As of firefly (v0.80), ceph object gateway is running on civetweb
(embedded into the ceph-radosgw daemon) instead of apache and fastcgi.
Using civetweb simplifies the ceph object gateway installation and
configuration.
Change-Id: Idba61e094390e3c75a6e5d9b35a8e8e47a2a696f
Closes-Bug: #1671808
Nova placement API is recommended in Newton and is mandatory in Ocata.
Scheduling will not work without it. We configure services according to:
https://docs.openstack.org/developer/nova/placement.html
Change-Id: Ic014ac162f50324c0341cc3013cd093d7125d53e
Closes-bug: #1670354
VMware has not been supported since Fuel 10, so this commit removes
vmware-related manifests.
Implements: blueprint remove-vmware
Change-Id: If5f0c837fe843f9cfd30648fe6e115267467982b
This commit implements the same feature used for the Fuel master node
[0] with rate-limiting requests to SSH with iptables. The protection
is used only when enabled and only for the networks not provided [1].
[0] I0f452c8b0a808789aa4c2cd85d1d00556b210a39
[1] I34c9907d781b81253ed6942c67b16f8480de3bb5
DocImpact
Closes-Bug: #1563721
Depends-On: I7bbd96fb43fcd6030621671d0056f56324f50956
Change-Id: Id053e61ae16d126126dfb94cb4d9358dd7126d52
Co-Authored-By: Alex Schultz <aschultz@mirantis.com>
Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
This commit changes the SSH access restriction to allow access only
from networks provided in the UI instead of all local networks by default.
DocImpact
Depends-On: I34c9907d781b81253ed6942c67b16f8480de3bb5
Change-Id: Ifca70a377c74d233fbca50de7245bce01079ad56
Closes-Bug: #1419657
Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
Glance V3 experimental API has been removed in Mitaka in
favour of standalone Glance Artifacts Repository (GLARE) API.
This patch adds a new service, haproxy settings and tests.
Change-Id: I1df8b9aa8698619e726ad583a1a5ad6d5d671e07
Closes-bug: #1555697
* RUN annotation caused duplication for tasks in the old folder
* RUN should only be used if you need non-standard run configuration
* With ROLE annotation there's no need to update all the tests
when you add new astute.yaml fixture for existing role
* Fix manifest variable in broken tests
Change-Id: I7a1c98bdb51590d8d80cee387de35d5581cf1da2
Partial-bug: #1535339
- Update yaml-to-rspec assignments to match with a new set of
fixtures
- Fix errors in rspec tests to make them work properly with
up-to-date fixtures
Integration tests are disabled because this patch affects noop
rspec tests only.
Fuel-CI: disable
Partial-bug: #1535339
Change-Id: I02a289d2d206a1f4ac3c829503bbae582717cae1
Use custom mappings (#RUN notation) of noop fixtures
for noop integration tests.
Iteration 2: recover mappings as they were before the regression
and map all for the tasks w/o mappings.
Closes-bug: #1561890
Change-Id: I6ca3363ea4b2fae1ec73d61122caef6764ba79d1
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
0.12.0 is finally released. Our customization is included
in it as it was implemented in the following pull request:
https://github.com/puppetlabs/puppetlabs-mongodb/pull/194
This patch also contains improvements for timeouts during
replica initialization and user/db creation.
Additional changes:
* get rid of useless openstack/mongo class
* add an ability to configure some mongo parameters
through hiera
* move firewall rule to appropriate place
Closes-bug: #1538521
Closes-bug: #1475948
Change-Id: I757b77fcf836f37a8136fa0987cca13ff646712a
This change switches out our mysql and galera modules for the
puppetlabs-mysql and michaeltchapman-galera.
This change includes the following updates:
- mysql module removed
- galera module removed
- mysql hacks were removed from openstacklib module
https://review.fuel-infra.org/#/c/16445/
- galera::client moved to openstack::galera::client
- db modulars updated to use openstack::galera::client
- database task updated to use galera module
- create cluster::mysql to do pacemaker configuration for mysql
- remove osnailyfacter::mysql_user
- additional database noop tests
- additional unit tests
Change-Id: Idd0957c677b87a2d8794e993417ef9e2f0ddf4a6
Implements-Blueprint: mysql-galera-librarian
Closes-Bug: #1524747
Compute nodes need to open vnc to management net
so novavncproxy can forward it.
Change-Id: I18c15706ff1290638e26fb46291a6ac4276ad07d
Closes-Bug: #1529112
Since I8b51651adc2634544f510de8838ebaabcd1e7d43 we no longer have
'node_role' key in Hiera. So we should fix all rspec tests that
are using this key.
Change-Id: I1e22e9c94f834563df5b6d7192b690aed7db6dd6
Closes-bug: #1529888
Apply different rules per different roles, as some nodes should not have
some rules. Also delete some old unused rules.
Change-Id: Ic862f083d76a8d624a52dde83bc048b6ed9aaf93
Closes-Bug: #1524864
Use openstack::firewall::multi_net and get_routable_networks_for_network_role()
to collect firewall rules for multi-rack deployment.
Also, openstack::firewall usage is replaced by the osnailyfacter granule directly.
Change-Id: I87f5a6b64f8bc50514c1eca8ef0d70a5fe87d852
Closes-bug: #1520613
Refactors firewall rules to create source
based rules that only permit connections
from the management network for most services.
The only services that should have public access
are Horizon and OpenStack APIs. And from those,
nova metadata and nova VNC should only be
accessible internally. All other services should
accept connections from private or storage
networks.
New defined type openstack::firewall::multi_net
accepts firewall definitions with an array of
source networks.
New function prepare_firewall_rules creates a hash
of firewall rules coming from an array of source
networks.
Removed unneeded openstack::firewall::allow class.
Obsoleted openstack::firewall:vnc defined type.
Sorted parameters on openstack::firewall and added
docstrings
DocImpact: TBD
Change-Id: Ie63c01dcbd0bbd9adf17363b0db0b0a99b837b4e
Closes-Bug: #1514014
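An added illustration (not code from this repository or from the commit's author) of the idea in the commit message above: expanding one firewall definition into one source-restricted rule per allowed network. The function name `expand_rules_per_source`, the rule hash keys, and the sample rule and networks are assumptions made for this example; it is not the project's prepare_firewall_rules.

```ruby
require 'ipaddr'

# Hypothetical helper: expand each firewall definition into one rule per
# allowed source network, so no rule is emitted without a source restriction.
def expand_rules_per_source(definitions, source_nets)
  nets = source_nets.map(&:strip).reject(&:empty?).uniq
  # An empty list must not degrade into an unrestricted rule.
  raise ArgumentError, 'at least one source network is required' if nets.empty?

  nets.each do |cidr|
    net = IPAddr.new(cidr) # raises an ArgumentError subclass on malformed input
    # A /0 source would silently turn a restricted rule back into "allow all".
    raise ArgumentError, "source #{cidr} matches every address" if net.prefix.zero?
  end

  definitions.each_with_object({}) do |(name, rule), out|
    nets.each do |cidr|
      # One rule per network; the original attributes are kept unchanged.
      out["#{name} from #{cidr}"] = rule.merge('source' => cidr)
    end
  end
end

# Constructed sample input: one service definition, two management networks.
SAMPLE_RULES = {
  '101 mysql' => { 'dport' => [3306], 'proto' => 'tcp', 'action' => 'accept' }
}.freeze
SAMPLE_NETS = ['192.168.0.0/24', '192.168.1.0/24'].freeze

if __FILE__ == $PROGRAM_NAME
  expand_rules_per_source(SAMPLE_RULES, SAMPLE_NETS).each do |name, rule|
    puts "#{name}: #{rule}"
  end
end
```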
This traffic should be limited to iscsi IP on
storage network, not 0.0.0.0.
Added corresponding unit and noop tests for
coverage.
Change-Id: I8201c1120fbadad1edad520a51b06ca22d122bf2
Closes-Bug: #1501734
Allow direct connections from management network only.
All other connections are terminated by HA-Proxy with SSL.
Change-Id: Ia168ee16c40a9ee6937de4633fce798fffcb4217
Closes-bug: #1501737
This change introduces a new iptables chain for the baremetal network.
The following rules are added:
* new chain for baremetal network
* allow pings from VIP on controller
* allow rsyslog on conductor
* allow TFTP on conductor
* drop all other traffic from baremetal network
Additional helper module for TFTP added.
Partially Implements: blueprint fuel-integrate-ironic
Change-Id: Idb756c48c88da0dbdd0a8850df4f268ceed42cf2
Add routable networks from all nodegroups to novnc_range parameter in the firewall.
Closes-bug: #1500494
Change-Id: I2fa5394d6ba67d2d6807a5a85d271309964ff405
Restrict access to Keystone API from network with
'keystone/api' role, so from outside a cloud it
could be reached only via public VIP.
Change-Id: I6e2004e53591e0cc0b2a5b43a83532d3de9aef9a
Closes-bug: #1489057
This change leverages the rabbitmq management plugin to dump
exchanges, queues, bindings, users, virtual hosts, permissions and
parameters from the running system. Specifically this change adds the
following:
* Dumping of the rabbitMQ definitions (users/vhosts/exchanges/etc) at
the end of the deployment
* The possibility to restore definitions to the rabbitmq-server ocf
script during rabbitMQ startup.
* Enables the rabbitmq admin plugin, but restricts it to localhost traffic.
This reverts Ic01c26200f6019a8112b1c5fb04a282e64b3b3e6 but adds
firewall rules to mitigate the issue.
DocImpact: The dump_rabbit_definitions task can be used to backup the
rabbitmq definitions and if custom definitions (users/vhosts/etc) are
created it must be run or the changes may be lost during the rabbitmq
failover via pacemaker.
Change-Id: I715f7c2ae527f7e105b9f6b7d82c443e8accf178
Closes-bug: #1383258
Related-bug: #1450443
Co-Authored-By: Alex Schultz <aschultz@mirantis.com>
We can run noop tests via 'rake spec'. This will allow us to:
- Make sure that catalog compiles and there are no dependency
  cycles in the graph.
- Use RSpec tests to check that needed puppet resources are present
  in the catalog for specific astute.yaml configuration.
In order to test just execute these commands:
    export WORKSPACE=/tmp/fuel_noop_tests
    mkdir -p $WORKSPACE
    ./utils/jenkins/fuel_noop_tests.sh
It iterates over astute.yaml files and runs rspec tests for puppet
tasks configured in the astute.yaml for the node.
In order to run specific test and/or specific astute.yaml, you can
set appropriate env variables. For example:
    export NOOP_TEST="keystone/*"
    export NOOP_YAMLS="tests/noop/astute.yaml/novanet_flat.primary-controller.yaml"
    ./utils/jenkins/fuel_noop_tests.sh
If you also want to store puppet logs in case of errors, please set
PUPPET_LOGS_DIR env variable:
    export PUPPET_LOGS_DIR=/tmp/puppet_error_logs
If you want to store all the declared File and Package resources,
please set NOOP_SAVE_RESOURCES_DIR env variable:
    export NOOP_SAVE_RESOURCES_DIR=/tmp/puppet_resources
Related-bug: #1402738
Implement blueprint deployment-dryrun
Fuel CI temporarily disabled since this change does not affect
MOS deployment process, only CI itself.
Fuel-CI: disable
Change-Id: I38b23832d1e8701440aacb300256f513c466c762