44 Commits

Author SHA1 Message Date
Emilien Macchi
46541750c9 nova: switch auth_uri to keystone versionless endpoint
Switch nova authtoken auth_uri to use keystone endpoint without version.
Also switch ironic config in nova.conf to use it.

Change-Id: I8046f2eed0b9a7da76d6d7c3507a92bf5054b000
Partial-Implement: blueprint keystone-v3
2017-03-13 08:02:36 -04:00
Sofer Athlan-Guyot
5593877817 Upgrade nova-api/scheduler/conductor packages at step3 not step2.
The nova-api, nova-scheduler and nova-conductor packages are updated during
step2.  The package upgrade triggers a restart of the service which fails
and is constantly retried by systemd:

    Feb 24 12:34:24 centos-7-2-node-rax-iad-7463943-440549 systemd[1]: Failed to start OpenStack Nova Scheduler Server.
    Feb 24 12:34:24 centos-7-2-node-rax-iad-7463943-440549 systemd[1]: Unit openstack-nova-scheduler.service entered failed state.
    Feb 24 12:34:24 centos-7-2-node-rax-iad-7463943-440549 systemd[1]: openstack-nova-scheduler.service failed.
    Feb 24 12:34:24 centos-7-2-node-rax-iad-7463943-440549 systemd[1]: openstack-nova-scheduler.service holdoff time over, scheduling restart.

We eventually reach timeout.  We use
https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/tripleo-packages.yaml#L44-L46
to upgrade existing packages.

Add a note to the README.rst to make people aware of the general upgrade
done at step3 and limit its usage to new packages for individual services.

Change-Id: I13b51bcfe0c98034944613f7e1c3f0168cd4de76
Closes-Bug: #1667728
2017-02-24 17:25:28 +01:00
Oliver Walsh
10ba1fa606 Stop nova-api before upgrading package
If the service is running then the rpm upgrade will attempt to restart.
Ensuring the service is stopped before upgrade should resolve this.

Change-Id: I4179cb773616721640490d26082eacac45f92dff
Closes-Bug: 1665717
2017-02-20 14:14:22 -05:00
Jenkins
0f1c1d66eb Merge "Add nova service support for composable upgrades" 2017-02-15 19:23:33 +00:00
Steven Hardy
5353f1c7c9 Add nova service support for composable upgrades
Co-Authored-By: Mathieu Bultel <mbultel@redhat.com>
Co-Authored-By: Oliver Walsh <owalsh@redhat.com>

Change-Id: Iafad800a6819d7e75fdaab60d328999d3d3c037f
Partially-Implements: blueprint overcloud-upgrades-per-service
Related-Bug: #1662344
2017-02-14 23:23:33 +00:00
Juan Antonio Osorio Robles
d1eb0bc0dc Use Keystone internal endpoint instead of admin for services
The admin endpoint is listening on the ctlplane network by default;
services should ideally be using the internal api network for this kind
of traffic, as the ctlplane network is mostly for provisioning. On the
other hand, the admin endpoint shouldn't be as relevant with services
switching to keystone v3.

Change-Id: I1213a83ef8693c1cca1d20de974f7949a801d9f1
2017-02-14 02:41:13 +00:00
Emilien Macchi
9f48b91ce7 Stop deploying Nova API in WSGI with Apache
It was suggested by the Nova team to not deploy Nova API in WSGI with
Apache in production.
It's causing some issues that we didn't catch until now (see in the bug
report). Until we figure out what was wrong, let's disable it so we can
move forward in the upgrade process.

Change-Id: I09b73476762593642a0e011f83f0233de68f2c33
Related-Bug: 1661360
2017-02-07 19:33:13 +00:00
Juan Antonio Osorio Robles
80086fd342 Add metadata settings for needed kerberos principals
These are only used for TLS-everywhere, and fill up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service,
where they can be used if there's a plugin enabled.

bp tls-via-certmonger
bp novajoin

Change-Id: I873094bb69200052febda629fda698a7a782c031
2017-01-25 00:33:11 +02:00
Tim Rozet
c3d69c174b Parameterizes Nova API default floating IP pool
This allows a user to modify the parameter based on what name he/she
wants to use for the default neutron external network.

Closes-Bug: 1656079

Change-Id: Iaa245c234aa7e80818d901bc9947ac57cf5e903a
Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-01-12 14:56:09 -05:00
Jenkins
384c400d47 Merge "Merge mysql service_config_settings for nova" 2017-01-05 23:51:00 +00:00
James Slagle
81b0d79bb6 Merge mysql service_config_settings for nova
The hieradata from the nova-base.yaml service template needs to be available to
the role running mysql, which isn't necessarily the same role as nova.

nova-base.yaml isn't an actual service template though that is included in any
ServiceChain resources, its outputs need to be merged with an actual nova
service template, such as nova-api.yaml.

As nova-api.yaml already provides some hieradata for the mysql service in
service_config_settings, this patch uses map_merge to combine the 2 values.

Change-Id: I4dc684b3611b13f177f9499e69468d3f6ef6fa76
Closes-Bug: #1654058
2017-01-05 12:25:29 -05:00
Emilien Macchi
c172a84c95 nova-api: legacy cleanup with old wsgi params
Cleanup old legacy params for wsgi config.

Change-Id: Ic775de171c95d43d9273e1a29db2ab685fdf7706
Depends-On: I59b3b36be33268fa6e261a7db3c4aa8e8e712ffb
2017-01-04 15:15:59 -05:00
Emilien Macchi
806fe37b2b nova-api: also include hiera for new apache_api class
puppet-nova renamed nova::wsgi::apache to nova::wsgi::apache_api to
welcome nova::wsgi::apache_placement (for nova placement API).

This patch adds the required parameters before we make the switch in
puppet-tripleo.

Legacy parameters will be removed when the switch will be done in
puppet-tripleo.

Change-Id: I5fc99062d349597393e2248c66f2d863029c7730
2017-01-04 15:11:04 -05:00
Steven Hardy
3c6ec654b4 Bump template version for all templates to "ocata"
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.

This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.

Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-23 11:43:39 +00:00
Juan Antonio Osorio Robles
b4cd2ed1ee Use network-based fqdn entry from hiera instead of the custom fact
This changes how we get the network-based FQDNs for the specific
services, from using the custom fact, to the new hiera entries.

Change-Id: Iae668a5d89fb7bee091db4a761aa6c91d369b276
2016-12-01 11:18:23 +02:00
Dan Prince
7876851011 Hiera optimization: use a new hiera hook
This patch optimizes how we deploy hiera by using a new
heat hook specifically designed to help compose hiera
within heat templates. As part of this change:

 - we update all the 'hiera' software configurations to set the group to hiera
   instead of os-apply-config.

 - The new format uses JSON instead of YAML. The hook actually writes
   out the hiera JSON directly so no conversion takes place. Arrays,
   Strings, Booleans all stay in their native formats. As such we can avoid
   having to do many of the awkward string and list conversions in t-h-t to
   support the previous YAML formatting.

 - The new hook prefers JSON over YAML so upgrading users will have the
   new files preferred. (we will post a cleanup routine for the old files
   soon but this isn't a new behavior, JSON is now simply preferred.)

 - A lot of services required edits to account for default settings that
   worked in YAML that no longer work correctly in the native JSON
   format. In almost all these cases I think the resulting code looks
   cleaner and is more explicit with regards to what is getting
   configured in hiera on the actual nodes.

Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b
Closes-bug: #1596373

Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
2016-11-30 22:16:13 -05:00
Jenkins
f118fc0619 Merge "Enable internal TLS for Nova API" 2016-11-09 13:30:18 +00:00
Emilien Macchi
fa5a9add9f nova: add missing vnc console port in firewall
- Remove vncproxy firewall rules from nova-api service
- Add vncproxy firewall rules to nova-vncproxy service
- Add console port range firewall rules to nova-libvirt service

Change-Id: I421ae21c130cac6f25e7c0869b941ba77441172c
2016-11-03 18:22:21 +00:00
Juan Antonio Osorio Robles
65db3743ab Enable internal TLS for Nova API
This adds the necessary hieradata for enabling TLS in the internal
network for Nova API.

bp tls-via-certmonger
Depends-On: I88380a1ed8fd597a1a80488cbc6ce357f133bd70

Change-Id: I45197f98e5b65d6b2ec364676870db4ce582ffe9
2016-11-01 12:22:14 +02:00
Juan Antonio Osorio Robles
9bd8d53cda Remove duplicate bind_host from nova-api profile
Change-Id: I3c5c7753237ebaf16fb40806df0d195cb2b9aaa0
2016-10-20 09:16:47 +03:00
Jenkins
81aa47d314 Merge "Set nova service_name via t-h-t" 2016-10-18 19:55:16 +00:00
Steven Hardy
4c500c680a Add apache workers to nova-api conditional
Without this httpd fails to start on deployments where the
worker count isn't explicitly overridden via a parameter.

Change-Id: Ie7b31bc6e022a0166af126c866994bdd019718df
Closes-Bug: #1634213
2016-10-17 19:02:41 +01:00
Juan Antonio Osorio Robles
d7610f70d0 Set nova service_name via t-h-t
With the move to use httpd instead of eventlet, we now add this
parameter in t-h-t to be able to clean it up from the puppet-tripleo
manifest.

Change-Id: Ic229182cc5c887b57f6182c3db1bac8bed330f7c
Depends-On: I4603b81d30a704b07eef461b3cdbfe164614b04f
2016-10-17 12:22:51 +03:00
Dan Prince
38f98383d3 Only set NovaWorkers in the non-default case
This patch updates the t-h-t templates for
nova services so that we only set the value of workers in
the non-default case. TripleO has always defaulted the
workers count to 0 and there was recently a regression in
nova where they treat the default of 0 as invalid (a bug
that may get fixed in nova but we don't want to wait on it)

This patch avoids the issue by allowing the default value
to be unset if the TripleO default of 0 is configured.

Change-Id: I175977b88129d87caeb32332d47eb14816a6d5d4
Closes-bug: #1631133
2016-10-12 14:17:54 -04:00
Dan Prince
a80d13b6e1 Remove duplicate metadata keys from nova-api.yaml
These keys are already specified in nova-metadata.yaml
where they get set correctly per the network management
local IP (based on 'service_name' list).

Depends-On: I94f985e719a3bf7408655fbbb5ab1aeaf15e994e

Change-Id: I5d57561b732783118efd2a637aa137f5f7bcddbc
Partial-bug: #1631133
2016-10-12 14:17:21 -04:00
Juan Antonio Osorio Robles
1da253fd8c Add parameters to run nova over httpd
This adds the necessary hieradata to run nova over httpd instead
of eventlet.

Change-Id: I57fb20cf0d58b3376243ba4aeb04e995e7152ce3
2016-09-29 16:04:56 +00:00
Dan Prince
7ba5525207 Move db::mysql into service_config_settings
This patch moves the various db::mysql hiera settings into a
'mysql' specific service_config_settings section for each
service so that these will only get applied on the MySQL service
node. This follows a similar puppet-tripleo change where we
create the actual databases for all services locally on
the MySQL service node to avoid permission issues.

Change-Id: Ic0692b1f7aa8409699630ef3924c4be98ca6ffb2
Closes-bug: #1620595
Depends-On: I05cc0afa9373429a3197c194c3e8f784ae96de5f
Depends-On: I5e1ef2dc6de6f67d7c509e299855baec371f614d
2016-09-28 07:01:49 -04:00
Dan Prince
9d67d7b3b1 Move keystone::auth into service_config_settings
This patch moves the keystone::auth settings for all
services into the new service_config_settings section. This
is important because we execute the keystone commands via
puppet only on the role containing the keystone service
and without these settings it will fail.

Note that yaql merging/filtering is used here to ensure that
service_config_settings is optional in service templates,
and also that we'll only deploy hieradata for a given
service on a node running the service (the key in
the service_config_settings map must match the service_name
in the service template for this to work).

e.g. the following will result in only deploying keystone: 123
in hiera on the role running the "keystone" service,
regardless of which service template defines it.

  service_config_settings:
    keystone:
      keystone: 123

Co-Authored-By: Steven Hardy <shardy@redhat.com>
Change-Id: I0c2fce037a1a38772f998d582a816b4b703f8265
Closes-bug: 1620829
2016-09-23 07:43:21 -04:00
Lars Kellogg-Stedman
0d9298bb8f Add fluentd client service
This implements support for installing fluentd agents as a composable
service on the overcloud.

Depends-On: I2e1abe4d8c8359e56ff626255ee50c9cacca1940

Implements: tripleo-opstools-centralized-logging
Change-Id: I23b0e23881b742158fcfb6b8c145a3211d45086e
2016-09-17 01:31:12 +00:00
Martin Mágr
25ad7b8e1e Availability monitoring agents support
- adds possibility to install sensu-client on all nodes
- each composable service has its own subscription

Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Michele Baldessari <michele@redhat.com>
Implements: blueprint tripleo-opstools-availability-monitoring
Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
2016-08-31 09:22:59 -04:00
Dan Prince
e3cb92a5db Mv Nova, Neutron, Horizon out of controller.yaml
This patch moves the settings for Nova, Neutron, and Horizon
out of controller.yaml.

Also fixes the NovaPassword settings in nova-base.yaml
so they don't use get_input.

Also, creates a new apache.yaml base service to contain shared
apache settings for several services which use Apache for WSGI.

Co-Authored-By: Giulio Fidente <gfidente@redhat.com>

Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e
Related-bug: #1604414
2016-08-30 08:59:07 -04:00
Emilien Macchi
b5a54bf985 Update authtoken parameters to match recent changes
Update authtoken parameters for:
- Aodh
- Ironic
- Manila
- Nova
- Ceilometer

Change-Id: Ie123b8da1a7af2e406aadca4775de9e8c4e6e1f5
2016-08-24 22:29:45 -04:00
Dan Prince
3b62761d2f Add DefaultPasswords to composable services
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).

Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.

Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18 12:45:30 -04:00
Giulio Fidente
885b37c80e Pass ServiceNetMap to services
This will be needed to pick the network where the service has
to bind to from within the service template.

Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-08-18 12:36:18 -04:00
Juan Antonio Osorio Robles
69ea053eeb Move nova's keystone::auth parameters to API profile
In the move to composable services, these parameters are not
necessary in the controller, but in the profile itself. They are not
yet in use but will be used to populate the keystone endpoint.

Change-Id: I42e30243b631c10d9454da444afdb50e551bbb2c
2016-08-09 08:23:59 +03:00
Jenkins
9aec3de5b8 Merge "Convert service_name to underscore syntax" 2016-07-29 08:52:05 +00:00
Steven Hardy
7df649f59e Convert service_name to underscore syntax
Currently we use hyphens, e.g. cinder-api, but in overcloud.yaml
we have a lot of references to services (e.g. for AllNodesConfig)
by underscore, e.g. cinder_api.  To enable dynamic generation of
this data, we need the service name in underscore format.

Change-Id: Ief13dfe5d8d7691dfe2534ad5c39d7eacbcb6f70
2016-07-28 16:31:36 +01:00
Emilien Macchi
315fa31963 Migrate Puppet Hieradata to composable services
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml
except for some services that are not composable yet.

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
2016-07-27 12:23:38 -04:00
Dan Prince
5195d7f891 Composable firewall rules
Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services

Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
2016-07-25 15:24:16 +02:00
Jenkins
f00ed98048 Merge "Move nova::db data within service template" 2016-07-25 08:12:49 +00:00
Giulio Fidente
55e84b6100 Move nova::db data within service template
Change-Id: I86752248e59a2e98f8ff9b2c5998839f9ade4779
2016-07-22 15:21:37 +02:00
Dan Prince
6b30ff11d4 Add 'service_name' to composable services
This patch adds a new service_name section to each composable
service. We now have an explicit unit test check to ensure that
service_name exists in tools/yaml-validate.py.

This patch also wires service_names into hieradata on each
of the roles so that tools can access the deployed services locally
during deployment and upgrades.

Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
2016-07-22 07:29:39 -04:00
Emilien Macchi
47fe74946e Remove ::nova::cron::archive_deleted_rows
::nova::cron::archive_deleted_rows is not called in puppet-tripleo Nova
API profile.

Change-Id: Idc343e481ca04b404be5311b2908f016e4517aad
Depends-On: I7035f7998c11dc5508dae8c1a750b93c2944b2d4
2016-07-19 18:45:09 +00:00
Emilien Macchi
27ee21d9bd Enable nova-api as a composable service
Implement NovaApi service using nova-base for common parameters.

Change-Id: Ibcb89b332ab73f18d05e5b2e454964e322b982e6
Implements: blueprint composable-services-within-roles
Depends-On: I1dde63a5a7d1624494a7157a9679f88f4cb780e0
2016-06-14 12:00:56 +03:00