summaryrefslogtreecommitdiffstats
path: root/manifests/profile/base
AgeCommit message (Collapse)AuthorFilesLines
2017-06-16Merge "Only set the stonith property on the pacemaker_master node"Jenkins2-10/+5
2017-06-15Fix redis when hostname has capital lettersAlex Schultz1-1/+1
The bootstrap_nodeid comparison should be case insensitive. Change-Id: I1e6672bb0219c1cf56ab21dd911c6f33e2436cc3 Closes-Bug: #1698190
2017-06-15Move gnocchi upgrade and api to step 4Pradeep Kilambi1-12/+12
gnocchi upgrade requires storage sacks to be initialized. This means we need to ensure the storage backends are up before running the upgrade and starting the api. Lets move the api to step 4 so we can ensure other dependencies are in place. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: Ibfa9fb39f60c1e4a802d189b32ff4c34476c93d3 Change-Id: If2ae48b21389e76fd638c0b48c148a5d4f227630
2017-06-14Only set the stonith property on the pacemaker_master nodeMichele Baldessari2-10/+5
It makes little sense to enforce the stonith property on remote nodes and/or all cluster nodes. We can just enforce it once on the pacemaker_master node as it is a cluster-wide property anyway. We can also remove the tripleo::fencing -> pacemaker::stonith constraint in the pacemaker remote profile now as the fencing stuff happens on step 5 anyway and the property is set at step 1. While this works in general it creates extra CIB changes for nothing and slows down the deployment. Change-Id: Ifef08033043a4cc90a6261e962d2fdecdf275650 Closes-Bug: #1696336
2017-06-14Merge "Fix Swift ring management in container deployments"Jenkins1-7/+25
2017-06-14Merge "Remove unnecessary references to neutron core plugin hiera"Jenkins1-11/+3
2017-06-13Merge "Fix Swift ring rebalance order"Jenkins1-2/+2
2017-06-09Configure credentials for ironic to access cinderDmitry Tantsur1-0/+1
Change-Id: I097c494d3953b7d26d94aecc546ddef5225d1125 Depends-On: I2f0eb779b711e57f1532b1227896542d0ecffc89
2017-06-09Fix Swift ring rebalance orderChristian Schwede1-2/+2
The current order is broken if there were changes to the account and container devices, but not to the object devices. In these cases it can happen that the rebalance happens before modifying devices. Change-Id: I15641c32266939c9a00936cc471cc59b1bb54eec
2017-06-09Merge "Use CRL for HAProxy"Jenkins1-0/+10
2017-06-08Use CRL for HAProxyJuan Antonio Osorio Robles1-0/+10
This sets up the CRL file to be triggered on the certmonger_user resource. Furtherly, HAProxy uses this CRL file in the member options, thus effectively enabling revocation for proxied nodes. So, if a certificate has been revoked by the CA, HAProxy will not proxy requests to it. bp tls-via-certmonger Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
2017-06-08Merge "Add polkit rule to allow kolla nova user access to libvirtd socket on ↵Jenkins1-0/+59
docker host"
2017-06-08Merge "Add novajoin profile"Jenkins1-0/+83
2017-06-07Remove unnecessary references to neutron core plugin hieraBrent Eagles1-11/+3
If the tripleo::profile::base::neutron::sriov is included it is expected that the SR-IOV agent should be deployed and configured so references to core plugin configuration is out of place and currently breaks deployment. Change-Id: Ie5d8cd7863c0d042cc6a4e1fc52602d8a03a1935
2017-06-07Fix Swift ring management in container deploymentsChristian Schwede1-7/+25
The ring up- and downloading was never executed if run within a containerized environment. This is due to the fact that this manifest gets executed within step 6(5) only. There is also an ordering issue, which actually tries to create the tarballs before rebalancing. This patch fixes the step conditions and also chains the tarball creation to the rebalance. The check to query rings on all nodes can now be disabled. This is required on containerized environments: the local ring will be modified and rebalanced, but rings on the existing servers are not yet modified. Therefore a recon-check will fail, and needs to be disabled. Closes-Bug: 1694211 Change-Id: I51c5795b9893d797bd73e059910f17a98f04cdbe
2017-06-06Add polkit rule to allow kolla nova user access to libvirtd socket on docker ↵Oliver Walsh1-0/+59
host The polkit rules are currently evaluated in the context of the docker host. As a result the check fails for the kolla nova compute user, as the uids are not consistent with the host uids (in fact we probably can't assume a nova user exists on the docker host). As a short-term workaround a 'docker_nova' user group is created on the docker host and the polkit rule is updated to grant this user access to the libvirtd socket. Longer term solution probably requires running polkitd in a container too. Change-Id: I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Related-bug: #1693844
2017-06-05Merge "Add Mistral event engine"Jenkins1-0/+46
2017-06-05Add novajoin profileJuan Antonio Osorio Robles1-0/+83
This is needed in order to deploy novajoin in a containerized undercloud environment. Change-Id: Iea461f66b8f4e3b01a0498e566a2c3684144df80
2017-06-02Merge "Add conditional for setting authlogin_nsswitch_use_ldap selboolean"Jenkins1-0/+6
2017-06-01Merge "Composable Role for Neutron LBaaS"Jenkins1-0/+44
2017-06-01Add conditional for setting authlogin_nsswitch_use_ldap selbooleanJacob Liberman1-0/+6
If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must be enabled. This setting allows LDAP communications to the confined LDAP/server port. This change includes a conditional for enabling this Boolean only when selinux is in use. Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe Closes-Bug: #1695002
2017-06-01Merge "Restart docker after changing storage driver"Jenkins1-0/+2
2017-05-31Merge "Add missing octavia mysql user creation"Jenkins1-0/+3
2017-05-26Restart docker after changing storage driverSteve Baker1-0/+2
This likely explains why CI appears to still be running the devicemapper driver even though overlay2 is now the default. Change-Id: Ic2d80bae1fddbdb1c80bae297031521dd78d896a Closes-Bug: #1692502
2017-05-26Merge "Move ceilometer upgrade step out of base"Jenkins4-20/+54
2017-05-26Merge "Pass mistral::api service_name from t-h-t"Jenkins1-11/+3
2017-05-24Move ceilometer upgrade step out of basePradeep Kilambi4-20/+54
ceilometer-upgrade should only run on controller nodes. Since its currently in base profile, it gets triggered on compute as well. So instead split out the upgrade into its own and include when we deploy notification and central agents instead. Change-Id: I2910e8aa5da7fded4cf94b57fb0a14fefd88adbe Closes-bug: #1693339
2017-05-24Merge "Add support for autofencing to Pacemaker Remote."Jenkins1-0/+27
2017-05-24Merge "Enable mistral to run under mod_wsgi"Jenkins1-4/+52
2017-05-24Add missing octavia mysql user creationMartin André1-0/+3
This patch makes sure the octavia mysql user is created when the octavia_api service is enabled. Change-Id: I270f3f6879737fc29370165e4a8fa8c9c19fffb3
2017-05-23Enable novajoin user on keystone profileJuan Antonio Osorio Robles1-0/+3
If novajoin is enabled, the keystone profile should create its user. bp tls-via-certmonger-containers Change-Id: Ifb43b72cbf0180cf12e6d3584c92ae01ce5294e5
2017-05-22Merge "TLS everywhere: Add resources for mongodb's TLS configuration"Jenkins1-0/+9
2017-05-19Merge "Switch to overlay2 driver for storage"Jenkins1-2/+33
2017-05-19Switch to overlay2 driver for storageDan Prince1-2/+33
This patch switches the default to the overlay2 storage driver and see if it helps performance. Background: The loopback driver is not recommended for production. Most other docker storage backends require extra disks (or partitions) which we don't have on the root disk. Overlay seems to make the most since for TripleO upgrades where we intend to update in-place installations to use docker. Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
2017-05-18Merge "Handle duplicate/invalid entries in migration SSH inbound addresses"Jenkins1-3/+7
2017-05-18Merge "Disable SSH login for nova_migration user when migration over ssh is ↵Jenkins1-23/+34
disabled."
2017-05-17TLS everywhere: Add resources for mongodb's TLS configurationJuan Antonio Osorio Robles1-0/+9
bp tls-via-certmonger Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
2017-05-16Composable Role for Neutron LBaaSRyan Hefner1-0/+44
Add composable service interface for Neutron LBaaSv2 service. Change-Id: Ieeb21fafd340fdfbaddbe7633946fe0f05c640c9
2017-05-16Merge "Use verify_on_create when creating pacemaker remote resources"Jenkins1-0/+1
2017-05-15Merge "vhostuser socket dir shall be created for vhostuserclient mode"Jenkins1-1/+16
2017-05-13vhostuser socket dir shall be created for vhostuserclient modeKarthik S1-1/+16
In order to support vhostuser client mode, a vhostuser_socket_dir needs to be created with qemu:qemu g+w permissions. Closes-Bug: #1675690 Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com> Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8 Signed-off-by: Karthik S <ksundara@redhat.com>
2017-05-11Merge "Add support for Cinder "NAS secure" driver params"Jenkins2-6/+29
2017-05-07Use verify_on_create when creating pacemaker remote resourcesMichele Baldessari1-0/+1
We currently create remote resources without waiting for their creation. This leads to the following potential race (spotted by Marian Mkrcmari): - On Step1 pacemaker bootstrap node creates the resource but the remote resource is not yet created - Step1 completes and Step2 starts - On Step2 the remote node sets a property (or calls pcs cib) but the remote is not yet set up so 'pcs cluster cib' will fail there with: (err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed with code: 1 -> Note that when verify_on_create is set to true we are not using the cib dump/push mechanism. That is fine because we create the remotes on step1 and the dump/push mechanism is only needed starting from step2 when multiple nodes set cluster properties at the same time. Tested by Marian Mkrcmari successfully as well. Closes-Bug: #1689028 Change-Id: I764526b3f3c06591d477cc92779d83a19802368e Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f
2017-05-06Pass mistral::api service_name from t-h-tBrad P. Crochet1-11/+3
In order to have the chicken-egg work, service_name had to be explicitly passed to ::mistral::api. This switches to using values from t-h-t. Change-Id: Ib94e51f863ba59a1a1db47d58aed3ba4e5fc9650 Depends-On: Ie98dd5061d92dbc3c15bdd8926b0e3d62cc471f6
2017-05-06Enable mistral to run under mod_wsgiBrad P. Crochet1-4/+52
Mistral should run under mod_wsgi. Enable that. Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
2017-05-06Add Mistral event engineBrad P. Crochet1-0/+46
Mistral has an event engine for triggering cron events. Let's run it. Change-Id: I386e0b77064ca6938af36238f82bfec010aa5a17 Depends-On: Icaef5e5732f98e9cc39ed1f024d715cee371acac
2017-05-05Handle duplicate/invalid entries in migration SSH inbound addressesOliver Walsh1-3/+7
An error (e.g a typo) in a custom tripleo-heat-templates environment file could lead to an invalid match block in /etc/ssh/sshd_config. SSH fails-safe and refuses all logins in this case. This change validates the migration_ssh_localaddrs parameter is an array of IP addresses and removes and duplicate entries. Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25 Closes-Bug: #1688308
2017-05-05Disable SSH login for nova_migration user when migration over ssh is disabled.Oliver Walsh1-23/+34
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary. Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3 Closes-Bug: #1688321
2017-05-04Merge "Restrict nova migration ssh tunnel"Jenkins1-58/+101
2017-05-04Add support for Cinder "NAS secure" driver paramsAlan Bishop2-6/+29
Add ability to set Cinder's nas_secure_file_operations and nas_secure_file_permissions driver parameters. Two sets of identically named parameters are implemented by Cinder's NFS and NetApp back end drivers. The ability to control these parameters is crucial for supporting deployments that require non-default values. Partial-Bug: #1688332 Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9 Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308