Age | Commit message (Collapse) | Author | Files | Lines |
|
Instead of using the CA bundle, this sets the mysql client configuration
file to use a specific file for validating the certificate of the
database server. This helps in two ways:
* Improves performance since validation will check only one certificate.
* Improves security since we're only the certificates signed by one CA
are valid, instead of any certificate that the system trusts (which
could include potentially compromised public certs).
Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7
Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
|
|
|
|
Change-Id: Ic218a753e0cede2ba3951bcaec843f487dce0c71
|
|
|
|
|
|
|
|
|
|
When implementing custom roles, we lost an implicit dependency that
ensured AllNodesExtraConfig is applied before AllNodesDeploySteps,
which causes problems if you need to write hieradata via the
AllNodesExtraConfig hook (some cisco integrations we have in tree
do this, and are now broken because the ordering is no longer ensured.
Change-Id: Ie78ecbb4e135ab7f196867ef9d8d271049a9cd10
Closes-Bug: #1687597
|
|
|
|
Closes-Bug:1686619
Change-Id: I7c32ca39a456de9833d30c31d41fcb727d2b0a34
|
|
|
|
list_concat was introduced recently and is able to replace the yaql
calls for concatenating lists.
Change-Id: Id3a80a0e1e4c25b6d838898757c69ec99d0cd826
|
|
Change-Id: Ia0e0a12e1863dce657d4e1c7f9894ea5bfd008be
|
|
Log prepared docker command
Use logger stdout instead of print command
Log stderr as debug as well
Change-Id: I3d48fbf4fa3381d325e3be3788b041e06d4bb294
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
Exporting the neutron::server parameter into the neutron_api service, so
Octavia API and Neutron Server can be separated.
Change-Id: Iee28b0e84a00bd589d6f14a73f0c3f32d310b393
Closes-Bug: #1687026
|
|
storage backend"
|
|
|
|
|
|
In the converge envs we unset the UpgradeInitCommon since we used
that for the N..O upgrades workflow. However an operator may have
also overridden the UpgradeInitCommand so we should unset that
too.
Closes-Bug: 1686918
Change-Id: I3b316d04b78a4ab1e3f9f69948e42e6fb0ad6632
|
|
|
|
|
|
|
|
|
|
|
|
We fixed pcs resources start/stop timeouts via
I587136d8d045d213875c657ea5a405074f80c8ad in Nov 2015.for mitaka.
And there we stated:
This can be removed once updates from deployments made prior to
I6fc18f1ad876c5a25723710a3b20d8ec9519dcba are no longer supported.
We can now safely remove these updates as they are useless and cost time
anyway.
Change-Id: Ibad2b3eed0d08560d52d5ebe700746b61e5b8f51
|
|
|
|
The stack name can now be overridden in the get-occ-config.sh script for
deployed-server's by setting the $STACK_NAME variable in the
environment.
Change-Id: Iecba21499b80e463b4c629be53c309996d39472d
Closes-Bug: #1686719
|
|
|
|
|
|
local"
|
|
The puppet-redis module makes use of the exec puppet tag to copy the
/etc/redis.conf.puppet file to /etc/redis.conf. We need to explicitly
enable it otherwise our redis container will pick up the default redis
configuration and not the one that was generated with puppet.
Also creates the /var/run/redis directory on the host since we bind
mount /run, and ensure the container sets the correct ownership on the
directory.
Finally, configure redis to not daemonize otherwise the container ends
up in a restart loop.
Change-Id: Ia1dce2120ca7479eef8bc77dedf9431adbe210cc
Closes-Bug: #1686707
|
|
|
|
|
|
It is required for a hybrid deployments
when WSGI based services running both at host and in containers, without conflicting default ports.
Partial-bug: #1686637
Co-authored-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I9d0a5bb32337a6a8f1a4036f9560df79dfe1d90a
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
the CA and certmonger user profiles were needed in the compute services
list from the tls-everywhere in containers environment.
bp tls-via-certmonger-containers
Change-Id: Ib584ac0745d68828467bcfad7f6472ab66adbac3
|
|
1) When Apache is upgraded, install mod_ssl rpm.
See https://bugs.launchpad.net/tripleo/+bug/1682448
to understand why we need mod_ssl.
2) All services that run Apache for API will use the snippet from
Apache service to deploy mod_ssl, so we don't duplicate the code
in all services. It's using the same mechanism as ovs upgrade to
compile upgrade_tasks between both services.
Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84
Closes-Bug: #1686503
|
|
|
|
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the
rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a
nice performance boost with rabbitmq, it makes rabbit less resilient to
network glitches as we painfully found out via
https://bugzilla.redhat.com/show_bug.cgi?id=1441635.
This is the THT part of the change that changes the default to
ha-mode: all.
Closes-Bug: #1686337
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
Change-Id: I7afcf2b3c8deb13fc2134e4cae9c06a44e775384
Depends-On: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
|
|
Docker puppet hook writes to /etc of
containers. Mount /etc as rw for etcd container.
Change-Id: I8e45de18a91022690c19888cbfaa68d2fdfe46ce
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
scenario001 env in ocata has mapped PankoApi locally and it
has been removed master scenario001 env file. In tripleo.sh
upgrade command, both old (ocata) and new (master) env files
are included, because of which new service file is not used,
as it has been removed. This change is to add the PankoApi
mapping back to scenario001 env file for now. Actual fix
will be remove old env file from upgrade command of tripleo.sh.
Partial-Bug: #1685759
Change-Id: I4a8ee38d990a1980eea6ec63f2780357d040ded4
|
|
|
|
|
|
Ceilometer collector is deprecated in Pike release.
Do not deploy by default. Instead use the pipeline
yaml to configure the publisher directly.
Closes-bug: #1676961
Change-Id: Ic71360c6307086d5393cd37d38ab921de186a2e0
|
|
|
|
|
|
We have a circular dependency errror since
https://review.openstack.org/#/c/452734/ landed.
This adjusts the dependencies to ensure we run pre-config before
the first puppet deploy step, and removes the duplicate declaration
of the ControllerPostConfig resource. Also we ensure the first
container step always depends on the same step puppet deploy.
Change-Id: I70c5a39fb36b951bdeb04c15bddac7d00eebf08a
Closes-Bug: #1686098
|
|
This hiera key is used by keystone to create the ceilometer service
user. It works in CI cause keystone and the ceilometer services are in
the same node. However, this fails if keystone is deployed on a separate
note.
We should only deploy it in the nodes containing the keystone service
since it's only relevant to create the service user.
Change-Id: Ic0f02fe9a78a1fe14ac2b87197692fbd80c003b8
Closes-Bug: #1685828
|
|
This removes the need to do it in puppet-tripleo
Change-Id: I6f44a6a02041c0fbbafb770a087a0032c3a53a76
|
|
|