1090 Commits

Author SHA1 Message Date
Damien Ciabrini
ae453229a8 Less aggressive cleanup of docker containers in post_upgrade_tasks
"system prune -a -f" deletes unused container images, as well as
containers which are stopped. This removes useful HA containers
*_init_bundle and *_restart_bundle, which makes debugging more
complex. This also removes tags whose image id are used by
pacemaker HA container.

Reduce the effect of cleanup by keeping stopped containers, which
in effect ensures that we also keep the tags used by HA containers.

Note: keep the aggressive cleanup for upgrade_tasks, because
they are always followed by deployed tasks, which recreate the
missing containers.

Note2: This doesn't apply for podman containers, whose cleanup
looks similar but is not as aggressive.

Change-Id: I936fb965687b961602e677bcca72f403121cbb0d
Closes-Bug: #1846368
2019-10-17 15:40:18 +02:00
Harald Jensås
6e202df4ea Fix Ironic configuration for IPv6
When using IPv6 for provisioning baremetal nodes ironic.conf
needs:
  - [pxe]/ip_version must be set to '6'. Add parameter
    IronicIpVersion.
  - [deploy]/http_url must have the IPv6 address wrapped.
    Use the $NETWORK_uri value from hiera which carries
    an ip address fit for use in url.

Related-Bug: #1845746
Depends-On: Ib29adccc8378bd3e2a46b7d2ca3cfacba55e7674
Change-Id: I6384e11dd68cdbf2179545caae2c818fd1a6b23e
2019-10-01 06:13:19 +00:00
Zuul
bf055342a2 Merge "Move Octavia agent containers to step 5" 2019-10-01 03:52:18 +00:00
Zuul
ee44e97440 Merge "Add second fact to ensure type safety" 2019-10-01 02:58:54 +00:00
Zuul
c370491c82 Merge "nova-libvirt: set 'cpuset_cpus' to 'all'" 2019-09-30 23:01:43 +00:00
Oliver Walsh
1761fc81c2 Temporarily disable nova inflight healthchecks to unblock the gate
Change-Id: I8b687dcf7b36730a282e2091566a15a7ddc6fd23
Related-bug: #1843555
2019-09-30 12:44:42 +01:00
Zuul
c2d4816840 Merge "Give the OVN DBS service a separate Vip" 2019-09-29 18:48:25 +00:00
Zuul
50f02ff9b9 Merge "Ironic: disallow deployment and cleaning in maintenance mode" 2019-09-28 03:18:02 +00:00
Kevin Carter
51469aab2e Add second fact to ensure type safety
The logins json can be both a hash and a string, depending on how it is
being set by the deployer. To ensure that we're able to cover both cases
this change will test the initial data type and react accordingly.

Change-Id: I443bc36ca8808e1547da37f207b011031120067f
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-09-27 14:47:05 -05:00
Slawek Kaplonski
09cd8785bc Update names of Rsyslog container Image variables
Names used in rsyslog-container-puppet.yaml, with "Docker"
were outdated. Correct names are with "Container" instead of
"Docker" and this commit updates that.

Change-Id: Id599d3d121926c66c190f299094b53b484175d35
2019-09-26 16:59:58 +02:00
Zuul
6006dae5c2 Merge "Add heat templates to deploy mellanox neutron agent" 2019-09-25 21:10:10 +00:00
Zuul
0f48e4329f Merge "Adapt ContainerImagePrepareDebug to the string pattern" 2019-09-25 20:36:37 +00:00
Hamdy Khader
cd243da101 Add heat templates to deploy mellanox neutron agent
- configures mlnx_conf.ini neutron file
  - creates two containers on the compute node (neutron_mlnx_agent, eswitchd)
  - add networking-mlnx package to neutron_server and nova_compute

Depends-On: Ib7d9b4a3dd360911eb500e820cb129c6463900ed
Depends-On: I31fd5223ce528c4fe0ee0fe1b8f7ed8cdf38a796
Depends-On: Ibd817a4a34ee2944ee86b4a47e7621637d258da3
Change-Id: Iee636c6d0d52bd17148c93f797d01cf69906802e
2019-09-24 16:50:40 +03:00
Zuul
018ff067f3 Merge "Fix selinux context for glance-api" 2019-09-24 00:18:03 +00:00
Emilien Macchi
1d11972b10 Adapt ContainerImagePrepareDebug to the string pattern
Like other *Debug parameters, make it so we first look for
ContainerImagePrepareDebug to be set, otherwise we fallback to Debug;
like we already do in all other OpenStack services.

Change-Id: I0f18b475c69a8ba71b06f517e87caf0d5c209fbb
2019-09-23 19:14:41 -04:00
Zuul
25b544f3cc Merge "Use _uri which is wrapped if IPv6 for ironic tftp" 2019-09-23 19:22:09 +00:00
Dmitry Tantsur
036946bc7d Ironic: disallow deployment and cleaning in maintenance mode
This is a common source of confusion for users since ironic essentially
gets stuck in "wait call-back" or "clean wait" state. See e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=1712561

Depends-On: https://review.opendev.org/#/c/683970/
Change-Id: I3b3f6037970e741f93549878e4e36d36297be9c3
2019-09-23 16:15:14 +02:00
Michele Baldessari
176b30649b Give the OVN DBS service a separate Vip
This change (with its dependent reviews) creates a separate VIP for the OVN DBS
service. A more detailed explanation can be found in https://bugs.launchpad.net/tripleo/+bug/1841811.
The short explanation is that the OVN DBS HA service puts some additional constraints on the VIP it
uses and that is problematic when that VIP is used by other services (e.g. a change in OVN DBS master
will move the VIP and will also reset all mysql connections. It also prevents us splitting OVN DBS from
where haproxy runs).

Tested as follows:
A) Deployed a master environment with this review and all its dependencies and correctly obtained
an OVN DBS service with its own Vip and the OVN services
(controller/metadata) pointing to this separate Vip

B) Deployed a master environment as is and then applied this review +
dependencies and observed that a redeploy correctly created a new VIP,
reconfigured the services to point to the new VIP and that the old
obsolete constraints created around the per-network VIP were removed

Closes-Bug: #1841811

Depends-On: Ic62b0fbc0fee40638811a5cd77a5dc5a4d82acf5
Change-Id: I620e37117c26b5b51bf9e1eda91daeb00fdf0f43
2019-09-23 13:05:39 +00:00
Zuul
41dcc097ba Merge "Support deploying multiple Cinder Pure Storage backends" 2019-09-23 10:21:57 +00:00
Zuul
cbfaa7f41f Merge "Delete deprecated nova-consoleauth-container-puppet.yaml" 2019-09-22 19:53:50 +00:00
Zuul
6d687626c9 Merge "Enable "port_forwarding" feature in neutron ML2 ovs environment" 2019-09-21 20:59:10 +00:00
Zuul
3bc6e43fbe Merge "Don't run keystone_cron container if fernet token is used" 2019-09-20 23:56:52 +00:00
Zuul
1f08348e56 Merge "Add new parameter options to Octavia service" 2019-09-20 15:47:19 +00:00
Slawek Kaplonski
95f889720c Enable "port_forwarding" feature in neutron ML2 ovs environment
This patch enables port_forwarding service plugin and L3 agent's
extension in case of ML2/OVS environment.
It doesn't enable it in ML2/OVN cases as networking-ovn doesn't support
port_forwarding yet.

This patch also adds NeutronL3AgentExtensions config option for
Neutron L3 agent.
This new option is used to enable "port_forwarding" extension on L3
agent.

Change-Id: I2417f9f6a436ae7a3820e16fdf6210099807b651
2019-09-20 14:59:37 +00:00
Harald Jensås
d2b607c976 Use _uri which is wrapped if IPv6 for ironic tftp
Use $NETWORK_uri for ironic::pxe::tftp_bind_host so that
the wrapped ip address is picked up from hieradata when
IPv6 is used.

Closes-Bug: #1844713
Change-Id: I874d5eb401113fb9a1664be0b3cd29e76756d970
2019-09-19 22:01:30 +02:00
Zuul
a187c5eab9 Merge "Add IPv6 condition to set to the local_address" 2019-09-19 19:09:37 +00:00
Martin Schuppert
16a2a07d90 Delete deprecated nova-consoleauth-container-puppet.yaml
nova-consoleauth got deprecated with b4e4878b838c6f773f5f36f61a71fc89fd010257,
let's remove it now.

Change-Id: Ia6d985251c3db4a8c4b81c61a9993f36e8329195
2019-09-19 09:30:48 +02:00
Zuul
979d4968c6 Merge "Add redis password for ml2 ansible coordination" 2019-09-19 04:44:51 +00:00
Alan Bishop
aa1f4bf621 Fix selinux context for glance-api
Remove the z flag from glance-api's service directory. The service
directory does not need to be shared with other containers, and
podman fails to apply setting when glance is using NFS (i.e.
/var/lib/glance/images is a mount point).

Also update the NFS mount options to use svirt_sandbox_file_t, which
is consistent with the parent service directory.

Closes-Bug: #1834857
Closes-Bug: #1844465
Change-Id: I7e135615fb53815ce14a3bcfec42b28f86d6dbae
2019-09-18 05:47:56 -07:00
Carlos Goncalves
f924a35d70 Add new parameter options to Octavia service
This patch adds three new parameters:

1. OctaviaConnectionMaxRetries
2. OctaviaBuildActiveRetries
3. OctaviaPortDetachTimeout

The default values are the same as in octavia and puppet-octavia master
branches as of now.

Depends-On: https://review.opendev.org/#/c/682636/
Change-Id: Id5f7bb2160215170561f39015ddfdb93cba904b5
2019-09-17 18:03:05 +02:00
Emilien Macchi
1cbc1ee387 nova-libvirt: set 'cpuset_cpus' to 'all'
nova-compute-libvirt should be able to run on any CPU, as it launches VMs on
isolated CPUs (they are isolated to be dedicated to run vCPU).

This patch makes sure the right container configuration is applied with
Paunch.

Change-Id: I9b8893e4812a7a3f71bd75f66004ed8d6f67b3d1
2019-09-17 10:39:59 -04:00
Takashi Kajinami
f9d7f64e14 Don't run keystone_cron container if fernet token is used
Fernet tokens do not need to be persisted in the database, so we
don't need to run a cron job to flush expired tokens.

Depends-on: https://review.opendev.org/#/c/682512/
Change-Id: I760d2b721a1dbb83c203f9192b7639193698fd66
2019-09-17 09:40:35 +09:00
Brent Eagles
914a93f012 Move Octavia agent containers to step 5
Octavia uses external deploy steps to complete configuration of the
support services, requiring a restart to pick these changes up if the
services are started in step 4. This patch moves the startup of these
services to step 5 avoiding the need for restarting.

This was actually causing an issue with healthchecks as the restart was
happening during the restart.

Change-Id: I4d7d322c2d64ed06b71ab0da049cf92f5a8e8d8a
Related-Bug: #1843981
2019-09-16 14:44:13 -02:30
Zuul
9fde6321e0 Merge "Revert Add OvnDbInternal to EndpointMap and use it for ovn_db_host" 2019-09-16 16:18:51 +00:00
Kevin Carter
ba0ad3a65c Add IPv6 condition to set to the local_address
This change re-adds the local_address IPv6 condition to the kernel
template. This will ensure that the local address is always set using
our expected conditions.

Depends-On: I20e69315bacdded4bc2d5b47e18609f130f8abc5
Change-Id: I01d0f20f6f78d235f99f51f75bcefe675dc0dee5
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
2019-09-16 12:42:16 +00:00
Zuul
447c8e19f1 Merge "Wait for first healthcheck before running validation tasks" 2019-09-14 17:47:34 +00:00
Zuul
fdfe6db045 Merge "Enable deep_compare by default for stonith resources" 2019-09-14 12:05:48 +00:00
Oliver Walsh
c919f1b65b Wait for first healthcheck before running validation tasks
The systemd healthcheck timer first triggers 120s after activation.
The initial value for ExecMainStatus is 0, resulting in false positives if we
check this too early.
This change waits (up to 5 mins) for ExecMainPID to be set and the service to
return to an inactive/failed state.

Change-Id: Iad4ebb283a7a6559b6fffead4145cc9bbad45e4e
Depends-On: Ia2897a6be3e000a9594103502b716431baa615b1
Related-bug: #1843555
2019-09-14 02:15:58 +00:00
Zuul
247191dcbc Merge "Fix nova-conductor healthcheck RPC port" 2019-09-13 19:33:53 +00:00
Zuul
da206cabea Merge "Skip systemd healthcheck validation on docker" 2019-09-13 19:08:57 +00:00
Emilien Macchi
91e8ed328a Support deploying multiple Cinder Pure Storage backends
CinderPureBackendName is enhanced to support a list of backend names,
and a new CinderPureMultiConfig parameter provides a way to specify
parameter values for each backend. For example:

parameter_defaults:
  CinderEnableIscsiBackend: false
  CinderEnablePureBackend: true
  CinderPureBackendName:
    - tripleo_pure_1
    - tripleo_pure_2
  # These will be the default parameter values for each backend.
  CinderPureStorageProtocol: 'iSCSI'
  CinderPureUseChap: false
  CinderPureMultipathXfer: true
  CinderPureImageCache: true
  # Use CinderPureMultiConfig to override values in specific backends.
  CinderPureMultiConfig:
    tripleo_pure_1:
      CinderPureSanIp: '10.0.0.1'
      CinderPureAPIToken: 'secret'
    tripleo_pure_2:
      CinderPureSanIp: '10.0.0.2'
      CinderPureAPIToken: 'anothersecret'
      # This will take precedence over the default value.
      CinderPureUseChap: true

Co-Authored-By: Alan Bishop <abishop@redhat.com>
Depends-On: Ia7cc82f5eb4e228a43e47624d87e319ac5340268
Change-Id: I1083ef9893dede234b4cafd9888c898fa0e31077
2019-09-13 07:36:42 -07:00
Oliver Walsh
5089d09ba6 Fix nova-conductor healthcheck RPC port
It currently assumes the default RPCPort.

Change-Id: Idbb1738db0f4cc3efb9005c2bfee188d3a9ef5be
Closes-Bug: #1843890
2019-09-13 13:12:52 +01:00
Luca Miccini
9f2ab2b88b Enable deep_compare by default for stonith resources
With this commit we enable deep_compare by default, allowing stonith
resources to be updated via stack update.

Co-Authored-By: Michele Baldessari <michele@acksyn.org>

Depends-on: https://review.opendev.org/#/c/681778/
Depends-on: https://review.opendev.org/#/c/679407/
Change-Id: I330698f41cc092bdeb741c0b9c729264cf2cb28c
2019-09-13 10:09:12 +00:00
Zuul
b8eba3cf60 Merge "Resolve broken zaqar container caused by logging issues" 2019-09-12 23:50:07 +00:00
Oliver Walsh
84a3cc1afd Skip systemd healthcheck validation on docker
The validation tasks added in I2c044e3d2af7f747acde5ad3bf256386b8c550a3 are not
valid on docker. As it's now deprecated we can just skip them.

Change-Id: I4ff530af8ad7f864b8038e5e509ec38840096c5d
Related-bug: #1842687
2019-09-12 14:56:26 -04:00
Michele Baldessari
e3b528af4f Revert Add OvnDbInternal to EndpointMap and use it for ovn_db_host
We revert I0d9eb663405d1113ea84e3c12651a3f0dbdfc75d and we instead
export ovn_dbs_vip on all nodes so it can be used in cells. Reason for this
is that we want a separate VIP for OVN because a) composable roles and b)
we do not want to impose the extra promote master constraints on the internal_api
VIP which ends up being used by OVN.

In the same vein as I7ca94dff4acf0816708110b9fe6f78d19dcc7b4d
(Move redis_vip to all_nodes.j2) we will have the ovn_dbs_vip moved
to all nodes (via I1d80587752ffca6c3eb5281aa89ea3d7cf5535ce).

Depends-On: I1d80587752ffca6c3eb5281aa89ea3d7cf5535ce

Change-Id: I4e4bf0a91751fb4f9e4c7233242cdc5649c421f8
Related-Bug: #1841811
2019-09-12 11:55:59 +00:00
michaeltchapman
d2314a92cd Add redis password for ml2 ansible coordination
networking-ansible-ml2 added a requirement for tooz coordination
which needs a redis password.

Change-Id: Iea42f5ad4830e290277f443082eed4f9275eabaa
2019-09-11 19:07:32 +10:00
Zuul
dcd2c5b339 Merge "Correct SELinux type for host openvswitch logs" 2019-09-10 16:35:19 +00:00
Kevin Carter
4579d42e8d Resolve broken zaqar container caused by logging issues
The zaqar container is broken due to the log file being owned by root. When
the zaqar-server log file is unable to be written to by the zaqar process
it causes a traceback resulting in 500 errors. This change ensures that the
zaqar log directory has the proper permissions and that the log file within
the directory is created when the container is started. A sticky bit is
being used on the zaqar log directory to ensure all files created within
the directory retain group expected permissions in almost all circumstances.

Change-Id: I63442f0bdec11179c361f503906166f75c5e0355
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-09-10 11:31:28 -05:00
Zuul
33791111cb Merge "nova: use systemd to check container healthchecks" 2019-09-10 01:12:24 +00:00