summaryrefslogtreecommitdiffstats
path: root/manifests/profile/base
AgeCommit message (Collapse)AuthorFilesLines
2017-09-26Allow log path transformation in fluentd glueLars Kellogg-Stedman1-2/+27
Logs in a containerized deployment are not in the same location as on a baremetal deployment. This commit adds the $fluentd_path_transform paramter to the fluentd glue module. This is a regular expression that is used to transform log paths. To use this feature, include in your hiera configuration something like: tripleo::profile::base::logging::fluentd::fluentd_path_transform: - /var/log/ - /var/log/containers/ Change-Id: I585b6877074353b5de62e5efaabfbe62432c473d Partial-bug: #1716427 (cherry picked from commit 1ff0903a3950bc4adbc8c84b5153df6ca0fb6a3d)
2017-09-20Support for Ocata-Pike live-migration over sshOliver Walsh3-3/+99
In Ocata all live-migration over ssh is performed on the default ssh port (22). In Pike the containerized live-migration over ssh is on port 2022 as the docker host's sshd is using port 22. To allow live migration during upgrade we need to temporarily pin the Pike computes to port 22 and in the final converge we can switch over to port 2022. This patch make the necessary puppet-tripleo change to allow this: - Adds support in sshd profile for listening on multiple ports. - Adds a profile to allow proxying to the containerized sshd from the baremetal sshd Change-Id: I0b80b81711f683be539939e7d084365ff63546d3 Related-bug: 1714171 (cherry picked from commit 05a413c34fa1266d38bf991a1f5ed2795631f0b7)
2017-09-07Move manila backend configuration from pacemaker to baseJan Provaznik1-0/+187
There is no reason to keep backend configuration in pacemaker-specific manifest. This configuration is used no matter whether pacemaker is used or not. Change-Id: I63b53d230372a323db1d35a3774283ad2e29fbb1 Closes-Bug: #1714310 (cherry picked from commit 7327cc88246abe6473b7b29703af408adeccc88d)
2017-09-06Merge "Change references from nsx_v3 to nsx" into stable/pikeJenkins1-3/+3
2017-09-06Merge "Use TLS proxy for Redis' internal TLS" into stable/pikeJenkins6-10/+118
2017-09-06Merge "Enable TLS for rabbitmq's replication traffic" into stable/pikeJenkins1-1/+11
2017-09-06Change references from nsx_v3 to nsxJay Jahns1-3/+3
This patch changes references from nsx_v3 to nsx since the nsx_v3 functionality is the only one supported at this time. Change-Id: Id73f675844b0df2eafa45507d1c28f16cd0b15b2 Closes-Bug: #1713191 (cherry picked from commit f27c45a0925546f3b9627fce7d223a1bba140ce0)
2017-09-05Use TLS proxy for Redis' internal TLSMartin André6-10/+118
This uses the tls_proxy resource in front of the Redis server when internal TLS is enabled. bp tls-via-certmonger Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147 (cherry picked from commit 2d1d7875aa6f0b68005c84189627bc0716a7693f)
2017-09-05Enable TLS for rabbitmq's replication trafficJuan Antonio Osorio Robles1-1/+11
This follows the RabbitMQ docs [1] for enabling TLS for the replication traffic. It reuses the certificate that rabbitmq already has. Unfortunately, pacemaker uses the shortname for the rabbitmq nodes, so we are not able to do proper verification of the certificates, since we can't allocate a certificate for shortnames. So, until pacemaker can track the rabbit nodes through their FQDNs, we don't set any verification options. [1] https://www.rabbitmq.com/clustering-ssl.html Depends on: https://github.com/voxpupuli/puppet-rabbitmq/pull/574 bp tls-via-certmonger Co-Authored-By: Alex Schultz <aschultz@redhat.com> Change-Id: I265c89cb8898a6da78a606664a22c50f5e57a847 (cherry picked from commit 52404b85dc140d9ddc4605365454df0e052ee2cb)
2017-09-05Support for Dell EMC VNX Manila Driverrajinir1-3/+10
This changes adds Dell EMC VNX backend as composable service and matches the tripleo-heat-templates. Change-Id: Iab80dc636913610704e1ceb2642ce738b68bb827 Implements: blueprint support-dellemc-vnx-manila (cherry picked from commit eca5b4dfb22a9e9476cd835d2e211def4c9bd5c9)
2017-09-01Fix enabling zaqar keystone endpoint and MySQL databaseJuan Antonio Osorio Robles2-2/+2
The zaqar service name switched to zaqar-api[1], so the hieradata key is zaqar_api_enabled now instead of zaqar_enabled. [1] I9b451eac4427a52ad8eec62ff89acc6c6d3ab799 Closes-Bug: #1714213 Change-Id: I692658337e7afc9d0a99b245f8b0b4f76a076bc4 (cherry picked from commit bc6a526f91c156e1cecfb9226ae3686102e655d4)
2017-08-30Support for Dell EMC Unity Manila Driverrajinir1-1/+6
This changes adds Dell EMC Unity backend as composable service and matches the tripleo-heat-templates. Change-Id: I0df1e16db89cd53e4f16cd08ccb975d8e7e9a470 Implements: blueprint dellemc-unity-manila (cherry picked from commit 2f93b4fc3aa63d99b7dcb0302e9ee48bda1f4282)
2017-08-30Support for Dell EMC Isilon Manila Driverrajinir1-1/+5
This changes adds Dell EMC Isilon backend as composable service and matches the tripleo-heat-templates. Change-Id: I30f6b4c4ebe0a708a5eb34cd016544f4d2b9c2bb Implements: blueprint dellemc-isilon-manila (cherry picked from commit 75ee7f12f165d4ef6e47600d8c0ec93dff3b610d)
2017-08-29Enable config for docker daemon debugAlex Schultz1-6/+14
Exposes a way to configure the docker daemon with debug enabled. Change-Id: I654a70c8bb7753679be83d78ca653ed44c3a7395 Related-Bug: #1710533 (cherry picked from commit 44b90c9a79146139cbcbe7f560bd1df667cca780)
2017-08-24Merge "Use resource collector for the fencing -> stonith ordering"Jenkins1-1/+1
2017-08-24TLS-everywhere/libvirt: Make postsave command configurableJuan Antonio Osorio Robles1-1/+8
This is requires for when libvirt is running over a container, since we shouldn't try to restart the libvirt process, but the container itself. bp tls-via-certmonger-containers Change-Id: I26a7748b37059ea37f460d8c70ef684cc41b16d3
2017-08-23Use resource collector for the fencing -> stonith orderingMichele Baldessari1-1/+1
Change Ifef08033043a4cc90a6261e962d2fdecdf275650 moved the stonith property definition to the pacemaker_master node. This means that the Class['tripleo::fencing'] -> Class['pacemaker::stonith'] ordering breaks on non-boostrap pacemaker nodes because the pacemaker::stonith property is not defined there any longer. Let's fix this by simply using a resource collector and set the ordering on that instead of adding yet anoth if statement. Ordering on enablement of stonith is actually more correct formally. Tested this on a broken setup successfully. Closes-Bug: #1712605 Change-Id: I616d340bdf75da9d9eb8b83b2e804dff3d07d58e
2017-08-21Merge "Do not create fs and server side key from manila"Jenkins1-0/+5
2017-08-21Merge "Certmonger: Make postsave command configurable"Jenkins1-2/+16
2017-08-19Merge "Support for Dell EMC VMAX Manila Driver"Jenkins1-1/+6
2017-08-19Merge "Support for Dell EMC VMAX ISCSI Cinder Driver"Jenkins2-13/+69
2017-08-19Merge "Allow configuring multiple insecure registries"Jenkins1-6/+18
2017-08-19Merge "Add TLS for nova metadata service"Jenkins1-0/+40
2017-08-18Certmonger: Make postsave command configurableJuan Antonio Osorio Robles1-2/+16
We need to make it configurable since these commands don't apply for containerized environments. This way we can restart containers or disable restarting and rely on other means. This stems from the issue that some services get accidentally started by certmonger on containerized environments, which makes the container initialization fail. bp tls-via-certmonger-containers Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
2017-08-18Merge "Enable TLS in the internal network for horizon"Jenkins1-4/+41
2017-08-18Merge "Move barbican's database creation to mysql profile"Jenkins2-4/+3
2017-08-17Add TLS for nova metadata serviceJuan Antonio Osorio Robles1-0/+40
This adds a TLS proxy in front of it so it serves TLS in the internal network. bp tls-via-certmonger Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
2017-08-17Allow configuring multiple insecure registriesJiri Stransky1-6/+18
If we're using local registries, we may want to use different registries e.g. for Ceph and for OpenStack. We allow multiple registries in general for this purpose, and we should also allow it in the insecure registry configuration. Change-Id: I5cddd20a123a85516577bde1b793a30d43171285 Related-Bug: #1709310
2017-08-17Merge "Add logrotate-crond configuration"Jenkins1-0/+112
2017-08-17Enable TLS in the internal network for horizonJuan Antonio Osorio Robles1-4/+41
This enables the usage of TLS by the apache vhost that hosts horizon. bp tls-via-certmonger Change-Id: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e
2017-08-17Move barbican's database creation to mysql profileJuan Antonio Osorio Robles2-4/+3
This makes sure that the database creation is only executed on the mysql profile (or container if that's enabled), and stops the conflicts and errors that were happening when barbican was deployed in containerized environments. Change-Id: Ib5c99482f62397fc5fb79a9dc537dfb06ee7f4df Closes-Bug: #1710928
2017-08-16Add logrotate-crond configurationBogdan Dobrelya1-0/+112
Generate a cron job and a config for logrotate to be run against containerized services logs. Related-bug: #1700912 Change-Id: Ib9d5d8ca236296179182613e1ff625deea168614 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-08-15Merge "Use rabbitmq ipv6 flag"Jenkins1-11/+4
2017-08-14Merge "Fix legacy nova/cinder encryption key manager configuration"Jenkins2-2/+20
2017-08-14Use rabbitmq ipv6 flagJohn Eckersberg1-11/+4
The internal details of enabling IPv6 have moved upstream[1], so just set the ipv6 flag when desired and don't worry about the details anymore! [1] https://github.com/puppetlabs/puppetlabs-rabbitmq/pull/552 Closes-Bug: #1710658 Change-Id: Ib22507c4d02f0fae5c0189ab7e040efac3df7e2f
2017-08-14Support for Dell EMC VMAX Manila Driverrajinir1-1/+6
This changes adds Dell EMC VMAX backend as composable service and matches the tripleo-heat-templates. Change-Id: I6e3b4ed6477c7ee56aef4e9849893229ca648c85 Implements: blueprint dellemc-vmax-manila
2017-08-14Support for Dell EMC VMAX ISCSI Cinder Driverrajinir2-13/+69
This changes adds Dell EMC VMAX ISCSI backend as composable service and matches the tripleo-heat-templates. Change-Id: Ifc169c60994856e382b76b72e020624ca64eef9f Implements: blueprint dellemc-vmax-isci
2017-08-12Merge "Run online_data_migrations for Ironic on upgrade"Jenkins1-2/+3
2017-08-11Merge "Modify resource dependencies of certmonger_user resources"Jenkins1-1/+4
2017-08-11Do not create fs and server side key from manilaJan Provaznik1-0/+5
Both fs and key are handled by ceph-ansible, move fs and key creation out of manila manifest to assure that it works with and without ceph-ansbile. Client-side manila key is created from ceph-mds and ceph-external templates in I6308a317ffe0af244396aba5197c85e273e69f68. Depends-On: I6308a317ffe0af244396aba5197c85e273e69f68 Partially-Implements: blueprint nfs-ganesha Change-Id: I2b5567a39ac8737e80758b705818cc1807dc8bf1
2017-08-11Modify resource dependencies of certmonger_user resourcesJuan Antonio Osorio Robles1-1/+4
In a containerized environment the haproxy class might not be defined, so this was made optional. On the other hand, this also retrieves the CRL before any certmonger_certificate resources are created. bp tls-via-certmonger-containers Change-Id: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
2017-08-09Merge "Enable innodb_buffer_pool_size configuration"Jenkins1-8/+14
2017-08-07Run online_data_migrations for Ironic on upgradeDmitry Tantsur1-2/+3
This only enables correct offline upgrade for now, proper rolling upgrade support will follow in the Queens release. Change-Id: Iebbd0c6dfc704ba2e0b5176d607354dd31f13a0d Depends-On: I548c80cf138b661ba3a5e45a6dfe8711f3322ed0 Partial-Bug: #1708149
2017-08-05Merge "Enable encryption of pacemaker traffic by default"Jenkins1-2/+18
2017-08-04Merge "Configure dockerd with --iptables=false"Jenkins1-2/+2
2017-08-04Merge "Ensure directory exists for certificates for haproxy"Jenkins1-0/+1
2017-08-03Enable innodb_buffer_pool_size configurationMike Bayer1-8/+14
Adds a hiera-enabled setting for mysql.pp to allow configuration of innodb_buffer_pool_size, a key configurational element for MySQL performance tuning. Change-Id: Iabdcb6f76510becb98cba35c95db550ffce44ff3 Closes-bug: #1704978
2017-08-03Configure dockerd with --iptables=falseDan Prince1-2/+2
This change defaults --iptables=false for dockerd to avoid having Docker create its own FORWARD iptables rules. These rules can interact with normal OS networking rules and disable communications between hosts on reboot. Change-Id: I875fa14f7d810c7f0aba3b3a1b04b60a19470f0f Closes-bug: #1708279
2017-08-02Use normal socket file permissions instead of polkitOliver Walsh2-58/+17
The default (on RHEL/CentOS) is to use polkit but this is only useful for GUI support or for fine grained API access control. As we don't require either we can achieve identical control using plain old unix filesystem permissions. I've merged Sven's changes from https://review.openstack.org/484979 and https://review.openstack.org/487150. As we need to be careful with the libvirtd option quoting I think it's best to do this in puppet-tripleo instead of t-h-t yaml. The option to override the settings from t-h-t remains. Co-Authored-By: Sven Anderson <sven@redhat.com> Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Closes-bug: 1696504 Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2 Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
2017-08-02Merge "Support for Dell EMC Unity Cinder Driver"Jenkins2-12/+72