We currently install the openldap-clients package on overcloud
controller nodes. It was assumed that this package was needed for
IPA client enrollment, but the ipa-client package only uses the
openldap libraries that will already be pulled in as an indirect
dependency of ipa-client. The openldap-clients package contains
LDAP CLI utilities, which don't appear to be actually used.
Change-Id: I14c1d8204bd84ead0d6995b5aefd10d2bbc4227d
There seems to be a difference between how include_tasks and
import_tasks work.
`include_tasks` applies properties on the inclusion itself, and if we
want to apply something on the included tasks, we need to use `apply`
dict. We previously had to add `always` tag onto `include_tasks` to
make the inclusion happen when we ran upgrade with `--tags`.
`import_tasks`, on the other hand, is processed more like a block than
an individual task, and all its properties get applied on the tasks
inside. This meant that the `always` tag got applied on all tasks in
the upgrade playbook, instead of on the import itself, which broke use
of tags in `upgrade_tasks`. This is now fixed by removing the tags
from `import_tasks`. The import should happen always regardless of
whether there are any `tags` on the import.
Change-Id: I66a4ed99f9e0cc199899494813073b4a085d99e7
Closes-Bug: #1830892
It is likely that change I50a1289a864f804d02a2e2bc0ca8738a186beff0
broke upgrade CI, even though the job somehow passed on it. MariaDB
upgrade tasks now cannot remove the container image, because it's
being used by a running container. Let's keep all tasks for stopping
the Pacemaker cluster for now, both untagged ones and the ones tagged for
the system_upgrade_prepare step.
Change-Id: Ic45b74c83b99dc58cd6e0f0f45d421b88c7e97a1
Closes-Bug: #1831022
Handle service_net_map_replace in the jinja2 logic so that
service_net_map_replace works for both default networks and
custom networks.
Enables a user either to change 'name_lower' of a network
and override the ServiceNetMap accordingly, or to change
'name_lower' and use 'service_net_map_replace' so that the
default ServiceNetMap can be used.
Related-Bug: #1830852
Change-Id: Iae4341e9e7c888da4dd8d0dedd5ad28b7e0e6c40
The lowercase network names were hardcoded to 'external',
'internal_api' and 'storage_mgmt'. Use jinja to get the
network.name_lower value from network_data.yaml instead
so that users can customize the lowercase network name.
Closes-Bug: #1830852
Change-Id: Ie9bd482782ff770d90dfc38a585237812ed81c06
The main ceph-ansible playbook for containerized deployment is named
site-container.yml because it isn't only used for docker.
Currently the site-docker playbook is a symlink to site-container and
this symlink will probably be removed in the future.
Change-Id: Ie623e91517f2b310d58181233f06bc3e7c9e9c71
The default is changing in https://review.opendev.org/661413
and in TripleO we use 'service', and not 'services'. So we need to force
cinder::nova::project_name to be 'service'.
Change-Id: I688e6b32703e19df032c86c0f4d04b75a12bfd20
During the system_upgrade_prepare step in the upgrade
workflow, we need to stop all services before starting
the operating system upgrade; we're doing that by stopping
all docker containers at once after stopping the pcmkr
cluster in step 2.
Change-Id: I50a1289a864f804d02a2e2bc0ca8738a186beff0
With RHEL8, we apparently hit an issue where the "raw" table doesn't
exist. While this is worked around during the deploy, we need to ensure
this table does exist upon reboot.
This patch creates two systemd units in order to ensure this table is
present in both iptables and ip6tables. They are to be launched before
the ip(6)tables.service in order to allow the standard rules to be
loaded at boot time.
Those units will probably be removed once we have an updated iptables
package.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1673609
Change-Id: I5334ac3e8080700d77e7a1de3330fdad76bc633f
The octavia amphora flavor config was inadvertently removed during the
flattening stage. This adds it back.
Change-Id: Ic928d3562583291f4d640d6ccdc3d9d9b22a7866
Replace the dependency on network data values for wrapping
'ip_address_uri' in brackets. Instead of using the jinja2
variables network.ipv6 or ipv6_override to decide whether the
IP needs to be wrapped in brackets or not, the make_url
function in heat in combination with a str_replace is
used.
Related-Bug: #1830406
Change-Id: I2d8c405c1df30ac11cc2286398fe4749694da10e
Two options have proven useful for deployers.
--domain: To specify the IdM DNS domain in cases where the client is
not in the same DNS domain as the IdM server
--no-ntp: To ensure that the idm-client-install does not change the
NTP settings when they have already been set by puppet.
The patch adds both these options.
Change-Id: I88075174dfffe4117c8ccc31f28ed9f43bf8b4e7
a) The haproxy.stats stanza in haproxy config file has pretty much remained the same since newton:
    listen haproxy.stats
      bind 192.168.24.8:1993 transparent
      mode http
      stats enable
      stats uri /
      stats auth admin:tRJre6PnQuN4ZwqKYUygTJArB
b) what we do today with the haproxy stats makes little sense:
- we bind it to the VIP running on the control-plane network on all controller nodes
- de facto we only allow looking at the haproxy stats info via the web on the node holding the ctlplane VIP
- since haproxy does not share stats across nodes, we're effectively
limited at looking at the stats info on a single node.
Now imagine ctrl-0 holding the internal_api VIP and ctrl-1 holding the
ctlplane VIP. Basically now the only stats you will be able to see are
the ones relative to keystone_admin (which for other silly reasons has
been moved to ctlplane by default) and very little else.
Tested this and am able to bind the haproxy stat to another network
and to have it listen to the IP of the node on said network (in addition
to the ctrlplane vip which we do not remove as it might break stuff):
    listen haproxy.stats
      bind fd00:fd00:fd00:2000::16:1993 transparent
      bind 192.168.24.15:1993 transparent
      mode http
      stats enable
      stats uri /
      stats auth admin:password
Closes-Bug: #1830334
Depends-On: Iab5f11c3065ff34a3543621554e7f05161d069f2
Change-Id: If2ee15f1e0fcf6d077cba524fad75dec7e1144b6
The run-os-net-config.sh script checks to see if an IP address is
IPv4 or IPv6, and uses ping or ping6 accordingly. This change also
resolves hostnames and submits the resolved IP to the same test.
If the hostname only resolves to an IPv6 address, then ping6 will
be used.
Change-Id: I9f37992157935b37cc9beb8a2f3b9d749a62bd1b
Closes-bug: 1830274
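As an added example, not the run-os-net-config.sh script from this change: a small POSIX shell helper that classifies a target as an IPv4 literal, an IPv6 literal or a hostname, resolves hostnames with `getent ahosts` (assumed to be available on the host), and selects `ping` or `ping6` from the resolved address family, so a name that only resolves to IPv6 ends up with `ping6`. The function names and the regexes are this example's own, not the script's.

```shell
#!/bin/sh
# Added example: pick ping vs ping6 for an IP literal or a hostname.
# Not the tripleo run-os-net-config.sh code; helper names are assumptions.

# Return 0 if $1 is a dotted-quad IPv4 literal (no range check on octets).
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Return 0 if $1 looks like an IPv6 literal: hex digits and colons, at least
# one colon, optional dotted IPv4 tail (::ffff:1.2.3.4) and optional %zone.
is_ipv6() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f:]*:[0-9a-f:.]*(%[a-z0-9]+)?$'
}

# Resolve a hostname via NSS (/etc/hosts, DNS, ...) and print the first
# address getent returns; prints nothing if the name does not resolve.
resolve_host() {
  getent ahosts "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Print "ping" or "ping6" for the target. Literals are classified directly;
# hostnames are resolved first and the resolved address is classified, so a
# name with only an AAAA record yields ping6. Returns 1 if it cannot decide.
ping_cmd_for() {
  target=$1
  if is_ipv4 "$target"; then
    echo ping
    return 0
  fi
  if is_ipv6 "$target"; then
    echo ping6
    return 0
  fi
  addr=$(resolve_host "$target")
  if [ -z "$addr" ]; then
    echo "cannot resolve $target" >&2
    return 1
  fi
  if is_ipv4 "$addr"; then
    echo ping
  elif is_ipv6 "$addr"; then
    echo ping6
  else
    echo "unexpected address '$addr' for $target" >&2
    return 1
  fi
}

# Usage: sh pingsel.sh <ip-or-hostname>  -> prints the command it would run.
if [ -n "${1:-}" ]; then
  cmd=$(ping_cmd_for "$1") && echo "$cmd -c 1 $1"
fi
```

The classification is done on the resolved address rather than on the name, which is the point of the change: a hostname by itself says nothing about which ICMP echo binary will work. A bracketed literal such as `[fd00::1]` is deliberately not accepted; strip the brackets before calling.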
CephAnsibleEnvironmentVariables are also useful when running
the nodes-uuid playbook. Users may know ceph-ansible playbook
is run but may not know the nodes-uuid playbook is run too.
If additional Ansible environment variables are useful for
running ceph-ansible it is likely they will be needed for
the nodes-uuid playbook. The alternative is to create another
parameter like NodesUuidAnsibleEnvironmentVariables.
Change-Id: I10ddb4f79f5c8b69b09622b96e96325ba19d62e0
There are use cases when an operator wants to talk to the metadata API from
a config-drive script (e.g. using curl to get data from metadata). That
means it makes sense to have OVN Metadata Agent deployed while forcing
config-drive to be used.
This patch sets force_config_drive to true only when OVNMetadataEnable
is set to false. If it's set to true then it doesn't touch
force_config_drive option, leaving it up to environment to define it.
(The default for force_config_drive is false.)
Closes-Bug: #1830179
Change-Id: Ib956ff2f521b9853c58eaa5500836c692dd9321d
This breaks the rules for the haproxy stats access because it
shadows them. Let's remove these rules and move the iptables
rules for haproxy in puppet-tripleo where they should have
been in the first place, like for all other services.
Depends-On: I1325171ef60d7a7e3b57373082fcdb5487be939b
Change-Id: I2f177c930567b3a45f0d95cec4140f478f14a074
Closes-Bug: #1829338
ovn::controller::hostname defaults to ::fqdn; the
hostname can differ based on how nova configures it, as detected
when the dhcp_domain name is removed in [1].
So it's good to rely on the fqdn_canonical hiera key which
nova also relies on to set "host" in nova.conf.
Also use neutron_timeout instead of neutron_url_timeout,
which was deprecated long ago and is removed in [1].
[1] https://review.opendev.org/#/c/658400/
Related-Bug: #1829993
Change-Id: If52302b5a04b5e146ac53ccd3fc65a064b2df2fb