9 Commits

Author SHA1 Message Date
Ade Lee
2a83856585 Move ipa enrollment to host_prep_tasks
This addresses a possible bug when using FreeIPA to do TLS
everywhere.

It is possible that the IPA server is not on the ctlplane.
In this case, when the nodes start up, the registration of the node
with IPA will fail, resulting in failed certificate issuance requests
later on.

We introduce a composable service to run in host_prep_tasks.
This will always run once the networks have been set up.  If the
instance has already been enrolled (by cloud-init or in an update),
then the script executed by the service will just exit.

In this iteration, we simply execute the code that the cloud-init
would have done.  In later releases, we will execute all the code
performed by novajoin-server here in ansible - and deprecate the
novajoin server.

Change-Id: I31f64c3cbd1d151e3c2a436cc3e2ec5316535087
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Resolves: rhbz#1661635
Closes-Bug: #1815924
2019-02-14 16:07:17 +00:00
Harald Jensås
2f2d8183e6 L3 routed networks - subnet fixed_ips (3/3)
When using neutron routed networks we need to specify
either the subnet or a ip address in the fixed-ips-request
when creating neutron ports.

a) For the Vip's:

Adds VipSubnetMap and VipSubnetMapDefaults parameters in
service_net_map.yaml. The two maps are merged, so that the
operator can override the subnet where VIP port should be
hosted. For example:

parameter_defaults:
  VipSubnetMap:
    ctlplane: ctlplane-leaf1
    InternalApi: internal_api_leaf1
    Storage: storage_leaf1
    redis: internal_api_leaf1

b) For overcloud node ports:

Enrich 'networks' in roles defenition to include both
network and subnet data. Changes the list to a map
instead of a list of strings. New schema:

- name: <role_name>
  networks:
    <network_name>
      subnet: <subnet_name>

For backward compatibility a conditional is used to check
if the data is a map or not. In either case the internal
list of role networks is created as '_role_networks' in
the jinja2 templates.

When the data is a map, and the map contains the 'subnet'
key the subnet specified in roles_data.yaml is used as
the subnet in the fixed-ips-reqest when ports are created.
If subnet is not set (or role.networks is not a map) the
default will be {{network.name_lower}}_subnet.

Also, since the fixed_ips request passed to Vip ports are no
longer [] by default, the conditinal has been updated to
test for 'ip_address' entries in the request.

Partial: blueprint tripleo-routed-networks-templates
Depends-On: I773a38fd903fe287132151a4d178326a46890969
Change-Id: I77edc82723d00bfece6752b5dd2c79137db93443
2019-01-03 19:07:20 +01:00
karthik s
512c032a0b Add bootparams service for all roles
NIC partitioning requires IOMMU to be enabled on roles using it.
By adding the BootParams service to all the roles, we could
enable IOMMU selectively by supplying the role specific parameter
"KernelArgs". If a role doesn't use NIC Partitioning then
"KernelArgs" shall be not be set and backward compatibility would
be retained.

Change-Id: I2eb078d9860d9a46d6bffd0fe2f799298538bf73
2018-11-19 05:02:07 -05:00
Emilien Macchi
7bebdefda8 Introduce OS::TripleO::Services::Podman
Podman service will be in charge of installing, configuring, upgrading
and updating podman in TripleO.

For now, the service is disabled by default but included in all roles.
In the cycle, we'll make it the default.

Note: when Podman will be able to run in TripleO without Docker,
we'll do like https://review.openstack.org/#/c/586679/ and make it as
a generic service that can be switched to either podman or docker.
But for now, we need podman & docker working side by side.

Depends-On: Ie9f5d3b6380caa6824ca940ca48ed0fcf6308608
Change-Id: If9e311df2fc7b808982ee54224cc0ea27e21c830
2018-10-02 01:47:46 +00:00
Alex Schultz
f7f9053963 Create a Timesync service declaration
In order to support switching between multiple timesync backends, let's
simplify the service configurations for the roles so that there is a
single timesync service.  This timesync service should point to the
expected backend (ntp/ptp/chrony).

Change-Id: I986d39398b6143f6c11be29200a4ce364575e402
Related-Blueprint: tripleo-chrony
2018-09-04 21:00:56 +00:00
Martin Schuppert
ea9360b52d Set tuned profile for compute roles
Computes should have virtual-host tuned profile set per default in
roles definition. HCI compute as recommended before keep
throughput-performance.

Fixes bug 1667524

Change-Id: I26426e1dd0a2e81ad7549c11fb984ef5470d0561
2018-06-14 14:07:51 +02:00
mandreou
66df6bdb46 Remove no longer used disable_upgrade_deployment flag
In I75f087dc456c50327c3b4ad98a1f89a7e012dc68 we removed much of
the legacy upgrade workflow. This now also removes the
disable_upgrade_deployment flag and the tripleo_upgrade_node.sh
script, both of which are no longer used and have no effect on
the upgrade.

Related reviews
    I7b19c5299d6d60a96a73cafaf0d7103c3bd7939d tripleo-common
    I4227f82168271089ae32cbb1f318d4a84e278cc7 python-tripleoclient

Change-Id: Ib340376ee80ea42a732a51d0c195b048ca0440ac
2018-03-29 15:27:30 +03:00
Emilien Macchi
6a6872f390 Introduce OS::TripleO::Services::Rhsm
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.

Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logics
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role working.
The parameter can be overriden per roles, so we can think at specific
cases were some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.

Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.

Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.

Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
2017-12-27 11:03:49 -08:00
Tony Breeds
cfcbf3d8a0 Add ComputeAlt role and environment
In order to support compute services ppc64le, which currently don't
have supported methods for building and distributing container images,
we create a role 'ComputeAlt' which directly uses the puppet/services
templates to configure services that would typically be containers.

This new role is supposed to minimally diverge from the Compute role

The following services have been switch for the puppet versions:
 - OS::TripleO::Services::ComputeCeilometerAgent
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::NovaCompute
 - OS::TripleO::Services::NovaLibvirt
 - OS::TripleO::Services::NovaMigrationTarget

The following services have been removed as they're only available as
docker containers:
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::ContainersLogrotateCrond
 - OS::TripleO::Services::RsyslogSidecar

Alternate versions for the following services are configured, they are
left as OS::Heat::None the operator will need to define them
appropriately if they're needed:
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::SensuClient
 - OS::TripleO::Services::OVNController

Change-Id: I31d673dd048f687c9125733a77d0c9e6069e0614
2017-11-29 14:28:05 +11:00