Alan Bishop [Tue, 23 May 2017 14:42:24 +0000 (10:42 -0400)]
Handle upgrading cinder-volume under pacemaker
Add upgrade tasks for cinder-volume when it's controlled by pacemaker:
o Stop the service before the entire pacemaker cluster is stopped.
This ensures the service is stopped before infrastructure services
(e.g. rabbitmq) go away.
o Migrate the cinder DB prior to restarting the service. This covers
the situation when puppet-cinder (who otherwise would handle the db
sync) isn't managing the service.
o Start the service after the rest of the pacemaker cluster has been
started.
Closes-Bug: #1691851
Change-Id: I5874ab862964fadb68320d5c4de39b20f53dc25c
(cherry picked from commit c4e3bbe039135f32f0e198365e704b3dbfd00290)
Ihar Hrachyshka [Wed, 24 May 2017 01:13:28 +0000 (18:13 -0700)]
Enable arp_accept for all interfaces
OpenStack heavily relies on gratuitous ARP updates when moving floating
IP addresses between devices. When a floating IP moves, Neutron L3 agent
issues a burst of gratuitous ARP packets that should update any existing
ARP table entries on all nodes that belong to the same network segment.
Due to locktime kernel behavior, some gratuitous ARP packets may be
ignored [1], rendering ARP table entries broken for some time. Due to a
kernel bug [2], the time may be as long as hours, depending on other
traffic flowing to the node.
With the current EL7 kernel, the only way to make sure that nodes honor
all sent gratuitous ARP updates is to set arp_accept to 1; this will
disable locktime mechanism for the packets sent by Neutron L3 agent, and
will make sure ARP tables are always updated.
[1] https://patchwork.ozlabs.org/patch/762732/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1450203
Conflicts:
puppet/services/kernel.yaml
Related-Bug: #1690165
Change-Id: I863b240e0ab4c4d5bb844f91b607fd0937d5cedf
(cherry picked from commit 804fd3427eeb31a2846ee096dbdac924ec39bcbc)
John Trowbridge [Thu, 25 May 2017 13:24:57 +0000 (09:24 -0400)]
Add heat environment for disabling all telemetry services
This will be used in our HA OVB CI job where we currently are
failing due to running out of memory. Telemetry will still be
tested via scenarios, but this will free up a large chunk of
memory in the most memory intensive job.
Closes-Bug: 1693174
Change-Id: Idefe9f0de47c5b0f29b7326642d697ed179e2eb8
(cherry picked from commit 0751d69e3b6560ef87ed43859df92fdcc08f9cd1)
James Slagle [Thu, 27 Apr 2017 17:00:17 +0000 (13:00 -0400)]
Add $STACK_NAME input var
The stack name can now be overridden in the get-occ-config.sh script for
deployed-server's by setting the $STACK_NAME variable in the
environment.
Change-Id: Iecba21499b80e463b4c629be53c309996d39472d
Closes-Bug: #1686719
(cherry picked from commit e17590c69e599a3eb6b4a18d2d6dbef9dede9ea8)
Jenkins [Mon, 22 May 2017 15:00:00 +0000 (15:00 +0000)]
Merge "Timeout early on pcs cluster status check0 during upgrade." into stable/ocata
Jenkins [Sat, 20 May 2017 01:15:01 +0000 (01:15 +0000)]
Merge "Addition of firewall rules for Nuage" into stable/ocata
Jenkins [Sat, 20 May 2017 01:08:03 +0000 (01:08 +0000)]
Merge "Disable Manila CephFS snapshots by default" into stable/ocata
Steven Hardy [Fri, 17 Mar 2017 09:53:14 +0000 (09:53 +0000)]
Add NodeCreateBatchSize parameter
This uses the heat resource group batched create feature to ensure
we don't create more than 30 nodes at a time, which has been reported
as the maximum supported by the default ironic ipxe/TFTP configuration.
Closes-Bug: #1688550
Change-Id: If3651e4c465d8d7bd4c8f2b48d45b1272ff2d272
Depends-On: I3551456664daf89d01f98bde85d7fb22a01d4a03
(cherry picked from commit 129881f2c600217ff06b4570950b4e60ff9a63b5)
Sofer Athlan-Guyot [Thu, 6 Apr 2017 14:55:08 +0000 (16:55 +0200)]
Timeout early on pcs cluster status check0 during upgrade.
There is a window for the pcs cluster status to hang forever[1]. We
add a timeout during check0 to avoid this situation. 2 minutes should
be more than enough to get all the pcsd nodes to reply.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1292858
Closes-Bug: #1680477
Change-Id: Icb3dc76e031a3d4f26294f37d169f2f61d30973e
(cherry picked from commit 0ea21f51a8128e536404ffd87f741443c9287593)
Jenkins [Tue, 16 May 2017 22:06:43 +0000 (22:06 +0000)]
Merge "Disable ComputeNeutron* for cisco-nexus-ucsm" into stable/ocata
Oliver Walsh [Mon, 15 May 2017 20:21:57 +0000 (21:21 +0100)]
Fix SshHostPubKeyDeployment on containerized nova-compute.
This is failing since https://review.openstack.org/458672 merged
because the ssh host keys are not mapped to the container.
Change-Id: Ie868654f13bee04da642337cc344871903f40473
Closes-bug: #1690911
Steven Hardy [Wed, 3 May 2017 08:44:21 +0000 (09:44 +0100)]
Disable ComputeNeutron* for cisco-nexus-ucsm
It seems this wasn't adjusted when https://review.openstack.org/#/c/338315/
landed, which added interfaces for compute specific neutron configuration,
which is disabled for most vendor backends.
Change-Id: I4c98008107568b3b65decd7640e25c7d2b1ea9ff
Related-Bug: #1687597
(cherry picked from commit 95fbda4d0254edb12bfec1ccd41d3b5f6204fe8f)
Jenkins [Sat, 13 May 2017 00:40:39 +0000 (00:40 +0000)]
Merge "Fix for the resource ControllerPostPuppetMaintenanceModeDeployment" into stable/ocata
Jenkins [Fri, 12 May 2017 03:06:32 +0000 (03:06 +0000)]
Merge "Merge pre|post puppet resources into pre|post config." into stable/ocata
Carlos Camacho [Thu, 27 Apr 2017 09:00:32 +0000 (11:00 +0200)]
Fix for the resource ControllerPostPuppetMaintenanceModeDeployment
Depends-On: If88f403c85b79bd896a24c7816486709bd67706f
Closes-Bug: 1686619
Change-Id: I7c32ca39a456de9833d30c31d41fcb727d2b0a34
(cherry picked from commit 77b4bd53dae1882ae3094597e674218b7773eda9)
Jenkins [Mon, 24 Apr 2017 18:42:00 +0000 (18:42 +0000)]
Merge pre|post puppet resources into pre|post config.
The [Pre|Post]Puppet resources were renamed in
https://review.openstack.org/#/c/365763.
This was intended for having a pre/post deployment
steps using an agnostic name instead of
being attached to a technology.
The renaming was unintentionally reverted in
https://review.openstack.org/#/c/393644/ and
https://review.openstack.org/#/c/434451.
This submission merges both resources into one,
and removes the old pre|post hooks.
Change-Id: Ic9d97f172efd2db74255363679b60f1d2dc4e064
Closes-bug: #1669756
(cherry picked from commit 258c6ce52d0c8467f34693722a883d96345802b2)
Michele Baldessari [Thu, 4 May 2017 09:46:45 +0000 (11:46 +0200)]
Fix up pacemaker_status test in yum_update.sh
In change I2aae4e2fdfec526c835f8967b54e1db3757bca17 we did the
following:
-pacemaker_status=$(systemctl is-active pacemaker || :)
+pacemaker_status=""
+if hiera -c /etc/puppet/hiera.yaml service_names | grep -q pacemaker;
then
+ pacemaker_status=$(systemctl is-active pacemaker)
+fi
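Review bot: the `grep -q pacemaker` test in the added `if` is a substring match, so a service_names list that contains only pacemaker_remote also satisfies it; anchor the pattern, for example `grep -q '\bpacemaker\b'`. The added assignment also drops the `|| :` that the removed line carried, so `systemctl is-active pacemaker` now passes a non-zero status to the caller when the unit is inactive; keep the guard if the script runs under `set -e`.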
we did that so due to LP#1668266: we did not want systemctl is-active to
fail on non pacemaker nodes. The problem with the above hiera check is
that it will match on pacemaker_remote nodes as well.
We cannot piggyback the pacemaker_enabled hiera key because that is true
on all nodes. So let's make the test check only for pacemaker service
without matching pacemaker remote. Tested with:
1) Test on a controller node with pacemaker service enabled
[root@overcloud-controller-0 ~]# hiera -c /etc/puppet/hiera.yaml -a service_names |grep '\bpacemaker\b'
"pacemaker",
[root@overcloud-controller-0 ~]# echo $?
0
2) Test on a compute node without pacemaker:
[root@overcloud-novacompute-0 puppet]# hiera -c /etc/puppet/hiera.yaml service_names |grep '\bpacemaker\b'
[root@overcloud-novacompute-0 puppet]# echo $?
1
3) Test on a node with pacemaker_remote in the service_names key:
[root@overcloud-novacompute-0 puppet]# hiera -c /etc/puppet/hiera.yaml service_names |grep '\bpacemaker\b'
[root@overcloud-novacompute-0 puppet]# echo $?
1
[root@overcloud-novacompute-0 puppet]# hiera -c /etc/puppet/hiera.yaml service_names |grep '\bpacemaker_remote\b'
"pacemaker_remote"]
[root@overcloud-novacompute-0 puppet]# echo $?
0
NB: cherry-pick was not 100% clean due to unrelated lines being cleaned
up in master.
Change-Id: I54c5756ba6dea791aef89a79bc0b538ba02ae48a
Closes-Bug: #1688214
(cherry picked from commit 2244290424ffa7781fb5b64688908c218cd10ecd)
Michele Baldessari [Thu, 27 Apr 2017 19:41:11 +0000 (21:41 +0200)]
Initial VIP ipv6 minor update code
To test this change we deployed a stock master with ipv6 which created a bunch
of ipv6 with /64 netmask:
[root@overcloud-controller-0 ~]# pcs resource show ip-fd00.fd00.fd00.2000..18
Resource: ip-fd00.fd00.fd00.2000..18 (class=ocf provider=heartbeat type=IPaddr2)
Attributes: ip=fd00:fd00:fd00:2000::18 cidr_netmask=64
Operations: start interval=0s timeout=20s (ip-fd00.fd00.fd00.2000..18-start-interval-0s)
stop interval=0s timeout=20s (ip-fd00.fd00.fd00.2000..18-stop-interval-0s)
monitor interval=10s timeout=20s (ip-fd00.fd00.fd00.2000..18-monitor-interval-10s)
Then we update the THT folder with this patch and upload the new scripts on the undercloud via:
openstack overcloud deploy --update-plan-only ....
Then we kick off the minor update workflow:
openstack overcloud update stack -i overcloud
Once the controller-0 node (bootstrap node for pacemaker) is completed we have the
correct VIP configuration:
[root@overcloud-controller-0 heat-config-script]# pcs resource show ip-fd00.fd00.fd00.2000..18
Resource: ip-fd00.fd00.fd00.2000..18 (class=ocf provider=heartbeat type=IPaddr2)
Attributes: ip=fd00:fd00:fd00:2000::18 cidr_netmask=128 nic=vlan20 lvs_ipv6_addrlabel=true lvs_ipv6_addrlabel_value=99
Operations: start interval=0s timeout=20s (ip-fd00.fd00.fd00.2000..18-start-interval-0s)
stop interval=0s timeout=20s (ip-fd00.fd00.fd00.2000..18-stop-interval-0s)
monitor interval=10s timeout=20s (ip-fd00.fd00.fd00.2000..18-monitor-interval-10s)
Also verified that running the script a second time does not alter the
(already fixed) VIPs.
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Change-Id: I765cd5c9b57134dff61f67ce726bf88af90f8090
(cherry picked from commit 4923f5c4991bd539888b4175fae20025d6ef3957)
lokesh-jain [Mon, 3 Apr 2017 20:32:53 +0000 (16:32 -0400)]
Addition of firewall rules for Nuage
Added VxLAN and metadata agent firewall rules to neutron-compute-plugin
for Nuage. Removed a deprecated parameter 'OSControllerIp' as well.
Change-Id: If10c300db48c66b9ebeaf74b5f5fee9132e75366
(cherry picked from commit d5309c9443cbfe50ba5e7c15f025393a58b0804c)
Steven Hardy [Tue, 2 May 2017 10:54:12 +0000 (11:54 +0100)]
Ensure AllNodesExtraConfig runs before AllNodesDeploySteps
When implementing custom roles, we lost an implicit dependency that
ensured AllNodesExtraConfig is applied before AllNodesDeploySteps,
which causes problems if you need to write hieradata via the
AllNodesExtraConfig hook (some cisco integrations we have in tree
do this, and are now broken because the ordering is no longer ensured).
Change-Id: Ie78ecbb4e135ab7f196867ef9d8d271049a9cd10
Closes-Bug: #1687597
(cherry picked from commit 4efc067a7e2965fc7a07eb05b019d0e3e8160606)
marios [Thu, 27 Apr 2017 13:51:42 +0000 (16:51 +0300)]
Unset the UpgradeInitCommand on converge
In the converge envs we unset the UpgradeInitCommon since we used
that for the N..O upgrades workflow. However an operator may have
also overridden the UpgradeInitCommand so we should unset that
too.
Closes-Bug: 1686918
Change-Id: I3b316d04b78a4ab1e3f9f69948e42e6fb0ad6632
(cherry picked from commit 7d87b8225bd640fee4b55fd66e793391526f6d54)
Jenkins [Fri, 28 Apr 2017 09:59:04 +0000 (09:59 +0000)]
Merge "Change the default for rabbitmq back to ha-mode: all" into stable/ocata
Jenkins [Fri, 28 Apr 2017 09:21:14 +0000 (09:21 +0000)]
Merge "upgrades: deploy mod_ssl when upgrading apache" into stable/ocata
Jenkins [Thu, 27 Apr 2017 20:20:53 +0000 (20:20 +0000)]
Merge "Prepare 6.1.0 (ocata)" into stable/ocata
Jenkins [Thu, 27 Apr 2017 20:20:11 +0000 (20:20 +0000)]
Merge "Cinder-api upgrade: use httpd instead of apachectl" into stable/ocata
Jenkins [Thu, 27 Apr 2017 19:19:06 +0000 (19:19 +0000)]
Merge "Align hyperconverged-ceph.yaml environment and adds some validation" into stable/ocata
Emilien Macchi [Thu, 27 Apr 2017 16:17:46 +0000 (12:17 -0400)]
Prepare 6.1.0 (ocata)
Change-Id: Idb0423f9cf76234b9f44cacf32dd34cd9ae4e655
Sofer Athlan-Guyot [Wed, 26 Apr 2017 21:10:24 +0000 (23:10 +0200)]
upgrades: deploy mod_ssl when upgrading apache
1) When Apache is upgraded, install mod_ssl rpm.
See https://bugs.launchpad.net/tripleo/+bug/1682448
to understand why we need mod_ssl.
2) All services that run Apache for API will use the snippet from
Apache service to deploy mod_ssl, so we don't duplicate the code
in all services. It's using the same mechanism as ovs upgrade to
compile upgrade_tasks between both services.
Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84
Closes-Bug: #1686503
(cherry picked from commit a6041608ca68aad4298ed9e8febafc442a250a55)
Sofer Athlan-Guyot [Wed, 26 Apr 2017 20:38:13 +0000 (22:38 +0200)]
Cinder-api upgrade: use httpd instead of apachectl
It doesn't work downstream, so the httpd command was recommended.
Change-Id: I4807333b80dad10f16e5deb56cbfdda656cd1e50
(cherry picked from commit 0b05d7fd9b0e8811755499642647919eaf64cc39)
Michele Baldessari [Wed, 26 Apr 2017 08:29:18 +0000 (10:29 +0200)]
Change the default for rabbitmq back to ha-mode: all
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the
rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a
nice performance boost with rabbitmq, it makes rabbit less resilient to
network glitches as we painfully found out via
https://bugzilla.redhat.com/show_bug.cgi?id=1441635.
This is the THT part of the change that changes the default to
ha-mode: all.
NB: not clean cherry-pick due to the added metadata_settings line in
master
Closes-Bug: #1686337
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
Change-Id: I7afcf2b3c8deb13fc2134e4cae9c06a44e775384
Depends-On: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
(cherry picked from commit 90fc4b2e27ef6f612a82dfc5e08884629d0fe0bf)
Juan Badia Payno [Thu, 2 Mar 2017 18:47:23 +0000 (19:47 +0100)]
Increase documentation about parameters
CollectdServer, CollectdServerPort, CollectdSecurityLevel, CollectdUsername, CollectdPassword
Change-Id: I43a0aca6f620f2570bdfd88531e70611867337b0
(cherry picked from commit f209f0aa48d277ecb8300ef33225f6ce6e24a4ae)
Jenkins [Tue, 25 Apr 2017 22:58:54 +0000 (22:58 +0000)]
Merge "SSHD Service extensions" into stable/ocata
Jenkins [Tue, 25 Apr 2017 22:04:25 +0000 (22:04 +0000)]
Merge "sensu: fix upgrade case when service is added" into stable/ocata
Jenkins [Tue, 25 Apr 2017 19:48:32 +0000 (19:48 +0000)]
Merge "Deploy ceilometer_auth_enabled to node containing keystone" into stable/ocata
Jenkins [Tue, 25 Apr 2017 19:10:04 +0000 (19:10 +0000)]
Merge "Remove no longer used environment files - older upgrade workflows" into stable/ocata
Jenkins [Tue, 25 Apr 2017 18:45:36 +0000 (18:45 +0000)]
Merge "Add migration SSH tunneling support" into stable/ocata
Jenkins [Tue, 25 Apr 2017 16:48:39 +0000 (16:48 +0000)]
Merge "SSH known_hosts config" into stable/ocata
Juan Antonio Osorio Robles [Mon, 24 Apr 2017 15:53:05 +0000 (18:53 +0300)]
Deploy ceilometer_auth_enabled to node containing keystone
This hiera key is used by keystone to create the ceilometer service
user. It works in CI cause keystone and the ceilometer services are in
the same node. However, this fails if keystone is deployed on a separate
node.
We should only deploy it in the nodes containing the keystone service
since it's only relevant to create the service user.
Change-Id: Ic0f02fe9a78a1fe14ac2b87197692fbd80c003b8
Closes-Bug: #1685828
(cherry picked from commit f1f6b5dc7d698a36f04186856fb94b4115d121dc)
Jan Provaznik [Tue, 21 Feb 2017 11:00:48 +0000 (12:00 +0100)]
Disable Manila CephFS snapshots by default
Because CephFS Snapshots are still an experimental feature and
also Manila Ceph driver has this feature disabled by default,
it makes sense to not override this value by default.
Change-Id: I3dacbd7a3c673d2f34998ee9f433889727c6a0f7
(cherry picked from commit 99371a90a29b4f9ffda606263540a1ef0b919633)
marios [Fri, 21 Apr 2017 14:47:59 +0000 (17:47 +0300)]
Remove no longer used environment files - older upgrade workflows
In I7831d20eae6ab9668a919b451301fe669e2b1346 we removed some of
the old upgrades but left the environment files removed here.
Related-Bug: 1673447
Change-Id: Ib3eca5687285b280832d19b647c3b4aa3d9ac36d
(cherry picked from commit 61632a621b1ef0fc0e3d20080eb8a5ff05952bbe)
Emilien Macchi [Fri, 7 Apr 2017 15:54:48 +0000 (11:54 -0400)]
sensu: fix upgrade case when service is added
When service is added during an upgrade, fix the ansible syntax
to use the right variable for return code.
Change-Id: I974699fb8b0dcbe5ffa6935c394df4ac8e7b21d4
(cherry picked from commit deb9b4cad5a59e650922067841604a4bc121c228)
Jenkins [Fri, 21 Apr 2017 15:14:49 +0000 (15:14 +0000)]
Merge "Fix bogus parameters in get_param" into stable/ocata
Luke Hinds [Sun, 12 Mar 2017 03:24:35 +0000 (03:24 +0000)]
SSHD Service extensions
This change implements a MOTD message and provides a hash of
sshd config options which are sourced to the puppet-ssh module
as a hash.
The SSHD puppet service is enabled by default, as it is
required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
Also added the service to the CI roles.
Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
Depends-On: I1d09530d69e42c0c36311789166554a889e46556
Closes-Bug: #1668543
Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
(cherry picked from commit 5e14f95a4a46fcf88293f1b0fa93327566614d43)
Jenkins [Fri, 21 Apr 2017 12:14:55 +0000 (12:14 +0000)]
Merge "N->O Manual puppet commands have the right modulepath." into stable/ocata
Jenkins [Fri, 21 Apr 2017 09:06:02 +0000 (09:06 +0000)]
Merge "Run token flush cron job hourly by default" into stable/ocata
Jenkins [Fri, 21 Apr 2017 07:14:02 +0000 (07:14 +0000)]
Merge "Update Dell EMC Cinder back end services" into stable/ocata
Jenkins [Fri, 21 Apr 2017 06:41:16 +0000 (06:41 +0000)]
Merge "Add composable role support for NetApp Cinder back end" into stable/ocata
Jenkins [Fri, 21 Apr 2017 06:01:09 +0000 (06:01 +0000)]
Merge "Replace references to the 192.0.2 network" into stable/ocata
Jenkins [Fri, 21 Apr 2017 03:39:48 +0000 (03:39 +0000)]
Merge "N->O upgrade, fix wrong parameters to nova placement." into stable/ocata
Oliver Walsh [Tue, 28 Mar 2017 15:15:08 +0000 (16:15 +0100)]
Add migration SSH tunneling support
This enables nova cold migration.
This also switches to SSH as the default transport for live-migration.
The tripleo-common mistral action that generates passwords supplies the
MigrationSshKey parameter that enables this.
The TCP transport is no longer used for live-migration and the firewall
port has been closed.
Change-Id: I4e55a987c93673796525988a2e4cc264a6b5c24f
Depends-On: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: I9e7a1862911312ad942233ac8fc828f4e1be1dcf
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
(cherry picked from commit 0271a63e52b961eab0da2f5c6a61811a7a1498f7)
Oliver Walsh [Fri, 24 Mar 2017 14:35:09 +0000 (14:35 +0000)]
SSH known_hosts config
Fetch the host public keys from each node, combine them all and write to the
system-wide ssh known hosts. The alternative of disabling host key
verification is vulnerable to a MITM attack.
Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
(cherry picked from commit 7d3552a105ad5aa62cad0998c11df5ec6bd06ed6)
Jenkins [Thu, 20 Apr 2017 21:30:10 +0000 (21:30 +0000)]
Merge "Use comma_delimited_list for token flush cron time settings" into stable/ocata
Sofer Athlan-Guyot [Thu, 20 Apr 2017 10:30:46 +0000 (12:30 +0200)]
N->O Manual puppet commands have the right modulepath.
In two places during upgrade we manually trigger puppet.
There can be a problem when new puppet modules are added, and their
corresponding symlinks in /etc/puppet/modules are not created during
the installation as they are installed in
/usr/share/openstack-puppet/modules. To prevent the issue tripleo set
modulepath in the templates.
We must use the same modulepath to make sure that we don't fail
because of missing module in the manual puppet run.
This particularly happens when you upgrade from M->N->O, as the base
image in Mitaka doesn't have the proper symlinks and they are not
created during the installation of the package.
Closes-Bug: #1684587
Change-Id: I79df6ea33f1c58e13309176a6de41b7572541fd6
(cherry picked from commit 79c2d0f3d411da9e57731d9da79d25a3e0364eb2)
Jenkins [Thu, 20 Apr 2017 11:20:07 +0000 (11:20 +0000)]
Merge "Touch /etc/httpd/conf.d/ssl.conf" into stable/ocata
Sofer Athlan-Guyot [Wed, 19 Apr 2017 09:26:45 +0000 (11:26 +0200)]
N->O upgrade, fix wrong parameters to nova placement.
According to [1] we need os_region_name, not region_name. Furthermore
the os_interface is configured as well. The hard check on this
parameter was introduced in ocata[2], explaining why the newton version
did not choke on it.
[1] https://docs.openstack.org/ocata/config-reference/compute/config-options.html
[2] https://github.com/openstack/nova/commit/d486315e0
Closes-Bug: #1684058
Change-Id: If6118bf03e832fe3fa5ea4fcb1b436afd2adf80a
(cherry picked from commit 88a3168b3019f7c8232c14b95d4c7c6fb5080f03)
Jenkins [Wed, 19 Apr 2017 15:12:34 +0000 (15:12 +0000)]
Merge "Decouple Swift ringbuilding logic" into stable/ocata
Jenkins [Wed, 19 Apr 2017 10:45:48 +0000 (10:45 +0000)]
Merge "Modify pci_passthrough hiera value as string" into stable/ocata
Juan Antonio Osorio Robles [Wed, 12 Apr 2017 11:31:53 +0000 (14:31 +0300)]
Run token flush cron job hourly by default
Running this job once a day has proven problematic for large
deployments as seen in the bug report. Setting it to run hourly
would be an improvement to the current situation, as the flushes
wouldn't need to process as much data.
Note that this only affects people using UUID as the token provider.
Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a
Related-Bug: #1649616
(cherry picked from commit 65e643aca2202f031db94f1ccd3d44e195e5e772)
Juan Antonio Osorio Robles [Wed, 12 Apr 2017 11:30:27 +0000 (14:30 +0300)]
Use comma_delimited_list for token flush cron time settings
This allows us to better configure these parameters, e.g. we could set
the cron job to run more times per day, and not just one.
Change-Id: I0a151808804809c0742bcfa8ac876e22f5ce5570
Closes-Bug: #1682097
(cherry picked from commit df36f221dd402a5b93585a6851fb1eb43de91967)
Lukas Bezdicka [Thu, 13 Apr 2017 17:31:29 +0000 (19:31 +0200)]
Touch /etc/httpd/conf.d/ssl.conf
To ensure that yum update passes without issues we touch ssl.conf.
Proper fix is https://review.openstack.org/#/c/456712/
Depends-On: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Closes-Bug: #1682448
Resolves: rhbz#1441977
Change-Id: I73e5272c64df4aa5900f544a5d9f0670544ca679
Bogdan Dobrelya [Mon, 6 Mar 2017 16:49:01 +0000 (17:49 +0100)]
Fix bogus parameters in get_param
Change-Id: I1b5658efaaa26c473ceef184a962ec320f267ffe
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
(cherry picked from commit e88dfbc4ca115be9522ee0fc0bdb5b60f9ddd7a7)
Jenkins [Mon, 17 Apr 2017 21:54:21 +0000 (21:54 +0000)]
Merge "Add params to tweak memory limit on mongodb" into stable/ocata
Jenkins [Mon, 17 Apr 2017 18:06:33 +0000 (18:06 +0000)]
Merge "Update ceph-rgw acccepted roles to fix OSP upgrade" into stable/ocata
Pradeep Kilambi [Mon, 3 Apr 2017 22:01:27 +0000 (18:01 -0400)]
Add params to tweak memory limit on mongodb
The puppet-tripleo change was added in
Ie9391aa39532507c5de8dd668a70d5b66e17c891.
Closes-bug: #1656558
Change-Id: Ibe2e4be5b5dc953d8d4b14f680a460409db95585
(cherry picked from commit 75d48838020ad9ff2bbd739212599ec8eb932649)
Alan Bishop [Mon, 10 Apr 2017 16:37:13 +0000 (12:37 -0400)]
Update Dell EMC Cinder back end services
Add services for Dell EMC Cinder back ends to the resource registry
and to the Controller role (defaulting to OS::Heat::None).
Closes-Bug: #1681497
Change-Id: I694fd7738abd3601851bdcd38e3633607ce6152c
(cherry picked from commit 5fb637c611c3c8c4daf8e8d2f06d5579b9ef34fd)
Matthew Flusche [Mon, 27 Feb 2017 22:11:37 +0000 (22:11 +0000)]
yum_update.sh - Use the yum parameter: check-update
The current check tends to produce a false positive causing unnecessary
service restarts. yum check-update will exit with return code 100 if
updated packages are available.
Change-Id: I8bd89f2b24bafc6c991382b9eb484cfa9a2f8968
(cherry picked from commit 9e4375d2762f4a26e8b0b8375f9265ad6e439ea1)
Closes-Bug: #1680634
Alan Bishop [Mon, 10 Apr 2017 15:11:58 +0000 (11:11 -0400)]
Add composable role support for NetApp Cinder back end
Convert NetApp Cinder back end to support composable roles via new
"CinderBackendNetApp" service.
Closes-Bug: #1680568
Change-Id: Ia3a78a48c32997c9d3cbe1629c2043cfc5249e1c
(cherry picked from commit c533a3219e47c5a6155e85e089b9f8acdb4a3dd6)
Giulio Fidente [Fri, 7 Apr 2017 08:51:08 +0000 (10:51 +0200)]
Replace references to the 192.0.2 network
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane
network will be 192.168.24 by default and not 192.0.2 anymore.
This change removes old references left to 192.0.2 network from the
overcloud templates.
(cherry picked from commit b5b6681a74e001448a836e7eea5e75fba859b88c)
Closes-Bug: #1682144
Change-Id: I49bd1ac8d594105665010bd898670b17e72fa763
Jenkins [Tue, 11 Apr 2017 22:45:50 +0000 (22:45 +0000)]
Merge "Use --disable= in subscription-manager to avoid shell expansion." into stable/ocata
Keith Schincke [Fri, 31 Mar 2017 12:59:47 +0000 (08:59 -0400)]
Update ceph-rgw acccepted roles to fix OSP upgrade
This patch updates ceph::keystone::auth::roles to remove
"member" and add "Member". The previous entry breaks
OSP N to O upgrades when ceph-rgw is enabled.
This patch fixes: https://bugs.launchpad.net/tripleo/+bug/1678126
Closes-bug: 1678126
(cherry picked from commit 4656323fc30e67f43d3dbd1ada42b608aa6f79e7)
Change-Id: I70e70f96c4aba2c89a9f81973f732d4348b91515
Christian Schwede [Mon, 20 Feb 2017 21:22:25 +0000 (21:22 +0000)]
Decouple Swift ringbuilding logic
This reverts commit b323f8a16035549d84cdec4718380bde3d23d6c3 and uses
the new logic in puppet-tripleo, basically doing the same.
Closes-Bug: 1665641
Depends-On: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
Change-Id: Ib5cb0578be2993af0a0b8675005d838640bdb139
(cherry picked from commit 76c1c0cbba38b2f25290f5ad80e38ddd97ae834b)
Jenkins [Sat, 8 Apr 2017 06:15:47 +0000 (06:15 +0000)]
Merge "Add missing ec2api::api::keystone_ec2_tokens_url config" into stable/ocata
Cyril Lopez [Thu, 30 Mar 2017 13:48:14 +0000 (15:48 +0200)]
Add trigger to setup a LDAP backend as keystone domaine
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo
that will call a define in puppet-keystone ldap_backend.pp.
Given the following environment:
parameter_defaults:
  KeystoneLDAPDomainEnable: true
  KeystoneLDAPBackendConfigs:
    tripleoldap:
      url: ldap://192.0.2.250
      user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
      password: Secrete
      suffix: dc=redhat,dc=example,dc=com
      user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
      user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
      user_objectclass: person
      user_id_attribute: cn
      user_allow_create: false
      user_allow_update: false
      user_allow_delete: false
  ControllerExtraConfig:
    nova::keystone::authtoken::auth_version: v3
    cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.
More backends can be added as more entries to that hash.
This also enables multi-domain support for horizon.
Conflicts:
puppet/services/keystone.yaml
Closes-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
(cherry picked from commit 347f5434b3e3793b9fdf2a94f49ab7734c5d923b)
Jenkins [Fri, 7 Apr 2017 05:14:26 +0000 (05:14 +0000)]
Merge "Generate Pre/Post Puppet Tasks for all roles" into stable/ocata
Jenkins [Thu, 6 Apr 2017 23:54:05 +0000 (23:54 +0000)]
Merge "Updated from global requirements" into stable/ocata
Jenkins [Thu, 6 Apr 2017 23:16:26 +0000 (23:16 +0000)]
Merge "Add manual ovs upgrade script for workaround ovs upgrade issue" into stable/ocata
Jenkins [Thu, 6 Apr 2017 18:22:40 +0000 (18:22 +0000)]
Merge "Add environment for deployed-server with pacemaker" into stable/ocata
Mathieu Bultel [Wed, 15 Feb 2017 15:36:17 +0000 (16:36 +0100)]
Add manual ovs upgrade script for workaround ovs upgrade issue
When we upgrade OVS from 2.5 to 2.6, the postrun package update
restarts the services and drops the connectivity.
We need to push this manual upgrade script and execute it on the
nodes for newton to ocata.
The special case is needed for 2.5.0-14 specifically see related
bug for more info (or, older where the postun tries restart).
See related review at [1] for the minor update/manual upgrade.
Related-Bug: 1669714
Depends-On: I3227189691df85f265cf84bd4115d8d4c9f979f3
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
[1] https://review.openstack.org/#/c/450607/
Change-Id: If998704b3c4199bbae8a1d068c31a71763f5c8a2
(cherry picked from commit d2d319ec0ead06b860f8464b001048fb4f723788)
marios [Wed, 22 Mar 2017 14:09:22 +0000 (16:09 +0200)]
Enforce upgrade_batch_tasks before upgrade_tasks order
If we really want upgrade_batch_tasks before the upgrade_tasks
as described in the README then we should enforce the ordering
Noticed this working on bug 1671504 upgrade tasks were being
executed before batch upgrade tasks.
Closes-Bug: 1678101
Change-Id: Iaa1bce960a37c072b5f8441132705a6bb6eb6ede
(cherry picked from commit 299b9f532377a3a0c16ba9cb4fe92c637fc38eeb)
Sofer Athlan-Guyot [Mon, 3 Apr 2017 16:28:21 +0000 (18:28 +0200)]
Ensure upgrade step orchestration accross roles.
Currently we don't enforce step ordering across role, only within
role. With custom role, we can reach a step5 on one role while the
cluster is still at step3, breaking the contract announced in the
README[1] where each step has a guaranteed cluster state.
We have to remove the conditional here as well as jinja has no way to
access this information, but we need jinja to iterate over all enabled
role to create the orchestration.
This deals only with Upgrade tasks, there is another review to deal
with UpgradeBatch tasks.
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/README.rst
Closes-Bug: #1679486
Change-Id: Ibc6b64424cde56419fe82f984d3cc3620f7eb028
(cherry picked from commit d286892c785b8b81a866ea3c6a459d1fc4a347e8)
Jenkins [Thu, 6 Apr 2017 02:10:32 +0000 (02:10 +0000)]
Merge "Make neutron dhcp agents per network conditional" into stable/ocata
Jenkins [Thu, 6 Apr 2017 00:49:17 +0000 (00:49 +0000)]
Merge "Fixes port binding controller for OpenDaylight" into stable/ocata
Jenkins [Wed, 5 Apr 2017 21:23:10 +0000 (21:23 +0000)]
Merge "Purge initial firewall for deployed-server's" into stable/ocata
James Slagle [Wed, 15 Feb 2017 18:20:00 +0000 (13:20 -0500)]
Add environment for deployed-server with pacemaker
A new environment file to be used when using the deployed-server roles
data at deployed-server/deployed-server-roles-data.yaml. This ensures
the Pre and Post Puppet Tasks for the ControllerDeployedServer role are
mapped to the stacks that handle maintenance mode and resource restarts
for pacemaker on stack-update.
Change-Id: I1ca52dfb3a3b669e128ebb0a28d9e36a1807faad
Closes-Bug: #1665060
(cherry picked from commit f8cc35092d8d8c60eee12bd2a550ff5d60e28582)
James Slagle [Wed, 15 Feb 2017 18:13:36 +0000 (13:13 -0500)]
Generate Pre/Post Puppet Tasks for all roles
We need to generate the Pre and Post Puppet Tasks for all roles, not
just the Controller role. Otherwise, you have to have a role
specifically named Controller that is running your pacemaker services,
or pacemaker won't be properly handled on stack-updates.
When using deployed-server's it's actually not possible to have a role
called Controller, since we need to use all custom roles so that we can
set disable_constraints on each role. Further, it is not possible to
redefine the Controller role since puppet/controller-role.yaml is listed
in the excludes file.
Change-Id: I737b24db90932e292b50b122640f66385f2d1c23
Partial-Bug: #1665060
(cherry picked from commit 529768ae84f7713f2ae9447ff35ee2d63b4bdcd7)
OpenStack Proposal Bot [Wed, 5 Apr 2017 18:04:51 +0000 (18:04 +0000)]
Updated from global requirements
Change-Id: I40ecce838d12c2e232d8d4284bfa3ef3b88cebe4
Jenkins [Wed, 5 Apr 2017 18:04:31 +0000 (18:04 +0000)]
Merge "Add OpenDaylightConnectionProtocol parameter to opendaylight-api service" into stable/ocata
James Slagle [Mon, 3 Apr 2017 16:50:45 +0000 (12:50 -0400)]
Purge initial firewall for deployed-server's
We need to purge the initial firewall for deployed-server's, otherwise
if you have a default REJECT rule, the pacemaker cluster will fail to
initialize. This matches the behavior done when using images, see:
Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3
I0dee5ff045fbfe7b55d078583e16b107eec534aa
Change-Id: Ia83d17b609e4f737074482a980689cc57c3ad911
Closes-Bug: #1679234
(cherry picked from commit a216934f408439e77bf8346dafe30c4752c70946)
Pradeep Kilambi [Wed, 29 Mar 2017 19:20:40 +0000 (15:20 -0400)]
Set auth flag so ceilometer auth is enabled
Ceilometer Auth should be enabled even if ceilometer api
is not. Let's decouple these; this flag will be used in
puppet-tripleo where ceilometer::keystone::auth class
is initialized.
Change-Id: Iffebd40752eafb1d30b5962da8b5624fb9df7d48
Closes-bug: #1677354
(cherry picked from commit 0d04302abd19f98df3cd700f9cc4ec47273e5dac)
Jenkins [Tue, 4 Apr 2017 00:40:15 +0000 (00:40 +0000)]
Merge "Setting keystone region for tacker" into stable/ocata
Jenkins [Mon, 3 Apr 2017 22:24:39 +0000 (22:24 +0000)]
Merge "FQDN validation" into stable/ocata
Jenkins [Mon, 3 Apr 2017 22:24:31 +0000 (22:24 +0000)]
Merge "Setting keystone region for congress" into stable/ocata
Jenkins [Mon, 3 Apr 2017 18:36:58 +0000 (18:36 +0000)]
Merge "Re-Add bigswitch agent support" into stable/ocata
Matthew Flusche [Tue, 14 Feb 2017 17:00:02 +0000 (17:00 +0000)]
FQDN validation
Adds optional validation to ensure FQDN set by Nova matches /etc/hosts
as created by overcloud heat configuration.
Consistent FQDN requires the nova parameter [Default]/dhcp_domain to
match the CloudDomain tht parameter.
This validation is disabled by default.
Change-Id: Ib5689acae66baf63ecccbc3b1c0b96684781b863
(cherry picked from commit bae2d113938b9bb22d4c291ae312d2299187f72b)
Partial-Bug: #1581472
Tim Rozet [Wed, 22 Mar 2017 23:55:31 +0000 (19:55 -0400)]
Fixes port binding controller for OpenDaylight
In Ocata and later, the port binding controller for ODL was changed by
default to be the pseudo agent controller, which requires a new feature
"host config" for OVS. This patch modifies the default to use
network-topology, which will work without any new host config features
implemented (previous way of port binding).
Closes-Bug: 1675211
Depends-On: I5004fdeb238dea81bc4f7e9437843a8a080d5b46
Change-Id: I6a6969d1d6b8d8b8ac31fecd57af85eb653245d2
Signed-off-by: Tim Rozet <trozet@redhat.com>
(cherry picked from commit 502b3459d9c2b32beba31b37814d7625cd007775)
Jenkins [Mon, 3 Apr 2017 14:54:03 +0000 (14:54 +0000)]
Merge "Don't check haproxy if external load-balancer is used." into stable/ocata
Sven Anderson [Mon, 27 Mar 2017 19:39:00 +0000 (21:39 +0200)]
Add missing ec2api::api::keystone_ec2_tokens_url config
Change-Id: I9a19aff24dede2bea3bf2959afa7adde00817ee0
Related-Bug: #1676491
(cherry picked from commit 10cb0cfdef9b3a4719f89bcc2cdf1dae4a14dcca)
Dan Radez [Mon, 20 Mar 2017 15:41:36 +0000 (11:41 -0400)]
Setting keystone region for tacker
Change-Id: I170b7e4cff66f0a4b1b6d5735f93c9f0295a5ac5
(cherry picked from commit eb426db63c8cc48990a832f8e1b972feb93e7e92)
Jenkins [Mon, 3 Apr 2017 09:56:40 +0000 (09:56 +0000)]
Merge "Add special case upgrade from openvswitch 2.5.0-14" into stable/ocata
Pradeep Kilambi [Tue, 28 Mar 2017 12:04:21 +0000 (08:04 -0400)]
Include panko in the default dispatcher
panko is enabled by default, we might as well make it
the default dispatcher along with gnocchi.
Closes-bug: #1676900
Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
(cherry picked from commit 568573b9b054c3804d9d1be2ce6ec2668ca2dbfb)