Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Since collector is deprecated, lets move this out of collector.pp
so it gets run and resource types are created appropriately even
when collector is not included.
Closes-bug: #1676961
Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
|
|
|
|
|
|
|
|
|
|
set"
|
|
|
|
balancermembers"
|
|
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
are mutually exclusive. This patch, and the next patchset of that review,
resolves the conflict.
Related-Bug: 1668543
Change-Id: I1d09530d69e42c0c36311789166554a889e46556
|
|
Update the gnocchi api to expose the redis information as a class
parameter so it can be tested correctly.
Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
|
|
A recent Centos docker packaging change removed the default
/etc/docker/daemon.json file. As such we need to create an empty
json file if none exists before running Augeas to configure
the settings.
Change-Id: Ibfe04b468639002f55da7bb65d2606f730c700b7
Closes-bug: #1684297
|
|
Currently we hard-code the fact that haproxy starts as a daemon.
When running haproxy in a container we need this to be configurable
because the haproxy process will be pid number 1.
We are not changing the current semantics which have the 'daemon'
option always set, but we are allowing its disabling.
Change-Id: I51c482b70731f15fee4025bbce14e46a49a49938
|
|
|
|
|
|
Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.
Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
|
|
This enables setting the subjectAltNames for HAProxy and httpd certs.
These will eventually replace the usage of many certs, to have instead
just one that has several subjectAltNames.
Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
|
|
This checks that the subjectAltName in the backend server's certificate
matches the server's name that was intended to be used.
Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
|
|
|
|
|
|
Default timeout is 2min but it doesn't reflect the rpc_response_timeout
value that we set in THT and instack-undercloud, which is 600 (10 min).
In some cases (in low-memory environments), Heat needs more than 2
minutes to reply to the client, when deploying the overcloud.
It makes sense to increase the timeout to the value of rpc_timeout to
give a chance to Heat to reply to the client, otherwise HAproxy will
kill the connection and send 504 to the client.
Depends-On: I9669d40d86d762101734704fcef153e360767690
Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c
Related-Bug: 1666072
|
|
|
|
|
|
|
|
|
|
Users may have an external swift proxy already available (i.e. radosgw
from already existing ceph, or hardware appliance implementing swift
proxy). With this change user may specify an environment file that
registers the specified urls as endpoint for the object-store service.
The internal swift proxy is left as unconfigured.
Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
|
|
|
|
|
|
By default the undercloud and the overcloud share virtual_router_id
definition, leading to errors like "ip address associated with VRID not
present in received packet". This allows setting the range for the IDs.
Change-Id: I0c822777824b469b0f8ef0f31b3708fe47d5b2d7
|
|
This option allows users to exclude some fault domains.
Otherwise all domains are returned.
Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483
Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433
|
|
This defaults to 'True' to keep backward compatibility and can be
disabled by setting 'enable_container_images_built' to false in
undercloud.conf.
Depends-On: Ia3379cf66b1d6b180def69c2a5b22b2602baacef
Change-Id: I33e7e9a6a3865fed38f7ed6490455457da67782b
|
|
We configure apache in step3 so we need to configure the gnocchi api in
step 3 as well to prevent unnecessary service restarts during updates.
Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be
Related-Bug: #1664418
|
|
Apache is configured in step 3 so if we configure ceilometer in step 4,
the configuration is removed on updates. We need to configure it in step
3 with the other apache services to ensure we don't have issues on
updates.
Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423
Related-Bug: #1664418
|
|
|
|
Change-Id: I9e1a56782e258fb6982b70d9a07f35808f2b2de5
Depends-On: Ic975ec1d6b2bf6e6bd28b47ba9dd2a3ae629d149
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
|
|
Including the ::ssh manifest will manage both client and server config.
Managing the client config was not intended and will clobber the OS
default config with the puppet ssh moduled defaults.
Follow up for https://review.openstack.org/443113 where I found the issue after
the changes merged.
Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
Related-Bug: 1668543
|
|
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
|
|
Change-Id: I848b3cc747f1be06aeda57ba15d4ec557c23ad46
Depends-On: Idf3d82058d87d9c8a3b6d8973d5166043dad2252
|
|
|
|
|
|
When TLS is enabled for the internal network, HAProxy needs to handle
etcd's TLS termination. Else it will use plain text.
bp secure-etcd
Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
|
|
|
|
This patch adds a new registry_mirror option to help
configure /etc/docker/daemon.json so that we can make use
of HTTP docker mirrors within upstream TripleO CI (infra).
Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
|
|
The docker_registry profile has resources to configure
the docker service and package. These conflict with the
entries in the tripleo::profile::base::docker class which
exists specifically to manage these resources (and has
unit tests).
This patch removes the duplicate resources and updates
the docker_registry profile to simply include the
base docker profile instead.
This instack-undercloud change below needs to land first.
Depends-On: I6154f4c7435b02b92f6f64687e9ee89d6b86186a
Change-Id: I75c740e7efc6662861c28caeb7fa965ba55438cb
|
|
|
|
|
|
|
|
|
|
|