Age | Commit message (Collapse) | Author | Files | Lines |
|
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
|
|
|
|
Add ability to set Cinder's nas_secure_file_operations and
nas_secure_file_permissions driver parameters. Two sets of identically
named parameters are implemented by Cinder's NFS and NetApp back end
drivers.
The ability to control these parameters is crucial for supporting deployments
that require non-default values.
Partial-Bug: #1688332
Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9
Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308
|
|
|
|
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
|
|
It used to be hardcoded to use the OpenSSL default CA Bundle, however,
this will be changed in t-h-t.
Change-Id: I75bdaf71d88d169e64687a180cb13c1f63418a0f
|
|
Binding is now done in THT via Hiera directly, so users can change the
option more easily.
Depends-On: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614
Change-Id: I9d5fd152bb73ea54c4d0d3bab862f11eaa4ebd79
Closes-Bug: #1687628
|
|
|
|
|
|
the TLS proxy was notifying neutron::server instead of swift proxy.
Change-Id: I212978c107a75209d5b7c266e608eb9a9e9cdc76
|
|
We now configure stonith devices for Pacemaker Remote nodes.
Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce
Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197
Partial-Bug: #1686115
|
|
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the
rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a
nice performance boost with rabbitmq, it makes rabbit less resilient to
network glitches as we painfully found out via
https://bugzilla.redhat.com/show_bug.cgi?id=1441635.
Will propose another THT change to actually change the default to
-1 so we get this ha-mode:all by default.
Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
Partial-Bug: #1686337
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
|
|
|
|
|
|
|
|
|
|
Part of blueprint redfish-support
Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa
Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
|
|
Since collector is deprecated, lets move this out of collector.pp
so it gets run and resource types are created appropriately even
when collector is not included.
Closes-bug: #1676961
Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
|
|
|
|
|
|
|
|
This includes the Zaqar apache module, allowing to run Zaqar behind
httpd.
Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906
Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
|
|
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
are mutually exclusive. This patch, and the next patchset of that review,
resolves the conflict.
Related-Bug: 1668543
Change-Id: I1d09530d69e42c0c36311789166554a889e46556
|
|
Update the gnocchi api to expose the redis information as a class
parameter so it can be tested correctly.
Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
|
|
A recent Centos docker packaging change removed the default
/etc/docker/daemon.json file. As such we need to create an empty
json file if none exists before running Augeas to configure
the settings.
Change-Id: Ibfe04b468639002f55da7bb65d2606f730c700b7
Closes-bug: #1684297
|
|
Adds support for a secondary DSM in case the primary becomes
unavailable.
Change-Id: Ibf8c333f62556d421d67c853f1f0740d7f9985bf
Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7
|
|
|
|
Add a tripleo profile for neutron linuxbridge agent configuration.
Change-Id: Ie3ac03052f341c26735b423701e1decf7233d935
Partial-Bug: #1652211
|
|
|
|
Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.
Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
|
|
|
|
|
|
|
|
|
|
Users may have an external swift proxy already available (i.e. radosgw
from already existing ceph, or hardware appliance implementing swift
proxy). With this change user may specify an environment file that
registers the specified urls as endpoint for the object-store service.
The internal swift proxy is left as unconfigured.
Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
|
|
|
|
This option allows users to exclude some fault domains.
Otherwise all domains are returned.
Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483
Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433
|
|
This defaults to 'True' to keep backward compatibility and can be
disabled by setting 'enable_container_images_built' to false in
undercloud.conf.
Depends-On: Ia3379cf66b1d6b180def69c2a5b22b2602baacef
Change-Id: I33e7e9a6a3865fed38f7ed6490455457da67782b
|
|
We configure apache in step3 so we need to configure the gnocchi api in
step 3 as well to prevent unnecessary service restarts during updates.
Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be
Related-Bug: #1664418
|
|
Apache is configured in step 3 so if we configure ceilometer in step 4,
the configuration is removed on updates. We need to configure it in step
3 with the other apache services to ensure we don't have issues on
updates.
Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423
Related-Bug: #1664418
|
|
|
|
Change-Id: I9e1a56782e258fb6982b70d9a07f35808f2b2de5
Depends-On: Ic975ec1d6b2bf6e6bd28b47ba9dd2a3ae629d149
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
|
|
bp secure-etcd
Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
Including the ::ssh manifest will manage both client and server config.
Managing the client config was not intended and will clobber the OS
default config with the puppet ssh moduled defaults.
Follow up for https://review.openstack.org/443113 where I found the issue after
the changes merged.
Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
Related-Bug: 1668543
|
|
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
|
|
|
|
|
|
|
|
This patch adds a new registry_mirror option to help
configure /etc/docker/daemon.json so that we can make use
of HTTP docker mirrors within upstream TripleO CI (infra).
Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
|