From ced9f888e9e1e24bfe8a269e9666b00356c7b858 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Thu, 13 Dec 2018 13:22:56 +0100 Subject: [PATCH] Flatten Ironic services configuration This change combines the previous puppet and docker files into a single file that performs the docker service installation and configuration. With this patch the baremetal version of Ironic services have been removed. Change-Id: Icb33158a129356d939940433c82dae25a6334baf Related-Blueprint: services-yaml-flattening --- .../scenario006-multinode-containers.yaml | 6 +- .../scenario012-multinode-containers.yaml | 6 +- .../ironic/ironic-api-container-puppet.yaml | 125 +++++++- .../ironic/ironic-base-puppet.yaml | 0 .../ironic-conductor-container-puppet.yaml | 277 +++++++++++++++-- .../ironic-inspector-container-puppet.yaml | 240 +++++++++++++-- ...ironic-neutron-agent-container-puppet.yaml | 30 +- .../ironic/ironic-pxe-container-puppet.yaml | 2 +- docker/services/ironic-conductor.yaml | 287 ------------------ docker/services/ironic-inspector.yaml | 257 ---------------- .../services-baremetal/ironic-inspector.yaml | 2 - environments/services-baremetal/ironic.yaml | 7 - environments/services/ironic-inspector.yaml | 2 +- environments/services/ironic.yaml | 8 +- puppet/services/ironic-api.yaml | 172 ----------- puppet/services/ironic-neutron-agent.yaml | 71 ----- ...rop-baremetal-ironic-ab7af5d2b75c9cbf.yaml | 3 + 17 files changed, 616 insertions(+), 879 deletions(-) rename docker/services/ironic-api.yaml => deployment/ironic/ironic-api-container-puppet.yaml (61%) rename puppet/services/ironic-base.yaml => deployment/ironic/ironic-base-puppet.yaml (100%) rename puppet/services/ironic-conductor.yaml => deployment/ironic/ironic-conductor-container-puppet.yaml (65%) rename puppet/services/ironic-inspector.yaml => deployment/ironic/ironic-inspector-container-puppet.yaml (58%) rename docker/services/ironic-neutron-agent.yaml => deployment/ironic/ironic-neutron-agent-container-puppet.yaml (74%) rename docker/services/ironic-pxe.yaml => 
deployment/ironic/ironic-pxe-container-puppet.yaml (99%) delete mode 100644 docker/services/ironic-conductor.yaml delete mode 100644 docker/services/ironic-inspector.yaml delete mode 100644 environments/services-baremetal/ironic-inspector.yaml delete mode 100644 environments/services-baremetal/ironic.yaml delete mode 100644 puppet/services/ironic-api.yaml delete mode 100644 puppet/services/ironic-neutron-agent.yaml create mode 100644 releasenotes/notes/drop-baremetal-ironic-ab7af5d2b75c9cbf.yaml diff --git a/ci/environments/scenario006-multinode-containers.yaml b/ci/environments/scenario006-multinode-containers.yaml index ffb5af3557..04c86d6e7f 100644 --- a/ci/environments/scenario006-multinode-containers.yaml +++ b/ci/environments/scenario006-multinode-containers.yaml @@ -2,9 +2,9 @@ resource_registry: OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Services::NovaIronic: ../docker/services/nova-ironic.yaml - OS::TripleO::Services::IronicApi: ../docker/services/ironic-api.yaml - OS::TripleO::Services::IronicConductor: ../docker/services/ironic-conductor.yaml - OS::TripleO::Services::IronicPxe: ../docker/services/ironic-pxe.yaml + OS::TripleO::Services::IronicApi: ../deployment/ironic/ironic-api-container-puppet.yaml + OS::TripleO::Services::IronicConductor: ../deployment/ironic/ironic-conductor-container-puppet.yaml + OS::TripleO::Services::IronicPxe: ../deployment/ironic/ironic-pxe-container-puppet.yaml parameter_defaults: ControllerServices: diff --git a/ci/environments/scenario012-multinode-containers.yaml b/ci/environments/scenario012-multinode-containers.yaml index ceeab6f5b8..398884ac37 100644 --- a/ci/environments/scenario012-multinode-containers.yaml +++ b/ci/environments/scenario012-multinode-containers.yaml 
@@ -2,9 +2,9 @@ resource_registry: OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Services::NovaIronic: ../../docker/services/nova-ironic.yaml - OS::TripleO::Services::IronicApi: ../../docker/services/ironic-api.yaml - OS::TripleO::Services::IronicConductor: ../../docker/services/ironic-conductor.yaml - OS::TripleO::Services::IronicPxe: ../../docker/services/ironic-pxe.yaml + OS::TripleO::Services::IronicApi: ../../deployment/ironic/ironic-api-container-puppet.yaml + OS::TripleO::Services::IronicConductor: ../../deployment/ironic/ironic-conductor-container-puppet.yaml + OS::TripleO::Services::IronicPxe: ../../deployment/ironic/ironic-pxe-container-puppet.yaml # These enable Pacemaker OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml diff --git a/docker/services/ironic-api.yaml b/deployment/ironic/ironic-api-container-puppet.yaml similarity index 61% rename from docker/services/ironic-api.yaml rename to deployment/ironic/ironic-api-container-puppet.yaml index 9201d16665..c83e827a03 100644 --- a/docker/services/ironic-api.yaml +++ b/deployment/ironic/ironic-api-container-puppet.yaml 
@@ -40,22 +40,61 @@ parameters: default: false description: Remove package if the service is being disabled during upgrade type: boolean + IronicPassword: + description: The password for the Ironic service and db account, used by the Ironic services + type: string + hidden: true + MonitoringSubscriptionIronicApi: + default: 'overcloud-ironic-api' + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + IronicApiPolicies: + description: | + A hash of policies to configure for Ironic API. + e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json + IronicCorsAllowedOrigin: + type: string + default: '' + description: Indicate whether this resource may be shared with the domain received in the request + "origin" header. + EnableInternalTLS: + type: boolean + default: false + +conditions: + cors_allowed_origin_unset: {equals : [{get_param: IronicCorsAllowedOrigin}, '']} resources: + ApacheServiceBase: + type: ../../puppet/services/apache.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} + ContainersCommon: - type: ./containers-common.yaml + type: ../../docker/services/containers-common.yaml MySQLClient: type: ../../puppet/services/database/mysql-client.yaml - IronicApiBase: - type: ../../puppet/services/ironic-api.yaml + IronicBase: + type: ./ironic-base-puppet.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} 
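Review bot: `MonitoringSubscriptionIronicApi` is declared in this parameters block, but the role_data rewritten in the next hunk goes from `service_name: ironic_api` straight to `config_settings`, so the parameter looks unused and the API service may no longer publish a monitoring subscription. The inspector template shows the same gap explicitly: its `@@ -150,13 +164,21 @@` hunk deletes `monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}` while the parameter stays declared. If the drop is unintended, restore `monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}` under `service_name` (and the inspector equivalent); otherwise remove the dead parameters. `MonitoringSubscriptionIronicApi` and `EnableInternalTLS` are also added without a `description`.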
@@ -63,12 +102,82 @@ outputs: role_data: description: Role data for the Ironic API role. value: - service_name: {get_attr: [IronicApiBase, role_data, service_name]} + service_name: ironic_api config_settings: map_merge: - - get_attr: [IronicApiBase, role_data, config_settings] + - get_attr: [IronicBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] + - + if: + - cors_allowed_origin_unset + - {} + - ironic::cors::allowed_origin: {get_param: IronicCorsAllowedOrigin} + - ironic::api::authtoken::password: {get_param: IronicPassword} + ironic::api::authtoken::project_name: 'service' + ironic::api::authtoken::user_domain_name: 'Default' + ironic::api::authtoken::project_domain_name: 'Default' + ironic::api::authtoken::username: 'ironic' + ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } + ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + # NOTE: bind IP is found in hiera replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. 
for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + ironic::api::host_ip: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]} + ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]} + # This is used to build links in responses + ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} + ironic::api::service_name: 'httpd' + ironic::policy::policies: {get_param: IronicApiPolicies} + ironic::wsgi::apache::bind_host: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]} + ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]} + ironic::wsgi::apache::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]} + ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS} + ironic::cors::max_age: 3600 + ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH' + ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token' + ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma' + + tripleo::ironic_api::firewall_rules: + '133 ironic api': + dport: + - 6385 + - 13385 - apache::default_vhost: false - service_config_settings: {get_attr: [IronicApiBase, role_data, service_config_settings]} + service_config_settings: + keystone: + ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]} + ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} + ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} + ironic::keystone::auth::auth_name: 'ironic' + ironic::keystone::auth::password: {get_param: IronicPassword } + 
ironic::keystone::auth::tenant: 'service' + ironic::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + ironic::db::mysql::password: {get_param: IronicPassword} + ironic::db::mysql::user: ironic + ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ironic::db::mysql::dbname: ironic + ironic::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS puppet_config: config_volume: ironic_api @@ -76,7 +185,7 @@ outputs: step_config: list_join: - "\n" - - - {get_attr: [IronicApiBase, role_data, step_config]} + - - include ::tripleo::profile::base::ironic::api - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: DockerIronicApiConfigImage} kolla_config: diff --git a/puppet/services/ironic-base.yaml b/deployment/ironic/ironic-base-puppet.yaml similarity index 100% rename from puppet/services/ironic-base.yaml rename to deployment/ironic/ironic-base-puppet.yaml diff --git a/puppet/services/ironic-conductor.yaml b/deployment/ironic/ironic-conductor-container-puppet.yaml similarity index 65% rename from puppet/services/ironic-conductor.yaml rename to deployment/ironic/ironic-conductor-container-puppet.yaml index fcb1270d61..1246fbdbff 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/deployment/ironic/ironic-conductor-container-puppet.yaml @@ -1,9 +1,20 @@ heat_template_version: rocky description: > - OpenStack Ironic conductor configured with Puppet + OpenStack containerized Ironic Conductor service parameters: + DockerIronicConductorImage: + description: image + type: string + DockerIronicConfigImage: + description: The container image to use for the ironic config_volume + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json ServiceData: default: {} description: Dictionary packing service data 
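Review bot: The `mysql` section of `service_config_settings` sets `ironic::db::mysql::allowed_hosts` to `'%'` alongside the bind host, which grants the ironic database account from any source address. Its password is the same `IronicPassword` that this hunk also passes to `ironic::api::authtoken::password` and `ironic::keystone::auth::password`. This is probably carried over from the removed puppet template (not visible here), but the flattened file is a good place to record the assumption, e.g. `# '%' relies on network isolation of the MySQL endpoint; narrow to the internal API subnet where possible`. The same hunk hard-codes `dport` 6385 and 13385 in `tripleo::ironic_api::firewall_rules` while `ironic::api::port` is read from `EndpointMap`, so a non-default endpoint port would not be covered by this rule.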
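Review bot: `DockerIronicConductorImage` in the conductor template's `@@ -1,9 +1,20 @@` hunk is documented only as `description: image`, which tells an operator nothing about which container it selects. Something like `description: The container image to use for the ironic-conductor service` would match the wording of the `DockerIronicConfigImage` entry right below it. `DockerIronicInspectorImage` in the inspector template's first hunk has the same placeholder description.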
@@ -29,11 +40,11 @@ parameters: default: {} description: Parameters specific to the role type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json + IronicConfigureSwiftTempUrlKey: + default: true + description: Whether to configure Swift temporary URLs for use with + the "direct" and "ansible" deploy interfaces. + type: boolean IronicAutomatedClean: default: true description: Enables or disables automated cleaning which may result in @@ -215,19 +226,10 @@ parameters: default: [] description: List of additional architectures to enable. type: comma_delimited_list - -resources: - IronicBase: - type: ./ironic-base.yaml - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - Debug: {get_param: Debug} - IronicDebug: {get_param: IronicDebug} + UpgradeRemoveUnusedPackages: + default: false + description: Remove package if the service is being disabled during upgrade + type: boolean conditions: default_deploy_interface_unset: {equals : [{get_param: IronicDefaultDeployInterface}, '']} 
@@ -239,10 +241,31 @@ conditions: - equals: [{get_param: IronicDebug}, 'TRUE'] - equals: [{get_param: Debug}, true] enable_architecture_ppc64le: {contains: ['ppc64le', {get_param: AdditionalArchitectures}]} + configure_swift_temp_url: {equals: [{get_param: IronicConfigureSwiftTempUrlKey}, true]} + +resources: + + ContainersCommon: + type: ../../docker/services/containers-common.yaml + + MySQLClient: + type: ../../puppet/services/database/mysql-client.yaml + + IronicBase: + type: ./ironic-base-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + Debug: {get_param: Debug} + IronicDebug: {get_param: IronicDebug} outputs: role_data: - description: Role data for the Ironic conductor role. + description: Role data for the Ironic Conductor role. value: service_name: ironic_conductor monitoring_subscription: {get_param: MonitoringSubscriptionIronicConductor} 
@@ -394,9 +417,213 @@ outputs: ironic::drivers::inspector::user_domain_name: 'Default' ironic::drivers::inspector::project_domain_name: 'Default' tripleo::profile::base::ironic::conductor::enable_staging: {get_param: IronicEnableStagingDrivers} - step_config: | - include ::tripleo::profile::base::ironic::conductor + # to avoid hard linking errors we store these on the same + # volume/device as the ironic master_path + # https://github.com/docker/docker/issues/7457 + - ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot + - ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images + - ironic::pxe::tftp_root: /var/lib/ironic/tftpboot + - ironic::pxe::http_root: /var/lib/ironic/httpboot + - ironic::conductor::http_root: /var/lib/ironic/httpboot + service_config_settings: {} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: ironic + puppet_tags: ironic_config + step_config: + list_join: + - "\n" + - - include ::tripleo::profile::base::ironic::conductor + - {get_attr: [MySQLClient, role_data, step_config]} + config_image: {get_param: DockerIronicConfigImage} + volumes: + - /var/lib/ironic:/var/lib/ironic:z + kolla_config: + /var/lib/kolla/config_files/ironic_conductor.json: + command: /usr/bin/ironic-conductor + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/lib/ironic + owner: ironic:ironic + recurse: true + - path: /var/log/ironic + owner: ironic:ironic + recurse: true + docker_config_scripts: + create_swift_temp_url_key.sh: + mode: "0700" + content: | + #!/bin/bash + export OS_PROJECT_DOMAIN_NAME=$(crudini --get /etc/ironic/ironic.conf swift project_domain_name) + export OS_USER_DOMAIN_NAME=$(crudini --get /etc/ironic/ironic.conf swift user_domain_name) + export OS_PROJECT_NAME=$(crudini --get /etc/ironic/ironic.conf swift project_name) + export OS_USERNAME=$(crudini --get /etc/ironic/ironic.conf swift username) + export 
OS_PASSWORD=$(crudini --get /etc/ironic/ironic.conf swift password) + export OS_AUTH_URL=$(crudini --get /etc/ironic/ironic.conf swift auth_url) + export OS_AUTH_TYPE=password + export OS_IDENTITY_API_VERSION=3 + + echo "Check if a temporary URL key already exists" + RETVAL=-1 + RETRIES=5 + while [ ${RETVAL} -ne 0 ] && [ ${RETRIES} -gt 0 ]; do + RETRIES=$[$RETRIES-1] + CMD_OUT=$(openstack object store account show -f value) + RETVAL=$? + if [ ${RETVAL} -ne 0 ]; then + echo Retrying... + sleep 5 + continue + fi + if [[ ! ${CMD_OUT} =~ "Temp-Url-Key" ]] ; then + echo "Creating a new temporary URL for project $OS_PROJECT_NAME" + SWIFT_TEMP_URL_KEY=$(uuidgen | sha1sum | awk '{print $1}') + openstack object store account set --property "Temp-URL-Key=$SWIFT_TEMP_URL_KEY" + RETVAL=$? + fi + done + + docker_config: + step_4: + map_merge: + - if: + - configure_swift_temp_url + - create_swift_temp_url_key: + start_order: 70 + image: &ironic_conductor_image {get_param: DockerIronicConductorImage} + net: host + detach: false + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/puppet-generated/ironic/etc/ironic:/etc/ironic:ro + - /var/lib/docker-config-scripts/create_swift_temp_url_key.sh:/create_swift_temp_url_key.sh:ro + user: root + command: "/usr/bin/bootstrap_host_exec ironic_conductor /create_swift_temp_url_key.sh" + - {} + - ironic_conductor: + start_order: 80 + image: *ironic_conductor_image + net: host + privileged: true + restart: always + healthcheck: + test: + list_join: + - ' ' + - - '/openstack/healthcheck' + - yaql: + expression: str($.data.port) + data: + port: {get_attr: [IronicBase, role_data, config_settings, 'ironic::rabbit_port']} + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ironic_conductor.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/ironic/:/var/lib/kolla/config_files/src:ro + - 
/lib/modules:/lib/modules:ro + - /sys:/sys + - /dev:/dev + - /run:/run #shared? + - /var/lib/ironic:/var/lib/ironic:z + - /var/log/containers/ironic:/var/log/ironic:z + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: load iscsi_tcp module + import_role: + name: tripleo-module-load + vars: + modules: + - name: iscsi_tcp + - name: create persistent directories + file: + path: "{{ item.path }}" + state: directory + setype: "{{ item.setype }}" + with_items: + - { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t } + - name: ironic logs readme + copy: + dest: /var/log/ironic/readme.txt + content: | + Log files from ironic containers can be found under + /var/log/containers/ironic and /var/log/containers/httpd/ironic-*. + ignore_errors: true + - name: stat /httpboot + stat: path=/httpboot + register: stat_httpboot + - name: stat /tftpboot + stat: path=/tftpboot + register: stat_tftpboot + - name: stat /var/lib/ironic/httpboot + stat: path=/var/lib/ironic/httpboot + register: stat_ironic_httpboot + - name: stat /var/lib/ironic/tftpboot + stat: path=/var/lib/ironic/tftpboot + register: stat_ironic_tftpboot + # cannot use 'copy' module as with 'remote_src' it doesn't support recursion + - name: migrate /httpboot to containerized (if applicable) + command: /bin/cp -R /httpboot /var/lib/ironic/httpboot + when: stat_httpboot.stat.exists and not stat_ironic_httpboot.stat.exists + - name: migrate /tftpboot to containerized (if applicable) + command: /bin/cp -R /tftpboot /var/lib/ironic/tftpboot + when: stat_tftpboot.stat.exists and not stat_ironic_tftpboot.stat.exists + # Even if there was nothing to copy from original locations, + # we need to create the dirs before starting the containers + - name: ensure ironic pxe directories exist + file: + path: /var/lib/ironic/{{ item }} + state: directory + with_items: + - httpboot + - tftpboot upgrade_tasks: - - name: Stop 
ironic_conductor service - when: step|int == 1 - service: name=openstack-ironic-conductor state=stopped + - when: step|int == 3 + block: + - name: Set fact for removal of openstack-ironic-conductor package + set_fact: + remove_ironic_conductor_package: {get_param: UpgradeRemoveUnusedPackages} + - name: Remove openstack-ironic-conductor package if operator requests it + package: name=openstack-ironic-conductor state=removed + ignore_errors: True + when: remove_ironic_conductor_package|bool + post_upgrade_tasks: + - when: step|int == 1 + import_role: + name: tripleo-docker-rm + vars: + containers_to_rm: + - ironic_conductor + fast_forward_upgrade_tasks: + - when: + - step|int == 0 + - release == 'ocata' + block: + - name: Check if ironic_conductor is deployed + command: systemctl is-enabled --quiet openstack-ironic-conductor + ignore_errors: True + register: ironic_conductor_enabled_result + - name: Set fact ironic_conductor_enabled + set_fact: + ironic_conductor_enabled: "{{ ironic_conductor_enabled_result.rc == 0 }}" + - name: Stop openstack-ironic-conductor + service: name=openstack-ironic-conductor state=stopped enabled=no + when: + - step|int == 1 + - release == 'ocata' + - ironic_conductor_enabled|bool + - name: Ironic packages update + package: + name: 'openstack-ironic*' + state: latest + when: + - step|int == 6 + - is_bootstrap_node|bool diff --git a/puppet/services/ironic-inspector.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml similarity index 58% rename from puppet/services/ironic-inspector.yaml rename to deployment/ironic/ironic-inspector-container-puppet.yaml index 1bdc7fa9fd..58d692bc76 100644 --- a/puppet/services/ironic-inspector.yaml +++ b/deployment/ironic/ironic-inspector-container-puppet.yaml 
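Review bot: In `create_swift_temp_url_key.sh` the Temp-URL-Key, which signs Swift temporary URLs, is generated with `uuidgen | sha1sum`, so its unpredictability depends on which UUID variant `uuidgen` produces in the image; hashing a time-based UUID would not add entropy. Drawing from the kernel CSPRNG removes that dependency: `SWIFT_TEMP_URL_KEY=$(head -c 32 /dev/urandom | sha1sum | awk '{print $1}')`. The script also ends on the retry loop without checking `RETVAL`, so when all five attempts fail it appears to exit 0 and the `detach: false` step would not report the failure; adding `exit ${RETVAL}` after `done` would surface it. The script is likely moved from the deleted docker/services/ironic-conductor.yaml, whose content is not shown here.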
@@ -1,12 +1,19 @@ heat_template_version: rocky description: > - OpenStack Ironic Inspector configured with Puppet (EXPERIMENTAL) + OpenStack containerized Ironic Inspector service (EXPERIMENTAL) parameters: - ServiceData: + DockerIronicInspectorImage: + description: image + type: string + DockerIronicInspectorConfigImage: + description: The container image to use for the ironic_inspector config_volume + type: string + EndpointMap: default: {} - description: Dictionary packing service data + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. type: json ServiceNetMap: default: {} @@ -14,6 +21,10 @@ parameters: via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json + ServiceData: + default: {} + description: Dictionary packing service data + type: json DefaultPasswords: default: {} type: json @@ -25,11 +36,14 @@ parameters: default: {} description: Parameters specific to the role type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. + IPAImageURLs: + default: [] + description: IPA image URLs, the format should be ["http://path/to/kernel", "http://path/to/ramdisk"] type: json + UpgradeRemoveUnusedPackages: + default: false + description: Remove package if the service is being disabled during upgrade + type: boolean MonitoringSubscriptionIronicInspector: default: 'overcloud-ironic-inspector' type: string 
@@ -150,13 +164,21 @@ conditions: enable_node_discovery: {equals : [{get_param: IronicInspectorEnableNodeDiscovery}, true]} ironic_inspection_subnets_not_set: {equals : [{get_param: IronicInspectorSubnets}, {}]} enable_architecture_ppc64le: {contains: ['ppc64le', {get_param: AdditionalArchitectures}]} + ipa_images: {not: {equals: [{get_param: IPAImageURLs}, []]}} + +resources: + + ContainersCommon: + type: ../../docker/services/containers-common.yaml + + MySQLClient: + type: ../../puppet/services/database/mysql-client.yaml outputs: role_data: description: Role data for the Ironic Inspector role. value: service_name: ironic_inspector - monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector} config_settings: map_merge: - ironic::inspector::listen_address: @@ -257,8 +279,9 @@ outputs: - ironic::inspector::node_not_found_hook: 'enroll' ironic::inspector::discovery_default_driver: {get_param: IronicInspectorDiscoveryDefaultDriver} - {} - step_config: | - include ::tripleo::profile::base::ironic_inspector + # Match what we do for Ironic containers + - ironic::inspector::tftp_root: /var/lib/ironic/tftpboot + - ironic::inspector::http_root: /var/lib/ironic/httpboot service_config_settings: keystone: ironic::keystone::auth_inspector::tenant: 'service' 
@@ -275,25 +298,180 @@ outputs: ironic::inspector::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: ironic_inspector + puppet_tags: ironic_inspector_config + step_config: + list_join: + - "\n" + - - include ::tripleo::profile::base::ironic_inspector + - {get_attr: [MySQLClient, role_data, step_config]} + config_image: {get_param: DockerIronicInspectorConfigImage} + volumes: + - /var/lib/ironic:/var/lib/ironic:z + - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:z + kolla_config: + /var/lib/kolla/config_files/ironic_inspector.json: + command: /usr/bin/ironic-inspector --config-file /etc/ironic-inspector/inspector-dist.conf --config-file /etc/ironic-inspector/inspector.conf + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/log/ironic-inspector + owner: ironic-inspector:ironic-inspector + recurse: true + - path: /var/lib/ironic + owner: ironic:ironic + recurse: true + - path: /var/lib/ironic-inspector/dhcp-hostsdir + owner: ironic-inspector:ironic-inspector + recurse: true + /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json: + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/lib/ironic-inspector/dhcp-hostsdir + owner: ironic-inspector:ironic-inspector + recurse: true + command: /sbin/dnsmasq --conf-file=/etc/ironic-inspector/dnsmasq.conf -k --log-facility=/var/log/ironic-inspector/dnsmasq.log + docker_config: + step_3: + ironic_inspector_init_log: + start_order: 0 + image: &ironic_inspector_image + get_param: DockerIronicInspectorImage + user: root + volumes: + - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z + command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/log/ironic-inspector'] + + 
ironic_inspector_init_dnsmasq_dhcp_hostsdir: + start_order: 1 + image: *ironic_inspector_image + user: root + volumes: + - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z + command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/lib/ironic-inspector/dhcp-hostsdir'] + ironic_inspector_db_sync: + start_order: 2 + image: *ironic_inspector_image + net: host + user: root + privileged: false + detach: false + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ironic_inspector/etc/ironic-inspector:/etc/ironic-inspector:ro + - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + command: "/usr/bin/bootstrap_host_exec ironic_inspector su ironic-inspector -s /bin/bash -c 'ironic-inspector-dbsync --config-file /etc/ironic-inspector/inspector.conf upgrade'" + ironic_inspector_get_ipa: + start_order: 2 + image: *ironic_inspector_image + net: host + user: root + privileged: false + detach: false + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/ironic:/var/lib/ironic:shared,z + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + command: + if: + - ipa_images + - list_join: + - " " + - - "curl -g -o /var/lib/ironic/httpboot/agent.kernel" + - {get_param: [IPAImageURLs, 0]} + - "-o /var/lib/ironic/httpboot/agent.ramdisk" + - {get_param: [IPAImageURLs, 1]} + - 'true' + step_4: + ironic_inspector: + start_order: 92 + image: *ironic_inspector_image + privileged: true + net: host + restart: always + healthcheck: + test: /openstack/healthcheck + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - 
/var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro + - /var/lib/ironic:/var/lib/ironic:shared,z + - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z + - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + ironic_inspector_dnsmasq: + start_order: 93 + image: *ironic_inspector_image + privileged: true + net: host + restart: always + user: root + healthcheck: + test: /openstack/healthcheck + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro + - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z + - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent ironic-inspector logs directory + file: + path: /var/log/containers/ironic-inspector + state: directory + setype: svirt_sandbox_file_t + - name: ironic-inspector logs readme + copy: + dest: /var/log/ironic-inspector/readme.txt + content: | + Log files from ironic-inspector container can be found under + /var/log/containers/ironic-inspector. 
+ ignore_errors: true + - name: create persistent ironic-inspector dnsmasq dhcp hostsdir + file: + path: /var/lib/ironic-inspector/dhcp-hostsdir + state: directory + setype: svirt_sandbox_file_t upgrade_tasks: - - name: Stop and disable ironic_inspector service - when: step|int == 2 - service: name=openstack-ironic-inspector state=stopped enabled=no - - name: Stop and disable ironic_inspector dnsmasq service - when: step|int == 2 - service: name=openstack-ironic-inspector-dnsmasq state=stopped enabled=no - - name: purge iptables port 67 jump rule - when: step|int == 2 - iptables: - chain: INPUT - interface: {get_param: IronicInspectorInterface} - protocol: udp - destination_port: 67 - jump: ironic-inspector - state: absent - - name: purge iptables ironic-inspector chain - when: step|int == 2 - iptables: - chain: ironic-inspector - flush: true - state: absent + - when: step|int == 3 + block: + - name: Set fact for removal of openstack-ironic-inspector package + set_fact: + remove_ironic_inspector_package: {get_param: UpgradeRemoveUnusedPackages} + - name: Remove openstack-ironic-inspector package if operator requests it + package: name=openstack-ironic-inspector state=removed + ignore_errors: True + when: remove_ironic_inspector_package|bool + post_upgrade_tasks: + - when: step|int == 1 + import_role: + name: tripleo-docker-rm + vars: + containers_to_rm: + - ironic_inspector + - ironic_inspector_dnsmasq diff --git a/docker/services/ironic-neutron-agent.yaml b/deployment/ironic/ironic-neutron-agent-container-puppet.yaml similarity index 74% rename from docker/services/ironic-neutron-agent.yaml rename to deployment/ironic/ironic-neutron-agent-container-puppet.yaml index 0ef9635836..a0d69003ac 100644 --- a/docker/services/ironic-neutron-agent.yaml +++ b/deployment/ironic/ironic-neutron-agent-container-puppet.yaml 
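Review bot: `ironic_inspector_get_ipa` downloads the IPA kernel and ramdisk as root with a `curl -g -o …` command that `list_join` builds from `IPAImageURLs`, and nothing verifies what was fetched. The files land in `/var/lib/ironic/httpboot`, presumably to be booted by nodes under inspection, and the parameter's own example uses plain `http://` URLs. Without `--fail`, an HTTP error body would be written to `agent.kernel` or `agent.ramdisk` and the step would still succeed. Consider `"curl -g --fail -o /var/lib/ironic/httpboot/agent.kernel"` as the first element, plus an optional checksum parameter that is compared after download. Since the URLs are spliced into the command string unquoted, the parameter description should also state that it is operator-trusted input.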
@@ -36,19 +36,28 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + IronicPassword: + description: The password for the Ironic service and db account, used by the Ironic services + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint resources: ContainersCommon: - type: ./containers-common.yaml + type: ../../docker/services/containers-common.yaml - IronicNeutronAgentBase: - type: ../../puppet/services/ironic-neutron-agent.yaml + # TODO() Point to the right neutron-base once neutron is flat + NeutronBase: + type: ../../puppet/services/neutron-base.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} 
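Review bot: The `# TODO()` comment above the new `NeutronBase` resource names no owner and no tracking reference, so nothing ties the temporary `../../puppet/services/neutron-base.yaml` path to the work that will remove it. The same hunk points `ContainersCommon` at `../../docker/services/containers-common.yaml`, so this template now depends on two trees that the flattening effort is emptying, and either path presumably breaks when its target moves. I would write the comment as `# TODO(<owner>): point NeutronBase at the flattened neutron base template once it exists (blueprint services-yaml-flattening)` and add a matching line above `ContainersCommon`. The `resources` section continues past the end of the hunk.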
@@ -61,16 +70,23 @@ outputs: role_data: description: Role data for ironic-neutron-agent service value: - service_name: {get_attr: [IronicNeutronAgentBase, role_data, service_name]} + service_name: ironic_neutron_agent config_settings: map_merge: - - get_attr: [IronicNeutronAgentBase, role_data, config_settings] + - get_attr: [NeutronBase, role_data, config_settings] + - neutron::agents::ml2::networking_baremetal::user: 'ironic' + - neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword} + - neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] } + - neutron::agents::ml2::networking_baremetal::project_name: 'service' + - neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default' + - neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default' + - neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion} - get_attr: [NeutronLogging, config_settings] puppet_config: config_volume: neutron puppet_tags: neutron_config,ironic_neutron_agent_config step_config: - get_attr: [IronicNeutronAgentBase, role_data, step_config] + include tripleo::profile::base::neutron::agents::networking_baremetal config_image: {get_param: DockerNeutronConfigImage} kolla_config: /var/lib/kolla/config_files/ironic_neutron_agent.json: diff --git a/docker/services/ironic-pxe.yaml b/deployment/ironic/ironic-pxe-container-puppet.yaml similarity index 99% rename from docker/services/ironic-pxe.yaml rename to deployment/ironic/ironic-pxe-container-puppet.yaml index fd5c158bf8..b736896c57 100644 --- a/docker/services/ironic-pxe.yaml +++ b/deployment/ironic/ironic-pxe-container-puppet.yaml @@ -44,7 +44,7 @@ parameters: resources: ContainersCommon: - type: ./containers-common.yaml + type: ../../docker/services/containers-common.yaml outputs: role_data: 
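Review bot: The new `step_config` value under `puppet_config` in the first hunk here is a plain scalar placed on the line after the key, whereas the puppet templates this commit deletes wrote the same manifest as a literal block (`step_config: |`). It parses to the same one-line manifest today, but a second `include` added beneath it later would be folded onto the same line instead of staying a separate statement. Writing `step_config: |` followed by the `include tripleo::profile::base::neutron::agents::networking_baremetal` line keeps this file consistent with the other templates and avoids that trap. The `role_data` mapping starts before and continues after the hunk.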
diff --git a/docker/services/ironic-conductor.yaml b/docker/services/ironic-conductor.yaml
deleted file mode 100644
index 65e87e9c3a..0000000000
--- a/docker/services/ironic-conductor.yaml
+++ /dev/null
@@ -1,287 +0,0 @@ -heat_template_version: rocky - -description: > - OpenStack containerized Ironic Conductor service - -parameters: - DockerIronicConductorImage: - description: image - type: string - DockerIronicConfigImage: - description: The container image to use for the ironic config_volume - type: string - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - IronicConfigureSwiftTempUrlKey: - default: true - description: Whether to configure Swift temporary URLs for use with - the "direct" and "ansible" deploy interfaces. 
- type: boolean - UpgradeRemoveUnusedPackages: - default: false - description: Remove package if the service is being disabled during upgrade - type: boolean - -conditions: - configure_swift_temp_url: {equals: [{get_param: IronicConfigureSwiftTempUrlKey}, true]} - -resources: - - ContainersCommon: - type: ./containers-common.yaml - - MySQLClient: - type: ../../puppet/services/database/mysql-client.yaml - - IronicConductorBase: - type: ../../puppet/services/ironic-conductor.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - -outputs: - role_data: - description: Role data for the Ironic Conductor role. - value: - service_name: {get_attr: [IronicConductorBase, role_data, service_name]} - config_settings: - map_merge: - - get_attr: [IronicConductorBase, role_data, config_settings] - # to avoid hard linking errors we store these on the same - # volume/device as the ironic master_path - # https://github.com/docker/docker/issues/7457 - - ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot - - ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images - - ironic::pxe::tftp_root: /var/lib/ironic/tftpboot - - ironic::pxe::http_root: /var/lib/ironic/httpboot - - ironic::conductor::http_root: /var/lib/ironic/httpboot - service_config_settings: {get_attr: [IronicConductorBase, role_data, service_config_settings]} - # BEGIN DOCKER SETTINGS - puppet_config: - config_volume: ironic - puppet_tags: ironic_config - step_config: - list_join: - - "\n" - - - {get_attr: [IronicConductorBase, role_data, step_config]} - - {get_attr: [MySQLClient, role_data, step_config]} - config_image: {get_param: DockerIronicConfigImage} - volumes: - - /var/lib/ironic:/var/lib/ironic:z - kolla_config: - /var/lib/kolla/config_files/ironic_conductor.json: - 
command: /usr/bin/ironic-conductor - config_files: - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" - merge: true - preserve_properties: true - permissions: - - path: /var/lib/ironic - owner: ironic:ironic - recurse: true - - path: /var/log/ironic - owner: ironic:ironic - recurse: true - docker_config_scripts: - create_swift_temp_url_key.sh: - mode: "0700" - content: | - #!/bin/bash - export OS_PROJECT_DOMAIN_NAME=$(crudini --get /etc/ironic/ironic.conf swift project_domain_name) - export OS_USER_DOMAIN_NAME=$(crudini --get /etc/ironic/ironic.conf swift user_domain_name) - export OS_PROJECT_NAME=$(crudini --get /etc/ironic/ironic.conf swift project_name) - export OS_USERNAME=$(crudini --get /etc/ironic/ironic.conf swift username) - export OS_PASSWORD=$(crudini --get /etc/ironic/ironic.conf swift password) - export OS_AUTH_URL=$(crudini --get /etc/ironic/ironic.conf swift auth_url) - export OS_AUTH_TYPE=password - export OS_IDENTITY_API_VERSION=3 - - echo "Check if a temporary URL key already exists" - RETVAL=-1 - RETRIES=5 - while [ ${RETVAL} -ne 0 ] && [ ${RETRIES} -gt 0 ]; do - RETRIES=$[$RETRIES-1] - CMD_OUT=$(openstack object store account show -f value) - RETVAL=$? - if [ ${RETVAL} -ne 0 ]; then - echo Retrying... - sleep 5 - continue - fi - if [[ ! ${CMD_OUT} =~ "Temp-Url-Key" ]] ; then - echo "Creating a new temporary URL for project $OS_PROJECT_NAME" - SWIFT_TEMP_URL_KEY=$(uuidgen | sha1sum | awk '{print $1}') - openstack object store account set --property "Temp-URL-Key=$SWIFT_TEMP_URL_KEY" - RETVAL=$? 
- fi - done - - docker_config: - step_4: - map_merge: - - if: - - configure_swift_temp_url - - create_swift_temp_url_key: - start_order: 70 - image: &ironic_conductor_image {get_param: DockerIronicConductorImage} - net: host - detach: false - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/config-data/puppet-generated/ironic/etc/ironic:/etc/ironic:ro - - /var/lib/docker-config-scripts/create_swift_temp_url_key.sh:/create_swift_temp_url_key.sh:ro - user: root - command: "/usr/bin/bootstrap_host_exec ironic_conductor /create_swift_temp_url_key.sh" - - {} - - ironic_conductor: - start_order: 80 - image: *ironic_conductor_image - net: host - privileged: true - restart: always - healthcheck: - test: - list_join: - - ' ' - - - '/openstack/healthcheck' - - yaql: - expression: str($.data.port) - data: - port: {get_attr: [IronicConductorBase, role_data, config_settings, 'ironic::rabbit_port']} - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/ironic_conductor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/ironic/:/var/lib/kolla/config_files/src:ro - - /lib/modules:/lib/modules:ro - - /sys:/sys - - /dev:/dev - - /run:/run #shared? 
- - /var/lib/ironic:/var/lib/ironic:z - - /var/log/containers/ironic:/var/log/ironic:z - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - host_prep_tasks: - - name: load iscsi_tcp module - import_role: - name: tripleo-module-load - vars: - modules: - - name: iscsi_tcp - - name: create persistent directories - file: - path: "{{ item.path }}" - state: directory - setype: "{{ item.setype }}" - with_items: - - { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t } - - { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t } - - name: ironic logs readme - copy: - dest: /var/log/ironic/readme.txt - content: | - Log files from ironic containers can be found under - /var/log/containers/ironic and /var/log/containers/httpd/ironic-*. - ignore_errors: true - - name: stat /httpboot - stat: path=/httpboot - register: stat_httpboot - - name: stat /tftpboot - stat: path=/tftpboot - register: stat_tftpboot - - name: stat /var/lib/ironic/httpboot - stat: path=/var/lib/ironic/httpboot - register: stat_ironic_httpboot - - name: stat /var/lib/ironic/tftpboot - stat: path=/var/lib/ironic/tftpboot - register: stat_ironic_tftpboot - # cannot use 'copy' module as with 'remote_src' it doesn't support recursion - - name: migrate /httpboot to containerized (if applicable) - command: /bin/cp -R /httpboot /var/lib/ironic/httpboot - when: stat_httpboot.stat.exists and not stat_ironic_httpboot.stat.exists - - name: migrate /tftpboot to containerized (if applicable) - command: /bin/cp -R /tftpboot /var/lib/ironic/tftpboot - when: stat_tftpboot.stat.exists and not stat_ironic_tftpboot.stat.exists - # Even if there was nothing to copy from original locations, - # we need to create the dirs before starting the containers - - name: ensure ironic pxe directories exist - file: - path: /var/lib/ironic/{{ item }} - state: directory - with_items: - - httpboot - - tftpboot - upgrade_tasks: - - when: step|int == 3 - block: - - name: Set fact for removal of openstack-ironic-conductor 
package - set_fact: - remove_ironic_conductor_package: {get_param: UpgradeRemoveUnusedPackages} - - name: Remove openstack-ironic-conductor package if operator requests it - package: name=openstack-ironic-conductor state=removed - ignore_errors: True - when: remove_ironic_conductor_package|bool - post_upgrade_tasks: - - when: step|int == 1 - import_role: - name: tripleo-docker-rm - vars: - containers_to_rm: - - ironic_conductor - fast_forward_upgrade_tasks: - - when: - - step|int == 0 - - release == 'ocata' - block: - - name: Check if ironic_conductor is deployed - command: systemctl is-enabled --quiet openstack-ironic-conductor - ignore_errors: True - register: ironic_conductor_enabled_result - - name: Set fact ironic_conductor_enabled - set_fact: - ironic_conductor_enabled: "{{ ironic_conductor_enabled_result.rc == 0 }}" - - name: Stop openstack-ironic-conductor - service: name=openstack-ironic-conductor state=stopped enabled=no - when: - - step|int == 1 - - release == 'ocata' - - ironic_conductor_enabled|bool - - name: Ironic packages update - package: - name: 'openstack-ironic*' - state: latest - when: - - step|int == 6 - - is_bootstrap_node|bool diff --git a/docker/services/ironic-inspector.yaml b/docker/services/ironic-inspector.yaml deleted file mode 100644 index 2fc51c5545..0000000000 --- a/docker/services/ironic-inspector.yaml +++ /dev/null 
@@ -1,257 +0,0 @@ -heat_template_version: rocky - -description: > - OpenStack containerized Ironic Inspector service (EXPERIMENTAL) - -parameters: - DockerIronicInspectorImage: - description: image - type: string - DockerIronicInspectorConfigImage: - description: The container image to use for the ironic_inspector config_volume - type: string - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - ServiceData: - default: {} - description: Dictionary packing service data - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - IPAImageURLs: - default: [] - description: IPA image URLs, the format should be ["http://path/to/kernel", "http://path/to/ramdisk"] - type: json - UpgradeRemoveUnusedPackages: - default: false - description: Remove package if the service is being disabled during upgrade - type: boolean - -resources: - - ContainersCommon: - type: ./containers-common.yaml - - IronicInspectorBase: - type: ../../puppet/services/ironic-inspector.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceNetMap: {get_param: ServiceNetMap} - ServiceData: {get_param: ServiceData} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - - MySQLClient: - type: ../../puppet/services/database/mysql-client.yaml - -conditions: - ipa_images: {not: {equals: [{get_param: IPAImageURLs}, []]}} - -outputs: - role_data: - description: Role data for the Ironic Inspector role. 
- value: - service_name: ironic_inspector - config_settings: - map_merge: - - get_attr: [IronicInspectorBase, role_data, config_settings] - # Match what we do for Ironic containers - - ironic::inspector::tftp_root: /var/lib/ironic/tftpboot - - ironic::inspector::http_root: /var/lib/ironic/httpboot - service_config_settings: {get_attr: [IronicInspectorBase, role_data, service_config_settings]} - # BEGIN DOCKER SETTINGS - puppet_config: - config_volume: ironic_inspector - puppet_tags: ironic_inspector_config - step_config: - list_join: - - "\n" - - - {get_attr: [IronicInspectorBase, role_data, step_config]} - - {get_attr: [MySQLClient, role_data, step_config]} - config_image: {get_param: DockerIronicInspectorConfigImage} - volumes: - - /var/lib/ironic:/var/lib/ironic:z - - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:z - kolla_config: - /var/lib/kolla/config_files/ironic_inspector.json: - command: /usr/bin/ironic-inspector --config-file /etc/ironic-inspector/inspector-dist.conf --config-file /etc/ironic-inspector/inspector.conf - config_files: - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" - merge: true - preserve_properties: true - permissions: - - path: /var/log/ironic-inspector - owner: ironic-inspector:ironic-inspector - recurse: true - - path: /var/lib/ironic - owner: ironic:ironic - recurse: true - - path: /var/lib/ironic-inspector/dhcp-hostsdir - owner: ironic-inspector:ironic-inspector - recurse: true - /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json: - config_files: - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" - merge: true - preserve_properties: true - permissions: - - path: /var/lib/ironic-inspector/dhcp-hostsdir - owner: ironic-inspector:ironic-inspector - recurse: true - command: /sbin/dnsmasq --conf-file=/etc/ironic-inspector/dnsmasq.conf -k --log-facility=/var/log/ironic-inspector/dnsmasq.log - docker_config: - step_3: - ironic_inspector_init_log: - start_order: 0 - image: 
&ironic_inspector_image - get_param: DockerIronicInspectorImage - user: root - volumes: - - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z - command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/log/ironic-inspector'] - - ironic_inspector_init_dnsmasq_dhcp_hostsdir: - start_order: 1 - image: *ironic_inspector_image - user: root - volumes: - - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z - command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/lib/ironic-inspector/dhcp-hostsdir'] - ironic_inspector_db_sync: - start_order: 2 - image: *ironic_inspector_image - net: host - user: root - privileged: false - detach: false - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/ironic_inspector/etc/ironic-inspector:/etc/ironic-inspector:ro - - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - command: "/usr/bin/bootstrap_host_exec ironic_inspector su ironic-inspector -s /bin/bash -c 'ironic-inspector-dbsync --config-file /etc/ironic-inspector/inspector.conf upgrade'" - ironic_inspector_get_ipa: - start_order: 2 - image: *ironic_inspector_image - net: host - user: root - privileged: false - detach: false - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/ironic:/var/lib/ironic:shared,z - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - command: - if: - - ipa_images - - list_join: - - " " - - - "curl -g -o /var/lib/ironic/httpboot/agent.kernel" - - {get_param: [IPAImageURLs, 0]} - - "-o /var/lib/ironic/httpboot/agent.ramdisk" - - {get_param: [IPAImageURLs, 1]} - - 'true' - step_4: - ironic_inspector: - start_order: 92 - image: 
*ironic_inspector_image - privileged: true - net: host - restart: always - healthcheck: - test: /openstack/healthcheck - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro - - /var/lib/ironic:/var/lib/ironic:shared,z - - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z - - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - ironic_inspector_dnsmasq: - start_order: 93 - image: *ironic_inspector_image - privileged: true - net: host - restart: always - user: root - healthcheck: - test: /openstack/healthcheck - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z - - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - host_prep_tasks: - - name: create persistent ironic-inspector logs directory - file: - path: /var/log/containers/ironic-inspector - state: directory - setype: svirt_sandbox_file_t - - name: ironic-inspector logs readme - copy: - dest: /var/log/ironic-inspector/readme.txt - content: | - Log files from ironic-inspector container can be found under - /var/log/containers/ironic-inspector. 
- ignore_errors: true - - name: create persistent ironic-inspector dnsmasq dhcp hostsdir - file: - path: /var/lib/ironic-inspector/dhcp-hostsdir - state: directory - setype: svirt_sandbox_file_t - upgrade_tasks: - - when: step|int == 3 - block: - - name: Set fact for removal of openstack-ironic-inspector package - set_fact: - remove_ironic_inspector_package: {get_param: UpgradeRemoveUnusedPackages} - - name: Remove openstack-ironic-inspector package if operator requests it - package: name=openstack-ironic-inspector state=removed - ignore_errors: True - when: remove_ironic_inspector_package|bool - post_upgrade_tasks: - - when: step|int == 1 - import_role: - name: tripleo-docker-rm - vars: - containers_to_rm: - - ironic_inspector - - ironic_inspector_dnsmasq diff --git a/environments/services-baremetal/ironic-inspector.yaml b/environments/services-baremetal/ironic-inspector.yaml deleted file mode 100644 index 93ce945000..0000000000 --- a/environments/services-baremetal/ironic-inspector.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resource_registry: - OS::TripleO::Services::IronicInspector: ../../puppet/services/ironic-inspector.yaml diff --git a/environments/services-baremetal/ironic.yaml b/environments/services-baremetal/ironic.yaml deleted file mode 100644 index 2dc7f57730..0000000000 --- a/environments/services-baremetal/ironic.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resource_registry: - OS::TripleO::Services::IronicApi: ../../puppet/services/ironic-api.yaml - OS::TripleO::Services::IronicConductor: ../../puppet/services/ironic-conductor.yaml - OS::TripleO::Services::NovaIronic: ../../puppet/services/nova-ironic.yaml - OS::TripleO::Services::IronicNeutronAgent: ../../puppet/services/ironic-neutron-agent.yaml -parameter_defaults: - NovaSchedulerDiscoverHostsInCellsInterval: 15 diff --git a/environments/services/ironic-inspector.yaml b/environments/services/ironic-inspector.yaml index a24284bdf6..1072d6e03b 100644 --- a/environments/services/ironic-inspector.yaml 
+++ b/environments/services/ironic-inspector.yaml @@ -1,5 +1,5 @@ resource_registry: - OS::TripleO::Services::IronicInspector: ../../docker/services/ironic-inspector.yaml + OS::TripleO::Services::IronicInspector: ../../deployment/ironic/ironic-inspector-container-puppet.yaml parameter_defaults: IronicDefaultInspectInterface: inspector diff --git a/environments/services/ironic.yaml b/environments/services/ironic.yaml index 413e3f8a94..a7f98cc482 100644 --- a/environments/services/ironic.yaml +++ b/environments/services/ironic.yaml @@ -1,6 +1,6 @@ resource_registry: - OS::TripleO::Services::IronicApi: ../../docker/services/ironic-api.yaml - OS::TripleO::Services::IronicConductor: ../../docker/services/ironic-conductor.yaml - OS::TripleO::Services::IronicPxe: ../../docker/services/ironic-pxe.yaml + OS::TripleO::Services::IronicApi: ../../deployment/ironic/ironic-api-container-puppet.yaml + OS::TripleO::Services::IronicConductor: ../../deployment/ironic/ironic-conductor-container-puppet.yaml + OS::TripleO::Services::IronicPxe: ../../deployment/ironic/ironic-pxe-container-puppet.yaml OS::TripleO::Services::NovaIronic: ../../docker/services/nova-ironic.yaml - OS::TripleO::Services::IronicNeutronAgent: ../../docker/services/ironic-neutron-agent.yaml + OS::TripleO::Services::IronicNeutronAgent: ../../deployment/ironic/ironic-neutron-agent-container-puppet.yaml diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml deleted file mode 100644 index 37e7a5f9dc..0000000000 --- a/puppet/services/ironic-api.yaml +++ /dev/null 
@@ -1,172 +0,0 @@ -heat_template_version: rocky - -description: > - OpenStack Ironic API configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - IronicPassword: - description: The password for the Ironic service and db account, used by the Ironic services - type: string - hidden: true - MonitoringSubscriptionIronicApi: - default: 'overcloud-ironic-api' - type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint - IronicApiPolicies: - description: | - A hash of policies to configure for Ironic API. - e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } } - default: {} - type: json - IronicCorsAllowedOrigin: - type: string - default: '' - description: Indicate whether this resource may be shared with the domain received in the request - "origin" header. 
- EnableInternalTLS: - type: boolean - default: false - -conditions: - cors_allowed_origin_unset: {equals : [{get_param: IronicCorsAllowedOrigin}, '']} - -resources: - ApacheServiceBase: - type: ./apache.yaml - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - EnableInternalTLS: {get_param: EnableInternalTLS} - - IronicBase: - type: ./ironic-base.yaml - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - -outputs: - role_data: - description: Role data for the Ironic API role. - value: - service_name: ironic_api - monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi} - config_settings: - map_merge: - - get_attr: [IronicBase, role_data, config_settings] - - get_attr: [ApacheServiceBase, role_data, config_settings] - - - if: - - cors_allowed_origin_unset - - {} - - ironic::cors::allowed_origin: {get_param: IronicCorsAllowedOrigin} - - ironic::api::authtoken::password: {get_param: IronicPassword} - ironic::api::authtoken::project_name: 'service' - ironic::api::authtoken::user_domain_name: 'Default' - ironic::api::authtoken::project_domain_name: 'Default' - ironic::api::authtoken::username: 'ironic' - ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } - ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - # NOTE: bind IP is found in hiera replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. 
for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - ironic::api::host_ip: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]} - ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]} - # This is used to build links in responses - ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} - ironic::api::service_name: 'httpd' - ironic::policy::policies: {get_param: IronicApiPolicies} - ironic::wsgi::apache::bind_host: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]} - ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]} - ironic::wsgi::apache::servername: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]} - ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS} - ironic::cors::max_age: 3600 - ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH' - ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token' - ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma' - - tripleo::ironic_api::firewall_rules: - '133 ironic api': - dport: - - 6385 - - 13385 - step_config: | - include ::tripleo::profile::base::ironic::api - service_config_settings: - keystone: - ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]} - ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} - ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} - ironic::keystone::auth::auth_name: 'ironic' - ironic::keystone::auth::password: {get_param: IronicPassword } - ironic::keystone::auth::tenant: 'service' - ironic::keystone::auth::region: 
{get_param: KeystoneRegion} - mysql: - ironic::db::mysql::password: {get_param: IronicPassword} - ironic::db::mysql::user: ironic - ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - ironic::db::mysql::dbname: ironic - ironic::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - upgrade_tasks: - - name: Stop ironic_api service (before httpd support) - when: step|int == 1 - service: name=openstack-ironic-api state=stopped enabled=no - - name: Stop ironic_api service (running under httpd) - when: step|int == 1 - service: name=httpd state=stopped diff --git a/puppet/services/ironic-neutron-agent.yaml b/puppet/services/ironic-neutron-agent.yaml deleted file mode 100644 index a9755a4d9f..0000000000 --- a/puppet/services/ironic-neutron-agent.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -heat_template_version: rocky - -description: > - OpenStack ironic-neutron-agent configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - IronicPassword: - description: The password for the Ironic service and db account, used by the Ironic services - type: string - hidden: true - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint - -resources: - - NeutronBase: - type: ./neutron-base.yaml - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - -outputs: - role_data: - description: Role data for the ironic-neutron-agent service. 
- value: - service_name: ironic_neutron_agent - config_settings: - map_merge: - - get_attr: [NeutronBase, role_data, config_settings] - - neutron::agents::ml2::networking_baremetal::user: 'ironic' - - neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword} - - neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] } - - neutron::agents::ml2::networking_baremetal::project_name: 'service' - - neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default' - - neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default' - - neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion} - step_config: | - include tripleo::profile::base::neutron::agents::networking_baremetal - upgrade_tasks: [] diff --git a/releasenotes/notes/drop-baremetal-ironic-ab7af5d2b75c9cbf.yaml b/releasenotes/notes/drop-baremetal-ironic-ab7af5d2b75c9cbf.yaml new file mode 100644 index 0000000000..652f0c13d4 --- /dev/null +++ b/releasenotes/notes/drop-baremetal-ironic-ab7af5d2b75c9cbf.yaml @@ -0,0 +1,3 @@ +--- +upgrade: + - Installing Ironic on baremetal is no longer supported