Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
* Switch auth_uri to point to Keystone versionless endpoint.
* Switch Swift auth url to use Keystone versionless endpoint and
Keystone v3 API.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I78cdd2286b5a5094f36d4f3c7c58340745664449
Partial-blueprint: keystone-v3
|
|
This change implements a MOTD message and provides a hash of
sshd config options which are sourced to the puppet-ssh module
as a hash.
The SSHD puppet service is enabled by default, as it is
required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
Also added the service to the CI roles.
Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
Depends-On: I1d09530d69e42c0c36311789166554a889e46556
Closes-Bug: #1668543
Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
|
|
According to [1] we need os_region_name, not region_name. Furthermore
the os_interface is configured as well. The hard check on this
parameter was introduced in ocata[2], explaining why the newton version
did not chock on it.
[1] https://docs.openstack.org/ocata/config-reference/compute/config-options.html
[2] https://github.com/openstack/nova/commit/d486315e0
Closes-Bug: #1684058
Change-Id: If6118bf03e832fe3fa5ea4fcb1b436afd2adf80a
|
|
This relies on using the default paths for certs/keys used by libvirt
and is only enabled if TLS-everywhere is enabled.
bp tls-via-certmonger
Depends-On: If18206d89460f6660a81aabc4ff8b97f1f99bba7
Depends-On: I0a1684397ebefaa8dc00237e0b7952e9296381fa
Change-Id: I0538bbdd54fd0b82518585f4f270b4be684f0ec4
|
|
|
|
|
|
|
|
|
|
Running this job once a day has proven problematic for large
deployments as seen in the bug report. Setting it to run hourly
would be an improvement to the current situation, as the flushes
wouldn't need to process as much data.
Note that this only affects people using UUID as the token provider.
Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a
Related-Bug: #1649616
|
|
Users may have an external swift proxy already available (i.e. radosgw
from already existing ceph, or hardware appliance implementing swift
proxy). With this change user may specify an environment file that
registers the specified urls as endpoint for the object-store service.
The internal swift proxy is left as unconfigured.
Change-Id: I5e6f0a50f26d4296565f0433f720bfb40c5d2109
Depends-On: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
|
|
aodh::auth::auth_region in aodh-base.yaml is hardcoded to regionOne
instead of using the available KeystoneRegion
Change-Id: I521b7e226675062225085e1d5f0296e53b152e81
|
|
This enables nova cold migration.
This also switches to SSH as the default transport for live-migration.
The tripleo-common mistral action that generates passwords supplies the
MigrationSshKey parameter that enables this.
The TCP transport is no longer used for live-migration and the firewall
port has been closed.
Change-Id: I4e55a987c93673796525988a2e4cc264a6b5c24f
Depends-On: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: I9e7a1862911312ad942233ac8fc828f4e1be1dcf
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
|
|
Fetch the host public keys from each node, combine them all and write to the
system-wide ssh known hosts. The alternative of disabling host key
verification is vulnerable to a MITM attack.
Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
|
|
The server resource type, OS::TripleO::Server can now be mapped per role
instead of globally. This allows users to mix baremetal
(OS::Nova::Server) and deployed-server (OS::Heat::DeployedServer) server
resources in the same deployment.
blueprint pluggable-server-type-per-role
Change-Id: Ib9e9abe2ba5103db221f0b485c46704b1e260dbf
|
|
|
|
When containerizing ceilometer agents, keystone auth is not getting
set correctly as we're not including the service config settings.
Change-Id: Ic17d64eb39e1fcb64c198410f27adbe94c84b7d4
|
|
|
|
|
|
|
|
This allows us to better configure these parametes, e.g. we could set
the cron job to run more times per day, and not just one.
Change-Id: I0a151808804809c0742bcfa8ac876e22f5ce5570
Closes-Bug: #1682097
|
|
|
|
This moves the directories containing the certs/keys for httpd one step
further inside the hierarchy. This way we will be able to bind-mount
this certificate into the container without bind-mounting any other
certs/keys from other services.
bp tls-via-certmonger-containers
Change-Id: Ibe6e66ae4589b9eab7db330dd8b178e0f8775639
Depends-On: I0b71902358b754fa8bd7fdbb213479503c87aa46
|
|
|
|
This will give user the ability to set these values,
if IPv6 is not to be used, it's recommended that it be
disabled to reduce the attack surface of the system.
Change-Id: Ib3142cce49b93a421ca142a59961ce49a77e66b1
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
|
|
|
|
Implements: blueprint fdio-integration-tripleo
Change-Id: I412f7a887ca4b95bcf1314e8c54cb1e7d03b1e41
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
Convert NetApp Cinder back end to support composable roles via new
"CinderBackendNetApp" service.
Closes-Bug: #1680568
Change-Id: Ia3a78a48c32997c9d3cbe1629c2043cfc5249e1c
|
|
|
|
|
|
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane
network will be 192.168.24 by default and not 192.0.2 anymore.
This change removes old references left to 192.0.2 network from the
overcloud templates.
Change-Id: I1986721d339887741038b6cd050a46171a4d8022
|
|
|
|
yaql calls are fairly expensive. Let's try to not nest them when we can
avoid it.
Change-Id: I5e7dbc42be625bbfe7989867794a67ebae08687d
|
|
Ironic is going to change the default boot_option from netboot to local in the
near future. Let's be pro-active, and change it in advance. Users cano change
it back via new IronicDefaultBootOption configuration.
Partial-Bug: #1619339
Change-Id: Idddc2e384c6cd9a1595777090500bf04f230edd4
|
|
This reverts commit b323f8a16035549d84cdec4718380bde3d23d6c3 and uses
the new logic in puppet-tripleo (see Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
), basically doing the same.
Closes-Bug: 1665641
Change-Id: Ib5cb0578be2993af0a0b8675005d838640bdb139
|
|
bp secure-etcd
Depends-on: I0759deef7cbcf13b9056350e92f01afd33e9c649
Change-Id: I049e35f3158435a0a82ca666911f2337b38e30ce
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
|
|
Using an empty string to signal that the default value in the puppet module
is to be used no longer seems to work, resulting in the puppet specified
defaults being overridden by empty string values. The impact on
configuration will differ depending on the actual configuration item, the
puppet code and the service, so it is just safer to omit the hieradata if
the user has not explicitly set a value.
Change-Id: Iefbc8f8669680e4f9d01db6b49543bfbe9b7661b
Closes-Bug: #1669452
|
|
When service is added during an upgrade, fix the ansible syntax
to use the right variable for return code.
Change-Id: I974699fb8b0dcbe5ffa6935c394df4ac8e7b21d4
|
|
There is a windows for the pcs cluster status to hang forever[1]. We
add a timeout during check0 to avoid this situation. 2 minutes should
be more than enought to get all the pcsd nodes to reply.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1292858
Closes-Bug: #1680477
Change-Id: Icb3dc76e031a3d4f26294f37d169f2f61d30973e
|
|
|
|
|
|
|
|
Current puppet module miss password section hence congress is not
available due to missing password in congress.conf. This fix is to
add password.
Change-Id: I277c03ca93130a0337d5085f09c375fb0ac9331d
Signed-off-by: Tomofumi Hayashi <s1061123@gmail.com>
|
|
|
|
|
|
|
|
|
|
ip_conntrack_proto_sctp is the old name for the module and it is now
nf_conntrack_proto_sctp. In order for the kmod module to not keep trying
to modprobe the module, we need to use the correct name.
Change-Id: Ieaed235e71e9e6e41a46d9be0e02beb8f4341b1a
Closes-Bug: #1680579
|
|
|