Having GSSAPIAuthentication enabled by default
can cause issues during the deployment process
if the user is unable to authenticate with Kerberos.
This change moves the default for GSSAPIAuthentication
to no instead of yes.
Resolves: rhbz#2059855
Change-Id: Ic579380c9c72917daa01493c259bc969b7291fe9
Each puppet module provides the sync_db parameter to run commands to
initialize database schema. This change ensures the feature is disabled
as we have independent tasks to run the same.
Change-Id: I8ccf4ddd40a0d1a9bff9c1ca001284eda25dc9b2
OS::TripleO::DeployedServerEnvironment was dropped in
I47beaaccd01d72cc550ffc7871e3384e112d9334 which used
this output.
Change-Id: I5fb37734837a84d37f08263de1b7a2840ec64139
Note that one-off init containers should be removed as well.
Related-bug: #1959662
Change-Id: I9380cc4c62acc6860f7a1e5869131fa3406e2d98
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
This patch updates the barbican policy for orders in the secure-rbac
environment. The change was already implemented in barbican to fix
an order access bug.
Depends-On: Ie0e6f6edae40e47d45afbe92fd509032cb091b1a
Change-Id: I4b61523d9169de4a82a9383def58710d303b3bcf
Currently only the log file of gnocchi-api is captured by rsyslog and
log files of the other services like gnocchi-statsd are not. This
change fixes the missing logging sources so that all service logs are
captured by rsyslog.
Change-Id: I408c52de048551bc74afa540e3430d1d9f119b8a
Currently logs from aodh services are not captured by rsyslog. This
change fixes the missing logging sources so that these logs are also
detected by rsyslog.
Change-Id: I8ab0a7f9ba5e9af47af549bac88180bde0d3c782
This change introduces the new RsyslogExtraLoggingSources parameter
which allows users to transfer additional log files using rsyslog.
Change-Id: Ic6339945690339b6fb50dbfbb21026195d6a5421
Now that pacemaker resources are managed by puppet on
the host [1], the galera container gets restarted
before the puppet run that manages password update.
To make sure that any DB root password update gets
reflected in the running galera container, add a
deploy task that syncs up .myc.cnf if required.
Closes-Bug: #1960332
[1] Ie14819b66cecdb5a9cc6299b68a0cc70a7aa3370
Change-Id: I60f73939dac03b14389f37e5ffc67de5d929ee52
This is to fix the issue where the provided DDP package is not
loaded on the compute node the first time and requires a reboot
to load the provided DDP package.
Change-Id: I1e8f340725658008ca2ad65e364130cc85d32f33
With the recent changes meant to allow deployment of Ganesha on the
"external" network, the CephNfs service can be added to more roles
than just ControllerStorageNfs.
Change-Id: Ic9010307c2aab7041c8ae30c72cc1bf99fdd22f6
Closes-Bug: 1961578
This change fixes the wrong policy parameters to inject policy rules
for Octavia and Manila, which were introduced by [1].
[1] f63176e97a19f5587e5cc8a7064109d6b8a4441c
Change-Id: Ifeeca64a699a5a04a71f384d71a8a7737610ecb2
This change ensures designate-dashboard is enabled in Horizon so that
users can manage DNS resources using the web UI. Note that panels are still
disabled unless Designate is actually deployed.
Change-Id: I8e9f38e65e00c5944f53e0a150274f6616d472ae
Hugepages management was always a manual step done by operators via the
TripleO parameter ``KernelArgs``. This is error-prone and causes confusion.
The new ``Hugepages`` parameter allows operators to define hugepages as a
dictionary, making it easier to read and follow.
To prevent involuntary changes, there are multiple validations before
applying a change:
- We convert the current running configurations to an actual dictionary
that we validate the new format against
- If no change is necessary, even though the format might not be the same,
there's no kernel_args update.
- By default, we don't remove hugepages in place except when operators
specifically set ``ReconfigureHugepages`` to true.
This change is also opening the door to more automations and automatic
tuning.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2043588
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/828776
Change-Id: I1e05a5ea17c858a86acc170cfb91288884664b05
The docker_config is not intended for puppet execution and doesn't
automatically present the common requirements like fact cache generated
on host to run puppet inside containers.
This merges puppet execution into the base puppet_task to simplify
puppet execution. Because creating ovs bridge requires access to host
pids which is not allowed for container puppet tasks, that specific
task is re-implemented by host prep tasks.
Closes-Bug: #1958240
Change-Id: I7d647afbf26ea11aff4d51cc3ea734881bf5cd32
The current script requires the orchestration (Heat)
be available. This change will allow the script to convert
existing templates provided without the orchestration
service present.
Change-Id: Ie94de5841617cd8dc87ee7dccc5d4ece5b908cb9
It should be POLL_SERVER_HEAT as we no longer use Heat CFN.
This follows up I639f5626013cd0ef61c1f9066fab7a7b8806287f
Change-Id: I2ba1be7a5c72a34f67dbf9a79abef66213ff6af6
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Run the SSL verification at step2 instead of host_prep as we need
to have CACerts injected before being able to validate the SSL
certificates. It looks like NodeTLSCerts is getting deprecated
and CI has already moved away from that method.
Change-Id: I5e3491efd12ad2445a3d77f0907fbb766fe54466
Closes-bug: #1961056
Update some barbican policies that were recently changed in a bugfix for
the Barbican API.
Story: 2009664
Depends-On: I1724152839f0f5850f8d32d40b36d1670c0ad996
Change-Id: I9cfca53b3f9370ce86840cc717986cf127ff1119
Cleanup openldap certs database as some users will create certs
database that will conflict with system CA certs database and
break openldap functionality within keystone.
Change-Id: Ia76b5ab2e319d66666f109aefe22fb83778b6f2d
The 'ceph' tags included in the cephadm tht directory are directly
inherited from the previous ceph-ansible model. Those tags were useful
to follow a specific ansible flow during update/upgrade scenarios, but
since cephadm is day1 and upgrades from nautilus to pacific are still
managed by ceph-ansible, we don't have to include these tags, which are
a cause of issues during minor updates. In addition, as per [1],
>=pacific updates are asynchronous, hence they should not be managed by
TripleO anymore.
[1] https://docs.ceph.com/en/pacific/cephadm/upgrade/#starting-the-upgrade
Change-Id: Id9a6b990c9bc8783f29afca640341962b6a26834
Even if Ceph is deployed before Heat runs, the Ceph
Dashboard downloads Ceph containers. If the user opts
to get Ceph containers based on the default in cephadm
and not from container_image_prepare_defaults.yaml,
then the same choice should be applied during the
overcloud deployment when the dashboard is deployed.
The deployed_ceph.yaml environment file generated
by 'openstack overcloud ceph deploy' will set this
parameter this patch introduces so the user will not
need to set it more than once.
Depends-On: Ic4f626ebbe1a5332f9f285e5ea6aaa9f24a400b8
Change-Id: I0f64c8738d65c08561a22b09dc9f5ed48af0935c