apex-tripleo-heat-templates.git
Harald Jensas [Thu, 17 Nov 2016 14:37:10 +0000 (15:37 +0100)]
No longer hard coding to a specific network interface name.

Instead of using a specific network interface name, this fix
fetches all ethernet mac addresses. Then uses this list of
mac addresses to do a check if any entries in the list
match any of the values in NetConfigDataLookup for a node.
If there is a match, the /etc/os-net-config/mapping.yaml
file for the node will be written.

This fix removes the hard coded interface name 'eth0' used
to get a mac address as identifier for the specific node
before. Using a hard coded interface name such as 'eth0'
would have failed on most hardware because of "consistent
network device names".

    Fix Bug: #1642551

Change-Id: I6c1d1b4d70b916bc5d9049469df8221f8ab2eb95

Jenkins [Wed, 16 Nov 2016 16:23:14 +0000 (16:23 +0000)]
Merge "Do not manage overcloud repositories when using external Ceph"

Jenkins [Wed, 16 Nov 2016 16:22:49 +0000 (16:22 +0000)]
Merge "Use keystone profile parameter to pass heat password"

Jenkins [Wed, 16 Nov 2016 12:49:21 +0000 (12:49 +0000)]
Merge "Fix up Newton->Ocata rabbitmq ha policy"

Jenkins [Wed, 16 Nov 2016 12:15:25 +0000 (12:15 +0000)]
Merge "Replace ceilometer-dbsync by ceilometer-upgrade"

John Fulton [Tue, 15 Nov 2016 16:35:27 +0000 (11:35 -0500)]
Do not manage overcloud repositories when using external Ceph

ceph::profile::params::manage_repo should default to false when
using external Ceph.

Overcloud Ceph clients use Ceph packages, which may be provided by
the 'ceph' metapackage, but not for all repos, see related bug. So,
this change also includes a list of packages as a workaround as
used in change Ie55d22301dd22102d471e6002dfcaad4bfadd5f6.

Change-Id: I338e51637aa39d3f7bbbad0263740f728d42cb9b
Closes-bug: 1641989
Related-Bug: 1629933

Juan Antonio Osorio Robles [Wed, 16 Nov 2016 06:32:26 +0000 (08:32 +0200)]
Use keystone profile parameter to pass heat password

Instead of relying on an explicit hiera call to get the stack domain
password, this uses the keystone parameter to introduce that value
instead.

Change-Id: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf

Dan Prince [Tue, 15 Nov 2016 22:12:37 +0000 (17:12 -0500)]
Nova base cleanups for hiera json hook

This patch resolves an issue with nova-base.yaml that prevents
it from working with the new heat hiera agent hook (which
uses Json instead of Yaml).

It updates the service so that we only set the upgrade level if it
is not an empty string.

Partial-bug: #1596373

Change-Id: I595f2e16c33a6f935c7ca8935fec445d19c7b8f3

Dan Prince [Thu, 3 Nov 2016 11:44:17 +0000 (07:44 -0400)]
Horizon service cleanups for hiera json hook

This patch resolves a few issues I noticed when porting our
Horizon service to support the new heat hiera agent hook (which
uses Json instead of Yaml).

 -we only need to set django_debug if the string is non-empty. This
  should match previous behavior.

 -remove the duplicated NeutronMechanismDrivers setting. This is already
  managed in the neutron services and shouldn't be set here.

Change-Id: I473e110bb9b14cb8f57d41c4fc398871548726b0
Partial-bug: #1596373

Jenkins [Wed, 16 Nov 2016 02:30:11 +0000 (02:30 +0000)]
Merge "Fix external Load Balancer deployment"

Jenkins [Wed, 16 Nov 2016 00:38:32 +0000 (00:38 +0000)]
Merge "Revert "Adjust MTU to compensate for VLAN tag issue""

Jenkins [Tue, 15 Nov 2016 18:25:02 +0000 (18:25 +0000)]
Merge "Enable internal TLS for Barbican API"

Jenkins [Tue, 15 Nov 2016 14:57:27 +0000 (14:57 +0000)]
Merge "Define keystone token provider"

Jenkins [Tue, 15 Nov 2016 13:07:57 +0000 (13:07 +0000)]
Merge "Disable password reveal in horizon"

Steven Hardy [Tue, 15 Nov 2016 11:31:35 +0000 (11:31 +0000)]
Replace ceilometer-dbsync by ceilometer-upgrade

https://review.openstack.org/#/c/388688/ has removed ceilometer-dbsync so
ceilometer-upgrade must be used instead.

Additionally, ceilometer-dbsync enabled option --skip-gnocchi-resource-types
and ceilometer-upgrade doesn't, so I'm setting it by default to ensure backwards compatibility.

Note this is based on the corresponding fix to puppet-ceilometer ref

https://review.openstack.org/#/c/396570

Change-Id: Ic0a15c75d1cd3e3f70eeafd9ba09d50c58cc1293
Closes-Bug: #1641076

Michele Baldessari [Tue, 15 Nov 2016 10:25:38 +0000 (11:25 +0100)]
Fix external Load Balancer deployment

Deployments using external LB will fail like this:
  deploy_stderr: |
    + RESTART_FOLDER=/var/lib/tripleo/pacemaker-restarts
    + [[ -d /var/lib/tripleo/pacemaker-restarts ]]
    ++ systemctl is-active haproxy
    + haproxy_status=unknown
  deploy_status_code: 3
openstack software deployment show 4f339ca4-7600-4ca0-b0ef-f798bc47b6cf

The reason is that via https://review.openstack.org/#/c/393644/ we
introduced the haproxy restart like this:
haproxy_status=$(systemctl is-active haproxy)
if [ "$haproxy_status" = "active" ]; then
    systemctl reload haproxy
fi

The problem is that if haproxy is not running/installed systemctl
is-active can fail and the script will terminate with an error return
code. Let's just move the call inside the if so the script does not fail
in case haproxy is not there.

The snippet before the change (on a system without haproxy installed):
[root@mrg-09 tmp]# ./test.sh
++ systemctl is-active haproxy
+ haproxy_status=unknown
[root@mrg-09 tmp]# echo $?
3

After this change:
[root@mrg-09 tmp]# ./test.sh
++ systemctl is-active haproxy
+ '[' unknown = active ']'
[root@mrg-09 tmp]# echo $?
0

Change-Id: I837c63a9dbcde8c922f843c442974fa79cf1eede
Closes-Bug: #1641904

Alex Schultz [Mon, 14 Nov 2016 21:51:18 +0000 (14:51 -0700)]
Define keystone token provider

In order to eventually enable fernet tokens for keystone, we need to
specify the token provider. This change codifies the current default
used by TripleO of uuid tokens and fernet token setup disabled.

Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a
Closes-Bug: #1641763

Jenkins [Mon, 14 Nov 2016 17:02:23 +0000 (17:02 +0000)]
Merge "Fix typo in Keystone Sensu subscription"

Jenkins [Mon, 14 Nov 2016 13:18:42 +0000 (13:18 +0000)]
Merge "Use default Sensu redact"

Michele Baldessari [Thu, 20 Oct 2016 18:27:11 +0000 (20:27 +0200)]
Fix up Newton->Ocata rabbitmq ha policy

In ocata we changed the ha policy to "ha-exactly" via the following changes:
- tht: Iace6daf27a76cb8ef1050ada0de7ff1f530916c6
- puppet-tripleo: Ib62001c03e1e08f58cf0c6e0ba07a8879a584084

We initially also took care of changing this policy (which is set in the
pacemaker resource agent) for the M/N upgrade path:
I2468a096b5d7042bc801a742a7a85fb1521c1c02

In the end we decided against changing the policy in Newton as well (it
was only for ocata) as it was too close to the release date and we took
the safer path.
This patch does two things:
1) It renames the upgrade function to "newton_ocata" since that is the
only upgrade path we need to take care of
2) It reinstates the actual upgrade function which was mistakenly
removed via an unrelated change in the ceilometer upgrade path:
If9d6987cd0a8fc5d3f9de518ba422d97d5149732

Closes-Bug: #1628998

Change-Id: I3a97505d2ae1ae27f3080ffe74c33fdabffd2420

Jenkins [Mon, 14 Nov 2016 07:36:34 +0000 (07:36 +0000)]
Merge "Fixes missing OVS Firewall config with OpenDaylight"

Juan Antonio Osorio Robles [Mon, 14 Nov 2016 07:09:52 +0000 (09:09 +0200)]
Enable internal TLS for Barbican API

This adds the necessary hieradata for enabling TLS in the internal
network for Barbican API.

bp tls-via-certmonger
Depends-On: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9

Change-Id: Ib100faa9dc222f836695a0e8f6e101dc7637d1d6

Jenkins [Sat, 12 Nov 2016 13:11:42 +0000 (13:11 +0000)]
Merge "Configure civetweb bind socket via puppet-tripleo"

Jenkins [Fri, 11 Nov 2016 21:19:03 +0000 (21:19 +0000)]
Merge "Neutron L3 service cleanups for hiera json hook"

Jenkins [Fri, 11 Nov 2016 21:04:52 +0000 (21:04 +0000)]
Merge "Enable internal TLS for Cinder API"

Jenkins [Fri, 11 Nov 2016 20:21:43 +0000 (20:21 +0000)]
Merge "Increasing neutron timeout for low memory usage"

Jenkins [Fri, 11 Nov 2016 19:20:08 +0000 (19:20 +0000)]
Merge "Handle null role_data in services"

Tim Rozet [Fri, 11 Nov 2016 18:59:06 +0000 (13:59 -0500)]
Fixes missing OVS Firewall config with OpenDaylight

Currently OVS tunnel firewall rules are held within the neutron ovs
agent service heat template.  That service is not used with ODL, so
consequently ODL was missing the VXLAN and GRE firewall rules and
traffic would not pass between nodes.  This adds the missing rules to
the OpenDaylight OVS service.

Closes-Bug: 1641191

Change-Id: Icfd7db6a3e8fcdd02646fb7e413f40f26b03b994
Signed-off-by: Tim Rozet <trozet@redhat.com>

Giulio Fidente [Wed, 9 Nov 2016 20:08:15 +0000 (21:08 +0100)]
Configure civetweb bind socket via puppet-tripleo

When the civetweb binding IP is version 6 it needs to be enclosed
in brackets or the bind socket parsing fails. The mangling happens
in puppet-tripleo, this change updates the templates to push the
appropriate hiera keys.

Change-Id: Ic7004d768ed5e0f2382ffaa57961ea0ef9162527
Closes-Bug: #1636515
Depends-On: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c

Jenkins [Fri, 11 Nov 2016 14:47:28 +0000 (14:47 +0000)]
Merge "Fix inconsistent Manila service naming"

Arx Cruz [Mon, 24 Oct 2016 14:27:11 +0000 (16:27 +0200)]
Increasing neutron timeout for low memory usage

We are noticing several tests failing in our low memory environment
because of timeout in neutron requests.
As an example the test
tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON
fails because it requests to plug a vif, and send request to neutron,
which responds in more than neutron_url_timeout, and since the option
vif_plugging_is_fatal is set to True as default, the test fails.
Shortly thereafter, checking in neutron log you can see the request,
returning with the proper status, after more than neutron_url_timeout,
however, it's already too late once nova already marked the instance
with error status, and so the test fails.

Closes-Bug: #1641135

Change-Id: If0991c114f199490ac0deb71eb569a42d4711359

Martin Mágr [Tue, 8 Nov 2016 09:04:41 +0000 (10:04 +0100)]
Use default Sensu redact

By default sensu-puppet is overriding default list of variables which should
be redacted. This patch enables to configure redact list and uses default
value given by [1]. This patch also serves as a workaround until [2]
is merged in the module itself (or in case it won't get merged).

[1] https://sensuapp.org/docs/0.24/reference/clients.html
[2] https://github.com/sensu/sensu-puppet/pull/580

Closes-Bug: #1641080
Closes-Bug: rhbz#1392473
Change-Id: I21201f734d2fbf5f571091603126cf11cfdd8c40

Jenkins [Fri, 11 Nov 2016 09:00:55 +0000 (09:00 +0000)]
Merge "Add missing Barbican endpoint from tls-everywhere environment"

Jenkins [Thu, 10 Nov 2016 19:00:08 +0000 (19:00 +0000)]
Merge "Fix race during major-upgrade-pacemaker step"

Jenkins [Thu, 10 Nov 2016 18:36:33 +0000 (18:36 +0000)]
Merge "Removes deprecated overcloud VIP outputs"

Jenkins [Thu, 10 Nov 2016 18:08:11 +0000 (18:08 +0000)]
Merge "Fixes incorrect reference to OpendaylightApiNetwork"

Jenkins [Thu, 10 Nov 2016 18:07:58 +0000 (18:07 +0000)]
Merge "Ensure heat-domain hiera is in nodes that contain keystone"

Steven Hardy [Thu, 10 Nov 2016 17:06:47 +0000 (17:06 +0000)]
Fix inconsistent Manila service naming

The capitalization of OS::Tripleo is wrong compared to all other services
so correct this for avoidance of confusion when folks write custom roles_data
files or pass custom service lists via *Services parameters.

Change-Id: Ib73c80871b45586edb5774e90280ff89fc0d9895
Closes-Bug: 1640871

Martin Mágr [Tue, 8 Nov 2016 08:51:08 +0000 (09:51 +0100)]
Fix typo in Keystone Sensu subscription

Closes-Bug: rhbz#1392428
Closes-Bug: #1640834
Change-Id: I2a1a869493ccb4c8d5b9aea26b8ef947750d2cfe

Jenkins [Thu, 10 Nov 2016 15:07:35 +0000 (15:07 +0000)]
Merge "Select bootstrap node by list index not name"

Dan Prince [Thu, 3 Nov 2016 11:53:46 +0000 (07:53 -0400)]
Neutron L3 service cleanups for hiera json hook

This patch resolves a few issues I noticed when porting our
Neutron L3 service to support the new heat hiera agent hook (which
uses Json instead of Yaml).

 - If NeutronExternalNetworkBridge is an empty string '' Json was
   dropping the single quotes thus causing the bridge to get set
   incorrectly in the config file. To correct this we use a heat
   conditional to avoid setting the external bridge (the '' default
   is what we want in this case) if the bridge is an empty string.

Change-Id: I5037cbde6b76a37a4c22c4616278420e9d759109
Partial-bug: #1596373

Dan Prince [Thu, 10 Nov 2016 12:42:13 +0000 (07:42 -0500)]
Handle null role_data in services

This patch updates the Yaql expressions that work on role_data
so that they evaluate properly when the get_attr for role_data
is null.

I hit issues using this for the heat undercloud installer and this
seems to resolve them.

Change-Id: I0493d0525cd3ad280339f26ef9d3aa311af9962e

Steven Hardy [Wed, 9 Nov 2016 11:35:03 +0000 (11:35 +0000)]
Select bootstrap node by list index not name

Modify the syntax used to access the ResourceGroup attributes so we
always select the first node from the group, e.g. even if the node
named "0" in the ResourceGroup nested stack has been removed due to
the removal policy.

Change-Id: I8b1c9538976a1518b220187a0034ad41a738d5a6
Closes-Bug: #1640449

Jenkins [Thu, 10 Nov 2016 08:53:40 +0000 (08:53 +0000)]
Merge "Add firewall rules for manila api service"

Tom Barron [Wed, 9 Nov 2016 19:01:23 +0000 (14:01 -0500)]
Add firewall rules for manila api service

When the manila api service is deployed
on a different role than the controller the
iptables rules on that role fail to ACCEPT
tcp at the manila API ports.

Add tripleo.manila_api.firewall_rules to
the relevant puppet services module.

Change-Id: I1c5459f5ba989657fd99fd72c7ac9f8781cc7206
Closes-Bug: #1640568

Jenkins [Wed, 9 Nov 2016 18:10:34 +0000 (18:10 +0000)]
Merge "Reload haproxy configuration as a post-deployment step"

Jenkins [Wed, 9 Nov 2016 17:05:41 +0000 (17:05 +0000)]
Merge "ceilometer compute agent needs restart on compute upgrade"

Jenkins [Wed, 9 Nov 2016 16:30:18 +0000 (16:30 +0000)]
Merge "set url_base option in static web middleware"

Alex Schultz [Wed, 9 Nov 2016 15:22:44 +0000 (08:22 -0700)]
Disable password reveal in horizon

To improve security, we should disable the password reveal option in
horizon by default. An end user can override this option via their own
custom hiera if they would ultimately like to have this functionality.

Change-Id: Ie88dac5610840eb4b327252b32dc469099ba5f5f
Depends-On: Iacf899d595a2a3c522df1b96ca527731937ec698
Closes-Bug: 1640492

Michele Baldessari [Wed, 9 Nov 2016 08:05:08 +0000 (09:05 +0100)]
Fix race during major-upgrade-pacemaker step

Currently when we call the major-upgrade step we do the following:
"""
...
if [[ -n $(is_bootstrap_node) ]]; then
    check_clean_cluster
fi
...
if [[ -n $(is_bootstrap_node) ]]; then
    migrate_full_to_ng_ha
fi
...
for service in $(services_to_migrate); do
    manage_systemd_service stop "${service%%-clone}"
    ...
done
"""

The problem with the above code is that it is open to the following race
condition:
1. Code gets run first on a non-bootstrap controller node so we start
stopping a bunch of services
2. Pacemaker will notice that services are down and will mark
the service as stopped
3. Code gets run on the bootstrap node (controller-0) and the
check_clean_cluster function will fail and exit
4. Eventually also the script on the non-bootstrap controller node will
timeout and exit because the cluster never shut down (it never actually
started the shutdown because we failed at 3)

Let's make sure we first only call the HA NG migration step as a
separate heat step. Only afterwards we start shutting down the systemd
services on all nodes.

We also need to move the STONITH_STATE variable into a file because it
is being used across two different scripts (1 and 2) and we need to
store that state.

Co-Authored-By: Athlan-Guyot Sofer <sathlang@redhat.com>
Closes-Bug: #1640407
Change-Id: Ifb9b9e633fcc77604cca2590071656f4b2275c60

Jenkins [Wed, 9 Nov 2016 13:45:28 +0000 (13:45 +0000)]
Merge "Defaults kernel.pid_max to 1048576"

Jenkins [Wed, 9 Nov 2016 13:30:18 +0000 (13:30 +0000)]
Merge "Enable internal TLS for Nova API"

Jenkins [Wed, 9 Nov 2016 10:51:12 +0000 (10:51 +0000)]
Merge "Add Sahara plugins list as a configurable parameter"

Thiago da Silva [Wed, 2 Nov 2016 18:10:51 +0000 (14:10 -0400)]
set url_base option in static web middleware

Depends-On: Icf45cf2aece398b836c87ddffde5d3056e96dc4d

Change-Id: I3577dc38a0b52092ee5e98a381eb52c3d2768c10
Signed-off-by: Thiago da Silva <thiago@redhat.com>

Jenkins [Tue, 8 Nov 2016 16:22:00 +0000 (16:22 +0000)]
Merge "Enable internal TLS for gnocchi"

Pradeep Kilambi [Tue, 8 Nov 2016 13:59:10 +0000 (08:59 -0500)]
ceilometer compute agent needs restart on compute upgrade

After compute nodes are upgraded, the ceilometer compute agent
doesn't poll and throws warnings. Restarting the compute agent
at this step gets the service back to its normal state.

Closes-Bug: #1640177

Change-Id: I7392de43e933b1d16002e12e407748ae289d5e99

Jenkins [Tue, 8 Nov 2016 15:29:01 +0000 (15:29 +0000)]
Merge "Do not reference CephBase from CephExternal service"

Jenkins [Tue, 8 Nov 2016 15:19:19 +0000 (15:19 +0000)]
Merge "Use --globoff when downloading artifacts"

Jenkins [Tue, 8 Nov 2016 15:08:47 +0000 (15:08 +0000)]
Merge "Add SNMP role to the CephStorage nodes"

Carlos Camacho [Fri, 4 Nov 2016 08:27:48 +0000 (09:27 +0100)]
Reload haproxy configuration as a post-deployment step

After deploying a fresh installed Overcloud or updating the stack
the haproxy configuration is updated correctly but no change in the
HA proxy stats happens.

This submission will add the missing resources to run pre and post
puppet tasks.

Closes-bug: 1640175

Change-Id: I2f08704daeee502c618256695a30ce244a1d7ba5

Giulio Fidente [Tue, 8 Nov 2016 11:39:05 +0000 (12:39 +0100)]
Use --globoff when downloading artifacts

We do not encode the chars like [] possibly found in the artifacts
URL, so curl tries to glob against IPv6 addresses in brackets. This
change adds --globoff to the curl options so that IPv6 addresses in
brackets are not misinterpreted.

Closes-Bug: 1640148
Change-Id: Ic86ba1e5fb674bc15b4bcc6bd3ea9e943c4fbf8e

Juan Antonio Osorio Robles [Tue, 1 Nov 2016 10:13:32 +0000 (12:13 +0200)]
Enable internal TLS for Cinder API

This adds the necessary hieradata for enabling TLS in the internal
network for Cinder API.

bp tls-via-certmonger
Depends-On: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863

Change-Id: I126e890076bc96b1cd166a919eff6aa1bb80510b

Tim Rozet [Mon, 7 Nov 2016 21:48:35 +0000 (16:48 -0500)]
Removes deprecated overcloud VIP outputs

These VIPs were previously used to create endpoints, but are no longer
used.  The one exception is KeystoneAdminVip, which is used by the
python-client.

Closes-Bug: 1639956

Change-Id: Iafdf37b6ee91806d683592a99e025a8de4c0ff20
Signed-off-by: Tim Rozet <trozet@redhat.com>

Tim Rozet [Mon, 7 Nov 2016 21:34:45 +0000 (16:34 -0500)]
Fixes incorrect reference to OpendaylightApiNetwork

The renaming of the network to conform to correct case parsing was done
and converted OpenDaylightApiNetwork -> OpendaylightApiNetwork.  There
was still a reference to the old network name which would result in an
empty value being passed to odl_bind_ip.

Closes-Bug: 1639944

Change-Id: I17fe348c4651420112b9b37711654a454e30b291
Signed-off-by: Tim Rozet <trozet@redhat.com>

Juan Antonio Osorio Robles [Wed, 2 Nov 2016 09:01:33 +0000 (11:01 +0200)]
Add missing Barbican endpoint from tls-everywhere environment

Change-Id: Ibabf09a8b6f35c9b086efeffcf7db89ab8d6b63b

Juan Antonio Osorio Robles [Wed, 2 Nov 2016 10:06:05 +0000 (12:06 +0200)]
Ensure heat-domain hiera is in nodes that contain keystone

The commit that this depends on only works if heat is deployed in the
same node as keystone. Once we deploy them in different nodes, keystone
won't be able to retrieve the appropriate hieradata. This fixes that by
setting the appropriate hieradata to be deployed on the keystone service
by the heat profiles.

Change-Id: I1f08db68a14486526879d1a5a1ff78cb17686924
Depends-On: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe

Jenkins [Mon, 7 Nov 2016 16:09:13 +0000 (16:09 +0000)]
Merge "Move per role Services defaults into environment file"

Jenkins [Mon, 7 Nov 2016 14:48:11 +0000 (14:48 +0000)]
Merge "Change nova ram_allocation_ratio to match puppet-nova"

Jenkins [Mon, 7 Nov 2016 14:12:20 +0000 (14:12 +0000)]
Merge "Add an optional extra node admin ssh key parameter"

Steven Hardy [Thu, 27 Oct 2016 08:38:43 +0000 (09:38 +0100)]
Move per role Services defaults into environment file

For parameter merge strategies to work we need to merge multiple environment
files, which doesn't consider the defaults defined in the heat template.

Moving where we define these defaults will enable the merge strategies
applied when appending services to roles in environment files to work.

Change-Id: I1ef1ad685c8a15308d051665c576a98b277f2496
Closes-Bug: #1635409

Jenkins [Mon, 7 Nov 2016 13:35:30 +0000 (13:35 +0000)]
Merge "Move db settings from manila-api to manila-base"

Jenkins [Mon, 7 Nov 2016 13:34:35 +0000 (13:34 +0000)]
Merge "Include keystone authtoken config in manila-share service"

Jenkins [Mon, 7 Nov 2016 12:50:45 +0000 (12:50 +0000)]
Merge "Ensure we update ceph and composable nodes"

Steven Hardy [Wed, 26 Oct 2016 12:15:06 +0000 (13:15 +0100)]
Add an optional extra node admin ssh key parameter

This can be used to pass e.g. the tripleo-validations ssh key into
the deployment.

Change-Id: I861b9e2252a9c8122dcf7df261386f1ea5200c4f
Related-Bug: #1635226

Jenkins [Sat, 5 Nov 2016 16:55:26 +0000 (16:55 +0000)]
Merge "swift/proxy: remove swift::proxy::ceilometer::rabbit_host"

Jenkins [Sat, 5 Nov 2016 12:11:54 +0000 (12:11 +0000)]
Merge "nova: add missing vnc console port in firewall"

Jenkins [Sat, 5 Nov 2016 12:11:47 +0000 (12:11 +0000)]
Merge "nova/libvirt: add missing ports for live-migration"

Ben Nemec [Fri, 4 Nov 2016 19:11:36 +0000 (14:11 -0500)]
Move db settings from manila-api to manila-base

manila-share also needs the db configuration so the db-sync works
correctly when manila-api is running on a non-controller node.

Change-Id: Ib8a6f10ef6a650275fc011e51acfc4b5c7c99164
Closes-Bug: 1633077

Ben Nemec [Fri, 4 Nov 2016 17:28:18 +0000 (12:28 -0500)]
Include keystone authtoken config in manila-share service

Because manila-share is a pacemaker-managed service, it has to be
on the controller node.  If you deploy the api services to a
different node, then manila-share loses access to the authtoken
hieradata generated by manila-api.  Adding it explicitly to the
manila-share config allows this setup to deploy sanely.

Note that I'm having a different problem with manila db-syncs in
this setup, so there's likely another patch required to get it
fully working.

Change-Id: Iac782fa67ea912d24b9905dd8bbafb8ff28dd669
Partial-Bug: 1633077

Jenkins [Fri, 4 Nov 2016 17:23:08 +0000 (17:23 +0000)]
Merge "Updated Nuage neutron plugin name"

Emilien Macchi [Mon, 31 Oct 2016 14:42:10 +0000 (10:42 -0400)]
swift/proxy: remove swift::proxy::ceilometer::rabbit_host

The param is now managed in puppet-tripleo like other services.

Change-Id: I306aa6ac6e2cfc0d4602e15e11564a6be096a121
Depends-On: Ibc0ed642931dd3ada7ee594bb8c70a1c3462206d

Jenkins [Fri, 4 Nov 2016 14:08:15 +0000 (14:08 +0000)]
Merge "Update openstack-puppet-modules dependencies"

Jenkins [Fri, 4 Nov 2016 14:08:08 +0000 (14:08 +0000)]
Merge "Fixup the start of swift services"

Jenkins [Fri, 4 Nov 2016 13:24:39 +0000 (13:24 +0000)]
Merge "Add option to disable "d1" Swift device"

Giulio Fidente [Fri, 4 Nov 2016 10:12:43 +0000 (11:12 +0100)]
Defaults kernel.pid_max to 1048576

In some scenarios we reach the kernel.pid_max value, this change
adds a parameter to the Kernel service for configuration of the
sysctl key and defaults it to 1048576.

Change-Id: Id8f3e6b7ed9846022898d7158fe9180418847085
Closes-Bug: #1639191

Emilien Macchi [Wed, 2 Nov 2016 17:37:07 +0000 (13:37 -0400)]
nova: add missing vnc console port in firewall

- Remove vncproxy firewall rules from nova-api service
- Add vncproxy firewall rules to nova-vncproxy service
- Add console port range firewall rules to nova-libvirt service

Change-Id: I421ae21c130cac6f25e7c0869b941ba77441172c

Emilien Macchi [Mon, 31 Oct 2016 15:02:48 +0000 (11:02 -0400)]
nova/libvirt: add missing ports for live-migration

Some ports are missing to support live-migration. This patch adds them.

Documented here:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/migrating-instances/chapter-1-how-to-migrate-a-live-instance

Change-Id: I72634a9940c11602522322235e51bf27cb664e57

Jenkins [Thu, 3 Nov 2016 17:28:58 +0000 (17:28 +0000)]
Merge "Rework gnocchi-upgrade to run in a separate upgrade step"

Jenkins [Thu, 3 Nov 2016 08:36:35 +0000 (08:36 +0000)]
Merge "gnocchi statsd should be able to send data to port 8125"

marios [Wed, 2 Nov 2016 14:23:30 +0000 (16:23 +0200)]
Fixup the start of swift services

Seems the conditional has changed and we should pickup the
tripleo::profile::base::swift::storage::enable_swift_storage
hiera data.

After controller nodes are upgraded the swift services were down
even though there was no stand-alone swift node (the current
conditional was failing as that hiera isn't set any more)

Closes-Bug: 1638821
Change-Id: Id1383c1e54f9cae13fd375e90da525230e5d23eb

Carlos Camacho [Wed, 2 Nov 2016 13:45:33 +0000 (14:45 +0100)]
Add Sahara plugins list as a configurable parameter

The hardcoded list should be configurable, and defaulted
to their current value.

Change-Id: I517aa61f21c6f4d0975b10a7aa85177c543487e0
Closes-bug: 1560098

Lukas Bezdicka [Tue, 1 Nov 2016 18:01:08 +0000 (19:01 +0100)]
Ensure we update ceph and composable nodes

The update configuration is generated into ceph.yaml and into
{rolename}.yaml. We should ensure puppet hiera is looking for
these files.

Change-Id: I261d16bc365b3d19adc502385edcc509a53ffc2a
Closes-Bug: #1638346
Resolves: rhbz#1388977

Giulio Fidente [Wed, 2 Nov 2016 11:13:18 +0000 (12:13 +0100)]
Do not reference CephBase from CephExternal service

We want CephExternal to work without referencing CephBase which
instead defines common settings for hosted Ceph deployments.

This change fixes a reference to CephBase which was mistakenly
introduced with fix for bug #1632285.

Change-Id: Id27e935f91ad76a6877b3aa7588f54d6140aa41f
Closes-Bug: #1635014

Ihar Hrachyshka [Wed, 2 Nov 2016 10:43:58 +0000 (10:43 +0000)]
Revert "Adjust MTU to compensate for VLAN tag issue"

This reverts commit 4223b88b708e145c1dcdc38e4209ecc9029dd91f.

The underlying neutron bug with native ofctl interface was fixed in Newton.
We no longer need to dumb down deployment MTU to accommodate Neutron.

Change-Id: I9082c2d198a02ac3321488df67a66d336556d64c

Pradeep Kilambi [Tue, 1 Nov 2016 19:43:41 +0000 (15:43 -0400)]
gnocchi statsd should be able to send data to port 8125

Currently udp port 8125 is blocked by default. This can cause issues
when sending statsd data.

Change-Id: Icb5569c4e3dc981e9a8accf32eedd3370552cb34

Jenkins [Tue, 1 Nov 2016 17:27:20 +0000 (17:27 +0000)]
Merge "Add Barbican to the overcloud"

Lukas Bezdicka [Tue, 1 Nov 2016 12:15:22 +0000 (13:15 +0100)]
Update openstack-puppet-modules dependencies

OPM package is metadata package with unversioned requirements which
means that update does not update the dependencies. This leaves us
with old puppet modules and old puppet during the puppet run.

Change-Id: I80f8a73142a09bb4178bb5a396d256ba81ba98a8
Closes-Bug: #1638266
Resolves: rhbz#1390559

Pradeep Kilambi [Wed, 19 Oct 2016 11:32:25 +0000 (07:32 -0400)]
Rework gnocchi-upgrade to run in a separate upgrade step

gnocchi when configured with swift will require keystone
to be available to authenticate to migrate to v3. At this
step keystone is not available and gnocchi upgrade fails
with auth error. Instead start apache in step 3, start
apache first and then run gnocchi upgrade in a separate
step and let upgrade happen here.

Closes-Bug: #1634897

Change-Id: I22d02528420e4456f84b80905a7b3a80653fa7b0

Jenkins [Tue, 1 Nov 2016 12:23:47 +0000 (12:23 +0000)]
Merge "Re-add NFS backend for Glance"

Steven Hardy [Tue, 1 Nov 2016 11:15:38 +0000 (11:15 +0000)]
Change nova ram_allocation_ratio to match puppet-nova

The interface for this moved to init.pp, the one we currently
use now only outputs a warning, it doesn't actually set anything.

Change-Id: Idc40cf0dc4ff0f598e0918e0de8b3233b524cdd5
Closes-Bug: 1638254