summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2016-11-15Merge "Define keystone token provider"Jenkins1-1/+12
2016-11-15Merge "Disable password reveal in horizon"Jenkins1-0/+1
2016-11-14Define keystone token providerAlex Schultz1-1/+12
In order to eventually enable fernet tokens for keystone, we need to be specify the token provider. This change codifies the current default used by TripleO of uuid tokens and fernet token setup disabled. Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a Closes-Bug: #1641763
2016-11-14Merge "Fix typo in Keystone Sensu subscription"Jenkins1-1/+1
2016-11-14Merge "Use default Sensu redact"Jenkins1-3/+14
2016-11-14Merge "Fixes missing OVS Firewall config with OpenDaylight"Jenkins1-0/+6
2016-11-12Merge "Configure civetweb bind socket via puppet-tripleo"Jenkins1-9/+3
2016-11-11Merge "Neutron L3 service cleanups for hiera json hook"Jenkins1-7/+15
2016-11-11Merge "Enable internal TLS for Cinder API"Jenkins1-4/+13
2016-11-11Merge "Increasing neutron timeout for low memory usage"Jenkins1-0/+3
2016-11-11Merge "Handle null role_data in services"Jenkins1-10/+11
2016-11-11Fixes missing OVS Firewall config with OpenDaylightTim Rozet1-0/+6
Currently OVS tunnel firewall rules are held within the neutron ovs agent service heat template. That service is not used with ODL, so consequently ODL was missing the VXLAN and GRE firewall rules and traffic would not pass between nodes. This adds the missing rules to the OpenDaylight OVS service. Closes-Bug: 1641191 Change-Id: Icfd7db6a3e8fcdd02646fb7e413f40f26b03b994 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-11Configure civetweb bind socket via puppet-tripleoGiulio Fidente1-9/+3
When the civetweb binding IP is version 6 it needs to be enclosed in brackets or the bind socket parsing fails. The mangling happens in puppet-tripleo, this change updates the templates to push the appropriate hiera keys. Change-Id: Ic7004d768ed5e0f2382ffaa57961ea0ef9162527 Closes-Bug: #1636515 Depends-On: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
2016-11-11Merge "Fix inconsistent Manila service naming"Jenkins5-24/+24
2016-11-11Increasing neutron timeout for low memory usageArx Cruz1-0/+3
We are noticing several tests failing in our low memory environment because of timeout in neutron requests. As an example the test tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON fails because it requests to plug a vif, and send request to neutron, which responds in more than neutron_url_timeout, and since the option vif_plugging_is_fatal is set to True as default, the test fails. Shortly thereafter, checking in neutron log you can see the request, returning with the proper status, after more than neutron_url_timeout, however, it's already too late once nova already marked the instance with error status, and so the test fails. Closes-Bug: #1641135 Change-Id: If0991c114f199490ac0deb71eb569a42d4711359
2016-11-11Use default Sensu redactMartin Mágr1-3/+14
By default sensu-puppet is overring default list of varibles which should be redacted. This patch enables to configure redact list and uses default value given by [1]. This patch also serves as a workaround until [2] is merged in the module itself (or in case it won't get merged). [1] https://sensuapp.org/docs/0.24/reference/clients.html [2] https://github.com/sensu/sensu-puppet/pull/580 Closes-Bug: #1641080 Closes-Bug: rhbz#1392473 Change-Id: I21201f734d2fbf5f571091603126cf11cfdd8c40
2016-11-11Merge "Add missing Barbican endpoint from tls-everywhere environment"Jenkins1-0/+3
2016-11-10Merge "Fix race during major-upgrade-pacemaker step"Jenkins8-263/+315
2016-11-10Merge "Removes deprecated overcloud VIP outputs"Jenkins1-54/+0
2016-11-10Merge "Fixes incorrect reference to OpendaylightApiNetwork"Jenkins1-1/+1
2016-11-10Merge "Ensure heat-domain hiera is in nodes that contain keystone"Jenkins3-12/+21
2016-11-10Fix inconsistent Manila service namingSteven Hardy5-24/+24
The capitalization of OS::Tripleo is wrong compared to all other services so correct this for avoidance of confusion when folks write custom roles_data files or pass custom service lists via *Services parameters. Change-Id: Ib73c80871b45586edb5774e90280ff89fc0d9895 Closes-Bug: 1640871
2016-11-10Fix typo in Keystone Sensu subscriptionMartin Mágr1-1/+1
Closes-Bug: rhbz#1392428 Closes-Bug: #1640834 Change-Id: I2a1a869493ccb4c8d5b9aea26b8ef947750d2cfe
2016-11-10Merge "Select bootstrap node by list index not name"Jenkins1-2/+13
2016-11-10Neutron L3 service cleanups for hiera json hookDan Prince1-7/+15
This patch resolves a few issues I noticed when porting our Neutron L3 service to support the new heat hiera agent hook (which uses Json instead of Yaml). - If NeutronExternalNetworkBridge is an emptry string '' Json was dropping the single quotes thus causing the bridge to get set incorrectly in the config file. To correct this we use a heat conditional to avoid setting the external bridge (the '' default is what we want in this case) if the bridge is an empty string. Change-Id: I5037cbde6b76a37a4c22c4616278420e9d759109 Partial-bug: #1596373
2016-11-10Handle null role_data in servicesDan Prince1-10/+11
This patch updates the Yaql expressions that work on role_data so that they evaluate properly when the get_attr for role_data is null. I hit issues using this for the heat undercloud installer and this seems to resolve them. Change-Id: I0493d0525cd3ad280339f26ef9d3aa311af9962e
2016-11-10Select bootstrap node by list index not nameSteven Hardy1-2/+13
Modify the syntax used to access the ResourceGroup attributes so we always select the first node from the group, e.g even if the node named "0" in the ResourceGroup nested stack has been removed due to the removal policy. Change-Id: I8b1c9538976a1518b220187a0034ad41a738d5a6 Closes-Bug: #1640449
2016-11-10Merge "Add firewall rules for manila api service"Jenkins1-0/+5
2016-11-09Add firewall rules for manila api serviceTom Barron1-0/+5
When the manila api service is deployed on a different role than the controller the iptables rules on that role fail to ACCEPT tcp at the manila API ports. Add tripleo.manila_api.firewall_rules to the relevant puppet services module. Change-Id: I1c5459f5ba989657fd99fd72c7ac9f8781cc7206 Closes-Bug: #1640568
2016-11-09Merge "Reload haproxy configuration as a post-deployment step"Jenkins3-3/+36
2016-11-09Merge "ceilometer compute agent needs restart on compute upgrade"Jenkins1-0/+4
2016-11-09Merge "set url_base option in static web middleware"Jenkins1-0/+1
2016-11-09Disable password reveal in horizonAlex Schultz1-0/+1
To improve security, we should disable the password reveal option in horizon by default. An end user can override this options via their own custom hiera if they would ultimately like to have this functionality. Change-Id: Ie88dac5610840eb4b327252b32dc469099ba5f5f Depends-On: Iacf899d595a2a3c522df1b96ca527731937ec698 Closes-Bug: 1640492
2016-11-09Fix race during major-upgrade-pacemaker stepMichele Baldessari8-263/+315
Currently when we call the major-upgrade step we do the following: """ ... if [[ -n $(is_bootstrap_node) ]]; then check_clean_cluster fi ... if [[ -n $(is_bootstrap_node) ]]; then migrate_full_to_ng_ha fi ... for service in $(services_to_migrate); do manage_systemd_service stop "${service%%-clone}" ... done """ The problem with the above code is that it is open to the following race condition: 1. Code gets run first on a non-bootstrap controller node so we start stopping a bunch of services 2. Pacemaker notices will notice that services are down and will mark the service as stopped 3. Code gets run on the bootstrap node (controller-0) and the check_clean_cluster function will fail and exit 4. Eventually also the script on the non-bootstrap controller node will timeout and exit because the cluster never shut down (it never actually started the shutdown because we failed at 3) Let's make sure we first only call the HA NG migration step as a separate heat step. Only afterwards we start shutting down the systemd services on all nodes. We also need to move the STONITH_STATE variable into a file because it is being used across two different scripts (1 and 2) and we need to store that state. Co-Authored-By: Athlan-Guyot Sofer <sathlang@redhat.com> Closes-Bug: #1640407 Change-Id: Ifb9b9e633fcc77604cca2590071656f4b2275c60
2016-11-09Merge "Defaults kernel.pid_max to 1048576"Jenkins1-0/+6
2016-11-09Merge "Enable internal TLS for Nova API"Jenkins1-4/+13
2016-11-09Merge "Add Sahara plugins list as a configurable parameter"Jenkins1-7/+5
2016-11-08set url_base option in static web middlewareThiago da Silva1-0/+1
Depends-On: Icf45cf2aece398b836c87ddffde5d3056e96dc4d Change-Id: I3577dc38a0b52092ee5e98a381eb52c3d2768c10 Signed-off-by: Thiago da Silva <thiago@redhat.com>
2016-11-08Merge "Enable internal TLS for gnocchi"Jenkins1-2/+11
2016-11-08ceilometer compute agent needs restart on compute upgradePradeep Kilambi1-0/+4
After compute nodes are upgraded, the ceilometer compute agent doesnt poll and throws warnings. Restarting the compute agent at this step gets the service back to its normal state. Closes-Bug: #1640177 Change-Id: I7392de43e933b1d16002e12e407748ae289d5e99
2016-11-08Merge "Do not reference CephBase from CephExternal service"Jenkins1-2/+24
2016-11-08Merge "Use --globoff when downloading artifacts"Jenkins1-1/+1
2016-11-08Merge "Add SNMP role to the CephStorage nodes"Jenkins1-0/+1
2016-11-08Reload haproxy configuration as a post-deployment stepCarlos Camacho3-3/+36
After deploying a fresh installed Overcloud or updating the stack the haproxy configuration is updated correctly but no change in the HA proxy stats happens. This submission will add the missing resources to run pre and post puppet tasks. Closes-bug: 1640175 Change-Id: I2f08704daeee502c618256695a30ce244a1d7ba5
2016-11-08Use --globoff when downloading artifactsGiulio Fidente1-1/+1
We do not encode the chars like [] possibly found in the artifacts URL, so curl tries to glob against IPv6 addresses in brackets. This change adds --globoff to the curl options so that IPv6 addresses in brackets are not misinterpreted. Closes-Bug: 1640148 Change-Id: Ic86ba1e5fb674bc15b4bcc6bd3ea9e943c4fbf8e
2016-11-08Enable internal TLS for Cinder APIJuan Antonio Osorio Robles1-4/+13
This adds the necessary hieradata for enabling TLS in the internal network for Cinder API. bp tls-via-certmonger Depends-On: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863 Change-Id: I126e890076bc96b1cd166a919eff6aa1bb80510b
2016-11-07Removes deprecated overcloud VIP outputsTim Rozet1-54/+0
These VIPs were previously used to create endpoints, but are no longer used. The one exception is KeystoneAdminVip, which is used by the python-client. Closes-Bug: 1639956 Change-Id: Iafdf37b6ee91806d683592a99e025a8de4c0ff20 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-07Fixes incorrect reference to OpendaylightApiNetworkTim Rozet1-1/+1
The renaming of the network to conform to correct case parsing was done and converted OpenDaylightApiNetwork -> OpendaylightApiNetwork. There was still a reference to the old network name which would result in an empty value being pass to odl_bind_ip. Closes-Bug: 1639944 Change-Id: I17fe348c4651420112b9b37711654a454e30b291 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-07Add missing Barbican endpoint from tls-everywhere environmentJuan Antonio Osorio Robles1-0/+3
Change-Id: Ibabf09a8b6f35c9b086efeffcf7db89ab8d6b63b
2016-11-07Ensure heat-domain hiera is in nodes that contain keystoneJuan Antonio Osorio Robles3-12/+21
The commit that this depends on only works if heat is deployed in the same node as keystone. Once we deploy them in different nodes, keystone won't be able to retrieve the appropriate hieradata. This fixes that by setting the appropriate hieradata to be deployed on the keystone service by the heat profiles. Change-Id: I1f08db68a14486526879d1a5a1ff78cb17686924 Depends-On: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe