Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Simplify the config of the keystone service by mounting in the
configurations instead of specifying them all in kolla config.
This is change is useful to limit the side effects of generating the
config files and running the container is two separate steps as config
directories are now bind-mounted inside the container instead of having
files being copied to the container. We've seen examples of Apache's
mod_ssl configuration file present on the container preventing it to
start when puppet configured apache not to load the ssl module (in case
TLS is disabled).
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: Ie33ffc7c2b1acf3e4e505d38efb104bf013f2ce6
|
|
|
|
|
|
gnocchi metricd and statsd are broken due to recent change
to support keystone v3. see I2feed8b1219069128faa1a1e8dcd2ddfbae7e40a
We need swift auth url to have suffix so it knows what endpoint
to use.
Change-Id: I753f37e121b95813e345f200ad3f3e75ec4bd7e1
|
|
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa
|
|
Previously only the first two intial fernet keys were mounted into the
container. This is not practical, however, as doing key rotation will
generate more entries in this repository. So instead we mount the whole
directory, which would allow us to do rotation in the base host and
seamlessly affect the container as well.
Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Also add upgrade_tasks to disable corresponding host
services in order to not data race with containers
Change-Id: I19c16aaa3e5a73436ca7aa7d06facf64feee2327
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
The str_replace conversion used previously is no longer needed and
breaks the hieradata value.
Closes-Bug: 1675426
Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
|
|
This is needed for the TLS everywhere work. This will break on
TLS-everywhere setups where neutron would be deployed in its own role.
So we need to add the metadata_settings.
bp tls-via-certmonger
Change-Id: I7934a258e032d8eaa6f07c0e48b3fbdb1f8c6a06
|
|
This feature stopped working somewhere along the lines. In the past it
was working with parameter_defaults like this:
CinderNfsServers: '10.0.0.254:/srv/nfs/cinder'
or
CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder"
The problem was that the templating escaped these strings, and
puppet-tripleo didn't receive a proper array, but a string.
This patch fixes this. It accepts strings as above as well as
comma-delimited lists of Nfs Servers.
Closes-Bug: 1671153
Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
|
|
No other packages actually require openstack-selinux, so it must be
explicity installed.
Change-Id: Ic7b39ddfc4cfb28b8a08e9b02043211e4ca4a39a
Closes-Bug: #1675170
|
|
Adds default nic config mappings when using the deployed-server custom
roles data at deployed-server/deployed-server-roles-data.yaml.
Previously there were no default mappings as the hardcoded mapping for
the Controller role from overcloud-resource-registry-puppet.j2.yaml
would not be used since there is no Controller role when using
deployed-server.
The default mapping is net-config-static.yaml instead of
net-config-noop.yaml, since there is no requirement of a L2 domain for
dhcp between undercloud and overcloud nodes when using deployed-server.
The convenience mapping of ControllerDeployedServer to
net-config-static-bridge.yaml is also added so that out of the box the
roles with controller services will get the right bridge created.
The mappings can always be overridden in later environment files if
needed.
Change-Id: I581fec99b459a12512686e47b10b962756652eb3
Closes-Bug: #1670493
Depends-On: Ib681729cc2728ca4b0486c14166b6b702edfcaab
|
|
Firewall config was being inherited by the dpdk service, however
since the firewall service name was the parent (neutron_ovs_agent)
and technically that service was not enabled - the rules were never
applied. This modifies the service name as it is inherited using
map_replace.
Closes-Bug: 1674689
Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
The previous code had a race condition where nova-api host discovery
and nova-compute where run at the same step. This commit ensures host
discovery happens after nova-compute has started.
Change-Id: Id2fc795a64783d958d98d4ac523a19079e8a4fab
Closes-Bug: #1675011
|
|
This is used in gnocchi-api.yaml and is not needed on the base template.
Change-Id: I5ebd27dff3dca7053647a57eb4cdef56d38526c6
|
|
A previous commit [1] added support for fernet in the keystone docker
service; however, this was not set as the default token provider. This
patch makes it the default.
[1] Id92039b3bad9ecda169323e01de7bebae70f2ba0
Change-Id: Ib44ab61eba0be8ba54bc7d0bdb22437d769cb960
|
|
This allows to optionally add volumes, where we could use a heat
conditional to either put the volume path we want or put an empty string
which should be safely skipped.
Change-Id: I68f91ffdd8ceb14735adad1322fcf124c47b160c
|
|
|
|
|
|
Unprivileged access to the kernel syslog can expose sensitive
kernel address information.
Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2
Signed-off-by: zshi <zshi@redhat.com>
|
|
|
|
|
|
We've decided to use volumes for configuration wherever possible.
This means moving away from kolla_config blocks in the templates.
Update pep8 to reflect this.
Change-Id: If1ec40d0e5a515eed35e0cd04711079294f358c3
|
|
|
|
|