path: root/spec
Age | Commit message | Author | Files | Lines
2017-02-14 | Make quotes consistent to match the sample config | MikeG4511-14/+14
Per project conventions, should use single quotes. Also, update comments and defaults to match sample.
Change-Id: I82ddcec230e7a03965d753db60968912b8d7da5c
Closes-Bug: #1663624
2017-02-09 | Run nova-cell_v2-discover_hosts at step 5 | Emilien Macchi | 1 | -2/+2
We need to run nova-cell_v2-discover_hosts at the very end of the deployment because nova database needs to be aware of all registered compute hosts.
1. Move keystone resources management at step 3.
2. Move nova-compute service at step 4.
3. Move nova-placement-api at step 3.
5. Run nova-cell_v2-discover_hosts at step 5 on one nova-api node.
6. Run neutron-ovs-agent at step 5 to avoid racy deployments where it starts before neutron-server when doing HA deployments.
With that change, we expect Nova aware of all compute services deployed in TripleO during an initial deployment.
Depends-On: If943157b2b4afeb640919e77ef0214518e13ee15
Change-Id: I6f2df2a83a248fb5dc21c2bd56029eb45b66ceae
Related-Bug: #1663273
Related-Bug: #1663458
2017-02-09 | start nova-compute when keystone resources are created | Emilien Macchi | 1 | -4/+4
1. Move keystone resources management at step 4.
2. Move nova-compute startup at step 5.
That way, we make sure nova-compute will start when all Keystone resources are ready.
Change-Id: I6e153e11b8519254d2a67b9142bf774a25bce69d
Closes-Bug: #1663273
2017-02-08 | Disable midonet unit tests | Emilien Macchi | 1 | -58/+0
'https://github.com/midonet/puppet-midonet' doesn't exist anymore, we need to migrate to 'https://github.com/openstack/puppet-midonet' but tests will fail. We need to work with Midokura to get them fixed. In the meantime, let's disable it.
Change-Id: Id39bc5a8cd229df3e9b597a0a0f3eada838f4953
2017-02-07 | Merge "Proxy API endpoints that UI uses" | Jenkins | 1 | -21/+43
2017-02-06 | Stop deploying Nova API in WSGI with Apache | Emilien Macchi | 1 | -4/+4
It was suggested by Nova team to not deploy Nova API in WSGI with Apache in production. It's causing some issues that we didn't catch until now (see in the bug report). Until we figure out what was wrong, let's disable it so we can move forward in the upgrade process.
Related-Bug: 1661360
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
2017-02-03 | Proxy API endpoints that UI uses | Dan Trainor | 1 | -21/+43
Add support to enable the UI to use paths via mod_proxy to access API endpoints instead of connecting to each endpoint directly on a port other than where the UI is served from. This is necessary to prevent certificate acceptance errors from non-Chrome browsers which take exception to connections made to other ports on the same hostname, using one SSL certificate.
This change extends the UI's Apache configuration to create one mod_proxy location for each of the API endpoints that UI calls upon. These mod_proxy (using ProxyPass, ProxyPassReverse) endpoints are configured using new hiera variables provided in the dependent commit.
Additionally, this change modifies the default UI configuration file to include endpoint URLs formatted to use the new endpoint paths that are created.
Removed puppet variables which were previously used to generate the contents of the tripleo_ui_config.js template, since they are no longer used to generate this file, replaced with the new endpoint URLs formatted to use the new endpoint paths that are created.
Change-Id: I55e375ad462fa98e181277ec0bd88658e620e8ad
Implements: blueprint proxy-undercloud-api-services
Depends-On: Ib20f4b0891563ae90ec80675635a64c39bd2fdb7
2017-01-31 | Fix test failure caused by change to puppet-octavia | Brent Eagles | 1 | -0/+3
Fixes a test failure caused by Ic38d4f9f9a8e69ffcee6ccc4bba9a9ab0f161d0e which pulls in a class with a required parameter.
Change-Id: I0740290bff0ea7c4af6e3420775ac3e72871d372
2017-01-27 | nova: deploy basic setup for cells | Emilien Macchi | 1 | -5/+2
it's not required in Ocata, let's configure the basic setup for cells. note: it also cleans up old code that is not valid anymore.
Change-Id: Iac5b2fbe1b03ec7ad4cb8cab2c7694547be6957d
2017-01-25 | Merge "Make sure we bind the rabbit inter-cluster to a specific interface" | Jenkins | 1 | -0/+11
2017-01-23 | Merge "Add Ceph RBD mirror Pacemaker profile" | Jenkins | 1 | -0/+64
2017-01-20 | Merge "cinder: move glance params into common" | Jenkins | 2 | -4/+6
2017-01-20 | Make sure we bind the rabbit inter-cluster to a specific interface | Michele Baldessari | 1 | -0/+11
Currently the inter-cluster communication port listens to all ip addresses:

    tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 25631/beam.smp

In order to limit it to listen only to the network assigned to rabbitmq we need to add the following:

    {kernel, [
      ...
      {inet_dist_use_interface, {172,17,0,16}},
      ...
    ]}

In order to do the conversion from an ip address to the Erlang representation we add a function that takes a string and returns a converted output.
The (~400 randomly generated) IPv6/4 addresses at [1] have been parsed both via erl's built-in inet:parse_address() function and our ruby implementation. All converted ip addresses resulted in the same output [2], [3].
The only difference is that Erlang's parse_address() considers network ip addresses (e.g. 10.0.0.0) invalid whereas the ruby function does not. This should not be a problem as the use case here is to bind a service to a specific ip address on an interface and if anything we likely prefer the less strict behaviour, given that at least in theory it is perfectly valid for an interface to have a network address assigned to it.
[1] http://acksyn.org/files/tripleo/ip-addresses.txt
[2] http://acksyn.org/files/tripleo/ip-addresses-ruby.txt
[3] http://acksyn.org/files/tripleo/ip-addresses-erl.txt
Change-Id: I211c75b9bab25c545bcc7f90f34edebc92bba788
Partial-Bug: #1645898
2017-01-19 | cinder: move glance params into common | Emilien Macchi | 2 | -4/+6
glance params are also used by cinder-volume. This patch aims to use cinder::glance in common roles for cinder, so we can split cinder api and cinder volume.
Depends-On: Id81c029318016068481dd614ed62cc4bfaf0f3e8
Change-Id: I9703efb38c2a3166c7f21c5c1b942f33abb9e76c
2017-01-19 | Add base profile for Octavia services | beagles | 2 | -0/+254
Adds initial base profile and profile for API service.
Partially-implements: blueprint octavia-service-integration
Change-Id: I77783029797be4fb488c6e743c51d228eba9c474
2017-01-18 | Merge "Remove legacy flag and use composable interface" | Jenkins | 1 | -14/+2
2017-01-18 | Add Ceph RBD mirror Pacemaker profile | Giulio Fidente | 1 | -0/+64
This change adds a profile for the Ceph RBD mirror service, which should be managed by Pacemaker to make sure there is always a single instance running.
Change-Id: Ic63dc5cffece38942d305f538f71dd58a5d50789
Partial-Bug: #1652177
2017-01-18 | Remove legacy flag and use composable interface | Pradeep Kilambi | 1 | -14/+2
We don't need this flag anymore as we will disable api using composable interface instead. See I67900f7e6816212831aea8ed18f323652857fbd3
Closes-bug: #1656364
Change-Id: Ib6aea02bde6ad7e5223336579f0a99d6cd3ee98f
2017-01-17 | Merge "Call VF configuration from udev rules" | Jenkins | 1 | -1/+10
2017-01-14 | nova: disable ::nova::db::sync_cell_v2 | Emilien Macchi | 1 | -3/+5
This feature is broken for us now and there is work in progress in Nova to improve nova cell deployment. Until it's fixed upstream, we need to disable cells deployment for now, so we can promote our CI.
Change-Id: I379ba9e94a92ed225a03a67fc975b542447a9c8b
Related-Bug: #1649341
2017-01-10 | Merge "Rspec tests for nova profiles" | Jenkins | 11 | -0/+800
2017-01-09 | Rspec tests for nova profiles | Alex Schultz | 11 | -0/+800
This change fixes the hiera calls in the base nova profile to use the parameter rather than continue to call hiera. Additionally this change includes basic test coverage for the various nova profiles.
Change-Id: If393606eeb3c39ed3a2655bd89c5c276a9cf106e
2017-01-09 | Add support for not using admin_token in Ceph/RGW | Keith Schincke | 2 | -0/+18
This patch adds the option for using Keystone V3 authentication with the Ceph/RGW service instead of using the admin_token
Change-Id: I42861afcac221478dcb68be13b6dbc2533a7f158
2017-01-05 | firewall: add IPv6 support | Emilien Macchi | 1 | -13/+57
This patch adds support for ip6tables rules in TripleO, in an intuitive and flexible fashion.
1) Default firewall rules 'source' parameter to undef. It was 0.0.0.0/0 before but now undef, so we don't need complex logic to support ipv6 rules. undef will create empty source, which is the same as 0.0.0.0/0 or ::/0.
2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.
3) Automatically create IPv6 rules like it's for IPv4.
4) Only create rules that can be created, depending on source/destination ip version.
This patch should be backward compatible and adds a layer of security for IPv6 deployments. If previous deployments were manually creating IPv6 rules, it's possible that this patch will override them. Our framework is able to configure any rule, so it shouldn't be a problem for upgrades.
Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
2017-01-04 | Adds a profile for the Ceph MDS service | Giulio Fidente | 1 | -0/+59
This change adds a profile to deploy the Ceph MDS service and some basic unit tests for it.
Depends-On: I558b43deaa9b243c54f3d7ae945f11dd4925eb5d
Change-Id: Iaecc3ff7acb851776c5057c42a5a513a70425d2c
Partial-Bug: #1644784
2017-01-04 | Merge "Adds ability to populate SSH Banner text" | Jenkins | 1 | -0/+30
2016-12-22 | [CVE-2016-9599] Enforce Firewall TCP / UDP rules management | Emilien Macchi | 1 | -2/+15
This closes CVE-2016-9599.
1) Sanitize dynamic HAproxy endpoints firewall rules
Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepares the hash depending on the service_port and public_ssl_port parameters and creates the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified.
2) Secure Firewall rules creations
The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why.
Example of use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.
3) Allow to open all traffic for TCP / UDP (when desired)
Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule.
Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purposes.
- if our users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.
Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
2016-12-21 | Adds ability to populate SSH Banner text | Luke Hinds | 1 | -0/+30
A puppet manifest to allow the toggle of 'Banner' in sshd_config and enable population of an SSH login banner needed for security compliance such as DISA STIG
If `Bannertext` is set as a parameter, the `Banner` key within sshd_config is toggled to `/etc/issue` and the content is copied into the `/etc/issue` file
Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
2016-12-19 | Merge "Disable legacy ceilometer api by default" | Jenkins | 1 | -2/+14
2016-12-17 | Merge "Add tripleo::ui rspec tests" | Jenkins | 1 | -0/+99
2016-12-09 | Disable legacy ceilometer api by default | Pradeep Kilambi | 1 | -2/+14
Ceilometer api is deprecated in Ocata. Let's disable by default. This can still be enabled by setting enable_legacy_ceilometer_api param.
Change-Id: Iffb8c2cfed53d8b29e777c35cee44921194239e9
2016-12-09 | Merge "Add cinder profile spec tests" | Jenkins | 21 | -0/+1107
2016-12-09 | Merge "Delete MidoNet deprecated classes and their tests" | Jenkins | 3 | -216/+0
2016-12-07 | Delete MidoNet deprecated classes and their tests | Alejandro Andreu | 3 | -216/+0
MidoNet no longer uses the API component. It has been renamed/refactored to "cluster" as it can be seen on the docs at https://blog.midonet.org/introducing-midonet-cluster-services/
Also there is no need to have a Cassandra and Zookeeper dedicated classes, as we leverage this through the use of the midonet_openstack puppet module.
Change-Id: I2f17aeeac2d1b121be0d445ff555320d5af5d270
Partial-Bug: #1647302
2016-12-06 | Add tripleo::ui rspec tests | Alex Schultz | 1 | -0/+99
Change-Id: I2eb5b84dbeedde58153bceb707fd15cce8f03d5e
2016-12-05 | Add cinder profile spec tests | Alex Schultz | 21 | -0/+1107
This change adds rspec testing for the cinder profiles within puppet-tripleo. Additionally while testing, it was found that the backends may incorrectly have an extra , included in the settings for cinder volume when running puppet 3. This change includes a fix to the cinder volume backends to make sure we are not improperly configuring it with a trailing comma.
Change-Id: Ibdfee330413b6f9aecdf42a5508c21126fc05973
2016-11-28 | Use FQDNs for the services' RabbitMQ configuration | Juan Antonio Osorio Robles | 9 | -10/+10
This replaces the services' IP-based RabbitMQ configuration and uses FQDNs instead.
Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
2016-11-25 | Merge "Do not configure state matching when using GRE" | Jenkins | 1 | -1/+3
2016-11-24 | Do not configure state matching when using GRE | Brent Eagles | 1 | -1/+3
The firewall rule quite reasonably sets up a default state matching rule but this is invalid for GRE. This patch conditionally adds the state matching if the protocol is not GRE.
Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
2016-11-17 | Remove Combination alarms support | Pradeep Kilambi | 1 | -16/+0
combination alarms are completely removed in Ocata. Remove this from tripleo.
Change-Id: Icdf81d2f489db33533a1a0979cba3b5a652535d5
2016-11-11 | Normalize civetweb binding address if IPv6 | Giulio Fidente | 1 | -4/+12
The civetweb binding format is IP:PORT; this change ensures the IP is enclosed in brackets if IPv6. To do so we add the bind_ip and bind_port parameters to the rgw service class.
Change-Id: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
Co-Authored-By: Lukas Bezdicka <social@v3.sk>
Related-Bug: #1636515
2016-11-11 | Call VF configuration from udev rules | Brent Eagles | 1 | -1/+10
When a physical function that was allocated to a guest is released back to the system, it is not automatically brought "up" and the VF configuration is not restored. This patch creates a file containing some udev rules to force the VF configuration.
Note: we may find that the ifup-local script is no longer required but this will require further testing.
Change-Id: Ie6e78730aa0a748b3b5100ab7c7bc007d8ab176d
Partial-Bug: #1639901
2016-11-01 | Merge "Add barbican profile rspec testing" | Jenkins | 3 | -0/+166
2016-10-19 | Add barbican profile rspec testing | Alex Schultz | 3 | -0/+166
This change adds rspec tests for the barbican profiles to ensure they function as expected.
Change-Id: I73f5405ade2cc73024efbeb2cfbfc831a2120f51
2016-10-17 | Add port to rabbitmq node ip list | Brent Eagles | 2 | -3/+3
We use the rabbit_hosts configuration for most of our services but we haven't been adding the configured port. This patch appends the IP port used provided to the service's heat template to the IPs in the list.
Note: while we could use the value set for the rabbitmq server in rabbitmq::port, it doesn't allow for dealing with SSL. This is also backwards compatible with the RabbitClientPort parameters used in the heat templates.
Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
Closes-Bug: #1633580
2016-10-14 | packages: run upgrade at 'setup' stage | Emilien Macchi | 1 | -3/+2
Instead of using an operator to make sure we upgrade package before any service, which causes dependency cycles with iptables puppet module, let's do another approach where we upgrade rpms in the 'setup' stage, which is a stage that runs before configure and running services. In that way, we'll remove dependency cycles and make sure packages are upgraded before configure and running TripleO services.
Change-Id: I1be83f88be1959885c980ab4f428477d412751f7
2016-10-07 | Only run ceilometer::db::sync on bootstrap node | Alex Schultz | 1 | -2/+7
The ceilometer::db::sync is included by default in ceilometer::db but we only want it to run on the bootstrap node. This change passes the sync_db parameter to ceilometer::db to manage the db sync process rather than trying to manage the inclusion of ceilometer::db::sync within the profile class.
Change-Id: Ib56db1a90dd6fbfe7582fc57b7728df81942cce2
Closes-Bug: #1629373
2016-10-05 | Add ceph profile rspec testing | Alex Schultz | 6 | -0/+403
This change adds rspec testing for the ceph profiles in puppet-tripleo.
Change-Id: I08954e011848d6b747735f11b3cbff5707460c26
2016-09-30 | Add ceilometer profile rspec testing | Alex Schultz | 5 | -0/+309
This change adds rspec testing for the ceilometer profiles. While writing these tests, the tripleo::profile::base::ceilometer::collector class needed to have the hiera lookups moved to class parameters to allow for testing the possible options around the database backend. These tests add coverage for ipv4 and ipv6 configurations for the collector profile as well as excluding mongodb on the backend.
Change-Id: I1abae040104e8492a9fe266de74080e1e7701731
2016-09-30 | Add aodh profile rspec testing | Alex Schultz | 8 | -1/+349
This change adds rspec testing for the aodh profile and serves as an example as to how to add in spec testing using hieradata to provide some required parameters. This testing adds improved coverage for expectations around computed configuration items as well as for conditions around the steps within the tripleo deployment
Change-Id: Ic763a544289a222fea97020a98821c1e375651a3