An error (e.g. a typo) in a custom tripleo-heat-templates environment
file could lead to an invalid Match block in /etc/ssh/sshd_config.
SSH fails safe and refuses all logins in this case.
This change validates that the migration_ssh_localaddrs parameter is an
array of IP addresses and removes any duplicate entries.
Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #1688308
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
This patch configures SSH tunneling for nova cold-migration and reuses the
tunnel for libvirt live-migration unless TLS has been enabled.
Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
We can remove the sprintf todo comment (Already fixed).
Change-Id: I407cbf015ccd23a28ee01a669d397479277b4fd3
os_transport_url was updated to allow receiving
a string or an integer as parameter.
Fixes the workarounds in puppet-tripleo
Change-Id: I50993514048bf96b5a42b3425a7d6f98778fe694
Depends-On: I9e56f8e2de542b20fe9e6995506cff5bb435e220
This commit adds the transport_url for specifying the oslo.messaging
rpc and notify transport schemes. The rpc or notification backend
can be one of rabbit, amqp, zmq, etc. Oslo.messaging is deprecating
the host, port and auth configuration options. All drivers will
get the options via the transport_url.
This patch:
* Adds transport_url to base services
* Updates the corresponding specs
* Adds to default hierdata
Depends-On: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40
Change-Id: Iea5607dbb3ee6b1dd50acc1395de52dc920aa915
nova placement credentials in nova.conf need to be configured at step 3
so Nova services can use them as soon as they start.
Change-Id: I0abdd305b7e6c8d83f23e25b3872e98eb56dd299
nova::placement needs to be declared on more than the placement API node,
because the credentials are used by different services (at least
nova-compute now).
This patch moves the class to base/nova.pp, at the same step.
So compute nodes will have the credentials and will be able to use
Placement API on multinode environments.
Change-Id: Iada8e9fcccec7dbfe7ac0ec0f9ec6eac1581290e
This change fixes the hiera calls in the base nova profile to use the
parameter rather than continue to call hiera. Additionally this change
includes basic test coverage for the various nova profiles.
Change-Id: If393606eeb3c39ed3a2655bd89c5c276a9cf106e
Having the db_sync code live in the mysql profile causes
coupling that doesn't work unless your MySQL server has the
latest Nova packages installed. This may not work for some
baremetal setups (where an isolated database exists) or
with containers where the MySQL container definitely doesn't
have nova packages installed.
Moving this code into the nova-api role also matches where we
were already db syncing the normal API database so it should be
fine and safe.
Change-Id: Ib625e2ac9c8d6bd1d335c58e291facc4ea5839ae
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Configure Nova with new Oslo Messaging parameters for RabbitMQ.
Note: parameters are renamed to be standard, so it will help a future
transition to another backend in TripleO.
Change-Id: Ia67a4dbe5b2bd12c45308a5581f96d0457b8e018
This replaces the services' IP-based RabbitMQ configuration and uses
FQDNs instead.
Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
This patch changes the rabbit_hosts config generation to work properly
with IPv6 addresses.
Closes-Bug: #1639881
Change-Id: I07cd983880a4a75a051e081dcb96134cb5c6f5e8
We use the rabbit_hosts configuration for most of our services but we
haven't been adding the configured port. This patch appends the IP port
provided to the service's heat template to the IPs in the list.
Note: while we could use the value set for the rabbitmq server in
rabbitmq::port, it doesn't allow for dealing with SSL. This is also
backwards compatible with the RabbitClientPort parameters used in the
heat templates.
Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
Closes-Bug: #1633580
Instead of hard-coded yaml aliases in t-h-t, make each service
profile that requires rabbit default to the list of rabbit ips.
Note this could still be extended in future to e.g. enable per
service rabbit clusters, but the default is to look up the
hiera, which should be logically equivalent to current t-h-t.
Change-Id: Ie53c93456529420588eb1927703ea91b54095d87
Partially-Implements: blueprint custom-roles
These hiera keys aren't aligned with the service names, which
will be required for composable generation of the ip lists
per service.
Change-Id: I423b544df174254ac511b906b0c570e701678022
Depends-On: I7febf28bf409e25e8e5961ab551b6d56bb11e0c6
Partially-Implements: blueprint custom-roles
As we are starting to manually check overcloud services,
the first step is to check that the puppet profiles
are all aligned.
Changes applied:
No logic added or removed in this submission.
Removed unused parameters.
Align header comments structure.
All profiles parameters sorted following:
"Mandatory params first sorted alphabetically
then optional params sorted alphabetically."
Note: Following submissions will check pacemaker,
cinder, mistral and redis services in the base profiles
as some of them have the $pacemaker_master parameter
defaulted to true.
Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
Nova {} workaround is not working correctly, we need to merge this patch
so we can move out ::nova from THT completely.
Also we need to use nova::cache to configure memcached parameters.
Co-Authorized-By: Giulio Fidente <gfidente@redhat.com>
Co-Authorized-By: Sven Anderson <sven@redhat.com>
Co-Authorized-By: Emilien Macchi <emilien@redhat.com>
Depends-On: I52d5badb9960124bb8fcb54983db2853c4185e77
Depends-On: I3e400a5f64b85f0d374fc02cc5e4080d19d0f2e4
Depends-On: Iee5f8015cbf40ca0e9a435a7de919ebdb74cf93f
Change-Id: Ie4e72e765f6a8ade48d4b2b766f067872554d1a2
Allow to enable/disable migration bits from a single place, and select
which services are running on a node.
The use case here is to allow container deployments where libvirt &
nova-compute are separated.
Also support collocation for backward compatibility.
Change-Id: I0b765f8cb08633005c1fc5a5a2a8e5658ff44302
Import ::nova class with memcached parameter computed from Hiera, that
was previously in THT, now in nova-base role.
Use step 3 for ::nova since we need it for database resources.
Also make sure nova base profile is included for conductor role and any
nova pacemaker role.
Change-Id: I45244861082edae616f2b82334e7678cefa97bc7
Implements: blueprint refactor-puppet-manifests
This patch implements the base for Nova profiles.
It's a first iteration to deploy Nova using composable roles.
Implements: blueprint refactor-puppet-manifests
Change-Id: I8253e4b61484047948e222e68408e417d2787fb7