348 Commits

Author SHA1 Message Date
Martin Schuppert
54c505f196 Move nova-metadata api to httpd wsgi
Upstream will deprecate usage of eventlet for all the WSGI-run
services, including nova-api and nova-metadata-api.
See https://review.openstack.org/#/c/549510/ for more details.

With this change we move nova-metadata to run via httpd wsgi
and it therefore uses its own config volume.

Depends-On: Ic65736cb0e95c400a728cd699ecf06c6aecff832

Change-Id: Ic46acdbac280ac648ec5ed9d7af0139126334fe0
Closes-Bug: 1781405
2018-07-31 09:59:46 +02:00
Tim Rozet
463d3f3a63 Remove table 17 from OVS OF pipeline sync
OpenFlow flows for table 17 now only appear after a port is created and
there is no longer a default flow during the deploy stage. Therefore
remove the check for table 17 existing during deployment.

Closes-Bug: 1781616

Change-Id: Ie988ba6a2d444a614e97c0edf5fce24b23970310
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-07-13 11:03:12 -04:00
Martin Schuppert
ed16fdc55d Make sure we apply qemu config changes
With the change in https://review.openstack.org/#/c/561784/3 we need to
make sure that the new port range gets applied to the qemu.conf file.
This change includes ::nova::migration::qemu to
::tripleo::profile::base::nova::libvirt

Change-Id: Idadfc7b3507977f1385e846a48a734ed0e5f0a32
Closes-bug: 1779820
2018-07-03 11:00:26 +02:00
Zuul
1d836c24fe Merge "Remove all glance nfs changes from puppet-tripleo" 2018-07-02 22:34:32 +00:00
Zuul
e3157ab695 Merge "Add manifest for networking_ansible ML2 plugin" 2018-06-30 09:13:35 +00:00
rajinir
0d337fa5d5 Update DellEMC Manila Unity driver
This patch adds the following 3 options:
* network_plugin_ipv6_enabled
* emc_ssl_cert_verify
* emc_ssl_cert_path

Closes Bug: #1778124

Change-Id: I6330862def3ffce0aa187239829eda285dd16ab1
2018-06-21 14:39:04 -05:00
rajinir
43218af47e Update DellEMC Manila VNX driver
This patch adds the following 3 options:
* network_plugin_ipv6_enabled
* emc_ssl_cert_verify
* emc_ssl_cert_path

Closes Bug: #1778123

Change-Id: I99c2d9a27502af76e98e4c0b161bb3a31828520c
2018-06-21 14:27:04 -05:00
rabi
389870dd16 Add manifest for networking_ansible ML2 plugin
Change-Id: Id043105b663222ec217c300ed398ab2898684d92
Depends-On: https://review.openstack.org/577073
2018-06-21 15:17:00 +05:30
Pranali Deore
323726c58f Remove all glance nfs changes from puppet-tripleo
Since mounting nfs would run via ansible in t-h-t,
puppet-tripleo glance nfs_mount.pp would no longer be
used.

Hence removing all glance nfs related part from here.

Depends-On: I232577643c26d7eb0162c09b3c394b7f3e161154
Change-Id: I617c38266d17fdf8cade660207e1e369dcd54fdb
2018-06-19 14:30:12 +05:30
Goutham Pacha Ravi
696e107eab Remove support for manila::backend::cephfsnative class
This class was replaced by manila::backend::cephfs
in openstack/puppet-manila in the Pike release.

See corresponding change in openstack/puppet-manila [1]

[1] Ib13dfc6ffa77e96f5738c2ca3f9646a80aded659

Change-Id: I6757cd2368021b55775ad54931aa0b78c8383a68
2018-06-18 14:04:08 -07:00
Zuul
0fdf746fd5 Merge "Don't install kolla by default" 2018-06-09 02:12:54 +00:00
Tim Rozet
199ddad31b Adds check and resyncs ODL/OVS OF pipeline
Some flows may be missing in OVS (on a per table basis) when deploying
with OpenDaylight. There is no OpenDaylight fix yet for this issue, so
this patch implements a workaround. The workaround is to check if all
the tables exist on each OVS node. If they are missing, then reset the
OpenFlow connection to the ODL controller, which will result in ODL
pushing the flows again and inserting the missing flows.

Closes-Bug: 1775436

Change-Id: I28d13a26198268cfd1f3e9e64236605f24319a04
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-06-06 14:06:48 -04:00
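The per-table check described in the commit above, as an added shell example that is not puppet-tripleo's own code: `missing_tables` parses `ovs-ofctl dump-flows` output (a constructed sample is embedded so it runs without OVS) and reports which expected tables carry no flow at all; `resync_pipeline` then forces a new OpenFlow session by removing and re-adding the bridge's controller with `ovs-vsctl`. The bridge name `br-int`, the list of expected table numbers and the del-controller/set-controller reconnect method are assumptions here, not the project's implementation.

```shell
#!/bin/sh
# Added example, not puppet-tripleo's own code: report OVS tables that hold
# no flows and, if any are missing, force a fresh OpenFlow session so the
# ODL controller re-pushes its pipeline. Bridge name, expected table list
# and the reconnect method (del-/set-controller) are assumptions.

# Constructed sample of `ovs-ofctl -O OpenFlow13 dump-flows br-int`;
# tables 21 and 23 are deliberately absent.
SAMPLE_DUMP='OFPST_FLOW reply (OF1.3) (xid=0x2):
 cookie=0x8000000, duration=120.5s, table=0, n_packets=0, n_bytes=0, priority=0 actions=goto_table:17
 cookie=0x8000001, duration=120.5s, table=18, n_packets=0, n_bytes=0, priority=0 actions=goto_table:38
 cookie=0x8000002, duration=120.5s, table=20, n_packets=0, n_bytes=0, priority=0 actions=goto_table:80
 cookie=0x8000003, duration=120.5s, table=22, n_packets=0, n_bytes=0, priority=0 actions=goto_table:23'

# missing_tables TABLE...     (dump-flows text on stdin)
# Prints, space separated, the expected tables that have no flow at all.
# "goto_table:N" in an action is not a flow in table N, so only "table=N"
# match fields are counted.
missing_tables() {
  mt_present=$(grep -o 'table=[0-9]*' | cut -d= -f2 | sort -un)
  mt_missing=""
  for mt_t in "$@"; do
    if ! printf '%s\n' "$mt_present" | grep -qx "$mt_t"; then
      mt_missing="${mt_missing:+$mt_missing }$mt_t"
    fi
  done
  printf '%s\n' "$mt_missing"
}

# resync_pipeline BRIDGE TABLE...
# Runs the check against the live bridge; on a gap, drops and re-adds the
# controller so the connection is re-established and ODL re-installs flows.
resync_pipeline() {
  rp_bridge=$1; shift
  rp_missing=$(ovs-ofctl -O OpenFlow13 dump-flows "$rp_bridge" | missing_tables "$@")
  if [ -z "$rp_missing" ]; then
    echo "$rp_bridge: all expected tables have flows"
    return 0
  fi
  echo "$rp_bridge: no flows in table(s) $rp_missing, resetting controller connection" >&2
  rp_ctl=$(ovs-vsctl get-controller "$rp_bridge")
  if [ -z "$rp_ctl" ]; then
    echo "$rp_bridge has no controller configured" >&2
    return 1
  fi
  ovs-vsctl del-controller "$rp_bridge"
  # $rp_ctl is intentionally unquoted: get-controller prints one target per line
  ovs-vsctl set-controller "$rp_bridge" $rp_ctl
}

# Demo on the constructed sample (no OVS needed):
printf '%s\n' "$SAMPLE_DUMP" | missing_tables 0 18 20 21 22 23   # prints: 21 23
```

Two caveats before running `resync_pipeline` from cron: check that `ovs-vsctl get-fail-mode br-int` reports `secure`, because in `standalone` fail mode the bridge falls back to normal L2 switching while the controller is disconnected; and keep the expected list to tables that always hold a default flow, since a table that is legitimately empty until a port exists (as the table 17 commit above shows) would otherwise trigger a reconnect on every run.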
Steve Baker
291ff8bb3b Don't install kolla by default
The vast majority of undercloud installs will be consuming already
built images, so they don't need kolla to be installed.

This changes the default so that openstack-kolla won't be installed
unless the user enables that with enable_container_images_build.

Change-Id: I932f0f2048275942e29b589b337561473d5cb0b8
2018-06-04 17:51:05 +00:00
Zuul
ba0d68d1b6 Merge "Remove support for puppet-ceph" 2018-05-30 04:55:59 +00:00
Giulio Fidente
c796ed32f7 Remove support for puppet-ceph
Deployment of a managed Ceph cluster using puppet-ceph
is not supported from the Pike release. From Queens, use of
puppet-ceph is not supported when using an external Ceph
cluster either.

This change removes the old manifests necessary to
support deployment of Ceph via puppet-ceph.

Templates removed by I17b94e8023873f3129a55e69efd751be0674dfcb

Depends-On: I8b22917e7436084028ef4fbe7604d28d6a68bee0
Implements: blueprint remove-puppet-ceph
Change-Id: I052af1f755b40a5fefa1f8d37e62b6b36c931271
2018-05-25 15:32:53 +02:00
Bogdan Dobrelya
5a58ca5d32 Rework GDPR compliant logrotate config
Set the logrotate maxage parameter to purge_after_days
as well.

Rework additional retention rules of files in
/var/log/containers in the containerized logrotate
postrotate script. The rules are based on any of the
listed criteria being met:

* time of last access of contents (atime) exceeds
purge_after_days,
* time of last modification of contents (mtime) exceeds
purge_after_days,
* time of last modification of the inode (metadata, ctime)
exceeds purge_after_days.

Forcibly purge expired files with each containerized
logrotate run triggered via cron. Note that the files creation
time (the Birth attribute) is not taken into account as it
cannot be accessed normally by system operators (depends on FS
type). Retention policies based on the creation time must
be managed elsewhere.

Related-Bug: #1771543

Change-Id: I9afa22f7dd344a29747206b286520a76d70d704b
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-05-24 17:31:15 +00:00
Alex Schultz
b2d7cab5f1 Update netapp cinder configuration
The upstream puppet-cinder modules have been updated to remove
deprecated parameters. We were still passing in deprecated options for
the netapp volume. This change ports the backwards compatibility that
was being done in puppet-cinder into puppet-tripleo. This should be
dropped in a later cycle.

Change-Id: I08f548c7784f4e00add26aafc26a9671f503bb97
Closes-Bug: #1773188
2018-05-24 10:13:39 -07:00
Zuul
19114034ea Merge "Deprecate tripleo::profile::base::docker(_registry)" 2018-05-21 17:41:17 +00:00
Bogdan Dobrelya
e13654504a Force GDPR compliance of containers logs
After purge_after_days, defaults to 14, forcibly remove
any rotated and compressed logs of containerized services
in /var/log/containers. This overrides any related
containerized logrotate configuration used for
containerized services.

Allow to alter rotation interval for log files managed
via containerized logrotate. Defaults to 'daily'
and rotate 14 (days).

Use sharedscripts to clean up files in the postrotate
script only once.

Additionally, to enforce GDPR compliance of log files
in /var/log/containers, put them under logrotate management
(minsize 1) and always compress. Prohibit the size option
as it does not honor time-based constraints required by
GDPR. Forcibly remove all files but those rotated and
compressed logs, via the postscript section.

Partial-bug: #1771543

Change-Id: Id8e4717a5ecda53bc9cd39f1c2efaa80b56bd45e
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-05-21 11:18:13 +02:00
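The retention rules described in the two GDPR logrotate commits above (Id8e4717a5ecda53bc9cd39f1c2efaa80b56bd45e "Force GDPR compliance of containers logs" and I9afa22f7dd344a29747206b286520a76d70d704b "Rework GDPR compliant logrotate config"), as one added shell example that is not the module's own code: `render_logrotate_config` emits a stanza with daily rotation, `rotate`/`maxage` set to the purge interval, `minsize 1`, `compress`, `sharedscripts` and a single postrotate hook, and `purge_expired_logs` is that hook, matching a file when its atime, mtime or ctime is past the limit. The log glob, the script path and the `copytruncate` directive are assumptions; the demo directory and its files are constructed.

```shell
#!/bin/sh
# Added example, not puppet-tripleo's own code: time-based retention for
# /var/log/containers where an expired atime, mtime OR ctime is enough to
# purge a file, plus the logrotate stanza that drives it.

# render_logrotate_config DAYS [SCRIPT]
# Emits a logrotate stanza: daily rotation, rotate/maxage = DAYS, minsize 1
# so even tiny files rotate on schedule, always compress, and one postrotate
# run thanks to sharedscripts. The size option is deliberately absent since
# it would override the time-based limit. Paths are assumptions.
render_logrotate_config() {
  rl_days=$1
  rl_script=${2:-/usr/local/sbin/purge_expired_logs.sh}
  cat <<EOF
/var/log/containers/*/*.log {
  daily
  rotate $rl_days
  maxage $rl_days
  minsize 1
  compress
  missingok
  notifempty
  copytruncate
  sharedscripts
  postrotate
    $rl_script /var/log/containers $rl_days delete
  endscript
}
EOF
}

# purge_expired_logs DIR DAYS [delete]
# Lists regular files under DIR whose atime, mtime or ctime is DAYS days or
# older; with a third argument of "delete" they are removed as well.
# find's "+N" means "more than N whole days", so "+$((DAYS-1))" selects an
# age of at least DAYS days. Creation time (btime) is not consulted: find
# cannot query it portably, which is the limitation the commit notes.
purge_expired_logs() {
  pe_dir=$1
  pe_n=$(($2 - 1))
  pe_mode=${3:-list}
  set -- "$pe_dir" -type f \
    \( -atime +"$pe_n" -o -mtime +"$pe_n" -o -ctime +"$pe_n" \) -print
  if [ "$pe_mode" = delete ]; then
    set -- "$@" -exec rm -f '{}' +
  fi
  find "$@" | sort
}

# Demo on a constructed directory: a stale rotated log, a log that is fresh
# by mtime but was last read long ago (old atime only), and a fresh log.
# touch cannot age ctime, so only the atime and mtime rules are exercised.
demo_dir=$(mktemp -d)
touch -t 201801010000 "$demo_dir/nova-api.log.1.gz"
touch "$demo_dir/neutron-server.log"
touch -a -t 201801010000 "$demo_dir/neutron-server.log"
touch "$demo_dir/glance-api.log"
render_logrotate_config 14
purge_expired_logs "$demo_dir" 14    # lists neutron-server.log and nova-api.log.1.gz
rm -rf "$demo_dir"
```

The atime rule is only meaningful on filesystems that record access time; with `noatime` a file read every day still looks untouched, so on such mounts retention rests on mtime and ctime alone.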
Emilien Macchi
767cd520bd Deprecate tripleo::profile::base::docker(_registry)
These profiles are replaced by https://github.com/openstack/ansible-role-container-registry,
so we deprecate it now and will remove the code in the future.

Depends-On: Iee0e08cd48f173a39a6f3a1ea54b29e370d4f334
Change-Id: I9e2a475e4582deec383b92f368e9a834122f65bb
2018-05-17 17:40:54 +00:00
Zuul
02f0f479b5 Merge "Add logrotate compress option" 2018-05-05 04:08:55 +00:00
Zuul
77aac86259 Merge "Adding wrapper scripts for neutron agent subprocesses" 2018-05-05 03:42:49 +00:00
Bogdan Dobrelya
f3317084df Add logrotate compress option
Related bz: #1570039

Change-Id: Id07b7b53d31192a2d2172671b272a5b61dc8df52
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-05-04 18:16:51 +02:00
Brent Eagles
015c9b757a Adding wrapper scripts for neutron agent subprocesses
The neutron agents use subprocesses like dnsmasq and keepalived as part
of their implementation. Running these "subprocesses" in separate
containers prevents dataplane breakages/unnecessary failover on agent
container restart.

Also amends docker daemon options to allow including additional unix
domain sockets to bind to the docker daemon. The paths can be mounted by
containers that launch containers instead of mounting /run/docker.sock.
This avoids issues if the docker daemon is restarted while the containers
are running.

Related-Bug: #1749209
Change-Id: Icd4c24ac686d957391548a04722266cefc1bce27
2018-04-30 21:58:29 -02:30
Tim Rozet
c53ea2512f Fixes HA Proxy backend check for ODL
This patch removed listen_options for ODL:
https://review.openstack.org/#/c/562036/

Which introduced a regression where default options were then applied
for ODL, including httpchk.  This does not work with ODL because ODL
will not respond to an HTTP GET without specific paths used.  This patch
adds the correct path that may be used to issue HTTP backend check.

Closes-Bug: 1768037

Change-Id: I60bdfc436044851ac02449c262d382b07b888f79
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-04-30 11:29:52 -04:00
Zuul
1a73b868ce Merge "Support separate oslo.messaging services for RPC and Notifications" 2018-04-29 13:02:17 +00:00
Tim Rozet
70bedeef99 Fixes binding type for OpenDaylight Websocket
For OpenDaylight Websocket connections we were not using transparent
binding type with HA Proxy.  This means that HA Proxy was not able to
start on nodes that did not have the VIP because it was unable to bind
to that IP on more than one node.  However, transparent binding works OK
with OpenDaylight Websocket and should be fine to enable so that HA
Proxy is able to start on every controller.

Closes-Bug: 1764514

Change-Id: I89e6115795ece6735e816ab71b5b552b17f7b943
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-04-17 10:51:03 -04:00
Zuul
fba0dfc344 Merge "Split up neutron-lbaas service plugin and agent" 2018-04-10 03:54:16 +00:00
Zuul
408db62e22 Merge "Support both rabbitmq and oslo.messaging service nodes" 2018-04-07 00:39:46 +00:00
Carlos Goncalves
b93250af11 Split up neutron-lbaas service plugin and agent
Splitting up service plugin and agent allows operators to deploy
neutron-lbaas with greater granularity over what one wants to get
installed configured. For example, one may want to configure only one of
the two.

Change-Id: If3af333b34d2af764d111d49e981f9d3a170d803
2018-04-05 21:44:21 +01:00
Harald Jensas
e2beaadd52 Add support for Ironic Networking Baremetal
Add manifests for Ironic Networking Baremetal components:
 - ML2 plug-in - baremetal mechanism driver
 - L2 Agent - ironic-neutron-agent

Change-Id: I3c40f84052a41ed440758b971975c5c81ace4225
2018-03-29 16:08:19 +02:00
Tim Rozet
fe09335418 Removes neutron ownership of certs
Since neutron UID is not static, setting the owners on the certificates
in the host to be 'neutron' will not match the UID for neutron in the
deployed container.  Therefore this patch removes the host neutron
ownership and leaves it as root, so that it can be later modified in the
container to be chowned to neutron.

Partial-Bug: 1759049

Change-Id: I83b14b91d1ee600bd9d5863acba34303921368ce
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-03-28 11:27:02 -07:00
Zuul
05cef8859a Merge "Add missing cron jobs for Overcloud cleanup" 2018-03-27 18:28:37 +00:00
Zuul
c64dff0af3 Merge "Add NFS backend for cinder-backup service" 2018-03-26 20:26:26 +00:00
Zuul
732fd6f5c6 Merge "Add configuration for the Nova proxy endpoint" 2018-03-23 22:17:15 +00:00
Carlos Camacho
6bc7a7fcb7 Add missing cron jobs for Overcloud cleanup
This will add the Nova cleanup for the shadow
tables.

Depends-On: I2dcf37417c36fb8b1bde207c60d22d580005715c
Change-Id: I1ebfb0964b00920d787115cfc997bcf0494081c9
2018-03-23 15:42:40 +01:00
Andrew Smith
c04557fba4 Support separate oslo.messaging services for RPC and Notifications
This commit introduces separate oslo.messaging services in place of
a single rabbitmq server. This enables the separation of rpc and
notifications, the continued use of single rabbitmq server as well
as the use of alternative oslo.messaging drivers/backends.

This patch:
* adds oslo_messaging_* hiera parameters
* update rabbitmq and qdrouterd services
* add release note

Depends-On: I03e99d35ed043cf11bea9b7462058bd80f4d99da
Depends-On: I934561612d26befd88a9053262836b47bdf4efb0
Change-Id: Ie181a92731e254b7f613ad25fee6cc37e985c315
2018-03-20 12:55:02 -04:00
Tim Rozet
e11804237e Fixes incorrect ownership of ODL TLS cert/key
Deployments were failing because the owner/group of the TLS generated
certificate and key were set to 'odl'.  This user and group does not
exist in a containerized deployment because the ODL RPM is only
installed in the container.

This patch leaves the owner as root for the files which works because
the files are only used to generate a keystore for ODL (which is owned
by odl), and the cert/key files themselves are never read by ODL.

Closes-Bug: 1757135

Change-Id: Ie5b9e98ea2fc16b820d56272653df4874e81cf68
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-03-20 12:47:07 -04:00
Honza Pokorny
c6db8d0cd2 Add configuration for the Nova proxy endpoint
Change-Id: I6128f8e8a439880aa40f9b3a32e47563ad90cdb6
Partial-Bug: #1755560
Depends-On: I3701c34841b84c2272dcc24d982fc622ff6139b6
2018-03-20 12:40:07 +00:00
Zuul
23a311f6ca Merge "firewall/rule: add 'table' support" 2018-03-17 05:54:39 +00:00
Andrew Smith
79ccad4b8d Support both rabbitmq and oslo.messaging service nodes
This commit selects either the rabbitmq hosts or the
hosts associated to oslo.messaging rpc and notify services.
This is required for the transition of t-h-t to the use
of the separated oslo.messaging service backends.

This patch:
* select rpc and notify hosts from rabbitmq or oslo_messaging
* modify qdrouterd inter-router link port
* update qdr unit spec
* add release note

Needed-By: I934561612d26befd88a9053262836b47bdf4efb0
Change-Id: I154e2fe6f66b296b9b643627d57696e5178e1815
2018-03-16 18:16:42 -04:00
Emilien Macchi
8f3c647ea0 firewall/rule: add 'table' support
... so we can create masquerade/nat rules.

Change-Id: Ic9a2626e73d132c3be7ff14a1f4cdba0c16c5b53
2018-03-16 17:25:57 +00:00
Alan Bishop
364c76158f Add NFS backend for cinder-backup service
Add a Cinder backup profile that uses NFS for the backend.

Related-Bug: #1744174
Change-Id: Ic0adb294aa2e60243f8adaf167bdd75e42c8e20e
2018-03-15 19:33:51 -04:00
Michele Baldessari
ce4576375d Allow custom per-service listen_options for haproxy
There are situations where it would be advantageous to let
an operator specify custom per-service options.
One such use case seen in the wild is to extend the timeout of cinder
because, due to the specific storage backend, these cinder operations
sometimes take a bit longer. Letting the user tweak the
haproxy_default_timeout is likely not what we want as for the case
above we only want to tweak a single service.

We explored another approach to fix this by adding a bunch of
<service>_options class parameters in the tripleo::haproxy class but it
made it extremely bloated and confusing, so we opted for this approach
which is much less invasive both code-wise and complexity-wise.

Tested by deploying with:
ExtraConfig:
  tripleo::haproxy::cinder::options:
    "timeout client": '90m'
    'timeout server': '90m'

And observing the following cinder haproxy stanza:
listen cinder
  bind 10.0.0.4:8776 transparent
  bind 172.16.2.9:8776 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  option httpchk
  option httplog
  timeout client 90m
  timeout server 90m
  server overcloud-controller-0.internalapi.localdomain 172.16.2.7:8776 check fall 5 inter 2000 rise 2
  server overcloud-controller-1.internalapi.localdomain 172.16.2.16:8776 check fall 5 inter 2000 rise 2
  server overcloud-controller-2.internalapi.localdomain 172.16.2.13:8776 check fall 5 inter 2000 rise 2

Closes-Bug: #1755711

Change-Id: Icb7f026190b310d34c47dc059e2fdb22031b0963
2018-03-14 15:12:38 +01:00
Juan Antonio Osorio Robles
ebde918b0f Disallow TLS v1.0 from HAProxy
This forces HAProxy to only accept newer versions of TLS, which allows
us to meet FedRAMP requirements.

Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
Related-Bug: #1754368
2018-03-12 15:39:09 +00:00
Zuul
ff7bfbb7a2 Merge "Add tests for tripleo::keepalived" 2018-03-08 03:57:13 +00:00
Zuul
b3d0b2f25a Merge "Add support for libvirt VNC TLS with option of a dedicated CA" 2018-02-28 18:39:14 +00:00
Zuul
3202394f0c Merge "Remove neutron-managed firewall rules from /etc/sysconfig/iptables" 2018-02-22 12:14:57 +00:00
Zuul
abae8eb6a8 Merge "Add support for Dell EMC XtremIO Cinder ISCSI Backend" 2018-02-21 04:37:22 +00:00
Alex Schultz
21101149f2 Add firewall chain support
Add ability to manage firewall chains with the firewallchain resource.

Change-Id: Ib75f97748540b9162d76c9c189d3ca7e082b3784
Related-Bug: #1750194
2018-02-18 11:01:04 -07:00