348 Commits

Author SHA1 Message Date
Kevin Carter
a807661c4c Remove aide puppet manifest
The aide puppet manifest is being removed because the heat template
which invoked it has been converted to ansible. This change removes
the aide manifest and spec files accordingly.

Depends-On: I4479de4c157625be50fdbec33cbf43b30dd7558f

Change-Id: I9d63a38298311909e615e51e1e46dcc35652b351
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-05-28 10:41:06 -05:00
Robin Cernin
d319662c6c Allow custom per-service bind_options for haproxy
There are situations when it might be required to use different TLS
versions between the services. HAProxy configures the TLS version on the
bind line in the configuration, but that customization is missing.

At the moment we can only set TLS version globally via ssl_options

This code's idea is to configure it per-service. For example, with:
parameter_defaults:
   ExtraConfig:
      tripleo::haproxy::cinder::internal_bind_options: 'force-tlsv11'
      tripleo::haproxy::keystone_public::public_bind_options: 'force-tlsv12'
      tripleo::haproxy::horizon::public_bind_options: 'force-tlsv11'
      tripleo::haproxy::horizon::internal_bind_options: 'force-tlsv12'

We will get something like the following in the haproxy config:
listen cinder
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11
  ...

listen keystone_public
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:5000 transparent
  ...

listen horizon
  bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
  bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11
  bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12
  ...

The two {public,internal}_bind_options accept both strings and arrays of
strings.

Closes-Bug: #1829328

Change-Id: I4b724a515d729c2e8e0da9cb8f081b8325d51a6b
2019-05-18 19:41:03 +02:00
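The per-service bind options shown above decide which TLS floor each listener actually gets, and a pin such as force-tlsv11 is a downgrade rather than a hardening. What follows is an editor's added example, not code from puppet-tripleo or its author: a small Python audit that parses a rendered haproxy.cfg (the constructed sample is the config rendered in the commit message above), reads the force-tlsvXX and ssl-min-ver keywords on each bind line, and reports binds pinned below a TLS 1.2 floor, ssl binds left to the global ssl-default-bind-options, and version pins placed on binds that do not carry 'ssl' at all. The MIN_OK floor and the finding labels are this example's own choices.

```python
"""Audit the TLS floor of every bind line in a rendered haproxy.cfg."""

# Constructed sample: the config rendered in the commit message above, not a live host.
SAMPLE_CFG = """\
listen cinder
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11

listen keystone_public
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:5000 transparent

listen horizon
  bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
  bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11
  bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12
"""

# Policy floor for this audit (an assumption of the example): nothing below TLS 1.2.
MIN_OK = (1, 2)

# HAProxy bind keywords that pin the protocol version. force-tlsvXX pins exactly
# one version; ssl-min-ver sets a lower bound. Either one defines the floor.
FORCE = {"force-tlsv10": (1, 0), "force-tlsv11": (1, 1),
         "force-tlsv12": (1, 2), "force-tlsv13": (1, 3)}
MIN_VER = {"TLSv1.0": (1, 0), "TLSv1.1": (1, 1), "TLSv1.2": (1, 2), "TLSv1.3": (1, 3)}


def parse_binds(cfg):
    """Yield (section, address, options) for each bind line under a listen/frontend."""
    section = None
    for raw in cfg.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("listen", "frontend") and len(words) > 1:
            section = words[1]
        elif words[0] == "bind" and section is not None and len(words) > 1:
            yield section, words[1], words[2:]


def tls_floor(options):
    """Lowest TLS version the bind options allow, or None when nothing pins it."""
    floor = None
    for i, opt in enumerate(options):
        if opt in FORCE:
            floor = FORCE[opt]
        elif opt == "ssl-min-ver" and i + 1 < len(options) and options[i + 1] in MIN_VER:
            floor = MIN_VER[options[i + 1]]
    return floor


def audit(cfg, min_ok=MIN_OK):
    """Map "section address" to a finding for every bind that needs attention.

    unpinned               : terminates TLS but leaves the version to the global
                             ssl-default-bind-options (the ssl_options the commit mentions)
    weak:TLSvX.Y           : terminates TLS but allows a version below min_ok
    tls-option-without-ssl : carries a version pin but has no 'ssl', so the pin
                             constrains nothing on that listener
    """
    findings = {}
    for section, address, options in parse_binds(cfg):
        key = "%s %s" % (section, address)
        floor = tls_floor(options)
        terminates_tls = "ssl" in options
        if floor is not None and not terminates_tls:
            findings[key] = "tls-option-without-ssl"
        elif terminates_tls and floor is None:
            findings[key] = "unpinned"
        elif terminates_tls and floor < min_ok:
            findings[key] = "weak:TLSv%d.%d" % floor
    return findings


if __name__ == "__main__":
    for bind, finding in sorted(audit(SAMPLE_CFG).items()):
        print("%-50s %s" % (bind, finding))
```

Run against the sample, the audit flags the horizon public ssl bind as weak (TLS 1.1), the cinder public ssl bind as unpinned, and the three plaintext binds that carry force-tlsv1x as pins that constrain nothing; the keystone_public ssl bind pinned to TLS 1.2 passes. Feed it the real /etc/haproxy/haproxy.cfg from a controller to check what the hieradata actually produced.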
Martin Schuppert
e4039299fc Remove NovaConsoleauth Service
As of Rocky [1], the nova-consoleauth service has been deprecated and
cell databases are used for storing token authorizations. All new consoles
will be supported by the database backend and existing consoles will be
reset. Console proxies must be run per cell because the new console token
authorizations are stored in cell databases.

nova-consoleauth was deprecated in tripleo with:
I68485a6c4da4476d07ec0ab5e7b5a4c528820a4f

This change now removes the NovaConsoleauth Service.

[1] https://docs.openstack.org/releasenotes/nova/rocky.html

Related-Bug: #1828414

Depends-On: https://review.opendev.org/658081

Change-Id: I55d13aa079f40a97a7aeb60a636d8a7ce1d052c8
2019-05-10 07:01:42 +00:00
Alex Schultz
ce0cffe077 Remove ntp
We no longer support ntp so we should remove the puppet classes and
puppet-ntp usage.

Change-Id: I8d813fdccb45a464e5bbecda2de0f322299cf6e3
Depends-On: https://review.opendev.org/#/c/656999/
Related-Blueprint: tripleo-chrony
2019-05-03 12:07:16 -06:00
Rabi Mishra
d88db3ad71 Add support to set ovs_nb_connection
When using the ovn provider, unless it is set, it would try to
connect to 127.0.0.1.

Change-Id: If8eb685dd21791b65845afd44fb483592b8bcc0c
Depends-On: https://review.openstack.org/653673
Closes-Bug: #1825146
2019-04-18 13:47:49 +05:30
Martin Schuppert
bfc59e9382 Use cell information for mysql and novncproxy haproxy proxies
In case of a multicell deployment the mysql and nova novncproxy
backend servers need to use the SERVICE_cell_node_names.
Also the novncproxy did use the nova_api_vip and
nova_api_node_[ips|names] information instead of
nova_vnc_proxy_vip and nova_vnc_proxy_node_[ips|names]

Change-Id: I606d1187a442c6ef6327a7503b6b5f0832cbb872
Related-Bug: #1822607
2019-04-02 11:50:23 +02:00
Alan Bishop
427464f664 Support cinder-volume running active-active
Add the ability to run the cinder-volume service in an active-active
configuration. This involves two settings:

1) Configure the service's cluster name. This is the signal to the
   cinder-volume service that it should run in active-active mode.

2) Configure the "backend URL" cinder uses for its distributed lock
   manager (DLM). This patch assumes that DLM is etcd3, and it's
   accessible via an HTTP gateway.

Depends-On: Ib37c75952fed7c762a71dae3cd169b7753faf6f7
Change-Id: I615af64086d46356f322094d9f3b4e29557ed899
2019-03-06 13:25:14 -05:00
Tom Barron
32827b39c1 Support cephfs_volume_mode parameter
manila now [1] supports configuring an octal value for the
rwx permissions mode of the cephfs volumes and snapshots
and groups of these that back manila shares, snapshots,
and groups.

Expose this parameter in the backend manifests for manila
with cephfs.

[1] https://review.openstack.org/#/c/614332

Depends-On: https://review.openstack.org/#/c/638770/
Change-Id: Id8cbdfeff8299ff08a84c1c5902fb909353d4678
2019-02-23 07:36:18 -05:00
Martin Schuppert
a08257f0ae Remove postsave_cmd and restart libvirt on cert files change
Qemu certs are not used by libvirt and therefore do not need a restart.
In case certs get renewed, right now qemu processes (instances) need to be
restarted. This removes the postsave_cmd and also restarts libvirt on cert
file change.

Change-Id: I1a72265b369271f7bdfd3aaa143aad14a861a90a
2019-01-29 15:15:12 +01:00
Emilien Macchi
801b12b60e Remove MongoDB
MongoDB hasn't been supported since Pike, it's time to remove the
deployment files. Starting in Stein, it's not possible to deploy MongoDB
anymore. It already changes the default zaqar management_store to
sqlalchemy and the zaqar messaging_store to redis, which is already
set by TripleO Heat Templates.

Change-Id: I470a7e8c25293b2f2cb5420be124a8809481478a
2019-01-04 12:48:43 +00:00
Zuul
d29acc2aff Merge "Ironic Inspector - disjoint ip range(s) for HA" 2018-12-14 01:44:46 +00:00
Zuul
392d629d9f Merge "Add support for native TLS encryption on NBD for disk migration" 2018-12-13 21:49:30 +00:00
Harald Jensås
c2d84b4fee Ironic Inspector - disjoint ip range(s) for HA
Allow tht parameter IronicInspectorSubnets to specify
per-instance ip range(s) using hostname as key for each
list of ip ranges. For HA deployments use disjoint
address pools to avoid potential address conflict.

Implements: blueprint ironic-inspector-overcloud
Change-Id: Ifae513265b8c35d98012f14f951bac33ae90b66c
2018-12-12 08:18:04 +00:00
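The HA advice in the commit above (disjoint per-instance address pools) is easy to get wrong by hand once several hosts each carry several ranges. The following check is an editor's added example, not code from puppet-tripleo: it takes a hostname-to-ranges mapping and reports every pair of ranges on different hosts that share an address. The input shape (hostname -> list of "start,end" strings) and the sample data are assumptions made for the example, not the exact IronicInspectorSubnets schema.

```python
"""Check that per-host ironic-inspector DHCP ranges do not overlap."""
import ipaddress
from itertools import combinations

# Constructed input for this example. The shape (hostname -> list of "start,end"
# ranges) is an assumption made here, not the exact IronicInspectorSubnets schema.
INSPECTOR_RANGES = {
    "undercloud-0": ["192.168.24.100,192.168.24.120"],
    "undercloud-1": ["192.168.24.121,192.168.24.140"],
    "undercloud-2": ["192.168.24.135,192.168.24.150", "192.168.25.10,192.168.25.20"],
}


def parse_range(spec):
    """Turn "start,end" into a pair of ip_address objects, rejecting reversed ranges."""
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) != 2:
        raise ValueError("expected 'start,end', got %r" % spec)
    start, end = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
    if start.version != end.version or start > end:
        raise ValueError("invalid range %r" % spec)
    return start, end


def overlapping_pools(pools):
    """Return (host_a, range_a, host_b, range_b) for every pair of ranges on
    different hosts that share at least one address."""
    flat = [(host, spec, parse_range(spec))
            for host, specs in pools.items() for spec in specs]
    clashes = []
    for (ha, sa, (a0, a1)), (hb, sb, (b0, b1)) in combinations(flat, 2):
        if ha == hb or a0.version != b0.version:
            continue
        if a0 <= b1 and b0 <= a1:      # closed intervals intersect
            clashes.append((ha, sa, hb, sb))
    return clashes


if __name__ == "__main__":
    for ha, sa, hb, sb in overlapping_pools(INSPECTOR_RANGES):
        print("conflict: %s %s overlaps %s %s" % (ha, sa, hb, sb))
```

With the sample data the only conflict reported is between undercloud-1 and the first undercloud-2 range (.135 to .140 are claimed twice); the adjacent undercloud-0 and undercloud-1 pools touch but do not overlap, which is what an HA deployment wants.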
Alan Bishop
cadde08bc7 Add ability to configure Cinder's NFS snapshot support
Add the ability to configure the nfs_snapshot_support parameter
associated with Cinder's NFS backend.

Change-Id: I4df8e3941eb074339e399e5a5c44fa411ff21560
2018-12-06 11:29:15 -05:00
Martin Schuppert
62861db22d Add support for native TLS encryption on NBD for disk migration
The NBD protocol previously runs in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS to the NBD clients & servers
provided by QEMU was added. In tls-everywhere use case we want to
take advantage of this feature to create the certificates and configure
qemu to use nbd tls.

Related-bug: 1793093
Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
Change-Id: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45
2018-12-05 11:31:43 +01:00
Cédric Jeanneret
01d96ea057 Allow to set log facility for HAProxy
This change allows to get a better filtering at (r)syslog level, as
we can now dedicate a facility for this service.

Change-Id: I8fee040287940188f6bc6bc35bdbdaf6c234cbfd
2018-11-29 10:10:39 +01:00
Bogdan Dobrelya
6117cae693 Fix wrapper containers for podman w/o sockets
Adapt wrapper containers for podman, which has no socket available.

Add container_cli parameter for base neutron class, default to docker.
Possible values: podman/docker (default). It is used by the wrappers
tooling to issue CLI commands to the host containers system.
Deprecate bind_socket so it does nothing for podman CLI.

Additionally, add debug triggers for the wrapper scripts messages to
become captured to the wrapper containers' stdout.

Do not stop and remove the existing container before launching a new
one. Allow the neutron parent process to control the process life
cycle, but make the wrapper containers clean up any exited
containers after their main process is terminated by the neutron parent
process. Additionally, if a name is already taken by a container,
give it a unique name and assume all the smooth transitioning work
is done by the parent neutron process and the clean up logic
in the wrapper.

Closes-Bug: #1799484
Change-Id: Ib3c41a8bee349856d21f360595e41a9eafd79323
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-11-05 20:39:29 +00:00
Zuul
2f37e0870a Merge "Fix Undercloud masquerading firewall rules" 2018-11-02 09:54:10 +00:00
Zuul
680134b598 Merge "Dell EMC SC: Add use_multipath_for_image_xfer" 2018-11-01 22:17:10 +00:00
Harald Jensås
bebe7b8c58 Fix Undercloud masquerading firewall rules
Iterate over destination for each source to have the
correct return rules created. (Passing a list as
destination to tripleo::firewall::rule does not work.)

Also the "forward destinations" rules should use the
source addresses in the data for both source and
destination rules.

Change-Id: I3d572bf4aab65f5befb596f7c90c94fc0abe7afa
Closes-Bug: #1797455
2018-10-23 07:24:31 +00:00
rajinir
4342ac59b7 Dell EMC SC: Add use_multipath_for_image_xfer
This change adds support for
cinder::backend::dellsc_iscsi::use_multipath_for_image_xfer.

Change-Id: I69360b1ee167f8417876c9f6513981ef73e949ae
2018-10-22 10:58:40 -05:00
Alan Bishop
9379202860 Remove default value for cinder RBD backend_host
Remove "hostgroup" as the fallback string for the default
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_backend_host value.
The cinder_rbd_backend_host parameter is only relevant for HA deployments,
when its value is set by the pacemaker version of the cinder-volume.yaml
TripleO heat template. For non-HA deployments, the parameter should be
undefined.

Closes-Bug: #1796359
Change-Id: I35e5b11bb57a7dd8a724102480b3e9ec56df0626
2018-10-21 14:53:39 -04:00
Alan Bishop
ab13b5dc80 Add support for cinder backend availability zones
Add the ability to override the "backend_availability_zone" parameter
in every cinder volume backend.

Implements: blueprint split-controlplane-cinder-volume-az
Depends-On: I11821a38d8ba5afc594b3d601cd1634207a6f093
Change-Id: Ic407b747474b567858ad36beabc8a7d8c5022343
2018-10-18 09:18:17 -04:00
Zuul
fb5323c70a Merge "Dell EMC SC: Add support for excluded_domain_ips" 2018-10-16 19:16:53 +00:00
Zuul
4f41f317d5 Merge "Replace bootstrap_nodeid with SERVICE_short_bootstrap_node_name" 2018-10-16 09:24:52 +00:00
Zuul
c5713786f6 Merge "Add support for ODL-OVS IPv6 deployment" 2018-10-12 15:56:17 +00:00
Steven Hardy
9cde9139c4 Replace bootstrap_nodeid with SERVICE_short_bootstrap_node_name
This solves the problem that bootstrap_nodeid, which is set to the
first node in each role via t-h-t, can match potentially more than
one node - e.g in the event that a service is deployed such that it
spans more than one role.

The SERVICE_short_bootstrap_node_name is automatically generated
based on the composable service template service_name, and this
considers all roles where the service is enabled, e.g it should
only evaluate true once regardless of the roles where the service
is enabled.

Change-Id: I48ec4549552910f3cb8db960b0ff10a6c61b4bb9
Partial-Bug: #1792613
2018-10-12 10:14:48 +00:00
Zuul
c0f568ef97 Merge "Copytruncate containerized logrotate configuration" 2018-10-10 22:06:58 +00:00
Zuul
555f0a0718 Merge "Do not create metadata ssl proxy if we have metadata api via httpd wsgi" 2018-10-06 21:20:48 +00:00
rajinir
7fd1113baf Dell EMC SC: Add support for excluded_domain_ips
The Dell EMC SC configuration option excluded_domain_ip has been
deprecated and will be removed in a future release. Deployments
should now migrate to the option excluded_domain_ips for
equivalent functionality.

Depends-On: https://review.openstack.org/#/c/604384/
Change-Id: Ib9218e7825fef83e41bdebaba3a444935c8a38e1
2018-10-04 09:12:12 -05:00
Bogdan Dobrelya
2b223de04b Copytruncate containerized logrotate configuration
This reimplements commit 67a7dc70f2885b7db2a42bc28c25ece0bbeba3e4.
Copytruncate becomes a default for containerized logrotate. The
solution based on signals processing goes away.

As long as key deployment framework components heat-engine and
mistral-engine do not tolerate SIGHUP, copytruncate should be used.

There are more openstack services, like neutron-server and nova-scheduler,
that cannot handle SIGHUP nicely yet.

Nor can we fall back to what predates the containerization of services,
because of the following reasons:

* We cannot and should not use the restart command in postrotate as it
  was before containerization of services. For that a container needs
  to be privileged and granted a docker socket bind-mount, which is a
  total security antipattern and defeats the very purpose of
  containerization. Things may change with future adoption of Podman
  and/or kubelet control plane though. If/when that happens, we might
  consider an option for postrotate to terminate a process with
  SIGTERM, to have the process instantly respawned via its systemd
  unit/kubelet restart policies.

* Individual services' logrotate configs are worth nothing when still
  being handled by a central log rotation container running crond. And
  it needs to remain centralized, as individual containers neither
  run crond nor contain logrotate, nor should lightweight containers
  following 12-factor app recommendations do anything like that. Nor
  can the host logrotate/crond do rotation of logs for containers, as
  we do/should not install required packages on the host, but only in
  containers. See also the spec [0] explaining the reasoning better.

All of that makes copytruncate a global choice for log rotation of
containerized services, as we just cannot be sure if a service foo
*really* does correct processing of SIGHUP. We leave that option for
future implementation in the hope things get fixed eventually. As well
as the aforementioned systemd/kubelet option, or the option to provide
stdout only logging [0] and let the logrotate thing go.

[0] https://review.openstack.org/#/c/462900

Closes-Bug: #1795411
Related-Bug: #1276694
Change-Id: Ibdad7859a389d0ff37bbf7bfd9f4c521a05a5ea1
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-10-03 14:34:00 +02:00
Zuul
ac5f1dc080 Merge "Create interface to create mysql resources via hieradata" 2018-09-18 17:09:54 +00:00
Juan Antonio Osorio Robles
0730ff23b9 Create interface to create mysql resources via hieradata
This adds the "tripleo::<service name>::mysql_user" interface, which
allows folks to create databases, users and grants via hieradata instead
of having to modify puppet-tripleo.

Change-Id: I975d64c73e314159db0f6c1ada14a26491a46d1a
2018-09-17 22:57:06 -06:00
Zuul
731ca78de8 Merge "Move metadata file creation of glance netapp to puppet-tripleo from THT" 2018-09-06 15:18:59 +00:00
Janki Chhatbar
66292a5886 Add support for ODL-OVS IPv6 deployment
Make necessary changes for proper deployment
of ODL on IPv6 network.

Change-Id: Id7a0986f886a81b2041987b0d5a95edf2160e05e
Depends-On: Idd257cf4666b853eb4c52861f9f400b6dbdeeadb
Partial-Bug: #1783196
2018-08-24 09:30:37 +05:30
Martin Schuppert
a8bef7a313 Do not create metadata ssl proxy if we have metadata api via httpd wsgi
With the nova metadata api running via wsgi we do not need the ssl proxy when
configuring tls-everywhere, as we terminate ssl directly in the httpd wsgi.
With this change we only create the ssl proxy vhost if we do not run nova
metadata via wsgi.

Related-Bug: 1781405

Change-Id: Ia0e769925812e91679631bdd631030ab12ceff01
2018-08-22 15:30:16 +02:00
Zuul
e53e14b0e4 Merge "SSL support for haproxy -> novnc proxy connection" 2018-08-21 11:17:58 +00:00
Zuul
42aa17f606 Merge "Remove support for manila::backend::cephfsnative class" 2018-08-21 06:37:00 +00:00
Zuul
32b59eccc7 Merge "Adding support for VF LAG in SR-IOV for Mellanox interfaces" 2018-08-20 21:45:05 +00:00
Zuul
aa6205ebc8 Merge "Configure cinder's default volume type" 2018-08-20 21:45:02 +00:00
Zuul
ecfa5bd3c6 Merge "Move nova-metadata api to httpd wsgi" 2018-08-20 15:34:10 +00:00
waleed mousa
cd7232bb8c Adding support for VF LAG in SR-IOV for Mellanox interfaces
It is possible to configure bond over two virtual functions
for the vms in case of using mellanox interfaces.

Change-Id: Iaeee31a9edaefec25498a734cac6eda389c38ec5
2018-08-19 05:50:05 +00:00
malei
643abd1cde Remove the duplicated word
Change-Id: I65a4867b883f216dde10482166f9827c498ff083
2018-08-17 15:50:33 +08:00
Martin Schuppert
1587c21d7f SSL support for haproxy -> novnc proxy connection
With tls-everywhere enabled the connection from haproxy to the nova novnc
proxy was not encrypted. Now we request a certificate and configure haproxy
and the novnc proxy so that this remaining part of a vnc connection is
encrypted as well.

Change-Id: I4667706633205c240f2efb51663e6efbce5e344e
Related-bug: #1785700
Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
2018-08-15 16:06:10 +01:00
Bogdan Dobrelya
263418824f Revert "Fix containerized logrotate configuration"
Copytruncate cannot fix the postrotate filter for lsof searching for
deleted (unlinked and open) files. Copytruncate instead makes the
filter match nothing, as it makes files never get deleted after rotation
happens.

This reverts commit 67a7dc70f2885b7db2a42bc28c25ece0bbeba3e4.

Change-Id: I8a73819b4aa45813cbac310452b348681496032a
2018-08-14 12:24:29 +02:00
Zuul
451e76b5f8 Merge "Fix containerized logrotate configuration" 2018-08-10 02:31:29 +00:00
Pranali Deore
2f80fa1b1a Move metadata file creation of glance netapp to puppet-tripleo from THT
Since the openstack-glance package has been removed from the overcloud image
during the cleanup, the 'filesystem_store_metadata_file' file fails to be
created on the host in case of glance netapp.

So, adding the metadata file creation part in puppet-tripleo.

Change-Id: I031a8921a74af137927ba83ee2307aafc13263cb
2018-08-09 05:24:23 +00:00
Tim Rozet
54188dbcf0 Fixes ODL issue where OF port may be set wrong
There is a case where OVS needs to have the OpenFlow configuration
resynced. The regsubst was only replacing one of the ports instead of
all, so sometimes the OpenFlow controller settings on OVS would have
port 6640 instead of the right port (6653).

Closes-Bug: 1786037

Change-Id: I93e3d355625508fdc42f44bdd358f3ba86fbd8d7
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-08-08 09:23:11 -04:00
Bogdan Dobrelya
67a7dc70f2 Fix containerized logrotate configuration
Use copytruncate and 'hourly' log rotation by default.  Increase the
default max number of rotated files to 336, which corresponds to 14
days, so that default period retained as is.

With the copytruncate option enabled, logs should be hourly rotated to
decrease disk IO load when copying log files around. The default
maxsize of 10M is better maintained for frequent rotations done within a
day as well, so log files will not happen to become unexpectedly huge
at the end of it.

W/o copytruncate, the containerized logrotate sends no signals to
processes, as files are only renamed and not unlinked. That makes the
file-deletion-based filter fail, until the default period of 14
days expires. To fix that non-copytruncate case, post-rotate always
sends HUP (USR1 for httpd) signals to all processes holding open files
in the /var/log/containers host path. That also makes all services
reloaded hourly (there is still a random splay applied by cron though)
as a side effect.

With copytruncate ON, each rotation ensures the old log files will also be
deleted, so only affected services will be reloaded.

Additionally, send USR1 instead of HUP to reload httpd in containers
gracefully.

Closes-Bug: #1785659

Change-Id: I15fa0eab1625ac63fd57b6a6d5cd22a6ac85f221
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-08-06 18:08:47 +02:00
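Both this commit and the later "Copytruncate containerized logrotate configuration" commit above rest on one fact: a containerized process that is never signalled keeps writing to whatever inode its log fd was opened on, so rename-based rotation silently diverts its output into the rotated file, while copytruncate keeps the inode in place. The following is an editor's added example, not code from puppet-tripleo or from the commit author: it simulates one rotation with each strategy against a writer that never reopens its log, inside a throwaway temp directory, and returns how many lines end up in the live and rotated files. The file names and strategy labels are this example's own.

```python
"""Why rename-based rotation loses lines for a writer that never reopens its log."""
import os
import tempfile


def rotate(strategy):
    """Simulate one logrotate run against a process that keeps its log fd open.

    strategy: "rename" (logrotate's default, plus the 'create' directive) or
    "copytruncate". Returns (lines_in_live_log, lines_in_rotated_log) after the
    writer's post-rotation write. Everything happens in a temp dir; nothing on
    the host is touched.
    """
    workdir = tempfile.mkdtemp(prefix="logrotate-demo-")
    live = os.path.join(workdir, "app.log")
    rotated = live + ".1"

    # Append mode matters: with O_APPEND the kernel writes at end-of-file after a
    # truncate. Without it the writer would keep its old offset and leave a
    # sparse, NUL-filled gap after copytruncate.
    writer = open(live, "a")
    writer.write("before rotation\n")
    writer.flush()

    if strategy == "rename":
        os.rename(live, rotated)          # inode moves; the open fd follows it
        open(live, "a").close()           # logrotate's 'create' makes a fresh, empty file
    elif strategy == "copytruncate":
        with open(live, "rb") as src, open(rotated, "wb") as dst:
            dst.write(src.read())         # copy contents to the rotated name
        os.truncate(live, 0)              # then truncate in place; the inode is unchanged
        # Caveat: anything the writer emits between the copy and the truncate is lost.
    else:
        raise ValueError("unknown strategy: %s" % strategy)

    # The writer was never sent SIGHUP/USR1, so it keeps writing to the same fd.
    writer.write("after rotation\n")
    writer.flush()
    writer.close()

    def count(path):
        with open(path) as fh:
            return sum(1 for _ in fh)

    result = (count(live), count(rotated))
    for path in (live, rotated):
        os.remove(path)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print("rename:", rotate("rename"))               # new lines land in app.log.1
    print("copytruncate:", rotate("copytruncate"))   # new lines stay in app.log
```

With "rename" the live app.log stays empty and both lines sit in app.log.1, which is exactly the situation the postrotate signals were meant to repair; with "copytruncate" the post-rotation line lands in the live file without any signal, at the cost of the small copy-to-truncate window noted in the code.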
Alan Bishop
5e87dffbee Configure cinder's default volume type
Add a resource that creates Cinder's default volume type. The
cinder::type provider executes osc commands, so this is only done once
on the bootstrap node, and at step 4 when the cinder_api service is
running.

Partial-Bug: #1782217
Change-Id: Ia23996abefdd1410fb86f04ed84a314f4364339c
2018-08-06 12:01:17 -04:00