The aide puppet manifest is being removed because the heat template
which invoked it has been converted to ansible. This change removes
the aide manifest and spec files accordingly.
Depends-On: I4479de4c157625be50fdbec33cbf43b30dd7558f
Change-Id: I9d63a38298311909e615e51e1e46dcc35652b351
Signed-off-by: Kevin Carter <kecarter@redhat.com>
There are situations when it might be required to use different TLS
versions between the services. HAProxy configures the TLS version on the
bind line in the configuration; customization there is missing.
At the moment we can only set the TLS version globally via ssl_options.
This code's idea is to configure it per-service. For example, with:
parameter_defaults:
  ExtraConfig:
    tripleo::haproxy::cinder::internal_bind_options: 'force-tlsv11'
    tripleo::haproxy::keystone_public::public_bind_options: 'force-tlsv12'
    tripleo::haproxy::horizon::public_bind_options: 'force-tlsv11'
    tripleo::haproxy::horizon::internal_bind_options: 'force-tlsv12'
We will get something like the following in the haproxy config:
listen cinder
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11
  ...
listen keystone_public
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:5000 transparent
  ...
listen horizon
  bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
  bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11
  bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12
  ...
The two {public,internal}_bind_options accept both strings and arrays of
strings.
Closes-Bug: #1829328
Change-Id: I4b724a515d729c2e8e0da9cb8f081b8325d51a6b
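As an added example (not code from the puppet-tripleo change above), the following audit parses a rendered HAProxy config like the one shown and reports, per listen section, which bind lines still rely on the global ssl_options and which carry a TLS-version keyword on a bind that has no `ssl` at all; the sample config is a constructed copy of the commit message's snippet.

```python
"""Audit per-bind TLS version options in a rendered HAProxy config."""
import re
from typing import Dict, List

# HAProxy bind keywords that pin or exclude a TLS/SSL protocol version.
TLS_VERSION_KEYWORDS = re.compile(r"^(force|no)-(ssl|tls)v\d+$")

# Constructed sample: the cinder/keystone/horizon snippet from the commit message.
SAMPLE_CONFIG = """\
listen cinder
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11
listen keystone_public
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:5000 transparent
listen horizon
  bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
  bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
"""


def parse_binds(config: str) -> Dict[str, List[dict]]:
    """Return {listen_name: [{'addr', 'ssl', 'tls_opts'}, ...]} for every bind line."""
    sections: Dict[str, List[dict]] = {}
    current = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "listen":
            current = words[1]
            sections[current] = []
        elif words[0] == "bind" and current is not None:
            sections[current].append({
                "addr": words[1],
                "ssl": "ssl" in words[2:],
                "tls_opts": [w for w in words[2:] if TLS_VERSION_KEYWORDS.match(w)],
            })
    return sections


def audit(config: str) -> List[str]:
    """Findings a reviewer would want, each as '<listen> <addr>: <issue>'."""
    findings = []
    for name, binds in parse_binds(config).items():
        for b in binds:
            if b["tls_opts"] and not b["ssl"]:
                findings.append(f"{name} {b['addr']}: {b['tls_opts'][0]} set but bind has no 'ssl'")
            elif b["ssl"] and not b["tls_opts"]:
                findings.append(f"{name} {b['addr']}: ssl bind relies on global ssl_options")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the sample and both cinder binds are reported: the public one inherits the global TLS policy, the internal one names a TLS version on a plain-text bind.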
As of Rocky [1], the nova-consoleauth service has been deprecated and
cell databases are used for storing token authorizations. All new consoles
will be supported by the database backend and existing consoles will be
reset. Console proxies must be run per cell because the new console token
authorizations are stored in cell databases.
nova-consoleauth was deprecated in tripleo with:
I68485a6c4da4476d07ec0ab5e7b5a4c528820a4f
This change now removes the NovaConsoleauth Service.
[1] https://docs.openstack.org/releasenotes/nova/rocky.html
Related-Bug: #1828414
Depends-On: https://review.opendev.org/658081
Change-Id: I55d13aa079f40a97a7aeb60a636d8a7ce1d052c8
We no longer support ntp so we should remove the puppet classes and
puppet-ntp usage.
Change-Id: I8d813fdccb45a464e5bbecda2de0f322299cf6e3
Depends-On: https://review.opendev.org/#/c/656999/
Related-Blueprint: tripleo-chrony
When using the ovn provider, unless set, it would try to
connect to 127.0.0.1.
Change-Id: If8eb685dd21791b65845afd44fb483592b8bcc0c
Depends-On: https://review.openstack.org/653673
Closes-Bug: #1825146
In case of a multicell deployment the mysql and nova novncproxy
backend servers need to use the SERVICE_cell_node_names.
Also the novncproxy did use the nova_api_vip and
nova_api_node_[ips|names] information instead of
nova_vnc_proxy_vip and nova_vnc_proxy_node_[ips|names].
Change-Id: I606d1187a442c6ef6327a7503b6b5f0832cbb872
Related-Bug: #1822607
Add the ability to run the cinder-volume service in an active-active
configuration. This involves two settings:
1) Configure the service's cluster name. This is the signal to the
cinder-volume service that it should run in active-active mode.
2) Configure the "backend URL" cinder uses for its distributed lock
manager (DLM). This patch assumes that DLM is etcd3, and it's
accessible via an HTTP gateway.
Depends-On: Ib37c75952fed7c762a71dae3cd169b7753faf6f7
Change-Id: I615af64086d46356f322094d9f3b4e29557ed899
manila now [1] supports configuring an octal value for the
rwx permissions mode of the cephfs volumes and snapshots
and groups of these that back manila shares, snapshots,
and groups.
Expose this parameter in the backend manifests for manila
with cephfs.
[1] https://review.openstack.org/#/c/614332
Depends-On: https://review.openstack.org/#/c/638770/
Change-Id: Id8cbdfeff8299ff08a84c1c5902fb909353d4678
Qemu certs are not used by libvirt and therefore do not need a restart.
In case certs get renewed, right now qemu processes (instances) need to be
restarted. This removes the postsave_cmd and also restarts libvirt on cert
file change.
Change-Id: I1a72265b369271f7bdfd3aaa143aad14a861a90a
MongoDB hasn't been supported since Pike, it's time to remove the
deployment files. Starting in Stein, it's not possible to deploy MongoDB
anymore. It already changes the default zaqar management_store to
sqlalchemy and the zaqar messaging_store to redis, which is already
set by TripleO Heat Templates.
Change-Id: I470a7e8c25293b2f2cb5420be124a8809481478a
Allow tht parameter IronicInspectorSubnets to specify
per-instance ip range(s) using hostname as key for each
list of ip ranges. For HA deployments use disjoint
address pools to avoid potential address conflict.
Implements: blueprint ironic-inspector-overcloud
Change-Id: Ifae513265b8c35d98012f14f951bac33ae90b66c
Add the ability to configure the nfs_snapshot_support parameter
associated with Cinder's NFS backend.
Change-Id: I4df8e3941eb074339e399e5a5c44fa411ff21560
The NBD protocol previously ran in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS to the NBD clients & servers
provided by QEMU was added. In the tls-everywhere use case we want to
take advantage of this feature to create the certificates and configure
qemu to use nbd tls.
Related-bug: 1793093
Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
Change-Id: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45
This change allows getting better filtering at (r)syslog level, as
we can now dedicate a facility for this service.
Change-Id: I8fee040287940188f6bc6bc35bdbdaf6c234cbfd
Adapt wrapper containers for podman, which has no socket available.
Add container_cli parameter for base neutron class, default to docker.
Possible values: podman/docker (default). It is used by the wrappers
tooling to issue CLI commands to the host containers system.
Deprecate bind_socket so it does nothing for podman CLI.
Additionally, add debug triggers for the wrapper scripts messages to
become captured to the wrapper containers' stdout.
Do not stop and remove the existing container before launching a new
one. Allow the neutron parent process to control the process life
cycle. Although, make the wrapper containers clean up any exited
containers after its main process is terminated by the neutron parent
process. Additionally, if a name is already taken by a container,
give it a unique name and assume all the smooth transitioning work
to be done by the parent neutron process and that clean up logic
in the wrapper.
Closes-Bug: #1799484
Change-Id: Ib3c41a8bee349856d21f360595e41a9eafd79323
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Iterate over destination for each source to have the
correct return rules created. (Passing a list as
destination to tripleo::firewall::rule does not work.)
Also the "forward destinations" rules should use the
source addresses in the data for both source and
destination rules.
Change-Id: I3d572bf4aab65f5befb596f7c90c94fc0abe7afa
Closes-Bug: #1797455
Remove "hostgroup" as the fallback string for the default
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_backend_host value.
The cinder_rbd_backend_host parameter is only relevant for HA deployments,
when its value is set by the pacemaker version of the cinder-volume.yaml
TripleO heat template. For non-HA deployments, the parameter should be
undefined.
Closes-Bug: #1796359
Change-Id: I35e5b11bb57a7dd8a724102480b3e9ec56df0626
Add the ability to override the "backend_availability_zone" parameter
in every cinder volume backend.
Implements: blueprint split-controlplane-cinder-volume-az
Depends-On: I11821a38d8ba5afc594b3d601cd1634207a6f093
Change-Id: Ic407b747474b567858ad36beabc8a7d8c5022343
This solves the problem that bootstrap_nodeid, which is set to the
first node in each role via t-h-t, can match potentially more than
one node - e.g. in the event that a service is deployed such that it
spans more than one role.
The SERVICE_short_bootstrap_node_name is automatically generated
based on the composable service template service_name, and this
considers all roles where the service is enabled, e.g. it should
only evaluate true once regardless of the roles where the service
is enabled.
Change-Id: I48ec4549552910f3cb8db960b0ff10a6c61b4bb9
Partial-Bug: #1792613
The Dell EMC SC configuration option excluded_domain_ip has been
deprecated and will be removed in a future release. Deployments
should now migrate to the option excluded_domain_ips for
equivalent functionality.
Depends-On: https://review.openstack.org/#/c/604384/
Change-Id: Ib9218e7825fef83e41bdebaba3a444935c8a38e1
This reimplements commit 67a7dc70f2885b7db2a42bc28c25ece0bbeba3e4.
Copytruncate becomes a default for containerized logrotate. The
solution based on signals processing goes away.
As long as key deployment framework components heat-engine and
mistral-engine do not tolerate SIGHUP copytruncate should be used.
There are more openstack services, like neutron-server, nova-scheduler,
that cannot handle SIGHUP nicely yet.
Nor can we fall back to what predates the containerization of services
because of the following reasons:
* We cannot and should not use the restart command in postrotate as it
  was before containerization of services. For that a container needs
  to be privileged and granted a docker socket bind-mount, which is a
  total security antipattern and defeats the very purpose of
  containerization. Things may change with future adoption of Podman
  and/or kubelet control plane though. If/when that happens, we might
  consider an option for postrotate to terminate a process with
  SIGTERM, to have the process instantly respawned via its systemd
  unit/kubelet restart policies.
* Individual services' logrotate configs are worth nothing, when still
  being handled by a central logrotation container running crond. And
  it needs to remain centralized as individual containers neither
  run crond nor contain logrotate, nor should lightweight containers following
  12-factor apps recommendations do anything like that. Nor can the
  host logrotate/crond do rotation of logs for containers as we do/
  should not install required packages on the host, but only in
  containers. See also the spec [0] explaining the reasoning better.
All of that makes copytruncate a global choice for logs rotation of
containerized services as we just cannot be sure, if a service foo
*really* does correct processing of SIGHUP. We leave that option for
future implementation in the hope things get fixed eventually. As well
as the aforementioned systemd/kubelet option, or the option to provide
stdout only logging [0] and let the logrotate thing go.
[0] https://review.openstack.org/#/c/462900
Closes-Bug: #1795411
Related-Bug: #1276694
Change-Id: Ibdad7859a389d0ff37bbf7bfd9f4c521a05a5ea1
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
This added the "tripleo::<service name>::mysql_user" interface, which
allows folks to create databases, users and grants via hieradata instead
of having to modify puppet-tripleo.
Change-Id: I975d64c73e314159db0f6c1ada14a26491a46d1a
Make necessary changes for proper deployment
of ODL on IPv6 network.
Change-Id: Id7a0986f886a81b2041987b0d5a95edf2160e05e
Depends-On: Idd257cf4666b853eb4c52861f9f400b6dbdeeadb
Partial-Bug: #1783196
With nova metadata api running via wsgi we do not need the ssl proxy when
configuring tls-everywhere as we terminate ssl directly in the httpd wsgi.
With this change we only create the ssl proxy vhost if we do not run nova
metadata via wsgi.
Related-Bug: 1781405
Change-Id: Ia0e769925812e91679631bdd631030ab12ceff01
It is possible to configure bond over two virtual functions
for the vms in case of using mellanox interfaces.
Change-Id: Iaeee31a9edaefec25498a734cac6eda389c38ec5
With tls-everywhere enabled the connection from haproxy to the nova novnc
proxy was not encrypted. Now we request a certificate and configure haproxy
and the novnc proxy so that this remaining part of a vnc connection is
encrypted as well.
Change-Id: I4667706633205c240f2efb51663e6efbce5e344e
Related-bug: #1785700
Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
Copytruncate cannot fix the postrotate filter for lsof searching for
deleted (unlinked and open) files. Copytruncate instead makes the
filter matching nothing as it makes files never deleted after rotation
happens.
This reverts commit 67a7dc70f2885b7db2a42bc28c25ece0bbeba3e4.
Change-Id: I8a73819b4aa45813cbac310452b348681496032a
Since the openstack-glance package has been removed from the overcloud image
during the cleanup, the 'filesystem_store_metadata_file' file is failing to
be created on the host in case of glance netapp.
So, adding the metadata file creation part in puppet-tripleo.
Change-Id: I031a8921a74af137927ba83ee2307aafc13263cb
There is a case where OVS needs to have the OpenFlow configuration
resynced. The regsubst was only replacing one of the ports instead of
all, so sometimes the OpenFlow controller settings on OVS would have
ports 6640 instead of the right port (6653).
Closes-Bug: 1786037
Change-Id: I93e3d355625508fdc42f44bdd358f3ba86fbd8d7
Signed-off-by: Tim Rozet <trozet@redhat.com>
Use copytruncate and 'hourly' log rotation by default. Increase the
default max number of rotated files to 336, which corresponds to 14
days, so that the default period is retained as is.
With the copytruncate option enabled, logs should be hourly rotated to
decrease disk IO load when copying log files around. The default
maxsize of 10M is better maintained for frequent rotations done within a
day as well, so log files will not happen to become unexpectedly huge
at the end of it.
W/o copytruncate, the containerized logrotate sends no signals to
processes, as files are only renamed and not unlinked. That makes the
file-deletion-based filter fail, until the default period of 14
days expires. To fix that non-copytruncate case, post-rotate always
sends HUP (USR1 for httpd) signals to all processes holding open files
in the /var/log/containers host path. That also makes all services
reloaded hourly (there is still a random splay applied by cron though)
as a side effect.
With copytruncate ON, each rotation ensures the old log files will also be
deleted, so only affected services will be reloaded.
Additionally, send USR1 instead of HUP to reload httpd in containers
gracefully.
Closes-Bug: #1785659
Change-Id: I15fa0eab1625ac63fd57b6a6d5cd22a6ac85f221
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Add a resource that creates Cinder's default volume type. The
cinder::type provider executes osc commands, so this is only done once
on the bootstrap node, and at step 4 when the cinder_api service is
running.
Partial-Bug: #1782217
Change-Id: Ia23996abefdd1410fb86f04ed84a314f4364339c