path: root/manifests/profile/base
Age | Commit message | Author | Files | Lines
2017-09-29 | Add timeout for VPP interface command | Feng Pan | 2 | -4/+17
We need to have a time out before trying to create VPP tap interfaces. Change-Id: I9954240529278e74d93fdf89d2ebc2536249245a Signed-off-by: Feng Pan <fpan@redhat.com> (cherry picked from commit 82b874e3f46b4a4b0b1e059135d5f05c9ac4c3f0)
2017-08-18 | Change the step from 4 to 5, to make sure gnocchi and aodh | jhinman1 | 1 | -1/+1
are up before collectd starts, else there may be unrecoverable errors in the connections. Change-Id: I486c4045e29c7032526be6e19d11e7979070c2d9 Signed-off-by: jhinman1 <john.hinman@intel.com>
2017-08-10 | Add support for odl-fdio-dvr scenarios | Feng Pan | 2 | -2/+50
Change-Id: I2025e3157b97b376b63002003ca17c7206aba546 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-08-09 | Merge "Adds networking-sfc support" | Feng Pan | 1 | -0/+37
2017-08-02 | Merge "nosdn-fdio scenario fixes" | Tim Rozet | 1 | -8/+1
2017-08-01 | Adds networking-sfc support | Tim Rozet | 1 | -0/+37
Enables configuration for Service Function Chaining plugin with neutron. Implements: blueprint networking-sfc-support Change-Id: Icd433ddc6ae7de19a09f9e33b410a362c317138a Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-08-01 | Add puppet base class for barometer service. | jhinman1 | 1 | -0/+33
Puppet module is at: https://github.com/johnhinman/puppet-barometer/ Change-Id: I878ff8d1e0a8b96f3380bb77f168cd5a4c3f6543 Signed-off-by: jhinman1 <john.hinman@intel.com>
2017-07-31 | nosdn-fdio scenario fixes | Feng Pan | 1 | -8/+1
- Add vpp_physnet_mappings function
- Change etcd deployment model
Change-Id: Ie336c22b366bd478963ca14e25d645fec0cded7a Signed-off-by: Feng Pan <fpan@redhat.com>
2017-07-27 | Add VPP and honeycomb services | Feng Pan | 6 | -1/+193
Change-Id: I6ed724f4c81a230a17584c33cc4de8b4000d525e
2017-07-12 | Enables OpenDaylight Clustering in HA deployments | Tim Rozet | 3 | -15/+38
Previously ODL was restricted to only running on the first node in a tripleO HA deployment. This patch enables clustering for ODL and allows multiple ODL instances (minimum 3 for HA). Partially-implements: blueprint opendaylight-ha Change-Id: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-07-12 | Adding support for BGPVPN service plugin | Ricardo Noriega | 1 | -0/+36
puppet-neutron (Ocata) has already got that support, so this patch only calls that manifest. Change-Id: I4af82d456c9d999667f2ef4d16e8f6822463d331 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-07-03 | Ignore failures when loading nf_conntrack_proto_sctp kernel module | Or Idgar | 1 | -5/+23
Ignore failures if nf_conntrack_proto_sctp module failed to load. Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the kernel instead of as a module as the sctp support. TripleO will still try to load the module to support RHEL 7.3, but in the future will remove the module management and rely on the kernel provided in newer versions of RHEL. Co-Authored-By: Or Idgar <oidgar@redhat.com> Co-Authored-By: Alex Schultz <aschultz@redhat.com> Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79 Closes-Bug: 1695885 (cherry picked from commit 76eb1bbd4f977e16c97516500f050f8b49e7399d)
2017-06-21 | Move gnocchi upgrade and api to step 4 | Pradeep Kilambi | 1 | -12/+12
gnocchi upgrade requires storage sacks to be initialized. This means we need to ensure the storage backends are up before running the upgrade and starting the api. Let's move the api to step 4 so we can ensure other dependencies are in place. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: Ibfa9fb39f60c1e4a802d189b32ff4c34476c93d3 Change-Id: If2ae48b21389e76fd638c0b48c148a5d4f227630 (cherry picked from commit 5e91493f7aaecef924a78f0743f812a225080085)
2017-06-21 | Merge "Cover gnocchi api step 4 and 5" into stable/ocata | Jenkins | 1 | -1/+11
2017-06-16 | Merge "Add support for autofencing to Pacemaker Remote." into stable/ocata | Jenkins | 1 | -0/+27
2017-06-15 | Merge "Dell SC: Add secondary DSM support" into stable/ocata | Jenkins | 1 | -10/+14
2017-06-15 | Cover gnocchi api step 4 and 5 | Alex Schultz | 1 | -1/+11
Update the gnocchi api to expose the redis information as a class parameter so it can be tested correctly. Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71 (cherry picked from commit 4450afd495794a8ac0fc5b8c51d696416e5deb9d)
2017-06-15 | Merge "Add support for Cinder "NAS secure" driver params" into stable/ocata | Jenkins | 2 | -6/+29
2017-06-15 | Dell SC: Add secondary DSM support | rajinir | 1 | -10/+14
Adds support for a secondary DSM in case the primary becomes unavailable. Change-Id: Ibf8c333f62556d421d67c853f1f0740d7f9985bf Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7 (cherry picked from commit f30b791103ec3c5ff9b2e656fe751ad4bb3c6a6c)
2017-06-14 | Merge "Dell SC: Add exclude_domain_ip option" into stable/ocata | Jenkins | 1 | -0/+1
2017-06-13 | Add support for autofencing to Pacemaker Remote. | Chris Jones | 1 | -0/+27
We now configure stonith devices for Pacemaker Remote nodes. Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197 Partial-Bug: #1686115 (cherry picked from commit 19d177c182f35a16bf3ddccfcf7fad6bb54c7bb2)
2017-06-02 | Add conditional for setting authlogin_nsswitch_use_ldap selboolean | Jacob Liberman | 1 | -0/+6
If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must be enabled. This setting allows LDAP communications to the confined LDAP/server port. This change includes a conditional for enabling this Boolean only when selinux is in use. Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe Closes-Bug: #1695002 (cherry picked from commit 90704a6017f7c539e3c1fed038ed247763619380)
2017-06-01 | Restrict nova migration ssh tunnel | Oliver Walsh | 1 | -45/+89
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.
Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327
bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293 (cherry picked from commit f8ca94a5b7c7658631f5b0a9b010251ebbcff65e)
2017-05-31 | Dell SC: Add exclude_domain_ip option | rajinir | 1 | -0/+1
This option allows users to exclude some fault domains. Otherwise all domains are returned. Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483 Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433 (cherry picked from commit 49ea8b5ed3ce79857e7875413f908f8cdcce1a8e)
2017-05-23 | Add support for Cinder "NAS secure" driver params | Alan Bishop | 2 | -6/+29
Add ability to set Cinder's nas_secure_file_operations and nas_secure_file_permissions driver parameters. Two sets of identically named parameters are implemented by Cinder's NFS and NetApp back end drivers. The ability to control these parameters is crucial for supporting deployments that require non-default values. Partial-Bug: #1688332 Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9 Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308 (cherry picked from commit 5a350024957d197295a16f6f25e8a253c7c1545a)
2017-05-19 | Use verify_on_create when creating pacemaker remote resources | Michele Baldessari | 1 | -0/+1
We currently create remote resources without waiting for their creation. This leads to the following potential race (spotted by Marian Mkrcmari):
- On Step1 pacemaker bootstrap node creates the resource but the remote resource is not yet created
- Step1 completes and Step2 starts
- On Step2 the remote node sets a property (or calls pcs cib) but the remote is not yet set up so 'pcs cluster cib' will fail there with:
  (err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed with code: 1 ->
Note that when verify_on_create is set to true we are not using the cib dump/push mechanism. That is fine because we create the remotes on step1 and the dump/push mechanism is only needed starting from step2 when multiple nodes set cluster properties at the same time. Tested by Marian Mkrcmari successfully as well. Closes-Bug: #1689028 Change-Id: I764526b3f3c06591d477cc92779d83a19802368e Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f (cherry picked from commit b6d02fd5001153b53b3061d63d2cb686b0646f18)
2017-04-25 | Merge "Refactor SSHD config to allow both SSHD options and banner/motd to be set" into stable/ocata | Jenkins | 1 | -4/+30
2017-04-25 | Merge "Stop SSHD profile clobbering SSH client config" into stable/ocata | Jenkins | 1 | -1/+1
2017-04-25 | Merge "SSHD Service extensions" into stable/ocata | Jenkins | 1 | -29/+27
2017-04-25 | Merge "Move gnocchi wsgi configuration to step 3" into stable/ocata | Jenkins | 1 | -1/+3
2017-04-21 | Merge "Configure migration SSH tunnel" into stable/ocata | Jenkins | 1 | -19/+68
2017-04-21 | Refactor SSHD config to allow both SSHD options and banner/motd to be set | Oliver Walsh | 1 | -4/+30
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd are mutually exclusive. This patch, and the next patchset of that review, resolves the conflict. Related-Bug: 1668543 Change-Id: I1d09530d69e42c0c36311789166554a889e46556 (cherry picked from commit 3c49f51c8f42472d0d1cb2986b46a6c96821293a)
2017-04-21 | Stop SSHD profile clobbering SSH client config | Oliver Walsh | 1 | -1/+1
Including the ::ssh manifest will manage both client and server config. Managing the client config was not intended and will clobber the OS default config with the puppet ssh module defaults. Follow up for https://review.openstack.org/443113 where I found the issue after the changes merged. Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5 Related-Bug: 1668543 (cherry picked from commit 2a329d545d0e619c88c323148d5fe2098e70b4b1)
2017-04-21 | SSHD Service extensions | lhinds | 1 | -29/+27
This change adds an `include` statement to bring in the extra functionality available from the existing puppet-ssh module already available in RDO. By using puppet-ssh it provides a framework to allow the passing in of server options using just hiera values under ssh::server_options. For example, sshd_config banner can now be passed as a server option, as well as all the new parameters outlined in the launchpad issue that the patch references for Closing. For this reason, the former augeas setting for `Banner /etc/issue` is now managed by the main puppet-ssh module instead. The change also allows population of MOTD text to `/etc/motd` as well as `issue.net`. $bannertext is refactored in accordance with patch [1] [1] https://review.openstack.org/#/c/442406/ Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c Related-Bug: 1668543 (cherry picked from commit b35bc80ac2acf18463e4c18c8360862749aa0964)
2017-04-21 | Merge "Move ceilometer wsgi to step 3" into stable/ocata | Jenkins | 1 | -1/+1
2017-04-21 | Configure migration SSH tunnel | Oliver Walsh | 1 | -19/+68
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec (cherry picked from commit ccbcd11276c7bc3ffc8f013d9a5b2d3944bf76cf)
2017-04-19 | Ensure we configure ssl.conf | Lukas Bezdicka | 10 | -0/+10
Every time we call apache module regardless of using SSL we have to configure mod_ssl from puppet-apache or we'll hit issue during package update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains Listen 443 while apache::mod::ssl just configures SSL bits but does not add Listen. If the apache::mod::ssl is not included the ssl.conf file is removed and recreated during mod_ssl package update. This causes conflict on port 443. Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8 Related-Bug: 1682448 Resolves: rhbz#1441977 (cherry picked from commit 9e729c0db22865d036860346eb6b81c4c2108719)
2017-04-19 | Merge "Enable creation of keystone domain when ldap backends are created" into stable/ocata | Jenkins | 1 | -1/+3
2017-04-19 | Merge "Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo" into stable/ocata | Jenkins | 1 | -0/+36
2017-04-17 | Move ceilometer wsgi to step 3 | Alex Schultz | 1 | -1/+1
Apache is configured in step 3 so if we configure ceilometer in step 4, the configuration is removed on updates. We need to configure it in step 3 with the other apache services to ensure we don't have issues on updates. Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423 Related-Bug: #1664418 (cherry picked from commit 890178bd6f6f465ffcb8cf4ad9b8019a1d6dc653)
2017-04-17 | Move gnocchi wsgi configuration to step 3 | Alex Schultz | 1 | -1/+3
We configure apache in step3 so we need to configure the gnocchi api in step 3 as well to prevent unnecessary service restarts during updates. Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be Related-Bug: #1664418 (cherry picked from commit 9de4c92571fdbe342a20a68e4ee44feb55464007)
2017-04-17 | Restrict mongodb memory usage | Pradeep Kilambi | 1 | -0/+11
Currently, mongodb has no limits on how much memory it can consume. This enforces restriction so mongodb service limits through systemd. The puppet-systemd module has support for limits. The MemoryLimit support is added in the following pull request https://github.com/camptocamp/puppet-systemd/pull/23 Closes-bug: #1656558 Change-Id: Ie9391aa39532507c5de8dd668a70d5b66e17c891 (cherry picked from commit 3aa86a4ea3c2406f79d6283cbb158f67136b5e9a)
2017-04-10 | Merge "Add missing octavia auth include to keystone manifest" into stable/ocata | Jenkins | 1 | -0/+3
2017-04-09 | Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo | Christian Schwede | 1 | -0/+36
This allows decoupling the Swift ringbuilding logic from the Controller and ObjectStorage roles. A follow up patch will modify tripleo-heat-templates and use this modified class. Actually this downloads the Swift rings even if ring building is disabled or if there is no need to rebalance. This is required, because operators can disable ring building, but use the same mechanism to distribute pre-built rings to the nodes. If ring building is disabled, these won't be uploaded at the end back to the undercloud. Related-Bug: 1665641 Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b (cherry picked from commit 3412150d91dc7fe6e9f168b4ffdbb4d54c39fc55)
2017-04-08 | Enable creation of keystone domain when ldap backends are created | Juan Antonio Osorio Robles | 1 | -1/+3
This sets the flag create_domain_entry for the ldap_backend resource, which will create the domain for the ldap backend (this was previously not the case since only the configuration was created). Furthermore, this flag will also refresh the keystone server, so the changes come into effect. Note that this is only done in step 3, so the domains are created there and the refresh happens in that step. Also, this is only done for the bootstrap node, since when the other nodes start, they will already have the domains available in the keystone database and there won't be a need to restart. Related-Bug: #1677603 Depends-On: Ib6c633b6a975e4b760c10a2aef3c252885b05e28 Change-Id: Id879cf5c5ae39d37bf58b73c78733001d2b03d9c (cherry picked from commit 13ea87e658e36d1afcc3e4db7f43bcfc068e1f49)
2017-04-07 | syntax error extra comma in rabbitmq.pp | Jon Schlueter | 1 | -1/+1
bundle rake syntax Could not parse for environment *root*: Syntax error at ')'; expected '}' Change-Id: Idfb254df068b3d7342a6ea3c71dabd1316a61bdf (cherry picked from commit 33e0fe959d849acdab4b084ffd31d242c58ff6b6)
2017-04-07 | Add missing octavia auth include to keystone manifest | Brent Eagles | 1 | -0/+3
This patch adds the appropriate include to make sure that appropriate keystone user, services, etc. are created when octavia is selected. Closes-bug: #1680588 Change-Id: I0b6d657a0300538292223923d8808c23f936c193 (cherry picked from commit 23e723255cf46fd730cae185a0dc1f7194a511e0)
2017-04-07 | Merge "Make the cluster-check property configurable" into stable/ocata | Jenkins | 1 | -0/+25
2017-04-07 | Add a trigger to call ldap_backend define | Cyril Lopez | 1 | -0/+16
Ldap_backend is a define so we need a resource to talk to it. If ldap_backend_enable is set by tripleo-heat-templates, we call the ldap_backend as a resource. Given an environment such as the following:

    parameter_defaults:
      KeystoneLdapDomainEnable: true
      KeystoneLDAPBackendConfigs:
        tripleoldap:
          url: ldap://192.0.2.250
          user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
          password: Secrete
          suffix: dc=redhat,dc=example,dc=com
          user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
          user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
          user_objectclass: person
          user_id_attribute: cn
          user_allow_create: false
          user_allow_update: false
          user_allow_delete: false
      ControllerExtraConfig:
        nova::keystone::authtoken::auth_version: v3
        cinder::keystone::authtoken::auth_version: v3

It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash. Partial-Bug: 1677603 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Co-Authored-By: Guillaume Coré <gucore@redhat.com> Signed-off-by: Cyril Lopez <cylopez@redhat.com> Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db (cherry picked from commit b8388e378a9151bccbac0db0478b1ef5d1e2e3fb)
2017-04-07 | Make the cluster-check property configurable | Michele Baldessari | 1 | -0/+25
This change will make the global cluster-check property configurable and will pick a lower default (60s) in case a pacemaker remote node is deployed. The cluster-recheck-interval is set to default to 15 minutes by pacemaker. This value is too high when a pacemaker remote service is deployed. With this default value a reboot of a pacemaker remote node will be reported as offline by pacemaker for up to 15 minutes. With this change we do the following:
1) Do nothing in case pacemaker remote is not deployed
2) When pacemaker remote is deployed and the operator has not specified otherwise, we set the recheck interval to 60s.
3) When the operator specifies the recheck interval we set that.
Change-Id: I900952b33317b7998a1f26a65f4d70c1726df19c Closes-Bug: #1679753 (cherry picked from commit f464e9f703b824f8971ade50c32884748caffefc)