This config-dir is included in default neutron-server
exec command as explained in the bug
Change-Id: I22023a645c4752c6371b5cea5ab69c7503991887
Closes-Bug: #1748173
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
Ceph RGW defaults to checking every 600 seconds for a revocation.
This is only useful for PKI tokens. PKI is not enabled.
This check needs to be disabled.
Change-Id: I9d87ff5226ab55df05e68f6639e6679fb0566484
Closes-Bug: #1748137
Enabling data-at-rest encryption and integration
with barbican to swift proxy
Related-Change-Id: I78c6003f5f599a422193dc47422ee607ce05c715
Related-Change-Id: I1ceda973733acb081967ab04a5fd57eb1609c9a7
Change-Id: I26cf063fe410689530ee507cc2f79e93b5e71732
Signed-off-by: Thiago da Silva <thiago@redhat.com>
The /srv/node/d1 directory was missing, thus creating it in advance.
Note: there is a related change that merged earlier (f6108f5d) but
for some reason didn't work as expected.
Closes-Bug: 1746734
Change-Id: Iabaa2033d065c9da653f7ba9e25430c3554a1169
The ODL private key, cert, and CA cert were missing in the puppet
container config. These are required during puppet stage in order to
create the proper keystores in ODL. The files are not needed during the
service bringup time, because the information is built into the
keystore created by puppet.
Closes-Bug: 1747700
Change-Id: If548fdba836104412bf20e8e05ecf6a5058aa318
Signed-off-by: Tim Rozet <trozet@redhat.com>
This VIP is needed in ceph-ansible to tell ganesha service
to listen on this IP only.
This parameter is passed through the endpoint map, it could be
done also by passing allNodesConfig to ceph-ansible (addressed
in patch https://review.openstack.org/#/c/509146/) and then getting
this value from allNodesConfig in tripleo-common ceph-ansible workbook.
Disadvantage of this alternative approach is that any parameter
change would require also change in tripleo-common.
Depends-On: If31722d669efe91082c93ecb815e6c41676480c8
Change-Id: I3c0da46dd0f0252158c6065b7c122b8567c88bc0
Partially-Implements: blueprint nfs-ganesha
If ceph-nfs (ganesha) service is enabled, it's set up by ceph-ansible
and it can be used as a manila backend. Manila can be configured to use
ceph either directly (manila-cephfsnative-config-docker.yaml env file)
or through ganesha (environments/manila-cephfganesha-config-docker.yaml
env file).
Change-Id: Ib408c7827e5fba0c1b01388db26363806fc64370
Partially-Implements: blueprint nfs-ganesha
This patch reverts the revert of Redis TLS [1,2], and updates the
pacemaker redis template to configure Redis to encrypt the
replication traffic between Redis nodes.
[1] a3769c03175cb36f0066c173477749a26f767566
[2] ebc8414cd0c18426ff80d9d65c964e91a7fe447f
Depends-On: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1
Change-Id: I7f7be4bba6d41c04385f074857c82507cc8c2617
Closes-Bug: #1737707
The ceph-mgr dashboard is enabled by default and we do not want it
to, as it listens on 0.0.0.0:7000 and exposes sensitive cluster
internals.
Change-Id: I9f0c9daec8209f7991400c7450f0e8f227bf0362
This patch enables health check execution for neutron-api docker container.
Change-Id: I9f919e9e486c0557fa261d58891cb5c3ce250acd
Depends-On: I290704c72e104e40d104d63583155d0eba7c128e
Enables users to run more than one CephAnsiblePlaybook during deployment
if desired. Change is backwards compatible in case string is passed.
Depends-On: I70786ab7b81f9985ddf1148b14ef803c327752b9
Change-Id: Ie0e6e53ed08a22b1453ab1230c7c6d46104716fa
This patch fixes permissions on the /var/lib/ironic directory when
it gets used by ironic-inspector. It was previously getting owned as
root:root which causes functional issues with the ironic-conductor
service on the same node which expects it to be ironic:ironic.
Change-Id: I408f791af1d6dca059836efc197d814ec63f942d
Closes-bug: #1746553
cinder_api_db_sync does not use the database settings which are
generated by the puppet_config step. Consequently, it loses some
important client settings for accessing the DB, e.g. it breaks
when TLS everywhere is enabled.
Bind mount the tripleo.cnf file to expose the proper DB settings.
Change-Id: I17f3304d546eeb78803b4a3cc859255bfb3f71eb
Closes-Bug: #1746491
Major upgrade (Q -> R) is complex in ODL. There are multiple components
involved.
This patch enables major upgrade of ODL. Steps involved are:
1. Block OVS instances to connect to ODL
2. Set ODL upgrade flag to True
3. Start ODL
4. Start Neutron re-sync and wait for it to finish
5. Delete OVS groups and ports
6. Stop OVS
7. Unblock OVS ports
8. Start OVS
9. Unset ODL upgrade flag
Change-Id: Icf98a1215900762a0677aabee1cccbf1d130e5bd
The cinder-backup service requires privileges in order to make iSCSI
connections.
Closes-Bug: 1745628
Change-Id: I63423ac4715269163e36d59d2703502455d33f86
This option was recently supported in ovn-controller [1]. If this value is configured
in the external_ids column of OpenvSwitch table of OVS database, ovn-controller copies
it to the chassis table, which will be read by Neutron OVN mechanism driver. OVN mech driver can
take certain decisions based on the value. One such use case is setting the value
'enable-chassis-as-gw' in this option. Only those chassis which have this option set
will be considered as a candidate to schedule a neutron router. So, the administrator
can decide to use only controller nodes (or networker nodes) for scheduling the
router.
[1] - 4705963f2c
Change-Id: Iabe5aec30c740447b9714e1b1ace366768488bdb
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Changing the ansible task for ensuring packages to run only when
EnablePackageInstall is True.
Also removed the step4 tag from this task as there are no tags
in host_prep_tasks.
Change-Id: I1374b20ec66694fe661183e089f8d88473be11a9
This patch adds rgw_keystone_implicit_tenants to the ceph-base.yaml
file. Setting this parameter to true creates a new tenant per user.
This patch resolves BZ1481819 for ceph-ansible deployments.
Change-Id: I4f4688bbdc79c33ccf697813adb5ef26eca79e6b
Enables TLS encryption between ODL and OVS, as well as Northbound ODL
communication with Neutron.
Implements: blueprint opendaylight-ssl-support
Depends-On: Id579aea77bf8d679b514ef9851af36d9170e93a1
Change-Id: I7c43f1358807f3ffeef2ddf29d0085ad55151dfe
Signed-off-by: Tim Rozet <trozet@redhat.com>
This patch enables health check execution for Redis docker container.
Change-Id: I631f6e1a57fe3e455ec278a3bdc8d2ec35929b8a
Depends-On: If6e4fba9da81350046630420e5bee0ee4cbd14cc
Also includes updates to docker/services/haproxy.yaml (the non-pacemaker
one) so that it works with this version.
This is required by the t-h-t undercloud installer.
Change-Id: I54b5b59ef49de8d66232312bc449559a7f16eaad
Depends-On: I800d5c067a57b0ed7f15397a1f655fbd88a4633e
This patch enables health check execution for Panko API
docker container.
Change-Id: I8e4315465faf9b246a0086ed5c24f1fbbbff6c1b
Depends-On: I1109909189b2c14c89913e217e2eb3b520897596
Fix mismatches for templates for pacemaker vs docker
control planes
Change-Id: I796ae972dcfe0907025c5ecc4d0e48c15d6f5d68
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
The openstack keyring needs permissions to operate on the additional
Ceph pools created using the CephPools parameter.
Change-Id: I4a8d185f0a1ff205525247719abb3b27aa187800
Closes-Bug: 1742647
After merging [0], the step for each upgrade_task
is now handled in a 'when' condition. This patch
corrects some templates which were not following
that logic or had some syntax error.
[0] https://review.openstack.org/#/c/510902/
Change-Id: I5e42fa6b3d84ad6e0163900ee8146fd224fb5103
During deployment, deploy with
-e environments/services-docker/neutron-ovs-hw-offload.yaml
along with other env files.
Change-Id: I9cd27a86e29381a220dd9c90d4ec1cec81f582e1
This change implements automatically in the templates use of
*_use_fqdn in ceph-ansible based on the value set for
EnableInternalTLS parameter.
Also see I14a88bd3bc91ccf6cc61d2592b823f3a92d74fec
Change-Id: I3a49308de3e94a157eee074d2deea30736ae429e
Fully configuring Octavia requires resources such as the load balancer
management network and amphora image to be created in the overcloud
during deployment. This is handled through some ansible driven through a
mistral workflow. This patch enables configuring and triggering this
workflow from heat.
Co-Authored-By: Brent Eagles <beagles@redhat.com>
Depends-on: If07ded033be9f44b7c7a7e09214032fa89a02e77
Change-Id: I2d10dbd33b3a0ed0463096849d01aa2c1b9f293e
ODL logs to either console for containerised deployment or to file
for non-containerised deployment. For containerised deployments, logs
can then be read via "docker logs".
We need both JVM and karaf (ODL application) logs together to debug
any failure scenario and for them to correlate. JVM logs to console
and not to a file. Karaf can log to file and console. So we make
karaf and JVM both log to console and read these logs via docker logs.
In cases when ODL container restarts, "docker logs" retains logs from
previous broken container so there is no loss of logs in these cases.
Change-Id: I2fe56df082c5d9206015f156f5f1b3cfca63c982