From: Jenkins Date: Wed, 12 Apr 2017 20:09:14 +0000 (+0000) Subject: Merge "Update Dell EMC Cinder back end services" X-Git-Tag: opnfv-6.0.0~781 X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=3e8b6289d708a858baa8460867926f871ab49ec0;hp=5fb637c611c3c8c4daf8e8d2f06d5579b9ef34fd;p=apex-tripleo-heat-templates.git Merge "Update Dell EMC Cinder back end services" --- diff --git a/README.rst b/README.rst index 51a21f6b..4eed715e 100644 --- a/README.rst +++ b/README.rst @@ -76,6 +76,8 @@ and should be executed according to the following table: +----------------+-------------+-------------+-------------+-------------+-----------------+ | neutron | ovs | ovs | ovs | ovs | X | +----------------+-------------+-------------+-------------+-------------+-----------------+ +| neutron-bgpvpn | | | | X | | ++----------------+-------------+-------------+-------------+-------------+-----------------+ | rabbitmq | X | X | X | X | X | +----------------+-------------+-------------+-------------+-------------+-----------------+ | mongodb | X | X | | | | diff --git a/capabilities-map.yaml b/capabilities-map.yaml index 947ba8b6..0af0e822 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -552,7 +552,7 @@ topics: description: Enable monitoring agents environments: - file: environments/monitoring-environment.yaml - title: enable monitoring agents + title: Enable monitoring agents description: requires: - overcloud-resource-registry-puppet.yaml @@ -564,6 +564,14 @@ topics: description: requires: - overcloud-resource-registry-puppet.yaml + - title: Performance monitoring + description: Enable performance monitoring agents + environments: + - file: environments/collectd-environment.yaml + title: Enable performance monitoring agents + description: + requires: + - overcloud-resource-registry-puppet.yaml - title: Security Options description: Security Hardening Options diff --git a/ci/environments/scenario004-multinode.yaml b/ci/environments/scenario004-multinode.yaml index dc05ab4e..7428d426 100644 --- a/ci/environments/scenario004-multinode.yaml +++ b/ci/environments/scenario004-multinode.yaml @@ -12,6 +12,7 @@ resource_registry: OS::TripleO::Services::ManilaScheduler: ../../puppet/services/manila-scheduler.yaml OS::TripleO::Services::ManilaShare: ../../puppet/services/pacemaker/manila-share.yaml OS::TripleO::Services::ManilaBackendCephFs: ../../puppet/services/manila-backend-cephfs.yaml + OS::TripleO::Services::NeutronBgpVpnApi: ../../puppet/services/neutron-bgpvpn-api.yaml # These enable Pacemaker OS::TripleO::Tasks::ControllerPrePuppet: ../../extraconfig/tasks/pre_puppet_pacemaker.yaml OS::TripleO::Tasks::ControllerPostPuppet: ../../extraconfig/tasks/post_puppet_pacemaker.yaml @@ -39,6 +40,7 @@ parameter_defaults: - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::NeutronBgpVpnApi - OS::TripleO::Services::NeutronDhcpAgent - OS::TripleO::Services::NeutronL3Agent - OS::TripleO::Services::NeutronMetadataAgent @@ -83,3 +85,5 @@ parameter_defaults: CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ==' CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw==' SwiftCeilometerPipelineEnabled: false + NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin' + BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default' diff --git a/deployed-server/README.rst b/deployed-server/README.rst index e4d8299b..8638818b 100644 --- a/deployed-server/README.rst +++ b/deployed-server/README.rst @@ -67,11 +67,11 @@ example: parameter_defaults: ControlPlaneDefaultRoute: 192.168.122.130 ControlPlaneSubnetCidr: "24" - EC2MetadataIp: "192.0.2.1" + EC2MetadataIp: "192.168.24.1" In this example, 192.168.122.130 is the external management IP of an undercloud, thus it is the default route for the configured local_ip value of -192.0.2.1. +192.168.24.1. os-collect-config diff --git a/deployed-server/deployed-server.yaml b/deployed-server/deployed-server.yaml index 1e8afb25..afdb5d0c 100644 --- a/deployed-server/deployed-server.yaml +++ b/deployed-server/deployed-server.yaml @@ -81,6 +81,7 @@ resources: InstanceIdDeployment: type: OS::Heat::StructuredDeployment properties: + name: InstanceIdDeployment config: {get_resource: InstanceIdConfig} server: {get_resource: deployed-server} depends_on: UpgradeInitDeployment @@ -103,6 +104,7 @@ resources: HostsEntryDeployment: type: OS::Heat::SoftwareDeployment properties: + name: HostsEntryDeployment config: {get_resource: HostsEntryConfig} server: {get_resource: deployed-server} diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index c364d039..5c68b08d 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -202,6 +202,12 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro', '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw', '--volume', 'tripleo_logs:/var/log/tripleo/', + # OpenSSL trusted CA injection + '--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', + '--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro', + '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', + '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', + # script injection '--volume', '%s:%s:rw' % (sh_script, sh_script) ] for volume in volumes: diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml index 08f4b56b..659785aa 100644 --- a/docker/services/gnocchi-api.yaml +++ b/docker/services/gnocchi-api.yaml @@ -96,3 +96,7 @@ outputs: - /etc/localtime:/etc/localtime:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable httpd service + tags: step2 + service: name=httpd state=stopped enabled=no diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml index 6b41eaa3..78494d66 100644 --- a/docker/services/gnocchi-metricd.yaml +++ b/docker/services/gnocchi-metricd.yaml @@ -71,3 +71,7 @@ outputs: - /etc/localtime:/etc/localtime:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable openstack-gnocchi-metricd service + tags: step2 + service: name=openstack-gnocchi-metricd.service state=stopped enabled=no diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml index 93b616c4..7f439846 100644 --- a/docker/services/gnocchi-statsd.yaml +++ b/docker/services/gnocchi-statsd.yaml @@ -71,3 +71,7 @@ outputs: - /etc/localtime:/etc/localtime:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable openstack-gnocchi-statsd service + tags: step2 + service: name=openstack-gnocchi-statsd.service state=stopped enabled=no diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 90ddeb9f..526a357b 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -36,6 +36,9 @@ parameters: default: 'fernet' constraints: - allowed_values: ['uuid', 'fernet'] + EnableInternalTLS: + type: boolean + default: false resources: @@ -46,6 +49,10 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + outputs: role_data: description: Role data for the Keystone API role. @@ -96,6 +103,16 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_BOOTSTRAP=True - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index 4cd48b75..97fafb09 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -50,7 +50,10 @@ outputs: - get_attr: [NovaApiBase, role_data, config_settings] - apache::default_vhost: false step_config: &step_config - get_attr: [NovaApiBase, role_data, step_config] + list_join: + - "\n" + - - "['Nova_cell_v2'].each |String $val| { noop_resource($val) }" + - {get_attr: [NovaApiBase, role_data, step_config]} service_config_settings: {get_attr: [NovaApiBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml index 21aff31a..1160031f 100644 --- a/docker/services/zaqar.yaml +++ b/docker/services/zaqar.yaml @@ -56,7 +56,7 @@ outputs: - [ {get_param: DockerNamespace}, {get_param: DockerZaqarImage} ] kolla_config: /var/lib/kolla/config_files/zaqar.json: - command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf + command: /usr/sbin/httpd -DFOREGROUND /var/lib/kolla/config_files/zaqar_websocket.json: command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf docker_config: @@ -66,9 +66,13 @@ outputs: net: host privileged: false restart: always + # NOTE(mandre) kolla image changes the user to 'zaqar', we need it + # to be root to run httpd + user: root volumes: - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro + - /var/lib/config-data/zaqar/etc/httpd:/etc/httpd/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: @@ -88,5 +92,4 @@ outputs: upgrade_tasks: - name: Stop and disable zaqar service tags: step2 - service: name=openstack-zaqar.service state=stopped enabled=no - + service: name=httpd state=stopped enabled=no diff --git a/environments/contrail/contrail-net.yaml b/environments/contrail/contrail-net.yaml index 1e64f91d..cca9beac 100644 --- a/environments/contrail/contrail-net.yaml +++ b/environments/contrail/contrail-net.yaml @@ -8,7 +8,7 @@ resource_registry: parameter_defaults: ControlPlaneSubnetCidr: '24' - ControlPlaneDefaultRoute: 192.0.2.254 + ControlPlaneDefaultRoute: 192.168.24.254 InternalApiNetCidr: 10.0.0.0/24 InternalApiAllocationPools: [{'start': '10.0.0.10', 'end': '10.0.0.200'}] InternalApiDefaultRoute: 10.0.0.1 @@ -17,7 +17,7 @@ parameter_defaults: ManagementInterfaceDefaultRoute: 10.1.0.1 ExternalNetCidr: 10.2.0.0/24 ExternalAllocationPools: [{'start': '10.2.0.10', 'end': '10.2.0.200'}] - EC2MetadataIp: 192.0.2.1 # Generally the IP of the Undercloud + EC2MetadataIp: 192.168.24.1 # Generally the IP of the Undercloud DnsServers: ["8.8.8.8","8.8.4.4"] VrouterPhysicalInterface: eth1 VrouterGateway: 10.0.0.1 diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml new file mode 100644 index 00000000..ec39951b --- /dev/null +++ b/environments/docker-services-tls-everywhere.yaml @@ -0,0 +1,28 @@ +# This environment contains the services that can work with TLS-everywhere. +resource_registry: + # This can be used when you don't want to run puppet on the host, + # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker + # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml + OS::TripleO::Services::Docker: ../puppet/services/docker.yaml + # The compute node still needs extra initialization steps + OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml + + # NOTE: add roles to be docker enabled as we support them. + OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml + + OS::TripleO::PostDeploySteps: ../docker/post.yaml + OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml + + OS::TripleO::Services: ../docker/services/services.yaml + +parameter_defaults: + # Defaults to 'tripleoupstream'. Specify a local docker registry + # Example: 192.168.24.1:8787/tripleoupstream + DockerNamespace: tripleoupstream + DockerNamespaceIsRegistry: false + + ComputeServices: + - OS::TripleO::Services::NovaCompute + - OS::TripleO::Services::NovaLibvirt + - OS::TripleO::Services::ComputeNeutronOvsAgent + - OS::TripleO::Services::Docker diff --git a/environments/external-loadbalancer-vip-v6.yaml b/environments/external-loadbalancer-vip-v6.yaml index fbd1fb98..bd455175 100644 --- a/environments/external-loadbalancer-vip-v6.yaml +++ b/environments/external-loadbalancer-vip-v6.yaml @@ -13,7 +13,7 @@ parameter_defaults: # to control your VIPs (currently one per network) # NOTE: we will eventually move to one VIP per service # - ControlFixedIPs: [{'ip_address':'192.0.2.251'}] + ControlFixedIPs: [{'ip_address':'192.168.24.251'}] PublicVirtualFixedIPs: [{'ip_address':'2001:db8:fd00:1000:0000:0000:0000:0005'}] InternalApiVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:2000:0000:0000:0000:0005'}] StorageVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:3000:0000:0000:0000:0005'}] diff --git a/environments/external-loadbalancer-vip.yaml b/environments/external-loadbalancer-vip.yaml index 1759c04c..dec9b835 100644 --- a/environments/external-loadbalancer-vip.yaml +++ b/environments/external-loadbalancer-vip.yaml @@ -12,7 +12,7 @@ parameter_defaults: # to control your VIPs (currently one per network) # NOTE: we will eventually move to one VIP per service # - ControlFixedIPs: [{'ip_address':'192.0.2.251'}] + ControlFixedIPs: [{'ip_address':'192.168.24.251'}] PublicVirtualFixedIPs: [{'ip_address':'10.0.0.251'}] InternalApiVirtualFixedIPs: [{'ip_address':'172.16.2.251'}] StorageVirtualFixedIPs: [{'ip_address':'172.16.1.251'}] diff --git a/environments/logging-environment.yaml b/environments/logging-environment.yaml index c583ca79..ae8bd7b9 100644 --- a/environments/logging-environment.yaml +++ b/environments/logging-environment.yaml @@ -18,7 +18,7 @@ resource_registry: ## (note the use of port 24284 for ssl connections) # # LoggingServers: -# - host: 192.0.2.11 +# - host: 192.168.24.11 # port: 24284 # LoggingUsesSSL: true # LoggingSharedKey: secret diff --git a/environments/network-environment.yaml b/environments/network-environment.yaml index 210b6b03..3de5dba5 100644 --- a/environments/network-environment.yaml +++ b/environments/network-environment.yaml @@ -18,8 +18,8 @@ parameter_defaults: # CIDR subnet mask length for provisioning network ControlPlaneSubnetCidr: '24' # Gateway router for the provisioning network (or Undercloud IP) - ControlPlaneDefaultRoute: 192.0.2.254 - EC2MetadataIp: 192.0.2.1 # Generally the IP of the Undercloud + ControlPlaneDefaultRoute: 192.168.24.254 + EC2MetadataIp: 192.168.24.1 # Generally the IP of the Undercloud # Customize the IP subnets to match the local environment InternalApiNetCidr: 172.17.0.0/24 StorageNetCidr: 172.18.0.0/24 diff --git a/environments/neutron-bgpvpn.yaml b/environments/neutron-bgpvpn.yaml index 58157dfa..2a632480 100644 --- a/environments/neutron-bgpvpn.yaml +++ b/environments/neutron-bgpvpn.yaml @@ -12,5 +12,5 @@ resource_registry: OS::TripleO::Services::NeutronBgpVpnApi: ../puppet/services/neutron-bgpvpn-api.yaml parameter_defaults: - NeutronServicePlugins: 'networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin' + NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin' BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default' diff --git a/environments/neutron-ml2-cisco-n1kv.yaml b/environments/neutron-ml2-cisco-n1kv.yaml index 651e9564..8d46e1ca 100644 --- a/environments/neutron-ml2-cisco-n1kv.yaml +++ b/environments/neutron-ml2-cisco-n1kv.yaml @@ -5,7 +5,7 @@ resource_registry: OS::TripleO::ComputeExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml parameter_defaults: - N1000vVSMIP: '192.0.2.50' - N1000vMgmtGatewayIP: '192.0.2.1' + N1000vVSMIP: '192.168.24.50' + N1000vMgmtGatewayIP: '192.168.24.1' N1000vVSMDomainID: '100' N1000vVSMHostMgmtIntf: 'br-ex' diff --git a/environments/services/keystone_domain_specific_ldap_backend.yaml b/environments/services/keystone_domain_specific_ldap_backend.yaml index 40b02fc5..3cc9c7b7 100644 --- a/environments/services/keystone_domain_specific_ldap_backend.yaml +++ b/environments/services/keystone_domain_specific_ldap_backend.yaml @@ -5,7 +5,7 @@ parameter_defaults: KeystoneLDAPDomainEnable: true KeystoneLDAPBackendConfigs: tripleoldap: - url: ldap://192.0.2.250 + url: ldap://192.168.24.251 user: cn=openstack,ou=Users,dc=tripleo,dc=example,dc=com password: Secrete suffix: dc=tripleo,dc=example,dc=com diff --git a/environments/updates/update-from-192_0_2-subnet.yaml b/environments/updates/update-from-192_0_2-subnet.yaml new file mode 100644 index 00000000..1813e7be --- /dev/null +++ b/environments/updates/update-from-192_0_2-subnet.yaml @@ -0,0 +1,3 @@ +parameter_defaults: + ControlPlaneDefaultRoute: 192.0.2.1 + EC2MetadataIp: 192.0.2.1 diff --git a/extraconfig/nova_metadata/krb-service-principals.yaml b/extraconfig/nova_metadata/krb-service-principals.yaml index c66e6460..56d3cbc0 100644 --- a/extraconfig/nova_metadata/krb-service-principals.yaml +++ b/extraconfig/nova_metadata/krb-service-principals.yaml @@ -46,7 +46,7 @@ resources: # Filter null values and values that contain don't contain # 'metadata_settings', get the values from that key and get the # unique ones. - expression: list($.data.where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct()) + expression: list(coalesce($.data, []).where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct()) data: {get_param: RoleData} # Generates entries for nova metadata with the following format: @@ -57,7 +57,7 @@ resources: properties: value: yaql: - expression: let(fqdns => $.data.fqdns) -> dict($.data.metadata.where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))])) + expression: let(fqdns => $.data.fqdns) -> dict(coalesce($.data.metadata, []).where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))])) data: metadata: {get_attr: [IncomingMetadataSettings, value]} fqdns: @@ -72,7 +72,7 @@ resources: properties: value: yaql: - expression: dict($.data.where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1])) + expression: dict(coalesce($.data, []).where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1])) data: {get_attr: [IncomingMetadataSettings, value]} outputs: diff --git a/extraconfig/tasks/swift-ring-deploy.yaml b/extraconfig/tasks/swift-ring-deploy.yaml deleted file mode 100644 index d17f78ae..00000000 --- a/extraconfig/tasks/swift-ring-deploy.yaml +++ /dev/null @@ -1,31 +0,0 @@ -heat_template_version: ocata - -parameters: - servers: - type: json - SwiftRingGetTempurl: - default: '' - description: A temporary Swift URL to download rings from. - type: string - -resources: - SwiftRingDeployConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - inputs: - - name: swift_ring_get_tempurl - config: | - #!/bin/sh - pushd / - curl --insecure --silent "${swift_ring_get_tempurl}" | tar xz || true - popd - - SwiftRingDeploy: - type: OS::Heat::SoftwareDeployments - properties: - name: SwiftRingDeploy - config: {get_resource: SwiftRingDeployConfig} - servers: {get_param: servers} - input_values: - swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl} diff --git a/extraconfig/tasks/swift-ring-update.yaml b/extraconfig/tasks/swift-ring-update.yaml deleted file mode 100644 index 440c6883..00000000 --- a/extraconfig/tasks/swift-ring-update.yaml +++ /dev/null @@ -1,42 +0,0 @@ -heat_template_version: ocata - -parameters: - servers: - type: json - SwiftRingPutTempurl: - default: '' - description: A temporary Swift URL to upload rings to. - type: string - -resources: - SwiftRingUpdateConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - inputs: - - name: swift_ring_put_tempurl - config: | - #!/bin/sh - TMP_DATA=$(mktemp -d) - function cleanup { - rm -Rf "$TMP_DATA" - } - trap cleanup EXIT - # sanity check in case rings are not consistent within cluster - swift-recon --md5 | grep -q "doesn't match" && exit 1 - pushd ${TMP_DATA} - tar -cvzf swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/* - resp=`curl --insecure --silent -X PUT "${swift_ring_put_tempurl}" --write-out "%{http_code}" --data-binary @swift-rings.tar.gz` - popd - if [ "$resp" != "201" ]; then - exit 1 - fi - - SwiftRingUpdate: - type: OS::Heat::SoftwareDeployments - properties: - name: SwiftRingUpdate - config: {get_resource: SwiftRingUpdateConfig} - servers: {get_param: servers} - input_values: - swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl} diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh index ad368278..20a5b658 100755 --- a/extraconfig/tasks/yum_update.sh +++ b/extraconfig/tasks/yum_update.sh @@ -40,9 +40,17 @@ touch "$timestamp_file" command_arguments=${command_arguments:-} -list_updates=$(yum list updates) - -if [[ "$list_updates" == "" ]]; then +# yum check-update exits 100 if updates are available +set +e +check_update=$(yum check-update 2>&1) +check_update_exit=$? +set -e + +if [[ "$check_update_exit" == "1" ]]; then + echo "Failed to check for package updates" + echo "$check_update" + exit 1 +elif [[ "$check_update_exit" != "100" ]]; then echo "No packages require updating" exit 0 fi diff --git a/net-config-linux-bridge.yaml b/net-config-linux-bridge.yaml index 04664818..a544d547 100644 --- a/net-config-linux-bridge.yaml +++ b/net-config-linux-bridge.yaml @@ -33,7 +33,7 @@ parameters: ControlPlaneDefaultRoute: # Override this via parameter_defaults description: The default route of the control plane network. type: string - default: 192.0.2.1 + default: 192.168.24.1 EC2MetadataIp: # Override this via parameter_defaults description: The IP address of the EC2 metadata server. type: string diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index f01fb2a6..b1780680 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -11,9 +11,6 @@ resource_registry: OS::TripleO::Tasks::UpdateWorkflow: OS::Heat::None OS::TripleO::Tasks::PackageUpdate: extraconfig/tasks/yum_update.yaml - OS::TripleO::Tasks::SwiftRingDeploy: extraconfig/tasks/swift-ring-deploy.yaml - OS::TripleO::Tasks::SwiftRingUpdate: extraconfig/tasks/swift-ring-update.yaml - {% for role in roles %} OS::TripleO::{{role.name}}::PreNetworkConfig: OS::Heat::None OS::TripleO::{{role.name}}PostDeploySteps: puppet/post.yaml diff --git a/puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml b/puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml index bca6010a..40b407bc 100644 --- a/puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml +++ b/puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml @@ -10,7 +10,7 @@ parameters: # Config specific parameters, to be provided via parameter_defaults N1000vVSMIP: type: string - default: '192.0.2.50' + default: '192.168.24.50' N1000vVSMDomainID: type: number default: 100 @@ -62,7 +62,7 @@ parameters: default: '255.255.255.0' N1000vMgmtGatewayIP: type: string - default: '192.0.2.1' + default: '192.168.24.1' N1000vPacemakerControl: type: boolean default: true diff --git a/puppet/puppet-steps.j2 b/puppet/puppet-steps.j2 index 86af6114..782a32c9 100644 --- a/puppet/puppet-steps.j2 +++ b/puppet/puppet-steps.j2 @@ -30,13 +30,6 @@ input_values: update_identifier: {get_param: DeployIdentifier} - {% if role.name in ['Controller', 'ObjectStorage'] %} - {{role.name}}SwiftRingDeploy: - type: OS::TripleO::Tasks::SwiftRingDeploy - properties: - servers: {get_param: [servers, {{role.name}}]} - {% endif %} - # Step through a series of configuration steps {% for step in range(1, 6) %} {{role.name}}Deployment_Step{{step}}: @@ -88,15 +81,4 @@ servers: {get_param: [servers, {{role.name}}]} input_values: update_identifier: {get_param: DeployIdentifier} - - {% if role.name in ['Controller', 'ObjectStorage'] %} - {{role.name}}SwiftRingUpdate: - type: OS::TripleO::Tasks::SwiftRingUpdate - depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step5 - {% endfor %} - properties: - servers: {get_param: [servers, {{role.name}}]} - {% endif %} {% endfor %} diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml index 1f68f41f..9227b527 100644 --- a/puppet/role.role.j2.yaml +++ b/puppet/role.role.j2.yaml @@ -483,6 +483,7 @@ resources: type: OS::Heat::SoftwareDeployment depends_on: NetworkDeployment properties: + name: UpdateDeployment config: {get_resource: UpdateConfig} server: {get_resource: {{role}}} input_values: diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 9bd282f8..6e53b1f7 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -77,13 +77,15 @@ outputs: - "%{hiera('apache_remote_proxy_ips_network')}" - generate_service_certificates: true + tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd' + tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd' apache_certificates_specs: map_merge: repeat: template: httpd-NETWORK: - service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' - service_key: '/etc/pki/tls/private/httpd-NETWORK.key' + service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key' hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" for_each: diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 94b15d4b..2a335b67 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -22,6 +22,10 @@ parameters: default: 1048576 description: Configures sysctl kernel.pid_max key type: number + KernelDisableIPv6: + default: 0 + description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys + type: number outputs: role_data: @@ -57,6 +61,10 @@ outputs: value: 500000 net.netfilter.nf_conntrack_max: value: 500000 + net.ipv6.conf.default.disable_ipv6: + value: {get_param: KernelDisableIPv6} + net.ipv6.conf.all.disable_ipv6: + value: {get_param: KernelDisableIPv6} # prevent neutron bridges from autoconfiguring ipv6 addresses net.ipv6.conf.all.accept_ra: value: 0 diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index aba2b1ed..4b5f36ac 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -81,4 +81,4 @@ outputs: - name: Install sensu package if it was disabled tags: step3 yum: name=sensu state=latest - when: sensu_client.rc != 0 + when: sensu_client_enabled.rc != 0 diff --git a/puppet/services/network/contrail-vrouter.yaml b/puppet/services/network/contrail-vrouter.yaml index db9f0836..0cd1f829 100644 --- a/puppet/services/network/contrail-vrouter.yaml +++ b/puppet/services/network/contrail-vrouter.yaml @@ -27,7 +27,7 @@ parameters: description: vRouter physical interface type: string ContrailVrouterGateway: - default: '192.0.2.1' + default: '192.168.24.1' description: vRouter default gateway type: string ContrailVrouterNetmask: diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 28fcbd6f..f7a0edf8 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -141,6 +141,8 @@ outputs: - name: Check pacemaker cluster running before upgrade tags: step0,validation pacemaker_cluster: state=online check_and_fail=true + async: 30 + poll: 4 - name: Stop pacemaker cluster tags: step2 pacemaker_cluster: state=offline diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index a2286d16..9820b431 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -90,14 +90,11 @@ outputs: # fluentd user. yaql: expression: > - set($.data.groups.flatten()).where($) + set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($) data: - groups: - - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}] - - yaql: - expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null)) - data: {role_data: {get_attr: [ServiceChain, role_data]}} - - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}] + default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]} + extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]} + role_data: {get_attr: [ServiceChain, role_data]} config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}} global_config_settings: map_merge: diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index 2e3c818f..f62d5e18 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -42,6 +42,14 @@ parameters: default: true description: 'Use a local directory for Swift storage services when building rings' type: boolean + SwiftRingGetTempurl: + default: '' + description: A temporary Swift URL to download rings from. + type: string + SwiftRingPutTempurl: + default: '' + description: A temporary Swift URL to upload rings to. + type: string conditions: swift_use_local_dir: @@ -59,6 +67,8 @@ outputs: value: service_name: swift_ringbuilder config_settings: + tripleo::profile::base::swift::ringbuilder::swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl} + tripleo::profile::base::swift::ringbuilder::swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl} tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild} tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas} tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower} diff --git a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml new file mode 100644 index 00000000..8b57f587 --- /dev/null +++ b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml @@ -0,0 +1,7 @@ +--- +security: + - | + Add IPv6 disable option and make it configurable for user to disable IPv6 + when it's not used, this will descrease the risk of ipv6 attack. + Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6 + will be explicitly set to the default value (0) which is enabled. diff --git a/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml b/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml new file mode 100644 index 00000000..09d3be03 --- /dev/null +++ b/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml @@ -0,0 +1,20 @@ +--- +upgrade: + - | + The default network for the ctlplane changed from 192.0.2.0/24 to + 192.168.24.0/24. All references to the ctlplane network in the templates + have been updated to reflect this change. When upgrading from a previous + release, if the default network was used for the ctlplane (192.0.2.0/24), + then it is necessary to provide as input, via environment file, the correct + setting for all the parameters that previously defaulted to 192.0.2.x and + now default to 192.168.24.x; there is an environment file which could be + used on upgrade `environments/updates/update-from-192_0_2-subnet.yaml` to + cover a simple scenario but it won't be enough for scenarios using an + external load balancer, Contrail or Cisto N1KV. Follows a list of params to + be provided on upgrade. + From contrail-net.yaml: EC2MetadataIp, ControlPlaneDefaultRoute + From external-loadbalancer-vip-v6.yaml: ControlFixedIPs + From external-loadbalancer-vip.yaml: ControlFixedIPs + From network-environment.yaml: EC2MetadataIp, ControlPlaneDefaultRoute + From neutron-ml2-cisco-n1kv.yaml: N1000vVSMIP, N1000vMgmtGatewayIP + From contrail-vrouter.yaml: ContrailVrouterGateway