In some cases we may need to disable SELinux (like in CI). The role
needs the SELinux service so that the management can be done during the
deployment.
Change-Id: Ife3c4600f5bd70490a68059eb27c5100743a5298
Closes-Bug: #1797910
Similarly to the undercloud, Swift is using only a single replica on AIO
(all-in-one standalone). Therefore recovering from a corrupted or lost object
is not possible, and running replicators and auditors only wastes resources
and may create some trouble. For example, the DB replicators and auditors will
lock the DB, and new objects won't be stored during that time.
Related-Bug: #1797167
Change-Id: I839393bf6cbb2303a0359f8aed32b2fc67d46f6a
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Maintain parity with instack-undercloud
Ic93082282e9ea481c13832f8ce1265a47f0ef3d5
Swift is using only a single replica on the undercloud. Therefore
recovering from a corrupted or lost object is not possible, and running
replicators and auditors only wastes resources and may create some
trouble. For example, the DB replicators and auditors will lock the DB,
and new objects won't be stored during that time.
Related-Bug: #1632885
Closes-Bug: #1797167
Change-Id: I584cdb03b99721fbdc28bf7f6019d914586341d2
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
This change makes the default ContainerImagePrepareLogFile be
/var/log/tripleo-container-image-prepare.log for both undercloud and
overcloud deploy.
Previously, undercloud prepare logged to $HOME/install-undercloud.log
and overcloud prepare logged to
$(pwd)/tripleo-container-image-prepare.log.
With this change, both will be logged to
/var/log/tripleo-container-image-prepare.log
Depends-On: Id4b776de808ea329a299430078c6f3efdb604e02
Change-Id: Icd3c5d612a9c42d1d3d8e374f10eb56d5737d516
Closes-Bug: #1789871
We expect the Keepalived and HAproxy services to be deployed on the
OpenShift master nodes, so let's require them in the openshift heat
environment file. This prevents an issue when the docker-ha environment
is loaded, because it would redefine these resources.
Change-Id: I57a7ea854bd8db4e20af1a608a6937604c0e3bd2
It was using a wrong name, which came by accident since it was
introduced to the sample environment generator.
Change-Id: I154af6d0b7ebf5cd339d5d06eaaf9b1ab66814b0
Related-Bug: #1796022
The pool configuration for an HA deployment of designate looks quite
a bit different from the non-HA one, so it's useful to provide a
separate example environment for it.
Change-Id: I69b3c44b368bab3fff885e67fa6523fbb1c80347
Remove scripts and templates which dealt with Pacemaker and its
resource restarts before we moved to containerized deployments. These
should all now be unused.
Many environments had this mapping:
OS::TripleO::Tasks::ControllerPreConfig: OS::Heat::None
OS::TripleO::Tasks::ControllerPostConfig: OS::Heat::None
OS::TripleO::Tasks::ControllerPostPuppetRestart: ../../extraconfig/tasks/post_puppet_pacemaker_restart.yaml
The ControllerPostPuppetRestart is only ever referenced from
ControllerPostConfig, so if ControllerPostConfig is OS::Heat::None, it
doesn't matter what ControllerPostPuppetRestart is mapped to.
Change-Id: Ibca72affb3d55cf62e5dfb52fe56b3b1c8b12ee0
Closes-Bug: #1794720
Modified heat templates to add support for containerization for
Liquidio compute service. Fixed an issue in the ProviderMappings
in Liquidio heat templates.
Depends-On: Ice2baafae2fb1011e16d83c83b5c85f721f6d679
Change-Id: Id4c754f402091e17a974972408919332aa06cd11
Since we moved to a containerized UC, TLS Everywhere deployments are broken.
Namely, we are missing two things:
A. The NAT iptables rule for the nova metadata service to be reachable
B. The setting 'service_metadata_proxy=false' needs to be set for nova
metadata, otherwise the curl calls to set up IPA will fail with the
following:
[root@overcloud-controller-0 log]# curl http://169.254.169.254/openstack/2016-10-06
<html>
<head>
<title>400 Bad Request</title>
</head>
<body>
<h1>400 Bad Request</h1>
X-Instance-ID header is missing from request.<br /><br />
</body>
</html>
A. Is fixed by adding a conditional iptables rule that is only triggered
when deploying an undercloud (where we set MetadataNATRule to true)
B. Is fixed by setting NeutronMetadataProxySharedSecret to '' on the
undercloud and then setting the corresponding hiera keys only when
the parameter != ''. We tried alternative simpler approaches like
setting NeutronMetadataProxySharedSecret to null but that will break
heat as the parameter is required and setting it to null breaks heat
validation (we also tried to make the parameter optional with a
default: '', but that broke as well)
While we're at it we also remove the neutron metadata service from the
undercloud as it is not needed.
Tested by deploying an undercloud with this change and observing:
A.
Chain PREROUTING (policy ACCEPT 106 packets, 6698 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- br-ctlplane * 0.0.0.0/0 169.254.169.254 multiport dports 80 state NEW /* 999 undercloud nat ipv4 */ redir ports 8775
B.
grep -ir ^service_metadata_proxy /var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf
service_metadata_proxy=False
Also a deployment of a TLS overcloud was successful.
Change-Id: Id48df6db012fb433f9a0e618d0269196f4cfc2c6
Co-Authored-By: Martin Schuppert <mschuppe@redhat.com>
Closes-Bug: #1795722
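Added example (not part of the commit messages on this page, nor code from tripleo-heat-templates): a Python audit that reproduces the two observations above, A the NAT REDIRECT in the PREROUTING chain and B the service_metadata_proxy value in nova.conf, over sample input constructed to mirror the excerpts. It assumes the listing comes from `iptables -t nat -L PREROUTING -v -n` and that service_metadata_proxy sits in nova's [neutron] section; the sample nova.conf and iptables text are constructed, not captured.

```python
"""Audit the two undercloud metadata settings the commit message verifies.

Added example, not code from tripleo-heat-templates. Check A parses the
`iptables -t nat -L PREROUTING -v -n` listing for the REDIRECT that sends
169.254.169.254:80 on br-ctlplane to the nova metadata API on 8775. Check
B reads nova.conf and confirms service_metadata_proxy is off: with no
neutron metadata proxy in front of it, nova's metadata API would otherwise
demand an X-Instance-ID header and answer plain requests with 400.
"""
import configparser
import re

METADATA_IP = "169.254.169.254"
NOVA_METADATA_PORT = 8775

# Constructed sample input modelled on the commit's own iptables excerpt.
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 106 packets, 6698 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br-ctlplane *       0.0.0.0/0            169.254.169.254      multiport dports 80 state NEW /* 999 undercloud nat ipv4 */ redir ports 8775
"""

# Constructed nova.conf fragment; service_metadata_proxy lives in nova's
# [neutron] section (assumed here, the commit's grep does not show the section).
SAMPLE_NOVA_CONF = """\
[DEFAULT]
enabled_apis = osapi_compute,metadata

[neutron]
service_metadata_proxy=False
"""


def find_metadata_redirect(nat_listing, iface="br-ctlplane"):
    """Return (dport, redirect_port) of the metadata REDIRECT rule, or None.

    Columns of `iptables -L -v -n` are: pkts bytes target prot opt in out
    source destination, followed by free-form match/target options.
    """
    for line in nat_listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[2] != "REDIRECT":
            continue
        if fields[5] != iface or fields[8] != METADATA_IP:
            continue
        dport = re.search(r"dports?\s+(\d+)", line)
        redir = re.search(r"redir ports\s+(\d+)", line)
        if dport and redir:
            return int(dport.group(1)), int(redir.group(1))
    return None


def nova_metadata_proxy_settings(nova_conf_text):
    """Return (service_metadata_proxy, metadata_proxy_shared_secret) from nova.conf."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(nova_conf_text)
    proxy = parser.getboolean("neutron", "service_metadata_proxy", fallback=False)
    secret = parser.get("neutron", "metadata_proxy_shared_secret", fallback="")
    return proxy, secret


def audit_undercloud_metadata(nat_listing, nova_conf_text):
    """Run checks A and B; return a list of human-readable findings (empty = OK)."""
    findings = []
    rule = find_metadata_redirect(nat_listing)
    if rule is None:
        findings.append("A: no NAT REDIRECT for %s on br-ctlplane" % METADATA_IP)
    elif rule != (80, NOVA_METADATA_PORT):
        findings.append("A: REDIRECT maps port %d to %d, expected 80 -> %d"
                        % (rule[0], rule[1], NOVA_METADATA_PORT))
    proxy, secret = nova_metadata_proxy_settings(nova_conf_text)
    if proxy:
        findings.append("B: service_metadata_proxy is True but the undercloud runs no "
                        "neutron metadata proxy; direct requests will get 400 Bad Request")
        if not secret:
            findings.append("B: service_metadata_proxy is True with an empty shared secret")
    return findings


if __name__ == "__main__":
    for finding in audit_undercloud_metadata(SAMPLE_NAT_TABLE, SAMPLE_NOVA_CONF) or ["OK"]:
        print(finding)
```

Run against the real host by feeding it the output of the iptables command and the rendered nova.conf under /var/lib/config-data/puppet-generated/nova/; an empty findings list means both conditions the commit tested for hold.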
Removes the conflict on the OpenShiftGlobalVariables param that was overwritten
by the openshift-cns.yaml environment file. The default options for CNS
are now moved into the extraconfig/services/openshift-cns.yaml template
and can be overwritten by setting the OpenShiftGlusterNodeVars heat
parameter.
Change-Id: I43052662e913a02945f22e9f541a45ce2d9d828c
This patch adds missing documentation of two collectd write plugins
in collectd-environment.yaml and fixes deprecated configuration keys
for metrics_qdr in metrics-collectd-qdr.yaml.
Change-Id: I7d41bbf1ca46114cfa5f1784baa8da03aee9fcab
We want to enable podman on the undercloud first; this patch just
installs the rpm and configures the insecure registry if needed.
Change-Id: If469e584e2905a002931277bbe2f7301f7b8fd93
The Podman service will be in charge of installing, configuring, upgrading
and updating podman in TripleO.
For now, the service is disabled by default but included in all roles.
In the cycle, we'll make it the default.
Note: when Podman is able to run in TripleO without Docker,
we'll do like https://review.openstack.org/#/c/586679/ and make it
a generic service that can be switched to either podman or docker.
But for now, we need podman & docker working side by side.
Depends-On: Ie9f5d3b6380caa6824ca940ca48ed0fcf6308608
Change-Id: If9e311df2fc7b808982ee54224cc0ea27e21c830
https://github.com/openstack/tripleo-heat-templates/blob/master/environments/ssl/enable-internal-tls.yaml#L22
uses RPCUseSSL only and misses the NotifyUseSSL variable.
The reason this is a problem is that commands/services that will kick
off a notification are likely to hang due to this. Imagine the
following scenario:
1. TLS configured everywhere
2. keystone-manage bootstrap actually hangs
The reason for this is that the messaging string in the keystone container will look like the following:
[oslo_messaging_notifications]
transport_url=rabbit://guest:AC8DjGviXCQks8MWjQdAjYW9L@overcloud-controller-0.internalapi.tripleodomain.example.com:5672/?ssl=0
By gdb-ing onto the keystone-manage process (thanks Damien, for the
idea) we can see that we are stuck in oslo calls connecting to rabbit
without TLS.
Closes-Bug: #1795462
Change-Id: I0d25527131fa4cd293994a0511bba1144510c4d8
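Added example (not part of the commit messages on this page, nor code from tripleo-heat-templates or oslo.messaging): a Python check that parses both oslo.messaging transport_url settings from a keystone.conf-style fragment and reports which transport would connect to rabbit without TLS, the mismatch the commit above describes between RPCUseSSL and NotifyUseSSL. It assumes the rabbit driver's ssl query parameter semantics stated in the docstring; the sample configuration and its placeholder password are constructed.

```python
"""Flag oslo.messaging transport URLs that would reach RabbitMQ without TLS.

Added example, not code from tripleo-heat-templates or oslo.messaging. It
reads an oslo-style INI fragment and checks both transports: [DEFAULT]
transport_url (RPC, governed by RPCUseSSL) and [oslo_messaging_notifications]
transport_url (notifications, governed by NotifyUseSSL). The rabbit driver
enables TLS when the URL query carries ssl=1; ssl=0 or no ssl parameter
means plaintext AMQP, which is the state the commit found for notifications.
When the notifications section sets no transport_url, oslo.messaging falls
back to the RPC one; configparser's DEFAULT inheritance mirrors that here.
"""
import configparser
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: RPC was switched to TLS, notifications were not.
# The password is a placeholder, not a real credential.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
transport_url = rabbit://guest:PLACEHOLDER@overcloud-controller-0.internalapi.tripleodomain.example.com:5672/?ssl=1

[oslo_messaging_notifications]
driver = messagingv2
transport_url = rabbit://guest:PLACEHOLDER@overcloud-controller-0.internalapi.tripleodomain.example.com:5672/?ssl=0
"""


def transport_uses_tls(url):
    """True if the transport URL's ssl query parameter asks for TLS."""
    values = [v.lower() for v in parse_qs(urlparse(url).query).get("ssl", [])]
    return any(v in ("1", "true", "yes", "on") for v in values)


def redact_url(url):
    """Mask every ':password@' (also in multi-host URLs) so findings can be logged safely."""
    return re.sub(r":[^:@/,]+@", ":***@", url)


def check_transport_urls(conf_text):
    """Return [(transport_kind, redacted_url, uses_tls), ...] for RPC and notifications."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    rpc_url = parser.defaults().get("transport_url")
    notif_url = rpc_url  # oslo.messaging default: notifications reuse the RPC transport
    if parser.has_section("oslo_messaging_notifications"):
        notif_url = parser.get("oslo_messaging_notifications", "transport_url", fallback=rpc_url)
    results = []
    for kind, url in (("rpc", rpc_url), ("notifications", notif_url)):
        if url:
            results.append((kind, redact_url(url), transport_uses_tls(url)))
    return results


def plaintext_transports(conf_text):
    """Names of the transports that would connect to rabbit without TLS."""
    return [kind for kind, _, tls in check_transport_urls(conf_text) if not tls]


if __name__ == "__main__":
    for kind, url, tls in check_transport_urls(SAMPLE_KEYSTONE_CONF):
        print("%-14s %s %s" % (kind, "TLS" if tls else "PLAINTEXT", url))
```

On the sample above the check reports the RPC transport as TLS and the notifications transport as plaintext, which is exactly the configuration that left keystone-manage bootstrap hanging in the commit; pointing it at the rendered keystone.conf in the container gives the same answer for a real deployment.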
NeutronEnableDHCPAgent is no longer consumed anywhere in OpenStack so
this patch is removing all occurrences of it in the environment files.
Change-Id: I042944c3f24d22fa60d4ed13fd9a56c5b93f465f
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
The undercloud needs to be able to run the playbooks shipped with
ceph-ansible, so we mount them from the hosting node in undercloud.yaml.
Change-Id: I8d1db69d520da069099f919f286e6a553dd645a5
Closes-Bug: #1794027