kubernetes mode is always enabled, the flag cannot be used to
enable or disable it.
The option in the CLI will be removed completely once the wiki
and any test tools are updated.
The code that handles the "else" will also be updated in a
later commit
Story: 2004751
Task: 29756
Change-Id: I75a81ab852252ee108fefeca5682e5b1a9d7374e
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
Currently docker images were pulled from public registries during
config_controller. For some users, the connection to the public
docker registry may be slow such that installing the containerized
services images may timeout or the system simply does not have
access to the public internet.
This change allows users to specify alternative public/private
registries to replace k8s.gcr.io, gcr.io, quay.io and docker.io.
Insecure registry is supported if all default registries were
replaced by one unified registry. It lowers the complexity for
those who build his own registry without internet access.
Docker doesn't support ipv6 addr as registry name, instead
hostname or domain name in ipv6 network is allowed.
Test:
AIO-SX/AIO-DX/Standard(2+2):
Alternative public registry (ipv4/domain) with proxy
- config_controller pass
Private registry (ipv4/ipv6/domain) without internet
- config_controller pass
Default registry with/without proxy
- config_controller pass
Story: 2004711
Task: 28742
Change-Id: I4fee3f4e0637863b9b5ef4ef556082ac75f62a1d
Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
(cherry picked from commit 611a68a96a)
There is an instance that sm claimed its main thread ran sluggish
as some critical timer run behind the scheuled timing.
The issue could prevent the sm from scheduling services.
As the result, the controller could fail to enable.
The issue was found only on vbox labs on AIO-SX, the fix is to boost
sm process priority to nice value -10 from current -2.
Closes-Bug: 1816764
Depends-On: https://review.openstack.org/638664
Change-Id: Iafa17b1c47d65cc7394552ea1c8e7a78398e4869
Signed-off-by: Bin Qian <bin.qian@windriver.com>
(cherry picked from commit a6934ac9d2)
After stx-openstack applied, the stx-openstack reapply shouldn't
trigger the charts reinstallation if there has no overrides changed
for charts. However, the reinstallation happens after swacting active
controller to controller-1 due to the generated images overrides on
controller-1 are different from before. The images overrides generation
requires walking through the stx-openstack charts stored under
/scratch, but charts do not exist on controller-1's /scratch as it's
an unreplicated filesystem. This causes the images overrides to differ
between controller-1 and controller-0.
This commit updates to walk through charts and get the images for
charts during application-upload, then save the images list for each
chart into the existing images file under aramda directory
/opt/platform/armada. The images file would be used for retrieving
the images for charts to generate images overrides.
Closes-Bug: 1816173
Change-Id: I4f00c3031decb063f8f126d0c837acd4dde56fc3
Signed-off-by: Angie Wang <angie.wang@windriver.com>
(cherry picked from commit cb4b30bf56)
Currently docker images were pulled from public registries during
config_controller. For some users, the connection to the public
docker registry may be slow such that installing the containerized
services images may timeout or the system simply does not have
access to the public internet.
This change allows users to specify alternative public/private
registries to replace k8s.gcr.io, gcr.io, quay.io and docker.io.
Insecure registry is supported if all default registries were
replaced by one unified registry. It lowers the complexity for
those who build his own registry without internet access.
Docker doesn't support ipv6 addr as registry name, instead
hostname or domain name in ipv6 network is allowed.
Test:
AIO-SX/AIO-DX/Standard(2+2):
Alternative public registry (ipv4/domain) with proxy
- config_controller pass
Private registry (ipv4/ipv6/domain) without internet
- config_controller pass
Default registry with/without proxy
- config_controller pass
Story: 2004711
Task: 28742
Change-Id: I4fee3f4e0637863b9b5ef4ef556082ac75f62a1d
Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
After stx-openstack applied, the stx-openstack reapply shouldn't
trigger the charts reinstallation if there has no overrides changed
for charts. However, the reinstallation happens after swacting active
controller to controller-1 due to the generated images overrides on
controller-1 are different from before. The images overrides generation
requires walking through the stx-openstack charts stored under
/scratch, but charts do not exist on controller-1's /scratch as it's
an unreplicated filesystem. This causes the images overrides to differ
between controller-1 and controller-0.
This commit updates to walk through charts and get the images for
charts during application-upload, then save the images list for each
chart into the existing images file under aramda directory
/opt/platform/armada. The images file would be used for retrieving
the images for charts to generate images overrides.
Closes-Bug: 1816173
Change-Id: I4f00c3031decb063f8f126d0c837acd4dde56fc3
Signed-off-by: Angie Wang <angie.wang@windriver.com>
In the move of gnocchi static configurations from the overrides to
the Armada manifests, some configs were put in the wrong location.
This commit fixes this.
Story: 2003909
Task: 29535
Change-Id: Iac0ada67b7a7f6c44540c731fb505090362489a1
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
There is an instance that sm claimed its main thread ran sluggish
as some critical timer run behind the scheuled timing.
The issue could prevent the sm from scheduling services.
As the result, the controller could fail to enable.
The issue was found only on vbox labs on AIO-SX, the fix is to boost
sm process priority to nice value -10 from current -2.
Closes-Bug: 1816764
Depends-On: https://review.openstack.org/638664
Change-Id: Iafa17b1c47d65cc7394552ea1c8e7a78398e4869
Signed-off-by: Bin Qian <bin.qian@windriver.com>
Docker and kubernetes add rules to iptables, which can end up
persisted in /etc/sysconfig/iptables by calls to iptables-save.
When the puppet manifest is applied during node initialization,
kubernetes is not yet running, and any related iptables rules
will fail.
This update disables the restoration of iptables rules from
previous boots, to ensure the puppet manifest does not fail
to apply due to invalid rules. However, this means that in
a DOR scenario (Dead Office Recovery, where both controllers
will be intializing at the same time), the firewall rules
will not get reapplied.
Firewall management will be moved to Calico under story 2005066,
at which point this code will be removed.
Change-Id: I43369dba34e6859088af3794de25a68571c7154c
Closes-Bug: 1815124
Signed-off-by: Don Penney <don.penney@windriver.com>
Move all horizon static configurations from the overrides to the
Armada manifest.
This is being done so we have a consistent way of managing
containerized openstack configurations. Static configurations will
be located in the Armada manifest and dynamic configuration will be
located in the overrides files.
Story: 2003909
Task: 29635
Change-Id: I4abbc0eb158304774134e2d60f2b666c0d90bbd8
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
This was causing a failure in computes unlock process where the
Platform::Dns class cannot be found.
Closes-bug: 1817126
Change-Id: I0a9e9b60580944a49b9672803fc05216f204b222
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
There are cases where the kubernetes taint is not present on,
or has already been removed from, a newly configured standby
controller. This causes the taint removal command run by the
puppet manifest to fail. This failure can be safely ignored,
so the command is updated by this commit to always return
success.
Change-Id: Icdb55738e052c65a28e44582e345038b0de83c37
Closes-Bug: 1815795
Signed-off-by: Don Penney <don.penney@windriver.com>
- downloading the Cirros image fails in glance-bootstrap if
the hardcoded requested image is not found
- to workaround this issue, we disable the download and creation
of the Cirros image in glance-bootstrap through the overrides
-> this has no other impact as the image can be created after
the chart's installation using "openstack image create"
Change-Id: I418eb236f5eceb0124eb73787fe12e2f0aa2d9e1
Closes-Bug: 1814142
Signed-off-by: Irina Mihai <irina.mihai@windriver.com>
when we run "system dns-modify" command, the command will response after
sysinv-db was updated, and file "/etc/resolv.conf" will be updated
asynchronously by another process "sysinv-agent". Once the attr
"_ihost_personality" of agent is None(initial value), it will not update
file "/etc/resolv.conf" and will not inform sysinv client also,
which will lead command dns-modify failed silently.
This patch will retry function iconfig_update_file by which sysinv-agent
update file "/etc/resolv.conf" when attr "_ihost_personality" is None.
Closes-bug: 1812269
Change-Id: I3a0437750a53607c04932c1b9b818e83903bb28b
Signed-off-by: SidneyAn <ran1.an@intel.com>
There was no mariadb replica override for the ingress pod. On AIO-SX
this caused two pods to be scheduled. When anti-affinity was added to
mariadb this broke application-apply on AIO-SX.
The mariadb ingress pod replication will be set to the number of
controllers.
Change-Id: Icf3f1979720629904ca9ddcabf59e8ecfab709e5
Story: 2004520
Task: 29570
Signed-off-by: David Sullivan <david.sullivan@windriver.com>
`helm init` is being execute before networking and DNS is properly
configured in the controller. A dependency was added to kubernetes
to setup DNS, helm manifest was updated to depend on kubernetes.
Also, the `--skip-refresh` flag was added to helm init for second
controller to avoid timeout scenarios on proxy enviroments.
Closes-Bug: 1814968
Change-Id: I65759314b3a861e7fdb428889aa5f5c1c7037661
Suggested-by: Mingyuan Qi <mingyuan.qi@intel.com>
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
Move all gnocchi and ceilometer static configurations from the
overrides to the Armada manifest.
This is being done so we have a consistent way of managing
containerized openstack configurations. Static configurations will
be located in the Armada manifest and dynamic configuration will be
located in the overrides files.
Story: 2003909
Task: 29535
Change-Id: Ieab861cb1751146b70f722e70b8f89d81c0ed9a5
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
Move all heat static configurations from the overrides to the
Armada manifest.
This is being done so we have a consistent way of managing
containerized openstack configurations. Static configurations will
be located in the Armada manifest and dynamic configuration will be
located in the overrides files.
Story: 2003909
Task: 29455
Change-Id: Ie35b1696b9fce0458db724fc8163d5d181e0768a
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
Since Barbican is in charge of storing BMC passwords for MTCE now
we need it to run as a bare-metal service alongside with kubernetes.
This patch enables SM provisioning for barbican in this case.
Change-Id: Id51f679738d429e78f388b6dc42e7606ef0c41ab
Story: 2003108
Task: 27700
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
Registries where application images pulled from during application-apply
are replaced if alternative registries are set.
The images are pulled from user specified registry and tagged to local
image tag. Local image tag will not be changed comparing to using default
registry. As a result, images pushed to local registry (192.168.204.2)
are still available as cache whatever alternative registries are set or
not.
Test:
AIO-SX/AIO-DX/Standard 2+2:
Private registry without proxy
- application-apply pass
Default registry with/without proxy
- application-apply pass
Story: 2004711
Task: 29212
Change-Id: I0cc110601e78c6adb3c6f2b747dfb6c92a0c82fd
Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
Use new nova helm chart config option introduced in dependent commit to
prevent nova from overriding our per host override for VM console
address.
Closes-Bug: #1815490
Depends-On: I86eb80578b23fd89b7f9643b943ee759f26a15be
Change-Id: I7617157b3b2848cbbe2d9014b900cd437ac082a6
Signed-off-by: Gerry Kopec <gerry.kopec@windriver.com>
The functionality of local docker registry authentication will be
enabled in commit https://review.openstack.org/#/c/626355/.
However, local docker registry is currently used to pull/push images
during application apply without authentication and no credentials
passed to the kubernetes when pulling images on other nodes except
for active controller.
In order to install stx-openstack app with local docker registry that
has authentication turned on, this commit updates the following:
1. Pass the user credentials when pulling/pushing images from local
registry during application apply.
2. Create a well-known registry secret "default-registry-key" which
holds the authorization token during stx-openstack app apply and
delete the secret during removal. The helm-toolkit is updated to
refer to this secret in k8s openstack service account template for
pulling images from local by kubelet. This secret is also added to
rbd-provisioner service account as well since it is not using
helm-toolkit to create service account.
Note: #2 is short-term solution. The long-term solution is to implement
the BP https://blueprints.launchpad.net/openstack-helm/+spec/support
-docker-registry-with-authentication-turned-on.
Story: 2002840
Task: 28945
Depends-On: https://review.openstack.org/636181
Change-Id: I015dccd12c5c7fa7a4bea74eef8d172f03b5d60e
Signed-off-by: Angie Wang <angie.wang@windriver.com>
Move all neutron static configurations from the overrides to the
Armada manifest.
This is being done so we have a consistent way of managing
containerized openstack configurations. Static configurations will
be located in the Armada manifest and dynamic configuration will be
located in the overrides files.
Story: 2003909
Task: 29433
Change-Id: I5baf0bbc15912e0303955456151e69856bba0385
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
Use the DevStack-provided functions to do the Python installations
for configutilities and controllerconfig.
Prepare the plugin setting for declaring DevStack prereqs that
is available in master's DevStack playbook.
Also do not enable all services by default. sysinv-api is disabled
in the devstack job as it does not properly start under Bionic. We
will address this separately.
Change-Id: Ib57863526d285049b5964828e1b60bf215d25a23
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
Recent Barbican integration commit introduced a typo in 'ihost' variable
That leads to the host-delete command failure with the following message
"local variable 'host' referenced before assignment"
Closes-Bug: 1815942
Change-Id: If8d8dcffb7b4f1bcfb831a4b6a104c95b76e5f2f
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
The sriov agent was polling devices via 'sudo ip link show',
and this resulted in a severe memory leak. The usage of 'sudo'
uses the host 'dbus-daemon', and somewhere the host does not
clean up login sessions.
Symptoms:
- gradual run out of memory until system unstable, host spontaneous
reboot due to delay or OOM
- huge growth of kernel slab
- thousands of /sys/fs/cgroup/systemd/user.slice/user-0.slice
session-x*.scope files with empty 'tasks', i.e., sessions
that should have deleted
- huge latency seen with ssh and various systemd commands
The problem is mitigated by disabling 'sudo' for sriov agent, using
a helm override that configures [agent]/root_helper='' .
Testing:
- Verified that we could launch a VM with SR-IOV interface;
VFs were able to set MAC and VLAN attributes.
Closes-Bug: 1815106
Change-Id: I0c57629c01b7407c99cc7f38b409019ab87af859
Signed-off-by: Jim Gauld <james.gauld@windriver.com>
OpenDev Sysadmins