38 files changed, 225 insertions, 297 deletions
diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml index a6f35711..2203665a 100644 --- a/ci/environments/scenario001-multinode.yaml +++ b/ci/environments/scenario001-multinode.yaml @@ -4,7 +4,6 @@ resource_registry: OS::TripleO::Services::CephMon: ../../puppet/services/ceph-mon.yaml OS::TripleO::Services::CephOSD: ../../puppet/services/ceph-osd.yaml OS::TripleO::Services::CephClient: ../../puppet/services/ceph-client.yaml - OS::TripleO::Services::PankoApi: ../../puppet/services/panko-api.yaml OS::TripleO::Services::Collectd: ../../puppet/services/metrics/collectd.yaml OS::TripleO::Services::Tacker: ../../puppet/services/tacker.yaml OS::TripleO::Services::Congress: ../../puppet/services/congress.yaml diff --git a/deployed-server/deployed-server-bootstrap-centos.sh b/deployed-server/deployed-server-bootstrap-centos.sh index 7266ca57..c86e771c 100644 --- a/deployed-server/deployed-server-bootstrap-centos.sh +++ b/deployed-server/deployed-server-bootstrap-centos.sh @@ -8,7 +8,8 @@ yum install -y \ openstack-puppet-modules \ os-net-config \ openvswitch \ - python-heat-agent* + python-heat-agent* \ + openstack-selinux ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules diff --git a/deployed-server/deployed-server-bootstrap-rhel.sh b/deployed-server/deployed-server-bootstrap-rhel.sh index 36ff0077..10b4999b 100644 --- a/deployed-server/deployed-server-bootstrap-rhel.sh +++ b/deployed-server/deployed-server-bootstrap-rhel.sh @@ -8,6 +8,7 @@ yum install -y \ openstack-puppet-modules \ os-net-config \ openvswitch \ - python-heat-agent* + python-heat-agent* \ + openstack-selinux ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules diff --git a/deployed-server/scripts/get-occ-config.sh b/deployed-server/scripts/get-occ-config.sh index 6c196f97..d0cc4dff 100755 --- a/deployed-server/scripts/get-occ-config.sh +++ b/deployed-server/scripts/get-occ-config.sh 
@@ -63,7 +63,7 @@ for role in $OVERCLOUD_ROLES; do rg_stack=$(openstack stack resource show overcloud $role -c physical_resource_id -f value) done - stacks=$(openstack stack resource list $rg_stack -c physical_resource_id -f value) + stacks=$(openstack stack resource list $rg_stack -c resource_name -c physical_resource_id -f json | jq -r "sort_by(.resource_name) | .[] | .physical_resource_id") i=0 diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index 0f079436..8f95208f 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -205,7 +205,8 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume '--volume', '%s:%s:rw' % (sh_script, sh_script) ] for volume in volumes: - dcmd.extend(['--volume', volume]) + if volume: + dcmd.extend(['--volume', volume]) dcmd.extend(['--entrypoint', sh_script]) diff --git a/docker/services/README.rst b/docker/services/README.rst index 219f35eb..465e4abe 100644 --- a/docker/services/README.rst +++ b/docker/services/README.rst @@ -23,7 +23,7 @@ puppet (our configuration tool of choice) into the Kolla base images. The undercloud nova-scheduler also requires openstack-tripleo-common to provide custom filters. -To build Kolla images for TripleO adjust your kolla config to build your +To build Kolla images for TripleO adjust your kolla config [*]_ to build your centos base image with puppet using the example below: .. code-block:: @@ -37,6 +37,10 @@ kolla-build --base centos --template-override template-overrides.j2 .. +.. [*] See the + `override file <https://github.com/openstack/tripleo-common/blob/master/contrib/tripleo_kolla_template_overrides.j2>`_ + which can be used to build Kolla packages that work with TripleO, and an + `example build script <https://github.com/dprince/undercloud_containers/blob/master/build_kolla.sh>_. Docker settings --------------- diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml index 265558a4..15795828 100644 
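Review bot: The new `stacks=` line makes the script depend on `jq`, and nothing visible checks that it is installed; if the script is not run with `set -e`/`set -o pipefail` (its preamble is outside this hunk), a missing `jq` leaves `$stacks` empty and the role is silently skipped instead of failing. Add a guard near the top of the script, `command -v jq >/dev/null 2>&1 || { echo "jq is required" >&2; exit 1; }`. While on this line, quote the expansion that comes straight from command output, `openstack stack resource list "$rg_stack" -c resource_name -c physical_resource_id -f json | ...`, so an empty or odd value cannot be word-split into extra arguments. The `for role in $OVERCLOUD_ROLES` loop continues past the hunk.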
--- a/docker/services/database/mongodb.yaml +++ b/docker/services/database/mongodb.yaml @@ -102,8 +102,8 @@ outputs: step_config: 'include ::tripleo::profile::base::database::mongodb' config_image: *mongodb_image volumes: - - "mongodb:/var/lib/mongodb/" - - "logs:/var/log/kolla:ro" + - /var/lib/mongodb:/var/lib/mongodb + - logs:/var/log/kolla:ro host_prep_tasks: - name: create /var/lib/mongodb file: diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 63713677..0597b906 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -33,7 +33,7 @@ parameters: KeystoneTokenProvider: description: The keystone token format type: string - default: 'uuid' + default: 'fernet' constraints: - allowed_values: ['uuid', 'fernet'] @@ -46,9 +46,6 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} -conditions: - keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} - outputs: role_data: description: Role data for the Keystone API role. 
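Review bot: Replacing the named volume with the host bind mount `/var/lib/mongodb:/var/lib/mongodb` puts the database files on the host filesystem, and the `create /var/lib/mongodb` prep task that now has to own that path shows only `file:` before the hunk ends, so its `owner`/`mode` attributes cannot be confirmed here. If none are set, Ansible's `file` module creates the directory root-owned with the umask default, which is wider than a database directory should be and may not be writable by the uid mongod runs as inside the container. Pin it in the task, e.g. `mode: '0750'` plus the `owner`/`group` matching the container's mongod user (that uid is not visible in this diff, so verify it against the image).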
@@ -76,53 +73,6 @@ outputs: kolla_config: /var/lib/kolla/config_files/keystone.json: command: /usr/sbin/httpd -DFOREGROUND - config_files: - - dest: /etc/keystone/keystone.conf - owner: keystone - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/keystone/keystone.conf - - dest: /etc/keystone/credential-keys/0 - owner: keystone - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/0 - - dest: /etc/keystone/credential-keys/1 - owner: keystone - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1 - - dest: /etc/keystone/fernet-keys/0 - owner: keystone - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0 - optional: {if: [keystone_fernet_tokens, false, true]} - - dest: /etc/keystone/fernet-keys/1 - owner: keystone - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1 - optional: {if: [keystone_fernet_tokens, false, true]} - - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_admin.conf - - dest: /etc/httpd/conf.d/10-keystone_wsgi_main.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_main.conf - - dest: /etc/httpd/conf/httpd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf - - dest: /etc/httpd/conf/ports.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf - - dest: /var/www/cgi-bin/keystone/keystone-admin - owner: keystone - perm: '0644' - source: /var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-admin - - dest: /var/www/cgi-bin/keystone/keystone-public - owner: keystone - perm: '0644' - source: /var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-public docker_config: step_3: keystone-init-log: 
@@ -140,8 +90,9 @@ outputs: detach: false volumes: &keystone_volumes - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/keystone/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/keystone/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro + - /var/lib/config-data/keystone/var/www/:/var/www/:ro + - /var/lib/config-data/keystone/etc/keystone/:/etc/keystone/:ro + - /var/lib/config-data/keystone/etc/httpd/:/etc/httpd/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index 9e203b7a..e5c78d6c 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -134,8 +134,9 @@ outputs: - /etc/localtime:/etc/localtime:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + step_5: nova_api_discover_hosts: - start_order: 3 + start_order: 1 image: *nova_api_image net: host detach: false diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index 7fc00b47..957eed7f 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -83,6 +83,15 @@ outputs: - /lib/modules:/lib/modules:ro - /run:/run - /var/lib/nova:/var/lib/nova - - libvirtd:/var/lib/libvirt + - /var/lib/libvirt:/var/lib/libvirt environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create /var/lib/libvirt + file: + path: /var/lib/libvirt + state: directory + upgrade_tasks: + - name: Stop and disable nova-compute service + tags: step2 + service: name=nova-compute state=stopped enabled=no diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml index 170468a5..3d849f59 100644 --- a/docker/services/nova-ironic.yaml +++ b/docker/services/nova-ironic.yaml 
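Review bot: Mounting `/var/lib/config-data/keystone/etc/keystone/:/etc/keystone/:ro` directly drops the `owner: keystone` / `perm: '0600'` that the removed kolla `config_files` entries enforced on `fernet-keys/0`, `fernet-keys/1` and `credential-keys/*`; the container now inherits whatever ownership and mode those files carry on the host, and this template no longer controls that. The generator of the `/var/lib/config-data/keystone` tree is outside this diff, so either confirm it writes the key directories keystone-owned and `0700`, or keep an explicit ownership/permission step in this template. The `:ro` flag also means nothing inside the container can rotate fernet keys in place; if `keystone-manage fernet_rotate` is expected to run there, the key directory needs a writable mount, which is worth noting in a comment on the `*keystone_volumes` anchor.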
@@ -85,6 +85,10 @@ outputs: - /run:/run - /dev:/dev - /etc/iscsi:/etc/iscsi - - nova_compute:/var/lib/nova/ + - /var/lib/nova/:/var/lib/nova environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable nova-compute service + tags: step2 + service: name=nova-compute state=stopped enabled=no diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index 85fabe5a..480bb80e 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -88,7 +88,19 @@ outputs: - /var/lib/nova:/var/lib/nova # Needed to use host's virtlogd - /var/run/libvirt:/var/run/libvirt - - libvirtd:/var/lib/libvirt - - nova_libvirt_qemu:/etc/libvirt/qemu + - /var/lib/libvirt:/var/lib/libvirt + - /etc/libvirt/qemu:/etc/libvirt/qemu environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create libvirt persistent data directories + file: + path: "{{ item }}" + state: directory + with_items: + - /etc/libvirt/qemu + - /var/lib/libvirt + upgrade_tasks: + - name: Stop and disable libvirtd service + tags: step2 + service: name=libvirtd state=stopped enabled=no diff --git a/environments/deployed-server-environment.j2.yaml b/environments/deployed-server-environment.j2.yaml new file mode 100644 index 00000000..327934da --- /dev/null +++ b/environments/deployed-server-environment.j2.yaml @@ -0,0 +1,11 @@ +resource_registry: + OS::TripleO::Server: ../deployed-server/deployed-server.yaml + OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port + OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None + +{% for role in roles %} + # Default nic config mappings + OS::TripleO::{{role.name}}::Net::SoftwareConfig: ../net-config-static.yaml +{% endfor %} + + OS::TripleO::ControllerDeployedServer::Net::SoftwareConfig: ../net-config-static-bridge.yaml diff --git a/environments/deployed-server-environment.yaml b/environments/deployed-server-environment.yaml deleted file mode 100644 index 7bc1bd9b..00000000 
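Review bot: The new `create libvirt persistent data directories` task creates `/etc/libvirt/qemu` and `/var/lib/libvirt` with only `state: directory`, so where they do not already exist they come out root-owned with the umask-default mode, and the bind mounts `/var/lib/libvirt:/var/lib/libvirt` and `/etc/libvirt/qemu:/etc/libvirt/qemu` then expose them read-write to the container. Pin them in the task with an explicit `mode: '0750'` and the `owner`/`group` the containerised libvirtd runs as (that uid is not visible here, so confirm it against the image) rather than relying on defaults. The `Stop and disable libvirtd service` upgrade task at step2 halts the host libvirtd before the container version exists; if the host service was managing running domains, the expected management gap is worth a comment on that task.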
--- a/environments/deployed-server-environment.yaml +++ /dev/null @@ -1,4 +0,0 @@ -resource_registry: - OS::TripleO::Server: ../deployed-server/deployed-server.yaml - OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port - OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml index e245a6af..2fdecb4f 100644 --- a/environments/enable-internal-tls.yaml +++ b/environments/enable-internal-tls.yaml @@ -12,9 +12,6 @@ resource_registry: OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml - OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml - OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml - OS::TripleO::Services::RabbitMQTLS: ../puppet/services/rabbitmq-internal-tls-certmonger.yaml # We use apache as a TLS proxy OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml diff --git a/environments/services/panko.yaml b/environments/services/panko.yaml deleted file mode 100644 index 28bf99f6..00000000 --- a/environments/services/panko.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resource_registry: - OS::TripleO::Services::PankoApi: ../../puppet/services/panko-api.yaml diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index d9eaf8df..b294d7cb 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -120,7 +120,6 @@ resource_registry: # services OS::TripleO::Services: puppet/services/services.yaml OS::TripleO::Services::Apache: puppet/services/apache.yaml - OS::TripleO::Services::ApacheTLS: OS::Heat::None OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CephMds: OS::Heat::None OS::TripleO::Services::CephMon: OS::Heat::None 
@@ -144,7 +143,6 @@ resource_registry: OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml OS::TripleO::Services::Kernel: puppet/services/kernel.yaml OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml - OS::TripleO::Services::MySQLTLS: OS::Heat::None OS::TripleO::Services::NeutronBgpvpnApi: OS::Heat::None OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml @@ -170,7 +168,6 @@ resource_registry: OS::TripleO::Services::PacemakerRemote: OS::Heat::None OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml - OS::TripleO::Services::RabbitMQTLS: OS::Heat::None OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml index e99f770f..7b780112 100644 --- a/overcloud.j2.yaml +++ b/overcloud.j2.yaml 
@@ -579,12 +579,24 @@ resources: PingTestIps: list_join: - ' ' - - - {get_attr: [{{primary_role_name}}, resource.0.external_ip_address]} - - {get_attr: [{{primary_role_name}}, resource.0.internal_api_ip_address]} - - {get_attr: [{{primary_role_name}}, resource.0.storage_ip_address]} - - {get_attr: [{{primary_role_name}}, resource.0.storage_mgmt_ip_address]} - - {get_attr: [{{primary_role_name}}, resource.0.tenant_ip_address]} - - {get_attr: [{{primary_role_name}}, resource.0.management_ip_address]} + - - yaql: + expression: coalesce($.data, []).first(null) + data: {get_attr: [Controller, external_ip_address]} + - yaql: + expression: coalesce($.data, []).first(null) + data: {get_attr: [Controller, internal_api_ip_address]} + - yaql: + expression: coalesce($.data, []).first(null) + data: {get_attr: [Controller, storage_ip_address]} + - yaql: + expression: coalesce($.data, []).first(null) + data: {get_attr: [Controller, storage_mgmt_ip_address]} + - yaql: + expression: coalesce($.data, []).first(null) + data: {get_attr: [Controller, tenant_ip_address]} + - yaql: + expression: coalesce($.data, []).first(null) + data: {get_attr: [Controller, management_ip_address]} UpdateWorkflow: type: OS::TripleO::Tasks::UpdateWorkflow diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml deleted file mode 100644 index 4c94f440..00000000 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ /dev/null 
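Review bot: The six rewritten `PingTestIps` entries hard-code `Controller` (`data: {get_attr: [Controller, external_ip_address]}`) where the removed lines used `{{primary_role_name}}`, so with a roles_data file whose primary role is not named `Controller` this template references a resource that does not exist. Keep the Jinja variable in every entry, `data: {get_attr: [{{primary_role_name}}, external_ip_address]}`; the `coalesce($.data, []).first(null)` wrapper already handles the empty-list case, which appears to be what this change is addressing, so nothing else needs to move. The `resources:` block continues outside the hunk.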
@@ -1,75 +0,0 @@ -heat_template_version: ocata - -description: > - Apache service TLS configurations. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - # The following parameters are not needed by the template but are - # required to pass the pep8 tests - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -resources: - - ApacheNetworks: - type: OS::Heat::Value - properties: - value: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap - -outputs: - role_data: - description: Role data for the Apache role. 
- value: - service_name: apache_internal_tls_certmonger - config_settings: - generate_service_certificates: true - apache_certificates_specs: - map_merge: - repeat: - template: - httpd-NETWORK: - service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' - service_key: '/etc/pki/tls/private/httpd-NETWORK.key' - hostname: "%{hiera('fqdn_NETWORK')}" - principal: "HTTP/%{hiera('fqdn_NETWORK')}" - for_each: - NETWORK: {get_attr: [ApacheNetworks, value]} - metadata_settings: - repeat: - template: - - service: HTTP - network: $NETWORK - type: node - for_each: - $NETWORK: {get_attr: [ApacheNetworks, value]} - upgrade_tasks: - - name: Check if httpd is deployed - command: systemctl is-enabled httpd - tags: common - ignore_errors: True - register: httpd_enabled - - name: "PreUpgrade step0,validation: Check service httpd is running" - shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' - when: httpd_enabled.rc == 0 - tags: step0,validation diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 2d950151..9bd282f8 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -31,13 +31,25 @@ parameters: type: boolean default: false +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: - ApacheTLS: - type: OS::TripleO::Services::ApacheTLS + ApacheNetworks: + type: OS::Heat::Value properties: - ServiceNetMap: {get_param: ServiceNetMap} + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # is for HAProxy so it isn't used for apache either. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap outputs: role_data: 
@@ -46,7 +58,6 @@ outputs: service_name: apache config_settings: map_merge: - - get_attr: [ApacheTLS, role_data, config_settings] - # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP @@ -64,8 +75,31 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" + - + generate_service_certificates: true + apache_certificates_specs: + map_merge: + repeat: + template: + httpd-NETWORK: + service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd-NETWORK.key' + hostname: "%{hiera('fqdn_NETWORK')}" + principal: "HTTP/%{hiera('fqdn_NETWORK')}" + for_each: + NETWORK: {get_attr: [ApacheNetworks, value]} metadata_settings: - get_attr: [ApacheTLS, role_data, metadata_settings] + if: + - internal_tls_enabled + - + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} + - null upgrade_tasks: - name: Check if httpd is deployed command: systemctl is-enabled httpd diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index b52955ef..26f1a96f 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml 
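Review bot: `generate_service_certificates: true` and `apache_certificates_specs` are added to `config_settings` unconditionally, while `metadata_settings` in the same hunk is gated on `internal_tls_enabled`, and the rabbitmq.yaml change in this same commit gates both with `if: [internal_tls_enabled, {...}, {}]`. Whether an ungated `generate_service_certificates: true` makes puppet-tripleo request httpd certificates on a deployment that never enabled internal TLS depends on the profile, which is not visible here, but the three templates should agree; wrap the new map_merge item as `- if:` / `- internal_tls_enabled` / `- generate_service_certificates: true ...` with `- {}` as the else branch, matching rabbitmq.yaml. The `ApacheNetworks` value the `for_each` reads is defined in the earlier hunk of this file.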
@@ -94,11 +94,7 @@ outputs: tripleo::profile::base::cinder::volume::cinder_enable_nfs_backend: {get_param: CinderEnableNfsBackend} tripleo::profile::base::cinder::volume::cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend} tripleo::profile::base::cinder::volume::nfs::cinder_nfs_mount_options: {get_param: CinderNfsMountOptions} - tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: - str_replace: - template: SERVERS - params: - SERVERS: {get_param: CinderNfsServers} + tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: {get_param: CinderNfsServers} tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize} tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper} tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol} diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml index fd1ee24b..20f64162 100644 --- a/puppet/services/congress.yaml +++ b/puppet/services/congress.yaml @@ -90,6 +90,7 @@ outputs: service_config_settings: keystone: congress::keystone::auth::tenant: 'service' + congress::keystone::auth::region: {get_param: KeystoneRegion} congress::keystone::auth::password: {get_param: CongressPassword} congress::keystone::auth::public_url: {get_param: [EndpointMap, CongressPublic, uri]} congress::keystone::auth::internal_url: {get_param: [EndpointMap, CongressInternal, uri]} diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml deleted file mode 100644 index 9f7eaf57..00000000 --- a/puppet/services/database/mysql-internal-tls-certmonger.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -heat_template_version: ocata - -description: > - MySQL configurations for using TLS via certmonger. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - # The following parameters are not needed by the template but are - # required to pass the pep8 tests - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -outputs: - role_data: - description: MySQL configurations for using TLS via certmonger. - value: - service_name: mysql_internal_tls_certmonger - config_settings: - generate_service_certificates: true - tripleo::profile::base::database::mysql::certificate_specs: - service_certificate: '/etc/pki/tls/certs/mysql.crt' - service_key: '/etc/pki/tls/private/mysql.key' - hostname: - str_replace: - template: "%{hiera('cloud_name_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - principal: - str_replace: - template: "mysql/%{hiera('cloud_name_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - metadata_settings: - - service: mysql - network: {get_param: [ServiceNetMap, MysqlNetwork]} - type: vip diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 808f1353..da55da3c 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -23,6 +23,10 @@ parameters: description: Configures MySQL max_connections config setting type: number default: 4096 + MysqlIncreaseFileLimit: + description: Flag to increase MySQL open-files-limit to 16384 + type: boolean + default: true MysqlRootPassword: type: string hidden: true 
@@ -38,13 +42,13 @@ parameters: description: The password for the nova db account type: string hidden: true + EnableInternalTLS: + type: boolean + default: false -resources: +conditions: - MySQLTLS: - type: OS::TripleO::Services::MySQLTLS - properties: - ServiceNetMap: {get_param: ServiceNetMap} + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -53,7 +57,6 @@ outputs: service_name: mysql config_settings: map_merge: - - get_attr: [MySQLTLS, role_data, config_settings] - # The Galera package should work in cluster and # non-cluster modes based on the config file. @@ -96,10 +99,32 @@ outputs: $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} tripleo::profile::base::database::mysql::client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]} + tripleo::profile::base::database::mysql::generate_dropin_file_limit: + {get_param: MysqlIncreaseFileLimit} + - generate_service_certificates: true + tripleo::profile::base::database::mysql::certificate_specs: + service_certificate: '/etc/pki/tls/certs/mysql.crt' + service_key: '/etc/pki/tls/private/mysql.key' + hostname: + str_replace: + template: "%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + principal: + str_replace: + template: "mysql/%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql metadata_settings: - get_attr: [MySQLTLS, role_data, metadata_settings] + if: + - internal_tls_enabled + - + - service: mysql + network: {get_param: [ServiceNetMap, MysqlNetwork]} + type: vip + - null upgrade_tasks: - name: Check for galera root password tags: step0 diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index d7555561..dc6daece 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml 
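Review bot: The map_merge item carrying `generate_service_certificates: true` and `tripleo::profile::base::database::mysql::certificate_specs` is not gated on the new `internal_tls_enabled` condition, although `metadata_settings` directly below it is, and the rabbitmq.yaml hunk in this commit gates its certificate specs with `if: [internal_tls_enabled, {...}, {}]`. Since `EnableInternalTLS` defaults to `false` in the parameter hunk above, every deployment will carry `generate_service_certificates: true` in hiera; whether puppet-tripleo then issues a certmonger request for the mysql VIP is not visible here, but making the item `- if:` / `- internal_tls_enabled` / `- generate_service_certificates: true ...` / `- {}` keeps TLS-disabled deployments free of certificate hiera and consistent with rabbitmq. The `hostname`/`principal` `str_replace` templates are carried over verbatim from the deleted mysql-internal-tls-certmonger.yaml.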
@@ -32,10 +32,6 @@ parameters: CephClientUserName: default: openstack type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint RedisPassword: description: The password for the redis service account. type: string @@ -72,7 +68,7 @@ outputs: gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 3 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} - gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneV3Internal, uri]} gnocchi::storage::ceph::ceph_pool: {get_param: GnocchiRbdPoolName} gnocchi::storage::ceph::ceph_username: {get_param: CephClientUserName} gnocchi::storage::ceph::ceph_keyring: diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index fec455d1..ee4c771f 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -56,5 +56,7 @@ outputs: value: 10000 kernel.pid_max: value: {get_param: KernelPidMax} + kernel.dmesg_restrict: + value: 1 step_config: | include ::tripleo::profile::base::kernel diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index bb102c08..7a24ffdd 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -57,6 +57,9 @@ parameters: default: tag: openstack.neutron.api path: /var/log/neutron/server.log + EnableInternalTLS: + type: boolean + default: false # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. @@ -71,10 +74,6 @@ parameters: removed in Ocata. Future releases will enable L3 HA by default if it is appropriate for the deployment type. Alternate mechanisms will be available to override. - EnableInternalTLS: - type: boolean - default: false - parameter_groups: - label: deprecated description: | 
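Review bot: `kernel.dmesg_restrict: 1` closes the `dmesg` path for unprivileged users, but the release note's stated goal of preventing exposure of kernel address information is only half covered: pointer disclosure through `/proc/kallsyms` and other `%pK` sites is governed by `kernel.kptr_restrict`, which this sysctl block does not set. Add the companion entry alongside it, `kernel.kptr_restrict:` / `  value: 1`, so the two knobs travel together. The upgrade note should also warn that any non-root tooling that reads the kernel log on these nodes will now need CAP_SYSLOG. The `sysctl_settings` map starts above this hunk.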
@@ -204,3 +203,5 @@ outputs: tags: step1 when: neutron_server_enabled.rc == 0 service: name=neutron-server state=stopped + metadata_settings: + get_attr: [TLSProxyBase, role_data, metadata_settings] diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index e25bc495..2c7ab57c 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -69,7 +69,10 @@ outputs: service_name: neutron_ovs_dpdk_agent config_settings: map_merge: - - get_attr: [NeutronOvsAgent, role_data, config_settings] + - map_replace: + - get_attr: [NeutronOvsAgent, role_data, config_settings] + - keys: + tripleo.neutron_ovs_agent.firewall_rules: tripleo.neutron_ovs_dpdk_agent.firewall_rules - neutron::agents::ml2::ovs::enable_dpdk: true neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType} neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir} diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index 3db0848e..5cf416f3 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml @@ -60,11 +60,7 @@ outputs: opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} - neutron::plugins::ovs::opendaylight::provider_mappings: - str_replace: - template: MAPPINGS - params: - MAPPINGS: {get_param: OpenDaylightProviderMappings} + neutron::plugins::ovs::opendaylight::provider_mappings: {get_param: OpenDaylightProviderMappings} tripleo.opendaylight_ovs.firewall_rules: '118 neutron vxlan networks': proto: 'udp' diff --git a/puppet/services/rabbitmq-internal-tls-certmonger.yaml b/puppet/services/rabbitmq-internal-tls-certmonger.yaml deleted file mode 100644 index 39d6b903..00000000 
--- a/puppet/services/rabbitmq-internal-tls-certmonger.yaml +++ /dev/null @@ -1,47 +0,0 @@ -heat_template_version: ocata - -description: > - RabbitMQ configurations for using TLS via certmonger. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - # The following parameters are not needed by the template but are - # required to pass the pep8 tests - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -outputs: - role_data: - description: RabbitMQ configurations for using TLS via certmonger. - value: - service_name: rabbitmq_internal_tls_certmonger - config_settings: - generate_service_certificates: true - tripleo::profile::base::rabbitmq::certificate_specs: - service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' - service_key: '/etc/pki/tls/private/rabbitmq.key' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - principal: - str_replace: - template: "rabbitmq/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - metadata_settings: - - service: rabbitmq - network: {get_param: [ServiceNetMap, RabbitmqNetwork]} - type: node diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index 92a0015a..47479783 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml 
@@ -52,14 +52,8 @@ parameters: type: boolean default: false -resources: - - RabbitMQTLS: - type: OS::TripleO::Services::RabbitMQTLS - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} +conditions: + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -69,7 +63,6 @@ outputs: monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq} config_settings: map_merge: - - get_attr: [RabbitMQTLS, role_data, config_settings] - rabbitmq::file_limit: {get_param: RabbitFDLimit} rabbitmq::default_user: {get_param: RabbitUserName} @@ -124,6 +117,24 @@ outputs: # TODO(jaosorior): Remove this once we set a proper default in # puppet-tripleo tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} + - + if: + - internal_tls_enabled + - generate_service_certificates: true + tripleo::profile::base::rabbitmq::certificate_specs: + service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + service_key: '/etc/pki/tls/private/rabbitmq.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + principal: + str_replace: + template: "rabbitmq/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + - {} step_config: | include ::tripleo::profile::base::rabbitmq upgrade_tasks: @@ -134,4 +145,10 @@ outputs: tags: step4 service: name=rabbitmq-server state=started metadata_settings: - get_attr: [RabbitMQTLS, role_data, metadata_settings] + if: + - internal_tls_enabled + - + - service: rabbitmq + network: {get_param: [ServiceNetMap, RabbitmqNetwork]} + type: node + - null diff --git a/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml new file mode 100644 index 00000000..682171c1 --- /dev/null 
+++ b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - Fixes an issue when using the CinderNfsServers + parameter_defaults setting. It now works using a + single share as well as a comma-separated list of + shares. diff --git a/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml new file mode 100644 index 00000000..bb18aed8 --- /dev/null +++ b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - Fixes firewall rules from neutron OVS agent not being + inherited correctly and applied in neutron OVS DPDK + template. diff --git a/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml new file mode 100644 index 00000000..79cea05e --- /dev/null +++ b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - Fixes OpenDaylightProviderMappings parsing on a + comma delimited list. diff --git a/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml new file mode 100644 index 00000000..d2b2eb94 --- /dev/null +++ b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - openstack-selinux is now installed by the deployed-server + bootstrap scripts. Previously, it was not installed, so + if SELinux was set to enforcing, all OpenStack policy + was missing. diff --git a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml new file mode 100644 index 00000000..c24e8921 --- /dev/null +++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml 
@@ -0,0 +1,11 @@ +--- +upgrade: + - | + The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive + kernel address information with unprivileged access. Deployments that set + or depend on values other than 1 for kernel.dmesg_restrict may be affected + by upgrading. +security: + - | + Kernel syslog contains sensitive kernel address information, setting + kernel.dmesg_restrict to avoid unprivileged access to this information. diff --git a/requirements.txt b/requirements.txt index 057aa287..df8a71f5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@ # The order of packages is significant, because pip processes them in the order # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. -pbr>=1.8 # Apache-2.0 +pbr>=2.0.0 # Apache-2.0 Jinja2!=2.9.0,!=2.9.1,!=2.9.2,!=2.9.3,!=2.9.4,>=2.8 # BSD License (3 clause) six>=1.9.0 # MIT @@ -25,5 +25,5 @@ except ImportError: pass setuptools.setup( - setup_requires=['pbr>=1.8'], + setup_requires=['pbr>=2.0.0'], pbr=True) |