75 Commits

Author SHA1 Message Date
Zuul
c9ca23dfb1 Merge "Enable libvirt health check" 2018-07-10 01:03:36 +00:00
Lukas Bezdicka
56bec75c02 Upgrades: Refactor playbooks to set facts
To avoid redefining the variable multiple times in each service, we
run the check only once and set a fact. To increase readability of the
generated playbook we add a block per step in services.

Change-Id: I2399a72709d240f84e3463c5c3b56942462d1e5c
2018-06-08 11:46:12 +02:00
Carlos Camacho
44ef2a3ec1 Change template names to rocky
The new master branch should point now to rocky.

So, HOT templates should specify that they might contain features
for rocky release [1]

Also, this submission updates the yaml validation to use only the latest
heat_version alias. There are cases in which we will need to set
the version for specific templates, i.e. mixed versions, so a
variable is added to assign specific templates to specific heat_version
aliases, avoiding the introduction of errors by bulk replacing
the old version in new releases.

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky
Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
2018-05-09 08:28:42 +02:00
Bogdan Dobrelya
be5fd4eaeb Copy-in libvirt certs via kolla extended/start
Instead of bind-mounting directly into the libvirt container,
follow the established approach for distributing certificates
in containers.

Change-Id: Icdec38004df28988aa3a62019cb092c59d915f0e
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-05-02 14:24:32 +02:00
Zuul
2ec5bd01dc Merge "Apply the vhost group parameter for the vhost_sockets directory creation" 2018-04-09 16:01:12 +00:00
Oliver Walsh
ab78b1fcc1 Correct the InternalTLSVncCAFile to comply with selinux policy
InternalTLSVncCAFile currently defaults to /etc/ipa/vnc.crt.
Certmonger attempts to save the CA cert to this path as cert_t, however
/etc/ipa is etc_t.
Moving to /etc/pki/CA/certs which is cert_t resolves the issue, and is
arguably a more suitable location.

Change-Id: Ib275fc43dd772851511598a4932c19fcda706479
2018-04-06 17:42:30 +01:00
Saravanan KR
611830fd76 Apply the vhost group parameter for the vhost_sockets directory creation
Directory /var/lib/vhost_sockets will be used to create vhost sockets,
which should have the group name hugetlbfs, which is common
between qemu and openvswitch to share the vhost_sockets. And the
correct SELinux context is to be applied to the vhost_sockets directory.
Closes-Bug: #1751711
Change-Id: Ib917cf86bd9a4ce57af243ab43337ea6c88bf76c
2018-03-24 15:28:23 +05:30
Martin Mágr
b2ea39eb47 Enable libvirt health check
This patch enables health check execution for nova-libvirt docker container.

Change-Id: I09e0335778745876bb17ae881f948ab19b6596d3
Depends-On: Id5dc7d169301e45cb0abab7cecae67457db9fd96
Depends-On: I757d53189f5819bb3a0e7bebe277353f3460738d
2018-03-07 16:40:35 +01:00
Oliver Walsh
37a339d2b0 Add support for libvirt VNC TLS
Configures certs/key for nova-novnc vencrypt when TLS is enabled on the
internal network. A dedicated IPA sub-CA can be used to restrict access,
however by default the main IPA CA is used.

Depends-On: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
Change-Id: I67ffd847dc2d1949833a9d7039ad51e4364e02da
2018-02-22 15:46:39 +00:00
Giulio Fidente
0b1afb48e5 Allows for configuration of the Ceph cluster name
To be able to support multiple Ceph clusters, an initial step is
to allow for configuration of each cluster name.

Depends-On: I8d5293eaaf104b6374dfa13992a67ddc37397f10
Implements: blueprint custom-ceph-cluster-name
Change-Id: I1b4d51ca6a2d08fa7a68eea680eb104eff732057
2018-02-20 11:35:01 +01:00
Zuul
4e3cd0df30 Merge "Always evaluate step first in conditional" 2018-02-12 19:39:06 +00:00
Lukas Bezdicka
0cb5c847f3 Always evaluate step first in conditional
If we use variables defined in a later step in a conditional before
checking which step we are on, we will fail.

Resolves: rhbz#1535457
Closes-Bug: #1743764
Change-Id: Ic21f6eb5c4101f230fa894cd0829a11e2f0ef39b
2018-02-09 17:12:29 +01:00
Oliver Walsh
8318923dd7 Fix docker nova logging
rootwrap.conf is not a nova conf file.
Also cleaned up redundant config file args, which were the same as the defaults.

Change-Id: I4db5b0c896e7b3ee00c0d97cf07caacb83f04a9c
Related-bug: 1739492
2018-02-09 00:19:39 +00:00
marios
dec003def8 Convert tags to when statements for Q major upgrade workflow
This converts "tags: stepN" to "when: step|int == N" for the direct
execution as an ansible playbook, with a loop variable 'step'.
The tasks all include the explicit cast |int.

This also adds a set_fact task for handling of the package removal
with the UpgradeRemovePackages parameter (no change to the interface)

The yaml-validate also now checks for duplicate 'when:' statements

Q upgrade spec @ Ibde21e6efae3a7d311bee526d63c5692c4e27b28
Related Blueprint: major-upgrade-workflow
[0]: 394a92f761/tripleo_common/utils/config.py (L141)
Change-Id: I6adc5619a28099f4e241351b63377f1e96933810
2018-01-08 13:57:47 +02:00
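A worked example, added here and not part of the tripleo-heat-templates commits above, of the ordering that the "Always evaluate step first in conditional" and "Convert tags to when statements" messages describe: the step comparison must be the first item of every `when:` list, because Ansible evaluates the items top to bottom and stops at the first false one. The task names, the `libvirt_probe` and `libvirt_restart_needed` variables and the play that includes the task file are assumptions for illustration, not the project's own templates.

```yaml
# Added example (not from the project). upgrade_playbook.yaml: the task file is
# included once per step, so every task is evaluated on every iteration.
# `step` arrives as a string from with_sequence, hence the explicit |int cast.
- hosts: compute
  tasks:
    - include_tasks: upgrade_tasks.yaml
      with_sequence: start=0 end=5
      loop_control:
        loop_var: step

# upgrade_tasks.yaml (assumed file name)
- name: Probe whether libvirtd is enabled on the host (runs at every step)
  command: systemctl is-enabled --quiet libvirtd
  register: libvirt_probe          # a skipped task would overwrite this without .rc, so no step guard here
  failed_when: false
  changed_when: false

- name: Stop libvirtd before packages are upgraded
  service: name=libvirtd state=stopped
  when:
    - step|int == 2
    - libvirt_probe.rc == 0

- name: Remember that libvirtd must be started again later
  set_fact:                        # set_fact survives later iterations, unlike register
    libvirt_restart_needed: true
  when:
    - step|int == 2
    - libvirt_probe.rc == 0

# BROKEN ordering: on the step 0 iteration the fact does not exist yet, the
# first list item is evaluated before `step` is compared, and the whole run
# aborts with "'libvirt_restart_needed' is undefined".
- name: Start libvirtd after the upgrade (broken ordering)
  service: name=libvirtd state=started
  when:
    - libvirt_restart_needed | bool
    - step|int == 4

# FIXED: test the step first. Evaluation stops at the first false item, so the
# fact is only dereferenced on the iteration where it is guaranteed to exist.
- name: Start libvirtd after the upgrade (step evaluated first)
  service: name=libvirtd state=started
  when:
    - step|int == 4
    - libvirt_restart_needed | bool
```

On a host where libvirtd was never enabled the fact is never set, so a production task would also add `| default(false)`; the ordering is what keeps the lower-numbered iterations from touching the fact at all. The same short-circuit applies to the inline form `when: step|int == 4 and libvirt_restart_needed | bool`, which is a Jinja2 `and` and stops at the first false operand.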
Sven Anderson
22b5fd7928 Expose logs from nova_libvirt container
By default logs for libvirt are disabled. However, for debugging
purposes they might be enabled but are only available within the
container. This change bind mounts the log directory to the host.

Change-Id: I4a69e39355a332872ab40663d85a0bc15b98dcf4
2017-12-13 15:42:34 +01:00
Carlos Camacho
927495fe3d Change template names to queens
The new master branch should point now to queens instead of pike.

So, HOT templates should specify that they might contain features
for queens release [1]

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens

Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
2017-11-23 10:15:32 +01:00
Zuul
def7c3851b Merge "Re-enable libvirt TLS with SCRAM SHA-1 auth" 2017-11-23 07:24:42 +00:00
Zuul
5f4105e2c3 Merge "Add validation task in docker services [Nova]" 2017-11-22 18:30:05 +00:00
Zuul
5da47d2e4f Merge "Set file mode permission for Ceph keyrings in containers" 2017-11-21 01:00:07 +00:00
Oliver Walsh
2aab6971ba Re-enable libvirt TLS with SCRAM SHA-1 auth
Depends-On: Ic9335829fe39eaf4e76385f651a77b293793571a
Depends-On: I137040560b3c40fedff6feffb40125b1d1451cb6
Change-Id: I3c2a7921426bcd99d6340a913787edfb9bbd8bbd
Closes-bug: 1732479
2017-11-17 13:09:01 +00:00
Dan Prince
a307fe7ffc Drop step_config as top level docker requirement
Step config is only required within the puppet_configs section
of docker/services/*. This patch drops the top level 'step_config'
and updates the unit tests accordingly.

Change-Id: I7dc7cfae3ef1965ec95b1d9ef23e7f162418c034
2017-11-15 16:01:16 -05:00
John Fulton
ce7b65f443 Set file mode permission for Ceph keyrings in containers
Pass mode parameter to ceph-ansible for Ceph keyrings on container
host. Pass mode and ownership parameter to each Ceph client container
using kolla_config. ACLs are set for Cinder if it is not running in
containers.

Change-Id: I11618b3fd696739ad9b86618a1f3f96570c61a30
Partial-Bug: #1720787
2017-11-15 15:03:41 +00:00
Zuul
0a63857c25 Merge "Add option for nova-libvirt container to log to stdout/stderr" 2017-11-11 23:40:32 +00:00
Zuul
210aeaaab1 Merge "Disable live migration over TLS" 2017-11-10 17:37:27 +00:00
Juan Antonio Osorio Robles
759d10770d Add option for nova-libvirt container to log to stdout/stderr
This adds the option to get the nova-libvirt container to log to stdout.
The option is disabled by default.

bp logging-stdout-rsyslog

Change-Id: Ie769b4d93f3bd728b7efb84d283509db8213b5fc
2017-11-10 14:13:40 +01:00
Juan Antonio Osorio Robles
1bbcc5dc68 libvirt: Remove unnecessary binding of /var/log/containers/nova
These are not used.

Change-Id: Idb97b1a7227b4b266a26f2c827a40fcdc8bbdbc8
2017-11-09 05:22:31 +00:00
Zuul
9ca2c2a46a Merge "Set bind mount propagation to shared for /var/lib/nova." 2017-11-08 21:07:08 +00:00
Juan Antonio Osorio Robles
645757cbd6 Disable live migration over TLS
Because it doesn't use a separate CA (or sub-CA) for libvirtd, and
proper SASL is not being used, we are disabling this option since it
doesn't meet the appropriate security requirements.
We'll look into adding this back once these issues get fixed.

Change-Id: I6a5e4db1b6dd6bc8b7e73e53b614b070d15b8a23
Closes-Bug: #1730370
2017-11-07 10:14:45 +02:00
Oliver Walsh
ef0493f5ea Set bind mount propagation to shared for /var/lib/nova.
This is required for NFS exports mounted by the nova_compute container to be
visible to nova_libvirt.

Depends-on: I8a63c044e15d7ca0f54654e9fc9c5d878461aa25
Change-Id: I55859e744e3c2ebbd6975c96b84b6b0774dc6700
Closes-bug: 1730533
2017-11-07 00:35:18 +00:00
Jose Luis Franco Arza
188435ca18 Add validation task in docker services [Nova]
Docker services are missing the pre-upgrade validation task
in the upgrade_tasks section which verifies if the service
is running before going on with the upgrade.

Change-Id: I5327bd319012d99a6b805631bd96ca9f335d1b22
Partial-Bug: #1704389
2017-11-03 11:00:31 +01:00
Oliver Walsh
7c8127cf96 Only mount selinux sysfs in nova_libvirt container
https://review.openstack.org/500952 initially just did this. Then we assumed
every container should have the selinux sysfs.
This causes issues with the sshd container used for live-migration.

The advice from the selinux experts is that it should not be enabled within
containers, so reverting back to the original fix that enables it only in the
nova-libvirt container.

Closes-bug: 1729405
Change-Id: I80bf38d7d64ab99510574af5c57423fde9b84eca
2017-11-01 18:14:32 +00:00
Juan Badia Payno
5dbe1121e9 docker: add logging(source & groups)
The services that docker depends on have logging_sources and logging_groups,
but those are not set on the docker outputs, so they are not used when
containers are deployed.

Added logging_source & logging_groups as docker optional parameters in
tools/yaml-validate.py

Closes-Bug: #1718110
Change-Id: I8795eaf4bd06051e9b94aa50450dee0d8761e526
2017-09-27 07:37:14 +00:00
Jenkins
60cf6a5ff2 Merge "Support for Ocata-Pike live-migration over ssh" 2017-09-22 21:32:28 +00:00
Oliver Walsh
17fd16b9f2 Support for Ocata-Pike live-migration over ssh
In Ocata all live-migration over ssh is performed on the default ssh port (22).
In Pike the containerized live-migration over ssh is on port 2022 as the
docker host's sshd is using port 22.

To allow live migration during upgrade we need to temporarily pin the Pike
computes to port 22 and in the final converge we can switch over to port 2022.

This also changes the default port to 2022 for baremetal computes in Pike to
enable live-migration between baremetal and containerized computes.

Change-Id: Icb9bfdd9a99dc1dce28eb95c50a9a36bffa621b1
Depends-On: I0b80b81711f683be539939e7d084365ff63546d3
Closes-Bug: 1714171
2017-09-07 12:20:34 +01:00
Saravanan KR
3ea04744c2 Mount vhost_sockets directory for vhost-user socket creation
For DPDK, vhost-user sockets are created on the host at
/var/lib/vhost_sockets directory, which will be used by
libvirt and openvswitch. This directory has the necessary
permissions and SELinux policies. Mount this folder for the
libvirt container.

Change-Id: Id8be208d1b05886ac45dfdcf48fe766ee5724d1c
Partial-Bug: #1712732
2017-09-04 11:46:33 +05:30
Juan Antonio Osorio Robles
2696eadaa0 Docker: Enable TLS in the internal network for libvirt
Bind mounts the necessary certs and keys to enable live migrations
using TLS.

bp tls-via-certmonger-containers

Depends-On: I26a7748b37059ea37f460d8c70ef684cc41b16d3
Change-Id: I81efa85d916823f740bf320c88a248403743a45b
2017-08-23 05:10:58 +00:00
Jan Provaznik
ad8589212c Let mds create manila key and fs
ceph-ansible will take care of setting up client keys both
in ceph and on the client side. It will also create the filesystem
for manila. To ensure that the manila manifest can work in future
both with puppet and with ceph-ansible, creation of the filesystem
is moved to the ceph-mds manifest and creation of the manila key on the ceph
side is moved to ceph-base (so the manila key is always created);
the manila key is added to ceph-external for external ceph deployments.
Key creation is removed from manila.pp in patch
I2b5567a39ac8737e80758b705818cc1807dc8bf1

Change-Id: I6308a317ffe0af244396aba5197c85e273e69f68
Related-To: Ia3ef9e9a2b159dacea01e38762145ff2bcc7ba27
Depends-On: I3f18bbe476c4f43fa4e162cc66c5df443122cd0c
2017-08-18 16:22:10 +02:00
Jiri Stransky
f7a84702de Refactor setup_docker_host.sh as host_prep_tasks
Previously what we've been doing with setup_docker_host.sh can now be
achieved with host_prep_tasks, and we can free up the NodeUserData
interface for other use cases.

Closes-Bug: #1711387
Change-Id: Iaac90efd03e37ceb02c312f9c15c1da7d4982510
2017-08-17 17:10:22 +02:00
Jiri Stransky
5f109d08e7 Containerize virtlogd
So far we've been using virtlogd running on the host; we should now be
using virtlogd from a container.

Co-Authored-By: Martin André <m.andre@redhat.com>
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Change-Id: I998c69ea1f7480ebb90afb44d6006953a84a1c04
2017-08-14 11:25:32 +01:00
Giulio Fidente
c20033524d Set virsh secret with an init step when using Ceph
Run virsh secret-define and secret-set-value in an init step
instead of relying on the puppet-nova exec.

Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Change-Id: Ic950e290af1c66d34b40791defbdf4f8afaa11da
Closes-Bug: #1709583
2017-08-09 16:19:39 +02:00
Damien Ciabrini
0cb45d65c6 Generate MySQL client config if service requires database
Services that access the database have to read an extra MySQL configuration file
/etc/my.cnf.d/tripleo.cnf which holds client-only settings, like client bind
address and SSL configuration. The configuration file is thus used by
containerized services, but also by non-containerized services that still
run on the host.

In order to generate that client configuration file appropriately both on the
host and for containers, 1) the MySQLClient service must be included by the
role; 2) every containerized service which uses the database must include the
mysql::client profile in the docker-puppet config generation step.

By including the mysql::client profile in each containerized service, we ensure
that any change in configuration file will be reflected in the service's
/var/lib/config-data/{service}, and that paunch will restart the service's
container automatically.

We now only rely on MySQLClient from puppet/services, to make it possible to
generate /etc/my.cnf.d/tripleo.cnf on the host, and to set the hiera keys that
drive the generation of that config file in containers via docker-puppet.

We include a new YAML validation step to ensure that any service which depends
on MySQL will initialize the mysql::client profile during the docker-puppet
step.

Change-Id: I0dab1dc9caef1e749f1c42cfefeba179caebc8d7
2017-07-27 13:41:13 -04:00
Jenkins
a8442ba386 Merge "Enable libvirtd_config puppet tag in nova-libvirtd docker service" 2017-07-27 11:36:48 +00:00
Giulio Fidente
ed0b77ff93 Provides Ceph config into OpenStack clients
Given ceph-ansible or puppet-ceph will have created the Ceph
config files and keyrings in /etc/ceph on baremetal, this change
copies into the OpenStack containers the necessary files for the
services to be able to connect to the Ceph cluster.

Change-Id: Ibc9964902637429209d4e1c1563b462c60090365
2017-07-25 22:08:06 +00:00
Oliver Walsh
75fbc084d7 Enable libvirtd_config puppet tag in nova-libvirtd docker service
Required now that https://review.openstack.org/480289 has merged

Change-Id: I17f6c9b5a6e2120a53bae296042ece492210597a
Related-Bug: #1696504
2017-07-25 22:56:41 +01:00
Jenkins
86621ff34a Merge "Add support for nova live/cold-migration with containers" 2017-07-24 15:22:39 +00:00
Oliver Walsh
4a7f3398f1 Add support for nova live/cold-migration with containers
Updates hieradata for changes in https://review.openstack.org/471950.
Creates a new service - NovaMigrationTarget. On baremetal this just configures
live/cold-migration. On docker it includes a container running a second sshd
service on an alternative port.
Configures /var/lib/nova/.ssh/config and mounts in nova-compute and libvirtd
containers.

Change-Id: Ic4b810ff71085b73ccd08c66a3739f94e6c0c427
Implements: blueprint tripleo-cold-migration
Depends-On: I6c04cebd1cf066c79c5b4335011733d32ac208dc
Depends-On: I063a84a8e6da64ae3b09125cfa42e48df69adc12
2017-07-23 02:26:55 +01:00
Ben Nemec
8fb3da3c60 Make EnablePackageInstall and Debug descriptions consistent
Change-Id: I3ea7c0c7ea049043668e68c6e637fd2aaf992622
Partial-Bug: 1700664
2017-07-21 18:38:58 +00:00
Giulio Fidente
391a38e91c Add nova::compute::rbd setting into nova-libvirt profile
Some of the tasks carried by nova::compute::rbd class apply to the
compute service, others to the libvirt service so it needs to be
included in both.

Change-Id: I28557deb13b75922932cd3e86c3467a541c988d0
2017-07-19 15:18:33 +02:00
Jenkins
2185b83560 Merge "Use a single configuration file for specifying docker containers." 2017-07-15 06:19:13 +00:00
Ian Main
e76d84f784 Use a single configuration file for specifying docker containers.
This removes the default container names from all the templates
and uses a single environment file to specify the full container
name and registry from which to pull.  Also does away with most
of DockerNamespace.

Change-Id: Ieaedac33f0a25a352ab432cdb00b5c888be4ba27
Depends-On: Ibc108871ebc2beb1baae437105b2da1d0123ba60
Co-Authored-By: Dan Prince <dprince@redhat.com>
Co-Authored-By: Steve Baker <sbaker@redhat.com>
2017-07-14 22:23:02 +00:00