path: root/spec
Age | Commit message | Author | Files | Lines
2017-07-31 | Enable TLS for the HAProxy stats interface | Juan Antonio Osorio Robles | 1 | -0/+104
This creates a new class for the stats interface and furtherly configures it to also use the certificates that are provided by certmonger (via the internal_certificates_specs variable). Note that the already existing haproxy_stats_certificate still works and will take precedence if it's set. bp tls-via-certmonger Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
2017-07-27 | Fix nova and selinux unit tests | Alex Schultz | 3 | -7/+30
The unit tests jobs are failing because of missing pre conditions for the new shared class introduced by Ib233689fdcdda391596d01a21f77bd8e1672ae04. Additionally this change moved some classes around so that the tests are now failing due to duplicate class declarations for nova::compute::libvirt::services. This change moves the include that pulls in the declaration first prior to the include that exists in tripleo::profile::base::nova::libvirt. The selinux test was also failing due to a type issue with the fact being used (boolean vs string) Change-Id: I5bd4b61d6008820729d58f7743e7e61955dd6f51 Closes-Bug: #1707034
2017-07-24 | Configure redis as incoming storage driver in gnocchi | Pradeep Kilambi | 1 | -0/+6
puppet support for this is added in Id8d4d091da2611de75390e045ebd473caf2a8909 Change-Id: I3354b54571a1b9d0a9187698217628d273cd7d7e
2017-07-21 | Deprecates using exec workaround for ODL clustering | Tim Rozet | 1 | -4/+2
Previously we had used an exec defined in puppet-tripleo to do clustering with OpenDaylight docker containers. The clustering issue is now fixed in puppet-opendaylight by: https://git.opendaylight.org/gerrit/#/c/60491 So removing the custom function and class workaround. Also, 'ha_node_index' is deprecated for configuring clustering with puppet-opendaylight so that is also removed. Depends-On: I21c1eb2eff6d4cb855eff4a1122f55ad625d84cc Change-Id: I7693b692c74071945fdcc08292542e9b458a540b Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-07-18 | Merge "Create a Mesh of qdrouterd links for messaging high availability" | Jenkins | 1 | -0/+119
2017-07-18 | Merge "Allow disabling udev usage by LVM" | Jenkins | 1 | -0/+53
2017-07-16 | Create a Mesh of qdrouterd links for messaging high availability | John Eckersberg | 1 | -0/+119
For multi-node deployments of the dispatch router, a mesh of inter-router links is created. Note that bi-directional links must not be configured.
Example: For nodes A, B, C
Node  Inter-Router Link
A:    []
B:    [A]
C:    [A,B]
Change-Id: If43beea7a53c1f8f1dff062341c7ea81751c3122
2017-07-15 | Update resource references for dependencies | Emilien Macchi | 1 | -0/+5
The latest version of puppet now reports these as catalog failures so this change removes the unnecessary references and the references should be updated. Closes-Bug: #1702964 Change-Id: Iebc547aa92f9f40e4a633c57d79e6c9cddb5dd28
2017-07-15 | Merge "Add new profile for the Veritas HyperScale's cinder backend." | Jenkins | 2 | -8/+87
2017-07-14 | Merge "Contrail: Fix controlplane/dataplane network asignments & enable optional dpdk" | Jenkins | 1 | -0/+6
2017-07-14 | Add new profile for the Veritas HyperScale's cinder backend. | abhishek.kane | 2 | -8/+87
Add new hook in the keystone profile for Veritas HyperScale. Add new hook in the rabbitmq profile for Veritas HyperScale. Add new hook in the mysql profile for Veritas HyperScale. Change-Id: I9168bffa5c73a205d1bb84b831b06081c40af549 Depends-On: I316b22f4f7f9f68fe5c46075dc348a70e437fb1d Depends-On: Id188af5e2f7bf628a97a70b8f20bef28e42b372d Signed-off-by: abhishek.kane <abhishek.kane@veritas.com> Signed-off-by: Dnyaneshwar Pawar <dnyaneshwar.pawar@veritas.com>
2017-07-13 | Merge "Refactor iscsi initiator-name reset into separate profile" | Jenkins | 2 | -9/+42
2017-07-13 | Remove dependency on memcached_node_ips_v6 | Steven Hardy | 1 | -1/+2
This is set via all_nodes_config in t-h-t, but it's a special case for this service, so it'll be better if we handle the ipv6 transformation in puppet instead of relying on the service specific list mangling in t-h-t (one aspect of which has been identified as a potential performance problem). Related-Bug: #1684272 Change-Id: Iccb9089db4b382db3adb9340f18f6d2364ca7f58
2017-07-12 | Merge "Refactor nova migration config into client & target profiles" | Jenkins | 8 | -424/+529
2017-07-12 | Merge "Do not fail if PCI device is missing" | Jenkins | 1 | -2/+2
2017-07-11 | Refactor iscsi initiator-name reset into separate profile | Oliver Walsh | 2 | -9/+42
This currently assumes nova-compute and iscsid run in the same context which isn't true for a containerized deployment Change-Id: I91f1ce7625c351745dbadd84b565d55598ea5b59
2017-07-05 | Contrail: Fix controlplane/dataplane network asignments & enable optional dpdk | Michael Henkel | 1 | -0/+6
This patch will move the Contrail roles communication towards OpenStack APIs from the public/external network to the internal_api network. I will also add the option to enable dpdk for Contrail. Change-Id: Ia835df656031cdf28de20f41ec6ab1c028dced23 Closes-Bug: 1698422
2017-07-03 | Refactor nova migration config into client & target profiles | Oliver Walsh | 8 | -424/+529
The nova migration config has always been applied by the base::nova profile. It assumed that libvirtd/nova-compute and are all running on the same host. Where this config didn't apply (e.g. a nova api host) it was disabled by a flag. This approach is not compatible with containers. Hieradata for all containers are combined so per-host flags no longer work, and we can no longer assume libvirtd and nova-compute run in the same context. This change refactors the profiles out of the base nova profile and into a client profile and a target profile that can be included where appropriate. Change-Id: I063a84a8e6da64ae3b09125cfa42e48df69adc12 Implements: blueprint tripleo-cold-migration
2017-06-29 | Do not fail if PCI device is missing | Brent Eagles | 1 | -2/+2
Fixes a problem where SR-IOV VF count configuration will fail if a physical function is in use by a guest when 'puppet apply' is executed. This change substitutes warnings for failures and skips complaints if a PCI device is unavailable. Note: this patch has the side-effect of allowing the same configuration data on hosts that may *not* or *ever* have PCI SR-IOV devices on the hardware. Time will tell how evil this is in practice. Closes-Bug: #1701284 Change-Id: I71edc135432ab2193741c37ce977dd11172401e6
2017-06-28 | Merge "Split docker options and insecure registry" | Jenkins | 1 | -6/+3
2017-06-27 | Allow disabling udev usage by LVM | Jiri Stransky | 1 | -0/+53
Disabling udev usage from LVM seems to be the only observed working way of running containerized cinder-volume with local LVM backend. I didn't come across reports that not using udev would have negative impact on the functionality. Additional info at https://groups.google.com/forum/#!topic/docker-user/n4Xtvsb4RAw Change-Id: I1bf395a6228dba66fa6bf9b8bcc9f3ac3d922a49 Related-Bug: #1700140
2017-06-27 | Split docker options and insecure registry | Bogdan Dobrelya | 1 | -6/+3
Use augeas to modify only parameters' dedicated configuration. Split options from insecure registry. Overlapping those params may unschedule the docker service restarts for some cases, ending up with a split brain state for the docker service run-time config vs changed /etc/sysconfig/options config. Change-Id: Ic5640061837b022f7175f0db0dc269f9a61e6023 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-06-27 | Always start httpd at the same time | Juan Antonio Osorio Robles | 4 | -7/+93
Puppet wipes out whatever is not in its resource catalog each run for httpd. This causes httpd to restart if in the next step there are resources added that were not there earlier. This patch, thus changes the instances of httpd to start at the same time: On step 3 for the bootstrap node, and on step 4 for every other node. Closes-Bug: #1699502 Change-Id: I3d29728c1ab7bd5b78100f89e00e5fa082f97b0c Co-Authored-By: Alex Schultz <aschultz@redhat.com>
2017-06-21 | Merge "Ignore failures when loading nf_conntrack_proto_sctp kernel module" | Jenkins | 1 | -0/+59
2017-06-20 | Ignore failures when loading nf_conntrack_proto_sctp kernel module | Or Idgar | 1 | -0/+59
Ignore failures if nf_conntrack_proto_sctp module failed to load. Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the kernel instead of as a module as the sctp support. TripleO will still try to load the module to support RHEL 7.3, but in the future will remove the module management and rely on the kernel provided in newer versions of RHEL. Co-Authored-By: Or Idgar <oidgar@redhat.com> Co-Authored-By: Alex Schultz <aschultz@redhat.com> Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: I8f1c841a7c0f3b1247aba2b959b6dfbe43d8cd79 Closes-Bug: 1695885
2017-06-20 | Add maxconn parameter to MySQL / HAProxy | Mike Bayer | 2 | -0/+118
Allows configurability of maxconn as applies to the MySQL section of the HAProxy config, both for clustercheck and single node. Also adds a new test for the haproxy class overall to exercise options. Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
2017-06-15 | Fix redis when hostname has capital letters | Alex Schultz | 2 | -0/+107
The bootstrap_nodeid comparison should be case insensitive. Change-Id: I1e6672bb0219c1cf56ab21dd911c6f33e2436cc3 Closes-Bug: #1698190
2017-06-15 | Move gnocchi upgrade and api to step 4 | Pradeep Kilambi | 1 | -20/+2
gnocchi upgrade requires storage sacks to be initialized. This means we need to ensure the storage backends are up before running the upgrade and starting the api. Let's move the api to step 4 so we can ensure other dependencies are in place. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: Ibfa9fb39f60c1e4a802d189b32ff4c34476c93d3 Change-Id: If2ae48b21389e76fd638c0b48c148a5d4f227630
2017-06-09 | Merge "Add resource to fetch CRL" | Jenkins | 1 | -0/+104
2017-06-08 | Merge "Move tripleo::certmonger::httpd to defines folder and fix suffix" | Jenkins | 1 | -0/+2
2017-06-08 | Add resource to fetch CRL | Juan Antonio Osorio Robles | 1 | -0/+104
This will fetch the CRL file from the specified file or URL. Furtherly it will set up a cron job to refresh the crl file once a week and notify the needed services. bp tls-via-certmonger Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
2017-06-08 | Merge "Add _spec suffix to class spec tests" | Jenkins | 5 | -0/+0
2017-06-08 | Merge "Add polkit rule to allow kolla nova user access to libvirtd socket on docker host" | Jenkins | 1 | -0/+79
2017-06-08 | Move tripleo::certmonger::httpd to defines folder and fix suffix | Juan Antonio Osorio Robles | 1 | -0/+2
It's a define, not a class. And it also needs the _spec suffix. Change-Id: Ie5e0cf81d03379d8b791fd77a5c78d12048ebfef
2017-06-08 | Add _spec suffix to class spec tests | Juan Antonio Osorio Robles | 5 | -0/+0
Some of them didn't have it. So I added it to them for uniformity. Change-Id: I2ea57d0ecfe151f9a14db9f7722a26f09aa8a506
2017-06-06 | Add polkit rule to allow kolla nova user access to libvirtd socket on docker host | Oliver Walsh | 1 | -0/+79
The polkit rules are currently evaluated in the context of the docker host. As a result the check fails for the kolla nova compute user, as the uids are not consistent with the host uids (in fact we probably can't assume a nova user exists on the docker host). As a short-term workaround a 'docker_nova' user group is created on the docker host and the polkit rule is updated to grant this user access to the libvirtd socket. Longer term solution probably requires running polkitd in a container too. Change-Id: I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Related-bug: #1693844
2017-06-05 | Add novajoin profile | Juan Antonio Osorio Robles | 1 | -0/+126
This is needed in order to deploy novajoin in a containerized undercloud environment. Change-Id: Iea461f66b8f4e3b01a0498e566a2c3684144df80
2017-05-24 | Move ceilometer upgrade step out of base | Pradeep Kilambi | 1 | -24/+0
ceilometer-upgrade should only run on controller nodes. Since it's currently in base profile, it gets triggered on compute as well. So instead split out the upgrade into its own and include when we deploy notification and central agents instead. Change-Id: I2910e8aa5da7fded4cf94b57fb0a14fefd88adbe Closes-bug: #1693339
2017-05-19 | Merge "Switch to overlay2 driver for storage" | Jenkins | 1 | -2/+57
2017-05-19 | Switch to overlay2 driver for storage | Dan Prince | 1 | -2/+57
This patch switches the default to the overlay2 storage driver and see if it helps performance. Background: The loopback driver is not recommended for production. Most other docker storage backends require extra disks (or partitions) which we don't have on the root disk. Overlay seems to make the most sense for TripleO upgrades where we intend to update in-place installations to use docker. Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
2017-05-18 | Merge "Update tox configuration" | Jenkins | 1 | -56/+1
2017-05-18 | Merge "Handle duplicate/invalid entries in migration SSH inbound addresses" | Jenkins | 1 | -0/+102
2017-05-18 | Merge "Disable SSH login for nova_migration user when migration over ssh is disabled." | Jenkins | 1 | -11/+49
2017-05-17 | Update tox configuration | Alex Schultz | 1 | -56/+1
Update the tox configuration to pull in the openstack upper-constraints.txt when running releasenotes. This will fix the releasenotes job that is currently failing due to a new version of sphinx. Additionally this change includes updates from puppet-modulesync-configs. Change-Id: Ie587bfde2367dfec796f1b07c01bba15d839a3b1 Related-Bug: #1691511
2017-05-13 | vhostuser socket dir shall be created for vhostuserclient mode | Karthik S | 2 | -0/+75
In order to support vhostuser client mode, a vhostuser_socket_dir needs to be created with qemu:qemu g+w permissions. Closes-Bug: #1675690 Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com> Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8 Signed-off-by: Karthik S <ksundara@redhat.com>
2017-05-05 | Handle duplicate/invalid entries in migration SSH inbound addresses | Oliver Walsh | 1 | -0/+102
An error (e.g. a typo) in a custom tripleo-heat-templates environment file could lead to an invalid match block in /etc/ssh/sshd_config. SSH fails-safe and refuses all logins in this case. This change validates the migration_ssh_localaddrs parameter is an array of IP addresses and removes any duplicate entries. Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25 Closes-Bug: #1688308
2017-05-05 | Disable SSH login for nova_migration user when migration over ssh is disabled. | Oliver Walsh | 1 | -11/+49
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary. Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3 Closes-Bug: #1688321
2017-05-03 | Restrict nova migration ssh tunnel | Oliver Walsh | 2 | -10/+160
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.
Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-04-25 | Merge "Enable internal network TLS for etcd" | Jenkins | 1 | -0/+60
2017-04-21 | Move ceilometer upgrade re-run out of collector | Pradeep Kilambi | 2 | -26/+25
Since collector is deprecated, let's move this out of collector.pp so it gets run and resource types are created appropriately even when collector is not included. Closes-bug: #1676961 Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481