Commit Graph

1317 Commits

Author SHA1 Message Date
Alex Schultz 87abe05ba0 Retire instack-undercloud
instack-undercloud is no longer in use by the TripleO project. Removing
the code to avoid confusion. Stable branches will continue to be
maintained for their life however no new features should be added.

Change-Id: I63a813c7c1ffd30ca30017133d31a497b77a9a4d
Blueprint: remove-instack-undercloud
2018-10-30 12:16:18 +00:00
Alex Schultz 1a0714a864 Include missing config classes
If an operator wanted to configure something currently not available via
hieradata, they would only be able to do so for nova as it includes
::nova::config. This change adds the config classes for aodh, gnocchi,
keystone, neutron, swift, heat, ironic, mistral, and zaqar.

Change-Id: I3946e23cc5955d7c1a4dc4771d2708a6c8c2974b
Closes-Bug: #1793361
2018-09-19 12:06:57 -06:00
Rajesh Tailor b012ddaddc Expose nova.conf config lines to be used as hiera overrides
Included nova::config in undercloud puppet-stack-config
puppet manifest so that nova configuration parameters can
be overridden using hiera overrides.

Change-Id: I71bc5ed35cc41139481ceb51216183e6c703cf01
2018-09-11 12:16:41 +05:30
Emilien Macchi 8dcb08a4ec use the new puppet-nova parameter for sync_power_state_interval
Use the new sync_power_state_interval parameter from puppet-nova to
avoid any breakage in the future, like Puppet resource duplication
error.

Depends-On: Ie82d88f16b42d4405853153460e20f38ba42714a
Change-Id: Ia2cff1c5f4bee28ff1d2b513f2d0b061ab0bbe83
2018-09-04 08:23:12 -04:00
Harald Jensås 7bcdb7f7de Add start/stop command for ironic-inspector-dnsmasq
When the PXE filter's dhcp-hostsdir is purged on start/stop
of the ironic-inspector service, inspector's dnsmasq service
must also be restarted to ensure that the dhcp server config
is updated as well.

Partial-bug: #1780421
Depends-On: Ie961ec4d3b6b65a462e2d2493f5b9240c2bfa7a6
Change-Id: I22c7be368b62ef93efabcbd2c13599625ea45548
2018-08-20 14:06:54 +02:00
Cédric Jeanneret ed96987af5 Set Red Hat default SSHD configuration properly
Currently, the sshd configuration generated on RHEL does not reflect
the default RHEL configuration:

Port 22

AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes

The default RHEL sshd configuration has some more stuff in it, especially
regarding the logging and accepted environments:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem	sftp	/usr/libexec/openssh/sftp-server

In addition, with release >Queens, the configuration is managed directly in
tripleo-heat-templates, and will look like the standard RHEL one.

Change-Id: I4803615fb6b8066b0c1afe2b0b7cbbd9d50aff40
2018-08-09 10:43:30 +02:00
Zuul be5fa9744f Merge "Set connect_timeout in mysql" 2018-08-03 18:08:27 +00:00
Zuul 26ce50fe5d Merge "Restart rsyslog after installing Swift" 2018-07-30 09:46:38 +00:00
Thomas Herve 98592c2b07 Set connect_timeout in mysql
This sets the connect_timeout in mysqld, to work around issues with Heat
losing connection to MySQL in the undercloud under load.

Closes-Bug: #1783995
Change-Id: Ia3799cdaf171892431151e4f2f7d2095081b8242
2018-07-27 15:04:33 +02:00
Michele Baldessari c3ccb92d64 Configure keepalived before rabbitmq
Sometimes an undercloud could fail to install with the following error:
2018-05-29 12:53:17,588 INFO: May 29 12:53:08 foo.int.bar systemd[1]: Starting RabbitMQ broker...
2018-05-29 12:53:17,588 INFO: May 29 12:53:11 foo.int.bar rabbitmq-server[14327]: ERROR: epmd error for host foo: address (cannot connect to host/port)
2018-05-29 12:53:17,588 INFO: May 29 12:53:11 foo.int.bar systemd[1]: rabbitmq-server.service: main process exited, code=exited, status=1/FAILURE

1) The hostname of the box is
foo.int.bar foo

and in the hosts file we have the following entry: 192.168.248.2
192.168.248.2 foo.int.bar foo

Note: 192.168.248.2 is a VIP managed by keepalived because we configured this
undercloud to be an SSL one so we have:
undercloud_public_host = 192.168.248.2

2) At this stage we see rabbitmq-server being started:
Jan 27 06:46:31 foo.int.bar systemd[1]: Starting Flexible Branding Service...
Jan 27 06:46:31 foo.int.bar systemd[1]: epmd@0.0.0.0.socket failed to listen on sockets: Address already in use
Jan 27 06:46:31 foo.int.bar systemd[1]: Failed to listen on Erlang Port Mapper Daemon Activation Socket.
Jan 27 06:46:31 foo.int.bar systemd[1]: Unit epmd@0.0.0.0.socket entered failed state.
Jan 27 06:46:31 foo.int.bar systemd[1]: Starting Erlang Port Mapper Daemon Activation Socket.
Jan 27 06:46:31 foo.int.bar systemd[1]: Starting RabbitMQ broker...
Jan 27 06:46:34 foo.int.bar rabbitmq-server[14532]: ERROR: epmd error for host foo: address (cannot connect to host/port)

Now epmd might have already been up (and normally the failed message is
not particularly concerning). But the real problem is that we are trying
to connect to foo which maps to a VIP, but the VIP gets started only
later by keepalived:
3)
Jan 27 07:02:30 foo.int.bar Keepalived_vrrp[914]: VRRP_Instance(42) Sending/queueing gratuitous ARPs on br-ctlplane for 192.168.248.2
Jan 27 07:02:30 foo.int.bar Keepalived_vrrp[914]: Sending gratuitous ARP on br-ctlplane for 192.168.248.2

Let's make sure keepalived is up and running before rabbitmq in order to
fix this.

Change-Id: I010102b01e41610838c836a743a07be1965944d6
Closes-Bug: #1782814
2018-07-21 14:24:23 +02:00
Christian Schwede d3c6857a49 Restart rsyslog after installing Swift
This ensures that Swift logs end up in /var/log/swift/swift.log.

Closes-Bug: 1781350
Change-Id: Id5a6083f5dc3f8c569e0d0778722c1e52ff7cdef
2018-07-12 12:52:53 +02:00
Zuul 08e00ea71a Merge "Add the undercloud mistral user to the docker group" 2018-06-27 22:40:36 +00:00
Steve Baker 6f583eb113 Add the undercloud mistral user to the docker group
This is required for mistral actions to perform image prepare
operations (pull, build, push)

Change-Id: I301ea04e4dbb3809ce247c0c620b0f087dedb5f9
Blueprint: container-prepare-workflow
2018-06-25 23:06:00 +00:00
Sofer Athlan-Guyot aab11800fe Make sure we start nova-compute after ironic-conductor.
We need to ensure that ironic-conductor starts before nova-compute.
This is to work around an issue where nova-compute tries and fails to
call plug_vifs; this in turn reports a vm_state error which, in this
case, is a false positive.  See lp#1777608 for more.

We ensure ordering by forcing puppet to restart nova-compute after
ironic-conductor in the case of undercloud upgrade/update.

Change-Id: Ifbada53f088258a397777a6fa18dd7c1b37c09d3
Closes-Bug: #1777475
2018-06-23 13:37:07 +02:00
Zuul cedf5e0d0d Merge "Fall back to puppet-ntp defaults" 2018-06-20 03:57:08 +00:00
yatin 176bc689f7 Remove usage of deprecated rabbit params
The rabbit param was removed from puppet-neutron in [1].
The required transport_url is taken care of by puppet-stack-config.yaml.
This patch removes the usage of the removed rabbit_hosts param.

[1] https://review.openstack.org/#/c/570307/

Closes-Bug: #1777616
Change-Id: I9d561aa2e2f71b8892580950e9664d62f956773d
2018-06-19 09:32:43 +00:00
Alex Schultz d49442152a Fall back to puppet-ntp defaults
If the ntp server is not configured in the undercloud.conf, we should
fall back to the defaults provided by puppet-ntp otherwise we end up
with an invalid ntp configuration.

Change-Id: I0000e1cf736b513dbc58c0d39f7e1c0137b660dd
Closes-Bug: #1777140
2018-06-18 09:40:50 -06:00
Bob Fournier 41c401ca65 Allow local_mtu to be set to value greater than default (1500)
The neutron global_physnet_mtu must be set to the configured local_mtu
in order to set local_mtu to a value greater than 1500. Otherwise
the neutron configuration will fail during the undercloud install.

Change-Id: Iaadff350a14a2cfb4bf545065f6d12eab49ba125
Closes-Bug: #1774271
2018-05-30 16:52:20 -04:00
Zuul ad1b8113e7 Merge "Remove support for classic drivers" 2018-05-30 09:38:25 +00:00
Harald Jensås 4366fa8b14 Fix duplicate entries in /etc/sysconfig/iptables
Commit e49688be98
introduced filters for ephemeral firewall rules
managed by Ironic Inspector's iptables PXE filter.
These new filters cause duplicate entries in the
persisted firewall rules.

sed expression '/-m comment --comment/p' was used
to ensure the ironic-inspector api port is not
accidentally removed. But the expression also
matches several other entries causing duplicates
to be written.

This change enhances the expression to check for
'-m comment --comment' and 'ironic-inspector'.

Related-Bug: #1771128
Change-Id: I6ac397e786f66e33c523edb94613181040c15f19
2018-05-17 07:35:27 +00:00
Dmitry Tantsur 0c2c55c504 Remove support for classic drivers
They are deprecated and will be removed from Ironic. A similar change
was already done to the containerized undercloud.

Change-Id: If442f103adc03ec97f9e995d5e2bc47dfc097f90
2018-05-16 11:13:59 +00:00
Zuul 38befed4f8 Merge "Remove ironic_host_manager usage" 2018-05-15 23:46:03 +00:00
Emilien Macchi 8c30db7218 puppet: deprecation message for non-containerized undercloud
Show a deprecation message in the Puppet catalog so people know we
deprecate underclouds deployed by instack-undercloud in Rocky.

Also add a release note for deprecation.

Change-Id: I4ca1478ea22060ada7f35bf74575fa08c8471d73
2018-05-10 03:47:37 +00:00
Zuul 0581cf690c Merge "Wrap heat signal URLs if IPv6" 2018-05-09 00:43:36 +00:00
Jill Rouleau 864d220d8f Remove deprecated rabbit params
Remove the deprecated rabbit params which have been deprecated
for two years. The default_transport_url has been present for
a while now and should be used. Rabbit params have already been
removed from some puppet modules, see for example change
I337249e64bb5c3379db60f71608fb2d39b600294

Change-Id: I770b2a7f49ee033a01821a6ce2f391397366d995
2018-05-04 12:47:30 -07:00
Matt Riedemann ea7c83d332 Remove ironic_host_manager usage
The baremetal scheduling options were deprecated
in Pike and the ironic_host_manager was deprecated
in Queens and has now been removed. Deployments
must use resource classes now for baremetal scheduling.

Depends-On: I695b250c82c8dcedcd8e2bee00c56bb2df19212c
Change-Id: I20d45db6925f7534837e8d00d4d78f06b7c9897d
2018-05-02 16:22:24 +00:00
Zuul b730998987 Merge "Introduce docker_insecure_registries parameter" 2018-05-01 12:25:43 +00:00
Emilien Macchi 2ee1ebfd34 Introduce docker_insecure_registries parameter
Introduce docker_insecure_registries, which is an array of host/port
combinations of docker insecure registries. The default value will
be the previous parameters that were hardcoded, but now we can easily
override it in undercloud.conf.

Note: the feature is already supported for the containerized undercloud
but was only missing in instack-undercloud. This patch will be
backported.

Depends-On: I14fda3481ac88429648bed8edb2f4469b33be957
Change-Id: I402ebb80b1d755cdb0c3c28fd542121bc60cb144
Closes-Bug: #1767373
2018-04-28 21:59:56 +00:00
Juan Antonio Osorio Robles 09f400f3de novajoin: Add higher default timeout for nova vendordata plugins
The default timeout of 5s has proven to be quite tight and tends to
fail. So we up the timeout to 30s instead.

Change-Id: I5717bdaf7bda3c9146aa9d269d0296b74b0ede54
Closes-Bug: #1760118
2018-04-27 16:54:55 +03:00
Zuul 8c421446d5 Merge "Replace deprecated auth_uri by www_authenticate_uri." 2018-04-25 21:35:16 +00:00
Harald Jensås e49688be98 Masquerading: do NOT persist ephemeral firewall rules
Puppet class tripleo::firewall makes an effort to not
persist ephemeral firewall rules created by neutron and
ironic-inspector. In instack-undercloud the rules are
persisted anyway because we run iptables-save when
configuring masquerading.

This changes the masquerading to also filter the rules,
similar to what we do in tripleo::firewall.

Additionally, filtering of the Ironic Inspector iptables
pxe_filter rules is implemented.

Closes-Bug: #1765700
Change-Id: I0cebfe4177981958c6e1a3b4b772f0a365f79e39
2018-04-23 18:12:53 +02:00
Emilien Macchi 0498f5a64e Always deploy NTP
No matter how many NTP servers we have in undercloud.conf, we need NTP
service running correctly, so the undercloud is always on time.
The default configuration already provides sane defaults
(X.centos.pool.ntp.org) so let's configure the service all the time.

Change-Id: I946f055b119ea878c893bd333ebb5f2c9d68ea6d
2018-04-20 19:05:57 +00:00
Derek Higgins 9d981b88e9 Wrap heat signal URLs if IPv6
Change-Id: Ic2e9f45446e307cee1f1261a42ee2c728d6a15cf
Closes-Bug: #1757196
2018-04-20 11:22:53 +01:00
Jose Luis Franco Arza be9bc031ff Replace deprecated auth_uri by www_authenticate_uri.
The auth_uri option has been deprecated in favor
of www_authenticate_uri from group keystone_authtoken
in puppet-keystone [0] and keystonemiddleware [1].

This patch adds the new option www_authenticate_uri
until the old auth_uri option is deprecated from
the rest of the packages, at which point the auth_uri
references will be removed.

[0] https://review.openstack.org/#/c/558344/
[1] https://review.openstack.org/#/c/508522/

Change-Id: Ie3f59495b1ac43c1a35d912a2da170399652a10e
Related-Bug: #1761171
2018-04-18 10:47:58 +02:00
Zuul 2633e98788 Merge "Enable missing support for large objects in Swift" 2018-04-10 01:54:19 +00:00
Christian Schwede ea55f3de12 Enable missing support for large objects in Swift
The slo and dlo middlewares are required to enable support for large
objects (> 5GB). Also enabling the copy & versioned_writes middleware,
which enables object copying and versioning.

Change-Id: Iff73833f1d470750862873f70a4a9aaba50bd164
2018-04-09 15:22:26 +02:00
Juan Antonio Osorio Robles b1fe5c01bd Always include certmonger_user
This makes sure we always include the certmonger_user profile, which
installs the local CA (if that's the one we're using). This is necessary
for when we deploy TLS by default in the overcloud.

It also makes the setting of the certificate specification to be
optional and to depend on the generate_service_certificate flag.

Change-Id: I8b46ce3f9cd6e36d0b8f604b49e4113301461a4c
2018-04-04 12:44:50 +03:00
Zuul d9e00b42cd Merge "Add purge shadow tables to instack-undercloud" 2018-03-27 17:39:52 +00:00
Zuul 95da0b59b8 Merge "Use the new dnsmasq PXE filter in ironic-inspector" 2018-03-26 19:56:04 +00:00
Dmitry Tantsur 5e1a4d9f0b Use the new dnsmasq PXE filter in ironic-inspector
With the introduction of routed networks there can be
a situation where baremetal nodes on remote segments
are unintentionally introspected. Using the dnsmasq
based PXE filtering driver in ironic inspector fixes
the issue.

Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Closes-Bug: #1756075
Change-Id: I53d6c5718c7f9112d578ec6f73830830d2c71737
Depends-On: I056cdadc025f35d8b6fd22f510a7c0a8e259a1f0
2018-03-23 13:54:51 +01:00
Carlos Camacho f9b54b8a0b Add purge shadow tables to instack-undercloud
This will add the purge cron.

Change-Id: Ia99cd83dae1ed35b4cb6f035c445617f1e40f490
2018-03-22 13:56:33 +00:00
Oliver Walsh 122807b013 Set undercloud nova notification_format to 'unversioned'
Currently there is no consumer for the versioned notification queue, which
results in the queue growing infinitely large. Until we have a consumer set
the notification format to 'unversioned' only.

Change-Id: I972dd8513c6706d03c328c961bd77eea2672bba2
Resolves-Bug: #1734185
2018-03-21 09:45:13 +00:00
Zuul 79601c6c3e Merge "Remove duplicate entry for neutron::service_plugins" 2018-03-17 20:42:37 +00:00
Zuul 27f905a629 Merge "Add configuration for the Nova proxy endpoint" 2018-03-14 17:03:19 +00:00
Zuul 8f5367d9ae Merge "Remove cloud-init and disable os-collect-config" 2018-03-14 13:13:36 +00:00
Honza Pokorny b0894d0ba9 Add configuration for the Nova proxy endpoint
Change-Id: I1de069a4d3786af030530a100982087c0784889e
Partial-Bug: #1755560
2018-03-13 15:17:09 -03:00
Emilien Macchi a52ba3e9a7 [CVE-2018-1000115] memcached: restrict to TCP & localhost
https://access.redhat.com/security/cve/cve-2018-1000115

Restrict Memcached to only work on TCP and localhost.
The restriction is made at the application and firewall levels.
It will prevent DDoS amplification attacks using memcached.

Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
Related-Bug: #1754607
2018-03-12 22:29:58 +00:00
Derek Higgins 565a7f41be Remove duplicate entry for neutron::service_plugins
"segments" was needed for routed networks in
I4b384bab2af9f6ba07a137a37f4098a00ce18bc0;
it should have been added to the existing list.

Closes-Bug: #1754683
Change-Id: I1cfb6b56b520124e8c5b95968dd61f98945f689b
2018-03-09 15:07:58 +00:00
Alex Schultz 998230da5c Remove cloud-init and disable os-collect-config
If a user uses a guest image for the undercloud, cloud-init may be
installed, which can also cause other services like os-collect-config to
be running. We should ensure that cloud-init is removed and that the
os-collect-config service is disabled to prevent it from interfering with
overcloud deployments.

Change-Id: I58f6fc4b299c8f1f561205ac9a2de75c46467ba8
Closes-Bug: #1754426
2018-03-08 11:07:33 -07:00
Zuul ee94c3a259 Merge "Enable automatic migration for classic drivers to hardware types" 2018-03-06 23:08:22 +00:00