-rw-r--r-- | manifests/profile/base/docker.pp | 59 | ||||
-rw-r--r-- | manifests/profile/base/novajoin.pp | 83 | ||||
-rw-r--r-- | spec/classes/tripleo_certmonger_ca_local_spec.rb (renamed from spec/classes/tripleo_certmonger_ca_local.rb) | 0 | ||||
-rw-r--r-- | spec/classes/tripleo_certmonger_etcd_spec.rb (renamed from spec/classes/tripleo_certmonger_etcd.rb) | 0 | ||||
-rw-r--r-- | spec/classes/tripleo_certmonger_mysql_spec.rb (renamed from spec/classes/tripleo_certmonger_mysql.rb) | 0 | ||||
-rw-r--r-- | spec/classes/tripleo_certmonger_rabbitmq_spec.rb (renamed from spec/classes/tripleo_certmonger_rabbitmq.rb) | 0 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_docker_spec.rb | 79 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_novajoin_spec.rb | 126 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_swift_ringbuilder_spec.rb (renamed from spec/classes/tripleo_profile_base_swift_ringbuilder.rb) | 0 | ||||
-rw-r--r-- | spec/defines/tripleo_certmonger_httpd_spec.rb (renamed from spec/classes/tripleo_certmonger_httpd.rb) | 2 |
10 files changed, 349 insertions, 0 deletions
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index 29f8b75..67fbd71 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -47,6 +47,18 @@
 # [*step*]
 # step defaults to hiera('step')
 #
+# [*configure_libvirt_polkit*]
+# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
+# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
+#
+# [*docker_nova_uid*]
+# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
+# Defaults to 42436
+#
+# [*services_enabled*]
+# List of TripleO services enabled on the role.
+# Defaults to hiera('services_names')
+#
 class tripleo::profile::base::docker (
 $docker_namespace = undef,
 $insecure_registry = false,
@@ -55,7 +67,17 @@ class tripleo::profile::base::docker (
 $configure_storage = true,
 $storage_options = '-s overlay2',
 $step = hiera('step'),
+ $configure_libvirt_polkit = undef,
+ $docker_nova_uid = 42436,
+ $services_enabled = hiera('service_names', [])
 ) {
+
+ if $configure_libvirt_polkit == undef {
+ $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
+ } else {
+ $configure_libvirt_polkit_real = $configure_libvirt_polkit
+ }
+
 if $step >= 1 {
 package {'docker':
 ensure => installed,
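Review bot: The `[*services_enabled*]` documentation says the default is `hiera('services_names')`, but the parameter added in the following hunk reads `hiera('service_names', [])`; an operator who follows the docs sets the wrong hiera key, silently gets the empty default, and the polkit grant stays off on a compute role. Change the doc line to `# Defaults to hiera('service_names', [])`. The `[*configure_libvirt_polkit*]` entry could also say how the default is derived, e.g. `# Defaults to undef, meaning: true when 'nova_compute' is in services_enabled, false otherwise`.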
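Review bot: `'nova_compute' in $services_enabled` degrades to a substring search if `$services_enabled` ever arrives as a String instead of an Array (Puppet's `in` operator does a case-insensitive substring match on strings), so a value such as `"nova_compute_foo"` would also switch on the host polkit grant, and neither new parameter is type-constrained. If this module already uses Puppet 4 typed parameters, `Array[String] $services_enabled = hiera('service_names', [])` and `Optional[Boolean] $configure_libvirt_polkit = undef` would reject the bad shape at compile time; otherwise a `validate_array($services_enabled)` before the `in` test would — I cannot see which convention the rest of this file follows. The class body continues outside the hunk.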
@@ -130,4 +152,41 @@ class tripleo::profile::base::docker (
 }
 }
+ if ($step >= 4 and $configure_libvirt_polkit_real) {
+ # Workaround for polkit authorization for libvirtd socket on host
+ #
+ # This creates a local user with the kolla nova uid, and sets the polkit rule to
+ # allow both it and the nova user from the nova rpms, should it exist (uid 162).
+
+ group { 'docker_nova_group':
+ name => 'docker_nova',
+ gid => $docker_nova_uid
+ } ->
+ user { 'docker_nova_user':
+ name => 'docker_nova',
+ uid => $docker_nova_uid,
+ gid => $docker_nova_uid,
+ shell => '/sbin/nologin',
+ comment => 'OpenStack Nova Daemons',
+ groups => ['nobody']
+ }
+
+ # Similar to the polkit rule in the openstack-nova rpm spec
+ # but allow both the 'docker_nova' and 'nova' user
+ $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.unix.manage" &&
+ /^(docker_)?nova$/.test(subject.user)) {
+ return polkit.Result.YES;
+ }
+});
+'
+ package {'polkit':
+ ensure => installed,
+ } ->
+ file {'/etc/polkit-1/rules.d/50-nova.rules':
+ content => $docker_nova_polkit_rule,
+ mode => '0644'
+ }
+ }
 }
diff --git a/manifests/profile/base/novajoin.pp b/manifests/profile/base/novajoin.pp
new file mode 100644
index 0000000..f9c1ea9
--- /dev/null
+++ b/manifests/profile/base/novajoin.pp
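Review bot: The polkit rule grants `org.libvirt.unix.manage` to any host process whose uid resolves to `docker_nova` or `nova`, and the host user is keyed purely on `$docker_nova_uid`, so every container that runs anything as uid 42436 — not only nova_compute — gets full libvirt management of the hypervisor once the libvirtd socket is bind-mounted in; that is inherent to the workaround but the comment above `group` does not say so. I would add there: `# SECURITY: any process on this host, in any container, running as uid $docker_nova_uid is granted org.libvirt.unix.manage (effectively root on the hypervisor). Do not reuse this uid for other kolla images.` The `file` resource should also pin `ensure => file, owner => 'root', group => 'root'` alongside `mode => '0644'` so the rule cannot be rewritten by a non-root account should the default owner ever differ. The `/^(docker_)?nova$/` test is anchored to the whole username, which is correct.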
@@ -0,0 +1,83 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::novajoin
+#
+# novajoin vendordata plugin profile for tripleo
+#
+# === Parameters
+#
+# [*service_password*]
+# The password for the novajoin service.
+#
+# [*enable_ipa_client_install*]
+# Enable FreeIPA client installation for the node this runs on.
+# Defaults to false
+#
+# [*oslomsg_rpc_hosts*]
+# list of the oslo messaging rpc host fqdns
+# Defaults to hiera('rabbitmq_node_names')
+#
+# [*oslomsg_rpc_proto*]
+# Protocol driver for the oslo messaging rpc service
+# Defaults to hiera('messaging_rpc_service_name', rabbit)
+#
+# [*oslomsg_rpc_password*]
+# Password for oslo messaging rpc service
+# Defaults to undef
+#
+# [*oslomsg_rpc_port*]
+# IP port for oslo messaging rpc service
+# Defaults to '5672'
+#
+# [*oslomsg_rpc_username*]
+# Username for oslo messaging rpc service
+# Defaults to 'guest'
+#
+# [*oslomsg_use_ssl*]
+# Enable ssl oslo messaging services
+# Defaults to '0'
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+
+class tripleo::profile::base::novajoin (
+ $service_password,
+ $enable_ipa_client_install = false,
+ $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
+ $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
+ $oslomsg_rpc_password = undef,
+ $oslomsg_rpc_port = '5672',
+ $oslomsg_rpc_username = 'guest',
+ $oslomsg_use_ssl = '0',
+ $step = hiera('step'),
+) {
+ if $step >= 3 {
+ $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
+ class { '::nova::metadata::novajoin::api' :
+ service_password => $service_password,
+ enable_ipa_client_install => $enable_ipa_client_install,
+ transport_url => os_transport_url({
+ 'transport' => $oslomsg_rpc_proto,
+ 'hosts' => $oslomsg_rpc_hosts,
+ 'port' => sprintf('%s', $oslomsg_rpc_port),
+ 'username' => $oslomsg_rpc_username,
+ 'password' => $oslomsg_rpc_password,
+ 'ssl' => $oslomsg_use_ssl_real,
+ }),
+ }
+ }
+}
diff --git a/spec/classes/tripleo_certmonger_ca_local.rb b/spec/classes/tripleo_certmonger_ca_local_spec.rb
index 7ee9383..7ee9383 100644
--- a/spec/classes/tripleo_certmonger_ca_local.rb
+++ b/spec/classes/tripleo_certmonger_ca_local_spec.rb
diff --git a/spec/classes/tripleo_certmonger_etcd.rb b/spec/classes/tripleo_certmonger_etcd_spec.rb
index fc0aad3..fc0aad3 100644
--- a/spec/classes/tripleo_certmonger_etcd.rb
+++ b/spec/classes/tripleo_certmonger_etcd_spec.rb
diff --git a/spec/classes/tripleo_certmonger_mysql.rb b/spec/classes/tripleo_certmonger_mysql_spec.rb
index 23b1e4f..23b1e4f 100644
--- a/spec/classes/tripleo_certmonger_mysql.rb
+++ b/spec/classes/tripleo_certmonger_mysql_spec.rb
diff --git a/spec/classes/tripleo_certmonger_rabbitmq.rb b/spec/classes/tripleo_certmonger_rabbitmq_spec.rb
index 5c011ce..5c011ce 100644
--- a/spec/classes/tripleo_certmonger_rabbitmq.rb
+++ b/spec/classes/tripleo_certmonger_rabbitmq_spec.rb
diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb
index 0b988f6..bb21055 100644
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb
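Review bot: `$oslomsg_rpc_password` defaults to `undef` while `$oslomsg_rpc_username` defaults to `'guest'`, so a deployment that omits the password builds a transport URL for the broker's default `guest` account with an empty or missing password, depending on how `os_transport_url` renders an undef value (that function is not visible here). Because novajoin joins the same RPC bus as nova, failing the catalog is safer than a silent fall-back to default credentials: add `if $oslomsg_rpc_password == undef { fail('tripleo::profile::base::novajoin: oslomsg_rpc_password must be set') }` at the top of the `$step >= 3` branch, or make the parameter mandatory like `$service_password`. The `[*oslomsg_use_ssl*]` doc should also state that the `'0'` default leaves the broker connection unencrypted, so these credentials cross the messaging network in clear text unless it is otherwise protected.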
@@ -124,6 +124,85 @@ describe 'tripleo::profile::base::docker' do
 }
 end
+ context 'with step 4 and configure_libvirt_polkit disabled' do
+ let(:params) { {
+ :step => 4,
+ :configure_libvirt_polkit => false
+ } }
+ it {
+ is_expected.to_not contain_group('docker_nova_group')
+ is_expected.to_not contain_user('docker_nova_user')
+ is_expected.to_not contain_package('polkit')
+ is_expected.to_not contain_file('/etc/polkit-1/rules.d/50-nova.rules')
+ }
+ end
+
+ context 'with step 4 and configure_libvirt_polkit enabled' do
+ let(:params) { {
+ :step => 4,
+ :configure_libvirt_polkit => true
+ } }
+ it {
+ is_expected.to contain_group('docker_nova_group').with(
+ :name => 'docker_nova',
+ :gid => 42436
+ )
+ is_expected.to contain_user('docker_nova_user').with(
+ :name => 'docker_nova',
+ :uid => 42436,
+ :gid => 42436,
+ :shell => '/sbin/nologin',
+ :groups => ['nobody']
+ )
+ is_expected.to contain_package('polkit')
+ is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
+ }
+ end
+
+ context 'with step 4 and nova_compute service installed' do
+ let(:params) { {
+ :step => 4,
+ :services_enabled => ['docker', 'nova_compute']
+ } }
+ it {
+ is_expected.to contain_group('docker_nova_group').with(
+ :name => 'docker_nova',
+ :gid => 42436
+ )
+ is_expected.to contain_user('docker_nova_user').with(
+ :name => 'docker_nova',
+ :uid => 42436,
+ :gid => 42436,
+ :shell => '/sbin/nologin',
+ :groups => ['nobody']
+ )
+ is_expected.to contain_package('polkit')
+ is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
+ }
+ end
+
+ context 'with step 4 and configure_libvirt_polkit enabled and docker_nova uid' do
+ let(:params) { {
+ :step => 4,
+ :configure_libvirt_polkit => true,
+ :docker_nova_uid => 12345
+ } }
+ it {
+ is_expected.to contain_group('docker_nova_group').with(
+ :name => 'docker_nova',
+ :gid => 12345
+ )
+ is_expected.to contain_user('docker_nova_user').with(
+ :name => 'docker_nova',
+ :uid => 12345,
+ :gid => 12345,
+ :shell => '/sbin/nologin',
+ :groups => ['nobody']
+ )
+ is_expected.to contain_package('polkit')
+ is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
+ }
+ end
 end
 on_supported_os.each do |os, facts|
diff --git a/spec/classes/tripleo_profile_base_novajoin_spec.rb b/spec/classes/tripleo_profile_base_novajoin_spec.rb
new file mode 100644
index 0000000..e157d4f
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_novajoin_spec.rb
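Review bot: None of the four new contexts asserts on the content of `/etc/polkit-1/rules.d/50-nova.rules`, so a regression in the rule's `action.id` or in the `/^(docker_)?nova$/` username test — the part that actually bounds the privilege grant — would still pass; in the enabled context add `is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules').with_content(/org\.libvirt\.unix\.manage/).with_content(/\(docker_\)\?nova\$/).with_mode('0644')`. The implicit default is also only half covered: there is a context where `services_enabled` contains `nova_compute`, but none where it is supplied without it (e.g. `:services_enabled => ['docker']`) to confirm the grant stays off. The `shared_examples_for` block these contexts live in starts outside the hunk.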
@@ -0,0 +1,126 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::novajoin' do
+
+ let :pre_condition do
+ "include nova
+ class { '::nova::metadata::novajoin::authtoken':
+ password => 'passw0rd',
+ }"
+ end
+
+ let :params do
+ { :oslomsg_rpc_hosts => ['some.server.com'],
+ :oslomsg_rpc_password => 'somepassword',
+ :service_password => 'passw0rd',
+ :step => 5
+ }
+ end
+
+ shared_examples_for 'tripleo::profile::base::novajoin' do
+
+ context 'with step less than 3' do
+ before do
+ params.merge!({ :step => 2 })
+ end
+
+ it 'should not do anything' do
+ is_expected.to_not contain_class('nova::metadata::novajoin::api')
+ end
+ end
+
+ context 'with step 3' do
+ before do
+ params.merge!({ :step => 3 })
+ end
+
+ it 'should provide basic initialization' do
+ is_expected.to contain_class('nova::metadata::novajoin::api').with(
+ :transport_url => 'rabbit://guest:somepassword@some.server.com:5672/?ssl=0'
+ )
+ end
+ end
+
+ context 'with multiple hosts' do
+ before do
+ params.merge!({ :oslomsg_rpc_hosts => ['some.server.com', 'someother.server.com'] })
+ end
+
+ it 'should construct a multihost URL' do
+ is_expected.to contain_class('nova::metadata::novajoin::api').with(
+ :transport_url => 'rabbit://guest:somepassword@some.server.com:5672,guest:somepassword@someother.server.com:5672/?ssl=0'
+ )
+ end
+ end
+
+ context 'with username provided' do
+ before do
+ params.merge!({ :oslomsg_rpc_username => 'bunny' })
+ end
+
+ it 'should construct URL with username' do
+ is_expected.to contain_class('nova::metadata::novajoin::api').with(
+ :transport_url => 'rabbit://bunny:somepassword@some.server.com:5672/?ssl=0'
+ )
+ end
+ end
+
+ context 'with username and password provided' do
+ before do
+ params.merge!(
+ { :oslomsg_rpc_username => 'bunny',
+ :oslomsg_rpc_password => 'carrot'
+ }
+ )
+ end
+
+ it 'should construct URL with username and password' do
+ is_expected.to contain_class('nova::metadata::novajoin::api').with(
+ :transport_url => 'rabbit://bunny:carrot@some.server.com:5672/?ssl=0'
+ )
+ end
+ end
+
+ context 'with multiple hosts and user info provided' do
+ before do
+ params.merge!(
+ { :oslomsg_rpc_hosts => ['some.server.com', 'someother.server.com'],
+ :oslomsg_rpc_username => 'bunny',
+ :oslomsg_rpc_password => 'carrot'
+ }
+ )
+ end
+
+ it 'should distributed user info across hosts URL' do
+ is_expected.to contain_class('nova::metadata::novajoin::api').with(
+ :transport_url => 'rabbit://bunny:carrot@some.server.com:5672,bunny:carrot@someother.server.com:5672/?ssl=0'
+ )
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+ it_behaves_like 'tripleo::profile::base::novajoin'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_profile_base_swift_ringbuilder.rb b/spec/classes/tripleo_profile_base_swift_ringbuilder_spec.rb
index 0139815..0139815 100644
--- a/spec/classes/tripleo_profile_base_swift_ringbuilder.rb
+++ b/spec/classes/tripleo_profile_base_swift_ringbuilder_spec.rb
diff --git a/spec/classes/tripleo_certmonger_httpd.rb b/spec/defines/tripleo_certmonger_httpd_spec.rb
index da5ce94..f01e594 100644
--- a/spec/classes/tripleo_certmonger_httpd.rb
+++ b/spec/defines/tripleo_certmonger_httpd_spec.rb
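Review bot: Every expectation ends in `?ssl=0` and no context sets `oslomsg_use_ssl`, so the `bool2num(str2bool(...))` conversion in the profile — the only logic beyond URL assembly, and the one that decides whether broker credentials go over TLS — is untested, and a regression that always emitted `ssl=0` would pass; add a context that merges `:oslomsg_use_ssl => true` (and one with `'1'`) and expects `:transport_url => 'rabbit://guest:somepassword@some.server.com:5672/?ssl=1'`. `service_password` and `enable_ipa_client_install` are passed to the contained class but never asserted; `.with(:service_password => 'passw0rd', :enable_ipa_client_install => false)` in the step-3 context covers both. `facts.merge({})` in the `on_supported_os` loop is a no-op and can simply be `facts`.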
@@ -20,6 +20,8 @@ require 'spec_helper' describe 'tripleo::certmonger::httpd' do + let(:title) { 'httpd-cert' } + shared_examples_for 'tripleo::certmonger::httpd' do let :params do { |