Age | Commit message (Collapse) | Author | Files | Lines |
|
Because CephFS Snapshots are still an experimental feature and
also Manila Ceph driver has this feature disabled by default,
it makes sense to not override this value by default.
Change-Id: I3dacbd7a3c673d2f34998ee9f433889727c6a0f7
|
|
This adds the ability to manage the securetty file.
By allowing management of securetty, operators can limit root
console access and improve security through hardening.
Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7
Partial-Bug: #1665042
Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
|
|
Add the support for the VMware NSX plugin
Co-Authored-By: Tong Liu <tongl@vmware.com>
Change-Id: I3567cbb4ed8d6e5b2a3ea6b8cff6c7b8ed13b692
|
|
|
|
|
|
|
|
|
|
|
|
This patch adds
- setting nova config param 'force_config_meta' to True
as metadata service is not supported by OVN yet.
- Add the necessary iptables rules to allow ovsdb-server
traffic for Northbound and Southboud databases.
- Update the release notes for OVN.
Change-Id: If1a2d07d66e493781b74aab2fc9b76a6d58f3842
Closes-bug: #1670562
|
|
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo
who will call a define in puppet-keysone ldap_backend.pp.
Given the following environment:
parameter_defaults:
KeystoneLDAPDomainEnable: true
KeystoneLDAPBackendConfigs:
tripleoldap:
url: ldap://192.0.2.250
user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
password: Secrete
suffix: dc=redhat,dc=example,dc=com
user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
user_objectclass: person
user_id_attribute: cn
user_allow_create: false
user_allow_update: false
user_allow_delete: false
ControllerExtraConfig:
nova::keystone::authtoken::auth_version: v3
cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.
More backends can be added as more entries to that hash.
This also enables multi-domain support for horizon.
Closes-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
|
|
|
|
This patch integrates with the db_sync_timeout
parameter recently added to puppet-nova
and puppet-neutron in
I6b30a4d9e3ca25d9a473e4eb614a8769fa4567e7, which allow for the full
db_sync install to have more time than just Pupppet's
default of 300 seconds. Ultimately, similar timeouts
can be added for all other projects that feature
db sync phases, however Nova and Neutron are currently
the ones that are known to time out in some
environments.
Closes-bug: #1661100
Change-Id: Ic47439a0a774e3d74e844d43b58956da8d1887da
|
|
|
|
|
|
|
|
This enabled ``ipmi`` hardware type with all defaults + support for
socat-based nova-compatible serial console.
Part of blueprint ironic-driver-composition
Depends-On: Ie434609c62cf052ee169a0fac0db3200647a1af0
Change-Id: Iecead2d6581dff7a9cead58de6505567d7cd2402
|
|
This adds the necessary parameter for swift proxy to be terminiated
internally by a TLS proxy.
bp tls-via-certmonger
Change-Id: I3cb9d53d75f982068f1025729c1793efaee87380
Depends-On: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
|
|
FlashArray storage backend
This adds the necessary parameters for:
- Pure Storage FlashArray Block Storage driver configuration
Change-Id: I5b5617dd57015c0944a2d0c60187b01ede09b480
|
|
|
|
If we really want upgrade_batch_tasks before the upgrade_tasks
as described in the README then we should enforce the ordering
Noticed this working on bug 1671504 upgrade tasks were being
executed before batch upgrade tasks.
Closes-Bug: 1678101
Change-Id: Iaa1bce960a37c072b5f8441132705a6bb6eb6ede
|
|
Currently we don't enforce step ordering across role, only within
role. With custom role, we can reach a step5 on one role while the
cluster is still at step3, breaking the contract announced in the
README[1] where each step has a guarantied cluster state.
We have to remove the conditional here as well as jinja has no way to
access this information, but we need jinja to iterate over all enabled
role to create the orchestration.
This deals only with Upgrade tasks, there is another review to deal
with UpgradeBatch tasks.
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/README.rst
Closes-Bug: #1679486
Change-Id: Ibc6b64424cde56419fe82f984d3cc3620f7eb028
|
|
CollectdServer, CollectdServerPort, CollectdSecurityLevel, CollectdUsername, CollectdPassword
Change-Id: I43a0aca6f620f2570bdfd88531e70611867337b0
|
|
|
|
The puppet-tripleo change was added in
Ie9391aa39532507c5de8dd668a70d5b66e17c891.
Closes-bug: #1656558
Change-Id: Ibe2e4be5b5dc953d8d4b14f680a460409db95585
|
|
This enabled a lot of advanced networking features (see the release note).
Related to blueprint ironic-driver-composition
Change-Id: I20ea994fec36d73e618107b5c3594ec1c0f8cb93
Depends-On: I72eb8b06cca14073d1d1c82462fb702630e02de3
|
|
Added VxLAN and metadata agent firewall rules to neutron-compute-plugin
for Nuage. Removed a deprecated parameter 'OSControllerIp' as well.
Change-Id: If10c300db48c66b9ebeaf74b5f5fee9132e75366
|
|
|
|
Ceilometer API has been deprecated since Ocata. lets disable
it by default and add an env file to enable it if needed.
Closes-bug: #1676968
Change-Id: I571f5467466c29271e0235e8fde6bdae07c20daf
|
|
|
|
|
|
|
|
|
|
Adds some missing name properties on deployment resources where they
were lacking. It's convention in TripleO that all the deployment
resources have the name property set.
Change-Id: I6464b099e725f8469163c887676d56d769e2f9b1
|
|
|
|
Ceilometer Auth should be enabled even if ceilometer api
is not. Lets decouple these, this flag will be used in
puppet-tripleo where ceilometer::keystone::auth class
is initialized.
Change-Id: Iffebd40752eafb1d30b5962da8b5624fb9df7d48
Closes-bug: #1677354
|
|
This patch updates ceph::keystone::auth::roles to remove
"member" and add "Member". The previous entry breaks
OSP N to O upgrades when ceph-rgw is enabled.
This patch fixes: https://bugs.launchpad.net/tripleo/+bug/1678126
Closes-bug: 1678126
Change-Id: I2e442eda98e2e083d6f4193fb38a0484919a6d33
|
|
When we upgrade OVS from 2.5 to 2.6, the postrun package update
restart the services and drop the connectivity
We need to push this manual upgrade script and executed to the
nodes for newton to ocata
The special case is needed for 2.5.0-14 specifically see related
bug for more info (or, older where the postun tries restart).
See related review at [1] for the minor update/manual upgrade.
Related-Bug: 1669714
Depends-On: I3227189691df85f265cf84bd4115d8d4c9f979f3
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
[1] https://review.openstack.org/#/c/450607/
Change-Id: If998704b3c4199bbae8a1d068c31a71763f5c8a2
|
|
|
|
Change-Id: I170b7e4cff66f0a4b1b6d5735f93c9f0295a5ac5
|
|
They were using v2.0 and we're getting rid of v2.0/ec2tokens in the
EndpointMap.
Change-Id: Ib9fbbdb0144bb4e250c561613bba6219506ff30f
|
|
|
|
L2 Gateway (L2GW) is an API framework for OpenStack that offers bridging
two or more networks together to make them look at a single broadcast
domain. This patch implements the l2gw neutron service plugin support part
in t-h-t.
Change-Id: I1b52dc2c11a15698e43b6deeac6cadeeba1802d5
Depends-On: I01a8afdc51b2a077be1bbc7855892f68756e1fd3
Partially-Implements: blueprint l2gw-service-integration
Signed-off-by: Peng Liu <pliu@redhat.com>
|
|
|
|
|
|
Change-Id: Ia65796b04be9f7cadc57af30ef66788dd8cb7de8
Closes-Bug: 1677539
|
|
|
|
|
|
Closes-Bug: #1662679
Change-Id: I3446d59b89d43859caedd2be4583099374944379
|
|
We set dns_domain to '' in the undercloud neutron. This patch adds a new
heat parameter to control the Neutron DNS setting and sets the
undercloud environment default correctly for this setting.
Change-Id: I794e7b88108d0d6286e5930bb5236e72ba806c3f
|
|
* Disable Kernel Parameter for Sending ICMP Redirects:
- net.ipv4.conf.default.send_redirects = 0
- net.ipv4.conf.all.send_redirects = 0
Rationale: An attacker could use a compromised host
to send invalid ICMP redirects to other router devices
in an attempt to corrupt routing and have users access
a system set up by the attacker as opposed to a valid
system.
* Disable Kernel Parameter for Accepting ICMP Redirects:
- net.ipv4.conf.default.accept_redirects = 0
Rationale: Attackers could use bogus ICMP redirect
messages to maliciously alter the system routing tables
and get them to send packets to incorrect networks and
allow your system packets to be captured.
* Disable Kernel Parameter for secure ICMP Redirects:
- net.ipv4.conf.default.secure_redirects = 0
- net.ipv4.conf.all.secure_redirects = 0
Rationale: Secure ICMP redirects are the same as ICMP
redirects, except they come from gateways listed on
the default gateway list. It is assumed that these
gateways are known to your system, and that they are
likely to be secure.
* Enable Kernel Parameter to log suspicious packets:
- net.ipv4.conf.default.log_martians = 1
- net.ipv4.conf.all.log_martians = 1
Rationale: Enabling this feature and logging these packets
allows an administrator to investigate the possibility
that an attacker is sending spoofed packets to their system.
* Ensure IPv6 redirects are not accepted by Default
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv6.conf.default.accept_redirects = 0
Rationale: It is recommended that systems not accept ICMP
redirects as they could be tricked into routing traffic to
compromised machines. Setting hard routes within the system
(usually a single default route to a trusted router) protects
the system from bad routes.
Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
|