Jenkins [Fri, 2 Jun 2017 05:52:51 +0000 (05:52 +0000)]
Merge "Add conditional for setting authlogin_nsswitch_use_ldap selboolean"
Jenkins [Thu, 1 Jun 2017 22:20:36 +0000 (22:20 +0000)]
Merge "Composable Role for Neutron LBaaS"
Jacob Liberman [Thu, 1 Jun 2017 14:33:21 +0000 (09:33 -0500)]
Add conditional for setting authlogin_nsswitch_use_ldap selboolean
If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must
be enabled. This setting allows LDAP communications to the confined
LDAP/server port. This change includes a conditional for enabling this
Boolean only when selinux is in use.
Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe
Closes-Bug: #
1695002
Jenkins [Thu, 1 Jun 2017 20:41:35 +0000 (20:41 +0000)]
Merge "Restart docker after changing storage driver"
Doug Hellmann [Thu, 1 Jun 2017 16:55:44 +0000 (12:55 -0400)]
do not include remote name in branch spec for release notes
Reno will add the origin prefix if there is no local branch with the
desired name.
Change-Id: I76cc3199edacc4e35af44e01c57720100faee529
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
Doug Hellmann [Thu, 1 Jun 2017 16:50:51 +0000 (12:50 -0400)]
make release note a list of strings
Change-Id: I806e15f24309261bb4bf108aacc43a5c4d2d33bc
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
Jenkins [Wed, 31 May 2017 11:06:51 +0000 (11:06 +0000)]
Merge "Add missing octavia mysql user creation"
Steve Baker [Thu, 25 May 2017 23:12:10 +0000 (11:12 +1200)]
Restart docker after changing storage driver
This likely explains why CI appears to still be running the
devicemapper driver even though overlay2 is now the default.
Change-Id: Ic2d80bae1fddbdb1c80bae297031521dd78d896a
Closes-Bug: #
1692502
Jenkins [Fri, 26 May 2017 17:04:46 +0000 (17:04 +0000)]
Merge "Move ceilometer upgrade step out of base"
Jenkins [Fri, 26 May 2017 14:48:19 +0000 (14:48 +0000)]
Merge "Pass mistral::api service_name from t-h-t"
Pradeep Kilambi [Wed, 24 May 2017 20:10:55 +0000 (16:10 -0400)]
Move ceilometer upgrade step out of base
ceilometer-upgrade should only run on controller nodes.
Since its currently in base profile, it gets triggered
on compute as well. So instead split out the upgrade
into its own and include when we deploy notification
and central agents instead.
Change-Id: I2910e8aa5da7fded4cf94b57fb0a14fefd88adbe
Closes-bug: #
1693339
Jenkins [Wed, 24 May 2017 18:21:45 +0000 (18:21 +0000)]
Merge "Add support for autofencing to Pacemaker Remote."
Jenkins [Wed, 24 May 2017 18:21:28 +0000 (18:21 +0000)]
Merge "Enable mistral to run under mod_wsgi"
Martin André [Wed, 24 May 2017 16:46:59 +0000 (18:46 +0200)]
Add missing octavia mysql user creation
This patch makes sure the octavia mysql user is created when the
octavia_api service is enabled.
Change-Id: I270f3f6879737fc29370165e4a8fa8c9c19fffb3
Juan Antonio Osorio Robles [Tue, 23 May 2017 06:24:36 +0000 (09:24 +0300)]
Enable novajoin user on keystone profile
If novajoin is enabled, the keystone profile should create its user.
bp tls-via-certmonger-containers
Change-Id: Ifb43b72cbf0180cf12e6d3584c92ae01ce5294e5
Jenkins [Mon, 22 May 2017 07:52:07 +0000 (07:52 +0000)]
Merge "TLS everywhere: Add resources for mongodb's TLS configuration"
Jenkins [Fri, 19 May 2017 17:31:22 +0000 (17:31 +0000)]
Merge "Bad example in firewall.pp"
Jenkins [Fri, 19 May 2017 17:30:47 +0000 (17:30 +0000)]
Merge "Switch to overlay2 driver for storage"
Cyril Lopez [Fri, 19 May 2017 10:16:13 +0000 (12:16 +0200)]
Bad example in firewall.pp
It was an error in the example to set firewall rule
Tested on newton.
Closes-Bug:
1691990
Change-Id: I091ad0305ac9d9fbb63853e46169fcaa6092456b
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Dan Prince [Thu, 30 Mar 2017 17:24:55 +0000 (13:24 -0400)]
Switch to overlay2 driver for storage
This patch switches the default to the overlay2 storage driver and see
if it helps performance.
Background:
The loopback driver is not recommended for production. Most
other docker storage backends require extra disks (or partitions)
which we don't have on the root disk. Overlay seems to make the
most since for TripleO upgrades where we intend to update
in-place installations to use docker.
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I6896a9b3e9dc3e269bf5b0dc753bf8c985482daf
Jenkins [Thu, 18 May 2017 17:16:44 +0000 (17:16 +0000)]
Merge "Update tox configuration"
Jenkins [Thu, 18 May 2017 05:42:14 +0000 (05:42 +0000)]
Merge "Update gitignore not to exclude fixture hieradata"
Jenkins [Thu, 18 May 2017 00:13:41 +0000 (00:13 +0000)]
Merge "Handle duplicate/invalid entries in migration SSH inbound addresses"
Jenkins [Thu, 18 May 2017 00:13:19 +0000 (00:13 +0000)]
Merge "Disable SSH login for nova_migration user when migration over ssh is disabled."
Alex Schultz [Wed, 17 May 2017 20:45:35 +0000 (14:45 -0600)]
Update gitignore not to exclude fixture hieradata
The existing .gitignore is causing the hieradata we use for tests to be
excluded in git and our release tarballs. Lets adjust the gitignore not
to exclude the hiera files in spec/fixtures
Change-Id: Ic31687d0eb1c2e8acc92796d4c0eba096db8e533
Closes-Bug: #
1691559
Alex Schultz [Wed, 17 May 2017 16:59:30 +0000 (10:59 -0600)]
Update tox configuration
Update the tox configuration to pull in the openstack
upper-constraints.txt when running releasenotes. This will
fix the releasenotes job that is currently failing due to
a new version of sphinx. Additionally this change includes
updates from puppet-modulesync-configs.
Change-Id: Ie587bfde2367dfec796f1b07c01bba15d839a3b1
Related-Bug: #
1691511
Juan Antonio Osorio Robles [Tue, 2 May 2017 13:15:02 +0000 (16:15 +0300)]
TLS everywhere: Add resources for mongodb's TLS configuration
bp tls-via-certmonger
Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
Ryan Hefner [Mon, 9 May 2016 18:24:32 +0000 (14:24 -0400)]
Composable Role for Neutron LBaaS
Add composable service interface for Neutron LBaaSv2 service.
Change-Id: Ieeb21fafd340fdfbaddbe7633946fe0f05c640c9
Jenkins [Tue, 16 May 2017 15:03:12 +0000 (15:03 +0000)]
Merge "Use verify_on_create when creating pacemaker remote resources"
Jenkins [Mon, 15 May 2017 17:46:17 +0000 (17:46 +0000)]
Merge "vhostuser socket dir shall be created for vhostuserclient mode"
Karthik S [Fri, 24 Mar 2017 09:33:41 +0000 (05:33 -0400)]
vhostuser socket dir shall be created for vhostuserclient mode
In order to support vhostuser client mode, a vhostuser_socket_dir
needs to be created with qemu:qemu g+w permissions.
Closes-Bug: #
1675690
Co-Authored-By: Sanjay Upadhyay <supadhya@redhat.com>
Change-Id: I255f98c40869e7508ed01a03a96294284ecdc6a8
Signed-off-by: Karthik S <ksundara@redhat.com>
Jenkins [Thu, 11 May 2017 16:49:18 +0000 (16:49 +0000)]
Merge "Add support for Cinder "NAS secure" driver params"
Jenkins [Mon, 8 May 2017 20:26:04 +0000 (20:26 +0000)]
Merge "Migrates OpenDaylight to official repo"
Michele Baldessari [Sat, 6 May 2017 15:40:24 +0000 (17:40 +0200)]
Use verify_on_create when creating pacemaker remote resources
We currently create remote resources without waiting for their creation.
This leads to the following potential race (spotted by Marian Mkrcmari):
- On Step1 pacemaker bootstrap node creates the resource but the remote
resource is not yet created
- Step1 completes and Step2 starts
- On Step2 the remote node sets a property (or calls pcs cib) but the
remote is not yet set up so 'pcs cluster cib' will fail there with:
(err): Could not evaluate: backup_cib: Running: /usr/sbin/pcs cluster
cib /var/lib/pacemaker/cib/puppet-cib-backup20170506-15994-1swnk1i failed
with code: 1 ->
Note that when verify_on_create is set to true we are not using the cib
dump/push mechanism. That is fine because we create the remotes on
step1 and the dump/push mechanism is only needed starting from step2
when multiple nodes set cluster properties at the same time.
Tested by Marian Mkrcmari successfully as well.
Closes-Bug: #
1689028
Change-Id: I764526b3f3c06591d477cc92779d83a19802368e
Depends-On: I1db31dcc92b8695ab0522bba91df729b37f34e0f
Brad P. Crochet [Wed, 26 Apr 2017 17:46:17 +0000 (13:46 -0400)]
Pass mistral::api service_name from t-h-t
In order to have the chicken-egg work, service_name had to be explicitly
passed to ::mistral::api. This switches to using values from t-h-t.
Change-Id: Ib94e51f863ba59a1a1db47d58aed3ba4e5fc9650
Depends-On: Ie98dd5061d92dbc3c15bdd8926b0e3d62cc471f6
Brad P. Crochet [Thu, 20 Apr 2017 13:33:29 +0000 (09:33 -0400)]
Enable mistral to run under mod_wsgi
Mistral should run under mod_wsgi. Enable that.
Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc
Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9
Tim Rozet [Fri, 5 May 2017 17:41:34 +0000 (13:41 -0400)]
Migrates OpenDaylight to official repo
ODL repo has been moved from a personal github account into official ODL
repo.
Change-Id: I1248c22acc09962ef788ca19ee87b6bda8ef8450
Signed-off-by: Tim Rozet <trozet@redhat.com>
Michele Baldessari [Fri, 5 May 2017 10:29:39 +0000 (12:29 +0200)]
Remove limits for redis in /etc/security/limits.d
Now that puppet-redis supports ulimit for cluster managed redis (via
https://github.com/arioch/puppet-redis/pull/192), we need to remove the
file snippet as otherwise we will get a duplicate resource error.
We will need to create a THT change that at the very least sets the
redis::managed_by_cluster_manager key to true so that
/etc/security/limits.d/redis.conf gets created.
We also add code to not break backwards compatibility with the old hiera
key.
Change-Id: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d
Partial-Bug: #
1688464
Oliver Walsh [Fri, 5 May 2017 00:30:21 +0000 (01:30 +0100)]
Handle duplicate/invalid entries in migration SSH inbound addresses
An error (e.g a typo) in a custom tripleo-heat-templates environment
file could lead to an invalid match block in /etc/ssh/sshd_config.
SSH fails-safe and refuses all logins in this case.
This change validates the migration_ssh_localaddrs parameter is an
array of IP addresses and removes and duplicate entries.
Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #
1688308
Oliver Walsh [Thu, 4 May 2017 19:21:51 +0000 (20:21 +0100)]
Disable SSH login for nova_migration user when migration over ssh is disabled.
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #
1688321
Jenkins [Thu, 4 May 2017 17:30:30 +0000 (17:30 +0000)]
Merge "Restrict nova migration ssh tunnel"
Alan Bishop [Thu, 4 May 2017 16:27:27 +0000 (12:27 -0400)]
Add support for Cinder "NAS secure" driver params
Add ability to set Cinder's nas_secure_file_operations and
nas_secure_file_permissions driver parameters. Two sets of identically
named parameters are implemented by Cinder's NFS and NetApp back end
drivers.
The ability to control these parameters is crucial for supporting deployments
that require non-default values.
Partial-Bug: #
1688332
Depends-On: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9
Change-Id: I76e2ce10acf7b671be6a2785829ebb3012b79308
Jenkins [Thu, 4 May 2017 10:50:09 +0000 (10:50 +0000)]
Merge "MySQL client: Make CA file configurable"
Jenkins [Wed, 3 May 2017 21:14:50 +0000 (21:14 +0000)]
Merge "snmp: remove useless parameter for binding"
Oliver Walsh [Wed, 19 Apr 2017 13:39:42 +0000 (14:39 +0100)]
Restrict nova migration ssh tunnel
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
over ssh.
Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327
bp tripleo-cold-migration
Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
Jenkins [Wed, 3 May 2017 19:43:11 +0000 (19:43 +0000)]
Merge "IPv6 VIP addresses need to be /128"
Juan Antonio Osorio Robles [Wed, 3 May 2017 09:54:38 +0000 (12:54 +0300)]
MySQL client: Make CA file configurable
It used to be hardcoded to use the OpenSSL default CA Bundle, however,
this will be changed in t-h-t.
Change-Id: I75bdaf71d88d169e64687a180cb13c1f63418a0f
Michele Baldessari [Wed, 26 Apr 2017 09:40:51 +0000 (11:40 +0200)]
IPv6 VIP addresses need to be /128
We currently hardcode /64 as our VIP addresses when using IPv6.
The problem with this is that some server code might bind to that
IP as a source address when doing inter-cluster communication
(rabbitmq/galera for example). So when the VIP moves there will
be effectively a network outage between the nodes, which should not
happen.
Likely this was hardcoded to /64 because the RA IPaddr2 needs a nic
parameter when /128 is specified. This is due to:
https://bugzilla.redhat.com/show_bug.cgi?id=
1445628
We also make sure we use the ipv6_addrlabel option set to 99 so that
they will never be used as source ip addresses.
Depends-On: I7fcf15a00aedbdcfb21db501ad46c69fb97ec30c
Partial-Bug: #
1686357
Change-Id: Ibefde870512ad1e03ff12f7aea91b3734f03f96f
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
Co-Authored-By: Marios Andreou <mandreou@redhat.com>
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Jenkins [Wed, 3 May 2017 07:39:07 +0000 (07:39 +0000)]
Merge "firewall: generally accept "jump" param and use tripleo:firewall for log rule"
Emilien Macchi [Tue, 2 May 2017 13:53:51 +0000 (09:53 -0400)]
snmp: remove useless parameter for binding
Binding is now done in THT via Hiera directly, so users can change the
option more easily.
Depends-On: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614
Change-Id: I9d5fd152bb73ea54c4d0d3bab862f11eaa4ebd79
Closes-Bug: #
1687628
Jenkins [Thu, 27 Apr 2017 17:33:56 +0000 (17:33 +0000)]
Merge "Fix wrong notify in swift proxy profile"
Jenkins [Thu, 27 Apr 2017 15:59:58 +0000 (15:59 +0000)]
Merge "Add linuxbridge agent profile"
Jenkins [Thu, 27 Apr 2017 14:52:12 +0000 (14:52 +0000)]
Merge "Include base apache module in tls_proxy resource"
Juan Antonio Osorio Robles [Thu, 27 Apr 2017 07:23:36 +0000 (10:23 +0300)]
Fix wrong notify in swift proxy profile
the TLS proxy was notifying neutron::server instead of swift proxy.
Change-Id: I212978c107a75209d5b7c266e608eb9a9e9cdc76
Juan Antonio Osorio Robles [Thu, 27 Apr 2017 06:56:13 +0000 (09:56 +0300)]
Include base apache module in tls_proxy resource
Other services include it by using the vhost resource from openstacklib.
If we include a service (such as swift-proxy) that uses the tls_proxy
resource, and we do so in a separate node or in its own container, it
will fail since the base apache module hadn't been included.
Change-Id: I0167e08b0b652618d8a1af792376bcf02c8fcd82
Chris Jones [Tue, 25 Apr 2017 15:05:27 +0000 (16:05 +0100)]
Add support for autofencing to Pacemaker Remote.
We now configure stonith devices for Pacemaker Remote nodes.
Change-Id: I87c60bd56feac6dedc00a3c458b805aa9b71d9ce
Depends-On: Ifb4d19a6b9920b0e340555d6441878c7234eb197
Partial-Bug: #
1686115
Michele Baldessari [Wed, 26 Apr 2017 08:12:50 +0000 (10:12 +0200)]
Add a flag to rabbitmq so that we can deploy with ha-mode: all again
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the
rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a
nice performance boost with rabbitmq, it makes rabbit less resilient to
network glitches as we painfully found out via
https://bugzilla.redhat.com/show_bug.cgi?id=
1441635.
Will propose another THT change to actually change the default to
-1 so we get this ha-mode:all by default.
Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
Partial-Bug: #
1686337
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
Jenkins [Tue, 25 Apr 2017 17:33:53 +0000 (17:33 +0000)]
Merge "Enable internal network TLS for etcd"
Jenkins [Tue, 25 Apr 2017 13:35:02 +0000 (13:35 +0000)]
Merge "Update puppet-etcd version"
Jenkins [Tue, 25 Apr 2017 11:29:16 +0000 (11:29 +0000)]
Merge "Add support for Redfish hardware in Ironic"
Jenkins [Tue, 25 Apr 2017 09:53:09 +0000 (09:53 +0000)]
Merge "Include zaqar apache module"
Jenkins [Tue, 25 Apr 2017 01:58:09 +0000 (01:58 +0000)]
Merge "Dell SC: Add secondary DSM support"
Bogdan Dobrelya [Mon, 24 Apr 2017 16:07:00 +0000 (18:07 +0200)]
Update puppet-etcd version
Include the yaml config file for containers
Change-Id: I3ad463217ed3f2d6374627248236b274cfed72fb
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Dmitry Tantsur [Mon, 24 Apr 2017 12:48:28 +0000 (14:48 +0200)]
Add support for Redfish hardware in Ironic
Part of blueprint redfish-support
Depends-On: Icd065cec7114fc026b658ede0d78be2e777c15aa
Change-Id: Ib14f87800ae7657cf6176a4820248a2ce048241d
Jenkins [Mon, 24 Apr 2017 12:17:17 +0000 (12:17 +0000)]
Merge "Enable setting SubjectaltNames for haproxy and httpd certs"
Pradeep Kilambi [Tue, 18 Apr 2017 23:14:16 +0000 (19:14 -0400)]
Move ceilometer upgrade re-run out of collector
Since collector is deprecated, lets move this out of collector.pp
so it gets run and resource types are created appropriately even
when collector is not included.
Closes-bug: #
1676961
Change-Id: I32445a891c34f519ab16dcecc81993f8909f6481
Jenkins [Fri, 21 Apr 2017 13:39:13 +0000 (13:39 +0000)]
Merge "Allow to configure haproxy daemon's status"
Jenkins [Fri, 21 Apr 2017 13:10:25 +0000 (13:10 +0000)]
Merge "Cover gnocchi api step 4 and 5"
Jenkins [Fri, 21 Apr 2017 13:01:29 +0000 (13:01 +0000)]
Merge "Add resource profile for vmware nsx_v3"
Jenkins [Fri, 21 Apr 2017 12:55:50 +0000 (12:55 +0000)]
Merge "Add ML2 configuration for Bagpipe BGPVPN extension"
Jenkins [Fri, 21 Apr 2017 05:00:27 +0000 (05:00 +0000)]
Merge "Refactor SSHD config to allow both SSHD options and banner/motd to be set"
Jenkins [Fri, 21 Apr 2017 00:06:41 +0000 (00:06 +0000)]
Merge "Update UI language list"
Thomas Herve [Tue, 21 Mar 2017 08:51:26 +0000 (09:51 +0100)]
Include zaqar apache module
This includes the Zaqar apache module, allowing to run Zaqar behind
httpd.
Depends-On: I69b923dd76a60e9ec786cae886c137ba572ec906
Change-Id: Ib52144e5877d9293057713d6bdca557724baad5c
Jenkins [Thu, 20 Apr 2017 09:26:53 +0000 (09:26 +0000)]
Merge "Haproxy: When using TLS everywhere, use verifyhost for the balancermembers"
Oliver Walsh [Tue, 18 Apr 2017 11:51:36 +0000 (12:51 +0100)]
Refactor SSHD config to allow both SSHD options and banner/motd to be set
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
are mutually exclusive. This patch, and the next patchset of that review,
resolves the conflict.
Related-Bug:
1668543
Change-Id: I1d09530d69e42c0c36311789166554a889e46556
Alex Schultz [Wed, 12 Apr 2017 19:53:44 +0000 (13:53 -0600)]
Cover gnocchi api step 4 and 5
Update the gnocchi api to expose the redis information as a class
parameter so it can be tested correctly.
Change-Id: I075b4af5e7bb35f90f7b82f8fb1b6d6ad6363b71
Dan Prince [Wed, 19 Apr 2017 21:55:54 +0000 (16:55 -0500)]
Ensure /etc/docker/daemon.json
A recent Centos docker packaging change removed the default
/etc/docker/daemon.json file. As such we need to create an empty
json file if none exists before running Augeas to configure
the settings.
Change-Id: Ibfe04b468639002f55da7bb65d2606f730c700b7
Closes-bug: #
1684297
rajinir [Mon, 10 Apr 2017 16:46:03 +0000 (11:46 -0500)]
Dell SC: Add secondary DSM support
Adds support for a secondary DSM in case the primary becomes
unavailable.
Change-Id: Ibf8c333f62556d421d67c853f1f0740d7f9985bf
Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7
Michele Baldessari [Wed, 19 Apr 2017 10:56:46 +0000 (12:56 +0200)]
Allow to configure haproxy daemon's status
Currently we hard-code the fact that haproxy starts as a daemon.
When running haproxy in a container we need this to be configurable
because the haproxy process will be pid number 1.
We are not changing the current semantics which have the 'daemon'
option always set, but we are allowing its disabling.
Change-Id: I51c482b70731f15fee4025bbce14e46a49a49938
Jenkins [Wed, 19 Apr 2017 10:45:55 +0000 (10:45 +0000)]
Merge "Ensure we configure ssl.conf"
Bartosz Stopa [Wed, 19 Apr 2017 07:18:27 +0000 (09:18 +0200)]
Add linuxbridge agent profile
Add a tripleo profile for neutron linuxbridge agent configuration.
Change-Id: Ie3ac03052f341c26735b423701e1decf7233d935
Partial-Bug: #
1652211
Jenkins [Wed, 19 Apr 2017 03:11:07 +0000 (03:11 +0000)]
Merge "Create bigswitch agent profile"
Jenkins [Tue, 18 Apr 2017 19:14:35 +0000 (19:14 +0000)]
Merge "Added release note for "Support for external swift proxy""
Lukas Bezdicka [Thu, 13 Apr 2017 17:21:45 +0000 (19:21 +0200)]
Ensure we configure ssl.conf
Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.
Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug:
1682448
Resolves: rhbz#
1441977
Juan Antonio Osorio Robles [Tue, 18 Apr 2017 12:48:02 +0000 (15:48 +0300)]
Enable setting SubjectaltNames for haproxy and httpd certs
This enables setting the subjectAltNames for HAProxy and httpd certs.
These will eventually replace the usage of many certs, to have instead
just one that has several subjectAltNames.
Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
Luca Lorenzetto [Tue, 18 Apr 2017 12:03:54 +0000 (14:03 +0200)]
Added release note for "Support for external swift proxy"
Change-Id: I7feac65bf814099ab591b473be962e64dec85cbd
Juan Antonio Osorio Robles [Tue, 18 Apr 2017 11:49:09 +0000 (14:49 +0300)]
Haproxy: When using TLS everywhere, use verifyhost for the balancermembers
This checks that the subjectAltName in the backend server's certificate
matches the server's name that was intended to be used.
Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
Jenkins [Tue, 18 Apr 2017 10:59:03 +0000 (10:59 +0000)]
Merge "Allow setting of keepalived router ID"
Jenkins [Tue, 18 Apr 2017 06:58:02 +0000 (06:58 +0000)]
Merge "HAproxy/heat_api: increase timeout to 10m"
Emilien Macchi [Mon, 17 Apr 2017 15:30:23 +0000 (11:30 -0400)]
HAproxy/heat_api: increase timeout to 10m
Default timeout is 2min but it doesn't reflect the rpc_response_timeout
value that we set in THT and instack-undercloud, which is 600 (10 min).
In some cases (in low-memory environments), Heat needs more than 2
minutes to reply to the client, when deploying the overcloud.
It makes sense to increase the timeout to the value of rpc_timeout to
give a chance to Heat to reply to the client, otherwise HAproxy will
kill the connection and send 504 to the client.
Depends-On: I9669d40d86d762101734704fcef153e360767690
Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c
Related-Bug:
1666072
Jenkins [Mon, 17 Apr 2017 18:06:40 +0000 (18:06 +0000)]
Merge "Support for external swift proxy"
Jenkins [Sat, 15 Apr 2017 02:57:28 +0000 (02:57 +0000)]
Merge "Move ceilometer wsgi to step 3"
Jenkins [Sat, 15 Apr 2017 02:54:56 +0000 (02:54 +0000)]
Merge "Move gnocchi wsgi configuration to step 3"
Jenkins [Fri, 14 Apr 2017 23:59:15 +0000 (23:59 +0000)]
Merge "Dell SC: Add exclude_domain_ip option"
Luca Lorenzetto [Fri, 14 Apr 2017 08:45:57 +0000 (10:45 +0200)]
Support for external swift proxy
Users may have an external swift proxy already available (i.e. radosgw
from already existing ceph, or hardware appliance implementing swift
proxy). With this change user may specify an environment file that
registers the specified urls as endpoint for the object-store service.
The internal swift proxy is left as unconfigured.
Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
Jenkins [Thu, 13 Apr 2017 22:15:15 +0000 (22:15 +0000)]
Merge "Make install of kolla optional on the undercloud"
Jenkins [Thu, 13 Apr 2017 15:20:28 +0000 (15:20 +0000)]
Merge "etcd: Make HAProxy terminate TLS connections"
Thomas Herve [Wed, 12 Apr 2017 16:02:46 +0000 (18:02 +0200)]
Allow setting of keepalived router ID
By default the undercloud and the overcloud share virtual_router_id
definition, leading to errors like "ip address associated with VRID not
present in received packet". This allows setting the range for the IDs.
Change-Id: I0c822777824b469b0f8ef0f31b3708fe47d5b2d7
rajinir [Mon, 10 Apr 2017 16:41:29 +0000 (11:41 -0500)]
Dell SC: Add exclude_domain_ip option
This option allows users to exclude some fault domains.
Otherwise all domains are returned.
Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483
Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433
Martin André [Wed, 12 Apr 2017 16:06:15 +0000 (18:06 +0200)]
Make install of kolla optional on the undercloud
This defaults to 'True' to keep backward compatibility and can be
disabled by setting 'enable_container_images_built' to false in
undercloud.conf.
Depends-On: Ia3379cf66b1d6b180def69c2a5b22b2602baacef
Change-Id: I33e7e9a6a3865fed38f7ed6490455457da67782b
Code Review / apex-puppet-tripleo.git / log