Commit Graph

32 Commits

Author SHA1 Message Date
rabi
66492002c4 Don't use *-dist.conf files in commands
There is nothing distribution specific in most of these.
Let's stop using those so that we can drop those from
packaging.

Change-Id: I1feb1b4167ea25710a2dc274cf73e4bf9b03cdd1
2021-09-20 08:09:09 +00:00
Sagi Shnaidman
019419463f Use community.general ansible collection instead of modules
Replace module calls by community.general ansible collection calls.
Change-Id: Ie96b3d35cea61370b1f98d7e060d696c4807c6b7
2021-06-10 15:17:08 +03:00
ramishra
b253d564f7 Use server side env merging for ServiceNetMap/VipSubnetMap
This simplifies the ServiceNetMap/VipSubnetMap interfaces
to use parameter merge strategy and removes the *Defaults
interfaces.

Change-Id: Ic73628a596e9051b5c02435b712643f9ef7425e3
2021-05-19 10:16:58 +05:30
ramishra
9fcd76ac47 Simplify manila, memcached and logging services
Change-Id: I828dbece30d94938c9ec904415854570041e358d
2021-04-27 12:07:26 +05:30
Zuul
f8676c05f1 Merge "Ensure SELinux context persist across restorecon and reboot" 2021-04-07 03:59:53 +00:00
ramishra
c9991c2e31 Use 'wallaby' heat_template_version
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
2-argument variant of the ``if`` function that would allow for
 e.g. conditional definition of resource properties and help
cleanup templates. If only two arguments are passed to ``if``
function, the entire enclosing item is removed when the condition
is false.

Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
2021-03-31 17:35:12 +05:30
Cédric Jeanneret
d77fe55516 Ensure SELinux context persist across restorecon and reboot
Until now, we only relied on the ":z" flag in order to set container
volumes label to container_file_t.
While it works fine, it has multiple issues:
- if an operator runs a restorecon, it might break the container service
- if an SELinux related package is updated, it might reset the label,
  and break the container service
- it requires a container stop&start to reset the label to the expected
  value
- in case of deep tree or huge amount of file, relabelling takes time

This change ensures the system sets the expected context on the specific
locations, instead of following the content of selinux-policy-targeted
rulesets.

It has an equivalent for some locations in tripleo-ansible repository:
https://review.opendev.org/c/openstack/tripleo-ansible/+/782393

Note about swift locations:
Since openstack-selinux already sets fcontext rules for, at least, one
swift location, we can't override it here. The following
openstack-selinux patch is being pushed in order to work around this
specific case:
https://github.com/redhat-openstack/openstack-selinux/pull/73

Change-Id: Icb7f58004e281b42141c70a9a4895905dc32b45d
Resolves: rhbz#1941922
2021-03-30 08:11:59 +02:00
Zuul
cada48fc30 Merge "Stop non-pcmk services of manila and cinder during upgrade" 2021-02-18 14:57:17 +00:00
Takashi Kajinami
60c22c38cc Stop non-pcmk services of manila and cinder during upgrade
This change implements missing external_upgrade_tasks for non-pcmk
services of manila and cinder, to ensure that we don't have mixed
versions of controller services running at the same time during
upgrade.

These tasks should have been implemented in the initial patch[1], but
missed at that time unfortunately.

 [1] 8529ce60da

Change-Id: I35ea4354a7448a23d6517f9777ed022caa79347a
2021-02-16 00:57:21 +09:00
ramishra
7f195ff9a8 Remove DefaultPasswords interface
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.

Reduces a number of heat resources.

Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
2021-02-12 11:38:44 +05:30
Francesco Pantano
79686663e8 Configure Ceph clients via tripleo-ceph-client (not ceph-ansible)
Default CephAnsibleSkipClient to True and CephConfigPath to
/var/lib/tripleo-config/ceph (instead of /etc/ceph) and set
these parameters explicitly in scenario00{1,4}. This will
result in all Ceph client configuration being done not by
ceph-ansible but by the new tripleo-ceph-client role from
tripleo-ansible.

Add the CephClient service to all Controller* roles which will
use Ceph. The service could have always been there as there are
Ceph clients on these controllers, but it was not because
ceph-ansible configured clients as a side effect. With new
CephConfigPath default they no longer overlap so the service
is required.

Add support for CephExternalMultiConfig via tripleo-ceph-client
by looping on the contents of the CephExternalMultiConfig list
and passing each map as the dcn variable while including the
tripleo-ceph-client role each time.

Related-Bug: #1708302
Depends-On: I938ab604859fda88f3491399444841a3a373d162
Change-Id: I784e6a476752ed701192b3a0155c42edd4836d97
2021-01-04 15:16:11 +00:00
Francesco Pantano
3663790bc0 Remove /etc/ceph dependency and add tripleo_ceph_client role
This change introduces a new CephConfigPath parameter that can be used
by all the OpenStack clients when looking for Ceph client related info
(ceph.conf and keyrings).
By overriding this parameter we can make the containers able to pull
data from a different path than /etc/ceph which was hardcoded.
On top of this change, a new bool is added to prevent the ceph-ansible
client role being executed.
When this boolean is true, the 'ceph_client' tag is added to the list
of tags that should be skipped in ceph-ansible.
By doing this, ceph-ansible won't run the client role [1] and the new,
tripleo_ceph_client role is imported and executed.

[1] https://github.com/ceph/ceph-ansible/blob/master/site-container.yml.sample#L269

Depends-On: Iaabb66cd26f0246defe391a4e34f4eab3c3c5fee
Depends-On: Ia60bc6d5d1a04bd560f2fcb05a4b64078015ae9d

Change-Id: I36673367411cc8d68ffb9ec4a2fbff64ebf12f29
2020-12-04 18:19:14 +01:00
Takashi Kajinami
37548ddb40 Enforce internal api for token verification
This change enforces the usage of internal api for token verification,
so that internal requests to keystone use internal endpoint instead
of admin endpoint which is deployed on provisioning network by default.

Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
2020-10-11 15:46:08 +09:00
Jose Luis Franco Arza
8783ec9c45 Remove ffwd-upgrade leftovers from THT.
Now that the FFU process relies on the upgrade_tasks and deployment
tasks there is no need to keep the old fast_forward_upgrade_tasks.

This patch removes all the fast_forward_upgrade_tasks section from
the services, as well as from the common structures.

Change-Id: I39b8a846145fdc2fb3d0f6853df541c773ee455e
2020-07-23 15:33:25 +00:00
Zuul
4e5dcf91d4 Merge "Add mode option when creating persistent directories." 2020-05-05 11:41:09 +00:00
Takashi Kajinami
e929589327 Replace outdated cinder parameters in Manila
Depends-on: https://review.opendev.org/#/c/723239/
Change-Id: I65c1d317b3bb7c5325c115a9b1fecec000898de7
2020-04-27 08:06:27 +09:00
Takashi Kajinami
9511dd9697 Add missing region_name parameter in Manila
Change-Id: I6d0612a146de0e9aca0d9e1cc859e4fb06a05c14
2020-04-27 00:30:10 +09:00
Jose Luis Franco Arza
94bc023390 Add mode option when creating persistent directories.
Almost every single tripleo service creates a persistent directory. To
simplify the creation, a with_items structure was being used. In which
many times, the mode option was being set. However, that mode option
was not taken into account at the time of creating the file. As a
consequence, the directory was being created with its father directory
rights, instead of the ones being passed in the template.

Change-Id: I215db2bb79029c19ab8c62a7ae8d93cec50fb8dc
Closes-Bug: #1871231
2020-04-20 15:37:08 +02:00
Takashi Kajinami
fffdcf0f30 Use absolute name to include puppet classes
Current puppet modules use only absolute name to include classes,
so replace relative name by absolute name in template files so that
template description can be consistent with puppet implementation.

Change-Id: I7a704d113289d61ed05f7a31d65caf2908a7994a
2020-04-11 08:13:23 +09:00
Emilien Macchi
38bad5283f Remove all ignore_errors to avoid confusion when debugging
- deploy-steps-tasks-step-1.yaml: Do not ignore errors when dealing
  with check-mode directories. The file module is resilient enough to
  not fail if the path is already absent.

- deploy-steps-tasks.yaml: Replace ignore_errors by another condition,
  "not ansible_check_mode"; this task is not needed in check mode.

- generate-config-tasks.yaml: Replace ignore_errors by another
  condition, "not ansible_check_mode"; this task is not needed in check mode.

- Neutron wrappers: use fail_key: False instead of ignore_errors: True
  if a key can't be found in /etc/passwd.

- All services with service checks: Replace "ignore_errors: true" by
  "failed_when: false". Since we don't care about whether or not the
  task returns 0, let's just make the task never fail. It will only
  improve UX when scrawling logs; no more failure will be shown for
  these tasks.

- Same as above for cibadmin commands, cluster resources show
  commands and keepalived container restart command; and all other shell
  or command or yum modules uses where we just don't care about their potential
  failures.

- Aodh/Gnocchi: Add pipefail so the task isn't support to fail

- tripleo-packages-baremetal-puppet and undercloud-upgrade: check shell
  rc instead of "succeeded", since the task will always succeed.

Change-Id: I0c44db40e1b9a935e7dde115bb0c9affa15c42bf
2020-03-05 09:22:04 -05:00
Cédric Jeanneret
0875895553 Replace svirt_sandbox_file_t by container_file_t
While they are, at SELinux level, exactly the same (one is an alias to
the other), the "container_file_t" name is easier to understand (and
shorter to write).

A second pass in a couple of days or weeks will be needed in order to
change files that were merged after this first pass.

Change-Id: Ib4b3e65dbaeb5894403301251866b9817240a9d5
2020-02-07 13:33:20 +01:00
Jesse Pretorius (odyssey4me)
2092b1303f Update ffwd-upgrade branch names
The next iteration of fast-forward-upgrade will be
from queens through to train, so we update the names
accordingly.

Change-Id: Ia6d73c33774218b70c1ed7fa9eaad882fde2eefe
2020-01-27 19:42:40 +00:00
Jose Luis Franco Arza
4cbae84c75 Get rid of docker removing in post_upgrade tasks.
When upgrading from Rocky to Stein we moved also from using the docker
container engine into Podman. To ensure that every single docker container
was removed after the upgrade a post_upgrade task was added which made
use of the tripleo-docker-rm role that removed the container. In this cycle,
from Stein to Train both the Undercloud and Overcloud work with Podman, so
there is no need to remove any docker container anymore.

This patch removes all the tripleo-docker-rm post-upgrade task and in those
services which only included a single task, the post-upgrade-tasks section
is also erased.

Change-Id: I5c9ab55ec6ff332056a426a76e150ea3c9063c6e
2019-11-12 16:33:38 +01:00
Alex Schultz
7906fb43be Drop legacy log folder and readme
We switched to containers a long time ago. This patch drops the
management of a /var/log/<service> directory and the creation of a
readme indicating that we've moved to containers which makes the logging
available under /var/log/containers/<service>

Change-Id: Ia4e991d5d937031ac3312f639b726a944743dd1e
2019-11-04 09:19:07 -07:00
Alex Schultz
f2147c9974 Ensure service log folder permissions
We should ensure that the service folders are 0750. We're setting
/var/log/containers but we should also ensure the service folders also
have the correct permissions.

Change-Id: I28e8017edc7e30a60288adf846da722fd6ab310e
2019-11-04 08:48:24 -07:00
Tom Barron
cff553c7e6 Fix Manila when run without pacemaker
The supported path is to run the manila-share service
under control of pacemaker using container bundles started
in Step5.  However, it is useful for test and POC purposes
to be able to run the manila-share service without pacemaker
control as a regular container started in Step4.

This change fixes the non-pacemaker deployment path, which runs
manila-share in Step4 rather than Step5, so that it uses the same
privileges for the manila-share container as are used for the
pacemaker-controlled container-bundle in Step5.

However, we do not change scenario004 to deploy manila using the
non-pacemaker path since in CI we want to test the path that is
supported for customers.

Change-Id: I8effea96a4428281b5a5dfa9711bb602fdbdc705
Related-Bug: #1841941
Depends-On: https://review.opendev.org/#/c/685449
2019-10-08 17:40:47 +00:00
Jose Luis Franco Arza
d1035703b7 Force removal of docker container in tripleo-docker-rm.
The tripleo-docker-rm role has been replaced by tripleo-container-rm [0].
This role will identify the docker engine via the container_cli variable
and perform a deletion of that container. However, these tasks inside the
post_upgrade_tasks section were thought to remove the old docker containers
after upgrading from rocky to stein, in which podman starts to be the
container engine by default.

For that reason, we need to ensure that the container engine in which the
containers are removed is docker, as otherwise we will be removing the
podman container and the deployment steps will fail.

Closes-Bug: #1836531
[0] - 2135446a35

Depends-On: https://review.opendev.org/#/c/671698/
Change-Id: Ib139a1d77f71fc32a49c9878d1b4a6d07564e9dc
2019-07-19 12:37:35 +00:00
Dan Prince
a68151d02a Convert Docker*Image parameters
This converts all Docker*Image parameter variants into
Container*Image variants.

The commit was autogenerated with the following shell commands:

for file in $(grep -lr Docker.*Image --include \*.yaml --exclude-dir releasenotes); do
  sed -e "s|Docker\([^ ]*Image\)|Container\1|g" -i $file
done

Change-Id: Iab06efa5616975b99aa5772a65b415629f8d7882
Depends-On: I7d62a3424ccb7b01dc101329018ebda896ea8ff3
Depends-On: Ib1dc0c08ce7971a03639acc42b1e738d93a52f98
2019-06-05 14:33:44 -06:00
Dan Prince
a52498ab4d Move containers-common.yaml into deployment
Change-Id: I8cc27cd8ed76a1e124cbb54c938bb86332956ac2
Related-Blueprint: services-yaml-flattening
2019-04-14 18:15:12 -04:00
Victoria Martinez de la Cruz
0f3e0cfecc Refactored configuration options for nova/neutron in manila
Manila configuration for keystone authtoken, nova and neutron
were located on the manila-scheduler while they should
be located in manila-share.
Plus, we were missing some configs for nova/neutron.

This patch set fixes that.

Change-Id: I0cf2e242b0b547acf77888723305ef147f9e6184
Closes-Bug: #1818828
2019-03-08 17:15:13 -03:00
Goutham Pacha Ravi
5e629cacd9 Fix keystone opt deprecations in manila manifests
Add www_authenticate_uri to manila-api manifest.
Remove auth_uri from api and share manifests because
puppet-manila no longer supports that option. [1]

Related-Bug: #1761171
[1] https://review.openstack.org/#/c/620742/

Change-Id: I07f6dc5f8e0ae7d0c8060b17b08fd3ae836e073b
2019-02-14 10:00:15 -08:00
Dan Prince
27e8bbd2ac flatten the manila service configurations
This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for all manila services.

With this patch the baremetal version of each manila service has been removed.

Related-Blueprint: services-yaml-flattening

Change-Id: I02addc0ecbbbcb60d2c6a0d30d7c9cfa42346f7c
2019-02-01 09:58:20 -05:00