summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/loadbalancer.pp20
-rw-r--r--manifests/profile/base/keystone.pp6
-rw-r--r--manifests/profile/base/neutron/dhcp.pp8
-rw-r--r--manifests/profile/pacemaker/keystone.pp4
-rw-r--r--manifests/selinux.pp96
-rw-r--r--spec/classes/tripleo_selinux_spec.rb106
-rw-r--r--templates/selinux/sysconfig_selinux.erb11
7 files changed, 227 insertions, 24 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 664590b..a13b151 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -175,10 +175,6 @@
# (optional) Enable or not Glance registry binding
# Defaults to false
#
-# [*nova_ec2*]
-# (optional) Enable or not Nova EC2 API binding
-# Defaults to false
-#
# [*nova_osapi*]
# (optional) Enable or not Nova API binding
# Defaults to false
@@ -284,8 +280,6 @@
# 'neutron_api_ssl_port' (Defaults to 13696)
# 'nova_api_port' (Defaults to 8774)
# 'nova_api_ssl_port' (Defaults to 13774)
-# 'nova_ec2_port' (Defaults to 8773)
-# 'nova_ec2_ssl_port' (Defaults to 13773)
# 'nova_metadata_port' (Defaults to 8775)
# 'nova_novnc_port' (Defaults to 6080)
# 'nova_novnc_ssl_port' (Defaults to 13080)
@@ -332,7 +326,6 @@ class tripleo::loadbalancer (
$manila = false,
$glance_api = false,
$glance_registry = false,
- $nova_ec2 = false,
$nova_osapi = false,
$nova_metadata = false,
$nova_novncproxy = false,
@@ -383,8 +376,6 @@ class tripleo::loadbalancer (
neutron_api_ssl_port => 13696,
nova_api_port => 8774,
nova_api_ssl_port => 13774,
- nova_ec2_port => 8773,
- nova_ec2_ssl_port => 13773,
nova_metadata_port => 8775,
nova_novnc_port => 6080,
nova_novnc_ssl_port => 13080,
@@ -717,17 +708,6 @@ class tripleo::loadbalancer (
}
$nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
- if $nova_ec2 {
- ::tripleo::loadbalancer::endpoint { 'nova_ec2':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => $nova_api_vip,
- service_port => $ports[nova_ec2_port],
- ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[nova_ec2_ssl_port],
- }
- }
-
if $nova_osapi {
::tripleo::loadbalancer::endpoint { 'nova_osapi':
public_virtual_ip => $public_virtual_ip,
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index f79adfd..a5060b8 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -84,21 +84,21 @@ class tripleo::profile::base::keystone (
content => hiera('keystone_signing_certificate'),
owner => 'keystone',
group => 'keystone',
- notify => Service['keystone'],
+ notify => Service[$::apache::params::service_name],
require => File['/etc/keystone/ssl/certs'],
}
file { '/etc/keystone/ssl/private/signing_key.pem':
content => hiera('keystone_signing_key'),
owner => 'keystone',
group => 'keystone',
- notify => Service['keystone'],
+ notify => Service[$::apache::params::service_name],
require => File['/etc/keystone/ssl/private'],
}
file { '/etc/keystone/ssl/certs/ca.pem':
content => hiera('keystone_ca_certificate'),
owner => 'keystone',
group => 'keystone',
- notify => Service['keystone'],
+ notify => Service[$::apache::params::service_name],
require => File['/etc/keystone/ssl/certs'],
}
}
diff --git a/manifests/profile/base/neutron/dhcp.pp b/manifests/profile/base/neutron/dhcp.pp
index 534026e..180fd37 100644
--- a/manifests/profile/base/neutron/dhcp.pp
+++ b/manifests/profile/base/neutron/dhcp.pp
@@ -35,6 +35,14 @@ class tripleo::profile::base::neutron::dhcp (
include ::tripleo::profile::base::neutron
include ::neutron::agents::dhcp
+ file { '/etc/neutron/dnsmasq-neutron.conf':
+ content => $neutron_dnsmasq_options,
+ owner => 'neutron',
+ group => 'neutron',
+ notify => Service['neutron-dhcp-service'],
+ require => Package['neutron'],
+ }
+
Service<| title == 'neutron-server' |> -> Service <| title == 'neutron-dhcp' |>
}
}
diff --git a/manifests/profile/pacemaker/keystone.pp b/manifests/profile/pacemaker/keystone.pp
index cec0b8f..42c44d4 100644
--- a/manifests/profile/pacemaker/keystone.pp
+++ b/manifests/profile/pacemaker/keystone.pp
@@ -50,7 +50,7 @@ class tripleo::profile::pacemaker::keystone (
$pacemaker_master = false
}
- if $step >= 6 and $pacemaker_master {
+ if $step >= 5 and $pacemaker_master {
$manage_roles = true
Pacemaker::Resource::Service[$::apache::params::service_name] -> Class['::keystone::roles::admin']
Pacemaker::Resource::Service[$::apache::params::service_name] -> Class['::keystone::endpoint']
@@ -72,6 +72,7 @@ class tripleo::profile::pacemaker::keystone (
second_resource => 'openstack-core-clone',
first_action => 'start',
second_action => 'start',
+ before => Pacemaker::Resource::Service[$::apache::params::service_name],
require => [Pacemaker::Resource::Service['haproxy'],
Pacemaker::Resource::Ocf['openstack-core']],
}
@@ -84,6 +85,7 @@ class tripleo::profile::pacemaker::keystone (
second_resource => 'openstack-core-clone',
first_action => 'start',
second_action => 'start',
+ before => Pacemaker::Resource::Service[$::apache::params::service_name],
require => [Pacemaker::Resource::Ocf['rabbitmq'],
Pacemaker::Resource::Ocf['openstack-core']],
}
diff --git a/manifests/selinux.pp b/manifests/selinux.pp
new file mode 100644
index 0000000..c5d13e2
--- /dev/null
+++ b/manifests/selinux.pp
@@ -0,0 +1,96 @@
+#
+# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::selinux
+#
+# Helper class to configure SELinux on nodes
+#
+# === Parameters:
+#
+# [*mode*]
+# (optional) SELinux mode the system should be in
+# Defaults to 'enforcing'
+# Possible values : disabled, permissive, enforcing
+#
+# [*directory*]
+# (optional) Path where to find the SELinux modules
+# Defaults to '/usr/share/selinux'
+#
+# [*booleans*]
+# (optional) Set of booleans to persistently enables
+# SELinux booleans are the one getsebool -a returns
+# Defaults []
+# Example: ['rsync_full_access', 'haproxy_connect_any']
+#
+# [*modules*]
+# (optional) Set of modules to load on the system
+# Defaults []
+# Example: ['module1', 'module2']
+# Note: Those module should be in the $directory path
+#
+class tripleo::selinux (
+ $mode = 'enforcing',
+ $directory = '/usr/share/selinux/',
+ $booleans = [],
+ $modules = [],
+) {
+
+ if $::osfamily != 'RedHat' {
+ fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS")
+ }
+
+ Selboolean {
+ persistent => true,
+ value => 'on',
+ }
+
+ Selmodule {
+ ensure => present,
+ selmoduledir => $directory,
+ }
+
+ file { '/etc/selinux/config':
+ ensure => present,
+ mode => '0444',
+ content => template('tripleo/selinux/sysconfig_selinux.erb')
+ }
+
+ $current_mode = $::selinux? {
+ false => 'disabled',
+ default => $::selinux_current_mode,
+ }
+
+ if $current_mode != $mode {
+ case $mode {
+ /^(disabled|permissive)$/: {
+ if $current_mode == 'enforcing' {
+ exec { '/sbin/setenforce 0': }
+ }
+ }
+ 'enforcing': {
+ exec { '/sbin/setenforce 1': }
+ }
+ default: {
+ fail('You must specify a mode (enforcing, permissive, or disabled)')
+ }
+ }
+ }
+
+ selboolean { $booleans :
+ persistent => true,
+ }
+ selmodule { $modules: }
+
+}
diff --git a/spec/classes/tripleo_selinux_spec.rb b/spec/classes/tripleo_selinux_spec.rb
new file mode 100644
index 0000000..301006b
--- /dev/null
+++ b/spec/classes/tripleo_selinux_spec.rb
@@ -0,0 +1,106 @@
+# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo::selinux
+#
+
+require 'spec_helper'
+
+describe 'tripleo::selinux' do
+
+ shared_examples_for 'manage selinux' do
+
+ context 'with selinux enforcing' do
+ before :each do
+ facts.merge!( :selinux_current_mode => 'enforcing' )
+ end
+
+ let :params do
+ { :mode => 'disabled',
+ :booleans => ['foo', 'bar'],
+ :modules => ['module1', 'module2'],
+ :directory => '/path/to/modules'}
+ end
+
+ it 'runs setenforce 0' do
+ is_expected.to contain_exec('/sbin/setenforce 0')
+ end
+
+ it 'enables the SELinux boolean' do
+ is_expected.to contain_selboolean('foo').with(
+ :persistent => true,
+ :value => 'on',
+ )
+ end
+
+ it 'enables the SELinux modules' do
+ is_expected.to contain_selmodule('module1').with(
+ :ensure => 'present',
+ :selmoduledir => '/path/to/modules',
+ )
+ end
+
+ end
+
+ context 'with selinux disabled' do
+ before :each do
+ facts.merge!( :selinux => 'false' )
+ end
+
+ let :params do
+ { :mode => 'enforcing',
+ :booleans => ['foo', 'bar'],
+ :modules => ['module1', 'module2'],
+ :directory => '/path/to/modules'}
+ end
+
+ it 'runs setenforce 1' do
+ is_expected.to contain_exec('/sbin/setenforce 1')
+ end
+
+ it 'enables the SELinux boolean' do
+ is_expected.to contain_selboolean('foo').with(
+ :persistent => true,
+ :value => 'on',
+ )
+ end
+
+ it 'enables the SELinux modules' do
+ is_expected.to contain_selmodule('module1').with(
+ :ensure => 'present',
+ :selmoduledir => '/path/to/modules',
+ )
+ end
+
+ end
+
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ it_raises 'a Puppet::Error', /OS family unsuppored yet \(Debian\), SELinux support is only limited to RedHat family OS/
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'manage selinux'
+ end
+
+end
diff --git a/templates/selinux/sysconfig_selinux.erb b/templates/selinux/sysconfig_selinux.erb
new file mode 100644
index 0000000..dfb1e53
--- /dev/null
+++ b/templates/selinux/sysconfig_selinux.erb
@@ -0,0 +1,11 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=<%= @mode %>
+# SELINUXTYPE= can take one of these two values:
+# targeted - Targeted processes are protected,
+# minimum - Modification of targeted policy. Only selected processes are protected.
+# mls - Multi Level Security protection.
+SELINUXTYPE=targeted