As part of the minor update workflow and the update workflow, this changes
the pacemaker haproxy bundle resource to add the needed mount for public
TLS to work.
This also handles the reloading of the container to fetch any new certificates
and if needed, it will restart the pacemaker resource (for upgrades), since
we would need pacemaker to re-create the resource.
Change-Id: I850f4de17e7f7e3b46deb27119227ef76658dcb5
Closes-Bug: #1759797
dmidecode can return some additional data if SMBIOS is updated. Let's
ensure that the expected output matches the expected UUID format. The
expected string from the 'dmidecode --s system-uuid' call should look
like "79287E4C-2FBF-11B2-A85C-EB9FB9250CBA".
Change-Id: Ib0d19e64b2f24f4a9229f8868795e8979e267f04
Closes-Bug: #1762460
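The check described in the commit above, written out as an added example (not code from tripleo-heat-templates): rather than trusting whatever dmidecode prints, only a line that is exactly an 8-4-4-4-12 hex UUID is accepted. The sample outputs, including the SMBIOS warning lines, are constructed for the example; the `read_system_uuid` wrapper runs the real command (`dmidecode -s system-uuid`, which needs root) and is the only part that is not exercised offline.

```python
import re
import subprocess

# SMBIOS system UUID as printed by `dmidecode -s system-uuid`: 8-4-4-4-12 hex digits.
UUID_RE = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$"
)


def extract_system_uuid(output: str):
    """Return the first line of `output` that is exactly a UUID, or None.

    dmidecode can emit extra diagnostic lines before the value (for example
    when the firmware's SMBIOS version is newer than it fully supports), so the
    raw output is never used as-is; only a line matching UUID_RE is accepted.
    """
    for line in output.splitlines():
        candidate = line.strip()
        if UUID_RE.match(candidate):
            return candidate
    return None


def read_system_uuid():
    """Run dmidecode on this host (requires root) and return a validated UUID or None."""
    result = subprocess.run(
        ["dmidecode", "-s", "system-uuid"],
        capture_output=True, text=True, check=False,
    )
    return extract_system_uuid(result.stdout)


# Constructed sample outputs for the example (not captured from a real host).
CLEAN_OUTPUT = "79287E4C-2FBF-11B2-A85C-EB9FB9250CBA\n"
NOISY_OUTPUT = (
    "# SMBIOS implementations newer than version 3.0 are not\n"
    "# fully supported by this version of dmidecode.\n"
    "79287e4c-2fbf-11b2-a85c-eb9fb9250cba\n"
)
JUNK_OUTPUT = "Not Settable\n"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_OUTPUT), ("noisy", NOISY_OUTPUT), ("junk", JUNK_OUTPUT)):
        print(label, extract_system_uuid(sample))
```

Anchoring the pattern with `^` and `$` matters: a substring match would accept a diagnostic line that happens to embed a UUID, and a prefix-only match would accept a value with trailing junk.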
This is part of enabling TLS by default. It'll be needed in order to get
the certificate injection to work.
Needed-By: I3d3cad0eb1396e7bee146794b29badad302efdf3
Change-Id: I25e35ad1e4f12eb4cca7a0cd3e120e70e4a8c564
Add new interface config variables to the Nexus plugin.
vnc_pool
intfcfg.portchannel
Identify variables which are obsolete and those being deprecated.
Change default to switch_heartbeat_time.
Depends-On: I940659bdd448b7bda1c38d9343ec6322390b027a
Change-Id: I1995711fc976e72e4254fc0738e4c91b455830ab
Closes-bug: #1672493
Per-node customizations were only dumped as hieradata, so the
ceph-ansible workflow could not consume them.
This change passes the structure to the mistral workflow so that it
can consume the data and populate the inventory accordingly.
Change-Id: Ie7a9f10f0c821b8c642494a4d3933b2901f39d40
Depends-On: Ia23825aea938f6f9bcf536e35cad562a1b96c93b
Closes-Bug: #1736707
All SoftwareDeployment resources should use the name property when using
config-download.
This also adds a validation to check that the name property is set in
yaml-validate.py
Change-Id: I621e282a2e2c041a0701da0296881c615f0bfda4
Closes-Bug: #1733586
Containerized HAProxy always tries to load the SSL certificate; if TLS
is not enabled it will create the file as a directory. This messes up
the script that actually injects the HAProxy certificate into the
undercloud. To address this, we update that script to take this into
account.
Change-Id: Ifc748648cc0f8caaf5a551fd0bc5724b94f3087d
Closes-Bug: #1728267
- Until Newton this worked fine; however, starting with Ocata, we
do not need the key 'mapped_data'
- having it results in extra indirection in the dictionary in
neutron_bigswitch_data.json
Change-Id: I3bc9940aeff4e290d83de95a7df294c11f061954
Made Compute a composable service with Nuage.
Moved all the Nuage specific parameters from extraconfig to be part of this service.
Change-Id: Ic83e9c18d09fbba62bb5d8a12e28a23127f4197d
This de-couples public TLS from controllers to now run wherever HAProxy
is deployed.
Partially-Implements: blueprint composable-networks
Change-Id: I9e84a25a363899acf103015527787bdd8248949f
Convert NetApp Cinder back end to support composable roles via new
"CinderBackendNetApp" service.
Closes-Bug: #1680568
Change-Id: Ia3a78a48c32997c9d3cbe1629c2043cfc5249e1c
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane
network will be 192.168.24 by default and not 192.0.2 anymore.
This change removes old references left to 192.0.2 network from the
overcloud templates.
Change-Id: I1986721d339887741038b6cd050a46171a4d8022
The agent configuration was lost in newton during the puppet-tripleo and
THT role conversion. This change adds support for including the bigswitch
agent service for composable roles.
Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908
Closes-Bug: #1673126
The new hiera hook in I21639f6aadabf9e49f40d1bb0b1d0edcfc4dbc5e
was added to most of the tripleo-heat-templates in
Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
The new hook is installed by default if you use tripleo-common
Ia1864933235152b7e899c4442534879f8e22240d and will be installed
as part of the Newton to Ocata upgrades workflow in
I0c7a32194c0069b63a501a913c17907b47c9cc16
In order to use the new hiera data as part of the upgrade we
need to remove the old hieradata which will break anyone still
defining and using it. This change updates the remaining vendor
plugin manifests to use the new hiera hook. The pre-requisite
is that the new hook is installed on their overcloud (as above
it comes if you follow the N..O upgrade)
Change-Id: Ic95154734cb21e6b941c7f1569295b413963831d
In current setup some Contrail services belong to the wrong roles.
The Contrail control plane can be impacted if the Analytics database has
problems.
Change-Id: I0d57a2324c38b5b20cc687c6217a7a364941f7e6
Depends-On: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
Closes-Bug: #1659560
Updated the heat templates for the Cinder Dell EMC PS Series backend
to use composable services and for the rebranding of EQLX to Dell EMC PS Series
Closes-Bug: #1661313
Change-Id: Id9d6f172f3f79a31788b26c7776d738fda5a30fa
Updated the heat templates for Cinder Dell EMC Storage Center
Backend to use composable services
Closes-Bug: #1661314
Change-Id: I454549c45da7388f0e42975c9f4637dde9ec51e3
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.
This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
In the freeipa-enroll.yaml, it can be the case that the node has been
enrolled (via a cloud-init script); in this case, the OTP and the
FreeIPA server are optional. However, we still need to get a kerberos
ticket, which is the last step of this script, since this ticket is what
certmonger will use to request the certificates in subsequent steps.
Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
This is based on previous work [1] and it's what I've been using to
test the TLS-everywhere work.
This introduces a template that will run on every node to enroll
them to FreeIPA and acquire a ticket (authenticate) in order to be
able to request certificates.
Enrollment is done via the ipa-client-install command and it does
the following:
* Get FreeIPA's CA certificate and trust it.
* Authenticate to FreeIPA using an OTP and get a kerberos keytab.
* Set up several configurations that are needed for FreeIPA (sssd,
kerberos, certmonger)
The keytab is then used to authenticate and get an actual TGT
(Ticket-Granting-Ticket) from Kerberos
The previous implementation used a PreConfig hook, however, here it
was modified to use NodeTLSCAData. This has the advantage that it
runs on every node as opposed to the PreConfig hook where we had to
specify the role type so it's a usability improvement. And, on the
other hand, this does set up necessary things for the usage of
FreeIPA as a CA, such as getting the certificate and enrolling to the
CA.
[1] https://github.com/JAORMX/freeipa-tripleo-incubator
bp tls-via-certmonger
Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
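The two enrollment commits above (optional OTP/server when the node was already enrolled by cloud-init, and a Kerberos ticket acquired in every case) expressed as an added example in Python. This is not the freeipa-enroll.yaml script itself; it builds the command lines the commits describe and only runs them from `enroll()`. Assumptions: enrollment is detected by the presence of /etc/ipa/default.conf, which ipa-client-install writes, and the host keytab lives at /etc/krb5.keytab; the hostnames and realm in the test are made up.

```python
import os
import subprocess

IPA_CLIENT_CONF = "/etc/ipa/default.conf"  # assumed marker: written by ipa-client-install on success
HOST_KEYTAB = "/etc/krb5.keytab"           # assumed location of the host keytab fetched at enrollment


def is_enrolled(conf_path=IPA_CLIENT_CONF):
    """True if a previous run (e.g. cloud-init) already enrolled this node."""
    return os.path.exists(conf_path)


def enrollment_plan(hostname, realm, domain, server=None, otp=None, enrolled=False):
    """Return the commands to run, in order, as argv lists.

    Not enrolled: ipa-client-install with the OTP is mandatory (the server is
    optional; without it the client discovers IPA via DNS SRV records).
    Already enrolled: ipa-client-install is skipped and OTP/server are ignored.
    In both cases the last step obtains a TGT from the host keytab, which is
    what certmonger needs to request certificates afterwards.
    """
    steps = []
    if not enrolled:
        if not otp:
            raise ValueError("node is not enrolled and no OTP was supplied")
        install = [
            "ipa-client-install", "--unattended",
            "--hostname", hostname,
            "--realm", realm,
            "--domain", domain,
            "--password", otp,
        ]
        if server:
            install += ["--server", server]
        steps.append(install)
    steps.append(["kinit", "-kt", HOST_KEYTAB, f"host/{hostname}@{realm}"])
    return steps


def enroll(hostname, realm, domain, server=None, otp=None):
    """Execute the plan on this host (needs root and network access to FreeIPA)."""
    plan = enrollment_plan(hostname, realm, domain, server, otp, enrolled=is_enrolled())
    for cmd in plan:
        subprocess.run(cmd, check=True)
    return plan


if __name__ == "__main__":
    # Dry run with constructed values: print the plan instead of executing it.
    for cmd in enrollment_plan("overcloud-controller-0.example.com", "EXAMPLE.COM",
                               "example.com", server="ipa.example.com", otp="s3cret"):
        print(" ".join(cmd))
```

The OTP is passed on the command line here for clarity; on a real node it ends up in the process list, so a deployment script should prefer a form of delivery that does not expose it (the real template injects it through Heat, not argv).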
When updating a certificate for HAProxy, we only do a reload of the
configuration on non-HA setups. This means that if we try the same in
an HA setup, the cloud will still serve the old certificate and that
leads to several issues, such as serving a revoked or even a
compromised certificate for some time, or just SSL issues that the
certificate doesn't match. This enables a reload for HA cases too.
Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a
Closes-Bug: #1629886
This issue was spotted during major upgrade where we had calls like
this:
servers: {get_param: servers, Controller}
These get_param calls are hanging indefinitely and make the whole
upgrade end in a timeout. We need to put brackets around the get_param
function when there are multiple arguments:
http://docs.openstack.org/developer/heat/template_guide/hot_spec.html#get-param
This is already done in most of the tree, and the few places where this
was not happening were parts not under CI. After this change the
following grep returns only one false positive:
grep -ir get_param: |grep -v -- '\[' |grep ','
Change-Id: I65b23bb44f37b93e017dd15a5212939ffac76614
Closes-Bug: #1626628
This adjusts the interface to OS::TripleO::AllNodesExtraConfig so
it supports custom/composable/optional roles.
Note this does break backwards compatibility, and I can't see any way
to avoid that. I've converted the in-tree templates, and we'll have
to document carefully and/or provide a script (or automated conversion
via mistral perhaps?) to allow folks to easily adjust any out of tree
templates to the new format.
Basically you just have to:
1. Remove all the *_servers parameters, replace with one "servers"
json parameter
2. Replace references to e.g. "controller_servers" with "servers, Controller"
which does a path-based lookup into the json map provided by overcloud.yaml
Change-Id: I5eebf853646b2f6300d6b542fcd4f43e82d3b413
Partially-Implements: blueprint custom-roles
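An added example (not the project's yaml-validate.py) covering three of the commits above: the `name` property check on SoftwareDeployment resources, the unbracketed multi-argument `get_param` problem, and the path-based lookup that `servers, Controller` performs against the json map from overcloud.yaml. The templates are embedded as already-parsed dicts, which is what a YAML loader returns for the corresponding text, so the example runs without PyYAML; note that `{get_param: servers, Controller}` loads as a mapping with two keys, `{'get_param': 'servers', 'Controller': None}`, which is why the linter looks for a `get_param` key with siblings. The set of deployment resource types checked is an assumption, as is the template fragment itself.

```python
SOFTWARE_DEPLOYMENT_TYPES = {   # assumed set of types that must carry a name property
    "OS::Heat::SoftwareDeployment",
    "OS::Heat::SoftwareDeploymentGroup",
    "OS::Heat::StructuredDeployment",
    "OS::Heat::StructuredDeploymentGroup",
}


def walk(node, path=()):
    """Yield (path, mapping) for every mapping nested anywhere in a parsed template."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (index,))


def check_get_param(template):
    """Flag get_param calls whose extra arguments were not put in brackets.

    `{get_param: [servers, Controller]}` parses as one key whose value is a
    list; `{get_param: servers, Controller}` parses as a mapping with a stray
    second key, which is the form the linter reports.
    """
    errors = []
    for path, mapping in walk(template):
        if "get_param" in mapping and len(mapping) > 1:
            extra = [k for k in mapping if k != "get_param"]
            errors.append(f"{'/'.join(map(str, path))}: get_param with unbracketed arguments {extra}")
    return errors


def check_deployment_names(template):
    """Every SoftwareDeployment-style resource must set the name property."""
    errors = []
    for res_name, res in template.get("resources", {}).items():
        rtype = res.get("type", "")
        if rtype in SOFTWARE_DEPLOYMENT_TYPES and "name" not in res.get("properties", {}):
            errors.append(f"resources/{res_name}: {rtype} is missing the name property")
    return errors


def validate(template):
    return check_get_param(template) + check_deployment_names(template)


def resolve_get_param(params, spec):
    """Resolve a get_param spec against parameter values.

    A string spec returns the parameter; a list spec does the path-based lookup,
    so ["servers", "Controller"] returns the Controller entry of the servers map.
    """
    if isinstance(spec, str):
        return params[spec]
    value = params[spec[0]]
    for key in spec[1:]:
        value = value[key]
    return value


# Constructed template fragments (not taken from the tripleo-heat-templates tree).
BROKEN_TEMPLATE = {
    "heat_template_version": "ocata",
    "parameters": {"servers": {"type": "json"}},
    "resources": {
        "ControllerDeployment": {
            "type": "OS::Heat::SoftwareDeploymentGroup",
            "properties": {
                # what `servers: {get_param: servers, Controller}` loads as
                "servers": {"get_param": "servers", "Controller": None},
                "config": {"get_resource": "ControllerConfig"},
            },
        },
    },
}

FIXED_TEMPLATE = {
    "heat_template_version": "ocata",
    "parameters": {"servers": {"type": "json"}},
    "resources": {
        "ControllerDeployment": {
            "type": "OS::Heat::SoftwareDeploymentGroup",
            "properties": {
                "name": "ControllerDeployment",
                "servers": {"get_param": ["servers", "Controller"]},
                "config": {"get_resource": "ControllerConfig"},
            },
        },
    },
}

if __name__ == "__main__":
    for label, template in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, validate(template) or "ok")
```

The walker is deliberately generic: `get_param` can appear at any depth (inside `str_replace` params, `list_join`, nested maps), so a check limited to top-level resource properties would miss the cases that were outside CI.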
This is setting sane defaults for vnc_api_lib.ini as requested from the
field. The settings still can be overridden using NovaComputeExtraConfig
if needed.
Change-Id: I6a823c0b34f6ea21aa16939577ac0e1563483557
Closes-Bug: #1620647
Creates pool in Ceph for Cinder backups and
adds proper access permissions.
To be used with https://review.openstack.org/#/c/311218
Change-Id: Ibf84f78aff92dbd83c6e254ceb7a80e86c15036d
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.
The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the opencontrail settings get to live in the same file.
Partially-implements: blueprint composable-services-within-roles
Change-Id: I0edbd86a8c981bd6e8a547cd2a6ebed18ecdbb31
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.
The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the nuage settings get to live in the same file.
Partially-implements: blueprint composable-services-within-roles
Change-Id: I15fe14e9d6881bc408eb6bb10d9293bd914ef858
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.
The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the plumgrid settings get to live in the same file.
Partially-implements: blueprint composable-services-within-roles
Change-Id: I1c5827e3650a29f7a0258531f84ae0f50f22343d
Uses a shared cinder-base resource to do the database
and messaging configuration for all three services.
Depends-On: I3c6d5226eed5f0f852b0ad9476c7cd9a959fda69
Change-Id: I47c5fd190efca5f02e73fd22aba6cda573daf5cc