Age | Commit message (Collapse) | Author | Files | Lines |
|
The container now expects to find configuration at these locations.
Change-Id: Iea84a291414e515d8c72a60646188e5b37354a38
Related-Bug: #1729430
(cherry picked from commit 9df7f1c85df56fa9de54bd45f53d1c16ea23c731)
|
|
When internal TLS is enabled, generate a galera config that enable
encryption of SST rsync traffic.
The configuration relies on a new sst script wsrep_sst_rsync_tunnel,
which encapsulates rsync traffic in a socat-based encrypted tunnel.
Change-Id: I1d6ee8febb596b3ab9dcde3a85a028ee99b2798c
Depends-On: Ia857350ac451fc1bda6659d85019962d3a9d5617
Closes-Bug: #1719885
(cherry picked from commit 9fb617eaea607bc3615edeaf4608fded55045ebd)
|
|
Add innodb_flush_log_at_trx_commit from
Id5a30f1daf978e094a74db2d284febbc9ae64bb3
to the container-specific mysql_bundle.pp
Note that innodb_buffer_pool_size from
Iabdcb6f76510becb98cba35c95db550ffce44ff3 should already
be pulled at runtime from the base mysql.pp.
Closes-Bug: #1730360
Change-Id: Iba164ddcc9b24ee231fb224b03ad8e7c123d5418
(cherry picked from commit 7de6d8d9f5687cdb7e1709a7e15e98184aa615f0)
|
|
|
|
In the case of ovn HA, the ovsdb-server's running in the cluster
try to open a TCP socket on the VIP.
Closes-bug: #1720761
Change-Id: I6f762534350a3f96696c87ccd2d14545dccc8a0b
(cherry picked from commit a6483f39f9767c40e6823c7f28526441a436560a)
|
|
This is needed because when we run bundles we actually
want to store attributes on a per-node basis and not on a per-bundle
basis. By activating this attribute pacemaker will pass
some extra OCS_RESKEY_CRM_meta attributes that will help us in this
decision.
We can merge this once we have packages for pacemaker and
resource-agents releases that contain the necessary fixes.
Proper pacemaker and resource-agents are now in the repo [1] so
we can merge it and backport it to pike.
[1] https://buildlogs.centos.org/centos/7/cloud/x86_64/openstack-pike/
Closes-Bug: #1713007
Change-Id: I0dd06e953b4c81f217d0f4199b2337e4c3358086
(cherry picked from commit 6bcb011723ad7b75f18914c887dc4fa4bad4d620)
|
|
There is no reason to keep backend configuration in pacemaker-specific
manifest. This configuration is used no matter whether pacemaker is
used or not.
Change-Id: I63b53d230372a323db1d35a3774283ad2e29fbb1
Closes-Bug: #1714310
(cherry picked from commit 7327cc88246abe6473b7b29703af408adeccc88d)
|
|
This uses the tls_proxy resource in front of the Redis server when
internal TLS is enabled.
bp tls-via-certmonger
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147
(cherry picked from commit 2d1d7875aa6f0b68005c84189627bc0716a7693f)
|
|
This changes adds Dell EMC VNX backend as composable service
and matches the tripleo-heat-templates.
Change-Id: Iab80dc636913610704e1ceb2642ce738b68bb827
Implements: blueprint support-dellemc-vnx-manila
(cherry picked from commit eca5b4dfb22a9e9476cd835d2e211def4c9bd5c9)
|
|
|
|
|
|
This changes adds Dell EMC Unity backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I0df1e16db89cd53e4f16cd08ccb975d8e7e9a470
Implements: blueprint dellemc-unity-manila
(cherry picked from commit 2f93b4fc3aa63d99b7dcb0302e9ee48bda1f4282)
|
|
This changes adds Dell EMC Isilon backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I30f6b4c4ebe0a708a5eb34cd016544f4d2b9c2bb
Implements: blueprint dellemc-isilon-manila
(cherry picked from commit 75ee7f12f165d4ef6e47600d8c0ec93dff3b610d)
|
|
We missed to mount the Ceph config files into the docker/pacemaker
profiles.
Change-Id: I23b6890b4cf7f1e6fe84b6be280dde82218275fc
Closes-Bug: #1713421
(cherry picked from commit b18ae72c6aaad9eb98d7e4490a6572441f63b9a1)
|
|
|
|
|
|
|
|
It uses the control-port 3125.
Partial-bug: #1699085
Change-Id: I4787321e10cc35beeb5ec3f585dafb2268ea4f21
|
|
|
|
This changes adds Dell EMC VMAX backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I6e3b4ed6477c7ee56aef4e9849893229ca648c85
Implements: blueprint dellemc-vmax-manila
|
|
|
|
Both fs and key are handled by ceph-ansible, move fs and key
creation out of manila manifest to assure that it works with and
without ceph-ansbile.
Client-side manila key is created from ceph-mds and ceph-external
templates in I6308a317ffe0af244396aba5197c85e273e69f68.
Depends-On: I6308a317ffe0af244396aba5197c85e273e69f68
Partially-Implements: blueprint nfs-ganesha
Change-Id: I2b5567a39ac8737e80758b705818cc1807dc8bf1
|
|
When mds creates manila key [1], then manila manifest needs to check
first if this resource already exists otherwise puppet fails.
[1] I6308a317ffe0af244396aba5197c85e273e69f68
Change-Id: I3f18bbe476c4f43fa4e162cc66c5df443122cd0c
|
|
|
|
|
|
In non-containerized deployments, HAProxy can be configured to use TLS
for proxying internal services.
Fix the creation of the of the haproxy bundle resource to enable TLS
when configured. The keys and certs files, as well as the crl file are
all passed as configuration files and must be copied by Kolla at
container startup.
Change-Id: I4b72739446c63f0f0ac9f859314a4d6746e20255
Partial-Bug: #1709563
|
|
In non-containerized deployments, RabbitMQ can be configured to use TLS for
serving and mirroring traffic.
Fix the creation of the rabbitmq bundle resource to enable TLS when configured.
The key and cert are passed as other configuration files and must be copied by
Kolla at container startup.
Change-Id: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9
Partial-Bug: #1709558
|
|
In non-containerized deployments, Galera can be configured to use TLS
for gcomm group communication when enable_internal_tls is set to true.
Fix the creation of the mysql bundle resource to enable TLS when
configured. The key and cert are passed as other configuration files
and must be copied by Kolla at container startup.
Change-Id: If845baa7b0a437c28148c817b7f94d540ca15814
Partial-Bug: #1708135
|
|
The clustercheck service currently connects to mysql as root
to poll the state of the galera cluster.
Update the generated config to use clustercheck credentials.
Depends-On: If8e0b3f9e4f317fde5328e71115aab87a5fa655f
Closes-Bug: #1707683
Change-Id: I4ee6e1f56a7880ccf456f5c08d26a267fb810361
|
|
When docker-puppet runs module tripleo::haproxy to generate haproxy
configuration file, and tripleo::firewall::manage_firewall is true,
iptables is called to set up firewall rules for the proxied services
and fails due to lack of NET_ADMIN capability.
Make the generation of firewall rule configurable by exposing a
new argument to the puppet module. That way, firewall management can
be temporarily disabled when being run through docker-puppet.
Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #1697921
|
|
|
|
|
|
2017-07-20 15:09:38.571317 | manifests/glance/nfs_mount.pp:65:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571430 | manifests/pacemaker/haproxy_with_vip.pp:107:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571473 | manifests/pacemaker/haproxy_with_vip.pp:108:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571511 | manifests/pacemaker/haproxy_with_vip.pp:109:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571551 | manifests/pacemaker/resource_restart_flag.pp:44:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571590 | manifests/profile/base/cinder/volume/nfs.pp:72:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571625 | manifests/profile/base/docker.pp:188:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571661 | manifests/profile/base/docker.pp:210:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571699 | manifests/profile/base/logging/fluentd.pp:79:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571735 | manifests/profile/base/pacemaker.pp:107:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571773 | manifests/profile/base/swift/ringbuilder.pp:97:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571811 | manifests/profile/base/swift/ringbuilder.pp:125:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571850 | manifests/profile/base/swift/ringbuilder.pp:130:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571889 | manifests/profile/pacemaker/ceph/rbdmirror.pp:79:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571927 | manifests/profile/pacemaker/cinder/backup.pp:66:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571965 | manifests/profile/pacemaker/ovn_northd.pp:96:WARNING: arrow should be on the right operand's line
Change-Id: I9393c5e04310cf84695531df9bb16f33e7e15abb
|
|
Mistakenly this was set to 3121 which is the same port that pacemaker
remote uses. Move this to 3122 which was the plan all along.
Also fix a wrong port comment in redis and mysql at the same time.
Change-Id: Iccca6a53a769570443091577c7d86f47119d9cbb
|
|
This module is used by tripleo-heat-templates to configure and deploy
Kolla-based manila-share containers managed by pacemaker.
We use short-lived containers that call pcs via puppet to create
the needed pacemaker resources, properties and constraints.
Based on work done in fc5bc07b3be401694681420ba453af29b95a9fcf
Change-Id: I89f65e8a34a3a88029498463942016a9f5285f1c
Partial-Bug: #1668922
|
|
|
|
Change I6f4d3a5abae8f1781cfe6f69ff960aad500061e3 slipped in a typo
and it removed the '$' character from a puppet manifest. Which causes
a deployment to fail with:
INFO: running container haproxy-bundle-docker-0 for the first time
ERROR: /usr/bin/docker-current: Error response from daemon: Invalid bind mount spec "deployed_ssl_cert_path:deployed_ssl_cert_path:ro": Invalid volume destination path: 'deployed_ssl_cert_path' mount path must be absolute.. See '/usr/bin/docker-current run --help'.
ERROR: docker failed to launch container
Change-Id: Ic602fd443d38482bf1f924531561b2174dc38293
|
|
|
|
This solves a problem with bind-mounts when the containers are holding
files descriptors open.
At the same time this makes the template more robust to puppet changes
since new config files will be available in the containers without
needing to update the templates.
Closes-Bug: #1698323
Change-Id: I857c94ba5f7f064d7c58df621ec5d477654b9166
Depends-On: I78dcec741a941dc21adba33ba33a6dc6ff1d217c
|
|
When SSL configuration is enabled, haproxy expects to load a SSL
certificate file at startup.
Update the bundle configuration to always bind-mount the cert
file, to support both SSL and non SSL HAproxy bundle deployments.
Change-Id: I6f4d3a5abae8f1781cfe6f69ff960aad500061e3
|
|
The innodb_flush_log_at_trx_commit flag changes the timing
of when the log buffer is written to disk for writes.
At its default of 1, transactions are written to disk
and the buffer flushed on a per-transaction basis; but when
set to 2, the flush of the buffer proceeds only once per
second. This removes the durability guarantee for the
single node. However the central concept of Galera is
that durability is achieved via the cluster as a whole,
in that transactions are replicated to other nodes before
the commit succeeds (though not necessarily written to disk
unless wsrep_causal_reads is set). In this model,
data would only be lost of all nodes of the Galera cluster
were killed within one second of each other. Percona's
blog post at https://www.percona.com/blog/2014/11/17/typical-misconceptions-on-galera-for-mysql/
recommends that the value of 2 should be considered "safe"
for a Galera cluster unless you are in fact worried that
all three nodes will be powered off simultaneously.
The value here is added as an option only, defaulting
to the usual default of "1", flush per transaction.
Change-Id: Id5a30f1daf978e094a74db2d284febbc9ae64bb3
|
|
This enables the options so Galera can use TLS for the replication
traffic.
bp tls-via-certmonger
Depends-On: I9252303b92a2805ba83f86a85770db2551a014d3
Change-Id: I2ee3bf4bbda3f65f5b03440ecbc75f14225a2428
|
|
|
|
|
|
The step is typically set with the hieradata setting an integer value:
{"step": 1}
However it would be useful for the value to be a string so that
substitutions are possible, for example:
{"step": "%{::step}"}
This change ensures the step parameter defaults to an integer by
calling Integer(hiera('step'))
This change was made by manually removing the undef defaults from
fluentd.pp, uchiwa.pp, and sensu.pp then bulk updating with:
find ./ -type f -print0 |xargs -0 sed -i "s/= hiera('step')/= Integer(hiera('step'))/"
Change-Id: I8a47ca53a7dea8391103abcb8960a97036a6f5b3
|
|
|
|
|
|
This takes into use the cluster_host_map, which allows to give aliases
to the pacemaker nodes (which are FQDNs), and allows us to configure the
cluster using FQDNs.
We need FQDNs in order to request certificates, since the default CA
(FreeIPA) only allows certificates for FQDNs.
Change-Id: I2f146afdd32aef2d11cf25a65fa8d67428f621f5
|
|
|
|
|