| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
This was wrongly set to service_name while it should have been
server_service_name.
Change-Id: Ia802857cc585bb9b057a02f6a13c16981baa5b76
|
|
|
|
|
|
Since the commit this depends on sets it up via hieradata, the
conditionals here are no longer needed.
bp tls-via-certmonger
Depends-On: I9252512dbf9cf2e3eec50c41bf10629d36070bbd
Change-Id: I37275e42763e103b81878b6af07c750a524c5697
|
|
it's not required in Ocata, let's configure the basic setup for cells.
note: it also cleanup old code that is not valid anymore.
Change-Id: Iac5b2fbe1b03ec7ad4cb8cab2c7694547be6957d
|
|
This patch allows the management of the AuditD service and its associated
files (such as `audit.rules`)
This is achieved by means of the `puppet-auditd` puppet module.
Closes-Bug: #1640302
Co-Authored-By: Luke Hinds (lhinds@redhat.com)
Change-Id: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
|
|
Via bug https://bugs.launchpad.net/tripleo/+bug/1657108 we need
to zero out the default rules in /etc/sysconfig/ip{6}tables in
the image.
We have done this for ipv4, but when we will do it for ipv6 we
will also need to make sure we add a rule for dhcpv6 traffic
as it is shipped in the iptables rpm. (See
https://bugzilla.redhat.com/show_bug.cgi?id=1169036 for more info)
With this change we correctly get the rule present (aka the first
ACCEPT line. The second line is due to the stock ip6tables rule
I had in my testing):
[root@overcloud-controller-0 ~]# iptables -nvL |grep 546
[root@overcloud-controller-0 ~]# ip6tables -nvL |grep 546
0 0 ACCEPT udp * * ::/0 fe80::/64 multiport dports 546 /* 004 accept ipv6 dhcpv6 ipv6 */ state NEW
0 0 ACCEPT udp * * ::/0 fe80::/64 udp dpt:546 state NEW
Change-Id: If22080054b2b1fa7acfd101e8c34d2707e8e7864
Partial-Bug: #1657108
|
|
|
|
|
|
|
|
|
|
Requiring the neutron mechanism driver from hiera is too rigid, if
Neutron is not deployed in the catalog.
Be more flexible so catalog won't fail if the value is not set in Hiera.
Change-Id: I1475687c4dc53c77e763f42a440355a7c8d014bc
Partial-Bug: #1659662
|
|
Follow up patch for I63da4f48da14534fd76265764569e76300534472
to support composable HA for the Ceph rbdmirror daemon.
Change-Id: I3767bee4b1c7849fa85e71bcc57534b393d2d415
|
|
This uses the tls_proxy resource added in a previous commit [1] in
front of the neutron server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to
clean it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
|
|
|
|
|
|
Change-Id: Ic74ccd5fa7b3b04ca810416e5160463252f17474
Signed-off-by: Dan Radez <dradez@redhat.com>
|
|
Bring change of I53151d4f555d5d161a3e53ce5f022e3bf3b2ffbd into
puppet-tripleo.
Change-Id: I1227956a0389497eedc00e4ec817f52be608dc75
Related-Bug: #1643655
|
|
|
|
|
|
|
|
This commit implements composable HA for the pacemaker profiles.
- Everytime a pacemaker resource gets included on a node,
that node will add a node cluster property with the name of the resource
(e.g. galera-role=true)
- Add a location rule constraint to force running the resource only
on the nodes that have that property
- We also make sure that any pacemaker resource/property creation has a
predefined number of tries (20 by default). The reason for this is
that within composable HA, it might be possible to get "older CIB"
errors when another node changed the CIB while we were doing an
operation on it. Simply retrying fixes this.
- Also make sure that we use the newly introduced
pacemaker::constraint::order class instead of the older
pacemaker::constraint::base class. The former uses the push_cib()
function and hence behaves correctly in case multiple nodes try
to modify the CIB at the same time.
Change-Id: I63da4f48da14534fd76265764569e76300534472
Depends-On: Ib931adaff43dbc16220a90fb509845178d696402
Depends-On: I8d78cc1b14f0e18e034b979a826bf3cdb0878bae
Depends-On: Iba1017c33b1cd4d56a3ee8824d851b38cfdbc2d3
|
|
Change-Id: I3d6bbc05644e840395f87333ec80e3b844f69903
|
|
This class was being included in the same way in two different branches
of the code which could be joined in the initial branch (or if
statement).
Change-Id: Iee3c1663a2fe929b21a9c089d89b721600af66bd
|
|
Previously we missed to perform the basic Ceph client configuration
on a node where only the RBD mirror service was deployed.
Change-Id: Ie6a4284a88714bcee964a38636e12aa88bb95c9d
Co-Authored-By: Michele Baldessari <michele@acksyn.org>
Related-Bug: #1652177
|
|
For pacemaker we ensure netmask of virtual IP to 64bit for IPv6 and
32bit for IPv4. We should have feature parity in keepalived setup.[1]
The issue is that puppet picks first IP orf ifconfig output as and
interface IP. In case of IPv6 keepalived would add new IP to
interface with netmask 128 causing interface_for_ip to fail on
second puppet run.
[1] - https://github.com/openstack/puppet-tripleo/blob/master/manifests/pacemaker/haproxy_with_vip.pp
Closes-Bug: #1659309
Change-Id: Icb0c9a8d51a9bfcdc4b2caef9e52fdeb6f634cba
|
|
There is a typo in the bootstrap check which will lead to:
Could not find data item ceph_rbdmirror_bootstrap_short_node_name in any
Hiera data file and no default supplied at
/etc/puppet/modules/tripleo/manifests/profile/pacemaker/ceph/rbdmirror.pp
We need to be using the correct one:
$ hiera ceph_rbdmirror_short_bootstrap_node_name
overcloud-remote-0
Change-Id: Ic343e5f99e48360bdd2d2989781a4b6ca484e8fc
|
|
|
|
|
|
|
|
Since the commit this depends on sets it up via hieradata, the
conditions here are no longer needed.
bp tls-via-certmonger
Change-Id: I66956f0b85e8e3bf1ab9562221d51d51c230b88e
Depends-On: I693213a1f35021b540202240e512d121cc1cd0eb
|
|
|
|
|
|
This support enables a base profile called pacemaker_remote which will
allow the operator to automatically configure the pacemaker_remote
service on such nodes. This manifest also automatically adds any
pacemaker_remote nodes to the pacemaker cluster.
Depends-On: I0c01ecb7df1a0f9856fdc866b9d06acf0283fa4f
Depends-On: Ic0488f4fc63e35b9aede60fae1e2cab34b1fbdd5
Change-Id: I92953afcc7d536d387381f08164cae8b52f41605
|
|
|
|
|
|
|
|
|
|
This uses the tls_proxy resource added in the previous commit [1] in
front of the Glance API server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to clean
it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Depends-On: Id5dfb38852cf2420f4195a3c1cb98d5c47bbd45e
Change-Id: Id35a846d43ecae8903a0d58306d9803d5ea00bee
|
|
Glance Registry has been removed in TripleO. So we can clean
puppet-tripleo and remove last bits that used to deploy this service.
Change-Id: Iea8f6340349ab366606205305a3ec9a6e4f11ba6
|
|
|
|
|
|
A function to create noop providers (set as the default) for the named
resource. This works alongside of 'puppet apply --tags' to disable
some custom resource types that still attempt to run commands during
prefetch, etc.
Change-Id: Icabdb30369c8ca15e77d169dc441bee8cfd3631f
|
|
|
|
|
|
|
|
|
Jenkins
Juan Antonio Osorio Robles
Emilien Macchi
Steven Hardy
Michele Baldessari
Giulio Fidente
Dan Radez
Martin André
Lukas Bezdicka
Dan Prince