aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2015-11-26Minor fixes to TLS related resourcesJuan Antonio Osorio Robles3-6/+4
* Fixed a comment to avoid ambiguity with concepts in Heat * Removed default values from necessary parameters in the TLS environment * Simplified setting of the cert/key into a file. Change-Id: I351778150a6fbf7affe1a0fddb1abb9869324dfc
2015-11-25Merge "Update: clean keepalived and radvd instances after pcs cluster stop"Jenkins1-0/+7
2015-11-25Merge "Output the SSL Certificate and Key modulus"Jenkins3-0/+26
2015-11-25Merge "Enable trust anchor injection"Jenkins9-6/+136
2015-11-25Merge "Inject TLS certificate and keys for the Overcloud"Jenkins6-31/+138
2015-11-25Merge "Fixup neutron constraints in older overclouds before updating"Jenkins1-0/+10
2015-11-25Output the SSL Certificate and Key modulusMark Chappell3-0/+26
Provides a simple mechanism to verify the correct certificates landed. A quick and simple way to verify SSL certificates were generated for a given key is by comparing the modulus of the two. By outputing the key modulus and certificate modulus we offer a way to verify that the right cert and key have been deployed without compromising any of the secrets. Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
2015-11-25Enable trust anchor injectionJuan Antonio Osorio Robles9-6/+136
This commit enables the injection of a trust anchor or root certificate into every node in the overcloud. This is in case that the TLS certificates for the controllers are signed with a self-signed CA or if the deployer would like to inject a relevant root certificate for other purposes. In this case the other nodes might need to have the root certificate in their trust chain in order to do proper validation Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
2015-11-24Update: clean keepalived and radvd instances after pcs cluster stopJiri Stransky1-0/+7
Older neutron versions have a bug which makes them leave keepalived and radvd running even after all neutron services are stopped, preventing neutron router failover from happening. Router can then get stuck on the inactive node, like this: [stack@instack ~]$ neutron l3-agent-list-hosting-router default_router +--------------------------------------+------------------------------------+----------------+-------+----------+ | id | host | admin_state_up | alive | ha_state | +--------------------------------------+------------------------------------+----------------+-------+----------+ | 48ca9477-b93b-4305-9e6d-9f1c5d3388f0 | overcloud-controller-1.localdomain | True | :-) | standby | | eba0575c-654f-4da6-b1cd-f7fdf1cd3726 | overcloud-controller-2.localdomain | True | :-) | standby | | 68815390-251f-4425-a5f8-38bdbf3bdb90 | overcloud-controller-0.localdomain | True | xxx | active | +--------------------------------------+------------------------------------+----------------+-------+----------+ We need to kill the leftover processes manually to prevent the state described above from happening. See https://review.gerrithub.io/#/c/248931 Change-Id: I2deaa176222983daa0c33ab52a6aa5dbe7365302
2015-11-24Merge "Point registry at tripleoupstream"Jenkins2-11/+10
2015-11-23Merge "Sample environment with old ServiceNetMap value"Jenkins2-0/+42
2015-11-23Merge "Implement Advanced Firewalling support"Jenkins10-0/+137
2015-11-23Sample environment with old ServiceNetMap valueJames Slagle2-0/+42
The original value for the ServiceNetMap parameter had the Keystone Admin API service on the Internal API network. Later, it was moved to the ctlplane network by default. Users updating from clouds already deployed may not want to have the service moved, and we've occassionly seen it cause issues with services not getting restarted properly. This sample environment file documents the old value so that users can just optionally include it via -e to keep the services the same as they were when they originally deployed. Change-Id: I0b68542337a2f40e26df15fe7ac2da5aafe651d5
2015-11-23Fixup neutron constraints in older overclouds before updatingmarios1-0/+10
The neutron pcs constraints were reworked in https://review.openstack.org/#/c/229466/ For overclouds deployed with older tripleo-heat-templates the current pcs ordering constraints will not have those changes, meaning that the behaviour discussed at https://bugs.launchpad.net/tripleo/+bug/1501378 is likely given we will stop and restart all services. This review applies those, in short, remove the ovs-cleanup after neutron-server and add openvswitch-agent instead. Detail in the bug report and linked BZ. Change-Id: I45822c5fe9029f11635400b7fbd386880ac80a4e Related-Bug: 1501378
2015-11-23Merge "Add constraints and timeouts from file in single step"Jenkins1-78/+50
2015-11-23Inject TLS certificate and keys for the OvercloudJuan Antonio Osorio Robles6-31/+138
This is a first implementation of adding TLS termination to the load balancer in the controllers. The implementation was made so that the appropriate certificate/private key in PEM format is copied to the appropriate controller(s) via a software deployment resource. And the path is then referenced on the HAProxy configuration, but this part was left commented out because we need to be able to configure the keystone endpoints in order for this to work properly. Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
2015-11-23Merge "Allows for customization of NetworkDeployment actions"Jenkins5-2/+30
2015-11-20Merge "Change default host reserved memory to 2048MB from 512MB"Jenkins1-0/+6
2015-11-20Allows for customization of NetworkDeployment actionsGiulio Fidente5-2/+30
We don't necessarily want the network configuration to be reapplied with every template update so we add a param to configure on which action the NetworkDeployment resource should be executed. Change-Id: I0e86318eb5521e540cc567ce9d77e1060086d48b Co-Authored-By: Dan Sneddon <dsneddon@redhat.com> Co-Authored-By: James Slagle <jslagle@redhat.com> Co-Authored-By: Jiri Stransky <jstransk@redhat.com> Co-Authored-By: Steven Hardy <shardy@redhat.com>
2015-11-20Point registry at tripleoupstreamRyan Hallisey2-11/+10
The tripleoupstream registry contains images that are built every time there is a change in delorean. The gate also needs this. Change-Id: If460853284588f637de820afa54069f773f2e6f7
2015-11-20Merge "Nova-libvirt needs to bind to /sys/fs/cgroup"Jenkins1-1/+1
2015-11-20Merge "Add local docker registry support"Jenkins4-15/+55
2015-11-20Merge "Update docker compute environment to use json config"Jenkins4-32/+144
2015-11-19Change default host reserved memory to 2048MB from 512MBJoe Talerico1-0/+6
Results from pmap of idle nova-compute: https://gist.github.com/jtaleric/addd9079d6cdf4f7cf42 Results from free -m and cat /proc/meminfo: https://gist.github.com/jtaleric/410130f09c2aad2dc7e9 bug: https://bugzilla.redhat.com/show_bug.cgi?id=1282644 Change-Id: I9b3ceecabfdae0a516cfc72886fde7b26cc68f82
2015-11-19Implement Advanced Firewalling supportEmilien Macchi10-0/+137
Consume puppet-tripleo to create/manage IPtables from Heat templates. This review put in place the logic to enable and setup firewall rules. A known set of rules are applied. More to come. Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22 Co-Authored-By: Yanis Guenane <yguenane@redhat.com> Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
2015-11-19Add constraints and timeouts from file in single stepGiulio Fidente1-78/+50
To avoid pcmk reconfiguring the resources on each config change, we want to apply the constraints and timeouts from file. We also *do not* want to alter the timeouts for a few ocf resources which are rabbitmq, neutron-netns-cleanup and neutron-ovs-cleanup Change-Id: I6875f19e1f34f0fdcf0928421f49b61d857ca7c8 Co-Authored-By: Andrew Beekhof <abeekhof@redhat.com>
2015-11-18Merge "Implement Neutron enable_isolated_metadata parameters"Jenkins3-0/+17
2015-11-18Merge "Verify galera is sync'd in yum_update.sh"Jenkins1-0/+12
2015-11-17Merge "neutron: enable nova-event-callback by default"Jenkins6-2/+16
2015-11-17Merge "Pass ceph::pool arguments when calling class"Jenkins3-10/+6
2015-11-17neutron: enable nova-event-callback by defaultEmilien Macchi6-2/+16
* Add NovaApiVirtualIP string parameter. * Compute nova_url and nova_admin_auth_url parameters. * Configure in Hiera neutron::server::notifications::* parameters. * non-ha: include ::neutron::server::notifications * ha: include ::neutron::server::notifications and create orchestration * Set vif_plugging_is_fatal to True so we actually fail if Neutron is not able to create the VIF during Nova server creation workflow. Depends-On: I21dc10396e92906eab4651c318aa2ee62a8e03c7 Change-Id: I02e41f87404e0030d488476680af2f6d45af94ff
2015-11-17Implement Neutron enable_isolated_metadata parametersCyril Lopez3-0/+17
* Use the parameter in Puppet configuration (Hiera) to configure neutron BZ-1273303 Change-Id: Ic5a7a1f13fd2bc800cadc3a78b1daadbc0394787 Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2015-11-17Verify galera is sync'd in yum_update.shJames Slagle1-0/+12
When the cluster is brought back online after a yum update in yum_update.sh, we should verify that galera is fully sync'd before moving on. This ensures the sync is complete before moving on to update any other nodes in the cluster. Change-Id: Ie8fc2c5d5214deacea94ca658ac75359b318ced1
2015-11-17Merge "Add support for enabling L2 population in Neutron"Jenkins5-0/+35
2015-11-17Merge "Add simple linux bridge as network environment"Jenkins1-0/+73
2015-11-16Add simple linux bridge as network environmentJaume Devesa1-0/+73
Create a bridge for the overcloud services using linux bridge instead of openvswitch. Some SDNs may be incompatible with openvswitch datapath. Change-Id: I873368e74ddfd95bf5c6e1f88cec33ba011e09dd
2015-11-16Add support for enabling L2 population in NeutronBrent Eagles5-0/+35
This change adds support for enabling/disabling L2 population in Neutron agents. It currently defaults to false. Change-Id: I3dd19feb4acb1046bc560b35e5a7a111364ea0d7
2015-11-16Merge "Add environment for isolated networks without tunneling VLAN"Jenkins1-0/+37
2015-11-16Merge "Support network isolation without external nets"Jenkins6-0/+288
2015-11-16Merge "Add the GlanceRegistry and Horizon endpoints to EndpointMap"Jenkins1-0/+35
2015-11-16Merge "Expose the IP of the Endpoints"Jenkins1-0/+1
2015-11-16Merge "Make CloudName available for Endpoints"Jenkins3-3/+49
2015-11-16Merge "Bump further the stop/start timeout for pcmk/systemd services"Jenkins1-8/+8
2015-11-16Merge "Set start/stop pacemaker resource timeouts for updates"Jenkins1-0/+72
2015-11-16Merge "Add missing constraints in yum_update.sh"Jenkins1-0/+30
2015-11-13Merge "honor the rabbit user and password provided"Jenkins2-2/+4
2015-11-13Merge "Fix cinder error when CinderNfsMountOptions option is absent"Jenkins2-2/+2
2015-11-13Pass ceph::pool arguments when calling classGiulio Fidente3-10/+6
Pass the ceph::pool properties as arguments to the class call instead of setting them as class defaults. Ceph recommends max 32 PGs and min 4 PGs per OSD so this change also lowers the defaults to 32 which works with 1 OSD, suits well a scenario with 3 OSDs and is easy to customize in the static hiera if more than 8 OSDs are deployed. More info at: https://bugzilla.redhat.com/show_bug.cgi?id=1252546 Change-Id: Ifed11d1857900b2251dfdf69d6b6f168150e6330
2015-11-13Merge "Refacter Endpoints into EndpointMap"Jenkins9-134/+493
2015-11-13Merge "Add DeployIdentifier overcloud parameter"Jenkins1-0/+11