Move cell_v2 discovery off compute hosts

In I12a02f636f31985bc1b71bff5b744d346286a95f cell_v2 discovery was originally moved from the nova-api container to the nova-compute|nova-ironic containers in order to run cell discovery during a scale up where the controllers are omitted (e.g to exclude the controllers from a maintenance window). This requires api database credentials on the compute node, which is forbidden, so it must move back to a nova-api host as a pre-requisite for removing these credentials in a follow-up patch. Scale-up while omitting the controllers will no longer work out of the box. Either a manual cell_v2 discovery can be run after scale up, or an additional node can be deployed using the NovaManager tripleo role. Related-bug: #1786961 Related-bug: #1871482 Change-Id: I47b95ad46e2d4e5b1f370a2f840826e87da2d703 (cherry picked from commit 629485dde5)
12 months ago · 03697234fd
7 changed files with 178 additions and 8 deletions
--- a/ci/environments/multinode-containers.yaml
+++ b/ci/environments/multinode-containers.yaml
@ -42,6 +42,7 @@ parameter_defaults:
    - OS::TripleO::Services::Multipathd
    - OS::TripleO::Services::Pacemaker
    - OS::TripleO::Services::Clustercheck
+    - OS::TripleO::Services::NovaManager
  ControllerExtraConfig:
    nova::compute::libvirt::services::libvirt_virt_type: qemu
    nova::compute::libvirt::virt_type: qemu
--- a/deployment/nova/nova-compute-common-container-puppet.yaml
+++ b/deployment/nova/nova-compute-common-container-puppet.yaml
@ -61,19 +61,27 @@ outputs:
              - not nova_additional_cell|bool
              - nova_cellv2_discovery_done is not defined
            block:
-              - name: discover via nova_compute?
+              - name: discover via nova_manager?
                set_fact:
-                  nova_cellv2_discovery_delegate_host: "{{ groups['nova_compute'][0] }}"
+                  nova_cellv2_discovery_delegate_host: "{{ groups['nova_manager'][0] }}"
+                  nova_cellv2_discovery_container: nova_manager
                when:
-                  - groups['nova_compute'] is defined and (groups['nova_compute']|length>0)
-              - name: discover via nova_ironic?
+                  - groups['nova_manager'] is defined and (groups['nova_manager']|length>0)
+              - name: discover via nova_api?
                set_fact:
-                  nova_cellv2_discovery_delegate_host: "{{ groups['nova_ironic'][0] }}"
+                  nova_cellv2_discovery_delegate_host: "{{ groups['nova_api'][0] }}"
+                  nova_cellv2_discovery_container: nova_api
+                when:
+                  - nova_cellv2_discovery_delegate_host is not defined
+                  - groups['nova_api'] is defined and (groups['nova_api']|length>0)
+              - name: Warn if no discovery host available
+                fail:
+                  msg: 'No hosts available to run nova cell_v2 host discovery.'
+                ignore_errors: yes
                when:
                  - nova_cellv2_discovery_delegate_host is not defined
-                  - groups['nova_ironic'] is defined and (groups['nova_ironic']|length>0)
              - name: Discovering nova hosts
-                command: "{{ container_cli }} exec nova_compute nova-manage cell_v2 discover_hosts --by-service"
+                command: "{{ container_cli }} exec {{ nova_cellv2_discovery_container }} nova-manage cell_v2 discover_hosts --by-service"
                become: true
                changed_when: false
                delegate_to: '{{ nova_cellv2_discovery_delegate_host }}'
--- a/deployment/nova/nova-manager-container-puppet.yaml
+++ b/deployment/nova/nova-manager-container-puppet.yaml
@ -0,0 +1,105 @@
+heat_template_version: rocky
+
+description: >
+  OpenStack containerized nova-manage runner service
+
+parameters:
+  ContainerNovaConductorImage:
+    description: image
+    type: string
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+
+
+resources:
+
+  # Cannot control nova-manage logging so expect it to log to file
+  NovaLogging:
+    type: ../logging/files/nova-common.yaml
+    properties:
+      ContainerNovaImage: &nova_conductor_image {get_param: ContainerNovaConductorImage}
+      NovaServiceName: 'manager'
+
+  ContainersCommon:
+    type: ../containers-common.yaml
+
+  NovaConductorBase:
+    type: ./nova-conductor-container-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+
+outputs:
+  role_data:
+    description: Role data for the nova-manage runner service.
+    value:
+      service_name: nova_manager
+      config_settings:
+        get_attr: [NovaConductorBase, role_data, config_settings]
+      service_config_settings:
+        mysql:
+          get_attr: [NovaConductorBase, role_data, service_config_settings, mysql]
+      # BEGIN DOCKER SETTINGS
+      puppet_config:
+        get_attr: [NovaConductorBase, role_data, puppet_config]
+      kolla_config:
+        /var/lib/kolla/config_files/nova_manager.json:
+          command: "/bin/sleep infinity"
+          config_files:
+            - source: "/var/lib/kolla/config_files/src/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
+          permissions:
+            - path: /var/log/nova
+              owner: nova:nova
+              recurse: true
+      docker_config:
+        step_2:
+          get_attr: [NovaLogging, docker_config, step_2]
+        step_4:
+          nova_manager:
+            image: *nova_conductor_image
+            net: host
+            privileged: false
+            restart: always
+            volumes:
+              list_concat:
+                - {get_attr: [ContainersCommon, volumes]}
+                - {get_attr: [NovaLogging, volumes]}
+                -
+                  - /var/lib/kolla/config_files/nova_manager.json:/var/lib/kolla/config_files/config.json:ro
+                  - /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
+            environment:
+              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
+      host_prep_tasks:
+        get_attr: [NovaLogging, host_prep_tasks]
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -189,6 +189,7 @@ resource_registry:
  OS::TripleO::Services::NovaConductor: deployment/nova/nova-conductor-container-puppet.yaml
  OS::TripleO::Services::NovaLibvirt: deployment/nova/nova-libvirt-container-puppet.yaml
  OS::TripleO::Services::NovaLibvirtGuests: deployment/nova/nova-libvirt-guests-container-puppet.yaml
+  OS::TripleO::Services::NovaManager: deployment/nova/nova-manager-container-puppet.yaml
  OS::TripleO::Services::NovaMetadata: deployment/nova/nova-metadata-container-puppet.yaml
  OS::TripleO::Services::NovaMigrationTarget: deployment/nova/nova-migration-target-container-puppet.yaml
  OS::TripleO::Services::NovaPlacement: OS::Heat::None
--- a/releasenotes/notes/cell_v2_discovery_off_computes-2b977c6b9a01cde2.yaml
+++ b/releasenotes/notes/cell_v2_discovery_off_computes-2b977c6b9a01cde2.yaml
@ -0,0 +1,13 @@
+---
+issues:
+  - |
+    Cell_v2 discovery has been moved from the nova-compute|nova-ironic
+    containers as this requires nova api database credentials which must
+    not be configured for the nova-compute service.
+    As a result scale-up deployments which explicitly omit the Controller
+    nodes will need to make alternative arrangements to run cell_v2 discovery.
+    Either the nova-manage command can be run manually after scale-up, or
+    an additional helper node using the NovaManage role can be deployed that
+    will be used for this task instead of a Controller node. See Bug:
+    `1786961 <https://launchpad.net/bugs/1786961>`_ and Bug:
+    `1871482 <https://launchpad.net/bugs/1871482>`_.
--- a/roles/NovaManager.yaml
+++ b/roles/NovaManager.yaml
@ -0,0 +1,37 @@
+###############################################################################
+# Role: NovaManager
+###############################################################################
+- name: NovaManager
+  description: |
+    Role to run nova-manage runner container on a separate host
+  networks:
+    InternalApi:
+      subnet: internal_api_subnet
+  HostnameFormatDefault: '%stackname%-novamanager-%index%'
+  update_serial: 25
+  ServicesDefault:
+    - OS::TripleO::Services::Aide
+    - OS::TripleO::Services::AuditD
+    - OS::TripleO::Services::BootParams
+    - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
+    - OS::TripleO::Services::Collectd
+    - OS::TripleO::Services::IpaClient
+    - OS::TripleO::Services::Ipsec
+    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
+    - OS::TripleO::Services::MetricsQdr
+    - OS::TripleO::Services::MySQLClient
+    - OS::TripleO::Services::NovaManager
+    - OS::TripleO::Services::ContainersLogrotateCrond
+    - OS::TripleO::Services::Podman
+    - OS::TripleO::Services::Rhsm
+    - OS::TripleO::Services::Rsyslog
+    - OS::TripleO::Services::Securetty
+    - OS::TripleO::Services::Snmp
+    - OS::TripleO::Services::Sshd
+    - OS::TripleO::Services::Timesync
+    - OS::TripleO::Services::Timezone
+    - OS::TripleO::Services::TripleoFirewall
+    - OS::TripleO::Services::TripleoPackages
+    - OS::TripleO::Services::Tuned
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
@ -260,6 +260,10 @@ VALIDATE_DOCKER_OVERRIDE = {
  # Does not follow the filename pattern
  './deployment/multipathd/multipathd-container.yaml': True
 }
+VALIDATE_DOCKER_PUPPET_CONFIG_OVERRIDE = {
+    # inherits from nova-conductor
+  './deployment/nova/nova-manager-container-puppet.yaml': False,
+}
 DEPLOYMENT_RESOURCE_TYPES = [
    'OS::Heat::SoftwareDeploymentGroup',
    'OS::Heat::StructuredDeploymentGroup',
@ -740,7 +744,8 @@ def validate_docker_service(filename, tpl):
                          % (section_name, filename))
                    return 1

-        if 'puppet_config' in role_data:
+        if 'puppet_config' in role_data and \
+                VALIDATE_DOCKER_PUPPET_CONFIG_OVERRIDE.get(filename, True):
            if validate_docker_service_mysql_usage(filename, tpl):
                print('ERROR: could not validate use of mysql service for %s.'
                      % filename)