13634 Commits

Author SHA1 Message Date
Zuul
0c1f973ef3 Merge "Remove unused [ec2]driver parameter" 2021-04-09 05:17:44 +00:00
Zuul
f97b6259fc Merge "Move Ceph services to linux-system-roles.certificate" 2021-04-09 01:40:34 +00:00
Zuul
c73c470be7 Merge "Remove tripleo_hostname tag" 2021-04-09 01:40:04 +00:00
Zuul
04620d261e Merge "Fix some template conditions" 2021-04-09 01:39:43 +00:00
Zuul
4e7e35b4e8 Merge "Simplify ceilometer service template conditions" 2021-04-09 01:39:19 +00:00
Zuul
9d3088e4b3 Merge "Simplify conditions in barbican service templates" 2021-04-09 01:39:10 +00:00
Zuul
54b18352b2 Merge "Simplify apache service conditions" 2021-04-08 23:05:59 +00:00
Zuul
842ef194f4 Merge "Set Designate mdns to listen on both ipv6 and ipv4" 2021-04-08 19:26:50 +00:00
Zuul
12ef7e9632 Merge "Always update the local certmonger ca cert" 2021-04-08 11:27:15 +00:00
Zuul
c76182cb3a Merge "HA: fix race when moving VIP during minor update" 2021-04-07 15:37:00 +00:00
Zuul
9915cd53b3 Merge "[update][upgrade] Use container-tools:3.0" 2021-04-07 11:34:19 +00:00
Zuul
cbddc5c367 Merge "Add parameter to set iscsid CHAP algorithms" 2021-04-07 11:06:05 +00:00
Zuul
37e07b45f0 Merge "Enable exec resource to generate policy.yaml for Gnocchi" 2021-04-07 10:28:19 +00:00
Zuul
fbea1dd5b3 Merge "Move frr setup steps to pre_deploy_step_tasks" 2021-04-07 10:11:47 +00:00
Zuul
f8676c05f1 Merge "Ensure SELinux context persist across restorecon and reboot" 2021-04-07 03:59:53 +00:00
Takashi Kajinami
1ca4f727b6 Enable exec resource to generate policy.yaml for Gnocchi
The recent change[1] in puppet-gnocchi introduced conversion of policy
file from yaml to json, using the exec resource, thus we need to ensure
that the exec resource is enabled.

[1] https://review.opendev.org/c/openstack/puppet-gnocchi/+/768690

Depends-on: https://review.opendev.org/785076
Closes-Bug: #1922282
Change-Id: I91d3a879938bf6839eaf7e8b2c3d7f617109be2e
2021-04-07 08:40:04 +09:00
Zuul
243e8e0a43 Merge "Enable debug logging of libvirt services when Debug is true" 2021-04-06 23:27:43 +00:00
Zuul
26352bb459 Merge "Add missing KOLLA_CONFIG_STRATEGY for the aodh_api_cron container" 2021-04-06 22:32:33 +00:00
Michele Baldessari
79ddf2f879 Move frr setup steps to pre_deploy_step_tasks
Previously we managed to get away with starting FRR during deployment
tasks at step1. This worked because puppet config tasks (which need
all nodes to be reachable due to pacemaker) ran after deployment step
task 1. In our testing also TLS-E setups worked okay, but that was
likely mainly due to coincidence because the IPA registration tasks
were also run at step1 of the deployment tasks and came after FRR.
FRR is needed to be up in order to reach nodes like freeipa in a BGP
based deployment.

https://review.opendev.org/c/openstack/tripleo-heat-templates/+/771832
moved IPA role from deployment_step 1 to external_deployment_step 1 and
this broke TLS-E deployments with FRR, because FRR is not up already
during external deployment step 1 and so we fail to reach the freeipa
node.

We fix this by relying on newly introduced pre_deploy_step_tasks which
are run in a separate task after container_setup_task, which is where
podman gets configured and before any deployment task.

While we're at it we also remove the state: stopped line for kolla,
which makes no sense any longer. And we also remove the main block,
since a single bunch of tasks will do it and is a bit simpler.

Tested as follows:
- Deployed an FRR-enabled TLS-E environment from master (was previously
  failing 100%) a bunch of times.

Co-Authored-By: Carlos Gonçalves <cgoncalves@redhat.com>

Change-Id: I54531995fd180b3251901ff61296d6bd05fb85b2
2021-04-06 20:25:58 +00:00
Zuul
b104f039af Merge "Use list_concat_unique instead of yaql" 2021-04-06 19:59:29 +00:00
Zuul
4749fef686 Merge "Introduce pre_deploy_step_tasks" 2021-04-06 18:58:21 +00:00
Ade Lee
a65df66fb6 Always update the local certmonger ca cert
The local certmonger cert will renew after half its lifetime, which will
be after 6 months by default.  The current code would extract the CA cert
to a PEM file (and trust it), only if the cert in the existing PEM file
was expired.

But this means that the certmonger local cert could be renewed after six
months and not be replaced in the PEM file until the existing cert
expired at the end of the year.  If certs are issued in this time, they
will not be trusted and the update will fail.

This patch removes this condition, so that the extracted and trusted cert
always matches what is in the PEM file, and what is trusted.

Note, the only place this occurs is on the undercloud - because this is
where we could use the certmonger local cert.  We assume that the haproxy
cert will be re-issued in an update.

This change has been added to puppet-tripleo for master and all previous
releases, but in master now, we do this directly in tht as we use
ansible to get the system certs.

Change-Id: Ia0ad0ac6d7a09858b56dcb419a3bec17b63779a4
2021-04-06 13:51:41 -04:00
Takashi Kajinami
e163846971 Add missing KOLLA_CONFIG_STRATEGY for the aodh_api_cron container
... because kolla_start fails to start with the following error if
that environment parameter is not defined.

ERROR:__main__:InvalidConfig: KOLLA_CONFIG_STRATEGY is not set properly

Change-Id: I7cdf127b495c4d9f415a703fc8b7954a3f5b53fe
2021-04-06 23:51:36 +09:00
Jesse Pretorius (odyssey4me)
9098450076 [update][upgrade] Use container-tools:3.0
We now need to move forward and pin the newer
container-tools:3.0 stream. This will be available
on RHEL 8.4 and CentOS 8.4+.

Related: rhbz#1866479

Change-Id: I61850fa01afca92aa78412e0277180596633f858
2021-04-06 11:06:53 +00:00
ramishra
95bc75aaf2 Fix some template conditions
Regressions from Ic77ed56c32c7071ce126a1528030094b97894653
and I685ec7d7c583c9f8d9f04b0f1027136ed042487c.
'if' can't be used for a key in a map. If specified for
a value the key would be ignored.

Change-Id: I0ed0d6657622100480721f7e4ca14e39944ce292
2021-04-06 16:05:35 +05:30
ramishra
3ed29643b9 Simplify ceilometer service template conditions
Also removes leftover ceilometer_qdr_publish condition.

Change-Id: I520d32488f3300ebe895040c2cd5f0acc0c0d386
2021-04-06 16:04:46 +05:30
ramishra
06efcbbd1f Simplify conditions in barbican service templates
Change-Id: I799c4d60a674af965971c763e437e4f7987b0dff
2021-04-06 16:04:11 +05:30
ramishra
cefbfe418c Simplify apache service conditions
Change-Id: I1c1a49fdae6fb3e3ba15030eb762128c76f2a391
2021-04-06 16:03:30 +05:30
Michele Baldessari
35cb010cc8 Introduce pre_deploy_step_tasks
Let's introduce a new set of tasks that will be called after all the
groundwork to run containers has been run (so after podman's
host_prep_tasks, after the container_setup tasks but before any
deployment step or external deployment step).

Change-Id: If3c74703a684fbd5a815e073cc9da34e9ad672e8
2021-04-06 09:25:34 +02:00
Zuul
5ed1b12242 Merge "Enable fernet token cache by default" 2021-04-06 01:39:04 +00:00
Zuul
870dc4e519 Merge "[collectd] Fix CollectdAmqpSendQueueLimit references" 2021-04-06 00:43:10 +00:00
Zuul
b9563a0e4d Merge "Fix CephExternalMultiConfig using tripleo_ceph_client" 2021-04-05 21:56:33 +00:00
ramishra
ef240c1f62 Use list_concat_unique instead of yaql
These tasks are already filtered per service.

Change-Id: Ib868c110f8d32619762333e1dda3ddc2b007148a
2021-04-05 10:26:30 +05:30
Francesco Pantano
1954c3b251 Move Ceph services to linux-system-roles.certificate
When Ceph is deployed by cephadm and tls-everywhere is enabled,
all the related certificates and keys should be created by TripleO.
For this reason, this change aligns these services to use the role [1]
for key and cert generation.

[1] https://github.com/linux-system-roles/certificate

Change-Id: I8cb69256e57f20dd1050f99fa305c56f22435bc2
2021-04-03 17:58:04 +02:00
Zuul
824ec8b5ad Merge "Simplify internal_tls_enabled conditions" 2021-04-03 13:20:28 +00:00
Zuul
76cb99a2a7 Merge "radosgw_frontend_port should be a number" 2021-04-01 19:34:39 +00:00
Zuul
ff30e18bb1 Merge "Simplify conditions in aodh service templates" 2021-04-01 19:34:29 +00:00
Zuul
cc6cdfa754 Merge "Simplify conditions in heat service templates" 2021-04-01 18:57:41 +00:00
Zuul
fdb5ac2a24 Merge "Use 'wallaby' heat_template_version" 2021-04-01 18:57:13 +00:00
Zuul
7d48e49301 Merge "Move overcloud common bootstrap tasks out of step1 deploy tasks" 2021-04-01 13:59:32 +00:00
Takashi Kajinami
3f2e063c78 Enable debug logging of libvirt services when Debug is true
This patch ensures that debug logging of libvirt services is enabled
when the global Debug parameter is true, since the parameter is
supposed to enable debug logging for all services.

Also it introduces a new LibvirtDebug parameter, to allow operators to
enable debug of libvirt services more easily than setting log level
number between 1 and 4.

Change-Id: I54e0ee6fe59d04686f15cb5638262b34572596e1
2021-04-01 13:16:47 +09:00
Zuul
0dbcbd18ad Merge "Move tmpwatch from cron.daily to actual root crontab" 2021-03-31 16:09:27 +00:00
ramishra
dba59f9047 Simplify conditions in aodh service templates
Change-Id: I75678ee767871190a598a6e08c9222628ddd90ea
2021-03-31 17:35:15 +05:30
ramishra
4ee0f18947 Simplify conditions in heat service templates
This is part of a series of patches to reduce the
template complexity.

Change-Id: I685ec7d7c583c9f8d9f04b0f1027136ed042487c
2021-03-31 17:35:15 +05:30
ramishra
c9991c2e31 Use 'wallaby' heat_template_version
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
2-argument variant of the ``if`` function that would allow for
 e.g. conditional definition of resource properties and help
cleanup templates. If only two arguments are passed to ``if``
function, the entire enclosing item is removed when the condition
is false.

Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
2021-03-31 17:35:12 +05:30
Zuul
c1957574cf Merge "Remove neutron-l3-compute-dvr referenced nowhere" 2021-03-31 11:22:54 +00:00
Zuul
6edb6760f1 Merge "Provide ability to deploy metrics_qdr using ansible" 2021-03-31 09:54:02 +00:00
Francesco Pantano
d04e7b8ccf radosgw_frontend_port should be a number
cephadm, when rgw is deployed via [1], requires that the frontend_port
in the spec dict is an int and not a string.
[2] shows a string is produced, and this patch just adds some logic at
tht level to manipulate the input, casting it to int.
The ansible option 'ANSIBLE_JINJA2_NATIVE=True' [3] is supposed to be
able to enable this feature at tripleo-ansible level, but it's a
constraint we wouldn't like to introduce.

[1] https://review.opendev.org/c/openstack/tripleo-ansible/+/783305
[2] https://github.com/openstack/tripleo-heat-templates/blob/master/network/endpoints/endpoint_map.yaml#L64
[3] https://docs.ansible.com/ansible/latest/reference_appendices/config.html#envvar-ANSIBLE_JINJA2_NATIVE

Change-Id: I34f34bc3b263cf0df319ae6f175c7fc414528559
2021-03-31 11:31:55 +02:00
Zuul
91ae3c4ec6 Merge "Change all *Debug parameter types to boolean" 2021-03-31 08:59:54 +00:00
Cédric Jeanneret
1c7657b00b Move tmpwatch from cron.daily to actual root crontab
It appears running the tmpwatch from the cron.daily location isn't
possible: the way cron/anacron is running things appears to break
SELinux context at some point, leading to SELinux denials caused by a
weird need for dac_override.

In order to NOT allow this dac_override (security hazard), and after
extensive testing, it seems it's better to push the job directly in
root's crontab.

Change-Id: Ib7e1d47fe7cffa2bd2ed1d72d94e4f380162f10a
Closes-Bug: #1922002
Resolves: rhbz#1944466
2021-03-31 08:37:35 +02:00