summaryrefslogtreecommitdiffstats
path: root/puppet/services
AgeCommit message (Collapse)AuthorFilesLines
2017-03-28Disable core dump for setuid programszshi1-0/+2
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. This change sets core dump for setuid programs to '0'. Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d Signed-off-by: zshi <zshi@redhat.com>
2017-03-28Merge "Restrict Access to Kernel Message Buffer"Jenkins1-0/+2
2017-03-26Merge "Remove unused KeystoneRegion parameter from gnocchi-base"Jenkins1-4/+0
2017-03-26Merge "Setting keystone region for congress"Jenkins1-0/+1
2017-03-26Merge "Enables increasing mariadb open files for noha deployments"Jenkins1-0/+6
2017-03-25Merge "Fixes missing firewall rules for neutron_ovs_dpdk_agent service"Jenkins1-1/+4
2017-03-25Merge "Fix usage of CinderNfsServers"Jenkins1-5/+1
2017-03-25Merge "Add missing metadata_settings from neutron-api profile"Jenkins1-4/+5
2017-03-23Fixes OpenDaylightProviderMappings hiera parsingTim Rozet1-5/+1
The str_replace conversion used previously is no longer needed and breaks the hieradata value. Closes-Bug: 1675426 Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-23Add missing metadata_settings from neutron-api profileJuan Antonio Osorio Robles1-4/+5
This is needed for the TLS everywhere work. This will break on TLS-everywhere setups where neutron would be deployed in its own role. So we need to add the metadata_settings. bp tls-via-certmonger Change-Id: I7934a258e032d8eaa6f07c0e48b3fbdb1f8c6a06
2017-03-23Fix usage of CinderNfsServersChristian Schwede1-5/+1
This feature stopped working somewhere along the lines. In the past it was working with parameter_defaults like this: CinderNfsServers: '10.0.0.254:/srv/nfs/cinder' or CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder" The problem was that the templating escaped these strings, and puppet-tripleo didn't receive a proper array, but a string. This patch fixes this. It accepts strings as above as well as comma-delimited lists of Nfs Servers. Closes-Bug: 1671153 Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
2017-03-22Fixes missing firewall rules for neutron_ovs_dpdk_agent serviceTim Rozet1-1/+4
Firewall config was being inherited by the dpdk service, however since the firewall service name was the parent (neutron_ovs_agent) and technically that service was not enabled - the rules were never applied. This modifies the service name as it is inherited using map_replace. Closes-Bug: 1674689 Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-22Remove unused KeystoneRegion parameter from gnocchi-baseJuan Antonio Osorio Robles1-4/+0
This is used in gnocchi-api.yaml and is not needed on the base template. Change-Id: I5ebd27dff3dca7053647a57eb4cdef56d38526c6
2017-03-22Merge "Enables OpenDaylight clustering in HA deployments"Jenkins1-1/+2
2017-03-22Restrict Access to Kernel Message Bufferzshi1-0/+2
Unprivileged access to the kernel syslog can expose sensitive kernel address information. Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2 Signed-off-by: zshi <zshi@redhat.com>
2017-03-20Merge "Bind redis-sentinel to its network"Jenkins1-0/+1
2017-03-20Setting keystone region for congressDan Radez1-0/+1
Change-Id: I4958b886cbd6c2b34da0c265e8774105474ace13
2017-03-20Enables OpenDaylight clustering in HA deploymentsTim Rozet1-1/+2
Port 2550 is required for inter-ODL communication when clustering. odl-jolokia feature is required to expose REST APIs from ODL for monitoring the cluster. Implements: blueprint opendaylight-ha Depends-On: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31 Change-Id: Ie108ab75cce0cb7d89e72637c600e30fc241d186 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-18Merge "Add certmonger-user profile"Jenkins1-0/+28
2017-03-17Merge "Explicitly configure credentials used by ironic to access other services"Jenkins1-4/+39
2017-03-17Bind redis-sentinel to its networkMichele Baldessari1-0/+1
We currently do not bind redis-sentinel to any IP: redis 21144 0.0 0.0 142908 5908 ? Ssl 07:43 0:11 /usr/bin/redis-sentinel *:26379 [sentinel] Let's bind it to the same network as redis. Change-Id: I8a782ae1db84eb614aa3995a1638a2f370e70d06 Partial-Bug: #1673715
2017-03-16Explicitly configure credentials used by ironic to access other servicesDmitry Tantsur1-4/+39
Using keystone_authtoken credentials for this purpose is deprecated, and also prevents ironic-conductor from being used as a separate role. Also remove neutron_url, it can be fetched from the catalog instead. Change-Id: I12822568cb4db31808aec5fd407d71fe4b7b09e0 Depends-On: I21180678bec911f1be36e3b174bae81af042938c Partial-Bug: #1661250
2017-03-15etcd: secure EtcdInitialClusterToken parameterEmilien Macchi1-1/+1
Secure EtcdInitialClusterToken parameter by: * removing the default value. * make it hidden. Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961 Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9 Closes-Bug: #1673266
2017-03-14Switch keystone default provider to fernetJuan Antonio Osorio Robles1-1/+1
UUID is to be deprecated, and we should be using fernet. Change-Id: I61b999e65ba5eb771776344d38eb90fc52d49d56
2017-03-14Merge "Update properties being set for octavia rabbit properties"Jenkins1-3/+3
2017-03-14Merge "congress/tacker: switch auth_uri to use uri_no_suffix"Jenkins2-4/+8
2017-03-13Merge "cinder: switch auth_uri to uri_no_suffix"Jenkins1-1/+3
2017-03-13Merge "neutron: switch auth_uri to uri_no_suffix"Jenkins1-2/+4
2017-03-13Merge "gnocchi: deploy services with Keystone v3 endpoints"Jenkins2-6/+5
2017-03-13Merge "manila: switch auth_uri to use uri_no_suffix"Jenkins1-1/+3
2017-03-13Merge "heat: switch auth_uri to use uri_no_suffix"Jenkins1-1/+3
2017-03-13Merge "ironic: switch auth_uri to uri_no_suffix"Jenkins1-1/+3
2017-03-13Merge "telemetry: switch auth_uri to uri_no_suffix"Jenkins3-3/+11
2017-03-13Merge "nova: switch auth_uri to keystone versionless endpoint"Jenkins2-2/+4
2017-03-13Merge "horizon: switch keystone_url to use uri_no_suffix"Jenkins1-1/+1
2017-03-13Merge "Improve SSL support for Sensu"Jenkins1-1/+14
2017-03-13Merge "Fix bogus parameters in get_param"Jenkins2-2/+2
2017-03-13Add certmonger-user profileJuan Antonio Osorio Robles1-0/+28
This profile will request the certificates for the services on the node. So with this, we will remove the requesting of these certs on the services' profiles themselves. The reasoning for this is that for a containerized environment, the containers won't have credentials to the CA while the baremetal node does. So, with this, we will have this profile that still gets executed in the baremetal nodes, and we can subsequently pass the requested certificates by bind-mounting them on the containers. On the other hand, this approach still works well for the TLS-everywhere case when the services are running on baremetal. Change-Id: Ibf58dfd7d783090e927de6629e487f968f7e05b6 Depends-On: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
2017-03-13congress/tacker: switch auth_uri to use uri_no_suffixEmilien Macchi2-4/+8
Switch Congress and Tacker to use auth_uri with keystone versionless endpoint. Change-Id: I7e17d061344849b0421f3a6c9571f1609e8861fb Partial-Implement: blueprint keystone-v3
2017-03-13gnocchi: deploy services with Keystone v3 endpointsEmilien Macchi2-6/+5
* Move swift_authurl to gnocchi-base hieradata, where other swift auth credentials live and switch it to versionless keystone endpoint. * Force swift_auth_version to 3 for Keystone v3. * Switch auth_uri to use versionless Keystone endpoint. * Switch auth_url to use Keystone admin endpoint (instead of internal). * Remove old parameters from gnocchi::api, not used anymore. Partial-blueprint: keystone-v3 Change-Id: I2feed8b1219069128faa1a1e8dcd2ddfbae7e40a
2017-03-13telemetry: switch auth_uri to uri_no_suffixEmilien Macchi3-3/+11
Switch Aodh, Ceilometer and Panko to use auth_uri parameter with keystone versionless endpoint. Change-Id: I5800f4161d0406d3717e1f539d23411b11378fbc Partial-implement: blueprint keystone-v3
2017-03-13cinder: switch auth_uri to uri_no_suffixEmilien Macchi1-1/+3
Switch Cinder to use auth_uri with keystone versionless endpoint. Change-Id: Iccc6e3df6a8bb1aca3667b1783bc7f6eebf262e5 Partial-implement: blueprint keystone-v3
2017-03-13heat: switch auth_uri to use uri_no_suffixEmilien Macchi1-1/+3
Switch Heat to use auth_uri with keystone versionless endpoint. Change-Id: Iddd091a659d37d965b216db9f536d30245cd3c3a Partial-implement: blueprint keystone-v3
2017-03-13ironic: switch auth_uri to uri_no_suffixEmilien Macchi1-1/+3
Switch Ironic to use auth_uri with keystone versionless endpoint. Change-Id: Ia8061a1e08bd31425f8d4192cd45b64b9f8e1f74 Partial-implement: blueprint keystone-v3
2017-03-13manila: switch auth_uri to use uri_no_suffixEmilien Macchi1-1/+3
Switch Manila to use auth_uri with keystone versionless endpoint. Change-Id: If05032a5c7d93b5787d3f18c0aa374bac3cbd478 Partial-implement: blueprint keystone-v3
2017-03-13neutron: switch auth_uri to uri_no_suffixEmilien Macchi1-2/+4
Switch Neutron to use auth_uri with keystone versionless endpoint, also for notifications with Nova. Change-Id: I530e3dcdfe6961e14755a63767c1fb5c0e1cfa22 Partial-implement: blueprint keystone-v3
2017-03-13nova: switch auth_uri to keystone versionless endpointEmilien Macchi2-2/+4
Switch nova authtoken auth_uri to use keystone endpoint without version. Also switch ironic config in nova.conf to use it. Change-Id: I8046f2eed0b9a7da76d6d7c3507a92bf5054b000 Partial-Implement: blueprint keystone-v3
2017-03-13Upgrades: wait for galera to be settledMichele Baldessari1-2/+4
We also need to wait for the galera resource to settle down before we proceed starting up with the other services. Note that before merging this, we need to land the following change in ansible-pacemaker: https://review.gerrithub.io/#/c/351387/ Change-Id: Id71c9cb41cfd4c17685c922db2683e28ab7588fd Closes-Bug: #1668372
2017-03-11Merge "Add BGPVPN composable service"Jenkins1-0/+34
2017-03-11Remove double quotes in the "when" Ansible conditional.Carlos Camacho4-4/+4
Change-Id: I677075012a948c7c32959680608255eff919b8d4