This change moves docker services from puppet to deployment directory.
Change-Id: I11a34708ee91f5b5928d7c647c83e95ca1b01cae
Related-Blueprint: services-yaml-flattening
This change moves podman service from puppet to deployment directory.
Change-Id: I31b8299b43158347f4f1f61f1e1fdf38b0a2102f
Related-Blueprint: services-yaml-flattening
... and use host_prep_tasks from config-download.
We are trying to HostPrepConfig resource that uses OS::Heat::SoftwareConfig
and the old fashion to run Ansible, for more native config-download.
undercloud_pre is the only service that needs HostPrepConfig now, so
let's switch to config-download.
It restarts keepalived container at each undercloud install & upgrade.
Also it adds support for podman as it uses container_cli variable.
Note: the workaround can still be removed once we have Keepalived 2.0.6
but it won't happen before CentOS8 probably.
Change-Id: I7454013c2e37058b5010a2a6cacfae0d0f873744
Related-Bug: #1791238
Swift workers have been decreased to 1 recently, but after doing some
more benchmarks it seems that 2 is actually the sweet spot (details in
https://review.openstack.org/#/c/618105/).
Change-Id: If8135bb641f5e0e7e2ed983bc23808268558d054
The number of requests to Swift on the undercloud is pretty low, while
the default number of services is set by the number of available CPU
cores. This is likely much too high and also increases memory
requirements et al, thus limiting this to 1 per service.
Change-Id: Ic6048b2a75120d44108ed2a7f3a04c4f38e63871
During upgrade, as we don't use instack_undercloud anymore, we are missing
the _member_ role to the admin user.
This creates the necessary hooks in tht to have the member role
created during upgrade (and install for that matter).
This passes on the keystone_enable_member to puppet-tripleo, but it
needs a patch there as well for this mechanism to fully work.
Change-Id: I2319ed876eba7f21c0e80444bf78ca080fef252a
Depends-On: https://review.openstack.org/611919
Partial-Bug: #1799177
With containerized undercloud, the Octavia playbook shipping with
tripleo-common can no longer install the octavia-amphora-image RPM
available in RHOSP-based environments as the yum repository list is
empty. Thus, the amphora QCOW2 file needs to be made available by the
undercloud base OS via a volume mount. This will also help in
uniformizing default placement of amphora images across different
OpenStack distributions.
Change Icae47e76f71b739cf0e1f5633b15432fd531e645 will close the loop.
Partial-Bug: #1800916
Change-Id: I84943a5e6e2b08baaf8e61a1cd9f2fe92286ad9a
We did not have an easy way to ensure all the openstack clients are
installed on a given system. In the old instack-undercloud installation,
we were installing some additional clients outside of the ones required
via python-tripleoclient. To allow a user to quickly install all the
clients on a given system, this change adds an OpenStack clients
"service" which can be added to a role to ensure the clients are
available. In the future if we provide a client container, this service
can be converted into a container deployment mechanism.
Change-Id: If878c2ab7679eea2fff42b410bec9c8c9b92ed6f
Closes-Bug: #1800001
Maintain parity with instack-undercloud
Ic93082282e9ea481c13832f8ce1265a47f0ef3d5
Swift is using only a single replica on the undercloud. Therefore
recovering from a corrupted or lost object is not possible, and running
replicators and auditors only wastes resources. And may create some
trouble. For example, the DB replicators and auditors will lock the DB,
and new objects won't be stored during that time.
Related-Bug: #1632885
Closes-Bug: #1797167
Change-Id: I584cdb03b99721fbdc28bf7f6019d914586341d2
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
This change makes the default ContainerImagePrepareLogFile be
/var/log/tripleo-container-image-prepare.log for both undercloud and
overcloud deploy.
Previously, undercloud prepare logged to $HOME/install-undercloud.log
and overcloud prepare logged to
$(pwd)/tripleo-container-image-prepare.log.
With this change, both will be logged to
/var/log/tripleo-container-image-prepare.log
Depends-On: Id4b776de808ea329a299430078c6f3efdb604e02
Change-Id: Icd3c5d612a9c42d1d3d8e374f10eb56d5737d516
Closes-Bug: #1789871
Since we moved to containerized UC, TLS Everywhere deployments are broken.
Namely we miss two things:
A. The NAT iptables rule for the nova metadata service to be reachable
B. The setting 'service_metadata_proxy=false' needs to be set for nova
metadata otherwise the curl calls to setup ipa will fail with the
following:
[root@overcloud-controller-0 log]# curl http://169.254.169.254/openstack/2016-10-06
<html>
<head>
<title>400 Bad Request</title>
</head>
<body>
<h1>400 Bad Request</h1>
X-Instance-ID header is missing from request.<br /><br />
</body>
</html>
A. Is fixed by adding a conditional iptables rule that is only triggered
when deploying an undercloud (where we set MetadataNATRule to true)
B. Is fixed by setting NeutronMetadataProxySharedSecret to '' on the
undercloud and then setting the corresponding hiera keys only when
the parameter != ''. We tried alternative simpler approaches like
setting NeutronMetadataProxySharedSecret to null but that will break
heat as the parameter is required and setting it to null breaks heat
validation (we also tried to make the parameter optional with a
default: '', but that broke as well)
While we're at it we also remove the neutron metadata service from the
undercloud as it is not needed.
Tested by deploying an undercloud with this change and observing:
A.
Chain PREROUTING (policy ACCEPT 106 packets, 6698 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- br-ctlplane * 0.0.0.0/0 169.254.169.254 multiport dports 80 state NEW /* 999 undercloud nat ipv4 */ redir ports 8775
B.
grep -ir ^service_metadata_proxy /var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf
service_metadata_proxy=False
Also a deployment of a TLS overcloud was successful.
Change-Id: Id48df6db012fb433f9a0e618d0269196f4cfc2c6
Co-Authored-By: Martin Schuppert <mschuppe@redhat.com>
Closes-Bug: #1795722
We want to enable podman on the undercloud first, this patch just
installs the rpm and configures the insecure registry if needed.
Change-Id: If469e584e2905a002931277bbe2f7301f7b8fd93
The undercloud needs to be able to run the playbooks shipping with
ceph-ansible so we mount them from the hosting node in undercloud.yaml
Change-Id: I8d1db69d520da069099f919f286e6a553dd645a5
Closes-Bug: 1794027
This sets the mysql connect timeout in the containerized undercloud
case. It mirrors Ia3799cdaf171892431151e4f2f7d2095081b8242.
Related-Bug: #1783995
Change-Id: I727a38eb537f83accadca9ee7f38bd7ace62500e
instack-undercloud had a workaround (30-reload-keepalived)
in place to always restart keepalived on install/upgrade.
This is required to ensure VIPs are present in case the
network config was changed and os-net-config restarts
the network interface. When containerizing the undercloud
this workaround was missed.
This change adds a similar workaround. A pre_deploy
NodeExtraconfig script will restart the keepalived
container when the undercloud installer is (re-)run.
NOTE: We can remove this workaround once keepalived
v2.0.6 or later is available.
Closes-Bug: #1791238
Change-Id: I8cada7be57cd50c54ca5f2f38ec010062512ae06
Core/Ram/Disk Filters are not required when using filter_scheduler.
After https://review.openstack.org/#/c/565841 when using these
Filters nova is not scheduling to the ironic nodes and overcloud
deployment fails.
For now just testing the undercloud, good to see what scheduler/filters
are being enabled in overcloud and reflect there as well.
Related-Bug: #1787910
Depends-On: Ia82f1c6be0d5504498e77a90268cad8abecdeae2
Change-Id: I0e376d99adeaa318118833018be81491c6b14095
We need the tripleo common on the undercloud heat, let's mount an
additional volume to share them.
Change-Id: If306862f5a9b7455165523ab7b8350d18395edb7
Closes-Bug: #1784569
This makes the docker-registry service focused on installing the
registry, as it should be. Also this makes it possible to invoke this
service during overcloud deploy too.
This change also switches to calling the tripleo-common script
tripleo-container-image-prepare instead of the full openstack command.
This will allow a mistral image to do a prepare without depending on
the python-tripleoclient package.
The {{role}}Services and {{role}}Count are propagated to
tripleo-container-image-prepare so that images are filtered correctly.
sudo is used instead of become:true so that the tripleo-common mistral
sudoers pattern matches.
Depends-On: Ic1648e43f45bb7604d4c0f9abf247a475fb23707
Change-Id: Ibc16bed673de7b22cd8eef3f6fb0d45871083873
Blueprint: container-prepare-workflow
The direct deploy interface looks promising in the scale tests so far,
but it prevents local testing and PoC with nodes with less than 8 GiB
RAM because it has to convert the overcloud-full image in memory.
This change changes back to the iscsi deploy interface, leaving
the direct deploy interface fully configured and opt-in.
This patch will likely be reverted in Stein.
Change-Id: I5f8126474ab15a310b4ba305c4d537b93e9f0399
Related-Blueprint: ironic-direct-deploy
We've previously increased this to 7 in instack-undercloud because of
containers. As we switch to containerized undercloud we need to continue
to increase this to 7.
See Ib31bf29bc69f5c58e98b99c3e598b19c99efc77f for history.
Change-Id: Id9facbc53ac5166fcc544157bf820389fa00efac
Related-Blueprint: containerized-undercloud
This fixes the issue where the nova config was being mounted into the
mistral-executor, even though that is only needed for the undercloud.
The second parameter MistralExecutorExtraVolumes is provided so that
users can provide their own extra mounts without overwriting
MistralExecutorVolumes.
Once this mechanism lands, it can also be used to mount the extra
directories which CI needs to modify container images during
deployment, therefore this change is part of
Blueprint: container-prepare-workflow
Change-Id: I88612465d87f24a42e78e5f87a2d6b44b9335b11
In instack-undercloud we manage the selinux configuration during the
deployment. This change exposes the configuration as a new tripleo
service for selinux so we can configure it.
Change-Id: I2109bf62e307df92b6bdb57600c58dd61482f46d
Partial-Bug: #1779005
We need KernelIpNonLocalBind on the undercloud to bind non local ips
among other ip forward options. This sysctl parameter was managed by
instack-undercloud but never ported to the containerized undercloud.
We need the same sysctl parameters for parity with non containerized
undercloud.
Change-Id: Idd3d432b8f7eb573d94cd56be8e05614510ebddf
Related-Bug: #1774898
We don't expect our operators to have SSH keys setup on the undercloud
node, so we don't want to block the PasswordAuthentication in
sshd_config.
Depends-On: I88b24c82fb3cf2309f45d5d447a9b0c403da7fc9
Change-Id: I10b112e8bffff30879606ddd970dfd3ec67fd9c7
Closes-Bug: #1772519
Since we're aligning the overcloud/undercloud and we've switched to
containerizing it, we should reuse the same heat services rather than
duplicating the services with the Undercloud definition.
Depends-On: Ic7dba7e548f85574cce2db23e3fec5c8ea761bb7
Change-Id: I497597a47533375f34a22a56e2e9a145d9393358
Related-Blueprint: containerized-undercloud
Instead, rely on local_interface parameter from undercloud.conf like it
was with instack-undercloud.
Depends-On: I94de786a4e2d6bfbc66e08f32ea65c217ea35268
Change-Id: Id46256b66aa43c38a6a6501d2f26dfb85009b1ef
- Enable heat convergence for containerized undercloud
- Set max_json_body_size=4194304 for containerized undercloud.
- Introduce HeatMaxNestedStackDepth parameter.
- Introduce HeatReauthenticationAuthMethod parameter and configure it to
'trusts' for the undercloud.
Change-Id: I044bf29e7ae320a478e0ba0eb12870f47735d4f1
Instead of serving images via slow and somewhat unreliable iSCSI protocol,
this deploy method makes IPA download them from the undercloud Swift.
Change-Id: Ic569358b781337ec6ba8ba802ada1f940917bd61
Implements: blueprint ironic-direct-deploy
This change adds a configuration script that sets up Swift temporary
URL key, if it is not set up otherwise. This key is required for both
ironic "direct" and "ansible" deploy interfaces.
The "direct" deploy interface is then enabled for the undercloud.
Implements: blueprint ironic-direct-deploy
Change-Id: I3cbc51831fc3e185f907b44da654f71aa0f4c420
Using host_prep_tasks interface to handle undercloud teardown before we
run the undercloud install.
The reason of not using upgrade_tasks is because the existing tasks were
created for the overcloud upgrade first and there is too much logic
right now so we can easily re-use the bits for the undercloud. In the
future, we'll probably use upgrade_tasks for both the undercloud and
overcloud but right now this is not possible and a simple way to move
forward was to implement these tasks that work fine for the undercloud
containerization case.
Workflow will be:
- Services will be stopped and disabled (except mariadb)
- Neutron DB will be renamed, then mariadb stopped & disabled
- Remove cron jobs
- All packages will be upgraded with yum update.
Change-Id: I36be7f398dcd91e332687c6222b3ccbb9cd74ad2
Ironic neutron agent will be installed on controller nodes, or
networker nodes, when environments/services/ironic.yaml or
environments/services-docker/ironic.yaml is used.
It should also be enabled on undercloud.
Also enables ``baremetal`` ML2 mechanism driver on undercloud.
Depends-On: Ic1f44414e187393d35e1382a42d384760d5757ef
Depends-On: I3c40f84052a41ed440758b971975c5c81ace4225
Change-Id: I0b4ef83a5383ff9726f6d69e0394fc544c381a7e
We did it in the past (3 years ago!) in instack-undercloud:
43e792c684
in the context of: https://bugzilla.redhat.com/show_bug.cgi?id=1235908
This time, we have the same problem when the undercloud is
containerized.
This patch is actually setting parity with keystone config from
instack-undercloud, but also raising an actual issue that will be
addressed this cycle.
In the meantime, let's increase the token expiration so we can move
forward with testing the containerized undercloud.
Change-Id: Iceaaf53fae44b5bcda9f6517f163939ba6be3d49
Related-Bug: #1761050
* Add a new post install software deployment which runs
a python script to configure the undercloud control
plane network. Replaces section in post shell script.
Change-Id: I1cd594564d1628a6e1fccb9eadf18b716ccc5c72