aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2017-03-30Don't check haproxy if external load-balancer is used.Sofer Athlan-Guyot1-1/+13
Change-Id: Ia65796b04be9f7cadc57af30ef66788dd8cb7de8 Closes-Bug: 1677539
2017-03-30Merge "Include panko in the default dispatcher"Jenkins1-1/+1
2017-03-30Merge "Allow to configure policy.json for OpenStack projects"Jenkins20-1/+134
2017-03-29Add ceilometer ipmi agentPradeep Kilambi1-0/+77
Closes-Bug: #1662679 Change-Id: I3446d59b89d43859caedd2be4583099374944379
2017-03-29Add network sysctl tweaks for securityzshi1-0/+18
* Disable Kernel Parameter for Sending ICMP Redirects: - net.ipv4.conf.default.send_redirects = 0 - net.ipv4.conf.all.send_redirects = 0 Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system. * Disable Kernel Parameter for Accepting ICMP Redirects: - net.ipv4.conf.default.accept_redirects = 0 Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured. * Disable Kernel Parameter for secure ICMP Redirects: - net.ipv4.conf.default.secure_redirects = 0 - net.ipv4.conf.all.secure_redirects = 0 Rationale: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. * Enable Kernel Parameter to log suspicious packets: - net.ipv4.conf.default.log_martians = 1 - net.ipv4.conf.all.log_martians = 1 Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system. * Ensure IPv6 redirects are not accepted by Default - net.ipv6.conf.all.accept_redirects = 0 - net.ipv6.conf.default.accept_redirects = 0 Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes. Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e Co-Authored-By: Luke Hinds <lhinds@redhat.com> Signed-off-by: zshi <zshi@redhat.com>
2017-03-29Qpid dispatch router composable roleJohn Eckersberg1-0/+60
Note: since it replaces rabbitmq, in order to aim for the smallest amount of changes the service_name is called 'rabbitmq' so all the other services do not need additional logic to use qdr. Depends-On: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608 Change-Id: I27f01d2570fa32de91ffe1991dc873cdf2293dbc
2017-03-29Merge "Modify pci_passthrough hiera value as string"Jenkins1-2/+6
2017-03-28Allow to configure policy.json for OpenStack projectsEmilien Macchi20-1/+134
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-28Include panko in the default dispatcherPradeep Kilambi1-1/+1
panko is enabled by default, we might as well make it the default dispatcher along with gnocchi. Closes-bug: #1676900 Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
2017-03-28Merge "N->O upgrade, blanks ipv6 rules before activating it."Jenkins1-0/+6
2017-03-28Merge "N->O Upgrade, make sure all nova placement parameter properly set."Jenkins1-3/+6
2017-03-28Merge "Stop openstack-nova-compute during nova-ironic upgrade"Jenkins1-0/+4
2017-03-28Merge "Only set EnableConfigPurge on major upgrades"Jenkins3-9/+9
2017-03-28Merge "Swift auth url should use a suffix"Jenkins1-1/+1
2017-03-28Merge "MySQL: Use conditional instead of nested stack for TLS-specific bits"Jenkins2-54/+26
2017-03-28Merge "Apache: Use conditional instead of nested stack for TLS-specific bits"Jenkins2-80/+39
2017-03-28Merge "Rabbitmq: Use conditional instead of nested stack for TLS-specific bits"Jenkins2-57/+27
2017-03-28Modify pci_passthrough hiera value as stringSaravanan KR1-2/+6
Hiera value of nova::compute::pci_passthrough should be a string. It has been modified to JSON with the heira hook changes. Modifying it again back to string. Closes-Bug: #1675036 Change-Id: I441907ff313ecc5b7b4da562c6be195687fc6c76
2017-03-28Disable core dump for setuid programszshi1-0/+2
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. This change sets core dump for setuid programs to '0'. Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d Signed-off-by: zshi <zshi@redhat.com>
2017-03-28Merge "Restrict Access to Kernel Message Buffer"Jenkins1-0/+2
2017-03-27Add missing ec2api::api::keystone_ec2_tokens_url configSven Anderson1-0/+5
Change-Id: I9a19aff24dede2bea3bf2959afa7adde00817ee0 Related-Bug: #1676491
2017-03-27Fixes port binding controller for OpenDaylightTim Rozet1-0/+45
In Ocata and later, the port binding controller for ODL was changed by default to be the pseudo agent controller, which requires a new feature "host config" for OVS. This patch modifies the default to use network-topology, which will work without any new host config features implemented (previous way of port binding). Closes-Bug: 1675211 Depends-On: I5004fdeb238dea81bc4f7e9437843a8a080d5b46 Change-Id: I6a6969d1d6b8d8b8ac31fecd57af85eb653245d2 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-27Swift auth url should use a suffixPradeep Kilambi1-1/+1
gnocchi metricd and statsd are broken due to recent change to support keystone v3. see I2feed8b1219069128faa1a1e8dcd2ddfbae7e40a We need swift auth url to have suffix so it knows what endpoint to use. Change-Id: I753f37e121b95813e345f200ad3f3e75ec4bd7e1
2017-03-27MySQL: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles2-54/+26
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a
2017-03-27Apache: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles2-80/+39
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
2017-03-27Rabbitmq: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles2-57/+27
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa
2017-03-27N->O upgrade, blanks ipv6 rules before activating it.Sofer Athlan-Guyot1-0/+6
When the firewall is enabled with ipv6, the default rules set is taken as not ipv6 firewall was present for Newton. This make communication impossible until puppet is run again. This ensures that no rules are loaded when the firewall is enabled. This mimic this patch[1] [1] https://github.com/openstack/tripleo-heat-templates/commit/ae8aac36143d5dadb08af0d275f513678909dcc7 Change-Id: Id878b5caae666a799c89c8466ce46b9ecb86d9f7 Closes-Bug: #1675782
2017-03-26Merge "Remove unused KeystoneRegion parameter from gnocchi-base"Jenkins1-4/+0
2017-03-26Merge "Setting keystone region for congress"Jenkins1-0/+1
2017-03-26Merge "Enables increasing mariadb open files for noha deployments"Jenkins1-0/+6
2017-03-25Merge "Fixes missing firewall rules for neutron_ovs_dpdk_agent service"Jenkins1-1/+4
2017-03-25Merge "Fix usage of CinderNfsServers"Jenkins1-5/+1
2017-03-25Merge "Add missing metadata_settings from neutron-api profile"Jenkins1-4/+5
2017-03-24Stop openstack-nova-compute during nova-ironic upgradeMarius Cornea1-0/+4
This change ensures that that openstack-nova-compute is stopped and disabled during the upgrade process. Closes-Bug: 1675814 Change-Id: Ifd2557b11e4317f1e76e459e8de4162116578eff
2017-03-24N->O Upgrade, make sure all nova placement parameter properly set.Sofer Athlan-Guyot1-3/+6
The restart of openstack-nova-compute takes place before crudini set the password, user_domain and project_name get set. Change-Id: I57b54d5f59d5803d7ad4e399d598f699785a5825 Closes-Bug: #1675739 Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
2017-03-23[N->O] Fix wrong database connection for cell0 during upgrade.Sofer Athlan-Guyot2-1/+11
During upgrade the cell0 database has the connection pointing to mysql+pymysql://nova:c2cdagE8PyAbnpers3AD88Hge@10.0.0.19/nova_cell0?bind_address=10.0.0.20 where 10.0.0.20 was the ip of the bootstrap node. This makes the nova-api fails on 2/3 node at the end of the major-upgrade-composable-steps.yaml step. We do have the right value in the hiera database so make sure we use it for cell0 creation and not the nova.conf file which hasn't been updated yet. Change-Id: I09775206cb8fc5e15934f7e4475506a7fe17271e Closes-Bug: #1675359
2017-03-23Fixes OpenDaylightProviderMappings hiera parsingTim Rozet1-5/+1
The str_replace conversion used previously is no longer needed and breaks the hieradata value. Closes-Bug: 1675426 Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-23[N->O] is creating 2 default cell_v2 cellsOliver Walsh1-4/+4
A side-effect of running map_cell_and_hosts is that a default cell is created (unless host mappings already exists). As we are explicitly creating the default cell we need to run discover_hosts to create the host mappings. Change-Id: I1a28e9b85a7c43561700faf692248c5fc06b8ad8 Closes-Bug: #1675418
2017-03-23Add missing metadata_settings from neutron-api profileJuan Antonio Osorio Robles1-4/+5
This is needed for the TLS everywhere work. This will break on TLS-everywhere setups where neutron would be deployed in its own role. So we need to add the metadata_settings. bp tls-via-certmonger Change-Id: I7934a258e032d8eaa6f07c0e48b3fbdb1f8c6a06
2017-03-23Fix usage of CinderNfsServersChristian Schwede1-5/+1
This feature stopped working somewhere along the lines. In the past it was working with parameter_defaults like this: CinderNfsServers: '10.0.0.254:/srv/nfs/cinder' or CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder" The problem was that the templating escaped these strings, and puppet-tripleo didn't receive a proper array, but a string. This patch fixes this. It accepts strings as above as well as comma-delimited lists of Nfs Servers. Closes-Bug: 1671153 Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
2017-03-23Adds Horizon secure cookie map.lhinds1-0/+5
Puppet-horizon already contains a `secure_cookies` parameter, that sets `CSRF_COOKIE_SECURE` and `SESSION_COOKIE_SECURE` within `/templates/local_settings.py.erb`. This change introduces the services map for TripleO Heat Templates Change-Id: Ie6f6158929c33da8c5f245e2379aebe1afd524ef Closes-bug: #1640491
2017-03-22Fixes missing firewall rules for neutron_ovs_dpdk_agent serviceTim Rozet1-1/+4
Firewall config was being inherited by the dpdk service, however since the firewall service name was the parent (neutron_ovs_agent) and technically that service was not enabled - the rules were never applied. This modifies the service name as it is inherited using map_replace. Closes-Bug: 1674689 Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-22Remove unused KeystoneRegion parameter from gnocchi-baseJuan Antonio Osorio Robles1-4/+0
This is used in gnocchi-api.yaml and is not needed on the base template. Change-Id: I5ebd27dff3dca7053647a57eb4cdef56d38526c6
2017-03-22Only set EnableConfigPurge on major upgradesSteven Hardy3-9/+9
Bug #1611800 fixed an upgrade issue by enabling purging configs for some services, but this causes issues such as longer updates and restarting services in the minor update case, so only do this for major upgrades, and default to false. Related-Bug: #1611800 Closes-Bug: #1674858 Change-Id: Iff7d715f6730c5633f1146008504b4309ef3133d
2017-03-22Merge "Enables OpenDaylight clustering in HA deployments"Jenkins1-1/+2
2017-03-22Restrict Access to Kernel Message Bufferzshi1-0/+2
Unprivileged access to the kernel syslog can expose sensitive kernel address information. Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2 Signed-off-by: zshi <zshi@redhat.com>
2017-03-20Merge "Bind redis-sentinel to its network"Jenkins1-0/+1
2017-03-20Setting keystone region for congressDan Radez1-0/+1
Change-Id: I4958b886cbd6c2b34da0c265e8774105474ace13
2017-03-20Enables OpenDaylight clustering in HA deploymentsTim Rozet1-1/+2
Port 2550 is required for inter-ODL communication when clustering. odl-jolokia feature is required to expose REST APIs from ODL for monitoring the cluster. Implements: blueprint opendaylight-ha Depends-On: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31 Change-Id: Ie108ab75cce0cb7d89e72637c600e30fc241d186 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-18Merge "Make sure PrePuppet runs before any Deployment_Step"Jenkins1-1/+1