* Fixed a comment to avoid ambiguity with concepts in Heat
* Removed default values from necessary parameters in the TLS
environment
* Simplified setting of the cert/key into a file.
Change-Id: I351778150a6fbf7affe1a0fddb1abb9869324dfc
|
Provides a simple mechanism to verify the correct certificates
landed.
A quick and simple way to verify SSL certificates were generated for
a given key is by comparing the modulus of the two. By outputting
the key modulus and certificate modulus we offer a way to verify
that the right cert and key have been deployed without compromising
any of the secrets.
Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
|
This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This is in case that the
TLS certificates for the controllers are signed with a self-signed CA
or if the deployer would like to inject a relevant root certificate
for other purposes. In this case the other nodes might need to have
the root certificate in their trust chain in order to do proper
validation.
Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
|
Older neutron versions have a bug which makes them leave keepalived and
radvd running even after all neutron services are stopped, preventing
neutron router failover from happening. Router can then get stuck on the
inactive node, like this:
[stack@instack ~]$ neutron l3-agent-list-hosting-router default_router
+--------------------------------------+------------------------------------+----------------+-------+----------+
| id | host | admin_state_up | alive | ha_state |
+--------------------------------------+------------------------------------+----------------+-------+----------+
| 48ca9477-b93b-4305-9e6d-9f1c5d3388f0 | overcloud-controller-1.localdomain | True | :-) | standby |
| eba0575c-654f-4da6-b1cd-f7fdf1cd3726 | overcloud-controller-2.localdomain | True | :-) | standby |
| 68815390-251f-4425-a5f8-38bdbf3bdb90 | overcloud-controller-0.localdomain | True | xxx | active |
+--------------------------------------+------------------------------------+----------------+-------+----------+
We need to kill the leftover processes manually to prevent the state
described above from happening.
See https://review.gerrithub.io/#/c/248931
Change-Id: I2deaa176222983daa0c33ab52a6aa5dbe7365302
|
The original value for the ServiceNetMap parameter had the Keystone
Admin API service on the Internal API network. Later, it was moved to
the ctlplane network by default.
Users updating from clouds already deployed may not want to have the
service moved, and we've occasionally seen it cause issues with services
not getting restarted properly.
This sample environment file documents the old value so that users can
just optionally include it via -e to keep the services the same as they
were when they originally deployed.
Change-Id: I0b68542337a2f40e26df15fe7ac2da5aafe651d5
|
The neutron pcs constraints were reworked in
https://review.openstack.org/#/c/229466/
For overclouds deployed with older tripleo-heat-templates the
current pcs ordering constraints will not have those changes,
meaning that the behaviour discussed at
https://bugs.launchpad.net/tripleo/+bug/1501378 is likely
given we will stop and restart all services. This review
applies those, in short, remove the ovs-cleanup after
neutron-server and add openvswitch-agent instead. Detail in
the bug report and linked BZ.
Change-Id: I45822c5fe9029f11635400b7fbd386880ac80a4e
Related-Bug: 1501378
|
This is a first implementation of adding TLS termination to the load
balancer in the controllers. The implementation was made so that the
appropriate certificate/private key in PEM format is copied to the
appropriate controller(s) via a software deployment resource.
And the path is then referenced on the HAProxy configuration, but this
part was left commented out because we need to be able to configure the
keystone endpoints in order for this to work properly.
Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
|
We don't necessarily want the network configuration to be reapplied
with every template update so we add a param to configure on which
action the NetworkDeployment resource should be executed.
Change-Id: I0e86318eb5521e540cc567ce9d77e1060086d48b
Co-Authored-By: Dan Sneddon <dsneddon@redhat.com>
Co-Authored-By: James Slagle <jslagle@redhat.com>
Co-Authored-By: Jiri Stransky <jstransk@redhat.com>
Co-Authored-By: Steven Hardy <shardy@redhat.com>
|
The tripleoupstream registry contains images that are built
every time there is a change in delorean.
The gate also needs this.
Change-Id: If460853284588f637de820afa54069f773f2e6f7
|
Results from pmap of idle nova-compute:
https://gist.github.com/jtaleric/addd9079d6cdf4f7cf42
Results from free -m and cat /proc/meminfo:
https://gist.github.com/jtaleric/410130f09c2aad2dc7e9
bug: https://bugzilla.redhat.com/show_bug.cgi?id=1282644
Change-Id: I9b3ceecabfdae0a516cfc72886fde7b26cc68f82
|
Consume puppet-tripleo to create/manage IPtables from Heat templates.
This review puts in place the logic to enable and set up firewall rules.
A known set of rules are applied. More to come.
Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
|
To avoid pcmk reconfiguring the resources on each config change,
we want to apply the constraints and timeouts from file.
We also *do not* want to alter the timeouts for a few ocf resources
which are rabbitmq, neutron-netns-cleanup and neutron-ovs-cleanup
Change-Id: I6875f19e1f34f0fdcf0928421f49b61d857ca7c8
Co-Authored-By: Andrew Beekhof <abeekhof@redhat.com>
|
* Add NovaApiVirtualIP string parameter.
* Compute nova_url and nova_admin_auth_url parameters.
* Configure in Hiera neutron::server::notifications::* parameters.
* non-ha: include ::neutron::server::notifications
* ha: include ::neutron::server::notifications and create orchestration
* Set vif_plugging_is_fatal to True so we actually fail if Neutron is not
able to create the VIF during Nova server creation workflow.
Depends-On: I21dc10396e92906eab4651c318aa2ee62a8e03c7
Change-Id: I02e41f87404e0030d488476680af2f6d45af94ff
|
* Use the parameter in Puppet configuration (Hiera) to configure neutron
BZ-1273303
Change-Id: Ic5a7a1f13fd2bc800cadc3a78b1daadbc0394787
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
|
When the cluster is brought back online after a yum update in
yum_update.sh, we should verify that galera is fully sync'd before
moving on. This ensures the sync is complete before moving on to update
any other nodes in the cluster.
Change-Id: Ie8fc2c5d5214deacea94ca658ac75359b318ced1
|
Create a bridge for the overcloud services using linux bridge instead of
openvswitch. Some SDNs may be incompatible with openvswitch datapath.
Change-Id: I873368e74ddfd95bf5c6e1f88cec33ba011e09dd
|
This change adds support for enabling/disabling L2 population in
Neutron agents. It currently defaults to false.
Change-Id: I3dd19feb4acb1046bc560b35e5a7a111364ea0d7
|
Pass the ceph::pool properties as arguments to the class call
instead of setting them as class defaults.
Ceph recommends max 32 PGs and min 4 PGs per OSD so this change
also lowers the defaults to 32 which works with 1 OSD, suits well
a scenario with 3 OSDs and is easy to customize in the static
hiera if more than 8 OSDs are deployed.
More info at: https://bugzilla.redhat.com/show_bug.cgi?id=1252546
Change-Id: Ifed11d1857900b2251dfdf69d6b6f168150e6330