1113 Commits

Author SHA1 Message Date
Pradeep Kilambi
cc9ec3d39b Mount central agent log dir to access outside the container
Change-Id: Ib01abbefba42e862d7628edd80b9da008bbafff9
2018-02-08 16:13:34 -05:00
Ricardo Noriega
83ae4b75ae Adding /usr/share/neutron/server config dir
This config-dir is included in default neutron-server
  exec command as explained in the bug

Change-Id: I22023a645c4752c6371b5cea5ab69c7503991887
Closes-Bug: #1748173
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2018-02-08 16:24:16 +01:00
Zuul
77b19ed2e8 Merge "Fix missing Swift d1 directory" 2018-02-08 12:55:40 +00:00
Giulio Fidente
05b8f5ef67 Set rgw_keystone_revocation_interval to 0 for ceph-ansible
Ceph RGW defaults to checking every 600 seconds for a revocation.
This is only useful for PKI tokens. PKI is not enabled.
This check needs to be disabled.

Change-Id: I9d87ff5226ab55df05e68f6639e6679fb0566484
Closes-Bug: #1748137
2018-02-08 10:35:24 +01:00
Zuul
067b8ce6ca Merge "Pass storage nfs VIP to ceph-ansible" 2018-02-08 07:31:17 +00:00
Zuul
f47cb424fb Merge "Bind mount the database client settings in cinder_api_db_sync" 2018-02-08 01:45:36 +00:00
Zuul
9e27288203 Merge "Add support for ceph-nfs manila backend" 2018-02-08 01:25:46 +00:00
Zuul
083b324824 Merge "Containerize keepalived" 2018-02-08 01:23:15 +00:00
Thiago da Silva
ab1a421cc6 Add new encryption middleware to swift proxy
Enabling data-at-rest encryption and integration
with barbican to swift proxy

Related-Change-Id: I78c6003f5f599a422193dc47422ee607ce05c715
Related-Change-Id: I1ceda973733acb081967ab04a5fd57eb1609c9a7
Change-Id: I26cf063fe410689530ee507cc2f79e93b5e71732
Signed-off-by: Thiago da Silva <thiago@redhat.com>
2018-02-07 16:05:37 -05:00
Christian Schwede
bc8618126f Fix missing Swift d1 directory
The /srv/node/d1 directory was missing, thus creating it in advance.

Note: there is a related change that merged earlier (f6108f5d) but
for some reason didn't work as expected.

Closes-Bug: 1746734
Change-Id: Iabaa2033d065c9da653f7ba9e25430c3554a1169
2018-02-07 17:06:04 +01:00
Tim Rozet
e5c72b1129 Fixes SSL/TLS with OpenDaylight docker service
The ODL private key, cert, and CA cert were missing in the puppet
container config.  These are required during puppet stage in order to
create the proper keystores in ODL.  The files are not needed during the
service bringup time, because the information is built into the
keystore created by puppet.

Closes-Bug: 1747700

Change-Id: If548fdba836104412bf20e8e05ecf6a5058aa318
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-02-07 10:25:54 -05:00
Zuul
65e75b39db Merge "Disable ceph-mgr dashboard module" 2018-02-06 21:21:23 +00:00
Jan Provaznik
b9ebc4e162 Pass storage nfs VIP to ceph-ansible
This VIP is needed in ceph-ansible to tell ganesha service
to listen on this IP only.
This parameter is passed through the endpoint map; it could also be
done by passing allNodesConfig to ceph-ansible (addressed
in patch https://review.openstack.org/#/c/509146/) and then getting
this value from allNodesConfig in tripleo-common ceph-ansible workbook.
The disadvantage of this alternative approach is that any parameter
change would also require a change in tripleo-common.

Depends-On: If31722d669efe91082c93ecb815e6c41676480c8
Change-Id: I3c0da46dd0f0252158c6065b7c122b8567c88bc0
Partially-Implements: blueprint nfs-ganesha
2018-02-06 19:05:19 +00:00
Jan Provaznik
96b82d149e Add support for ceph-nfs manila backend
If ceph-nfs (ganesha) service is enabled, it's set up by ceph-ansible
and it can be used as a manila backend. Manila can be configured to use
ceph either directly (manila-cephfsnative-config-docker.yaml env file)
or through ganesha (environments/manila-cephfganesha-config-docker.yaml
env file).

Change-Id: Ib408c7827e5fba0c1b01388db26363806fc64370
Partially-Implements: blueprint nfs-ganesha
2018-02-06 19:04:39 +00:00
Zuul
c04d8e8a01 Merge "ovn: Provide the option to configure OVNCMSOptions ('ovn-cms-options') as a role parameter" 2018-02-06 00:05:09 +00:00
Damien Ciabrini
91db2020df Fix Redis TLS setup and its HA deployment
This patch reverts the revert of Redis TLS [1,2], and updates the
pacemaker redis template to configure Redis to encrypt the
replication traffic between Redis nodes.

[1] a3769c03175cb36f0066c173477749a26f767566
[2] ebc8414cd0c18426ff80d9d65c964e91a7fe447f

Depends-On: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1
Change-Id: I7f7be4bba6d41c04385f074857c82507cc8c2617
Closes-Bug: #1737707
2018-02-05 14:05:12 +00:00
Giulio Fidente
4ae6833cee Disable ceph-mgr dashboard module
The ceph-mgr dashboard is enabled by default and we do not want it
to be, as it listens on 0.0.0.0:7000 and exposes sensitive cluster
internals.

Change-Id: I9f0c9daec8209f7991400c7450f0e8f227bf0362
2018-02-01 17:31:40 +01:00
Martin Mágr
3c7c763397 Enable Neutron server health check
This patch enables health check execution for neutron-api docker container.

Change-Id: I9f919e9e486c0557fa261d58891cb5c3ce250acd
Depends-On: I290704c72e104e40d104d63583155d0eba7c128e
2018-02-01 16:24:12 +01:00
John Fulton
56038f39a0 Change type of CephAnsiblePlaybook from string to comma_delimited_list
Enables users to run more than one CephAnsiblePlaybook during deployment
if desired. Change is backwards compatible in case string is passed.

Depends-On: I70786ab7b81f9985ddf1148b14ef803c327752b9
Change-Id: Ie0e6e53ed08a22b1453ab1230c7c6d46104716fa
2018-01-31 17:34:54 -05:00
Dan Prince
8b578da433 inspector: fix perms on /var/lib/ironic
This patch fixes permissions on the /var/lib/ironic directory when
it gets used by ironic-inspector. It was previously getting owned as
root:root which causes functional issues with the ironic-conductor
service on the same node which expects it to be ironic:ironic.

Change-Id: I408f791af1d6dca059836efc197d814ec63f942d
Closes-bug: #1746553
2018-01-31 12:02:40 -05:00
Damien Ciabrini
6381879a1b Bind mount the database client settings in cinder_api_db_sync
cinder_api_db_sync does not use the database settings which are
generated by the puppet_config step. Consequently, it loses some
important client settings for accessing the DB, e.g. it breaks
when TLS everywhere is enabled.

Bind mount the tripleo.cnf file to expose the proper DB settings.

Change-Id: I17f3304d546eeb78803b4a3cc859255bfb3f71eb
Closes-Bug: #1746491
2018-01-31 11:14:28 +00:00
Zuul
eda047f075 Merge "Remove unused env var during mysql bootstrap" 2018-01-31 10:05:09 +00:00
Zuul
cc4ec7caff Merge "Upgrade ODL" 2018-01-31 03:19:14 +00:00
Janki Chhatbar
886b815509 Upgrade ODL
Major upgrade (Q -> R) is complex in ODL. There are multiple components
involved.

This patch enables major upgrade of ODL. Steps involved are:
1. Block OVS instances to connect to ODL
2. Set ODL upgrade flag to True
3. Start ODL
4. Start Neutron re-sync and wait for it to finish
5. Delete OVS groups and ports
6. Stop OVS
7. Unblock OVS ports
8. Start OVS
9. Unset ODL upgrade flag

Change-Id: Icf98a1215900762a0677aabee1cccbf1d130e5bd
2018-01-30 10:20:55 +00:00
Zuul
d4ad8da864 Merge "Adding support for ovs hw offloading in containers" 2018-01-27 16:19:59 +00:00
Zuul
5328121662 Merge "Enable panko API health check" 2018-01-27 05:06:13 +00:00
Alan Bishop
0c65801ac9 Run cinder-backup in a privileged container
The cinder-backup service requires privileges in order to make iSCSI
connections.

Closes-Bug: 1745628
Change-Id: I63423ac4715269163e36d59d2703502455d33f86
2018-01-26 10:31:27 -05:00
Numan Siddique
71d59bb0a3 ovn: Provide the option to configure OVNCMSOptions ('ovn-cms-options') as a role parameter
This option was recently supported in ovn-controller [1]. If this value is configured
in the external_ids column of OpenvSwitch table of OVS database, ovn-controller copies
it to the chassis table, which will be read by Neutron OVN mechanism driver. OVN mech driver can
take certain decisions based on the value. One such use case is setting the value
'enable-chassis-as-gw' in this option. Only those chassis which have this option set,
will be considered as a candidate to schedule a neutron router. So, the administrator
can decide to use only controller nodes (or networker nodes) for scheduling the
router.

[1] - 4705963f2c

Change-Id: Iabe5aec30c740447b9714e1b1ace366768488bdb
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
2018-01-25 19:46:22 +05:30
Zuul
6f402f430c Merge "Ensure packages for octavia only when EnablePackageInstall is True" 2018-01-24 22:45:19 +00:00
Zuul
363a1018d8 Merge "swift_rsync: don't bind mount /run" 2018-01-24 19:03:10 +00:00
Zuul
50333a596c Merge "Enable Redis health check" 2018-01-24 16:19:03 +00:00
Zuul
6228dd53d3 Merge "Add rgw_keystone_implicit_tenants to ceph-ansible/ceph-base.yaml" 2018-01-24 12:48:35 +00:00
Or Idgar
49c03164d4 Ensure packages for octavia only when EnablePackageInstall is True
Changing the ansible task for ensuring packages to run only when
EnablePackageInstall is True.
Also removed the step4 tag from this task as there are no tags
in host_prep_tasks.

Change-Id: I1374b20ec66694fe661183e089f8d88473be11a9
2018-01-24 09:52:30 +00:00
Zuul
af4ce05dc5 Merge "Adds SSL/TLS everywhere for OpenDaylight" 2018-01-24 02:28:45 +00:00
Zuul
5675d7202e Merge "Set permissions for openstack keyring on CephPools" 2018-01-23 23:21:33 +00:00
Keith Schincke
178cfdd742 Add rgw_keystone_implicit_tenants to ceph-ansible/ceph-base.yaml
This patch adds rgw_keystone_implicit_tenants to the ceph-base.yaml
file. Setting this parameter to true creates a new tenant per user.
This patch resolves BZ1481819 for ceph-ansible deployments.

Change-Id: I4f4688bbdc79c33ccf697813adb5ef26eca79e6b
2018-01-23 11:52:18 -05:00
Zuul
2ebc2ee3af Merge "Run Octavia configuration on the overcloud" 2018-01-22 19:50:12 +00:00
Tim Rozet
a8fd3214f4 Adds SSL/TLS everywhere for OpenDaylight
Enables TLS encryption between ODL and OVS, as well as Northbound ODL
communication with Neutron.

Implements: blueprint opendaylight-ssl-support

Depends-On: Id579aea77bf8d679b514ef9851af36d9170e93a1

Change-Id: I7c43f1358807f3ffeef2ddf29d0085ad55151dfe
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-01-22 14:09:29 -05:00
Martin Mágr
5cbf193e9c Enable Redis health check
This patch enables health check execution for Redis docker container.

Change-Id: I631f6e1a57fe3e455ec278a3bdc8d2ec35929b8a
Depends-On: If6e4fba9da81350046630420e5bee0ee4cbd14cc
2018-01-22 17:41:42 +01:00
Dan Prince
1e0056751f Containerize keepalived
Also includes updates to docker/services/haproxy.yaml (the non-pacemaker
one) so that it works with this version.

This is required by the t-h-t undercloud installer.

Change-Id: I54b5b59ef49de8d66232312bc449559a7f16eaad
Depends-On: I800d5c067a57b0ed7f15397a1f655fbd88a4633e
2018-01-22 08:28:46 -05:00
Martin Mágr
e08ddb11e7 Enable panko API health check
This patch enables health check execution for Panko API
docker container.

Change-Id: I8e4315465faf9b246a0086ed5c24f1fbbbff6c1b
Depends-On: I1109909189b2c14c89913e217e2eb3b520897596
2018-01-19 23:58:31 +01:00
Bogdan Dobrelya
e658c4b781 Align Manila Share docker templates
Fix mismatches for templates for pacemaker vs docker
control planes

Change-Id: I796ae972dcfe0907025c5ecc4d0e48c15d6f5d68
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-01-19 13:43:57 +01:00
Zuul
3ab3ff3a6f Merge "Correct erroneous upgrade tasks." 2018-01-17 18:39:56 +00:00
Giulio Fidente
3ecb286feb Set permissions for openstack keyring on CephPools
The openstack keyring needs permissions to operate on the additional
Ceph pools created using the CephPools parameter.

Change-Id: I4a8d185f0a1ff205525247719abb3b27aa187800
Closes-Bug: 1742647
2018-01-17 15:55:10 +00:00
Zuul
750fa306ce Merge "Configure ODL Logging mechanism" 2018-01-17 12:48:08 +00:00
Jose Luis Franco Arza
cc0c466044 Correct erroneous upgrade tasks.
After merging [0], the step for each upgrade_task
is now handled in a 'when' condition. This patch
corrects some templates which were not following
that logic or had some syntax error.

[0] https://review.openstack.org/#/c/510902/

Change-Id: I5e42fa6b3d84ad6e0163900ee8146fd224fb5103
2018-01-17 11:16:45 +01:00
waleed mousa
75a062b498 Adding support for ovs hw offloading in containers
During deployment, deploy with

-e environments/services-docker/neutron-ovs-hw-offload.yaml

along with other env files.

Change-Id: I9cd27a86e29381a220dd9c90d4ec1cec81f582e1
2018-01-17 03:43:59 -05:00
Giulio Fidente
17a7c255c0 Enable *_use_fqdn in ceph-ansible when EnableInternalTLS
This change implements automatically in the templates use of
*_use_fqdn in ceph-ansible based on the value set for
EnableInternalTLS parameter.

Also see I14a88bd3bc91ccf6cc61d2592b823f3a92d74fec

Change-Id: I3a49308de3e94a157eee074d2deea30736ae429e
2018-01-16 17:11:00 +01:00
Or Idgar
9d692aaa2f Run Octavia configuration on the overcloud
Fully configuring Octavia requires resources such as the load balancer
management network and amphora image to be created in the overcloud
during deployment. This is handled through some ansible driven through a
mistral workflow. This patch enables configuring and triggering this
workflow from heat.

Co-Authored-By: Brent Eagles <beagles@redhat.com>
Depends-on: If07ded033be9f44b7c7a7e09214032fa89a02e77

Change-Id: I2d10dbd33b3a0ed0463096849d01aa2c1b9f293e
2018-01-16 13:19:09 +00:00
Janki Chhatbar
85d2c53c35 Configure ODL Logging mechanism
ODL logs either to console for containerised deployment or to file
for non-containerised deployment. For containerised deployments, logs
can then be read via "docker logs".

We need both JVM and karaf (ODL application) logs together to debug
any failure scenario and for them to correlate. JVM logs to console
and not to a file. Karaf can log to file and console. So we make
karaf and JVM both log to console and read these logs via docker logs.

In cases when ODL container restarts, "docker logs" retains logs from
previous broken container so there is no loss of logs in these cases.

Change-Id: I2fe56df082c5d9206015f156f5f1b3cfca63c982
2018-01-16 09:35:26 +05:30