Packages and repositories for openshift 3.7 have been created already.
I've updated the version we are installing and tested this manually.
Change-Id: Id09242b637ca2a060f068887e10981eecaa59e4a
Make sure nodes have, at least, the region and zone labels to allow for
deployments to schedule infra PODs on them.
Change-Id: If3849a46391cfac7eb5dd556d5b65c831026a95c
The first phase sets up the node-to-node tunnels at step 1; this
ensures that the corosync cluster setup is done over the tunnels
and prevents any timeouts that were happening when the setup was
done after the cluster was up. This has the added value that all
the pacemaker communication is encrypted from the beginning.
The second phase is the VIP tunnel setup, which is in step 3. This
is because we need the VIPs to be set up by pacemaker, and we also
need pacemaker to be up.
Depends-On: Ib9a134648c74e5dfcbd7a8ebd2d67bda87992497
Change-Id: Ic402dc73044e2426b097ed0eaf57a77c5e6eef24
The *-variables.conf file for tuned is hardcoded for the profile
"cpu-partitioning", which makes other profiles that also need
the isolated_cores variable fail.
Change-Id: Iaeedfe5d7c501453fd2039b81c1603eff6125ebf
This change is to update the memory channels parameter default
value in service yaml instead of environment yaml file.
Change-Id: Ia0a79b5dc3aa060b91d68e0d23cb1fb5b33eb020
Closes-Bug: #1741234
This converts "tags: stepN" to "when: step|int == N" for the direct
execution as an ansible playbook, with a loop variable 'step'.
The tasks all include the explicit cast |int.
This also adds a set_fact task for handling of the package removal
with the UpgradeRemovePackages parameter (no change to the interface)
The yaml-validate also now checks for duplicate 'when:' statements
Q upgrade spec @ Ibde21e6efae3a7d311bee526d63c5692c4e27b28
Related Blueprint: major-upgrade-workflow
[0]: 394a92f761/tripleo_common/utils/config.py (L141)
Change-Id: I6adc5619a28099f4e241351b63377f1e96933810
As a preparation for the new contrail microservices current templates are
removed.
Change-Id: Iea61fefe9a147b96cf00a008bbb61a482eb95a75
Closes-Bug: 1741452
By default OpenShift won't allow scheduling on masters. We'll want to
deploy OpenStack pods on the controllers so we need this enabled, and
we'll need this for CI too.
Change-Id: Ia4190a23c04bda52b17eac50e57da891af615ff4
Since the ansible-tripleo-ipsec package is now available and
tripleo-heat-templates relies on it, we no longer need to clone
the tripleo-ipsec repo as part of the ansible tasks.
Change-Id: I513f748abeaee6589829e1d45483db9a7e7791ea
... so we can know how long resource configuration takes in Puppet
catalogs, and more easily debug why we have timeouts.
Change-Id: If3fae8837140caae91120e46b4880146ffe22afc
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.
Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logic
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role work.
The parameter can be overridden per role, so we can think of specific
cases where some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.
Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.
Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.
Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
There are still some templates with the wrong
alias name. This patch updates them with the
correct version.
Change-Id: I43549ac98f3736029d4aaad1ead745caf40f9299
We weren't creating the default flavors for the undercloud. Do it here!
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: Ic0b00ab42422e8d7f1ddd750d993c7919af0823e
A previous (failed/hanging?) yum process blocks 'yum makecache'
and 'yum check-update' operations, which leads to timeout during
minor update.
Change-Id: I461c1c722944813493f53f339054f420d6ddbe15
Related-Bug: #1704131
These services only work with the new Ansible deploy workflow, which
is currently considered experimental because it's yet to be integrated
with UI.
Change-Id: Ia3f6b62118696792c6581f08f1beb5c75742c66f
Add external_deploy_tasks for OpenShift installation. This makes
OpenShift installation work with the config download mechanism.
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Depends-On: I9786f1a27cb7c765211dffe0ea06afd75f8e5275
Change-Id: I4c995dcfd97b5c9ccb751862ff77ab785ad0ac5b
Add a parameter to control the homedir of the
Undercloud user. Useful if you don't want stackrc
and ssh creds in /root/
Change-Id: I2ad703689b600280b2c1ab1752654f2d334cb6db
Co-Authored-By: Ian Main <imain@redhat.com>
With parameter tags, it is possible to categorize the parameters.
In this patch, all role-specific parameters of the services are
categorized as role_specific, which will help in adding validation
during the deployment (to ensure the provided role-specific
parameter is actually implemented as role-specific). This patch
adds only the tags, and the validation will be done via workflows.
Change-Id: Ic053111298e7872a3a3cd11e6249dbd85707cc29
It seems the ansible_ssh_private_key_file variable is only defined
when --private-key parameter is passed to the main deployment Ansible
run. This is always true for deploying via tripleoclient and Mistral,
but may not be true when deploying via manual ansible-playbook
execution.
We now check whether the variable is defined before using it. If it's
not defined, user's default ssh key will be used for trying to connect
to the overcloud nodes.
Change-Id: Id04d3bab85713d644899694231dd4009a88385af
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.
bp ipsec
Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
All SoftwareDeployment resources should use the name property when using
config-download.
This also adds a validation to check that the name property is set in
yaml-validate.py
Change-Id: I621e282a2e2c041a0701da0296881c615f0bfda4
Closes-Bug: #1733586
We have swap enabled in CI, by default Kubespray refuses to run with
swap, and so does Kubelet. Make this behavior configurable and allow
swap in the Kubespray scenario env file. It should be fine to run with
swap for development/testing [1].
[1] https://github.com/kubernetes-incubator/kubespray/issues/1787#issuecomment-336159788
Depends-On: I7a02134970c1b1754d42c4e85ed0a2188a5ecdb6
Change-Id: I023824a31f1278b01c33ce81d4af81247dd5f672
The private key file is not part of the inventory in our case, but
it's a global Ansible parameter. Make sure that we carry the same
--private-key parameter from parent Ansible run into Kubespray.
Change-Id: If6e341ee52f9d4944ee1855d3339e26b9a485dd0
Doing this was useful for playing with Kubespray, but it's suboptimal
for multiple reasons:
1. It gets generated into artifacts directory which we collect for CI
logs. It has around 220 megabytes, which would be very bad for log
collection space usage. Even if Kubespray made the location
configurable, mistral user's external_deploy_tasks don't have
rights to write it e.g. into /usr/local/bin, so usefulness of doing
this at all is questionable.
2. Kubectl on the undercloud, it would ideally be preinstalled via
RPMs rather than relying on the respective COE installers to
produce one by fetching it from the overcloud.
Change-Id: Ia7faeb13537adfc3326302d26965439f5603c5a8
We don't install git by default (at least in CI), so let's use a
tarball instead of git clone to get Kubespray sources.
Change-Id: I8321206b095effbc482779a10ff77fd18299bbdf
Depends-On: I2da025961c584cb1adc83943561b1d9faa3559b1
This format of pre_network was introduced in ocata but it has been
enhanced with role-specific parameters in pike. And it was not
used in pike. It is now being removed in queens.
Change-Id: Ibe6bec3b76f4771197064bba018b196393180d2b
Similar to I8bd89f2b24bafc6c991382b9eb484cfa9a2f8968,
use yum to check if updates are available during RHEL registration and
run upgrades only when there are some.
Change-Id: I42cd699d21cbec7d754edf1b8d83e75de0f2c7d9
We don't do host key checking for any of our current Ansible
executions (validations, ceph-ansible, ...) so let's not do it for
Kubespray either. Having it enabled caused Kubespray to stop and ask
for confirmation, and given that the outer Ansible action wasn't
interactive, it failed.
Also we are now setting the become flag only for overcloud machines,
rather than globally on the whole ansible-playbook run. Kubespray also
accesses localhost for some tasks, and we won't always run it as a user
who is allowed passwordless privilege escalation (e.g. mistral user
isn't).
Change-Id: Id49b97c2b5d37f6d215132a987a53aa742b4a60f
The ansible "failed_when" filter that uses a registered output
of a previous task piped to the '|failed' filter does not work
as expected. Given the following playbook:
  - name: return code
    shell: |
      echo "fail 2"
      exit 2
    failed_when: false
    log_when: false
    register: outputs
  - debug:
      msg: "rc: {{ outputs.rc }}"
  - debug: msg="Broken (does not fail as expected)"
    when: outputs is defined
    failed_when: outputs|failed
  - debug: msg="Working (fails as expected)"
    when: outputs is defined
    failed_when: outputs.rc != 0
We obtain the following output:
  TASK [return code] ****
  changed: [localhost]
  TASK [debug] **********
  ok: [localhost] => {
      "msg": "rc: 2"
  }
  TASK [debug] **********
  ok: [localhost] => {
      "failed_when_result": false,
      "msg": "Broken (does not fail as expected)"
  }
  TASK [debug] **********
  fatal: [localhost]: FAILED! => {
      "failed_when_result": true,
      "msg": "Working (fails as expected)"
  }
This means that the 'outputs|failed' just does not work at all.
Let's move to a more explicit check on the rc code of the registered
variable.
We also need to fix all the "outputs is defined" checks, because
when a task is skipped the registered outputs variable *is* actually
defined as the following dictionary:
{'skip_reason': u'Conditional result was False', 'skipped': True, 'changed': False}
So we use "outputs.rc is defined" in order to make sure that the
previous task did indeed run.
Closes-Bug: #1733402
Change-Id: I6ef53dc3f9aede42f10c7f110d24722355481261
When running overcloud deployment as Mistral user, we won't have
rights to alter the undercloud content (see change
I2980c584d2f4ee5c2de3720eecfc80cc43ee1fa6). If kubespray isn't found
in /usr/share/kubespray (expected RPM content location), we now clone
it elsewhere, to a directory accessible by the user which runs the
overcloud deployment.
Change-Id: I9980b41668b3c838fa978e48441929d4351d101e