Age | Commit message (Collapse) | Author | Files | Lines |
|
This creates a new class for the stats interface and furtherly
configures it to also use the certificates that are provided by
certmonger (via the internal_certificates_specs variable).
Note that the already existing haproxy_stats_certificate still works and
will take precedence if it's set.
bp tls-via-certmonger
Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
|
|
Previously we had used an exec defined in puppet-tripleo to do
clustering with OpenDaylight docker containers. The clustering issue is
now fixed in puppet-opendaylight by:
https://git.opendaylight.org/gerrit/#/c/60491
So removing the custom function and class workaround. Also,
'ha_node_index' is deprecated for configuring clustering with
puppet-opendaylight so that is also removed.
Depends-On: I21c1eb2eff6d4cb855eff4a1122f55ad625d84cc
Change-Id: I7693b692c74071945fdcc08292542e9b458a540b
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
|
|
Added missing san_private_key parameter used for password less SSH
authentication.
Change-Id: Ia9857064692681172573e9092b53a352cd776cbd
Depends-On: 0743d42ed1ed66e08ab7f4355145b4c06c589801
|
|
|
|
|
|
optional dpdk"
|
|
Add new hook in the keystone profile for Veritas HyperScale.
Add new hook in the rabbitmq profile for Veritas HyperScale.
Add new hook in the mysql profile for Veritas HyperScale.
Change-Id: I9168bffa5c73a205d1bb84b831b06081c40af549
Depends-On: I316b22f4f7f9f68fe5c46075dc348a70e437fb1d
Depends-On: Id188af5e2f7bf628a97a70b8f20bef28e42b372d
Signed-off-by: abhishek.kane <abhishek.kane@veritas.com>
Signed-off-by: Dnyaneshwar Pawar <dnyaneshwar.pawar@veritas.com>
|
|
|
|
|
|
The innodb_flush_log_at_trx_commit flag changes the timing
of when the log buffer is written to disk for writes.
At its default of 1, transactions are written to disk
and the buffer flushed on a per-transaction basis; but when
set to 2, the flush of the buffer proceeds only once per
second. This removes the durability guarantee for the
single node. However the central concept of Galera is
that durability is achieved via the cluster as a whole,
in that transactions are replicated to other nodes before
the commit succeeds (though not necessarily written to disk
unless wsrep_causal_reads is set). In this model,
data would only be lost of all nodes of the Galera cluster
were killed within one second of each other. Percona's
blog post at https://www.percona.com/blog/2014/11/17/typical-misconceptions-on-galera-for-mysql/
recommends that the value of 2 should be considered "safe"
for a Galera cluster unless you are in fact worried that
all three nodes will be powered off simultaneously.
The value here is added as an option only, defaulting
to the usual default of "1", flush per transaction.
Change-Id: Id5a30f1daf978e094a74db2d284febbc9ae64bb3
|
|
This patch will move the Contrail roles communication towards
OpenStack APIs from the public/external network to the
internal_api network. I will also add the option to enable
dpdk for Contrail.
Change-Id: Ia835df656031cdf28de20f41ec6ab1c028dced23
Closes-Bug: 1698422
|
|
This patch updates the Zaqar profile so that we have
support for configuring alternate versions of the messaging
and management backends.
In Pike instack-undercloud started using the swift/sqlalchemy
backends and the intent here is to update the new containers
undercloud to use a similar default (thus letting us drop Mongodb).
Change-Id: Ie6a56b9163950cee2c0341afa0c0ddce665f3704
|
|
Fixes a problem where SR-IOV VF count configuration will fail if a
physical function is in use by a guest when 'puppet apply' is executed.
This change substitutes warnings for failures and skips complaints if a
PCI device is unavailable.
Note: this patch has the side-effect of allowing the same configuration
data on hosts that may *not* or *ever* have PCI SR-IOV devices on the
hardware. Time will tell how evil this is in practice.
Closes-Bug: #1701284
Change-Id: I71edc135432ab2193741c37ce977dd11172401e6
|
|
Puppet wipes out whatever is not in it's resource catalog each run for
httpd. This causes httpd to restart if in the next step there are
reasources added that were not there earlier.
This patch, thus changes the instances of httpd to start at the same
time: On step 3 for the bootstrap node, and on step 4 for every other
node.
Closes-Bug: #1699502
Change-Id: I3d29728c1ab7bd5b78100f89e00e5fa082f97b0c
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
|
|
The swift-dispersion-populate command needs to be called when Swift and
Keystone are up and running, and therefore we need to ensure this is
running in step 5 or later.
Change-Id: I5b4c08c252b6083dace5a65367920c475de416ce
|
|
|
|
Ignore failures if nf_conntrack_proto_sctp module failed to load.
Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the
kernel instead of as a module as the sctp support.
TripleO will still try to load the module to support RHEL 7.3, but
in the future will remove the module management and rely on the kernel
provided in newer versions of RHEL.
Co-Authored-By: Or Idgar <oidgar@redhat.com>
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79
Closes-Bug: 1695885
|
|
Allows configurability of maxconn as applies to
the MySQL section of the HAProxy config, both
for clustercheck and single node.
Also adds a new test for the haproxy class
overall to exercise options.
Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
|
|
|
|
|
|
|
|
This sets up the CRL file to be triggered on the certmonger_user
resource. Furtherly, HAProxy uses this CRL file in the member options,
thus effectively enabling revocation for proxied nodes.
So, if a certificate has been revoked by the CA, HAProxy will not proxy
requests to it.
bp tls-via-certmonger
Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
|
|
This will fetch the CRL file from the specified file or URL. Furtherly
it will set up a cron job to refresh the crl file once a week and notify
the needed services.
bp tls-via-certmonger
Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
|
|
The ring up- and downloading was never executed if run within a
containerized environment. This is due to the fact that this manifest
gets executed within step 6(5) only. There is also an ordering issue,
which actually tries to create the tarballs before rebalancing.
This patch fixes the step conditions and also chains the tarball
creation to the rebalance.
The check to query rings on all nodes can now be disabled. This is
required on containerized environments: the local ring will be modified
and rebalanced, but rings on the existing servers are not yet modified.
Therefore a recon-check will fail, and needs to be disabled.
Closes-Bug: 1694211
Change-Id: I51c5795b9893d797bd73e059910f17a98f04cdbe
|
|
|
|
|
|
Future work in the UI requires Apache to proxy for the
ironic-inspector service the same as it has for other
related services. This adds support for ironic-inspector
through Apache's mod_proxy
Closes-Bug: 1695202
Depends-On: Id395604f1dfbc4bf4f26adbe05f484a10227fd76
Change-Id: I9dcb0769ff90a2fc9561cb86bb822be8087ffe8e
|
|
|
|
Since galera is configured to use rsync, we ought to make sure the
package is installed. Particularly when using deployed-server, the
package is not always installed by default depending on what was used to
install the servers.
Change-Id: I92ee78f2dd2c0f7fd4d393b104166407d7c654e2
Closes-Bug: #1693003
|
|
Change-Id: I806e15f24309261bb4bf108aacc43a5c4d2d33bc
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
|
|
This patch enables OVN DB servers to be started in master/slave
mode in the pacemaker cluster.
A virtual IP resource is created first and then the pacemaker OVN OCF
resource - "ovn:ovndb-servers" is created. The OVN OCF resource is
configured to be colocated with the vip resource. The ovn-controller and
Neutron OVN ML2 mechanism driver which depends on OVN DB servers will
always connect to the vip address on which the master OVN DB servers
listen on.
The OVN OCF resource itself takes care of (re)starting ovn-northd service
on the master node and we don't have to manage it.
When HA is enabled for OVN DB servers, haproxy does not configure the OVN DB
servers in its configuration.
This patch requires OVS 2.7 in the overcloud.
Co-authored:by: Numan Siddique <nusiddiq@redhat.com>
Change-Id: I9dc366002ef5919339961e5deebbf8aa815c73db
Partial-bug: #1670564
|
|
Add composable service interface for Neutron LBaaSv2 service.
Change-Id: Ieeb21fafd340fdfbaddbe7633946fe0f05c640c9
|
|
Mistral should run under mod_wsgi. Enable that.
Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc
Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
|
|
Mistral has an event engine for triggering cron events. Let's run it.
Change-Id: I386e0b77064ca6938af36238f82bfec010aa5a17
Depends-On: Icaef5e5732f98e9cc39ed1f024d715cee371acac
|
|
Now that puppet-redis supports ulimit for cluster managed redis (via
https://github.com/arioch/puppet-redis/pull/192), we need to remove the
file snippet as otherwise we will get a duplicate resource error.
We will need to create a THT change that at the very least sets the
redis::managed_by_cluster_manager key to true so that
/etc/security/limits.d/redis.conf gets created.
We also add code to not break backwards compatibility with the old hiera
key.
Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d
Partial-Bug: #1688464
|
|
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
|
|
|
|
|
|
|
|
Part of blueprint redfish-support
Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa
Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
|
|
Since collector is deprecated, lets move this out of collector.pp
so it gets run and resource types are created appropriately even
when collector is not included.
Closes-bug: #1676961
Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
|
|
|
|
This includes the Zaqar apache module, allowing to run Zaqar behind
httpd.
Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906
Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
|
|
|
|
|
|
|
|
Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.
Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
|
|
Change-Id: I7feac65bf814099ab591b473be962e64dec85cbd
|
|
Default timeout is 2min but it doesn't reflect the rpc_response_timeout
value that we set in THT and instack-undercloud, which is 600 (10 min).
In some cases (in low-memory environments), Heat needs more than 2
minutes to reply to the client, when deploying the overcloud.
It makes sense to increase the timeout to the value of rpc_timeout to
give a chance to Heat to reply to the client, otherwise HAproxy will
kill the connection and send 504 to the client.
Depends-On: I9669d40d86d762101734704fcef153e360767690
Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c
Related-Bug: 1666072
|