250 Commits

Author SHA1 Message Date
Martin André
e2f7392c4a Use Timesync service instead of Ntp
At the moment the 'OS::TripleO::Services::Timesync' service is
synonymous to 'OS::TripleO::Services::Ntp'. Let's use the more generic
Timesync service to pick up the new default in the event the value for
'OS::TripleO::Services::Timesync' changes.

This better aligns with the rest of the roles.

Change-Id: I44f706ce7dd1909ffd3805337fc6d9a5ce6de80f
2018-10-12 16:36:20 +02:00
Martin André
a9f3874217 Add OS::TripleO::Services::Rhsm to OpenShift roles
The OpenShift roles should include the OS::TripleO::Services::Rhsm
service for Red Hat Subscription Management so that the provisioned
nodes can register with a Satellite or CDN.

Add the Podman service to OpenShiftAllInOne to be more consistent with
other roles.

Change-Id: I08862635c68eddbb0940863c43867ece1b289ee5
2018-10-12 16:36:20 +02:00
Martin André
39df80b332 Use glusterfs for registry when deploying with CNS
The OCP documentation [1] recommends using a dedicated GlusterFS
cluster for the image registry. Let it be the default when deploying
with CNS.

[1] https://docs.openshift.com/container-platform/3.10/install_config/persistent_storage/persistent_storage_glusterfs.html#install-advanced-installer

Change-Id: Ife73d7c50c304cff7cd05e08f74855cb107f3c46
2018-10-11 11:53:20 +02:00
Martin André
81ca843ee7 Deploy openshift all in one in scenario009
Previously we were only deploying a master node. This commit adds the
worker and infra service to the deployed node and configures it as an
all-in-one node. In order to do so, we need to disable HAproxy when
deploying in all-in-one as the HAproxy instance Openshift deploys on
the infra node conflicts with the one we normally set up. They both
bind ports 80 and 443.

Also removes the useless ComputeServices parameter that only makes
sense in a multinode environment.

Change-Id: I6c7d1b3f2fa5c7b1d9cf695c9e021a4192e5d23a
Depends-On: Ibc98e699d34dc6ab9ff6dce0d41f275b6403d983
Depends-On: I0aa878db62e28340d019cd92769f477189886571
2018-10-11 11:53:20 +02:00
Zuul
8fd90c2d45 Merge "Set virt queue size as 1024 for all OVS-DPDK roles" 2018-10-08 12:25:41 +00:00
Zuul
925c5ded54 Merge "Add role definition for ComputeOvsDpdkSriov role" 2018-10-08 12:18:25 +00:00
Michele Baldessari
c2139a7db2 Fix TLS when using a containerized undercloud
Since we moved to containerized UC, TLS Everywhere deployments are broken.
Namely we miss two things:

A. The NAT iptables rule for the nova metadata service to be reachable
B. The setting 'service_metadata_proxy=false' needs to be set for nova
   metadata otherwise the curl calls to setup ipa will fail with the
   following:
[root@overcloud-controller-0 log]# curl http://169.254.169.254/openstack/2016-10-06
<html>
 <head>
  <title>400 Bad Request</title>
 </head>
 <body>
  <h1>400 Bad Request</h1>
  X-Instance-ID header is missing from request.<br /><br />
 </body>
</html>

A. Is fixed by adding a conditional iptables rule that is only triggered
   when deploying an undercloud (where we set MetadataNATRule to true)

B. Is fixed by setting NeutronMetadataProxySharedSecret to '' on the
   undercloud and then setting the corresponding hiera keys only when
   the parameter != ''. We tried alternative simpler approaches like
   setting NeutronMetadataProxySharedSecret to null but that will break
   heat as the parameter is required and setting it to null breaks heat
   validation (we also tried to make the parameter optional with a
   default: '', but that broke as well)

While we're at it we also remove the neutron metadata service from the
undercloud as it is not needed.

Tested by deploying an undercloud with this change and observing:
A.
Chain PREROUTING (policy ACCEPT 106 packets, 6698 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br-ctlplane *       0.0.0.0/0            169.254.169.254      multiport dports 80 state NEW /* 999 undercloud nat ipv4 */ redir ports 8775

B.
grep -ir ^service_metadata_proxy /var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf
service_metadata_proxy=False

Also a deployment of a TLS overcloud was successful.

Change-Id: Id48df6db012fb433f9a0e618d0269196f4cfc2c6
Co-Authored-By: Martin Schuppert <mschuppe@redhat.com>
Closes-Bug: #1795722
2018-10-06 13:25:18 +00:00
Zuul
5d2b9a420e Merge "Configure haproxy for openshift infra" 2018-10-06 12:46:01 +00:00
Zuul
b600b860c0 Merge "Update standalone role" 2018-10-02 18:52:00 +00:00
Zuul
714680051e Merge "Introduce OS::TripleO::Services::Podman" 2018-10-02 11:45:36 +00:00
Zuul
453f3dae50 Merge "Add networks to IronicConductor role." 2018-10-02 03:07:30 +00:00
Emilien Macchi
7bebdefda8 Introduce OS::TripleO::Services::Podman
Podman service will be in charge of installing, configuring, upgrading
and updating podman in TripleO.

For now, the service is disabled by default but included in all roles.
In the cycle, we'll make it the default.

Note: when Podman is able to run in TripleO without Docker,
we'll do as in https://review.openstack.org/#/c/586679/ and make it
a generic service that can be switched to either podman or docker.
But for now, we need podman & docker working side by side.

Depends-On: Ie9f5d3b6380caa6824ca940ca48ed0fcf6308608
Change-Id: If9e311df2fc7b808982ee54224cc0ea27e21c830
2018-10-02 01:47:46 +00:00
Zuul
ba441f7a4a Merge "Refactor openshift services for composable roles" 2018-09-28 00:14:07 +00:00
Zuul
f1571e6834 Merge "Cleanup ControllerStorageNfs role" 2018-09-27 12:24:50 +00:00
Alex Schultz
ba81e1f4d6 Update standalone role
The standalone role can be used either with the tripleo deploy command
to deploy locally, or it can be used with an undercloud to deploy an
all-in-one node. This change provides a sample set of environment files
for both deployment mechanisms.

Change-Id: Ibc735ac4326a9217469e368c074de8b0df7689bd
Related-Blueprint: all-in-one
2018-09-26 14:14:28 -06:00
Martin André
b2bcc10d5a Configure haproxy for openshift infra
Openshift Routers are located on the infra node and need to be highly
available on ports 80 and 443.

Depends-On: I5de14152904d06c49e9d5b2df6e3f09a35f23d92
Change-Id: Iee088e1279bff2cdb7a3601288804f626bff29a3
2018-09-25 16:35:48 +02:00
Martin André
7373adc72e Refactor openshift services for composable roles
Introduce an openshift_node template that serves as base for all
openshift services. This reworks the inventory files so that hosts are
defined once and made part of the appropriate groups.

The master node can now be split from the infra node, or bundled
together with the Worker in the all-in-one role.

Provide environment files to enable the Master, Worker, Infra or
all-in-one role individually.

Change-Id: I9ad86185b01c88b609d320e2384c5644bd99bdae
2018-09-25 16:35:48 +02:00
Bob Fournier
366cd639a6 Add networks to IronicConductor role.
The IronicConductor.yaml file was missing networks.

Change-Id: I7be814c269091bd6ceb45f066356acbb856d0f55
2018-09-20 09:24:31 -04:00
Zuul
733c12d46a Merge "Remove External network from DVR related configuration" 2018-09-19 07:54:23 +00:00
Zuul
1bcbaf6a38 Merge "Add CephOSD service to roles/Standalone.yaml" 2018-09-19 00:55:58 +00:00
Zuul
58d3eec514 Merge "Create a Timesync service declaration" 2018-09-18 21:29:21 +00:00
John Fulton
7905fe07d2 Add CephOSD service to roles/Standalone.yaml
Change-Id: If3bda98425e68bcd2ac221d36a968adbe25b7c69
Closes-Bug: #1793020
2018-09-17 16:44:51 -04:00
Martin André
ce0e69537b Hook openshift deployment with image prepare
Add the OS::TripleO::Services::ContainerImagePrepare service to the
OpenShiftMaster role so that images can be prepared automatically via
the image prepare workflow.

Change-Id: I717b2d5aa1a7dfdc6be87a2383a5d3fc2f940874
Blueprint: container-prepare-workflow
2018-09-10 16:22:45 +02:00
Tom Barron
5d015ceb53 Cleanup ControllerStorageNfs role
1) Complete the role description to include the main
point.

2) Set reasonable CountDefault given that ganesha
service should be deployed in HA configuration.

Change-Id: Ie787693c0f5360529a81f6e03bdcae9e19488a2c
2018-09-09 18:23:14 -04:00
Zuul
6c245f7064 Merge "Move to openshift-ansible 3.10" 2018-09-06 09:22:02 +00:00
Alex Schultz
f7f9053963 Create a Timesync service declaration
In order to support switching between multiple timesync backends, let's
simplify the service configurations for the roles so that there is a
single timesync service.  This timesync service should point to the
expected backend (ntp/ptp/chrony).

Change-Id: I986d39398b6143f6c11be29200a4ce364575e402
Related-Blueprint: tripleo-chrony
2018-09-04 21:00:56 +00:00
Emilien Macchi
d2f410ea73 undercloud: deploy kernel composable service
To benefit from the sysctl parameters interface, we need this service on the
containerized undercloud.

Change-Id: I59d6198fa53ee3b3bf375bc7bfb7caa880146c62
2018-09-04 20:17:38 +00:00
Flavio Percoco
e1912cd59b Move to openshift-ansible 3.10
This patch adds a new role called OpenShiftInfra which is required to
define infra nodes. We've been bundling infra nodes with compute and
master nodes and they ought to be independent.

With the new node label management introduced in openshift-ansible, it
sounds like this is a good time for us to unbundle these nodes.

Co-Authored-By: Martin André <m.andre@redhat.com>
Depends-On: I291b6ac65eaa1a015bca2ee2bc1be90b0ea0aadc
Change-Id: I4f8127a9e2d822057f3db8f0974ab1db0698985a
2018-09-04 18:05:53 +00:00
Saravanan KR
1e723b72f8 Set virt queue size as 1024 for all OVS-DPDK roles
In order to achieve better performance, OVS-DPDK instances
should have the virt queue size configured as 1k. This patch
configures the parameter for all the defined OVS-DPDK roles.
Closes-Bug: #1789827

Change-Id: Ib5d97303b973f96af8e3e0806f2549d85860d6f5
2018-09-03 09:35:44 +05:30
Saravanan KR
911da8ce89 Add role definition for ComputeOvsDpdkSriov role
Add support to generate roles_data file with both OVS-DPDK and
SR-IOV services in the same role.
Closes-Bug: #1789804

Change-Id: I03c9e5bfc0fc607762993202fc18ec49b13913c7
2018-09-03 09:34:13 +05:30
Zuul
a885599770 Merge "Always enable image prepare service for docker clouds" 2018-08-28 04:38:50 +00:00
Zuul
ac5d95124b Merge "Fix typo" 2018-08-20 19:26:41 +00:00
Brent Eagles
d9fa0ed5b2 Remove External network from DVR related configuration
DVR doesn't imply the "External" networks, simply some type of
connection that is being used for floating IP traffic. This patch
removes the External network from the DVR role and "left overs" from
environment files. It also corrects the multiple-nics version of the
templates so that the ComputeDVR role is attached to the external
bridge with no IP.

Co-Authored-By: Dan Sneddon <dsneddon@redhat.com>

Change-Id: Ia599e01dbefe4e4c752b7d4c1c7e5682963101f7
2018-08-16 16:51:15 -07:00
Steve Baker
93d87cf18d Always enable image prepare service for docker clouds
This change includes the service
OS::TripleO::Services::ContainerImagePrepare by default in the overcloud
which will trigger a container image prepare in the same way as is
currently done for the containerized undercloud.

Along with the mistral action which populates the container image
parameters, this change makes blueprint container-prepare-workflow
functionally complete.

Change-Id: I8b0c5e630e63ef6a2e6f70f1eb00fd02f4cfd1c0
Blueprint: container-prepare-workflow
2018-08-15 12:09:23 +00:00
Zuul
398b2b7f9d Merge "Remove HostnameFormatDefault from NFV roles" 2018-08-13 10:03:55 +00:00
Zuul
39e360624e Merge "Break out image prepare into its own "service"" 2018-08-10 02:31:33 +00:00
Zuul
9359e7ac46 Merge "Add neutron metadata agent to the undercloud" 2018-08-08 22:09:50 +00:00
Zuul
e7bde70073 Merge "Add NovaResumeGuestsStateOnHostBoot and NovaResumeGuestsShutdownTimeout" 2018-08-08 12:39:02 +00:00
Juan Antonio Osorio Robles
60a63edc22 Add neutron metadata agent to the undercloud
It was missing and it's necessary for the nova metadata API to work.
Without this we don't have a working TLS everywhere setup, since it
relies on this functionality.

Change-Id: I24ff6f1b5acc428f001b2ca9b0bdbfa8ec121e52
Closes-Bug: #1785744
2018-08-07 08:17:08 +03:00
Zuul
7248cd24ba Merge "Allow to remove xinetd service" 2018-08-02 08:14:58 +00:00
Steve Baker
1bda1fd9a7 Break out image prepare into its own "service"
This makes the docker-registry service focused on installing the
registry, as it should be. Also this makes it possible to invoke this
service during overcloud deploy too.

This change also switches to calling the tripleo-common script
tripleo-container-image-prepare instead of the full openstack command.
This will allow a mistral image to do a prepare without depending on
the python-tripleoclient package.

The {{role}}Services and {{role}}Count are propagated to
tripleo-container-image-prepare so that images are filtered correctly.

sudo is used instead of become:true so that the tripleo-common mistral
sudoers pattern matches.

Depends-On: Ic1648e43f45bb7604d4c0f9abf247a475fb23707
Change-Id: Ibc16bed673de7b22cd8eef3f6fb0d45871083873
Blueprint: container-prepare-workflow
2018-08-02 11:29:39 +12:00
Martin Mágr
b76d7623ac QDR for metrics collection purposes
This patch adds a new composable service (QDR) for containerized deployments.
Metrics QDR will run on each overcloud node in 'edge' mode. This basically
means that there is a possibility that there will be two QDRs running
on controllers in case oslo messaging is deployed. This is the reason why
we need a separate composable service for this use case.

Depends-On: If9e3658d304c3071f53ecb1c42796d2603875fcd
Depends-On: I68f39b6bda02ba3920f2ab1cf2df0bd54ad7453f
Depends-On: I73f988d05840eca44949f13f248f86d094a57c46
Change-Id: I1353020f874b348afd98e7ed3832033f85a5267f
2018-07-31 21:55:45 +00:00
Cédric Jeanneret
6237903852 Allow to remove xinetd service
The xinetd service isn't used anymore on the host - it runs in
containers where it is needed, meaning that service can be dropped
for good, as well as its package.

Change-Id: I004a43c1b6c9cee21c24749bd6589435530e48e0
2018-07-31 15:21:59 +02:00
Zuul
311c2de714 Merge "Add OVS-DPDK parameter as part of roles file" 2018-07-31 12:21:09 +00:00
Martin Schuppert
9654393f24 Add NovaResumeGuestsStateOnHostBoot and NovaResumeGuestsShutdownTimeout
NovaResumeGuestsStateOnHostBoot (true/false) parameter which
configures whether or not to start again instances which were running at
the time of a compute reboot.
This will set the resume_guests_state_on_host_boot parameter in nova.conf
and configures and enables libvirt-guests with a dependency to the
docker service to shutdown instances before the libvirt container gets
stopped.
NovaResumeGuestsShutdownTimeout specifies the number of seconds to allow
an instance to shut down.

Change-Id: I946600ebbc3afd88385ca89015e8f6a6c46f46ef
Closes-Bug: 1778216
Depends-On: I2766cdd66ff17756daaf1a75ad516a7af6eebddc
Depends-On: Id1cc2e75af316b864cebf601395f1111b7fb049a
2018-07-31 12:24:08 +02:00
Saravanan KR
c00a559b1a Remove HostnameFormatDefault from NFV roles
Value of HostnameFormatDefault defined in role/*.yaml files is
redundant as the default value in the templates sets the same
value as the role name in lowercase. With the patch
Ifa60eae1ad09b2ceac207114c40c714a6fc67cbc merged, it is possible
to generate multiple roles out of the defined roles. The default
value of the {{role.name}}HostnameFormat in overcloud.j2.yaml will
apply the same format with role name in lower case, having this
default will override all generated roles with same format.
Removing the default from roles will ensure that the default value
is set as per the role name.

As NFV roles are mostly hardware associated, it is an important change
for these roles, though the same can be extended to all role
definitions.

Change-Id: I701bc86034a3b75ca05ae08214dcbb2d9c6c7483
2018-07-25 12:14:48 +05:30
Zuul
87c03bf6b8 Merge "Add a ComputePPC64LE role" 2018-07-23 00:33:07 +00:00
Saravanan KR
e7d39847bc Add OVS-DPDK parameter as part of roles file
Adding the mandatory OVS-DPDK parameter to the roles file instead of the
environment file, as it needs to be added for each custom role.

Change-Id: I33fa198228e3e3adcb8e93146d9a9caa46a28895
2018-07-16 09:58:55 +05:30
Zuul
6118dec096 Merge "HA support for OpenShift" 2018-07-12 04:25:29 +00:00
Flavio Percoco
99b8119d98 HA support for OpenShift
The OSA assisted HA deployment is not recommended for production
environments, besides it being limited. Therefore, we're relying on our
deployment of HAproxy + Keepalived to provide HA on top of OpenShift in
addition to adding more OpenShift nodes.

Depends-On: Ib573758b515264d1dda90cc9de61f4fa6659dc7d

Change-Id: I7ab677e4803e9df5f6641204cb0b6ccc5b1eb79f
2018-07-11 07:41:51 +02:00