AgeCommit message (Collapse)AuthorFilesLines
2017-11-13Create dedicated "apache" base profileCédric Jeanneret18-16/+133
This profile has multiple purposes: - group common httpd configurations/instructions - correct a small issue with the "status" mod Until now, only Horizon was specifically including this mode, and as httpd wasn't listening on localhost, it wasn't in use at all. With this commit, all API using apache will be able to provide the httpd server status on Change-Id: If6d64f807c244d7e56852a67ac7dbad26c4c002f Closes-Bug: 1724751 (cherry picked from commit 0933bc5fd896ac2474872bb1b4b217ad8f430885)
2017-11-10Fix bind mounts for cinder-{backup,volume}Martin André2-8/+8
The container now expects to find configuration at these locations. Change-Id: Iea84a291414e515d8c72a60646188e5b37354a38 Related-Bug: #1729430 (cherry picked from commit 9df7f1c85df56fa9de54bd45f53d1c16ea23c731)
2017-11-09Merge "Make docker network configurable" into stable/pikeZuul1-0/+25
2017-11-09Merge "Unset MountFlags in docker.service systemd directives" into stable/pikeZuul2-0/+23
2017-11-08Unset MountFlags in docker.service systemd directivesOliver Walsh2-0/+23
Required to allow bind propegation options to be set on individual bind-mounts. See https://github.com/moby/moby/issues/19625. Also https://access.redhat.com/articles/2938171 for rational for using this option in RHEL/CentOS 7.3. Change-Id: I8a63c044e15d7ca0f54654e9fc9c5d878461aa25 Related-bug: 1730533 (cherry picked from commit 2366b5b2fe3bc97d11aa9c3a65660ff78a6dc6f7)
2017-11-08Galera: add support for encrypted SSTDamien Ciabrini2-4/+80
When internal TLS is enabled, generate a galera config that enable encryption of SST rsync traffic. The configuration relies on a new sst script wsrep_sst_rsync_tunnel, which encapsulates rsync traffic in a socat-based encrypted tunnel. Change-Id: I1d6ee8febb596b3ab9dcde3a85a028ee99b2798c Depends-On: Ia857350ac451fc1bda6659d85019962d3a9d5617 Closes-Bug: #1719885 (cherry picked from commit 9fb617eaea607bc3615edeaf4608fded55045ebd)
2017-11-08Merge "Add new MySQL server option to mysql_bundle" into stable/pikeZuul1-39/+48
2017-11-07Merge "Certmonger: Only notify haproxy class if it's defined" into stable/pikeZuul1-2/+3
2017-11-06Add new MySQL server option to mysql_bundleMike Bayer1-39/+48
Add innodb_flush_log_at_trx_commit from Id5a30f1daf978e094a74db2d284febbc9ae64bb3 to the container-specific mysql_bundle.pp Note that innodb_buffer_pool_size from Iabdcb6f76510becb98cba35c95db550ffce44ff3 should already be pulled at runtime from the base mysql.pp. Closes-Bug: #1730360 Change-Id: Iba164ddcc9b24ee231fb224b03ad8e7c123d5418 (cherry picked from commit 7de6d8d9f5687cdb7e1709a7e15e98184aa615f0)
2017-11-05Release 7.4.4 (pike)Emilien Macchi1-1/+1
Change-Id: Iad6ff5ec5871775faf8ad961074e2914968ef184
2017-11-04Certmonger: Only notify haproxy class if it's definedJuan Antonio Osorio Robles1-2/+3
The haproxy certmonger resource (which requests the HAProxy certs) expected the haproxy puppet manifests to run alongside if we're using a local CA. This is no longer the case in containerized environments, e.g. the containerized undercloud. This makes that optional. Change-Id: I2764ca1674dcd5ecd7886233bb5e9795ee697be3 (cherry picked from commit abd7a9486d8fb5cad7f6f0b48a466597f1d1bf71)
2017-11-03Make docker network configurableMartin André1-0/+25
The default docker0 address conflicts with the InternalApiNetCidr value set in environments/network-environment.yaml. We should provide a way to make the docker network configurable. Change-Id: Ie803b33c93b931f7fefb87b6833eb22fd59cd92d Related-Bug: #1726773 (cherry picked from commit 4462260182b5b6a8922193aff3ff603bbb93cf00)
2017-11-02Merge "Allow 'cinder' as a backend for Glance" into stable/pikeZuul1-0/+1
2017-10-30Prepare puppet-tripleo 7.4.3Emilien Macchi1-1/+1
Change-Id: Iefcd78e600d0da33c25cedf15f00208edd7c9915
2017-10-27[pike] Add Puppet package to bindep, for module buildEmilien Macchi1-0/+1
We need Puppet package deployed from bindep so we can run puppet module build with the new zuul v3 job. Change-Id: I82bffbc332c03bb20cb067be84c0de908cb1a236
2017-10-24Add option to disable running mistral-api via wsgiMartin André1-4/+13
The tripleo container do not yet have the required packages to run mistral-api on top of apache so we're looking for a way to disable it. Change-Id: I54627f1c5a8867738a55bee42075bb6087830c61 Related-Bug: #1724607 (cherry picked from commit 5eb571c4053f40d74aa5e6d136ab10c08094ddb9)
2017-10-24Merge "Set meta container-attribute-target=host attribute" into stable/pikeZuul4-7/+8
2017-10-19Make sure tuned package is installed before calling tuned-admMichele Baldessari1-1/+3
With https://review.openstack.org/#/c/511509 we start erroring out properly on puppet errors. One of the jobs that is now failing is: http://logs.openstack.org/09/511509/7/check/legacy-tripleo-ci-centos-7-undercloud-containers/5d3fecc/logs/var/log/undercloud_install.txt.gz Reason for this is that we include the tripleo::base::tuned profile which has: exec { 'tuned-adm': path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], command => "tuned-adm profile ${profile}", unless => "tuned-adm active | grep -q '${profile}'" } So if the tuned package is not installed by other means we get: "Error: /Stage[main]/Tripleo::Profile::Base::Tuned/Exec[tuned-adm]: Could not evaluate: Could not find command 'tuned-adm'", Let's add the package here in the profile instead of installing it via tripleo.sh, that way also a split stack deployment is covered. Change-Id: I130cdc59000e0c5e5fa7c542fbe6b782651a7eb7 Closes-Bug: #1724518 (cherry picked from commit 32ef340901027926ed3f77ae37d8e0d20e38e15d)
2017-10-18Allow 'cinder' as a backend for GlanceAlan Bishop1-0/+1
Allow 'cinder' as a valid Glance backend. This value is already supported by puppet-glance. Change-Id: I850047e32f3608b3ce490e52e2e540695cb1a4ff (cherry picked from commit edd7621f1db83d9b71ce3a168d2813880a660444)
2017-10-13Merge "Disables port status for all ODL deployments" into stable/pikeJenkins2-19/+8
2017-10-13Merge "ovn HA: Enable ip_nonlocal_bind sysctl flag" into stable/pikeJenkins2-0/+13
2017-10-10ovn HA: Enable ip_nonlocal_bind sysctl flagNuman Siddique2-0/+13
In the case of ovn HA, the ovsdb-server's running in the cluster try to open a TCP socket on the VIP. Closes-bug: #1720761 Change-Id: I6f762534350a3f96696c87ccd2d14545dccc8a0b (cherry picked from commit a6483f39f9767c40e6823c7f28526441a436560a)
2017-10-10Disables port status for all ODL deploymentsTim Rozet2-19/+8
Port status was already disabled in HA deployments pending a fix for: https://bugs.opendaylight.org//show_bug.cgi?id=9147 However even in noha deployments port status will not work because ODL is unable to bind to a specific IP for websocket, meaning it binds to all IPs and haproxy cannot bind the VIP. Therefore we need to disable it for all deployments until also this bug is fixed: https://bugs.opendaylight.org//show_bug.cgi?id=9256 Related-Bug: 1718508 Change-Id: I2f2dc3ece97c97fc8477d4129d69719866a7f0c1 Signed-off-by: Tim Rozet <trozet@redhat.com> (cherry picked from commit 2471a8669d35f8b35ed00e9365623b37e335cd79)
2017-10-09Release 7.4.2Emilien Macchi1-1/+1
Change-Id: I540110159943986b7511939afb1525727e751902
2017-10-07Allow to override HAProxy global options.Cédric Jeanneret2-1/+11
You can either append new options or override existing one. This can be particularly useful in case you want to set your own log options, for example. Change-Id: I19005b7e70e624d3b64b6c2ac8eaadfdec3944db Closes-Bug: 1721246 (cherry picked from commit e62efd0782fd6521893102101daaa21f0cd8a275)
2017-10-07Merge "Allow to configure snmpd_config" into stable/pikeJenkins4-11/+132
2017-10-06Allow to configure snmpd_configEmilien Macchi4-11/+132
Expose a new Puppet parameter to snmp profile, ``snmpd_config`` which is an array definded to undef by default. It can be used to override all snmpd configuration for advanced deployments. If used, all parameters have to be configured included users and passwords, which should be the same as given to snmpd_password and snmpd_user. There is no logic that will verify the content of ``snmpd_config``. Example of hieradata which configures snmpd_config: snmpd_config: - 'createUser ro_snmp_user MD5 "secrete"', - 'rouser ro_snmp_user' - 'proc neutron-server' - 'proc nova-api' Change-Id: Ief2518d5e47137215a34e9ae3b35c27c87fa6e08 Closes-Bug: #1720868 (cherry picked from commit c211ba78cabde54be2e3a6672f6e1d33d1d580f0)
2017-10-06Add a new configuration option for GUI loggersHonza Pokorny2-2/+6
This allows us to set up logging for the TripleO GUI. By default, it enables the 'console' and 'zaqar' loggers. Change-Id: Iafc874643c29e63ff670831fe80f6601c3051865 Closes-Bug: #1716458 (cherry picked from commit 5158c7ab1669d9d3e8c8163be9fdfc9b3a3aea96)
2017-10-05Set meta container-attribute-target=host attributeMichele Baldessari4-7/+8
This is needed because when we run bundles we actually want to store attributes on a per-node basis and not on a per-bundle basis. By activating this attribute pacemaker will pass some extra OCS_RESKEY_CRM_meta attributes that will help us in this decision. We can merge this once we have packages for pacemaker and resource-agents releases that contain the necessary fixes. Proper pacemaker and resource-agents are now in the repo [1] so we can merge it and backport it to pike. [1] https://buildlogs.centos.org/centos/7/cloud/x86_64/openstack-pike/ Closes-Bug: #1713007 Change-Id: I0dd06e953b4c81f217d0f4199b2337e4c3358086 (cherry picked from commit 6bcb011723ad7b75f18914c887dc4fa4bad4d620)
2017-09-28Disables port status updates with ODL in HATim Rozet2-1/+25
ODL enables a feature by default to communicate port state to Neutron via a websocket connection. The current implementation does not work in HA, but does work with a noHA deployment. Therefore this patch disables port status for HA deployments only until there is proper support. Depends-On: I7eb752ad692e5522051f8393376890fcac9a09fe Closes-Bug: 1718508 Change-Id: I13b5b72285d3c70cdee4d81678470d52be385aaf Signed-off-by: Tim Rozet <trozet@redhat.com> (cherry picked from commit 228d7b456c6d5c4958c9add8f9021a83a4360510)
2017-09-26Allow log path transformation in fluentd glueLars Kellogg-Stedman1-2/+27
Logs in a containerized deployment are not in the same location as on a baremetal deployment. This commit adds the $fluentd_path_transform paramter to the fluentd glue module. This is a regular expression that is used to transform log paths. To use this feature, include in your hiera configuration something like: tripleo::profile::base::logging::fluentd::fluentd_path_transform: - /var/log/ - /var/log/containers/ Change-Id: I585b6877074353b5de62e5efaabfbe62432c473d Partial-bug: #1716427 (cherry picked from commit 1ff0903a3950bc4adbc8c84b5153df6ca0fb6a3d)
2017-09-25Release 7.4.1Emilien Macchi1-1/+1
Change-Id: I7686a2a9132f2770f7fd0bf0e5d4f235e2b1b82b
2017-09-20Support for Ocata-Pike live-migration over sshOliver Walsh6-6/+296
In Ocata all live-migration over ssh is performed on the default ssh port (22). In Pike the containerized live-migration over ssh is on port 2022 as the docker host's sshd is using port 22. To allow live migration during upgrade we need to temporarily pin the Pike computes to port 22 and in the final converge we can switch over to port 2022. This patch make the necessary puppet-tripleo change to allow this: - Adds support in sshd profile for listening on multiple ports. - Adds a profile to allow proxying to the containerized sshd from the baremetal sshd Change-Id: I0b80b81711f683be539939e7d084365ff63546d3 Related-bug: 1714171 (cherry picked from commit 05a413c34fa1266d38bf991a1f5ed2795631f0b7)
2017-09-16Merge "added release note for new haproxy_socket_access" into stable/pikeJenkins1-0/+7
2017-09-15added release note for new haproxy_socket_accessCédric Jeanneret1-0/+7
Change-Id: I4024177fdf97bef929d6a699662acbf56abdb0af (cherry picked from commit 9939df4c177040e67433ca19f55dca18067d9923)
2017-09-14Added new parameter for HAProxy configurationCédric Jeanneret1-1/+7
This allow to set the socket access level to admin instead of default "user". This "admin" access adds the capability to interact with HAproxy in order to manage its configuration, at least temporarly. This changes keeps the default "user" access level, as "admin" might break things if misused. Change-Id: I1a4612b9f8aacc410b48a04dac3bf300bbb0e08e Closes-bug: #1716692 (cherry picked from commit 33479418eec7c1a18d57d755be47eca800b918a6)
2017-09-07Move manila backend configuration from pacemaker to baseJan Provaznik2-187/+187
There is no reason to keep backend configuration in pacemaker-specific manifest. This configuration is used no matter whether pacemaker is used or not. Change-Id: I63b53d230372a323db1d35a3774283ad2e29fbb1 Closes-Bug: #1714310 (cherry picked from commit 7327cc88246abe6473b7b29703af408adeccc88d)
2017-09-06Merge "Change references from nsx_v3 to nsx" into stable/pikeJenkins1-3/+3
2017-09-06Merge "Use TLS proxy for Redis' internal TLS" into stable/pikeJenkins9-13/+267
2017-09-06Merge "Enable TLS for rabbitmq's replication traffic" into stable/pikeJenkins1-1/+11
2017-09-06Change references from nsx_v3 to nsxJay Jahns1-3/+3
This patch changes references from nsx_v3 to nsx since the nsx_v3 functionality is the only one supported at this time. Change-Id: Id73f675844b0df2eafa45507d1c28f16cd0b15b2 Closes-Bug: #1713191 (cherry picked from commit f27c45a0925546f3b9627fce7d223a1bba140ce0)
2017-09-05Use TLS proxy for Redis' internal TLSMartin André9-13/+267
This uses the tls_proxy resource in front of the Redis server when internal TLS is enabled. bp tls-via-certmonger Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147 (cherry picked from commit 2d1d7875aa6f0b68005c84189627bc0716a7693f)
2017-09-05Enable TLS for rabbitmq's replication trafficJuan Antonio Osorio Robles1-1/+11
This follows the RabbitMQ docs [1] for enabling TLS for the replication traffic. It reuses the certificate that rabbitmq already has. Unfortunately, pacemaker uses the shortname for the rabbitmq nodes, so we are not able to do proper verification of the certificates, since we can't allocate a certificate for shortnames. So, until pacemaker can track the rabbit nodes through their FQDNs, we don't set any verification options. [1] https://www.rabbitmq.com/clustering-ssl.html Depends on: https://github.com/voxpupuli/puppet-rabbitmq/pull/574 bp tls-via-certmonger Co-Authored-By: Alex Schultz <aschultz@redhat.com> Change-Id: I265c89cb8898a6da78a606664a22c50f5e57a847 (cherry picked from commit 52404b85dc140d9ddc4605365454df0e052ee2cb)
2017-09-05Support for Dell EMC VNX Manila Driverrajinir3-4/+36
This changes adds Dell EMC VNX backend as composable service and matches the tripleo-heat-templates. Change-Id: Iab80dc636913610704e1ceb2642ce738b68bb827 Implements: blueprint support-dellemc-vnx-manila (cherry picked from commit eca5b4dfb22a9e9476cd835d2e211def4c9bd5c9)
2017-09-04Prepare 7.4.0 (pike-rc2)Emilien Macchi1-1/+1
Change-Id: I6e1b8c305aad3fb03bd62072b376b34303ecfe24
2017-09-01Merge "Fix enabling zaqar keystone endpoint and MySQL database" into stable/pikeJenkins2-2/+2
2017-09-01Merge "Add manifests to install and configure stunnel" into stable/pikeJenkins6-0/+171
2017-09-01Merge "Repair immediate VF configuration for PCI SR-IOV" into stable/pikeJenkins2-3/+3
2017-09-01Fix enabling zaqar keystone endpoint and MySQL databaseJuan Antonio Osorio Robles2-2/+2
The zaqar service name switched to zaqar-api[1], so the hieradata key is zaqar_api_enabled now instead of zaqar_enabled. [1] I9b451eac4427a52ad8eec62ff89acc6c6d3ab799 Closes-Bug: #1714213 Change-Id: I692658337e7afc9d0a99b245f8b0b4f76a076bc4 (cherry picked from commit bc6a526f91c156e1cecfb9226ae3686102e655d4)
2017-08-31Add manifests to install and configure stunnelJuan Antonio Osorio Robles6-0/+171
Some services (such as Redis) can't use mod_proxy as a TLS proxy, since they're not HTTP services. So stunnel is necessary for these. Thus, we add manifests to configure it as such. bp tls-via-certmonger Change-Id: Ic4a2dac7b3831e4780105e3b05e9c5afcf15c79c (cherry picked from commit f85199c77826017e383534051ada57ef1ea4ddcc)