Configure the deployment_user to be part of the docker group, required for
openstack container commands.
Change-Id: Ifd1bec1262dfbd213810bb2b4d561f47bf010e69
See https://bugzilla.redhat.com/show_bug.cgi?id=1541528
We don't want IPtables rules managed by Neutron to be persistent, as it can
cause issues when rules are recreated while a namespace doesn't exist.
This patch makes sure that in any Neutron node, no IPtables rule will be
persistent if it contains "neutron-" in the name.
Change-Id: Ife465c2c6739c3cbfb9923ed97f370baa745739c
Related-Bug: #1747960
This change adds a new define for cinder::backend::dellemc_xtremio_iscsi
Change-Id: I0bb926becaf32e62cfc79d37c619282416b0627d
Implements: blueprint dellemc-xtremeio-cinder
Configures ca/certs/key for nova-novnc vencrypt.
A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.
Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
Neutron agents need key/certificate in order to communicate with OVS
using SSL.
Partial-Bug: 1746762
Change-Id: I4bbaf00f0776cab0be34d814a541fb2fd1e64326
Signed-off-by: Tim Rozet <trozet@redhat.com>
This change adds test coverage for the tripleo::keepalived class
and exposes the ability to pass network_vips as a parameter rather than
just via hiera.
Change-Id: Ied2f26f6bfdcd9c4fe85f08461b997c15c66345f
Allow puppet-keystone to manage the _member_ role, which is required
by Horizon. Can be enabled with the keystone_enable_member parameter (disabled
by default).
A patch in tripleo-heat-templates will activate this boolean to true so
Horizon deployments will trigger the role creation.
Change-Id: I5272f1fc199772043db48d29b0ea99a8bfff4ed5
Related-Bug: #1741066
In 6d55417f80384ead56e176beec9e2fc4eb162d61 cloudwatch api
has been removed from heat.
Change-Id: Ic11d8803bb260fe302da929eda9ec8d547a92176
Depends-On: https://review.openstack.org/541132
This change adds a new define for cinder::backend::emc_vnx
Change-Id: Ieab9a66db78b61383dca4400e06cb1152660933a
Implements: blueprint dellemc-vnx-cinder
Allows enabling TLS for the ODL service as well as OVS.
Partially-Implements: blueprint opendaylight-ssl-support
Depends-On: I719e8dddbd00d19fd8e1bd2a20dabd600b7b9d1c
Change-Id: Id579aea77bf8d679b514ef9851af36d9170e93a1
Signed-off-by: Tim Rozet <trozet@redhat.com>
Swift added a requirement that storage directories must exist before
using them. In case of the d1 directory in TripleO - used when there are
no "real disks" - it has to be created by TripleO in advance.
Related-Bug: 1729569
Change-Id: I49e395ac379ced01adb60d8d9f951c08718b1c61
Configure all VIPs including those on custom composable networks.
Hard-coded network names are removed and instead a hiera parameter
containing all networks is used.
For keepalived, the vrouter_id is generated from an index for each
network in the hiera data. This will change the vrouter_ids for
some VIPs.
Change-Id: I117454afe750451ad1f2633fa0f196bb71740b8d
Partial-Bug: 1741129
Depends-On: If8d3219a0714e3db34980e884dce84912a837865
This enables us to configure the security compliance options through
t-h-t.
Depends-On: Ic4d962910343ad30de7840124bbc7773ea3697a1
Change-Id: I089f2e28cce2688ed080096c88ab539393627cfb
In order to get proper support for authenticated endpoints, this patch
creates a new definition (tripleo::haproxy::userlist) and exploits it in
the dynamic endpoint (tripleo::haproxy::service_endpoints) as well as
the standard tripleo::haproxy::endpoint.
It also detected a small issue with the "underscorization" of the
service name, the missing 'G' flag for regsubst, that prevented all
dashes from being replaced by underscores.
Change-Id: Ie7471155d1ef3f6adc177a468b81ac410bbfb9c0
Closes-Bug: 1736132
In order to get proper unit test suites, we need to change the
separator from the "dot" to "double-semicolons".
The "." is a reserved character in YAML for hashes. In the puppet world,
we commonly use "::".
Unit tests don't work if we keep the "dot" separator, and apparently it's
an intended outcome with that kind of syntax.
The fact that it's working in the deploy process is kind of black magic (see the
tripleo::firewall::service_rules resource for example). And the "dot"
creates something weird, as all other resources are using the standard
double-semicolon.
Change-Id: I78625a6e69f58dfb2bbad83fdd4f798cd3f4c281
Closes-Bug: 1737086
In order to get proper unit test suites, we need to change the
separator from the "dot" to "double-semicolons".
The "." is a reserved character in YAML for hashes. In the puppet world,
we commonly use "::".
Unit tests don't work if we keep the "dot" separator, and apparently it's
an intended outcome with that kind of syntax.
The fact that it's working in the deploy process is kind of black magic (see the
tripleo::haproxy::service_endpoints resource for example). And the "dot"
creates something weird, as all other resources are using the standard
double-semicolon.
Change-Id: If53d632ab458b0c04a8b7211194c18ebc8978d23
Closes-Bug: 1737086
Kernel 4.10 supports changing SR-IOV to switchdev mode.
This mode allows creating VF representors which can manage
the SR-IOV VFs from the hypervisor.
This patch extends the tripleo::host::sriov::number_of_vf to
<physical_network>:<number_of_vfs>:<sriov_mode>,
where sriov_mode accepts legacy or switchdev.
If sriov_mode is not specified we default to legacy.
Change-Id: I578f956f2a8c6ee29a9d1ff38ee51765bcab05c1
This change enables configuration of certificate based properties in
Octavia for setting up secure communication with amphorae.
Change-Id: I164da1228397f9a900118cae377b55f79c4fadaf
This patch enables configuring Octavia's service_auth section which is
required for service-to-service communication.
Depends-On: Ifcd38386db386ee6d61aa7f262b1e14ac6516eb7
Change-Id: I67ab537d1b2a82f17657ed90f794f0fa13c5207f
Port Status in ODL was previously disabled due to bugs which have now
been resolved. This patch enables it via Neutron ML2 conf. Port status
is communicated by ODL through a websocket connection on port 8185.
Therefore we need to enable haproxy to load balance across that port.
Related-Bug: 1718508
Change-Id: Iebdcc6404f5503eeb45b39380b3f198be175514b
Signed-off-by: Tim Rozet <trozet@redhat.com>
Precision Time Protocol (PTP) is a protocol used to
synchronize clocks throughout a network. When used
in conjunction with hardware support, PTP is capable
of sub-microsecond accuracy which is far better than
is normally obtainable with NTP.
Change-Id: Idc78df3a90b73be504480bc9d33a3f0041d2d84f
This allows getting the full HTTP log (and TCP if not HTTP) from HAProxy,
in case you need any debug from that central point.
In case you want timers for those entries, you might want to use the
already present "$haproxy_globals_override" parameter and set its
content to:
{ 'log' => '/dev/log local0 debug' }
Change-Id: I4667317cbd453875585521b22b0ccbdb208f5353
Closes-Bug: 1733801
Enables management of shadow password directives in login.defs.
By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.
This change will in turn allow operators to adhere with security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.
bp login-defs
Change-Id: Iec8c032adb44593da3770d3c6bb5a4655e463637
Deprecate the keymgr_api_class input parameter and replace with new
keymgr_backend option. This mimics an equivalent set of changes in
puppet-cinder and puppet-nova, which were driven by a similar change
in Castellan's key manager options.
The deprecated value is still supported for backward compatibility.
Closes-Bug: #1732998
Change-Id: I5036c8de9a429f22e1828b4e37735f4aa47bd858
This was missing, and therefore the Swift hashes were not properly set in
swift.conf if only the proxy manifest was applied (for example when
deploying separate storage nodes).
Related-Bug: 1732663
Change-Id: I11c044bbc8b9f56f95ace9320cc77303d9a7543e
By default keystone sends notifications to the 'notifications'
topic. This is consumed by default by ceilometer. However, when
ceilometer is not enabled, rabbitmq accumulates these notifications
since nothing is consuming them. This results in the queue consuming
rabbitmq's memory.
With this capability, we can now dynamically configure notification
topics depending on the 'keystone_notification_topics' hiera key.
Related-Bug: #1729293
Change-Id: I4dcce73446633c08ea37ba567610eec398094036
With this resource we can add the values needed for haproxy via t-h-t,
instead of having everything in the haproxy manifest. Right now nothing
is using it, but subsequent and per-service changes will come.
Change-Id: I8ab49c0b8d8f42ce68c0c7fe3ef8067a7d0da3c0
Port status was already disabled in HA deployments pending a fix for:
https://bugs.opendaylight.org//show_bug.cgi?id=9147
However even in noha deployments port status will not work because ODL
is unable to bind to a specific IP for websocket, meaning it binds to
all IPs and haproxy cannot bind the VIP. Therefore we need to disable
it for all deployments until also this bug is fixed:
https://bugs.opendaylight.org//show_bug.cgi?id=9256
Related-Bug: 1718508
Change-Id: I2f2dc3ece97c97fc8477d4129d69719866a7f0c1
Signed-off-by: Tim Rozet <trozet@redhat.com>
You can either append new options or override existing ones.
This can be particularly useful in case you want to set your own log
options, for example.
Change-Id: I19005b7e70e624d3b64b6c2ac8eaadfdec3944db
Closes-Bug: 1721246
Expose a new Puppet parameter to the snmp profile, ``snmpd_config``, which
is an array defined to undef by default.
It can be used to override all snmpd configuration for advanced
deployments.
If used, all parameters have to be configured, including users and
passwords, which should be the same as given to snmpd_password
and snmpd_user. There is no logic that will verify the content
of ``snmpd_config``.
Example of hieradata which configures snmpd_config:
snmpd_config:
  - 'createUser ro_snmp_user MD5 "secrete"'
  - 'rouser ro_snmp_user'
  - 'proc neutron-server'
  - 'proc nova-api'
Depends-On: I5c322b3f5350261b58ef065bd3ded0369cadbc4c
Change-Id: Ief2518d5e47137215a34e9ae3b35c27c87fa6e08
Closes-Bug: #1720868