62 Commits

Author SHA1 Message Date
Zuul
824ec8b5ad Merge "Simplify internal_tls_enabled conditions" 2021-04-03 13:20:28 +00:00
ramishra
c9991c2e31 Use 'wallaby' heat_template_version
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
2-argument variant of the ``if`` function that would allow for
e.g. conditional definition of resource properties and help
cleanup templates. If only two arguments are passed to ``if``
function, the entire enclosing item is removed when the condition
is false.

Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
2021-03-31 17:35:12 +05:30
ramishra
b4203a30eb Change all *Debug parameter types to boolean
This changes all these parameters as heat would correctly
parse all values. Also, drops all yaql shenanigans
used for their handling and heat conditions.

Also fixes wrong usage of non-existent NeutronWrapperDebug
parameter in ovn-metadata-container-puppet.yaml.

We had converted all ``Debug`` parameters to boolean with
Ib6c3969d4dd75d5fb2cc274266c060acff8d5571.

Change-Id: Ia2bffffde34aa248a4cc60c3895464f1f9d1ded2
2021-03-30 08:29:10 +05:30
Zuul
7399f85bc9 Merge "Remove duplicate keys from yaml files" 2021-03-29 21:22:47 +00:00
Sorin Sbarnea
27788212cc Remove duplicate keys from yaml files
- removes duplicate keys from yaml files by assuming that the last
  one was the desired one (matches current loader behavior)
- prevent regressions by activating yaml lint rule that detects them
  (yaml skip was silencing all yaml checks, so the long list seen
  is in fact shorter than just 'yaml')
- includes sorting of some of the keys, was needed in order to spot
  the duplicates.

Change-Id: Idf5c0041a0c6d3ed7d5d49fb68be856719916663
2021-03-29 13:56:31 +00:00
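The loader behaviour the commit relies on (last duplicate key wins, silently) is the reason a pre-merge check is worth having: a second `debug:` or `restart:` further down a mapping quietly overrides the first, and nothing in a plain `yaml.safe_load` tells you. The following is an added example and not part of the commit, of yamllint, or of tripleo-heat-templates; it is a dependency-free, indentation-scoped detector for repeated keys in block mappings (flow style `{a: 1}`, quoted keys and multi-line scalars are deliberately out of scope), run over a constructed sample that mirrors the problem.

```python
import re
from typing import List, Tuple

# Constructed sample (not from the repository): the second "debug" and the
# second "restart" are the duplicates a default YAML loader would keep.
SAMPLE = """\
parameters:
  debug: false
  image: neutron-dhcp-agent:1
  debug: true        # duplicate -> loader keeps this one
services:
  - name: neutron_dhcp
    restart: always
    restart: on-failure
  - name: neutron_l3
    restart: always
"""

# indent, optional "- " sequence marker, bare key, ":" followed by space or EOL
KEY_RE = re.compile(r'^(\s*)(- )?([A-Za-z0-9_.\-/]+)\s*:(\s|$)')


def find_duplicate_keys(text: str) -> List[Tuple[int, str, int]]:
    """Return (line_no, key, first_line_no) for every key repeated inside the
    same block mapping.

    Scope is tracked with an indentation stack: a deeper indent opens a new
    mapping, a shallower one closes the deeper mappings, and a "- key:" item
    opens a fresh mapping so sibling list entries may legitimately reuse keys.
    Block mappings only; flow style, quoted keys and multi-line scalars are
    not parsed (a real linter such as yamllint's key-duplicates rule is the
    production answer; this shows the scoping logic)."""
    dups: List[Tuple[int, str, int]] = []
    stack: List[Tuple[int, dict]] = []  # (indent, {key: first_line_no})
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue
        indent = len(m.group(1)) + (2 if m.group(2) else 0)
        key = m.group(3)
        if m.group(2):
            # New sequence item: discard the previous item's mapping (and any
            # deeper ones) so its keys do not collide with this item's keys.
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, {}))
        else:
            while stack and stack[-1][0] > indent:
                stack.pop()
            if not stack or stack[-1][0] < indent:
                stack.append((indent, {}))
        seen = stack[-1][1]
        if key in seen:
            dups.append((line_no, key, seen[key]))
        else:
            seen[key] = line_no
    return dups


if __name__ == '__main__':
    for line_no, key, first in find_duplicate_keys(SAMPLE):
        print(f'line {line_no}: key {key!r} already defined on line {first}')
```

Run it over a file before loading it; a non-empty result means the loader is about to discard configuration the author thought was in effect, which for keys like `privileged`, `security_opt` or `debug` is exactly the kind of silent override you want to catch in review rather than in production.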
Michele Baldessari
5e4c17acfb Simplify internal_tls_enabled conditions
We do not need to add an if: internal_tls_enabled in a number of
ansible tasks. enabled_internal_tls is already defined as an ansible
fact in common/deploy-steps.j2:
enable_internal_tls: {get_param: EnableInternalTLS}

So when the service uses the enable_internal_tls condition and it points
to the EnableInternalTLS param, we can just use the ansible fact
directly. Note that if the enable_internal_tls condition points to
something else than the mere EnableInternalTLS we may not do this
cleanup.

Change-Id: Idb07cbc8fc3a4d73ff52c54d869310fd6c49b502
2021-03-27 13:42:35 +01:00
Lucas Alvares Gomes
9283e44d16 [OVN] Remove check for OVN + Availability Zones
The ML2/OVN driver does support AZ-aware routing scheduling from
stable/train and newer versions.

This patch also removes the check from the DHCP agent container because
although not a typical deployment, the Neutron DHCP agent can be
deployed with OVN for special cases such as baremetal provisioning where
the agent would serve DHCP to the baremetal instances.

Change-Id: I8941c4d9a8e68eb775c910495de4aff9fbc67206
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2021-03-26 11:58:02 +00:00
Carlos Goncalves
6e7e0ab48e Remove obsoleted generate_service_certificates
Remove traces of generate_service_certificates. It was removed during
the Pike release cycle [1].

[1] https://review.opendev.org/c/openstack/puppet-tripleo/+/444891

Change-Id: Ib203b52547433ff73141df66641528c389b50361
2021-03-16 19:50:14 +01:00
Grzegorz Grasza
e329ca915e Generate certificates using ansible role
This is using linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.

Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
2021-03-10 16:28:22 +01:00
ramishra
7f195ff9a8 Remove DefaultPasswords interface
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.

Reduces a number of heat resources.

Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
2021-02-12 11:38:44 +05:30
Raildo
9760977529 Adding key_size option on the certificate creation
Adding the ability to specify the private key size
used when creating the certificate. We have defined the
default value the same as we had before, 2048 bits.
Also, it will be possible to override the key_size value
per service.

Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
2020-12-17 20:22:52 -03:00
Emilien Macchi
c02738aec9 Fix temp namespace tasks to work in check mode
Fix the tasks that remove the temporary namespace when running in check
mode.
Checking that the rc variable is actually defined.

Change-Id: I1f0512532f564d58343440bd0a6594da9609b65d
2020-09-29 21:53:17 +00:00
Rajesh Tailor
a672bedfc2 Fix typos
Change-Id: Ia9b0410d1ade1abc2d29d3634379b9128016d0e9
2020-09-16 15:45:12 +05:30
Jose Luis Franco Arza
8783ec9c45 Remove ffwd-upgrade leftovers from THT.
Now that the FFU process relies on the upgrade_tasks and deployment
tasks there is no need to keep the old fast_forward_upgrade_tasks.

This patch removes all the fast_forward_upgrade_tasks section from
the services, as well as from the common structures.

Change-Id: I39b8a846145fdc2fb3d0f6853df541c773ee455e
2020-07-23 15:33:25 +00:00
Emilien Macchi
df8003384a Allow more tasks to be run in check mode
When running Ansible in check mode (aka dry run), some tasks need some
changes, especially around variables and make sure they are actually
defined.

Change-Id: I337aa287f1c88a0e2707b441fc6b19b997d52385
2020-07-06 21:38:13 +00:00
Alex Schultz
230481674f Move sidecar kill scripts to host prep
These tasks really should be managed a single time against the host
rather than at deployment time.

Change-Id: I535d8360493267d50196aebb6365124b67e9ba78
Related-Bug: #1883609
2020-07-02 21:06:04 +00:00
Zuul
9e751c820d Merge "Revert "Add shared volume for side-car wrapper locks"" 2020-05-20 17:23:42 +00:00
Alex Schultz
4d70846a72 Revert "Add shared volume for side-car wrapper locks"
This reverts commit 1517df0fc30b7b10263aa96fe48978d7bf17a0fe.

We reverted the sidecar wrappers, we don't need this anymore.

Change-Id: Ia69b7e489db9b26db852083bf5991b64df5b80a5
2020-05-18 13:28:34 +00:00
Zuul
79f0ddc8a9 Merge "Add shared volume for side-car wrapper locks" 2020-05-05 14:40:22 +00:00
Alex Schultz
62e529ce32 Revert systemd sidecars
We've found that the systemd sidecars tend to drop events when spawning
multiple processes at once. Rather than continue to try and patch it, we
need to go back to the drawing board. This change reverts the various
patches that were related to the systemd side car code.

Revert "Use exec when spawning any neutron sidecar container"

This reverts commit 5b799136facc15d4e69bcede52b60d39a4a02464.

Revert "Remove neutron wrappers usage"

This reverts commit f4f3045c413e7da083dbd8495ef758c2ac86870d.

Revert "Use a systemd service to handle sidecar containers"

This reverts commit 2dc7066b050ecf22dc9e5909061272ffe765ebfc.

Change-Id: I8b9578b7c7d6bd23f0b677f64afae7be76ddcadf
2020-05-01 07:47:04 -06:00
Bogdan Dobrelya
1517df0fc3 Add shared volume for side-car wrapper locks
The lock used in the wrapper is under /var/lock in the container which
is not shared with the host so the sync script never waits for the
wrapper to be done. Moving the lock file to a path on a shared mount in
the container seems to solve that particular race.

Partial-bug: #1874470

Change-Id: Iaa3a19bc47241e6eb686d65c1a198ec69505398e
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2020-04-29 11:03:21 +02:00
Bernard Cafarelli
5b799136fa Use exec when spawning any neutron sidecar container
Similarly to dnsmasq [0], other processes can receive SIGHUP. This is
allowed by rootwrap filters for all processes [1], and I found some
examples when running neutron-tempest-plugin tests checking
l3-agent.log files:
Running command (rootwrap daemon): ['radvd-kill', 'HUP', '712810'] execute_rootwrap_daemon /usr/lib/python3.6/site-packages/neutron/agent/linux/utils.py:103
Running command (rootwrap daemon): ['keepalived-kill', 'HUP', '402009'] execute_rootwrap_daemon /usr/lib/python3.6/site-packages/neutron/agent/linux/utils.py:103

To prevent additional similar issues, apply similar fix for these
sidecar containers too

Related-Bug: #1867192

[0] I1af2ecd9e3996de4f43224f66a8bdb81eab07022
[1] https://opendev.org/openstack/neutron/src/branch/master/etc/neutron/rootwrap.d

Change-Id: I31237d21527a2909a1669cb6c80cc0fa9be798a6
2020-04-01 22:06:59 +02:00
Rajesh Tailor
f4f3045c41 Remove neutron wrappers usage
With I2feb9e81bc40e44cb2c7a2972366fa4b16590227, we don't need to
set wrapper parameters as everything is deployed by Ansible.

Change-Id: Ie03450aa0796614a686f6c390c9b0088fcf591f0
Blueprint: safe-side-containers
2020-03-20 14:45:11 +05:30
Michele Baldessari
3ca7e8f03f Use exec when spawning dnsmasq inside sidecar container
We see some deployment failures where the overcloud is unable to PXE/DHCP boot during the initial bits of the deployments. The following errors are seen in neutron dhcp logs:

2020-03-11 17:58:33.737 54481 DEBUG neutron.agent.dhcp.agent [req-6caace19-095f-4115-be85-644f7a8baa7f - - - - -] Resync event has been scheduled _periodic_resync_helper /usr/lib/python3.6/site-packages/neutron/agent/dhcp/agent.py:277
2020-03-11 17:58:33.737 54481 DEBUG neutron.common.utils [req-6caace19-095f-4115-be85-644f7a8baa7f - - - - -] Calling throttled function clear wrapper /usr/lib/python3.6/site-packages/neutron/common/utils.py:110
2020-03-11 17:58:33.738 54481 DEBUG neutron.agent.dhcp.agent [req-6caace19-095f-4115-be85-644f7a8baa7f - - - - -] resync (a187b137-b68c-476e-bd37-39253158e762): [ProcessExecutionError("Exit code: 125; Stdin: ; Stdout: ; Stderr: + exec\n+ trap 'exec 2>&4 1>&3' 0 1 2 3\n+ exec\n",)] _periodic_resync_helper /usr/lib/python3.6/site-packages/neutron/agent/dhcp/agent.py:294
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent [-] Unable to reload_allocations dhcp for a187b137-b68c-476e-bd37-39253158e762.: neutron_lib.exceptions.ProcessExecutionError: Exit code: 125; Stdin: ; Stdout: ; Stderr: + exec
+ trap 'exec 2>&4 1>&3' 0 1 2 3
+ exec
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent Traceback (most recent call last):
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent File "/usr/lib/python3.6/site-packages/neutron/agent/dhcp/agent.py", line 160, in call_driver
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent getattr(driver, action)(**action_kwargs)
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent File "/usr/lib/python3.6/site-packages/neutron/agent/linux/dhcp.py", line 528, in reload_allocations
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent self._spawn_or_reload_process(reload_with_HUP=True)
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent File "/usr/lib/python3.6/site-packages/neutron/agent/linux/dhcp.py", line 470, in _spawn_or_reload_process
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent pm.enable(reload_cfg=reload_with_HUP, ensure_active=True)
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent File "/usr/lib/python3.6/site-packages/neutron/agent/linux/external_process.py", line 92, in enable
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent self.reload_cfg()
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent File "/usr/lib/python3.6/site-packages/neutron/agent/linux/external_process.py", line 100, in reload_cfg
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent self.disable('HUP')
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent File "/usr/lib/python3.6/site-packages/neutron/agent/linux/external_process.py", line 113, in disable
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent utils.execute(cmd, run_as_root=self.run_as_root)
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent File "/usr/lib/python3.6/site-packages/neutron/agent/linux/utils.py", line 147, in execute
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent returncode=returncode)
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent neutron_lib.exceptions.ProcessExecutionError: Exit code: 125; Stdin: ; Stdout: ; Stderr: + exec
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent + trap 'exec 2>&4 1>&3' 0 1 2 3
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent + exec
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent
2020-03-11 17:58:33.738 54481 ERROR neutron.agent.dhcp.agent
2020-03-11 17:58:33.740 54481 DEBUG neutron.agent.linux.utils [-] Unable to access /var/lib/neutron/external/pids/a187b137-b68c-476e-bd37-39253158e762.pid.haproxy get_value_from_file /usr/lib/pyt

The issue is that the dhcp side containers are spawned with the following processes:
           |-conmon(375906)-+-dumb-init(375918)---bash(375935)---dnsmasq(375938)
           | `-{conmon}(375908)

Now when neutron wants to send a SIGHUP to the dnsmasq it actually invokes the following command:
nsenter --net=/run/netns/qdhcp-e11ac152-745f-4292-b423-d282fbf97f13 --preserve-credentials -m -t 1 podman kill --signal HUP 0b7371f6de52cfe377858...

The problem is that podman kill will send the signal to "dumb-init
--single-child" (pid1 for this container) which will then forward it only to
bash, which will cause dnsmasq to be terminated and will eventually be later
respawned with a different pid (stored in
/var/lib/neutron/dhcp/86884abc-f7d7-4118-923f-38b247fee8e9/pid).

So if multiple ports are created concurrently this is racy and one of them will fail to reload dnsmasq with the error above, because one process might use a pid file that is no longer valid.
TLDR: this all works if SIGHUP to the dnsmasq process does not change pids under the hood all of a sudden.
Otherwise a SIGHUP used to reload dnsmasq will be sent to the bash
process father of dnsmasq which will then terminate dnsmasq and break
all the things

Tested this on three runs and did not experience the issue any longer

Co-Authored-By: Bernard Cafarelli <bcafarel@redhat.com>
Co-Authored-By: Slawomir Kaplonski <skaplons@redhat.com>

Closes-Bug: #1867192

Change-Id: I1af2ecd9e3996de4f43224f66a8bdb81eab07022
2020-03-12 20:03:37 +01:00
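What `exec` changes for the sidecar wrappers (this commit and "Use exec when spawning any neutron sidecar container" above) can be shown outside of a container. The following is an added example, not the commit's code and not TripleO's wrapper scripts: it is Linux-only (it reads /proc), uses a plain `sh -c` where the wrapper container's shell would be, and uses `sleep` where dnsmasq would be. It starts the worker both ways, sends SIGHUP to the pid a supervisor such as `podman kill --signal HUP` would target, and reports which process actually took the signal. Without `exec` the shell dies and the worker is left orphaned and untouched; outside a pid namespace that orphan simply lives on, which is enough to show the reload never reached it. Inside the container the picture is worse: once bash is gone, dumb-init exits as pid 1 and the kernel kills everything left in that pid namespace, which is how dnsmasq ended up terminated and respawned under a new pid.

```python
"""Added example (not TripleO code): does SIGHUP to the wrapper pid reach the
worker? Linux-only, reads /proc; `sleep` stands in for dnsmasq."""
import os
import signal
import subprocess
import time


def _stat_fields(pid: int):
    """Fields of /proc/<pid>/stat after the '(comm)' entry: [state, ppid, ...]."""
    with open(f'/proc/{pid}/stat') as f:
        stat = f.read()
    return stat[stat.rindex(')') + 2:].split()


def comm_of(pid: int) -> str:
    with open(f'/proc/{pid}/comm') as f:
        return f.read().strip()


def children_of(pid: int):
    kids = []
    for entry in os.listdir('/proc'):
        if entry.isdigit():
            try:
                if int(_stat_fields(int(entry))[1]) == pid:
                    kids.append(int(entry))
            except (OSError, ValueError, IndexError):
                continue  # process vanished while we were scanning
    return kids


def is_running(pid: int) -> bool:
    try:
        return _stat_fields(pid)[0] != 'Z'
    except OSError:
        return False


def hup_wrapper(use_exec: bool) -> dict:
    """Start 'sleep 60' through a shell wrapper, SIGHUP the wrapper's pid (the
    pid a supervisor sees), and report who actually received the signal."""
    # Without exec the shell stays as parent and the worker is a separate
    # child; the trailing 'exit' keeps sh from exec-optimising the lone command.
    body = 'exec sleep 60' if use_exec else 'sleep 60; exit $?'
    devnull = subprocess.DEVNULL
    p = subprocess.Popen(
        ['sh', '-c', body], stdin=devnull, stdout=devnull, stderr=devnull,
        # an inherited SIG_IGN for HUP would survive exec and mask the effect
        preexec_fn=lambda: signal.signal(signal.SIGHUP, signal.SIG_DFL))
    # Wait until the worker exists: either sh exec'd into it, or forked it.
    kids = []
    deadline = time.monotonic() + 5
    while time.monotonic() < deadline:
        kids = children_of(p.pid)
        if kids or comm_of(p.pid) == 'sleep':
            break
        time.sleep(0.05)
    worker_pids = kids or [p.pid]
    signalled_comm = comm_of(p.pid)
    p.send_signal(signal.SIGHUP)  # what `podman kill --signal HUP` delivers
    try:
        p.wait(timeout=5)
    except subprocess.TimeoutExpired:
        p.kill()
        p.wait()
    time.sleep(0.1)
    survivors = [w for w in worker_pids if is_running(w)]
    for w in survivors:
        os.kill(w, signal.SIGKILL)  # clean up the orphan this example created
    return {
        'signalled_comm': signalled_comm,
        'worker_received_hup': p.returncode == -signal.SIGHUP and not survivors,
    }


if __name__ == '__main__':
    for use_exec in (False, True):
        print('exec' if use_exec else 'no exec', hup_wrapper(use_exec))
```

The `signalled_comm` field is the check worth carrying into a deployment: if the process behind the container's pid (or behind the pid file neutron tracks) is a shell rather than the daemon, a reload signal will not do what the caller assumes, regardless of how it is delivered.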
Zuul
02b7cc6f4e Merge "Add NeutronDhcpAgentDnsmasqEnableAddr6List param" 2020-03-12 01:57:36 +00:00
Emilien Macchi
38bad5283f Remove all ignore_errors to avoid confusion when debugging
- deploy-steps-tasks-step-1.yaml: Do not ignore errors when dealing
  with check-mode directories. The file module is resilient enough to
  not fail if the path is already absent.

- deploy-steps-tasks.yaml: Replace ignore_errors by another condition,
  "not ansible_check_mode"; this task is not needed in check mode.

- generate-config-tasks.yaml: Replace ignore_errors by another
  condition, "not ansible_check_mode"; this task is not needed in check mode.

- Neutron wrappers: use fail_key: False instead of ignore_errors: True
  if a key can't be found in /etc/passwd.

- All services with service checks: Replace "ignore_errors: true" by
  "failed_when: false". Since we don't care about whether or not the
  task returns 0, let's just make the task never fail. It will only
  improve UX when scrawling logs; no more failure will be shown for
  these tasks.

- Same as above for cibadmin commands, cluster resources show
  commands and keepalived container restart command; and all other shell
  or command or yum modules uses where we just don't care about their potential
  failures.

- Aodh/Gnocchi: Add pipefail so the task isn't supposed to fail

- tripleo-packages-baremetal-puppet and undercloud-upgrade: check shell
  rc instead of "succeeded", since the task will always succeed.

Change-Id: I0c44db40e1b9a935e7dde115bb0c9affa15c42bf
2020-03-05 09:22:04 -05:00
Harald Jensås
4ebcdc4443 Add NeutronDhcpAgentDnsmasqEnableAddr6List param
Add boolean parameter ``NeutronDhcpAgentDnsmasqEnableAddr6List``
to support the ``dnsmasq_enable_addr6_list`` option in dhcp
agent settings.

Related-Bug: #1861032
Depends-On: https://review.opendev.org/704436
Depends-On: https://review.opendev.org/710335
Change-Id: I69651b7e3390b5239097a9638ac1dc83a12fe96f
2020-03-05 06:55:02 +00:00
Cédric Jeanneret
0875895553 Replace svirt_sandbox_file_t by container_file_t
While they are, at SELinux level, exactly the same (one is an alias to
the other), the "container_file_t" name is easier to understand (and
shorter to write).

A second pass in a couple of days or weeks will be needed in order to
change files that were merged after this first pass.

Change-Id: Ib4b3e65dbaeb5894403301251866b9817240a9d5
2020-02-07 13:33:20 +01:00
Jesse Pretorius (odyssey4me)
2092b1303f Update ffwd-upgrade branch names
The next iteration of fast-forward-upgrade will be
from queens through to train, so we update the names
accordingly.

Change-Id: Ia6d73c33774218b70c1ed7fa9eaad882fde2eefe
2020-01-27 19:42:40 +00:00
Kevin Carter
9a2a36437d Update all roles to use the new role name
Ansible has decided that roles with hyphens in them are no longer supported
by not including support for them in collections. This change renames all
the roles we use to the new role name.

Depends-On: Ie899714aca49781ccd240bb259901d76f177d2ae
Change-Id: I4d41b2678a0f340792dd5c601342541ade771c26
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2020-01-20 10:32:23 -06:00
Emilien Macchi
5bfbcd32e0 depends_on: add .service to avoid errors in logs
Make sure we depend on a systemd service by having the .service in the
service name that we depend on.

Otherwise it leads to errors in /var/log/messages:
  Failed to add dependency on openvswitch, ignoring: Invalid argument

Change-Id: I35230c6dfd8bc7ea2c45f7d2e1e5b5f4316a9375
2020-01-13 22:49:25 -05:00
Sagi Shnaidman
016f7c6002 Remove unnecessary slash volume maps
When podman parses such volume map it removes the slash
automatically and shows in inspection volumes w/o slash.
When comparing configurations it turns to be a difference and
it breaks idempotency of containers, causing them to be recreated.

Change-Id: Ifdebecc8c7975b6f5cfefb14b0133be247b7abf0
2019-12-04 20:32:14 +02:00
Cédric Jeanneret (Tengu)
1ce103186d Revert "Drop the SELinux flags for openvswitch /var/run directory"
This reverts commit af80a0d914d9663079ad30c7dcdf73e1060c33e7.

Reason: the added SELinux rule actually allows openvswitch to write in
container_file_t - not the contrary. We therefore still need the ":z" flag.
A possible follow-up would be to drop the "shared" flag (useless) and
remove the duplicated mount.

Change-Id: Idc8813792b5c6d4d4226491f81de2965beeaadbe
2019-11-26 13:32:00 +01:00
Cédric Jeanneret
af80a0d914 Drop the SELinux flags for openvswitch /var/run directory
Enforcing re-labelling (:z) creates some issues when we are deploying
with DPDK.
A new SELinux policy has been added[1] in openstack-selinux, allowing
container_t to actually write in openvswitch_file_t.

The "shared" flag isn't of any use in this context, because we don't
have any sub-mounts[2] in there.

Also dropped a duplicate mount (/var/run == /run)

This issue is related to the following BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=1772025
https://bugzilla.redhat.com/show_bug.cgi?id=1776326

[1] https://github.com/redhat-openstack/openstack-selinux/pull/46
[2] https://docs.docker.com/storage/bind-mounts/#configure-bind-propagation

Change-Id: I216d7899c569419fdee7e30cc11af1d68d0f7fa3
Closes-Bug: #1853844
2019-11-25 16:37:35 +01:00
Zuul
fb0dbebf9b Merge "Convert firewall rules to use TripleO-Ansible" 2019-11-20 05:30:43 +00:00
Kevin Carter
50367fbe35 Convert firewall rules to use TripleO-Ansible
This change converts our firewall deployment practice to use
the tripleo-ansible firewall role. This change creates a new
"firewall_rules" object which is queried using YAQL from the
"FirewallRules" resource.

A new parameter has been added allowing users to input
additional firewall rules as needed. The new parameter is
`ExtraFirewallRules` and will be merged on top of the YAQL
interface.

Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed
Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-11-18 15:40:22 -06:00
Alex Schultz
2dc7066b05 Use a systemd service to handle sidecar containers
This change switches the neutron dhcp, l3 and ovn containers to use
ansible on the host to write out systemd & service scripts that can be
used to trigger side car containers to be launched from within the
target containers.

Change-Id: I2feb9e81bc40e44cb2c7a2972366fa4b16590227
Blueprint: safe-side-containers
Depends-On: https://review.opendev.org/693442
2019-11-15 12:21:26 +00:00
Jose Luis Franco Arza
4cbae84c75 Get rid of docker removing in post_upgrade tasks.
When upgrading from Rocky to Stein we moved also from using the docker
container engine into Podman. To ensure that every single docker container
was removed after the upgrade a post_upgrade task was added which made
use of the tripleo-docker-rm role that removed the container. In this cycle,
from Stein to Train both the Undercloud and Overcloud work with Podman, so
there is no need to remove any docker container anymore.

This patch removes all the tripleo-docker-rm post-upgrade task and in those
services which only included a single task, the post-upgrade-tasks section
is also erased.

Change-Id: I5c9ab55ec6ff332056a426a76e150ea3c9063c6e
2019-11-12 16:33:38 +01:00
Michele Baldessari
1b718b2cab Fix duplicate mount point in neutron_dhcp
podman >= 1.4.x bails out when duplicate mount points are passed to it
and with tls-everywhere the neutron_dhcp container will fail with:

2019-10-25 09:43:06.168 117719 DEBUG paunch [ ] $ podman create --name neutron_dhcp --label config_id=tripleo_step4 --label container_name=neutron_dhcp --label managed_by=paunch --label config_data={"depends_on": ["openvswitch"], "environment": ["KOLLA_CONFIG_STRATEGY=COPY_ALWAYS", "TRIPLEO_CONFIG_HASH=553e07d2d41900907a6cb501d10e15af"], "healthcheck": {"test": "/openstack/healthcheck 5672"}, "image": "192.168.24.1:8787/rh-osbs/rhosp15-openstack-neutron-dhcp-agent:20191022.1", "net": "host", "pid": "host", "privileged": true, "restart": "always", "security_opt": "label=disable", "start_order": 10, "ulimit": ["nofile=16384"], "volumes": ["/etc/hosts:/etc/hosts:ro", "/etc/localtime:/etc/localtime:ro", "/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro", "/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro", "/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro", "/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro", "/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro", "/dev/log:/dev/log", "/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro", "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro", "/etc/puppet:/etc/puppet:ro", "/var/log/containers/neutron:/var/log/neutron:z", "/var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro", "/var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro", "/lib/modules:/lib/modules:ro", "/run/openvswitch:/run/openvswitch:shared,z", "/var/lib/neutron:/var/lib/neutron:shared,z", "/run/netns:/run/netns:shared", "/var/lib/neutron/dnsmasq_wrapper:/usr/local/bin/dnsmasq:ro", "/var/lib/neutron/dhcp_haproxy_wrapper:/usr/local/bin/haproxy:ro", "/etc/pki/tls/certs/neutron.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/neutron.crt:ro", "/etc/pki/tls/private/neutron.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/neutron.key:ro", "/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro"]} --conmon-pidfile=/var/run/neutron_dhcp.pid 
--detach=true --log-driver k8s-file --log-opt path=/var/log/containers/stdouts/neutron_dhcp.log --env=KOLLA_CONFIG_STRATEGY=COPY_ALWAYS --env=TRIPLEO_CONFIG_HASH=553e07d2d41900907a6cb501d10e15af --net=host --pid=host --ulimit=nofile=16384 --privileged=true --volume=/etc/hosts:/etc/hosts:ro --volume=/etc/localtime:/etc/localtime:ro --volume=/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro --volume=/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro --volume=/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro --volume=/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro --volume=/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro --volume=/dev/log:/dev/log --volume=/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro --volume=/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro --volume=/etc/puppet:/etc/puppet:ro --volume=/var/log/containers/neutron:/var/log/neutron:z --volume=/var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro --volume=/var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro --volume=/lib/modules:/lib/modules:ro --volume=/run/openvswitch:/run/openvswitch:shared,z --volume=/var/lib/neutron:/var/lib/neutron:shared,z --volume=/run/netns:/run/netns:shared --volume=/var/lib/neutron/dnsmasq_wrapper:/usr/local/bin/dnsmasq:ro --volume=/var/lib/neutron/dhcp_haproxy_wrapper:/usr/local/bin/haproxy:ro --volume=/etc/pki/tls/certs/neutron.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/neutron.crt:ro --volume=/etc/pki/tls/private/neutron.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/neutron.key:ro --volume=/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro --security-opt=label=disable --cpuset-cpus=0,1,2,3 192.168.24.1:8787/rh-osbs/rhosp15-openstack-neutron-dhcp-agent:20191022.1

 "b'Error: /etc/ipa/ca.crt: duplicate mount destination\\n'

That is because the /etc/ipa/ca.crt is provided by both
[ContainersCommon, volumes] and the step_4/neutron_dhcp itself

We can simply remove it from the neutron_dhcp container.

Change-Id: I99fd308e7e63699cb9deac1d0a4ace5cd4f43c68
Closes-Bug: #1850663
2019-10-30 17:05:00 +01:00
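Both podman volume problems on this page (the trailing-slash idempotency issue in "Remove unnecessary slash volume maps" above, and the duplicate mount destination here) are cheap to catch before `podman create` is ever called. The following is an added example, not TripleO or paunch code: it canonicalises `host:container[:opts]` specs the way podman stores them (no trailing slash, options in a stable order) so that a requested spec compares equal with what `podman inspect` reports, and it merges a service's volumes over the common ones, dropping exact repeats such as the `/etc/ipa/ca.crt` line quoted in the log above but refusing two different claims on one destination. The sample lists are a constructed subset of the volumes in that log.

```python
"""Added example (not TripleO/paunch code): normalise podman volume specs and
detect duplicate mount destinations before calling podman create."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed subset of the neutron_dhcp volume list quoted in the commit log:
# /etc/ipa/ca.crt is claimed by the common volumes and by the service itself.
COMMON_VOLUMES = [
    "/etc/hosts:/etc/hosts:ro",
    "/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro",
]
NEUTRON_DHCP_VOLUMES = [
    "/var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro",
    "/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro",
]


def parse_volume(spec: str) -> Tuple[Optional[str], str, Set[str]]:
    """Split 'host:dest[:opts]' (or a bare 'dest' anonymous volume) into
    (host, dest, options)."""
    parts = spec.split(':')
    if len(parts) == 1:
        return None, parts[0], set()
    opts = set(parts[2].split(',')) if len(parts) > 2 and parts[2] else set()
    return parts[0], parts[1], opts


def normalize_path(path: str) -> str:
    """podman stores bind paths without a trailing slash; '/' itself stays."""
    return path if path == '/' else path.rstrip('/')


def normalize_volumes(volumes: List[str]) -> List[str]:
    """Canonical form of each spec: stripped paths, sorted options. Comparing
    canonical specs against `podman inspect` output keeps containers from being
    recreated on every run just because '/run/x/' != '/run/x'."""
    out = []
    for spec in volumes:
        host, dest, opts = parse_volume(spec)
        dest = normalize_path(dest)
        if host is None:
            out.append(dest)
            continue
        pieces = [normalize_path(host), dest]
        if opts:
            pieces.append(','.join(sorted(opts)))
        out.append(':'.join(pieces))
    return out


def duplicate_destinations(volumes: List[str]) -> Dict[str, List[str]]:
    """Map each container destination claimed more than once to the specs that
    claim it; podman >= 1.4 rejects such a set with 'duplicate mount
    destination'."""
    seen: Dict[str, List[str]] = {}
    for spec in volumes:
        _, dest, _ = parse_volume(spec)
        seen.setdefault(normalize_path(dest), []).append(spec)
    return {dest: specs for dest, specs in seen.items() if len(specs) > 1}


def merge_volumes(common: List[str], service: List[str]) -> List[str]:
    """Merge a service's volumes over the common ones. Exact repeats are
    dropped (the /etc/ipa/ca.crt case); two different specs for the same
    destination are a genuine conflict and raise instead of letting podman
    fail later in the deployment."""
    merged: List[str] = []
    for spec in normalize_volumes(list(common) + list(service)):
        if spec not in merged:
            merged.append(spec)
    dups = duplicate_destinations(merged)
    if dups:
        raise ValueError(f'conflicting mounts for destinations: {sorted(dups)}')
    return merged


if __name__ == '__main__':
    print(duplicate_destinations(COMMON_VOLUMES + NEUTRON_DHCP_VOLUMES))
    print(merge_volumes(COMMON_VOLUMES, NEUTRON_DHCP_VOLUMES))
```

Treating an identical repeat and a conflicting repeat differently is the point: the first is harmless to collapse, while the second (say `:ro` from one template and `:shared,z` from another) changes what the container can write and which SELinux label the host path gets, and should fail review rather than be silently resolved by whichever entry happens to come last.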
Emilien Macchi
81258ae551 Convert container environment from a list to a dict
Moving all the container environments from lists to dicts, so they can
be consumed later by the podman_container ansible module which uses
dict.

Using a dict is also easier to parse, since it doesn't involve "=" for
each item in the environment to export.

Change-Id: I894f339cdf03bc2a93c588f826f738b0b851a3ad
Depends-On: I98c75e03d78885173d829fa850f35c52c625e6bb
2019-10-16 01:29:31 +00:00
Harald Jensås
add2d39da7 Add DHCPv6 rules + set ipversion for dhcp rules
Use the ipversion parameter for firewall rules to contain
rule creation in either iptables or ip6tables. Add rules
in ironic-inspector and neutron deployment template to
add rules for DHCPv6 in ip6tables.

DHCPv6 relay and DHCPv6 server both use port 547 so 547
need to be open for both INPUT and OUTPUT.

Related-bug: #1845153
Depends-On: Id872c55cfc6b958fef3ccda2d923f821a1fe6a13
Depends-On: I8b453f7c13c2015aa208ed1bddcdca246cdca58d
Change-Id: If91b883459488856ae54e3ca0d0fb97d4d248f97
2019-10-07 22:59:55 +00:00
Martin Magr
5ccf8951e5 Remove fluentd composable service
This patch removes fluentd composable service in favor of rsyslog composable service
and modifies *LoggingSource configuration accordingly.

Change-Id: I1e12470b4eea86d8b7a971875d28a2a5e50d5e07
2019-08-29 13:52:55 +01:00
Jose Luis Franco Arza
d1035703b7 Force removal of docker container in tripleo-docker-rm.
The tripleo-docker-rm role has been replaced by tripleo-container-rm [0].
This role will identify the docker engine via the container_cli variable
and perform a deletion of that container. However, these tasks inside the
post_upgrade_tasks section were thought to remove the old docker containers
after upgrading from rocky to stein, in which podman starts to be the
container engine by default.

For that reason, we need to ensure that the container engine in which the
containers are removed is docker, as otherwise we will be removing the
podman container and the deployment steps will fail.

Closes-Bug: #1836531
[0] - 2135446a35

Depends-On: https://review.opendev.org/#/c/671698/
Change-Id: Ib139a1d77f71fc32a49c9878d1b4a6d07564e9dc
2019-07-19 12:37:35 +00:00
Zuul
b23ef5ad87 Merge "Enable kill script for Neutron agents" 2019-06-27 18:51:18 +00:00
Cédric Jeanneret
e4c4fcb2a6 Enable kill script for Neutron agents
Neutron introduced "kill script" support for its agents, allowing to do
more than a simple "kill <pid>".

This patch intends to activate this new feature, allowing to avoid
dangling containers with failed exit state.

It supports the "HUP" and "9" signal - first one invokes the "kill
--signal HUP" command from the container_cli, while the second one will
stop and delete the container.
Other signals will return an error, since they aren't known.

The kill-script also supports the global Debug flag for a more verbose
output.

This patch also adds a soon to be deprecated parameter
DockerAdditionalSockets in order to make the change compatible with
setups still using Docker (HA deploy on Centos-7 and RHEL-7 for
example).

For more information about Neutron new kill script feature, please have
a look at this change: I29dfbedfb7167982323dcff1c4554ee780cc48db

Depends-On: https://review.opendev.org/661760
Change-Id: Iafa57b462f5ee205345a8d6e6d460ab68f312099
2019-06-26 17:18:10 +02:00
Bogdan Dobrelya
99b63d7805 [AZs] Better detect OVN in NeutronMechanismDrivers
NeutronMechanismDrivers is a list and we should examine it
if it contains 'ovn' or not.

Change-Id: I2bd9d7150c1f08f078f1a3a709138fbe3e66d365
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-06-18 12:16:05 +02:00
Zuul
14998e6a5d Merge "Convert Docker*Image parameters" 2019-06-18 08:01:14 +00:00
Bogdan Dobrelya
20f34fc556 Rework neutron AZ configs considering OVN
Allow Neutron to be configured for use of AZs w/o additional t-h-t
services introduced.

Limitations for the used NeutronMechanismDrivers:

* Right now OVN doesn't support AZ aware routing scheduling (later in
  Train cycle OVN ml2 driver will be extended to support it).
* Nor are there Neutron agents normally deployed for OVN.
* We do allow the L3 agent to take AZ configs regardless of
  the used NeutronMechanismDrivers.
* But we take the safe path for the DHCP agent and prohibit AZ
  configuration for it in the OVN case.

So effectively nothing applies there for Neutron AZs and OVN,
as it makes little to no sense to do that yet.

Related blueprint split-controlplane-templates

Change-Id: I0d97b004c4f162fdefc97a7b603c0136686fa21c
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-06-12 09:43:06 +02:00
Dan Prince
a68151d02a Convert Docker*Image parameters
This converts all Docker*Image parameter variants into
Container*Image variants.

The commit was autogenerated with the following shell commands:

for file in $(grep -lr Docker.*Image --include \*.yaml --exclude-dir releasenotes); do
  sed -e "s|Docker\([^ ]*Image\)|Container\1|g" -i $file
done

Change-Id: Iab06efa5616975b99aa5772a65b415629f8d7882
Depends-On: I7d62a3424ccb7b01dc101329018ebda896ea8ff3
Depends-On: Ib1dc0c08ce7971a03639acc42b1e738d93a52f98
2019-06-05 14:33:44 -06:00
Zuul
2f43d4b967 Merge "Consolidate RpcPort healthchecks" 2019-05-31 14:58:21 +00:00