Age | Commit message (Collapse) | Author | Files | Lines |
|
In the freeipa-enroll.yaml, it can be the case that the node has been
enrolled (via a cloud-init script); in this case, the OTP and the
FreeIPA server are optional. However, we still need to get a kerberos
ticket, which is the last step of this script, since this ticket is what
certmonger will use to request the certificates in subsequent steps.
Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
|
|
|
|
|
|
It turns out the puppet-mistral change this depends on broke
introspection, so we need to back it out for now.
This reverts commit ed029e5bf279945e82bff8766af4093856a7ac6a.
Change-Id: I828478267935cdc68aa24de8c9dc2d12fcadb631
|
|
|
|
Currently when the docker environments are invoked, every node has the
boot script run which replaces os-collect-config with the heat-agents
container. This should only be happening on Compute nodes currently,
and each role will be converted to heat-agents one at a time.
This change implements a role-specific NodeUserData resource and uses
that mechanism to run docker/firstboot/install_docker_agents.yaml only
on Compute nodes.
Change-Id: Id81811dbcaf0e661c3980aa25f3ca80db5ef0954
|
|
|
|
We can't run this during the upgrade steps, because there are things
which need to happen before any role configuration happens, e.g
installing the new hiera heat-config hook, which must be done before
e.g "ControllerDeployment" runs or the stack update hangs.
Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I365b57513590662c3f78a33dc625747f457c48c5
|
|
|
|
|
|
This allows us to take advantage of the composable roles hiera
settings to connect the plugin to the northd/ovndb API without
needing to hard-code the IP of the node running the service.
Change-Id: I2508d48f81c1819ae3521fff271c0bdc50724604
Depends-On: I9af7bd837c340c3df016fc7ad4238b2941ba7a95
Closes-Bug: #1634171
|
|
When Nova and/or Cinder are using Ceph as backend, qemu will need
to open a connection and two threads for each and every Ceph OSD.
This change raises the max_files (set to 1024 by default) to 32768
and the max_processes (set to 4096 by default) to 131072. The max
number of FDs is per-process, while the max number of processes is
per-user. The values can be overridden via ExtraConfig, no params
are added to the templates.
A more detailed description of the values were chosen can be
found at: https://access.redhat.com/solutions/1602683
Change-Id: I1e79675f6aac1b0fe6cc7269550fa6bc8586e1fb
Depends-On: I258afd3ee6633e4b2ebc45aa8611be652476be0c
|
|
We could already pass metadata to the nova server instances (on
creation) via the ServerMetadata parameter, however, there was no
way of doing this per-role. This introduces that by adding a
{{role}}ServerMetadata parameter for each role. This parameter gets
merged with the ServerMetadata parameter and allows this
functionality.
Note that both default to {}, and so does the result of merging those
parameters with their default values. So nothing changes for the
default settings.
Change-Id: I334edcc51ce7ee82fc13b6cf4c0d74ccb7db099c
|
|
There are some requirements for early configuration that involves
e.g setting kernel parameters then rebooting. Currently this can
be done via cloud-init, e.g firstboot templates, but there's been
discussion around enabling a SoftwareDeployment approach instead.
The main advantage of doing it this way is there's an error path
if something goes wrong with the config (except triggering the
reboot as we have to use NO_SIGNAL for that).
Change-Id: Ia54ee654f755631b8062eb5c209a60c6f9161500
|
|
The RabbitMQ's puppet manifest configures the node's IP and port through
environment variables. While this would usually be fine, it doesn't
allow us to use TLS-only, since it will always try to start a TCP
listener. So, by setting these values through the config file, when
setting ssl_only for rabbitmq, they will effectively be discarded and
thus allow us to use an SSL listener on the same port.
Change-Id: I33d051a8c740baf69b99517378e1f9b0f3cc1681
|
|
This reads makes Django take the X-Forwarded-Proto header into account
when forming URLs.
Change-Id: Ice64de9a11d7819ae7f380279ff356342d9b6673
Depends-On: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
|
|
The inputs on the NetworkDeployment SoftwareDeployment resource were not
the same for generic roles as they were for the default roles
(role.role.js.yaml vs. controller-role.yaml).
This patch synchronizes the input between the 2 so that the interface is
the same for deployers.
Change-Id: Id14cf7ca219aee61f5b9d21171a5c41dea765f98
Implements: blueprint multinode-ci-os-net-config
|
|
disallow_iframe_embed can be used to prevent Horizon from being
embedded within an iframe. Legacy browsers are still vulnerable
to a Cross-Frame Scripting (XFS) vulnerability, so this option
allows extra security hardening where iframes are not used in
deployment
Change-Id: I2fe6b243250608b340ee555062060dbdad1a49c4
Depends-On: I5c540e552efe738bdec8598f9257fa22ae651a76
Closes-Bug: #1641882
|
|
This patch updates the swift-proxy base profile so that
we now explicitly set the rabbit_port. This allows us
to remove the use of puppet-ceilometer default settings
in the puppet-tripleo modules change ID here:
I8d9f69f5e9160543b372bd9886800f16f625fdc6
It also adds a new boolean parameter that allows the
end user to disable the swift ceilometer pipeline
by setting SwiftCeilometerPipelineEnabled to false.
This two settings allow Swift to once again be installed
on a machine without configuring Ceilometer.
Depends-On: Id1584df5e5bb90f8087ae25eecc4834179b6fc21
Change-Id: Ief5399d7ea4d26e96ce54903a69d660fa4fe3ce9
Related-bug: #1648736
|
|
The upstream puppet module is adding the proper keystone authtoken
middleware support. This change updates THT to use the keystone
authtoken class rather than the deprecated settings. This also allows
for proper keystone v3 integration.
Change-Id: Iaf82716122a25e3e0785de1250d24edaaa5e4d04
Depends-On: I71969ef09018f9daa5f81c4f3bcbdb0b0974446c
|
|
Change-Id: I75815a4bcbf421597abb86226238b74a9afffc0d
Depends-On: Iffb8c2cfed53d8b29e777c35cee44921194239e9
|
|
This is based on previous work [1] and it's what I've been using to
test the TLS-everywhere work.
This introduces a template that will run on every node to enroll
them to FreeIPA and acquire a ticket (authenticate) in order to be
able to request certificates.
Enrollment is done via the ipa-client-install command and it does
the following:
* Get FreeIPA's CA certificate and trust it.
* Authenticate to FreeIPA using an OTP and get a kerberos keytab.
* Set up several configurations that are needed for FreeIPA (sssd,
kerberos, certmonger)
The keytab is then used to authenticate and get an actual TGT
(Ticket-Granting-Ticket) from Kerberos
The previous implementation used a PreConfig hook, however, here it
was modified to use NodeTLSCAData. This has the advantage that it
runs on every node as opposed to the PreConfig hook where we had to
specify the role type so it's a usability improvement. And, on the
other hand, this does set up necessary things for the usage of
FreeIPA as a CA, such as getting the certificate and enrolling to the
CA.
[1] https://github.com/JAORMX/freeipa-tripleo-incubator
bp tls-via-certmonger
Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
|
|
example for
- NeutronSriovNumVFs
- NeutronPhysicalDevMappings
as given, causes parsing error.
Change-Id: I71fb42f10dac70afa02244cd6629b3439f418d63
Closes-Bug: #1648351
|
|
|
|
Change-Id: I299f8f33b0bac40d331084df37f690dc2a279677
|
|
It's no longer available in Neutron (removed in Mitaka). See:
I2a879213c3b095a007a4531f430a33cea9fdf1bd
Change-Id: I044c648eb8c4933667b8ea2c9159a30e5ebb7df3
|
|
We now fetch the name argument from the correctly named SwiftStorage
object.
Change-Id: I885505eadfc778ab57793c97af4d1c6739ec9614
Closes-Bug: #1647716
|
|
|
|
|
|
|
|
|
|
The script tries to download all artifact URLs with a single
request, instead of downloading each URL on its own if
multiple DeployArtifactURLs were given.
Change-Id: I6a8be699aff7023a67702bb1d3ddc2273984cd08
|
|
This seems to have broken the updates job, causing it to fail
with following error:
Can't set long node name!\nPlease check your configuration\n
Related-Bug: 1646873
This reverts commit 3e9fcfd09320ace07bc1bd4cb57feb98cd057332.
Change-Id: I72ba891cd9cd8c4f1bc204144f46aaabbdfd3647
|
|
|
|
There were several instances where the short-names/FQDNs where being
gotten in the same way in the role's templates. So this introduces a
mapping to get these values in order to reduce clutter.
Change-Id: Ie7df360bb69d56655f3e0fcbbf4d297db39b7a26
|
|
|
|
|
|
|
|
'user' is required or puppet-ceph will complain that the Keystone_user
has no title:
Evaluation Error: Missing title. The title expression resulted in undef
at /etc/puppet/modules/ceph/manifests/rgw/keystone/auth.pp
The value is set to Swift, as we use the same credentials as Swift
service.
Closes-Bug: #1642524
Change-Id: Ib4a7c07086b0b3354c8e589612f330ecdffdc637
|
|
|
|
|
|
|
|
This shows how we could wire in the upgrade steps using Ansible
as was previously proposed e.g in https://review.openstack.org/#/c/321416/
but it's more closely integrated with the new composable services
architecture.
It's also very similar to the approach taken by SpinalStack where
ansible snippets per-service were combined then run in a series of
steps using Ansible tags.
This patch just enables upgrade of keystone - we'll add support for
other patches in subsequent patches.
Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
|
|
|
|
|
|
Change-Id: Iee1afeced0b210a46b273aafc0d40e99d6ee6d4e
|
|
This changes how we get the network-based FQDNs for the specific
services, from using the custom fact, to the new hiera entries.
Change-Id: Iae668a5d89fb7bee091db4a761aa6c91d369b276
|
|
Currently, one can get the network-based FQDNs via a custom puppet
fact. This is currently unreliable, as it's based on the ::hostname
fact which we assume it's set correctly by nova. However, this is not
necessarily the case (for instance, if you use pre-deployed services
such as we do with the multinode-jobs). In these cases, the
::hostname fact will return something other than what we specified in
nova, and effectively breaks the configurations in we relly too much
on the network-based FQDN facts.
By using hiera instead, we avoid this issue as we set those values to
be exactly what we expect (as we set them in the OS::TripleO::Server
resource.
Change-Id: I6ce31237098f57bdc0adfd3c42feef0073c224fb
|
|
This patch optimizes how we deploy hiera by using a new
heat hook specifically designed to help compose hiera
within heat templates. As part of this change:
- we update all the 'hiera' software configurations to set the group to hiera
instead of os-apply-config.
- The new format uses JSON instead of YAML. The hook actually writes
out the hiera JSON directly so no conversion takes place. Arrays,
Strings, Booleans all stay in their native formats. As such we can avoid
having to do many of the awkward string and list conversions in t-h-t to
support the previous YAML formatting.
- The new hook prefers JSON over YAML so upgrading users will have the
new files prefered. (we will post a cleanup routine for the old files
soon but this isn't a new behavior, JSON is now simply prefered.)
- A lot of services required edits to account for default settings that
worked in YAML that no longer work correctly in the native JSON
format. In almost all these cases I think the resulting codes looks
cleaner and is more explicit with regards to what is getting
configured in hiera on the actual nodes.
Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b
Closes-bug: #1596373
Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
|
|
This patch adds a local version of our template processing
routine so that developers can more quickly view the templates
that are actually getting generated. I've noticed multiple developers
now do a full deployment with 'overcloud deploy' only to download
the swift container with the generated templates. This simple task
avoids that step by allowing developers to generate it locally.
It also aims to preserve the ability to use t-h-t templates directly
with Heat (instead of going through Mistral) should users wish to do that.
The new undercloud heat installer requires the ability to generate
templates without requiring Mistral and Swift to do so.
Ideally the Mistral API workflow would use this same code
so perhaps in the future we might modify that routine to:
-download swift tarball containing the templates
-run this local routine that lives in t-h-t
-re-upload the tarball of templates to the swift container
Change-Id: Ie664c9c5f455b7320a58a26f35bc403355408d9b
|