summaryrefslogtreecommitdiffstats
path: root/releasenotes/notes
AgeCommit message (Collapse)AuthorFilesLines
2017-10-07Allow to override HAProxy global options.Cédric Jeanneret1-0/+5
You can either append new options or override existing one. This can be particularly useful in case you want to set your own log options, for example. Change-Id: I19005b7e70e624d3b64b6c2ac8eaadfdec3944db Closes-Bug: 1721246 (cherry picked from commit e62efd0782fd6521893102101daaa21f0cd8a275)
2017-10-06Allow to configure snmpd_configEmilien Macchi1-0/+11
Expose a new Puppet parameter to snmp profile, ``snmpd_config`` which is an array definded to undef by default. It can be used to override all snmpd configuration for advanced deployments. If used, all parameters have to be configured included users and passwords, which should be the same as given to snmpd_password and snmpd_user. There is no logic that will verify the content of ``snmpd_config``. Example of hieradata which configures snmpd_config: snmpd_config: - 'createUser ro_snmp_user MD5 "secrete"', - 'rouser ro_snmp_user' - 'proc neutron-server' - 'proc nova-api' Change-Id: Ief2518d5e47137215a34e9ae3b35c27c87fa6e08 Closes-Bug: #1720868 (cherry picked from commit c211ba78cabde54be2e3a6672f6e1d33d1d580f0)
2017-09-28Disables port status updates with ODL in HATim Rozet1-0/+5
ODL enables a feature by default to communicate port state to Neutron via a websocket connection. The current implementation does not work in HA, but does work with a noHA deployment. Therefore this patch disables port status for HA deployments only until there is proper support. Depends-On: I7eb752ad692e5522051f8393376890fcac9a09fe Closes-Bug: 1718508 Change-Id: I13b5b72285d3c70cdee4d81678470d52be385aaf Signed-off-by: Tim Rozet <trozet@redhat.com> (cherry picked from commit 228d7b456c6d5c4958c9add8f9021a83a4360510)
2017-09-15added release note for new haproxy_socket_accessCédric Jeanneret1-0/+7
Change-Id: I4024177fdf97bef929d6a699662acbf56abdb0af (cherry picked from commit 9939df4c177040e67433ca19f55dca18067d9923)
2017-09-05Support for Dell EMC VNX Manila Driverrajinir1-0/+4
This changes adds Dell EMC VNX backend as composable service and matches the tripleo-heat-templates. Change-Id: Iab80dc636913610704e1ceb2642ce738b68bb827 Implements: blueprint support-dellemc-vnx-manila (cherry picked from commit eca5b4dfb22a9e9476cd835d2e211def4c9bd5c9)
2017-08-30Support for Dell EMC Unity Manila Driverrajinir1-0/+4
This changes adds Dell EMC Unity backend as composable service and matches the tripleo-heat-templates. Change-Id: I0df1e16db89cd53e4f16cd08ccb975d8e7e9a470 Implements: blueprint dellemc-unity-manila (cherry picked from commit 2f93b4fc3aa63d99b7dcb0302e9ee48bda1f4282)
2017-08-30Support for Dell EMC Isilon Manila Driverrajinir1-0/+4
This changes adds Dell EMC Isilon backend as composable service and matches the tripleo-heat-templates. Change-Id: I30f6b4c4ebe0a708a5eb34cd016544f4d2b9c2bb Implements: blueprint dellemc-isilon-manila (cherry picked from commit 75ee7f12f165d4ef6e47600d8c0ec93dff3b610d)
2017-08-19Merge "Support for Dell EMC VMAX Manila Driver"Jenkins1-0/+4
2017-08-14Support for Dell EMC VMAX Manila Driverrajinir1-0/+4
This changes adds Dell EMC VMAX backend as composable service and matches the tripleo-heat-templates. Change-Id: I6e3b4ed6477c7ee56aef4e9849893229ca648c85 Implements: blueprint dellemc-vmax-manila
2017-08-09Merge "Enable innodb_buffer_pool_size configuration"Jenkins1-0/+4
2017-08-05Merge "Enable encryption of pacemaker traffic by default"Jenkins1-0/+6
2017-08-03Enable innodb_buffer_pool_size configurationMike Bayer1-0/+4
Adds a hiera-enabled setting for mysql.pp to allow configuration of innodb_buffer_pool_size, a key configurational element for MySQL performance tuning. Change-Id: Iabdcb6f76510becb98cba35c95db550ffce44ff3 Closes-bug: #1704978
2017-08-01Enable encryption of pacemaker traffic by defaultJuan Antonio Osorio Robles1-0/+6
We already are setting a pre-shared key by default for the pacemaker cluster. This was done in order to communicate with TLS-PSK with pacemaker-remote clusters. This key is also useful for us to enable encrypted traffic for the regular cluster traffic, which we enable by default with this patch. Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf
2017-07-31Enable TLS for the HAProxy stats interfaceJuan Antonio Osorio Robles1-0/+8
This creates a new class for the stats interface and furtherly configures it to also use the certificates that are provided by certmonger (via the internal_certificates_specs variable). Note that the already existing haproxy_stats_certificate still works and will take precedence if it's set. bp tls-via-certmonger Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
2017-07-21Deprecates using exec workaround for ODL clusteringTim Rozet1-0/+8
Previously we had used an exec defined in puppet-tripleo to do clustering with OpenDaylight docker containers. The clustering issue is now fixed in puppet-opendaylight by: https://git.opendaylight.org/gerrit/#/c/60491 So removing the custom function and class workaround. Also, 'ha_node_index' is deprecated for configuring clustering with puppet-opendaylight so that is also removed. Depends-On: I21c1eb2eff6d4cb855eff4a1122f55ad625d84cc Change-Id: I7693b692c74071945fdcc08292542e9b458a540b Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-07-19Merge "PS Cinder: Added support for password less login"Jenkins1-0/+4
2017-07-18PS Cinder: Added support for password less loginrajinir1-0/+4
Added missing san_private_key parameter used for password less SSH authentication. Change-Id: Ia9857064692681172573e9092b53a352cd776cbd Depends-On: 0743d42ed1ed66e08ab7f4355145b4c06c589801
2017-07-17Merge "Add option for innodb_flush_log_at_trx_commit = 2 for Galera only"Jenkins1-0/+17
2017-07-15Merge "Add new profile for the Veritas HyperScale's cinder backend."Jenkins1-0/+3
2017-07-14Merge "Contrail: Fix controlplane/dataplane network asignments & enable ↵Jenkins1-0/+10
optional dpdk"
2017-07-14Add new profile for the Veritas HyperScale's cinder backend.abhishek.kane1-0/+3
Add new hook in the keystone profile for Veritas HyperScale. Add new hook in the rabbitmq profile for Veritas HyperScale. Add new hook in the mysql profile for Veritas HyperScale. Change-Id: I9168bffa5c73a205d1bb84b831b06081c40af549 Depends-On: I316b22f4f7f9f68fe5c46075dc348a70e437fb1d Depends-On: Id188af5e2f7bf628a97a70b8f20bef28e42b372d Signed-off-by: abhishek.kane <abhishek.kane@veritas.com> Signed-off-by: Dnyaneshwar Pawar <dnyaneshwar.pawar@veritas.com>
2017-07-12Merge "Do not fail if PCI device is missing"Jenkins1-0/+5
2017-07-06Merge "Add Swift dispersion profile"Jenkins1-0/+6
2017-07-06Add option for innodb_flush_log_at_trx_commit = 2 for Galera onlyMike Bayer1-0/+17
The innodb_flush_log_at_trx_commit flag changes the timing of when the log buffer is written to disk for writes. At its default of 1, transactions are written to disk and the buffer flushed on a per-transaction basis; but when set to 2, the flush of the buffer proceeds only once per second. This removes the durability guarantee for the single node. However the central concept of Galera is that durability is achieved via the cluster as a whole, in that transactions are replicated to other nodes before the commit succeeds (though not necessarily written to disk unless wsrep_causal_reads is set). In this model, data would only be lost of all nodes of the Galera cluster were killed within one second of each other. Percona's blog post at https://www.percona.com/blog/2014/11/17/typical-misconceptions-on-galera-for-mysql/ recommends that the value of 2 should be considered "safe" for a Galera cluster unless you are in fact worried that all three nodes will be powered off simultaneously. The value here is added as an option only, defaulting to the usual default of "1", flush per transaction. Change-Id: Id5a30f1daf978e094a74db2d284febbc9ae64bb3
2017-07-05Contrail: Fix controlplane/dataplane network asignments & enable optional dpdkMichael Henkel1-0/+10
This patch will move the Contrail roles communication towards OpenStack APIs from the public/external network to the internal_api network. I will also add the option to enable dpdk for Contrail. Change-Id: Ia835df656031cdf28de20f41ec6ab1c028dced23 Closes-Bug: 1698422
2017-06-29Zaqar: support configurable backendsDan Prince1-0/+6
This patch updates the Zaqar profile so that we have support for configuring alternate versions of the messaging and management backends. In Pike instack-undercloud started using the swift/sqlalchemy backends and the intent here is to update the new containers undercloud to use a similar default (thus letting us drop Mongodb). Change-Id: Ie6a56b9163950cee2c0341afa0c0ddce665f3704
2017-06-29Do not fail if PCI device is missingBrent Eagles1-0/+5
Fixes a problem where SR-IOV VF count configuration will fail if a physical function is in use by a guest when 'puppet apply' is executed. This change substitutes warnings for failures and skips complaints if a PCI device is unavailable. Note: this patch has the side-effect of allowing the same configuration data on hosts that may *not* or *ever* have PCI SR-IOV devices on the hardware. Time will tell how evil this is in practice. Closes-Bug: #1701284 Change-Id: I71edc135432ab2193741c37ce977dd11172401e6
2017-06-27Always start httpd at the same timeJuan Antonio Osorio Robles1-0/+5
Puppet wipes out whatever is not in it's resource catalog each run for httpd. This causes httpd to restart if in the next step there are reasources added that were not there earlier. This patch, thus changes the instances of httpd to start at the same time: On step 3 for the bootstrap node, and on step 4 for every other node. Closes-Bug: #1699502 Change-Id: I3d29728c1ab7bd5b78100f89e00e5fa082f97b0c Co-Authored-By: Alex Schultz <aschultz@redhat.com>
2017-06-23Add Swift dispersion profileChristian Schwede1-0/+6
The swift-dispersion-populate command needs to be called when Swift and Keystone are up and running, and therefore we need to ensure this is running in step 5 or later. Change-Id: I5b4c08c252b6083dace5a65367920c475de416ce
2017-06-21Merge "Ignore failures when loading nf_conntrack_proto_sctp kernel module"Jenkins1-0/+9
2017-06-20Ignore failures when loading nf_conntrack_proto_sctp kernel moduleOr Idgar1-0/+9
Ignore failures if nf_conntrack_proto_sctp module failed to load. Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the kernel instead of as a module as the sctp support. TripleO will still try to load the module to support RHEL 7.3, but in the future will remove the module management and rely on the kernel provided in newer versions of RHEL. Co-Authored-By: Or Idgar <oidgar@redhat.com> Co-Authored-By: Alex Schultz <aschultz@redhat.com> Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79 Closes-Bug: 1695885
2017-06-20Add maxconn parameter to MySQL / HAProxyMike Bayer1-0/+5
Allows configurability of maxconn as applies to the MySQL section of the HAProxy config, both for clustercheck and single node. Also adds a new test for the haproxy class overall to exercise options. Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
2017-06-14Merge "Fix Swift ring management in container deployments"Jenkins1-0/+8
2017-06-13Merge "Support for proxying ironic-inspector via Apache"Jenkins1-0/+6
2017-06-11Merge "Install rsync package for galera"Jenkins1-0/+6
2017-06-08Use CRL for HAProxyJuan Antonio Osorio Robles1-0/+6
This sets up the CRL file to be triggered on the certmonger_user resource. Furtherly, HAProxy uses this CRL file in the member options, thus effectively enabling revocation for proxied nodes. So, if a certificate has been revoked by the CA, HAProxy will not proxy requests to it. bp tls-via-certmonger Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
2017-06-08Add resource to fetch CRLJuan Antonio Osorio Robles1-0/+4
This will fetch the CRL file from the specified file or URL. Furtherly it will set up a cron job to refresh the crl file once a week and notify the needed services. bp tls-via-certmonger Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
2017-06-07Fix Swift ring management in container deploymentsChristian Schwede1-0/+8
The ring up- and downloading was never executed if run within a containerized environment. This is due to the fact that this manifest gets executed within step 6(5) only. There is also an ordering issue, which actually tries to create the tarballs before rebalancing. This patch fixes the step conditions and also chains the tarball creation to the rebalance. The check to query rings on all nodes can now be disabled. This is required on containerized environments: the local ring will be modified and rebalanced, but rings on the existing servers are not yet modified. Therefore a recon-check will fail, and needs to be disabled. Closes-Bug: 1694211 Change-Id: I51c5795b9893d797bd73e059910f17a98f04cdbe
2017-06-05Merge "Add Mistral event engine"Jenkins1-0/+4
2017-06-05Merge "Pacemaker support for OVN DB servers"Jenkins1-0/+4
2017-06-05Support for proxying ironic-inspector via ApacheJenkins1-0/+6
Future work in the UI requires Apache to proxy for the ironic-inspector service the same as it has for other related services. This adds support for ironic-inspector through Apache's mod_proxy Closes-Bug: 1695202 Depends-On: Id395604f1dfbc4bf4f26adbe05f484a10227fd76 Change-Id: I9dcb0769ff90a2fc9561cb86bb822be8087ffe8e
2017-06-01Merge "Composable Role for Neutron LBaaS"Jenkins1-0/+3
2017-06-01Install rsync package for galeraJames Slagle1-0/+6
Since galera is configured to use rsync, we ought to make sure the package is installed. Particularly when using deployed-server, the package is not always installed by default depending on what was used to install the servers. Change-Id: I92ee78f2dd2c0f7fd4d393b104166407d7c654e2 Closes-Bug: #1693003
2017-06-01make release note a list of stringsDoug Hellmann1-2/+3
Change-Id: I806e15f24309261bb4bf108aacc43a5c4d2d33bc Signed-off-by: Doug Hellmann <doug@doughellmann.com>
2017-06-01Pacemaker support for OVN DB serversBabu Shanmugam1-0/+4
This patch enables OVN DB servers to be started in master/slave mode in the pacemaker cluster. A virtual IP resource is created first and then the pacemaker OVN OCF resource - "ovn:ovndb-servers" is created. The OVN OCF resource is configured to be colocated with the vip resource. The ovn-controller and Neutron OVN ML2 mechanism driver which depends on OVN DB servers will always connect to the vip address on which the master OVN DB servers listen on. The OVN OCF resource itself takes care of (re)starting ovn-northd service on the master node and we don't have to manage it. When HA is enabled for OVN DB servers, haproxy does not configure the OVN DB servers in its configuration. This patch requires OVS 2.7 in the overcloud. Co-authored:by: Numan Siddique <nusiddiq@redhat.com> Change-Id: I9dc366002ef5919339961e5deebbf8aa815c73db Partial-bug: #1670564
2017-05-16Composable Role for Neutron LBaaSRyan Hefner1-0/+3
Add composable service interface for Neutron LBaaSv2 service. Change-Id: Ieeb21fafd340fdfbaddbe7633946fe0f05c640c9
2017-05-06Enable mistral to run under mod_wsgiBrad P. Crochet1-0/+7
Mistral should run under mod_wsgi. Enable that. Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
2017-05-06Add Mistral event engineBrad P. Crochet1-0/+4
Mistral has an event engine for triggering cron events. Let's run it. Change-Id: I386e0b77064ca6938af36238f82bfec010aa5a17 Depends-On: Icaef5e5732f98e9cc39ed1f024d715cee371acac
2017-05-05Remove limits for redis in /etc/security/limits.dMichele Baldessari1-0/+5
Now that puppet-redis supports ulimit for cluster managed redis (via https://github.com/arioch/puppet-redis/pull/192), we need to remove the file snippet as otherwise we will get a duplicate resource error. We will need to create a THT change that at the very least sets the redis::managed_by_cluster_manager key to true so that /etc/security/limits.d/redis.conf gets created. We also add code to not break backwards compatibility with the old hiera key. Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d Partial-Bug: #1688464
2017-05-03Restrict nova migration ssh tunnelOliver Walsh1-0/+10
This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293