path: root/manifests/profile/base/nova.pp
Age | Commit message | Author | Files | Lines
2017-05-05 | Handle duplicate/invalid entries in migration SSH inbound addresses | Oliver Walsh | 1 | -3/+7
An error (e.g. a typo) in a custom tripleo-heat-templates environment file could lead to an invalid match block in /etc/ssh/sshd_config. SSH fails-safe and refuses all logins in this case. This change validates the migration_ssh_localaddrs parameter is an array of IP addresses and removes any duplicate entries.
Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #1688308
2017-05-05 | Disable SSH login for nova_migration user when migration over ssh is disabled. | Oliver Walsh | 1 | -23/+34
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
2017-05-03 | Restrict nova migration ssh tunnel | Oliver Walsh | 1 | -58/+101
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.
Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-04-03 | Configure migration SSH tunnel | Oliver Walsh | 1 | -18/+69
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled.
Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
2017-02-26 | Remove todo comment | Carlos Camacho | 1 | -2/+0
We can remove the sprintf todo comment (Already fixed).
Change-Id: I407cbf015ccd23a28ee01a669d397479277b4fd3
2017-02-22 | Remove the string cast for using transport_url | Carlos Camacho | 1 | -2/+2
os_transport_url was updated to allow receiving a string or an integer as parameter. Fixes the workarounds in puppet-tripleo
Change-Id: I50993514048bf96b5a42b3425a7d6f98778fe694
Depends-On: I9e56f8e2de542b20fe9e6995506cff5bb435e220
2017-02-17 | Use rpc and notify transport_url for oslo_messaging backends | Andrew Smith | 1 | -32/+65
This commit adds the transport_url for specifying the oslo.messaging rpc and notify transport schemes. The rpc or notification backend can be one of rabbit, amqp, zmq, etc. Oslo.messaging is deprecating the host, port and auth configuration options. All drivers will get the options via the transport_url.
This patch:
* Adds transport_url to base services
* Updates the corresponding specs
* Adds to default hierdata
Depends-On: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40
Change-Id: Iea5607dbb3ee6b1dd50acc1395de52dc920aa915
2017-02-13 | nova: move placement credentials config at step 3 | Emilien Macchi | 1 | -1/+1
nova placement credentials in nova.conf need to be configured at step 3 so Nova services can use them as soon as they start.
Change-Id: I0abdd305b7e6c8d83f23e25b3872e98eb56dd299
2017-01-20 | Move nova::placement to common nova manifest | Emilien Macchi | 1 | -0/+1
nova::placement needs to be declared on more than placement api node, because credentials are used by different services (at least nova-compute now). This patch moves the class to base/nova.pp, at the same step. So compute nodes will have the credentials and will be able to use Placement API on multinode environments.
Change-Id: Iada8e9fcccec7dbfe7ac0ec0f9ec6eac1581290e
2017-01-09 | Rspec tests for nova profiles | Alex Schultz | 1 | -1/+1
This change fixes the hiera calls in the base nova profile to use the parameter rather than continue to call hiera. Additionally this change includes basic test coverage for the various nova profiles.
Change-Id: If393606eeb3c39ed3a2655bd89c5c276a9cf106e
2017-01-09 | Move nova cells db sync into nova-api profile | Dan Prince | 1 | -0/+7
Having the db_sync code live in the mysql profile causes coupling that doesn't work unless your MySQL server has the latest Nova packages installed. This may not work for some baremetal setups (where an isolated database exists) or with containers where the MySQL container definitely doesn't have nova packages installed. Moving this code into the nova-api role also matches where we were already db syncing the normal API database so it should be fine and safe.
Change-Id: Ib625e2ac9c8d6bd1d335c58e291facc4ea5839ae
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
2016-12-23 | nova: use transport_url for rabbitmq | Emilien Macchi | 1 | -12/+34
Configure Nova with new Oslo Messaging parameters for RabbitMQ. Note: parameters are renamed to be standard, so it will help a future transition to another backend in TripleO.
Change-Id: Ia67a4dbe5b2bd12c45308a5581f96d0457b8e018
2016-11-28 | Use FQDNs for the services' RabbitMQ configuration | Juan Antonio Osorio Robles | 1 | -4/+4
This replaces the services' IP-based RabbitMQ configuration and uses FQDNs instead.
Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
2016-11-08 | Add proper handling of IPv6 addresses for rabbit host/port handling | Brent Eagles | 1 | -1/+2
This patch changes the rabbit_hosts config generation to work properly with IPv6 addresses.
Closes-Bug: #1639881
Change-Id: I07cd983880a4a75a051e081dcb96134cb5c6f5e8
2016-10-17 | Add port to rabbitmq node ip list | Brent Eagles | 1 | -1/+6
We use the rabbit_hosts configuration for most of our services but we haven't been adding the configured port. This patch appends the IP port used provided to the service's heat template to the IPs in the list. Note: while we could use the value set for the rabbitmq server in rabbitmq::port, it doesn't allow for dealing with SSL. This is also backwards compatible with the RabbitClientPort parameters used in the heat templates.
Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
Closes-Bug: #1633580
2016-09-02 | Make service profiles default to rabbitmq_node_ips | Steven Hardy | 1 | -1/+8
Instead of hard-coded yaml aliases in t-h-t, make each service profile that requires rabbit default to the list of rabbit ips. Note this could still be extended in future to e.g. enable per service rabbit clusters, but the default is to lookup the hiera which should be logically equivalent to current t-h-t.
Change-Id: Ie53c93456529420588eb1927703ea91b54095d87
Partially-Implements: blueprint custom-roles
2016-08-11 | Align hiera keys with service names | Steven Hardy | 1 | -2/+2
These hiera keys aren't aligned with the service names, which will be required for composable generation of the ip lists per service.
Change-Id: I423b544df174254ac511b906b0c570e701678022
Depends-On: I7febf28bf409e25e8e5961ab551b6d56bb11e0c6
Partially-Implements: blueprint custom-roles
2016-08-08 | Fix parameters and headers inconsistency in the puppet manifests. | Carlos Camacho | 1 | -9/+9
As we are starting to manually check overcloud services the first step is to check that the puppet profiles are all aligned.
Changes applied:
No logic added or removed in this submission.
Removed unused parameters.
Align header comments structure.
All profiles parameters sorted following: "Mandatory params first sorted alphabetically then optional params sorted alphabetically."
Note: Following submissions will check pacemaker, cinder, mistral and redis services in the base profiles as some of them have the $pacemaker_master parameter defaulted to true.
Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
2016-07-27 | profile/base/nova: declare nova class and configure cache correctly. | Emilien Macchi | 1 | -9/+19
Nova {} workaround is not working correctly, we need to merge this patch so we can move out ::nova from THT completely. Also we need to use nova::cache to configure memcached parameters.
Co-Authorized-By: Giulio Fidente <gfidente@redhat.com>
Co-Authorized-By: Sven Anderson <sven@redhat.com>
Co-Authorized-By: Emilien Macchi <emilien@redhat.com>
Depends-On: I52d5badb9960124bb8fcb54983db2853c4185e77
Depends-On: I3e400a5f64b85f0d374fc02cc5e4080d19d0f2e4
Depends-On: Iee5f8015cbf40ca0e9a435a7de919ebdb74cf93f
Change-Id: Ie4e72e765f6a8ade48d4b2b766f067872554d1a2
2016-06-29 | nova: manage migration bits in a composable way | Emilien Macchi | 1 | -1/+26
Allow to enable/disable migration bits from a single place, and select which services are running on a node. The use case here is to allow container deployments where libvirt & nova-compute are separated. Also support collocation for backward compatibility.
Change-Id: I0b765f8cb08633005c1fc5a5a2a8e5658ff44302
2016-06-09 | Import ::nova class from THT | Emilien Macchi | 1 | -1/+13
Import ::nova class with memcached parameter computed from Hiera, that was previously in THT, now in nova-base role. Use step 3 for ::nova since we need it for database resources. Also make sure nova base profile is included for conductor role and any nova pacemaker role.
Change-Id: I45244861082edae616f2b82334e7678cefa97bc7
Implements: blueprint refactor-puppet-manifests
2016-06-04 | Implement Nova base profile | Emilien Macchi | 1 | -0/+32
This patch implements the base for Nova profiles. It's a first iteration to deploy Nova using composable roles.
Implements: blueprint refactor-puppet-manifests
Change-Id: I8253e4b61484047948e222e68408e417d2787fb7