aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-05-05Disable SSH login for nova_migration user when migration over ssh is disabled.Oliver Walsh2-34/+83
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary. Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3 Closes-Bug: #1688321
2017-05-04Merge "Restrict nova migration ssh tunnel"Jenkins4-68/+271
2017-05-04Add support for Cinder "NAS secure" driver paramsAlan Bishop2-6/+29
Add ability to set Cinder's nas_secure_file_operations and nas_secure_file_permissions driver parameters. Two sets of identically named parameters are implemented by Cinder's NFS and NetApp back end drivers. The ability to control these parameters is crucial for supporting deployments that require non-default values. Partial-Bug: #1688332 Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9 Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308
2017-05-04Merge "MySQL client: Make CA file configurable"Jenkins1-1/+6
2017-05-03Merge "snmp: remove useless parameter for binding"Jenkins1-1/+0
2017-05-03Restrict nova migration ssh tunnelOliver Walsh4-68/+271
This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-05-03Merge "IPv6 VIP addresses need to be /128"Jenkins1-6/+14
2017-05-03MySQL client: Make CA file configurableJuan Antonio Osorio Robles1-1/+6
It used to be hardcoded to use the OpenSSL default CA Bundle, however, this will be changed in t-h-t. Change-Id: I75bdaf71d88d169e64687a180cb13c1f63418a0f
2017-05-03IPv6 VIP addresses need to be /128Michele Baldessari1-6/+14
We currently hardcode /64 as our VIP addresses when using IPv6. The problem with this is that some server code might bind to that IP as a source address when doing inter-cluster communication (rabbitmq/galera for example). So when the VIP moves there will be effectively a network outage between the nodes, which should not happen. Likely this was hardcoded to /64 because the RA IPaddr2 needs a nic parameter when /128 is specified. This is due to: https://bugzilla.redhat.com/show_bug.cgi?id=1445628 We also make sure we use the ipv6_addrlabel option set to 99 so that they will never be used as source ip addresses. Depends-On: I7fcf15a00aedbdcfb21db501ad46c69fb97ec30c Partial-Bug: #1686357 Change-Id: Ibefde870512ad1e03ff12f7aea91b3734f03f96f Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com> Co-Authored-By: Marios Andreou <mandreou@redhat.com> Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
2017-05-03Merge "firewall: generally accept "jump" param and use tripleo:firewall for ↵Jenkins2-2/+16
log rule"
2017-05-02snmp: remove useless parameter for bindingEmilien Macchi1-1/+0
Binding is now done in THT via Hiera directly, so users can change the option more easily. Depends-On: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614 Change-Id: I9d5fd152bb73ea54c4d0d3bab862f11eaa4ebd79 Closes-Bug: #1687628
2017-04-27Merge "Fix wrong notify in swift proxy profile"Jenkins1-1/+1
2017-04-27Merge "Add linuxbridge agent profile"Jenkins1-0/+20
2017-04-27Merge "Include base apache module in tls_proxy resource"Jenkins1-0/+1
2017-04-27Fix wrong notify in swift proxy profileJuan Antonio Osorio Robles1-1/+1
the TLS proxy was notifying neutron::server instead of swift proxy. Change-Id: I212978c107a75209d5b7c266e608eb9a9e9cdc76
2017-04-27Include base apache module in tls_proxy resourceJuan Antonio Osorio Robles1-0/+1
Other services include it by using the vhost resource from openstacklib. If we include a service (such as swift-proxy) that uses the tls_proxy resource, and we do so in a separate node or in its own container, it will fail since the base apache module hadn't been included. Change-Id: I0167e08b0b652618d8a1af792376bcf02c8fcd82
2017-04-26Add support for autofencing to Pacemaker Remote.Chris Jones1-0/+27
We now configure stonith devices for Pacemaker Remote nodes. Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197 Partial-Bug: #1686115
2017-04-26Add a flag to rabbitmq so that we can deploy with ha-mode: all againMichele Baldessari1-2/+6
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a nice performance boost with rabbitmq, it makes rabbit less resilient to network glitches as we painfully found out via https://bugzilla.redhat.com/show_bug.cgi?id=1441635. Will propose another THT change to actually change the default to -1 so we get this ha-mode:all by default. Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c Partial-Bug: #1686337 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins6-10/+193
2017-04-25Merge "Update puppet-etcd version"Jenkins1-1/+1
2017-04-25Merge "Add support for Redfish hardware in Ironic"Jenkins2-0/+6
2017-04-25Merge "Include zaqar apache module"Jenkins2-2/+8
2017-04-25Merge "Dell SC: Add secondary DSM support"Jenkins1-10/+14
2017-04-24Update puppet-etcd versionBogdan Dobrelya1-1/+1
Include the yaml config file for containers Change-Id: I3ad463217ed3f2d6374627248236b274cfed72fb Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-24Add support for Redfish hardware in IronicDmitry Tantsur2-0/+6
Part of blueprint redfish-support Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
2017-04-24Merge "Enable setting SubjectaltNames for haproxy and httpd certs"Jenkins2-2/+26
2017-04-21Move ceilometer upgrade re-run out of collectorPradeep Kilambi5-35/+49
Since collector is deprecated, lets move this out of collector.pp so it gets run and resource types are created appropriately even when collector is not included. Closes-bug: #1676961 Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
2017-04-21Merge "Allow to configure haproxy daemon's status"Jenkins1-14/+27
2017-04-21Merge "Cover gnocchi api step 4 and 5"Jenkins3-31/+92
2017-04-21Merge "Add resource profile for vmware nsx_v3"Jenkins1-0/+45
2017-04-21Merge "Add ML2 configuration for Bagpipe BGPVPN extension"Jenkins2-0/+38
2017-04-21Merge "Refactor SSHD config to allow both SSHD options and banner/motd to be ↵Jenkins2-5/+147
set"
2017-04-21Merge "Update UI language list"Jenkins1-0/+2
2017-04-20Include zaqar apache moduleThomas Herve2-2/+8
This includes the Zaqar apache module, allowing to run Zaqar behind httpd. Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906 Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
2017-04-20Merge "Haproxy: When using TLS everywhere, use verifyhost for the ↵Jenkins1-0/+3
balancermembers"
2017-04-19Refactor SSHD config to allow both SSHD options and banner/motd to be setOliver Walsh2-5/+147
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd are mutually exclusive. This patch, and the next patchset of that review, resolves the conflict. Related-Bug: 1668543 Change-Id: I1d09530d69e42c0c36311789166554a889e46556
2017-04-19Cover gnocchi api step 4 and 5Alex Schultz3-31/+92
Update the gnocchi api to expose the redis information as a class parameter so it can be tested correctly. Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
2017-04-19Ensure /etc/docker/daemon.jsonDan Prince1-0/+9
A recent Centos docker packaging change removed the default /etc/docker/daemon.json file. As such we need to create an empty json file if none exists before running Augeas to configure the settings. Change-Id: Ibfe04b468639002f55da7bb65d2606f730c700b7 Closes-bug: #1684297
2017-04-19Dell SC: Add secondary DSM supportrajinir1-10/+14
Adds support for a secondary DSM in case the primary becomes unavailable. Change-Id: Ibf8c333f62556d421d67c853f1f0740d7f9985bf Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7
2017-04-19Allow to configure haproxy daemon's statusMichele Baldessari1-14/+27
Currently we hard-code the fact that haproxy starts as a daemon. When running haproxy in a container we need this to be configurable because the haproxy process will be pid number 1. We are not changing the current semantics which have the 'daemon' option always set, but we are allowing its disabling. Change-Id: I51c482b70731f15fee4025bbce14e46a49a49938
2017-04-19Merge "Ensure we configure ssl.conf"Jenkins14-0/+23
2017-04-19Add linuxbridge agent profileBartosz Stopa1-0/+20
Add a tripleo profile for neutron linuxbridge agent configuration. Change-Id: Ie3ac03052f341c26735b423701e1decf7233d935 Partial-Bug: #1652211
2017-04-19Merge "Create bigswitch agent profile"Jenkins3-0/+84
2017-04-18Merge "Added release note for "Support for external swift proxy""Jenkins1-0/+5
2017-04-18Ensure we configure ssl.confLukas Bezdicka14-0/+23
Every time we call apache module regardless of using SSL we have to configure mod_ssl from puppet-apache or we'll hit issue during package update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains Listen 443 while apache::mod::ssl just configures SSL bits but does not add Listen. If the apache::mod::ssl is not included the ssl.conf file is removed and recreated during mod_ssl package update. This causes conflict on port 443. Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8 Related-Bug: 1682448 Resolves: rhbz#1441977
2017-04-18Enable setting SubjectaltNames for haproxy and httpd certsJuan Antonio Osorio Robles2-2/+26
This enables setting the subjectAltNames for HAProxy and httpd certs. These will eventually replace the usage of many certs, to have instead just one that has several subjectAltNames. Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
2017-04-18Added release note for "Support for external swift proxy"Luca Lorenzetto1-0/+5
Change-Id: I7feac65bf814099ab591b473be962e64dec85cbd
2017-04-18Haproxy: When using TLS everywhere, use verifyhost for the balancermembersJuan Antonio Osorio Robles1-0/+3
This checks that the subjectAltName in the backend server's certificate matches the server's name that was intended to be used. Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
2017-04-18Merge "Allow setting of keepalived router ID"Jenkins1-7/+14
2017-04-18Merge "HAproxy/heat_api: increase timeout to 10m"Jenkins2-2/+11