2913 Commits

Author SHA1 Message Date
Emilien Macchi
991d52605c Add heat::cache to heat profile
... so our operators can override oslo cache options in heat.conf.

Change-Id: I1cbe94928540af48134ce878ca7ad404b92de170
2020-03-27 18:07:36 +00:00
Zuul
6de3a8c24e Merge "Support for mariadb's ed25519 authentication" 2020-03-27 16:26:51 +00:00
Takashi Kajinami
02ffeba0d9 Replace deprecated gnocchi::storage::coordination_url
The gnocchi::storage::coordination_url parameter was deprecated to be
replaced by the gnocchi::coordination_url parameter.
This patch makes puppet-tripleo use the new parameter instead of the
deprecated one.

Depends-on: https://review.opendev.org/#/c/713448/
Change-Id: I2bbe95375c465aea8d2fe91b31897541ed998ae7
2020-03-26 09:03:09 +09:00
Damien Ciabrini
00a06edc5c Support for mariadb's ed25519 authentication
Add the ability to configure all mysql users to require authenticating
to the server via mariadb's ed25519 auth plugin [1], rather than the
default native authentication [2].

[1] https://mariadb.com/kb/en/authentication-plugin-ed25519/
[2] https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/

Change-Id: I430ea8e1fa15fb263d1d4ef8c39615021d907f8a
Partial-Bug: #1866093
2020-03-25 17:45:43 +01:00
Takashi Kajinami
3f3067e21e Add unit test job on CentOS8
This patch introduces a unit test job which runs on CentOS8, so that we
can migrate from CentOS7 to CentOS8.
The new unit test job on CentOS8 is added as a non-voting job initially,
but will be made a voting job, removing the CentOS7 one, after we
confirm the gate status of master and stable branches after this change
is merged.

Change-Id: Iee33fe1953af27b5f4b68b093464a831cb4ddcc6
2020-03-25 11:10:20 +09:00
Zuul
36523da90f Merge "Handle ipv6 addresses in etcd and cinder's backend_url" 2020-03-23 23:59:49 +00:00
Zuul
2f29d0f0bf Merge "Add Octavia OVN Provider configuration (1 of 2)" 2020-03-23 22:03:31 +00:00
Alan Bishop
aed9bda1b0 Handle ipv6 addresses in etcd and cinder's backend_url
When configured to use an ipv6 address, the etcd URLs and the cinder
lock manager's backend_url need to include brackets around the address.

Closes-Bug: #1868284
Change-Id: I79f385f14b5904803cdc7fdd145afa2dbcef9c49
2020-03-23 07:04:11 -07:00
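The bracketing rule from the commit above, as an added example that is not part of the original commit message or of puppet-tripleo: a small Ruby helper (Ruby being the language puppet modules use for custom functions) that builds the etcd URLs and the cinder lock manager backend_url and wraps IPv6 literals in brackets so a trailing ":port" stays unambiguous. The `etcd3+http` scheme, the default port 2379 and the function names are assumptions made for the example; hostnames, IPv4 literals and already-bracketed input are passed through unchanged.

```ruby
require 'ipaddr'

# Wrap a literal IPv6 address in brackets so it can be followed by ":port".
# Hostnames, IPv4 literals and already-bracketed IPv6 are returned untouched.
def bracket_host(host)
  h = host.to_s.strip
  return h if h.start_with?('[') && h.end_with?(']')
  begin
    ip = IPAddr.new(h)
  rescue IPAddr::InvalidAddressError
    return h # a hostname, not an IP literal: nothing to bracket
  end
  ip.ipv6? ? "[#{h}]" : h
end

# One etcd member URL; port 2379 and the http scheme are assumed defaults.
def etcd_url(host, port = 2379, scheme = 'http')
  "#{scheme}://#{bracket_host(host)}:#{port}"
end

# Comma-separated list of member URLs, as etcd initial-cluster style
# settings usually expect.
def etcd_urls(hosts, port: 2379, scheme: 'http')
  hosts.map { |h| etcd_url(h, port, scheme) }.join(',')
end

# cinder's coordination backend_url; the etcd3+http scheme is an assumption
# for the example, not taken from the commit.
def cinder_backend_url(host, port = 2379, scheme = 'etcd3+http')
  "#{scheme}://#{bracket_host(host)}:#{port}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one IPv6 literal, one IPv4 literal, one name.
  puts etcd_urls(['2001:db8::1', '192.0.2.10', 'controller-0.internalapi'])
  puts cinder_backend_url('2001:db8::1')
end
```

IPAddr rejects hostnames with InvalidAddressError rather than trying to resolve them, so the helper never does DNS and behaves the same offline as on a deployed node.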
Zuul
089b2469c3 Merge "Make all mysql root users managed during stack creation/update" 2020-03-21 03:45:30 +00:00
Francesco Pantano
b6175ece1a Fix grafana haproxy frontend ip variable
Grafana could be exposed along with the ceph dashboard
but it's actually embedded in a view created for
this purpose.
For this reason the ceph-dashboard component should
be able to reach grafana or the requests will fail.

Closes-Bug: #1868118
Change-Id: I7894c51d18961c5cab7ac62e5eec5d515e2667c8
2020-03-19 16:35:40 +01:00
Flavio Fernandes
c68aa2e140 Add Octavia OVN Provider configuration (1 of 2)
This is part 1 of 2, where ovn provider info located in
tripleo::profile::base::octavia::api will move
to newly created octavia::provider::ovn.
But that has to be split into 2 parts to avoid breaking the
CI until the THT+puppet-tripleo changes merge [1].

[1]: https://review.opendev.org/#/q/topic:bug/1861886+(status:open+OR+status:merged)

This patch enhances Octavia's OVN driver config, so it can connect to
OVN_Northbound DB using TLS.

Depends-On: https://review.opendev.org/#/c/711333/

Change-Id: I85049de9960586a1069aa750c8d727c6e37cec73
Related-Bug: #1861886
2020-03-18 14:35:16 -04:00
Damien Ciabrini
7ee97845dd Make all mysql root users managed during stack creation/update
In non-HA deployments (undercloud and standalone) puppet-mysql
handles password for user 'root@localhost' [1], but it doesn't
try to update 'root@%'.
Instantiate the appropriate resource to fix the management of
that mysql user.

Closes-Bug: #1867186

[1] https://github.com/puppetlabs/puppetlabs-mysql/blob/master/manifests/server/root_password.pp

Change-Id: I5bb1c23f5fbe7e6fd28537aef4fbfc1be5950dcc
2020-03-12 19:21:09 +01:00
Chandan Kumar (raukadah)
3e8e98dde3 Remove duplicate entry of collectd-python package
672452018a in puppet-collectd adds support for CentOS-8, and the
collectd-python package is already defined there.

In puppet-tripleo, it started complaining about a duplicate entry of
the collectd-python package; removing the same from puppet-tripleo
fixes the issue.

Closes-Bug: #1866965

Change-Id: If1a2c65c4208c2255a3140134204e240496ec8b6
Signed-off-by: Chandan Kumar (raukadah) <chkumar@redhat.com>
2020-03-11 18:20:36 +05:30
Francesco Pantano
165ed10dc1 Fix restart unit condition on radosgw
This change just fixes the restart condition
for the radosgw file used when the certificate
is renewed.

Change-Id: Id3f76cd03c993d013090c7c764d6963a64a1c74f
2020-03-09 14:46:06 +01:00
Zuul
48e66f4772 Merge "Enforce firewall rules before pacemaker-auth" 2020-03-07 00:11:21 +00:00
Zuul
48127ec353 Merge "Make sure we create stonith resources before stonith levels" 2020-03-07 00:11:20 +00:00
Zuul
a69b205c9b Merge "Add Certmonger ceph_rgw class to config tls" 2020-03-06 17:47:22 +00:00
Michele Baldessari
b706f5365a Make sure we create stonith resources before stonith levels
Currently stonith levels kind of work out of pure luck. If puppet
decides to reorder resources stonith levels can fail with:

            "Error: /Stage[main]/Tripleo::Fencing/Pacemaker::Stonith::Level[stonith-1-525400e05b23]/Pcmk_stonith_level[stonith-level-1-$(/usr/sbin/crm_node -n)-stonith-fence_ipmilan-525400e05b23]/ensure: change from absent to present failed: pcs -f /var/lib/pacemaker/cib/puppet-cib-backup20200305-60559-tn9ici create failed: Error: Stonith resource(s) 'stonith-fence_ipmilan-525400e05b23' do not exist, use --force to override"

Nowhere in the code do we mandate that the single stonith resources need
to be created *before* the stonith levels which make use of them.
Let's add a constraint via collectors so we enforce this ordering.

Tested on the environment that was not working and got a correctly
deployed IHA overcloud.

Change-Id: I78cb6ae21366a429b65a8357b3b267a485484a42
Closes-Bug: #1866214
2020-03-05 19:03:00 +01:00
Michele Baldessari
88e119d747 Enforce firewall rules before pacemaker-auth
We want to make sure that any firewall rule set to open pacemaker ports
is executed before we run any commands that invoke pcs to
authenticate remote nodes.

It simply makes sense from a high-level POV to explicitly open
up firewall rules before we invoke pcs commands that will talk to
remote nodes.

I have actually seen one case in the wild where during a scaleup
the node being scaled up was waiting on Exec['wait-for-settle']
and the bootstrap node failed to contact pcs on the scaled up node
because there the firewall rules were never opened up as it was
waiting on the 'wait-for-settle' step.

Note that we *cannot* impose the ordering via a too-generic
Firewall<||> collector because in tripleo::firewall we have

    Service<||> -> Class['tripleo::firewall::post']

and we would create a circular dependency.

Tested a queens deploy with this change and we are correctly
guaranteed to open up firewalling before invoking pcs:
Mar 05 16:22:51 controller-0. puppet-user[18840]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[swift_storage]/Tripleo::Firewall::Rule[123 swift storage]/Firewall[123 swift storage ipv4]/ensure) created
Mar 05 16:22:52 controller-0. puppet-user[18840]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[swift_storage]/Tripleo::Firewall::Rule[123 swift storage]/Firewall[123 swift storage ipv6]/ensure) created
Mar 05 16:22:52 controller-0. puppet-user[18840]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[tripleo_firewall]/Tripleo::Firewall::Rule[003 accept ssh from any]/Firewall[003 accept ssh from any ipv4]/ensure) created
Mar 05 16:22:52 controller-0. puppet-user[18840]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[tripleo_firewall]/Tripleo::Firewall::Rule[003 accept ssh from any]/Firewall[003 accept ssh from any ipv6]/ensure) created
Mar 05 16:22:52 controller-0. puppet-user[18840]: (Exec[reauthenticate-across-all-nodes](provider=posix)) Executing '/sbin/pcs cluster auth controller-0 controller-1 controller-2 database-0 database-1 database-2 messaging-0 messaging-1 messaging-2 -u hacluster -p foobar --force'
Mar 05 16:22:52 controller-0. puppet-user[18840]: Executing: '/sbin/pcs cluster auth controller-0 controller-1 controller-2 database-0 database-1 database-2 messaging-0 messaging-1 messaging-2 -u hacluster -p AQtEeE6e3FDEqrfm --force'
Mar 05 16:22:55 controller-0. puppet-user[18840]: (Exec[Create Cluster tripleo_cluster](provider=posix)) Executing '/sbin/pcs cluster setup --wait --name tripleo_cluster controller-0 controller-1 controller-2 database-0 database-1 database-2 messaging-0 messaging-1 messaging-2 --token 10000 --encryption 1'
Mar 05 16:22:55 controller-0. puppet-user[18840]: Executing: '/sbin/pcs cluster setup --wait --name tripleo_cluster controller-0 controller-1 controller-2 database-0 database-1 database-2 messaging-0 messaging-1 messaging-2 --token 10000 --encryption 1'
Mar 05 16:23:20 controller-0. puppet-user[18840]: (Exec[Start Cluster tripleo_cluster](provider=posix)) Executing check '/sbin/pcs status >/dev/null 2>&1'
Mar 05 16:23:20 controller-0. puppet-user[18840]: Executing: '/sbin/pcs status >/dev/null 2>&1'
Mar 05 16:23:21 controller-0. puppet-user[18840]: (Exec[Start Cluster tripleo_cluster](provider=posix)) Executing '/sbin/pcs cluster start --all'
Mar 05 16:23:21 controller-0. puppet-user[18840]: Executing: '/sbin/pcs cluster start --all'

Change-Id: I775ad1abf87368d013054e9a5dab22931f21f86c
Closes-Bug: #1866209
2020-03-05 17:42:18 +01:00
Sagi Shnaidman
9c05cdf97f Revert "Add replication_probe_interval for ovsdbs"
it broke OVB in master
Closes-Bug: #1866031
This reverts commit 5b5291423a04e324a3075caaf07620e7b0a14ac0.
Change-Id: Id4ec674ecd18bed02034714c2da103933b4e0b42
2020-03-04 14:18:05 +00:00
Francesco Pantano
7013cd94ee Add Certmonger ceph_rgw class to config tls
This patch adds the ceph_rgw class required by certmonger to
create the cert/key.
This patch also creates the service_pem file since the rgw
container private key, public certificate and any other CA or
intermediate certificates should be in one file, in PEM format.

Change-Id: I960f7c48866ef11e58e63d80217f7df660455fe1
2020-03-03 13:01:22 +01:00
Zuul
ac76abf7b1 Merge "Add replication_probe_interval for ovsdbs" 2020-03-02 20:57:00 +00:00
Takashi Kajinami
ebdbbfe8fd Remove wsgi enabled parameters in nova
... because issue with wsgi deployment in nova[1] was resolved a while
ago, and we don't encourage users to use standalone eventlet servers.

[1] https://bugs.launchpad.net/nova/+bug/1661360

Change-Id: I40c3b6ea9a958cb5b1548282299414a72eb254c4
2020-03-02 00:14:15 +09:00
Zuul
9e952cce10 Merge "HA: fix rabbitmq readiness check for rabbitmq-server 3.8" 2020-02-28 20:43:51 +00:00
Kamil Sambor
5b5291423a Add replication_probe_interval for ovsdbs
Add the possibility to configure replication_probe_interval for ovsdb-server.
It configures the probe interval for the connection of ovsdb-server when it is
in backup mode and connects to the active ovsdb-server for replication.

Change-Id: I6e5af0cfc00778e251bae0fc42c116a24c8fabc3
2020-02-28 11:30:30 +01:00
Zuul
f019a7512b Merge "Use short parameter names for nova::network::neutron" 2020-02-28 09:43:05 +00:00
Damien Ciabrini
e60351ee09 HA: fix rabbitmq readiness check for rabbitmq-server 3.8
In HA profiles, we wait for rabbitmq application readiness by
parsing the output of "rabbitmqctl status". This breaks with
rabbitmq-server 3.8 which changed the output of that command.

Fix our check by using a "rabbitmqctl eval" and by relying on
a stable function call rather than parsing output. This
approach works for rabbitmq-server 3.6 to 3.8.

Change-Id: Id88d0aee74e4b26fd64bbc2da5d0c0fc4bbd6644
Co-Authored-By: Yatin Karel <ykarel@redhat.com>
Closes-Bug: #1864962
2020-02-27 16:41:44 +01:00
Zuul
0c162fcf70 Merge "Add support for glance multistore" 2020-02-26 22:30:07 +00:00
Takashi Kajinami
1a48963307 Use short parameter names for nova::network::neutron
Depends-on: https://review.opendev.org/#/c/709371
Change-Id: Ifa04c6f7ee29a4b3dc1303f63465ca8427efb7e5
2020-02-24 21:44:52 +09:00
Takashi Kajinami
f1a878c177 Remove OpenShift API from haproxy LB configuration
Support for OpenShift deployment in TripleO was already removed[1],
so remove OpenShift API from haproxy LB configuration, as we don't
expect anyone to use that implementation.

[1] c845595ba3c9f8ad88e0dad24d56c7349fbd3d1b

Change-Id: Id0825d95f1effd4091dda4a4324787762c180960
2020-02-24 18:33:15 +09:00
Emilien Macchi
b82deada63 Remove k8s from haproxy
k8s service has been deprecated and is being removed from THT; we don't
need that code anymore.

Change-Id: I31765715d86546955ca39540d15b247bafdb403f
2020-02-17 20:29:47 +00:00
Emilien Macchi
1015d5ab01 Remove unused time/ptp class
Depends-On: https://review.opendev.org/707296
Change-Id: I7c1c74da9df47d1ba76e927adb101db814e64490
2020-02-17 20:29:43 +00:00
Emilien Macchi
f2158dd312 Remove deprecated securetty
This code isn't used anymore.

Depends-On: https://review.opendev.org/707293
Change-Id: I50cc6e5d6a31e28be317aff9637b4b9c42d1ec37
2020-02-17 20:29:38 +00:00
Emilien Macchi
8e10ee78c8 Remove kernel class
The code isn't useful anymore.

Depends-On: https://review.opendev.org/707289
Change-Id: I23704246f5ba905666db0d2508245ca764d87161
2020-02-17 20:29:34 +00:00
Zuul
2039b4d842 Merge "Add support to configure virtlogd" 2020-02-14 10:03:18 +00:00
Emilien Macchi
4ce5754bfc Prepare u-2 release
Change-Id: I3e353cb96a4e222368ab63c9486d1462d335a0e1
2020-02-13 12:25:04 -05:00
Zuul
95ec64064d Merge "Add ceph dashboard frontend endpoint and tls-e integration" 2020-02-12 15:51:02 +00:00
Takashi Kajinami
e72ce5e4c5 Pin puppet-collectd
Pin puppet-collectd because its recent change[1] broke its
compatibility with facter 2.X.X, which is currently required
in centos-7 jobs.

[1] bda9e87a41

Change-Id: Ie3174349b23a46d527358e0d57f9ccbce73dec49
Closes-Bug: #1862434
2020-02-08 19:07:34 +09:00
Zuul
6738df5dad Merge "Make pipeline config more flexible" 2020-02-07 01:11:10 +00:00
Zuul
d88f982ada Merge "Enable sudo rule creation" 2020-02-06 02:22:54 +00:00
Zuul
7a87b0add7 Merge "Don't use defined" 2020-02-04 21:11:06 +00:00
Zuul
0d41163d95 Merge "Fix typo in remote pcsd_bind_addr" 2020-02-04 00:27:03 +00:00
Zuul
88ce1830b6 Merge "Use memcached for token caching in designate authtoken" 2020-02-04 00:26:58 +00:00
Martin Magr
53665f2393 Don't use defined
The 'defined' function is always true for defined variables
even when the value is undef. This makes the conditionals useless
and this patch makes the module to test value instead.

Change-Id: I9228d84e02b485f089fce84ea12ca8afba903a61
2020-02-03 16:53:23 +01:00
Michele Baldessari
d833bcd92e Fix typo in remote pcsd_bind_addr
Typo slipped in when this code was merged, we need to reference the
proper variable

Closes-Bug: #1861668

Change-Id: Ida10d018e73fb19bb72032fcb2113e1762fb94fa
2020-02-03 11:03:17 +01:00
Martin Magr
03ade40ffd Enable sudo rule creation
We need to enable sudo rule creation for the user under which sensubility
is executed, to allow operators to execute any command they possibly need
in their health check implementation.

Change-Id: I47c6e4fb3beab14cc5c7f824646e3c2242b140d4
2020-02-03 07:35:49 +01:00
Zuul
6468651b27 Merge "Use ctlplane for internal QDR communication" 2020-02-02 01:15:48 +00:00
Alan Bishop
c7b9b90dbd Add support for glance multistore
Add new tripleo::profile::base::glance::api::multistore_config parameter
to support configuring multiple glance-api backends. The parameter is
optional, and represents a hash of settings for each additional backend.
The existing 'glance_backend' parameter specifies the default backend.

In order to support DCN/Edge deployments, the syntax supports multiple
instances of the 'rbd' backend type. Restrictions are imposed to allow
only a single instance of the 'cinder', 'file' and 'swift' backend types.

Change-Id: I41ab9b3593bf3d078c5bbd1826df8308e3f5e7af
Depends-On: I5a1c61430879a910e7b6c79effba538431959d56
2020-01-31 07:06:16 -08:00
Francesco Pantano
eec31fd149 Add ceph dashboard frontend endpoint and tls-e integration
This change exposes to the end-user the new ceph dashboard
frontend which is fully integrated with grafana service.
This review also adds all the info/classes to integrate the
service with tls-everywhere framework, providing the cert
request and generation that will be passed to ceph dashboard
via ceph-ansible.

Depends-On: https://review.opendev.org/#/c/704308
Change-Id: Id6d2e4b00355cd84baccc2b493f3205c2b32a44b
2020-01-30 12:37:52 +01:00
abdallahyas
48125267dd Change the name of the HAProxy service to reflect the new name
Changed the name of the haproxy service so it will reflect the
new name of the service, and a reload will be possible for the cron
job.

Change-Id: I66ee58f3b4fd2f10ceba6306497ac796daaf98e8
2020-01-27 12:40:39 +00:00