3088 Commits

Author SHA1 Message Date
Jenkins
d291083e7f Merge "Add hook to generate metadata from service profiles" 2016-12-22 12:08:12 +00:00
Jenkins
58f3d248ba Merge "Add a per service bootstrap node variable" 2016-12-22 11:58:32 +00:00
Juan Antonio Osorio Robles
d2da59065d Add hook to generate metadata from service profiles
This enables the deployer to dynamically add nova metadata to the
servers based on the output of service profiles that implement the
metadata_settings key in the role_data output for the profiles.

One can set an implementation via the OS::TripleO::ServerMetadataHook
resource, which currently is set as OS::Heat::None. So, because of
the default implementation, if left untouched it actually does
nothing.

Currently, besides the list, which is metadata_settings, this hook also
takes the name of the node that it's setting the metadata for.

This is useful for nova vendordata plugins that can parse said metadata.

Change-Id: I8a937f711f0b90156fbb6c4632760435ef846474
2016-12-22 10:06:17 +00:00
Jenkins
33bdba26d6 Merge "Use df instead of findmnt in cephstorage upgrade scripts" 2016-12-21 21:09:36 +00:00
Jenkins
4a7e093a6b Merge "Add "deployed server" fake neutron ports" 2016-12-21 14:52:36 +00:00
Jenkins
64d720a40d Merge "Synchronize NetworkDeployment inputs for generic roles" 2016-12-21 13:53:48 +00:00
Michele Baldessari
8d796ea0e4 Add a per service bootstrap node variable
In order to call commands that need to be run on a single node, we
create a new per-service variable that will contain the first node of
each role containing the service.

Change-Id: I03e8685f939e8ae1fcd8b16883b559615042505d
Partial-Bug: #1615983
2016-12-21 11:52:57 +01:00
Jenkins
6ec44d98b4 Merge "Make the openvswitch 2.4->2.5 upgrade more robust" 2016-12-21 10:28:54 +00:00
Jenkins
aed9e1b9c1 Merge "net-conf: make bridge and interface name optional" 2016-12-21 09:36:29 +00:00
Jenkins
b9cab21630 Merge "Set the default event pipeline publisher" 2016-12-20 20:25:44 +00:00
Jenkins
7246700889 Merge "Use OS::Heat::DeployedServer" 2016-12-20 20:24:22 +00:00
Pradeep Kilambi
696bb73165 Set the default event pipeline publisher
Since we have aodh enabled for alarms, we should set the
notifier to the default queue alarm.all.

Closes-bug: #1590473

Change-Id: Ibcb5076424ac2ddcd18ff717d82da1aec4c035cb
2016-12-20 10:37:14 -05:00
Jenkins
08bc584cd6 Merge "Expose param to enable legacy ceilometer api" 2016-12-20 14:57:47 +00:00
Jenkins
78f377c163 Merge "Move UpgradeInitCommand to role templates" 2016-12-20 14:46:54 +00:00
Jenkins
c2e00128aa Merge "Run upgrade steps before post-deploy config" 2016-12-20 14:45:57 +00:00
Jenkins
58d711e29f Merge "Remove unused attr from templates" 2016-12-19 23:32:48 +00:00
Jenkins
cc2c3f96b6 Merge "Revert "Switch mistral to use authtoken configuration"" 2016-12-19 23:32:12 +00:00
Ben Nemec
997690ba31 Revert "Switch mistral to use authtoken configuration"
It turns out the puppet-mistral change this depends on broke
introspection, so we need to back it out for now.

This reverts commit ed029e5bf279945e82bff8766af4093856a7ac6a.

Change-Id: I828478267935cdc68aa24de8c9dc2d12fcadb631
2016-12-19 20:34:46 +00:00
Jenkins
a788c006df Merge "Switch mistral to use authtoken configuration" 2016-12-19 18:46:25 +00:00
Jenkins
299c301925 Merge "Add a type for the ControlVirtualIP resource" 2016-12-19 15:05:02 +00:00
Jenkins
2d16279117 Merge "Correction to SRIOV THT Examples" 2016-12-19 13:20:47 +00:00
Steven Hardy
c568891000 Move UpgradeInitCommand to role templates
We can't run this during the upgrade steps, because there are things
which need to happen before any role configuration happens, e.g.
installing the new hiera heat-config hook, which must be done before
e.g. "ControllerDeployment" runs or the stack update hangs.

Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I365b57513590662c3f78a33dc625747f457c48c5
2016-12-19 11:04:47 +00:00
Steven Hardy
58c6988751 Run upgrade steps before post-deploy config
For some upgrade scenarios, e.g. all-in-one deployments, it may
be possible to run the upgrade steps, then apply puppet in one
stack update, so reverse the order here.  For normal deployments
the upgrade steps are mapped to OS::Heat::None so this will have
no effect.

Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I3c78751349a6ac2bc5dff82f67bffe13750ac21c
2016-12-19 11:04:47 +00:00
Jenkins
b8a4e40cf2 Merge "Set rabbitmq's port and IP via the config file and not the env file" 2016-12-19 08:54:27 +00:00
Jenkins
3f2242d05e Merge "Introduce role-specific nova-server-metadata" 2016-12-19 07:45:05 +00:00
Jenkins
6111d9ccf5 Merge "Enable SECURE_PROXY_SSL_HEADER option for horizon" 2016-12-19 07:41:31 +00:00
Jenkins
d78e6c2822 Merge "Use hostname -s instead of hostnamectl --transient" 2016-12-17 22:47:00 +00:00
Dan Prince
9313e18f30 Add "deployed server" fake neutron ports
This patch swaps out the noop ctlplane port for a more
proper fake neutron port stack. This stack is a swap
in for the OS::Neutron::Port heat resource and can be
controlled via the DeployedServerPortMap parameter.

By relying on <hostname>-<network> naming conventions in the
map we can map IPs to specific servers without using the
Neutron API. This will allow us to inject IP information
into the Heat stack within the new t-h-t undercloud installer
which currently does not run a Neutron service.

Change-Id: I29fbc720c3d582cbb94385e65e4b64b101f7eac9
2016-12-17 09:54:57 -05:00
Dan Prince
c6f4d5bf90 net-conf: make bridge and interface name optional
Update the run-os-net-config.sh so that we make the
bridge_name and interface_name parameters (supplied by
the SoftwareConfig) optional. This allows operators to
create custom network templates to be used on roles other than
compute and controller which appear to be the only two roles which
set bridge_name and interface_name parameters.

Change-Id: I8997cf8177c1bf0e1f19de5f93dc4e81da1a951f
2016-12-17 09:46:03 -05:00
Juan Antonio Osorio Robles
3078533eef Introduce role-specific nova-server-metadata
We could already pass metadata to the nova server instances (on
creation) via the ServerMetadata parameter, however, there was no
way of doing this per-role. This introduces that by adding a
{{role}}ServerMetadata parameter for each role. This parameter gets
merged with the ServerMetadata parameter and allows this
functionality.

Note that both default to {}, and so does the result of merging those
parameters with their default values. So nothing changes for the
default settings.

Change-Id: I334edcc51ce7ee82fc13b6cf4c0d74ccb7db099c
2016-12-16 13:46:15 +02:00
Dan Prince
b3e5f8e821 Add ZaqarApiNetwork to the service net map
Without this Zaqar API will fail to run due to a missing bind
IP address in the config file.

Change-Id: Icd0a6e85b7455e89f37f05399146d5e743359da8
Closes-bug: #1650307
2016-12-15 10:23:12 -05:00
Jenkins
713a0326e4 Merge "Deployed server: switch to apply-config hook" 2016-12-15 05:59:48 +00:00
Dan Prince
4e8d5aa2c3 Use hostname -s instead of hostnamectl --transient
This patch updates the deployed-server interface to use a
simple hostname -s. The previous hostnamectl --transient
can pick up extra domain name configuration in some cases
that can cause very odd hostname generation if used
with the tripleo-heat-template host file generation.

This would actually break the new undercloud t-h-t installer
in that some of the /etc/hosts entries would be invalid
(no IP address) due to substring replacements failing in
a variety of odd hostname situations. Simplifying the
hostname of deployed servers to just the short version seems
the most sensible way to avoid all this.

Change-Id: Ia7e636d021f948ea5234475cef02f666d8ce6999
2016-12-14 15:48:07 -05:00
marios
afcb6e01f3 Make the openvswitch 2.4->2.5 upgrade more robust
In I9b1f0eaa0d36a28e20b507bec6a4e9b3af1781ae and
I11fcf688982ceda5eef7afc8904afae44300c2d9 we added a manual step
for upgrading openvswitch in order to specify the --nopostun
as discussed in the bug below.

This change adds a minor update to make this workaround more
robust. It removes any existing rpms that may be around from
an earlier run, and also checks that the rpms installed are
at least newer than the version we are on.

This also refactors the code into a common definition in the
pacemaker_common_functions.sh which is included even for the
heredocs generating upgrade scripts during init. Thanks
Sofer Athlan-Guyot and Jirka Stransky for help with that.

Change-Id: Idc863de7b5a8c116c990ee8c1472cfe377836d37
Related-Bug: 1635205
2016-12-14 19:15:11 +02:00
Juan Antonio Osorio Robles
de923539c8 Set rabbitmq's port and IP via the config file and not the env file
The RabbitMQ's puppet manifest configures the node's IP and port through
environment variables. While this would usually be fine, it doesn't
allow us to use TLS-only, since it will always try to start a TCP
listener. So, by setting these values through the config file, when
setting ssl_only for rabbitmq, they will effectively be discarded and
thus allow us to use an SSL listener on the same port.

Change-Id: I33d051a8c740baf69b99517378e1f9b0f3cc1681
2016-12-14 14:06:21 +02:00
Juan Antonio Osorio Robles
db31ff5e5a Enable SECURE_PROXY_SSL_HEADER option for horizon
This makes Django take the X-Forwarded-Proto header into account
when forming URLs.

Change-Id: Ice64de9a11d7819ae7f380279ff356342d9b6673
Depends-On: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
2016-12-14 08:32:48 +00:00
James Slagle
d49173b9be Synchronize NetworkDeployment inputs for generic roles
The inputs on the NetworkDeployment SoftwareDeployment resource were not
the same for generic roles as they were for the default roles
(role.role.js.yaml vs. controller-role.yaml).

This patch synchronizes the input between the 2 so that the interface is
the same for deployers.

Change-Id: Id14cf7ca219aee61f5b9d21171a5c41dea765f98
Implements: blueprint multinode-ci-os-net-config
2016-12-13 16:58:10 -05:00
James Slagle
0097da7710 Use OS::Heat::DeployedServer
The new DeployedServer resource in Heat will provide a native resource
for Server resources that are not orchestrated via Nova. This will allow
associating SoftwareDeployment's with servers that have not been
launched with Nova with Heat directly.

With the new resource, all of the SoftwareConfigTransport methods are
available, including POLL_TEMP_URL. This patch also updates the
get-occ-config.sh script to configure the requests collector in
os-collect-config.conf on the deployed servers.

Change-Id: I4b80421088acca709fe3f92741c5c052be483131
Partially-implements: blueprint split-stack-software-configuration
Depends-On: I07b9a053ecd3ef4411b602bbc6ef985224834cf8
2016-12-13 15:50:29 -05:00
Jenkins
1e88f87523 Merge "Don't rely on lsb_release for hosts template write" 2016-12-13 14:36:20 +00:00
Jenkins
99a2a2f414 Merge "docker: don't use custom run-os-net-config" 2016-12-13 14:35:29 +00:00
Giulio Fidente
623c249782 Use df instead of findmnt in cephstorage upgrade scripts
There are scenarios in which findmnt will return a list of all
mounted filesystems, which causes the upgrade script to fail in
recognizing if the Ceph OSD is backed by ext4.

Change-Id: Iadebdc32b523c05216202b782ceb54bec4389413
Closes-Bug: #1649407
2016-12-12 22:37:48 +01:00
Jenkins
326fb47bfa Merge "Add FreeIPA enrollment template" 2016-12-12 09:22:00 +00:00
Dan Prince
5938731160 Add a type for the ControlVirtualIP resource
This patch adds a new type called:
  OS::TripleO::Network::Ports::ControlPlaneVipPort

This defaults to a normal OS::Neutron::Port object but can
be mocked out for some implementations like when installing
the undercloud where neutron doesn't exist.

Change-Id: Iebf2428432a98a9d789b206ce973599adbc0af8f
2016-12-11 14:44:35 -05:00
Alex Schultz
ed029e5bf2 Switch mistral to use authtoken configuration
The upstream puppet module is adding the proper keystone authtoken
middleware support. This change updates THT to use the keystone
authtoken class rather than the deprecated settings. This also allows
for proper keystone v3 integration.

Change-Id: Iaf82716122a25e3e0785de1250d24edaaa5e4d04
Depends-On: I71969ef09018f9daa5f81c4f3bcbdb0b0974446c
2016-12-10 15:58:20 -07:00
Jenkins
0cd7cbdd6f Merge "Add NIC config for compute role for DVR with multiple NICs" 2016-12-10 00:19:36 +00:00
Pradeep Kilambi
c0cbbd5c4b Expose param to enable legacy ceilometer api
Change-Id: I75815a4bcbf421597abb86226238b74a9afffc0d
Depends-On: Iffb8c2cfed53d8b29e777c35cee44921194239e9
2016-12-09 17:34:39 -05:00
Juan Antonio Osorio Robles
7611f45722 Add FreeIPA enrollment template
This is based on previous work [1] and it's what I've been using to
test the TLS-everywhere work.

This introduces a template that will run on every node to enroll
them to FreeIPA and acquire a ticket (authenticate) in order to be
able to request certificates.

Enrollment is done via the ipa-client-install command and it does
the following:

* Get FreeIPA's CA certificate and trust it.
* Authenticate to FreeIPA using an OTP and get a kerberos keytab.
* Set up several configurations that are needed for FreeIPA (sssd,
  kerberos, certmonger)

The keytab is then used to authenticate and get an actual TGT
(Ticket-Granting-Ticket) from Kerberos.

The previous implementation used a PreConfig hook, however, here it
was modified to use NodeTLSCAData. This has the advantage that it
runs on every node as opposed to the PreConfig hook where we had to
specify the role type so it's a usability improvement. And, on the
other hand, this does set up necessary things for the usage of
FreeIPA as a CA, such as getting the certificate and enrolling to the
CA.

[1] https://github.com/JAORMX/freeipa-tripleo-incubator

bp tls-via-certmonger

Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
2016-12-09 16:07:54 +02:00
Steve Baker
f592e195e2 Don't rely on lsb_release for hosts template write
This is problematic for the containerised heat-agents, lsb_release has
to be bind-mounted in, and atomic host doesn't even have lsb_release
installed.

Instead just write to every /etc/cloud/templates/hosts.*.tmpl file.

Change-Id: If2aab7e9b1e03aa657baf1c33aa4392ef7044075
2016-12-08 20:09:26 +00:00
Steve Baker
bb73874310 docker: don't use custom run-os-net-config
The script run-os-net-config[1] copies in ifcfg-* from the host before
running os-net-config. Apparently it was done this way because the
other scripts in /etc/sysconfig/network-scripts/ differed between host
and agent container. This should be less of an issue now that host and
heat-agents run centos-7 (even when the host is atomic).

tripleo-heat-templates recently changed to running os-net-config in a
deployment script instead of an os-refresh-config script [2]. This
means that our current run-os-net-config approach is currently
resulting in os-net-config being executed twice.

Another issue with run-os-net-config is that it copies ifcfg-* from
host to container, but not back again. This means that rebooting the
server will result in unconfigured interfaces until os-net-config is
somehow run again.

This change bind mounts /etc/sysconfig/network-scripts/ from the host
and uses the conventional approach to running os-refresh-config.

This may fix the issue where compute nodes are losing network
connectivity, so
Closes-Bug: #1646897

[1] http://git.openstack.org/cgit/openstack/tripleo-common/tree/heat_docker_agent/run-os-net-config
[2] I0ed08332cfc49a579de2e83960f0d8047690b97a

Change-Id: I763fc8d8e3eb10ac64d33e46c92888d211003e72
2016-12-08 20:09:25 +00:00
Jenkins
1e11997e76 Merge "Enable haproxy internal TLS through enable-internal-tls.yaml" 2016-12-08 16:25:08 +00:00