aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2017-04-11Merge "Add missing name properties on deloyment resources"Jenkins1-0/+1
2017-04-11Change the directory for httpd certs/keys to be service-specificJuan Antonio Osorio Robles1-2/+4
This moves the directories containing the certs/keys for httpd one step further inside the hierarchy. This way we will be able to bind-mount this certificate into the container without bind-mounting any other certs/keys from other services. bp tls-via-certmonger-containers Change-Id: Ibe6e66ae4589b9eab7db330dd8b178e0f8775639 Depends-On: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-11Merge "Decouple Swift ringbuilding logic"Jenkins2-18/+10
2017-04-11Add IPv6 disable optionzshi1-0/+8
This will give user the ability to set these values, if IPv6 is not to be used, it's recommended that it be disabled to reduce the attack surface of the system. Change-Id: Ib3142cce49b93a421ca142a59961ce49a77e66b1 Co-Authored-By: Luke Hinds <lhinds@redhat.com> Signed-off-by: zshi <zshi@redhat.com>
2017-04-11Merge "Replace references to the 192.0.2 network"Jenkins2-3/+3
2017-04-10Add composable role support for NetApp Cinder back endAlan Bishop3-158/+129
Convert NetApp Cinder back end to support composable roles via new "CinderBackendNetApp" service. Closes-Bug: #1680568 Change-Id: Ia3a78a48c32997c9d3cbe1629c2043cfc5249e1c
2017-04-10Merge "Remove yaql call when building logging_groups"Jenkins1-7/+4
2017-04-10Merge "sensu: fix upgrade case when service is added"Jenkins1-1/+1
2017-04-10Replace references to the 192.0.2 networkGiulio Fidente2-3/+3
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane network will be 192.168.24 by default and not 192.0.2 anymore. This change removes old references left to 192.0.2 network from the overcloud templates. Change-Id: I1986721d339887741038b6cd050a46171a4d8022
2017-04-10Merge "Timeout early on pcs cluster status check0 during upgrade."Jenkins1-0/+2
2017-04-10Remove yaql call when building logging_groupsThomas Herve1-7/+4
yaql calls are fairly expensive. Let's try to not nest them when we can avoid it. Change-Id: I5e7dbc42be625bbfe7989867794a67ebae08687d
2017-04-10[ironic] expose default boot_option in configuration and change it to localDmitry Tantsur1-0/+8
Ironic is going to change the default boot_option from netboot to local in the near future. Let's be pro-active, and change it in advance. Users cano change it back via new IronicDefaultBootOption configuration. Partial-Bug: #1619339 Change-Id: Idddc2e384c6cd9a1595777090500bf04f230edd4
2017-04-10Decouple Swift ringbuilding logicChristian Schwede2-18/+10
This reverts commit b323f8a16035549d84cdec4718380bde3d23d6c3 and uses the new logic in puppet-tripleo (see Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b ), basically doing the same. Closes-Bug: 1665641 Change-Id: Ib5cb0578be2993af0a0b8675005d838640bdb139
2017-04-09Enable internal network TLS for etcdFeng Pan1-21/+56
bp secure-etcd Depends-on: I0759deef7cbcf13b9056350e92f01afd33e9c649 Change-Id: I049e35f3158435a0a82ca666911f2337b38e30ce Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-07Merge "Update ceph-rgw acccepted roles to fix OSP upgrade"Jenkins1-1/+1
2017-04-07Use conditionals for neutron and glance worker defaultsBrent Eagles2-10/+20
Using an empty string to signal that the default value in the puppet module is to be used no longer seems to work, resulting in the puppet specified defaults being overridden by empty string values. The impact on configuration will differ depending on the actual configuration item, the puppet code and the service, so it is just safer to omit the hieradata if the user has not explicitly set a value. Change-Id: Iefbc8f8669680e4f9d01db6b49543bfbe9b7661b Closes-Bug: #1669452
2017-04-07sensu: fix upgrade case when service is addedEmilien Macchi1-1/+1
When service is added during an upgrade, fix the ansible syntax to use the right variable for return code. Change-Id: I974699fb8b0dcbe5ffa6935c394df4ac8e7b21d4
2017-04-07Timeout early on pcs cluster status check0 during upgrade.Sofer Athlan-Guyot1-0/+2
There is a windows for the pcs cluster status to hang forever[1]. We add a timeout during check0 to avoid this situation. 2 minutes should be more than enought to get all the pcsd nodes to reply. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1292858 Closes-Bug: #1680477 Change-Id: Icb3dc76e031a3d4f26294f37d169f2f61d30973e
2017-04-07Merge "Add password to authtoken section in congress.conf"Jenkins1-0/+1
2017-04-07Merge "Add support for "neutron" Ironic networking plugin"Jenkins1-0/+21
2017-04-07Merge "ovn: Add missing configurations required"Jenkins2-0/+7
2017-04-07Add password to authtoken section in congress.confTomofumi Hayashi1-0/+1
Current puppet module miss password section hence congress is not available due to missing password in congress.conf. This fix is to add password. Change-Id: I277c03ca93130a0337d5085f09c375fb0ac9331d Signed-off-by: Tomofumi Hayashi <s1061123@gmail.com>
2017-04-07Merge "Fix conntrack proto sctp module"Jenkins1-1/+1
2017-04-06Merge "Adds Horizon secure cookie map."Jenkins1-0/+5
2017-04-06Merge "Add trigger to setup a LDAP backend as keystone domaine"Jenkins1-0/+27
2017-04-06Merge "Adds service for managing securetty"Jenkins1-0/+36
2017-04-06Fix conntrack proto sctp moduleAlex Schultz1-1/+1
ip_conntrack_proto_sctp is the old name for the module and it is now nf_conntrack_proto_sctp. In order for the kmod module to not keep trying to modprobe the module, we need to use the correct name. Change-Id: Ieaed235e71e9e6e41a46d9be0e02beb8f4341b1a Closes-Bug: #1680579
2017-04-06Merge "Disable ceilometer API"Jenkins1-1/+1
2017-04-06Disable Manila CephFS snapshots by defaultJan Provaznik1-1/+1
Because CephFS Snapshots are still an experimental feature and also Manila Ceph driver has this feature disabled by default, it makes sense to not override this value by default. Change-Id: I3dacbd7a3c673d2f34998ee9f433889727c6a0f7
2017-04-06Adds service for managing securettylhinds1-0/+36
This adds the ability to manage the securetty file. By allowing management of securetty, operators can limit root console access and improve security through hardening. Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7 Partial-Bug: #1665042 Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
2017-04-06Add initial support for NSX pluginGary Kotton1-0/+66
Add the support for the VMware NSX plugin Co-Authored-By: Tong Liu <tongl@vmware.com> Change-Id: I3567cbb4ed8d6e5b2a3ea6b8cff6c7b8ed13b692
2017-04-06Merge "Add manual ovs upgrade script for workaround ovs upgrade issue"Jenkins4-26/+100
2017-04-06Merge "Enforce upgrade_batch_tasks before upgrade_tasks order"Jenkins1-19/+12
2017-04-06Merge "add configurable timeouts for DB sync"Jenkins2-0/+11
2017-04-06Merge "Add network sysctl tweaks for security"Jenkins1-0/+18
2017-04-06Merge "Ensure upgrade step orchestration accross roles."Jenkins1-8/+6
2017-04-06ovn: Add missing configurations requiredNuman Siddique2-0/+7
This patch adds - setting nova config param 'force_config_meta' to True as metadata service is not supported by OVN yet. - Add the necessary iptables rules to allow ovsdb-server traffic for Northbound and Southboud databases. - Update the release notes for OVN. Change-Id: If1a2d07d66e493781b74aab2fc9b76a6d58f3842 Closes-bug: #1670562
2017-04-06Add trigger to setup a LDAP backend as keystone domaineCyril Lopez1-0/+27
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo who will call a define in puppet-keysone ldap_backend.pp. Given the following environment: parameter_defaults: KeystoneLDAPDomainEnable: true KeystoneLDAPBackendConfigs: tripleoldap: url: ldap://192.0.2.250 user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com password: Secrete suffix: dc=redhat,dc=example,dc=com user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)" user_objectclass: person user_id_attribute: cn user_allow_create: false user_allow_update: false user_allow_delete: false ControllerExtraConfig: nova::keystone::authtoken::auth_version: v3 cinder::keystone::authtoken::auth_version: v3 It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash. This also enables multi-domain support for horizon. Closes-Bug: 1677603 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643 Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2017-04-06Merge "Add parameters for internal TLS for swift proxy"Jenkins1-2/+31
2017-04-05add configurable timeouts for DB syncMike Bayer2-0/+11
This patch integrates with the db_sync_timeout parameter recently added to puppet-nova and puppet-neutron in I6b30a4d9e3ca25d9a473e4eb614a8769fa4567e7, which allow for the full db_sync install to have more time than just Pupppet's default of 300 seconds. Ultimately, similar timeouts can be added for all other projects that feature db sync phases, however Nova and Neutron are currently the ones that are known to time out in some environments. Closes-bug: #1661100 Change-Id: Ic47439a0a774e3d74e844d43b58956da8d1887da
2017-04-05Merge "Add l2gw neutron service plugin support"Jenkins1-0/+54
2017-04-05Merge "Addition of firewall rules for Nuage"Jenkins2-6/+11
2017-04-05Merge "Disable core dump for setuid programs"Jenkins1-0/+2
2017-04-05Allow configuring enabled hardware types for IronicDmitry Tantsur1-0/+6
This enabled ``ipmi`` hardware type with all defaults + support for socat-based nova-compatible serial console. Part of blueprint ironic-driver-composition Depends-On: Ie434609c62cf052ee169a0fac0db3200647a1af0 Change-Id: Iecead2d6581dff7a9cead58de6505567d7cd2402
2017-04-05Add parameters for internal TLS for swift proxyJuan Antonio Osorio Robles1-2/+31
This adds the necessary parameter for swift proxy to be terminiated internally by a TLS proxy. bp tls-via-certmonger Change-Id: I3cb9d53d75f982068f1025729c1793efaee87380 Depends-On: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
2017-04-05Merge "Add params to tweak memory limit on mongodb"Jenkins1-0/+5
2017-04-04Enforce upgrade_batch_tasks before upgrade_tasks ordermarios1-19/+12
If we really want upgrade_batch_tasks before the upgrade_tasks as described in the README then we should enforce the ordering Noticed this working on bug 1671504 upgrade tasks were being executed before batch upgrade tasks. Closes-Bug: 1678101 Change-Id: Iaa1bce960a37c072b5f8441132705a6bb6eb6ede
2017-04-04Ensure upgrade step orchestration accross roles.Sofer Athlan-Guyot1-8/+6
Currently we don't enforce step ordering across role, only within role. With custom role, we can reach a step5 on one role while the cluster is still at step3, breaking the contract announced in the README[1] where each step has a guarantied cluster state. We have to remove the conditional here as well as jinja has no way to access this information, but we need jinja to iterate over all enabled role to create the orchestration. This deals only with Upgrade tasks, there is another review to deal with UpgradeBatch tasks. [1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/README.rst Closes-Bug: #1679486 Change-Id: Ibc6b64424cde56419fe82f984d3cc3620f7eb028
2017-04-04Increase documentation about parametersJuan Badia Payno1-1/+3
CollectdServer, CollectdServerPort, CollectdSecurityLevel, CollectdUsername, CollectdPassword Change-Id: I43a0aca6f620f2570bdfd88531e70611867337b0
2017-04-04Merge "Add ceilometer ipmi agent"Jenkins1-0/+77