summaryrefslogtreecommitdiffstats
path: root/manifests
AgeCommit message (Collapse)AuthorFilesLines
2016-11-09Merge "Pass X-Forwarded-Proto for missing services"Jenkins1-0/+20
2016-11-08Merge "Add proper handling of IPv6 addresses for rabbit host/port handling"Jenkins12-13/+24
2016-11-08Merge "Enable TLS in the internal network for gnocchi"Jenkins2-4/+56
2016-11-08Merge "Improve failed mysql node removal time in HA deploys."Jenkins1-3/+20
2016-11-08Pass X-Forwarded-Proto for missing servicesJuan Antonio Osorio Robles1-0/+20
aodh, ceilometer, gnocchi and neutron need the X-Forwarded-Proto in order to return links with the correct protocol when SSL is enabled. This enables it in HAProxy Change-Id: Icceab92f86b1cc40d42195fa4ba0c75f302795b8 Closes-Bug: #1640126
2016-11-08Improve failed mysql node removal time in HA deploys.Chris Jones1-3/+20
In HA deployments, we now check mysql nodes every 1s and removed them immediately if they are failed. Previously we would check every 2s and allow them to fail 5 checks before being removed, producing errors from other OpenStack services for 10s, which causes confusion and delay for operators. Additionally, these check options are now also a class parameter so can be overridden by operators. Closes-Bug: #1639189 Change-Id: I0b915f790ae5a4b018a212d3aa83cca507be05e9
2016-11-08Add proper handling of IPv6 addresses for rabbit host/port handlingBrent Eagles12-13/+24
This patch changes the rabbit_hosts config generation to work properly with IPv6 addresses. Closes-Bug: #1639881 Change-Id: I07cd983880a4a75a051e081dcb96134cb5c6f5e8
2016-11-07Increase haproxy timeoutsSteven Hardy1-2/+2
It's been proposed this may help with the ('Connection aborted.', BadStatusLine("''",)) errors. This patch increase queue, server and client timeouts to 2m (default is 1m) Related-Bug: #1638908 Change-Id: Ie4f059f3fad2271bb472697e85ede296eee91f5d
2016-11-04swift/proxy: configure rabbitmq properlyEmilien Macchi1-3/+16
Use rabbitmq_node_ips to find out where rabbitmq nodes are, and have correct ipv6 syntax if required. Closes-Bug: 1637443 Change-Id: Ibc0ed642931dd3ada7ee594bb8c70a1c3462206d
2016-11-03Merge "Fix default for barbican documentation"Jenkins1-1/+1
2016-11-03Merge "Make sure keepalived is restarted before haproxy."Jenkins1-1/+4
2016-11-02Create heat user in keystone profileAlex Schultz2-16/+37
Rather than use the heat::keystone::domain class which also includes the configuration options, we should just create the user for heat in keystone independently of the configuration. Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe Related-Bug: #1638350 Closes-Bug: #1638626
2016-11-01Fix default for barbican documentationJuan Antonio Osorio Robles1-1/+1
Change-Id: Id4dc2379b0c423012a0b3aaf49d1e1a7d633a03b
2016-11-01Merge "Add barbican profile"Jenkins4-0/+121
2016-11-01Merge "Fixes transparent binding to OpenDaylight in HA Proxy"Jenkins1-2/+2
2016-11-01Merge "NFS mounting for Glance file backend"Jenkins2-4/+93
2016-10-31Make sure keepalived is restarted before haproxy.Sofer Athlan-Guyot1-1/+4
When using SSL setup for undercloud, the admin and public vip required for ssl binding by haproxy are created by keepalived. This makes sure that keepalived is started before haproxy and thus that the interfaces are indeed present. This patch also ensures this is happening for overcloud ssl configuration. The case where another load-balancing technology other than haproxy is used is not covered. Closes-Bug: #1638029 Change-Id: I98cb0dcd7f389a1dd38ec8324429bfef4979aa66
2016-10-31Merge "Calculate zaqar mongo from mongodb_node_ips"Jenkins1-2/+17
2016-10-31Merge "Reload haproxy if any configuration changes on HA"Jenkins1-1/+1
2016-10-31Merge "Enable TLS in the internal network for aodh"Jenkins2-3/+56
2016-10-31Merge "Enable TLS in the internal network for ceilometer"Jenkins2-2/+54
2016-10-30Fixes transparent binding to OpenDaylight in HA ProxyTim Rozet1-2/+2
ODL was missing transparent binding mode, which causes HA deployments to fail since HA Proxy will try to come up on every node (even without VIP). Closes-Bug: 1637833 Change-Id: I0bb7839cdcfeacb4ca1a9fc6f878e8b51330be92 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-10-27Clean up service name from cinder apiJuan Antonio Osorio Robles1-3/+1
Since the service_name is now being passed from t-h-t, we can clean it up from the profile in puppet. Change-Id: I724af8c355c3077be64cf472cedbca80af55da01 Depends-On: I13638cd1af52537bef8540f0d5fa5f5f7decd392
2016-10-27Calculate zaqar mongo from mongodb_node_ipsBrad P. Crochet1-2/+17
In order to make the zaqar service fully composable, the mongo ips need to be calculated without assuming that mongo and zaqar are on the same node. Change-Id: I0b077e85ba5fcd9fdfd33956cf33ce2403fcb088
2016-10-27Merge "Set redis file descriptor limit when run via pacemaker"Jenkins1-0/+17
2016-10-26Reload haproxy if any configuration changes on HAJuan Antonio Osorio Robles1-1/+1
In some cases, for instance, when updating from a non-SSL setup in HAProxy to an SSL setup, we don't reload haproxy's configuration. This is problematic since we need HAProxy to serve the certificates and the new endpoints. This forces the reload when puppet notices changes. Change-Id: Ie1dd809e6beef33fadad48de55e488219fb7d686 Closes-Bug: #1636921
2016-10-26Merge "Deploy cinder over Apache httpd"Jenkins1-1/+4
2016-10-26Merge "Only restart haproxy services when enable_load_balancer is defined"Jenkins1-1/+1
2016-10-26Merge "Remove the hardcoded tcp_keepalive false parameter"Jenkins1-2/+0
2016-10-25Only restart haproxy services when enable_load_balancer is definedMichele Baldessari1-1/+1
If we upgrade a cloud that was configured with external load balancer the process will fail during convergence step because it will try to restart haproxy which is not configured when an external load balancer is configured. Closes-Bug: #1636527 Change-Id: I6f6caec3e5c96e77437c1c83e625f39649a66c48
2016-10-25Set redis file descriptor limit when run via pacemakerMichele Baldessari1-0/+17
The current redis file descriptor limit is 4096 because of two reasons: - It is run via the redis user - It is not started via systemd which has explicit LimitNOFILE set to 10240 (which matches the default configuration of maximum 10000 clients) Create an /etc/security/limits.d/redis.conf file in order to increase the fd limit value With this change we correctly get the following limits: [root@overcloud-controller-0 ~]# pcs status |grep -A2 redis Master/Slave Set: redis-master [redis] Masters: [ overcloud-controller-2 ] Slaves: [ overcloud-controller-0 overcloud-controller-1 ] [root@overcloud-controller-0 ~]# cat /proc/`pgrep redis`/limits | grep open Max open files 10240 10240 files Previously this limit was set to 4096. Change-Id: I7691581bad92ad9442cecd82cf44f5ac78ed169f Closes-Bug: #1635334
2016-10-23Merge "Enable communication between UI and the Undercloud by making HAProxy ↵Jenkins2-1/+21
proxy for the UI"
2016-10-23Merge "Enable haproxy statistics unix socket"Jenkins1-0/+4
2016-10-22Merge "Increase haproxy client/server timeout for swift-proxy"Jenkins1-0/+5
2016-10-22Merge "Use HAProxy for docker-registry endpoint"Jenkins1-0/+26
2016-10-21Merge "Deploy monitoring/logging agents sooner"Jenkins2-86/+82
2016-10-21Merge "Add zaqar profiles"Jenkins2-0/+52
2016-10-21NFS mounting for Glance file backendJiri Stransky2-4/+93
Previously we did this with Pacemaker, but with move to NG HA architecture we lost the ability to use NFS mounts as image storage for Glance. This reimplements the mounting without utilizing Pacemaker. The mount is by default also written to /etc/fstab so that it persists over reboot, but this behavior can be disabled. This could also go to puppet-glance eventually, but not yet -- we need this backported to Newton because it's a TripleO regression. I don't think puppet-glance would allow backporting this to Newton, because from their point of view it would be a RFE rather than a regression. Change-Id: I45ad34c36587a8d695069368cf791f1efb68256c Related-Bug: #1635606
2016-10-21Increase haproxy client/server timeout for swift-proxyJohn Trowbridge1-0/+5
The upload and extraction for the plan tarball to swift can take longer than the default one minute in slower environments. Doubling the timeout to two minutes has proven to help. This is only a partial fix, because the error reporting for this issue also needs to be improved. Change-Id: I06592d38fdfefacc8bdf76289a0bfa20eb33a89b Partial-Bug: 1635269
2016-10-21Merge "Removes logic dependent on 'odl_on_controller'"Jenkins3-15/+4
2016-10-21Merge "Enable TLS in the internal network for keystone"Jenkins3-11/+156
2016-10-21Deploy monitoring/logging agents soonerMartin Mágr2-86/+82
To be able to monitor during deployment, we need sensu clients and fluentd collectors be deployed as soon as it is possible. Change-Id: I952f0d6de6f6327d5c923b8f1d7a5979758dbc59
2016-10-21Remove the hardcoded tcp_keepalive false parameterMichele Baldessari1-2/+0
In change I35921652bd84d1d6be0727051294983d4a0dde10 we want to remove all those duplicate tcp_listen_option entries. One consequence of that is that we need to set rabbitmq::tcp_keepalive to true via hiera (as opposed to forcing it via the tcp_listen_option hash). For this to work we need to remove this forced parameter override. Note that even if I35921652bd84d1d6be0727051294983d4a0dde10 and this change don't merge at the exact same time it is still okay because we do force tcp_keepalive to true via the tcp_listen_options. Change-Id: I608477d5714a5081b3b4ab3b9fc2932bdd598301
2016-10-20Merge "pacemaker/mysql: wait step 2 to remove default accounts"Jenkins1-1/+11
2016-10-20Merge "Fixes missing ODL ML2 Authentication info"Jenkins1-4/+16
2016-10-20Use HAProxy for docker-registry endpointSteve Baker1-0/+26
The docker tooling has a preference for interacting with encrypted endpoints. Terminating the docker-registry endpoint with HAProxy allows the SSL VIP to be used for this purpose. Change-Id: Ifebfa7256e0887d6f26a478ff8dc82b0ef5f65f6
2016-10-19Enable TLS in the internal network for gnocchiJuan Antonio Osorio Robles2-4/+56
This optionally enables TLS for gnocchi in the internal network. If internal TLS is enabled, each node that is serving the gnocchi service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: Ie983933e062ac6a7f0af4d88b32634e6ce17838b
2016-10-19Enable TLS in the internal network for aodhJuan Antonio Osorio Robles2-3/+56
This optionally enables TLS for aodh in the internal network. If internal TLS is enabled, each node that is serving the aodh service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: I50ef0c8fbecb19d6597a28290daa61a91f3b13fc
2016-10-19Enable TLS in the internal network for ceilometerJuan Antonio Osorio Robles2-2/+54
This optionally enables TLS for aodh in the internal network. If internal TLS is enabled, each node that is serving the ceilometer service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496
2016-10-19Enable TLS in the internal network for keystoneJuan Antonio Osorio Robles3-11/+156
This optionally enables TLS for keystone in the internal network. If internal TLS is enabled, each node that is serving the keystone service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039