summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/haproxy.pp20
-rw-r--r--manifests/haproxy/endpoint.pp26
-rw-r--r--manifests/profile/base/barbican/api.pp4
-rw-r--r--manifests/profile/base/database/mysql.pp3
-rw-r--r--manifests/profile/base/logging/logrotate.pp112
-rw-r--r--metadata.json2
-rw-r--r--releasenotes/source/conf.py4
-rw-r--r--spec/classes/tripleo_profile_base_barbican_api_spec.rb3
-rw-r--r--spec/classes/tripleo_profile_base_logging_logrotate_spec.rb59
-rw-r--r--templates/logrotate/containers_logrotate.conf.erb14
10 files changed, 219 insertions, 28 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 83ca930..4d37458 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -524,7 +524,6 @@
# 'ironic_inspector_port' (Defaults to 5050)
# 'ironic_inspector_ssl_port' (Defaults to 13050)
# 'keystone_admin_api_port' (Defaults to 35357)
-# 'keystone_admin_api_ssl_port' (Defaults to 13357)
# 'keystone_public_api_port' (Defaults to 5000)
# 'keystone_public_api_ssl_port' (Defaults to 13000)
# 'manila_api_port' (Defaults to 8786)
@@ -713,7 +712,6 @@ class tripleo::haproxy (
ironic_inspector_port => 5050,
ironic_inspector_ssl_port => 13050,
keystone_admin_api_port => 35357,
- keystone_admin_api_ssl_port => 13357,
keystone_public_api_port => 5000,
keystone_public_api_ssl_port => 13000,
manila_api_port => 8786,
@@ -862,16 +860,14 @@ class tripleo::haproxy (
if $keystone_admin {
::tripleo::haproxy::endpoint { 'keystone_admin':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
- service_port => $ports[keystone_admin_api_port],
- ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
- server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
- mode => 'http',
- listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
- public_ssl_port => $ports[keystone_admin_api_ssl_port],
- service_network => $keystone_admin_network,
- member_options => union($haproxy_member_options, $internal_tls_member_options),
+ internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_admin_api_port],
+ ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
+ server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
+ mode => 'http',
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
+ service_network => $keystone_admin_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 9139061..4436e19 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -133,21 +133,35 @@ define tripleo::haproxy::endpoint (
} else {
# internal service only
$public_bind_opts = {}
+ $listen_options_real = $listen_options
}
if $use_internal_certificates {
if !$service_network {
fail("The service_network for this service is undefined. Can't configure TLS for the internal network.")
}
- # NOTE(jaosorior): The key of the internal_certificates_specs hash must
- # must match the convention haproxy-<network name> or else this
- # will fail. Futherly, it must contain the path that we'll use under
- # 'service_pem'.
- $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
+
+ if $service_network == 'external' and $public_certificate {
+ # NOTE(jaosorior): This service has been configured to use the external
+ # network. We should use the public certificate in this case.
+ $internal_cert_path = $public_certificate
+ } else {
+ # NOTE(jaosorior): This service is configured for the internal network.
+ # We use the certificate spec hash. The key of the
+ # internal_certificates_specs hash must must match the convention
+ # haproxy-<network name> or else this will fail. Futherly, it must
+ # contain the path that we'll use under 'service_pem'.
+ $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
+ }
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
} else {
- $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ if $service_network == 'external' and $public_certificate {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
+ union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+ } else {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ }
}
$bind_opts = merge($internal_bind_opts, $public_bind_opts)
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp
index 40a0a99..48bf4b8 100644
--- a/manifests/profile/base/barbican/api.pp
+++ b/manifests/profile/base/barbican/api.pp
@@ -129,10 +129,6 @@ class tripleo::profile::base::barbican::api (
include ::tripleo::profile::base::barbican
- if $step >= 3 and $sync_db {
- include ::barbican::db::mysql
- }
-
if $step >= 4 or ( $step >= 3 and $sync_db ) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
class { '::barbican::api':
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 7e7d68b..7bb8c74 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -171,6 +171,9 @@ class tripleo::profile::base::database::mysql (
if hiera('cinder_api_enabled', false) {
include ::cinder::db::mysql
}
+ if hiera('barbican_api_enabled', false) {
+ include ::barbican::db::mysql
+ }
if hiera('congress_enabled', false) {
include ::congress::db::mysql
}
diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp
new file mode 100644
index 0000000..1545875
--- /dev/null
+++ b/manifests/profile/base/logging/logrotate.pp
@@ -0,0 +1,112 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::logging::logrotate
+#
+# Installs a cron job that rotates containerized services logs.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) String. The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ensure*]
+# (optional) Defaults to present.
+# Valid values are present, absent.
+#
+# [*minute*]
+# (optional) Defaults to '0'. Configures cron job for logrotate.
+#
+# [*hour*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*monthday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*month*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*weekday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*maxdelay*]
+# (optional) Seconds. Defaults to 90. Should be a positive integer.
+# Induces a random delay before running the cronjob to avoid running all
+# cron jobs at the same time on all hosts this job is configured.
+#
+# [*user*]
+# (optional) Defaults to 'root'. Configures cron job for logrotate.
+#
+# [*delaycompress*]
+# (optional) Defaults to True.
+# Configures the logrotate delaycompress parameter.
+#
+# [*size*]
+# (optional) Defaults to '10M'.
+# Configures the logrotate size parameter.
+#
+# [*rotate*]
+# (optional) Defaults to 14.
+# Configures the logrotate rotate parameter.
+#
+class tripleo::profile::base::logging::logrotate (
+ $step = Integer(hiera('step')),
+ $ensure = present,
+ $minute = 0,
+ $hour = '*',
+ $monthday = '*',
+ $month = '*',
+ $weekday = '*',
+ Integer $maxdelay = 90,
+ $user = 'root',
+ $delaycompress = true,
+ $size = '10M',
+ $rotate = 14,
+) {
+
+ if $step >= 4 {
+ if $maxdelay == 0 {
+ $sleep = ''
+ } else {
+ $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
+ }
+
+ $svc = 'logrotate-crond'
+ $config = "/etc/${svc}.conf"
+ $state = "/var/lib/logrotate/${svc}.status"
+ $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}"
+
+ file { "${config}":
+ ensure => $ensure,
+ owner => $user,
+ group => $user,
+ mode => '0640',
+ content => template('tripleo/logrotate/containers_logrotate.conf.erb'),
+ }
+
+ cron { "${svc}":
+ ensure => $ensure,
+ command => "${cmd} 2>&1|logger -t ${svc}",
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
+ user => $user,
+ minute => $minute,
+ hour => $hour,
+ monthday => $monthday,
+ month => $month,
+ weekday => $weekday,
+ }
+ }
+}
diff --git a/metadata.json b/metadata.json
index 821ce7c..82284f4 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
{
"name": "openstack-tripleo",
- "version": "7.2.0",
+ "version": "7.3.0",
"author": "OpenStack Contributors",
"summary": "Puppet module for TripleO",
"license": "Apache-2.0",
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index bba17b6..7224ef2 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -53,9 +53,9 @@ copyright = u'2017, Puppet TripleO Developers'
# built documents.
#
# The short X.Y version.
-version = '7.2.0'
+version = '7.3.0'
# The full version, including alpha/beta/rc tags.
-release = '7.2.0'
+release = '7.3.0'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
diff --git a/spec/classes/tripleo_profile_base_barbican_api_spec.rb b/spec/classes/tripleo_profile_base_barbican_api_spec.rb
index 169642e..881cc0a 100644
--- a/spec/classes/tripleo_profile_base_barbican_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_barbican_api_spec.rb
@@ -45,7 +45,6 @@ describe 'tripleo::profile::base::barbican::api' do
it 'should trigger complete configuration' do
is_expected.to contain_class('tripleo::profile::base::barbican::api')
is_expected.to contain_class('tripleo::profile::base::barbican')
- is_expected.to contain_class('barbican::db::mysql')
is_expected.to contain_class('barbican::db::sync')
is_expected.to contain_class('barbican::api')
is_expected.to contain_class('barbican::api::logging')
@@ -64,7 +63,6 @@ describe 'tripleo::profile::base::barbican::api' do
it 'should not trigger any configuration' do
is_expected.to contain_class('tripleo::profile::base::barbican::api')
is_expected.to contain_class('tripleo::profile::base::barbican')
- is_expected.to_not contain_class('barbican::db::mysql')
is_expected.to_not contain_class('barbican::db::sync')
is_expected.to_not contain_class('barbican::api')
is_expected.to_not contain_class('barbican::api::logging')
@@ -81,7 +79,6 @@ describe 'tripleo::profile::base::barbican::api' do
} }
it 'should trigger complete configuration with out db items' do
- is_expected.to_not contain_class('barbican::db::mysql')
# TODO(aschultz): barbican::api includes this automatically
#is_expected.to_not contain_class('barbican::db::sync')
is_expected.to contain_class('barbican::api')
diff --git a/spec/classes/tripleo_profile_base_logging_logrotate_spec.rb b/spec/classes/tripleo_profile_base_logging_logrotate_spec.rb
new file mode 100644
index 0000000..df109b4
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_logging_logrotate_spec.rb
@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::logging::logrotate' do
+ shared_examples_for 'tripleo::profile::base::logging::logrotate' do
+
+ context 'with step less than 4' do
+ let(:params) { { :step => 3 } }
+
+ it 'should do nothing' do
+ is_expected.to contain_class('tripleo::profile::base::logging::logrotate')
+ is_expected.to_not contain_cron('logrotate-crond')
+ is_expected.to_not contain_file('/etc/logrotate-crond.conf')
+ end
+ end
+
+ context 'with defaults and step greater than 3' do
+ let(:params) { { :step => 4 } }
+
+ it { is_expected.to contain_class('tripleo::profile::base::logging::logrotate') }
+ it { is_expected.to contain_cron('logrotate-crond').with(
+ :ensure => 'present',
+ :command => 'sleep `expr ${RANDOM} \\% 90`; /usr/sbin/logrotate -s ' +
+ '/var/lib/logrotate/logrotate-crond.status ' +
+ '/etc/logrotate-crond.conf 2>&1|logger -t logrotate-crond',
+ :user => 'root',
+ :minute => 0,
+ :hour => '*',
+ :monthday => '*',
+ :month => '*',
+ :weekday => '*') }
+ it { is_expected.to contain_file('/etc/logrotate-crond.conf') }
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let (:facts) {
+ facts
+ }
+ it_behaves_like 'tripleo::profile::base::logging::logrotate'
+ end
+ end
+end
diff --git a/templates/logrotate/containers_logrotate.conf.erb b/templates/logrotate/containers_logrotate.conf.erb
new file mode 100644
index 0000000..cbf17b4
--- /dev/null
+++ b/templates/logrotate/containers_logrotate.conf.erb
@@ -0,0 +1,14 @@
+/var/log/containers/*/*.log {
+ rotate <%= @rotate %>
+ size <%= @size %>
+ missingok
+ notifempty
+<%- if @delaycompress %>
+ delaycompress
+<%- end %>
+ postrotate
+ /sbin/lsof -nPs +L1 +D /var/log 2>&1|\
+ /bin/perl -ne '/\S+\s+(\d+).*\/var\/log\/.*\(deleted\)/ && print "$1\n"' |\
+ /bin/xargs -n1 -r -t kill -HUP
+ endscript
+}