-rw-r--r--manifests/profile/base/ceilometer/collector.pp8
-rw-r--r--manifests/profile/base/ceph/rgw.pp2
-rw-r--r--manifests/profile/base/cinder/volume/dellps.pp6
-rw-r--r--manifests/profile/base/docker_registry.pp1
-rw-r--r--manifests/profile/base/gnocchi/api.pp9
-rw-r--r--manifests/profile/base/keystone.pp4
-rw-r--r--manifests/profile/base/neutron/bgpvpn.pp5
-rw-r--r--manifests/profile/base/qdr.pp54
-rw-r--r--manifests/profile/base/rabbitmq.pp3
-rw-r--r--manifests/profile/base/securetty.pp48
-rw-r--r--manifests/profile/base/tuned.pp20
-rw-r--r--releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml4
-rw-r--r--releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml6
-rw-r--r--releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml5
-rw-r--r--releasenotes/notes/securetty-6a10eefd601e45ca.yaml6
-rw-r--r--spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb26
-rw-r--r--spec/classes/tripleo_profile_base_securetty_spec.rb72
-rw-r--r--spec/classes/tripleo_profile_base_tuned_spec.rb44
-rw-r--r--templates/securetty/securetty.erb4
19 files changed, 321 insertions, 6 deletions
diff --git a/manifests/profile/base/ceilometer/collector.pp b/manifests/profile/base/ceilometer/collector.pp
index 20eab54..6b58286 100644
--- a/manifests/profile/base/ceilometer/collector.pp
+++ b/manifests/profile/base/ceilometer/collector.pp
@@ -85,4 +85,12 @@ class tripleo::profile::base::ceilometer::collector (
include ::ceilometer::dispatcher::gnocchi
}
+ # Re-run ceilometer-upgrade again in step 5 so gnocchi resource types
+ # are created safely.
+ if $step >= 5 and $sync_db {
+ exec {'ceilometer-db-upgrade':
+ command => 'ceilometer-upgrade --skip-metering-database',
+ path => ['/usr/bin', '/usr/sbin'],
+ }
+ }
}
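Review bot: The new `exec {'ceilometer-db-upgrade': ...}` sets no `user`, `unless` or `refreshonly`, so it runs with the Puppet agent's privileges (normally root) on every catalog application once `$step >= 5` and `$sync_db` is true. Running a service's schema tool as root can leave the files it creates owned by root; consider adding `user => '<service account>'` (placeholder) and `logoutput => 'on_failure'` so a failed upgrade is visible in the run log. The same applies to `exec {'run gnocchi upgrade with storage': ...}` added in manifests/profile/base/gnocchi/api.pp, whose comment also misspells gnocchi as "gnochci". The class body starts outside this hunk.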
diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp
index 8443de0..d00f7cd 100644
--- a/manifests/profile/base/ceph/rgw.pp
+++ b/manifests/profile/base/ceph/rgw.pp
@@ -60,7 +60,7 @@ class tripleo::profile::base::ceph::rgw (
$rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway')
$civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip)
include ::ceph::params
- include ::ceph::profile::base
+ include ::ceph::profile::client
ceph::rgw { $rgw_name:
frontend_type => 'civetweb',
rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}",
diff --git a/manifests/profile/base/cinder/volume/dellps.pp b/manifests/profile/base/cinder/volume/dellps.pp
index 1338240..e825b61 100644
--- a/manifests/profile/base/cinder/volume/dellps.pp
+++ b/manifests/profile/base/cinder/volume/dellps.pp
@@ -41,9 +41,9 @@ class tripleo::profile::base::cinder::volume::dellps (
san_thin_provision => hiera('cinder::backend::eqlx::san_thin_provision', undef),
eqlx_group_name => hiera('cinder::backend::eqlx::eqlx_group_name', undef),
eqlx_pool => hiera('cinder::backend::eqlx::eqlx_pool', undef),
- eqlx_use_chap => hiera('cinder::backend::eqlx::eqlx_use_chap', undef),
- eqlx_chap_login => hiera('cinder::backend::eqlx::eqlx_chap_login', undef),
- eqlx_chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef),
+ use_chap_auth => hiera('cinder::backend::eqlx::eqlx_use_chap', undef),
+ chap_username => hiera('cinder::backend::eqlx::eqlx_chap_login', undef),
+ chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef),
}
}
diff --git a/manifests/profile/base/docker_registry.pp b/manifests/profile/base/docker_registry.pp
index 0452575..2f1783d 100644
--- a/manifests/profile/base/docker_registry.pp
+++ b/manifests/profile/base/docker_registry.pp
@@ -43,6 +43,7 @@ class tripleo::profile::base::docker_registry (
}
package{'docker-distribution': }
package{'docker': }
+ package{'openstack-kolla': }
file { '/etc/docker-distribution/registry/config.yml' :
ensure => file,
content => template('tripleo/docker_distribution/registry_config.yml.erb'),
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 5b4c0c2..79ee265 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -100,4 +100,13 @@ class tripleo::profile::base::gnocchi::api (
default: { fail('Unrecognized gnocchi_backend parameter.') }
}
}
+
+ # Re-run gnochci upgrade with storage as swift/ceph should be up at this
+ # stage.
+ if $step >= 5 and $sync_db {
+ exec {'run gnocchi upgrade with storage':
+ command => 'gnocchi-upgrade --config-file=/etc/gnocchi/gnocchi.conf',
+ path => ['/usr/bin', '/usr/sbin'],
+ }
+ }
}
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 937f5e2..9598d64 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -195,6 +195,10 @@ class tripleo::profile::base::keystone (
}),
}
+ if 'amqp' in [$oslomsg_rpc_proto, $oslomsg_notify_proto]{
+ include ::keystone::messaging::amqp
+ }
+
include ::keystone::config
class { '::keystone::wsgi::apache':
ssl_cert => $tls_certfile,
diff --git a/manifests/profile/base/neutron/bgpvpn.pp b/manifests/profile/base/neutron/bgpvpn.pp
index 9fa1d14..d6fdf4e 100644
--- a/manifests/profile/base/neutron/bgpvpn.pp
+++ b/manifests/profile/base/neutron/bgpvpn.pp
@@ -27,10 +27,11 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::neutron::bgpvpn (
- $step = hiera('step'),
+ $step = hiera('step'),
) {
+ include ::tripleo::profile::base::neutron
+
if $step >= 4 {
- include ::tripleo::profile::base::neutron
include ::neutron::services::bgpvpn
}
}
diff --git a/manifests/profile/base/qdr.pp b/manifests/profile/base/qdr.pp
new file mode 100644
index 0000000..9827f2e
--- /dev/null
+++ b/manifests/profile/base/qdr.pp
@@ -0,0 +1,54 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::qdr
+#
+# Qpid dispatch router profile for tripleo
+#
+# === Parameters
+#
+# [*qdr_username*]
+# Username for the qrouter daemon
+# Defaults to undef
+#
+# [*qdr_password*]
+# Password for the qrouter daemon
+# Defaults to undef
+#
+# [*qdr_listener_port*]
+# Port for the listener (not that we do not use qdr::listener_port
+# directly because it requires a string and we have a number.
+# Defaults to hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672)
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::qdr (
+ $qdr_username = undef,
+ $qdr_password = undef,
+ $qdr_listener_port = hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672),
+ $step = hiera('step'),
+) {
+ if $step >= 1 {
+ class { '::qdr':
+ listener_port => "${qdr_listener_port}",
+ } ->
+ qdr_user { $qdr_username:
+ ensure => present,
+ password => $qdr_password,
+ }
+ }
+}
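Review bot: `qdr_username` and `qdr_password` both default to undef, yet `qdr_user { $qdr_username: ... password => $qdr_password }` is declared unconditionally at step >= 1. A node that includes this class without both values gets either a catalog failure on the undef title or a router user with no password, depending on how the qdr_user type treats undef (not visible here). A guard before the `class { '::qdr': ... }` declaration would make the requirement explicit: `if !$qdr_username or !$qdr_password { fail('qdr_username and qdr_password are required') }`. The `qdr_listener_port` doc comment also reads "not that we" where "note that we" is meant, and never closes its parenthesis.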
diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp
index 6def08b..9d1417c 100644
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@@ -150,6 +150,9 @@ class tripleo::profile::base::rabbitmq (
ssl_key => $tls_keyfile,
}
}
+ }
+
+ if $step >= 2 {
# In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency
# to Service['rabbitmq-server'] will not work. Sticking with UPDATE action.
if $stack_action == 'UPDATE' {
diff --git a/manifests/profile/base/securetty.pp b/manifests/profile/base/securetty.pp
new file mode 100644
index 0000000..07f29f8
--- /dev/null
+++ b/manifests/profile/base/securetty.pp
@@ -0,0 +1,48 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::securetty
+#
+# Sets securetty Parameters
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*tty_list*]
+# Hash of values for /etc/securetty console
+# Defaults to hiera('securetty::tty_list')
+#
+class tripleo::profile::base::securetty (
+ $step = hiera('step'),
+ $tty_list = hiera('tty_list', []),
+) {
+ validate_array($tty_list)
+
+ if $step >=1 {
+ $ttys = join($tty_list, "\n")
+
+ file { '/etc/securetty':
+ ensure => file,
+ content => template( 'tripleo/securetty/securetty.erb' ),
+ owner => 'root',
+ group => 'root',
+ mode => '0600'
+ }
+ }
+}
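Review bot: The `tty_list` documentation does not match the code: the comment says "Hash of values" and "Defaults to hiera('securetty::tty_list')", while the parameter is checked with `validate_array` and defaults to `hiera('tty_list', [])`. An operator who sets only the documented key therefore gets the empty default, and the rendered /etc/securetty lists no terminals. Where pam_securetty is enforced, that removes root login on every console, including the one used for recovery. I would correct the comment to `# Array of TTY names written to /etc/securetty, one per line` and `# Defaults to hiera('tty_list', [])`, and add a line stating that an empty list denies root login on all TTYs.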
diff --git a/manifests/profile/base/tuned.pp b/manifests/profile/base/tuned.pp
new file mode 100644
index 0000000..8dfcea0
--- /dev/null
+++ b/manifests/profile/base/tuned.pp
@@ -0,0 +1,20 @@
+# == Class: tripleo::profile::base::tuned
+#
+# Configures tuned service.
+#
+# === Parameters:
+#
+# [*profile*]
+# (optional) tuned active profile.
+# Defaults to 'throughput-performance'
+#
+#
+class tripleo::profile::base::tuned (
+ $profile = 'throughput-performance'
+) {
+ exec { 'tuned-adm':
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "tuned-adm profile ${profile}",
+ unless => "tuned-adm active | grep -q '${profile}'"
+ }
+}
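Review bot: `$profile` is interpolated unvalidated into both `command => "tuned-adm profile ${profile}"` and `unless => "tuned-adm active | grep -q '${profile}'"`. The `unless` string contains a pipe and so relies on shell interpretation, which means a value containing quotes or shell metacharacters changes what is executed with the agent's privileges. Since stdlib validators are already used in this change (`validate_array` in securetty.pp), `validate_re($profile, '^[A-Za-z0-9_.-]+$')` at the top of the class would constrain the input. The grep is also an unanchored substring match, so a profile whose name is contained in the active profile's name is treated as already applied; anchoring it (`grep -q ': ${profile}$'`, assuming the usual "Current active profile: NAME" output) would fix that.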
diff --git a/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml b/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml
new file mode 100644
index 0000000..b6f211c
--- /dev/null
+++ b/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Include the amqp messaging class when the oslo.messaging rpc
+ protocol is enabled for AMQP 1.0.
diff --git a/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml
new file mode 100644
index 0000000..0857f63
--- /dev/null
+++ b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - The rabbitmq user check is moved to step >= 2 from step >= 1. There
+ is no guarantee that rabbitmq is running at step 1, especially if
+ updating a failed stack that never made it past step 1 to begin
+ with.
diff --git a/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml b/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml
new file mode 100644
index 0000000..c354431
--- /dev/null
+++ b/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - Re-run gnocchi and ceilometer upgrade in step5. This is required
+ for gnocchi resource types to be created in ceilometer and gnocchi
+ to function properly.
diff --git a/releasenotes/notes/securetty-6a10eefd601e45ca.yaml b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml
new file mode 100644
index 0000000..e5cfcf5
--- /dev/null
+++ b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Allows granular level of control over the `/etc/securetty` file.
+ By allowing operators to specify the values in securetty, they
+ can improve security by limiting root console access.
diff --git a/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb b/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb
index 23b198a..0f9aad7 100644
--- a/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb
+++ b/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb
@@ -128,6 +128,32 @@ describe 'tripleo::profile::base::ceilometer::collector' do
is_expected.to contain_class('ceilometer::dispatcher::gnocchi')
end
end
+
+ context 'with step 5 on bootstrap node' do
+ let(:params) { {
+ :step => 5,
+ :bootstrap_node => 'node.example.com',
+ :mongodb_node_ips => ['127.0.0.1',],
+ :mongodb_replset => 'replicaset'
+ } }
+
+ it 'should trigger complete configuration' do
+ is_expected.to contain_exec('ceilometer-db-upgrade')
+ end
+ end
+
+ context 'with step 5 not on bootstrap node' do
+ let(:params) { {
+ :step => 5,
+ :bootstrap_node => 'somethingelse.example.com',
+ :mongodb_node_ips => ['127.0.0.1',],
+ :mongodb_replset => 'replicaset'
+ } }
+
+ it 'should trigger complete configuration' do
+ is_expected.to_not contain_exec('ceilometer-db-upgrade')
+ end
+ end
end
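Review bot: The second new context, 'with step 5 not on bootstrap node', reuses the description 'should trigger complete configuration' although it asserts `is_expected.to_not contain_exec('ceilometer-db-upgrade')`, so a failure report will read the opposite of what is being checked. I would rename the examples to say what they verify, e.g. `it 'should run ceilometer-upgrade' do` and `it 'should not run ceilometer-upgrade' do`. The positive case could also pin the command with `.with_command('ceilometer-upgrade --skip-metering-database')`. The enclosing `describe` block starts outside this hunk.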
diff --git a/spec/classes/tripleo_profile_base_securetty_spec.rb b/spec/classes/tripleo_profile_base_securetty_spec.rb
new file mode 100644
index 0000000..c57d8be
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_securetty_spec.rb
@@ -0,0 +1,72 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo::profile::base::securetty
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::securetty' do
+
+ shared_examples_for 'tripleo::profile::base::securetty' do
+
+ context 'with defaults step 1' do
+ let(:params) {{ :step => 1 }}
+ it { is_expected.to contain_class('tripleo::profile::base::securetty') }
+ it {
+ is_expected.to contain_file('/etc/securetty').with(
+ :content => ["# Managed by Puppet / TripleO Heat Templates",
+ "# A list of TTYs, from which root can log in",
+ "# see `man securetty` for reference",
+ "",
+ ""].join("\n"),
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600')
+ }
+ end
+
+ context 'it should configure securtty' do
+ let(:params) {{
+ :step => 1,
+ :tty_list => ['console', 'tty1', 'tty2', 'tty3', 'tty4', 'tty5', 'tty6']
+ }}
+
+ it 'should configure securetty values' do
+ is_expected.to contain_file('/etc/securetty').with(
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ )
+ .with_content(/console/)
+ .with_content(/tty1/)
+ .with_content(/tty2/)
+ .with_content(/tty3/)
+ .with_content(/tty4/)
+ .with_content(/tty5/)
+ .with_content(/tty6/)
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let (:facts) {
+ facts
+ }
+ it_behaves_like 'tripleo::profile::base::securetty'
+ end
+ end
+end
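Review bot: The `.with_content(/console/)` and `.with_content(/tty1/)` to `/tty6/` matchers in 'should configure securetty values' are unanchored, so they pass for any content containing those substrings (`/tty1/` also matches `tty10` or a comment line). They do not show that each terminal sits on its own line, which is how /etc/securetty is read. Anchoring them, e.g. `.with_content(/^console$/)` and `.with_content(/^tty1$/)`, would verify the rendered format. There is also no example for a non-array `tty_list`, which `validate_array` in the manifest is meant to reject, and the context name misspells securetty as 'securtty'.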
diff --git a/spec/classes/tripleo_profile_base_tuned_spec.rb b/spec/classes/tripleo_profile_base_tuned_spec.rb
new file mode 100644
index 0000000..95b0f26
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_tuned_spec.rb
@@ -0,0 +1,44 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::tuned' do
+
+ shared_examples_for 'tripleo::profile::base::tuned' do
+ context 'with profile' do
+ let :params do
+ {
+ :profile => 'virtual-compute'
+ }
+ end
+
+ it 'should run tuned-adm exec' do
+ is_expected.to contain_exec('tuned-adm')
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) {
+ facts
+ }
+
+ it_behaves_like 'tripleo::profile::base::tuned'
+ end
+ end
+end
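Review bot: The only example, 'should run tuned-adm exec', checks that the exec resource exists but not what it runs, so a regression in `command` or in the `unless` guard would still pass. I would extend it to `is_expected.to contain_exec('tuned-adm').with_command('tuned-adm profile virtual-compute')`. A second context with no params, asserting the default 'throughput-performance' command, would cover the default path as well.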
diff --git a/templates/securetty/securetty.erb b/templates/securetty/securetty.erb
new file mode 100644
index 0000000..c8c7b90
--- /dev/null
+++ b/templates/securetty/securetty.erb
@@ -0,0 +1,4 @@
+# Managed by Puppet / TripleO Heat Templates
+# A list of TTYs, from which root can log in
+# see `man securetty` for reference
+<%= @ttys %>