aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile
AgeCommit message (Collapse)AuthorFilesLines
2017-05-05Handle duplicate/invalid entries in migration SSH inbound addressesOliver Walsh1-3/+7
An error (e.g a typo) in a custom tripleo-heat-templates environment file could lead to an invalid match block in /etc/ssh/sshd_config. SSH fails-safe and refuses all logins in this case. This change validates the migration_ssh_localaddrs parameter is an array of IP addresses and removes and duplicate entries. Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25 Closes-Bug: #1688308
2017-05-05Disable SSH login for nova_migration user when migration over ssh is disabled.Oliver Walsh1-23/+34
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary. Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3 Closes-Bug: #1688321
2017-05-03Restrict nova migration ssh tunnelOliver Walsh1-58/+101
This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-04-27Merge "Fix wrong notify in swift proxy profile"Jenkins1-1/+1
2017-04-27Merge "Add linuxbridge agent profile"Jenkins1-0/+20
2017-04-27Fix wrong notify in swift proxy profileJuan Antonio Osorio Robles1-1/+1
the TLS proxy was notifying neutron::server instead of swift proxy. Change-Id: I212978c107a75209d5b7c266e608eb9a9e9cdc76
2017-04-26Add a flag to rabbitmq so that we can deploy with ha-mode: all againMichele Baldessari1-2/+6
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a nice performance boost with rabbitmq, it makes rabbit less resilient to network glitches as we painfully found out via https://bugzilla.redhat.com/show_bug.cgi?id=1441635. Will propose another THT change to actually change the default to -1 so we get this ha-mode:all by default. Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c Partial-Bug: #1686337 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins2-10/+56
2017-04-25Merge "Add support for Redfish hardware in Ironic"Jenkins1-0/+1
2017-04-25Merge "Include zaqar apache module"Jenkins1-2/+5
2017-04-25Merge "Dell SC: Add secondary DSM support"Jenkins1-10/+14
2017-04-24Add support for Redfish hardware in IronicDmitry Tantsur1-0/+1
Part of blueprint redfish-support Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
2017-04-21Move ceilometer upgrade re-run out of collectorPradeep Kilambi2-9/+18
Since collector is deprecated, lets move this out of collector.pp so it gets run and resource types are created appropriately even when collector is not included. Closes-bug: #1676961 Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
2017-04-21Merge "Cover gnocchi api step 4 and 5"Jenkins1-1/+11
2017-04-21Merge "Add resource profile for vmware nsx_v3"Jenkins1-0/+45
2017-04-21Merge "Add ML2 configuration for Bagpipe BGPVPN extension"Jenkins1-0/+37
2017-04-20Include zaqar apache moduleThomas Herve1-2/+5
This includes the Zaqar apache module, allowing to run Zaqar behind httpd. Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906 Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
2017-04-19Refactor SSHD config to allow both SSHD options and banner/motd to be setOliver Walsh1-4/+30
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd are mutually exclusive. This patch, and the next patchset of that review, resolves the conflict. Related-Bug: 1668543 Change-Id: I1d09530d69e42c0c36311789166554a889e46556
2017-04-19Cover gnocchi api step 4 and 5Alex Schultz1-1/+11
Update the gnocchi api to expose the redis information as a class parameter so it can be tested correctly. Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
2017-04-19Ensure /etc/docker/daemon.jsonDan Prince1-0/+9
A recent Centos docker packaging change removed the default /etc/docker/daemon.json file. As such we need to create an empty json file if none exists before running Augeas to configure the settings. Change-Id: Ibfe04b468639002f55da7bb65d2606f730c700b7 Closes-bug: #1684297
2017-04-19Dell SC: Add secondary DSM supportrajinir1-10/+14
Adds support for a secondary DSM in case the primary becomes unavailable. Change-Id: Ibf8c333f62556d421d67c853f1f0740d7f9985bf Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7
2017-04-19Merge "Ensure we configure ssl.conf"Jenkins13-0/+13
2017-04-19Add linuxbridge agent profileBartosz Stopa1-0/+20
Add a tripleo profile for neutron linuxbridge agent configuration. Change-Id: Ie3ac03052f341c26735b423701e1decf7233d935 Partial-Bug: #1652211
2017-04-19Merge "Create bigswitch agent profile"Jenkins1-0/+31
2017-04-18Ensure we configure ssl.confLukas Bezdicka13-0/+13
Every time we call apache module regardless of using SSL we have to configure mod_ssl from puppet-apache or we'll hit issue during package update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains Listen 443 while apache::mod::ssl just configures SSL bits but does not add Listen. If the apache::mod::ssl is not included the ssl.conf file is removed and recreated during mod_ssl package update. This causes conflict on port 443. Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8 Related-Bug: 1682448 Resolves: rhbz#1441977
2017-04-17Merge "Support for external swift proxy"Jenkins1-1/+1
2017-04-15Merge "Move ceilometer wsgi to step 3"Jenkins1-1/+1
2017-04-15Merge "Move gnocchi wsgi configuration to step 3"Jenkins1-1/+3
2017-04-14Merge "Dell SC: Add exclude_domain_ip option"Jenkins1-0/+1
2017-04-14Support for external swift proxyLuca Lorenzetto1-1/+1
Users may have an external swift proxy already available (i.e. radosgw from already existing ceph, or hardware appliance implementing swift proxy). With this change user may specify an environment file that registers the specified urls as endpoint for the object-store service. The internal swift proxy is left as unconfigured. Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
2017-04-13Merge "Make install of kolla optional on the undercloud"Jenkins1-4/+11
2017-04-12Dell SC: Add exclude_domain_ip optionrajinir1-0/+1
This option allows users to exclude some fault domains. Otherwise all domains are returned. Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483 Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433
2017-04-12Make install of kolla optional on the undercloudMartin André1-4/+11
This defaults to 'True' to keep backward compatibility and can be disabled by setting 'enable_container_images_built' to false in undercloud.conf. Depends-On: Ia3379cf66b1d6b180def69c2a5b22b2602baacef Change-Id: I33e7e9a6a3865fed38f7ed6490455457da67782b
2017-04-12Move gnocchi wsgi configuration to step 3Alex Schultz1-1/+3
We configure apache in step3 so we need to configure the gnocchi api in step 3 as well to prevent unnecessary service restarts during updates. Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be Related-Bug: #1664418
2017-04-12Move ceilometer wsgi to step 3Alex Schultz1-1/+1
Apache is configured in step 3 so if we configure ceilometer in step 4, the configuration is removed on updates. We need to configure it in step 3 with the other apache services to ensure we don't have issues on updates. Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423 Related-Bug: #1664418
2017-04-12Merge "Stop SSHD profile clobbering SSH client config"Jenkins1-1/+1
2017-04-12Add ML2 configuration for Bagpipe BGPVPN extensionRicardo Noriega1-0/+37
Change-Id: I9e1a56782e258fb6982b70d9a07f35808f2b2de5 Depends-On: Ic975ec1d6b2bf6e6bd28b47ba9dd2a3ae629d149 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-04-12Merge "Ensure directory exists for certificates for httpd"Jenkins1-0/+1
2017-04-12Enable internal network TLS for etcdFeng Pan2-10/+56
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-11Stop SSHD profile clobbering SSH client configOliver Walsh1-1/+1
Including the ::ssh manifest will manage both client and server config. Managing the client config was not intended and will clobber the OS default config with the puppet ssh moduled defaults. Follow up for https://review.openstack.org/443113 where I found the issue after the changes merged. Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5 Related-Bug: 1668543
2017-04-11Ensure directory exists for certificates for httpdJuan Antonio Osorio Robles1-0/+1
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating this directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-11Merge "Add registry_mirror to base::docker profile"Jenkins1-0/+23
2017-04-11Merge "Use docker profile in docker_registry"Jenkins1-6/+3
2017-04-10Merge "Move etcd to step 2"Jenkins1-1/+1
2017-04-08Add registry_mirror to base::docker profileDan Prince1-0/+23
This patch adds a new registry_mirror option to help configure /etc/docker/daemon.json so that we can make use of HTTP docker mirrors within upstream TripleO CI (infra). Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
2017-04-07Use docker profile in docker_registryDan Prince1-6/+3
The docker_registry profile has resources to configure the docker service and package. These conflict with the entries in the tripleo::profile::base::docker class which exists specifically to manage these resources (and has unit tests). This patch removes the duplicate resources and updates the docker_registry profile to simply include the base docker profile instead. This instack-undercloud change below needs to land first. Depends-On: I6154f4c7435b02b92f6f64687e9ee89d6b86186a Change-Id: I75c740e7efc6662861c28caeb7fa965ba55438cb
2017-04-07Merge "TLS-everywhere: Add resources for libvirt's cert for live migration"Jenkins1-0/+12
2017-04-07Merge "Stop including ironic::drivers::ssh in the ironic-conductor profile"Jenkins1-1/+4
2017-04-07Merge "Enable creation of keystone domain when ldap backends are created"Jenkins1-1/+3
2017-04-07Merge "syntax error extra comma in rabbitmq.pp"Jenkins1-1/+1