aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-04-02Merge "Set auth flag so ceilometer auth is enabled"Jenkins3-0/+15
2017-04-01Merge "Add special case upgrade from openvswitch 2.5.0-14"Jenkins3-4/+11
2017-04-01Add missing name properties on deloyment resourcesJames Slagle2-0/+3
Adds some missing name properties on deployment resources where they were lacking. It's convention in TripleO that all the deployment resources have the name property set. Change-Id: I6464b099e725f8469163c887676d56d769e2f9b1
2017-03-31Merge "Don't check haproxy if external load-balancer is used."Jenkins1-1/+13
2017-03-31Set auth flag so ceilometer auth is enabledPradeep Kilambi3-0/+15
Ceilometer Auth should be enabled even if ceilometer api is not. Lets decouple these, this flag will be used in puppet-tripleo where ceilometer::keystone::auth class is initialized. Change-Id: Iffebd40752eafb1d30b5962da8b5624fb9df7d48 Closes-bug: #1677354
2017-03-31Update ceph-rgw acccepted roles to fix OSP upgradeKeith Schincke1-1/+1
This patch updates ceph::keystone::auth::roles to remove "member" and add "Member". The previous entry breaks OSP N to O upgrades when ceph-rgw is enabled. This patch fixes: https://bugs.launchpad.net/tripleo/+bug/1678126 Closes-bug: 1678126 Change-Id: I2e442eda98e2e083d6f4193fb38a0484919a6d33
2017-03-31Add special case upgrade from openvswitch 2.5.0-14marios3-4/+11
In [1] we removed the previously used special case upgrade code. However we have since discovered that for openvswitch 2.5.0-14 the special case is still required with an extra flag to prevent the restart. This adds the upgrade code back into the minor update and 'manual upgrade' scripts for compute/swift. The review at If998704b3c4199bbae8a1d068c31a71763f5c8a2 is adding this logic for the ansible upgrade steps. Related-Bug: 1669714 [1] https://review.openstack.org/#/q/59e5f9597eb37f69045e470eb457b878728477d7 Change-Id: I3e5899e2d831b89745b2f37e61ff69dbf83ff595
2017-03-31Add manual ovs upgrade script for workaround ovs upgrade issueMathieu Bultel5-26/+112
When we upgrade OVS from 2.5 to 2.6, the postrun package update restart the services and drop the connectivity We need to push this manual upgrade script and executed to the nodes for newton to ocata The special case is needed for 2.5.0-14 specifically see related bug for more info (or, older where the postun tries restart). See related review at [1] for the minor update/manual upgrade. Related-Bug: 1669714 Depends-On: I3227189691df85f265cf84bd4115d8d4c9f979f3 Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com> [1] https://review.openstack.org/#/c/450607/ Change-Id: If998704b3c4199bbae8a1d068c31a71763f5c8a2
2017-03-31Merge "Add missing ec2api::api::keystone_ec2_tokens_url config"Jenkins1-0/+5
2017-03-31Setting keystone region for tackerDan Radez1-0/+1
Change-Id: I170b7e4cff66f0a4b1b6d5735f93c9f0295a5ac5
2017-03-31Remove EC2 endpoint from EndpointMapJuan Antonio Osorio Robles2-83/+0
We are removing this in favor of just using the keystone uri and appending /ec2tokens Change-Id: Idab78d61f3931818aa91faad2d68c1fe20f68db6
2017-03-31Change heat and mistral to use v3/ec2tokens urlJuan Antonio Osorio Robles2-2/+10
They were using v2.0 and we're getting rid of v2.0/ec2tokens in the EndpointMap. Change-Id: Ib9fbbdb0144bb4e250c561613bba6219506ff30f
2017-03-30Merge "Re-Add bigswitch agent support"Jenkins5-1/+69
2017-03-30Add logging agents deployment to CIMartin Mágr2-0/+10
This patch enables deployment of fluentd service in scenario001. Depends-On: Ibabd4688c00c6a12ea22055c95563d906716954d Change-Id: Ib24a67f9068efb60b754590503a503344ab1f1df
2017-03-30Merge "Output service_metadata_settings in docker services.yaml"Jenkins1-0/+2
2017-03-30Add l2gw neutron service plugin supportPeng Liu6-0/+84
L2 Gateway (L2GW) is an API framework for OpenStack that offers bridging two or more networks together to make them look at a single broadcast domain. This patch implements the l2gw neutron service plugin support part in t-h-t. Change-Id: I1b52dc2c11a15698e43b6deeac6cadeeba1802d5 Depends-On: I01a8afdc51b2a077be1bbc7855892f68756e1fd3 Partially-Implements: blueprint l2gw-service-integration Signed-off-by: Peng Liu <pliu@redhat.com>
2017-03-30Merge "Do not install openstack-heat-agents"Jenkins1-1/+0
2017-03-30Merge "[N->O] Fix wrong database connection for cell0 during upgrade."Jenkins2-1/+11
2017-03-30Merge "[N->O] is creating 2 default cell_v2 cells"Jenkins1-4/+4
2017-03-30Merge "Add NodeCreateBatchSize parameter"Jenkins1-0/+8
2017-03-30Don't check haproxy if external load-balancer is used.Sofer Athlan-Guyot1-1/+13
Change-Id: Ia65796b04be9f7cadc57af30ef66788dd8cb7de8 Closes-Bug: 1677539
2017-03-30Merge "Run cluster check on nodes configured in wsrep_cluster_address."Jenkins1-9/+13
2017-03-30Output service_metadata_settings in docker services.yamlJuan Antonio Osorio Robles1-0/+2
This output gets nova metadata into the servers this is deployed to and is necessary for the TLS-everywhere work. bp tls-via-certmonger-containers Change-Id: Iff54f7af9c63a529f88c6455047f6584d29154b4
2017-03-30Merge "Include panko in the default dispatcher"Jenkins2-1/+5
2017-03-30Merge "Allow to configure policy.json for OpenStack projects"Jenkins24-4/+160
2017-03-30Do not install openstack-heat-agentsSteve Baker1-1/+0
Installing openstack-heat-agents is unnecessary since it has the same effect as installing python-heat-agent-* which happens on the next line. Installing openstack-heat-agents is causing issues when mixing ocata and master repos, since there hasn't been a release on master since ocata was branched. Change-Id: I1a75e16810b6a89cf1dd9ff4f4b3b5dccfc0466e Closes-Bug: #1677278
2017-03-29Add ceilometer ipmi agentPradeep Kilambi4-0/+82
Closes-Bug: #1662679 Change-Id: I3446d59b89d43859caedd2be4583099374944379
2017-03-29Add NeutronDnsDomain heat option, undercloud fixDan Prince2-0/+6
We set dns_domain to '' in the undercloud neutron. This patch adds a new heat parameter to control the Neutron DNS setting and sets the undercloud environment default correctly for this setting. Change-Id: I794e7b88108d0d6286e5930bb5236e72ba806c3f
2017-03-29Add network sysctl tweaks for securityzshi3-0/+46
* Disable Kernel Parameter for Sending ICMP Redirects: - net.ipv4.conf.default.send_redirects = 0 - net.ipv4.conf.all.send_redirects = 0 Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system. * Disable Kernel Parameter for Accepting ICMP Redirects: - net.ipv4.conf.default.accept_redirects = 0 Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured. * Disable Kernel Parameter for secure ICMP Redirects: - net.ipv4.conf.default.secure_redirects = 0 - net.ipv4.conf.all.secure_redirects = 0 Rationale: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. * Enable Kernel Parameter to log suspicious packets: - net.ipv4.conf.default.log_martians = 1 - net.ipv4.conf.all.log_martians = 1 Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system. * Ensure IPv6 redirects are not accepted by Default - net.ipv6.conf.all.accept_redirects = 0 - net.ipv6.conf.default.accept_redirects = 0 Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes. Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e Co-Authored-By: Luke Hinds <lhinds@redhat.com> Signed-off-by: zshi <zshi@redhat.com>
2017-03-29Qpid dispatch router composable roleJohn Eckersberg6-1/+75
Note: since it replaces rabbitmq, in order to aim for the smallest amount of changes the service_name is called 'rabbitmq' so all the other services do not need additional logic to use qdr. Depends-On: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608 Change-Id: I27f01d2570fa32de91ffe1991dc873cdf2293dbc
2017-03-29Merge "Modify pci_passthrough hiera value as string"Jenkins2-2/+10
2017-03-28Allow to configure policy.json for OpenStack projectsEmilien Macchi24-4/+160
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-28Include panko in the default dispatcherPradeep Kilambi2-1/+5
panko is enabled by default, we might as well make it the default dispatcher along with gnocchi. Closes-bug: #1676900 Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
2017-03-28Merge "Remove 'Controller' role references from overcloud.j2.yaml"Jenkins1-6/+6
2017-03-28Merge "N->O upgrade, blanks ipv6 rules before activating it."Jenkins1-0/+6
2017-03-28Merge "N->O Upgrade, make sure all nova placement parameter properly set."Jenkins1-3/+6
2017-03-28Merge "Stop openstack-nova-compute during nova-ironic upgrade"Jenkins1-0/+4
2017-03-28Grouped all the Operational toolsJuan Badia Payno1-1/+9
So far the operational tools are: - Availability monitoring - Centralized logging - Performance monitoring This change added the performance monitoring under the Operational tools so on the tripleo-ui --> deployment configuration --> operational tools all these features can be added Change-Id: I7335eaeaed4118422f5630d042229f1a1bf60b5d
2017-03-28Merge "Only set EnableConfigPurge on major upgrades"Jenkins7-9/+13
2017-03-28Merge "Updated from global requirements"Jenkins2-2/+2
2017-03-28Merge "Swift auth url should use a suffix"Jenkins1-1/+1
2017-03-28Updated from global requirementsOpenStack Proposal Bot2-2/+2
Change-Id: I86fd68da7b2d96590f21a8511fa1a23dcf1a6dda
2017-03-28Merge "MySQL: Use conditional instead of nested stack for TLS-specific bits"Jenkins4-56/+26
2017-03-28Merge "Apache: Use conditional instead of nested stack for TLS-specific bits"Jenkins4-82/+39
2017-03-28Merge "Rabbitmq: Use conditional instead of nested stack for TLS-specific bits"Jenkins4-59/+27
2017-03-28Run cluster check on nodes configured in wsrep_cluster_address.Yurii Prokulevych1-9/+13
Attempt to check galera's cluster status fails when galera service is not running on the same node. Change-Id: I27fb0841d85cd0dc86e92ac2e21eedf5f8f863ab
2017-03-28Merge "Remove kolla_config copy from keystone service."Jenkins1-47/+3
2017-03-28Merge "Nic config mappings for deployed-server"Jenkins2-4/+11
2017-03-28Modify pci_passthrough hiera value as stringSaravanan KR2-2/+10
Hiera value of nova::compute::pci_passthrough should be a string. It has been modified to JSON with the heira hook changes. Modifying it again back to string. Closes-Bug: #1675036 Change-Id: I441907ff313ecc5b7b4da562c6be195687fc6c76
2017-03-28Disable core dump for setuid programszshi2-0/+14
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. This change sets core dump for setuid programs to '0'. Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d Signed-off-by: zshi <zshi@redhat.com>