aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-03-28Merge "Restrict Access to Kernel Message Buffer"Jenkins2-0/+13
2017-03-27Add missing ec2api::api::keystone_ec2_tokens_url configSven Anderson1-0/+5
Change-Id: I9a19aff24dede2bea3bf2959afa7adde00817ee0 Related-Bug: #1676491
2017-03-27Fixes port binding controller for OpenDaylightTim Rozet2-0/+46
In Ocata and later, the port binding controller for ODL was changed by default to be the pseudo agent controller, which requires a new feature "host config" for OVS. This patch modifies the default to use network-topology, which will work without any new host config features implemented (previous way of port binding). Closes-Bug: 1675211 Depends-On: I5004fdeb238dea81bc4f7e9437843a8a080d5b46 Change-Id: I6a6969d1d6b8d8b8ac31fecd57af85eb653245d2 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-27Merge "Sort ResourceGroup resource list"Jenkins1-1/+1
2017-03-27Remove 'Controller' role references from overcloud.j2.yamlDan Prince1-6/+6
This patch again removes hard coded role references to the overcloud.yaml template that was added in fd15a091f7ab6927833275df17b96ecacc2b1827. This breaks the composable undercloud work (undercloud-containers ci job as well). Change-Id: Ie30b2573dc4d2b45ebc0afc0e0d73bfdf41e4d4b Closes-bug: #1676528
2017-03-27Remove kolla_config copy from keystone service.Ian Main1-47/+3
Simplify the config of the keystone service by mounting in the configurations instead of specifying them all in kolla config. This is change is useful to limit the side effects of generating the config files and running the container is two separate steps as config directories are now bind-mounted inside the container instead of having files being copied to the container. We've seen examples of Apache's mod_ssl configuration file present on the container preventing it to start when puppet configured apache not to load the ssl module (in case TLS is disabled). Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: Ie33ffc7c2b1acf3e4e505d38efb104bf013f2ce6
2017-03-27Merge "Run nova-api hosts discovery after nova-compute start"Jenkins1-1/+2
2017-03-27Merge "docker/keystone: Bind mount entire fernet keys repository"Jenkins1-10/+5
2017-03-27Swift auth url should use a suffixPradeep Kilambi1-1/+1
gnocchi metricd and statsd are broken due to recent change to support keystone v3. see I2feed8b1219069128faa1a1e8dcd2ddfbae7e40a We need swift auth url to have suffix so it knows what endpoint to use. Change-Id: I753f37e121b95813e345f200ad3f3e75ec4bd7e1
2017-03-27Merge "Pick dynamically the first node for stack validation"Jenkins1-6/+18
2017-03-27MySQL: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles4-56/+26
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a
2017-03-27Apache: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles4-82/+39
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
2017-03-27Rabbitmq: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles4-59/+27
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa
2017-03-27N->O upgrade, blanks ipv6 rules before activating it.Sofer Athlan-Guyot1-0/+6
When the firewall is enabled with ipv6, the default rules set is taken as not ipv6 firewall was present for Newton. This make communication impossible until puppet is run again. This ensures that no rules are loaded when the firewall is enabled. This mimic this patch[1] [1] https://github.com/openstack/tripleo-heat-templates/commit/ae8aac36143d5dadb08af0d275f513678909dcc7 Change-Id: Id878b5caae666a799c89c8466ce46b9ecb86d9f7 Closes-Bug: #1675782
2017-03-27docker/keystone: Bind mount entire fernet keys repositoryJuan Antonio Osorio Robles1-10/+5
Previously only the first two intial fernet keys were mounted into the container. This is not practical, however, as doing key rotation will generate more entries in this repository. So instead we mount the whole directory, which would allow us to do rotation in the base host and seamlessly affect the container as well. Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8
2017-03-26Merge "Remove unused KeystoneRegion parameter from gnocchi-base"Jenkins1-4/+0
2017-03-26Merge "Setting keystone region for congress"Jenkins1-0/+1
2017-03-26Merge "docker/keystone: Actually set fernet as the default token provider"Jenkins1-1/+1
2017-03-26Merge "docker-puppet: skip empty volume entries"Jenkins1-1/+2
2017-03-26Merge "Enables increasing mariadb open files for noha deployments"Jenkins1-0/+6
2017-03-26Merge "Remove unnecesary code to enable panko-api"Jenkins2-3/+0
2017-03-25Merge "Fixes missing firewall rules for neutron_ovs_dpdk_agent service"Jenkins2-1/+9
2017-03-25Merge "Install openstack-selinux for deployed-server"Jenkins3-2/+10
2017-03-25Merge "Fix usage of CinderNfsServers"Jenkins2-5/+7
2017-03-25Merge "Add missing metadata_settings from neutron-api profile"Jenkins1-4/+5
2017-03-25Merge "Rework container volumes as hostpath mounts"Jenkins4-3/+15
2017-03-25Merge "Fixes OpenDaylightProviderMappings hiera parsing"Jenkins2-5/+5
2017-03-24Merge "Clarify Kolla build overrides for tripleo"Jenkins1-1/+5
2017-03-24Stop openstack-nova-compute during nova-ironic upgradeMarius Cornea1-0/+4
This change ensures that that openstack-nova-compute is stopped and disabled during the upgrade process. Closes-Bug: 1675814 Change-Id: Ifd2557b11e4317f1e76e459e8de4162116578eff
2017-03-24N->O Upgrade, make sure all nova placement parameter properly set.Sofer Athlan-Guyot1-3/+6
The restart of openstack-nova-compute takes place before crudini set the password, user_domain and project_name get set. Change-Id: I57b54d5f59d5803d7ad4e399d598f699785a5825 Closes-Bug: #1675739 Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
2017-03-24Rework container volumes as hostpath mountsBogdan Dobrelya4-3/+15
Also add upgrade_tasks to disable corresponding host services in order to not data race with containers Change-Id: I19c16aaa3e5a73436ca7aa7d06facf64feee2327 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-03-23[N->O] Fix wrong database connection for cell0 during upgrade.Sofer Athlan-Guyot2-1/+11
During upgrade the cell0 database has the connection pointing to mysql+pymysql://nova:c2cdagE8PyAbnpers3AD88Hge@10.0.0.19/nova_cell0?bind_address=10.0.0.20 where 10.0.0.20 was the ip of the bootstrap node. This makes the nova-api fails on 2/3 node at the end of the major-upgrade-composable-steps.yaml step. We do have the right value in the hiera database so make sure we use it for cell0 creation and not the nova.conf file which hasn't been updated yet. Change-Id: I09775206cb8fc5e15934f7e4475506a7fe17271e Closes-Bug: #1675359
2017-03-23Fixes OpenDaylightProviderMappings hiera parsingTim Rozet2-5/+5
The str_replace conversion used previously is no longer needed and breaks the hieradata value. Closes-Bug: 1675426 Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-23[N->O] is creating 2 default cell_v2 cellsOliver Walsh1-4/+4
A side-effect of running map_cell_and_hosts is that a default cell is created (unless host mappings already exists). As we are explicitly creating the default cell we need to run discover_hosts to create the host mappings. Change-Id: I1a28e9b85a7c43561700faf692248c5fc06b8ad8 Closes-Bug: #1675418
2017-03-23Merge "Keep existing data for containerized Libvirt"Jenkins2-3/+16
2017-03-23Add missing metadata_settings from neutron-api profileJuan Antonio Osorio Robles1-4/+5
This is needed for the TLS everywhere work. This will break on TLS-everywhere setups where neutron would be deployed in its own role. So we need to add the metadata_settings. bp tls-via-certmonger Change-Id: I7934a258e032d8eaa6f07c0e48b3fbdb1f8c6a06
2017-03-23Fix usage of CinderNfsServersChristian Schwede2-5/+7
This feature stopped working somewhere along the lines. In the past it was working with parameter_defaults like this: CinderNfsServers: '10.0.0.254:/srv/nfs/cinder' or CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder" The problem was that the templating escaped these strings, and puppet-tripleo didn't receive a proper array, but a string. This patch fixes this. It accepts strings as above as well as comma-delimited lists of Nfs Servers. Closes-Bug: 1671153 Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
2017-03-22Install openstack-selinux for deployed-serverJames Slagle3-2/+10
No other packages actually require openstack-selinux, so it must be explicity installed. Change-Id: Ic7b39ddfc4cfb28b8a08e9b02043211e4ca4a39a Closes-Bug: #1675170
2017-03-22Nic config mappings for deployed-serverJames Slagle2-4/+11
Adds default nic config mappings when using the deployed-server custom roles data at deployed-server/deployed-server-roles-data.yaml. Previously there were no default mappings as the hardcoded mapping for the Controller role from overcloud-resource-registry-puppet.j2.yaml would not be used since there is no Controller role when using deployed-server. The default mapping is net-config-static.yaml instead of net-config-noop.yaml, since there is no requirement of a L2 domain for dhcp between undercloud and overcloud nodes when using deployed-server. The convenience mapping of ControllerDeployedServer to net-config-static-bridge.yaml is also added so that out of the box the roles with controller services will get the right bridge created. The mappings can always be overridden in later environment files if needed. Change-Id: I581fec99b459a12512686e47b10b962756652eb3 Closes-Bug: #1670493 Depends-On: Ib681729cc2728ca4b0486c14166b6b702edfcaab
2017-03-22Fixes missing firewall rules for neutron_ovs_dpdk_agent serviceTim Rozet2-1/+9
Firewall config was being inherited by the dpdk service, however since the firewall service name was the parent (neutron_ovs_agent) and technically that service was not enabled - the rules were never applied. This modifies the service name as it is inherited using map_replace. Closes-Bug: 1674689 Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-22Run nova-api hosts discovery after nova-compute startMartin André1-1/+2
The previous code had a race condition where nova-api host discovery and nova-compute where run at the same step. This commit ensures host discovery happens after nova-compute has started. Change-Id: Id2fc795a64783d958d98d4ac523a19079e8a4fab Closes-Bug: #1675011
2017-03-22Remove unused KeystoneRegion parameter from gnocchi-baseJuan Antonio Osorio Robles1-4/+0
This is used in gnocchi-api.yaml and is not needed on the base template. Change-Id: I5ebd27dff3dca7053647a57eb4cdef56d38526c6
2017-03-22Only set EnableConfigPurge on major upgradesSteven Hardy7-9/+13
Bug #1611800 fixed an upgrade issue by enabling purging configs for some services, but this causes issues such as longer updates and restarting services in the minor update case, so only do this for major upgrades, and default to false. Related-Bug: #1611800 Closes-Bug: #1674858 Change-Id: Iff7d715f6730c5633f1146008504b4309ef3133d
2017-03-22Remove useless trailing '\n' in /etc/hosts file.Gael Chamoulaud1-1/+1
In HA deployment mode, we've got some trailing '\n' generated at the beginning of each controller role nodes line in the undercloud /etc/hosts [1]. [1] - http://paste.openstack.org/show/603721/ Closes-Bug: #1674697 Change-Id: Ic38bc2a5df79dadf72025f207e91a38cc0ab0a92 Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2017-03-22docker/keystone: Actually set fernet as the default token providerJuan Antonio Osorio Robles1-1/+1
A previous commit [1] added support for fernet in the keystone docker service; however, this was not set as the default token provider. This patch makes it the default. [1] Id92039b3bad9ecda169323e01de7bebae70f2ba0 Change-Id: Ib44ab61eba0be8ba54bc7d0bdb22437d769cb960
2017-03-22docker-puppet: skip empty volume entriesJuan Antonio Osorio Robles1-1/+2
This allows to optionally add volumes, where we could use a heat conditional to either put the volume path we want or put an empty string which should be safely skipped. Change-Id: I68f91ffdd8ceb14735adad1322fcf124c47b160c
2017-03-22Merge "Enables OpenDaylight clustering in HA deployments"Jenkins2-1/+7
2017-03-22Merge "Change kolla_config from required to optional in pep8."Jenkins1-3/+3
2017-03-22Restrict Access to Kernel Message Bufferzshi2-0/+13
Unprivileged access to the kernel syslog can expose sensitive kernel address information. Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2 Signed-off-by: zshi <zshi@redhat.com>
2017-03-21Merge "Keep existing data for containerized ironic-conductor"Jenkins2-12/+45