The Etcd service is needed for A/A management of the CinderVolume
service on these roles so it should be added to the roles by default.
Change-Id: I9d3d17fec857014f399b8339ce7c68f844d230a9
implements: blueprint split-controlplane-templates
This service is mapped to OS::Heat::None by default, but when enabled,
it uses external deploy tasks to create a new aggregate and zone in
Nova. All Compute nodes in the stack will be added to the zone by
default.
The zone name is the stack name by default, but can be overridden with
parameter values.
Change-Id: I0afb2265949f1222a86b350734e62da673e83aa9
Depends-On: I064f872e20537642880d5482cb9e0c2a801715ef
implements: blueprint split-controlplane-templates
https://review.openstack.org/#/c/639119/ changed
the 'metadata_settings' RoleData for ovn-metadata
to {}, which caused a TypeError. This patch reverts
the metadata_settings to the original to fix the issue.
Closes-Bug: #1824579
Change-Id: I09ed9c99065c946760c5319086ff0dbccd29a85c
With a large number of OSDs, where each OSD needs a connection, the default
nofile (1024) of nova_compute is too small. This changes the default
DockerNovaComputeUlimit to 131072, which is the same as for cinder.
Change-Id: Id19da6e8b7bfbe0e47b191e92c08fc34d1853a63
The warn clause should be included inside an args
subsection, otherwise the task will fail syntactically
with 'warn' is not a valid attribute for a Task.
Closes-Bug: #1824496
Change-Id: I217437c4d104475c8ea415dd178940c40264e0b0
This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the neutron-plugin-ml2-mlnx-sdn-assist service.
Related-Blueprint: services-yaml-flattening
Change-Id: I0b1e0b52f26a57847263f311ea0c018bc15df46f
We have seen this container fail in selinux enforcing mode
(rhbz#1698555):
A) Enforcing on
podman run -it --rm -user=root --net=host -e KOLLA_INSTALL_METATYPE=rhos
-e KOLLA_INSTALL_TYPE=binary \
-e KOLLA_BASE_DISTRO=rhel -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS -e KOLLA_DISTRO_PYTHON_VERSION=3.6 \
-v /home/stack/undercloud.conf:/var/lib/undercloud.conf \
-v /var/lib/kolla/config_files/mistral_executor.json:/var/lib/kolla/config_files/config.json \
-v /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src 68c1f09c2bfa sh
()[root@undercloud-0 /]$ kolla_set_configs
INFO:__main__:Loading config file at
/var/lib/kolla/config_files/config.json
....snip....
INFO:__main__:Copying
/var/lib/kolla/config_files/src/var/www/cgi-bin/mistral/app to
/var/www/cgi-bin/mistral/app
ERROR:__main__:MissingRequiredSource: /var/lib/undercloud.conf file is
not found
The error is a bit misleading because the file is actually there:
()[root@undercloud-0 /]$ ls -1 /var/lib/ |grep -i undercloud.conf
undercloud.conf
The problem is that we cannot access it because selinux is denying us:
()[root@undercloud-0 /]$ ls -lZ /var/lib/undercloud.conf
ls: cannot access '/var/lib/undercloud.conf': Permission denied
[root@undercloud-0 ~]# ls -ldZ /home/stack/ ; ls -lZ
/home/stack/undercloud.conf
drwx------. 9 stack stack unconfined_u:object_r:user_home_dir_t:s0 4096
Apr 10 11:06 /home/stack/
-rwxr-xr-x. 1 stack stack unconfined_u:object_r:user_home_t:s0 891 Apr
10 10:23 /home/stack/undercloud.conf
Adding ',z' to the undercloud.conf bind mount fixed it for us. What is
still left unclear is why we did not get specific 'denied' messages for
this access problem.
Co-Authored-By: Julie Pichon <jpichon@redhat.com>
Change-Id: If061d496a26c84e5027916c0d8f9153b129b451a
This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the ovn services.
Related-Blueprint: services-yaml-flattening
Change-Id: I6261863c15f594fed8207ff258f1d9c809a9a864
Same as in [1], rootwrap takes too much time if ulimit is the
default value. In the related bug, the execution time drops
from 800ms to 30ms if ulimit is set to 16384.
[1] https://review.openstack.org/#/c/559268/
Change-Id: I18de5b733066853a8c057596e85299048cee8604
Closes-Bug: #1823385
If the plan-environment.yaml includes docker-ha.yaml by default, the
pacemaker version of some services gets enabled for the undercloud. Let
us be more explicit about these services in the undercloud environment
file to ensure we get the right version configured always.
Change-Id: I806f95e3b4988b0f3c427a652cdd6ea39154798a
Closes-Bug: #1824030
There are conditions, e.g. external ceph deployment, where
ceph-ansible will not produce a fetch directory so we should
not always assume there is something to archive.
Add a task to register the contents of the ceph-ansible fetch
directory and only archive that directory if the contents exist.
Also, remove the '--no-overwrite-dir' option from tar as it
seems to have broken repeat deployments.
Change-Id: I56eae30d73bf5cc6b1ae413c6841f86c2a4e86b5
Closes-Bug: #1823759
Closes-Bug: #1823229
With the default network_data.yaml and default roles_data.yaml
all composable networks are included. When deploying plain
defaults without any network-isolation, i.e. ctlplane network
only, the jinja2 rendered templates still include all the nets.
With change: https://review.openstack.org/645159 the vlan
parameter is passed to NIC configs for all networks enabled
for the role in roles data if networks data define a vlan id.
Because of this we need to add the parameter to the nic config
template unless networks data and roles data are customized.
(i.e. networks that aren't actually used are removed from the
roles data and networks data.)
Closes-Bug: #1823997
Change-Id: Ic5fe9c8097de814ce3ad7032f42b31859051f70a
For containers where Neutron DHCP, L3 and OVS agents are running
there is a limit set for the number of opened files.
This limit was configured by default to 1024, which looks
quite low and can cause problems even with a relatively small number
of networks or routers handled by the agent.
This patch increases the default ulimit values for those containers to be
16x higher than before. Such a value should allow handling many
more routers or networks and shouldn't be too high for any system.
Change-Id: Ibc8fa0c1ccd4f60ec7c876623a7262003197f67d
Closes-bug: #1824020
octavia-api's cli app doesn't behave well with haproxy so let's run
under apache and save ourselves some grief. Also adds cleanup for the
octavia-api tls proxy in update and upgrade tasks if it was previously
deployed.
Also updates zuul layout for multinode job to track changes to new
flattened octavia service files.
Closes-Bug: #1815811
Change-Id: Ied7cb31fbf1222694250e4769573bcbb82ba5bea
Introduced with Ia615ac07d0c559deb65e307bb6254127e989794d, an issue
can be hit when deploy is launched with dry-run mode.
Change-Id: I5851dc7820fdcc4f5790980d94b81622ce3b0c8d
Related-Bug: #1823841
Now that we've dropped docker-toool we no longer have use
for the /var/lib/container-startup-configs.json file to be laid
down on disk.
As part of this change we now check for the step 1 tasks instead
of the combined startup configs when determining whether to
re-run the common startup ansible tasks.
Change-Id: I3c50d8364823073341b5f39ecce20a512e4a82e1
Octavia's external deploy tasks require access to files that are owned
by the mistral user (e.g. ssh key).
Change-Id: I8133fb9a10aa4a65d1157f4b5e32130e3f3b52c5
As of Rocky [1], the nova-consoleauth service has been deprecated and
cell databases are used for storing token authorizations. All new consoles
will be supported by the database backend and existing consoles will be
reset. Console proxies must be run per cell because the new console token
authorizations are stored in cell databases.
Let's deprecate it in tripleo as well so that it can be removed in a later
release.
[1] https://docs.openstack.org/releasenotes/nova/rocky.html
Change-Id: I68485a6c4da4476d07ec0ab5e7b5a4c528820a4f
When satellite is used in organization mode, deployments were failing
due to a change in the return code of subscription manager. This last will
generate an error anyway, so this is a bypass.
Tested on Queens.
Closes-Bug: #1822725
Change-Id: I0dd65cc752a6bd94bec59f695e55aa85ef8f0192
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
This defines the interface to specify the authentication credentials
for container image registries which require them. It is separate from
the ContainerImagePrepare parameter so that the credentials only need
to be stated once, and so the secrets can be flagged as hidden
parameters.
Change-Id: I3b2743cd48b2083468acb83a4ddeb98a93d795a2
Partial-Bug: #1823579
On the new versions of RHEL, the network service isn't enabled by
default because this mechanism became legacy.
However, our os-net-config doesn't use the new network manager, so we
still rely on the network service to manage things like the virtual
bridges on the Undercloud and the Overcloud.
Closes-Bug: #1823353
Change-Id: I7094b36ef183dd388ea5a4c353f8eec43c9f2785