Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: Iba3adb9464a755e67c6f87d1233b3affa8be565a
|
|
We already are setting a pre-shared key by default for the pacemaker
cluster. This was done in order to communicate with TLS-PSK with
pacemaker-remote clusters. This key is also useful for us to enable
encrypted traffic for the regular cluster traffic, which we enable by
default with this patch.
Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf
|
|
The clustercheck service currently connects to mysql as root
to poll the state of the galera cluster.
Update the generated config to use clustercheck credentials.
Depends-On: If8e0b3f9e4f317fde5328e71115aab87a5fa655f
Closes-Bug: #1707683
Change-Id: I4ee6e1f56a7880ccf456f5c08d26a267fb810361
|
|
|
|
Recent changes in Nova [0] and Cinder [1] result in Barbican being selected
as the default encryption key manager, even when TripleO is not deploying
Barbican.
This change ensures the legacy key manager is enabled when no key manager
(such as Barbican) has been specified. This restores the previous behavior,
where the legacy key manager was enabled by default.
[0] https://review.openstack.org/484501
[1] https://review.openstack.org/485322
Closes-Bug: #1706389
Change-Id: Idc92f7a77cde757538eaac51c4ad8dc397f9c3d3
|
|
This changes adds Dell EMC Unity backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I015f7dfec4bedf72332d91b91cda3ef1dc8caf8c
|
|
This allows running Zaqar with SSL under Apache.
Change-Id: I4c68a662c2433398249f770ac50ba0791449fe71
|
|
When docker-puppet runs module tripleo::haproxy to generate haproxy
configuration file, and tripleo::firewall::manage_firewall is true,
iptables is called to set up firewall rules for the proxied services
and fails due to lack of NET_ADMIN capability.
Make the generation of firewall rule configurable by exposing a
new argument to the puppet module. That way, firewall management can
be temporarily disabled when being run through docker-puppet.
Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #1697921
|
|
The unit tests jobs are failing because of missing pre conditions for
the new shared class introduced by
Ib233689fdcdda391596d01a21f77bd8e1672ae04. Additionally this change
moved some classes around so that the tests are now failing due to
duplicate class declarations for nova::compute::libvirt::services. This
change moves the include that pulls in the declaration first prior to
the include that exists in tripleo::profile::base::nova::libvirt.
The selinux test was also failing due to a type issue with the fact
being used (boolean vs string)
Change-Id: I5bd4b61d6008820729d58f7743e7e61955dd6f51
Closes-Bug: #1707034
|
|
|
|
Having this run in step 4 causes a refresh (restart) for httpd, which
in turn is problematic for the gnocchi db upgrade command, since when
it runs httpd is not available at that point. This fixes the issue,
since the API configuration is now ran at the same time as the wsgi
bits.
Change-Id: Ie0ab389a4450bb940757e34d1964423911885fa3
|
|
puppet support for this is added in Id8d4d091da2611de75390e045ebd473caf2a8909
Change-Id: I3354b54571a1b9d0a9187698217628d273cd7d7e
|
|
|
|
|
|
|
|
|
|
Previously we had used an exec defined in puppet-tripleo to do
clustering with OpenDaylight docker containers. The clustering issue is
now fixed in puppet-opendaylight by:
https://git.opendaylight.org/gerrit/#/c/60491
So removing the custom function and class workaround. Also,
'ha_node_index' is deprecated for configuring clustering with
puppet-opendaylight so that is also removed.
Depends-On: I21c1eb2eff6d4cb855eff4a1122f55ad625d84cc
Change-Id: I7693b692c74071945fdcc08292542e9b458a540b
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
2017-07-20 15:09:38.571317 | manifests/glance/nfs_mount.pp:65:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571430 | manifests/pacemaker/haproxy_with_vip.pp:107:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571473 | manifests/pacemaker/haproxy_with_vip.pp:108:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571511 | manifests/pacemaker/haproxy_with_vip.pp:109:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571551 | manifests/pacemaker/resource_restart_flag.pp:44:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571590 | manifests/profile/base/cinder/volume/nfs.pp:72:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571625 | manifests/profile/base/docker.pp:188:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571661 | manifests/profile/base/docker.pp:210:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571699 | manifests/profile/base/logging/fluentd.pp:79:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571735 | manifests/profile/base/pacemaker.pp:107:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571773 | manifests/profile/base/swift/ringbuilder.pp:97:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571811 | manifests/profile/base/swift/ringbuilder.pp:125:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571850 | manifests/profile/base/swift/ringbuilder.pp:130:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571889 | manifests/profile/pacemaker/ceph/rbdmirror.pp:79:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571927 | manifests/profile/pacemaker/cinder/backup.pp:66:WARNING: arrow should be on the right operand's line
2017-07-20 15:09:38.571965 | manifests/profile/pacemaker/ovn_northd.pp:96:WARNING: arrow should be on the right operand's line
Change-Id: I9393c5e04310cf84695531df9bb16f33e7e15abb
|
|
Mistakenly this was set to 3121 which is the same port that pacemaker
remote uses. Move this to 3122 which was the plan all along.
Also fix a wrong port comment in redis and mysql at the same time.
Change-Id: Iccca6a53a769570443091577c7d86f47119d9cbb
|
|
|
|
Some of the tasks carried by nova::compute::rbd class apply libvirt.
Change-Id: Ib233689fdcdda391596d01a21f77bd8e1672ae04
Depends-On: I28557deb13b75922932cd3e86c3467a541c988d0
|
|
This module is used by tripleo-heat-templates to configure and deploy
Kolla-based manila-share containers managed by pacemaker.
We use short-lived containers that call pcs via puppet to create
the needed pacemaker resources, properties and constraints.
Based on work done in fc5bc07b3be401694681420ba453af29b95a9fcf
Change-Id: I89f65e8a34a3a88029498463942016a9f5285f1c
Partial-Bug: #1668922
|
|
Added missing san_private_key parameter used for password less SSH
authentication.
Change-Id: Ia9857064692681172573e9092b53a352cd776cbd
Depends-On: 0743d42ed1ed66e08ab7f4355145b4c06c589801
|
|
|
|
|
|
|
|
|
|
|
|
For multi-node deployments of the dispatch router, a mesh of
inter-router links is created. Note that bi-directional links must
not be configured.
Example: For nodes A, B, C
Node Inter-Router Link
A: []
B: [A]
C: [A,B]
Change-Id: If43beea7a53c1f8f1dff062341c7ea81751c3122
|
|
When the ceilometer-upgrade command is run in step5, it talks to gnocchi
and keystone on all the controllers. Since these other nodes might have
httpd restarted mid-upgrade we should retry if we get a failure.
Change-Id: I874cf9c34b41d055a258704dabe9150eab0f7968
Closes-Bug: #1703444
|
|
|
|
|
|
|
|
The stores parameter should be set with the new parameters
as they are going to be deprecated in the old method.
Change-Id: If272345e96988778ceccb8f2f624db1c38aea365
Closes-Bug: 1704327
|
|
Add new hook in the keystone profile for Veritas HyperScale.
Add new hook in the rabbitmq profile for Veritas HyperScale.
Add new hook in the mysql profile for Veritas HyperScale.
Change-Id: I9168bffa5c73a205d1bb84b831b06081c40af549
Depends-On: I316b22f4f7f9f68fe5c46075dc348a70e437fb1d
Depends-On: Id188af5e2f7bf628a97a70b8f20bef28e42b372d
Signed-off-by: abhishek.kane <abhishek.kane@veritas.com>
Signed-off-by: Dnyaneshwar Pawar <dnyaneshwar.pawar@veritas.com>
|
|
|
|
|
|
Change I6f4d3a5abae8f1781cfe6f69ff960aad500061e3 slipped in a typo
and it removed the '$' character from a puppet manifest. Which causes
a deployment to fail with:
INFO: running container haproxy-bundle-docker-0 for the first time
ERROR: /usr/bin/docker-current: Error response from daemon: Invalid bind mount spec "deployed_ssl_cert_path:deployed_ssl_cert_path:ro": Invalid volume destination path: 'deployed_ssl_cert_path' mount path must be absolute.. See '/usr/bin/docker-current run --help'.
ERROR: docker failed to launch container
Change-Id: Ic602fd443d38482bf1f924531561b2174dc38293
|
|
This patch adds a new insecure_registry_address parameter
to the docker profile. This parameter is meant to replace two
deprecated parameters which did the same thing.
Co-Authored-By: Ian Main <imain@redhat.com>
Change-Id: I729fa00175cb36b02b882d729aae5ff06d0e3fbc
|
|
This is set via all_nodes_config in t-h-t, but it's a special case for
this service, so it'll be better if we handle the ipv6 transformation
in puppet instead of relying on the service specific list mangling in
t-h-t (one aspect of which has been identified as a potential performance
problem).
Related-Bug: #1684272
Change-Id: Iccb9089db4b382db3adb9340f18f6d2364ca7f58
|
|
|
|
|
|
This solves a problem with bind-mounts when the containers are holding
files descriptors open.
At the same time this makes the template more robust to puppet changes
since new config files will be available in the containers without
needing to update the templates.
Closes-Bug: #1698323
Change-Id: I857c94ba5f7f064d7c58df621ec5d477654b9166
Depends-On: I78dcec741a941dc21adba33ba33a6dc6ff1d217c
|
|
When the tripleo::profile::base::database::mysql::client profile is
included by other openstack services, the file /etc/my.cnf.d/tripleo.cnf
is not generated because docker-puppet is configured to disregard the
exec tags.
Make the profile use either File or Exec resource based on how it's
being called, to make it work for both containerized and non-containerized
use cases.
Change-Id: I103baa02373f6713cc300ac039a6f173ff0bbf1c
|
|
This currently assumes nova-compute and iscsid run in the same context which
isn't true for a containerized deployment
Change-Id: I91f1ce7625c351745dbadd84b565d55598ea5b59
|
|
When SSL configuration is enabled, haproxy expects to load a SSL
certificate file at startup.
Update the bundle configuration to always bind-mount the cert
file, to support both SSL and non SSL HAproxy bundle deployments.
Change-Id: I6f4d3a5abae8f1781cfe6f69ff960aad500061e3
|
|
|
|
|
|
The innodb_flush_log_at_trx_commit flag changes the timing
of when the log buffer is written to disk for writes.
At its default of 1, transactions are written to disk
and the buffer flushed on a per-transaction basis; but when
set to 2, the flush of the buffer proceeds only once per
second. This removes the durability guarantee for the
single node. However the central concept of Galera is
that durability is achieved via the cluster as a whole,
in that transactions are replicated to other nodes before
the commit succeeds (though not necessarily written to disk
unless wsrep_causal_reads is set). In this model,
data would only be lost of all nodes of the Galera cluster
were killed within one second of each other. Percona's
blog post at https://www.percona.com/blog/2014/11/17/typical-misconceptions-on-galera-for-mysql/
recommends that the value of 2 should be considered "safe"
for a Galera cluster unless you are in fact worried that
all three nodes will be powered off simultaneously.
The value here is added as an option only, defaulting
to the usual default of "1", flush per transaction.
Change-Id: Id5a30f1daf978e094a74db2d284febbc9ae64bb3
|