This PS updates the cinder volume template to restore rootwrap
operation.
Change-Id: Ifc6d2442e536e22dca0563bb16634fd9accf44e1
Signed-off-by: Pete Birley <pete@port.direct>
This PS disables the server status page of Apache.
On the page provided information which can aid the
malicious user in finding vulnerabilities in the system.
Change-Id: I11104b10359808dc78a214ebb531d710ec353f60
cinder-backup container should reference cinder-backup-rbd-keyring
not cinder-volume-rbd-keyring if the backend driver of cinder backup
is ceph.
Change-Id: Icb7f80a01fc332ee13a42533f8e41e447008c2f4
This disables static page on Apache which would disable Directory
Listings. This is done as a part of Security defect.
Change-Id: Ia1aa07c83c0db9dc33be6d1dfa7e2e60b3a33de9
This removes the NovaImages.list_images test from the rally
tests defined in the nova chart, as the updated rally version
seemingly doesn't include this test. This caused the multinode
periodic job to fail.
See: http://zuul.openstack.org/build/9628003399d640e683945260d9738ade
Change-Id: I9515fc3fee192ee6636e85a745071f93ff86c051
This patch set host_interface for update host_ip information in compute
node.
Currently helm chart defines the value of my_ip set "0.0.0.0",
therefore host_ip of compute node is null.
$ nova hypervisor-show {uuid}
+---------------------------+------------------------------------------+
| Property | Value |
+---------------------------+------------------------------------------+
| cpu_info_arch | x86_64 |
.
.
| host_ip | None |
Through this patch, OpenStack can provide appropriate values for
the required field.
Change-Id: I05f929cb2c777582c177e8c7a64b9fd431d554ec
This updates the Armada LMA manifest to include overrides for
recent changes to the LMA services in osh-infra
Change-Id: Ib1ec2c23570a86d63df35a9f0d690d9e625f1dd0
The repo used both openstackdocstheme and oslosphinx in requirements but
then configured openstackdocstheme, remove oslosphinx everywhere.
Instead of using sphinx-build, use docstheme-build-translated.sh to
build English and translated documents.
Update doc/source/conf.py for newer openstackdocstheme and require
a new enough version.
Remove module index - it does not exist, this is not a python repo where
autodoc works.
Remove sphinx-quickstart generated output from index.rst, it's not
needed anymore.
Change-Id: Ib3f09128226f0bcc78384b1ee2da811d62a5b59d
- Change all tests to support Mimic and Luminous releases
- Update ceph-config-helper dockerfile to use Mimic Ceph binaries
Change-Id: I06a545c1964eaa5b983c58db48b6ad4ccaaa3b8b
A change was merged that had commented out the check jobs. This
simply uncomments them so checks run against changes to
openstack-helm
The change can be found here: https://review.openstack.org/#/c/591808/48
Change-Id: Ia100f1248ebe783d154420c543a9b19fb1ba4ccc
neutron-sanity-check module load logging.conf file
but there is no config file.
Change-Id: I5e6dd298ccd9fb5432002f76bad3931ec035bb16
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
cinder volume can be created with glance image.
but network policy of glance didn't allow for cinder.
so it should be added cinder podSelector on glance network policy.
ex. openstack volume create --image XXX --size 1 valume-name
Change-Id: Ia41961e16e2583ab571ed8a851a2ee2d14aa71c5
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This patch fixes the network policy issue when use nodeport mode.
If you enable node port witout this patch, it will block by network policy.
so should be allowed tcp port of horizon when use nodeport.
Change-Id: I5e2622c29c6a32ab6d1c5d99d84d4f13382dab65
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This patchset enables and moves the securityContext: runAsUser to the pod
level, and uses a non-root user (UID != 0) wherever applicable.
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I81f6e11fe31ab7333a3805399b2e5326ec1e06a7
Signed-off-by: Tin Lam <tin@irrational.io>
Since rally 1.0, rally has been a platform for testing, and rally for
openstack has been separated by rally-openstack. The current version
of rally in openstack-helm is version 0.8 which corresponds to ocata.
This patch tests with the latest version of rally-openstack, version
1.3.0, and removes scenarios that are no longer in use.
Change-Id: I380a976c0f48c4af0796c9d866fc8787025ce548
securitycontext with non-root user is implemented at pod level
and leveraged the helm-toolkit snippet
Fix for adding allowPrivilegeEscalation flag as a blanket
policy on the pod in the keyston chart
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I15333df4707948e50deb935ffc1ee599588e4788
This change sets lockout_failure_attempts and lockout_duration
configuration options in security_compliance group.
Change-Id: I72910e52239ace23b92d826794cd0603a061e6c3
This patchset updates the chart configuration overrides to account
for functionality supported with the move to Ocata over Newton.
This includes updating the OpenStack service logging configuration
to leverage the fluent handler/formatter that was introduced in the
Ocata release, updating Fluentd's configuration to filter out
duplicate logs, tagging logged events with their log level, and
creating separate indexes for the different log types created by
the elasticsearch templates. This also adds support for leveraging
ceph-radosgw's s3 API for Elasticsearch snapshots.
This also removes the barbican chart deployment from the
armada gate, to help alleviate resource consumption.
Change-Id: I45128bf102909e1762b832fc16ad04bedcfe4f00
This PS is enable the Egress policies
and enforces them in Openstack-helm.
Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
This PS fixes the neutron db sync job to perform full db migrations
in addaion to tap-as-a-service when enabled.
Change-Id: Ieab54649344fb8737e2d8855f00a9ed574ace5ee
Signed-off-by: Pete Birley <pete@port.direct>
This disables the deployment of gnocchi, ceilometer and mongodb
from the multinode job until we can determine the root cause of
the failures in these charts
Change-Id: I8c936cae0b814841da12aabd6d3f95e902912bda
Random job names mean `helm upgrade` or indeed anything looks for
changes from rendered templates will see changes when there are none
causing churn and restarts.
Change-Id: I44331e00c288b517fccf69a4b60435efa2e13d61
