For some upgrade scenarios, e.g all-in-one deployments, it may
be possible to run the upgrade steps, then apply puppet in one
stack update, so reverse the order here. For normal deployments
the upgrade steps are mapped to OS::Heat::None so this will have
no effect.
Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I3c78751349a6ac2bc5dff82f67bffe13750ac21c
We could already pass metadata to the nova server instances (on
creation) via the ServerMetadata parameter, however, there was no
way of doing this per-role. This introduces that by adding a
{{role}}ServerMetadata parameter for each role. This parameter gets
merged with the ServerMetadata parameter and allows this
functionality.
Note that both default to {}, and so does the result of merging those
parameters with their default values. So nothing changes for the
default settings.
Change-Id: I334edcc51ce7ee82fc13b6cf4c0d74ccb7db099c
Without this Zaqar API will fail to run due to a missing bind
IP address in the config file.
Change-Id: Icd0a6e85b7455e89f37f05399146d5e743359da8
Closes-bug: #1650307
This patch updates the deployed-server interface to use a
simple hostname -s. The previous hostnamectl --transient
can pick up extra domain name configuration in some cases
that can cause very odd hostname generation if used
with the tripleo-heat-template host file generation.
This would actually break the new undercloud t-h-t installer
in that some of the /etc/hosts entries would be invalid
(no IP address) due to substring replacements failing in
a variety of odd hostname situations. Simplifying the
hostname of deployed servers to just the short version seems
the most sensable way to avoid all this.
Change-Id: Ia7e636d021f948ea5234475cef02f666d8ce6999
The RabbitMQ's puppet manifest configures the node's IP and port through
environment variables. While this would usually be fine, it doesn't
allow us to use TLS-only, since it will always try to start a TCP
listener. So, by setting these values through the config file, when
setting ssl_only for rabbitmq, they will effectively be discarded and
thus allow us to use an SSL listener on the same port.
Change-Id: I33d051a8c740baf69b99517378e1f9b0f3cc1681
This reads makes Django take the X-Forwarded-Proto header into account
when forming URLs.
Change-Id: Ice64de9a11d7819ae7f380279ff356342d9b6673
Depends-On: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
This is based on previous work [1] and it's what I've been using to
test the TLS-everywhere work.
This introduces a template that will run on every node to enroll
them to FreeIPA and acquire a ticket (authenticate) in order to be
able to request certificates.
Enrollment is done via the ipa-client-install command and it does
the following:
* Get FreeIPA's CA certificate and trust it.
* Authenticate to FreeIPA using an OTP and get a kerberos keytab.
* Set up several configurations that are needed for FreeIPA (sssd,
kerberos, certmonger)
The keytab is then used to authenticate and get an actual TGT
(Ticket-Granting-Ticket) from Kerberos
The previous implementation used a PreConfig hook, however, here it
was modified to use NodeTLSCAData. This has the advantage that it
runs on every node as opposed to the PreConfig hook where we had to
specify the role type so it's a usability improvement. And, on the
other hand, this does set up necessary things for the usage of
FreeIPA as a CA, such as getting the certificate and enrolling to the
CA.
[1] https://github.com/JAORMX/freeipa-tripleo-incubator
bp tls-via-certmonger
Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
This is problematic for the containerised heat-agents, lsb_release has
to be bind-mounted in, and atomic host doesn't even have lsb_release
installed.
Instead just write to every /etc/cloud/templates/hosts.*.tmpl file.
Change-Id: If2aab7e9b1e03aa657baf1c33aa4392ef7044075
The script run-os-net-config[1] copies in ifcfg-* from the host before
running os-net-config. Apparently it was done this way because the
other scripts in /etc/sysconfig/network-scripts/ differed between host
and agent container. This should be less of an issue now that host and
heat-agents run centos-7 (even when the host is atomic)
tripleo-heat-templates recently changed to running os-net-config in a
deployment script instead of an os-refresh-config script [2]. This
means that our current run-os-net-config approach is currently
resulting in os-net-config being executed twice.
Another issue with run-os-net-config is that it copies ifcfg-* from
host to container, but not back again. This means that rebooting the
server will result in unconfigured interfaces until os-net-config is
somehow run again.
This change bind mounts /etc/sysconfig/network-scripts/ from the host
and uses the conventional approach to running os-refresh-config.
This may fix the issue where compute nodes are losing network
connectivity, so
Closes-Bug: #1646897
[1] http://git.openstack.org/cgit/openstack/tripleo-common/tree/heat_docker_agent/run-os-net-config
[2] I0ed08332cfc49a579de2e83960f0d8047690b97a
Change-Id: I763fc8d8e3eb10ac64d33e46c92888d211003e72
For usability and to reduce the number of environments that need to be
given when enabling TLS in the internal network, it's convenient to add
the enabling of TLS in the internal front-ends for HAProxy, instead of
doing that in a separate environment file.
bp tls-via-certmonger
Change-Id: Icef0c70b4b166ce2108315d5cf0763d4e8585ae1
It's no longer available in Neutron (removed in Mitaka). See:
I2a879213c3b095a007a4531f430a33cea9fdf1bd
Change-Id: I044c648eb8c4933667b8ea2c9159a30e5ebb7df3
This change adds a NIC config to the multiple-nics sample NIC
config templates for a compute node running DVR. In order for
DVR to work on the compute nodes, they must share an external
bridge with the controllers. All of the other sample NIC
configs already have an external bridge (defaults to 'br-ex'),
but the multiple-nics compute role does not, so now the
compute-dvr.yaml NIC template will demonstrate DVR with
multiple NICs.
Change-Id: I80fe2e5842a67984e1d4d8aa295c7607c4f340ad
The script tries to download all artifact URLs with a single
request, instead of downloading each URL on its own if
multiple DeployArtifactURLs were given.
Change-Id: I6a8be699aff7023a67702bb1d3ddc2273984cd08
This seems to have broken the updates job, causing it to fail
with following error:
Can't set long node name!\nPlease check your configuration\n
Related-Bug: 1646873
This reverts commit 3e9fcfd09320ace07bc1bd4cb57feb98cd057332.
Change-Id: I72ba891cd9cd8c4f1bc204144f46aaabbdfd3647
There were several instances where the short-names/FQDNs where being
gotten in the same way in the role's templates. So this introduces a
mapping to get these values in order to reduce clutter.
Change-Id: Ie7df360bb69d56655f3e0fcbbf4d297db39b7a26
Updates the get-occ-config.sh script used with the deployed-server
environment to support custom roles. Any custom role name, and a
corresponding set of hosts (ip addresses or hostnames) can now be passed
to the script and it will query for the proper nested stack uuid's and
configure os-collect-config appropriately on the respective nodes.
Change-Id: I8fc39e6d18cd70ff881e2a284234b26261018d67
Improve scenario001 with Cinder + RBD coverage.
Also remove Barbican bits, we don't deploy Barbican in scenario001, but
002.
Change-Id: Ib9cadbefcb3ddcdb4812f47ff5496e74b2bd888d
Improve scenario003 to configure Keystone tokens with Fernet provider.
Scenario001 and scenario002 will still deploy uuid for now.
Change-Id: I8c671d0371b2c3590b58b9623bb0df0b0c625a5b
Like Puppet OpenStack CI, implement scenario004 with Ceph RGW scenario,
where Glance uses it as a image storage backend.
Change-Id: If055ca225c456a738c5726ef1e76a4a4f9c566a8