Christian Schwede [Wed, 30 Nov 2016 07:32:12 +0000 (07:32 +0000)]
Set memcache_servers in /etc/swift/object-expirer.conf
This defaults to 127.0.0.1:11211 without setting these explicitly. The
object-expirer is working without a correct memcache server, however it
is slower and warnings will be logged.
Related-Bug:
1627927
Depends-On: Ie139f018c4a742b014dd4d682970e154d66a8c6d
Change-Id: I89a879592a264d541cf42f007584e2e78058c867
Christian Schwede [Tue, 29 Nov 2016 10:32:03 +0000 (11:32 +0100)]
Enable object-expirer on Swift proxy profile
This service is required to delete expired automatically. It is often
run on the proxy nodes, therefore adding it to the Swift proxy profile.
Change-Id: I3250c205ffc166ae628bc427de2e3492d086c3bb
Closes-Bug:
1645657
Jenkins [Mon, 28 Nov 2016 18:13:31 +0000 (18:13 +0000)]
Merge "Enable TLS in the internal network for Panko API"
Jenkins [Mon, 28 Nov 2016 09:45:47 +0000 (09:45 +0000)]
Merge "adding new swift middleware that is typically enabled by default"
Jenkins [Fri, 25 Nov 2016 16:27:51 +0000 (16:27 +0000)]
Merge "Enable internal TLS for MySQL"
Jenkins [Fri, 25 Nov 2016 14:45:13 +0000 (14:45 +0000)]
Merge "Do not configure state matching when using GRE"
Juan Antonio Osorio Robles [Fri, 25 Nov 2016 06:51:22 +0000 (08:51 +0200)]
Enable TLS in the internal network for Panko API
This optionally enables TLS for Panko API in the internal network.
If internal TLS is enabled, each node that is serving the Panko API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: Ie9be7ce19601435b1b83b4ba58d9c7e8d53f23ba
Juan Antonio Osorio Robles [Wed, 28 Sep 2016 09:32:35 +0000 (09:32 +0000)]
Enable internal TLS for MySQL
this adds the necessary code in the manfiest to configure TLS
if internal TLS is enabled. this also adds the capability of
auto-generating the certificate via certmonger.
bp tls-via-certmonger
Change-Id: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
Brent Eagles [Wed, 23 Nov 2016 22:29:58 +0000 (18:59 -0330)]
Do not configure state matching when using GRE
The firewall rule quite reasonably sets up a default state matching rule
but this is invalid for GRE. This patch conditionally adds the state
matching if the protocol is not GRE.
Closes-Bug: #
1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
Jenkins [Wed, 23 Nov 2016 15:51:51 +0000 (15:51 +0000)]
Merge "Remove Combination alarms support"
Jenkins [Wed, 23 Nov 2016 14:56:33 +0000 (14:56 +0000)]
Merge "Proxy manila in http mode"
Jenkins [Wed, 23 Nov 2016 13:54:33 +0000 (13:54 +0000)]
Merge "Move calculation of neutron l3_ha into puppet profile"
Jenkins [Tue, 22 Nov 2016 11:13:41 +0000 (11:13 +0000)]
Merge "Use mode 'http' in haproxy for ceilometer, neutron, aodh and gnocchi"
Juan Antonio Osorio Robles [Tue, 22 Nov 2016 09:49:13 +0000 (11:49 +0200)]
Proxy manila in http mode
It needs it so HAProxy will be able to set the X-Forwarded-Proto header.
Related-Bug: #
1640126
Change-Id: I1726fa1742bc70518338b80fc6d27567bb020e7c
Juan Antonio Osorio Robles [Tue, 22 Nov 2016 08:31:02 +0000 (10:31 +0200)]
Use mode 'http' in haproxy for ceilometer, neutron, aodh and gnocchi
HAProxy won't pass X-Forwarded-Proto to these services in mode tcp, so we need
to switch it to http in order for it to work and for the services to properly
set the protocol in the links they serve.
Change-Id: Ib10282159fb9269eebe81af23171ec9fb1297cd0
Closes-Bug: #
1640126
Jenkins [Tue, 22 Nov 2016 00:59:08 +0000 (00:59 +0000)]
Merge "firewall: stop using stdlib stages"
Jenkins [Mon, 21 Nov 2016 23:58:42 +0000 (23:58 +0000)]
Merge "Adds auto-detection for VIP interfaces"
Jenkins [Mon, 21 Nov 2016 21:19:37 +0000 (21:19 +0000)]
Merge "Add panko service support"
Emilien Macchi [Mon, 21 Nov 2016 14:57:09 +0000 (09:57 -0500)]
firewall: stop using stdlib stages
Using Puppet stdlib in TripleO is risky because it exposes deployments
to dependency cycles in the catalog.
We should rather use native functions to make orchestrations, like
ordering and dependencies management.
This patch:
- removes usage of stages from stdlib
- use ordering to make sure we run pre rules before post
- use ordering to make sure we start all Services in catalog before post
rules. It ensure that we don't drop all traffic before starting the
services, which could lead to services errors (e.g. trying to reach database
or amqp)
Change-Id: Iec4705d6b785a40ccf6f43809b94b726ccd47fef
Closes-Bug: #
1643575
Steven Hardy [Thu, 17 Nov 2016 11:02:57 +0000 (11:02 +0000)]
Move calculation of neutron l3_ha into puppet profile
This is currently calculated in t-h-t but has a hard-coded reference
to the ControllerCount which is incompatible with custom-roles.
So instead calculate the setting based on the number of neutron API
services running (on any role, not just Controller), combined with
whether DVR is enabled (equivalent to current t-h-t logic).
To avoid breaking the NeutronL3HA parameter in t-h-t we maintain an
optional parameter to override the calculated value.
Change-Id: I01c50973eec8138ec61304f2982d5026142f267c
Partial-Bug: #
1629187
Tim Rozet [Mon, 24 Oct 2016 20:30:22 +0000 (16:30 -0400)]
Adds auto-detection for VIP interfaces
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan
deployments ends up being the wrong interface. The public VIP interface
was also defaulted to 'br-ex' which would be incorrect for vlan based
deployments. Since a user has already given the nic template (and in
most cases the subnet that corresponds to the nic) the installer should
be able to figure out which interface the public/control vip should be
on.
These changes enable that type of auto-detection, unless a user
explicitly overrides the heat parameters for ControlVirtualInterface and
PublicVirtualInterface. Also removes calling keepalived from haproxy
now that the services are composed separately on the Controller role.
Partial-Bug:
1606632
Change-Id: I05105fce85be8ace986db351cdca2916f405ed04
Signed-off-by: Tim Rozet <trozet@redhat.com>
Steven Hardy [Thu, 17 Nov 2016 17:37:45 +0000 (17:37 +0000)]
Replace hard-coded haproxy/keepalived coupling
We have a variable in hiera which tells us if the keepalived
service is enabled, so use it here. Without this any deployment
disabling OS::TripleO::Services::Keepalived will fail.
Change-Id: I90faf51881bd05920067c1e1d82baf5d7586af23
Closes-Bug: #
1642677
Pradeep Kilambi [Wed, 16 Nov 2016 21:10:57 +0000 (16:10 -0500)]
Remove Combination alarms support
combination alarms are completely removed in Ocata.
Remove this from tripleo.
Change-Id: Icdf81d2f489db33533a1a0979cba3b5a652535d5
Jenkins [Thu, 17 Nov 2016 08:07:53 +0000 (08:07 +0000)]
Merge "Sort parameters in keystone profile alphabetically"
Jenkins [Wed, 16 Nov 2016 18:33:58 +0000 (18:33 +0000)]
Merge "Prepare 6.0.0 (ocata-1)"
Juan Antonio Osorio Robles [Wed, 16 Nov 2016 12:21:04 +0000 (14:21 +0200)]
Sort parameters in keystone profile alphabetically
Change-Id: I035c26e0f50e4b3fc0f6085fa5a4bf524e4852b7
Juan Antonio Osorio Robles [Wed, 16 Nov 2016 06:34:08 +0000 (08:34 +0200)]
Remove explicit hiera calls for heat in keystone profile
These are now passed via the heat profiles in t-h-t (via
heat-base.yaml and heat-engine.yaml) and use the actual names of
keystone parameters instead.
Change-Id: Id0f5dd03b6757df989339c93b58a5b7eac3402a2
Depends-On: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
Emilien Macchi [Wed, 16 Nov 2016 02:38:14 +0000 (21:38 -0500)]
Prepare 6.0.0 (ocata-1)
Prepare the first release of Ocata.
Change-Id: Ib8173d1ce26752216aeaab835f483503cf82b217
Jenkins [Tue, 15 Nov 2016 18:21:14 +0000 (18:21 +0000)]
Merge " Enable TLS in the internal network for Barbican API"
Pradeep Kilambi [Thu, 10 Nov 2016 21:41:32 +0000 (16:41 -0500)]
Add panko service support
Change-Id: I35f283bdf8dd0ed979c65633724f0464695130a4
Jenkins [Mon, 14 Nov 2016 09:36:37 +0000 (09:36 +0000)]
Merge "Fix barbican server name to not use aodh hiera"
Juan Antonio Osorio Robles [Mon, 14 Nov 2016 07:04:46 +0000 (09:04 +0200)]
Enable TLS in the internal network for Barbican API
This optionally enables TLS for Barbican API in the internal network.
If internal TLS is enabled, each node that is serving the Barbican API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
Jenkins [Fri, 11 Nov 2016 19:23:10 +0000 (19:23 +0000)]
Merge "Normalize civetweb binding address if IPv6"
Jenkins [Fri, 11 Nov 2016 19:19:40 +0000 (19:19 +0000)]
Merge "Enable TLS in the internal network for Cinder API"
Jenkins [Fri, 11 Nov 2016 15:43:03 +0000 (15:43 +0000)]
Merge "Ensure keepalived is restarted when necessary."
Giulio Fidente [Wed, 9 Nov 2016 20:01:51 +0000 (21:01 +0100)]
Normalize civetweb binding address if IPv6
The civetweb binding format is IP:PORT; this change ensures the IP
is enclosed in brackets if IPv6.
To do so we add the bind_ip and bind_port parameters to the
rgw service class.
Change-Id: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
Co-Authored-By: Lukas Bezdicka <social@v3.sk>
Related-Bug: #
1636515
Pradeep Kilambi [Thu, 10 Nov 2016 23:19:27 +0000 (18:19 -0500)]
Fix barbican server name to not use aodh hiera
this looks like a copy/paste error. Let barbican use its own
hiera data.
Change-Id: I84118c1a561c3db2f18504b55c5a8c4f042e7e3b
Ben Nemec [Thu, 10 Nov 2016 23:03:58 +0000 (23:03 +0000)]
Fix puppet lint failure
I'm not sure how this merged, but it's causing failures in other
patches to puppet-tripleo.
Change-Id: Ib20d349fa9abd6347739190bb29a02b6e3eb839d
Thiago da Silva [Wed, 9 Nov 2016 22:47:45 +0000 (17:47 -0500)]
adding new swift middleware that is typically enabled by default
These are features that are typically enabled by default
in any swift cluster.
Change-Id: Ie323f68255a73d46e774cbf49d9353c3bf90c35e
Signed-off-by: Thiago da Silva <thiago@redhat.com>
Jenkins [Wed, 9 Nov 2016 13:27:01 +0000 (13:27 +0000)]
Merge "Enable TLS in the internal network for Nova API"
Jenkins [Wed, 9 Nov 2016 13:26:32 +0000 (13:26 +0000)]
Merge "Better way to ensure keepalived before haproxy."
Jenkins [Wed, 9 Nov 2016 13:22:42 +0000 (13:22 +0000)]
Merge "Wrong default in docstring"
Jenkins [Wed, 9 Nov 2016 10:48:44 +0000 (10:48 +0000)]
Merge "Pass X-Forwarded-Proto for missing services"
Sofer Athlan-Guyot [Tue, 8 Nov 2016 15:44:26 +0000 (16:44 +0100)]
Ensure keepalived is restarted when necessary.
If os-collect-config/config.json is updated before an upgrade/update,
then the os-net-config run will automatically erase the keepalived
managed ips.
This is a hackish way to ensure that keepalived is restarted during the
next phase in order to have the ip recreated.
It basically adds a comment line to the keepalived.conf file (making it
different than the puppet one) if it's there. This will force a puppet
restart of the keepalive service puting the ips back on the undercloud.
Change-Id: I56b706ff44ba31aa87a63f870940831ce02a6e77
Closes-Bug: #
1640213
Related-Bug: #
1638029
Jenkins [Tue, 8 Nov 2016 18:00:24 +0000 (18:00 +0000)]
Merge "Add proper handling of IPv6 addresses for rabbit host/port handling"
Sofer Athlan-Guyot [Tue, 8 Nov 2016 09:16:53 +0000 (10:16 +0100)]
Better way to ensure keepalived before haproxy.
The lastest patchset of https://review.openstack.org/393361 was actually
not working.
The `if defined` idiom depends on *evaluation* order.
At the time it's red in the haproxy.pp class, the line that loads the
class 'haproxy' has still not yet been reached and thus the `defined`
result is false. The constraint is not added.
For this reason, the use of `defined` in module is not advised by
puppetlabs[1].
[1] https://docs.puppet.com/puppet/latest/reference/function.html#defined
Change-Id: Ibd352cb313f8863d62db8987419378bed5b87256
Relates-To: #
1638029
Jenkins [Tue, 8 Nov 2016 16:19:48 +0000 (16:19 +0000)]
Merge "Enable TLS in the internal network for gnocchi"
Jenkins [Tue, 8 Nov 2016 16:12:46 +0000 (16:12 +0000)]
Merge "Improve failed mysql node removal time in HA deploys."
MikeG451 [Tue, 8 Nov 2016 15:30:50 +0000 (15:30 +0000)]
Wrong default in docstring
Update default doc default for bind_host to match previous change
http://review.openstack.org/386817/
Change-Id: Iff048ba7152c1b7e945f284311215c8f872c1409
Closes-bug: #
1640104
Juan Antonio Osorio Robles [Tue, 8 Nov 2016 11:22:13 +0000 (13:22 +0200)]
Pass X-Forwarded-Proto for missing services
aodh, ceilometer, gnocchi and neutron need the X-Forwarded-Proto in
order to return links with the correct protocol when SSL is enabled.
This enables it in HAProxy
Change-Id: Icceab92f86b1cc40d42195fa4ba0c75f302795b8
Closes-Bug: #
1640126
Chris Jones [Fri, 4 Nov 2016 10:01:24 +0000 (10:01 +0000)]
Improve failed mysql node removal time in HA deploys.
In HA deployments, we now check mysql nodes every 1s and removed them
immediately if they are failed. Previously we would check every 2s and
allow them to fail 5 checks before being removed, producing errors from
other OpenStack services for 10s, which causes confusion and delay for
operators.
Additionally, these check options are now also a class parameter so can
be overridden by operators.
Closes-Bug: #
1639189
Change-Id: I0b915f790ae5a4b018a212d3aa83cca507be05e9
Brent Eagles [Tue, 8 Nov 2016 04:32:29 +0000 (01:02 -0330)]
Add proper handling of IPv6 addresses for rabbit host/port handling
This patch changes the rabbit_hosts config generation to work properly
with IPv6 addresses.
Closes-Bug: #
1639881
Change-Id: I07cd983880a4a75a051e081dcb96134cb5c6f5e8
Steven Hardy [Mon, 7 Nov 2016 11:35:05 +0000 (11:35 +0000)]
Increase haproxy timeouts
It's been proposed this may help with the
('Connection aborted.', BadStatusLine("''",)) errors.
This patch increase queue, server and client timeouts to 2m (default is 1m)
Related-Bug: #
1638908
Change-Id: Ie4f059f3fad2271bb472697e85ede296eee91f5d
Emilien Macchi [Mon, 31 Oct 2016 14:39:43 +0000 (10:39 -0400)]
swift/proxy: configure rabbitmq properly
Use rabbitmq_node_ips to find out where rabbitmq nodes are, and have
correct ipv6 syntax if required.
Closes-Bug:
1637443
Change-Id: Ibc0ed642931dd3ada7ee594bb8c70a1c3462206d
Jenkins [Thu, 3 Nov 2016 10:07:47 +0000 (10:07 +0000)]
Merge "Fix default for barbican documentation"
Jenkins [Thu, 3 Nov 2016 08:47:05 +0000 (08:47 +0000)]
Merge "Make sure keepalived is restarted before haproxy."
Alex Schultz [Tue, 1 Nov 2016 19:43:17 +0000 (13:43 -0600)]
Create heat user in keystone profile
Rather than use the heat::keystone::domain class which also includes the
configuration options, we should just create the user for heat in
keystone independently of the configuration.
Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe
Related-Bug: #
1638350
Closes-Bug: #
1638626
Juan Antonio Osorio Robles [Tue, 1 Nov 2016 10:06:49 +0000 (12:06 +0200)]
Enable TLS in the internal network for Cinder API
This optionally enables TLS for Cinder API in the internal network.
If internal TLS is enabled, each node that is serving the Cinder API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863
Juan Antonio Osorio Robles [Tue, 1 Nov 2016 12:09:33 +0000 (14:09 +0200)]
Fix default for barbican documentation
Change-Id: Id4dc2379b0c423012a0b3aaf49d1e1a7d633a03b
Jenkins [Tue, 1 Nov 2016 12:59:19 +0000 (12:59 +0000)]
Merge "Add barbican profile rspec testing"
Jenkins [Tue, 1 Nov 2016 12:58:55 +0000 (12:58 +0000)]
Merge "Add barbican profile"
Jenkins [Tue, 1 Nov 2016 12:12:57 +0000 (12:12 +0000)]
Merge "Fixes transparent binding to OpenDaylight in HA Proxy"
Jenkins [Tue, 1 Nov 2016 11:23:19 +0000 (11:23 +0000)]
Merge "NFS mounting for Glance file backend"
Juan Antonio Osorio Robles [Wed, 19 Oct 2016 07:30:18 +0000 (10:30 +0300)]
Enable TLS in the internal network for Nova API
This optionally enables TLS for Nova API in the internal network.
If internal TLS is enabled, each node that is serving the Nova API
service will use certmonger to request its certificate.
Note that this doesn't enable internal TLS for the nova metadata
service since it doesn't run over httpd. This will be handled in
a later commit.
bp tls-via-certmonger
Change-Id: I88380a1ed8fd597a1a80488cbc6ce357f133bd70
Sofer Athlan-Guyot [Mon, 31 Oct 2016 14:53:13 +0000 (15:53 +0100)]
Make sure keepalived is restarted before haproxy.
When using SSL setup for undercloud, the admin and public vip required
for ssl binding by haproxy are created by keepalived.
This makes sure that keepalived is started before haproxy and thus that
the interfaces are indeed present.
This patch also ensures this is happening for overcloud ssl
configuration. The case where another load-balancing technology other
than haproxy is used is not covered.
Closes-Bug: #
1638029
Change-Id: I98cb0dcd7f389a1dd38ec8324429bfef4979aa66
Jenkins [Mon, 31 Oct 2016 17:16:12 +0000 (17:16 +0000)]
Merge "Release 5.4.0"
Jenkins [Mon, 31 Oct 2016 12:56:52 +0000 (12:56 +0000)]
Merge "Calculate zaqar mongo from mongodb_node_ips"
Jenkins [Mon, 31 Oct 2016 12:06:10 +0000 (12:06 +0000)]
Merge "Reload haproxy if any configuration changes on HA"
Jenkins [Mon, 31 Oct 2016 11:48:53 +0000 (11:48 +0000)]
Merge "Enable TLS in the internal network for aodh"
Emilien Macchi [Mon, 31 Oct 2016 11:34:50 +0000 (07:34 -0400)]
Release 5.4.0
New Newton release
Change-Id: I152fbd1dcaac37474183d60654db15a9a4918209
Jenkins [Mon, 31 Oct 2016 09:39:36 +0000 (09:39 +0000)]
Merge "Enable TLS in the internal network for ceilometer"
Tim Rozet [Sun, 30 Oct 2016 13:44:18 +0000 (09:44 -0400)]
Fixes transparent binding to OpenDaylight in HA Proxy
ODL was missing transparent binding mode, which causes HA deployments to
fail since HA Proxy will try to come up on every node (even without
VIP).
Closes-Bug:
1637833
Change-Id: I0bb7839cdcfeacb4ca1a9fc6f878e8b51330be92
Signed-off-by: Tim Rozet <trozet@redhat.com>
Juan Antonio Osorio Robles [Thu, 27 Oct 2016 14:38:52 +0000 (17:38 +0300)]
Clean up service name from cinder api
Since the service_name is now being passed from t-h-t, we can clean
it up from the profile in puppet.
Change-Id: I724af8c355c3077be64cf472cedbca80af55da01
Depends-On: I13638cd1af52537bef8540f0d5fa5f5f7decd392
Brad P. Crochet [Thu, 27 Oct 2016 09:04:36 +0000 (05:04 -0400)]
Calculate zaqar mongo from mongodb_node_ips
In order to make the zaqar service fully composable, the mongo ips need
to be calculated without assuming that mongo and zaqar are on the same
node.
Change-Id: I0b077e85ba5fcd9fdfd33956cf33ce2403fcb088
Jenkins [Thu, 27 Oct 2016 07:02:34 +0000 (07:02 +0000)]
Merge "Set redis file descriptor limit when run via pacemaker"
Juan Antonio Osorio Robles [Wed, 26 Oct 2016 16:38:55 +0000 (19:38 +0300)]
Reload haproxy if any configuration changes on HA
In some cases, for instance, when updating from a non-SSL setup in
HAProxy to an SSL setup, we don't reload haproxy's configuration.
This is problematic since we need HAProxy to serve the certificates
and the new endpoints.
This forces the reload when puppet notices changes.
Change-Id: Ie1dd809e6beef33fadad48de55e488219fb7d686
Closes-Bug: #
1636921
Jenkins [Wed, 26 Oct 2016 15:55:15 +0000 (15:55 +0000)]
Merge "Deploy cinder over Apache httpd"
Jenkins [Wed, 26 Oct 2016 13:33:25 +0000 (13:33 +0000)]
Merge "Only restart haproxy services when enable_load_balancer is defined"
Jenkins [Wed, 26 Oct 2016 13:28:08 +0000 (13:28 +0000)]
Merge "Remove the hardcoded tcp_keepalive false parameter"
Michele Baldessari [Tue, 25 Oct 2016 12:36:56 +0000 (14:36 +0200)]
Only restart haproxy services when enable_load_balancer is defined
If we upgrade a cloud that was configured with external load balancer
the process will fail during convergence step because it will try to
restart haproxy which is not configured when an external load balancer
is configured.
Closes-Bug: #
1636527
Change-Id: I6f6caec3e5c96e77437c1c83e625f39649a66c48
Michele Baldessari [Fri, 21 Oct 2016 08:02:39 +0000 (10:02 +0200)]
Set redis file descriptor limit when run via pacemaker
The current redis file descriptor limit is 4096 because of two reasons:
- It is run via the redis user
- It is not started via systemd which has explicit LimitNOFILE set to
10240 (which matches the default configuration of maximum 10000
clients)
Create an /etc/security/limits.d/redis.conf file in order to increase
the fd limit value With this change we correctly get the following
limits:
[root@overcloud-controller-0 ~]# pcs status |grep -A2 redis
Master/Slave Set: redis-master [redis]
Masters: [ overcloud-controller-2 ]
Slaves: [ overcloud-controller-0 overcloud-controller-1 ]
[root@overcloud-controller-0 ~]# cat /proc/`pgrep redis`/limits | grep open
Max open files 10240 10240 files
Previously this limit was set to 4096.
Change-Id: I7691581bad92ad9442cecd82cf44f5ac78ed169f
Closes-Bug: #
1635334
Jenkins [Sun, 23 Oct 2016 08:47:56 +0000 (08:47 +0000)]
Merge "Enable communication between UI and the Undercloud by making HAProxy proxy for the UI"
Jenkins [Sun, 23 Oct 2016 08:09:44 +0000 (08:09 +0000)]
Merge "Enable haproxy statistics unix socket"
Jenkins [Sat, 22 Oct 2016 21:45:27 +0000 (21:45 +0000)]
Merge "Increase haproxy client/server timeout for swift-proxy"
Jenkins [Sat, 22 Oct 2016 21:44:51 +0000 (21:44 +0000)]
Merge "Use HAProxy for docker-registry endpoint"
Jenkins [Fri, 21 Oct 2016 21:05:51 +0000 (21:05 +0000)]
Merge "Deploy monitoring/logging agents sooner"
Jenkins [Fri, 21 Oct 2016 21:04:23 +0000 (21:04 +0000)]
Merge "Add zaqar profiles"
Jiri Stransky [Thu, 20 Oct 2016 17:26:16 +0000 (19:26 +0200)]
NFS mounting for Glance file backend
Previously we did this with Pacemaker, but with move to NG HA
architecture we lost the ability to use NFS mounts as image storage for
Glance. This reimplements the mounting without utilizing Pacemaker. The
mount is by default also written to /etc/fstab so that it persists over
reboot, but this behavior can be disabled.
This could also go to puppet-glance eventually, but not yet -- we need
this backported to Newton because it's a TripleO regression. I don't
think puppet-glance would allow backporting this to Newton, because from
their point of view it would be a RFE rather than a regression.
Change-Id: I45ad34c36587a8d695069368cf791f1efb68256c
Related-Bug: #
1635606
John Trowbridge [Fri, 21 Oct 2016 14:47:17 +0000 (10:47 -0400)]
Increase haproxy client/server timeout for swift-proxy
The upload and extraction for the plan tarball to swift can take
longer than the default one minute in slower environments. Doubling
the timeout to two minutes has proven to help.
This is only a partial fix, because the error reporting for this
issue also needs to be improved.
Change-Id: I06592d38fdfefacc8bdf76289a0bfa20eb33a89b
Partial-Bug:
1635269
Jenkins [Fri, 21 Oct 2016 12:57:11 +0000 (12:57 +0000)]
Merge "Removes logic dependent on 'odl_on_controller'"
Jenkins [Fri, 21 Oct 2016 12:05:31 +0000 (12:05 +0000)]
Merge "Enable TLS in the internal network for keystone"
Martin Mágr [Tue, 4 Oct 2016 10:29:51 +0000 (12:29 +0200)]
Deploy monitoring/logging agents sooner
To be able to monitor during deployment, we need sensu clients
and fluentd collectors be deployed as soon as it is possible.
Change-Id: I952f0d6de6f6327d5c923b8f1d7a5979758dbc59
Michele Baldessari [Fri, 21 Oct 2016 05:44:24 +0000 (07:44 +0200)]
Remove the hardcoded tcp_keepalive false parameter
In change I35921652bd84d1d6be0727051294983d4a0dde10 we want to remove
all those duplicate tcp_listen_option entries. One consequence of that
is that we need to set rabbitmq::tcp_keepalive to true via hiera
(as opposed to forcing it via the tcp_listen_option hash).
For this to work we need to remove this forced parameter override.
Note that even if I35921652bd84d1d6be0727051294983d4a0dde10 and this
change don't merge at the exact same time it is still okay because
we do force tcp_keepalive to true via the tcp_listen_options.
Change-Id: I608477d5714a5081b3b4ab3b9fc2932bdd598301
Jenkins [Thu, 20 Oct 2016 21:51:42 +0000 (21:51 +0000)]
Merge "pacemaker/mysql: wait step 2 to remove default accounts"
Jenkins [Thu, 20 Oct 2016 15:34:43 +0000 (15:34 +0000)]
Merge "Fixes missing ODL ML2 Authentication info"
Steve Baker [Thu, 20 Oct 2016 01:51:55 +0000 (14:51 +1300)]
Use HAProxy for docker-registry endpoint
The docker tooling has a preference for interacting with encrypted
endpoints. Terminating the docker-registry endpoint with HAProxy
allows the SSL VIP to be used for this purpose.
Change-Id: Ifebfa7256e0887d6f26a478ff8dc82b0ef5f65f6
Juan Antonio Osorio Robles [Tue, 27 Sep 2016 08:58:50 +0000 (08:58 +0000)]
Enable TLS in the internal network for gnocchi
This optionally enables TLS for gnocchi in the internal network.
If internal TLS is enabled, each node that is serving the gnocchi
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: Ie983933e062ac6a7f0af4d88b32634e6ce17838b
Juan Antonio Osorio Robles [Tue, 27 Sep 2016 08:45:07 +0000 (08:45 +0000)]
Enable TLS in the internal network for aodh
This optionally enables TLS for aodh in the internal network.
If internal TLS is enabled, each node that is serving the aodh
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I50ef0c8fbecb19d6597a28290daa61a91f3b13fc
Juan Antonio Osorio Robles [Tue, 27 Sep 2016 07:15:53 +0000 (07:15 +0000)]
Enable TLS in the internal network for ceilometer
This optionally enables TLS for aodh in the internal network.
If internal TLS is enabled, each node that is serving the ceilometer
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496
Juan Antonio Osorio Robles [Wed, 13 Jul 2016 09:27:23 +0000 (12:27 +0300)]
Enable TLS in the internal network for keystone
This optionally enables TLS for keystone in the internal network.
If internal TLS is enabled, each node that is serving the keystone
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
Code Review / apex-puppet-tripleo.git / log