Enabling glance image cache by setting the value of 'flavor' to
'keystone+cachemanagement' in glance-api.conf from THT.
Change-Id: I9a87d8edcb2e98ae45e98439b44b659916e44d89
blueprint: split-controlplane-glance-cache
Configure cinder to use the nova API's admin endpoint instead of the
default public endpoint. Add the necessary auth credentials so that
cinder can access nova's API as a privileged user, which is required
for certain actions (see [1]).
[1] https://git.openstack.org/cgit/openstack/cinder/tree/cinder/compute/nova.py#n86
Closes-Bug: #1802347
Depends-On: I925e25bcc352955560fc449fc5287e56beb12ca3
Depends-On: Ia357ea41f8472d47e266d853f120a14b767e880d
Change-Id: Ic0eef51c1dafd4a1378f5317390e7c09f1d429cd
Nova metadata api is running via http wsgi in its own service.
Therefore we can cleanup the ports definition being opened by
nova api service.
Change-Id: I3066806f8810e30742516c3ca14afc12a1c95bbc
With the upgrade to puppet 5, we can no longer use dots in the hieradata
key lookups. This change updates the THT for firewall_rules,
haproxy_endpoints and haproxy_userlists to use the colon notation.
Change-Id: I6f67153e04aed191acb715fe8cfa976ee2e75878
Related-Bug: #1803024
With layered product packaging upgrading openvswitch may involve a
package rename of the openvswitch package (e.g. openvswitch to
openvswitch 2.10 or openvswitch2.12 to openvswitch2.13). This patch
adds special handling for the rhosp-openvswitch layered product package
to ensure that openvswitch networking remains available during the
upgrade.
Note that this patch also moves the special upgrade logic to
tripleo-packages because it could affect any node that is running
openvswitch for host networking, not just those that are using it for
cloud workloads.
Closes-Bug: #1794359
Change-Id: Ibd64ac1407333c1548261f9d2ae69cdf013e94ce
During upgrade we may have container_cli be Podman but the containers
may still be running on Docker. Handle this situation in the upgrade
tasks which are the last-resort online data migration if the user forgot
to trigger them earlier, as they seem to be hitting this issue.
We must support both options at the same time, because the upgrade
code must be idempotent (re-runnable). When running upgrade 1st time,
the containers will be running in Docker, when re-running the upgrade
(e.g. because a part of it failed), the containers will be running in
Podman.
Once we converge onto a single solution and do not have to support
migration, this commit can be reverted.
Change-Id: I933ce754f081ee87ec53d5f8d9c901ab71dceb1e
Closes-Bug: #1802085
During upgrade, as we don't use instack_undercloud anymore, we are missing
the _member_ role to the admin user.
This creates the necessary hooks in tht to have the member role
created during upgrade (and install for that matter).
This passes on the keystone_enable_member to puppet-tripleo, but it
needs a patch there as well for this mechanism to fully work.
Change-Id: I2319ed876eba7f21c0e80444bf78ca080fef252a
Depends-On: https://review.openstack.org/611919
Partial-Bug: #1799177
Add ContainerCli parameter, default to docker. Possible values:
podman/docker (default).
Deprecate DockerAdditionalSockets so it does nothing for podman.
Nested podman CLI replaces docker sockets. Only bind mount
/var/lib/openstack for the neutron/ovn agents for docker.
Support debug messages for Neutron/OVN wrappers controlled via
NeutronWrapperDebug and OVNWrapperDebug (defaults to False). Or
globally controlled by Debug.
Make the wrapper containers managed by their parent processes and
not exited/removed forcibly, when the parent container restarts.
Background for podman CLI replacing the docker socket:
We'll use 'nsenter -m -n -p -t 1 podman' in wrappers
to execute podman in the same namespaces as on the host
and to NOT bind-mount world for that, like:
- /sys/fs/cgroup:/sys/fs/cgroup
- /run/libpod:/run/libpod
- /run/containers:/run/containers
- /run/runc:/run/runc
- /run/runc-ctrs:/run/runc-ctrs
- /var/lib/containers:/var/lib/containers
- /etc/containers:/etc/containers:ro
- /usr/bin/podman:/usr/bin/podman:ro
- /usr/bin/runc:/usr/bin/runc:ro
- /usr/libexec/podman/conmon:/usr/libexec/podman/conmon:ro
- /usr/lib64/libseccomp.so.2:/usr/lib64/libseccomp.so.2:ro
...
We cannot use chroot /host instead as there are more bind-mounts to use
outside of the /host chroot. Maybe varlink is a good replacement for
all of that, but it's not there yet.
Change-Id: I055fb7a5fd20932c5bee665bb96678f3ae92bffe
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Added a new parameter CinderDellScMultipathXfer to
support cinder::backend::dellsc_iscsi::use_multipath_for_image_xfer
to the Dell EMC SC Cinder iSCSI volume driver template.
Depends-On: https://review.openstack.org/#/c/611126/
Change-Id: I04f42ce0cd117f7dcc7a817274ea7664d9995864
Since the ironic-inspector service and the dnsmasq
service for ironic-inspector are running in different
containers, having the ironic-inspector service
start/stop the dnsmasq service is non-trivial.
Using `--pid="host"` and making the containers
privileged seems less than ideal.
This changes the ironic-inspector configuration so
that it will no longer purge the dhcp-hosts dir on
initialization. Purging the directory without also
restarting (or HUP) the dnsmasq service can cause
the configuration in the DHCP service to deviate
from what ironic-inspector intends it to be.
Related-Bug: #1780421
Depends-On: Icc532115891c567dde20a28110bf08f54187c49f
Change-Id: Id26b578b57c46f9993459f83b5f90393d7798a82
Other Octavia services like octavia-worker also require setting of
database connection in order to access the octavia database.
Closes-Bug: #1797098
Depends-On: https://review.openstack.org/#/c/612395/
Change-Id: I33a08521a4cfffc709de850b99f9292ca464537e
OpenStack services don't support TRACE requests, so there is little
point allowing TRACE for apache.
Change-Id: I396a4c3bfab8f353d038b011d5dc8029f4137a57
Closes-Bug: #1801298
These tasks should have check_mode:no set so that they run in check
mode, as the variables they register are used in later tasks. Otherwise,
ansible in check mode fails with undefined variable errors.
Also, some tasks may fail due to not all requirements being available
since those requirements were not created by previous tasks that were
also run in check mode.
This adds ignore_errors to these tasks, and sets the value to the
boolean ansible_check_mode which is provided by ansible and set based on
whether or not --check was passed to the ansible command line.
Change-Id: I84bc3c14ede37959a4078fd14ce4661b7bd23f84
This is required to fix bug #1800958 so that DockerRegistryMirror is
available to make mirror requests during prepare.
Change-Id: If896c22bf449a3ac91ca363648f84dd5b9aef227
Add a chrony service configuration. The chrony service configuration
includes tasks to ensure that the ntpd service is stopped prior to
configuring chronyd. Since both can be switched back and forth, the ntpd
configuration is also updated to stop chronyd prior to attempting to
configure the ntpd service.
Change-Id: Ie5e8183c000915f28166c842cecc04f445c013ae
Related-Blueprint: tripleo-chrony
Update dhcp_profile_uuid and metadata_proxy_uuid config params
based on NSX plugin side changes, and also expose more config
parameters that can be used in deploying tripleo with nsx plugin.
Change-Id: I787606f39f1b707211f19415aceb81cda8260d91
We did not have an easy way to ensure all the openstack clients are
installed on a given system. In the old instack-undercloud installation,
we were installing some additional clients outside of the ones required
via python-tripleoclient. To allow a user to quickly install all the
clients on a given system, this change adds an OpenStack clients
"service" which can be added to a role to ensure the clients are
available. In the future if we provide a client container, this service
can be converted into a container deployment mechanism.
Change-Id: If878c2ab7679eea2fff42b410bec9c8c9b92ed6f
Closes-Bug: #1800001
Defaults the ODL OVSDB inactivity probe timer to 180s. This value is
more suitable for large number of compute nodes as the default ODL value
of 5s causes too much stress on the controller in large scale
environments.
Closes-Bug: 1797128
Change-Id: I74a8c40b609adec97a27602700bbfa7203ad031f
Signed-off-by: Tim Rozet <trozet@redhat.com>
Since the openstack-glance package has been removed from the overcloud image
during the cleanup, the 'filesystem_store_metadata_file' file is failing to
be created on the host in case of glance netapp.
So, moving metadata file creation part in puppet-tripleo and setting
few more conf parameters which were missing previously. Also
merging the regular NFS and Netapp NFS mounts as the process of
mounting NFS share is independent of whether the share is for Netapp
server or any other nfs server.
Depends-on: I031a8921a74af137927ba83ee2307aafc13263cb
Depends-on: If3a0bc37fe23698b5b5730b4e535f4f56b266a75
Change-Id: I621208c2d41a1942b48d4cf92fc1aa7f4e08e1d4