Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Since nova-compute is not containerized with TLS yet, using containerized
iscsid causes errors when trying to spawn a VM with a volume. Since
the path is different in this case.
I will re-add iscsid to this environment once nova-compute is
containerized with TLS.
bp tls-via-certmonger-containers
Change-Id: Ida87b187e56ae852c5a4ef6f78cc04a0870fe3f4
|
|
Bind mounts and adds the appropriate permissions for the cert and
key that's used for TLS.
bp tls-via-certmonger-containers
Change-Id: I7fae4083604c7dc89ca04141080a228ebfc44ac9
|
|
This bind mounts the certificates if TLS is enabled in the internal
network. It also disables the CRL usage since we can't restart haproxy
at the rate that the CRL is updated. This will be addressed later and
is a known limitation of using containerized haproxy (there's the same
issue in the HA scenario). To address the different UID that the certs
and keys will have, I added an extra step that changes the ownership
of these files; though this only gets included if TLS in the internal
network is enabled.
bp tls-via-certmonger-containers
Depends-On: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
Change-Id: Ic6ca88ee7b6b256ae6182e60e07498a8a793d66a
|
|
If we consolidate these we can focus on one implementation (the new ansible
based one used for docker-steps)
Change-Id: Iec0ad2278d62040bf03613fc9556b199c6a80546
Depends-On: Ifa2afa915e0fee368fb2506c02de75bf5efe82d5
|
|
some resources were missing, so this syncs up what's working right now.
bp tls-via-certmonger-containers
Change-Id: Ic8fe20d0240f1ad8f18218d66634029d522d4d5a
|
|
Some resources have changed. So the environment needed syncing
Change-Id: I9aa310ae80edfccd3ed28e67a431aad6e1ed8a7f
|
|
|
|
Updates hieradata for changes in https://review.openstack.org/471950.
Creates a new service - NovaMigrationTarget. On baremetal this just configures
live/cold-migration. On docker is includes a container running a second sshd
services on an alternative port.
Configures /var/lib/nova/.ssh/config and mounts in nova-compute and libvirtd
containers.
Change-Id: Ic4b810ff71085b73ccd08c66a3739f94e6c0c427
Implements: blueprint tripleo-cold-migration
Depends-On: I6c04cebd1cf066c79c5b4335011733d32ac208dc
Depends-On: I063a84a8e6da64ae3b09125cfa42e48df69adc12
|
|
This currently assumes nova-compute and iscsid run in the same context which
isn't true for a containerized deployment
Change-Id: I11232fc412adcc18087928c281ba82546388376e
Depends-On: I91f1ce7625c351745dbadd84b565d55598ea5b59
Depends-On: I0cbb1081ad00b2202c9d913e0e1759c2b95612a5
|
|
Change-Id: Ibfc568755764203b68aed524d6f334eeb7cd5da7
Closes-bug: #1703001
|
|
This commit brings change from
I3896fa2ea7caa603186f0af04f6d8382d50dd97a to
docker-services-tls-everywhere.yaml, which original commit message was:
These duplicate the defaults in puppet/services/docker.yaml and
break things if you include an environment file (e.g that generated
by quickstart containers-default-parameters.yaml) before the
docker.yaml.
Instead it's probably more helpful to include the commented lines
showing how to enable use of a local docker registry.
Change-Id: Ifa95ef60bc17bd2638ebb6aebf77a819b28c9f0b
Related-Bug: #1691524
|
|
Move to one common services.yaml not only reduces the duplication, but it
should improve performance for the docker/services.yaml case, because we were
creating two ResourceChains with $many services which we know can be really
slow (especially since we seem to be missing concurrent: true on one)
Change-Id: I76f188438bfc6449b152c2861d99738e6eb3c61b
|
|
This adds the sshd puppet service to the containerized compute role
All other roles already include this service from the defaults roles data,
it is only missing from the compute role.
As the sshd service runs on the docker host, this must remain as a
traditional puppet service. NB the sshd puppet service does not enable
sshd, it just enables the management of the sshd config via t-h-t/puppet.
Closes-bug: #1693837
Change-Id: I86ff749245ac791e870528ad4b410f3c1fd812e0
|
|
This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of neutron server.
bp tls-via-certmonger-containers
Change-Id: I2529d78e889835f48c51e12d28ecd7c48739b02b
|
|
This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of glance-api.
bp tls-via-certmonger-containers
Change-Id: If902ac732479832b9aa3e4a8d063b5be68a42a9b
|
|
This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of swift.
bp tls-via-certmonger-containers
Depends-On: Ib01137cd0d98e6f5a3e49579c080ab18d8905b0d
Change-Id: I9639af8b46b8e865cc1fa7249bf1d8b1b978adfe
|
|
This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd.
bp tls-via-certmonger-containers
Change-Id: I194c33992c7f3628f7858ecf5e472ecfdee969ed
|
|
the CA and certmonger user profiles were needed in the compute services
list from the tls-everywhere in containers environment.
bp tls-via-certmonger-containers
Change-Id: Ib584ac0745d68828467bcfad7f6472ab66adbac3
|
|
This covers aodh, gnocchi and panko.
cp tls-via-certmonger-containers
Change-Id: I6dabb0d82755c28b8940c0baab0e23cfcc587c42
|
|
This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd. Which is
the commit this is on top of.
Also, an environment file was added that's similar to
environments/docker.yaml. The difference is that this one will contain
the services that can run containerized with TLS-everywhere. This file
will be updated as more services get support for this.
bp tls-via-certmonger-containers
Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78
|