Till now we've been flusing iptables in the gates to allow cross node
communication in the multi node ceph jobs. This raised security
concerns, in particular it exposed memcached to the external net.
This patch uses the infra provided role 'multi-node-firewall' in order
to correctly configure iptables. Thanks to Jeremy Stanley and Jeffrey
for help with this.
Closes-Bug: #1749326
Change-Id: Iafaf1cf1d9b0227b0f869969d0bd52fbde3791a0
Ansible provide script module to run shell script, The local script at
path will be transferred to the remote node and then executed, so no
need to copy script to remote node and use shell moulde to run it.
this patch optimise it.
Change-Id: If774502b66652f25593cda137cc8a5baefbd9695
When bootstrap compute hosts for XenAPI, it will generate a facts
file for each compute node. It contains some XenAPI specific variables
for both the compute host and the XenServer where the compute host
run on. This commit is to fetch the facts file into deployment host
and put it under a centralized directory - each compute host will
have a separate sub-dir which is named with its *inventory_hostname*.
In this way, the following tasks can use proper variable from the
proper facts file which exactly belongs to the host they running on.
Change-Id: I68d1a2d098d38c8e6bf4db76cdaf1f0465831822
blueprint: xenserver-support
The original code assumes that ElasticSearch will be deployed
on the same node as Kibana. This isn't always the case. When
they are not on the same node, Kibana will not be able to
connect to ElasticSearch and deployment will fail on the task:
'kibana : Wait for kibana to register in elasticsearch'.
A second advantage of making this change is that Kibana won't
break if ElasticSearch goes down on the node that it's running on
when there are additional ElasticSearch instances on other nodes.
A disadvantage of this change is that queries from Kibana to
ElasticSearch will no longer be local.
Closes-Bug: 1751817
Change-Id: I02ab2e7b1eb963b33e29c8f649cc9db0d63316f7
keystone-ssh is required by keystone-fernet. So start keystone-ssh
container before keystone-fernet.
Closes-Bug: #1751224
Change-Id: Ie1c8ae185549acc3dd87a2c5f0356443ea7924a5
We have pin keyston to queens release which supports UUID token through
https://review.openstack.org/546475, let us use UUID in queens and
migrate to fernet in rocky cycle.
This reverts commit df0bf1903febd124343ffb7fae398f44b9986422.
Change-Id: Ifb0112315b5047461ce0bf02c754cc0beac52d9a
