aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-08-11Do not create fs and server side key from manilaJan Provaznik2-28/+5
Both fs and key are handled by ceph-ansible, move fs and key creation out of manila manifest to assure that it works with and without ceph-ansbile. Client-side manila key is created from ceph-mds and ceph-external templates in I6308a317ffe0af244396aba5197c85e273e69f68. Depends-On: I6308a317ffe0af244396aba5197c85e273e69f68 Partially-Implements: blueprint nfs-ganesha Change-Id: I2b5567a39ac8737e80758b705818cc1807dc8bf1
2017-08-11HAProxy: Set listen options for internal services tooJuan Antonio Osorio Robles1-0/+1
This was missed from a previous commit, as described in the bug report. We need to set this variable in this case as well, else it will use the undefined variable, thus ignoring anything that the user had set. Change-Id: I6810e7bb3eed16a6478974ac759c3f720a41120a Closes-Bug: #1709332
2017-08-11Modify resource dependencies of certmonger_user resourcesJuan Antonio Osorio Robles2-7/+11
In a containerized environment the haproxy class might not be defined, so this was made optional. On the other hand, this also retrieves the CRL before any certmonger_certificate resources are created. bp tls-via-certmonger-containers Change-Id: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
2017-08-10Do not include manila ceph key resource twiceJan Provaznik1-10/+12
When mds creates manila key [1], then manila manifest needs to check first if this resource already exists otherwise puppet fails. [1] I6308a317ffe0af244396aba5197c85e273e69f68 Change-Id: I3f18bbe476c4f43fa4e162cc66c5df443122cd0c
2017-08-10Merge "Enable TLS configuration for containerized RabbitMQ"Jenkins1-52/+76
2017-08-09Merge "Use clustercheck credentials to poll galera state in container"Jenkins1-3/+8
2017-08-09Enable TLS configuration for containerized HAProxyDamien Ciabrini1-18/+97
In non-containerized deployments, HAProxy can be configured to use TLS for proxying internal services. Fix the creation of the of the haproxy bundle resource to enable TLS when configured. The keys and certs files, as well as the crl file are all passed as configuration files and must be copied by Kolla at container startup. Change-Id: I4b72739446c63f0f0ac9f859314a4d6746e20255 Partial-Bug: #1709563
2017-08-09Merge "Enable innodb_buffer_pool_size configuration"Jenkins2-8/+18
2017-08-09Enable TLS configuration for containerized RabbitMQDamien Ciabrini1-52/+76
In non-containerized deployments, RabbitMQ can be configured to use TLS for serving and mirroring traffic. Fix the creation of the rabbitmq bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9 Partial-Bug: #1709558
2017-08-07Merge "Update swift-proxy unit tests for puppet5"Jenkins1-1/+3
2017-08-07Run online_data_migrations for Ironic on upgradeDmitry Tantsur1-2/+3
This only enables correct offline upgrade for now, proper rolling upgrade support will follow in the Queens release. Change-Id: Iebbd0c6dfc704ba2e0b5176d607354dd31f13a0d Depends-On: I548c80cf138b661ba3a5e45a6dfe8711f3322ed0 Partial-Bug: #1708149
2017-08-07Merge "Update link addresses in README.md"Jenkins1-3/+3
2017-08-06Update swift-proxy unit tests for puppet5Emilien Macchi1-1/+3
The latest version of puppet now require the class dependencies included in the unit tests. Change-Id: I0b6462f697f2d8012f8a785660c004f3efb13fdc
2017-08-06Enable TLS configuration for containerized GaleraDamien Ciabrini1-74/+118
In non-containerized deployments, Galera can be configured to use TLS for gcomm group communication when enable_internal_tls is set to true. Fix the creation of the mysql bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: If845baa7b0a437c28148c817b7f94d540ca15814 Partial-Bug: #1708135
2017-08-05Merge "Enable encryption of pacemaker traffic by default"Jenkins2-2/+24
2017-08-05Merge "Update openstackdocstheme>=1.16.0"Jenkins1-1/+1
2017-08-04Merge "Configure dockerd with --iptables=false"Jenkins2-3/+3
2017-08-04Merge "Ensure directory exists for certificates for haproxy"Jenkins3-0/+61
2017-08-03Enable innodb_buffer_pool_size configurationMike Bayer2-8/+18
Adds a hiera-enabled setting for mysql.pp to allow configuration of innodb_buffer_pool_size, a key configurational element for MySQL performance tuning. Change-Id: Iabdcb6f76510becb98cba35c95db550ffce44ff3 Closes-bug: #1704978
2017-08-03Configure dockerd with --iptables=falseDan Prince2-3/+3
This change defaults --iptables=false for dockerd to avoid having Docker create its own FORWARD iptables rules. These rules can interact with normal OS networking rules and disable communications between hosts on reboot. Change-Id: I875fa14f7d810c7f0aba3b3a1b04b60a19470f0f Closes-bug: #1708279
2017-08-03Update link addresses in README.mdzhangdebo19871-3/+3
Change-Id: I0ad611bd669e9fb5f119237034dca347641c74b5
2017-08-02Use normal socket file permissions instead of polkitOliver Walsh4-137/+62
The default (on RHEL/CentOS) is to use polkit but this is only useful for GUI support or for fine grained API access control. As we don't require either we can achieve identical control using plain old unix filesystem permissions. I've merged Sven's changes from https://review.openstack.org/484979 and https://review.openstack.org/487150. As we need to be careful with the libvirtd option quoting I think it's best to do this in puppet-tripleo instead of t-h-t yaml. The option to override the settings from t-h-t remains. Co-Authored-By: Sven Anderson <sven@redhat.com> Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Closes-bug: 1696504 Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2 Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
2017-08-02Merge "Support for Dell EMC Unity Cinder Driver"Jenkins3-12/+129
2017-08-02Ensure directory exists for certificates for haproxyJuan Antonio Osorio Robles3-0/+61
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating this directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: Iba3adb9464a755e67c6f87d1233b3affa8be565a
2017-08-01Enable encryption of pacemaker traffic by defaultJuan Antonio Osorio Robles2-2/+24
We already are setting a pre-shared key by default for the pacemaker cluster. This was done in order to communicate with TLS-PSK with pacemaker-remote clusters. This key is also useful for us to enable encrypted traffic for the regular cluster traffic, which we enable by default with this patch. Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf
2017-07-31Merge "Enable TLS for the HAProxy stats interface"Jenkins4-28/+199
2017-07-31Use clustercheck credentials to poll galera state in containerDamien Ciabrini1-3/+8
The clustercheck service currently connects to mysql as root to poll the state of the galera cluster. Update the generated config to use clustercheck credentials. Depends-On: If8e0b3f9e4f317fde5328e71115aab87a5fa655f Closes-Bug: #1707683 Change-Id: I4ee6e1f56a7880ccf456f5c08d26a267fb810361
2017-07-31Merge "Prevent haproxy to run iptables during docker-puppet configuration"Jenkins4-4/+32
2017-07-31Enable TLS for the HAProxy stats interfaceJuan Antonio Osorio Robles4-28/+199
This creates a new class for the stats interface and furtherly configures it to also use the certificates that are provided by certmonger (via the internal_certificates_specs variable). Note that the already existing haproxy_stats_certificate still works and will take precedence if it's set. bp tls-via-certmonger Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
2017-07-31Update openstackdocstheme>=1.16.0ZhongShengping1-1/+1
Change-Id: I69f9af4191cf7148d517f56c77da739c1a06b49f
2017-07-30Fix legacy nova/cinder encryption key manager configurationAlan Bishop5-7/+46
Recent changes in Nova [0] and Cinder [1] result in Barbican being selected as the default encryption key manager, even when TripleO is not deploying Barbican. This change ensures the legacy key manager is enabled when no key manager (such as Barbican) has been specified. This restores the previous behavior, where the legacy key manager was enabled by default. [0] https://review.openstack.org/484501 [1] https://review.openstack.org/485322 Closes-Bug: #1706389 Change-Id: Idc92f7a77cde757538eaac51c4ad8dc397f9c3d3
2017-07-28Support for Dell EMC Unity Cinder Driverrajinir3-12/+129
This changes adds Dell EMC Unity backend as composable service and matches the tripleo-heat-templates. Change-Id: I015f7dfec4bedf72332d91b91cda3ef1dc8caf8c
2017-07-27Replace enabled languages with excluded languages in UIHonza Pokorny2-30/+14
Change-Id: I14d2c8d11abb1df17759e2a9d4ae6b9ccebbe30f Depends-On: Idf5a3314c19be18ca6cabbae1e94bc7cb1d1fe94
2017-07-27Handle SSL options for ZaqarThomas Herve2-5/+44
This allows running Zaqar with SSL under Apache. Change-Id: I4c68a662c2433398249f770ac50ba0791449fe71
2017-07-27Prevent haproxy to run iptables during docker-puppet configurationDamien Ciabrini4-4/+32
When docker-puppet runs module tripleo::haproxy to generate haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to lack of NET_ADMIN capability. Make the generation of firewall rule configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when being run through docker-puppet. Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9 Partial-Bug: #1697921
2017-07-27Fix nova and selinux unit testsAlex Schultz4-9/+32
The unit tests jobs are failing because of missing pre conditions for the new shared class introduced by Ib233689fdcdda391596d01a21f77bd8e1672ae04. Additionally this change moved some classes around so that the tests are now failing due to duplicate class declarations for nova::compute::libvirt::services. This change moves the include that pulls in the declaration first prior to the include that exists in tripleo::profile::base::nova::libvirt. The selinux test was also failing due to a type issue with the fact being used (boolean vs string) Change-Id: I5bd4b61d6008820729d58f7743e7e61955dd6f51 Closes-Bug: #1707034
2017-07-27Merge "Move gnocchi::api resource to run with wsgi setup"Jenkins1-1/+1
2017-07-27Merge "Configure redis as incoming storage driver in gnocchi"Jenkins2-0/+11
2017-07-26Move gnocchi::api resource to run with wsgi setupJuan Antonio Osorio Robles1-1/+1
Having this run in step 4 causes a refresh (restart) for httpd, which in turn is problematic for the gnocchi db upgrade command, since when it runs httpd is not available at that point. This fixes the issue, since the API configuration is now ran at the same time as the wsgi bits. Change-Id: Ie0ab389a4450bb940757e34d1964423911885fa3
2017-07-26Pass 'false' docroot to vhost for tls_proxyJuan Antonio Osorio Robles1-1/+1
passing undef causes a failure since due to a recent commit [1] the resource now does proper validation of the parameters. [1] https://github.com/puppetlabs/puppetlabs-apache/commit/d6952b21ec66d7ce8b69dd0c2f2a0debca54e18f Change-Id: I6dc1e5820a1f4fe449d254d301738e1073f4b82b Closes-Bug: #1706026
2017-07-24Configure redis as incoming storage driver in gnocchiPradeep Kilambi2-0/+11
puppet support for this is added in Id8d4d091da2611de75390e045ebd473caf2a8909 Change-Id: I3354b54571a1b9d0a9187698217628d273cd7d7e
2017-07-24Merge "Puppet module to deploy Manila Share bundle for HA"Jenkins1-0/+136
2017-07-24Merge "Release pike-3"Jenkins2-3/+3
2017-07-24Merge "Deprecates using exec workaround for ODL clustering"Jenkins5-98/+12
2017-07-24Merge "Fix lint issues to upgrade to puppet-lint 2.3"Jenkins11-37/+37
2017-07-24Release pike-3Emilien Macchi2-3/+3
Change-Id: I317efb369dc0a6cd4ec9eefb6678d14caba784f9
2017-07-22Merge "Make calls to nova::compute::rbd from libvirt profile"Jenkins3-19/+50
2017-07-21Deprecates using exec workaround for ODL clusteringTim Rozet5-98/+12
Previously we had used an exec defined in puppet-tripleo to do clustering with OpenDaylight docker containers. The clustering issue is now fixed in puppet-opendaylight by: https://git.opendaylight.org/gerrit/#/c/60491 So removing the custom function and class workaround. Also, 'ha_node_index' is deprecated for configuring clustering with puppet-opendaylight so that is also removed. Depends-On: I21c1eb2eff6d4cb855eff4a1122f55ad625d84cc Change-Id: I7693b692c74071945fdcc08292542e9b458a540b Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-07-21Fix lint issues to upgrade to puppet-lint 2.3Carlos Camacho11-37/+37
2017-07-20 15:09:38.571317 | manifests/glance/nfs_mount.pp:65:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571430 | manifests/pacemaker/haproxy_with_vip.pp:107:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571473 | manifests/pacemaker/haproxy_with_vip.pp:108:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571511 | manifests/pacemaker/haproxy_with_vip.pp:109:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571551 | manifests/pacemaker/resource_restart_flag.pp:44:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571590 | manifests/profile/base/cinder/volume/nfs.pp:72:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571625 | manifests/profile/base/docker.pp:188:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571661 | manifests/profile/base/docker.pp:210:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571699 | manifests/profile/base/logging/fluentd.pp:79:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571735 | manifests/profile/base/pacemaker.pp:107:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571773 | manifests/profile/base/swift/ringbuilder.pp:97:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571811 | manifests/profile/base/swift/ringbuilder.pp:125:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571850 | manifests/profile/base/swift/ringbuilder.pp:130:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571889 | manifests/profile/pacemaker/ceph/rbdmirror.pp:79:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571927 | manifests/profile/pacemaker/cinder/backup.pp:66:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571965 | manifests/profile/pacemaker/ovn_northd.pp:96:WARNING: arrow should be on the right operand's line Change-Id: I9393c5e04310cf84695531df9bb16f33e7e15abb
2017-07-21Fix up the control-port for rabbitmq bundlesMichele Baldessari3-5/+5
Mistakenly this was set to 3121 which is the same port that pacemaker remote uses. Move this to 3122 which was the plan all along. Also fix a wrong port comment in redis and mysql at the same time. Change-Id: Iccca6a53a769570443091577c7d86f47119d9cbb