54 Commits

Author SHA1 Message Date
ramishra
7f195ff9a8 Remove DefaultPasswords interface
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.

Reduces a number of heat resources.

Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
2021-02-12 11:38:44 +05:30
Takashi Kajinami
f89140402e Fix logic to honor HorizonDebug
Debug always has one of true/false and is always set. We should check
whether HorizonDebug is set instead of whether Debug is set.

Also, this change fixes the current logic to make sure that
HorizonDebug: false is honored even when Debug: true is set.

Closes-Bug: #1908362
Change-Id: I514b5a3d4133d3561376ea06a803d019acaa0f0b
2020-12-22 17:56:16 +09:00
Grzegorz Grasza
d476a31a08 Fix the value of ssl_verify_client
As per documentation, this should be one of
none, optional, require or optional_no_ca:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLVerifyClient

Change-Id: Ia586151169e7f359a2a58a33b4ac9526d0113679
Closes-bug: #1904731
2020-11-18 13:34:54 +01:00
Zuul
0519978254 Merge "Remove Sahara support" 2020-11-06 03:12:06 +00:00
Takashi Kajinami
8d9621e2e3 Revert "Use the appropriate name for horizon ssl ca parameter"
Because the dependent patch[1] is not present in stable/victoria
we should not merge this patch until stable/victoria release is created
for TripleO projects.
This revert will be reverted once stable/victoria branch is created.

This reverts commit d3b099fac949bed6e5da0660b13509cf391ca571.
Resolved conflict caused by the subsequent commit[2]

[1] https://review.opendev.org/#/c/758041/
[2] 132c0b1e792084664920fc8ac6c984cb4d1b823d

Conflicts:
	deployment/horizon/horizon-container-puppet.yaml

Related-Bug: #1901626
Change-Id: I1cc635715084789602fc40084ba5df4d5790199c
2020-10-27 08:18:33 +09:00
Takashi Kajinami
132c0b1e79 Add ssl_verify_client parameter for horizon
The recent change in puppet-horizon[1] made the ssl_verify_client
parameter mandatory when ssl_ca is set. This patch makes sure that
the ssl_verify_client parameter is set properly.

In addition, internal tls cert is not valid when internal tls is not
enabled. This patch also addresses that point, and makes sure ssl_ca is set
only when needed.

[1] https://review.opendev.org/#/c/758041/6

Closes-Bug: #1900947
Change-Id: I286f69b8d3775d7538685e799f092ce47b5d75a7
2020-10-23 00:47:43 +09:00
Lance Bragstad
d3b099fac9 Use the appropriate name for horizon ssl ca parameter
A recent change to puppet-horizon refactored the SSL parameter names
[0]. This change updates THT to use the right name for the CA value.

[0] https://review.opendev.org/#/c/758041/6

Change-Id: I2957cf529c3ba00269fded75a26dcd6d806fb18e
2020-10-21 16:11:33 -05:00
Takashi Kajinami
4a7d56947a Remove Sahara support
Sahara support was deprecated during previous Ussuri cycle[1], so we
can remove it completely now.

[1] f1d9b15c85fd1ed2250d40cea8184a18f458234f
Change-Id: Id047221cb912c09984cc3bf864196a26fd36736f
2020-10-19 09:39:36 +09:00
Martin Magr
f2fc8c8faf Add possibility to set logging source for Horizon
This patch adds HorizonLoggingSource parameter to enable fluentd to tail logs
from Horizon.

To keep consistency with other services the default value is set as single log located
in appropriate log directory, but we also need to enable customer to pass multiple
horizon log files also used by httpd.

Change-Id: I0161e6d9c76424b301e48b73f1d7b4b071af0676
2020-10-01 15:31:05 +02:00
Zhu Sheng Li
a5f432b849 Add parameter for setting horizon session timeout
Add HorizonSessionTimeout parameter for configuring the session timeout
of horizon in seconds.

Closes-Bug: #1897197
Change-Id: I1bfd645ed9e1823a626d6972ab00893ca49bba83
2020-09-26 10:00:02 +08:00
Keigo Noha
812aa726ef Set 'DEBUG' to horizon::log_level if HorizonDebug or Debug is true
Previously, if HorizonDebug or Debug was true, horizon::django_debug
was set to True. However, those parameters didn't change the logger
level of horizon components. By this change, when HorizonDebug or
Debug is True, horizon::log_level is set to 'DEBUG'.

Change-Id: I0a140682c552ba8a4e943124330852259e66142d
2020-07-28 17:59:48 +09:00
Emilien Macchi
1a48fa61f4 Sync httpd conf.modules.d configs
For containers which run httpd, make sure conf.modules.d is also synced
into the container; so apache doesn't fail with:
AH00534: httpd: Configuration error: More than one MPM loaded.

This is now required since:
6425cc46a8

Change-Id: Ib315d10dbdbbad1628f536a74cd1fca371f018f5
Closes-Bug: #1884115
2020-06-24 03:32:02 +00:00
Alexey Stupnikov
d762417106 Add an option to adjust help URL in horizon
There is a help button in horizon dashboard that has various
use cases:

- by default it should point to upstream documentation;
- OpenStack vendor could adjust this URL, so it will point
  to his documentation;
- every cloud operator could adjust this URL, so users will
  be re-directed to some custom portal.

This patch adds an option to configure custom URL for Help
button using HorizonHelpURL parameter.

Change-Id: Ic95e55a007ea6db9336e81574c7a49185590eaee
Closes-Bug: #1879522
Related: rhbz#1835820
2020-05-21 10:44:36 +00:00
Harald Jensås
a03f33a7d4 Deprecate service ipv6 params
Detect the IP version used instead of relying on the
user specifying the IP version for services.

The IP version is stored in a net_ip_version_map which
is passed to all services in ServiceData.

Deprecates the following parameters:
 CephIPv6, CorosyncIPv6, RabbitIPv6, MemcachedIPv6,
 MysqlIPv6, RedisIPv6 and NeutronOverlayIPVersion.

Change-Id: Iebfd8ef686381be2f45d0d4c45dfd6bf654d1ac6
2020-05-12 07:25:11 +00:00
Jose Luis Franco Arza
94bc023390 Add mode option when creating persistent directories.
Almost every single tripleo service creates a persistent directory. To
simplify the creation, a with_items structure was being used. In which
many times, the mode option was being set. However, that mode option
was not taken into account at the time of creating the file. As a
consequence, the directory was being created with its father directory
rights, instead of the ones being passed in the template.

Change-Id: I215db2bb79029c19ab8c62a7ae8d93cec50fb8dc
Closes-Bug: #1871231
2020-04-20 15:37:08 +02:00
Zuul
3f0f918e38 Merge "Add parameter to manage horizon's keystone_domain_choices" 2020-04-13 23:05:33 +00:00
Takashi Kajinami
fffdcf0f30 Use absolute name to include puppet classes
Current puppet modules use only absolute name to include classes,
so replace relative name by absolute name in template files so that
template description can be consistent with puppet implementation.

Change-Id: I7a704d113289d61ed05f7a31d65caf2908a7994a
2020-04-11 08:13:23 +09:00
Mihai Plasoianu
713f203441 Remove duplicate key
Change-Id: Ic3642afde2d77023ef71b0ec90ae9009fffbbbae
2020-04-02 21:29:28 +02:00
Alexey Stupnikov
ec9b2753e2 Add parameter to manage horizon's keystone_domain_choices
Since Stein release it is possible to set
OPENSTACK_KEYSTONE_DOMAIN_CHOICES using puppet-horizon
(change-id: I67c4c8923ef4d6e4c3420e0a2b0d38ee3c6e2819 ).
This patch adds THT parameter to set
horizon::keystone_domain_choices

Fixes: rhbz#1732672
Change-Id: Iebd7ab7c111a6c3a15ee90f3acf47138138568bc
2020-03-29 23:22:53 +02:00
Zuul
76aa0d0cf8 Merge "Disable Mistral dashboard" 2020-03-02 21:16:23 +00:00
Takashi Kajinami
d1d296fa59 Disable Mistral dashboard
... because we don't expect that Mistral is used in overcloud.

Change-Id: Iba4e1545480623fb0dab2b71510f2cb05eda3ae9
2020-03-01 11:02:29 +09:00
Takashi Kajinami
4da031300d Remove outdated comment about enabled dashboard
Now we have heat-dashboard installed, so remove the outdated comment
we had before adding heat-dashboard.

Change-Id: I42586af1493b8dc8601bfe974363505c075781c0
2020-03-01 10:57:12 +09:00
Zuul
b130f78076 Merge "Replace svirt_sandbox_file_t by container_file_t" 2020-02-10 13:58:31 +00:00
Cédric Jeanneret
0875895553 Replace svirt_sandbox_file_t by container_file_t
While they are, at SELinux level, exactly the same (one is an alias to
the other), the "container_file_t" name is easier to understand (and
shorter to write).

A second pass in a couple of days or weeks will be needed in order to
change files that were merged after this first pass.

Change-Id: Ib4b3e65dbaeb5894403301251866b9817240a9d5
2020-02-07 13:33:20 +01:00
Emilien Macchi
98118b6294 Replace '' by [] when a bind mount isn't needed
To avoid empty volumes like:

{
  (...)
  "volumes": [
    "/etc/puppet:/etc/puppet:ro",
    (...)
    "",
    ""
  ],
}

Replace '' by [], so heat won't create an item in the list.
It helps to have idempotent containers, since podman_container module
will compare the list of volumes that is given in parameters (containing
the empty entries) vs the list of volumes actually in podman inspect.
Replacing to [] clears out empty volumes and makes these containers
idempotent when podman_container module is used to deploy containers.

Change-Id: I228b01009e7d9980bee5480778dbc88b9e226297
2020-02-07 14:34:53 +05:30
Kevin Carter
9a2a36437d Update all roles to use the new role name
Ansible has decided that roles with hyphens in them are no longer supported
by not including support for them in collections. This change renames all
the roles we use to the new role name.

Depends-On: Ie899714aca49781ccd240bb259901d76f177d2ae
Change-Id: I4d41b2678a0f340792dd5c601342541ade771c26
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2020-01-20 10:32:23 -06:00
Emilien Macchi
2da9cc14bf horizon: put plugins toggles in quotes
Without quotes, it seems like Ansible "from_yaml" filter will convert
yes to True and no to False; which is problematic in the case of Kolla
image for Horizon where the extend_start script checks for yes/no and
not the actual booleans.

Putting them between quotes seems to solve the issue.

Change-Id: Ie08726c0916c55c3d4c315b63ee341196cc2e70e
Closes-Bug: #1859491
2020-01-13 11:07:06 -05:00
Emilien Macchi
7f40baabcd Manage all Keystone resources with Ansible
Depends-On: I557d8f33c9c699aed14b3b6fc1d1c0407365cd08
Depends-On: Ia68f8852662fb4abbd194954a246afb740bf3f71

Change-Id: I96a3351fca26cd8bb122a86cb4c3a58d5f88573e
2020-01-06 22:33:05 +00:00
Alex Schultz
71b5d40862 Enable horizon healthcheck
Change-Id: If1c7e2902c2e2ac70965e5718228cc34161ae3d2
Depends-On: https://review.opendev.org/#/c/698587/
Closes-Bug: #1856088
2019-12-11 13:44:47 -07:00
Sagi Shnaidman
016f7c6002 Remove unnecessary slash volume maps
When podman parses such volume map it removes the slash
automatically and shows in inspection volumes w/o slash.
When comparing configurations it turns to be a difference and
it breaks idempotency of containers, causing them to be recreated.

Change-Id: Ifdebecc8c7975b6f5cfefb14b0133be247b7abf0
2019-12-04 20:32:14 +02:00
Kevin Carter
50367fbe35 Convert firewall rules to use TripleO-Ansible
This change converts our firewall deployment practice to use
the tripleo-ansible firewall role. This change creates a new
"firewall_rules" object which is queried using YAQL from the
"FirewallRules" resource.

A new parameter has been added allowing users to input
additional firewall rules as needed. The new parameter is
`ExtraFirewallRules` and will be merged on top of the YAQL
interface.

Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed
Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-11-18 15:40:22 -06:00
Jose Luis Franco Arza
4cbae84c75 Get rid of docker removing in post_upgrade tasks.
When upgrading from Rocky to Stein we moved also from using the docker
container engine into Podman. To ensure that every single docker container
was removed after the upgrade a post_upgrade task was added which made
use of the tripleo-docker-rm role that removed the container. In this cycle,
from Stein to Train both the Undercloud and Overcloud work with Podman, so
there is no need to remove any docker container anymore.

This patch removes all the tripleo-docker-rm post-upgrade task and in those
services which only included a single task, the post-upgrade-tasks section
is also erased.

Change-Id: I5c9ab55ec6ff332056a426a76e150ea3c9063c6e
2019-11-12 16:33:38 +01:00
Alex Schultz
7906fb43be Drop legacy log folder and readme
We switched to containers a long time ago. This patch drops the
management of a /var/log/<service> directory and the creation of a
readme indicating that we've moved to containers which makes the logging
available under /var/log/containers/<service>

Change-Id: Ia4e991d5d937031ac3312f639b726a944743dd1e
2019-11-04 09:19:07 -07:00
Alex Schultz
f2147c9974 Ensure service log folder permissions
We should ensure that the service folders are 0750. We're setting
/var/log/containers but we should also ensure the service folders also
have the correct permissions.

Change-Id: I28e8017edc7e30a60288adf846da722fd6ab310e
2019-11-04 08:48:24 -07:00
Emilien Macchi
81258ae551 Convert container environment from a list to a dict
Moving all the container environments from lists to dicts, so they can
be consumed later by the podman_container ansible module which uses
dict.

Using a dict is also easier to parse, since it doesn't involve "=" for
each item in the environment to export.

Change-Id: I894f339cdf03bc2a93c588f826f738b0b851a3ad
Depends-On: I98c75e03d78885173d829fa850f35c52c625e6bb
2019-10-16 01:29:31 +00:00
Takashi Kajinami
a75cc9a953 Use /var/tmp on host to store temporal files for image upload via Horizon
Previously we used /tmp inside horizon container to store temporal files
for image upload via Horizon, but this makes the image size grow for
each upload operation.

This patch makes sure that we use host directory to store temporal
file, so that it is not written inside container.

Change-Id: Ic32e7a2db83bb5a0fb3c69708be9be96435dd030
Closes-Bug: 1840607
2019-08-19 13:36:17 +09:00
Carlos Camacho
8529ce60da Stop services for unupgraded controllers
Before we start services on upgraded bootstrap
controller (usually controller-0), we need to
stop services on unupgraded controllers
(usually controller-1 and controller-2).

Also we need to move the mysql data transfer
to the step 2 as we need to first stop the
services.

Depends-On: I4fcc0858cac8f59d797d62f6de18c02e4b1819dc
Change-Id: Ib4af5b4a92b3b516b8e2fc1ae12c8d5abe40327f
2019-08-07 19:23:11 +02:00
Bogdan Dobrelya (bogdando)
a1e580f039 Revert "Fix generating Apache configs by container-puppet"
fixes following issue coming on RHEL8 http://logs.rdoproject.org/openstack-periodic-master/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-rhel-8-standalone-master/11c7794/logs/undercloud/var/log/extra/podman/containers/keystone_db_sync/stdout.log.txt.gz

This reverts commit 80d12514d5cd3c20057bd01588e5d5d15d131ca9.

Change-Id: Ice566e90e468bc919872d0954d2d696f4554e00b
2019-08-02 13:54:35 +02:00
Chandan Kumar (raukadah)
c1269a6475 Revert "Wire-in Apache MPM module parameters and switch it"
This reverts commit 09cfcc1464dce0eb7c05caf42375290bbaae4199.

Change-Id: Ife71b124fa404050fcbcb2e041590a295076d6d9
2019-08-02 10:34:07 +00:00
Bogdan Dobrelya
09cfcc1464 Wire-in Apache MPM module parameters and switch it
Allow to configure Apache MPM module for the containerized API/WSGI'ish
services running Apache as a backend. Change the default from 'prefork'
to 'event', which is a low level change and should provide no sensible
upgrade impact. This alleviates the related heartbeats threading issue
arising with the monkey-patched eventlet.

Merge the missing ApacheServiceBase config settings for Octavia API,
Horizon and Ironic PXE. This is needed to apply the base Apache
service hiera settings, including MPM module switches, for those
as well.

Related-bug: #1829062

Change-Id: Ia65af7a9d6ae106a61ec52912bebba72830d5f28
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-07-31 10:18:46 +02:00
Bogdan Dobrelya
80d12514d5 Fix generating Apache configs by container-puppet
The changes listed below provide a single unit of work required to
configure Apache backend for WSGI-based OpenStack API services
w/o conflicts causing containers startup failures.

W/o this change /etc/httpd/conf.modules.d/00-mpm.conf shipped with RPM
or other conflicting httpd modules might remain in the containers
and cause startup failures. While puppet removes such conflicts from
the configuration, f.e. when switching MPM 'prefork' to 'event', and we
expect it never gets into container configs.

Make kolla extended start properly enforcing the wanted state of
/etc/httpd, including conf.d and conf.modules.d, and also any of the
removed by puppet files, like conflicting Apache MPM modules.

Add container-puppet tasks to ensure apache MPM configs generated
before the main config steps that require Apache started in the
service container.

Additionally, ensure consistent mirroring across config-data
paths for the container-puppet tool. Purge obsoleted/irrelevant files
in the destination (puppet-generated) before rsyncing new contents
into it.

Closes-Bug: #1835414

Change-Id: I3e5b4372a01b29bf13179d8a16acc36da9c5caab
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-07-31 10:18:30 +02:00
Jose Luis Franco Arza
d1035703b7 Force removal of docker container in tripleo-docker-rm.
The tripleo-docker-rm role has been replaced by tripleo-container-rm [0].
This role will identify the docker engine via the container_cli variable
and perform a deletion of that container. However, these tasks inside the
post_upgrade_tasks section were thought to remove the old docker containers
after upgrading from rocky to stein, in which podman starts to be the
container engine by default.

For that reason, we need to ensure that the container engine in which the
containers are removed is docker, as otherwise we will be removing the
podman container and the deployment steps will fail.

Closes-Bug: #1836531
[0] - 2135446a35

Depends-On: https://review.opendev.org/#/c/671698/
Change-Id: Ib139a1d77f71fc32a49c9878d1b4a6d07564e9dc
2019-07-19 12:37:35 +00:00
Zuul
903f680d45 Merge "Configure Horizon timezone according to the host timezone" 2019-06-18 20:36:56 +00:00
Zuul
14998e6a5d Merge "Convert Docker*Image parameters" 2019-06-18 08:01:14 +00:00
Goutham Pacha Ravi
1de24c4962 Re-enable manila dashboard
The Shared File Systems service (manila) provides
a dashboard plugin that needs to be enabled by
tripleo. It appears that it was disabled inadvertently
while triaging a bug with the dashboard and sqlite.

See: Launchpad bug #1766184
and associated commit: https://review.opendev.org/#/c/613186/

Change-Id: If4bc4ed0e9fa31e11a5a701dc57ffdf67aade861
Closes-Bug: #1832302
2019-06-10 23:35:57 -07:00
Dan Prince
a68151d02a Convert Docker*Image parameters
This converts all Docker*Image parameter variants into
Container*Image variants.

The commit was autogenerated with the following shell commands:

for file in $(grep -lr Docker.*Image --include \*.yaml --exclude-dir releasenotes); do
  sed -e "s|Docker\([^ ]*Image\)|Container\1|g" -i $file
done

Change-Id: Iab06efa5616975b99aa5772a65b415629f8d7882
Depends-On: I7d62a3424ccb7b01dc101329018ebda896ea8ff3
Depends-On: Ib1dc0c08ce7971a03639acc42b1e738d93a52f98
2019-06-05 14:33:44 -06:00
Carlos Goncalves
14436f915b Remove Neutron LBaaS
The project has been retired and there will be no Train release [1].
This patch removes Neutron LBaaS support in tripleo-heat-templates.

[1] https://review.opendev.org/#/c/658494/

Closes-Bug: #1831618
Change-Id: If13bbcdea82045d816485412f252c9b52bcf45a7
2019-06-04 15:12:38 +02:00
Michele Baldessari
114e5778f9 Remove the iptables rules set via service_config_settings
This breaks the rules for the haproxy stats access because it
shadows them. Let's remove these rules and move the iptables
rules for haproxy in puppet-tripleo where they should have
been in the first place, like for all other services.

Depends-On: I1325171ef60d7a7e3b57373082fcdb5487be939b
Change-Id: I2f177c930567b3a45f0d95cec4140f478f14a074
Closes-Bug: #1829338
2019-05-23 05:14:05 +00:00
Dan Prince
a52498ab4d Move containers-common.yaml into deployment
Change-Id: I8cc27cd8ed76a1e124cbb54c938bb86332956ac2
Related-Blueprint: services-yaml-flattening
2019-04-14 18:15:12 -04:00
Zuul
4fea9b81bf Merge "Remove tasks that stop and disable Horizon services." 2019-03-29 11:39:29 +00:00