The defaults in Python [0] and oslo.log [1] are such that when using a
separate config file for logging configuration (log-config-append)
the log format of dates contains milliseconds twice (as in sec,ms.ms),
which is exactly what is currently seen in logs of OpenStack services
deployed by openstack-helm.
When not provided with datefmt log formatter option, Python effectively
uses '%Y-%m-%d %H:%M:%S,%f' [0] as a default time formatting string to
render `%(asctime)s`, but the defaults in oslo.log add another `.%f`
to it [1].
Since the `log-date-format` oslo.log option has no effect when using
log-config-append, we need to explicitly set the date format to avoid double
milliseconds rendering in the date of log entries.
[0] 6ee41793d2/Lib/logging/__init__.py (L427-L428)
[1] http://git.openstack.org/cgit/openstack/oslo.log/tree/oslo_log/_options.py?id=7c5f8362b26313217b6c248e77be3dc8e2ef74a5#n148
Change-Id: I47aa7ce96770d94b905b56d6fe4abad428f01047
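The double-millisecond rendering described in the commit message above, reproduced with the standard library as an added example (not code from openstack-helm or oslo.log). The format string, the sample timestamp and the helper names are assumptions made for illustration.

```python
import logging
import re
import time

# Assumed format string in the style of the oslo.log defaults: %(asctime)s
# followed by an explicit millisecond field.
FMT = "%(asctime)s.%(msecs)03d %(levelname)s %(name)s %(message)s"
# Explicit date format, so %(asctime)s carries no milliseconds of its own.
DATEFMT = "%Y-%m-%d %H:%M:%S"

# Matches a timestamp with milliseconds rendered twice: "HH:MM:SS,mmm.mmm".
DOUBLE_MS = re.compile(r"\d{2}:\d{2}:\d{2},\d{3}\.\d{3}\b")


def sample_record():
    """Constructed record with a fixed time (2019-02-12 19:33:20.125 UTC)."""
    rec = logging.LogRecord("demo", logging.INFO, "demo.py", 1,
                            "sample entry", None, None)
    rec.created = 1550000000.125
    rec.msecs = 125.0
    return rec


def render(datefmt=None):
    """Format the sample record with or without an explicit datefmt."""
    formatter = logging.Formatter(fmt=FMT, datefmt=datefmt)
    formatter.converter = time.gmtime  # UTC, so the output is reproducible
    return formatter.format(sample_record())


def has_double_ms(line):
    """True when a log line carries the 'sec,ms.ms' timestamp."""
    return DOUBLE_MS.search(line) is not None


if __name__ == "__main__":
    for datefmt in (None, DATEFMT):
        line = render(datefmt)
        print(f"datefmt={datefmt!r:22} double_ms={has_double_ms(line)} {line}")
```

The same `has_double_ms` check can be run over collected service logs to confirm that the explicit date format has taken effect before timestamp parsers downstream depend on it.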
Add documentation describing steps to deploy tap-as-a-service neutron
plugin as L2 Agent ext, and to deploy tap-as-a-service-dashboard
plugin in horizon.
Change-Id: I3e671d58b612a517af9cd2902401f91aad4bcd78
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts
Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
Expose additional Horizon security params in accordance with the
OpenStack Security Guide [0]
- Check-Dashboard-03: Is DISALLOW_IFRAME_EMBED parameter set to True
- Check-Dashboard-07: Is PASSWORD_AUTOCOMPLETE set to False
[0] https://docs.openstack.org/security-guide/dashboard/checklist.html
Change-Id: I355ddbc9fb1dcd0a6100ee650afd54680ef9ffbd
This adds both a periodic and experimental job for deploying Ceph
and the OSH components via Armada. This job will then generate new
passphrases for the OSH components, render an updated manifest for
the OSH components including the new passphrases, then applies the
updated OSH manifest to validate the ability for all deployed
charts to update those passphrases successfully
Change-Id: I42d19bbf8161b60311c4b8101217cdcfbdf6b568
the release name is currently hard-coded to 'newton' while the default
images are for ocata (and the oldest supported release is also ocata).
Change-Id: Iac5112bb978309a07114fcfd0bd899ef3f3d56d0
this role is not actually required since ~Kilo
I3f1b70b78b91bfac9af5fadb71140679b208c999
plus the heat chart already sets the trusts_delegated_roles option
for Heat to pass all roles to the trust
Change-Id: Icf900f318d3173d63c5967857d96f7d2a7f9aa5b
This adds both a periodic and experimental job for deploying Ceph
and the OSH components via Armada. This job will then generate a
new release uuid, render an updated manifest for all previously
deployed releases, then apply that manifest to validate the
ability for all deployed charts to update successfully with the
new release uuid annotation
Change-Id: I6f2125f3505904c4714688e7a9900b8d6bea49b4
This adds wait timeouts to nova and neutron to circumvent timeout
issues with deploying those two releases
Change-Id: I3fcc9ef5f16ecbc6dc33fc52df22c2d5ff504fb7
This updates the openstack-helm Armada job to instead deploy
only Ceph, the OpenStack service charts, and their dependencies.
This is dependent on the addition of the Armada job for Ceph and
the LMA components to openstack-helm-infra. This also updates the
jobs definition to use the osh-gate-runner playbook instead, as
well as sets the job both to a periodic and experimental job
Depends-On: https://review.openstack.org/#/c/634676/
Depends-On: https://review.openstack.org/#/c/633067/
Change-Id: I7e191a153f123e04e123acc33fb691d8117062a9
In accordance with the OpenStack Security Guide this PS updates
the cinder.conf to explicitly set the auth_strategy param.
Change-Id: Ie0a2b9ffebb597166851226eabac4924c34e1404
Signed-off-by: Pete Birley <pete@port.direct>
This simply adds the release uuid value to the chart overrides in
the Armada manifests, which allows for validation that the release
uuid is appropriately added as an annotation to the resulting pods
Change-Id: I53dc31ed9849ea321064184817549c0e90c34378
1. Chart name : change from "ceph" to "ceph-rgw"
2. Postfix of environment variable's name
: change from "OPENSTACK" to "CEPH"
Change-Id: I03a4e12457cec1811b6fa03367811f74e4bb8b83
Signed-off-by: Deokjin Kim <deokjin81.kim@samsung.com>
To get openstack related metrics, prometheus-openstack-exporter needs
access to keystone. So add prometheus-openstack-exporter to the network
policy of keystone.
Change-Id: I31106a10e512578a35122949c3cff698b1bc482b
Signed-off-by: Deokjin Kim <deokjin81.kim@samsung.com>
This PS moves the default to use public endpoints for heat clients
eg: waitcondition url generation consumed by cloudinit in vms.
Change-Id: I24113c969f2b310a48cf128a1ada78930c69a4e1
Signed-off-by: Pete Birley <pete@port.direct>
This change adds a zuul check job to export any templated python
contained in the helm charts and scan it with bandit for any
potential security flaws.
This also adds two nosec comments on the instances of subprocess
used as they currently do not appear to be malicious, as well
as changing the endpoint_update python code to prevent sql
injection, which satisfies bandit code B608.
Change-Id: I2212d26514c3510353d16a4592893dd2e85cb369
This PS allows customizing (and disabling) the information about OS and
Apache version displayed on pages with error messages.
Change-Id: Ic4d19bcc90dadf5cf26faa5c8fb39de00a6f3212
This PS updates the cinder volume template to restore rootwrap
operation.
Change-Id: Ifc6d2442e536e22dca0563bb16634fd9accf44e1
Signed-off-by: Pete Birley <pete@port.direct>
This parameter has been deprecated in Newton and removed [1]
in Ocata.
[1] https://review.openstack.org/#/c/385604/
Change-Id: Ib80cc6634d0fba8ddd2a8e5c9d26a6a0524164b8
This PS disables the server status page of Apache.
The page provides information which can aid a
malicious user in finding vulnerabilities in the system.
Change-Id: I11104b10359808dc78a214ebb531d710ec353f60
cinder-backup container should reference cinder-backup-rbd-keyring
not cinder-volume-rbd-keyring if the backend driver of cinder backup
is ceph.
Change-Id: Icb7f80a01fc332ee13a42533f8e41e447008c2f4
This disables static page on Apache which would disable Directory
Listings. This is done as a part of Security defect.
Change-Id: Ia1aa07c83c0db9dc33be6d1dfa7e2e60b3a33de9