aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-03-22Restrict Access to Kernel Message Bufferzshi2-0/+13
Unprivileged access to the kernel syslog can expose sensitive kernel address information. Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2 Signed-off-by: zshi <zshi@redhat.com>
2017-03-21Merge "Keep existing data for containerized ironic-conductor"Jenkins2-12/+45
2017-03-21Merge "Cleanup docker services templates"Jenkins16-85/+40
2017-03-20Merge "Containerize panko api service"Jenkins3-1/+121
2017-03-20Merge "Don't try to run os-net-config from yum_update.sh"Jenkins1-11/+0
2017-03-20Merge "Bind redis-sentinel to its network"Jenkins1-0/+1
2017-03-20Merge "Fixes multiple issues with retry function in rhel-registration."Jenkins1-17/+31
2017-03-20Keep existing data for containerized ironic-conductorJiri Stransky2-12/+45
Use mounts instead of docker volumes, and preserve existing data when moving from baremetal to containerized ironic-conductor. We cannot keep the data in the same directory to avoid hard-linking errors in ironic, because of this issue: https://github.com/docker/docker/issues/7457 This means we need to copy the data over to a new location before we start the containers. Change-Id: If98460120212f887b06adf117c5d88b97682638e
2017-03-18Merge "Make sure PrePuppet runs before any Deployment_Step"Jenkins1-1/+1
2017-03-18Merge "Add certmonger-user profile"Jenkins7-0/+51
2017-03-17Merge "docker/keystone: add metadata_settings to output"Jenkins1-0/+2
2017-03-17Merge "Keep existing data for containerized Swift"Jenkins2-16/+26
2017-03-17Merge "Keep existing data for containerized RabbitMQ"Jenkins1-2/+7
2017-03-17Make sure PrePuppet runs before any Deployment_StepMichele Baldessari1-1/+1
We used to have this in mitaka: https://github.com/openstack/tripleo-heat-templates/blob/stable/mitaka/puppet/controller-post.yaml#L45 but we lost it along the way. The problem without this change is that we are open to the following race: 1) ControllerDeployment_Step1 is started and manages to do a successful "systemctl start pacemaker" 2) PrePuppet gets called and in the HA deployment calls pacemaker_maintenance_mode.sh 3) pacemaker_maintenance_mode.sh will set the maintenance-mode=true property because the pacemaker service is already up: https://github.com/openstack/tripleo-heat-templates/blob/master/extraconfig/tasks/pacemaker_maintenance_mode.sh#L8-L9 4) If the maintenance property is set to true at this stage, the creation of any resource will take place but they won't really start. Change-Id: Icb7495edd00385b2975dd42f63085d20292ef9a9 Closes-Bug: #1673795 Co-Authored-By: Jiri Stransky <jstransk@redhat.com>
2017-03-17Containerize panko api serviceFlavio Percoco3-1/+121
Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com> Closes-bug: #1668918 Change-Id: Ie1ebd25965bd2dbad2a22161da0022bad0b9e554
2017-03-17Merge "docker: Add metadata_settings to optional parameters for yaml validate"Jenkins1-1/+2
2017-03-17Merge "Keep existing data for containerized MongoDB"Jenkins1-1/+15
2017-03-17Merge "Explicitly configure credentials used by ironic to access other services"Jenkins1-4/+39
2017-03-17Bind redis-sentinel to its networkMichele Baldessari1-0/+1
We currently do not bind redis-sentinel to any IP: redis 21144 0.0 0.0 142908 5908 ? Ssl 07:43 0:11 /usr/bin/redis-sentinel *:26379 [sentinel] Let's bind it to the same network as redis. Change-Id: I8a782ae1db84eb614aa3995a1638a2f370e70d06 Partial-Bug: #1673715
2017-03-16Merge "Added release note for NeutronExternalNetworkBridge deprecation"Jenkins1-0/+10
2017-03-16Explicitly configure credentials used by ironic to access other servicesDmitry Tantsur1-4/+39
Using keystone_authtoken credentials for this purpose is deprecated, and also prevents ironic-conductor from being used as a separate role. Also remove neutron_url, it can be fetched from the catalog instead. Change-Id: I12822568cb4db31808aec5fd407d71fe4b7b09e0 Depends-On: I21180678bec911f1be36e3b174bae81af042938c Partial-Bug: #1661250
2017-03-16Merge "Keep existing data when moving to containerized MariaDB"Jenkins1-4/+21
2017-03-16docker/keystone: add metadata_settings to outputJuan Antonio Osorio Robles1-0/+2
This is used for the TLS-everywhere bits. It will be taken into account by a metadata hook that outputs relevant entries for the nova-metadata service; and subsequently kerberos principals will be created from these. Subsequent patches will add support for TLS in the internal network for the containerized keystone. Change-Id: Ic747ad9c8d6e76c8c16e347c1cdcabc899dd9f9a
2017-03-16docker: Add metadata_settings to optional parameters for yaml validateJuan Antonio Osorio Robles1-1/+2
This section will be needed for TLS-everywhere. So it should be added as optional in the yaml-validate. Change-Id: Ic6ea563b6c8e454cb51f640bb5aaa3adda82a5dd
2017-03-16Merge "etcd: secure EtcdInitialClusterToken parameter"Jenkins2-1/+7
2017-03-16Keep existing data for containerized SwiftJiri Stransky2-16/+26
Use mounts instead of docker volumes to preserve existing data when moving from baremetal to containerized Swift. Change-Id: Ib7cbca2ef674a0245a67b69ee2c77f574d74c181
2017-03-16Merge "Add upgrade tasks for aodh containers"Jenkins4-0/+16
2017-03-15etcd: secure EtcdInitialClusterToken parameterEmilien Macchi2-1/+7
Secure EtcdInitialClusterToken parameter by: * removing the default value. * make it hidden. Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961 Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9 Closes-Bug: #1673266
2017-03-15Merge "Cleanup no longer used upgrade files"Jenkins13-1014/+0
2017-03-15Add upgrade tasks for aodh containersPradeep Kilambi4-0/+16
Change-Id: I936b31fd24c43e35092b3bfef4454a8da81d19c8
2017-03-15Cleanup no longer used upgrade filesmarios13-1014/+0
Removes some of the no longer used scripts and templates used by the upgrades workflow in previous versions. Change-Id: I7831d20eae6ab9668a919b451301fe669e2b1346
2017-03-14Switch keystone default provider to fernetJuan Antonio Osorio Robles2-1/+7
UUID is to be deprecated, and we should be using fernet. Change-Id: I61b999e65ba5eb771776344d38eb90fc52d49d56
2017-03-14keystone/containers: Add support for fernet keysJuan Antonio Osorio Robles1-0/+19
Since the 'file' resource is included in the tags that puppet takes into account, we already generate the fernet keys if it's enabled as a token provider. This merely adds the keys to the container. However, if fernet is not the provider, we make this file addition optional. Change-Id: Id92039b3bad9ecda169323e01de7bebae70f2ba0
2017-03-14Merge "Update properties being set for octavia rabbit properties"Jenkins1-3/+3
2017-03-14Keep existing data for containerized RabbitMQJiri Stransky1-2/+7
Use mounts instead of docker volumes to preserve existing data when moving from baremetal to containerized RabbitMQ. Change-Id: I8de6610d13d2d878ffba12eb742880eed694eb3e
2017-03-14Keep existing data for containerized MongoDBJiri Stransky1-1/+15
We used named Docker volume for MongoDB storage, which meant that when moving from bare metal to containerized, we lost data and reinitialized the storage from scratch. With this commit we keep the data by mounting the original data into the container. We also need make sure that file ownership is correct according to the uid/gid used within MongoDB container image. Change-Id: I86ef2cb37a068b767462d6d50fe451389b7cbb58
2017-03-14Keep existing data when moving to containerized MariaDBJiri Stransky1-4/+21
We used named Docker volume for MariaDB storage, which meant that when moving from BM to containerized wit MariaDB, we lost data and reinitialized the storage from scratch. With this commit we keep the data by mounting the original data into the container. We also need to make sure that file ownership is correct according to the MariaDB container image used, and that Kolla bootstrap mechanisms aren't retriggered, as they aren't idempotent. Change-Id: I1fc955021c6dd83f1a366495dd8c7281fb9e7cc5
2017-03-14Fixes multiple issues with retry function in rhel-registration.Vincent S. Cojot1-17/+31
There were multiple issues in retry() in rhel-registration: - There was no need for it to be recursive (local variables got overwritten) - There was no delay between multiple attempts, leading to faster but more frequent failures. - The max number of attempts was set too low for some environements. With this patch, rhel-registration now works more reliably with slow-links for portal registration and does not attempt to DDos the portal or your satellite server. Change-Id: I594d3c94867b45a7a58766dbcc66edead78d6a4e
2017-03-14Merge "Update README for Glance coverage"Jenkins1-1/+1
2017-03-14Merge "Tasks hook for preparing BM host for deploying containerized services"Jenkins3-2/+33
2017-03-14Merge "Add bindep support"Jenkins1-0/+2
2017-03-14Merge "congress/tacker: switch auth_uri to use uri_no_suffix"Jenkins2-4/+8
2017-03-13Update README for Glance coverageEmilien Macchi1-1/+1
Change-Id: I0c57f7b8a97b854e3c44ff7776ea05e3888e78e8
2017-03-13Merge "cinder: switch auth_uri to uri_no_suffix"Jenkins1-1/+3
2017-03-13Merge "Containerize gnocchi services"Jenkins5-0/+280
2017-03-13Merge "Pass the DOCKER_* env vars when running docker"Jenkins1-0/+5
2017-03-13Merge "neutron: switch auth_uri to uri_no_suffix"Jenkins1-2/+4
2017-03-13Merge "gnocchi: deploy services with Keystone v3 endpoints"Jenkins3-6/+9
2017-03-13Merge "manila: switch auth_uri to use uri_no_suffix"Jenkins1-1/+3
2017-03-13Merge "heat: switch auth_uri to use uri_no_suffix"Jenkins1-1/+3