Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
bp secure-etcd
Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
Including the ::ssh manifest will manage both client and server config.
Managing the client config was not intended and will clobber the OS
default config with the puppet ssh moduled defaults.
Follow up for https://review.openstack.org/443113 where I found the issue after
the changes merged.
Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
Related-Bug: 1668543
|
|
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
|
|
|
|
|
|
|
|
This patch adds a new registry_mirror option to help
configure /etc/docker/daemon.json so that we can make use
of HTTP docker mirrors within upstream TripleO CI (infra).
Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
|
|
The docker_registry profile has resources to configure
the docker service and package. These conflict with the
entries in the tripleo::profile::base::docker class which
exists specifically to manage these resources (and has
unit tests).
This patch removes the duplicate resources and updates
the docker_registry profile to simply include the
base docker profile instead.
This instack-undercloud change below needs to land first.
Depends-On: I6154f4c7435b02b92f6f64687e9ee89d6b86186a
Change-Id: I75c740e7efc6662861c28caeb7fa965ba55438cb
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
bundle rake syntax
Could not parse for environment *root*: Syntax error at ')'; expected '}'
Change-Id: Idfb254df068b3d7342a6ea3c71dabd1316a61bdf
|
|
The SSH drivers are deprecated, pxe_ipmitool + virtualbmc should be used instead.
This is a follow-up to blueprint switch-to-virtualbmc.
Change-Id: I4fd567dffa3992042eebcf495334b8130e1bdc9f
|
|
This merely requests the certificates that will be used for libvirt's
live migration if TLS-everywhere is enabled.
bp tls-via-certmonger
Change-Id: If18206d89460f6660a81aabc4ff8b97f1f99bba7
|
|
|
|
This sets the flag create_domain_entry for the ldap_backend resource,
which will create the domain for the ldap backend (this was previously
not the case since only the configuration was created). Furtherly, this
flag will also refresh the keystone server, so the changes come into
effect.
Note that this is only done in step 3, so the domains are created there
and the refresh happens in that step. Also, this is only done for the
bootstrap node, since when the other nodes start, they will already have
the domains available in the keystone database and there won't be a need
to restart.
Related-Bug: #1677603
Depends-On: Ib6c633b6a975e4b760c10a2aef3c252885b05e28
Change-Id: Id879cf5c5ae39d37bf58b73c78733001d2b03d9c
|
|
|
|
puppet-tripleo"
|
|
|
|
|
|
|
|
|
|
Previously we were always run the galera-ready exec every step. This
change switches it to be refreshonly so we only wait when the service is
setup or restarted.
Change-Id: I5ff9d49c2590751913b96777bcd72c8a15627a01
Closes-Bug: #1680586
|
|
This patch adds the appropriate include to make sure that appropriate
keystone user, services, etc. are created when octavia is selected.
Closes-bug: #1680588
Change-Id: I0b6d657a0300538292223923d8808c23f936c193
|
|
The creation of /etc/my.cnf.d is not idempotent and is run anytime the
mysql client profile is included. This change adds an unless parameter
to ensure it is only run if not used.
Change-Id: I4a30eaccf72f5687dc22ba93c19136e55d36dcab
Closes-Bug: #1680570
|
|
|
|
|
|
|
|
|
|
Ldap_backend is a define so we need a resource to talk it. If
ldap_backend_enable set by tripleo-heat-templates, we call the
ldap_backend as a resource.
Given an environment such as the following:
parameter_defaults:
KeystoneLdapDomainEnable: true
KeystoneLDAPBackendConfigs:
tripleoldap:
url: ldap://192.0.2.250
user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
password: Secrete
suffix: dc=redhat,dc=example,dc=com
user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
user_objectclass: person
user_id_attribute: cn
user_allow_create: false
user_allow_update: false
user_allow_delete: false
ControllerExtraConfig:
nova::keystone::authtoken::auth_version: v3
cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.
More backends can be added as more entries to that hash.
Partial-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Guillaume Coré <gucore@redhat.com>
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
|
|
This allows decoupling the Swift ringbuilding logic from the Controller
and ObjectStorage roles. A follow up patch will modify
tripleo-heat-templates and use this modified class.
Actually this downloads the Swift rings even if ring building is
disabled or if there is no need to rebalance. This is required, because
operators can disable ring building, but use the same mechanism to
distribute pre-built rings to the nodes.
If ring building is disabled, these won't be uploaded at the end back to
the undercloud.
Related-Bug: 1665641
Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
|
|
Partially-Implements: blueprint bgpvpn-service-integration
Change-Id: I54ef40f9d958e87d187a6d124995aa6951c0651a
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
|
|
This change will make the global cluster-check property configurable
and will pick a lower default (60s) in case a pacemaker remote node
is deployed.
The cluster-recheck-interval is set to default to 15minutes by
pacemaker. This value is too high when a pacemaker remote service
is deployed. With this default value a reboot of a pacemaker remote
node will be reported as offline by pacemaker for up to 15minutes.
With this change we do the following:
1) Do nothing in case pacemaker remote is not deployed
2) When pacemaker remote is deployed and the operator has not
specified otherwise, we set the recheck interval to 60s.
3) When the operator specifies the recheck interval we set that.
Change-Id: I900952b33317b7998a1f26a65f4d70c1726df19c
Closes-Bug: #1679753
|
|
Etcd should be configured and started in step 2 with other core
services when required.
Change-Id: If95a74d211a194f2bfbe9653a6e19e05b095a210
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
|
|
|
|
|
|
This change adds an `include` statement to bring in the extra
functionality available from the existing puppet-ssh module in
already available in RDO.
By using puppet-ssh it provides a framework to allow the passing in of
server options using just hiera values under ssh::server_options.
For example, sshd_config banner can now be passed a server option, as
well as all the new parameters outlined in the launchpad issue that
the patch references for Closing. For this reason, the former augeas
setting for `Banner /etc/issue` is now managed by the main puppet-ssh
module instead.
The change also allows population of MOTD text to `/etc/motd` as
well as `issue.net`.
$bannertext is refactored in accordance with patch [1]
[1] https://review.openstack.org/#/c/442406/
Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c
Closes-Bug: 1668543
|
|
bp tls-via-certmonger
Change-Id: I8a66d3a067f934ea30b668308237cbca1d58fbb8
Depends-On: I3cb9d53d75f982068f1025729c1793efaee87380
|
|
This adds the necessary bits for a TLS Proxy to be placed in front of
swift proxy when TLS-everywhere is enabled.
This will be furtherly cleaned up once the t-h-t bits are added.
bp tls-via-certmonger
Change-Id: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
|
|
|
|
Added the heat templates for Cinder Pure Storage FlashArray
backend to use composable services
Change-Id: I6f46f45a3af394de85672261c7d72ddc492a07b2
|
|
This enables configuring new-style drivers (aha hardware types).
Part of blueprint ironic-driver-composition
Change-Id: I72eb8b06cca14073d1d1c82462fb702630e02de3
|
|
Currently, mongodb has no limits on how much memory
it can consume. This enforces restriction so mongodb
service limits through systemd.
The puppet-systemd module has support for limits. The
MemoryLimit support is added in the follwoing pull
request https://github.com/camptocamp/puppet-systemd/pull/23
Closes-bug: #1656558
Change-Id: Ie9391aa39532507c5de8dd668a70d5b66e17c891
|