summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-01-25[keepalived] fix netmask for vipLukas Bezdicka1-4/+24
For pacemaker we ensure netmask of virtual IP to 64bit for IPv6 and 32bit for IPv4. We should have feature parity in keepalived setup.[1] The issue is that puppet picks first IP orf ifconfig output as and interface IP. In case of IPv6 keepalived would add new IP to interface with netmask 128 causing interface_for_ip to fail on second puppet run. [1] - https://github.com/openstack/puppet-tripleo/blob/master/manifests/pacemaker/haproxy_with_vip.pp Closes-Bug: #1659309 Change-Id: Icb0c9a8d51a9bfcdc4b2caef9e52fdeb6f634cba
2017-01-10Merge "Add Docker Registry profile"Jenkins2-0/+84
2017-01-10Merge "Move nova cells db sync into nova-api profile"Jenkins3-65/+26
2017-01-10Merge "Add support for not using admin_token in Ceph/RGW"Jenkins4-9/+51
2017-01-09Move nova cells db sync into nova-api profileDan Prince3-65/+26
Having the db_sync code live in the mysql profile causes coupling that doesn't work unless your MySQL server has the latest Nova packages installed. This may not work for some baremetal setups (where an isolated database exists) or with containers where the MySQL container definately doesn't have nova packages installed. Moving this code into the nova-api role also matches where we were already db syncing the normal API database so it should be fine and safe. Change-Id: Ib625e2ac9c8d6bd1d335c58e291facc4ea5839ae Co-Authored-By: Alex Schultz <aschultz@redhat.com>
2017-01-09Add support for not using admin_token in Ceph/RGWKeith Schincke4-9/+51
This patch add the option for using Keyston V3 authention with the Ceph/RGW service instead of using the admin_token Change-Id: I42861afcac221478dcb68be13b6dbc2533a7f158
2017-01-09Use THT to define cell0 creationAlex Schultz1-4/+1
As part of the initial implementation, we hard coded the cell0 setup in puppet. This change switches it to leverage the defined value in the tripleo-heat-templates Change-Id: I896a124d91d06ca85b77c9fbe24fd252815a2d28 Depends-On: I08119d781ef60750cc19753bc03190e413159925 Related-Bug: #1649341
2017-01-09Add Docker Registry profileMartin André2-0/+84
The profile was moved out of instack-undercloud puppet manifest and changed to install a v2 Docker registry rather than the old, deprecated v1 registry. Change-Id: Iecf7a4c7e86349e6ecaa0a8ee6d37223e3af7862
2017-01-07Merge "Ensure panko::db class is initialized"Jenkins1-0/+1
2017-01-07Merge "Fix puppet warning for empty value"Jenkins1-0/+2
2017-01-06Ensure panko::db class is initializedPradeep Kilambi1-0/+1
Change-Id: If2f6559a7d76b26fa9b0a3ecfa2e2101aae93e3c
2017-01-06Merge "glance/api: cleanup on dbsync"Jenkins1-8/+1
2017-01-06Fix puppet warning for empty valueEmilien Macchi1-0/+2
Unknown variable: 'haproxy_ssl_firewall_rules' when public_ssl_port is empty. Fixing it by setting an empty hash in this case. Change-Id: If864732262852ef79ebb91ee77902c86b847072a
2017-01-05firewall: add IPv6 supportEmilien Macchi2-18/+84
This patch adds support for ip6tables rules in TripleO, in a intuitive and flexible fashion. 1) Default firewal rules 'source' parameter to undef. It was 0.0.0.0/0 before but now undef, so we don't need complex logic to support ipv6 rules. undef will create empty source, which is the same as 0.0.0.0/0 or ::/0. 2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules. 3) Automatically create IPv6 rules like it's for IPv4. 4) Only create rules that can be created, depending on source/destination ip version. This patch should be backward compatible and adds a layer of security for IPv6 deployments. If previous deployments were manually creating Ipv6 rules, it's possible that this patch will override them. Our framework is able to configure any rule, so it shouldn't be a problem for upgrades. Co-Authored-By: Ben Nemec <bnemec@redhat.com> Closes-Bug: #1654050 Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
2017-01-05glance/api: cleanup on dbsyncEmilien Macchi1-8/+1
Cleanup some code that were useful in the effort of removing Glance Registry service from TripleO. Change-Id: I2a4bdc413e953b8b713d9a12bba74ca18487fe0d
2017-01-05Merge "Adds a profile for the Ceph MDS service"Jenkins2-0/+94
2017-01-04nova-api: switch to new wsgi classEmilien Macchi1-1/+1
nova::wsgi::apache was deprecated in ocata in favor of nova::wsgi::apache_api. Let's switch to it. Change-Id: I59b3b36be33268fa6e261a7db3c4aa8e8e712ffb Depends-On: I5fc99062d349597393e2248c66f2d863029c7730
2017-01-04Merge "Fixes missing haproxy firewall rules for OpenDaylight"Jenkins1-17/+9
2017-01-04Adds a profile for the Ceph MDS serviceGiulio Fidente2-0/+94
This change adds a profile to deploy the Ceph MDS service and some basic unit tests for it. Depends-On: I558b43deaa9b243c54f3d7ae945f11dd4925eb5d Change-Id: Iaecc3ff7acb851776c5057c42a5a513a70425d2c Partial-Bug: #1644784
2017-01-04Fixes missing haproxy firewall rules for OpenDaylightTim Rozet1-17/+9
This migrates the haproxy config for ODL to use the tripleo::haproxy::endpoint class. This class automatically configures firewall rules for each haproxy endpoint. Also removes listening on public network for IP and adds listening on ctlplane network for admin access. Partial-Bug: 1651476 Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-01-04Sync the db as part of the glance-api installFlavio Percoco2-12/+25
The glance database should be created as part of the glance-api service installation and not the registry. Move the db_sync param to the glance-api class call. Change-Id: Ib9f511219e8cb9a7322745b6bd7c4f9c9cc0c198
2017-01-04Merge "Adds ability to populate SSH Banner text"Jenkins3-0/+94
2017-01-04Merge "Add the ml2_odl section when using opendalight_v2"Jenkins1-1/+1
2017-01-04Merge "Don't include api/scheduler manifests on manila share service set up"Jenkins1-2/+0
2017-01-03Merge "Add fossw of networking-fujitsu support to puppet-tripleo"Jenkins1-0/+5
2017-01-03Merge "Add cell_v2 setup for nova"Jenkins1-1/+70
2017-01-03Merge "Avoid Yum/RPM prefetch in norpm provider"Jenkins1-0/+4
2017-01-03Merge "Include nova::compute::libvirt::qemu from the libvirt profile"Jenkins1-0/+2
2017-01-02Avoid Yum/RPM prefetch in norpm providerDan Prince1-0/+4
When package installation is disabled we still prefetch packages. This disables the package prefetch by returning an empty array which should be fine in the normal case and fixes issues when running puppet in some docker containers. Change-Id: Ia483c5f8500b804ba37a80e9ca1ec9c038f0a867
2017-01-02Don't include api/scheduler manifests on manila share service set upJan Provaznik1-2/+0
Manila pacemaker manifest (which sets manila share service only) includes also manila api and scheduler manifests. There is no reason for this. Also it causes that on whichever node manila share service runs also manila api and scheduler services are started. Change-Id: Ia1b39ef36c5bc34813cd6430b69ad9b698acc3cf Closes-Bug: #1653500
2016-12-29Add the ml2_odl section when using opendalight_v2Itzik Brown1-1/+1
Add the option to add the section of ml2_odl to ml2_conf.ini when opendaylight_v2 mechanism driver is used Change-Id: I2a1c5097614e47cc09e43bbc77305a0548d54baa
2016-12-23Merge "Fix puppet version for requirements in metadata"Jenkins1-2/+2
2016-12-23nova: use transport_url for rabbitmqEmilien Macchi1-12/+34
Configure Nova with new Oslo Messaging parameters for RabbitMQ. Note: parameters are renamed to be standard, so it will help a future transition to another backend in TripleO. Change-Id: Ia67a4dbe5b2bd12c45308a5581f96d0457b8e018
2016-12-23Merge "Add basic structure for ReNo"Jenkins10-0/+331
2016-12-22Add cell_v2 setup for novaAlex Schultz1-1/+70
We need to run the basic cell v2 setup for nova as it is required for Ocata. Change-Id: I693239ff5026f58a65eb6278b1a8fcb97af4f561 Depends-On: I43ba77cd4c8da7c6dc117ab0bd53e5cd330dc3de Depends-On: I9462ef16fd64a577c3f950bd121f0bd28670fabc Closes-Bug: #1649341
2016-12-22Merge "add support for collectd"Jenkins2-0/+94
2016-12-22Merge "[CVE-2016-9599] Enforce Firewall TCP / UDP rules management"Jenkins3-11/+54
2016-12-22Merge "Ensure package updates don't happen unexpectedly"Jenkins1-2/+2
2016-12-22Merge "HPELeftHandISCSIDriver support for cinder"Jenkins3-8/+95
2016-12-22Merge "Add TLS proxy resource"Jenkins1-0/+60
2016-12-22Merge "Split ovn plugin and northd configuration"Jenkins4-16/+110
2016-12-22[CVE-2016-9599] Enforce Firewall TCP / UDP rules managementEmilien Macchi3-11/+54
This closes CVE-2016-9599. 1) Sanitize dynamic HAproxy endpoints firewall rules Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepare the hash depending on the service_port and public_ssl_port parameters and create the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified. 2) Secure Firewall rules creations The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why. Example of use-cases: - creating VRRP rules wouldn't require port parameters. - creating TCP or UDP rules would require port parameters. 3) Allow to open all traffic for TCO / UDP (when desired) Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule. Backward compatibility: - if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purpose. - if you users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure. - if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created. - TCP / UDP rules in FORWARD chain without port are still accepted. Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59 Closes-Bug: #1651831
2016-12-22Ensure package updates don't happen unexpectedlySteven Hardy1-2/+2
I'm seeing this run yum update on deploy, even though hiera tripleo::packages::enable_upgrade says false. I assume these are needed because we're getting "false", but I'm unclear if this is a recently introduced problem (I only noticed it today as my image has outdated centos packages and it thus hung on step2 of the deploy. Change-Id: If09cdde9883f2674dbbc40944be5fe4445caa08e Closes-Bug: #1652107
2016-12-22Add fossw of networking-fujitsu support to puppet-tripleoKoki Sanagi1-0/+5
Enable ml2.pp to call networking-fujitsu manifest in puppet-neutron for fossw ML2 plugin setting. Change-Id: I044c5812bbc5cd3de4bc33556cffbe5bad8e64cf Implements: blueprint integration-fossw-networking-fujitsu Depends-On: I79df6b6a27d95f0c0e2c87207ab80235a4efccfc
2016-12-22Merge "Decouple swift-proxy from ceilometer packages"Jenkins1-8/+15
2016-12-22Merge "Add networking-fujitsu support to puppet-tripleo"Jenkins1-0/+5
2016-12-22Merge "Do not use hardcoded controller_node_names when setting up the cluster"Jenkins1-1/+2
2016-12-21Adds ability to populate SSH Banner textLuke Hinds3-0/+94
A puppet manifest to allow the toggle of 'Banner' in sshd_config and enable population of an SSH login banner needed for security compliance such as DISA STIG If `Bannertext` is set as a parameter, the `Banner` key within sshd_config is toggled to `/etc/issue` and the content is copied into the `/etc/issue` file Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e Closes-Bug: #1640306
2016-12-20Decouples neutron services from OpenDaylight API serviceTim Rozet1-12/+7
Removes including Neutron services in the OpenDaylight API service. This was breaking custom roles when splitting up OpenDaylight and Neutron into different roles. Also, references to "controller" are removed because with custom roles OpenDaylight could be isolated to any role type. The 'bootstrap_nodeid' still works with any role, and only resolves to the first node in the series of nodes for that role type. Partial-Bug: 1651499 Change-Id: I418643810ee6b8a2c17a4754c83453140ebe39c7 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-12-20Add TLS proxy resourceJuan Antonio Osorio Robles1-0/+60
some services need a terminating proxy to do TLS on their main interfaces, to address this, we use httpd's mod_proxy and make it listen in front of these services with an appropriate certificate. bp tls-via-certmonger Change-Id: I82243fd3acfe4f23aab373116b78e1daf9d08467