aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2017-04-26upgrades: deploy mod_ssl when upgrading apacheEmilien Macchi10-95/+150
1) When Apache is upgraded, install mod_ssl rpm. See https://bugs.launchpad.net/tripleo/+bug/1682448 to understand why we need mod_ssl. 2) All services that run Apache for API will use the snippet from Apache service to deploy mod_ssl, so we don't duplicate the code in all services. It's using the same mechanism as ovs upgrade to compile upgrade_tasks between both services. Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84 Closes-Bug: #1686503
2017-04-26Open ports 443 and 80 on haproxy's firewall when horizon is standaloneRadomir Dopieralski1-0/+7
Change-Id: Ifec9839ac0fc688678f0221bb731fb64bd86d2d9
2017-04-26Change the default for rabbitmq back to ha-mode: allMichele Baldessari2-33/+4
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a nice performance boost with rabbitmq, it makes rabbit less resilient to network glitches as we painfully found out via https://bugzilla.redhat.com/show_bug.cgi?id=1441635. This is the THT part of the change that changes the default to ha-mode: all. Closes-Bug: #1686337 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Co-Authored-By: John Eckersberg <jeckersb@redhat.com> Change-Id: I7afcf2b3c8deb13fc2134e4cae9c06a44e775384 Depends-On: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins1-21/+56
2017-04-25Deprecate ceilometer collectorPradeep Kilambi3-33/+72
Ceilometer collector is deprecated in Pike release. Do not deploy by default. Instead use the pipeline yaml to configure the publisher directly. Closes-bug: #1676961 Change-Id: Ic71360c6307086d5393cd37d38ab921de186a2e0
2017-04-25Deploy ceilometer_auth_enabled to node containing keystoneJuan Antonio Osorio Robles1-1/+1
This hiera key is used by keystone to create the ceilometer service user. It works in CI cause keystone and the ceilometer services are in the same node. However, this fails if keystone is deployed on a separate note. We should only deploy it in the nodes containing the keystone service since it's only relevant to create the service user. Change-Id: Ic0f02fe9a78a1fe14ac2b87197692fbd80c003b8 Closes-Bug: #1685828
2017-04-25Pass httpd service_name to ZaqarThomas Herve1-0/+1
This removes the need to do it in puppet-tripleo Change-Id: I6f44a6a02041c0fbbafb770a087a0032c3a53a76
2017-04-25Merge "Disable Manila CephFS snapshots by default"Jenkins1-1/+1
2017-04-25Merge "Add initial support for NSX plugin"Jenkins1-0/+66
2017-04-24Dell SC: Add secondary DSM supportrajinir1-0/+16
Adds support for a secondary DSM in case the primary becomes unavailable. Change-Id: I0887e15a7e1c90a4f333bef6cdbb5d43ba0cd838 Closes-Bug: #1681492 Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7
2017-04-24Merge "Merge pre|post puppet resources into pre|post config."Jenkins1-17/+2
2017-04-24Merge "Run Zaqar with httpd in puppet service"Jenkins1-12/+54
2017-04-24Merge pre|post puppet resources into pre|post config.Carlos Camacho1-17/+2
The [Pre|Post]Puppet resources were renamed in https://review.openstack.org/#/c/365763. This was intended for having a pre/post deployment steps using an agnostic name instead of being attached to a technology. The renaming was unintentionally reverted in https://review.openstack.org/#/c/393644/ and https://review.openstack.org/#/c/434451. This submission merge both resources into one, and remove the old pre|post hooks. Closes-bug: #1669756 Change-Id: Ic9d97f172efd2db74255363679b60f1d2dc4e064
2017-04-24Merge "Allow configuring enabled hardware types for Ironic"Jenkins1-0/+6
2017-04-22Merge "Increase documentation about parameters"Jenkins1-1/+3
2017-04-21Merge "Add service config settings to agent services"Jenkins3-0/+6
2017-04-21Merge "glance: deploy services with Keystone v3 endpoints"Jenkins1-2/+5
2017-04-21Merge "SSHD Service extensions"Jenkins1-0/+29
2017-04-21Merge "Use conditionals for neutron and glance worker defaults"Jenkins2-10/+20
2017-04-21Merge "Add NeutronDnsDomain heat option, undercloud fix"Jenkins1-0/+5
2017-04-20Merge "N->O Manual puppet commands have the right modulepath."Jenkins1-1/+1
2017-04-20N->O Manual puppet commands have the right modulepath.Sofer Athlan-Guyot1-1/+1
In two places during upgrade we manually trigger puppet. There can be a problem when new puppet modules are added, and their corresponding symlinks in /etc/puppet/modules are not created during the installation as their are installed in /usr/share/openstack-puppet/modules. To prevent the issue tripleo set modulepath in the templates. We must use the same modulepath to make sure that we don't fail because of missing module in the manual puppet run. This particulary happens when you upgrade from M->N->O, as the base image in Mitaka doesn't have the proper symlinks and they are not created during the installation of the package. Closes-Bug: #1684587 Change-Id: I79df6ea33f1c58e13309176a6de41b7572541fd6
2017-04-20Merge "TLS-everywhere: Enable for TLS libvirt live migration"Jenkins1-0/+82
2017-04-20Run Zaqar with httpd in puppet serviceThomas Herve1-12/+54
This switches Zaqar to run with httpd when configured by puppet. Change-Id: I69b923dd76a60e9ec786cae886c137ba572ec906
2017-04-20Merge "N->O upgrade, fix wrong parameters to nova placement."Jenkins1-1/+2
2017-04-20Merge "Pluggable server type per Role"Jenkins6-6/+6
2017-04-20glance: deploy services with Keystone v3 endpointsEmilien Macchi1-2/+5
* Switch auth_uri to point to Keystone versionless endpoint. * Switch Swift auth url to use Keystone versionless endpoint and Keystone v3 API. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: I78cdd2286b5a5094f36d4f3c7c58340745664449 Partial-blueprint: keystone-v3
2017-04-19SSHD Service extensionsLuke Hinds1-0/+29
This change implements a MOTD message and provides a hash of sshd config options which are sourced to the puppet-ssh module as a hash. The SSHD puppet service is enabled by default, as it is required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293. Also added the service to the CI roles. Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e Depends-On: I1d09530d69e42c0c36311789166554a889e46556 Closes-Bug: #1668543 Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
2017-04-19N->O upgrade, fix wrong parameters to nova placement.Sofer Athlan-Guyot1-1/+2
According to [1] we need os_region_name, not region_name. Furthermore the os_interface is configured as well. The hard check on this parameter was introduced in ocata[2], explaining why the newton version did not chock on it. [1] https://docs.openstack.org/ocata/config-reference/compute/config-options.html [2] https://github.com/openstack/nova/commit/d486315e0 Closes-Bug: #1684058 Change-Id: If6118bf03e832fe3fa5ea4fcb1b436afd2adf80a
2017-04-19TLS-everywhere: Enable for TLS libvirt live migrationJuan Antonio Osorio Robles1-0/+82
This relies on using the default paths for certs/keys used by libvirt and is only enabled if TLS-everywhere is enabled. bp tls-via-certmonger Depends-On: If18206d89460f6660a81aabc4ff8b97f1f99bba7 Depends-On: I0a1684397ebefaa8dc00237e0b7952e9296381fa Change-Id: I0538bbdd54fd0b82518585f4f270b4be684f0ec4
2017-04-19Merge "Use tripleo profile for bigswitch agent"Jenkins1-3/+1
2017-04-19Merge "Add migration SSH tunneling support"Jenkins2-1/+8
2017-04-18Merge "SSH known_hosts config"Jenkins6-1/+223
2017-04-18Merge "Run token flush cron job hourly by default"Jenkins1-1/+1
2017-04-18Run token flush cron job hourly by defaultJuan Antonio Osorio Robles1-1/+1
Running this job once a day has proven problematic for large deployments as seen in the bug report. Setting it to run hourly would be an improvement to the current situation, as the flushes wouldn't need to process as much data. Note that this only affects people using UUID as the token provider. Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a Related-Bug: #1649616
2017-04-18Support for external swift proxyLuca Lorenzetto1-0/+70
Users may have an external swift proxy already available (i.e. radosgw from already existing ceph, or hardware appliance implementing swift proxy). With this change user may specify an environment file that registers the specified urls as endpoint for the object-store service. The internal swift proxy is left as unconfigured. Change-Id: I5e6f0a50f26d4296565f0433f720bfb40c5d2109 Depends-On: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
2017-04-17aodh-base.yaml uses a hard coded keystone region nameKeith Schincke1-1/+1
aodh::auth::auth_region in aodh-base.yaml is hardcoded to regionOne instead of using the available KeystoneRegion Change-Id: I521b7e226675062225085e1d5f0296e53b152e81
2017-04-15Add migration SSH tunneling supportOliver Walsh2-1/+8
This enables nova cold migration. This also switches to SSH as the default transport for live-migration. The tripleo-common mistral action that generates passwords supplies the MigrationSshKey parameter that enables this. The TCP transport is no longer used for live-migration and the firewall port has been closed. Change-Id: I4e55a987c93673796525988a2e4cc264a6b5c24f Depends-On: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: I9e7a1862911312ad942233ac8fc828f4e1be1dcf Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
2017-04-13SSH known_hosts configOliver Walsh6-1/+223
Fetch the host public keys from each node, combine them all and write to the system-wide ssh known hosts. The alternative of disabling host key verification is vulnerable to a MITM attack. Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
2017-04-13Pluggable server type per RoleJames Slagle6-6/+6
The server resource type, OS::TripleO::Server can now be mapped per role instead of globally. This allows users to mix baremetal (OS::Nova::Server) and deployed-server (OS::Heat::DeployedServer) server resources in the same deployment. blueprint pluggable-server-type-per-role Change-Id: Ib9e9abe2ba5103db221f0b485c46704b1e260dbf
2017-04-13Merge "Use comma_delimited_list for token flush cron time settings"Jenkins1-5/+5
2017-04-12Add service config settings to agent servicesPradeep Kilambi3-0/+6
When containerizing ceilometer agents, keystone auth is not getting set correctly as we're not including the service config settings. Change-Id: Ic17d64eb39e1fcb64c198410f27adbe94c84b7d4
2017-04-12Merge "Add IPv6 disable option"Jenkins1-0/+8
2017-04-12Merge "Add composable role support for NetApp Cinder back end"Jenkins3-158/+129
2017-04-12Merge "Change the directory for httpd certs/keys to be service-specific"Jenkins1-2/+4
2017-04-12Use comma_delimited_list for token flush cron time settingsJuan Antonio Osorio Robles1-5/+5
This allows us to better configure these parametes, e.g. we could set the cron job to run more times per day, and not just one. Change-Id: I0a151808804809c0742bcfa8ac876e22f5ce5570 Closes-Bug: #1682097
2017-04-11Merge "Add missing name properties on deloyment resources"Jenkins1-0/+1
2017-04-11Change the directory for httpd certs/keys to be service-specificJuan Antonio Osorio Robles1-2/+4
This moves the directories containing the certs/keys for httpd one step further inside the hierarchy. This way we will be able to bind-mount this certificate into the container without bind-mounting any other certs/keys from other services. bp tls-via-certmonger-containers Change-Id: Ibe6e66ae4589b9eab7db330dd8b178e0f8775639 Depends-On: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-11Merge "Decouple Swift ringbuilding logic"Jenkins2-18/+10
2017-04-11Add IPv6 disable optionzshi1-0/+8
This will give user the ability to set these values, if IPv6 is not to be used, it's recommended that it be disabled to reduce the attack surface of the system. Change-Id: Ib3142cce49b93a421ca142a59961ce49a77e66b1 Co-Authored-By: Luke Hinds <lhinds@redhat.com> Signed-off-by: zshi <zshi@redhat.com>