b08c101e61879cda67
Closes-Bug: 1848363
2019-10-16 19:02:50 +02:00
Radosław Piliszek
bc053c09c1 Implement IPv6 support in the control plane
Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname
(haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion
(baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround
(socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting
as it is not used (let's avoid any confusion)
and could break setups without proper multicast routing
if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we
currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
This is due to old RabbitMQ versions available in images.
IPv4 is preferred by default and may fail in the IPv6-only scenario.
This should be no problem in real life as IPv6-only is indeed IPv6-only.
Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
no longer be relevant as we supply all the necessary config.
See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
to work well). Older Ansible versions are known to miss IPv6 addresses
in interface facts. This may affect redeploys, reconfigures and
upgrades which run after VIP address is assigned.
See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments.
See: https://storyboard.openstack.org/#!/story/2006689

Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-10-16 10:24:35 +02:00
Kris Lindgren
2fe0d98ebb Add a job that *only* deploys updated containers
Sometimes as cloud admins, we want to only update code that is running
in a cloud.  But we dont need to do anything else.  Make an action in
kolla-ansible that allows us to do that.

Change-Id: I904f595c69f7276e71692696471e32fd1f88e6e8
Implements: blueprint deploy-containers-action
2019-09-26 17:51:14 +01:00
Zuul
8f70bc22d6 Merge "Add extra volumes support for services that were not previously supported" 2019-08-05 09:02:04 +00:00
Mark Goddard
de00bf491d Simplify handler conditionals
Currently, we have a lot of logic for checking if a handler should run,
depending on whether config files have changed and whether the
container configuration has changed. As rm_work pointed out during
the recent haproxy refactor, these conditionals are typically
unnecessary - we can rely on Ansible's handler notification system
to only trigger handlers when they need to run. This removes a lot
of error prone code.

This patch removes conditional handler logic for all services. It is
important to ensure that we no longer trigger handlers when unnecessary,
because without these checks in place it will trigger a restart of the
containers.

Implements: blueprint simplify-handlers

Change-Id: I4f1aa03e9a9faaf8aecd556dfeafdb834042e4cd
2019-06-27 15:57:19 +00:00
ZijianGuo
e610a73e98 Add extra volumes support for services that were not previously supported
We don't add extra volumes support for all services in patch [1].
In order to unify the management of the volume, so we need add extra volumes
support for these services.

[1] 12ff28a693

Change-Id: Ie148accdd8e6c60df6b521d55bda12b850c0d255
Partially-Implements: blueprint support-extra-volumes
Signed-off-by: ZijianGuo <guozijn@gmail.com>
2019-06-27 18:32:15 +08:00
Mark Goddard
b123bf6621 Use become for all docker tasks
Many tasks that use Docker have become specified already, but
not all. This change ensures all tasks that use the following
modules have become:

* kolla_docker
* kolla_ceph_keyring
* kolla_toolbox
* kolla_container_facts

It also adds become for 'command' tasks that use docker CLI.

Change-Id: I4a5ebcedaccb9261dbc958ec67e8077d7980e496
2019-06-06 19:04:58 +01:00
Raimund Hook
84ea42bd7c Updating Jinja filters to conform to Ansible 2.5+
Since Ansible 2.5, the use of jinja tests as filters has been
deprecated.

I've run the script provided by the ansible team to 'fix' the
jinja filters to conform to the newer syntax.

This fixes the deprecation warnings.

Change-Id: I844ecb7bec94e561afb09580f58b1bf83a6d00bd
Closes-bug: #1827370
2019-05-02 14:58:09 +01:00
Zuul
d08f06dd64 Merge "Add support for ovsdb conversion" 2019-04-04 07:46:14 +00:00
Mark Goddard
a4bb8567da Fix up config file permissions on the host
Several config file permissions are incorrect on the host. In general,
files should be 0660, and directories and executables 0770.

Change-Id: Id276ac1864f280554e98b937f2845bb424d521de
Closes-Bug: #1821579
2019-04-02 17:23:31 +01:00
Michal Nasiadka
2a6070b963 Add support for ovsdb conversion
After upgrade we should check if OVSDB doesn't need conversion to new
version - this patch adds that to ovsdb start script.

Change-Id: Ifa8766d050b506708142a1970121ce5944c6bae1
Closes-Bug: #1792496
2019-03-28 20:33:00 +01:00
Eduardo Gonzalez
1a682fab28 Support stop specific containers
With this change, an operator may be able to stop a
service container without stopping all services in a host.
This change is the starting point to start
fast-forward upgrades support.
In next changes new flags will be introducced to disable
stop dataplane services during upgrades.

Change-Id: Ifde7a39d7d8596ef0d7405ecf1ac1d49a459d9ef
Implements: blueprint support-stop-containers
2018-11-26 08:07:01 +00:00
Cédric Jeanneret
778dba94a4 Load known, standard kernel modules from the host, not within containers
Known kernel modules are:
- dm-multipath (for multipathd)
- ip_vs (for keepalived)
- iscsi_tcp (for ironic-conductor)
- openvswitch (for openvswitch-vswitchd)

Change-Id: I1841ec30cde142c8019830ad3190847dfe493eb9
2018-10-11 10:26:34 +02:00
David Rabel
8736817a98 openvswitch: always run handler to to ensure OVS bridges are up
When editing external bridge configuration and running a reconfigure
on openvswitch, handler "Ensuring OVS bridge is properly setup"
needs to run, but doesn't.

This moves the task from handlers to own file and always includes it
after running the handlers.

Change-Id: Iee39cf00b743ab0776354749c6e162814b5584d8
Closes-Bug: #1794504
2018-09-28 11:31:04 +00:00
caoyuan
471985dc2c Update usage of "|" to "is"
With the more recent versions of ansible, we should now use
"is" instead of the "|"

This should update it.

Change-Id: I6fba56fca182349972e8b0ee5452b37aa4090e0c
2018-08-13 12:40:10 +05:30
Zuul
3e45b2cbec Merge "Use include_tasks instead of include" 2018-07-27 08:16:08 +00:00
Zuul
cd03876e7d Merge "Apply Resource-Constraints to all services." 2018-07-26 14:18:39 +00:00
Jeffrey Zhang
b51eeed89e Use include_tasks instead of include
include is marked as deprecated since ansible 2.4[0]

[0] https://docs.ansible.com/ansible/2.4/include_module.html#deprecated

Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ic9d71e1865d1c728890625aeddf424a5734c0a8a
2018-07-25 23:57:22 +08:00
Zuul
80b8d2da25 Merge "Add networking-baremetal configuration" 2018-07-24 18:13:00 +00:00
Will Miller
5dd080a130 Add networking-baremetal configuration
Partially-Implements: blueprint networking-baremetal

Change-Id: I92b9505843f12692aef96764a314e5db49001a9b
2018-07-23 16:36:04 +01:00
Lakshmi Prasanna Goutham Pratapa
9f0db30fd1 Apply Resource-Constraints to all services.
This commit is the final commit to apply resource-constraints
to all OpenStack services.

Depends-on: I39004f54281f97d53dfa4b1dbcf248650ad6f186
Change-Id: I072d69be9698be54775cb0ae286ea2b6ed78776c
Implements: blueprint resource-constraints
2018-07-23 19:07:05 +05:30
yuqian
5f3cbd8360 Add support for onos
Co-Authored-By: caowei <cao.wei@99cloud.net>
Co-Authored-By: yuqian <yu.qian@99cloud.net>

Change-Id: If8143b720203fe75cf586248f1fa1d3fde34c750
blueprint: onos-support
2018-07-17 15:20:40 +08:00
Ha Manh Dong
30be04ea91 Specify 'become' for all tasks that use kolla_docker module
Add become to all tasks that use the module "kolla_docker"

Change-Id: I4309c4011687b88ec31d739fd8f834fe2326ff10
Partial-Implements: blueprint ansible-specific-task-become
2018-06-08 12:39:24 +00:00
ZhijunWei
5c26ccff64 Delete the null notify
Change-Id: I3789e98034b0080d2dba62f8b59fbff8b2b3e4d7
2018-05-15 14:00:38 +00:00
Jeffrey Zhang
c567055176 Fix ansible warning
- rename action and serial to kolla_ansible and kolla_serial
- use become instead of "sudo <command>" in shell
- Remove quota for failed_when and changed_when in rabbitmq tasks

Change-Id: I78cb60168aaa40bb6439198283546b7faf33917c
Implements: blueprint migrate-to-ansible-2-2-0
2018-05-11 02:54:02 +00:00
Jorge Niedbalski
bb1da0074f Allow setting computes_need_external_bridge.
Allow to set computes_need_external_bridge to true/false
depending on the desired configuration, for allowing
cases such as disable dvr and enable l3 ha.

Closes-Bug: #1769686

Change-Id: I1565b08dfccb7bec2ddda8c048b7d951c9eb1824
Signed-off-by: Jorge Niedbalski <jorge.niedbalski@linaro.org>
2018-05-07 15:38:12 -03:00
chenxing
9fe70f45f3 Restructure the vpnaas roles
As neutron-vpnaas-agent has been loaded just inside of the existing l3 agent
rather than requiring operators to run a completely different binary with a
subclass of the existing L3 agent[1]. We need restructure this role to fit
with this new feature.

[1] https://review.openstack.org/488247

Depends-On: I47cd8ba5a14da3c76d5b1eb0b4c0cf0c729eb2ff
Change-Id: Id690a652bc9facf1c3e39358f548ab7ddd967d80
Implements: blueprint restructure-neutron-vpnaas
Closes-Bug: #1731498
2018-05-02 15:32:02 +08:00
Eduardo Gonzalez
ea1a1dee0d Verify YAML syntax in gates
This patchset implements yamllint test to all *.yml
files.

Also fixes syntax errors to make jobs to pass.

Change-Id: I3186adf9835b4d0cada272d156b17d1bc9c2b799
2018-03-26 17:56:22 +02:00
Zuul
c0af83331a Merge "Let OVS to connect to the individual IPs of each ODL node" 2017-12-25 19:30:08 +00:00
Mathieu Rohon
fc593d531b missing permissions when running as non root
some tasks miss permissions to be run as a normal user

Change-Id: Ic53308adb7fa3a10a7b1f1caa27ca7dd67037cdd
2017-12-12 16:51:36 +01:00
Zhijiang Hu
28b50c22ce Let OVS to connect to the individual IPs of each ODL node
Close-Bug: 1734047

For ODL clustering, one should explicitly points switches to each
of the ODL instances. The openflowplugin logic will figure out
which controller should be the master, and which should be the
slave.

Kolla currently sets the manager to one of the specific ODL over
ptcp and another one through the VIP. The VIP is probably
forwarding the traffic to that same ODL so from ODL's perspective
it's getting two duplicated connection requests from the same OVS
which will cause re-connection problem.

This PS does:
1) Let OVS to connect to the individual IPs of each ODL node in
a ODL cluster instead of only connect to the representative over
VIP. Devstack is doing the same thing[1]. Further more, there is no
need for HAProxy to be frontend for ODL southbound.

2) Delete the unusd ptcp connection option.

[1] https://review.openstack.org/#/c/249484/

Change-Id: Ib57e6fbb5ce64a48be0506904d3c8397ed6f70d9
Signed-off-by: Zhijiang Hu <hu.zhijiang@zte.com.cn>
2017-11-23 06:18:42 -05:00
Duong Ha-Quang
2d3866c6a4 Specify 'become' for only necessary tasks (default roles)
Add become to only neccesary tasks in roles:
- glance
- heat
- horizon
- keystone
- neutron
- nova
- openvswitch

Gate is also updated to use 'become' feature

Change-Id: I2f3f27306e9f384148e1ad4d54d8da2ebef34d00
Partial-Implements: blueprint ansible-specific-task-become
2017-10-31 02:55:31 +00:00
Christian Berendt
e0e71dc5c7 Add /lib/modules as volume to openvswitch_db container
Change-Id: I1267e9d49f8190e4998d6a8164b1e68c613de2bc
Closes-bug: #1712780
2017-09-11 09:25:31 +00:00
Kuo-tung Kao
5d22ea34c0 let openvswitch_db listener localhost
Openvswitch_db is not necessary to listener api_address.
Just let openvswitch_db listener localhost to avoid security issues.

Change-Id: If4912d90abae933a1ed9e2d14336b89b7c7179dd
Closes-Bug: #1712767
2017-08-24 16:43:47 +08:00