Age | Commit message (Collapse) | Author | Files | Lines |
|
For both containers and classic deployments, allow to configure
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).
Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.
Note: use it with extreme caution.
Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
|
|
|
|
|
|
|
|
|
|
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa
|
|
|
|
Adds default nic config mappings when using the deployed-server custom
roles data at deployed-server/deployed-server-roles-data.yaml.
Previously there were no default mappings as the hardcoded mapping for
the Controller role from overcloud-resource-registry-puppet.j2.yaml
would not be used since there is no Controller role when using
deployed-server.
The default mapping is net-config-static.yaml instead of
net-config-noop.yaml, since there is no requirement of a L2 domain for
dhcp between undercloud and overcloud nodes when using deployed-server.
The convenience mapping of ControllerDeployedServer to
net-config-static-bridge.yaml is also added so that out of the box the
roles with controller services will get the right bridge created.
The mappings can always be overridden in later environment files if
needed.
Change-Id: I581fec99b459a12512686e47b10b962756652eb3
Closes-Bug: #1670493
Depends-On: Ib681729cc2728ca4b0486c14166b6b702edfcaab
|
|
Bug #1611800 fixed an upgrade issue by enabling purging configs for
some services, but this causes issues such as longer updates and
restarting services in the minor update case, so only do this for
major upgrades, and default to false.
Related-Bug: #1611800
Closes-Bug: #1674858
Change-Id: Iff7d715f6730c5633f1146008504b4309ef3133d
|
|
|
|
|
|
Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com>
Closes-bug: #1668918
Change-Id: Ie1ebd25965bd2dbad2a22161da0022bad0b9e554
|
|
Closes-bug: #1668928
Change-Id: I291df31be97c3d55cddb3924482aa5976a79c2b1
|
|
|
|
This profile will request the certificates for the services on the node.
So with this, we will remove the requesting of these certs on the
services' profiles themselves.
The reasoning for this is that for a containerized environment, the
containers won't have credentials to the CA while the baremetal node
does. So, with this, we will have this profile that still gets executed
in the baremetal nodes, and we can subsequently pass the requested
certificates by bind-mounting them on the containers. On the other hand,
this approach still works well for the TLS-everywhere case when the
services are running on baremetal.
Change-Id: Ibf58dfd7d783090e927de6629e487f968f7e05b6
Depends-On: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
|
|
We are already enabling panko-api by default
`https://github.com/openstack/tripleo-heat-templates/blob/34c46241cda3be567017943560d218ced3bbdc03/overcloud-resource-registry-puppet.j2.yaml#L226`
so there is no need to have the environment file
or the resource in the ci environment template.
Change-Id: I6af6e2196a77320c8d3b5914d161a795b007151a
|
|
|
|
|
|
|
|
|
|
Closes-bug: #1668930
Change-Id: If5dff4388b255373083e164a74aaacd529a94111
|
|
This project aims at supporting inter-connection between L3VPNs
and Neutron resources, i.e. Networks, Routers and Ports.
Partially-Implements: blueprint bgpvpn-service-integration
Depends-On:I7c1686693a29cc1985f009bd7a3c268c0e211876
Change-Id: I576c9ac2b443dbb6886824b3da457dcc4f87b442
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
|
|
As with other services, this passes the necessary hieradata to enable
TLS for RabbitMQ. This will mean (once we set it via puppet-tripleo)
that there will only be TLS connections, as the ssl_only option is being
used.
bp tls-via-certmonger
Change-Id: I960bf747cd5e3040f99b28e2fc5873ca3a7472b5
Depends-On: Ic2a7f877745a0a490ddc9315123bd1180b03c514
|
|
This patch moves enabling Zaqar docker services into
a separate environment in the environments/services-docker
directory.
Change-Id: I6755eb7ae2abb2b9c8b213ff6fd21b0392353ef5
|
|
This patch moves enabling Mistral docker services into
a separate environment in the environments/services-docker
directory.
Change-Id: I8b484532de5f5d61fc0240defbc5fc27789a1279
|
|
This patch moves enabling Ironic docker services into
a separate environment in the environments/services-docker
directory.
Change-Id: I236de47d422b3563a0192359f2327610fc1714ca
|
|
A recent commit [1] change how docker is installed and configured on
the overcloud nodes, from a cloud-init script to a proper puppet
profile in puppet-tripleo but forgot to enable the docker service on
the compute nodes.
[1] Ia50169819cb959025866348b11337728f8ed5c9e
Change-Id: I202723d0e48f110e5b0dbfe3dcf6646da9f37948
|
|
|
|
It will allow to configure keystone event notifications
using CADF, as documented on:
https://docs.openstack.org/developer/keystone/event_notifications.html
CADF events provide auditing capabilities for compliance with
security.
Change-Id: Id16b264c295b9e3adbf960366ff8328ba8dcd485
|
|
This aligns the docker based services with the new composable upgrades
architecture we landed for ocata, and does a first-pass adding upgrade_tasks
for the services (these may change, atm we only disable the service on
the host).
To run the upgrade workflow you basically do two steps:
openstack overcloud deploy --templates \
-e environments/major-upgrade-composable-steps-docker.yaml
This will run the ansible upgrade steps we define via upgrade_tasks
then run the normal docker PostDeploySteps to bring up the containers.
For the puppet workflow there's then an operator driven step where
compute nodes (and potentially storage nodes) are upgrades in batches
and finally you do:
openstack overcloud deploy --templates \
-e environments/major-upgrade-converge-docker.yaml
In the puppet case this re-applies puppet to unpin the nova RPC API
so I guess it'll restart the nova containers this affects but otherwise
will be a no-op (we also disable the ansible steps at this point.
Depends-On: I9057d47eea15c8ba92ca34717b6b5965d4425ab1
Change-Id: Ia50169819cb959025866348b11337728f8ed5c9e
|
|
This allows to run a containerized neutron on the overcloud.
Co-Authored-By: Martin André <m.andre@redhat.com>
Depends-On: Iaf6536b1c4d0b2b118af92295136378cdfeee9d1
Change-Id: I86a12248d4f28f4dbe7708be928bcd8a45968d01
|
|
Until bug #1635409 is fixed we'll have to keep the default list
of services deployed by hyperconverged-ceph.yaml in sync with the
ServicesDefault list provided in roles_data.yaml
This change adds some logic in the templates validation script to
ensure that is preserved with future updates.
Change-Id: Ib767f9a24c3541b16f96bd6b6455cf797113fbd8
|
|
|
|
|
|
|
|
Vector Packet Processing (VPP) is a high performance packet processing
stack that runs in user space in Linux. VPP is used as an alternative to
kernel networking stack for accelerated network data path. This patch
adds VPP as a composable service. Note that NIC binding related configs
for VPP are handled in os-net-config.
Depends-on: I70a68a204a8b9d533fc2fa4fc33c39c3b1c366bf
Change-Id: I5e4b1903dc87cb16259eeb05db585678acadbc6b
Implements: blueprint fdio-integration-tripleo
|
|
This package wasn't installed in the Newton image and we need to
install it during upgrade to be able to skip preupgrade validations.
Change-Id: If6ee7a3801756ac445ae35534803eab175ad8e40
Closes-Bug: 1667967
|
|
A recent patch enabled a few containerized services on the Controller
node. We need to enable docker for all the roles.
Change-Id: I99fc0c2d29db3514a439b717d14367ad2252e450
|
|
|
|
We need to bump this a bit for the overcloud containers
jobs. This patch makes it configurable and increases the
size for the undercloud.
Related-bug: #1667697
Change-Id: I79319f051747b381f5fa36f8a7fc7f31020bc245
|
|
|
|
|
|
|
|
Increase apache serverlimit and maxrequestworkers to 100
in low-memory-usage template.
We have been reaching the limit with all the OpenStack services that we run in WSGI.
Increasing the number will help us to promote packages in TripleO CI.
Change-Id: I3f71f279a8dfaee9db5f5d1091ad079d9170de1f
|
|
A new environment file to be used when using the deployed-server roles
data at deployed-server/deployed-server-roles-data.yaml. This ensures
the Pre and Post Puppet Tasks for the ControllerDeployedServer role are
mapped to the stacks that handle maintenance mode and resource restarts
for pacemaker on stack-update.
Change-Id: I1ca52dfb3a3b669e128ebb0a28d9e36a1807faad
Closes-Bug: #1665060
|
|
|