Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must
be enabled. This setting allows LDAP communications to the confined
LDAP/server port. This change includes a conditional for enabling this
Boolean only when selinux is in use.
Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe
Closes-Bug: #1695002
|
|
|
|
|
|
This likely explains why CI appears to still be running the
devicemapper driver even though overlay2 is now the default.
Change-Id: Ic2d80bae1fddbdb1c80bae297031521dd78d896a
Closes-Bug: #1692502
|
|
|
|
|
|
This module is used by tripleo-heat-templates to configure and deploy
Kolla-based haproxy containers managed by pacemaker.
We use short-lived containers that call pcs via puppet to create
the needed pacemaker resources, properties and constraints.
Co-Authored-By: Michele Baldesari <michele@acksyn.org>
Partial-Bug: #1692908
Depends-On: I44fbd7f89ab22b72e8d3fc0a0e3fe54a9418a60f
Depends-On: Ie9b7e7d2a3cec4b121915a17c1e809e4ec950e7f
Change-Id: Ifcf890a88ef003d3ab754cb677cbf34ba8db9312
|
|
ceilometer-upgrade should only run on controller nodes.
Since its currently in base profile, it gets triggered
on compute as well. So instead split out the upgrade
into its own and include when we deploy notification
and central agents instead.
Change-Id: I2910e8aa5da7fded4cf94b57fb0a14fefd88adbe
Closes-bug: #1693339
|
|
|
|
|
|
This patch makes sure the octavia mysql user is created when the
octavia_api service is enabled.
Change-Id: I270f3f6879737fc29370165e4a8fa8c9c19fffb3
|
|
If novajoin is enabled, the keystone profile should create its user.
bp tls-via-certmonger-containers
Change-Id: Ifb43b72cbf0180cf12e6d3584c92ae01ce5294e5
|
|
|
|
|
|
|
|
It was an error in the example to set firewall rule
Tested on newton.
Closes-Bug: 1691990
Change-Id: I091ad0305ac9d9fbb63853e46169fcaa6092456b
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
|
|
This patch switches the default to the overlay2 storage driver and see
if it helps performance.
Background:
The loopback driver is not recommended for production. Most
other docker storage backends require extra disks (or partitions)
which we don't have on the root disk. Overlay seems to make the
most since for TripleO upgrades where we intend to update
in-place installations to use docker.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
|
|
|
|
disabled."
|
|
bp tls-via-certmonger
Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
|
|
Add composable service interface for Neutron LBaaSv2 service.
Change-Id: Ieeb21fafd340fdfbaddbe7633946fe0f05c640c9
|
|
|
|
|
|
In order to support vhostuser client mode, a vhostuser_socket_dir
needs to be created with qemu:qemu g+w permissions.
Closes-Bug: #1675690
Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com>
Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8
Signed-off-by: Karthik S <ksundara@redhat.com>
|
|
|
|
We currently create remote resources without waiting for their creation.
This leads to the following potential race (spotted by Marian Mkrcmari):
- On Step1 pacemaker bootstrap node creates the resource but the remote
resource is not yet created
- Step1 completes and Step2 starts
- On Step2 the remote node sets a property (or calls pcs cib) but the
remote is not yet set up so 'pcs cluster cib' will fail there with:
(err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster
cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed
with code: 1 ->
Note that when verify_on_create is set to true we are not using the cib
dump/push mechanism. That is fine because we create the remotes on
step1 and the dump/push mechanism is only needed starting from step2
when multiple nodes set cluster properties at the same time.
Tested by Marian Mkrcmari successfully as well.
Closes-Bug: #1689028
Change-Id: I764526b3f3c06591d477cc92779d83a19802368e
Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f
|
|
In order to have the chicken-egg work, service_name had to be explicitly
passed to ::mistral::api. This switches to using values from t-h-t.
Change-Id: Ib94e51f863ba59a1a1db47d58aed3ba4e5fc9650
Depends-On: Ie98dd5061d92dbc3c15bdd8926b0e3d62cc471f6
|
|
Mistral should run under mod_wsgi. Enable that.
Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc
Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
|
|
Now that puppet-redis supports ulimit for cluster managed redis (via
https://github.com/arioch/puppet-redis/pull/192), we need to remove the
file snippet as otherwise we will get a duplicate resource error.
We will need to create a THT change that at the very least sets the
redis::managed_by_cluster_manager key to true so that
/etc/security/limits.d/redis.conf gets created.
We also add code to not break backwards compatibility with the old hiera
key.
Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d
Partial-Bug: #1688464
|
|
An error (e.g a typo) in a custom tripleo-heat-templates environment
file could lead to an invalid match block in /etc/ssh/sshd_config.
SSH fails-safe and refuses all logins in this case.
This change validates the migration_ssh_localaddrs parameter is an
array of IP addresses and removes and duplicate entries.
Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #1688308
|
|
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
|
|
|
|
Add ability to set Cinder's nas_secure_file_operations and
nas_secure_file_permissions driver parameters. Two sets of identically
named parameters are implemented by Cinder's NFS and NetApp back end
drivers.
The ability to control these parameters is crucial for supporting deployments
that require non-default values.
Partial-Bug: #1688332
Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9
Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308
|
|
|
|
|
|
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
|
|
|
|
It used to be hardcoded to use the OpenSSL default CA Bundle, however,
this will be changed in t-h-t.
Change-Id: I75bdaf71d88d169e64687a180cb13c1f63418a0f
|
|
We currently hardcode /64 as our VIP addresses when using IPv6.
The problem with this is that some server code might bind to that
IP as a source address when doing inter-cluster communication
(rabbitmq/galera for example). So when the VIP moves there will
be effectively a network outage between the nodes, which should not
happen.
Likely this was hardcoded to /64 because the RA IPaddr2 needs a nic
parameter when /128 is specified. This is due to:
https://bugzilla.redhat.com/show_bug.cgi?id=1445628
We also make sure we use the ipv6_addrlabel option set to 99 so that
they will never be used as source ip addresses.
Depends-On: I7fcf15a00aedbdcfb21db501ad46c69fb97ec30c
Partial-Bug: #1686357
Change-Id: Ibefde870512ad1e03ff12f7aea91b3734f03f96f
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
Co-Authored-By: Marios Andreou <mandreou@redhat.com>
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
|
|
log rule"
|
|
Binding is now done in THT via Hiera directly, so users can change the
option more easily.
Depends-On: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614
Change-Id: I9d5fd152bb73ea54c4d0d3bab862f11eaa4ebd79
Closes-Bug: #1687628
|
|
|
|
|
|
|
|
the TLS proxy was notifying neutron::server instead of swift proxy.
Change-Id: I212978c107a75209d5b7c266e608eb9a9e9cdc76
|
|
Other services include it by using the vhost resource from openstacklib.
If we include a service (such as swift-proxy) that uses the tls_proxy
resource, and we do so in a separate node or in its own container, it
will fail since the base apache module hadn't been included.
Change-Id: I0167e08b0b652618d8a1af792376bcf02c8fcd82
|
|
We now configure stonith devices for Pacemaker Remote nodes.
Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce
Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197
Partial-Bug: #1686115
|