Upstream will deprecate the usage of eventlet for all the WSGI-run
services, including nova-api and nova-metadata-api.
See https://review.openstack.org/#/c/549510/ for more details.
With this change we move nova-metadata to run via httpd wsgi,
and it therefore uses its own config volume.
Depends-On: Ic65736cb0e95c400a728cd699ecf06c6aecff832
Change-Id: Ic46acdbac280ac648ec5ed9d7af0139126334fe0
Closes-Bug: 1781405
OpenFlow flows for table 17 now only appear after a port is created and
there is no longer a default flow during the deploy stage. Therefore
remove the check for table 17 existing during deployment.
Closes-Bug: 1781616
Change-Id: Ie988ba6a2d444a614e97c0edf5fce24b23970310
Signed-off-by: Tim Rozet <trozet@redhat.com>
With the change in https://review.openstack.org/#/c/561784/3 we need to
make sure that the new port range gets applied to the qemu.conf file.
This change includes ::nova::migration::qemu to
::tripleo::profile::base::nova::libvirt
Change-Id: Idadfc7b3507977f1385e846a48a734ed0e5f0a32
Closes-bug: 1779820
Since mounting nfs would run via ansible in t-h-t,
puppet-tripleo glance nfs_mount.pp would no longer be
used.
Hence, removing all glance nfs related parts from here.
Depends-On: I232577643c26d7eb0162c09b3c394b7f3e161154
Change-Id: I617c38266d17fdf8cade660207e1e369dcd54fdb
This class was replaced by manila::backend::cephfs
in openstack/puppet-manila in the Pike release.
See corresponding change in openstack/puppet-manila [1]
[1] Ib13dfc6ffa77e96f5738c2ca3f9646a80aded659
Change-Id: I6757cd2368021b55775ad54931aa0b78c8383a68
Some flows may be missing in OVS (on a per table basis) when deploying
with OpenDaylight. There is no OpenDaylight fix yet for this issue, so
this patch implements a workaround. The workaround is to check if all
the tables exist on each OVS node. If they are missing, then reset the
OpenFlow connection to the ODL controller, which will result in ODL
pushing the flows again and inserting the missing flows.
Closes-Bug: 1775436
Change-Id: I28d13a26198268cfd1f3e9e64236605f24319a04
Signed-off-by: Tim Rozet <trozet@redhat.com>
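The detection half of the workaround above, as an added shell example that is not puppet-tripleo's own code: it parses `ovs-ofctl dump-flows` output and reports expected tables that carry no flows. The expected table numbers, the sample dump and the bridge name are constructed assumptions; how the OpenFlow connection to ODL is then reset is left out.

```shell
#!/bin/sh
# Added example (not puppet-tripleo's own code): the detection half of the
# workaround. Given `ovs-ofctl dump-flows` output and the table numbers the
# deployment expects, print the tables that carry no flows at all.
missing_ovs_tables() {
    dump="$1"; shift            # remaining arguments: expected table numbers
    # Every flow line carries "table=N"; collect the distinct N that appear.
    present=$(printf '%s\n' "$dump" | sed -n 's/.*table=\([0-9][0-9]*\).*/\1/p' | sort -un)
    for t in "$@"; do
        printf '%s\n' "$present" | grep -qx "$t" || printf '%s\n' "$t"
    done
}

# Wrapper for a live bridge (ODL bridges need OpenFlow 1.3 to show tables > 0);
# the caller decides how to reset the controller connection when the result is
# non-empty. That reset step is not shown here.
check_bridge_tables() {
    bridge="$1"; shift
    missing_ovs_tables "$(ovs-ofctl -O OpenFlow13 dump-flows "$bridge")" "$@"
}

# Constructed, abbreviated dump-flows output with flows in tables 0 and 17 but
# none in table 21; the expected table list is also a constructed sample.
SAMPLE_DUMP=' cookie=0x8000000, duration=91.2s, table=0, n_packets=4, n_bytes=336, priority=4,in_port=1 actions=resubmit(,17)
 cookie=0x8000001, duration=91.1s, table=17, n_packets=4, n_bytes=336, priority=10 actions=goto_table:21'
EXPECTED_TABLES="0 17 21"

missing=$(missing_ovs_tables "$SAMPLE_DUMP" $EXPECTED_TABLES)
if [ -n "$missing" ]; then
    echo "missing tables: $(echo $missing)"   # prints: missing tables: 21
else
    echo "all expected tables present"
fi
```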
The vast majority of undercloud installs will be consuming already
built images, so they don't need kolla to be installed.
This changes the default so that openstack-kolla won't be installed
unless the user enables that with enable_container_images_build.
Change-Id: I932f0f2048275942e29b589b337561473d5cb0b8
Deployment of a managed Ceph cluster using puppet-ceph
is not supported from the Pike release. From Queens, the
use of puppet-ceph is not supported when using an
external Ceph cluster either.
This change removes the old manifests necessary to
support deployment of Ceph via puppet-ceph.
Templates removed by I17b94e8023873f3129a55e69efd751be0674dfcb
Depends-On: I8b22917e7436084028ef4fbe7604d28d6a68bee0
Implements: blueprint remove-puppet-ceph
Change-Id: I052af1f755b40a5fefa1f8d37e62b6b36c931271
Set the logrotate maxage parameter to purge_after_days
as well.
Rework additional retention rules of files in
/var/log/containers in the containerized logrotate
postrotate script. The rules are based on any of the
listed criteria met:
* time of last access of contents (atime) exceeds
purge_after_days,
* time of last modification of contents (mtime) exceeds
purge_after_days,
* time of last modification of the inode (metadata, ctime)
exceeds purge_after_days.
Forcibly purge expired files with each containerized
logrotate run triggered via cron. Note that the files' creation
time (the Birth attribute) is not taken into account as it
cannot be accessed normally by system operators (depends on FS
type). Retention policies based on the creation time must
be managed elsewhere.
Related-Bug: #1771543
Change-Id: I9afa22f7dd344a29747206b286520a76d70d704b
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
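The retention rule above (expire when any of atime, mtime or ctime exceeds purge_after_days, never the Birth time), as an added shell example that is not puppet-tripleo's own postrotate script; the directory, day count and demo file names are constructed.

```shell
#!/bin/sh
# Added example (not the puppet-tripleo postrotate script): purge files under a
# log directory when ANY of atime, mtime or ctime is older than N days.
# Creation time (Birth) is deliberately not consulted, matching the rule above.

# Print the files a purge would remove, without deleting them (dry run).
list_expired_logs() {
    dir="$1"
    days="$2"
    # -atime/-mtime/-ctime +N match timestamps more than N*24h in the past;
    # -o joins the three criteria with OR.
    find "$dir" -type f \
        \( -atime +"$days" -o -mtime +"$days" -o -ctime +"$days" \) -print
}

# Forcibly remove expired files, as the cron-triggered logrotate run does.
purge_expired_logs() {
    dir="$1"
    days="$2"
    find "$dir" -type f \
        \( -atime +"$days" -o -mtime +"$days" -o -ctime +"$days" \) \
        -exec rm -f {} +
}

# Stand-alone demo on a constructed directory (not /var/log/containers):
# one rotated log dated 2018 and one fresh log; only the old one is removed.
demo_dir=$(mktemp -d)
touch -t 201801010000 "$demo_dir/nova-api.log.3.gz"   # atime+mtime in 2018
touch "$demo_dir/nova-api.log"                         # all timestamps now
echo "would purge:"; list_expired_logs "$demo_dir" 14
purge_expired_logs "$demo_dir" 14
echo "remaining:"; ls "$demo_dir"
rm -rf "$demo_dir"
```

The 2018 file's ctime is still "now", so it is removed on the strength of atime/mtime alone, which is exactly the any-criterion behaviour the commit describes.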
The upstream puppet-cinder modules have been updated to remove
deprecated parameters. We were still passing in deprecated options for
the netapp volume. This change ports the backwards compatibility that
was being done in puppet-cinder into puppet-tripleo. This should be
dropped in a later cycle.
Change-Id: I08f548c7784f4e00add26aafc26a9671f503bb97
Closes-Bug: #1773188
After purge_after_days (defaults to 14), forcibly remove
any rotated and compressed logs of containerized services
in /var/log/containers. This overrides any related
containerized logrotate configuration used for
containerized services.
Allow to alter rotation interval for log files managed
via containerized logrotate. Defaults to 'daily'
and rotate 14 (days).
Use sharedscripts to clean up files in the postrotate
script only once.
Additionally, to enforce GDPR compliance of log files
in /var/log/containers, put them under logrotate management
(minsize 1) and always compress. Prohibit the size option
as it does not honor time-based constraints required by
GDPR. Forcibly remove all files but those rotated and
compressed logs, via the postscript section.
Partial-bug: #1771543
Change-Id: Id8e4717a5ecda53bc9cd39f1c2efaa80b56bd45e
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
These profiles are replaced by https://github.com/openstack/ansible-role-container-registry,
so we deprecate them now and will remove the code in the future.
Depends-On: Iee0e08cd48f173a39a6f3a1ea54b29e370d4f334
Change-Id: I9e2a475e4582deec383b92f368e9a834122f65bb
The neutron agents use subprocesses like dnsmasq and keepalived as part
of their implementation. Running these "subprocesses" in separate
containers prevents dataplane breakages/unnecessary failover on agent
container restart.
Also amends docker daemon options to allow including additional unix
domain sockets to bind to the docker daemon. The paths can be mounted by
containers that launch containers instead of mounting /run/docker.sock.
This avoids issues if the docker daemon is restarted while the containers
are running.
Related-Bug: #1749209
Change-Id: Icd4c24ac686d957391548a04722266cefc1bce27
This patch removed listen_options for ODL:
https://review.openstack.org/#/c/562036/
This introduced a regression where default options were then applied
for ODL, including httpchk. This does not work with ODL because ODL
will not respond to an HTTP GET without specific paths used. This patch
adds the correct path that may be used to issue the HTTP backend check.
Closes-Bug: 1768037
Change-Id: I60bdfc436044851ac02449c262d382b07b888f79
Signed-off-by: Tim Rozet <trozet@redhat.com>
For OpenDaylight Websocket connections we were not using transparent
binding type with HA Proxy. This means that HA Proxy was not able to
start on nodes that did not have the VIP because it was unable to bind
to that IP on more than one node. However, transparent binding works OK
with OpenDaylight Websocket and should be fine to enable so that HA
Proxy is able to start on every controller.
Closes-Bug: 1764514
Change-Id: I89e6115795ece6735e816ab71b5b552b17f7b943
Signed-off-by: Tim Rozet <trozet@redhat.com>
Splitting up service plugin and agent allows operators to deploy
neutron-lbaas with greater granularity over what one wants to get
installed and configured. For example, one may want to configure only one of
the two.
Change-Id: If3af333b34d2af764d111d49e981f9d3a170d803
Since neutron UID is not static, setting the owners on the certificates
in the host to be 'neutron' will not match the UID for neutron in the
deployed container. Therefore this patch removes the host neutron
ownership and leaves it as root, so that it can be later modified in the
container to be chowned to neutron.
Partial-Bug: 1759049
Change-Id: I83b14b91d1ee600bd9d5863acba34303921368ce
Signed-off-by: Tim Rozet <trozet@redhat.com>
This will add the Nova cleanup for the shadow
tables.
Depends-On: I2dcf37417c36fb8b1bde207c60d22d580005715c
Change-Id: I1ebfb0964b00920d787115cfc997bcf0494081c9
This commit introduces separate oslo.messaging services in place of
a single rabbitmq server. This enables the separation of rpc and
notifications, the continued use of single rabbitmq server as well
as the use of alternative oslo.messaging drivers/backends.
This patch:
* adds oslo_messaging_* hiera parameters
* updates rabbitmq and qdrouterd services
* adds release note
Depends-On: I03e99d35ed043cf11bea9b7462058bd80f4d99da
Depends-On: I934561612d26befd88a9053262836b47bdf4efb0
Change-Id: Ie181a92731e254b7f613ad25fee6cc37e985c315
Deployments were failing because the owner/group of the TLS generated
certificate and key were set to 'odl'. This user and group does not
exist in a containerized deployment because the ODL RPM is only
installed in the container.
This patch leaves the owner as root for the files which works because
the files are only used to generate a keystore for ODL (which is owned
by odl), and the cert/key files themselves are never read by ODL.
Closes-Bug: 1757135
Change-Id: Ie5b9e98ea2fc16b820d56272653df4874e81cf68
Signed-off-by: Tim Rozet <trozet@redhat.com>
This commit selects either the rabbitmq hosts or the
hosts associated to oslo.messaging rpc and notify services.
This is required for the transition of t-h-t to the use
of the separated oslo.messaging service backends.
This patch:
* select rpc and notify hosts from rabbitmq or oslo_messaging
* modify qdrouterd inter-router link port
* update qdr unit spec
* add release note
Needed-By: I934561612d26befd88a9053262836b47bdf4efb0
Change-Id: I154e2fe6f66b296b9b643627d57696e5178e1815
There are situations where it would be advantageous to let
an operator specify custom per-service options.
One such use case seen in the wild is to extend the timeout of the cinder
service because, due to the specific storage backend, these cinder operations
sometimes take a bit longer. Letting the user tweak the
haproxy_default_timeout is likely not what we want, as for the case
above we only want to tweak a single service.
We explored another approach to fix this by adding a bunch of
<service>_options class parameters in the tripleo::haproxy class, but it
made it extremely bloated and confusing, so we opted for this approach
which is much less invasive both code-wise and complexity-wise.
Tested by deploying with:
  ExtraConfig:
    tripleo::haproxy::cinder::options:
      "timeout client": '90m'
      'timeout server': '90m'
And observing the following cinder haproxy stanza:
  listen cinder
    bind 10.0.0.4:8776 transparent
    bind 172.16.2.9:8776 transparent
    mode http
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    option httpchk
    option httplog
    timeout client 90m
    timeout server 90m
    server overcloud-controller-0.internalapi.localdomain 172.16.2.7:8776 check fall 5 inter 2000 rise 2
    server overcloud-controller-1.internalapi.localdomain 172.16.2.16:8776 check fall 5 inter 2000 rise 2
    server overcloud-controller-2.internalapi.localdomain 172.16.2.13:8776 check fall 5 inter 2000 rise 2
Closes-Bug: #1755711
Change-Id: Icb7f026190b310d34c47dc059e2fdb22031b0963
This forces HAProxy to only accept newer versions of TLS, which allows
us to meet FedRAMP requirements.
Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
Related-Bug: #1754368