aboutsummaryrefslogtreecommitdiffstats
path: root/manifests
AgeCommit message (Collapse)AuthorFilesLines
2017-03-30Fix missing groups for fluentd userMartin Mágr1-78/+82
This patch moves fluentd deployment to step 4 (the same as openstack services) and makes resource for user fluentd be dependent on all openstack packages, so that we avoid errors such as "usermod: group 'cinder' does not exist". Change-Id: Ibabd4688c00c6a12ea22055c95563d906716954d
2017-03-30Merge "securetty: use validate_array for tty list"Jenkins1-2/+4
2017-03-30Merge "Move neutron profile out of step 4"Jenkins1-2/+3
2017-03-30Refactor enabled languages from an array to a hashHonza Pokorny1-3/+20
Change-Id: I5173361818508849e5012a943a984af69d9d08cd Depends-On: I2d28d9019e8bcf9f6b8ef5698958932d44321679 Closes-Bug: #1668978
2017-03-30securetty: use validate_array for tty listJuan Antonio Osorio Robles1-2/+4
Change-Id: I1e79407ec6f360a2b205cec6cf8e812a11b799ea
2017-03-30Merge "Adds service for managing securetty"Jenkins1-0/+46
2017-03-30Merge "Qpid dispatch router puppet profile"Jenkins1-0/+54
2017-03-29Adds service for managing securettylhinds1-0/+46
This adds the ability to manage the securetty file. By allowing management of securetty, operators can limit root console access and improve security through hardening. Change-Id: Ic4647fb823bd112648c5b8d102913baa8b4dac1c Closes-Bug: #1665042
2017-03-29Fix reno for rabbitmq-user-checkEmilien Macchi1-6/+0
Change-Id: I5eed22ab0230a477d1629545b8ab1aeff33f4a35
2017-03-29Qpid dispatch router puppet profileMichele Baldessari1-0/+54
Depends-On: I4b56417ce8ee7502ad32da578bdc29c46e459bd5 Change-Id: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608 Author: John Eckersberg <jeckersb@redhat.com>
2017-03-29Introduce profile to configure l2 gateway Neutron agent.Peng Liu1-0/+35
Implements: blueprint l2gw-service-integration Change-Id: If1501c153b1b170b9550cb7e5a23be463fba1fe9
2017-03-28Merge "Re-run gnocchi and ceilometer upgrade in step 5"Jenkins2-0/+17
2017-03-28Merge "Include oslo.messaging amqp support for rpc and notifications"Jenkins1-0/+4
2017-03-28Merge "Add openstack-kolla to docker-registry profile"Jenkins1-0/+1
2017-03-28Merge "Check rabbitmq user at step >= 2"Jenkins2-0/+9
2017-03-28Merge "Include ceph::profile::client from rgw.pp"Jenkins1-1/+1
2017-03-27Add missing include of ::ec2api::keystone::authtokenSven Anderson1-0/+1
Change-Id: Id933276fab16eebd72751dca136ad805547e6291 Related-Bug: #1676491
2017-03-27Re-run gnocchi and ceilometer upgrade in step 5Pradeep Kilambi2-0/+17
Without this gnocchi resources types are not created as they are skipped initially and the resources from ceilometer wont make it to gnocchi. Closes-bug: #1674421 Depends-On: I753f37e121b95813e345f200ad3f3e75ec4bd7e1 Change-Id: Ib45bf1b3e526a58f675d7555fe7bb5038dadeede
2017-03-27Add l2 gateway Neutron service plugin profilePeng Liu1-0/+37
Introduce profile to configure l2 gateway Neutron service plugin. Implements: blueprint l2gw-service-integration Change-Id: I01a8afdc51b2a077be1bbc7855892f68756e1fd3 Signed-off-by: Peng Liu <pliu@redhat.com>
2017-03-26Remove certificate request bits from service profilesJuan Antonio Osorio Robles17-218/+0
This is now the job of the certmonger_user profile. So these bits are not needed anymore in the service profiles. Change-Id: Iaa3137d7d13d5e707f587d3905a5a32598c08800 Depends-On: Ibf58dfd7d783090e927de6629e487f968f7e05b6
2017-03-23Ensure iscsi-initiator-utils installedAlex Schultz1-0/+2
We attempt to use iscsi-iname in an exec for our nova compute profile but we do not ensure that the package providing this command is installed. This change adds the package definition for iscsi-initiator-utils to ensure it is installed before trying to use iscsi-iname. Change-Id: I1bfdb68170931fd05a09859cf8eefb50ed20915d Closes-Bug: #1675462
2017-03-22Check rabbitmq user at step >= 2James Slagle2-0/+9
The rabbitmq user check is moved to step >= 2 from step >= 1. There is no gaurantee that rabbitmq is running at step 1, especially if updating a failed stack that never made it past step 1 to begin with. Change-Id: I029193da4c180deff3ab516bc8dc2da14c279317 Closes-Bug: #1675194
2017-03-22Move neutron profile out of step 4Carlos Camacho1-2/+3
This submission moves the neutron profile `::tripleo::profile::base::neutron` our of step 4. Change-Id: I4d0617b0d7801426ea6827e70f5f31f10bbcc038
2017-03-21Include oslo.messaging amqp support for rpc and notificationsAndrew Smith1-0/+4
This commit conditionally includes messaging amqp class for the oslo.messaging AMQP 1.0 driver to support notifications. This patch: * include keystone::messaging::amqp class for oslo_messaging_amqp opts Change-Id: I8eb23a21d2499795c3a76ae3197bda7773165a8c
2017-03-17Merge "Enables OpenDaylight Clustering in HA deployments"Jenkins3-15/+38
2017-03-17Merge "Explicitly configure credentials used by ironic to access other services"Jenkins1-0/+7
2017-03-16Enables OpenDaylight Clustering in HA deploymentsTim Rozet3-15/+38
Previously ODL was restricted to only running on the first node in an tripleO HA deployment. This patches enables clustering for ODL and allows multiple ODL instances (minimum 3 for HA). Partially-implements: blueprint opendaylight-ha Change-Id: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-16Explicitly configure credentials used by ironic to access other servicesDmitry Tantsur1-0/+7
Using keystone_authtoken credentials for this purpose is deprecated, and also prevents ironic-conductor from being used as a separate role. As a side effect, this change makes it possible to potentially enable ironic-inspector support in the future (it's not enabled yet). Change-Id: I21180678bec911f1be36e3b174bae81af042938c Partial-Bug: #1661250
2017-03-16Remove cluster_enabled setting for etcdFeng Pan1-7/+0
Setting cluster_enabled to false causes ETCD_INITIAL_ADVERTISE_PEER_URLS to be unset, which will cause deployment failure when etcd is deployed in a single node mode. Closes-Bug: #1673188 Change-Id: Iadff36bf7beb247d0408913c89f83fa5c8ac6874 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-03-16Merge "Create profile to request certificates for the services in the node"Jenkins1-0/+77
2017-03-16Include ceph::profile::client from rgw.ppGiulio Fidente1-1/+1
To deploy successfully the RadosGW service on a dedicated node it is necessary to provision on the node a CephX keyring with the needed permissions to import the RadosGW service keyring. This change will provision any keyring passed via client_keys. It makes possible to deploy the CephRgw service on any custom role without including the CephClient service. Change-Id: I5772eeb233ca241887226145a472c7a0363249cb Closes-Bug: #1673288
2017-03-15Merge "HAProxy: Refactor certificate retrieval bits"Jenkins2-21/+14
2017-03-14Merge "Correct haproxy's stat unix socket path"Jenkins1-1/+1
2017-03-14Create profile to request certificates for the services in the nodeJuan Antonio Osorio Robles1-0/+77
This profile will specifically be used to create all the certificates required in the node. These are fetched from hiera and will be ran in the first step of the overcloud deployment and in the undercloud. The reasoning for this is that, with services moving to containers, we can't yet do these requests for certificates within the containers for the specific services. this is because the containers won't have credentials to the CA, while the baremetal node does. So instead we still do this on the baremetal node, and will subsequently bind mount the certificates to the containers that need them. Also, this gives us flexibility since this approach still works for the baremetal case. There will be a subsequent commit removing the certificate requests from the service-specific profiles. Change-Id: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
2017-03-13Fixes issues with raising mysql file limitTim Rozet1-3/+8
Changes Include: - Adds spec testing - Only raise limits if nonha. puppet-systemd will restart the mariadb service which breaks ha deployments. Hence we only want to do this in noha. - Minor fix to hiera value refrenced not as parameter to mysql.pp Partial-Bug: #1648181 Related-Bug: #1524809 Co-Authored By: Feng Pan <fpan@redhat.com> Change-Id: Id063bf4b4ac229181b01f40965811cb8ac4230d5 Signed-off-by: Tim Rozet <trozet@redhat.com> Signed-off-by: Feng Pan <fpan@redhat.com>
2017-03-13Correct haproxy's stat unix socket pathMichele Baldessari1-1/+1
We currently set the haproxy stat socket to /var/run/haproxy.sock. On Centos/RHEL with selinux enabled this will break: avc: denied { link } for pid=284010 comm="haproxy" name="haproxy.sock" dev="tmpfs" ino=330803 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file The blessed/correctly-labeled path is /var/lib/haproxy/stats Note: I am setting only Partial-Bug because I would still like to make this a parameter so other distros may just override the path. But that change is more apt for pike and not for ocata. Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c Patial-Bug: #1671119
2017-03-13HAProxy: Refactor certificate retrieval bitsJuan Antonio Osorio Robles2-21/+14
This moves the certificate request bits to simplify the profile and move the logic to the HAProxy/certmonger specific manifest. This is a small iteration on the effort to separate the certificate retrieval to its own manifest since this part won't be containerized yet. Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
2017-03-13Tuned should be configured properlyJoe Talerico1-0/+20
Currently tuned uses the wrong profile on compute nodes. This patch will allow users to update their tuned profile. Fixes bug 1667524 Change-Id: Ic67aca7f5338ea4bb2d3843201e122c72d97056e
2017-03-11Merge "Add support for BGPVPN service plugin"Jenkins1-0/+36
2017-03-11Add support for BGPVPN service pluginRicardo Noriega1-0/+36
Introduce profile to configure networking-bgpvpn service Implements: blueprint bgpvpn-service-integration Change-Id: I7c1686693a29cc1985f009bd7a3c268c0e211876 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-03-11Merge "httpd: Clean up heat API profiles and add release note"Jenkins3-28/+9
2017-03-10Merge "Deploy Heat APIs over httpd"Jenkins4-6/+186
2017-03-10Fix deprecated eqlx parametersAlex Schultz1-3/+3
The eqlx_use_chap, eqlx_chap_login and eqlx_chap_password were previously deprecated and are scheduled to be removed in Pike. This change updates these parameters to use the replacement params. See I295d8388ba17dd60e83995e7c82f64f02a3c4258 for more details. Change-Id: I0f229ed2e7bb65d9da81c5caa69dbe1a4aded814
2017-03-10Adding OVNDBs vip to keepaliveDan Radez1-0/+18
Change-Id: I56f7e3280eda6fe3cc8dd677ad06b700ef504829
2017-03-10panko: Do db_sync in api manifestJuan Antonio Osorio Robles2-18/+18
The db_sync from panko comes from the panko-api package; So we move the db_sync to be done in the api manifest as it's done for other services such as barbican. This is necessary since in cases where the overcloud deploy requires puppet to do the installations, with the previous setup it failed since the command wasn't available in the step it was being done. Change-Id: I20a549cbaa2ee4b2c762dbae97f5cbf4d0b517c8 Closes-Bug: #1671716
2017-03-09Add tests for tripleo::certmonger::rabbitmq classJuan Antonio Osorio Robles1-1/+1
Change-Id: I1668b749779bf812d8f55b695dd138cde7eb09d6
2017-03-09Enable TLS in the internal network for RabbitMQJuan Antonio Osorio Robles2-15/+136
This optionally enables TLS for RabbitMQ in the internal network. Note that this leaves enable_internal_tls as undef instead of using the regular default. This is because we don't want to enable this just now, since we first want to pass the necessary hieradata via t-h-t. This will be cleaned in further commits. bp tls-via-certmonger Depends-On: I4f37e77ae12e9582fab7d326ebd4c70127c5445f Depends-On: Ic32b2cb253fa0dc43aad7226b24919b7e588faa9 Change-Id: Ic2a7f877745a0a490ddc9315123bd1180b03c514
2017-03-07sahara: include authtoken classEmilien Macchi1-0/+1
authtoken class configures the keystone_authtoken parameters, required to move to Keystone V3 auth. Change-Id: Ibfd761fef813faa7bf13881c52c34e20d3eac9e5
2017-03-07httpd: Clean up heat API profiles and add release noteJuan Antonio Osorio Robles3-28/+9
There were some values that were passed to the classes manually, and this takes the parameters from t-h-t instead. Also, the release note was added. bp tls-via-certmonger Change-Id: I17c4b7041e16da6489f4b713fdeb28a6e1c5563c Depends-On: I88e5ea7b9bbf35ae03f84fdc3ec76ae09f11a1b6
2017-03-07Deploy Heat APIs over httpdJuan Antonio Osorio Robles4-6/+186
This deploys the Heat APIs (api, cfn and cloudwatch) over httpd, and includes the TLS-everywhere bits. bp tls-via-certmonger Change-Id: I23971b0164468e67c9b3577772af84bd947e16f1