Overview

We will need to define a new ci job in the tripleo-ci_zuul.d_standalone-jobs (preferably following the currently ongoing ci_v3_migrations define this as v3 job).

For the generation of the playbooks themselves we hope to use the ephemeral heat service that is used to deploy the stand-alone node, or use the keep-running option to the stand-alone deployment to keep the stack around after deployment.

As described in the problem statement we hope to avoid the task of having to distinguish between control and dataplane services in order to enforce that controlplane services are upgraded first.

Alternatives

Add another node and have 3 node upgrades jobs together with increasing the walltime but this is not scalable in the long term assuming limited resources!

Security Impact

None

Other End User Impact

None

Performance Impact

None

Other Deployer Impact

More coverage of services should mean less breakage because of upgrades incompatible things being merged.

Developer Impact

Might be easier for developers too who may have limited access to resources to take the reproducer script with the standalone jobs and get a dev env for testing upgrades.

Assignee(s)

tripleo-ci and upgrades squads

Work Items

First we must solve the problem of generating the ansible playbooks, that will include all the latest configuration from the tripleo-heat-templates at the time of upgrade (including all upgrade_tasks etc) when there is no undercloud Heat stack to query.

We might consider some non-heat solution by parsing the tripleo-heat-templates but I don’t think that is a feasible solution (re-inventing wheels). There is ongoing work to transfer tasks to roles which is promising and that is another area to explore.

One obvious mechanism to explore given the current tools is to re-use the same ephemeral heat process that the stand-alone uses in deploying the overcloud, but setting the usual ‘upgrade-init’ environment files for a short stack ‘update’. This is not tested at all yet so needs to be investigated further. As identified earlier there is now in fact a keep-running option to the tripleoclient that will keep this heat process around

For the first iteration of this work we will aim to use the minimum possible combination of services to implement a ‘compute’/’control’ overcloud. That is, using the existing services from the current current_upgrade_ci_scenario with the addition of nova-compute and any dependencies.

Finally a third major consideration is how to execute this service upgrade, that is how to invoke the playbook generation and then run the resulting playbooks (it probably doesn’t need to converge if we are just interested in the upgrades tasks). One consideration might be to re-use the existing python-tripleoclient “openstack overcloud upgrade” prepare and run sub-commands. However the first and currently favored approach will be to use the existing stand-alone client commands (tripleo_upgradetripleo_deploy). So one work item is to try these and discover any modifications we might need to make them work for us.

Items:

• Work out/confirm generation the playbooks for the standalone upgrade tasks.

• Work out any needed changes in the client/tools to execute the ansible playbooks

• Define new ci job in the tripleo-ci_zuul.d_standalone-jobs with control and compute services, that will exercise upgrade_tasks, deployment_tasks and post_upgrade_tasks playbooks.

Once this first iteration is complete we can then consider defining multiple jobs for small subsets of services, or even for single services.

Goals

• Increase developer focus, decrease distractions, interruptions, and time slicing.

• Encourage collaborative team development.

• Better and faster code reviews

Team Structure

• The Ruck

• The Rover

• The Sprint Team

The Ruck

One person per week will be on the front lines reporting failures found in CI. The Ruck & Rover switch roles in the second week of the sprint.

• Primary focus is to watch CI, report bugs, improve debug documentation.

• Does not participate in the sprint

• Attends the meetings where the team needs to be represented

• Responds to pings on #oooq / #tripleo regarding CI

• Reviews and improves documentation

• Attends meetings for the group where possible

• For identification, use the irc nick $user|ruck

The Rover

The primary backup for the Ruck. The Ruck should be catching all the issues in CI and passing the issues to the Rover for more in depth analysis or resolution of the bug.

• Back up for the Ruck

• Workload is driven from the tripleo-quickstart bug queue, the Rover is not monitoring CI

• A secondary input for work is identified technical debt defined in the Trello board.

• Attends the sprint meetings, but is not responsible for any sprint work

• Helps to triage incoming gerrit reviews

• Responds to pings on irc #oooq / #tripleo

• If the Ruck is overwhelmed with any of their responsibilities the Rover is the primary backup.

• For identification, use the irc nick $user|rover

The Sprint Team

The team is defined at the beginning of the sprint based on availability. Members on the team should be as focused on the sprint epic as possible. A member of team should spend 80% of their time on sprint goals and 20% on any other duties like code review or incoming high priority bugs that the Rover can not manage alone.

• hand off interruptions to the Ruck and Rover as much as possible

• focus as a team on the sprint epic

• collaborate with other members of the sprint team

• seek out peer review regarding sprint work

• keep the Trello board updated daily

  • One can point to Trello cards in stand up meetings for status

The Squads

The squads operate as a subunit of the sprint team. Each squad will operate with the same process and procedures and are managed by the team catalyst.

• Current Squads

  • CI

    • Responsible for the TripleO CI system ( non-infra ) and build verification.

  • Tempest

    • Responsible for tempest development.

The team catalyst (TC)

The member of the team responsible organizing the group. The team will elect or appoint a team catalyst per release.

• organize and plan sprint meetings

• collect status and send status emails

The user advocate (UA)

The member of the team responsible for help to prioritize work. The team will elect or appoint a user advocate per release.

• organize and prioritize the Trello board for the sprint planning

• monitor the board during the sprint.

• ensure the right work is being done.

The Squads

There are two squads on the CI team.

• tripleo ci

• tempest development

Each squad has a UA and they share a TC. Both contribute to Ruck and Rover rotations.

Current Leaders for Rocky

• team catalyst (ci, tempest) - Matt Young

• user advocate (ci) - Gabriele Cerami

• user advocate (tempest) - Chandan Kumar

Sprint Structure

The goal of the sprint is to define a narrow and focused feature called an epic to work on in a collaborative way. Work not completed in the sprint will be added to the technical debt column of Trello.

Note: Each sprint needs a clear definition of done that is documented in the epic used for the sprint.

Sprint Start ( Day 1 ) - 2.5 hours

• Sprints are three weeks in length

• A planning meeting is attended by the entire team including the Ruck and Rover

• Review PTO

• Review any meetings that need to be covered by the Ruck/Rover

• The UA will present options for the sprint epic

• Discuss the epic, lightly breaking each one down

• Vote on an epic

• The vote can be done using a doodle form

• Break down the sprint epic into cards

• Review each card

  • Each card must have a clear definition of done

  • As a group include as much detail in the card as to provide enough information for an engineer with little to no background with the task.

Sprint End ( Day 15 ) - 2.5 hours

• Retrospective

  • team members, ruck and rover only

• Document any technical debt left over from the sprint

• Ruck / Rover hand off

• Assign Ruck and Rover positions

• Sprint demo - when available

• Office hours on irc

Scrum meetings - 30 Min

• Planning meeting, video conference

• Sprint End, video and irc #oooq on freenode

• 2 live video conference meetings per week

  • sprint stand up

• Other days, post status to the team’s Trello board and/or cards

TripleoO CI Community meeting

• A community meeting should be held once a week.

• The meeting should ideally be conveniently scheduled immediately after the TripleO community meeting on #tripleo (freenode)

• The CI meeting should be announced as part of the TripleO community meeting to encourage participation.

Trello

A Trello board will be used to organize work. The team is expected to keep the board and their cards updated on a daily basis.

• https://trello.com/b/U1ITy0cu/tripleo-ci-squad

Dashboards

A number of dashboards are used to monitor the CI

• http://cistatus.tripleo.org/

• https://dashboards.rdoproject.org/rdo-dev

• http://zuul-status.tripleo.org/

Team Notes

• https://etherpad.openstack.org/p/tripleo-ci-squad-meeting

Bug Queue

• http://tinyurl.com/yag6y9ne

Alternatives

Create a subpackage of python-tripleoclient which installs less dependencies. The general footprint of required packages would still be quite high (lots of OpenStack packages will still be installed for the client tooling).

Or do nothing and continue to use VMs to encapsulate the dependencies for an Undercloud/All-In-One installer and generate Ansible playbooks. Setting up a local VM requires more initial setup and dependencies however and is heavier than just using a local container to generate the same playbooks.

Security Impact

As a container will be used to generate Ansible playbooks the user may need to expose some local data/files to the installer container. This is likely a minimal concern as we already require this data to be exposed to the Undercloud and All-In-One installers.

Other End User Impact

None

Performance Impact

Faster deployment and testing of local All-On-One setups.

Other Deployer Impact

None

Developer Impact

Faster deployment and testing of local All-On-One setups.

Assignee(s)

Primary assignee:

dprince

Work Items

• A new ‘tripleoclient’ container

• New project to drive the installation (Talon?)

• Continue to work on refining the Ansible playbook modules to provide a cleaner set of playbook dependencies. Specifically those that depend on the any of the traditional TripleO/Heat agent hooks and scripts.

• documentation updates

Overview

After each container/service is started, a new step is added to run one or more validations on the deployed host in order to ensure the service is actually working as expected at said step.

These validations must not use Mistral Workflow, in order to provide support for the undercloud/standalone case.

The best way to push those validations would be through the already existing deploy_steps_tasks keywork. A validation should be either at the start of the next step, or at the end of the current step we want to check.

The validations should point to an external playbook, for instance hosted in tripleo-validations. If there isn’t real use to create a playbook for the validation, it might be inline - but it must be short, for example a single test for an open port.

Alternatives

There isn’t really other alternative. We might think running the validation ansible playbook directly is a good idea, but it will break the wanted convergence with the UI.

For now, there isn’t such validations, we can start fresh.

Security Impact

No security impact.

Upgrade Impact

If a service isn’t starting properly, the upgrade might fail. This is also true for a fresh deploy.

We might want different validation tasks/workflows if we’re in an upgrade state.

Other End User Impact

End user will get early failure in case of issues detected by the validations. This is an improvement, as for now it might fail at a later step, and might break things due to the lack of valid state.

Performance Impact

Running in-flight validation WILL slow the overall deploy/upgrade process, but on the other hand, it will ensure we have a clean state before each step.

Other Deployer Impact

No other deployer impact.

Developer Impact

Validations will need to be created and documented in order to get proper runs.

Assignee(s)

Who is leading the writing of the code? Or is this a blueprint where you’re throwing it out there to see who picks it up?

If more than one person is working on the implementation, please designate the primary author and contact.

Primary assignee:

cjeanner

Other contributors:

<launchpad-id or None>

Work Items

• Add new hook for the validation_tasks

• Provide proper documentation on its use

Overview

The proposal is to create an Ansible based project named tripleo-ha-utils that will be consumable by the various tools that we use to deploy TripleO environments like tripleo-quickstart or infrared or by manual deployments.

The project will initially cover three principal roles:

• stonith-config: a playbook used to automate the creation of fencing devices in the overcloud;

• instance-ha: a playbook that automates the seventeen manual steps needed to configure instance HA in the overcloud, test them via rally and verify that instance HA works appropriately;

• validate-ha: a playbook that runs a series of disruptive actions in the overcloud and verifies it always behaves correctly by deploying a heat-template that involves all the overcloud components;

Today the project exists outside the TripleO umbrella, and it is named tripleo-quickstart-utils [1] (see “Alternatives” for the historical reasons of this name). It is used internally inside promotion pipelines, and has also been tested with success in RDOCloud.

Alternatives

While evaluating alternatives, the first thing to consider is that this project aims to be a TripleO-centric set of tools for HA, not a generic OpenStack’s one. We want tools to help the user answer questions like “Is the Galera bundle cluster resource able to tolerate a stop and a consecutive start without affecting the environment capabilities?” or “Is the environment able to evacuate instances after being configured for Instance HA?”. And the answer we want is YES or NO.

• tripleo-validations: the most logical place to put this, at least

  looking at the name, would be tripleo-validations. By talking with folks working on it, it came out that the meaning of tripleo-validations project is not doing disruptive tests. Integrating this stuff would be out of scope.

• tripleo-quickstart-extras: apart from the fact that this is not

  something meant just for quickstart (the project supports infrared and “plain” environments as well) even if we initially started there, in the end, it came out that nobody was looking at the patches since nobody was able to verify them. The result was a series of reviews stuck forever. So moving back to extras would be a step backward.

Other End User Impact

None. The good thing about this solution is that there’s no impact for anyone unless the solution gets loaded inside an existing project. Since this will be an external project, it will not impact anything of the current stuff.

Performance Impact

None. Unless the deployments, the CI runs or whatever include the roles there will be no impact, and so the performances will not change.

Work Items

• Import the tripleo-quickstart-utils [1] as a new repository and start new deployments from there.

Introduction

The containerization of TripleO has been an ongoing effort since a few releases now and we’ve always been looking at a step-by-step approach that tries to maintain backward compatibility for the deployers and developers; and also in a way where upgrade from a previous release is possible, without too much pain. With that said, we are looking at a proposed change that isn’t too much disruptive but is still aligned with the general roadmap of the container story and hopefully will drive us to manage our containers with Kubernetes. We use Paunch project to provide an abstraction in our container integration. Paunch will deal with container configurations formats with backends support.

Integrate Podman CLI

The goal of Podman is to allow users to run standalone (non-orchestrated) containers which is what we have been doing with Docker until now. Podman also allows users to run groups of containers called Pods where a Pod is a term developed for the Kubernetes Project which describes an object that has one or more containerized processes sharing multiple namespaces (Network, IPC and optionally PID). Podman doesn’t have any daemon which makes it lighter than Docker and use a more traditional fork/exec model of Unix and Linux. The container runtime used by Podman is runc. The CLI has a partial backward compatibility with Docker so its integration in TripleO shouldn’t be that painful.

It is proposed to add support for Podman CLI (beside Docker CLI) in TripleO to manage the creation, deletion, inspection of our containers. We would have a new parameter called ContainerCli in TripleO, that if set to ‘podman’, will make the container provisionning done with Podman CLI and not Docker CLI.

Because there is no daemon, there are some problems that we needs to solve:

• Automatically restart failed containers.

• Automatically start containers when the host is (re)booted.

• Start the containers in a specific order during host boot.

• Provide an channel of communication with containers.

• Run container healthchecks.

To solve the first 3 problems, it is proposed to use Systemd:

• Use Restart so we can configure a restart policy for our containers. Most of our containers would run with Restart=always policy, but we’ll have to support some exceptions.

• The systemd services will be enabled by default so the containers start at boot.

• The ordering will be managed by Wants which provides Implicit Dependencies in Systemd. Wants is a weaker version of Requires. It’ll allow to make sure we start HAproxy before Keepalived for example, if they are on the same host. Because it is a weak dependency, they will only be honored if the containers are running on the same host.

• The way containers will be managed (start/stop/restart/status) will be familiar for our operators used to control Systemd services. However we probably want to make it clear that this is not our long term goal to manage the containers with Systemd.

The Systemd integration would be:

• complete enough to cover our use-cases and bring feature parity with the Docker implementation.

• light enough to be able to migrate our container lifecycle with Kubernetes in the future (e.g. CRI-O).

For the fourth problem, we are still investigating the options:

• varlink: interface description format and protocol that aims to make services accessible to both humans and machines in the simplest feasible way.

• CRI-O: CI-based implementation of Kubernetes Container Runtime Interface without Kubelet. For example, we could use a CRI-O Python binding to communicate with the containers.

• A dedicated image which runs the rootwrap daemon, with rootwrap filters to only run the allowed commands. The controlling container will have the rootwrap socket mounted in so that it can trigger allowed calls in the rootwrap container. For pacemaker, the rootwrap container will allow image tagging. For neutron, the rootwrap container will spawn the processes inside the container, so it will need to be a long-lived container that is managed outside paunch.

  +———+ +———-+ | | | | | L3Agent +—–+ Rootwrap | | | | | +———+ +———-+

  In this example, the L3Agent container has mounted in the rootwrap daemon socket so that it can run allowed commands inside the rootwrap container.

Finally, the fifth problem is still an ongoing question. There are some plans to support healthchecks in Podman but nothing has been done as of today. We might have to implement something on our side with Systemd.

CRI-O Integration

CRI-O is meant to provide an integration path between OCI conformant runtimes and the kubelet. Specifically, it implements the Kubelet Container Runtime Interface (CRI) using OCI conformant runtimes. Note that the CLI utility for interacting with CRI-O isn’t meant to be used in production, so managing the containers lifecycle with a CLI is only possible with Docker or Podman.

So instead of a smooth migration from Docker CLI to Podman CLI, we could go straight to Kubernetes integration and convert our TripleO services to work with a standalone Kubelet managed by CRI-O. We would have to generate YAML files for each container in a Pod format, so CRI-O can manage them. It wouldn’t require Systemd integration, as the containers will be managed by Kubelet. The operator would control the container lifecycle by using kubectl commands and the automated deployment & upgrade process would happen in Paunch with a Kubelet backend.

While this implementation will help us to move to a multi-node Kubernetes friendly environment, it remains the most risky option in term of the quantity of work that needs to happen versus the time that we have to design, implement, test and ship the next tooling before the end of Stein cycle.

We also need to keep in mind that CRI-O and Podman share containers/storage and containers/image libraries, so the issues that we have had with Podman will be hit with CRI-O as well.

Keep Docker

We could keep Docker around and do not change anything in the way we manage containers. We could also keep Docker and make it work with CRI-O. The only risk here is that Docker tooling might not be supported in the future by Red Hat platforms and we would be on our own if any issue with Docker. The TripleO community is always seeking for an healthy and long term collaboration between us and the projects communities that we are interracting with.

Contributors

• Bogdan Dobrelya

• Cédric Jeanneret

• Emilien Macchi

• Steve Baker

Work Items

• Update TripleO services to work with Podman (e.g. fix bind-mounts issues).

• SELinux separation (relates to bind-mounts rights + some other issues when we’re calling iptables/other host command from a containe)

• Systemd integration.

• Healthcheck support.

• Socket / runtime: varlink? CRI-O?

• Upgrade workflow.

• Testing.

• Documentation for operators.

Overview

This blueprint proposes removal replacing the triad Heat-Nova-Glance with Ironic driven directly by Mistral. To avoid placing Ironic-specific code into tripleo-common, a new library metalsmith has been developed and accepted into the Ironic governance.

As part of the implementation, this blueprint proposes completely separting the bare metal provisioning process from software configuration, including the CLI level. This has two benefits:

1. Having a clear separation between two error-prone processes simplifies debugging for operators.

2. Reusing the existing deployed-server workflow simplifies the implementation.

In the distant future, the functionality of metalsmith may be moved into Ironic API itself. In this case it will be phased out, while keeping the same Mistral workflows.

Operator workflow

As noted in Overview, the CLI/GUI workflow will be split into hardware provisioning and software configuration parts (the former being optional).

1. In addition to existing Heat templates, a new file baremetal_deployment.yaml will be populated by an operator with the bare metal provisioning information.

2. Bare metal deployment will be conducted by a new CLI command or GUI operation using the new deploy_roles workflow:

   openstackovercloudnodeprovision \
      -obaremetal_environment.yamlbaremetal_deployment.yaml

   This command will take the input from baremetal_deployment.yaml, provision requested bare metal machines and output a Heat environment file baremetal_environment.yaml to use with the deployed-server feature.

3. Finally, the regular deployment is done, including the generated file:

   openstackoverclouddeploy \
      <othercliarguments> \
      -ebaremetal_environment.yaml \
      -e/usr/share/openstack-tripleo-heat-templates/environments/deployed-server-environment.yaml \
      -e/usr/share/openstack-tripleo-heat-templates/environments/deployed-server-bootstrap-environment-centos.yaml \
      -r/usr/share/openstack-tripleo-heat-templates/deployed-server/deployed-server-roles-data.yaml

For simplicity the two commands can be combined:

openstackoverclouddeploy \
   <othercliarguments> \
   -bbaremetal_deployment.yaml \
   -e/usr/share/openstack-tripleo-heat-templates/environments/deployed-server-environment.yaml \
   -e/usr/share/openstack-tripleo-heat-templates/environments/deployed-server-bootstrap-environment-centos.yaml \
   -r/usr/share/openstack-tripleo-heat-templates/deployed-server/deployed-server-roles-data.yaml

The new argument --baremetal-deployment/-b will accept the baremetal_deployment.yaml and do the deployment automatically.

Breakdown of the changes

This section describes the required changes in depth.

cd/var/lib/ironic/httpboot/overcloud-imagesmd5sumovercloud-full.*>MD5SUMS

-name:Compute-name:Controller

-name:Computecount:2profile:computehostname_format:compute-%index%.example.com-name:Controllercount:3profile:controlhostname_format:controller-%index%.example.com

-name:Computeprofile:computeinstances:-hostname:compute-05.us-west.example.comnics:-network:ctlplanefixed_ip:10.0.2.5traits:-HW_CPU_X86_VMX-hostname:compute-06.us-west.example.comnics:-network:ctlplanefixed_ip:10.0.2.5traits:-HW_CPU_X86_VMX-name:Controllerprofile:controlinstances:-hostname:controller-1.us-west.example.comswap_size_mb:4096-hostname:controller-2.us-west.example.comswap_size_mb:4096-hostname:controller-3.us-west.example.comswap_size_mb:4096

-hostname:overcloud-compute-0-hostname:overcloud-controller-0

-hostname:compute-0.example.comprofile:compute-hostname:compute-1.example.comprofile:compute-hostname:controller-0.example.comprofile:control-hostname:controller-1.example.comprofile:control-hostname:controller-2.example.comprofile:control

-hostname:compute-05.us-west.example.comnics:-network:ctlplanefixed_ip:10.0.2.5profile:computetraits:-HW_CPU_X86_VMX-hostname:compute-06.us-west.example.comnics:-network:ctlplanefixed_ip:10.0.2.5profile:computetraits:-HW_CPU_X86_VMX-hostname:controller-1.us-west.example.comprofile:controlswap_size_mb:4096-hostname:controller-2.us-west.example.comprofile:controlswap_size_mb:4096-hostname:controller-3.us-west.example.comprofile:controlswap_size_mb:4096

parameter_defaults:HostnameMap:overcloud-controller-0:controller-1.us-west.example.comovercloud-controller-1:controller-2.us-west.example.comovercloud-controller-2:controller-3.us-west.example.comovercloud-novacompute-0:compute-05.us-west.example.comovercloud-novacompute-1:compute-06.us-west.example.com

Novajoin replacement

The novajoin service is currently used to enroll nodes into IPA and provide them with TLS certificates. Unfortunately, it has hard dependencies on Nova, Glance and Metadata API, even though the information could be provided via other means. Actually, the metadata API cannot always be provided with Ironic (notably, it may not be available when using isolated provisioning networks).

A potential solution is to provide the required information via a configdrive, and make the nodes register themselves instead.

Alternatives

• Do nothing, continue to rely on Nova and work around cases when it does match our goals well. See Problem Description for why it is not desired.

• Avoid metalsmith, use OpenStack Ansible modules or Bifrost. They currently lack features (such as VIF attach/detach API) and do not have any notion of scheduling. Implementing sophisticated enough scheduling in pure Ansible seems a serious undertaking.

• Avoid Mistral, drive metalsmith via Ansible. This is a potential future direction of this work, but currently it seems much simpler to call metalsmith Python API from Mistral actions. We would anyway need Mistral ( (or Ansible Tower) to drive Ansible, because we need some API level.

• Remove Neutron in the same change. Would reduce footprint even further, but some operators may find the presence of an IPAM desirable. Also setting up static DHCP would increase the scope of the implementation substantially and complicate the upgrade even further.

• Keep Glance but remove Nova. Does not make much sense, since Glance is only a requirement because of Nova. Ironic can deploy from HTTP or local file locations just as well.

Security Impact

• Overcloud images will be exposed to unauthenticated users via HTTP. We need to communicate it clearly that secrets must not be built into images in plain text and should be delivered via configdrive instead. If it proves a problem, we can limit ourselves to providing images via local files.

  Note

  This issue exists today, as images are transferred via insecure medium in all supported deploy methods.

• Removing two services from the undercloud will reduce potential attack surface and simplify audit.

Upgrade Impact

The initial version of this feature will be enabled for new deployments only.

The upgrade procedure will happen within a release, not between releases. It will go roughly as follows:

1. Upgrade to a release where undercloud without Nova and Glance is supported.

2. Make a full backup of the undercloud.

3. Run openstackovercloudimageupload to ensure that the overcloud-full images are available via HTTP(s).

The next steps will probably be automated via an Ansible playbook or a Mistral workflow:

1. Mark deployed nodes protected in Ironic to prevent undeploying them by mistake.

2. Run a Heat stack update replacing references to Nova servers with references to deployed servers. This will require telling Heat not to remove the instances.

3. Mark nodes as managed by metalsmith (optional, but simplifies troubleshooting).

4. Update node’s instance_info to refer to images over HTTP(s).

   Note

   This may require temporary moving nodes to maintenance.

5. Run an undercloud update removing Nova and Glance.

Other End User Impact

• Nova CLI will no longer be available for troubleshooting. It should not be a big problem in reality, as most of the problems it is used for are caused by using Nova itself.

  metalsmith provides a CLI tool for troubleshooting and advanced users. We will document using it for tasks like determining IP addresses of nodes.

• It will no longer be possible to update images via Glance API, e.g. from GUI. It should not be a bit issue, as most of users use pre-built images. Advanced operators are likely to resort to CLI anyway.

• No valid host found error will no longer be seen by operators. metalsmith provides more detailed errors, and is less likely to fail because of its scheduling approach working better with the undercloud case.

Performance Impact

• A substantial speed-up is expected for deployments because of removing several layers of indirection. The new deployment process will also fail faster if the scheduling request cannot be satisfied.

• Providing images via local files will remove the step of downloading them from Glance, providing even more speed-up for larger images.

• An operator will be able to tune concurrency of deployment via CLI arguments or GUI parameters, other than nova.conf.

Other Deployer Impact

None

Developer Impact

New features for bare metal provisioning will have to be developed with this work in mind. It may mean implementing something in metalsmith code instead of relying on Nova servers or flavors, or Glance images.

Assignee(s)

Primary assignee:

Dmitry Tantsur, IRC: dtantsur, LP: divius

Work Items

Phase 1 (Stein, technical preview):

1. Update openstackovercloudimageupload to copy images into the HTTP location and generate checksums.

2. Implement deploy_instances workflow and undeploy_instances workflow.

3. Update validations to not fail if Nova and/or Glance are not present.

4. Implement deploy_roles workflow.

5. Provide CLI commands for the created workflows.

6. Provide an experimental OVB CI job exercising the new approach.

Phase 2 (T+, fully supported):

1. Update openstackoverclouddeploy to support the new workflow.

2. Support scaling down.

3. Provide a Novajoin replacement.

4. Provide an upgrade workflow.

5. Consider deprecating provisioning with Nova and Glance.

Overview

Use systemd on the host to launch the side process containers directly with support for network namespaces that Neutron agents require. The benefit of this approach is that we no longer have to give the Neutron containers privs to launch containers which they shouldn’t require.

The pattern could work like this:

1. A systemd.path file monitors a know location on the host for changes. Example (neutron-dhcp-dnsmasq.path):

[Path]PathModified=/var/lib/neutron/neutron-dnsmasq-processes-timestampPathChanged=/var/lib/neutron/neutron-dnsmasq-processes-timestamp[Install]WantedBy=multi-user.target

1. When systemd.path notices a change it fires the service for this path file: Example (neutron-dhcp-dnsmasq.service):

[Unit]Description=neutron dhcp dnsmasq sync service[Service]Type=oneshotExecStart=/usr/local/bin/neutron-dhcp-dnsmasq-process-syncUser=root

1. We use the same “wrapper scripts” used today to write two files. The first file is a dump of CLI arguments used to launch the process on the host. This file can optionally include extra data like network namespaces which are required for some neutron side processes. The second file is a timestamp which is monitored by systemd.path on the host for changes and is used as a signal that it needs to process the first file with arguments.

# When a change is detected the systemd.service above executes a script on the

host to cleanly launch containerized side processes. When the script finishes launching processes it truncates the file to start with a clean slate.

# Both the wrapper scripts and the host scripts use flock to eliminate race

conditions which could cause issues in relaunching or missed containers.

Alternatives

With Podman an API like varlink would be an option however it would likely still required exposure to a socket on the host which would involve extra privileges like what we have today. This would avoid the nsenter hacks however.

An architecture like Kubernetes would give us an API which could be used to launch containers directly via the COE.

Additionally an external process manager in Neutron that is “containers aware” could be written to improve either of the above options. The current python in Neutron was writtin primarily for launching processes on baremetal with assumptions that some of the processes it launches are meant to live across a contain restart. Implementing a class that can launch side processes via a clean interface rather than overwriting binaries would be desirable. Classes which supported launching containers via Kubernetes and or Systemd via the host directly could be supported.

Security Impact

This mechanism should allow us to remove some of the container privileges for neutron agents which in the past were used to execute containers. It is a more restrictive crude interface that allows the containers only to launch a specific type of process rather than any container it chooses.

Upgrade Impact

The side process containers should be the same regardless of how they are launched so the upgrade should be minimal.

Assignee(s)

Primary assignee:

dan-prince

Other contributors:

emilienm

Work Items

# Ansible playbook to create systemd files, wrappers

# TripleO Heat template updates to use the new playbooks

# Remove/deprecate the old docker.socket and nsenter code from puppet-tripleo

Upgrading the Undercloud

The in-place undercloud upgrade using Leapp will likely consist of the following steps. First, prepare for OS upgrade via Leapp, downloading the necessary packages:

leappupgrade

Then reboot, which will upgrade the OS:

reboot

Then run the undercloud upgrade, which will bring back the undercloud services (using the newer OpenStack release):

openstacktripleocontainerimagepreparedefault \
    --output-env-filecontainers-prepare-parameter.yamlopenstackundercloudupgrade

If we wanted or needed to upgrade the undercloud via reprovisioning, we would use a backup and restore procedure as currently documented, with restore perhaps being utilized just partially.

Upgrading the Overcloud

1. Update the Heat stack, generate Heat outputs for building upgrade playbooks:

   openstackovercloudupgradeprepare<DEPLOYARGS>

   Notes:

   • Among the <DEPLOYARGS> should be containers-prepare-parameter.yaml bringing in the containers of newer OpenStack release.

2. Prepare an OS upgrade on one machine from each of the “schema-/cluster-sensitive” roles:

   openstackovercloudupgraderun \
       --tagssystem_upgrade_prepare \
       --limitcontroller-openstack-0,database-0,messaging-0

   Notes:

   • This stops all services on the nodes selected.

   • For external installers like Ceph, we’ll have a similar external-upgrade command, which can e.g. remove the nodes from the Ceph cluster:

     openstackovercloudexternal-upgraderun \
         --tagssystem_upgrade_prepare \
         -esystem_upgrade_nodes=controller-openstack-0,database-0,messaging-0

   • If we use in-place upgrade:

     • This will run the leappupgrade command. It should use newer OS and newer OpenStack repos to download packages, and leave the node ready to reboot into the upgrade process.

     • Caution: Any reboot after this is done on a particular node will cause that node to automatically upgrade to newer OS.

   • If we reprovision:

     • This should persist node’s important data to the undercloud. (Only node-specific data. It would not include e.g. MariaDB database content, which would later be transferred from one of the other controllers instead.)

     • Services can export their upgrade_tasks to do the persistence, we should provide an Ansible module or role to make it DRY.

3. Upload new overcloud base image:

   openstackovercloudimageupload--update-existing \
       --image-path/home/stack/new-images

   Notes:

   • For Nova+Ironic environments only. After this step any new or reprovisioned nodes will receive the new OS.

4. Run an OS upgrade on one node from each of the “schema-/cluster-sensitive” roles or reprovision those nodes.

   Only if we do reprovisioning:

   openstackserverrebuildcontroller-openstack-0openstackserverrebuilddatabase-0openstackserverrebuildmessaging-0openstackovercloudadminauthorize \
       --overcloud-ssh-user<user> \
       --overcloud-ssh-key<path-to-key> \
       --overcloud-ssh-network<ssh-network> \
       --limitcontroller-openstack-0,database-0,messaging-0

   Both reprovisioning and in-place:

   openstackovercloudupgraderun \
       --tagssystem_upgrade_run \
       --limitcontroller-openstack-0,database-0,messaging-0

   Notes:

   • This step either performs a reboot of the nodes and lets Leapp upgrade them to newer OS, or reimages the nodes with a fresh new OS image. After they come up, they’ll have newer OS but no services running. The nodes can be checked before continuing.

   • In case of reprovisioning:

     • The overcloudadminauthorize will ensure existence of tripleo-admin user and authorize Mistral’s ssh keys for connection to the newly provisioned nodes. The --overcloud-ssh-* work the same as for overclouddeploy.

     • The --tagssystem_upgrade_run is still necessary because it will restore the node-specific data from the undercloud.

     • Services can export their upgrade_tasks to do the restoration, we should provide an Ansible module or role to make it DRY.

   • Ceph-mon count is reduced by 1 (from 3 to 2 in most environments).

   • Caution: This will have bad consequences if run by accident on unintended nodes, e.g. on all nodes in a single role. If possible, it should refuse to run if –limit is not specified. If possible further, it should refuse to run if a full role is included, rather than individual nodes.

5. Stop services on older OS and transfer data to newer OS:

   openstackovercloudexternal-upgraderun \
       --tagssystem_upgrade_transfer_data \
       --limitControllerOpenstack,Database,Messaging

   Notes:

   • This is where control plane downtime starts.

   • Here we should:

     • Detect which nodes are on older OS and which are on newer OS.

     • Fail if we don’t find at least one older OS and exactly one newer OS node in each role.

     • On older OS nodes, stop all services except ceph-mon. (On newer node, no services are running yet.)

     • Transfer data from an older OS node (simply the first one in the list we detect, or do we need to be more specific?) to the newer OS node in a role. This is probably only going to do anything on the Database role which includes DBs, and will be a no-op for others.

     • Services can export their external_upgrade_tasks for the persist/restore operations, we’ll provide an Ansible module or role to make it DRY. The transfer will likely go via undercloud initially, but it would be nice to make it direct in order to speed it up.

6. Run the usual upgrade tasks on the newer OS nodes:

   openstackovercloudupgraderun \
       --limitcontroller-openstack-0,database-0,messaging-0

   Notes:

   • Control plane downtime stops at the end of this step. This means the control plane downtime spans two commands. We should not make it one command because the commands use different parts of upgrade framework underneath, and the separation will mean easier re-running of individual parts, should they fail.

   • Here we start pcmk cluster and all services on the newer OS nodes, using the data previously transferred from the older OS nodes.

   • Likely we won’t need any special per-service upgrade tasks, unless we discover we need some data conversions or adjustments. The node will be with all services stopped after upgrade to newer OS, so likely we’ll be effectively “setting up a fresh cloud on pre-existing data”.

   • Caution: At this point the newer OS nodes became the authority on data state. Do not re-run the previous data transfer step after services have started on newer OS nodes.

   • (Currently upgraderun has --nodes and --roles which both function the same, as Ansible --limit. Notably, nothing stops you from passing role names to --nodes and vice versa. Maybe it’s time to retire those two and implement --limit to match the concept from Ansible closely.)

7. Perform any service-specific && node-specific external upgrades, most importantly Ceph:

   openstackovercloudexternal-upgraderun \
       --tagssystem_upgrade_run \
       -esystem_upgrade_nodes=controller-openstack-0,database-0,messaging-0

   Notes:

   • Ceph-ansible here runs on a single node and spawns a new version of ceph-mon. Per-node run capability will need to be added to ceph-ansible.

   • Ceph-mon count is restored here (in most environments, it means going from 2 to 3).

8. Upgrade the remaining control plane nodes. Perform all the previous control plane upgrade steps for the remaining controllers too. Two important notes here:

   • Do not run the ``system_upgrade_transfer_data`` step anymore. The remaining controllers are expected to join the cluster and sync the database data from the primary controller via DB replication mechanism, no explicit data transfer should be necessary.

   • To have the necessary number of ceph-mons running at any given time (often that means 2 out of 3), the controllers (ceph-mon nodes) should be upgraded one-by-one.

   After this step is finished, all of the nodes which are sensitive to Pacemaker version or DB schema version should be upgraded to newer OS, newer OpenStack, and newer ceph-mons.

9. Upgrade the rest of the overcloud nodes (Compute, Networker, CephStorage), either one-by-one or in batches, depending on uptime requirements of particular nodes. E.g. for computes this would mean evacuating and then also running:

   openstackovercloudupgraderun \
       --tagssystem_upgrade_prepare \
       --limitnovacompute-0openstackovercloudupgraderun \
       --tagssystem_upgrade_run \
       --limitnovacompute-0openstackovercloudupgraderun \
       --limitnovacompute-0

   Notes:

   • Ceph OSDs can be removed by the external-upgraderun--tagssystem_upgrade_prepare step before reprovisioning, and after upgraderun command, ceph-ansible can recreate the OSD via the external-upgraderun--tagssystem_upgrade_run step, always limited to the OSD being upgraded:

     # Remove OSDopenstackovercloudexternal-upgraderun \
         --tagssystem_upgrade_prepare \
         -esystem_upgrade_nodes=novacompute-0# <<Here the node is reprovisioned and upgraded>># Re-deploy OSDopenstackovercloudexternal-upgraderun \
         --tagssystem_upgrade_run \
         -esystem_upgrade_nodes=novacompute-0

10. Perform online upgrade (online data migrations) after all nodes have been upgraded:

    openstackovercloudexternal-upgraderun \
        --tagsonline_upgrade

11. Perfrom upgrade converge to re-assert the overcloud state:

    openstackovercloudupgradeconverge<DEPLOYARGS>

12. Clean up upgrade data persisted on undercloud:

    openstackovercloudexternal-upgraderun \
        --tagssystem_upgrade_cleanup

Additional notes on data persist/restore

• There are two different use cases:

  • Persistence for things that need to survive reprovisioning (for each node)

  • Transfer of DB data from node to node (just once to bootstrap the first new OS node in a role)

• The synchronize Ansible module shipped with Ansible seems fitting, we could wrap it in a role to handle common logic, and execute the role via include_role from upgrade_tasks.

• We would persist the temporary data on the undercloud under a directory accessible only by the user which runs the upgrade playbooks (mistral user). The root dir could be /var/lib/tripleo-upgrade and underneath would be subdirs for individual nodes, and one more subdir level for services.

  • (Undercloud’s Swift also comes to mind as a potential place for storage. However, it would probably add more complexity than benefit.)

• The data persist/restore operations within the upgrade do not supplement or replace backup/restore procedures which should be performed by the operator, especially before upgrading. The automated data persistence is solely for upgrade purposes, not for disaster recovery.

Alternatives

• Parallel cloud migration. We could declare the in-place upgrade of operating system + OpenStack as too risky and complex and time consuming, and recommend standing up a new cloud and transferring content to it. However, this brings its own set of challenges.

  This option is already available for anyone whose environment is constrained such that normal upgrade procedure is not realistic, e.g. in case of extreme uptime requirements or extreme risk-aversion environments.

  Implementing parallel cloud migration is probably best handled on a per-environment basis, and TripleO doesn’t provide any automation in this area.

• Upgrading the operating system separately from OpenStack. This would simplify things on several fronts, but separating the operating system upgrade while preserving uptime (i.e. upgrading the OS in a rolling fashion node-by-node) currently seems not realistic due to:

  • The pacemaker cluster (corosync) limitations mentioned earlier. We would have to containerize Pacemaker (even if just ad-hoc non-productized image).

  • Either we’d have to make OpenStack (and dependencies) compatible with OS releases in a way we currently do not intend, or at least ensure such compatibility when running containerized. E.g. for data transfer, we could then probably use Galera native replication.

  • OS release differences might be too large. E.g. in case of differing container runtimes, we might have to make t-h-t be able to deploy on two runtimes within one deployment.

• Upgrading all control plane nodes at the same time as we’ve been doing so far. This is not entirely impossible, but rebooting all controllers at the same time to do the upgrade could mean total ceph-mon unavailability. Also given that the upgraded nodes are unreachable via ssh for some time, should something go wrong and the nodes got stuck in that state, it could be difficult to recover back into a working cloud.

  This is probably not realistic, mainly due to concerns around Ceph mon availability and risk of bricking the cloud.

Security Impact

• How we transfer data from older OS machines to newer OS machines is a potential security concern.

• The same security concern applies for per-node data persist/restore procedure in case we go with reprovisioning.

• The stored data may include overcloud node’s secrets and should be cleaned up from the undercloud when no longer needed.

• In case of using the synchronize Ansible module: it uses rsync over ssh, and we would store any data on undercloud in a directory only accessible by the same user which runs the upgrade playbooks (mistral). This undercloud user has full control over overcloud already, via ssh keys authorized for all management operations, so this should not constitute a significant expansion of mistral user’s knowledge/capabilities.

Upgrade Impact

• The upgrade procedure is riskier and more complex.

  • More things can potentially go wrong.

  • It will take more time to complete, both manually and automatically.

• Given that we upgrade one of the controllers while the other two are still running, the control plane services downtime could be slightly shorter than before.

• When control plane services are stopped on older OS machines and running on newer OS machine, we create a window without high availability.

• Upgrade framework might need some tweaks but on high level it seems we’ll be able to fit the workflow into it.

• All the upgrade steps should be idempotent, rerunnable and recoverable as much as we can make them so.

Other End User Impact

• Floating IP availability could be affected. Neutron upgrade procedure typically doesn’t immediately restart sidecar containers of L3 agent. Restarting will be a must if we upgrade the OS.

Performance Impact

• When control plane services are stopped on older OS machines and running on newer OS machine, only one controller is available to serve all control plane requests.

• Depending on role/service composition of the overcloud, the reduced throughput could also affect tenant traffic, not just control plane APIs.

Other Deployer Impact

• Automating such procedure introduces some code which had better not be executed by accident. The external upgrade tasks which are tagged system_upgrade_* should also be tagged never, so that they only run when explicitly requested.

• For the data transfer step specifically, we may also introduce a safety “flag file” on the target overcloud node, which would prevent re-running of the data transfer until the file is manually removed.

Developer Impact

Developers who work on specific composable services in TripleO will need to get familiar with the new upgrade workflow.

Main Risks

• Leapp has been somewhat explored but its viability/readiness for our purpose is still not 100% certain.

• CI testing will be difficult, if we go with Leapp it might be impossible (more below).

• Time required to implement everything may not fit within the release cycle.

• We have some idea how to do the data persist/restore/transfer parts, but some prototyping needs to be done there to gain confidence.

• We don’t know exactly what data needs to be persisted during reprovisioning.

Assignee(s)

Primary assignees::

jistr, chem, jfrancoa

Other contributors::

fultonj for Ceph

Work Items

With aditional info in format: (how much do we know about this task, estimate of implementation difficulty).

• (semi-known, est. as medium) Change tripleo-heat-templates + puppet-tripleo to be able to set up a cluster on just one controller (with newer OS) while the Heat stack knows about all controllers. This is currently not possible.

• (semi-known, est. as medium) Amend upgrade_tasks to work for Rocky->Stein with OS upgrade.

• system_upgrade_transfer_data:

  • (unknown, est. as easy) Detect upgraded vs. unupgraded machines to transfer data to/from.

  • (known, est. as easy) Stop all services on the unupgraded machines transfer data to/from. (Needs to be done via external upgrade tasks which is new, but likely not much different from what we’ve been doing.)

  • (semi-known, est. as medium/hard) Implement an Ansible role for transferring data from one node to another via undercloud.

  • (unknown, est. as medium) Figure out which data needs transferring from old controller to new, implement it using the above Ansible role – we expect only MariaDB to require this, any special services should probably be tackled by service squads.

• (semi-known, est. as medium/hard) Implement Ceph specifics, mainly how to upgrade one node (mon, OSD, …) at a time.

• (unknown, either easy or hacky or impossible :) ) Implement --limit for external-upgraderun. (As external upgrade runs on undercloud by default, we’ll need to use delegate_to or nested Ansible for overcloud nodes. I’m not sure how well –limit will play with this.)

• (known, est. as easy) Change update/upgrade CLI from --nodes and --roles to --limit.

• (semi-known, est. as easy/medium) Add -e variable pass-through support to external-upgraderun.

• (unknown, unknown) Test as much as we can in CI – integrate with tripleo-upgrade and OOOQ.

• For reprovisioning:

  • (semi-known, est. as medium) Implement openstackovercloudadminauthorize. Should take --stack, --limit, --overcloud-ssh-* params.

  • (semi-known, est. as medium/hard) Implement an Ansible role for temporarily persisting overcloud nodes’ data on the undercloud and restoring it.

  • (known, est. as easy) Implement external-upgraderun--tagssystem_upgrade_cleanup.

  • (unknown, est. as hard in total, but should probably be tackled by service squads) Figure out which data needs persisting for particular services and implement the persistence using the above Ansible role.

• For in-place:

  • (semi-known, est. as easy) Calls to Leapp in system_upgrade_prepare, system_upgrade_run.

  • (semi-known, est. as medium) Implement a Leapp actor to set up or use the repositories we need.

Single +2 Approvals

A core can and should approve patches without a second +2 under the following circumstances:

• The change has multiple +2’s on previous patch sets, indicating an agreement from the other cores that the overall design is good, and any alterations to the patch since those +2’s must be minor implementation details only - trivial rebases, minor syntax changes, or comment/documentation changes.

• Backports proposed by another core reviewer. Backports should already have been reviewed for design when they merged to master, so if two cores agree that the backport is good (one by proposing, the other by reviewing), they can be merged with a single +2 review.

• Requirements updates proposed by the bot.

• Translation updates proposed by the bot. (See also reviewing translation imports.)

Co-author +2

Co-authors on a patch are allowed to +2 that patch, but at least one +2 from a core not listed as a co-author is required to merge the patch. For example, if core A pushes a patch with cores B and C as a co-authors, core B and core C are both allowed to +2 that patch, but another core is required to +2 before the patch can be merged.

Self-Approval

It is acceptable for a core to self-approve a patch they submitted if it has the requisite 2 +2’s and a CI pass. However, this should not be done if there is any dispute about the patch, such as on a change with 2 +2’s and an unresolved -1.

Note on CI

This policy does not affect CI requirements. Patches must still pass CI before merging.

Author(s)

Primary author:

bnemec

Milestones

The policy is already in effect.

Work Items

Ensure all cores are aware of the policy. Once the policy has merged, an email should be sent to openstack-dev referring to it.

Alternatives

If we do not use the existing os_tempest role then we need to re-write the validate-tempest role which will result in again duplication and it will cost too much time and it also requires another set of efforts for adoption in the community which does not seems to feasible.

Security Impact

None

Upgrade Impact

None

Other End User Impact

We need to educate users for migrating to os_tempest.

Performance Impact

None

Other Deployer Impact

None

Developer Impact

Helps more collaboration and improves testing.

Assignee(s)

Primary assignee:

• Arx Cruz (arxcruz)

• Chandan Kumar (chkumar246)

• Martin Kopec (mkopec)

Work Items

• Install tempest and it’s dependencies from Distro packages

• Running tempest from containers

• Enable stackviz

• python-tempestconf support

• skiplist management

• Keeping all tempest related files at one place

• Bugcheck

• Standalone based TripleO CI job consuming os_tempest role

• Migration path from validate-tempest to os_tempest role

• Documentation update on How to use it

• RDO packaging

Overview

In order to improve the current situation, we propose to create a new “branching” in the tripleoclient commands: openstack tripleo validator

This new subcommand will allow to list and run validations in an independent way.

Doing so will allow to get a clear and clean view on the validations we can run depending on the stage we’re in.

(Note: the subcommand has yet to be defined - this is only a “mock-up”.)

The following subcommands should be supported:

• openstacktripleovalidatorlist: will display all the available validations with a small description, like “validate network capabilities on undercloud”

• openstacktripleovalidatorrun: will run the validations. Should take options, like:

  • --validation-name: run only the passed validation.

  • --undercloud: runs all undercloud-related validations

  • --overcloud: runs all overcloud-related validations

  • --use-mistral: runs validations through Mistral

  • --use-ansible: runs validations directly via Ansible

  • --plan: allows to run validations against specific plan. Defaults to $TRIPLEO_PLAN_NAME or “overcloud”

• in addition, common options for all the subcommands:

  • --extra-roles: path to a local directory containing validation roles maintained by the operator, or swift directory containing extra validation roles.

  • --output: points to a valid Ansible output_callback, such as the native json, or custom validation_output. The default one should be the latter as it renders a “human readable” output. More callbacks can be added later.

The --extra-roles must support both local path and remote swift container, since the custom validation support will push any validation to a dedicated swift directory.

The default engine will be determined by the presence of Mistral: if Mistral is present and accepting requests (meaning the Undercloud is most probably deployed), the validator has to use it by default. If no Mistral is present, it must fallback on the ansible-playbook.

The validations should be in the form of Ansible roles, in order to be easily accessed from Mistral as well (as it is currently the case). It will also allow to get a proper documentation, canvas and gives the possibility to validate the role before running it (ensuring there are metadata, output, and so on).

We might also create some dedicated roles in order to make a kind of “self validation”, ensuring we actually can run the validations (network, resources, and so on).

The UI uses Mistral workflows in order to run the validations - the CLI must be able to use those same workflows of course, but also run at least some validations directly via ansible, especially when we want to validate the undercloud environment before we even deploy it.

Also, in order to avoid Mistral modification, playbooks including validation roles will be created.

In the end, all the default validation roles should be in one and only one location: tripleo-validations. The support for “custom validations” being added, such custom validation should also be supported (see references for details).

In order to get a proper way to “aim” the validations, proper validation groups must be created and documented. Of course, one validation can be part of multiple groups.

In addition, a proper documentation with examples describing the Good Practices regarding the roles content, format and outputs should be created.

For instance, a role should contain a description, a “human readable error output”, and if applicable a possible solution.

Proper testing for the default validations (i.e. those in tripleo-validations) might be added as well in order to ensure a new validation follows the Good Practices.

We might want to add support for “nagios-compatible outputs” and exit codes, but it is not sure running those validations through any monitoring tool is a good idea due to the possible load it might create. This has to be discussed later, once we get the framework in place.

Alternatives

No real alternatives in fact. Currently, we have many ways to validate, but they are all unrelated, not concerted. If we don’t provide a unified framework, we will get more and more “side validations ways” and it won’t be maintainable.

Security Impact

Rights might be needed for some validations - they should be added accordingly in the system sudoers, in a way that limits unwanted privilege escalations.

Other End User Impact

The end user will get a proper way to validate the environment prior to any action. This will give more confidence in the final product, and ease the update and upgrade processes.

It will also provide a good way to collect information about the systems in case of failures.

If a “nagios-compatible output” is to be created (mix of ansible JSON output, parsing and compatibility stuff), it might provide a way to get a daily report about the health of the stack - this might be a nice feature, but not in the current scope (will need a new stdout_callback for instance).

Performance Impact

The more validations we get, the more time it might take IF we decide to run them by default prior any action.

The current way to disable them, either with a configuration file or a CLI option will stay.

In addition, we can make a great use of “groups” in order to filter out greedy validations.

Other Deployer Impact

Providing a CLI subcommand for validation will make the deployment easier.

Providing a unified framework will allow an operator to run the validations either from the UI, or from the CLI, without any surprise regarding the validation list.

Developer Impact

A refactoring will be needed in python-tripleoclient and probably in tripleo-common in order to get a proper subcommand and options.

A correct way to call Ansible from Python is to be decided (ansible-runner?).

A correct way to call Mistral workflows from the CLI is to be created if it does not already exist.

In the end, the framework will allow other Openstack projects to push their own validations, since they are the ones knowing how and what to validate in the different services making Openstack.

All validations will be centralized in the tripleo-validations repository. This means we might want to create a proper tree in order to avoid having 100+ validations in the same directory.

Assignee(s)

Primary assignee:

cjeanner

Other contributors:

akrivoka ccamacho dpeacock florianf

Work Items

• List current existing validations in both undercloud_preflight.py and openstack-tripleo-validations.

• Decide if we integrate ansible-runner as a dependency (needs to be packaged).

• Implement the undercloud_preflight validations as Ansible roles.

• Implement a proper way to call Ansible from the tripleoclient code.

• Implement support for a configuration file dedicated for the validations.

• Implement the new subcommand tree in tripleoclient.

• Validate, Validate, Validate.

Introduction

While the use of certmonger isn’t in question, the way we’re using it is.

The goal of this document is to describe how we could change that usage, allowing to provide a better security, while allowing Certmonger to restart only the needed containers in an easy fashion.

Implement certmonger in Ansible

A first step will be to implement a certmonger “thing” in Ansible. There are two ways to do that:

• Reusable role

• Native Ansible module

While the first one is faster to implement, the second would be better, since it will allow to provide a clean way to manage the certificates.

Move certificate management to tripleo-heat-templates

Once we have a way to manage Certmonger within Ansible, we will be able to move calls directly in relevant tripleo-heat-templates files, allowing to generate per-container certificate.

Doing so will also allow Certmonger to know exactly which container to restart upon certificate renewal, using a simple “container_cli kill” command.

Maintain a list

We could maintain the code as-is, and just add a list for the containers needing a restart/reload. Certmonger would loop on that list, and do its job upon certificate renewal.

This isn’t a good solution, since the list will eventually lack updates, and this will create new issues instead of solving the current ones.

Also, it doesn’t allow to get per-container certificate, which is bad.

Contributors

• Cédric Jeanneret

• Grzegorz Grasza

• Nathan Kinder

Work Items

• Implement reusable role for Certmonger

• Move certificate management to tripleo-heat-templates

• Remove certmonger parts from Puppet

• Update/create needed documentations about the certificate management

Later: * Implement a proper Ansible Module * Update the role in order to wrap module calls

Overview

We are proposing to add a new undercloud “minion” configuration that can be used by operators to configure additional instances of heat-engine and ironic-conductor when they need more processing capacity. We would also allow the operator to disable heat-engine from the main undercloud to reduce the resource usage of the undercloud. By removing the heat-engine from the regular undercloud, the operator could possibly avoid timeouts on other services like keystone and neutron that can occur when the system is under load.

Alternatives

An alternative would be to make the undercloud deployable in a traditional HA capacity where we share the services across multiple nodes. This would increase the overall capacity but adds additional complexity to the undercloud. Additionally this does not let us target specific services that are resource heavy.

Security Impact

The new node would need to have access to the the main undercloud’s keystone, database and messaging services.

Upgrade Impact

The new minion role would need to be able to be upgraded by the user.

Other End User Impact

None.

Performance Impact

• This additional minion role may improve heat processing due to the additional resource capacity being provided.

• Locating an ironic-conductor closer to the nodes being managed can improve performance by being closer to the systems (less latency, etc).

Other Deployer Impact

Additional undercloud role and a new undercloud-minion.conf configuration file will be created. Additionally a new option may be added to the undercloud.conf to manage heat-engine instalation.

Developer Impact

None.

Assignee(s)

Primary assignee:

mwhahaha

Other contributors:

slagle EmilienM

Work Items

Work items or tasks – break the feature up into the things that need to be done to implement it. Those parts might end up being done by different people, but we’re mostly trying to understand the timeline for implementation.

Benefits

• More collaboration is expected between people working on a same topic. It will reflect officially what we have nearly done over the last cycles.

• People working on the same area of TripleO would have the possibility to do public and open meetings, where anyone would be free to join.

• Newcomers would more easily understand what TripleO project delivers since squads would provide a good overview of the work we do. Also it would be an opportunity for people who want to learn on a specific area of TripleO to join a new squad and learn from others.

• Open more possibilities like setting up mentoring program for each squad, or specific docs to get involved more quickly.

Challenges

• We need to avoid creating silos and keep horizontal collaboration. Working on a squad doesn’t meen you need to ignore other squads.

Squads

The list tends to be dynamic over the cycles, depending on which topics the team is working on. The list below is subject to change as squads change.

Author(s)

Primary author:

emacchi

Milestones

Ongoing

Work Items

• Work with TripleO developers to document the area of work for every squad.

• Document the output.

• Document squads members.

• Setup Squad meetings if needed.

• For each squad, find a liaison or a squad leader.

Overview

The proposed change would allow for users to directly add new node definitions to the Ansible inventory by way of a new Heat parameter to allow for scaling services onto those new nodes. No change in the <Role>Count parameters would be required.

A minimum set of data would be required when adding a new node to the Ansible inventory. Presently, this includes the TripleO role, and an IP address on each network that is used by that role.

Only scaling of already defined roles will be possible with this method. Defining new roles would still require a full Heat stack update which defined the new role.

Once the new node(s) are added to the inventory, ansible-playbook could be rerun with the config-download directory to scale the software services out on to the new nodes.

As increasing the node count in the Heat stack operation won’t be necessary when scaling, if baremetal provisioning is required for the new nodes, then this work depends on the nova-less-deploy work:

https://specs.openstack.org/openstack/tripleo-specs/specs/stein/nova-less-deploy.html

Once baremetal provisioning is migrated out of Heat with the above work, then new nodes can be provisioned with those new workflows before adding them directly to the Ansible inventory.

Since new nodes added directly to the Ansible inventory would still be consuming IP’s from the subnet ranges defined for the overcloud networks, Neutron needs to be made aware of those assignments so that there are no overlapping IP addresses. This could be done with a new interface in tripleo-heat-templates that allows for specifying the extra node inventory data. The parameter would be called ExtraInventoryData. The templates would take care of operating on that input and creating the appropriate Neutron ports to correspond to the IP addresses specified in the data.

When tripleo-ansible-inventory is used to generate the inventory, it would query Heat as it does today, but also layer in the extra inventory data as specified by ExtraInventoryData. The resulting inventory would be a unified view of all nodes in the deployment.

ExtraInventoryData may be a list of files that are consumed with Heat’s get_file function so that the deployer can keep their inventory data organized by file.

Alternatives

This change is primarily targeted at addressing scaling issues around the Heat stack operation. Alternative methods include using undercloud minions:

https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/undercloud_minion.html

Multi-stack/split-controlplane also addresses the issue somewhat by breaking up the deployment into smaller and more manageable stacks:

https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/distributed_compute_node.html

These alternatives are complimentary to the proposed solution here, and all of these solutions can be used together for the greatest benefits.

Security Impact

IP addresses and hostnames would potentially exist in user managed templates that have the value for ExtraInventoryData, however this is no different than what is present today.

Upgrade Impact

The upgrade process will need to be aware that not all nodes are represented in the Heat stack, and some will be represented only in the inventory. This should not be an issue as long as there is a consistent interface to get a single unified inventory as there exists now.

Any changes around creating the unified view of the inventory should be made within the implementation of that interface (tripleo-ansible-inventory) such that existing tooling continues to use an inventory that contains all nodes for a deployment.

Other End User Impact

Users will potentially have to manage additional environment files for the extra inventory data.

Performance Impact

Performance should be improved during scale out operations.

However, it should be noted that Ansible will face scaling challenges as well. While this change does not directly introduce those new challenges, it may expose them more rapidly as it bypasses the Heat scaling challenges.

For example, it is not expected that simply adding hundreds or thousands of new nodes directly to the Ansible inventory means that scaling operation would succeed. It would likely expose new scaling challenges in other tooling, such as the playbook and role tasks or Ansible itself.

Other Deployer Impact

Since this proposal is meant to align with the nova-less-deploy, all nodes (whether they are known to Heat or not) would be unprovisioned if the deployment is deleted.

If using pre-provisioned nodes, then there is no change in behavior in that deleting the Heat stack does not actually “undeploy” any software. This proposal does not change that behavior.

Developer Impact

Developers could more quickly test scaling by bypassing the Heat stack update completely if desired, or using the ExtraInventoryData interface.

Assignee(s)

Primary assignee:

James Slagle <jslagle@redhat.com>

Work Items

• Add new parameter ExtraInventoryData

• Add Heat processing of ExtraInventoryData

  • create Neutron ports

  • add stack outputs

• Update tripleo-ansible-inventory to consume from added stack outputs

• Update HostsEntry to be generic

Overview

TripleO should create a new repository where ansible roles, plugins and modules that wrap TripleO actions can be stored. This repository should be branchless so that the roles can be used with any currently supported version of TripleO. The goal is to only provide automation for TripleO actions and not necessarily other cloud related actions. The roles in this new repository should only be targeted to providing an automation interface for the existing tripleoclient commands. The repository may provide basic setups actions such as implementing a wrapper around tripleo-repos. The roles contained in this repository should not implement additional day 2 cloud related operations such as creating servers, networks or other resources on the deployed Overcloud.

This new repository should be able to be packaged and distributed via an RPM as well as being able to be published to Ansible Galaxy. The structure of this new repository should be Ansible collections compatible.

The target audience of the new repository would be end users (operators, developers, etc) who want to write automation around TripleO. The new repository and roles would be our officially supported automation artifacts. One way to describe this would be like providing Puppet modules for a given peice of software so that it can be consumed by users who use Puppet. The existing CLI will continue to function for users who do not want to use Ansible to automate TripleO deployments or who wish to continue to use the CLI by hand. The roles are not a replacement for the CLI, but only provide an official set of roles for people who use Ansible.

The integration point for Ansible users would be the roles provided via tripleo-operator-ansible. We would expect users to perform actions by including our provided roles.

An example playbook for a user could be:

-hosts:undercloudgather_facts:truetasks:-include_role:role:tripleo_undercloudtasks_from:installvars:tripleo_undercloud_configuration:DEFAULT:undercloud_debug:Truelocal_ip:192.168.50.1/24-name:Copy nodes.jsoncopy:src:/home/myuser/my-environment-nodes.jsondest:/home/stack/nodes.json-include_role:role:tripleo_baremetaltasks_from:introspectionvars:tripleo_baremetal_nodes_file:/home/stack/nodes.jsontripleo_baremetal_introspection_provide:Truetripleo_baremetal_introspection_all_managable:True-include_role:role:tripleo_overcloudtasks_from:deployvars:tripleo_overcloud_environment_files:-network_isolation.yaml-ceph_storage.yamltripleo_overcloud_roles:-Controller-Networker-Compute-CephStorage

The internals of these roles could possibly proceed in two different paths:

• Implement simple wrappers around the invocation of the actual TripleO commands using execs, shell or commands. This path will likely be the fastest path to have an initial implementation.

-name:Install undercloudcommand:"openstackundercloudinstall{{tripleo_undercloud_install_options}}"chdir:"{{tripleo_undercloud_install_directory}}"

• Implement a python wrapper to call into the provided tripleoclient classes. This path may be a longer term goal as we may be able to provide better testing by using modules.

#!/usr/bin/python# import the python-tripleoclient# undercloud clifromtripleoclient.v1importundercloudimportsysimportjsonimportosimportshlex# See the following for details# https://opendev.org/openstack/python-tripleoclient/src/branch/# master/tripleoclient/v1/undercloud.py# setup the osc commandclassArg:verbose_level=4# instantiate theu=undercloud.InstallUndercloud('tripleo',Arg())# prog_name = 'openstack undercloud install'tripleo_args=u.get_parser('openstack undercloud install')# read the argument string from the arguments fileargs_file=sys.argv[1]args_data=file(args_file).read()# For this module, we're going to do key=value style arguments.arguments=shlex.split(args_data)forarginarguments:# ignore any arguments without an equals in itif"="inarg:(key,value)=arg.split("=")# if setting the time, the key 'time'# will contain the value we want to set the time toifkey=="dry_run":ifvalue=="True":tripleo_args.dry_run=Trueelse:tripleo_args.dry_run=Falsetripleo_args.force_stack_validations=Falsetripleo_args.no_validations=Truetripleo_args.force_stack_update=Falsetripleo_args.inflight=False# execute the install via python-tripleoclientrc=u.take_action(tripleo_args)ifrc!=0:print(json.dumps({"failed":True,"msg":"failed tripleo undercloud install"}))sys.exit(1)print(json.dumps({"changed":True,"msg":"SUCCESS"}))sys.exit(0)

-name:Install undercloudtripleo_undercloud:install:truefoo:bar

These implementations will need to be evaluated to understand which works best when attempting to support multiple versions of TripleO where options may or may not be available. The example of this is where we supported one cli parameter in versions >= Stein but not prior to this.

The goal is to have a complete set of roles to do basic deployments within a single cycle. We should be able to itterate on the internals of the roles once we have established basic set to prove out the concept. More complex actions or other version support may follow on in later cycles.

Alternatives

• Do nothing and continue to have multiple tools re-implement the actions in ansible roles.

• Pick a singular implementaion from the existing set and merge them together within this existing tool. This however may include additional actions that are outside of the scope of the TripleO management. This may also limit the integration by others if established interfaces are too opinionated.

Security Impact

None.

Upgrade Impact

There should be no upgrade impact other than pulling in the upgrade related actions into this repository.

Other End User Impact

None.

Performance Impact

None.

Other Deployer Impact

None.

Developer Impact

Developers will need to ensure the supported roles are updated if the cli or other actions are updated with new options or patterns.

Assignee(s)

Primary assignee:

mwhahaha

Other contributors:

weshay emilienm cloudnull

Work Items

The existing roles should be evaulated to see if they can be reused and pulled into the new repository.

• Create new tripleo-operator-ansible

• Establish CI and testing framework for the new repository

• Evaulate and pull in existing roles if possible

• Initial implementation may only be a basic wrapper over the cli

• Update tripleo-quickstart to leverage the newly provided roles and remove previously roles.

Tags

Author(s)

Primary author:

jpichon

Milestones

Newton-3

Work Items

Once the policy has merged, someone with the appropriate Launchpad permissions should create the tags and an email should be sent to openstack-dev referring to this policy.

Overview

Remove Mistral from the TripleO undercloud and convert all Mistral workbooks, workflows and actions to Ansible playbooks within tripleo-ansible. tripleoclient will then be updated to execute the Ansible playbooks rather than the Mistral workflows.

Alternatives

The only other alternative candidate is to keep using Mistral and accept the complexity and reinvest in the project.

Security Impact

• As the code will be re-writing Mistral workflows that currently deal with passwords, tokens and secrets we will need to be careful. However the logic should be largely the same.

• With the eventual removal of Mistral and Zaqar two complex systems can be removed which will reduce the surface area for security issues.

• The new Ansible playbooks will only use the undercloud OpenStack APIs, therefore they shouldn’t create a new attack vector.

Upgrade Impact

• Upgrades will need to remove Mistral services and make sure the Ansible playbooks are in place.

• Older versions of tripleoclient will no longer work with the undercloud as they will expect Mistral to be present.

• Most of the data in Mistral is ephemeral, but some longer term data is stored in Mistral environments. This data will likely be moved to Swift.

Other End User Impact

The output of CLI commands will change format. For example, the Mistral workflow ID will no longer be included and other Ansible specific output will be included. Where possible we will favour streaming Ansible output to the user, making tripleoclient very light and transparent.

Some CLI commands, such as introspection will need to fundamentally change their output. Currently they send real time updates and progress to the client with Zaqar. Despite moving the execution locally, we are unable to easily get messages from a Ansible playbook while it is running. This means the user may need to wait a long time before they get any feedback.

Performance Impact

There is no expected performance impact as the internal logic should be largely the same. However, the Ansible playbooks will be executed where the user runs the CLI rather than by the Mistral server. This could then be slower or faster depending on the resources available to the machine and the network connection to the undercloud.

The undercloud itself should have more resources available since it wont be running Mistral or Zaqar.

Other Deployer Impact

If anyone is using the Mistral workflows directly, they will stop working. We currently don’t know of any users doing this and it was never documented.

Developer Impact

Developers will need to contribute to Ansible playbooks instead of Mistral workflows. As the pool of developers that know Ansible is larger than those that know Mistral this should make development easier. Ansible contributions will likely expect unit/functional tests.

Assignee(s)

Primary assignee:

d0ugal

Other contributors:

• apetrich

• ekultails

• sshnaidm

• cloudnull

Work Items

Storyboard is being used to track this work:

https://storyboard.openstack.org/#!/board/208

• Migrate the Mistral workflows to Ansible playbooks.

• Migrate or replace custom Mistral actions to Ansible native components.

• Remove Mistral and Zaqar.

• Update documentation specific to Mistral.

• Extend our auto-documentation plugin to support playbooks within tripleo-ansible. This will allow us to generate API documentation for all playbooks committed to tripleo-ansible, which will include our new cli prefixed playbooks.

Problem Description

Where possible, modern high-performance datacenter networks typically use routed networking to increase scalability and reduce failure domains. Using routed networks makes it possible to optimize a Clos (also known as “spine-and-leaf”) architecture for scalability:

,=========.,=========.|spine1|____|spine2|'==|\=====\_ \__________________/ _/=====/|=='| \_     \___/       \  ___/_/|^|    \___/    \ _______/   \ ___/||--Dynamicrouting(BGP,OSPF,|/  \       /       \      /  \    |vEIGRP),------.,------,------.,------.|leaf1|....|leaf2||leaf3|....|leaf4|========Layer2/3boundary'------''------''------''------'|||||||||-[serv-A1]=-||-[serv-B1]=-||-[serv-A2]=-||-[serv-B2]=-||-[serv-A3]=-||-[serv-B3]=-|RackARackB

In the above diagram, each server is connected via an Ethernet bond to both top-of-rack leaf switches, which are clustered and configured as a virtual switch chassis. Each leaf switch is attached to each spine switch. Within each rack, all servers share a layer 2 domain. The subnets are local to the rack, and the default gateway is the top-of-rack virtual switch pair. Dynamic routing between the leaf switches and the spine switches permits East-West traffic between the racks.

This is just one example of a routed network architecture. The layer 3 routing could also be done only on the spine switches, or there may even be distribution level switches that sit in between the top-of-rack switches and the routed core. The distinguishing feature that we are trying to enable is segregating local systems within a layer 2 domain, with routing between domains.

In a shared layer-2 architecture, the spine switches typically have to act in an active/passive mode to act as the L3 gateway for the single shared VLAN. All leaf switches must be attached to the active switch, and the limit on North-South bandwidth is the connection to the active switch, so there is an upper bound on the scalability. The Clos topology is favored because it provides horizontal scalability. Additional spine switches can be added to increase East-West and North-South bandwidth. Equal-cost multipath routing between switches ensures that all links are utlized simultaneously. If all ports are full on the spine switches, an additional tier can be added to connect additional spines, each with their own set of leaf switches, providing hyperscale expandability.

Each network device may be taken out of service for maintenance without the entire network being offline. This topology also allows the switches to be configured without physical loops or Spanning Tree, since the redundant links are either delivered via bonding or via multiple layer 3 uplink paths with equal metrics. Some advantages of using this architecture with separate subnets per rack are:

• Reduced domain for broadcast, unknown unicast, and multicast (BUM) traffic.

• Reduced failure domain.

• Geographical separation.

• Association between IP address and rack location.

• Better cross-vendor support for multipath forwarding using equal-cost multipath forwarding (ECMP) via L3 routing, instead of proprietary “fabric”.

This topology is significantly different from the shared-everything approach that TripleO takes today.

Proposed Change

The proposed changes are discussed below.

allowtrafficfrom172.19.0.0/16to172.19.0.0/16denytrafficfrom*to172.19.0.0/16

Implementation

Dependencies

There may be a dependency on the Neutron Routed Networks. This won’t be clear until a full evaluation is done on whether we can represent spine-and-leaf using only multiple subnets per network.

There will be a dependency on routing switches that perform DHCP relay service for production spine-and-leaf deployments.

Testing

In order to properly test this framework, we will need to establish at least one CI test that deploys spine-and-leaf. As discussed in this spec, it isn’t necessary to have a full routed bare metal environment in order to test this functionality, although there is some work to get it working in virtual environments such as OVB.

For bare metal testing, it is sufficient to trunk all VLANs back to the Undercloud, then run DHCP proxy on the Undercloud to receive all the requests and forward them to br-ctlplane, where dnsmasq listens. This will provide a substitute for routers running DHCP relay. For Neutron DHCP, some modifications to the iptables rule may be required to ensure that all DHCP requests from the overcloud nodes are received by the DHCP proxy and/or the Neutron dnsmasq process running in the dhcp-agent namespace.

Documentation Impact

The procedure for setting up a dev environment will need to be documented, and a work item mentions this requirement.

The TripleO docs will need to be updated to include detailed instructions for deploying in a spine-and-leaf environment, including the environment setup. Covering specific vendor implementations of switch configurations is outside this scope, but a specific overview of required configuration options should be included, such as enabling DHCP relay (or “helper-address” as it is also known) and setting the Undercloud as a server to receive DHCP requests.

The updates to TripleO docs will also have to include a detailed discussion of choices to be made about IP addressing before a deployment. If supernets are to be used for network isolation, then a good plan for IP addressing will be required to ensure scalability in the future.

References

0

Review: TripleO Heat Templates: Tripleo routed networks ironic inspector, and Undercloud

1

Spec: Routed Networks for Neutron

3

Review: Modify os-net-config to make changes without bouncing interface

5

Blueprint: Modify TripleO Ironic Inspector to PXE Boot Via DHCP Relay

6

Spec: Modify TripleO Ironic Inspector to PXE Boot Via DHCP Relay

7

Blueprint: User-specifiable Control Plane IP on TripleO Routed Isolated Networks

8

Spec: User-specifiable Control Plane IP on TripleO Routed Isolated Networks

9

Review: Configure ctlplane network with a static IP

10(1,2)

Review: Neutron: Make “on-link” routes for subnets optional

11

Review: Ironic Inspector: Make “on-link” routes for subnets optional

12

Review: Ironic Inspector: Introducing a dnsmasq PXE filter driver

13

Review: Multiple DHCP Subnets for Ironic Inspector

14

Review: Instack Undercloud: Add support for multiple inspection subnets

15(1,2)

Review: DHCP Agent: Separate local from non-local subnets

16(1,2)

Review Series: topic:bp/composable-networks

17

Review Series: project:openstack/networking-baremetal

Problem Description

OpenStack upgrades are often seen by operators as problematic 12. Whilst TripleO upgrades have improved greatly over recent cycles many operators are still reluctant to upgrade with each new release.

This often leads to a situation where environments remain on the release used when first deployed. Eventually this release will come to the end of its supported life (EOL), forcing operators to upgrade to the next supported release. There can also be restrictions imposed on an environment that simply do not allow upgrades to be performed ahead of the EOL of a given release, forcing operators to again wait until the release hits EOL.

While it is possible to then linearly upgrade to a supported release with the cadence of upstream releases, downstream distributions providing long-term support (LTS) releases may not be able to provide the same path once the initially installed release reaches EOL. Operators in such a situation may also want to avoid running multiple lengthy linear upgrades to reach their desired release.

Proposed Change

Newton    Ocata     Pike       Queens
+-----+   +-----+   +-----+    +-----+
||| N+1 || N+2 ||||  N  | ---------------------> | N+3 |||||||||
+-----+   +-----+   +-----+    +-----+

fast_forward_upgrade_tasks:-name:Example Ocata step 2 taskcommand:/bin/foo barwhen:-step|int == 2-release == 'ocata'

openstack overcloud fast-forward-upgrade --templates [..path to latest THT..]\[..original environment arguments..]\[..new container environment agruments..]

openstack overcloud deploy --templates [..path to latest THT..]\[..original environment arguments..]\[..new container environment agruments..]\
                           -e environments/fast-forward-upgrade.yaml \
                           -e environments/noop-deploy-steps.yaml
openstack overcloud config download

Implementation

Dependencies

• TripleO - Ansible upgrade Workflow with UI integration 9

The new major upgrade workflow being introduced for Pike to Queens upgrades will obviously impact what fast-forward upgrades looks like to Queens. At present the high level flow for fast-forward upgrades assumes that we can reuse the current upgrade_tasks between N+2 and N+3 to disable and then potentially remove baremetal services. This is likely to change as the major upgrade workflow is introduced and so it is likely that these steps will need to be encoded in fast_forward_upgrade_tasks.

Testing

• Third party CI jobs will need to be created to test Newton to Queens using RDO given the upstream EOL of stable/newton with the release of Pike.

• These jobs should cover the initial undercloud upgrade, overcloud upgrade and optional canary compute node checks.

• An additional third party CI job will be required to verify that a Queens undercloud can correctly manage a Newton overcloud, allowing the separation of the undercloud upgrade and fast-forward upgrade discussed under prerequisites.

• Finally, minimal overcloud roles should be used to verify the upgrade for certain services. For example, when changes are made to the fast_forward_upgrade_tasks of Nova via changes to docker/services/nova-*.yaml files then a basic overcloud deployment of Keystone, Glance, Swift, Cinder, Neutron and Nova could be used to quickly verify the changes in regards to fast-forward upgrades.

Documentation Impact

• This will require extensive developer and user documentation to be written, most likely in a new section of the docs specifically detailing the fast-forward upgrade flow.

References

1

https://etherpad.openstack.org/p/MEX-ops-migrations-upgrades

2

https://etherpad.openstack.org/p/BOS-forum-skip-level-upgrading

3

https://governance.openstack.org/tc/reference/tags/assert_supports-upgrade.html

4

http://tripleo.org/install/post_deployment/package_update.html

5

https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/README.rst#update-steps

6

https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/README.rst#upgrade-steps

7

https://review.openstack.org/#/c/495658/

8

https://review.openstack.org/#/q/topic:major-upgrade+(status:open+OR+status:merged)

9

https://specs.openstack.org/openstack/tripleo-specs/specs/queens/tripleo_ansible_upgrades_workflow.html

Tracking Code Tech Debt with Bugs

Intentionally created tech debt items should have a bug 1 created with the tech-debt tag added to it. Additionally the commit message of the change should reference this tech-debt bug and if possible a comment should be added into the code referencing who put it in there.

Example Commit Message:

Alwaysexit0becausefooiscurrentlybrokenWeneedtoalwaysexit0becausethefooprocesseroneouslyreturns42.Abughasbeenreportedupstreambutwearenotsurewhenitwillbeaddressed.Related-Bug:#1234567

Example Comment:

# TODO(aschultz): We need this because the world is falling apart LP#1234567foo||exit0

Triaging Bugs as Tech Debt

If an end user reports a bug that we know is a tech debt item, the person triaging the bug should add the tech-debt tag to the bug.

Reporting Tech Debt

With the tech-debt tag on bugs, we should be able to keep a running track of the bugs we have labeled and should report on this every release milestone to see trends around how much is being added and when. As part of our triaging of bugs, we should strive to add net-zero tech-debt bugs each major release if possible.

Alternatives

We continue to not track any of these things and continue to rely on developers to remember when they add code and circle back around to fix it themselves or when other developers find the issue and remove it.

Author(s)

Primary author:

aschultz

Milestones

Queens-1

Work Items

• aschultz to create tech-debt tag in Launchpad.

Mistral Workflows to Derive Parameters

A group of Mistral workflows will be added for the features which are complex to determine the deployment parameters. Features like DPDK, SR-IOV and HCI require, input from the introspection data to be analyzed to compute the deployment parameters. This derive parameters workflow will provide a default set of computational formulas by analyzing the introspected data. Thus, there will be a hard dependency with node introspection for this workflow to be successful.

During the first iterations, all the roles in a deployment will be analyzed to find a service associated with the role, which requires parameter derivation. Various options of using this and the final choice for the current iteration is discussed in below section Workflow Association with Services.

This workflow assumes that all the nodes in a role have a homegenous hardware specification and introspection data of the first node will be used for processing the parameters for the entire role. This will be reexamined in later iterations, based on the need for node specific derivations. The workflow will consider the flavor-profile association and nova placement scheduler to identify the nodes associated with a role.

Role-specific parameters are an important requirement for this workflow. If there are multiple roles with the same service (feature) enabled, the parameters which are derived from this workflow will be applied only on the corresponding role.

The input sources for these workflows are the ironic database and ironic introspection data stored in Swift, in addition to the Deployment plan stored in Swift. Computations done to derive the parameters within the Mistral workflow will be implemented in YAQL. These computations will be a separate workflow on per feature basis so that the formulas can be customizable. If an operator has to modify the default formulas, he or she has to update only this workflow with customized formula.

Applying Derived Parameters to the Overcloud

In order for the resulting parameters to be applied to the overcloud, the deployment plan, which is stored in Swift on the undercloud, will be modified with the Mistral tripleo.parameters.update action or similar.

The methods for providing input for derivation and the update of parameters which are derivation output should be consistent with the Deployment Plan Management specification 1. The implementation of this spec with respect to the interfaces to set and get parameters may change as it is updated. However, the basic workflow should remain the same.

Trigger Mistral Workflows with TripleO

Assuming that workflows are in place to derive parameters and update the deployment plan as described in the previous two sections, an operator may take advantage of this optional feature by enabling it via plan-environment.yaml. A new section workflow_parameters will be added to the plan-environments.yaml file to accomodate the additional parameters required for executing workflows. With this additional section, we can ensure that the workflow specific parameters are provide only to the workflow, without polluting the heat environments. It will also be possible to provide multiple plan environment files which will be merged in the CLI before plan creation.

These additional parameters will be read by the derive params workflow directly from the merged plan-environment.yaml file stored in Swift.

It is possible to modify the created plan or modify the profile-node association, after the derive parameters workflow execution. As of now, we assume that there no such alterations done, but it will be extended after the initial iteration, to fail the deployment with some validations.

An operator should be able to derive and view parameters without doing a deployment; e.g. “generate deployment plan”. If the calculation is done as part of the plan creation, it would be possible to preview the calculated values. Alternatively the workflow could be run independently of the overcloud deployment, but how that will fit with the UI workflow needs to be determined.

Users may still override parameters

If a workflow derives a parameter, e.g. cpu_allocation_ratio, but the operator specified a cpu_allocation_ratio in their overcloud deploy, then the operator provided value is given priority over the derived value. This may be useful in a case where an operator wants all of the values that were derived but just wants to override a subset of those parameters.

Handling Cross Dependency Resources

It is possible that multiple workflows will end up deriving parameters based on the same resource (like CPUs). When this happens, it is important to have a specific order for the workflows to be run considering the priority.

For example, let us consider the resource CPUs and how it should be used between DPDK and HCI. DPDK requires a set of dedicated CPUs for Poll Mode Drivers (NeutronDpdkCoreList), which should not be used for host process (ComputeHostCpusList) and guest VM’s (NovaVcpuPinSet). HCI requires the CPU allocation ratio to be derived based on the number of CPUs that are available for guest VMs (NovaVcpuPinSet). Priority is given to DPDK, followed by HOST parameters and then HCI parameters. In this case, the workflow execution starts with a pool of CPUs, then:

• DPDK: Allocate NeutronDpdkCoreList

• HOST: Allocate ComputeHostCpusList

• HOST: Allocate NovaVcpuPinSet

• HCI: Fix the cpu allocation ratio based on NovaVcpuPinSet

Derived parameters for specific services or roles

If an operator only wants to configure Enhanced Placement Awareness (EPA) features like CPU pinning or huge pages, which are not associated with any feature like DPDK or HCI, then it should be associated with just the compute service.

Workflow Association with Services

The optimal way to associate the derived parameter workflows with services, is to get the list of the enabled services on a given role, by previewing Heat stack. With the current limitations in Heat, it is not possible fetch the enabled services list on a role. Thus, a new parameter will be introduced on the service which is associated with a derive parameters workflow. If this parameter is referenced in the heat resource tree, on a specific role, then the corresponding derive parameter workflow will be invoked. For example, the DPDK service will have a new parameter “EnableDpdkDerivation” to enable the DPDK specific workflows.

Future integration with TripleO UI

If this spec were implemented and merged, then the TripleO UI could have a menu item for a deployment, e.g. HCI, in which the deployer may choose a derivation profile and then deploy an overcloud with that derivation profile.

The UI could better integrate with this feature by allowing a deployer to use a graphical slider to vary an existing derivation profile and then save that derivation profile with a new name. The following cycle could be used by the deployer to tune the overcloud.

• Choose a deployment, e.g. HCI

• Choose an HCI profile, e.g. many_small_vms

• Run the deployment

• Benchmark the planned workload on the deployed overcloud

• Use the sliders to change aspects of the derivation profile

• Update the deployment and re-run the benchmark

• Repeat as needed

• Save the new derivation profile as the one to be deployed in the field

The implementation of this spec would enable the TripleO UI to support the above.

Alternatives

The simplest alternative is for operators to determine what tunings are appropriate by testing or reading documentation and then implement those tunings in the appropriate Heat environment files. For example, in an HCI scenario, an operator could run nova_mem_cpu_calc.py 4 and then create a Heat environment file like the following with its output and then deploy the overcloud and directly reference this file:

parameter_defaults:ExtraConfig:nova::compute::reserved_host_memory:75000nova::cpu_allocation_ratio:8.2

This could translate into a variety of overrides which would require initiative on the operator’s part.

Another alternative is to write separate tools which generate the desired Heat templates but don’t integrate them with TripleO. For example, nova_mem_cpu_calc.py and similar, would produce a set of Heat environment files as output which the operator would then include instead of output containing the following:

• nova.conf reserved_host_memory_mb = 75000 MB

• nova.conf cpu_allocation_ratio = 8.214286

When evaluating the above, keep in mind that only two parameters for CPU allocation and memory are being provided as an example, but that a tuned deployment may contain more.

Security Impact

There is no security impact from this change as it sits at a higher level to automate, via Mistral and Heat, features that already exist.

Other End User Impact

Operators need not manually derive the deployment parameters based on the introspection or hardware specification data, as it is automatically derived with pre-defined formulas.

Performance Impact

The deployment and update of an overcloud may take slightly longer if an operator uses this feature because an additional Mistral workflow needs to run to perform some analytics before applying configuration updates. However, the performance of the overcloud would be improved because this proposal aims to make it easier to tune the overcloud for performance.

Other Deployer Impact

A new configuration option is being added, but it has to be explicitly enabled, and thus it would not take immediate effect after its merged. Though, if a deployer chooses to use it and there is a bug in it, then it could affect the overcloud deployment. If a deployer uses this new option, and had a deploy in which they set a parameter directly, e.g. the Nova cpu_allocation_ratio, then that parameter may be overridden by a particular tuning profile. So that is something a deployer should be aware of when using this proposed feature.

The config options being added will ship with a variety of defaults based on deployments put under load in a lab. The main idea is to make different sets of defaults, which were produced under these conditions, available. The example discussed in this proposal and to be made available on completion could be extended.

Developer Impact

This spec proposes modifying the deployment plan which, if there was a bug, could introduce problems into a deployment. However, because the new feature is completely optional, a developer could easily disable it.

Assignee(s)

Primary assignees:

skramaja fultonj

Other contributors:

jpalanis abishop shardy gfidente

Work Items

• Derive Params start workflow to find list of roles

• Workflow run for each role to fetch the introspection data and trigger individual features workflow

• Workflow to identify if a service associated with a features workflow is enabled in a role

• DPDK Workflow: Analysis and concluding the format of the input data (jpalanis)

• DPDK Workflow: Parameter deriving workflow (jpalanis)

• HCI Workflow: Run a workflow that calculates the parameters (abishop)

• SR-IOV Workflow

• EPA Features Workflow

• Run the derive params workflow from CLI

• Add CI scenario testing if workflow with produced expected output

Avoid duplication of effort

If there is a feature or bug fix in the Ceph community’s tools not in the tools used by TripleO, then members of the TripleO community could allow deployers to use those features directly instead of writing their own implementation. If this proposal is successful, then it might result in not maintaining two code bases, (along with the bug fixes and testing included) in the future. For example, if ceph-ansible fixed a bug to correctly handle alternative system paths to block devices, e.g. /dev/disk/by-path/ in lieu of /dev/sdb, then the same bug would not need to be fixed in puppet-ceph. This detail would also be nicely abstracted from a deployer because this spec proposes maintaining parity with TripleO Heat Templates. Thus, the deployer would not need to change the ceph::profile::params::osds parameter as the same list of OSDs would work.

In taking this approach it’s possible for there to be cases where TripleO’s deployment architecture may have unique features that don’t exist within ceph-ansible. In these cases, efforts may need to be taken so ensure such a features remian in parity with this approach. In no way, does this proposal enable a TripleO deployer to bypass TripleO and use ceph-ansible directly. Also, because Ceph is not an OpenStack service itself but a service that TripleO uses, this approach remains consistent with the TripleO mission.

Consistency between OpenStack and non-OpenStack Ceph deployments

A deployer may seek assistance from the Ceph community with a Ceph deployment and this process will be simplified if both deployments were done using the same tool.

Enable Decoupling of Ceph management from TripleO

The complexity of Ceph management can be moved to a different tool and abstracted, where appropriate, from TripleO making the Ceph management aspect of TripleO less complex. Combining this with containerized Ceph would offer flexible deployment options. This is a deployer benefit that is difficult to deliver today.

Features in the Ceph community’s tools not in TripleO’s tools

The Ceph community tool, ceph-ansible 1, offers benefits to OpenStack users not found in TripleO’s tool chain, including playbooks to deploy Ceph in containers and migrate a non-containerized deployment to a containerized deployment without downtime. Also, making the Ceph deployment in TripleO less tightly coupled, by moving it into a new Mistral workflow, would make it easier in a future release to add a business logic layer through a tool like Tendrl 2, to offer additional Ceph policy based configurations and possibly a graphical tool to see the status of the Ceph cluster. However, the scope of this proposal for Pike does not include Tendrl and instead takes the first step towards deploying Ceph via a Mistral workflow by triggering ceph-ansible directly. After the Pike cycle is complete triggering Mistral may be considered in a future spec.

Overview

The ceph-ansible 1 project provides a set of playbooks to deploy and manage Ceph. A proof of concept 3 has been written which uses two custom Mistral actions from the experimental mistral-ansible-actions project 4 to have a Mistral workflow on the undercloud trigger ceph-ansible to produce a working hyperconverged overcloud.

The deployer experience to stand up Ceph with TripleO at the end of this cycle should be the following:

1. The deployer chooses to deploy a role containing any of the Ceph server services: CephMon, CephOSD, CephRbdMirror, CephRgw, or CephMds.

2. The deployer provides the same Ceph parameters they provide today in a Heat env file, e.g. a list of OSDs.

3. The deployer starts the deploy and gets an overcloud with Ceph

Thus, the deployment experience remains the same for the deployer but behind the scenes a Mistral workflow is started which triggers ceph-ansible. The details of the Mistral workflow to accomplish this follows.

TripleO Ceph Deployment via Mistral

TripleO’s workflow to deploy a Ceph cluster would be changed so that there are two ways to deploy a Ceph cluster; the way currently supported by TripleO and the way described in this proposal.

The workflow described here assumes the following:

1. A deployer chooses to deploy Ceph server services from the following list of five services found in THT’s roles_data.yaml: CephMon, CephOSD, CephRbdMirror, CephRgw, or CephMds.

2. The deployer chooses to include new Heat environment files which will be in THT when this spec is implemented. The new Heat environment file will change the implementation of any of the five services from the previous step. Using storage-environment.yaml, which defaults to Ceph deployed by puppet-ceph, will still trigger the Ceph deployment by puppet-ceph. However, if the new Heat environment files are included instead of storage-environment.yaml, then the implementation of the service will be done by ceph-ansible instead; which already configures these services for hosts under the following roles in the Ansible inventory: mons, osds, mdss, rgws, or rbdmirrors.

3. The undercloud has a directory called /usr/share/ceph-ansible which contains the ceph-ansible playbooks described in this spec. It will be present because its install will contain the installation of the ceph-ansible package.

4. The Mistral on the Undercloud will contain to custom actions called ansible and ansible-playbook (or similar) and will also contain the workflow for each task below and can be observed by running openstack workflow list. Assume this is the case because the tripleo-common package will be modified to ship these actions and they will be available after undercloud installation.

5. Heat will ship a new CustomResource type like OS::Mistral::WorflowExecution 6, which will execute custom Mistral workflows.

The standard TripleO workflow, as executed by a deployer, will create a custom Heat resource which starts an independent Mistral workflow to interact with ceph-ansible. An example of such a Heat resource would be OS::Mistral::WorflowExecution 6.

Each independent Mistral workflow may be implemented directly in tripleo-common/workbooks. A separate Mistral workbook will be created for each goal described below:

• Initial deployment of OpenStack and Ceph

• Adding additional Ceph OSDs to existing OpenStack and Ceph clusters

The initial goal for the Pike cycle will be to maintain feature parity with what is possible today in TripleO and puppet-ceph but with containerized Ceph. Additional Mistral workflows may be written, time permitting or in a future cycle to add new features to TripleO’s Ceph deployment which leverage ceph-ansible playbooks to shrink the Ceph Cluster and safely remove an OSD or to perform maintenance on the cluster by using Ceph’s ‘noout’ flag so that the maintenance does not result in more data migration than necessary.

Initial deployment of OpenStack and Ceph

The sequence of events for this new Mistral workflow and Ceph-Ansible to be triggered during initial deployment with TripleO follows:

1. Define the Overcloud on the Undercloud in Heat. This includes the Heat parameters that are related to storage which will later be passed to ceph-ansible via a Mistral workflow.

2. Run openstack overcloud deploy with standard Ceph options but including a new Heat environment file to make the implementation of the service deployment use ceph-ansible.

3. The undercloud assembles and uploads the deployment plan to the undercloud Swift and Mistral environment.

4. Mistral starts the workflow to deploy the Overcloud and interfaces with Heat accordingly.

5. A point in the deployment is reached where the Overcloud nodes are imaged, booted, and networked. At that point the undercloud has access to the provisioning or management IPs of the Overcloud nodes.

6. A new Heat Resource is created which starts a Mistral workflow to Deploy Ceph on the systems with the any of the five Ceph server services, including CephMon, CephOSD, CephRbdMirror, CephRgw, or CephMds 6.

7. The servers which host Ceph services have their relevant firewall ports opened according to the needs of their service, e.g. the Ceph monitor firewalls are configured to accept connections on TCP port 6789. 7.

8. The Heat resource is passed the same parameters normally found in the tripleo-heat-templates environments/storage-environment.yaml but instead through a new Heat environment file. Additional files may be passed to include overrides, e.g. the list of OSD disks.

9. The Heat resource passes its parameters to the Mistral workflow as parameters. This will include information about which hosts should have which of the five Ceph server services.

10. The Mistral workflow translates these parameters so that they match the parameters that ceph-ansible expects, e.g. ceph::profile::params::osds would become devices though they’d have the same content, which would be a list of block devices. The translation entails building an argument list that may be passed to the playbook by calling ansible-playbook –extra-vars. Typically ceph-ansible uses modified files in the group_vars directory but in this case, no files are modified and instead the parameters are passed programmatically. Thus, the playbooks in /usr/share/ceph-ansible may be run unaltered and that will be the default directory. However, it will be possible to pass an alternative location for the /usr/share/ceph-ansible playbook as an argument. No playbooks are run yet at this stage.

11. The Mistral environment is updated to generate a new SSH key-pair for ceph-ansible and the Overcloud nodes using the same process that is used to create the SSH keys for TripleO validations and install the public key on Overcloud nodes. After this environment update it will be possible to run mistral environment-get ssh_keys_ceph on the undercloud and see the public and private keys in JSON.

12. The Mistral Action Plugin ansible-playbook is called and passed the list of parameters as described earlier. The dynamic ansible inventory used by tripleo-validations is used with the -i option. In order for ceph-ansible to work as usual there must be a group called [mons] and [osds] in the inventory. In addition to optional groups for [mdss], [rgws], or [rbdmirrors]. Modifications to the tripleo-validations project’s tripleo-ansible-inventory script may be made to support this, or a derivative work of the same as shipped by TripleO common. The SSH private key for the heat-admin user and the provisioning or management IPs of the Overcloud nodes are what Ansible will use.

13. The mistral workflow computes the number of forks in Ansible according to the number of machines that are going to be bootstrapped and will pass this number with ansible-playbook –forks.

14. Mistral verifies that the Ansible ping module can execute ansible $group -m ping for any group in mons, osds, mdss, rgws, or rbdmirrors, that was requested by the deployer. For example, if the deployer only specified the CephMon and CephOSD service, then Mistral will only run ansible mons -m ping and ansible osds -m ping. The Ansible ping module will SSH into each host as the heat-admin user with key which was generated as described previously. If this fails, then the deployment fails.

15. Mistral starts the Ceph install using the ansible-playbook action.

16. The Mistral workflow creates a Zaqar queue to send progress information back to the client (CLI or web UI).

17. The workflow posts messages to the “tripleo” Zaqar queue or the queue name provided to the original deploy workflow.

18. If there is a problem during the status of the deploy may be seen by openstack workflow execution list | grep ceph and in the logs at /var/log/mistral/{engine.log,executor.log}. Running openstack stack resource list would show the custom Heat resource that started the Mistral workflow, but openstack workflow execution list and openstack workflow task list would contain more details about what steps completed within the Mistral workflow.

19. The Ceph deployment is done in containers in a way which must prevent any configuration file conflict for any composed service, e.g. if a Nova compute container (as deployed by TripleO) and a Ceph OSD container are on the same node, then they must have different ceph.conf files, even if those files have the same content. Though, ceph-ansible will manage ceph.conf for Ceph services and puppet-ceph will still manage ceph.conf for OpenStack services, neither tool will both try to manage the same ceph.conf because it will be in a different location on the container host and bind mounted to /etc/ceph/ceph.conf within different containers.

20. After the Mistral workflow is completed successfully, the custom Heat resource is considered successfully created. If the Mistral workflow does not complete successfully, then the Heat resource is not considered successfully created. TripleO should handle this the same way that it handles any Heat resource that failed to be created. For example, because the workflow is idempotent, if the resource creation fails because the wrong parameter was passed or because of a temporary network issue, the deployer could simply run a stack-update the Mistral worklow would run again and if the issues which caused the first run to fail were resolved, the deployment should succeed. Similarly if a user updates a parameter, e.g. a new disk is added to ceph::profile::params::osds, then the workflow will run again without breaking the state of the running Ceph cluster but it will configure the new disk.

21. After the dependency of the previous step is satisfied, the TripleO Ceph external Heat resource is created to configure the appropriate Overcloud nodes as Ceph clients.

22. For the CephRGW service, hieradata will be emitted so that it may be used for the haproxy listener setup and keystone users setup.

23. The Overcloud deployment continues as if it was using an external Ceph cluster.

Adding additional Ceph OSD Nodes to existing OpenStack and Ceph clusters

The process to add an additional Ceph OSD node is similar to the process to deploy the OSDs along with the Overcloud:

1. Introspect the new hardware to host the OSDs.

2. In the Heat environment file containing the node counts, increment the CephStorageCount.

3. Run openstack overcloud deploy with standard Ceph options and the environment file which specifies the implementation of the Ceph deployment via ceph-ansible.

4. The undercloud updates the deployment plan.

5. Mistral starts the workflow to update the Overcloud and interfaces with Heat accordingly.

6. A point in the deployment is reached where the new Overcloud nodes are imaged, booted, and networked. At that point the undercloud has access to the provisioning or management IPs of the Overcloud nodes.

7. A new Heat Resource is created which starts a Mistral workflow to add new Ceph OSDs.

8. TCP ports 6800:7300 are opened on the OSD host 7.

9. The Mistral environment already has an SSH key-pair as described in the initial deployment scenario. The same process that is used to install the public SSH key on Overcloud nodes for TripleO validations is used to install the SSH keys for ceph-ansible.

10. If necessary, the Mistral workflow updates the number of forks in Ansible according to the new number of machines that are going to be bootstrapped.

11. The dynamic Ansible inventory will contain the new node.

12. Mistral confirms that Ansible can execute ansible osds -m ping. This causes Ansible to SSH as the heat-admin user into all of the CephOsdAnsible nodes, including the new nodes. If this fails, then the update fails.

13. Mistral uses the Ceph variables found in Heat as described in the initial deployment scenario.

14. Mistral runs the osd-configure.yaml playbook from ceph-ansible to add the extra Ceph OSD server.

15. The OSDs on the server are each deployed in their own containers and docker ps will list each OSD container.

16. After the Mistral workflow is completed, the Custom Heat resource is considered to be updated.

17. No changes are necessary for the TripleO Ceph external Heat resource since the Overcloud Ceph clients only need information about new OSDs from the Ceph monitors.

18. The Overcloud deployment continues as if it was using an external Ceph cluster.

Containerization of configuration files

As described in the Containerize TripleO spec, configuration files for the containerized service will be generated by Puppet and then passed to the containerized service using a configuration volume 8. A similar containerization feature is already supported by ceph-ansible, which uses the following sequence to generate the ceph.conf configuration file.

• Ansible generates a ceph.conf on a monitor node

• Ansible runs the monitor container and bindmount /etc/ceph

• No modification is being done in the ceph.conf

• Ansible copies the ceph.conf to the Ansible server

• Ansible copies the ceph.conf and keys to the appropriate machine

• Ansible runs the OSD container and bindmount /etc/ceph

• No modification is being done in the ceph.conf

These similar processes are compatible, even in the case of container hosts which run more than one OpenStack service but which each need their own copy of the configuration file per container. For example, consider a containerzation node which hosts both Nova compute and Ceph OSD services. In this scenario, the Nova compute service would be a Ceph client and puppet-ceph would generate its ceph.conf and the Ceph OSD service would be a Ceph server and ceph-ansible would generate its ceph.conf. It is necessary for Puppet to configure the Ceph client because Puppet configures the other OpenStack related configuration files as is already provided by TripleO. Both generated ceph.conf files would need to be stored in a separate directory on the containerization hosts to avoid conflicts and the directories could be mapped to specific containers. For example, host0 could have the following versions of foo.conf for two different containers:

host0:/container1/etc/foo.conf<---generatedbyconftool1host0:/container2/etc/foo.conf<---generatedbyconftool2