This review updates openstack-helm-infra to commit
8351fdd0f1228717342c2accc96977b0cdc36dc3 and removes patches that were
merged on osh-i; fixes the remaining patches to the current diffs and does
minor adaptations to make osh-i work on StarlingX.
Story: 2009161
Task: 43151
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I36159b0264a79c3727b20e6ff1b7831183e47c3a
Adding a certificate and ca_certificate using:
`certificate-install -m {openstack | openstack_ca}` ends up breaking
openstack application. OS-STX forces public endpoint and when such
endpoint has TLS enabled everything breaks, therefore based on the
implementation of tls support for openstack-helm that enables tls
for the openstack services we picked the trust cert code without
actually enabling tls backends.
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: I2dfc7c12defcc948fcdc353251301980e65f3011
Closes-Bug: 1937260
Update remaining StarlingX packages with hardcoded TIS_PATCH_VER to
use PKG_GITREVCOUNT where possible, with offsets as needed to ensure
the version is incremented above the hardcoded version.
Story: 2008455
Task: 41455
Signed-off-by: Don Penney <don.penney@windriver.com>
Change-Id: Icdc9d71d1268a4d3dd9e569c8642717bceadda5e
admin account is used before, but if admin password is changed, flock
service cannot be notified and cannot get the new password, so flock
service like nfv-vim cannot fetch openstack vm info ever.
stx_admin account is created for this case.
Depends-On: https://review.opendev.org/753971
Closes-Bug: 1887755
Change-Id: I36f2442036bf6c98fbb0af727fddf1dd50e58330
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
- cinder-volumes
- cinder.backups
- images
- ephemeral
Pg_num values were increased to avoid ceph health warning
that occurs on larger systems due to the default
pg_num settings not being large enough.
Change-Id: I23feffe613c37b12dff51c73e7ced9a9c7663089
Closes-bug: 1899128
Signed-off-by: Elena Taivan <elena.taivan@windriver.com>
The requests to Openstack services hang/fail sometimes
due to message loss when connecting to internal service
endpoints. This issue was observed before and fixed in
commit https://review.opendev.org/#/c/683818/ by setting
net.ipv4.tcp_tw_reuse to 0, however, it's still being
seen on recent STX loads.
It has been tested and proved that requests go through
ingress pod do not have the issue. This commit updates
helm charts and manifest to make all requests sending
to openstack services go to ingress pod and then ingress
would forward requests to the corresponding api service.
Changes included:
- update helm-toolkit manifest job-ks-endpoint.yaml
to provide an ability to conditionally configure
all types of openstack endpoints with public endpoint
url when endpoints.identity.force_public_endpoint is
true. Same update for keystone and keystone-api-proxy.
With the update, for example, the admin,internal
and public endpoints for neutron will be
neutron.openstack.svc.cluster.local:80
- update armada manifest to make necessary overrides
in openstack service configuration file to make
communications between services go through ingress
Change-Id: Icd646dd07d544da420a75f920bd7c3e8fc931327
Closes-Bug: 1880777
Signed-off-by: Angie Wang <angie.wang@windriver.com>
This adds support for Helm v3.
- 'helm init' and initialization is no longer required
- 'chartmuseum' is used as a drop-in replacement for 'helm serve'
- all Charts require the tag: apiVersion: v1 (or v2)
This updates ingress chart to specify apiVersion.
Change-Id: Ie41cde4ad450b63a78a0a677995e9c28eefd9798
Story: 2007000
Task: 39327
Depends-On: https://review.opendev.org/719962
Signed-off-by: Jim Gauld <james.gauld@windriver.com>
With the update of openstack clients within heat image:
openstack client >= 4.0.0
neutron client >= 6.14.0
neutron lib >= 1.29.1
The command 'openstack network show ${network} -f value -c subnets'
returns '[]' instead of null string if no subnets found in the
specific network. This commit adds a check logic to avoid subsequent
command returns error by using '[]' as subnet input.
Change-Id: I695e504518e1c884c7d66ecc94c9fa8787ce9752
Closes-Bug: 1855319
Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
This update patched openstack keystone helm chart to support ingress
creation for custom admin endpoint. It will be used in DC subcloud
deployment to expose keystone admin endpoint to System Controller.
The change has been submitted to upstream openstack-helm for review:
https://review.opendev.org/#/c/697525/
Change-Id: I5792f3f9031470ab97a4dea8f47eff244160f8ee
Story: 2006588
Task: 37747
Signed-off-by: Andy Ning <andy.ning@windriver.com>
In deployment-novncproxy.yaml, it set hostNetwork = true.
We want to let it use cluster network instead of hostNetwork.
This patch will add a config item, so that we can override it
to use cluster network. Then no need to enable 6080 port in
local network firewall for novncproxy access.
Upstream patch submitted as below.
https://review.opendev.org/#/c/679891
Below test pass!
Access to VM console through horizon works!
Closes-bug: 1827246
Change-Id: Icb0cfa39839e151d5869c64bc8f0151d0d9faf49
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
When https is enabled, the cinder helm chart would fail
to apply due to a failure in cinder bootstrap script.
The cinder client which uses the public endpoint to query
the volume types cannot resolve the dns name locally.
This commit changes the cinder template bootstrap script
to use the openstack client instead of the cinder client
to list volume types.
Upstream (openstack-helm) review:
https://review.opendev.org/#/c/671024/
Partial-Bug: 1826583
Change-Id: I63bf1d557c1dd4c93a0063cc9ec1624584079917
Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
When HTTPS is enabled, the public endpoint of placement service
is set with https and fqdn. The placement helm chart would fail
to apply.
This commit is to correct the syntax of the secret tls section
in the values.yaml and secret-ingress-tls.yaml.
Upstream (openstack-helm) review:
https://review.opendev.org/#/c/662229
Partial-Bug: 1826583
Change-Id: I64e7c1ff1972b0640145d18cafe2ea4e505db465
Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
This commit adds the capability for Aodh, Panko and Gnocchi
charts to support TLS on overridden fqdn for public endpoints.
Upstream (openstack-helm/openstack-helm-infra) reviews:
https://review.opendev.org/#/c/670121/
https://review.opendev.org/#/c/670123/
Change-Id: I3011a9f0f07c9cf1b30694c97f3c02db6cdef56e
Partial-Bug: 1826583
Signed-off-by: Angie Wang <angie.wang@windriver.com>
Add capability for nova to send service token. Default to disabled.
Config setup is similar to keystone_authtoken.
Upstream openstack-helm review: https://review.opendev.org/#/c/667690
Story: 2003909
Task: 34311
Change-Id: I9f217a4c98298a861f2ade03a620895697e79122
Signed-off-by: Gerry Kopec <gerry.kopec@windriver.com>
Wrap code making the assumption there is only one Ceph backend
(using is_ceph_volume_configured) in a "range" and use ceph_backend_list
helper to iterate all available Ceph backends.
Move Ceph pool application name in values.yaml from
conf.software.rbd.rbd_pool_app_name* to conf.ceph.pools.*.app_name
Change-Id: Ib62407a876b8e679a15d6b9293b8e1e03e149788
Depends-On: I2d3e7d5440b55e0e9e3d053f645fc162736bbde6
Story: 2003909
Task: 30351
Signed-off-by: Daniel Badea <daniel.badea@windriver.com>
This commit adds helm charts of placement to openstack-helm
Related openstack-helm upstream change is
https://review.opendev.org/#/c/662229/
Below test pass on both AIO and multi setup
1) Openstack Application apply and reapply
2) VM creation and delete
3) Active controller switch and create vm after that
Story: 2005750
Task: 33418
Change-Id: I68ec2325af6b37393267d5898a49e75623728349
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
Pull in the two upstream changes since the last chart rebase and cherry
pick the newly proposed changes for enabling Cinder volume backups.
The following changes will be dropped on the next chart rebase:
- Adding a cinder internal tenant to support image-volume caching
- Allow configuring the RBD application name for volumes and backups
Change-Id: I2d3e7d5440b55e0e9e3d053f645fc162736bbde6
Story: 2004520
Task: 33631
Signed-off-by: Robert Church <robert.church@windriver.com>
There are exceptions in nova pods looking like
ERROR oslo_messaging.rpc.server [-] Exception during message handling: oslo_messaging.rpc.dispatcher.UnsupportedVersion: Endpoint does not support RPC version 1.0. Attempted method: pod_health_probe_method_ignore_errors
ERROR oslo_messaging.rpc.server Traceback (most recent call last):
ERROR oslo_messaging.rpc.server File "/var/lib/openstack/lib/python3.6/site-packages/oslo_messaging/rpc/server.py", line 163, in _process_incoming
ERROR oslo_messaging.rpc.server res = self.dispatcher.dispatch(message)
ERROR oslo_messaging.rpc.server File "/var/lib/openstack/lib/python3.6/site-packages/oslo_messaging/rpc/dispatcher.py", line 276, in dispatch
ERROR oslo_messaging.rpc.server raise UnsupportedVersion(version, method=method)
ERROR oslo_messaging.rpc.server oslo_messaging.rpc.dispatcher.UnsupportedVersion: Endpoint does not support RPC version 1.0. Attempted method: pod_health_probe_method_ignore_errors
Merged fix from openstack-helm community
Change-Id: Ic1ce9fb30424beb78ed604d9ae340fe838815bb5
Closes-Bug: 1829793
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
Current script does not consider centos distro as base image.
Different folder was checked to copy pxe files to tftpboot folder.
Story: 2004760
Task: 30280
Change-Id: I288d7e6bc0e3570f6a6bb7a9587e120ab4501736
Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
Remove patches that were added on top of upstream to adapt helm to Ceph
Jewel.
Change-Id: I29a2154c662f1a223265e7710a5f7976bc922939
Depends-On: I4d05a05ad116e33ee7c24432219c176c8a0b8d61
Co-Authored-By: Robert Church <robert.church@windriver.com>
Signed-off-by: Daniel Badea <daniel.badea@windriver.com>
Each patch included in this commit contains a commit message that
describes the required purpose of the patch.
Change-Id: Ied38e5cbedbe06fd0b6f27612aa0bddf60064dea
Depends-On: Ic788a2c86edfbceca1f1ff18dd0344472546c81b
Story: 2004520
Task: 29966
Signed-off-by: Robert Church <robert.church@windriver.com>
Fuzzy openstack-helm patches are causing intermittent
build failures when .orig files are found by the linter.
==> Linting neutron
[ERROR] templates/daemonset-lb-agent.yaml.orig: file extension '.orig'
not valid. Valid extensions are .yaml, .yml, .tpl, or .txt
[ERROR] templates/daemonset-ovs-agent.yaml.orig: file extension '.orig'
not valid. Valid extensions are .yaml, .yml, .tpl, or .txt
BUILDSTDERR: Error: 1 chart(s) linted, 1 chart(s) failed
BUILDSTDERR: make[1]: *** [lint-neutron] Error 1
make[1]: Leaving directory `/builddir/build/BUILD/openstack-helm'
BUILDSTDERR: make: *** [neutron] Error 2
BUILDSTDERR: error: Bad exit status from /var/tmp/rpm-tmp.Sd6TYe
(%build)
BUILDSTDERR: Bad exit status from /var/tmp/rpm-tmp.Sd6TYe (%build)
RPM build errors:
This update attacks the problem in two ways.
1) Defuzz the patches
2) Add patch options to avoid creation of .orig and .rej files
in a location that will be linted.
Change-Id: Ifc42988984fab5225bc041704c5631ac6cd8043d
Signed-off-by: Scott Little <scott.little@windriver.com>
We should up the interfaces added to ovs bridges, otherwise packets can
not go through the nic interfaces.
Story: 2004649
Task: 29999
Change-Id: Ib1b8577edc7f0d15e1f20479da7740eba127935b
Signed-off-by: chengli3 <cheng1.li@intel.com>
Add new job to create the required ephemeral pool(s).
Tests performed:
- application apply
- launch of instance without ephemeral storage
- launch of instance with remote ephemeral storage
- cold migration of instance with remote ephemeral storage
Change-Id: Iac31bb5ae2dc32913addc8ab9b5182391515c0ea
Story: 2005074
Task: 29648
Signed-off-by: Irina Mihai <irina.mihai@windriver.com>
Depends-on: I9850663fc86c62ed759714f1297cfdaa8183183f
Support per-host overrides of auto_bridge_add, so we can set different
nic for ovs bridges.
This feature is already merged into openstack-helm. As we don't use
latest version of openstack-helm, so make this as a patch in
stx-upstream.
Change-Id: Ida085e8475ade6787aaaee77148d669248dd66c6
Story: 2004649
Task: 29867
Signed-off-by: chengli3 <cheng1.li@intel.com>
Upstream nova helm chart attempts to figure out the address for VM
consoles by running an init container that checks for ip routes and
addresses on a compute host. It then sets the appropriate nova config
options in a config file which it passes to nova-compute. However this
effectively overwrites the same config option that stx has already
set in nova.conf via per host overrides causing us to communicate over
the wrong network or not to connect at all.
This fix introduces an option to enable/disable passing of this
additional config file to nova-compute. Default upstream behaviour is
unchanged, but we will disable it in our overrides.
Partial-Bug: #1815490
Change-Id: I86eb80578b23fd89b7f9643b943ee759f26a15be
Signed-off-by: Gerry Kopec <gerry.kopec@windriver.com>
- pass new pool replication parameter to the storage init script
- set images pool replication in the storage init script
Change-Id: If0ecaeb12afd78caacdbb9b85cda8d6cfda00dea
Story: 2004520
Task: 29324
Depends-on: I120e196ec3acca1f57b717cc4548c7c549fac738
Signed-off-by: Irina Mihai <irina.mihai@windriver.com>
neutron-sanity-check command triggers privsep code and produces the
following:
WARNING oslo.privsep.daemon [-] privsep log:
oslo_log.log.LogConfigError: Error loading logging config
/etc/neutron/logging.conf: [Errno 2] No such file or directory:
'/etc/neutron/logging.conf'
This will add log_config_append to neutron-etc and allow ovs-agent to
successfully deploy
Change-Id: I82dd56dc686e2efbd10921b248497955c37279f1
Story: 2004751
Task: 28894
Signed-off-by: Robert Church <robert.church@windriver.com>
During Stein the deprecated query_volume_filters config option was
removed. As a result, /etc/cinder/resource_filters.json is required to
allow volume display operations to function.
This adds the file to the configmap and provides the default values for
the filters.
Change-Id: I5b21949160430c72eb63db20475efa9f098e809f
Story: 2004751
Task: 28894
Signed-off-by: Robert Church <robert.church@windriver.com>
This removes the --skip-metering-database option from _db-sync.sh.tpl.
This option was removed with the deprecated storage drivers in
Queens.
Change-Id: I6c88f882c9e54841c9eeb97c5010cf0691804a62
Story: 2004751
Task: 28894
Signed-off-by: Robert Church <robert.church@windriver.com>
To enable cold migration, need to update nova charts in openstack-helm
and helm-toolkit chart in openstack-helm-infra. These changes build
on existing upstream components which attempt to add a second container
to the nova-compute pod which creates a sshd process listening on port
8022.
Nova chart changes include:
- Fix bug in ssh-config mapping so config file is generated properly in
/root/.ssh/config in nova-compute container.
- Move private key from sshd container to nova-compute container.
- Map private and public ssh keys to new configmap-ssh which will
default to acceptable file permissions (400) for ssh. Keys will be
provided in overrides.
- Add additional config to /etc/ssh/sshd_config to allow passwordless
root logins over appropriate subnet passed in from overrides. This
is the same as what is done in nova puppet currently.
- Remove chmods from sshd bash script as they are failing. Function is
replaced by configmap-ssh.
To enable cold migration in nova helm chart, we need to allow multiple
containers within the same daemonset pod. This requires a patch to
the helm-toolkit _daemonset_overrides template to remove upstream
restriction. This issue is tracked upstream by storyboard 2003876.
These changes should be upstreamed but may require further refinement.
Story: 2003909
Task: 28927
Change-Id: Id789ba051cec019e8b7564c713cf1b5296ecf9f6
Signed-off-by: Gerry Kopec <Gerry.Kopec@windriver.com>
The keystone-api pod gets stuck in CrashLoopBackOff on
AIO-SX lock/unlock attempt.
When Kubernetes decides to kill the keystone-api pod due to readiness
probe failure or other reasons, it calls the preStop hook immediately
before the container is terminated. This hook starts a graceful
shutdown process which includes removing pid, shared memory segment
and wsgi sock files. If the container is not terminated within the
grace period, a SIGKILL is sent, and the container is forced to shut
down.
When the container was forced to terminate without clean up, the
stale files were left behind. On the restart, the application
detected the file existed, and treated it as configuration failure,
hence the exit. As a result, the pod went into a crash loop.
This update removes any stale files when the pod starts.
Story: 2004520
Task: 28392
Change-Id: I613a0db674de9578b3f9d1fa781a1612d9caf214
Signed-off-by: Tao Liu <tao.liu@windriver.com>
The spec files for openstack-helm-infra and openstack-helm
have been updated to not require networking, and therefore
can be built the same as other std targets rather than as
a container target.
helm init --client-only was using networking and DNS lookup.
This commit sets up helm without running that command.
Story: 2004005
Task: 28793
Change-Id: I35c9b547a98fac559793bc2ec00012f6eded8ffa
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
IPMI device should be mounted from host to ceilometer-ipmi pod
in order to enable pulling of ipmi samples.
Change-Id: Ic8c31c825e406ab4f3fd7bdad5c9dd104120230c
Story: 2003909
Task: 27083
Signed-off-by: Angie Wang <angie.wang@windriver.com>
This change adds a cron job to purge deleted items from the heat
database every 24h.
Long running operations (for example autoscale stacks) can lead to heat
database growth over time. This will remove entries that have been soft
deleted from the heat database.
This change should be upstreamed.
Change-Id: I5f78e63ee4219525e82c5897e72d39e25aa166c4
Story: 2003909
Task: 27088
Signed-off-by: David Sullivan <david.sullivan@windriver.com>
Stale Apache2 pids will prevent Apache2 from starting and will leave
the POD in a crashed state.
Note: the pid file is somewhat confusingly called
/var/run/httpd/httpd.pid and /var/run/apache2 is just a symlink to
/var/run/httpd.
This is loosely based off the in-review upstream commit at
https://review.openstack.org/#/c/619747
Change-Id: Ifec8b58e4789edb1f858ef1a9d720045d8768701
Story: 2003909
Task: 27632
Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
Openstack-helm has been rebased to a current version of the upstream repo
which includes the feature that uses secrets to store config information.
Aodh, panko and ceilometer charts should apply the same change in order to
deploy those services successfully.
Change-Id: I32424a01a0dc049989f67d14de94b645f8045e68
Story: 2004005
Task: 27947
Signed-off-by: Angie Wang <angie.wang@windriver.com>
Rebase to a current version of the upstream repos. This will retire the
reverted commits that we needed to enable per host overrides as this was
fixed upstream.
Change-Id: Iacbdd666687b8bc12053f9d3dd833f9896a508cd
Depends-On: Iedb814ce0c72a59ab0ce5e72e4601082b61f82b0
Story: 2003909
Task: 27632
Signed-off-by: Robert Church <robert.church@windriver.com>
This commit includes two patches for adding helm charts to
deploy Aodh and Panko services.
The charts are created based on the upstream unfinished ones:
https://review.openstack.org/#/c/468530/
https://review.openstack.org/#/c/469180/
Change-Id: I7c012ea023481aa1be9b69657f58dd9f733a58ab
Story: 2004005
Task: 27947
Signed-off-by: Angie Wang <angie.wang@windriver.com>
There are 3 patches for openstack-helm-infra based on
upstream SHA 5ec85a5d70fab468160d2fdafed1a2a7a5151405
There are 3 patches for openstack-helm based on
upstream SHA add7a9bc1175f6fafa8ea2918bc1d62209aaf243
Those patches will be removed as the commits are squashed
and merged by the containerization team.
Story: 2003909
Task: 27632
Depends-On: I5c761b9261e72783f1771492d653e641193f7c52
Depends-On: I57c5ec5f3565e9e585f0935af745e495699aa28c
Change-Id: I566f5f841397195024db7c636c1db2be7b2c8f4d
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>