Age | Commit message | Author | Files | Lines
2017-08-01 | Adds networking-sfc support | Tim Rozet | 2 | -0/+41
Enables configuration for Service Function Chaining plugin with neutron. Implements: blueprint networking-sfc-support Change-Id: Icd433ddc6ae7de19a09f9e33b410a362c317138a Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-08-01 | Add puppet base class for barometer service. | jhinman1 | 1 | -0/+33
Puppet module is at: https://github.com/johnhinman/puppet-barometer/ Change-Id: I878ff8d1e0a8b96f3380bb77f168cd5a4c3f6543 Signed-off-by: jhinman1 <john.hinman@intel.com>
2017-07-27 | Add VPP and honeycomb services | Feng Pan | 10 | -1/+228
Change-Id: I6ed724f4c81a230a17584c33cc4de8b4000d525e
2017-07-12 | Enables OpenDaylight Clustering in HA deployments | Tim Rozet | 6 | -15/+135
Previously ODL was restricted to only running on the first node in a tripleO HA deployment. This patch enables clustering for ODL and allows multiple ODL instances (minimum 3 for HA). Partially-implements: blueprint opendaylight-ha Change-Id: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-07-12 | Adding support for BGPVPN service plugin | Ricardo Noriega | 1 | -0/+36
puppet-neutron (Ocata) has already got that support, so this patch only calls that manifest. Change-Id: I4af82d456c9d999667f2ef4d16e8f6822463d331 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-07-12 | Pointing apex fork to opnfv's gerrit | Dan Radez | 1 | -3/+2
Change-Id: If0324e4519eae1efe62ac86799e1858df69d806d Signed-off-by: Dan Radez <dradez@redhat.com>
2017-07-03 | Ignore failures when loading nf_conntrack_proto_sctp kernel module | Or Idgar | 3 | -5/+91
Ignore failures if nf_conntrack_proto_sctp module failed to load. Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the kernel instead of as a module as the sctp support. TripleO will still try to load the module to support RHEL 7.3, but in the future will remove the module management and rely on the kernel provided in newer versions of RHEL. Co-Authored-By: Or Idgar <oidgar@redhat.com> Co-Authored-By: Alex Schultz <aschultz@redhat.com> Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79 Closes-Bug: 1695885 (cherry picked from commit 76eb1bbd4f977e16c97516500f050f8b49e7399d)
2017-06-27 | Release 6.5.0 (ocata) | Emilien Macchi | 2 | -3/+3
Change-Id: I5e681705ffcd1a807aac9fe4afaa1bac17c2efce
2017-06-21 | Move gnocchi upgrade and api to step 4 | Pradeep Kilambi | 2 | -32/+14
gnocchi upgrade requires storage sacks to be initialized. This means we need to ensure the storage backends are up before running the upgrade and starting the api. Let's move the api to step 4 so we can ensure other dependencies are in place. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: Ibfa9fb39f60c1e4a802d189b32ff4c34476c93d3 Change-Id: If2ae48b21389e76fd638c0b48c148a5d4f227630 (cherry picked from commit 5e91493f7aaecef924a78f0743f812a225080085)
2017-06-21 | Merge "Cover gnocchi api step 4 and 5" into stable/ocata | Jenkins | 3 | -31/+92
2017-06-16 | Merge "Add support for autofencing to Pacemaker Remote." into stable/ocata | Jenkins | 1 | -0/+27
2017-06-15 | Merge "Dell SC: Add secondary DSM support" into stable/ocata | Jenkins | 1 | -10/+14
2017-06-15 | Cover gnocchi api step 4 and 5 | Alex Schultz | 3 | -31/+92
Update the gnocchi api to expose the redis information as a class parameter so it can be tested correctly. Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71 (cherry picked from commit 4450afd495794a8ac0fc5b8c51d696416e5deb9d)
2017-06-15 | Merge "Add support for Cinder "NAS secure" driver params" into stable/ocata | Jenkins | 2 | -6/+29
2017-06-15 | Dell SC: Add secondary DSM support | rajinir | 1 | -10/+14
Adds support for a secondary DSM in case the primary becomes unavailable. Change-Id: Ibf8c333f62556d421d67c853f1f0740d7f9985bf Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7 (cherry picked from commit f30b791103ec3c5ff9b2e656fe751ad4bb3c6a6c)
2017-06-14 | Merge "Dell SC: Add exclude_domain_ip option" into stable/ocata | Jenkins | 1 | -0/+1
2017-06-13 | Add support for autofencing to Pacemaker Remote. | Chris Jones | 1 | -0/+27
We now configure stonith devices for Pacemaker Remote nodes. Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197 Partial-Bug: #1686115 (cherry picked from commit 19d177c182f35a16bf3ddccfcf7fad6bb54c7bb2)
2017-06-02 | Add conditional for setting authlogin_nsswitch_use_ldap selboolean | Jacob Liberman | 1 | -0/+6
If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must be enabled. This setting allows LDAP communications to the confined LDAP/server port. This change includes a conditional for enabling this Boolean only when selinux is in use. Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe Closes-Bug: #1695002 (cherry picked from commit 90704a6017f7c539e3c1fed038ed247763619380)
2017-06-01 | Restrict nova migration ssh tunnel | Oliver Walsh | 4 | -55/+259
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.
Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293 (cherry picked from commit f8ca94a5b7c7658631f5b0a9b010251ebbcff65e)
2017-06-01 | make release note a list of strings | Doug Hellmann | 1 | -2/+3
Change-Id: I073ee5c40025a5821a6586c25b6d003890169db1 Signed-off-by: Doug Hellmann <doug@doughellmann.com>
2017-05-31 | Dell SC: Add exclude_domain_ip option | rajinir | 1 | -0/+1
This option allows users to exclude some fault domains. Otherwise all domains are returned. Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483 Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433 (cherry picked from commit 49ea8b5ed3ce79857e7875413f908f8cdcce1a8e)
2017-05-23 | Add support for Cinder "NAS secure" driver params | Alan Bishop | 2 | -6/+29
Add ability to set Cinder's nas_secure_file_operations and nas_secure_file_permissions driver parameters. Two sets of identically named parameters are implemented by Cinder's NFS and NetApp back end drivers. The ability to control these parameters is crucial for supporting deployments that require non-default values. Partial-Bug: #1688332 Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9 Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308 (cherry picked from commit 5a350024957d197295a16f6f25e8a253c7c1545a)
2017-05-19 | Update gitignore not to exclude fixture hieradata | Alex Schultz | 1 | -1/+2
The existing .gitignore is causing the hieradata we use for tests to be excluded in git and our release tarballs. Let's adjust the gitignore not to exclude the hiera files in spec/fixtures Change-Id: Ic31687d0eb1c2e8acc92796d4c0eba096db8e533 Closes-Bug: #1691559 (cherry picked from commit 66b6ea166c0f8470170f6e07843ff41068d8e9e9)
2017-05-19 | Use verify_on_create when creating pacemaker remote resources | Michele Baldessari | 1 | -0/+1
We currently create remote resources without waiting for their creation. This leads to the following potential race (spotted by Marian Mkrcmari):
- On Step1 pacemaker bootstrap node creates the resource but the remote resource is not yet created
- Step1 completes and Step2 starts
- On Step2 the remote node sets a property (or calls pcs cib) but the remote is not yet set up so 'pcs cluster cib' will fail there with: (err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed with code: 1 ->
Note that when verify_on_create is set to true we are not using the cib dump/push mechanism. That is fine because we create the remotes on step1 and the dump/push mechanism is only needed starting from step2 when multiple nodes set cluster properties at the same time. Tested by Marian Mkrcmari successfully as well. Closes-Bug: #1689028 Change-Id: I764526b3f3c06591d477cc92779d83a19802368e Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f (cherry picked from commit b6d02fd5001153b53b3061d63d2cb686b0646f18)
2017-05-04 | IPv6 VIP addresses need to be /128 | Michele Baldessari | 1 | -6/+14
We currently hardcode /64 as our VIP addresses when using IPv6. The problem with this is that some server code might bind to that IP as a source address when doing inter-cluster communication (rabbitmq/galera for example). So when the VIP moves there will be effectively a network outage between the nodes, which should not happen. Likely this was hardcoded to /64 because the RA IPaddr2 needs a nic parameter when /128 is specified. This is due to: https://bugzilla.redhat.com/show_bug.cgi?id=1445628 We also make sure we use the ipv6_addrlabel option set to 99 so that they will never be used as source ip addresses. Depends-On: I7fcf15a00aedbdcfb21db501ad46c69fb97ec30c Partial-Bug: #1686357 Change-Id: Ibefde870512ad1e03ff12f7aea91b3734f03f96f Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com> Co-Authored-By: Marios Andreou <mandreou@redhat.com> Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> (cherry picked from commit 6227484b60cd72cf4647051923a3baf175100a72)
2017-04-27 | Prepare 6.4.0 release (ocata) | Emilien Macchi | 2 | -3/+3
Change-Id: Icf2be1f8cb09d7a83a5f786723a84fb263d42808
2017-04-26 | Add a flag to rabbitmq so that we can deploy with ha-mode: all again | Michele Baldessari | 1 | -2/+6
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a nice performance boost with rabbitmq, it makes rabbit less resilient to network glitches as we painfully found out via https://bugzilla.redhat.com/show_bug.cgi?id=1441635. Will propose another THT change to actually change the default to -1 so we get this ha-mode:all by default. Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c Partial-Bug: #1686337 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Co-Authored-By: John Eckersberg <jeckersb@redhat.com> (cherry picked from commit c504d6a8591bcf12e31d97a62222d7611941b136)
2017-04-25 | Merge "Refactor SSHD config to allow both SSHD options and banner/motd to be set" into stable/ocata | Jenkins | 2 | -5/+147
2017-04-25 | Merge "Update Gemfile to pull spec_helper from stable/ocata" into stable/ocata | Jenkins | 1 | -0/+1
2017-04-25 | Merge "Stop SSHD profile clobbering SSH client config" into stable/ocata | Jenkins | 2 | -2/+2
2017-04-25 | Merge "SSHD Service extensions" into stable/ocata | Jenkins | 4 | -38/+88
2017-04-25 | Merge "Move gnocchi wsgi configuration to step 3" into stable/ocata | Jenkins | 3 | -1/+106
2017-04-24 | Update Gemfile to pull spec_helper from stable/ocata | Emilien Macchi | 1 | -0/+1
It was missed after Ocata release, but we need to do it to pull the right version of puppet-openstack_spec_helper. Change-Id: Ieab0a99ea3491bd8bb6985318ff630442e9be353
2017-04-21 | Merge "Configure migration SSH tunnel" into stable/ocata | Jenkins | 3 | -21/+188
2017-04-21 | Refactor SSHD config to allow both SSHD options and banner/motd to be set | Oliver Walsh | 2 | -5/+147
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd are mutually exclusive. This patch, and the next patchset of that review, resolves the conflict. Related-Bug: 1668543 Change-Id: I1d09530d69e42c0c36311789166554a889e46556 (cherry picked from commit 3c49f51c8f42472d0d1cb2986b46a6c96821293a)
2017-04-21 | Stop SSHD profile clobbering SSH client config | Oliver Walsh | 2 | -2/+2
Including the ::ssh manifest will manage both client and server config. Managing the client config was not intended and will clobber the OS default config with the puppet ssh module defaults. Follow up for https://review.openstack.org/443113 where I found the issue after the changes merged. Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5 Related-Bug: 1668543 (cherry picked from commit 2a329d545d0e619c88c323148d5fe2098e70b4b1)
2017-04-21 | SSHD Service extensions | lhinds | 4 | -38/+88
This change adds an `include` statement to bring in the extra functionality available from the existing puppet-ssh module already available in RDO. By using puppet-ssh it provides a framework to allow the passing in of server options using just hiera values under ssh::server_options. For example, sshd_config banner can now be passed a server option, as well as all the new parameters outlined in the launchpad issue that the patch references for Closing. For this reason, the former augeas setting for `Banner /etc/issue` is now managed by the main puppet-ssh module instead. The change also allows population of MOTD text to `/etc/motd` as well as `issue.net`. $bannertext is refactored in accordance with patch [1] [1] https://review.openstack.org/#/c/442406/ Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c Related-Bug: 1668543 (cherry picked from commit b35bc80ac2acf18463e4c18c8360862749aa0964)
2017-04-21 | Merge "Move ceilometer wsgi to step 3" into stable/ocata | Jenkins | 2 | -5/+5
2017-04-21 | Configure migration SSH tunnel | Oliver Walsh | 3 | -21/+188
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec (cherry picked from commit ccbcd11276c7bc3ffc8f013d9a5b2d3944bf76cf)
2017-04-19 | Ensure we configure ssl.conf | Lukas Bezdicka | 11 | -0/+20
Every time we call apache module regardless of using SSL we have to configure mod_ssl from puppet-apache or we'll hit issue during package update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains Listen 443 while apache::mod::ssl just configures SSL bits but does not add Listen. If the apache::mod::ssl is not included the ssl.conf file is removed and recreated during mod_ssl package update. This causes conflict on port 443. Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8 Related-Bug: 1682448 Resolves: rhbz#1441977 (cherry picked from commit 9e729c0db22865d036860346eb6b81c4c2108719)
2017-04-19 | Merge "Enable creation of keystone domain when ldap backends are created" into stable/ocata | Jenkins | 1 | -1/+3
2017-04-19 | Merge "Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo" into stable/ocata | Jenkins | 2 | -0/+101
2017-04-17 | Move ceilometer wsgi to step 3 | Alex Schultz | 2 | -5/+5
Apache is configured in step 3 so if we configure ceilometer in step 4, the configuration is removed on updates. We need to configure it in step 3 with the other apache services to ensure we don't have issues on updates. Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423 Related-Bug: #1664418 (cherry picked from commit 890178bd6f6f465ffcb8cf4ad9b8019a1d6dc653)
2017-04-17 | Move gnocchi wsgi configuration to step 3 | Alex Schultz | 3 | -1/+106
We configure apache in step3 so we need to configure the gnocchi api in step 3 as well to prevent unnecessary service restarts during updates. Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be Related-Bug: #1664418 (cherry picked from commit 9de4c92571fdbe342a20a68e4ee44feb55464007)
2017-04-17 | Restrict mongodb memory usage | Pradeep Kilambi | 2 | -0/+17
Currently, mongodb has no limits on how much memory it can consume. This enforces restriction so mongodb service limits through systemd. The puppet-systemd module has support for limits. The MemoryLimit support is added in the following pull request https://github.com/camptocamp/puppet-systemd/pull/23 Closes-bug: #1656558 Change-Id: Ie9391aa39532507c5de8dd668a70d5b66e17c891 (cherry picked from commit 3aa86a4ea3c2406f79d6283cbb158f67136b5e9a)
2017-04-10 | Merge "Add missing octavia auth include to keystone manifest" into stable/ocata | Jenkins | 2 | -0/+6
2017-04-09 | Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo | Christian Schwede | 2 | -0/+101
This allows decoupling the Swift ringbuilding logic from the Controller and ObjectStorage roles. A follow up patch will modify tripleo-heat-templates and use this modified class. Actually this downloads the Swift rings even if ring building is disabled or if there is no need to rebalance. This is required, because operators can disable ring building, but use the same mechanism to distribute pre-built rings to the nodes. If ring building is disabled, these won't be uploaded at the end back to the undercloud. Related-Bug: 1665641 Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b (cherry picked from commit 3412150d91dc7fe6e9f168b4ffdbb4d54c39fc55)
2017-04-08 | Enable creation of keystone domain when ldap backends are created | Juan Antonio Osorio Robles | 1 | -1/+3
This sets the flag create_domain_entry for the ldap_backend resource, which will create the domain for the ldap backend (this was previously not the case since only the configuration was created). Furtherly, this flag will also refresh the keystone server, so the changes come into effect. Note that this is only done in step 3, so the domains are created there and the refresh happens in that step. Also, this is only done for the bootstrap node, since when the other nodes start, they will already have the domains available in the keystone database and there won't be a need to restart. Related-Bug: #1677603 Depends-On: Ib6c633b6a975e4b760c10a2aef3c252885b05e28 Change-Id: Id879cf5c5ae39d37bf58b73c78733001d2b03d9c (cherry picked from commit 13ea87e658e36d1afcc3e4db7f43bcfc068e1f49)
2017-04-07 | syntax error extra comma in rabbitmq.pp | Jon Schlueter | 1 | -1/+1
bundle rake syntax Could not parse for environment *root*: Syntax error at ')'; expected '}' Change-Id: Idfb254df068b3d7342a6ea3c71dabd1316a61bdf (cherry picked from commit 33e0fe959d849acdab4b084ffd31d242c58ff6b6)
2017-04-07 | Add missing octavia auth include to keystone manifest | Brent Eagles | 2 | -0/+6
This patch adds the appropriate include to make sure that appropriate keystone user, services, etc. are created when octavia is selected. Closes-bug: #1680588 Change-Id: I0b6d657a0300538292223923d8808c23f936c193 (cherry picked from commit 23e723255cf46fd730cae185a0dc1f7194a511e0)