3055 Commits

Author SHA1 Message Date
Steven Hardy
58c6988751 Run upgrade steps before post-deploy config
For some upgrade scenarios, e.g. all-in-one deployments, it may
be possible to run the upgrade steps, then apply puppet in one
stack update, so reverse the order here.  For normal deployments
the upgrade steps are mapped to OS::Heat::None so this will have
no effect.

Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I3c78751349a6ac2bc5dff82f67bffe13750ac21c
2016-12-19 11:04:47 +00:00
Jenkins
b8a4e40cf2 Merge "Set rabbitmq's port and IP via the config file and not the env file" 2016-12-19 08:54:27 +00:00
Jenkins
3f2242d05e Merge "Introduce role-specific nova-server-metadata" 2016-12-19 07:45:05 +00:00
Jenkins
6111d9ccf5 Merge "Enable SECURE_PROXY_SSL_HEADER option for horizon" 2016-12-19 07:41:31 +00:00
Jenkins
d78e6c2822 Merge "Use hostname -s instead of hostnamectl --transient" 2016-12-17 22:47:00 +00:00
Juan Antonio Osorio Robles
3078533eef Introduce role-specific nova-server-metadata
We could already pass metadata to the nova server instances (on
creation) via the ServerMetadata parameter, however, there was no
way of doing this per-role. This introduces that by adding a
{{role}}ServerMetadata parameter for each role. This parameter gets
merged with the ServerMetadata parameter and allows this
functionality.

Note that both default to {}, and so does the result of merging those
parameters with their default values. So nothing changes for the
default settings.

Change-Id: I334edcc51ce7ee82fc13b6cf4c0d74ccb7db099c
2016-12-16 13:46:15 +02:00
Dan Prince
b3e5f8e821 Add ZaqarApiNetwork to the service net map
Without this Zaqar API will fail to run due to a missing bind
IP address in the config file.

Change-Id: Icd0a6e85b7455e89f37f05399146d5e743359da8
Closes-bug: #1650307
2016-12-15 10:23:12 -05:00
Jenkins
713a0326e4 Merge "Deployed server: switch to apply-config hook" 2016-12-15 05:59:48 +00:00
Dan Prince
4e8d5aa2c3 Use hostname -s instead of hostnamectl --transient
This patch updates the deployed-server interface to use a
simple hostname -s. The previous hostnamectl --transient
can pick up extra domain name configuration in some cases
that can cause very odd hostname generation if used
with the tripleo-heat-template host file generation.

This would actually break the new undercloud t-h-t installer
in that some of the /etc/hosts entries would be invalid
(no IP address) due to substring replacements failing in
a variety of odd hostname situations. Simplifying the
hostname of deployed servers to just the short version seems
the most sensible way to avoid all this.

Change-Id: Ia7e636d021f948ea5234475cef02f666d8ce6999
2016-12-14 15:48:07 -05:00
Juan Antonio Osorio Robles
de923539c8 Set rabbitmq's port and IP via the config file and not the env file
The RabbitMQ's puppet manifest configures the node's IP and port through
environment variables. While this would usually be fine, it doesn't
allow us to use TLS-only, since it will always try to start a TCP
listener. So, by setting these values through the config file, when
setting ssl_only for rabbitmq, they will effectively be discarded and
thus allow us to use an SSL listener on the same port.

Change-Id: I33d051a8c740baf69b99517378e1f9b0f3cc1681
2016-12-14 14:06:21 +02:00
Juan Antonio Osorio Robles
db31ff5e5a Enable SECURE_PROXY_SSL_HEADER option for horizon
This makes Django take the X-Forwarded-Proto header into account
when forming URLs.

Change-Id: Ice64de9a11d7819ae7f380279ff356342d9b6673
Depends-On: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
2016-12-14 08:32:48 +00:00
Jenkins
1e88f87523 Merge "Don't rely on lsb_release for hosts template write" 2016-12-13 14:36:20 +00:00
Jenkins
99a2a2f414 Merge "docker: don't use custom run-os-net-config" 2016-12-13 14:35:29 +00:00
Jenkins
326fb47bfa Merge "Add FreeIPA enrollment template" 2016-12-12 09:22:00 +00:00
Jenkins
0cd7cbdd6f Merge "Add NIC config for compute role for DVR with multiple NICs" 2016-12-10 00:19:36 +00:00
Juan Antonio Osorio Robles
7611f45722 Add FreeIPA enrollment template
This is based on previous work [1] and it's what I've been using to
test the TLS-everywhere work.

This introduces a template that will run on every node to enroll
them to FreeIPA and acquire a ticket (authenticate) in order to be
able to request certificates.

Enrollment is done via the ipa-client-install command and it does
the following:

* Get FreeIPA's CA certificate and trust it.
* Authenticate to FreeIPA using an OTP and get a kerberos keytab.
* Set up several configurations that are needed for FreeIPA (sssd,
  kerberos, certmonger)

The keytab is then used to authenticate and get an actual TGT
(Ticket-Granting-Ticket) from Kerberos.

The previous implementation used a PreConfig hook, however, here it
was modified to use NodeTLSCAData. This has the advantage that it
runs on every node as opposed to the PreConfig hook where we had to
specify the role type so it's a usability improvement. And, on the
other hand, this does set up necessary things for the usage of
FreeIPA as a CA, such as getting the certificate and enrolling to the
CA.

[1] https://github.com/JAORMX/freeipa-tripleo-incubator

bp tls-via-certmonger

Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
2016-12-09 16:07:54 +02:00
Steve Baker
f592e195e2 Don't rely on lsb_release for hosts template write
This is problematic for the containerised heat-agents, lsb_release has
to be bind-mounted in, and atomic host doesn't even have lsb_release
installed.

Instead just write to every /etc/cloud/templates/hosts.*.tmpl file.

Change-Id: If2aab7e9b1e03aa657baf1c33aa4392ef7044075
2016-12-08 20:09:26 +00:00
Steve Baker
bb73874310 docker: don't use custom run-os-net-config
The script run-os-net-config[1] copies in ifcfg-* from the host before
running os-net-config. Apparently it was done this way because the
other scripts in /etc/sysconfig/network-scripts/ differed between host
and agent container. This should be less of an issue now that host and
heat-agents run centos-7 (even when the host is atomic)

tripleo-heat-templates recently changed to running os-net-config in a
deployment script instead of an os-refresh-config script [2]. This
means that our current run-os-net-config approach is currently
resulting in os-net-config being executed twice.

Another issue with run-os-net-config is that it copies ifcfg-* from
host to container, but not back again. This means that rebooting the
server will result in unconfigured interfaces until os-net-config is
somehow run again.

This change bind mounts /etc/sysconfig/network-scripts/ from the host
and uses the conventional approach to running os-refresh-config.

This may fix the issue where compute nodes are losing network
connectivity, so
Closes-Bug: #1646897

[1] http://git.openstack.org/cgit/openstack/tripleo-common/tree/heat_docker_agent/run-os-net-config
[2] I0ed08332cfc49a579de2e83960f0d8047690b97a

Change-Id: I763fc8d8e3eb10ac64d33e46c92888d211003e72
2016-12-08 20:09:25 +00:00
Jenkins
1e11997e76 Merge "Enable haproxy internal TLS through enable-internal-tls.yaml" 2016-12-08 16:25:08 +00:00
Jenkins
7e4904cafc Merge "Make get-occ-config.sh support custom roles" 2016-12-08 02:59:31 +00:00
Jenkins
9fac0b99b5 Merge "neutron: don't set router_delete_namespaces" 2016-12-07 16:23:33 +00:00
Juan Antonio Osorio Robles
4b425b95f4 Enable haproxy internal TLS through enable-internal-tls.yaml
For usability and to reduce the number of environments that need to be
given when enabling TLS in the internal network, it's convenient to add
the enabling of TLS in the internal front-ends for HAProxy, instead of
doing that in a separate environment file.

bp tls-via-certmonger

Change-Id: Icef0c70b4b166ce2108315d5cf0763d4e8585ae1
2016-12-07 09:03:18 +02:00
Ihar Hrachyshka
d4db12b988 neutron: don't set router_delete_namespaces
It's no longer available in Neutron (removed in Mitaka). See:
I2a879213c3b095a007a4531f430a33cea9fdf1bd

Change-Id: I044c648eb8c4933667b8ea2c9159a30e5ebb7df3
2016-12-06 22:03:18 +00:00
Chris Jones
9745e8b82f Fix SwiftStorage role.
We now fetch the name argument from the correctly named SwiftStorage
object.

Change-Id: I885505eadfc778ab57793c97af4d1c6739ec9614
Closes-Bug: #1647716
2016-12-06 14:33:47 +01:00
Jenkins
94a42fb5b7 Merge "Support multiple meter dispatchers in ceilometer config" 2016-12-05 14:28:37 +00:00
Jenkins
ba3fb5184f Merge "Move nodes' fqdns to a map to remove clutter" 2016-12-05 14:28:29 +00:00
Jenkins
e46349a37c Merge "Use transient hostname for deployed servers" 2016-12-05 14:14:48 +00:00
Jenkins
a45fbe02f4 Merge "Fix bug when using multiple DeployArtifactURLs" 2016-12-05 14:12:37 +00:00
Jenkins
a23ad11958 Merge "No longer hard coding to a specific network interface name." 2016-12-02 19:49:48 +00:00
Dan Sneddon
8e5652ec8d Add NIC config for compute role for DVR with multiple NICs
This change adds a NIC config to the multiple-nics sample NIC
config templates for a compute node running DVR. In order for
DVR to work on the compute nodes, they must share an external
bridge with the controllers. All of the other sample NIC
configs already have an external bridge (defaults to 'br-ex'),
but the multiple-nics compute role does not, so now the
compute-dvr.yaml NIC template will demonstrate DVR with
multiple NICs.

Change-Id: I80fe2e5842a67984e1d4d8aa295c7607c4f340ad
2016-12-02 10:12:17 -08:00
Jenkins
f0348b0d7a Merge "Revert "Use FQDN for rabbitmq's nodename env variable"" 2016-12-02 18:07:32 +00:00
Jenkins
67f7dc9fae Merge "Add zaqar to the controller's list of services in roles_data.yaml" 2016-12-02 18:06:33 +00:00
Christian Schwede
f7e8a043d9 Fix bug when using multiple DeployArtifactURLs
The script tries to download all artifact URLs with a single
request, instead of downloading each URL on its own if
multiple DeployArtifactURLs were given.

Change-Id: I6a8be699aff7023a67702bb1d3ddc2273984cd08
2016-12-02 16:10:52 +00:00
Ben Nemec
0f1022e8ee Revert "Use FQDN for rabbitmq's nodename env variable"
This seems to have broken the updates job, causing it to fail
with the following error:

Can't set long node name!\nPlease check your configuration\n

Related-Bug: 1646873

This reverts commit 3e9fcfd09320ace07bc1bd4cb57feb98cd057332.

Change-Id: I72ba891cd9cd8c4f1bc204144f46aaabbdfd3647
2016-12-02 15:45:21 +00:00
Jenkins
ae1a0e6ec0 Merge "scenario001: deploy Cinder with RBD backend" 2016-12-02 14:34:41 +00:00
Juan Antonio Osorio Robles
41b062a0a7 Add zaqar to the controller's list of services in roles_data.yaml
Change-Id: Iecafa7878fec20c707e94bdaca55f1489f3e338a
2016-12-02 14:14:33 +02:00
Jenkins
ee86735b0c Merge "Add Zaqar to scenario002" 2016-12-02 12:09:13 +00:00
Jenkins
21303cd9fc Merge "Composable Zaqar services" 2016-12-02 12:08:37 +00:00
Juan Antonio Osorio Robles
d7060322ee Move nodes' fqdns to a map to remove clutter
There were several instances where the short-names/FQDNs were being
gotten in the same way in the role's templates. So this introduces a
mapping to get these values in order to reduce clutter.

Change-Id: Ie7df360bb69d56655f3e0fcbbf4d297db39b7a26
2016-12-02 10:45:27 +00:00
Jenkins
cefb448de5 Merge "Use FQDN for rabbitmq's nodename env variable" 2016-12-02 09:41:28 +00:00
Jenkins
5aa0c861a4 Merge "Use network-based fqdn entry from hiera instead of the custom fact" 2016-12-02 09:40:36 +00:00
Jenkins
5854a632c4 Merge "scenario001: deploy Ceph" 2016-12-02 00:06:06 +00:00
Jenkins
7fa038f1a4 Merge "Implement scenario004 with Ceph Rados Gateway scenario" 2016-12-02 00:05:20 +00:00
Jenkins
ef9dcee567 Merge "scenario003: configure Keystone tokens with Fernet provider" 2016-12-01 23:10:07 +00:00
James Slagle
64e44e8626 Make get-occ-config.sh support custom roles
Updates the get-occ-config.sh script used with the deployed-server
environment to support custom roles. Any custom role name, and a
corresponding set of hosts (ip addresses or hostnames) can now be passed
to the script and it will query for the proper nested stack uuid's and
configure os-collect-config appropriately on the respective nodes.

Change-Id: I8fc39e6d18cd70ff881e2a284234b26261018d67
2016-12-01 17:43:45 -05:00
Emilien Macchi
26c229a4b5 scenario001: deploy Cinder with RBD backend
Improve scenario001 with Cinder + RBD coverage.
Also remove Barbican bits, we don't deploy Barbican in scenario001, but
002.

Change-Id: Ib9cadbefcb3ddcdb4812f47ff5496e74b2bd888d
2016-12-01 16:05:50 -05:00
Jenkins
d19ae9f490 Merge "ceph-rgw: add missing user parameter" 2016-12-01 19:59:51 +00:00
Jenkins
ec678ff253 Merge "scenario001/pingtest: remove gnocchi_res_alarm" 2016-12-01 19:56:23 +00:00
Emilien Macchi
ea67638633 scenario003: configure Keystone tokens with Fernet provider
Improve scenario003 to configure Keystone tokens with Fernet provider.
Scenario001 and scenario002 will still deploy uuid for now.

Change-Id: I8c671d0371b2c3590b58b9623bb0df0b0c625a5b
2016-12-01 13:35:44 -05:00
Emilien Macchi
072a06f3b2 Implement scenario004 with Ceph Rados Gateway scenario
Like Puppet OpenStack CI, implement scenario004 with Ceph RGW scenario,
where Glance uses it as an image storage backend.

Change-Id: If055ca225c456a738c5726ef1e76a4a4f9c566a8
2016-12-01 17:16:40 +00:00