summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ci/environments/scenario001-multinode.yaml1
-rw-r--r--deployed-server/deployed-server-bootstrap-centos.sh3
-rw-r--r--deployed-server/deployed-server-bootstrap-rhel.sh3
-rwxr-xr-xdeployed-server/scripts/get-occ-config.sh2
-rwxr-xr-xdocker/docker-puppet.py7
-rw-r--r--docker/services/README.rst8
-rw-r--r--docker/services/database/mongodb.yaml4
-rw-r--r--docker/services/keystone.yaml57
-rw-r--r--docker/services/nova-api.yaml3
-rw-r--r--docker/services/nova-compute.yaml11
-rw-r--r--docker/services/nova-ironic.yaml6
-rw-r--r--docker/services/nova-libvirt.yaml16
-rw-r--r--environments/deployed-server-environment.j2.yaml11
-rw-r--r--environments/deployed-server-environment.yaml4
-rw-r--r--environments/enable-internal-tls.yaml3
-rw-r--r--environments/major-upgrade-composable-steps-docker.yaml1
-rw-r--r--environments/major-upgrade-composable-steps.yaml1
-rw-r--r--environments/major-upgrade-converge-docker.yaml1
-rw-r--r--environments/major-upgrade-converge.yaml1
-rw-r--r--environments/nova-api-policy.yaml10
-rw-r--r--environments/services/panko.yaml2
-rwxr-xr-xextraconfig/tasks/yum_update.sh22
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml3
-rw-r--r--overcloud.j2.yaml32
-rw-r--r--puppet/config.role.j2.yaml2
-rw-r--r--puppet/major_upgrade_steps.j2.yaml9
-rw-r--r--puppet/services/aodh-api.yaml7
-rw-r--r--puppet/services/apache-internal-tls-certmonger.yaml75
-rw-r--r--puppet/services/apache.yaml44
-rw-r--r--puppet/services/barbican-api.yaml7
-rw-r--r--puppet/services/ceilometer-api.yaml7
-rw-r--r--puppet/services/ceilometer-base.yaml2
-rw-r--r--puppet/services/cinder-api.yaml7
-rw-r--r--puppet/services/cinder-volume.yaml6
-rw-r--r--puppet/services/congress.yaml8
-rw-r--r--puppet/services/database/mysql-internal-tls-certmonger.yaml47
-rw-r--r--puppet/services/database/mysql.yaml39
-rw-r--r--puppet/services/ec2-api.yaml7
-rw-r--r--puppet/services/glance-api.yaml7
-rw-r--r--puppet/services/gnocchi-api.yaml7
-rw-r--r--puppet/services/gnocchi-base.yaml6
-rw-r--r--puppet/services/heat-api.yaml7
-rw-r--r--puppet/services/ironic-api.yaml7
-rw-r--r--puppet/services/kernel.yaml2
-rw-r--r--puppet/services/keystone.yaml7
-rw-r--r--puppet/services/mistral-api.yaml7
-rw-r--r--puppet/services/neutron-api.yaml16
-rw-r--r--puppet/services/neutron-base.yaml6
-rw-r--r--puppet/services/neutron-ovs-dpdk-agent.yaml5
-rw-r--r--puppet/services/nova-api.yaml7
-rw-r--r--puppet/services/nova-base.yaml6
-rw-r--r--puppet/services/nova-compute.yaml8
-rw-r--r--puppet/services/nova-ironic.yaml4
-rw-r--r--puppet/services/octavia-api.yaml7
-rw-r--r--puppet/services/octavia-base.yaml6
-rw-r--r--puppet/services/opendaylight-ovs.yaml6
-rw-r--r--puppet/services/panko-api.yaml7
-rw-r--r--puppet/services/rabbitmq-internal-tls-certmonger.yaml47
-rw-r--r--puppet/services/rabbitmq.yaml37
-rw-r--r--puppet/services/sahara-api.yaml7
-rw-r--r--puppet/services/tacker.yaml7
-rw-r--r--puppet/services/tripleo-firewall.yaml6
-rw-r--r--puppet/services/zaqar.yaml7
-rw-r--r--releasenotes/notes/api-policy-4ca739519537f6f4.yaml13
-rw-r--r--releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml6
-rw-r--r--releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml5
-rw-r--r--releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml4
-rw-r--r--releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml6
-rw-r--r--releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml4
-rw-r--r--releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml11
-rw-r--r--releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml4
-rw-r--r--requirements.txt2
-rw-r--r--setup.py2
73 files changed, 450 insertions, 325 deletions
diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml
index a6f35711..2203665a 100644
--- a/ci/environments/scenario001-multinode.yaml
+++ b/ci/environments/scenario001-multinode.yaml
@@ -4,7 +4,6 @@ resource_registry:
OS::TripleO::Services::CephMon: ../../puppet/services/ceph-mon.yaml
OS::TripleO::Services::CephOSD: ../../puppet/services/ceph-osd.yaml
OS::TripleO::Services::CephClient: ../../puppet/services/ceph-client.yaml
- OS::TripleO::Services::PankoApi: ../../puppet/services/panko-api.yaml
OS::TripleO::Services::Collectd: ../../puppet/services/metrics/collectd.yaml
OS::TripleO::Services::Tacker: ../../puppet/services/tacker.yaml
OS::TripleO::Services::Congress: ../../puppet/services/congress.yaml
diff --git a/deployed-server/deployed-server-bootstrap-centos.sh b/deployed-server/deployed-server-bootstrap-centos.sh
index 7266ca57..c86e771c 100644
--- a/deployed-server/deployed-server-bootstrap-centos.sh
+++ b/deployed-server/deployed-server-bootstrap-centos.sh
@@ -8,7 +8,8 @@ yum install -y \
openstack-puppet-modules \
os-net-config \
openvswitch \
- python-heat-agent*
+ python-heat-agent* \
+ openstack-selinux
ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules
diff --git a/deployed-server/deployed-server-bootstrap-rhel.sh b/deployed-server/deployed-server-bootstrap-rhel.sh
index 36ff0077..10b4999b 100644
--- a/deployed-server/deployed-server-bootstrap-rhel.sh
+++ b/deployed-server/deployed-server-bootstrap-rhel.sh
@@ -8,6 +8,7 @@ yum install -y \
openstack-puppet-modules \
os-net-config \
openvswitch \
- python-heat-agent*
+ python-heat-agent* \
+ openstack-selinux
ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules
diff --git a/deployed-server/scripts/get-occ-config.sh b/deployed-server/scripts/get-occ-config.sh
index 6c196f97..d0cc4dff 100755
--- a/deployed-server/scripts/get-occ-config.sh
+++ b/deployed-server/scripts/get-occ-config.sh
@@ -63,7 +63,7 @@ for role in $OVERCLOUD_ROLES; do
rg_stack=$(openstack stack resource show overcloud $role -c physical_resource_id -f value)
done
- stacks=$(openstack stack resource list $rg_stack -c physical_resource_id -f value)
+ stacks=$(openstack stack resource list $rg_stack -c resource_name -c physical_resource_id -f json | jq -r "sort_by(.resource_name) | .[] | .physical_resource_id")
i=0
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index 0f079436..eb647737 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -205,7 +205,8 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
'--volume', '%s:%s:rw' % (sh_script, sh_script) ]
for volume in volumes:
- dcmd.extend(['--volume', volume])
+ if volume:
+ dcmd.extend(['--volume', volume])
dcmd.extend(['--entrypoint', sh_script])
@@ -246,9 +247,9 @@ for config_volume in configs:
volumes = service[4] if len(service) > 4 else []
if puppet_tags:
- puppet_tags = "file,file_line,concat,%s" % puppet_tags
+ puppet_tags = "file,file_line,concat,augeas,%s" % puppet_tags
else:
- puppet_tags = "file,file_line,concat"
+ puppet_tags = "file,file_line,concat,augeas"
process_map.append([config_volume, puppet_tags, manifest, config_image, volumes])
diff --git a/docker/services/README.rst b/docker/services/README.rst
index 219f35eb..84ac842e 100644
--- a/docker/services/README.rst
+++ b/docker/services/README.rst
@@ -23,7 +23,7 @@ puppet (our configuration tool of choice) into the Kolla base images. The
undercloud nova-scheduler also requires openstack-tripleo-common to
provide custom filters.
-To build Kolla images for TripleO adjust your kolla config to build your
+To build Kolla images for TripleO adjust your kolla config [*]_ to build your
centos base image with puppet using the example below:
.. code-block::
@@ -37,6 +37,10 @@ kolla-build --base centos --template-override template-overrides.j2
..
+.. [*] See the
+ `override file <https://github.com/openstack/tripleo-common/blob/master/contrib/tripleo_kolla_template_overrides.j2>`_
+ which can be used to build Kolla packages that work with TripleO, and an
+ `example build script <https://github.com/dprince/undercloud_containers/blob/master/build_kolla.sh>_.
Docker settings
---------------
@@ -70,7 +74,7 @@ are re-asserted when applying latter ones.
* puppet_tags: Puppet resource tag names that are used to generate config
files with puppet. Only the named config resources are used to generate
a config file. Any service that specifies tags will have the default
- tags of 'file,concat,file_line' appended to the setting.
+ tags of 'file,concat,file_line,augeas' appended to the setting.
Example: keystone_config
* config_volume: The name of the volume (directory) where config files
diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml
index 265558a4..15795828 100644
--- a/docker/services/database/mongodb.yaml
+++ b/docker/services/database/mongodb.yaml
@@ -102,8 +102,8 @@ outputs:
step_config: 'include ::tripleo::profile::base::database::mongodb'
config_image: *mongodb_image
volumes:
- - "mongodb:/var/lib/mongodb/"
- - "logs:/var/log/kolla:ro"
+ - /var/lib/mongodb:/var/lib/mongodb
+ - logs:/var/log/kolla:ro
host_prep_tasks:
- name: create /var/lib/mongodb
file:
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 63713677..0597b906 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -33,7 +33,7 @@ parameters:
KeystoneTokenProvider:
description: The keystone token format
type: string
- default: 'uuid'
+ default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
@@ -46,9 +46,6 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
-conditions:
- keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
-
outputs:
role_data:
description: Role data for the Keystone API role.
@@ -76,53 +73,6 @@ outputs:
kolla_config:
/var/lib/kolla/config_files/keystone.json:
command: /usr/sbin/httpd -DFOREGROUND
- config_files:
- - dest: /etc/keystone/keystone.conf
- owner: keystone
- perm: '0640'
- source: /var/lib/kolla/config_files/src/etc/keystone/keystone.conf
- - dest: /etc/keystone/credential-keys/0
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/0
- - dest: /etc/keystone/credential-keys/1
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
- - dest: /etc/keystone/fernet-keys/0
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
- optional: {if: [keystone_fernet_tokens, false, true]}
- - dest: /etc/keystone/fernet-keys/1
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
- optional: {if: [keystone_fernet_tokens, false, true]}
- - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_admin.conf
- - dest: /etc/httpd/conf.d/10-keystone_wsgi_main.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_main.conf
- - dest: /etc/httpd/conf/httpd.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf
- - dest: /etc/httpd/conf/ports.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf
- - dest: /var/www/cgi-bin/keystone/keystone-admin
- owner: keystone
- perm: '0644'
- source: /var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-admin
- - dest: /var/www/cgi-bin/keystone/keystone-public
- owner: keystone
- perm: '0644'
- source: /var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-public
docker_config:
step_3:
keystone-init-log:
@@ -140,8 +90,9 @@ outputs:
detach: false
volumes: &keystone_volumes
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/config-data/keystone/:/var/lib/kolla/config_files/src:ro
- - /var/lib/config-data/keystone/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro
+ - /var/lib/config-data/keystone/var/www/:/var/www/:ro
+ - /var/lib/config-data/keystone/etc/keystone/:/etc/keystone/:ro
+ - /var/lib/config-data/keystone/etc/httpd/:/etc/httpd/:ro
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- logs:/var/log
diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml
index 9e203b7a..e5c78d6c 100644
--- a/docker/services/nova-api.yaml
+++ b/docker/services/nova-api.yaml
@@ -134,8 +134,9 @@ outputs:
- /etc/localtime:/etc/localtime:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ step_5:
nova_api_discover_hosts:
- start_order: 3
+ start_order: 1
image: *nova_api_image
net: host
detach: false
diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml
index 7fc00b47..957eed7f 100644
--- a/docker/services/nova-compute.yaml
+++ b/docker/services/nova-compute.yaml
@@ -83,6 +83,15 @@ outputs:
- /lib/modules:/lib/modules:ro
- /run:/run
- /var/lib/nova:/var/lib/nova
- - libvirtd:/var/lib/libvirt
+ - /var/lib/libvirt:/var/lib/libvirt
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ host_prep_tasks:
+ - name: create /var/lib/libvirt
+ file:
+ path: /var/lib/libvirt
+ state: directory
+ upgrade_tasks:
+ - name: Stop and disable nova-compute service
+ tags: step2
+ service: name=nova-compute state=stopped enabled=no
diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml
index 170468a5..3d849f59 100644
--- a/docker/services/nova-ironic.yaml
+++ b/docker/services/nova-ironic.yaml
@@ -85,6 +85,10 @@ outputs:
- /run:/run
- /dev:/dev
- /etc/iscsi:/etc/iscsi
- - nova_compute:/var/lib/nova/
+ - /var/lib/nova/:/var/lib/nova
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ upgrade_tasks:
+ - name: Stop and disable nova-compute service
+ tags: step2
+ service: name=nova-compute state=stopped enabled=no
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 85fabe5a..480bb80e 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -88,7 +88,19 @@ outputs:
- /var/lib/nova:/var/lib/nova
# Needed to use host's virtlogd
- /var/run/libvirt:/var/run/libvirt
- - libvirtd:/var/lib/libvirt
- - nova_libvirt_qemu:/etc/libvirt/qemu
+ - /var/lib/libvirt:/var/lib/libvirt
+ - /etc/libvirt/qemu:/etc/libvirt/qemu
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ host_prep_tasks:
+ - name: create libvirt persistent data directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /etc/libvirt/qemu
+ - /var/lib/libvirt
+ upgrade_tasks:
+ - name: Stop and disable libvirtd service
+ tags: step2
+ service: name=libvirtd state=stopped enabled=no
diff --git a/environments/deployed-server-environment.j2.yaml b/environments/deployed-server-environment.j2.yaml
new file mode 100644
index 00000000..327934da
--- /dev/null
+++ b/environments/deployed-server-environment.j2.yaml
@@ -0,0 +1,11 @@
+resource_registry:
+ OS::TripleO::Server: ../deployed-server/deployed-server.yaml
+ OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port
+ OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None
+
+{% for role in roles %}
+ # Default nic config mappings
+ OS::TripleO::{{role.name}}::Net::SoftwareConfig: ../net-config-static.yaml
+{% endfor %}
+
+ OS::TripleO::ControllerDeployedServer::Net::SoftwareConfig: ../net-config-static-bridge.yaml
diff --git a/environments/deployed-server-environment.yaml b/environments/deployed-server-environment.yaml
deleted file mode 100644
index 7bc1bd9b..00000000
--- a/environments/deployed-server-environment.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-resource_registry:
- OS::TripleO::Server: ../deployed-server/deployed-server.yaml
- OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port
- OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index e245a6af..2fdecb4f 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -12,9 +12,6 @@ resource_registry:
OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
- OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
- OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
- OS::TripleO::Services::RabbitMQTLS: ../puppet/services/rabbitmq-internal-tls-certmonger.yaml
# We use apache as a TLS proxy
OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
diff --git a/environments/major-upgrade-composable-steps-docker.yaml b/environments/major-upgrade-composable-steps-docker.yaml
index 5fa2f2d8..40da726d 100644
--- a/environments/major-upgrade-composable-steps-docker.yaml
+++ b/environments/major-upgrade-composable-steps-docker.yaml
@@ -4,6 +4,7 @@ resource_registry:
# enough (as we want to share the ansible tasks steps etc)
OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml
parameter_defaults:
+ EnableConfigPurge: false
UpgradeLevelNovaCompute: auto
UpgradeInitCommonCommand: |
#!/bin/bash
diff --git a/environments/major-upgrade-composable-steps.yaml b/environments/major-upgrade-composable-steps.yaml
index 9ecc2251..3bc9faa2 100644
--- a/environments/major-upgrade-composable-steps.yaml
+++ b/environments/major-upgrade-composable-steps.yaml
@@ -1,6 +1,7 @@
resource_registry:
OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml
parameter_defaults:
+ EnableConfigPurge: true
UpgradeLevelNovaCompute: auto
UpgradeInitCommonCommand: |
#!/bin/bash
diff --git a/environments/major-upgrade-converge-docker.yaml b/environments/major-upgrade-converge-docker.yaml
index 463206f1..a3816b50 100644
--- a/environments/major-upgrade-converge-docker.yaml
+++ b/environments/major-upgrade-converge-docker.yaml
@@ -3,5 +3,6 @@
resource_registry:
OS::TripleO::PostDeploySteps: ../docker/post.yaml
parameter_defaults:
+ EnableConfigPurge: false
UpgradeLevelNovaCompute: ''
UpgradeInitCommonCommand: ''
diff --git a/environments/major-upgrade-converge.yaml b/environments/major-upgrade-converge.yaml
index f09fb20e..4e8bf46b 100644
--- a/environments/major-upgrade-converge.yaml
+++ b/environments/major-upgrade-converge.yaml
@@ -3,5 +3,6 @@
resource_registry:
OS::TripleO::PostDeploySteps: ../puppet/post.yaml
parameter_defaults:
+ EnableConfigPurge: false
UpgradeLevelNovaCompute: ''
UpgradeInitCommonCommand: ''
diff --git a/environments/nova-api-policy.yaml b/environments/nova-api-policy.yaml
new file mode 100644
index 00000000..681bd010
--- /dev/null
+++ b/environments/nova-api-policy.yaml
@@ -0,0 +1,10 @@
+# A Heat environment file which can be used to configure access policies for
+# Nova API resources. It is here for example and doesn't cover all services
+# but just Nova here.
+# While recipes for editing policy.json files is supported, modifying the
+# policy can have unexpected side effects and is not encouraged.
+
+parameter_defaults:
+ # The target is "compute:get_all", the "list all instances" API of the Compute service.
+ # The rule is an empty string meaning "always". This policy allows anybody to list instances.
+ NovaApiPolicies: { nova-context_is_admin: { key: 'compute:get_all', value: '' } }
diff --git a/environments/services/panko.yaml b/environments/services/panko.yaml
deleted file mode 100644
index 28bf99f6..00000000
--- a/environments/services/panko.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resource_registry:
- OS::TripleO::Services::PankoApi: ../../puppet/services/panko-api.yaml
diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh
index 3bf72f14..d3d38114 100755
--- a/extraconfig/tasks/yum_update.sh
+++ b/extraconfig/tasks/yum_update.sh
@@ -113,15 +113,19 @@ if [[ "$pacemaker_status" == "active" ]] ; then
fi
done
- tstart=$(date +%s)
- while ! clustercheck; do
- sleep 5
- tnow=$(date +%s)
- if (( tnow-tstart > galera_sync_timeout )) ; then
- echo "ERROR galera sync timed out"
- exit 1
- fi
- done
+ RETVAL=$( pcs resource show galera-master | grep wsrep_cluster_address | grep -q `crm_node -n` ; echo $? )
+
+ if [[ $RETVAL -eq 0 && -e /etc/sysconfig/clustercheck ]]; then
+ tstart=$(date +%s)
+ while ! clustercheck; do
+ sleep 5
+ tnow=$(date +%s)
+ if (( tnow-tstart > galera_sync_timeout )) ; then
+ echo "ERROR galera sync timed out"
+ exit 1
+ fi
+ done
+ fi
echo "Waiting for pacemaker cluster to settle"
if ! timeout -k 10 $cluster_settle_timeout crm_resource --wait; then
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index d9eaf8df..b294d7cb 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -120,7 +120,6 @@ resource_registry:
# services
OS::TripleO::Services: puppet/services/services.yaml
OS::TripleO::Services::Apache: puppet/services/apache.yaml
- OS::TripleO::Services::ApacheTLS: OS::Heat::None
OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
OS::TripleO::Services::CephMds: OS::Heat::None
OS::TripleO::Services::CephMon: OS::Heat::None
@@ -144,7 +143,6 @@ resource_registry:
OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
- OS::TripleO::Services::MySQLTLS: OS::Heat::None
OS::TripleO::Services::NeutronBgpvpnApi: OS::Heat::None
OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml
@@ -170,7 +168,6 @@ resource_registry:
OS::TripleO::Services::PacemakerRemote: OS::Heat::None
OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml
- OS::TripleO::Services::RabbitMQTLS: OS::Heat::None
OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml
OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None
OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index e99f770f..cb240022 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -114,6 +114,11 @@ parameters:
description: What interface to add to the HypervisorNeutronPhysicalBridge.
type: string
+ NodeCreateBatchSize:
+ default: 30
+ description: Maxiumum batch size for creating nodes
+ type: number
+
# Jinja loop for Role in role_data.yaml
{% for role in roles %}
# Parameters generated for {{role.name}} Role
@@ -339,6 +344,9 @@ resources:
{{role.name}}:
type: OS::Heat::ResourceGroup
depends_on: Networks
+ update_policy:
+ batch_create:
+ max_batch_size: {get_param: NodeCreateBatchSize}
properties:
count: {get_param: {{role.name}}Count}
removal_policies: {get_param: {{role.name}}RemovalPolicies}
@@ -579,12 +587,24 @@ resources:
PingTestIps:
list_join:
- ' '
- - - {get_attr: [{{primary_role_name}}, resource.0.external_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.internal_api_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.storage_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.storage_mgmt_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.tenant_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.management_ip_address]}
+ - - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [{{primary_role_name}}, external_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [{{primary_role_name}}, internal_api_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [{{primary_role_name}}, storage_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [{{primary_role_name}}, storage_mgmt_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [{{primary_role_name}}, tenant_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [{{primary_role_name}}, management_ip_address]}
UpdateWorkflow:
type: OS::TripleO::Tasks::UpdateWorkflow
diff --git a/puppet/config.role.j2.yaml b/puppet/config.role.j2.yaml
index 7337d062..cdbc76f0 100644
--- a/puppet/config.role.j2.yaml
+++ b/puppet/config.role.j2.yaml
@@ -38,7 +38,7 @@ resources:
- ''
- list_join:
- ','
- - ['file,concat,file_line', {get_param: PuppetTags}]
+ - ['file,concat,file_line,augeas', {get_param: PuppetTags}]
outputs:
- name: result
inputs:
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index 6f2dd684..5aba90e8 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
@@ -65,18 +65,21 @@ resources:
- " crudini --set /etc/nova/nova.conf placement project_domain_name Default\n\n"
- " crudini --set /etc/nova/nova.conf placement user_domain_name Default\n\n"
- " crudini --set /etc/nova/nova.conf placement project_name service\n\n"
- - " systemctl restart openstack-nova-compute\n\n"
- - "fi\n\n"
- str_replace:
template: |
crudini --set /etc/nova/nova.conf placement password 'SERVICE_PASSWORD'
crudini --set /etc/nova/nova.conf placement region_name 'REGION_NAME'
crudini --set /etc/nova/nova.conf placement auth_url 'AUTH_URL'
- ROLE='ROLE_NAME'
params:
SERVICE_PASSWORD: { get_param: NovaPassword }
REGION_NAME: { get_param: KeystoneRegion }
AUTH_URL: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+ - " systemctl restart openstack-nova-compute\n\n"
+ - "fi\n\n"
+ - str_replace:
+ template: |
+ ROLE='ROLE_NAME'
+ params:
ROLE_NAME: {{role.name}}
- get_file: ../extraconfig/tasks/pacemaker_common_functions.sh
- get_file: ../extraconfig/tasks/run_puppet.sh
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index d7c87b61..7cc6e4c6 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -24,6 +24,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ AodhApiPolicies:
+ description: |
+ A hash of policies to configure for Aodh API.
+ e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
AodhBase:
@@ -61,6 +67,7 @@ outputs:
aodh::wsgi::apache::wsgi_process_display_name: 'aodh_wsgi'
aodh::api::service_name: 'httpd'
aodh::api::enable_proxy_headers_parsing: true
+ aodh::policy::policies: {get_param: AodhApiPolicies}
tripleo.aodh_api.firewall_rules:
'128 aodh-api':
dport:
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
deleted file mode 100644
index 4c94f440..00000000
--- a/puppet/services/apache-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-heat_template_version: ocata
-
-description: >
- Apache service TLS configurations.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-resources:
-
- ApacheNetworks:
- type: OS::Heat::Value
- properties:
- value:
- # NOTE(jaosorior) Get unique network names to create
- # certificates for those. We skip the tenant network since
- # we don't need a certificate for that, and the external
- # network will be handled in another template.
- yaql:
- expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
- data:
- map:
- get_param: ServiceNetMap
-
-outputs:
- role_data:
- description: Role data for the Apache role.
- value:
- service_name: apache_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- apache_certificates_specs:
- map_merge:
- repeat:
- template:
- httpd-NETWORK:
- service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
- service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
- hostname: "%{hiera('fqdn_NETWORK')}"
- principal: "HTTP/%{hiera('fqdn_NETWORK')}"
- for_each:
- NETWORK: {get_attr: [ApacheNetworks, value]}
- metadata_settings:
- repeat:
- template:
- - service: HTTP
- network: $NETWORK
- type: node
- for_each:
- $NETWORK: {get_attr: [ApacheNetworks, value]}
- upgrade_tasks:
- - name: Check if httpd is deployed
- command: systemctl is-enabled httpd
- tags: common
- ignore_errors: True
- register: httpd_enabled
- - name: "PreUpgrade step0,validation: Check service httpd is running"
- shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
- when: httpd_enabled.rc == 0
- tags: step0,validation
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index 2d950151..9bd282f8 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -31,13 +31,25 @@ parameters:
type: boolean
default: false
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
- ApacheTLS:
- type: OS::TripleO::Services::ApacheTLS
+ ApacheNetworks:
+ type: OS::Heat::Value
properties:
- ServiceNetMap: {get_param: ServiceNetMap}
+ value:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # is for HAProxy so it isn't used for apache either.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
outputs:
role_data:
@@ -46,7 +58,6 @@ outputs:
service_name: apache
config_settings:
map_merge:
- - get_attr: [ApacheTLS, role_data, config_settings]
-
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
@@ -64,8 +75,31 @@ outputs:
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
+ -
+ generate_service_certificates: true
+ apache_certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ httpd-NETWORK:
+ service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+ hostname: "%{hiera('fqdn_NETWORK')}"
+ principal: "HTTP/%{hiera('fqdn_NETWORK')}"
+ for_each:
+ NETWORK: {get_attr: [ApacheNetworks, value]}
metadata_settings:
- get_attr: [ApacheTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ repeat:
+ template:
+ - service: HTTP
+ network: $NETWORK
+ type: node
+ for_each:
+ $NETWORK: {get_attr: [ApacheNetworks, value]}
+ - null
upgrade_tasks:
- name: Check if httpd is deployed
command: systemctl is-enabled httpd
diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml
index d8787c87..91a5b01c 100644
--- a/puppet/services/barbican-api.yaml
+++ b/puppet/services/barbican-api.yaml
@@ -55,6 +55,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ BarbicanPolicies:
+ description: |
+ A hash of policies to configure for Barbican.
+ e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -77,6 +83,7 @@ outputs:
barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
+ barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index f5ee9d40..ba94b451 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -29,6 +29,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ CeilometerApiPolicies:
+ description: |
+ A hash of policies to configure for Ceilometer API.
+ e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
CeilometerServiceBase:
@@ -78,6 +84,7 @@ outputs:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
+ ceilometer::policy::policies: {get_param: CeilometerApiPolicies}
ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS}
ceilometer::wsgi::apache::servername:
diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml
index a9c84289..a6fd304c 100644
--- a/puppet/services/ceilometer-base.yaml
+++ b/puppet/services/ceilometer-base.yaml
@@ -37,7 +37,7 @@ parameters:
constraints:
- allowed_values: ['gnocchi', 'database']
CeilometerEventDispatcher:
- default: ['gnocchi']
+ default: ['panko', 'gnocchi']
description: Comma-separated list of Dispatchers to process events data
type: comma_delimited_list
constraints:
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 958b0e7d..c1e6b0b0 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -46,6 +46,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ CinderApiPolicies:
+ description: |
+ A hash of policies to configure for Cinder API.
+ e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
@@ -86,6 +92,7 @@ outputs:
cinder::keystone::authtoken::project_name: 'service'
cinder::keystone::authtoken::user_domain_name: 'Default'
cinder::keystone::authtoken::project_domain_name: 'Default'
+ cinder::policy::policies: {get_param: CinderApiPolicies}
cinder::api::enable_proxy_headers_parsing: true
cinder::api::nova_catalog_info: 'compute:nova:internalURL'
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index b52955ef..26f1a96f 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
@@ -94,11 +94,7 @@ outputs:
tripleo::profile::base::cinder::volume::cinder_enable_nfs_backend: {get_param: CinderEnableNfsBackend}
tripleo::profile::base::cinder::volume::cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend}
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_mount_options: {get_param: CinderNfsMountOptions}
- tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers:
- str_replace:
- template: SERVERS
- params:
- SERVERS: {get_param: CinderNfsServers}
+ tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: {get_param: CinderNfsServers}
tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol}
diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml
index fd1ee24b..1d9eecb1 100644
--- a/puppet/services/congress.yaml
+++ b/puppet/services/congress.yaml
@@ -47,6 +47,12 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ CongressPolicies:
+ description: |
+ A hash of policies to configure for Congress.
+ e.g. { congress-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
outputs:
role_data:
@@ -86,10 +92,12 @@ outputs:
congress::db::mysql::allowed_hosts:
- '%'
- {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ congress::policy::policies: {get_param: CongressPolicies}
service_config_settings:
keystone:
congress::keystone::auth::tenant: 'service'
+ congress::keystone::auth::region: {get_param: KeystoneRegion}
congress::keystone::auth::password: {get_param: CongressPassword}
congress::keystone::auth::public_url: {get_param: [EndpointMap, CongressPublic, uri]}
congress::keystone::auth::internal_url: {get_param: [EndpointMap, CongressInternal, uri]}
diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
deleted file mode 100644
index 9f7eaf57..00000000
--- a/puppet/services/database/mysql-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
- MySQL configurations for using TLS via certmonger.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-outputs:
- role_data:
- description: MySQL configurations for using TLS via certmonger.
- value:
- service_name: mysql_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- tripleo::profile::base::database::mysql::certificate_specs:
- service_certificate: '/etc/pki/tls/certs/mysql.crt'
- service_key: '/etc/pki/tls/private/mysql.key'
- hostname:
- str_replace:
- template: "%{hiera('cloud_name_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- principal:
- str_replace:
- template: "mysql/%{hiera('cloud_name_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- metadata_settings:
- - service: mysql
- network: {get_param: [ServiceNetMap, MysqlNetwork]}
- type: vip
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 808f1353..da55da3c 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -23,6 +23,10 @@ parameters:
description: Configures MySQL max_connections config setting
type: number
default: 4096
+ MysqlIncreaseFileLimit:
+ description: Flag to increase MySQL open-files-limit to 16384
+ type: boolean
+ default: true
MysqlRootPassword:
type: string
hidden: true
@@ -38,13 +42,13 @@ parameters:
description: The password for the nova db account
type: string
hidden: true
+ EnableInternalTLS:
+ type: boolean
+ default: false
-resources:
+conditions:
- MySQLTLS:
- type: OS::TripleO::Services::MySQLTLS
- properties:
- ServiceNetMap: {get_param: ServiceNetMap}
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@@ -53,7 +57,6 @@ outputs:
service_name: mysql
config_settings:
map_merge:
- - get_attr: [MySQLTLS, role_data, config_settings]
-
# The Galera package should work in cluster and
# non-cluster modes based on the config file.
@@ -96,10 +99,32 @@ outputs:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
tripleo::profile::base::database::mysql::client_bind_address:
{get_param: [ServiceNetMap, MysqlNetwork]}
+ tripleo::profile::base::database::mysql::generate_dropin_file_limit:
+ {get_param: MysqlIncreaseFileLimit}
+ - generate_service_certificates: true
+ tripleo::profile::base::database::mysql::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/mysql.crt'
+ service_key: '/etc/pki/tls/private/mysql.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ principal:
+ str_replace:
+ template: "mysql/%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
step_config: |
include ::tripleo::profile::base::database::mysql
metadata_settings:
- get_attr: [MySQLTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ - service: mysql
+ network: {get_param: [ServiceNetMap, MysqlNetwork]}
+ type: vip
+ - null
upgrade_tasks:
- name: Check for galera root password
tags: step0
diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml
index 10f6d311..eef2a76f 100644
--- a/puppet/services/ec2-api.yaml
+++ b/puppet/services/ec2-api.yaml
@@ -42,6 +42,12 @@ parameters:
default: 'false'
description: Set to true to enable package installation via Puppet
type: boolean
+ Ec2ApiPolicies:
+ description: |
+ A hash of policies to configure for EC2-API.
+ e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
@@ -67,6 +73,7 @@ outputs:
ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword}
ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ec2api::policy::policies: {get_param: Ec2ApiPolicies}
ec2api::api::enabled: true
ec2api::package_manage: {get_param: EnablePackageInstall}
ec2api::api::ec2api_listen:
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index b06f9993..f61e6154 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -110,6 +110,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ GlanceApiPolicies:
+ description: |
+ A hash of policies to configure for Glance API.
+ e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
@@ -155,6 +161,7 @@ outputs:
glance::api::enable_proxy_headers_parsing: true
glance::api::debug: {get_param: Debug}
glance::api::workers: {get_param: GlanceWorkers}
+ glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo.glance_api.firewall_rules:
'112 glance_api':
dport:
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index f4629917..cd323703 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -44,6 +44,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ GnocchiApiPolicies:
+ description: |
+ A hash of policies to configure for Gnocchi API.
+ e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -83,6 +89,7 @@ outputs:
gnocchi::api::enabled: true
gnocchi::api::enable_proxy_headers_parsing: true
gnocchi::api::service_name: 'httpd'
+ gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml
index d7555561..dc6daece 100644
--- a/puppet/services/gnocchi-base.yaml
+++ b/puppet/services/gnocchi-base.yaml
@@ -32,10 +32,6 @@ parameters:
CephClientUserName:
default: openstack
type: string
- KeystoneRegion:
- type: string
- default: 'regionOne'
- description: Keystone region for endpoint
RedisPassword:
description: The password for the redis service account.
type: string
@@ -72,7 +68,7 @@ outputs:
gnocchi::storage::swift::swift_user: 'service:gnocchi'
gnocchi::storage::swift::swift_auth_version: 3
gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword}
- gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
gnocchi::storage::ceph::ceph_pool: {get_param: GnocchiRbdPoolName}
gnocchi::storage::ceph::ceph_username: {get_param: CephClientUserName}
gnocchi::storage::ceph::ceph_keyring:
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
index e21369e8..f8128bb8 100644
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@@ -41,6 +41,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ HeatApiPolicies:
+ description: |
+ A hash of policies to configure for Heat API.
+ e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]}
@@ -82,6 +88,7 @@ outputs:
- 13004
heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]}
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
+ heat::policy::policies: {get_param: HeatApiPolicies}
heat::api::service_name: 'httpd'
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml
index e24d0de6..1f18cb1b 100644
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@@ -29,6 +29,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ IronicApiPolicies:
+ description: |
+ A hash of policies to configure for Ironic API.
+ e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
IronicBase:
@@ -64,6 +70,7 @@ outputs:
ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
# This is used to build links in responses
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
+ ironic::policy::policies: {get_param: IronicApiPolicies}
tripleo.ironic_api.firewall_rules:
'133 ironic api':
dport:
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index fec455d1..ee4c771f 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -56,5 +56,7 @@ outputs:
value: 10000
kernel.pid_max:
value: {get_param: KernelPidMax}
+ kernel.dmesg_restrict:
+ value: 1
step_config: |
include ::tripleo::profile::base::kernel
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 17616867..0976b97c 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -158,6 +158,12 @@ parameters:
description: >
Cron to purge expired tokens - User
default: 'keystone'
+ KeystonePolicies:
+ description: |
+ A hash of policies to configure for Keystone.
+ e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -197,6 +203,7 @@ outputs:
keystone::admin_token: {get_param: AdminToken}
keystone::admin_password: {get_param: AdminPassword}
keystone::roles::admin::password: {get_param: AdminPassword}
+ keystone::policy::policies: {get_param: KeystonePolicies}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
keystone::token_provider: {get_param: KeystoneTokenProvider}
diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml
index 1c7d6bd3..02c69392 100644
--- a/puppet/services/mistral-api.yaml
+++ b/puppet/services/mistral-api.yaml
@@ -22,6 +22,12 @@ parameters:
default: 1
description: The number of workers for the mistral-api.
type: number
+ MistralApiPolicies:
+ description: |
+ A hash of policies to configure for Mistral API.
+ e.g. { mistral-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
MistralBase:
@@ -41,6 +47,7 @@ outputs:
- get_attr: [MistralBase, role_data, config_settings]
- mistral::api::api_workers: {get_param: MistralWorkers}
mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]}
+ mistral::policy::policies: {get_param: MistralApiPolicies}
tripleo.mistral_api.firewall_rules:
'133 mistral':
dport:
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index bb102c08..9b9d1c72 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -57,6 +57,15 @@ parameters:
default:
tag: openstack.neutron.api
path: /var/log/neutron/server.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ NeutronApiPolicies:
+ description: |
+ A hash of policies to configure for Neutron API.
+ e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
@@ -71,10 +80,6 @@ parameters:
removed in Ocata. Future releases will enable L3 HA by default if it is
appropriate for the deployment type. Alternate mechanisms will be
available to override.
- EnableInternalTLS:
- type: boolean
- default: false
-
parameter_groups:
- label: deprecated
description: |
@@ -128,6 +133,7 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/ovs_neutron'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+ neutron::policy::policies: {get_param: NeutronApiPolicies}
neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
neutron::server::api_workers: {get_param: NeutronWorkers}
@@ -204,3 +210,5 @@ outputs:
tags: step1
when: neutron_server_enabled.rc == 0
service: name=neutron-server state=stopped
+ metadata_settings:
+ get_attr: [TLSProxyBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index 55361939..5ed54f31 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@@ -44,10 +44,10 @@ parameters:
description: Set to True to enable debugging on all services.
EnableConfigPurge:
type: boolean
- default: true
+ default: false
description: >
- Remove configuration that is not generated by TripleO. Setting
- to false may result in configuration remnants after updates/upgrades.
+ Remove configuration that is not generated by TripleO. Used to avoid
+ configuration remnants after upgrades.
NeutronGlobalPhysnetMtu:
type: number
default: 1500
diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml
index e25bc495..2c7ab57c 100644
--- a/puppet/services/neutron-ovs-dpdk-agent.yaml
+++ b/puppet/services/neutron-ovs-dpdk-agent.yaml
@@ -69,7 +69,10 @@ outputs:
service_name: neutron_ovs_dpdk_agent
config_settings:
map_merge:
- - get_attr: [NeutronOvsAgent, role_data, config_settings]
+ - map_replace:
+ - get_attr: [NeutronOvsAgent, role_data, config_settings]
+ - keys:
+ tripleo.neutron_ovs_agent.firewall_rules: tripleo.neutron_ovs_dpdk_agent.firewall_rules
- neutron::agents::ml2::ovs::enable_dpdk: true
neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType}
neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir}
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index b0ba0cd6..22fae897 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -62,6 +62,12 @@ parameters:
default: 300
description: Timeout for Nova db sync
type: number
+ NovaApiPolicies:
+ description: |
+ A hash of policies to configure for Nova API.
+ e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
@@ -145,6 +151,7 @@ outputs:
nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
+ nova::policy::policies: {get_param: NovaApiPolicies}
-
if:
- nova_workers_zero
diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml
index ceacb0b2..8100c9b1 100644
--- a/puppet/services/nova-base.yaml
+++ b/puppet/services/nova-base.yaml
@@ -58,10 +58,10 @@ parameters:
description: Set to True to enable debugging on all services.
EnableConfigPurge:
type: boolean
- default: true
+ default: false
description: >
- Remove configuration that is not generated by TripleO. Setting
- to false may result in configuration remnants after updates/upgrades.
+ Remove configuration that is not generated by TripleO. Used to avoid
+ configuration remnants after upgrades.
NovaIPv6:
default: false
description: Enable IPv6 features in Nova
diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml
index d208bede..a9737eb6 100644
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@@ -52,7 +52,7 @@ parameters:
For different formats, refer to the nova.conf documentation for
pci_passthrough_whitelist configuration
type: json
- default: {}
+ default: ''
NovaVcpuPinSet:
description: >
A list or range of physical CPU cores to reserve for virtual machine
@@ -101,7 +101,11 @@ outputs:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- nova::compute::libvirt::manage_libvirt_services: false
- nova::compute::pci_passthrough: {get_param: NovaPCIPassthrough}
+ nova::compute::pci_passthrough:
+ str_replace:
+ template: "JSON_PARAM"
+ params:
+ JSON_PARAM: {get_param: NovaPCIPassthrough}
nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet}
nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory}
# we manage migration in nova common puppet profile
diff --git a/puppet/services/nova-ironic.yaml b/puppet/services/nova-ironic.yaml
index 843f44c5..f1d8dff7 100644
--- a/puppet/services/nova-ironic.yaml
+++ b/puppet/services/nova-ironic.yaml
@@ -51,3 +51,7 @@ outputs:
nova::scheduler::filter::scheduler_host_manager: 'ironic_host_manager'
step_config: |
include tripleo::profile::base::nova::compute::ironic
+ upgrade_tasks:
+ - name: Stop openstack-nova-compute service
+ tags: step1
+ service: name=openstack-nova-compute state=stopped enabled=no
diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml
index 909a3030..2f898a67 100644
--- a/puppet/services/octavia-api.yaml
+++ b/puppet/services/octavia-api.yaml
@@ -34,6 +34,12 @@ parameters:
default:
tag: openstack.octavia.api
path: /var/log/octavia/api.log
+ OctaviaApiPolicies:
+ description: |
+ A hash of policies to configure for Octavia API.
+ e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -57,6 +63,7 @@ outputs:
map_merge:
- get_attr: [OctaviaBase, role_data, config_settings]
- octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::db::database_connection:
list_join:
- ''
diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml
index a3f616ff..db15aa15 100644
--- a/puppet/services/octavia-base.yaml
+++ b/puppet/services/octavia-base.yaml
@@ -24,10 +24,10 @@ parameters:
description: Set to True to enable debugging on all services.
EnableConfigPurge:
type: boolean
- default: true
+ default: false
description: >
- Remove configuration that is not generated by TripleO. Setting
- to false may result in configuration remnants after updates/upgrades.
+ Remove configuration that is not generated by TripleO. Used to avoid
+ configuration remnants after upgrades.
RabbitPassword:
description: The password for RabbitMQ
type: string
diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml
index 3db0848e..5cf416f3 100644
--- a/puppet/services/opendaylight-ovs.yaml
+++ b/puppet/services/opendaylight-ovs.yaml
@@ -60,11 +60,7 @@ outputs:
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
- neutron::plugins::ovs::opendaylight::provider_mappings:
- str_replace:
- template: MAPPINGS
- params:
- MAPPINGS: {get_param: OpenDaylightProviderMappings}
+ neutron::plugins::ovs::opendaylight::provider_mappings: {get_param: OpenDaylightProviderMappings}
tripleo.opendaylight_ovs.firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
index eed98257..43e7aa18 100644
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
@@ -24,6 +24,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ PankoApiPolicies:
+ description: |
+ A hash of policies to configure for Panko API.
+ e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
PankoBase:
@@ -58,6 +64,7 @@ outputs:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]}
+ panko::policy::policies: {get_param: PankoApiPolicies}
panko::api::service_name: 'httpd'
panko::api::enable_proxy_headers_parsing: true
tripleo.panko_api.firewall_rules:
diff --git a/puppet/services/rabbitmq-internal-tls-certmonger.yaml b/puppet/services/rabbitmq-internal-tls-certmonger.yaml
deleted file mode 100644
index 39d6b903..00000000
--- a/puppet/services/rabbitmq-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
- RabbitMQ configurations for using TLS via certmonger.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-outputs:
- role_data:
- description: RabbitMQ configurations for using TLS via certmonger.
- value:
- service_name: rabbitmq_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- tripleo::profile::base::rabbitmq::certificate_specs:
- service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
- service_key: '/etc/pki/tls/private/rabbitmq.key'
- hostname:
- str_replace:
- template: "%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- principal:
- str_replace:
- template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- metadata_settings:
- - service: rabbitmq
- network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- type: node
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 92a0015a..47479783 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -52,14 +52,8 @@ parameters:
type: boolean
default: false
-resources:
-
- RabbitMQTLS:
- type: OS::TripleO::Services::RabbitMQTLS
- properties:
- ServiceNetMap: {get_param: ServiceNetMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- EndpointMap: {get_param: EndpointMap}
+conditions:
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@@ -69,7 +63,6 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
config_settings:
map_merge:
- - get_attr: [RabbitMQTLS, role_data, config_settings]
-
rabbitmq::file_limit: {get_param: RabbitFDLimit}
rabbitmq::default_user: {get_param: RabbitUserName}
@@ -124,6 +117,24 @@ outputs:
# TODO(jaosorior): Remove this once we set a proper default in
# puppet-tripleo
tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
+ -
+ if:
+ - internal_tls_enabled
+ - generate_service_certificates: true
+ tripleo::profile::base::rabbitmq::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
+ service_key: '/etc/pki/tls/private/rabbitmq.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ principal:
+ str_replace:
+ template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ - {}
step_config: |
include ::tripleo::profile::base::rabbitmq
upgrade_tasks:
@@ -134,4 +145,10 @@ outputs:
tags: step4
service: name=rabbitmq-server state=started
metadata_settings:
- get_attr: [RabbitMQTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ - service: rabbitmq
+ network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ type: node
+ - null
diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml
index 96b3d6e3..d9f2115a 100644
--- a/puppet/services/sahara-api.yaml
+++ b/puppet/services/sahara-api.yaml
@@ -38,6 +38,12 @@ parameters:
default:
tag: openstack.sahara.api
path: /var/log/sahara/sahara-api.log
+ SaharaApiPolicies:
+ description: |
+ A hash of policies to configure for Sahara API.
+ e.g. { sahara-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
SaharaBase:
@@ -60,6 +66,7 @@ outputs:
map_merge:
- get_attr: [SaharaBase, role_data, config_settings]
- sahara::port: {get_param: [EndpointMap, SaharaInternal, port]}
+ sahara::policy::policies: {get_param: SaharaApiPolicies}
sahara::service::api::api_workers: {get_param: SaharaWorkers}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml
index a4c139b5..d6c0ef9a 100644
--- a/puppet/services/tacker.yaml
+++ b/puppet/services/tacker.yaml
@@ -47,6 +47,12 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ TackerPolicies:
+ description: |
+ A hash of policies to configure for Tacker.
+ e.g. { tacker-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
outputs:
role_data:
@@ -87,6 +93,7 @@ outputs:
tacker::db::mysql::allowed_hosts:
- '%'
- {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ tacker::policy::policies: {get_param: TackerPolicies}
service_config_settings:
keystone:
diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml
index 67e14d9c..ff2b067f 100644
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@@ -37,3 +37,9 @@ outputs:
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
step_config: |
include ::tripleo::firewall
+ upgrade_tasks:
+ - name: blank ipv6 rule before activating ipv6 firewall.
+ tags: step3
+ shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
+ args:
+ creates: /etc/sysconfig/ip6tables.n-o-upgrade
diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml
index a320f694..33769d02 100644
--- a/puppet/services/zaqar.yaml
+++ b/puppet/services/zaqar.yaml
@@ -30,6 +30,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ ZaqarPolicies:
+ description: |
+ A hash of policies to configure for Zaqar.
+ e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
outputs:
@@ -38,6 +44,7 @@ outputs:
value:
service_name: zaqar
config_settings:
+ zaqar::policy::policies: {get_param: ZaqarPolicies}
zaqar::keystone::authtoken::password: {get_param: ZaqarPassword}
zaqar::keystone::authtoken::project_name: 'service'
zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
diff --git a/releasenotes/notes/api-policy-4ca739519537f6f4.yaml b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml
new file mode 100644
index 00000000..54beb305
--- /dev/null
+++ b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ TripleO is now able to configure role-based access API policies with new
+ parameters for each API service.
+ For example, Nova API service has now NovaApiPolicies and the value
+ could be { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ It will configure /etc/nova/policy.json file and configure context_is_admin
+ to true. Puppet will take care of this configuration and API services are
+ restarted when the file is touched.
+ We're also adding augeas resource to the list of Puppet providers that
+ container deployments grab in the catalog to generate configurations, so
+ this feature can be used when deploying TripleO in containers.
diff --git a/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml
new file mode 100644
index 00000000..682171c1
--- /dev/null
+++ b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - Fixes an issue when using the CinderNfsServers
+ parameter_defaults setting. It now works using a
+ single share as well as a comma-separated list of
+ shares.
diff --git a/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml
new file mode 100644
index 00000000..bb18aed8
--- /dev/null
+++ b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - Fixes firewall rules from neutron OVS agent not being
+ inherited correctly and applied in neutron OVS DPDK
+ template.
diff --git a/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml
new file mode 100644
index 00000000..79cea05e
--- /dev/null
+++ b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - Fixes OpenDaylightProviderMappings parsing on a
+ comma delimited list.
diff --git a/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml
new file mode 100644
index 00000000..d2b2eb94
--- /dev/null
+++ b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - openstack-selinux is now installed by the deployed-server
+ bootstrap scripts. Previously, it was not installed, so
+ if SELinux was set to enforcing, all OpenStack policy
+ was missing.
diff --git a/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml b/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml
new file mode 100644
index 00000000..d0624265
--- /dev/null
+++ b/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - Since panko is enabled by default, include it the default dispatcher
+ for ceilometer events.
diff --git a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
new file mode 100644
index 00000000..c24e8921
--- /dev/null
+++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
@@ -0,0 +1,11 @@
+---
+upgrade:
+ - |
+ The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive
+ kernel address information with unprivileged access. Deployments that set
+ or depend on values other than 1 for kernel.dmesg_restrict may be affected
+ by upgrading.
+security:
+ - |
+ Kernel syslog contains sensitive kernel address information, setting
+ kernel.dmesg_restrict to avoid unprivileged access to this information.
diff --git a/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml b/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml
new file mode 100644
index 00000000..20146b0a
--- /dev/null
+++ b/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - The ``pci_passthrough`` hiera value should be passed as a string
+ (`bug 1675036 <https://bugs.launchpad.net/tripleo/+bug/1675036>`__).
diff --git a/requirements.txt b/requirements.txt
index 057aa287..df8a71f5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
-pbr>=1.8 # Apache-2.0
+pbr>=2.0.0 # Apache-2.0
Jinja2!=2.9.0,!=2.9.1,!=2.9.2,!=2.9.3,!=2.9.4,>=2.8 # BSD License (3 clause)
six>=1.9.0 # MIT
diff --git a/setup.py b/setup.py
index 782bb21f..566d8443 100644
--- a/setup.py
+++ b/setup.py
@@ -25,5 +25,5 @@ except ImportError:
pass
setuptools.setup(
- setup_requires=['pbr>=1.8'],
+ setup_requires=['pbr>=2.0.0'],
pbr=True)