With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
the 2-argument variant of the ``if`` function, which would allow for
e.g. conditional definition of resource properties and help
clean up templates. If only two arguments are passed to the ``if``
function, the entire enclosing item is removed when the condition
is false.
Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
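The two-argument ``if`` semantics described in the message above, as an added example (not Heat's or tripleo-heat-templates' code): a small resolver over a constructed template fragment, where property names, mount paths and the ``internal_tls_enabled`` condition are illustrative assumptions.

```python
# Added example (not Heat's or tripleo-heat-templates' code): a resolver
# that mimics the semantics described above for the wallaby-era Heat ``if``
# function. Conditions are a plain dict name -> bool, standing in for the
# template's ``conditions`` section.
from typing import Any, Dict

_REMOVE = object()  # sentinel meaning "drop the enclosing map entry / list item"


def resolve_if(node: Any, conditions: Dict[str, bool]) -> Any:
    """Evaluate every {if: [...]} in a template fragment.
    {if: [cond, a, b]} yields a or b; {if: [cond, a]} yields a when the
    condition is true and removes the enclosing item when it is false."""
    if isinstance(node, dict) and set(node) == {"if"}:
        args = node["if"]
        if len(args) not in (2, 3):
            raise ValueError("if: expected 2 or 3 arguments, got %d" % len(args))
        cond = conditions[args[0]] if isinstance(args[0], str) else bool(args[0])
        if cond:
            return resolve_if(args[1], conditions)
        return resolve_if(args[2], conditions) if len(args) == 3 else _REMOVE
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            resolved = resolve_if(value, conditions)
            if resolved is not _REMOVE:  # two-argument if was false: drop the key
                out[key] = resolved
        return out
    if isinstance(node, list):
        items = [resolve_if(item, conditions) for item in node]
        return [item for item in items if item is not _REMOVE]
    return node


# Constructed fragment (property names and values are illustrative): the CA
# file property is only defined when internal TLS is enabled, with no need
# for a dummy "else" value.
FRAGMENT = {
    "properties": {
        "ovn_remote": {"if": ["internal_tls_enabled",
                              "ssl:192.0.2.10:6642", "tcp:192.0.2.10:6642"]},
        "ovn_ca_cert": {"if": ["internal_tls_enabled", "/etc/pki/ca-bundle.crt"]},
    },
    "extra_mounts": [
        {"if": ["internal_tls_enabled", "/etc/pki/tls:/etc/pki/tls:ro"]},
        "/var/log/containers/openvswitch:/var/log/openvswitch:z",
    ],
}


def render(internal_tls: bool) -> Dict[str, Any]:
    return resolve_if(FRAGMENT, {"internal_tls_enabled": internal_tls})
```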
We do not need to add an if: internal_tls_enabled in a number of
ansible tasks. enable_internal_tls is already defined as an ansible
fact in common/deploy-steps.j2:
enable_internal_tls: {get_param: EnableInternalTLS}
So when the service uses the enable_internal_tls condition and it points
to the EnableInternalTLS param, we can just use the ansible fact
directly. Note that if the enable_internal_tls condition points to
something other than the mere EnableInternalTLS, we may not do this
cleanup.
Change-Id: Idb07cbc8fc3a4d73ff52c54d869310fd6c49b502
The OVN controller needs openvswitch to be running properly. This
patch adds the required depends_on so paunch can add the dependency to
the systemd service file.
Closes-bug: #1921097
Change-Id: I2e54771f0a01d22ce95530bef146ea368189db24
When vlan_transparent is enabled in Neutron,
other_config:vlan-limit should be set to the value "0" in openvswitch on
all nodes.
Related-Bug: #1918418
Depends-On: https://review.opendev.org/c/openstack/puppet-vswitch/+/779796
Change-Id: Id6fc08bce5673a41fd9fa5cb27f41c9786f560da
This is using the linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.
Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.
Reduces a number of heat resources.
Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
Adding the ability to specify the private key size
used when creating the certificate. We have defined the
default value the same as we had before, 2048 bits.
Also, it will be possible to override the key_size value
per service.
Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
The service cleans up orphaned tap devices on node boot. This is good
for cases where the node was fenced or hard rebooted. There is a similar patch
for OVS deployments [1].
[1] 8126573718
Closes-bug: #1899799
Change-Id: Idec9e5ca0a8d3de7414938c7f280c06bcbd906c1
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
As Geneve UDP traffic is allowed, there's no reason to create
conntrack entries, as it may result in a performance hit.
This patch prevents Geneve traffic from being sent to conntrack.
Closes-Bug: #1885551
Change-Id: I1eb6c77ea3cbdfaaa2b2a3fec0e6b8d2a71aae95
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
Almost every single tripleo service creates a persistent directory. To
simplify the creation, a with_items structure was being used, in which
many times the mode option was being set. However, that mode option
was not taken into account at the time of creating the file. As a
consequence, the directory was being created with its parent directory's
rights, instead of the ones being passed in the template.
Change-Id: I215db2bb79029c19ab8c62a7ae8d93cec50fb8dc
Closes-Bug: #1871231
Current puppet modules use only absolute names to include classes,
so replace relative names with absolute names in template files so that
the template description can be consistent with the puppet implementation.
Change-Id: I7a704d113289d61ed05f7a31d65caf2908a7994a
While they are, at SELinux level, exactly the same (one is an alias to
the other), the "container_file_t" name is easier to understand (and
shorter to write).
A second pass in a couple of days or weeks will be needed in order to
change files that were merged after this first pass.
Change-Id: Ib4b3e65dbaeb5894403301251866b9817240a9d5
Certain config containers might need to be replaced and re-run
regardless of whether configuration changes on update and upgrade.
Adding the DeployIdentifier to the env will ensure that they are.
Change-Id: I150212ebac3fed471ffb4e7ed7b6eb6c7af3fad9
Closes-Bug: #1860571
This reverts commit af80a0d914.
Reason: the added SELinux rule actually allows openvswitch to write in
container_file_t - not the contrary. We therefore still need the ":z" flag.
A possible follow-up would be to drop the "shared" flag (useless) and
remove the duplicated mount.
Change-Id: Idc8813792b5c6d4d4226491f81de2965beeaadbe
Prior to this patch, ovsdb-servers are started directly. This doesn't
take care of any ovsdb schema updates. Instead, if we use the
start-nb/sb-db-server.sh (generated by kolla OVN images [1])
it takes care of creating the db file from the schema file if the db
file doesn't exist. It also takes care of updating the db file if schema was updated.
The start-nb/sb-db-server.sh uses the ovn-ctl script internally.
This patch also prepares the ground for using the latest OVN.
OVN is split from openvswitch and it has its own code repo. After
the split, OVN has its own run dir (/var/run/ovn), db dir (/etc/ovn/),
log dir (/var/logs/ovn) and datadir - /usr/share/ovn/scripts.
With this patch, it supports running the older version (2.11) or the new
version (2.12) without any issues. It mounts the host directories accordingly
so that there is no impact when OVN is updated and it is transparent.
Closes-bug: #1853272
Change-Id: I1fbfaf43af17b558497fd2b46fc4278b4703ec74
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
This change converts our firewall deployment practice to use
the tripleo-ansible firewall role. This change creates a new
"firewall_rules" object which is queried using YAQL from the
"FirewallRules" resource.
A new parameter has been added allowing users to input
additional firewall rules as needed. The new parameter is
`ExtraFirewallRules` and will be merged on top of the YAQL
interface.
Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed
Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
When upgrading from Rocky to Stein we also moved from using the docker
container engine to Podman. To ensure that every single docker container
was removed after the upgrade, a post_upgrade task was added which made
use of the tripleo-docker-rm role that removed the container. In this cycle,
from Stein to Train, both the Undercloud and Overcloud work with Podman, so
there is no need to remove any docker container anymore.
This patch removes all the tripleo-docker-rm post-upgrade tasks, and in those
services which only included a single task, the post-upgrade-tasks section
is also erased.
Change-Id: I5c9ab55ec6ff332056a426a76e150ea3c9063c6e
We switched to containers a long time ago. This patch drops the
management of a /var/log/<service> directory and the creation of a
readme indicating that we've moved to containers which makes the logging
available under /var/log/containers/<service>
Change-Id: Ia4e991d5d937031ac3312f639b726a944743dd1e
We should ensure that the service folders are 0750. We're setting
/var/log/containers but we should also ensure the service folders also
have the correct permissions.
Change-Id: I28e8017edc7e30a60288adf846da722fd6ab310e
Moving all the container environments from lists to dicts, so they can
be consumed later by the podman_container ansible module which uses
dict.
Using a dict is also easier to parse, since it doesn't involve "=" for
each item in the environment to export.
Change-Id: I894f339cdf03bc2a93c588f826f738b0b851a3ad
Depends-On: I98c75e03d78885173d829fa850f35c52c625e6bb
Add param OVNOpenflowProbeInterval to set ovn_openflow_probe_interval
Depends-On: https://review.opendev.org/#/c/683291/
Change-Id: I95e4c82f53d3cba49b660a9da0ad6e43b0839fb6
This patch introduces parameters which support using SSL to connect to
OVN_Northbound DB and OVN_Southbound DB.
Depends-On: https://review.opendev.org/#/c/683916/
Change-Id: Ib36a1b85ee33d1d06d14eaa323eba3e0f9b20f47
Signed-off-by: Kamil Sambor <ksambor@redhat.com>
We revert I0d9eb663405d1113ea84e3c12651a3f0dbdfc75d and we instead
export ovn_dbs_vip on all nodes so it can be used in cells. Reason for this
is that we want a separate VIP for OVN because a) composable roles and b)
we do not want to impose the extra promote master constraints on the internal_api
VIP which ends up being used by OVN.
In the same vein as I7ca94dff4acf0816708110b9fe6f78d19dcc7b4d
(Move redis_vip to all_nodes.j2) we will have the ovn_dbs_vip moved
to all nodes (via I1d80587752ffca6c3eb5281aa89ea3d7cf5535ce).
Depends-On: I1d80587752ffca6c3eb5281aa89ea3d7cf5535ce
Change-Id: I4e4bf0a91751fb4f9e4c7233242cdc5649c421f8
Related-Bug: #1841811
Openvswitch server is running on the host, and puts its logs in
/var/log/openvswitch, while its agents are in containers and put logs in
/var/log/containers/openvswitch.
This means the /var/log/openvswitch container doesn't need to get the
fancy "container_file_t" type, and can be set to the right one,
openvswitch_log_t.
This will prevent issues with different software, such as logrotate or
even openvswitch itself, on a SELinux enforcing system.
Change-Id: I4a786ecb60190759754d17f7b4e84d93f7ffb389
The tripleo-docker-rm role has been replaced by tripleo-container-rm [0].
This role will identify the docker engine via the container_cli variable
and perform a deletion of that container. However, these tasks inside the
post_upgrade_tasks section were thought to remove the old docker containers
after upgrading from rocky to stein, in which podman starts to be the
container engine by default.
For that reason, we need to ensure that the container engine in which the
containers are removed is docker, as otherwise we will be removing the
podman container and the deployment steps will fail.
Closes-Bug: #1836531
[0] - 2135446a35
Depends-On: https://review.opendev.org/#/c/671698/
Change-Id: Ib139a1d77f71fc32a49c9878d1b4a6d07564e9dc
This parameter sets the inactivity probe interval of the JSON
session from ovn-controller to the OVN SB database.
By default it is 5s, which may not be sufficient in
loaded systems or during high control-plane activity spikes,
leading to unnecessary reconnections to the OVSDB server.
Now it is extended by default to 1 min and it
is configurable.
Depends-On: https://review.opendev.org/#/c/670861/
Change-Id: Ie7cb761ad3b4a180990de2916d6210d15ec0bf50
Closes-Bug: #1836604
This converts all Docker*Image parameter variants into
Container*Image variants.
The commit was autogenerated with the following shell commands:
    for file in $(grep -lr Docker.*Image --include \*.yaml --exclude-dir releasenotes); do
        sed -e "s|Docker\([^ ]*Image\)|Container\1|g" -i $file
    done
Change-Id: Iab06efa5616975b99aa5772a65b415629f8d7882
Depends-On: I7d62a3424ccb7b01dc101329018ebda896ea8ff3
Depends-On: Ib1dc0c08ce7971a03639acc42b1e738d93a52f98
There are use cases when an operator wants to talk to the metadata API from
a config-drive script (e.g. using curl to get data from metadata). That
means it makes sense to have the OVN Metadata Agent deployed while forcing
config-drive to be used.
This patch sets force_config_drive to true only when OVNMetadataEnable
is set to false. If it's set to true then it doesn't touch
force_config_drive option, leaving it up to environment to define it.
(The default for force_config_drive is false.)
Closes-Bug: #1830179
Change-Id: Ib956ff2f521b9853c58eaa5500836c692dd9321d
ovn::controller::hostname defaults to ::fqdn, but the
hostname can differ based on how nova configures it, as detected
when the dhcp_domain name is removed in [1].
So it's good to rely on the fqdn_canonical hiera key which
nova also relies on to set "host" in nova.conf.
Also use neutron_timeout instead of neutron_url_timeout,
which was deprecated long ago and is removed in [1].
[1] https://review.opendev.org/#/c/658400/
Related-Bug: #1829993
Change-Id: If52302b5a04b5e146ac53ccd3fc65a064b2df2fb
The only OVN Tunnel Encap Type that we are supporting in OVN is Geneve,
and this is set by default in ovn puppet. So there is no need to set
it in TripleO.
Change-Id: Ide08d028d3311dfd08ee3872b32ebd1e1a36e17b
Closes-Bug: 1828186
This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the ovn services.
Related-Blueprint: services-yaml-flattening
Change-Id: I6261863c15f594fed8207ff258f1d9c809a9a864
We have non fatal errors in the upgrade
jobs execution if the logs folder is not
created when adding the readme.txt file
to clarify the possible locations of
the logs.
Closes-Bug: 1811708
Change-Id: Ibc0a266bdc6630eaf34bfadeff21f7bd72fa75ad
As healthchecks are using the "ss" command, we need to allow container_t
to access a tcp diagnostic socket, at least for the port healthchecks.
This follows change I9ebdf09c36fd2c69d05128b584593b41d9144e56, triggered
by the neutron healthchecks. A second pass was necessary in order to
further check the calls of ss.
Change-Id: I27e4c860948667abc2c21df5ec9e01627f58465a
Related-Bug: #1810512
We don't need upgrade_tasks that stop systemd services since all
services are now containerized.
However, we decided to keep the tasks that remove the rpms in case some
deployments didn't clean them up in previous releases; they can still
do it now.
Change-Id: I6abdc9e37966cd818306f7af473958fd4662ccb5
Related-Bug: #1806733
For all containers where restart=always is configured and that are not
managed by Pacemaker (this part will be handled later), we remove these
containers at step 1 of post_upgrade_tasks.
Change-Id: Id446dbf7b0a18bd1d4539856e6709d35c7cfa0f0
This allows deploying and using the services on a selinux-enforcing host
with proper selinux separation.
Change-Id: Icde6c61a0b26741946d079b2b00475de34722bea
This has been unused for a while, and even deprecation was scheduled
(although the patch never merged [1]). So, in order to stop folks
getting confused with this, it's being removed.
[1] https://review.openstack.org/#/c/543871/
Change-Id: Iada64874432146ef311682f26af5990469790ed2
This patch enables container health check execution for ovn_controller
and ovn_dbs_bundle containers.
Change-Id: Ie519e9684dc527cc384e11fb8f32b532dd2da1d7
Depends-On: Ie724b155fa071da9f1baee193cf79e2ecdc2ff30
This has been unused for a while, and even deprecation was scheduled
(although the patch never merged [1]). So, in order to stop folks
getting confused with this, it's being removed.
[1] https://review.openstack.org/#/c/543871/
Change-Id: Icc6b51044ccc826f5b629eb1abd3342813ed84c0
The depends on patch (in puppet-ovn) now makes use of "exec" to set
mac table size of provider bridges. We need "exec" puppet tag
to run that successfully.
Depends-On: I8f392c7807c4c6a152dfa4b77c7f4350b44324c0
Change-Id: Ie7f000c658cab31dd6f453e02b55ac244d0328e2
Closes-bug: #1779706
To avoid redefining the variable multiple times in each service, we
run the check only once and set a fact. To increase the readability of the
generated playbook, we add a block per step in services.
Change-Id: I2399a72709d240f84e3463c5c3b56942462d1e5c
The new master branch should now point to rocky.
So, HOT templates should specify that they might contain features
for the rocky release [1].
Also, this submission updates the yaml validation to use only the latest
heat_version alias. There are cases in which we will need to set
the version for specific templates, i.e. mixed versions, so a
variable is added to assign specific templates to specific heat_version
aliases, avoiding the introduction of errors by bulk replacing
the old version in new releases.
[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky
Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
Presently ovn-controller container is started with "-v /run/openvswitch:/run/openvswitch".
The openvswitch systemd script deletes the /run/openvswitch folder when stopping it in the host.
/run/openvswitch path inside the ovn-controller container becomes a stale directory.
And when the service is started again, it creates the folder again. In order for ovn-controller
to access it again, the folder has to be remounted or the ovn-controller container has to be
restarted.
As a temporary fix, this patch mounts /run so that when /run/openvswitch is created again, it will
get reflected inside the ovn-controller container. The proper fix has to come from the openvswitch
systemd script, to not delete /run/openvswitch when stopping the service. This is presently
discussed on the OVS mailing list [1], but no proper solution has been arrived at yet.
[1] - https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/345589.html
Closes-bug: #1764745
Change-Id: I032571cec49537cac972ebbbb44733ea17c299fa
ovn-cms-options config option is mistakenly added as ovn-cms-opts.
As a result ovn_cms_options is never set in SBDB and OVN
mechanism driver is unable to schedule router as expected.
Change-Id: Iaa89a1dbec732c3aa743fa3f5cf1f4931e2ab9ef
If we use variables defined in a later step in a conditional before
checking which step we are on, we will fail.
Resolves: rhbz#1535457
Closes-Bug: #1743764
Change-Id: Ic21f6eb5c4101f230fa894cd0829a11e2f0ef39b
This option was recently supported in ovn-controller [1]. If this value is configured
in the external_ids column of the OpenvSwitch table of the OVS database, ovn-controller copies
it to the chassis table, which will be read by the Neutron OVN mechanism driver. The OVN mech driver can
take certain decisions based on the value. One such use case is setting the value
'enable-chassis-as-gw' in this option. Only those chassis which have this option set
will be considered as candidates to schedule a neutron router. So, the administrator
can decide to use only controller nodes (or networker nodes) for scheduling the
router.
[1] - 4705963f2c
Change-Id: Iabe5aec30c740447b9714e1b1ace366768488bdb
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
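Two of the messages above (the SB inactivity probe interval change and the ovn-cms-options / ovn-cms-opts fix) both come down to per-chassis keys in the external_ids column of the Open_vSwitch table. As an added example, not code from tripleo-heat-templates or OVN, here is a parser for the map text that `ovs-vsctl get open . external_ids` prints, with checks for those two keys; the sample map is constructed, and the key names used (ovn-remote-probe-interval, ovn-cms-options) are the ones ovn-controller reads, which the messages do not spell out.

```python
# Added example (not code from tripleo-heat-templates or OVN): parse the map
# text that ``ovs-vsctl get open . external_ids`` prints and check the two
# per-chassis ovn-controller settings discussed above.  The sample map is
# constructed; key names are the ovn-controller external_ids keys.
import re
from typing import Dict, List

# One "key=value" item; values are quoted when they contain characters
# outside OVSDB's bare-atom syntax (e.g. commas, colons in "tcp:host:port").
_ITEM = re.compile(r'\s*([\w.:-]+)=(?:"((?:[^"\\]|\\.)*)"|([^,}]*))\s*(?:,|$)')


def parse_external_ids(text: str) -> Dict[str, str]:
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("expected a {...} map, got %r" % text[:20])
    body, ids, pos = text[1:-1].strip(), {}, 0
    while pos < len(body):
        m = _ITEM.match(body, pos)
        if not m:
            raise ValueError("cannot parse external_ids near %r" % body[pos:pos + 20])
        key, quoted, bare = m.groups()
        ids[key] = quoted.replace('\\"', '"') if quoted is not None else bare.strip()
        pos = m.end()
    return ids


def cms_options(ids: Dict[str, str]) -> List[str]:
    """ovn-cms-options is a comma separated list; a value stored under a
    misspelled key such as ovn-cms-opts is silently ignored by ovn-controller."""
    raw = ids.get("ovn-cms-options", "")
    return [opt.strip() for opt in raw.split(",") if opt.strip()]


def is_gateway_candidate(ids: Dict[str, str]) -> bool:
    """Neutron's OVN driver only schedules routers on chassis with this flag."""
    return "enable-chassis-as-gw" in cms_options(ids)


def probe_interval_ms(ids: Dict[str, str]) -> int:
    """Inactivity probe toward the SB DB, in milliseconds (ovn-controller's
    own default is 5000, i.e. the 5s mentioned above; 0 disables the probe)."""
    return int(ids.get("ovn-remote-probe-interval", "5000"))


# Constructed sample, in the format ovs-vsctl prints.
SAMPLE = ('{hostname=compute-0.localdomain, ovn-cms-options="enable-chassis-as-gw,'
          'availability-zones=az-1", ovn-encap-type=geneve, '
          'ovn-remote="tcp:192.0.2.10:6642", ovn-remote-probe-interval="60000"}')
```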