path: root/manifests/profile/base
Age | Commit message | Author | Files | Lines
2017-04-26 | Add support for autofencing to Pacemaker Remote. | Chris Jones | 1 | -0/+27
We now configure stonith devices for Pacemaker Remote nodes. Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197 Partial-Bug: #1686115
2017-04-17 | Merge "Support for external swift proxy" | Jenkins | 1 | -1/+1
2017-04-15 | Merge "Move ceilometer wsgi to step 3" | Jenkins | 1 | -1/+1
2017-04-15 | Merge "Move gnocchi wsgi configuration to step 3" | Jenkins | 1 | -1/+3
2017-04-14 | Merge "Dell SC: Add exclude_domain_ip option" | Jenkins | 1 | -0/+1
2017-04-14 | Support for external swift proxy | Luca Lorenzetto | 1 | -1/+1
Users may have an external swift proxy already available (i.e. radosgw from already existing ceph, or hardware appliance implementing swift proxy). With this change the user may specify an environment file that registers the specified URLs as endpoints for the object-store service. The internal swift proxy is left as unconfigured. Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
2017-04-13 | Merge "Make install of kolla optional on the undercloud" | Jenkins | 1 | -4/+11
2017-04-12 | Dell SC: Add exclude_domain_ip option | rajinir | 1 | -0/+1
This option allows users to exclude some fault domains. Otherwise all domains are returned. Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483 Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433
2017-04-12 | Make install of kolla optional on the undercloud | Martin André | 1 | -4/+11
This defaults to 'True' to keep backward compatibility and can be disabled by setting 'enable_container_images_built' to false in undercloud.conf. Depends-On: Ia3379cf66b1d6b180def69c2a5b22b2602baacef Change-Id: I33e7e9a6a3865fed38f7ed6490455457da67782b
2017-04-12 | Move gnocchi wsgi configuration to step 3 | Alex Schultz | 1 | -1/+3
We configure apache in step3 so we need to configure the gnocchi api in step 3 as well to prevent unnecessary service restarts during updates. Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be Related-Bug: #1664418
2017-04-12 | Move ceilometer wsgi to step 3 | Alex Schultz | 1 | -1/+1
Apache is configured in step 3 so if we configure ceilometer in step 4, the configuration is removed on updates. We need to configure it in step 3 with the other apache services to ensure we don't have issues on updates. Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423 Related-Bug: #1664418
2017-04-12 | Merge "Stop SSHD profile clobbering SSH client config" | Jenkins | 1 | -1/+1
2017-04-12 | Merge "Ensure directory exists for certificates for httpd" | Jenkins | 1 | -0/+1
2017-04-11 | Stop SSHD profile clobbering SSH client config | Oliver Walsh | 1 | -1/+1
Including the ::ssh manifest will manage both client and server config. Managing the client config was not intended and will clobber the OS default config with the puppet ssh module defaults. Follow up for https://review.openstack.org/443113 where I found the issue after the changes merged. Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5 Related-Bug: 1668543
2017-04-11 | Ensure directory exists for certificates for httpd | Juan Antonio Osorio Robles | 1 | -0/+1
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating these directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-11 | Merge "Add registry_mirror to base::docker profile" | Jenkins | 1 | -0/+23
2017-04-11 | Merge "Use docker profile in docker_registry" | Jenkins | 1 | -6/+3
2017-04-10 | Merge "Move etcd to step 2" | Jenkins | 1 | -1/+1
2017-04-08 | Add registry_mirror to base::docker profile | Dan Prince | 1 | -0/+23
This patch adds a new registry_mirror option to help configure /etc/docker/daemon.json so that we can make use of HTTP docker mirrors within upstream TripleO CI (infra). Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
2017-04-07 | Use docker profile in docker_registry | Dan Prince | 1 | -6/+3
The docker_registry profile has resources to configure the docker service and package. These conflict with the entries in the tripleo::profile::base::docker class which exists specifically to manage these resources (and has unit tests). This patch removes the duplicate resources and updates the docker_registry profile to simply include the base docker profile instead. This instack-undercloud change below needs to land first. Depends-On: I6154f4c7435b02b92f6f64687e9ee89d6b86186a Change-Id: I75c740e7efc6662861c28caeb7fa965ba55438cb
2017-04-07 | Merge "TLS-everywhere: Add resources for libvirt's cert for live migration" | Jenkins | 1 | -0/+12
2017-04-07 | Merge "Stop including ironic::drivers::ssh in the ironic-conductor profile" | Jenkins | 1 | -1/+4
2017-04-07 | Merge "Enable creation of keystone domain when ldap backends are created" | Jenkins | 1 | -1/+3
2017-04-07 | Merge "syntax error extra comma in rabbitmq.pp" | Jenkins | 1 | -1/+1
2017-04-07 | Merge "Add networking-vpp ML2 mechanism driver support" | Jenkins | 3 | -0/+102
2017-04-07 | Merge "Add missing octavia auth include to keystone manifest" | Jenkins | 1 | -0/+3
2017-04-07 | syntax error extra comma in rabbitmq.pp | Jon Schlueter | 1 | -1/+1
bundle rake syntax Could not parse for environment *root*: Syntax error at ')'; expected '}' Change-Id: Idfb254df068b3d7342a6ea3c71dabd1316a61bdf
2017-04-07 | Stop including ironic::drivers::ssh in the ironic-conductor profile | Dmitry Tantsur | 1 | -1/+4
The SSH drivers are deprecated, pxe_ipmitool + virtualbmc should be used instead. This is a follow-up to blueprint switch-to-virtualbmc. Change-Id: I4fd567dffa3992042eebcf495334b8130e1bdc9f
2017-04-07 | TLS-everywhere: Add resources for libvirt's cert for live migration | Juan Antonio Osorio Robles | 1 | -0/+12
This merely requests the certificates that will be used for libvirt's live migration if TLS-everywhere is enabled. bp tls-via-certmonger Change-Id: If18206d89460f6660a81aabc4ff8b97f1f99bba7
2017-04-07 | Merge "Don't try and create the my.cnf.d dir everytime" | Jenkins | 1 | -0/+1
2017-04-07 | Enable creation of keystone domain when ldap backends are created | Juan Antonio Osorio Robles | 1 | -1/+3
This sets the flag create_domain_entry for the ldap_backend resource, which will create the domain for the ldap backend (this was previously not the case since only the configuration was created). Furthermore, this flag will also refresh the keystone server, so the changes come into effect. Note that this is only done in step 3, so the domains are created there and the refresh happens in that step. Also, this is only done for the bootstrap node, since when the other nodes start, they will already have the domains available in the keystone database and there won't be a need to restart. Related-Bug: #1677603 Depends-On: Ib6c633b6a975e4b760c10a2aef3c252885b05e28 Change-Id: Id879cf5c5ae39d37bf58b73c78733001d2b03d9c
2017-04-07 | Merge "Composable services support for Cinder Pure Storage FlashArray" | Jenkins | 2 | -0/+78
2017-04-07 | Merge "Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo" | Jenkins | 1 | -0/+36
2017-04-07 | Merge "Make the cluster-check property configurable" | Jenkins | 1 | -0/+25
2017-04-06 | Merge "Include ironic::drivers::interfaces in the ironic-conductor profile" | Jenkins | 1 | -0/+1
2017-04-06 | Merge "Adding support for Bagpipe Agent as BGPVPN driver" | Jenkins | 1 | -0/+37
2017-04-06 | Merge "Add a trigger to call ldap_backend define" | Jenkins | 1 | -0/+16
2017-04-06 | Add missing octavia auth include to keystone manifest | Brent Eagles | 1 | -0/+3
This patch adds the appropriate include to make sure that appropriate keystone user, services, etc. are created when octavia is selected. Closes-bug: #1680588 Change-Id: I0b6d657a0300538292223923d8808c23f936c193
2017-04-06 | Don't try and create the my.cnf.d dir everytime | Alex Schultz | 1 | -0/+1
The creation of /etc/my.cnf.d is not idempotent and is run anytime the mysql client profile is included. This change adds an unless parameter to ensure it is only run if not used. Change-Id: I4a30eaccf72f5687dc22ba93c19136e55d36dcab Closes-Bug: #1680570
2017-04-06 | Merge "Clean up TLS-related bits from swift-proxy" | Jenkins | 1 | -13/+4
2017-04-06 | Merge "Fix missing groups for fluentd user" | Jenkins | 1 | -78/+82
2017-04-05 | Merge "Add TLS in the internal network for Swift Proxy" | Jenkins | 1 | -1/+68
2017-04-05 | Merge "Introduce profile to configure l2 gateway Neutron agent." | Jenkins | 1 | -0/+35
2017-04-05 | Add a trigger to call ldap_backend define | Cyril Lopez | 1 | -0/+16
Ldap_backend is a define so we need a resource to talk to it. If ldap_backend_enable is set by tripleo-heat-templates, we call the ldap_backend as a resource. Given an environment such as the following:

    parameter_defaults:
      KeystoneLdapDomainEnable: true
      KeystoneLDAPBackendConfigs:
        tripleoldap:
          url: ldap://192.0.2.250
          user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
          password: Secrete
          suffix: dc=redhat,dc=example,dc=com
          user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
          user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
          user_objectclass: person
          user_id_attribute: cn
          user_allow_create: false
          user_allow_update: false
          user_allow_delete: false
      ControllerExtraConfig:
        nova::keystone::authtoken::auth_version: v3
        cinder::keystone::authtoken::auth_version: v3

It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash.
Partial-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Guillaume Coré <gucore@redhat.com>
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
2017-04-05 | Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo | Christian Schwede | 1 | -0/+36
This allows decoupling the Swift ringbuilding logic from the Controller and ObjectStorage roles. A follow up patch will modify tripleo-heat-templates and use this modified class. Actually this downloads the Swift rings even if ring building is disabled or if there is no need to rebalance. This is required, because operators can disable ring building, but use the same mechanism to distribute pre-built rings to the nodes. If ring building is disabled, these won't be uploaded at the end back to the undercloud. Related-Bug: 1665641 Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
2017-04-05 | Adding support for Bagpipe Agent as BGPVPN driver | Ricardo Noriega | 1 | -0/+37
Partially-Implements: blueprint bgpvpn-service-integration Change-Id: I54ef40f9d958e87d187a6d124995aa6951c0651a Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-04-05 | Merge "SSHD Service extensions" | Jenkins | 1 | -29/+27
2017-04-05 | Make the cluster-check property configurable | Michele Baldessari | 1 | -0/+25
This change will make the global cluster-check property configurable and will pick a lower default (60s) in case a pacemaker remote node is deployed. The cluster-recheck-interval is set to default to 15 minutes by pacemaker. This value is too high when a pacemaker remote service is deployed. With this default value a reboot of a pacemaker remote node will be reported as offline by pacemaker for up to 15 minutes. With this change we do the following:
1) Do nothing in case pacemaker remote is not deployed
2) When pacemaker remote is deployed and the operator has not specified otherwise, we set the recheck interval to 60s.
3) When the operator specifies the recheck interval we set that.
Change-Id: I900952b33317b7998a1f26a65f4d70c1726df19c Closes-Bug: #1679753
2017-04-04 | Move etcd to step 2 | Feng Pan | 1 | -1/+1
Etcd should be configured and started in step 2 with other core services when required. Change-Id: If95a74d211a194f2bfbe9653a6e19e05b095a210 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-04 | Merge "Configure migration SSH tunnel" | Jenkins | 1 | -18/+69