summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-03-26Remove certificate request bits from service profilesJuan Antonio Osorio Robles18-222/+0
This is now the job of the certmonger_user profile. So these bits are not needed anymore in the service profiles. Change-Id: Iaa3137d7d13d5e707f587d3905a5a32598c08800 Depends-On: Ibf58dfd7d783090e927de6629e487f968f7e05b6
2017-03-23Ensure iscsi-initiator-utils installedAlex Schultz2-0/+5
We attempt to use iscsi-iname in an exec for our nova compute profile but we do not ensure that the package providing this command is installed. This change adds the package definition for iscsi-initiator-utils to ensure it is installed before trying to use iscsi-iname. Change-Id: I1bfdb68170931fd05a09859cf8eefb50ed20915d Closes-Bug: #1675462
2017-03-17Merge "Enables OpenDaylight Clustering in HA deployments"Jenkins6-15/+135
2017-03-17Merge "Explicitly configure credentials used by ironic to access other services"Jenkins1-0/+7
2017-03-16Enables OpenDaylight Clustering in HA deploymentsTim Rozet6-15/+135
Previously ODL was restricted to only running on the first node in an tripleO HA deployment. This patches enables clustering for ODL and allows multiple ODL instances (minimum 3 for HA). Partially-implements: blueprint opendaylight-ha Change-Id: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-16Explicitly configure credentials used by ironic to access other servicesDmitry Tantsur1-0/+7
Using keystone_authtoken credentials for this purpose is deprecated, and also prevents ironic-conductor from being used as a separate role. As a side effect, this change makes it possible to potentially enable ironic-inspector support in the future (it's not enabled yet). Change-Id: I21180678bec911f1be36e3b174bae81af042938c Partial-Bug: #1661250
2017-03-16Merge "Add spec tests for tripleo::certmonger::mysql class"Jenkins1-0/+64
2017-03-16Merge "Add spec tests for tripleo::certmonger::ca::local class"Jenkins1-0/+46
2017-03-16Merge "Add spec test for tripleo::certmonger::httpd resource"Jenkins1-0/+63
2017-03-16Merge "Create profile to request certificates for the services in the node"Jenkins1-0/+77
2017-03-16Add spec tests for tripleo::certmonger::ca::local classJuan Antonio Osorio Robles1-0/+46
Change-Id: I81e0850777f1498ba9b7a213ba02819847a40786
2017-03-16Add spec tests for tripleo::certmonger::mysql classJuan Antonio Osorio Robles1-0/+64
Change-Id: I81b0b8b54a034817f5791ff7e29f1a3065902642
2017-03-16Add spec test for tripleo::certmonger::httpd resourceJuan Antonio Osorio Robles1-0/+63
Change-Id: Ia002aced6de474022d4aa4e9e3d7d5ee7c31a2b0
2017-03-15Merge "HAProxy: Refactor certificate retrieval bits"Jenkins2-21/+14
2017-03-14Merge "Correct haproxy's stat unix socket path"Jenkins1-1/+1
2017-03-14Create profile to request certificates for the services in the nodeJuan Antonio Osorio Robles1-0/+77
This profile will specifically be used to create all the certificates required in the node. These are fetched from hiera and will be ran in the first step of the overcloud deployment and in the undercloud. The reasoning for this is that, with services moving to containers, we can't yet do these requests for certificates within the containers for the specific services. this is because the containers won't have credentials to the CA, while the baremetal node does. So instead we still do this on the baremetal node, and will subsequently bind mount the certificates to the containers that need them. Also, this gives us flexibility since this approach still works for the baremetal case. There will be a subsequent commit removing the certificate requests from the service-specific profiles. Change-Id: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
2017-03-13Fixes issues with raising mysql file limitTim Rozet3-3/+87
Changes Include: - Adds spec testing - Only raise limits if nonha. puppet-systemd will restart the mariadb service which breaks ha deployments. Hence we only want to do this in noha. - Minor fix to hiera value refrenced not as parameter to mysql.pp Partial-Bug: #1648181 Related-Bug: #1524809 Co-Authored By: Feng Pan <fpan@redhat.com> Change-Id: Id063bf4b4ac229181b01f40965811cb8ac4230d5 Signed-off-by: Tim Rozet <trozet@redhat.com> Signed-off-by: Feng Pan <fpan@redhat.com>
2017-03-13Correct haproxy's stat unix socket pathMichele Baldessari1-1/+1
We currently set the haproxy stat socket to /var/run/haproxy.sock. On Centos/RHEL with selinux enabled this will break: avc: denied { link } for pid=284010 comm="haproxy" name="haproxy.sock" dev="tmpfs" ino=330803 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file The blessed/correctly-labeled path is /var/lib/haproxy/stats Note: I am setting only Partial-Bug because I would still like to make this a parameter so other distros may just override the path. But that change is more apt for pike and not for ocata. Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c Patial-Bug: #1671119
2017-03-13Add bindep supportPaul Belanger1-0/+2
Bindep is an automation tool used by openstack-infra to bootstrap a worker with default packages. Something not needed for puppet jobs. Change-Id: I6b4784c233a2abad01da3408f131af2c89586868 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-03-13HAProxy: Refactor certificate retrieval bitsJuan Antonio Osorio Robles2-21/+14
This moves the certificate request bits to simplify the profile and move the logic to the HAProxy/certmonger specific manifest. This is a small iteration on the effort to separate the certificate retrieval to its own manifest since this part won't be containerized yet. Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
2017-03-11Merge "Add support for BGPVPN service plugin"Jenkins2-0/+39
2017-03-11Add support for BGPVPN service pluginRicardo Noriega2-0/+39
Introduce profile to configure networking-bgpvpn service Implements: blueprint bgpvpn-service-integration Change-Id: I7c1686693a29cc1985f009bd7a3c268c0e211876 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-03-11Merge "httpd: Clean up heat API profiles and add release note"Jenkins4-28/+12
2017-03-10Merge "Deploy Heat APIs over httpd"Jenkins4-6/+186
2017-03-10panko: Do db_sync in api manifestJuan Antonio Osorio Robles2-18/+18
The db_sync from panko comes from the panko-api package; So we move the db_sync to be done in the api manifest as it's done for other services such as barbican. This is necessary since in cases where the overcloud deploy requires puppet to do the installations, with the previous setup it failed since the command wasn't available in the step it was being done. Change-Id: I20a549cbaa2ee4b2c762dbae97f5cbf4d0b517c8 Closes-Bug: #1671716
2017-03-09Add tests for tripleo::certmonger::rabbitmq classJuan Antonio Osorio Robles2-1/+65
Change-Id: I1668b749779bf812d8f55b695dd138cde7eb09d6
2017-03-09Enable TLS in the internal network for RabbitMQJuan Antonio Osorio Robles2-15/+136
This optionally enables TLS for RabbitMQ in the internal network. Note that this leaves enable_internal_tls as undef instead of using the regular default. This is because we don't want to enable this just now, since we first want to pass the necessary hieradata via t-h-t. This will be cleaned in further commits. bp tls-via-certmonger Depends-On: I4f37e77ae12e9582fab7d326ebd4c70127c5445f Depends-On: Ic32b2cb253fa0dc43aad7226b24919b7e588faa9 Change-Id: Ic2a7f877745a0a490ddc9315123bd1180b03c514
2017-03-07sahara: include authtoken classEmilien Macchi2-0/+5
authtoken class configures the keystone_authtoken parameters, required to move to Keystone V3 auth. Change-Id: Ibfd761fef813faa7bf13881c52c34e20d3eac9e5
2017-03-07Update version for PikeAlex Schultz2-7/+7
The current version information is behind that of stable/ocata. In order to address some version generation issues in packaging, we need to bump the version numbers for in preparation for the next version. Change-Id: I586811d9623c4bb03b1b234eaed2b3b365ba6e3e Releated-Bug: #1669462
2017-03-07httpd: Clean up heat API profiles and add release noteJuan Antonio Osorio Robles4-28/+12
There were some values that were passed to the classes manually, and this takes the parameters from t-h-t instead. Also, the release note was added. bp tls-via-certmonger Change-Id: I17c4b7041e16da6489f4b713fdeb28a6e1c5563c Depends-On: I88e5ea7b9bbf35ae03f84fdc3ec76ae09f11a1b6
2017-03-07Deploy Heat APIs over httpdJuan Antonio Osorio Robles4-6/+186
This deploys the Heat APIs (api, cfn and cloudwatch) over httpd, and includes the TLS-everywhere bits. bp tls-via-certmonger Change-Id: I23971b0164468e67c9b3577772af84bd947e16f1
2017-03-07Merge "Stop the chronyd service"Jenkins3-4/+49
2017-03-07Merge "fix typo in release note"Jenkins1-1/+1
2017-03-07Merge "Throw warnings for norpm actions"Jenkins1-0/+5
2017-03-06fix typo in release noteEmilien Macchi1-1/+1
Change-Id: I89e544474b3f73a9e00d37dcddb605d5fe979ca8
2017-03-06Stop the chronyd serviceAlex Schultz3-4/+49
Since the norpm provider can prevent the chronyd package from actually getting purged, we need to make sure the chronyd service is stopped and disabled so that it does not conflict with ntpd. Change-Id: I7a697aba7aa5a27ba4ab6e46018057f7f01dfab2 Closes-Bug: #1665426
2017-03-06Add docker profileSteven Hardy3-0/+140
This configures the docker service on the host, as an alternative to the firstboot script in docker/firstboot/setup_docker_host.sh Doing this via puppet will enable easier integration with e.g the multinode jobs where no firstboot scripts run, and also enables a better error path in the event the service fails to start Co-Authored-By: Alex Schultz <aschultz@redhat.com> Change-Id: Id8add1e8a0ecaedb7d8a7dc9ba3747c1ac3b8eea
2017-03-03Merge "mariadb: Move generation of systemd drop-in to puppet-tripleo"Jenkins1-0/+15
2017-03-03Throw warnings for norpm actionsAlex Schultz1-0/+5
If the norpm provider attempts to do any install/update/remove actions, we should throw a warning in the logs so people are aware that the action did not actually take place. Change-Id: Ieee5cac3412c709ba6b39316e455d7708cc9d22e Closes-Bug: #1669666
2017-03-01Merge "mysqlclient: Drop hiera calls in favor of getting these via t-h-t"Jenkins1-7/+7
2017-03-01Merge "Configure MySQL client SSL connections via the config file"Jenkins1-5/+26
2017-02-28Merge "Revert "Add httpchk for http services""Jenkins1-25/+87
2017-02-28mysqlclient: Drop hiera calls in favor of getting these via t-h-tJuan Antonio Osorio Robles1-7/+7
This also updates a leftover comment. Change-Id: I870caf20103b044655e699aac09f6621414f5326 Depends-On: I5af5ccb88e644f4dd25503d8e7a93796695d3039
2017-02-28Configure MySQL client SSL connections via the config fileJuan Antonio Osorio Robles1-5/+26
This does the actual configuration for the mysql client to use SSL if the parameter is set via t-h-t. Change-Id: I24e4c195a31109835739e78a6b53d36f661f9fd0 Depends-On: Ifd1a06e0749a05a65f6314255843f572d2209067
2017-02-28Merge "Default neutron dhcp_agents_per_network to number of agents"Jenkins3-0/+109
2017-02-28Merge "Ironic inspector support"Jenkins3-0/+52
2017-02-28Revert "Add httpchk for http services"Emilien Macchi1-25/+87
https://bugs.launchpad.net/tripleo/+bug/1668493 I thought about a fix for ceph_rgw, but I realized we might have missed other services too, specially the ones we're not testing in CI. We need to revisit this work and probably make the code more robust for the services where no CI coverage is done. Related-Bug: #1668493 This reverts commit ebcc470ea8a632e6d5c13561a97e817d5f290aac. Change-Id: I3f79c881d8aeda361a59f9952948355986a7c835
2017-02-27Merge "Add ceilometer polling agent profile"Jenkins3-0/+142
2017-02-27mariadb: Move generation of systemd drop-in to puppet-tripleoDamien Ciabrini1-0/+15
Systemd starts mariadb as user mysql, so in order to allow a large number of connections (e.g. max_connections=4096) it is necessary to raise the file descriptor limit via a system drop-in file. When installing an undercloud, such drop-in file is currently generated by instack-undercloud (in file puppet-stack-config.pp). But non-HA overcloud also need such drop-in to be generated. In order to avoid duplicating code, the drop-in creation code should be provided by puppet-tripleo. By default, no drop-in is generated; it has to be enabled by instack-undercloud or tripleo-heat-template once they will use it (resp. to create undercloud or non-HA overcloud). This patch does not aim at generating a dynamic file limit based on the number of connections, this should land in another dedicated patch. Instead, it just reuses the limit currently set for undercloud and HA-overclouds. Also, the generation of the drop-in does not force a mysql restart like it currently does in instack-undercloud, to avoid unexpected service disruption on a non-HA overcloud after a minor update. Co-Authored-By: Tim Rozet <trozet@redhat.com> Depends-On: I7ca7b5f7614971455cae2bf7c4bf8264b642b0dc Change-Id: Ia0907b2ab6062a93fb9363e39c86535a490fbaf6 Partial-Bug: #1648181 Related-Bug: #1524809
2017-02-27Add release note for httpchkAlex Schultz1-0/+6
Adding release note for Ie72b96c76d7513f84003bc15b6527c97df7ba92f Change-Id: Ie3dd31519a4a2cc7aa94a5fc7cd7e906482668f3 Related-Bug: #1629052