Currently, multiple scripts are being stored in the
/var/lib/container-config-scripts directory. If any of these scripts
are being used during the update_tasks, the content won't be up to
date (or the script will be fully missing if added in a new release),
as the content of this folder is being updated during the deploy tasks
(step 1), which occurs after all the update_tasks.
This patch gathers the tasks responsible for the folder creation and
content update into a new playbook named common_container_config_scripts.yaml;
this way we can reference the tasks from the deploy-tasks step1 playbook
(as it was happening up to now) and invoke them before the update_tasks
playbook gets called.
Change-Id: I2ac6bb98e1d4183327e888240fc8d5a70e0d6fcb
Related-Bug: #1904193
The ipa dns acl validation needs to occur on the undercloud
rather than on the node, because in a new environment, the node
is not yet set up as an ipa client. That only happens in the
deploy_steps tasks.
I also removed the validation tags so that this check could be
done even if validations are not requested. The check itself
is not expensive, and troubleshooting the issue we're trying to
prevent is somewhat tricky. Much better to fail fast.
Change-Id: I021a2aa173f58e0e7cb37022b73ef17782033f70
Since this is needed by the conductor and the permissions need to be set
at boot via kolla, the directory needs to exist before the container
starts.
Change-Id: Iedb41537fbb9a3680b8cd00ec013cc23ae5be7d1
Closes-Bug: 1907272
This will allow folders and files created in that folder
(i.e. for /var/lib/ironic/images/*) to have the same group
ID (42422) and hence no permission issues.
Related-Bug: #1907272
Change-Id: Ib2ca2ca46ff4efa419b6b9236299e70b39f8639e
A resource lock is used as a synchronization point between
pacemaker cluster nodes. It is currently implemented
by adding an attribute in an offline copy of CIB, and merging
the update in the CIB only if no concurrent update has
occurred in the meantime.
The problem with that approach is that - even if the concurrency
is enforced by pacemaker - the offline CIB contains a snapshot
of the cluster state; so pushing back the entire offline CIB
pushes old resources' state back into the cluster. This causes
additional burden on the cluster and sometimes caused unexpected
cluster state transition.
Reimplement the locking strategy with cibadmin; it's a much faster
approach, that provides the same concurrency guarantees, and only
changes one attribute rather than the entire CIB, so it doesn't
cause unexpected cluster state transition.
Closes-Bug: #1905585
Change-Id: Id10f026c8b31cad7b7313ac9427a99b3e6744788
This file, and its tests, are not useful for tripleo so we're
removing them because they're now becoming problematic.
Change-Id: I4207e7f543f33dda640bf0784e54311c66ba4e30
Signed-off-by: Kevin Carter <kecarter@redhat.com>
tools/process-templates.py -c was failing with a traceback:
    FileNotFoundError: [Errno 2] No such file or directory: './network/config'
That directory was removed in commit 3c246d15d8, so we can remove trying to
clean it from process-templates.py.
Closes-Bug: #1907268
Change-Id: I9e07d82240dee7d066634b1cade1390fe62e8341
Signed-off-by: James Slagle <jslagle@redhat.com>
Setting nova::metadata::dhcp_domain will no longer work unless nova::metadata
is included.
Since I07caa3185427b48e6e7d60965fa3e6157457018c we no longer include
nova::metadata on computes.
So we must now set nova::dhcp_domain in nova-base instead of relying on the
deprecated nova::metadata::dhcp_domain param.
Closes-bug: #1905418
Depends-on: I98fe83e0c245388944529cd19b5e2bbed134e855
Change-Id: Iaf7823ea8d456008c1f4a3d7631657faa65eb6d3
Due to an existing BZ #1898664, dracut does not create the ramfs with the
vfio_iommu_type1 module, because of which loading vfio-pci during the initramfs
fails to load this module. Because of this, dpdk ports are added in ERROR
state. It requires an ovs restart to bring them to a normal state after ffu is
complete. As a workaround, the module-load file vfio-pci.conf is removed
before upgrade, which will ensure that vfio-pci is not loaded during initramfs
and it will be loaded when driverctl configures the vfio-pci driver to the
interface.
Closes-Bug: #1905533
Change-Id: I752a764a53e90fcb17e414d4900bb186fa689f45
Currently galera and ovn require a coordinated restart across
the controller node when certmonger determines the certificate
for a node has expired and it needs to regenerate it.
But right now, when the tripleo certmonger puppet module is
called to assert the state of the certificates, it ends up
regenerating a new certificate unconditionally. So galera and
ovn get restarted on stack update, even when there is no need to.
To mitigate these unnecessary restarts, disable the post-action
for now until we fix the behaviour of tripleo's certmonger puppet
module. This has the side effect that services won't get restarted
automatically if no stack update takes place until the certificate
expiration date is reached.
Related-Bug: #1906505
Change-Id: I17f1364932e43b8487515084e41b525e186888db
The resource name should be CinderBackendDellEMCPowerFle instead of
CinderBackendPowerFlex.
Change-Id: Idbeda0d219a231e050a7d11040a7e41adfdddd18
Closes-Bug: #1903634
Added RabbitTCPBacklog to allow overriding the connection
backlog for RabbitMQ. The current limit is set to 4096, but in
some scenarios with larger deployments this may be insufficient.
Change-Id: Ibcab8c20a4effcf64932d2fb7e3ed2354012f5f3
Sometimes cloud-init does not finish before we start applying
configs with ansible/puppet, which can lead to issues. This would
ensure that cloud-init has finished before ansible/puppet
configs.
With os-collect-config we used to ensure that with:

    $ sudo cat /usr/lib/systemd/system/os-collect-config.service
    [Unit]
    Description=Collect metadata and run hook commands.
    After=cloud-final.service
    Before=crond.service

With baremetal provisioning after config-drive support, this
would also be useful when firstboot config is used.
Change-Id: I35c7c1610af08b33497f43090761aaa55d3a9efc
With I7f583d18e558b95922a66eb539cc91de74409c96 certificates are
moved to use bind mounts and in case of UseTLSTransportForNbd
to create the required certificates even if UseTLSTransportForNbd
is set to False. In case UseTLSTransportForNbd is False, the
compute node still needs the qemu metadata to have permissions
to request the certificates for the nbd tls use case.
Change-Id: Ibba61afbeb3957a955aa6d75e8258279a60fd141
This patch adds support for two new options in barbican.conf for the
PKCS#11 backend plugin: [p11_crypto]token_label and
[p11_crypto]token_serial_number by adding two new parameters
to the Barbican deployment BarbicanPkcs11CryptoTokenSerialNumber
and BarbicanPkcs11CryptoTokenLabel.
This patch also simplifies the use of barbican-manage to generate
the MKEK and PKEK in the HSM backend by using the values provided
in barbican.conf instead of duplicating them on the command line.
For the Thales Luna Network device, this patch uses the label
parameters to identify the partition to be used. Because we are
using labels we no longer need to write the runtime generated
Slot ID of the HA group into hieradata.
Depends-On: I4e86e73bbdef0e16d3699cec1cc8f7e17dfb643b
Change-Id: Id05acb6516daa62279c9aade41256bcec7c5fce7
Tag was added to neutron port resources in:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/761845
Tags previously added were prefixed with 'tripleo_'. This
change adds the 'tripleo_' prefix to the tags on neutron
port resources as well.
Partial-Implements: blueprint network-data-v2-ports
Change-Id: I0fa2230ae4f8ff4fdc6fc4b79e7bdcf3bdff342f
Add a group_var carrying all enabled overcloud
networks. The multi-nic templates should iterate
over all the networks in the order they appear in
network_data.yaml to allow maintaining the
network to nicX contract that existed in the Heat
multi-nic config templates.
Change-Id: I69fa208d160f1ae2cb2cc252d9b7852ada9e96f0
Related-Bug: #1904894
In some cases, such as a RHEL7>RHEL8 upgrade, leapp or NetworkManager may
change resolv.conf. This patch invokes os-net-config on step3 to ensure
that network parts are configured properly (interfaces, resolv.conf).
Since os-net-config is idempotent, it causes no harm or packet loss to
the undercloud.
Change-Id: I0b2f28cd3d92795802e51c69d975826af0ee86ee
Resolves: rhbz#1870617
Update the cinder-lvm-losetup systemd service to wait until the local
/var directory is mounted and the lvm2-monitor service has started
prior to creating the loopback device used by cinder's LVM backend.
Make LIO SCSI target data persistent by adding container volume mounts
for the /etc/target directory so that the data is stored on the host.
Closes-Bug: #1905617
Change-Id: I0c0cbed3a41e8d4b1fbaf5c2dc7fd0412fee644a
https://review.opendev.org/q/I8df21d5d171976cbb8670dc5aef744b5fae657b2
introduced THT parameters to set libvirt/cpu_mode. The patch wrongly sets
NovaLibvirtCPUMode to the 'none' string, which results in puppet-nova
not handling the default cases correctly and setting libvirt/cpu_mode to
none, which results in the 'qemu64' CPU model, which is highly buggy and
undesirable for production usage. This changes the default to the
recommended CPU mode 'host-model', for various benefits documented
elsewhere.
Closes-Bug: #1905544
Change-Id: Iea8cccd77caac4b84764d84a213918ed57bd4e3e