aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-01-27Add a default rule for dhcpv6 trafficMichele Baldessari1-0/+6
Via bug https://bugs.launchpad.net/tripleo/+bug/1657108 we need to zero out the default rules in /etc/sysconfig/ip{6}tables in the image. We have done this for ipv4, but when we will do it for ipv6 we will also need to make sure we add a rule for dhcpv6 traffic as it is shipped in the iptables rpm. (See https://bugzilla.redhat.com/show_bug.cgi?id=1169036 for more info) With this change we correctly get the rule present (aka the first ACCEPT line. The second line is due to the stock ip6tables rule I had in my testing): [root@overcloud-controller-0 ~]# iptables -nvL |grep 546 [root@overcloud-controller-0 ~]# ip6tables -nvL |grep 546 0 0 ACCEPT udp * * ::/0 fe80::/64 multiport dports 546 /* 004 accept ipv6 dhcpv6 ipv6 */ state NEW 0 0 ACCEPT udp * * ::/0 fe80::/64 udp dpt:546 state NEW Change-Id: If22080054b2b1fa7acfd101e8c34d2707e8e7864 Partial-Bug: #1657108
2017-01-27Merge "horizon: be more flexible in hiera neutron"Jenkins1-1/+1
2017-01-27Merge "Use TLS proxy for neutron server's internal TLS"Jenkins3-13/+82
2017-01-26Merge "Support composable HA for the Ceph rbdmirror daemon"Jenkins1-1/+21
2017-01-26Merge "Adding congress service"Jenkins4-0/+122
2017-01-26horizon: be more flexible in hiera neutronEmilien Macchi1-1/+1
Requiring the neutron mechanism driver from hiera is too rigid, if Neutron is not deployed in the catalog. Be more flexible so catalog won't fail if the value is not set in Hiera. Change-Id: I1475687c4dc53c77e763f42a440355a7c8d014bc Partial-Bug: #1659662
2017-01-26Support composable HA for the Ceph rbdmirror daemonGiulio Fidente1-1/+21
Follow up patch for I63da4f48da14534fd76265764569e76300534472 to support composable HA for the Ceph rbdmirror daemon. Change-Id: I3767bee4b1c7849fa85e71bcc57534b393d2d415
2017-01-26Use TLS proxy for neutron server's internal TLSJuan Antonio Osorio Robles3-13/+82
This uses the tls_proxy resource added in a previous commit [1] in front of the neutron server when internal TLS is enabled. Right now values are passed quite manually, but a subsequent commit will use t-h-t to pass the appropriate hieradata, and then we'll be able to clean it up from here. Note that the proxy is only deployed when internal TLS is enabled. [1] I82243fd3acfe4f23aab373116b78e1daf9d08467 bp tls-via-certmonger Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
2017-01-26Merge "Ensure basic Ceph configuration is performed by RBD mirror"Jenkins1-0/+1
2017-01-26Merge "[keepalived] fix netmask for vip"Jenkins1-4/+24
2017-01-26Adding congress serviceDan Radez4-0/+122
Change-Id: Ic74ccd5fa7b3b04ca810416e5160463252f17474 Signed-off-by: Dan Radez <dradez@redhat.com>
2017-01-25Merge "Adding tacker service"Jenkins4-0/+122
2017-01-25Merge "Composable HA"Jenkins9-59/+250
2017-01-25Merge "Remove double include of neutron::server class"Jenkins1-8/+1
2017-01-25Composable HAMichele Baldessari9-59/+250
This commit implements composable HA for the pacemaker profiles. - Everytime a pacemaker resource gets included on a node, that node will add a node cluster property with the name of the resource (e.g. galera-role=true) - Add a location rule constraint to force running the resource only on the nodes that have that property - We also make sure that any pacemaker resource/property creation has a predefined number of tries (20 by default). The reason for this is that within composable HA, it might be possible to get "older CIB" errors when another node changed the CIB while we were doing an operation on it. Simply retrying fixes this. - Also make sure that we use the newly introduced pacemaker::constraint::order class instead of the older pacemaker::constraint::base class. The former uses the push_cib() function and hence behaves correctly in case multiple nodes try to modify the CIB at the same time. Change-Id: I63da4f48da14534fd76265764569e76300534472 Depends-On: Ib931adaff43dbc16220a90fb509845178d696402 Depends-On: I8d78cc1b14f0e18e034b979a826bf3cdb0878bae Depends-On: Iba1017c33b1cd4d56a3ee8824d851b38cfdbc2d3
2017-01-25Adding tacker serviceDan Radez4-0/+122
Change-Id: I3d6bbc05644e840395f87333ec80e3b844f69903
2017-01-25Remove double include of neutron::server classJuan Antonio Osorio Robles1-8/+1
This class was being included in the same way in two different branches of the code which could be joined in the initial branch (or if statement). Change-Id: Iee3c1663a2fe929b21a9c089d89b721600af66bd
2017-01-25Ensure basic Ceph configuration is performed by RBD mirrorGiulio Fidente1-0/+1
Previously we missed to perform the basic Ceph client configuration on a node where only the RBD mirror service was deployed. Change-Id: Ie6a4284a88714bcee964a38636e12aa88bb95c9d Co-Authored-By: Michele Baldessari <michele@acksyn.org> Related-Bug: #1652177
2017-01-25[keepalived] fix netmask for vipLukas Bezdicka1-4/+24
For pacemaker we ensure netmask of virtual IP to 64bit for IPv6 and 32bit for IPv4. We should have feature parity in keepalived setup.[1] The issue is that puppet picks first IP orf ifconfig output as and interface IP. In case of IPv6 keepalived would add new IP to interface with netmask 128 causing interface_for_ip to fail on second puppet run. [1] - https://github.com/openstack/puppet-tripleo/blob/master/manifests/pacemaker/haproxy_with_vip.pp Closes-Bug: #1659309 Change-Id: Icb0c9a8d51a9bfcdc4b2caef9e52fdeb6f634cba
2017-01-25Fix wrong hiera key in ceph_rbdmirrorMichele Baldessari1-1/+1
There is a typo in the bootstrap check which will lead to: Could not find data item ceph_rbdmirror_bootstrap_short_node_name in any Hiera data file and no default supplied at /etc/puppet/modules/tripleo/manifests/profile/pacemaker/ceph/rbdmirror.pp We need to be using the correct one: $ hiera ceph_rbdmirror_short_bootstrap_node_name overcloud-remote-0 Change-Id: Ic343e5f99e48360bdd2d2989781a4b6ca484e8fc
2017-01-25Merge "Clean TLS proxy-related setup for glance api profile"Jenkins1-11/+29
2017-01-25Merge "Make sure we bind the rabbit inter-cluster to a specific interface"Jenkins3-7/+63
2017-01-25Merge "pacemaker remote profile support"Jenkins2-2/+95
2017-01-24Clean TLS proxy-related setup for glance api profileJuan Antonio Osorio Robles1-11/+29
Since the commit this depends on sets it up via hieradata, the conditions here are no longer needed. bp tls-via-certmonger Change-Id: I66956f0b85e8e3bf1ab9562221d51d51c230b88e Depends-On: I693213a1f35021b540202240e512d121cc1cd0eb
2017-01-24Merge "Use TLS proxy for Glance API's internal TLS"Jenkins2-9/+69
2017-01-24Merge "updates to collectd support"Jenkins3-48/+80
2017-01-24pacemaker remote profile supportMichele Baldessari2-2/+95
This support enables a base profile called pacemaker_remote which will allow the operator to automatically configure the pacemaker_remote service on such nodes. This manifest also automatically adds any pacemaker_remote nodes to the pacemaker cluster. Depends-On: I0c01ecb7df1a0f9856fdc866b9d06acf0283fa4f Depends-On: Ic0488f4fc63e35b9aede60fae1e2cab34b1fbdd5 Change-Id: I92953afcc7d536d387381f08164cae8b52f41605
2017-01-24Merge "Add retries to the ::pacemaker::stonith property"Jenkins1-1/+7
2017-01-23Merge "Implement Nova ec2api profile"Jenkins4-1/+92
2017-01-23Merge "Remove last bits of Glance Registry"Jenkins2-72/+0
2017-01-23Merge "Add Ceph RBD mirror Pacemaker profile"Jenkins2-0/+141
2017-01-23Use TLS proxy for Glance API's internal TLSJuan Antonio Osorio Robles2-9/+69
This uses the tls_proxy resource added in the previous commit [1] in front of the Glance API server when internal TLS is enabled. Right now values are passed quite manually, but a subsequent commit will use t-h-t to pass the appropriate hieradata, and then we'll be able to clean it up from here. Note that the proxy is only deployed when internal TLS is enabled. [1] I82243fd3acfe4f23aab373116b78e1daf9d08467 bp tls-via-certmonger Depends-On: Id5dfb38852cf2420f4195a3c1cb98d5c47bbd45e Change-Id: Id35a846d43ecae8903a0d58306d9803d5ea00bee
2017-01-23Remove last bits of Glance RegistryEmilien Macchi2-72/+0
Glance Registry has been removed in TripleO. So we can clean puppet-tripleo and remove last bits that used to deploy this service. Change-Id: Iea8f6340349ab366606205305a3ec9a6e4f11ba6
2017-01-23Merge "Add haproxy firewall rules for galera and redis"Jenkins1-0/+18
2017-01-23Merge "Add a noop_resource function"Jenkins1-0/+53
2017-01-20Add a noop_resource functionDan Prince1-0/+53
A function to create noop providers (set as the default) for the named resource. This works alongside of 'puppet apply --tags' to disable some custom resource types that still attempt to run commands during prefetch, etc. Change-Id: Icabdb30369c8ca15e77d169dc441bee8cfd3631f
2017-01-21Merge "Add support for fence_ironic fencing agent."Jenkins1-0/+3
2017-01-20Merge "cinder: move glance params into common"Jenkins4-5/+7
2017-01-20Merge "Fix typo in endpoint.pp"Jenkins1-1/+1
2017-01-20Merge "Move nova::placement to common nova manifest"Jenkins2-2/+1
2017-01-20Implement Nova ec2api profileSven Anderson4-1/+92
Change-Id: If4b091e1ca02f43aa9c65392baf8ceea007b7cfb
2017-01-20Merge "Add base profile for Octavia services"Jenkins4-0/+365
2017-01-20Merge "Remove unused variable in certmonger/mysql manifest"Jenkins1-10/+0
2017-01-20Make sure we bind the rabbit inter-cluster to a specific interfaceMichele Baldessari3-7/+63
Currently the inter-cluster communication port listens to all ip addresses: tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 25631/beam.smp In order to limit it to listen only to the network assigned to rabbitmq we need to add the following: {kernel, [ ... {inet_dist_use_interface, {172,17,0,16}}, ... ]} In order to do the conversion from an ip address to the Erlang representation we add a function that takes a string and returns a converted output. The (~400 randomly generated) IPv6/4 addresses at [1] have been parsed both via erl's built-in inet:parse_address() function and our ruby implementation. All converted ip addresses resulted in the same output [2], [3]. The only difference is that Erlang's parse_address() considers network ip addresses (e.g. 10.0.0.0) invalid whereas the ruby function does not. This should not be a problem as the use case here is to bind a service to a specific ip address on an interface and if anything we likely prefer the less strict behaviour, given that at least in theory it is perfectly valid for an interface to have a network address assigned to it. [1] http://acksyn.org/files/tripleo/ip-addresses.txt [2] http://acksyn.org/files/tripleo/ip-addresses-ruby.txt [3] http://acksyn.org/files/tripleo/ip-addresses-erl.txt Change-Id: I211c75b9bab25c545bcc7f90f34edebc92bba788 Partial-Bug: #1645898
2017-01-20Fix typo in endpoint.ppzhangyanxian1-1/+1
TrivialFix Change-Id: I8ea2f108d6f98167217b31284c84dbdf23f55f36
2017-01-19cinder: move glance params into commonEmilien Macchi4-5/+7
glance params are also used by cinder-volume. This patch aims to use cinder::glance in common roles for cinder, so we can split cinder api and cinder volume. Depends-On: Id81c029318016068481dd614ed62cc4bfaf0f3e8 Change-Id: I9703efb38c2a3166c7f21c5c1b942f33abb9e76c
2017-01-20Move nova::placement to common nova manifestEmilien Macchi2-2/+1
nova::placement needs to be declared on more than placement api node, because credentials are used by different services (at least nova-compute now). This patch moves the class to base/nova.pp, at the same step. So compute nodes will have the credentials and will be able to use Placement API on multinode environments. Change-Id: Iada8e9fcccec7dbfe7ac0ec0f9ec6eac1581290e
2017-01-19Merge "Adds etcd"Jenkins3-0/+96
2017-01-19Merge "Implement NTP profile"Jenkins2-0/+32
2017-01-19Add base profile for Octavia servicesbeagles4-0/+365
Adds initial base profile and profile for API service. Partially-implements: blueprint octavia-service-integration Change-Id: I77783029797be4fb488c6e743c51d228eba9c474