-rw-r--r-- | .gitignore | 4 | ||||
-rw-r--r-- | Gemfile | 4 | ||||
-rw-r--r-- | Puppetfile_extras | 2 | ||||
-rw-r--r-- | bindep.txt | 9 | ||||
-rw-r--r-- | manifests/certmonger/mongodb.pp | 87 | ||||
-rw-r--r-- | manifests/firewall.pp | 2 | ||||
-rw-r--r-- | manifests/profile/base/certmonger_user.pp | 9 | ||||
-rw-r--r-- | manifests/profile/base/cinder/volume/netapp.pp | 2 | ||||
-rw-r--r-- | manifests/profile/base/cinder/volume/nfs.pp | 33 | ||||
-rw-r--r-- | manifests/profile/base/docker.pp | 35 | ||||
-rw-r--r-- | manifests/profile/base/keystone.pp | 3 | ||||
-rw-r--r-- | manifests/profile/base/neutron/ovs.pp | 17 | ||||
-rw-r--r-- | manifests/profile/base/nova.pp | 67 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker_remote.pp | 27 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_docker_spec.rb | 59 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_neutron_ovs_spec.rb | 73 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_nova_spec.rb | 160 | ||||
-rw-r--r-- | spec/fixtures/hieradata/default.yaml | 2 | ||||
-rw-r--r-- | spec/spec_helper_acceptance.rb | 57 | ||||
-rw-r--r-- | test-requirements.txt | 11 | ||||
-rw-r--r-- | tox.ini | 3 |
22 files changed, 554 insertions, 113 deletions
@@ -1,9 +1,11 @@ pkg/ Gemfile.lock vendor/ -spec/fixtures/ +spec/fixtures/modules +spec/fixtures/manifests .vagrant/ .bundle/ +.bundle*/ coverage/ .idea/ *.swp @@ -1,9 +1,7 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org" group :development, :test, :system_tests do - gem 'puppet-openstack_spec_helper', - :git => 'https://git.openstack.org/openstack/puppet-openstack_spec_helper', - :require => false + gem 'puppet-openstack_spec_helper', :require => 'false', :git => 'https://git.openstack.org/openstack/puppet-openstack_spec_helper' end if facterversion = ENV['FACTER_GEM_VERSION'] diff --git a/Puppetfile_extras b/Puppetfile_extras index 481a8ec..4bc9d3f 100644 --- a/Puppetfile_extras +++ b/Puppetfile_extras @@ -46,7 +46,7 @@ mod 'systemd', :ref => 'master' mod 'opendaylight', - :git => 'https://github.com/dfarrell07/puppet-opendaylight', + :git => 'https://git.opendaylight.org/gerrit/integration/packaging/puppet-opendaylight', :ref => 'master' mod 'ssh', @@ -1,2 +1,11 @@ # This is a cross-platform list tracking distribution packages needed by tests; # see http://docs.openstack.org/infra/bindep/ for additional information. + +libxml2-devel [test platform:rpm] +libxml2-dev [test platform:dpkg] +libxslt-devel [test platform:rpm] +libxslt1-dev [test platform:dpkg] +ruby-devel [test platform:rpm] +ruby-dev [test platform:dpkg] +zlib1g-dev [test platform:dpkg] +zlib-devel [test platform:rpm] diff --git a/manifests/certmonger/mongodb.pp b/manifests/certmonger/mongodb.pp new file mode 100644 index 0000000..0b2dd6a --- /dev/null +++ b/manifests/certmonger/mongodb.pp 
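Review bot: In the Gemfile hunk the rewritten gem line passes `:require => 'false'`, a string, where the removed lines passed the boolean `false`. A non-empty string is truthy and Bundler treats it as the name of a file to load, so any code path that calls `Bundler.require` for these groups would try to load a file named `false` instead of skipping the gem; `:require => false` keeps the previous behaviour. The `:git` source also carries no `:ref` or `:tag`, and the Puppetfile_extras hunk on the same line points the opendaylight module at a new host while staying on `:ref => 'master'`. Both therefore pull whatever the branch head is at install time, so pinning a tag or commit would make the test and deployment inputs reproducible and reviewable.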
@@ -0,0 +1,87 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::mongodb
+#
+# Request a certificate for MongoDB and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*service_pem*]
+# The file in PEM format that the HAProxy service will use as a certificate.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*principal*]
+# (Optional) The service principal that is set for the service in kerberos.
+# Defaults to undef +# +class tripleo::certmonger::mongodb ( + $hostname, + $service_certificate, + $service_key, + $service_pem, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::mongodb::params + + $postsave_cmd = "systemctl restart ${::mongodb::params::service_name}" + certmonger_certificate { 'mongodb' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + + concat { $service_pem : + ensure => present, + mode => '0640', + owner => $::mongodb::params::user, + group => $::mongodb::params::group, + } + concat::fragment { 'mongodb-key-fragment': + target => $service_pem, + source => $service_key, + order => '01', + require => Certmonger_certificate['mongodb'], + } + concat::fragment { 'mongodb-cert-fragment': + target => $service_pem, + source => $service_certificate, + order => '10', + require => Certmonger_certificate['mongodb'], + } + + Concat::Fragment['mongodb-key-fragment'] ~> Service<| title == $::mongodb::params::service_name |> + Concat::Fragment['mongodb-cert-fragment'] ~> Service<| title == $::mongodb::params::service_name |> +} diff --git a/manifests/firewall.pp b/manifests/firewall.pp index 8c6a53b..b4d51d9 100644 --- a/manifests/firewall.pp +++ b/manifests/firewall.pp @@ -63,7 +63,7 @@ class tripleo::firewall( # anyone can add your own rules # example with Hiera: # - # tripleo::firewall::rules: + # tripleo::firewall::firewall_rules: # '300 allow custom application 1': # port: 999 # proto: udp diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index b63fb7f..4ba51ec 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp 
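Review bot: In manifests/certmonger/mongodb.pp the `concat { $service_pem : ... }` resource bundles the private key from `$service_key` into a file created with `mode => '0640'`, so every member of `$::mongodb::params::group` can read the key. Unless an account other than the mongod user needs it, `mode => '0600'` is the narrower setting. `$postsave_cmd` only restarts the service, while the PEM is assembled by Puppet from the key and certificate files. After certmonger renews the certificate, the restarted mongod would presumably still read the old bundle until the next Puppet run, so the post-save step should rebuild the PEM before restarting. The `[*service_pem*]` doc also names "the HAProxy service", which looks copied from another class; I would write `# The file in PEM format (key followed by certificate) that MongoDB will use for TLS.`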
@@ -48,6 +48,11 @@ # it will create. # Defaults to hiera('libvirt_certificates_specs', {}). # +# [*mongodb_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('mongodb_certificate_specs',{}) +# # [*mysql_certificate_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -67,6 +72,7 @@ class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), + $mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), $etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}), @@ -87,6 +93,9 @@ class tripleo::profile::base::certmonger_user ( # existing and need to be refreshed if it changed. Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> } + unless empty($mongodb_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::mongodb', $mongodb_certificate_specs) + } unless empty($mysql_certificate_specs) { ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs) } diff --git a/manifests/profile/base/cinder/volume/netapp.pp b/manifests/profile/base/cinder/volume/netapp.pp index fc652c9..43978da 100644 --- a/manifests/profile/base/cinder/volume/netapp.pp +++ b/manifests/profile/base/cinder/volume/netapp.pp 
@@ -59,6 +59,8 @@ class tripleo::profile::base::cinder::volume::netapp ( netapp_storage_pools => hiera('cinder::backend::netapp::netapp_storage_pools', undef), netapp_eseries_host_type => hiera('cinder::backend::netapp::netapp_eseries_host_type', undef), netapp_webservice_path => hiera('cinder::backend::netapp::netapp_webservice_path', undef), + nas_secure_file_operations => hiera('cinder::backend::netapp::nas_secure_file_operations', undef), + nas_secure_file_permissions => hiera('cinder::backend::netapp::nas_secure_file_permissions', undef), } } diff --git a/manifests/profile/base/cinder/volume/nfs.pp b/manifests/profile/base/cinder/volume/nfs.pp index 7b1f1b9..e384a79 100644 --- a/manifests/profile/base/cinder/volume/nfs.pp +++ b/manifests/profile/base/cinder/volume/nfs.pp @@ -29,6 +29,23 @@ # (Optional) List of mount options for the NFS share # Defaults to '' # +# [*cinder_nas_secure_file_operations*] +# (Optional) Allow network-attached storage systems to operate in a secure +# environment where root level access is not permitted. If set to False, +# access is as the root user and insecure. If set to True, access is not as +# root. If set to auto, a check is done to determine if this is a new +# installation: True is used if so, otherwise False. Default is auto. +# Defaults to $::os_service_default +# +# [*cinder_nas_secure_file_permissions*] +# (Optional) Set more secure file permissions on network-attached storage +# volume files to restrict broad other/world access. If set to False, +# volumes are created with open permissions. If set to True, volumes are +# created with permissions for the cinder user and group (660). If set to +# auto, a check is done to determine if this is a new installation: True is +# used if so, otherwise False. Default is auto. +# Defaults to $::os_service_default +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. 
@@ -36,9 +53,11 @@ # class tripleo::profile::base::cinder::volume::nfs ( $cinder_nfs_servers, - $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'), - $cinder_nfs_mount_options = '', - $step = hiera('step'), + $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'), + $cinder_nfs_mount_options = '', + $cinder_nas_secure_file_operations = $::os_service_default, + $cinder_nas_secure_file_permissions = $::os_service_default, + $step = hiera('step'), ) { include ::tripleo::profile::base::cinder::volume @@ -52,9 +71,11 @@ class tripleo::profile::base::cinder::volume::nfs ( package {'nfs-utils': } -> cinder::backend::nfs { $backend_name : - nfs_servers => $cinder_nfs_servers, - nfs_mount_options => $cinder_nfs_mount_options, - nfs_shares_config => '/etc/cinder/shares-nfs.conf', + nfs_servers => $cinder_nfs_servers, + nfs_mount_options => $cinder_nfs_mount_options, + nfs_shares_config => '/etc/cinder/shares-nfs.conf', + nas_secure_file_operations => $cinder_nas_secure_file_operations, + nas_secure_file_permissions => $cinder_nas_secure_file_permissions, } } diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index d035f6a..bc784b5 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp 
@@ -32,6 +32,18 @@ # Configure a registry-mirror in the /etc/docker/daemon.json file. # (defaults to false) # +# [*docker_options*] +# OPTIONS that are used to startup the docker service. NOTE: +# --selinux-enabled is dropped due to recommendations here: +# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html +# Defaults to '--log-driver=journald --signature-verification=false' +# +# [*configure_storage*] +# Boolean. Whether to configure a docker storage backend. Defaults to true. +# +# [*storage_options*] +# Storage options to configure. Defaults to '-s overlay2' +# # [*step*] # step defaults to hiera('step') # @@ -39,6 +51,9 @@ class tripleo::profile::base::docker ( $docker_namespace = undef, $insecure_registry = false, $registry_mirror = false, + $docker_options = '--log-driver=journald --signature-verification=false', + $configure_storage = true, + $storage_options = '-s overlay2', $step = hiera('step'), ) { if $step >= 1 { @@ -57,9 +72,11 @@ class tripleo::profile::base::docker ( fail('You must provide a $docker_namespace in order to configure insecure registry') } $namespace = strip($docker_namespace.split('/')[0]) - $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", ] + $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", + "set OPTIONS '\"${docker_options}\"'" ] } else { - $changes = [ 'rm INSECURE_REGISTRY', ] + $changes = [ 'rm INSECURE_REGISTRY', + "set OPTIONS '\"${docker_options}\"'" ] } augeas { 'docker-sysconfig': 
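Review bot: The default for `$docker_options` in the parameter hunk of manifests/profile/base/docker.pp is `'--log-driver=journald --signature-verification=false'`, so every node that does not override it starts the daemon with image signature verification off. The doc hunk also states that `--selinux-enabled` is dropped. The doc links a rationale for the SELinux flag but gives none for disabling signature verification; I would either reduce the default to `--log-driver=journald` or add a sentence to `[*docker_options*]` explaining why verification is off and how to turn it back on. The value is also interpolated unescaped into `"set OPTIONS '\"${docker_options}\"'"` in the third hunk, so an option string containing a quote character yields a malformed augeas change; validating the parameter before building `$changes` would catch that at compile time. The class body continues outside these hunks.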
@@ -95,6 +112,20 @@ class tripleo::profile::base::docker ( notify => Service['docker'], require => File['/etc/docker/daemon.json'], } + if $configure_storage { + if $storage_options == undef { + fail('You must provide a $storage_options in order to configure storage') + } + $storage_changes = [ "set DOCKER_STORAGE_OPTIONS '\" ${storage_options}\"'", ] + } else { + $storage_changes = [ 'rm DOCKER_STORAGE_OPTIONS', ] + } + + augeas { 'docker-sysconfig-storage': + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/docker-storage', + changes => $storage_changes, + } } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 31f5c93..72a7bc9 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -338,5 +338,8 @@ class tripleo::profile::base::keystone ( if hiera('ec2_api_enabled', false) { include ::ec2api::keystone::auth } + if hiera('novajoin_enabled', false) { + include ::nova::metadata::novajoin::auth + } } } diff --git a/manifests/profile/base/neutron/ovs.pp b/manifests/profile/base/neutron/ovs.pp index bec7e96..97eb8e9 100644 --- a/manifests/profile/base/neutron/ovs.pp +++ b/manifests/profile/base/neutron/ovs.pp @@ -23,12 +23,27 @@ # for more details. # Defaults to hiera('step') # +# [*vhostuser_socket_dir*] +# (Optional) vhostuser socket dir, The directory where $vhostuser_socket_dir +# will be created with correct permissions, inorder to support vhostuser +# client mode. + class tripleo::profile::base::neutron::ovs( - $step = hiera('step'), + $step = hiera('step'), + $vhostuser_socket_dir = hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef) ) { include ::tripleo::profile::base::neutron if $step >= 5 { + if $vhostuser_socket_dir { + file { $vhostuser_socket_dir: + ensure => directory, + owner => 'qemu', + group => 'qemu', + mode => '0775', + } + } + include ::neutron::agents::ml2::ovs # Optional since manage_service may be false and neutron server may not be colocated. 
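Review bot: The new `augeas { 'docker-sysconfig-storage': ... }` resource in manifests/profile/base/docker.pp has no `notify => Service['docker']`, while the resource closed in the context lines just above it does. A changed `DOCKER_STORAGE_OPTIONS` is therefore written to `/etc/sysconfig/docker-storage`, but, as far as this hunk shows, the running daemon is not restarted to pick it up. If that is deliberate because switching storage drivers under existing images is disruptive, a comment saying so belongs on the resource; otherwise add the notify. The guard `if $storage_options == undef` also lets an empty string through, which writes a value containing only a space; `if empty($storage_options)` would reject both cases.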
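Review bot: In manifests/profile/base/neutron/ovs.pp the `file { $vhostuser_socket_dir: ... }` resource sets `mode => '0775'`, which leaves the vhost-user socket directory listable and traversable by every local account. Unless a process outside the `qemu` user and group has to reach the sockets, `mode => '0770'` is the tighter choice. The resource names `owner => 'qemu'` and `group => 'qemu'` without a `require` on whatever creates that account, so it relies on the package having been installed earlier in the run; that ordering is worth confirming. In the parameter doc, "inorder" should read "in order", and the usual line `# Defaults to hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef)` is missing.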
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 65355d4..d786940 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -129,6 +129,10 @@ class tripleo::profile::base::nova ( $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211') } + validate_array($migration_ssh_localaddrs) + $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) } + $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs) + if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) include ::nova::config @@ -183,10 +187,10 @@ class tripleo::profile::base::nova ( # Nova SSH tunnel setup (cold-migration) # Server side - if !empty($migration_ssh_localaddrs) { - $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs,',')) + if !empty($migration_ssh_localaddrs_real) { + $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,',')) $deny_type = 'LocalAddress' - $deny_name = sprintf('!%s', join($migration_ssh_localaddrs,',!')) + $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!')) ssh::server::match_block { 'nova_migration deny': name => $deny_name, 
@@ -217,31 +221,42 @@ class tripleo::profile::base::nova ( notify => Service['sshd'] } - file { '/etc/nova/migration/authorized_keys': - content => $migration_ssh_key['public_key'], - mode => '0640', - owner => 'root', - group => 'nova_migration', - require => Package['openstack-nova-migration'], - } + $migration_authorized_keys = $migration_ssh_key['public_key'] + $migration_identity = $migration_ssh_key['private_key'] + $migration_user_shell = '/bin/bash' + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_identity = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' + } - # Client side - file { '/etc/nova/migration/identity': - content => $migration_ssh_key['private_key'], - mode => '0600', - owner => 'nova', - group => 'nova', - require => Package['openstack-nova-migration'], - } - $migration_pkg_ensure = installed - } else { - $migration_pkg_ensure = absent + package { 'openstack-nova-migration': + ensure => present, + tag => ['openstack', 'nova-package'], + } + + file { '/etc/nova/migration/authorized_keys': + content => $migration_authorized_keys, + mode => '0640', + owner => 'root', + group => 'nova_migration', + require => Package['openstack-nova-migration'] + } + + file { '/etc/nova/migration/identity': + content => $migration_identity, + mode => '0600', + owner => 'nova', + group => 'nova', + require => Package['openstack-nova-migration'] + } + + user {'nova_migration': + shell => $migration_user_shell, + require => Package['openstack-nova-migration'] } - } else { - $migration_pkg_ensure = absent - } - package {'openstack-nova-migration': - ensure => $migration_pkg_ensure } } } diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index c1d745a..811b911 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp 
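Review bot: The `file { '/etc/nova/migration/identity': ... }` resource in manifests/profile/base/nova.pp writes the SSH private key through `content => $migration_identity` without `show_diff => false`. On hosts where Puppet's diff output is enabled, a key rotation, or the switch between the real key and the "disabled" placeholder, would print the key material into the run log or report. Adding `show_diff => false` to that resource, and to `/etc/nova/migration/authorized_keys` for consistency, avoids this. The enabled branch also sets `$migration_user_shell = '/bin/bash'`; a short comment that interactive use is still blocked by the `ForceCommand` match block declared earlier in the class would help the next reader. The enclosing `if` blocks begin above this hunk.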
@@ -136,6 +136,7 @@ class tripleo::profile::base::pacemaker ( remote_address => $remotes_hash[$title], reconnect_interval => $remote_reconnect_interval, op_params => "monitor interval=${remote_monitor_interval}", + verify_on_create => true, tries => $remote_tries, try_sleep => $remote_try_sleep, } diff --git a/manifests/profile/base/pacemaker_remote.pp b/manifests/profile/base/pacemaker_remote.pp index e0fff63..dfe0a3e 100644 --- a/manifests/profile/base/pacemaker_remote.pp +++ b/manifests/profile/base/pacemaker_remote.pp @@ -22,6 +22,14 @@ # Authkey for pacemaker remote nodes # Defaults to unset # +# [*pcs_tries*] +# (Optional) The number of times pcs commands should be retried. +# Defaults to hiera('pcs_tries', 20) +# +# [*enable_fencing*] +# (Optional) Whether or not to manage stonith devices for nodes +# Defaults to hiera('enable_fencing', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -29,9 +37,28 @@ # class tripleo::profile::base::pacemaker_remote ( $remote_authkey, + $pcs_tries = hiera('pcs_tries', 20), + $enable_fencing = hiera('enable_fencing', false), $step = hiera('step'), ) { class { '::pacemaker::remote': remote_authkey => $remote_authkey, } + $enable_fencing_real = str2bool($enable_fencing) and $step >= 5 + + class { '::pacemaker::stonith': + disable => !$enable_fencing_real, + tries => $pcs_tries, + } + + if $enable_fencing_real { + include ::tripleo::fencing + + # enable stonith after all Pacemaker resources have been created + Pcmk_resource<||> -> Class['tripleo::fencing'] + Pcmk_constraint<||> -> Class['tripleo::fencing'] + Exec <| tag == 'pacemaker_constraint' |> -> Class['tripleo::fencing'] + # enable stonith after all fencing devices have been created + Class['tripleo::fencing'] -> Class['pacemaker::stonith'] + } } diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb index b52fe24..0b988f6 100644 
--- a/spec/classes/tripleo_profile_base_docker_spec.rb +++ b/spec/classes/tripleo_profile_base_docker_spec.rb @@ -27,7 +27,10 @@ describe 'tripleo::profile::base::docker' do it { is_expected.to contain_package('docker') } it { is_expected.to contain_service('docker') } it { - is_expected.to contain_augeas('docker-sysconfig').with_changes(['rm INSECURE_REGISTRY']) + is_expected.to contain_augeas('docker-sysconfig').with_changes([ + 'rm INSECURE_REGISTRY', + "set OPTIONS '\"--log-driver=journald --signature-verification=false\"'", + ]) } end @@ -42,7 +45,10 @@ describe 'tripleo::profile::base::docker' do it { is_expected.to contain_package('docker') } it { is_expected.to contain_service('docker') } it { - is_expected.to contain_augeas('docker-sysconfig').with_changes(["set INSECURE_REGISTRY '\"--insecure-registry foo:8787\"'"]) + is_expected.to contain_augeas('docker-sysconfig').with_changes([ + "set INSECURE_REGISTRY '\"--insecure-registry foo:8787\"'", + "set OPTIONS '\"--log-driver=journald --signature-verification=false\"'", + ]) } end 
@@ -69,6 +75,55 @@ describe 'tripleo::profile::base::docker' do } end + context 'with step 1 and docker_options configured' do + let(:params) { { + :docker_options => '--log-driver=syslog', + :step => 1, + } } + + it { is_expected.to contain_class('tripleo::profile::base::docker') } + it { is_expected.to contain_package('docker') } + it { is_expected.to contain_service('docker') } + it { + is_expected.to contain_augeas('docker-sysconfig').with_changes([ + "rm INSECURE_REGISTRY", + "set OPTIONS '\"--log-driver=syslog\"'", + ]) + } + end + + context 'with step 1 and storage_options configured' do + let(:params) { { + :step => 1, + :storage_options => '-s devicemapper', + } } + + it { is_expected.to contain_class('tripleo::profile::base::docker') } + it { is_expected.to contain_package('docker') } + it { is_expected.to contain_service('docker') } + it { + is_expected.to contain_augeas('docker-sysconfig-storage').with_changes([ + "set DOCKER_STORAGE_OPTIONS '\" #{params[:storage_options]}\"'", + ]) + } + end + + context 'with step 1 and configure_storage disabled' do + let(:params) { { + :step => 1, + :configure_storage => false, + } } + + it { is_expected.to contain_class('tripleo::profile::base::docker') } + it { is_expected.to contain_package('docker') } + it { is_expected.to contain_service('docker') } + it { + is_expected.to contain_augeas('docker-sysconfig-storage').with_changes([ + "rm DOCKER_STORAGE_OPTIONS", + ]) + } + end + end on_supported_os.each do |os, facts| diff --git a/spec/classes/tripleo_profile_base_neutron_ovs_spec.rb b/spec/classes/tripleo_profile_base_neutron_ovs_spec.rb new file mode 100644 index 0000000..14de7e1 --- /dev/null +++ b/spec/classes/tripleo_profile_base_neutron_ovs_spec.rb 
@@ -0,0 +1,73 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::neutron::ovs' do + + shared_examples_for 'tripleo::profile::base::neutron::ovs with default params' do + + before :each do + facts.merge!({ :step => params[:step] }) + end + + context 'with defaults for all parameters' do + let(:params) { { :step => 5 } } + + it 'should do nothing' do + is_expected.to contain_class('tripleo::profile::base::neutron') + is_expected.to contain_class('neutron::agents::ml2::ovs') + is_expected.not_to contain_file('/var/lib/vhostuser_sockets') + end + end + end + + shared_examples_for 'tripleo::profile::base::neutron::ovs with vhostuser_socketdir' do + + before :each do + facts.merge!({ :step => params[:step], :vhostuser_socket_dir => params[:vhostuser_socket_dir] }) + end + + context 'with vhostuser_socketdir configured' do + let :params do + { + :step => 5, + :vhostuser_socket_dir => '/var/lib/vhostuser_sockets' + } + end + + it { is_expected.to contain_class('tripleo::profile::base::neutron') } + it { is_expected.to contain_class('neutron::agents::ml2::ovs') } + it { is_expected.to contain_file('/var/lib/vhostuser_sockets').with( + :ensure => 'directory', + :owner => 'qemu', + :group => 'qemu', + :mode => '0775', + ) } + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + 
it_behaves_like 'tripleo::profile::base::neutron::ovs with default params' + it_behaves_like 'tripleo::profile::base::neutron::ovs with vhostuser_socketdir' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_spec.rb b/spec/classes/tripleo_profile_base_nova_spec.rb index d77ba1b..a7f1cce 100644 --- a/spec/classes/tripleo_profile_base_nova_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_spec.rb @@ -95,9 +95,8 @@ describe 'tripleo::profile::base::nova' do is_expected.to contain_class('nova::cache') is_expected.to contain_class('nova::placement') is_expected.to_not contain_class('nova::migration::libvirt') - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'absent' - ) + is_expected.to_not contain_file('/etc/nova/migration/authorized_keys') + is_expected.to_not contain_file('/etc/nova/migration/identity') } end @@ -132,7 +131,22 @@ describe 'tripleo::profile::base::nova' do :configure_nova => params[:nova_compute_enabled] ) is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'absent' + :ensure => 'present' + ) + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/sbin/nologin' ) } end 
@@ -169,7 +183,22 @@ describe 'tripleo::profile::base::nova' do :configure_nova => params[:nova_compute_enabled], ) is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'absent' + :ensure => 'present' + ) + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/sbin/nologin' ) } end @@ -223,6 +252,9 @@ describe 'tripleo::profile::base::nova' do } ) is_expected.to_not contain_ssh__server__match_block('nova_migration deny') + is_expected.to contain_package('openstack-nova-migration').with( + :ensure => 'present' + ) is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( :content => 'ssh-rsa bar', :mode => '0640', @@ -235,8 +267,8 @@ describe 'tripleo::profile::base::nova' do :owner => 'nova', :group => 'nova', ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'installed' + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' ) } end @@ -297,6 +329,9 @@ describe 'tripleo::profile::base::nova' do 'DenyUsers' => 'nova_migration' } ) + is_expected.to contain_package('openstack-nova-migration').with( + :ensure => 'present' + ) is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( :content => 'ssh-rsa bar', :mode => '0640', 
@@ -309,8 +344,110 @@ describe 'tripleo::profile::base::nova' do :owner => 'nova', :group => 'nova', ) + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' + ) + } + end + + context 'with step 4 with libvirt and migration ssh key and invalid migration_ssh_localaddrs' do + let(:pre_condition) do + <<-eof + include ::nova::compute::libvirt::services + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } + eof + end + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :oslomsg_rpc_hosts => [ 'localhost' ], + :oslomsg_rpc_password => 'foo', + :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}, + :migration_ssh_localaddrs => ['127.0.0.1', ''] + } } + + it { is_expected.to_not compile } + end + + context 'with step 4 with libvirt and migration ssh key and duplicate migration_ssh_localaddrs' do + let(:pre_condition) do + <<-eof + include ::nova::compute::libvirt::services + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } + eof + end + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :oslomsg_rpc_hosts => [ 'localhost' ], + :oslomsg_rpc_password => 'foo', + :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}, + :migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.1'] + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::placement') + is_expected.to contain_class('nova::cache') + is_expected.to 
contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + is_expected.to contain_ssh__server__match_block('nova_migration allow').with( + :type => 'LocalAddress 127.0.0.1 User', + :name => 'nova_migration', + :options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + } + ) + is_expected.to contain_ssh__server__match_block('nova_migration deny').with( + :type => 'LocalAddress', + :name => '!127.0.0.1', + :options => { + 'DenyUsers' => 'nova_migration' + } + ) is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'installed' + :ensure => 'present' + ) + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => 'ssh-rsa bar', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => 'foo', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' ) } end @@ -365,6 +502,9 @@ describe 'tripleo::profile::base::nova' do } ) is_expected.to_not contain_ssh__server__match_block('nova_migration deny') + is_expected.to contain_package('openstack-nova-migration').with( + :ensure => 'present' + ) is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( :content => 'ssh-rsa bar', :mode => '0640', @@ -377,8 +517,8 @@ describe 'tripleo::profile::base::nova' do :owner => 'nova', :group => 'nova', ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'installed' + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' ) } end 
diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index 3cf2693..ad2da39 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -45,3 +45,5 @@ memcached_node_ips: octavia::rabbit_password: 'password' horizon::secret_key: 'secrete' service_names: ['sshd'] +#Neutron related +neutron::rabbit_password: 'password' diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 429e807..9196bc9 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb 
@@ -1,56 +1 @@ -require 'beaker-rspec' -require 'beaker/puppet_install_helper' - -run_puppet_install_helper - -RSpec.configure do |c| - # Project root - proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..')) - modname = JSON.parse(open('metadata.json').read)['name'].split('-')[1] - - # Readable test descriptions - c.formatter = :documentation - - # Configure all nodes in nodeset - c.before :suite do - # Install module and dependencies - hosts.each do |host| - - # install git - install_package host, 'git' - - zuul_ref = ENV['ZUUL_REF'] - zuul_branch = ENV['ZUUL_BRANCH'] - zuul_url = ENV['ZUUL_URL'] - - repo = 'openstack/puppet-openstack-integration' - - # Start out with clean moduledir, don't trust r10k to purge it - on host, "rm -rf /etc/puppet/modules/*" - # Install dependent modules via git or zuul - r = on host, "test -e /usr/zuul-env/bin/zuul-cloner", { :acceptable_exit_codes => [0,1] } - if r.exit_code == 0 - zuul_clone_cmd = '/usr/zuul-env/bin/zuul-cloner ' - zuul_clone_cmd += '--cache-dir /opt/git ' - zuul_clone_cmd += "--zuul-ref #{zuul_ref} " - zuul_clone_cmd += "--zuul-branch #{zuul_branch} " - zuul_clone_cmd += "--zuul-url #{zuul_url} " - zuul_clone_cmd += "git://git.openstack.org #{repo}" - on host, zuul_clone_cmd - else - on host, "git clone https://git.openstack.org/#{repo} #{repo}" - end - - on host, "ZUUL_REF=#{zuul_ref} ZUUL_BRANCH=#{zuul_branch} ZUUL_URL=#{zuul_url} bash #{repo}/install_modules.sh" - - # Install the module being tested - on host, "rm -fr /etc/puppet/modules/#{modname}" - puppet_module_install(:source => proj_root, :module_name => modname) - - on host, "rm -fr #{repo}" - - # List modules installed to help with debugging - on host, puppet('module','list'), { :acceptable_exit_codes => 0 } - end - end -end +require 'puppet-openstack_spec_helper/beaker_spec_helper' diff --git a/test-requirements.txt b/test-requirements.txt index bedd666..1ea50a8 100644 --- a/test-requirements.txt +++ b/test-requirements.txt 
@@ -1,4 +1,7 @@ -# this is required for the docs build jobs -sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 -oslosphinx>=2.5.0 # Apache-2.0 -reno>=0.1.1 # Apache-2.0 +# This is required for the docs build jobs +sphinx>=1.5.1 # BSD +oslosphinx>=4.7.0 # Apache-2.0 + +# This is required for the releasenotes build jobs +# FIXME: reno is manually pinned to !=2.0.0 because of bug #1651995 +reno>=1.8.0,!=2.0.0 # Apache-2.0 @@ -3,6 +3,9 @@ minversion = 1.6 skipsdist = True envlist = releasenotes +[testenv] +install_command = pip install -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt} {opts} {packages} + [testenv:releasenotes] deps = -rtest-requirements.txt commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html |