Newer versions of paramiko (pulled in via ansible install)
now require libffi-dev to build.
Closes-bug: #1583321
Change-Id: If3794ededacfcf53857328a19627cf0331878822

Previously VPN service relied on default behaviours and an open
firewall. This specifies more values and ensures the firewall is
properly set. Additionally, test coverage is expanded.
Closes-Bug:1564213
Change-Id: Iefaccddaad54c412195802f97811722bb593b2ca

Config updates can be time consuming, especially in testing environments
that utilize virt-on-virt. Rather than timing out workers that are taking
a long time to process an update, bump the timeout to 5 minutes and allow
the requesting orchestrator to time out its request at shorter deadlines
instead.
Change-Id: Ibee73d7a43864da645b5d7198a5df2f2bf936ea9

With the switch to rootwrap, the API service now runs as the gunicorn
user but /etc/nginx/sites-enabled is still owned by root. This updates
the DIB element to ensure it's writable by gunicorn for config rendering.
Also makes a trivial update to releasenotes to remove the UNRELEASED
flag from mitaka.
Change-Id: Ieac128e47a44dd48acd00f68cd8e3a9ca15441ec
Closes-bug: #1558577

Used for setting up conntrackd between two clustered peers.
Partially-implements: blueprint appliance-ha
Change-Id: Ice3f4dbed02b877bc64ae73879a74acc26cca47e

This adds a new IP manager driver for configuring addresses
and routes via keepalived instead of directly. It is used when
the logical resource is configured to be highly-available,
according to configuration pushed by the orchestrator.
We rely on a 'ha_resource' flag attached to the main config
dict to enable it, and use specific HA config about peers and
cluster priority contained in the 'ha_config' section of the
main config.
The resulting keepalived cluster contains a VRRP instance for
each interface, with the exception of the management interface.
Partially-implements: blueprint appliance-ha
Change-Id: I5ababa41d65642b00f6b808197af9b2a59ebc67a

SNAT was incorrectly applied to traffic originating from the appliance.
This change marks the traffic so that the NAT rule is skipped and adds
clarifying comments to SNAT code.
Change-Id: Ifa6ea089c5bff6c57f4ba22095ef357eeb1ff786
Closes-Bug: 1550541

In order to remove the auto-addition of external networks, we need
to remove the assumption in the appliance that all routers have one.
This avoids adding external network related iptables rules when the
router config does not have an external port.
Change-Id: Ifaf53a26f6d89da199101f386f4674c9f39f8326

It seems that dnsmasq sometimes mistakes IPv6 addresses in dhcp-host config
options for hardware addresses; to work around this, only ever specify *one*
IPv4 and IPv6 address for the dhcp-host config value.
Closes-bug: 1545054
Change-Id: I8f508bf12a09efb46027737f3d1d285aef826f67

Allow defaults to be overridden by local settings; this is useful because
users might use non-standard SSH ports and so on.
Change-Id: Ic30e611f73ce844848efb452b53f86242be9219d

The default MTU for the management interface is sometimes bigger than
allowable by the physical infrastructure. Make the MTU configurable in
cloud-init and via config json. For cloud-init default it to the minimum size
for IPv6 if the value is not specified in boot command.
Change-Id: Ib4d4381f6977aabbeefd2f520bb5fc26ea54ffcd
Closes-Bug: #1539786