Age | Commit message (Collapse) | Author | Files | Lines |
|
This module is used by tripleo-heat-templates to configure and deploy
Kolla-based cinder-volume containers managed by pacemaker.
We use short-lived containers that call pcs via puppet to create
the needed pacemaker resources, properties and constraints.
Co-Authored-By: Michele Baldesari <michele@acksyn.org>
Partial-Bug: #1668920
Change-Id: I95ad4dd89b47396bea672813d87de35e64c04b2d
|
|
|
|
|
|
If novajoin is enabled, the keystone profile should create its user.
bp tls-via-certmonger-containers
Change-Id: Ifb43b72cbf0180cf12e6d3584c92ae01ce5294e5
|
|
|
|
|
|
|
|
It was an error in the example to set firewall rule
Tested on newton.
Closes-Bug: 1691990
Change-Id: I091ad0305ac9d9fbb63853e46169fcaa6092456b
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
|
|
This patch switches the default to the overlay2 storage driver and see
if it helps performance.
Background:
The loopback driver is not recommended for production. Most
other docker storage backends require extra disks (or partitions)
which we don't have on the root disk. Overlay seems to make the
most since for TripleO upgrades where we intend to update
in-place installations to use docker.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
|
|
|
|
|
|
|
|
disabled."
|
|
The existing .gitignore is causing the hieradata we use for tests to be
excluded in git and our release tarballs. Lets adjust the gitignore not
to exclude the hiera files in spec/fixtures
Change-Id: Ic31687d0eb1c2e8acc92796d4c0eba096db8e533
Closes-Bug: #1691559
|
|
Update the tox configuration to pull in the openstack
upper-constraints.txt when running releasenotes. This will
fix the releasenotes job that is currently failing due to
a new version of sphinx. Additionally this change includes
updates from puppet-modulesync-configs.
Change-Id: Ie587bfde2367dfec796f1b07c01bba15d839a3b1
Related-Bug: #1691511
|
|
bp tls-via-certmonger
Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
|
|
|
|
|
|
In order to support vhostuser client mode, a vhostuser_socket_dir
needs to be created with qemu:qemu g+w permissions.
Closes-Bug: #1675690
Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com>
Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8
Signed-off-by: Karthik S <ksundara@redhat.com>
|
|
|
|
|
|
We currently create remote resources without waiting for their creation.
This leads to the following potential race (spotted by Marian Mkrcmari):
- On Step1 pacemaker bootstrap node creates the resource but the remote
resource is not yet created
- Step1 completes and Step2 starts
- On Step2 the remote node sets a property (or calls pcs cib) but the
remote is not yet set up so 'pcs cluster cib' will fail there with:
(err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster
cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed
with code: 1 ->
Note that when verify_on_create is set to true we are not using the cib
dump/push mechanism. That is fine because we create the remotes on
step1 and the dump/push mechanism is only needed starting from step2
when multiple nodes set cluster properties at the same time.
Tested by Marian Mkrcmari successfully as well.
Closes-Bug: #1689028
Change-Id: I764526b3f3c06591d477cc92779d83a19802368e
Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f
|
|
Mistral should run under mod_wsgi. Enable that.
Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc
Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
|
|
ODL repo has been moved from a personal github account into official ODL
repo.
Change-Id: I1248c22acc09962ef788ca19ee87b6bda8ef8450
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
Now that puppet-redis supports ulimit for cluster managed redis (via
https://github.com/arioch/puppet-redis/pull/192), we need to remove the
file snippet as otherwise we will get a duplicate resource error.
We will need to create a THT change that at the very least sets the
redis::managed_by_cluster_manager key to true so that
/etc/security/limits.d/redis.conf gets created.
We also add code to not break backwards compatibility with the old hiera
key.
Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d
Partial-Bug: #1688464
|
|
An error (e.g a typo) in a custom tripleo-heat-templates environment
file could lead to an invalid match block in /etc/ssh/sshd_config.
SSH fails-safe and refuses all logins in this case.
This change validates the migration_ssh_localaddrs parameter is an
array of IP addresses and removes and duplicate entries.
Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #1688308
|
|
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
|
|
|
|
Add ability to set Cinder's nas_secure_file_operations and
nas_secure_file_permissions driver parameters. Two sets of identically
named parameters are implemented by Cinder's NFS and NetApp back end
drivers.
The ability to control these parameters is crucial for supporting deployments
that require non-default values.
Partial-Bug: #1688332
Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9
Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308
|
|
|
|
|
|
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
|
|
|
|
It used to be hardcoded to use the OpenSSL default CA Bundle, however,
this will be changed in t-h-t.
Change-Id: I75bdaf71d88d169e64687a180cb13c1f63418a0f
|
|
We currently hardcode /64 as our VIP addresses when using IPv6.
The problem with this is that some server code might bind to that
IP as a source address when doing inter-cluster communication
(rabbitmq/galera for example). So when the VIP moves there will
be effectively a network outage between the nodes, which should not
happen.
Likely this was hardcoded to /64 because the RA IPaddr2 needs a nic
parameter when /128 is specified. This is due to:
https://bugzilla.redhat.com/show_bug.cgi?id=1445628
We also make sure we use the ipv6_addrlabel option set to 99 so that
they will never be used as source ip addresses.
Depends-On: I7fcf15a00aedbdcfb21db501ad46c69fb97ec30c
Partial-Bug: #1686357
Change-Id: Ibefde870512ad1e03ff12f7aea91b3734f03f96f
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
Co-Authored-By: Marios Andreou <mandreou@redhat.com>
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
|
|
log rule"
|
|
Binding is now done in THT via Hiera directly, so users can change the
option more easily.
Depends-On: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614
Change-Id: I9d5fd152bb73ea54c4d0d3bab862f11eaa4ebd79
Closes-Bug: #1687628
|
|
|
|
|
|
|
|
the TLS proxy was notifying neutron::server instead of swift proxy.
Change-Id: I212978c107a75209d5b7c266e608eb9a9e9cdc76
|
|
Other services include it by using the vhost resource from openstacklib.
If we include a service (such as swift-proxy) that uses the tls_proxy
resource, and we do so in a separate node or in its own container, it
will fail since the base apache module hadn't been included.
Change-Id: I0167e08b0b652618d8a1af792376bcf02c8fcd82
|
|
We now configure stonith devices for Pacemaker Remote nodes.
Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce
Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197
Partial-Bug: #1686115
|
|
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the
rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a
nice performance boost with rabbitmq, it makes rabbit less resilient to
network glitches as we painfully found out via
https://bugzilla.redhat.com/show_bug.cgi?id=1441635.
Will propose another THT change to actually change the default to
-1 so we get this ha-mode:all by default.
Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
Partial-Bug: #1686337
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
Include the yaml config file for containers
Change-Id: I3ad463217ed3f2d6374627248236b274cfed72fb
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|