instack-undercloud is no longer in use by the TripleO project. Removing
the code to avoid confusion. Stable branches will continue to be
maintained for their life however no new features should be added.
Change-Id: I63a813c7c1ffd30ca30017133d31a497b77a9a4d
Blueprint: remove-instack-undercloud
When the PXE filter's dhcp-hostsdir is purged on start/stop
of the ironic-inspector service inspectors dnsmasq service
must also be restarted to ensure that the dhcp server config
is updated as well.
Partial-bug: #1780421
Depends-On: Ie961ec4d3b6b65a462e2d2493f5b9240c2bfa7a6
Change-Id: I22c7be368b62ef93efabcbd2c13599625ea45548
This sets the connect_timeout in mysqld, to work around issues with Heat
losing connection to MySQL in the undercloud under load.
Closes-Bug: #1783995
Change-Id: Ia3799cdaf171892431151e4f2f7d2095081b8242
Show a deprecation message in the Puppet catalog so people know we
deprecate underclouds deployed by instack-undercloud in Rocky.
Also add a release note for deprecation.
Change-Id: I4ca1478ea22060ada7f35bf74575fa08c8471d73
Introduce docker_insecure_registries that is an array of host/port
combiniations of docker insecure registries. The default value will
be the previous parameter that were hardcoded, but now we can easily
override it in undercloud.conf.
Note: the feature is already supported for the containerized undercloud
but was only missing in instack-undercloud. This patch will be
backported.
Depends-On: I14fda3481ac88429648bed8edb2f4469b33be957
Change-Id: I402ebb80b1d755cdb0c3c28fd542121bc60cb144
Closes-Bug: #1767373
auth_uri option has been depreacted in favor
of www_authenticate_uri from group keystone_authtoken
in puppet-keystone [0] and keystonemiddleware [1].
This patch adds the new option www_authenticate_uri
until the old auth_uri option is deprecated from
the rest of packages, moment in which auth_uri
references will be removed.
[0] https://review.openstack.org/#/c/558344/
[1] https://review.openstack.org/#/c/508522/
Change-Id: Ie3f59495b1ac43c1a35d912a2da170399652a10e
Related-Bug: #1761171
With the introduction of rotued networks there can be
a situation where baremetal nodes on remote segments
are unintentionally introspected. Using the dnsmasq
based PXE filtering driver in ironic inspector fixes
the issue.
Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Closes-Bug: #1756075
Change-Id: I53d6c5718c7f9112d578ec6f73830830d2c71737
Depends-On: I056cdadc025f35d8b6fd22f510a7c0a8e259a1f0
This enables TLS by defalut in the undercloud. This is done by setting
the generate_service_certificate option to True by default, although,
the deployer can turn it off if needed.
Change-Id: Id329081c06343373309d6880d464ba99aba0c7be
It used to be the case that if you give both a user-provided
certificate, and set the flag for instack to autogenerate the
certificate, the autogenerated one took precedence. This is not ideal
since it might not be what the user expects (especially if we switch to
using TLS by default).
Closes-Bug: #1755497
Change-Id: Ia8aa52d80999ad278501ca8ecf0638ef8de6ca19
https://access.redhat.com/security/cve/cve-2018-1000115
Restrict Memcached to only work on TCP and localhost.
The restriction is made at the application and firewall levels.
It will prevent DDoS amplification attacks using memcached.
Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
Related-Bug: #1754607
Ironic use binding:vnic_type baremetal for flat interfaces.
The baremetal mechanism driver is required to bind this
vnic_type correctly.
The L2 agent populates segmenthostmapping data in neutron
which is a requirement for routed-networks.
Implements: blueprint tripleo-routed-networks-deployment
Change-Id: I8e192df9068c3f5d6657f5ea92e7e2f44646c290
The new online data migration in ironic will migrate nodes from classic drivers
to hardware types. However, it will skip nodes with one or more target
hardware interfaces not enabled. In the undercloud we don't enable certain
implementations that we do not support (e.g. "agent" RAID and
"ipmitool-shellinabox" console for the "ipmi" hardware type).
To allow the migration to work, set a special option to reset these
interfaces to their no-op equivalents ("no-raid", "no-console", etc).
Change-Id: Iba1e82d47c0e22613b06b99f0a9d0f4b3082bbe7
Related-Bug: #1690185
Other OpenStack services clients are being installed as dependencies of
Heat. Octavia support in Heat was included during Queens development
cycle [1]. TripleO deployments will include python-octaviaclient as
requirement of Heat. This means the Octavia client will be installed in
the undercloud and overcloud regardless.
This reverts commit fef5be332e.
[1] https://review.openstack.org/#/q/topic:bug/1737567+(status:open+OR+status:merged)
Change-Id: I727503b6c1acf1953a0ad864ae6288021a745193
With Ieabb2ded33ec0c0b68f21c9afa16a9baddc61393 using
subnet-to-segment mapping is made optional. This
updates the releasenote.
Change-Id: I6292bb68f195b8cf319401d4ba20c441193b4178
In the change to keystone sessions and Mistral client 3.2.0 the
exception raised when fetching an environment that doesn't exist
changed. This adds the new exception but continues to catch the previous
one.
Closes-Bug: #1749186
Change-Id: I304547b9ecabe4e387339c8561bbae8651cd9db6
Allow installation of the Octavia client in the Undercloud by setting
new option enable_octavia=True in the undercloud.conf. Default is not to
enable.
Change-Id: I2b27dac2f30a126e6519d19cc135ea6eea59e8a9
Reducing the frequency of the Mistral cron trigger subsystem greatly reduces
the load that is has on the system. Previously it would query the
database every second, now it will only do this every 10 minutes.
Closes-Bug: #1747386
Depends-On: I6445ff1b6691a098f15e8402ae9d971e751f5552
Depends-On: I9060253bc416be28af4ef81f3edf694059d92066
Change-Id: I18ae5bc0b2192a393959186ba756d1e6a6c62d83
* Enable the neutron segments service_plugin for routed
provider networks.
* Update controlplane network code to create segments
for each subnet.
A number of options related to ctlplane network is deprecated.
More details in release notes.
Implements: blueprint tripleo-routed-networks-ironic-inspector
Implements: blueprint tripleo-routed-networks-deployment
Depends-On: I33804bfd105a13c25d6057e8414e09957939e8af
Change-Id: I4b384bab2af9f6ba07a137a37f4098a00ce18bc0
This new deploy interface works by SSHing into IPA and using ansible to
orchestrate all deployment actions.
Change-Id: Ic697d50710a9ad92f70386b8dd74019e8cd5320b
Implements: blueprint ansible-deploy
Panko ssl port should be 13977 as defined in puppet tripleo
haproxy resource. Due to this we have a mismatch
and undercloud events fail to work.
Closes-bug: #1732459
Change-Id: I7d01af154cc9e13a30107e810cbaf951fb751f1c
Ironic is going to deprecate classic drivers in Queens and remove them in Rocky.
This change enables hardware types ilo and idrac that correspond to already
enabled classic drivers pxe_ilo and pxe_drac. It also adds support for other
common hardware types, but does not enable them by default.
The enabled_drivers option is deprecated.
Partial-Bug: #1690185
Change-Id: Ib505f3512627c49d17d6adcdc2622bdfe580a84f
Increasing the heat db-sync from 5 to 15 minutes.
During an undercloud upgrade, the database can be very big and the
dbsync needs at least 10 minutes to run. So we override the Puppet
default value of 5 minutes to have a timeout of 15 minutes for
production deployments.
Change-Id: I7720bd68a3d6044287ccdebf77086a86c51ddd8f
Closes-Bug: #1726959
Ceilometer API is deprecated and disabled in pike. Lets remove
this starting queens as its not supported anymore.
Change-Id: I738e8743a315cc2865ba6d1e64c23498e911a283
Collector was moved to legacy mode in pike and
not supported anymore. Lets drop collector
starting queens.
Change-Id: I952103e39f63d278988a73035d7194b9e351ad31
Keystone upstream removed v2.0 APIs so we can't fallback on v2 endpoints
anymore and we have to provide domains parameters to use v3 API.
This patch aims to do it.
Change-Id: I42c8fa4025be8d059ed902eaefc51dc0c21dc581
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Closes-Bug: #1721366
The resource managed in Juan's patch is ignored. We could force it with spaceship <||> but the right and Puppet way to do it, is with Hiera. I'm reverting this patch and I'll propose another one like I did in my early patchsets with Hiera (and correct parameters this time).
This reverts commit 003e373b04.
Change-Id: I0dcdfe204587dac7922aee0726285e5c4f41aaf5
Keystone upstream removed v2.0 APIs so we can't fallback on v2 endpoints
anymore and we have to provide domains parameters to use v3 API.
This patch aims to do it.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Id3fcc24614f6bf67079c07a6296ff371f51a1770
Closes-Bug: #1721366
We want to turn this on for Queens, and we might as well do it early
in the cycle so we have a chance to address any issues that may come
up.
We also want to migrate any existing stacks to use the convergence
engine to reduce the support matrix. This patch includes a post-config
step do so.
Change-Id: I96952f78cb95252d2bc6c0df64561d07df51dc5a
By default puppet only sets gnocchi as the publisher, we also need
panko, so events gets sent to both endpoints.
Change-Id: Id4d4f62cd71e87503a99c8dad6f0aeef1e9dbdb3
Deploy Mistral with Keystone v3 options (authtoken) like we do for other
services.
Change-Id: Ibc57b881c2ee99ca76ae5f38737959fb896f87f7
Depends-On: Id0d683037d232e7269e401d9b818aec09e5ed4ab
Posting the revert of the revert :) so we can eventually land this.
Not clear yet how these validations are causing this
https://bugs.launchpad.net/tripleo/+bug/1713832
This reverts commit 6c3ca0cf57.
Change-Id: I9e85ccefffa5edcee0dca58a53d782a5428c3d18
After tripleo-common workbooks are loaded, we create a new cron trigger in
Mistral. This will run the `publish_ui_logs_to_swift` workflow every hour.
Also makes sure that we are deleting the cron-triggers before deleting
the workflows
Change-Id: Ic60be51e46b56cbae9c4b5071ec8bfd908cccd5d
Depends-On: I2affd39e85ccfdbaa18590de182104715cfbbed4
Depends-On: I636873c0db4b3dbf66a0c5a856fee4dcb644ac3c
Depends-On: Ifa7d6eb43ea86e97ef5707d378901d3e2c074a7a
Implements: blueprint websocket-logging
There is a race condition that makes overcloud deployment
randomly failing. See the bug report.
Reverting for now because the gate is failing too much
times on it and we don't have a proper solution.
Partial-Bug: #1713832
This reverts commit dd3398f214.
Change-Id: I18a55efc78b6dc5fcb83248961eee078cdd6e89d