summaryrefslogtreecommitdiffstats
path: root/environments
AgeCommit message (Collapse)AuthorFilesLines
2017-04-06Adds service for managing securettylhinds2-0/+13
This adds the ability to manage the securetty file. By allowing management of securetty, operators can limit root console access and improve security through hardening. Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7 Partial-Bug: #1665042 Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
2017-04-05Merge "Add l2gw neutron service plugin support"Jenkins1-0/+20
2017-04-05Merge "Addition of firewall rules for Nuage"Jenkins1-1/+0
2017-04-03Addition of firewall rules for Nuagelokesh-jain1-1/+0
Added VxLAN and metadata agent firewall rules to neutron-compute-plugin for Nuage. Removed a deprecated parameter 'OSControllerIp' as well. Change-Id: If10c300db48c66b9ebeaf74b5f5fee9132e75366
2017-04-03Remove not-working all-in-one upgrade environmentSteven Hardy1-2/+0
This won't work because we need to change the state of UpgradeLevelNovaCompute and EnableConfigPurge during the upgrade - it should have been removed before release, which was an oversight. Removing this now to avoid further confusion in future. Change-Id: I16853cdec6c8fe6ad54f17ae2ad1e0460f1574ea Closes-Bug: #1679214
2017-04-03Merge "Qpid dispatch router composable role"Jenkins1-0/+2
2017-04-03Merge "Fixes port binding controller for OpenDaylight"Jenkins1-0/+1
2017-03-31Set auth flag so ceilometer auth is enabledPradeep Kilambi1-0/+3
Ceilometer Auth should be enabled even if ceilometer api is not. Lets decouple these, this flag will be used in puppet-tripleo where ceilometer::keystone::auth class is initialized. Change-Id: Iffebd40752eafb1d30b5962da8b5624fb9df7d48 Closes-bug: #1677354
2017-03-30Merge "Re-Add bigswitch agent support"Jenkins1-1/+12
2017-03-30Add l2gw neutron service plugin supportPeng Liu1-0/+20
L2 Gateway (L2GW) is an API framework for OpenStack that offers bridging two or more networks together to make them look at a single broadcast domain. This patch implements the l2gw neutron service plugin support part in t-h-t. Change-Id: I1b52dc2c11a15698e43b6deeac6cadeeba1802d5 Depends-On: I01a8afdc51b2a077be1bbc7855892f68756e1fd3 Partially-Implements: blueprint l2gw-service-integration Signed-off-by: Peng Liu <pliu@redhat.com>
2017-03-30Merge "Do not install openstack-heat-agents"Jenkins1-1/+0
2017-03-30Do not install openstack-heat-agentsSteve Baker1-1/+0
Installing openstack-heat-agents is unnecessary since it has the same effect as installing python-heat-agent-* which happens on the next line. Installing openstack-heat-agents is causing issues when mixing ocata and master repos, since there hasn't been a release on master since ocata was branched. Change-Id: I1a75e16810b6a89cf1dd9ff4f4b3b5dccfc0466e Closes-Bug: #1677278
2017-03-29Qpid dispatch router composable roleJohn Eckersberg1-0/+2
Note: since it replaces rabbitmq, in order to aim for the smallest amount of changes the service_name is called 'rabbitmq' so all the other services do not need additional logic to use qdr. Depends-On: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608 Change-Id: I27f01d2570fa32de91ffe1991dc873cdf2293dbc
2017-03-28Allow to configure policy.json for OpenStack projectsEmilien Macchi1-0/+10
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-28Merge "Only set EnableConfigPurge on major upgrades"Jenkins4-0/+4
2017-03-28Merge "MySQL: Use conditional instead of nested stack for TLS-specific bits"Jenkins1-1/+0
2017-03-28Merge "Apache: Use conditional instead of nested stack for TLS-specific bits"Jenkins1-1/+0
2017-03-28Merge "Rabbitmq: Use conditional instead of nested stack for TLS-specific bits"Jenkins1-1/+0
2017-03-28Merge "Nic config mappings for deployed-server"Jenkins2-4/+11
2017-03-27Fixes port binding controller for OpenDaylightTim Rozet1-0/+1
In Ocata and later, the port binding controller for ODL was changed by default to be the pseudo agent controller, which requires a new feature "host config" for OVS. This patch modifies the default to use network-topology, which will work without any new host config features implemented (previous way of port binding). Closes-Bug: 1675211 Depends-On: I5004fdeb238dea81bc4f7e9437843a8a080d5b46 Change-Id: I6a6969d1d6b8d8b8ac31fecd57af85eb653245d2 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-27MySQL: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles1-1/+0
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a
2017-03-27Apache: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles1-1/+0
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
2017-03-27Rabbitmq: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles1-1/+0
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa
2017-03-26Merge "Remove unnecesary code to enable panko-api"Jenkins1-2/+0
2017-03-22Nic config mappings for deployed-serverJames Slagle2-4/+11
Adds default nic config mappings when using the deployed-server custom roles data at deployed-server/deployed-server-roles-data.yaml. Previously there were no default mappings as the hardcoded mapping for the Controller role from overcloud-resource-registry-puppet.j2.yaml would not be used since there is no Controller role when using deployed-server. The default mapping is net-config-static.yaml instead of net-config-noop.yaml, since there is no requirement of a L2 domain for dhcp between undercloud and overcloud nodes when using deployed-server. The convenience mapping of ControllerDeployedServer to net-config-static-bridge.yaml is also added so that out of the box the roles with controller services will get the right bridge created. The mappings can always be overridden in later environment files if needed. Change-Id: I581fec99b459a12512686e47b10b962756652eb3 Closes-Bug: #1670493 Depends-On: Ib681729cc2728ca4b0486c14166b6b702edfcaab
2017-03-22Only set EnableConfigPurge on major upgradesSteven Hardy4-0/+4
Bug #1611800 fixed an upgrade issue by enabling purging configs for some services, but this causes issues such as longer updates and restarting services in the minor update case, so only do this for major upgrades, and default to false. Related-Bug: #1611800 Closes-Bug: #1674858 Change-Id: Iff7d715f6730c5633f1146008504b4309ef3133d
2017-03-20Merge "Containerize panko api service"Jenkins1-1/+1
2017-03-18Merge "Add certmonger-user profile"Jenkins3-0/+12
2017-03-17Re-Add bigswitch agent supportAlex Schultz1-1/+12
The agent configuration was lost in newton during the puppet-tripleo and THT role conversion. This change adds support for including the bigswitch agent service for composable roles. Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908 Closes-Bug: #1673126
2017-03-17Containerize panko api serviceFlavio Percoco1-1/+1
Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com> Closes-bug: #1668918 Change-Id: Ie1ebd25965bd2dbad2a22161da0022bad0b9e554
2017-03-13Containerize gnocchi servicesPradeep Kilambi1-0/+3
Closes-bug: #1668928 Change-Id: I291df31be97c3d55cddb3924482aa5976a79c2b1
2017-03-13Merge "Containerize Aodh alarm services"Jenkins1-0/+5
2017-03-13Add certmonger-user profileJuan Antonio Osorio Robles3-0/+12
This profile will request the certificates for the services on the node. So with this, we will remove the requesting of these certs on the services' profiles themselves. The reasoning for this is that for a containerized environment, the containers won't have credentials to the CA while the baremetal node does. So, with this, we will have this profile that still gets executed in the baremetal nodes, and we can subsequently pass the requested certificates by bind-mounting them on the containers. On the other hand, this approach still works well for the TLS-everywhere case when the services are running on baremetal. Change-Id: Ibf58dfd7d783090e927de6629e487f968f7e05b6 Depends-On: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
2017-03-13Remove unnecesary code to enable panko-apiCarlos Camacho1-2/+0
We are already enabling panko-api by default `https://github.com/openstack/tripleo-heat-templates/blob/34c46241cda3be567017943560d218ced3bbdc03/overcloud-resource-registry-puppet.j2.yaml#L226` so there is no need to have the environment file or the resource in the ci environment template. Change-Id: I6af6e2196a77320c8d3b5914d161a795b007151a
2017-03-13Merge "Move zaqar into services-docker"Jenkins2-2/+2
2017-03-11Merge "Add BGPVPN composable service"Jenkins1-0/+16
2017-03-10Merge "Move mistral into services-docker"Jenkins2-3/+4
2017-03-10Merge "Move ironic into services-docker"Jenkins2-4/+5
2017-03-10Containerize Aodh alarm servicesPradeep Kilambi1-0/+5
Closes-bug: #1668930 Change-Id: If5dff4388b255373083e164a74aaacd529a94111
2017-03-10Add BGPVPN composable serviceRicardo Noriega1-0/+16
This project aims at supporting inter-connection between L3VPNs and Neutron resources, i.e. Networks, Routers and Ports. Partially-Implements: blueprint bgpvpn-service-integration Depends-On:I7c1686693a29cc1985f009bd7a3c268c0e211876 Change-Id: I576c9ac2b443dbb6886824b3da457dcc4f87b442 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-03-09Merge "Pass hieradata for internal TLS for RabbitMQ"Jenkins1-0/+3
2017-03-09Pass hieradata for internal TLS for RabbitMQJuan Antonio Osorio Robles1-0/+3
As with other services, this passes the necessary hieradata to enable TLS for RabbitMQ. This will mean (once we set it via puppet-tripleo) that there will only be TLS connections, as the ssl_only option is being used. bp tls-via-certmonger Change-Id: I960bf747cd5e3040f99b28e2fc5873ca3a7472b5 Depends-On: Ic2a7f877745a0a490ddc9315123bd1180b03c514
2017-03-08Move zaqar into services-dockerDan Prince2-2/+2
This patch moves enabling Zaqar docker services into a separate environment in the environments/services-docker directory. Change-Id: I6755eb7ae2abb2b9c8b213ff6fd21b0392353ef5
2017-03-08Move mistral into services-dockerDan Prince2-3/+4
This patch moves enabling Mistral docker services into a separate environment in the environments/services-docker directory. Change-Id: I8b484532de5f5d61fc0240defbc5fc27789a1279
2017-03-08Move ironic into services-dockerDan Prince2-4/+5
This patch moves enabling Ironic docker services into a separate environment in the environments/services-docker directory. Change-Id: I236de47d422b3563a0192359f2327610fc1714ca
2017-03-08Enable Docker service for Compute roleMartin André1-0/+3
A recent commit [1] change how docker is installed and configured on the overcloud nodes, from a cloud-init script to a proper puppet profile in puppet-tripleo but forgot to enable the docker service on the compute nodes. [1] Ia50169819cb959025866348b11337728f8ed5c9e Change-Id: I202723d0e48f110e5b0dbfe3dcf6646da9f37948
2017-03-07Merge "Enable keystone cadf notifications"Jenkins1-0/+2
2017-03-06Enable keystone cadf notificationsYolanda Robla1-0/+2
It will allow to configure keystone event notifications using CADF, as documented on: https://docs.openstack.org/developer/keystone/event_notifications.html CADF events provide auditing capabilities for compliance with security. Change-Id: Id16b264c295b9e3adbf960366ff8328ba8dcd485
2017-03-06Enable composable upgrades for docker service templatesSteven Hardy3-1/+23
This aligns the docker based services with the new composable upgrades architecture we landed for ocata, and does a first-pass adding upgrade_tasks for the services (these may change, atm we only disable the service on the host). To run the upgrade workflow you basically do two steps: openstack overcloud deploy --templates \ -e environments/major-upgrade-composable-steps-docker.yaml This will run the ansible upgrade steps we define via upgrade_tasks then run the normal docker PostDeploySteps to bring up the containers. For the puppet workflow there's then an operator driven step where compute nodes (and potentially storage nodes) are upgrades in batches and finally you do: openstack overcloud deploy --templates \ -e environments/major-upgrade-converge-docker.yaml In the puppet case this re-applies puppet to unpin the nova RPC API so I guess it'll restart the nova containers this affects but otherwise will be a no-op (we also disable the ansible steps at this point. Depends-On: I9057d47eea15c8ba92ca34717b6b5965d4425ab1 Change-Id: Ia50169819cb959025866348b11337728f8ed5c9e
2017-03-01Containerize neutron-l3 agentJohn Trowbridge1-0/+1
This allows to run a containerized neutron on the overcloud. Co-Authored-By: Martin André <m.andre@redhat.com> Depends-On: Iaf6536b1c4d0b2b118af92295136378cdfeee9d1 Change-Id: I86a12248d4f28f4dbe7708be928bcd8a45968d01