aboutsummaryrefslogtreecommitdiffstats
path: root/releasenotes/notes
AgeCommit message (Collapse)AuthorFilesLines
2017-07-31Enable TLS for the HAProxy stats interfaceJuan Antonio Osorio Robles1-0/+8
This creates a new class for the stats interface and furtherly configures it to also use the certificates that are provided by certmonger (via the internal_certificates_specs variable). Note that the already existing haproxy_stats_certificate still works and will take precedence if it's set. bp tls-via-certmonger Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
2017-07-21Deprecates using exec workaround for ODL clusteringTim Rozet1-0/+8
Previously we had used an exec defined in puppet-tripleo to do clustering with OpenDaylight docker containers. The clustering issue is now fixed in puppet-opendaylight by: https://git.opendaylight.org/gerrit/#/c/60491 So removing the custom function and class workaround. Also, 'ha_node_index' is deprecated for configuring clustering with puppet-opendaylight so that is also removed. Depends-On: I21c1eb2eff6d4cb855eff4a1122f55ad625d84cc Change-Id: I7693b692c74071945fdcc08292542e9b458a540b Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-07-19Merge "PS Cinder: Added support for password less login"Jenkins1-0/+4
2017-07-18PS Cinder: Added support for password less loginrajinir1-0/+4
Added missing san_private_key parameter used for password less SSH authentication. Change-Id: Ia9857064692681172573e9092b53a352cd776cbd Depends-On: 0743d42ed1ed66e08ab7f4355145b4c06c589801
2017-07-17Merge "Add option for innodb_flush_log_at_trx_commit = 2 for Galera only"Jenkins1-0/+17
2017-07-15Merge "Add new profile for the Veritas HyperScale's cinder backend."Jenkins1-0/+3
2017-07-14Merge "Contrail: Fix controlplane/dataplane network asignments & enable ↵Jenkins1-0/+10
optional dpdk"
2017-07-14Add new profile for the Veritas HyperScale's cinder backend.abhishek.kane1-0/+3
Add new hook in the keystone profile for Veritas HyperScale. Add new hook in the rabbitmq profile for Veritas HyperScale. Add new hook in the mysql profile for Veritas HyperScale. Change-Id: I9168bffa5c73a205d1bb84b831b06081c40af549 Depends-On: I316b22f4f7f9f68fe5c46075dc348a70e437fb1d Depends-On: Id188af5e2f7bf628a97a70b8f20bef28e42b372d Signed-off-by: abhishek.kane <abhishek.kane@veritas.com> Signed-off-by: Dnyaneshwar Pawar <dnyaneshwar.pawar@veritas.com>
2017-07-12Merge "Do not fail if PCI device is missing"Jenkins1-0/+5
2017-07-06Merge "Add Swift dispersion profile"Jenkins1-0/+6
2017-07-06Add option for innodb_flush_log_at_trx_commit = 2 for Galera onlyMike Bayer1-0/+17
The innodb_flush_log_at_trx_commit flag changes the timing of when the log buffer is written to disk for writes. At its default of 1, transactions are written to disk and the buffer flushed on a per-transaction basis; but when set to 2, the flush of the buffer proceeds only once per second. This removes the durability guarantee for the single node. However the central concept of Galera is that durability is achieved via the cluster as a whole, in that transactions are replicated to other nodes before the commit succeeds (though not necessarily written to disk unless wsrep_causal_reads is set). In this model, data would only be lost of all nodes of the Galera cluster were killed within one second of each other. Percona's blog post at https://www.percona.com/blog/2014/11/17/typical-misconceptions-on-galera-for-mysql/ recommends that the value of 2 should be considered "safe" for a Galera cluster unless you are in fact worried that all three nodes will be powered off simultaneously. The value here is added as an option only, defaulting to the usual default of "1", flush per transaction. Change-Id: Id5a30f1daf978e094a74db2d284febbc9ae64bb3
2017-07-05Contrail: Fix controlplane/dataplane network asignments & enable optional dpdkMichael Henkel1-0/+10
This patch will move the Contrail roles communication towards OpenStack APIs from the public/external network to the internal_api network. I will also add the option to enable dpdk for Contrail. Change-Id: Ia835df656031cdf28de20f41ec6ab1c028dced23 Closes-Bug: 1698422
2017-06-29Zaqar: support configurable backendsDan Prince1-0/+6
This patch updates the Zaqar profile so that we have support for configuring alternate versions of the messaging and management backends. In Pike instack-undercloud started using the swift/sqlalchemy backends and the intent here is to update the new containers undercloud to use a similar default (thus letting us drop Mongodb). Change-Id: Ie6a56b9163950cee2c0341afa0c0ddce665f3704
2017-06-29Do not fail if PCI device is missingBrent Eagles1-0/+5
Fixes a problem where SR-IOV VF count configuration will fail if a physical function is in use by a guest when 'puppet apply' is executed. This change substitutes warnings for failures and skips complaints if a PCI device is unavailable. Note: this patch has the side-effect of allowing the same configuration data on hosts that may *not* or *ever* have PCI SR-IOV devices on the hardware. Time will tell how evil this is in practice. Closes-Bug: #1701284 Change-Id: I71edc135432ab2193741c37ce977dd11172401e6
2017-06-27Always start httpd at the same timeJuan Antonio Osorio Robles1-0/+5
Puppet wipes out whatever is not in it's resource catalog each run for httpd. This causes httpd to restart if in the next step there are reasources added that were not there earlier. This patch, thus changes the instances of httpd to start at the same time: On step 3 for the bootstrap node, and on step 4 for every other node. Closes-Bug: #1699502 Change-Id: I3d29728c1ab7bd5b78100f89e00e5fa082f97b0c Co-Authored-By: Alex Schultz <aschultz@redhat.com>
2017-06-23Add Swift dispersion profileChristian Schwede1-0/+6
The swift-dispersion-populate command needs to be called when Swift and Keystone are up and running, and therefore we need to ensure this is running in step 5 or later. Change-Id: I5b4c08c252b6083dace5a65367920c475de416ce
2017-06-21Merge "Ignore failures when loading nf_conntrack_proto_sctp kernel module"Jenkins1-0/+9
2017-06-20Ignore failures when loading nf_conntrack_proto_sctp kernel moduleOr Idgar1-0/+9
Ignore failures if nf_conntrack_proto_sctp module failed to load. Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the kernel instead of as a module as the sctp support. TripleO will still try to load the module to support RHEL 7.3, but in the future will remove the module management and rely on the kernel provided in newer versions of RHEL. Co-Authored-By: Or Idgar <oidgar@redhat.com> Co-Authored-By: Alex Schultz <aschultz@redhat.com> Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79 Closes-Bug: 1695885
2017-06-20Add maxconn parameter to MySQL / HAProxyMike Bayer1-0/+5
Allows configurability of maxconn as applies to the MySQL section of the HAProxy config, both for clustercheck and single node. Also adds a new test for the haproxy class overall to exercise options. Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
2017-06-14Merge "Fix Swift ring management in container deployments"Jenkins1-0/+8
2017-06-13Merge "Support for proxying ironic-inspector via Apache"Jenkins1-0/+6
2017-06-11Merge "Install rsync package for galera"Jenkins1-0/+6
2017-06-08Use CRL for HAProxyJuan Antonio Osorio Robles1-0/+6
This sets up the CRL file to be triggered on the certmonger_user resource. Furtherly, HAProxy uses this CRL file in the member options, thus effectively enabling revocation for proxied nodes. So, if a certificate has been revoked by the CA, HAProxy will not proxy requests to it. bp tls-via-certmonger Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
2017-06-08Add resource to fetch CRLJuan Antonio Osorio Robles1-0/+4
This will fetch the CRL file from the specified file or URL. Furtherly it will set up a cron job to refresh the crl file once a week and notify the needed services. bp tls-via-certmonger Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
2017-06-07Fix Swift ring management in container deploymentsChristian Schwede1-0/+8
The ring up- and downloading was never executed if run within a containerized environment. This is due to the fact that this manifest gets executed within step 6(5) only. There is also an ordering issue, which actually tries to create the tarballs before rebalancing. This patch fixes the step conditions and also chains the tarball creation to the rebalance. The check to query rings on all nodes can now be disabled. This is required on containerized environments: the local ring will be modified and rebalanced, but rings on the existing servers are not yet modified. Therefore a recon-check will fail, and needs to be disabled. Closes-Bug: 1694211 Change-Id: I51c5795b9893d797bd73e059910f17a98f04cdbe
2017-06-05Merge "Add Mistral event engine"Jenkins1-0/+4
2017-06-05Merge "Pacemaker support for OVN DB servers"Jenkins1-0/+4
2017-06-05Support for proxying ironic-inspector via ApacheJenkins1-0/+6
Future work in the UI requires Apache to proxy for the ironic-inspector service the same as it has for other related services. This adds support for ironic-inspector through Apache's mod_proxy Closes-Bug: 1695202 Depends-On: Id395604f1dfbc4bf4f26adbe05f484a10227fd76 Change-Id: I9dcb0769ff90a2fc9561cb86bb822be8087ffe8e
2017-06-01Merge "Composable Role for Neutron LBaaS"Jenkins1-0/+3
2017-06-01Install rsync package for galeraJames Slagle1-0/+6
Since galera is configured to use rsync, we ought to make sure the package is installed. Particularly when using deployed-server, the package is not always installed by default depending on what was used to install the servers. Change-Id: I92ee78f2dd2c0f7fd4d393b104166407d7c654e2 Closes-Bug: #1693003
2017-06-01make release note a list of stringsDoug Hellmann1-2/+3
Change-Id: I806e15f24309261bb4bf108aacc43a5c4d2d33bc Signed-off-by: Doug Hellmann <doug@doughellmann.com>
2017-06-01Pacemaker support for OVN DB serversBabu Shanmugam1-0/+4
This patch enables OVN DB servers to be started in master/slave mode in the pacemaker cluster. A virtual IP resource is created first and then the pacemaker OVN OCF resource - "ovn:ovndb-servers" is created. The OVN OCF resource is configured to be colocated with the vip resource. The ovn-controller and Neutron OVN ML2 mechanism driver which depends on OVN DB servers will always connect to the vip address on which the master OVN DB servers listen on. The OVN OCF resource itself takes care of (re)starting ovn-northd service on the master node and we don't have to manage it. When HA is enabled for OVN DB servers, haproxy does not configure the OVN DB servers in its configuration. This patch requires OVS 2.7 in the overcloud. Co-authored:by: Numan Siddique <nusiddiq@redhat.com> Change-Id: I9dc366002ef5919339961e5deebbf8aa815c73db Partial-bug: #1670564
2017-05-16Composable Role for Neutron LBaaSRyan Hefner1-0/+3
Add composable service interface for Neutron LBaaSv2 service. Change-Id: Ieeb21fafd340fdfbaddbe7633946fe0f05c640c9
2017-05-06Enable mistral to run under mod_wsgiBrad P. Crochet1-0/+7
Mistral should run under mod_wsgi. Enable that. Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
2017-05-06Add Mistral event engineBrad P. Crochet1-0/+4
Mistral has an event engine for triggering cron events. Let's run it. Change-Id: I386e0b77064ca6938af36238f82bfec010aa5a17 Depends-On: Icaef5e5732f98e9cc39ed1f024d715cee371acac
2017-05-05Remove limits for redis in /etc/security/limits.dMichele Baldessari1-0/+5
Now that puppet-redis supports ulimit for cluster managed redis (via https://github.com/arioch/puppet-redis/pull/192), we need to remove the file snippet as otherwise we will get a duplicate resource error. We will need to create a THT change that at the very least sets the redis::managed_by_cluster_manager key to true so that /etc/security/limits.d/redis.conf gets created. We also add code to not break backwards compatibility with the old hiera key. Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d Partial-Bug: #1688464
2017-05-03Restrict nova migration ssh tunnelOliver Walsh1-0/+10
This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins1-0/+3
2017-04-25Merge "Add support for Redfish hardware in Ironic"Jenkins1-0/+5
2017-04-25Merge "Include zaqar apache module"Jenkins1-0/+3
2017-04-24Add support for Redfish hardware in IronicDmitry Tantsur1-0/+5
Part of blueprint redfish-support Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
2017-04-21Move ceilometer upgrade re-run out of collectorPradeep Kilambi1-0/+6
Since collector is deprecated, lets move this out of collector.pp so it gets run and resource types are created appropriately even when collector is not included. Closes-bug: #1676961 Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
2017-04-21Merge "Add ML2 configuration for Bagpipe BGPVPN extension"Jenkins1-0/+1
2017-04-20Include zaqar apache moduleThomas Herve1-0/+3
This includes the Zaqar apache module, allowing to run Zaqar behind httpd. Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906 Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
2017-04-19Merge "Ensure we configure ssl.conf"Jenkins1-0/+10
2017-04-19Merge "Create bigswitch agent profile"Jenkins1-0/+5
2017-04-18Merge "Added release note for "Support for external swift proxy""Jenkins1-0/+5
2017-04-18Ensure we configure ssl.confLukas Bezdicka1-0/+10
Every time we call apache module regardless of using SSL we have to configure mod_ssl from puppet-apache or we'll hit issue during package update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains Listen 443 while apache::mod::ssl just configures SSL bits but does not add Listen. If the apache::mod::ssl is not included the ssl.conf file is removed and recreated during mod_ssl package update. This causes conflict on port 443. Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8 Related-Bug: 1682448 Resolves: rhbz#1441977
2017-04-18Added release note for "Support for external swift proxy"Luca Lorenzetto1-0/+5
Change-Id: I7feac65bf814099ab591b473be962e64dec85cbd
2017-04-17HAproxy/heat_api: increase timeout to 10mEmilien Macchi1-0/+5
Default timeout is 2min but it doesn't reflect the rpc_response_timeout value that we set in THT and instack-undercloud, which is 600 (10 min). In some cases (in low-memory environments), Heat needs more than 2 minutes to reply to the client, when deploying the overcloud. It makes sense to increase the timeout to the value of rpc_timeout to give a chance to Heat to reply to the client, otherwise HAproxy will kill the connection and send 504 to the client. Depends-On: I9669d40d86d762101734704fcef153e360767690 Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c Related-Bug: 1666072