Commit Graph

84 Commits

Author SHA1 Message Date
Carlos Camacho
44ef2a3ec1 Change template names to rocky
The new master branch should point now to rocky.

So, HOT templates should specify that they might contain features
for rocky release [1]

Also, this submission updates the yaml validation to use only latest
heat_version alias. There are cases in which we will need to set
the version for specific templates i.e. mixed versions, so there
is added a variable to assign specific templates to specific heat_version
aliases, avoiding the introduction of errors by bulk replacing the
old version in new releases.

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky
Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
2018-05-09 08:28:42 +02:00
Andrew Smith
78bc457585 Support separate oslo.messaging services for RPC and Notification
This commit introduces oslo.messaging services in place of a single
rabbitmq server. This will enable the separation of rpc and
notifications for the continued use of a single backend (e.g.
rabbitmq server) or a dual backend for the messaging communications.

This patch:
* add oslo_messaging_rpc and oslo_messaging_notify services
* add puppet services for rpc and notification
  (rabbitmq and qdrouterd servers)
* add docker services to deploy rpc (rabbitmq or qdrouterd)
  and notify (rabbitmq or shared)
* retains rabbit parameters for core services
* update resource registries, service_net_map, roles, etc.
* update ci environment container scenarios
* add environment generator for messaging
* add release note

Depends-On: Ic2c1a58526febefc1703da5fec12ff68dcc0efa0
Depends-On: I154e2fe6f66b296b9b643627d57696e5178e1815
Depends-On: I03e99d35ed043cf11bea9b7462058bd80f4d99da
Needed-By: Ie181a92731e254b7f613ad25fee6cc37e985c315
Change-Id: I934561612d26befd88a9053262836b47bdf4efb0
2018-04-22 04:33:44 +00:00
Emilien Macchi
02cacfd53a undercloud: increase token expiration time
We did it in the past (3 years ago!) in instack-undercloud:
43e792c684
in the context of: https://bugzilla.redhat.com/show_bug.cgi?id=1235908

This time, we have the same problem when the undercloud is
containerized.
This patch is actually setting parity with keystone config from
instack-undercloud, but also raising an actual issue that will be
addressed this cycle.

In the meantime, let's increase the token expiration so we can move
forward with testing the containerized undercloud.

Change-Id: Iceaaf53fae44b5bcda9f6517f163939ba6be3d49
Related-Bug: #1761050
2018-04-04 13:46:12 -07:00
Emilien Macchi
88daf0d5da Move API cors config to their services
- Move out cors config from tripleo-ui to be in services.
- Configure allowed_origin to '*' for the containerized
  undercloud (when TripleO UI is containerized)
- Default param for allowed_origin is unset for security reasons.

Change-Id: Iee983d84c78fe055f295eedfadde336b25a5d6a1
2018-03-24 03:04:44 +00:00
Steven Hardy
3a7baa8fa6 Convert ServiceNetMap evals to hiera interpolation
Since https://review.openstack.org/#/c/514707/ added the net_ip_map
to hieradata, we can look up the per-network bind IPs via hiera
interpolation instead of heat map_replace.

In some cases the ServiceNetMap lookup is used for other things,
but anywhere we make use of the "magic" translation via NetIpMap
is changed the same way.

This will enable more of the configuration data to be exposed per
role vs per node in a future patch (to simplify our ansible
workflow).

Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com>
Change-Id: Ie3da9fedbfce87e85f74d8780e7ad1ceadda79c8
2018-03-10 08:18:30 +00:00
Lars Kellogg-Stedman
b20bce1bf0 logging: use service_config_settings for fluentd
The initial fluentd client implementation predates the introduction of
service_config_settings, and necessitated some invasive changes to
what is now common/services.yaml. This commit modifies existing
services to use the service_config_settings based configuration
mechanism supported by more recent versions of the fluentd support in
puppet-tripleo.

Partial-bug: #1715187
Depends-On: I3149902401d68d6fd236073a73a20f982d4b952a
Depends-On: I2b057190ec0e4e75ee4ee47ebe0164c2644e5ab7
Depends-On: Ie7df4b8b94cb0ae38096ab95800f211ef1cd8455
Change-Id: I28028ffa00df2da8e0478a551d3de89c3ee46e1f
2018-02-07 16:37:00 +01:00
Juan Antonio Osorio Robles
dae0bd9b82 Tie keystone admin API port to what we configure in t-h-t
This only exposes the port that we actually will use for the admin API
port, as well as bonding the actual port to what we configure of the
keystone service (apache and the keystone configuration).

Change-Id: I4b27d774d5ab291340c0a3e537efbb75ed311d49
Closes-Bug: #1746180
2018-01-30 09:33:13 +02:00
Zuul
1af7729939 Merge "Convert tags to when statements for Q major upgrade workflow" 2018-01-13 09:39:38 +00:00
marios
dec003def8 Convert tags to when statements for Q major upgrade workflow
This converts "tags: stepN" to "when: step|int == N" for the direct
execution as an ansible playbook, with a loop variable 'step'.
The tasks all include the explicit cast |int.

This also adds a set_fact task for handling of the package removal
with the UpgradeRemovePackages parameter (no change to the interface)

The yaml-validate also now checks for duplicate 'when:' statements

Q upgrade spec @ Ibde21e6efae3a7d311bee526d63c5692c4e27b28
Related Blueprint: major-upgrade-workflow
[0]: 394a92f761/tripleo_common/utils/config.py (L141)
Change-Id: I6adc5619a28099f4e241351b63377f1e96933810
2018-01-08 13:57:47 +02:00
Juan Antonio Osorio Robles
cb875d327a Add parameters to configure options in keystone's security_compliance group
These parameters were introduced as strings and will only be configured
if the value is set. This way it respects the $::os_service_default
settings which is the default for all of them.

Depends-On: I089f2e28cce2688ed080096c88ab539393627cfb
Change-Id: I3399129c41054a914bb91417c814cd063ee0c07e
2018-01-04 14:40:51 +02:00
Michele Baldessari
c56cdc8dda Add Instance HA support
This adds support for an Instance HA deployment option which evacuates
VMs after a compute node failure. To enable this feature just add
-e environments/compute-instanceha.yaml and make sure the compute nodes
have the OS::TripleO::Services::ComputeInstanceHA and the
OS::TripleO::Services::PacemakerRemote services added to it.

Testing has been done as follows:
1) Deploy an overcloud with Instance HA
2) Create a VM on the overcloud
3) Crash a compute node
4) Observe that the nova evacuate resource agent initiates the nova
   evacuation:
Nov 29 10:39:49 localhost NovaEvacuate(nova-evacuate)[32253]: NOTICE: Initiating evacuation of overcloud-novacompute-0.localdomain with fence_evacuate
Nov 29 10:39:57 localhost NovaEvacuate(nova-evacuate)[32253]: NOTICE: Completed evacuation of overcloud-novacompute-0.localdomain
5) Observe the VM having been started on the functional compute node

A documentation patch will follow explaining the whole mechanism more
in detail.

blueprint instance-ha

Depends-On: I4d1908242e9513a225d2b1da06ed4ee769ee10f7
Change-Id: If6c7d6c56eca96bd64ac5936036d119bd9ec6226
2017-12-10 09:08:01 +01:00
Carlos Camacho
927495fe3d Change template names to queens
The new master branch should point now to queens instead of pike.

So, HOT templates should specify that they might contain features
for queens release [1]

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens

Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
2017-11-23 10:15:32 +01:00
Zuul
fabbbbbfdf Merge "Add constraints to service Debug flags" 2017-11-13 22:23:50 +00:00
Juan Antonio Osorio Robles
2f7888c2c5 Add constraints to service Debug flags
The service debug flags (e.g. BarbicanDebug), allow the deployer to set
the verbose logging for a specific service. They are strings to allow
folks to set it up regardless of the global Debug flag being set.

This commit adds a constraint to set the allowed values for these
parameters. It is based on a subset of the underlying implementation
that sets this flag (which uses any2bool).

Change-Id: I35e7a7ee35aefb7108ec6b0bb8f3124610fb97ee
2017-11-06 08:23:21 +02:00
Juan Antonio Osorio Robles
3de75ccea0 Keystone: Enable notification topics to be configured
This enables the configuration of notification topics via the
KeystoneNotificationTopics parameter.

Change-Id: I224e730e41e1bcb703e5deebfab3ca74f08faa02
Related-Bug: #1729293
2017-11-01 13:48:53 +00:00
Ade Lee
c9b7091536 Ensure Debug is a boolean
Oslo does not like it when Debug is not a proper python boolean
Closes-Bug: 1719929

Change-Id: Ib6c3969d4dd75d5fb2cc274266c060acff8d5571
2017-09-27 13:22:07 -04:00
Thomas Herve
8008089de2 Use list_concat in place of yaql
Where applicable, use list_concat instead of yaql to build new lists: it
should be more resilient to errors, easier to debug, and less expensive.

Change-Id: I6d3dbc7ee8eac50f46023a35af4ec7f2d378fd87
Related-Bug: #1714005
2017-08-30 15:43:16 +02:00
Juan Antonio Osorio Robles
79aca264ff Use number for KeystoneCronTokenFlushMaxDelay instead of string
Using a string results in an erroneous check in puppet-keystone, which
sets up a zero where it shouldn't. So we change it to number to avoid
that. Note that there will also be a puppet-keystone fix for this.
Changing the value here assures that deployers only give valid values to
this parameter.

Change-Id: I00823e23358df91ce54f421c12636f05d4196e15
Closes-Bug: #1708584
2017-08-07 08:28:23 +00:00
Ben Nemec
8fb3da3c60 Make EnablePackageInstall and Debug descriptions consistent
Change-Id: I3ea7c0c7ea049043668e68c6e637fd2aaf992622
Partial-Bug: 1700664
2017-07-21 18:38:58 +00:00
Giulio Fidente
baf6eee501 Adds network/cidr mapping into a new service property
Makes it possible to resolve network subnets within a service
template; the data is transported into a new property ServiceData
wired into every service which hopefully is generic enough to
be extended in the future and transport more data.

Data can be consumed in service templates to set config values
which need to know what is the subnet where a daemon operates (for
example the Ceph Public vs Cluster network).

Change-Id: I28e21c46f1ef609517175f7e7ee19e28d1c0cba2
2017-07-14 13:44:04 +02:00
Emilien Macchi
d5145167cb Allow to set Notification Driver to 'noop'
This patch does 2 things:
* Configure messagingv2 as default driver for Oslo Notifications sent on
  RPC.
* Allow users to choose between messagingv2 (default) and noop when we
  want to disable notifications (for example, when Telemetry is disabled).
* Deprecate KeystoneNotificationDriver in favor of NotificationDriver.

Change-Id: Ia547d7f4bfb51e7c45246b097b48fd86da231bd3
Related-Bug: #1701357
2017-07-11 13:57:48 -07:00
Juan Antonio Osorio Robles
4ec13cc91b Make fernet max active keys configurable
This will set the max_active_keys setting in keystone.conf, and
furthermore we'll read this value from tripleo-common to do purging of
keys if necessary.

bp keystone-fernet-rotation

Change-Id: I9c6b0708c2c03ad9918222599f8b6aad397d8089
2017-06-16 07:26:34 +00:00
Juan Antonio Osorio Robles
350e1a81dd Enable heat/puppet to manage the fernet keys and make it configurable
With the addition of the KeystoneFernetKeys parameter, it's now possible
to do fernet key rotations using mistral, by modifying the
KeystoneFernetKeys variable in mistral; subsequently a rotation could
happen when doing a stack update.

So this re-enables the managing of the key files by puppet. However,
this is left configurable, as folks might want to manage those files
out-of-band.

bp keystone-fernet-rotation
Change-Id: Ic82fb8b8a76481a6e588047acf33a036cf444d7d
2017-06-14 10:04:06 +03:00
Juan Antonio Osorio Robles
490e237f09 Use KeystoneFernetKeys instead of individual parameters
This uses the newly introduced dict with the keys and paths instead of
the individual keys. Having the advantage that rotation will be
possible on stack update, as we no longer have a limit on how many keys
we can pass (as we did with the individual parameters).

bp keystone-fernet-rotation
Change-Id: I7d224595b731d9f3390fce5a9d002282b2b4b8f2
Depends-On: I63ae158fa8cb33ac857dcf9434e9fbef07ecb68d
2017-06-14 10:03:54 +03:00
Emilien Macchi
1e899703cc Ability to enable/disable debug mode per OpenStack service
Add ServiceDebug parameters for each service that will allow operators
to enable/disable Debug for specific services.

We keep the Debug parameters for backward compatibility.

Operators want to enable Debug everywhere:
  Debug: true
Operators want to disable Debug everywhere:
  Debug: false
Operators want to disable Debug everywhere except Glance:
  GlanceDebug: true
Operators want to enable Debug everywhere except Glance:
  Debug: true
  GlanceDebug: false

New parameters: AodhDebug, BarbicanDebug, CeilometerDebug, CinderDebug,
CongressDebug, GlanceDebug, GnocchiDebug, HeatDebug, HorizonDebug,
IronicDebug, KeystoneDebug, ManilaDebug, MistralDebug, NeutronDebug,
NovaDebug, OctaviaDebug, PankoDebug, SaharaDebug, TackerDebug,
ZaqarDebug.

Note: for backward compatibility in Horizon, HorizonDebug is set to
false, so we maintain previous behavior.

Change-Id: Icbf4a38afcdbd8471d1afc11743df9705451db52
Implement-blueprint: composable-debug
Closes-Bug: #1634567
2017-06-07 11:26:30 +02:00
Saravanan KR
a096ddab34 Add role specific information to the service template
When a service is enabled on multiple roles, the parameters for the
service will be global. This change enables an option to provide
role specific parameter to services and other templates.

Two new parameters - RoleName and RoleParameters, are added to the
service template. RoleName provides the name of the role on which the
current instance of the service is being applied. RoleParameters
provides the list of parameters which are configured specific to the
role in the environment file, like below:

  parameters_default:
      # Default value applied to all roles
      NovaReservedHostMemory: 2048
      ComputeDpdkParameters:
          # Applied only to ComputeDpdk role
          NovaReservedHostMemory: 4096

In above sample, the cluster contains 2 roles - Compute, ComputeDpdk.
The values of ComputeDpdkParameters will be passed on to the templates
as RoleParameters while creating the stack for ComputeDpdk role. The
parameter which supports role specific configuration, should find the
parameter first in the RoleParameters list, if not found, then the
default (for all roles) should be used.
Implements: blueprint tripleo-derive-parameters

Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-15 10:06:46 +05:30
Juan Antonio Osorio Robles
eb923b0fae Disabling replacing fernet keys from puppet
Once puppet has written the initial fernet keys, if a deployer wants to
rotate them, the keys will be overwritten when another overcloud deploy
is executed (for instance, for updates or upgrades). This disables
replacing these keys via puppet, so now the operator can rotate the keys
out of band.

Change-Id: I01fd46ba7c5e0db12524095dc9fe29e90cb0de57
2017-05-11 10:45:45 +03:00
Zane Bitter
b26fe7d164 Use the make_url function to build URLs
Change-Id: I2b23d92c85d5ecc889a7ee597b90e930bde9028e
Depends-On: I72f84e737b042ecfaabf5639c6164d46a072b423
2017-05-05 14:43:11 -04:00
Emilien Macchi
a6041608ca upgrades: deploy mod_ssl when upgrading apache
1) When Apache is upgraded, install mod_ssl rpm.
   See https://bugs.launchpad.net/tripleo/+bug/1682448
   to understand why we need mod_ssl.

2) All services that run Apache for API will use the snippet from
   Apache service to deploy mod_ssl, so we don't duplicate the code
   in all services. It's using the same mechanism as ovs upgrade to
   compile upgrade_tasks between both services.

Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84
Closes-Bug: #1686503
2017-04-26 20:08:26 +00:00
Juan Antonio Osorio Robles
65e643aca2 Run token flush cron job hourly by default
Running this job once a day has proven problematic for large
deployments as seen in the bug report. Setting it to run hourly
would be an improvement to the current situation, as the flushes
wouldn't need to process as much data.

Note that this only affects people using UUID as the token provider.

Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a
Related-Bug: #1649616
2017-04-18 10:30:07 +00:00
Juan Antonio Osorio Robles
df36f221dd Use comma_delimited_list for token flush cron time settings
This allows us to better configure these parameters, e.g. we could set
the cron job to run more times per day, and not just one.

Change-Id: I0a151808804809c0742bcfa8ac876e22f5ce5570
Closes-Bug: #1682097
2017-04-12 14:40:07 +03:00
Cyril Lopez
347f5434b3 Add trigger to set up an LDAP backend as keystone domain
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo
which will call a define in puppet-keystone ldap_backend.pp.

Given the following environment:

parameter_defaults:
  KeystoneLDAPDomainEnable: true
  KeystoneLDAPBackendConfigs:
    tripleoldap:
      url: ldap://192.0.2.250
      user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
      password: Secrete
      suffix: dc=redhat,dc=example,dc=com
      user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
      user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
      user_objectclass: person
      user_id_attribute: cn
      user_allow_create: false
      user_allow_update: false
      user_allow_delete: false
  ControllerExtraConfig:
    nova::keystone::authtoken::auth_version: v3
    cinder::keystone::authtoken::auth_version: v3

It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.

More backends can be added as more entries to that hash.

This also enables multi-domain support for horizon.

Closes-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2017-04-06 07:10:57 +00:00
Emilien Macchi
91053af09d Allow to configure policy.json for OpenStack projects
For both containers and classic deployments, allow to configure
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).

Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.

Note: use it with extreme caution.

Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-28 22:21:28 +00:00
Juan Antonio Osorio Robles
c737eea8c0 Switch keystone default provider to fernet
UUID is to be deprecated, and we should be using fernet.

Change-Id: I61b999e65ba5eb771776344d38eb90fc52d49d56
2017-03-14 16:54:49 +00:00
Jenkins
90a0c87608 Merge "Keystone token flush cron job should log to a file" 2017-03-09 21:44:13 +00:00
Sofer Athlan-Guyot
fb78213782 Put service stop at step1 and quiesce at step2.
In the previous release[1], the services were stopped before the
pacemaker services, so that they get a chance to send last message to
the database/rabbitmq queue:

Let's do the upgrade in the same order.

[1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71

Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
2017-02-28 19:20:13 +01:00
Juan Antonio Osorio Robles
40a50031f3 Deploy versionless keystone endpoints (for keystone only)
The default is to deploy v2.0 endpoints, but this is not the recommended
approach. We should instead be using versionless endpoints.

Change-Id: Icbfae1c2ff2b7312646fd8e817dd8209220a0d96
Related-Bug: #1667679
2017-02-27 18:54:45 +02:00
Michele Baldessari
90431683b5 Make the DB URIs host-independent for all services
When fixing LP#1643487 we added ?bind_address to all DB URIs.
Since this clashes with Cellsv2 due to the URIs becoming host
dependent, we need a new approach to pass bind_address to pymysql
that leaves the DB URIs host-independent.

In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a
/etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct
bind-address option.

In this change we make sure that the DB URIs will point to the added
file and to the specific section containing the necessary bind-address
option. We do introduce a new MySQLClient profile which will hold all
this more client-specific configuration so that this change can fit
better in the composable roles work. Also, in the future it might
contain the necessary configuration for SSL for example.

Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist
(because it is created via the mysqlclient profile), things keep on
working as usual and the bind-address option simply won't be set, which
has no impact on hosts where there are no VIPs.

Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>

Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12
Related-Bug: #1643487
Closes-Bug: #1663181
Closes-Bug: #1664524
Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
2017-02-17 17:22:42 +01:00
marios
ec5ba081c4 Remove [heat,glance,ironic,cinder,keystone] db sync from ansible
These are handled by puppet as usual (puppet run comes after the
ansible steps) so remove them from these remaining upgrade_tasks

Change-Id: Ic341f31251622ccb11a5f7818b2edf7a82391560
2017-02-13 13:54:21 +02:00
Steven Hardy
1b58806a62 Reduce number of steps for upgrades
We don't need all the steps currently enabled for either batched
or concurrent updates, so decrease them.  In future we can perhaps
introspect the task tags during plan creation and set these
dynamically.

Change-Id: I0358886a332dfbecd03bc4a67086b08d25756c22
Partially-Implements: blueprint overcloud-upgrades-per-service
2017-02-03 11:43:47 +00:00
Juan Antonio Osorio Robles
80086fd342 Add metadata settings for needed kerberos principals
These are only used for TLS-everywhere, and fills up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service.
Where they can be used if there's a plugin enabled.

bp tls-via-certmonger
bp novajoin

Change-Id: I873094bb69200052febda629fda698a7a782c031
2017-01-25 00:33:11 +02:00
Jenkins
9282a7e0f2 Merge "Don't start all services during upgrade steps" 2017-01-19 18:27:02 +00:00
Steven Hardy
df1e016ad7 Don't start all services during upgrade steps
Currently we start all OpenStack services in step6, but puppet
already does this, and sometimes services require configuration
to account for the new version after the yum update before they
will start.

So instead of reimplementing that configuration management in
ansible, just defer starting the services until puppet has run
which will happen right after the ansible upgrade steps complete.

Note there are some DB sync operations etc that we may also be able
to remove and let puppet do those steps, but I've left those in
for now, as we know there are some actions during that phase
e.g nova cells setup, which aren't yet handled by puppet.

Change-Id: Idc8e253167a4bc74b086830cfabf28d4aab97d28
2017-01-19 13:27:58 +00:00
Carlos Camacho
e1f223b925 Configure cron parameters for Cinder Heat Keystone and Nova
Change-Id: I1b2c0025e363d0387ddc0514decd3bc2dc80f9ae
Closes-Bug: 1650680
2017-01-16 09:43:32 +01:00
Jenkins
0bfe7c9279 Merge "DB connection: prevent src address from binding to a VIP" 2017-01-04 16:43:34 +00:00
Damien Ciabrini
56ebc7e58d DB connection: prevent src address from binding to a VIP
When a service connects to the database VIP from the node hosting this
VIP, the resulting TCP socket has a src address which is by default
bound to the VIP as well. If the VIP is failed over to another node
while the socket's Send-Q is not empty, TCP keepalive won't engage and
the service will become unavailable for a very long time (by default
more than 10m).

To prevent failover issues, DB connections should have the src address
of their TCP socket bound to the IP of the network interface used for
MySQL traffic. This is achieved by passing a new option to the
database connection URIs. This option is available starting from
PyMySQL 0.7.9-2.

We use a new intermediate variable in hiera to hold the IP to be used
as a source address for all DB connections. All services adapt their
database URI accordingly.

Moreover, a new YAML validation check is added to guarantee that new
services will construct their database URI appropriately.

Change-Id: Ic69de63acbfb992314ea30a3a9b17c0b5341c035
Closes-Bug: #1643487
2017-01-03 10:56:02 +01:00
Steven Hardy
3c6ec654b4 Bump template version for all templates to "ocata"
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.

This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.

Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-23 11:43:39 +00:00
akrzos
480e35a92b Keystone token flush cron job should log to a file
Keystone UUID tokens require the token_flush job to delete expired
tokens to prevent the disk from filling.  When the job runs, it should
be allowed to log to the disk so that the job can be traced if required.

Change-Id: I62e36e0968902564b97093a45df15e963ad08242
Closes-Bug: #1648174
2016-12-07 12:46:10 -05:00
Jenkins
5aa0c861a4 Merge "Use network-based fqdn entry from hiera instead of the custom fact" 2016-12-02 09:40:36 +00:00
Steven Hardy
dbece39f54 Initial support for composable upgrades with Heat+Ansible
This shows how we could wire in the upgrade steps using Ansible
as was previously proposed e.g in https://review.openstack.org/#/c/321416/
but it's more closely integrated with the new composable services
architecture.

It's also very similar to the approach taken by SpinalStack where
ansible snippets per-service were combined then run in a series of
steps using Ansible tags.

This patch just enables upgrade of keystone - we'll add support for
other patches in subsequent patches.

Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
2016-12-01 13:40:50 +00:00