When external-ceph.yaml is included, the CephExternal resource points
to the right tht deployment path.
This change fixes the wrong level that was set to the related Heat
resource.
Closes-Bug: #1954673
Change-Id: Ie31fa16202535c96683ac7f5dc3bbf965d8ad5e2
The tripleo_ovn_mac_port_name can become very
long in case a very long role name is used.
For example, the following role name triggered
the maximum length of 60 characters error:
"DistributedComputeHCIScaleOut"
The tags are used for idempotency in:
tripleo_ansible/ansible_plugins/modules/tripleo_ovn_mac_addresses.py
However the tripleo_ovn_mac_port_name tag is
not actually used.
Related Bug: #1921713
Change-Id: I5b6124210aec0c25ffa7daf82a9c6e944bdb4966
Somewhere along the way we ended up with two copies of
neutron-ovs-dvr.yaml and they have fallen out of sync. This patch syncs
some of the differences.
Change-Id: Ib0a4801eee44d8003d20c2faf79933a123b050eb
This reverts commit 20368af844.
Reason for revert:
It turned out the previous parameter name was correct and
this change updated it to the wrong name in fact.
Change-Id: I0de403cfc2e5b5cd8ad83f568216cbfe7fba01d8
Services need to provide this rsyslog configuration in order for
their logs to get ingested by rsyslog for forwarding.
Closes-Bug: 1953672
Change-Id: I0da99239275fa7f53f032ca4a85460e6111738b4
The parameter name is not manage_libvirt_service's' but
manage_libvirt_service. This parameter actually has no effect in
TripleO because the service resource and the exec resource are both
disabled but would help us reduce unnecessary resources.
Change-Id: I05128eb7ba04194247993e32a16280a135f4d18b
Set +x permission on files:
* tools/convert_heat_nic_config_to_ansible_j2.py
* tools/convert_v1_net_data.py
Other python scripts have the executable permission set.
Align the two scripts with the rest.
Change-Id: I0a0bd4a353bdc35698444b72f093cce176bbe5a0
We are creating a new featureset064 that will deploy overcloud with
custom network + custom overcloud name + IPA integration.
This patch adds the tht templates that we will use in fs064 for
overcloud deployment.
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/818529
Change-Id: I5119a2c0103868fd481b57b890947b2881b86845
The manila::sql_connection parameter is deprecated in favor of
the manila::db::database_connection parameter.
Change-Id: I9c0b59e0f7f1db54e17cf7437e880916fae40133
container-selinux is applying a specific label to that location[1]. In
order to avoid conflict and keep things clean, openstack-selinux allows
container_t to manage files and directories with that new container_log_t
context[2].
Note: this patch must NOT be backported to stable/train, but is needed
in stable/wallaby (osp-17) in order to be consistent.
[1] 7e5f3cae10
[2] db6cb8e7f0
Change-Id: Ic0620f2e619730fa47a0b3feb5ca56d934f1416f
This new linter ensures we don't have any trailing "/" in the container
volume definitions.
Those trailing "/" may create issues with the containers, for instance
for specific mounts such as "/dev"[1].
This patch also takes the opportunity to fix those trailing "/" for the
affected files, in order to start on a clean basis.
[1] https://launchpad.net/bugs/1950176
Change-Id: If951f9643d67574c1225301aab7c9e4b0d316b7f
Related-Bug: #1950176
This adds a new option called EnableSecureRbac so that you can
enable secure RBAC with keystone in TripleO deployments.
This option sets the necessary oslo.policy configuration options in
Heat's configuration file to support secure RBAC.
Change-Id: I865623feb4338c8f51b56d9916fe20f2c515a86e
Signed-off-by: Kevin Carter <kecarter@redhat.com>
With the move to crun instead of runc for the container engine, we seem
to hit a known issue that was corrected back in 2015[1] for runc. There
was then a regression, fixed with [2] a bit later.
There's a good chance crun has a partial fix only, matching only /dev
and not /dev/, leading to the change of /dev/ptmx from an actual node to
a symlink pointing to /dev/pts/ptmx.
Another fix might be ensuring we don't have any trailing "/" in the
volume paths passed to the tripleo-ansible/tripleo_container_manage
module/role.
[1] https://github.com/opencontainers/runc/pull/96
[2] https://github.com/opencontainers/runc/pull/742/files
Closes-Bug: #1950176
Change-Id: I094120f7f2f6bfcfc0cc5843aa1b23629cd90a23
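A check of the kind described in the linter commit and the crun `/dev/` fix above, added here as an example and not the project's own linter code: it walks a parsed template and reports volume entries whose host or container path ends in "/", and shows the normalized form. The function names and the sample template structure are assumptions, and the sample data is constructed.

```python
def split_volume(spec):
    """Split 'host:container[:opts]' into (host, container, opts)."""
    parts = spec.split(":", 2)
    return (parts + [None, None])[:3]

def has_trailing_slash(path):
    # "/" alone is the root directory, not a trailing-slash mistake.
    return bool(path) and len(path) > 1 and path.endswith("/")

def _strings(node):
    """Yield every string below node (volumes are often wrapped in list_concat)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)

def find_trailing_slash_volumes(node, path=""):
    """Return (location, spec) for each volume entry with a trailing '/'."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key == "volumes":
                for spec in _strings(value):
                    host, container, _ = split_volume(spec)
                    if has_trailing_slash(host) or has_trailing_slash(container):
                        findings.append((here, spec))
            else:
                findings.extend(find_trailing_slash_volumes(value, here))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(find_trailing_slash_volumes(value, f"{path}[{index}]"))
    return findings

def fix_volume(spec):
    """Strip trailing '/' from host and container paths, keeping mount options."""
    host, container, opts = split_volume(spec)
    paths = [(p.rstrip("/") or "/") if p else p for p in (host, container) if p is not None]
    return ":".join(paths + ([opts] if opts is not None else []))

# Constructed sample, shaped like a parsed container definition.
SAMPLE = {"docker_config": {"step_4": {"example_service": {
    "image": "example/image:latest",
    "volumes": {"list_concat": [
        {"get_attr": ["ContainersCommon", "volumes"]},
        ["/dev/:/dev/", "/var/log/containers/example:/var/log/example:z",
         "/run/:/run", "/:/host:ro"]]}}}}}

if __name__ == "__main__":
    for location, spec in find_trailing_slash_volumes(SAMPLE):
        print(f"{location}: {spec!r} -> {fix_volume(spec)!r}")
```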
When SRBAC is enforced (*1), keystone requires one of the following
conditions for the validate token API.
1) The user has the service role assigned
2) The user is a system reader
3) The user generated the token
When authtoken middleware validates tokens in requests, it uses service
users to call the validate_token API of Keystone. In this case
condition 3 is never met (the token is generated by an external user
while it is validated by the service user used in the API). In addition,
currently all credentials used for authtoken middleware are
project-scoped, not system-scoped, so condition 2 is never met (*2) if
SRBAC is enforced.
This change adds the project-scoped service role to all service
users so that all service users can use the validate_token API even
if SRBAC is enforced. An alternative approach would be to assign
the system-scoped reader role to these users and replace the credentials
for authtoken middleware with system-scoped ones, but we are likely to
need additional considerations to establish proper design of
system-scoped role assignment.
(*1)
When scope evaluation is enforced (enforce_scope=True) and new rules
are enforced (enforce_new_defaults=True)
(*2)
There are a few exceptions like the nova user, which already has
the project-scoped service role to use the service token feature.
Change-Id: I18acd8da7913e2136bfa67c858381ede6c1e3d24
The default values of api_port and path will be updated soon[1]. This change
adds explicit definitions of these parameters to use a consistent path.
[1] d7b8c158f989f3ac7846ee3d935df39e8533cf10
Change-Id: Ie0e21f1691d3e4e1b69d3abace03d418e638fe45
Add the IronicDefaultBootInterface parameter; otherwise, some ironic
drivers will complain about a missing default_boot_interface parameter.
Change-Id: Iebb572d0bfdc0e9146aa1f405023bcd1c1e3f9ed