As part of the minor update workflow and the update workflow, this changes
the pacemaker haproxy bundle resource to add the needed mount for public
TLS to work.
This also handles the reloading of the container to fetch any new certificates
and if needed, it will restart the pacemaker resource (for upgrades), since
we would need pacemaker to re-create the resource.
Change-Id: I850f4de17e7f7e3b46deb27119227ef76658dcb5
Closes-Bug: #1759797
ovn-cms-options config option is mistakenly added as ovn-cms-opts.
As a result ovn_cms_options is never set in SBDB and OVN
mechanism driver is unable to schedule router as expected.
Change-Id: Iaa89a1dbec732c3aa743fa3f5cf1f4931e2ab9ef
Added nfs as an option to where CinderBackupBackend was hardcoded
as either ceph or swift. Also added some parameters for this
driver - CinderBackupNfsShare and CinderBackupNfsMountOptions
Depends-On: Ic0adb294aa2e60243f8adaf167bdd75e42c8e20e
Change-Id: I29a488374726676a28fb82f2f950db891fcf9627
Closes-Bug: #1744174
InternalTLSVncCAFile currently defaults to /etc/ipa/vnc.crt.
Certmonger attempts to save the CA cert to this path as cert_t, however
/etc/ipa is etc_t.
Moving to /etc/pki/CA/certs which is cert_t resolves the issue, and is
arguably a more suitable location.
Change-Id: Ib275fc43dd772851511598a4932c19fcda706479
Neutron agents are using oslo-rootwrap-daemon to run
privileged commands. Containers inherit the file descriptor
limit from the docker daemon (currently 1048576), which is too
high and leads to performance issues. This patch sets the
nofile limit for neutron agent containers to 1024, which is
reasonable, as before containers they were using host defaults,
i.e. 1024.
Depends-On: I0cfcf4e3e3e13578ec42e12f459732992fb3a760
Change-Id: Iec722cdfd7642ff3149f50d940d8079b9e1b7147
Related-Bug: #1760471
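Added example, not code from this change or from the tripleo project: a small POSIX shell check for the open-files limit a process actually received, read from /proc/<pid>/limits. The `docker run --ulimit nofile=1024:1024` flag mentioned in the comment is the standard docker CLI way to set the cap at container start; the function names `nofile_soft_limit` and `check_nofile_cap` are chosen here, and the check only works on Linux because it reads /proc.

```shell
# Added example (not the commit's code): verify the open-files limit a process got.
# A container started as  docker run --ulimit nofile=1024:1024 ...  should report
# a soft limit of 1024 here, whereas one that inherited the docker daemon's limit
# reports 1048576.  Linux only (reads /proc); pid defaults to "self".

# Print the soft "Max open files" value for PID (or for the calling shell).
nofile_soft_limit() {
    pid="${1:-self}"
    # /proc/<pid>/limits line layout: "Max open files  <soft>  <hard>  files"
    awk '/^Max open files/ { print $4 }' "/proc/$pid/limits"
}

# Succeed only when PID's soft nofile limit is numeric and at or below CAP.
check_nofile_cap() {
    cap="$1"
    pid="${2:-self}"
    limit=$(nofile_soft_limit "$pid") || return 1
    case "$limit" in
        ''|*[!0-9]*) return 1 ;;   # "unlimited" or unreadable: treat as out of cap
    esac
    [ "$limit" -le "$cap" ]
}

# Typical use inside a container health check: fail if the daemon's limit leaked through.
# check_nofile_cap 1024 || echo "nofile limit too high: $(nofile_soft_limit)"
```

The soft limit is what a process hits first, which is why the check reads the fourth column; the hard limit (fifth column) only matters if the service raises its own limit at runtime.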
Zaqar was using mongodb by default but we haven't supported mongodb
since pike. This change switches Zaqar to use redis by default.
Change-Id: If6ed9fddf4a4fcff3bb9105b04df777ec8a8990e
Closes-Bug: #1761239
Name was defined as ceph_client instead of ceph_external.
Closes-Bug: 1761531
Change-Id: I5fd84bbdbb175d81e247664929f728fa1c5b4bdb
Signed-off-by: Tim Rozet <trozet@redhat.com>
The Neutron UID is not static and may be different between the host and
neutron container. Since we generate certificates and keys on the host
for neutron and then mount them in a container, it is highly likely the
container Neutron UID will not match the one used on the host to
generate the files and reading these files will fail in the container.
This patch modifies the permissions after the files are mounted in the
container to be owned by the correct Neutron UID.
Closes-Bug: 1759049
Depends-On: I83b14b91d1ee600bd9d5863acba34303921368ce
Change-Id: Ibad3f1af4b44459e96a6dc9937e5fcef3e6335f4
Signed-off-by: Tim Rozet <trozet@redhat.com>
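Added example, not code from this change or from the tripleo project: a POSIX shell routine that does what the commit describes, resolving the service account's UID inside the container with id(1) and chowning the mounted TLS files to it. The function names `fix_cert_owner` and `file_owner_mode`, the user name `neutron` and the path in the usage comment are assumptions chosen for illustration.

```shell
# Added example (not the commit's code): make host-generated TLS material readable
# by the service account inside the container, whatever UID that account has here.
# The host generated the files as its own "neutron" UID; inside the container we
# resolve the name again with id(1) so ownership matches this image's UID.
# Usage: fix_cert_owner neutron /etc/pki/tls/private/neutron   (name and path assumed)

# Chown every regular file under DIR to USER's uid:gid as resolved in this container,
# keep private keys 0600 and certificates 0644.  Symlinks are skipped on purpose so a
# mount cannot redirect the chown to files outside DIR.
fix_cert_owner() {
    user="$1"
    dir="$2"
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    [ -d "$dir" ] || return 1
    find "$dir" -type f -exec chown "$uid:$gid" {} +
    find "$dir" -type f -name '*.key' -exec chmod 0600 {} +
    find "$dir" -type f ! -name '*.key' -exec chmod 0644 {} +
}

# Report the numeric owner and octal mode of FILE, e.g. "1000 600", for verification.
file_owner_mode() {
    stat -c '%u %a' "$1"
}
```

Running this at container start (before dropping privileges) is what makes the fix independent of which UID the image happened to allocate to the account; chowning on the host would only work when the two UIDs coincide.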
This reverts commit bd48087520c5f0846363bdc0c025508ba450ceb3.
After further inspection it seems that panko dbsync shouldn't be
needed, as it will upgrade a newly created empty db.
And this is assuming we find a way to:
- configure panko database connection properly
- create the db
Knowing that we don't have access to this information[1] as the
new hieradata haven't been rendered at this stage.
So all that to upgrade a newly (I guess empty) database seems like too
much trouble.
The db will be created in the last step of the FFU.
[1] https://github.com/openstack/tripleo-heat-templates/blob/stable/ocata/puppet/services/panko-base.yaml#L39..L75
Change-Id: Ie68849a7033c199c339d28cdb10c3dba9419904b
Closes-Bug: #1760135
This is necessary for certain setups (such as enabling multiple LDAP
domains). So, instead of always adding checks every time to see if
we need to refresh or not, let's just do it always, thus simplifying
the already convoluted logic here.
Change-Id: Ie1a0b9740ed18663451a3907ec3e3575adb4e778
Closes-Bug: #1748219
Co-Authored-By: Raildo Mascena <rmascena@redhat.com>
During major upgrade, ensure that the haproxy bundle exposes
the HAProxy stats socket by ensuring there is a bind mount of
/var/lib/haproxy from the host.
Also create /var/lib/haproxy on the host with host_prep_tasks,
and make sure that permissions will be set by Kolla init
at next container restarts.
Depends-On: Ib833ebe16fcc1356c9e0fc23a7eebe9c4b970c55
Change-Id: I0923375fef9f392d3692afb50b21fee7b57c3ca0
This patch adds the possibility to pass non-standard ports of the monitoring
RabbitMQ instance to sensu-client container health check
Change-Id: Icc01ce23b3fc538811b4dfc4fbaba18dc7165f89
Add an ansible task to run mysql_upgrade whenever a container
image upgrade causes a major upgrade of mariadb (e.g. 5.5 -> 10.1)
. If the overcloud was containerized prior to the major upgrade, the
mysql upgrade job is run in an ephemeral container (where the latest
version of mysql comes from) and uses credentials from the Kolla
configuration.
. Otherwise the upgrade job is run from the host (once the mysql
rpm has been updated) and uses credentials from the host.
We log the output of the script in the journal. Also, the mysql server
needs to be started temporarily, so use a temporary log file for it
when run from the ephemeral container.
Change-Id: Id330d634ee214923407ea893fdf7a189dc477e5c
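Added example, not the commit's ansible task or any tripleo code: a POSIX shell sketch of the decision the task has to make, namely whether the mariadb version in the new container image is a major step (5.5 -> 10.1) that warrants mysql_upgrade, or only a patch-level change. The functions `mysqld_version_of`, `mariadb_major_changed` and `plan_mysql_upgrade` are names chosen here; the version lines used as input follow the `mysqld --version` output format, and the sample values are constructed.

```shell
# Added example (not the commit's code): decide whether a mariadb image change is a
# major upgrade that warrants running mysql_upgrade.  Inputs are "mysqld --version"
# lines; the sample values in the comments are made up.

# Extract "X.Y.Z" from a line such as
#   mysqld  Ver 10.1.20-MariaDB for Linux on x86_64 (MariaDB Server)
mysqld_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*Ver \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the X.Y part differs, e.g. 5.5.56 -> 10.1.20.  Patch-level changes
# (10.1.20 -> 10.1.26) return 1, so no upgrade job is scheduled for them.
mariadb_major_changed() {
    old_mm=$(printf '%s' "$1" | cut -d. -f1,2)
    new_mm=$(printf '%s' "$2" | cut -d. -f1,2)
    [ -n "$old_mm" ] && [ -n "$new_mm" ] && [ "$old_mm" != "$new_mm" ]
}

# Given the running server's version line and the one from the new image, print
# what the upgrade step should do.  Exit 2 when either version is unparseable, so
# a broken detection never silently skips the upgrade.
plan_mysql_upgrade() {
    old=$(mysqld_version_of "$1")
    new=$(mysqld_version_of "$2")
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "unknown"
        return 2
    fi
    if mariadb_major_changed "$old" "$new"; then
        echo "run mysql_upgrade ($old -> $new)"
    else
        echo "skip ($old -> $new)"
    fi
}
```

In the containerized case the "new" line would come from running `mysqld --version` in the ephemeral container built from the new image, and the "old" line from the server still serving the overcloud; the comparison itself does not need either server to be up.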
Directory /var/lib/vhost_sockets will be used to create vhost sockets
which should have the group name hugetlbfs, which is common
between qemu and openvswitch to share the vhost_sockets, and the
correct selinux context applied on the vhost_sockets directory.
Closes-Bug: #1751711
Change-Id: Ib917cf86bd9a4ce57af243ab43337ea6c88bf76c
I54b5b59ef49de8d66232312bc449559a7f16eaad configures the HAProxy
service to expose the stats socket with a bind mount, however the
main service container doesn't use that bind mount. Fix that.
Change-Id: I316ab408e82cda70bed8b203b3755936392201da
HA containerized services currently log under
/var/log/pacemaker/bundles/{service-replica}.
Move the logging of those HA services into /var/log/containers,
like all the paunch-managed containers. Also leave a readme.txt
in the previous location to notify the change (taken from
Ic8048b25a33006a3fb5ba9bf8f20afd2de2501ee)
Only the main service log is being moved, e.g. for mysql:
. mysqld.log now ends up in /var/log/containers/mysqld.log
. pacemaker logs stay under /var/log/pacemaker/bundles/{service-replica}
Note: some HA services don't need to be changed during upgrade:
. cinder-{backup|volume} log under /var/log/containers/cinder
. manila-share log under /var/log/containers/manila
. haproxy only logs to the journal
Change-Id: Icb311984104eac16cd391d75613517f62ccf6696
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Partial-Bug: #1731969