In RDO CI we're seeing this undefined, but haproxy_short_bootstrap_node_name
is defined, which proves https://review.openstack.org/#/c/605046/ is included
and working.
The root cause is that the haproxy_public_tls_inject_service is actually
created via the haproxy template as a nested stack, so we need to use
haproxy_short_bootstrap_node_name instead.
Change-Id: I870825140b8947a1845307b5bec1bcff387c15c0
Closes-Bug: #1804433
If resume_guests_state_on_host_boot is set in nova.conf, instances
need to be shut down using libvirt-guests after the nova_compute container
is shut down. Therefore we need a customized libvirt-guests unit file
which:
1) removes the dependency on libvirt (non container) so that it doesn't
get started as a dependency and make the nova_libvirt container
fail.
2) adds a dependency on docker related services so that a shutdown of
the nova_compute container is possible on system reboot.
3) stops the nova_compute container
4) shuts down VMs
This is a missing part of Bug 1778216.
Change-Id: Ic4b7b427827114fcec0f4973a200461e811ee53a
Related-bug: 1778216
Enabling glance image cache by setting up value of 'flavor' to
'keystone+cachemanagement' in glance-api.conf from THT.
Change-Id: I9a87d8edcb2e98ae45e98439b44b659916e44d89
blueprint: split-controlplane-glance-cache
Configure cinder to use the nova API's admin endpoint instead of the
default public endpoint. Add the necessary auth credentials so that
cinder can access nova's API as a privileged user, which is required
for certain actions (see [1]).
[1] https://git.openstack.org/cgit/openstack/cinder/tree/cinder/compute/nova.py#n86
Closes-Bug: #1802347
Depends-On: I925e25bcc352955560fc449fc5287e56beb12ca3
Depends-On: Ia357ea41f8472d47e266d853f120a14b767e880d
Change-Id: Ic0eef51c1dafd4a1378f5317390e7c09f1d429cd
Nova metadata api is running via http wsgi in its own service.
Therefore we can clean up the ports definition being opened by
nova api service.
Change-Id: I3066806f8810e30742516c3ca14afc12a1c95bbc
With the upgrade to puppet 5, we can no longer use dots in the hieradata
key lookups. This change updates the THT for firewall_rules,
haproxy_endpoints and haproxy_userlists to use the colon notation.
Change-Id: I6f67153e04aed191acb715fe8cfa976ee2e75878
Related-Bug: #1803024
With layered product packaging upgrading openvswitch may involve a
package rename of the openvswitch package (e.g. openvswitch to
openvswitch 2.10 or openvswitch2.12 to openvswitch2.13). This patch
adds special handling for the rhosp-openvswitch layered product package
to ensure that openvswitch networking remains available during the
upgrade.
Note that this patch also moves the special upgrade logic to
tripleo-packages because it could affect any node that is running
openvswitch for host networking, not just those that are using it for
cloud workloads.
Closes-Bug: #1794359
Change-Id: Ibd64ac1407333c1548261f9d2ae69cdf013e94ce
During upgrade we may have container_cli be Podman but the containers
may still be running on Docker. Handle this situation in the upgrade
tasks which are the last-resort online data migration if user forgot
to trigger them earlier, as they seem to be hitting this issue.
We must support both options at the same time, because the upgrade
code must be idempotent (re-runnable). When running upgrade 1st time,
the containers will be running in Docker, when re-running the upgrade
(e.g. because a part of it failed), the containers will be running in
Podman.
Once we converge onto a single solution and do not have to support
migration, this commit can be reverted.
Change-Id: I933ce754f081ee87ec53d5f8d9c901ab71dceb1e
Closes-Bug: #1802085
During upgrade, as we don't use instack_undercloud anymore, we are missing
the _member_ role to the admin user.
This creates the necessary hooks in tht to have the member role
created during upgrade (and install for that matter).
This passes on the keystone_enable_member to puppet-tripleo, but it
needs a patch there as well for this mechanism to fully work.
Change-Id: I2319ed876eba7f21c0e80444bf78ca080fef252a
Depends-On: https://review.openstack.org/611919
Partial-Bug: #1799177
Add ContainerCli parameter, default to docker. Possible values:
podman/docker (default).
Deprecate DockerAdditionalSockets so it does nothing for podman.
Nested podman CLI replaces docker sockets. Only bind mount
/var/lib/openstack for the neutron/ovn agents for docker.
Support debug messages for Neutron/OVN wrappers controlled via
NeutronWrapperDebug and OWNWrapperDebug (defaults to False). Or
globally controlled by Debug.
Make the wrapper containers managed by their parent processes and
not exited/removed forcibly, when the parent container restarts.
Background for podman CLI replacing the docker socket:
We'll use 'nsenter -m -n -p -t 1 podman' in wrappers
to execute podman in the same namespaces as on the host
and to NOT bind-mount world for that, like:
- /sys/fs/cgroup:/sys/fs/cgroup
- /run/libpod:/run/libpod
- /run/containers:/run/containers
- /run/runc:/run/runc
- /run/runc-ctrs:/run/runc-ctrs
- /var/lib/containers:/var/lib/containers
- /etc/containers:/etc/containers:ro
- /usr/bin/podman:/usr/bin/podman:ro
- /usr/bin/runc:/usr/bin/runc:ro
- /usr/libexec/podman/conmon:/usr/libexec/podman/conmon:ro
- /usr/lib64/libseccomp.so.2:/usr/lib64/libseccomp.so.2:ro
...
We cannot use chroot /host instead as there are more bind-mounts to use
outside of the /host chroot. Maybe varlink is a good replacement for
all of that, but it's not there yet.
Change-Id: I055fb7a5fd20932c5bee665bb96678f3ae92bffe
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Added a new parameter CinderDellScMultipathXfer to
support cinder::backend::dellsc_iscsi::use_multipath_for_image_xfer
to the Dell EMC SC Cinder iSCSI volume driver template.
Depends-On: https://review.openstack.org/#/c/611126/
Change-Id: I04f42ce0cd117f7dcc7a817274ea7664d9995864
Since the ironic-inspector service and the dnsmasq
service for ironic-inspector are running in different
containers, having the ironic-inspector service
start/stop the dnsmasq service is non-trivial.
Using `--pid="host"` and making the containers
privileged seems less than ideal.
This changes the ironic-inspector configuration so
that it will no longer purge the dhcp-hosts dir on
initialization. Purging the directory without also
restarting (or HUP) the dnsmasq service can cause
the configuration in the DHCP service to deviate
from what ironic-inspector intends it to be.
Related-Bug: #1780421
Depends-On: Icc532115891c567dde20a28110bf08f54187c49f
Change-Id: Id26b578b57c46f9993459f83b5f90393d7798a82
Other Octavia services like octavia-worker also require setting of
database connection in order to access the octavia database.
Closes-Bug: #1797098
Depends-On: https://review.openstack.org/#/c/612395/
Change-Id: I33a08521a4cfffc709de850b99f9292ca464537e
OpenStack services don't support TRACE requests, so there is little
point allowing TRACE for apache.
Change-Id: I396a4c3bfab8f353d038b011d5dc8029f4137a57
Closes-Bug: #1801298
These tasks should have check_mode:no set so that they run in check
mode, as the variables they register are used in later tasks. Otherwise,
ansible in check mode fails with undefined variable errors.
Also, some tasks may fail due to not all requirements being available
since those requirements were not created by previous tasks that were
also run in check mode.
This adds ignore_errors to these tasks, and sets the value to the
boolean ansible_check_mode which is provided by ansible and set based on
whether or not --check was passed to the ansible command line.
Change-Id: I84bc3c14ede37959a4078fd14ce4661b7bd23f84
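An added illustration of the pattern the commit message above describes, not taken from the change itself; the task names, the /tmp/example-svc.conf path and the example_config variable are hypothetical:

```yaml
# Added example; not from the commit. Names and paths are hypothetical.
- hosts: localhost
  gather_facts: false
  tasks:
    # Under --check this task only reports what it would do, so the file
    # may not exist when the next task runs.
    - name: Write the service config
      copy:
        dest: /tmp/example-svc.conf
        content: "debug=true\n"

    # check_mode: no forces this task to execute even under --check, so
    # the registered variable is always defined for later tasks. Use it
    # only on read-only commands, because the command really runs.
    # In a check run the file above may be missing and the command fails;
    # ignore_errors follows ansible_check_mode (true only when --check was
    # passed), so a real run still stops on a genuine failure.
    - name: Read the current service config
      command: cat /tmp/example-svc.conf
      register: example_config
      changed_when: false
      check_mode: no
      ignore_errors: "{{ ansible_check_mode }}"

    # Consumes the registered variable; without check_mode: no above this
    # would fail under --check with an undefined variable error.
    - name: Report whether debug is enabled
      debug:
        msg: "debug enabled: {{ 'debug=true' in (example_config.stdout | default('')) }}"
```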
This is required to fix bug #1800958 so that DockerRegistryMirror is
available to make mirror requests during prepare.
Change-Id: If896c22bf449a3ac91ca363648f84dd5b9aef227
Add a chrony service configuration. The chrony service configuration
includes tasks to ensure that the ntpd service is stopped prior to
configuring chronyd. Since both can be switched back and forth, the ntpd
configuration is also updated to stop chronyd prior to attempting to
configure the ntpd service.
Change-Id: Ie5e8183c000915f28166c842cecc04f445c013ae
Related-Blueprint: tripleo-chrony