Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
This feature is broken for us now and there is work in progress in Nova
to improve nova cell deployment.
Until it's fixed upstream, we need to disable cells deployment for now,
so we can promote our CI.
Change-Id: I379ba9e94a92ed225a03a67fc975b542447a9c8b
Related-Bug: #1649341
|
|
Since we include ::heat::keystone::domain at step 3, and that class
requires heat.conf since it uses the heat_config resource, we need to
also include ::heat at step 3. The ::heat class will take care of
installing openstack-heat-common that provides heat.conf.
Closes-Bug: #165389
Partially-implements: blueprint split-stack-software-configuration
Change-Id: I5ba34ca96ca84d3f1cf3785ed8bbef6720f7bd42
|
|
Manila ceph driver reads ceph's client configuration
(keyring is the most important) from ceph.conf file
(or any other file set by cephfs_conf_path). ceph.conf
should be updated with keyring location.
If ceph is deployed by tripleo then also manila ceph key
is added into ceph and ceph filesystem is created.
Depends-On: I18436a64fc991b9e697a1d79e369ac110cf8fe20
Change-Id: Iac4a260af6738ed6afd4bcb107221a736d07c1b5
Partial-Bug: #1644784
Closes-Bug: #1646147
|
|
We now support creating Pacemaker stonith fencing using the fence_ironic
fencing agent.
Partial-Bug: #1649695
Depends-On: I315f9bb78a1296f691dadaeb39fb0a48df1d5f06
Change-Id: I596eef68820f16516feeda147d3689f0da85d7ac
|
|
Allow TripleO to deploy Nova Placement API with a new profile.
Change-Id: I5e25a50f3d7a9b39f4146a61cb528963ee09e90c
|
|
|
|
|
|
|
|
|
|
This change fixes the hiera calls in the base nova profile to use the
parameter rather than continue to call hiera. Additionally this change
includes basic test coverage for the various nova profiles.
Change-Id: If393606eeb3c39ed3a2655bd89c5c276a9cf106e
|
|
Having the db_sync code live in the mysql profile causes
coupling that doesn't work unless your MySQL server has the
latest Nova packages installed. This may not work for some
baremetal setups (where an isolated database exists) or
with containers where the MySQL container definately doesn't
have nova packages installed.
Moving this code into the nova-api role also matches where we
were already db syncing the normal API database so it should be
fine and safe.
Change-Id: Ib625e2ac9c8d6bd1d335c58e291facc4ea5839ae
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
|
|
This patch add the option for using Keyston V3 authention with
the Ceph/RGW service instead of using the admin_token
Change-Id: I42861afcac221478dcb68be13b6dbc2533a7f158
|
|
As part of the initial implementation, we hard coded the cell0 setup in
puppet. This change switches it to leverage the defined value in the
tripleo-heat-templates
Change-Id: I896a124d91d06ca85b77c9fbe24fd252815a2d28
Depends-On: I08119d781ef60750cc19753bc03190e413159925
Related-Bug: #1649341
|
|
The profile was moved out of instack-undercloud puppet manifest and
changed to install a v2 Docker registry rather than the old, deprecated
v1 registry.
Change-Id: Iecf7a4c7e86349e6ecaa0a8ee6d37223e3af7862
|
|
This change adds haproxy rules for galera and redis. They are not there
because these haproxy entries do not use the ::tripleo::haproxy::endpoint
function which does this automatically.
Rabbit does not need them because it does not go through haproxy.
Closes-Bug: #1654280
Change-Id: If995d5c36341f3c089cbda9a0827ea28c19c796b
|
|
|
|
|
|
Change-Id: If2f6559a7d76b26fa9b0a3ecfa2e2101aae93e3c
|
|
|
|
Unknown variable: 'haproxy_ssl_firewall_rules' when public_ssl_port is
empty.
Fixing it by setting an empty hash in this case.
Change-Id: If864732262852ef79ebb91ee77902c86b847072a
|
|
This patch adds support for ip6tables rules in TripleO, in a intuitive
and flexible fashion.
1) Default firewal rules 'source' parameter to undef.
It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
support ipv6 rules. undef will create empty source, which is the same as
0.0.0.0/0 or ::/0.
2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.
3) Automatically create IPv6 rules like it's for IPv4.
4) Only create rules that can be created, depending on
source/destination ip version.
This patch should be backward compatible and adds a layer of security
for IPv6 deployments. If previous deployments were manually creating
Ipv6 rules, it's possible that this patch will override them. Our
framework is able to configure any rule, so it shouldn't be a problem
for upgrades.
Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
|
|
Cleanup some code that were useful in the effort of removing Glance
Registry service from TripleO.
Change-Id: I2a4bdc413e953b8b713d9a12bba74ca18487fe0d
|
|
|
|
nova::wsgi::apache was deprecated in ocata in favor of
nova::wsgi::apache_api.
Let's switch to it.
Change-Id: I59b3b36be33268fa6e261a7db3c4aa8e8e712ffb
Depends-On: I5fc99062d349597393e2248c66f2d863029c7730
|
|
|
|
This change adds a profile to deploy the Ceph MDS service and some
basic unit tests for it.
Depends-On: I558b43deaa9b243c54f3d7ae945f11dd4925eb5d
Change-Id: Iaecc3ff7acb851776c5057c42a5a513a70425d2c
Partial-Bug: #1644784
|
|
This migrates the haproxy config for ODL to use the
tripleo::haproxy::endpoint class. This class automatically configures
firewall rules for each haproxy endpoint. Also removes listening on
public network for IP and adds listening on ctlplane network for admin
access.
Partial-Bug: 1651476
Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
The glance database should be created as part of the glance-api service
installation and not the registry. Move the db_sync param to the
glance-api class call.
Change-Id: Ib9f511219e8cb9a7322745b6bd7c4f9c9cc0c198
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Manila pacemaker manifest (which sets manila share service only)
includes also manila api and scheduler manifests. There is no
reason for this. Also it causes that on whichever node manila share
service runs also manila api and scheduler services are started.
Change-Id: Ia1b39ef36c5bc34813cd6430b69ad9b698acc3cf
Closes-Bug: #1653500
|
|
Add the option to add the section of ml2_odl
to ml2_conf.ini when opendaylight_v2 mechanism driver is used
Change-Id: I2a1c5097614e47cc09e43bbc77305a0548d54baa
|
|
Configure Nova with new Oslo Messaging parameters for RabbitMQ.
Note: parameters are renamed to be standard, so it will help a future
transition to another backend in TripleO.
Change-Id: Ia67a4dbe5b2bd12c45308a5581f96d0457b8e018
|
|
We need to run the basic cell v2 setup for nova as it is required for
Ocata.
Change-Id: I693239ff5026f58a65eb6278b1a8fcb97af4f561
Depends-On: I43ba77cd4c8da7c6dc117ab0bd53e5cd330dc3de
Depends-On: I9462ef16fd64a577c3f950bd121f0bd28670fabc
Closes-Bug: #1649341
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This closes CVE-2016-9599.
1) Sanitize dynamic HAproxy endpoints firewall rules
Build the hash of firewall rules only when a port is specified. The
HAproxy endpoints are using TCP protocol, which means we have to specify
a port to the IPtables rules.
Some services don't have public network exposure (e.g. Glance Registry),
which means they don't need haproxy_ssl rule.
The code prepare the hash depending on the service_port and
public_ssl_port parameters and create the actual firewall rules only if
one of those or both parameters are specified.
It will prevent new services without public exposure to open all traffic
because no port is specified.
2) Secure Firewall rules creations
The code won't allow to create TCP / UDP IPtables rules in INPUT
or OUTPUT chains without port or sport or dport, because doing it would
allow an IPtables rule opening all traffic for TCP or UDP.
If we try to do that, Puppet catalog will fail with an error explaining
why.
Example of use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.
3) Allow to open all traffic for TCO / UDP (when desired)
Some use-cases require to open all traffic for all ports on TCP / UDP.
It will be possible if the user gives port = 'all' when creating the
firewall rule.
Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port
parameters, it won't work anymore, for security purpose.
- if you users want to open TCP / UDP for all ports, they need to pass
port = 'all' and the rule will be created, though a warning will be
displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it
will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.
Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
|
|
I'm seeing this run yum update on deploy, even though hiera
tripleo::packages::enable_upgrade says false.
I assume these are needed because we're getting "false", but I'm
unclear if this is a recently introduced problem (I only noticed it
today as my image has outdated centos packages and it thus hung on
step2 of the deploy.
Change-Id: If09cdde9883f2674dbbc40944be5fe4445caa08e
Closes-Bug: #1652107
|
|
Enable ml2.pp to call networking-fujitsu manifest in puppet-neutron
for fossw ML2 plugin setting.
Change-Id: I044c5812bbc5cd3de4bc33556cffbe5bad8e64cf
Implements: blueprint integration-fossw-networking-fujitsu
Depends-On: I79df6b6a27d95f0c0e2c87207ab80235a4efccfc
|