Alex Schultz [Thu, 6 Apr 2017 21:36:51 +0000 (15:36 -0600)]
Enable splay for os-collect-config
At scale, having the os-collect-config instances all check in at the
same time can cause performance problems. This change enables splay and
sets it to a default maximum random sleep of 30 seconds prior to the
os-collect-config polling.
Change-Id: Iab8b51f4e5fb4727b8aa7e081f5cbfcbf11f7fcb
Depends-On: I88f623c9e8db9ed4a186918206a63faec8f7f673
Closes-Bug: #1677314
Jenkins [Thu, 6 Apr 2017 20:16:29 +0000 (20:16 +0000)]
Merge "Use the local collector to bootstrap deployed servers"
Jenkins [Thu, 6 Apr 2017 16:35:30 +0000 (16:35 +0000)]
Merge "Disable ceilometer API"
Jenkins [Thu, 6 Apr 2017 16:35:16 +0000 (16:35 +0000)]
Merge "Use kolla api to set ownership"
Jenkins [Thu, 6 Apr 2017 12:44:21 +0000 (12:44 +0000)]
Merge "Don't disable satellite repo after registration"
Jenkins [Thu, 6 Apr 2017 10:50:37 +0000 (10:50 +0000)]
Merge "docker-puppet.py fail if any worker fails"
Jenkins [Thu, 6 Apr 2017 10:35:52 +0000 (10:35 +0000)]
Merge "Add manual ovs upgrade script for workaround ovs upgrade issue"
Jenkins [Thu, 6 Apr 2017 10:03:11 +0000 (10:03 +0000)]
Merge "Enforce upgrade_batch_tasks before upgrade_tasks order"
Jenkins [Thu, 6 Apr 2017 09:42:27 +0000 (09:42 +0000)]
Merge "add configurable timeouts for DB sync"
Jenkins [Thu, 6 Apr 2017 09:41:56 +0000 (09:41 +0000)]
Merge "Remove "Core" Service from the CI Environment file"
Jenkins [Thu, 6 Apr 2017 09:41:00 +0000 (09:41 +0000)]
Merge "Add network sysctl tweaks for security"
Jenkins [Thu, 6 Apr 2017 09:10:48 +0000 (09:10 +0000)]
Merge "Add monitoring agents deployment to CI"
Jenkins [Thu, 6 Apr 2017 08:10:28 +0000 (08:10 +0000)]
Merge "Ensure upgrade step orchestration across roles."
Saravanan KR [Wed, 5 Apr 2017 11:59:52 +0000 (17:29 +0530)]
Remove "Core" Service from the CI Environment file
OS::TripleO::Services::Core is still referenced in the CI roles
environment file. Because of which CI is failing when service
template is modified. Removing the obsolete service.
Closes-Bug: #1680043
Change-Id: I168452fa5c2e6d6d8fdf829b9b02996d9ca5532a
Jenkins [Thu, 6 Apr 2017 03:38:42 +0000 (03:38 +0000)]
Merge "Add logging agents deployment to CI"
Jenkins [Thu, 6 Apr 2017 02:10:20 +0000 (02:10 +0000)]
Merge "Add parameters for internal TLS for swift proxy"
Jenkins [Wed, 5 Apr 2017 22:27:34 +0000 (22:27 +0000)]
Merge "Ironic containers: chown /var/lib/ironic correctly"
Mike Bayer [Tue, 3 Jan 2017 16:55:56 +0000 (11:55 -0500)]
add configurable timeouts for DB sync
This patch integrates with the db_sync_timeout
parameter recently added to puppet-nova
and puppet-neutron in
I6b30a4d9e3ca25d9a473e4eb614a8769fa4567e7, which allow for the full
db_sync install to have more time than just Puppet's
default of 300 seconds. Ultimately, similar timeouts
can be added for all other projects that feature
db sync phases, however Nova and Neutron are currently
the ones that are known to time out in some
environments.
Closes-bug: #1661100
Change-Id: Ic47439a0a774e3d74e844d43b58956da8d1887da
Dan Prince [Wed, 29 Mar 2017 02:29:30 +0000 (22:29 -0400)]
Ironic containers: chown /var/lib/ironic correctly
This updates the docker version of ironic-conductor.yaml so
that it sets permissions on the entire /var/lib/ironic
tree correctly. Since 1a4ece16cea40075fe7332ed048b9c289b3ff424
we bind mount in /var/lib/ironic from the host (created via
Ansible if it didn't already exist). This caused a subtle
permissions issue in that the Ironic conductor service
can no longer create sub-directories it needs to operate.
Change-Id: I1eb6b5ddad7cd89ee887e2e429ebe245aa7b80dc
Closes-bug: 1677086
Jenkins [Wed, 5 Apr 2017 16:08:48 +0000 (16:08 +0000)]
Merge "Add l2gw neutron service plugin support"
Jenkins [Wed, 5 Apr 2017 16:02:15 +0000 (16:02 +0000)]
Merge "Addition of firewall rules for Nuage"
Jenkins [Wed, 5 Apr 2017 14:23:49 +0000 (14:23 +0000)]
Merge "Disable core dump for setuid programs"
Martin André [Wed, 5 Apr 2017 06:43:25 +0000 (08:43 +0200)]
Use kolla api to set ownership
Kolla provides a way to set ownership of files and directory inside the
containers. Use it instead of running an additional container to do the
job.
Change-Id: I554faf7c797f3997dd3ca854da032437acecf490
Juan Antonio Osorio Robles [Tue, 4 Apr 2017 07:01:56 +0000 (10:01 +0300)]
Add parameters for internal TLS for swift proxy
This adds the necessary parameter for swift proxy to be terminated
internally by a TLS proxy.
bp tls-via-certmonger
Change-Id: I3cb9d53d75f982068f1025729c1793efaee87380
Depends-On: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
Steve Baker [Thu, 1 Dec 2016 01:02:54 +0000 (01:02 +0000)]
Use the local collector to bootstrap deployed servers
os-collect-config is already configured to use json files in
/var/lib/os-collect-config/local-data/ as a data source, so this can
be used in the deployed-server get-occ-config.sh to copy in the
required json to generate the required os-collect-config.conf.
Co-Authored-By: James Slagle <jslagle@redhat.com>
Closes-Bug: #1679705
Change-Id: Ibde9e6bf360277d4ff64f66d637a5c7f0360e754
Jenkins [Wed, 5 Apr 2017 00:36:14 +0000 (00:36 +0000)]
Merge "Add params to tweak memory limit on mongodb"
Jenkins [Tue, 4 Apr 2017 23:29:12 +0000 (23:29 +0000)]
Merge "Remove kolla_config copy from services"
Martin Mágr [Tue, 14 Feb 2017 21:15:45 +0000 (22:15 +0100)]
Add monitoring agents deployment to CI
This patch enables deployment of sensu-client service in scenario001.
Depends-On: I4895e3b6d3d0e2c12c083133e423cafeecbafe88
Depends-On: Ibabd4688c00c6a12ea22055c95563d906716954d
Change-Id: I377811878712b7615c38094ecbf55dcc67d9ddd5
Jenkins [Tue, 4 Apr 2017 15:06:50 +0000 (15:06 +0000)]
Merge "Remove not-working all-in-one upgrade environment"
Jenkins [Tue, 4 Apr 2017 14:33:32 +0000 (14:33 +0000)]
Merge "Purge initial firewall for deployed-server's"
marios [Wed, 22 Mar 2017 14:09:22 +0000 (16:09 +0200)]
Enforce upgrade_batch_tasks before upgrade_tasks order
If we really want upgrade_batch_tasks before the upgrade_tasks
as described in the README then we should enforce the ordering
Noticed this working on bug 1671504 upgrade tasks were being
executed before batch upgrade tasks.
Closes-Bug: 1678101
Change-Id: Iaa1bce960a37c072b5f8441132705a6bb6eb6ede
Sofer Athlan-Guyot [Mon, 3 Apr 2017 16:28:21 +0000 (18:28 +0200)]
Ensure upgrade step orchestration across roles.
Currently we don't enforce step ordering across role, only within
role. With custom role, we can reach a step5 on one role while the
cluster is still at step3, breaking the contract announced in the
README[1] where each step has a guaranteed cluster state.
We have to remove the conditional here as well as jinja has no way to
access this information, but we need jinja to iterate over all enabled
role to create the orchestration.
This deals only with Upgrade tasks, there is another review to deal
with UpgradeBatch tasks.
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/README.rst
Closes-Bug: #1679486
Change-Id: Ibc6b64424cde56419fe82f984d3cc3620f7eb028
Jenkins [Tue, 4 Apr 2017 01:59:11 +0000 (01:59 +0000)]
Merge "Add ceilometer ipmi agent"
Pradeep Kilambi [Mon, 3 Apr 2017 22:01:27 +0000 (18:01 -0400)]
Add params to tweak memory limit on mongodb
The puppet-tripleo change was added in
Ie9391aa39532507c5de8dd668a70d5b66e17c891.
Closes-bug: #1656558
Change-Id: Ibe2e4be5b5dc953d8d4b14f680a460409db95585
lokesh-jain [Mon, 3 Apr 2017 20:32:53 +0000 (16:32 -0400)]
Addition of firewall rules for Nuage
Added VxLAN and metadata agent firewall rules to neutron-compute-plugin
for Nuage. Removed a deprecated parameter 'OSControllerIp' as well.
Change-Id: If10c300db48c66b9ebeaf74b5f5fee9132e75366
James Slagle [Mon, 3 Apr 2017 16:50:45 +0000 (12:50 -0400)]
Purge initial firewall for deployed-server's
We need to purge the initial firewall for deployed-server's, otherwise
if you have a default REJECT rule, the pacemaker cluster will fail to
initialize. This matches the behavior done when using images, see:
Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3
I0dee5ff045fbfe7b55d078583e16b107eec534aa
Change-Id: Ia83d17b609e4f737074482a980689cc57c3ad911
Closes-Bug: #1679234
Martin André [Wed, 29 Mar 2017 12:11:21 +0000 (14:11 +0200)]
Remove kolla_config copy from services
Simplify the config of the containerized services by bind mounting in
the configurations instead of specifying them all in kolla config.
This change is useful to limit the side effects of generating the
config files and running the container in two separate steps as config
directories are now bind-mounted inside the container instead of having
files being copied to the container. We've seen examples of Apache's
mod_ssl configuration file present on the container preventing it from
starting when puppet configured apache not to load the ssl module (in case
TLS is disabled).
Co-Authored-By: Ian Main <imain@redhat.com>
Change-Id: I4ec5dd8b360faea71a044894a61790997f54d48a
Steven Hardy [Mon, 3 Apr 2017 15:18:16 +0000 (16:18 +0100)]
Remove not-working all-in-one upgrade environment
This won't work because we need to change the state of UpgradeLevelNovaCompute
and EnableConfigPurge during the upgrade - it should have been removed
before release, which was an oversight.
Removing this now to avoid further confusion in future.
Change-Id: I16853cdec6c8fe6ad54f17ae2ad1e0460f1574ea
Closes-Bug: #1679214
Jenkins [Mon, 3 Apr 2017 14:54:18 +0000 (14:54 +0000)]
Merge "Qpid dispatch router composable role"
Jenkins [Mon, 3 Apr 2017 14:54:11 +0000 (14:54 +0000)]
Merge "Remove useless trailing '\n' in /etc/hosts file."
Jenkins [Mon, 3 Apr 2017 14:23:51 +0000 (14:23 +0000)]
Merge "Remove EC2 endpoint from EndpointMap"
Pradeep Kilambi [Tue, 28 Mar 2017 17:25:23 +0000 (13:25 -0400)]
Disable ceilometer API
Ceilometer API has been deprecated since Ocata. Let's disable
it by default and add an env file to enable it if needed.
Closes-bug: #1676968
Change-Id: I571f5467466c29271e0235e8fde6bdae07c20daf
Jenkins [Mon, 3 Apr 2017 10:34:16 +0000 (10:34 +0000)]
Merge "Change heat and mistral to use v3/ec2tokens url"
Jenkins [Mon, 3 Apr 2017 10:11:16 +0000 (10:11 +0000)]
Merge "Fixes port binding controller for OpenDaylight"
Jenkins [Sun, 2 Apr 2017 09:09:09 +0000 (09:09 +0000)]
Merge "Setting keystone region for tacker"
Jenkins [Sun, 2 Apr 2017 03:53:13 +0000 (03:53 +0000)]
Merge "Set auth flag so ceilometer auth is enabled"
Jenkins [Sat, 1 Apr 2017 16:28:19 +0000 (16:28 +0000)]
Merge "Add special case upgrade from openvswitch 2.5.0-14"
Jenkins [Fri, 31 Mar 2017 22:53:10 +0000 (22:53 +0000)]
Merge "Don't check haproxy if external load-balancer is used."
Pradeep Kilambi [Wed, 29 Mar 2017 19:20:40 +0000 (15:20 -0400)]
Set auth flag so ceilometer auth is enabled
Ceilometer Auth should be enabled even if ceilometer api
is not. Let's decouple these, this flag will be used in
puppet-tripleo where ceilometer::keystone::auth class
is initialized.
Change-Id: Iffebd40752eafb1d30b5962da8b5624fb9df7d48
Closes-bug: #1677354
marios [Tue, 28 Mar 2017 07:44:41 +0000 (10:44 +0300)]
Add special case upgrade from openvswitch 2.5.0-14
In [1] we removed the previously used special case upgrade code.
However we have since discovered that for openvswitch 2.5.0-14
the special case is still required with an extra flag to prevent
the restart. This adds the upgrade code back into the minor
update and 'manual upgrade' scripts for compute/swift. The
review at If998704b3c4199bbae8a1d068c31a71763f5c8a2 is adding
this logic for the ansible upgrade steps.
Related-Bug: 1669714
[1] https://review.openstack.org/#/q/59e5f9597eb37f69045e470eb457b878728477d7
Change-Id: I3e5899e2d831b89745b2f37e61ff69dbf83ff595
Mathieu Bultel [Wed, 15 Feb 2017 15:36:17 +0000 (16:36 +0100)]
Add manual ovs upgrade script for workaround ovs upgrade issue
When we upgrade OVS from 2.5 to 2.6, the postrun package update
restarts the services and drops the connectivity.
We need to push this manual upgrade script to the nodes and execute
it for newton to ocata.
The special case is needed for 2.5.0-14 specifically see related
bug for more info (or, older where the postun tries restart).
See related review at [1] for the minor update/manual upgrade.
Related-Bug: 1669714
Depends-On: I3227189691df85f265cf84bd4115d8d4c9f979f3
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
[1] https://review.openstack.org/#/c/450607/
Change-Id: If998704b3c4199bbae8a1d068c31a71763f5c8a2
Jenkins [Fri, 31 Mar 2017 12:40:11 +0000 (12:40 +0000)]
Merge "Add missing ec2api::api::keystone_ec2_tokens_url config"
Dan Radez [Mon, 20 Mar 2017 15:41:36 +0000 (11:41 -0400)]
Setting keystone region for tacker
Change-Id: I170b7e4cff66f0a4b1b6d5735f93c9f0295a5ac5
Juan Antonio Osorio Robles [Fri, 31 Mar 2017 11:15:02 +0000 (14:15 +0300)]
Remove EC2 endpoint from EndpointMap
We are removing this in favor of just using the keystone uri and
appending /ec2tokens
Change-Id: Idab78d61f3931818aa91faad2d68c1fe20f68db6
Juan Antonio Osorio Robles [Fri, 31 Mar 2017 11:14:01 +0000 (14:14 +0300)]
Change heat and mistral to use v3/ec2tokens url
They were using v2.0 and we're getting rid of v2.0/ec2tokens in the
EndpointMap.
Change-Id: Ib9fbbdb0144bb4e250c561613bba6219506ff30f
Jenkins [Thu, 30 Mar 2017 22:04:37 +0000 (22:04 +0000)]
Merge "Re-Add bigswitch agent support"
Martin Mágr [Tue, 13 Dec 2016 13:02:22 +0000 (14:02 +0100)]
Add logging agents deployment to CI
This patch enables deployment of fluentd service in scenario001.
Depends-On: Ibabd4688c00c6a12ea22055c95563d906716954d
Change-Id: Ib24a67f9068efb60b754590503a503344ab1f1df
Jenkins [Thu, 30 Mar 2017 15:11:03 +0000 (15:11 +0000)]
Merge "Output service_metadata_settings in docker services.yaml"
Peng Liu [Tue, 7 Mar 2017 08:45:37 +0000 (16:45 +0800)]
Add l2gw neutron service plugin support
L2 Gateway (L2GW) is an API framework for OpenStack that offers bridging
two or more networks together to make them look at a single broadcast
domain. This patch implements the l2gw neutron service plugin support part
in t-h-t.
Change-Id: I1b52dc2c11a15698e43b6deeac6cadeeba1802d5
Depends-On: I01a8afdc51b2a077be1bbc7855892f68756e1fd3
Partially-Implements: blueprint l2gw-service-integration
Signed-off-by: Peng Liu <pliu@redhat.com>
Jenkins [Thu, 30 Mar 2017 14:06:13 +0000 (14:06 +0000)]
Merge "Do not install openstack-heat-agents"
Jenkins [Thu, 30 Mar 2017 11:51:22 +0000 (11:51 +0000)]
Merge "[N->O] Fix wrong database connection for cell0 during upgrade."
Jenkins [Thu, 30 Mar 2017 11:51:07 +0000 (11:51 +0000)]
Merge "[N->O] is creating 2 default cell_v2 cells"
Jenkins [Thu, 30 Mar 2017 11:51:00 +0000 (11:51 +0000)]
Merge "Add NodeCreateBatchSize parameter"
Sofer Athlan-Guyot [Thu, 30 Mar 2017 10:06:13 +0000 (12:06 +0200)]
Don't check haproxy if external load-balancer is used.
Change-Id: Ia65796b04be9f7cadc57af30ef66788dd8cb7de8
Closes-Bug: 1677539
Jenkins [Thu, 30 Mar 2017 09:03:54 +0000 (09:03 +0000)]
Merge "Run cluster check on nodes configured in wsrep_cluster_address."
Juan Antonio Osorio Robles [Thu, 30 Mar 2017 08:50:48 +0000 (11:50 +0300)]
Output service_metadata_settings in docker services.yaml
This output gets nova metadata into the servers this is deployed to and
is necessary for the TLS-everywhere work.
bp tls-via-certmonger-containers
Change-Id: Iff54f7af9c63a529f88c6455047f6584d29154b4
Jenkins [Thu, 30 Mar 2017 07:38:25 +0000 (07:38 +0000)]
Merge "Include panko in the default dispatcher"
Jenkins [Thu, 30 Mar 2017 05:29:22 +0000 (05:29 +0000)]
Merge "Allow to configure policy.json for OpenStack projects"
Steve Baker [Wed, 29 Mar 2017 22:23:01 +0000 (11:23 +1300)]
Do not install openstack-heat-agents
Installing openstack-heat-agents is unnecessary since it has the same
effect as installing python-heat-agent-* which happens on the next
line.
Installing openstack-heat-agents is causing issues when mixing ocata
and master repos, since there hasn't been a release on master since
ocata was branched.
Change-Id: I1a75e16810b6a89cf1dd9ff4f4b3b5dccfc0466e
Closes-Bug: #1677278
Pradeep Kilambi [Tue, 7 Feb 2017 21:37:35 +0000 (16:37 -0500)]
Add ceilometer ipmi agent
Closes-Bug: #1662679
Change-Id: I3446d59b89d43859caedd2be4583099374944379
zshi [Wed, 29 Mar 2017 08:17:46 +0000 (16:17 +0800)]
Add network sysctl tweaks for security
* Disable Kernel Parameter for Sending ICMP Redirects:
- net.ipv4.conf.default.send_redirects = 0
- net.ipv4.conf.all.send_redirects = 0
Rationale: An attacker could use a compromised host
to send invalid ICMP redirects to other router devices
in an attempt to corrupt routing and have users access
a system set up by the attacker as opposed to a valid
system.
* Disable Kernel Parameter for Accepting ICMP Redirects:
- net.ipv4.conf.default.accept_redirects = 0
Rationale: Attackers could use bogus ICMP redirect
messages to maliciously alter the system routing tables
and get them to send packets to incorrect networks and
allow your system packets to be captured.
* Disable Kernel Parameter for secure ICMP Redirects:
- net.ipv4.conf.default.secure_redirects = 0
- net.ipv4.conf.all.secure_redirects = 0
Rationale: Secure ICMP redirects are the same as ICMP
redirects, except they come from gateways listed on
the default gateway list. It is assumed that these
gateways are known to your system, and that they are
likely to be secure.
* Enable Kernel Parameter to log suspicious packets:
- net.ipv4.conf.default.log_martians = 1
- net.ipv4.conf.all.log_martians = 1
Rationale: Enabling this feature and logging these packets
allows an administrator to investigate the possibility
that an attacker is sending spoofed packets to their system.
* Ensure IPv6 redirects are not accepted by Default
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv6.conf.default.accept_redirects = 0
Rationale: It is recommended that systems not accept ICMP
redirects as they could be tricked into routing traffic to
compromised machines. Setting hard routes within the system
(usually a single default route to a trusted router) protects
the system from bad routes.
Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
John Eckersberg [Thu, 3 Nov 2016 17:54:18 +0000 (13:54 -0400)]
Qpid dispatch router composable role
Note: since it replaces rabbitmq, in order to aim for the smallest
amount of changes the service_name is called 'rabbitmq' so all the
other services do not need additional logic to use qdr.
Depends-On: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608
Change-Id: I27f01d2570fa32de91ffe1991dc873cdf2293dbc
Jenkins [Wed, 29 Mar 2017 02:47:59 +0000 (02:47 +0000)]
Merge "Modify pci_passthrough hiera value as string"
Emilien Macchi [Wed, 15 Mar 2017 01:09:11 +0000 (21:09 -0400)]
Allow to configure policy.json for OpenStack projects
For both containers and classic deployments, allow to configure
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).
Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.
Note: use it with extreme caution.
Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
Pradeep Kilambi [Tue, 28 Mar 2017 12:04:21 +0000 (08:04 -0400)]
Include panko in the default dispatcher
panko is enabled by default, we might as well make it
the default dispatcher along with gnocchi.
Closes-bug: #1676900
Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
Jenkins [Tue, 28 Mar 2017 18:57:42 +0000 (18:57 +0000)]
Merge "Remove 'Controller' role references from overcloud.j2.yaml"
Jenkins [Tue, 28 Mar 2017 17:46:08 +0000 (17:46 +0000)]
Merge "N->O upgrade, blanks ipv6 rules before activating it."
Jenkins [Tue, 28 Mar 2017 17:44:49 +0000 (17:44 +0000)]
Merge "N->O Upgrade, make sure all nova placement parameter properly set."
Jenkins [Tue, 28 Mar 2017 17:44:18 +0000 (17:44 +0000)]
Merge "Stop openstack-nova-compute during nova-ironic upgrade"
Jenkins [Tue, 28 Mar 2017 17:38:03 +0000 (17:38 +0000)]
Merge "Only set EnableConfigPurge on major upgrades"
Jenkins [Tue, 28 Mar 2017 16:35:48 +0000 (16:35 +0000)]
Merge "Updated from global requirements"
Jenkins [Tue, 28 Mar 2017 16:35:41 +0000 (16:35 +0000)]
Merge "Swift auth url should use a suffix"
OpenStack Proposal Bot [Tue, 28 Mar 2017 13:03:01 +0000 (13:03 +0000)]
Updated from global requirements
Change-Id: I86fd68da7b2d96590f21a8511fa1a23dcf1a6dda
Jenkins [Tue, 28 Mar 2017 12:54:11 +0000 (12:54 +0000)]
Merge "MySQL: Use conditional instead of nested stack for TLS-specific bits"
Jenkins [Tue, 28 Mar 2017 11:08:34 +0000 (11:08 +0000)]
Merge "Apache: Use conditional instead of nested stack for TLS-specific bits"
Jenkins [Tue, 28 Mar 2017 11:01:52 +0000 (11:01 +0000)]
Merge "Rabbitmq: Use conditional instead of nested stack for TLS-specific bits"
Yurii Prokulevych [Thu, 23 Mar 2017 13:35:54 +0000 (14:35 +0100)]
Run cluster check on nodes configured in wsrep_cluster_address.
Attempt to check galera's cluster status fails when galera service
is not running on the same node.
Change-Id: I27fb0841d85cd0dc86e92ac2e21eedf5f8f863ab
Jenkins [Tue, 28 Mar 2017 09:28:13 +0000 (09:28 +0000)]
Merge "Remove kolla_config copy from keystone service."
Jenkins [Tue, 28 Mar 2017 09:26:31 +0000 (09:26 +0000)]
Merge "Nic config mappings for deployed-server"
Saravanan KR [Wed, 22 Mar 2017 14:10:29 +0000 (19:40 +0530)]
Modify pci_passthrough hiera value as string
Hiera value of nova::compute::pci_passthrough should be a string.
It has been modified to JSON with the hiera hook changes. Modifying
it again back to string.
Closes-Bug: #1675036
Change-Id: I441907ff313ecc5b7b4da562c6be195687fc6c76
zshi [Tue, 28 Mar 2017 06:18:52 +0000 (14:18 +0800)]
Disable core dump for setuid programs
The core dump of a setuid program is more likely
to contain sensitive data, as the program itself
runs with greater privileges than the user who
initiated execution of the program. Disabling the
ability for any setuid program to write a core
file decreases the risk of unauthorized access of
such data.
This change sets core dump for setuid programs
to '0'.
Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi <zshi@redhat.com>
Jenkins [Tue, 28 Mar 2017 05:58:06 +0000 (05:58 +0000)]
Merge "Restrict Access to Kernel Message Buffer"
Sven Anderson [Mon, 27 Mar 2017 19:39:00 +0000 (21:39 +0200)]
Add missing ec2api::api::keystone_ec2_tokens_url config
Change-Id: I9a19aff24dede2bea3bf2959afa7adde00817ee0
Related-Bug: #1676491
Tim Rozet [Wed, 22 Mar 2017 23:55:31 +0000 (19:55 -0400)]
Fixes port binding controller for OpenDaylight
In Ocata and later, the port binding controller for ODL was changed by
default to be the pseudo agent controller, which requires a new feature
"host config" for OVS. This patch modifies the default to use
network-topology, which will work without any new host config features
implemented (previous way of port binding).
Closes-Bug: 1675211
Depends-On: I5004fdeb238dea81bc4f7e9437843a8a080d5b46
Change-Id: I6a6969d1d6b8d8b8ac31fecd57af85eb653245d2
Signed-off-by: Tim Rozet <trozet@redhat.com>
Jenkins [Mon, 27 Mar 2017 19:59:32 +0000 (19:59 +0000)]
Merge "Sort ResourceGroup resource list"
Dan Prince [Mon, 27 Mar 2017 17:57:06 +0000 (13:57 -0400)]
Remove 'Controller' role references from overcloud.j2.yaml
This patch again removes hard coded role references to
the overcloud.yaml template that was added in
fd15a091f7ab6927833275df17b96ecacc2b1827. This
breaks the composable undercloud work (undercloud-containers ci job as
well).
Change-Id: Ie30b2573dc4d2b45ebc0afc0e0d73bfdf41e4d4b
Closes-bug: #1676528
Ian Main [Mon, 20 Mar 2017 20:27:06 +0000 (16:27 -0400)]
Remove kolla_config copy from keystone service.
Simplify the config of the keystone service by mounting in the
configurations instead of specifying them all in kolla config.
This change is useful to limit the side effects of generating the
config files and running the container in two separate steps as config
directories are now bind-mounted inside the container instead of having
files being copied to the container. We've seen examples of Apache's
mod_ssl configuration file present on the container preventing it from
starting when puppet configured apache not to load the ssl module (in case
TLS is disabled).
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: Ie33ffc7c2b1acf3e4e505d38efb104bf013f2ce6
Jenkins [Mon, 27 Mar 2017 13:19:13 +0000 (13:19 +0000)]
Merge "Run nova-api hosts discovery after nova-compute start"
Jenkins [Mon, 27 Mar 2017 13:06:02 +0000 (13:06 +0000)]
Merge "docker/keystone: Bind mount entire fernet keys repository"
Pradeep Kilambi [Tue, 21 Mar 2017 12:50:07 +0000 (08:50 -0400)]
Swift auth url should use a suffix
gnocchi metricd and statsd are broken due to recent change
to support keystone v3. see I2feed8b1219069128faa1a1e8dcd2ddfbae7e40a
We need swift auth url to have suffix so it knows what endpoint
to use.
Change-Id: I753f37e121b95813e345f200ad3f3e75ec4bd7e1