Commit Graph

49 Commits

Author SHA1 Message Date
Martin Schuppert 56ebb309ed Add missing parts from step2: flatten nova service configuration
[1] missed some parts from puppet/services/nova-libvirt.yaml, which
broke tls-everywhere as the qemu-nbd-client-cert was not created;
also the file was not removed after the merge.

Changes:
- added missing parts from puppet/services/nova-libvirt.yaml
- removed no longer needed ENV parameters for
  nova_cell_v2_discover_host.py
- re-added /etc/my.cnf.d to nova_cell_v2_discover_host
- deleted puppet/services/nova-libvirt.yaml

[1] https://review.openstack.org/633278

Change-Id: I8d476fd7a040d275cd70ea8393386443b557fe4d
Closes-Bug: #1815888
2019-02-14 16:29:32 +01:00
Martin Schuppert fe9372eceb Add support for native TLS encryption on NBD for disk migration
The NBD protocol previously ran in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS for the NBD clients & servers
provided by QEMU was added. In the tls-everywhere use case we want to
take advantage of this feature to create the certificates and configure
qemu to use NBD TLS.

Closes-Bug: 1793093
Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
Depends-On: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45
Depends-On: I347881cf4822583179c0c042c42fa1e33dbcedd2
Change-Id: I7d9df304d75bdbe36ecdfe50e5ce6b42a53063cc
2019-01-18 10:52:35 +00:00
Alex Schultz fb0e8f62fc Convert dynamic lookups to use colon notation
With the upgrade to puppet 5, we can no longer use dots in the hieradata
key lookups. This change updates the THT for firewall_rules,
haproxy_endpoints and haproxy_userlists to use the colon notation.

Change-Id: I6f67153e04aed191acb715fe8cfa976ee2e75878
Related-Bug: #1803024
2018-11-12 21:21:49 -07:00
Martin Schuppert 654961a480 Add nova file_backed_memory and memory_backing_dir support for qemu.conf
The libvirt driver now allows utilizing file backed memory for qemu/KVM
virtual machines, via a new configuration attribute
``[libvirt]/file_backed_memory``, defaulting to 0 (disabled).

``[libvirt]/file_backed_memory`` specifies the available capacity in MiB
for file backed memory, at the directory configured for
``memory_backing_dir`` in libvirt's ``qemu.conf``. When enabled, the
libvirt driver will report the configured value for the total memory
capacity of the node, and will report used memory as the sum of all
configured guest memory.

Running Nova with file_backed_memory requires libvirt version 4.0.0 and
qemu version 2.6.0.

This introduces parameters QemuMemoryBackingDir and NovaLibvirtFileBackedMemory

Resolves-Bug: 1793687
Depends-On: I0d9eb21fcab01266e501b7fc63c5b2bbb244956a

Change-Id: I47e2f92fb2ed3e66d4bf31814eac9090382ef4e1
2018-09-26 15:14:08 +02:00
Oliver Walsh ffe6345e35 Use fqdn for live_migration_inbound_addr
Nova currently doesn't handle this correctly if it's an IPv6 address.

Change-Id: I9e4ef1fef98bf22d54ce962b889585bcb3e7508a
2018-08-07 17:13:30 +01:00
Martin Schuppert 547552fc7b Set configure_qemu to true to get qemu port range applied
With https://review.openstack.org/#/c/561784 we changed the default
migration port range to '61152-61215'.
nova::migration::qemu::configure_qemu needs to be set to true so that
the config gets applied via puppet-nova.

Change-Id: Iad4b392c9fe7426f2ce10a02fadd8b1aeee34ef6
Closes-bug: 1779820
Depends-On: Idadfc7b3507977f1385e846a48a734ed0e5f0a32
2018-07-03 11:24:39 +02:00
Carlos Camacho 44ef2a3ec1 Change template names to rocky
The new master branch should point now to rocky.

So, HOT templates should specify that they might contain features
for the rocky release [1].

Also, this submission updates the yaml validation to use only the latest
heat_version alias. There are cases in which we will need to set
the version for specific templates, i.e. mixed versions, so a
variable is added to assign specific templates to specific heat_version
aliases, avoiding the introduction of errors by bulk replacing
the old version in new releases.

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky
Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
2018-05-09 08:28:42 +02:00
Zuul 8a8d820d66 Merge "Set live_migration_inbound_addr for ssh transport" 2018-05-01 08:37:42 +00:00
Oliver Walsh 9faea7204c Set live_migration_inbound_addr for ssh transport
Currently this is only set when TLS is enabled, which means that with the ssh
transport we cannot control the network used, and we are relying on DNS or
hosts file to be correct, which is not guaranteed (especially with DNS).

Related-Bug: 1765462
Depends-On: Ifdc5fbd05195604ab6ea6564d0905f9385c6df67
Change-Id: I89011d06233dafb5ca3bbb45431387ebda521711
2018-04-24 15:00:51 +01:00
Rajesh Tailor 3da3f5d8de Modify libvirt port range for live-migration
By default, libvirtd uses ports 49152 to 49215 for live-migration,
as specified in qemu.conf.

Since these ports are a subset of the ephemeral port range, which is
32768 to 61000 on Linux, they can be consumed by any other service
as well. This causes live-migration to fail with the error below:

Live Migration failure: internal error: Unable to find an unused
port in range 'migration' (49152-49215)

This uses a port range outside the ephemeral port range.

Change-Id: I2039eca87c11638faf6262259b7bcface982f5c6
2018-04-18 11:05:52 +05:30
Oliver Walsh ab78b1fcc1 Correct the InternalTLSVncCAFile to comply with selinux policy
InternalTLSVncCAFile currently defaults to /etc/ipa/vnc.crt.
Certmonger attempts to save the CA cert to this path as cert_t, however
/etc/ipa is etc_t.
Moving to /etc/pki/CA/certs, which is cert_t, resolves the issue, and is
arguably a more suitable location.

Change-Id: Ib275fc43dd772851511598a4932c19fcda706479
2018-04-06 17:42:30 +01:00
Steven Hardy 3a7baa8fa6 Convert ServiceNetMap evals to hiera interpolation
Since https://review.openstack.org/#/c/514707/ added the net_ip_map
to hieradata, we can look up the per-network bind IPs via hiera
interpolation instead of heat map_replace.

In some cases the ServiceNetMap lookup is used for other things,
but anywhere we make use of the "magic" translation via NetIpMap
is changed the same way.

This will enable more of the configuration data to be exposed per
role vs per node in a future patch (to simplify our ansible
workflow).

Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com>
Change-Id: Ie3da9fedbfce87e85f74d8780e7ad1ceadda79c8
2018-03-10 08:18:30 +00:00
Oliver Walsh 37a339d2b0 Add support for libvirt VNC TLS
Configures certs/key for nova-novnc vencrypt when TLS is enabled on the
internal network. A dedicated IPA sub-CA can be used to restrict access,
however by default the main IPA CA is used.

Depends-On: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
Change-Id: I67ffd847dc2d1949833a9d7039ad51e4364e02da
2018-02-22 15:46:39 +00:00
Giulio Fidente 0b1afb48e5 Allows for configuration of the Ceph cluster name
To be able to support multiple Ceph clusters, an initial step is
to allow for configuration of each cluster name.

Depends-On: I8d5293eaaf104b6374dfa13992a67ddc37397f10
Implements: blueprint custom-ceph-cluster-name
Change-Id: I1b4d51ca6a2d08fa7a68eea680eb104eff732057
2018-02-20 11:35:01 +01:00
Carlos Camacho 927495fe3d Change template names to queens
The new master branch should point now to queens instead of pike.

So, HOT templates should specify that they might contain features
for the queens release [1].

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens

Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
2017-11-23 10:15:32 +01:00
Oliver Walsh 2aab6971ba Re-enable libvirt TLS with SCRAM SHA-1 auth
Depends-On: Ic9335829fe39eaf4e76385f651a77b293793571a
Depends-On: I137040560b3c40fedff6feffb40125b1d1451cb6
Change-Id: I3c2a7921426bcd99d6340a913787edfb9bbd8bbd
Closes-bug: 1732479
2017-11-17 13:09:01 +00:00
Juan Antonio Osorio Robles 645757cbd6 Disable live migration over TLS
Because it doesn't use a separate CA (or sub CA) for libvirtd, and
proper SASL is not being used, we are disabling this option since it
doesn't meet the appropriate security requirements. We'll look into
adding this back once these issues get fixed.

Change-Id: I6a5e4db1b6dd6bc8b7e73e53b614b070d15b8a23
Closes-Bug: #1730370
2017-11-07 10:14:45 +02:00
Oliver Walsh 17fd16b9f2 Support for Ocata-Pike live-migration over ssh
In Ocata all live-migration over ssh is performed on the default ssh port (22).
In Pike the containerized live-migration over ssh is on port 2022 as the
docker host's sshd is using port 22.

To allow live migration during upgrade we need to temporarily pin the Pike
computes to port 22 and in the final converge we can switch over to port 2022.

This also changes the default port to 2022 for baremetal computes in Pike to
enable live-migration between baremetal and containerized computes.

Change-Id: Icb9bfdd9a99dc1dce28eb95c50a9a36bffa621b1
Depends-On: I0b80b81711f683be539939e7d084365ff63546d3
Closes-Bug: 1714171
2017-09-07 12:20:34 +01:00
Juan Antonio Osorio Robles 81faff09ca Configure listen_address for libvirtd when TLS is enabled
It wasn't being configured, and the default is to listen on all
interfaces. This fixes that.

Change-Id: I00da25474fb1544eabdedaf126e67d5a6617f02f
Closes-Bug: #1712475
2017-08-23 08:24:32 +03:00
Jenkins 6fafefd35e Merge "Let mds create manila key and fs" 2017-08-21 17:22:50 +00:00
Jan Provaznik ad8589212c Let mds create manila key and fs
ceph-ansible will take care of setting up client keys both
in ceph and on the client side. It will also create the filesystem
for manila. To ensure that the manila manifest can work in the future
both with puppet and with ceph-ansible, creation of the filesystem
is moved to the ceph-mds manifest and creation of the manila key on the
ceph side is moved to ceph-base (so the manila key is always created);
the manila key is added to ceph-external for external ceph deployments.
Key creation is removed from manila.pp in patch
I2b5567a39ac8737e80758b705818cc1807dc8bf1

Change-Id: I6308a317ffe0af244396aba5197c85e273e69f68
Related-To: Ia3ef9e9a2b159dacea01e38762145ff2bcc7ba27
Depends-On: I3f18bbe476c4f43fa4e162cc66c5df443122cd0c
2017-08-18 16:22:10 +02:00
Ben Nemec fb2c13795d Extend VNC port range
Per the attached bug, if a large number of instances are colocated
on a single compute node it is possible to exhaust the allowed VNC
ports.  This change extends the range to include 1024 ports, which
with the default 16x overcommit ratio in Nova means we could handle
a fully loaded 64 core server.  That's _probably_ overkill, but I
think it makes sense to overshoot a bit on this and ensure nobody
runs into weird problems because their VNC ports weren't allowed
through the firewall.

Change-Id: Ia48602e82b8e0fbb585371ea514eea3c2334dab0
Closes-Bug: 1678025
2017-08-14 10:23:38 -05:00
Giulio Fidente c20033524d Set virsh secret with an init step when using Ceph
Run virsh secret-define and secret-set-value in an init step
instead of relying on the puppet-nova exec.

Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Change-Id: Ic950e290af1c66d34b40791defbdf4f8afaa11da
Closes-Bug: #1709583
2017-08-09 16:19:39 +02:00
Oliver Walsh 4a7f3398f1 Add support for nova live/cold-migration with containers
Updates hieradata for changes in https://review.openstack.org/471950.
Creates a new service - NovaMigrationTarget. On baremetal this just configures
live/cold-migration. On docker it includes a container running a second sshd
service on an alternative port.
Configures /var/lib/nova/.ssh/config and mounts it in the nova-compute and
libvirtd containers.

Change-Id: Ic4b810ff71085b73ccd08c66a3739f94e6c0c427
Implements: blueprint tripleo-cold-migration
Depends-On: I6c04cebd1cf066c79c5b4335011733d32ac208dc
Depends-On: I063a84a8e6da64ae3b09125cfa42e48df69adc12
2017-07-23 02:26:55 +01:00
Giulio Fidente 391a38e91c Add nova::compute::rbd setting into nova-libvirt profile
Some of the tasks carried out by the nova::compute::rbd class apply to the
compute service, others to the libvirt service, so it needs to be
included in both.

Change-Id: I28557deb13b75922932cd3e86c3467a541c988d0
2017-07-19 15:18:33 +02:00
Giulio Fidente baf6eee501 Adds network/cidr mapping into a new service property
Makes it possible to resolve network subnets within a service
template; the data is transported into a new property, ServiceData,
wired into every service, which hopefully is generic enough to
be extended in the future and transport more data.

Data can be consumed in service templates to set config values
which need to know the subnet where a daemon operates (for
example the Ceph Public vs Cluster network).

Change-Id: I28e21c46f1ef609517175f7e7ee19e28d1c0cba2
2017-07-14 13:44:04 +02:00
Carlos Camacho 0a0e2ee629 Update the template_version alias for all the templates to pike.
Master is now the development branch for pike, so this changes
the release alias name.

Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-05-19 09:58:07 +02:00
Saravanan KR a096ddab34 Add role specific information to the service template
When a service is enabled on multiple roles, the parameters for the
service will be global. This change enables an option to provide
role specific parameters to services and other templates.

Two new parameters - RoleName and RoleParameters - are added to the
service template. RoleName provides the name of the role on which the
current instance of the service is being applied. RoleParameters
provides the list of parameters which are configured specific to the
role in the environment file, like below:

  parameter_defaults:
      # Default value applied to all roles
      NovaReservedHostMemory: 2048
      ComputeDpdkParameters:
          # Applied only to the ComputeDpdk role
          NovaReservedHostMemory: 4096

In the above sample, the cluster contains 2 roles - Compute and ComputeDpdk.
The values of ComputeDpdkParameters will be passed on to the templates
as RoleParameters while creating the stack for the ComputeDpdk role. A
parameter which supports role specific configuration should look for the
parameter first in the RoleParameters list; if not found, then the
default (for all roles) should be used.
Implements: blueprint tripleo-derive-parameters

Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-15 10:06:46 +05:30
Juan Antonio Osorio Robles 6ff78ce2fe Internal TLS: use common CA file parameter for libvirt CA cert
libvirt has its own parameter for setting the CA, however, if we have a
common CA for all services in the internal network (which we do), it's
more consistent to use the common parameter for configuring that CA
file.

The previous parameter was left in case the deployer wants to use a
specific CA file for the compute nodes.

Change-Id: I3d132d3d257d7ea9f43e49593f8509c3cd205ca5
2017-05-03 12:46:14 +03:00
Jenkins b5675f3b7f Merge "TLS-everywhere: Enable for TLS libvirt live migration" 2017-04-20 11:20:14 +00:00
Juan Antonio Osorio Robles fa740c5e49 TLS-everywhere: Enable for TLS libvirt live migration
This relies on using the default paths for certs/keys used by libvirt
and is only enabled if TLS-everywhere is enabled.

bp tls-via-certmonger
Depends-On: If18206d89460f6660a81aabc4ff8b97f1f99bba7
Depends-On: I0a1684397ebefaa8dc00237e0b7952e9296381fa
Change-Id: I0538bbdd54fd0b82518585f4f270b4be684f0ec4
2017-04-19 09:20:00 +00:00
Oliver Walsh 0271a63e52 Add migration SSH tunneling support
This enables nova cold migration.

This also switches to SSH as the default transport for live-migration.
The tripleo-common mistral action that generates passwords supplies the
MigrationSshKey parameter that enables this.
The TCP transport is no longer used for live-migration and the firewall
port has been closed.

Change-Id: I4e55a987c93673796525988a2e4cc264a6b5c24f
Depends-On: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: I9e7a1862911312ad942233ac8fc828f4e1be1dcf
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
2017-04-15 16:53:40 +01:00
Juan Antonio Osorio Robles 064f7d6b44 Configure VNC Server listen address through t-h-t
This adds an entry for libvirt (which is used by the VNC server) through
which we can tell it, via t-h-t, which IP address to listen on.

Change-Id: Ie377c09734e9f6170daa519aed69c53fc67c366b
Related-Bug: #1660099
2017-02-01 22:35:42 +02:00
Pradeep Kilambi 87bcf6bb29 Expose enabled_perf_events libvirt options
For the cache monitoring technology feature to work, the nova libvirt
config settings should have perf events enabled so that nova emits
them and telemetry can capture them.

Depends-On: Ia27e6831f3f6e9cdeaacb650039be5c81b90cb40

Change-Id: I92c318008b965a6527acbce85b41a545eda7ee18
2017-01-03 15:27:10 -05:00
Jenkins 71102bcc36 Merge "Increase libvirt/qemu.conf max_files and max_processes" 2017-01-03 19:39:52 +00:00
Steven Hardy 3c6ec654b4 Bump template version for all templates to "ocata"
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.

This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.

Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-23 11:43:39 +00:00
Giulio Fidente 600f9b2031 Increase libvirt/qemu.conf max_files and max_processes
When Nova and/or Cinder are using Ceph as backend, qemu will need
to open a connection and two threads for each and every Ceph OSD.

This change raises the max_files (set to 1024 by default) to 32768
and the max_processes (set to 4096 by default) to 131072. The max
number of FDs is per-process, while the max number of processes is
per-user. The values can be overridden via ExtraConfig, no params
are added to the templates.

A more detailed description of why the values were chosen can be
found at: https://access.redhat.com/solutions/1602683

Change-Id: I1e79675f6aac1b0fe6cc7269550fa6bc8586e1fb
Depends-On: I258afd3ee6633e4b2ebc45aa8611be652476be0c
2016-12-16 21:52:13 +01:00
Emilien Macchi fa5a9add9f nova: add missing vnc console port in firewall
- Remove vncproxy firewall rules from nova-api service
- Add vncproxy firewall rules to nova-vncproxy service
- Add console port range firewall rules to nova-libvirt service

Change-Id: I421ae21c130cac6f25e7c0869b941ba77441172c
2016-11-03 18:22:21 +00:00
Emilien Macchi d006338bd4 nova/libvirt: add missing ports for live-migration
Some ports are missing to support live-migration. This patch adds them.

Documented here:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/migrating-instances/chapter-1-how-to-migrate-a-live-instance

Change-Id: I72634a9940c11602522322235e51bf27cb664e57
2016-11-03 18:22:14 +00:00
James Slagle 1c4ade1d66 Open port 16509 for libvirt for live migration
Port 16509 should be opened for tcp traffic to enable live migration.

See Also:
http://docs.openstack.org/admin-guide/compute-configuring-migrations.html

Previously, we were not enabling any iptables rules on the Compute
Roles, so this is a regression.

Change-Id: Ie4abf53dc2a8171af48d02e34a1a3ad43f27cfb3
Closes-Bug: #1635427
2016-10-20 17:25:21 -04:00
Martin Mágr 25ad7b8e1e Availability monitoring agents support
- adds the possibility to install sensu-client on all nodes
- each composable service has its own subscription

Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Michele Baldessari <michele@redhat.com>
Implements: blueprint tripleo-opstools-availability-monitoring
Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
2016-08-31 09:22:59 -04:00
Dan Prince 3b62761d2f Add DefaultPasswords to composable services
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).

Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.

Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18 12:45:30 -04:00
Giulio Fidente 885b37c80e Pass ServiceNetMap to services
This will be needed to pick the network where the service has
to bind to from within the service template.

Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-08-18 12:36:18 -04:00
Dan Prince 4e05d138c6 Move Nova settings out of puppet/compute.yaml
This finishes moving most of the config settings out of
compute.yaml for Nova and into the proper nova-* services.

Only the bind port/VIP related Nova settings remain now and those
will be dealt with in a follow up patch.

Change-Id: I1c40e7d54c11dfff2aaa6438c7701e98da17ebe6
Related-Bug: #1604412
2016-08-15 13:07:58 -04:00
Steven Hardy 7df649f59e Convert service_name to underscore syntax
Currently we use hyphens, e.g. cinder-api, but in overcloud.yaml
we have a lot of references to services (e.g. for AllNodesConfig)
by underscore, e.g. cinder_api. To enable dynamic generation of
this data, we need the service name in underscore format.

Change-Id: Ief13dfe5d8d7691dfe2534ad5c39d7eacbcb6f70
2016-07-28 16:31:36 +01:00
Jenkins f00ed98048 Merge "Move nova::db data within service template" 2016-07-25 08:12:49 +00:00
Giulio Fidente 55e84b6100 Move nova::db data within service template
Change-Id: I86752248e59a2e98f8ff9b2c5998839f9ade4779
2016-07-22 15:21:37 +02:00
Dan Prince 6b30ff11d4 Add 'service_name' to composable services
This patch adds a new service_name section to each composable
service. We now have an explicit unit test check to ensure that
service_name exists in tools/yaml-validate.py.

This patch also wires service_names into hieradata on each
of the roles so that tools can access the deployed services locally
during deployment and upgrades.

Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
2016-07-22 07:29:39 -04:00
Emilien Macchi 9f1b58e8ac First iteration of libvirt and nova-compute as composable services
This is a first iteration of implementing libvirt and nova compute as
composable services.

Note: some parameters are still in puppet/compute.yaml -- we'll move
them in a later iteration.

Implements: blueprint composable-services-within-roles

Depends-On: I0b765f8cb08633005c1fc5a5a2a8e5658ff44302
Change-Id: I752198cdf231ef13062ba96c3877e5defd618c3a
2016-06-30 23:05:20 -04:00