summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--lib/puppet/parser/functions/list_to_hash.rb31
-rw-r--r--manifests/firewall/rule.pp38
-rw-r--r--manifests/loadbalancer.pp2
-rw-r--r--manifests/loadbalancer/endpoint.pp16
-rw-r--r--manifests/profile/base/glance/api.pp68
-rw-r--r--manifests/profile/base/glance/registry.pp64
-rw-r--r--manifests/profile/pacemaker/glance.pp129
-rw-r--r--spec/classes/tripleo_firewall_spec.rb7
8 files changed, 324 insertions, 31 deletions
diff --git a/lib/puppet/parser/functions/list_to_hash.rb b/lib/puppet/parser/functions/list_to_hash.rb
new file mode 100644
index 0000000..c6449a9
--- /dev/null
+++ b/lib/puppet/parser/functions/list_to_hash.rb
@@ -0,0 +1,31 @@
+# This function is an hack because we are not enabling Puppet parser
+# that would allow us to manipulate data iterations directly in manifests.
+#
+# Example:
+# keystone_vips = ['192.168.0.1:5000', '192.168.0.2:5000']
+# $keystone_bind_opts = ['transparent']
+#
+# Using this function:
+# $keystone_vips_hash = list_to_hash($keystone_vips, $keystone_bind_opts)
+#
+# Would return:
+# $keystone_vips_hash = {
+# '192.168.0.1:5000' => ['transparent'],
+# '192.168.0.2:5000' => ['transparent'],
+# }
+#
+# Disclaimer: this function is an hack and will disappear once TripleO enable
+# Puppet parser.
+#
+
+module Puppet::Parser::Functions
+ newfunction(:list_to_hash, :type => :rvalue, :doc => <<-EOS
+ This function returns an hash from a specified array
+ EOS
+ ) do |argv|
+ arr1 = argv[0]
+ arr2 = argv[1]
+ h = arr1.each_with_object({}) { |v,h| h[v] = arr2 }
+ return h
+ end
+end
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 02afbc2..ca9c6d0 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -47,29 +47,35 @@
# (optional) The chain associated to the rule.
# Defaults to 'INPUT'
#
-# [*extras*]
+# [*destination*]
+# (optional) The destination cidr associated to the rule.
+# Defaults to undef
+#
+# [*extras*]
# (optional) Hash of any puppetlabs-firewall supported parameters.
# Defaults to {}
#
define tripleo::firewall::rule (
- $port = undef,
- $proto = 'tcp',
- $action = 'accept',
- $state = ['NEW'],
- $source = '0.0.0.0/0',
- $iniface = undef,
- $chain = 'INPUT',
- $extras = {},
+ $port = undef,
+ $proto = 'tcp',
+ $action = 'accept',
+ $state = ['NEW'],
+ $source = '0.0.0.0/0',
+ $iniface = undef,
+ $chain = 'INPUT',
+ $destination = undef,
+ $extras = {},
) {
$basic = {
- 'port' => $port,
- 'proto' => $proto,
- 'action' => $action,
- 'state' => $state,
- 'source' => $source,
- 'iniface' => $iniface,
- 'chain' => $chain,
+ 'port' => $port,
+ 'proto' => $proto,
+ 'action' => $action,
+ 'state' => $state,
+ 'source' => $source,
+ 'iniface' => $iniface,
+ 'chain' => $chain,
+ 'destination' => $destination,
}
$rule = merge($basic, $extras)
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 70ccbc1..664590b 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -558,8 +558,6 @@ class tripleo::loadbalancer (
"${redis_vip}:6379" => $haproxy_listen_bind_param,
}
- sysctl::value { 'net.ipv4.ip_nonlocal_bind': value => '1' }
-
class { '::haproxy':
service_manage => $haproxy_service_manage,
global_options => {
diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp
index e6bb185..f75f79a 100644
--- a/manifests/loadbalancer/endpoint.pp
+++ b/manifests/loadbalancer/endpoint.pp
@@ -88,13 +88,9 @@ define tripleo::loadbalancer::endpoint (
# service exposed to the public network
if $public_certificate {
- $public_bind_opts = {
- "${public_virtual_ip}:${public_ssl_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]),
- }
+ $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
- $public_bind_opts = {
- "${public_virtual_ip}:${service_port}" => $haproxy_listen_bind_param,
- }
+ $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
} else {
# internal service only
@@ -102,13 +98,9 @@ define tripleo::loadbalancer::endpoint (
}
if $internal_certificate {
- $internal_bind_opts = {
- "${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]),
- }
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
- $internal_bind_opts = {
- "${internal_ip}:${service_port}" => $haproxy_listen_bind_param,
- }
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
$bind_opts = merge($internal_bind_opts, $public_bind_opts)
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
new file mode 100644
index 0000000..22b4dc9
--- /dev/null
+++ b/manifests/profile/base/glance/api.pp
@@ -0,0 +1,68 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::glance::api
+#
+# Glance API profile for tripleo
+#
+# === Parameters
+#
+# [*manage_service*]
+# (Optional) Whether to manage the glance service
+# Defaults to undef
+#
+# [*enabled*]
+# (Optional) Whether to enable the glance service
+# Defaults to undef
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*glance_backend*]
+# (Optional) Glance backend(s) to use.
+# Defaults to downcase(hiera('glance_backend', 'swift'))
+#
+class tripleo::profile::base::glance::api (
+ $manage_service = undef,
+ $enabled = undef,
+ $step = hiera('step'),
+ $glance_backend = downcase(hiera('glance_backend', 'swift')),
+) {
+
+ if $step >= 4 {
+ case $glance_backend {
+ 'swift': { $backend_store = 'glance.store.swift.Store' }
+ 'file': { $backend_store = 'glance.store.filesystem.Store' }
+ 'rbd': { $backend_store = 'glance.store.rbd.Store' }
+ default: { fail('Unrecognized glance_backend parameter.') }
+ }
+ $http_store = ['glance.store.http.Store']
+ $glance_store = concat($http_store, $backend_store)
+
+ # TODO: notifications, scrubber, etc.
+ include ::glance
+ include ::glance::config
+ class { '::glance::api':
+ known_stores => $glance_store,
+ manage_service => $manage_service,
+ enabled => $enabled,
+ }
+ include ::glance::notify::rabbitmq
+ include join(['::glance::backend::', $glance_backend])
+ }
+
+}
+
diff --git a/manifests/profile/base/glance/registry.pp b/manifests/profile/base/glance/registry.pp
new file mode 100644
index 0000000..bed4a5e
--- /dev/null
+++ b/manifests/profile/base/glance/registry.pp
@@ -0,0 +1,64 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::glance::registry
+#
+# Glance Registry profile for tripleo
+#
+# === Parameters
+#
+# [*sync_db*]
+# (Optional) Whether to run db sync
+# Defaults to undef
+#
+# [*manage_service*]
+# (Optional) Whether to manage the glance service
+# Defaults to undef
+#
+# [*enabled*]
+# (Optional) Whether to enable the glance service
+# Defaults to undef
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*glance_backend*]
+# (Optional) Glance backend(s) to use.
+# Defaults to downcase(hiera('glance_backend', 'swift'))
+#
+class tripleo::profile::base::glance::registry (
+ $sync_db = undef,
+ $manage_service = undef,
+ $enabled = undef,
+ $step = hiera('step'),
+ $glance_backend = downcase(hiera('glance_backend', 'swift')),
+) {
+
+ if $step >= 4 {
+ # TODO: notifications, scrubber, etc.
+ include ::glance
+ include ::glance::config
+ class { '::glance::registry' :
+ sync_db => $sync_db,
+ manage_service => $manage_service,
+ enabled => $enabled,
+ }
+ include ::glance::notify::rabbitmq
+ include join(['::glance::backend::', $glance_backend])
+ }
+
+}
+
diff --git a/manifests/profile/pacemaker/glance.pp b/manifests/profile/pacemaker/glance.pp
new file mode 100644
index 0000000..5727622
--- /dev/null
+++ b/manifests/profile/pacemaker/glance.pp
@@ -0,0 +1,129 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::pacemaker::glance
+#
+# Glance Pacemaker HA profile for tripleo
+#
+# === Parameters
+#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*glance_backend*]
+# (Optional) Glance backend(s) to use.
+# Defaults to downcase(hiera('glance_backend', 'swift'))
+#
+# [*glance_file_pcmk_manage*]
+# (Optional) Whether or not manage glance_file_pcmk.
+# Defaults to hiera('glance_file_pcmk_manage', false)
+#
+# [*glance_file_pcmk_device*]
+# (Optional) Device to mount glance file backend.
+# Defaults to hiera('glance_file_pcmk_device', '')
+#
+# [*glance_file_pcmk_directory*]
+# (Optional) Directory to mount glance file backend.
+# Defaults to hiera('glance_file_pcmk_directory', '')
+#
+# [*glance_file_pcmk_fstype*]
+# (Optional) Filesystem type to mount glance file backend.
+# Defaults to hiera('glance_file_pcmk_fstype', '')
+#
+# [*glance_file_pcmk_options*]
+# (Optional) pcmk options to mount Glance file backend..
+# Defaults to hiera('glance_file_pcmk_options', '')
+#
+class tripleo::profile::pacemaker::glance (
+ $bootstrap_node = hiera('bootstrap_nodeid'),
+ $step = hiera('step'),
+ $glance_backend = downcase(hiera('glance_backend', 'swift')),
+ $glance_file_pcmk_manage = hiera('glance_file_pcmk_manage', false),
+ $glance_file_pcmk_device = hiera('glance_file_pcmk_device', ''),
+ $glance_file_pcmk_directory = hiera('glance_file_pcmk_directory', ''),
+ $glance_file_pcmk_fstype = hiera('glance_file_pcmk_fstype', ''),
+ $glance_file_pcmk_options = hiera('glance_file_pcmk_options', ''),
+) {
+
+ if $::hostname == downcase($bootstrap_node) {
+ $pacemaker_master = true
+ } else {
+ $pacemaker_master = false
+ }
+
+ if $step >= 4 {
+ class { '::tripleo::profile::base::glance::api':
+ manage_service => false,
+ enabled => false,
+ }
+ class { '::tripleo::profile::base::glance::registry':
+ sync_db => $pacemaker_master,
+ manage_service => false,
+ enabled => false,
+ }
+ if $glance_backend == 'file' and $glance_file_pcmk_manage {
+ $secontext = 'context="system_u:object_r:glance_var_lib_t:s0"'
+ pacemaker::resource::filesystem { 'glance-fs':
+ device => $glance_file_pcmk_device,
+ directory => $glance_file_pcmk_directory,
+ fstype => $glance_file_pcmk_fstype,
+ fsoptions => join([$secontext, $glance_file_pcmk_options],','),
+ clone_params => '',
+ }
+ }
+ }
+
+ if $step >= 5 and $pacemaker_master {
+ pacemaker::resource::service { $::glance::params::registry_service_name :
+ clone_params => 'interleave=true',
+ require => Pacemaker::Resource::Ocf['openstack-core'],
+ }
+ pacemaker::resource::service { $::glance::params::api_service_name :
+ clone_params => 'interleave=true',
+ }
+
+ pacemaker::constraint::base { 'keystone-then-glance-registry-constraint':
+ constraint_type => 'order',
+ first_resource => 'openstack-core-clone',
+ second_resource => "${::glance::params::registry_service_name}-clone",
+ first_action => 'start',
+ second_action => 'start',
+ require => [Pacemaker::Resource::Service[$::glance::params::registry_service_name],
+ Pacemaker::Resource::Ocf['openstack-core']],
+ }
+ pacemaker::constraint::base { 'glance-registry-then-glance-api-constraint':
+ constraint_type => 'order',
+ first_resource => "${::glance::params::registry_service_name}-clone",
+ second_resource => "${::glance::params::api_service_name}-clone",
+ first_action => 'start',
+ second_action => 'start',
+ require => [Pacemaker::Resource::Service[$::glance::params::registry_service_name],
+ Pacemaker::Resource::Service[$::glance::params::api_service_name]],
+ }
+ pacemaker::constraint::colocation { 'glance-api-with-glance-registry-colocation':
+ source => "${::glance::params::api_service_name}-clone",
+ target => "${::glance::params::registry_service_name}-clone",
+ score => 'INFINITY',
+ require => [Pacemaker::Resource::Service[$::glance::params::registry_service_name],
+ Pacemaker::Resource::Service[$::glance::params::api_service_name]],
+ }
+ }
+
+}
diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb
index 7d1d1ec..aa5d1d7 100644
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@@ -73,7 +73,8 @@ describe 'tripleo::firewall' do
:manage_firewall => true,
:firewall_rules => {
'300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
- '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}
+ '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
+ '302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'}
}
)
end
@@ -90,6 +91,10 @@ describe 'tripleo::firewall' do
:action => 'accept',
:state => ['NEW'],
)
+ is_expected.to contain_firewall('302 fwd custom cidr 1').with(
+ :chain => 'FORWARD',
+ :destination => '192.0.2.0/24',
+ )
end
end