aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2016-11-30Merge "Use FQDNs for the services' RabbitMQ configuration"Jenkins22-62/+62
2016-11-30Add verify required and CA bundle to haproxyJuan Antonio Osorio Robles1-2/+7
This only takes effect is internal-tls is used, and forces haproxy to do proper verifications of the SSL certificates provided by the servers. bp tls-via-certmonger Change-Id: Ibd98ec46dd6570887db29f55fe183deb1c9dc642
2016-11-30Set memcache_servers in /etc/swift/object-expirer.confChristian Schwede1-1/+3
This defaults to 127.0.0.1:11211 without setting these explicitly. The object-expirer is working without a correct memcache server, however it is slower and warnings will be logged. Related-Bug: 1627927 Depends-On: Ie139f018c4a742b014dd4d682970e154d66a8c6d Change-Id: I89a879592a264d541cf42f007584e2e78058c867
2016-11-29pacemaker: create Mysql_user once Galera is ready (puppet4)Emilien Macchi1-1/+2
Puppet 4 ordering make things more strict in catalog, which is good. Resources have to be orchestrated or Puppet will take them in the order they are found in catalog. This patch makes sure we create MySQL users only when Galera is actually ready. Closes-Bug: #1645787 Change-Id: I536a1a128c3a7eca49bcc4f34a1307bcd60b029e
2016-11-29Merge "Include local CA in haproxy PEM"Jenkins1-2/+18
2016-11-29Enable object-expirer on Swift proxy profileChristian Schwede1-0/+2
This service is required to delete expired automatically. It is often run on the proxy nodes, therefore adding it to the Swift proxy profile. Change-Id: I3250c205ffc166ae628bc427de2e3492d086c3bb Closes-Bug: 1645657
2016-11-28Merge "Enable TLS in the internal network for Panko API"Jenkins1-2/+53
2016-11-28Use FQDNs for RabbitMQ's cluster configurationJuan Antonio Osorio Robles1-2/+2
This sets the cluster_nodes configuration in RabbitMQ to use FQDNs instead of IP addresses. Note that in HA, RabbitMQ is already configured using FQDNs. Change-Id: I2b1cec25ff25f4afd72a28246c2cda9c58d7b61e
2016-11-28Use FQDNs for the services' RabbitMQ configurationJuan Antonio Osorio Robles22-62/+62
This replaces the services' IP-based RabbitMQ configuration and uses FQDNs instead. Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
2016-11-28Merge "adding new swift middleware that is typically enabled by default"Jenkins1-0/+5
2016-11-27Drop vip_hostsDan Prince1-39/+0
This should no longer be used based on problems discovered in https://bugs.launchpad.net/tripleo/+bug/1645123 Change-Id: I53b13d514a15226dacbeda1c7b2ede09e7f8807e Depends-On: Ic6aaeb249a127df83894f32a704219683a6382b2
2016-11-25Merge "Enable internal TLS for MySQL"Jenkins2-6/+131
2016-11-25Show team and repo badges on READMEFlavio Percoco1-0/+7
This patch adds the team's and repository's badges to the README file. The motivation behind this is to communicate the project status and features at first glance. For more information about this effort, please read this email thread: http://lists.openstack.org/pipermail/openstack-dev/2016-October/105562.html To see an example of how this would look like check: https://gist.github.com/5f53b5b51c414919aa857d0472158564 Change-Id: I89860cb042cd1c23cc5278a8f963f3d62e9492aa
2016-11-25Merge "Do not configure state matching when using GRE"Jenkins2-3/+12
2016-11-25Enable TLS in the internal network for Panko APIJuan Antonio Osorio Robles1-2/+53
This optionally enables TLS for Panko API in the internal network. If internal TLS is enabled, each node that is serving the Panko API service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: Ie9be7ce19601435b1b83b4ba58d9c7e8d53f23ba
2016-11-25Enable internal TLS for MySQLJuan Antonio Osorio Robles2-6/+131
this adds the necessary code in the manfiest to configure TLS if internal TLS is enabled. this also adds the capability of auto-generating the certificate via certmonger. bp tls-via-certmonger Change-Id: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
2016-11-24Do not configure state matching when using GREBrent Eagles2-3/+12
The firewall rule quite reasonably sets up a default state matching rule but this is invalid for GRE. This patch conditionally adds the state matching if the protocol is not GRE. Closes-Bug: #1644360 Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
2016-11-23Merge "Remove Combination alarms support"Jenkins2-28/+0
2016-11-23Merge "Proxy manila in http mode"Jenkins1-0/+1
2016-11-23Merge "Move calculation of neutron l3_ha into puppet profile"Jenkins1-0/+33
2016-11-22Update ceilometer collector ipv6 handlingAlex Schultz1-13/+2
The normalize_ip_for_uri handles ipv6 bracketing correctly. Rather than continue to do it manually, this change updates the ceilometer collector profile to leverage the normalize_ip_for_uri function to properly escape ipv6 addresses. Change-Id: Ifaf6568785235db55f8dc593d83e534216413d31 Closes-Bug: #1629380
2016-11-22Split ovn plugin and northd configurationSteven Hardy4-16/+110
This allows us to use the composable services interfaces to handle providing the IP address for northd, and will be more flexible in the event folks want to deploy northd/ovndb on a different node to the neutron plugin. This also adds ovn_northd to the haproxy configuration so we can access it via the ovn_northd_vip in other service profiles. Note we need to ensure the haproxy config only hits the bootstrap node as northd won't be running on the other nodes. Change-Id: I9af7bd837c340c3df016fc7ad4238b2941ba7a95 Partial-Bug: #1634171
2016-11-22Merge "Use mode 'http' in haproxy for ceilometer, neutron, aodh and gnocchi"Jenkins1-0/+4
2016-11-22Proxy manila in http modeJuan Antonio Osorio Robles1-0/+1
It needs it so HAProxy will be able to set the X-Forwarded-Proto header. Related-Bug: #1640126 Change-Id: I1726fa1742bc70518338b80fc6d27567bb020e7c
2016-11-22Use mode 'http' in haproxy for ceilometer, neutron, aodh and gnocchiJuan Antonio Osorio Robles1-0/+4
HAProxy won't pass X-Forwarded-Proto to these services in mode tcp, so we need to switch it to http in order for it to work and for the services to properly set the protocol in the links they serve. Change-Id: Ib10282159fb9269eebe81af23171ec9fb1297cd0 Closes-Bug: #1640126
2016-11-22Merge "firewall: stop using stdlib stages"Jenkins1-4/+3
2016-11-21Merge "Adds auto-detection for VIP interfaces"Jenkins2-15/+44
2016-11-21Merge "Add panko service support"Jenkins5-0/+120
2016-11-21firewall: stop using stdlib stagesEmilien Macchi1-4/+3
Using Puppet stdlib in TripleO is risky because it exposes deployments to dependency cycles in the catalog. We should rather use native functions to make orchestrations, like ordering and dependencies management. This patch: - removes usage of stages from stdlib - use ordering to make sure we run pre rules before post - use ordering to make sure we start all Services in catalog before post rules. It ensure that we don't drop all traffic before starting the services, which could lead to services errors (e.g. trying to reach database or amqp) Change-Id: Iec4705d6b785a40ccf6f43809b94b726ccd47fef Closes-Bug: #1643575
2016-11-21Move calculation of neutron l3_ha into puppet profileSteven Hardy1-0/+33
This is currently calculated in t-h-t but has a hard-coded reference to the ControllerCount which is incompatible with custom-roles. So instead calculate the setting based on the number of neutron API services running (on any role, not just Controller), combined with whether DVR is enabled (equivalent to current t-h-t logic). To avoid breaking the NeutronL3HA parameter in t-h-t we maintain an optional parameter to override the calculated value. Change-Id: I01c50973eec8138ec61304f2982d5026142f267c Partial-Bug: #1629187
2016-11-20Adds auto-detection for VIP interfacesTim Rozet2-15/+44
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan deployments ends up being the wrong interface. The public VIP interface was also defaulted to 'br-ex' which would be incorrect for vlan based deployments. Since a user has already given the nic template (and in most cases the subnet that corresponds to the nic) the installer should be able to figure out which interface the public/control vip should be on. These changes enable that type of auto-detection, unless a user explicitly overrides the heat parameters for ControlVirtualInterface and PublicVirtualInterface. Also removes calling keepalived from haproxy now that the services are composed separately on the Controller role. Partial-Bug: 1606632 Change-Id: I05105fce85be8ace986db351cdca2916f405ed04 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-18Changes default MidoNet API port on HAProxyAlejandro Andreu1-4/+5
The default port of the MidoNet Cluster (formerly known as MidoNet API) is now 8181 instead of 8081. Since this parameter is configurable through the settings, the default value for the port has been added to the $service_ports array. Change-Id: I2785d3109993bca0bd68077ff55cfeafbf594e19
2016-11-17Replace hard-coded haproxy/keepalived couplingSteven Hardy1-3/+3
We have a variable in hiera which tells us if the keepalived service is enabled, so use it here. Without this any deployment disabling OS::TripleO::Services::Keepalived will fail. Change-Id: I90faf51881bd05920067c1e1d82baf5d7586af23 Closes-Bug: #1642677
2016-11-17Remove Combination alarms supportPradeep Kilambi2-28/+0
combination alarms are completely removed in Ocata. Remove this from tripleo. Change-Id: Icdf81d2f489db33533a1a0979cba3b5a652535d5
2016-11-17Merge "Sort parameters in keystone profile alphabetically"Jenkins1-20/+20
2016-11-16Merge "Prepare 6.0.0 (ocata-1)"Jenkins1-1/+1
2016-11-16Sort parameters in keystone profile alphabeticallyJuan Antonio Osorio Robles1-20/+20
Change-Id: I035c26e0f50e4b3fc0f6085fa5a4bf524e4852b7
2016-11-16Remove explicit hiera calls for heat in keystone profileJuan Antonio Osorio Robles1-9/+8
These are now passed via the heat profiles in t-h-t (via heat-base.yaml and heat-engine.yaml) and use the actual names of keystone parameters instead. Change-Id: Id0f5dd03b6757df989339c93b58a5b7eac3402a2 Depends-On: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
2016-11-15Prepare 6.0.0 (ocata-1)Emilien Macchi1-1/+1
Prepare the first release of Ocata. Change-Id: Ib8173d1ce26752216aeaab835f483503cf82b217
2016-11-15Merge " Enable TLS in the internal network for Barbican API"Jenkins2-4/+56
2016-11-14Add panko service supportPradeep Kilambi5-0/+120
Change-Id: I35f283bdf8dd0ed979c65633724f0464695130a4
2016-11-14Merge "Fix barbican server name to not use aodh hiera"Jenkins1-1/+1
2016-11-14 Enable TLS in the internal network for Barbican APIJuan Antonio Osorio Robles2-4/+56
This optionally enables TLS for Barbican API in the internal network. If internal TLS is enabled, each node that is serving the Barbican API service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
2016-11-11Merge "Normalize civetweb binding address if IPv6"Jenkins2-6/+30
2016-11-11Merge "Enable TLS in the internal network for Cinder API"Jenkins2-3/+55
2016-11-11Merge "Ensure keepalived is restarted when necessary."Jenkins1-0/+11
2016-11-11Normalize civetweb binding address if IPv6Giulio Fidente2-6/+30
The civetweb binding format is IP:PORT; this change ensures the IP is enclosed in brackets if IPv6. To do so we add the bind_ip and bind_port parameters to the rgw service class. Change-Id: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c Co-Authored-By: Lukas Bezdicka <social@v3.sk> Related-Bug: #1636515
2016-11-11Call VF configuration from udev rulesBrent Eagles3-4/+33
When a physical function that was allocated to a guest is released back the system, it is not automatically brought "up" and the VF configuration is not restored. This patch creates a file containing some udev rules to force the VF configuration. Note: we may find that the ifup-local script is no longer required but this will require further testing. Change-Id: Ie6e78730aa0a748b3b5100ab7c7bc007d8ab176d Partial-Bug: #1639901
2016-11-11Fix barbican server name to not use aodh hieraPradeep Kilambi1-1/+1
this looks like a copy/paste error. Let barbican use its own hiera data. Change-Id: I84118c1a561c3db2f18504b55c5a8c4f042e7e3b
2016-11-10Fix puppet lint failureBen Nemec1-3/+3
I'm not sure how this merged, but it's causing failures in other patches to puppet-tripleo. Change-Id: Ib20d349fa9abd6347739190bb29a02b6e3eb839d