90 Commits

Author SHA1 Message Date
Emilien Macchi
2d608e07b5 Move docker into deployment directory
This change moves docker services from puppet to the deployment directory.

Change-Id: I11a34708ee91f5b5928d7c647c83e95ca1b01cae
Related-Blueprint: services-yaml-flattening
2019-01-09 22:58:50 +00:00
Emilien Macchi
7fe1730a38 Move podman into deployment directory
This change moves the podman service from puppet to the deployment directory.

Change-Id: I31b8299b43158347f4f1f61f1e1fdf38b0a2102f
Related-Blueprint: services-yaml-flattening
2018-12-17 11:37:19 +00:00
Emilien Macchi
be61d8a2b5 Re-implement keepalived restart without pre_deploy
... and use host_prep_tasks from config-download.
We are trying to HostPrepConfig resource that uses OS::Heat::SoftwareConfig
and the old-fashioned way to run Ansible, for more native config-download.
undercloud_pre is the only service that needs HostPrepConfig now, so
let's switch to config-download.

It restarts the keepalived container at each undercloud install & upgrade.
Also it adds support for podman as it uses container_cli variable.

Note: the workaround can still be removed once we have Keepalived 2.0.6
but it won't happen before CentOS8 probably.

Change-Id: I7454013c2e37058b5010a2a6cacfae0d0f873744
Related-Bug: #1791238
2018-12-06 17:08:57 -05:00
Christian Schwede
a05ba28c60 Set Swift workers to 2
Swift workers have been decreased to 1 recently, but after doing some
more benchmarks it seems that 2 is actually the sweet spot (details in
https://review.openstack.org/#/c/618105/).

Change-Id: If8135bb641f5e0e7e2ed983bc23808268558d054
2018-11-20 09:29:24 +01:00
Christian Schwede
25800b8fe3 Restrict number of Swift workers to 1 on the undercloud
The number of requests to Swift on the undercloud is pretty low, while
the default number of services is set by the number of available CPU
cores. This is likely much too high and also increases memory
requirements et al, thus limiting this to 1 per service.

Change-Id: Ic6048b2a75120d44108ed2a7f3a04c4f38e63871
2018-11-14 09:13:25 +00:00
Zuul
71bd36bb57 Merge "Enable _member_ role for undercloud install." 2018-11-09 19:19:28 +00:00
Sofer Athlan-Guyot
1c64c2c07b Enable _member_ role for undercloud install.
During upgrade, as we don't use instack_undercloud anymore, we are missing
the _member_ role for the admin user.

This creates the necessary hooks in tht to have the member role
created during upgrade (and install for that matter).

This passes on the keystone_enable_member to puppet-tripleo, but it
needs a patch there as well for this mechanism to fully work.

Change-Id: I2319ed876eba7f21c0e80444bf78ca080fef252a
Depends-On: https://review.openstack.org/611919
Partial-Bug: #1799177
2018-11-07 14:30:40 +01:00
Carlos Goncalves
70162488bf Mount /usr/share/openstack-octavia-amphora-images into mistral-executor
With containerized undercloud, the Octavia playbook shipping with
tripleo-common can no longer install the octavia-amphora-image RPM
available in RHOSP-based environments as the yum repository list is
empty. Thus, the amphora QCOW2 file needs to be made available by the
undercloud base OS via a volume mount. This will also help in
uniformizing default placement of amphora images across different
OpenStack distributions.

Change Icae47e76f71b739cf0e1f5633b15432fd531e645 will close the loop.

Partial-Bug: #1800916

Change-Id: I84943a5e6e2b08baaf8e61a1cd9f2fe92286ad9a
2018-11-05 11:21:17 +01:00
Alex Schultz
653649ebbc Add OpenStack clients service
We did not have an easy way to ensure all the openstack clients are
installed on a given system. In the old instack-undercloud installation,
we were installing some additional clients outside of the ones required
via python-tripleoclient. To allow a user to quickly install all the
clients on a given system, this change adds an OpenStack clients
"service" which can be added to a role to ensure the clients are
available. In the future if we provide a client container, this service
can be converted into a container deployment mechanism.

Change-Id: If878c2ab7679eea2fff42b410bec9c8c9b92ed6f
Closes-Bug: #1800001
2018-10-26 16:25:35 -06:00
Zuul
1fd31e4270 Merge "Standardize path to prepare log file" 2018-10-25 19:10:07 +00:00
Bogdan Dobrelya
47f93e1792 Disable Swift auditors/replicators on undercloud
Maintain parity with instack-undercloud
Ic93082282e9ea481c13832f8ce1265a47f0ef3d5

Swift is using only a single replica on the undercloud. Therefore
recovering from a corrupted or lost object is not possible, and running
replicators and auditors only wastes resources. And may create some
trouble. For example, the DB replicators and auditors will lock the DB,
and new objects won't be stored during that time.

Related-Bug: #1632885
Closes-Bug: #1797167

Change-Id: I584cdb03b99721fbdc28bf7f6019d914586341d2
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-10-15 15:06:32 +00:00
Steve Baker
8fe38fb7ed Standardize path to prepare log file
This change makes the default ContainerImagePrepareLogFile be
/var/log/tripleo-container-image-prepare.log for both undercloud and
overcloud deploy.

Previously, undercloud prepare logged to $HOME/install-undercloud.log
and overcloud prepare logged to
$(pwd)/tripleo-container-image-prepare.log.

With this change, both will be logged to
/var/log/tripleo-container-image-prepare.log

Depends-On: Id4b776de808ea329a299430078c6f3efdb604e02
Change-Id: Icd3c5d612a9c42d1d3d8e374f10eb56d5737d516
Closes-Bug: #1789871
2018-10-14 12:53:44 +00:00
Michele Baldessari
c2139a7db2 Fix TLS when using a containerized undercloud
Since we moved to containerized UC, TLS Everywhere deployments are broken.
Namely we miss two things:

A. The NAT iptables rule for the nova metadata service to be reachable
B. The setting 'service_metadata_proxy=false' needs to be set for nova
   metadata otherwise the curl calls to setup ipa will fail with the
   following:
[root@overcloud-controller-0 log]# curl http://169.254.169.254/openstack/2016-10-06
<html>
 <head>
  <title>400 Bad Request</title>
 </head>
 <body>
  <h1>400 Bad Request</h1>
  X-Instance-ID header is missing from request.<br /><br />
 </body>
</html>

A. Is fixed by adding a conditional iptables rule that is only triggered
   when deploying an undercloud (where we set MetadataNATRule to true)

B. Is fixed by setting NeutronMetadataProxySharedSecret to '' on the
   undercloud and then setting the corresponding hiera keys only when
   the parameter != ''. We tried alternative simpler approaches like
   setting NeutronMetadataProxySharedSecret to null but that will break
   heat as the parameter is required and setting it to null breaks heat
   validation (we also tried to make the parameter optional with a
   default: '', but that broke as well)

While we're at it we also remove the neutron metadata service from the
undercloud as it is not needed.

Tested by deploying an undercloud with this change and observing:
A.
Chain PREROUTING (policy ACCEPT 106 packets, 6698 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br-ctlplane *       0.0.0.0/0            169.254.169.254      multiport dports 80 state NEW /* 999 undercloud nat ipv4 */ redir ports 8775

B.
grep -ir ^service_metadata_proxy /var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf
service_metadata_proxy=False

Also a deployment of a TLS overcloud was successful.

Change-Id: Id48df6db012fb433f9a0e618d0269196f4cfc2c6
Co-Authored-By: Martin Schuppert <mschuppe@redhat.com>
Closes-Bug: #1795722
2018-10-06 13:25:18 +00:00
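As an added check for the two settings this commit describes (example code written for this page, not code from tripleo-heat-templates): parse `iptables-save -t nat` output for the PREROUTING REDIRECT of 169.254.169.254:80 to 8775 and parse nova.conf for service_metadata_proxy. It also flags a REDIRECT that is not bound to an ingress interface with -i, since the commit's rule is deliberately limited to br-ctlplane. The iptables-save text and the nova.conf below are constructed samples; the exact layout of the rule in iptables-save format, and the [DEFAULT] fallback for the option, are assumptions.

```python
"""Check for the two undercloud settings described above (an added example;
not code from tripleo-heat-templates). The iptables-save text and nova.conf
below are constructed samples, and the rule layout is an assumption about
how the commit's REDIRECT rule appears in iptables-save format."""
import configparser
import shlex
from typing import Dict, List, Optional

METADATA_IP = "169.254.169.254"
NOVA_METADATA_PORT = 8775  # --to-ports target of the rule in the commit


def _rule_flags(rule: str) -> Dict[str, str]:
    """Map each flag of an iptables '-A ...' line to the value following it.
    A flag followed directly by another flag maps to ''; the first occurrence
    wins (so '-m multiport' is kept, later '-m state' / '-m comment' are not)."""
    toks = shlex.split(rule)
    flags: Dict[str, str] = {}
    for i, tok in enumerate(toks):
        if not tok.startswith("-"):
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        flags.setdefault(tok, "" if nxt.startswith("-") else nxt)
    return flags


def find_metadata_redirect(iptables_save: str) -> Optional[Dict[str, str]]:
    """Return the flags of the first nat PREROUTING rule that REDIRECTs traffic
    for METADATA_IP to NOVA_METADATA_PORT, or None if there is no such rule."""
    in_nat = False
    for raw in iptables_save.splitlines():
        line = raw.strip()
        if line.startswith("*"):  # table header such as "*nat"
            in_nat = line == "*nat"
            continue
        if not in_nat or not line.startswith("-A PREROUTING"):
            continue
        flags = _rule_flags(line)
        dst = flags.get("-d", "").split("/")[0]
        if (dst == METADATA_IP and flags.get("-j") == "REDIRECT"
                and flags.get("--to-ports") == str(NOVA_METADATA_PORT)):
            return flags
    return None


def service_metadata_proxy_enabled(nova_conf: str) -> bool:
    """nova reads service_metadata_proxy from the [neutron] group; [DEFAULT]
    is consulted as a fallback (assumption, for older-style files)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(nova_conf)
    if cfg.has_option("neutron", "service_metadata_proxy"):
        return cfg.getboolean("neutron", "service_metadata_proxy")
    return cfg.getboolean("DEFAULT", "service_metadata_proxy", fallback=False)


def check_undercloud_metadata(iptables_save: str, nova_conf: str) -> List[str]:
    """Return findings; an empty list means both settings from the commit hold."""
    findings: List[str] = []
    rule = find_metadata_redirect(iptables_save)
    if rule is None:
        findings.append(f"no nat PREROUTING REDIRECT for {METADATA_IP} -> {NOVA_METADATA_PORT}")
    else:
        if "-i" not in rule:
            findings.append("metadata REDIRECT has no -i: it applies to every ingress interface, not just br-ctlplane")
        if rule.get("--dports", rule.get("--dport")) != "80":
            findings.append("metadata REDIRECT does not match destination port 80")
    if service_metadata_proxy_enabled(nova_conf):
        findings.append("service_metadata_proxy is True: nova expects X-Instance-ID from a metadata proxy, which the undercloud no longer runs")
    return findings


# Constructed samples (not captured from a real undercloud).
GOOD_NAT = """\
*nat
:PREROUTING ACCEPT [106:6698]
-A PREROUTING -d 169.254.169.254/32 -i br-ctlplane -p tcp -m multiport --dports 80 -m state --state NEW -m comment --comment "999 undercloud nat ipv4" -j REDIRECT --to-ports 8775
COMMIT
"""
BAD_NAT = GOOD_NAT.replace(" -i br-ctlplane", "")
GOOD_NOVA = "[DEFAULT]\ndebug = False\n[neutron]\nservice_metadata_proxy = False\n"
BAD_NOVA = GOOD_NOVA.replace("service_metadata_proxy = False", "service_metadata_proxy = True")

if __name__ == "__main__":
    for name, nat, nova in (("good", GOOD_NAT, GOOD_NOVA), ("bad", BAD_NAT, BAD_NOVA)):
        print(name, check_undercloud_metadata(nat, nova) or "OK")
```

On a real undercloud the inputs would come from `iptables-save -t nat` and from the nova.conf path quoted in the commit; the point of the interface check is that without service_metadata_proxy nova identifies the caller by source address alone, so the redirect should only be reachable from the control plane.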
Zuul
7ea21fff23 Merge "Mount /usr/share/ceph-ansible into mistral-executor" 2018-10-03 16:00:19 +00:00
Emilien Macchi
bfca5353d0 undercloud: deploy podman
We want to enable podman on the undercloud first, this patch just
installs the rpm and configures the insecure registry if needed.

Change-Id: If469e584e2905a002931277bbe2f7301f7b8fd93
2018-10-02 01:47:56 +00:00
Giulio Fidente
5ca0b91275 Mount /usr/share/ceph-ansible into mistral-executor
The undercloud needs to be able to run the playbooks shipping with
ceph-ansible so we mount them from the hosting node in undercloud.yaml

Change-Id: I8d1db69d520da069099f919f286e6a553dd645a5
Closes-Bug: 1794027
2018-10-01 11:35:40 +02:00
Thomas Herve
25901f8c53 Set mysql connect timeout in the undercloud
This sets the mysql connect timeout in the containerized undercloud
case. It mirrors Ia3799cdaf171892431151e4f2f7d2095081b8242.

Related-Bug: #1783995
Change-Id: I727a38eb537f83accadca9ee7f38bd7ace62500e
2018-09-29 01:08:02 +00:00
Harald Jensås
b766e253f4 Undercloud - Restart keepalived on update
instack-undercloud had a workaround (30-reload-keepalived)
in place to always restart keepalived on install/upgrade.
This is required to ensure VIPs are present in case the
network config was changed and os-net-config restarts
the network interface. When containerizing the undercloud
this workaround was missed.

This change adds a similar workaround. A pre_deploy
NodeExtraconfig script will restart the keepalived
container when the undercloud installer is (re-)run.

NOTE: We can remove this workaround once keepalived
      v2.0.6 or later is available.

Closes-Bug: #1791238
Change-Id: I8cada7be57cd50c54ca5f2f38ec010062512ae06
2018-09-24 21:02:34 +00:00
Michele Baldessari
0be27ee963 Disable sync_power_state_interval in containerized undercloud
On the non containerized undercloud we had the following snippet:
"""
nova_config {
  'DEFAULT/sync_power_state_interval': value => hiera('nova_sync_power_state_interval');
}

nova_sync_power_state_interval: -1
"""
The reasons for which were described in: https://launchpad.net/bugs/1552842.
This setting has been lost when we moved to containerized undercloud.
Let's add a new NovaSyncPowerStateInterval parameter that is set to 0
(meaning uses the default) and set it to -1 on the undercloud.

With this patch we have on the undercloud:
undercloud: http://logs.openstack.org/23/599423/1/check/tripleo-ci-centos-7-undercloud-containers/73a1323/logs/undercloud/var/log/config-data/nova/etc/nova/nova.conf.txt.gz:
sync_power_state_interval=-1

And on the overcloud:
https://logs.rdoproject.org/23/599423/1/openstack-check/legacy-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset001-master/d372ea8/logs/overcloud-controller-0/var/log/config-data/nova/etc/nova/nova.conf.txt.gz
sync_power_state_interval=0

Reported-By: Marian Krcmari <mkrcmari@redhat.com>
Co-Authored-By: Emilien Macchi <emilien@redhat.com>

Change-Id: Ifc817ba77187d454c24090c93461b1edad9fe7c4
Closes-Bug: #1790504
2018-09-07 11:35:47 +00:00
04b235652b Do not enable Ram/Disk Filter with filter_scheduler
Core/Ram/Disk Filters are not required when using filter_scheduler.

After https://review.openstack.org/#/c/565841 when using these
Filters nova is not scheduling to the ironic nodes and overcloud
deployment fails.
For now just testing the undercloud, good to see what scheduler/filters
are being enabled in overcloud and reflect there as well.

Related-Bug: #1787910
Depends-On: Ia82f1c6be0d5504498e77a90268cad8abecdeae2
Change-Id: I0e376d99adeaa318118833018be81491c6b14095
2018-08-28 02:01:13 +00:00
Zuul
4a7b37f01b Merge "undercloud: revert to using the iscsi deploy interface by default" 2018-08-22 13:57:02 +00:00
Zuul
39e360624e Merge "Break out image prepare into its own "service"" 2018-08-10 02:31:33 +00:00
Thomas Herve
7cf4a316cc Mount /usr/lib/heat on undercloud Heat
We need the tripleo common on the undercloud heat, let's mount an
additional volume to share them.

Change-Id: If306862f5a9b7455165523ab7b8350d18395edb7
Closes-Bug: #1784569
2018-08-03 14:27:03 +02:00
Steve Baker
1bda1fd9a7 Break out image prepare into its own "service"
This makes the docker-registry service focused on installing the
registry, as it should be. Also this makes it possible to invoke this
service during overcloud deploy too.

This change also switches to calling the tripleo-common script
tripleo-container-image-prepare instead of the full openstack command.
This will allow a mistral image to do a prepare without depending on
the python-tripleoclient package.

The {{role}}Services and {{role}}Count are propagated to
tripleo-container-image-prepare so that images are filtered correctly.

sudo is used instead of become:true so that the tripleo-common mistral
sudoers pattern matches.

Depends-On: Ic1648e43f45bb7604d4c0f9abf247a475fb23707
Change-Id: Ibc16bed673de7b22cd8eef3f6fb0d45871083873
Blueprint: container-prepare-workflow
2018-08-02 11:29:39 +12:00
Dmitry Tantsur
42c118244a undercloud: revert to using the iscsi deploy interface by default
The direct deploy interface looks promising in the scale tests so far,
but it prevents local testing and PoC with nodes with less than 8 GiB
RAM because it has to convert the overcloud-full image in memory.

This change changes back to the iscsi deploy interface, leaving
the direct deploy interface fully configured and opt-in.

This patch will likely be reverted in Stein.

Change-Id: I5f8126474ab15a310b4ba305c4d537b93e9f0399
Related-Blueprint: ironic-direct-deploy
2018-07-24 16:12:22 +02:00
Bogdan Dobrelya
e489e58db4 Log more details for container images prepare
Add a heat param to log tripleo container images prepare
verbose details into a file.

Depends-On: I1c72b5ef0d7acbc4eded422d569f1383d92ad3c2
Change-Id: I000ffeb9b111c4a2a8919fe448dcead922ef03c3
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-07-13 14:38:51 +03:00
Zuul
f713cb7308 Merge "Increase max heat stack depth" 2018-07-12 12:19:35 +00:00
Zuul
7ae479f416 Merge "Undercloud specific volumes for mistral-executor container" 2018-07-06 08:14:37 +00:00
Alex Schultz
76330d922a Increase max heat stack depth
We've previously increased this to 7 in instack-undercloud because of
containers. As we switch to containerized undercloud we need to continue
to increase this to 7.

See Ib31bf29bc69f5c58e98b99c3e598b19c99efc77f for history.

Change-Id: Id9facbc53ac5166fcc544157bf820389fa00efac
Related-Blueprint: containerized-undercloud
2018-07-02 15:48:38 -06:00
Steve Baker
afba68e50a Undercloud specific volumes for mistral-executor container
This fixes the issue where the nova config was being mounted into the
mistral-executor, even though that is only needed for the undercloud.

The second parameter MistralExecutorExtraVolumes is provided so that
users can provide their own extra mounts without overwriting
MistralExecutorVolumes.

Once this mechanism lands, it can also be used to mount the extra
directories which CI needs to modify container images during
deployment, therefore this change is part of

Blueprint: container-prepare-workflow
Change-Id: I88612465d87f24a42e78e5f87a2d6b44b9335b11
2018-06-29 09:21:22 +12:00
Alex Schultz
db181732c6 Add SELinux management to containerized undercloud
In instack-undercloud we manage the selinux configuration during the
deployment. This change exposes the configuration as a new tripleo
service for selinux so we can configure it.

Change-Id: I2109bf62e307df92b6bdb57600c58dd61482f46d
Partial-Bug: #1779005
2018-06-28 09:12:30 -06:00
Emilien Macchi
32ea5028fd undercloud: enable KernelIpNonLocalBind
We need KernelIpNonLocalBind on the undercloud to bind non local ips
among other ip forward options. This sysctl parameter was managed by
instack-undercloud but never ported to the containerized undercloud.
We need the same sysctl parameters for parity with non containerized
undercloud.

Change-Id: Idd3d432b8f7eb573d94cd56be8e05614510ebddf
Related-Bug: #1774898
2018-06-05 01:38:51 +00:00
Emilien Macchi
70901ab69a ssh: enable PasswordAuthentication for containerized undercloud
We don't expect our operators to have SSH keys setup on the undercloud
node, so we don't want to block the PasswordAuthentication in
sshd_config.

Depends-On: I88b24c82fb3cf2309f45d5d447a9b0c403da7fc9
Change-Id: I10b112e8bffff30879606ddd970dfd3ec67fd9c7
Closes-Bug: #1772519
2018-06-03 01:49:26 +00:00
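Since this commit relies on what sshd actually resolves for PasswordAuthentication, the check a practitioner wants is the effective value rather than a grep: sshd uses the first global occurrence of a keyword (later repeats are ignored), and a directive that lands after a Match line belongs to that Match block, where it only applies to connections satisfying the criteria. The resolver below is an added example written for this page, not code from the project or from puppet-tripleo; the sshd_config it parses is a constructed sample, and it models only the User and Address criteria (other criteria are assumed not to match).

```python
"""Resolve the effective value of an sshd_config keyword the way sshd does.
Added example for this page; not project code. Only User and Address Match
criteria are modelled (assumption), and pattern negation with '!' is not."""
import fnmatch
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# (Match criteria or None for the global section, lowercase keyword, value)
Directive = Tuple[Optional[Dict[str, str]], str, str]


def parse_sshd_config(text: str) -> List[Directive]:
    """Split sshd_config into directives, tagging each with the Match block it
    belongs to. Everything after a 'Match' line, up to the next one, is part of
    that block; 'Match all' yields empty criteria that always match."""
    directives: List[Directive] = []
    criteria: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            toks = value.split()
            if len(toks) == 1 and toks[0].lower() == "all":
                criteria = {}
            else:
                criteria = {toks[i].lower(): toks[i + 1] for i in range(0, len(toks) - 1, 2)}
            continue
        directives.append((criteria, keyword, value))
    return directives


def _criteria_match(criteria: Dict[str, str], user: str, address: str) -> bool:
    """True if every criterion on the Match line is satisfied for this client."""
    for key, patterns in criteria.items():
        if key == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in patterns.split(",")):
                return False
        elif key == "address":
            ip = ipaddress.ip_address(address)
            hit = False
            for p in patterns.split(","):
                try:
                    hit = ip in ipaddress.ip_network(p, strict=False)  # CIDR form
                except ValueError:
                    hit = fnmatch.fnmatchcase(address, p)  # wildcard form
                if hit:
                    break
            if not hit:
                return False
        else:
            return False  # unmodelled criterion: treat as not satisfied
    return True


def effective_value(text: str, keyword: str, user: str, address: str) -> Optional[str]:
    """The first value set in a satisfied Match block wins and overrides the
    global section; otherwise the first global occurrence wins. None means
    the compiled-in default applies."""
    keyword = keyword.lower()
    global_value: Optional[str] = None
    for criteria, kw, value in parse_sshd_config(text):
        if kw != keyword:
            continue
        if criteria is None:
            if global_value is None:
                global_value = value
        elif _criteria_match(criteria, user, address):
            return value
    return global_value


def password_auth_allowed(text: str, user: str, address: str) -> bool:
    """PasswordAuthentication defaults to yes when unset."""
    return (effective_value(text, "PasswordAuthentication", user, address) or "yes").lower() == "yes"


# Constructed sshd_config (not the undercloud's real file).
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
PermitRootLogin no
Match User stack
    PasswordAuthentication yes
Match Address 192.168.24.0/24
    PermitRootLogin yes
# appended later as if it were global, but it sits inside the Match Address block
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for user, addr in (("admin", "10.0.0.5"), ("stack", "10.0.0.5"), ("admin", "192.168.24.7")):
        print(user, addr, "password auth:", password_auth_allowed(SAMPLE_SSHD_CONFIG, user, addr))
```

The sample shows the two traps: the trailing "PasswordAuthentication yes" does nothing for clients outside 192.168.24.0/24 because it belongs to the last Match block, and a second global "PasswordAuthentication" line never overrides the first. On a live host the same answer comes from `sshd -T -C user=...,addr=...`, which applies the Match blocks for you.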
Zuul
0e1336f9a2 Merge "[tripleo-ui] Explicitly configure Nova CORS" 2018-05-21 17:35:08 +00:00
Zuul
4815c8bd17 Merge "Remove undercloud specific service definitions" 2018-05-19 21:45:46 +00:00
Steve Baker
ab1cba9047 Expose parameter MistralDockerGroup
This will be set to true for undercloud deployments

Change-Id: I4e34a930d384ae4220070e3b613477b9ff89314c
Blueprint: container-prepare-workflow
2018-05-15 00:22:39 +00:00
Alex Schultz
64bc4a7683 Remove undercloud specific service definitions
Since we're aligning the overcloud/undercloud and we've switched to
containerizing it, we should reuse the same heat services rather than
duplicating the services with the Undercloud definition.

Depends-On: Ic7dba7e548f85574cce2db23e3fec5c8ea761bb7
Change-Id: I497597a47533375f34a22a56e2e9a145d9393358
Related-Blueprint: containerized-undercloud
2018-05-09 21:33:20 +00:00
Zuul
4f5dceca90 Merge "undercloud: switch to the "direct" deploy interface by default" 2018-05-08 04:20:57 +00:00
Emilien Macchi
54fcdb2cff undercloud: do not hardcode eth1 for public interface
Instead, rely on local_interface parameter from undercloud.conf like it
was with instack-undercloud.

Depends-On: I94de786a4e2d6bfbc66e08f32ea65c217ea35268
Change-Id: Id46256b66aa43c38a6a6501d2f26dfb85009b1ef
2018-05-05 06:52:38 +00:00
Emilien Macchi
56898d95fb heat: align config with instack-undercloud
- Enable heat convergence for containerized undercloud
- Set max_json_body_size=4194304 for containerized undercloud.
- Introduce HeatMaxNestedStackDepth parameter.
- Introduce HeatReauthenticationAuthMethod parameter and configure it to
  'trusts' for the undercloud.

Change-Id: I044bf29e7ae320a478e0ba0eb12870f47735d4f1
2018-05-03 08:35:09 -07:00
Dmitry Tantsur
89de728acb undercloud: switch to the "direct" deploy interface by default
Instead of serving images via the slow and somewhat unreliable iSCSI protocol,
this deploy method makes IPA download them from the undercloud Swift.

Change-Id: Ic569358b781337ec6ba8ba802ada1f940917bd61
Implements: blueprint ironic-direct-deploy
2018-05-02 11:58:41 +02:00
Dmitry Tantsur
22459dcfa6 Add support to ironic "direct" deploy interface
This change adds a configuration script that sets up Swift temporary
URL key, if it is not set up otherwise. This key is required for both
ironic "direct" and "ansible" deploy interfaces.

The "direct" deploy interface is then enabled for the undercloud.

Implements: blueprint ironic-direct-deploy
Change-Id: I3cbc51831fc3e185f907b44da654f71aa0f4c420
2018-04-23 14:17:27 +02:00
Honza Pokorny
064d5d50c0 [tripleo-ui] Explicitly configure Nova CORS
Change-Id: I17d6f6b7710a398f207009f4115fcc9cd38952bf
2018-04-19 14:19:48 -03:00
Zuul
628cd0e390 Merge "Add Ironic Networking Baremetal Templates" 2018-04-18 05:52:20 +00:00
Emilien Macchi
d86025593b Handle undercloud upgrades via host_prep_tasks
Using host_prep_tasks interface to handle undercloud teardown before we
run the undercloud install.
The reason of not using upgrade_tasks is because the existing tasks were
created for the overcloud upgrade first and there is too much logic
right now so we can easily re-use the bits for the undercloud. In the
future, we'll probably use upgrade_tasks for both the undercloud and
overcloud but right now this is not possible and a simple way to move
forward was to implement these tasks that work fine for the undercloud
containerization case.

Workflow will be:
- Services will be stopped and disabled (except mariadb)
- Neutron DB will be renamed, then mariadb stopped & disabled
- Remove cron jobs
- All packages will be upgraded with yum update.

Change-Id: I36be7f398dcd91e332687c6222b3ccbb9cd74ad2
2018-04-12 18:14:28 -07:00
Harald Jensas
5203e43979 Add Ironic Networking Baremetal Templates
Ironic neutron agent will be installed on controller nodes, or
networker nodes, when environments/services/ironic.yaml or
environments/services-docker/ironic.yaml is used.

It should also be enabled on undercloud.

Also enables ``baremetal`` ML2 mechanism driver on undercloud.

Depends-On: Ic1f44414e187393d35e1382a42d384760d5757ef
Depends-On: I3c40f84052a41ed440758b971975c5c81ace4225
Change-Id: I0b4ef83a5383ff9726f6d69e0394fc544c381a7e
2018-04-12 23:59:34 +02:00
Zuul
e57e2e871b Merge "Enable ironic rescue mode by default" 2018-04-06 02:04:44 +00:00
Emilien Macchi
02cacfd53a undercloud: increase token expiration time
We did it in the past (3 years ago!) in instack-undercloud:
43e792c684
in the context of: https://bugzilla.redhat.com/show_bug.cgi?id=1235908

This time, we have the same problem when the undercloud is
containerized.
This patch is actually setting parity with keystone config from
instack-undercloud, but also raising an actual issue that will be
addressed this cycle.

In the meantime, let's increase the token expiration so we can move
forward with testing the containerized undercloud.

Change-Id: Iceaaf53fae44b5bcda9f6517f163939ba6be3d49
Related-Bug: #1761050
2018-04-04 13:46:12 -07:00
Dmitry Tantsur
3464547983 Enable ironic rescue mode by default
Change-Id: I3070f17a9c137e97208ed424ebd3f5ba5b4912bc
Implements: blueprint ironic-rescue
2018-04-03 12:26:21 +02:00
Harald Jensas
e947c7e610 Add ctlplane networking for routed networks
* Add a new post install software deployment which runs
a python script to configure the undercloud control
plane network. Replaces section in post shell script.

Change-Id: I1cd594564d1628a6e1fccb9eadf18b716ccc5c72
2018-03-29 23:32:45 +00:00