Skip to main content

Deploying and upgrading TripleO with local mirrors

Continued from

In the previous blogpost, I explained how to automate the RHEL mirror creation using Now we are going to learn how to deploy and upgrade TripleO using those.

Deploying TripleO


To use local mirrors in the undercloud, you simply need to get the generated osp<version>.repo that you generated with the rhel-local-mirrors playbook, and copy it to /etc/yum.repos.d/ , in the undercloud host:
sudo curl http://<local_mirror_ip>/osp<version>_repo/osp<version>.repo \
-o /etc/yum.repos.d/osp.repo
Then proceed with the standard instructions for deploy.


Each node from the overcloud (controllers, computes, etc...) needs to have a copy of the repository file from our server where we host the local mirrors. To achieve it, you can include an script that downloads the osp<version>.repo file when deploying.
This can be achieved with Heat templates:
heat_template_version: 2014-10-16
description: >
  File for downloading the repository file from the asset server
    type: OS::Heat::MultipartMime
      - config: {get_resource: assetrepo_config}
    type: OS::Heat::SoftwareConfig
      config: |
        sudo curl http://<local_mirror_ip>/osp<version>_repo/osp<version>.repo -o /etc/yum.repos.d/osp<version>.repo
    value: {get_resource: userdata}

And then creating the environment file that will reference it:
  OS::TripleO::NodeUserData: /home/stack/templates/asset-repo.yaml

Then you need to include that environment file in your deploy command:
openstack overcloud deploy --templates  -e ~/templates/asset-environment.yaml \

Upgrading TripleO


To upgrade the undercloud, you need to be sure to disable packages from previous versions, and enable the ones from the new version.
If using local mirrors you may need to remove  the older repo file:
sudo rm /etc/yum.repos.d/osp.repo
And create the new:
sudo curl http://<local_mirror_ip>/osp<version+1>_repo/osp<version+1>.repo -o /etc/yum.repos.d/osp.repo

After that, execute the yum update and openstack undercloud upgrade commands as usual.


To upgrade the overcloud, you need to disable the older repositories and enable the new ones at upgrade time. This is achieved by a parameter that is called UpgradeInitCommand. This needs to contain a custom bash script, that will disable the older repos and enable the new ones, based on your needs.
A sample environment using UpgradeInitCommand can be:
cat > overcloud-repos.yaml <<EOF
  UpgradeInitCommand: |
    set -e
    sudo rm /etc/yum.repos.d/osp.repo
    sudo curl http://<local_mirror_ip>/osp<version+1>_repo/osp<version+1>.repo -o /etc/yum.repos.d/osp.repo 

And then execute your upgrade command including that overcloud-repos.yaml file:
openstack overcloud deploy --templates \
    -e <full environment> \
    -e /usr/share/openstack-tripleo-heat-templates/environments/major-upgrade-composable-steps.yaml \
    -e overcloud-repos.yaml


Popular posts from this blog

Automating local mirrors creation in RHEL

Sometimes there is a need to consume RHEL mirrors locally, not using the Red Hat content delivery network. It may be needed to speed up some deployment, or due to network constraints.

I create an ansible playbook, rhel-local-mirrors (, that can help with that.
What does rhel-local-mirrors do? It is basically a tool that connects to the Red Hat CDN, and syncs the repositories locally, allowing to populate the desired mirrors, that can be accessed by other systems via HTTP.

The playbook is performing several tasks, that can be run together or independently:
register a system on the Red Hat Networkprepare the system to host mirrorscreate the specified mirrorsschedule automatic updates of the mirrors How to use it?It is an Ansible playbook, so start by installing it, in any prefered format. Then continue by cloning the playbook:
git clone playbook expects a group of servers called

Build and use security hardened images with TripleO

Starting to apply since Pike Concept of security hardened images Normally the images used for overcloud deployment in TripleO are not security hardened. It means, the images lack all the extra security measures needed to accomplish with ANSSI requirements. These extra measures are needed to deploy TripleO in environments where security is an important feature.
The following recommendations are given to accomplish with security guidelines:
ensure that /tmp is mounted on a separate volume or partition, and that it is mounted with rw,nosuid,nodev,noexec,relatime flagsensure that /var, /var/log and /var/log/audit are mounted on separates volumes or partitions, and that are mounted with rw,relatime flags.ensure that /home is mounted on a separate partition or volume, and that it is mounted with rw,nodev,relatime flags.include extra kernel boot flag to enable auditing: add audit=1 to GRUB_CMDLINE_LINUX settingdisable kernel support for USB via bootloader configuration: add nousb to GRUB_CMD…