-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Ironic service #93
base: master
Are you sure you want to change the base?
[WIP] Ironic service #93
Conversation
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Not verified yet Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
PXE is set up temporarily. Replace it with iPXE in the future. Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
replicas: 1, | ||
|
||
image: { | ||
base: "quay.io/stackanetes/stackanetes-%s:barcelona", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can add a new line between base and init image?
mountPath: /configmaps/nova-compute-ironic.sh | ||
- name: resolvconf | ||
mountPath: /configmaps/resolv.conf | ||
- mountPath: /var/lib/nova |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you switch the order?
name: ironic-resolvconf | ||
- name: varlibnovaironic | ||
hostPath: | ||
path: /var/lib/nova/ironic |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New line:)
nodeSelector: | ||
{{ deployment.control_node_label }}: enabled | ||
# TODO(DTadrzak): it must be removed in future | ||
securityContext: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we remove it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree we should just add in in tftpd container.
image: {{ deployment.image.conductor }} | ||
imagePullPolicy: Always | ||
# TODO(DTadrzak): it must be removed in future | ||
securityContext: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here
security_group_api = neutron | ||
network_api_class = nova.network.neutronv2.api.API | ||
|
||
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
linuxnet_interface_driver = openvswitch
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should use none or noop here, we don't need openvswitch here.
#!/bin/bash | ||
set -ex | ||
|
||
ironic-api |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here
value: "keystone-api" | ||
- name: DEPENDENCY_CONFIG | ||
value: "/tmp/post.sh" | ||
- name: ANSIBLE_LIBRARY |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You dont need it.
@@ -19,9 +25,14 @@ data: | |||
vxlan_group = 239.1.1.1 | |||
|
|||
[securitygroup] | |||
{% if ironic.enabled %} | |||
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make sure that neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver is still valid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for ironic it should be noop.
@@ -29,13 +27,40 @@ data: | |||
use_neutron = True | |||
security_group_api = neutron | |||
network_api_class = nova.network.neutronv2.api.API | |||
# TODO(DTadrzak): FIX ME | |||
firewall_driver = nova.virt.firewall.NoopFirewallDriver | |||
|
|||
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
linuxnet_interface_driver = openvswitch
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
spec: | ||
# TODO(DTadrzak): it must be removed in future | ||
securityContext: | ||
runAsUser: 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please drop it.
# {{ deployment.compute_node_label }}: enabled | ||
mateuszb: enabled | ||
securityContext: | ||
runAsUser: 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove that.
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
@@ -81,6 +81,13 @@ kpm.package({ | |||
glance_keyring: "", | |||
}, | |||
|
|||
swift: { | |||
enabled: false, | |||
auth_address: "http://10.91.62.52:80/auth/1.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should change it to rgw/auth/1.0 and have radosgw deployed on kubernetes. Some time ago we had a radosgw in stackanetes so we may reuse it.
variables: { | ||
deployment: { | ||
control_node_label: "openstack-control-plane", | ||
compute_node_label: "openstack-ironic-compute-node", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not really needed, openstack computes for Ironic are fully stateless for now.
init: $.variables.deployment.image.base % "kolla-toolbox", | ||
post: $.variables.deployment.image.base % "kolla-toolbox", | ||
# TODO: | ||
api: "10.91.96.87:5000/debian-source-ironic-api:mateuszb-ironic", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should push those image to quay.io
@@ -0,0 +1,59 @@ | |||
apiVersion: extensions/v1beta1 | |||
kind: DaemonSet |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nova compute should be a DaemonSet or I would even opt to make it a PetSet (consitent hostnames).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is a DaemonSet now - should I change it into a PetSet?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, PetSet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ss7pro PetSet is currently not supported in kpm. I'll make it a Deployment for now
spec: | ||
nodeSelector: | ||
# TODO: | ||
# {{ deployment.compute_node_label }}: enabled |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it should use control plane label.
image: {{ deployment.image.compute }} | ||
imagePullPolicy: Always | ||
securityContext: | ||
privileged: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not needed.
- name: DEPENDENCY_SERVICE | ||
value: "keystone-api,glance-api,nova-api" | ||
- name: DEPENDENCY_CONFIG | ||
value: "/etc/nova/nova.conf,/etc/resolv.conf" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we mount /etc/resolv.conf as a configmap, as done here: #99
configMap: | ||
name: ironic-resolvconf | ||
- name: varlibnovaironic | ||
hostPath: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be an emptyDir.
- name: DEPENDENCY_SERVICE | ||
value: "rabbitmq" | ||
- name: DEPENDENCY_CONFIG | ||
value: "/etc/ironic/ironic.conf,/etc/resolv.conf" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same thing for /etc/resolv.conf we should use it as here: #99
image: {{ deployment.image.ironic_http }} | ||
imagePullPolicy: Always | ||
# TODO(DTadrzak): it must be removed in future | ||
securityContext: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this can be removed.
enabled_drivers = pxe_ipmitool,agent_ipmitool_socat,agent_pyghmi,fake | ||
|
||
[api] | ||
api_workers=128 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be parametrized: {{ misc.workers }} and should be 8 by default.
|
||
[database] | ||
connection = mysql+pymysql://{{ database.ironic_user }}:{{ database.ironic_password }}@{{ database.address }}/{{ database.ironic_database_name }} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add max_retries = -1
apiVersion: v1 | ||
kind: ConfigMap | ||
data: | ||
default.conf: |+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would also redirect access and error log to std{out,err}:
error_log /dev/fd/2 info;
http {
access_log /dev/fd/1;
...
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's done by default in nginx:alpine :
/ # ls -lah /var/log/nginx/error.log
lrwxrwxrwx 1 root root 11 Sep 23 17:11 /var/log/nginx/error.log -> /dev/stderr
/ # ls -lah /var/log/nginx/access.log
lrwxrwxrwx 1 root root 11 Sep 23 17:11 /var/log/nginx/access.log -> /dev/stdout
let me know if this is not the solution you expect
nova.conf: |+ | ||
[DEFAULT] | ||
debug = {{ misc.debug }} | ||
# TODO(DTadrzak): FIX ME |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
vif related stuff should be dropped.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ss7pro I believe that we don't want to create dozens of conditionals. Common nova.conf will be used by nova-compute, ironic-compute, nova-api, nova-conductor, nova-scheduler, ... If we want to hide some config options for specific services, we'll end up with multiple dirty if-elif-else statements
connection = mysql+pymysql://{{ database.nova_user }}:{{ database.nova_password }}@{{ database.address }}/{{ database.nova_api_database_name }} | ||
max_pool_size = {{ misc.workers }} | ||
max_overflow = {{ misc.workers }} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
max_retries = -1
username = {{ keystone.neutron_user }} | ||
password = {{ keystone.neutron_password }} | ||
|
||
[database] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should remove this section.
stores = file, http, rbd | ||
default_store = rbd | ||
rbd_store_pool = {{ ceph.glance_pool }} | ||
rbd_store_user = {{ ceph.glance_user }} | ||
rbd_store_ceph_conf = /etc/ceph/ceph.conf | ||
rbd_store_chunk_size = 8 | ||
|
||
{% elif swift.enabled -%} | ||
stores = file, http, swift |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
swift and rbd should not be exclusive, please allow having both stores enabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what should be the default store in such case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe it calls for an additional flag (with swift generally being ok as default).
init: $.variables.deployment.image.base % "kolla-toolbox", | ||
post: $.variables.deployment.image.base % "kolla-toolbox", | ||
# TODO: | ||
api: "10.91.96.87:5000/debian-source-ironic-api:mateuszb-ironic", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should default to quay.io
image: {{ deployment.image.compute }} | ||
imagePullPolicy: Always | ||
securityContext: | ||
privileged: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what do you need privileged mode for?
api_url: "http://%s:6385/v1" % $.variables.network.ip_address, | ||
|
||
dns: { | ||
servers: ["10.3.0.10"], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe it should use global variable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #93 (comment)
|
||
dns: { | ||
servers: ["10.3.0.10"], | ||
kubernetes_domain: "cluster.local", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #93 (comment)
conductor: "10.91.96.87:5000/debian-source-ironic-conductor:mateuszb-ironic", | ||
compute: "10.91.96.87:5000/debian-source-nova-compute-ironic:mateuszb-ironic", | ||
ironic_pxe: "10.91.96.87:5000/debian-source-ironic-pxe:mateuszb-ironic", | ||
ironic_http: "nginx:alpine", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be debian based image
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed to leave public nginx image - i'll just use more precise (nginx:1.11.5-alpine) version
{% if ironic.enabled %} | ||
type_drivers = flat | ||
tenant_network_types = flat | ||
mechanism_drivers = openvswitch |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should have noop or empty line here.
@@ -8,8 +8,6 @@ data: | |||
vif_plugging_is_fatal = False |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are we having multiple nova.conf templates for ironic ? Can we have a single common one ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll make a single one with conditional configuration block when ironic_compute is enabled
default_store = swift | ||
swift_store_auth_version = 1 | ||
swift_store_auth_address = {{ swift.auth_address }} | ||
swift_store_user = {{ swift.glance_user }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/glance_user/store_user/
|
||
ingress: { | ||
enabled: true, | ||
host: "%s.openstack.cluster", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
take value for host from parameters.yaml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Values from the manifest are overwritten with the same values from parameters.yaml
(if present). However, they need to be specified in a manifest.
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you please rebase?
@auvipy this project is dead. If you're interested in running openstack on k8s please take a look at openstack-helm project (https://github.com/openstack/openstack-helm) |
No description provided.