aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-04-07Merge "Migrate Swift ring handling from tripleo-heat-templates to ↵Jenkins2-0/+101
puppet-tripleo"
2017-04-07Merge "Adding OVNDBs vip to keepalive"Jenkins1-0/+18
2017-04-07Merge "Make the cluster-check property configurable"Jenkins1-0/+25
2017-04-07Merge "Add httpchk for http services"Jenkins1-87/+26
2017-04-06Merge "Include ironic::drivers::interfaces in the ironic-conductor profile"Jenkins1-0/+1
2017-04-06Merge "Adding support for Bagpipe Agent as BGPVPN driver"Jenkins2-0/+40
2017-04-06Merge "Add a trigger to call ldap_backend define"Jenkins2-0/+21
2017-04-06Merge "Clean up TLS-related bits from swift-proxy"Jenkins2-14/+8
2017-04-06Merge "Fix missing groups for fluentd user"Jenkins1-78/+82
2017-04-05Merge "Add TLS in the internal network for Swift Proxy"Jenkins3-5/+70
2017-04-05Merge "Introduce profile to configure l2 gateway Neutron agent."Jenkins2-0/+38
2017-04-05Add a trigger to call ldap_backend defineCyril Lopez2-0/+21
Ldap_backend is a define so we need a resource to talk it. If ldap_backend_enable set by tripleo-heat-templates, we call the ldap_backend as a resource. Given an environment such as the following: parameter_defaults: KeystoneLdapDomainEnable: true KeystoneLDAPBackendConfigs: tripleoldap: url: ldap://192.0.2.250 user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com password: Secrete suffix: dc=redhat,dc=example,dc=com user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)" user_objectclass: person user_id_attribute: cn user_allow_create: false user_allow_update: false user_allow_delete: false ControllerExtraConfig: nova::keystone::authtoken::auth_version: v3 cinder::keystone::authtoken::auth_version: v3 It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash. Partial-Bug: 1677603 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Co-Authored-By: Guillaume Coré <gucore@redhat.com> Signed-off-by: Cyril Lopez <cylopez@redhat.com> Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
2017-04-05Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleoChristian Schwede2-0/+101
This allows decoupling the Swift ringbuilding logic from the Controller and ObjectStorage roles. A follow up patch will modify tripleo-heat-templates and use this modified class. Actually this downloads the Swift rings even if ring building is disabled or if there is no need to rebalance. This is required, because operators can disable ring building, but use the same mechanism to distribute pre-built rings to the nodes. If ring building is disabled, these won't be uploaded at the end back to the undercloud. Related-Bug: 1665641 Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
2017-04-05Merge "Certmonger/rabbitmq: Remove parameter doc for unexisting parameter"Jenkins1-4/+0
2017-04-05Adding support for Bagpipe Agent as BGPVPN driverRicardo Noriega2-0/+40
Partially-Implements: blueprint bgpvpn-service-integration Change-Id: I54ef40f9d958e87d187a6d124995aa6951c0651a Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-04-05Merge "SSHD Service extensions"Jenkins4-38/+88
2017-04-05Make the cluster-check property configurableMichele Baldessari1-0/+25
This change will make the global cluster-check property configurable and will pick a lower default (60s) in case a pacemaker remote node is deployed. The cluster-recheck-interval is set to default to 15minutes by pacemaker. This value is too high when a pacemaker remote service is deployed. With this default value a reboot of a pacemaker remote node will be reported as offline by pacemaker for up to 15minutes. With this change we do the following: 1) Do nothing in case pacemaker remote is not deployed 2) When pacemaker remote is deployed and the operator has not specified otherwise, we set the recheck interval to 60s. 3) When the operator specifies the recheck interval we set that. Change-Id: I900952b33317b7998a1f26a65f4d70c1726df19c Closes-Bug: #1679753
2017-04-05Certmonger/rabbitmq: Remove parameter doc for unexisting parameterJuan Antonio Osorio Robles1-4/+0
This parameter was used at some point in the implementation but ended up not being needed in favor of getting this information from the puppet manifest. So it's removed as the parameter doesn't actually exist. Change-Id: I09f4091ee7a2221b26249959ea2927090d36ba0f
2017-04-04Merge "Configure migration SSH tunnel"Jenkins3-20/+189
2017-04-04Merge "Refactor enabled languages from an array to a hash"Jenkins2-4/+21
2017-04-04Merge "Use correct manage_firewall hieradata"Jenkins2-3/+3
2017-04-04Merge "Fixes missing neutron base in sriov"Jenkins2-0/+5
2017-04-04Merge "Remove cluster_enabled setting for etcd"Jenkins1-7/+0
2017-04-04Add httpchk for http servicesAlex Schultz1-87/+26
The httpchk health check option should help reduce the situtations where haproxy thinks the service is up but the service is only listening and not actively serving http requests. Change-Id: I13cc5dcf2eea53731e756d078586ab9a97340912 Closes-Bug: #1629052
2017-04-04SSHD Service extensionslhinds4-38/+88
This change adds an `include` statement to bring in the extra functionality available from the existing puppet-ssh module in already available in RDO. By using puppet-ssh it provides a framework to allow the passing in of server options using just hiera values under ssh::server_options. For example, sshd_config banner can now be passed a server option, as well as all the new parameters outlined in the launchpad issue that the patch references for Closing. For this reason, the former augeas setting for `Banner /etc/issue` is now managed by the main puppet-ssh module instead. The change also allows population of MOTD text to `/etc/motd` as well as `issue.net`. $bannertext is refactored in accordance with patch [1] [1] https://review.openstack.org/#/c/442406/ Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c Closes-Bug: 1668543
2017-04-04Clean up TLS-related bits from swift-proxyJuan Antonio Osorio Robles2-14/+8
bp tls-via-certmonger Change-Id: I8a66d3a067f934ea30b668308237cbca1d58fbb8 Depends-On: I3cb9d53d75f982068f1025729c1793efaee87380
2017-04-04Add TLS in the internal network for Swift ProxyJuan Antonio Osorio Robles3-5/+70
This adds the necessary bits for a TLS Proxy to be placed in front of swift proxy when TLS-everywhere is enabled. This will be furtherly cleaned up once the t-h-t bits are added. bp tls-via-certmonger Change-Id: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
2017-04-03Merge "Deploy WSGI apps at the same step (3)"Jenkins5-8/+8
2017-04-03Merge "Add tunnel timeout for ui proxy container"Jenkins2-0/+12
2017-04-03Include ironic::drivers::interfaces in the ironic-conductor profileDmitry Tantsur1-0/+1
This enables configuring new-style drivers (aha hardware types). Part of blueprint ironic-driver-composition Change-Id: I72eb8b06cca14073d1d1c82462fb702630e02de3
2017-04-03Restrict mongodb memory usagePradeep Kilambi2-0/+17
Currently, mongodb has no limits on how much memory it can consume. This enforces restriction so mongodb service limits through systemd. The puppet-systemd module has support for limits. The MemoryLimit support is added in the follwoing pull request https://github.com/camptocamp/puppet-systemd/pull/23 Closes-bug: #1656558 Change-Id: Ie9391aa39532507c5de8dd668a70d5b66e17c891
2017-04-03Fixes missing neutron base in sriovTim Rozet2-0/+5
This causes issues in deployments that is not using ML2 ComputeNeutronCorePlugin or OVS agent on the compute nodes. Closes-Bug: 1679202 Change-Id: I9cdfd115add8c0d2d3ae6802e7bde007c1677c67 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-04-03Use correct manage_firewall hieradataBen Nemec2-3/+3
The manage_firewall hieradata was moved to tripleo::firewall::manage_firewall but some of the references to it were not updated, which makes it impossible to completely disable the firewall rules. Change-Id: I5f40f3b8b07bd312cce862aa319b8a1ef331ee49 Closes-Bug: 1679189
2017-04-03Configure migration SSH tunnelOliver Walsh3-20/+189
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
2017-04-03Deploy WSGI apps at the same step (3)Emilien Macchi5-8/+8
So we avoid useless apache restart and save time during the deployment. Related-Bug: #1664418 Change-Id: Ie00b717a6741e215e59d219710154f0d2ce6b39e
2017-04-02Move horizon to step 3Alex Schultz4-1/+65
We configure apache in step 3 so horizon should be configured at the same time or else updates will cause horizon to be unvailable during the update process. Change-Id: I4032f7c24edc0ff9ed637e213870cdd3beb9a54e Closes-Bug: #1678338
2017-04-02Merge "Decouple ceilometer user create from API"Jenkins2-1/+9
2017-03-30Add tunnel timeout for ui proxy containerDan Trainor2-0/+12
Add an explicit tunnel timeout configuration option to increase the tunnel timeout for persistent socket connections from two minutes (2m) to one hour (3600s). A configuration was already present to apply a tunnel timeout to the zaqar_ws endpoint, but that only applies to connections made directly to the zaqar_ws endpoint directly. Since UI now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout is now applied for the same reasons to the ui haproxy server. Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb Closes-Bug: 1672826
2017-03-30Merge "Add missing include of ::ec2api::keystone::authtoken"Jenkins1-0/+1
2017-03-30Merge "Fix deprecated eqlx parameters"Jenkins1-3/+3
2017-03-30Decouple ceilometer user create from APIPradeep Kilambi2-1/+9
Ceilometer user is needed for other ceilometer services to authenticate with keystone even when API is not present. So the data can be dispatched to gnocchi. Lets keep these separate so user always exists even when api is not. Depends-On: Iffebd40752eafb1d30b5962da8b5624fb9df7d48 Closes-bug: #1677354 Change-Id: I8f4e543a7cef5e50a35a191fe20e276d518daf20
2017-03-30Merge "Tuned should be configured properly"Jenkins2-0/+64
2017-03-30Fix missing groups for fluentd userMartin Mágr1-78/+82
This patch moves fluentd deployment to step 4 (the same as openstack services) and makes resource for user fluentd be dependent on all openstack packages, so that we avoid errors such as "usermod: group 'cinder' does not exist". Change-Id: Ibabd4688c00c6a12ea22055c95563d906716954d
2017-03-30Merge "securetty: use validate_array for tty list"Jenkins1-2/+4
2017-03-30Merge "Move neutron profile out of step 4"Jenkins1-2/+3
2017-03-30Refactor enabled languages from an array to a hashHonza Pokorny2-4/+21
Change-Id: I5173361818508849e5012a943a984af69d9d08cd Depends-On: I2d28d9019e8bcf9f6b8ef5698958932d44321679 Closes-Bug: #1668978
2017-03-30securetty: use validate_array for tty listJuan Antonio Osorio Robles1-2/+4
Change-Id: I1e79407ec6f360a2b205cec6cf8e812a11b799ea
2017-03-30Merge "Adds service for managing securetty"Jenkins4-0/+128
2017-03-30Merge "Qpid dispatch router puppet profile"Jenkins1-0/+54
2017-03-29Adds service for managing securettylhinds4-0/+128
This adds the ability to manage the securetty file. By allowing management of securetty, operators can limit root console access and improve security through hardening. Change-Id: Ic4647fb823bd112648c5b8d102913baa8b4dac1c Closes-Bug: #1665042