Age | Commit message (Collapse) | Author | Files | Lines |
|
In order for the browser to trust the certificate served by HAProxy
we need to include the CA cert in the PEM file that the endpoints
serve.
Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417
Closes-Bug: #1639807
|
|
Use rabbitmq_node_ips to find out where rabbitmq nodes are, and have
correct ipv6 syntax if required.
Closes-Bug: 1637443
Change-Id: Ibc0ed642931dd3ada7ee594bb8c70a1c3462206d
|
|
|
|
|
|
Rather than use the heat::keystone::domain class which also includes the
configuration options, we should just create the user for heat in
keystone independently of the configuration.
Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe
Related-Bug: #1638350
Closes-Bug: #1638626
|
|
Change-Id: Id4dc2379b0c423012a0b3aaf49d1e1a7d633a03b
|
|
|
|
|
|
|
|
When using SSL setup for undercloud, the admin and public vip required
for ssl binding by haproxy are created by keepalived.
This makes sure that keepalived is started before haproxy and thus that
the interfaces are indeed present.
This patch also ensures this is happening for overcloud ssl
configuration. The case where another load-balancing technology other
than haproxy is used is not covered.
Closes-Bug: #1638029
Change-Id: I98cb0dcd7f389a1dd38ec8324429bfef4979aa66
|
|
|
|
|
|
|
|
|
|
ODL was missing transparent binding mode, which causes HA deployments to
fail since HA Proxy will try to come up on every node (even without
VIP).
Closes-Bug: 1637833
Change-Id: I0bb7839cdcfeacb4ca1a9fc6f878e8b51330be92
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
Since the service_name is now being passed from t-h-t, we can clean
it up from the profile in puppet.
Change-Id: I724af8c355c3077be64cf472cedbca80af55da01
Depends-On: I13638cd1af52537bef8540f0d5fa5f5f7decd392
|
|
In order to make the zaqar service fully composable, the mongo ips need
to be calculated without assuming that mongo and zaqar are on the same
node.
Change-Id: I0b077e85ba5fcd9fdfd33956cf33ce2403fcb088
|
|
|
|
In some cases, for instance, when updating from a non-SSL setup in
HAProxy to an SSL setup, we don't reload haproxy's configuration.
This is problematic since we need HAProxy to serve the certificates
and the new endpoints.
This forces the reload when puppet notices changes.
Change-Id: Ie1dd809e6beef33fadad48de55e488219fb7d686
Closes-Bug: #1636921
|
|
|
|
|
|
|
|
If we upgrade a cloud that was configured with external load balancer
the process will fail during convergence step because it will try to
restart haproxy which is not configured when an external load balancer
is configured.
Closes-Bug: #1636527
Change-Id: I6f6caec3e5c96e77437c1c83e625f39649a66c48
|
|
The current redis file descriptor limit is 4096 because of two reasons:
- It is run via the redis user
- It is not started via systemd which has explicit LimitNOFILE set to
10240 (which matches the default configuration of maximum 10000
clients)
Create an /etc/security/limits.d/redis.conf file in order to increase
the fd limit value With this change we correctly get the following
limits:
[root@overcloud-controller-0 ~]# pcs status |grep -A2 redis
Master/Slave Set: redis-master [redis]
Masters: [ overcloud-controller-2 ]
Slaves: [ overcloud-controller-0 overcloud-controller-1 ]
[root@overcloud-controller-0 ~]# cat /proc/`pgrep redis`/limits | grep open
Max open files 10240 10240 files
Previously this limit was set to 4096.
Change-Id: I7691581bad92ad9442cecd82cf44f5ac78ed169f
Closes-Bug: #1635334
|
|
proxy for the UI"
|
|
|
|
|
|
|
|
|
|
|
|
Previously we did this with Pacemaker, but with move to NG HA
architecture we lost the ability to use NFS mounts as image storage for
Glance. This reimplements the mounting without utilizing Pacemaker. The
mount is by default also written to /etc/fstab so that it persists over
reboot, but this behavior can be disabled.
This could also go to puppet-glance eventually, but not yet -- we need
this backported to Newton because it's a TripleO regression. I don't
think puppet-glance would allow backporting this to Newton, because from
their point of view it would be a RFE rather than a regression.
Change-Id: I45ad34c36587a8d695069368cf791f1efb68256c
Related-Bug: #1635606
|
|
The upload and extraction for the plan tarball to swift can take
longer than the default one minute in slower environments. Doubling
the timeout to two minutes has proven to help.
This is only a partial fix, because the error reporting for this
issue also needs to be improved.
Change-Id: I06592d38fdfefacc8bdf76289a0bfa20eb33a89b
Partial-Bug: 1635269
|
|
|
|
|
|
To be able to monitor during deployment, we need sensu clients
and fluentd collectors be deployed as soon as it is possible.
Change-Id: I952f0d6de6f6327d5c923b8f1d7a5979758dbc59
|
|
In change I35921652bd84d1d6be0727051294983d4a0dde10 we want to remove
all those duplicate tcp_listen_option entries. One consequence of that
is that we need to set rabbitmq::tcp_keepalive to true via hiera
(as opposed to forcing it via the tcp_listen_option hash).
For this to work we need to remove this forced parameter override.
Note that even if I35921652bd84d1d6be0727051294983d4a0dde10 and this
change don't merge at the exact same time it is still okay because
we do force tcp_keepalive to true via the tcp_listen_options.
Change-Id: I608477d5714a5081b3b4ab3b9fc2932bdd598301
|
|
|
|
|
|
The docker tooling has a preference for interacting with encrypted
endpoints. Terminating the docker-registry endpoint with HAProxy
allows the SSL VIP to be used for this purpose.
Change-Id: Ifebfa7256e0887d6f26a478ff8dc82b0ef5f65f6
|
|
This optionally enables TLS for aodh in the internal network.
If internal TLS is enabled, each node that is serving the aodh
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I50ef0c8fbecb19d6597a28290daa61a91f3b13fc
|
|
This optionally enables TLS for aodh in the internal network.
If internal TLS is enabled, each node that is serving the ceilometer
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496
|
|
This optionally enables TLS for keystone in the internal network.
If internal TLS is enabled, each node that is serving the keystone
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
|
|
|
|
|
|
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: If2804b469eb3ee08f3f194c7dd3290d23a245a7a
|
|
|
|
|
|
Without this, neutron-server fails to start and communication will not
work to ODL REST.
Parital-Bug: 1633630
Change-Id: Ifd906db4e6062ac271c2147fe1149b1009d06ae2
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
|
|
This patch updates the Nova profile so that we set memcached
servers correctly for the Nova keystone auth_token middleware.
Most of the hiera settings for ::nova::keystone::authtoken are
already included in the t-h-t nova-api service.
Change-Id: I3b7ff02abbd0d5e0c38232d02b33e4c7bc411120
Closes-bug: #1633595
|