summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-05-26Merge "Pass mistral::api service_name from t-h-t"Jenkins1-11/+3
2017-05-24Merge "Add support for autofencing to Pacemaker Remote."Jenkins1-0/+27
2017-05-24Merge "Enable mistral to run under mod_wsgi"Jenkins2-4/+59
2017-05-23Enable novajoin user on keystone profileJuan Antonio Osorio Robles1-0/+3
If novajoin is enabled, the keystone profile should create its user. bp tls-via-certmonger-containers Change-Id: Ifb43b72cbf0180cf12e6d3584c92ae01ce5294e5
2017-05-22Merge "TLS everywhere: Add resources for mongodb's TLS configuration"Jenkins2-0/+96
2017-05-19Merge "Bad example in firewall.pp"Jenkins1-1/+1
2017-05-19Merge "Switch to overlay2 driver for storage"Jenkins2-4/+90
2017-05-19Bad example in firewall.ppCyril Lopez1-1/+1
It was an error in the example to set firewall rule Tested on newton. Closes-Bug: 1691990 Change-Id: I091ad0305ac9d9fbb63853e46169fcaa6092456b Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2017-05-19Switch to overlay2 driver for storageDan Prince2-4/+90
This patch switches the default to the overlay2 storage driver and see if it helps performance. Background: The loopback driver is not recommended for production. Most other docker storage backends require extra disks (or partitions) which we don't have on the root disk. Overlay seems to make the most since for TripleO upgrades where we intend to update in-place installations to use docker. Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
2017-05-18Merge "Update tox configuration"Jenkins5-63/+21
2017-05-18Merge "Update gitignore not to exclude fixture hieradata"Jenkins1-1/+2
2017-05-18Merge "Handle duplicate/invalid entries in migration SSH inbound addresses"Jenkins2-3/+109
2017-05-18Merge "Disable SSH login for nova_migration user when migration over ssh is ↵Jenkins2-34/+83
disabled."
2017-05-17Update gitignore not to exclude fixture hieradataAlex Schultz1-1/+2
The existing .gitignore is causing the hieradata we use for tests to be excluded in git and our release tarballs. Lets adjust the gitignore not to exclude the hiera files in spec/fixtures Change-Id: Ic31687d0eb1c2e8acc92796d4c0eba096db8e533 Closes-Bug: #1691559
2017-05-17Update tox configurationAlex Schultz5-63/+21
Update the tox configuration to pull in the openstack upper-constraints.txt when running releasenotes. This will fix the releasenotes job that is currently failing due to a new version of sphinx. Additionally this change includes updates from puppet-modulesync-configs. Change-Id: Ie587bfde2367dfec796f1b07c01bba15d839a3b1 Related-Bug: #1691511
2017-05-17TLS everywhere: Add resources for mongodb's TLS configurationJuan Antonio Osorio Robles2-0/+96
bp tls-via-certmonger Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
2017-05-16Merge "Use verify_on_create when creating pacemaker remote resources"Jenkins1-0/+1
2017-05-15Merge "vhostuser socket dir shall be created for vhostuserclient mode"Jenkins4-1/+92
2017-05-13vhostuser socket dir shall be created for vhostuserclient modeKarthik S4-1/+92
In order to support vhostuser client mode, a vhostuser_socket_dir needs to be created with qemu:qemu g+w permissions. Closes-Bug: #1675690 Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com> Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8 Signed-off-by: Karthik S <ksundara@redhat.com>
2017-05-11Merge "Add support for Cinder "NAS secure" driver params"Jenkins2-6/+29
2017-05-08Merge "Migrates OpenDaylight to official repo"Jenkins1-1/+1
2017-05-07Use verify_on_create when creating pacemaker remote resourcesMichele Baldessari1-0/+1
We currently create remote resources without waiting for their creation. This leads to the following potential race (spotted by Marian Mkrcmari): - On Step1 pacemaker bootstrap node creates the resource but the remote resource is not yet created - Step1 completes and Step2 starts - On Step2 the remote node sets a property (or calls pcs cib) but the remote is not yet set up so 'pcs cluster cib' will fail there with: (err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed with code: 1 -> Note that when verify_on_create is set to true we are not using the cib dump/push mechanism. That is fine because we create the remotes on step1 and the dump/push mechanism is only needed starting from step2 when multiple nodes set cluster properties at the same time. Tested by Marian Mkrcmari successfully as well. Closes-Bug: #1689028 Change-Id: I764526b3f3c06591d477cc92779d83a19802368e Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f
2017-05-06Pass mistral::api service_name from t-h-tBrad P. Crochet1-11/+3
In order to have the chicken-egg work, service_name had to be explicitly passed to ::mistral::api. This switches to using values from t-h-t. Change-Id: Ib94e51f863ba59a1a1db47d58aed3ba4e5fc9650 Depends-On: Ie98dd5061d92dbc3c15bdd8926b0e3d62cc471f6
2017-05-06Enable mistral to run under mod_wsgiBrad P. Crochet2-4/+59
Mistral should run under mod_wsgi. Enable that. Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
2017-05-05Migrates OpenDaylight to official repoTim Rozet1-1/+1
ODL repo has been moved from a personal github account into official ODL repo. Change-Id: I1248c22acc09962ef788ca19ee87b6bda8ef8450 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-05-05Remove limits for redis in /etc/security/limits.dMichele Baldessari2-15/+21
Now that puppet-redis supports ulimit for cluster managed redis (via https://github.com/arioch/puppet-redis/pull/192), we need to remove the file snippet as otherwise we will get a duplicate resource error. We will need to create a THT change that at the very least sets the redis::managed_by_cluster_manager key to true so that /etc/security/limits.d/redis.conf gets created. We also add code to not break backwards compatibility with the old hiera key. Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d Partial-Bug: #1688464
2017-05-05Handle duplicate/invalid entries in migration SSH inbound addressesOliver Walsh2-3/+109
An error (e.g a typo) in a custom tripleo-heat-templates environment file could lead to an invalid match block in /etc/ssh/sshd_config. SSH fails-safe and refuses all logins in this case. This change validates the migration_ssh_localaddrs parameter is an array of IP addresses and removes and duplicate entries. Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25 Closes-Bug: #1688308
2017-05-05Disable SSH login for nova_migration user when migration over ssh is disabled.Oliver Walsh2-34/+83
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary. Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3 Closes-Bug: #1688321
2017-05-04Merge "Restrict nova migration ssh tunnel"Jenkins4-68/+271
2017-05-04Add support for Cinder "NAS secure" driver paramsAlan Bishop2-6/+29
Add ability to set Cinder's nas_secure_file_operations and nas_secure_file_permissions driver parameters. Two sets of identically named parameters are implemented by Cinder's NFS and NetApp back end drivers. The ability to control these parameters is crucial for supporting deployments that require non-default values. Partial-Bug: #1688332 Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9 Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308
2017-05-04Merge "MySQL client: Make CA file configurable"Jenkins1-1/+6
2017-05-03Merge "snmp: remove useless parameter for binding"Jenkins1-1/+0
2017-05-03Restrict nova migration ssh tunnelOliver Walsh4-68/+271
This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-05-03Merge "IPv6 VIP addresses need to be /128"Jenkins1-6/+14
2017-05-03MySQL client: Make CA file configurableJuan Antonio Osorio Robles1-1/+6
It used to be hardcoded to use the OpenSSL default CA Bundle, however, this will be changed in t-h-t. Change-Id: I75bdaf71d88d169e64687a180cb13c1f63418a0f
2017-05-03IPv6 VIP addresses need to be /128Michele Baldessari1-6/+14
We currently hardcode /64 as our VIP addresses when using IPv6. The problem with this is that some server code might bind to that IP as a source address when doing inter-cluster communication (rabbitmq/galera for example). So when the VIP moves there will be effectively a network outage between the nodes, which should not happen. Likely this was hardcoded to /64 because the RA IPaddr2 needs a nic parameter when /128 is specified. This is due to: https://bugzilla.redhat.com/show_bug.cgi?id=1445628 We also make sure we use the ipv6_addrlabel option set to 99 so that they will never be used as source ip addresses. Depends-On: I7fcf15a00aedbdcfb21db501ad46c69fb97ec30c Partial-Bug: #1686357 Change-Id: Ibefde870512ad1e03ff12f7aea91b3734f03f96f Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com> Co-Authored-By: Marios Andreou <mandreou@redhat.com> Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
2017-05-03Merge "firewall: generally accept "jump" param and use tripleo:firewall for ↵Jenkins2-2/+16
log rule"
2017-05-02snmp: remove useless parameter for bindingEmilien Macchi1-1/+0
Binding is now done in THT via Hiera directly, so users can change the option more easily. Depends-On: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614 Change-Id: I9d5fd152bb73ea54c4d0d3bab862f11eaa4ebd79 Closes-Bug: #1687628
2017-04-27Merge "Fix wrong notify in swift proxy profile"Jenkins1-1/+1
2017-04-27Merge "Add linuxbridge agent profile"Jenkins1-0/+20
2017-04-27Merge "Include base apache module in tls_proxy resource"Jenkins1-0/+1
2017-04-27Fix wrong notify in swift proxy profileJuan Antonio Osorio Robles1-1/+1
the TLS proxy was notifying neutron::server instead of swift proxy. Change-Id: I212978c107a75209d5b7c266e608eb9a9e9cdc76
2017-04-27Include base apache module in tls_proxy resourceJuan Antonio Osorio Robles1-0/+1
Other services include it by using the vhost resource from openstacklib. If we include a service (such as swift-proxy) that uses the tls_proxy resource, and we do so in a separate node or in its own container, it will fail since the base apache module hadn't been included. Change-Id: I0167e08b0b652618d8a1af792376bcf02c8fcd82
2017-04-26Add support for autofencing to Pacemaker Remote.Chris Jones1-0/+27
We now configure stonith devices for Pacemaker Remote nodes. Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197 Partial-Bug: #1686115
2017-04-26Add a flag to rabbitmq so that we can deploy with ha-mode: all againMichele Baldessari1-2/+6
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a nice performance boost with rabbitmq, it makes rabbit less resilient to network glitches as we painfully found out via https://bugzilla.redhat.com/show_bug.cgi?id=1441635. Will propose another THT change to actually change the default to -1 so we get this ha-mode:all by default. Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c Partial-Bug: #1686337 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins6-10/+193
2017-04-25Merge "Update puppet-etcd version"Jenkins1-1/+1
2017-04-25Merge "Add support for Redfish hardware in Ironic"Jenkins2-0/+6
2017-04-25Merge "Include zaqar apache module"Jenkins2-2/+8
2017-04-25Merge "Dell SC: Add secondary DSM support"Jenkins1-10/+14