335 Commits

Author SHA1 Message Date
rajinir
a462d796a7 Add support for Dell EMC XtremIO Cinder ISCSI Backend
This change adds a new define for cinder::backend::dellemc_xtremio_iscsi

Change-Id: Icf4a199383064e7884953f0f5085dcef54c3b9a4
Implements: blueprint dellemc-xtremeio-cinder
2018-03-09 14:25:14 -06:00
Jiri Stransky
6f5776cc36 Remove registry special casing which no longer has any effect
This was only needed when we need to special-case SwiftStorage, but
since we now have the resource names match the role name [1], having
the special casing will result in the same resource registry being
generated as when not having it.

[1] see change I96fd27bdad5d417f23550ecc3387d81fd3c5418a

Change-Id: I367081a8aa32178f1c8cf07bae2db3d0c0bc1258
2018-03-09 11:21:36 +01:00
Juan Antonio Osorio Robles
b3420f7095 Enable containers by default
This changes the default resource registry definitions to use the docker
services by default. It also keeps the baremetal installation by adding
a baremetal-services.yaml environment.

Change-Id: I373fef6581dfbfa365479f88d7b967cfbed446e4
2018-03-01 11:26:15 +02:00
Pradeep Kilambi
7a5d5a8e1b Add tls roles for undercloud
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Dan Prince <dprince@redhat.com>
Co-Authored-By: Ian Main <imain@redhat.com>

Change-Id: Icca382db28e4ea57f3cbf24e9e794b428b824db5
2018-02-15 00:00:05 +00:00
marios
5cbe298f59 Remove the heat upgrade steps for Q upgrade workflow
This removes most of the Heat driver upgrade workflow, including
the script delivery and stepwise upgrade tasks with invocation
of ansible via heat

For Q upgrades the operator should use
    openstack overcloud upgrade --init-upgrade --container-registry-file file
    openstack overcloud upgrade --nodes Controller
etc.

Depends-On: I54f8fc57b758e34c620d607be15d2291d545ff6f
Change-Id: I75f087dc456c50327c3b4ad98a1f89a7e012dc68
2018-02-09 18:41:04 +02:00
zshi
d0a92f1c20 Add PTP composable service
Precision Time Protocol (PTP) is a protocol used to
synchronize clocks throughout a network. When used
in conjunction with hardware support, PTP is capable
of sub-microsecond accuracy which is far better than
is normally obtainable with NTP.

Change-Id: I98a1833db28944cfd5a89e4f28c192bb9af8ebbb
Depends-On: Idc78df3a90b73be504480bc9d33a3f0041d2d84f
2018-02-08 15:20:17 +08:00
Zuul
9e27288203 Merge "Add support for ceph-nfs manila backend" 2018-02-08 01:25:46 +00:00
Zuul
16e15b73b9 Merge "Add support for Dell EMC VNX Cinder Backend" 2018-02-07 03:47:17 +00:00
Jan Provaznik
96b82d149e Add support for ceph-nfs manila backend
If ceph-nfs (ganesha) service is enabled, it's set up by ceph-ansible
and it can be used as a manila backend. Manila can be configured to use
ceph either directly (manila-cephfsnative-config-docker.yaml env file)
or through ganesha (environments/manila-cephfganesha-config-docker.yaml
env file).

Change-Id: Ib408c7827e5fba0c1b01388db26363806fc64370
Partially-Implements: blueprint nfs-ganesha
2018-02-06 19:04:39 +00:00
Pradeep Kilambi
4308485b2c Restore disable templates for telemetry for Queens
We need these templates accessible for fast forward upgrades
workflow to disable these services. Let's put these back in
and remove them in Rocky instead. These were originally
removed in commit 5ebbc81c2ad90c34925173942bdd4a468964d53b.

Change-Id: Iba1e13c7a78dd012373830331682c9e29d775f73
2018-02-05 14:56:35 +00:00
rajinir
afe81a4e05 Add support for Dell EMC VNX Cinder Backend
This change adds a new define for cinder::backend::dellemc_vnx

Change-Id: I57af2f781c24c74b355410ffb4dc28382ee183fd
Implements: blueprint dellemc-vnx-cinder
2018-01-30 10:57:56 -06:00
Zuul
2ebc2ee3af Merge "Run Octavia configuration on the overcloud" 2018-01-22 19:50:12 +00:00
Zuul
23aa82de04 Merge "Implements AIDE Intrusion Detection System" 2018-01-22 15:48:30 +00:00
Or Idgar
9d692aaa2f Run Octavia configuration on the overcloud
Fully configuring Octavia requires resources such as the load balancer
management network and amphora image to be created in the overcloud
during deployment. This is handled through some ansible driven through a
mistral workflow. This patch enables configuring and triggering this
workflow from heat.

Co-Authored-By: Brent Eagles <beagles@redhat.com>
Depends-on: If07ded033be9f44b7c7a7e09214032fa89a02e77

Change-Id: I2d10dbd33b3a0ed0463096849d01aa2c1b9f293e
2018-01-16 13:19:09 +00:00
Zuul
33a254cacb Merge "Reinstate common overcloud manifest for all roles" 2018-01-16 03:42:55 +00:00
lhinds
7e68dbdf8c Implements AIDE Intrusion Detection System
Introduces a service to configure AIDE Intrusion Detection.

This service inits the database and copies the new database
to the active naming. It also sets a cron job, using email if
`AideEmail` is populated, otherwise the reports are sent to
`/var/log/aide/`.

AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.

Related-Blueprint: tripleo-aide-database
Depends-On: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
Change-Id: I23d8ba2c43e907372fe079026df1fca5fa1c9881
2018-01-15 13:10:16 +00:00
Daniel Alvarez
85e006d19d Add support for OVN Metadata Agent
This patch adds support for networking-ovn-metadata-agent.
It will deploy the agent on compute nodes and disable Nova
force_config_drive.

The following two patches have been squashed into this one:
* https://review.openstack.org/#/c/525164/
* https://review.openstack.org/#/c/522813/
The reason behind the squash is that we had interdependencies
and this patch alone wouldn't be testing the code properly
without the two other ones since scenario007 job in baremetal
has been removed for this cycle.

UpgradeImpact

Depends-On: I678652294cb8f964c34b742a0bc0ea360d736fb9
Depends-On: If3dffde5e0db8f7607a9708d36d54d1600fe5da8
Depends-On: I38f775479d178f5b252619635b67f876bc8c5ed5
Depends-On: Ifdd42437333730a3b3e6f36cbab6df0a2971a5a1
Depends-On: I940cec6d670df39ac6e2a3559a028acbeee99331

Change-Id: Idc2bb4e31a64502ac6fcdac771d823509dc328e7
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
2018-01-12 09:40:06 +00:00
Steven Hardy
bb9fd2c61a Reinstate common overcloud manifest for all roles
This was lost in the translation to ansible, but it's needed to
enable existing interfaces such as hiera includes via *ExtraConfig.

For reference this problem was introduced in:
I674a4d9d2c77d1f6fbdb0996f6c9321848e32662 and this fix only considers
returning the behaviour prior to that patch (for the baremetal puppet
apply), further discussion is required on if/how this could be applied
to the new container architecture.

Change-Id: I0384edb23eed336b95ffe6293fe7d4248447e849
Partial-Bug: #1742663
2018-01-11 18:42:45 +00:00
Zuul
ef6d97c543 Merge "Telemetry Needs Redis" 2018-01-08 18:21:24 +00:00
Emilien Macchi
6a6872f390 Introduce OS::TripleO::Services::Rhsm
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.

Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logic
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role work.
The parameter can be overridden per role, so we can think of specific
cases where some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.

Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.

Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.

Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
2017-12-27 11:03:49 -08:00
Ian Main
b54135fc3a Telemetry Needs Redis
Add redis to the undercloud when telemetry is added.

Change-Id: I5fc235e6f77efba73ab1858e959357a954c7b7a3
2017-12-27 17:29:18 +00:00
Dan Prince
cec41586f7 Add docker-registry service
This is required for the containerized undercloud.

Change-Id: I542a19c084f37aaafd72378857af4f379f335a39
2017-12-27 01:41:50 +00:00
Flavio Percoco
8dd99ba7fd Deploy OpenShift using OOO on the overcloud
Add external_deploy_tasks for OpenShift installation. This makes
OpenShift installation work with the config download mechanism.

Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Depends-On: I9786f1a27cb7c765211dffe0ea06afd75f8e5275
Change-Id: I4c995dcfd97b5c9ccb751862ff77ab785ad0ac5b
2017-12-15 15:41:15 +00:00
Michele Baldessari
c56cdc8dda Add Instance HA support
This adds support for an Instance HA deployment option which evacuates
VMs after a compute node failure. To enable this feature just add
-e environments/compute-instanceha.yaml and make sure the compute nodes
have the OS::TripleO::Services::ComputeInstanceHA and the
OS::TripleO::Services::PacemakerRemote services added to it.

Testing has been done as follows:
1) Deploy an overcloud with Instance HA
2) Create a VM on the overcloud
3) Crash a compute node
4) Observe that the nova evacuate resource agent initiates the nova
   evacuation:
Nov 29 10:39:49 localhost NovaEvacuate(nova-evacuate)[32253]: NOTICE: Initiating evacuation of overcloud-novacompute-0.localdomain with fence_evacuate
Nov 29 10:39:57 localhost NovaEvacuate(nova-evacuate)[32253]: NOTICE: Completed evacuation of overcloud-novacompute-0.localdomain
5) Observe the VM having been started on the functional compute node

A documentation patch will follow explaining the whole mechanism more
in detail.

blueprint instance-ha

Depends-On: I4d1908242e9513a225d2b1da06ed4ee769ee10f7
Change-Id: If6c7d6c56eca96bd64ac5936036d119bd9ec6226
2017-12-10 09:08:01 +01:00
Zuul
20a5994716 Merge "Add multiple secret store backends for barbican" 2017-12-08 01:23:23 +00:00
Zuul
8ff4c03d28 Merge "Adding Cisco VTS ML2 mechanism driver service template" 2017-12-07 03:41:32 +00:00
Ade Lee
f8decc73fc Add multiple secret store backends for barbican
Change-Id: I7aaa242ee1ecbfcbcc7502b0ce8e5a9191d307f2
Depends-On: I07e52897897f453382f74aa4fdaa98c37e6eca30
2017-12-05 13:07:50 -05:00
Juan Antonio Osorio Robles
898ad4f54b Add IPSEC composable service
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.

bp ipsec

Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
2017-12-05 13:10:18 +00:00
lhinds
502fde7a64 Implements management of /etc/login.defs
Enables management of shadow password directives in login.defs

By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.

This change will in turn allow operators to adhere to security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.

bp login-defs

Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae
Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637
2017-11-29 09:23:25 +00:00
Zuul
b2bc4f36a3 Merge "logging: merge fluentd-client and fluentd-base" 2017-11-22 10:41:19 +00:00
Zuul
0c336132e5 Merge "Add option for barbican API container to log to stdout/stderr" 2017-11-21 21:16:32 +00:00
Zuul
a4877d7272 Merge "Removes manila-generic-config from TripleO" 2017-11-21 16:54:11 +00:00
Zuul
301e8d84e9 Merge "Deploy Ceph Luminous and add support for CephMgr service" 2017-11-21 01:48:51 +00:00
Giulio Fidente
3cea68f12c Deploy Ceph Luminous and add support for CephMgr service
The upgrade of Ceph to Luminous requires a new daemon, ceph-mgr, to be
deployed with every ceph-mon. This submission adds support for the
deployment of ceph-mgr via ceph-ansible.

Change-Id: I4226233d02b70980c6b53518ae2d511b653ce2de
Depends-On: I3645c6c3f68fcefc93fa8699796ba8892aa946c8
Implements: blueprint ceph-luminous
2017-11-20 21:11:23 +01:00
Ade Lee
3d510d7700 Add option for barbican API container to log to stdout/stderr
This adds the option to get the barbican API container to log to stdout.
The option is disabled by default. If enabled, it also adds a sidecar
container that reads the apache access logs.

bp logging-stdout-rsyslog
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>

Change-Id: Ia06fee2826062330a4377ca5fda7e3ba68534af6
2017-11-20 14:10:34 +02:00
Lars Kellogg-Stedman
f982eb55c4 logging: merge fluentd-client and fluentd-base
The fluentd implementation was originally split across multiple files
in order to support both client and server services. We ultimately
decided to only implement the client as part of tripleo so this
division is no longer necessary.  This commit merges
fluentd-client.yaml and fluentd-base.yaml into fluentd.yaml, and
renames things appropriately.

Partial-bug: #1715187
Depends-On: Iace34b7baae8822d2233d97adabf6ebc8833adab
Change-Id: Idb9886f04d56ffc75a78c4059ff319b58b4acf9f
2017-11-17 11:04:52 +01:00
Juan Antonio Osorio Robles
32d5e0cd77 Add option for HAProxy (non-HA) container to log to stdout/stderr
This adds the option to get the HAProxy container to log to stdout.
The option is disabled by default. If enabled, it also adds a sidecar
container that reads from syslog and outputs what it gets to stdout.

bp logging-stdout-rsyslog

Change-Id: Ica819713aa50352ba04a748c463534d982e00538
2017-11-17 10:39:00 +02:00
Juan Antonio Osorio Robles
97f9a01f79 Add rsyslog-sidecar resource and configuration
This introduces a "sidecar" container, which is meant to be used
besides other containers (or as part of the pod). It merely uses
rsyslog to listen on a specific UNIX socket and outputs what it
gets to stdout.

This adds the service to each relevant role and introduces a
composable service which merely configures the container. Subsequently
it'll be used as part of other templates.

Note that it is only enabled if "stdout logging" is enabled.

bp logging-stdout-rsyslog
Depends-On: I4864ddca223becd0a17f902729cf2e566df5e521

Change-Id: I2c54acaaa820961c936f1fbe304f42162f720496
2017-11-17 10:38:57 +02:00
Zuul
5840413021 Merge "Barbican: Add ability to specify KEK for simple crypto plugin" 2017-11-13 14:18:39 +00:00
Zuul
16bca6c288 Merge "Add undercloud cinder roles and environment files" 2017-11-12 13:32:44 +00:00
Pradeep Kilambi
07ce5c4bae Add undercloud cinder roles and environment files
If enable_cinder is true in undercloud.conf, we will need to include
these env files to setup cinder containers.

Change-Id: I208347c52ac5ad24a54aade0be23a31f5bdd4249
2017-11-10 16:39:04 +00:00
Juan Antonio Osorio Robles
0b5117840b Add option for panko container to log to stdout/stderr
This adds the option to get the panko container to log to stdout.
The option is disabled by default.

If enabled, it also adds a sidecar container that reads the apache
access logs.

bp logging-stdout-rsyslog

Change-Id: I56fa3de7427330c1d7bc10e0f8b1adbacec00e46
2017-11-10 14:13:40 +01:00
Juan Antonio Osorio Robles
97e3a2fd0d Add option for heat containers to log to stdout/stderr
This adds the option to get the heat containers to log to stdout.
The option is disabled by default.

If enabled, it also adds a sidecar container that reads the apache
access logs.

bp logging-stdout-rsyslog

Depends-On: Iae6a86cb93305cb3307e058cfd31e0fca3b1be8e
Change-Id: Iac79232bc981fff365faa818afde72e38fc176fb
2017-11-10 14:13:40 +01:00
Juan Antonio Osorio Robles
759d10770d Add option for nova-libvirt container to log to stdout/stderr
This adds the option to get the nova-libvirt container to log to stdout.
The option is disabled by default.

bp logging-stdout-rsyslog

Change-Id: Ie769b4d93f3bd728b7efb84d283509db8213b5fc
2017-11-10 14:13:40 +01:00
Zuul
3bf720ee11 Merge "Remove deprecated Telemetry services from roles data" 2017-11-09 00:20:20 +00:00
Pradeep Kilambi
5ebbc81c2a Remove deprecated Telemetry services from roles data
Ceilometer API, Collector and Expirer are removed from upstream,
so let's clean these deprecated services.

Change-Id: Ifd28a3029cd39644833ab0e9fc66efb7b5b67c9d
2017-11-07 12:54:41 +00:00
Juan Antonio Osorio Robles
e0441af380 Add option for Neutron containers to log to stdout/stderr
This adds the option to get the neutron containers to log to stdout.
The option is disabled by default.

bp logging-stdout-rsyslog

Change-Id: I0f9d201d93da702b702e7ecf4b43a6d705389846
2017-11-07 08:48:35 +00:00
Ade Lee
2089a53afd Barbican: Add ability to specify KEK for simple crypto plugin
It adds the profile to enable the backend and a relevant environment
file that will be used.

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I44391b91b01bc03c9773410152e117ec6bbba491
Change-Id: I39ce9f203af0dea20f7c14ba8b484f600f4aad49
2017-11-02 15:31:17 +00:00
Zuul
64656852bf Merge "Fix networking settings for ObjectStorage role" 2017-10-28 05:58:39 +00:00
Zuul
b13a5e9461 Merge "Add option for nova containers to log to stdout/stderr" 2017-10-28 05:41:33 +00:00