Age | Commit message (Collapse) | Author | Files | Lines |
|
For pacemaker we ensure netmask of virtual IP to 64bit for IPv6 and
32bit for IPv4. We should have feature parity in keepalived setup.[1]
The issue is that puppet picks first IP orf ifconfig output as and
interface IP. In case of IPv6 keepalived would add new IP to
interface with netmask 128 causing interface_for_ip to fail on
second puppet run.
[1] - https://github.com/openstack/puppet-tripleo/blob/master/manifests/pacemaker/haproxy_with_vip.pp
Closes-Bug: #1659309
Change-Id: Icb0c9a8d51a9bfcdc4b2caef9e52fdeb6f634cba
|
|
|
|
|
|
|
|
Having the db_sync code live in the mysql profile causes
coupling that doesn't work unless your MySQL server has the
latest Nova packages installed. This may not work for some
baremetal setups (where an isolated database exists) or
with containers where the MySQL container definately doesn't
have nova packages installed.
Moving this code into the nova-api role also matches where we
were already db syncing the normal API database so it should be
fine and safe.
Change-Id: Ib625e2ac9c8d6bd1d335c58e291facc4ea5839ae
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
|
|
This patch add the option for using Keyston V3 authention with
the Ceph/RGW service instead of using the admin_token
Change-Id: I42861afcac221478dcb68be13b6dbc2533a7f158
|
|
As part of the initial implementation, we hard coded the cell0 setup in
puppet. This change switches it to leverage the defined value in the
tripleo-heat-templates
Change-Id: I896a124d91d06ca85b77c9fbe24fd252815a2d28
Depends-On: I08119d781ef60750cc19753bc03190e413159925
Related-Bug: #1649341
|
|
The profile was moved out of instack-undercloud puppet manifest and
changed to install a v2 Docker registry rather than the old, deprecated
v1 registry.
Change-Id: Iecf7a4c7e86349e6ecaa0a8ee6d37223e3af7862
|
|
|
|
|
|
Change-Id: If2f6559a7d76b26fa9b0a3ecfa2e2101aae93e3c
|
|
|
|
Unknown variable: 'haproxy_ssl_firewall_rules' when public_ssl_port is
empty.
Fixing it by setting an empty hash in this case.
Change-Id: If864732262852ef79ebb91ee77902c86b847072a
|
|
This patch adds support for ip6tables rules in TripleO, in a intuitive
and flexible fashion.
1) Default firewal rules 'source' parameter to undef.
It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
support ipv6 rules. undef will create empty source, which is the same as
0.0.0.0/0 or ::/0.
2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.
3) Automatically create IPv6 rules like it's for IPv4.
4) Only create rules that can be created, depending on
source/destination ip version.
This patch should be backward compatible and adds a layer of security
for IPv6 deployments. If previous deployments were manually creating
Ipv6 rules, it's possible that this patch will override them. Our
framework is able to configure any rule, so it shouldn't be a problem
for upgrades.
Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
|
|
Cleanup some code that were useful in the effort of removing Glance
Registry service from TripleO.
Change-Id: I2a4bdc413e953b8b713d9a12bba74ca18487fe0d
|
|
|
|
nova::wsgi::apache was deprecated in ocata in favor of
nova::wsgi::apache_api.
Let's switch to it.
Change-Id: I59b3b36be33268fa6e261a7db3c4aa8e8e712ffb
Depends-On: I5fc99062d349597393e2248c66f2d863029c7730
|
|
|
|
This change adds a profile to deploy the Ceph MDS service and some
basic unit tests for it.
Depends-On: I558b43deaa9b243c54f3d7ae945f11dd4925eb5d
Change-Id: Iaecc3ff7acb851776c5057c42a5a513a70425d2c
Partial-Bug: #1644784
|
|
This migrates the haproxy config for ODL to use the
tripleo::haproxy::endpoint class. This class automatically configures
firewall rules for each haproxy endpoint. Also removes listening on
public network for IP and adds listening on ctlplane network for admin
access.
Partial-Bug: 1651476
Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
The glance database should be created as part of the glance-api service
installation and not the registry. Move the db_sync param to the
glance-api class call.
Change-Id: Ib9f511219e8cb9a7322745b6bd7c4f9c9cc0c198
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
When package installation is disabled we still prefetch packages.
This disables the package prefetch by returning an empty array
which should be fine in the normal case and fixes issues when
running puppet in some docker containers.
Change-Id: Ia483c5f8500b804ba37a80e9ca1ec9c038f0a867
|
|
Manila pacemaker manifest (which sets manila share service only)
includes also manila api and scheduler manifests. There is no
reason for this. Also it causes that on whichever node manila share
service runs also manila api and scheduler services are started.
Change-Id: Ia1b39ef36c5bc34813cd6430b69ad9b698acc3cf
Closes-Bug: #1653500
|
|
Add the option to add the section of ml2_odl
to ml2_conf.ini when opendaylight_v2 mechanism driver is used
Change-Id: I2a1c5097614e47cc09e43bbc77305a0548d54baa
|
|
|
|
Configure Nova with new Oslo Messaging parameters for RabbitMQ.
Note: parameters are renamed to be standard, so it will help a future
transition to another backend in TripleO.
Change-Id: Ia67a4dbe5b2bd12c45308a5581f96d0457b8e018
|
|
|
|
We need to run the basic cell v2 setup for nova as it is required for
Ocata.
Change-Id: I693239ff5026f58a65eb6278b1a8fcb97af4f561
Depends-On: I43ba77cd4c8da7c6dc117ab0bd53e5cd330dc3de
Depends-On: I9462ef16fd64a577c3f950bd121f0bd28670fabc
Closes-Bug: #1649341
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This closes CVE-2016-9599.
1) Sanitize dynamic HAproxy endpoints firewall rules
Build the hash of firewall rules only when a port is specified. The
HAproxy endpoints are using TCP protocol, which means we have to specify
a port to the IPtables rules.
Some services don't have public network exposure (e.g. Glance Registry),
which means they don't need haproxy_ssl rule.
The code prepare the hash depending on the service_port and
public_ssl_port parameters and create the actual firewall rules only if
one of those or both parameters are specified.
It will prevent new services without public exposure to open all traffic
because no port is specified.
2) Secure Firewall rules creations
The code won't allow to create TCP / UDP IPtables rules in INPUT
or OUTPUT chains without port or sport or dport, because doing it would
allow an IPtables rule opening all traffic for TCP or UDP.
If we try to do that, Puppet catalog will fail with an error explaining
why.
Example of use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.
3) Allow to open all traffic for TCO / UDP (when desired)
Some use-cases require to open all traffic for all ports on TCP / UDP.
It will be possible if the user gives port = 'all' when creating the
firewall rule.
Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port
parameters, it won't work anymore, for security purpose.
- if you users want to open TCP / UDP for all ports, they need to pass
port = 'all' and the rule will be created, though a warning will be
displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it
will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.
Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
|
|
I'm seeing this run yum update on deploy, even though hiera
tripleo::packages::enable_upgrade says false.
I assume these are needed because we're getting "false", but I'm
unclear if this is a recently introduced problem (I only noticed it
today as my image has outdated centos packages and it thus hung on
step2 of the deploy.
Change-Id: If09cdde9883f2674dbbc40944be5fe4445caa08e
Closes-Bug: #1652107
|
|
Enable ml2.pp to call networking-fujitsu manifest in puppet-neutron
for fossw ML2 plugin setting.
Change-Id: I044c5812bbc5cd3de4bc33556cffbe5bad8e64cf
Implements: blueprint integration-fossw-networking-fujitsu
Depends-On: I79df6b6a27d95f0c0e2c87207ab80235a4efccfc
|
|
|
|
|
|
|
|
A puppet manifest to allow the toggle of 'Banner' in sshd_config
and enable population of an SSH login banner needed for security
compliance such as DISA STIG
If `Bannertext` is set as a parameter, the `Banner` key within
sshd_config is toggled to `/etc/issue` and the content is copied
into the `/etc/issue` file
Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
|
|
Removes including Neutron services in the OpenDaylight API service.
This was breaking custom roles when splitting up OpenDaylight and Neutron
into different roles. Also, references to "controller" are removed
because with custom roles OpenDaylight could be isolated to any role
type. The 'bootstrap_nodeid' still works with any role, and only
resolves to the first node in the series of nodes for that role type.
Partial-Bug: 1651499
Change-Id: I418643810ee6b8a2c17a4754c83453140ebe39c7
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
some services need a terminating proxy to do TLS on their main
interfaces, to address this, we use httpd's mod_proxy and make it listen
in front of these services with an appropriate certificate.
bp tls-via-certmonger
Change-Id: I82243fd3acfe4f23aab373116b78e1daf9d08467
|