diff options
-rw-r--r-- | manifests/haproxy.pp | 20 | ||||
-rw-r--r-- | manifests/haproxy/endpoint.pp | 26 | ||||
-rw-r--r-- | manifests/profile/base/logging/logrotate.pp | 112 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_logging_logrotate_spec.rb | 59 | ||||
-rw-r--r-- | templates/logrotate/containers_logrotate.conf.erb | 14 |
5 files changed, 213 insertions, 18 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index a3d088a..0933831 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -520,7 +520,6 @@ # 'ironic_inspector_port' (Defaults to 5050) # 'ironic_inspector_ssl_port' (Defaults to 13050) # 'keystone_admin_api_port' (Defaults to 35357) -# 'keystone_admin_api_ssl_port' (Defaults to 13357) # 'keystone_public_api_port' (Defaults to 5000) # 'keystone_public_api_ssl_port' (Defaults to 13000) # 'manila_api_port' (Defaults to 8786) @@ -708,7 +707,6 @@ class tripleo::haproxy ( ironic_inspector_port => 5050, ironic_inspector_ssl_port => 13050, keystone_admin_api_port => 35357, - keystone_admin_api_ssl_port => 13357, keystone_public_api_port => 5000, keystone_public_api_ssl_port => 13000, manila_api_port => 8786, @@ -894,16 +892,14 @@ class tripleo::haproxy ( if $keystone_admin { ::tripleo::haproxy::endpoint { 'keystone_admin': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), - service_port => $ports[keystone_admin_api_port], - ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), - server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), - mode => 'http', - listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), - public_ssl_port => $ports[keystone_admin_api_ssl_port], - service_network => $keystone_admin_network, - member_options => union($haproxy_member_options, $internal_tls_member_options), + internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_admin_api_port], + ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), + server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), + service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index 9139061..4436e19 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -133,21 +133,35 @@ define tripleo::haproxy::endpoint ( } else { # internal service only $public_bind_opts = {} + $listen_options_real = $listen_options } if $use_internal_certificates { if !$service_network { fail("The service_network for this service is undefined. Can't configure TLS for the internal network.") } - # NOTE(jaosorior): The key of the internal_certificates_specs hash must - # must match the convention haproxy-<network name> or else this - # will fail. Futherly, it must contain the path that we'll use under - # 'service_pem'. - $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + + if $service_network == 'external' and $public_certificate { + # NOTE(jaosorior): This service has been configured to use the external + # network. We should use the public certificate in this case. + $internal_cert_path = $public_certificate + } else { + # NOTE(jaosorior): This service is configured for the internal network. + # We use the certificate spec hash. The key of the + # internal_certificates_specs hash must must match the convention + # haproxy-<network name> or else this will fail. Futherly, it must + # contain the path that we'll use under 'service_pem'. + $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + } $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path])) } else { - $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + if $service_network == 'external' and $public_certificate { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), + union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) + } else { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + } } $bind_opts = merge($internal_bind_opts, $public_bind_opts) diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp new file mode 100644 index 0000000..1545875 --- /dev/null +++ b/manifests/profile/base/logging/logrotate.pp @@ -0,0 +1,112 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::logging::logrotate +# +# Installs a cron job that rotates containerized services logs. +# +# === Parameters +# +# [*step*] +# (Optional) String. The current step of the deployment +# Defaults to hiera('step') +# +# [*ensure*] +# (optional) Defaults to present. +# Valid values are present, absent. +# +# [*minute*] +# (optional) Defaults to '0'. Configures cron job for logrotate. +# +# [*hour*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*monthday*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*month*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*weekday*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*maxdelay*] +# (optional) Seconds. Defaults to 90. Should be a positive integer. +# Induces a random delay before running the cronjob to avoid running all +# cron jobs at the same time on all hosts this job is configured. +# +# [*user*] +# (optional) Defaults to 'root'. Configures cron job for logrotate. +# +# [*delaycompress*] +# (optional) Defaults to True. +# Configures the logrotate delaycompress parameter. +# +# [*size*] +# (optional) Defaults to '10M'. +# Configures the logrotate size parameter. +# +# [*rotate*] +# (optional) Defaults to 14. +# Configures the logrotate rotate parameter. +# +class tripleo::profile::base::logging::logrotate ( + $step = Integer(hiera('step')), + $ensure = present, + $minute = 0, + $hour = '*', + $monthday = '*', + $month = '*', + $weekday = '*', + Integer $maxdelay = 90, + $user = 'root', + $delaycompress = true, + $size = '10M', + $rotate = 14, +) { + + if $step >= 4 { + if $maxdelay == 0 { + $sleep = '' + } else { + $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; " + } + + $svc = 'logrotate-crond' + $config = "/etc/${svc}.conf" + $state = "/var/lib/logrotate/${svc}.status" + $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}" + + file { "${config}": + ensure => $ensure, + owner => $user, + group => $user, + mode => '0640', + content => template('tripleo/logrotate/containers_logrotate.conf.erb'), + } + + cron { "${svc}": + ensure => $ensure, + command => "${cmd} 2>&1|logger -t ${svc}", + environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh', + user => $user, + minute => $minute, + hour => $hour, + monthday => $monthday, + month => $month, + weekday => $weekday, + } + } +} diff --git a/spec/classes/tripleo_profile_base_logging_logrotate_spec.rb b/spec/classes/tripleo_profile_base_logging_logrotate_spec.rb new file mode 100644 index 0000000..df109b4 --- /dev/null +++ b/spec/classes/tripleo_profile_base_logging_logrotate_spec.rb @@ -0,0 +1,59 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::logging::logrotate' do + shared_examples_for 'tripleo::profile::base::logging::logrotate' do + + context 'with step less than 4' do + let(:params) { { :step => 3 } } + + it 'should do nothing' do + is_expected.to contain_class('tripleo::profile::base::logging::logrotate') + is_expected.to_not contain_cron('logrotate-crond') + is_expected.to_not contain_file('/etc/logrotate-crond.conf') + end + end + + context 'with defaults and step greater than 3' do + let(:params) { { :step => 4 } } + + it { is_expected.to contain_class('tripleo::profile::base::logging::logrotate') } + it { is_expected.to contain_cron('logrotate-crond').with( + :ensure => 'present', + :command => 'sleep `expr ${RANDOM} \\% 90`; /usr/sbin/logrotate -s ' + + '/var/lib/logrotate/logrotate-crond.status ' + + '/etc/logrotate-crond.conf 2>&1|logger -t logrotate-crond', + :user => 'root', + :minute => 0, + :hour => '*', + :monthday => '*', + :month => '*', + :weekday => '*') } + it { is_expected.to contain_file('/etc/logrotate-crond.conf') } + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let (:facts) { + facts + } + it_behaves_like 'tripleo::profile::base::logging::logrotate' + end + end +end diff --git a/templates/logrotate/containers_logrotate.conf.erb b/templates/logrotate/containers_logrotate.conf.erb new file mode 100644 index 0000000..cbf17b4 --- /dev/null +++ b/templates/logrotate/containers_logrotate.conf.erb @@ -0,0 +1,14 @@ +/var/log/containers/*/*.log { + rotate <%= @rotate %> + size <%= @size %> + missingok + notifempty +<%- if @delaycompress %> + delaycompress +<%- end %> + postrotate + /sbin/lsof -nPs +L1 +D /var/log 2>&1|\ + /bin/perl -ne '/\S+\s+(\d+).*\/var\/log\/.*\(deleted\)/ && print "$1\n"' |\ + /bin/xargs -n1 -r -t kill -HUP + endscript +} |