| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
Instead of using the CA bundle, this sets HAProxy to use a specific file
for validating the certificates of the services it's proxying. This
helps in two ways:
* Improves performance since validation will check only one certificate.
* Improves security since we're only the certificates signed by one CA
are valid, instead of any certificate that the system trusts (which
could include potentially compromised public certs).
Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
|
|
Change-Id: Ic218a753e0cede2ba3951bcaec843f487dce0c71
|
|
|
|
|
|
Change-Id: I26652afe0f513ec354c05570e7fa0e5b4b0ab669
|
|
Change-Id: Ia0e0a12e1863dce657d4e1c7f9894ea5bfd008be
|
|
Exporting the neutron::server parameter into the neutron_api service, so
Octavia API and Neutron Server can be separated.
Change-Id: Iee28b0e84a00bd589d6f14a73f0c3f32d310b393
Closes-Bug: #1687026
|
|
storage backend"
|
|
|
|
|
|
|
|
|
|
|
|
local"
|
|
It is required for a hybrid deployments
when WSGI based services running both at host and in containers, without conflicting default ports.
Partial-bug: #1686637
Co-authored-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I9d0a5bb32337a6a8f1a4036f9560df79dfe1d90a
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
1) When Apache is upgraded, install mod_ssl rpm.
See https://bugs.launchpad.net/tripleo/+bug/1682448
to understand why we need mod_ssl.
2) All services that run Apache for API will use the snippet from
Apache service to deploy mod_ssl, so we don't duplicate the code
in all services. It's using the same mechanism as ovs upgrade to
compile upgrade_tasks between both services.
Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84
Closes-Bug: #1686503
|
|
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the
rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a
nice performance boost with rabbitmq, it makes rabbit less resilient to
network glitches as we painfully found out via
https://bugzilla.redhat.com/show_bug.cgi?id=1441635.
This is the THT part of the change that changes the default to
ha-mode: all.
Closes-Bug: #1686337
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
Change-Id: I7afcf2b3c8deb13fc2134e4cae9c06a44e775384
Depends-On: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
|
|
|
|
Ceilometer collector is deprecated in Pike release.
Do not deploy by default. Instead use the pipeline
yaml to configure the publisher directly.
Closes-bug: #1676961
Change-Id: Ic71360c6307086d5393cd37d38ab921de186a2e0
|
|
This hiera key is used by keystone to create the ceilometer service
user. It works in CI cause keystone and the ceilometer services are in
the same node. However, this fails if keystone is deployed on a separate
note.
We should only deploy it in the nodes containing the keystone service
since it's only relevant to create the service user.
Change-Id: Ic0f02fe9a78a1fe14ac2b87197692fbd80c003b8
Closes-Bug: #1685828
|
|
This removes the need to do it in puppet-tripleo
Change-Id: I6f44a6a02041c0fbbafb770a087a0032c3a53a76
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In two places during upgrade we manually trigger puppet.
There can be a problem when new puppet modules are added, and their
corresponding symlinks in /etc/puppet/modules are not created during
the installation as their are installed in
/usr/share/openstack-puppet/modules. To prevent the issue tripleo set
modulepath in the templates.
We must use the same modulepath to make sure that we don't fail
because of missing module in the manual puppet run.
This particulary happens when you upgrade from M->N->O, as the base
image in Mitaka doesn't have the proper symlinks and they are not
created during the installation of the package.
Closes-Bug: #1684587
Change-Id: I79df6ea33f1c58e13309176a6de41b7572541fd6
|
|
|
|
This switches Zaqar to run with httpd when configured by puppet.
Change-Id: I69b923dd76a60e9ec786cae886c137ba572ec906
|
|
* Switch auth_uri to point to Keystone versionless endpoint.
* Switch Swift auth url to use Keystone versionless endpoint and
Keystone v3 API.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I78cdd2286b5a5094f36d4f3c7c58340745664449
Partial-blueprint: keystone-v3
|
|
This change implements a MOTD message and provides a hash of
sshd config options which are sourced to the puppet-ssh module
as a hash.
The SSHD puppet service is enabled by default, as it is
required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
Also added the service to the CI roles.
Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
Depends-On: I1d09530d69e42c0c36311789166554a889e46556
Closes-Bug: #1668543
Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
|
|
This relies on using the default paths for certs/keys used by libvirt
and is only enabled if TLS-everywhere is enabled.
bp tls-via-certmonger
Depends-On: If18206d89460f6660a81aabc4ff8b97f1f99bba7
Depends-On: I0a1684397ebefaa8dc00237e0b7952e9296381fa
Change-Id: I0538bbdd54fd0b82518585f4f270b4be684f0ec4
|
|
|
|
|
|
|
|
Running this job once a day has proven problematic for large
deployments as seen in the bug report. Setting it to run hourly
would be an improvement to the current situation, as the flushes
wouldn't need to process as much data.
Note that this only affects people using UUID as the token provider.
Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a
Related-Bug: #1649616
|
|
Users may have an external swift proxy already available (i.e. radosgw
from already existing ceph, or hardware appliance implementing swift
proxy). With this change user may specify an environment file that
registers the specified urls as endpoint for the object-store service.
The internal swift proxy is left as unconfigured.
Change-Id: I5e6f0a50f26d4296565f0433f720bfb40c5d2109
Depends-On: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
|
|
aodh::auth::auth_region in aodh-base.yaml is hardcoded to regionOne
instead of using the available KeystoneRegion
Change-Id: I521b7e226675062225085e1d5f0296e53b152e81
|
|
This enables nova cold migration.
This also switches to SSH as the default transport for live-migration.
The tripleo-common mistral action that generates passwords supplies the
MigrationSshKey parameter that enables this.
The TCP transport is no longer used for live-migration and the firewall
port has been closed.
Change-Id: I4e55a987c93673796525988a2e4cc264a6b5c24f
Depends-On: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: I9e7a1862911312ad942233ac8fc828f4e1be1dcf
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
|
|
|
|
When containerizing ceilometer agents, keystone auth is not getting
set correctly as we're not including the service config settings.
Change-Id: Ic17d64eb39e1fcb64c198410f27adbe94c84b7d4
|
|
|
|
|
Jenkins
Juan Antonio Osorio Robles
Pradeep Kilambi
Sven Anderson
Emilien Macchi
Bogdan Dobrelya
Michele Baldessari
Thomas Herve
Sofer Athlan-Guyot
Luke Hinds
Luca Lorenzetto
Keith Schincke
Oliver Walsh