OSSN-0090 [1] recommends deploying two instances of the glance-api
service: a "user facing" service, plus an "internal" service that is
accessible via keystone's internal endpoint.
To support this, the tripleo::profile::base::glance::api class is
enhanced to allow overriding certain associated glance::api parameters.
This makes it possible to override parameters when including the
glance::api class in order to facilitate configuring two different
instances of the glance-api service, each with their own configuration.
The tripleo::haproxy class is enhanced to provide HA support for running
the internal glance-api service on its own TCP port (defaults to 9293).
[1] https://wiki.openstack.org/wiki/OSSN/OSSN-0090
Change-Id: Ideb5a951d538d9e2c7cca11dfe0e8b99520de959
The new parameter allows toggling the apache configuration management.
This will be useful once we get [1] so that we can migrate services to
the new configuration management one by one.
[1] https://review.opendev.org/c/openstack/tripleo-ansible/+/853481
Change-Id: Id1ddbae4946e5c428d0f21ef89e20a11665a370e
The hiera function is deprecated and does not work with the latest
hieradata version 5. It should be replaced by the new lookup
function[1].
[1] https://puppet.com/docs/puppet/7/hiera_automatic.html
With the lookup function, we can define value type and merge behavior,
but these are kept default at this moment to limit scope of this change
to just simple replacement. Adding value type might be useful to make
sure the value is in expected type (especially when a boolean value is
expected), but we will revisit that later.
example:
lookup(<NAME>, [<VALUE TYPE>], [<MERGE BEHAVIOR>], [<DEFAULT VALUE>])
Change-Id: I1e2dcec22f74e47a48d6f29b177c14cd2b41a666
Since database parameters in the base classes were deprecated, it is
likely that db classes are no longer included automatically in a future
release. Let's ensure that the db classes are included so that
database parameters are always set.
Change-Id: I2a28cd1b7a92776b711eb784db3c4a486dcf6a85
This change makes haproxy monitor service availability by sending an
HTTP request which is answered by the healthcheck middleware, to ensure
that the backend api can respond to requests.
Change-Id: Idbfe6a8e110ec24d9fe64e43d82772bb05fa00ba
The keymgr_* parameters are deprecated and these parameters will be
completely migrated to glance::key_manager. This change ensures the new
classes are included.
Depends-on: https://review.opendev.org/772141
Change-Id: Idc5b51db85b007abad34d0d69cf5be9fe51c5f0d
This change fixes the lint errors detected since we removed pins of
lint packages.
Note that this change also replaces absolute name used to call
the tripleo::stunnel::service_proxy resource type, which is not yet
detected by the latest lint rules.
Closes-Bug: #1928079
Change-Id: I12ba801db92cb3df1d05f14f4c150ac765f0b874
This change is prep work to migrate class composition for the image cache
feature from tripleo-heat-templates to puppet-tripleo, so that we can
gather all logic to compose required puppet classes in puppet-tripleo.
Change-Id: I843d72542154a2e278ba257f6b61ed573c7c3860
Glance has a read-only 'http' backend that is obsolete now that tripleo
supports glance multi-store (multiple backends). Glance's web-download
import method no longer relies on the 'http' backend, so tripleo should
no longer include 'http' in the list of enabled backends.
Change-Id: I64ee3a3c8f0dabdeab16968c39ea00b8879f5405
Downcase in puppet 6.14 throws an error if the input to it is Undef. We
can avoid this by checking for a value before trying to downcase.
See context https://review.rdoproject.org/r/#/c/26297/
Change-Id: Ib2e97060523a4198a14949a15c9171b56928699c
Add new tripleo::profile::base::glance::api::multistore_config parameter
to support configuring multiple glance-api backends. The parameter is
optional, and represents a hash of settings for each additional backend.
The existing 'glance_backend' parameter specifies the default backend.
In order to support DCN/Edge deployments, the syntax supports multiple
instances of the 'rbd' backend type. Restrictions are imposed to allow
only a single instance of the 'cinder', 'file' and 'swift' backend types.
Change-Id: I41ab9b3593bf3d078c5bbd1826df8308e3f5e7af
Depends-On: I5a1c61430879a910e7b6c79effba538431959d56
Use memcached to cache token in glance authtoken, as in-process
cache, which we currently use, was already deprecated[1].
[1] Ied2b88c8cefe5655a88d0c2f334de04e588fa75a
Change-Id: Iba9c1df73c00e5eb314cb6bc2cda06ccd6ead96f
Some services are missing the base apache configuration, when
running with TLS and under WSGI. Address that in its base
profiles.
Related-Bug: #1835414
Change-Id: I8148a039ab9dcbc97baff141aae6ebab4c27e16d
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
These have been dropped from some of the puppet classes by default. We
still need to include them so our debug logging works.
Change-Id: I4e65219d9669fdd16b2663b7239354330ffbae38
This solves the problem that bootstrap_nodeid, which is set to the
first node in each role via t-h-t, can match potentially more than
one node - e.g. in the event that a service is deployed such that it
spans more than one role.
The SERVICE_short_bootstrap_node_name is automatically generated
based on the composable service template service_name, and this
considers all roles where the service is enabled, e.g. it should
only evaluate true once regardless of the roles where the service
is enabled.
Change-Id: I48ec4549552910f3cb8db960b0ff10a6c61b4bb9
Partial-Bug: #1792613
Since mounting nfs would run via ansible in t-h-t,
puppet-tripleo glance nfs_mount.pp would no longer be
used.
Hence removing all glance nfs related parts from here.
Depends-On: I232577643c26d7eb0162c09b3c394b7f3e161154
Change-Id: I617c38266d17fdf8cade660207e1e369dcd54fdb
Changing group permissions alters the ACL mask, causing the "read"
permission we set explicitly for the openstack users to be ignored.
This change ensures "read" is set for the ACLs mask.
Change-Id: I4f94a3f7ab2c55a8c45363b8354be99d52980a7b
Closes-Bug: 1775549
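The mask behaviour this commit message describes, as an added example that is not part of the commit or of puppet-tripleo: a small Python model of POSIX ACL evaluation showing how a group-permission change overwrites the mask and how resetting the mask restores a named user's read access. The user name "glance" and the 0600 mode are constructed sample values.

```python
# Added illustration: models POSIX ACL evaluation only; it does not call
# setfacl or chmod. User name and file mode are constructed sample values.
R, W, X = 4, 2, 1

class AclFile:
    """A file with owner/group/other bits, named-user entries and a mask."""

    def __init__(self, mode):
        self.owner = (mode >> 6) & 7
        self.group = (mode >> 3) & 7   # owning-group entry (group::)
        self.other = mode & 7
        self.named_users = {}          # user:<name>: entries
        self.mask = None               # absent until an extended entry exists

    def setfacl_user(self, name, perms):
        """Like `setfacl -m u:<name>:<perms>`: the mask is recalculated as the
        union of the owning-group entry and all named entries."""
        self.named_users[name] = perms
        self.mask = self.group
        for entry in self.named_users.values():
            self.mask |= entry

    def setfacl_mask(self, perms):
        """Like `setfacl -m m::<perms>`: set the mask explicitly."""
        self.mask = perms

    def chmod(self, mode):
        """Once a mask exists, the group bits of chmod are written to the
        mask instead of the owning-group entry."""
        self.owner = (mode >> 6) & 7
        self.other = mode & 7
        if self.mask is None:
            self.group = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7

    def effective(self, name):
        """Effective rights of a named user: its entry ANDed with the mask."""
        return self.named_users[name] & self.mask

def keyring_scenario():
    keyring = AclFile(0o600)
    keyring.setfacl_user("glance", R)     # mask becomes r--
    before = keyring.effective("glance")  # read is effective
    keyring.chmod(0o600)                  # group bits --- overwrite the mask
    broken = keyring.effective("glance")  # ACL entry remains but is masked out
    keyring.setfacl_mask(R)               # set "read" on the mask again
    fixed = keyring.effective("glance")
    return before, broken, fixed
```

On a real host, `getfacl` shows the masked state as an `#effective:---` annotation next to the named-user entry.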
Deployment of a managed Ceph cluster using puppet-ceph
is not supported from the Pike release. From Queens,
use of puppet-ceph is not supported when using an
external Ceph cluster either.
This change removes the old manifests necessary to
support deployment of Ceph via puppet-ceph.
Templates removed by I17b94e8023873f3129a55e69efd751be0674dfcb
Depends-On: I8b22917e7436084028ef4fbe7604d28d6a68bee0
Implements: blueprint remove-puppet-ceph
Change-Id: I052af1f755b40a5fefa1f8d37e62b6b36c931271
This commit introduces separate oslo.messaging services in place of
a single rabbitmq server. This enables the separation of rpc and
notifications, the continued use of single rabbitmq server as well
as the use of alternative oslo.messaging drivers/backends.
This patch:
* adds oslo_messaging_* hiera parameters
* update rabbitmq and qdrouterd services
* add release note
Depends-On: I03e99d35ed043cf11bea9b7462058bd80f4d99da
Depends-On: I934561612d26befd88a9053262836b47bdf4efb0
Change-Id: Ie181a92731e254b7f613ad25fee6cc37e985c315
This commit selects either the rabbitmq hosts or the
hosts associated to oslo.messaging rpc and notify services.
This is required for the transition of t-h-t to the use
of the separated oslo.messaging service backends.
This patch:
* select rpc and notify hosts from rabbitmq or oslo_messaging
* modify qdrouterd inter-router link port
* update qdr unit spec
* add release note
Needed-By: I934561612d26befd88a9053262836b47bdf4efb0
Change-Id: I154e2fe6f66b296b9b643627d57696e5178e1815
This patch will set file system ACLs on the ceph client keyring.
This will help resolve (1) for OSP Ocata and before
Change-Id: I0c1bc3d2362c6500b1a515d99f641f8c1468754a
Partial-Bug: #1720787
1: https://bugzilla.redhat.com/show_bug.cgi?id=1462657
This reverts commit a4d12e02a7.
There is a typo in the manila relationship that causes failures.
Reverting for now to unblock scenario004. The typo should be fixed and
resubmitted.
Change-Id: I69f54418dd603e5819b9da483a04cea3b3f66231
Closes-Bug: #1731688
This patch will set file system ACLs on the ceph client keyring.
This will help resolve (1) for OSP Ocata and before
Change-Id: I353b19a5a3f9a9af110587bd0996f08700335a44
Partial-Bug: #1720787
1: https://bugzilla.redhat.com/show_bug.cgi?id=1462657
The stores parameter should be set with the new parameters
as they are going to be deprecated in the old method.
Change-Id: If272345e96988778ceccb8f2f624db1c38aea365
Closes-Bug: 1704327
The step is typically set with the hieradata setting an integer value:

    {"step": 1}

However it would be useful for the value to be a string so that
substitutions are possible, for example:

    {"step": "%{::step}"}

This change ensures the step parameter defaults to an integer by
calling Integer(hiera('step')).
This change was made by manually removing the undef defaults from
fluentd.pp, uchiwa.pp, and sensu.pp then bulk updating with:

    find ./ -type f -print0 |xargs -0 sed -i "s/= hiera('step')/= Integer(hiera('step'))/"

Change-Id: I8a47ca53a7dea8391103abcb8960a97036a6f5b3
This is now the job of the certmonger_user profile. So these bits are
not needed anymore in the service profiles.
Change-Id: Iaa3137d7d13d5e707f587d3905a5a32598c08800
Depends-On: Ibf58dfd7d783090e927de6629e487f968f7e05b6
Since the commit this depends on sets it up via hieradata, the
conditions here are no longer needed.
bp tls-via-certmonger
Change-Id: I66956f0b85e8e3bf1ab9562221d51d51c230b88e
Depends-On: I693213a1f35021b540202240e512d121cc1cd0eb
This uses the tls_proxy resource added in the previous commit [1] in
front of the Glance API server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to clean
it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Depends-On: Id5dfb38852cf2420f4195a3c1cb98d5c47bbd45e
Change-Id: Id35a846d43ecae8903a0d58306d9803d5ea00bee
Clean up some code that was useful in the effort of removing the Glance
Registry service from TripleO.
Change-Id: I2a4bdc413e953b8b713d9a12bba74ca18487fe0d
The glance database should be created as part of the glance-api service
installation and not the registry. Move the db_sync param to the
glance-api class call.
Change-Id: Ib9f511219e8cb9a7322745b6bd7c4f9c9cc0c198
This patch changes the rabbit_hosts config generation to work properly
with IPv6 addresses.
Closes-Bug: #1639881
Change-Id: I07cd983880a4a75a051e081dcb96134cb5c6f5e8
Previously we did this with Pacemaker, but with the move to NG HA
architecture we lost the ability to use NFS mounts as image storage for
Glance. This reimplements the mounting without utilizing Pacemaker. The
mount is by default also written to /etc/fstab so that it persists over
reboot, but this behavior can be disabled.
This could also go to puppet-glance eventually, but not yet -- we need
this backported to Newton because it's a TripleO regression. I don't
think puppet-glance would allow backporting this to Newton, because from
their point of view it would be a RFE rather than a regression.
Change-Id: I45ad34c36587a8d695069368cf791f1efb68256c
Related-Bug: #1635606
We use the rabbit_hosts configuration for most of our services but we
haven't been adding the configured port. This patch appends the IP port
used provided to the service's heat template to the IPs in the list.
Note: while we could use the value set for the rabbitmq server in
rabbitmq::port, it doesn't allow for dealing with SSL. This is also
backwards compatible with the RabbitClientPort parameters used in the
heat templates.
Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
Closes-Bug: #1633580
Instead of hard-coded yaml aliases in t-h-t, make each service
profile that requires rabbit default to the list of rabbit ips.
Note this could still be extended in future to e.g enable per
service rabbit clusters, but the default is to lookup the
hiera which should be logically equivalent to current t-h-t.
Change-Id: Ie53c93456529420588eb1927703ea91b54095d87
Partially-Implements: blueprint custom-roles
As we are starting to manually check overcloud services
the first step is to check that the puppet profiles
are all aligned.
Changes applied:
No logic added or removed in this submission.
Removed unused parameters.
Align header comments structure.
All profiles parameters sorted following:
"Mandatory params first sorted alphabetically
then optional params sorted alphabetically."
Note: Following submissions will check pacemaker,
cinder, mistral and redis services in the base profiles
as some of them have the $pacemaker_master parameter
defaulted to true.
Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
These can be controlled via the specific Pacemaker role template.
Depends-On: I91a4267f0fc230f63df3333747d28463c7ae55fe
Change-Id: I8ef7bb94e048b998712b3534ceb51a7d10d016e9