Commit Graph

60 Commits

Author SHA1 Message Date
Sagi Shnaidman
e40a346d70 Use collection FQCN for podman modules
Replace modules for containers.podman and openstack.cloud
Change-Id: Ia7478fc82ce532bf60a07cba395c5652a6200a8d
2021-05-26 17:50:08 +03:00
Zuul
f7c88f625a Merge "Cleanup optional flag for conf.modules.d" 2021-05-22 15:52:58 +00:00
Zuul
ff5c2c91d3 Merge "Use server side env merging for ServiceNetMap/VipSubnetMap" 2021-05-21 05:48:23 +00:00
Alex Schultz
2aa1f6364b Cleanup optional flag for conf.modules.d
This was for a bug that has since been cleaned up via a promotion.

Change-Id: I1332dd82c60113cfa2e19878da66eb4170fbb4f7
Related-Bug: #1884115
2021-05-20 13:38:47 +00:00
ramishra
b253d564f7 Use server side env merging for ServiceNetMap/VipSubnetMap
This simplifies the ServiceNetMap/VipSubnetMap interfaces
to use parameter merge strategy and removes the *Defaults
interfaces.

Change-Id: Ic73628a596e9051b5c02435b712643f9ef7425e3
2021-05-19 10:16:58 +05:30
ramishra
0a4904aff9 Simplify nova service templates
Simplifies conditions and verbosity.

Change-Id: If38a9ebc91741ca7201d053195033413a13480b5
2021-05-18 07:56:06 +05:30
ramishra
c9991c2e31 Use 'wallaby' heat_template_version
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
the 2-argument variant of the ``if`` function that would allow for
e.g. conditional definition of resource properties and help
cleanup templates. If only two arguments are passed to the ``if``
function, the entire enclosing item is removed when the condition
is false.

Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
2021-03-31 17:35:12 +05:30
Grzegorz Grasza
e329ca915e Generate certificates using ansible role
This is using linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.

Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
2021-03-10 16:28:22 +01:00
ramishra
7f195ff9a8 Remove DefaultPasswords interface
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.

Reduces a number of heat resources.

Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
2021-02-12 11:38:44 +05:30
Zuul
2b60807c01 Merge "Make sure apache metadata is set for nova-metadata service" 2020-11-22 15:54:43 +00:00
Martin Schuppert
89d605103c Make sure apache metadata is set for nova-metadata service
In case of cellv2 multicell environment nova-metadata is the only
httpd managed service on the cell controller role. In case of
tls-everywhere it is required that the cell controller host has
the needed metadata to be able to request the HTTP certificates.
Otherwise the getcert request fails with "Insufficient 'add' privilege
to add the entry 'krbprincipalname=HTTP/cell1-cellcontrol-0....'"

Change-Id: I57a49d1b7fc4c03b773f3a52b327584f537aca19
2020-11-18 14:38:04 +01:00
Oliver Walsh
9d82364de8 Refactor nova db config
It is best to avoid placing db creds on the compute nodes to limit the
exposure if an attacker succeeds in gaining access to the hypervisor
host.

Related patches in puppet-nova remove the credentials from nova.conf
however the current scope of db credential hieradata is all nova tripleo
services - so it will be written to the hieradata keys on compute
nodes.

This patch refactors the nova hieradata structure, splitting the
nova-api/nova database hieradata out into individual templates and
selectively including only where necessary, ensuring we have no db
creds on a compute node (unless it is an all-in-one api+compute node).

Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c
Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a
Closes-bug: #1871482
2020-11-18 12:22:48 +00:00
Takashi Kajinami
37548ddb40 Enforce internal api for token verification
This change enforces the usage of internal api for token verification,
so that internal requests to keystone use the internal endpoint instead
of admin endpoint which is deployed on provisioning network by default.

Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
2020-10-11 15:46:08 +09:00
Emilien Macchi
1a48fa61f4 Sync httpd conf.modules.d configs
For containers which run httpd, make sure conf.modules.d is also synced
into the container; so apache doesn't fail with:
AH00534: httpd: Configuration error: More than one MPM loaded.

This is now required since:
6425cc46a8

Change-Id: Ib315d10dbdbbad1628f536a74cd1fca371f018f5
Closes-Bug: #1884115
2020-06-24 03:32:02 +00:00
Emilien Macchi
21d1f773c7 healthchecks: check if fact is defined before checking its value
When checking if keystone/nova healthchecks are healthy, make sure the
registered fact is set (which can slip to a further retry if podman
inspect took too much time to execute).

That way, we process the retries without an error like found in the bug
report.

Change-Id: I9f5063c9c3b598afd5bd01447f00a1146a20f4c3
Closes-Bug: #1878063
2020-05-11 13:39:06 -04:00
Zuul
3304e50c45 Merge "Remove deprecated nova::metadata::enable_proxy_headers_parsing" 2020-04-29 10:10:35 +00:00
Emilien Macchi
4ba1c013a7 Re-validate healthcheck work on nova/keystone containers
They were disabled until the native podman healthcheck was integrated in
tripleo-ansible and it finally merged; so we can remove that safeguard
and it should be working.

Change-Id: I03361c33e54f0c8e71b420b144464ccb29a1ca4e
2020-04-27 21:40:42 -04:00
Takashi Kajinami
1816a5cc57 Remove deprecated nova::metadata::enable_proxy_headers_parsing
The nova::metadata::enable_proxy_headers_parsing parameter was
deprecated in puppet-nova[1], and is useless now because we set
nova::api::enable_proxy_headers_parsing already.

[1] 7c1717af69d2659703833e9fefe9af86664d2e29

Change-Id: I6f51af926ae1f20a5362e4cf5121ee9e1b88693c
2020-04-25 23:02:53 +09:00
Emilien Macchi
6464efdc4e Migrate inflight validations to native podman healthchecks
The systemd healthchecks are moving away, so we can use the native
podman healthchecks interface.

See I37508cd8243999389f9e17d5ea354529bb042279 for the whole context.

This patch does the following:

- Migrate the healthcheck checks to use podman inspect instead of
  systemd service status.
- Force the tasks to not run, because we first need
  https://review.opendev.org/#/c/720061 to merge

Once https://review.opendev.org/#/c/720061 is merged, we'll remove the
condition workaround and also migrate to unify the way containers are
checked; and use the role in tripleo-validations.

Depends-On: https://review.opendev.org/720283
Change-Id: I7172d81d305ac8939bee5e7f64960b0a9fea8627
2020-04-15 20:23:58 +00:00
Emilien Macchi
38bad5283f Remove all ignore_errors to avoid confusion when debugging
- deploy-steps-tasks-step-1.yaml: Do not ignore errors when dealing
  with check-mode directories. The file module is resilient enough to
  not fail if the path is already absent.

- deploy-steps-tasks.yaml: Replace ignore_errors by another condition,
  "not ansible_check_mode"; this task is not needed in check mode.

- generate-config-tasks.yaml: Replace ignore_errors by another
  condition, "not ansible_check_mode"; this task is not needed in check mode.

- Neutron wrappers: use fail_key: False instead of ignore_errors: True
  if a key can't be found in /etc/passwd.

- All services with service checks: Replace "ignore_errors: true" by
  "failed_when: false". Since we don't care about whether or not the
  task returns 0, let's just make the task never fail. It will only
  improve UX when scrawling logs; no more failure will be shown for
  these tasks.

- Same as above for cibadmin commands, cluster resources show
  commands and keepalived container restart command; and all other shell
  or command or yum module uses where we just don't care about their potential
  failures.

- Aodh/Gnocchi: Add pipefail so the task isn't support to fail

- tripleo-packages-baremetal-puppet and undercloud-upgrade: check shell
  rc instead of "succeeded", since the task will always succeed.

Change-Id: I0c44db40e1b9a935e7dde115bb0c9affa15c42bf
2020-03-05 09:22:04 -05:00
Takashi Kajinami
a999923f34 Remove wsgi_enabled parameters in nova
Now wsgi_enabled parameters in puppet-tripleo are removed and we always
use wsgi to deploy nova-api and nova-metadata-api.

Depends-on: https://review.opendev.org/#/c/710642/
Change-Id: Iec68c96917bdfd60f0cb11bf437909d44f8920ed
2020-03-01 22:12:40 +09:00
Zuul
efd47eaec2 Merge "Replace '' by [] when a bind mount isn't needed" 2020-02-08 05:19:17 +00:00
Emilien Macchi
98118b6294 Replace '' by [] when a bind mount isn't needed
To avoid empty volumes like:

{
  (...)
  "volumes": [
    "/etc/puppet:/etc/puppet:ro",
    (...)
    "",
    ""
  ],
}

Replace '' by [], so heat won't create an item in the list.
It helps to have idempotent containers, since podman_container module
will compare the list of volumes that is given in parameters (containing
the empty entries) vs the list of volumes actually in podman inspect.
Replacing to [] clears out empty volumes and makes these containers
idempotent when podman_container module is used to deploy containers.

Change-Id: I228b01009e7d9980bee5480778dbc88b9e226297
2020-02-07 14:34:53 +05:30
Takashi Kajinami
8cc62c5f14 Remove deprecated authtoken::auth_uri
auth_uri parameter in authtoken was already removed from puppet modules[1],
so remove it from hieradata.

Also, some service templates missed www_authenticate_uri, which was
introduced as a replacement of auth_uri, so add it to make sure that
we have a correct parameter configured.

[1] I12b4049e4942911c8d1d8027c579eb4c0d1a53eb

Change-Id: I1e8378f58662377344194916e8bc336df02d0591
2020-01-26 09:26:50 +09:00
Kevin Carter
9a2a36437d Update all roles to use the new role name
Ansible has decided that roles with hyphens in them are no longer supported
by not including support for them in collections. This change renames all
the roles we use to the new role name.

Depends-On: Ie899714aca49781ccd240bb259901d76f177d2ae
Change-Id: I4d41b2678a0f340792dd5c601342541ade771c26
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2020-01-20 10:32:23 -06:00
Emilien Macchi
7f40baabcd Manage all Keystone resources with Ansible
Depends-On: I557d8f33c9c699aed14b3b6fc1d1c0407365cd08
Depends-On: Ia68f8852662fb4abbd194954a246afb740bf3f71

Change-Id: I96a3351fca26cd8bb122a86cb4c3a58d5f88573e
2020-01-06 22:33:05 +00:00
Zuul
18617b6bd1 Merge "Remove unnecessary slash volume maps" 2019-12-05 17:36:29 +00:00
Sagi Shnaidman
016f7c6002 Remove unnecessary slash volume maps
When podman parses such a volume map it removes the slash
automatically and shows the volumes without the slash in inspection.
When comparing configurations it turns to be a difference and
it breaks idempotency of containers, causing them to be recreated.

Change-Id: Ifdebecc8c7975b6f5cfefb14b0133be247b7abf0
2019-12-04 20:32:14 +02:00
Martin Magr
cdda44028a Fix rsyslog issues
This patch fixes the following issues, which make the rsyslog service
fail to start successfully:

- Changes LoggingSource configuration key 'path' to 'file' for various services
- Fixes LoggingSource configuration key 'startmsg.regex' for pacemaker
- Removes nonexistent log files from LoggingSource of keystone

Change-Id: I7fe6456a1d2a3ba4300a82c57b76774152422250
2019-12-03 18:53:31 +00:00
Kevin Carter
50367fbe35 Convert firewall rules to use TripleO-Ansible
This change converts our firewall deployment practice to use
the tripleo-ansible firewall role. This change creates a new
"firewall_rules" object which is queried using YAQL from the
"FirewallRules" resource.

A new parameter has been added allowing users to input
additional firewall rules as needed. The new parameter is
`ExtraFirewallRules` and will be merged on top of the YAQL
interface.

Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed
Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-11-18 15:40:22 -06:00
Jose Luis Franco Arza
4cbae84c75 Get rid of docker removing in post_upgrade tasks.
When upgrading from Rocky to Stein we moved also from using the docker
container engine into Podman. To ensure that every single docker container
was removed after the upgrade a post_upgrade task was added which made
use of the tripleo-docker-rm role that removed the container. In this cycle,
from Stein to Train both the Undercloud and Overcloud work with Podman, so
there is no need to remove any docker container anymore.

This patch removes all the tripleo-docker-rm post-upgrade tasks and in those
services which only included a single task, the post-upgrade-tasks section
is also erased.

Change-Id: I5c9ab55ec6ff332056a426a76e150ea3c9063c6e
2019-11-12 16:33:38 +01:00
Zuul
21b56ec34a Merge "Revert "Temporaily disable nova inflight healthchecks to unblock the gate"" 2019-10-17 17:07:37 +00:00
Emilien Macchi
81258ae551 Convert container environment from a list to a dict
Moving all the container environments from lists to dicts, so they can
be consumed later by the podman_container ansible module which uses
dict.

Using a dict is also easier to parse, since it doesn't involve "=" for
each item in the environment to export.

Change-Id: I894f339cdf03bc2a93c588f826f738b0b851a3ad
Depends-On: I98c75e03d78885173d829fa850f35c52c625e6bb
2019-10-16 01:29:31 +00:00
Cédric Jeanneret
affbe57a8b Revert "Temporaily disable nova inflight healthchecks to unblock the gate"
Inflight validations are now properly deactivated within the
tripleoclient/tripleo-common code.

This reverts commit 1761fc81c2.

Change-Id: I4ea9bfadbcc71c847232c8585d99f8698daffc9a
2019-10-15 12:36:05 +00:00
Oliver Walsh
1761fc81c2 Temporaily disable nova inflight healthchecks to unblock the gate
Change-Id: I8b687dcf7b36730a282e2091566a15a7ddc6fd23
Related-bug: #1843555
2019-09-30 12:44:42 +01:00
Oliver Walsh
c919f1b65b Wait for first healthcheck before running validation tasks
The systemd healthcheck timer first triggers 120s after activation.
The initial value for ExecMainStatus is 0, resulting in false positives if we
check this too early.
This changes waits (up to 5 mins) for ExecMainPID to be set and the service to
return to an inactive/failed state.

Change-Id: Iad4ebb283a7a6559b6fffead4145cc9bbad45e4e
Depends-On: Ia2897a6be3e000a9594103502b716431baa615b1
Related-bug: #1843555
2019-09-14 02:15:58 +00:00
Oliver Walsh
84a3cc1afd Skip systemd healthcheck validation on docker
The validation tasks added in I2c044e3d2af7f747acde5ad3bf256386b8c550a3 are not
valid on docker. As it's now deprecated we can just skip them.

Change-Id: I4ff530af8ad7f864b8038e5e509ec38840096c5d
Related-bug: #1842687
2019-09-12 14:56:26 -04:00
Emilien Macchi
7064cd8e90 nova: use systemd to check container healthchecks
Instead of running "podman exec" to test the container healthchecks, we
should rather rely on the status of systemd timers which reflect the
real state of the healthchecks, since they run under a specific user and
pid.

Also, we should only test the healthchecks if
ContainerHealthcheckDisabled is set to False.

Change-Id: I2c044e3d2af7f747acde5ad3bf256386b8c550a3
Closes-Bug: #1842687
2019-09-06 15:05:33 +05:30
Martin Magr
5ccf8951e5 Remove fluentd composable service
This patch removes fluentd composable service in favor of rsyslog composable service
and modifies *LoggingSource configuration accordingly.

Change-Id: I1e12470b4eea86d8b7a971875d28a2a5e50d5e07
2019-08-29 13:52:55 +01:00
Zuul
51c22afdf0 Merge "Add NovaLocalMetadataPerCell cell support" 2019-08-14 17:07:11 +00:00
Zuul
456c8da28c Merge "Add inflight validations for compute services" 2019-08-14 13:56:08 +00:00
Martin Schuppert
2cd9e44e66 Add NovaLocalMetadataPerCell cell support
Indicates that the nova-metadata API service has been deployed
per-cell, so that we can have better performance and data isolation
in a multi-cell deployment. Users should consider the use of this
configuration depending on how neutron is setup. If networks span
cells, you might need to run nova-metadata API service globally.
If your networks are segmented along cell boundaries, then you can
run nova-metadata API service per cell.

Introduces a new endpoint_map entry NovaMetadataInternal.

If NovaLocalMetadataPerCell is true, NovaMetadataCellInternal points
to the local cell endpoint.

If NovaLocalMetadataPerCell is false, NovaMetadataCellInternal points
to the central control plane nova metadata endpoint.

The NovaMetadataCellInternal endpoint is then used to configure the
nova-metadata api endpoint the ovn metadata agent points to.

Also removes setting the deprecated [DEFAULT]/nova_metadata_ip
hiera key and only uses [DEFAULT]/nova_metadata_host for the ovn
metadata agent.

Depends-On: https://review.opendev.org/675070
Depends-On: https://review.opendev.org/650943
Change-Id: I78f6d30676ee166f84d8aca1609b376bb73e5f2c
Closes-Bug: #1823760

Change-Id: I1e05230e4105a3706f0662b0c203137d05ebf3d8
2019-08-12 17:42:51 +02:00
Carlos Camacho
8529ce60da Stop services for unupgraded controllers
Before we start services on upgraded bootstrap
controller (usually controller-0), we need to
stop services on unupgraded controllers
(usually controller-1 and controller-2).

Also we need to move the mysql data transfer
to the step 2 as we need to first stop the
services.

Depends-On: I4fcc0858cac8f59d797d62f6de18c02e4b1819dc
Change-Id: Ib4af5b4a92b3b516b8e2fc1ae12c8d5abe40327f
2019-08-07 19:23:11 +02:00
Rajesh Tailor
8dc0cee704 Add inflight validations for compute services
Added inflight validations for compute container
services.

Change-Id: I8a8757aec80c379656665c4a1f0952c3b29f53b8
2019-08-07 10:24:36 +05:30
Bogdan Dobrelya (bogdando)
a1e580f039 Revert "Fix generating Apache configs by container-puppet"
Fixes the following issue coming on RHEL8: http://logs.rdoproject.org/openstack-periodic-master/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-rhel-8-standalone-master/11c7794/logs/undercloud/var/log/extra/podman/containers/keystone_db_sync/stdout.log.txt.gz

This reverts commit 80d12514d5.

Change-Id: Ice566e90e468bc919872d0954d2d696f4554e00b
2019-08-02 13:54:35 +02:00
Chandan Kumar (raukadah)
c1269a6475 Revert "Wire-in Apache MPM module parameters and switch it"
This reverts commit 09cfcc1464.

Change-Id: Ife71b124fa404050fcbcb2e041590a295076d6d9
2019-08-02 10:34:07 +00:00
Bogdan Dobrelya
09cfcc1464 Wire-in Apache MPM module parameters and switch it
Allow configuring the Apache MPM module for the containerized API/WSGI'ish
services running Apache as a backend. Change the default from 'prefork'
to 'event', which is a low level change and should provide no sensible
upgrade impact. This alleviates the related heartbeats threading issue
arising with the monkey-patched eventlet.

Merge the missing ApacheServiceBase config settings for Octavia API,
Horizon and Ironic PXE. This is needed to apply the base Apache
service hiera settings, including MPM module switches, for those
as well.

Related-bug: #1829062

Change-Id: Ia65af7a9d6ae106a61ec52912bebba72830d5f28
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-07-31 10:18:46 +02:00
Bogdan Dobrelya
80d12514d5 Fix generating Apache configs by container-puppet
The changes listed below provide a single unit of work required to
configure Apache backend for WSGI-based OpenStack API services
w/o conflicts causing containers startup failures.

W/o this change /etc/httpd/conf.modules.d/00-mpm.conf shipped with RPM
or other conflicting httpd modules might remain in the containers
and cause startup failures, while puppet removes such conflicts from
the configuration, e.g. when switching MPM 'prefork' to 'event', and we
expect it never gets into container configs.

Make kolla extended start properly enforcing the wanted state of
/etc/httpd, including conf.d and conf.modules.d, and also any of the
removed by puppet files, like conflicting Apache MPM modules.

Add container-puppet tasks to ensure apache MPM configs generated
before the main config steps that require Apache started in the
service container.

Additionally, ensure consistent mirroring across config-data
paths for the container-puppet tool. Purge obsoleted/irrelevant files
in the destination (puppet-generated) before rsyncing new contents
into it.

Closes-Bug: #1835414

Change-Id: I3e5b4372a01b29bf13179d8a16acc36da9c5caab
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-07-31 10:18:30 +02:00
Jose Luis Franco Arza
d1035703b7 Force removal of docker container in tripleo-docker-rm.
The tripleo-docker-rm role has been replaced by tripleo-container-rm [0].
This role will identify the docker engine via the container_cli variable
and perform a deletion of that container. However, these tasks inside the
post_upgrade_tasks section were thought to remove the old docker containers
after upgrading from rocky to stein, in which podman starts to be the
container engine by default.

For that reason, we need to ensure that the container engine in which the
containers are removed is docker, as otherwise we will be removing the
podman container and the deployment steps will fail.

Closes-Bug: #1836531
[0] - 2135446a35

Depends-On: https://review.opendev.org/#/c/671698/
Change-Id: Ib139a1d77f71fc32a49c9878d1b4a6d07564e9dc
2019-07-19 12:37:35 +00:00
Harald Jensås
7a52a6986e Drop EC2MetadataIp parameter and its uses
Since https://review.opendev.org/656581 is merged (and the revert,
reverting the revert ...) there is no metadata service running.

This change removes all things related to setting up routes
to the metadata service, i.e. the EC2MetadataIp, as well as the NAT
firewall redirect rule used only on the undercloud but disabled
by default.

Blueprint: nova-less-deploy
Change-Id: Ic4ea74b45c566048e32dde82d2bf00498f932af6
2019-07-05 14:05:59 +02:00