aboutsummaryrefslogtreecommitdiffstats
path: root/releasenotes/notes
AgeCommit message (Collapse)AuthorFilesLines
2017-06-01Install rsync package for galeraJames Slagle1-0/+6
Since galera is configured to use rsync, we ought to make sure the package is installed. Particularly when using deployed-server, the package is not always installed by default depending on what was used to install the servers. Change-Id: I92ee78f2dd2c0f7fd4d393b104166407d7c654e2 Closes-Bug: #1693003
2017-05-05Remove limits for redis in /etc/security/limits.dMichele Baldessari1-0/+5
Now that puppet-redis supports ulimit for cluster managed redis (via https://github.com/arioch/puppet-redis/pull/192), we need to remove the file snippet as otherwise we will get a duplicate resource error. We will need to create a THT change that at the very least sets the redis::managed_by_cluster_manager key to true so that /etc/security/limits.d/redis.conf gets created. We also add code to not break backwards compatibility with the old hiera key. Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d Partial-Bug: #1688464
2017-05-03Restrict nova migration ssh tunnelOliver Walsh1-0/+10
This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins1-0/+3
2017-04-25Merge "Add support for Redfish hardware in Ironic"Jenkins1-0/+5
2017-04-25Merge "Include zaqar apache module"Jenkins1-0/+3
2017-04-24Add support for Redfish hardware in IronicDmitry Tantsur1-0/+5
Part of blueprint redfish-support Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
2017-04-21Move ceilometer upgrade re-run out of collectorPradeep Kilambi1-0/+6
Since collector is deprecated, lets move this out of collector.pp so it gets run and resource types are created appropriately even when collector is not included. Closes-bug: #1676961 Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
2017-04-21Merge "Add ML2 configuration for Bagpipe BGPVPN extension"Jenkins1-0/+1
2017-04-20Include zaqar apache moduleThomas Herve1-0/+3
This includes the Zaqar apache module, allowing to run Zaqar behind httpd. Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906 Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
2017-04-19Merge "Ensure we configure ssl.conf"Jenkins1-0/+10
2017-04-19Merge "Create bigswitch agent profile"Jenkins1-0/+5
2017-04-18Merge "Added release note for "Support for external swift proxy""Jenkins1-0/+5
2017-04-18Ensure we configure ssl.confLukas Bezdicka1-0/+10
Every time we call apache module regardless of using SSL we have to configure mod_ssl from puppet-apache or we'll hit issue during package update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains Listen 443 while apache::mod::ssl just configures SSL bits but does not add Listen. If the apache::mod::ssl is not included the ssl.conf file is removed and recreated during mod_ssl package update. This causes conflict on port 443. Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8 Related-Bug: 1682448 Resolves: rhbz#1441977
2017-04-18Added release note for "Support for external swift proxy"Luca Lorenzetto1-0/+5
Change-Id: I7feac65bf814099ab591b473be962e64dec85cbd
2017-04-17HAproxy/heat_api: increase timeout to 10mEmilien Macchi1-0/+5
Default timeout is 2min but it doesn't reflect the rpc_response_timeout value that we set in THT and instack-undercloud, which is 600 (10 min). In some cases (in low-memory environments), Heat needs more than 2 minutes to reply to the client, when deploying the overcloud. It makes sense to increase the timeout to the value of rpc_timeout to give a chance to Heat to reply to the client, otherwise HAproxy will kill the connection and send 504 to the client. Depends-On: I9669d40d86d762101734704fcef153e360767690 Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c Related-Bug: 1666072
2017-04-12Add ML2 configuration for Bagpipe BGPVPN extensionRicardo Noriega1-0/+1
Change-Id: I9e1a56782e258fb6982b70d9a07f35808f2b2de5 Depends-On: Ic975ec1d6b2bf6e6bd28b47ba9dd2a3ae629d149 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-04-12Enable internal network TLS for etcdFeng Pan1-0/+3
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-07Merge "Stop including ironic::drivers::ssh in the ironic-conductor profile"Jenkins1-0/+5
2017-04-07Merge "Add networking-vpp ML2 mechanism driver support"Jenkins1-0/+3
2017-04-07Merge "Add missing octavia auth include to keystone manifest"Jenkins1-0/+3
2017-04-07Stop including ironic::drivers::ssh in the ironic-conductor profileDmitry Tantsur1-0/+5
The SSH drivers are deprecated, pxe_ipmitool + virtualbmc should be used instead. This is a follow-up to blueprint switch-to-virtualbmc. Change-Id: I4fd567dffa3992042eebcf495334b8130e1bdc9f
2017-04-07Merge "Composable services support for Cinder Pure Storage FlashArray"Jenkins1-0/+3
2017-04-06Merge "Adding support for Bagpipe Agent as BGPVPN driver"Jenkins1-0/+3
2017-04-06Merge "Add a trigger to call ldap_backend define"Jenkins1-0/+5
2017-04-06Add missing octavia auth include to keystone manifestBrent Eagles1-0/+3
This patch adds the appropriate include to make sure that appropriate keystone user, services, etc. are created when octavia is selected. Closes-bug: #1680588 Change-Id: I0b6d657a0300538292223923d8808c23f936c193
2017-04-05Merge "Introduce profile to configure l2 gateway Neutron agent."Jenkins1-0/+3
2017-04-05Add a trigger to call ldap_backend defineCyril Lopez1-0/+5
Ldap_backend is a define so we need a resource to talk it. If ldap_backend_enable set by tripleo-heat-templates, we call the ldap_backend as a resource. Given an environment such as the following: parameter_defaults: KeystoneLdapDomainEnable: true KeystoneLDAPBackendConfigs: tripleoldap: url: ldap://192.0.2.250 user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com password: Secrete suffix: dc=redhat,dc=example,dc=com user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)" user_objectclass: person user_id_attribute: cn user_allow_create: false user_allow_update: false user_allow_delete: false ControllerExtraConfig: nova::keystone::authtoken::auth_version: v3 cinder::keystone::authtoken::auth_version: v3 It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash. Partial-Bug: 1677603 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Co-Authored-By: Guillaume Coré <gucore@redhat.com> Signed-off-by: Cyril Lopez <cylopez@redhat.com> Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
2017-04-05Adding support for Bagpipe Agent as BGPVPN driverRicardo Noriega1-0/+3
Partially-Implements: blueprint bgpvpn-service-integration Change-Id: I54ef40f9d958e87d187a6d124995aa6951c0651a Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-04-05Merge "SSHD Service extensions"Jenkins1-1/+3
2017-04-04Merge "Configure migration SSH tunnel"Jenkins1-0/+4
2017-04-04Merge "Fixes missing neutron base in sriov"Jenkins1-0/+3
2017-04-04SSHD Service extensionslhinds1-1/+3
This change adds an `include` statement to bring in the extra functionality available from the existing puppet-ssh module in already available in RDO. By using puppet-ssh it provides a framework to allow the passing in of server options using just hiera values under ssh::server_options. For example, sshd_config banner can now be passed a server option, as well as all the new parameters outlined in the launchpad issue that the patch references for Closing. For this reason, the former augeas setting for `Banner /etc/issue` is now managed by the main puppet-ssh module instead. The change also allows population of MOTD text to `/etc/motd` as well as `issue.net`. $bannertext is refactored in accordance with patch [1] [1] https://review.openstack.org/#/c/442406/ Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c Closes-Bug: 1668543
2017-04-03Merge "Add tunnel timeout for ui proxy container"Jenkins1-0/+6
2017-04-03Composable services support for Cinder Pure Storage FlashArraySimon Dodsley1-0/+3
Added the heat templates for Cinder Pure Storage FlashArray backend to use composable services Change-Id: I6f46f45a3af394de85672261c7d72ddc492a07b2
2017-04-03Restrict mongodb memory usagePradeep Kilambi1-0/+6
Currently, mongodb has no limits on how much memory it can consume. This enforces restriction so mongodb service limits through systemd. The puppet-systemd module has support for limits. The MemoryLimit support is added in the follwoing pull request https://github.com/camptocamp/puppet-systemd/pull/23 Closes-bug: #1656558 Change-Id: Ie9391aa39532507c5de8dd668a70d5b66e17c891
2017-04-03Fixes missing neutron base in sriovTim Rozet1-0/+3
This causes issues in deployments that is not using ML2 ComputeNeutronCorePlugin or OVS agent on the compute nodes. Closes-Bug: 1679202 Change-Id: I9cdfd115add8c0d2d3ae6802e7bde007c1677c67 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-04-03Configure migration SSH tunnelOliver Walsh1-0/+4
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
2017-04-02Move horizon to step 3Alex Schultz1-0/+6
We configure apache in step 3 so horizon should be configured at the same time or else updates will cause horizon to be unvailable during the update process. Change-Id: I4032f7c24edc0ff9ed637e213870cdd3beb9a54e Closes-Bug: #1678338
2017-03-30Add tunnel timeout for ui proxy containerDan Trainor1-0/+6
Add an explicit tunnel timeout configuration option to increase the tunnel timeout for persistent socket connections from two minutes (2m) to one hour (3600s). A configuration was already present to apply a tunnel timeout to the zaqar_ws endpoint, but that only applies to connections made directly to the zaqar_ws endpoint directly. Since UI now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout is now applied for the same reasons to the ui haproxy server. Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb Closes-Bug: 1672826
2017-03-30Decouple ceilometer user create from APIPradeep Kilambi1-0/+5
Ceilometer user is needed for other ceilometer services to authenticate with keystone even when API is not present. So the data can be dispatched to gnocchi. Lets keep these separate so user always exists even when api is not. Depends-On: Iffebd40752eafb1d30b5962da8b5624fb9df7d48 Closes-bug: #1677354 Change-Id: I8f4e543a7cef5e50a35a191fe20e276d518daf20
2017-03-30Merge "Adds service for managing securetty"Jenkins1-0/+6
2017-03-29Adds service for managing securettylhinds1-0/+6
This adds the ability to manage the securetty file. By allowing management of securetty, operators can limit root console access and improve security through hardening. Change-Id: Ic4647fb823bd112648c5b8d102913baa8b4dac1c Closes-Bug: #1665042
2017-03-29Fix reno for rabbitmq-user-checkEmilien Macchi1-0/+6
Change-Id: I5eed22ab0230a477d1629545b8ab1aeff33f4a35
2017-03-29Introduce profile to configure l2 gateway Neutron agent.Peng Liu1-0/+3
Implements: blueprint l2gw-service-integration Change-Id: If1501c153b1b170b9550cb7e5a23be463fba1fe9
2017-03-28Merge "Re-run gnocchi and ceilometer upgrade in step 5"Jenkins1-0/+5
2017-03-28Merge "Include oslo.messaging amqp support for rpc and notifications"Jenkins1-0/+4
2017-03-27Re-run gnocchi and ceilometer upgrade in step 5Pradeep Kilambi1-0/+5
Without this gnocchi resources types are not created as they are skipped initially and the resources from ceilometer wont make it to gnocchi. Closes-bug: #1674421 Depends-On: I753f37e121b95813e345f200ad3f3e75ec4bd7e1 Change-Id: Ib45bf1b3e526a58f675d7555fe7bb5038dadeede
2017-03-27Add l2 gateway Neutron service plugin profilePeng Liu1-0/+3
Introduce profile to configure l2 gateway Neutron service plugin. Implements: blueprint l2gw-service-integration Change-Id: I01a8afdc51b2a077be1bbc7855892f68756e1fd3 Signed-off-by: Peng Liu <pliu@redhat.com>
2017-03-21Create bigswitch agent profileAlex Schultz1-0/+5
Create a tripleo profile for the bigswitch neutron agent configuration to be consumed by THT. Change-Id: I7a8f7f73c9c8446e21c16a5c378bd7e0f0a4c94e Partial-Bug: #1674791