-rw-r--r-- | manifests/certmonger/haproxy.pp | 5 | ||||
-rw-r--r-- | manifests/profile/base/docker.pp | 16 | ||||
-rw-r--r-- | manifests/profile/pacemaker/database/mysql.pp | 42 | ||||
-rw-r--r-- | manifests/profile/pacemaker/database/mysql_bundle.pp | 127 | ||||
-rw-r--r-- | metadata.json | 2 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_docker_spec.rb | 7 |
6 files changed, 154 insertions, 45 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index 97efe59..cff9f34 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -63,8 +63,9 @@ define tripleo::certmonger::haproxy (
   # This is only needed for certmonger's local CA. For any other CA this
   # operation (trusting the CA) should be done by the deployer.
   if $certmonger_ca == 'local' {
-    class { '::tripleo::certmonger::ca::local':
-      notify => Class['::tripleo::haproxy']
+    include ::tripleo::certmonger::ca::local
+    if defined(Class['::haproxy']) {
+      Class['::tripleo::certmonger::ca::local'] ~> Class['::haproxy']
     }
   }
 
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index 7b9f7a6..8eb6cd3 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -91,6 +91,22 @@ class tripleo::profile::base::docker (
     ensure => installed,
   }
 
+  $docker_unit_override="[Service]\nMountFlags=\n"
+
+  file {'/etc/systemd/system/docker.service.d':
+    ensure => directory,
+    require => Package['docker'],
+  }
+  -> file {'/etc/systemd/system/docker.service.d/99-unset-mountflags.conf':
+    content => $docker_unit_override,
+  }
+  ~> exec { 'systemd daemon-reload':
+    command => 'systemctl daemon-reload',
+    path => ['/usr/bin', '/usr/sbin'],
+    refreshonly => true,
+    notify => Service['docker']
+  }
+
   service { 'docker':
     ensure => 'running',
     enable => true,
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index b9f2a65..14faa23 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
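Review bot: The new `if defined(Class['::haproxy'])` guard makes the CA-refresh → haproxy restart relationship depend on catalog evaluation order: if `::haproxy` is declared after this define is evaluated, the `~>` is silently skipped and a regenerated local CA is never picked up by a running haproxy, which keeps serving with its previous trust material. The removed code notified `Class['::tripleo::haproxy']` unconditionally, so this is a behavioural change rather than a pure refactor. A comment next to the guard, such as `# defined() is parse-order dependent: ::haproxy must be declared before this define or the CA refresh will not restart haproxy`, would make the assumption explicit; alternatively establish the relationship from the class that declares haproxy. The enclosing define continues outside the hunk.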
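Review bot: Nothing in the hunk records why `MountFlags=` is cleared for the docker unit; the drop-in changes the mount-propagation behaviour of the docker service on the host, so the rationale belongs next to `$docker_unit_override`, e.g. `# Reset the distro's MountFlags= for docker.service so the unit uses systemd's default propagation; see <tracker reference> for the mount issue this works around`. Also `$docker_unit_override="[Service]\nMountFlags=\n"` lacks spaces around `=`, which puppet-lint flags. The `~> exec ... notify => Service['docker']` chain restarts docker whenever the drop-in changes, which on an already-deployed node presumably restarts the running containers — worth a one-line comment on the `exec` as well.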
@@ -59,6 +59,20 @@
 # one step.
 # Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
 #
+# [*sst_tls_cipher*]
+# (Optional) When enable_internal_tls is true, defines the list of
+# ciphers that the socat may use to tunnel SST connections.
+# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*sst_tls_options*]
+# (Optional) When enable_internal_tls is true, defines additional
+# parameters to be passed to socat for tunneling SST connections.
+# Defaults to undef
+#
+# [*ipv6*]
+# (Optional) Whether to deploy MySQL on IPv6 network.
+# Defaults to str2bool(hiera('mysql_ipv6', false))
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -76,6 +90,9 @@ class tripleo::profile::pacemaker::database::mysql (
   $enable_internal_tls = hiera('enable_internal_tls', false),
   $gmcast_listen_addr = hiera('mysql_bind_host'),
   $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
+  $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+  $sst_tls_options = undef,
+  $ipv6 = str2bool(hiera('mysql_ipv6', false)),
   $step = Integer(hiera('step')),
   $pcs_tries = hiera('pcs_tries', 20),
 ) {
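Review bot: The default `$sst_tls_cipher` contains the token `kEEH`, which does not appear to be an OpenSSL cipher-string keyword (`kEECDH`/`kECDHE` is); if it is a typo it is likely ignored rather than rejected, leaving `kRSA`, `kEDH` and `kPSK` as the only key-exchange selectors, i.e. a list that admits static RSA without forward secrecy and keeps 3DES. Please confirm the intended spelling, and state in the docblock that the default is a compatibility list rather than a hardened one, e.g. `#   NOTE: the default keeps kRSA and 3DES for interoperability; override via hiera once all nodes support ECDHE`. The same default and doc text are repeated in the mysql_bundle.pp docblock and parameter hunks below, so both copies need the fix.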
@@ -105,17 +122,36 @@ class tripleo::profile::pacemaker::database::mysql (
   if $enable_internal_tls {
     $tls_certfile = $certificate_specs['service_certificate']
     $tls_keyfile = $certificate_specs['service_key']
+    $sst_tls = {
+      'tcert' => $tls_certfile,
+      'tkey' => $tls_keyfile,
+    }
     if $ca_file {
       $tls_ca_options = "socket.ssl_ca=${ca_file}"
+      $sst_tca = { 'tca' => $ca_file }
     } else {
       $tls_ca_options = ''
+      $sst_tca = {}
     }
     $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+    $wsrep_sst_method = 'rsync_tunnel'
+    if $ipv6 {
+      $sst_ipv6 = 'pf=ip6'
+    } else {
+      $sst_ipv6 = undef
+    }
+    $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
+    $sst_sockopt = {
+      'sockopt' => join(delete_undef_values($all_sst_options), ',')
+    }
+    $mysqld_options_sst = { 'sst' => merge($sst_tls, $sst_tca, $sst_sockopt) }
   } else {
     $tls_options = ''
+    $wsrep_sst_method = 'rsync'
+    $mysqld_options_sst = {}
   }
 
-  $mysqld_options = {
+  $mysqld_options_mysqld = {
     'mysqld' => {
       'skip-name-resolve' => '1',
       'binlog_format' => 'ROW',
@@ -143,11 +179,13 @@ class tripleo::profile::pacemaker::database::mysql (
       'wsrep_auto_increment_control' => '1',
       'wsrep_drupal_282555_workaround' => '0',
       'wsrep_causal_reads' => '0',
-      'wsrep_sst_method' => 'rsync',
+      'wsrep_sst_method' => $wsrep_sst_method,
       'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
     }
   }
 
+  $mysqld_options = merge($mysqld_options_mysqld, $mysqld_options_sst)
+
   # since we are configuring rsync for wsrep_sst_method, we ought to make sure
   # it's installed. We only includ this at step 2 since puppet-rsync may be
   # included later and also adds the package resource.
diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp
index 1bcdbbe..436947d 100644
--- a/manifests/profile/pacemaker/database/mysql_bundle.pp
+++ b/manifests/profile/pacemaker/database/mysql_bundle.pp
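Review bot: When `$ca_file` is unset the `sst` section gets no `tca`, so the socat-based `rsync_tunnel` transfer has no CA to verify the peer against and peer authentication then depends on whatever the SST script passes to socat by default — for a mechanism whose purpose is to protect state transfers, that trade-off should be visible at `$sst_tca = {}`, e.g. `# no CA: the tunnel is encrypted but peer verification relies on rsync_tunnel's socat defaults — confirm before relying on it` (or a `fail()` when internal TLS is on without a CA). Separately, `delete_undef_values` drops only `undef`, so an empty-string `$sst_tls_options` from hiera produces `cipher=...,,pf=ip6`; `join(delete(delete_undef_values($all_sst_options), ''), ',')` covers both cases. The whole `$sst_*` block is duplicated verbatim in mysql_bundle.pp below; extracting it into a shared helper would keep the two copies from drifting.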
@@ -60,6 +60,27 @@
 # connections from other nodes in the cluster.
 # Defaults to hiera('mysql_bind_host')
 #
+# [*innodb_flush_log_at_trx_commit*]
+# (Optional) Disk flush behavior for MySQL under Galera. A value of
+# '1' indicates flush to disk per transaction. A value of '2' indicates
+# flush to disk every second, flushing all unflushed transactions in
+# one step.
+# Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
+#
+# [*sst_tls_cipher*]
+# (Optional) When enable_internal_tls is true, defines the list of
+# ciphers that the socat may use to tunnel SST connections.
+# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*sst_tls_options*]
+# (Optional) When enable_internal_tls is true, defines additional
+# parameters to be passed to socat for tunneling SST connections.
+# Defaults to undef
+#
+# [*ipv6*]
+# (Optional) Whether to deploy MySQL on IPv6 network.
+# Defaults to str2bool(hiera('mysql_ipv6', false))
+#
 # [*pcs_tries*]
 # (Optional) The number of times pcs commands should be retried.
 # Defaults to hiera('pcs_tries', 20)
@@ -71,16 +92,20 @@
 #
 #
 class tripleo::profile::pacemaker::database::mysql_bundle (
-  $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef),
-  $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'),
-  $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
-  $bind_address = $::hostname,
-  $ca_file = undef,
-  $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
-  $enable_internal_tls = hiera('enable_internal_tls', false),
-  $gmcast_listen_addr = hiera('mysql_bind_host'),
-  $pcs_tries = hiera('pcs_tries', 20),
-  $step = Integer(hiera('step')),
+  $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef),
+  $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'),
+  $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
+  $bind_address = $::hostname,
+  $ca_file = undef,
+  $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+  $enable_internal_tls = hiera('enable_internal_tls', false),
+  $gmcast_listen_addr = hiera('mysql_bind_host'),
+  $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
+  $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+  $sst_tls_options = undef,
+  $ipv6 = str2bool(hiera('mysql_ipv6', false)),
+  $pcs_tries = hiera('pcs_tries', 20),
+  $step = Integer(hiera('step')),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $pacemaker_master = true
@@ -110,52 +135,74 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
   if $enable_internal_tls {
     $tls_certfile = $certificate_specs['service_certificate']
     $tls_keyfile = $certificate_specs['service_key']
+    $sst_tls = {
+      'tcert' => $tls_certfile,
+      'tkey' => $tls_keyfile,
+    }
     if $ca_file {
       $tls_ca_options = "socket.ssl_ca=${ca_file}"
+      $sst_tca = { 'tca' => $ca_file }
     } else {
       $tls_ca_options = ''
+      $sst_tca = {}
     }
     $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+    $wsrep_sst_method = 'rsync_tunnel'
+    if $ipv6 {
+      $sst_ipv6 = 'pf=ip6'
+    } else {
+      $sst_ipv6 = undef
+    }
+    $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
+    $sst_sockopt = {
+      'sockopt' => join(delete_undef_values($all_sst_options), ',')
+    }
+    $mysqld_options_sst = { 'sst' => merge($sst_tls, $sst_tca, $sst_sockopt) }
   } else {
     $tls_options = ''
+    $wsrep_sst_method = 'rsync'
+    $mysqld_options_sst = {}
   }
 
-  $mysqld_options = {
+  $mysqld_options_mysqld = {
     'mysqld' => {
-      'pid-file' => '/var/lib/mysql/mariadb.pid',
-      'skip-name-resolve' => '1',
-      'binlog_format' => 'ROW',
-      'default-storage-engine' => 'innodb',
-      'innodb_autoinc_lock_mode' => '2',
-      'innodb_locks_unsafe_for_binlog'=> '1',
-      'innodb_file_per_table' => 'ON',
-      'query_cache_size' => '0',
-      'query_cache_type' => '0',
-      'bind-address' => $bind_address,
-      'max_connections' => hiera('mysql_max_connections'),
-      'open_files_limit' => '-1',
-      'wsrep_on' => 'ON',
-      'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so',
-      'wsrep_cluster_name' => 'galera_cluster',
-      'wsrep_cluster_address' => "gcomm://${galera_nodes}",
-      'wsrep_slave_threads' => '1',
-      'wsrep_certify_nonPK' => '1',
-      'wsrep_max_ws_rows' => '131072',
-      'wsrep_max_ws_size' => '1073741824',
-      'wsrep_debug' => '0',
-      'wsrep_convert_LOCK_to_trx' => '0',
-      'wsrep_retry_autocommit' => '1',
-      'wsrep_auto_increment_control' => '1',
-      'wsrep_drupal_282555_workaround'=> '0',
-      'wsrep_causal_reads' => '0',
-      'wsrep_sst_method' => 'rsync',
-      'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
+      'pid-file' => '/var/lib/mysql/mariadb.pid',
+      'skip-name-resolve' => '1',
+      'binlog_format' => 'ROW',
+      'default-storage-engine' => 'innodb',
+      'innodb_autoinc_lock_mode' => '2',
+      'innodb_locks_unsafe_for_binlog' => '1',
+      'innodb_file_per_table' => 'ON',
+      'innodb_flush_log_at_trx_commit' => $innodb_flush_log_at_trx_commit,
+      'query_cache_size' => '0',
+      'query_cache_type' => '0',
+      'bind-address' => $bind_address,
+      'max_connections' => hiera('mysql_max_connections'),
+      'open_files_limit' => '-1',
+      'wsrep_on' => 'ON',
+      'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so',
+      'wsrep_cluster_name' => 'galera_cluster',
+      'wsrep_cluster_address' => "gcomm://${galera_nodes}",
+      'wsrep_slave_threads' => '1',
+      'wsrep_certify_nonPK' => '1',
+      'wsrep_max_ws_rows' => '131072',
+      'wsrep_max_ws_size' => '1073741824',
+      'wsrep_debug' => '0',
+      'wsrep_convert_LOCK_to_trx' => '0',
+      'wsrep_retry_autocommit' => '1',
+      'wsrep_auto_increment_control' => '1',
+      'wsrep_drupal_282555_workaround' => '0',
+      'wsrep_causal_reads' => '0',
+      'wsrep_sst_method' => $wsrep_sst_method,
+      'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
     },
     'mysqld_safe' => {
-      'pid-file' => '/var/lib/mysql/mariadb.pid',
+      'pid-file' => '/var/lib/mysql/mariadb.pid',
     }
   }
 
+  $mysqld_options = merge($mysqld_options_mysqld, $mysqld_options_sst)
+
   # remove_default_accounts parameter will execute some mysql commands
   # to remove the default accounts created by MySQL package.
   # We need MySQL running to run the commands successfully, so better to
diff --git a/metadata.json b/metadata.json
index 61d0f57..36759b2 100644
--- a/metadata.json
+++ b/metadata.json
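Review bot: `wsrep_sst_method` becomes `rsync_tunnel` in the bundle profile as well, but here the SST presumably runs inside `$mysql_docker_image`, so the socat/wsrep_sst_rsync_tunnel tooling it depends on cannot be ensured by a host package resource the way mysql.pp ensures rsync; a comment at `$wsrep_sst_method = 'rsync_tunnel'` such as `# rsync_tunnel requires socat and the rsync_tunnel SST script inside the mysql container image` would record that requirement for whoever builds the image. The `innodb_flush_log_at_trx_commit` entry added to the `mysqld` section is unrelated to the TLS change and would be clearer as its own commit. The class body continues outside the hunk.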
@@ -1,6 +1,6 @@
 {
   "name": "openstack-tripleo",
-  "version": "7.4.3",
+  "version": "7.4.4",
   "author": "OpenStack Contributors",
   "summary": "Puppet module for TripleO",
   "license": "Apache-2.0",
diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb
index 328948e..1b05b87 100644
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb
@@ -26,6 +26,7 @@ describe 'tripleo::profile::base::docker' do
       it { is_expected.to contain_class('tripleo::profile::base::docker') }
       it { is_expected.to contain_package('docker') }
       it { is_expected.to contain_service('docker') }
+      it { is_expected.to contain_file('/etc/systemd/system/docker.service.d/99-unset-mountflags.conf') }
       it { is_expected.to contain_augeas('docker-sysconfig-options').with_changes([
         "set OPTIONS '\"--log-driver=journald --signature-verification=false --iptables=false\"'",
@@ -43,6 +44,7 @@ describe 'tripleo::profile::base::docker' do
       it { is_expected.to contain_class('tripleo::profile::base::docker') }
       it { is_expected.to contain_package('docker') }
       it { is_expected.to contain_service('docker') }
+      it { is_expected.to contain_file('/etc/systemd/system/docker.service.d/99-unset-mountflags.conf') }
       it { is_expected.to contain_augeas('docker-sysconfig-registry').with_changes([
         "set INSECURE_REGISTRY '\"--insecure-registry foo:8787\"'",
@@ -81,6 +83,7 @@ describe 'tripleo::profile::base::docker' do
       it { is_expected.to contain_class('tripleo::profile::base::docker') }
       it { is_expected.to contain_package('docker') }
       it { is_expected.to contain_service('docker') }
+      it { is_expected.to contain_file('/etc/systemd/system/docker.service.d/99-unset-mountflags.conf') }
       it { is_expected.to contain_augeas('docker-daemon.json').with_changes( ['set dict/entry[. = "registry-mirrors"] "registry-mirrors',
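Review bot: The new expectations only assert that the drop-in file is in the catalog, not what it contains or what it triggers; at least one context should pin the content with `it { is_expected.to contain_file('/etc/systemd/system/docker.service.d/99-unset-mountflags.conf').with_content("[Service]\nMountFlags=\n") }` and add `it { is_expected.to contain_exec('systemd daemon-reload').with_refreshonly(true) }`, since the manifest change is about the override taking effect. The same single line is pasted into every context in this hunk and the following ones; a `shared_examples` block would avoid the repetition. Each hunk's enclosing context block starts and ends outside the hunk.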
@@ -99,6 +102,7 @@ describe 'tripleo::profile::base::docker' do
       it { is_expected.to contain_class('tripleo::profile::base::docker') }
       it { is_expected.to contain_package('docker') }
       it { is_expected.to contain_service('docker') }
+      it { is_expected.to contain_file('/etc/systemd/system/docker.service.d/99-unset-mountflags.conf') }
       it { is_expected.to contain_augeas('docker-daemon.json').with_changes( ['rm dict/entry[. = "registry-mirrors"]',
@@ -117,6 +121,7 @@ describe 'tripleo::profile::base::docker' do
       it { is_expected.to contain_class('tripleo::profile::base::docker') }
       it { is_expected.to contain_package('docker') }
       it { is_expected.to contain_service('docker') }
+      it { is_expected.to contain_file('/etc/systemd/system/docker.service.d/99-unset-mountflags.conf') }
       it { is_expected.to contain_augeas('docker-sysconfig-options').with_changes([
         "set OPTIONS '\"--log-driver=syslog\"'",
@@ -133,6 +138,7 @@ describe 'tripleo::profile::base::docker' do
       it { is_expected.to contain_class('tripleo::profile::base::docker') }
       it { is_expected.to contain_package('docker') }
       it { is_expected.to contain_service('docker') }
+      it { is_expected.to contain_file('/etc/systemd/system/docker.service.d/99-unset-mountflags.conf') }
       it { is_expected.to contain_augeas('docker-sysconfig-storage').with_changes([
         "set DOCKER_STORAGE_OPTIONS '\" #{params[:storage_options]}\"'",
@@ -149,6 +155,7 @@ describe 'tripleo::profile::base::docker' do
       it { is_expected.to contain_class('tripleo::profile::base::docker') }
       it { is_expected.to contain_package('docker') }
       it { is_expected.to contain_service('docker') }
+      it { is_expected.to contain_file('/etc/systemd/system/docker.service.d/99-unset-mountflags.conf') }
       it { is_expected.to contain_augeas('docker-sysconfig-storage').with_changes([
         "rm DOCKER_STORAGE_OPTIONS",
|