14912 Commits

Author SHA1 Message Date
Brendan Shephard
fa69bfc1eb Disable GSSAPIAuthentication by default
Having GSSAPIAuthentication enabled by default
can cause issues during the deployment process
if the user is unable to authenticate with Kerberos.

This change moves the default for GSSAPIAuthentication
to no instead of yes.

Resolves: rhbz#2059855
Change-Id: Ic579380c9c72917daa01493c259bc969b7291fe9
2022-03-04 01:56:57 +11:00
Zuul
e93d59464e Merge "Ensure db initialization is not executed by puppet" 2022-03-02 20:18:29 +00:00
Takashi Kajinami
263fee246a Ensure db initialization is not executed by puppet
Each puppet module provides the sync_db parameter to run commands to
initialize database schema. This change ensures the feature is disabled
as we have independent tasks to run the same.

Change-Id: I8ccf4ddd40a0d1a9bff9c1ca001284eda25dc9b2
2022-03-02 14:13:06 +09:00
Zuul
3184c3471b Merge "Update Barbican Orders policy for secure-rbac" 2022-03-01 00:18:46 +00:00
Zuul
5d12dbd3c9 Merge "Remove unused deployed_server_port_map output" 2022-03-01 00:18:39 +00:00
Zuul
4f54d1c1f9 Merge "Remove Nova from undercloud during upgrades" 2022-02-28 12:59:08 +00:00
Zuul
d52c943720 Merge "Required DDP package is not loaded issue" 2022-02-28 12:59:04 +00:00
rabi
a8b849f036 Remove unused deployed_server_port_map output
OS::TripleO::DeployedServerEnvironment was dropped in
I47beaaccd01d72cc550ffc7871e3384e112d9334 which used
this output.

Change-Id: I5fb37734837a84d37f08263de1b7a2840ec64139
2022-02-28 11:13:04 +05:30
Zuul
bf8ce722fd Merge "Do not run puppet in docker_config" 2022-02-27 19:41:01 +00:00
Zuul
9ac454b014 Merge "Horizon: Fix the wrong policy parameters" 2022-02-25 03:49:32 +00:00
Zuul
1a86a74f00 Merge "Cleanup openldap certs database" 2022-02-25 03:49:28 +00:00
Zuul
0b85a83631 Merge "Add support for additional log sources for rsyslog" 2022-02-25 03:22:41 +00:00
Zuul
66e4308536 Merge "Sync updated DB root password in running container" 2022-02-25 01:32:29 +00:00
Zuul
4fb19e644a Merge "Adding Hugepages role parameter" 2022-02-25 01:32:20 +00:00
Bogdan Dobrelya
219817528f Remove Nova from undercloud during upgrades
Note that one-off init containers should be removed as well.

Related-bug: #1959662
Change-Id: I9380cc4c62acc6860f7a1e5869131fa3406e2d98
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2022-02-24 16:36:38 +01:00
Zuul
71f5ceb459 Merge "Add CephNfs service on roles providing "external" network connectivity" 2022-02-24 04:04:18 +00:00
Zuul
5cc1a5ee7b Merge "Align defaults for SoftwareConfigTransport" 2022-02-24 01:35:21 +00:00
Zuul
ba35de0288 Merge "rsyslog: Add missing logging sources for aodh services" 2022-02-23 23:10:16 +00:00
Zuul
ed08162bc8 Merge "rsyslog: Add missing logging sources for gnocchi services" 2022-02-23 23:10:12 +00:00
Douglas Mendizábal
1395d1c496 Update Barbican Orders policy for secure-rbac
This patch updates the barbican policy for orders in the secure-rbac
environment.  The change was already implemented in barbican to fix
an order access bug.

Depends-On: Ie0e6f6edae40e47d45afbe92fd509032cb091b1a
Change-Id: I4b61523d9169de4a82a9383def58710d303b3bcf
2022-02-23 15:25:06 -06:00
Takashi Kajinami
7ca6a836fb rsyslog: Add missing logging sources for gnocchi services
Currently only the log file of gnocchi-api is captured by rsyslog and
log files of the other services like gnocchi-statsd are not. This
change fixes the missing logging sources so that all service logs are
captured by rsyslog.

Change-Id: I408c52de048551bc74afa540e3430d1d9f119b8a
2022-02-23 20:37:57 +09:00
Takashi Kajinami
e07098b534 rsyslog: Add missing logging sources for aodh services
Currently logs from aodh services are not captured by rsyslog. This
change fixes the missing logging sources so that these logs are also
detected by rsyslog.

Change-Id: I8ab0a7f9ba5e9af47af549bac88180bde0d3c782
2022-02-23 20:36:10 +09:00
Takashi Kajinami
a1b967fafe Add support for additional log sources for rsyslog
This change introduces the new RsyslogExtraLoggingSources parameter
which allows users to transfer additional log files using rsyslog.

Change-Id: Ic6339945690339b6fb50dbfbb21026195d6a5421
2022-02-23 18:17:40 +09:00
Damien Ciabrini
7f8876ce7c Sync updated DB root password in running container
Now that pacemaker resources are managed by puppet on
the host [1], the galera container gets restarted
before the puppet run that manages password update.
To make sure that any DB root password update gets
reflected in the running galera container, add a
deploy task that syncs up .myc.cnf if required.

Closes-Bug: #1960332

[1] Ie14819b66cecdb5a9cc6299b68a0cc70a7aa3370

Change-Id: I60f73939dac03b14389f37e5ffc67de5d929ee52
2022-02-23 09:56:38 +01:00
Jaganathan Palanisamy
2329e416e5 Required DDP package is not loaded issue
This is to fix the provided DDP package is not loaded
on the compute node first time and requires reboot to
load the provided DDP package.

Change-Id: I1e8f340725658008ca2ad65e364130cc85d32f33
2022-02-23 13:52:19 +05:30
Zuul
de44e208c6 Merge "Enable designate-dashboard" 2022-02-22 12:16:49 +00:00
Giulio Fidente
e1de2bcb72 Add CephNfs service on roles providing "external" network connectivity
With the recent changes meant to allow deployment of Ganesha on the
"external" network, the CephNfs service can be added to more roles
than just ControllerStorageNfs.

Change-Id: Ic9010307c2aab7041c8ae30c72cc1bf99fdd22f6
Closes-Bug: 1961578
2022-02-21 14:48:44 +01:00
Takashi Kajinami
9ed9c8da50 Horizon: Fix the wrong policy parameters
This change fixes the wrong policy parameters to inject policy rules
for Octavia and Manila, which were introduced by [1].

[1] f63176e97a19f5587e5cc8a7064109d6b8a4441c

Change-Id: Ifeeca64a699a5a04a71f384d71a8a7737610ecb2
2022-02-21 19:10:31 +09:00
Takashi Kajinami
b1e1df2b75 Enable designate-dashboard
This change ensures designate-dashboard is enabled in Horizon so that
users can manage DNS resources using web UI. Note that panels are still
disabled unless Designate is actually deployed.

Change-Id: I8e9f38e65e00c5944f53e0a150274f6616d472ae
2022-02-21 18:55:32 +09:00
Zuul
882d0a52b2 Merge "Update Barbican Secure-RBAC policy" 2022-02-21 07:06:11 +00:00
Zuul
ebff28c742 Merge "Fix ca-certs-baremetal-puppet.yaml description in header" 2022-02-18 15:59:37 +00:00
David Vallee Delisle
ae866ab47c Adding Hugepages role parameter
Hugepages management was always a manual step done by operators via the
TripleO parameter ``KernelArgs``. This is error prone and causing confusion.

The new ``Hugepages`` parameter allows operators to define hugepages as a
dictionary, making it easier to read and follow.

To prevent involuntary changes, there are multiple validations before
applying a change:
- We convert the current running configurations to an actual dictionary
  that we validate the new format against
- If no change is necessary, even though the format might not be the same,
  there's no kernel_args update.
- By default, we don't remove hugepages in places except when operators
  specifically set the ``ReconfigureHugepages`` to true.

This change is also opening the door to more automations and automatic
tuning.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=2043588
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/828776
Change-Id: I1e05a5ea17c858a86acc170cfb91288884664b05
2022-02-18 10:46:43 -05:00
Zuul
14fab6c803 Merge "Run the SSL verification at step2" 2022-02-18 13:05:48 +00:00
Zuul
24ab619d10 Merge "Exclude /etc/openldap to avoid overriding ro file" 2022-02-18 01:09:16 +00:00
Zuul
adad47c266 Merge "Replace dnf by tripleo_dnf_stream for updates." 2022-02-18 01:09:13 +00:00
Takashi Kajinami
c275d78703 Do not run puppet in docker_config
The docker_config is not intended for puppet execution and doesn't
automatically present the common requirements like fact cache generated
on host to run puppet inside containers.

This merges puppet execution into the base puppet_task to simplify
puppet execution. Because creating ovs bridge requires access to host
pids which is not allowed to container puppet tasks, that specific
task is re-implemented by host prep tasks.

Closes-Bug: #1958240
Change-Id: I7d647afbf26ea11aff4d51cc3ea734881bf5cd32
2022-02-18 02:24:36 +09:00
Zuul
a170fc4c75 Merge "Allow nic-config conversion without Heat" 2022-02-17 17:10:47 +00:00
Zuul
045a7aaf4b Merge "Remove "ceph" tags for the TripleO cephadm branch" 2022-02-17 17:10:44 +00:00
Zuul
41356e407c Merge "Expose tripleo_cephadm_default_container boolean" 2022-02-17 12:01:18 +00:00
bshephar
0c3ea4c286 Allow nic-config conversion without Heat
The current script requires the orchestration (Heat)
be available. This change will allow the script to convert
existing templates provided without the orchestration
service present.

Change-Id: Ie94de5841617cd8dc87ee7dccc5d4ece5b908cb9
2022-02-17 11:15:08 +00:00
Bogdan Dobrelya
27b8210fd4 Align defaults for SoftwareConfigTransport
It should be POLL_SERVER_HEAT as we no longer use Heat CFN.
This follows up I639f5626013cd0ef61c1f9066fab7a7b8806287f

Change-Id: I2ba1be7a5c72a34f67dbf9a79abef66213ff6af6
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2022-02-17 10:01:51 +00:00
David Hill
64a19091ab Run the SSL verification at step2
Run the SSL verification at step2 instead of host_prep as we need
to have CACerts injected before being able to validate the SSL
certificates.  It looks like NodeTLSCerts is getting deprecated
and CI has already moved away from that method.

Change-Id: I5e3491efd12ad2445a3d77f0907fbb766fe54466
Closes-bug: #1961056
2022-02-16 21:03:58 -05:00
Zuul
3b0ffcd9d6 Merge "Allow deployments to run when selinux is disabled" 2022-02-17 01:49:56 +00:00
David Hill
18e7522d6b Fix ca-certs-baremetal-puppet.yaml description in header
Fix ca-certs-baremetal-puppet.yaml description in header

Change-Id: I399260a86a5926f3ed4b69a8c1fc7eb9cb7bbc7c
2022-02-16 20:03:43 -05:00
Douglas Mendizábal
71ed741769 Update Barbican Secure-RBAC policy
Update some barbican policies that were recently changed in a bugfix for
the Barbican API.

Story: 2009664
Depends-On: I1724152839f0f5850f8d32d40b36d1670c0ad996
Change-Id: I9cfca53b3f9370ce86840cc717986cf127ff1119
2022-02-16 12:48:07 -06:00
David Hill
9cb551201b Cleanup openldap certs database
Cleanup openldap certs database as some users will create certs
database that will conflict with system CA certs database and
break openldap functionality within keystone.

Change-Id: Ia76b5ab2e319d66666f109aefe22fb83778b6f2d
2022-02-16 11:30:01 -05:00
Francesco Pantano
19b0b74293 Remove "ceph" tags for the TripleO cephadm branch
The 'ceph' tags included in the cephadm tht directory are directly
inherited from the previous ceph-ansible model.  Those tags were useful
to follow a specific ansible flow during update/upgrade scenarios, but
since cephadm is day1 and upgrades from nautilus to pacific are still
managed by ceph-ansible, we don't have to include these tags, which are
a cause of issues during minor updates.  In addition, as per [1],
>=pacific updates are asynchronous, hence they should not be managed by
TripleO anymore.

[1] https://docs.ceph.com/en/pacific/cephadm/upgrade/#starting-the-upgrade

Change-Id: Id9a6b990c9bc8783f29afca640341962b6a26834
2022-02-16 12:43:32 +01:00
Zuul
a445fbd02b Merge "Validate SSLCertificate is defined" 2022-02-16 01:59:19 +00:00
Zuul
33121f95c8 Merge "Fix Redis config generation when fd limit changes" 2022-02-16 00:22:34 +00:00
John Fulton
d72a23759b Expose tripleo_cephadm_default_container boolean
Even if Ceph is deployed before Heat runs, the Ceph
Dashboard downloads Ceph containers. If the user opts
to get Ceph containers based on the default in cephadm
and not from container_image_prepare_defaults.yaml,
then the same choice should be applied during the
overcloud deployment when the dashboard is deployed.

The deployed_ceph.yaml environment file generated
by 'openstack overcloud ceph deploy' will set this
parameter this patch introduces so the user will not
need to set it more than once.

Depends-On: Ic4f626ebbe1a5332f9f285e5ea6aaa9f24a400b8
Change-Id: I0f64c8738d65c08561a22b09dc9f5ed48af0935c
2022-02-15 09:10:06 +00:00