path: root/puppet/services
Age | Commit message | Author | Files | Lines
2017-08-25 | Add panko publisher in the event pipeline | Pradeep Kilambi | 1 | -1/+1
Even though panko is deprecated, we still enable it by default. So let's keep it in pipeline as well until it's fully dead. Change-Id: Idac89820a66c59b921551857cccae6dbc38241c3 (cherry picked from commit 3dbd5bfe86c2d6864c5678774fc7f910ab846300)
2017-08-23 | Configure listen_address for libvirtd when TLS is enabled | Juan Antonio Osorio Robles | 1 | -0/+2
It wasn't being configured, and the default is to listen on all interfaces. This fixes that. Change-Id: I00da25474fb1544eabdedaf126e67d5a6617f02f Closes-Bug: #1712475
2017-08-23 | Merge "Accept multiple registries in DockerInsecureRegistryAddress" | Jenkins | 1 | -5/+5
2017-08-22 | Merge "Zaqar: Match service name with service-net-map" | Jenkins | 1 | -2/+2
2017-08-22 | Zaqar: Match service name with service-net-map | Juan Antonio Osorio Robles | 1 | -2/+2
This is required for t-h-t to generate the appropriate hieradata. Change-Id: I9b451eac4427a52ad8eec62ff89acc6c6d3ab799 Closes-Bug: #1712328
2017-08-21 | Merge "TLS everywhere/haproxy: Remove empty postsave command" | Jenkins | 2 | -2/+0
2017-08-21 | Merge "Let mds create manila key and fs" | Jenkins | 6 | -13/+48
2017-08-19 | Merge "Extend VNC port range" | Jenkins | 1 | -1/+1
2017-08-19 | Merge "Enable TLS for nova-metadata" | Jenkins | 2 | -1/+52
2017-08-19 | Merge "Add support for Dell EMC Unity Cinder backend" | Jenkins | 1 | -0/+85
2017-08-18 | Let mds create manila key and fs | Jan Provaznik | 6 | -13/+48
ceph-ansible will take care of setting up client keys both in ceph and on client side. It will also create filesystem for manila. To assure that manila manifest can work in future both with puppet and with ceph-ansible, creation of filesystem is moved to ceph-mds manifest and creation of manila key on ceph side is moved to ceph-base (so manila key is always created), manila key is added to ceph-external for external ceph deployments. Key creation is removed from manila.pp in patch I2b5567a39ac8737e80758b705818cc1807dc8bf1 Change-Id: I6308a317ffe0af244396aba5197c85e273e69f68 Related-To: Ia3ef9e9a2b159dacea01e38762145ff2bcc7ba27 Depends-On: I3f18bbe476c4f43fa4e162cc66c5df443122cd0c
2017-08-18 | TLS everywhere/haproxy: Remove empty postsave command | Juan Antonio Osorio Robles | 2 | -2/+0
This is addressed by the patch this depends on. bp tls-via-certmonger Depends-On: I62ff89362cfcc80e6e62fad09110918c36802813 Change-Id: Ibecc461b0c9af02500f590a1f7469d7e4ff20d95
2017-08-18 | Enable listening on TLS for the internal network for horizon | Juan Antonio Osorio Robles | 1 | -0/+16
This sets the flag that tells the horizon manifest to use TLS for the configuration. bp tls-via-certmonger Depends-On: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e Change-Id: I13d59e7663538884b34b5a910b741de8721abbb9
2017-08-18 | Merge "Make cinder-manage db sync run on only one controller during upgrade" | Jenkins | 1 | -7/+13
2017-08-17 | Enable TLS for nova-metadata | Juan Antonio Osorio Robles | 2 | -1/+52
This also tells the neutron metadata agent to use TLS for contacting nova-metadata. bp tls-via-certmonger Depends-On: I97ac2da29be468c75713fe2fae7e6d84cae8f67c Depends-On: I9df395dc699090bd73265d10395e155e9b8adb26 Change-Id: I9a8c54f6e052852b8f9d06a42da87773f4da3a15
2017-08-17 | Add support for Dell EMC Unity Cinder backend | rajinir | 1 | -0/+85
This change adds a new define for cinder::backend::dellemc_unity. Change-Id: I7f9dbb707cf9b5c90ec2f31dcff82cd578805b80 Implements: blueprint dellemc-unity-cinder
2017-08-15 | Add NeutronOverlayIPVersion parameter to neutron-plugins-ml2 service | Feng Pan | 1 | -0/+7
This patch adds NeutronOverlayIPVersion parameter to configure neutron ML2 overlay_ip_version option from T-H-T. puppet-neutron already has support for configuration of this option, we are just exposing it from T-H-T. This parameter needs to be set to '6' when IPv6 vxlan tunnel endpoints are desired. Closes-Bug: #1691213 Change-Id: I056afa25f67a3b6857bdfef14e6d582b0a9e5e93 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-08-14 | Merge "Make HA container bundle work on remote nodes" | Jenkins | 1 | -0/+13
2017-08-14 | Extend VNC port range | Ben Nemec | 1 | -1/+1
Per the attached bug, if a large number of instances are colocated on a single compute node it is possible to exhaust the allowed VNC ports. This change extends the range to include 1024 ports, which with the default 16x overcommit ratio in Nova means we could handle a fully loaded 64 core server. That's _probably_ overkill, but I think it makes sense to overshoot a bit on this and ensure nobody runs into weird problems because their VNC ports weren't allowed through the firewall. Change-Id: Ia48602e82b8e0fbb585371ea514eea3c2334dab0 Closes-Bug: 1678025
2017-08-12 | Add support for update_tasks | Steven Hardy | 2 | -1/+17
These work the same way as upgrade_tasks *but* they use a step variable instead of tags, so we can iterate over a count/sequence which isn't possible via a wrapper playbook with tags (we may want to align upgrade tasks with the same approach if this works out well). Note the tasks can be run via ansible-playbook on the undercloud, like:
    openstack overcloud config download --config-dir tmpconfig
    cd tmpconfig/tripleo-HCrDA6-config
    ansible-playbook -b -i /usr/bin/tripleo-ansible-inventory update_steps_playbook.yaml --limit controller
The above will do a rolling update for the Controller role (note the inconsistent capitalization, we probably need to fix the group naming in tripleo-ansible-inventory) because we specify serial: 1 in the playbook. You can also trigger an update explicitly on one node like this, which is useful for debugging:
    ansible-playbook -vvv -b -i /usr/bin/tripleo-ansible-inventory update_steps_playbook.yaml --limit overcloud-controller-0
Change-Id: I20bb3e26ab9d9cadf1a31fd304de8a014a901aa9
2017-08-11 | TLS everywhere: Configure CA for mongodb | Juan Antonio Osorio Robles | 1 | -0/+6
It wasn't being configured, thus making mongodb fail. Change-Id: If0d7513aacfa74493a9747440fb97f915a77db84 Closes-Bug: #1710162
2017-08-11 | Merge "Move HAProxy's public TLS logic from controller to service template" | Jenkins | 1 | -2/+24
2017-08-11 | Merge "Set virsh secret with an init step when using Ceph" | Jenkins | 2 | -0/+10
2017-08-11 | Move HAProxy's public TLS logic from controller to service template | Juan Antonio Osorio Robles | 1 | -2/+24
This de-couples public TLS from controllers to now run wherever HAProxy is deployed. Partially-Implements: blueprint composable-networks Change-Id: I9e84a25a363899acf103015527787bdd8248949f
2017-08-10 | Merge "Create parameters for haproxy TLS certs and keys" | Jenkins | 2 | -11/+55
2017-08-10 | Accept multiple registries in DockerInsecureRegistryAddress | Jiri Stransky | 1 | -5/+5
We allow using multiple registries (e.g. for OpenStack vs. Ceph container images). We should allow it also in the insecure registry configuration. Change-Id: Icf4a51baf2a230b3fa0d5ced0e9cd1983cd93fb0 Closes-Bug: #1709310 Depends-On: I5cddd20a123a85516577bde1b793a30d43171285
2017-08-09 | Merge "Addition of Nuage as mechanism driver for ML2" | Jenkins | 3 | -0/+111
2017-08-09 | Set virsh secret with an init step when using Ceph | Giulio Fidente | 2 | -0/+10
Run virsh secret-define and secret-set-value in an init step instead of relying on the puppet-nova exec. Co-Authored-By: Jiri Stransky <jistr@redhat.com> Change-Id: Ic950e290af1c66d34b40791defbdf4f8afaa11da Closes-Bug: #1709583
2017-08-08 | Make HA container bundle work on remote nodes | Michele Baldessari | 1 | -0/+13
Right now when we deploy an HA bundle on a pacemaker remote node, the deploy will fail due to the fact that the bundle includes tripleo::profile::base::pacemaker which makes a call to hiera('hacluster_pwd') which will fail on pcmk remote nodes. While we could noop the profile on pcmk nodes, it's much simpler to just make sure this hiera key exists on pcmk remote nodes. Also make sure that pacemaker::corosync::manage_fw is set to false on remote nodes, otherwise the mere inclusion of the pacemaker profile will cause iptables-save to run in a container and thus failing. Change-Id: I09b3e54a470cc2d600a701d23463962501c5c9d6
2017-08-08 | Make cinder-manage db sync run on only one controller during upgrade | Sofer Athlan-Guyot | 1 | -7/+13
We got to ensure that the cinder-manage db sync is run on only one controller. Change-Id: I88a6aa4c49d893b95a26795fbfcf163a780fd0bc Closes-Bug: #1709315
2017-08-07 | Create parameters for haproxy TLS certs and keys | Juan Antonio Osorio Robles | 2 | -11/+55
This removes the hardcoded paths for the haproxy certs and keys and will enable re-use. We'll use this in a further commit in the containerized TLS work. Change-Id: I602e5a569e2e7e60835deb80532abcedd7a1f63d
2017-08-07 | Use number for KeystoneCronTokenFlushMaxDelay instead of string | Juan Antonio Osorio Robles | 1 | -2/+2
Using a string results in an erroneous check in puppet-keystone, which sets up a zero where it shouldn't. So we change it to number to avoid that. Note that there will also be a puppet-keystone fix for this. Changing the value here assures that deployers only give valid values to this parameter. Change-Id: I00823e23358df91ce54f421c12636f05d4196e15 Closes-Bug: #1708584
2017-08-05 | Merge "Start redis service after upgrade" | Jenkins | 1 | -0/+3
2017-08-04 | Change the directory for haproxy certs/keys to be service-specific | Juan Antonio Osorio Robles | 2 | -7/+11
This moves the directories containing the certs/keys for haproxy one step further inside the hierarchy. This way we will be able to bind-mount this certificate into the container without bind-mounting any other certs/keys from other services. bp tls-via-certmonger-containers Depends-On: Iba3adb9464a755e67c6f87d1233b3affa8be565a Change-Id: I73df8d442b361cb5ef4e343b4ea2a198a5b95da9
2017-08-04 | Merge "Changing the default port-binding configuration" | Jenkins | 2 | -2/+46
2017-08-03 | Update EventPipelinePublisher param description to include zaqar | Pradeep Kilambi | 1 | -0/+2
Since we now support zaqar:// publisher, enhance the description to indicate how to set the zaqar publisher. Change-Id: Ib7eba98d199fade2346620672e33b74686d4685b
2017-08-03 | Merge "Make UpgradeLevelNovaCompute parameters consistent" | Jenkins | 2 | -2/+2
2017-08-03 | Addition of Nuage as mechanism driver for ML2 | lokesh-jain | 3 | -0/+111
Adding composable services for Nuage mechanism driver for ML2. This is separate from Nuage as the core plugin and intentional duplication of Nuage under puppet services. Parameters required for working of Nuage as mechanism driver are also added. Change-Id: I2b564610721152c4f4dab9da79442256ba8d0b33
2017-08-03 | Merge "Make many networking parameters consistent" | Jenkins | 5 | -8/+7
2017-08-03 | Merge "Set redis password hiera value in compute agent" | Jenkins | 1 | -0/+5
2017-08-02 | Make UpgradeLevelNovaCompute parameters consistent | Ben Nemec | 2 | -2/+2
There is logic in nova-base.yaml that depends on the default for this parameter being '', and the nova-compute service only needs it set to auto during upgrade. That will be done by [1] anyway, so it doesn't matter what the default is. It's also not clear to me that the nova-compute task is even needed now that we're post-Ocata, but that's not a change I feel comfortable making. 1: https://github.com/openstack/tripleo-heat-templates/blob/master/environments/major-upgrade-composable-steps.yaml Change-Id: Iccfcb5b68e406db1b942375803cfedbb929b4307 Partial-Bug: 1700664
2017-08-02 | Make many networking parameters consistent | Ben Nemec | 5 | -8/+7
These are mostly the low hanging fruit that only required a few minor changes to fix. There are more that require a lot of changes or might be more controversial that will be done later. Change-Id: I55cebc92ef37a3bb167f5fae0debe77339395e62 Partial-Bug: 1700664
2017-08-02 | Start redis service after upgrade | Pradeep Kilambi | 1 | -0/+3
We install redis if it's not already there, but we should also ensure redis service is started in the next step 4. related to issues we're seeing in I284de61bbefac9e9b37390650016643ffe38b5cc Change-Id: Ic01db53ea8669f14e87f6987045b2be5a3480024
2017-08-02 | Merge "Fix iscsid role data's section" | Jenkins | 1 | -1/+1
2017-08-01 | Set redis password hiera value in compute agent | Pradeep Kilambi | 1 | -0/+5
Without this config defaults to undef in containers Change-Id: Id47f365364e7b0d399de92995871b136550cd625
2017-07-31 | Merge "Add 'ovn-controller' service" | Jenkins | 2 | -4/+32
2017-07-28 | Merge "Enable Zaqar API SSL" | Jenkins | 1 | -1/+3
2017-07-27 | Changing the default port-binding configuration | Itzik Brown | 2 | -2/+46
networking-odl no longer supports the network-topology port binding controller and instead now relies on a pseudo-agent binding controller. This means that each OVS node must be configured with host configuration in OVSDB about which VIF types, network types, functions, etc that this OVS node supports. The end result is this affects where nova and neutron will schedule instances. Changes Include:
- Modifying default port binding controller to use pseudo agent
- Adds necessary per role parameters to be able to configure host config on a per role basis to allow for heterogenous compute node configurations.
Change-Id: I50458abf6a8a6bf724ad97accb6444d9c497d287 Closes-Bug: 1674995 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-07-27 | Add 'ovn-controller' service | Numan Siddique | 2 | -4/+32
Presently the ovn-controller service (puppet/services/neutron-compute-plugin-ovn.yaml) is started only on compute nodes. But for the cases where the controller nodes provide the north/south traffic, we need ovn-controller service running in controller nodes as well. This patch
- Renames the neutron-compute-plugin-ovn.yaml to ovn-controller.yaml which makes more sense and sets the service name as 'ovn-controller'.
- Adds the service 'ovn-controller' to Controller and Compute roles.
- Adds the missing 'upgrade_tasks' section in ovn-dbs.yaml and ovn-controller.yaml
Depends-On: Ie3f09dc70a582f3d14de093043e232820f837bc3 Depends-On: Ide11569d81f5f28bafccc168b624be505174fc53 Change-Id: Ib7747406213d18fd65b86820c1f86ee7c39f7cf5
2017-07-27 | Fix iscsid role data's section | Damien Ciabrini | 1 | -1/+1
The iscsid service definition has a typo, config_setting should read config_settings Change-Id: I12605dba61fd5f6ce80c3ab78e883ed5ebf3ca62