| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The latest version of puppet now require the class dependencies included
in the unit tests.
Change-Id: I0b6462f697f2d8012f8a785660c004f3efb13fdc
|
|
|
|
This change defaults --iptables=false for dockerd to avoid
having Docker create its own FORWARD iptables rules. These
rules can interact with normal OS networking rules and disable
communications between hosts on reboot.
Change-Id: I875fa14f7d810c7f0aba3b3a1b04b60a19470f0f
Closes-bug: #1708279
|
|
The default (on RHEL/CentOS) is to use polkit but this is only useful
for GUI support or for fine grained API access control. As we don't
require either we can achieve identical control using plain old unix
filesystem permissions.
I've merged Sven's changes from https://review.openstack.org/484979
and https://review.openstack.org/487150.
As we need to be careful with the libvirtd option quoting I think it's
best to do this in puppet-tripleo instead of t-h-t yaml.
The option to override the settings from t-h-t remains.
Co-Authored-By: Sven Anderson <sven@redhat.com>
Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6
Closes-bug: 1696504
Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2
Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
|
|
|
|
This creates a new class for the stats interface and furtherly
configures it to also use the certificates that are provided by
certmonger (via the internal_certificates_specs variable).
Note that the already existing haproxy_stats_certificate still works and
will take precedence if it's set.
bp tls-via-certmonger
Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
|
|
This changes adds Dell EMC Unity backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I015f7dfec4bedf72332d91b91cda3ef1dc8caf8c
|
|
The unit tests jobs are failing because of missing pre conditions for
the new shared class introduced by
Ib233689fdcdda391596d01a21f77bd8e1672ae04. Additionally this change
moved some classes around so that the tests are now failing due to
duplicate class declarations for nova::compute::libvirt::services. This
change moves the include that pulls in the declaration first prior to
the include that exists in tripleo::profile::base::nova::libvirt.
The selinux test was also failing due to a type issue with the fact
being used (boolean vs string)
Change-Id: I5bd4b61d6008820729d58f7743e7e61955dd6f51
Closes-Bug: #1707034
|
|
puppet support for this is added in Id8d4d091da2611de75390e045ebd473caf2a8909
Change-Id: I3354b54571a1b9d0a9187698217628d273cd7d7e
|
|
Previously we had used an exec defined in puppet-tripleo to do
clustering with OpenDaylight docker containers. The clustering issue is
now fixed in puppet-opendaylight by:
https://git.opendaylight.org/gerrit/#/c/60491
So removing the custom function and class workaround. Also,
'ha_node_index' is deprecated for configuring clustering with
puppet-opendaylight so that is also removed.
Depends-On: I21c1eb2eff6d4cb855eff4a1122f55ad625d84cc
Change-Id: I7693b692c74071945fdcc08292542e9b458a540b
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
|
|
|
|
For multi-node deployments of the dispatch router, a mesh of
inter-router links is created. Note that bi-directional links must
not be configured.
Example: For nodes A, B, C
Node Inter-Router Link
A: []
B: [A]
C: [A,B]
Change-Id: If43beea7a53c1f8f1dff062341c7ea81751c3122
|
|
The latest version of puppet now reports these as catalog failures so
this change removes the unnecessary references and the references
should be updated.
Closes-Bug: #1702964
Change-Id: Iebc547aa92f9f40e4a633c57d79e6c9cddb5dd28
|
|
|
|
Add new hook in the keystone profile for Veritas HyperScale.
Add new hook in the rabbitmq profile for Veritas HyperScale.
Add new hook in the mysql profile for Veritas HyperScale.
Change-Id: I9168bffa5c73a205d1bb84b831b06081c40af549
Depends-On: I316b22f4f7f9f68fe5c46075dc348a70e437fb1d
Depends-On: Id188af5e2f7bf628a97a70b8f20bef28e42b372d
Signed-off-by: abhishek.kane <abhishek.kane@veritas.com>
Signed-off-by: Dnyaneshwar Pawar <dnyaneshwar.pawar@veritas.com>
|
|
|
|
This is set via all_nodes_config in t-h-t, but it's a special case for
this service, so it'll be better if we handle the ipv6 transformation
in puppet instead of relying on the service specific list mangling in
t-h-t (one aspect of which has been identified as a potential performance
problem).
Related-Bug: #1684272
Change-Id: Iccb9089db4b382db3adb9340f18f6d2364ca7f58
|
|
|
|
|
|
This currently assumes nova-compute and iscsid run in the same context which
isn't true for a containerized deployment
Change-Id: I91f1ce7625c351745dbadd84b565d55598ea5b59
|
|
The nova migration config has always been applied by the base::nova profile.
It assumed that libvirtd/nova-compute and are all running on the
same host.
Where this config didn't apply (e.g a nova api host) it was disabled by a flag.
This approach is not compatible with containers. Hieradata for all containers
are combined so per-host flags no longer work, and we can no longer assume
libvirtd and nova-compute run in the same context.
This change refactors the profiles out of the base nova profile and into
a client profile and a target profile that can be included where appropriate.
Change-Id: I063a84a8e6da64ae3b09125cfa42e48df69adc12
Implements: blueprint tripleo-cold-migration
|
|
Fixes a problem where SR-IOV VF count configuration will fail if a
physical function is in use by a guest when 'puppet apply' is executed.
This change substitutes warnings for failures and skips complaints if a
PCI device is unavailable.
Note: this patch has the side-effect of allowing the same configuration
data on hosts that may *not* or *ever* have PCI SR-IOV devices on the
hardware. Time will tell how evil this is in practice.
Closes-Bug: #1701284
Change-Id: I71edc135432ab2193741c37ce977dd11172401e6
|
|
|
|
Disabling udev usage from LVM seems to be the only observed working
way of running containerized cinder-volume with local LVM backend.
I didn't come across reports that not using udev would have negative
impact on the functionality.
Additional info at
https://groups.google.com/forum/#!topic/docker-user/n4Xtvsb4RAw
Change-Id: I1bf395a6228dba66fa6bf9b8bcc9f3ac3d922a49
Related-Bug: #1700140
|
|
Use augeas to modify only parameters' dedicated configuration.
Split options from insecure registry. Overlapping those params may
unschedule the docker service restarts for some cases, ending up with
a split brain state for the docker service run-time config vs changed
/etc/sysconfig/options config.
Change-Id: Ic5640061837b022f7175f0db0dc269f9a61e6023
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
Puppet wipes out whatever is not in it's resource catalog each run for
httpd. This causes httpd to restart if in the next step there are
reasources added that were not there earlier.
This patch, thus changes the instances of httpd to start at the same
time: On step 3 for the bootstrap node, and on step 4 for every other
node.
Closes-Bug: #1699502
Change-Id: I3d29728c1ab7bd5b78100f89e00e5fa082f97b0c
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
|
|
|
|
Ignore failures if nf_conntrack_proto_sctp module failed to load.
Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the
kernel instead of as a module as the sctp support.
TripleO will still try to load the module to support RHEL 7.3, but
in the future will remove the module management and rely on the kernel
provided in newer versions of RHEL.
Co-Authored-By: Or Idgar <oidgar@redhat.com>
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79
Closes-Bug: 1695885
|
|
Allows configurability of maxconn as applies to
the MySQL section of the HAProxy config, both
for clustercheck and single node.
Also adds a new test for the haproxy class
overall to exercise options.
Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
|
|
The bootstrap_nodeid comparison should be case insensitive.
Change-Id: I1e6672bb0219c1cf56ab21dd911c6f33e2436cc3
Closes-Bug: #1698190
|
|
gnocchi upgrade requires storage sacks to be initialized. This means
we need to ensure the storage backends are up before running the
upgrade and starting the api. Lets move the api to step 4 so we can
ensure other dependencies are in place.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: Ibfa9fb39f60c1e4a802d189b32ff4c34476c93d3
Change-Id: If2ae48b21389e76fd638c0b48c148a5d4f227630
|
|
|
|
|
|
This will fetch the CRL file from the specified file or URL. Furtherly
it will set up a cron job to refresh the crl file once a week and notify
the needed services.
bp tls-via-certmonger
Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
|
|
|
|
docker host"
|
|
It's a define, not a class. And it also needs the _spec suffix.
Change-Id: Ie5e0cf81d03379d8b791fd77a5c78d12048ebfef
|
|
Some of them didn't have it. So I added it to them for uniformity.
Change-Id: I2ea57d0ecfe151f9a14db9f7722a26f09aa8a506
|
|
host
The polkit rules are currently evaluated in the context of the docker host.
As a result the check fails for the kolla nova compute user, as the uids are not
consistent with the host uids (in fact we probably can't assume a nova user exists
on the docker host).
As a short-term workaround a 'docker_nova' user group is created on the docker host
and the polkit rule is updated to grant this user access to the libvirtd socket.
Longer term solution probably requires running polkitd in a container too.
Change-Id: I91be1f1eacf8eed9017bbfef393ee2d66771e8d6
Related-bug: #1693844
|
|
This is needed in order to deploy novajoin in a containerized undercloud
environment.
Change-Id: Iea461f66b8f4e3b01a0498e566a2c3684144df80
|
|
ceilometer-upgrade should only run on controller nodes.
Since its currently in base profile, it gets triggered
on compute as well. So instead split out the upgrade
into its own and include when we deploy notification
and central agents instead.
Change-Id: I2910e8aa5da7fded4cf94b57fb0a14fefd88adbe
Closes-bug: #1693339
|
|
|
|
This patch switches the default to the overlay2 storage driver and see
if it helps performance.
Background:
The loopback driver is not recommended for production. Most
other docker storage backends require extra disks (or partitions)
which we don't have on the root disk. Overlay seems to make the
most since for TripleO upgrades where we intend to update
in-place installations to use docker.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
|
|
|
|
disabled."
|
|
In order to support vhostuser client mode, a vhostuser_socket_dir
needs to be created with qemu:qemu g+w permissions.
Closes-Bug: #1675690
Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com>
Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8
Signed-off-by: Karthik S <ksundara@redhat.com>
|
|
An error (e.g a typo) in a custom tripleo-heat-templates environment
file could lead to an invalid match block in /etc/ssh/sshd_config.
SSH fails-safe and refuses all logins in this case.
This change validates the migration_ssh_localaddrs parameter is an
array of IP addresses and removes and duplicate entries.
Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #1688308
|
|
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
|
|
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
|
Emilien Macchi
Jenkins
Dan Prince
Oliver Walsh
Juan Antonio Osorio Robles
rajinir
Alex Schultz
Pradeep Kilambi
Tim Rozet
John Eckersberg
abhishek.kane
Steven Hardy
Brent Eagles
Jiri Stransky
Bogdan Dobrelya
Or Idgar
Mike Bayer
Karthik S