10 files changed, 42 insertions, 33 deletions

diff --git a/extraconfig/tasks/pacemaker_resource_restart.sh b/extraconfig/tasks/pacemaker_resource_restart.sh
index 1637cee2..fd1fd0dc 100755
--- a/extraconfig/tasks/pacemaker_resource_restart.sh
+++ b/extraconfig/tasks/pacemaker_resource_restart.sh
@@ -7,15 +7,23 @@ pacemaker_status=$(systemctl is-active pacemaker)
 # Run if pacemaker is running, we're the bootstrap node,
 # and we're updating the deployment (not creating).
 if [ "$pacemaker_status" = "active" -a \
-     "$(hiera bootstrap_nodeid)" = "$(facter hostname)" -a \
-     "$(hiera stack_action)" = "UPDATE" ]; then
+     "$(hiera bootstrap_nodeid)" = "$(facter hostname)" ]; then
 
-    PCMK_RESOURCES="haproxy-clone redis-master rabbitmq-clone galera-master openstack-cinder-volume openstack-cinder-backup"
-    # Ten minutes of timeout to restart each resource, given there are no constraints should be enough
     TIMEOUT=600
-    for resource in $PCMK_RESOURCES; do
-      if pcs status | grep $resource; then
-        pcs resource restart --wait=$TIMEOUT $resource
-      fi
+    SERVICES_TO_RESTART="$(ls /var/lib/tripleo/pacemaker-restarts)"
+    PCS_STATUS_OUTPUT="$(pcs status)"
+
+    for service in $SERVICES_TO_RESTART; do
+        if ! echo "$PCS_STATUS_OUTPUT" | grep $service; then
+            echo "Service $service not found as a pacemaker resource, cannot restart it."
+            exit 1
+        fi
+    done
+
+    for service in $SERVICES_TO_RESTART; do
+        echo "Restarting $service..."
+        pcs resource restart --wait=$TIMEOUT $service
+        rm -f /var/lib/tripleo/pacemaker-restarts/$service
     done
+
 fi
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index 758d9510..7595e4c3 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -31,6 +31,8 @@ outputs:
         # internal_api_uri -> [IP]
         # internal_api_subnet - > IP/CIDR
         apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
+        apache::server_signature: 'Off'
+        apache::server_tokens: 'Prod'
         apache_remote_proxy_ips_network:
           str_replace:
             template: "NETWORK_subnet"
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index 5b63da4d..c84c784e 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
@@ -99,10 +99,6 @@ outputs:
             # internal_api -> IP
             # internal_api_uri -> [IP]
             # internal_api_subnet - > IP/CIDR
-            tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_address:
-              str_replace:
-                template: "NETWORK_uri"
-                params:
-                  NETWORK: {get_param: [ServiceNetMap, CinderIscsiNetwork]}
+            tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_address: {get_param: [ServiceNetMap, CinderIscsiNetwork]}
       step_config: |
         include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index 23689e2a..adc1b4cb 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -94,14 +94,14 @@ outputs:
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/glance'
         glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
-        glance::api::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-        glance::api::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+        glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+        glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
         glance::api::registry_host:
           str_replace:
             template: "'REGISTRY_HOST'"
             params:
               REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]}
-        glance::api::keystone_password: {get_param: GlancePassword}
+        glance::api::authtoken::password: {get_param: GlancePassword}
         glance::api::enable_proxy_headers_parsing: true
         glance::api::debug: {get_param: Debug}
         glance::api::workers: {get_param: GlanceWorkers}
@@ -132,7 +132,7 @@ outputs:
               - 9292
               - 13292
         glance::keystone::auth::tenant: 'service'
-        glance::api::keystone_tenant: 'service'
+        glance::api::authtoken::project_name: 'service'
         glance::api::pipeline: 'keystone'
         glance::api::show_image_direct_url: true
         # NOTE: bind IP is found in Heat replacing the network name with the
diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml
index f633567e..d5f01d46 100644
--- a/puppet/services/glance-registry.yaml
+++ b/puppet/services/glance-registry.yaml
@@ -50,11 +50,11 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/glance'
-        glance::registry::keystone_password: {get_param: GlancePassword}
-        glance::registry::keystone_tenant: 'service'
+        glance::registry::authtoken::password: {get_param: GlancePassword}
+        glance::registry::authtoken::project_name: 'service'
         glance::registry::pipeline: 'keystone'
-        glance::registry::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-        glance::registry::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+        glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+        glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
         glance::registry::debug: {get_param: Debug}
         glance::registry::workers: {get_param: GlanceWorkers}
         glance::db::mysql::user: glance
diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml
index 5b55bd52..5c3f370e 100644
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@@ -58,9 +58,9 @@ outputs:
             ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
             # This is used to build links in responses
             ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
-            ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri]}
-            ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri]}
-            ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri]}
+            ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
+            ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
+            ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
             ironic::keystone::auth::auth_name: 'ironic'
             ironic::keystone::auth::password: {get_param: IronicPassword }
             ironic::keystone::auth::tenant: 'service'
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index 023d1364..da4ec26b 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -83,19 +83,19 @@ outputs:
             neutron::keystone::auth::admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] }
             neutron::keystone::auth::password: {get_param: NeutronPassword}
             neutron::keystone::auth::region: {get_param: KeystoneRegion}
-            neutron::server::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-            neutron::server::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+            neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
             neutron::server::api_workers: {get_param: NeutronWorkers}
             neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
             neutron::server::l3_ha: {get_param: NeutronL3HA}
-            neutron::server::password: {get_param: NeutronPassword}
+            neutron::keystone::authtoken::password: {get_param: NeutronPassword}
 
             neutron::server::notifications::nova_url: { get_param: [ EndpointMap, NovaInternal, uri ] }
             neutron::server::notifications::auth_url: { get_param: [ EndpointMap, KeystoneV3Admin, uri ] }
             neutron::server::notifications::tenant_name: 'service'
             neutron::server::notifications::project_name: 'service'
             neutron::server::notifications::password: {get_param: NovaPassword}
-            neutron::server::project_name: 'service'
+            neutron::keystone::authtoken::project_name: 'service'
             neutron::server::sync_db: true
             neutron::db::mysql::password: {get_param: NeutronPassword}
             neutron::db::mysql::user: neutron
diff --git a/puppet/services/neutron-sriov-agent.yaml b/puppet/services/neutron-sriov-agent.yaml
index 559500df..b9a93394 100644
--- a/puppet/services/neutron-sriov-agent.yaml
+++ b/puppet/services/neutron-sriov-agent.yaml
@@ -53,6 +53,6 @@ outputs:
       config_settings:
         neutron::agents::ml2::sriov::physical_device_mappings: {get_param: NeutronPhysicalDevMappings}
         neutron::agents::ml2::sriov::exclude_devices: {get_param: NeutronExcludeDevices}
-        neutron::agents::ml2::sriov::number_of_vfs: {get_param: NeutronSriovNumVFs}
+        tripleo::host::sriov::number_of_vfs: {get_param: NeutronSriovNumVFs}
       step_config: |
         include ::tripleo::profile::base::neutron::sriov
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 10521877..d7b0cd7c 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -61,9 +61,9 @@ outputs:
           - get_attr: [SwiftBase, role_data, config_settings]
 
           - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
-            swift::proxy::authtoken::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
-            swift::proxy::authtoken::admin_password: {get_param: SwiftPassword}
-            swift::proxy::authtoken::admin_tenant_name: 'service'
+            swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            swift::proxy::authtoken::password: {get_param: SwiftPassword}
+            swift::proxy::authtoken::project_name: 'service'
             swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
             swift::proxy::workers: {get_param: SwiftWorkers}
             swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]}
diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py
index d75aeb4f..7b3d3473 100755
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
@@ -17,6 +17,8 @@ import traceback
 import yaml
 
 
+required_params = ['EndpointMap', 'ServiceNetMap', 'DefaultPasswords']
+
 def exit_usage():
     print('Usage %s <yaml file or directory>' % sys.argv[0])
     sys.exit(1)
@@ -40,7 +42,6 @@ def validate_service(filename, tpl):
                   % filename)
             return 1
     if 'parameters' in tpl:
-        required_params = ['EndpointMap', 'ServiceNetMap', 'DefaultPasswords']
         for param in required_params:
             if param not in tpl['parameters']:
                 print('ERROR: parameter %s is required for %s.'
@@ -64,6 +65,8 @@ def validate(filename):
         return 1
     # yaml is OK, now walk the parameters and output a warning for unused ones
     for p in tpl.get('parameters', {}):
+        if p in required_params:
+            continue
         str_p = '\'%s\'' % p
         in_resources = str_p in str(tpl.get('resources', {}))
         in_outputs = str_p in str(tpl.get('outputs', {}))