| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
It is required for a hybrid deployments
when WSGI based services running both at host and in containers, without conflicting default ports.
Partial-bug: #1686637
Co-authored-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I9d0a5bb32337a6a8f1a4036f9560df79dfe1d90a
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
1) When Apache is upgraded, install mod_ssl rpm.
See https://bugs.launchpad.net/tripleo/+bug/1682448
to understand why we need mod_ssl.
2) All services that run Apache for API will use the snippet from
Apache service to deploy mod_ssl, so we don't duplicate the code
in all services. It's using the same mechanism as ovs upgrade to
compile upgrade_tasks between both services.
Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84
Closes-Bug: #1686503
|
|
This moves the directories containing the certs/keys for httpd one step
further inside the hierarchy. This way we will be able to bind-mount
this certificate into the container without bind-mounting any other
certs/keys from other services.
bp tls-via-certmonger-containers
Change-Id: Ibe6e66ae4589b9eab7db330dd8b178e0f8775639
Depends-On: I0b71902358b754fa8bd7fdbb213479503c87aa46
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
|
|
During upgrades, validation test if a service is running before the
upgrade process starts.
In some cases, servies doesn't exist yet so we don't want to run the
validation.
This patch makes sure we check if the service is actually present on the
system before validating it's running correctly.
Also it makes sure that services are enabled before trying to stop them.
It allows use-cases where we want to add new services during an upgrade.
Also install new packages of services added in Ocata, so we can validate
upgrades on scenarios jobs.
Change-Id: Ib48fb6b1557be43956557cbde4cbe26b53a50bd8
|
|
Adds a step0 for most services to check that the state is running
before continuing with any of the other upgrades steps (these are
tagged step0).
You can skip this service check by overriding the
SkipUpgradeConfigTags parameter as follows:
parameter_defaults:
SkipUpgradeConfigTags: validation
Co-Authored-By: Steven Hardy <shardy@redhat.com>
Change-Id: Ie276f153015f671b720b6ed5beaac1b921661909
|
|
These are only used for TLS-everywhere, and fills up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service.
Where they can be used if there's a plugin enabled.
bp tls-via-certmonger
bp novajoin
Change-Id: I873094bb69200052febda629fda698a7a782c031
|
|
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.
This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
|
|
This adds an environment file that can be used to enable TLS in
the internal endpoints via certmonger if used. This will include
a nested stack that will create the hash that will be used to
create the certmonger certificates.
When setting up a service over apache via puppet, we used to disable
explicitly ssl (which sets modd_ssl-related fields for that vhost).
We now make this depend on the EnableInternalTLS flag. This has only
been done for keystone, but more services will be added as the
puppet code lands
bp tls-via-certmonger
Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039
Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
|
|
We hit problems in environments which don't have a lot of RAM (e.g. dev
envs, could be also CI) that Apache ate too much memory due to
too many worker processes being spawned.
This commit allows customizing the Apache MaxRequestWorkers and
ServerLimit directives via Heat parameters. The default stays 256 as
that's the default in the Puppet module, to be suited for production
environments with powerful machines. Also low-memory-usage.yaml
environment file is added, which can be used to make dev/test/CI
overclouds less memory hungry, where the limits are now set to 32.
Change-Id: Ibcf1d9c3326df8bb5b380066166c4ae3c4bf8d96
Co-Authored-By: Carlos Camacho <ccamacho@redhat.com>
Closes-Bug: #1619205
|
|
By default, the httpd version and the OS type is described in the
HTTP header 'Server'.
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
This patch allows to remove the specific informations related to the
httpd server and the OS.
Change-Id: Ib608919102bc6b2c7619a522ae1262729dc7a91e
|
|
This patch moves the settings for Nova, Neutron, and Horizon
out of controller.yaml.
Also fixes the NovaPassword settings in nova-base.yaml
so they don't use get_input.
Also, creates a new apache.yaml base service to contain shared
apache settings for several services which use Apache for WSGI.
Co-Authored-By: Giulio Fidente <gfidente@redhat.com>
Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e
Related-bug: #1604414
|
Jenkins
Bogdan Dobrelya
Emilien Macchi
Juan Antonio Osorio Robles
marios
Steven Hardy
Jiri Stransky
Dimitri Savineau
Dan Prince