aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-01-25Manage password_validator regexLuke Hinds3-0/+27
Horizon provides a password validation check, which OpenStack cloud operators can use to enforce password complexity checks for users within horizon. A dictionary containing a regular expression can be used for password validation with help text that is displayed if the password does not pass validation. HORIZON_CONFIG["password_validator"] = { "regex": '.*', "help_text": _("Your password does not meet the requirements."), } This change allows injection of the regex into horizons local_settings file from a tripleo heat template Change-Id: Ib6517c8f96148bea002b0e3442a26367b236928f Depends-On: If82a80ed6a8e6e65aecc2a25ee6d60640ae03c9a Closes-Bug: #1640800
2016-12-21Merge "Make the openvswitch 2.4->2.5 upgrade more robust"Jenkins10-80/+57
2016-12-21Merge "net-conf: make bridge and interface name optional"Jenkins1-5/+5
2016-12-20Merge "Set the default event pipeline publisher"Jenkins1-0/+5
2016-12-20Merge "Use OS::Heat::DeployedServer"Jenkins4-42/+10
2016-12-20Set the default event pipeline publisherPradeep Kilambi1-0/+5
Since we have aodh enabled for alarms, we should set the notifier to the default queue alarm.all. Closes-bug: #1590473 Change-Id: Ibcb5076424ac2ddcd18ff717d82da1aec4c035cb
2016-12-20Merge "Expose param to enable legacy ceilometer api"Jenkins1-0/+5
2016-12-20Merge "Move UpgradeInitCommand to role templates"Jenkins7-37/+169
2016-12-20Merge "Run upgrade steps before post-deploy config"Jenkins2-8/+15
2016-12-19Merge "Remove unused attr from templates"Jenkins1-1/+0
2016-12-19Merge "Revert "Switch mistral to use authtoken configuration""Jenkins1-4/+2
2016-12-19Revert "Switch mistral to use authtoken configuration"Ben Nemec1-4/+2
It turns out the puppet-mistral change this depends on broke introspection, so we need to back it out for now. This reverts commit ed029e5bf279945e82bff8766af4093856a7ac6a. Change-Id: I828478267935cdc68aa24de8c9dc2d12fcadb631
2016-12-19Merge "Switch mistral to use authtoken configuration"Jenkins1-2/+4
2016-12-19Merge "Add a type for the ControlVirtualIP resource"Jenkins2-1/+2
2016-12-19Merge "Correction to SRIOV THT Examples"Jenkins1-2/+3
2016-12-19Move UpgradeInitCommand to role templatesSteven Hardy7-37/+169
We can't run this during the upgrade steps, because there are things which need to happen before any role configuration happens, e.g installing the new hiera heat-config hook, which must be done before e.g "ControllerDeployment" runs or the stack update hangs. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I365b57513590662c3f78a33dc625747f457c48c5
2016-12-19Run upgrade steps before post-deploy configSteven Hardy2-8/+15
For some upgrade scenarios, e.g all-in-one deployments, it may be possible to run the upgrade steps, then apply puppet in one stack update, so reverse the order here. For normal deployments the upgrade steps are mapped to OS::Heat::None so this will have no effect. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I3c78751349a6ac2bc5dff82f67bffe13750ac21c
2016-12-19Merge "Set rabbitmq's port and IP via the config file and not the env file"Jenkins1-1/+3
2016-12-19Merge "Introduce role-specific nova-server-metadata"Jenkins6-12/+84
2016-12-19Merge "Enable SECURE_PROXY_SSL_HEADER option for horizon"Jenkins1-0/+1
2016-12-17Merge "Use hostname -s instead of hostnamectl --transient"Jenkins1-1/+1
2016-12-17net-conf: make bridge and interface name optionalDan Prince1-5/+5
Update the run-os-net-config.sh so that we make the bridge_name and interface_name parameters (supplied by the SoftwareConfig) optional. This allows operators to create custom network templates to be used on roles other than compute and controller which appear to be the only two roles which set bridge_name and interface_name parameters. Change-Id: I8997cf8177c1bf0e1f19de5f93dc4e81da1a951f
2016-12-16Introduce role-specific nova-server-metadataJuan Antonio Osorio Robles6-12/+84
We could already pass metadata to the nova server instances (on creation) via the ServerMetadata parameter, however, there was no way of doing this per-role. This introduces that by adding a {{role}}ServerMetadata parameter for each role. This parameter gets merged with the ServerMetadata parameter and allows this functionality. Note that both default to {}, and so does the result of merging those parameters with their default values. So nothing changes for the default settings. Change-Id: I334edcc51ce7ee82fc13b6cf4c0d74ccb7db099c
2016-12-15Add ZaqarApiNetwork to the service net mapDan Prince1-0/+1
Without this Zaqar API will fail to run due to a missing bind IP address in the config file. Change-Id: Icd0a6e85b7455e89f37f05399146d5e743359da8 Closes-bug: #1650307
2016-12-15Merge "Deployed server: switch to apply-config hook"Jenkins1-1/+1
2016-12-14Use hostname -s instead of hostnamectl --transientDan Prince1-1/+1
This patch updates the deployed-server interface to use a simple hostname -s. The previous hostnamectl --transient can pick up extra domain name configuration in some cases that can cause very odd hostname generation if used with the tripleo-heat-template host file generation. This would actually break the new undercloud t-h-t installer in that some of the /etc/hosts entries would be invalid (no IP address) due to substring replacements failing in a variety of odd hostname situations. Simplifying the hostname of deployed servers to just the short version seems the most sensable way to avoid all this. Change-Id: Ia7e636d021f948ea5234475cef02f666d8ce6999
2016-12-14Make the openvswitch 2.4->2.5 upgrade more robustmarios10-80/+57
In I9b1f0eaa0d36a28e20b507bec6a4e9b3af1781ae and I11fcf688982ceda5eef7afc8904afae44300c2d9 we added a manual step for upgrading openvswitch in order to specify the --nopostun as discussed in the bug below. This change adds a minor update to make this workaround more robust. It removes any existing rpms that may be around from an earlier run, and also checks that the rpms installed are at least newer than the version we are on. This also refactors the code into a common definition in the pacemaker_common_functions.sh which is included even for the heredocs generating upgrade scripts during init. Thanks Sofer Athlan-Guyot and Jirka Stransky for help with that. Change-Id: Idc863de7b5a8c116c990ee8c1472cfe377836d37 Related-Bug: 1635205
2016-12-14Set rabbitmq's port and IP via the config file and not the env fileJuan Antonio Osorio Robles1-1/+3
The RabbitMQ's puppet manifest configures the node's IP and port through environment variables. While this would usually be fine, it doesn't allow us to use TLS-only, since it will always try to start a TCP listener. So, by setting these values through the config file, when setting ssl_only for rabbitmq, they will effectively be discarded and thus allow us to use an SSL listener on the same port. Change-Id: I33d051a8c740baf69b99517378e1f9b0f3cc1681
2016-12-14Enable SECURE_PROXY_SSL_HEADER option for horizonJuan Antonio Osorio Robles1-0/+1
This reads makes Django take the X-Forwarded-Proto header into account when forming URLs. Change-Id: Ice64de9a11d7819ae7f380279ff356342d9b6673 Depends-On: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
2016-12-13Use OS::Heat::DeployedServerJames Slagle4-42/+10
The new DeployedServer resource in Heat will provide a native resource for Server resources that are not orchestrated via Nova. This will allow associating SoftwareDeployment's with servers that have not been launched with Nova with Heat directly. With the new resource, all of the SoftwareConfigTransport methods are available, including POLL_TEMP_URL. This patch also updates the get-occ-config.sh script to configure the requests collector in os-collect-config.conf on the deployed servers. Change-Id: I4b80421088acca709fe3f92741c5c052be483131 Partially-implements: blueprint split-stack-software-configuration Depends-On: I07b9a053ecd3ef4411b602bbc6ef985224834cf8
2016-12-13Merge "Don't rely on lsb_release for hosts template write"Jenkins1-11/+3
2016-12-13Merge "docker: don't use custom run-os-net-config"Jenkins2-22/+2
2016-12-12Merge "Add FreeIPA enrollment template"Jenkins1-0/+72
2016-12-11Add a type for the ControlVirtualIP resourceDan Prince2-1/+2
This patch adds a new type called: OS::TripleO::Network::Ports::ControlPlaneVipPort This defaults to a normal OS::Neutron::Port object but can be mocked out for some implementations like when installing the undercloud where neutron doesn't exist. Change-Id: Iebf2428432a98a9d789b206ce973599adbc0af8f
2016-12-10Switch mistral to use authtoken configurationAlex Schultz1-2/+4
The upstream puppet module is adding the proper keystone authtoken middleware support. This change updates THT to use the keystone authtoken class rather than the deprecated settings. This also allows for proper keystone v3 integration. Change-Id: Iaf82716122a25e3e0785de1250d24edaaa5e4d04 Depends-On: I71969ef09018f9daa5f81c4f3bcbdb0b0974446c
2016-12-10Merge "Add NIC config for compute role for DVR with multiple NICs"Jenkins1-0/+162
2016-12-09Expose param to enable legacy ceilometer apiPradeep Kilambi1-0/+5
Change-Id: I75815a4bcbf421597abb86226238b74a9afffc0d Depends-On: Iffb8c2cfed53d8b29e777c35cee44921194239e9
2016-12-09Add FreeIPA enrollment templateJuan Antonio Osorio Robles1-0/+72
This is based on previous work [1] and it's what I've been using to test the TLS-everywhere work. This introduces a template that will run on every node to enroll them to FreeIPA and acquire a ticket (authenticate) in order to be able to request certificates. Enrollment is done via the ipa-client-install command and it does the following: * Get FreeIPA's CA certificate and trust it. * Authenticate to FreeIPA using an OTP and get a kerberos keytab. * Set up several configurations that are needed for FreeIPA (sssd, kerberos, certmonger) The keytab is then used to authenticate and get an actual TGT (Ticket-Granting-Ticket) from Kerberos The previous implementation used a PreConfig hook, however, here it was modified to use NodeTLSCAData. This has the advantage that it runs on every node as opposed to the PreConfig hook where we had to specify the role type so it's a usability improvement. And, on the other hand, this does set up necessary things for the usage of FreeIPA as a CA, such as getting the certificate and enrolling to the CA. [1] https://github.com/JAORMX/freeipa-tripleo-incubator bp tls-via-certmonger Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
2016-12-08Don't rely on lsb_release for hosts template writeSteve Baker1-11/+3
This is problematic for the containerised heat-agents, lsb_release has to be bind-mounted in, and atomic host doesn't even have lsb_release installed. Instead just write to every /etc/cloud/templates/hosts.*.tmpl file. Change-Id: If2aab7e9b1e03aa657baf1c33aa4392ef7044075
2016-12-08docker: don't use custom run-os-net-configSteve Baker2-22/+2
The script run-os-net-config[1] copies in ifcfg-* from the host before running os-net-config. Apparently it was done this way because the other scripts in /etc/sysconfig/network-scripts/ differed between host and agent container. This should be less of an issue now that host and heat-agents run centos-7 (even when the host is atomic) tripleo-heat-templates recently changed to running os-net-config in a deployment script instead of an os-refresh-config script [2]. This means that our current run-os-net-config approach is currently resulting in os-net-config being executed twice. Another issue with run-os-net-config is that it copies ifcfg-* from host to container, but not back again. This means that rebooting the server will result in unconfigured interfaces until os-net-config is somehow run again. This change bind mounts /etc/sysconfig/network-scripts/ from the host and uses the conventional approach to running os-refresh-config. This may fix the issue where compute nodes are losing network connectivity, so Closes-Bug: #1646897 [1] http://git.openstack.org/cgit/openstack/tripleo-common/tree/heat_docker_agent/run-os-net-config [2] I0ed08332cfc49a579de2e83960f0d8047690b97a Change-Id: I763fc8d8e3eb10ac64d33e46c92888d211003e72
2016-12-08Merge "Enable haproxy internal TLS through enable-internal-tls.yaml"Jenkins1-0/+1
2016-12-08Correction to SRIOV THT ExamplesSanjay Upadhyay1-2/+3
example for - NeutronSriovNumVFs - NeutronPhysicalDevMappings as given, causes parsing error. Change-Id: I71fb42f10dac70afa02244cd6629b3439f418d63 Closes-Bug: #1648351
2016-12-08Merge "Make get-occ-config.sh support custom roles"Jenkins2-12/+25
2016-12-07Merge "neutron: don't set router_delete_namespaces"Jenkins1-2/+1
2016-12-07Enable haproxy internal TLS through enable-internal-tls.yamlJuan Antonio Osorio Robles1-0/+1
For usability and to reduce the number of environments that need to be given when enabling TLS in the internal network, it's convenient to add the enabling of TLS in the internal front-ends for HAProxy, instead of doing that in a separate environment file. bp tls-via-certmonger Change-Id: Icef0c70b4b166ce2108315d5cf0763d4e8585ae1
2016-12-06Remove unused attr from templatesPradeep Kilambi1-1/+0
Change-Id: I299f8f33b0bac40d331084df37f690dc2a279677
2016-12-06neutron: don't set router_delete_namespacesIhar Hrachyshka1-2/+1
It's no longer available in Neutron (removed in Mitaka). See: I2a879213c3b095a007a4531f430a33cea9fdf1bd Change-Id: I044c648eb8c4933667b8ea2c9159a30e5ebb7df3
2016-12-06Fix SwiftStorage role.Chris Jones1-2/+2
We now fetch the name argument from the correctly named SwiftStorage object. Change-Id: I885505eadfc778ab57793c97af4d1c6739ec9614 Closes-Bug: #1647716
2016-12-05Merge "Support multiple meter dispatchers in ceilometer config"Jenkins1-3/+3
2016-12-05Merge "Move nodes' fqdns to a map to remove clutter"Jenkins6-679/+660