Merge "Update Dell EMC Cinder back end services"
authorJenkins <jenkins@review.openstack.org>
Wed, 12 Apr 2017 20:09:14 +0000 (20:09 +0000)
committerGerrit Code Review <review@openstack.org>
Wed, 12 Apr 2017 20:09:14 +0000 (20:09 +0000)
40 files changed:
README.rst
capabilities-map.yaml
ci/environments/scenario004-multinode.yaml
deployed-server/README.rst
deployed-server/deployed-server.yaml
docker/docker-puppet.py
docker/services/gnocchi-api.yaml
docker/services/gnocchi-metricd.yaml
docker/services/gnocchi-statsd.yaml
docker/services/keystone.yaml
docker/services/nova-api.yaml
docker/services/zaqar.yaml
environments/contrail/contrail-net.yaml
environments/docker-services-tls-everywhere.yaml [new file with mode: 0644]
environments/external-loadbalancer-vip-v6.yaml
environments/external-loadbalancer-vip.yaml
environments/logging-environment.yaml
environments/network-environment.yaml
environments/neutron-bgpvpn.yaml
environments/neutron-ml2-cisco-n1kv.yaml
environments/services/keystone_domain_specific_ldap_backend.yaml
environments/updates/update-from-192_0_2-subnet.yaml [new file with mode: 0644]
extraconfig/nova_metadata/krb-service-principals.yaml
extraconfig/tasks/swift-ring-deploy.yaml [deleted file]
extraconfig/tasks/swift-ring-update.yaml [deleted file]
extraconfig/tasks/yum_update.sh
net-config-linux-bridge.yaml
overcloud-resource-registry-puppet.j2.yaml
puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml
puppet/puppet-steps.j2
puppet/role.role.j2.yaml
puppet/services/apache.yaml
puppet/services/kernel.yaml
puppet/services/monitoring/sensu-client.yaml
puppet/services/network/contrail-vrouter.yaml
puppet/services/pacemaker.yaml
puppet/services/services.yaml
puppet/services/swift-ringbuilder.yaml
releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml [new file with mode: 0644]
releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml [new file with mode: 0644]

index 51a21f6..4eed715 100644 (file)
@@ -76,6 +76,8 @@ and should be executed according to the following table:
 +----------------+-------------+-------------+-------------+-------------+-----------------+
 | neutron        |     ovs     |     ovs     |     ovs     |     ovs     |        X        |
 +----------------+-------------+-------------+-------------+-------------+-----------------+
+| neutron-bgpvpn |             |             |             |      X      |                 |
++----------------+-------------+-------------+-------------+-------------+-----------------+
 | rabbitmq       |      X      |      X      |      X      |      X      |        X        |
 +----------------+-------------+-------------+-------------+-------------+-----------------+
 | mongodb        |      X      |      X      |             |             |                 |
index 947ba8b..0af0e82 100644 (file)
@@ -552,7 +552,7 @@ topics:
         description: Enable monitoring agents
         environments:
           - file: environments/monitoring-environment.yaml
-            title: enable monitoring agents
+            title: Enable monitoring agents
             description:
             requires:
               - overcloud-resource-registry-puppet.yaml
@@ -564,6 +564,14 @@ topics:
             description:
             requires:
               - overcloud-resource-registry-puppet.yaml
+      - title: Performance monitoring
+        description: Enable performance monitoring agents
+        environments:
+          - file: environments/collectd-environment.yaml
+            title: Enable performance monitoring agents
+            description:
+            requires:
+              - overcloud-resource-registry-puppet.yaml
 
   - title: Security Options
     description: Security Hardening Options
index dc05ab4..7428d42 100644 (file)
@@ -12,6 +12,7 @@ resource_registry:
   OS::TripleO::Services::ManilaScheduler: ../../puppet/services/manila-scheduler.yaml
   OS::TripleO::Services::ManilaShare: ../../puppet/services/pacemaker/manila-share.yaml
   OS::TripleO::Services::ManilaBackendCephFs: ../../puppet/services/manila-backend-cephfs.yaml
+  OS::TripleO::Services::NeutronBgpVpnApi: ../../puppet/services/neutron-bgpvpn-api.yaml
   # These enable Pacemaker
   OS::TripleO::Tasks::ControllerPrePuppet: ../../extraconfig/tasks/pre_puppet_pacemaker.yaml
   OS::TripleO::Tasks::ControllerPostPuppet: ../../extraconfig/tasks/post_puppet_pacemaker.yaml
@@ -39,6 +40,7 @@ parameter_defaults:
     - OS::TripleO::Services::HeatEngine
     - OS::TripleO::Services::MySQL
     - OS::TripleO::Services::MySQLClient
+    - OS::TripleO::Services::NeutronBgpVpnApi
     - OS::TripleO::Services::NeutronDhcpAgent
     - OS::TripleO::Services::NeutronL3Agent
     - OS::TripleO::Services::NeutronMetadataAgent
@@ -83,3 +85,5 @@ parameter_defaults:
   CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ=='
   CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw=='
   SwiftCeilometerPipelineEnabled: false
+  NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin'
+  BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default'
index e4d8299..8638818 100644 (file)
@@ -67,11 +67,11 @@ example:
 parameter_defaults:
   ControlPlaneDefaultRoute: 192.168.122.130
   ControlPlaneSubnetCidr: "24"
-  EC2MetadataIp: "192.0.2.1"
+  EC2MetadataIp: "192.168.24.1"
 
 In this example, 192.168.122.130 is the external management IP of an
 undercloud, thus it is the default route for the configured local_ip value of
-192.0.2.1.
+192.168.24.1.
 
 
 os-collect-config
index 1e8afb2..afdb5d0 100644 (file)
@@ -81,6 +81,7 @@ resources:
   InstanceIdDeployment:
     type: OS::Heat::StructuredDeployment
     properties:
+      name: InstanceIdDeployment
       config: {get_resource: InstanceIdConfig}
       server: {get_resource: deployed-server}
     depends_on: UpgradeInitDeployment
@@ -103,6 +104,7 @@ resources:
   HostsEntryDeployment:
     type: OS::Heat::SoftwareDeployment
     properties:
+      name: HostsEntryDeployment
       config: {get_resource: HostsEntryConfig}
       server: {get_resource: deployed-server}
 
index c364d03..5c68b08 100755 (executable)
@@ -202,6 +202,12 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
                 '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
                 '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw',
                 '--volume', 'tripleo_logs:/var/log/tripleo/',
+                # OpenSSL trusted CA injection
+                '--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro',
+                '--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro',
+                '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro',
+                '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro',
+                # script injection
                 '--volume', '%s:%s:rw' % (sh_script, sh_script) ]
 
         for volume in volumes:
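Review bot: The `sh_script` mount that the new `# script injection` comment labels is still bind-mounted `:rw`, unlike the four CA trust mounts added just above it, which are all `:ro`. If the container only executes the script (its use is outside this hunk), `'--volume', '%s:%s:ro' % (sh_script, sh_script) ]` would stop a config container from rewriting a file on the host. The CA comment could also state the intent of the read-only mounts, e.g. `# Host CA trust store, read-only: containers trust the host's CAs but cannot change them`. mp_puppet_config starts before this hunk and continues after it.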
index 08f4b56..659785a 100644 (file)
@@ -96,3 +96,7 @@ outputs:
               - /etc/localtime:/etc/localtime:ro
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      upgrade_tasks:
+        - name: Stop and disable httpd service
+          tags: step2
+          service: name=httpd state=stopped enabled=no
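Review bot: The new upgrade task stops and disables `httpd` for the whole host, not only the Gnocchi API vhost, so any other service still served by that httpd on the node goes down at step2 as well; the same task is added for zaqar in docker/services/zaqar.yaml. Whether other httpd-hosted services remain on the host at that step is not visible here, so a comment recording the assumption would help, e.g. `# httpd is shared: this stops every vhost on the host, not just gnocchi-api`. The `service: name=... enabled=no` key=value form, also used in the gnocchi-metricd and gnocchi-statsd tasks, would read more safely as a block mapping with `enabled: false`.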
index 6b41eaa..78494d6 100644 (file)
@@ -71,3 +71,7 @@ outputs:
               - /etc/localtime:/etc/localtime:ro
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      upgrade_tasks:
+        - name: Stop and disable openstack-gnocchi-metricd service
+          tags: step2
+          service: name=openstack-gnocchi-metricd.service state=stopped enabled=no
index 93b616c..7f43984 100644 (file)
@@ -71,3 +71,7 @@ outputs:
               - /etc/localtime:/etc/localtime:ro
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      upgrade_tasks:
+        - name: Stop and disable openstack-gnocchi-statsd service
+          tags: step2
+          service: name=openstack-gnocchi-statsd.service state=stopped enabled=no
index 90ddeb9..526a357 100644 (file)
@@ -36,6 +36,9 @@ parameters:
     default: 'fernet'
     constraints:
       - allowed_values: ['uuid', 'fernet']
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 resources:
 
@@ -46,6 +49,10 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
 
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
   role_data:
     description: Role data for the Keystone API role.
@@ -96,6 +103,16 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - logs:/var/log
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                  - ''
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                  - ''
             environment:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
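Review bot: When `internal_tls_enabled` is false, both `if` expressions resolve to `''`, so the `volumes` list ends up with two empty-string entries. Nothing on this page shows the consumer of `docker_config` dropping empty volume strings; if it does not, they would reach the container runtime as empty volume arguments. A comment on the first `if` would record the assumption, e.g. `# '' is a placeholder when TLS is off; the docker_config consumer must skip empty volumes`. It is also worth saying next to the second mount that the httpd private-key directory is exposed to the container read-only and only when internal TLS is enabled.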
index 4cd48b7..97fafb0 100644 (file)
@@ -50,7 +50,10 @@ outputs:
           - get_attr: [NovaApiBase, role_data, config_settings]
           - apache::default_vhost: false
       step_config: &step_config
-        get_attr: [NovaApiBase, role_data, step_config]
+        list_join:
+          - "\n"
+          - - "['Nova_cell_v2'].each |String $val| { noop_resource($val) }"
+            - {get_attr: [NovaApiBase, role_data, step_config]}
       service_config_settings: {get_attr: [NovaApiBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS
       puppet_config:
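Review bot: The `list_join` that prepends `['Nova_cell_v2'].each |String $val| { noop_resource($val) }` to the step config carries no comment saying why that resource type is turned into a no-op here. A reader of the template cannot tell whether this is a permanent design choice or a workaround for the containerised config run. A short comment above the `list_join` would cover it, e.g. `# Nova_cell_v2 resources are no-op'ed when this manifest runs for the container; TODO(review): state the reason`.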
index 21aff31..1160031 100644 (file)
@@ -56,7 +56,7 @@ outputs:
             - [ {get_param: DockerNamespace}, {get_param: DockerZaqarImage} ]
       kolla_config:
         /var/lib/kolla/config_files/zaqar.json:
-          command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf
+          command: /usr/sbin/httpd -DFOREGROUND
         /var/lib/kolla/config_files/zaqar_websocket.json:
           command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf
       docker_config:
@@ -66,9 +66,13 @@ outputs:
             net: host
             privileged: false
             restart: always
+            # NOTE(mandre) kolla image changes the user to 'zaqar', we need it
+            # to be root to run httpd
+            user: root
             volumes:
               - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro
               - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro
+              - /var/lib/config-data/zaqar/etc/httpd:/etc/httpd/:ro
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
             environment:
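Review bot: `user: root` together with the existing `net: host` means the httpd process serving Zaqar starts as root in the host network namespace, so a flaw in httpd or the WSGI application has more reach than under the image's default `zaqar` user. The NOTE says root is needed to run httpd but not which step needs it, and it does not say whether the workers drop to an unprivileged user afterwards. Extending the comment would let a later change remove root again, e.g. `# root is needed for <what httpd requires>; confirm httpd workers run as an unprivileged user`. `privileged: false` is kept by this hunk and should stay.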
@@ -88,5 +92,4 @@ outputs:
       upgrade_tasks:
         - name: Stop and disable zaqar service
           tags: step2
-          service: name=openstack-zaqar.service state=stopped enabled=no
-
+          service: name=httpd state=stopped enabled=no
index 1e64f91..cca9bea 100644 (file)
@@ -8,7 +8,7 @@ resource_registry:
 
 parameter_defaults:
   ControlPlaneSubnetCidr: '24'
-  ControlPlaneDefaultRoute: 192.0.2.254
+  ControlPlaneDefaultRoute: 192.168.24.254
   InternalApiNetCidr: 10.0.0.0/24
   InternalApiAllocationPools: [{'start': '10.0.0.10', 'end': '10.0.0.200'}]
   InternalApiDefaultRoute: 10.0.0.1
@@ -17,7 +17,7 @@ parameter_defaults:
   ManagementInterfaceDefaultRoute: 10.1.0.1
   ExternalNetCidr: 10.2.0.0/24
   ExternalAllocationPools: [{'start': '10.2.0.10', 'end': '10.2.0.200'}]
-  EC2MetadataIp: 192.0.2.1  # Generally the IP of the Undercloud
+  EC2MetadataIp: 192.168.24.1  # Generally the IP of the Undercloud
   DnsServers: ["8.8.8.8","8.8.4.4"]
   VrouterPhysicalInterface: eth1
   VrouterGateway: 10.0.0.1
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
new file mode 100644 (file)
index 0000000..ec39951
--- /dev/null
@@ -0,0 +1,28 @@
+# This environment contains the services that can work with TLS-everywhere.
+resource_registry:
+  # This can be used when you don't want to run puppet on the host,
+  # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker
+  # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+  OS::TripleO::Services::Docker: ../puppet/services/docker.yaml
+  # The compute node still needs extra initialization steps
+  OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+
+  # NOTE: add roles to be docker enabled as we support them.
+  OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+
+  OS::TripleO::PostDeploySteps: ../docker/post.yaml
+  OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml
+
+  OS::TripleO::Services: ../docker/services/services.yaml
+
+parameter_defaults:
+  # Defaults to 'tripleoupstream'.  Specify a local docker registry
+  # Example: 192.168.24.1:8787/tripleoupstream
+  DockerNamespace: tripleoupstream
+  DockerNamespaceIsRegistry: false
+
+  ComputeServices:
+    - OS::TripleO::Services::NovaCompute
+    - OS::TripleO::Services::NovaLibvirt
+    - OS::TripleO::Services::ComputeNeutronOvsAgent
+    - OS::TripleO::Services::Docker
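Review bot: The header comment presents this as the TLS-everywhere environment, but the file sets no `EnableInternalTLS`, and docker/services/keystone.yaml in this same change defaults that parameter to `false`. Used on its own it would deploy the containerised Keystone without the certificate and key mounts. The comment should say what the file has to be combined with, e.g. `# Does not enable TLS by itself: include it together with the environment that sets EnableInternalTLS to true.`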
index fbd1fb9..bd45517 100644 (file)
@@ -13,7 +13,7 @@ parameter_defaults:
   # to control your VIPs (currently one per network)
   # NOTE: we will eventually move to one VIP per service
   #
-  ControlFixedIPs: [{'ip_address':'192.0.2.251'}]
+  ControlFixedIPs: [{'ip_address':'192.168.24.251'}]
   PublicVirtualFixedIPs: [{'ip_address':'2001:db8:fd00:1000:0000:0000:0000:0005'}]
   InternalApiVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:2000:0000:0000:0000:0005'}]
   StorageVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:3000:0000:0000:0000:0005'}]
index 1759c04..dec9b83 100644 (file)
@@ -12,7 +12,7 @@ parameter_defaults:
   # to control your VIPs (currently one per network)
   # NOTE: we will eventually move to one VIP per service
   #
-  ControlFixedIPs: [{'ip_address':'192.0.2.251'}]
+  ControlFixedIPs: [{'ip_address':'192.168.24.251'}]
   PublicVirtualFixedIPs: [{'ip_address':'10.0.0.251'}]
   InternalApiVirtualFixedIPs: [{'ip_address':'172.16.2.251'}]
   StorageVirtualFixedIPs: [{'ip_address':'172.16.1.251'}]
index c583ca7..ae8bd7b 100644 (file)
@@ -18,7 +18,7 @@ resource_registry:
 ## (note the use of port 24284 for ssl connections)
 #
 # LoggingServers:
-#   - host: 192.0.2.11
+#   - host: 192.168.24.11
 #     port: 24284
 # LoggingUsesSSL: true
 # LoggingSharedKey: secret
index 210b6b0..3de5dba 100644 (file)
@@ -18,8 +18,8 @@ parameter_defaults:
   # CIDR subnet mask length for provisioning network
   ControlPlaneSubnetCidr: '24'
   # Gateway router for the provisioning network (or Undercloud IP)
-  ControlPlaneDefaultRoute: 192.0.2.254
-  EC2MetadataIp: 192.0.2.1  # Generally the IP of the Undercloud
+  ControlPlaneDefaultRoute: 192.168.24.254
+  EC2MetadataIp: 192.168.24.1  # Generally the IP of the Undercloud
   # Customize the IP subnets to match the local environment
   InternalApiNetCidr: 172.17.0.0/24
   StorageNetCidr: 172.18.0.0/24
index 58157df..2a63248 100644 (file)
@@ -12,5 +12,5 @@ resource_registry:
   OS::TripleO::Services::NeutronBgpVpnApi: ../puppet/services/neutron-bgpvpn-api.yaml
 
 parameter_defaults:
-  NeutronServicePlugins: 'networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin'
+  NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin'
   BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default'
index 651e956..8d46e1c 100644 (file)
@@ -5,7 +5,7 @@ resource_registry:
   OS::TripleO::ComputeExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml
 
 parameter_defaults:
-  N1000vVSMIP: '192.0.2.50'
-  N1000vMgmtGatewayIP: '192.0.2.1'
+  N1000vVSMIP: '192.168.24.50'
+  N1000vMgmtGatewayIP: '192.168.24.1'
   N1000vVSMDomainID: '100'
   N1000vVSMHostMgmtIntf: 'br-ex'
index 40b02fc..3cc9c7b 100644 (file)
@@ -5,7 +5,7 @@ parameter_defaults:
   KeystoneLDAPDomainEnable: true
   KeystoneLDAPBackendConfigs:
     tripleoldap:
-      url: ldap://192.0.2.250
+      url: ldap://192.168.24.251
       user: cn=openstack,ou=Users,dc=tripleo,dc=example,dc=com
       password: Secrete
       suffix: dc=tripleo,dc=example,dc=com
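Review bot: The host octet changes from `.250` to `.251` on the `url` line, while every other address in this change keeps its last octet; `192.168.24.251` is also the `ControlFixedIPs` value in the external-loadbalancer examples, so `ldap://192.168.24.250` looks like what was intended. Separately, the example binds over plain `ldap://` with the password on the following line, so a deployment that copies it sends the bind credential unencrypted. A one-line comment such as `# example only: use ldaps:// (or StartTLS) and a real secret in production` would make that clear.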
diff --git a/environments/updates/update-from-192_0_2-subnet.yaml b/environments/updates/update-from-192_0_2-subnet.yaml
new file mode 100644 (file)
index 0000000..1813e7b
--- /dev/null
@@ -0,0 +1,3 @@
+parameter_defaults:
+  ControlPlaneDefaultRoute: 192.0.2.1
+  EC2MetadataIp: 192.0.2.1
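Review bot: The new environment file has no header comment saying when it should be used. The release note in this change says it covers only the simple upgrade case and is not enough for external load balancer, Contrail or Cisco N1KV setups, and the file should carry that itself. Something like `# Upgrade only: keeps the old 192.0.2.x ctlplane values. Does not cover external load balancer, Contrail or Cisco N1KV parameters.` at the top would do.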
index c66e646..56d3cbc 100644 (file)
@@ -46,7 +46,7 @@ resources:
           # Filter null values and values that contain don't contain
           # 'metadata_settings', get the values from that key and get the
           # unique ones.
-          expression: list($.data.where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct())
+          expression: list(coalesce($.data, []).where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct())
           data: {get_param: RoleData}
 
   # Generates entries for nova metadata with the following format:
@@ -57,7 +57,7 @@ resources:
     properties:
       value:
         yaql:
-          expression: let(fqdns => $.data.fqdns) -> dict($.data.metadata.where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))]))
+          expression: let(fqdns => $.data.fqdns) -> dict(coalesce($.data.metadata, []).where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))]))
           data:
             metadata: {get_attr: [IncomingMetadataSettings, value]}
             fqdns:
@@ -72,7 +72,7 @@ resources:
     properties:
       value:
         yaql:
-          expression: dict($.data.where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1]))
+          expression: dict(coalesce($.data, []).where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1]))
           data: {get_attr: [IncomingMetadataSettings, value]}
 
 outputs:
diff --git a/extraconfig/tasks/swift-ring-deploy.yaml b/extraconfig/tasks/swift-ring-deploy.yaml
deleted file mode 100644 (file)
index d17f78a..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-heat_template_version: ocata
-
-parameters:
-  servers:
-    type: json
-  SwiftRingGetTempurl:
-    default: ''
-    description: A temporary Swift URL to download rings from.
-    type: string
-
-resources:
-  SwiftRingDeployConfig:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: script
-      inputs:
-        - name: swift_ring_get_tempurl
-      config: |
-        #!/bin/sh
-        pushd /
-        curl --insecure --silent "${swift_ring_get_tempurl}" | tar xz || true
-        popd
-
-  SwiftRingDeploy:
-    type: OS::Heat::SoftwareDeployments
-    properties:
-      name: SwiftRingDeploy
-      config: {get_resource: SwiftRingDeployConfig}
-      servers:  {get_param: servers}
-      input_values:
-        swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl}
diff --git a/extraconfig/tasks/swift-ring-update.yaml b/extraconfig/tasks/swift-ring-update.yaml
deleted file mode 100644 (file)
index 440c688..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-heat_template_version: ocata
-
-parameters:
-  servers:
-    type: json
-  SwiftRingPutTempurl:
-    default: ''
-    description: A temporary Swift URL to upload rings to.
-    type: string
-
-resources:
-  SwiftRingUpdateConfig:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: script
-      inputs:
-        - name: swift_ring_put_tempurl
-      config: |
-        #!/bin/sh
-        TMP_DATA=$(mktemp -d)
-        function cleanup {
-          rm -Rf "$TMP_DATA"
-        }
-        trap cleanup EXIT
-        # sanity check in case rings are not consistent within cluster
-        swift-recon --md5 | grep -q "doesn't match" && exit 1
-        pushd ${TMP_DATA}
-        tar -cvzf swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/*
-        resp=`curl --insecure --silent -X PUT "${swift_ring_put_tempurl}" --write-out "%{http_code}" --data-binary @swift-rings.tar.gz`
-        popd
-        if [ "$resp" != "201" ]; then
-            exit 1
-        fi
-
-  SwiftRingUpdate:
-    type: OS::Heat::SoftwareDeployments
-    properties:
-      name: SwiftRingUpdate
-      config: {get_resource: SwiftRingUpdateConfig}
-      servers: {get_param: servers}
-      input_values:
-        swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl}
index ad36827..20a5b65 100755 (executable)
@@ -40,9 +40,17 @@ touch "$timestamp_file"
 
 command_arguments=${command_arguments:-}
 
-list_updates=$(yum list updates)
-
-if [[ "$list_updates" == "" ]]; then
+# yum check-update exits 100 if updates are available
+set +e
+check_update=$(yum check-update 2>&1)
+check_update_exit=$?
+set -e
+
+if [[ "$check_update_exit" == "1" ]]; then
+    echo "Failed to check for package updates"
+    echo "$check_update"
+    exit 1
+elif [[ "$check_update_exit" != "100" ]]; then
     echo "No packages require updating"
     exit 0
 fi
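Review bot: Only exit status 1 is treated as a failure; every other status that is not 100 falls into the `elif`, prints "No packages require updating" and exits 0. A `yum check-update` that ends with some other non-zero status would therefore be reported as a clean no-op and the node would silently stay unpatched. Testing for success explicitly avoids that: use `if [[ "$check_update_exit" != "0" && "$check_update_exit" != "100" ]]; then` for the failure branch and `elif [[ "$check_update_exit" == "0" ]]; then` for the no-updates branch. The script continues beyond this hunk.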
index 0466481..a544d54 100644 (file)
@@ -33,7 +33,7 @@ parameters:
   ControlPlaneDefaultRoute: # Override this via parameter_defaults
     description: The default route of the control plane network.
     type: string
-    default: 192.0.2.1
+    default: 192.168.24.1
   EC2MetadataIp: # Override this via parameter_defaults
     description: The IP address of the EC2 metadata server.
     type: string
index f01fb2a..b178068 100644 (file)
@@ -11,9 +11,6 @@ resource_registry:
   OS::TripleO::Tasks::UpdateWorkflow: OS::Heat::None
   OS::TripleO::Tasks::PackageUpdate: extraconfig/tasks/yum_update.yaml
 
-  OS::TripleO::Tasks::SwiftRingDeploy: extraconfig/tasks/swift-ring-deploy.yaml
-  OS::TripleO::Tasks::SwiftRingUpdate: extraconfig/tasks/swift-ring-update.yaml
-
 {% for role in roles %}
   OS::TripleO::{{role.name}}::PreNetworkConfig: OS::Heat::None
   OS::TripleO::{{role.name}}PostDeploySteps: puppet/post.yaml
index bca6010..40b407b 100644 (file)
@@ -10,7 +10,7 @@ parameters:
   # Config specific parameters, to be provided via parameter_defaults
   N1000vVSMIP:
     type: string
-    default: '192.0.2.50'
+    default: '192.168.24.50'
   N1000vVSMDomainID:
     type: number
     default: 100
@@ -62,7 +62,7 @@ parameters:
     default: '255.255.255.0'
   N1000vMgmtGatewayIP:
     type: string
-    default: '192.0.2.1'
+    default: '192.168.24.1'
   N1000vPacemakerControl:
     type: boolean
     default: true
index 86af611..782a32c 100644 (file)
       input_values:
         update_identifier: {get_param: DeployIdentifier}
 
-  {% if role.name in ['Controller', 'ObjectStorage'] %}
-  {{role.name}}SwiftRingDeploy:
-    type: OS::TripleO::Tasks::SwiftRingDeploy
-    properties:
-      servers: {get_param: [servers, {{role.name}}]}
-  {% endif %}
-
   # Step through a series of configuration steps
 {% for step in range(1, 6) %}
   {{role.name}}Deployment_Step{{step}}:
       servers: {get_param: [servers, {{role.name}}]}
       input_values:
         update_identifier: {get_param: DeployIdentifier}
-
-  {% if role.name in ['Controller', 'ObjectStorage'] %}
-  {{role.name}}SwiftRingUpdate:
-    type: OS::TripleO::Tasks::SwiftRingUpdate
-    depends_on:
-  {% for dep in roles %}
-      - {{dep.name}}Deployment_Step5
-  {% endfor %}
-    properties:
-      servers: {get_param: [servers, {{role.name}}]}
-  {% endif %}
 {% endfor %}
index 1f68f41..9227b52 100644 (file)
@@ -483,6 +483,7 @@ resources:
     type: OS::Heat::SoftwareDeployment
     depends_on: NetworkDeployment
     properties:
+      name: UpdateDeployment
       config: {get_resource: UpdateConfig}
       server: {get_resource: {{role}}}
       input_values:
index 9bd282f..6e53b1f 100644 (file)
@@ -77,13 +77,15 @@ outputs:
               - "%{hiera('apache_remote_proxy_ips_network')}"
           -
             generate_service_certificates: true
+            tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
+            tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
             apache_certificates_specs:
               map_merge:
                 repeat:
                   template:
                     httpd-NETWORK:
-                      service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
-                      service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+                      service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
+                      service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
                       hostname: "%{hiera('fqdn_NETWORK')}"
                       principal: "HTTP/%{hiera('fqdn_NETWORK')}"
                   for_each:
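Review bot: The certificate and key paths move into `/etc/pki/tls/certs/httpd` and `/etc/pki/tls/private/httpd`, but nothing visible here deals with files already issued at the old `/etc/pki/tls/private/httpd-NETWORK.key` location. On an upgraded node the old private keys would presumably stay on disk, unused, unless another step removes them; that is worth confirming. A short comment would also explain the move, e.g. `# Per-service directories so the cert and key can be bind-mounted into containers`, which matches the mounts added in docker/services/keystone.yaml. The `apache_certificates_specs` block continues past the end of this hunk.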
index 94b15d4..2a335b6 100644 (file)
@@ -22,6 +22,10 @@ parameters:
     default: 1048576
     description: Configures sysctl kernel.pid_max key
     type: number
+  KernelDisableIPv6:
+    default: 0
+    description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+    type: number
 
 outputs:
   role_data:
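Review bot: `KernelDisableIPv6` is declared as an unconstrained `number`, yet the second hunk writes it straight into two sysctl keys that take 0 or 1. Adding `constraints:` with `- allowed_values: [0, 1]` under the parameter would reject a bad value at stack validation rather than on the node. The description also drops `conf` from the key names; `Configures sysctl net.ipv6.conf.{default,all}.disable_ipv6 keys` matches the keys that are actually set.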
@@ -57,6 +61,10 @@ outputs:
             value: 500000
           net.netfilter.nf_conntrack_max:
             value: 500000
+          net.ipv6.conf.default.disable_ipv6:
+            value: {get_param: KernelDisableIPv6}
+          net.ipv6.conf.all.disable_ipv6:
+            value: {get_param: KernelDisableIPv6}
           # prevent neutron bridges from autoconfiguring ipv6 addresses
           net.ipv6.conf.all.accept_ra:
             value: 0
index aba2b1e..4b5f36a 100644 (file)
@@ -81,4 +81,4 @@ outputs:
         - name: Install sensu package if it was disabled
           tags: step3
           yum: name=sensu state=latest
-          when: sensu_client.rc != 0
+          when: sensu_client_enabled.rc != 0
index db9f083..0cd1f82 100644 (file)
@@ -27,7 +27,7 @@ parameters:
     description: vRouter physical interface
     type: string
   ContrailVrouterGateway:
-    default: '192.0.2.1'
+    default: '192.168.24.1'
     description: vRouter default gateway
     type: string
   ContrailVrouterNetmask:
index 28fcbd6..f7a0edf 100644 (file)
@@ -141,6 +141,8 @@ outputs:
         - name: Check pacemaker cluster running before upgrade
           tags: step0,validation
           pacemaker_cluster: state=online check_and_fail=true
+          async: 30
+          poll: 4
         - name: Stop pacemaker cluster
           tags: step2
           pacemaker_cluster: state=offline
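Review bot: The `async: 30` / `poll: 4` pair added to the cluster validation has no comment saying what it guards against. As written the task is given at most 30 seconds and is polled every 4 seconds, so a slow but healthy cluster check would fail the upgrade validation. A comment such as `# bound the check: fail instead of hanging if the cluster does not answer within 30s` would record the intent and make the chosen limit reviewable.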
index a2286d1..9820b43 100644 (file)
@@ -90,14 +90,11 @@ outputs:
         # fluentd user.
         yaql:
           expression: >
-            set($.data.groups.flatten()).where($)
+            set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($)
           data:
-            groups:
-              - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}]
-              - yaql:
-                  expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null))
-                  data: {role_data: {get_attr: [ServiceChain, role_data]}}
-              - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}]
+            default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]}
+            extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]}
+            role_data: {get_attr: [ServiceChain, role_data]}
       config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}}
       global_config_settings:
         map_merge:
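Review bot: The rewritten expression concatenates `$.data.default + $.data.extra` directly, so if either `LoggingDefaultGroups` or `LoggingExtraGroups` resolves to null the `+` would presumably fail; the old form wrapped each value in a list and let `flatten()` and `.where($)` absorb a null. extraconfig/nova_metadata/krb-service-principals.yaml in this same change guards its inputs with `coalesce(..., [])`, and the same fits here: `coalesce($.data.default, []) + coalesce($.data.extra, [])`. Whether those attributes can be null is not visible in this hunk, so this is a defensive suggestion.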
index 2e3c818..f62d5e1 100644 (file)
@@ -42,6 +42,14 @@ parameters:
     default: true
     description: 'Use a local directory for Swift storage services when building rings'
     type: boolean
+  SwiftRingGetTempurl:
+    default: ''
+    description: A temporary Swift URL to download rings from.
+    type: string
+  SwiftRingPutTempurl:
+    default: ''
+    description: A temporary Swift URL to upload rings to.
+    type: string
 
 conditions:
   swift_use_local_dir:
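Review bot: `SwiftRingGetTempurl` and `SwiftRingPutTempurl` are declared as plain strings, but a temporary URL is a bearer credential: whoever holds it can download or overwrite the ring archive until it expires. Adding `hidden: true` to both parameters keeps them out of parameter listings. The second hunk also copies both values into `config_settings`, so they presumably end up in the node's configuration data; it is worth confirming who can read that.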
@@ -59,6 +67,8 @@ outputs:
     value:
       service_name: swift_ringbuilder
       config_settings:
+        tripleo::profile::base::swift::ringbuilder::swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl}
+        tripleo::profile::base::swift::ringbuilder::swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl}
         tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild}
         tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas}
         tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower}
diff --git a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
new file mode 100644 (file)
index 0000000..8b57f58
--- /dev/null
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Add IPv6 disable option and make it configurable for user to disable IPv6
+    when it's not used, this will descrease the risk of ipv6 attack.
+    Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6
+    will be explicitly set to the default value (0) which is enabled.
diff --git a/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml b/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml
new file mode 100644 (file)
index 0000000..09d3be0
--- /dev/null
@@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    The default network for the ctlplane changed from 192.0.2.0/24 to
+    192.168.24.0/24. All references to the ctlplane network in the templates
+    have been updated to reflect this change. When upgrading from a previous
+    release, if the default network was used for the ctlplane (192.0.2.0/24),
+    then it is necessary to provide as input, via environment file, the correct
+    setting for all the parameters that previously defaulted to 192.0.2.x and
+    now default to 192.168.24.x; there is an environment file which could be
+    used on upgrade `environments/updates/update-from-192_0_2-subnet.yaml` to
+    cover a simple scenario but it won't be enough for scenarios using an
+    external load balancer, Contrail or Cisto N1KV. Follows a list of params to
+    be provided on upgrade.
+    From contrail-net.yaml: EC2MetadataIp, ControlPlaneDefaultRoute
+    From external-loadbalancer-vip-v6.yaml: ControlFixedIPs
+    From external-loadbalancer-vip.yaml: ControlFixedIPs
+    From network-environment.yaml: EC2MetadataIp, ControlPlaneDefaultRoute
+    From neutron-ml2-cisco-n1kv.yaml: N1000vVSMIP, N1000vMgmtGatewayIP
+    From contrail-vrouter.yaml: ContrailVrouterGateway