-rw-r--r-- | manifests/loadbalancer.pp | 20 | ||||
-rw-r--r-- | manifests/profile/base/keystone.pp | 6 | ||||
-rw-r--r-- | manifests/profile/base/neutron/dhcp.pp | 8 | ||||
-rw-r--r-- | manifests/profile/pacemaker/keystone.pp | 4 | ||||
-rw-r--r-- | manifests/selinux.pp | 96 | ||||
-rw-r--r-- | spec/classes/tripleo_selinux_spec.rb | 106 | ||||
-rw-r--r-- | templates/selinux/sysconfig_selinux.erb | 11 |
7 files changed, 227 insertions, 24 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 664590b..a13b151 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -175,10 +175,6 @@
# (optional) Enable or not Glance registry binding
# Defaults to false
#
-# [*nova_ec2*]
# (optional) Enable or not Nova EC2 API binding
# Defaults to false
#
# [*nova_osapi*]
# (optional) Enable or not Nova API binding
# Defaults to false
@@ -284,8 +280,6 @@
# 'neutron_api_ssl_port' (Defaults to 13696)
# 'nova_api_port' (Defaults to 8774)
# 'nova_api_ssl_port' (Defaults to 13774)
-# 'nova_ec2_port' (Defaults to 8773)
-# 'nova_ec2_ssl_port' (Defaults to 13773)
# 'nova_metadata_port' (Defaults to 8775)
# 'nova_novnc_port' (Defaults to 6080)
# 'nova_novnc_ssl_port' (Defaults to 13080)
@@ -332,7 +326,6 @@ class tripleo::loadbalancer (
$manila = false,
$glance_api = false,
$glance_registry = false,
- $nova_ec2 = false,
$nova_osapi = false,
$nova_metadata = false,
$nova_novncproxy = false,
@@ -383,8 +376,6 @@ class tripleo::loadbalancer (
neutron_api_ssl_port => 13696,
nova_api_port => 8774,
nova_api_ssl_port => 13774,
- nova_ec2_port => 8773,
- nova_ec2_ssl_port => 13773,
nova_metadata_port => 8775,
nova_novnc_port => 6080,
nova_novnc_ssl_port => 13080,
@@ -717,17 +708,6 @@ class tripleo::loadbalancer (
}
$nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
- if $nova_ec2 {
- ::tripleo::loadbalancer::endpoint { 'nova_ec2':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => $nova_api_vip,
- service_port => $ports[nova_ec2_port],
- ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[nova_ec2_ssl_port],
- }
- }
-
if $nova_osapi {
::tripleo::loadbalancer::endpoint { 'nova_osapi':
public_virtual_ip => $public_virtual_ip,
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index f79adfd..a5060b8 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -84,21 +84,21 @@ class tripleo::profile::base::keystone (
content => hiera('keystone_signing_certificate'),
owner => 'keystone',
group => 'keystone',
- notify => Service['keystone'],
+ notify => Service[$::apache::params::service_name],
require => File['/etc/keystone/ssl/certs'],
}
file { '/etc/keystone/ssl/private/signing_key.pem':
content => hiera('keystone_signing_key'),
owner => 'keystone',
group => 'keystone',
- notify => Service['keystone'],
+ notify => Service[$::apache::params::service_name],
require => File['/etc/keystone/ssl/private'],
}
file { '/etc/keystone/ssl/certs/ca.pem':
content => hiera('keystone_ca_certificate'),
owner => 'keystone',
group => 'keystone',
- notify => Service['keystone'],
+ notify => Service[$::apache::params::service_name],
require => File['/etc/keystone/ssl/certs'],
}
}
diff --git a/manifests/profile/base/neutron/dhcp.pp b/manifests/profile/base/neutron/dhcp.pp
index 534026e..180fd37 100644
--- a/manifests/profile/base/neutron/dhcp.pp
+++ b/manifests/profile/base/neutron/dhcp.pp
@@ -35,6 +35,14 @@ class tripleo::profile::base::neutron::dhcp (
include ::tripleo::profile::base::neutron
include ::neutron::agents::dhcp
+ file { '/etc/neutron/dnsmasq-neutron.conf':
+ content => $neutron_dnsmasq_options,
+ owner => 'neutron',
+ group => 'neutron',
+ notify => Service['neutron-dhcp-service'],
+ require => Package['neutron'],
+ }
+
Service<| title == 'neutron-server' |> -> Service <| title == 'neutron-dhcp' |>
}
}
diff --git a/manifests/profile/pacemaker/keystone.pp b/manifests/profile/pacemaker/keystone.pp
index cec0b8f..42c44d4 100644
--- a/manifests/profile/pacemaker/keystone.pp
+++ b/manifests/profile/pacemaker/keystone.pp
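Review bot: The resource writing `/etc/keystone/ssl/private/signing_key.pem` sets owner and group but no `mode`, so the private signing key is created with Puppet's default file mode and is presumably readable by every local user; add `mode => '0600',` to that resource (and an explicit `'0644'` on the two certificate resources so the intent is visible). All three resources take their content from hiera secrets, so `show_diff => false` on the key resource would also keep the key material out of reports and `--noop` diffs. Switching the `notify` to `Service[$::apache::params::service_name]` is consistent with keystone running under httpd, but the first resource's title and the class parameter list are above the hunk, so I could not confirm that nothing else still references `Service['keystone']`.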
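Review bot: The new file resource notifies `Service['neutron-dhcp-service']`, while the ordering line immediately below it collects `Service <| title == 'neutron-dhcp' |>`; unless `::neutron::agents::dhcp` declares both titles, either the notify fails catalog compilation on an unknown resource or the collector silently matches nothing. Use whichever title that module actually declares in both places, e.g. `Service<| title == 'neutron-server' |> -> Service <| title == 'neutron-dhcp-service' |>`. `$neutron_dnsmasq_options` is not declared anywhere in the visible part of the class (its parameter list is outside the hunk); if it is not a class parameter, strict variable checking will fail or the file will be written empty, so please confirm it is declared.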
@@ -50,7 +50,7 @@ class tripleo::profile::pacemaker::keystone (
$pacemaker_master = false
}
- if $step >= 6 and $pacemaker_master {
+ if $step >= 5 and $pacemaker_master {
$manage_roles = true
Pacemaker::Resource::Service[$::apache::params::service_name] -> Class['::keystone::roles::admin']
Pacemaker::Resource::Service[$::apache::params::service_name] -> Class['::keystone::endpoint']
@@ -72,6 +72,7 @@ class tripleo::profile::pacemaker::keystone (
second_resource => 'openstack-core-clone',
first_action => 'start',
second_action => 'start',
+ before => Pacemaker::Resource::Service[$::apache::params::service_name],
require => [Pacemaker::Resource::Service['haproxy'],
Pacemaker::Resource::Ocf['openstack-core']],
}
@@ -84,6 +85,7 @@ class tripleo::profile::pacemaker::keystone (
second_resource => 'openstack-core-clone',
first_action => 'start',
second_action => 'start',
+ before => Pacemaker::Resource::Service[$::apache::params::service_name],
require => [Pacemaker::Resource::Ocf['rabbitmq'],
Pacemaker::Resource::Ocf['openstack-core']],
}
diff --git a/manifests/selinux.pp b/manifests/selinux.pp
new file mode 100644
index 0000000..c5d13e2
--- /dev/null
+++ b/manifests/selinux.pp
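Review bot: Lowering the gate from `$step >= 6` to `$step >= 5` changes when the admin roles and endpoints are created, but nothing in the hunk records why; a comment above the condition such as `# Roles and endpoints are created at step 5, once the apache (keystone) pacemaker resource is up` would keep the step logic readable. The two added `before => Pacemaker::Resource::Service[$::apache::params::service_name]` edges look consistent with the `->` arrows in the first hunk, but they presumably only hold if that apache resource is declared in this class at the same step; the declaration is outside the hunk, so I could not confirm it.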
@@ -0,0 +1,96 @@
+#
+# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::selinux
+#
+# Helper class to configure SELinux on nodes
+#
+# === Parameters:
+#
+# [*mode*]
+# (optional) SELinux mode the system should be in
+# Defaults to 'enforcing'
+# Possible values : disabled, permissive, enforcing
+#
+# [*directory*]
+# (optional) Path where to find the SELinux modules
+# Defaults to '/usr/share/selinux'
+#
+# [*booleans*]
+# (optional) Set of booleans to persistently enables
+# SELinux booleans are the one getsebool -a returns
+# Defaults []
+# Example: ['rsync_full_access', 'haproxy_connect_any']
+#
+# [*modules*]
+# (optional) Set of modules to load on the system
+# Defaults []
+# Example: ['module1', 'module2']
+# Note: Those module should be in the $directory path
+#
+class tripleo::selinux (
+ $mode = 'enforcing',
+ $directory = '/usr/share/selinux/',
+ $booleans = [],
+ $modules = [],
+) {
+
+ if $::osfamily != 'RedHat' {
+ fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS")
+ }
+
+ Selboolean {
+ persistent => true,
+ value => 'on',
+ }
+
+ Selmodule {
+ ensure => present,
+ selmoduledir => $directory,
+ }
+
+ file { '/etc/selinux/config':
+ ensure => present,
+ mode => '0444',
+ content => template('tripleo/selinux/sysconfig_selinux.erb')
+ }
+
+ $current_mode = $::selinux?
{
+ false => 'disabled',
+ default => $::selinux_current_mode,
+ }
+
+ if $current_mode != $mode {
+ case $mode {
+ /^(disabled|permissive)$/: {
+ if $current_mode == 'enforcing' {
+ exec { '/sbin/setenforce 0': }
+ }
+ }
+ 'enforcing': {
+ exec { '/sbin/setenforce 1': }
+ }
+ default: {
+ fail('You must specify a mode (enforcing, permissive, or disabled)')
+ }
+ }
+ }
+
+ selboolean { $booleans :
+ persistent => true,
+ }
+ selmodule { $modules: }
+
+}
diff --git a/spec/classes/tripleo_selinux_spec.rb b/spec/classes/tripleo_selinux_spec.rb
new file mode 100644
index 0000000..301006b
--- /dev/null
+++ b/spec/classes/tripleo_selinux_spec.rb
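Review bot: The `'enforcing'` branch runs `exec { '/sbin/setenforce 1': }` whenever the current mode differs, including when `$::selinux` is false, i.e. the kernel booted with SELinux disabled; `setenforce` cannot turn SELinux on in that state, so the exec fails and every Puppet run on such a node errors out instead of converging on the new `/etc/selinux/config`. Guard the exec on `$::selinux` and, when SELinux is off in the running kernel, say so and schedule the relabel the usual way (touching `/.autorelabel` is the common RedHat practice, to be confirmed for your base image) so the node becomes enforcing after the next reboot. It is also worth a one-line comment on the `disabled|permissive` branch that `setenforce 0` only yields permissive until reboot, since `disabled` cannot be reached at runtime either. The `/etc/selinux/config` resource sets `mode` but not `owner`/`group`; adding `owner => 'root', group => 'root'` makes the boot-time policy file's ownership explicit.
```puppet
    'enforcing': {
      if $::selinux {
        exec { '/sbin/setenforce 1': }
      } else {
        # A kernel booted with SELinux disabled cannot be switched on at runtime;
        # the new /etc/selinux/config takes effect after a reboot (with a relabel).
        file { '/.autorelabel': ensure => present }
        notify { 'selinux-reboot-required':
          message => 'SELinux is disabled in the running kernel; reboot to reach enforcing mode',
        }
      }
    }
    # … unchanged: disabled|permissive and default branches …
```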
@@ -0,0 +1,106 @@
+# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo::selinux
+#
+
+require 'spec_helper'
+
+describe 'tripleo::selinux' do
+
+ shared_examples_for 'manage selinux' do
+
+ context 'with selinux enforcing' do
+ before :each do
+ facts.merge!( :selinux_current_mode => 'enforcing' )
+ end
+
+ let :params do
+ { :mode => 'disabled',
+ :booleans => ['foo', 'bar'],
+ :modules => ['module1', 'module2'],
+ :directory => '/path/to/modules'}
+ end
+
+ it 'runs setenforce 0' do
+ is_expected.to contain_exec('/sbin/setenforce 0')
+ end
+
+ it 'enables the SELinux boolean' do
+ is_expected.to contain_selboolean('foo').with(
+ :persistent => true,
+ :value => 'on',
+ )
+ end
+
+ it 'enables the SELinux modules' do
+ is_expected.to contain_selmodule('module1').with(
+ :ensure => 'present',
+ :selmoduledir => '/path/to/modules',
+ )
+ end
+
+ end
+
+ context 'with selinux disabled' do
+ before :each do
+ facts.merge!( :selinux => 'false' )
+ end
+
+ let :params do
+ { :mode => 'enforcing',
+ :booleans => ['foo', 'bar'],
+ :modules => ['module1', 'module2'],
+ :directory => '/path/to/modules'}
+ end
+
+ it 'runs setenforce 1' do
+ is_expected.to contain_exec('/sbin/setenforce 1')
+ end
+
+ it 'enables the SELinux boolean' do
+ is_expected.to contain_selboolean('foo').with(
+ :persistent => true,
+ :value => 'on',
+ )
+ end
+
+ it 'enables the SELinux modules' do
+ is_expected.to
contain_selmodule('module1').with(
+ :ensure => 'present',
+ :selmoduledir => '/path/to/modules',
+ )
+ end
+
+ end
+
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ it_raises 'a Puppet::Error', /OS family unsuppored yet \(Debian\), SELinux support is only limited to RedHat family OS/
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'manage selinux'
+ end
+
+end
diff --git a/templates/selinux/sysconfig_selinux.erb b/templates/selinux/sysconfig_selinux.erb
new file mode 100644
index 0000000..dfb1e53
--- /dev/null
+++ b/templates/selinux/sysconfig_selinux.erb
@@ -0,0 +1,11 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=<%= @mode %>
+# SELINUXTYPE= can take one of these two values:
+# targeted - Targeted processes are protected,
+# minimum - Modification of targeted policy. Only selected processes are protected.
+# mls - Multi Level Security protection.
+SELINUXTYPE=targeted |
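Review bot: The `with selinux disabled` context stubs the fact as the string `'false'` (`facts.merge!( :selinux => 'false' )`), not the boolean `false`; on Puppet 4 and later a non-empty string is truthy, so the class's `$::selinux ? { false => 'disabled', default => ... }` selector would take the `default` branch and `$current_mode` would be undef rather than `'disabled'` — `facts.merge!( :selinux => false )` is the accurate stub. That context also pins `is_expected.to contain_exec('/sbin/setenforce 1')`, which codifies a runtime failure, since `setenforce 1` cannot enable SELinux on a kernel booted with it disabled; if the class grows a guard for that case, this expectation should become `is_expected.not_to contain_exec('/sbin/setenforce 1')`. The enforcing-to-permissive path and the `fail` on an invalid `mode` are not covered at all; one `context 'with an invalid mode'` using `it_raises` would close the gap.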
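Review bot: The generated file's comment says `# SELINUXTYPE= can take one of these two values:` and then lists three (targeted, minimum, mls); change it to `three values` so the file Puppet writes is not self-contradictory. `SELINUXTYPE=targeted` is hard-coded while `SELINUX` comes from `@mode`, which is fine for this class, but a comment such as `# SELINUXTYPE is intentionally fixed; tripleo::selinux does not expose it` would make that a deliberate choice rather than an omission. The trailing `|` after `SELINUXTYPE=targeted` looks like a rendering artifact rather than file content; worth a glance at the actual file.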