path: root/spec/classes
Age | Commit message | Author | Files | Lines
2017-06-08 | Merge "Add polkit rule to allow kolla nova user access to libvirtd socket on docker host" | Jenkins | 1 | -0/+79
2017-06-08 | Move tripleo::certmonger::httpd to defines folder and fix suffix | Juan Antonio Osorio Robles | 1 | -63/+0
It's a define, not a class. And it also needs the _spec suffix. Change-Id: Ie5e0cf81d03379d8b791fd77a5c78d12048ebfef
2017-06-08 | Add _spec suffix to class spec tests | Juan Antonio Osorio Robles | 5 | -0/+0
Some of them didn't have it. So I added it to them for uniformity. Change-Id: I2ea57d0ecfe151f9a14db9f7722a26f09aa8a506
2017-06-06 | Add polkit rule to allow kolla nova user access to libvirtd socket on docker host | Oliver Walsh | 1 | -0/+79
The polkit rules are currently evaluated in the context of the docker host. As a result the check fails for the kolla nova compute user, as the uids are not consistent with the host uids (in fact we probably can't assume a nova user exists on the docker host). As a short-term workaround a 'docker_nova' user group is created on the docker host and the polkit rule is updated to grant this user access to the libvirtd socket. Longer term solution probably requires running polkitd in a container too. Change-Id: I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Related-bug: #1693844
2017-06-05 | Add novajoin profile | Juan Antonio Osorio Robles | 1 | -0/+126
This is needed in order to deploy novajoin in a containerized undercloud environment. Change-Id: Iea461f66b8f4e3b01a0498e566a2c3684144df80
2017-05-24 | Move ceilometer upgrade step out of base | Pradeep Kilambi | 1 | -24/+0
ceilometer-upgrade should only run on controller nodes. Since it's currently in base profile, it gets triggered on compute as well. So instead split out the upgrade into its own and include when we deploy notification and central agents instead. Change-Id: I2910e8aa5da7fded4cf94b57fb0a14fefd88adbe Closes-bug: #1693339
2017-05-19 | Merge "Switch to overlay2 driver for storage" | Jenkins | 1 | -2/+57
2017-05-19 | Switch to overlay2 driver for storage | Dan Prince | 1 | -2/+57
This patch switches the default to the overlay2 storage driver to see if it helps performance. Background: The loopback driver is not recommended for production. Most other docker storage backends require extra disks (or partitions) which we don't have on the root disk. Overlay seems to make the most sense for TripleO upgrades where we intend to update in-place installations to use docker. Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
2017-05-18 | Merge "Handle duplicate/invalid entries in migration SSH inbound addresses" | Jenkins | 1 | -0/+102
2017-05-18 | Merge "Disable SSH login for nova_migration user when migration over ssh is disabled." | Jenkins | 1 | -11/+49
2017-05-13 | vhostuser socket dir shall be created for vhostuserclient mode | Karthik S | 1 | -0/+73
In order to support vhostuser client mode, a vhostuser_socket_dir needs to be created with qemu:qemu g+w permissions. Closes-Bug: #1675690 Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com> Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8 Signed-off-by: Karthik S <ksundara@redhat.com>
2017-05-05 | Handle duplicate/invalid entries in migration SSH inbound addresses | Oliver Walsh | 1 | -0/+102
An error (e.g. a typo) in a custom tripleo-heat-templates environment file could lead to an invalid match block in /etc/ssh/sshd_config. SSH fails-safe and refuses all logins in this case. This change validates the migration_ssh_localaddrs parameter is an array of IP addresses and removes any duplicate entries. Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25 Closes-Bug: #1688308
2017-05-05 | Disable SSH login for nova_migration user when migration over ssh is disabled. | Oliver Walsh | 1 | -11/+49
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary. Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3 Closes-Bug: #1688321
2017-05-03 | Restrict nova migration ssh tunnel | Oliver Walsh | 1 | -10/+159
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.
Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-04-25 | Merge "Enable internal network TLS for etcd" | Jenkins | 1 | -0/+60
2017-04-21 | Move ceilometer upgrade re-run out of collector | Pradeep Kilambi | 2 | -26/+25
Since collector is deprecated, let's move this out of collector.pp so it gets run and resource types are created appropriately even when collector is not included. Closes-bug: #1676961 Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
2017-04-21 | Merge "Cover gnocchi api step 4 and 5" | Jenkins | 1 | -30/+79
2017-04-19 | Refactor SSHD config to allow both SSHD options and banner/motd to be set | Oliver Walsh | 1 | -1/+117
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd are mutually exclusive. This patch, and the next patchset of that review, resolves the conflict. Related-Bug: 1668543 Change-Id: I1d09530d69e42c0c36311789166554a889e46556
2017-04-19 | Cover gnocchi api step 4 and 5 | Alex Schultz | 1 | -30/+79
Update the gnocchi api to expose the redis information as a class parameter so it can be tested correctly. Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
2017-04-19 | Merge "Create bigswitch agent profile" | Jenkins | 1 | -0/+48
2017-04-15 | Merge "Move ceilometer wsgi to step 3" | Jenkins | 1 | -4/+4
2017-04-15 | Merge "Move gnocchi wsgi configuration to step 3" | Jenkins | 1 | -0/+101
2017-04-12 | Move gnocchi wsgi configuration to step 3 | Alex Schultz | 1 | -0/+101
We configure apache in step3 so we need to configure the gnocchi api in step 3 as well to prevent unnecessary service restarts during updates. Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be Related-Bug: #1664418
2017-04-12 | Move ceilometer wsgi to step 3 | Alex Schultz | 1 | -4/+4
Apache is configured in step 3 so if we configure ceilometer in step 4, the configuration is removed on updates. We need to configure it in step 3 with the other apache services to ensure we don't have issues on updates. Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423 Related-Bug: #1664418
2017-04-12 | Enable internal network TLS for etcd | Feng Pan | 1 | -0/+60
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-11 | Stop SSHD profile clobbering SSH client config | Oliver Walsh | 1 | -1/+1
Including the ::ssh manifest will manage both client and server config. Managing the client config was not intended and will clobber the OS default config with the puppet ssh module defaults. Follow up for https://review.openstack.org/443113 where I found the issue after the changes merged. Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5 Related-Bug: 1668543
2017-04-08 | Add registry_mirror to base::docker profile | Dan Prince | 1 | -0/+15
This patch adds a new registry_mirror option to help configure /etc/docker/daemon.json so that we can make use of HTTP docker mirrors within upstream TripleO CI (infra). Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
2017-04-07 | Merge "Composable services support for Cinder Pure Storage FlashArray" | Jenkins | 2 | -8/+88
2017-04-05 | Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo | Christian Schwede | 1 | -0/+65
This allows decoupling the Swift ringbuilding logic from the Controller and ObjectStorage roles. A follow up patch will modify tripleo-heat-templates and use this modified class. Actually this downloads the Swift rings even if ring building is disabled or if there is no need to rebalance. This is required, because operators can disable ring building, but use the same mechanism to distribute pre-built rings to the nodes. If ring building is disabled, these won't be uploaded at the end back to the undercloud. Related-Bug: 1665641 Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
2017-04-05 | Merge "SSHD Service extensions" | Jenkins | 1 | -8/+54
2017-04-04 | Merge "Configure migration SSH tunnel" | Jenkins | 1 | -2/+116
2017-04-04 | SSHD Service extensions | lhinds | 1 | -8/+54
This change adds an `include` statement to bring in the extra functionality available from the existing puppet-ssh module already available in RDO. By using puppet-ssh it provides a framework to allow the passing in of server options using just hiera values under ssh::server_options. For example, sshd_config banner can now be passed a server option, as well as all the new parameters outlined in the launchpad issue that the patch references for Closing. For this reason, the former augeas setting for `Banner /etc/issue` is now managed by the main puppet-ssh module instead. The change also allows population of MOTD text to `/etc/motd` as well as `issue.net`. $bannertext is refactored in accordance with patch [1] [1] https://review.openstack.org/#/c/442406/ Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c Closes-Bug: 1668543
2017-04-03 | Composable services support for Cinder Pure Storage FlashArray | Simon Dodsley | 2 | -8/+88
Added the heat templates for Cinder Pure Storage FlashArray backend to use composable services Change-Id: I6f46f45a3af394de85672261c7d72ddc492a07b2
2017-04-03 | Configure migration SSH tunnel | Oliver Walsh | 1 | -2/+116
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
2017-04-03 | Deploy WSGI apps at the same step (3) | Emilien Macchi | 1 | -4/+4
So we avoid useless apache restart and save time during the deployment. Related-Bug: #1664418 Change-Id: Ie00b717a6741e215e59d219710154f0d2ce6b39e
2017-04-02 | Move horizon to step 3 | Alex Schultz | 1 | -0/+57
We configure apache in step 3 so horizon should be configured at the same time or else updates will cause horizon to be unavailable during the update process. Change-Id: I4032f7c24edc0ff9ed637e213870cdd3beb9a54e Closes-Bug: #1678338
2017-03-30 | Merge "Tuned should be configured properly" | Jenkins | 1 | -0/+44
2017-03-30 | Merge "Adds service for managing securetty" | Jenkins | 1 | -0/+72
2017-03-29 | Adds service for managing securetty | lhinds | 1 | -0/+72
This adds the ability to manage the securetty file. By allowing management of securetty, operators can limit root console access and improve security through hardening. Change-Id: Ic4647fb823bd112648c5b8d102913baa8b4dac1c Closes-Bug: #1665042
2017-03-27 | Re-run gnocchi and ceilometer upgrade in step 5 | Pradeep Kilambi | 1 | -0/+26
Without this gnocchi resource types are not created as they are skipped initially and the resources from ceilometer won't make it to gnocchi. Closes-bug: #1674421 Depends-On: I753f37e121b95813e345f200ad3f3e75ec4bd7e1 Change-Id: Ib45bf1b3e526a58f675d7555fe7bb5038dadeede
2017-03-26 | Remove certificate request bits from service profiles | Juan Antonio Osorio Robles | 1 | -4/+0
This is now the job of the certmonger_user profile. So these bits are not needed anymore in the service profiles. Change-Id: Iaa3137d7d13d5e707f587d3905a5a32598c08800 Depends-On: Ibf58dfd7d783090e927de6629e487f968f7e05b6
2017-03-23 | Ensure iscsi-initiator-utils installed | Alex Schultz | 1 | -0/+3
We attempt to use iscsi-iname in an exec for our nova compute profile but we do not ensure that the package providing this command is installed. This change adds the package definition for iscsi-initiator-utils to ensure it is installed before trying to use iscsi-iname. Change-Id: I1bfdb68170931fd05a09859cf8eefb50ed20915d Closes-Bug: #1675462
2017-03-21 | Create bigswitch agent profile | Alex Schultz | 1 | -0/+48
Create a tripleo profile for the bigswitch neutron agent configuration to be consumed by THT. Change-Id: I7a8f7f73c9c8446e21c16a5c378bd7e0f0a4c94e Partial-Bug: #1674791
2017-03-16 | Enables OpenDaylight Clustering in HA deployments | Tim Rozet | 1 | -0/+88
Previously ODL was restricted to only running on the first node in a tripleO HA deployment. This patch enables clustering for ODL and allows multiple ODL instances (minimum 3 for HA). Partially-implements: blueprint opendaylight-ha Change-Id: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-16 | Merge "Add spec tests for tripleo::certmonger::mysql class" | Jenkins | 1 | -0/+64
2017-03-16 | Merge "Add spec tests for tripleo::certmonger::ca::local class" | Jenkins | 1 | -0/+46
2017-03-16 | Add spec tests for tripleo::certmonger::ca::local class | Juan Antonio Osorio Robles | 1 | -0/+46
Change-Id: I81e0850777f1498ba9b7a213ba02819847a40786
2017-03-16 | Add spec tests for tripleo::certmonger::mysql class | Juan Antonio Osorio Robles | 1 | -0/+64
Change-Id: I81b0b8b54a034817f5791ff7e29f1a3065902642
2017-03-16 | Add spec test for tripleo::certmonger::httpd resource | Juan Antonio Osorio Robles | 1 | -0/+63
Change-Id: Ia002aced6de474022d4aa4e9e3d7d5ee7c31a2b0
2017-03-13 | Fixes issues with raising mysql file limit | Tim Rozet | 1 | -0/+75
Changes Include:
- Adds spec testing
- Only raise limits if nonha. puppet-systemd will restart the mariadb service which breaks ha deployments. Hence we only want to do this in noha.
- Minor fix to hiera value referenced not as parameter to mysql.pp
Partial-Bug: #1648181 Related-Bug: #1524809 Co-Authored By: Feng Pan <fpan@redhat.com> Change-Id: Id063bf4b4ac229181b01f40965811cb8ac4230d5 Signed-off-by: Tim Rozet <trozet@redhat.com> Signed-off-by: Feng Pan <fpan@redhat.com>