Commit Graph

103 Commits

Author SHA1 Message Date
Juan Antonio Osorio Robles
63a8f5529f Remove md5 checksum output from CA injection
This doesn't work with config download anymore, since the software
configs are overwritten. It was never a very useful output anyway, so
it's being removed.

Change-Id: I2c4fc26009fb6e031c6d7fe11401e85c995bd210
Closes-Bug: #1786954
2018-08-14 17:32:27 +03:00
Mathieu Bultel
a472f7d513 Match only haproxy for docker ps and skip all *-haproxy occurrences
The grep regexp can match several lines if the haproxy pattern
is present.
By matching only the started by a whitespace it will match
the haproxy container listed by docker ps:
[...] Up 17 hours   neutron-haproxy-qrouter
[...] Up 20 hours   haproxy-bundle-docker-

Change-Id: Id63991e862ab10170c8afbde7a11677cc3d2e2f6
2018-06-11 10:50:39 +02:00
Carlos Camacho
44ef2a3ec1 Change template names to rocky
The new master branch should point now to rocky.

So, HOT templates should specify that they might contain features
for rocky release [1]

Also, this submission updates the yaml validation to use only latest
heat_version alias. There are cases in which we will need to set
the version for specific templates i.e. mixed versions, so there
is added a variable to assign specific templates to specific heat_version
aliases, avoiding the introduction of errors by bulk replacing
the old version in new releases.

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky
Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
2018-05-09 08:28:42 +02:00
Zuul
a30f74a5e9 Merge "Sanitize the uuid string" 2018-04-12 23:05:52 +00:00
Zuul
e9418e171c Merge "Mount the public TLS certificate for HAProxy on up(date|grade) on pacemaker" 2018-04-11 08:58:18 +00:00
Juan Antonio Osorio Robles
8b85faf7e6 Mount the public TLS certificate for HAProxy on up(date|grade) on pacemaker
As part of the minor update workflow and the update workflow, this changes
the pacemaker haproxy bundle resource to add the needed mount for public
TLS to work.

This also handles the reloading of the container to fetch any new certificates
and if needed, it will restart the pacemaker resource (for upgrades), since
we would need pacemaker to re-create the resource.

Change-Id: I850f4de17e7f7e3b46deb27119227ef76658dcb5
Closes-Bug: #1759797
2018-04-10 12:09:21 +00:00
Alex Schultz
dc3781778e Sanitize the uuid string
dmidecode can return some additional data if SMBIOS is updated. Let's
ensure that the expected output matches the expected UUID format. The
expected string from the 'dmidecode --s system-uuid' call should look
like "79287E4C-2FBF-11B2-A85C-EB9FB9250CBA".

Change-Id: Ib0d19e64b2f24f4a9229f8868795e8979e267f04
Closes-Bug: #1762460
2018-04-09 09:36:34 -06:00
Juan Antonio Osorio Robles
1877ef80be Default NodeTLSData to always attempt setting TLS cert
This is part of enabling TLS by default. It'll be needed in order to get
the certificate injection to work.

Needed-By: I3d3cad0eb1396e7bee146794b29badad302efdf3
Change-Id: I25e35ad1e4f12eb4cca7a0cd3e120e70e4a8c564
2018-04-09 07:46:45 +03:00
Sandhya Dasu
b2d76220f0 Adding new config parameters for Cisco UCSM ML2 driver
UCSM ML2 driver now supports the following additional
configuration parameters:
1. ucsm_https_verify
2. sp_template_list
3. vnic_template_list

Change-Id: Ie74f1b9653894f8c717156beb604dae9d9e60e6a
2018-02-13 16:26:12 +00:00
Carol Bouchard
d11d8155b5 Latest Nexus Configuration Variables Updates
Add new interface Config variables added to Nexus plugin.
    vnc_pool
    intfcfg.portchannel
Identify variables which are obsolete and those being deprecated.
Change default to switch_heartbeat_time.

Depends-On: I940659bdd448b7bda1c38d9343ec6322390b027a
Change-Id: I1995711fc976e72e4254fc0738e4c91b455830ab
Closes-bug:  #1672493
2018-01-12 21:04:03 +00:00
Giulio Fidente
1971e7b049 Passes NodeDataLookup to ceph-ansible workflow
Per-node customizations were only dumped as hieradata, so the
ceph-ansible workflow could not consume them.
This change passes the structure to the mistral workflow so that it
can consume the data and populate the inventory accordingly.

Change-Id: Ie7a9f10f0c821b8c642494a4d3933b2901f39d40
Depends-On: Ia23825aea938f6f9bcf536e35cad562a1b96c93b
Closes-Bug: #1736707
2017-12-13 14:38:02 +01:00
Zuul
410027d64f Merge "Add name property where missing" 2017-12-05 18:07:49 +00:00
James Slagle
7a3fc67559 Add name property where missing
All SoftwareDeployment resources should use the name property when using
config-download.

This also adds a validation to check that the name property is set in
yaml-validate.py

Change-Id: I621e282a2e2c041a0701da0296881c615f0bfda4
Closes-Bug: #1733586
2017-12-04 18:01:52 -05:00
Carlos Camacho
927495fe3d Change template names to queens
The new master branch should point now to queens instead of pike.

So, HOT templates should specify that they might contain features
for queens release [1]

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens

Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
2017-11-23 10:15:32 +01:00
Juan Antonio Osorio Robles
d1f3b1f683 Remove certificate before updating it
Containerized HAProxy always tries to load the SSL certificate; if TLS
is not enabled it will create the file as a directory. This messes up
with the script that actually injects the HAProxy certificate into the
undercloud. To address this, we update that script to take this into
account.

Change-Id: Ifc748648cc0f8caaf5a551fd0bc5724b94f3087d
Closes-Bug: #1728267
2017-11-07 09:00:00 +00:00
Zuul
2b7ccf6159 Merge "added level of indirection causes incorrect hiera config" 2017-11-01 19:27:35 +00:00
Aditya Vaja
485339129c added level of indirection causes incorrect hiera config
- until Newton this worked fine, however starting with Ocata, we
   do not need the key 'mapped_data'
 - having it results in extra indirection in the dictionary in
   neutron_bigswitch_data.json

Change-Id: I3bc9940aeff4e290d83de95a7df294c11f061954
2017-09-28 17:36:26 -07:00
Vineet Paul
4b1276b8f6 Drop extraconfig for nova-nuage
Made the Compute as a composable service with Nuage.
Moved all the Nuage specific parameters from extraconfig to be part of this service.

Change-Id: Ic83e9c18d09fbba62bb5d8a12e28a23127f4197d
2017-08-16 07:46:00 -04:00
Juan Antonio Osorio Robles
74e7e67459 Move HAProxy's public TLS logic from controller to service template
This de-couples public TLS from controllers to now run wherever HAProxy
is deployed.

Partially-Implements: blueprint composable-networks
Change-Id: I9e84a25a363899acf103015527787bdd8248949f
2017-08-11 04:07:38 +00:00
Sandhya Dasu
605ad6f65d Modifying Cisco templates to support composable roles
Change-Id: I21fee832aeeb9780f818ae869ea8714f28bbe4a0
Closes-bug:  #1704853
2017-07-24 23:49:37 +00:00
Carlos Camacho
0a0e2ee629 Update the template_version alias for all the templates to pike.
Master is now the development branch for pike
changing the release alias name.

Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-05-19 09:58:07 +02:00
Jenkins
c7b045e44e Merge "Add composable role support for NetApp Cinder back end" 2017-04-12 15:28:00 +00:00
Alan Bishop
c533a3219e Add composable role support for NetApp Cinder back end
Convert NetApp Cinder back end to support composable roles via new
"CinderBackendNetApp" service.

Closes-Bug: #1680568
Change-Id: Ia3a78a48c32997c9d3cbe1629c2043cfc5249e1c
2017-04-10 11:38:49 -04:00
Giulio Fidente
b5b6681a74 Replace references to the 192.0.2 network
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane
network will be 192.168.24 by default and not 192.0.2 anymore.

This change removes old references left to 192.0.2 network from the
overcloud templates.

Change-Id: I1986721d339887741038b6cd050a46171a4d8022
2017-04-10 14:05:50 +02:00
Alex Schultz
8eaa5f8e10 Re-Add bigswitch agent support
The agent configuration was lost in newton during the puppet-tripleo and
THT role conversion. This change adds support for including the bigswitch
agent service for composable roles.

Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908
Closes-Bug: #1673126
2017-03-17 15:10:39 -06:00
marios
c5d10cd9fc Use the new hiera hook in all remaining templates
The new hiera hook in I21639f6aadabf9e49f40d1bb0b1d0edcfc4dbc5e
was added to most of the tripleo-heat-templates in
Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1

The new hook is installed by default if you use tripleo-common
Ia1864933235152b7e899c4442534879f8e22240d and will be installed
as part of the Newton to Ocata upgrades workflow in
I0c7a32194c0069b63a501a913c17907b47c9cc16

In order to use the new hiera data as part of the upgrade we
need to remove the old hieradata which will break anyone still
defining and using it. This change updates the remaining vendor
plugin manifests to use the new hiera hook. The pre-requisite
is that the new hook is installed on their overcloud (as above
it comes if you follow the N..O upgrade)

Change-Id: Ic95154734cb21e6b941c7f1569295b413963831d
2017-03-06 10:33:01 +02:00
Jenkins
f190469c01 Merge "Re-organizes Contrail services to the correct roles" 2017-02-09 17:02:55 +00:00
Michael Henkel
da91bb6e1e Re-organizes Contrail services to the correct roles
In current setup some Contrail services belong to the wrong roles.
The Contrail control plane can be impacted if the Analytics database has
problems.

Change-Id: I0d57a2324c38b5b20cc687c6217a7a364941f7e6
Depends-On: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
Closes-Bug: #1659560
2017-02-08 20:25:41 +01:00
Jenkins
a79b3ecb39 Merge "Composable service support for Cinder Dell EMC Storage Center" 2017-02-08 11:15:10 +00:00
rajinir
a19e570cad Composable services support for Cinder Dell EMC PS Series
Updated the heat templates for Cinder Dell EMC PS Series backend
to use composable services and rebranding of EQLX to Dell EMC PS Series

Closes-Bug: #1661313

Change-Id: Id9d6f172f3f79a31788b26c7776d738fda5a30fa
2017-02-07 11:54:24 +00:00
rajinir
341afb9f83 Composable service support for Cinder Dell EMC Storage Center
Updated the heat templates for Cinder Dell EMC Storage Center
Backend to use composable services

Closes-Bug: #1661314

Change-Id: I454549c45da7388f0e42975c9f4637dde9ec51e3
2017-02-03 12:07:33 -06:00
Jenkins
a6522190b3 Merge "Temporary UCSM mapping files should be opened with write mode" 2017-02-02 13:32:49 +00:00
Steven Hardy
3c6ec654b4 Bump template version for all templates to "ocata"
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.

This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.

Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-23 11:43:39 +00:00
Juan Antonio Osorio Robles
d2c61c5b79 FreeIPA: Make OTP and FreeIPA server parameters optional
In the freeipa-enroll.yaml, it can be the case that the node has been
enrolled (via a cloud-init script); in this case, the OTP and the
FreeIPA server are optional. However, we still need to get a kerberos
ticket, which is the last step of this script, since this ticket is what
certmonger will use to request the certificates in subsequent steps.

Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
2016-12-20 14:37:08 +02:00
Juan Antonio Osorio Robles
7611f45722 Add FreeIPA enrollment template
This is based on previous work [1] and it's what I've been using to
test the TLS-everywhere work.

This introduces a template that will run on every node to enroll
them to FreeIPA and acquire a ticket (authenticate) in order to be
able to request certificates.

Enrollment is done via the ipa-client-install command and it does
the following:

* Get FreeIPA's CA certificate and trust it.
* Authenticate to FreeIPA using an OTP and get a kerberos keytab.
* Set up several configurations that are needed for FreeIPA (sssd,
  kerberos, certmonger)

The keytab is then used to authenticate and get an actual TGT
(Ticket-Granting-Ticket) from Kerberos

The previous implementation used a PreConfig hook, however, here it
was modified to use NodeTLSCAData. This has the advantage that it
runs on every node as opposed to the PreConfig hook where we had to
specify the role type so it's a usability improvement. And, on the
other hand, this does set up necessary things for the usage of
FreeIPA as a CA, such as getting the certificate and enrolling to the
CA.

[1] https://github.com/JAORMX/freeipa-tripleo-incubator

bp tls-via-certmonger

Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
2016-12-09 16:07:54 +02:00
krogon-intel
b0f964d547 Temporary UCSM mapping files should be opened with write mode
Change-Id: I965f0ec21075cd540de061ec96a52dd919762368
Closes-Bug: #1636542
Signed-off-by: krogon-intel <kamil.rogon@intel.com>
2016-11-08 14:44:39 +01:00
Jenkins
ccbc75a814 Merge "Use netapp_host_type instead of netapp_eseries_host_type" 2016-10-04 11:00:47 +00:00
Juan Antonio Osorio Robles
b74b6793d2 reload HAProxy config in HA setups when certificate is updated
When updating a certificate for HAProxy, we only do a reload of the
configuration on non-HA setups. This means that if we try the same in
an HA setup, the cloud will still serve the old certificate and that
leads to several issues, such as serving a revoked or even a
compromised certificate for some time, or just SSL issues that the
certificate doesn't match. This enables a reload for HA cases too.

Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a
Closes-Bug: #1629886
2016-10-03 18:20:29 +03:00
Giulio Fidente
752394a111 Use netapp_host_type instead of netapp_eseries_host_type
This patch deprecates netapp_eseries_host_type in favor of netapp_host_type.

Change-Id: I113c770ca2e4dc54526d4262bacae48e223c54f4
Closes-Bug: 1579161
2016-09-29 10:52:12 +02:00
Michele Baldessari
9393a3e2a5 get_param calls with multiple arguments need brackets around them
This issue was spotted during major upgrade where we had calls like
this:

   servers: {get_param: servers, Controller}

These get_param calls are hanging indefinitely and make the whole
upgrade end in a timeout. We need to put brackets around the get_param
function when there are multiple arguments:
http://docs.openstack.org/developer/heat/template_guide/hot_spec.html#get-param

This is already done in most of the tree, and the few places where this
was not happening were parts not under CI. After this change the
following grep returns only one false positive:

   grep -ir get_param: |grep -v -- '\[' |grep ','

Change-Id: I65b23bb44f37b93e017dd15a5212939ffac76614
Closes-Bug: #1626628
2016-09-25 22:05:00 +02:00
Jenkins
22da7a0fce Merge "Convert AllNodesExtraConfig to support composable roles" 2016-09-17 02:53:28 +00:00
Steven Hardy
b738e9ca78 Convert AllNodesExtraConfig to support composable roles
This adjusts the interface to OS::TripleO::AllNodesExtraConfig so
it supports custom/composable/optional roles.

Note this does break backwards compatibility, and I can't see any way
to avoid that.  I've converted the in-tree templates, and we'll have
to document carefully and/or provide a script (or automated conversion
via mistral perhaps?) to allow folks to easily adjust any out of tree
templates to the new format.

Basically you just have to:

1. Remove all the *_servers parameters, replace with one "servers"
   json parameter

2. Replace references to e.g "controller_servers" with "servers, Controller"
   which does a path-based lookup into the json map provided by overcloud.yaml

Change-Id: I5eebf853646b2f6300d6b542fcd4f43e82d3b413
Partially-Implements: blueprint custom-roles
2016-09-16 00:24:44 +00:00
Jiri Stransky
66b5c5d5a2 Populate vnc_api_lib.ini on compute nodes with OpenContrail
This is setting sane defaults for vnc_api_lib.ini as requested from the
field. The settings still can be overridden using NovaComputeExtraConfig
if needed.

Change-Id: I6a823c0b34f6ea21aa16939577ac0e1563483557
Closes-Bug: #1620647
2016-09-08 18:23:09 +02:00
Steven Hardy
7ff66b9af1 Remove config_identifier from all_nodes extraconfig examples
Since https://review.openstack.org/#/c/315616 this is no longer
required.

Change-Id: I0452d1577a25d19b4351bfe7830a6c7bbe485e67
2016-07-05 17:46:23 +01:00
Giulio Fidente
794fece5cc Switch Ceph Monitor/OSD/Client/External to composable roles
Change-Id: I1921115cb6218c7554348636c404245c79937673
Depends-On: I7ac096feb9f5655003becd79d2eea355a047c90b
Depends-On: I871ef420700e6d0ee5c1e444e019d58b3a9a45a6
2016-07-04 16:38:40 +02:00
Jenkins
1a481a89a3 Merge "Drop extraconfig for neutron-opencontrail.yaml" 2016-06-23 04:00:25 +00:00
Jenkins
f32de519ad Merge "Drop extraconfig for neutron-nuage.yaml" 2016-06-23 03:57:57 +00:00
Boris Kreitchman
3717794789 Create Cinder backup pool in Ceph
Creates pool in Ceph for Cinder backups and
adds proper access permissions.
To be used with https://review.openstack.org/#/c/311218

Change-Id: Ibf84f78aff92dbd83c6e254ceb7a80e86c15036d
2016-06-20 15:24:30 +02:00
Dan Prince
e21c741679 Drop extraconfig for neutron-opencontrail.yaml
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.

The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the opencontrail settings get to live in the same file.

Partially-implements: blueprint composable-services-within-roles

Change-Id: I0edbd86a8c981bd6e8a547cd2a6ebed18ecdbb31
2016-06-16 15:04:25 -04:00
Dan Prince
29e04f6dde Drop extraconfig for neutron-nuage.yaml
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.

The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the nuage settings get to live in the same file.

Partially-implements: blueprint composable-services-within-roles

Change-Id: I15fe14e9d6881bc408eb6bb10d9293bd914ef858
2016-06-16 15:04:25 -04:00