| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The Nova Placement API's configuration currently relies
on the nova-api profile for its keystone authtoken
configuration. This means that Nova Placement would
fail if it got installed on an isolated node or
docker container (this currently breaks TripleO's
deployment of placement via docker).
This patch creates a new authtoken profile and
calls it via the api and placement roles.
Change-Id: I7b38ab6ba5cae41689ac500d97dec4d09c73d387
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
|
|
This commit adds the transport_url for specifying the oslo.messaging
rpc and notify transport schemes. The rpc or notification backend
can be one of rabbit, amqp, zmq, etc. Oslo.messaging is deprecating
the host, port and auth configuration options. All drivers will
get the options via the transport_url.
This patch:
* Adds transport_url to base services
* Updates the corresponding specs
* Adds to default hierdata
Depends-On: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40
Change-Id: Iea5607dbb3ee6b1dd50acc1395de52dc920aa915
|
|
|
|
Per project conventions, should use single quotes.
Also, update comments and defaults to match sample.
Change-Id: I82ddcec230e7a03965d753db60968912b8d7da5c
Closes-Bug: #1663624
|
|
nova placement credentials in nova.conf need to be configured at step 3
so Nova services can use them as soon as they start.
Change-Id: I0abdd305b7e6c8d83f23e25b3872e98eb56dd299
|
|
|
|
|
|
|
|
- transform nova_api_wsgi_enabled in a parameter
- update rspec tests
- fix TLS to run at step 1
Change-Id: I4d3f9c92f0717ae8c3bc8d71065fab281de82008
|
|
We need to run nova-cell_v2-discover_hosts at the very end of the
deployment because nova database needs to be aware of all registred
compute hosts.
1. Move keystone resources management at step 3.
2. Move nova-compute service at step 4.
3. Move nova-placement-api at step 3.
5. Run nova-cell_v2-discover_hosts at step 5 on one nova-api node.
6. Run neutron-ovs-agent at step 5 to avoid racy deployments where
it starts before neutron-server when doing HA deployments.
With that change, we expect Nova aware of all compute services deployed
in TripleO during an initial deployment.
Depends-On: If943157b2b4afeb640919e77ef0214518e13ee15
Change-Id: I6f2df2a83a248fb5dc21c2bd56029eb45b66ceae
Related-Bug: #1663273
Related-Bug: #1663458
|
|
Also adds an initial spec file for basic testing of the module.
Change-Id: I5534aab53b70de215336a076d25263c73b8d7b5b
Partial-Bug: #1661316
|
|
This changes rebrands Dell Eqlx to Dell PS series
and matches the tripleo-heat-templates.
Change-Id: I3536147a06b426ace18cf415e99361c47b4cf5d9
|
|
1. Move keystone resources management at step 4.
2. Move nova-compute startup at step 5.
That way, we make sure nova-compute will start when all Keystone
resources are ready.
Change-Id: I6e153e11b8519254d2a67b9142bf774a25bce69d
Closes-Bug: #1663273
|
|
'https://github.com/midonet/puppet-midonet' doesn't exist anymore, we
need to migrate to 'https://github.com/openstack/puppet-midonet' but
tests will fail.
We need to work with Midokura to get them fixed. In the meantime, let's
disable it.
Change-Id: Id39bc5a8cd229df3e9b597a0a0f3eada838f4953
|
|
|
|
It was suggested by Nova team to not deploying Nova API in WSGI with
Apache in production.
It's causing some issues that we didn't catch until now (see in the bug
report). Until we figure out what was wrong, let's disable it so we can
move forward in the upgrade process.
Related-Bug: 1661360
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
|
|
Add support to enable the UI to use paths via mod_proxy to access API
endpoints instead of connecting to each endpoint directly on a port
other than where the UI is served from. This is necessary to prevent
certificate acceptance errors from non-Chrome browsers which take
exception to connections made to other ports on the same hostname, using
one SSL certificate.
This change extends the UI's Apache configuration to create one
mod_proxy location for each of the API endpoints that UI calls upon.
These mod_proxy (using ProxyPass, ProxyPassReverse) endpoints are
configured using new heira variables provided in the dependent commit.
Additionally, this change modifies the default UI configuration file to
include endpoint URLs formatted to use the new endpoint paths that are
created.
Removed puppet variables which were previously used to generate the
contents of the tripleo_ui_config.js template, since they are no longer
used to generate this file, replaced with the new endpoint URLs
formatted to use the new endpoint paths that are created.
Change-Id: I55e375ad462fa98e181277ec0bd88658e620e8ad
Implements: blueprint proxy-undercloud-api-services
Depends-On: Ib20f4b0891563ae90ec80675635a64c39bd2fdb7
|
|
Fixes a test failure caused by Ic38d4f9f9a8e69ffcee6ccc4bba9a9ab0f161d0e
which pulls in a class with a required parameter.
Change-Id: I0740290bff0ea7c4af6e3420775ac3e72871d372
|
|
it's not required in Ocata, let's configure the basic setup for cells.
note: it also cleanup old code that is not valid anymore.
Change-Id: Iac5b2fbe1b03ec7ad4cb8cab2c7694547be6957d
|
|
|
|
|
|
|
|
Currently the inter-cluster communication port listens to all ip
addresses:
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 25631/beam.smp
In order to limit it to listen only to the network assigned to rabbitmq
we need to add the following:
{kernel, [
...
{inet_dist_use_interface, {172,17,0,16}},
...
]}
In order to do the conversion from an ip address to the Erlang
representation we add a function that takes a string and returns a
converted output. The (~400 randomly generated) IPv6/4 addresses at [1]
have been parsed both via erl's built-in inet:parse_address() function
and our ruby implementation. All converted ip addresses resulted in the
same output [2], [3]. The only difference is that Erlang's parse_address()
considers network ip addresses (e.g. 10.0.0.0) invalid whereas the ruby
function does not. This should not be a problem as the use case here is
to bind a service to a specific ip address on an interface and if
anything we likely prefer the less strict behaviour, given that at least
in theory it is perfectly valid for an interface to have a network
address assigned to it.
[1] http://acksyn.org/files/tripleo/ip-addresses.txt
[2] http://acksyn.org/files/tripleo/ip-addresses-ruby.txt
[3] http://acksyn.org/files/tripleo/ip-addresses-erl.txt
Change-Id: I211c75b9bab25c545bcc7f90f34edebc92bba788
Partial-Bug: #1645898
|
|
glance params are also used by cinder-volume. This patch aims to use
cinder::glance in common roles for cinder, so we can split cinder api
and cinder volume.
Depends-On: Id81c029318016068481dd614ed62cc4bfaf0f3e8
Change-Id: I9703efb38c2a3166c7f21c5c1b942f33abb9e76c
|
|
Adds initial base profile and profile for API service.
Partially-implements: blueprint octavia-service-integration
Change-Id: I77783029797be4fb488c6e743c51d228eba9c474
|
|
|
|
This change adds a profile for the Ceph RBD mirror service, which
should be managed by Pacemaker to make sure there is always a single
instance running.
Change-Id: Ic63dc5cffece38942d305f538f71dd58a5d50789
Partial-Bug: #1652177
|
|
We dont need this flag anymore as we will disable api
using composable interface instead.
See I67900f7e6816212831aea8ed18f323652857fbd3
Closes-bug: #1656364
Change-Id: Ib6aea02bde6ad7e5223336579f0a99d6cd3ee98f
|
|
|
|
This feature is broken for us now and there is work in progress in Nova
to improve nova cell deployment.
Until it's fixed upstream, we need to disable cells deployment for now,
so we can promote our CI.
Change-Id: I379ba9e94a92ed225a03a67fc975b542447a9c8b
Related-Bug: #1649341
|
|
|
|
This change fixes the hiera calls in the base nova profile to use the
parameter rather than continue to call hiera. Additionally this change
includes basic test coverage for the various nova profiles.
Change-Id: If393606eeb3c39ed3a2655bd89c5c276a9cf106e
|
|
This patch add the option for using Keyston V3 authention with
the Ceph/RGW service instead of using the admin_token
Change-Id: I42861afcac221478dcb68be13b6dbc2533a7f158
|
|
This patch adds support for ip6tables rules in TripleO, in a intuitive
and flexible fashion.
1) Default firewal rules 'source' parameter to undef.
It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
support ipv6 rules. undef will create empty source, which is the same as
0.0.0.0/0 or ::/0.
2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.
3) Automatically create IPv6 rules like it's for IPv4.
4) Only create rules that can be created, depending on
source/destination ip version.
This patch should be backward compatible and adds a layer of security
for IPv6 deployments. If previous deployments were manually creating
Ipv6 rules, it's possible that this patch will override them. Our
framework is able to configure any rule, so it shouldn't be a problem
for upgrades.
Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
|
|
This change adds a profile to deploy the Ceph MDS service and some
basic unit tests for it.
Depends-On: I558b43deaa9b243c54f3d7ae945f11dd4925eb5d
Change-Id: Iaecc3ff7acb851776c5057c42a5a513a70425d2c
Partial-Bug: #1644784
|
|
|
|
This closes CVE-2016-9599.
1) Sanitize dynamic HAproxy endpoints firewall rules
Build the hash of firewall rules only when a port is specified. The
HAproxy endpoints are using TCP protocol, which means we have to specify
a port to the IPtables rules.
Some services don't have public network exposure (e.g. Glance Registry),
which means they don't need haproxy_ssl rule.
The code prepare the hash depending on the service_port and
public_ssl_port parameters and create the actual firewall rules only if
one of those or both parameters are specified.
It will prevent new services without public exposure to open all traffic
because no port is specified.
2) Secure Firewall rules creations
The code won't allow to create TCP / UDP IPtables rules in INPUT
or OUTPUT chains without port or sport or dport, because doing it would
allow an IPtables rule opening all traffic for TCP or UDP.
If we try to do that, Puppet catalog will fail with an error explaining
why.
Example of use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.
3) Allow to open all traffic for TCO / UDP (when desired)
Some use-cases require to open all traffic for all ports on TCP / UDP.
It will be possible if the user gives port = 'all' when creating the
firewall rule.
Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port
parameters, it won't work anymore, for security purpose.
- if you users want to open TCP / UDP for all ports, they need to pass
port = 'all' and the rule will be created, though a warning will be
displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it
will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.
Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
|
|
A puppet manifest to allow the toggle of 'Banner' in sshd_config
and enable population of an SSH login banner needed for security
compliance such as DISA STIG
If `Bannertext` is set as a parameter, the `Banner` key within
sshd_config is toggled to `/etc/issue` and the content is copied
into the `/etc/issue` file
Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
|
|
|
|
|
|
Ceilometer api is deprectaed in Ocata. Lets disable by default.
This can still be enabled by setting enable_legacy_ceilometer_api
param.
Change-Id: Iffb8c2cfed53d8b29e777c35cee44921194239e9
|
|
|
|
|
|
MidoNet no longer uses the API component. It has been renamed/refactored
to "cluster" as it can be seen on the docs at
https://blog.midonet.org/introducing-midonet-cluster-services/
Also there is no need to have a Cassandra and Zookeeper dedicated
classes, as we leverage this through the use of the midonet_openstack
puppet module.
Change-Id: I2f17aeeac2d1b121be0d445ff555320d5af5d270
Partial-Bug: #1647302
|
|
Change-Id: I2eb5b84dbeedde58153bceb707fd15cce8f03d5e
|
|
This change adds rspec testing for the cinder profiles with in
puppet-tripleo. Additionally while testing, it was found that the
backends may incorrectly have an extra , included in the settings
for cinder volume when running puppet 3. This change includes a fix
the cinder volume backends to make sure we are not improperly
configuring it with a trailing comma.
Change-Id: Ibdfee330413b6f9aecdf42a5508c21126fc05973
|
|
This replaces the services' IP-based RabbitMQ configuration and uses
FQDNs instead.
Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
|
|
|
|
The firewall rule quite reasonably sets up a default state matching rule
but this is invalid for GRE. This patch conditionally adds the state
matching if the protocol is not GRE.
Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
|
|
combination alarms are completely removed in Ocata.
Remove this from tripleo.
Change-Id: Icdf81d2f489db33533a1a0979cba3b5a652535d5
|
Dan Prince
Andrew Smith
Jenkins
MikeG451
Emilien Macchi
Giulio Fidente
rajinir
Dan Trainor
Brent Eagles
Michele Baldessari
Pradeep Kilambi
Alex Schultz
Keith Schincke
Luke Hinds
Alejandro Andreu
Juan Antonio Osorio Robles