Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
If TLS in the internal network is enabled, we run neutron-server
behind a TLS proxy (which is actually httpd's mod_proxy). This passes
the necessary hieradata.
bp tls-via-certmonger
Depends-On: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
Change-Id: I9252512dbf9cf2e3eec50c41bf10629d36070bbd
|
|
This patch allows the management of the AuditD service and its associated
files (such as `audit.rules`)
This is achieved by means of the `puppet-auditd` puppet module.
Also places ssh banner capabilities map on top of patch
Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d
Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
|
|
|
|
|
|
Adds a step0 for most services to check that the state is running
before continuing with any of the other upgrades steps (these are
tagged step0).
You can skip this service check by overriding the
SkipUpgradeConfigTags parameter as follows:
parameter_defaults:
SkipUpgradeConfigTags: validation
Co-Authored-By: Steven Hardy <shardy@redhat.com>
Change-Id: Ie276f153015f671b720b6ed5beaac1b921661909
|
|
Allow to deploy 2 different nodes with Neutron and another with Horizon.
Horizon will get the right hieradata to collect the mechanism driver and
configure the dashboard correctly.
Change-Id: I24621f6a7d053cff487984bab0d10a4a97204675
Closes-Bug: 1659662
|
|
|
|
|
|
This flag is quite old and doesnt work as expected anymore.
Let ceilometer upgrade create these reource types instead.
Change-Id: I71ea6e2fd9418095de658d709c14bb3006ca2753
|
|
|
|
|
|
|
|
|
|
|
|
The 'ceph' metapackage is only provided by some repos so we should
not explicitly pull it.
Also adds a validation step to the CephMon and CephOSD roles to
stop upgrade if the Ceph cluster is in error state.
Change-Id: I5aa275677ada47a352a327b9be21927b852d16f3
|
|
|
|
|
|
|
|
|
|
|
|
This change adds a profile to deploy the Ceph RBD mirroring daemon
as a Pacemaker resource.
Change-Id: Ib07e5bca6a45f0c6c59a3acf07f4e3ae9d2f8948
Depends-On: Ic63dc5cffece38942d305f538f71dd58a5d50789
Closes-Bug: #1652177
|
|
|
|
Allow use of ooo template to populate banner text into /etc/issue
Change-Id: If5b2da9415f10652a0a64503b2da4b63d1018640
Depends-On: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
|
|
It may be that we want ways to selectively disable certain tasks,
such as pre-flight validations that might fail when restarting an
upgrade from a failed state. This shows a way we might do that.
Depends-On: I18214f80be9f3ad6c2d385fc00f3b786d3e7dda3
Change-Id: Ibffaaf1de0baf47a0450daa5b7cbb57d38746556
|
|
|
|
|
|
Change-Id: I62735676b45a881a7dac24171b26d88d6eb60d4a
Partially-Implements: blueprint overcloud-upgrades-per-service
|
|
Change-Id: Ie1fe7db081d69db4b99869057352367e8e01760c
Partially-Implements: blueprint overcloud-upgrades-per-service
|
|
Use heat conditions to skip resources (conditionally create them)
when there are no tasks to deploy.
This requires the heat fix Iefae1fcea720bee4ed69ad1a5fe403d52d54433c
Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I2f43fb922d122ffade20e35738f0ba3bb56a4492
|
|
This takes a subset of the logic from major_upgrade_ceph_storage.sh
and ports it into ansible tasks, which will be applied in a rolling
upgrade after the mon services are upgraded (in the step0 batch).
Change-Id: I6e87969add301e78bb665d7748e5f0df8eeae819
Partially-Implements: blueprint overcloud-upgrades-per-service
|
|
Initial support for a rolling upgrade of ceph-mon services which
happens before the OpenStack services are upgraded.
Change-Id: Ifaebbe2ae884bd899cdc6f1c288274e5838792a6
Partially-Implements: blueprint overcloud-upgrades-per-service
|
|
Some services (e.g ceph mon) require upgrading in batches (the old
upgrade architecture did the ceph mon upgrade one controller at a
time). This interface enables doing the same, and over time we
can probably move more services into this interface (e.g when
services support rolling upgrades) to reduce downtime.
Change-Id: If581f301a5493ef33ac1386bdc22f9fca4f2544e
Partially-Implements: blueprint overcloud-upgrades-per-service
|
|
castellan (the key manager interface used by nova and cinder) is no
longer tied to keystone v3 [1]. So now it's possible to use versionless
endpoints for keystone.
[1] I124c0ea2d9403d6b530b33f18896c4e7bf4eabb5
Change-Id: Id5d893a6a41077ab76ca59295593a27be5c3004c
|
|
The current default is empty which overrides the puppet-gnocchi
os_workers calculated value. Instead default to the os_workers.
Change-Id: I9bf9a107c03172500f7c8c5e4353c20305c8e6b5
|
|
|
|
|
|
|
|
We missed to refactor CephExternal when migrating to the new
hiera hook. The old template would have pushed the value of
ceph::profile::params::client_keys as a string causing the
deployment to fail with:
Error while evaluating a Function Call, {...} is not a Hash
The new template emits that same data as a map, as it happened
for the other services in Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
Change-Id: I3cf59b7d8343d7433047e9ccef310d287dbd47b5
|
|
Horizon provides a password validation check, which OpenStack cloud
operators can use to enforce password complexity checks for users
within horizon.
A dictionary containing a regular expression can be used for
password validation with help text that is displayed if the password
does not pass validation.
HORIZON_CONFIG["password_validator"] = {
"regex": '.*',
"help_text": _("Your password does not meet the requirements."),
}
This change allows injection of the regex into horizons local_settings
file from a tripleo heat template
Change-Id: Ib6517c8f96148bea002b0e3442a26367b236928f
Depends-On: If82a80ed6a8e6e65aecc2a25ee6d60640ae03c9a
Closes-Bug: #1640800
|
|
Change-Id: Ifa10b764ae7c67e089c0d2506a49e474135083bb
Partially-Implements: blueprint overcloud-upgrades-per-service
|
|
|
|
|
|
|
|
This nested for loop is wrong as it generates all steps for all
roles twice. This works because yaml parsing ignores the duplicate
resources, but it's a big waste of space in swift (this fix reduces
the rendered file size by over 2000 lines with the default roles!)
Change-Id: Ifaf860020839390147c92848d52b1a59e355dc50
Closes-Bug: #1659139
|
|
|
|
These are only used for TLS-everywhere, and fills up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service.
Where they can be used if there's a plugin enabled.
bp tls-via-certmonger
bp novajoin
Change-Id: I873094bb69200052febda629fda698a7a782c031
|
|
|