Commit Graph

51 Commits

Author SHA1 Message Date
Monty Taylor 185bbcbe52 Retire repo
Depends-On: https://review.opendev.org/720892
Change-Id: I295517b9ab66af664b96831e38011130468c2599
2020-04-22 10:19:09 -05:00
OpenDev Sysadmins a23ab15d29 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:26:01 +00:00
Ian Wienand 79b7674ca1 Replace openstack.org git:// URLs with https://
This is a mechanically generated change to replace openstack.org
git:// URLs with https:// equivalents.

This is in aid of a planned future move of the git hosting
infrastructure to a self-hosted instance of gitea (https://gitea.io),
which does not support the git wire protocol at this stage.

This update should result in no functional change.

For more information see the thread at

 http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003825.html

Change-Id: Id8c256042f2f6dff4e736cadd93f3bf91d6cfaa9
2019-03-24 20:35:39 +00:00
Zuul 2f5ec4d79a Merge "Explicitly set selinux seltype for rules link" 2018-07-25 02:41:31 +00:00
Zuul 182b59aae2 Merge "Ensure iptables service is running" 2018-07-25 02:41:00 +00:00
Zuul 05ebb06499 Merge "Ensure firewalld package is absent, not purged" 2018-07-25 02:40:59 +00:00
Colleen Murphy 84da3ad042 Update Gemfile for Zuulv3
The logic in the Gemfile was relying on Zuulv2 variables to find out
whether the spec helper gem was already available on disk, and since
Zuulv3 has changed things it was failing to find it and downloading the
master version instead. This patch ensures the Gemfile looks for the gem
in the right place when running in CI.

Change-Id: Ib463032f91ecaa759f504fbf399ccfbdd94536b9
2018-07-12 09:57:44 +02:00
Colleen Murphy cef0960c6d Explicitly set selinux seltype for rules link
Puppet seems to have some issue with creating a symlink in
/etc/sysconfig on CentOS, where it creates the link on the first run and
then corrects the seltype on the second run, breaking idempotency tests.
If we make sure to explicitly set it up front, puppet doesn't get
confused. This patch also removes the mode setting since setting the
permissions mode on a symlink doesn't make sense.

Change-Id: I7019c48220425fc583b9b431eff08a6261ee2ebc
2018-07-10 21:20:43 +02:00
Colleen Murphy 73089a0566 Ensure iptables service is running
On Ubuntu, the iptables service starts running when it is installed. On
CentOS, that's not the case, and signaling a restart in puppet does not
actually start the service. The result is that while the iptables
service is stopped, `iptables -S` is empty. This patch adds ensure =>
running to the service resources so that iptables behaves the same on
CentOS and Ubuntu.

Change-Id: I0584c988bcebeee5133f85d55f8d389d78ebac70
2018-07-10 21:20:39 +02:00
Colleen Murphy ffe7e12145 Ensure firewalld package is absent, not purged
There seems to be a longstanding, inexplicably unresolved bug[1][2] in
the puppet package resource on CentOS where an uninstalled package will
repeatedly be reported as being "created" when it is not installed and
when the resource has ensure => purged. This breaks idempotency tests
and is just confusing. Setting the resource to absent instead of purge
works correctly and should be sufficient for ensuring firewalld isn't
interfering..

[1] https://projects.puppetlabs.com/issues/2833
[2] https://projects.puppetlabs.com/issues/3707

Change-Id: I702cf0130b311a5cd6786b4c4dd76fa03adbd2f7
2018-07-10 20:53:54 +02:00
Ian Wienand ac4f7e77e3 Allow allowed_hosts to not have ipv6 interfaces
This puts a conditional around the AAAA lookup so we can add hosts in
clouds that don't provide an IPv6 address.

Change-Id: I97e82a41fdbe31e7bce6f05b8e6aa39834c42548
2018-02-21 13:40:23 +11:00
James E. Blair 8f2af6849c Add support for resolving hostnames in rules
This allows us to specify rules with hostnames, but have puppet
resolve those to IP addresses before writing out the iptables
config.  This ensures that iptables will always be able to start,
as well as keeping firewalls up to date as hosts change.

Change-Id: I7a0dfbab67bdba72c0a56acc611503795d2bc350
Depends-On: I29d36cc527351e3e6d2ee2dc1919988379b8db3a
2017-12-14 12:54:08 -08:00
Colleen Murphy e69236f2e6 Depend on helper gem for spec_helper_acceptance
Instead of keeping a local copy of spec_helper_acceptance.rb and
requiring updates to all modules for any change, we can move it into the
common helper gem and require it from there. This will make it easier to
create and review changes that affect all puppet modules. Also change
the Gemfile to look for the gem in the local workspace if running in a
zuul environment.

Change-Id: I10a82afb33c487b3914f1f6449e76d7b9e91cf48
2017-08-18 10:41:43 +02:00
Colleen Murphy 227d6dc253 Update beaker setup for xenial
Add a xenial nodeset and update the spec helper to install puppet 3 from
the Ubuntu repos instead of from puppetlabs.

Change-Id: I875a48bea886036bbb1cb00500252b46efb928f7
2017-06-11 21:49:27 +02:00
Paul Belanger 33d815763c
Add bindep.txt file
Bindep is a tool for checking the presence of binary packages needed
to use an application / library. It started life as a way to make it
easier to set up a development environment for OpenStack projects.

Change-Id: I72e610badbf7a6cfe840e31e9b3a0c93cdda6da8
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-05-01 21:10:03 -04:00
Jenkins 25561a16c8 Merge "Use site-agnostic default parameter values" 2016-12-21 07:41:52 +00:00
Ian Wienand 0b5f1ebeaf Fedora: pre-install iptables to work-around dependency issue
As described in the comment, we need to pre-install the iptables
package before the iptables-service package to avoid dependency
issues.  This was causing F25 build failures.

Change-Id: I9541a1c8f11566198b6fa622e36c4be59d6670d2
2016-12-20 09:57:50 +11:00
K Jonathan Harker f01c69ce28 Use site-agnostic default parameter values
Set the default snmp hosts to the empty set rather than
cacti.openstack.org.

Change-Id: Ibae45af594fc2b18024fcc2d6ef040afd4ddd926
Depends-On: I173ca1efae4644c89cfab68d6beeba0a1dae9ce2
2016-08-29 16:39:09 -07:00
K Jonathan Harker d921031e8a Parameterize SNMP source hosts
Downstream consumers of this module likely don't need or want to open
snmp access from cacti.openstack.org. Parameterize the hosts to allow
snmp from so that downstreams don't have to fork the module in order to
remove the access.

Change-Id: I9394982811f8dcf0d63eccb782de04bf4a047ec7
2016-08-29 16:28:54 -07:00
Paul Belanger 5b178cefd3
Add ip6tables service support for Red Hat
Currently we don't start ip6tables service on centos-7. This fixes
that.

Change-Id: I64e62074b41e49cc2dc9b6bafcfbeeded2029487
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-08-29 13:25:32 -04:00
Paul Belanger 47ed5aabad
Ensure service logic run regardless of using chroot
We want to stop notify from working in a chroot, however we need to
make sure we properly setup our Service correctly. As a result, move
the logic outside of our chroot checks.

Change-Id: I4c9284ed8ed23944aa3649338b1a09abdc8b80df
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-07-05 17:26:49 -04:00
Spencer Krum ace48981af Use new infra_spec_helper for gem dependencies
Change-Id: Ia509d1855e80a3fa3ae6a51841b432422eb683c3
2016-06-21 18:38:39 -07:00
James E. Blair af2c407515 Change cacti IPv6 address
Change-Id: Iec462c12648a60ff2c275826f654408dbc22c033
2016-05-23 10:58:00 -07:00
James E. Blair 9457575632 Change cacti IP address
Change-Id: Ifdd3edabb442eea5bb67898e8a08bc323d6165a0
2016-05-23 10:53:13 -07:00
Spencer Krum 5151e454c4 Pin google-api-client; sanitize Gemfile
Change-Id: Ie0f080efe4df357325be1c753ed0f745e99cfd08
2016-04-14 15:19:40 -07:00
Andrey Nikitin 86262df7c8 Indentation of the class parameters is refactored
Indentation of those parameters are changed
to follow Puppet Style Guide recommendation [0].

[0]. https://docs.puppetlabs.com/guides/style_guide.html

Change-Id: I336a845d5b2256c90987e1295545dbf26fd2076b
2016-03-22 12:49:38 +03:00
Clark Boylan 95670757ae Really stop using firewalld
On some centos7 builds there is no firewalld so we have to be a bit more
smarter about how we disable it. New method is to run an exec that stops
the service if it is running then use a package resource to uninstall it
completely. All of this happens before we install the iptables service
so they should not confict with each other.

One trick is we have to "purge" the package, because it may well have
dependencies (on RAX images, firewalld-fail2ban is installed along
with a bunch of other monitoring-type things by the "helpful"
tool-installation script that runs automatically).  The "yum" provider
in puppet actually says to do this in it's documentation:

  Using this provider's `uninstallable` feature will not remove
  dependent packages. To remove dependent packages with this provider
  use the `purgeable` feature, but note this feature is destructive
  and should be used with the utmost care."

Change-Id: I0750de9e75b63190531a3d39a5fcbb19f8e8c49e
2015-09-14 16:22:46 -07:00
Clark Boylan 7503162cc4 Disable firewalld on centos7 and greater
Firewalld is enabled by default on centos7. Unfortunately
iptables-service and firewalld appear to confuse each other resulting in
no firewall rules at all. Fix this by disabling firewalld allowing
iptables-service to be in charge and apply the rules it has configured.

Change-Id: I0089502b134c91ef2e8d11cef1e016ce314ecf96
2015-08-27 15:31:56 -07:00
Spencer Krum a2d7123013 Fix target path for regular git clone during tests
Use same target directory for zuul-cloner and
the regular git command.

Change-Id: I3f22133f8b61f3ec383c84bc54887cfa67260a1b
Co-Authored-By: Fabien Boucher <fabien.boucher@enovance.com>
2015-08-19 16:36:31 -07:00
Colleen Murphy 599f8e21b3 Add Gemfile and puppet 4 checks
In anticipation of puppet 4, start trying to deal with puppet 4 things
that can be helpfully predicted by puppet lint plugins. Also fix lint
errors caught by the puppet-lint-absolute_classname-check gem as well
as arrow alignment errors not caught before.

Change-Id: I56bce05c9c8d1b7924b78c78b74e4755d9a02936
2015-08-03 18:19:57 -07:00
Spencer Krum 63c72d1258 Boilerplate beaker-rspec files
Change-Id: I2e7cadd0586081b000ae0063bcb7a013306fc15b
2015-07-28 02:04:34 -07:00
Jens Rosenboom 8d08af0a9b Use service-name netfilter-persistent for Vivid
Starting from Ubuntu Vivid, there is no service called iptables-persistent
anymore, the service netfilter-persistent now includes calling the tasks
from iptables-persistent.

Change-Id: Ie8bf4eafb9d9d2e02e2ed21fb4e4e899399450de
2015-07-15 15:40:17 +02:00
Jeremy Stanley edda5ec179 Replace ci.o.o links with docs.o.o/infra
The http://ci.openstack.org/ documentation site has been deprecated,
replaced by redirects to corresponding paths within
http://docs.openstack.org/infra/ where other Project Infrastructure
documentation already resides.

Change-Id: Ib5eb11101dec53b9da30460543239613ecc1f6e8
2015-05-14 21:38:17 +00:00
Ramy Asselin 8335bcc5d3 Rename openstackci to openstackinfra
Change-Id: I0003cda967df9dc7e10e26144ba23459467386a9
2015-04-20 13:44:24 -07:00
Jeremy Stanley 100cf05540 Add missing LICENSE file
The content of this project is Apache 2 licensed, but we should
include a standard LICENSE file just to be clear about that.

Change-Id: Iee6320b9d7e35fbe8d3b0a9794f3e485c18ef2c8
2015-01-29 22:57:46 +00:00
Ramy Asselin e41667be3c Add module boilerplate files for puppet-iptables
Change-Id: I1b99b39b16f682e940778ab1dda7759c3fd784de
2015-01-28 15:28:13 -08:00
Attila Fazekas 1938c72b93 iptables on fedora
The systemd version of iptables requires the 'iptables-services' package
for having the `regular` iptables rule restore on service startup.

The service also needs to be enabled explicitly.

Another iptables related issue with multinode_setup.sh,
tries to executes the iptables command without login shell.

The non-login shell does not contains /usr/sbin in PATH,
so multinode_setup.sh changed to use login shell defaults.

Warning: This change enables the iptables service on all
distribution.

Change-Id: I3174e43b3b19e28073a4364dd0f66fc39b0fa815
2014-08-14 11:23:53 +02:00
Monty Taylor 6ca8392c27 Don't manage iptables if we're in a choot
In chroots, as with diskimage-builder, managing service starts is
tricky. Also, we don't need to restart the service then, because
the service will get started on boot of the image.

Change-Id: Iaf90005039b8196ba3a0ac05c96d71e034f0b0b1
2014-07-05 15:58:05 -07:00
Elizabeth Krumbach Joseph 593465a104 Update some deprecated Puppet variable references
While getting these scripts to run on Puppet 3 with Fedora 20, I got
a series of warnings about the deprecation of variable names. These
changes should also continue to work fine on Puppet 2.7.

Change-Id: I232f5f5a9abbe94be9fe2d3b8c82f009c03a11f3
2014-01-29 14:50:05 -08:00
Jeremy Stanley e164471e36 The facter osfamily of Ubuntu is Debian.
Clean up facter osfamily matches to just use Debian, not Ubuntu.
This is manually tested and confirmed to at least be the case on
Oneiric, Precise and Quantal.

Change-Id: I27b184ac419910f9c3271c3b4e57886333282a5f
Reviewed-on: https://review.openstack.org/27399
Reviewed-by: Spencer Krum <krum.spencer@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
2013-04-25 21:37:00 +00:00
Jeremy Stanley f6b9dc7ea8 Jenkins slave puppetry for CentOS.
The install scripts now look for CentOS in release files. Also some
instances of facter's operatingsystem are switched to osfamily and
capitalization of RedHat is normalized to match what facter uses.

Change-Id: I3bbca5481d0d5e6de9e62bfd6e2b0a85264ed6ed
Reviewed-on: https://review.openstack.org/27398
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
2013-04-25 21:36:58 +00:00
Dan Prince 3263da2819 Add RHEL support to iptables module.
Updates the iptables module so that it uses parameters
to define the package, service, and files used to setup and
configure persistent iptables rules.

With these updates the module should now support both
RHEL and Ubuntu.

Change-Id: I45af4e72065c9baaf1d9a03f18b47f6effdce322
Reviewed-on: https://review.openstack.org/23278
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
2013-03-04 18:24:37 +00:00
Nachi Ueno 53a8e73187 Remove iptables forwarding rule for quantum-gate
Original default fowarding rule drops all packet including
the packets from quantum-dhcp. In this patch, we remove
forwarding rule

Change-Id: I68ec7440595a158e0a5f572868f37f54f5ffa1ba
Reviewed-on: https://review.openstack.org/18353
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
2012-12-19 01:14:32 +00:00
James E. Blair b2e3236903 Make iptables additional rules a list.
A list of iptables commands that come after the "-A OPENSTACK-INPUT"
bit.

Change-Id: Iee595d9267738365c208f8ecb6f0fd4941b357e3
Reviewed-on: https://review.openstack.org/17172
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
2012-11-30 01:39:28 +00:00
Paul Belanger 6e40791b0b Puppet lint fixes
Change-Id: I00cfd6765bf3f7acd44263347655228d5a839852
Signed-off-by: Paul Belanger <paul.belanger@polybeacon.com>
Reviewed-on: https://review.openstack.org/15844
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
2012-11-13 21:38:48 +00:00
James E. Blair fbbd435ea2 Add cacti host.
Change-Id: I67cc116ad8a2b2586856965ae1e341d735d69fd3
Reviewed-on: https://review.openstack.org/14582
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
2012-10-23 00:45:21 +00:00
Clark Boylan d0981f5a63 Add ipv6 functionality to iptables module.
Rackspace nova cloud supports ipv6. Add ip6tables support to the
iptables module so that we can take advantage of ipv6 on this cloud
platform.

Change-Id: I628b7c71ff486a925cdb3d44277cca0d6ae7c985
Reviewed-on: https://review.openstack.org/14315
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
2012-10-11 21:20:08 +00:00
Matthew Wagoner f61a443a90 style edits to puppet config files
Change-Id: I4f7314bcb1cb58f94ff7a78aebe27ec4591fc11c
Reviewed-on: https://review.openstack.org/14187
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
2012-10-10 21:01:08 +00:00
Hengqing Hu fa51e50883 Remove trailing whitespaces in regular file
Change-Id: I06d4ed2a8153820f7253c6602bfa8c05af59e06f
2012-03-09 16:02:04 +08:00
Andrew Hutchings 8a91936e0a Add bzr to iptables
Adds bzr to jenkins iptables
Adds symlink for rules.v4 to rules

Change-Id: I058cccde7e39860655c3762ca06e2bd5d93f3a1c
2012-02-15 17:48:00 -08:00