Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
This change implements a MOTD message and provides a hash of
sshd config options which are sourced to the puppet-ssh module
as a hash.
The SSHD puppet service is enabled by default, as it is
required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
Also added the service to the CI roles.
Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
Depends-On: I1d09530d69e42c0c36311789166554a889e46556
Closes-Bug: #1668543
Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
(cherry picked from commit 5e14f95a4a46fcf88293f1b0fa93327566614d43)
|
|
|
|
|
|
This enables nova cold migration.
This also switches to SSH as the default transport for live-migration.
The tripleo-common mistral action that generates passwords supplies the
MigrationSshKey parameter that enables this.
The TCP transport is no longer used for live-migration and the firewall
port has been closed.
Change-Id: I4e55a987c93673796525988a2e4cc264a6b5c24f
Depends-On: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: I9e7a1862911312ad942233ac8fc828f4e1be1dcf
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
(cherry picked from commit 0271a63e52b961eab0da2f5c6a61811a7a1498f7)
|
|
Fetch the host public keys from each node, combine them all and write to the
system-wide ssh known hosts. The alternative of disabling host key
verification is vulnerable to a MITM attack.
Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
(cherry picked from commit 7d3552a105ad5aa62cad0998c11df5ec6bd06ed6)
|
|
|
|
Running this job once a day has proven problematic for large
deployments as seen in the bug report. Setting it to run hourly
would be an improvement to the current situation, as the flushes
wouldn't need to process as much data.
Note that this only affects people using UUID as the token provider.
Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a
Related-Bug: #1649616
(cherry picked from commit 65e643aca2202f031db94f1ccd3d44e195e5e772)
|
|
The puppet-tripleo change was added in
Ie9391aa39532507c5de8dd668a70d5b66e17c891.
Closes-bug: #1656558
Change-Id: Ibe2e4be5b5dc953d8d4b14f680a460409db95585
(cherry picked from commit 75d48838020ad9ff2bbd739212599ec8eb932649)
|
|
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane
network will be 192.168.24 by default and not 192.0.2 anymore.
This change removes old references left to 192.0.2 network from the
overcloud templates.
(cherry picked from commit b5b6681a74e001448a836e7eea5e75fba859b88c)
Closes-Bug: #1682144
Change-Id: I49bd1ac8d594105665010bd898670b17e72fa763
|
|
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo
who will call a define in puppet-keysone ldap_backend.pp.
Given the following environment:
parameter_defaults:
KeystoneLDAPDomainEnable: true
KeystoneLDAPBackendConfigs:
tripleoldap:
url: ldap://192.0.2.250
user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
password: Secrete
suffix: dc=redhat,dc=example,dc=com
user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
user_objectclass: person
user_id_attribute: cn
user_allow_create: false
user_allow_update: false
user_allow_delete: false
ControllerExtraConfig:
nova::keystone::authtoken::auth_version: v3
cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.
More backends can be added as more entries to that hash.
This also enables multi-domain support for horizon.
Conflicts:
puppet/services/keystone.yaml
Closes-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
(cherry picked from commit 347f5434b3e3793b9fdf2a94f49ab7734c5d923b)
|
|
When we upgrade OVS from 2.5 to 2.6, the postrun package update
restart the services and drop the connectivity
We need to push this manual upgrade script and executed to the
nodes for newton to ocata
The special case is needed for 2.5.0-14 specifically see related
bug for more info (or, older where the postun tries restart).
See related review at [1] for the minor update/manual upgrade.
Related-Bug: 1669714
Depends-On: I3227189691df85f265cf84bd4115d8d4c9f979f3
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
[1] https://review.openstack.org/#/c/450607/
Change-Id: If998704b3c4199bbae8a1d068c31a71763f5c8a2
(cherry picked from commit d2d319ec0ead06b860f8464b001048fb4f723788)
|
|
|
|
We need to purge the initial firewall for deployed-server's, otherwise
if you have a default REJECT rule, the pacemaker cluster will fail to
initialize. This matches the behavior done when using images, see:
Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3
I0dee5ff045fbfe7b55d078583e16b107eec534aa
Change-Id: Ia83d17b609e4f737074482a980689cc57c3ad911
Closes-Bug: #1679234
(cherry picked from commit a216934f408439e77bf8346dafe30c4752c70946)
|
|
Ceilometer Auth should be enabled even if ceilometer api
is not. Lets decouple these, this flag will be used in
puppet-tripleo where ceilometer::keystone::auth class
is initialized.
Change-Id: Iffebd40752eafb1d30b5962da8b5624fb9df7d48
Closes-bug: #1677354
(cherry picked from commit 0d04302abd19f98df3cd700f9cc4ec47273e5dac)
|
|
|
|
panko is enabled by default, we might as well make it
the default dispatcher along with gnocchi.
Closes-bug: #1676900
Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
(cherry picked from commit 568573b9b054c3804d9d1be2ce6ec2668ca2dbfb)
|
|
The agent configuration was lost in newton during the puppet-tripleo and
THT role conversion. This change adds support for including the bigswitch
agent service for composable roles.
Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908
Closes-Bug: #1673126
(cherry picked from commit 8eaa5f8e10a801be8fc45eeaaa479e7774d97997)
|
|
Hiera value of nova::compute::pci_passthrough should be a string.
It has been modified to JSON with the heira hook changes. Modifying
it again back to string.
Closes-Bug: #1675036
Change-Id: I441907ff313ecc5b7b4da562c6be195687fc6c76
(cherry picked from commit 57c06ddefd4d7ff87de02dab9d1c5e92eb8e6eef)
|
|
stable/ocata
|
|
|
|
|
|
This feature stopped working somewhere along the lines. In the past it
was working with parameter_defaults like this:
CinderNfsServers: '10.0.0.254:/srv/nfs/cinder'
or
CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder"
The problem was that the templating escaped these strings, and
puppet-tripleo didn't receive a proper array, but a string.
This patch fixes this. It accepts strings as above as well as
comma-delimited lists of Nfs Servers.
Closes-Bug: 1671153
Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
(cherry picked from commit 9445b0e0972696e7de1c0a702f456571d12fa964)
|
|
|
|
No other packages actually require openstack-selinux, so it must be
explicity installed.
Change-Id: Ic7b39ddfc4cfb28b8a08e9b02043211e4ca4a39a
Closes-Bug: #1675170
(cherry picked from commit 583a60248f47428542a560a869aab04933512d94)
|
|
Firewall config was being inherited by the dpdk service, however
since the firewall service name was the parent (neutron_ovs_agent)
and technically that service was not enabled - the rules were never
applied. This modifies the service name as it is inherited using
map_replace.
Closes-Bug: 1674689
Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95
Signed-off-by: Tim Rozet <trozet@redhat.com>
(cherry picked from commit 48a38a19347a18d4d35fb22de82136359aae5cb7)
|
|
The str_replace conversion used previously is no longer needed and
breaks the hieradata value.
Closes-Bug: 1675426
Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055
Signed-off-by: Tim Rozet <trozet@redhat.com>
(cherry picked from commit ae10ae4a5a21bb58c183aa50f237ffa2d6f14280)
|
|
Secure EtcdInitialClusterToken parameter by:
* removing the default value.
* make it hidden.
Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961
Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9
Closes-Bug: #1673266
(cherry picked from commit 55d17ca118d27f16b57424774265f5b3db7b7b52)
|
|
This was not implemented for Ocata so this
release note should not exist.
Change-Id: I58216fb54a156853f60697a903f1c38cf7970216
|
|
While the heat templates specify a default value of 3, it rarely seems
to have an effect as the tripleoclient is setting this according to the
controller scale. This was fine before composable roles, but it is now
invalid. While the client needs to be modified to no longer set this
according to controller scale, the template should default to a sentinel
value that will allow the puppet code to determine the proper value by
the number of hosts that have the neutron dhcp agent deployed on them.
Depends-On: I5533e42c5ba9f72cc70d80489a07e30ee2341198
Partial-bug: #1632721
Change-Id: I06628764c4769d91bbc42efe1c722702d6574d02
(cherry picked from commit 3c5345fc75da1e289929ef5caf08a0f75f904bb4)
|
|
Previously we could only configure Manila/CephFS with an externally
managed Ceph cluster. By adding CephMDS users can use the TripleO
managed Ceph cluster as well.
Change-Id: If714076e34a639c3df54936f335da4f2684b4533
(cherry picked from commit 9b70330a150b363c31b952867819e48830a10817)
|
|
|
|
|
|
|
|
|
|
Add some release notes about the composable ha work
Change-Id: I8975c3f597d1affbe6e52d4e16a2aad527006264
|
|
Adding a default NTP server by default will
keep all Pacemaker and non-Pacemaker deployments
aligned with the same server by default.
Also useful for keeping time diff controlled for
Keystone and Ceph.
Change-Id: I8a26bae15cbfb83e3abd6b9ef9d12b57467e6258
|
|
Add reno for:
- I1213a83ef8693c1cca1d20de974f7949a801d9f1
- Ib1103c00ddb7d6d624f4911147197d8355a3a6dd
Change-Id: Iecbbab5aeeade46b5cc238bc5542396e78db751c
|
|
Change-Id: I8c2e0af3ad4e47b12f4ecf2d5762df95e66fa34d
|
|
|
|
Previously the memcached configuration was set to use the defaults which
would be 95% of the avaiable ram in the system. This can lead to memory
contention issues if memcache is heavily utilized. This change reduces
the default to 50% and exposes the ability to tune this configuration.
Change-Id: Ie8a48ff4cf509e93d7c1487813d5feed5e5131a4
Closes-Bug: #1662941
|
|
Change-Id: I1bc3f37f910d6dfa833166217b1f58931d06be02
|
|
|
|
This patch adds the Octavia services to the registry and controller role
(disabled by default). Also included is an example environment file for
enabling the services and required configuration. The API service
profile is also amended configure the load balancer service provider in
neutron to point to the octavia load balancer driver.
Change-Id: I7f3bba950f5b1574ba842a39e93a8ac2b1ccf7bb
Partially-implements: blueprint octavia-service-integration
|
|
Ironic will soon refuse to start when at least some value is not provided.
Unfortunately, we do not create any overcloud[*] networks during deployment.
Fortunately, Ironic does not validate this value until actual cleaning. So,
this change sets it to "provisioning", which is what people often use.
An update will follow to the documentation to recommend this name:
http://tripleo.org/advanced_deployment/baremetal_overcloud.html#configuring-cleaning
A new parameter is created for this value, with a reminded to change it to
an actual UUID later on. While a pre-defined name will work in a simplest case,
in a real multi-tenant deployment a network name conflict is possible.
Using a UUID is safer in this regard.
[*] networks created in overcloud neutron
Change-Id: I1b7dc2ff70d3b76f19a183a60e88cf72f6d2a318
Closes-Bug: #1661082
|
|
This patch seeks to add futher security functions present within
tripleo for the ocata release.
Change-Id: Ie89b85589c2dfd3580de75253b73009b5d06c9f2
|
|
This patch allows the management of the AuditD service and its associated
files (such as `audit.rules`)
This is achieved by means of the `puppet-auditd` puppet module.
Also places ssh banner capabilities map on top of patch
Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d
Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
|
|
|