| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This change adds puppet hieradata settings which disable IPv6
autoconfiguration and accept_ra by default on all interfaces.
When IPv6 is used, the interfaces are individually enabled and
configured with static IP addresses.
The networking on the compute host needs to be completely
separate from the tenant networking, in order to safeguard the
compute host and isolate tenant traffic. This change disables
IPv6 autoconfiguration and acceptance of RAs by default on
interfaces unless specifically enabled.
Without these settings, IPv6 is enabled on all interfaces, as well
as autoconfiguration and accept_ra, so when the compute host
creates a bridge interface for the router (qbr-<ID>), the
compute node will automatically assign an IPv6 address and will
install a default IPv6 route on the bridge interface when it
receives the RAs from the Neutron router.
The change to turn off autoconfiguration means that interfaces
will not self-assign an IPv6 address, and the change to not accept
RAs is a security hardening feature. This requires that a
static gateway address be declared in the network environment
in the parameter ExternalNetworkDefaultRoute. Alternately, sysctl
can be modified to change the accept_ra behavior for specific
interfaces.
Change-Id: I8a8d311a14b41baf6e7e1b8ce26a63abc2eaabef
Closes-bug: 1544296
|
|
|
|
|
|
|
|
This enables the creation of the nova_api database that is now
mandatory since https://review.openstack.org/#/c/245828/
Change-Id: Ia8242f23864ebb14ccf858a77ba754059e9c2d4a
Related-Bug: #1539793
|
|
For both HA & non-HA scenarios, switch puppet-keystone configuration to
be run in a WSGI process instead of eventlet.
WSGI is the way to go for scaling Keystone, moreover, eventlet won't be
support in next OpenStack releases.
Co-Authored-By: Dan Prince <dprince@redhat.com>
Depends-On: I22a348c298ff44f616b2e898f4872eddea040239
Change-Id: I862b4a68f43347564ec3c0ddc4ec9e1d1c755cf2
Signed-off-by: Jason Guiditta <jguiditt@redhat.com>
|
|
During high load, the default limit of the kernel connection tracking
table (65536) is often too low, resuling in error messages such as:
kernel: nf_conntrack: table full, dropping packet
This patch increases the limit to 500,000.
Since the nf_conntrack kernel module is not always loaded by default, it also
adds a mechanism to load kernel modules via hieradata using the kmod puppet
module. In order to express the needed dependency in puppet that kernel modules
are loaded before sysctl settings are applied, the Exec resources tagged with
'kmod::load' are specified in a resource collector to express that that Exec
resources with the tag should run before Sysctl resources.
Depends-On: I59cc2280ebae315af38fb5008e6ee0073195ae51
Change-Id: Iffa0a77852729786b69945c1e72bc90ad57ce3bb
|
|
This change will set a common value for 'host' across all
controllers. We missed to do so for the NFS backend previously.
It will still be possible to set a different per-backend 'host'
value by providing it via ExtraData.
Change-Id: I00fd05660a15be3611e1a394650be6ab713670f9
|
|
The 'router_delete_namespaces' (L3 agent) and 'dhcp_delete_namespaces'
(DHCP agent) configuration settings default to false OpenStack Neutron
resulting in network namespaces not being deleted when
no longer needed. Disabling automatic namespace cleanup was appropriate
for older Linux distributions but is no longer required.
TripleO should set the values to true.
Change-Id: I39e1a347d24ecc99b6f878807c47103c4b3f85e1
|
|
If the X-Forwarded-Proto header is received by keystone, this option
will make the service properly handle it. This is useful, for instance,
if TLS is enabled for the admin endpoint.
Change-Id: I31a1f51591e8423367e61eafc3af9b2d61278468
|
|
|
|
Integration of OpenStack data processing service (sahara) with
TripleO.
- Deploys sahara in distributed mode (separate api and engine
processes on each controller node)
- Load balancing w/haproxy
- RabbitMQ/MySQL supported per current TripleO standard
- Minimal configurability at this time
Change-Id: I77a6a69ed5691e3b1ba34e9ebb4d88c80019642c
Partially-implements: blueprint sahara-integration
Depends-On: I0f0a1dc2eaa57d8226bad8cfb250110296ab9614
Depends-On: Ib84cc59667616ec94e7edce2715cbd7dd944f4ae
Depends-On: I9fe321fd4284f7bfd55bd2e69dcfe623ed6f8a2a
|
|
- Adds parameter to enable switching off token flush cron job.
- Sets destination for deleted rows to /dev/null
Change-Id: I9e8aed969e81595d8a1d0a5300da17da6ba15c03
Partial-bug: rhbz#1249106
Depends-On: I5e51562338f68b4ba1b2e942907e6f6a0ab7a61e
|
|
Creates cron job running every 24 hours
for "cinder-manage db purge"
Partial-bug: rhbz#1249106
Change-Id: I9156e0bf1401eda49a7c9a2921dc3a8723af026d
Depends-On: I677f2ef3d9ca81fff0f672c8e34b6e4278674a96
|
|
Creates cron job running every twelve hours
for "nova-manage db archive_deleted_rows"
Partial-bug: rhbz#1249106
Depends-On: Ic674f4d39bc88f89abfeb0ce99a571c2534e57e4
Change-Id: I4740cc02aa9714f48798521fe9918ac3487db031
|
|
Exposing 'instance_name_template' to be set via
extra config for nuage-metadata-agent to function
Making nova::api::admin_tenant_name
available on the compute node which is
required by nuage-metadata-agent service
Making KeystonePublicApiVirtualIP available
on the compute node, which is used by the
nuage-metadata-agent to build the auth-url
Change-Id: I9736015e18cebf32b07940bf559063b60085f2fb
|
|
|
|
|
|
Results from pmap of idle nova-compute:
https://gist.github.com/jtaleric/addd9079d6cdf4f7cf42
Results from free -m and cat /proc/meminfo:
https://gist.github.com/jtaleric/410130f09c2aad2dc7e9
bug: https://bugzilla.redhat.com/show_bug.cgi?id=1282644
Change-Id: I9b3ceecabfdae0a516cfc72886fde7b26cc68f82
|
|
Consume puppet-tripleo to create/manage IPtables from Heat templates.
This review put in place the logic to enable and setup firewall rules.
A known set of rules are applied. More to come.
Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
|
|
|
|
* Add NovaApiVirtualIP string parameter.
* Compute nova_url and nova_admin_auth_url parameters.
* Configure in Hiera neutron::server::notifications::* parameters.
* non-ha: include ::neutron::server::notifications
* ha: include ::neutron::server::notifications and create orchestration
* Set vif_plugging_is_fatal to True so we actually fail if Neutron is not
able to create the VIF during Nova server creation workflow.
Depends-On: I21dc10396e92906eab4651c318aa2ee62a8e03c7
Change-Id: I02e41f87404e0030d488476680af2f6d45af94ff
|
|
Pass the ceph::pool properties as arguments to the class call
instead of setting them as class defaults.
Ceph recommends max 32 PGs and min 4 PGs per OSD so this change
also lowers the defaults to 32 which works with 1 OSD, suits well
a scenario with 3 OSDs and is easy to customize in the static
hiera if more than 8 OSDs are deployed.
More info at: https://bugzilla.redhat.com/show_bug.cgi?id=1252546
Change-Id: Ifed11d1857900b2251dfdf69d6b6f168150e6330
|
|
|
|
|
|
|
|
Previously we enforced the Ceph user used by the OpenStack clients
to be named 'openstack', this change allows for customization
of such a name.
Change-Id: Idef3e1ed4e8e21b645081869b8d6fad2329bdc60
|
|
This is useful in those scenarios were we want to use an external
Ceph deployment with multiple overclouds.
Change-Id: I1749d2a6547f6ce25843709e46a1447e8d42cfff
|
|
|
|
This reverts commit 86d6c1ddc76bad423194e789ffb5474e4e12960e.
This likely has an impact on upgrades, and since we don't
have an upgrade CI job yet I'm concerned that we may have
just broken ourselves. I would prefer to wait to merge this
until the CI job is in place.
Change-Id: Ib2366cb4b40471a28122f6e9955da9bdb31a53fb
|
|
This is the second change of a servies of two, it creates the
user, user_role, service and endpoint for:
* glance
* nova
* neutron
* cinder
* horizon
* swift
* ceilometer
* heat
Change-Id: I50e792d98a2ba516ff498c58ad402f463c5f7e76
|
|
Currently keystone initialization happens via os-cloud-config [1].
This commit moves some of that directly into the manifests. This is the
first in a series of two changes to migrate it entirely into t-h-t.
This change focus on implementing what keystone.initialize() was doing
on the tripleoclient [2], creates the admin tenant, user and roles.
It also creates the keystone endpoint itself.
1. https://github.com/openstack/os-cloud-config/blob/master/os_cloud_config/keystone.py#L128-L158
2. https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/overcloud_deploy.py#L462-L527
Change-Id: I98555b707ff9b91c6e218de5dca68106ea05c8ea
Depends-On: Ia4b3244f114dcff746ab89d355ad4933f8fdbddf
|
|
|
|
To let ceilometer access to keystone endpoints, use internalURL instead of
publicURL for security & performances reasons.
Change-Id: I6677f40038d6adf36b4f0375484b6ef2e16869e3
|
|
|
|
|
|
Adds support for NFS backend in Glance by allowing the storage directory
for the 'file' backend to be a mount managed by Pacemaker. Default
behavior is unchanged.
Since the Pacemaker-related parameters are not exposed on top level,
change storage-environment.yaml to use parameter_defaults instead of
parameters.
Depends on a Heat fix for environment file's parameter_defaults to
work well with JSONs and comma delimited lists (see Depends-On).
Change-Id: I6e7e2eaf6919b955650c0b32e1629a4067602c89
Depends-On: I85b13a79dbc97a77e20c0d5df8eaf05b3000815e
|
|
To let ceilometer access to keystone endpoints, use internalURL instead
of publicURL for security & performances reasons.
Ceilometer services (API, agents) will use internalURL endpoint to talk
to other services (keystone, neutron, etc).
Change-Id: I4cb843400f244cd34bbae4bc76371977780c7943
|
|
In nova.conf, set cinder/catalog_info to 'volumev2:cinderv2:internalURL'
instead of 'volumev2:cinderv2:publicURL'.
So Nova will use internal Cinder endpoint to reach volume API by
using internal network.
Depends-On: Id9e579ca31364d5207d0c1b892d0f7aa7f20f7a8
Change-Id: Ia34f0fe59f662c3ad29ca0178c01ef1570759d57
|
|
Moves the vhost_params out of the manifest and into static hiera;
also removes unneeded server_alias parameter as that matched the
vhost servername anyway.
Change-Id: I4b5971b23ef3be9529a59075fa93ccc64af75b9c
|
|
Change-Id: Ia2079fc3e350cc677811ebb970cd2b306d6e7040
|
|
If horizon is running in production (DEBUG is False), it will answer
only to the IPs/hostnames specified in the ALLOWED_HOSTS variable in the
local_settings.py configuration file.
The puppet-horizon module offer the feature to customize that,
tripleo-heat-teamplates was missing the link between the top-level
parameter and the puppet parameter, hence this commit.
More info :
* https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
* https://github.com/openstack/puppet-horizon/blob/master/templates/local_settings.py.erb#L14-L24
Change-Id: I5faede8b74a0318e15baa761dc502b95b051ae0d
|
|
The removal of default MariaDB accounts was being triggered roughly at
the same time on all controllers, causing a race condition -- multiple
nodes found an account present and attempted deletion, but then only one
succeeded with the deletion, the others failed.
HA controller deletes the accounts only on bootstrap node now, which
fixes the issue.
Change-Id: Ieacd10a6ce26da50f6a37eaa3221d866c24353fa
|
|
|
|
Make core_plugin, type_drivers and service_plugins parameter in
neutron configurable through heat.
Also changing the type_drivers order to "vxlan,vlan,flat,gre"
Change-Id: Iba895ed5897bdaf7bb772ffc063c424abb6e1638
|
|
|
|
The staticweb middleware needs to be put after authentication
middlewares to ensure correct functionality as documented in
http://docs.openstack.org/developer/swift/middleware.html#staticweb
Without this Swift sends a HTML response even if the request was done
using a X-Auth-Token. This might result in a faulty handling of the response on
the client side; for example, "swift stat containername" would report an empty,
private container, while the container might actually be public readable with
data stored in it.
Closes-bug: 1494896
Change-Id: Id48840e0041f8d272e08def292fbedfaf76bbfbb
Co-Authored-By: Christian Schwede <cschwede@redhat.com>
|
|
This patch adds settings for swift::storage::all so
that we set the recommended the incoming and outgoing
chmod permissions.
Depends-On: I627ab2255087b0ebc2d3ddc9cd4a7a7d254abb65
Change-Id: I2f14c9afe7b7135ad1bfecb9db0a39bfc3b4d03a
|
|
Setting `show_image_direct_url` to true allows to enable Copy-On-Write
features when using some storage backends across Nova, Cinder & Glance.
It allows for example nearly instantaneous creation of instances root
disk and volumes when using RBD as a storage backend for all projects by
using Ceph features instead of downloading from Ceph via Glance, then
convert the image, then upload to Ceph via Nova or Cinder.
Change-Id: I1f56273c6b7c8d3922799cae07a66eebc0884205
|
|
This is unused on compute nodes and does not need to be specified.
Further, nova::api is not even included in the compute puppet manifest,
so it had no effect anyway.
Change-Id: I7589bf544fb1ddad3cd371869756cb880c0bac37
|
Dan Sneddon
Jenkins
David Moreau Simard
Emilien Macchi
James Slagle
Giulio Fidente
Juan Antonio Osorio Robles
Ethan Gafford
Martin Mágr
Rohit Pagedar
Joe Talerico
Ben Nemec
Yanis Guenane
Jiri Stransky
Shiva Prasad Rao
Dan Prince
François Charlier