pre-update

check-for-dangling-images

Check for podman dangling images.

Make sure there are no dangling images before the update.

  • hosts: undercloud

  • groups: pre-update

  • parameters:

    • check_for_dangling_images_debug: False

  • roles: check_for_dangling_images

Role documentation

check-reboot

Verify if a reboot is necessary with yum-utils.

This validation uses yum-utils to check whether a reboot is necessary, with the option: needs-restarting -r

  • hosts: all

  • groups: pre-upgrade, post-upgrade, pre-update, post-update

  • parameters:

  • roles: check_reboot

Role documentation

compute-tsx

RHEL8.x kernel flag for Compute nodes validation.

The RHEL-8.3 kernel disabled the Intel TSX (Transactional Synchronization Extensions) feature by default as a preemptive security measure, but this breaks live migration from RHEL-7.9 (or even RHEL-8.1 or RHEL-8.2) to RHEL-8.3.

Operators are expected to explicitly define the TSX flag in their KernelArgs for the compute role to prevent live-migration issues during the upgrade process.

This also impacts upstream CentOS systems.

  • hosts: nova_libvirt

  • groups: pre-upgrade, pre-system-upgrade, pre-overcloud-prepare, pre-overcloud-upgrade, pre-overcloud-converge, pre-update, pre-update-prepare, pre-update-run, pre-update-converge

  • parameters:

    • compute_tsx_debug: False

    • compute_tsx_warning: False

  • roles: compute_tsx

Role documentation

container-status

Ensure container status.

Detect failed containers and raise an error.

  • hosts: undercloud, allovercloud

  • groups: backup-and-restore, pre-upgrade, pre-update, post-deployment, post-upgrade, post-update

  • parameters:

  • roles: container_status

Role documentation

controller-token

Verify that keystone admin token is disabled.

This validation checks that keystone admin token is disabled on both undercloud and overcloud controller after deployment.

  • hosts: ['undercloud', "{{ controller_rolename | default('Controller') }}"]

  • groups: post-deployment, post-update, pre-update

  • parameters:

    • keystone_conf_file: /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf

  • roles: controller_token

Role documentation

controller-ulimits

Check controller ulimits.

This will check the ulimits of each controller.

  • hosts: {{ controller_rolename | default('Controller') }}

  • groups: post-deployment, post-update, pre-update

  • parameters:

    • nofiles_min: 1024

    • nproc_min: 2048

  • roles: controller_ulimits

Role documentation

fips-enabled

Confirm that undercloud has fips enabled.

Check if the undercloud is ready to deploy an environment using fips.

  • hosts: all

  • groups: prep, post-deployment, post-update, pre-update

  • parameters:

  • roles: fips_enabled

Role documentation

healthcheck-service-status

Healthcheck systemd services Check.

Check for failed healthcheck systemd services.

  • hosts: undercloud, allovercloud

  • groups: backup-and-restore, post-deployment, post-update, pre-update

  • parameters:

    • retries_number: 1

    • delay_number: 1

    • inflight_healthcheck_services: []

  • roles: healthcheck_service_status

Role documentation

image-serve

Verify image-serve service is working and answering.

Ensures image-serve vhost is configured and httpd is running.

  • hosts: undercloud

  • groups: backup-and-restore, pre-upgrade, post-deployment, post-upgrade, post-update, pre-update

  • parameters:

  • roles: image_serve

Role documentation

mysql-open-files-limit

MySQL Open Files Limit.

Verify that the open-files-limit configuration is high enough.

https://access.redhat.com/solutions/1598733

  • hosts: ["{{ controller_rolename | default('Controller') }}", 'mysql']

  • groups: post-deployment, post-update, pre-update

  • parameters:

    • min_open_files_limit: 16384

  • roles: mysql_open_files_limit

Role documentation

neutron-sanity-check

Neutron Sanity Check.

Run neutron-sanity-check on the controller nodes to find potential issues with Neutron's configuration.

The tool expects all the configuration files that are passed to the Neutron services.

  • hosts: {{ controller_rolename | default('Controller') }}

  • groups: backup-and-restore, post-deployment, post-update, pre-update

  • parameters:

  • roles: neutron_sanity_check

Role documentation

nova-event-callback

Nova Event Callback Configuration Check.

This validation verifies that the Nova auth_url in neutron, which is generally enabled by default, is configured correctly. It checks the following files on the Overcloud Controller(s):

  • /etc/neutron/neutron.conf: [nova]/auth_url = 'http://nova_admin_auth_ip:5000'

  • hosts: {{ controller_rolename | default('Controller') }}

  • groups: post-deployment, post-update, pre-update

  • parameters:

    • neutron_config_file: /var/lib/config-data/puppet-generated/neutron/etc/neutron/neutron.conf

  • roles: nova_event_callback

Role documentation

nova-svirt

Check nova sVirt support.

Ensures all running VMs are correctly protected with sVirt.

  • hosts: nova_libvirt

  • groups: post-deployment, post-upgrade, post-update, pre-update

  • parameters:

  • roles: nova_svirt

Role documentation

openstack-endpoints

Check connectivity to various OpenStack services.

This validation gets the PublicVip address from the deployment and tries to access Horizon and get a Keystone token.

  • hosts: undercloud

  • groups: post-deployment, pre-upgrade, post-upgrade, pre-update, post-update

  • parameters:

  • roles: openstack_endpoints

Role documentation

package-version

package-version.

Ensures we can access the wanted package version. Especially useful when you are switching repositories, for instance during an upgrade.

  • hosts: all

  • groups: prep, pre-deployment, pre-upgrade, pre-update, pre-system-upgrade, pre-undercloud-upgrade, pre-overcloud-prepare, pre-overcloud-upgrade, pre-overcloud-converge, pre-ceph

  • parameters:

    • package_version_debug: False

  • roles: package_version

Role documentation

rabbitmq-limits

Rabbitmq limits.

Make sure the rabbitmq file descriptor limits are set to reasonable values.

  • hosts: {{ controller_rolename | default('Controller') }}

  • groups: post-deployment, post-update, pre-update

  • parameters:

    • min_fd_limit: 16384

  • roles: rabbitmq_limits

Role documentation

repos

Check correctness of current repositories.

Detect whether the repositories listed in yum repolist can be reached and whether at least one repo is configured.

Detect if there are any unwanted repositories (such as EPEL) enabled.

  • hosts: undercloud, allovercloud

  • groups: pre-upgrade, pre-update

  • parameters:

  • roles: repos

Role documentation

stonith-exists

Validate stonith devices.

Verify that stonith devices are configured for your OpenStack Platform HA cluster. The TripleO Installer does not configure stonith devices, because the hardware configuration may differ in each environment and require different fence agents. For how to configure fencing, please read https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/paged/director-installation-and-usage/86-fencing-the-controller-nodes

  • hosts: {{ controller_rolename | default('Controller') }}

  • groups: post-deployment, post-update, pre-update

  • parameters:

  • roles: stonith_exists

Role documentation

system-encoding

System encoding.

Ensure the locale is Unicode.

  • hosts: all

  • groups: pre-deployment, pre-upgrade, pre-update

  • parameters:

    • system_encoding_debug: False

  • roles: system_encoding

Role documentation

tripleo-haproxy

TripleO HAProxy configuration.

Verify the HAProxy configuration has recommended values.

  • hosts: haproxy

  • groups: post-deployment, post-update, pre-update

  • parameters:

    • config_file: /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg

    • global_maxconn_min: 20480

    • defaults_maxconn_min: 4096

    • defaults_timeout_queue: 2m

    • defaults_timeout_client: 2m

    • defaults_timeout_server: 2m

    • defaults_timeout_check: 10s

  • roles: tripleo_haproxy

Role documentation

undercloud-disabled-services

Verify undercloud services state before running update or upgrade.

Check undercloud status before running a stack update - especially minor update and major upgrade.

  • hosts: undercloud

  • groups: post-upgrade, pre-upgrade, post-update, pre-update

  • parameters:

  • roles: undercloud_disabled_services

Role documentation

undercloud-ipa-server-check

Verify that the IPA server has the right permissions and ACI.

This validation is relevant for systems where TLS Everywhere is enabled.

A new ACI is needed on the FreeIPA server to ensure that certificates with IP SANs can be issued. This ACI will be delivered by default from FreeIPA 4.8.5.

In addition, a new permission is needed to add DNS zones for tripleo-ipa. This permission is an addition to the current permissions for the Nova Host Manager role.

This validation confirms that the new permission and ACI are present.

https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/tls-introduction.html

  • hosts: undercloud

  • groups: pre-upgrade, pre-update

  • parameters:

  • roles: tls_everywhere

Role documentation

undercloud-service-status

Verify undercloud services state before running update or upgrade.

Check undercloud status before running a stack update - especially minor update and major upgrade.

  • hosts: undercloud

  • groups: backup-and-restore, post-upgrade, pre-upgrade, post-update, pre-update

  • parameters:

  • roles: undercloud_service_status

Role documentation

undercloud-sysctl

Verify undercloud sysctl option availability.

The undercloud will not install properly if some of the expected sysctl values are not available to be set.

  • hosts: undercloud

  • groups: prep, pre-upgrade, pre-update

  • parameters:

  • roles: undercloud_sysctl

Role documentation