Age | Commit message (Collapse) | Author | Files | Lines |
|
This adds the ability to manage the securetty file.
By allowing management of securetty, operators can limit root
console access and improve security through hardening.
Change-Id: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
Closes-Bug: #1665042
|
|
|
|
|
|
|
|
This profile will specifically be used to create all the certificates
required in the node. These are fetched from hiera and will be ran in
the first step of the overcloud deployment and in the undercloud.
The reasoning for this is that, with services moving to containers, we
can't yet do these requests for certificates within the containers for
the specific services. this is because the containers won't have
credentials to the CA, while the baremetal node does. So instead we
still do this on the baremetal node, and will subsequently bind mount
the certificates to the containers that need them. Also, this gives us
flexibility since this approach still works for the baremetal case.
There will be a subsequent commit removing the certificate requests from
the service-specific profiles.
Change-Id: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
|
|
Changes Include:
- Adds spec testing
- Only raise limits if nonha. puppet-systemd will restart the mariadb
service which breaks ha deployments. Hence we only want to do this
in noha.
- Minor fix to hiera value refrenced not as parameter to mysql.pp
Partial-Bug: #1648181
Related-Bug: #1524809
Co-Authored By: Feng Pan <fpan@redhat.com>
Change-Id: Id063bf4b4ac229181b01f40965811cb8ac4230d5
Signed-off-by: Tim Rozet <trozet@redhat.com>
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
We currently set the haproxy stat socket to /var/run/haproxy.sock.
On Centos/RHEL with selinux enabled this will break:
avc: denied { link } for pid=284010 comm="haproxy"
name="haproxy.sock" dev="tmpfs" ino=330803
scontext=system_u:system_r:haproxy_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
The blessed/correctly-labeled path is /var/lib/haproxy/stats
Note: I am setting only Partial-Bug because I would still like
to make this a parameter so other distros may just override the path.
But that change is more apt for pike and not for ocata.
Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c
Patial-Bug: #1671119
|
|
This moves the certificate request bits to simplify the profile and move
the logic to the HAProxy/certmonger specific manifest.
This is a small iteration on the effort to separate the certificate
retrieval to its own manifest since this part won't be containerized
yet.
Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
|
|
|
|
Introduce profile to configure networking-bgpvpn service
Implements: blueprint bgpvpn-service-integration
Change-Id: I7c1686693a29cc1985f009bd7a3c268c0e211876
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
|
|
|
|
The db_sync from panko comes from the panko-api package; So we move the
db_sync to be done in the api manifest as it's done for other services
such as barbican.
This is necessary since in cases where the overcloud deploy requires
puppet to do the installations, with the previous setup it failed since
the command wasn't available in the step it was being done.
Change-Id: I20a549cbaa2ee4b2c762dbae97f5cbf4d0b517c8
Closes-Bug: #1671716
|
|
Change-Id: I1668b749779bf812d8f55b695dd138cde7eb09d6
|
|
This optionally enables TLS for RabbitMQ in the internal network. Note
that this leaves enable_internal_tls as undef instead of using the
regular default. This is because we don't want to enable this just now,
since we first want to pass the necessary hieradata via t-h-t. This will
be cleaned in further commits.
bp tls-via-certmonger
Depends-On: I4f37e77ae12e9582fab7d326ebd4c70127c5445f
Depends-On: Ic32b2cb253fa0dc43aad7226b24919b7e588faa9
Change-Id: Ic2a7f877745a0a490ddc9315123bd1180b03c514
|
|
authtoken class configures the keystone_authtoken parameters, required
to move to Keystone V3 auth.
Change-Id: Ibfd761fef813faa7bf13881c52c34e20d3eac9e5
|
|
There were some values that were passed to the classes manually, and
this takes the parameters from t-h-t instead. Also, the release note was
added.
bp tls-via-certmonger
Change-Id: I17c4b7041e16da6489f4b713fdeb28a6e1c5563c
Depends-On: I88e5ea7b9bbf35ae03f84fdc3ec76ae09f11a1b6
|
|
This deploys the Heat APIs (api, cfn and cloudwatch) over httpd, and
includes the TLS-everywhere bits.
bp tls-via-certmonger
Change-Id: I23971b0164468e67c9b3577772af84bd947e16f1
|
|
|
|
Since the norpm provider can prevent the chronyd package from actually
getting purged, we need to make sure the chronyd service is stopped and
disabled so that it does not conflict with ntpd.
Change-Id: I7a697aba7aa5a27ba4ab6e46018057f7f01dfab2
Closes-Bug: #1665426
|
|
This configures the docker service on the host, as an alternative
to the firstboot script in docker/firstboot/setup_docker_host.sh
Doing this via puppet will enable easier integration with e.g
the multinode jobs where no firstboot scripts run, and also
enables a better error path in the event the service fails to start
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Change-Id: Id8add1e8a0ecaedb7d8a7dc9ba3747c1ac3b8eea
|
|
|
|
|
|
|
|
|
|
This also updates a leftover comment.
Change-Id: I870caf20103b044655e699aac09f6621414f5326
Depends-On: I5af5ccb88e644f4dd25503d8e7a93796695d3039
|
|
This does the actual configuration for the mysql client to use SSL if
the parameter is set via t-h-t.
Change-Id: I24e4c195a31109835739e78a6b53d36f661f9fd0
Depends-On: Ifd1a06e0749a05a65f6314255843f572d2209067
|
|
|
|
|
|
https://bugs.launchpad.net/tripleo/+bug/1668493
I thought about a fix for ceph_rgw, but I realized
we might have missed other services too, specially
the ones we're not testing in CI.
We need to revisit this work and probably
make the code more robust for the services where
no CI coverage is done.
Related-Bug: #1668493
This reverts commit ebcc470ea8a632e6d5c13561a97e817d5f290aac.
Change-Id: I3f79c881d8aeda361a59f9952948355986a7c835
|
|
|
|
Systemd starts mariadb as user mysql, so in order to allow a large
number of connections (e.g. max_connections=4096) it is necessary to
raise the file descriptor limit via a system drop-in file.
When installing an undercloud, such drop-in file is currently
generated by instack-undercloud (in file puppet-stack-config.pp). But
non-HA overcloud also need such drop-in to be generated.
In order to avoid duplicating code, the drop-in creation code should
be provided by puppet-tripleo. By default, no drop-in is generated;
it has to be enabled by instack-undercloud or tripleo-heat-template
once they will use it (resp. to create undercloud or non-HA overcloud).
This patch does not aim at generating a dynamic file limit based on
the number of connections, this should land in another dedicated
patch. Instead, it just reuses the limit currently set for undercloud
and HA-overclouds.
Also, the generation of the drop-in does not force a mysql restart
like it currently does in instack-undercloud, to avoid unexpected
service disruption on a non-HA overcloud after a minor update.
Co-Authored-By: Tim Rozet <trozet@redhat.com>
Depends-On: I7ca7b5f7614971455cae2bf7c4bf8264b642b0dc
Change-Id: Ia0907b2ab6062a93fb9363e39c86535a490fbaf6
Partial-Bug: #1648181
Related-Bug: #1524809
|
|
This patch will set neutron's dhcp_agents_per_network equal to the
number of deployed neutron DHCP agents unless otherwise explicitly set.
Partial-bug: #1632721
Change-Id: I5533e42c5ba9f72cc70d80489a07e30ee2341198
|
|
|
|
|
|
We can remove the sprintf todo comment (Already fixed).
Change-Id: I407cbf015ccd23a28ee01a669d397479277b4fd3
|
|
Ceilometer central, compute and ipmi agent classes are
deprecated. Instead we should be using polling agent
with relevant namespace.
Closes-bug: #1662685
Change-Id: I1ee50124bf8936e12414f984e1bcd4545d92e953
|
|
|
|
|
|
The httpchk health check option should help reduce the situtations
where haproxy thinks the service is up but the service is only
listening and not actively serving http requests.
Change-Id: Ie72b96c76d7513f84003bc15b6527c97df7ba92f
Closes-Bug: #1629052
|
|
os_transport_url was updated to allow receiving
a string or an integer as parameter.
Fixes the workarounds in puppet-tripleo
Change-Id: I50993514048bf96b5a42b3425a7d6f98778fe694
Depends-On: I9e56f8e2de542b20fe9e6995506cff5bb435e220
|
|
The Nova Placement API's configuration currently relies
on the nova-api profile for its keystone authtoken
configuration. This means that Nova Placement would
fail if it got installed on an isolated node or
docker container (this currently breaks TripleO's
deployment of placement via docker).
This patch creates a new authtoken profile and
calls it via the api and placement roles.
Change-Id: I7b38ab6ba5cae41689ac500d97dec4d09c73d387
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
|
|
|
|
By default Puppet does virtual package matching if precise name matching
fails. Docker-distribution RPM "provides" docker-registry:
bash-4.2# rpm -q --whatprovides docker-registry
docker-distribution-2.5.1-1.el7.x86_64
This means that when we wanted to make docker-registry package absent,
we were actually removing docker-distribution instead. This is now fixed
by allow_virtual => false. Only name matching is performed.
Change-Id: I1f93b404085f0bc2b6c063f573c801db6409c0bb
Closes-Bug: #1666459
|
|
This includes a new ironic-inspector profile, and updates
to the mysql and keystone profiles so that a database
and endpoints are also created when the inspector
is enabled.
Change-Id: I4a71a95efb87a10528df0600277768969a32117b
|
|
Specifying undef as the fallback only works because the merge
function specifically checks for this:
next if arg.is_a? String and arg.empty? # empty string is synonym for puppet's undef
But the empty Hash would be a much more robust default.
Change-Id: I7e302c00ef030d75998e352d88b3ccc60b194ab7
|
|
|
|
|
|
|
|
|