Heat parameters are different in swarm master and swarm node.
So we should use different scripts to write the heat parameters.
Change-Id: I81625613913773e627d96f54374ae57af6fe64d3
Closes-Bug: #1571582
Currently, we use the user's auth token, which expires after a while.
We need to use a trust instead.
Remove user_token at the same time.
Change-Id: Id1d34c59eccd70be24c5b9e00cd921b5a9d59860
Partially-Implements: blueprint use-trust-for-tls-cert-generation
Allow configuring Flannel with 3 different backends
Magnum deploys k8s/swarm over a dedicated neutron private network,
possibly using flannel. Flannel's `host-gw` backend gives the best
performance in this topology (private layer2): no packet processing
overhead, no reduction to MTU, scales to many hosts as well as the
alternatives. The performance difference is significant, see bug for
performance numbers for the 3 backend options.
Note that part of this change involves relaxing the minion IP spoofing
rules to allow traffic from all dynamically-allocated flannel subnets.
This is morally equivalent to what we were doing previously with
encapsulation - only now neutron is able to see the inner IP header
directly.
This patch repurposes the label "flannel_use_vxlan" when the network
driver is flannel.
1. Rename the label flannel_use_vxlan to flannel_backend
2. Redefine the value of this label from "yes/no"
to "udp/vxlan/host-gw"
For example, to create a bay model with flannel as network driver:
--network-driver flannel --labels flannel_backend=host-gw
Other backend options are udp and vxlan.
Co-Authored-By: Ton Ngo <ton@us.ibm.com>
Partial-Bug: #1518605
Closes-Bug: #1516789
Change-Id: I6d2441664ad1baaca14d0e6ff4bcddbe75bee094
Fix incorrect Docker storage configuration at agent nodes which causes
failure of docker-storage-setup.service. Add a Cinder volume to the
master and configure Docker DeviceMapper to use it, and set proper
volume sizes for integration tests.
Change-Id: I57dfd6174143f8c7563db2920dd4e94b4f3c9883
Related-Bug: #1500062
The swarm func test occasionally failed with the error below. This
error cannot be determinately reproduced. After some experiments,
it seems that swarm will abort connections during registration of
a new swarm agent.
ConnectionError: ('Connection aborted.', BadStatusLine("''",))
This commit tries to fix the issue by waiting for the completion of
agent registration. After the swarm agent service starts, it checks
ETCD to ensure the agent was successfully registered before sending
signal to Heat to indicate its success.
Closes-Bug: #1521395
Change-Id: Iec1772d1df7d85e367676758b1f97a5b604c0eb7
This patch does some cleanup work in swarm heat template including description,
typo fixes, removal of default in nested template.
Also updated magnum.conf.example.
Closes-Bug: #1524134
Change-Id: Id0dd345150aba4cf88df5a7d9ac85dcbb100e3d0
Would like to make swarm much more similar to k8s.
This patch is the preparation of supporting Swarm HA mode:
1. Refactor swarm.yaml to swarmcluster.yaml and swarmmaster.yaml
2. Add api_pool, LB in front of swarm master node.
3. Add etcd_pool
After this change:
Swarm bay will update the fields of 'master_addresses'.
P.S. Note: Swarm HA is not supported yet; master_addresses will contain only 1
IP address.
Partially implements: blueprint swarm-high-availability
Change-Id: Ib6346bfd5a7ad0ef2226a6e6bc98b0ad46e577cb
Currently the Swarm version in magnum appears in multiple files.
It's not easy for us to maintain.
This patch adds a global var to store the swarm image and its version,
so that we can update the swarm image more easily.
Change-Id: I3063ff4350f8e2f3c96b0bc3700ed509edad206b
Closes-Bug: #1515567
Previously, Swarm leveraged Docker's public discovery mechanism
for bootstrapping a cluster. Etcd bootstrapping is supported by
Swarm and is preferred for production use for the following reasons:
1. Required for HA.
2. Is more secure.
3. Required for the Flannel network-driver.
Partially-Implements: blueprint extend-baymodel-net-attributes
Partially-Implements: blueprint conductor-template-net-update
Change-Id: Iab844c03ed7cf8bbee69b72ff71c219f0a5ab1dd
Previously, the Swarm templates did not support the Container
Network Model. The templates have been updated to support the
Flannel --network-driver. Conditionals have been added to support
future --network-drivers.
Partially-Implements: blueprint heat-network-refactor
Change-Id: Ie90e41568df05055b91764b861e08de6f689d864
Previously, the swarm bay type did not support using a cinder
volume for docker.
Implements: blueprint swarm-cinder
Change-Id: I8acaf60caab52a5e5a234e4c5f89ce3dd155759c
Rename heat-kubernetes to kubernetes, heat-mesos to mesos,
docker-swarm to swarm in templates. We use heat templates and
no other methods, so I think it is unnecessary to add heat before
coe. kubernetes, mesos, swarm are better than
heat-kubernetes, heat-mesos, docker-swarm.
Change-Id: I257b35c1c4ef55d3172095736f550f2c55c8d81f
Closes-Bug: #1514682
The old method of detecting failures was very likely to fail in
many cases because it relied on all bay services being started by
the time cloud-init finished. This is a problem because the bay
services are started asynchronously and can take quite a while to
start.
The new method relies on systemd's OnFailure directive to kick off
specific service units when a failure is detected. Both the swarm
agent and manager have their own failure service so that we are
not overloading a single wait condition with multiple potential
failures.
Change-Id: I7ce4be567517fe948dde0ac7225996967196c9e8
Closes-bug: #1502329
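The OnFailure wiring this commit describes, as an added example that is not a fragment from the Magnum repository; the unit directory, the wait-condition handle URL and the agent start command are assumptions:

```shell
#!/bin/sh
# Added example, not a fragment from the Magnum repository: generate a
# swarm-agent unit plus the dedicated OnFailure unit that reports a failed
# start to the Heat wait condition, so a broken agent fails the bay quickly
# instead of letting it hang until the stack timeout.
# Assumptions: the wait-condition handle URL is passed in by the caller and
# the agent start command is a labelled placeholder.
set -e

write_failure_units() {
    unit_dir="$1"     # e.g. /etc/systemd/system
    wait_handle="$2"  # Heat wait condition handle URL (cfn-style signal)

    # Failure unit: started by systemd only when swarm-agent.service fails.
    # Data names the failed service, so agent and manager failures stay
    # distinguishable even if they ever signal the same condition.
    cat > "$unit_dir/swarm-agent-failure.service" <<EOF
[Unit]
Description=Report swarm-agent failure to the Heat wait condition

[Service]
Type=oneshot
ExecStart=/usr/bin/curl -sf -X PUT -H 'Content-Type: application/json' \\
  --data-binary '{"Status": "FAILURE", "Reason": "swarm-agent failed to start", "Data": "swarm-agent", "UniqueId": "swarm-agent"}' \\
  '$wait_handle'
EOF

    # Service unit: OnFailure= ties this service's failure to the unit
    # above; the manager gets its own pair so the two never share one.
    cat > "$unit_dir/swarm-agent.service" <<EOF
[Unit]
Description=Swarm Agent
After=docker.service
Requires=docker.service
OnFailure=swarm-agent-failure.service

[Service]
# PLACEHOLDER: the real agent start command goes here
ExecStart=/usr/local/bin/start-swarm-agent.sh
EOF
}

# Check used below: does the agent unit reference its failure unit?
has_onfailure() {
    grep -q '^OnFailure=swarm-agent-failure.service$' "$1/swarm-agent.service"
}
```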
When talking about TLS "insecure" is used for describing a situation
where certificate validation is disabled. However in Magnum it has been
used to describe disabling TLS entirely. This change modifies this
column and attribute name to avoid any confusion.
Co-Authored-By: Adrian Otto <adrian.otto@rackspace.com>
Co-Authored-By: Vilobh Meshram <vilobhmm@yahoo-inc.com>
Closes-Bug: #1500953
Change-Id: Idb3316900fe2b7fb3acd38f57226902ca10e091a
This patch checks $NODE_SERVICES status before sending the SUCCESS signal to heat cfn;
this will make sure the bay is usable.
Change-Id: Ie232c578c5c27b1842965bdda481096fb0b5c820
Closes-Bug: #1500291
docker-tcp.socket should be changed to docker.socket.
Refer to magnum/templates/docker-swarm/fragments/write-docker-socket.yaml
for this modification.
Change-Id: I173b5b81905836d5c65238b71a8652dff658c4f9
Closes-Bug: #1501148
Previously, the security group rules were blocking all traffic
except ssh, icmp and swarm-manager traffic. This causes container
traffic to be blocked. This patch opens up the security rules
until a better solution can be developed to secure Magnum nodes
while allowing containers to communicate freely.
Closes-bug: #1501038
Change-Id: Idc20201b7e1928101629fc6231fd8a9c9070ba33
In Ic88edf4b2e0005f6aa0a6df33b94ff275a5623d2,
we changed write-docker-service.yaml to write-docker-service.sh; this brings
a regression bug: before write-docker-service.sh is called,
/etc/systemd/system/docker.service.d/ has not been created yet, which leads
the add_proxy script to fail.
This patch moves configure_swarm and add_proxy after write-docker-service.
Besides, rename make_cert.py to make-cert.py to be consistent with the naming
style of the other shell scripts.
Change-Id: Ia7fcc029189047ae6424a26ac4cb6b4b785552db
Closes-Bug: #1499588
This patch adds configure-swarm.sh to configure docker-storage options
New options added to DOCKER_STORAGE_OPTIONS:
--storage-driver devicemapper
Change-Id: Ie86b7e70fdb996cdea950742a1cdb552a0db29e3
Closes-Bug: #1499219
This patch adds TLS at two key places. The first is on the Docker
daemon itself, which secures communication between the Swarm manager
service and the Docker Daemon. The second is on the Swarm manager,
which secures communication between the Magnum conductor and the
Swarm manager.
TLS can be disabled with the 'insecure' attribute on BayModel. It
is enabled by default on new BayModels, but is set to False on
existing BayModels so as not to break how they currently function.
Partial-Implements: blueprint secure-docker
Change-Id: Ic88edf4b2e0005f6aa0a6df33b94ff275a5623d2
This patch will proxy values to swarm-agent
services which would otherwise give an error
if you are not under a proxy.
Change-Id: I63a0340a6806794e6f22a761cc1510697b3011bb
Closes-Bug: #1493952
1. Swarm master won't know the swarm node's IP, remove it.
2. SWARM_MASTER_IP passed to the swarm node should be a private IP.
3. Remove FIXED_NETWORK_CIDR, which is useless.
Closes-Bug: #1492963
Change-Id: I3ec1923d94be346890bbd2117501f60645d33c0c
This patch will replace the use of manager with
master in nova instances, because we will
support more masters in the future and the word master
is appropriate for nova instances.
Change-Id: I543010796f0cac9bcfed8387656d801aea9dc13a
Implements: blueprint manager-to-master
People who are using magnum in a VPN need a proxy
for VM instances in a bay to reach the network. The firewall
may block them and the user will end up in VMs without
network.
Closes-Bug: #1476843
Implements: blueprint add-proxy
Co-Authored-By: Eli Qiao <liyong.qiao@intel.com>
Change-Id: I4f25918d755bd150da4f66c17ddf8b2645ab37b5
In the heat guide
http://docs.openstack.org/hot-reference/content/OS__Neutron__FloatingIP.html
floating_network_id is deprecated, and also for OS::Neutron::Router
network properties can be given by name or id.
Change-Id: Icb119c36e4abac1facf447773ec46f21b2b863b8
Closes-Bug: #1472532
The swarm heat template uses the wrong parameter passing, which causes
a wrong reference issue during swarm bay creation.
Closes-Bug: #1458445
Change-Id: I5ff824cc615fd392372f5578c62fb7f76454b599
This blocks the heat stack from going into CREATE_COMPLETE status until
all of the swarm services have completely started. This also means that
if the swarm services fail to start, the bay will eventually timeout
instead of going into CREATE_COMPLETE.
Change-Id: I050e206b99793e0a07ba670d141b64592549c61b
Closes-bug: #1452936
Closes-bug: #1457596
This change will allow deployers to select either Kubernetes
or Swarm to be the CoE used in Magnum's bays. A Swarm bay uses
a subset of the BayModel parameters used for Kubernetes.
Node discovery is provided via Docker's public discovery
endpoint, but operators and users can override this with
Bay's discovery_url argument.
Implements: bp multiple-bay-templates
Change-Id: I5278e6d477298085d07673810e5d8813d21b7730
* Docker service needs to listen on file descriptor to work with
systemd socket activation.
* Need to delete /etc/docker/key.json so that each host generates
its own unique id.
* Use smaller swarm image for agent and manager services
* Disable selinux so that cloud-init works
Closes-bug: #1444714
Change-Id: I496330af656d488b826028cec9b5d5275a63d3b4
According to Heat documentation, the AWS::CloudFormation::WaitCondition
timeout attribute should be a number, but magnum templates use strings:
  master_wait_condition:
    type: "AWS::CloudFormation::WaitCondition"
    properties:
      Handle:
        get_resource: master_wait_handle
      Timeout: "6000"
This change replaces string timeouts ("6000") with number timeouts (6000).
Change-Id: I2ad6825899dca551a152c101832c2d38c61a113e
Closes-Bug: #1437234
This template will spin up a single swarm-manager node and N number of
swarm-agent nodes. Every node, including the manager, is running a
Docker daemon and a swarm-agent service advertising the docker daemon.
The swarm-manager node is running an additional swarm-manager service
listening on port 2376. The swarm-manager service acts as a single
docker api for interacting with the entire cluster.
This template was adapted from the existing heat-kubernetes bay template.
As such, it uses identical neutron network topology.
Implements: blueprint docker-bay-heat-template
Change-Id: I22276022bbb4155ccdce0f75c47d46492a5ac821
These were the commits pulled from larsks github repo(s)
ef48d0 configure flannel via systemd unit
4e1b7a Merge pull request #11 from hongbin/replacement_policy
02ea53 Set port replacement_policy to AUTO
b06de8 call daemon-reload before starting services
c265dd fix json syntax problem
88a8bd configure cinder volume for docker storage
7ae6e5 default server_image wasn't useful
809d9b updated requirements in README
6595da integrate wait-for-flanneld into docker.service.yaml
cb51ae use flanneld sysconfig for etcd url
6cf8b9 added note re: vxlan backend issues on centos
18d9c6 make portal_net address range a parameter
343bde added license
efb341 add fix for docker/docker#9468
b235dc use less confusing name for flannel json config
08d873 make vxlan support conditional (+ doc updates)
daee9e permit kube api access via services
747d06 add a "minion" default user
b1c36c refactor config using software config support
0d981d use centos atomic host
538f7a remove get-image.sh
Change-Id: Ibd22a2805328ef76ad3996113b10e82cc1a16a9b
Closes-Bug: 1417642
In the 20150106 IRC meeting, we decided to add two templates to magnum
for creating bays: one for virt and the other for ironic.
larsks/heat-kubernetes is for virt and we can merge it first.
Change-Id: I9db19c006db9c9b725a562f532448d447761542f