Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
Adds some missing name properties on deployment resources where they
were lacking. It's convention in TripleO that all the deployment
resources have the name property set.
Change-Id: I6464b099e725f8469163c887676d56d769e2f9b1
|
|
|
|
Ceilometer Auth should be enabled even if ceilometer api
is not. Lets decouple these, this flag will be used in
puppet-tripleo where ceilometer::keystone::auth class
is initialized.
Change-Id: Iffebd40752eafb1d30b5962da8b5624fb9df7d48
Closes-bug: #1677354
|
|
This patch updates ceph::keystone::auth::roles to remove
"member" and add "Member". The previous entry breaks
OSP N to O upgrades when ceph-rgw is enabled.
This patch fixes: https://bugs.launchpad.net/tripleo/+bug/1678126
Closes-bug: 1678126
Change-Id: I2e442eda98e2e083d6f4193fb38a0484919a6d33
|
|
In [1] we removed the previously used special case upgrade code.
However we have since discovered that for openvswitch 2.5.0-14
the special case is still required with an extra flag to prevent
the restart. This adds the upgrade code back into the minor
update and 'manual upgrade' scripts for compute/swift. The
review at If998704b3c4199bbae8a1d068c31a71763f5c8a2 is adding
this logic for the ansible upgrade steps.
Related-Bug: 1669714
[1] https://review.openstack.org/#/q/59e5f9597eb37f69045e470eb457b878728477d7
Change-Id: I3e5899e2d831b89745b2f37e61ff69dbf83ff595
|
|
When we upgrade OVS from 2.5 to 2.6, the postrun package update
restart the services and drop the connectivity
We need to push this manual upgrade script and executed to the
nodes for newton to ocata
The special case is needed for 2.5.0-14 specifically see related
bug for more info (or, older where the postun tries restart).
See related review at [1] for the minor update/manual upgrade.
Related-Bug: 1669714
Depends-On: I3227189691df85f265cf84bd4115d8d4c9f979f3
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
[1] https://review.openstack.org/#/c/450607/
Change-Id: If998704b3c4199bbae8a1d068c31a71763f5c8a2
|
|
|
|
Change-Id: I170b7e4cff66f0a4b1b6d5735f93c9f0295a5ac5
|
|
We are removing this in favor of just using the keystone uri and
appending /ec2tokens
Change-Id: Idab78d61f3931818aa91faad2d68c1fe20f68db6
|
|
They were using v2.0 and we're getting rid of v2.0/ec2tokens in the
EndpointMap.
Change-Id: Ib9fbbdb0144bb4e250c561613bba6219506ff30f
|
|
|
|
This patch enables deployment of fluentd service in scenario001.
Depends-On: Ibabd4688c00c6a12ea22055c95563d906716954d
Change-Id: Ib24a67f9068efb60b754590503a503344ab1f1df
|
|
|
|
L2 Gateway (L2GW) is an API framework for OpenStack that offers bridging
two or more networks together to make them look at a single broadcast
domain. This patch implements the l2gw neutron service plugin support part
in t-h-t.
Change-Id: I1b52dc2c11a15698e43b6deeac6cadeeba1802d5
Depends-On: I01a8afdc51b2a077be1bbc7855892f68756e1fd3
Partially-Implements: blueprint l2gw-service-integration
Signed-off-by: Peng Liu <pliu@redhat.com>
|
|
|
|
|
|
|
|
|
|
Change-Id: Ia65796b04be9f7cadc57af30ef66788dd8cb7de8
Closes-Bug: 1677539
|
|
|
|
This output gets nova metadata into the servers this is deployed to and
is necessary for the TLS-everywhere work.
bp tls-via-certmonger-containers
Change-Id: Iff54f7af9c63a529f88c6455047f6584d29154b4
|
|
|
|
|
|
Installing openstack-heat-agents is unnecessary since it has the same
effect as installing python-heat-agent-* which happens on the next
line.
Installing openstack-heat-agents is causing issues when mixing ocata
and master repos, since there hasn't been a release on master since
ocata was branched.
Change-Id: I1a75e16810b6a89cf1dd9ff4f4b3b5dccfc0466e
Closes-Bug: #1677278
|
|
Closes-Bug: #1662679
Change-Id: I3446d59b89d43859caedd2be4583099374944379
|
|
We set dns_domain to '' in the undercloud neutron. This patch adds a new
heat parameter to control the Neutron DNS setting and sets the
undercloud environment default correctly for this setting.
Change-Id: I794e7b88108d0d6286e5930bb5236e72ba806c3f
|
|
* Disable Kernel Parameter for Sending ICMP Redirects:
- net.ipv4.conf.default.send_redirects = 0
- net.ipv4.conf.all.send_redirects = 0
Rationale: An attacker could use a compromised host
to send invalid ICMP redirects to other router devices
in an attempt to corrupt routing and have users access
a system set up by the attacker as opposed to a valid
system.
* Disable Kernel Parameter for Accepting ICMP Redirects:
- net.ipv4.conf.default.accept_redirects = 0
Rationale: Attackers could use bogus ICMP redirect
messages to maliciously alter the system routing tables
and get them to send packets to incorrect networks and
allow your system packets to be captured.
* Disable Kernel Parameter for secure ICMP Redirects:
- net.ipv4.conf.default.secure_redirects = 0
- net.ipv4.conf.all.secure_redirects = 0
Rationale: Secure ICMP redirects are the same as ICMP
redirects, except they come from gateways listed on
the default gateway list. It is assumed that these
gateways are known to your system, and that they are
likely to be secure.
* Enable Kernel Parameter to log suspicious packets:
- net.ipv4.conf.default.log_martians = 1
- net.ipv4.conf.all.log_martians = 1
Rationale: Enabling this feature and logging these packets
allows an administrator to investigate the possibility
that an attacker is sending spoofed packets to their system.
* Ensure IPv6 redirects are not accepted by Default
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv6.conf.default.accept_redirects = 0
Rationale: It is recommended that systems not accept ICMP
redirects as they could be tricked into routing traffic to
compromised machines. Setting hard routes within the system
(usually a single default route to a trusted router) protects
the system from bad routes.
Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
|
|
Note: since it replaces rabbitmq, in order to aim for the smallest
amount of changes the service_name is called 'rabbitmq' so all the
other services do not need additional logic to use qdr.
Depends-On: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608
Change-Id: I27f01d2570fa32de91ffe1991dc873cdf2293dbc
|
|
|
|
For both containers and classic deployments, allow to configure
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).
Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.
Note: use it with extreme caution.
Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
|
|
panko is enabled by default, we might as well make it
the default dispatcher along with gnocchi.
Closes-bug: #1676900
Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
|
|
|
|
|
|
|
|
|
|
So far the operational tools are:
- Availability monitoring
- Centralized logging
- Performance monitoring
This change added the performance monitoring under the Operational tools
so on the tripleo-ui --> deployment configuration --> operational tools
all these features can be added
Change-Id: I7335eaeaed4118422f5630d042229f1a1bf60b5d
|
|
|
|
|
|
|
|
Change-Id: I86fd68da7b2d96590f21a8511fa1a23dcf1a6dda
|
|
|
|
|
|
|
|
Attempt to check galera's cluster status fails when galera service
is not running on the same node.
Change-Id: I27fb0841d85cd0dc86e92ac2e21eedf5f8f863ab
|
|
|
|
|
|
Hiera value of nova::compute::pci_passthrough should be a string.
It has been modified to JSON with the heira hook changes. Modifying
it again back to string.
Closes-Bug: #1675036
Change-Id: I441907ff313ecc5b7b4da562c6be195687fc6c76
|
|
The core dump of a setuid program is more likely
to contain sensitive data, as the program itself
runs with greater privileges than the user who
initiated execution of the program. Disabling the
ability for any setuid program to write a core
file decreases the risk of unauthorized access of
such data.
This change sets core dump for setuid programs
to '0'.
Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi <zshi@redhat.com>
|