398 Commits

Author SHA1 Message Date
Zuul
7a1ad4068e Merge "Remove unused pre_network configuration" 2018-01-31 09:44:01 +00:00
Flavio Percoco
238675b25e Update to openshift 3.7
Packages and repositories for openshift 3.7 have been created already.
I've updated the version we are installing and tested this manually.

Change-Id: Id09242b637ca2a060f068887e10981eecaa59e4a
2018-01-25 14:02:05 +01:00
Flavio Percoco
a592631239 Assign labels to nodes
Make sure nodes have, at least, the region and zone labels to allow for
deployments to schedule infra PODs on them.

Change-Id: If3849a46391cfac7eb5dd556d5b65c831026a95c
2018-01-25 14:02:05 +01:00
Zuul
313d42c4c7 Merge "Split IPSEC deployment in two" 2018-01-18 19:11:46 +00:00
Juan Antonio Osorio Robles
1363eda063 Split IPSEC deployment in two
The first phase sets up the node-to-node tunnels at step 1; this
ensures that the corosync cluster setup is done over the tunnels
and prevents any timeouts that were happening when the setup was
done after the cluster was up. This has the added value that all
the pacemaker communication is encrypted from the beginning.

The second phase is the VIP tunnel setup, which is in step 3. This
is because we need the VIPs to be set up by pacemaker, and we also
need pacemaker to be up.

Depends-On: Ib9a134648c74e5dfcbd7a8ebd2d67bda87992497
Change-Id: Ic402dc73044e2426b097ed0eaf57a77c5e6eef24
2018-01-18 08:31:29 +02:00
Sven Anderson
dc8a61b7b4 Replace hardcoded profile name with _TUNED_PROFILE_NAME_
The *-variables.conf file for tuned is hardcoded for the profile
"cpu-partitioning", which makes other profiles fail, that also need
the isolated_cores variable.

Change-Id: Iaeedfe5d7c501453fd2039b81c1603eff6125ebf
2018-01-16 16:20:18 +01:00
Zuul
0d24fdbd2e Merge "OvsDpdkMemoryChannels parameter default value" 2018-01-16 00:29:36 +00:00
Zuul
1af7729939 Merge "Convert tags to when statements for Q major upgrade workflow" 2018-01-13 09:39:38 +00:00
Carlos Camacho
7bf4edde5d Enhance completion message when upgrading non controller nodes
This adds a better completion message when upgrading a non
controller node.

Change-Id: I1cd765b1998f059702f0c17ccb67d54f6d5db362
Closes-Bug: 1703792
2018-01-11 10:08:30 +01:00
Jaganathan Palanisamy
2194cce7b8 OvsDpdkMemoryChannels parameter default value
This change is to update the memory channels parameter default
value in service yaml instead of environment yaml file.

Change-Id: Ia0a79b5dc3aa060b91d68e0d23cb1fb5b33eb020
Closes-Bug: #1741234
2018-01-11 00:42:59 -05:00
Zuul
7e148af75f Merge "OpenShift: allow scheduling on all nodes" 2018-01-08 13:48:35 +00:00
marios
dec003def8 Convert tags to when statements for Q major upgrade workflow
This converts "tags: stepN" to "when: step|int == N" for the direct
execution as an ansible playbook, with a loop variable 'step'.
The tasks all include the explicit cast |int.

This also adds a set_fact task for handling of the package removal
with the UpgradeRemovePackages parameter (no change to the interface)

The yaml-validate also now checks for duplicate 'when:' statements

Q upgrade spec @ Ibde21e6efae3a7d311bee526d63c5692c4e27b28
Related Blueprint: major-upgrade-workflow
[0]: 394a92f761/tripleo_common/utils/config.py (L141)
Change-Id: I6adc5619a28099f4e241351b63377f1e96933810
2018-01-08 13:57:47 +02:00
Michael Henkel
4b2ef6887a Removal of Contrail templates
As a preparation for the new contrail microservices current templates are
removed.

Change-Id: Iea61fefe9a147b96cf00a008bbb61a482eb95a75
Closes-Bug: 1741452
2018-01-06 15:25:09 +00:00
Zuul
4c7389fa78 Merge "IPSEC: stop relying on cloning the repository from t-h-t" 2018-01-06 12:27:48 +00:00
Jiri Stransky
cfcfed7acc OpenShift: allow scheduling on all nodes
By default OpenShift won't allow scheduling on masters. We'll want to
deploy OpenStack pods on the controllers so we need this enabled, and
we'll need this for CI too.

Change-Id: Ia4190a23c04bda52b17eac50e57da891af615ff4
2018-01-05 12:03:36 +00:00
Juan Antonio Osorio Robles
fe3be577ab IPSEC: stop relying on cloning the repository from t-h-t
Since the ansible-tripleo-ipsec package is now available and
tripleo-heat-templates relies on it, we no longer need to clone
the tripleo-ipsec repo as part of the ansible tasks.

Change-Id: I513f748abeaee6589829e1d45483db9a7e7791ea
2018-01-05 06:22:18 +00:00
Emilien Macchi
eb324768d0 puppet apply: add --summarize
... so we can know how long resource configuration takes in Puppet
catalogs, and more easily debug why we have timeouts.

Change-Id: If3fae8837140caae91120e46b4880146ffe22afc
2018-01-04 09:37:46 -08:00
Emilien Macchi
6a6872f390 Introduce OS::TripleO::Services::Rhsm
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.

Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logic
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role work.
The parameter can be overridden per role, so we can think of specific
cases where some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.

Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.

Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.

Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
2017-12-27 11:03:49 -08:00
Zuul
8809cd0ad4 Merge "Update templates alias to queens" 2017-12-23 07:20:34 +00:00
Zuul
1bf2793db8 Merge "Check for yum lock befor all yum* operations." 2017-12-20 16:25:39 +00:00
Carlos Camacho
b13728cac3 Update templates alias to queens
There are still some templates with the wrong
alias name. This patch updates them with the
correct version.

Change-Id: I43549ac98f3736029d4aaad1ead745caf40f9299
2017-12-20 10:27:23 +01:00
Ian Main
e144858927 Create flavors for undercloud
We weren't creating the default flavors for the undercloud.  Do it here!

Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: Ic0b00ab42422e8d7f1ddd750d993c7919af0823e
2017-12-19 22:17:53 +00:00
Yurii Prokulevych
bfe876e01c Check for yum lock befor all yum* operations.
A previous (failed/hanging?) yum process blocks 'yum makecache'
and 'yum check-update' operations, which leads to timeout during
minor update.

Change-Id: I461c1c722944813493f53f339054f420d6ddbe15
Related-Bug: #1704131
2017-12-19 12:01:05 +02:00
Zuul
42a07d7dc4 Merge "Fix permissions on .ssh directory." 2017-12-19 03:14:11 +00:00
Ian Main
5ada69131b Fix permissions on .ssh directory.
Typo I think.. should be 700.

Change-Id: Iaafe68328b507caff46c9d2610a72541f19b0979
2017-12-15 19:31:24 +00:00
Jiri Stransky
88bbed3d85 Add readme for experimental extraconfig/services
These services only work with the new Ansible deploy workflow, which
is currently considered experimental because it's yet to be integrated
with UI.

Change-Id: Ia3f6b62118696792c6581f08f1beb5c75742c66f
2017-12-15 15:41:23 +00:00
Flavio Percoco
8dd99ba7fd Deploy OpenShift using OOO on the overcloud
Add external_deploy_tasks for OpenShift installation. This makes
OpenShift installation work with the config download mechanism.

Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Depends-On: I9786f1a27cb7c765211dffe0ea06afd75f8e5275
Change-Id: I4c995dcfd97b5c9ccb751862ff77ab785ad0ac5b
2017-12-15 15:41:15 +00:00
Zuul
236ed65ab1 Merge "Add a tag to all the role specific parameters" 2017-12-15 06:12:01 +00:00
Ian Main
da42199dec Generate a default keypair for nova.
This was missing from the post configuration.  Need a default keypair
for CI.

Change-Id: I79ce491890e0b3b7c6ca6f27c762cf8687b1428f
2017-12-09 02:11:54 +00:00
Dan Prince
315091e8dc Add a new UndercloudHomeDir parameter
Add a parameter to control the homedir of the
Undercloud user. Useful if you don't want stackrc
and ssh creds in /root/

Change-Id: I2ad703689b600280b2c1ab1752654f2d334cb6db
Co-Authored-By: Ian Main <imain@redhat.com>
2017-12-09 02:08:29 +00:00
Saravanan KR
d0702e82b5 Add a tag to all the role specific parameters
With parameter tags, it is possible to categorize the parameters.
In this patch, all role-specific parameters of the services are
categorized as role_specific, which will help in adding validation
during the deployment (to ensure the provided role-specific
parameter is actually implemented as role-specific). This patch
adds only the tags, and the validation will be done via workflows.

Change-Id: Ic053111298e7872a3a3cd11e6249dbd85707cc29
2017-12-07 12:20:11 +05:30
Zuul
adeb5df53c Merge "Add IPSEC composable service" 2017-12-06 22:53:33 +00:00
Zuul
2f48a455bd Merge "Make Kubespray install work without --private-key too" 2017-12-06 04:07:20 +00:00
Jiri Stransky
ac6c11f7aa Make Kubespray install work without --private-key too
It seems the ansible_ssh_private_key_file variable is only defined
when --private-key parameter is passed to the main deployment Ansible
run. This is always true for deploying via tripleoclient and Mistral,
but may not be true when deploying via manual ansible-playbook
execution.

We now check whether the variable is defined before using it. If it's
not defined, user's default ssh key will be used for trying to connect
to the overcloud nodes.

Change-Id: Id04d3bab85713d644899694231dd4009a88385af
2017-12-05 18:15:29 +00:00
Zuul
410027d64f Merge "Add name property where missing" 2017-12-05 18:07:49 +00:00
Juan Antonio Osorio Robles
898ad4f54b Add IPSEC composable service
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.

bp ipsec

Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
2017-12-05 13:10:18 +00:00
James Slagle
7a3fc67559 Add name property where missing
All SoftwareDeployment resources should use the name property when using
config-download.

This also adds a validation to check that the name property is set in
yaml-validate.py

Change-Id: I621e282a2e2c041a0701da0296881c615f0bfda4
Closes-Bug: #1733586
2017-12-04 18:01:52 -05:00
Jiri Stransky
cb17631829 Don't fail Kubespray scenario if swap is enabled
We have swap enabled in CI, by default Kubespray refuses to run with
swap, and so does Kubelet. Make this behavior configurable and allow
swap in the Kubespray scenario env file. It should be fine to run with
swap for development/testing [1].

[1] https://github.com/kubernetes-incubator/kubespray/issues/1787#issuecomment-336159788

Depends-On: I7a02134970c1b1754d42c4e85ed0a2188a5ecdb6
Change-Id: I023824a31f1278b01c33ce81d4af81247dd5f672
2017-11-29 13:40:20 +01:00
Jiri Stransky
904cc3dd6d Pass private key file from parent Ansible to Kubespray
The private key file is not part of the inventory in our case, but
it's a global Ansible parameter. Make sure that we carry the same
--private-key parameter from parent Ansible run into Kubespray.

Change-Id: If6e341ee52f9d4944ee1855d3339e26b9a485dd0
2017-11-28 15:41:09 +01:00
Jiri Stransky
849a00b973 Stop creating kubectl binary on undercloud
Doing this was useful for playing with Kubespray, but it's suboptimal
for multiple reasons:

1. It gets generated into artifacts directory which we collect for CI
   logs. It has around 220 megabytes, which would be very bad for log
   collection space usage. Even if Kubespray made the location
   configurable, mistral user's external_deploy_tasks don't have
   rights to write it e.g. into /usr/local/bin, so usefulness of doing
   this at all is questionable.

2. Kubectl on the undercloud, it would ideally be preinstalled via
   RPMs rather than relying on the respective COE installers to
   produce one by fetching it from the overcloud.

Change-Id: Ia7faeb13537adfc3326302d26965439f5603c5a8
2017-11-28 14:40:37 +01:00
Jiri Stransky
2531c07dee Download Kubespray instead of git clone
We don't install git by default (at least in CI), so let's use a
tarball instead of git clone to get Kubespray sources.

Change-Id: I8321206b095effbc482779a10ff77fd18299bbdf
Depends-On: I2da025961c584cb1adc83943561b1d9faa3559b1
2017-11-28 13:21:14 +01:00
Saravanan KR
bd69b09c5a Remove unused pre_network configuration
This format of pre_network was introduced in ocata but it has been
enhanced with role-specific parameters in pike. And it was not
used in pike. It is now being removed in queens.

Change-Id: Ibe6bec3b76f4771197064bba018b196393180d2b
2017-11-27 15:21:52 +05:30
Carlos Camacho
927495fe3d Change template names to queens
The new master branch should point now to queens instead of pike.

So, HOT templates should specify that they might contain features
for queens release [1]

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens

Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
2017-11-23 10:15:32 +01:00
Emilien Macchi
b336b45102 RHEL/Update: replace wc by yum to check updates
Similar to I8bd89f2b24bafc6c991382b9eb484cfa9a2f8968,
use yum to check if updates are available during RHEL registration and
run upgrades only when there are some.

Change-Id: I42cd699d21cbec7d754edf1b8d83e75de0f2c7d9
2017-11-21 15:00:23 -08:00
Zuul
35c5e7a122 Merge "Host access fixes for Kubespray playbook run" 2017-11-21 21:16:33 +00:00
Jiri Stransky
03e8766905 Host access fixes for Kubespray playbook run
We don't do host key checking for any of our current Ansible
executions (validations, ceph-ansible, ...) so let's not do it for
Kubespray either. Having it enabled caused Kubespray to stop and ask
for confirmation, and given that the outer Ansible action wasn't
interactive, it failed.

Also we are now setting the become flag only for overcloud machines,
rather than globally on the whole ansible-playbook run. Kubespray also
accesses localhost for some task, and we won't always run it as a user
who is allowed passwordless privilege escalation (e.g. mistral user
isn't).

Change-Id: Id49b97c2b5d37f6d215132a987a53aa742b4a60f
2017-11-21 11:21:23 +01:00
Michele Baldessari
ed2b957a4f Fix all outputs|failed and outputs is defined
The ansible "failed_when" filter that uses a registered output
of a previous task piped to the '|failed' filter does not work
as expected. Given the following playbook:

  - name: return code
    shell: |
      echo "fail 2"
      exit 2
    failed_when: false
    log_when: false
    register: outputs
  - debug:
      msg: "rc: {{ outputs.rc }}"
  - debug: msg="Broken (does not fail as expected)"
    when: outputs is defined
    failed_when: outputs|failed
  - debug: msg="Working (fails as expected)"
    when: outputs is defined
    failed_when: outputs.rc != 0

We obtain the following output:

TASK [return code] ****
changed: [localhost]

TASK [debug] **********
ok: [localhost] => {
    "msg": "rc: 2"
}

TASK [debug] **********
ok: [localhost] => {
    "failed_when_result": false,
    "msg": "Broken (does not fail as expected)"
}

TASK [debug] **********
fatal: [localhost]: FAILED! => {
    "failed_when_result": true,
    "msg": "Working (fails as expected)"
}

This means that the 'outputs|failed' just does not work at all.
Let's move to a more explicit check on the rc code of the registered
variable.

We also need to fix all the "outputs is defined" checks, because
when a task is skipped the registered outputs variable *is* actually
defined as the following dictionary:
{'skip_reason': u'Conditional result was False', 'skipped': True, 'changed': False}

So we use "outputs.rc is defined" in order to make sure that the
previous task did indeed run.

Closes-Bug: #1733402

Change-Id: I6ef53dc3f9aede42f10c7f110d24722355481261
2017-11-21 08:06:41 +01:00
Zuul
38d0525a5e Merge "Clone kubespray to location accessible by the user" 2017-11-20 14:43:04 +00:00
Steven Hardy
dc621da47f Add yml extension to kubespray inventory
Since the update to ansible 2.4 this seems required to select the appropriate
inventory plugin

Change-Id: I9499dac7b13284bccd05043eb59bbba67c24fa20
2017-11-14 15:42:27 +00:00
Jiri Stransky
2af0769199 Clone kubespray to location accessible by the user
When running overcloud deployment as Mistral user, we won't have
rights to alter the undercloud content (see change
I2980c584d2f4ee5c2de3720eecfc80cc43ee1fa6). If kubespray isn't found
in /usr/share/kubespray (expected RPM content location), we now clone
it elsewhere, to directory accessible by the user which runs the
overcloud deployment.

Change-Id: I9980b41668b3c838fa978e48441929d4351d101e
2017-11-08 14:20:59 +01:00