aboutsummaryrefslogtreecommitdiffstats
path: root/spec/classes
AgeCommit message (Collapse)AuthorFilesLines
2017-03-06Add docker profileSteven Hardy1-0/+68
This configures the docker service on the host, as an alternative to the firstboot script in docker/firstboot/setup_docker_host.sh Doing this via puppet will enable easier integration with e.g the multinode jobs where no firstboot scripts run, and also enables a better error path in the event the service fails to start Co-Authored-By: Alex Schultz <aschultz@redhat.com> Change-Id: Id8add1e8a0ecaedb7d8a7dc9ba3747c1ac3b8eea
2017-02-28Merge "Default neutron dhcp_agents_per_network to number of agents"Jenkins1-0/+76
2017-02-27Default neutron dhcp_agents_per_network to number of agentsBrent Eagles1-0/+76
This patch will set neutron's dhcp_agents_per_network equal to the number of deployed neutron DHCP agents unless otherwise explicitly set. Partial-bug: #1632721 Change-Id: I5533e42c5ba9f72cc70d80489a07e30ee2341198
2017-02-25Add ceilometer polling agent profilePradeep Kilambi1-0/+72
Ceilometer central, compute and ipmi agent classes are deprecated. Instead we should be using polling agent with relevant namespace. Closes-bug: #1662685 Change-Id: I1ee50124bf8936e12414f984e1bcd4545d92e953
2017-02-21Configure authtoken in Nova PlacementDan Prince3-0/+196
The Nova Placement API's configuration currently relies on the nova-api profile for its keystone authtoken configuration. This means that Nova Placement would fail if it got installed on an isolated node or docker container (this currently breaks TripleO's deployment of placement via docker). This patch creates a new authtoken profile and calls it via the api and placement roles. Change-Id: I7b38ab6ba5cae41689ac500d97dec4d09c73d387 Co-Authored-By: Alex Schultz <aschultz@redhat.com>
2017-02-17Use rpc and notify transport_url for oslo_messaging backendsAndrew Smith28-75/+90
This commit adds the transport_url for specifying the oslo.messaging rpc and notify transport schemes. The rpc or notification backend can be one of rabbit, amqp, zmq, etc. Oslo.messaging is deprecating the host, port and auth configuration options. All drivers will get the options via the transport_url. This patch: * Adds transport_url to base services * Updates the corresponding specs * Adds to default hierdata Depends-On: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40 Change-Id: Iea5607dbb3ee6b1dd50acc1395de52dc920aa915
2017-02-15Merge "Make quotes consistent to match the sample config"Jenkins1-14/+14
2017-02-14Make quotes consistent to match the sample configMikeG4511-14/+14
Per project conventions, should use single quotes. Also, update comments and defaults to match sample. Change-Id: I82ddcec230e7a03965d753db60968912b8d7da5c Closes-Bug: #1663624
2017-02-13nova: move placement credentials config at step 3Emilien Macchi1-0/+4
nova placement credentials in nova.conf need to be configured at step 3 so Nova services can use them as soon as they start. Change-Id: I0abdd305b7e6c8d83f23e25b3872e98eb56dd299
2017-02-11Merge "nova/api: more cleanup"Jenkins1-11/+29
2017-02-10Merge "Add module to support ScaleIO backend in Cinder"Jenkins1-0/+58
2017-02-10Merge "Rebranding of Eqlx to Dell EMC PS Series"Jenkins2-15/+15
2017-02-10nova/api: more cleanupEmilien Macchi1-11/+29
- transform nova_api_wsgi_enabled in a parameter - update rspec tests - fix TLS to run at step 1 Change-Id: I4d3f9c92f0717ae8c3bc8d71065fab281de82008
2017-02-09Run nova-cell_v2-discover_hosts at step 5Emilien Macchi1-2/+2
We need to run nova-cell_v2-discover_hosts at the very end of the deployment because nova database needs to be aware of all registred compute hosts. 1. Move keystone resources management at step 3. 2. Move nova-compute service at step 4. 3. Move nova-placement-api at step 3. 5. Run nova-cell_v2-discover_hosts at step 5 on one nova-api node. 6. Run neutron-ovs-agent at step 5 to avoid racy deployments where it starts before neutron-server when doing HA deployments. With that change, we expect Nova aware of all compute services deployed in TripleO during an initial deployment. Depends-On: If943157b2b4afeb640919e77ef0214518e13ee15 Change-Id: I6f2df2a83a248fb5dc21c2bd56029eb45b66ceae Related-Bug: #1663273 Related-Bug: #1663458
2017-02-09Add module to support ScaleIO backend in CinderGiulio Fidente1-0/+58
Also adds an initial spec file for basic testing of the module. Change-Id: I5534aab53b70de215336a076d25263c73b8d7b5b Partial-Bug: #1661316
2017-02-09Rebranding of Eqlx to Dell EMC PS Seriesrajinir2-15/+15
This changes rebrands Dell Eqlx to Dell PS series and matches the tripleo-heat-templates. Change-Id: I3536147a06b426ace18cf415e99361c47b4cf5d9
2017-02-09start nova-compute when keystone resources are createdEmilien Macchi1-4/+4
1. Move keystone resources management at step 4. 2. Move nova-compute startup at step 5. That way, we make sure nova-compute will start when all Keystone resources are ready. Change-Id: I6e153e11b8519254d2a67b9142bf774a25bce69d Closes-Bug: #1663273
2017-02-08Disable midonet unit testsEmilien Macchi1-58/+0
'https://github.com/midonet/puppet-midonet' doesn't exist anymore, we need to migrate to 'https://github.com/openstack/puppet-midonet' but tests will fail. We need to work with Midokura to get them fixed. In the meantime, let's disable it. Change-Id: Id39bc5a8cd229df3e9b597a0a0f3eada838f4953
2017-02-07Merge "Proxy API endpoints that UI uses"Jenkins1-21/+43
2017-02-06Stop deploying Nova API in WSGI with ApacheEmilien Macchi1-4/+4
It was suggested by Nova team to not deploying Nova API in WSGI with Apache in production. It's causing some issues that we didn't catch until now (see in the bug report). Until we figure out what was wrong, let's disable it so we can move forward in the upgrade process. Related-Bug: 1661360 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
2017-02-03Proxy API endpoints that UI usesDan Trainor1-21/+43
Add support to enable the UI to use paths via mod_proxy to access API endpoints instead of connecting to each endpoint directly on a port other than where the UI is served from. This is necessary to prevent certificate acceptance errors from non-Chrome browsers which take exception to connections made to other ports on the same hostname, using one SSL certificate. This change extends the UI's Apache configuration to create one mod_proxy location for each of the API endpoints that UI calls upon. These mod_proxy (using ProxyPass, ProxyPassReverse) endpoints are configured using new heira variables provided in the dependent commit. Additionally, this change modifies the default UI configuration file to include endpoint URLs formatted to use the new endpoint paths that are created. Removed puppet variables which were previously used to generate the contents of the tripleo_ui_config.js template, since they are no longer used to generate this file, replaced with the new endpoint URLs formatted to use the new endpoint paths that are created. Change-Id: I55e375ad462fa98e181277ec0bd88658e620e8ad Implements: blueprint proxy-undercloud-api-services Depends-On: Ib20f4b0891563ae90ec80675635a64c39bd2fdb7
2017-01-31Fix test failure caused by change to puppet-octaviaBrent Eagles1-0/+3
Fixes a test failure caused by Ic38d4f9f9a8e69ffcee6ccc4bba9a9ab0f161d0e which pulls in a class with a required parameter. Change-Id: I0740290bff0ea7c4af6e3420775ac3e72871d372
2017-01-27nova: deploy basic setup for cellsEmilien Macchi1-5/+2
it's not required in Ocata, let's configure the basic setup for cells. note: it also cleanup old code that is not valid anymore. Change-Id: Iac5b2fbe1b03ec7ad4cb8cab2c7694547be6957d
2017-01-23Merge "Add Ceph RBD mirror Pacemaker profile"Jenkins1-0/+64
2017-01-20Merge "cinder: move glance params into common"Jenkins2-4/+6
2017-01-19cinder: move glance params into commonEmilien Macchi2-4/+6
glance params are also used by cinder-volume. This patch aims to use cinder::glance in common roles for cinder, so we can split cinder api and cinder volume. Depends-On: Id81c029318016068481dd614ed62cc4bfaf0f3e8 Change-Id: I9703efb38c2a3166c7f21c5c1b942f33abb9e76c
2017-01-19Add base profile for Octavia servicesbeagles2-0/+254
Adds initial base profile and profile for API service. Partially-implements: blueprint octavia-service-integration Change-Id: I77783029797be4fb488c6e743c51d228eba9c474
2017-01-18Merge "Remove legacy flag and use composable interface"Jenkins1-14/+2
2017-01-18Add Ceph RBD mirror Pacemaker profileGiulio Fidente1-0/+64
This change adds a profile for the Ceph RBD mirror service, which should be managed by Pacemaker to make sure there is always a single instance running. Change-Id: Ic63dc5cffece38942d305f538f71dd58a5d50789 Partial-Bug: #1652177
2017-01-18Remove legacy flag and use composable interfacePradeep Kilambi1-14/+2
We dont need this flag anymore as we will disable api using composable interface instead. See I67900f7e6816212831aea8ed18f323652857fbd3 Closes-bug: #1656364 Change-Id: Ib6aea02bde6ad7e5223336579f0a99d6cd3ee98f
2017-01-14nova: disable ::nova::db::sync_cell_v2Emilien Macchi1-3/+5
This feature is broken for us now and there is work in progress in Nova to improve nova cell deployment. Until it's fixed upstream, we need to disable cells deployment for now, so we can promote our CI. Change-Id: I379ba9e94a92ed225a03a67fc975b542447a9c8b Related-Bug: #1649341
2017-01-10Merge "Rspec tests for nova profiles"Jenkins10-0/+791
2017-01-09Rspec tests for nova profilesAlex Schultz10-0/+791
This change fixes the hiera calls in the base nova profile to use the parameter rather than continue to call hiera. Additionally this change includes basic test coverage for the various nova profiles. Change-Id: If393606eeb3c39ed3a2655bd89c5c276a9cf106e
2017-01-09Add support for not using admin_token in Ceph/RGWKeith Schincke1-0/+11
This patch add the option for using Keyston V3 authention with the Ceph/RGW service instead of using the admin_token Change-Id: I42861afcac221478dcb68be13b6dbc2533a7f158
2017-01-05firewall: add IPv6 supportEmilien Macchi1-13/+57
This patch adds support for ip6tables rules in TripleO, in a intuitive and flexible fashion. 1) Default firewal rules 'source' parameter to undef. It was 0.0.0.0/0 before but now undef, so we don't need complex logic to support ipv6 rules. undef will create empty source, which is the same as 0.0.0.0/0 or ::/0. 2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules. 3) Automatically create IPv6 rules like it's for IPv4. 4) Only create rules that can be created, depending on source/destination ip version. This patch should be backward compatible and adds a layer of security for IPv6 deployments. If previous deployments were manually creating Ipv6 rules, it's possible that this patch will override them. Our framework is able to configure any rule, so it shouldn't be a problem for upgrades. Co-Authored-By: Ben Nemec <bnemec@redhat.com> Closes-Bug: #1654050 Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
2017-01-04Adds a profile for the Ceph MDS serviceGiulio Fidente1-0/+59
This change adds a profile to deploy the Ceph MDS service and some basic unit tests for it. Depends-On: I558b43deaa9b243c54f3d7ae945f11dd4925eb5d Change-Id: Iaecc3ff7acb851776c5057c42a5a513a70425d2c Partial-Bug: #1644784
2017-01-04Merge "Adds ability to populate SSH Banner text"Jenkins1-0/+30
2016-12-22[CVE-2016-9599] Enforce Firewall TCP / UDP rules managementEmilien Macchi1-2/+15
This closes CVE-2016-9599. 1) Sanitize dynamic HAproxy endpoints firewall rules Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepare the hash depending on the service_port and public_ssl_port parameters and create the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified. 2) Secure Firewall rules creations The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why. Example of use-cases: - creating VRRP rules wouldn't require port parameters. - creating TCP or UDP rules would require port parameters. 3) Allow to open all traffic for TCO / UDP (when desired) Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule. Backward compatibility: - if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purpose. - if you users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure. - if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created. - TCP / UDP rules in FORWARD chain without port are still accepted. Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59 Closes-Bug: #1651831
2016-12-21Adds ability to populate SSH Banner textLuke Hinds1-0/+30
A puppet manifest to allow the toggle of 'Banner' in sshd_config and enable population of an SSH login banner needed for security compliance such as DISA STIG If `Bannertext` is set as a parameter, the `Banner` key within sshd_config is toggled to `/etc/issue` and the content is copied into the `/etc/issue` file Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e Closes-Bug: #1640306
2016-12-19Merge "Disable legacy ceilometer api by default"Jenkins1-2/+14
2016-12-17Merge "Add tripleo::ui rspec tests"Jenkins1-0/+99
2016-12-09Disable legacy ceilometer api by defaultPradeep Kilambi1-2/+14
Ceilometer api is deprectaed in Ocata. Lets disable by default. This can still be enabled by setting enable_legacy_ceilometer_api param. Change-Id: Iffb8c2cfed53d8b29e777c35cee44921194239e9
2016-12-09Merge "Add cinder profile spec tests"Jenkins13-0/+1084
2016-12-09Merge "Delete MidoNet deprecated classes and their tests"Jenkins3-216/+0
2016-12-07Delete MidoNet deprecated classes and their testsAlejandro Andreu3-216/+0
MidoNet no longer uses the API component. It has been renamed/refactored to "cluster" as it can be seen on the docs at https://blog.midonet.org/introducing-midonet-cluster-services/ Also there is no need to have a Cassandra and Zookeeper dedicated classes, as we leverage this through the use of the midonet_openstack puppet module. Change-Id: I2f17aeeac2d1b121be0d445ff555320d5af5d270 Partial-Bug: #1647302
2016-12-06Add tripleo::ui rspec testsAlex Schultz1-0/+99
Change-Id: I2eb5b84dbeedde58153bceb707fd15cce8f03d5e
2016-12-05Add cinder profile spec testsAlex Schultz13-0/+1084
This change adds rspec testing for the cinder profiles with in puppet-tripleo. Additionally while testing, it was found that the backends may incorrectly have an extra , included in the settings for cinder volume when running puppet 3. This change includes a fix the cinder volume backends to make sure we are not improperly configuring it with a trailing comma. Change-Id: Ibdfee330413b6f9aecdf42a5508c21126fc05973
2016-11-28Use FQDNs for the services' RabbitMQ configurationJuan Antonio Osorio Robles9-10/+10
This replaces the services' IP-based RabbitMQ configuration and uses FQDNs instead. Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
2016-11-25Merge "Do not configure state matching when using GRE"Jenkins1-1/+3
2016-11-24Do not configure state matching when using GREBrent Eagles1-1/+3
The firewall rule quite reasonably sets up a default state matching rule but this is invalid for GRE. This patch conditionally adds the state matching if the protocol is not GRE. Closes-Bug: #1644360 Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7