Added support for setting the Barbican option
always_set_cka_sensitive. The option defaults to true as
needed by Safenet HSMs. It is set to false in the ATOS
and Thales HSM environments.
Change-Id: If3fa975e8243dfe30ef67ec81db891943a94a9d5
Story: 2004734

This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration.
With this patch the baremetal version of sahara services has been removed.
Change-Id: I5a555155c881e0e92acc3ebba7b844abdd686e6e
Related-Blueprint: services-yaml-flattening

Currently neutron_ovs_agent_launcher.sh unconditionally
runs neutron with the default python from /usr/bin/python,
so it is impossible to force it to use python3 if
/usr/bin/python points to python2.
Make the python interpreter overridable, by reusing the
existing Heat parameter "PythonInterpreter" and honouring
its value in neutron_ovs_agent_launcher.sh
Change-Id: I43c17de81603bd41e6503dd01d6f4ef452b7d533
Co-Authored-By: Michele Baldessari <michele@acksyn.org>

On an F28-based container image nova-libvirt fails to
start in Podman if /sys/fs/selinux is bind-mounted
from the host, with the following logs:
2019-01-16 13:41:35.375+0000: 452430: error : virSecuritySELinuxQEMUInitialize:634 : cannot open SELinux label_handle: No such file or directory
2019-01-16 13:41:35.375+0000: 452430: error : qemuSecurityInit:425 : internal error: Failed to initialize security drivers
2019-01-16 13:41:35.375+0000: 452430: error : virStateInitialize:775 : Initialization of QEMU state driver failed: internal error: Failed to initialize security drivers
2019-01-16 13:41:35.375+0000: 452430: error : daemonRunStateInit:837 : Driver state initialization failed
Perform the bind-mount only when the ContainerCli is set
to 'docker'.
Change-Id: I7a2ca4fb1ff8ea5950fd52774c648af5ef274796
Closes-Bug: #1812013
Co-Authored-By: Michele Baldessari <michele@acksyn.org>

PythonInterpreter defaults to /usr/bin/python. If a user overrides
this default, e.g. to something like python3, then we should use it.
Modify ceph-base.yml to use the PythonInterpreter parameter. The
variable will already be set to ansible_python_interpreter by the
calling ansible execution.
Change-Id: If599855c00d0ab8861ea7f873d410f9a880d35be
Closes-Bug: #1811974

The socket is only needed when ContainerCli is set to 'docker'.
It only affects mistral executor and sensu-client containers, which were
the last containers relying on the socket.
For sensu-client, it was for healthchecks and they are being replaced by
systemd so the feature parity will be here.
For mistral-executor, it's needed by tripleo-validations running docker
CLI and they will have to run podman cli instead of docker.
Change-Id: I4e3d29a6eb65d871d7a1a935fcbd7bb98e7d1752

Haproxy 1.8 brings in a specific change that breaks us:
It removes the haproxy-systemd-wrapper which
we use in order to be able to reload the config file without
restarting the whole container (important in TLS scenarios).
We fix this by calling the haproxy binary directly and
using the master-worker mode (-Ws) which allows it to receive
a SIGUSR2 command which will then reload the config for
all the workers. It should also not background.
This commit keeps backward compatibility with current HAProxy
to ease the transition to new HAProxy.
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Change-Id: I93943efefa22b9107c85f9f5e0bd4c3c1ab867ed

Context: https://github.com/containers/libpod/issues/1844
We have a concurrency issue when podman is enabled, where
the bind-mounted entrypoint can't be found.
This patch will retry the podman run commands 3 times before declaring
a failure.
Also, every time it fails we'll log the number of attempts to configure
the container. So we can track these numbers in CI.
It'll allow us to keep doing concurrent calls, but with less chance
to fail with the issue #1844.
Note: we hate this patch and we hope to revert it soon. But now it's how
we'll reduce issues in CI.
Change-Id: I6af89bf54e562e7c6bbcdb82041a7274789dcf28
Related-Bug: #1811383

In order to allow the system iptables to actually run from within a container,
we might need specific, per-kernel modules in order to avoid mismatches.
Currently, the only container having the system iptables mounted is the
haproxy_firewall thingy.
Change-Id: Idabc2da14413d953c8fe9effdd240dc250e7c64d
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1665598

Implicit defaults hide issues with overriding ansible variables as we
pass values in from deploy-steps.j2.
Make no implicit defaults for variables passed into deploy steps via
ansible vars. Only expect those to take the values defined in the caller
deploy-steps.j2 playbook template. Add missing params and vars for
templates to propagate ansible values for external deploy/upgrade,
upgrade/update and post upgrade steps playbooks.
Make DockerPuppetDebug boolean to align with other booleans we pass
into deploy steps via ansible vars. Fix its processing in
docker-puppet.py, which is defaults for DockerPuppetDebug: ''
converted into 'false' in deploy steps tasks playbook, and then
that becomes always True in docker-puppet.py.
Related-Bug: #1799914
Change-Id: Ia630f08f553bd53656c76e5c8059f15d314a17c0
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>

Fixes reported problem of job running only in check and not in gate:
tripleo-ci-centos-7-scenario000-multinode-oooq-container-updates
Change-Id: I7df8d811287c7605b1b406420de1eb17ae555346

Change I222873859af1b4ed1050cfffe55687b2f8d4c528 removed the
RedisVipPort using the {{primary_role_name}} jinja variable.
The code to get the primary_role_name is no longer necessary.
Closes-Bug: #1808893
Change-Id: Id416786c85a48c598ccc8a9975bb07d7735df218