| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This uses the tls_proxy resource in front of the Redis server when
internal TLS is enabled.
bp tls-via-certmonger
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147
(cherry picked from commit 2d1d7875aa6f0b68005c84189627bc0716a7693f)
|
|
This changes adds Dell EMC VNX backend as composable service
and matches the tripleo-heat-templates.
Change-Id: Iab80dc636913610704e1ceb2642ce738b68bb827
Implements: blueprint support-dellemc-vnx-manila
(cherry picked from commit eca5b4dfb22a9e9476cd835d2e211def4c9bd5c9)
|
|
The zaqar service name switched to zaqar-api[1], so the hieradata key
is zaqar_api_enabled now instead of zaqar_enabled.
[1] I9b451eac4427a52ad8eec62ff89acc6c6d3ab799
Closes-Bug: #1714213
Change-Id: I692658337e7afc9d0a99b245f8b0b4f76a076bc4
(cherry picked from commit bc6a526f91c156e1cecfb9226ae3686102e655d4)
|
|
This changes adds Dell EMC Unity backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I0df1e16db89cd53e4f16cd08ccb975d8e7e9a470
Implements: blueprint dellemc-unity-manila
(cherry picked from commit 2f93b4fc3aa63d99b7dcb0302e9ee48bda1f4282)
|
|
This changes adds Dell EMC Isilon backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I30f6b4c4ebe0a708a5eb34cd016544f4d2b9c2bb
Implements: blueprint dellemc-isilon-manila
(cherry picked from commit 75ee7f12f165d4ef6e47600d8c0ec93dff3b610d)
|
|
Exposes a way to configure the docker daemon with debug enabled.
Change-Id: I654a70c8bb7753679be83d78ca653ed44c3a7395
Related-Bug: #1710533
(cherry picked from commit 44b90c9a79146139cbcbe7f560bd1df667cca780)
|
|
|
|
This is requires for when libvirt is running over a container, since
we shouldn't try to restart the libvirt process, but the container
itself.
bp tls-via-certmonger-containers
Change-Id: I26a7748b37059ea37f460d8c70ef684cc41b16d3
|
|
Change Ifef08033043a4cc90a6261e962d2fdecdf275650 moved the stonith
property definition to the pacemaker_master node. This means that the
Class['tripleo::fencing'] -> Class['pacemaker::stonith'] ordering
breaks on non-boostrap pacemaker nodes because the pacemaker::stonith
property is not defined there any longer.
Let's fix this by simply using a resource collector and set the ordering
on that instead of adding yet anoth if statement. Ordering on
enablement of stonith is actually more correct formally.
Tested this on a broken setup successfully.
Closes-Bug: #1712605
Change-Id: I616d340bdf75da9d9eb8b83b2e804dff3d07d58e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We need to make it configurable since these commands don't apply for
containerized environments. This way we can restart containers or
disable restarting and rely on other means.
This stems from the issue that some services get accidentally started by
certmonger on containerized environments, which makes the container
initialization fail.
bp tls-via-certmonger-containers
Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
|
|
|
|
|
|
This adds a TLS proxy in front of it so it serves TLS in the internal
network.
bp tls-via-certmonger
Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
|
|
If we're using local registries, we may want to use different
registries e.g. for Ceph and for OpenStack. We allow multiple
registries in general for this purpose, and we should also allow it in
the insecure registry configuration.
Change-Id: I5cddd20a123a85516577bde1b793a30d43171285
Related-Bug: #1709310
|
|
|
|
This enables the usage of TLS by the apache vhost that hosts horizon.
bp tls-via-certmonger
Change-Id: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e
|
|
This makes sure that the database creation is only executed on the mysql
profile (or container if that's enabled), and stops the conflicts and
errors that were happening when barbican was deployed in containerized
environments.
Change-Id: Ib5c99482f62397fc5fb79a9dc537dfb06ee7f4df
Closes-Bug: #1710928
|
|
Generate a cron job and a config for logrotate
to be run against containerized services logs.
Related-bug: #1700912
Change-Id: Ib9d5d8ca236296179182613e1ff625deea168614
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
The internal details of enabling IPv6 have moved upstream[1], so just
set the ipv6 flag when desired and don't worry about the details
anymore!
[1] https://github.com/puppetlabs/puppetlabs-rabbitmq/pull/552
Closes-Bug: #1710658
Change-Id: Ib22507c4d02f0fae5c0189ab7e040efac3df7e2f
|
|
This changes adds Dell EMC VMAX backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I6e3b4ed6477c7ee56aef4e9849893229ca648c85
Implements: blueprint dellemc-vmax-manila
|
|
This changes adds Dell EMC VMAX ISCSI backend as composable service
and matches the tripleo-heat-templates.
Change-Id: Ifc169c60994856e382b76b72e020624ca64eef9f
Implements: blueprint dellemc-vmax-isci
|
|
|
|
|
|
Both fs and key are handled by ceph-ansible, move fs and key
creation out of manila manifest to assure that it works with and
without ceph-ansbile.
Client-side manila key is created from ceph-mds and ceph-external
templates in I6308a317ffe0af244396aba5197c85e273e69f68.
Depends-On: I6308a317ffe0af244396aba5197c85e273e69f68
Partially-Implements: blueprint nfs-ganesha
Change-Id: I2b5567a39ac8737e80758b705818cc1807dc8bf1
|
|
In a containerized environment the haproxy class might not be defined,
so this was made optional. On the other hand, this also retrieves the
CRL before any certmonger_certificate resources are created.
bp tls-via-certmonger-containers
Change-Id: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
|
|
|
|
This only enables correct offline upgrade for now, proper rolling
upgrade support will follow in the Queens release.
Change-Id: Iebbd0c6dfc704ba2e0b5176d607354dd31f13a0d
Depends-On: I548c80cf138b661ba3a5e45a6dfe8711f3322ed0
Partial-Bug: #1708149
|
|
|
|
|
|
|
|
Adds a hiera-enabled setting for mysql.pp to
allow configuration of innodb_buffer_pool_size, a key
configurational element for MySQL performance tuning.
Change-Id: Iabdcb6f76510becb98cba35c95db550ffce44ff3
Closes-bug: #1704978
|
|
This change defaults --iptables=false for dockerd to avoid
having Docker create its own FORWARD iptables rules. These
rules can interact with normal OS networking rules and disable
communications between hosts on reboot.
Change-Id: I875fa14f7d810c7f0aba3b3a1b04b60a19470f0f
Closes-bug: #1708279
|
|
The default (on RHEL/CentOS) is to use polkit but this is only useful
for GUI support or for fine grained API access control. As we don't
require either we can achieve identical control using plain old unix
filesystem permissions.
I've merged Sven's changes from https://review.openstack.org/484979
and https://review.openstack.org/487150.
As we need to be careful with the libvirtd option quoting I think it's
best to do this in puppet-tripleo instead of t-h-t yaml.
The option to override the settings from t-h-t remains.
Co-Authored-By: Sven Anderson <sven@redhat.com>
Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6
Closes-bug: 1696504
Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2
Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
|
|
|
|
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: Iba3adb9464a755e67c6f87d1233b3affa8be565a
|
|
We already are setting a pre-shared key by default for the pacemaker
cluster. This was done in order to communicate with TLS-PSK with
pacemaker-remote clusters. This key is also useful for us to enable
encrypted traffic for the regular cluster traffic, which we enable by
default with this patch.
Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf
|
|
|
|
Recent changes in Nova [0] and Cinder [1] result in Barbican being selected
as the default encryption key manager, even when TripleO is not deploying
Barbican.
This change ensures the legacy key manager is enabled when no key manager
(such as Barbican) has been specified. This restores the previous behavior,
where the legacy key manager was enabled by default.
[0] https://review.openstack.org/484501
[1] https://review.openstack.org/485322
Closes-Bug: #1706389
Change-Id: Idc92f7a77cde757538eaac51c4ad8dc397f9c3d3
|
|
This changes adds Dell EMC Unity backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I015f7dfec4bedf72332d91b91cda3ef1dc8caf8c
|
|
This allows running Zaqar with SSL under Apache.
Change-Id: I4c68a662c2433398249f770ac50ba0791449fe71
|
|
When docker-puppet runs module tripleo::haproxy to generate haproxy
configuration file, and tripleo::firewall::manage_firewall is true,
iptables is called to set up firewall rules for the proxied services
and fails due to lack of NET_ADMIN capability.
Make the generation of firewall rule configurable by exposing a
new argument to the puppet module. That way, firewall management can
be temporarily disabled when being run through docker-puppet.
Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #1697921
|
|
The unit tests jobs are failing because of missing pre conditions for
the new shared class introduced by
Ib233689fdcdda391596d01a21f77bd8e1672ae04. Additionally this change
moved some classes around so that the tests are now failing due to
duplicate class declarations for nova::compute::libvirt::services. This
change moves the include that pulls in the declaration first prior to
the include that exists in tripleo::profile::base::nova::libvirt.
The selinux test was also failing due to a type issue with the fact
being used (boolean vs string)
Change-Id: I5bd4b61d6008820729d58f7743e7e61955dd6f51
Closes-Bug: #1707034
|
Martin André
rajinir
Juan Antonio Osorio Robles
Alex Schultz
Jenkins
Michele Baldessari
Jiri Stransky
Bogdan Dobrelya
John Eckersberg
Jan Provaznik
Dmitry Tantsur
Mike Bayer
Dan Prince
Oliver Walsh
Alan Bishop
Thomas Herve
Damien Ciabrini