Juan Antonio Osorio Robles [Wed, 28 Sep 2016 09:51:13 +0000 (09:51 +0000)]
Enable TLS in the internal networkf or Mysql
This adds the necessary hieradata for enabling TLS for MySQL (which
happens to run on the internal network). It also adds a template so
this can be done via certmonger. As with other services, this will
fill the necessary specs for the certificate to be requested in a
hash that will be consumed in puppet-tripleo.
Note that this only enables that we can now use TLS, however, we still
need to configure the services (or limit the users the services use)
to only connect via SSL. But that will be done in another patch, as
there is some things that need to land before we can do this (changes
in puppetlabs-mysql and puppet-openstacklib).
Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118
Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
Jenkins [Thu, 24 Nov 2016 19:25:01 +0000 (19:25 +0000)]
Merge "Increase reserved memory for computes when enabling DVR"
Jenkins [Thu, 24 Nov 2016 19:24:54 +0000 (19:24 +0000)]
Merge "Disable Neutron agents with OVN."
Jenkins [Thu, 24 Nov 2016 19:24:48 +0000 (19:24 +0000)]
Merge "Make Ceilometer notifications non-blocking"
Jenkins [Thu, 24 Nov 2016 17:30:28 +0000 (17:30 +0000)]
Merge "Remove conditional for neutron l3_ha"
Jenkins [Thu, 24 Nov 2016 12:57:23 +0000 (12:57 +0000)]
Merge "Run os-net-config before restarting cluster on update"
Joe Talerico [Tue, 18 Oct 2016 16:01:27 +0000 (12:01 -0400)]
Disable Neutron agents with OVN.
OVN natively implements services that are provided by Neutron agents.
This patch disables the Neutron DHCP agent as well as the OVS agent
for compute nodes.
Closes-bug:
1634580
Change-Id: I70631c2facbbf08257868e26e14af942ad7f2893
Jenkins [Thu, 24 Nov 2016 09:23:59 +0000 (09:23 +0000)]
Merge "Explicitly set rabbit hosts so its not overridden during upgrade"
Jenkins [Thu, 24 Nov 2016 06:45:11 +0000 (06:45 +0000)]
Merge "Add panko api support to service templates"
Jenkins [Wed, 23 Nov 2016 18:50:49 +0000 (18:50 +0000)]
Merge "Add necessary parameters for encrypted volumes support"
Brent Eagles [Tue, 22 Nov 2016 20:48:45 +0000 (17:18 -0330)]
Run os-net-config before restarting cluster on update
Running os-net-config before restarting the cluster prevents changes to
the interface files caused by changes to implementation from bouncing
network interfaces after the cluster has restarted.
Closes-Bug: #
1644138
Change-Id: I65fb104465ff3d37ddc791634302994334136014
Jenkins [Wed, 23 Nov 2016 17:05:45 +0000 (17:05 +0000)]
Merge "Make the CloudDomain defaults match the doc strings"
Jenkins [Wed, 23 Nov 2016 15:57:20 +0000 (15:57 +0000)]
Merge "Remove Combination alarms support"
Pradeep Kilambi [Wed, 23 Nov 2016 15:39:08 +0000 (10:39 -0500)]
Explicitly set rabbit hosts so its not overridden during upgrade
During ceilometer pre upgrade, rabbit host config gets overridden in
ceilometer conf as its setting to defaults. This explicitly sets the
host info in standalone manifest.
Closes-Bug: #
1644278
Change-Id: I862ea7165c5d42ba1f9a19111a8be8934c0ef883
Jenkins [Wed, 23 Nov 2016 15:27:38 +0000 (15:27 +0000)]
Merge "Configure Keystone Fernet Keys"
Jenkins [Wed, 23 Nov 2016 15:27:08 +0000 (15:27 +0000)]
Merge "Fix resource_registry path in enable-internal-tls"
Jenkins [Wed, 23 Nov 2016 10:35:25 +0000 (10:35 +0000)]
Merge "Fix ovs 2.4 to 2.5 upgrade - minor update non controllers"
Jenkins [Wed, 23 Nov 2016 10:09:21 +0000 (10:09 +0000)]
Merge "Containerized Services for Composable Roles"
Jenkins [Wed, 23 Nov 2016 01:29:08 +0000 (01:29 +0000)]
Merge "Enables auto-detection for VIP interfaces"
Julie Pichon [Tue, 22 Nov 2016 20:39:33 +0000 (20:39 +0000)]
Make the CloudDomain defaults match the doc strings
Not having the default easily accessible is causing issues for the UI,
as it cannot guess at it and can accidentally overwrite the value with
an empty string (the expected default when unset). The default is
already helpfully spelled out in the doc string for each file, this
updates the parameter to match it.
Change-Id: Ic284f9904e8f1d01cc717d59a0759f679d94106d
Closes-Bug: #
1643670
marios [Tue, 22 Nov 2016 18:19:26 +0000 (20:19 +0200)]
Fix ovs 2.4 to 2.5 upgrade - minor update non controllers
In I9b1f0eaa0d36a28e20b507bec6a4e9b3af1781ae and
I11fcf688982ceda5eef7afc8904afae44300c2d9 we landed a workaround
for the openvswitch 2.4 to 2.5 upgrade discussed in the bug below.
Unfortunately testing has revealed a problem with the minor update
case specifically for non controllers. It seems we would exit
before the ovs workaround has had a chance to execute. This moves
the block up a few lines to avoid this condition. As with the
other two reviews noted here, this will need to go into newton
and then mitaka too.
Change-Id: If905de82d96302334ebe02de9c43f00faed9b72b
Related-Bug:
1635205
Juan Antonio Osorio Robles [Tue, 22 Nov 2016 12:32:07 +0000 (14:32 +0200)]
Fix resource_registry path in enable-internal-tls
It had a wrong path and thus crashed when one tried to use it.
Change-Id: Ida4f899c76cce6e819d7e0effaf038f699763bee
Closes-Bug: #
1643863
Ian Main [Wed, 15 Jun 2016 06:46:44 +0000 (06:46 +0000)]
Containerized Services for Composable Roles
This change modifies the template interface to support containers and
converts the compute services to composable roles.
Co-Authored-By: Dan Prince <dprince@redhat.com>
Co-Authored-By: Flavio Percoco <flavio@redhat.com>
Co-Authored-By: Martin André <m.andre@redhat.com>
Co-Authored-By: Steve Baker <sbaker@redhat.com>
Change-Id: I82fa58e19de94ec78ca242154bc6ecc592112d1b
Jenkins [Tue, 22 Nov 2016 04:15:23 +0000 (04:15 +0000)]
Merge "Disable Options Indexes in horizon"
Jenkins [Mon, 21 Nov 2016 16:33:14 +0000 (16:33 +0000)]
Merge "Enable enforce_password_check"
Juan Antonio Osorio Robles [Wed, 16 Nov 2016 08:20:46 +0000 (10:20 +0200)]
Add necessary parameters for encrypted volumes support
If barbican is set, it will configure cinder and nova-compute with
the necessary parameters to enable encrypted volumes to be created if
requested.
Change-Id: Id13811cf8e090706c590ffff46c237ff8131efd9
Christian Schwede [Mon, 31 Oct 2016 22:03:11 +0000 (23:03 +0100)]
Make Ceilometer notifications non-blocking
Ceilometer notifications can be sent in a background thread, unblocking
the Swift proxy in case the RabbitMQ is not processing notifications
quick enough or even unavailable.
There is a default queue size of 1000 notifications. If more messages
are added to the queue these will be discarded, and a warning log entry
will be emitted.
Change-Id: I98022dcbf661a5bb7425f49ba8525225d61212dc
Steven Hardy [Fri, 18 Nov 2016 11:45:57 +0000 (11:45 +0000)]
Disable keepalived for HA deployments via t-h-t
Currently this is disabled via a conditional in the keepalived
profile in puppet-tripleo, but this will be incompatible with
the planned composable upgrades implementation. Instead we should
disable the service template by mapping to OS::Heat::None, and
ensure the haproxy manifest uses the t-h-t generated hiera value
keepalived_enabled instead of hard-coding a hiera override in the
haproxy template.
Change-Id: I85a8b1cca7268506de22adfb3a8ce7faa4f157ef
Partial-Bug: #
1642936
Depends-On: I90faf51881bd05920067c1e1d82baf5d7586af23
Jenkins [Fri, 18 Nov 2016 11:08:16 +0000 (11:08 +0000)]
Merge "Use j2 loops in post.j2.yaml"
Jenkins [Fri, 18 Nov 2016 08:31:55 +0000 (08:31 +0000)]
Merge "Correct AllNodesDeploySteps depends_on"
Andreas Karis [Fri, 18 Nov 2016 00:30:11 +0000 (19:30 -0500)]
Disable Options Indexes in horizon
Security scanners complain that directory listings are enabled in horizon.
Change-Id: I1d7cfcb3521e8235a99bc452f1b7b92c20ce72ac
Closes-Bug: #
1637576
Pradeep Kilambi [Thu, 10 Nov 2016 23:34:40 +0000 (18:34 -0500)]
Add panko api support to service templates
This integrates panko service api into tripleo heat templates.
By default, we will disable this service, an environment service
file is included to enable if needed.
Depends-On: I35f283bdf8dd0ed979c65633724f0464695130a4
Change-Id: I07da3030c6dc69cce7327b54091da15a0c58798e
Steven Hardy [Thu, 17 Nov 2016 11:10:56 +0000 (11:10 +0000)]
Remove conditional for neutron l3_ha
This is handled in puppet-tripleo instead so we can remove the
hard-coded reference to ControllerCount and instead use the
hiera neutron_api_node_names to derive the number of neutron API
nodes regardless of roles.
Note that the NeutronL3HA parameter is maintained despite being
marked deprecated because we need to backport this bugfix so we
can't just remove it. I'm not sure if we want to consider removing
the deprecation as leaving the override parameter in place seems
fairly low overhead.
Closes-Bug: #
1629187
Change-Id: I7a77836dcaf809cc7959fca7691a4cd7d4af5d6a
Depends-On: I01c50973eec8138ec61304f2982d5026142f267c
Adam Young [Mon, 14 Nov 2016 19:54:25 +0000 (14:54 -0500)]
Configure Keystone Fernet Keys
Provision the Keystone Fernet Token provider
by installing 2 keys with dynamic content
generated by python-tripleoclient.
Note that this only sets up the necessary keys to use fernet as a token
provider, however, this does not intend to set it up as the default
provider; This will be discussed and will come as part of another
commit.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: Ic070d160b519b8637997dbde165dbf15275e0dfe
Change-Id: Iaa5499614417000c1b9ba42a776a50cb22c1bb30
Luke Hinds [Tue, 15 Nov 2016 13:51:36 +0000 (13:51 +0000)]
Enable enforce_password_check
By setting ENFORCE_PASSWORD_CHECK to `True`, it displays an 'Admin
Password' field on the Change Password form to verify that it is indeed
the admin logged-in who wants to change the password.
Change-Id: Ib11bef93b6b0c74063052875fa361290bf1e92fd
Depends-On: If7af97df7a011569a7e14fbab4f880688d7b82c3
Closes-Bug: #
1640806
Pradeep Kilambi [Wed, 16 Nov 2016 21:09:48 +0000 (16:09 -0500)]
Remove Combination alarms support
combination alarms are completely removed in Ocata.
Remove this from tripleo.
Change-Id: Iec2e26ebdaa108ddbb2cf45fc4b6c68023fb6ce0
Jenkins [Wed, 16 Nov 2016 16:23:14 +0000 (16:23 +0000)]
Merge "Do not manage overcloud repositories when using external Ceph"
Jenkins [Wed, 16 Nov 2016 16:22:49 +0000 (16:22 +0000)]
Merge "Use keystone profile parameter to pass heat password"
Jenkins [Wed, 16 Nov 2016 12:49:21 +0000 (12:49 +0000)]
Merge "Fix up Newton->Ocata rabbitmq ha policy"
Jenkins [Wed, 16 Nov 2016 12:15:25 +0000 (12:15 +0000)]
Merge "Replace ceilometer-dbsync by ceilometer-upgrade"
John Fulton [Tue, 15 Nov 2016 16:35:27 +0000 (11:35 -0500)]
Do not manage overcloud repositories when using external Ceph
ceph::profile::params::manage_repo should default to false when
using external Ceph.
Overcloud Ceph clients use Ceph packages, which may be provided by
the 'ceph' metapackage, but not for all repos, see related bug. So,
this change also includes a list of packages as a workaround as
used in change Ie55d22301dd22102d471e6002dfcaad4bfadd5f6.
Change-Id: I338e51637aa39d3f7bbbad0263740f728d42cb9b
Closes-bug:
1641989
Related-Bug:
1629933
Steven Hardy [Tue, 15 Nov 2016 22:49:18 +0000 (22:49 +0000)]
Correct AllNodesDeploySteps depends_on
This is wrong atm, it should loop to create a list for the depends_on
not multiple depends_on statements.
Note this was first corrected in https://review.openstack.org/#/c/330659/
but we need it as a standalone patch that can be backported.
Change-Id: I4d1d6346f2147e573fc0900038f1ad1d782e75ee
Closes-Bug: #
1642069
Juan Antonio Osorio Robles [Wed, 16 Nov 2016 06:32:26 +0000 (08:32 +0200)]
Use keystone profile parameter to pass heat password
Instead of relying on an explicit hiera call to get the stack domain
password, this uses the keystone parameter to introduce that value
instead.
Change-Id: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
Dan Prince [Tue, 15 Nov 2016 22:12:37 +0000 (17:12 -0500)]
Nova base cleanups for hiera json hook
This patch resolves an issue with nova-base.yaml that prevents
it from working with the new heat hiera agent hook (which
uses Json instead of Yaml).
It updates the service so that we only set the upgrade level if it
is not an empty string.
Partial-bug: #
1596373
Change-Id: I595f2e16c33a6f935c7ca8935fec445d19c7b8f3
Dan Prince [Thu, 3 Nov 2016 11:44:17 +0000 (07:44 -0400)]
Horizon service cleanups for hiera json hook
This patch resolves a few issues I noticed when porting our
Horizon service to support the new heat hiera agent hook (which
uses Json instead of Yaml).
-we only need to set django_debug if the string is non-empty. This
should match previous behavior.
-remove the duplicated NeutronMechanismDrivers setting. This is already
managed in the neutron services and shouldn't be set here.
Change-Id: I473e110bb9b14cb8f57d41c4fc398871548726b0
Partial-bug: #
1596373
Jenkins [Wed, 16 Nov 2016 02:30:11 +0000 (02:30 +0000)]
Merge "Fix external Load Balancer deployment"
Jenkins [Wed, 16 Nov 2016 00:38:32 +0000 (00:38 +0000)]
Merge "Revert "Adjust MTU to compensate for VLAN tag issue""
Jenkins [Tue, 15 Nov 2016 18:25:02 +0000 (18:25 +0000)]
Merge "Enable internal TLS for Barbican API"
Jenkins [Tue, 15 Nov 2016 14:57:27 +0000 (14:57 +0000)]
Merge "Define keystone token provider"
Jenkins [Tue, 15 Nov 2016 13:07:57 +0000 (13:07 +0000)]
Merge "Disable password reveal in horizon"
Steven Hardy [Tue, 15 Nov 2016 11:31:35 +0000 (11:31 +0000)]
Replace ceilometer-dbsync by ceilometer-upgrade
https://review.openstack.org/#/c/388688/ has removed ceilometer-dbsync so
ceilometer-upgrade must be used instead.
Additionally, ceilometer-dbsync enabled option --skip-gnocchi-resource-types
and ceilometer-upgrade doesn't, so i'm setting it by default to ensure backwards compatibility.
Note this is based on the corresponding fix to puppet-ceilometer ref
https://review.openstack.org/#/c/396570
Change-Id: Ic0a15c75d1cd3e3f70eeafd9ba09d50c58cc1293
Closes-Bug: #
1641076
Michele Baldessari [Tue, 15 Nov 2016 10:25:38 +0000 (11:25 +0100)]
Fix external Load Balancer deployment
Deployments using external LB will file like this:
deploy_stderr: |
+ RESTART_FOLDER=/var/lib/tripleo/pacemaker-restarts
+ [[ -d /var/lib/tripleo/pacemaker-restarts ]]
++ systemctl is-active haproxy
+ haproxy_status=unknown
deploy_status_code: 3
openstack software deployment show
4f339ca4-7600-4ca0-b0ef-
f798bc47b6cf
The reason is that via https://review.openstack.org/#/c/393644/ we
introducted the haproxy restart like this:
haproxy_status=$(systemctl is-active haproxy)
if [ "$haproxy_status" = "active" ]; then
systemctl reload haproxy
fi
The problem is that if haproxy is not running/installed systemctl
is-active can fail and the script will terminate with an error return
code. Let's just move the call inside the if so the script does not fail
in case haproxy is not there.
The snippet before the change (on a system without haproxy installed):
[root@mrg-09 tmp]# ./test.sh
++ systemctl is-active haproxy
+ haproxy_status=unknown
[root@mrg-09 tmp]# echo $?
3
After this change:
[root@mrg-09 tmp]# ./test.sh
++ systemctl is-active haproxy
+ '[' unknown = active ']'
[root@mrg-09 tmp]# echo $?
0
Change-Id: I837c63a9dbcde8c922f843c442974fa79cf1eede
Closes-Bug: #
1641904
Alex Schultz [Mon, 14 Nov 2016 21:51:18 +0000 (14:51 -0700)]
Define keystone token provider
In order to eventually enable fernet tokens for keystone, we need to be
specify the token provider. This change codifies the current default
used by TripleO of uuid tokens and fernet token setup disabled.
Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a
Closes-Bug: #
1641763
Jenkins [Mon, 14 Nov 2016 17:02:23 +0000 (17:02 +0000)]
Merge "Fix typo in Keystone Sensu subscription"
Jenkins [Mon, 14 Nov 2016 13:18:42 +0000 (13:18 +0000)]
Merge "Use default Sensu redact"
Michele Baldessari [Thu, 20 Oct 2016 18:27:11 +0000 (20:27 +0200)]
Fix up Newton->Ocata rabbitmq ha policy
In ocata we changed the ha policy to "ha-exactly" via the following changes:
- tht: Iace6daf27a76cb8ef1050ada0de7ff1f530916c6
- puppet-tripleo: Ib62001c03e1e08f58cf0c6e0ba07a8879a584084
We initially also took care of changing this policy (which is set in the
pacemaker resource agent) for the M/N upgrade path:
I2468a096b5d7042bc801a742a7a85fb1521c1c02
In the end we decided against changing the policy in Newton as well (it
was only for ocata) as it was too close to the release date and we took
the safer path.
This patch does two things:
1) It renames the upgrade function to "newton_ocata" since that is the
only upgrade path we need to take care of
2) It reinstates the actual upgrade function which was mistakenly
removed via an unrelated change in the ceilometer upgrade path:
If9d6987cd0a8fc5d3f9de518ba422d97d5149732
Closes-Bug: #
1628998
Change-Id: I3a97505d2ae1ae27f3080ffe74c33fdabffd2420
Jenkins [Mon, 14 Nov 2016 07:36:34 +0000 (07:36 +0000)]
Merge "Fixes missing OVS Firewall config with OpenDaylight"
Juan Antonio Osorio Robles [Mon, 14 Nov 2016 07:09:52 +0000 (09:09 +0200)]
Enable internal TLS for Barbican API
This adds the necessary hieradata for enabling TLS in the internal
network for Barbican API.
bp tls-via-certmonger
Depends-On: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
Change-Id: Ib100faa9dc222f836695a0e8f6e101dc7637d1d6
Jenkins [Sat, 12 Nov 2016 13:11:42 +0000 (13:11 +0000)]
Merge "Configure civetweb bind socket via puppet-tripleo"
Jenkins [Fri, 11 Nov 2016 21:19:03 +0000 (21:19 +0000)]
Merge "Neutron L3 service cleanups for hiera json hook"
Jenkins [Fri, 11 Nov 2016 21:04:52 +0000 (21:04 +0000)]
Merge "Enable internal TLS for Cinder API"
Jenkins [Fri, 11 Nov 2016 20:21:43 +0000 (20:21 +0000)]
Merge "Increasing neutron timeout for low memory usage"
Jenkins [Fri, 11 Nov 2016 19:20:08 +0000 (19:20 +0000)]
Merge "Handle null role_data in services"
Tim Rozet [Fri, 11 Nov 2016 18:59:06 +0000 (13:59 -0500)]
Fixes missing OVS Firewall config with OpenDaylight
Currently OVS tunnel firewall rules are held within the neutron ovs
agent service heat template. That service is not used with ODL, so
consequently ODL was missing the VXLAN and GRE firewall rules and
traffic would not pass between nodes. This adds the missing rules to
the OpenDaylight OVS service.
Closes-Bug:
1641191
Change-Id: Icfd7db6a3e8fcdd02646fb7e413f40f26b03b994
Signed-off-by: Tim Rozet <trozet@redhat.com>
Giulio Fidente [Wed, 9 Nov 2016 20:08:15 +0000 (21:08 +0100)]
Configure civetweb bind socket via puppet-tripleo
When the civetweb binding IP is version 6 it needs to be enclosed
in brackets or the bind socket parsing fails. The mangling happens
in puppet-tripleo, this change updates the templates to push the
appropriate hiera keys.
Change-Id: Ic7004d768ed5e0f2382ffaa57961ea0ef9162527
Closes-Bug: #
1636515
Depends-On: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
Jenkins [Fri, 11 Nov 2016 14:47:28 +0000 (14:47 +0000)]
Merge "Fix inconsistent Manila service naming"
Arx Cruz [Mon, 24 Oct 2016 14:27:11 +0000 (16:27 +0200)]
Increasing neutron timeout for low memory usage
We are noticing several tests failing in our low memory environment
because of timeout in neutron requests.
As an example the test
tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON
fails because it requests to plug a vif, and send request to neutron,
which responds in more than neutron_url_timeout, and since the option
vif_plugging_is_fatal is set to True as default, the test fails.
Shortly thereafter, checking in neutron log you can see the request,
returning with the proper status, after more than neutron_url_timeout,
however, it's already too late once nova already marked the instance
with error status, and so the test fails.
Closes-Bug: #
1641135
Change-Id: If0991c114f199490ac0deb71eb569a42d4711359
Brent Eagles [Wed, 5 Oct 2016 18:06:00 +0000 (15:36 -0230)]
Increase reserved memory for computes when enabling DVR
This patch adds an example increased value for NovaReservedHostMemory
and some documentation around tuning this value when DVR is enabled.
Closes-Bug: #
1630583
Change-Id: I2718d72d307a1c90061606e5f36c96f964cd2fb5
Martin Mágr [Tue, 8 Nov 2016 09:04:41 +0000 (10:04 +0100)]
Use default Sensu redact
By default sensu-puppet is overring default list of varibles which should
be redacted. This patch enables to configure redact list and uses default
value given by [1]. This patch also serves as a workaround until [2]
is merged in the module itself (or in case it won't get merged).
[1] https://sensuapp.org/docs/0.24/reference/clients.html
[2] https://github.com/sensu/sensu-puppet/pull/580
Closes-Bug: #
1641080
Closes-Bug: rhbz#
1392473
Change-Id: I21201f734d2fbf5f571091603126cf11cfdd8c40
Jenkins [Fri, 11 Nov 2016 09:00:55 +0000 (09:00 +0000)]
Merge "Add missing Barbican endpoint from tls-everywhere environment"
Jenkins [Thu, 10 Nov 2016 19:00:08 +0000 (19:00 +0000)]
Merge "Fix race during major-upgrade-pacemaker step"
Jenkins [Thu, 10 Nov 2016 18:36:33 +0000 (18:36 +0000)]
Merge "Removes deprecated overcloud VIP outputs"
Jenkins [Thu, 10 Nov 2016 18:08:11 +0000 (18:08 +0000)]
Merge "Fixes incorrect reference to OpendaylightApiNetwork"
Jenkins [Thu, 10 Nov 2016 18:07:58 +0000 (18:07 +0000)]
Merge "Ensure heat-domain hiera is in nodes that contain keystone"
Steven Hardy [Thu, 10 Nov 2016 17:06:47 +0000 (17:06 +0000)]
Fix inconsistent Manila service naming
The capitalization of OS::Tripleo is wrong compared to all other services
so correct this for avoidance of confusion when folks write custom roles_data
files or pass custom service lists via *Services parameters.
Change-Id: Ib73c80871b45586edb5774e90280ff89fc0d9895
Closes-Bug:
1640871
Martin Mágr [Tue, 8 Nov 2016 08:51:08 +0000 (09:51 +0100)]
Fix typo in Keystone Sensu subscription
Closes-Bug: rhbz#
1392428
Closes-Bug: #
1640834
Change-Id: I2a1a869493ccb4c8d5b9aea26b8ef947750d2cfe
Jenkins [Thu, 10 Nov 2016 15:07:35 +0000 (15:07 +0000)]
Merge "Select bootstrap node by list index not name"
Steven Hardy [Thu, 10 Nov 2016 14:16:29 +0000 (14:16 +0000)]
Use j2 loops in post.j2.yaml
Simplify this file by removing the hard-coded resources and instead
generate the resources for each step via a loop.
Change-Id: Id89863b9e75769e1a85ebe8bfa4a554f7b38e357
Dan Prince [Thu, 3 Nov 2016 11:53:46 +0000 (07:53 -0400)]
Neutron L3 service cleanups for hiera json hook
This patch resolves a few issues I noticed when porting our
Neutron L3 service to support the new heat hiera agent hook (which
uses Json instead of Yaml).
- If NeutronExternalNetworkBridge is an emptry string '' Json was
dropping the single quotes thus causing the bridge to get set
incorrectly in the config file. To correct this we use a heat
conditional to avoid setting the external bridge (the '' default
is what we want in this case) if the bridge is an empty string.
Change-Id: I5037cbde6b76a37a4c22c4616278420e9d759109
Partial-bug: #
1596373
Dan Prince [Thu, 10 Nov 2016 12:42:13 +0000 (07:42 -0500)]
Handle null role_data in services
This patch updates the Yaql expressions that work on role_data
so that they evaluate properly when the get_attr for role_data
is null.
I hit issues using this for the heat undercloud installer and this
seems to resolve them.
Change-Id: I0493d0525cd3ad280339f26ef9d3aa311af9962e
Steven Hardy [Wed, 9 Nov 2016 11:35:03 +0000 (11:35 +0000)]
Select bootstrap node by list index not name
Modify the syntax used to access the ResourceGroup attributes so we
always select the first node from the group, e.g even if the node
named "0" in the ResourceGroup nested stack has been removed due to
the removal policy.
Change-Id: I8b1c9538976a1518b220187a0034ad41a738d5a6
Closes-Bug: #
1640449
Jenkins [Thu, 10 Nov 2016 08:53:40 +0000 (08:53 +0000)]
Merge "Add firewall rules for manila api service"
Tom Barron [Wed, 9 Nov 2016 19:01:23 +0000 (14:01 -0500)]
Add firewall rules for manila api service
When the manila api service is deployed
on a different role than the controller the
iptables rules on that role fail to ACCEPT
tcp at the manila API ports.
Add tripleo.manila_api.firewall_rules to
the relevant puppet services module.
Change-Id: I1c5459f5ba989657fd99fd72c7ac9f8781cc7206
Closes-Bug: #
1640568
Jenkins [Wed, 9 Nov 2016 18:10:34 +0000 (18:10 +0000)]
Merge "Reload haproxy configuration as a post-deployment step"
Jenkins [Wed, 9 Nov 2016 17:05:41 +0000 (17:05 +0000)]
Merge "ceilometer compute agent needs restart on compute upgrade"
Jenkins [Wed, 9 Nov 2016 16:30:18 +0000 (16:30 +0000)]
Merge "set url_base option in static web middleware"
Alex Schultz [Wed, 9 Nov 2016 15:22:44 +0000 (08:22 -0700)]
Disable password reveal in horizon
To improve security, we should disable the password reveal option in
horizon by default. An end user can override this options via their own
custom hiera if they would ultimately like to have this functionality.
Change-Id: Ie88dac5610840eb4b327252b32dc469099ba5f5f
Depends-On: Iacf899d595a2a3c522df1b96ca527731937ec698
Closes-Bug:
1640492
Michele Baldessari [Wed, 9 Nov 2016 08:05:08 +0000 (09:05 +0100)]
Fix race during major-upgrade-pacemaker step
Currently when we call the major-upgrade step we do the following:
"""
...
if [[ -n $(is_bootstrap_node) ]]; then
check_clean_cluster
fi
...
if [[ -n $(is_bootstrap_node) ]]; then
migrate_full_to_ng_ha
fi
...
for service in $(services_to_migrate); do
manage_systemd_service stop "${service%%-clone}"
...
done
"""
The problem with the above code is that it is open to the following race
condition:
1. Code gets run first on a non-bootstrap controller node so we start
stopping a bunch of services
2. Pacemaker notices will notice that services are down and will mark
the service as stopped
3. Code gets run on the bootstrap node (controller-0) and the
check_clean_cluster function will fail and exit
4. Eventually also the script on the non-bootstrap controller node will
timeout and exit because the cluster never shut down (it never actually
started the shutdown because we failed at 3)
Let's make sure we first only call the HA NG migration step as a
separate heat step. Only afterwards we start shutting down the systemd
services on all nodes.
We also need to move the STONITH_STATE variable into a file because it
is being used across two different scripts (1 and 2) and we need to
store that state.
Co-Authored-By: Athlan-Guyot Sofer <sathlang@redhat.com>
Closes-Bug: #
1640407
Change-Id: Ifb9b9e633fcc77604cca2590071656f4b2275c60
Jenkins [Wed, 9 Nov 2016 13:45:28 +0000 (13:45 +0000)]
Merge "Defaults kernel.pid_max to
1048576"
Jenkins [Wed, 9 Nov 2016 13:30:18 +0000 (13:30 +0000)]
Merge "Enable internal TLS for Nova API"
Jenkins [Wed, 9 Nov 2016 10:51:12 +0000 (10:51 +0000)]
Merge "Add Sahara plugins list as a configurable parameter"
Thiago da Silva [Wed, 2 Nov 2016 18:10:51 +0000 (14:10 -0400)]
set url_base option in static web middleware
Depends-On: Icf45cf2aece398b836c87ddffde5d3056e96dc4d
Change-Id: I3577dc38a0b52092ee5e98a381eb52c3d2768c10
Signed-off-by: Thiago da Silva <thiago@redhat.com>
Jenkins [Tue, 8 Nov 2016 16:22:00 +0000 (16:22 +0000)]
Merge "Enable internal TLS for gnocchi"
Pradeep Kilambi [Tue, 8 Nov 2016 13:59:10 +0000 (08:59 -0500)]
ceilometer compute agent needs restart on compute upgrade
After compute nodes are upgraded, the ceilometer compute agent
doesnt poll and throws warnings. Restarting the compute agent
at this step gets the service back to its normal state.
Closes-Bug: #
1640177
Change-Id: I7392de43e933b1d16002e12e407748ae289d5e99
Jenkins [Tue, 8 Nov 2016 15:29:01 +0000 (15:29 +0000)]
Merge "Do not reference CephBase from CephExternal service"
Jenkins [Tue, 8 Nov 2016 15:19:19 +0000 (15:19 +0000)]
Merge "Use --globoff when downloading artifacts"
Jenkins [Tue, 8 Nov 2016 15:08:47 +0000 (15:08 +0000)]
Merge "Add SNMP role to the CephStorage nodes"
Carlos Camacho [Fri, 4 Nov 2016 08:27:48 +0000 (09:27 +0100)]
Reload haproxy configuration as a post-deployment step
After deploying a fresh installed Overcloud or updating the stack
the haproxy configuration is updated correctly but no change in the
HA proxy stats happens.
This submission will add the missing resources to run pre and post
puppet tasks.
Closes-bug:
1640175
Change-Id: I2f08704daeee502c618256695a30ce244a1d7ba5
Giulio Fidente [Tue, 8 Nov 2016 11:39:05 +0000 (12:39 +0100)]
Use --globoff when downloading artifacts
We do not encode the chars like [] possibly found in the artifacts
URL, so curl tries to glob against IPv6 addresses in brackets. This
change adds --globoff to the curl options so that IPv6 addresses in
brackets are not misinterpreted.
Closes-Bug:
1640148
Change-Id: Ic86ba1e5fb674bc15b4bcc6bd3ea9e943c4fbf8e
Juan Antonio Osorio Robles [Tue, 1 Nov 2016 10:13:32 +0000 (12:13 +0200)]
Enable internal TLS for Cinder API
This adds the necessary hieradata for enabling TLS in the internal
network for Cinder API.
bp tls-via-certmonger
Depends-On: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863
Change-Id: I126e890076bc96b1cd166a919eff6aa1bb80510b