Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
Provides a simple mechanism to verify the correct certificates
landed.
A quick and simple way to verify SSL certificates were generated for
a given key is by comparing the modulus of the two. By outputing
the key modulus and certificate modulus we offer a way to verify
that the right cert and key have been deployed without compromising
any of the secrets.
Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
|
|
This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This is in case that the
TLS certificates for the controllers are signed with a self-signed CA
or if the deployer would like to inject a relevant root certificate
for other purposes. In this case the other nodes might need to have
the root certificate in their trust chain in order to do proper
validation
Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
|
|
|
|
This is a first implementation of adding TLS termination to the load
balancer in the controllers. The implementation was made so that the
appropriate certificate/private key in PEM format is copied to the
appropriate controller(s) via a software deployment resource.
And the path is then referenced on the HAProxy configuration, but this
part was left commented out because we need to be able to configure the
keystone endpoints in order for this to work properly.
Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
|
|
|
|
|
|
We don't necessarily want the network configuration to be reapplied
with every template update so we add a param to configure on which
action the NetworkDeployment resource should be executed.
Change-Id: I0e86318eb5521e540cc567ce9d77e1060086d48b
Co-Authored-By: Dan Sneddon <dsneddon@redhat.com>
Co-Authored-By: James Slagle <jslagle@redhat.com>
Co-Authored-By: Jiri Stransky <jstransk@redhat.com>
Co-Authored-By: Steven Hardy <shardy@redhat.com>
|
|
Results from pmap of idle nova-compute:
https://gist.github.com/jtaleric/addd9079d6cdf4f7cf42
Results from free -m and cat /proc/meminfo:
https://gist.github.com/jtaleric/410130f09c2aad2dc7e9
bug: https://bugzilla.redhat.com/show_bug.cgi?id=1282644
Change-Id: I9b3ceecabfdae0a516cfc72886fde7b26cc68f82
|
|
Consume puppet-tripleo to create/manage IPtables from Heat templates.
This review put in place the logic to enable and setup firewall rules.
A known set of rules are applied. More to come.
Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
|
|
|
|
|
|
|
|
* Add NovaApiVirtualIP string parameter.
* Compute nova_url and nova_admin_auth_url parameters.
* Configure in Hiera neutron::server::notifications::* parameters.
* non-ha: include ::neutron::server::notifications
* ha: include ::neutron::server::notifications and create orchestration
* Set vif_plugging_is_fatal to True so we actually fail if Neutron is not
able to create the VIF during Nova server creation workflow.
Depends-On: I21dc10396e92906eab4651c318aa2ee62a8e03c7
Change-Id: I02e41f87404e0030d488476680af2f6d45af94ff
|
|
* Use the parameter in Puppet configuration (Hiera) to configure neutron
BZ-1273303
Change-Id: Ic5a7a1f13fd2bc800cadc3a78b1daadbc0394787
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
|
|
|
|
This change adds support for enabling/disabling L2 population in
Neutron agents. It currently defaults to false.
Change-Id: I3dd19feb4acb1046bc560b35e5a7a111364ea0d7
|
|
|
|
|
|
|
|
Pass the ceph::pool properties as arguments to the class call
instead of setting them as class defaults.
Ceph recommends max 32 PGs and min 4 PGs per OSD so this change
also lowers the defaults to 32 which works with 1 OSD, suits well
a scenario with 3 OSDs and is easy to customize in the static
hiera if more than 8 OSDs are deployed.
More info at: https://bugzilla.redhat.com/show_bug.cgi?id=1252546
Change-Id: Ifed11d1857900b2251dfdf69d6b6f168150e6330
|
|
|
|
When I deploy director with NFS backend for cinder,
sometimes I don't need nfs mount options.
If I choose to omit this option, or if the option
is defined to '', the deployment fails.
This patch add just a default value for this option.
Change-Id: Idf708aaecebd5c6db14f48ad2a53d6c2453be5ee
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1281870
|
|
This bumps further up the stop/start timeout for the pcmk/systemd
services so that it matches the 100s default set in future pcmk
versions [1].
1. https://github.com/ClusterLabs/pacemaker/commit/17d65e9f44061a4fa14a9cddd6edc403b2d6d2b3
Change-Id: I6fc18f1ad876c5a25723710a3b20d8ec9519dcba
|
|
|
|
|
|
|
|
Because many of the service endpoints URLs use the same patterns for
generating the URLs it makes sense to use the same templates to reduce
the copy and paste.
In the process also adds support for explicitly specifying hostnames
for use in the endpoints. Note: DNS must be pre-configured. The
Heat templates do not directly configure DNS.
Change-Id: Ie3270909beca3d63f2d7e4bcb04c559380ddc54d
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
|
|
|
|
|
|
|
|
Currently rabbit username and password are defaulted and attempting
to use anything else would result in a failure during deployment.
Change-Id: I8a2e240a19f915309eee45ea3c3368d131af6c1b
Related: rhbz#1261303
|
|
This change will increase the default start/stop timeout for all
the non-ocf pcmk services to 95s to make sure it allows for at
least 90s to the systemd script to complete the start/stop.
More info at: https://bugzilla.redhat.com/show_bug.cgi?id=1275324
Change-Id: I04f691396a4118b456728a43d71d32ac9a556431
|
|
|
|
In some deployments we will need to tag the patch port connecting to
vsm-br in order for traffic to go out. This patch takes passes the vlan
parameter to the puppet.
Change-Id: I18734ae39007985769db9371abe1740e0f2872f7
|
|
Previously we enforced the Ceph user used by the OpenStack clients
to be named 'openstack', this change allows for customization
of such a name.
Change-Id: Idef3e1ed4e8e21b645081869b8d6fad2329bdc60
|
|
This is useful in those scenarios were we want to use an external
Ceph deployment with multiple overclouds.
Change-Id: I1749d2a6547f6ce25843709e46a1447e8d42cfff
|
|
- https://docs.puppetlabs.com/puppet/3.8/reference/deprecated_language.html
- Temporary disablement of the pupppet-lint autoload layout check
failing for ringbuilder.pp. A fix for that will be part of an other patch.
Change-Id: I495825641ab12e7c5789c1405649c356c5bb8051
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
|
|
|
|
|
|
|
|
This reverts commit 86d6c1ddc76bad423194e789ffb5474e4e12960e.
This likely has an impact on upgrades, and since we don't
have an upgrade CI job yet I'm concerned that we may have
just broken ourselves. I would prefer to wait to merge this
until the CI job is in place.
Change-Id: Ib2366cb4b40471a28122f6e9955da9bdb31a53fb
|
|
|
|
|
|
The same timeout value is set for every pcmk service in [1]
1. https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/manifests/overcloud_controller_pacemaker.pp#L81
Change-Id: I253f6cbc5ccdbf8c46cc537ff9600f201aae540a
|
|
This is the second change of a servies of two, it creates the
user, user_role, service and endpoint for:
* glance
* nova
* neutron
* cinder
* horizon
* swift
* ceilometer
* heat
Change-Id: I50e792d98a2ba516ff498c58ad402f463c5f7e76
|
|
Currently keystone initialization happens via os-cloud-config [1].
This commit moves some of that directly into the manifests. This is the
first in a series of two changes to migrate it entirely into t-h-t.
This change focus on implementing what keystone.initialize() was doing
on the tripleoclient [2], creates the admin tenant, user and roles.
It also creates the keystone endpoint itself.
1. https://github.com/openstack/os-cloud-config/blob/master/os_cloud_config/keystone.py#L128-L158
2. https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/overcloud_deploy.py#L462-L527
Change-Id: I98555b707ff9b91c6e218de5dca68106ea05c8ea
Depends-On: Ia4b3244f114dcff746ab89d355ad4933f8fdbddf
|
|
In HA, when using MySQL as a backend for Ceilometer, the dependencies
set for the Ceilometer central agent depended always on MongoDB; Which
should only be the case if MongoDB is set as a backend.
Change-Id: I6fecfe0564b13e9352313c5a3492505b44d12eaa
|