diff options
96 files changed, 2388 insertions, 1007 deletions
diff --git a/lib/puppet/parser/functions/netmask_to_cidr.rb b/lib/puppet/parser/functions/netmask_to_cidr.rb new file mode 100644 index 0000000..68ee4cf --- /dev/null +++ b/lib/puppet/parser/functions/netmask_to_cidr.rb @@ -0,0 +1,14 @@ +# Custom function to transform netmask from IP notation to +# CIDR format. Input is an IP address, output a CIDR: +# 255.255.255.0 = 24 +# The CIDR formated netmask is needed for some +# Contrail configuration files +require 'ipaddr' +module Puppet::Parser::Functions + newfunction(:netmask_to_cidr, :type => :rvalue) do |args| + if args[0].class != String + raise Puppet::ParseError, "Syntax error: #{args[0]} must be a String" + end + IPAddr.new(args[0]).to_i.to_s(2).count("1") + end +end diff --git a/lib/puppet/provider/sriov_vf_config/numvfs.rb b/lib/puppet/provider/sriov_vf_config/numvfs.rb index cfa663c..22acf21 100644 --- a/lib/puppet/provider/sriov_vf_config/numvfs.rb +++ b/lib/puppet/provider/sriov_vf_config/numvfs.rb @@ -12,7 +12,7 @@ Puppet::Type.type(:sriov_vf_config).provide(:numvfs) do if File.file?(sriov_numvfs_path) _set_numvfs else - fail("#{sriov_numvfs_path} doesn't exist. Check if #{sriov_get_interface} is a valid network interface supporting SR-IOV") + warning("#{sriov_numvfs_path} doesn't exist. Check if #{sriov_get_interface} is a valid network interface supporting SR-IOV") end end diff --git a/manifests/certmonger/ca/crl.pp b/manifests/certmonger/ca/crl.pp index 59a3681..2454460 100644 --- a/manifests/certmonger/ca/crl.pp +++ b/manifests/certmonger/ca/crl.pp @@ -49,7 +49,7 @@ # (optional) Defaults to '0'. # # [*hour*] -# (optional) Defaults to '1'. +# (optional) Defaults to '*/2'. # # [*monthday*] # (optional) Defaults to '*'. @@ -78,10 +78,10 @@ class tripleo::certmonger::ca::crl ( $crl_preprocessed = '/etc/pki/CA/crl/overcloud-crl.bin', $crl_preprocessed_format = 'DER', $minute = '0', - $hour = '1', + $hour = '*/2', $monthday = '*', $month = '*', - $weekday = '6', + $weekday = '*', $maxdelay = 0, $reload_cmds = [], ) { diff --git a/manifests/certmonger/ca/local.pp b/manifests/certmonger/ca/local.pp index b7b7328..78dc09a 100644 --- a/manifests/certmonger/ca/local.pp +++ b/manifests/certmonger/ca/local.pp @@ -34,6 +34,6 @@ class tripleo::certmonger::ca::local( creates => $ca_pem, tries => 5, try_sleep => 1, - require => Service['certmonger'], } + Service['certmonger'] ~> Exec<| title == 'extract-and-trust-ca' |> } diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp index dd9b184..0988c55 100644 --- a/manifests/certmonger/mysql.pp +++ b/manifests/certmonger/mysql.pp @@ -31,6 +31,12 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*dnsnames*] +# (Optional) The DNS names that will be added for the SubjectAltNames entry +# in the certificate. If left unset, the value will be set to the $hostname. +# This parameter can take both a string or an array of strings. +# Defaults to $hostname +# # [*principal*] # (Optional) The haproxy service principal that is set for MySQL in kerberos. # Defaults to undef @@ -40,6 +46,7 @@ class tripleo::certmonger::mysql ( $service_certificate, $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), + $dnsnames = $hostname, $principal = undef, ) { include ::certmonger @@ -51,7 +58,7 @@ class tripleo::certmonger::mysql ( certfile => $service_certificate, keyfile => $service_key, hostname => $hostname, - dnsname => $hostname, + dnsname => $dnsnames, principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 6da6dcf..924699b 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -155,6 +155,10 @@ # When set, enables SSL on the haproxy stats endpoint using the specified file. # Defaults to undef # +# [*haproxy_stats*] +# (optional) Enable or not the haproxy stats interface +# Defaults to true +# # [*keystone_admin*] # (optional) Enable or not Keystone Admin API binding # Defaults to hiera('keystone_enabled', false) @@ -279,6 +283,10 @@ # (optional) Enable check via clustercheck for mysql # Defaults to false # +# [*mysql_max_conn*] +# (optional) Set the maxconn parameter for mysql +# Defaults to undef +# # [*mysql_member_options*] # The options to use for the mysql HAProxy balancer members. # If this parameter is undefined, the actual value configured will depend @@ -571,6 +579,7 @@ class tripleo::haproxy ( $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt', $crl_file = undef, $haproxy_stats_certificate = undef, + $haproxy_stats = true, $keystone_admin = hiera('keystone_enabled', false), $keystone_public = hiera('keystone_enabled', false), $neutron = hiera('neutron_api_enabled', false), @@ -602,6 +611,7 @@ class tripleo::haproxy ( $ironic_inspector = hiera('ironic_inspector_enabled', false), $mysql = hiera('mysql_enabled', false), $mysql_clustercheck = false, + $mysql_max_conn = undef, $mysql_member_options = undef, $rabbitmq = false, $etcd = hiera('etcd_enabled', false), @@ -668,6 +678,8 @@ class tripleo::haproxy ( contrail_discovery_ssl_port => 15998, contrail_analytics_port => 8090, contrail_analytics_ssl_port => 18090, + contrail_analytics_rest_port => 8081, + contrail_analytics_ssl_rest_port => 18081, contrail_webui_http_port => 8080, contrail_webui_https_port => 8143, docker_registry_port => 8787, @@ -871,19 +883,21 @@ class tripleo::haproxy ( listen_options => $default_listen_options, } - $stats_base = ['enable', 'uri /'] - if $haproxy_stats_password { - $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) - } else { - $stats_config = $stats_base - } - haproxy::listen { 'haproxy.stats': - bind => $haproxy_stats_bind_opts, - mode => 'http', - options => { - 'stats' => $stats_config, - }, - collect_exported => false, + if $haproxy_stats { + $stats_base = ['enable', 'uri /'] + if $haproxy_stats_password { + $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) + } else { + $stats_config = $stats_base + } + haproxy::listen { 'haproxy.stats': + bind => $haproxy_stats_bind_opts, + mode => 'http', + options => { + 'stats' => $stats_config, + }, + collect_exported => false, + } } if $keystone_admin { @@ -1036,7 +1050,7 @@ class tripleo::haproxy ( mode => 'http', public_ssl_port => $ports[nova_api_ssl_port], service_network => $nova_osapi_network, - #member_options => union($haproxy_member_options, $internal_tls_member_options), + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1314,6 +1328,7 @@ class tripleo::haproxy ( 'timeout server' => '90m', 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', + 'maxconn' => $mysql_max_conn } if $mysql_member_options { $mysql_member_options_real = $mysql_member_options @@ -1324,6 +1339,7 @@ class tripleo::haproxy ( $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', + 'maxconn' => $mysql_max_conn } if $mysql_member_options { $mysql_member_options_real = $mysql_member_options @@ -1575,7 +1591,7 @@ class tripleo::haproxy ( if $contrail_config { ::tripleo::haproxy::endpoint { 'contrail_config': public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('contrail_config_vip', $controller_virtual_ip), + internal_ip => hiera('contrail_config_vip', hiera('internal_api_virtual_ip')), service_port => $ports[contrail_config_port], ip_addresses => hiera('contrail_config_node_ips'), server_names => hiera('contrail_config_node_ips'), @@ -1583,7 +1599,7 @@ class tripleo::haproxy ( } ::tripleo::haproxy::endpoint { 'contrail_discovery': public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('contrail_config_vip', $controller_virtual_ip), + internal_ip => hiera('contrail_config_vip', hiera('internal_api_virtual_ip')), service_port => $ports[contrail_discovery_port], ip_addresses => hiera('contrail_config_node_ips'), server_names => hiera('contrail_config_node_ips'), @@ -1593,17 +1609,25 @@ class tripleo::haproxy ( if $contrail_analytics { ::tripleo::haproxy::endpoint { 'contrail_analytics': public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('contrail_analytics_vip', $controller_virtual_ip), + internal_ip => hiera('contrail_analytics_vip', hiera('internal_api_virtual_ip')), service_port => $ports[contrail_analytics_port], ip_addresses => hiera('contrail_config_node_ips'), server_names => hiera('contrail_config_node_ips'), public_ssl_port => $ports[contrail_analytics_ssl_port], } + ::tripleo::haproxy::endpoint { 'contrail_analytics_rest': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('contrail_analytics_vip', hiera('internal_api_virtual_ip')), + service_port => $ports[contrail_analytics_rest_port], + ip_addresses => hiera('contrail_analytics_node_ips', $::contrail_analytics_node_ips), + server_names => hiera('contrail_analytics_node_ips', $::contrail_analytics_node_ips), + public_ssl_port => $ports[contrail_analytics_ssl_rest_port], + } } if $contrail_webui { ::tripleo::haproxy::endpoint { 'contrail_webui_http': public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('contrail_webui_vip', $controller_virtual_ip), + internal_ip => hiera('contrail_webui_vip', hiera('internal_api_virtual_ip')), service_port => $ports[contrail_webui_http_port], ip_addresses => hiera('contrail_config_node_ips'), server_names => hiera('contrail_config_node_ips'), @@ -1611,7 +1635,7 @@ class tripleo::haproxy ( } ::tripleo::haproxy::endpoint { 'contrail_webui_https': public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('contrail_webui_vip', $controller_virtual_ip), + internal_ip => hiera('contrail_webui_vip', hiera('internal_api_virtual_ip')), service_port => $ports[contrail_webui_https_port], ip_addresses => hiera('contrail_config_node_ips'), server_names => hiera('contrail_config_node_ips'), diff --git a/manifests/host/sriov.pp b/manifests/host/sriov.pp index b94c472..c06796d 100644 --- a/manifests/host/sriov.pp +++ b/manifests/host/sriov.pp @@ -16,7 +16,7 @@ class tripleo::host::sriov ( ) { if !empty($number_of_vfs) { - sriov_vf_config { $number_of_vfs: ensure => present } + sriov_vf_config { $number_of_vfs: } # the numvfs configuration needs to be persisted for every boot tripleo::host::sriov::numvfs_persistence {'persistent_numvfs': diff --git a/manifests/network/contrail/analytics.pp b/manifests/network/contrail/analytics.pp index 296fa19..6cfb60e 100644 --- a/manifests/network/contrail/analytics.pp +++ b/manifests/network/contrail/analytics.pp @@ -46,7 +46,7 @@ # [*api_server*] # (optional) IP address of api server # String value. -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) # # [*api_port*] # (optional) port of api server @@ -68,11 +68,6 @@ # Integer value. # Defaults to hiera('contrail::auth_port') # -# [*auth_port_ssl*] -# (optional) keystone ssl port. -# Integer value. -# Defaults to hiera('contrail::auth_port_ssl') -# # [*auth_protocol*] # (optional) authentication protocol. # String value. @@ -106,7 +101,7 @@ # [*disc_server_ip*] # (optional) IPv4 address of discovery server. # String (IPv4) value. -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail::disc_server_ip') # # [*disc_server_port*] # (optional) port Discovery server listens on. @@ -133,10 +128,10 @@ # String (IPv4) value + port # Defaults to hiera('contrail::memcached_server') # -# [*public_vip*] +# [*internal_vip*] # (optional) Public virtual IP address # String (IPv4) value -# Defaults to hiera('public_virtual_ip') +# Defaults to hiera('internal_api_virtual_ip') # # [*rabbit_server*] # (optional) IPv4 addresses of rabbit server. @@ -194,26 +189,25 @@ class tripleo::network::contrail::analytics( $admin_tenant_name = hiera('contrail::admin_tenant_name'), $admin_token = hiera('contrail::admin_token'), $admin_user = hiera('contrail::admin_user'), - $api_server = hiera('contrail_config_vip'), + $api_server = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $api_port = hiera('contrail::api_port'), $auth_host = hiera('contrail::auth_host'), $auth_port = hiera('contrail::auth_port'), $auth_protocol = hiera('contrail::auth_protocol'), - $auth_port_ssl = hiera('contrail::auth_port_ssl'), $analytics_aaa_mode = hiera('contrail::analytics_aaa_mode'), $cassandra_server_list = hiera('contrail_analytics_database_node_ips'), $ca_file = hiera('contrail::service_certificate',false), $cert_file = hiera('contrail::service_certificate',false), $collector_http_server_port = hiera('contrail::analytics::collector_http_server_port'), $collector_sandesh_port = hiera('contrail::analytics::collector_sandesh_port'), - $disc_server_ip = hiera('contrail_config_vip'), + $disc_server_ip = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $disc_server_port = hiera('contrail::disc_server_port'), $http_server_port = hiera('contrail::analytics::http_server_port'), $host_ip = hiera('contrail::analytics::host_ip'), $insecure = hiera('contrail::insecure'), $kafka_broker_list = hiera('contrail_analytics_database_node_ips'), $memcached_servers = hiera('contrail::memcached_server'), - $public_vip = hiera('public_virtual_ip'), + $internal_vip = hiera('internal_api_virtual_ip'), $rabbit_server = hiera('rabbitmq_node_ips'), $rabbit_user = hiera('contrail::rabbit_user'), $rabbit_password = hiera('contrail::rabbit_password'), @@ -227,7 +221,7 @@ class tripleo::network::contrail::analytics( { $cassandra_server_list_9042 = join([join($cassandra_server_list, ':9042 '),':9042'],'') $kafka_broker_list_9092 = join([join($kafka_broker_list, ':9092 '),':9092'],'') - $rabbit_server_list_5672 = join([join($rabbit_server, ":${rabbit_port},"),":${rabbit_port}"],'') + $rabbit_server_list_5672 = join([join($rabbit_server, ':5672,'),':5672'],'') $redis_config = "bind ${host_ip} 127.0.0.1" $zk_server_ip_2181 = join([join($zk_server_ip, ':2181 '),':2181'],'') $zk_server_ip_2181_comma = join([join($zk_server_ip, ':2181,'),':2181'],'') @@ -238,7 +232,7 @@ class tripleo::network::contrail::analytics( 'admin_tenant_name' => $admin_tenant_name, 'admin_user' => $admin_user, 'auth_host' => $auth_host, - 'auth_port' => $auth_port_ssl, + 'auth_port' => $auth_port, 'auth_protocol' => $auth_protocol, 'insecure' => $insecure, 'certfile' => $cert_file, @@ -246,8 +240,8 @@ class tripleo::network::contrail::analytics( } $vnc_api_lib_config = { 'auth' => { - 'AUTHN_SERVER' => $public_vip, - 'AUTHN_PORT' => $auth_port_ssl, + 'AUTHN_SERVER' => $auth_host, + 'AUTHN_PORT' => $auth_port, 'AUTHN_PROTOCOL' => $auth_protocol, 'certfile' => $cert_file, 'cafile' => $ca_file, @@ -265,7 +259,7 @@ class tripleo::network::contrail::analytics( } $vnc_api_lib_config = { 'auth' => { - 'AUTHN_SERVER' => $public_vip, + 'AUTHN_SERVER' => $auth_host, }, } } @@ -354,6 +348,7 @@ class tripleo::network::contrail::analytics( 'disc_server_ip' => $disc_server_ip, 'disc_server_port' => $disc_server_port, }, + 'KEYSTONE' => $keystone_config, }, redis_config => $redis_config, topology_config => { @@ -380,7 +375,7 @@ class tripleo::network::contrail::analytics( keystone_admin_user => $admin_user, keystone_admin_password => $admin_password, keystone_admin_tenant_name => $admin_tenant_name, - openstack_vip => $public_vip, + openstack_vip => $auth_host, } } } diff --git a/manifests/network/contrail/analyticsdatabase.pp b/manifests/network/contrail/analyticsdatabase.pp index cf3016a..1cffaf2 100644 --- a/manifests/network/contrail/analyticsdatabase.pp +++ b/manifests/network/contrail/analyticsdatabase.pp @@ -24,10 +24,10 @@ # String (IPv4) value # Defaults to hiera('contrail::auth_host') # -# [*auth_port_ssl*] -# (optional) keystone ssl port. +# [*auth_port*] +# (optional) keystone port. # Integer value. -# Defaults to hiera('contrail::auth_port_ssl') +# Defaults to hiera('contrail::auth_port') # # [*auth_protocol*] # (optional) authentication protocol. @@ -37,7 +37,7 @@ # [*api_server*] # (optional) IPv4 VIP of Contrail Config API # String (IPv4) value -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) # # [*api_port*] # (optional) Port of Contrail Config API @@ -82,7 +82,7 @@ # [*disc_server_ip*] # (optional) IPv4 VIP of Contrail Discovery # String (IPv4) value -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) # # [*disc_server_port*] # (optional) port Discovery server listens on. @@ -104,10 +104,10 @@ # List value # Defaults to hiera('contrail_analytics_database_short_node_names', '') # -# [*public_vip*] +# [*internal_vip*] # (optional) Public VIP # String (IPv4) value -# Defaults to hiera('public_virtual_ip') +# Defaults to hiera('internal_api_virtual_ip') # # [*step*] # (optional) step in the stack @@ -122,31 +122,31 @@ class tripleo::network::contrail::analyticsdatabase( $step = Integer(hiera('step')), $auth_host = hiera('contrail::auth_host'), - $api_server = hiera('contrail_config_vip'), + $api_server = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $api_port = hiera('contrail::api_port'), $admin_password = hiera('contrail::admin_password'), $admin_tenant_name = hiera('contrail::admin_tenant_name'), $admin_token = hiera('contrail::admin_token'), $admin_user = hiera('contrail::admin_user'), - $auth_port_ssl = hiera('contrail::auth_port_ssl'), $auth_protocol = hiera('contrail::auth_protocol'), + $auth_port = hiera('contrail::auth_port'), $cassandra_servers = hiera('contrail_analytics_database_node_ips'), $ca_file = hiera('contrail::service_certificate',false), $cert_file = hiera('contrail::service_certificate',false), - $disc_server_ip = hiera('contrail_config_vip'), + $disc_server_ip = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $disc_server_port = hiera('contrail::disc_server_port'), $host_ip = hiera('contrail::analytics::database::host_ip'), $host_name = $::hostname, $kafka_hostnames = hiera('contrail_analytics_database_short_node_names', ''), - $public_vip = hiera('public_virtual_ip'), + $internal_vip = hiera('internal_api_virtual_ip'), $zookeeper_server_ips = hiera('contrail_database_node_ips'), ) { if $auth_protocol == 'https' { $vnc_api_lib_config = { 'auth' => { - 'AUTHN_SERVER' => $public_vip, - 'AUTHN_PORT' => $auth_port_ssl, + 'AUTHN_SERVER' => $auth_host, + 'AUTHN_PORT' => $auth_port, 'AUTHN_PROTOCOL' => $auth_protocol, 'certfile' => $cert_file, 'cafile' => $ca_file, @@ -155,7 +155,7 @@ class tripleo::network::contrail::analyticsdatabase( } else { $vnc_api_lib_config = { 'auth' => { - 'AUTHN_SERVER' => $public_vip, + 'AUTHN_SERVER' => $auth_host, }, } } @@ -196,7 +196,7 @@ class tripleo::network::contrail::analyticsdatabase( keystone_admin_user => $admin_user, keystone_admin_password => $admin_password, keystone_admin_tenant_name => $admin_tenant_name, - openstack_vip => $public_vip, + openstack_vip => $auth_host, } } } diff --git a/manifests/network/contrail/config.pp b/manifests/network/contrail/config.pp index 3fc4fd8..2cd1613 100644 --- a/manifests/network/contrail/config.pp +++ b/manifests/network/contrail/config.pp @@ -48,7 +48,7 @@ # [*api_server*] # (optional) VIP of Config API # String (IPv4) value. -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) # # [*api_port*] # (optional) Port of Config API @@ -68,11 +68,6 @@ # (optional) keystone port. # Defaults to hiera('contrail::auth_port') # -# [*auth_port_ssl*] -# (optional) keystone ssl port. -# Integer value. -# Defaults to hiera('contrail::auth_port_ssl') -# # [*auth_protocol*] # (optional) authentication protocol. # Defaults to hiera('contrail::auth_protocol') @@ -105,7 +100,7 @@ # [*disc_server_ip*] # (optional) IPv4 address of discovery server. # String (IPv4) value. -# Defaults to hiera('contrail_config_vip'), +# Defaults to hiera('contrail::disc_server_ip') # # [*disc_server_port*] # (optional) port of discovery server @@ -175,10 +170,10 @@ # String (IPv4) value + port # Defaults to hiera('contrail::memcached_server') # -# [*public_vip*] +# [*internal_vip*] # (optional) Public virtual ip # String value. -# Defaults to hiera('public_virtual_ip') +# Defaults to hiera('internal_api_virtual_ip') # # [*step*] # (optional) Step stack is in @@ -222,19 +217,18 @@ class tripleo::network::contrail::config( $admin_tenant_name = hiera('contrail::admin_tenant_name'), $admin_token = hiera('contrail::admin_token'), $admin_user = hiera('contrail::admin_user'), - $api_server = hiera('contrail_config_vip'), + $api_server = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $api_port = hiera('contrail::api_port'), $auth = hiera('contrail::auth'), $auth_host = hiera('contrail::auth_host'), $auth_port = hiera('contrail::auth_port'), - $auth_port_ssl = hiera('contrail::auth_port_ssl'), $auth_protocol = hiera('contrail::auth_protocol'), $cassandra_server_list = hiera('contrail_database_node_ips'), $ca_file = hiera('contrail::service_certificate',false), $cert_file = hiera('contrail::service_certificate',false), $config_hostnames = hiera('contrail_config_short_node_names'), $control_server_list = hiera('contrail_control_node_ips'), - $disc_server_ip = hiera('contrail_config_vip'), + $disc_server_ip = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $disc_server_port = hiera('contrail::disc_server_port'), $host_ip = hiera('contrail::config::host_ip'), $ifmap_password = hiera('contrail::config::ifmap_password'), @@ -248,7 +242,7 @@ class tripleo::network::contrail::config( $linklocal_service_name = 'metadata', $linklocal_service_ip = '169.254.169.254', $memcached_servers = hiera('contrail::memcached_server'), - $public_vip = hiera('public_virtual_ip'), + $internal_vip = hiera('internal_api_virtual_ip'), $rabbit_server = hiera('rabbitmq_node_ips'), $rabbit_user = hiera('contrail::rabbit_user'), $rabbit_password = hiera('contrail::rabbit_password'), @@ -275,7 +269,7 @@ class tripleo::network::contrail::config( 'admin_token' => $admin_token, 'admin_user' => $admin_user, 'auth_host' => $auth_host, - 'auth_port' => $auth_port_ssl, + 'auth_port' => $auth_port, 'auth_protocol' => $auth_protocol, 'insecure' => $insecure, 'memcached_servers' => $memcached_servers, @@ -285,8 +279,8 @@ class tripleo::network::contrail::config( } $vnc_api_lib_config = { 'auth' => { - 'AUTHN_SERVER' => $public_vip, - 'AUTHN_PORT' => $auth_port_ssl, + 'AUTHN_SERVER' => $auth_host, + 'AUTHN_PORT' => $auth_port, 'AUTHN_PROTOCOL' => $auth_protocol, 'certfile' => $cert_file, 'cafile' => $ca_file, @@ -308,7 +302,7 @@ class tripleo::network::contrail::config( } $vnc_api_lib_config = { 'auth' => { - 'AUTHN_SERVER' => $public_vip, + 'AUTHN_SERVER' => $auth_host, }, } } @@ -341,6 +335,8 @@ class tripleo::network::contrail::config( }, device_manager_config => { 'DEFAULTS' => { + 'api_server_ip' => $api_server, + 'api_server_port' => $api_port, 'cassandra_server_list' => $cassandra_server_list_9160, 'disc_server_ip' => $disc_server_ip, 'disc_server_port' => $disc_server_port, @@ -360,6 +356,8 @@ class tripleo::network::contrail::config( keystone_config => $keystone_config, schema_config => { 'DEFAULTS' => { + 'api_server_ip' => $api_server, + 'api_server_port' => $api_port, 'cassandra_server_list' => $cassandra_server_list_9160, 'disc_server_ip' => $disc_server_ip, 'disc_server_port' => $disc_server_port, @@ -375,6 +373,8 @@ class tripleo::network::contrail::config( }, svc_monitor_config => { 'DEFAULTS' => { + 'api_server_ip' => $api_server, + 'api_server_port' => $api_port, 'cassandra_server_list' => $cassandra_server_list_9160, 'disc_server_ip' => $disc_server_ip, 'disc_server_port' => $disc_server_port, @@ -400,7 +400,7 @@ class tripleo::network::contrail::config( keystone_admin_user => $admin_user, keystone_admin_password => $admin_password, keystone_admin_tenant_name => $admin_tenant_name, - openstack_vip => $public_vip, + openstack_vip => $auth_host, } if $config_hostnames[0] == $::hostname { class {'::contrail::config::provision_linklocal': diff --git a/manifests/network/contrail/control.pp b/manifests/network/contrail/control.pp index 530d607..bad533e 100644 --- a/manifests/network/contrail/control.pp +++ b/manifests/network/contrail/control.pp @@ -29,6 +29,11 @@ # String value. # Defaults to hiera('contrail::admin_tenant_name'), # +# [*admin_token*] +# (optional) admin token +# String value. +# Defaults to hiera('contrail::admin_token'), +# # [*admin_user*] # (optional) admin user name. # String value. @@ -37,7 +42,7 @@ # [*api_server*] # (optional) IP address of api server # String value. -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) # # [*api_port*] # (optional) port of api server @@ -60,7 +65,7 @@ # [*disc_server_ip*] # (optional) IPv4 address of discovery server. # String (IPv4) value. -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail::disc_server_ip'), # # [*disc_server_port*] # (optional) port Discovery server listens on. @@ -96,10 +101,15 @@ # String (IPv4) value + port # Defaults to hiera('contrail::memcached_servers'), # -# [*public_vip*] +# [*manage_named*] +# (optional) switch for managing named +# String +# Defaults to hiera('contrail::manage_named'), +# +# [*internal_vip*] # (optional) Public Virtual IP address # String (IPv4) value -# Defaults to hiera('public_virtual_ip') +# Defaults to hiera('internal_api_virtual_ip') # # [*router_asn*] # (optional) Autonomus System Number @@ -120,13 +130,14 @@ class tripleo::network::contrail::control( $step = Integer(hiera('step')), $admin_password = hiera('contrail::admin_password'), $admin_tenant_name = hiera('contrail::admin_tenant_name'), + $admin_token = hiera('contrail::admin_token'), $admin_user = hiera('contrail::admin_user'), - $api_server = hiera('contrail_config_vip'), + $api_server = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $api_port = hiera('contrail::api_port'), $auth_host = hiera('contrail::auth_host'), $auth_port = hiera('contrail::auth_port'), $auth_protocol = hiera('contrail::auth_protocol'), - $disc_server_ip = hiera('contrail_config_vip'), + $disc_server_ip = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $disc_server_port = hiera('contrail::disc_server_port'), $host_ip = hiera('contrail::control::host_ip'), $ibgp_auto_mesh = true, @@ -134,9 +145,10 @@ class tripleo::network::contrail::control( $ifmap_username = hiera('contrail::control::host_ip'), $insecure = hiera('contrail::insecure'), $memcached_servers = hiera('contrail::memcached_server'), - $public_vip = hiera('public_virtual_ip'), + $internal_vip = hiera('internal_api_virtual_ip'), $router_asn = hiera('contrail::control::asn'), $secret = hiera('contrail::control::rndc_secret'), + $manage_named = hiera('contrail::control::manage_named'), ) { $control_ifmap_user = "${ifmap_username}.control" @@ -147,6 +159,7 @@ class tripleo::network::contrail::control( if $step >= 3 { class {'::contrail::control': secret => $secret, + manage_named => $manage_named, control_config => { 'DEFAULT' => { 'hostip' => $host_ip, diff --git a/manifests/network/contrail/database.pp b/manifests/network/contrail/database.pp index 3d6b40b..35ac9cd 100644 --- a/manifests/network/contrail/database.pp +++ b/manifests/network/contrail/database.pp @@ -39,16 +39,16 @@ # String value. # Defaults to hiera('contrail::admin_user') # +# [*api_server*] +# (optional) VIP of Config API +# String (IPv4) value. +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) +# # [*api_port*] # (optional) Port of Config API # String value. # Defaults to hiera('contrail::api_port') # -# [*api_server*] -# (optional) VIP of Config API -# String (IPv4) value. -# Defaults to hiera('contrail_config_vip') -# # [*auth_host*] # (optional) keystone server ip address # String (IPv4) value. @@ -62,7 +62,7 @@ # [*disc_server_ip*] # (optional) IPv4 address of discovery server. # String (IPv4) value. -# Defaults to hiera('contrail_config_vip'), +# Defaults to hiera('contrail::disc_server_ip') # # [*disc_server_port*] # (optional) port Discovery server listens on. @@ -78,10 +78,10 @@ # String value. # Defaults to $::hostname # -# [*public_vip*] +# [*internal_vip*] # (optional) Public virtual ip # String value. -# Defaults to hiera('public_virtual_ip') +# Defaults to hiera('internal_api_virtual_ip') # # [*step*] # (optional) Step stack is in @@ -108,15 +108,15 @@ class tripleo::network::contrail::database( $admin_tenant_name = hiera('contrail::admin_tenant_name'), $admin_token = hiera('contrail::admin_token'), $admin_user = hiera('contrail::admin_user'), + $api_server = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $api_port = hiera('contrail::api_port'), - $api_server = hiera('contrail_config_vip'), $auth_host = hiera('contrail::auth_host'), $cassandra_servers = hiera('contrail_database_node_ips'), - $disc_server_ip = hiera('contrail_config_vip'), + $disc_server_ip = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $disc_server_port = hiera('contrail::disc_server_port'), $host_ip = hiera('contrail::database::host_ip'), $host_name = $::hostname, - $public_vip = hiera('public_virtual_ip'), + $internal_vip = hiera('internal_api_virtual_ip'), $step = Integer(hiera('step')), $zookeeper_client_ip = hiera('contrail::database::host_ip'), $zookeeper_hostnames = hiera('contrail_database_short_node_names'), @@ -160,7 +160,7 @@ class tripleo::network::contrail::database( keystone_admin_user => $admin_user, keystone_admin_password => $admin_password, keystone_admin_tenant_name => $admin_tenant_name, - openstack_vip => $public_vip, + openstack_vip => $auth_host, } } } diff --git a/manifests/network/contrail/heat.pp b/manifests/network/contrail/heat.pp index 4ef2a31..cc4b5ec 100644 --- a/manifests/network/contrail/heat.pp +++ b/manifests/network/contrail/heat.pp @@ -24,21 +24,31 @@ # String value. # Defaults to hiera('contrail::admin_password') # +# [*admin_tenant_name*] +# (optional) admin tenant name. +# String value. +# Defaults to hiera('contrail::admin_tenant_name') +# +# [*admin_token*] +# (optional) admin token +# String value. +# Defaults to hiera('contrail::admin_token') +# # [*admin_user*] # (optional) admin user name. # String value. # Defaults to hiera('contrail::admin_user') # +# [*api_server*] +# (optional) IP address of api server +# String value. +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) +# # [*api_port*] # (optional) port of api server # String value. # Defaults to hiera('contrail::api_port') # -# [*api_server*] -# (optional) IP address of api server -# String value. -# Defaults to hiera('contrail_config_vip') -# # [*auth_host*] # (optional) keystone server ip address # String (IPv4) value. @@ -56,14 +66,16 @@ # class tripleo::network::contrail::heat( $admin_password = hiera('contrail::admin_password'), + $admin_token = hiera('contrail::admin_token'), $admin_user = hiera('contrail::admin_user'), + $api_server = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $api_port = 8082, - $api_server = hiera('contrail_config_vip'), $auth_host = hiera('contrail::auth_host'), $step = Integer(hiera('step')), $use_ssl = 'False', ) { + class {'::contrail::heat': heat_config => { 'clients_contrail' => { diff --git a/manifests/network/contrail/neutron_plugin.pp b/manifests/network/contrail/neutron_plugin.pp index d9aa587..52cdc62 100644 --- a/manifests/network/contrail/neutron_plugin.pp +++ b/manifests/network/contrail/neutron_plugin.pp @@ -22,16 +22,16 @@ # String value. # Defaults to hiera('contrail::admin_user') # +# [*api_server*] +# (optional) IP address of api server +# String value. +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) +# # [*api_port*] # (optional) port of api server # String value. # Defaults to hiera('contrail::api_port') # -# [*api_server*] -# (optional) IP address of api server -# String value. -# Defaults to hiera('contrail_config_vip') -# # [*auth_host*] # (optional) keystone server ip address # String (IPv4) value. @@ -42,11 +42,6 @@ # Integer value. # Defaults to hiera('contrail::auth_port') # -# [*auth_port_ssl*] -# (optional) keystone ssl port. -# Integer value. -# Defaults to hiera('contrail::auth_port_ssl') -# # [*auth_protocol*] # (optional) authentication protocol. # String value. @@ -62,6 +57,14 @@ # String value. # Defaults to hiera('contrail::service_certificate',false) # +# [*api_server_ip*] +# IP address of the API Server +# Defaults to $::os_service_default +# +# [*api_server_port*] +# Port of the API Server. +# Defaults to $::os_service_default +# # [*contrail_extensions*] # Array of OpenContrail extensions to be supported # Defaults to $::os_service_default @@ -71,6 +74,26 @@ # contrail_extensions => ['ipam:neutron_plugin_contrail.plugins.opencontrail.contrail_plugin_ipam.NeutronPluginContrailIpam'] # } # +# [*keystone_auth_url*] +# Url of the keystone auth server +# Defaults to $::os_service_default +# +# [*keystone_admin_user*] +# Admin user name +# Defaults to $::os_service_default +# +# [*keystone_admin_tenant_name*] +# Admin_tenant_name +# Defaults to $::os_service_default +# +# [*keystone_admin_password*] +# Admin password +# Defaults to $::os_service_default +# +# [*keystone_admin_token*] +# Admin token +# Defaults to $::os_service_default +# # [*package_ensure*] # (optional) Ensure state for package. # Defaults to 'present'. @@ -81,21 +104,20 @@ # Defaults to false. # class tripleo::network::contrail::neutron_plugin ( - $admin_password = hiera('contrail::admin_password'), - $admin_tenant_name = hiera('contrail::admin_tenant_name'), - $admin_token = hiera('contrail::admin_token'), - $admin_user = hiera('contrail::admin_user'), - $api_port = hiera('contrail::api_port'), - $api_server = hiera('contrail_config_vip'), - $auth_host = hiera('contrail::auth_host'), - $auth_port = hiera('contrail::auth_port'), - $auth_port_ssl = hiera('contrail::auth_port_ssl'), - $auth_protocol = hiera('contrail::auth_protocol'), - $ca_file = hiera('tripleo::haproxy::service_certificate',false), - $cert_file = hiera('tripleo::haproxy::service_certificate',false), - $contrail_extensions = hiera('contrail::vrouter::contrail_extensions'), - $package_ensure = 'present', - $purge_config = false, + $contrail_extensions = hiera('contrail::vrouter::contrail_extensions'), + $admin_password = hiera('contrail::admin_password'), + $admin_tenant_name = hiera('contrail::admin_tenant_name'), + $admin_token = hiera('contrail::admin_token'), + $admin_user = hiera('contrail::admin_user'), + $api_server = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), + $api_port = hiera('contrail::api_port'), + $auth_host = hiera('contrail::auth_host'), + $auth_port = hiera('contrail::auth_port'), + $auth_protocol = hiera('contrail::auth_protocol'), + $ca_file = hiera('tripleo::haproxy::service_certificate',false), + $cert_file = hiera('tripleo::haproxy::service_certificate',false), + $purge_config = false, + $package_ensure = 'present', ) { include ::neutron::deps @@ -159,8 +181,8 @@ class tripleo::network::contrail::neutron_plugin ( command => '/usr/sbin/usermod -a -G haproxy neutron', } + $auth_url = join([$auth_protocol,'://',$auth_host,':',$auth_port,'/v2.0']) if $auth_protocol == 'https' { - $auth_url = join([$auth_protocol,'://',$auth_host,':',$auth_port_ssl,'/v2.0']) neutron_plugin_opencontrail { 'APISERVER/api_server_ip': value => $api_server; 'APISERVER/api_server_port': value => $api_port; @@ -177,12 +199,11 @@ class tripleo::network::contrail::neutron_plugin ( 'keystone_authtoken/admin_password': value => $admin_password, secret =>true; 'keystone_authtoken/auth_host': value => $auth_host; 'keystone_authtoken/auth_protocol': value => $auth_protocol; - 'keystone_authtoken/auth_port': value => $auth_port_ssl; + 'keystone_authtoken/auth_port': value => $auth_port; 'keystone_authtoken/cafile': value => $ca_file; 'keystone_authtoken/certfile': value => $cert_file; } } else { - $auth_url = join([$auth_protocol,'://',$auth_host,':',$auth_port,'/v2.0']) neutron_plugin_opencontrail { 'APISERVER/api_server_ip': value => $api_server; 'APISERVER/api_server_port': value => $api_port; diff --git a/manifests/network/contrail/provision.pp b/manifests/network/contrail/provision.pp index 742c4a2..393e3b1 100644 --- a/manifests/network/contrail/provision.pp +++ b/manifests/network/contrail/provision.pp @@ -19,6 +19,10 @@ # # == Parameters: # +# [*host_ip*] +# (required) host IP address of Control +# String (IPv4) value. +# # [*admin_password*] # (optional) admin password # String value. @@ -42,7 +46,7 @@ # [*api_server*] # (optional) IP address of api server # String value. -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) # # [*auth_host*] # (optional) keystone server ip address diff --git a/manifests/network/contrail/vrouter.pp b/manifests/network/contrail/vrouter.pp index 678a77d..37c7a7b 100644 --- a/manifests/network/contrail/vrouter.pp +++ b/manifests/network/contrail/vrouter.pp @@ -45,7 +45,7 @@ # [*api_server*] # (optional) IP address of api server # String value. -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) # # [*api_port*] # (optional) port of api server @@ -62,11 +62,6 @@ # Integer value. # Defaults to hiera('contrail::auth_port') # -# [*auth_port_ssl*] -# (optional) keystone ssl port. -# Integer value. -# Defaults to hiera('contrail::auth_port_ssl') -# # [*auth_protocol*] # (optional) authentication protocol. # String value. @@ -90,7 +85,7 @@ # [*disc_server_ip*] # (optional) IPv4 address of discovery server. # String (IPv4) value. -# Defaults to hiera('contrail_config_vip'), +# Defaults to hiera('contrail::disc_server_ip') # # [*disc_server_port*] # (optional) port Discovery server listens on. @@ -132,16 +127,21 @@ # String value. # Defaults to hiera('contrail::vrouter::physical_interface') # -# [*public_vip*] +# [*internal_vip*] # (optional) Public VIP to Keystone # String (IPv4) value. -# Defaults to hiera('public_virtual_ip') +# Defaults to hiera('internal_api_virtual_ip') # # [*is_tsn*] # (optional) Turns vrouter into TSN # String value. # Defaults to hiera('contrail::vrouter::is_tsn',false) # +# [*is_dpdk*] +# (optional) Turns vrouter into DPDK Compute Node +# String value. +# Defaults to hiera('contrail::vrouter::is_dpdk',false) +# class tripleo::network::contrail::vrouter ( $step = Integer(hiera('step')), $admin_password = hiera('contrail::admin_password'), @@ -149,15 +149,14 @@ class tripleo::network::contrail::vrouter ( $admin_token = hiera('contrail::admin_token'), $admin_user = hiera('contrail::admin_user'), $api_port = hiera('contrail::api_port'), - $api_server = hiera('contrail_config_vip'), + $api_server = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $auth_host = hiera('contrail::auth_host'), $auth_port = hiera('contrail::auth_port'), - $auth_port_ssl = hiera('contrail::auth_port_ssl'), $auth_protocol = hiera('contrail::auth_protocol'), $ca_file = hiera('contrail::service_certificate',false), $cert_file = hiera('contrail::service_certificate',false), - $control_server = hiera('contrail_control_node_ips'), - $disc_server_ip = hiera('contrail_config_vip'), + $control_server = hiera('contrail::vrouter::control_node_ips'), + $disc_server_ip = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $disc_server_port = hiera('contrail::disc_server_port'), $gateway = hiera('contrail::vrouter::gateway'), $host_ip = hiera('contrail::vrouter::host_ip'), @@ -166,18 +165,23 @@ class tripleo::network::contrail::vrouter ( $metadata_secret = hiera('contrail::vrouter::metadata_proxy_shared_secret'), $netmask = hiera('contrail::vrouter::netmask'), $physical_interface = hiera('contrail::vrouter::physical_interface'), - $public_vip = hiera('public_virtual_ip'), + $internal_vip = hiera('internal_api_virtual_ip'), $is_tsn = hiera('contrail::vrouter::is_tsn',false), + $is_dpdk = hiera('contrail::vrouter::is_dpdk',false), ) { $cidr = netmask_to_cidr($netmask) notify { 'cidr': message => $cidr, } - $macaddress = inline_template("<%= scope.lookupvar('::macaddress_${physical_interface}') -%>") #include ::contrail::vrouter # NOTE: it's not possible to use this class without a functional # contrail controller up and running - $control_server_list = join($control_server, ' ') + if size($control_server) == 0 { + #$control_server_list = join(hiera('contrail_control_node_ips'), ' ') + $control_server_list = '' + } else { + $control_server_list = join($control_server, ' ') + } if $auth_protocol == 'https' { $keystone_config = { 'KEYSTONE' => { @@ -186,7 +190,7 @@ class tripleo::network::contrail::vrouter ( 'admin_token' => $admin_token, 'admin_user' => $admin_user, 'auth_host' => $auth_host, - 'auth_port' => $auth_port_ssl, + 'auth_port' => $auth_port, 'auth_protocol' => $auth_protocol, 'insecure' => $insecure, 'memcached_servers' => $memcached_servers, @@ -196,8 +200,8 @@ class tripleo::network::contrail::vrouter ( } $vnc_api_lib_config = { 'auth' => { - 'AUTHN_SERVER' => $public_vip, - 'AUTHN_PORT' => $auth_port_ssl, + 'AUTHN_SERVER' => $auth_host, + 'AUTHN_PORT' => $auth_port, 'AUTHN_PROTOCOL' => $auth_protocol, 'certfile' => $cert_file, 'cafile' => $ca_file, @@ -219,18 +223,59 @@ class tripleo::network::contrail::vrouter ( } $vnc_api_lib_config = { 'auth' => { - 'AUTHN_SERVER' => $public_vip, + 'AUTHN_SERVER' => $auth_host, }, } } if $is_tsn { + $macaddress = inline_template("<%= scope.lookupvar('::macaddress_${physical_interface}') -%>") $vrouter_agent_config = { - 'DEBUG' => { + 'DEFAULT' => { 'agent_mode' => 'tsn', }, + 'DNS' => { + 'server' => $control_server_list, + }, + 'CONTROL-NODE' => { + 'server' => $control_server_list, + }, + 'NETWORKS' => { + 'control_network_ip' => $host_ip, + }, + 'VIRTUAL-HOST-INTERFACE' => { + 'compute_node_address' => $host_ip, + 'gateway' => $gateway, + 'ip' => "${host_ip}/${cidr}", + 'name' => 'vhost0', + 'physical_interface' => $physical_interface, + }, + 'METADATA' => { + 'metadata_proxy_secret' => $metadata_secret, + }, + 'DISCOVERY' => { + 'server' => $disc_server_ip, + 'port' => $disc_server_port, + }, + } + } elsif $is_dpdk { + $pciaddress = generate('/bin/cat','/etc/contrail/dpdk_pci') + $macaddress = generate('/bin/cat','/etc/contrail/dpdk_mac') + $vrouter_agent_config = { + 'DEFAULT' => { + 'platform' => 'dpdk', + 'physical_uio_driver' => 'uio_pci_generic', + 'physical_interface_mac' => $macaddress, + 'physical_interface_address' => $pciaddress, + }, + 'DNS' => { + 'server' => $control_server_list, + }, 'CONTROL-NODE' => { 'server' => $control_server_list, }, + 'NETWORKS' => { + 'control_network_ip' => $host_ip, + }, 'VIRTUAL-HOST-INTERFACE' => { 'compute_node_address' => $host_ip, 'gateway' => $gateway, @@ -247,10 +292,17 @@ class tripleo::network::contrail::vrouter ( }, } } else { + $macaddress = inline_template("<%= scope.lookupvar('::macaddress_${physical_interface}') -%>") $vrouter_agent_config = { + 'DNS' => { + 'server' => $control_server_list, + }, 'CONTROL-NODE' => { 'server' => $control_server_list, }, + 'NETWORKS' => { + 'control_network_ip' => $host_ip, + }, 'VIRTUAL-HOST-INTERFACE' => { 'compute_node_address' => $host_ip, 'gateway' => $gateway, @@ -272,6 +324,7 @@ class tripleo::network::contrail::vrouter ( gateway => $gateway, host_ip => $host_ip, is_tsn => $is_tsn, + is_dpdk => $is_dpdk, macaddr => $macaddress, mask => $cidr, netmask => $netmask, @@ -297,6 +350,7 @@ class tripleo::network::contrail::vrouter ( keystone_admin_password => $admin_password, keystone_admin_tenant_name => $admin_tenant_name, is_tsn => $is_tsn, + is_dpdk => $is_dpdk, } } } diff --git a/manifests/network/contrail/webui.pp b/manifests/network/contrail/webui.pp index b621811..f0b1af6 100644 --- a/manifests/network/contrail/webui.pp +++ b/manifests/network/contrail/webui.pp @@ -49,16 +49,6 @@ # Integer value. # Defaults to hiera('contrail::auth_port_public') # -# [*auth_port_ssl*] -# (optional) keystone ssl port. -# Integer value. -# Defaults to hiera('contrail::auth_port_ssl') -# -# [*auth_port_ssl_public*] -# (optional) keystone public ssl port. -# Integer value. -# Defaults to hiera('contrail::auth_port_ssl_public') -# # [*auth_protocol*] # (optional) authentication protocol. # String value. @@ -77,12 +67,12 @@ # [*contrail_analytics_vip*] # (optional) VIP of Contrail Analytics # String (IPv4) value. -# Defaults to hiera('contrail_analytics_vip') +# Defaults to hiera('contrail_analytics_vip',hiera('internal_api_virtual_ip')) # # [*contrail_config_vip*] # (optional) VIP of Contrail Config # String (IPv4) value. -# Defaults to hiera('contrail_config_vip') +# Defaults to hiera('contrail_config_vip',hiera('internal_api_virtual_ip')) # # [*contrail_webui_http_port*] # (optional) Webui HTTP Port @@ -97,7 +87,7 @@ # [*neutron_vip*] # (optional) VIP of Neutron # String (IPv4) value. -# Defaults to hiera('neutron_api_vip') +# Defaults to hiera('internal_api_virtual_ip') # # [*redis_ip*] # (optional) IP of Redis @@ -109,31 +99,25 @@ class tripleo::network::contrail::webui( $admin_tenant_name = hiera('contrail::admin_tenant_name'), $admin_token = hiera('contrail::admin_token'), $admin_user = hiera('contrail::admin_user'), - $auth_host = hiera('contrail::auth_host'), + $auth_host = hiera('internal_api_virtual_ip'), $auth_protocol = hiera('contrail::auth_protocol'), $auth_port_public = hiera('contrail::auth_port_public'), - $auth_port_ssl_public = hiera('contrail::auth_port_ssl_public'), $cassandra_server_list = hiera('contrail_database_node_ips'), - $cert_file = hiera('contrail::cert_file'), - $contrail_analytics_vip = hiera('contrail_analytics_vip'), - $contrail_config_vip = hiera('contrail_config_vip'), + $cert_file = hiera('contrail::service_certificate',false), + $contrail_analytics_vip = hiera('contrail_analytics_vip',hiera('internal_api_virtual_ip')), + $contrail_config_vip = hiera('contrail_config_vip',hiera('internal_api_virtual_ip')), $contrail_webui_http_port = hiera('contrail::webui::http_port'), $contrail_webui_https_port = hiera('contrail::webui::https_port'), - $neutron_vip = hiera('neutron_api_vip'), + $neutron_vip = hiera('internal_api_virtual_ip'), $redis_ip = hiera('contrail::webui::redis_ip'), ) { - if $auth_protocol == 'https' { - $auth_port = $auth_port_ssl_public - } else { - $auth_port = $auth_port_public - } class {'::contrail::webui': admin_user => $admin_user, admin_password => $admin_password, admin_token => $admin_token, admin_tenant_name => $admin_tenant_name, - auth_port => $auth_port, + auth_port => $auth_port_public, auth_protocol => $auth_protocol, cassandra_ip => $cassandra_server_list, cert_file => $cert_file, diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 300c0ca..d6ec32b 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -23,6 +23,10 @@ # This is set by t-h-t. # Defaults to hiera('aodh_api_network', undef) # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -47,10 +51,16 @@ class tripleo::profile::base::aodh::api ( $aodh_network = hiera('aodh_api_network', undef), + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } include ::tripleo::profile::base::aodh @@ -66,7 +76,7 @@ class tripleo::profile::base::aodh::api ( } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::aodh::api include ::apache::mod::ssl class { '::aodh::wsgi::apache': diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 6a30a40..11c1da3 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -23,6 +23,10 @@ # This is set by t-h-t. # Defaults to hiera('ceilometer_api_network', undef) # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -45,11 +49,18 @@ # Defaults to hiera('step') # class tripleo::profile::base::ceilometer::api ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $ceilometer_network = hiera('ceilometer_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + include ::tripleo::profile::base::ceilometer if $enable_internal_tls { @@ -63,7 +74,7 @@ class tripleo::profile::base::ceilometer::api ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::ceilometer::api include ::apache::mod::ssl class { '::ceilometer::wsgi::apache': diff --git a/manifests/profile/base/ceilometer/upgrade.pp b/manifests/profile/base/ceilometer/upgrade.pp index f192b48..0031b79 100644 --- a/manifests/profile/base/ceilometer/upgrade.pp +++ b/manifests/profile/base/ceilometer/upgrade.pp @@ -42,8 +42,16 @@ class tripleo::profile::base::ceilometer::upgrade ( # are created safely. if $step >= 5 and $sync_db { exec {'ceilometer-db-upgrade': - command => 'ceilometer-upgrade --skip-metering-database', - path => ['/usr/bin', '/usr/sbin'], + command => 'ceilometer-upgrade --skip-metering-database', + path => ['/usr/bin', '/usr/sbin'], + # LP#1703444 - When this runs, it talks to gnocchi on all controllers + # which then reaches out to keystone via haproxy. Since the deployment + # may restart httpd on these other nodes it can result in an intermittent + # 503 which fails this command. We should retry the upgrade in case of + # error since we cannot ensure that there might not be some other deploy + # process running on the other nodes. + try_sleep => 5, + tries => 10 } } } diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 3581540..bdfdd17 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -20,11 +20,11 @@ # # [*cinder_enable_pure_backend*] # (Optional) Whether to enable the pure backend -# Defaults to true +# Defaults to false # # [*cinder_enable_dellsc_backend*] # (Optional) Whether to enable the delsc backend -# Defaults to true +# Defaults to false # # [*cinder_enable_hpelefthand_backend*] # (Optional) Whether to enable the hpelefthand backend @@ -32,7 +32,7 @@ # # [*cinder_enable_dellps_backend*] # (Optional) Whether to enable the dellps backend -# Defaults to true +# Defaults to false # # [*cinder_enable_iscsi_backend*] # (Optional) Whether to enable the iscsi backend @@ -40,19 +40,23 @@ # # [*cinder_enable_netapp_backend*] # (Optional) Whether to enable the netapp backend -# Defaults to true +# Defaults to false # # [*cinder_enable_nfs_backend*] # (Optional) Whether to enable the nfs backend -# Defaults to true +# Defaults to false # # [*cinder_enable_rbd_backend*] # (Optional) Whether to enable the rbd backend -# Defaults to true +# Defaults to false # # [*cinder_enable_scaleio_backend*] # (Optional) Whether to enable the scaleio backend -# Defaults to true +# Defaults to false +# +#[*cinder_enable_vrts_hs_backend*] +# (Optional) Whether to enable the Veritas HyperScale backend +# Defaults to false # # [*cinder_user_enabled_backends*] # (Optional) List of additional backend stanzas to activate @@ -73,6 +77,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_enable_nfs_backend = false, $cinder_enable_rbd_backend = false, $cinder_enable_scaleio_backend = false, + $cinder_enable_vrts_hs_backend = false, $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), $step = Integer(hiera('step')), ) { @@ -144,6 +149,13 @@ class tripleo::profile::base::cinder::volume ( $cinder_scaleio_backend_name = undef } + if $cinder_enable_vrts_hs_backend { + include ::tripleo::profile::base::cinder::volume::veritas_hyperscale + $cinder_veritas_hyperscale_backend_name = 'Veritas_HyperScale' + } else { + $cinder_veritas_hyperscale_backend_name = undef + } + $backends = delete_undef_values([$cinder_iscsi_backend_name, $cinder_rbd_backend_name, $cinder_pure_backend_name, @@ -153,6 +165,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_netapp_backend_name, $cinder_nfs_backend_name, $cinder_scaleio_backend_name, + $cinder_veritas_hyperscale_backend_name, $cinder_user_enabled_backends]) # NOTE(aschultz): during testing it was found that puppet 3 may incorrectly # include a "" in the previous array which is not removed by the diff --git a/manifests/profile/base/cinder/volume/veritas_hyperscale.pp b/manifests/profile/base/cinder/volume/veritas_hyperscale.pp new file mode 100644 index 0000000..4516d01 --- /dev/null +++ b/manifests/profile/base/cinder/volume/veritas_hyperscale.pp @@ -0,0 +1,44 @@ +# Copyright (c) 2017 Veritas Technologies LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::veritas_hyperscale +# +# Cinder Volume Veritas HyperScale profile for tripleo +# +# === Parameters +# +# [*backend_name*] +# (Optional) The name of Veritas HyperScale cinder backend. +# Currently the backend name is hard-coded in the driver, and it won't +# function if other value is set in hiera. +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::veritas_hyperscale ( + # Note: Currently the backend name is hard-coded in the driver, and it won't + # function if other value is set in hiera. + $backend_name = hiera('cinder::backend::veritas_hyperscale::volume_backend_name', 'Veritas_HyperScale'), + $step = Integer(hiera('step')), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::veritas_hyperscale { $backend_name : + } + } + +} diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 8eb6079..3bf41cf 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -95,6 +95,9 @@ class tripleo::profile::base::database::mysql ( if $enable_internal_tls { $tls_certfile = $certificate_specs['service_certificate'] $tls_keyfile = $certificate_specs['service_key'] + + # Force users/grants created to use TLS connections + Openstacklib::Db::Mysql <||> { tls_options => ['SSL'] } } else { $tls_certfile = undef $tls_keyfile = undef @@ -217,6 +220,13 @@ class tripleo::profile::base::database::mysql ( if hiera('ec2_api_enabled', false) { include ::ec2api::db::mysql } + if hiera('zaqar_enabled', false) and hiera('zaqar::db::mysql::user', '') == 'zaqar' { + # NOTE: by default zaqar uses mongodb + include ::zaqar::db::mysql + } + if hiera('veritas_hyperscale_controller_enabled', false) { + include ::veritas_hyperscale::db::mysql + } } } diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp index 1e55f05..68d524b 100644 --- a/manifests/profile/base/database/mysql/client.pp +++ b/manifests/profile/base/database/mysql/client.pp @@ -53,13 +53,6 @@ class tripleo::profile::base::database::mysql::client ( $step = Integer(hiera('step')), ) { if $step >= 1 { - # If the folder /etc/my.cnf.d does not exist (e.g. if mariadb is not - # present in the base image but installed as a package afterwards), - # create it. We do not want to touch the permissions in case it already - # exists due to the mariadb server package being pre-installed - # Note: We use exec instead of file in the case that the mysql class is - # included on this node as well (we'd get duplicate declaration in such a - # situation when using file) if $mysql_client_bind_address { $client_bind_changes = [ "set ${mysql_read_default_group}/bind-address '${mysql_client_bind_address}'" @@ -85,15 +78,37 @@ class tripleo::profile::base::database::mysql::client ( $conf_changes = union($client_bind_changes, $changes_ssl) # Create /etc/my.cnf.d/tripleo.cnf - exec { 'directory-create-etc-my.cnf.d': - command => 'mkdir -p /etc/my.cnf.d', - unless => 'test -d /etc/my.cnf.d', - path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], - } -> + # If the folder /etc/my.cnf.d does not exist (e.g. if mariadb is not + # present in the base image but installed as a package afterwards), + # create it. We do not want to touch the permissions in case it already + # exists due to the mariadb server package being pre-installed + if $::uuid == 'docker' { + # When generating configuration with docker-puppet, services do + # not include any profile that would ensure creation of /etc/my.cnf.d, + # so we enforce the check here. + file {'/etc/my.cnf.d': + ensure => 'directory' + } + } else { + # Otherwise, depending on the role, puppet may run this profile + # concurrently with the mysql profile, so we use an exec resource + # in order to avoid getting duplicate declaration errors + exec { 'directory-create-etc-my.cnf.d': + command => 'mkdir -p /etc/my.cnf.d', + unless => 'test -d /etc/my.cnf.d', + path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], + before => Augeas['tripleo-mysql-client-conf'] + } + } + augeas { 'tripleo-mysql-client-conf': incl => $mysql_read_default_file, lens => 'Puppet.lns', changes => $conf_changes, } + + # If a profile created a file resource for the parent directory, + # ensure it is being run before the config file generation + File<| title == '/etc/my.cnf.d' |> -> Augeas['tripleo-mysql-client-conf'] } } diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index 28a2764..2c9824a 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -19,14 +19,10 @@ # # === Parameters # -# [*docker_namespace*] -# The namespace to be used when setting INSECURE_REGISTRY -# this will be split on "/" to derive the docker registry -# (defaults to undef) -# -# [*insecure_registry*] -# Set docker_namespace to INSECURE_REGISTRY, used when a local registry -# is enabled (defaults to false) +# [*insecure_registry_address*] +# The host/port combiniation of the insecure registry. This is used to configure +# /etc/sysconfig/docker so that a local (insecure) registry can be accessed. +# Example: 127.0.0.1:8787 (defaults to unset) # # [*registry_mirror*] # Configure a registry-mirror in the /etc/docker/daemon.json file. @@ -59,9 +55,19 @@ # List of TripleO services enabled on the role. # Defaults to hiera('services_names') # +# DEPRECATED PARAMETERS +# +# [*docker_namespace*] +# DEPRECATED: The namespace to be used when setting INSECURE_REGISTRY +# this will be split on "/" to derive the docker registry +# (defaults to undef) +# +# [*insecure_registry*] +# DEPRECATED: Set docker_namespace to INSECURE_REGISTRY, used when a local registry +# is enabled (defaults to false) +# class tripleo::profile::base::docker ( - $docker_namespace = undef, - $insecure_registry = false, + $insecure_registry_address = undef, $registry_mirror = false, $docker_options = '--log-driver=journald --signature-verification=false', $configure_storage = true, @@ -69,7 +75,10 @@ class tripleo::profile::base::docker ( $step = Integer(hiera('step')), $configure_libvirt_polkit = undef, $docker_nova_uid = 42436, - $services_enabled = hiera('service_names', []) + $services_enabled = hiera('service_names', []), + # DEPRECATED PARAMETERS + $docker_namespace = undef, + $insecure_registry = false, ) { if $configure_libvirt_polkit == undef { @@ -89,22 +98,37 @@ class tripleo::profile::base::docker ( require => Package['docker'], } + if $docker_options { + $options_changes = [ "set OPTIONS '\"${docker_options}\"'" ] + } else { + $options_changes = [ 'rm OPTIONS' ] + } + + augeas { 'docker-sysconfig-options': + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/docker', + changes => $options_changes, + subscribe => Package['docker'], + notify => Service['docker'], + } + if $insecure_registry { + warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registry_address instead.') if $docker_namespace == undef { fail('You must provide a $docker_namespace in order to configure insecure registry') } $namespace = strip($docker_namespace.split('/')[0]) - $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", - "set OPTIONS '\"${docker_options}\"'" ] + $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'" ] + } elsif $insecure_registry_address { + $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${insecure_registry_address}\"'" ] } else { - $changes = [ 'rm INSECURE_REGISTRY', - "set OPTIONS '\"${docker_options}\"'" ] + $registry_changes = [ 'rm INSECURE_REGISTRY' ] } - augeas { 'docker-sysconfig': + augeas { 'docker-sysconfig-registry': lens => 'Shellvars.lns', incl => '/etc/sysconfig/docker', - changes => $changes, + changes => $registry_changes, subscribe => Package['docker'], notify => Service['docker'], } diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index 2896185..d9c89d5 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp @@ -127,12 +127,12 @@ class tripleo::profile::base::glance::api ( } } case $glance_backend { - 'swift': { $backend_store = 'glance.store.swift.Store' } - 'file': { $backend_store = 'glance.store.filesystem.Store' } - 'rbd': { $backend_store = 'glance.store.rbd.Store' } + 'swift': { $backend_store = 'swift' } + 'file': { $backend_store = 'file' } + 'rbd': { $backend_store = 'rbd' } default: { fail('Unrecognized glance_backend parameter.') } } - $http_store = ['glance.store.http.Store'] + $http_store = ['http'] $glance_store = concat($http_store, $backend_store) # TODO: notifications, scrubber, etc. diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp index ff90590..2221b37 100644 --- a/manifests/profile/base/heat/api.pp +++ b/manifests/profile/base/heat/api.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -45,11 +49,18 @@ # Defaults to hiera('step') # class tripleo::profile::base::heat::api ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $heat_api_network = hiera('heat_api_network', undef), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + include ::tripleo::profile::base::heat if $enable_internal_tls { @@ -63,7 +74,7 @@ class tripleo::profile::base::heat::api ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::heat::api include ::apache::mod::ssl class { '::heat::wsgi::apache_api': diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp index e14760a..1014b04 100644 --- a/manifests/profile/base/heat/api_cfn.pp +++ b/manifests/profile/base/heat/api_cfn.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -45,11 +49,18 @@ # Defaults to hiera('step') # class tripleo::profile::base::heat::api_cfn ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $heat_api_cfn_network = hiera('heat_api_cfn_network', undef), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + include ::tripleo::profile::base::heat if $enable_internal_tls { @@ -63,7 +74,7 @@ class tripleo::profile::base::heat::api_cfn ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::heat::api_cfn include ::apache::mod::ssl diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp index 83d5307..4caac9d 100644 --- a/manifests/profile/base/heat/api_cloudwatch.pp +++ b/manifests/profile/base/heat/api_cloudwatch.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -45,11 +49,18 @@ # Defaults to hiera('step') # class tripleo::profile::base::heat::api_cloudwatch ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + include ::tripleo::profile::base::heat if $enable_internal_tls { @@ -63,7 +74,7 @@ class tripleo::profile::base::heat::api_cloudwatch ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::heat::api_cloudwatch include ::apache::mod::ssl diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 12482b6..3f01d01 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -23,15 +23,31 @@ # for more details. # Defaults to hiera('step') # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*neutron_options*] # (Optional) A hash of parameters to enable features specific to Neutron # Defaults to hiera('horizon::neutron_options', {}) # +# [*memcached_ips*] +# (Optional) Array of ipv4 or ipv6 addresses for memcache. +# Defaults to hiera('memcached_node_ips') +# class tripleo::profile::base::horizon ( $step = Integer(hiera('step')), + $bootstrap_node = hiera('bootstrap_nodeid', undef), $neutron_options = hiera('horizon::neutron_options', {}), + $memcached_ips = hiera('memcached_node_ips') ) { - if $step >= 3 { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { # Horizon include ::apache::mod::remoteip include ::apache::mod::status @@ -41,12 +57,14 @@ class tripleo::profile::base::horizon ( $_profile_support = 'None' } $neutron_options_real = merge({'profile_support' => $_profile_support }, $neutron_options) - $memcached_ipv6 = hiera('memcached_ipv6', false) - if $memcached_ipv6 { - $horizon_memcached_servers = hiera('memcached_node_ips_v6', '[::1]') + + if is_ipv6_address($memcached_ips[0]) { + $horizon_memcached_servers = prefix(any2array(normalize_ip_for_uri($memcached_ips)), 'inet6:') + } else { - $horizon_memcached_servers = hiera('memcached_node_ips', '127.0.0.1') + $horizon_memcached_servers = any2array(normalize_ip_for_uri($memcached_ips)) } + class { '::horizon': cache_server_ip => $horizon_memcached_servers, neutron_options => $neutron_options_real, diff --git a/manifests/profile/base/ironic/api.pp b/manifests/profile/base/ironic/api.pp index 94b7efe..bbc91f5 100644 --- a/manifests/profile/base/ironic/api.pp +++ b/manifests/profile/base/ironic/api.pp @@ -18,16 +18,68 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*ironic_api_network*] +# (Optional) The network name where the ironic API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('ironic_api_network', undef) +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*step*] # (Optional) The current step of the deployment # Defaults to hiera('step') # class tripleo::profile::base::ironic::api ( - $step = Integer(hiera('step')), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $ironic_api_network = hiera('ironic_api_network', undef), + $enable_internal_tls = hiera('enable_internal_tls', false), + $step = Integer(hiera('step')), ) { include ::tripleo::profile::base::ironic - if $step >= 4 { - include ::ironic::api + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false } + + if $enable_internal_tls { + if !$ironic_api_network { + fail('ironic_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${ironic_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${ironic_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { + include ::ironic::api + include ::apache::mod::ssl + class { '::ironic::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } + } + } diff --git a/manifests/profile/base/iscsid.pp b/manifests/profile/base/iscsid.pp new file mode 100644 index 0000000..3637097 --- /dev/null +++ b/manifests/profile/base/iscsid.pp @@ -0,0 +1,45 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::iscsid +# +# Nova Compute profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::iscsid ( + $step = Integer(hiera('step')), +) { + + if $step >= 2 { + # When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique + # https://bugzilla.redhat.com/show_bug.cgi?id=1244328 + ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' }) + exec { 'reset-iscsi-initiator-name': + command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi', + onlyif => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset', + before => File['/etc/iscsi/.initiator_reset'], + require => Package['iscsi-initiator-utils'], + tag => 'iscsid_config' + } + file { '/etc/iscsi/.initiator_reset': + ensure => present, + } + } +} diff --git a/manifests/profile/base/kernel.pp b/manifests/profile/base/kernel.pp index df13a98..48caf37 100644 --- a/manifests/profile/base/kernel.pp +++ b/manifests/profile/base/kernel.pp @@ -17,14 +17,32 @@ # # Load and configure Kernel modules. # -class tripleo::profile::base::kernel { +# === Parameters +# +# [*module_list*] +# (Optional) List of kernel modules to load. +# Defaults to hiera('kernel_modules') +# +# [*sysctl_settings*] +# (Optional) List of sysctl settings to load. +# Defaults to hiera('sysctl_settings') +# +class tripleo::profile::base::kernel ( + $module_list = hiera('kernel_modules', undef), + $sysctl_settings = hiera('sysctl_settings', undef), +) { - if hiera('kernel_modules', undef) { - create_resources(kmod::load, hiera('kernel_modules'), { }) + if $module_list { + create_resources(kmod::load, $module_list, { }) } - if hiera('sysctl_settings', undef) { - create_resources(sysctl::value, hiera('sysctl_settings'), { }) + if $sysctl_settings { + create_resources(sysctl::value, $sysctl_settings, { }) } Exec <| tag == 'kmod::load' |> -> Sysctl <| |> + # RHEL 7.4+ workaround where this functionality is built into the + # kernel instead of being built as a module. + # That way, we can support both 7.3 and 7.4 RHEL versions. + # https://bugzilla.redhat.com/show_bug.cgi?id=1387537 + Exec <| title == 'modprobe nf_conntrack_proto_sctp' |> { returns => [0,1] } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 91a660c..47b5276 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -347,5 +347,8 @@ class tripleo::profile::base::keystone ( if hiera('novajoin_enabled', false) { include ::nova::metadata::novajoin::auth } + if hiera('veritas_hyperscale_controller_enabled', false) { + include ::veritas_hyperscale::hs_keystone + } } } diff --git a/manifests/profile/base/lvm.pp b/manifests/profile/base/lvm.pp new file mode 100644 index 0000000..91810ce --- /dev/null +++ b/manifests/profile/base/lvm.pp @@ -0,0 +1,40 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::lvm +# +# LVM profile for tripleo +# +# === Parameters +# +# [*enable_udev*] +# (Optional) Whether to enable udev usage by LVM. +# Defaults to true +# +class tripleo::profile::base::lvm ( + $enable_udev = true, +) { + + if $enable_udev { + $udev_options_value = 1 + } else { + $udev_options_value = 0 + } + augeas {'udev options in lvm.conf': + context => '/files/etc/lvm/lvm.conf/activation/dict/', + changes => ["set udev_sync/int ${udev_options_value}", + "set udev_rules/int ${udev_options_value}"], + } + +} diff --git a/manifests/profile/base/metrics/collectd.pp b/manifests/profile/base/metrics/collectd.pp index 098f795..088e6e2 100644 --- a/manifests/profile/base/metrics/collectd.pp +++ b/manifests/profile/base/metrics/collectd.pp @@ -23,6 +23,11 @@ # for more details. # Defaults to hiera('step') # +# [*enable_file_logging*] +# (Optional) Boolean. Whether to enable logfile plugin. +# which we should send metrics. +# Defaults to false +# # [*collectd_server*] # (Optional) String. The name or address of a collectd server to # which we should send metrics. @@ -49,6 +54,7 @@ class tripleo::profile::base::metrics::collectd ( $step = Integer(hiera('step')), + $enable_file_logging = false, $collectd_server = undef, $collectd_port = undef, $collectd_username = undef, @@ -58,6 +64,9 @@ class tripleo::profile::base::metrics::collectd ( ) { if $step >= 3 { include ::collectd + if $enable_file_logging { + include ::collectd::plugin::logfile + } if ! ($collectd_securitylevel in [undef, 'None', 'Sign', 'Encrypt']) { fail('collectd_securitylevel must be one of (None, Sign, Encrypt).') diff --git a/manifests/profile/base/mistral/api.pp b/manifests/profile/base/mistral/api.pp index 2ea5c9a..b5ca85e 100644 --- a/manifests/profile/base/mistral/api.pp +++ b/manifests/profile/base/mistral/api.pp @@ -56,9 +56,9 @@ class tripleo::profile::base::mistral::api ( $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { - $sync_db = true + $is_bootstrap = true } else { - $sync_db = false + $is_bootstrap = false } include ::tripleo::profile::base::mistral @@ -74,7 +74,7 @@ class tripleo::profile::base::mistral::api ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::mistral::api include ::apache::mod::ssl class { '::mistral::wsgi::apache': diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp index 5d25ae2..7a35b6b 100644 --- a/manifests/profile/base/neutron/opendaylight.pp +++ b/manifests/profile/base/neutron/opendaylight.pp @@ -28,12 +28,12 @@ # # [*node_name*] # (Optional) The short hostname of node -# Defaults to hiera('bootstack_nodeid') +# Defaults to hiera('bootstrap_nodeid') # class tripleo::profile::base::neutron::opendaylight ( $step = Integer(hiera('step')), $odl_api_ips = hiera('opendaylight_api_node_ips'), - $node_name = hiera('bootstack_nodeid') + $node_name = hiera('bootstrap_nodeid') ) { if $step >= 1 { diff --git a/manifests/profile/base/neutron/opendaylight/configure_cluster.pp b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp new file mode 100644 index 0000000..022e8ae --- /dev/null +++ b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp @@ -0,0 +1,45 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Configures an OpenDaylight cluster. +# It creates the akka configuration file for ODL to cluster correctly +# It will not configure clustering if less than 3 nodes +# +# == Function: tripleo::profile::base::neutron::opendaylight::configure_cluster +# +# == Parameters +# +# [*node_name*] +# The short hostname of node +# +# [*odl_api_ips*] Array of IPs per ODL node +# Defaults to empty array +# +define tripleo::profile::base::neutron::opendaylight::configure_cluster( + $node_name, + $odl_api_ips = [], +) { + validate_array($odl_api_ips) + if size($odl_api_ips) > 2 { + $node_string = split($node_name, '-') + $ha_node_index = $node_string[-1] + 1 + $ha_node_ip_str = join($odl_api_ips, ' ') + exec { 'Configure ODL Clustering': + command => "configure_cluster.sh ${ha_node_index} ${ha_node_ip_str}", + path => '/opt/opendaylight/bin/:/usr/sbin:/usr/bin:/sbin:/bin', + creates => '/opt/opendaylight/configuration/initial/akka.conf' + } + } +} + diff --git a/manifests/profile/base/neutron/opendaylight/create_cluster.pp b/manifests/profile/base/neutron/opendaylight/create_cluster.pp new file mode 100644 index 0000000..94cd898 --- /dev/null +++ b/manifests/profile/base/neutron/opendaylight/create_cluster.pp @@ -0,0 +1,43 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Configures an OpenDaylight cluster. +# It creates the akka configuration file for ODL to cluster correctly +# It will not configure clustering if less than 3 nodes +# +# == Class: tripleo::profile::base::neutron::opendaylight::create_cluster +# +# OpenDaylight class only used for creating clusters with container deployments +# +# === Parameters +# +# [*odl_api_ips*] +# (Optional) List of OpenStack Controller IPs for ODL API +# Defaults to hiera('opendaylight_api_node_ips') +# +# [*node_name*] +# (Optional) The short hostname of node +# Defaults to hiera('bootstrap_nodeid') +# +class tripleo::profile::base::neutron::opendaylight::create_cluster ( + $odl_api_ips = hiera('opendaylight_api_node_ips'), + $node_name = hiera('bootstrap_nodeid') +) { + + tripleo::profile::base::neutron::opendaylight::configure_cluster {'ODL cluster': + node_name => $node_name, + odl_api_ips => $odl_api_ips, + } + +} diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp index 0dee53e..60ef443 100644 --- a/manifests/profile/base/neutron/server.pp +++ b/manifests/profile/base/neutron/server.pp @@ -113,10 +113,7 @@ class tripleo::profile::base::neutron::server ( $l3_ha = false } - # We start neutron-server on the bootstrap node first, because - # it will try to populate tables and we need to make sure this happens - # before it starts on other nodes - if $step >= 4 and $sync_db or $step >= 5 and !$sync_db { + if $step >= 4 or ($step >= 3 and $sync_db) { if $enable_internal_tls { if !$neutron_network { fail('neutron_api_network is not set in the hieradata.') @@ -130,9 +127,14 @@ class tripleo::profile::base::neutron::server ( port => $tls_proxy_port, tls_cert => $tls_certfile, tls_key => $tls_keyfile, - notify => Class['::neutron::server'], } + Tripleo::Tls_proxy['neutron-api'] ~> Anchor<| title == 'neutron::service::begin' |> } + } + # We start neutron-server on the bootstrap node first, because + # it will try to populate tables and we need to make sure this happens + # before it starts on other nodes + if $step >= 4 and $sync_db or $step >= 5 and !$sync_db { include ::neutron::server::notifications # We need to override the hiera value neutron::server::sync_db which is set diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 65e8ebc..eb6856f 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -22,14 +22,6 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # -# [*libvirt_enabled*] -# (Optional) Whether or not Libvirt is enabled. -# Defaults to false -# -# [*manage_migration*] -# (Optional) Whether or not manage Nova Live migration -# Defaults to false -# # [*oslomsg_rpc_proto*] # Protocol driver for the oslo messaging rpc service # Defaults to hiera('messaging_rpc_service_name', rabbit) @@ -74,65 +66,43 @@ # Enable ssl oslo messaging services # Defaults to hiera('nova::rabbit_use_ssl', '0') # -# [*nova_compute_enabled*] -# (Optional) Whether or not nova-compute is enabled. -# Defaults to false -# # [*step*] # (Optional) The current step of the deployment # Defaults to hiera('step') # -# [*migration_ssh_key*] -# (Optional) SSH key pair for migration SSH tunnel. -# Expects a hash with keys 'private_key' and 'public_key'. -# Defaults to {} -# -# [*migration_ssh_localaddrs*] -# (Optional) Restrict ssh migration to clients connecting via this list of -# IPs. -# Defaults to [] (no restriction) -# -# [*libvirt_tls*] -# (Optional) Whether or not libvird TLS service is enabled. -# Defaults to false +# [*memcached_ips*] +# (Optional) Array of ipv4 or ipv6 addresses for memcache. +# Defaults to hiera('memcached_node_ips') class tripleo::profile::base::nova ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $libvirt_enabled = false, - $manage_migration = false, - $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), - $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), - $oslomsg_rpc_password = hiera('nova::rabbit_password'), - $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'), - $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'), - $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'), - $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)), - $oslomsg_notify_password = hiera('nova::rabbit_password'), - $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'), - $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'), - $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), - $nova_compute_enabled = false, - $step = Integer(hiera('step')), - $migration_ssh_key = {}, - $migration_ssh_localaddrs = [], - $libvirt_tls = false + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), + $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $oslomsg_rpc_password = hiera('nova::rabbit_password'), + $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'), + $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'), + $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'), + $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $oslomsg_notify_password = hiera('nova::rabbit_password'), + $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'), + $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'), + $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), + $step = Integer(hiera('step')), + $memcached_ips = hiera('memcached_node_ips'), ) { + if $::hostname == downcase($bootstrap_node) { $sync_db = true } else { $sync_db = false } - if hiera('nova::use_ipv6', false) { - $memcache_servers = suffix(hiera('memcached_node_ips_v6'), ':11211') + if is_ipv6_address($memcached_ips[0]) { + $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211'), 'inet6:') } else { - $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211') + $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') } - validate_array($migration_ssh_localaddrs) - $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) } - $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs) - if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) include ::nova::config @@ -161,102 +131,4 @@ class tripleo::profile::base::nova ( } include ::nova::placement } - - if $step >= 4 { - if $manage_migration { - # Libvirt setup (live-migration) - if $libvirt_tls { - class { '::nova::migration::libvirt': - transport => 'tls', - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, - } - } else { - # Reuse the cold-migration SSH tunnel when TLS is not enabled - class { '::nova::migration::libvirt': - transport => 'ssh', - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, - client_user => 'nova_migration', - client_extraparams => {'keyfile' => '/etc/nova/migration/identity'} - } - } - - $services_enabled = hiera('service_names', []) - if !empty($migration_ssh_key) and 'sshd' in $services_enabled { - # Nova SSH tunnel setup (cold-migration) - - # Server side - if !empty($migration_ssh_localaddrs_real) { - $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,',')) - $deny_type = 'LocalAddress' - $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!')) - - ssh::server::match_block { 'nova_migration deny': - name => $deny_name, - type => $deny_type, - order => 2, - options => { - 'DenyUsers' => 'nova_migration' - }, - notify => Service['sshd'] - } - } - else { - $allow_type = 'User' - } - $allow_name = 'nova_migration' - - ssh::server::match_block { 'nova_migration allow': - name => $allow_name, - type => $allow_type, - order => 1, - options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - }, - notify => Service['sshd'] - } - - $migration_authorized_keys = $migration_ssh_key['public_key'] - $migration_identity = $migration_ssh_key['private_key'] - $migration_user_shell = '/bin/bash' - } - else { - # Remove the keys and prevent login when migration over SSH is not enabled - $migration_authorized_keys = '# Migration over SSH disabled by TripleO' - $migration_identity = '# Migration over SSH disabled by TripleO' - $migration_user_shell = '/sbin/nologin' - } - - package { 'openstack-nova-migration': - ensure => present, - tag => ['openstack', 'nova-package'], - } - - file { '/etc/nova/migration/authorized_keys': - content => $migration_authorized_keys, - mode => '0640', - owner => 'root', - group => 'nova_migration', - require => Package['openstack-nova-migration'] - } - - file { '/etc/nova/migration/identity': - content => $migration_identity, - mode => '0600', - owner => 'nova', - group => 'nova', - require => Package['openstack-nova-migration'] - } - - user {'nova_migration': - shell => $migration_user_shell, - require => Package['openstack-nova-migration'] - } - } - } } diff --git a/manifests/profile/base/nova/authtoken.pp b/manifests/profile/base/nova/authtoken.pp index d8285ba..7eb37bc 100644 --- a/manifests/profile/base/nova/authtoken.pp +++ b/manifests/profile/base/nova/authtoken.pp @@ -21,34 +21,22 @@ # for more details. # Defaults to hiera('step') # -# [*use_ipv6*] -# (Optional) Flag indicating if ipv6 should be used for caching -# Defaults to hiera('nova::use_ipv6', false) -# -# [*memcache_nodes_ipv6*] -# (Optional) Array of ipv6 addresses for memcache. Used if use_ipv6 is true. -# Defaults to hiera('memcached_node_ipvs_v6', ['::1']) -# -# [*memcache_nodes_ipv4*] -# (Optional) Array of ipv4 addresses for memcache. Used by default unless -# use_ipv6 is set to true. -# Defaults to hiera('memcached_node_ips', ['127.0.0.1']) +# [*memcached_ips*] +# (Optional) Array of ipv4 or ipv6 addresses for memcache. +# Defaults to hiera('memcached_node_ips') # class tripleo::profile::base::nova::authtoken ( $step = Integer(hiera('step')), - $use_ipv6 = hiera('nova::use_ipv6', false), - $memcache_nodes_ipv6 = hiera('memcached_node_ips_v6', ['::1']), - $memcache_nodes_ipv4 = hiera('memcached_node_ips', ['127.0.0.1']), + $memcached_ips = hiera('memcached_node_ips'), ) { if $step >= 3 { - $memcached_ips = $use_ipv6 ? { - true => $memcache_nodes_ipv6, - default => $memcache_nodes_ipv4 + if is_ipv6_address($memcached_ips[0]) { + $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211'), 'inet6:') + } else { + $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') } - $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') - class { '::nova::keystone::authtoken': memcached_servers => $memcache_servers } diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index bd50204..3eae880 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -45,19 +45,6 @@ class tripleo::profile::base::nova::compute ( # deploy bits to connect nova compute to neutron include ::nova::network::neutron - - # When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique - # https://bugzilla.redhat.com/show_bug.cgi?id=1244328 - ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' }) - exec { 'reset-iscsi-initiator-name': - command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi', - onlyif => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset', - before => File['/etc/iscsi/.initiator_reset'], - require => Package['iscsi-initiator-utils'], - } - file { '/etc/iscsi/.initiator_reset': - ensure => present, - } } # If NFS is used as a Cinder backend diff --git a/manifests/profile/base/nova/compute/libvirt.pp b/manifests/profile/base/nova/compute/libvirt.pp index ec592cb..8a7c4d6 100644 --- a/manifests/profile/base/nova/compute/libvirt.pp +++ b/manifests/profile/base/nova/compute/libvirt.pp @@ -28,16 +28,13 @@ class tripleo::profile::base::nova::compute::libvirt ( ) { if $step >= 4 { include ::tripleo::profile::base::nova::compute + include ::tripleo::profile::base::nova::migration::client # Ceph + Libvirt $rbd_ephemeral_storage = hiera('nova::compute::rbd::ephemeral_storage', false) $rbd_persistent_storage = hiera('rbd_persistent_storage', false) if $rbd_ephemeral_storage or $rbd_persistent_storage { - $client_keys = hiera('ceph::profile::params::client_keys') - $client_user = join(['client.', hiera('nova::compute::rbd::libvirt_rbd_user')]) - class { '::nova::compute::rbd': - libvirt_rbd_secret_key => $client_keys[$client_user]['secret'], - } + include ::nova::compute::rbd } if $rbd_ephemeral_storage { diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp index b639858..06baa39 100644 --- a/manifests/profile/base/nova/libvirt.pp +++ b/manifests/profile/base/nova/libvirt.pp @@ -28,6 +28,7 @@ class tripleo::profile::base::nova::libvirt ( ) { if $step >= 4 { include ::tripleo::profile::base::nova + include ::tripleo::profile::base::nova::migration::client include ::nova::compute::libvirt::services file { ['/etc/libvirt/qemu/networks/autostart/default.xml', diff --git a/manifests/profile/base/ui.pp b/manifests/profile/base/nova/migration.pp index 681496a..0c4c844 100644 --- a/manifests/profile/base/ui.pp +++ b/manifests/profile/base/nova/migration.pp @@ -12,15 +12,24 @@ # License for the specific language governing permissions and limitations # under the License. # -# == Class: tripleo::profile::base::ui +# == Class: tripleo::profile::base::nova::migration # -# UI profile for tripleo +# Nova migration profile for tripleo, common to both client and target. +# +# === Parameters +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') # -class tripleo::profile::base::ui () { - package {'openstack-tripleo-ui': } - - include ::apache - include ::tripleo::ui +class tripleo::profile::base::nova::migration ( + $step = Integer(hiera('step')), +) { + if $step >= 3 { + package { 'openstack-nova-migration': + ensure => present, + tag => ['openstack', 'nova-package'], + } + } } - diff --git a/manifests/profile/base/nova/migration/client.pp b/manifests/profile/base/nova/migration/client.pp new file mode 100644 index 0000000..12b83dc --- /dev/null +++ b/manifests/profile/base/nova/migration/client.pp @@ -0,0 +1,100 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::migration +# +# Nova migration client profile for tripleo +# +# === Parameters +# +# [*libvirt_enabled*] +# (Optional) Whether or not Libvirt is enabled. +# Defaults to false +# +# [*nova_compute_enabled*] +# (Optional) Whether or not nova-compute is enabled. +# Defaults to false +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# +# [*ssh_private_key*] +# (Optional) SSH private_key for migration SSH tunnel. +# Defaults to '' +# +# [*ssh_port*] +# (Optional) Port that SSH target services is listening on. +# Defaults to 22 +# +# [*libvirt_tls*] +# (Optional) Whether or not libvird TLS service is enabled. +# Defaults to false + +class tripleo::profile::base::nova::migration::client ( + $libvirt_enabled = false, + $nova_compute_enabled = false, + $step = Integer(hiera('step')), + $ssh_private_key = '', + $ssh_port = 22, + $libvirt_tls = false, +) { + + include ::tripleo::profile::base::nova::migration + + if $step >= 4 { + + # Libvirt setup (live-migration) + if $libvirt_tls { + class { '::nova::migration::libvirt': + transport => 'tls', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + } + } else { + # Reuse the cold-migration SSH tunnel when TLS is not enabled + class { '::nova::migration::libvirt': + transport => 'ssh', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + client_user => 'nova_migration', + client_extraparams => {'keyfile' => '/etc/nova/migration/identity'}, + client_port => $ssh_port + } + } + + if !empty($ssh_private_key) { + # Nova SSH tunnel setup (cold-migration) + $migration_identity = $ssh_private_key + } + else { + $migration_identity = '# Migration over SSH disabled by TripleO' + } + + file { '/etc/nova/migration/identity': + content => $migration_identity, + mode => '0600', + owner => 'nova', + group => 'nova', + require => Package['openstack-nova-migration'] + } + + file_line { 'nova_ssh_port': + ensure => present, + path => '/var/lib/nova/.ssh/config', + after => '^Host \*$', + line => " Port ${ssh_port}", + } + } +} diff --git a/manifests/profile/base/nova/migration/target.pp b/manifests/profile/base/nova/migration/target.pp new file mode 100644 index 0000000..7c21028 --- /dev/null +++ b/manifests/profile/base/nova/migration/target.pp @@ -0,0 +1,120 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::migration::target +# +# Nova migration target profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# +# [*ssh_authorized_keys*] +# (Optional) List of SSH public keys authorized for migration. +# If no keys are provided then migration over ssh will be disabled. +# Defaults to [] +# +# [*ssh_localaddrs*] +# (Optional) Restrict ssh migration to clients connecting via this list of +# IPs. +# Defaults to [] (no restriction) +# +# [*services_enabled*] +# (Optional) List of services enabled on the current role. +# If the nova_migration_target service is not enabled then migration over +# ssh will be disabled. +# Defaults to hiera('service_names', []) + +class tripleo::profile::base::nova::migration::target ( + $step = Integer(hiera('step')), + $ssh_authorized_keys = [], + $ssh_localaddrs = [], + $services_enabled = hiera('service_names', []), +) { + + include ::tripleo::profile::base::nova::migration + + validate_array($ssh_localaddrs) + $ssh_localaddrs.each |$x| { validate_ip_address($x) } + $ssh_localaddrs_real = unique($ssh_localaddrs) + validate_array($ssh_authorized_keys) + $ssh_authorized_keys_real = join($ssh_authorized_keys, '\n') + + if $step >= 4 { + if !empty($ssh_authorized_keys_real) { + if ('nova_migration_target' in $services_enabled) { + if !empty($ssh_localaddrs_real) { + $allow_type = sprintf('LocalAddress %s User', join($ssh_localaddrs_real,',')) + $deny_type = 'LocalAddress' + $deny_name = sprintf('!%s', join($ssh_localaddrs_real,',!')) + + ssh::server::match_block { 'nova_migration deny': + name => $deny_name, + type => $deny_type, + order => 2, + options => { + 'DenyUsers' => 'nova_migration' + }, + notify => Service['sshd'] + } + } + else { + $allow_type = 'User' + } + $allow_name = 'nova_migration' + + ssh::server::match_block { 'nova_migration allow': + name => $allow_name, + type => $allow_type, + order => 1, + options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + }, + notify => Service['sshd'] + } + $migration_authorized_keys = $ssh_authorized_keys_real + $migration_user_shell = '/bin/bash' + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' + } + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' + } + + file { '/etc/nova/migration/authorized_keys': + content => $migration_authorized_keys, + mode => '0640', + owner => 'root', + group => 'nova_migration', + require => Package['openstack-nova-migration'] + } + + user {'nova_migration': + shell => $migration_user_shell, + require => Package['openstack-nova-migration'] + } + } +} diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp index ac78287..48af39a 100644 --- a/manifests/profile/base/nova/placement.pp +++ b/manifests/profile/base/nova/placement.pp @@ -54,9 +54,9 @@ class tripleo::profile::base::nova::placement ( $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { - $sync_db = true + $is_bootstrap = true } else { - $sync_db = false + $is_bootstrap = false } include ::tripleo::profile::base::nova @@ -73,7 +73,7 @@ class tripleo::profile::base::nova::placement ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::apache::mod::ssl class { '::nova::wsgi::apache_placement': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index 8ab6049..d0b4a05 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -166,4 +166,7 @@ class tripleo::profile::base::rabbitmq ( } } + if $step >= 1 and hiera('veritas_hyperscale_controller_enabled', false) { + include ::veritas_hyperscale::hs_rabbitmq + } } diff --git a/manifests/profile/base/swift/dispersion.pp b/manifests/profile/base/swift/dispersion.pp new file mode 100644 index 0000000..44af463 --- /dev/null +++ b/manifests/profile/base/swift/dispersion.pp @@ -0,0 +1,33 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::swift::dispersion +# +# Swift dispersion profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::swift::dispersion ( + $step = Integer(hiera('step')), +) { + if $step >= 5 { + include ::swift::client + include ::swift::dispersion + } +} diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index b047c36..afb5fa6 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*ceilometer_enabled*] # Whether the ceilometer pipeline is enabled. # Defaults to true @@ -96,6 +100,7 @@ # defaults to 8080 # class tripleo::profile::base::swift::proxy ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $ceilometer_enabled = true, $ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'), $ceilometer_messaging_hosts = any2array(hiera('rabbitmq_node_names', undef)), @@ -113,7 +118,12 @@ class tripleo::profile::base::swift::proxy ( $tls_proxy_fqdn = undef, $tls_proxy_port = 8080, ) { - if $step >= 4 { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + if $step >= 4 or ($step >= 3 and $is_bootstrap) { if $enable_internal_tls { if !$swift_proxy_network { fail('swift_proxy_network is not set in the hieradata.') @@ -127,9 +137,11 @@ class tripleo::profile::base::swift::proxy ( port => $tls_proxy_port, tls_cert => $tls_certfile, tls_key => $tls_keyfile, - notify => Class['::swift::proxy'], } + Tripleo::Tls_proxy['swift-proxy-api'] ~> Anchor<| title == 'swift::service::begin' |> } + } + if $step >= 4 { $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") include ::swift::config include ::swift::proxy diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp index b9171b0..cd84d04 100644 --- a/manifests/profile/base/zaqar.pp +++ b/manifests/profile/base/zaqar.pp @@ -18,9 +18,17 @@ # # === Parameters # -# [*sync_db*] -# (Optional) Whether to run db sync -# Defaults to true +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*management_store*] +# (Optional) The management store for Zaqar. +# Defaults to 'mongodb' +# +# [*messaging_store*] +# (Optional) The messaging store for Zaqar. +# Defaults to 'mongodb' # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates @@ -28,27 +36,53 @@ # Defaults to hiera('step') # class tripleo::profile::base::zaqar ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $management_store = 'mongodb', + $messaging_store = 'mongodb', $step = Integer(hiera('step')), ) { - if $step >= 4 { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::zaqar - if str2bool(hiera('mongodb::server::ipv6', false)) { - $mongo_node_ips_with_port_prefixed = prefix(hiera('mongodb_node_ips'), '[') - $mongo_node_ips_with_port = suffix($mongo_node_ips_with_port_prefixed, ']:27017') - } else { - $mongo_node_ips_with_port = suffix(hiera('mongodb_node_ips'), ':27017') + if $messaging_store == 'mongodb' or $management_store == 'mongodb' { + if str2bool(hiera('mongodb::server::ipv6', false)) { + $mongo_node_ips_with_port_prefixed = prefix(hiera('mongodb_node_ips'), '[') + $mongo_node_ips_with_port = suffix($mongo_node_ips_with_port_prefixed, ']:27017') + } else { + $mongo_node_ips_with_port = suffix(hiera('mongodb_node_ips'), ':27017') + } + $mongodb_replset = hiera('mongodb::server::replset') + $mongo_node_string = join($mongo_node_ips_with_port, ',') + $mongo_database_connection = "mongodb://${mongo_node_string}/zaqar?replicaSet=${mongodb_replset}" } - $mongodb_replset = hiera('mongodb::server::replset') - $mongo_node_string = join($mongo_node_ips_with_port, ',') - $database_connection = "mongodb://${mongo_node_string}/zaqar?replicaSet=${mongodb_replset}" - class { '::zaqar::management::mongodb': - uri => $database_connection, + + if $messaging_store == 'swift' { + include ::zaqar::messaging::swift + } elsif $messaging_store == 'mongodb' { + class {'::zaqar::messaging::mongodb': + uri => $mongo_database_connection, + } + } else { + fail("unsupported Zaqar messaging_store set: ${messaging_store}") } - class {'::zaqar::messaging::mongodb': - uri => $database_connection, + + if $management_store == 'sqlalchemy' { + include ::zaqar::management::sqlalchemy + } elsif $management_store == 'mongodb' { + class { '::zaqar::management::mongodb': + uri => $mongo_database_connection, + } + } else { + fail("unsupported Zaqar management_store set: ${management_store}") } + include ::zaqar::transport::websocket include ::apache::mod::ssl include ::zaqar::transport::wsgi diff --git a/manifests/profile/pacemaker/cinder/backup_bundle.pp b/manifests/profile/pacemaker/cinder/backup_bundle.pp index a5e1a9b..2a82c3e 100644 --- a/manifests/profile/pacemaker/cinder/backup_bundle.pp +++ b/manifests/profile/pacemaker/cinder/backup_bundle.pp @@ -85,13 +85,8 @@ class tripleo::profile::pacemaker::cinder::backup_bundle ( 'options' => 'ro', }, 'cinder-backup-cfg-data' => { - 'source-dir' => '/var/lib/config-data/cinder/etc/cinder', - 'target-dir' => '/etc/cinder', - 'options' => 'ro', - }, - 'cinder-backup-cfg-ceph' => { - 'source-dir' => '/var/lib/config-data/cinder/etc/ceph', - 'target-dir' => '/etc/ceph', + 'source-dir' => '/var/lib/config-data/puppet-generated/cinder/', + 'target-dir' => '/var/lib/kolla/config_files/src', 'options' => 'ro', }, 'cinder-backup-hosts' => { diff --git a/manifests/profile/pacemaker/cinder/volume_bundle.pp b/manifests/profile/pacemaker/cinder/volume_bundle.pp index 39199a5..8d58036 100644 --- a/manifests/profile/pacemaker/cinder/volume_bundle.pp +++ b/manifests/profile/pacemaker/cinder/volume_bundle.pp @@ -85,8 +85,8 @@ class tripleo::profile::pacemaker::cinder::volume_bundle ( 'options' => 'ro', }, 'cinder-volume-cfg-data' => { - 'source-dir' => '/var/lib/config-data/cinder/etc/cinder', - 'target-dir' => '/etc/cinder', + 'source-dir' => '/var/lib/config-data/puppet-generated/cinder/', + 'target-dir' => '/var/lib/kolla/config_files/src', 'options' => 'ro', }, 'cinder-volume-hosts' => { diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp index 3aff62f..b9f2a65 100644 --- a/manifests/profile/pacemaker/database/mysql.pp +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -26,11 +26,39 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to $::hostname # +# [*ca_file*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to undef +# +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*gmcast_listen_addr*] # (Optional) This variable defines the address on which the node listens to # connections from other nodes in the cluster. # Defaults to hiera('mysql_bind_host') # +# [*innodb_flush_log_at_trx_commit*] +# (Optional) Disk flush behavior for MySQL under Galera. A value of +# '1' indicates flush to disk per transaction. A value of '2' indicates +# flush to disk every second, flushing all unflushed transactions in +# one step. +# Defaults to hiera('innodb_flush_log_at_trx_commit', '1') +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -41,11 +69,15 @@ # Defaults to hiera('pcs_tries', 20) # class tripleo::profile::pacemaker::database::mysql ( - $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), - $bind_address = $::hostname, - $gmcast_listen_addr = hiera('mysql_bind_host'), - $step = Integer(hiera('step')), - $pcs_tries = hiera('pcs_tries', 20), + $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), + $bind_address = $::hostname, + $ca_file = undef, + $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $gmcast_listen_addr = hiera('mysql_bind_host'), + $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'), + $step = Integer(hiera('step')), + $pcs_tries = hiera('pcs_tries', 20), ) { if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true @@ -70,35 +102,49 @@ class tripleo::profile::pacemaker::database::mysql ( $processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') } $cluster_host_map = join($processed_galera_name_pairs, ';') + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + if $ca_file { + $tls_ca_options = "socket.ssl_ca=${ca_file}" + } else { + $tls_ca_options = '' + } + $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};" + } else { + $tls_options = '' + } + $mysqld_options = { 'mysqld' => { - 'skip-name-resolve' => '1', - 'binlog_format' => 'ROW', - 'default-storage-engine' => 'innodb', - 'innodb_autoinc_lock_mode' => '2', - 'innodb_locks_unsafe_for_binlog'=> '1', - 'innodb_file_per_table' => 'ON', - 'query_cache_size' => '0', - 'query_cache_type' => '0', - 'bind-address' => $bind_address, - 'max_connections' => hiera('mysql_max_connections'), - 'open_files_limit' => '-1', - 'wsrep_on' => 'ON', - 'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so', - 'wsrep_cluster_name' => 'galera_cluster', - 'wsrep_cluster_address' => "gcomm://${galera_nodes}", - 'wsrep_slave_threads' => '1', - 'wsrep_certify_nonPK' => '1', - 'wsrep_max_ws_rows' => '131072', - 'wsrep_max_ws_size' => '1073741824', - 'wsrep_debug' => '0', - 'wsrep_convert_LOCK_to_trx' => '0', - 'wsrep_retry_autocommit' => '1', - 'wsrep_auto_increment_control' => '1', - 'wsrep_drupal_282555_workaround'=> '0', - 'wsrep_causal_reads' => '0', - 'wsrep_sst_method' => 'rsync', - 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;", + 'skip-name-resolve' => '1', + 'binlog_format' => 'ROW', + 'default-storage-engine' => 'innodb', + 'innodb_autoinc_lock_mode' => '2', + 'innodb_locks_unsafe_for_binlog' => '1', + 'innodb_file_per_table' => 'ON', + 'innodb_flush_log_at_trx_commit' => $innodb_flush_log_at_trx_commit, + 'query_cache_size' => '0', + 'query_cache_type' => '0', + 'bind-address' => $bind_address, + 'max_connections' => hiera('mysql_max_connections'), + 'open_files_limit' => '-1', + 'wsrep_on' => 'ON', + 'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so', + 'wsrep_cluster_name' => 'galera_cluster', + 'wsrep_cluster_address' => "gcomm://${galera_nodes}", + 'wsrep_slave_threads' => '1', + 'wsrep_certify_nonPK' => '1', + 'wsrep_max_ws_rows' => '131072', + 'wsrep_max_ws_size' => '1073741824', + 'wsrep_debug' => '0', + 'wsrep_convert_LOCK_to_trx' => '0', + 'wsrep_retry_autocommit' => '1', + 'wsrep_auto_increment_control' => '1', + 'wsrep_drupal_282555_workaround' => '0', + 'wsrep_causal_reads' => '0', + 'wsrep_sst_method' => 'rsync', + 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", } } diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp index 56e9e28..a80b2de 100644 --- a/manifests/profile/pacemaker/database/mysql_bundle.pp +++ b/manifests/profile/pacemaker/database/mysql_bundle.pp @@ -215,7 +215,7 @@ MYSQL_HOST=localhost\n", 'options' => 'ro', }, 'mysql-cfg-data' => { - 'source-dir' => '/var/lib/config-data/mysql', + 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/', 'target-dir' => '/var/lib/kolla/config_files/src', 'options' => 'ro', }, diff --git a/manifests/profile/pacemaker/database/redis_bundle.pp b/manifests/profile/pacemaker/database/redis_bundle.pp index dd090d7..ea153a8 100644 --- a/manifests/profile/pacemaker/database/redis_bundle.pp +++ b/manifests/profile/pacemaker/database/redis_bundle.pp @@ -83,77 +83,62 @@ class tripleo::profile::pacemaker::database::redis_bundle ( run_command => '/bin/bash /usr/local/bin/kolla_start', network => "control-port=${redis_docker_control_port}", storage_maps => { - 'redis-cfg-files' => { + 'redis-cfg-files' => { 'source-dir' => '/var/lib/kolla/config_files/redis.json', 'target-dir' => '/var/lib/kolla/config_files/config.json', 'options' => 'ro', }, - 'redis-cfg-data-redis' => { - 'source-dir' => '/var/lib/config-data/redis/etc/redis', - 'target-dir' => '/etc/redis', + 'redis-cfg-data-redis' => { + 'source-dir' => '/var/lib/config-data/puppet-generated/redis/', + 'target-dir' => '/var/lib/kolla/config_files/src', 'options' => 'ro', }, - 'redis-cfg-data-redis-conf' => { - 'source-dir' => '/var/lib/config-data/redis/etc/redis.conf', - 'target-dir' => '/etc/redis.conf', - 'options' => 'ro', - }, - 'redis-cfg-data-redis-conf-puppet' => { - 'source-dir' => '/var/lib/config-data/redis/etc/redis.conf.puppet', - 'target-dir' => '/etc/redis.conf.puppet', - 'options' => 'ro', - }, - 'redis-cfg-data-redis-sentinel' => { - 'source-dir' => '/var/lib/config-data/redis/etc/redis-sentinel.conf', - 'target-dir' => '/etc/redis-sentinel.conf', - 'options' => 'ro', - }, - 'redis-hosts' => { + 'redis-hosts' => { 'source-dir' => '/etc/hosts', 'target-dir' => '/etc/hosts', 'options' => 'ro', }, - 'redis-localtime' => { + 'redis-localtime' => { 'source-dir' => '/etc/localtime', 'target-dir' => '/etc/localtime', 'options' => 'ro', }, - 'redis-lib' => { + 'redis-lib' => { 'source-dir' => '/var/lib/redis', 'target-dir' => '/var/lib/redis', 'options' => 'rw', }, - 'redis-log' => { + 'redis-log' => { 'source-dir' => '/var/log/redis', 'target-dir' => '/var/log/redis', 'options' => 'rw', }, - 'redis-run' => { + 'redis-run' => { 'source-dir' => '/var/run/redis', 'target-dir' => '/var/run/redis', 'options' => 'rw', }, - 'redis-pki-extracted' => { + 'redis-pki-extracted' => { 'source-dir' => '/etc/pki/ca-trust/extracted', 'target-dir' => '/etc/pki/ca-trust/extracted', 'options' => 'ro', }, - 'redis-pki-ca-bundle-crt' => { + 'redis-pki-ca-bundle-crt' => { 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', 'options' => 'ro', }, - 'redis-pki-ca-bundle-trust-crt' => { + 'redis-pki-ca-bundle-trust-crt' => { 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', 'options' => 'ro', }, - 'redis-pki-cert' => { + 'redis-pki-cert' => { 'source-dir' => '/etc/pki/tls/cert.pem', 'target-dir' => '/etc/pki/tls/cert.pem', 'options' => 'ro', }, - 'redis-dev-log' => { + 'redis-dev-log' => { 'source-dir' => '/dev/log', 'target-dir' => '/dev/log', 'options' => 'rw', diff --git a/manifests/profile/pacemaker/haproxy_bundle.pp b/manifests/profile/pacemaker/haproxy_bundle.pp index 9c1bdf3..b785ea7 100644 --- a/manifests/profile/pacemaker/haproxy_bundle.pp +++ b/manifests/profile/pacemaker/haproxy_bundle.pp @@ -30,6 +30,11 @@ # (Optional) Whether load balancing is enabled for this cluster # Defaults to hiera('enable_load_balancer', true) # +# [*deployed_ssl_cert_path*] +# (Optional) The filepath of the certificate as it will be stored in +# the controller. +# Defaults to '/etc/pki/tls/private/overcloud_endpoint.pem' +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -40,11 +45,12 @@ # Defaults to hiera('pcs_tries', 20) # class tripleo::profile::pacemaker::haproxy_bundle ( - $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), - $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), - $enable_load_balancer = hiera('enable_load_balancer', true), - $step = Integer(hiera('step')), - $pcs_tries = hiera('pcs_tries', 20), + $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), + $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $deployed_ssl_cert_path = '/etc/pki/tls/private/overcloud_endpoint.pem', + $step = Integer(hiera('step')), + $pcs_tries = hiera('pcs_tries', 20), ) { include ::tripleo::profile::base::haproxy @@ -98,8 +104,8 @@ class tripleo::profile::pacemaker::haproxy_bundle ( 'options' => 'ro', }, 'haproxy-cfg-data' => { - 'source-dir' => '/var/lib/config-data/haproxy/etc', - 'target-dir' => '/etc', + 'source-dir' => '/var/lib/config-data/puppet-generated/haproxy/', + 'target-dir' => '/var/lib/kolla/config_files/src', 'options' => 'ro', }, 'haproxy-hosts' => { @@ -137,6 +143,11 @@ class tripleo::profile::pacemaker::haproxy_bundle ( 'target-dir' => '/dev/log', 'options' => 'rw', }, + 'haproxy-cert' => { + 'source-dir' => $deployed_ssl_cert_path, + 'target-dir' => $deployed_ssl_cert_path, + 'options' => 'ro', + }, }, } $control_vip = hiera('controller_virtual_ip') diff --git a/manifests/profile/pacemaker/rabbitmq_bundle.pp b/manifests/profile/pacemaker/rabbitmq_bundle.pp index 0a6295c..2f848b4 100644 --- a/manifests/profile/pacemaker/rabbitmq_bundle.pp +++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp @@ -121,8 +121,8 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( 'options' => 'ro', }, 'rabbitmq-cfg-data' => { - 'source-dir' => '/var/lib/config-data/rabbitmq/etc/rabbitmq', - 'target-dir' => '/etc/rabbitmq', + 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/', + 'target-dir' => '/var/lib/kolla/config_files/src', 'options' => 'ro', }, 'rabbitmq-hosts' => { diff --git a/manifests/ui.pp b/manifests/ui.pp index 825ffc2..d744044 100644 --- a/manifests/ui.pp +++ b/manifests/ui.pp @@ -136,13 +136,16 @@ class tripleo::ui ( $endpoint_config_swift = undef, ) { + package {'openstack-tripleo-ui': } + include ::apache include ::apache::mod::proxy include ::apache::mod::proxy_http include ::apache::mod::proxy_wstunnel ::apache::vhost { 'tripleo-ui': ensure => 'present', + require => Package['openstack-tripleo-ui'], servername => $servername, ip => $bind_host, port => $ui_port, diff --git a/releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml b/releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml new file mode 100644 index 0000000..8359456 --- /dev/null +++ b/releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Added new parameter mysql_maxconn to the tripleo::haproxy class, + allowing haproxy maxconn to be configured for the MySQL server. diff --git a/releasenotes/notes/allow-missing-pci-dev-for-sriov-bbc29f62fcac10ff.yaml b/releasenotes/notes/allow-missing-pci-dev-for-sriov-bbc29f62fcac10ff.yaml new file mode 100644 index 0000000..f2fc2f2 --- /dev/null +++ b/releasenotes/notes/allow-missing-pci-dev-for-sriov-bbc29f62fcac10ff.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Allow VF configuration files to be written for non-existent PCI devices to + allow updates while physical functions are currently in use by a guest. diff --git a/releasenotes/notes/contrail-move-traffic-to-internal_api-ddc96d24c7018b81.yaml b/releasenotes/notes/contrail-move-traffic-to-internal_api-ddc96d24c7018b81.yaml new file mode 100644 index 0000000..2505c54 --- /dev/null +++ b/releasenotes/notes/contrail-move-traffic-to-internal_api-ddc96d24c7018b81.yaml @@ -0,0 +1,10 @@ +--- +fixes: + - | + Traffic between Contrail nodes used the public network. This release will + move the traffic to the internal_api network per default and also allows + to optionally use the storage_mgmt network. This is in preparation for + for composable networks, where Contrail will have its own network. +features: + - | + This release allows to enable Contrail DPDK on the compute nodes. diff --git a/releasenotes/notes/innodb_flush_log_at_trx_commit-eb7d99749ca3c911.yaml b/releasenotes/notes/innodb_flush_log_at_trx_commit-eb7d99749ca3c911.yaml new file mode 100644 index 0000000..7dbd5a7 --- /dev/null +++ b/releasenotes/notes/innodb_flush_log_at_trx_commit-eb7d99749ca3c911.yaml @@ -0,0 +1,17 @@ +--- +features: + - | + Enable innodb_flush_log_at_trx_commit configuration for Galera only. +upgrade: + - | + Setting the innodb_flush_log_at_trx_commit flag to the value of "2" instead + of its default value of "1" means that the underlying MySQL/MariaDB engine + will no longer flush transactions to disk on a per-transaction basis; + instead, flushes occur once per second. This leads to far fewer + disk writes and can dramatically improve write performance, at the cost + of durability (e.g. will lose the last second's worth of transactions) + if the database engine is ungracefully shut down. The + clustered nature of Galera mitigates this risk in that transactions + are replicated to other nodes before completion, and the setting of + "2" is considered to be generally safe for a Galera cluster, with the + exception case of simultaneous power loss for all nodes. diff --git a/releasenotes/notes/nf_conntrack_proto_sctp-a64300a3fc7b4e55.yaml b/releasenotes/notes/nf_conntrack_proto_sctp-a64300a3fc7b4e55.yaml new file mode 100644 index 0000000..9aad5ee --- /dev/null +++ b/releasenotes/notes/nf_conntrack_proto_sctp-a64300a3fc7b4e55.yaml @@ -0,0 +1,9 @@ +--- +issues: + - | + Ignore failures if nf_conntrack_proto_sctp module failed to load. + Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the + kernel instead of as a module as the sctp support. + TripleO will still try to load the module to support RHEL 7.3, but + in the future will remove the module management and rely on the kernel + provided in newer versions of RHEL. diff --git a/releasenotes/notes/start-httpd-step3-and-4-2bd7be9e1429ef6d.yaml b/releasenotes/notes/start-httpd-step3-and-4-2bd7be9e1429ef6d.yaml new file mode 100644 index 0000000..02e0d48 --- /dev/null +++ b/releasenotes/notes/start-httpd-step3-and-4-2bd7be9e1429ef6d.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - In order to avoid service restarts, all services deploy their httpd + configuration at the same time. Thus, httpd now starts in step 3 for the + bootstrap nodes, and step 4 for all other nodes. diff --git a/releasenotes/notes/swift-dispersion-profile-09dc69980028e751.yaml b/releasenotes/notes/swift-dispersion-profile-09dc69980028e751.yaml new file mode 100644 index 0000000..18c8642 --- /dev/null +++ b/releasenotes/notes/swift-dispersion-profile-09dc69980028e751.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Added a new profile for the setup of the Swift dispersion tool. This will + be executed in step 5 or later to ensure Swift and Keystone are already up + and running. diff --git a/releasenotes/notes/veritas-hyperscale-driver-profile-970b5cb72f9fdcba.yaml b/releasenotes/notes/veritas-hyperscale-driver-profile-970b5cb72f9fdcba.yaml new file mode 100644 index 0000000..0f98d44 --- /dev/null +++ b/releasenotes/notes/veritas-hyperscale-driver-profile-970b5cb72f9fdcba.yaml @@ -0,0 +1,3 @@ +--- +features: + - New profile for Veritas HyperScale Cinder backend. diff --git a/releasenotes/notes/zaqar_undercloud_backends-66c268161cf7840e.yaml b/releasenotes/notes/zaqar_undercloud_backends-66c268161cf7840e.yaml new file mode 100644 index 0000000..d1a463b --- /dev/null +++ b/releasenotes/notes/zaqar_undercloud_backends-66c268161cf7840e.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Support configurable backends Zaqar backends. + Updates the Zaqar profile so that we have support for configuring + alternate versions of the messaging and management backends. diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py index 4661b77..d045d6a 100644 --- a/releasenotes/source/conf.py +++ b/releasenotes/source/conf.py @@ -20,6 +20,7 @@ # -- General configuration ------------------------------------------------ + # If your documentation needs a minimal Sphinx version, state it here. #needs_sphinx = '1.0' @@ -27,7 +28,7 @@ # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ - 'oslosphinx', + 'openstackdocstheme', 'reno.sphinxext', ] @@ -99,7 +100,7 @@ pygments_style = 'sphinx' # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. -html_theme = 'default' +html_theme = 'openstackdocs' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the @@ -107,7 +108,7 @@ html_theme = 'default' #html_theme_options = {} # Add any paths that contain custom themes here, relative to this directory. -#html_theme_path = [] +# html_theme_path = [] # The name for this set of Sphinx documents. If None, it defaults to # "<project> v<release> documentation". @@ -137,7 +138,7 @@ html_static_path = ['_static'] # If not '', a 'Last updated on:' timestamp is inserted at every page bottom, # using the given strftime format. -#html_last_updated_fmt = '%b %d, %Y' +html_last_updated_fmt = '%Y-%m-%d %H:%M' # If true, SmartyPants will be used to convert quotes and dashes to # typographically correct entities. @@ -260,3 +261,8 @@ texinfo_documents = [ # -- Options for Internationalization output ------------------------------ locale_dirs = ['locale/'] + +# openstackdocstheme options +repository_name = 'openstack/puppet-tripleo' +bug_project = 'puppet-tripleo' +bug_tag = '' diff --git a/spec/classes/tripleo_certmonger_ca_local_spec.rb b/spec/classes/tripleo_certmonger_ca_local_spec.rb index 7ee9383..b6ecebc 100644 --- a/spec/classes/tripleo_certmonger_ca_local_spec.rb +++ b/spec/classes/tripleo_certmonger_ca_local_spec.rb @@ -21,6 +21,11 @@ require 'spec_helper' describe 'tripleo::certmonger::ca::local' do shared_examples_for 'tripleo::certmonger::ca::local' do + + let :pre_condition do + "include ::certmonger" + end + let :params do { :ca_pem => '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem', diff --git a/spec/classes/tripleo_haproxy_spec.rb b/spec/classes/tripleo_haproxy_spec.rb new file mode 100644 index 0000000..966729a --- /dev/null +++ b/spec/classes/tripleo_haproxy_spec.rb @@ -0,0 +1,115 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::haproxy' do + + shared_examples_for 'tripleo::haproxy' do + let :params do { + :controller_virtual_ip => '10.1.0.1', + :public_virtual_ip => '192.168.0.1' + } + end + + describe "default settings" do + it 'should configure haproxy' do + is_expected.to contain_haproxy__listen('mysql').with( + :options => { + 'timeout client' => "90m", + 'timeout server' => "90m", + 'maxconn' => :undef + } + ) + end + end + + describe "set clustercheck" do + before :each do + params.merge!({ + :mysql_clustercheck => true, + }) + end + + it 'should configure haproxy with clustercheck' do + is_expected.to contain_haproxy__listen('mysql').with( + :options => { + 'timeout client' => "90m", + 'timeout server' => "90m", + 'option' => ["tcpka", "httpchk"], + 'timeout client' => "90m", + 'timeout server' => "90m", + 'stick-table' => "type ip size 1000", + 'stick' => "on dst", + 'maxconn' => :undef + } + ) + end + end + + describe "override maxconn with clustercheck" do + before :each do + params.merge!({ + :mysql_clustercheck => true, + :mysql_max_conn => 6500, + }) + end + + it 'should configure haproxy' do + is_expected.to contain_haproxy__listen('mysql').with( + :options => { + 'option' => ["tcpka", "httpchk"], + 'timeout client' => "90m", + 'timeout server' => "90m", + 'stick-table' => "type ip size 1000", + 'stick' => "on dst", + 'maxconn' => 6500 + } + ) + end + end + + describe "override maxconn without clustercheck" do + before :each do + params.merge!({ + :mysql_max_conn => 6500, + }) + end + + it 'should configure haproxy' do + is_expected.to contain_haproxy__listen('mysql').with( + :options => { + 'timeout client' => "90m", + 'timeout server' => "90m", + 'maxconn' => 6500 + } + ) + end + end + + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ }) + end + + it_behaves_like 'tripleo::haproxy' + end + end + +end
\ No newline at end of file diff --git a/spec/classes/tripleo_host_sriov_spec.rb b/spec/classes/tripleo_host_sriov_spec.rb index 920eb9b..eb2213a 100644 --- a/spec/classes/tripleo_host_sriov_spec.rb +++ b/spec/classes/tripleo_host_sriov_spec.rb @@ -17,8 +17,8 @@ describe 'tripleo::host::sriov' do end it 'configures numvfs' do - is_expected.to contain_sriov_vf_config('eth0:4').with( :ensure => 'present' ) - is_expected.to contain_sriov_vf_config('eth1:5').with( :ensure => 'present') + is_expected.to contain_sriov_vf_config('eth0:4') + is_expected.to contain_sriov_vf_config('eth1:5') is_expected.to contain_tripleo__host__sriov__numvfs_persistence('persistent_numvfs').with( :vf_defs => ['eth0:4','eth1:5'], :content_string => "#!/bin/bash\n" diff --git a/spec/classes/tripleo_profile_base_aodh_api_spec.rb b/spec/classes/tripleo_profile_base_aodh_api_spec.rb index a82cf49..27bd735 100644 --- a/spec/classes/tripleo_profile_base_aodh_api_spec.rb +++ b/spec/classes/tripleo_profile_base_aodh_api_spec.rb @@ -33,12 +33,35 @@ describe 'tripleo::profile::base::aodh::api' do end end - context 'with step 3' do + context 'with step 3 and not bootstrap' do let(:params) { { :step => 3, } } it 'should trigger complete configuration' do + is_expected.not_to contain_class('aodh::api') + is_expected.not_to contain_class('aodh::wsgi::apache') + end + end + + context 'with step 3 and bootstrap' do + let(:params) { { + :step => 3, + :bootstrap_node => 'node.example.com' + } } + + it 'should trigger complete configuration' do + is_expected.to contain_class('aodh::api') + is_expected.to contain_class('aodh::wsgi::apache') + end + end + + context 'with step 4' do + let(:params) { { + :step => 4, + } } + + it 'should trigger complete configuration' do is_expected.to contain_class('aodh::api') is_expected.to contain_class('aodh::wsgi::apache') end diff --git a/spec/classes/tripleo_profile_base_ceilometer_api_spec.rb b/spec/classes/tripleo_profile_base_ceilometer_api_spec.rb index cec2b54..9cb657f 100644 --- a/spec/classes/tripleo_profile_base_ceilometer_api_spec.rb +++ b/spec/classes/tripleo_profile_base_ceilometer_api_spec.rb @@ -32,9 +32,32 @@ describe 'tripleo::profile::base::ceilometer::api' do end end - context 'with step 3' do + context 'with step 3 and not bootstrap' do let(:params) { { - :step => 3, + :step => 3, + } } + + it 'should trigger complete configuration' do + is_expected.not_to contain_class('ceilometer::api') + is_expected.not_to contain_class('ceilometer::wsgi::apache') + end + end + + context 'with step 3 and bootstrap' do + let(:params) { { + :step => 3, + :bootstrap_node => 'node.example.com' + } } + + it 'should trigger complete configuration' do + is_expected.to contain_class('ceilometer::api') + is_expected.to contain_class('ceilometer::wsgi::apache') + end + end + + context 'with step 4' do + let(:params) { { + :step => 4, } } it 'should trigger complete configuration' do diff --git a/spec/classes/tripleo_profile_base_cinder_veritas_hyperscale_spec.rb b/spec/classes/tripleo_profile_base_cinder_veritas_hyperscale_spec.rb new file mode 100644 index 0000000..63c1147 --- /dev/null +++ b/spec/classes/tripleo_profile_base_cinder_veritas_hyperscale_spec.rb @@ -0,0 +1,57 @@ +# +# Copyright (c) 2017 Veritas Technologies LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::cinder::volume::veritas_hyperscale' do + shared_examples_for 'tripleo::profile::base::cinder::volume::veritas_hyperscale' do + before :each do + facts.merge!({ :step => params[:step] }) + end + + context 'with step less than 4' do + let(:params) { { :step => 3 } } + + it 'should do nothing' do + is_expected.to contain_class('tripleo::profile::base::cinder::volume::veritas_hyperscale') + is_expected.to contain_class('tripleo::profile::base::cinder::volume') + is_expected.to contain_class('tripleo::profile::base::cinder') + is_expected.to_not contain_cinder__backend__veritas_hyperscale('Veritas_HyperScale') + end + end + + context 'with step 4' do + let(:params) { { + :step => 4, + } } + + it 'should trigger complete configuration' do + is_expected.to contain_cinder__backend__veritas_hyperscale('Veritas_HyperScale') + end + end + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::cinder::volume::veritas_hyperscale' + end + end +end diff --git a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb index aa3dd89..03f5325 100644 --- a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb +++ b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb @@ -132,6 +132,25 @@ describe 'tripleo::profile::base::cinder::volume' do end end + context 'with only veritas hyperscale' do + before :each do + params.merge!({ + :cinder_enable_vrts_hs_backend => true, + :cinder_enable_iscsi_backend => false, + }) + end + it 'should configure only veritas hyperscale' do + is_expected.to contain_class('tripleo::profile::base::cinder::volume::veritas_hyperscale') + is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::iscsi') + is_expected.to contain_class('tripleo::profile::base::cinder::volume') + is_expected.to contain_class('tripleo::profile::base::cinder') + is_expected.to contain_class('cinder::volume') + is_expected.to contain_class('cinder::backends').with( + :enabled_backends => ['Veritas_HyperScale'] + ) + end + end + context 'with only nfs' do before :each do params.merge!({ @@ -183,6 +202,7 @@ describe 'tripleo::profile::base::cinder::volume' do is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::dellsc') is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::dellps') is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::netapp') + is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::veritas_hyperscale') is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::nfs') is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::rbd') is_expected.to contain_class('tripleo::profile::base::cinder::volume') @@ -197,13 +217,14 @@ describe 'tripleo::profile::base::cinder::volume' do context 'with all tripleo backends' do before :each do params.merge!({ - :cinder_enable_nfs_backend => true, - :cinder_enable_rbd_backend => true, - :cinder_enable_iscsi_backend => true, - :cinder_enable_pure_backend => true, - :cinder_enable_dellsc_backend => true, - :cinder_enable_dellps_backend => true, - :cinder_enable_netapp_backend => true, + :cinder_enable_nfs_backend => true, + :cinder_enable_rbd_backend => true, + :cinder_enable_iscsi_backend => true, + :cinder_enable_pure_backend => true, + :cinder_enable_dellsc_backend => true, + :cinder_enable_dellps_backend => true, + :cinder_enable_netapp_backend => true, + :cinder_enable_vrts_hs_backend => true, }) end it 'should configure all backends' do @@ -212,6 +233,7 @@ describe 'tripleo::profile::base::cinder::volume' do is_expected.to contain_class('tripleo::profile::base::cinder::volume::dellsc') is_expected.to contain_class('tripleo::profile::base::cinder::volume::dellps') is_expected.to contain_class('tripleo::profile::base::cinder::volume::netapp') + is_expected.to contain_class('tripleo::profile::base::cinder::volume::veritas_hyperscale') is_expected.to contain_class('tripleo::profile::base::cinder::volume::nfs') is_expected.to contain_class('tripleo::profile::base::cinder::volume::rbd') is_expected.to contain_class('tripleo::profile::base::cinder::volume') @@ -219,7 +241,7 @@ describe 'tripleo::profile::base::cinder::volume' do is_expected.to contain_class('cinder::volume') is_expected.to contain_class('cinder::backends').with( :enabled_backends => ['tripleo_iscsi', 'tripleo_ceph', 'tripleo_pure', 'tripleo_dellps', - 'tripleo_dellsc', 'tripleo_netapp','tripleo_nfs'] + 'tripleo_dellsc', 'tripleo_netapp','tripleo_nfs','Veritas_HyperScale'] ) end end diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb index bb21055..dc5efa7 100644 --- a/spec/classes/tripleo_profile_base_docker_spec.rb +++ b/spec/classes/tripleo_profile_base_docker_spec.rb @@ -27,8 +27,7 @@ describe 'tripleo::profile::base::docker' do it { is_expected.to contain_package('docker') } it { is_expected.to contain_service('docker') } it { - is_expected.to contain_augeas('docker-sysconfig').with_changes([ - 'rm INSECURE_REGISTRY', + is_expected.to contain_augeas('docker-sysconfig-options').with_changes([ "set OPTIONS '\"--log-driver=journald --signature-verification=false\"'", ]) } @@ -45,9 +44,8 @@ describe 'tripleo::profile::base::docker' do it { is_expected.to contain_package('docker') } it { is_expected.to contain_service('docker') } it { - is_expected.to contain_augeas('docker-sysconfig').with_changes([ + is_expected.to contain_augeas('docker-sysconfig-registry').with_changes([ "set INSECURE_REGISTRY '\"--insecure-registry foo:8787\"'", - "set OPTIONS '\"--log-driver=journald --signature-verification=false\"'", ]) } end @@ -85,8 +83,7 @@ describe 'tripleo::profile::base::docker' do it { is_expected.to contain_package('docker') } it { is_expected.to contain_service('docker') } it { - is_expected.to contain_augeas('docker-sysconfig').with_changes([ - "rm INSECURE_REGISTRY", + is_expected.to contain_augeas('docker-sysconfig-options').with_changes([ "set OPTIONS '\"--log-driver=syslog\"'", ]) } diff --git a/spec/classes/tripleo_profile_base_horizon_spec.rb b/spec/classes/tripleo_profile_base_horizon_spec.rb index fb076b8..d8a672b 100644 --- a/spec/classes/tripleo_profile_base_horizon_spec.rb +++ b/spec/classes/tripleo_profile_base_horizon_spec.rb @@ -31,11 +31,37 @@ describe 'tripleo::profile::base::horizon' do end end - context 'with step 3' do + context 'with step 3 and not bootstrap' do let(:params) { { :step => 3, } } + it 'should not configure anything' do + is_expected.to_not contain_class('horizon') + is_expected.to_not contain_class('apache::mod::remoteip') + is_expected.to_not contain_class('apache::mod::status') + end + end + + context 'with step 3 and bootstrap' do + let(:params) { { + :step => 3, + :bootstrap_node => 'node.example.com' + } } + + it 'should trigger complete configuration' do + is_expected.to contain_class('horizon') + is_expected.to contain_class('apache::mod::remoteip') + is_expected.to contain_class('apache::mod::status') + end + end + + context 'with step 4' do + let(:params) { { + :step => 3, + :bootstrap_node => 'node.example.com' + } } + it 'should trigger complete configuration' do is_expected.to contain_class('horizon') is_expected.to contain_class('apache::mod::remoteip') diff --git a/spec/classes/tripleo_profile_base_iscsid_spec.rb b/spec/classes/tripleo_profile_base_iscsid_spec.rb new file mode 100644 index 0000000..04f3c2c --- /dev/null +++ b/spec/classes/tripleo_profile_base_iscsid_spec.rb @@ -0,0 +1,42 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::iscsid' do + shared_examples_for 'tripleo::profile::base::iscsid' do + context 'default params' do + let(:params) { { :step => 2, } } + + it { + is_expected.to contain_package('iscsi-initiator-utils') + is_expected.to contain_exec('reset-iscsi-initiator-name') + is_expected.to contain_file('/etc/iscsi/.initiator_reset') + } + end + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::iscsid' + end + end +end diff --git a/spec/classes/tripleo_profile_base_kernel_spec.rb b/spec/classes/tripleo_profile_base_kernel_spec.rb new file mode 100644 index 0000000..4c2aab2 --- /dev/null +++ b/spec/classes/tripleo_profile_base_kernel_spec.rb @@ -0,0 +1,59 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::kernel' do + + shared_examples_for 'tripleo::profile::base::kernel' do + context 'with kernel modules' do + let :params do + { + :module_list => { + 'nf_conntrack' => {}, + } + } + end + + it 'should load kernel module' do + is_expected.to contain_kmod__load('nf_conntrack') + end + end + context 'with sysctl settings' do + let :params do + { + :sysctl_settings => { + 'net.ipv4.tcp_keepalive_intvl' => { 'value' => '1'}, + } + } + end + + it 'should load kernel module' do + is_expected.to contain_sysctl__value('net.ipv4.tcp_keepalive_intvl') + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) { + facts + } + + it_behaves_like 'tripleo::profile::base::kernel' + end + end +end diff --git a/spec/classes/tripleo_profile_base_lvm_spec.rb b/spec/classes/tripleo_profile_base_lvm_spec.rb new file mode 100644 index 0000000..ac0031f --- /dev/null +++ b/spec/classes/tripleo_profile_base_lvm_spec.rb @@ -0,0 +1,53 @@ +# coding: utf-8 +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::lvm' do + + shared_examples_for 'tripleo::profile::base::lvm' do + + context 'with default params' do + it 'should enable udev_sync and udev_rules' do + is_expected.to contain_augeas('udev options in lvm.conf') + .with_changes(["set udev_sync/int 1", + "set udev_rules/int 1"]) + end + end + + context 'with enable_udev false' do + let(:params) { { :enable_udev => false } } + + it 'should disable udev_sync and udev_rules' do + is_expected.to contain_augeas('udev options in lvm.conf') + .with_changes(["set udev_sync/int 0", + "set udev_rules/int 0"]) + end + end + end + + + on_supported_os.each do |os, facts| + context 'on #{os}' do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::lvm' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_authtoken_spec.rb b/spec/classes/tripleo_profile_base_nova_authtoken_spec.rb index f910729..0a87bf4 100644 --- a/spec/classes/tripleo_profile_base_nova_authtoken_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_authtoken_spec.rb @@ -32,6 +32,7 @@ describe 'tripleo::profile::base::nova::authtoken' do context 'with step 3' do let(:params) { { :step => 3, + :memcached_ips => '127.0.0.1', } } it { @@ -44,7 +45,7 @@ describe 'tripleo::profile::base::nova::authtoken' do context 'with step 3 with ipv6' do let(:params) { { :step => 3, - :use_ipv6 => true, + :memcached_ips => '::1', } } it { diff --git a/spec/classes/tripleo_profile_base_nova_compute_libvirt_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_libvirt_spec.rb index 32482a9..db9e77e 100644 --- a/spec/classes/tripleo_profile_base_nova_compute_libvirt_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_compute_libvirt_spec.rb @@ -41,6 +41,12 @@ describe 'tripleo::profile::base::nova::compute::libvirt' do class { '::tripleo::profile::base::nova::compute': step => #{params[:step]}, } + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::tripleo::profile::base::nova::migration::client': + step => #{params[:step]} + } eos end diff --git a/spec/classes/tripleo_profile_base_nova_compute_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_spec.rb index 545a1fa..b3959c4 100644 --- a/spec/classes/tripleo_profile_base_nova_compute_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_compute_spec.rb @@ -27,9 +27,6 @@ describe 'tripleo::profile::base::nova::compute' do is_expected.to_not contain_class('tripleo::profile::base::nova') is_expected.to_not contain_class('nova::compute') is_expected.to_not contain_class('nova::network::neutron') - is_expected.to_not contain_package('iscsi-initiator-utils') - is_expected.to_not contain_exec('reset-iscsi-initiator-name') - is_expected.to_not contain_file('/etc/iscsi/.initiator_reset') } end @@ -40,6 +37,12 @@ describe 'tripleo::profile::base::nova::compute' do step => #{params[:step]}, oslomsg_rpc_hosts => [ '127.0.0.1' ], } + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::tripleo::profile::base::nova::migration::client': + step => #{params[:step]} + } eos end @@ -52,9 +55,6 @@ eos is_expected.to contain_class('tripleo::profile::base::nova') is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::network::neutron') - is_expected.to contain_package('iscsi-initiator-utils') - is_expected.to contain_exec('reset-iscsi-initiator-name') - is_expected.to contain_file('/etc/iscsi/.initiator_reset') is_expected.to_not contain_package('nfs-utils') } end @@ -68,9 +68,6 @@ eos is_expected.to contain_class('tripleo::profile::base::nova') is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::network::neutron') - is_expected.to contain_package('iscsi-initiator-utils') - is_expected.to contain_exec('reset-iscsi-initiator-name') - is_expected.to contain_file('/etc/iscsi/.initiator_reset') is_expected.to contain_package('nfs-utils') } end diff --git a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb index 36a6110..d9a06b2 100644 --- a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb @@ -39,6 +39,12 @@ describe 'tripleo::profile::base::nova::libvirt' do step => #{params[:step]}, oslomsg_rpc_hosts => [ '127.0.0.1' ], } + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::tripleo::profile::base::nova::migration::client': + step => #{params[:step]} + } eos end diff --git a/spec/classes/tripleo_profile_base_nova_migration_client_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_client_spec.rb new file mode 100644 index 0000000..91294dd --- /dev/null +++ b/spec/classes/tripleo_profile_base_nova_migration_client_spec.rb @@ -0,0 +1,188 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::nova::migration::client' do + shared_examples_for 'tripleo::profile::base::nova::migration::client' do + + context 'with step 4' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => false, + :configure_nova => false + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + context 'with step 4 with libvirt' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :nova_compute_enabled => true, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + context 'with step 4 with libvirt TLS' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :nova_compute_enabled => true, + :libvirt_tls => true, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled], + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + context 'with step 4 with libvirt and migration ssh key' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :nova_compute_enabled => true, + :ssh_private_key => 'foo' + } } + + it { + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => 'foo', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + context 'with step 4 with libvirt TLS and migration ssh key' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :nova_compute_enabled => true, + :libvirt_tls => true, + :ssh_private_key => 'foo' + } } + + it { + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => 'foo', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + it_behaves_like 'tripleo::profile::base::nova::migration::client' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_migration_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_spec.rb new file mode 100644 index 0000000..86c790e --- /dev/null +++ b/spec/classes/tripleo_profile_base_nova_migration_spec.rb @@ -0,0 +1,40 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::nova::migration' do + shared_examples_for 'tripleo::profile::base::nova::migration' do + + context 'with step 3' do + let(:params) { { + :step => 3, + } } + + it { + is_expected.to contain_package('openstack-nova-migration') + } + end + + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + it_behaves_like 'tripleo::profile::base::nova::migration' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb new file mode 100644 index 0000000..a14b89a --- /dev/null +++ b/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb @@ -0,0 +1,283 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::nova::migration::target' do + shared_examples_for 'tripleo::profile::base::nova::migration::target' do + + context 'with step 4 without authorized_keys' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :services_enabled => ['docker', 'nova_migration_target'] + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/sbin/nologin' + ) + } + end + + context 'with step 4 without nova_migration_target service enabled' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['bar', 'baz'], + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/sbin/nologin' + ) + } + end + + context 'with step 4 with invalid ssh_authorized_keys' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => 'ssh-rsa bar', + } } + + it { is_expected.to_not compile } + end + + context 'with step 4 with nova_migration_target services enabled' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'], + :services_enabled => ['docker', 'nova_migration_target'] + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_ssh__server__match_block('nova_migration allow').with( + :type => 'User', + :name => 'nova_migration', + :options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + } + ) + is_expected.to_not contain_ssh__server__match_block('nova_migration deny') + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => 'ssh-rsa bar\nssh-rsa baz', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' + ) + } + end + + context 'with step 4 with ssh_localaddrs' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'], + :services_enabled => ['docker', 'nova_migration_target'], + :ssh_localaddrs => ['127.0.0.1', '127.0.0.2'] + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_ssh__server__match_block('nova_migration allow').with( + :type => 'LocalAddress 127.0.0.1,127.0.0.2 User', + :name => 'nova_migration', + :options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + } + ) + is_expected.to contain_ssh__server__match_block('nova_migration deny').with( + :type => 'LocalAddress', + :name => '!127.0.0.1,!127.0.0.2', + :options => { + 'DenyUsers' => 'nova_migration' + } + ) + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => 'ssh-rsa bar\nssh-rsa baz', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' + ) + } + end + + context 'with step 4 with duplicate ssh_localaddrs' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'], + :services_enabled => ['docker', 'nova_migration_target'], + :ssh_localaddrs => ['127.0.0.1', '127.0.0.1'] + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_ssh__server__match_block('nova_migration allow').with( + :type => 'LocalAddress 127.0.0.1 User', + :name => 'nova_migration', + :options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + } + ) + is_expected.to contain_ssh__server__match_block('nova_migration deny').with( + :type => 'LocalAddress', + :name => '!127.0.0.1', + :options => { + 'DenyUsers' => 'nova_migration' + } + ) + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => 'ssh-rsa bar\nssh-rsa baz', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' + ) + } + end + + context 'with step 4 with invalid ssh_localaddrs' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'], + :services_enabled => ['docker', 'nova_migration_target'], + :ssh_localaddrs => ['127.0.0.1', ''] + } } + + it { is_expected.to_not compile } + end + + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + it_behaves_like 'tripleo::profile::base::nova::migration::target' + end + end +end
\ No newline at end of file diff --git a/spec/classes/tripleo_profile_base_nova_placement_spec.rb b/spec/classes/tripleo_profile_base_nova_placement_spec.rb index 04e032a..574489e 100644 --- a/spec/classes/tripleo_profile_base_nova_placement_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_placement_spec.rb @@ -67,8 +67,7 @@ eos } end - - context 'with step 3' do + context 'with step 3 and not bootstrap' do let(:params) { { :step => 3, } } @@ -77,15 +76,30 @@ eos is_expected.to contain_class('tripleo::profile::base::nova::placement') is_expected.to contain_class('tripleo::profile::base::nova') is_expected.to contain_class('nova::keystone::authtoken') + is_expected.not_to contain_class('nova::wsgi::apache_placement') + } + end + + context 'with step 3 and bootstrap' do + let(:params) { { + :step => 3, + :bootstrap_node => 'node.example.com' + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::placement') + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova::keystone::authtoken') is_expected.to contain_class('nova::wsgi::apache_placement') } end - context 'with step 3 with enable_internal_tls and skip generate certs' do + context 'with step 3 and bootstrap with enable_internal_tls and skip generate certs' do let(:params) { { :step => 3, :enable_internal_tls => true, :nova_placement_network => 'bar', + :bootstrap_node => 'node.example.com', :certificates_specs => { 'httpd-bar' => { 'hostname' => 'foo', diff --git a/spec/classes/tripleo_profile_base_nova_spec.rb b/spec/classes/tripleo_profile_base_nova_spec.rb index a7f1cce..c6878c6 100644 --- a/spec/classes/tripleo_profile_base_nova_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_spec.rb @@ -100,429 +100,6 @@ describe 'tripleo::profile::base::nova' do } end - context 'with step 4 with libvirt' do - let(:pre_condition) { - 'include ::nova::compute::libvirt::services' - } - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'ssh', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => '# Migration over SSH disabled by TripleO', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => '# Migration over SSH disabled by TripleO', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/sbin/nologin' - ) - } - end - - context 'with step 4 with libvirt TLS' do - let(:pre_condition) { - 'include ::nova::compute::libvirt::services' - } - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :libvirt_tls => true, - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'tls', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled], - ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => '# Migration over SSH disabled by TripleO', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => '# Migration over SSH disabled by TripleO', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/sbin/nologin' - ) - } - end - - context 'with step 4 with libvirt and migration ssh key' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'ssh', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_ssh__server__match_block('nova_migration allow').with( - :type => 'User', - :name => 'nova_migration', - :options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - } - ) - is_expected.to_not contain_ssh__server__match_block('nova_migration deny') - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => 'ssh-rsa bar', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => 'foo', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/bin/bash' - ) - } - end - - context 'with step 4 with libvirt and migration ssh key and migration_ssh_localaddrs' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}, - :migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.2'] - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'ssh', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_ssh__server__match_block('nova_migration allow').with( - :type => 'LocalAddress 127.0.0.1,127.0.0.2 User', - :name => 'nova_migration', - :options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - } - ) - is_expected.to contain_ssh__server__match_block('nova_migration deny').with( - :type => 'LocalAddress', - :name => '!127.0.0.1,!127.0.0.2', - :options => { - 'DenyUsers' => 'nova_migration' - } - ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => 'ssh-rsa bar', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => 'foo', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/bin/bash' - ) - } - end - - context 'with step 4 with libvirt and migration ssh key and invalid migration_ssh_localaddrs' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}, - :migration_ssh_localaddrs => ['127.0.0.1', ''] - } } - - it { is_expected.to_not compile } - end - - context 'with step 4 with libvirt and migration ssh key and duplicate migration_ssh_localaddrs' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}, - :migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.1'] - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'ssh', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_ssh__server__match_block('nova_migration allow').with( - :type => 'LocalAddress 127.0.0.1 User', - :name => 'nova_migration', - :options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - } - ) - is_expected.to contain_ssh__server__match_block('nova_migration deny').with( - :type => 'LocalAddress', - :name => '!127.0.0.1', - :options => { - 'DenyUsers' => 'nova_migration' - } - ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => 'ssh-rsa bar', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => 'foo', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/bin/bash' - ) - } - end - - context 'with step 4 with libvirt TLS and migration ssh key' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :libvirt_tls => true, - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'tls', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_ssh__server__match_block('nova_migration allow').with( - :type => 'User', - :name => 'nova_migration', - :options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - } - ) - is_expected.to_not contain_ssh__server__match_block('nova_migration deny') - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => 'ssh-rsa bar', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => 'foo', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/bin/bash' - ) - } - end - end diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index 5d978cc..1164448 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -33,6 +33,9 @@ cinder::keystone::authtoken::password: 'password' gnocchi::keystone::authtoken::password: 'password' gnocchi::storage::ceph::ceph_username: 'gnocchi' gnocchi::storage::ceph::ceph_secret: 'password' +# haproxy related items +mysql_enabled: true +controller_node_ips: '10.1.0.1,10.1.0.2' # nova related items nova::rabbit_password: 'password' nova::keystone::authtoken::password: 'password' @@ -45,6 +48,5 @@ memcached_node_ips: # octavia related items octavia::rabbit_password: 'password' horizon::secret_key: 'secrete' -service_names: ['sshd'] #Neutron related neutron::rabbit_password: 'password' diff --git a/spec/functions/netmask_to_cidr_spec.rb b/spec/functions/netmask_to_cidr_spec.rb new file mode 100644 index 0000000..e076456 --- /dev/null +++ b/spec/functions/netmask_to_cidr_spec.rb @@ -0,0 +1,6 @@ +require 'spec_helper' +require 'puppet' + +describe 'netmask_to_cidr' do + it { should run.with_params('255.255.255.0').and_return(24) } +end diff --git a/test-requirements.txt b/test-requirements.txt index 152ebef..a23c7e7 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -1,6 +1,6 @@ # This is required for the docs build jobs -sphinx!=1.6.1,>=1.5.1 # BSD -oslosphinx>=4.7.0 # Apache-2.0 +sphinx>=1.6.2 # BSD +openstackdocstheme>=1.11.0 # Apache-2.0 # This is required for the releasenotes build jobs # FIXME: reno is manually pinned to !=2.0.0 because of bug #1651995 |