path: root/spec/classes
Age | Commit message | Author | Files | Lines
2017-07-12 | Merge "Refactor nova migration config into client & target profiles" | Jenkins | 7 | -423/+529
2017-07-12 | Merge "Do not fail if PCI device is missing" | Jenkins | 1 | -2/+2
2017-07-03 | Refactor nova migration config into client & target profiles | Oliver Walsh | 7 | -423/+529
The nova migration config has always been applied by the base::nova profile. It assumed that libvirtd/nova-compute and are all running on the same host. Where this config didn't apply (e.g a nova api host) it was disabled by a flag. This approach is not compatible with containers. Hieradata for all containers are combined so per-host flags no longer work, and we can no longer assume libvirtd and nova-compute run in the same context. This change refactors the profiles out of the base nova profile and into a client profile and a target profile that can be included where appropriate. Change-Id: I063a84a8e6da64ae3b09125cfa42e48df69adc12 Implements: blueprint tripleo-cold-migration
2017-06-29 | Do not fail if PCI device is missing | Brent Eagles | 1 | -2/+2
Fixes a problem where SR-IOV VF count configuration will fail if a physical function is in use by a guest when 'puppet apply' is executed. This change substitutes warnings for failures and skips complaints if a PCI device is unavailable. Note: this patch has the side-effect of allowing the same configuration data on hosts that may *not* or *ever* have PCI SR-IOV devices on the hardware. Time will tell how evil this is in practice. Closes-Bug: #1701284 Change-Id: I71edc135432ab2193741c37ce977dd11172401e6
2017-06-28 | Merge "Split docker options and insecure registry" | Jenkins | 1 | -6/+3
2017-06-27 | Split docker options and insecure registry | Bogdan Dobrelya | 1 | -6/+3
Use augeas to modify only parameters' dedicated configuration. Split options from insecure registry. Overlapping those params may unschedule the docker service restarts for some cases, ending up with a split brain state for the docker service run-time config vs changed /etc/sysconfig/options config. Change-Id: Ic5640061837b022f7175f0db0dc269f9a61e6023 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-06-27 | Always start httpd at the same time | Juan Antonio Osorio Robles | 4 | -7/+93
Puppet wipes out whatever is not in its resource catalog each run for httpd. This causes httpd to restart if in the next step there are resources added that were not there earlier. This patch, thus changes the instances of httpd to start at the same time: On step 3 for the bootstrap node, and on step 4 for every other node. Closes-Bug: #1699502 Change-Id: I3d29728c1ab7bd5b78100f89e00e5fa082f97b0c Co-Authored-By: Alex Schultz <aschultz@redhat.com>
2017-06-21 | Merge "Ignore failures when loading nf_conntrack_proto_sctp kernel module" | Jenkins | 1 | -0/+59
2017-06-20 | Ignore failures when loading nf_conntrack_proto_sctp kernel module | Or Idgar | 1 | -0/+59
Ignore failures if nf_conntrack_proto_sctp module failed to load. Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the kernel instead of as a module as the sctp support. TripleO will still try to load the module to support RHEL 7.3, but in the future will remove the module management and rely on the kernel provided in newer versions of RHEL. Co-Authored-By: Or Idgar <oidgar@redhat.com> Co-Authored-By: Alex Schultz <aschultz@redhat.com> Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79 Closes-Bug: 1695885
2017-06-20 | Add maxconn parameter to MySQL / HAProxy | Mike Bayer | 1 | -0/+115
Allows configurability of maxconn as applies to the MySQL section of the HAProxy config, both for clustercheck and single node. Also adds a new test for the haproxy class overall to exercise options. Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
2017-06-15 | Fix redis when hostname has capital letters | Alex Schultz | 1 | -0/+106
The bootstrap_nodeid comparison should be case insensitive. Change-Id: I1e6672bb0219c1cf56ab21dd911c6f33e2436cc3 Closes-Bug: #1698190
2017-06-15 | Move gnocchi upgrade and api to step 4 | Pradeep Kilambi | 1 | -20/+2
gnocchi upgrade requires storage sacks to be initialized. This means we need to ensure the storage backends are up before running the upgrade and starting the api. Let's move the api to step 4 so we can ensure other dependencies are in place. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: Ibfa9fb39f60c1e4a802d189b32ff4c34476c93d3 Change-Id: If2ae48b21389e76fd638c0b48c148a5d4f227630
2017-06-09 | Merge "Add resource to fetch CRL" | Jenkins | 1 | -0/+104
2017-06-08 | Merge "Move tripleo::certmonger::httpd to defines folder and fix suffix" | Jenkins | 1 | -63/+0
2017-06-08 | Add resource to fetch CRL | Juan Antonio Osorio Robles | 1 | -0/+104
This will fetch the CRL file from the specified file or URL. Furthermore, it will set up a cron job to refresh the crl file once a week and notify the needed services. bp tls-via-certmonger Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
2017-06-08 | Merge "Add _spec suffix to class spec tests" | Jenkins | 5 | -0/+0
2017-06-08 | Merge "Add polkit rule to allow kolla nova user access to libvirtd socket on docker host" | Jenkins | 1 | -0/+79
2017-06-08 | Move tripleo::certmonger::httpd to defines folder and fix suffix | Juan Antonio Osorio Robles | 1 | -63/+0
It's a define, not a class. And it also needs the _spec suffix. Change-Id: Ie5e0cf81d03379d8b791fd77a5c78d12048ebfef
2017-06-08 | Add _spec suffix to class spec tests | Juan Antonio Osorio Robles | 5 | -0/+0
Some of them didn't have it. So I added it to them for uniformity. Change-Id: I2ea57d0ecfe151f9a14db9f7722a26f09aa8a506
2017-06-06 | Add polkit rule to allow kolla nova user access to libvirtd socket on docker host | Oliver Walsh | 1 | -0/+79
The polkit rules are currently evaluated in the context of the docker host. As a result the check fails for the kolla nova compute user, as the uids are not consistent with the host uids (in fact we probably can't assume a nova user exists on the docker host). As a short-term workaround a 'docker_nova' user group is created on the docker host and the polkit rule is updated to grant this user access to the libvirtd socket. Longer term solution probably requires running polkitd in a container too. Change-Id: I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Related-bug: #1693844
2017-06-05 | Add novajoin profile | Juan Antonio Osorio Robles | 1 | -0/+126
This is needed in order to deploy novajoin in a containerized undercloud environment. Change-Id: Iea461f66b8f4e3b01a0498e566a2c3684144df80
2017-05-24 | Move ceilometer upgrade step out of base | Pradeep Kilambi | 1 | -24/+0
ceilometer-upgrade should only run on controller nodes. Since it's currently in base profile, it gets triggered on compute as well. So instead split out the upgrade into its own and include when we deploy notification and central agents instead. Change-Id: I2910e8aa5da7fded4cf94b57fb0a14fefd88adbe Closes-bug: #1693339
2017-05-19 | Merge "Switch to overlay2 driver for storage" | Jenkins | 1 | -2/+57
2017-05-19 | Switch to overlay2 driver for storage | Dan Prince | 1 | -2/+57
This patch switches the default to the overlay2 storage driver and see if it helps performance. Background: The loopback driver is not recommended for production. Most other docker storage backends require extra disks (or partitions) which we don't have on the root disk. Overlay seems to make the most sense for TripleO upgrades where we intend to update in-place installations to use docker. Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
2017-05-18 | Merge "Handle duplicate/invalid entries in migration SSH inbound addresses" | Jenkins | 1 | -0/+102
2017-05-18 | Merge "Disable SSH login for nova_migration user when migration over ssh is disabled." | Jenkins | 1 | -11/+49
2017-05-13 | vhostuser socket dir shall be created for vhostuserclient mode | Karthik S | 1 | -0/+73
In order to support vhostuser client mode, a vhostuser_socket_dir needs to be created with qemu:qemu g+w permissions. Closes-Bug: #1675690 Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com> Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8 Signed-off-by: Karthik S <ksundara@redhat.com>
2017-05-05 | Handle duplicate/invalid entries in migration SSH inbound addresses | Oliver Walsh | 1 | -0/+102
An error (e.g a typo) in a custom tripleo-heat-templates environment file could lead to an invalid match block in /etc/ssh/sshd_config. SSH fails-safe and refuses all logins in this case. This change validates the migration_ssh_localaddrs parameter is an array of IP addresses and removes any duplicate entries. Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25 Closes-Bug: #1688308
2017-05-05 | Disable SSH login for nova_migration user when migration over ssh is disabled. | Oliver Walsh | 1 | -11/+49
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary. Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3 Closes-Bug: #1688321
2017-05-03 | Restrict nova migration ssh tunnel | Oliver Walsh | 1 | -10/+159
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.
Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-04-25 | Merge "Enable internal network TLS for etcd" | Jenkins | 1 | -0/+60
2017-04-21 | Move ceilometer upgrade re-run out of collector | Pradeep Kilambi | 2 | -26/+25
Since collector is deprecated, let's move this out of collector.pp so it gets run and resource types are created appropriately even when collector is not included. Closes-bug: #1676961 Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
2017-04-21 | Merge "Cover gnocchi api step 4 and 5" | Jenkins | 1 | -30/+79
2017-04-19 | Refactor SSHD config to allow both SSHD options and banner/motd to be set | Oliver Walsh | 1 | -1/+117
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd are mutually exclusive. This patch, and the next patchset of that review, resolves the conflict. Related-Bug: 1668543 Change-Id: I1d09530d69e42c0c36311789166554a889e46556
2017-04-19 | Cover gnocchi api step 4 and 5 | Alex Schultz | 1 | -30/+79
Update the gnocchi api to expose the redis information as a class parameter so it can be tested correctly. Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
2017-04-19 | Merge "Create bigswitch agent profile" | Jenkins | 1 | -0/+48
2017-04-15 | Merge "Move ceilometer wsgi to step 3" | Jenkins | 1 | -4/+4
2017-04-15 | Merge "Move gnocchi wsgi configuration to step 3" | Jenkins | 1 | -0/+101
2017-04-12 | Move gnocchi wsgi configuration to step 3 | Alex Schultz | 1 | -0/+101
We configure apache in step3 so we need to configure the gnocchi api in step 3 as well to prevent unnecessary service restarts during updates. Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be Related-Bug: #1664418
2017-04-12 | Move ceilometer wsgi to step 3 | Alex Schultz | 1 | -4/+4
Apache is configured in step 3 so if we configure ceilometer in step 4, the configuration is removed on updates. We need to configure it in step 3 with the other apache services to ensure we don't have issues on updates. Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423 Related-Bug: #1664418
2017-04-12 | Enable internal network TLS for etcd | Feng Pan | 1 | -0/+60
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-11 | Stop SSHD profile clobbering SSH client config | Oliver Walsh | 1 | -1/+1
Including the ::ssh manifest will manage both client and server config. Managing the client config was not intended and will clobber the OS default config with the puppet ssh module defaults. Follow up for https://review.openstack.org/443113 where I found the issue after the changes merged. Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5 Related-Bug: 1668543
2017-04-08 | Add registry_mirror to base::docker profile | Dan Prince | 1 | -0/+15
This patch adds a new registry_mirror option to help configure /etc/docker/daemon.json so that we can make use of HTTP docker mirrors within upstream TripleO CI (infra). Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
2017-04-07 | Merge "Composable services support for Cinder Pure Storage FlashArray" | Jenkins | 2 | -8/+88
2017-04-05 | Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo | Christian Schwede | 1 | -0/+65
This allows decoupling the Swift ringbuilding logic from the Controller and ObjectStorage roles. A follow up patch will modify tripleo-heat-templates and use this modified class. Actually this downloads the Swift rings even if ring building is disabled or if there is no need to rebalance. This is required, because operators can disable ring building, but use the same mechanism to distribute pre-built rings to the nodes. If ring building is disabled, these won't be uploaded at the end back to the undercloud. Related-Bug: 1665641 Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
2017-04-05 | Merge "SSHD Service extensions" | Jenkins | 1 | -8/+54
2017-04-04 | Merge "Configure migration SSH tunnel" | Jenkins | 1 | -2/+116
2017-04-04 | SSHD Service extensions | lhinds | 1 | -8/+54
This change adds an `include` statement to bring in the extra functionality available from the existing puppet-ssh module already available in RDO. By using puppet-ssh it provides a framework to allow the passing in of server options using just hiera values under ssh::server_options. For example, sshd_config banner can now be passed a server option, as well as all the new parameters outlined in the launchpad issue that the patch references for Closing. For this reason, the former augeas setting for `Banner /etc/issue` is now managed by the main puppet-ssh module instead. The change also allows population of MOTD text to `/etc/motd` as well as `issue.net`. $bannertext is refactored in accordance with patch [1] [1] https://review.openstack.org/#/c/442406/ Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c Closes-Bug: 1668543
2017-04-03 | Composable services support for Cinder Pure Storage FlashArray | Simon Dodsley | 2 | -8/+88
Added the heat templates for Cinder Pure Storage FlashArray backend to use composable services Change-Id: I6f46f45a3af394de85672261c7d72ddc492a07b2
2017-04-03 | Configure migration SSH tunnel | Oliver Walsh | 1 | -2/+116
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec