478 Commits

Author SHA1 Message Date
Takashi Kajinami
b7ee703964 Use short parameter names for nova::network::neutron
Depends-on: https://review.opendev.org/#/c/709371
Change-Id: If8a3d0a6db1b2950191ab62bdcfd7d2f12935de1
2020-02-24 21:47:35 +09:00
Piotr Kopec
e4afb3e903 Add NovaMaxDiskDevicesToAttach parameter
This change exposes the `[compute]/max_disk_devices_to_attach`
in Nova config. The parameter sets maximum number of disk devices
allowed to attach to a single server.

Depends-On: https://review.opendev.org/708666
Change-Id: I08c5769bfe5f38d2503ed232b3771f615c24d158
2020-02-19 16:22:57 +01:00
Alan Bishop
cda3c9b340 Override nova's glance endpoint only when necessary
nova::glance_api_servers is deprecated because the corresponding nova
parameter is deprecated. There is a new nova::glance_endpoint_override,
but it should be set only in situations where the intent is to *not*
use ksa to discover glance's endpoint. For example, in a DCN/Edge
deployment, we override the endpoint to force nova to use the glance
service running at the edge site.

Change-Id: I42af3e39da76ae94ca7bbf2797f776c28a75f7e7
Depends-On: Ib7fac4f37ef02d8f577abc98e4cc78b750caba54
2020-02-18 10:52:20 -08:00
Martin Schuppert
cfb00c9cfe Add dependency for enable KSM for RHEL/CentOS8
With the OS change to version 8, the qemu-kvm-common package
name changed to just qemu-kvm-common instead of qemu-kvm-common-ev
or qemu-kvm-common-rhev. This adds a condition for the major
OS version.

Change-Id: Idd69c687232a10fcb6db79a8b835a1576b7558dd
Closes-Bug: #1862921
2020-02-12 11:15:10 +01:00
Zuul
b130f78076 Merge "Replace svirt_sandbox_file_t by container_file_t" 2020-02-10 13:58:31 +00:00
Zuul
efd47eaec2 Merge "Replace '' by [] when a bind mount isn't needed" 2020-02-08 05:19:17 +00:00
Zuul
c48ccacf74 Merge "Remove deprecated authtoken::auth_uri" 2020-02-07 17:43:51 +00:00
Cédric Jeanneret
0875895553 Replace svirt_sandbox_file_t by container_file_t
While they are, at SELinux level, exactly the same (one is an alias to
the other), the "container_file_t" name is easier to understand (and
shorter to write).

A second pass in a couple of days or weeks will be needed in order to
change files that were merged after this first pass.

Change-Id: Ib4b3e65dbaeb5894403301251866b9817240a9d5
2020-02-07 13:33:20 +01:00
Emilien Macchi
98118b6294 Replace '' by [] when a bind mount isn't needed
To avoid empty volumes like:

{
  (...)
  "volumes": [
    "/etc/puppet:/etc/puppet:ro",
    (...)
    "",
    ""
  ],
}

Replace '' by [], so heat won't create an item in the list.
It helps to have idempotent containers, since podman_container module
will compare the list of volumes that is given in parameters (containing
the empty entries) vs the list of volumes actually in podman inspect.
Replacing to [] clears out empty volumes and makes these containers
idempotent when podman_container module is used to deploy containers.

Change-Id: I228b01009e7d9980bee5480778dbc88b9e226297
2020-02-07 14:34:53 +05:30
Zuul
a3916383d3 Merge "Update ffwd-upgrade branch names" 2020-02-01 21:51:45 +00:00
Zuul
ded79acb93 Merge "Create qemu user/group on controller" 2020-01-30 02:55:14 +00:00
Zuul
a5f1d5c6e2 Merge "Add DeployIdentifier to extra config containers" 2020-01-29 14:44:14 +00:00
Jesse Pretorius (odyssey4me)
2092b1303f Update ffwd-upgrade branch names
The next iteration of fast-forward-upgrade will be
from queens through to train, so we update the names
accordingly.

Change-Id: Ia6d73c33774218b70c1ed7fa9eaad882fde2eefe
2020-01-27 19:42:40 +00:00
Rajesh Tailor
b8c6154e7a Create qemu user/group on controller
Deployment is failing with error [1] because the owner/group
of the TLS generated certificate and key were set to 'qemu'.
This user and group exist on compute nodes, but not on controller.
[1] Error: Could not find group qemu"

This patch adds 'qemu' user/group on controller node to
resolve the issue as this user is required to retrieve the cert,
used by the VNC proxy, the same way as on the compute nodes.

Change-Id: I3aa774c06d91a3b67726fad0d0ca409cda5b78b9
Closes-Bug: #1860971
2020-01-27 16:19:23 +01:00
Takashi Kajinami
8cc62c5f14 Remove deprecated authtoken::auth_uri
auth_uri parameter in authtoken was already removed from puppet modules[1],
so remove it from hieradata.

Also, some service templates missed www_authenticate_uri, which was
introduced as a replacement of auth_uri, so add it to make sure that
we have a correct parameter configured.

[1] I12b4049e4942911c8d1d8027c579eb4c0d1a53eb

Change-Id: I1e8378f58662377344194916e8bc336df02d0591
2020-01-26 09:26:50 +09:00
Zuul
f739c2134c Merge "Set region in authtoken middleware settings" 2020-01-25 15:45:00 +00:00
Zuul
98f834c923 Merge "Drop NovaEnableNumaLiveMigration" 2020-01-25 06:26:48 +00:00
Zuul
e199aecd00 Merge "Check to make sure compute service is deployed before scale down" 2020-01-25 05:12:54 +00:00
Zuul
d2cd8acf31 Merge "Update all roles to use the new role name" 2020-01-24 07:12:44 +00:00
Sai Sindhur Malleni
119769384f Check to make sure compute service is deployed before scale down
Currently during a node scale down using openstack overcloud
node delete, we assume that nova-compute is enabled on the
node and is working as expected. However, the node scale down
fails in cases where the node being scaled is not correctly
behaving as a compute node (nova containers not running/reporting
to the overcloud). This patch includes a check to only disable
and stop nova services if they are running. We ran into this
scenario when we wanted to scale down a node that did not cleanly
deploy as a compute node due to failure in step 5 in a large scale
environment.

Change-Id: Ic8225af65c409b6a32d4bb2def370c7c802147fa
Co-Authored-By: Luke Short <ekultails@gmail.com>
Closes-Bug: #1860694
Signed-off-by: Sai Sindhur Malleni <smalleni@redhat.com>
2020-01-23 13:14:34 -05:00
Brent Eagles
714e1b5d31 Add DeployIdentifier to extra config containers
Certain config containers might need to be replaced and re-run
regardless of whether configuration changes on update and upgrade.
Adding the DeployIdentifier to the env will ensure that they are.

Change-Id: I150212ebac3fed471ffb4e7ed7b6eb6c7af3fad9
Closes-Bug: #1860571
2020-01-22 15:16:12 -03:30
Zuul
62646b0485 Merge "Improve documentation for 'NovaComputeCpuSharedSet' parameter" 2020-01-21 23:21:00 +00:00
Takashi Kajinami
bc27951ff2 Drop NovaEnableNumaLiveMigration
In nova, enable_numa_live_migration was deprecated in train release,
so remove the corresponding parameter, NovaEnableNUMALiveMigration,
in templates.

Change-Id: I9616b290bf4ee6fefee66efb6924a3fd6699ccae
2020-01-21 22:06:58 +00:00
Kevin Carter
9a2a36437d Update all roles to use the new role name
Ansible has decided that roles with hyphens in them are no longer supported
by not including support for them in collections. This change renames all
the roles we use to the new role name.

Depends-On: Ie899714aca49781ccd240bb259901d76f177d2ae
Change-Id: I4d41b2678a0f340792dd5c601342541ade771c26
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2020-01-20 10:32:23 -06:00
Takashi Kajinami
26305fae91 Set region in authtoken middleware settings
While we can specify keystone region where all keystone resources
are created, currently we don't set the specified region correctly
in credential configurations used for authtoken middleware.

Configure region parameter for authtoken according to the parameter
KeystoneRegion so that we're consistent about the region where
we expect to have service users created.

Change-Id: Icc0ee9a859c2c67cae92339c6b4102946150269f
2020-01-18 21:59:49 +09:00
Stephen Finucane
522f3d74ad Improve documentation for 'NovaComputeCpuSharedSet' parameter
This one's a little tricky, so improve the documentation around it to
help avoid later confusion.

Change-Id: Idfa9887cb2a3b5f3d5a594f0e7c69c79c817c950
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2020-01-16 17:12:56 +00:00
Martin Schuppert
ee778fc245 Don't disable compute cell in scale down tasks for additional cells
When we scale down a compute in an additional cell, disabling the compute
service fails in scale down tasks as the workflow of scale down a compute
from an additional cell is [1]:

- migrate off instances from the compute or delete them
- remove the compute from the cell (nova-manage command)
- scale down the cell stack

Until we have fully automated scale down of a compute from an additional
cell, don't run disable of compute service as we have already removed it from
cell in pre steps.

[1] https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/deploy_cellv2_manage_cell.html#delete-a-compute-from-a-cell

Change-Id: Ie699d7d3367652f4a4dfcb5bf7e52b81c4325aae
Closes-Bug: #1859825
2020-01-15 16:57:19 +01:00
Zuul
176e6cb6cf Merge "Add novajoin to EndpointMap" 2020-01-15 04:28:50 +00:00
Zuul
714ee1adc4 Merge "nova: Always provide LIBGUESTFS_BACKEND=libvirt:qemu:///system" 2020-01-15 04:28:43 +00:00
Emilien Macchi
18e51ca533 Add novajoin to EndpointMap
Previously, novajoin was relying on hiera data to populate endpoints in
keystone, but that recently changed for the rest of the OpenStack
services. This commit updates novajoin to use the same approach with
EndpointMap. Otherwise, deploying the undercloud fails with an error
message similar to the following:

  Cannot create an endpoint with an invalid URL: http://%{hiera('ctlplane')}:9090/v1/.

Change-Id: I0e177a5e21ed9fb5eacba7a766c153ba99af34ae
2020-01-14 08:26:19 -05:00
Emilien Macchi
5bfbcd32e0 depends_on: add .service to avoid errors in logs
Make sure we depend on a systemd service by having the .service in the
service name that we depend on.

Otherwise it leads to errors in /var/log/messages:
  Failed to add dependency on openvswitch, ignoring: Invalid argument

Change-Id: I35230c6dfd8bc7ea2c45f7d2e1e5b5f4316a9375
2020-01-13 22:49:25 -05:00
Lee Yarwood
948fc6bcbf nova: Always provide LIBGUESTFS_BACKEND=libvirt:qemu:///system
Previously nova-compute would launch libguestfs using the default
``qemu:///session`` backend that would attempt and fail to launch an
instance of libvirtd locally within the container. This change forces
libguestfs to use the same ``qemu://system`` as nova-compute itself uses
when launching instances on the host.

Change-Id: Ib55936ea562dfa965be0764647e2b8e3fa309fd6
2020-01-13 15:01:43 +00:00
Emilien Macchi
f9dc0dbee3 nova-compute: add tripleo-container-shutdown service dep
Like we did for paunch-container-shutdown.service, we need to have the
dependency on the new service tripleo-container-shutdown.service managed
by TripleO Ansible which will replace Paunch by default soon.

Change-Id: Idd005b3b8a4fc2a8438798a5c376f6d9dd64ce5f
2020-01-10 09:07:13 -05:00
Zuul
9b9ced71be Merge "Manage all Keystone resources with Ansible" 2020-01-09 04:40:33 +00:00
Zuul
b3f7907e8c Merge "Remove libvirt packaged dependencies" 2020-01-07 16:56:50 +00:00
Emilien Macchi
7f40baabcd Manage all Keystone resources with Ansible
Depends-On: I557d8f33c9c699aed14b3b6fc1d1c0407365cd08
Depends-On: Ia68f8852662fb4abbd194954a246afb740bf3f71

Change-Id: I96a3351fca26cd8bb122a86cb4c3a58d5f88573e
2020-01-06 22:33:05 +00:00
Zuul
d67f1ef67f Merge "Provide option to set reserved_huge_pages" 2019-12-19 22:19:40 +00:00
yogananth subramanian
6099999336 Provide option to set reserved_huge_pages
Provide option to set reserved_huge_pages in puppet-nova.
Ex. NovaReservedHugePages: ["node:0,size:2048,count:64","node:1,size:1GB,count:1"]
will reserve on NUMA node 0 64 pages of 2MiB and on NUMA node 1 1 page of 1GiB

When NovaReservedHugePages is set, "reserved_huge_pages" is set to the value of
NovaReservedHugePages. If NovaReservedHugePages is unset and OvsDpdkSocketMemory is
set, reserved_huge_pages value is calculated from KernelArgs and OvsDpdkSocketMemory.
KernelArgs helps determine the default huge page size used, the default is set to
2048kb and OvsDpdkSocketMemory helps determine the number of hugepages to reserve.
When both NovaReservedHugePages and OvsDpdkSocketMemory are unset, then
NovaReservedHugePages is set to default value [].

Change-Id: I8c7a8cb6ebf46130f5d102d281f9b736029b5390
Closes-Bug: #1852385
2019-12-18 05:31:20 +00:00
Lee Yarwood
9c5c36632d Mount /boot from the host within the nova-compute container
libguestfs expects to find /boot/vmlinuz-* for the running version of
the kernel. This check is duplicated in nova-compute when libguestfs has
failed to launch, providing a useful bread crumb for operators [1].

Obviously when this is called from within the nova-compute container in
the context of a TripleO deployment this can easily fail after a minor
update that has pulled in a newer container containing a newer kernel.
This check could also fail in the opposite case if the host kernel is
updated past the version present in the container.

This change works around this by simply passing /boot as read-only
through to the nova-compute container to ensure libguestfs is able to
always find the correct version of vmlinuz.

This should also allow us to eventually drop the kernel RPM from the
nova-compute container that has been a constant source of maintenance
overhead in terms of CVEs etc.

[1] aa096fd183/nova/virt/disk/vfs/guestfs.py (L75-L97)

Change-Id: Iadef8f3300bb1b5b995052c1a35a1becbfd5730c
2019-12-13 16:13:32 +00:00
Emilien Macchi
fe6b235e5f scale: fixes for compute scale down
- Force fact gathering so that we're ensured to have the proper FQDN
- Update start sequence so that our scale down process is not starting
  from irrelevant steps
- correct list evaluation. The compute service argument should have one
  item in the list. Prior to this change it was expecting zero items,
  which was causing the removal tasks to skip.

Co-Authored-By: "Cedric Jeanneret (Tengu) <cjeanner@redhat.com>"
Co-Authored-By: "Emilien Macchi <emilien@redhat.com>"
Co-Authored-By: "Kevin Carter (cloudnull) <kecarter@redhat.com>"

Change-Id: I7c1615685718924e872a2f9173b15c63bba8c482
Closes-Bug: #1856062
2019-12-12 13:54:31 +00:00
Zuul
8349fa92de Merge "New Parameter NovaCronArchiveDeleteAllCells and NovaCronArchiveDeleteRowsAge" 2019-12-10 22:32:33 +00:00
Martin Schuppert
f4a4b236cf New Parameter NovaCronArchiveDeleteAllCells and NovaCronArchiveDeleteRowsAge
Introduces two new parameters to configure the archive deleted
instances cron job.
1) NovaCronArchiveDeleteAllCells
To make sure deleted instances get archived also from the cell0
in a single cell deployment and also in additional cell databases
in case of a multi cell deployment.

2) NovaCronArchiveDeleteRowsAge
--before is required to prevent the orphaning of libvirt guests
if/when nova-compute is down when a db archive cron job fires.

This change also modifies
1) the default from 100 to 1000 for NovaCronArchiveDeleteRowsMaxRows
to match the default from the nova-manage command instead of the default
of 100 from the puppet-nova parameter.

2) changes the default for NovaCronPurgeShadowTablesAllCells from
false to true also the nova-manage db purge command needs to run
for all cells instead of only the default cell.

Depends-On: https://review.opendev.org/696900
Depends-On: https://review.opendev.org/697299

Change-Id: I91cb1e16f65b23117235d4eac76f03748b47e926
2019-12-10 11:21:09 +01:00
Zuul
18617b6bd1 Merge "Remove unnecessary slash volume maps" 2019-12-05 17:36:29 +00:00
Sagi Shnaidman
016f7c6002 Remove unnecessary slash volume maps
When podman parses such volume map it removes the slash
automatically and shows in inspection volumes w/o slash.
When comparing configurations it turns to be a difference and
it breaks idempotency of containers, causing them to be recreated.

Change-Id: Ifdebecc8c7975b6f5cfefb14b0133be247b7abf0
2019-12-04 20:32:14 +02:00
Martin Magr
cdda44028a Fix rsyslog issues
This patch is fixing following issues, which makes rsyslog service
to fail to start successfully:

- Changes LoggingSource configuration key 'path' to 'file' for various services
- Fixes LoggingSource configuration key 'startmsg.regex' for pacemaker
- Removes nonexistent log files from LoggingSource of keystone

Change-Id: I7fe6456a1d2a3ba4300a82c57b76774152422250
2019-12-03 18:53:31 +00:00
Zuul
d85e4ad372 Merge "Add healthcheck for nova-virtlogd container" 2019-12-03 15:07:31 +00:00
Piotr Kopec
42eb7c98b6 Remove libvirt packaged dependencies
Nova services are now running in the containers but we have still
a lot of libvirt packages installed on Overcloud systems.
To delete unnecessary packages on host systems I'm removing following
dependencies:
* modifying NovaLibvirtGuests service to run in containers and generate
  config files for libvirt-guests
* removing hard dependencies for libvirt-guests service to
  virt-guest-shutdown.target.
  packages.

Change-Id: I2d0557127f88a492b283897767e57ea126adfe83
Closes-Bug: 1842932
2019-11-25 09:17:41 +01:00
Kevin Carter
8adef8587b Update scale down to fix regression
This change updates our scale down process to ensure that we're
searching for and matching only the one host that is intended to
be removed during the task execution. The process will now use
the `ansible_fqdn` fact as the search criteria and ensure we're
only ever interacting with one known host.

* If the search criteria returns more than one value the task
  will fail indicating why it failed and return data on the
  failure.
* If the search criteria returns no values, it will be assumed
  that the compute service is already disabled and has been
  removed.

Resolves: rhbz#1495489
Closes-bug: 1853644
Change-Id: I2f684191b146e0f6a28b98d7c0080e6eab14f2d9
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-11-22 12:41:10 -06:00
Rajesh Tailor
730ae4a784 Add healthcheck for nova-virtlogd container
This change sets healthcheck command for nova-virtlogd container,
which is added in tripleo-common repo in change [1].

[1] I9c76855169448a125541c94d480a4afd49ff6d0e

Depends-On: https://review.opendev.org/#/c/693674/
Change-Id: I787edced7c14d04b2fe2342c4b3c830a329dbaf9
2019-11-21 12:29:05 +05:30
Kevin Carter
50367fbe35 Convert firewall rules to use TripleO-Ansible
This change converts our firewall deployment practice to use
the tripleo-ansible firewall role. This change creates a new
"firewall_rules" object which is queried using YAQL from the
"FirewallRules" resource.

A new parameter has been added allowing users to input
additional firewall rules as needed. The new parameter is
`ExtraFirewallRules` and will be merged on top of the YAQL
interface.

Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed
Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-11-18 15:40:22 -06:00