This is a mechanically generated change to replace openstack.org
git:// URLs with https:// equivalents.
This is in aid of a planned future move of the git hosting
infrastructure to a self-hosted instance of gitea (https://gitea.io),
which does not support the git wire protocol at this stage.
This update should result in no functional change.
For more information see the thread at
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003825.html
Change-Id: Id8c256042f2f6dff4e736cadd93f3bf91d6cfaa9
The logic in the Gemfile was relying on Zuulv2 variables to find out
whether the spec helper gem was already available on disk, and since
Zuulv3 has changed things it was failing to find it and downloading the
master version instead. This patch ensures the Gemfile looks for the gem
in the right place when running in CI.
Change-Id: Ib463032f91ecaa759f504fbf399ccfbdd94536b9
Puppet seems to have some issue with creating a symlink in
/etc/sysconfig on CentOS, where it creates the link on the first run and
then corrects the seltype on the second run, breaking idempotency tests.
If we make sure to explicitly set it up front, puppet doesn't get
confused. This patch also removes the mode setting since setting the
permissions mode on a symlink doesn't make sense.
Change-Id: I7019c48220425fc583b9b431eff08a6261ee2ebc
On Ubuntu, the iptables service starts running when it is installed. On
CentOS, that's not the case, and signaling a restart in puppet does not
actually start the service. The result is that while the iptables
service is stopped, `iptables -S` is empty. This patch adds ensure =>
running to the service resources so that iptables behaves the same on
CentOS and Ubuntu.
Change-Id: I0584c988bcebeee5133f85d55f8d389d78ebac70
There seems to be a longstanding, inexplicably unresolved bug[1][2] in
the puppet package resource on CentOS where an uninstalled package will
repeatedly be reported as being "created" when it is not installed and
when the resource has ensure => purged. This breaks idempotency tests
and is just confusing. Setting the resource to absent instead of purge
works correctly and should be sufficient for ensuring firewalld isn't
interfering.
[1] https://projects.puppetlabs.com/issues/2833
[2] https://projects.puppetlabs.com/issues/3707
Change-Id: I702cf0130b311a5cd6786b4c4dd76fa03adbd2f7
This puts a conditional around the AAAA lookup so we can add hosts in
clouds that don't provide an IPv6 address.
Change-Id: I97e82a41fdbe31e7bce6f05b8e6aa39834c42548
This allows us to specify rules with hostnames, but have puppet
resolve those to IP addresses before writing out the iptables
config. This ensures that iptables will always be able to start,
as well as keeping firewalls up to date as hosts change.
Change-Id: I7a0dfbab67bdba72c0a56acc611503795d2bc350
Depends-On: I29d36cc527351e3e6d2ee2dc1919988379b8db3a
Instead of keeping a local copy of spec_helper_acceptance.rb and
requiring updates to all modules for any change, we can move it into the
common helper gem and require it from there. This will make it easier to
create and review changes that affect all puppet modules. Also change
the Gemfile to look for the gem in the local workspace if running in a
zuul environment.
Change-Id: I10a82afb33c487b3914f1f6449e76d7b9e91cf48
Add a xenial nodeset and update the spec helper to install puppet 3 from
the Ubuntu repos instead of from puppetlabs.
Change-Id: I875a48bea886036bbb1cb00500252b46efb928f7
Bindep is a tool for checking the presence of binary packages needed
to use an application / library. It started life as a way to make it
easier to set up a development environment for OpenStack projects.
Change-Id: I72e610badbf7a6cfe840e31e9b3a0c93cdda6da8
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
As described in the comment, we need to pre-install the iptables
package before the iptables-service package to avoid dependency
issues. This was causing F25 build failures.
Change-Id: I9541a1c8f11566198b6fa622e36c4be59d6670d2
Set the default snmp hosts to the empty set rather than
cacti.openstack.org.
Change-Id: Ibae45af594fc2b18024fcc2d6ef040afd4ddd926
Depends-On: I173ca1efae4644c89cfab68d6beeba0a1dae9ce2
Downstream consumers of this module likely don't need or want to open
snmp access from cacti.openstack.org. Parameterize the hosts to allow
snmp from so that downstreams don't have to fork the module in order to
remove the access.
Change-Id: I9394982811f8dcf0d63eccb782de04bf4a047ec7
Currently we don't start ip6tables service on centos-7. This fixes
that.
Change-Id: I64e62074b41e49cc2dc9b6bafcfbeeded2029487
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
We want to stop notify from working in a chroot, however we need to
make sure we properly set up our Service correctly. As a result, move
the logic outside of our chroot checks.
Change-Id: I4c9284ed8ed23944aa3649338b1a09abdc8b80df
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
On some centos7 builds there is no firewalld so we have to be a bit
smarter about how we disable it. New method is to run an exec that stops
the service if it is running then use a package resource to uninstall it
completely. All of this happens before we install the iptables service
so they should not conflict with each other.
One trick is we have to "purge" the package, because it may well have
dependencies (on RAX images, firewalld-fail2ban is installed along
with a bunch of other monitoring-type things by the "helpful"
tool-installation script that runs automatically). The "yum" provider
in puppet actually says to do this in its documentation:
"Using this provider's `uninstallable` feature will not remove
dependent packages. To remove dependent packages with this provider
use the `purgeable` feature, but note this feature is destructive
and should be used with the utmost care."
Change-Id: I0750de9e75b63190531a3d39a5fcbb19f8e8c49e
Firewalld is enabled by default on centos7. Unfortunately
iptables-service and firewalld appear to confuse each other resulting in
no firewall rules at all. Fix this by disabling firewalld allowing
iptables-service to be in charge and apply the rules it has configured.
Change-Id: I0089502b134c91ef2e8d11cef1e016ce314ecf96
Use same target directory for zuul-cloner and
the regular git command.
Change-Id: I3f22133f8b61f3ec383c84bc54887cfa67260a1b
Co-Authored-By: Fabien Boucher <fabien.boucher@enovance.com>
In anticipation of puppet 4, start trying to deal with puppet 4 things
that can be helpfully predicted by puppet lint plugins. Also fix lint
errors caught by the puppet-lint-absolute_classname-check gem as well
as arrow alignment errors not caught before.
Change-Id: I56bce05c9c8d1b7924b78c78b74e4755d9a02936
Starting from Ubuntu Vivid, there is no service called iptables-persistent
anymore, the service netfilter-persistent now includes calling the tasks
from iptables-persistent.
Change-Id: Ie8bf4eafb9d9d2e02e2ed21fb4e4e899399450de
The http://ci.openstack.org/ documentation site has been deprecated,
replaced by redirects to corresponding paths within
http://docs.openstack.org/infra/ where other Project Infrastructure
documentation already resides.
Change-Id: Ib5eb11101dec53b9da30460543239613ecc1f6e8
The content of this project is Apache 2 licensed, but we should
include a standard LICENSE file just to be clear about that.
Change-Id: Iee6320b9d7e35fbe8d3b0a9794f3e485c18ef2c8
The systemd version of iptables requires the 'iptables-services' package
for having the `regular` iptables rule restore on service startup.
The service also needs to be enabled explicitly.
Another iptables related issue with multinode_setup.sh,
tries to execute the iptables command without login shell.
The non-login shell does not contain /usr/sbin in PATH,
so multinode_setup.sh changed to use login shell defaults.
Warning: This change enables the iptables service on all
distributions.
Change-Id: I3174e43b3b19e28073a4364dd0f66fc39b0fa815
In chroots, as with diskimage-builder, managing service starts is
tricky. Also, we don't need to restart the service then, because
the service will get started on boot of the image.
Change-Id: Iaf90005039b8196ba3a0ac05c96d71e034f0b0b1
While getting these scripts to run on Puppet 3 with Fedora 20, I got
a series of warnings about the deprecation of variable names. These
changes should also continue to work fine on Puppet 2.7.
Change-Id: I232f5f5a9abbe94be9fe2d3b8c82f009c03a11f3
Clean up facter osfamily matches to just use Debian, not Ubuntu.
This is manually tested and confirmed to at least be the case on
Oneiric, Precise and Quantal.
Change-Id: I27b184ac419910f9c3271c3b4e57886333282a5f
Reviewed-on: https://review.openstack.org/27399
Reviewed-by: Spencer Krum <krum.spencer@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
The install scripts now look for CentOS in release files. Also some
instances of facter's operatingsystem are switched to osfamily and
capitalization of RedHat is normalized to match what facter uses.
Change-Id: I3bbca5481d0d5e6de9e62bfd6e2b0a85264ed6ed
Reviewed-on: https://review.openstack.org/27398
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
Updates the iptables module so that it uses parameters
to define the package, service, and files used to set up and
configure persistent iptables rules.
With these updates the module should now support both
RHEL and Ubuntu.
Change-Id: I45af4e72065c9baaf1d9a03f18b47f6effdce322
Reviewed-on: https://review.openstack.org/23278
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
Original default forwarding rule drops all packets including
the packets from quantum-dhcp. In this patch, we remove
forwarding rule.
Change-Id: I68ec7440595a158e0a5f572868f37f54f5ffa1ba
Reviewed-on: https://review.openstack.org/18353
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
A list of iptables commands that come after the "-A OPENSTACK-INPUT"
bit.
Change-Id: Iee595d9267738365c208f8ecb6f0fd4941b357e3
Reviewed-on: https://review.openstack.org/17172
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
Change-Id: I00cfd6765bf3f7acd44263347655228d5a839852
Signed-off-by: Paul Belanger <paul.belanger@polybeacon.com>
Reviewed-on: https://review.openstack.org/15844
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Change-Id: I67cc116ad8a2b2586856965ae1e341d735d69fd3
Reviewed-on: https://review.openstack.org/14582
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Rackspace nova cloud supports ipv6. Add ip6tables support to the
iptables module so that we can take advantage of ipv6 on this cloud
platform.
Change-Id: I628b7c71ff486a925cdb3d44277cca0d6ae7c985
Reviewed-on: https://review.openstack.org/14315
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Change-Id: I4f7314bcb1cb58f94ff7a78aebe27ec4591fc11c
Reviewed-on: https://review.openstack.org/14187
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins