Commit Graph

108 Commits (258c6ce52d0c8467f34693722a883d96345802b2)

Author SHA1 Message Date
Carlos Camacho 258c6ce52d Merge pre|post puppet resources into pre|post config.
The [Pre|Post]Puppet resources were renamed in
This was intended for having pre/post deployment
steps using an agnostic name instead of
being attached to a technology.

The renaming was unintentionally reverted in and

This submission merges both resources into one,
and removes the old pre|post hooks.

Closes-bug: #1669756
Change-Id: Ic9d97f172efd2db74255363679b60f1d2dc4e064
2017-04-24 12:56:49 +02:00
Jenkins afe2740ccc Merge "SSHD Service extensions" 2017-04-21 06:42:55 +00:00
Jenkins 89927b6b4d Merge "Add network_data.yaml to encapsulate list of networks for j2" 2017-04-21 00:41:15 +00:00
Jenkins ef82c3a010 Merge "Pluggable server type per Role" 2017-04-20 09:26:59 +00:00
Luke Hinds 5e14f95a4a SSHD Service extensions
This change implements a MOTD message and provides a hash of
sshd config options which are sourced to the puppet-ssh module
as a hash.

The SSHD puppet service is enabled by default, as it is
required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
Also added the service to the CI roles.

Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
Depends-On: I1d09530d69e42c0c36311789166554a889e46556
Closes-Bug: #1668543
Co-Authored-By: Oliver Walsh <>
2017-04-19 18:03:02 +01:00
Jenkins ff2ca16ba4 Merge "SSH known_hosts config" 2017-04-18 22:53:25 +00:00
Luca Lorenzetto 0d8f11ffca Support for external swift proxy
Users may have an external swift proxy already available (i.e. radosgw
from already existing ceph, or hardware appliance implementing swift
proxy). With this change a user may specify an environment file that
registers the specified urls as endpoints for the object-store service.
The internal swift proxy is left unconfigured.

Change-Id: I5e6f0a50f26d4296565f0433f720bfb40c5d2109
Depends-On: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
2017-04-18 09:13:19 +02:00
Oliver Walsh 7d3552a105 SSH known_hosts config
Fetch the host public keys from each node, combine them all and write to the
system-wide ssh known hosts. The alternative of disabling host key
verification is vulnerable to a MITM attack.

Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
2017-04-13 21:53:59 +01:00
James Slagle 87ce5d4574 Pluggable server type per Role
The server resource type, OS::TripleO::Server can now be mapped per role
instead of globally. This allows users to mix baremetal
(OS::Nova::Server) and deployed-server (OS::Heat::DeployedServer) server
resources in the same deployment.

blueprint pluggable-server-type-per-role

Change-Id: Ib9e9abe2ba5103db221f0b485c46704b1e260dbf
2017-04-13 15:38:44 -04:00
Jenkins 3e8b6289d7 Merge "Update Dell EMC Cinder back end services" 2017-04-12 20:09:14 +00:00
Jenkins c7b045e44e Merge "Add composable role support for NetApp Cinder back end" 2017-04-12 15:28:00 +00:00
Alan Bishop 5fb637c611 Update Dell EMC Cinder back end services
Add services for Dell EMC Cinder back ends to the resource registry
and to the Controller role (defaulting to OS::Heat::None).

Closes-Bug: #1681497
Change-Id: I694fd7738abd3601851bdcd38e3633607ce6152c
2017-04-10 13:30:43 -04:00
Alan Bishop c533a3219e Add composable role support for NetApp Cinder back end
Convert NetApp Cinder back end to support composable roles via new
"CinderBackendNetApp" service.

Closes-Bug: #1680568
Change-Id: Ia3a78a48c32997c9d3cbe1629c2043cfc5249e1c
2017-04-10 11:38:49 -04:00
Christian Schwede 76c1c0cbba Decouple Swift ringbuilding logic
This reverts commit b323f8a160 and uses
the new logic in puppet-tripleo (see Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b),
basically doing the same.

Closes-Bug: 1665641
Change-Id: Ib5cb0578be2993af0a0b8675005d838640bdb139
2017-04-10 07:23:27 +00:00
Jenkins e1e8554494 Merge "Fixing acronym for BGPVPN composable service" 2017-04-06 23:18:12 +00:00
lhinds 9945538069 Adds service for managing securetty
This adds the ability to manage the securetty file.

By allowing management of securetty, operators can limit root
console access and improve security through hardening.

Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7
Partial-Bug: #1665042
Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
2017-04-06 13:30:50 +01:00
Jenkins f68111bd9e Merge "Add l2gw neutron service plugin support" 2017-04-05 16:08:48 +00:00
Ricardo Noriega 9e27118ec9 Fixing acronym for BGPVPN composable service
Change-Id: I397a6ad430cef5ddb4eee48347ad4c89144ad01e
Signed-off-by: Ricardo Noriega <>
2017-04-05 13:52:14 +02:00
Jenkins 0b11bcee71 Merge "Add ceilometer ipmi agent" 2017-04-04 01:59:11 +00:00
Peng Liu d7c00f01b5 Add l2gw neutron service plugin support
L2 Gateway (L2GW) is an API framework for OpenStack that offers bridging
two or more networks together to make them look like a single broadcast
domain. This patch implements the l2gw neutron service plugin support part
in t-h-t.

Change-Id: I1b52dc2c11a15698e43b6deeac6cadeeba1802d5
Depends-On: I01a8afdc51b2a077be1bbc7855892f68756e1fd3
Partially-Implements: blueprint l2gw-service-integration
Signed-off-by: Peng Liu <>
2017-03-30 14:42:10 +00:00
Pradeep Kilambi 9c4c15d533 Add ceilometer ipmi agent
Closes-Bug: #1662679

Change-Id: I3446d59b89d43859caedd2be4583099374944379
2017-03-29 22:00:43 +00:00
John Eckersberg 1ca3c2c4b0 Qpid dispatch router composable role
Note: since it replaces rabbitmq, in order to aim for the smallest
amount of changes the service_name is called 'rabbitmq' so all the
other services do not need additional logic to use qdr.

Depends-On: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608
Change-Id: I27f01d2570fa32de91ffe1991dc873cdf2293dbc
2017-03-29 10:19:41 +02:00
Juan Antonio Osorio Robles 3bd4a3f94b MySQL: Use conditional instead of nested stack for TLS-specific bits
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of using nested stacks, this patch
changes that to use a conditional, and outputs the necessary
config_settings and metadata_settings this way in an attempt to save

Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a
2017-03-27 14:00:46 +03:00
Juan Antonio Osorio Robles 7d0f27980d Apache: Use conditional instead of nested stack for TLS-specific bits
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of using nested stacks, this patch
changes that to use a conditional, and outputs the necessary
config_settings and metadata_settings this way in an attempt to save

Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
2017-03-27 13:33:17 +03:00
Juan Antonio Osorio Robles 69c213e3e3 Rabbitmq: Use conditional instead of nested stack for TLS-specific bits
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of using nested stacks, this patch
changes that to use a conditional, and outputs the necessary
config_settings and metadata_settings this way in an attempt to save

Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa
2017-03-27 13:33:12 +03:00
Juan Antonio Osorio Robles 31bc6eaa88 Add certmonger-user profile
This profile will request the certificates for the services on the node.
So with this, we will remove the requesting of these certs on the
services' profiles themselves.

The reasoning for this is that for a containerized environment, the
containers won't have credentials to the CA while the baremetal node
does. So, with this, we will have this profile that still gets executed
in the baremetal nodes, and we can subsequently pass the requested
certificates by bind-mounting them on the containers. On the other hand,
this approach still works well for the TLS-everywhere case when the
services are running on baremetal.

Change-Id: Ibf58dfd7d783090e927de6629e487f968f7e05b6
Depends-On: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
2017-03-13 17:10:13 +02:00
Ricardo Noriega b67ad0695e Add BGPVPN composable service
This project aims at supporting inter-connection between L3VPNs
and Neutron resources, i.e. Networks, Routers and Ports.

Partially-Implements: blueprint bgpvpn-service-integration

Change-Id: I576c9ac2b443dbb6886824b3da457dcc4f87b442
Signed-off-by: Ricardo Noriega <>
2017-03-10 11:35:48 +01:00
Juan Antonio Osorio Robles 1992282b88 Pass hieradata for internal TLS for RabbitMQ
As with other services, this passes the necessary hieradata to enable
TLS for RabbitMQ. This will mean (once we set it via puppet-tripleo)
that there will only be TLS connections, as the ssl_only option is being

bp tls-via-certmonger

Change-Id: I960bf747cd5e3040f99b28e2fc5873ca3a7472b5
Depends-On: Ic2a7f877745a0a490ddc9315123bd1180b03c514
2017-03-09 11:08:41 +00:00
Steven Hardy fb748ba307 Enable composable upgrades for docker service templates
This aligns the docker based services with the new composable upgrades
architecture we landed for ocata, and does a first-pass adding upgrade_tasks
for the services (these may change, atm we only disable the service on
the host).

To run the upgrade workflow you basically do two steps:

openstack overcloud deploy --templates \
  -e environments/major-upgrade-composable-steps-docker.yaml

This will run the ansible upgrade steps we define via upgrade_tasks
then run the normal docker PostDeploySteps to bring up the containers.

For the puppet workflow there's then an operator driven step where
compute nodes (and potentially storage nodes) are upgraded in batches
and finally you do:

openstack overcloud deploy --templates \
  -e environments/major-upgrade-converge-docker.yaml

In the puppet case this re-applies puppet to unpin the nova RPC API
so I guess it'll restart the nova containers this affects but otherwise
will be a no-op (we also disable the ansible steps at this point).

Depends-On: I9057d47eea15c8ba92ca34717b6b5965d4425ab1
Change-Id: Ia50169819cb959025866348b11337728f8ed5c9e
2017-03-06 15:53:46 +00:00
Steven Hardy a5116005d8 Add network_data.yaml to encapsulate list of networks for j2
This moves the hard-coded networks from the default environment,
and provides the first step towards enabling composable networks.

Co-Author: Dan Sneddon <>
Partial-Bug: #1633090
Depends-On: I9f818912bd8e2a3220e41c8ccbbab3d9063b4d72
Change-Id: I7793b8badede5450b05437c84d9b40c28de7546b
2017-03-05 03:20:42 +00:00
Feng Pan 0ea941a615 Add VPP composable service
Vector Packet Processing (VPP) is a high performance packet processing
stack that runs in user space in Linux. VPP is used as an alternative to
kernel networking stack for accelerated network data path. This patch
adds VPP as a composable service. Note that NIC binding related configs
for VPP are handled in os-net-config.

Depends-on: I70a68a204a8b9d533fc2fa4fc33c39c3b1c366bf

Change-Id: I5e4b1903dc87cb16259eeb05db585678acadbc6b
Implements: blueprint fdio-integration-tripleo
2017-02-26 16:43:26 -05:00
Pradeep Kilambi 161cd3cbe3 Enable panko service by default on overcloud
There are other applications still relying on panko and not
enabling by default is causing integration concerns.

Closes-bug: #1666619

Change-Id: I615694ca5f5a04fef4b0098c8083fb43432bb81f
2017-02-21 13:44:24 -05:00
Jenkins c94e09eeac Merge "Generate Pre/Post Puppet Tasks for all roles" 2017-02-20 23:48:52 +00:00
Michele Baldessari 90431683b5 Make the DB URIs host-independent for all services
When fixing LP#1643487 we added ?bind_address to all DB URIs.
Since this clashes with Cellsv2 due to the URIs becoming host
dependent, we need a new approach to pass bind_address to pymysql
that leaves the DB URIs host-independent.

In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a
/etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct
bind-address option.

In this change we make sure that the DB URIs will point to the added
file and to the specific section containing the necessary bind-address
option. We do introduce a new MySQLClient profile which will hold all
this more client-specific configuration so that this change can fit
better in the composable roles work. Also, in the future it might
contain the necessary configuration for SSL for example.

Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist
(because it is created via the mysqlclient profile), things keep on
working as usual and the bind-address option simply won't be set, which
has no impact on hosts where there are no VIPs.

Co-Authored-By: Damien Ciabrini <>

Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12
Related-Bug: #1643487
Closes-Bug: #1663181
Closes-Bug: #1664524
Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
2017-02-17 17:22:42 +01:00
James Slagle 529768ae84 Generate Pre/Post Puppet Tasks for all roles
We need to generate the Pre and Post Puppet Tasks for all roles, not
just the Controller role. Otherwise, you have to have a role
specifically named Controller that is running your pacemaker services,
or pacemaker won't be properly handled on stack-updates.

When using deployed-servers it's actually not possible to have a role
called Controller, since we need to use all custom roles so that we can
set disable_contraints on each role. Further, it is not possible to
redefine the Controller role since puppet/controller-role.yaml is listed
in the excludes file.

Change-Id: I737b24db90932e292b50b122640f66385f2d1c23
Partial-Bug: #1665060
2017-02-17 09:03:35 -05:00
Jenkins 1c486d57a8 Merge "Apply post-upgrade step to not run puppet in post upgrade" 2017-02-17 01:23:11 +00:00
Jenkins 0951a579fe Merge "Automatically backup and restore Swift rings from the undercloud" 2017-02-17 01:21:21 +00:00
Mathieu Bultel b3b04eb0d2 Apply post-upgrade step to not run puppet in post upgrade
In the environment file:
we don't want to run puppet in certain roles in post upgrade
because we need to make some extra tasks on these nodes and
run puppet on the converge step

Change-Id: I38fc5772cdb4a7df7979beb2e7475c70f34076a7
2017-02-16 14:57:56 +01:00
Dan Radez f666228678 adding Congress Support
Depends-On: Ic74ccd5fa7b3b04ca810416e5160463252f17474

Implements: blueprint congress-service-integration

Change-Id: Ie60540c340c0eb71ff376aba65507a8bb3e909b6
Signed-off-by: Dan Radez <>
2017-02-10 09:59:38 -05:00
Dan Radez b49b443ea7 Adding Tacker Support
Depends-On: Ide0e60f3b7a3733788af4337c1c39b4a956c876f
Depends-On: I3d6bbc05644e840395f87333ec80e3b844f69903
Depends-On: Idf6abcb7fe766546cb362ad4afe54f4bccd9c994

Implements: blueprint tacker-service-integration

Change-Id: Ibddc81561f6e6ba671bd01a9251c57d3ad67ba8c
Signed-off-by: Dan Radez <>
2017-02-09 20:23:36 +00:00
Jenkins f190469c01 Merge "Re-organizes Contrail services to the correct roles" 2017-02-09 17:02:55 +00:00
Michael Henkel da91bb6e1e Re-organizes Contrail services to the correct roles
In current setup some Contrail services belong to the wrong roles.
The Contrail control plane can be impacted if the Analytics database has

Change-Id: I0d57a2324c38b5b20cc687c6217a7a364941f7e6
Depends-On: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
Closes-Bug: #1659560
2017-02-08 20:25:41 +01:00
Jenkins 76b53b3e2c Merge "implement a collectd composable service" 2017-02-08 06:58:48 +00:00
Jenkins 9dc9c65522 Merge "Add registry and role service list entries for Octavia" 2017-02-07 23:46:06 +00:00
Lars Kellogg-Stedman 490c19bb38 implement a collectd composable service
The collectd composable service permits an operator to configure
collectd metrics collection as part of the overcloud install.

Depends-on: I03cfbd96778a76125d18e2ca2f48d96e292608de
Change-Id: I143565329f5128f15cc39c9b62a6b242666383ab
2017-02-07 11:54:14 +00:00
Christian Schwede b323f8a160 Automatically backup and restore Swift rings from the undercloud
Swift rings created or updated on the overcloud nodes will now be
stored on the undercloud at the end of the deployment.  An
additional consistency check is executed before storing them,
ensuring all rings within the cluster are identical.

These rings will be retrieved (before Puppet runs) by every node
when an UPDATE is executed, and by doing this will be in a
consistent state across the cluster.

This makes it possible to add, remove or replace nodes in an
existing cluster without manual operator interaction.

Closes-Bug: 1609421
Depends-On: Ic3da38cffdd993c768bdb137c17d625dff1aa372
Change-Id: I758179182265da5160c06bb95f4c6258dc0edcd6
2017-02-06 15:48:11 +01:00
Brent Eagles 07876f2d90 Add registry and role service list entries for Octavia
This patch adds the Octavia services to the registry and controller role
(disabled by default). Also included is an example environment file for
enabling the services and required configuration. The API service
profile is also amended to configure the load balancer service provider in
neutron to point to the octavia load balancer driver.

Change-Id: I7f3bba950f5b1574ba842a39e93a8ac2b1ccf7bb
Partially-implements: blueprint octavia-service-integration
2017-02-03 12:59:13 -03:30
Steven Hardy 87af02d673 Disable puppet on upgrade for roles not upgrading
Where the role has disabled upgrades, we need to skip both the ansible and
puppet steps.  To do this we refactor the post.j2.yaml so that it can be
included in the upgrade template with an adjusted list of roles.

Note this requires - this
change will be required for local testing of this patch
(run mistral-db-manage populate after updating tripleo-common
and restart the mistral services, or update your repos and re-run
openstack undercloud install).

Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: Ie7d0fa6fef3528bd93e6cde076b964ea8de3185a
2017-02-03 11:43:47 +00:00
Steven Hardy afdc138987 Add AuditD composable service
This patch allows the management of the AuditD service and its associated
files (such as `audit.rules`)

This is achieved by means of the `puppet-auditd` puppet module.

Also places ssh banner capabilities map on top of patch

Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d
Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
2017-01-27 13:23:18 +00:00
Jenkins ef741fab9b Merge "Adds SSH Banner text into sshd_config" 2017-01-27 12:29:12 +00:00