summaryrefslogtreecommitdiffstats
path: root/spec
AgeCommit message (Collapse)AuthorFilesLines
2017-06-21Merge "Ignore failures when loading nf_conntrack_proto_sctp kernel module"Jenkins1-0/+59
2017-06-20Ignore failures when loading nf_conntrack_proto_sctp kernel moduleOr Idgar1-0/+59
Ignore failures if nf_conntrack_proto_sctp module failed to load. Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the kernel instead of as a module as the sctp support. TripleO will still try to load the module to support RHEL 7.3, but in the future will remove the module management and rely on the kernel provided in newer versions of RHEL. Co-Authored-By: Or Idgar <oidgar@redhat.com> Co-Authored-By: Alex Schultz <aschultz@redhat.com> Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79 Closes-Bug: 1695885
2017-06-20Add maxconn parameter to MySQL / HAProxyMike Bayer2-0/+118
Allows configurability of maxconn as applies to the MySQL section of the HAProxy config, both for clustercheck and single node. Also adds a new test for the haproxy class overall to exercise options. Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
2017-06-15Fix redis when hostname has capital lettersAlex Schultz2-0/+107
The bootstrap_nodeid comparison should be case insensitive. Change-Id: I1e6672bb0219c1cf56ab21dd911c6f33e2436cc3 Closes-Bug: #1698190
2017-06-15Move gnocchi upgrade and api to step 4Pradeep Kilambi1-20/+2
gnocchi upgrade requires storage sacks to be initialized. This means we need to ensure the storage backends are up before running the upgrade and starting the api. Lets move the api to step 4 so we can ensure other dependencies are in place. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: Ibfa9fb39f60c1e4a802d189b32ff4c34476c93d3 Change-Id: If2ae48b21389e76fd638c0b48c148a5d4f227630
2017-06-09Merge "Add resource to fetch CRL"Jenkins1-0/+104
2017-06-08Merge "Move tripleo::certmonger::httpd to defines folder and fix suffix"Jenkins1-0/+2
2017-06-08Add resource to fetch CRLJuan Antonio Osorio Robles1-0/+104
This will fetch the CRL file from the specified file or URL. Furtherly it will set up a cron job to refresh the crl file once a week and notify the needed services. bp tls-via-certmonger Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
2017-06-08Merge "Add _spec suffix to class spec tests"Jenkins5-0/+0
2017-06-08Merge "Add polkit rule to allow kolla nova user access to libvirtd socket on ↵Jenkins1-0/+79
docker host"
2017-06-08Move tripleo::certmonger::httpd to defines folder and fix suffixJuan Antonio Osorio Robles1-0/+2
It's a define, not a class. And it also needs the _spec suffix. Change-Id: Ie5e0cf81d03379d8b791fd77a5c78d12048ebfef
2017-06-08Add _spec suffix to class spec testsJuan Antonio Osorio Robles5-0/+0
Some of them didn't have it. So I added it to them for uniformity. Change-Id: I2ea57d0ecfe151f9a14db9f7722a26f09aa8a506
2017-06-06Add polkit rule to allow kolla nova user access to libvirtd socket on docker ↵Oliver Walsh1-0/+79
host The polkit rules are currently evaluated in the context of the docker host. As a result the check fails for the kolla nova compute user, as the uids are not consistent with the host uids (in fact we probably can't assume a nova user exists on the docker host). As a short-term workaround a 'docker_nova' user group is created on the docker host and the polkit rule is updated to grant this user access to the libvirtd socket. Longer term solution probably requires running polkitd in a container too. Change-Id: I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Related-bug: #1693844
2017-06-05Add novajoin profileJuan Antonio Osorio Robles1-0/+126
This is needed in order to deploy novajoin in a containerized undercloud environment. Change-Id: Iea461f66b8f4e3b01a0498e566a2c3684144df80
2017-05-24Move ceilometer upgrade step out of basePradeep Kilambi1-24/+0
ceilometer-upgrade should only run on controller nodes. Since its currently in base profile, it gets triggered on compute as well. So instead split out the upgrade into its own and include when we deploy notification and central agents instead. Change-Id: I2910e8aa5da7fded4cf94b57fb0a14fefd88adbe Closes-bug: #1693339
2017-05-19Merge "Switch to overlay2 driver for storage"Jenkins1-2/+57
2017-05-19Switch to overlay2 driver for storageDan Prince1-2/+57
This patch switches the default to the overlay2 storage driver and see if it helps performance. Background: The loopback driver is not recommended for production. Most other docker storage backends require extra disks (or partitions) which we don't have on the root disk. Overlay seems to make the most since for TripleO upgrades where we intend to update in-place installations to use docker. Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
2017-05-18Merge "Update tox configuration"Jenkins1-56/+1
2017-05-18Merge "Handle duplicate/invalid entries in migration SSH inbound addresses"Jenkins1-0/+102
2017-05-18Merge "Disable SSH login for nova_migration user when migration over ssh is ↵Jenkins1-11/+49
disabled."
2017-05-17Update tox configurationAlex Schultz1-56/+1
Update the tox configuration to pull in the openstack upper-constraints.txt when running releasenotes. This will fix the releasenotes job that is currently failing due to a new version of sphinx. Additionally this change includes updates from puppet-modulesync-configs. Change-Id: Ie587bfde2367dfec796f1b07c01bba15d839a3b1 Related-Bug: #1691511
2017-05-13vhostuser socket dir shall be created for vhostuserclient modeKarthik S2-0/+75
In order to support vhostuser client mode, a vhostuser_socket_dir needs to be created with qemu:qemu g+w permissions. Closes-Bug: #1675690 Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com> Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8 Signed-off-by: Karthik S <ksundara@redhat.com>
2017-05-05Handle duplicate/invalid entries in migration SSH inbound addressesOliver Walsh1-0/+102
An error (e.g a typo) in a custom tripleo-heat-templates environment file could lead to an invalid match block in /etc/ssh/sshd_config. SSH fails-safe and refuses all logins in this case. This change validates the migration_ssh_localaddrs parameter is an array of IP addresses and removes and duplicate entries. Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25 Closes-Bug: #1688308
2017-05-05Disable SSH login for nova_migration user when migration over ssh is disabled.Oliver Walsh1-11/+49
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary. Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3 Closes-Bug: #1688321
2017-05-03Restrict nova migration ssh tunnelOliver Walsh2-10/+160
This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins1-0/+60
2017-04-21Move ceilometer upgrade re-run out of collectorPradeep Kilambi2-26/+25
Since collector is deprecated, lets move this out of collector.pp so it gets run and resource types are created appropriately even when collector is not included. Closes-bug: #1676961 Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
2017-04-21Merge "Cover gnocchi api step 4 and 5"Jenkins2-30/+81
2017-04-19Refactor SSHD config to allow both SSHD options and banner/motd to be setOliver Walsh1-1/+117
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd are mutually exclusive. This patch, and the next patchset of that review, resolves the conflict. Related-Bug: 1668543 Change-Id: I1d09530d69e42c0c36311789166554a889e46556
2017-04-19Cover gnocchi api step 4 and 5Alex Schultz2-30/+81
Update the gnocchi api to expose the redis information as a class parameter so it can be tested correctly. Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
2017-04-19Merge "Create bigswitch agent profile"Jenkins1-0/+48
2017-04-15Merge "Move ceilometer wsgi to step 3"Jenkins1-4/+4
2017-04-15Merge "Move gnocchi wsgi configuration to step 3"Jenkins2-0/+103
2017-04-12Move gnocchi wsgi configuration to step 3Alex Schultz2-0/+103
We configure apache in step3 so we need to configure the gnocchi api in step 3 as well to prevent unnecessary service restarts during updates. Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be Related-Bug: #1664418
2017-04-12Move ceilometer wsgi to step 3Alex Schultz1-4/+4
Apache is configured in step 3 so if we configure ceilometer in step 4, the configuration is removed on updates. We need to configure it in step 3 with the other apache services to ensure we don't have issues on updates. Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423 Related-Bug: #1664418
2017-04-12Enable internal network TLS for etcdFeng Pan1-0/+60
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-11Stop SSHD profile clobbering SSH client configOliver Walsh1-1/+1
Including the ::ssh manifest will manage both client and server config. Managing the client config was not intended and will clobber the OS default config with the puppet ssh moduled defaults. Follow up for https://review.openstack.org/443113 where I found the issue after the changes merged. Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5 Related-Bug: 1668543
2017-04-08Add registry_mirror to base::docker profileDan Prince1-0/+15
This patch adds a new registry_mirror option to help configure /etc/docker/daemon.json so that we can make use of HTTP docker mirrors within upstream TripleO CI (infra). Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
2017-04-07Merge "Composable services support for Cinder Pure Storage FlashArray"Jenkins2-8/+88
2017-04-05Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleoChristian Schwede1-0/+65
This allows decoupling the Swift ringbuilding logic from the Controller and ObjectStorage roles. A follow up patch will modify tripleo-heat-templates and use this modified class. Actually this downloads the Swift rings even if ring building is disabled or if there is no need to rebalance. This is required, because operators can disable ring building, but use the same mechanism to distribute pre-built rings to the nodes. If ring building is disabled, these won't be uploaded at the end back to the undercloud. Related-Bug: 1665641 Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
2017-04-05Merge "SSHD Service extensions"Jenkins1-8/+54
2017-04-04Merge "Configure migration SSH tunnel"Jenkins1-2/+116
2017-04-04SSHD Service extensionslhinds1-8/+54
This change adds an `include` statement to bring in the extra functionality available from the existing puppet-ssh module in already available in RDO. By using puppet-ssh it provides a framework to allow the passing in of server options using just hiera values under ssh::server_options. For example, sshd_config banner can now be passed a server option, as well as all the new parameters outlined in the launchpad issue that the patch references for Closing. For this reason, the former augeas setting for `Banner /etc/issue` is now managed by the main puppet-ssh module instead. The change also allows population of MOTD text to `/etc/motd` as well as `issue.net`. $bannertext is refactored in accordance with patch [1] [1] https://review.openstack.org/#/c/442406/ Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c Closes-Bug: 1668543
2017-04-03Composable services support for Cinder Pure Storage FlashArraySimon Dodsley2-8/+88
Added the heat templates for Cinder Pure Storage FlashArray backend to use composable services Change-Id: I6f46f45a3af394de85672261c7d72ddc492a07b2
2017-04-03Configure migration SSH tunnelOliver Walsh1-2/+116
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
2017-04-03Deploy WSGI apps at the same step (3)Emilien Macchi1-4/+4
So we avoid useless apache restart and save time during the deployment. Related-Bug: #1664418 Change-Id: Ie00b717a6741e215e59d219710154f0d2ce6b39e
2017-04-02Move horizon to step 3Alex Schultz2-0/+58
We configure apache in step 3 so horizon should be configured at the same time or else updates will cause horizon to be unvailable during the update process. Change-Id: I4032f7c24edc0ff9ed637e213870cdd3beb9a54e Closes-Bug: #1678338
2017-03-30Merge "Tuned should be configured properly"Jenkins1-0/+44
2017-03-30Merge "Adds service for managing securetty"Jenkins1-0/+72
2017-03-29Adds service for managing securettylhinds1-0/+72
This adds the ability to manage the securetty file. By allowing management of securetty, operators can limit root console access and improve security through hardening. Change-Id: Ic4647fb823bd112648c5b8d102913baa8b4dac1c Closes-Bug: #1665042