[baremetal] MaaS: Enable HTTP proxy 57/49157/10
authorAlexandru Avadanii <Alexandru.Avadanii@enea.com>
Sun, 17 Dec 2017 18:34:18 +0000 (19:34 +0100)
committerAlexandru Avadanii <Alexandru.Avadanii@enea.com>
Mon, 1 Jan 2018 18:21:14 +0000 (18:21 +0000)
Instead of using NAT on the mas01 node for all cluster node outgoing
traffic, use the MaaS built-in proxy for APT traffic to leverage its
caching capabilities too.
Also enable the proxy for salt minions, so they can access public
keyservers et al.
Cleanup public DNS from kvm nodes, interferes with MaaS proxy.

Add example config for global env proxy, but don't enable it:
- default environment settings - /etc/environment (via reclass);

The MaaS proxy will not be used (at least for now) on nodes:
- cfg01;
- mas01;

NOTE: We can't yet drop the maas.pxe_nat state completely, as certain
Openstack services are still accessed via public addresses from ctl
nodes.

JIRA: FUEL-317
JIRA: FUEL-318

Change-Id: I6c5f6872bb94afb838580571080e808bc262fc68
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
mcp/config/states/baremetal_init
mcp/config/states/virtual_control_plane
mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/include/proxy.yml [new file with mode: 0644]
mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm_pdf.yml.j2
mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/maas.yml
mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_interface_vcp_biport.yml
mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_interface_vcp_triport.yml
mcp/salt-formulas/opendaylight/server.sls

index a8bb3b9..eeb0818 100755 (executable)
@@ -24,11 +24,13 @@ salt -C 'kvm* or cmp*' file.replace $debian_ip_source \
 
 salt -C 'kvm*' pkg.install bridge-utils
 salt -C 'kvm*' state.apply linux.network
+salt -C 'kvm* or cmp*' state.apply salt.minion
+salt -C 'kvm* or cmp*' service.force_reload salt-minion
 salt -C 'cmp*' state.apply linux.system
 salt -C 'cmp*' state.apply linux.network || true
 salt -C 'kvm* or cmp*' system.reboot
 wait_for 90 "! salt -C 'kvm* or cmp*' test.ping | " \
   "tee /dev/stderr | grep -Fq 'Not connected'"
 
-salt -C 'kvm* or cmp*' state.apply linux,ntp,salt.minion
+salt -C 'kvm* or cmp*' state.apply linux,ntp
 salt -C 'kvm* or cmp*' pkg.upgrade refresh=False
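Review bot: The added `service.force_reload salt-minion` is sent through the very minions it reloads, and the next line (`state.apply linux.system` on `cmp*`) runs immediately, so it can race a minion that is still reconnecting. The equivalent call in virtual_control_plane is wrapped in `wait_for 10`; doing the same here, or following the reload with `wait_for 10 "salt -C 'kvm* or cmp*' test.ping"`, would keep a lost response from leaving a node without the proxy setting unnoticed. Whether a failed call aborts the script depends on shell options set outside this hunk.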
index cabe44a..c7768f7 100755 (executable)
@@ -50,7 +50,17 @@ while [ $rc -ne 0 ] && [ ${attempt} -lt ${total_attempts} ]; do
 done
 
 wait_for 10 "salt -C '* and not cfg01* and not mas01*' saltutil.sync_all"
+
+# Propagate APT proxy config created by curtin on baremetal nodes to VCP VMs
+APT_CONF_D_CURTIN='/etc/apt/apt.conf.d/90curtin-aptproxy'
+salt -C 'kvm01*' cp.push "${APT_CONF_D_CURTIN}"
+cd /srv/salt/env/prd/maas/files && ln -sf \
+  /var/cache/salt/master/minions/kvm01.*/files/${APT_CONF_D_CURTIN}
+salt -C 'E@^(?!cfg01|mas01|kvm|cmp00).*' cp.get_file \
+  "salt://maas/files/$(basename "${APT_CONF_D_CURTIN}")" "${APT_CONF_D_CURTIN}"
+
 wait_for 10 "salt -C 'E@^(?!cfg01|mas01|kvm|cmp00).*' state.apply salt"
+wait_for 10 "salt -C 'E@^(?!cfg01|mas01|kvm|cmp00).*' service.force_reload salt-minion"
 wait_for 10 "! salt -C 'E@^(?!cfg01|mas01|kvm|cmp00).*' state.apply linux,ntp | " \
   "tee /dev/stderr | grep -Eq '(Not connected|No response)'"
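Review bot: The `cd ... && ln -sf` step relies on an unquoted glob (`kvm01.*`) matching exactly one cached minion directory, and nothing checks that `cp.push` actually delivered the file. With no match the link dangles, and with two matches `ln -sf a b` would overwrite the second pushed copy with a link instead of linking into the file root. The `cd` also changes the working directory for everything that follows in the script. Since this file is then copied to every VCP VM and decides which proxy their APT traffic goes through, I would resolve the path explicitly and stop on anything other than a single non-empty file. `cp.push` also needs `file_recv` enabled on the master, which deserves a mention in the comment. The sketch below assumes the script runs under bash.

```shell
APT_CONF_D_CURTIN='/etc/apt/apt.conf.d/90curtin-aptproxy'
salt -C 'kvm01*' cp.push "${APT_CONF_D_CURTIN}"
# Resolve the pushed copy explicitly; refuse to go on with zero or several matches
pushed=(/var/cache/salt/master/minions/kvm01.*/files"${APT_CONF_D_CURTIN}")
if [ "${#pushed[@]}" -ne 1 ] || [ ! -s "${pushed[0]}" ]; then
  echo "APT proxy config was not pushed by exactly one kvm01 minion" >&2
  exit 1
fi
# Link into the file root without changing the script's working directory
ln -sf "${pushed[0]}" /srv/salt/env/prd/maas/files/
# … unchanged: cp.get_file distribution to the VCP VMs …
```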
 
diff --git a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/include/proxy.yml b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/include/proxy.yml
new file mode 100644 (file)
index 0000000..5d74758
--- /dev/null
@@ -0,0 +1,23 @@
+##############################################################################
+# Copyright (c) 2017 Mirantis Inc., Enea AB and others.
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+parameters:
+  # NOTE: Apt proxy is set by curtin, Salt minion proxy is configured below,
+  # only enable proxy via /etc/environment if you need it for smth else
+  # linux:
+  #   system:
+  #     env:
+  #       http_proxy: http://${_param:infra_maas_node01_deploy_address}:8000
+  #       https_proxy: http://${_param:infra_maas_node01_deploy_address}:8000
+  #       no_proxy:
+  #         - .local
+  salt:
+    minion:
+      proxy:
+        host: ${_param:infra_maas_node01_deploy_address}
+        port: 8000
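Review bot: The commented-out `/etc/environment` example lists only `.local` under `no_proxy`, so anyone who enables it as written would send requests for cluster-internal addresses through the MaaS proxy on mas01 as well. The commit message notes that some OpenStack services are still reached via public addresses from ctl nodes, which makes that easy to miss. I would extend the NOTE with a line such as `# Before enabling, add cluster-internal domains and addresses to no_proxy`, and spell out `smth` as `something`. The proxy URL in the example is plain `http://` on port 8000; a short comment saying that this is the MaaS built-in proxy and is expected to be reachable only from the deploy network would help the next reader.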
index c3d9b14..dcd78a2 100644 (file)
@@ -22,6 +22,7 @@ classes:
   # - system.salt.control.cluster.stacklight_log_cluster
   # - system.salt.control.cluster.stacklight_telemetry_cluster
   - cluster.baremetal-mcp-pike-common-ha.infra.kvm_pdf
+  - cluster.baremetal-mcp-pike-common-ha.include.proxy
 parameters:
   _param:
     linux_system_codename: xenial
index d14f905..b7f6b7c 100644 (file)
@@ -76,7 +76,6 @@ parameters:
           enabled: true
           proto: dhcp
           type: bridge
-          name_servers: ${_param:opnfv_name_servers}
           use_interfaces:
             - {{ nic_admin }}{% if vlan_admin and vlan_admin != 'native' %}.{{ vlan_admin }}{% endif %}
           noifupdown: true
index 6332776..7a37fe7 100644 (file)
@@ -33,6 +33,7 @@ parameters:
         default_distro_series: 'xenial'
         default_osystem: 'ubuntu'
         default_storage_layout: 'lvm'
+        enable_http_proxy: true
         disk_erase_with_secure_erase: false
         dnssec_validation: 'no'
         enable_third_party_drivers: true
index 5c077d5..60a01a8 100644 (file)
@@ -18,6 +18,7 @@ classes:
   - system.cinder.volume.backend.lvm
   - system.ceilometer.agent.cluster
   - cluster.baremetal-mcp-pike-common-ha.openstack_compute_pdf
+  - cluster.baremetal-mcp-pike-common-ha.include.proxy
 parameters:
   _param:
     cluster_vip_address: ${_param:openstack_control_address}
index 3c7f3e2..f5a4ad0 100644 (file)
@@ -6,6 +6,8 @@
 # http://www.apache.org/licenses/LICENSE-2.0
 ##############################################################################
 ---
+classes:
+  - cluster.baremetal-mcp-pike-common-ha.include.proxy
 parameters:
   _param:
     dhcp_nic: ${_param:opnfv_vcp_vm_primary_interface}
index 9068cc0..146e545 100644 (file)
@@ -6,6 +6,8 @@
 # http://www.apache.org/licenses/LICENSE-2.0
 ##############################################################################
 ---
+classes:
+  - cluster.baremetal-mcp-pike-common-ha.include.proxy
 parameters:
   _param:
     dhcp_nic: ${_param:opnfv_vcp_vm_primary_interface}
index 5de4eee..30c337c 100644 (file)
 
 opendaylight_repo:
   pkgrepo.managed:
-  - ppa: {{ server.repo }}
+  # NOTE(armband): PPA handling behind proxy broken, define it explicitly
+  # https://github.com/saltstack/salt/pull/45224
+  # - ppa: {{ server.repo }}
+  - human_name: opendaylight-ppa
+  - name: deb http://ppa.launchpad.net/odl-team/nitrogen/ubuntu xenial main
+  - file: /etc/apt/sources.list.d/odl-team-ubuntu-nitrogen-xenial.list
+  - keyid: 49B07274951063870A8B7EAE7B8AA1A344C05248
+  - keyserver: keyserver.ubuntu.com
 
 opendaylight:
   pkg.installed:
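Review bot: The explicit repo definition hard-codes `odl-team/nitrogen` and `xenial` in both `name` and `file`, so the pillar value `server.repo` is now silently ignored. A deployment that overrides it would still get the nitrogen PPA. A comment next to the workaround would make that visible, for example `# NOTE: server.repo is ignored while this workaround is in place; update name/file when the ODL release or distro changes`. The source is fetched over plain `http://` and through the MaaS proxy, so package authenticity rests on the pinned key. Keeping `keyid` as the full 40-character fingerprint, as done here, is the right choice and should not be shortened later. The `opendaylight` state body continues outside this hunk.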