Emilien Macchi [Sun, 5 Nov 2017 04:26:57 +0000 (15:26 +1100)]
Release 7.4.4 (pike)
Change-Id: Iad6ff5ec5871775faf8ad961074e2914968ef184
Zuul [Thu, 2 Nov 2017 11:27:58 +0000 (11:27 +0000)]
Merge "Allow 'cinder' as a backend for Glance" into stable/pike
Emilien Macchi [Wed, 25 Oct 2017 16:57:16 +0000 (09:57 -0700)]
Prepare puppet-tripleo 7.4.3
Change-Id: Iefcd78e600d0da33c25cedf15f00208edd7c9915
Emilien Macchi [Fri, 27 Oct 2017 20:50:47 +0000 (13:50 -0700)]
[pike] Add Puppet package to bindep, for module build
We need Puppet package deployed from bindep so we can
run puppet module build with the new zuul v3 job.
Change-Id: I82bffbc332c03bb20cb067be84c0de908cb1a236
Martin André [Thu, 19 Oct 2017 14:29:03 +0000 (16:29 +0200)]
Add option to disable running mistral-api via wsgi
The tripleo container do not yet have the required packages to run
mistral-api on top of apache so we're looking for a way to disable it.
Change-Id: I54627f1c5a8867738a55bee42075bb6087830c61
Related-Bug: #
1724607
(cherry picked from commit
5eb571c4053f40d74aa5e6d136ab10c08094ddb9)
Zuul [Tue, 24 Oct 2017 07:50:41 +0000 (07:50 +0000)]
Merge "Set meta container-attribute-target=host attribute" into stable/pike
Michele Baldessari [Wed, 18 Oct 2017 10:00:21 +0000 (12:00 +0200)]
Make sure tuned package is installed before calling tuned-adm
With https://review.openstack.org/#/c/511509 we start erroring out
properly on puppet errors. One of the jobs that is now failing is:
http://logs.openstack.org/09/511509/7/check/legacy-tripleo-ci-centos-7-undercloud-containers/
5d3fecc/logs/var/log/undercloud_install.txt.gz
Reason for this is that we include the tripleo::base::tuned profile which has:
exec { 'tuned-adm':
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "tuned-adm profile ${profile}",
unless => "tuned-adm active | grep -q '${profile}'"
}
So if the tuned package is not installed by other means we get:
"Error: /Stage[main]/Tripleo::Profile::Base::Tuned/Exec[tuned-adm]: Could not evaluate: Could not find command 'tuned-adm'",
Let's add the package here in the profile instead of installing it
via tripleo.sh, that way also a split stack deployment is covered.
Change-Id: I130cdc59000e0c5e5fa7c542fbe6b782651a7eb7
Closes-Bug: #
1724518
(cherry picked from commit
32ef340901027926ed3f77ae37d8e0d20e38e15d)
Alan Bishop [Tue, 10 Oct 2017 17:02:37 +0000 (13:02 -0400)]
Allow 'cinder' as a backend for Glance
Allow 'cinder' as a valid Glance backend. This value is already supported
by puppet-glance.
Change-Id: I850047e32f3608b3ce490e52e2e540695cb1a4ff
(cherry picked from commit
edd7621f1db83d9b71ce3a168d2813880a660444)
Jenkins [Fri, 13 Oct 2017 20:17:30 +0000 (20:17 +0000)]
Merge "Disables port status for all ODL deployments" into stable/pike
Jenkins [Fri, 13 Oct 2017 06:43:44 +0000 (06:43 +0000)]
Merge "ovn HA: Enable ip_nonlocal_bind sysctl flag" into stable/pike
Numan Siddique [Wed, 4 Oct 2017 13:51:00 +0000 (19:21 +0530)]
ovn HA: Enable ip_nonlocal_bind sysctl flag
In the case of ovn HA, the ovsdb-server's running in the cluster
try to open a TCP socket on the VIP.
Closes-bug: #
1720761
Change-Id: I6f762534350a3f96696c87ccd2d14545dccc8a0b
(cherry picked from commit
a6483f39f9767c40e6823c7f28526441a436560a)
Tim Rozet [Thu, 5 Oct 2017 16:42:52 +0000 (12:42 -0400)]
Disables port status for all ODL deployments
Port status was already disabled in HA deployments pending a fix for:
https://bugs.opendaylight.org//show_bug.cgi?id=9147
However even in noha deployments port status will not work because ODL
is unable to bind to a specific IP for websocket, meaning it binds to
all IPs and haproxy cannot bind the VIP. Therefore we need to disable
it for all deployments until also this bug is fixed:
https://bugs.opendaylight.org//show_bug.cgi?id=9256
Related-Bug:
1718508
Change-Id: I2f2dc3ece97c97fc8477d4129d69719866a7f0c1
Signed-off-by: Tim Rozet <trozet@redhat.com>
(cherry picked from commit
2471a8669d35f8b35ed00e9365623b37e335cd79)
Emilien Macchi [Tue, 10 Oct 2017 04:59:23 +0000 (21:59 -0700)]
Release 7.4.2
Change-Id: I540110159943986b7511939afb1525727e751902
Cédric Jeanneret [Wed, 4 Oct 2017 10:27:25 +0000 (12:27 +0200)]
Allow to override HAProxy global options.
You can either append new options or override existing one.
This can be particularly useful in case you want to set your own log
options, for example.
Change-Id: I19005b7e70e624d3b64b6c2ac8eaadfdec3944db
Closes-Bug:
1721246
(cherry picked from commit
e62efd0782fd6521893102101daaa21f0cd8a275)
Jenkins [Sat, 7 Oct 2017 03:37:16 +0000 (03:37 +0000)]
Merge "Allow to configure snmpd_config" into stable/pike
Emilien Macchi [Mon, 2 Oct 2017 20:47:10 +0000 (13:47 -0700)]
Allow to configure snmpd_config
Expose a new Puppet parameter to snmp profile, ``snmpd_config`` which
is an array definded to undef by default.
It can be used to override all snmpd configuration for advanced
deployments.
If used, all parameters have to be configured included users and
passwords, which should be the same as given to snmpd_password
and snmpd_user. There is no logic that will verify the content
of ``snmpd_config``.
Example of hieradata which configures snmpd_config:
snmpd_config:
- 'createUser ro_snmp_user MD5 "secrete"',
- 'rouser ro_snmp_user'
- 'proc neutron-server'
- 'proc nova-api'
Change-Id: Ief2518d5e47137215a34e9ae3b35c27c87fa6e08
Closes-Bug: #
1720868
(cherry picked from commit
c211ba78cabde54be2e3a6672f6e1d33d1d580f0)
Honza Pokorny [Mon, 11 Sep 2017 17:53:41 +0000 (14:53 -0300)]
Add a new configuration option for GUI loggers
This allows us to set up logging for the TripleO GUI. By default, it enables
the 'console' and 'zaqar' loggers.
Change-Id: Iafc874643c29e63ff670831fe80f6601c3051865
Closes-Bug: #
1716458
(cherry picked from commit
5158c7ab1669d9d3e8c8163be9fdfc9b3a3aea96)
Michele Baldessari [Fri, 25 Aug 2017 08:21:11 +0000 (10:21 +0200)]
Set meta container-attribute-target=host attribute
This is needed because when we run bundles we actually
want to store attributes on a per-node basis and not on a per-bundle
basis. By activating this attribute pacemaker will pass
some extra OCS_RESKEY_CRM_meta attributes that will help us in this
decision.
We can merge this once we have packages for pacemaker and
resource-agents releases that contain the necessary fixes.
Proper pacemaker and resource-agents are now in the repo [1] so
we can merge it and backport it to pike.
[1] https://buildlogs.centos.org/centos/7/cloud/x86_64/openstack-pike/
Closes-Bug: #
1713007
Change-Id: I0dd06e953b4c81f217d0f4199b2337e4c3358086
(cherry picked from commit
6bcb011723ad7b75f18914c887dc4fa4bad4d620)
Tim Rozet [Wed, 20 Sep 2017 19:49:50 +0000 (15:49 -0400)]
Disables port status updates with ODL in HA
ODL enables a feature by default to communicate port state to Neutron
via a websocket connection. The current implementation does not work in
HA, but does work with a noHA deployment. Therefore this patch disables
port status for HA deployments only until there is proper support.
Depends-On: I7eb752ad692e5522051f8393376890fcac9a09fe
Closes-Bug:
1718508
Change-Id: I13b5b72285d3c70cdee4d81678470d52be385aaf
Signed-off-by: Tim Rozet <trozet@redhat.com>
(cherry picked from commit
228d7b456c6d5c4958c9add8f9021a83a4360510)
Lars Kellogg-Stedman [Mon, 11 Sep 2017 16:00:18 +0000 (10:00 -0600)]
Allow log path transformation in fluentd glue
Logs in a containerized deployment are not in the same location as on
a baremetal deployment. This commit adds the $fluentd_path_transform
paramter to the fluentd glue module. This is a regular expression that
is used to transform log paths. To use this feature, include in your
hiera configuration something like:
tripleo::profile::base::logging::fluentd::fluentd_path_transform:
- /var/log/
- /var/log/containers/
Change-Id: I585b6877074353b5de62e5efaabfbe62432c473d
Partial-bug: #
1716427
(cherry picked from commit
1ff0903a3950bc4adbc8c84b5153df6ca0fb6a3d)
Emilien Macchi [Mon, 25 Sep 2017 17:03:51 +0000 (10:03 -0700)]
Release 7.4.1
Change-Id: I7686a2a9132f2770f7fd0bf0e5d4f235e2b1b82b
Oliver Walsh [Wed, 6 Sep 2017 10:19:48 +0000 (11:19 +0100)]
Support for Ocata-Pike live-migration over ssh
In Ocata all live-migration over ssh is performed on the default ssh port (22).
In Pike the containerized live-migration over ssh is on port 2022 as the
docker host's sshd is using port 22.
To allow live migration during upgrade we need to temporarily pin the Pike
computes to port 22 and in the final converge we can switch over to port 2022.
This patch make the necessary puppet-tripleo change to allow this:
- Adds support in sshd profile for listening on multiple ports.
- Adds a profile to allow proxying to the containerized sshd from the
baremetal sshd
Change-Id: I0b80b81711f683be539939e7d084365ff63546d3
Related-bug:
1714171
(cherry picked from commit
05a413c34fa1266d38bf991a1f5ed2795631f0b7)
Jenkins [Sat, 16 Sep 2017 16:03:42 +0000 (16:03 +0000)]
Merge "added release note for new haproxy_socket_access" into stable/pike
Cédric Jeanneret [Wed, 13 Sep 2017 10:18:42 +0000 (12:18 +0200)]
added release note for new haproxy_socket_access
Change-Id: I4024177fdf97bef929d6a699662acbf56abdb0af
(cherry picked from commit
9939df4c177040e67433ca19f55dca18067d9923)
Cédric Jeanneret [Tue, 12 Sep 2017 15:01:29 +0000 (17:01 +0200)]
Added new parameter for HAProxy configuration
This allow to set the socket access level to admin instead of default
"user".
This "admin" access adds the capability to interact with HAproxy in
order to manage its configuration, at least temporarly.
This changes keeps the default "user" access level, as "admin" might
break things if misused.
Change-Id: I1a4612b9f8aacc410b48a04dac3bf300bbb0e08e
Closes-bug: #
1716692
(cherry picked from commit
33479418eec7c1a18d57d755be47eca800b918a6)
Jan Provaznik [Fri, 1 Sep 2017 09:33:14 +0000 (11:33 +0200)]
Move manila backend configuration from pacemaker to base
There is no reason to keep backend configuration in pacemaker-specific
manifest. This configuration is used no matter whether pacemaker is
used or not.
Change-Id: I63b53d230372a323db1d35a3774283ad2e29fbb1
Closes-Bug: #
1714310
(cherry picked from commit
7327cc88246abe6473b7b29703af408adeccc88d)
Jenkins [Wed, 6 Sep 2017 22:42:07 +0000 (22:42 +0000)]
Merge "Change references from nsx_v3 to nsx" into stable/pike
Jenkins [Wed, 6 Sep 2017 09:37:27 +0000 (09:37 +0000)]
Merge "Use TLS proxy for Redis' internal TLS" into stable/pike
Jenkins [Wed, 6 Sep 2017 09:05:12 +0000 (09:05 +0000)]
Merge "Enable TLS for rabbitmq's replication traffic" into stable/pike
Jay Jahns [Sat, 26 Aug 2017 03:24:43 +0000 (20:24 -0700)]
Change references from nsx_v3 to nsx
This patch changes references from nsx_v3 to nsx since the nsx_v3 functionality
is the only one supported at this time.
Change-Id: Id73f675844b0df2eafa45507d1c28f16cd0b15b2
Closes-Bug: #
1713191
(cherry picked from commit
f27c45a0925546f3b9627fce7d223a1bba140ce0)
Martin André [Wed, 23 Aug 2017 10:44:42 +0000 (12:44 +0200)]
Use TLS proxy for Redis' internal TLS
This uses the tls_proxy resource in front of the Redis server when
internal TLS is enabled.
bp tls-via-certmonger
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147
(cherry picked from commit
2d1d7875aa6f0b68005c84189627bc0716a7693f)
Juan Antonio Osorio Robles [Mon, 28 Aug 2017 06:07:16 +0000 (09:07 +0300)]
Enable TLS for rabbitmq's replication traffic
This follows the RabbitMQ docs [1] for enabling TLS for the replication
traffic. It reuses the certificate that rabbitmq already has.
Unfortunately, pacemaker uses the shortname for the rabbitmq nodes, so
we are not able to do proper verification of the certificates, since we
can't allocate a certificate for shortnames. So, until pacemaker can
track the rabbit nodes through their FQDNs, we don't set any verification
options.
[1] https://www.rabbitmq.com/clustering-ssl.html
Depends on: https://github.com/voxpupuli/puppet-rabbitmq/pull/574
bp tls-via-certmonger
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Change-Id: I265c89cb8898a6da78a606664a22c50f5e57a847
(cherry picked from commit
52404b85dc140d9ddc4605365454df0e052ee2cb)
rajinir [Thu, 3 Aug 2017 20:32:28 +0000 (15:32 -0500)]
Support for Dell EMC VNX Manila Driver
This changes adds Dell EMC VNX backend as composable service
and matches the tripleo-heat-templates.
Change-Id: Iab80dc636913610704e1ceb2642ce738b68bb827
Implements: blueprint support-dellemc-vnx-manila
(cherry picked from commit
eca5b4dfb22a9e9476cd835d2e211def4c9bd5c9)
Emilien Macchi [Mon, 4 Sep 2017 18:10:35 +0000 (11:10 -0700)]
Prepare 7.4.0 (pike-rc2)
Change-Id: I6e1b8c305aad3fb03bd62072b376b34303ecfe24
Jenkins [Fri, 1 Sep 2017 18:36:55 +0000 (18:36 +0000)]
Merge "Fix enabling zaqar keystone endpoint and MySQL database" into stable/pike
Jenkins [Fri, 1 Sep 2017 10:30:36 +0000 (10:30 +0000)]
Merge "Add manifests to install and configure stunnel" into stable/pike
Jenkins [Fri, 1 Sep 2017 08:54:40 +0000 (08:54 +0000)]
Merge "Repair immediate VF configuration for PCI SR-IOV" into stable/pike
Juan Antonio Osorio Robles [Thu, 31 Aug 2017 09:45:14 +0000 (12:45 +0300)]
Fix enabling zaqar keystone endpoint and MySQL database
The zaqar service name switched to zaqar-api[1], so the hieradata key
is zaqar_api_enabled now instead of zaqar_enabled.
[1] I9b451eac4427a52ad8eec62ff89acc6c6d3ab799
Closes-Bug: #
1714213
Change-Id: I692658337e7afc9d0a99b245f8b0b4f76a076bc4
(cherry picked from commit
bc6a526f91c156e1cecfb9226ae3686102e655d4)
Juan Antonio Osorio Robles [Thu, 24 Aug 2017 13:21:11 +0000 (13:21 +0000)]
Add manifests to install and configure stunnel
Some services (such as Redis) can't use mod_proxy as a TLS proxy,
since they're not HTTP services. So stunnel is necessary for these.
Thus, we add manifests to configure it as such.
bp tls-via-certmonger
Change-Id: Ic4a2dac7b3831e4780105e3b05e9c5afcf15c79c
(cherry picked from commit
f85199c77826017e383534051ada57ef1ea4ddcc)
Emilien Macchi [Wed, 30 Aug 2017 21:31:34 +0000 (14:31 -0700)]
Use Python to compute release notes version
Leave the version fields blank, since the release notes document
applies to all versions.
That will avoid manual changes in the future like we did until now.
Change-Id: I9c64787b278b53a0f4125275678ded3f46d05be2
(cherry picked from commit
aefd5f7afd238b50eff71fe6f583ef7cadb54d12)
Jenkins [Thu, 31 Aug 2017 01:51:59 +0000 (01:51 +0000)]
Merge "HAProxy: Make certmonger bundle the cert and key on renewal" into stable/pike
Jenkins [Thu, 31 Aug 2017 01:51:53 +0000 (01:51 +0000)]
Merge "Certmonger: Only attempt to reload haproxy is it's active" into stable/pike
Jenkins [Thu, 31 Aug 2017 00:27:50 +0000 (00:27 +0000)]
Merge "Support for Dell EMC Unity Manila Driver" into stable/pike
Jenkins [Thu, 31 Aug 2017 00:27:08 +0000 (00:27 +0000)]
Merge "Support for Dell EMC Isilon Manila Driver" into stable/pike
Juan Antonio Osorio Robles [Wed, 23 Aug 2017 09:20:20 +0000 (12:20 +0300)]
HAProxy: Make certmonger bundle the cert and key on renewal
the postsave command is ran by certmonger when a certificate is
requested (which will happen on certificate renewal). The previous
command given didn't take into account the file that haproxy expects,
which is a bundled PEM file with both the certificate and the key. Thus,
certmonger would have never generated a new bundle that haproxy would
use, resulting in haproxy always having an old bundle after certificate
expiration.
This fixes that.
Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
Closes-Bug: #
1712514
(cherry picked from commit
e1791a37d557b14bb8f833363cabe5c98e151548)
Juan Antonio Osorio Robles [Wed, 23 Aug 2017 06:01:53 +0000 (09:01 +0300)]
Certmonger: Only attempt to reload haproxy is it's active
Previously, certmonger tried to reload haproxy every time after a
certificate is requested. This is useful for certificate resubmits or
renewals. However, it turned out problematic on installation, when
haproxy is not yet active, as it would try many times and end up having
a race-condition with puppet.
This checks if haproxy is active and only then will it attempt to reload
it.
Change-Id: I51f9cccb5d1518a9647778e7bf6f9426a02ceb60
Closes-Bug: #
1712377
(cherry picked from commit
351ab932514f13d7a139b0b41fdc4f6f7e990c8f)
rajinir [Thu, 3 Aug 2017 16:13:19 +0000 (11:13 -0500)]
Support for Dell EMC Unity Manila Driver
This changes adds Dell EMC Unity backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I0df1e16db89cd53e4f16cd08ccb975d8e7e9a470
Implements: blueprint dellemc-unity-manila
(cherry picked from commit
2f93b4fc3aa63d99b7dcb0302e9ee48bda1f4282)
rajinir [Fri, 28 Jul 2017 23:50:06 +0000 (18:50 -0500)]
Support for Dell EMC Isilon Manila Driver
This changes adds Dell EMC Isilon backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I30f6b4c4ebe0a708a5eb34cd016544f4d2b9c2bb
Implements: blueprint dellemc-isilon-manila
(cherry picked from commit
75ee7f12f165d4ef6e47600d8c0ec93dff3b610d)
Giulio Fidente [Mon, 28 Aug 2017 07:56:18 +0000 (09:56 +0200)]
Add /etc/ceph into pacemaker bundles
We missed to mount the Ceph config files into the docker/pacemaker
profiles.
Change-Id: I23b6890b4cf7f1e6fe84b6be280dde82218275fc
Closes-Bug: #
1713421
(cherry picked from commit
b18ae72c6aaad9eb98d7e4490a6572441f63b9a1)
Alex Schultz [Thu, 24 Aug 2017 16:07:23 +0000 (10:07 -0600)]
Enable config for docker daemon debug
Exposes a way to configure the docker daemon with debug enabled.
Change-Id: I654a70c8bb7753679be83d78ca653ed44c3a7395
Related-Bug: #
1710533
(cherry picked from commit
44b90c9a79146139cbcbe7f560bd1df667cca780)
Jenkins [Sat, 26 Aug 2017 18:41:07 +0000 (18:41 +0000)]
Merge "Fix panko port to match tht" into stable/pike
Brent Eagles [Thu, 24 Aug 2017 19:43:01 +0000 (17:13 -0230)]
Repair immediate VF configuration for PCI SR-IOV
Change I71edc135432ab2193741c37ce977dd11172401e6 broke the host VF
configuration that set VF counts when the puppet is applied. This patch
re-adds the ensure => present property required for proper behavior.
Change-Id: Ibd18c4f3b7f0d8cee330f94f87e7ad4ea7ceeffb
Closes-Bug: #
1712903
(cherry picked from commit
1e133f31466bf17df66b0f552a2ce5b3b056e666)
Jenkins [Fri, 25 Aug 2017 23:05:14 +0000 (23:05 +0000)]
Merge "Update UPPER_CONSTRAINTS_FILE for stable/pike" into stable/pike
Jenkins [Fri, 25 Aug 2017 22:30:25 +0000 (22:30 +0000)]
Merge "Update .gitreview for stable/pike" into stable/pike
Pradeep Kilambi [Wed, 23 Aug 2017 12:43:36 +0000 (08:43 -0400)]
Fix panko port to match tht
In templates we use 13977 as the port for panko. The
old 13779 is reserved for trove so it conflicts.
Closes-bug: #
1712566
Change-Id: I77444199eef6c2b9abbd819829b4fea2d698e2db
(cherry picked from commit
5064677dda8e4f140df6d024089e95afe11a91f1)
Juan Antonio Osorio Robles [Thu, 24 Aug 2017 06:25:33 +0000 (09:25 +0300)]
Add /bin to PATH for CRL cronjob
Checking the root's mail (/var/mail/root) I finally saw the root cause
of the CRL cronjob not working.
/bin/sh: curl: command not found
now, curl, (and most commands used by that cronjob) is in the /bin bash,
so we need to add it to the environment's PATH for the cronjob.
Change-Id: If10855b801782eeaf2006cd57071d74d13daf8c2
Closes-Bug: #
1712404
(cherry picked from commit
139ac85028947f476a085e89bd54f3dfacd886cf)
OpenStack Release Bot [Thu, 24 Aug 2017 21:04:52 +0000 (21:04 +0000)]
Update UPPER_CONSTRAINTS_FILE for stable/pike
Change-Id: Ibc02e4e87593f18c4c48a9e8197a4cd3c16d9cd4
OpenStack Release Bot [Thu, 24 Aug 2017 21:04:51 +0000 (21:04 +0000)]
Update .gitreview for stable/pike
Change-Id: Ib750ba8a4e76a25ffd2352b420e97548447eae97
Jenkins [Thu, 24 Aug 2017 18:10:12 +0000 (18:10 +0000)]
Merge "Use resource collector for the fencing -> stonith ordering"
Jenkins [Thu, 24 Aug 2017 17:56:15 +0000 (17:56 +0000)]
Merge "TLS-everywhere/libvirt: Make postsave command configurable"
Juan Antonio Osorio Robles [Tue, 22 Aug 2017 18:14:22 +0000 (18:14 +0000)]
TLS-everywhere/libvirt: Make postsave command configurable
This is requires for when libvirt is running over a container, since
we shouldn't try to restart the libvirt process, but the container
itself.
bp tls-via-certmonger-containers
Change-Id: I26a7748b37059ea37f460d8c70ef684cc41b16d3
Jenkins [Thu, 24 Aug 2017 10:51:11 +0000 (10:51 +0000)]
Merge "Add OVN DBs bundle support for pacemaker HA"
Michele Baldessari [Wed, 23 Aug 2017 15:45:41 +0000 (17:45 +0200)]
Use resource collector for the fencing -> stonith ordering
Change Ifef08033043a4cc90a6261e962d2fdecdf275650 moved the stonith
property definition to the pacemaker_master node. This means that the
Class['tripleo::fencing'] -> Class['pacemaker::stonith'] ordering
breaks on non-boostrap pacemaker nodes because the pacemaker::stonith
property is not defined there any longer.
Let's fix this by simply using a resource collector and set the ordering
on that instead of adding yet anoth if statement. Ordering on
enablement of stonith is actually more correct formally.
Tested this on a broken setup successfully.
Closes-Bug: #
1712605
Change-Id: I616d340bdf75da9d9eb8b83b2e804dff3d07d58e
Juan Antonio Osorio Robles [Tue, 22 Aug 2017 18:06:14 +0000 (21:06 +0300)]
Add -s (silent) to curl command for CRL refresh
Without it, it doesn't reload the services it should.
Change-Id: I43e6188700deb585f905ca700e69b6875f0ded45
Closes-Bug: #
1712404
Jenkins [Mon, 21 Aug 2017 23:55:32 +0000 (23:55 +0000)]
Merge "Do not create fs and server side key from manila"
Jenkins [Mon, 21 Aug 2017 11:42:06 +0000 (11:42 +0000)]
Merge "Certmonger: Make postsave command configurable"
Jenkins [Sat, 19 Aug 2017 03:07:04 +0000 (03:07 +0000)]
Merge "Support for Dell EMC VMAX Manila Driver"
Jenkins [Sat, 19 Aug 2017 03:06:59 +0000 (03:06 +0000)]
Merge "Support for Dell EMC VMAX ISCSI Cinder Driver"
Jenkins [Sat, 19 Aug 2017 03:06:46 +0000 (03:06 +0000)]
Merge "Allow configuring multiple insecure registries"
Jenkins [Sat, 19 Aug 2017 03:06:40 +0000 (03:06 +0000)]
Merge "Add TLS for nova metadata service"
Juan Antonio Osorio Robles [Wed, 16 Aug 2017 06:26:42 +0000 (09:26 +0300)]
Certmonger: Make postsave command configurable
We need to make it configurable since these commands don't apply for
containerized environments. This way we can restart containers or
disable restarting and rely on other means.
This stems from the issue that some services get accidentally started by
certmonger on containerized environments, which makes the container
initialization fail.
bp tls-via-certmonger-containers
Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
Jenkins [Fri, 18 Aug 2017 15:23:32 +0000 (15:23 +0000)]
Merge "Enable TLS in the internal network for horizon"
Jenkins [Fri, 18 Aug 2017 15:23:26 +0000 (15:23 +0000)]
Merge "Create separate resource for HAProxy horizon endpoint"
Jenkins [Fri, 18 Aug 2017 07:45:47 +0000 (07:45 +0000)]
Merge "Move barbican's database creation to mysql profile"
Jenkins [Fri, 18 Aug 2017 03:16:51 +0000 (03:16 +0000)]
Merge "Release Pike rc1 - 7.3.0"
Juan Antonio Osorio Robles [Thu, 17 Aug 2017 17:29:32 +0000 (17:29 +0000)]
Add TLS for nova metadata service
This adds a TLS proxy in front of it so it serves TLS in the internal
network.
bp tls-via-certmonger
Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
Jenkins [Thu, 17 Aug 2017 16:08:27 +0000 (16:08 +0000)]
Merge "Remove extra keystone admin haproxy listen and allow TLS"
Jiri Stransky [Thu, 10 Aug 2017 16:16:46 +0000 (18:16 +0200)]
Allow configuring multiple insecure registries
If we're using local registries, we may want to use different
registries e.g. for Ceph and for OpenStack. We allow multiple
registries in general for this purpose, and we should also allow it in
the insecure registry configuration.
Change-Id: I5cddd20a123a85516577bde1b793a30d43171285
Related-Bug: #
1709310
Jenkins [Thu, 17 Aug 2017 13:44:24 +0000 (13:44 +0000)]
Merge "HAProxy: Set listen options for internal services too"
Jenkins [Thu, 17 Aug 2017 13:38:28 +0000 (13:38 +0000)]
Merge "Add logrotate-crond configuration"
Juan Antonio Osorio Robles [Tue, 1 Aug 2017 13:05:36 +0000 (16:05 +0300)]
Enable TLS in the internal network for horizon
This enables the usage of TLS by the apache vhost that hosts horizon.
bp tls-via-certmonger
Change-Id: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e
Juan Antonio Osorio Robles [Mon, 7 Aug 2017 11:09:15 +0000 (14:09 +0300)]
Create separate resource for HAProxy horizon endpoint
This removes clutter from the main haproxy manifest and allows TLS in
the internal network as well. Trying to keep the previous behavior.
bp tls-via-certmonger-containers
Change-Id: I1a68771cc7be7fb2b32abbad81db7890bd2c5502
Emilien Macchi [Thu, 17 Aug 2017 05:32:59 +0000 (22:32 -0700)]
Release Pike rc1 - 7.3.0
Change-Id: Id3277c97052e1dd88e6d2de6c5f92b32b95fa210
Juan Antonio Osorio Robles [Tue, 15 Aug 2017 16:52:07 +0000 (19:52 +0300)]
Move barbican's database creation to mysql profile
This makes sure that the database creation is only executed on the mysql
profile (or container if that's enabled), and stops the conflicts and
errors that were happening when barbican was deployed in containerized
environments.
Change-Id: Ib5c99482f62397fc5fb79a9dc537dfb06ee7f4df
Closes-Bug: #
1710928
Numan Siddique [Mon, 17 Jul 2017 11:15:57 +0000 (16:45 +0530)]
Add OVN DBs bundle support for pacemaker HA
It uses the control-port 3125.
Partial-bug: #
1699085
Change-Id: I4787321e10cc35beeb5ec3f585dafb2268ea4f21
Bogdan Dobrelya [Wed, 2 Aug 2017 13:42:38 +0000 (15:42 +0200)]
Add logrotate-crond configuration
Generate a cron job and a config for logrotate
to be run against containerized services logs.
Related-bug: #
1700912
Change-Id: Ib9d5d8ca236296179182613e1ff625deea168614
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Juan Antonio Osorio Robles [Tue, 15 Aug 2017 16:02:42 +0000 (19:02 +0300)]
Remove extra keystone admin haproxy listen and allow TLS
The current code exposes an unused public listen directive in HAProxy
for the keystone admin endpoint. This is not ideal and should be
removed, as it exposes the service unnecessarily. We should stick to
just exposing it to the ctlplane network as is the default.
If folks really need to expose it to the public network, they can do so
by modifying the ServiceNetMap through t-h-t and setting the keystone
admin endpoint's network to external.
Now, for "single" or "internal" haproxy endpoints, this adds the ability
to detect if they're using the external network, and thus use TLS on it.
Which is something a deployer would want if they exposed the keystone
admin endpoint in such a way.
Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
Closes-Bug: #
1710909
Closes-Bug: #
1639996
Jenkins [Wed, 16 Aug 2017 00:39:17 +0000 (00:39 +0000)]
Merge "Replace enabled languages with excluded languages in UI"
Jenkins [Tue, 15 Aug 2017 17:35:53 +0000 (17:35 +0000)]
Merge "Enable TLS configuration for containerized HAProxy"
Jenkins [Tue, 15 Aug 2017 06:59:07 +0000 (06:59 +0000)]
Merge "Use rabbitmq ipv6 flag"
Jenkins [Mon, 14 Aug 2017 23:01:54 +0000 (23:01 +0000)]
Merge "Fix legacy nova/cinder encryption key manager configuration"
John Eckersberg [Mon, 26 Jun 2017 21:11:50 +0000 (17:11 -0400)]
Use rabbitmq ipv6 flag
The internal details of enabling IPv6 have moved upstream[1], so just
set the ipv6 flag when desired and don't worry about the details
anymore!
[1] https://github.com/puppetlabs/puppetlabs-rabbitmq/pull/552
Closes-Bug: #
1710658
Change-Id: Ib22507c4d02f0fae5c0189ab7e040efac3df7e2f
rajinir [Fri, 4 Aug 2017 15:37:17 +0000 (10:37 -0500)]
Support for Dell EMC VMAX Manila Driver
This changes adds Dell EMC VMAX backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I6e3b4ed6477c7ee56aef4e9849893229ca648c85
Implements: blueprint dellemc-vmax-manila
rajinir [Mon, 31 Jul 2017 20:56:28 +0000 (15:56 -0500)]
Support for Dell EMC VMAX ISCSI Cinder Driver
This changes adds Dell EMC VMAX ISCSI backend as composable service
and matches the tripleo-heat-templates.
Change-Id: Ifc169c60994856e382b76b72e020624ca64eef9f
Implements: blueprint dellemc-vmax-isci
Jenkins [Sat, 12 Aug 2017 14:54:00 +0000 (14:54 +0000)]
Merge "Run online_data_migrations for Ironic on upgrade"
Jenkins [Sat, 12 Aug 2017 14:53:44 +0000 (14:53 +0000)]
Merge "Enable TLS configuration for containerized Galera"
Jenkins [Fri, 11 Aug 2017 12:41:46 +0000 (12:41 +0000)]
Merge "Do not include manila ceph key resource twice"
Jenkins [Fri, 11 Aug 2017 12:03:01 +0000 (12:03 +0000)]
Merge "Modify resource dependencies of certmonger_user resources"
Jan Provaznik [Tue, 11 Jul 2017 10:21:19 +0000 (12:21 +0200)]
Do not create fs and server side key from manila
Both fs and key are handled by ceph-ansible, move fs and key
creation out of manila manifest to assure that it works with and
without ceph-ansbile.
Client-side manila key is created from ceph-mds and ceph-external
templates in I6308a317ffe0af244396aba5197c85e273e69f68.
Depends-On: I6308a317ffe0af244396aba5197c85e273e69f68
Partially-Implements: blueprint nfs-ganesha
Change-Id: I2b5567a39ac8737e80758b705818cc1807dc8bf1
Juan Antonio Osorio Robles [Tue, 8 Aug 2017 14:40:29 +0000 (17:40 +0300)]
HAProxy: Set listen options for internal services too
This was missed from a previous commit, as described in the bug report.
We need to set this variable in this case as well, else it will use the
undefined variable, thus ignoring anything that the user had set.
Change-Id: I6810e7bb3eed16a6478974ac759c3f720a41120a
Closes-Bug: #
1709332
Code Review / apex-puppet-tripleo.git / log