summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-04-19Merge "Introduce common CAs to be mounted to the containers"Jenkins1-0/+5
2017-04-19Merge "Introduce common resources for docker templates"Jenkins36-349/+644
2017-04-19Merge "Rework DOCKER_PUPPET_CONFIG validate tool"Jenkins1-7/+11
2017-04-19Merge "Use underscore for Aodh and Gnocchi's container names"Jenkins2-4/+4
2017-04-19Merge "Use tripleo profile for bigswitch agent"Jenkins1-3/+1
2017-04-19Merge "Add migration SSH tunneling support"Jenkins3-1/+22
2017-04-18Merge "SSH known_hosts config"Jenkins11-1/+324
2017-04-18Merge "Run token flush cron job hourly by default"Jenkins2-1/+8
2017-04-18Merge "Support for external swift proxy"Jenkins5-0/+89
2017-04-18Merge "Fix nova-compute service name in upgrade steps"Jenkins2-2/+2
2017-04-18Merge "Non-ha multinode environment for container upgrade job"Jenkins1-0/+61
2017-04-18Merge "Add RoleNetIpMap output to overcloud.j2.yaml"Jenkins1-0/+6
2017-04-18Run token flush cron job hourly by defaultJuan Antonio Osorio Robles2-1/+8
Running this job once a day has proven problematic for large deployments as seen in the bug report. Setting it to run hourly would be an improvement to the current situation, as the flushes wouldn't need to process as much data. Note that this only affects people using UUID as the token provider. Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a Related-Bug: #1649616
2017-04-18Introduce common CAs to be mounted to the containersJuan Antonio Osorio Robles1-0/+5
When TLS is enabled, the containers need to trust the CAs that the host trusts. Change-Id: I0434b0ac10290970857cad3d1a89d00f5b054196
2017-04-18Introduce common resources for docker templatesJuan Antonio Osorio Robles36-349/+644
This enables common resources that the docker templates might need. The initial resource only is common volumes, and two volumes are introduced (localtime and hosts). Change-Id: Ic55af32803f9493a61f9b57aff849bfc6187d992
2017-04-18Support for external swift proxyLuca Lorenzetto5-0/+89
Users may have an external swift proxy already available (i.e. radosgw from already existing ceph, or hardware appliance implementing swift proxy). With this change user may specify an environment file that registers the specified urls as endpoint for the object-store service. The internal swift proxy is left as unconfigured. Change-Id: I5e6f0a50f26d4296565f0433f720bfb40c5d2109 Depends-On: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
2017-04-16Revert "Use httpd in Zaqar docker service"Dan Prince1-6/+3
This reverts commit 57a26486128982c9887edd02eb8897045215b10a. Change-Id: I1bbe16a1a7a382ae0c898bd19cd64d3d49aa84c7 Closes-bug: #1683210
2017-04-15Add migration SSH tunneling supportOliver Walsh3-1/+22
This enables nova cold migration. This also switches to SSH as the default transport for live-migration. The tripleo-common mistral action that generates passwords supplies the MigrationSshKey parameter that enables this. The TCP transport is no longer used for live-migration and the firewall port has been closed. Change-Id: I4e55a987c93673796525988a2e4cc264a6b5c24f Depends-On: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: I9e7a1862911312ad942233ac8fc828f4e1be1dcf Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
2017-04-14Merge "Allow for update after RHEL registration"Jenkins2-0/+43
2017-04-14Rework DOCKER_PUPPET_CONFIG validate toolBogdan Dobrelya1-7/+11
* Split it to REQUIRED/OPTIONAL * Move puppet_tags to OPTIONAL as it already has a default set of tags that need not to be repeated explicitly. Change-Id: Ib70176f1edf61228771c983b0c3231fb7939a316 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-13Merge "Add name and description fields to plan-environment.yaml"Jenkins2-5/+11
2017-04-13SSH known_hosts configOliver Walsh11-1/+324
Fetch the host public keys from each node, combine them all and write to the system-wide ssh known hosts. The alternative of disabling host key verification is vulnerable to a MITM attack. Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
2017-04-13Merge "Add tags to roles"Jenkins5-7/+52
2017-04-13Merge "Use comma_delimited_list for token flush cron time settings"Jenkins1-5/+5
2017-04-13Merge "Do not log errors on non-existing container"Jenkins1-1/+4
2017-04-13Merge "Add Docker to services list in multinode CI environments"Jenkins7-0/+8
2017-04-13Fix nova-compute service name in upgrade stepsJiri Stransky2-2/+2
Previously Ansible upgrade steps failed with: Could not find the requested service nova-compute: cannot disable. Change-Id: I14e8bc89aca0a3f7308d88488b431e23251cc043 Closes-Bug: #1682373
2017-04-13Use underscore for Aodh and Gnocchi's container namesJuan Antonio Osorio Robles2-4/+4
The rest of the services are using underscores, so this helps uniformity. Change-Id: I4ce3cc76f430a19fa08c77b004b86ecad02119ae
2017-04-12Merge "Update Dell EMC Cinder back end services"Jenkins2-0/+6
2017-04-12Merge "yum_update.sh - Use the yum parameter: check-update"Jenkins1-3/+11
2017-04-12Merge "Add upgrade tasks for gnocchi container services"Jenkins3-0/+12
2017-04-12Merge "Add IPv6 disable option"Jenkins2-0/+15
2017-04-12Merge "Use httpd in Zaqar docker service"Jenkins1-3/+6
2017-04-12Merge "Add composable role support for NetApp Cinder back end"Jenkins6-159/+132
2017-04-12Add name and description fields to plan-environment.yamlAna Krivokapic2-5/+11
Change-Id: I99b96343742ee5c40d8786e26b2336427e225c82 Implements: blueprint update-plan-environment-yaml
2017-04-12Merge "Bind mount directories that contain the key/certs for keystone"Jenkins2-0/+45
2017-04-12Merge "docker/all: Bind-mount OpenSSL CA bundle"Jenkins1-0/+6
2017-04-12Merge "Change the directory for httpd certs/keys to be service-specific"Jenkins1-2/+4
2017-04-12Add tags to rolesAlex Schultz5-7/+52
Prior to Ocata, the Controller role was hardcoded for various lookups. When we switched to having the primary role name being dynamically pulled from the roles_data.yaml using the first role as the primary role as part of I36df7fa86c2ff40026d59f02248af529a4a81861, it introduced a regression for folks who had previously been using a custom roles file without the Controller being listed first. Instead of relying on the position of the role in the roles data, this change adds the concepts of tags to the role data that can be used when looking for specific functionality within the deployment process. If no roles are specified with this the tags indicating a 'primary' 'controller', it will fall back to using the first role listed in the roles data as the primary role. Change-Id: Id3377e7d7dcc88ba9a61ca9ef1fb669949714f65 Closes-Bug: #1677374
2017-04-12Non-ha multinode environment for container upgrade jobJiri Stransky1-0/+61
Non-working containers upgrade CI is caused by the fact that all multinode jobs deploy pacemaker environments. Currently we cannot upgrade Pacemakerized deployments anyway (containerization of pacemakerized services is WIP), upgrades have only been tested with non-Pacemaker deployments so far. We need a new environment which will not try deploying in a pacemakerized way. When pacemaker-managed services are containerized, we can change the job to upgrade an HA deployment (or single-node "HA" at least), and perhaps even get rid of the environment file introduced here, and reuse multinode.yaml. Change-Id: Ie635b1b3a0b91ed5305f38d3c76f6a961efc1d30 Closes-Bug: #1682051
2017-04-12Use comma_delimited_list for token flush cron time settingsJuan Antonio Osorio Robles1-5/+5
This allows us to better configure these parametes, e.g. we could set the cron job to run more times per day, and not just one. Change-Id: I0a151808804809c0742bcfa8ac876e22f5ce5570 Closes-Bug: #1682097
2017-04-12Bind mount directories that contain the key/certs for keystoneJuan Antonio Osorio Robles2-0/+45
This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd. Which is the commit this is on top of. Also, an environment file was added that's similar to environments/docker.yaml. The difference is that this one will contain the services that can run containerized with TLS-everywhere. This file will be updated as more services get support for this. bp tls-via-certmonger-containers Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78
2017-04-12docker/all: Bind-mount OpenSSL CA bundleJuan Antonio Osorio Robles1-0/+6
The containers also need to trust the CA's that the overcloud node trusts, else we'll get SSL verification failures. bp tls-via-certmonger-containers Change-Id: I7d3412a6273777712db2c90522e365c413567c49
2017-04-12Merge "Grouped all the Operational tools"Jenkins1-1/+9
2017-04-11Merge "Add missing name properties on deloyment resources"Jenkins2-0/+3
2017-04-11Add RoleNetIpMap output to overcloud.j2.yamlSteven Hardy1-0/+6
To enable easier detection of the IPs associated with nodes (such as to enable the tripleo-validations ansible inventory to work with custom roles more easily) expose the data we already have about the nodes/roles and the list of IPs for each network. Change-Id: I5667a142f47fbff120c703bedadd8b6e163c9480
2017-04-11docker: use noop_resource for Nova_cell_v2Dan Prince1-1/+4
Per puppet-nova commit 2c743a6bff5b17a85d1e0500f3a9ecb21468204e there is now a custom resource for Nova_cell_v2 configuration. As this resource runs automatically regardless of our use of puppet tags we need to explicitly disable it to be able to generate Nova API configs for docker. Change-Id: Id675dc124464acddc3fc5a88b017a351e93ba685 Closes-bug: #1681841
2017-04-11Change the directory for httpd certs/keys to be service-specificJuan Antonio Osorio Robles1-2/+4
This moves the directories containing the certs/keys for httpd one step further inside the hierarchy. This way we will be able to bind-mount this certificate into the container without bind-mounting any other certs/keys from other services. bp tls-via-certmonger-containers Change-Id: Ibe6e66ae4589b9eab7db330dd8b178e0f8775639 Depends-On: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-11Merge "Decouple Swift ringbuilding logic"Jenkins5-94/+10
2017-04-11Add Docker to services list in multinode CI environmentsJiri Stransky7-0/+8
We need the service to be present to run jobs involving containers. Note that this is effectively a no-op for the current CI jobs, as by default the Docker service is mapped to OS::Heat::None. Docker will actually be deployed only if environments/docker.yaml is included in the deploy command. Change-Id: I97a35e30e428ff64feeb411bf63dbb7aa54f9829