31 Commits

Author SHA1 Message Date
Ghanshyam Mann c2ff9b8f49 Retire Tripleo: remove repo content
TripleO project is retiring
- https://review.opendev.org/c/openstack/governance/+/905145

This commit removes the content of this project repo

Change-Id: I7f1dc7801a025d9bb28110f74340846b99870b79
2024-02-24 11:43:13 -08:00
Juan Larriba 6c290124b9 Remove the Backup and Restore ReaR Heat templates
In ancient times, B&R used heat templates to deploy ReaR to the
controllers. Since a long time, this has been superseded by an ansible
playbook run by openstack overcloud backup --setup-rear. Now, that
feature is duplicated, so we remove the possibility of installing
ReaR with heat.

A deprecation notice has been submitted to stable/train in patch #847148

Related-Bug: rhbz#2097611
Change-Id: Ic01c44ba35b6d28cb45879b1006633ac1fcf8d19
2022-06-29 11:52:28 +02:00
Zuul 82a95ab73d Merge "Add ReaR service to all roles" 2021-04-23 14:12:20 +00:00
Michele Baldessari 97016b2012 Add FRR service
This adds support for BGP via the OS::TripleO::Services::Frr service.
Spec: https://review.opendev.org/c/openstack/tripleo-specs/+/758249

We create the frr configuration via the corresponding tripleo_frr
ansible role at step0. We start the FRR container at deployment step
1 before pacemaker gets configured as the routing to all the other nodes
needs to be functional before setting up the cluster.

Co-Authored-By: Carlos Gonçalves <cgoncalves@redhat.com>

Change-Id: I7cef73c57e7b69f4d031e220c954803afd5e0b8c
2021-03-13 18:25:42 +00:00
Grzegorz Grasza e329ca915e Generate certificates using ansible role
This is using linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.

Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
2021-03-10 16:28:22 +01:00
Takashi Kajinami 6ff238199d Add ReaR service to all roles
This patch adds ReaR service to some roles currently without it,
because this service is expected to be added to all roles when rear
service templates were introduced initially[1].

[1] 79bd7c447b

Note that this patch doesn't add ReaR service to Ceph roles because
generally we don't expect taking backup of Ceph nodes by ReaR.

Change-Id: I8222c39925a3ba3172fa03ae8931a6de3fb021a1
2020-08-14 14:55:05 +09:00
Emilien Macchi ac2711c72b Switch to Podman by default
- Remove Docker service from all the roles; not needed anymore
- Switch ContainerCli to podman for docker-ha environment. Note: this
  environment might be renamed at some point to container-ha.yaml. But
  for backward compatibility we still use it now.
  Also switch EnablePaunch to false since we were waiting for the podman
  switch to do it.
- In the overcloud registry, disable Docker by default and enable Podman
  by default.

This patch will only work for centos8/rhel8 based deployments.

Change-Id: I561c52ce09c66a7f79763c59cd25f15949c054af
2020-03-18 09:27:36 -04:00
Martin Magr b3ffd695fd Remove sensu-client service
Sensu client has been deprecated and its functionality substituted
by collectd-sensubility. This patch removes sensu-client composable
service

Change-Id: I4be68eb7319b2c92cc7d0fc9df7a5c87dfb5106c
2019-10-01 12:07:46 +02:00
Martin Magr 5ccf8951e5 Remove fluentd composable service
This patch removes fluentd composable service in favor of rsyslog composable service
and modifies *LoggingSource configuration accordingly.

Change-Id: I1e12470b4eea86d8b7a971875d28a2a5e50d5e07
2019-08-29 13:52:55 +01:00
Martin Magr 8727ef050c Rsyslog composable service
This patch adds rsyslogd composable service with the same behaviour
the fluentd composable service currently has.

Co-Authored-By: Juan Badia Payno <jbadiapa@redhat.com>
Change-Id: I18e349c450a42dc7e9867d200e777a324e2d12bc
2019-07-18 15:41:28 +00:00
Mathieu Bultel a59a188a6b Force ansible serial to 1 for the Controller
By introducing update_serial variable we parallelize update
execution on non-pacemaker enabled nodes. Custom role data users
need to update their role files. By default we do serial 1 making
sure nothing changes for users who didn't update their role data.

Resolves: rhbz#1652057
Closes-Bug: #1831617

Change-Id: I4ee0110a6c2b9466d81e37e5df27f5f81a6eceb5
2019-06-07 14:25:54 +02:00
Ade Lee 2a83856585 Move ipa enrollment to host_prep_tasks
This addresses a possible bug when using FreeIPA to do TLS
everywhere.

It is possible that the IPA server is not on the ctlplane.
In this case, when the nodes start up, the registration of the node
with IPA will fail, resulting in failed certificate issuance requests
later on.

We introduce a composable service to run in host_prep_tasks.
This will always run once the networks have been set up.  If the
instance has already been enrolled (by cloud-init or in an update),
then the script executed by the service will just exit.

In this iteration, we simply execute the code that the cloud-init
would have done.  In later releases, we will execute all the code
performed by novajoin-server here in ansible - and deprecate the
novajoin server.

Change-Id: I31f64c3cbd1d151e3c2a436cc3e2ec5316535087
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Resolves: rhbz#1661635
Closes-Bug: #1815924
2019-02-14 16:07:17 +00:00
Harald Jensås 2f2d8183e6 L3 routed networks - subnet fixed_ips (3/3)
When using neutron routed networks we need to specify
either the subnet or an ip address in the fixed-ips-request
when creating neutron ports.

a) For the VIPs:

Adds VipSubnetMap and VipSubnetMapDefaults parameters in
service_net_map.yaml. The two maps are merged, so that the
operator can override the subnet where VIP port should be
hosted. For example:

parameter_defaults:
  VipSubnetMap:
    ctlplane: ctlplane-leaf1
    InternalApi: internal_api_leaf1
    Storage: storage_leaf1
    redis: internal_api_leaf1

b) For overcloud node ports:

Enrich 'networks' in roles definition to include both
network and subnet data. Changes the list to a map
instead of a list of strings. New schema:

- name: <role_name>
  networks:
    <network_name>:
      subnet: <subnet_name>

For backward compatibility a conditional is used to check
if the data is a map or not. In either case the internal
list of role networks is created as '_role_networks' in
the jinja2 templates.

When the data is a map, and the map contains the 'subnet'
key the subnet specified in roles_data.yaml is used as
the subnet in the fixed-ips-request when ports are created.
If subnet is not set (or role.networks is not a map) the
default will be {{network.name_lower}}_subnet.

Also, since the fixed_ips request passed to Vip ports are no
longer [] by default, the conditional has been updated to
test for 'ip_address' entries in the request.

Partial: blueprint tripleo-routed-networks-templates
Depends-On: I773a38fd903fe287132151a4d178326a46890969
Change-Id: I77edc82723d00bfece6752b5dd2c79137db93443
2019-01-03 19:07:20 +01:00
Harald Jensås eaa8f8c2e9 Add Storage network to IronicConductor role
When Ironic uses the 'direct' deploy interface it requires
access to swift. To access swift it needs the storage
network.

Change-Id: Ie49b961bb276dff0e5afbf82b450caa57d17f6ff
2018-11-27 07:27:09 +00:00
karthik s 512c032a0b Add bootparams service for all roles
NIC partitioning requires IOMMU to be enabled on roles using it.
By adding the BootParams service to all the roles, we could
enable IOMMU selectively by supplying the role specific parameter
"KernelArgs". If a role doesn't use NIC Partitioning then
"KernelArgs" shall not be set and backward compatibility would
be retained.

Change-Id: I2eb078d9860d9a46d6bffd0fe2f799298538bf73
2018-11-19 05:02:07 -05:00
Zuul 714680051e Merge "Introduce OS::TripleO::Services::Podman" 2018-10-02 11:45:36 +00:00
Emilien Macchi 7bebdefda8 Introduce OS::TripleO::Services::Podman
Podman service will be in charge of installing, configuring, upgrading
and updating podman in TripleO.

For now, the service is disabled by default but included in all roles.
In the cycle, we'll make it the default.

Note: when Podman will be able to run in TripleO without Docker,
we'll do like https://review.openstack.org/#/c/586679/ and make it as
a generic service that can be switched to either podman or docker.
But for now, we need podman & docker working side by side.

Depends-On: Ie9f5d3b6380caa6824ca940ca48ed0fcf6308608
Change-Id: If9e311df2fc7b808982ee54224cc0ea27e21c830
2018-10-02 01:47:46 +00:00
Bob Fournier 366cd639a6 Add networks to IronicConductor role.
The IronicConductor.yaml file was missing networks.

Change-Id: I7be814c269091bd6ceb45f066356acbb856d0f55
2018-09-20 09:24:31 -04:00
Alex Schultz f7f9053963 Create a Timesync service declaration
In order to support switching between multiple timesync backends, let's
simplify the service configurations for the roles so that there is a
single timesync service.  This timesync service should point to the
expected backend (ntp/ptp/chrony).

Change-Id: I986d39398b6143f6c11be29200a4ce364575e402
Related-Blueprint: tripleo-chrony
2018-09-04 21:00:56 +00:00
Martin Mágr b76d7623ac QDR for metrics collection purposes
This patch adds a new composable service (QDR) for containerized deployments.
Metrics QDR will run on each overcloud node in 'edge' mode. This basically
means that there is a possibility that there will be two QDRs running
on controllers in case that oslo messaging is deployed. This is a reason why
we need separate composable service for this use case.

Depends-On: If9e3658d304c3071f53ecb1c42796d2603875fcd
Depends-On: I68f39b6bda02ba3920f2ab1cf2df0bd54ad7453f
Depends-On: I73f988d05840eca44949f13f248f86d094a57c46
Change-Id: I1353020f874b348afd98e7ed3832033f85a5267f
2018-07-31 21:55:45 +00:00
lhinds 7e68dbdf8c Implements AIDE Intrusion Detection System
Introduces a service to configure AIDE Intrusion Detection.

This service inits the database and copies the new database
to the active naming. It also sets a cron job, using email if
`AideEmail` is populated, otherwise the reports are sent to
`/var/log/aide/`.

AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.

Related-Blueprint: tripleo-aide-database
Depends-On: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
Change-Id: I23d8ba2c43e907372fe079026df1fca5fa1c9881
2018-01-15 13:10:16 +00:00
Emilien Macchi 6a6872f390 Introduce OS::TripleO::Services::Rhsm
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.

Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logic
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role work.
The parameter can be overridden per role, so we can think of specific
cases where some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.

Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.

Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.

Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
2017-12-27 11:03:49 -08:00
Juan Antonio Osorio Robles 898ad4f54b Add IPSEC composable service
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.

bp ipsec

Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
2017-12-05 13:10:18 +00:00
lhinds 502fde7a64 Implements management of `/etc/login.defs`
Enables management of shadow password directives in login.defs

By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.

This change will in turn allow operators to adhere to security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.

bp login-defs

Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae
Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637
2017-11-29 09:23:25 +00:00
Lars Kellogg-Stedman f982eb55c4 logging: merge fluentd-client and fluentd-base
The fluentd implementation was originally split across multiple files
in order to support both client and server services. We ultimately
decided to only implement the client as part of tripleo so this
division is no longer necessary.  This commit merges
fluentd-client.yaml and fluentd-base.yaml into fluentd.yaml, and
renames things appropriately.

Partial-bug: #1715187
Depends-On: Iace34b7baae8822d2233d97adabf6ebc8833adab
Change-Id: Idb9886f04d56ffc75a78c4059ff319b58b4acf9f
2017-11-17 11:04:52 +01:00
Derek Higgins a850d8059f Add IronicPxe to the default controller
It doesn't exist in the non containerized openstack so leave it
stubbed out by default.

Change-Id: I5fcb1f0b9958ac90f034a12f1ee733dae6571f9c
2017-09-25 17:07:47 +01:00
Alex Schultz 50c975d159 Add missing Docker service
The example composable roles are missing the docker service declaration
so they currently do not work when trying to deploy with containerized
services.

Change-Id: I986ae561b950e74aacea10bce84673e8d0c9bd97
Closes-Bug: #1713755
2017-08-29 09:31:03 -06:00
Bogdan Dobrelya 8a03456056 Add logrotate with crond service
Add a docker service template to provide containerized services
logs rotation with a crond job.
Add OS::TripleO::Services::LogrotateCrond to CI multinode-containers
and to all environments along with generic services like Ntp or Kernel.
Set it to OS::Heat::None for non containerized environments and
only enable it to the environments/docker.yaml.

Closes-bug: #1700912

Change-Id: Ic94373f0a0758e9959e1f896481780674437147d
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-08-21 08:56:29 +02:00
Juan Antonio Osorio Robles 0bf9c789c7 Add certmonger user profile to all overcloud roles
This is needed for TLS everywhere, else the certs won't be requested.

Change-Id: I9849e009843683a75fefa6e9f4b8213bcff3a889
Closes-Bug: #1711424
2017-08-17 20:40:19 +03:00
Joe Talerico c2b2cc555a Adding Tuned Service
Allow the user to set a specific Tuned profile on a given host.

Defaults to throughput-performance

Change-Id: I0c66193d2733b7a82ad44b1cd0d2187dd732065a
2017-07-25 17:08:37 +00:00
Dmitry Tantsur 977b8ec502 Add an example IronicConductor role
Change-Id: I8dca09372a58b6dacbb8e65602e1b0bdb6c01ae7
Related-Blueprint: example-custom-role-environments
2017-06-15 08:03:09 +02:00