path: root/puppet
Age | Commit message | Author | Files | Lines
2016-02-22 | Update nova::network::neutron variables to drop deprecated parameters | David Moreau Simard | 3 | -9/+9
This commit ensures we are not using any deprecated parameters for nova::network::neutron and are using the right variable names. Change-Id: Ic1b41e2cdbb6b180496822cc363c433e9388aa02
2016-02-19 | Merge "Use the class param to configure Cinder 'host' setting" | Jenkins | 1 | -3/+1
2016-02-19 | Merge "Add TripleO Heat Template Parameters for Neutron Tenant MTU" | Jenkins | 2 | -0/+24
2016-02-19 | Use the class param to configure Cinder 'host' setting | Giulio Fidente | 1 | -3/+1
By configuring the Cinder 'host' setting via the appropriate class param instead of cinder_config we don't risk overriding it if the user is to pass additional config settings using cinder_config in ExtraConfig. Change-Id: Idf33d87e08355b5b4369ccb0001db8d4c3b4c20f
2016-02-18 | Merge "Configure keystone public_endpoint" | Jenkins | 1 | -1/+1
2016-02-18 | Merge "Enable the ML2 port security extension driver by default" | Jenkins | 1 | -1/+1
2016-02-18 | Merge "Add missing : in hieradata key name" | Jenkins | 1 | -1/+1
2016-02-18 | Add sysctl settings to disable IPv6 autoconfig and accept_ra | Dan Sneddon | 1 | -0/+5
This change adds puppet hieradata settings which disable IPv6 autoconfiguration and accept_ra by default on all interfaces. When IPv6 is used, the interfaces are individually enabled and configured with static IP addresses. The networking on the compute host needs to be completely separate from the tenant networking, in order to safeguard the compute host and isolate tenant traffic. This change disables IPv6 autoconfiguration and acceptance of RAs by default on interfaces unless specifically enabled. Without these settings, IPv6 is enabled on all interfaces, as well as autoconfiguration and accept_ra, so when the compute host creates a bridge interface for the router (qbr-<ID>), the compute node will automatically assign an IPv6 address and will install a default IPv6 route on the bridge interface when it receives the RAs from the Neutron router. The change to turn off autoconfiguration means that interfaces will not self-assign an IPv6 address, and the change to not accept RAs is a security hardening feature. This requires that a static gateway address be declared in the network environment in the parameter ExternalNetworkDefaultRoute. Alternately, sysctl can be modified to change the accept_ra behavior for specific interfaces. Change-Id: I8a8d311a14b41baf6e7e1b8ce26a63abc2eaabef Closes-bug: 1544296
2016-02-18 | Merge "Make injected CA file readable by others" | Jenkins | 1 | -1/+1
2016-02-18 | Merge "Increase size of connection tracking table" | Jenkins | 7 | -0/+19
2016-02-17 | Add TripleO Heat Template Parameters for Neutron Tenant MTU | Dan Sneddon | 2 | -0/+24
This change adds the TripleO Heat Parameters and Puppet hieradata to support setting the MTU for Neutron tenant networks. A new parameter, NeutronTenantMtu is introduced, and this gets used for the NeutronDnsmasqOptions and in Puppet hieradata.
NeutronTenantMtu is also used in the Puppet hieradata for both the compute and control nodes. Two values are set:
nova::compute::network_device_mtu which sets /etc/nova/nova.conf:
    network_device_mtu = <NeutronTenantMtu>
neutron::network_device_mtu which sets in /etc/neutron/neutron.conf:
    network_device_mtu = <NeutronTenantMtu>
Finally, the NeutronDnsmasqOptions parameter becomes a str_format that maps the NeutronTenantMtu onto the DHCP options, so a default of 'dhcp-option-force=26,%MTU%' would be formatted to 'dhcp-option-force=26,1300' if NeutronTenantMtu were 1300. This will set dnsmasq to serve an MTU via DHCP that matches the NeutronTenantMtu:
    /etc/neutron/dnsmasq-neutron.conf:dhcp-option-force=26,1300
Typically, you would change all three of these settings to use small or jumbo frames in VMs. When using tunneling, NeutronTenantMtu should be set at least 50 bytes smaller than the physical network MTU in order to make room for tunneling overhead.
Note that this change does not support setting the MTU on veth interfaces if veth patches are used to br-int instead of OVS patches.
Change-Id: I38840e082ee01dc3b6fc78e1dd97f53fa4e63039
2016-02-17 | Merge "Wire the Glance rbd user correctly into the external Ceph template" | Jenkins | 1 | -1/+1
2016-02-17 | Make injected CA file readable by others | Juan Antonio Osorio Robles | 1 | -1/+1
Currently the permissions for the CA file that is injected (if the environment is set) don't permit users that don't belong to the group that owns the file to read it. This is too restrictive and isn't necessary, as the certificate should be public. This is useful in the case where we want a service that can't read the certificate chain (or bundle) to be able to read that CA certificate. This is the case for the MariaDB version that is being used in CentOS 7.1 for example. Change-Id: I6ff59326a5570670c031b448fb0ffd8dfbd8b025
2016-02-17 | Merge "Bind Galera on a hostname for compat with IPv6 addresses" | Jenkins | 2 | -2/+12
2016-02-17 | Merge "Remove start-delay=10s for the Nova resources monitor" | Jenkins | 1 | -5/+0
2016-02-16 | Wire the Glance rbd user correctly into the external Ceph template | Giulio Fidente | 1 | -1/+1
We were incorrectly wiring the rbd user to the relevant glance module parameter, making it impossible to customize the rbd user when using an external Ceph. Change-Id: Ibe4eaedf986a9077f869c6530381e69ee0281f5b
2016-02-15 | Merge "Update Dell Storage Center api port setting" | Jenkins | 2 | -2/+2
2016-02-15 | Merge "Enable SSL middleware for cinder" | Jenkins | 2 | -0/+2
2016-02-12 | Add missing : in hieradata key name | James Slagle | 1 | -1/+1
This hieradata key, neutron::agents::ml2::ovs:bridge_mappings was missing a : before bridge_mappings causing the value to be blank in /etc/neutron/plugins/ml2/openvswitch_agent.ini even if a value had been specified. Change-Id: I377565d3fb821be1bb2dc7d92ec1ad25a4a3b1f1
2016-02-12 | Merge "Nova now requires an api database to be created" | Jenkins | 5 | -0/+23
2016-02-12 | Remove start-delay=10s for the Nova resources monitor | Giulio Fidente | 1 | -5/+0
As per conversation in [1], these settings should have probably never been there. 1. https://bugzilla.redhat.com/show_bug.cgi?id=1262409 Change-Id: I116f825ba0fe3e4faac8dd347bb087e1b4c70e57
2016-02-11 | Merge "Increase default Cinder LVM backing file to 10G" | Jenkins | 2 | -2/+2
2016-02-11 | Merge "puppet: run keystone in wsgi" | Jenkins | 4 | -63/+63
2016-02-11 | Merge "Fixed typo in Dell Equallogic Cinder settings" | Jenkins | 2 | -2/+2
2016-02-10 | Merge "Set 'host' globally in Cinder instead of per-backend basis" | Jenkins | 3 | -24/+3
2016-02-10 | Merge "Remove not needed completion-signal" | Jenkins | 1 | -1/+1
2016-02-10 | Nova now requires an api database to be created | David Moreau Simard | 5 | -0/+23
This enables the creation of the nova_api database that is now mandatory since https://review.openstack.org/#/c/245828/ Change-Id: Ia8242f23864ebb14ccf858a77ba754059e9c2d4a Related-Bug: #1539793
2016-02-10 | Merge "Makes the iSCSI initiator name unique for compute nodes" | Jenkins | 1 | -0/+10
2016-02-09 | puppet: run keystone in wsgi | Emilien Macchi | 4 | -63/+63
For both HA & non-HA scenarios, switch puppet-keystone configuration to be run in a WSGI process instead of eventlet. WSGI is the way to go for scaling Keystone, moreover, eventlet won't be supported in the next OpenStack releases. Co-Authored-By: Dan Prince <dprince@redhat.com> Depends-On: I22a348c298ff44f616b2e898f4872eddea040239 Change-Id: I862b4a68f43347564ec3c0ddc4ec9e1d1c755cf2 Signed-off-by: Jason Guiditta <jguiditt@redhat.com>
2016-02-09 | Increase size of connection tracking table | James Slagle | 7 | -0/+19
During high load, the default limit of the kernel connection tracking table (65536) is often too low, resulting in error messages such as: kernel: nf_conntrack: table full, dropping packet This patch increases the limit to 500,000. Since the nf_conntrack kernel module is not always loaded by default, it also adds a mechanism to load kernel modules via hieradata using the kmod puppet module. In order to express the needed dependency in puppet that kernel modules are loaded before sysctl settings are applied, the Exec resources tagged with 'kmod::load' are specified in a resource collector to express that Exec resources with the tag should run before Sysctl resources. Depends-On: I59cc2280ebae315af38fb5008e6ee0073195ae51 Change-Id: Iffa0a77852729786b69945c1e72bc90ad57ce3bb
2016-02-09 | Update Dell Storage Center api port setting | rajinir | 2 | -2/+2
Updated the setting for the dell storage center api port to the right variable name ::dell_sc_api_port Change-Id: I67a7533469947355629b6cb54b79759e21e0ec55
2016-02-09 | Merge "Fix MidoNet errors" | Jenkins | 4 | -14/+31
2016-02-08 | Set 'host' globally in Cinder instead of per-backend basis | Giulio Fidente | 3 | -24/+3
This change will set a common value for 'host' across all controllers. We missed doing so for the NFS backend previously. It will still be possible to set a different per-backend 'host' value by providing it via ExtraData. Change-Id: I00fd05660a15be3611e1a394650be6ab713670f9
2016-02-08 | Fixed typo in Dell Equallogic Cinder settings | rajinir | 2 | -2/+2
The name of the variable ::eqlx_pool had a typo. Fixed it Change-Id: I83a94d4bccf9c9a60c7b37473ae8a64ac050671c
2016-02-04 | Merge "neutron: delete by default router/dhcp namespaces" | Jenkins | 1 | -0/+2
2016-02-03 | Makes the iSCSI initiator name unique for compute nodes | Rhys Oxenham | 1 | -0/+10
When we utilise images for deployment, the iSCSI initiator name is not unique, leading to problems with live migration. This patch simply updates the iSCSI initiator name to a unique ID randomly generated by iscsi-iname. https://bugzilla.redhat.com/show_bug.cgi?id=1244328 Change-Id: I170e7f45f67fa8ce70436f24807d1ed7808f2c32
2016-02-03 | Increase default Cinder LVM backing file to 10G | Giulio Fidente | 2 | -2/+2
We get false negatives from Tempest when the Cinder LVM backing file runs out of space. This change increases its default size to 10G, matching devstack [1] 1. https://github.com/openstack-dev/devstack/blob/master/stackrc#L649 Change-Id: Ia334ea481e17c1d35aa67c33729cac6570f48199
2016-01-25 | Remove empty value for wsrep_notify_cmd | John Trowbridge | 1 | -1/+0
This was being silently ignored by the mysql puppet module prior to this commit.[1] However, now that empty values are allowed, the overcloud deploy fails because the option --wsrep_notify_cmd requires an argument. This is not currently failing on master because we are pinned to an old puppet-mysql. We will need to remove that pin in order to get on a newer delorean repo though. Also, this is breaking stable/liberty HA job because we use the packaged OPM there. [1] https://github.com/puppetlabs/puppetlabs-mysql/commit/e30e0bc958761890ea4f06cdd3f1fc7242a00fe2 Change-Id: I9e07efe1650831e81e9a783428554578874aa765 Closes-Bug: 1537720
2016-01-25 | Enable SSL middleware for cinder | Juan Antonio Osorio Robles | 2 | -0/+2
Change-Id: Ifd750e634812dae2b7945cbe2f35f98d8a82695e Depends-On: If88dcdf9f4905e2a792b2fdc656eab51c85f637e
2016-01-23 | Merge "puppet: allow config of ad-hoc Neutron settings" | Jenkins | 3 | -0/+3
2016-01-23 | Merge "puppet: allow config of ad-hoc Cinder settings" | Jenkins | 2 | -0/+2
2016-01-22 | neutron: delete by default router/dhcp namespaces | Emilien Macchi | 1 | -0/+2
The 'router_delete_namespaces' (L3 agent) and 'dhcp_delete_namespaces' (DHCP agent) configuration settings default to false in OpenStack Neutron, resulting in network namespaces not being deleted when no longer needed. Disabling automatic namespace cleanup was appropriate for older Linux distributions but is no longer required. TripleO should set the values to true. Change-Id: I39e1a347d24ecc99b6f878807c47103c4b3f85e1
2016-01-22 | Merge "puppet: allow config of ad-hoc Heat settings" | Jenkins | 2 | -0/+2
2016-01-22 | Merge "puppet: allow config of ad-hoc Glance settings" | Jenkins | 2 | -0/+2
2016-01-22 | Merge "puppet: allow config of ad-hoc Ceph settings" | Jenkins | 4 | -0/+8
2016-01-22 | puppet: allow config of ad-hoc Neutron settings | Dan Prince | 3 | -0/+3
Including ::neutron::config on the controller and compute roles will allow ad-hoc (non-puppet managed) settings to be made in all the various neutron config files using Hiera. Change-Id: Ifadc77cdcb60b7075d091d778cb92b0dd75bd949
2016-01-22 | puppet: allow config of ad-hoc Cinder settings | Dan Prince | 2 | -0/+2
Including ::cinder::config on controller, and volume roles will allow ad-hoc (non-puppet managed) settings to be made in the cinder.conf using Hiera. Change-Id: I519aff02e3cfb7fbf57e89c7a139564df42f8967
2016-01-22 | puppet: allow config of ad-hoc Heat settings | Dan Prince | 2 | -0/+2
Including ::heat::config on the controller roles will allow ad-hoc (non-puppet managed) settings to be made in the heat config file using Hiera. Change-Id: I80a39b798869ac330ea8a4d01699f5db47c93d47
2016-01-22 | puppet: allow config of ad-hoc Glance settings | Dan Prince | 2 | -0/+2
Including ::glance::config on glance roles will allow ad-hoc (non-puppet managed) settings to be made in the glance config files using Hiera. Change-Id: I7c86ae0e8f1a0a2b46d526598964454cb80319a6
2016-01-22 | puppet: allow config of ad-hoc Ceph settings | Dan Prince | 4 | -0/+8
Including ::ceph::conf on ceph roles will allow ad-hoc (non-puppet managed) settings to be made in the ceph.conf using Hiera. Change-Id: I656a0ecde465023d7afad9371aa3c5c270078a67