aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-06-15Dell SC: Add secondary DSM supportrajinir1-10/+14
Adds support for a secondary DSM in case the primary becomes unavailable. Change-Id: Ibf8c333f62556d421d67c853f1f0740d7f9985bf Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7 (cherry picked from commit f30b791103ec3c5ff9b2e656fe751ad4bb3c6a6c)
2017-06-14Merge "Dell SC: Add exclude_domain_ip option" into stable/ocataJenkins1-0/+1
2017-06-02Add conditional for setting authlogin_nsswitch_use_ldap selbooleanJacob Liberman1-0/+6
If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must be enabled. This setting allows LDAP communications to the confined LDAP/server port. This change includes a conditional for enabling this Boolean only when selinux is in use. Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe Closes-Bug: #1695002 (cherry picked from commit 90704a6017f7c539e3c1fed038ed247763619380)
2017-06-01Restrict nova migration ssh tunnelOliver Walsh4-55/+259
This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293 (cherry picked from commit f8ca94a5b7c7658631f5b0a9b010251ebbcff65e)
2017-06-01make release note a list of stringsDoug Hellmann1-2/+3
Change-Id: I073ee5c40025a5821a6586c25b6d003890169db1 Signed-off-by: Doug Hellmann <doug@doughellmann.com>
2017-05-31Dell SC: Add exclude_domain_ip optionrajinir1-0/+1
This option allows users to exclude some fault domains. Otherwise all domains are returned. Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483 Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433 (cherry picked from commit 49ea8b5ed3ce79857e7875413f908f8cdcce1a8e)
2017-05-19Update gitignore not to exclude fixture hieradataAlex Schultz1-1/+2
The existing .gitignore is causing the hieradata we use for tests to be excluded in git and our release tarballs. Lets adjust the gitignore not to exclude the hiera files in spec/fixtures Change-Id: Ic31687d0eb1c2e8acc92796d4c0eba096db8e533 Closes-Bug: #1691559 (cherry picked from commit 66b6ea166c0f8470170f6e07843ff41068d8e9e9)
2017-05-19Use verify_on_create when creating pacemaker remote resourcesMichele Baldessari1-0/+1
We currently create remote resources without waiting for their creation. This leads to the following potential race (spotted by Marian Mkrcmari): - On Step1 pacemaker bootstrap node creates the resource but the remote resource is not yet created - Step1 completes and Step2 starts - On Step2 the remote node sets a property (or calls pcs cib) but the remote is not yet set up so 'pcs cluster cib' will fail there with: (err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed with code: 1 -> Note that when verify_on_create is set to true we are not using the cib dump/push mechanism. That is fine because we create the remotes on step1 and the dump/push mechanism is only needed starting from step2 when multiple nodes set cluster properties at the same time. Tested by Marian Mkrcmari successfully as well. Closes-Bug: #1689028 Change-Id: I764526b3f3c06591d477cc92779d83a19802368e Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f (cherry picked from commit b6d02fd5001153b53b3061d63d2cb686b0646f18)
2017-05-04IPv6 VIP addresses need to be /128Michele Baldessari1-6/+14
We currently hardcode /64 as our VIP addresses when using IPv6. The problem with this is that some server code might bind to that IP as a source address when doing inter-cluster communication (rabbitmq/galera for example). So when the VIP moves there will be effectively a network outage between the nodes, which should not happen. Likely this was hardcoded to /64 because the RA IPaddr2 needs a nic parameter when /128 is specified. This is due to: https://bugzilla.redhat.com/show_bug.cgi?id=1445628 We also make sure we use the ipv6_addrlabel option set to 99 so that they will never be used as source ip addresses. Depends-On: I7fcf15a00aedbdcfb21db501ad46c69fb97ec30c Partial-Bug: #1686357 Change-Id: Ibefde870512ad1e03ff12f7aea91b3734f03f96f Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com> Co-Authored-By: Marios Andreou <mandreou@redhat.com> Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> (cherry picked from commit 6227484b60cd72cf4647051923a3baf175100a72)
2017-04-27Prepare 6.4.0 release (ocata)Emilien Macchi2-3/+3
Change-Id: Icf2be1f8cb09d7a83a5f786723a84fb263d42808
2017-04-26Add a flag to rabbitmq so that we can deploy with ha-mode: all againMichele Baldessari1-2/+6
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a nice performance boost with rabbitmq, it makes rabbit less resilient to network glitches as we painfully found out via https://bugzilla.redhat.com/show_bug.cgi?id=1441635. Will propose another THT change to actually change the default to -1 so we get this ha-mode:all by default. Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c Partial-Bug: #1686337 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Co-Authored-By: John Eckersberg <jeckersb@redhat.com> (cherry picked from commit c504d6a8591bcf12e31d97a62222d7611941b136)
2017-04-25Merge "Refactor SSHD config to allow both SSHD options and banner/motd to be ↵Jenkins2-5/+147
set" into stable/ocata
2017-04-25Merge "Update Gemfile to pull spec_helper from stable/ocata" into stable/ocataJenkins1-0/+1
2017-04-25Merge "Stop SSHD profile clobbering SSH client config" into stable/ocataJenkins2-2/+2
2017-04-25Merge "SSHD Service extensions" into stable/ocataJenkins4-38/+88
2017-04-25Merge "Move gnocchi wsgi configuration to step 3" into stable/ocataJenkins3-1/+106
2017-04-24Update Gemfile to pull spec_helper from stable/ocataEmilien Macchi1-0/+1
It was missed after Ocata release, but we need to do it to pull the right version of puppet-openstack_spec_helper. Change-Id: Ieab0a99ea3491bd8bb6985318ff630442e9be353
2017-04-21Merge "Configure migration SSH tunnel" into stable/ocataJenkins3-21/+188
2017-04-21Refactor SSHD config to allow both SSHD options and banner/motd to be setOliver Walsh2-5/+147
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd are mutually exclusive. This patch, and the next patchset of that review, resolves the conflict. Related-Bug: 1668543 Change-Id: I1d09530d69e42c0c36311789166554a889e46556 (cherry picked from commit 3c49f51c8f42472d0d1cb2986b46a6c96821293a)
2017-04-21Stop SSHD profile clobbering SSH client configOliver Walsh2-2/+2
Including the ::ssh manifest will manage both client and server config. Managing the client config was not intended and will clobber the OS default config with the puppet ssh moduled defaults. Follow up for https://review.openstack.org/443113 where I found the issue after the changes merged. Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5 Related-Bug: 1668543 (cherry picked from commit 2a329d545d0e619c88c323148d5fe2098e70b4b1)
2017-04-21SSHD Service extensionslhinds4-38/+88
This change adds an `include` statement to bring in the extra functionality available from the existing puppet-ssh module in already available in RDO. By using puppet-ssh it provides a framework to allow the passing in of server options using just hiera values under ssh::server_options. For example, sshd_config banner can now be passed a server option, as well as all the new parameters outlined in the launchpad issue that the patch references for Closing. For this reason, the former augeas setting for `Banner /etc/issue` is now managed by the main puppet-ssh module instead. The change also allows population of MOTD text to `/etc/motd` as well as `issue.net`. $bannertext is refactored in accordance with patch [1] [1] https://review.openstack.org/#/c/442406/ Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c Related-Bug: 1668543 (cherry picked from commit b35bc80ac2acf18463e4c18c8360862749aa0964)
2017-04-21Merge "Move ceilometer wsgi to step 3" into stable/ocataJenkins2-5/+5
2017-04-21Configure migration SSH tunnelOliver Walsh3-21/+188
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec (cherry picked from commit ccbcd11276c7bc3ffc8f013d9a5b2d3944bf76cf)
2017-04-19Ensure we configure ssl.confLukas Bezdicka11-0/+20
Every time we call apache module regardless of using SSL we have to configure mod_ssl from puppet-apache or we'll hit issue during package update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains Listen 443 while apache::mod::ssl just configures SSL bits but does not add Listen. If the apache::mod::ssl is not included the ssl.conf file is removed and recreated during mod_ssl package update. This causes conflict on port 443. Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8 Related-Bug: 1682448 Resolves: rhbz#1441977 (cherry picked from commit 9e729c0db22865d036860346eb6b81c4c2108719)
2017-04-19Merge "Enable creation of keystone domain when ldap backends are created" ↵Jenkins1-1/+3
into stable/ocata
2017-04-19Merge "Migrate Swift ring handling from tripleo-heat-templates to ↵Jenkins2-0/+101
puppet-tripleo" into stable/ocata
2017-04-17Move ceilometer wsgi to step 3Alex Schultz2-5/+5
Apache is configured in step 3 so if we configure ceilometer in step 4, the configuration is removed on updates. We need to configure it in step 3 with the other apache services to ensure we don't have issues on updates. Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423 Related-Bug: #1664418 (cherry picked from commit 890178bd6f6f465ffcb8cf4ad9b8019a1d6dc653)
2017-04-17Move gnocchi wsgi configuration to step 3Alex Schultz3-1/+106
We configure apache in step3 so we need to configure the gnocchi api in step 3 as well to prevent unnecessary service restarts during updates. Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be Related-Bug: #1664418 (cherry picked from commit 9de4c92571fdbe342a20a68e4ee44feb55464007)
2017-04-17Restrict mongodb memory usagePradeep Kilambi2-0/+17
Currently, mongodb has no limits on how much memory it can consume. This enforces restriction so mongodb service limits through systemd. The puppet-systemd module has support for limits. The MemoryLimit support is added in the follwoing pull request https://github.com/camptocamp/puppet-systemd/pull/23 Closes-bug: #1656558 Change-Id: Ie9391aa39532507c5de8dd668a70d5b66e17c891 (cherry picked from commit 3aa86a4ea3c2406f79d6283cbb158f67136b5e9a)
2017-04-10Merge "Add missing octavia auth include to keystone manifest" into stable/ocataJenkins2-0/+6
2017-04-09Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleoChristian Schwede2-0/+101
This allows decoupling the Swift ringbuilding logic from the Controller and ObjectStorage roles. A follow up patch will modify tripleo-heat-templates and use this modified class. Actually this downloads the Swift rings even if ring building is disabled or if there is no need to rebalance. This is required, because operators can disable ring building, but use the same mechanism to distribute pre-built rings to the nodes. If ring building is disabled, these won't be uploaded at the end back to the undercloud. Related-Bug: 1665641 Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b (cherry picked from commit 3412150d91dc7fe6e9f168b4ffdbb4d54c39fc55)
2017-04-08Enable creation of keystone domain when ldap backends are createdJuan Antonio Osorio Robles1-1/+3
This sets the flag create_domain_entry for the ldap_backend resource, which will create the domain for the ldap backend (this was previously not the case since only the configuration was created). Furtherly, this flag will also refresh the keystone server, so the changes come into effect. Note that this is only done in step 3, so the domains are created there and the refresh happens in that step. Also, this is only done for the bootstrap node, since when the other nodes start, they will already have the domains available in the keystone database and there won't be a need to restart. Related-Bug: #1677603 Depends-On: Ib6c633b6a975e4b760c10a2aef3c252885b05e28 Change-Id: Id879cf5c5ae39d37bf58b73c78733001d2b03d9c (cherry picked from commit 13ea87e658e36d1afcc3e4db7f43bcfc068e1f49)
2017-04-07syntax error extra comma in rabbitmq.ppJon Schlueter1-1/+1
bundle rake syntax Could not parse for environment *root*: Syntax error at ')'; expected '}' Change-Id: Idfb254df068b3d7342a6ea3c71dabd1316a61bdf (cherry picked from commit 33e0fe959d849acdab4b084ffd31d242c58ff6b6)
2017-04-07Add missing octavia auth include to keystone manifestBrent Eagles2-0/+6
This patch adds the appropriate include to make sure that appropriate keystone user, services, etc. are created when octavia is selected. Closes-bug: #1680588 Change-Id: I0b6d657a0300538292223923d8808c23f936c193 (cherry picked from commit 23e723255cf46fd730cae185a0dc1f7194a511e0)
2017-04-07Merge "Make the cluster-check property configurable" into stable/ocataJenkins1-0/+25
2017-04-07Add a trigger to call ldap_backend defineCyril Lopez2-0/+21
Ldap_backend is a define so we need a resource to talk it. If ldap_backend_enable set by tripleo-heat-templates, we call the ldap_backend as a resource. Given an environment such as the following: parameter_defaults: KeystoneLdapDomainEnable: true KeystoneLDAPBackendConfigs: tripleoldap: url: ldap://192.0.2.250 user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com password: Secrete suffix: dc=redhat,dc=example,dc=com user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)" user_objectclass: person user_id_attribute: cn user_allow_create: false user_allow_update: false user_allow_delete: false ControllerExtraConfig: nova::keystone::authtoken::auth_version: v3 cinder::keystone::authtoken::auth_version: v3 It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash. Partial-Bug: 1677603 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Co-Authored-By: Guillaume Coré <gucore@redhat.com> Signed-off-by: Cyril Lopez <cylopez@redhat.com> Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db (cherry picked from commit b8388e378a9151bccbac0db0478b1ef5d1e2e3fb)
2017-04-07Make the cluster-check property configurableMichele Baldessari1-0/+25
This change will make the global cluster-check property configurable and will pick a lower default (60s) in case a pacemaker remote node is deployed. The cluster-recheck-interval is set to default to 15minutes by pacemaker. This value is too high when a pacemaker remote service is deployed. With this default value a reboot of a pacemaker remote node will be reported as offline by pacemaker for up to 15minutes. With this change we do the following: 1) Do nothing in case pacemaker remote is not deployed 2) When pacemaker remote is deployed and the operator has not specified otherwise, we set the recheck interval to 60s. 3) When the operator specifies the recheck interval we set that. Change-Id: I900952b33317b7998a1f26a65f4d70c1726df19c Closes-Bug: #1679753 (cherry picked from commit f464e9f703b824f8971ade50c32884748caffefc)
2017-04-06Merge "Fixes missing neutron base in sriov" into stable/ocataJenkins2-0/+5
2017-04-06Deploy WSGI apps at the same step (3)Emilien Macchi2-5/+5
So we avoid useless apache restart and save time during the deployment. Note: the backport is not 100% clean as Heat API was not deployed in WSGI during Ocata cycle, so now, it's only for Aodh. Related-Bug: #1664418 Change-Id: Ie00b717a6741e215e59d219710154f0d2ce6b39e (cherry picked from commit 2272bcabba8752cd1876f85b1f9b83b0c7592c94)
2017-04-06Merge "Fix deprecated eqlx parameters" into stable/ocataJenkins1-3/+3
2017-04-06Fixes missing neutron base in sriovTim Rozet2-0/+5
This causes issues in deployments that is not using ML2 ComputeNeutronCorePlugin or OVS agent on the compute nodes. Closes-Bug: 1679202 Change-Id: I9cdfd115add8c0d2d3ae6802e7bde007c1677c67 Signed-off-by: Tim Rozet <trozet@redhat.com> (cherry picked from commit 1b93ca14c4d58c360424fbf34f669014b34d3b4b)
2017-04-06Merge "Add tunnel timeout for ui proxy container" into stable/ocataJenkins2-0/+12
2017-04-04Decouple ceilometer user create from APIPradeep Kilambi2-1/+9
Ceilometer user is needed for other ceilometer services to authenticate with keystone even when API is not present. So the data can be dispatched to gnocchi. Lets keep these separate so user always exists even when api is not. Depends-On: Iffebd40752eafb1d30b5962da8b5624fb9df7d48 Closes-bug: #1677354 Change-Id: I8f4e543a7cef5e50a35a191fe20e276d518daf20 (cherry picked from commit 38e4976b7b80487e26c75ece20bab631597240a3)
2017-04-04Add tunnel timeout for ui proxy containerDan Trainor2-0/+12
Add an explicit tunnel timeout configuration option to increase the tunnel timeout for persistent socket connections from two minutes (2m) to one hour (3600s). A configuration was already present to apply a tunnel timeout to the zaqar_ws endpoint, but that only applies to connections made directly to the zaqar_ws endpoint directly. Since UI now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout is now applied for the same reasons to the ui haproxy server. Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb Closes-Bug: 1672826 (cherry picked from commit e8125cb3640e0fe74b8617aaf55686d5645c8f7f)
2017-04-03Move horizon to step 3Alex Schultz4-1/+65
We configure apache in step 3 so horizon should be configured at the same time or else updates will cause horizon to be unvailable during the update process. Change-Id: I4032f7c24edc0ff9ed637e213870cdd3beb9a54e Closes-Bug: #1678338 (cherry picked from commit e2928717412242faa4eb15d778f1b5c0952edc08)
2017-03-30Fix deprecated eqlx parametersAlex Schultz1-3/+3
The eqlx_use_chap, eqlx_chap_login and eqlx_chap_password were previously deprecated and are scheduled to be removed in Pike. This change updates these parameters to use the replacement params. See I295d8388ba17dd60e83995e7c82f64f02a3c4258 for more details. Change-Id: I0f229ed2e7bb65d9da81c5caa69dbe1a4aded814 (cherry picked from commit 9cd4ddce32b4f14e7f6168416fcaee26a64f7a90)
2017-03-30Check rabbitmq user at step >= 2James Slagle2-0/+9
The rabbitmq user check is moved to step >= 2 from step >= 1. There is no gaurantee that rabbitmq is running at step 1, especially if updating a failed stack that never made it past step 1 to begin with. Change-Id: I029193da4c180deff3ab516bc8dc2da14c279317 Closes-Bug: #1675194 (cherry picked from commit aa9af086f05e466e88ac2a85ecc9d39f5a6d1e2f)
2017-03-30Merge "Add missing include of ::ec2api::keystone::authtoken" into stable/ocataJenkins1-0/+1
2017-03-29Merge "Re-run gnocchi and ceilometer upgrade in step 5" into stable/ocataJenkins4-0/+48
2017-03-27Add missing include of ::ec2api::keystone::authtokenSven Anderson1-0/+1
Change-Id: Id933276fab16eebd72751dca136ad805547e6291 Related-Bug: #1676491 (cherry picked from commit f137661aa178a6b390976470ddec7ed77eb05cf5)