Commit Graph

44 Commits

Author SHA1 Message Date
Alex Schultz 87abe05ba0 Retire instack-undercloud
instack-undercloud is no longer in use by the TripleO project. Removing
the code to avoid confusion. Stable branches will continue to be
maintained for their life however no new features should be added.

Change-Id: I63a813c7c1ffd30ca30017133d31a497b77a9a4d
Blueprint: remove-instack-undercloud
2018-10-30 12:16:18 +00:00
Tony Breeds 28fd522886 Ensure Boolean Strings from the environment are treated correctly
This happens because we use six.text_type() to convert the oslo.config
options into strings so we can pass them via environment
variables[1,2,3].

[1] http://git.openstack.org/cgit/openstack/instack-undercloud/tree/instack_undercloud/undercloud.py#n1229
[2] http://git.openstack.org/cgit/openstack/instack-undercloud/tree/instack_undercloud/undercloud.py#n1371
[3] http://git.openstack.org/cgit/openstack/instack-undercloud/tree/instack_undercloud/undercloud.py#n550

Change-Id: I5830a856960856af1a045d6eda609b8abb20658d
Closes-Bug: 1743679
2018-01-25 12:00:37 +11:00
Dmitry Tantsur 3b7e36745c Move handling keys for hieradata template completely to instack_undercloud module
Currently it's easy to create a new instack_env variable and forget to white-list it
in 02-puppet-stack-config. This change makes instack_undercloud.undercloud module
the primary source of truth on what instack_env can and cannot contain.

Closes-Bug: #1660671
Change-Id: I82eef3ba4bb172b0260f72ce50f52bfb6bfc8e21
2017-02-01 15:45:27 +01:00
Ade Lee 267d9b1fcb Add code to support novajoin in the undercloud
Novajoin is a new nova metadata micro-service that registers
instances created by nova with a FreeIPA server, so that we can
take advantage of server/service identities, kerberos credentials,
access and sudo controls etc.

The included modules will cause the undercloud to be registered with
a FreeIPA server, for novajoin to be installed, and for nova on the
undercloud to be configured to use novajoin.

Change-Id: I2e1c18a0174f70dc6e9c1d402caac574e6c81678
Implements: blueprint novajoin
2017-01-16 11:19:22 -05:00
Dmitry Tantsur c677aa81ce Allow setting enabled drivers in the configuration
For it to work, disable HTML escaping in the rendered
(we're not dealing with HTML anyway).

Related to blueprint switch-to-virtualbmc

Change-Id: Ib649ffb402d3b01192a20354a17bc76e07ece80e
2016-10-31 11:54:08 +01:00
Emilien Macchi f623801860 Work around deletion of _member_ role assignments on upgrade
TL;DR:
To support upgrades, we need to make sure _member_ role is still
assigned to the admin user if that role assignment existed before
the undercloud was upgraded.

Background:
Until fairly recently, keystone created a _member_ role and this was
applied to all users, including the admin role used for overcloud
deployments.

This creates a problem on upgrade however, because puppet isn't
aware of any existing role assignments, hence it deletes them,
and heat contains a reference to a keystone trust, which expects
to delegate this role (by default all roles are delegated, so
on an older deployment the trust will delegate _member_ and admin).

The _member_ role is not needed anymore by new deployments, and is
no longer created, so we need to detect the existence of this legacy
role, and apply it only for environments where it exists - we can
safely ignore connection errors trying to connect to keystone and
read the roles during an initial deployment, because no new deployments
should ever contain the _member_ role, it's only an upgrade issue.

This patch is a Puppet collector, that will collect the admin role
assignment resource, and makes sure we assign both admin and _member_
based on a flag set by undercloud.py that is passed via hiera.

Closes-Bug: #1571708
Co-Authored-By: Steven Hardy <shardy@redhat.com>
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I06ccdeb01e0aa69754855a0dcae3087725399583
2016-09-20 09:08:01 +03:00
Martin André 62bf441722 Add tripleo deployment config file paths to hiera
Store the paths where the tripleo deployment config files are created
into hiera for easy retrieval later on.

A few of the tripleo-validations will need to read the files generated
during the deployment.

Change-Id: I78cdd1b9844a12ef43fee3d5967d00a7d9992b02
2016-08-04 11:32:13 +02:00
Lukas Bezdicka bc585959ca Drop broken keystone pki setup
First we generate a completely new token on every instack-install-undercloud run.
Second we could use puppet-keystone instead of os-cloud-config.
Third we actually use uuid as we don't set token_provider option anywhere.

Change-Id: I9f3d50ebf8bfff4d6f9125a9202c0d64c9d1dddd
2016-07-27 13:23:44 +02:00
Ben Nemec c03d2ccbbc Generate most of the pystache context automatically
For the most part, the pystache context is just a list of values from
undercloud.conf.  Rather than maintain this list manually, including
duplicate default values (some of which are bad, like the "unset"
password defaults), let's just generate the context dict based on
the options we can look up from undercloud.py.

This also avoids masking mistakes where a value is added to the
context, but a corresponding config opt is not added to
undercloud.conf, resulting in an unconfigurable "option".

Change-Id: I70cc0f98e4f869417e22270a71f1f18525a06aac
2016-05-16 21:23:38 +00:00
James Slagle 06f98106e0 Create firewall rules with puppet
Replaces uses of add-rule with using the puppet-tripleo firewall class.
This removes additional dependencies on scripts provided by the elements
(add-rule).  There is still one usage of iptables directly in
10-iptables that will be cleaned up in a subsequent patch.

With this change, we can remove the iptables element from the json
files.

blueprint undercloud-elements
Change-Id: I5d496efe22c1a5e17a2b688ba6dfbcfd403349db
Depends-On: I0598007f90018f80a3266193bb24dbf112de49b7
2016-05-13 16:27:10 -04:00
Ben Nemec 0be2088102 Add dib-lint to pep8 tox job
dib-lint can catch some common errors in elements, so it would be
good to run it on instack-undercloud.  For the moment I'm just
ignoring failures that would require invasive changes to the
existing code, but it might be good to actually fix those at some
point.

Change-Id: Iaa522a888806fd9a58eafa30a3cf7d5aac01a45e
Depends-On: Id4b167ed220dd55852b6587b884fabe7bc8554eb
2016-05-04 16:58:07 +00:00
Steven Hardy f6ce775478 Make undercloud telemetry services optional and disabled
We're running ceilometer and aodh services but none of our current features
require them, and we don't document any interaction with them.

To mitigate the risk folks are using these services, I've left support in
but turned them off by default, as we don't require them & saving resources
(particularly in CI) seems more appropriate than enabling unused things.

Change-Id: Icbb49d1a4a8b4c6c713c54c53317a42f17e406f9
2016-04-20 16:31:23 +01:00
Jenkins 8defbe223e Merge "Enable Zaqar by default." 2016-04-20 05:14:09 +00:00
Jenkins a3c28df3dc Merge "Add an option to enable cleaning" 2016-03-31 12:57:20 +00:00
Jenkins 861f9438aa Merge "Enable Mistral by default." 2016-03-30 21:01:45 +00:00
Jenkins 1d4cab4ff8 Merge "add INTERFACE_MTU parameter" 2016-03-29 18:22:25 +00:00
Dan Prince abbbc105c1 Enable Zaqar by default.
As we build out workflows for tripleo-ui we'll want to have Zaqar
automatically enabled by default.

Change-Id: I92de8c4c2498273f56150a99d6667e2cd9d48b32
2016-03-28 13:03:01 -04:00
Dan Prince 26b04b78c5 Enable Mistral by default.
As we build out tripleo-common workflows to use Mistral we'll
need it to be enabled by default.

Change-Id: I337abb246ec121516525d35181181d6df853fce7
2016-03-28 13:01:05 -04:00
Gonéri Le Bouder f75f591cf4 add INTERFACE_MTU parameter
Add INTERFACE_MTU to be able to specify the MTU of the br-ctlplane and
the local_interface. This is a mandatory parameter as soon as the
network MTU is below 1500 for example because of a VLAN.

Change-Id: I8ff5ed63d9542285610ff131b99f52f8af4c4587
2016-03-10 13:20:08 -05:00
Ben Nemec f923da0c99 Secure haproxy stats endpoint
Currently when we deploy our haproxy configuration, it includes the
stats endpoint as unauthenticated.  This means anyone with access
to the undercloud can query the haproxy stats, which is a security
concern.

Change-Id: I94086c17c3fa5efe80650c2770bfb5c7f2f941ab
Depends-On: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
2016-03-10 15:01:58 +00:00
Jenkins e4789782cd Merge "Store events in Undercloud Ceilometer" 2016-03-08 08:09:41 +00:00
Dmitry Tantsur 6c9576f5a5 Add an option to enable cleaning
Ironic supports automatic cleaning before and between deployments. With the IPA
image it wipes the hard drive, but may potentially do other tasks returning a
node to a clean state. We have it disabled by default, as it's time-consuming
and our bulk introspection operation does not account for it. However, there is
a valid use case for cleaning, so this patch adds an option to enable it.

Change-Id: Id4946ee08c67610aae4c28e5d28056105e2c0c84
2016-03-07 18:32:10 +01:00
Richard Su ab27b57e5f Store events in Undercloud Ceilometer
Adds a store_events option to allow admins to configure
the Undercloud Ceilometer to store events.

The default is false.

Change-Id: I9d9ae8eb2e1ec069e2ecd0bcf553f57647750ef1
Related-Bug: rhbz#1312373
2016-03-04 02:04:24 -08:00
Jenkins b37ae89eff Merge "Enable extra hardware data collection and processing for ironic-inspector" 2016-03-03 10:43:35 +00:00
Dmitry Tantsur 4614c45213 Increase scheduler_max_attempts on undercloud and make it configurable
Interaction between Nova and Ironic is subject to races. It may happen that
Nova scheduler picks the same Ironic node for several instances. Of course only
one instance ends up deployed, the others fail with the Conflict exception. This
would repeat until all nodes are deployed, provided that we do have enough
Ironic nodes. However, with the current scheduler_max_attempts being equal to 3,
we fail long before.

The proper fix to this issue is being worked on in Nova and will probably merge
in Newton. Until it's done we work around this issue by increasing
scheduler_max_attempts substantially from 3 to 30. This number is essentially
random, and is based on the observation that people prefer to deploy nodes in
bulks of 20-30. This value also becomes configurable via the
scheduler_max_attempts configuration variable.

The only downside is that the actual scheduling problems will take longer now.
For TripleO we have additional node checks in the deployment command, so it
should not hit us too often.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1310178

Change-Id: I1f357cd0e1afe9e8ef6fd4cc7cb32c7d1a09583a
2016-02-25 16:58:00 +01:00
Dmitry Tantsur 12b5a74d0c Enable extra hardware data collection and processing for ironic-inspector
* Enable collection of extra data on the ramdisk using python-hardware library
  when a new configuration option inspection_extras is set to True (the default)
* Enable storing this data in swift and converting it to format appropriate
  for introspection rules (always enabled, noop when inspection_extras is False)
* Revive the "inspection_runbench" option (off by default).

Change-Id: Ie7921d9b038bea5aa10c35ccbed908e2651465bc
2016-02-24 15:47:28 +01:00
Dan Prince 17e410270a Install zaqar (messaging) in the undercloud
Add support for installing OpenStack zaqar if enable_zaqar
is set to true.

Depends-on: Ibb380401eb58319c9a0c239598571f1b11b020d4
Depends-on: I668ecc79f1684438beff620394711c6bb8f2cc34

Change-Id: Idf5858bc8414a3e55fc68e43feb99de73474b9c5
2016-02-15 12:45:11 -05:00
Ben Nemec 06ebbd9316 Wire enable_monitoring all the way in
When monitoring was added one of the mappings was missed, so the
option didn't actually take effect.

Change-Id: Id92f3505a4ee03f367e7c09c71d1b53e68eb1a62
2016-02-11 20:13:35 +00:00
Emilien Macchi 5b10a84e95 Deploy Monitoring on the undercloud with Puppet
This is a first attempt to add monitoring support in TripleO.
It will reside on the undercloud and won't be HA right now.

The services are optional and disabled by default.

It will deploy:
* Sensu Server and API services
* Uchiwa, which is the open-source Sensu dashboard
* Add keystone-api check so we can validate oschecks are installed &
  ready to be consumed.

New parameters:
- enable_monitoring
- undercloud_sensu_password

It's using 2 Puppet modules that are the references and official modules
to deploy Sensu & Uchiwa.

Depends-On: I603d766ea6ec5104152a715c0fe4ad2f74663cf0
Change-Id: I4bb3ede7f46bc19ce213b274ee604953583b293f
2016-01-06 16:06:10 -05:00
Ben Nemec 9f5f3191ac Remove option of installing tuskar
This isn't supported anymore and likely doesn't work, so let's just
remove it.

Change-Id: If31fe9e602323022eb99eddb786492462c09157e
2016-01-06 14:06:10 +01:00
Jenkins 04a4b0b8e9 Merge "Install mistral (workflow) in the undercloud" 2016-01-06 10:52:27 +00:00
Jenkins df921a4679 Merge "Enable loadbalancer with ssl on undercloud" 2016-01-06 10:45:53 +00:00
Emilien Macchi 3102263862 Deploy Aodh services, replacing Ceilometer Alarm
Ceilometer Alarm is deprecated in Liberty by Aodh.

This patch:
* deploy Apache (Aodh runs in WSGI)
* manage Aodh Keystone resources
* deploy Aodh API under WSGI, Notifier, Listener and Evaluator
* manage new parameters to customize Aodh deployment

Change-Id: I8ae85083b18e12d5bfedb63bfbd5f1c0eae2d2a6
Depends-On: Ied8ba5985f43a5c5b3be5b35a091aef6ed86572f
2016-01-05 17:08:58 -05:00
Dan Prince 6da04f9c5f Install mistral (workflow) in the undercloud
OpenStack has a workflow service so provide the
option to use it for some things.

Change-Id: I2a806d6d131feb82d7d9cfa07da044bcaaf5b95d
Depends-on: Ide01de8c761ccd099b7a8469bff34316ff5c04f2
Depends-on: I986623ca541552755951d1d10e4e6e097276d249
Depends-on: I1afca0eb57792b11b1f15041bd59bcec82fe6337
2016-01-05 16:12:47 -05:00
Ben Nemec 1f17076e09 Enable loadbalancer with ssl on undercloud
When an ssl certificate is configured, configures haproxy with said
certificate in front of the public API endpoints for the services.
If no certificate is configured, leaves everything setup as before.

Change-Id: Idd9492303e797f5b39c980772f33754fb44a9f12
2015-12-18 18:40:55 +00:00
Dmitry Tantsur 3ba5b6197f Add option to switch between PXE and iPXE for deploy when building undercloud
Ironic does not support UEFI with iPXE, so we need an option to use plain PXE.
With this patch we still build an iPXE environment as well, in case a user
will want to switch to it later.

Change-Id: I2bc88005cd98adf1c01a8d5df23af723e1f1fe3a
2015-12-01 17:21:33 +01:00
John Trowbridge 3bcf7fc99f Use puppet to configure ironic-inspector
This removes the ironic-inspector element from the
undercloud install, and instead uses the puppet module
to setup the ironic-inspector service.

Depends-On: I9b2917a2c3f6afe75dc295c81d09f7a12856007f
Change-Id: Ic3eca27515721000ed1c9d19a2427276e6b1af68
2015-10-09 13:39:41 -04:00
Dan Prince bab777f2f6 Add enable_tempest option
This patch adds an option to disable the installation of Tempest
packages in each undercloud. Users may or may not want
to run Tempest from their undercloud... not installing it
saves us network bandwidth and CI time upstream as well
(where we don't even have the extra time to execute Tempest
at this point currently anyway).

Change-Id: If18b3d333bdbdc20390cb8d952e8c6182218cc1d
2015-09-02 10:02:58 -04:00
Dan Prince 14e274fab9 Add enable_tuskar option
This patch adds an option to enable/disable Tuskar.

Change-Id: Ied3228a18293b1475b156fdbb270a859bebacfbb
2015-09-02 10:01:27 -04:00
James Slagle 047e3c11f1 Secure permissions on /etc/puppet/hieradata and
/etc/puppet/hieradata/puppet-stack-config.yaml

Change-Id: I7cd014914db998d583f79328ed82270d3a280ff5
Resolves: rhbz#1234962
2015-06-30 15:26:03 -04:00
Derek Higgins aad3455086 Set the heat auth_encryption_key to a random string
Hard-coding it to "unset__" defeats its purpose. os-make-password
returns a 40 character password, heat requires it to be 8, 16 or 32
so it is truncated.

Change-Id: I4de7e058a0fdf87f1fc5061a01d45beda72b3345
2015-05-28 07:00:54 +01:00
Ben Nemec 1ca5fc320f Make undercloud debug configurable and enabled by default
For most services it is impossible to track down problems without
the debug log level enabled.  Turn it on by default, but provide
an entry in instack.answers for changing it.

Swift and ceilometer do not provide a debug parameter from what I
can tell, so they are omitted.

Change-Id: I2d64c93ab10f1e3f0a2481cb8e9975e2ab8a4a3c
2015-04-02 15:14:00 -05:00
James Slagle 4191d514d4 Install Horizon via Puppet
Use the Horizon puppet module instead of the horizon element.

Change-Id: Iac21085a1ad3f3a9e40f660ee0f3934f10b18faa
2015-03-19 20:43:39 -04:00
James Slagle 0c9b39baf1 Install via puppet
Migrate as much as we're initially able to over to be installed via Puppet
instead of elements from tripleo-image-elements. This change is rather large,
but it's all more or less inter-dependent so I wasn't able to break it up any
finer.

The bulk of the change is a new element, puppet-stack-config. That element
installs a puppet manifest at /etc/puppet/manifests/puppet-stack-config.pp that
is applied via puppet during the os-refresh-config phase of the installation.
When the manifest is applied, it uses a hiera data file from
/etc/puppet/hieradata/puppet-stack-config.yaml as input. That file is generated
from a template.

The Puppet modules require a handful of additional inputs for password and
secret items. These inputs are added to the instack.answers.sample file and
instack-install-undercloud.

We're able to remove many items from the static json we're writing out to
/var/lib/heat-cfntools/cfn-init-data, but we still need this for some
configuration as not everything is driven via a Puppet module (os-net-config)
for instance.

Also removes some particular hooks scripts that are no longer needed in
instack-undercloud.

This fix-undercloud-package-installs element is no longer needed. It's
addressing bugs that have already been fixed.

Change-Id: I9b93569f193c58d3e98063a1a90c3946a3a886db
2015-03-17 16:15:55 -04:00