This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd. Which is
the commit this is on top of.
Also, an environment file was added that's similar to
environments/docker.yaml. The difference is that this one will contain
the services that can run containerized with TLS-everywhere. This file
will be updated as more services get support for this.
The containers also need to trust the CA's that the overcloud node
trusts, else we'll get SSL verification failures.
Per puppet-nova commit 2c743a6bff5b17a85d1e0500f3a9ecb21468204e
there is now a custom resource for Nova_cell_v2 configuration.
As this resource runs automatically regardless of our use
of puppet tags we need to explicitly disable it to be able to
generate Nova API configs for docker.
This moves the directories containing the certs/keys for httpd one step
further inside the hierarchy. This way we will be able to bind-mount
this certificate into the container without bind-mounting any other
certs/keys from other services.
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane
network will be 192.168.24 by default and not 192.0.2 anymore.
This change removes old references left to 192.0.2 network from the
This reverts commit b323f8a160 and uses
the new logic in puppet-tripleo (see Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
), basically doing the same.
There is a windows for the pcs cluster status to hang forever. We
add a timeout during check0 to avoid this situation. 2 minutes should
be more than enought to get all the pcsd nodes to reply.
This will add the Docker service to all roles. Note that currently by
default the Docker service is mapped to OS::Heat::None by default. It
will only be deployed if environments/docker.yaml file is included in
This ports the fixes made to the legacy 51-hosts script, which this
script is derived from, to tht.
See related t-i-e patch Ibe0a9f6ec10d55750e3b0e16301236141f988d69
Current puppet module miss password section hence congress is not
available due to missing password in congress.conf. This fix is to
Signed-off-by: Tomofumi Hayashi <email@example.com>
This submission will enable the BGPVPN API
This addition to scenario004 does not
provide any sanity check for the Neutron API
extension. At this stage is meant to
install the required packages and prerequisites,
configure the extension and
having the services started correctly.
In the README.rst file, this is displayed as
neutron-bgpvpn, so for further integrations
should be added as neutron-<extension_name>
for an easier reading.
ip_conntrack_proto_sctp is the old name for the module and it is now
nf_conntrack_proto_sctp. In order for the kmod module to not keep trying
to modprobe the module, we need to use the correct name.
This adds the ability to manage the securetty file.
By allowing management of securetty, operators can limit root
console access and improve security through hardening.