Merge "Add user 'dteselkin'"
diff --git a/apache/server/proxy/openstack/oadh.yml b/apache/server/proxy/openstack/oadh.yml
new file mode 100644
index 0000000..d8ae2eb
--- /dev/null
+++ b/apache/server/proxy/openstack/oadh.yml
@@ -0,0 +1,25 @@
+parameters:
+  _param:
+    apache_ssl:
+      enabled: false
+    apache_proxy_ssl: ${_param:apache_ssl}
+    apache_proxy_openstack_api_host: ${_param:cluster_public_host}
+    apache_proxy_openstack_api_address: 0.0.0.0
+    apache_proxy_openstack_aodh_host: ${_param:aodh_service_host}
+  apache:
+    server:
+      enabled: true
+      site:
+        apache_proxy_openstack_api_aodh:
+          enabled: true
+          type: proxy
+          name: openstack_api_aodh
+          proxy:
+            host: ${_param:apache_proxy_openstack_aodh_host}
+            port: 8042
+            protocol: http
+          host:
+            name: ${_param:apache_proxy_openstack_api_host}
+            port: 8042
+            address: ${_param:apache_proxy_openstack_api_address}
+          ssl: ${_param:apache_proxy_ssl}
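Review bot: The new file is named `oadh.yml` although everything in it refers to aodh (`apache_proxy_openstack_api_aodh`, `aodh_service_host`), so the class name derived from the path looks like a typo for `aodh.yml`. Separately, the defaults make the site listen on every interface (`apache_proxy_openstack_api_address: 0.0.0.0`) with `apache_ssl` set to `enabled: false`, so unless a cluster model overrides both, the Aodh API is proxied in plaintext on port 8042 on all addresses. I would add a comment above `apache_ssl` such as `# TLS is off by default; override in the cluster model`, and consider taking the bind address from a cluster-specific parameter rather than the wildcard.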
diff --git a/fluentd/label/default_output/elasticsearch.yml b/fluentd/label/default_output/elasticsearch.yml
index aa96b31..398ea8c 100644
--- a/fluentd/label/default_output/elasticsearch.yml
+++ b/fluentd/label/default_output/elasticsearch.yml
@@ -1,5 +1,6 @@
 classes:
 - service.fluentd.agent.output.elasticsearch
+- system.fluentd.label.default_output.filter.common
 parameters:
   _param:
     fluentd_elasticsearch_host: 127.0.0.1
@@ -9,32 +10,6 @@
       config:
         label:
           default_output:
-            filter:
-              drop_nested_timestamp_and_sensitive_data:
-                tag: "openstack.**"
-                type: record_transformer
-                enable_ruby: true
-                remove_keys: '["_dummy_1", "_dummy_2", "_dummy_3"]'
-                record:
-                  - name: _dummy_1
-                    value: ${fluentd:dollar}{if record.has_key?("context"); record["context"].delete("timestamp") ; end; nil }
-                  - name: _dummy_2
-                    value: ${fluentd:dollar}{if record.has_key?("context"); record["context"].delete("auth_token"); end; nil}
-                  - name: _dummy_3
-                    value: ${fluentd:dollar}{if record.has_key?("context"); record["context"].delete("auth_token_info"); end; nil}
-              drop_hostname_field:
-                tag: "openstack.**"
-                type: record_transformer
-                enable_ruby: true
-                remove_keys: '["hostname"]'
-              change_pid_field_value:
-                tag: "haproxy.**"
-                type: record_transformer
-                enable_ruby: true
-                record:
-                  - name: Pid
-                    value: ${fluentd:dollar}{record["pid"]}
-                remove_keys: '["pid"]'
             match:
               elasticsearch_output:
                 host: ${_param:fluentd_elasticsearch_host}
diff --git a/fluentd/label/default_output/filter/common.yml b/fluentd/label/default_output/filter/common.yml
new file mode 100644
index 0000000..e9d2a67
--- /dev/null
+++ b/fluentd/label/default_output/filter/common.yml
@@ -0,0 +1,32 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        label:
+          default_output:
+            filter:
+              drop_nested_timestamp_and_sensitive_data:
+                tag: "openstack.**"
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: '["_dummy_1", "_dummy_2", "_dummy_3"]'
+                record:
+                  - name: _dummy_1
+                    value: ${fluentd:dollar}{if record.has_key?("context"); record["context"].delete("timestamp") ; end; nil }
+                  - name: _dummy_2
+                    value: ${fluentd:dollar}{if record.has_key?("context"); record["context"].delete("auth_token"); end; nil}
+                  - name: _dummy_3
+                    value: ${fluentd:dollar}{if record.has_key?("context"); record["context"].delete("auth_token_info"); end; nil}
+              drop_hostname_field:
+                tag: "openstack.**"
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: '["hostname"]'
+              change_pid_field_value:
+                tag: "haproxy.**"
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: Pid
+                    value: ${fluentd:dollar}{record["pid"]}
+                remove_keys: '["pid"]'
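Review bot: `drop_hostname_field` sets `enable_ruby: true` although it only uses `remove_keys` and has no Ruby expression; dropping that line would limit Ruby evaluation to the two filters that need it. Since this class is now included by both the elasticsearch and forward outputs, `drop_nested_timestamp_and_sensitive_data` is the only scrubbing step visible before records leave the node, and it removes just `auth_token` and `auth_token_info` from a top-level `context` key on `openstack.**` tags. If `context` can arrive as something other than a hash, or tokens can appear under other keys, they would presumably pass through unchanged, so a comment above the filter stating that assumption would help.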
diff --git a/fluentd/label/default_output/forward.yml b/fluentd/label/default_output/forward.yml
new file mode 100644
index 0000000..50f55fa
--- /dev/null
+++ b/fluentd/label/default_output/forward.yml
@@ -0,0 +1,16 @@
+classes:
+- service.fluentd.agent.output.forward
+- system.fluentd.label.default_output.filter.common
+parameters:
+  _param:
+    fluentd_forward_host: 127.0.0.1
+    fluentd_forward_port: 24224
+  fluentd:
+    agent:
+      config:
+        label:
+          default_output:
+            match:
+              forward_output:
+                host: ${_param:fluentd_forward_host}
+                port: ${_param:fluentd_forward_port}
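Review bot: The `forward_output` match exposes only `host` and `port`, so once `fluentd_forward_host` is overridden from `127.0.0.1` to a remote aggregator the records appear to be sent without transport encryption or peer authentication. Whether `service.fluentd.agent.output.forward` already supports TLS or shared-key settings is not visible in this hunk; if it does, they should be surfaced as `_param` entries next to the host and port. At minimum I would add a comment above `fluentd_forward_host`, e.g. `# loopback by default; enable TLS/auth on the forward output before pointing this at another host`.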
diff --git a/horizon/server/plugin/octavia.yml b/horizon/server/plugin/octavia.yml
new file mode 100644
index 0000000..2dd5c69
--- /dev/null
+++ b/horizon/server/plugin/octavia.yml
@@ -0,0 +1,9 @@
+parameters:
+  horizon:
+    server:
+      plugin:
+        octavia-dashboard:
+          source:
+            engine: pkg
+            name: python-octavia-dashboard
+
diff --git a/jenkins/client/job/oscore/tests.yml b/jenkins/client/job/oscore/tests.yml
index bccb9b7..c082306 100644
--- a/jenkins/client/job/oscore/tests.yml
+++ b/jenkins/client/job/oscore/tests.yml
@@ -99,6 +99,11 @@
               OPENSTACK_API_VERSION:
                 type: string
                 default: "3"
+              # security test
+              RUN_SECURITY_CHECK:
+                type: boolean
+                description: Whether to run Openscap XCCDF evaluation
+                default: 'false'
               # test
               TEST_CONF:
                 type: string
@@ -682,7 +687,7 @@
             trigger:
               gerrit:
                 project:
-                  "^salt-formulas/(nova|cinder|glance|keystone|horizon|neutron|designate|heat|ironic|barbican|aodh|ceilometer|gnocchi|panko|manila|salt|linux|reclass|galera|memcached|rabbitmq|bind|apache|runtest|oslo-templates|auditd|octavia)$":
+                  "^salt-formulas/(nova|cinder|glance|keystone|horizon|neutron|designate|heat|ironic|barbican|aodh|ceilometer|gnocchi|panko|manila|salt|linux|reclass|galera|memcached|rabbitmq|bind|apache|runtest|oslo-templates|auditd|octavia|openscap)$":
                     compare_type: 'REG_EXP'
                     branches:
                       - master
diff --git a/kubernetes/common/addons/fluentd.yml b/kubernetes/common/addons/fluentd.yml
new file mode 100644
index 0000000..16a6874
--- /dev/null
+++ b/kubernetes/common/addons/fluentd.yml
@@ -0,0 +1,36 @@
+parameters:
+  _param:
+     kubernetes_fluentd_aggregator_image: ${_param:mcp_docker_registry}/mirantis/external/fluentd-kubernetes-daemonset:stable
+     kubernetes_fluentd_enabled: false
+     kubernetes_fluentd_namespace: stacklight
+     kubernetes_fluentd_aggregator_resources_limits_memory: 500Mi
+     kubernetes_fluentd_aggregator_resources_requests_memory: 500Mi
+     kubernetes_fluentd_aggregator_bind_port: 24224
+     kubernetes_fluentd_aggregator_bind_host_port: 31950
+     kubernetes_fluentd_aggregator_config_output_es_host: 127.0.0.1
+     kubernetes_fluentd_aggregator_config_output_es_port: 9200
+     kubernetes_fluentd_aggregator_config_output_es_scheme: http
+     kubernetes_fluentd_aggregator_config_dir: /fluentd/etc
+  kubernetes:
+    common:
+      addons:
+        fluentd:
+          enabled: ${_param:kubernetes_fluentd_enabled}
+          namespace: ${_param:kubernetes_fluentd_namespace}
+          aggregator:
+            image: ${_param:kubernetes_fluentd_aggregator_image}
+            resources:
+              limits:
+                memory: ${_param:kubernetes_fluentd_aggregator_resources_limits_memory}
+              requests:
+                memory: ${_param:kubernetes_fluentd_aggregator_resources_requests_memory}
+            bind:
+              port: ${_param:kubernetes_fluentd_aggregator_bind_port}
+              host_port: ${_param:kubernetes_fluentd_aggregator_bind_host_port}
+            config:
+              config_dir: ${_param:kubernetes_fluentd_aggregator_config_dir}
+              output:
+                es:
+                  host: ${_param:kubernetes_fluentd_aggregator_config_output_es_host}
+                  port: ${_param:kubernetes_fluentd_aggregator_config_output_es_port}
+                  scheme: ${_param:kubernetes_fluentd_aggregator_config_output_es_scheme}
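Review bot: `kubernetes_fluentd_aggregator_image` points at the mutable tag `:stable`, so the image that actually runs can change without any change to this model, whereas the neighbouring images in `kubernetes/common/init.yml` (dashboard, telegraf, coredns) are pinned to explicit versions. Pin it to a version tag or a digest, e.g. `.../fluentd-kubernetes-daemonset:<version>` or `...@sha256:<digest>` (placeholders). The `_param` entries are also indented five spaces where the other files in this change use four, which is valid YAML but inconsistent. The defaults additionally publish the aggregator on host port 31950 and send to Elasticsearch over `http`, which deserves a short comment on the intended network exposure.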
diff --git a/kubernetes/common/init.yml b/kubernetes/common/init.yml
index 45d688f..f21c6f8 100644
--- a/kubernetes/common/init.yml
+++ b/kubernetes/common/init.yml
@@ -51,8 +51,6 @@
     kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/cni-plugins_v0.7.1-48-g696b1f9.tar.gz
     kubernetes_cniplugins_source_hash: md5=5ec1cf5e989097c6127ea5365e277b02
     kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.10.0-4
-    kubernetes_fluentd_aggregator_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-elasticsearch
-    kubernetes_fluentd_logger_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-stackdriver
     kubernetes_telegraf_image: ${_param:mcp_docker_registry}/openstack-docker/telegraf:2018.8.0
     kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:v1.2.2-12
 
@@ -71,48 +69,8 @@
     kubernetes_contrail_network_controller_enabled: false
     kubernetes_metallb_enabled: false
     kubernetes_sriov_enabled: false
-    kubernetes_fluentd_enabled: false
     kubernetes_telegraf_enabled: false
 
-    # the rest of fluentd related params, the non bools
-    kubernetes_fluentd_namespace: stacklight
-    kubernetes_fluentd_aggregator_resources_limits_memory: 500Mi
-    kubernetes_fluentd_aggregator_resources_requests_memory: 500Mi
-    kubernetes_fluentd_aggregator_config_forward_input_bind_port: 24224
-    kubernetes_fluentd_aggregator_config_general_time_format: '%Y-%m-%dT%H:%M:%S.%N%z'
-    kubernetes_fluentd_aggregator_config_systemd_filter_docker_parse_format: /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=($<status_code>\d+))?/
-    kubernetes_fluentd_aggregator_config_output_log_level: 'info'
-    kubernetes_fluentd_aggregator_config_output_logstash_format: true
-    kubernetes_fluentd_aggregator_config_output_logstash_prefix: 'log'
-    kubernetes_fluentd_aggregator_config_output_logstash_dateformat: '%Y.%m.%d'
-    kubernetes_fluentd_aggregator_config_output_num_threads: 8
-    kubernetes_fluentd_aggregator_config_output_max_retry_wait: 30
-    kubernetes_fluentd_aggregator_config_output_flush_interval: '10s'
-    kubernetes_fluentd_aggregator_config_output_buffer_chunk_limit: '2m'
-    kubernetes_fluentd_aggregator_config_output_buffer_queue_limit: 32
-    kubernetes_fluentd_aggregator_config_output_request_timeout: '10s'
-    kubernetes_fluentd_aggregator_config_output_es_host: 127.0.0.1
-    kubernetes_fluentd_aggregator_config_output_es_port: 9200
-    kubernetes_fluentd_aggregator_config_output_es_scheme: http
-
-    kubernetes_fluentd_logger_resources_limits_memory: 500Mi
-    kubernetes_fluentd_logger_resources_requests_memory: 500Mi
-    kubernetes_fluentd_logger_config_kubernetes_input_time_format: '%Y-%m-%dT%H:%M:%S.%NZ'
-    kubernetes_fluentd_logger_config_forward_output_require_ack_response: true
-    kubernetes_fluentd_logger_config_forward_output_ack_response_timeout: 30
-    kubernetes_fluentd_logger_config_forward_output_recover_wait: '10s'
-    kubernetes_fluentd_logger_config_forward_output_heartbeat_interval: '1s'
-    kubernetes_fluentd_logger_config_forward_output_phi_threshold: 16
-    kubernetes_fluentd_logger_config_forward_output_send_timeout: '10s'
-    kubernetes_fluentd_logger_config_forward_output_hard_timeout: '10s'
-    kubernetes_fluentd_logger_config_forward_output_expire_dns_cache: 15
-    kubernetes_fluentd_logger_config_forward_output_heartbeat_type: 'tcp'
-    kubernetes_fluentd_logger_config_forward_output_buffer_chunk_limit: '2M'
-    kubernetes_fluentd_logger_config_forward_output_buffer_queue_limit: 32
-    kubernetes_fluentd_logger_config_forward_output_flush_interval: '5s'
-    kubernetes_fluentd_logger_config_forward_output_max_retry_wait: 15
-    kubernetes_fluentd_logger_config_forward_output_num_threads: 8
-
     # telegraf stuff
     kubernetes_telegraf_namespace: stacklight
     kubernetes_telegraf_resources_limits_memory: 500Mi
@@ -172,64 +130,6 @@
           image: ${_param:kubernetes_contrail_network_controller_image}
         flannel:
           image: ${_param:kubernetes_flannel_image}
-        fluentd:
-          enabled: ${_param:kubernetes_fluentd_enabled}
-          namespace: ${_param:kubernetes_fluentd_namespace}
-          aggregator:
-            image: ${_param:kubernetes_fluentd_aggregator_image}
-            resources:
-              limits:
-                memory: ${_param:kubernetes_fluentd_aggregator_resources_limits_memory}
-              requests:
-                memory: ${_param:kubernetes_fluentd_aggregator_resources_requests_memory}
-            config:
-              forward_input:
-                bind:
-                  port: ${_param:kubernetes_fluentd_aggregator_config_forward_input_bind_port}
-              general:
-                time_format: ${_param:kubernetes_fluentd_aggregator_config_general_time_format}
-              systemd_filter:
-                docker_parse_format: ${_param:kubernetes_fluentd_aggregator_config_systemd_filter_docker_parse_format}
-              output:
-                log_level: ${_param:kubernetes_fluentd_aggregator_config_output_log_level}
-                logstash_format: ${_param:kubernetes_fluentd_aggregator_config_output_logstash_format}
-                logstash_prefix: ${_param:kubernetes_fluentd_aggregator_config_output_logstash_prefix}
-                logstash_dateformat: ${_param:kubernetes_fluentd_aggregator_config_output_logstash_dateformat}
-                request_timeout: ${_param:kubernetes_fluentd_aggregator_config_output_request_timeout}
-                buffer_chunk_limit: ${_param:kubernetes_fluentd_aggregator_config_output_buffer_chunk_limit}
-                buffer_queue_limit: ${_param:kubernetes_fluentd_aggregator_config_output_buffer_queue_limit}
-                flush_interval: ${_param:kubernetes_fluentd_aggregator_config_output_flush_interval}
-                num_threads: ${_param:kubernetes_fluentd_aggregator_config_output_num_threads}
-                max_retry_wait: ${_param:kubernetes_fluentd_aggregator_config_output_max_retry_wait}
-                es:
-                  host: ${_param:kubernetes_fluentd_aggregator_config_output_es_host}
-                  port: ${_param:kubernetes_fluentd_aggregator_config_output_es_port}
-                  scheme: ${_param:kubernetes_fluentd_aggregator_config_output_es_scheme}
-          logger:
-            image: ${_param:kubernetes_fluentd_logger_image}
-            resources:
-              limits:
-                memory: ${_param:kubernetes_fluentd_logger_resources_limits_memory}
-              requests:
-                memory: ${_param:kubernetes_fluentd_logger_resources_requests_memory}
-            config:
-              kubernetes_input:
-                time_format: ${_param:kubernetes_fluentd_logger_config_kubernetes_input_time_format}
-              forward_output:
-                require_ack_response: ${_param:kubernetes_fluentd_logger_config_forward_output_require_ack_response}
-                ack_response_timeout: ${_param:kubernetes_fluentd_logger_config_forward_output_ack_response_timeout}
-                recover_wait: ${_param:kubernetes_fluentd_logger_config_forward_output_recover_wait}
-                heartbeat_interval: ${_param:kubernetes_fluentd_logger_config_forward_output_heartbeat_interval}
-                phi_threshold: ${_param:kubernetes_fluentd_logger_config_forward_output_phi_threshold}
-                send_timeout: ${_param:kubernetes_fluentd_logger_config_forward_output_send_timeout}
-                hard_timeout: ${_param:kubernetes_fluentd_logger_config_forward_output_hard_timeout}
-                expire_dns_cache: ${_param:kubernetes_fluentd_logger_config_forward_output_expire_dns_cache}
-                heartbeat_type: ${_param:kubernetes_fluentd_logger_config_forward_output_heartbeat_type}
-                buffer_chunk_limit: ${_param:kubernetes_fluentd_logger_config_forward_output_buffer_chunk_limit}
-                buffer_queue_limit: ${_param:kubernetes_fluentd_logger_config_forward_output_buffer_queue_limit}
-                flush_interval: ${_param:kubernetes_fluentd_logger_config_forward_output_flush_interval}
-                max_retry_wait: ${_param:kubernetes_fluentd_logger_config_forward_output_max_retry_wait}
-                num_threads: ${_param:kubernetes_fluentd_logger_config_forward_output_num_threads}
         telegraf:
           enabled: ${_param:kubernetes_telegraf_enabled}
           image: ${_param:kubernetes_telegraf_image}
diff --git a/manila/common/cluster.yml b/manila/common/cluster.yml
index 9ea811e..ad1254b 100644
--- a/manila/common/cluster.yml
+++ b/manila/common/cluster.yml
@@ -1,7 +1,5 @@
 classes:
 - service.manila.common.cluster
-- service.haproxy.proxy.single
-- system.haproxy.proxy.listen.openstack.manila
 - system.salt.minion.cert.mysql.clients.openstack.manila
 - system.salt.minion.cert.rabbitmq.clients.openstack.manila
 parameters:
@@ -12,6 +10,7 @@
     openstack_rabbitmq_x509_enabled: False
     rabbitmq_ssl_enabled: False
     openstack_rabbitmq_port: 5672
+    cluster_internal_protocol: 'http'
   manila:
     common:
       version: ${_param:openstack_version}
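Review bot: `cluster_internal_protocol: 'http'` is defined here in a system-level class, and the same line is added in `manila/common/single.yml`; since the name is not manila-specific, this default can, depending on class ordering, mask a value that another class sets for the same parameter. The following hunks feed it into `protocol:`, so a deployment whose internal endpoints use https could end up with Manila using http if this definition wins the merge. I would either leave the parameter undefined here so that a missing value fails at render time, or add a comment such as `# default only; the cluster model must set https when internal TLS is enabled`.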
@@ -54,4 +53,4 @@
         auth_type: password
         user_domain_id: default
         project_domain_id: default
-        protocol: 'http'
+        protocol: ${_param:cluster_internal_protocol}
diff --git a/manila/common/single.yml b/manila/common/single.yml
index f984ab7..c5a6f97 100644
--- a/manila/common/single.yml
+++ b/manila/common/single.yml
@@ -9,6 +9,7 @@
     openstack_rabbitmq_x509_enabled: False
     rabbitmq_ssl_enabled: False
     openstack_rabbitmq_port: 5672
+    cluster_internal_protocol: 'http'
   manila:
     common:
       version: ${_param:openstack_version}
@@ -51,4 +52,4 @@
         auth_type: password
         user_domain_id: default
         project_domain_id: default
-        protocol: 'http'
+        protocol: ${_param:cluster_internal_protocol}
diff --git a/manila/control/cluster.yml b/manila/control/cluster.yml
index 7ea128b..75b6f76 100644
--- a/manila/control/cluster.yml
+++ b/manila/control/cluster.yml
@@ -1,7 +1,8 @@
 classes:
- - system.manila.common.cluster
- - system.apache.server.site.manila
- - system.haproxy.proxy.listen.openstack.manila
+  - service.haproxy.proxy.single
+  - system.manila.common.cluster
+  - system.apache.server.site.manila
+  - system.haproxy.proxy.listen.openstack.manila
 parameters:
   manila:
     common:
diff --git a/manila/share/init.yml b/manila/share/init.yml
index 2c6558e..346bfcd 100644
--- a/manila/share/init.yml
+++ b/manila/share/init.yml
@@ -1,5 +1,5 @@
 classes:
- - service.manila.common.cluster
+  - system.manila.common.cluster
 parameters:
   manila:
     common:
diff --git a/nova/compute/libvirt/ssl/init.yml b/nova/compute/libvirt/ssl/init.yml
index 9931cbd..87742e0 100644
--- a/nova/compute/libvirt/ssl/init.yml
+++ b/nova/compute/libvirt/ssl/init.yml
@@ -4,6 +4,7 @@
   nova:
     compute:
       libvirt:
+        uri: qemu+tls://${linux:system:name}.${_param:cluster_domain}/system
         tls:
           enabled: True
           key_file: ${_param:libvirtd_server_ssl_key_file}
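Review bot: The new `uri` builds the libvirt host name from `${linux:system:name}.${_param:cluster_domain}`, and with `qemu+tls` the client verifies that name against the server certificate, so it has to equal the CN or a subjectAltName of the certificate defined in `salt/minion/cert/libvirtd/server.yml`; that certificate's name fields are outside the visible hunks. A comment above the line would make the coupling explicit, e.g. `# host must match CN/SAN of the libvirtd server certificate`. The enclosing `parameters` block starts outside this hunk.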
diff --git a/salt/minion/cert/libvirtd/client.yml b/salt/minion/cert/libvirtd/client.yml
index bf0ce83..31c1b32 100644
--- a/salt/minion/cert/libvirtd/client.yml
+++ b/salt/minion/cert/libvirtd/client.yml
@@ -18,4 +18,7 @@
           key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
           key_file: ${_param:libvirtd_client_ssl_key_file}
           cert_file: ${_param:libvirtd_client_ssl_cert_file}
-          ca_file: ${_param:libvirtd_ssl_ca_file}
\ No newline at end of file
+          ca_file: ${_param:libvirtd_ssl_ca_file}
+          user: root
+          group: nova
+          mode: 640
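Review bot: `mode: 640` is an unquoted YAML integer, so the consumer receives the decimal number 640 rather than a string of octal digits; it only works if the formula converts it back to text, and the habit breaks as soon as someone writes `0640`, which YAML 1.1 loaders read as 416. Write `mode: '0640'` here and in the identical addition in `salt/minion/cert/libvirtd/server.yml`. Since `user`, `group` and `mode` are set on the certificate entry as a whole, a comment recording that group `nova` is meant to have read access to the client private key would also help.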
diff --git a/salt/minion/cert/libvirtd/server.yml b/salt/minion/cert/libvirtd/server.yml
index 9080672..b091d86 100644
--- a/salt/minion/cert/libvirtd/server.yml
+++ b/salt/minion/cert/libvirtd/server.yml
@@ -18,4 +18,7 @@
           key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
           key_file: ${_param:libvirtd_server_ssl_key_file}
           cert_file: ${_param:libvirtd_server_ssl_cert_file}
-          ca_file: ${_param:libvirtd_ssl_ca_file}
\ No newline at end of file
+          ca_file: ${_param:libvirtd_ssl_ca_file}
+          user: root
+          group: nova
+          mode: 640
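Review bot: `group: nova` with `mode: 640` on the server certificate entry appears to make the libvirtd server private key (`libvirtd_server_ssl_key_file`) readable by every process running in the nova group. For the client certificate that access is presumably what nova-compute needs, but libvirtd normally runs as root, so unless nova also reads the server key a narrower owner or mode for that file would be the least-privilege choice. Whether these three settings apply to the key file, the certificate, or both is decided by the salt formula and is not visible here; a comment stating the intent would settle it.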