140 Commits

Author SHA1 Message Date
Zuul
2ebc2ee3af Merge "Run Octavia configuration on the overcloud" 2018-01-22 19:50:12 +00:00
Or Idgar
9d692aaa2f Run Octavia configuration on the overcloud
Fully configuring Octavia requires resources such as the load balancer
management network and amphora image to be created in the overcloud
during deployment. This is handled through some ansible driven through a
mistral workflow. This patch enables configuring and triggering this
workflow from heat.

Co-Authored-By: Brent Eagles <beagles@redhat.com>
Depends-on: If07ded033be9f44b7c7a7e09214032fa89a02e77

Change-Id: I2d10dbd33b3a0ed0463096849d01aa2c1b9f293e
2018-01-16 13:19:09 +00:00
lhinds
7e68dbdf8c Implements AIDE Intrusion Detection System
Introduces a service to configure AIDE Intrusion Detection.

This service inits the database and copies the new database
to the active naming. It also sets a cron job, using email if
`AideEmail` is populated, otherwise the reports are sent to
`/var/log/aide/`.

AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.

Related-Blueprint: tripleo-aide-database
Depends-On: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
Change-Id: I23d8ba2c43e907372fe079026df1fca5fa1c9881
2018-01-15 13:10:16 +00:00
Daniel Alvarez
85e006d19d Add support for OVN Metadata Agent
This patch adds support for networking-ovn-metadata-agent.
It will deploy the agent on compute nodes and disable Nova
force_config_drive.

The following two patches have been squashed into this one:
* https://review.openstack.org/#/c/525164/
* https://review.openstack.org/#/c/522813/
The reason behind the squash is that we had interdependencies
and this patch alone wouldn't be testing the code properly
without the two other ones since scenario007 job in baremetal
has been removed for this cycle.

UpgradeImpact

Depends-On: I678652294cb8f964c34b742a0bc0ea360d736fb9
Depends-On: If3dffde5e0db8f7607a9708d36d54d1600fe5da8
Depends-On: I38f775479d178f5b252619635b67f876bc8c5ed5
Depends-On: Ifdd42437333730a3b3e6f36cbab6df0a2971a5a1
Depends-On: I940cec6d670df39ac6e2a3559a028acbeee99331

Change-Id: Idc2bb4e31a64502ac6fcdac771d823509dc328e7
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
2018-01-12 09:40:06 +00:00
Emilien Macchi
6a6872f390 Introduce OS::TripleO::Services::Rhsm
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.

Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logic
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role work.
The parameter can be overridden per role, so we can think of specific
cases where some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.

Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.

Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.

Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
2017-12-27 11:03:49 -08:00
Zuul
20a5994716 Merge "Add multiple secret store backends for barbican" 2017-12-08 01:23:23 +00:00
Ade Lee
f8decc73fc Add multiple secret store backends for barbican
Change-Id: I7aaa242ee1ecbfcbcc7502b0ce8e5a9191d307f2
Depends-On: I07e52897897f453382f74aa4fdaa98c37e6eca30
2017-12-05 13:07:50 -05:00
Juan Antonio Osorio Robles
898ad4f54b Add IPSEC composable service
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.

bp ipsec

Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
2017-12-05 13:10:18 +00:00
lhinds
502fde7a64 Implements management of /etc/login.defs
Enables management of shadow password directives in login.defs

By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.

This change will in turn allow operators to adhere to security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.

bp login-defs

Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae
Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637
2017-11-29 09:23:25 +00:00
Zuul
b2bc4f36a3 Merge "logging: merge fluentd-client and fluentd-base" 2017-11-22 10:41:19 +00:00
Zuul
a4877d7272 Merge "Removes manila-generic-config from TripleO" 2017-11-21 16:54:11 +00:00
Zuul
301e8d84e9 Merge "Deploy Ceph Luminous and add support for CephMgr service" 2017-11-21 01:48:51 +00:00
Giulio Fidente
3cea68f12c Deploy Ceph Luminous and add support for CephMgr service
The upgrade of Ceph to Luminous requires a new daemon, ceph-mgr, to be
deployed with every ceph-mon. This submission adds support for the
deployment of ceph-mgr via ceph-ansible.

Change-Id: I4226233d02b70980c6b53518ae2d511b653ce2de
Depends-On: I3645c6c3f68fcefc93fa8699796ba8892aa946c8
Implements: blueprint ceph-luminous
2017-11-20 21:11:23 +01:00
Lars Kellogg-Stedman
f982eb55c4 logging: merge fluentd-client and fluentd-base
The fluentd implementation was originally split across multiple files
in order to support both client and server services. We ultimately
decided to only implement the client as part of tripleo so this
division is no longer necessary. This commit merges
fluentd-client.yaml and fluentd-base.yaml into fluentd.yaml, and
renames things appropriately.

Partial-bug: #1715187
Depends-On: Iace34b7baae8822d2233d97adabf6ebc8833adab
Change-Id: Idb9886f04d56ffc75a78c4059ff319b58b4acf9f
2017-11-17 11:04:52 +01:00
Juan Antonio Osorio Robles
97f9a01f79 Add rsyslog-sidecar resource and configuration
This introduces a "sidecar" container, which is meant to be used
besides other containers (or as part of the pod). It merely uses
rsyslog to listen on a specific UNIX socket and outputs what it
gets to stdout.

This adds the service to each relevant role and introduces a
composable service which merely configures the container. Subsequently
it'll be used as part of other templates.

Note that it is only enabled if "stdout logging" is enabled.

bp logging-stdout-rsyslog
Depends-On: I4864ddca223becd0a17f902729cf2e566df5e521

Change-Id: I2c54acaaa820961c936f1fbe304f42162f720496
2017-11-17 10:38:57 +02:00
Zuul
5840413021 Merge "Barbican: Add ability to specify KEK for simple crypto plugin" 2017-11-13 14:18:39 +00:00
Pradeep Kilambi
5ebbc81c2a Remove deprecated Telemetry services from roles data
Ceilometer API, Collector and Expirer are removed from upstream,
so let's clean these deprecated services.

Change-Id: Ifd28a3029cd39644833ab0e9fc66efb7b5b67c9d
2017-11-07 12:54:41 +00:00
Ade Lee
2089a53afd Barbican: Add ability to specify KEK for simple crypto plugin
It adds the profile to enable the backend and a relevant environment
file that will be used.

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I44391b91b01bc03c9773410152e117ec6bbba491
Change-Id: I39ce9f203af0dea20f7c14ba8b484f600f4aad49
2017-11-02 15:31:17 +00:00
Saravanan KR
739b05f528 Added a new role definition for SR-IOV Compute role
In order to support the role generation command, a new role for
hosting SR-IOV workloads has been added. This also removes the
SR_IOV services from the default compute so that compute and compute
sriov can co-exist in the same cluster.
Closes-Bug: #1715829

Change-Id: If48bd6a69209da556cc75ece035b341eb59f41a9
2017-10-25 15:16:28 +05:30
Victoria Martinez de la Cruz
6740f94914 Removes manila-generic-config from TripleO
Generic driver is not intended to be used in real environments
since it introduces a SPOF in the data path. Due to this, it
doesn't make sense and generates confusion to have the environment
file, so in this patch set we simply remove it.

Change-Id: I2e1db2bd614eae65e59712f50dc3391f16f6b388
Closes-Bug: #1708680
2017-10-16 16:54:47 -03:00
Zuul
7b3e9f7d54 Merge "Remove Heat Cloudwatch API" 2017-10-16 09:22:39 +00:00
Jenkins
efd86fb1a8 Merge "Add a Skydive composable service" 2017-10-13 20:37:59 +00:00
Alex Schultz
5c3efe66a4 Remove Heat Cloudwatch API
The heatwatch api has long been deprecated[0] so this should not be in the
roles and environment configuration.

[0]
http://lists.openstack.org/pipermail/openstack-dev/2015-April/061834.html

Change-Id: I322979c34a92565a7dd54248c312b692e9c83f74
Closes-Bug: #1720865
2017-10-11 09:54:38 +02:00
Bernard Cafarelli
7059ca1316 Add networking-sfc support
Enables deployment of service function chaining via the networking-sfc
project.

Implements: blueprint networking-sfc-support

Co-Authored-By: Bernard Cafarelli <bcafarel@redhat.com>
Change-Id: I230b31dc9ed0ecc5046064628ba2f2505e589522
Depends-On: Icd433ddc6ae7de19a09f9e33b410a362c317138a
2017-10-10 13:33:32 +00:00
Sylvain Baubeau
d31bc3a573 Add a Skydive composable service
This commit adds one service for the agent, and one
other for the analyzer. When using multiple controller nodes,
the analyzers are deployed in cluster mode, with a single etcd node.
These services are deployed as containers using a Mistral
workflow with Ansible.

Depends-on: I0442d2a75a4931a4bd8399c58ff6b016d5486945
Change-Id: I56c53158f9ed294dac95dbd7087d057e427f16a1
2017-10-04 10:32:07 +02:00
Derek Higgins
a850d8059f Add IronicPxe to the default controller
It doesn't exist in the non containerized openstack so leave it
stubbed out by default.

Change-Id: I5fcb1f0b9958ac90f034a12f1ee733dae6571f9c
2017-09-25 17:07:47 +01:00
Jenkins
9126ca5459 Merge "Add Swift dispersion profile" 2017-09-11 12:21:12 +00:00
Brent Eagles
94c9c2f954 Add Neutron SR-IOV agent container
This patch adds support for running the neutron SR-IOV agent in a
container.

Depends-On: I4a63845a97c890d7d408731ec5509c320289f18f
Depends-On: Ie5d8cd7863c0d042cc6a4e1fc52602d8a03a1935
Depends-On: I1b5ab0a64ae1f5735f1bd5a68e6ae8bdcf47ddec

Closes-Bug: #1715388

Change-Id: I7ee603b32eddacd02d846dff00dd1b786d4a7ad9
2017-09-06 22:18:24 -02:30
Ricardo Noriega
a18a94e498 Add Bagpipe driver composable service
The BaGPipe driver for the BGPVPN service plugin is designed
to work jointly with the openvswitch ML2 mechanism driver.

Change-Id: I17ed258231e7efdd1ca8e0697d074b11961ed0ae
Depends-On: I1e0227d8055f456043fe63c6a9cbd722d7bf84a7
Partially-Implements: blueprint bgpvpn-service-integration
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-09-01 11:56:47 +02:00
rajinir
f6c9906d51 Add support for Dell EMC Isilon Manila backend
This change adds support for manila::backend::dellemc_isilon

Change-Id: I92592e4b717d4b1812ccd810ec1daaedd181c3dd
Implements: blueprint dellemc-isilon-manila
2017-08-30 04:42:09 +00:00
rajinir
04daabdc84 Add support for Dell EMC VMAX Manila Backend
This change adds support for manila::backend::dellemc_vmax

Change-Id: I92e189c8741c496ef6c27130f73829c327a99f1b
Implements: blueprint dellemc-vmax-manila
2017-08-30 04:42:01 +00:00
rajinir
c771899055 Add support for Dell EMC VMAX ISCSI Backend
This change adds a new define for cinder::backend::dellemc_vmax_iscsi

Change-Id: I7c685e0a3186da138964f17b487fb0c3533f58c7
Implements: blueprint dellemc-vmax-isci
2017-08-30 04:41:47 +00:00
Jenkins
6f4cb34571 Merge "Add support for Dell EMC VNX Manila Backend" 2017-08-28 19:58:10 +00:00
Jenkins
2c4653cb7c Merge "Add support for Dell EMC Unity Manila Backend" 2017-08-28 19:54:11 +00:00
Christian Schwede
beb5fde051 Add Swift dispersion profile
This runs the swift-dispersion-populate tool after deploying Swift,
which makes it possible to run swift-dispersion-report later on to check
the current dispersion within the cluster.

This is helpful to do sanity checks before rebalancing rings and to
check the overall health of the cluster.

Change-Id: Ic76a3c2cd671be538f116cdf98adf458d8869d8e
2017-08-25 13:11:59 +02:00
Jenkins
26d7023a07 Merge "Add Ceilometer API and Collector service to roles_data" 2017-08-23 00:10:37 +00:00
rajinir
a3debcfa8b Add support for Dell EMC VNX Manila Backend
This change adds support for manila::backend::dellemc_vnx

Change-Id: I5fa5c2d6956429d1b9c12a5af6d4a887ed0624d9
Implements: blueprint dellemc-vnx-manila
2017-08-22 11:40:23 -05:00
rajinir
c5ee7b7714 Add support for Dell EMC Unity Manila Backend
This change adds support for manila::backend::dellemc_unity

Change-Id: Idec67d190b12359e8e6f1c157577088fa84ef41d
Implements: blueprint dellemc-unity-manila
2017-08-22 11:40:23 -05:00
Bogdan Dobrelya
8a03456056 Add logrotate with crond service
Add a docker service template to provide containerized services
logs rotation with a crond job.
Add OS::TripleO::Services::LogrotateCrond to CI multinode-containers
and to all environments along with generic services like Ntp or Kernel.
Set it to OS::Heat::None for non containerized environments and
only enable it to the environments/docker.yaml.

Closes-bug: #1700912

Change-Id: Ic94373f0a0758e9959e1f896481780674437147d
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-08-21 08:56:29 +02:00
Jenkins
2d14386548 Merge "Add support for Dell EMC Unity Cinder backend" 2017-08-19 00:10:52 +00:00
Pradeep Kilambi
2bbc07a969 Add Ceilometer API and Collector service to roles_data
Ceilometer api and collector are disabled in pike. During upgrade case,
if it's not in the roles_data the disable task doesn't get picked
up and continue to run. This should be removed in Queen cycle.

Change-Id: I3bf555ac9488fc6622e6a62a809150082a85ea54
2017-08-17 13:29:19 -04:00
rajinir
9353db123d Add support for Dell EMC Unity Cinder backend
This change adds a new define for cinder::backend::dellemc_unity.

Change-Id: I7f9dbb707cf9b5c90ec2f31dcff82cd578805b80
Implements: blueprint dellemc-unity-cinder
2017-08-17 08:36:14 +00:00
Steven Hardy
612ba25124 Convert objectstorage-role.yaml to role.role.j2.yaml
Add some special-casing for backwards compatibility, such that the
ObjectStorage role can be rendered via j2 for support of composable networks.

Change-Id: I52abbefe2f5035059ccbed925990faab020c6c89
Partially-Implements: blueprint composable-networks
2017-08-11 15:11:55 +01:00
Steven Hardy
d8e2531820 Convert compute-role.yaml to role.role.j2.yaml
Add some special-casing for backwards compatibility, such that the
Compute role can be rendered via j2 for support of composable networks.

Change-Id: Ieee446583f77bb9423609d444c576788cf930121
Partially-Implements: blueprint composable-networks
2017-08-11 15:06:34 +01:00
Steven Hardy
1aad286ca3 Convert controller-role.yaml to role.role.j2.yaml
Add deprecated role-specific parameters to role definition, in
order to special-case some parameters for backwards compatibility,
such that the Controller role can be rendered via j2 for support
of composable networks.

Co-Authored By: Dan Sneddon <dsneddon@redhat.com>
Change-Id: I5983f03ae1b7f0b6add793914540b8ca405f9b2b
Partially-Implements: blueprint composable-networks
2017-08-11 15:06:34 +01:00
Numan Siddique
5f313f27c9 Add 'ovn-controller' service
Presently the ovn-controller service (puppet/services/neutron-compute-plugin-ovn.yaml)
is started only on compute nodes. But for the cases where the controller nodes
provide the north/south traffic, we need ovn-controller service running in controller
nodes as well.

This patch
 - Renames the neutron-compute-plugin-ovn.yaml to ovn-controller.yaml which makes more
   sense and sets the service name as 'ovn-controller'.
 - Adds the service 'ovn-controller' to Controller and Compute roles.
 - Adds the missing 'upgrade_tasks' section in ovn-dbs.yaml and ovn-controller.yaml

Depends-On: Ie3f09dc70a582f3d14de093043e232820f837bc3
Depends-On: Ide11569d81f5f28bafccc168b624be505174fc53
Change-Id: Ib7747406213d18fd65b86820c1f86ee7c39f7cf5
2017-07-27 18:22:03 +00:00
Joe Talerico
c2b2cc555a Adding Tuned Service
Allow the user to set a specific Tuned profile on a given host.

Defaults to throughput-performance

Change-Id: I0c66193d2733b7a82ad44b1cd0d2187dd732065a
2017-07-25 17:08:37 +00:00
Jenkins
86621ff34a Merge "Add support for nova live/cold-migration with containers" 2017-07-24 15:22:39 +00:00
Oliver Walsh
4a7f3398f1 Add support for nova live/cold-migration with containers
Updates hieradata for changes in https://review.openstack.org/471950.
Creates a new service - NovaMigrationTarget. On baremetal this just configures
live/cold-migration. On docker it includes a container running a second sshd
service on an alternative port.
Configures /var/lib/nova/.ssh/config and mounts in nova-compute and libvirtd
containers.

Change-Id: Ic4b810ff71085b73ccd08c66a3739f94e6c0c427
Implements: blueprint tripleo-cold-migration
Depends-On: I6c04cebd1cf066c79c5b4335011733d32ac208dc
Depends-On: I063a84a8e6da64ae3b09125cfa42e48df69adc12
2017-07-23 02:26:55 +01:00
abhishek.kane
91c1a81531 Add composable services for the Veritas HyperScale.
Add a composable service for each of:
  - the Veritas HyperScale's Cinder backend.
  - installing the Veritas HyperScale controller packages.

Change-Id: I99ee827825ec2a6a3c695de1ca1c1015859fe398
Depends-On: I316b22f4f7f9f68fe5c46075dc348a70e437fb1d
Depends-On: I9168bffa5c73a205d1bb84b831b06081c40af549
Signed-off-by: abhishek.kane <abhishek.kane@veritas.com>
2017-07-17 13:27:25 +05:30