72 Commits

Author SHA1 Message Date
Dan Sneddon
15bb67261a Add Management Network For System Administration.
This change adds a system management network to all overcloud
nodes. The purpose of this network is for system administration,
for access to infrastructure services like DNS or NTP, or for
monitoring. This allows the management network to be placed on a
bond for redundancy, or for the system management network to be
an out-of-band network with no routing in or out. The management
network might also be configured as a default route instead of the
provisioning 'ctlplane' network.

This change does not enable the management network by default. An
environment file named network-management.yaml may be included to
enable the network and ports for each role. The included NIC config
templates have been updated with a block that may be uncommented
when the management network is enabled.

This change also contains some minor cleanup to the NIC templates,
particularly the multiple nic templates.

Change-Id: I0813a13f60a4f797be04b34258a2cffa9ea7e84f
2015-12-18 13:05:54 -06:00
Jenkins
8e1fd53efb Merge "Allow for usage of pre-allocated IPs for the controller nodes" 2015-12-18 10:22:39 +00:00
Jenkins
0df1c15898 Merge "Pacemaker maintenance mode for the duration of Puppet run on update" 2015-12-15 13:26:50 +00:00
Giulio Fidente
22b4acf454 Allow for usage of pre-allocated IPs for the controller nodes
This change adds a new *_from_pool.yaml meant to return an IP from
a list instead of allocating a Neutron port, useful to pick an IP
from a pre-defined list and making it possible to configure, for
example an external balancer in advance (or dns), with the future
IPs of the controller nodes.

The list of IPs is provided via parameter_defaults (in the
ControllerIPs struct) using ControllerIPs param.

Also some additional VipPort types are created for the *VirtualIP
resources. The VIPs were previously created using the same port
resource used by the nodes, but when deploying with an external
balancer we want the VIP resource to be nooped instead.

Change-Id: Id3d4f12235501ae77200430a2dc022f378dce336
2015-12-15 12:44:19 +01:00
Steven Hardy
ea1294fe9b Pacemaker maintenance mode for the duration of Puppet run on update
This enables pacemaker maintenance mode when running Puppet on stack
update. Puppet can try to restart some overcloud services, which
pacemaker tries to prevent, and this can result in a failed Puppet run.

At the end of the puppet run, certain pacemaker resources are restarted
in an additional SoftwareDeployment to make sure that any config changes
have been fully applied. This is only done on stack updates (when
UpdateIdentifier is set to something), because the assumption is that on
stack create services already come up with the correct config.

(Change I9556085424fa3008d7f596578b58e7c33a336f75 has been squashed into
this one.)

Change-Id: I4d40358c511fc1f95b78a859e943082aaea17899
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Co-Authored-By: James Slagle <jslagle@redhat.com>
2015-12-14 14:24:13 +01:00
Lokesh Jain
8337b69bc9 Change for configuring use_forwarded_for value for Nuage
Added a parameter to Nuage ExtraConfig template for setting
use_forwarded_for value required by Nuage metadata agent

Change-Id: I02c15311272126c5e530f118fbfb4a8f6e11a620
2015-12-07 11:19:10 -05:00
Lokesh Jain
ee9b8f3a5d Changes for configuring Nuage
Added ExtraConfig templates and environment files for Nuage specific parameters.
Modified overcloud_compute.pp and overcloud_controller.pp to conditionally
include Nuage plugin and agents.

Change-Id: I95510c753b0a262c73566481f9e94279970f4a4f
2015-11-30 14:22:08 -05:00
Jenkins
fdc2359e45 Merge "Make load balancer deployment optional via template param" 2015-11-26 10:37:35 +00:00
Jenkins
a8bf039544 Merge "Add net_vip_map_external to be used for an external balancer" 2015-11-26 10:31:31 +00:00
Jenkins
1f007f2f9f Merge "Enable trust anchor injection" 2015-11-25 17:58:58 +00:00
Jenkins
d35f067ce1 Merge "Inject TLS certificate and keys for the Overcloud" 2015-11-25 17:57:38 +00:00
Juan Antonio Osorio Robles
14c4417e42 Enable trust anchor injection
This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This is in case that the
TLS certificates for the controllers are signed with a self-signed CA
or if the deployer would like to inject a relevant root certificate
for other purposes. In this case the other nodes might need to have
the root certificate in their trust chain in order to do proper
validation

Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
2015-11-25 15:16:08 +02:00
Jenkins
7bae1ce8b0 Merge "Point registry at tripleoupstream" 2015-11-24 10:21:16 +00:00
Giulio Fidente
2a6da17a3a Make load balancer deployment optional via template param
Adds control over the load balancer deployment via template param.

Change-Id: I5625083ff323a87712a5fd3f9a64dd66d2838468
2015-11-24 11:08:26 +01:00
Dan Prince
bb0d66b800 Add net_vip_map_external to be used for an external balancer
Changes VipMap into a new NetVipMap resource which defaults to
being the same as the 'old' VipMap. An environment file can be
used to map NetVipMap instead to the net_vip_map_external.yaml
which allows for passing in explicit Virtual IP addresses.

It also ensures that references to the Virtual IPs are gathered
from the VipMap resource and allows for an empty ControlPlaneIP
parameter in the neutron port templates where it can be.

Co-Authored-By: Giulio Fidente <gfidente@redhat.com>

Change-Id: Ifad32e18f12b9997e3f89e4afe3ebc4c30e14a86
2015-11-24 11:02:34 +01:00
Jenkins
d40eb03ac2 Merge "Sample environment with old ServiceNetMap value" 2015-11-23 18:28:30 +00:00
Jenkins
5e301a6a31 Merge "Implement Advanced Firewalling support" 2015-11-23 18:22:48 +00:00
James Slagle
d3145e0624 Sample environment with old ServiceNetMap value
The original value for the ServiceNetMap parameter had the Keystone
Admin API service on the Internal API network. Later, it was moved to
the ctlplane network by default.

Users updating from clouds already deployed may not want to have the
service moved, and we've occasionally seen it cause issues with services
not getting restarted properly.

This sample environment file documents the old value so that users can
just optionally include it via -e to keep the services the same as they
were when they originally deployed.

Change-Id: I0b68542337a2f40e26df15fe7ac2da5aafe651d5
2015-11-23 13:06:12 -05:00
Juan Antonio Osorio Robles
97b12afbad Inject TLS certificate and keys for the Overcloud
This is a first implementation of adding TLS termination to the load
balancer in the controllers. The implementation was made so that the
appropriate certificate/private key in PEM format is copied to the
appropriate controller(s) via a software deployment resource.

And the path is then referenced on the HAProxy configuration, but this
part was left commented out because we need to be able to configure the
keystone endpoints in order for this to work properly.

Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
2015-11-23 11:55:26 +02:00
Ryan Hallisey
0eafa814d5 Point registry at tripleoupstream
The tripleoupstream registry contains images that are built
every time there is a change in delorean.

The gate also needs this.

Change-Id: If460853284588f637de820afa54069f773f2e6f7
2015-11-20 13:21:39 -05:00
Jenkins
159e78db98 Merge "Add local docker registry support" 2015-11-20 17:28:48 +00:00
Jenkins
338a2bcfb3 Merge "Update docker compute environment to use json config" 2015-11-20 17:26:46 +00:00
Emilien Macchi
4c9d0fc6da Implement Advanced Firewalling support
Consume puppet-tripleo to create/manage IPtables from Heat templates.

This review put in place the logic to enable and setup firewall rules.

A known set of rules are applied. More to come.

Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
2015-11-19 16:47:28 +01:00
Jenkins
2e319423c5 Merge "Add environment for isolated networks without tunneling VLAN" 2015-11-16 14:08:12 +00:00
Jenkins
415d57b79b Merge "Support network isolation without external nets" 2015-11-16 14:05:41 +00:00
Jenkins
1b22aed705 Merge "Allow customization of Ceph client user" 2015-11-11 15:29:28 +00:00
Jenkins
b044733893 Merge "Allow customization of the Ceph pool names" 2015-11-10 23:22:03 +00:00
Ryan Hallisey
266d123286 Change the Atomic image name so it's less specific
The atomic image name in glance was being set to 'fedora-atomic'.
The glance image can be any form of atomic distro so we shouldn't
name this specifically 'fedora-atomic', but instead 'atomic-image'.

Change-Id: Ic539b82b92e3fdd834750e591d8622b7dc85fc6d
2015-11-10 13:28:30 -05:00
Giulio Fidente
9ea7831eae Allow customization of Ceph client user
Previously we enforced the Ceph user used by the OpenStack clients
to be named 'openstack', this change allows for customization
of such a name.

Change-Id: Idef3e1ed4e8e21b645081869b8d6fad2329bdc60
2015-11-05 19:39:09 +01:00
Giulio Fidente
e19ae9dfe0 Allow customization of the Ceph pool names
This is useful in those scenarios where we want to use an external
Ceph deployment with multiple overclouds.

Change-Id: I1749d2a6547f6ce25843709e46a1447e8d42cfff
2015-11-05 19:38:44 +01:00
Jenkins
d635adad14 Merge "Add network templates for multiple NIC configuration" 2015-11-05 16:42:15 +00:00
Dan Sneddon
6c57eab4c2 Add network templates for multiple NIC configuration
This change adds a set of network interface configurations for use
with network isolation. The multiple-nics templates includes one
separate NIC per network, and assumes that nic1 is used for the
provisioning network (ctlplane). Also included is an environment
file for including the multiple-nics configuration in a deployment.

This revision changes the ordering of the NICs. By doing that, it
is possible to wire up only a subset of the NICs for the storage
nodes, and it is possible to leave the External NIC only configured
on the controllers.

rdo: Updated this commit for static control plane configuration

Co-Authored-By: Rhys Oxenham <roxenham@redhat.com>
Change-Id: Ic878d1ed1a85b5705295d087a743570ca8213504
2015-11-05 14:09:45 +00:00
Ryan Hallisey
092bcd9283 Add local docker registry support
Create a set of environment variables that allows us to configure
a docker registry for deployment.  This patch assumes there is a
local docker registry already setup with the images loaded in place.

Change-Id: Iaafaf23eb3fa8b24bcd8f73bb38c552bea629607
Signed-off-by: Ian Main <imain@redhat.com>
Co-Authored-By: Ryan Hallisey <rhallise@redhat.com>
2015-11-02 19:36:51 +00:00
Ryan Hallisey
3a9186d658 Update docker compute environment to use json config
In liberty, Kolla copies around files and runs the service given
a specified command, by reading a json file.

This will update the existing work to follow that template by
creating a json file for each of the services and pushing it
into the containers.

Change-Id: I5085d1896ea965fd8854765b055068a5ad30bcfd
Co-Authored-By: Jeff Peeler <jpeeler@redhat.com>
2015-11-02 19:30:37 +00:00
Jiri Stransky
3729e63b59 Support NFS backend for Glance (via Pacemaker)
Adds support for NFS backend in Glance by allowing the storage directory
for the 'file' backend to be a mount managed by Pacemaker. Default
behavior is unchanged.

Since the Pacemaker-related parameters are not exposed on top level,
change storage-environment.yaml to use parameter_defaults instead of
parameters.

Depends on a Heat fix for environment file's parameter_defaults to
work well with JSONs and comma delimited lists (see Depends-On).

Change-Id: I6e7e2eaf6919b955650c0b32e1629a4067602c89
Depends-On: I85b13a79dbc97a77e20c0d5df8eaf05b3000815e
2015-10-19 16:48:04 +02:00
Jenkins
461b8b0ce8 Merge "Allow enabling debug mode for config management (Puppet)" 2015-10-12 08:10:26 +00:00
Dan Prince
65958395f4 Docker compute role configured via Puppet
This change adds a containerized version of the overcloud compute node for
TripleO. Configuration files are generated via OpenStack Puppet modules
which are then used to externally configure kolla containers for
each OpenStack service.

See the README-containers.md file for more information on how to set this up.

This uses AtomicOS as a base operating system and requires that we bootstrap
the image with a container which contains the required os-collect-config agent
hooks to support running puppet, shell scripts, and docker compose.

Change-Id: Ic8331f52b20a041803a9d74cdf0eb81266d4e03c
Co-Authored-By: Ian Main <imain@redhat.com>
Co-Authored-By: Ryan Hallisey <rhallise@redhat.com>
2015-10-08 07:34:26 -04:00
Jiri Stransky
94822943c1 Allow enabling debug mode for config management (Puppet)
Also adds an environment file which can be passed to heat stack-create
to enable debugging.

Change-Id: I9758e2ca3de6a0bed6d20c37ea19e48f47220721
Depends-On: Ie92d1714a8d7e59d347474039be999bd3a2b542f
2015-09-30 15:30:22 +02:00
Shiva Prasad Rao
d0b31bab82 Enable Cisco N1KV driver
This enables support for the Cisco N1kv driver for the ML2 plugin.
It also configures the Nexus 1000v switch.

Co-Authored-By: Steven Hillman <sthillma@cisco.com>

Depends-On: I02dda0685c7df9013693db5eeacb2f47745d05b5
Depends-On: I3f14cdce9b9bf278aa9b107b2d313e1e82a20709

Change-Id: Idf23ed11a53509c00aa5fea4c87a515f42ad744f
2015-09-30 09:22:33 +03:00
Dan Prince
5a353c916c Rename -puppet.yaml templates.
Updates the /puppet directory templates so that we drop the
'-puppet' from the filenames. This is redundant because
we already have puppet in the directory name and fixes
inconsistencies where we aren't using -puppet in
all the files within the puppet directory.

Depends-On: I71cb07b2f5305aaf9c43ab175cca976e844b8175

Change-Id: I70d6e048a566666f5d6e5c2407f8a6b4fd9f6f87
2015-09-22 08:30:01 -04:00
Steven Hardy
81785633bd Port Cisco Nexus/UCSM ExtraConfig to AllNodes
Switch the implementation from a pre_deploy ExtraConfig to an
AllNodesExtraConfig, so we can collect the mac->hostname mapping
for all nodes, then calculate a NexusConfig based on that and
a provided mapping of switch ports to mac address.
The same conversion is also done to the NetworkUCSMHostList:

The port mappings are provided via parameter_defaults like:

parameter_defaults:
  NetworkNexusConfig: {
    "bxb-tor-1": {
      "username": "admin",
      "ssh_port": 22,
      "password": "lab",
      "ip_address": "10.86.7.204",
      "nve_src_intf": 0,
      "physnet": "datacentre",
      "servers": {
        "fa:16:3e:fa:be:ef": "1/11",
        "fa:16:3e:fa:5e:cf": "1/23",
        "fa:16:3e:fa:12:34": "2/34"
      }
    }
  }
  NetworkUCSMHostList: 'fa:16:3e:fa:be:ef:profile1'

This results in an entry like this appended to
/etc/puppet/hieradata/neutron_cisco_data.yaml:

neutron::plugins::ml2::cisco::nexus::nexus_config:\
 {"bxb-tor-1": {"username": "admin", "nve_src_intf": 0, "ssh_port": 22,
"servers": {"overcloud-compute02": "2/34", "overcloud-compute01": "1/23",
"overcloud-control01": "1/11"}, "password": "lab", "ip_address": "10.86.7.204",
"physnet": "datacentre"}}
neutron::plugins::ml2::cisco::ucsm::ucsm_host_list: overcloud-control01:profile1

Co-Authored-By: Rob Pothier <rpothier@cisco.com>
Co-Authored-By: Tim Swanson <tiswanso@cisco.com>

Change-Id: I372c3ffb6bd85b7239fcb9f3fc4fa51cd4a39332
2015-09-17 15:50:39 +01:00
Jiri Stransky
e78e1c8d9b Big Switch Neutron ML2 plugin integration
Add support for Big Switch Neutron ML2 plugin. Makes sure that the
package is present and sets up the [restproxy] section in ml2_conf.ini.

This also adds support for setting the ovs_use_veth option in
l3_agent.ini. There is no support for this in puppet-neutron l3 class
and it probably doesn't make sense adding it there, because this setting
isn't relevant for all l3 agent drivers, it's specific to
OVSInterfaceDriver. The ovs_use_veth option is also added to
dhcp_agent.ini.

Change-Id: I99635e25b2099dacce68154fe14693d6f06ac19f
2015-09-16 14:32:48 +02:00
Jenkins
f84d4e45c0 Merge "Enable Cisco Nexus and UCSM plugins" 2015-09-16 09:20:43 +00:00
Robert Pothier
773324a6d0 Enable Cisco Nexus and UCSM plugins
This enables support for the Cisco UCS Manager and Cisco
Nexus plugins

Change-Id: I1bc28a4768d5d6857a0504ca1f77dd71259570b8
2015-09-15 20:37:56 +00:00
Dan Sneddon
3b3669ddc8 Add environment for isolated networks without tunneling VLAN
This change introduces an environment file that includes isolated
networks but does not include a Tenant tunneling network. This is
for deployments where the tenant networking will be provided by
tenant VLANs, or provider networks, or another non-tunneling method.

Change-Id: I8a05e341de80c2add418f22fa7f6f06349d378d6
2015-08-28 17:50:14 -07:00
Dan Prince
bc9368fd91 Support for using external Ceph clusters
This patch adds support for using an externally managed Ceph
cluster with the TripleO Heat templates.

For an externally managed Ceph cluster we initially
only deploy the Ceph client tools, install the 'openstack' user
keyring, and generate the ceph.conf. This matches what we do
for managed Ceph installations and is a good first start.
No other Ceph related services are installed or managed.

To enable use of a Ceph external cluster simply add
the custom Heat environment file environments/puppet-ceph-external.yaml
to your heat stack create/update command and make sure to
set the required CephClientKey, CephExternalMonHost, and CephClusterFSID
variables.

Change-Id: I0a8b213ce9dfa2fc4e62ae1e7631466e5179fc2b
2015-08-13 16:19:04 +02:00
Dan Prince
5834964154 Support network isolation without external nets
This patch adds extra heat environments that can be used
to enable network isolation without using the external
network. Instead of a separate external network the ctlplane
will be used for all of the external/public traffic.

Change-Id: Ia542cee02121771d7d57ac701b62d7608e8d1855
2015-08-06 11:01:38 -04:00
Jiri Stransky
bed3b9aeb8 Provide a sample storage environment file
Meant to help users configure their storage parameters by copying this
file out, amending it and passing it to `heat stack-create` or
`openstack overcloud deploy`.

Defaults to using Ceph as a backend for Cinder, Glance and also Nova
ephemeral storage.

Change-Id: Ia8f5ef175439394aacdea98cfd66416bcb9bfe3a
2015-07-30 15:25:25 +02:00
Jenkins
9c8364184c Merge "Fix Puppet Configuring NetApp Cinder Backend" 2015-07-21 09:27:13 +00:00
Ryan Hefner
e284daa1ff Fix Puppet Configuring NetApp Cinder Backend
It was incorrectly assumed that Puppet variables assigned to a
defined class (as seen in cinder-netapp.yaml) would be applied to
any resources created with that type. This is not how Puppet works.

The full range of configuration parameters to cinder::backend::netapp
have been added back in. They are still pulling from Hiera like they
were intended before, but it needs to be a little more explicit for
Puppet to be happy.

Change-Id: I2e00eae829713b2dbb1e4a5f296b6d08d0c21100
2015-07-20 11:09:44 -04:00