Age | Commit message (Collapse) | Author | Files | Lines |
|
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
|
|
|
|
|
|
|
|
Part of blueprint redfish-support
Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa
Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
|
|
Since collector is deprecated, lets move this out of collector.pp
so it gets run and resource types are created appropriately even
when collector is not included.
Closes-bug: #1676961
Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
|
|
|
|
This includes the Zaqar apache module, allowing to run Zaqar behind
httpd.
Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906
Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
|
|
|
|
|
|
|
|
Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.
Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
|
|
Change-Id: I7feac65bf814099ab591b473be962e64dec85cbd
|
|
Default timeout is 2min but it doesn't reflect the rpc_response_timeout
value that we set in THT and instack-undercloud, which is 600 (10 min).
In some cases (in low-memory environments), Heat needs more than 2
minutes to reply to the client, when deploying the overcloud.
It makes sense to increase the timeout to the value of rpc_timeout to
give a chance to Heat to reply to the client, otherwise HAproxy will
kill the connection and send 504 to the client.
Depends-On: I9669d40d86d762101734704fcef153e360767690
Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c
Related-Bug: 1666072
|
|
Change-Id: I9e1a56782e258fb6982b70d9a07f35808f2b2de5
Depends-On: Ic975ec1d6b2bf6e6bd28b47ba9dd2a3ae629d149
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
bp secure-etcd
Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
|
|
|
|
|
|
The SSH drivers are deprecated, pxe_ipmitool + virtualbmc should be used instead.
This is a follow-up to blueprint switch-to-virtualbmc.
Change-Id: I4fd567dffa3992042eebcf495334b8130e1bdc9f
|
|
|
|
|
|
|
|
This patch adds the appropriate include to make sure that appropriate
keystone user, services, etc. are created when octavia is selected.
Closes-bug: #1680588
Change-Id: I0b6d657a0300538292223923d8808c23f936c193
|
|
|
|
Ldap_backend is a define so we need a resource to talk it. If
ldap_backend_enable set by tripleo-heat-templates, we call the
ldap_backend as a resource.
Given an environment such as the following:
parameter_defaults:
KeystoneLdapDomainEnable: true
KeystoneLDAPBackendConfigs:
tripleoldap:
url: ldap://192.0.2.250
user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
password: Secrete
suffix: dc=redhat,dc=example,dc=com
user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
user_objectclass: person
user_id_attribute: cn
user_allow_create: false
user_allow_update: false
user_allow_delete: false
ControllerExtraConfig:
nova::keystone::authtoken::auth_version: v3
cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.
More backends can be added as more entries to that hash.
Partial-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Guillaume Coré <gucore@redhat.com>
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
|
|
Partially-Implements: blueprint bgpvpn-service-integration
Change-Id: I54ef40f9d958e87d187a6d124995aa6951c0651a
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
|
|
|
|
|
|
This change adds an `include` statement to bring in the extra
functionality available from the existing puppet-ssh module in
already available in RDO.
By using puppet-ssh it provides a framework to allow the passing in of
server options using just hiera values under ssh::server_options.
For example, sshd_config banner can now be passed a server option, as
well as all the new parameters outlined in the launchpad issue that
the patch references for Closing. For this reason, the former augeas
setting for `Banner /etc/issue` is now managed by the main puppet-ssh
module instead.
The change also allows population of MOTD text to `/etc/motd` as
well as `issue.net`.
$bannertext is refactored in accordance with patch [1]
[1] https://review.openstack.org/#/c/442406/
Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c
Closes-Bug: 1668543
|
|
|
|
Added the heat templates for Cinder Pure Storage FlashArray
backend to use composable services
Change-Id: I6f46f45a3af394de85672261c7d72ddc492a07b2
|
|
Currently, mongodb has no limits on how much memory
it can consume. This enforces restriction so mongodb
service limits through systemd.
The puppet-systemd module has support for limits. The
MemoryLimit support is added in the follwoing pull
request https://github.com/camptocamp/puppet-systemd/pull/23
Closes-bug: #1656558
Change-Id: Ie9391aa39532507c5de8dd668a70d5b66e17c891
|
|
This causes issues in deployments that is not using ML2
ComputeNeutronCorePlugin or OVS agent on the compute nodes.
Closes-Bug: 1679202
Change-Id: I9cdfd115add8c0d2d3ae6802e7bde007c1677c67
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
This patch configures SSH tunneling for nova cold-migration and reuses the
tunnel for libvirt live-migration unless TLS has been enabled.
Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
|
|
We configure apache in step 3 so horizon should be configured at the
same time or else updates will cause horizon to be unvailable during the
update process.
Change-Id: I4032f7c24edc0ff9ed637e213870cdd3beb9a54e
Closes-Bug: #1678338
|
|
Add an explicit tunnel timeout configuration option to increase the
tunnel timeout for persistent socket connections from two minutes (2m)
to one hour (3600s). A configuration was already present to apply a
tunnel timeout to the zaqar_ws endpoint, but that only applies to
connections made directly to the zaqar_ws endpoint directly. Since UI
now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout
is now applied for the same reasons to the ui haproxy server.
Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb
Closes-Bug: 1672826
|
|
Ceilometer user is needed for other ceilometer services to
authenticate with keystone even when API is not present.
So the data can be dispatched to gnocchi. Lets keep these
separate so user always exists even when api is not.
Depends-On: Iffebd40752eafb1d30b5962da8b5624fb9df7d48
Closes-bug: #1677354
Change-Id: I8f4e543a7cef5e50a35a191fe20e276d518daf20
|
|
|
|
This adds the ability to manage the securetty file.
By allowing management of securetty, operators can limit root
console access and improve security through hardening.
Change-Id: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
Closes-Bug: #1665042
|
|
Change-Id: I5eed22ab0230a477d1629545b8ab1aeff33f4a35
|
|
Implements: blueprint l2gw-service-integration
Change-Id: If1501c153b1b170b9550cb7e5a23be463fba1fe9
|
|
|
|
|
|
Without this gnocchi resources types are not created
as they are skipped initially and the resources from
ceilometer wont make it to gnocchi.
Closes-bug: #1674421
Depends-On: I753f37e121b95813e345f200ad3f3e75ec4bd7e1
Change-Id: Ib45bf1b3e526a58f675d7555fe7bb5038dadeede
|
|
Introduce profile to configure l2 gateway Neutron
service plugin.
Implements: blueprint l2gw-service-integration
Change-Id: I01a8afdc51b2a077be1bbc7855892f68756e1fd3
Signed-off-by: Peng Liu <pliu@redhat.com>
|
|
Create a tripleo profile for the bigswitch neutron agent configuration
to be consumed by THT.
Change-Id: I7a8f7f73c9c8446e21c16a5c378bd7e0f0a4c94e
Partial-Bug: #1674791
|
|
This commit conditionally includes messaging amqp class for the
oslo.messaging AMQP 1.0 driver to support notifications.
This patch:
* include keystone::messaging::amqp class for oslo_messaging_amqp opts
Change-Id: I8eb23a21d2499795c3a76ae3197bda7773165a8c
|
|
Previously ODL was restricted to only running on the first node in an
tripleO HA deployment. This patches enables clustering for ODL and
allows multiple ODL instances (minimum 3 for HA).
Partially-implements: blueprint opendaylight-ha
Change-Id: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31
Signed-off-by: Tim Rozet <trozet@redhat.com>
|