348 Commits

Author SHA1 Message Date
Emilien Macchi
f81ee4f865 docker: configure group/user for deployment_user
Configure the deployment_user to be part of docker group, required for
openstack container commands.

Change-Id: Ifd1bec1262dfbd213810bb2b4d561f47bf010e69
2018-02-15 12:17:04 -08:00
Emilien Macchi
3c71c483e3 Remove neutron-managed firewall rules from /etc/sysconfig/iptables
See https://bugzilla.redhat.com/show_bug.cgi?id=1541528

We don't want IPtables rules managed by Neutron to be persistent, as it can
cause issues when rules are recreated while a namespace doesn't exist.

This patch makes sure that in any Neutron node, no IPtables rule will be
persistent if it contains "neutron-" in the name.

Change-Id: Ife465c2c6739c3cbfb9923ed97f370baa745739c
Related-Bug: #1747960
2018-02-14 21:44:51 -08:00
rajinir
23add877fd Add support for Dell EMC XtremIO Cinder ISCSI Backend
This change adds a new define for cinder::backend::dellemc_xtremio_iscsi

Change-Id: I0bb926becaf32e62cfc79d37c619282416b0627d
Implements: blueprint dellemc-xtremeio-cinder
2018-02-14 10:15:58 -06:00
Oliver Walsh
ceb4faebe1 Add support for libvirt VNC TLS with option of a dedicated CA
Configures ca/certs/key for nova-novnc vencrypt.

A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.

Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
2018-02-14 10:23:26 +00:00
Zuul
10a833071b Merge "Remove support for heat-api-cloudwatch service" 2018-02-09 13:19:14 +00:00
Zuul
2fca0708cc Merge "Adds missing Neutron TLS certificate/key generation" 2018-02-08 07:49:14 +00:00
Tim Rozet
92c7d6880b Adds missing Neutron TLS certificate/key generation
Neutron agents need key/certificate in order to communicate with OVS
using SSL.

Partial-Bug: 1746762

Change-Id: I4bbaf00f0776cab0be34d814a541fb2fd1e64326
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-02-07 15:00:30 -05:00
Alex Schultz
e083f248a9 Add tests for tripleo::keepalived
This change adds test coverage for the tripleo::keepalived class
and exposes the ability to pass network_vips as a parameter rather than
just via hiera.

Change-Id: Ied2f26f6bfdcd9c4fe85f08461b997c15c66345f
2018-02-06 16:47:22 -07:00
Emilien Macchi
95db3f03cb keystone: support _member_ role management
Allow puppet-keystone to manage the _member_ role, which is required
by Horizon. Can be enabled with the keystone_enable_member parameter (disabled
by default).

A patch in tripleo-heat-templates will activate this boolean to true so
Horizon deployments will trigger the role creation.

Change-Id: I5272f1fc199772043db48d29b0ea99a8bfff4ed5
Related-Bug: #1741066
2018-02-06 17:51:14 +00:00
rabi
4b8aac2405 Remove support for heat-api-cloudwatch service
In 6d55417f80384ead56e176beec9e2fc4eb162d61 cloudwatch api
has been removed from heat.

Change-Id: Ic11d8803bb260fe302da929eda9ec8d547a92176
Depends-On: https://review.openstack.org/541132
2018-02-06 06:17:56 +00:00
Zuul
42e7ab0299 Merge "Add variable for keystone topics queue for barbican" 2018-01-27 05:06:05 +00:00
Zuul
5d52039e0b Merge "Add support for Dell EMC VNX Cinder Backend" 2018-01-27 05:06:04 +00:00
Ade Lee
aa7c76329a Add variable for keystone topics queue for barbican
Barbican keystone listener needs its own queue for keystone
notifications.

Change-Id: I3a81e109fcfe8ec8bb434ece7a7fd92f3642922c
2018-01-23 11:44:17 -05:00
rajinir
aeb8482938 Add support for Dell EMC VNX Cinder Backend
This change adds a new define for cinder::backend::emc_vnx

Change-Id: Ieab9a66db78b61383dca4400e06cb1152660933a
Implements: blueprint dellemc-vnx-cinder
2018-01-22 16:01:35 -06:00
Zuul
9fd33795b8 Merge "Adds TLS support for OpenDaylight" 2018-01-22 19:50:15 +00:00
Tim Rozet
10468ae5f9 Adds TLS support for OpenDaylight
Allows enabling TLS for the ODL service as well as OVS.

Partially-Implements: blueprint opendaylight-ssl-support

Depends-On: I719e8dddbd00d19fd8e1bd2a20dabd600b7b9d1c

Change-Id: Id579aea77bf8d679b514ef9851af36d9170e93a1
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-01-19 17:11:07 -05:00
Christian Schwede
ffd524d7f1 Create Swift directory d1 if needed
Swift added a requirement that storage directories must exist before
using them. In case of the d1 directory in TripleO - used when there are
no "real disks" - it has to be created by TripleO in advance.

Related-Bug: 1729569
Change-Id: I49e395ac379ced01adb60d8d9f951c08718b1c61
2018-01-11 06:06:55 +00:00
Zuul
f017d17a8a Merge "Configure VIPs for all networks including composable networks" 2018-01-10 07:06:42 +00:00
Bob Fournier
5824044527 Configure VIPs for all networks including composable networks
Configure all VIPs including those on custom composable networks.
Hard-coded network names are removed and instead a hiera parameter
containing all networks is used.

For keepalived, the vrouter_id is generated from an index for each
network in the hiera data.  This will change the vrouter_ids for
some VIPs.

Change-Id: I117454afe750451ad1f2633fa0f196bb71740b8d
Partial-Bug: 1741129
Depends-On: If8d3219a0714e3db34980e884dce84912a837865
2018-01-04 15:23:35 -05:00
Juan Antonio Osorio Robles
50f6aa1884 Include security_compliance manifest in keystone
This enables us to configure the security compliance options through
t-h-t.

Depends-On: Ic4d962910343ad30de7840124bbc7773ea3697a1
Change-Id: I089f2e28cce2688ed080096c88ab539393627cfb
2018-01-04 10:18:46 +02:00
Zuul
0caaf51a39 Merge "Add PTP service" 2017-12-23 01:24:12 +00:00
Cédric Jeanneret
9d438cd142 Add Basic Authentication support for HAProxy
In order to get a proper support for authenticated endpoints, this patch
creates a new definition (tripleo::haproxy::userlist) and exploit it in
the dynamic endpoint (tripleo::haproxy::service_endpoints) as well as
standard tripleo::haproxy::endpoint.

It also detected a small issue with the "underscorization" of the
service name, the missing 'G' flag for regsubst, that prevented all
dashes from being replaced by underscores.

Change-Id: Ie7471155d1ef3f6adc177a468b81ac410bbfb9c0
Closes-Bug: 1736132
2017-12-16 09:37:27 +01:00
Cédric Jeanneret
4430253701 Add unit test for tripleo::haproxy::service_endpoints
In order to get a proper unit test suite, we need to change the
separator from the "dot" to "double-semicolons".

The "." is a reserved character in YAML for hashes. In puppet world,
we commonly use "::".

Unit tests don't work if we keep the "dot" separator, and apparently it's
an intended outcome with that kind of syntax.

The fact that it works in the deploy process is kind of black magic (see the
tripleo::firewall::service_rules resource for example). And the "dot"
creates something weird, as all other resources are using the standard
double-semicolon.

Change-Id: I78625a6e69f58dfb2bbad83fdd4f798cd3f4c281
Closes-Bug: 1737086
2017-12-14 09:47:43 +01:00
Zuul
b081ab67fa Merge "Add unit tests for tripleo::firewall::service_rules" 2017-12-13 23:30:13 +00:00
Cédric Jeanneret
41f9b0d3cf Add unit tests for tripleo::firewall::service_rules
In order to get a proper unit test suite, we need to change the
separator from the "dot" to "double-semicolons".

The "." is a reserved character in YAML for hashes. In puppet world,
we commonly use "::".

Unit tests don't work if we keep the "dot" separator, and apparently it's
an intended outcome with that kind of syntax.

The fact that it works in the deploy process is kind of black magic (see the
tripleo::haproxy::service_endpoints resource for example). And the "dot"
creates something weird, as all other resources are using the standard
double-semicolon.

Change-Id: If53d632ab458b0c04a8b7211194c18ebc8978d23
Closes-Bug: 1737086
2017-12-13 07:22:46 +01:00
waleed mousa
e5c563290c Add support for switchdev mode in SR-IOV
Kernel 4.10 supports changing SR-IOV to switchdev mode.
This mode allows creating VF representors which can manage
the SR-IOV VFs from the hypervisor.

This patch extends the tripleo::host::sriov::number_of_vf to
<physical_network>:<number_of_vfs>:<sriov_mode>,
where sriov_mode accepts legacy or switchdev.
If sriov_mode is not specified we default to legacy.

Change-Id: I578f956f2a8c6ee29a9d1ff38ee51765bcab05c1
2017-12-12 14:58:43 +00:00
Zuul
388cbac566 Merge "Enable Octavia service_auth configuration" 2017-12-09 05:32:26 +00:00
Zuul
bcf9570978 Merge "Add multiple backends for barbican" 2017-12-07 22:58:07 +00:00
Brent Eagles
bddbced119 Enable octavia certificate configuration
This change enables configuration of certificate based properties in
Octavia for setting up secure communication with amphorae.

Change-Id: I164da1228397f9a900118cae377b55f79c4fadaf
2017-12-06 11:20:36 -03:30
Brent Eagles
43fd15375d Enable Octavia service_auth configuration
This patch enables configuring Octavia's service_auth section which is
required for service-to-service communication.

Depends-On: Ifcd38386db386ee6d61aa7f262b1e14ac6516eb7
Change-Id: I67ab537d1b2a82f17657ed90f794f0fa13c5207f
2017-12-06 09:42:20 -03:30
Ade Lee
37d64357d6 Add multiple backends for barbican
Depends-On: I8cb8d3cd745fbf7ddba1ce8e5347b38342afd58d
Change-Id: I07e52897897f453382f74aa4fdaa98c37e6eca30
2017-12-05 02:28:14 -05:00
Zuul
14008148c6 Merge "Enables websocket based port status for OpenDaylight" 2017-12-02 09:56:30 +00:00
Zuul
091b587acb Merge "Adding manifest for Cisco VTS ML2 mechanism driver configuration" 2017-11-30 05:59:02 +00:00
Zuul
28adbf1c3f Merge "Fix use of deprecated "api_class" key manager option" 2017-11-30 05:59:01 +00:00
Zuul
048b3b5bec Merge "Introduces puppet module for /etc/login.defs" 2017-11-30 05:58:57 +00:00
Zuul
e68abd6abf Merge "Add Octavia API endpoint to haproxy" 2017-11-29 15:08:32 +00:00
Tim Rozet
bc3feec75f Enables websocket based port status for OpenDaylight
Port Status in ODL was previously disabled due to bugs which have now
been resolved.  This patch enables it via Neutron ML2 conf.  Port status
is communicated by ODL through a websocket connection on port 8185.
Therefore we need to enable haproxy to load balance across that port.

Related-Bug: 1718508

Change-Id: Iebdcc6404f5503eeb45b39380b3f198be175514b
Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-11-27 11:43:04 -05:00
zshi
07eabfd08d Add PTP service
Precision Time Protocol (PTP) is a protocol used to
synchronize clocks throughout a network. When used
in conjunction with hardware support, PTP is capable
of sub-microsecond accuracy which is far better than
is normally obtainable with NTP.

Change-Id: Idc78df3a90b73be504480bc9d33a3f0041d2d84f
2017-11-27 16:43:32 +08:00
Brent Eagles
c410f608ca Add Octavia API endpoint to haproxy
This patch adds an endpoint for Octavia API to haproxy.

Closes-Bug: #1728589

Change-Id: I978b83fa5f3900d2f09c2affc59e90e150a42892
2017-11-23 08:15:34 -03:30
Cédric Jeanneret
323cd64c58 Added new parameter: $activate_httplog
This allows getting the full HTTP log (and TCP if not HTTP) from HAProxy,
in case you need any debugging from that central point.

In case you want timers for those entries, you might want to use the
already present "$haproxy_globals_override" parameter and set its
content to:
{ 'log' => '/dev/log local0 debug'  }

Change-Id: I4667317cbd453875585521b22b0ccbdb208f5353
Closes-Bug: 1733801
2017-11-22 21:33:38 +01:00
Zuul
2b80eeb55e Merge "Add resource to create haproxy endpoints dynamically" 2017-11-22 19:33:23 +00:00
Wojciech Dec
5251ff5e4b Adding manifest for Cisco VTS ML2 mechanism driver configuration
Change-Id: I4329d54d66c8a02f651887c90f43b0658ebab384
Implements: blueprint ml2-cisco-vts
Signed-off-by: Wojciech Dec <wdec@cisco.com>
2017-11-22 15:58:23 +01:00
lhinds
9d6f569ab9 Introduces puppet module for /etc/login.defs
Enables management of shadow password directives in login.defs

By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.

This change will in turn allow operators to adhere to security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.

bp login-defs

Change-Id: Iec8c032adb44593da3770d3c6bb5a4655e463637
2017-11-22 11:09:08 +00:00
Alan Bishop
bcc8ccccb1 Fix use of deprecated "api_class" key manager option
Deprecate the keymgr_api_class input parameter and replace with new
keymgr_backend option. This mimics an equivalent set of changes in
puppet-cinder and puppet-nova, which were driven by a similar change
in Castellan's key manager options.

The deprecated value is still supported for backward compatibility.

Closes-Bug: #1732998
Change-Id: I5036c8de9a429f22e1828b4e37735f4aa47bd858
2017-11-17 16:24:08 -05:00
Christian Schwede
86df825028 Include swift base class in the proxy class
This was missing, and therefore the Swift hashes were not properly set in
swift.conf if only the proxy manifest was applied (for example when
deploying separate storage nodes).

Related-Bug: 1732663
Change-Id: I11c044bbc8b9f56f95ace9320cc77303d9a7543e
2017-11-16 11:16:02 +01:00
Juan Antonio Osorio Robles
bbe7d9effe Make keystone notification topics configurable
By default keystone sends notifications to the 'notifications'
topic. This is consumed by default by ceilometer. However, when
ceilometer is not enabled, rabbitmq accumulates these notifications
since nothing is consuming them. This results in the queue consuming
rabbitmq's memory.

With this capability, we can now dynamically configure notification
topics depending on the 'keystone_notification_topics' hiera key.

Related-Bug: #1729293
Change-Id: I4dcce73446633c08ea37ba567610eec398094036
2017-11-01 13:47:03 +00:00
Juan Antonio Osorio Robles
7ff44712c1 Add resource to create haproxy endpoints dynamically
With this resource we can add the values needed for haproxy via t-h-t,
instead of having everything in the haproxy manifest. Right now nothing
is using it, but subsequent and per-service changes will come.

Change-Id: I8ab49c0b8d8f42ce68c0c7fe3ef8067a7d0da3c0
2017-10-09 09:12:48 +02:00
Tim Rozet
2471a8669d Disables port status for all ODL deployments
Port status was already disabled in HA deployments pending a fix for:
https://bugs.opendaylight.org//show_bug.cgi?id=9147

However even in noha deployments port status will not work because ODL
is unable to bind to a specific IP for websocket, meaning it binds to
all IPs and haproxy cannot bind the VIP.  Therefore we need to disable
it for all deployments until also this bug is fixed:
https://bugs.opendaylight.org//show_bug.cgi?id=9256

Related-Bug: 1718508

Change-Id: I2f2dc3ece97c97fc8477d4129d69719866a7f0c1
Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-10-08 14:17:44 +00:00
Cédric Jeanneret
e62efd0782 Allow to override HAProxy global options.
You can either append new options or override existing ones.

This can be particularly useful in case you want to set your own log
options, for example.

Change-Id: I19005b7e70e624d3b64b6c2ac8eaadfdec3944db
Closes-Bug: 1721246
2017-10-06 08:35:24 +02:00
Emilien Macchi
c211ba78ca Allow to configure snmpd_config
Expose a new Puppet parameter to the snmp profile, ``snmpd_config``, which
is an array defined to undef by default.
It can be used to override all snmpd configuration for advanced
deployments.
If used, all parameters have to be configured, including users and
passwords, which should be the same as given to snmpd_password
and snmpd_user. There is no logic that will verify the content
of ``snmpd_config``.

Example of hieradata which configures snmpd_config:
  snmpd_config:
    - 'createUser ro_snmp_user MD5 "secrete"'
    - 'rouser ro_snmp_user'
    - 'proc neutron-server'
    - 'proc nova-api'

Depends-On: I5c322b3f5350261b58ef065bd3ded0369cadbc4c
Change-Id: Ief2518d5e47137215a34e9ae3b35c27c87fa6e08
Closes-Bug: #1720868
2017-10-04 16:01:44 +00:00