post-deployment

ceph-health

Check the status of the ceph cluster.

Uses ceph health to check if cluster is in HEALTH_WARN state and prints a debug message.

  • hosts: ceph_mon

  • groups: backup-and-restore, post-deployment, post-ceph

  • parameters:

    • tripleo_delegate_to: {{ groups[‘ceph_mon’] | default([]) }}

    • osd_percentage_min: 0

  • roles: ceph

Role documentation

container-status

Ensure container status.

Detect failed containers and raise an error.

  • hosts: undercloud, allovercloud

  • groups: backup-and-restore, pre-upgrade, pre-update, post-deployment, post-upgrade

  • parameters:

  • roles: container_status

Role documentation

containerized-undercloud-docker

Verify docker containers are up and ports are open.

Ensure relevant docker containers are up and running, with ports open to listen. We iterate through a list of container names and ports provided in defaults, and ensure the system has those available.

  • hosts: undercloud

  • groups: post-deployment, pre-upgrade

  • parameters:

    • open_ports: [111, 873, 3000, 3306, 4369, 5000, 5050, 5672, 6000, 6001, 6002, 6379, 6385, 8000, 8004, 8080, 8088, 8774, 8775, 8778, 8787, 8888, 8989, 9000, 9292, 9696, 11211, 15672, 25672, 35357, 39422, {‘port’: 22, ‘search_regex’: ‘OpenSSH’}]

    • running_containers: [‘glance_api’, ‘heat_api’, ‘heat_api_cfn’, ‘heat_api_cron’, ‘heat_engine’, ‘ironic_api’, ‘ironic_conductor’, ‘ironic_inspector’, ‘ironic_inspector_dnsmasq’, ‘ironic_neutron_agent’, ‘ironic_pxe_http’, ‘ironic_pxe_tftp’, ‘iscsid’, ‘keystone’, ‘keystone_cron’, ‘logrotate_crond’, ‘memcached’, ‘mistral_api’, ‘mistral_engine’, ‘mistral_event_engine’, ‘mistral_executor’, ‘mysql’, ‘neutron_api’, ‘neutron_dhcp’, ‘neutron_l3_agent’, ‘neutron_ovs_agent’, ‘nova_api’, ‘nova_api_cron’, ‘nova_compute’, ‘nova_conductor’, ‘nova_metadata’, ‘nova_placement’, ‘nova_scheduler’, ‘rabbitmq’, ‘swift_account_auditor’, ‘swift_account_reaper’, ‘swift_account_replicator’, ‘swift_account_server’, ‘swift_container_auditor’, ‘swift_container_replicator’, ‘swift_container_server’, ‘swift_container_updater’, ‘swift_object_auditor’, ‘swift_object_expirer’, ‘swift_object_replicator’, ‘swift_object_server’, ‘swift_object_updater’, ‘swift_proxy’, ‘swift_rsync’, ‘tripleo_ui’, ‘zaqar’, ‘zaqar_websocket’]

  • roles: containerized_undercloud_docker

Role documentation

controller-token

Verify that keystone admin token is disabled.

This validation checks that keystone admin token is disabled on both undercloud and overcloud controller after deployment.

  • hosts: [‘undercloud’, “{{ controller_rolename | default(‘Controller’) }}”]

  • groups: post-deployment

  • parameters:

    • keystone_conf_file: /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf

  • roles: controller_token

Role documentation

controller-ulimits

Check controller ulimits.

This will check the ulimits of each controller.

  • hosts: {{ controller_rolename | default(‘Controller’) }}

  • groups: post-deployment

  • parameters:

    • nofiles_min: 1024

    • nproc_min: 2048

  • roles: controller_ulimits

Role documentation

healthcheck-service-status

Healthcheck systemd services Check.

Check for failed healthcheck systemd services.

  • hosts: undercloud, allovercloud

  • groups: backup-and-restore, post-deployment

  • parameters:

    • retries_number: 1

    • delay_number: 1

    • inflight_healthcheck_services: []

  • roles: healthcheck_service_status

Role documentation

image-serve

Verify image-serve service is working and answering.

Ensures image-serve vhost is configured and httpd is running.

  • hosts: undercloud

  • groups: backup-and-restore, pre-upgrade, post-deployment, post-upgrade

  • parameters:

  • roles: image_serve

Role documentation

mysql-open-files-limit

MySQL Open Files Limit.

Verify the open-files-limit configuration is high enough https://access.redhat.com/solutions/1598733

  • hosts: [“{{ controller_rolename | default(‘Controller’) }}”, ‘mysql’]

  • groups: post-deployment

  • parameters:

    • min_open_files_limit: 16384

  • roles: mysql_open_files_limit

Role documentation

neutron-sanity-check

Neutron Sanity Check.

Run neutron-sanity-check on the controller nodes to find out potential issues with Neutron’s configuration. The tool expects all the configuration files that are passed to the Neutron services.

  • hosts: {{ controller_rolename | default(‘Controller’) }}

  • groups: backup-and-restore, post-deployment

  • parameters:

  • roles: neutron_sanity_check

Role documentation

nfv-ovsdpdk-counter-stat-validation

NFV OvS DPDK Counter Stat Validations.

Run check-nfv-ovsdpdk-counter-stat-validation on the compute ovsdpdk nodes to find out the issues with NFV OvS Dpdk interface statistics.

  • hosts: {{ compute_ovsdpdk_rolename | default(‘ComputeOvsDpdk’) }}

  • groups: post-deployment

  • parameters:

  • roles: check_nfv_ovsdpdk_counter_stat_validation

Role documentation

nfv-ovsdpdk-zero-packet-loss-check

NFV OvS DPDK Zero Packet Loss Validations.

Run check-nfv-ovsdpdk-zero-packet-loss on the compute ovsdpdk nodes to find out the issues with NFV OvS Dpdk configuration. The tool expects all the configuration files that are passed.

  • hosts: {{ compute_ovsdpdk_rolename | default(‘ComputeOvsDpdk’) }}

  • groups: post-deployment

  • parameters:

  • roles: check_nfv_ovsdpdk_zero_packet_loss

Role documentation

no-op-firewall-nova-driver

Verify NoOpFirewallDriver is set in Nova.

When using Neutron, the firewall_driver option in Nova must be set to NoopFirewallDriver.

  • hosts: nova_compute

  • groups: post-deployment

  • parameters:

    • nova_conf_path: /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova/nova.conf

  • roles: no_op_firewall_nova_driver

Role documentation

nova-event-callback

Nova Event Callback Configuration Check.

This validations verifies that the Nova auth_url in neutron, which is generally enabled by default, is configured correctly It checks the following files on the Overcloud Controller(s): - /etc/neutron/neutron.conf: [nova]/auth_url = ‘http://nova_admin_auth_ip:5000

  • hosts: {{ controller_rolename | default(‘Controller’) }}

  • groups: post-deployment

  • parameters:

    • neutron_config_file: /var/lib/config-data/puppet-generated/neutron/etc/neutron/neutron.conf

  • roles: nova_event_callback

Role documentation

nova-svirt

Check nova sVirt support.

Ensures all running VM are correctly protected with sVirt

  • hosts: nova_libvirt

  • groups: post-deployment, post-upgrade

  • parameters:

  • roles: nova_svirt

Role documentation

openstack-endpoints

Check connectivity to various OpenStack services.

This validation gets the PublicVip address from the deployment and tries to access Horizon and get a Keystone token.

  • hosts: undercloud

  • groups: post-deployment, pre-upgrade, post-upgrade, pre-update, post-update

  • parameters:

  • roles: openstack_endpoints

Role documentation

oslo-config-validator

Openstack services configuration validation.

This role is intended to leverage the oslo-config-validator on each one of the configuration files found on a deployment. The goal is to quickly catch erroneous configurations.

When called manually, it will also be possible to generate a report returning all the differences between the current configuration and the default configuration

  • hosts: allovercloud

  • groups: post-deployment, post-system-upgrade, post-update, post-upgrade

  • parameters:

    • oslo_config_validator_debug: False

    • oslo_config_validator_report: False

    • oslo_config_validator_validation: True

    • oslo_config_validator_invalid_settings: True

    • oslo_config_validator_report_path: /var/tmp/config_validator_report

    • oslo_config_validator_report_archive: True

    • oslo_config_validator_work_path: /var/lib/tripleo-config/oslo_config_validator

    • oslo_config_validator_checked_services: [‘nova’, ‘cinder’, ‘glance’, ‘heat’, ‘ironic’, ‘placement’, ‘neutron’, ‘keystone’]

  • roles: oslo_config_validator

Role documentation

overcloud-service-status

Verify overcloud services state after running a deployment or an update.

An Ansible role to verify the Overcloud services states after a deployment or an update. It checks the API /os-services and looks for deprecated services (nova-consoleauth) or any down services.

  • hosts: Undercloud

  • groups: post-deployment, post-upgrade, post-overcloud-upgrade, post-overcloud-converge

  • parameters:

    • overcloud_service_status_debug: False

    • overcloud_service_api: [‘nova’, ‘cinderv3’]

    • overcloud_deprecated_services: {‘nova’: [‘nova-consoleauth’]}

  • roles: overcloud_service_status

Role documentation

ovs-dpdk-pmd-cpus-check

Validates OVS DPDK PMD cores from all NUMA nodes..

OVS DPDK PMD cpus must be provided from all NUMA nodes. A failed status post-deployment indicates PMD CPU list is not configured correctly.

  • hosts: {{ compute_ovsdpdk_rolename | default(‘ComputeOvsDpdk’) }}

  • groups: post-deployment

  • parameters:

  • roles: ovs_dpdk_pmd

Role documentation

pacemaker-status

Check the status of the pacemaker cluster.

This runs pcs status and checks for any failed actions. A failed status post-deployment indicates something is not configured correctly. This should also be run before upgrade as the process will likely fail with a cluster that’s not completely healthy. This validation fails if pacemaker service is found failed or inactive.

  • hosts: {{ controller_rolename | default(‘Controller’) }}

  • groups: backup-and-restore, post-deployment

  • parameters:

  • roles: pacemaker_status

Role documentation

rabbitmq-limits

Rabbitmq limits.

Make sure the rabbitmq file descriptor limits are set to reasonable values.

  • hosts: {{ controller_rolename | default(‘Controller’) }}

  • groups: post-deployment

  • parameters:

    • min_fd_limit: 16384

  • roles: rabbitmq_limits

Role documentation

stonith-exists

Validate stonith devices.

Verify that stonith devices are configured for your OpenStack Platform HA cluster. We don’t configure stonith device with TripleO Installer. Because the hardware configuration may be differ in each environment and requires different fence agents. How to configure fencing please read https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/paged/director-installation-and-usage/86-fencing-the-controller-nodes

  • hosts: {{ controller_rolename | default(‘Controller’) }}

  • groups: post-deployment

  • parameters:

  • roles: stonith_exists

Role documentation

tls-everywhere-post-deployment

Confirm that overcloud nodes are setup correctly.

Checks that overcloud nodes are registered with IdM and that all certs being tracked by certmonger are in the MONITORING state.

  • hosts: allovercloud

  • groups: post-deployment

  • parameters:

  • roles: tls_everywhere

Role documentation

tripleo-haproxy

TripleO HAProxy configuration.

Verify the HAProxy configuration has recommended values.

  • hosts: haproxy

  • groups: post-deployment

  • parameters:

    • config_file: /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg

    • global_maxconn_min: 20480

    • defaults_maxconn_min: 4096

    • defaults_timeout_queue: 2m

    • defaults_timeout_client: 2m

    • defaults_timeout_server: 2m

    • defaults_timeout_check: 10s

  • roles: tripleo_haproxy

Role documentation