Previously we managed to get away with starting FRR during deployment
tasks at step 1. This worked because puppet config tasks (which need
all nodes to be reachable due to pacemaker) ran after deployment step
task 1. In our testing, TLS-E setups also worked okay, but that was
likely mainly due to coincidence because the IPA registration tasks
were also run at step 1 of the deployment tasks and came after FRR.
FRR needs to be up in order to reach nodes like freeipa in a BGP
based deployment.
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/771832
moved the IPA role from deployment_step 1 to external_deployment_step 1 and
this broke TLS-E deployments with FRR, because FRR is not already up
during external deployment step 1 and so we fail to reach the freeipa
node.
We fix this by relying on newly introduced pre_deploy_step_tasks which
are run in a separate task after container_setup_task, which is where
podman gets configured and before any deployment task.
While we're at it we also remove the state: stopped line for kolla,
which makes no sense any longer. And we also remove the main block,
since a single bunch of tasks will do it and is a bit simpler.
Tested as follows:
- Deployed an FRR-enabled TLS-E environment from master (was previously
failing 100%) a bunch of times.
Co-Authored-By: Carlos Gonçalves <cgoncalves@redhat.com>
Change-Id: I54531995fd180b3251901ff61296d6bd05fb85b2
The local certmonger cert will renew after half its lifetime, which will
be after 6 months by default. The current code would extract the CA cert
to a PEM file (and trust it), only if the cert in the existing PEM file
was expired.
But this means that the certmonger local cert could be renewed after six
months and not be replaced in the PEM file until the existing cert
expired at the end of the year. If certs are issued in this time, they
will not be trusted and the update will fail.
This patch removes this condition, so that the extracted and trusted cert
always matches what is in the PEM file, and what is trusted.
Note, the only place this occurs is on the undercloud, because this is
where we could use the certmonger local cert. We assume that the haproxy
cert will be re-issued in an update.
This change has been added to puppet-tripleo for master and all previous
releases, but in master now, we do this directly in tht as we use
ansible to get the system certs.
Change-Id: Ia0ad0ac6d7a09858b56dcb419a3bec17b63779a4
... because kolla_start fails to start with the following error if
that environment parameter is not defined.
ERROR:__main__:InvalidConfig: KOLLA_CONFIG_STRATEGY is not set properly
Change-Id: I7cdf127b495c4d9f415a703fc8b7954a3f5b53fe
We now need to move forward and pin the newer
container-tools:3.0 stream. This will be available
on RHEL 8.4 and CentOS 8.4+.
Related: rhbz#1866479
Change-Id: I61850fa01afca92aa78412e0277180596633f858
Regressions from Ic77ed56c32c7071ce126a1528030094b97894653
and I685ec7d7c583c9f8d9f04b0f1027136ed042487c.
'if' can't be used for a key in a map. If specified for
a value, the key would be ignored.
Change-Id: I0ed0d6657622100480721f7e4ca14e39944ce292
Let's introduce a new set of tasks that will be called after all the
groundwork to run containers has been run (so after podman's
host_prep_tasks, after the container_setup tasks but before any
deployment step or external deployment step).
Change-Id: If3c74703a684fbd5a815e073cc9da34e9ad672e8
When Ceph is deployed by cephadm and tls-everywhere is enabled,
all the related certificates and keys should be created by TripleO.
For this reason, this change aligns these services to use the role [1]
for key and cert generation.
[1] https://github.com/linux-system-roles/certificate
Change-Id: I8cb69256e57f20dd1050f99fa305c56f22435bc2
This patch ensures that debug logging of libvirt services is enabled
when the global Debug parameter is true, since the parameter is
supposed to enable debug logging for all services.
Also it introduces a new LibvirtDebug parameter, to allow operators to
enable debug logging of libvirt services more easily than by setting a
log level number between 1 and 4.
Change-Id: I54e0ee6fe59d04686f15cb5638262b34572596e1
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use the
2-argument variant of the ``if`` function, which would allow for
e.g. conditional definition of resource properties and help
clean up templates. If only two arguments are passed to the ``if``
function, the entire enclosing item is removed when the condition
is false.
Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
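As an added illustration (not a template from tripleo-heat-templates), the following constructed Heat template shows the difference between the two-argument and three-argument forms of ``if`` under the wallaby template version. The parameter names, resource name and certificate path are made up for the example; only the ``if`` semantics come from Heat.

```yaml
heat_template_version: wallaby

parameters:
  # Constructed example parameters, not TripleO parameter names.
  EnableTls:
    type: boolean
    default: false
  CertPath:
    type: string
    default: /etc/pki/tls/certs/example.crt   # placeholder path

conditions:
  tls_enabled: {get_param: EnableTls}

resources:
  example_config:
    type: OS::Heat::Value
    properties:
      value:
        service_config:
          bind_port: 8080
          # Two-argument form: when tls_enabled is false the whole
          # 'ssl_cert' key is dropped from the map instead of being
          # rendered with a null value. Note that 'if' can only be
          # used as a value here, never as the key itself.
          ssl_cert: {if: [tls_enabled, {get_param: CertPath}]}
          # Three-argument form: the key is always present and one of
          # the two values is selected.
          scheme: {if: [tls_enabled, https, http]}

outputs:
  rendered:
    description: Rendered map, with ssl_cert absent when EnableTls is false
    value: {get_attr: [example_config, value]}
```

With EnableTls left at its default, the rendered map contains only bind_port and scheme; with EnableTls set to true it also contains ssl_cert.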
It appears running tmpwatch from the cron.daily location isn't
possible: the way cron/anacron is running things appears to break the
SELinux context at some point, leading to SELinux denials caused by a
weird need for dac_override.
In order to NOT allow this dac_override (security hazard), and after
extensive testing, it seems it's better to push the job directly in
root's crontab.
Change-Id: Ib7e1d47fe7cffa2bd2ed1d72d94e4f380162f10a
Closes-Bug: #1922002
Resolves: rhbz#1944466