aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2016-12-21Merge "Synchronize NetworkDeployment inputs for generic roles"Jenkins1-0/+7
2016-12-21Add a per service bootstrap node variableMichele Baldessari1-0/+3
In order to call commands that need to be run on a single node, we create a new per-service variable that will contain the first node of each role containing the service. Change-Id: I03e8685f939e8ae1fcd8b16883b559615042505d Partial-Bug: #1615983
2016-12-20Adds missing firewall rules for OpenDaylight API serviceTim Rozet1-0/+6
Custom role deployments were not working when ODL API was on a different node due to firewall rules blocking traffic. This patch adds the missing rules for the REST communication to ODL (8081 by default), OVSDB connection (6640), and OpenFlow protocol (6653). Closes-Bug: 1651476 Depends-On: I1f2af2793d040fda17bf73252afe59434d99f31f Change-Id: Ic0119c783d01e864c49fa06a66fdd68c059a726b Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-12-20Adds missing OpenDaylight username/password from ODL OVS serviceTim Rozet1-0/+11
ODL username and password are already present in the OpenDaylightApi service. However, when moving the OpenDaylightApi service to its own custom role, the Controller/Compute nodes no longer have access to these hiera values. This patch adds them also to the OpenDaylightOvs service. Closes-Bug: 1651499 Depends-On: I418643810ee6b8a2c17a4754c83453140ebe39c7 Change-Id: I169fdad4c94bd6dfc1fe7cde3d6b19b36d916af7 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-12-20Set gnocchi wsgi display namePradeep Kilambi1-0/+1
Depends-On: Ice921f0fdd4bec6de50e62c39c447ee40dc0e8f5 Change-Id: I4109ac83c32ee2365695611009579a8b117134ff
2016-12-20Set aodh wsgi display namePradeep Kilambi1-0/+1
Depends-On: I53b156505e08625d56ed6a302cf5b5c30e8e288c Change-Id: Id9791d8a19a74c1f0855e794170f66542f88a548
2016-12-20Set the default event pipeline publisherPradeep Kilambi1-0/+5
Since we have aodh enabled for alarms, we should set the notifier to the default queue alarm.all. Closes-bug: #1590473 Change-Id: Ibcb5076424ac2ddcd18ff717d82da1aec4c035cb
2016-12-20Merge "Expose param to enable legacy ceilometer api"Jenkins1-0/+5
2016-12-20Merge "Move UpgradeInitCommand to role templates"Jenkins7-37/+169
2016-12-20FreeIPA: Make OTP and FreeIPA server parameters optionalJuan Antonio Osorio Robles1-5/+16
In the freeipa-enroll.yaml, it can be the case that the node has been enrolled (via a cloud-init script); in this case, the OTP and the FreeIPA server are optional. However, we still need to get a kerberos ticket, which is the last step of this script, since this ticket is what certmonger will use to request the certificates in subsequent steps. Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
2016-12-19Merge "Remove unused attr from templates"Jenkins1-1/+0
2016-12-19Merge "Revert "Switch mistral to use authtoken configuration""Jenkins1-4/+2
2016-12-19Revert "Switch mistral to use authtoken configuration"Ben Nemec1-4/+2
It turns out the puppet-mistral change this depends on broke introspection, so we need to back it out for now. This reverts commit ed029e5bf279945e82bff8766af4093856a7ac6a. Change-Id: I828478267935cdc68aa24de8c9dc2d12fcadb631
2016-12-19Merge "Switch mistral to use authtoken configuration"Jenkins1-2/+4
2016-12-19Introduce role-specific NodeUserData, use for dockerSteve Baker6-0/+42
Currently when the docker environments are invoked, every node has the boot script run which replaces os-collect-config with the heat-agents container. This should only be happening on Compute nodes currently, and each role will be converted to heat-agents one at a time. This change implements a role-specific NodeUserData resource and uses that mechanism to run docker/firstboot/install_docker_agents.yaml only on Compute nodes. Change-Id: Id81811dbcaf0e661c3980aa25f3ca80db5ef0954
2016-12-19Merge "Correction to SRIOV THT Examples"Jenkins1-2/+3
2016-12-19Move UpgradeInitCommand to role templatesSteven Hardy7-37/+169
We can't run this during the upgrade steps, because there are things which need to happen before any role configuration happens, e.g installing the new hiera heat-config hook, which must be done before e.g "ControllerDeployment" runs or the stack update hangs. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I365b57513590662c3f78a33dc625747f457c48c5
2016-12-19Merge "Set rabbitmq's port and IP via the config file and not the env file"Jenkins1-1/+3
2016-12-19Merge "Introduce role-specific nova-server-metadata"Jenkins6-12/+84
2016-12-19Split OVN northd and ml2 pluginSteven Hardy2-10/+41
This allows us to take advantage of the composable roles hiera settings to connect the plugin to the northd/ovndb API without needing to hard-code the IP of the node running the service. Change-Id: I2508d48f81c1819ae3521fff271c0bdc50724604 Depends-On: I9af7bd837c340c3df016fc7ad4238b2941ba7a95 Closes-Bug: #1634171
2016-12-16Increase libvirt/qemu.conf max_files and max_processesGiulio Fidente1-0/+3
When Nova and/or Cinder are using Ceph as backend, qemu will need to open a connection and two threads for each and every Ceph OSD. This change raises the max_files (set to 1024 by default) to 32768 and the max_processes (set to 4096 by default) to 131072. The max number of FDs is per-process, while the max number of processes is per-user. The values can be overridden via ExtraConfig, no params are added to the templates. A more detailed description of the values were chosen can be found at: https://access.redhat.com/solutions/1602683 Change-Id: I1e79675f6aac1b0fe6cc7269550fa6bc8586e1fb Depends-On: I258afd3ee6633e4b2ebc45aa8611be652476be0c
2016-12-16Introduce role-specific nova-server-metadataJuan Antonio Osorio Robles6-12/+84
We could already pass metadata to the nova server instances (on creation) via the ServerMetadata parameter, however, there was no way of doing this per-role. This introduces that by adding a {{role}}ServerMetadata parameter for each role. This parameter gets merged with the ServerMetadata parameter and allows this functionality. Note that both default to {}, and so does the result of merging those parameters with their default values. So nothing changes for the default settings. Change-Id: I334edcc51ce7ee82fc13b6cf4c0d74ccb7db099c
2016-12-15Add pre-network hook and example showing config-then-rebootSteven Hardy6-0/+36
There are some requirements for early configuration that involves e.g setting kernel parameters then rebooting. Currently this can be done via cloud-init, e.g firstboot templates, but there's been discussion around enabling a SoftwareDeployment approach instead. The main advantage of doing it this way is there's an error path if something goes wrong with the config (except triggering the reboot as we have to use NO_SIGNAL for that). Change-Id: Ia54ee654f755631b8062eb5c209a60c6f9161500
2016-12-14Set rabbitmq's port and IP via the config file and not the env fileJuan Antonio Osorio Robles1-1/+3
The RabbitMQ's puppet manifest configures the node's IP and port through environment variables. While this would usually be fine, it doesn't allow us to use TLS-only, since it will always try to start a TCP listener. So, by setting these values through the config file, when setting ssl_only for rabbitmq, they will effectively be discarded and thus allow us to use an SSL listener on the same port. Change-Id: I33d051a8c740baf69b99517378e1f9b0f3cc1681
2016-12-14Enable SECURE_PROXY_SSL_HEADER option for horizonJuan Antonio Osorio Robles1-0/+1
This reads makes Django take the X-Forwarded-Proto header into account when forming URLs. Change-Id: Ice64de9a11d7819ae7f380279ff356342d9b6673 Depends-On: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
2016-12-13Synchronize NetworkDeployment inputs for generic rolesJames Slagle1-0/+7
The inputs on the NetworkDeployment SoftwareDeployment resource were not the same for generic roles as they were for the default roles (role.role.js.yaml vs. controller-role.yaml). This patch synchronizes the input between the 2 so that the interface is the same for deployers. Change-Id: Id14cf7ca219aee61f5b9d21171a5c41dea765f98 Implements: blueprint multinode-ci-os-net-config
2016-12-13Manage disallow_iframe_embedLuke Hinds1-0/+1
disallow_iframe_embed can be used to prevent Horizon from being embedded within an iframe. Legacy browsers are still vulnerable to a Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security hardening where iframes are not used in deployment Change-Id: I2fe6b243250608b340ee555062060dbdad1a49c4 Depends-On: I5c540e552efe738bdec8598f9257fa22ae651a76 Closes-Bug: #1641882
2016-12-11Decouple swift-proxy from ceilometerDan Prince1-21/+43
This patch updates the swift-proxy base profile so that we now explicitly set the rabbit_port. This allows us to remove the use of puppet-ceilometer default settings in the puppet-tripleo modules change ID here: I8d9f69f5e9160543b372bd9886800f16f625fdc6 It also adds a new boolean parameter that allows the end user to disable the swift ceilometer pipeline by setting SwiftCeilometerPipelineEnabled to false. This two settings allow Swift to once again be installed on a machine without configuring Ceilometer. Depends-On: Id1584df5e5bb90f8087ae25eecc4834179b6fc21 Change-Id: Ief5399d7ea4d26e96ce54903a69d660fa4fe3ce9 Related-bug: #1648736
2016-12-10Switch mistral to use authtoken configurationAlex Schultz1-2/+4
The upstream puppet module is adding the proper keystone authtoken middleware support. This change updates THT to use the keystone authtoken class rather than the deprecated settings. This also allows for proper keystone v3 integration. Change-Id: Iaf82716122a25e3e0785de1250d24edaaa5e4d04 Depends-On: I71969ef09018f9daa5f81c4f3bcbdb0b0974446c
2016-12-09Expose param to enable legacy ceilometer apiPradeep Kilambi1-0/+5
Change-Id: I75815a4bcbf421597abb86226238b74a9afffc0d Depends-On: Iffb8c2cfed53d8b29e777c35cee44921194239e9
2016-12-09Add FreeIPA enrollment templateJuan Antonio Osorio Robles1-0/+72
This is based on previous work [1] and it's what I've been using to test the TLS-everywhere work. This introduces a template that will run on every node to enroll them to FreeIPA and acquire a ticket (authenticate) in order to be able to request certificates. Enrollment is done via the ipa-client-install command and it does the following: * Get FreeIPA's CA certificate and trust it. * Authenticate to FreeIPA using an OTP and get a kerberos keytab. * Set up several configurations that are needed for FreeIPA (sssd, kerberos, certmonger) The keytab is then used to authenticate and get an actual TGT (Ticket-Granting-Ticket) from Kerberos The previous implementation used a PreConfig hook, however, here it was modified to use NodeTLSCAData. This has the advantage that it runs on every node as opposed to the PreConfig hook where we had to specify the role type so it's a usability improvement. And, on the other hand, this does set up necessary things for the usage of FreeIPA as a CA, such as getting the certificate and enrolling to the CA. [1] https://github.com/JAORMX/freeipa-tripleo-incubator bp tls-via-certmonger Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
2016-12-08Correction to SRIOV THT ExamplesSanjay Upadhyay1-2/+3
example for - NeutronSriovNumVFs - NeutronPhysicalDevMappings as given, causes parsing error. Change-Id: I71fb42f10dac70afa02244cd6629b3439f418d63 Closes-Bug: #1648351
2016-12-07Merge "neutron: don't set router_delete_namespaces"Jenkins1-2/+1
2016-12-06Remove unused attr from templatesPradeep Kilambi1-1/+0
Change-Id: I299f8f33b0bac40d331084df37f690dc2a279677
2016-12-06neutron: don't set router_delete_namespacesIhar Hrachyshka1-2/+1
It's no longer available in Neutron (removed in Mitaka). See: I2a879213c3b095a007a4531f430a33cea9fdf1bd Change-Id: I044c648eb8c4933667b8ea2c9159a30e5ebb7df3
2016-12-06Fix SwiftStorage role.Chris Jones1-2/+2
We now fetch the name argument from the correctly named SwiftStorage object. Change-Id: I885505eadfc778ab57793c97af4d1c6739ec9614 Closes-Bug: #1647716
2016-12-05Merge "Support multiple meter dispatchers in ceilometer config"Jenkins1-3/+3
2016-12-05Merge "Move nodes' fqdns to a map to remove clutter"Jenkins6-679/+660
2016-12-05Merge "Fix bug when using multiple DeployArtifactURLs"Jenkins1-1/+1
2016-12-02Merge "Revert "Use FQDN for rabbitmq's nodename env variable""Jenkins1-7/+1
2016-12-02Fix bug when using multiple DeployArtifactURLsChristian Schwede1-1/+1
The script tries to download all artifact URLs with a single request, instead of downloading each URL on its own if multiple DeployArtifactURLs were given. Change-Id: I6a8be699aff7023a67702bb1d3ddc2273984cd08
2016-12-02Revert "Use FQDN for rabbitmq's nodename env variable"Ben Nemec1-7/+1
This seems to have broken the updates job, causing it to fail with following error: Can't set long node name!\nPlease check your configuration\n Related-Bug: 1646873 This reverts commit 3e9fcfd09320ace07bc1bd4cb57feb98cd057332. Change-Id: I72ba891cd9cd8c4f1bc204144f46aaabbdfd3647
2016-12-02Merge "Composable Zaqar services"Jenkins1-0/+66
2016-12-02Move nodes' fqdns to a map to remove clutterJuan Antonio Osorio Robles6-679/+660
There were several instances where the short-names/FQDNs where being gotten in the same way in the role's templates. So this introduces a mapping to get these values in order to reduce clutter. Change-Id: Ie7df360bb69d56655f3e0fcbbf4d297db39b7a26
2016-12-02Merge "Use FQDN for rabbitmq's nodename env variable"Jenkins1-1/+7
2016-12-02Merge "Use network-based fqdn entry from hiera instead of the custom fact"Jenkins11-21/+21
2016-12-01Merge "ceph-rgw: add missing user parameter"Jenkins1-0/+1
2016-12-01ceph-rgw: add missing user parameterEmilien Macchi1-0/+1
'user' is required or puppet-ceph will complain that the Keystone_user has no title: Evaluation Error: Missing title. The title expression resulted in undef at /etc/puppet/modules/ceph/manifests/rgw/keystone/auth.pp The value is set to Swift, as we use the same credentials as Swift service. Closes-Bug: #1642524 Change-Id: Ib4a7c07086b0b3354c8e589612f330ecdffdc637
2016-12-01Merge "Initial support for composable upgrades with Heat+Ansible"Jenkins10-3/+225
2016-12-01Merge "Introduce network-based FQDNs via hiera"Jenkins6-0/+217