If novajoin is enabled, the keystone profile should create its user.
bp tls-via-certmonger-containers
Change-Id: Ifb43b72cbf0180cf12e6d3584c92ae01ce5294e5
|
|
This patch switches the default to the overlay2 storage driver to see
if it helps performance.
Background:
The loopback driver is not recommended for production. Most
other docker storage backends require extra disks (or partitions)
which we don't have on the root disk. Overlay seems to make the
most sense for TripleO upgrades where we intend to update
in-place installations to use docker.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
|
|
disabled."
|
|
bp tls-via-certmonger
Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
|
|
In order to support vhostuser client mode, a vhostuser_socket_dir
needs to be created with qemu:qemu g+w permissions.
Closes-Bug: #1675690
Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com>
Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8
Signed-off-by: Karthik S <ksundara@redhat.com>
|
|
We currently create remote resources without waiting for their creation.
This leads to the following potential race (spotted by Marian Mkrcmari):
- On Step1 pacemaker bootstrap node creates the resource but the remote
resource is not yet created
- Step1 completes and Step2 starts
- On Step2 the remote node sets a property (or calls pcs cib) but the
remote is not yet set up so 'pcs cluster cib' will fail there with:
(err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster
cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed
with code: 1 ->
Note that when verify_on_create is set to true we are not using the cib
dump/push mechanism. That is fine because we create the remotes on
step1 and the dump/push mechanism is only needed starting from step2
when multiple nodes set cluster properties at the same time.
Tested by Marian Mkrcmari successfully as well.
Closes-Bug: #1689028
Change-Id: I764526b3f3c06591d477cc92779d83a19802368e
Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f
|
|
An error (e.g. a typo) in a custom tripleo-heat-templates environment
file could lead to an invalid match block in /etc/ssh/sshd_config.
SSH fails safe and refuses all logins in this case.
This change validates that the migration_ssh_localaddrs parameter is an
array of IP addresses and removes any duplicate entries.
Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #1688308
|
|
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
|
|
Add ability to set Cinder's nas_secure_file_operations and
nas_secure_file_permissions driver parameters. Two sets of identically
named parameters are implemented by Cinder's NFS and NetApp back end
drivers.
The ability to control these parameters is crucial for supporting deployments
that require non-default values.
Partial-Bug: #1688332
Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9
Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308
|
|
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
|
|
It used to be hardcoded to use the OpenSSL default CA Bundle, however,
this will be changed in t-h-t.
Change-Id: I75bdaf71d88d169e64687a180cb13c1f63418a0f
|
|
Binding is now done in THT via Hiera directly, so users can change the
option more easily.
Depends-On: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614
Change-Id: I9d5fd152bb73ea54c4d0d3bab862f11eaa4ebd79
Closes-Bug: #1687628
|
|
The TLS proxy was notifying neutron::server instead of swift proxy.
Change-Id: I212978c107a75209d5b7c266e608eb9a9e9cdc76
|
|
Part of blueprint redfish-support
Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa
Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
|
|
Since collector is deprecated, let's move this out of collector.pp
so it gets run and resource types are created appropriately even
when collector is not included.
Closes-bug: #1676961
Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
|
|
This includes the Zaqar apache module, allowing Zaqar to run behind
httpd.
Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906
Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
|
|
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
are mutually exclusive. This patch, and the next patchset of that review,
resolves the conflict.
Related-Bug: 1668543
Change-Id: I1d09530d69e42c0c36311789166554a889e46556
|
|
Update the gnocchi api to expose the redis information as a class
parameter so it can be tested correctly.
Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
|
|
A recent CentOS docker packaging change removed the default
/etc/docker/daemon.json file. As such we need to create an empty
JSON file if none exists before running Augeas to configure
the settings.
Change-Id: Ibfe04b468639002f55da7bb65d2606f730c700b7
Closes-bug: #1684297
|
|
Adds support for a secondary DSM in case the primary becomes
unavailable.
Change-Id: Ibf8c333f62556d421d67c853f1f0740d7f9985bf
Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7
|
|
Add a tripleo profile for neutron linuxbridge agent configuration.
Change-Id: Ie3ac03052f341c26735b423701e1decf7233d935
Partial-Bug: #1652211
|
|
Every time we call the apache module, regardless of using SSL, we have to
configure mod_ssl from puppet-apache or we'll hit an issue during package
update. The file /etc/httpd/conf.d/ssl.conf from the mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If apache::mod::ssl is not included, the ssl.conf file is
removed and recreated during mod_ssl package update. This causes a
conflict on port 443.
Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
|
|
Users may have an external swift proxy already available (i.e. radosgw
from an already existing ceph, or a hardware appliance implementing a swift
proxy). With this change the user may specify an environment file that
registers the specified URLs as the endpoint for the object-store service.
The internal swift proxy is left unconfigured.
Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
|
|
This option allows users to exclude some fault domains.
Otherwise all domains are returned.
Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483
Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433
|
|
This defaults to 'True' to keep backward compatibility and can be
disabled by setting 'enable_container_images_built' to false in
undercloud.conf.
Depends-On: Ia3379cf66b1d6b180def69c2a5b22b2602baacef
Change-Id: I33e7e9a6a3865fed38f7ed6490455457da67782b
|
|
We configure apache in step3 so we need to configure the gnocchi api in
step 3 as well to prevent unnecessary service restarts during updates.
Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be
Related-Bug: #1664418
|