Damien Ciabrini [Mon, 10 Apr 2017 14:27:35 +0000 (14:27 +0000)]
Puppet module to deploy MySQL bundle for HA
This module is used by tripleo-heat-templates to configure and deploy
Kolla-based mysql containers managed by pacemaker.
We use short-lived containers that call pcs via puppet to create
the needed pacemaker resources, properties and constraints.
Co-Authored-By: Michele Baldesari <michele@acksyn.org>
Partial-Bug: #
1692842
Depends-On: I44fbd7f89ab22b72e8d3fc0a0e3fe54a9418a60f
Depends-On: Ie9b7e7d2a3cec4b121915a17c1e809e4ec950e7f
Change-Id: I3b4d8ad2eec70080419882d5d822f78ebd3721ae
Jenkins [Wed, 24 May 2017 18:21:45 +0000 (18:21 +0000)]
Merge "Add support for autofencing to Pacemaker Remote."
Jenkins [Wed, 24 May 2017 18:21:28 +0000 (18:21 +0000)]
Merge "Enable mistral to run under mod_wsgi"
Juan Antonio Osorio Robles [Tue, 23 May 2017 06:24:36 +0000 (09:24 +0300)]
Enable novajoin user on keystone profile
If novajoin is enabled, the keystone profile should create its user.
bp tls-via-certmonger-containers
Change-Id: Ifb43b72cbf0180cf12e6d3584c92ae01ce5294e5
Jenkins [Mon, 22 May 2017 07:52:07 +0000 (07:52 +0000)]
Merge "TLS everywhere: Add resources for mongodb's TLS configuration"
Jenkins [Fri, 19 May 2017 17:31:22 +0000 (17:31 +0000)]
Merge "Bad example in firewall.pp"
Jenkins [Fri, 19 May 2017 17:30:47 +0000 (17:30 +0000)]
Merge "Switch to overlay2 driver for storage"
Cyril Lopez [Fri, 19 May 2017 10:16:13 +0000 (12:16 +0200)]
Bad example in firewall.pp
It was an error in the example to set firewall rule
Tested on newton.
Closes-Bug:
1691990
Change-Id: I091ad0305ac9d9fbb63853e46169fcaa6092456b
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Dan Prince [Thu, 30 Mar 2017 17:24:55 +0000 (13:24 -0400)]
Switch to overlay2 driver for storage
This patch switches the default to the overlay2 storage driver and see
if it helps performance.
Background:
The loopback driver is not recommended for production. Most
other docker storage backends require extra disks (or partitions)
which we don't have on the root disk. Overlay seems to make the
most since for TripleO upgrades where we intend to update
in-place installations to use docker.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
Jenkins [Thu, 18 May 2017 17:16:44 +0000 (17:16 +0000)]
Merge "Update tox configuration"
Jenkins [Thu, 18 May 2017 05:42:14 +0000 (05:42 +0000)]
Merge "Update gitignore not to exclude fixture hieradata"
Jenkins [Thu, 18 May 2017 00:13:41 +0000 (00:13 +0000)]
Merge "Handle duplicate/invalid entries in migration SSH inbound addresses"
Jenkins [Thu, 18 May 2017 00:13:19 +0000 (00:13 +0000)]
Merge "Disable SSH login for nova_migration user when migration over ssh is disabled."
Alex Schultz [Wed, 17 May 2017 20:45:35 +0000 (14:45 -0600)]
Update gitignore not to exclude fixture hieradata
The existing .gitignore is causing the hieradata we use for tests to be
excluded in git and our release tarballs. Lets adjust the gitignore not
to exclude the hiera files in spec/fixtures
Change-Id: Ic31687d0eb1c2e8acc92796d4c0eba096db8e533
Closes-Bug: #
1691559
Alex Schultz [Wed, 17 May 2017 16:59:30 +0000 (10:59 -0600)]
Update tox configuration
Update the tox configuration to pull in the openstack
upper-constraints.txt when running releasenotes. This will
fix the releasenotes job that is currently failing due to
a new version of sphinx. Additionally this change includes
updates from puppet-modulesync-configs.
Change-Id: Ie587bfde2367dfec796f1b07c01bba15d839a3b1
Related-Bug: #
1691511
Juan Antonio Osorio Robles [Tue, 2 May 2017 13:15:02 +0000 (16:15 +0300)]
TLS everywhere: Add resources for mongodb's TLS configuration
bp tls-via-certmonger
Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
Jenkins [Tue, 16 May 2017 15:03:12 +0000 (15:03 +0000)]
Merge "Use verify_on_create when creating pacemaker remote resources"
Jenkins [Mon, 15 May 2017 17:46:17 +0000 (17:46 +0000)]
Merge "vhostuser socket dir shall be created for vhostuserclient mode"
Karthik S [Fri, 24 Mar 2017 09:33:41 +0000 (05:33 -0400)]
vhostuser socket dir shall be created for vhostuserclient mode
In order to support vhostuser client mode, a vhostuser_socket_dir
needs to be created with qemu:qemu g+w permissions.
Closes-Bug: #
1675690
Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com>
Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8
Signed-off-by: Karthik S <ksundara@redhat.com>
Jenkins [Thu, 11 May 2017 16:49:18 +0000 (16:49 +0000)]
Merge "Add support for Cinder "NAS secure" driver params"
Jenkins [Mon, 8 May 2017 20:26:04 +0000 (20:26 +0000)]
Merge "Migrates OpenDaylight to official repo"
Michele Baldessari [Sat, 6 May 2017 15:40:24 +0000 (17:40 +0200)]
Use verify_on_create when creating pacemaker remote resources
We currently create remote resources without waiting for their creation.
This leads to the following potential race (spotted by Marian Mkrcmari):
- On Step1 pacemaker bootstrap node creates the resource but the remote
resource is not yet created
- Step1 completes and Step2 starts
- On Step2 the remote node sets a property (or calls pcs cib) but the
remote is not yet set up so 'pcs cluster cib' will fail there with:
(err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster
cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed
with code: 1 ->
Note that when verify_on_create is set to true we are not using the cib
dump/push mechanism. That is fine because we create the remotes on
step1 and the dump/push mechanism is only needed starting from step2
when multiple nodes set cluster properties at the same time.
Tested by Marian Mkrcmari successfully as well.
Closes-Bug: #
1689028
Change-Id: I764526b3f3c06591d477cc92779d83a19802368e
Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f
Brad P. Crochet [Thu, 20 Apr 2017 13:33:29 +0000 (09:33 -0400)]
Enable mistral to run under mod_wsgi
Mistral should run under mod_wsgi. Enable that.
Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc
Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
Tim Rozet [Fri, 5 May 2017 17:41:34 +0000 (13:41 -0400)]
Migrates OpenDaylight to official repo
ODL repo has been moved from a personal github account into official ODL
repo.
Change-Id: I1248c22acc09962ef788ca19ee87b6bda8ef8450
Signed-off-by: Tim Rozet <trozet@redhat.com>
Michele Baldessari [Fri, 5 May 2017 10:29:39 +0000 (12:29 +0200)]
Remove limits for redis in /etc/security/limits.d
Now that puppet-redis supports ulimit for cluster managed redis (via
https://github.com/arioch/puppet-redis/pull/192), we need to remove the
file snippet as otherwise we will get a duplicate resource error.
We will need to create a THT change that at the very least sets the
redis::managed_by_cluster_manager key to true so that
/etc/security/limits.d/redis.conf gets created.
We also add code to not break backwards compatibility with the old hiera
key.
Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d
Partial-Bug: #
1688464
Oliver Walsh [Fri, 5 May 2017 00:30:21 +0000 (01:30 +0100)]
Handle duplicate/invalid entries in migration SSH inbound addresses
An error (e.g a typo) in a custom tripleo-heat-templates environment
file could lead to an invalid match block in /etc/ssh/sshd_config.
SSH fails-safe and refuses all logins in this case.
This change validates the migration_ssh_localaddrs parameter is an
array of IP addresses and removes and duplicate entries.
Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #
1688308
Oliver Walsh [Thu, 4 May 2017 19:21:51 +0000 (20:21 +0100)]
Disable SSH login for nova_migration user when migration over ssh is disabled.
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #
1688321
Jenkins [Thu, 4 May 2017 17:30:30 +0000 (17:30 +0000)]
Merge "Restrict nova migration ssh tunnel"
Alan Bishop [Thu, 4 May 2017 16:27:27 +0000 (12:27 -0400)]
Add support for Cinder "NAS secure" driver params
Add ability to set Cinder's nas_secure_file_operations and
nas_secure_file_permissions driver parameters. Two sets of identically
named parameters are implemented by Cinder's NFS and NetApp back end
drivers.
The ability to control these parameters is crucial for supporting deployments
that require non-default values.
Partial-Bug: #
1688332
Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9
Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308
Jenkins [Thu, 4 May 2017 10:50:09 +0000 (10:50 +0000)]
Merge "MySQL client: Make CA file configurable"
Jenkins [Wed, 3 May 2017 21:14:50 +0000 (21:14 +0000)]
Merge "snmp: remove useless parameter for binding"
Oliver Walsh [Wed, 19 Apr 2017 13:39:42 +0000 (14:39 +0100)]
Restrict nova migration ssh tunnel
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
Jenkins [Wed, 3 May 2017 19:43:11 +0000 (19:43 +0000)]
Merge "IPv6 VIP addresses need to be /128"
Juan Antonio Osorio Robles [Wed, 3 May 2017 09:54:38 +0000 (12:54 +0300)]
MySQL client: Make CA file configurable
It used to be hardcoded to use the OpenSSL default CA Bundle, however,
this will be changed in t-h-t.
Change-Id: I75bdaf71d88d169e64687a180cb13c1f63418a0f
Michele Baldessari [Wed, 26 Apr 2017 09:40:51 +0000 (11:40 +0200)]
IPv6 VIP addresses need to be /128
We currently hardcode /64 as our VIP addresses when using IPv6.
The problem with this is that some server code might bind to that
IP as a source address when doing inter-cluster communication
(rabbitmq/galera for example). So when the VIP moves there will
be effectively a network outage between the nodes, which should not
happen.
Likely this was hardcoded to /64 because the RA IPaddr2 needs a nic
parameter when /128 is specified. This is due to:
https://bugzilla.redhat.com/show_bug.cgi?id=
1445628
We also make sure we use the ipv6_addrlabel option set to 99 so that
they will never be used as source ip addresses.
Depends-On: I7fcf15a00aedbdcfb21db501ad46c69fb97ec30c
Partial-Bug: #
1686357
Change-Id: Ibefde870512ad1e03ff12f7aea91b3734f03f96f
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
Co-Authored-By: Marios Andreou <mandreou@redhat.com>
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Jenkins [Wed, 3 May 2017 07:39:07 +0000 (07:39 +0000)]
Merge "firewall: generally accept "jump" param and use tripleo:firewall for log rule"
Emilien Macchi [Tue, 2 May 2017 13:53:51 +0000 (09:53 -0400)]
snmp: remove useless parameter for binding
Binding is now done in THT via Hiera directly, so users can change the
option more easily.
Depends-On: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614
Change-Id: I9d5fd152bb73ea54c4d0d3bab862f11eaa4ebd79
Closes-Bug: #
1687628
Jenkins [Thu, 27 Apr 2017 17:33:56 +0000 (17:33 +0000)]
Merge "Fix wrong notify in swift proxy profile"
Jenkins [Thu, 27 Apr 2017 15:59:58 +0000 (15:59 +0000)]
Merge "Add linuxbridge agent profile"
Jenkins [Thu, 27 Apr 2017 14:52:12 +0000 (14:52 +0000)]
Merge "Include base apache module in tls_proxy resource"
Juan Antonio Osorio Robles [Thu, 27 Apr 2017 07:23:36 +0000 (10:23 +0300)]
Fix wrong notify in swift proxy profile
the TLS proxy was notifying neutron::server instead of swift proxy.
Change-Id: I212978c107a75209d5b7c266e608eb9a9e9cdc76
Juan Antonio Osorio Robles [Thu, 27 Apr 2017 06:56:13 +0000 (09:56 +0300)]
Include base apache module in tls_proxy resource
Other services include it by using the vhost resource from openstacklib.
If we include a service (such as swift-proxy) that uses the tls_proxy
resource, and we do so in a separate node or in its own container, it
will fail since the base apache module hadn't been included.
Change-Id: I0167e08b0b652618d8a1af792376bcf02c8fcd82
Chris Jones [Tue, 25 Apr 2017 15:05:27 +0000 (16:05 +0100)]
Add support for autofencing to Pacemaker Remote.
We now configure stonith devices for Pacemaker Remote nodes.
Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce
Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197
Partial-Bug: #
1686115
Michele Baldessari [Wed, 26 Apr 2017 08:12:50 +0000 (10:12 +0200)]
Add a flag to rabbitmq so that we can deploy with ha-mode: all again
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the
rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a
nice performance boost with rabbitmq, it makes rabbit less resilient to
network glitches as we painfully found out via
https://bugzilla.redhat.com/show_bug.cgi?id=
1441635.
Will propose another THT change to actually change the default to
-1 so we get this ha-mode:all by default.
Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
Partial-Bug: #
1686337
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
Jenkins [Tue, 25 Apr 2017 17:33:53 +0000 (17:33 +0000)]
Merge "Enable internal network TLS for etcd"
Jenkins [Tue, 25 Apr 2017 13:35:02 +0000 (13:35 +0000)]
Merge "Update puppet-etcd version"
Jenkins [Tue, 25 Apr 2017 11:29:16 +0000 (11:29 +0000)]
Merge "Add support for Redfish hardware in Ironic"
Jenkins [Tue, 25 Apr 2017 09:53:09 +0000 (09:53 +0000)]
Merge "Include zaqar apache module"
Jenkins [Tue, 25 Apr 2017 01:58:09 +0000 (01:58 +0000)]
Merge "Dell SC: Add secondary DSM support"
Bogdan Dobrelya [Mon, 24 Apr 2017 16:07:00 +0000 (18:07 +0200)]
Update puppet-etcd version
Include the yaml config file for containers
Change-Id: I3ad463217ed3f2d6374627248236b274cfed72fb
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Dmitry Tantsur [Mon, 24 Apr 2017 12:48:28 +0000 (14:48 +0200)]
Add support for Redfish hardware in Ironic
Part of blueprint redfish-support
Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa
Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
Jenkins [Mon, 24 Apr 2017 12:17:17 +0000 (12:17 +0000)]
Merge "Enable setting SubjectaltNames for haproxy and httpd certs"
Pradeep Kilambi [Tue, 18 Apr 2017 23:14:16 +0000 (19:14 -0400)]
Move ceilometer upgrade re-run out of collector
Since collector is deprecated, lets move this out of collector.pp
so it gets run and resource types are created appropriately even
when collector is not included.
Closes-bug: #
1676961
Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
Jenkins [Fri, 21 Apr 2017 13:39:13 +0000 (13:39 +0000)]
Merge "Allow to configure haproxy daemon's status"
Jenkins [Fri, 21 Apr 2017 13:10:25 +0000 (13:10 +0000)]
Merge "Cover gnocchi api step 4 and 5"
Jenkins [Fri, 21 Apr 2017 13:01:29 +0000 (13:01 +0000)]
Merge "Add resource profile for vmware nsx_v3"
Jenkins [Fri, 21 Apr 2017 12:55:50 +0000 (12:55 +0000)]
Merge "Add ML2 configuration for Bagpipe BGPVPN extension"
Jenkins [Fri, 21 Apr 2017 05:00:27 +0000 (05:00 +0000)]
Merge "Refactor SSHD config to allow both SSHD options and banner/motd to be set"
Jenkins [Fri, 21 Apr 2017 00:06:41 +0000 (00:06 +0000)]
Merge "Update UI language list"
Thomas Herve [Tue, 21 Mar 2017 08:51:26 +0000 (09:51 +0100)]
Include zaqar apache module
This includes the Zaqar apache module, allowing to run Zaqar behind
httpd.
Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906
Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
Jenkins [Thu, 20 Apr 2017 09:26:53 +0000 (09:26 +0000)]
Merge "Haproxy: When using TLS everywhere, use verifyhost for the balancermembers"
Oliver Walsh [Tue, 18 Apr 2017 11:51:36 +0000 (12:51 +0100)]
Refactor SSHD config to allow both SSHD options and banner/motd to be set
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
are mutually exclusive. This patch, and the next patchset of that review,
resolves the conflict.
Related-Bug:
1668543
Change-Id: I1d09530d69e42c0c36311789166554a889e46556
Alex Schultz [Wed, 12 Apr 2017 19:53:44 +0000 (13:53 -0600)]
Cover gnocchi api step 4 and 5
Update the gnocchi api to expose the redis information as a class
parameter so it can be tested correctly.
Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
Dan Prince [Wed, 19 Apr 2017 21:55:54 +0000 (16:55 -0500)]
Ensure /etc/docker/daemon.json
A recent Centos docker packaging change removed the default
/etc/docker/daemon.json file. As such we need to create an empty
json file if none exists before running Augeas to configure
the settings.
Change-Id: Ibfe04b468639002f55da7bb65d2606f730c700b7
Closes-bug: #
1684297
rajinir [Mon, 10 Apr 2017 16:46:03 +0000 (11:46 -0500)]
Dell SC: Add secondary DSM support
Adds support for a secondary DSM in case the primary becomes
unavailable.
Change-Id: Ibf8c333f62556d421d67c853f1f0740d7f9985bf
Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7
Michele Baldessari [Wed, 19 Apr 2017 10:56:46 +0000 (12:56 +0200)]
Allow to configure haproxy daemon's status
Currently we hard-code the fact that haproxy starts as a daemon.
When running haproxy in a container we need this to be configurable
because the haproxy process will be pid number 1.
We are not changing the current semantics which have the 'daemon'
option always set, but we are allowing its disabling.
Change-Id: I51c482b70731f15fee4025bbce14e46a49a49938
Jenkins [Wed, 19 Apr 2017 10:45:55 +0000 (10:45 +0000)]
Merge "Ensure we configure ssl.conf"
Bartosz Stopa [Wed, 19 Apr 2017 07:18:27 +0000 (09:18 +0200)]
Add linuxbridge agent profile
Add a tripleo profile for neutron linuxbridge agent configuration.
Change-Id: Ie3ac03052f341c26735b423701e1decf7233d935
Partial-Bug: #
1652211
Jenkins [Wed, 19 Apr 2017 03:11:07 +0000 (03:11 +0000)]
Merge "Create bigswitch agent profile"
Jenkins [Tue, 18 Apr 2017 19:14:35 +0000 (19:14 +0000)]
Merge "Added release note for "Support for external swift proxy""
Lukas Bezdicka [Thu, 13 Apr 2017 17:21:45 +0000 (19:21 +0200)]
Ensure we configure ssl.conf
Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.
Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug:
1682448
Resolves: rhbz#
1441977
Juan Antonio Osorio Robles [Tue, 18 Apr 2017 12:48:02 +0000 (15:48 +0300)]
Enable setting SubjectaltNames for haproxy and httpd certs
This enables setting the subjectAltNames for HAProxy and httpd certs.
These will eventually replace the usage of many certs, to have instead
just one that has several subjectAltNames.
Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
Luca Lorenzetto [Tue, 18 Apr 2017 12:03:54 +0000 (14:03 +0200)]
Added release note for "Support for external swift proxy"
Change-Id: I7feac65bf814099ab591b473be962e64dec85cbd
Juan Antonio Osorio Robles [Tue, 18 Apr 2017 11:49:09 +0000 (14:49 +0300)]
Haproxy: When using TLS everywhere, use verifyhost for the balancermembers
This checks that the subjectAltName in the backend server's certificate
matches the server's name that was intended to be used.
Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
Jenkins [Tue, 18 Apr 2017 10:59:03 +0000 (10:59 +0000)]
Merge "Allow setting of keepalived router ID"
Jenkins [Tue, 18 Apr 2017 06:58:02 +0000 (06:58 +0000)]
Merge "HAproxy/heat_api: increase timeout to 10m"
Emilien Macchi [Mon, 17 Apr 2017 15:30:23 +0000 (11:30 -0400)]
HAproxy/heat_api: increase timeout to 10m
Default timeout is 2min but it doesn't reflect the rpc_response_timeout
value that we set in THT and instack-undercloud, which is 600 (10 min).
In some cases (in low-memory environments), Heat needs more than 2
minutes to reply to the client, when deploying the overcloud.
It makes sense to increase the timeout to the value of rpc_timeout to
give a chance to Heat to reply to the client, otherwise HAproxy will
kill the connection and send 504 to the client.
Depends-On: I9669d40d86d762101734704fcef153e360767690
Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c
Related-Bug:
1666072
Jenkins [Mon, 17 Apr 2017 18:06:40 +0000 (18:06 +0000)]
Merge "Support for external swift proxy"
Jenkins [Sat, 15 Apr 2017 02:57:28 +0000 (02:57 +0000)]
Merge "Move ceilometer wsgi to step 3"
Jenkins [Sat, 15 Apr 2017 02:54:56 +0000 (02:54 +0000)]
Merge "Move gnocchi wsgi configuration to step 3"
Jenkins [Fri, 14 Apr 2017 23:59:15 +0000 (23:59 +0000)]
Merge "Dell SC: Add exclude_domain_ip option"
Luca Lorenzetto [Fri, 14 Apr 2017 08:45:57 +0000 (10:45 +0200)]
Support for external swift proxy
Users may have an external swift proxy already available (i.e. radosgw
from already existing ceph, or hardware appliance implementing swift
proxy). With this change user may specify an environment file that
registers the specified urls as endpoint for the object-store service.
The internal swift proxy is left as unconfigured.
Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
Jenkins [Thu, 13 Apr 2017 22:15:15 +0000 (22:15 +0000)]
Merge "Make install of kolla optional on the undercloud"
Jenkins [Thu, 13 Apr 2017 15:20:28 +0000 (15:20 +0000)]
Merge "etcd: Make HAProxy terminate TLS connections"
Thomas Herve [Wed, 12 Apr 2017 16:02:46 +0000 (18:02 +0200)]
Allow setting of keepalived router ID
By default the undercloud and the overcloud share virtual_router_id
definition, leading to errors like "ip address associated with VRID not
present in received packet". This allows setting the range for the IDs.
Change-Id: I0c822777824b469b0f8ef0f31b3708fe47d5b2d7
rajinir [Mon, 10 Apr 2017 16:41:29 +0000 (11:41 -0500)]
Dell SC: Add exclude_domain_ip option
This option allows users to exclude some fault domains.
Otherwise all domains are returned.
Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483
Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433
Martin André [Wed, 12 Apr 2017 16:06:15 +0000 (18:06 +0200)]
Make install of kolla optional on the undercloud
This defaults to 'True' to keep backward compatibility and can be
disabled by setting 'enable_container_images_built' to false in
undercloud.conf.
Depends-On: Ia3379cf66b1d6b180def69c2a5b22b2602baacef
Change-Id: I33e7e9a6a3865fed38f7ed6490455457da67782b
Alex Schultz [Wed, 12 Apr 2017 16:34:07 +0000 (10:34 -0600)]
Move gnocchi wsgi configuration to step 3
We configure apache in step3 so we need to configure the gnocchi api in
step 3 as well to prevent unnecessary service restarts during updates.
Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be
Related-Bug: #
1664418
Alex Schultz [Wed, 12 Apr 2017 16:03:22 +0000 (10:03 -0600)]
Move ceilometer wsgi to step 3
Apache is configured in step 3 so if we configure ceilometer in step 4,
the configuration is removed on updates. We need to configure it in step
3 with the other apache services to ensure we don't have issues on
updates.
Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423
Related-Bug: #
1664418
Jenkins [Wed, 12 Apr 2017 15:58:21 +0000 (15:58 +0000)]
Merge "Stop SSHD profile clobbering SSH client config"
Ricardo Noriega [Wed, 12 Apr 2017 10:26:19 +0000 (12:26 +0200)]
Add ML2 configuration for Bagpipe BGPVPN extension
Change-Id: I9e1a56782e258fb6982b70d9a07f35808f2b2de5
Depends-On: Ic975ec1d6b2bf6e6bd28b47ba9dd2a3ae629d149
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
Jenkins [Wed, 12 Apr 2017 10:14:09 +0000 (10:14 +0000)]
Merge "Ensure directory exists for certificates for httpd"
Feng Pan [Fri, 7 Apr 2017 20:24:10 +0000 (16:24 -0400)]
Enable internal network TLS for etcd
bp secure-etcd
Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
Oliver Walsh [Tue, 11 Apr 2017 20:42:44 +0000 (21:42 +0100)]
Stop SSHD profile clobbering SSH client config
Including the ::ssh manifest will manage both client and server config.
Managing the client config was not intended and will clobber the OS
default config with the puppet ssh moduled defaults.
Follow up for https://review.openstack.org/443113 where I found the issue after
the changes merged.
Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
Related-Bug:
1668543
Juan Antonio Osorio Robles [Fri, 24 Mar 2017 09:31:12 +0000 (11:31 +0200)]
Ensure directory exists for certificates for httpd
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
Julie Pichon [Tue, 11 Apr 2017 10:41:49 +0000 (11:41 +0100)]
Update UI language list
Change-Id: I848b3cc747f1be06aeda57ba15d4ec557c23ad46
Depends-On: Idf3d82058d87d9c8a3b6d8973d5166043dad2252
Jenkins [Tue, 11 Apr 2017 06:10:03 +0000 (06:10 +0000)]
Merge "Add registry_mirror to base::docker profile"
Jenkins [Tue, 11 Apr 2017 02:25:15 +0000 (02:25 +0000)]
Merge "Use docker profile in docker_registry"
Juan Antonio Osorio Robles [Mon, 10 Apr 2017 13:09:51 +0000 (16:09 +0300)]
etcd: Make HAProxy terminate TLS connections
When TLS is enabled for the internal network, HAProxy needs to handle
etcd's TLS termination. Else it will use plain text.
bp secure-etcd
Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
Jenkins [Mon, 10 Apr 2017 13:45:40 +0000 (13:45 +0000)]
Merge "Move etcd to step 2"
Code Review / apex-puppet-tripleo.git / log