summaryrefslogtreecommitdiffstats
path: root/manifests/profile/base
AgeCommit message (Collapse)AuthorFilesLines
2017-08-15Merge "Use rabbitmq ipv6 flag"Jenkins1-11/+4
2017-08-14Merge "Fix legacy nova/cinder encryption key manager configuration"Jenkins2-2/+20
2017-08-14Use rabbitmq ipv6 flagJohn Eckersberg1-11/+4
The internal details of enabling IPv6 have moved upstream[1], so just set the ipv6 flag when desired and don't worry about the details anymore! [1] https://github.com/puppetlabs/puppetlabs-rabbitmq/pull/552 Closes-Bug: #1710658 Change-Id: Ib22507c4d02f0fae5c0189ab7e040efac3df7e2f
2017-08-12Merge "Run online_data_migrations for Ironic on upgrade"Jenkins1-2/+3
2017-08-11Merge "Modify resource dependencies of certmonger_user resources"Jenkins1-1/+4
2017-08-11Modify resource dependencies of certmonger_user resourcesJuan Antonio Osorio Robles1-1/+4
In a containerized environment the haproxy class might not be defined, so this was made optional. On the other hand, this also retrieves the CRL before any certmonger_certificate resources are created. bp tls-via-certmonger-containers Change-Id: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
2017-08-09Merge "Enable innodb_buffer_pool_size configuration"Jenkins1-8/+14
2017-08-07Run online_data_migrations for Ironic on upgradeDmitry Tantsur1-2/+3
This only enables correct offline upgrade for now, proper rolling upgrade support will follow in the Queens release. Change-Id: Iebbd0c6dfc704ba2e0b5176d607354dd31f13a0d Depends-On: I548c80cf138b661ba3a5e45a6dfe8711f3322ed0 Partial-Bug: #1708149
2017-08-05Merge "Enable encryption of pacemaker traffic by default"Jenkins1-2/+18
2017-08-04Merge "Configure dockerd with --iptables=false"Jenkins1-2/+2
2017-08-04Merge "Ensure directory exists for certificates for haproxy"Jenkins1-0/+1
2017-08-03Enable innodb_buffer_pool_size configurationMike Bayer1-8/+14
Adds a hiera-enabled setting for mysql.pp to allow configuration of innodb_buffer_pool_size, a key configurational element for MySQL performance tuning. Change-Id: Iabdcb6f76510becb98cba35c95db550ffce44ff3 Closes-bug: #1704978
2017-08-03Configure dockerd with --iptables=falseDan Prince1-2/+2
This change defaults --iptables=false for dockerd to avoid having Docker create its own FORWARD iptables rules. These rules can interact with normal OS networking rules and disable communications between hosts on reboot. Change-Id: I875fa14f7d810c7f0aba3b3a1b04b60a19470f0f Closes-bug: #1708279
2017-08-02Use normal socket file permissions instead of polkitOliver Walsh2-58/+17
The default (on RHEL/CentOS) is to use polkit but this is only useful for GUI support or for fine grained API access control. As we don't require either we can achieve identical control using plain old unix filesystem permissions. I've merged Sven's changes from https://review.openstack.org/484979 and https://review.openstack.org/487150. As we need to be careful with the libvirtd option quoting I think it's best to do this in puppet-tripleo instead of t-h-t yaml. The option to override the settings from t-h-t remains. Co-Authored-By: Sven Anderson <sven@redhat.com> Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Closes-bug: 1696504 Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2 Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
2017-08-02Merge "Support for Dell EMC Unity Cinder Driver"Jenkins2-12/+72
2017-08-02Ensure directory exists for certificates for haproxyJuan Antonio Osorio Robles1-0/+1
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating this directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: Iba3adb9464a755e67c6f87d1233b3affa8be565a
2017-08-01Enable encryption of pacemaker traffic by defaultJuan Antonio Osorio Robles1-2/+18
We already are setting a pre-shared key by default for the pacemaker cluster. This was done in order to communicate with TLS-PSK with pacemaker-remote clusters. This key is also useful for us to enable encrypted traffic for the regular cluster traffic, which we enable by default with this patch. Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf
2017-07-31Merge "Prevent haproxy to run iptables during docker-puppet configuration"Jenkins1-0/+7
2017-07-30Fix legacy nova/cinder encryption key manager configurationAlan Bishop2-2/+20
Recent changes in Nova [0] and Cinder [1] result in Barbican being selected as the default encryption key manager, even when TripleO is not deploying Barbican. This change ensures the legacy key manager is enabled when no key manager (such as Barbican) has been specified. This restores the previous behavior, where the legacy key manager was enabled by default. [0] https://review.openstack.org/484501 [1] https://review.openstack.org/485322 Closes-Bug: #1706389 Change-Id: Idc92f7a77cde757538eaac51c4ad8dc397f9c3d3
2017-07-28Support for Dell EMC Unity Cinder Driverrajinir2-12/+72
This changes adds Dell EMC Unity backend as composable service and matches the tripleo-heat-templates. Change-Id: I015f7dfec4bedf72332d91b91cda3ef1dc8caf8c
2017-07-27Handle SSL options for ZaqarThomas Herve1-5/+43
This allows running Zaqar with SSL under Apache. Change-Id: I4c68a662c2433398249f770ac50ba0791449fe71
2017-07-27Prevent haproxy to run iptables during docker-puppet configurationDamien Ciabrini1-0/+7
When docker-puppet runs module tripleo::haproxy to generate haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to lack of NET_ADMIN capability. Make the generation of firewall rule configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when being run through docker-puppet. Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9 Partial-Bug: #1697921
2017-07-27Fix nova and selinux unit testsAlex Schultz1-2/+2
The unit tests jobs are failing because of missing pre conditions for the new shared class introduced by Ib233689fdcdda391596d01a21f77bd8e1672ae04. Additionally this change moved some classes around so that the tests are now failing due to duplicate class declarations for nova::compute::libvirt::services. This change moves the include that pulls in the declaration first prior to the include that exists in tripleo::profile::base::nova::libvirt. The selinux test was also failing due to a type issue with the fact being used (boolean vs string) Change-Id: I5bd4b61d6008820729d58f7743e7e61955dd6f51 Closes-Bug: #1707034
2017-07-27Merge "Move gnocchi::api resource to run with wsgi setup"Jenkins1-1/+1
2017-07-26Move gnocchi::api resource to run with wsgi setupJuan Antonio Osorio Robles1-1/+1
Having this run in step 4 causes a refresh (restart) for httpd, which in turn is problematic for the gnocchi db upgrade command, since when it runs httpd is not available at that point. This fixes the issue, since the API configuration is now ran at the same time as the wsgi bits. Change-Id: Ie0ab389a4450bb940757e34d1964423911885fa3
2017-07-24Configure redis as incoming storage driver in gnocchiPradeep Kilambi1-0/+5
puppet support for this is added in Id8d4d091da2611de75390e045ebd473caf2a8909 Change-Id: I3354b54571a1b9d0a9187698217628d273cd7d7e
2017-07-24Merge "Deprecates using exec workaround for ODL clustering"Jenkins3-94/+2
2017-07-24Merge "Fix lint issues to upgrade to puppet-lint 2.3"Jenkins5-23/+24
2017-07-22Merge "Make calls to nova::compute::rbd from libvirt profile"Jenkins3-19/+50
2017-07-21Deprecates using exec workaround for ODL clusteringTim Rozet3-94/+2
Previously we had used an exec defined in puppet-tripleo to do clustering with OpenDaylight docker containers. The clustering issue is now fixed in puppet-opendaylight by: https://git.opendaylight.org/gerrit/#/c/60491 So removing the custom function and class workaround. Also, 'ha_node_index' is deprecated for configuring clustering with puppet-opendaylight so that is also removed. Depends-On: I21c1eb2eff6d4cb855eff4a1122f55ad625d84cc Change-Id: I7693b692c74071945fdcc08292542e9b458a540b Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-07-21Fix lint issues to upgrade to puppet-lint 2.3Carlos Camacho5-23/+24
2017-07-20 15:09:38.571317 | manifests/glance/nfs_mount.pp:65:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571430 | manifests/pacemaker/haproxy_with_vip.pp:107:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571473 | manifests/pacemaker/haproxy_with_vip.pp:108:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571511 | manifests/pacemaker/haproxy_with_vip.pp:109:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571551 | manifests/pacemaker/resource_restart_flag.pp:44:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571590 | manifests/profile/base/cinder/volume/nfs.pp:72:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571625 | manifests/profile/base/docker.pp:188:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571661 | manifests/profile/base/docker.pp:210:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571699 | manifests/profile/base/logging/fluentd.pp:79:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571735 | manifests/profile/base/pacemaker.pp:107:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571773 | manifests/profile/base/swift/ringbuilder.pp:97:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571811 | manifests/profile/base/swift/ringbuilder.pp:125:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571850 | manifests/profile/base/swift/ringbuilder.pp:130:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571889 | manifests/profile/pacemaker/ceph/rbdmirror.pp:79:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571927 | manifests/profile/pacemaker/cinder/backup.pp:66:WARNING: arrow should be on the right operand's line 2017-07-20 15:09:38.571965 | manifests/profile/pacemaker/ovn_northd.pp:96:WARNING: arrow should be on the right operand's line Change-Id: I9393c5e04310cf84695531df9bb16f33e7e15abb
2017-07-19Merge "PS Cinder: Added support for password less login"Jenkins1-0/+1
2017-07-19Make calls to nova::compute::rbd from libvirt profileGiulio Fidente3-19/+50
Some of the tasks carried by nova::compute::rbd class apply libvirt. Change-Id: Ib233689fdcdda391596d01a21f77bd8e1672ae04 Depends-On: I28557deb13b75922932cd3e86c3467a541c988d0
2017-07-18PS Cinder: Added support for password less loginrajinir1-0/+1
Added missing san_private_key parameter used for password less SSH authentication. Change-Id: Ia9857064692681172573e9092b53a352cd776cbd Depends-On: 0743d42ed1ed66e08ab7f4355145b4c06c589801
2017-07-18Merge "Create a Mesh of qdrouterd links for messaging high availability"Jenkins1-5/+67
2017-07-18Merge "Allow disabling udev usage by LVM"Jenkins1-0/+40
2017-07-18Merge "Retry ceilometer-upgrade"Jenkins1-2/+10
2017-07-17Merge "Modified glance stores parameter values"Jenkins1-4/+4
2017-07-16Create a Mesh of qdrouterd links for messaging high availabilityJohn Eckersberg1-5/+67
For multi-node deployments of the dispatch router, a mesh of inter-router links is created. Note that bi-directional links must not be configured. Example: For nodes A, B, C Node Inter-Router Link A: [] B: [A] C: [A,B] Change-Id: If43beea7a53c1f8f1dff062341c7ea81751c3122
2017-07-16Retry ceilometer-upgradeAlex Schultz1-2/+10
When the ceilometer-upgrade command is run in step5, it talks to gnocchi and keystone on all the controllers. Since these other nodes might have httpd restarted mid-upgrade we should retry if we get a failure. Change-Id: I874cf9c34b41d055a258704dabe9150eab0f7968 Closes-Bug: #1703444
2017-07-15Merge "Add new profile for the Veritas HyperScale's cinder backend."Jenkins5-7/+73
2017-07-14Merge "Add insecure_registry_address to docker profile"Jenkins1-11/+23
2017-07-14Modified glance stores parameter valuesPranaliD1-4/+4
The stores parameter should be set with the new parameters as they are going to be deprecated in the old method. Change-Id: If272345e96988778ceccb8f2f624db1c38aea365 Closes-Bug: 1704327
2017-07-14Add new profile for the Veritas HyperScale's cinder backend.abhishek.kane5-7/+73
Add new hook in the keystone profile for Veritas HyperScale. Add new hook in the rabbitmq profile for Veritas HyperScale. Add new hook in the mysql profile for Veritas HyperScale. Change-Id: I9168bffa5c73a205d1bb84b831b06081c40af549 Depends-On: I316b22f4f7f9f68fe5c46075dc348a70e437fb1d Depends-On: Id188af5e2f7bf628a97a70b8f20bef28e42b372d Signed-off-by: abhishek.kane <abhishek.kane@veritas.com> Signed-off-by: Dnyaneshwar Pawar <dnyaneshwar.pawar@veritas.com>
2017-07-13Merge "Refactor iscsi initiator-name reset into separate profile"Jenkins2-13/+45
2017-07-13Merge "Fix mysql client config generation with containerized environment"Jenkins1-12/+27
2017-07-13Add insecure_registry_address to docker profileDan Prince1-11/+23
This patch adds a new insecure_registry_address parameter to the docker profile. This parameter is meant to replace two deprecated parameters which did the same thing. Co-Authored-By: Ian Main <imain@redhat.com> Change-Id: I729fa00175cb36b02b882d729aae5ff06d0e3fbc
2017-07-13Remove dependency on memcached_node_ips_v6Steven Hardy3-27/+26
This is set via all_nodes_config in t-h-t, but it's a special case for this service, so it'll be better if we handle the ipv6 transformation in puppet instead of relying on the service specific list mangling in t-h-t (one aspect of which has been identified as a potential performance problem). Related-Bug: #1684272 Change-Id: Iccb9089db4b382db3adb9340f18f6d2364ca7f58
2017-07-12Merge "Refactor nova migration config into client & target profiles"Jenkins6-146/+271
2017-07-12Fix mysql client config generation with containerized environmentDamien Ciabrini1-12/+27
When the tripleo::profile::base::database::mysql::client profile is included by other openstack services, the file /etc/my.cnf.d/tripleo.cnf is not generated because docker-puppet is configured to disregard the exec tags. Make the profile use either File or Exec resource based on how it's being called, to make it work for both containerized and non-containerized use cases. Change-Id: I103baa02373f6713cc300ac039a6f173ff0bbf1c