Age | Commit message (Collapse) | Author | Files | Lines |
|
- transform nova_api_wsgi_enabled in a parameter
- update rspec tests
- fix TLS to run at step 1
Change-Id: I4d3f9c92f0717ae8c3bc8d71065fab281de82008
|
|
1. Move keystone resources management at step 4.
2. Move nova-compute startup at step 5.
That way, we make sure nova-compute will start when all Keystone
resources are ready.
Change-Id: I6e153e11b8519254d2a67b9142bf774a25bce69d
Closes-Bug: #1663273
|
|
'https://github.com/midonet/puppet-midonet' doesn't exist anymore, we
need to migrate to 'https://github.com/openstack/puppet-midonet' but
tests will fail.
We need to work with Midokura to get them fixed. In the meantime, let's
disable it.
Change-Id: Id39bc5a8cd229df3e9b597a0a0f3eada838f4953
|
|
|
|
It was suggested by Nova team to not deploying Nova API in WSGI with
Apache in production.
It's causing some issues that we didn't catch until now (see in the bug
report). Until we figure out what was wrong, let's disable it so we can
move forward in the upgrade process.
Related-Bug: 1661360
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
|
|
Add support to enable the UI to use paths via mod_proxy to access API
endpoints instead of connecting to each endpoint directly on a port
other than where the UI is served from. This is necessary to prevent
certificate acceptance errors from non-Chrome browsers which take
exception to connections made to other ports on the same hostname, using
one SSL certificate.
This change extends the UI's Apache configuration to create one
mod_proxy location for each of the API endpoints that UI calls upon.
These mod_proxy (using ProxyPass, ProxyPassReverse) endpoints are
configured using new heira variables provided in the dependent commit.
Additionally, this change modifies the default UI configuration file to
include endpoint URLs formatted to use the new endpoint paths that are
created.
Removed puppet variables which were previously used to generate the
contents of the tripleo_ui_config.js template, since they are no longer
used to generate this file, replaced with the new endpoint URLs
formatted to use the new endpoint paths that are created.
Change-Id: I55e375ad462fa98e181277ec0bd88658e620e8ad
Implements: blueprint proxy-undercloud-api-services
Depends-On: Ib20f4b0891563ae90ec80675635a64c39bd2fdb7
|
|
Fixes a test failure caused by Ic38d4f9f9a8e69ffcee6ccc4bba9a9ab0f161d0e
which pulls in a class with a required parameter.
Change-Id: I0740290bff0ea7c4af6e3420775ac3e72871d372
|
|
it's not required in Ocata, let's configure the basic setup for cells.
note: it also cleanup old code that is not valid anymore.
Change-Id: Iac5b2fbe1b03ec7ad4cb8cab2c7694547be6957d
|
|
|
|
|
|
|
|
Currently the inter-cluster communication port listens to all ip
addresses:
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 25631/beam.smp
In order to limit it to listen only to the network assigned to rabbitmq
we need to add the following:
{kernel, [
...
{inet_dist_use_interface, {172,17,0,16}},
...
]}
In order to do the conversion from an ip address to the Erlang
representation we add a function that takes a string and returns a
converted output. The (~400 randomly generated) IPv6/4 addresses at [1]
have been parsed both via erl's built-in inet:parse_address() function
and our ruby implementation. All converted ip addresses resulted in the
same output [2], [3]. The only difference is that Erlang's parse_address()
considers network ip addresses (e.g. 10.0.0.0) invalid whereas the ruby
function does not. This should not be a problem as the use case here is
to bind a service to a specific ip address on an interface and if
anything we likely prefer the less strict behaviour, given that at least
in theory it is perfectly valid for an interface to have a network
address assigned to it.
[1] http://acksyn.org/files/tripleo/ip-addresses.txt
[2] http://acksyn.org/files/tripleo/ip-addresses-ruby.txt
[3] http://acksyn.org/files/tripleo/ip-addresses-erl.txt
Change-Id: I211c75b9bab25c545bcc7f90f34edebc92bba788
Partial-Bug: #1645898
|
|
glance params are also used by cinder-volume. This patch aims to use
cinder::glance in common roles for cinder, so we can split cinder api
and cinder volume.
Depends-On: Id81c029318016068481dd614ed62cc4bfaf0f3e8
Change-Id: I9703efb38c2a3166c7f21c5c1b942f33abb9e76c
|
|
Adds initial base profile and profile for API service.
Partially-implements: blueprint octavia-service-integration
Change-Id: I77783029797be4fb488c6e743c51d228eba9c474
|
|
|
|
This change adds a profile for the Ceph RBD mirror service, which
should be managed by Pacemaker to make sure there is always a single
instance running.
Change-Id: Ic63dc5cffece38942d305f538f71dd58a5d50789
Partial-Bug: #1652177
|
|
We dont need this flag anymore as we will disable api
using composable interface instead.
See I67900f7e6816212831aea8ed18f323652857fbd3
Closes-bug: #1656364
Change-Id: Ib6aea02bde6ad7e5223336579f0a99d6cd3ee98f
|
|
|
|
This feature is broken for us now and there is work in progress in Nova
to improve nova cell deployment.
Until it's fixed upstream, we need to disable cells deployment for now,
so we can promote our CI.
Change-Id: I379ba9e94a92ed225a03a67fc975b542447a9c8b
Related-Bug: #1649341
|
|
|
|
This change fixes the hiera calls in the base nova profile to use the
parameter rather than continue to call hiera. Additionally this change
includes basic test coverage for the various nova profiles.
Change-Id: If393606eeb3c39ed3a2655bd89c5c276a9cf106e
|
|
This patch add the option for using Keyston V3 authention with
the Ceph/RGW service instead of using the admin_token
Change-Id: I42861afcac221478dcb68be13b6dbc2533a7f158
|
|
This patch adds support for ip6tables rules in TripleO, in a intuitive
and flexible fashion.
1) Default firewal rules 'source' parameter to undef.
It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
support ipv6 rules. undef will create empty source, which is the same as
0.0.0.0/0 or ::/0.
2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.
3) Automatically create IPv6 rules like it's for IPv4.
4) Only create rules that can be created, depending on
source/destination ip version.
This patch should be backward compatible and adds a layer of security
for IPv6 deployments. If previous deployments were manually creating
Ipv6 rules, it's possible that this patch will override them. Our
framework is able to configure any rule, so it shouldn't be a problem
for upgrades.
Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
|
|
This change adds a profile to deploy the Ceph MDS service and some
basic unit tests for it.
Depends-On: I558b43deaa9b243c54f3d7ae945f11dd4925eb5d
Change-Id: Iaecc3ff7acb851776c5057c42a5a513a70425d2c
Partial-Bug: #1644784
|
|
|
|
This closes CVE-2016-9599.
1) Sanitize dynamic HAproxy endpoints firewall rules
Build the hash of firewall rules only when a port is specified. The
HAproxy endpoints are using TCP protocol, which means we have to specify
a port to the IPtables rules.
Some services don't have public network exposure (e.g. Glance Registry),
which means they don't need haproxy_ssl rule.
The code prepare the hash depending on the service_port and
public_ssl_port parameters and create the actual firewall rules only if
one of those or both parameters are specified.
It will prevent new services without public exposure to open all traffic
because no port is specified.
2) Secure Firewall rules creations
The code won't allow to create TCP / UDP IPtables rules in INPUT
or OUTPUT chains without port or sport or dport, because doing it would
allow an IPtables rule opening all traffic for TCP or UDP.
If we try to do that, Puppet catalog will fail with an error explaining
why.
Example of use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.
3) Allow to open all traffic for TCO / UDP (when desired)
Some use-cases require to open all traffic for all ports on TCP / UDP.
It will be possible if the user gives port = 'all' when creating the
firewall rule.
Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port
parameters, it won't work anymore, for security purpose.
- if you users want to open TCP / UDP for all ports, they need to pass
port = 'all' and the rule will be created, though a warning will be
displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it
will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.
Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
|
|
A puppet manifest to allow the toggle of 'Banner' in sshd_config
and enable population of an SSH login banner needed for security
compliance such as DISA STIG
If `Bannertext` is set as a parameter, the `Banner` key within
sshd_config is toggled to `/etc/issue` and the content is copied
into the `/etc/issue` file
Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
|
|
|
|
|
|
Ceilometer api is deprectaed in Ocata. Lets disable by default.
This can still be enabled by setting enable_legacy_ceilometer_api
param.
Change-Id: Iffb8c2cfed53d8b29e777c35cee44921194239e9
|
|
|
|
|
|
MidoNet no longer uses the API component. It has been renamed/refactored
to "cluster" as it can be seen on the docs at
https://blog.midonet.org/introducing-midonet-cluster-services/
Also there is no need to have a Cassandra and Zookeeper dedicated
classes, as we leverage this through the use of the midonet_openstack
puppet module.
Change-Id: I2f17aeeac2d1b121be0d445ff555320d5af5d270
Partial-Bug: #1647302
|
|
Change-Id: I2eb5b84dbeedde58153bceb707fd15cce8f03d5e
|
|
This change adds rspec testing for the cinder profiles with in
puppet-tripleo. Additionally while testing, it was found that the
backends may incorrectly have an extra , included in the settings
for cinder volume when running puppet 3. This change includes a fix
the cinder volume backends to make sure we are not improperly
configuring it with a trailing comma.
Change-Id: Ibdfee330413b6f9aecdf42a5508c21126fc05973
|
|
This replaces the services' IP-based RabbitMQ configuration and uses
FQDNs instead.
Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
|
|
|
|
The firewall rule quite reasonably sets up a default state matching rule
but this is invalid for GRE. This patch conditionally adds the state
matching if the protocol is not GRE.
Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
|
|
combination alarms are completely removed in Ocata.
Remove this from tripleo.
Change-Id: Icdf81d2f489db33533a1a0979cba3b5a652535d5
|
|
The civetweb binding format is IP:PORT; this change ensures the IP
is enclosed in brackets if IPv6.
To do so we add the bind_ip and bind_port parameters to the
rgw service class.
Change-Id: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
Co-Authored-By: Lukas Bezdicka <social@v3.sk>
Related-Bug: #1636515
|
|
When a physical function that was allocated to a guest is released back
the system, it is not automatically brought "up" and the VF
configuration is not restored. This patch creates a file containing some
udev rules to force the VF configuration.
Note: we may find that the ifup-local script is no longer required but
this will require further testing.
Change-Id: Ie6e78730aa0a748b3b5100ab7c7bc007d8ab176d
Partial-Bug: #1639901
|
|
|
|
This change adds rspec tests for the barbican profiles to ensure they
function as expected.
Change-Id: I73f5405ade2cc73024efbeb2cfbfc831a2120f51
|
|
We use the rabbit_hosts configuration for most of our services but we
haven't been adding the configured port. This patch appends the IP port
used provided to the service's heat template to the IPs in the list.
Note: while we could use the value set for the rabbitmq server in
rabbitmq::port, it doesn't allow for dealing with SSL. This also is also
backwards compatible with the RabbitClientPort parameters used in the
heat templates.
Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
Closes-Bug: #1633580
|
|
Instead of using an operator to make sure we upgrade package before any
service, which causes dependency cycles with iptables puppet module,
let's do another approach where we upgrade rpms in the 'setup' stage,
which is a stage that runs before configure and running services.
In that way, we'll remove dependency cycles and make sure packages are
upgrades before configure and running TripleO services.
Change-Id: I1be83f88be1959885c980ab4f428477d412751f7
|
|
The ceilometer::db::sync is included by default in ceilometer::db but we
only want it to run on the bootstrap node. This change passes the
sync_db parameter to ceilometer::db to manage the db sync process rather
than trying to manage the inclusion of ceilometer::db::sync within the
profile class.
Change-Id: Ib56db1a90dd6fbfe7582fc57b7728df81942cce2
Closes-Bug: #1629373
|
|
This change adds rspec testing for the ceph profiles in puppet-tripleo.
Change-Id: I08954e011848d6b747735f11b3cbff5707460c26
|
|
This change adds rspec testing for the ceilometer profiles. While
writing these tests, the tripleo::profile::base::ceilometer::collector
class needed to have the hiera lookups moved to class parameters to
allow for testing the possible options around the database backend.
These tests add coverage for ipv4 and ipv6 configurations for the
collector profile as well as excluding mongodb on the backend.
Change-Id: I1abae040104e8492a9fe266de74080e1e7701731
|
|
This change adds rspec testing for the aodh profile and serves as an
example as to how to add in spec testing using hieradata to provide some
required parameters. This testing adds improved coverage for
expectations around computed configuration items as well as for
conditions around the steps within the tripleo deployment
Change-Id: Ic763a544289a222fea97020a98821c1e375651a3
|
|
|