14 Commits

Author SHA1 Message Date
mandreou
66df6bdb46 Remove no longer used disable_upgrade_deployment flag
In I75f087dc456c50327c3b4ad98a1f89a7e012dc68 we removed much of
the legacy upgrade workflow. This now also removes the
disable_upgrade_deployment flag and the tripleo_upgrade_node.sh
script, both of which are no longer used and have no effect on
the upgrade.

Related reviews
    I7b19c5299d6d60a96a73cafaf0d7103c3bd7939d tripleo-common
    I4227f82168271089ae32cbb1f318d4a84e278cc7 python-tripleoclient

Change-Id: Ib340376ee80ea42a732a51d0c195b048ca0440ac
2018-03-29 15:27:30 +03:00
zshi
d0a92f1c20 Add PTP composable service
Precision Time Protocol (PTP) is a protocol used to
synchronize clocks throughout a network. When used
in conjunction with hardware support, PTP is capable
of sub-microsecond accuracy which is far better than
is normally obtainable with NTP.

Change-Id: I98a1833db28944cfd5a89e4f28c192bb9af8ebbb
Depends-On: Idc78df3a90b73be504480bc9d33a3f0041d2d84f
2018-02-08 15:20:17 +08:00
lhinds
7e68dbdf8c Implements AIDE Intrusion Detection System
Introduces a service to configure AIDE Intrusion Detection.

This service inits the database and copies the new database
to the active naming. It also sets a cron job, using email if
`AideEmail` is populated, otherwise the reports are sent to
`/var/log/aide/`.

AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.

Related-Blueprint: tripleo-aide-database
Depends-On: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
Change-Id: I23d8ba2c43e907372fe079026df1fca5fa1c9881
2018-01-15 13:10:16 +00:00
Daniel Alvarez
85e006d19d Add support for OVN Metadata Agent
This patch adds support for networking-ovn-metadata-agent.
It will deploy the agent on compute nodes and disable Nova
force_config_drive.

The following two patches have been squashed into this one:
* https://review.openstack.org/#/c/525164/
* https://review.openstack.org/#/c/522813/
The reason behind the squash is that we had interdependencies
and this patch alone wouldn't be testing the code properly
without the two other ones since scenario007 job in baremetal
has been removed for this cycle.

UpgradeImpact

Depends-On: I678652294cb8f964c34b742a0bc0ea360d736fb9
Depends-On: If3dffde5e0db8f7607a9708d36d54d1600fe5da8
Depends-On: I38f775479d178f5b252619635b67f876bc8c5ed5
Depends-On: Ifdd42437333730a3b3e6f36cbab6df0a2971a5a1
Depends-On: I940cec6d670df39ac6e2a3559a028acbeee99331

Change-Id: Idc2bb4e31a64502ac6fcdac771d823509dc328e7
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
2018-01-12 09:40:06 +00:00
Emilien Macchi
6a6872f390 Introduce OS::TripleO::Services::Rhsm
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.

Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logic
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role work.
The parameter can be overridden per role, so we can think of specific
cases where some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.

Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.

Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.

Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
2017-12-27 11:03:49 -08:00
Zuul
adeb5df53c Merge "Add IPSEC composable service" 2017-12-06 22:53:33 +00:00
Zuul
7d0d74891f Merge "Add NovaMigrationTarget service to SR-IOV Compute role" 2017-12-05 16:15:52 +00:00
Juan Antonio Osorio Robles
898ad4f54b Add IPSEC composable service
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.

bp ipsec

Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
2017-12-05 13:10:18 +00:00
Saravanan KR
44e1b941d3 Add NovaMigrationTarget service to SR-IOV Compute role
The service NovaMigrationTarget is missing in SR-IOV compute role,
but is required for migration of instances. Added the missing
service to the role. And added validation to avoid such mistakes.
Closes-Bug: #1730275

Change-Id: I49d310b0c61331eef2d2bf5fd05cf67b34095bbb
2017-11-30 11:00:15 +05:30
lhinds
502fde7a64 Implements management of /etc/login.defs
Enables management of shadow password directives in login.defs

By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.

This change will in turn allow operators to adhere to security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.

bp login-defs

Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae
Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637
2017-11-29 09:23:25 +00:00
Zuul
b2bc4f36a3 Merge "logging: merge fluentd-client and fluentd-base" 2017-11-22 10:41:19 +00:00
Lars Kellogg-Stedman
f982eb55c4 logging: merge fluentd-client and fluentd-base
The fluentd implementation was originally split across multiple files
in order to support both client and server services. We ultimately
decided to only implement the client as part of tripleo so this
division is no longer necessary.  This commit merges
fluentd-client.yaml and fluentd-base.yaml into fluentd.yaml, and
renames things appropriately.

Partial-bug: #1715187
Depends-On: Iace34b7baae8822d2233d97adabf6ebc8833adab
Change-Id: Idb9886f04d56ffc75a78c4059ff319b58b4acf9f
2017-11-17 11:04:52 +01:00
Juan Antonio Osorio Robles
97f9a01f79 Add rsyslog-sidecar resource and configuration
This introduces a "sidecar" container, which is meant to be used
besides other containers (or as part of the pod). It merely uses
rsyslog to listen on a specific UNIX socket and outputs what it
gets to stdout.

This adds the service to each relevant role and introduces a
composable service which merely configures the container. Subsequently
it'll be used as part of other templates.

Note that it is only enabled if "stdout logging" is enabled.

bp logging-stdout-rsyslog
Depends-On: I4864ddca223becd0a17f902729cf2e566df5e521

Change-Id: I2c54acaaa820961c936f1fbe304f42162f720496
2017-11-17 10:38:57 +02:00
Saravanan KR
739b05f528 Added a new role definition for SR-IOV Compute role
In order to support the role generation command, a new role for
hosting SR-IOV workloads has been added. This also removes the
SR_IOV services from the default compute so that compute and compute
sriov can co-exist in the same cluster.
Closes-Bug: #1715829

Change-Id: If48bd6a69209da556cc75ece035b341eb59f41a9
2017-10-25 15:16:28 +05:30