Age | Commit message (Collapse) | Author | Files | Lines |
|
Unprivileged access to the kernel syslog can expose sensitive
kernel address information.
Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2
Signed-off-by: zshi <zshi@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Use mounts instead of docker volumes, and preserve existing data when
moving from baremetal to containerized ironic-conductor.
We cannot keep the data in the same directory to avoid hard-linking
errors in ironic, because of this issue:
https://github.com/docker/docker/issues/7457
This means we need to copy the data over to a new location before we
start the containers.
Change-Id: If98460120212f887b06adf117c5d88b97682638e
|
|
|
|
|
|
|
|
|
|
|
|
We used to have this in mitaka:
https://github.com/openstack/tripleo-heat-templates/blob/stable/mitaka/puppet/controller-post.yaml#L45
but we lost it along the way. The problem without this change is that we
are open to the following race:
1) ControllerDeployment_Step1 is started and manages to do a successful
"systemctl start pacemaker"
2) PrePuppet gets called and in the HA deployment calls
pacemaker_maintenance_mode.sh
3) pacemaker_maintenance_mode.sh will set the maintenance-mode=true
property because the pacemaker service is already up:
https://github.com/openstack/tripleo-heat-templates/blob/master/extraconfig/tasks/pacemaker_maintenance_mode.sh#L8-L9
4) If the maintenance property is set to true at this stage, the
creation of any resource will take place but they won't really
start.
Change-Id: Icb7495edd00385b2975dd42f63085d20292ef9a9
Closes-Bug: #1673795
Co-Authored-By: Jiri Stransky <jstransk@redhat.com>
|
|
Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com>
Closes-bug: #1668918
Change-Id: Ie1ebd25965bd2dbad2a22161da0022bad0b9e554
|
|
|
|
|
|
|
|
We currently do not bind redis-sentinel to any IP:
redis 21144 0.0 0.0 142908 5908 ? Ssl 07:43 0:11 /usr/bin/redis-sentinel *:26379 [sentinel]
Let's bind it to the same network as redis.
Change-Id: I8a782ae1db84eb614aa3995a1638a2f370e70d06
Partial-Bug: #1673715
|
|
|
|
Using keystone_authtoken credentials for this purpose is deprecated, and also
prevents ironic-conductor from being used as a separate role.
Also remove neutron_url, it can be fetched from the catalog instead.
Change-Id: I12822568cb4db31808aec5fd407d71fe4b7b09e0
Depends-On: I21180678bec911f1be36e3b174bae81af042938c
Partial-Bug: #1661250
|
|
|
|
This is used for the TLS-everywhere bits. It will be taken into account
by a metadata hook that outputs relevant entries for the nova-metadata
service; and subsequently kerberos principals will be created from
these.
Subsequent patches will add support for TLS in the internal network for
the containerized keystone.
Change-Id: Ic747ad9c8d6e76c8c16e347c1cdcabc899dd9f9a
|
|
This section will be needed for TLS-everywhere. So it should be added as
optional in the yaml-validate.
Change-Id: Ic6ea563b6c8e454cb51f640bb5aaa3adda82a5dd
|
|
|
|
Use mounts instead of docker volumes to preserve existing data when
moving from baremetal to containerized Swift.
Change-Id: Ib7cbca2ef674a0245a67b69ee2c77f574d74c181
|
|
|
|
Secure EtcdInitialClusterToken parameter by:
* removing the default value.
* make it hidden.
Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961
Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9
Closes-Bug: #1673266
|
|
|
|
Change-Id: I936b31fd24c43e35092b3bfef4454a8da81d19c8
|
|
Removes some of the no longer used scripts and templates used by
the upgrades workflow in previous versions.
Change-Id: I7831d20eae6ab9668a919b451301fe669e2b1346
|
|
UUID is to be deprecated, and we should be using fernet.
Change-Id: I61b999e65ba5eb771776344d38eb90fc52d49d56
|
|
Since the 'file' resource is included in the tags that puppet takes into
account, we already generate the fernet keys if it's enabled as a token
provider.
This merely adds the keys to the container. However, if fernet is not
the provider, we make this file addition optional.
Change-Id: Id92039b3bad9ecda169323e01de7bebae70f2ba0
|
|
|
|
Use mounts instead of docker volumes to preserve existing data when
moving from baremetal to containerized RabbitMQ.
Change-Id: I8de6610d13d2d878ffba12eb742880eed694eb3e
|
|
We used named Docker volume for MongoDB storage, which meant that when
moving from bare metal to containerized, we lost data and reinitialized
the storage from scratch.
With this commit we keep the data by mounting the original data into the
container. We also need make sure that file ownership is correct
according to the uid/gid used within MongoDB container image.
Change-Id: I86ef2cb37a068b767462d6d50fe451389b7cbb58
|
|
We used named Docker volume for MariaDB storage, which meant that when
moving from BM to containerized wit MariaDB, we lost data and
reinitialized the storage from scratch.
With this commit we keep the data by mounting the original data into the
container.
We also need to make sure that file ownership is correct according to
the MariaDB container image used, and that Kolla bootstrap mechanisms
aren't retriggered, as they aren't idempotent.
Change-Id: I1fc955021c6dd83f1a366495dd8c7281fb9e7cc5
|
|
There were multiple issues in retry() in rhel-registration:
- There was no need for it to be recursive (local variables
got overwritten)
- There was no delay between multiple attempts, leading to faster but
more frequent failures.
- The max number of attempts was set too low for some environements.
With this patch, rhel-registration now works more reliably with slow-links
for portal registration and does not attempt to DDos the portal or your
satellite server.
Change-Id: I594d3c94867b45a7a58766dbcc66edead78d6a4e
|
|
|
|
|
|
|
|
|
|
Change-Id: I0c57f7b8a97b854e3c44ff7776ea05e3888e78e8
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|