aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2017-05-17TLS everywhere: configure mongodb's TLS settingsJuan Antonio Osorio Robles1-0/+37
This configures the mongodb server to use TLS in the internal network, while also passing the necessary attributes to generate the needed cert and key. bp tls-via-certmonger Depends-On: I85dda29bcad686372a74bd7f094bfd62777a3032 Change-Id: If6c603b074cfa7e122579cec29d034fd3312868d
2017-05-17Merge "Add params to manage and configure pipeline publisher"Jenkins1-2/+23
2017-05-16Merge "Optimize kernel neighbour table for large scale environments"Jenkins1-0/+29
2017-05-16Optimize kernel neighbour table for large scale environmentsOr Idgar1-0/+29
Changing the default values of neighbor table (also known as ARP table) in the kernel to avoid neighbour table overflow and thus fix communication errors between overcloud nodes. default kernel values support L2 network up to 1024 hosts (/22). The patch will allow up to 4096 hosts (/20). Change-Id: I5fabc766dd75a38cd3d835deee7e168f04dd30ce Closes-Bug: #1690087
2017-05-16Fix resource type in ObjectStorage roleChristian Schwede1-1/+1
The currently used resource type does not exist, therefore changing it. Closes-Bug: 1691021 Change-Id: Iaf18af546817e0cf6cdfafcc5c54ab4d1a0f819d
2017-05-15Add missing type for RoleParameters parameterMartin André1-0/+1
This was forgotten in I72376a803ec6b2ed93903cc0c95a6ffce718b6dc and broke containerized deployment. Change-Id: I599a87bf06efbfefd3067c77ed6ca866505900f9 Closes-Bug: #1690870
2017-05-15Merge "Update the services README documentation"Jenkins1-9/+23
2017-05-15Default snmp to less verbose loggingMichele Baldessari1-0/+5
Currently we just use what puppet-snmp provides in terms of defaults. This means that currently every single snmp query gets logged with the following: May 15 10:51:30 centos.localdomain snmpd[5159]: Connection from UDP: [127.0.0.1]:57799->[127.0.0.1]:161 May 15 10:51:30 centos.localdomain snmpd[5159]: Connection from UDP: [127.0.0.1]:57799->[127.0.0.1]:161 May 15 10:51:32 centos.localdomain snmpd[5159]: Connection from UDP: [127.0.0.1]:50566->[127.0.0.1]:161 The reason is that we use '-LS0-6d' as the default content for /etc/sysconfig/snmpd: https://github.com/razorsedge/puppet-snmp/blob/master/manifests/params.pp#L322 This default means that we are logging from 0 (LOG_EMERG) to 6 (LOG_INFO). The above messages bring nothing in a default installation and only spam the log files, so let's lower the upper log level to 5 (LOG_NOTICE) by default, so we properly do not see every single query in the logs. We add an option so the operator can still configure the desired log level via a Heat parameter. Change-Id: I8d3dfdb4d549cd27131346fc477755ad72313449
2017-05-15Merge "Change neutron-metadata number of workers determination method"Jenkins1-1/+8
2017-05-15Update the services README documentationSaravanan KR1-9/+23
Service template's parameter documentation has been update by correcting few of the wrong informations and added more information with examples. Change-Id: I2d92fd01cbeb6fdc6f030255dc4b71166509b4f6
2017-05-15Add role specific information to the service templateSaravanan KR178-44/+1694
When a service is enabled on multiple roles, the parameters for the service will be global. This change enables an option to provide role specific parameter to services and other templates. Two new parameters - RoleName and RoleParameters, are added to the service template. RoleName provides the role name of on which the current instance of the service is being applied on. RoleParameters provides the list of parameters which are configured specific to the role in the environment file, like below: parameters_default: # Default value for applied to all roles NovaReservedHostMemory: 2048 ComputeDpdkParameters: # Applied only to ComputeDpdk role NovaReservedHostMemory: 4096 In above sample, the cluster contains 2 roles - Compute, ComputeDpdk. The values of ComputeDpdkParameters will be passed on to the templates as RoleParameters while creating the stack for ComputeDpdk role. The parameter which supports role specific configuration, should find the parameter first in in the RoleParameters list, if not found, then the default (for all roles) should be used. Implements: blueprint tripleo-derive-parameters Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-12Merge "Deprecate Ceilometer Expirer"Jenkins2-0/+32
2017-05-11Merge "Disabling replacing fernet keys from puppet"Jenkins1-0/+1
2017-05-11Add params to manage and configure pipeline publisherPradeep Kilambi1-2/+23
Change-Id: Ifaa3bb0400ee22601fd8f3e1f2f16192b5f8766b
2017-05-11Deprecate Ceilometer ExpirerPradeep Kilambi2-0/+32
We dont need expirer unless we have collector and standard storage enabled. Lets turn it off by default and make it an optional service. In upgrade scenario, we will kill the process and stop the expirer, unless explicitly enabled. Change-Id: Icffb7d1bb2cf7bd61026be7d2dcfbd70cd3bcbda
2017-05-11Merge "Make upgrade steps unconditional to fix broken dependencies"Jenkins1-19/+0
2017-05-11Disabling replacing fernet keys from puppetJuan Antonio Osorio Robles1-0/+1
Once puppet has written the initial fernet keys, if a deployer wants to rotate them, the keys will be overwritten when another overcloud deploy is executed (for instance, for updates or upgrades). This disables replacing this keys via puppet, so now the operator can rotate the keys out of band. Change-Id: I01fd46ba7c5e0db12524095dc9fe29e90cb0de57
2017-05-10Merge "Add networking-vpp ML2 mechanism driver support"Jenkins1-0/+48
2017-05-10Change neutron-metadata number of workers determination methodOr Idgar1-1/+8
neutron-metadata number of workers will be taken from NeutronWorkers parameter if not empty. when empty, all keys related to NeutronWorkers value will be set with empty dictionary instead empty string ({}). Change-Id: I18347639c188bbf085e2f3c739465e52c94b9d77 Closes-bug: #1689571
2017-05-09Make upgrade steps unconditional to fix broken dependenciesJiri Stransky1-19/+0
Change I5c8b0c4abfc0607f42fd3f2da9f5ef2702b1bbe1 introduced conditions to optimize upgrade times and fix related bugs. Unfortunately the conditional inclusion would have to be paired with support in depends_on to work as we need. Currently we can hit this bug if the batch upgrade steps are undefined for some role, but upgrade steps are definied: The specified reference "ControllerUpgradeBatch_Step2" (in ControllerUpgradeConfig_Step0) is incorrect. To fix this we have to make the steps unconditional. This isn't fully reverting the original change because that change also addressed ordering issues. Change-Id: I369591f4757c10142f5b455e64aa778e1a9a5611 Closes-Bug: #1689553
2017-05-07Merge "Set puppet-redis managed_by_cluster_manager to true"Jenkins2-0/+6
2017-05-06Set puppet-redis managed_by_cluster_manager to trueMichele Baldessari2-0/+6
Via https://github.com/arioch/puppet-redis/pull/192 puppet-redis grew ulimit support also for pacemaker managed redis instances. To be able to use that we need to set redis::managed_by_cluster_manager to true. We also allow redis::ulimit to be configurable and we set a default of 10420 which was the default value before the above change. Change-Id: I06129870665d7d3bfa09057fd9f0a33a99f98397 Depends-On: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d Closes-Bug: #1688464
2017-05-06Enable mistral to run under mod_wsgiBrad P. Crochet1-6/+38
Mistral should run under mod_wsgi. Let's do that. Change-Id: Ie98dd5061d92dbc3c15bdd8926b0e3d62cc471f6 Depends-On: I99f83c35eaa892c10deb63e199d22a43f06f5dcc
2017-05-05Use the make_url function to build URLsZane Bitter20-242/+236
Change-Id: I2b23d92c85d5ecc889a7ee597b90e930bde9028e Depends-On: I72f84e737b042ecfaabf5639c6164d46a072b423
2017-05-05Merge "Add StackUpdateType to set hiera on upgrade"Jenkins1-1/+11
2017-05-04Merge "[N->O] Add openstack-nova-migration to compute nodes."Jenkins1-0/+3
2017-05-04Merge "Restrict nova migration ssh tunnel"Jenkins1-0/+5
2017-05-04Merge "Configure snmpd auth params in ceilometer profile"Jenkins1-0/+10
2017-05-04Remove nova placement config for compute service node on upgrademarios1-18/+0
This was necessary during the newton to ocata upgrade Change-Id: Iee248b6605e6c9cd82ce7cb733e220c6318c1764
2017-05-04Add StackUpdateType to set hiera on upgradeSteven Hardy1-1/+11
This will enable those consuming the stack_update_type hieradata set by this parameter to differentiate an update from a major upgrade Change-Id: I38469f4b7d04165ea5371aeb0cbd2e9349d70c79
2017-05-04Merge "Internal TLS: Use specific CA file for mysql-client"Jenkins1-0/+6
2017-05-04Merge "Internal TLS: use common CA file parameter for libvirt CA cert"Jenkins1-5/+20
2017-05-03Merge "Add back Heat conditions in upgrade workflow"Jenkins1-28/+50
2017-05-03Merge "snmp: add SnmpdBindHost parameter"Jenkins1-0/+5
2017-05-03Merge "Set reasonable TTL defaults for Ceilometer DB"Jenkins1-1/+12
2017-05-03Merge "Expose metric delay processing metric"Jenkins1-0/+5
2017-05-03[N->O] Add openstack-nova-migration to compute nodes.Sofer Athlan-Guyot1-0/+3
This add openstack-nova-migration on the compute during the upgrade. Closes-Bug: #1687081 Depends-on: Iab022bdfb655e3c52fecebf416e75c9e981072ab Depends-on: I02dc8934521340f42ac44a7d16889f6d79620c33 Change-Id: I3db2a3188e538eeaef61769d38f0166545444cfe
2017-05-03Restrict nova migration ssh tunnelOliver Walsh1-0/+5
Specify the allowed networks for migration ssh tunneling. bp tripleo-cold-migration Change-Id: Iab022bdfb655e3c52fecebf416e75c9e981072ab Depends-on: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-05-03Merge "Add parameter Ec2ApiExternalNetwork for VPCs"Jenkins1-0/+15
2017-05-03Add back Heat conditions in upgrade workflowGiulio Fidente1-28/+50
By adding back the conditions we avoid the deployment of unneded software configs on nodes where we don't have any upgrade task to run, speeding up the upgrade process. Related-Bug: #1679486 Related-Bug: #1678101 Change-Id: I5c8b0c4abfc0607f42fd3f2da9f5ef2702b1bbe1
2017-05-03Configure snmpd auth params in ceilometer profilePradeep Kilambi1-0/+10
Depends-On: I55ac06e1a561d29d7e1c928a1684989c9654b95d Change-Id: Id29e96979b937593efe244f46ce2dd74df3aaa7f
2017-05-03Set reasonable TTL defaults for Ceilometer DBPradeep Kilambi1-1/+12
By deafult, we let the data live for ever. Which isnt very efficient. Lets expose params to tweak this and use a reasonable default. Change-Id: I145fa73a7af9cb4135ba910d3659853b3baa893d
2017-05-03Expose metric delay processing metricPradeep Kilambi1-0/+5
For performance reasons we might want to tweak this param lets expose this via tripleo. The puppet changes were added in this patch I5de5283d1b14e0bba63d6d9a440611914ba86ca4 Change-Id: I72f1fe3a47060fe37602a70b8a74fba72209127c
2017-05-03Internal TLS: Use specific CA file for mysql-clientJuan Antonio Osorio Robles1-0/+6
Instead of using the CA bundle, this sets the mysql client configuration file to use a specific file for validating the certificate of the database server. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7 Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
2017-05-03Internal TLS: use common CA file parameter for libvirt CA certJuan Antonio Osorio Robles1-5/+20
libvirt has its own parameter for setting the CA, however, if we have a common CA for all services in the internal network (which we do), it's more consistent to use the common parameter for configuring that CA file. The previous parameter was left in case the deployer wants to use a specific CA file for the compute nodes. Change-Id: I3d132d3d257d7ea9f43e49593f8509c3cd205ca5
2017-05-03Internal TLS: Use specific CA file for haproxyJuan Antonio Osorio Robles1-0/+6
Instead of using the CA bundle, this sets HAProxy to use a specific file for validating the certificates of the services it's proxying. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
2017-05-02Add deprecation notes for panko servicePradeep Kilambi1-1/+3
Change-Id: Ic218a753e0cede2ba3951bcaec843f487dce0c71
2017-05-02Merge "Fix for the resource ControllerPostPuppetMaintenanceModeDeployment"Jenkins1-1/+1
2017-05-02Merge "Deprecate ceilometer collector"Jenkins3-33/+72
2017-05-02Merge "Use list_concat for metadata_settings for haproxy"Jenkins1-6/+4