aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ci/environments/scenario001-multinode.yaml1
-rw-r--r--deployed-server/deployed-server-bootstrap-centos.sh3
-rw-r--r--deployed-server/deployed-server-bootstrap-rhel.sh3
-rwxr-xr-xdeployed-server/scripts/get-occ-config.sh2
-rwxr-xr-xdocker/docker-puppet.py3
-rw-r--r--docker/services/README.rst6
-rw-r--r--docker/services/database/mongodb.yaml4
-rw-r--r--docker/services/keystone.yaml57
-rw-r--r--docker/services/nova-api.yaml3
-rw-r--r--docker/services/nova-compute.yaml11
-rw-r--r--docker/services/nova-ironic.yaml6
-rw-r--r--docker/services/nova-libvirt.yaml16
-rw-r--r--environments/deployed-server-environment.j2.yaml11
-rw-r--r--environments/deployed-server-environment.yaml4
-rw-r--r--environments/enable-internal-tls.yaml3
-rw-r--r--environments/services/panko.yaml2
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml3
-rw-r--r--overcloud.j2.yaml24
-rw-r--r--puppet/services/apache-internal-tls-certmonger.yaml75
-rw-r--r--puppet/services/apache.yaml44
-rw-r--r--puppet/services/cinder-volume.yaml6
-rw-r--r--puppet/services/congress.yaml1
-rw-r--r--puppet/services/database/mysql-internal-tls-certmonger.yaml47
-rw-r--r--puppet/services/database/mysql.yaml39
-rw-r--r--puppet/services/gnocchi-base.yaml6
-rw-r--r--puppet/services/kernel.yaml2
-rw-r--r--puppet/services/neutron-api.yaml9
-rw-r--r--puppet/services/neutron-ovs-dpdk-agent.yaml5
-rw-r--r--puppet/services/opendaylight-ovs.yaml6
-rw-r--r--puppet/services/rabbitmq-internal-tls-certmonger.yaml47
-rw-r--r--puppet/services/rabbitmq.yaml37
-rw-r--r--releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml6
-rw-r--r--releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml5
-rw-r--r--releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml4
-rw-r--r--releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml6
-rw-r--r--releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml11
-rw-r--r--requirements.txt2
-rw-r--r--setup.py2
38 files changed, 225 insertions, 297 deletions
diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml
index a6f35711..2203665a 100644
--- a/ci/environments/scenario001-multinode.yaml
+++ b/ci/environments/scenario001-multinode.yaml
@@ -4,7 +4,6 @@ resource_registry:
OS::TripleO::Services::CephMon: ../../puppet/services/ceph-mon.yaml
OS::TripleO::Services::CephOSD: ../../puppet/services/ceph-osd.yaml
OS::TripleO::Services::CephClient: ../../puppet/services/ceph-client.yaml
- OS::TripleO::Services::PankoApi: ../../puppet/services/panko-api.yaml
OS::TripleO::Services::Collectd: ../../puppet/services/metrics/collectd.yaml
OS::TripleO::Services::Tacker: ../../puppet/services/tacker.yaml
OS::TripleO::Services::Congress: ../../puppet/services/congress.yaml
diff --git a/deployed-server/deployed-server-bootstrap-centos.sh b/deployed-server/deployed-server-bootstrap-centos.sh
index 7266ca57..c86e771c 100644
--- a/deployed-server/deployed-server-bootstrap-centos.sh
+++ b/deployed-server/deployed-server-bootstrap-centos.sh
@@ -8,7 +8,8 @@ yum install -y \
openstack-puppet-modules \
os-net-config \
openvswitch \
- python-heat-agent*
+ python-heat-agent* \
+ openstack-selinux
ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules
diff --git a/deployed-server/deployed-server-bootstrap-rhel.sh b/deployed-server/deployed-server-bootstrap-rhel.sh
index 36ff0077..10b4999b 100644
--- a/deployed-server/deployed-server-bootstrap-rhel.sh
+++ b/deployed-server/deployed-server-bootstrap-rhel.sh
@@ -8,6 +8,7 @@ yum install -y \
openstack-puppet-modules \
os-net-config \
openvswitch \
- python-heat-agent*
+ python-heat-agent* \
+ openstack-selinux
ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules
diff --git a/deployed-server/scripts/get-occ-config.sh b/deployed-server/scripts/get-occ-config.sh
index 6c196f97..d0cc4dff 100755
--- a/deployed-server/scripts/get-occ-config.sh
+++ b/deployed-server/scripts/get-occ-config.sh
@@ -63,7 +63,7 @@ for role in $OVERCLOUD_ROLES; do
rg_stack=$(openstack stack resource show overcloud $role -c physical_resource_id -f value)
done
- stacks=$(openstack stack resource list $rg_stack -c physical_resource_id -f value)
+ stacks=$(openstack stack resource list $rg_stack -c resource_name -c physical_resource_id -f json | jq -r "sort_by(.resource_name) | .[] | .physical_resource_id")
i=0
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index 0f079436..8f95208f 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -205,7 +205,8 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
'--volume', '%s:%s:rw' % (sh_script, sh_script) ]
for volume in volumes:
- dcmd.extend(['--volume', volume])
+ if volume:
+ dcmd.extend(['--volume', volume])
dcmd.extend(['--entrypoint', sh_script])
diff --git a/docker/services/README.rst b/docker/services/README.rst
index 219f35eb..465e4abe 100644
--- a/docker/services/README.rst
+++ b/docker/services/README.rst
@@ -23,7 +23,7 @@ puppet (our configuration tool of choice) into the Kolla base images. The
undercloud nova-scheduler also requires openstack-tripleo-common to
provide custom filters.
-To build Kolla images for TripleO adjust your kolla config to build your
+To build Kolla images for TripleO adjust your kolla config [*]_ to build your
centos base image with puppet using the example below:
.. code-block::
@@ -37,6 +37,10 @@ kolla-build --base centos --template-override template-overrides.j2
..
+.. [*] See the
+ `override file <https://github.com/openstack/tripleo-common/blob/master/contrib/tripleo_kolla_template_overrides.j2>`_
+ which can be used to build Kolla packages that work with TripleO, and an
+ `example build script <https://github.com/dprince/undercloud_containers/blob/master/build_kolla.sh>_.
Docker settings
---------------
diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml
index 265558a4..15795828 100644
--- a/docker/services/database/mongodb.yaml
+++ b/docker/services/database/mongodb.yaml
@@ -102,8 +102,8 @@ outputs:
step_config: 'include ::tripleo::profile::base::database::mongodb'
config_image: *mongodb_image
volumes:
- - "mongodb:/var/lib/mongodb/"
- - "logs:/var/log/kolla:ro"
+ - /var/lib/mongodb:/var/lib/mongodb
+ - logs:/var/log/kolla:ro
host_prep_tasks:
- name: create /var/lib/mongodb
file:
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 63713677..0597b906 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -33,7 +33,7 @@ parameters:
KeystoneTokenProvider:
description: The keystone token format
type: string
- default: 'uuid'
+ default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
@@ -46,9 +46,6 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
-conditions:
- keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
-
outputs:
role_data:
description: Role data for the Keystone API role.
@@ -76,53 +73,6 @@ outputs:
kolla_config:
/var/lib/kolla/config_files/keystone.json:
command: /usr/sbin/httpd -DFOREGROUND
- config_files:
- - dest: /etc/keystone/keystone.conf
- owner: keystone
- perm: '0640'
- source: /var/lib/kolla/config_files/src/etc/keystone/keystone.conf
- - dest: /etc/keystone/credential-keys/0
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/0
- - dest: /etc/keystone/credential-keys/1
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
- - dest: /etc/keystone/fernet-keys/0
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
- optional: {if: [keystone_fernet_tokens, false, true]}
- - dest: /etc/keystone/fernet-keys/1
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
- optional: {if: [keystone_fernet_tokens, false, true]}
- - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_admin.conf
- - dest: /etc/httpd/conf.d/10-keystone_wsgi_main.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_main.conf
- - dest: /etc/httpd/conf/httpd.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf
- - dest: /etc/httpd/conf/ports.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf
- - dest: /var/www/cgi-bin/keystone/keystone-admin
- owner: keystone
- perm: '0644'
- source: /var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-admin
- - dest: /var/www/cgi-bin/keystone/keystone-public
- owner: keystone
- perm: '0644'
- source: /var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-public
docker_config:
step_3:
keystone-init-log:
@@ -140,8 +90,9 @@ outputs:
detach: false
volumes: &keystone_volumes
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/config-data/keystone/:/var/lib/kolla/config_files/src:ro
- - /var/lib/config-data/keystone/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro
+ - /var/lib/config-data/keystone/var/www/:/var/www/:ro
+ - /var/lib/config-data/keystone/etc/keystone/:/etc/keystone/:ro
+ - /var/lib/config-data/keystone/etc/httpd/:/etc/httpd/:ro
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- logs:/var/log
diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml
index 9e203b7a..e5c78d6c 100644
--- a/docker/services/nova-api.yaml
+++ b/docker/services/nova-api.yaml
@@ -134,8 +134,9 @@ outputs:
- /etc/localtime:/etc/localtime:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ step_5:
nova_api_discover_hosts:
- start_order: 3
+ start_order: 1
image: *nova_api_image
net: host
detach: false
diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml
index 7fc00b47..957eed7f 100644
--- a/docker/services/nova-compute.yaml
+++ b/docker/services/nova-compute.yaml
@@ -83,6 +83,15 @@ outputs:
- /lib/modules:/lib/modules:ro
- /run:/run
- /var/lib/nova:/var/lib/nova
- - libvirtd:/var/lib/libvirt
+ - /var/lib/libvirt:/var/lib/libvirt
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ host_prep_tasks:
+ - name: create /var/lib/libvirt
+ file:
+ path: /var/lib/libvirt
+ state: directory
+ upgrade_tasks:
+ - name: Stop and disable nova-compute service
+ tags: step2
+ service: name=nova-compute state=stopped enabled=no
diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml
index 170468a5..3d849f59 100644
--- a/docker/services/nova-ironic.yaml
+++ b/docker/services/nova-ironic.yaml
@@ -85,6 +85,10 @@ outputs:
- /run:/run
- /dev:/dev
- /etc/iscsi:/etc/iscsi
- - nova_compute:/var/lib/nova/
+ - /var/lib/nova/:/var/lib/nova
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ upgrade_tasks:
+ - name: Stop and disable nova-compute service
+ tags: step2
+ service: name=nova-compute state=stopped enabled=no
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 85fabe5a..480bb80e 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -88,7 +88,19 @@ outputs:
- /var/lib/nova:/var/lib/nova
# Needed to use host's virtlogd
- /var/run/libvirt:/var/run/libvirt
- - libvirtd:/var/lib/libvirt
- - nova_libvirt_qemu:/etc/libvirt/qemu
+ - /var/lib/libvirt:/var/lib/libvirt
+ - /etc/libvirt/qemu:/etc/libvirt/qemu
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ host_prep_tasks:
+ - name: create libvirt persistent data directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /etc/libvirt/qemu
+ - /var/lib/libvirt
+ upgrade_tasks:
+ - name: Stop and disable libvirtd service
+ tags: step2
+ service: name=libvirtd state=stopped enabled=no
diff --git a/environments/deployed-server-environment.j2.yaml b/environments/deployed-server-environment.j2.yaml
new file mode 100644
index 00000000..327934da
--- /dev/null
+++ b/environments/deployed-server-environment.j2.yaml
@@ -0,0 +1,11 @@
+resource_registry:
+ OS::TripleO::Server: ../deployed-server/deployed-server.yaml
+ OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port
+ OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None
+
+{% for role in roles %}
+ # Default nic config mappings
+ OS::TripleO::{{role.name}}::Net::SoftwareConfig: ../net-config-static.yaml
+{% endfor %}
+
+ OS::TripleO::ControllerDeployedServer::Net::SoftwareConfig: ../net-config-static-bridge.yaml
diff --git a/environments/deployed-server-environment.yaml b/environments/deployed-server-environment.yaml
deleted file mode 100644
index 7bc1bd9b..00000000
--- a/environments/deployed-server-environment.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-resource_registry:
- OS::TripleO::Server: ../deployed-server/deployed-server.yaml
- OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port
- OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index e245a6af..2fdecb4f 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -12,9 +12,6 @@ resource_registry:
OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
- OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
- OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
- OS::TripleO::Services::RabbitMQTLS: ../puppet/services/rabbitmq-internal-tls-certmonger.yaml
# We use apache as a TLS proxy
OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
diff --git a/environments/services/panko.yaml b/environments/services/panko.yaml
deleted file mode 100644
index 28bf99f6..00000000
--- a/environments/services/panko.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resource_registry:
- OS::TripleO::Services::PankoApi: ../../puppet/services/panko-api.yaml
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index d9eaf8df..b294d7cb 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -120,7 +120,6 @@ resource_registry:
# services
OS::TripleO::Services: puppet/services/services.yaml
OS::TripleO::Services::Apache: puppet/services/apache.yaml
- OS::TripleO::Services::ApacheTLS: OS::Heat::None
OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
OS::TripleO::Services::CephMds: OS::Heat::None
OS::TripleO::Services::CephMon: OS::Heat::None
@@ -144,7 +143,6 @@ resource_registry:
OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
- OS::TripleO::Services::MySQLTLS: OS::Heat::None
OS::TripleO::Services::NeutronBgpvpnApi: OS::Heat::None
OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml
@@ -170,7 +168,6 @@ resource_registry:
OS::TripleO::Services::PacemakerRemote: OS::Heat::None
OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml
- OS::TripleO::Services::RabbitMQTLS: OS::Heat::None
OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml
OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None
OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index e99f770f..7b780112 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -579,12 +579,24 @@ resources:
PingTestIps:
list_join:
- ' '
- - - {get_attr: [{{primary_role_name}}, resource.0.external_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.internal_api_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.storage_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.storage_mgmt_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.tenant_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.management_ip_address]}
+ - - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, external_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, internal_api_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, storage_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, storage_mgmt_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, tenant_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, management_ip_address]}
UpdateWorkflow:
type: OS::TripleO::Tasks::UpdateWorkflow
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
deleted file mode 100644
index 4c94f440..00000000
--- a/puppet/services/apache-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-heat_template_version: ocata
-
-description: >
- Apache service TLS configurations.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-resources:
-
- ApacheNetworks:
- type: OS::Heat::Value
- properties:
- value:
- # NOTE(jaosorior) Get unique network names to create
- # certificates for those. We skip the tenant network since
- # we don't need a certificate for that, and the external
- # network will be handled in another template.
- yaql:
- expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
- data:
- map:
- get_param: ServiceNetMap
-
-outputs:
- role_data:
- description: Role data for the Apache role.
- value:
- service_name: apache_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- apache_certificates_specs:
- map_merge:
- repeat:
- template:
- httpd-NETWORK:
- service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
- service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
- hostname: "%{hiera('fqdn_NETWORK')}"
- principal: "HTTP/%{hiera('fqdn_NETWORK')}"
- for_each:
- NETWORK: {get_attr: [ApacheNetworks, value]}
- metadata_settings:
- repeat:
- template:
- - service: HTTP
- network: $NETWORK
- type: node
- for_each:
- $NETWORK: {get_attr: [ApacheNetworks, value]}
- upgrade_tasks:
- - name: Check if httpd is deployed
- command: systemctl is-enabled httpd
- tags: common
- ignore_errors: True
- register: httpd_enabled
- - name: "PreUpgrade step0,validation: Check service httpd is running"
- shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
- when: httpd_enabled.rc == 0
- tags: step0,validation
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index 2d950151..9bd282f8 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -31,13 +31,25 @@ parameters:
type: boolean
default: false
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
- ApacheTLS:
- type: OS::TripleO::Services::ApacheTLS
+ ApacheNetworks:
+ type: OS::Heat::Value
properties:
- ServiceNetMap: {get_param: ServiceNetMap}
+ value:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # is for HAProxy so it isn't used for apache either.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
outputs:
role_data:
@@ -46,7 +58,6 @@ outputs:
service_name: apache
config_settings:
map_merge:
- - get_attr: [ApacheTLS, role_data, config_settings]
-
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
@@ -64,8 +75,31 @@ outputs:
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
+ -
+ generate_service_certificates: true
+ apache_certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ httpd-NETWORK:
+ service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+ hostname: "%{hiera('fqdn_NETWORK')}"
+ principal: "HTTP/%{hiera('fqdn_NETWORK')}"
+ for_each:
+ NETWORK: {get_attr: [ApacheNetworks, value]}
metadata_settings:
- get_attr: [ApacheTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ repeat:
+ template:
+ - service: HTTP
+ network: $NETWORK
+ type: node
+ for_each:
+ $NETWORK: {get_attr: [ApacheNetworks, value]}
+ - null
upgrade_tasks:
- name: Check if httpd is deployed
command: systemctl is-enabled httpd
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index b52955ef..26f1a96f 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
@@ -94,11 +94,7 @@ outputs:
tripleo::profile::base::cinder::volume::cinder_enable_nfs_backend: {get_param: CinderEnableNfsBackend}
tripleo::profile::base::cinder::volume::cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend}
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_mount_options: {get_param: CinderNfsMountOptions}
- tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers:
- str_replace:
- template: SERVERS
- params:
- SERVERS: {get_param: CinderNfsServers}
+ tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: {get_param: CinderNfsServers}
tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol}
diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml
index fd1ee24b..20f64162 100644
--- a/puppet/services/congress.yaml
+++ b/puppet/services/congress.yaml
@@ -90,6 +90,7 @@ outputs:
service_config_settings:
keystone:
congress::keystone::auth::tenant: 'service'
+ congress::keystone::auth::region: {get_param: KeystoneRegion}
congress::keystone::auth::password: {get_param: CongressPassword}
congress::keystone::auth::public_url: {get_param: [EndpointMap, CongressPublic, uri]}
congress::keystone::auth::internal_url: {get_param: [EndpointMap, CongressInternal, uri]}
diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
deleted file mode 100644
index 9f7eaf57..00000000
--- a/puppet/services/database/mysql-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
- MySQL configurations for using TLS via certmonger.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-outputs:
- role_data:
- description: MySQL configurations for using TLS via certmonger.
- value:
- service_name: mysql_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- tripleo::profile::base::database::mysql::certificate_specs:
- service_certificate: '/etc/pki/tls/certs/mysql.crt'
- service_key: '/etc/pki/tls/private/mysql.key'
- hostname:
- str_replace:
- template: "%{hiera('cloud_name_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- principal:
- str_replace:
- template: "mysql/%{hiera('cloud_name_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- metadata_settings:
- - service: mysql
- network: {get_param: [ServiceNetMap, MysqlNetwork]}
- type: vip
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 808f1353..da55da3c 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -23,6 +23,10 @@ parameters:
description: Configures MySQL max_connections config setting
type: number
default: 4096
+ MysqlIncreaseFileLimit:
+ description: Flag to increase MySQL open-files-limit to 16384
+ type: boolean
+ default: true
MysqlRootPassword:
type: string
hidden: true
@@ -38,13 +42,13 @@ parameters:
description: The password for the nova db account
type: string
hidden: true
+ EnableInternalTLS:
+ type: boolean
+ default: false
-resources:
+conditions:
- MySQLTLS:
- type: OS::TripleO::Services::MySQLTLS
- properties:
- ServiceNetMap: {get_param: ServiceNetMap}
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@@ -53,7 +57,6 @@ outputs:
service_name: mysql
config_settings:
map_merge:
- - get_attr: [MySQLTLS, role_data, config_settings]
-
# The Galera package should work in cluster and
# non-cluster modes based on the config file.
@@ -96,10 +99,32 @@ outputs:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
tripleo::profile::base::database::mysql::client_bind_address:
{get_param: [ServiceNetMap, MysqlNetwork]}
+ tripleo::profile::base::database::mysql::generate_dropin_file_limit:
+ {get_param: MysqlIncreaseFileLimit}
+ - generate_service_certificates: true
+ tripleo::profile::base::database::mysql::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/mysql.crt'
+ service_key: '/etc/pki/tls/private/mysql.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ principal:
+ str_replace:
+ template: "mysql/%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
step_config: |
include ::tripleo::profile::base::database::mysql
metadata_settings:
- get_attr: [MySQLTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ - service: mysql
+ network: {get_param: [ServiceNetMap, MysqlNetwork]}
+ type: vip
+ - null
upgrade_tasks:
- name: Check for galera root password
tags: step0
diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml
index d7555561..dc6daece 100644
--- a/puppet/services/gnocchi-base.yaml
+++ b/puppet/services/gnocchi-base.yaml
@@ -32,10 +32,6 @@ parameters:
CephClientUserName:
default: openstack
type: string
- KeystoneRegion:
- type: string
- default: 'regionOne'
- description: Keystone region for endpoint
RedisPassword:
description: The password for the redis service account.
type: string
@@ -72,7 +68,7 @@ outputs:
gnocchi::storage::swift::swift_user: 'service:gnocchi'
gnocchi::storage::swift::swift_auth_version: 3
gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword}
- gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
gnocchi::storage::ceph::ceph_pool: {get_param: GnocchiRbdPoolName}
gnocchi::storage::ceph::ceph_username: {get_param: CephClientUserName}
gnocchi::storage::ceph::ceph_keyring:
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index fec455d1..ee4c771f 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -56,5 +56,7 @@ outputs:
value: 10000
kernel.pid_max:
value: {get_param: KernelPidMax}
+ kernel.dmesg_restrict:
+ value: 1
step_config: |
include ::tripleo::profile::base::kernel
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index bb102c08..7a24ffdd 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -57,6 +57,9 @@ parameters:
default:
tag: openstack.neutron.api
path: /var/log/neutron/server.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
@@ -71,10 +74,6 @@ parameters:
removed in Ocata. Future releases will enable L3 HA by default if it is
appropriate for the deployment type. Alternate mechanisms will be
available to override.
- EnableInternalTLS:
- type: boolean
- default: false
-
parameter_groups:
- label: deprecated
description: |
@@ -204,3 +203,5 @@ outputs:
tags: step1
when: neutron_server_enabled.rc == 0
service: name=neutron-server state=stopped
+ metadata_settings:
+ get_attr: [TLSProxyBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml
index e25bc495..2c7ab57c 100644
--- a/puppet/services/neutron-ovs-dpdk-agent.yaml
+++ b/puppet/services/neutron-ovs-dpdk-agent.yaml
@@ -69,7 +69,10 @@ outputs:
service_name: neutron_ovs_dpdk_agent
config_settings:
map_merge:
- - get_attr: [NeutronOvsAgent, role_data, config_settings]
+ - map_replace:
+ - get_attr: [NeutronOvsAgent, role_data, config_settings]
+ - keys:
+ tripleo.neutron_ovs_agent.firewall_rules: tripleo.neutron_ovs_dpdk_agent.firewall_rules
- neutron::agents::ml2::ovs::enable_dpdk: true
neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType}
neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir}
diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml
index 3db0848e..5cf416f3 100644
--- a/puppet/services/opendaylight-ovs.yaml
+++ b/puppet/services/opendaylight-ovs.yaml
@@ -60,11 +60,7 @@ outputs:
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
- neutron::plugins::ovs::opendaylight::provider_mappings:
- str_replace:
- template: MAPPINGS
- params:
- MAPPINGS: {get_param: OpenDaylightProviderMappings}
+ neutron::plugins::ovs::opendaylight::provider_mappings: {get_param: OpenDaylightProviderMappings}
tripleo.opendaylight_ovs.firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
diff --git a/puppet/services/rabbitmq-internal-tls-certmonger.yaml b/puppet/services/rabbitmq-internal-tls-certmonger.yaml
deleted file mode 100644
index 39d6b903..00000000
--- a/puppet/services/rabbitmq-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
- RabbitMQ configurations for using TLS via certmonger.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-outputs:
- role_data:
- description: RabbitMQ configurations for using TLS via certmonger.
- value:
- service_name: rabbitmq_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- tripleo::profile::base::rabbitmq::certificate_specs:
- service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
- service_key: '/etc/pki/tls/private/rabbitmq.key'
- hostname:
- str_replace:
- template: "%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- principal:
- str_replace:
- template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- metadata_settings:
- - service: rabbitmq
- network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- type: node
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 92a0015a..47479783 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -52,14 +52,8 @@ parameters:
type: boolean
default: false
-resources:
-
- RabbitMQTLS:
- type: OS::TripleO::Services::RabbitMQTLS
- properties:
- ServiceNetMap: {get_param: ServiceNetMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- EndpointMap: {get_param: EndpointMap}
+conditions:
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@@ -69,7 +63,6 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
config_settings:
map_merge:
- - get_attr: [RabbitMQTLS, role_data, config_settings]
-
rabbitmq::file_limit: {get_param: RabbitFDLimit}
rabbitmq::default_user: {get_param: RabbitUserName}
@@ -124,6 +117,24 @@ outputs:
# TODO(jaosorior): Remove this once we set a proper default in
# puppet-tripleo
tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
+ -
+ if:
+ - internal_tls_enabled
+ - generate_service_certificates: true
+ tripleo::profile::base::rabbitmq::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
+ service_key: '/etc/pki/tls/private/rabbitmq.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ principal:
+ str_replace:
+ template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ - {}
step_config: |
include ::tripleo::profile::base::rabbitmq
upgrade_tasks:
@@ -134,4 +145,10 @@ outputs:
tags: step4
service: name=rabbitmq-server state=started
metadata_settings:
- get_attr: [RabbitMQTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ - service: rabbitmq
+ network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ type: node
+ - null
diff --git a/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml
new file mode 100644
index 00000000..682171c1
--- /dev/null
+++ b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - Fixes an issue when using the CinderNfsServers
+ parameter_defaults setting. It now works using a
+ single share as well as a comma-separated list of
+ shares.
diff --git a/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml
new file mode 100644
index 00000000..bb18aed8
--- /dev/null
+++ b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - Fixes firewall rules from neutron OVS agent not being
+ inherited correctly and applied in neutron OVS DPDK
+ template.
diff --git a/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml
new file mode 100644
index 00000000..79cea05e
--- /dev/null
+++ b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - Fixes OpenDaylightProviderMappings parsing on a
+ comma delimited list.
diff --git a/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml
new file mode 100644
index 00000000..d2b2eb94
--- /dev/null
+++ b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - openstack-selinux is now installed by the deployed-server
+ bootstrap scripts. Previously, it was not installed, so
+ if SELinux was set to enforcing, all OpenStack policy
+ was missing.
diff --git a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
new file mode 100644
index 00000000..c24e8921
--- /dev/null
+++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
@@ -0,0 +1,11 @@
+---
+upgrade:
+ - |
+ The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive
+ kernel address information with unprivileged access. Deployments that set
+ or depend on values other than 1 for kernel.dmesg_restrict may be affected
+ by upgrading.
+security:
+ - |
+ Kernel syslog contains sensitive kernel address information, setting
+ kernel.dmesg_restrict to avoid unprivileged access to this information.
diff --git a/requirements.txt b/requirements.txt
index 057aa287..df8a71f5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
-pbr>=1.8 # Apache-2.0
+pbr>=2.0.0 # Apache-2.0
Jinja2!=2.9.0,!=2.9.1,!=2.9.2,!=2.9.3,!=2.9.4,>=2.8 # BSD License (3 clause)
six>=1.9.0 # MIT
diff --git a/setup.py b/setup.py
index 782bb21f..566d8443 100644
--- a/setup.py
+++ b/setup.py
@@ -25,5 +25,5 @@ except ImportError:
pass
setuptools.setup(
- setup_requires=['pbr>=1.8'],
+ setup_requires=['pbr>=2.0.0'],
pbr=True)