aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-07-12Merge "Let pacemaker bind-mount needed cert for haproxy bundle"Jenkins1-5/+16
2017-07-12Leverage kolla config_files to copy config into containersMartin André6-43/+23
This solves a problem with bind-mounts when the containers are holding files descriptors open. At the same time this makes the template more robust to puppet changes since new config files will be available in the containers without needing to update the templates. Closes-Bug: #1698323 Change-Id: I857c94ba5f7f064d7c58df621ec5d477654b9166 Depends-On: I78dcec741a941dc21adba33ba33a6dc6ff1d217c
2017-07-12Fix mysql client config generation with containerized environmentDamien Ciabrini1-12/+27
When the tripleo::profile::base::database::mysql::client profile is included by other openstack services, the file /etc/my.cnf.d/tripleo.cnf is not generated because docker-puppet is configured to disregard the exec tags. Make the profile use either File or Exec resource based on how it's being called, to make it work for both containerized and non-containerized use cases. Change-Id: I103baa02373f6713cc300ac039a6f173ff0bbf1c
2017-07-12Merge "Do not fail if PCI device is missing"Jenkins4-4/+9
2017-07-11Refactor iscsi initiator-name reset into separate profileOliver Walsh4-22/+87
This currently assumes nova-compute and iscsid run in the same context which isn't true for a containerized deployment Change-Id: I91f1ce7625c351745dbadd84b565d55598ea5b59
2017-07-10Let pacemaker bind-mount needed cert for haproxy bundleDamien Ciabrini1-5/+16
When SSL configuration is enabled, haproxy expects to load a SSL certificate file at startup. Update the bundle configuration to always bind-mount the cert file, to support both SSL and non SSL HAproxy bundle deployments. Change-Id: I6f4d3a5abae8f1781cfe6f69ff960aad500061e3
2017-07-08Merge "Remove reference to bootstack_nodeid"Jenkins2-4/+4
2017-07-06Merge "Add Swift dispersion profile"Jenkins2-0/+39
2017-07-06Add option for innodb_flush_log_at_trx_commit = 2 for Galera onlyMike Bayer2-35/+61
The innodb_flush_log_at_trx_commit flag changes the timing of when the log buffer is written to disk for writes. At its default of 1, transactions are written to disk and the buffer flushed on a per-transaction basis; but when set to 2, the flush of the buffer proceeds only once per second. This removes the durability guarantee for the single node. However the central concept of Galera is that durability is achieved via the cluster as a whole, in that transactions are replicated to other nodes before the commit succeeds (though not necessarily written to disk unless wsrep_causal_reads is set). In this model, data would only be lost of all nodes of the Galera cluster were killed within one second of each other. Percona's blog post at https://www.percona.com/blog/2014/11/17/typical-misconceptions-on-galera-for-mysql/ recommends that the value of 2 should be considered "safe" for a Galera cluster unless you are in fact worried that all three nodes will be powered off simultaneously. The value here is added as an option only, defaulting to the usual default of "1", flush per transaction. Change-Id: Id5a30f1daf978e094a74db2d284febbc9ae64bb3
2017-07-06Remove reference to bootstack_nodeidSteven Hardy2-4/+4
This has been replaced with bootstrap_nodeid which isn't hard-coded to the Controller role and thus will work should this service be deployed on any other role via composable services. Change-Id: I0a9fced847caf344e5d26b452f1bd40afab8f029
2017-07-05Contrail: Fix controlplane/dataplane network asignments & enable optional dpdkMichael Henkel14-157/+280
This patch will move the Contrail roles communication towards OpenStack APIs from the public/external network to the internal_api network. I will also add the option to enable dpdk for Contrail. Change-Id: Ia835df656031cdf28de20f41ec6ab1c028dced23 Closes-Bug: 1698422
2017-07-05Merge "Update puppet-tripleo libvirt to support docker deployments"Jenkins1-5/+1
2017-07-03Update puppet-tripleo libvirt to support docker deploymentsKeith Schincke1-5/+1
It is not necessary to mangle libvirt_rbd_secret_key parameter as this is now given by the templates. Depends-On: Iff3dbcb0f1b4d2373570e184e636a71553cea708 Change-Id: I6b163ab102f505f0d0ce9eb1ad9d4274e4ff6348
2017-07-03Refactor nova migration config into client & target profilesOliver Walsh14-570/+800
The nova migration config has always been applied by the base::nova profile. It assumed that libvirtd/nova-compute and are all running on the same host. Where this config didn't apply (e.g a nova api host) it was disabled by a flag. This approach is not compatible with containers. Hieradata for all containers are combined so per-host flags no longer work, and we can no longer assume libvirtd and nova-compute run in the same context. This change refactors the profiles out of the base nova profile and into a client profile and a target profile that can be included where appropriate. Change-Id: I063a84a8e6da64ae3b09125cfa42e48df69adc12 Implements: blueprint tripleo-cold-migration
2017-07-02Fix openstackdocsthemeZhongShengping2-5/+10
See the docs[0] how to use it. Also add the variables for the bug log feature. [0]https://docs.openstack.org/openstackdocstheme/latest/ Change-Id: I11b183986a389291d9ab02cb1d0be36c3d73bdb0
2017-06-30Merge "Merge the nova HAproxy TLS options"Jenkins1-1/+1
2017-06-29Zaqar: support configurable backendsDan Prince2-12/+45
This patch updates the Zaqar profile so that we have support for configuring alternate versions of the messaging and management backends. In Pike instack-undercloud started using the swift/sqlalchemy backends and the intent here is to update the new containers undercloud to use a similar default (thus letting us drop Mongodb). Change-Id: Ie6a56b9163950cee2c0341afa0c0ddce665f3704
2017-06-29Do not fail if PCI device is missingBrent Eagles4-4/+9
Fixes a problem where SR-IOV VF count configuration will fail if a physical function is in use by a guest when 'puppet apply' is executed. This change substitutes warnings for failures and skips complaints if a PCI device is unavailable. Note: this patch has the side-effect of allowing the same configuration data on hosts that may *not* or *ever* have PCI SR-IOV devices on the hardware. Time will tell how evil this is in practice. Closes-Bug: #1701284 Change-Id: I71edc135432ab2193741c37ce977dd11172401e6
2017-06-28Merge the nova HAproxy TLS optionsRob Crittenden1-1/+1
This makes sure that we set the necessary options so HAProxy uses TLS to contact nova. It was commented out when nova was moved to not run over httpd. Since that is no longer the case we can re-enable it. Change-Id: I026a7dab30b00a4e93966f650f098c570b0b624b Depends-On: Iac35b7ddcd8a800901548c75ca8d5083ad17e4d3
2017-06-28Merge "Split docker options and insecure registry"Jenkins2-12/+21
2017-06-27Merge "Change CRL refresh to run every 2 hours"Jenkins1-3/+3
2017-06-27Allow disabling udev usage by LVMJiri Stransky2-0/+93
Disabling udev usage from LVM seems to be the only observed working way of running containerized cinder-volume with local LVM backend. I didn't come across reports that not using udev would have negative impact on the functionality. Additional info at https://groups.google.com/forum/#!topic/docker-user/n4Xtvsb4RAw Change-Id: I1bf395a6228dba66fa6bf9b8bcc9f3ac3d922a49 Related-Bug: #1700140
2017-06-27Split docker options and insecure registryBogdan Dobrelya2-12/+21
Use augeas to modify only parameters' dedicated configuration. Split options from insecure registry. Overlapping those params may unschedule the docker service restarts for some cases, ending up with a split brain state for the docker service run-time config vs changed /etc/sysconfig/options config. Change-Id: Ic5640061837b022f7175f0db0dc269f9a61e6023 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-06-27Always start httpd at the same time (TLS proxy)Juan Antonio Osorio Robles2-7/+21
For the TLS everywhere job, there are some apache vhosts set up that serve as TLS proxies. These need to be started at the same time as the rest of the apache vhosts too. Change-Id: I15e67c7c04142cff01704e2590d3b2a6a949cc06
2017-06-27Always start httpd at the same timeJuan Antonio Osorio Robles14-23/+186
Puppet wipes out whatever is not in it's resource catalog each run for httpd. This causes httpd to restart if in the next step there are reasources added that were not there earlier. This patch, thus changes the instances of httpd to start at the same time: On step 3 for the bootstrap node, and on step 4 for every other node. Closes-Bug: #1699502 Change-Id: I3d29728c1ab7bd5b78100f89e00e5fa082f97b0c Co-Authored-By: Alex Schultz <aschultz@redhat.com>
2017-06-27Merge "MySQL: configure ::zaqar::db::mysql selectively"Jenkins1-0/+4
2017-06-26MySQL: configure ::zaqar::db::mysql selectivelyDan Prince1-0/+4
Adds the ability to create an empty MySQL database for Zaqar if zaqar is enabled and settings for the mysql backend are also available in hiera. This should allow Zaqar's database to get created when needed, but skipped if MongoDB is used instead (per overcloud defaults). Change-Id: I3598e39c0a3cdf80b96e728d9aa8a7e6505e0690
2017-06-26Change CRL refresh to run every 2 hoursJuan Antonio Osorio Robles1-3/+3
The default CA issues CRLs for 4 hours by default. So we need to change these values to reflect this, else we'll get verification issues due to the CRL having expired before its refreshed. However, the nextupdate value for the CRLs might not be aligned with the cron job. And getting this alignment is not entirely trivial. So I opted for updating every 2 hours to address this. Change-Id: I732b400462c5cabd7c6c18c007fc9e8c87b700d3
2017-06-26Force MySQL users to use SSL if internal TLS is enabledJuan Antonio Osorio Robles1-0/+3
This forces the MySQL users to use SSL when connecting to MySQL. bp tls-via-certmonger Depends-On: I24e4c195a31109835739e78a6b53d36f661f9fd0 Change-Id: I98856955132b680a159144204da1d5b400fe9794
2017-06-26Switch from oslosphinx to openstackdocsthemeZhongShengping2-4/+5
As part of the docs migration work[0] for Pike we need to switch to use the openstackdocstheme. [0]https://review.openstack.org/#/c/472275/ Change-Id: Ic82c4a2ec9fe26c8621ab2c7c9598b1582f73156
2017-06-23Add Swift dispersion profileChristian Schwede2-0/+39
The swift-dispersion-populate command needs to be called when Swift and Keystone are up and running, and therefore we need to ensure this is running in step 5 or later. Change-Id: I5b4c08c252b6083dace5a65367920c475de416ce
2017-06-23Merge "Remove manifest/profile/baseui.pp"Jenkins1-22/+0
2017-06-23Merge "Make collectd to log also to file"Jenkins1-0/+9
2017-06-22Merge "Deploy ironic-api with WSGI"Jenkins1-3/+55
2017-06-21Merge "Adds OpenDaylight resources for configuring cluster with docker"Jenkins2-0/+88
2017-06-21Merge "Ignore failures when loading nf_conntrack_proto_sctp kernel module"Jenkins3-5/+91
2017-06-21Merge "Enable TLS for MySQL's replication traffic"Jenkins1-6/+43
2017-06-21Make collectd to log also to fileMartin Mágr1-0/+9
This change will make possible to set collectd to log to file (/var/log/collectd.log by default). Change-Id: I50289ad6657852d37abbf12938128ff9ab9e3bac
2017-06-21Deploy ironic-api with WSGIDmitry Tantsur1-3/+55
Change-Id: I952c86db88dcd611722a3feaea88f618eee17620
2017-06-21Merge "Make enabling haproxy stats interface configurable"Jenkins1-13/+20
2017-06-21Merge "Allow certmonger mysql resource to use several DNS names"Jenkins1-1/+8
2017-06-21Enable TLS for MySQL's replication trafficJuan Antonio Osorio Robles1-6/+43
This enables the options so Galera can use TLS for the replication traffic. bp tls-via-certmonger Depends-On: I9252303b92a2805ba83f86a85770db2551a014d3 Change-Id: I2ee3bf4bbda3f65f5b03440ecbc75f14225a2428
2017-06-21Allow certmonger mysql resource to use several DNS namesJuan Antonio Osorio Robles1-1/+8
This allows for several SubjectAltNames which will subsequently be used for the replication traffic as well. bp tls-via-certmonger Change-Id: Ic68266eaf39d6803f7c3e299095578bbcfd63b88
2017-06-20Merge "Add maxconn parameter to MySQL / HAProxy"Jenkins4-0/+130
2017-06-20Ignore failures when loading nf_conntrack_proto_sctp kernel moduleOr Idgar3-5/+91
Ignore failures if nf_conntrack_proto_sctp module failed to load. Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the kernel instead of as a module as the sctp support. TripleO will still try to load the module to support RHEL 7.3, but in the future will remove the module management and rely on the kernel provided in newer versions of RHEL. Co-Authored-By: Or Idgar <oidgar@redhat.com> Co-Authored-By: Alex Schultz <aschultz@redhat.com> Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79 Closes-Bug: 1695885
2017-06-20Merge "Require the UI package when creating the virtual host"Jenkins2-4/+3
2017-06-20Make enabling haproxy stats interface configurableJuan Antonio Osorio Robles1-13/+20
Some people might or might not want to enable it. So this makes it configurable. It defaults to true as we were always deploying it before. Change-Id: I8d2a08cdaf3e5ec3d1a69d4f95e57522508c8610
2017-06-20Add maxconn parameter to MySQL / HAProxyMike Bayer4-0/+130
Allows configurability of maxconn as applies to the MySQL section of the HAProxy config, both for clustercheck and single node. Also adds a new test for the haproxy class overall to exercise options. Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
2017-06-19Merge "Fix the port for Panko API"Jenkins1-2/+2
2017-06-19Remove manifest/profile/baseui.ppCarlos Camacho1-22/+0
This file is not needed anymore. Change-Id: I904443624c18cc5116bc6027c016b9ccdd5e10aa Closes-bug: 1698105 Depends-On: Ie20ecabea91ca4c2040c5ef3bf6c71b2b53d26ef