From c9541b477412e3d877ef2f23e99c4a0d79b9098e Mon Sep 17 00:00:00 2001
From: Oliver Walsh
Date: Thu, 12 Nov 2020 20:38:26 +0000
Subject: [PATCH] Move cell_v2 discovery off compute hosts
In I12a02f636f31985bc1b71bff5b744d346286a95f cell_v2 discovery was originally moved from the nova-api container to the nova-compute|nova-ironic containers in order to run cell discovery during a scale up where the controllers are omitted (e.g to exclude the controllers from a maintenance window). This requires api database credentials on the compute node, which is forbidden, so it must move back to a nova-api host as a pre-requisite for removing these credentials in a follow-up patch. Scale-up while omitting the controllers will no longer work out of the box. Either a manual cell_v2 discovery can be run after scale up, or an additional node can be deployed using the NovaManager tripleo role.
Related-bug: #1786961
Related-bug: #1871482
Change-Id: I47b95ad46e2d4e5b1f370a2f840826e87da2d703
(cherry picked from commit 629485dde5d6b96d38688f362362fac45392ece9)
(cherry picked from commit 03697234fd2e8c8d052c331485d304bcb77b1b8b)
(cherry picked from commit 9a8c007daa5d02e20454a39ee453ea6e9f6b0292)
---
 ci/environments/multinode-containers.yaml | 1 +
 .../nova-compute-common-container-puppet.yaml | 22 ++--
 .../nova/nova-manager-container-puppet.yaml | 105 ++++++++++++++++++
 overcloud-resource-registry-puppet.j2.yaml | 1 +
 ...scovery_off_computes-2b977c6b9a01cde2.yaml | 13 +++
 roles/NovaManager.yaml | 37 ++++++
 tools/yaml-validate.py | 7 +-
 7 files changed, 178 insertions(+), 8 deletions(-)
 create mode 100644 deployment/nova/nova-manager-container-puppet.yaml
 create mode 100644 releasenotes/notes/cell_v2_discovery_off_computes-2b977c6b9a01cde2.yaml
 create mode 100644 roles/NovaManager.yaml
diff --git a/ci/environments/multinode-containers.yaml b/ci/environments/multinode-containers.yaml
index fef5c93356..dd05816e80 100644
--- a/ci/environments/multinode-containers.yaml
+++ b/ci/environments/multinode-containers.yaml
@@ -43,6 +43,7 @@ parameter_defaults:
 - OS::TripleO::Services::Multipathd
 - OS::TripleO::Services::Pacemaker
 - OS::TripleO::Services::Clustercheck
+ - OS::TripleO::Services::NovaManager
 ControllerExtraConfig:
 nova::compute::libvirt::services::libvirt_virt_type: qemu
 nova::compute::libvirt::libvirt_virt_type: qemu
diff --git a/deployment/nova/nova-compute-common-container-puppet.yaml b/deployment/nova/nova-compute-common-container-puppet.yaml
index 0e522afd7b..f6dd0b1060 100644
--- a/deployment/nova/nova-compute-common-container-puppet.yaml
+++ b/deployment/nova/nova-compute-common-container-puppet.yaml
@@ -61,19 +61,27 @@ outputs:
 - not nova_additional_cell|bool
 - nova_cellv2_discovery_done is not defined
 block:
- - name: discover via nova_compute?
+ - name: discover via nova_manager?
 set_fact:
- nova_cellv2_discovery_delegate_host: "{{ groups['nova_compute'][0] }}"
+ nova_cellv2_discovery_delegate_host: "{{ groups['nova_manager'][0] }}"
+ nova_cellv2_discovery_container: nova_manager
 when:
- - groups['nova_compute'] is defined and (groups['nova_compute']|length>0)
- - name: discover via nova_ironic?
+ - groups['nova_manager'] is defined and (groups['nova_manager']|length>0)
+ - name: discover via nova_api?
 set_fact:
- nova_cellv2_discovery_delegate_host: "{{ groups['nova_ironic'][0] }}"
+ nova_cellv2_discovery_delegate_host: "{{ groups['nova_api'][0] }}"
+ nova_cellv2_discovery_container: nova_api
+ when:
+ - nova_cellv2_discovery_delegate_host is not defined
+ - groups['nova_api'] is defined and (groups['nova_api']|length>0)
+ - name: Warn if no discovery host available
+ fail:
+ msg: 'No hosts available to run nova cell_v2 host discovery.'
+ ignore_errors: yes
 when:
 - nova_cellv2_discovery_delegate_host is not defined
- - groups['nova_ironic'] is defined and (groups['nova_ironic']|length>0)
 - name: Discovering nova hosts
- command: "{{ container_cli }} exec nova_compute nova-manage cell_v2 discover_hosts --by-service"
+ command: "{{ container_cli }} exec {{ nova_cellv2_discovery_container }} nova-manage cell_v2 discover_hosts --by-service"
 become: true
 changed_when: false
 delegate_to: '{{ nova_cellv2_discovery_delegate_host }}'
diff --git a/deployment/nova/nova-manager-container-puppet.yaml b/deployment/nova/nova-manager-container-puppet.yaml
new file mode 100644
index 0000000000..7d5da2d2ef
--- /dev/null
+++ b/deployment/nova/nova-manager-container-puppet.yaml
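Review bot: In deployment/nova/nova-compute-common-container-puppet.yaml the new "Warn if no discovery host available" task uses `fail` with `ignore_errors: yes`, so when neither `nova_manager` nor `nova_api` is in the inventory the play carries on into "Discovering nova hosts" with `nova_cellv2_discovery_delegate_host` and `nova_cellv2_discovery_container` both unset. That task continues past the end of the hunk, so it may already be guarded; if it is not, it should carry `when: nova_cellv2_discovery_delegate_host is defined` so that a skipped discovery surfaces as the intended warning rather than as an undefined-variable error on `delegate_to`. A `debug` task with the same `msg` would also express "warn and continue" more directly than an ignored failure. A short comment above the block saying that the delegate must be a host permitted to hold nova api database credentials would record why `nova_compute` and `nova_ironic` are no longer candidates.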
@@ -0,0 +1,105 @@
+heat_template_version: rocky
+
+description: >
+ OpenStack containerized nova-manage runner service
+
+parameters:
+ ContainerNovaConductorImage:
+ description: image
+ type: string
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+
+
+resources:
+
+ # Cannot control nova-manage logging so expect it to log to file
+ NovaLogging:
+ type: ../logging/files/nova-common.yaml
+ properties:
+ ContainerNovaImage: &nova_conductor_image {get_param: ContainerNovaConductorImage}
+ NovaServiceName: 'manager'
+
+ ContainersCommon:
+ type: ../containers-common.yaml
+
+ NovaConductorBase:
+ type: ./nova-conductor-container-puppet.yaml
+ properties:
+ ServiceData: {get_param: ServiceData}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+
+outputs:
+ role_data:
+ description: Role data for the nova-manage runner service.
+ value:
+ service_name: nova_manager
+ config_settings:
+ get_attr: [NovaConductorBase, role_data, config_settings]
+ service_config_settings:
+ mysql:
+ get_attr: [NovaConductorBase, role_data, service_config_settings, mysql]
+ # BEGIN DOCKER SETTINGS
+ puppet_config:
+ get_attr: [NovaConductorBase, role_data, puppet_config]
+ kolla_config:
+ /var/lib/kolla/config_files/nova_manager.json:
+ command: "/bin/sleep infinity"
+ config_files:
+ - source: "/var/lib/kolla/config_files/src/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ permissions:
+ - path: /var/log/nova
+ owner: nova:nova
+ recurse: true
+ docker_config:
+ step_2:
+ get_attr: [NovaLogging, docker_config, step_2]
+ step_4:
+ nova_manager:
+ image: *nova_conductor_image
+ net: host
+ privileged: false
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ - {get_attr: [NovaLogging, volumes]}
+ -
+ - /var/lib/kolla/config_files/nova_manager.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
+ environment:
+ KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
+ host_prep_tasks:
+ get_attr: [NovaLogging, host_prep_tasks]
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index de87d38149..695bf5f42d 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
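Review bot: deployment/nova/nova-manager-container-puppet.yaml has no comment explaining that `nova_manager` is an idle container (`command: "/bin/sleep infinity"`, `restart: always`) kept only as an `exec` target for nova-manage, or that it takes `config_settings`, `service_config_settings.mysql` and `puppet_config` wholesale from `NovaConductorBase`. Going by the commit message, cell discovery needs api database credentials, so presumably this container's generated config carries them and any host running the service should be trusted like a controller. I would state that in a comment above `NovaConductorBase`, e.g. `# Reuses the nova-conductor config (incl. api database access); deploy only on hosts trusted like controllers`. The parameter text `description: image` is also uninformative; something like `description: Container image used for the nova_manager container` would say what the parameter feeds.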
@@ -196,6 +196,7 @@ resource_registry:
 OS::TripleO::Services::NovaConductor: deployment/nova/nova-conductor-container-puppet.yaml
 OS::TripleO::Services::NovaLibvirt: deployment/nova/nova-libvirt-container-puppet.yaml
 OS::TripleO::Services::NovaLibvirtGuests: deployment/nova/nova-libvirt-guests-container-puppet.yaml
+ OS::TripleO::Services::NovaManager: deployment/nova/nova-manager-container-puppet.yaml
 OS::TripleO::Services::NovaMetadata: deployment/nova/nova-metadata-container-puppet.yaml
 OS::TripleO::Services::NovaMigrationTarget: deployment/nova/nova-migration-target-container-puppet.yaml
 OS::TripleO::Services::NovaPlacement: OS::Heat::None
diff --git a/releasenotes/notes/cell_v2_discovery_off_computes-2b977c6b9a01cde2.yaml b/releasenotes/notes/cell_v2_discovery_off_computes-2b977c6b9a01cde2.yaml
new file mode 100644
index 0000000000..8a0fe24e82
--- /dev/null
+++ b/releasenotes/notes/cell_v2_discovery_off_computes-2b977c6b9a01cde2.yaml
@@ -0,0 +1,13 @@
+---
+issues:
+ - |
+ Cell_v2 discovery has been moved from the nova-compute|nova-ironic
+ containers as this requires nova api database credentials which must
+ not be configured for the nova-compute service.
+ As a result scale-up deployments which explicitly omit the Controller
+ nodes will need to make alternative arrangements to run cell_v2 discovery.
+ Either the nova-manage command can be run manually after scale-up, or
+ an additional helper node using the NovaManage role can be deployed that
+ will be used for this task instead of a Controller node. See Bug:
+ `1786961 `_ and Bug:
+ `1871482 `_.
diff --git a/roles/NovaManager.yaml b/roles/NovaManager.yaml
new file mode 100644
index 0000000000..23266d126c
--- /dev/null
+++ b/roles/NovaManager.yaml
@@ -0,0 +1,37 @@
+###############################################################################
+# Role: NovaManager
+###############################################################################
+- name: NovaManager
+ description: |
+ Role to run nova-manage runner container on a separate host
+ networks:
+ InternalApi:
+ subnet: internal_api_subnet
+ HostnameFormatDefault: '%stackname%-novamanager-%index%'
+ update_serial: 25
+ ServicesDefault:
+ - OS::TripleO::Services::Aide
+ - OS::TripleO::Services::AuditD
+ - OS::TripleO::Services::BootParams
+ - OS::TripleO::Services::CACerts
+ - OS::TripleO::Services::CertmongerUser
+ - OS::TripleO::Services::Collectd
+ - OS::TripleO::Services::IpaClient
+ - OS::TripleO::Services::Ipsec
+ - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
+ - OS::TripleO::Services::MetricsQdr
+ - OS::TripleO::Services::MySQLClient
+ - OS::TripleO::Services::NovaManager
+ - OS::TripleO::Services::ContainersLogrotateCrond
+ - OS::TripleO::Services::Podman
+ - OS::TripleO::Services::Rhsm
+ - OS::TripleO::Services::Rsyslog
+ - OS::TripleO::Services::Securetty
+ - OS::TripleO::Services::Snmp
+ - OS::TripleO::Services::Sshd
+ - OS::TripleO::Services::Timesync
+ - OS::TripleO::Services::Timezone
+ - OS::TripleO::Services::TripleoFirewall
+ - OS::TripleO::Services::TripleoPackages
+ - OS::TripleO::Services::Tuned
diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py
index 40ed0b9114..40c50bdc7d 100755
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
@@ -219,6 +219,10 @@ VALIDATE_DOCKER_OVERRIDE = {
 # deploy container
 './deployment/rabbitmq/rabbitmq-messaging-notify-shared-puppet.yaml': False,
 }
+VALIDATE_DOCKER_PUPPET_CONFIG_OVERRIDE = {
+ # inherits from nova-conductor
+ './deployment/nova/nova-manager-container-puppet.yaml': False,
+}
 DEPLOYMENT_RESOURCE_TYPES = [
 'OS::Heat::SoftwareDeploymentGroup',
 'OS::Heat::StructuredDeploymentGroup',
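Review bot: In roles/NovaManager.yaml the `description` says only "Role to run nova-manage runner container on a separate host", which does not tell an operator that the node exists to run cell_v2 discovery when Controllers are left out of a deployment and, going by the commit message, will hold nova api database credentials. I would extend it along the lines of `Helper role that runs nova-manage cell_v2 discovery when Controller nodes are excluded from a deployment; holds nova api database credentials, so do not combine it with compute services`. As a minor style point, `OS::TripleO::Services::ContainersLogrotateCrond` sits after `NovaManager` in an otherwise alphabetical `ServicesDefault` list.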
@@ -679,7 +683,8 @@ def validate_docker_service(filename, tpl): % (section_name, filename)) return 1 - if 'puppet_config' in role_data: + if 'puppet_config' in role_data and \ + VALIDATE_DOCKER_PUPPET_CONFIG_OVERRIDE.get(filename, True): if validate_docker_service_mysql_usage(filename, tpl): print('ERROR: could not validate use of mysql service for %s.' % filename)
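Review bot: The new condition in `validate_docker_service` skips the entire `puppet_config` branch for any file listed in `VALIDATE_DOCKER_PUPPET_CONFIG_OVERRIDE` (added in the earlier hunk at line 219), and the check visible in that branch is `validate_docker_service_mysql_usage`, so the mysql-usage validation is switched off for the one template whose purpose is database access. The dict comment `# inherits from nova-conductor` does not say that; if the reason is that the settings are only reachable through `get_attr`, I would write `# puppet_config and mysql service_config_settings come from nova-conductor via get_attr; mysql usage is validated on that template`. The lookup is by exact string, so it only takes effect when `filename` arrives in the `./deployment/...` form, which is presumably the case given the neighbouring `VALIDATE_DOCKER_OVERRIDE` keys but is worth confirming. The branch body continues outside the hunk.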