916b9385c6
(manually squashed the subsequent fix [1] into a single commit)
(also manually squashed [2] because of #1906505)

There are certain HA clustered services (e.g. galera) that don't have the ability natively to reload their TLS certificate without being restarted. If too many replicas are restarted concurrently this might result in full service disruption.

To ensure service availability, provide a means to ensure that only one service replica is restarted at a time in the cluster. This works by using pacemaker's CIB to implement a cluster-wide restart lock for a service. The lock has a TTL so it's guaranteed to be eventually released without requiring complex contingency cleanup in case of failures.

Tested locally by running the following:

1. force recreate certificate on all nodes at once for galera (ipa-cert resubmit -i mysql), and verify that the resources restart one after the other
2. create a lock manually in pacemaker, recreate certificate for galera on all nodes, and verify that no resource is restarted before the manually created lock expires.
3. create a lock manually, let it expire, recreate a certificate, and verify that the resource is restarted appropriately and the lock gets cleaned up from pacemaker once the restart finished.

[1] Id10f026c8b31cad7b7313ac9427a99b3e6744788
[2] I17f1364932e43b8487515084e41b525e186888db

Related-Bug: #1904193
Closes-Bug: #1885113
Change-Id: Ib2b62e33b34cf72edfdae6299cf432259bf960a2
(cherry picked from commit
README.rst
Team and repository tags
tripleo-heat-templates
Heat templates to deploy OpenStack using OpenStack.
- Free software: Apache License (2.0)
- Documentation: https://docs.openstack.org/tripleo-docs/latest/
- Source: https://opendev.org/openstack/tripleo-heat-templates
- Bugs: https://bugs.launchpad.net/tripleo
- Release notes: https://docs.openstack.org/releasenotes/tripleo-heat-templates/
Features
The ability to deploy a multi-node, role based OpenStack deployment using OpenStack Heat. Notable features include:
- Choice of deployment/configuration tooling: puppet, (soon) docker
- Role based deployment: roles for the controller, compute, ceph, swift, and cinder storage
- Physical network configuration: support for isolated networks, bonding, and standard ctlplane networking
Directories
A description of the directory layout in TripleO Heat Templates.
- environments: contains heat environment files that can be used with -e
on the command line to enable features, etc.
- extraconfig: templates used to enable 'extra' functionality. Includes
functionality for distro specific registration and upgrades.
- firstboot: example first_boot scripts that can be used when initially
creating instances.
- network: heat templates to help create isolated networks and ports
- puppet: templates mostly driven by configuration with puppet. To use these
templates you can use the overcloud-resource-registry-puppet.yaml.
- validation-scripts: validation scripts useful to all deployment
configurations
- roles: example roles that can be used with the tripleoclient to generate
a roles_data.yaml for a deployment. See the roles/README.rst for additional details.
Service testing matrix
The configuration for the CI scenarios will be defined in tripleo-heat-templates/ci/ and should be executed according to the following table:
- | scn000 | scn001 | scn002 | scn003 | scn004 | scn006 | scn007 | scn009 | scn010 | non-ha | ovh-ha |
---|---|---|---|---|---|---|---|---|---|---|---|
keystone |
|
|
|
|
|
|
|
|
|
|
|
glance |
|
swift |
|
|
|
|
|
|
|
||
cinder |
|
iscsi | |||||||||
heat |
|
|
|||||||||
ironic |
|
||||||||||
mysql |
|
|
|
|
|
|
|
|
|
|
|
neutron |
|
|
|
|
|
|
|
|
|
||
neutron-bgpvpn |
|
||||||||||
ovn |
|
||||||||||
neutron-l2gw |
|
||||||||||
om-rpc | rabbit | rabbit |
|
rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | ||
om-notify | rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | ||
redis |
|
|
|||||||||
haproxy |
|
|
|
|
|
|
|
|
|
||
memcached |
|
|
|
|
|
|
|
|
|
||
pacemaker |
|
|
|
|
|
|
|
|
|
||
nova |
|
|
|
|
ironic |
|
|
|
|
||
ntp |
|
|
|
|
|
|
|
|
|
|
|
snmp |
|
|
|
|
|
|
|
|
|
|
|
timezone |
|
|
|
|
|
|
|
|
|
|
|
sahara |
|
||||||||||
mistral |
|
||||||||||
swift |
|
||||||||||
aodh |
|
|
|||||||||
ceilometer |
|
|
|||||||||
gnocchi |
|
|
|||||||||
panko |
|
|
|||||||||
barbican |
|
||||||||||
zaqar |
|
||||||||||
ec2api |
|
||||||||||
cephrgw |
|
||||||||||
tacker |
|
||||||||||
cephmds |
|
||||||||||
manila |
|
||||||||||
collectd |
|
||||||||||
designate |
|
||||||||||
octavia |
|