Commit Graph

2271 Commits

Author SHA1 Message Date
Jenkins
2f230e0775 Merge "Add IPv6 disable option" 2017-04-12 16:39:47 +00:00
Jenkins
c7b045e44e Merge "Add composable role support for NetApp Cinder back end" 2017-04-12 15:28:00 +00:00
Jenkins
cec6d0d3dd Merge "Change the directory for httpd certs/keys to be service-specific" 2017-04-12 14:17:36 +00:00
Jenkins
d33948a45b Merge "Add missing name properties on deloyment resources" 2017-04-11 22:22:14 +00:00
Juan Antonio Osorio Robles
87f41c6ec6 Change the directory for httpd certs/keys to be service-specific
This moves the directories containing the certs/keys for httpd one step
further inside the hierarchy. This way we will be able to bind-mount
this certificate into the container without bind-mounting any other
certs/keys from other services.

bp tls-via-certmonger-containers

Change-Id: Ibe6e66ae4589b9eab7db330dd8b178e0f8775639
Depends-On: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-11 11:33:32 +00:00
Jenkins
74684af1ad Merge "Decouple Swift ringbuilding logic" 2017-04-11 11:03:13 +00:00
zshi
d22484d389 Add IPv6 disable option
This will give the user the ability to set these values.
If IPv6 is not to be used, it's recommended that it be
disabled to reduce the attack surface of the system.

Change-Id: Ib3142cce49b93a421ca142a59961ce49a77e66b1
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
2017-04-11 15:29:04 +08:00
Jenkins
ccb0655db4 Merge "Replace references to the 192.0.2 network" 2017-04-11 07:09:54 +00:00
Alan Bishop
c533a3219e Add composable role support for NetApp Cinder back end
Convert NetApp Cinder back end to support composable roles via new
"CinderBackendNetApp" service.

Closes-Bug: #1680568
Change-Id: Ia3a78a48c32997c9d3cbe1629c2043cfc5249e1c
2017-04-10 11:38:49 -04:00
Jenkins
8bcd1ed110 Merge "Remove yaql call when building logging_groups" 2017-04-10 15:09:28 +00:00
Jenkins
3a624e6fc1 Merge "sensu: fix upgrade case when service is added" 2017-04-10 12:25:56 +00:00
Giulio Fidente
b5b6681a74 Replace references to the 192.0.2 network
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane
network will be 192.168.24 by default and not 192.0.2 anymore.

This change removes old references left to 192.0.2 network from the
overcloud templates.

Change-Id: I1986721d339887741038b6cd050a46171a4d8022
2017-04-10 14:05:50 +02:00
Jenkins
f71c4c2e1d Merge "Timeout early on pcs cluster status check0 during upgrade." 2017-04-10 11:05:20 +00:00
Thomas Herve
687c53a05a Remove yaql call when building logging_groups
yaql calls are fairly expensive. Let's try to not nest them when we can
avoid it.

Change-Id: I5e7dbc42be625bbfe7989867794a67ebae08687d
2017-04-10 10:15:52 +00:00
Christian Schwede
76c1c0cbba Decouple Swift ringbuilding logic
This reverts commit b323f8a160 and uses
the new logic in puppet-tripleo (see Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b),
basically doing the same.

Closes-Bug: 1665641
Change-Id: Ib5cb0578be2993af0a0b8675005d838640bdb139
2017-04-10 07:23:27 +00:00
Jenkins
7e5e9aa8bb Merge "Update ceph-rgw acccepted roles to fix OSP upgrade" 2017-04-07 21:35:39 +00:00
Emilien Macchi
deb9b4cad5 sensu: fix upgrade case when service is added
When service is added during an upgrade, fix the ansible syntax
to use the right variable for return code.

Change-Id: I974699fb8b0dcbe5ffa6935c394df4ac8e7b21d4
2017-04-07 11:54:48 -04:00
Sofer Athlan-Guyot
0ea21f51a8 Timeout early on pcs cluster status check0 during upgrade.
There is a window for the pcs cluster status to hang forever[1]. We
add a timeout during check0 to avoid this situation. 2 minutes should
be more than enough to get all the pcsd nodes to reply.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1292858

Closes-Bug: #1680477

Change-Id: Icb3dc76e031a3d4f26294f37d169f2f61d30973e
2017-04-07 17:43:53 +02:00
Jenkins
e221203da4 Merge "Add password to authtoken section in congress.conf" 2017-04-07 15:28:28 +00:00
Jenkins
46376ccaa5 Merge "Add support for "neutron" Ironic networking plugin" 2017-04-07 15:27:31 +00:00
Jenkins
47a4e9830c Merge "ovn: Add missing configurations required" 2017-04-07 10:09:42 +00:00
Tomofumi Hayashi
09be1e1c6a Add password to authtoken section in congress.conf
The current puppet module misses the password section, hence congress is
not available due to the missing password in congress.conf. This fix is to
add the password.

Change-Id: I277c03ca93130a0337d5085f09c375fb0ac9331d
Signed-off-by: Tomofumi Hayashi <s1061123@gmail.com>
2017-04-07 18:38:21 +09:00
Jenkins
8897a23aa1 Merge "Fix conntrack proto sctp module" 2017-04-07 08:26:38 +00:00
Jenkins
88510fce67 Merge "Adds Horizon secure cookie map." 2017-04-06 23:54:13 +00:00
Jenkins
8dc8980358 Merge "Add trigger to setup a LDAP backend as keystone domaine" 2017-04-06 23:17:17 +00:00
Jenkins
656f78f00b Merge "Adds service for managing securetty" 2017-04-06 23:16:17 +00:00
Alex Schultz
e811bb2efc Fix conntrack proto sctp module
ip_conntrack_proto_sctp is the old name for the module and it is now
nf_conntrack_proto_sctp. In order for the kmod module to not keep trying
to modprobe the module, we need to use the correct name.

Change-Id: Ieaed235e71e9e6e41a46d9be0e02beb8f4341b1a
Closes-Bug: #1680579
2017-04-06 13:30:09 -06:00
Jenkins
799359847d Merge "Disable ceilometer API" 2017-04-06 16:35:30 +00:00
lhinds
9945538069 Adds service for managing securetty
This adds the ability to manage the securetty file.

By allowing management of securetty, operators can limit root
console access and improve security through hardening.

Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7
Partial-Bug: #1665042
Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
2017-04-06 13:30:50 +01:00
Jenkins
4fb4cc780d Merge "Add manual ovs upgrade script for workaround ovs upgrade issue" 2017-04-06 10:35:52 +00:00
Jenkins
4ddfe41775 Merge "Enforce upgrade_batch_tasks before upgrade_tasks order" 2017-04-06 10:03:11 +00:00
Jenkins
e10ddcc3d2 Merge "add configurable timeouts for DB sync" 2017-04-06 09:42:27 +00:00
Jenkins
886d9afc79 Merge "Add network sysctl tweaks for security" 2017-04-06 09:41:00 +00:00
Jenkins
d7108016b7 Merge "Ensure upgrade step orchestration accross roles." 2017-04-06 08:10:28 +00:00
Numan Siddique
acc20aa525 ovn: Add missing configurations required
This patch adds
 - setting nova config param 'force_config_meta' to True
   as metadata service is not supported by OVN yet.
 - Add the necessary iptables rules to allow ovsdb-server
   traffic for Northbound and Southbound databases.
 - Update the release notes for OVN.

Change-Id: If1a2d07d66e493781b74aab2fc9b76a6d58f3842
Closes-bug: #1670562
2017-04-06 13:15:30 +05:30
Cyril Lopez
347f5434b3 Add trigger to setup a LDAP backend as keystone domaine
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo
which will call a define in puppet-keystone ldap_backend.pp.

Given the following environment:

parameter_defaults:
  KeystoneLDAPDomainEnable: true
  KeystoneLDAPBackendConfigs:
    tripleoldap:
      url: ldap://192.0.2.250
      user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
      password: Secrete
      suffix: dc=redhat,dc=example,dc=com
      user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
      user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
      user_objectclass: person
      user_id_attribute: cn
      user_allow_create: false
      user_allow_update: false
      user_allow_delete: false
  ControllerExtraConfig:
    nova::keystone::authtoken::auth_version: v3
    cinder::keystone::authtoken::auth_version: v3

It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.

More backends can be added as more entries to that hash.

This also enables multi-domain support for horizon.

Closes-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2017-04-06 07:10:57 +00:00
Jenkins
0846b3d76e Merge "Add parameters for internal TLS for swift proxy" 2017-04-06 02:10:20 +00:00
Mike Bayer
a87b5630ba add configurable timeouts for DB sync
This patch integrates with the db_sync_timeout
parameter recently added to puppet-nova
and puppet-neutron in
I6b30a4d9e3ca25d9a473e4eb614a8769fa4567e7, which allows for the full
db_sync install to have more time than just Puppet's
default of 300 seconds. Ultimately, similar timeouts
can be added for all other projects that feature
db sync phases, however Nova and Neutron are currently
the ones that are known to time out in some
environments.

Closes-bug: #1661100
Change-Id: Ic47439a0a774e3d74e844d43b58956da8d1887da
2017-04-05 16:10:02 -06:00
Jenkins
f68111bd9e Merge "Add l2gw neutron service plugin support" 2017-04-05 16:08:48 +00:00
Jenkins
42b502e033 Merge "Addition of firewall rules for Nuage" 2017-04-05 16:02:15 +00:00
Jenkins
963d4a6954 Merge "Disable core dump for setuid programs" 2017-04-05 14:23:49 +00:00
Juan Antonio Osorio Robles
dba8795b26 Add parameters for internal TLS for swift proxy
This adds the necessary parameter for swift proxy to be terminated
internally by a TLS proxy.

bp tls-via-certmonger

Change-Id: I3cb9d53d75f982068f1025729c1793efaee87380
Depends-On: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
2017-04-05 06:24:15 +00:00
Jenkins
29faa38ddc Merge "Add params to tweak memory limit on mongodb" 2017-04-05 00:36:14 +00:00
marios
299b9f5323 Enforce upgrade_batch_tasks before upgrade_tasks order
If we really want upgrade_batch_tasks before the upgrade_tasks
as described in the README then we should enforce the ordering.

Noticed this while working on bug 1671504: upgrade tasks were being
executed before batch upgrade tasks.

Closes-Bug: 1678101
Change-Id: Iaa1bce960a37c072b5f8441132705a6bb6eb6ede
2017-04-04 12:05:44 +00:00
Sofer Athlan-Guyot
d286892c78 Ensure upgrade step orchestration accross roles.
Currently we don't enforce step ordering across roles, only within
a role. With custom roles, we can reach a step5 on one role while the
cluster is still at step3, breaking the contract announced in the
README[1] where each step has a guaranteed cluster state.

We have to remove the conditional here as well, as jinja has no way to
access this information, but we need jinja to iterate over all enabled
roles to create the orchestration.

This deals only with Upgrade tasks; there is another review to deal
with UpgradeBatch tasks.

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/README.rst

Closes-Bug: #1679486

Change-Id: Ibc6b64424cde56419fe82f984d3cc3620f7eb028
2017-04-04 11:44:43 +03:00
Jenkins
0b11bcee71 Merge "Add ceilometer ipmi agent" 2017-04-04 01:59:11 +00:00
Pradeep Kilambi
75d4883802 Add params to tweak memory limit on mongodb
The puppet-tripleo change was added in
Ie9391aa39532507c5de8dd668a70d5b66e17c891.

Closes-bug: #1656558

Change-Id: Ibe2e4be5b5dc953d8d4b14f680a460409db95585
2017-04-03 18:15:33 -04:00
Dmitry Tantsur
6ddcd9a1cb Add support for "neutron" Ironic networking plugin
This enabled a lot of advanced networking features (see the release note).
Related to blueprint ironic-driver-composition

Change-Id: I20ea994fec36d73e618107b5c3594ec1c0f8cb93
Depends-On: I72eb8b06cca14073d1d1c82462fb702630e02de3
2017-04-03 23:00:52 +02:00
lokesh-jain
d5309c9443 Addition of firewall rules for Nuage
Added VxLAN and metadata agent firewall rules to neutron-compute-plugin
for Nuage. Removed a deprecated parameter 'OSControllerIp' as well.

Change-Id: If10c300db48c66b9ebeaf74b5f5fee9132e75366
2017-04-03 16:49:16 -04:00
Jenkins
b20bdcee03 Merge "Qpid dispatch router composable role" 2017-04-03 14:54:19 +00:00