aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2016-12-22Merge "HPELeftHandISCSIDriver support for cinder"Jenkins3-8/+95
2016-12-22Merge "Add TLS proxy resource"Jenkins1-0/+60
2016-12-22Merge "Split ovn plugin and northd configuration"Jenkins4-16/+110
2016-12-22[CVE-2016-9599] Enforce Firewall TCP / UDP rules managementEmilien Macchi3-11/+54
This closes CVE-2016-9599. 1) Sanitize dynamic HAproxy endpoints firewall rules Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepare the hash depending on the service_port and public_ssl_port parameters and create the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified. 2) Secure Firewall rules creations The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why. Example of use-cases: - creating VRRP rules wouldn't require port parameters. - creating TCP or UDP rules would require port parameters. 3) Allow to open all traffic for TCO / UDP (when desired) Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule. Backward compatibility: - if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purpose. - if you users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure. - if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created. - TCP / UDP rules in FORWARD chain without port are still accepted. Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59 Closes-Bug: #1651831
2016-12-22Ensure package updates don't happen unexpectedlySteven Hardy1-2/+2
I'm seeing this run yum update on deploy, even though hiera tripleo::packages::enable_upgrade says false. I assume these are needed because we're getting "false", but I'm unclear if this is a recently introduced problem (I only noticed it today as my image has outdated centos packages and it thus hung on step2 of the deploy. Change-Id: If09cdde9883f2674dbbc40944be5fe4445caa08e Closes-Bug: #1652107
2016-12-22Add fossw of networking-fujitsu support to puppet-tripleoKoki Sanagi1-0/+5
Enable ml2.pp to call networking-fujitsu manifest in puppet-neutron for fossw ML2 plugin setting. Change-Id: I044c5812bbc5cd3de4bc33556cffbe5bad8e64cf Implements: blueprint integration-fossw-networking-fujitsu Depends-On: I79df6b6a27d95f0c0e2c87207ab80235a4efccfc
2016-12-22Merge "Decouple swift-proxy from ceilometer packages"Jenkins1-8/+15
2016-12-22Merge "Add networking-fujitsu support to puppet-tripleo"Jenkins1-0/+5
2016-12-22Merge "Do not use hardcoded controller_node_names when setting up the cluster"Jenkins1-1/+2
2016-12-21Adds ability to populate SSH Banner textLuke Hinds3-0/+94
A puppet manifest to allow the toggle of 'Banner' in sshd_config and enable population of an SSH login banner needed for security compliance such as DISA STIG If `Bannertext` is set as a parameter, the `Banner` key within sshd_config is toggled to `/etc/issue` and the content is copied into the `/etc/issue` file Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e Closes-Bug: #1640306
2016-12-20Decouples neutron services from OpenDaylight API serviceTim Rozet1-12/+7
Removes including Neutron services in the OpenDaylight API service. This was breaking custom roles when splitting up OpenDaylight and Neutron into different roles. Also, references to "controller" are removed because with custom roles OpenDaylight could be isolated to any role type. The 'bootstrap_nodeid' still works with any role, and only resolves to the first node in the series of nodes for that role type. Partial-Bug: 1651499 Change-Id: I418643810ee6b8a2c17a4754c83453140ebe39c7 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-12-20Add missing Swift base classChristian Schwede1-0/+1
The Swift base class is required if the SwiftStorageRole is used without the SwiftRingBuilder role. Change-Id: I496b65dc53c03c0711d21f98627cc21be653ca5d
2016-12-20Add TLS proxy resourceJuan Antonio Osorio Robles1-0/+60
some services need a terminating proxy to do TLS on their main interfaces, to address this, we use httpd's mod_proxy and make it listen in front of these services with an appropriate certificate. bp tls-via-certmonger Change-Id: I82243fd3acfe4f23aab373116b78e1daf9d08467
2016-12-19Merge "Disable legacy ceilometer api by default"Jenkins2-3/+20
2016-12-19Merge "Drop vip_hosts"Jenkins1-39/+0
2016-12-19Merge "Fix a typo in haproxy.pp"Jenkins1-1/+1
2016-12-17Merge "Add tripleo::ui rspec tests"Jenkins1-0/+99
2016-12-16Include nova::compute::libvirt::qemu from the libvirt profileGiulio Fidente1-0/+2
This is useful to customize the libvirt/qemu.conf limits when deploying a large overcloud or one with many Ceph OSDs. Change-Id: I258afd3ee6633e4b2ebc45aa8611be652476be0c Depends-On: I5fa423a4b212d14f6e9ff6a270931b569558b54e
2016-12-16add support for collectdLars Kellogg-Stedman2-0/+94
This is the glue between the collectd composable service in tripleo-heat-templates and the puppet-collectd module. Change-Id: I7e899e3af870b04dcd45503bd322278997fa53d0
2016-12-12Add networking-fujitsu support to puppet-tripleoKoki Sanagi1-0/+5
Enable ml2.pp to call networking-fujitsu manifest in puppet-neutron. The implementation in puppet-neutron is in progress separately. Change-Id: I5eb2c2a9c50b5991d62f4b6d74b83351c86b02de Implements: blueprint integration-networking-fujitsu Depends-On: I37a502b43eb7d91bfe20625248ed117eae3ca535
2016-12-11Decouple swift-proxy from ceilometer packagesDan Prince1-8/+15
This patch updates the swift proxy so that it only depends on ceilometer if the ceilometer_api_enabled all-nodes-data hiera setting has been set. Also removes a parameter dependency where the tripleo::profile::base::swift::proxy class was referencing a puppet-ceilometer value from hiera (which can also cause ceilometer dependencies). Depends-On: Ief5399d7ea4d26e96ce54903a69d660fa4fe3ce9 Change-Id: I8d9f69f5e9160543b372bd9886800f16f625fdc6 Closes-bug: #1648736
2016-12-11Merge "Changes default MidoNet API port on HAProxy"Jenkins1-4/+5
2016-12-09Disable legacy ceilometer api by defaultPradeep Kilambi2-3/+20
Ceilometer api is deprectaed in Ocata. Lets disable by default. This can still be enabled by setting enable_legacy_ceilometer_api param. Change-Id: Iffb8c2cfed53d8b29e777c35cee44921194239e9
2016-12-09Release ocata-2Emilien Macchi1-1/+1
6.1.0 will be ocata-2. Change-Id: Ic5c4e00135a1e876e755e6ada94abb42dd29f46a
2016-12-09HPELeftHandISCSIDriver support for cinderchinthagovardhan3-8/+95
Cinder Backend configuration support for HPELeftHandISCSIDriver for VSA storage Change-Id: Ia7e5f3d436283f7949b0eb8f109b3dc0309af4f5
2016-12-09Merge "Add cinder profile spec tests"Jenkins22-7/+1120
2016-12-09Merge "Delete MidoNet deprecated classes and their tests"Jenkins4-338/+0
2016-12-08Do not use hardcoded controller_node_names when setting up the clusterMichele Baldessari1-1/+2
Currently we chose the pacemaker cluster node by simply taking hiera('controller_node_names'). We should instead use the pacemaker_short_node_names array which is built dynamically from all the nodes that include the pacemaker service. Change-Id: I0a3e4acaab11e078da5eeb2ef2adde5387785927
2016-12-07Create Glance's database if glance-api is enabledFlavio Percoco1-1/+1
Instead of checking for glance_registry_enabled, we should be checking for glance_api_enabled. The glance-api v1 depends on the registry, which means the database will be created but glance-api v2 doesn't which means that not deploying the registry would result in the glance database not being created. On the other hand, glance-registry is never deployed without glance-api Change-Id: Ief25dafb65f7a043fbb3d16f1d7ef834c9947a93
2016-12-07Delete MidoNet deprecated classes and their testsAlejandro Andreu4-338/+0
MidoNet no longer uses the API component. It has been renamed/refactored to "cluster" as it can be seen on the docs at https://blog.midonet.org/introducing-midonet-cluster-services/ Also there is no need to have a Cassandra and Zookeeper dedicated classes, as we leverage this through the use of the midonet_openstack puppet module. Change-Id: I2f17aeeac2d1b121be0d445ff555320d5af5d270 Partial-Bug: #1647302
2016-12-06Add tripleo::ui rspec testsAlex Schultz1-0/+99
Change-Id: I2eb5b84dbeedde58153bceb707fd15cce8f03d5e
2016-12-05Add cinder profile spec testsAlex Schultz22-7/+1120
This change adds rspec testing for the cinder profiles with in puppet-tripleo. Additionally while testing, it was found that the backends may incorrectly have an extra , included in the settings for cinder volume when running puppet 3. This change includes a fix the cinder volume backends to make sure we are not improperly configuring it with a trailing comma. Change-Id: Ibdfee330413b6f9aecdf42a5508c21126fc05973
2016-12-04Merge "Remove unused pacemaker profiles"Jenkins42-2553/+0
2016-12-04Merge "Add verify required and CA bundle to haproxy"Jenkins1-2/+7
2016-12-03Add basic structure for ReNoLuke Hinds10-0/+331
ReNo [1] is the release management tool in OpenStack. This patch adds the basic structure to start using it for doc builds in puppet-tripleo. * Update .gitignore * Add a basic note "use-reno" * Add releasenotes/ dir and basic files * Add python files: setup.cfg, setup.py, test-requirements.txt and tox.ini. [1] http://docs.openstack.org/developer/reno Change-Id: Idc9a30ab632c8e2ca794fb10431cdefd5d861d14
2016-12-02Fixes typo in sriov_numvfs releasenotesLuke Hinds1-1/+1
Change-Id: I729702a5326d74ad35485fa7276af45e2223ec5f
2016-12-01Merge "Update ceilometer collector ipv6 handling"Jenkins1-13/+2
2016-12-01Merge "Show team and repo badges on README"Jenkins1-0/+7
2016-11-30Include swift::storage::loopbacks classChristian Schwede1-0/+1
This makes it possible to create loopback devices for Swift by using additional Hieradata. For example, to create a 100M loopback device that will be mounted on /srv/node/d1: parameter_defaults: ControllerExtraConfig: swift::storage::loopbacks::args: {"d1": {'seek': '100000'}} Depends-On: I11a230b7cf08a4cc2a144d9af0e6c81bb3827348 Change-Id: I8741acc8afa1f1d23c5b25fa4bf27622f674a561
2016-11-30Merge "Use FQDNs for RabbitMQ's cluster configuration"Jenkins1-2/+2
2016-11-30Merge "Use FQDNs for the services' RabbitMQ configuration"Jenkins22-62/+62
2016-11-30Add verify required and CA bundle to haproxyJuan Antonio Osorio Robles1-2/+7
This only takes effect is internal-tls is used, and forces haproxy to do proper verifications of the SSL certificates provided by the servers. bp tls-via-certmonger Change-Id: Ibd98ec46dd6570887db29f55fe183deb1c9dc642
2016-11-30Set memcache_servers in /etc/swift/object-expirer.confChristian Schwede1-1/+3
This defaults to 127.0.0.1:11211 without setting these explicitly. The object-expirer is working without a correct memcache server, however it is slower and warnings will be logged. Related-Bug: 1627927 Depends-On: Ie139f018c4a742b014dd4d682970e154d66a8c6d Change-Id: I89a879592a264d541cf42f007584e2e78058c867
2016-11-29pacemaker: create Mysql_user once Galera is ready (puppet4)Emilien Macchi1-1/+2
Puppet 4 ordering make things more strict in catalog, which is good. Resources have to be orchestrated or Puppet will take them in the order they are found in catalog. This patch makes sure we create MySQL users only when Galera is actually ready. Closes-Bug: #1645787 Change-Id: I536a1a128c3a7eca49bcc4f34a1307bcd60b029e
2016-11-29Merge "Include local CA in haproxy PEM"Jenkins1-2/+18
2016-11-29Enable object-expirer on Swift proxy profileChristian Schwede1-0/+2
This service is required to delete expired automatically. It is often run on the proxy nodes, therefore adding it to the Swift proxy profile. Change-Id: I3250c205ffc166ae628bc427de2e3492d086c3bb Closes-Bug: 1645657
2016-11-28Merge "Enable TLS in the internal network for Panko API"Jenkins1-2/+53
2016-11-28Use FQDNs for RabbitMQ's cluster configurationJuan Antonio Osorio Robles1-2/+2
This sets the cluster_nodes configuration in RabbitMQ to use FQDNs instead of IP addresses. Note that in HA, RabbitMQ is already configured using FQDNs. Change-Id: I2b1cec25ff25f4afd72a28246c2cda9c58d7b61e
2016-11-28Use FQDNs for the services' RabbitMQ configurationJuan Antonio Osorio Robles22-62/+62
This replaces the services' IP-based RabbitMQ configuration and uses FQDNs instead. Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
2016-11-28Merge "adding new swift middleware that is typically enabled by default"Jenkins1-0/+5