17 Commits

Author SHA1 Message Date
Mehdi Abaakouk
39f5b64394 Telemetry services need to access to Storage
Gnocchi stores data in Swift or Ceph. So when composable roles are used
it needs access to the Storage network to connect to them.

Change-Id: I11f4ec4a91a9240bde6d504a84351185ed5a6997
2018-04-23 09:36:01 +02:00
Pradeep Kilambi
2da94c529a Include pacemaker in Telemetry role
Since we include redis in telemetry role, we also need
pacemaker for redis containers to start
correctly.

Closes-bug: #1756959

Change-Id: I6b5a07f33b50f443c63b04b1ef1d2c81a2c24963
2018-03-22 11:40:55 +00:00
Giulio Fidente
e99296b3f4 Add CephClient and CephExternal to the Telemetry role
Previously the deployment of the Telemetry role with Ceph would
fail as the Ceph clients didn't get configured on the Telemetry
nodes.

Closes-Bug: 1746525
Change-Id: I0644d028c269afce4c561bbf5b8ca1f2c4addda2
2018-01-31 15:25:46 +01:00
James Slagle
2a25edaf3b Sync services on roles/Telemetry.yaml
The standalone Telemetry role at roles/Telemetry.yaml had an incorrect list of
services. The list has been updated to remove services such as MySQL and
RabbitMQ and the services common to all TripleO roles have been added.

Change-Id: I2e3f84ac61eec8dd49cd30ca19b6ebbe25735e27
Closes-Bug: #1745503
2018-01-25 18:28:54 -05:00
lhinds
7e68dbdf8c Implements AIDE Intrusion Detection System
Introduces a service to configure AIDE Intrusion Detection.

This service inits the database and copies the new database
to the active naming. It also sets a cron job, using email if
`AideEmail` is populated, otherwise the reports are sent to
`/var/log/aide/`.

AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.

Related-Blueprint: tripleo-aide-database
Depends-On: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
Change-Id: I23d8ba2c43e907372fe079026df1fca5fa1c9881
2018-01-15 13:10:16 +00:00
Emilien Macchi
6a6872f390 Introduce OS::TripleO::Services::Rhsm
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.

Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logic
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role work.
The parameter can be overridden per role, so we can think of specific
cases where some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.

Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.

Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.

Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
2017-12-27 11:03:49 -08:00
Juan Antonio Osorio Robles
898ad4f54b Add IPSEC composable service
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.

bp ipsec

Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
2017-12-05 13:10:18 +00:00
lhinds
502fde7a64 Implements management of /etc/login.defs
Enables management of shadow password directives in login.defs

By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.

This change will in turn allow operators to adhere to security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.

bp login-defs

Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae
Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637
2017-11-29 09:23:25 +00:00
Pradeep Kilambi
5ebbc81c2a Remove deprecated Telemetry services from roles data
Ceilometer API, Collector and Expirer are removed from upstream,
so let's clean these deprecated services.

Change-Id: Ifd28a3029cd39644833ab0e9fc66efb7b5b67c9d
2017-11-07 12:54:41 +00:00
Alex Schultz
50c975d159 Add missing Docker service
The example composable roles are missing the docker service declaration
so they currently do not work when trying to deploy with containerized
services.

Change-Id: I986ae561b950e74aacea10bce84673e8d0c9bd97
Closes-Bug: #1713755
2017-08-29 09:31:03 -06:00
Jenkins
26d7023a07 Merge "Add Ceilometer API and Collector service to roles_data"
2017-08-23 00:10:37 +00:00
Bogdan Dobrelya
8a03456056 Add logrotate with crond service
Add a docker service template to provide containerized services
logs rotation with a crond job.
Add OS::TripleO::Services::LogrotateCrond to CI multinode-containers
and to all environments along with generic services like Ntp or Kernel.
Set it to OS::Heat::None for non containerized environments and
only enable it to the environments/docker.yaml.

Closes-bug: #1700912

Change-Id: Ic94373f0a0758e9959e1f896481780674437147d
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-08-21 08:56:29 +02:00
Juan Antonio Osorio Robles
0bf9c789c7 Add certmonger user profile to all overcloud roles
This is needed for TLS everywhere, else the certs won't be requested.

Change-Id: I9849e009843683a75fefa6e9f4b8213bcff3a889
Closes-Bug: #1711424
2017-08-17 20:40:19 +03:00
Pradeep Kilambi
2bbc07a969 Add Ceilometer API and Collector service to roles_data
Ceilometer API and Collector are disabled in Pike. During upgrade case,
if it's not in the roles_data the disable task doesn't get picked
up and continue to run. This should be removed in Queens cycle.

Change-Id: I3bf555ac9488fc6622e6a62a809150082a85ea54
2017-08-17 13:29:19 -04:00
Joe Talerico
c2b2cc555a Adding Tuned Service
Allow the user to set a specific Tuned profile on a given host.

Defaults to throughput-performance

Change-Id: I0c66193d2733b7a82ad44b1cd0d2187dd732065a
2017-07-25 17:08:37 +00:00
Steven Hardy
cba5288867 Make network-isolation environment rendered for all roles
Currently there are some hard-coded references to roles here, rendering
from the roles_data.yaml is a step towards making the use of isolated
networks for custom roles easier.

Partial-Bug: #1633090
Depends-On: Ib681729cc2728ca4b0486c14166b6b702edfcaab
Change-Id: If3989f24f077738845d2edbee405bd9198e7b7db
2017-06-13 11:19:02 +01:00
Alex Schultz
0b259c8d39 Standardize example role definitions
As we create new standard roles, we should include them from a single
location for ease of use and to reduce the duplication of the role
definitions elsewhere. This change adds a roles folder to the THT that
can be used with the new roles commands in python-tripleoclient by the
end user to generate a roles_data.yaml from a standard set of roles.

Depends-On: I326bae5bdee088e03aa89128d253612ef89e5c0c
Change-Id: Iad3e9b215c6f21ba761c8360bb7ed531e34520e6
Related-Blueprint: example-custom-role-environments
2017-06-07 20:20:03 +00:00