During the initial deployment, a one-time container is used to bootstrap the
mysql database on disk, create the required users and set their password. The
script that runs that is too verbose and logs some credentials in the
container's logs and in the journal.
Use kolla_extend_start directly instead of kolla_start to stop tracing shell
commands and reduce logging to the bare minimum for troubleshooting.
Closes-Bug: #1765339
Change-Id: I90827feff0d1b9fd8badb72e68e4c8dd8db8aea5
We now enforce TLS1.1 or higher for httpd connections, to meet the
requirements for FedRAMP.
Change-Id: If875822f1cb705d17405621e64fea2536edc142a
Related-Bug: #1754368
Removes hardcoded references to the Ceph container image to use
in CI to rely on (and test) the tripleoclient default.
Change-Id: I7f028e31eb5e993aa6af9b7f2c19f64ed45224dd
Walk through services' templates role_data to identify
missing hiera interpolation of networks.
Use additionally provided interfaces for validations:
* search in dicts by keys or values matching some regex,
entering into lists as an option;
* safe get values by the discovered paths casted as lists,
like get_param/get_attr works for heat templates.
Add PyYAML missing to the requirements.txt.
Closes-bug: #1764315
Change-Id: Idef66ee96cbd67d23760a1cce9537ecc157c3429
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Presently ovn-controller container is started with "-v /run/openvswitch:/run/openvswitch".
The openvswitch systemd script deletes the /run/openvswitch folder when stopping it in the host.
/run/openvswitch path inside the ovn-controller container becomes a stale directory.
And when the service is started again, it creates the folder again. In order for ovn-controller
to access again, the folder has to be remounted or the ovn-controller container should be
restarted.
As a temporary fix, this patch mounts /run so that when /run/openvswitch is created again, it will
get reflected inside the ovn-controller container. The proper fix has to come from openvswitch
systemd script to not delete /run/openvswitch when stopping the service. This is presently
discussed in OVS mailing list [1], but no proper solution has been arrived at yet.
[1] - https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/345589.html
Closes-bug: #1764745
Change-Id: I032571cec49537cac972ebbbb44733ea17c299fa
FluentdClient service has been renamed
into Fluentd [0] for queens. This patch
handles the disabling of the old FluentdClient
service.
[0] Idb9886f04d56ffc75a78c4059ff319b58b4acf9f
Change-Id: I085973f3d23fd78c16cba94a91692421956b301b
Closes-Bug: #1746493
The mod_ssl release note was in the wrong place. Moving it so it can be
with its friends in releasenotes/notes
Change-Id: I33d6a2354f26e5571501d5810ac20bb9c0101634
Indentation for a few lines is corrected and
correct path for config file is updated. data
folder is deleted during update/upgrade. Set
correct permissions (42462:42462) for
genius-mdsalutil-config.xml. 42462 comes from
kolla and is id for odl user inside the container.
Closes-Bug: 1764603
Change-Id: Ie343cd4cab7cc009b1940a98fa73b1ac15b3b56d
Uses external_deploy_tasks instead of workflow_tasks for the
deployment of Ceph, via ceph-ansible.
Initially, external_deploy_tasks are added alongside workflow_tasks so
that CI will pass. Once CI is updated to use config-download for these
jobs, we will remove the workflow_tasks.
Co-Authored-By: James Slagle <jslagle@redhat.com>
Co-Authored-By: John Fulton <fulton@redhat.com>
Implements: blueprint ceph-ansible-external-deploy-tasks
Change-Id: I4b88e97c38ff394023a92bec5631b3cd0f6e293e
Adds an optional environment that can be used to disable workflow_tasks
by mapping OS::Mistral resources to None. This environment can be used
by CI so that the updated ceph jobs
(I757be222143e41392b474d6b20c7a7b7df4537de) can be converted to
external_deploy_tasks, but the existing workflow_tasks can be
temporarily disabled until they are removed from the templates.
Change-Id: Ib39313712ea03e5562e7b19875c178e9c8dfef54
It's disabled by default, and will be an option to use if we decide to
enable Swift volume encryption for the undercloud.
Change-Id: I9c5e07a2eb764168670d5de7bdeb4b6362f9bfb5
The log file for nova-metadata service is not configured for fluentd.
This patch adds the configuration.
Change-Id: Idb174705f39ea91062f0a9c06c101a3f1a3ae73a
This consolidates the upgrade and ffwd-upgrade related env files,
removing no longer relevant files (like converge vs converge-docker).
In line with recent/ongoing work in tripleoclient [1][2] we now have
cli: overcloud [upgrade|update|ffwd-upgrade] [prepare|run|converge]
With this patch we can also change the set/unset of resource 'noop'
and move it from tripleo-common to python-tripleoclient, like I am
pointing at in related client review below. If others agree then I
will do the same with the upgrade-prepare and also the ffwd cli
in [3], i.e. add explicit inclusion of the upgrade-prepare.yaml
and then similarly include the upgrade-converge.yaml for the
upgrade/ffwd-upgrade converge cli.
Related:
I1288fe68ae8af02a5d77390d237ec467d88e43d2 python-tripleoclient
[1] 96ffa3a325
[2] https://review.openstack.org/#/c/558536/5/tripleoclient/v1/overcloud_update.py
[3] https://review.openstack.org/#/c/557937/4/tripleoclient/v1/overcloud_ffwd_upgrade.py@72
Change-Id: Icfe494e3219d6d6cd3251f75bb4329fc4d793c3c
After [1] iptables rules are not set for memcached service
thus services relying on memcached were not functioning well.
With [2] it's required to use hiera interpolation for service
configs, this patch fixes it for memcached_network.
[1] https://review.openstack.org/#/c/551292
[2] https://review.openstack.org/#/c/526692
Related-Bug: #1757556
Closes-Bug: #1763009
Change-Id: If9b274192ea4738f455a6106ff1a62eb4e7a5c91
no-tls-endpoints-public-ip.yaml is a new file that needs to be validated
among other TLS environments, so we can make sure that EndpointMap will
be constructed correctly with all needed endpoints.
Change-Id: I5e83b37d8fa757065a6dab87d6eeac1c345efd32
Ansible yum module installs all packages available in the repo
if you use asterisk. We instead will use yum -y update name*.
Change-Id: I8e71367ae91faa06313711c6a954c61af705fd8f
Resolves: rhbz#1549845
Some container yaml files do not get the
service_config_settings from the base file.
This patch makes the following docker yaml files get
the service_config_settings:
docker/services/neutron-l3.yaml
docker/services/neutron-metadata.yaml
docker/services/neutron-ovs-agent.yaml
Related-Bug: #1757066
Change-Id: Ifc8def10da0b10decd12efaab4452ff46f3c685b