Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
This adds the ability to manage the securetty file.
By allowing management of securetty, operators can limit root
console access and improve security through hardening.
Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7
Partial-Bug: #1665042
Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
|
|
Change-Id: I397a6ad430cef5ddb4eee48347ad4c89144ad01e
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
Ceilometer API has been deprecated since Ocata. lets disable
it by default and add an env file to enable it if needed.
Closes-bug: #1676968
Change-Id: I571f5467466c29271e0235e8fde6bdae07c20daf
|
|
L2 Gateway (L2GW) is an API framework for OpenStack that offers bridging
two or more networks together to make them look at a single broadcast
domain. This patch implements the l2gw neutron service plugin support part
in t-h-t.
Change-Id: I1b52dc2c11a15698e43b6deeac6cadeeba1802d5
Depends-On: I01a8afdc51b2a077be1bbc7855892f68756e1fd3
Partially-Implements: blueprint l2gw-service-integration
Signed-off-by: Peng Liu <pliu@redhat.com>
|
|
This profile will request the certificates for the services on the node.
So with this, we will remove the requesting of these certs on the
services' profiles themselves.
The reasoning for this is that for a containerized environment, the
containers won't have credentials to the CA while the baremetal node
does. So, with this, we will have this profile that still gets executed
in the baremetal nodes, and we can subsequently pass the requested
certificates by bind-mounting them on the containers. On the other hand,
this approach still works well for the TLS-everywhere case when the
services are running on baremetal.
Change-Id: Ibf58dfd7d783090e927de6629e487f968f7e05b6
Depends-On: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
|
|
This project aims at supporting inter-connection between L3VPNs
and Neutron resources, i.e. Networks, Routers and Ports.
Partially-Implements: blueprint bgpvpn-service-integration
Depends-On:I7c1686693a29cc1985f009bd7a3c268c0e211876
Change-Id: I576c9ac2b443dbb6886824b3da457dcc4f87b442
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
This aligns the docker based services with the new composable upgrades
architecture we landed for ocata, and does a first-pass adding upgrade_tasks
for the services (these may change, atm we only disable the service on
the host).
To run the upgrade workflow you basically do two steps:
openstack overcloud deploy --templates \
-e environments/major-upgrade-composable-steps-docker.yaml
This will run the ansible upgrade steps we define via upgrade_tasks
then run the normal docker PostDeploySteps to bring up the containers.
For the puppet workflow there's then an operator driven step where
compute nodes (and potentially storage nodes) are upgrades in batches
and finally you do:
openstack overcloud deploy --templates \
-e environments/major-upgrade-converge-docker.yaml
In the puppet case this re-applies puppet to unpin the nova RPC API
so I guess it'll restart the nova containers this affects but otherwise
will be a no-op (we also disable the ansible steps at this point.
Depends-On: I9057d47eea15c8ba92ca34717b6b5965d4425ab1
Change-Id: Ia50169819cb959025866348b11337728f8ed5c9e
|
|
This uses the mysql client configuration file to configure if SSL should
be used for the connection if SSL in the internal network is enabled.
Change-Id: Ifd1a06e0749a05a65f6314255843f572d2209067
|
|
Vector Packet Processing (VPP) is a high performance packet processing
stack that runs in user space in Linux. VPP is used as an alternative to
kernel networking stack for accelerated network data path. This patch
adds VPP as a composable service. Note that NIC binding related configs
for VPP are handled in os-net-config.
Depends-on: I70a68a204a8b9d533fc2fa4fc33c39c3b1c366bf
Change-Id: I5e4b1903dc87cb16259eeb05db585678acadbc6b
Implements: blueprint fdio-integration-tripleo
|
|
This was accidentally removed in
If581f301a5493ef33ac1386bdc22f9fca4f2544e looks like
Change-Id: I0e2c4fe664daca5c50921673db067701195c501f
|
|
When fixing LP#1643487 we added ?bind_address to all DB URIs.
Since this clashes with Cellsv2 due to the URIs becoming host
dependent, we need a new approach to pass bind_address to pymysql
that leaves the DB URIs host-independent.
In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a
/etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct
bind-address option.
In this change we make sure that the DB URIs will point to the added
file and to the specific section containing the necessary bind-address
option. We do introduce a new MySQLClient profile which will hold all
this more client-specific configuration so that this change can fit
better in the composable roles work. Also, in the future it might
contain the necessary configuration for SSL for example.
Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist
(because it is created via the mysqlclient profile), things keep on
working as usual and the bind-address option simply won't be set, which
has no impact on hosts where there are no VIPs.
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12
Related-Bug: #1643487
Closes-Bug: #1663181
Closes-Bug: #1664524
Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
|
|
|
|
Depends-On: Ic74ccd5fa7b3b04ca810416e5160463252f17474
Implements: blueprint congress-service-integration
Change-Id: Ie60540c340c0eb71ff376aba65507a8bb3e909b6
Signed-off-by: Dan Radez <dradez@redhat.com>
|
|
This delivers a /root/tripleo_upgrade_node.sh to those nodes
that have the disable_upgrade_deployment flag set to true.
They will later be upgraded manually by the operator who will
invoke the script delivered here using upgrade-non-controller.sh
We can also deliver any service specific upgrade configuration,
such as configuring nova-compute to use the placement API as this
is required in order for placement to be configured and installed
during the subsequent upgrade steps for controller services.
This removes the compute and swift specific upgrade scripts as
they are now merged into the common
tripleo_upgrade_node.sh - removing any hard coded
reference to a particular role name (compute/objectstorage) and
only relying on the disable_upgrade_deployment is roles_data.yaml
Change-Id: I4531a4038b78087ef4a1a62c35f1328822427817
Co-Authored-By: Mathieu Bultel <mbultel@redhat.com>
|
|
Depends-On: Ide0e60f3b7a3733788af4337c1c39b4a956c876f
Depends-On: I3d6bbc05644e840395f87333ec80e3b844f69903
Depends-On: Idf6abcb7fe766546cb362ad4afe54f4bccd9c994
Implements: blueprint tacker-service-integration
Change-Id: Ibddc81561f6e6ba671bd01a9251c57d3ad67ba8c
Signed-off-by: Dan Radez <dradez@redhat.com>
|
|
|
|
The collectd composable service permits an operator to configure
collectd metrics collection as part of the overcloud install.
Depends-on: I03cfbd96778a76125d18e2ca2f48d96e292608de
Change-Id: I143565329f5128f15cc39c9b62a6b242666383ab
|
|
This patch adds the Octavia services to the registry and controller role
(disabled by default). Also included is an example environment file for
enabling the services and required configuration. The API service
profile is also amended configure the load balancer service provider in
neutron to point to the octavia load balancer driver.
Change-Id: I7f3bba950f5b1574ba842a39e93a8ac2b1ccf7bb
Partially-implements: blueprint octavia-service-integration
|
|
This patch allows the management of the AuditD service and its associated
files (such as `audit.rules`)
This is achieved by means of the `puppet-auditd` puppet module.
Also places ssh banner capabilities map on top of patch
Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d
Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
|
|
|
|
|
|
This change adds a profile to deploy the Ceph RBD mirroring daemon
as a Pacemaker resource.
Change-Id: Ib07e5bca6a45f0c6c59a3acf07f4e3ae9d2f8948
Depends-On: Ic63dc5cffece38942d305f538f71dd58a5d50789
Closes-Bug: #1652177
|
|
Allow use of ooo template to populate banner text into /etc/issue
Change-Id: If5b2da9415f10652a0a64503b2da4b63d1018640
Depends-On: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
|
|
Some services (e.g ceph mon) require upgrading in batches (the old
upgrade architecture did the ceph mon upgrade one controller at a
time). This interface enables doing the same, and over time we
can probably move more services into this interface (e.g when
services support rolling upgrades) to reduce downtime.
Change-Id: If581f301a5493ef33ac1386bdc22f9fca4f2544e
Partially-Implements: blueprint overcloud-upgrades-per-service
|
|
|
|
|
|
This change adds the ec2api service using the
tripleo::profile::base::nova::ec2api profile.
The deprecated nova-cert service is not supported, and therefore the
RegisterImage action is not supported either.
Change-Id: I2510fd4ed935d8423216fff9ce3adf2d69c9c804
Depends-On: If4b091e1ca02f43aa9c65392baf8ceea007b7cfb
|
|
|
|
As part of the composable upgrades current plan is to disable
the composable upgrades steps running on a particular role
(e.g. all compute nodes) in favor of a later operator driven
upgrades process as has previously been the case
This adds the disable_upgrade_deployment flag to roles_data as
a first step. Thanks to shardy for his help with this.
Change-Id: Ice845742a043b34917e61f662885786c73e955fd
|
|
Introduce THT for fossw ML2 plugin in networking-fujitsu.
networking-fujitsu is a neutron ML2 plugin which enables several
FUJITSU switch products in OpenStack environment. This templates
deploy overcloud with FOS switch.
Change-Id: I977dbecbf9f6f9725f7fb5ca4745b537a73975ff
Implements: blueprint integration-fossw-networking-fujitsu
Depends-On: I044c5812bbc5cd3de4bc33556cffbe5bad8e64cf
Depends-On: I79df6b6a27d95f0c0e2c87207ab80235a4efccfc
|
|
etcd is used by networking-vpp ML2 driver as the messaging mechanism. This
patch adds etcd service which can be used by other services.
Implements: blueprint fdio-integration-tripleo
Depends-on: Idaa3e3deddf9be3d278e90b569466c2717e2d517
Change-Id: I8ae1e2c9b0c3d6f448e1da712100938d011289f5
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
|
|
|
|
Add support to deploy Nova Placement API service in TripleO.
Change-Id: Ie41ebc362a0695c8f55419e231100c63007405ed
|
|
Glance registry is not required for the v2 of the API and there are
plans to deprecate it in the glance community.
Let's remove v1 support since it has been deprecated for a while in
Glance.
Depends-On: I77db1e1789fba0fb8ac014d6d1f8f5a8ae98ae84
Co-Authored: Flavio Percoco <flaper87@gmail.com>
Change-Id: I0cd722e8c5a43fd19336e23a7fada71c257a8e2d
|
|
Cinder configuration with HPELeftHandISCSIDriver
for VSA storage
Change-Id: Iaefbf38522069f6c636130e357f19a7fb7d54fe4
|
|
|
|
|
|
This change adds a CephMds service, disabled by default, on the
Controller role and an environment file to enable it.
Change-Id: If7cb46319038a80ed52f753a623989885e1b7da4
Depends-On: Iaecc3ff7acb851776c5057c42a5a513a70425d2c
Partial-Bug: #1644784
|
|
Introduce THT for networking-fujitsu. networking-fujitsu is a neutron ML2 plugin
which enables FUJITSU C-Fabric switch in OpenStack environment. This templates
deploy overcloud with C-Fabric switch.
Change-Id: Iee75a1a30552d8dc9f55f52d10b0dc2b623992ef
Implements: blueprint integration-networking-fujitsu
Depends-On: I37a502b43eb7d91bfe20625248ed117eae3ca535
Depends-On: I5eb2c2a9c50b5991d62f4b6d74b83351c86b02de
|
|
Add a new roles data YAML file and environment to help
create the undercloud via t-h-t.
Partially-implements: blueprint heat-undercloud
Change-Id: I36df7fa86c2ff40026d59f02248af529a4a81861
|
|
With change I80c8559bb2d915385bcc20ae71fe144ddd6591c1 we removed
all the unused puppet-tripleo pacemaker profiles. With this change
we remove the corresponding puppet profiles from tripleo-heat-templates.
We can also remove any trace of the fake ::Core service as it was
introduced via Iacd94294b8a66bc082bb2b3e8d3364ec1bf053b8
for the fake openstack-core pacemaker resource during the Mitaka cycle
and became unused in Newton.
Change-Id: I48cd2b6a4593d673d5883b45feae088392e7e713
|
|
Adds a custom roles data file for use when using the deployed-server
templates. The file takes care of setting disable_constraints: True, so
that deployers don't have to do things like create fake images in
glance.
Also adds a comment to roles_data.yaml documenting disable_constraints.
Partially-implements: blueprint split-stack-software-configuration
Change-Id: I7c26c0c2851e0d6bcea42d7af7f4295a1944ec9f
|
|
This allows us to take advantage of the composable roles hiera
settings to connect the plugin to the northd/ovndb API without
needing to hard-code the IP of the node running the service.
Change-Id: I2508d48f81c1819ae3521fff271c0bdc50724604
Depends-On: I9af7bd837c340c3df016fc7ad4238b2941ba7a95
Closes-Bug: #1634171
|
|
Change-Id: Iecafa7878fec20c707e94bdaca55f1489f3e338a
|
|
This patch drops use of the vip-hosts.yaml service which can
cause issues during deployment because puppet 'hosts' resources
overwrite the data in /etc/hosts. The only reason things seem to work
at all at the moment is because our hosts element in t-i-e runs
on each os-refresh-config iteration and re-adds the dropped hosts
entries.
To work around the issue we add a conditional which selectively
adds the extra hosts entries only if the AddVipsToEtcHosts is set
to true.
Closes-bug: 1645123
Change-Id: Ic6aaeb249a127df83894f32a704219683a6382b2
|
|
|