Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
This adds the ability to manage the securetty file.
By allowing management of securetty, operators can limit root
console access and improve security through hardening.
Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7
Partial-Bug: #1665042
Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This patch adds
- setting nova config param 'force_config_meta' to True
as metadata service is not supported by OVN yet.
- Add the necessary iptables rules to allow ovsdb-server
traffic for Northbound and Southboud databases.
- Update the release notes for OVN.
Change-Id: If1a2d07d66e493781b74aab2fc9b76a6d58f3842
Closes-bug: #1670562
|
|
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo
who will call a define in puppet-keysone ldap_backend.pp.
Given the following environment:
parameter_defaults:
KeystoneLDAPDomainEnable: true
KeystoneLDAPBackendConfigs:
tripleoldap:
url: ldap://192.0.2.250
user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
password: Secrete
suffix: dc=redhat,dc=example,dc=com
user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
user_objectclass: person
user_id_attribute: cn
user_allow_create: false
user_allow_update: false
user_allow_delete: false
ControllerExtraConfig:
nova::keystone::authtoken::auth_version: v3
cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.
More backends can be added as more entries to that hash.
This also enables multi-domain support for horizon.
Closes-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
|
|
OS::TripleO::Services::Core is still referenced in the CI roles
enviornment file. Because of which CI is failing when service
template is modified. Removing the obsolete service.
Closes-Bug: #1680043
Change-Id: I168452fa5c2e6d6d8fdf829b9b02996d9ca5532a
|
|
|
|
|
|
|
|
This patch integrates with the db_sync_timeout
parameter recently added to puppet-nova
and puppet-neutron in
I6b30a4d9e3ca25d9a473e4eb614a8769fa4567e7, which allow for the full
db_sync install to have more time than just Pupppet's
default of 300 seconds. Ultimately, similar timeouts
can be added for all other projects that feature
db sync phases, however Nova and Neutron are currently
the ones that are known to time out in some
environments.
Closes-bug: #1661100
Change-Id: Ic47439a0a774e3d74e844d43b58956da8d1887da
|
|
The current check tends to produce a false positive causing unnecessary
service restarts. yum check-update will exit with return code 100 if
updated packages are available.
Change-Id: I8bd89f2b24bafc6c991382b9eb484cfa9a2f8968
|
|
This updates the docker version of ironic-conductor.yaml so
that it sets permissions on the entire /var/lib/ironic
tree correctly. Since 1a4ece16cea40075fe7332ed048b9c289b3ff424
we bind mount in /var/lib/ironic from the host (created via
Ansible if it didn't already exist). This caused a subtle
permissions issue in that the Ironic conductor service
can no longer create sub-directories it needs to operate.
Change-Id: I1eb6b5ddad7cd89ee887e2e429ebe245aa7b80dc
Closes-bug: 1677086
|
|
|
|
|
|
|
|
Change-Id: I397a6ad430cef5ddb4eee48347ad4c89144ad01e
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
Move the Zaqar WSGI service to use httpd in docker deployment.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: If9b16c1aa3529386e68961e3dda5f613ac57b44b
|
|
Kolla provides a way to set ownership of files and directory inside the
containers. Use it instead of running an additional container to do the
job.
Change-Id: I554faf7c797f3997dd3ca854da032437acecf490
|
|
This adds the necessary parameter for swift proxy to be terminiated
internally by a TLS proxy.
bp tls-via-certmonger
Change-Id: I3cb9d53d75f982068f1025729c1793efaee87380
Depends-On: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
|
|
os-collect-config is already configured to use json files in
/var/lib/os-collect-config/local-data/ as a data source, so this can
be used in the deployed-server get-occ-config.sh to copy in the
required json to generate the required os-collect-config.conf.
Co-Authored-By: James Slagle <jslagle@redhat.com>
Closes-Bug: #1679705
Change-Id: Ibde9e6bf360277d4ff64f66d637a5c7f0360e754
|
|
|
|
|
|
This patch enables deployment of sensu-client service in scenario001.
Depends-On: I4895e3b6d3d0e2c12c083133e423cafeecbafe88
Depends-On: Ibabd4688c00c6a12ea22055c95563d906716954d
Change-Id: I377811878712b7615c38094ecbf55dcc67d9ddd5
|
|
|
|
|
|
If we really want upgrade_batch_tasks before the upgrade_tasks
as described in the README then we should enforce the ordering
Noticed this working on bug 1671504 upgrade tasks were being
executed before batch upgrade tasks.
Closes-Bug: 1678101
Change-Id: Iaa1bce960a37c072b5f8441132705a6bb6eb6ede
|
|
Currently we don't enforce step ordering across role, only within
role. With custom role, we can reach a step5 on one role while the
cluster is still at step3, breaking the contract announced in the
README[1] where each step has a guarantied cluster state.
We have to remove the conditional here as well as jinja has no way to
access this information, but we need jinja to iterate over all enabled
role to create the orchestration.
This deals only with Upgrade tasks, there is another review to deal
with UpgradeBatch tasks.
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/README.rst
Closes-Bug: #1679486
Change-Id: Ibc6b64424cde56419fe82f984d3cc3620f7eb028
|
|
|
|
The puppet-tripleo change was added in
Ie9391aa39532507c5de8dd668a70d5b66e17c891.
Closes-bug: #1656558
Change-Id: Ibe2e4be5b5dc953d8d4b14f680a460409db95585
|
|
This enabled a lot of advanced networking features (see the release note).
Related to blueprint ironic-driver-composition
Change-Id: I20ea994fec36d73e618107b5c3594ec1c0f8cb93
Depends-On: I72eb8b06cca14073d1d1c82462fb702630e02de3
|
|
Added VxLAN and metadata agent firewall rules to neutron-compute-plugin
for Nuage. Removed a deprecated parameter 'OSControllerIp' as well.
Change-Id: If10c300db48c66b9ebeaf74b5f5fee9132e75366
|
|
We need to purge the initial firewall for deployed-server's, otherwise
if you have a default REJECT rule, the pacemaker cluster will fail to
initialize. This matches the behavior done when using images, see:
Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3
I0dee5ff045fbfe7b55d078583e16b107eec534aa
Change-Id: Ia83d17b609e4f737074482a980689cc57c3ad911
Closes-Bug: #1679234
|
|
Simplify the config of the containerized services by bind mounting in
the configurations instead of specifying them all in kolla config.
This is change is useful to limit the side effects of generating the
config files and running the container is two separate steps as config
directories are now bind-mounted inside the container instead of having
files being copied to the container. We've seen examples of Apache's
mod_ssl configuration file present on the container preventing it to
start when puppet configured apache not to load the ssl module (in case
TLS is disabled).
Co-Authored-By: Ian Main <imain@redhat.com>
Change-Id: I4ec5dd8b360faea71a044894a61790997f54d48a
|
|
This won't work because we need to change the state of UpgradeLevelNovaCompute
and EnableConfigPurge during the upgrade - it should have been removed
before release, which was an oversight.
Removing this now to avoid further confusion in future.
Change-Id: I16853cdec6c8fe6ad54f17ae2ad1e0460f1574ea
Closes-Bug: #1679214
|
|
|
|
|
|
|
|
Ceilometer API has been deprecated since Ocata. lets disable
it by default and add an env file to enable it if needed.
Closes-bug: #1676968
Change-Id: I571f5467466c29271e0235e8fde6bdae07c20daf
|
|
|
|
|
|
|
|
|