aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile
AgeCommit message (Collapse)AuthorFilesLines
2017-03-16Merge "Create profile to request certificates for the services in the node"Jenkins1-0/+77
2017-03-15Merge "HAProxy: Refactor certificate retrieval bits"Jenkins1-21/+1
2017-03-14Create profile to request certificates for the services in the nodeJuan Antonio Osorio Robles1-0/+77
This profile will specifically be used to create all the certificates required in the node. These are fetched from hiera and will be ran in the first step of the overcloud deployment and in the undercloud. The reasoning for this is that, with services moving to containers, we can't yet do these requests for certificates within the containers for the specific services. this is because the containers won't have credentials to the CA, while the baremetal node does. So instead we still do this on the baremetal node, and will subsequently bind mount the certificates to the containers that need them. Also, this gives us flexibility since this approach still works for the baremetal case. There will be a subsequent commit removing the certificate requests from the service-specific profiles. Change-Id: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
2017-03-13Fixes issues with raising mysql file limitTim Rozet1-3/+8
Changes Include: - Adds spec testing - Only raise limits if nonha. puppet-systemd will restart the mariadb service which breaks ha deployments. Hence we only want to do this in noha. - Minor fix to hiera value refrenced not as parameter to mysql.pp Partial-Bug: #1648181 Related-Bug: #1524809 Co-Authored By: Feng Pan <fpan@redhat.com> Change-Id: Id063bf4b4ac229181b01f40965811cb8ac4230d5 Signed-off-by: Tim Rozet <trozet@redhat.com> Signed-off-by: Feng Pan <fpan@redhat.com>
2017-03-13HAProxy: Refactor certificate retrieval bitsJuan Antonio Osorio Robles1-21/+1
This moves the certificate request bits to simplify the profile and move the logic to the HAProxy/certmonger specific manifest. This is a small iteration on the effort to separate the certificate retrieval to its own manifest since this part won't be containerized yet. Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
2017-03-11Merge "Add support for BGPVPN service plugin"Jenkins1-0/+36
2017-03-11Add support for BGPVPN service pluginRicardo Noriega1-0/+36
Introduce profile to configure networking-bgpvpn service Implements: blueprint bgpvpn-service-integration Change-Id: I7c1686693a29cc1985f009bd7a3c268c0e211876 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-03-11Merge "httpd: Clean up heat API profiles and add release note"Jenkins3-28/+9
2017-03-10Merge "Deploy Heat APIs over httpd"Jenkins3-6/+183
2017-03-10panko: Do db_sync in api manifestJuan Antonio Osorio Robles2-18/+18
The db_sync from panko comes from the panko-api package; So we move the db_sync to be done in the api manifest as it's done for other services such as barbican. This is necessary since in cases where the overcloud deploy requires puppet to do the installations, with the previous setup it failed since the command wasn't available in the step it was being done. Change-Id: I20a549cbaa2ee4b2c762dbae97f5cbf4d0b517c8 Closes-Bug: #1671716
2017-03-09Enable TLS in the internal network for RabbitMQJuan Antonio Osorio Robles1-15/+57
This optionally enables TLS for RabbitMQ in the internal network. Note that this leaves enable_internal_tls as undef instead of using the regular default. This is because we don't want to enable this just now, since we first want to pass the necessary hieradata via t-h-t. This will be cleaned in further commits. bp tls-via-certmonger Depends-On: I4f37e77ae12e9582fab7d326ebd4c70127c5445f Depends-On: Ic32b2cb253fa0dc43aad7226b24919b7e588faa9 Change-Id: Ic2a7f877745a0a490ddc9315123bd1180b03c514
2017-03-07sahara: include authtoken classEmilien Macchi1-0/+1
authtoken class configures the keystone_authtoken parameters, required to move to Keystone V3 auth. Change-Id: Ibfd761fef813faa7bf13881c52c34e20d3eac9e5
2017-03-07httpd: Clean up heat API profiles and add release noteJuan Antonio Osorio Robles3-28/+9
There were some values that were passed to the classes manually, and this takes the parameters from t-h-t instead. Also, the release note was added. bp tls-via-certmonger Change-Id: I17c4b7041e16da6489f4b713fdeb28a6e1c5563c Depends-On: I88e5ea7b9bbf35ae03f84fdc3ec76ae09f11a1b6
2017-03-07Deploy Heat APIs over httpdJuan Antonio Osorio Robles3-6/+183
This deploys the Heat APIs (api, cfn and cloudwatch) over httpd, and includes the TLS-everywhere bits. bp tls-via-certmonger Change-Id: I23971b0164468e67c9b3577772af84bd947e16f1
2017-03-07Merge "Stop the chronyd service"Jenkins1-4/+6
2017-03-06Stop the chronyd serviceAlex Schultz1-4/+6
Since the norpm provider can prevent the chronyd package from actually getting purged, we need to make sure the chronyd service is stopped and disabled so that it does not conflict with ntpd. Change-Id: I7a697aba7aa5a27ba4ab6e46018057f7f01dfab2 Closes-Bug: #1665426
2017-03-06Add docker profileSteven Hardy1-0/+68
This configures the docker service on the host, as an alternative to the firstboot script in docker/firstboot/setup_docker_host.sh Doing this via puppet will enable easier integration with e.g the multinode jobs where no firstboot scripts run, and also enables a better error path in the event the service fails to start Co-Authored-By: Alex Schultz <aschultz@redhat.com> Change-Id: Id8add1e8a0ecaedb7d8a7dc9ba3747c1ac3b8eea
2017-03-03Merge "mariadb: Move generation of systemd drop-in to puppet-tripleo"Jenkins1-0/+15
2017-03-01Merge "mysqlclient: Drop hiera calls in favor of getting these via t-h-t"Jenkins1-7/+7
2017-03-01Merge "Configure MySQL client SSL connections via the config file"Jenkins1-5/+26
2017-02-28mysqlclient: Drop hiera calls in favor of getting these via t-h-tJuan Antonio Osorio Robles1-7/+7
This also updates a leftover comment. Change-Id: I870caf20103b044655e699aac09f6621414f5326 Depends-On: I5af5ccb88e644f4dd25503d8e7a93796695d3039
2017-02-28Configure MySQL client SSL connections via the config fileJuan Antonio Osorio Robles1-5/+26
This does the actual configuration for the mysql client to use SSL if the parameter is set via t-h-t. Change-Id: I24e4c195a31109835739e78a6b53d36f661f9fd0 Depends-On: Ifd1a06e0749a05a65f6314255843f572d2209067
2017-02-28Merge "Default neutron dhcp_agents_per_network to number of agents"Jenkins1-0/+28
2017-02-28Merge "Ironic inspector support"Jenkins3-0/+52
2017-02-27Merge "Add ceilometer polling agent profile"Jenkins1-0/+64
2017-02-27mariadb: Move generation of systemd drop-in to puppet-tripleoDamien Ciabrini1-0/+15
Systemd starts mariadb as user mysql, so in order to allow a large number of connections (e.g. max_connections=4096) it is necessary to raise the file descriptor limit via a system drop-in file. When installing an undercloud, such drop-in file is currently generated by instack-undercloud (in file puppet-stack-config.pp). But non-HA overcloud also need such drop-in to be generated. In order to avoid duplicating code, the drop-in creation code should be provided by puppet-tripleo. By default, no drop-in is generated; it has to be enabled by instack-undercloud or tripleo-heat-template once they will use it (resp. to create undercloud or non-HA overcloud). This patch does not aim at generating a dynamic file limit based on the number of connections, this should land in another dedicated patch. Instead, it just reuses the limit currently set for undercloud and HA-overclouds. Also, the generation of the drop-in does not force a mysql restart like it currently does in instack-undercloud, to avoid unexpected service disruption on a non-HA overcloud after a minor update. Co-Authored-By: Tim Rozet <trozet@redhat.com> Depends-On: I7ca7b5f7614971455cae2bf7c4bf8264b642b0dc Change-Id: Ia0907b2ab6062a93fb9363e39c86535a490fbaf6 Partial-Bug: #1648181 Related-Bug: #1524809
2017-02-27Default neutron dhcp_agents_per_network to number of agentsBrent Eagles1-0/+28
This patch will set neutron's dhcp_agents_per_network equal to the number of deployed neutron DHCP agents unless otherwise explicitly set. Partial-bug: #1632721 Change-Id: I5533e42c5ba9f72cc70d80489a07e30ee2341198
2017-02-26Remove todo commentCarlos Camacho1-2/+0
We can remove the sprintf todo comment (Already fixed). Change-Id: I407cbf015ccd23a28ee01a669d397479277b4fd3
2017-02-25Add ceilometer polling agent profilePradeep Kilambi1-0/+64
Ceilometer central, compute and ipmi agent classes are deprecated. Instead we should be using polling agent with relevant namespace. Closes-bug: #1662685 Change-Id: I1ee50124bf8936e12414f984e1bcd4545d92e953
2017-02-25Merge "Remove the string cast for using transport_url"Jenkins11-24/+22
2017-02-24Merge "Replace default to be more robust"Jenkins1-2/+2
2017-02-22Remove the string cast for using transport_urlCarlos Camacho11-24/+22
os_transport_url was updated to allow receiving a string or an integer as parameter. Fixes the workarounds in puppet-tripleo Change-Id: I50993514048bf96b5a42b3425a7d6f98778fe694 Depends-On: I9e56f8e2de542b20fe9e6995506cff5bb435e220
2017-02-21Configure authtoken in Nova PlacementDan Prince3-10/+58
The Nova Placement API's configuration currently relies on the nova-api profile for its keystone authtoken configuration. This means that Nova Placement would fail if it got installed on an isolated node or docker container (this currently breaks TripleO's deployment of placement via docker). This patch creates a new authtoken profile and calls it via the api and placement roles. Change-Id: I7b38ab6ba5cae41689ac500d97dec4d09c73d387 Co-Authored-By: Alex Schultz <aschultz@redhat.com>
2017-02-21Merge "Add VPP service"Jenkins1-0/+32
2017-02-21Stop accidentally removing docker-distributionJiri Stransky1-1/+2
By default Puppet does virtual package matching if precise name matching fails. Docker-distribution RPM "provides" docker-registry: bash-4.2# rpm -q --whatprovides docker-registry docker-distribution-2.5.1-1.el7.x86_64 This means that when we wanted to make docker-registry package absent, we were actually removing docker-distribution instead. This is now fixed by allow_virtual => false. Only name matching is performed. Change-Id: I1f93b404085f0bc2b6c063f573c801db6409c0bb Closes-Bug: #1666459
2017-02-20Ironic inspector supportDan Prince3-0/+52
This includes a new ironic-inspector profile, and updates to the mysql and keystone profiles so that a database and endpoints are also created when the inspector is enabled. Change-Id: I4a71a95efb87a10528df0600277768969a32117b
2017-02-20Replace default to be more robustDavid Gurtner1-2/+2
Specifying undef as the fallback only works because the merge function specifically checks for this: next if arg.is_a? String and arg.empty? # empty string is synonym for puppet's undef But the empty Hash would be a much more robust default. Change-Id: I7e302c00ef030d75998e352d88b3ccc60b194ab7
2017-02-20Merge "Allow neutron_options customization for dashboard"Jenkins1-3/+8
2017-02-20Merge "Use rpc and notify transport_url for oslo_messaging backends"Jenkins16-251/+913
2017-02-18Merge "Create /etc/my.cnf.d/tripleo.cnf with proper bind-address"Jenkins1-0/+72
2017-02-17Create /etc/my.cnf.d/tripleo.cnf with proper bind-addressMichele Baldessari1-0/+72
When fixing LP#1643487 we added ?bind_address to all DB URIs. Since this clashes with Cellsv2 due to the URIs becoming host dependent, we need a new approach to pass bind_address to pymysql that leaves the DB URIs host-independent. We first create a /etc/my.cnf.d/tripleo.cnf file with a [tripleo] section and in this section we add the correct bind-address option. Note that we use the puppet augeas lens and not the mysql one because the mysql one does not support custom sections *and* there are older versions around which do not like the /etc/my.cnf.d/* path. The reason for not reusing an existing mariadb file (my.cnf or galera.cnf) is that pymysql's ini file support is not robust enough at the moment: https://github.com/PyMySQL/PyMySQL/issues/548 The reason for putting this file creation code only on the controller nodes the following: The slow VIP failover only happens if a service runs where the VIPs exist. The VIPs get created in the haproxy profile and that is why in order to have fast VIP failovers the MySQLClient profile must live where the Haproxy service is running. Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Partial-Bug: #1663181 Change-Id: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
2017-02-17Use rpc and notify transport_url for oslo_messaging backendsAndrew Smith16-251/+913
This commit adds the transport_url for specifying the oslo.messaging rpc and notify transport schemes. The rpc or notification backend can be one of rabbit, amqp, zmq, etc. Oslo.messaging is deprecating the host, port and auth configuration options. All drivers will get the options via the transport_url. This patch: * Adds transport_url to base services * Updates the corresponding specs * Adds to default hierdata Depends-On: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40 Change-Id: Iea5607dbb3ee6b1dd50acc1395de52dc920aa915
2017-02-17Add VPP serviceFeng Pan1-0/+32
Vector Packet Processing (VPP) is a high performance packet processing stack that runs in user space in Linux. VPP is used as an alternative to kernel networking stack for accelerated network data path. Implements: blueprint fdio-integration-tripleo Change-Id: I70a68a204a8b9d533fc2fa4fc33c39c3b1c366bf Signed-off-by: Feng Pan <fpan@redhat.com>
2017-02-17Merge "xinetd: bind only on mysql network"Jenkins1-0/+1
2017-02-16Merge "Fix a typo in mysql.pp"Jenkins1-1/+1
2017-02-14tuning: manage keystone resources only at step3Emilien Macchi3-15/+7
1. Manage Keystone resources only at step 3. Don't verify them at step 4 and 5, it's a huge loss of time. 2. Don't require Keystone resources for Gnocchi services, they are already ready at Step 5. Related-Bug: #1664418 Change-Id: I9879718a1a86b862e5eb97e6f938533c96c9f5c8
2017-02-14Merge "Add ::ironic::config to Ironic base profile"Jenkins1-0/+1
2017-02-13nova: move placement credentials config at step 3Emilien Macchi1-1/+1
nova placement credentials in nova.conf need to be configured at step 3 so Nova services can use them as soon as they start. Change-Id: I0abdd305b7e6c8d83f23e25b3872e98eb56dd299
2017-02-12Merge "Add support to changing the Rabbitmq password on update"Jenkins1-0/+26
2017-02-11Merge "nova/api: more cleanup"Jenkins1-16/+24