diff options
| -rw-r--r-- | manifests/database/mysql.pp | 367 | ||||
| -rw-r--r-- | manifests/loadbalancer.pp | 81 |
2 files changed, 74 insertions, 374 deletions
diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp deleted file mode 100644 index 1d621a5..0000000 --- a/manifests/database/mysql.pp +++ /dev/null @@ -1,367 +0,0 @@ -# -# Copyright (C) 2015 eNovance SAS <licensing@enovance.com> -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless optional by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Class: tripleo::database::mysql -# -# Configure a MySQL for TripleO with or without HA. -# -# === Parameters -# -# [*bind_address*] -# (optional) IP to bind MySQL daemon. -# Defaults to undef -# -# [*mysql_root_password*] -# (optional) MySQL root password. -# Defaults to 'secrete' -# -# [*mysql_sys_maint_password*] -# (optional) The MySQL debian-sys-maint password. -# Debian only parameter. -# Defaults to 'sys-maint' -# -# [*galera_clustercheck_dbpassword*] -# (optional) The MySQL password for Galera cluster check -# Defaults to 'password' -# -# [*galera_clustercheck_dbuser*] -# (optional) The MySQL username for Galera cluster check (using monitoring database) -# Defaults to 'clustercheck' -# -# [*galera_clustercheck_ipaddress*] -# (optional) The name or ip address of host running monitoring database (clustercheck) -# Defaults to undef -# -# [*galera_gcache*] -# (optional) Size of the Galera gcache -# wsrep_provider_options, for master/slave mode -# Defaults to '1G' -# -# [*galera_master*] -# (optional) Hostname or IP of the Galera master node, databases and users -# resources are created on this node and propagated on the cluster. -# Defining to false means we disable MySQL HA and run a single node setup. -# Defaults to false -# -# [*controller_host*] -# (optional) Array of internal ip of the controller nodes. -# They need access to all OpenStack databases. -# Defaults to false -# -# [*database_host*] -# (optional) Array of internal ip of the database nodes. -# Used to boostrap Galera cluster. -# Defaults to false -# -# [*ceilometer_database_connection*] -# (optional) URL to connect at Ceilometer database. -# Example: 'mysql://user:password@host/database' -# Defaults to undef -# -# [*cinder_database_connection*] -# (optional) URL to connect at Cinder database. -# Example: 'mysql://user:password@host/database' -# Defaults to undef -# -# [*glance_database_connection*] -# (optional) URL to connect at Glance database. -# Example: 'mysql://user:password@host/database' -# Defaults to undef -# -# [*heat_database_connection*] -# (optional) URL to connect at Heat database. -# Example: 'mysql://user:password@host/database' -# Defaults to undef -# -# [*keystone_database_connection*] -# (optional) URL to connect at Keystone database. -# Example: 'mysql://user:password@host/database' -# Defaults to undef -# -# [*neutron_database_connection*] -# (optional) URL to connect at Neutron database. -# Example: 'mysql://user:password@host/database' -# Defaults to undef -# -# [*nova_database_connection*] -# (optional) URL to connect at Nova database. -# Example: 'mysql://user:password@host/database' -# Defaults to undef -# -class tripleo::database::mysql ( - $bind_address = undef, - $mysql_root_password = 'secrete', - $mysql_sys_maint_password = 'sys-maint', - $galera_clustercheck_dbpassword = 'secrete', - $galera_clustercheck_dbuser = 'clustercheck', - $galera_clustercheck_ipaddress = undef, - $galera_gcache = '1G', - $galera_master = false, - $controller_host = false, - $database_host = false, - $ceilometer_database_connection = undef, - $cinder_database_connection = undef, - $glance_database_connection = undef, - $heat_database_connection = undef, - $keystone_database_connection = undef, - $neutron_database_connection = undef, - $nova_database_connection = undef, -) { - - include ::xinetd - - $gcomm_definition = inline_template('<%= @database_host.join(",") + "?pc.wait_prim=no" -%>') - - # If HA enabled - if $galera_master { - # Specific to Galera master node - if $::hostname == $galera_master { - mysql_database { 'monitoring': - ensure => 'present', - charset => 'utf8', - collate => 'utf8_unicode_ci', - require => File['/root/.my.cnf'], - } - mysql_user { "${galera_clustercheck_dbuser}@localhost": - ensure => 'present', - password_hash => mysql_password($galera_clustercheck_dbpassword), - require => File['/root/.my.cnf'], - } - mysql_grant { "${galera_clustercheck_dbuser}@localhost/monitoring": - ensure => 'present', - options => ['GRANT'], - privileges => ['ALL'], - table => 'monitoring.*', - user => "${galera_clustercheck_dbuser}@localhost", - } - Database_user<<| |>> - } else { - # NOTE(sileht): Only the master must create the password - # into the database, slave nodes must just use the password. - # The one in the database have been retrieved via galera. - file { "${::root_home}/.my.cnf": - content => "[client]\nuser=root\nhost=localhost\npassword=${mysql_root_password}\n", - owner => 'root', - mode => '0600', - } - } - - # Specific to Red Hat or Debian systems - case $::osfamily { - 'RedHat': { - $mysql_server_package_name = 'mariadb-galera-server' - $mysql_client_package_name = 'mariadb' - $wsrep_provider = '/usr/lib64/galera/libgalera_smm.so' - $mysql_server_config_file = '/etc/my.cnf' - $mysql_init_file = '/usr/lib/systemd/system/mysql-bootstrap.service' - - if $::hostname == $galera_master { - $mysql_service_name = 'mysql-bootstrap' - } else { - $mysql_service_name = 'mariadb' - } - - # In Red Hat, the package does not perform the mysql db installation. - # We need to do this manually. - # Note: in MariaDB repository, package perform this action in post-install, - # but MariaDB is not packaged for Red Hat / CentOS 7 in MariaDB repository. - exec { 'bootstrap-mysql': - command => '/usr/bin/mysql_install_db --rpm --user=mysql', - unless => 'test -d /var/lib/mysql/mysql', - before => Service['mysqld'], - require => [Package[$mysql_server_package_name], File[$mysql_server_config_file]], - } - - } - 'Debian': { - $mysql_server_package_name = 'mariadb-galera-server' - $mysql_client_package_name = 'mariadb-client' - $wsrep_provider = '/usr/lib/galera/libgalera_smm.so' - $mysql_server_config_file = '/etc/mysql/my.cnf' - $mysql_init_file = '/etc/init.d/mysql-bootstrap' - - if $::hostname == $galera_master { - $mysql_service_name = 'mysql-bootstrap' - } else { - $mysql_service_name = 'mysql' - } - - mysql_user { 'debian-sys-maint@localhost': - ensure => 'present', - password_hash => mysql_password($mysql_sys_maint_password), - require => File['/root/.my.cnf'], - } - - file{'/etc/mysql/debian.cnf': - ensure => file, - content => template('tripleo/database/debian.cnf.erb'), - owner => 'root', - group => 'root', - mode => '0600', - require => Exec['clean-mysql-binlog'], - } - } - default: { - err "${::osfamily} not supported yet" - } - } - - file { $mysql_init_file : - content => template("tripleo/database/etc_initd_mysql_${::osfamily}"), - owner => 'root', - mode => '0755', - group => 'root', - notify => Service['mysqld'], - before => Package[$mysql_server_package_name], - } - - class { '::mysql::server': - manage_config_file => false, - config_file => $mysql_server_config_file, - package_name => $mysql_server_package_name, - service_name => $mysql_service_name, - override_options => { - 'mysqld' => { - 'bind-address' => $bind_address, - }, - }, - root_password => $mysql_root_password, - notify => Service['xinetd'], - } - - file { $mysql_server_config_file: - content => template('tripleo/database/mysql.conf.erb'), - mode => '0644', - owner => 'root', - group => 'root', - notify => [Service['mysqld'],Exec['clean-mysql-binlog']], - require => Package[$mysql_server_package_name], - } - - class { '::mysql::client': - package_name => $mysql_client_package_name, - } - - # Haproxy http monitoring - augeas { 'mysqlchk': - context => '/files/etc/services', - changes => [ - 'ins service-name after service-name[last()]', - 'set service-name[last()] "mysqlchk"', - 'set service-name[. = "mysqlchk"]/port 9200', - 'set service-name[. = "mysqlchk"]/protocol tcp', - ], - onlyif => 'match service-name[. = "mysqlchk"] size == 0', - notify => [ Service['xinetd'], Exec['reload_xinetd'] ], - } - file { - '/etc/xinetd.d/mysqlchk': - content => template('tripleo/database/mysqlchk.erb'), - owner => 'root', - group => 'root', - mode => '0755', - require => File['/usr/bin/clustercheck'], - notify => [ Service['xinetd'], Exec['reload_xinetd'] ]; - '/usr/bin/clustercheck': - ensure => present, - content => template('tripleo/database/clustercheck.erb'), - mode => '0755', - owner => 'root', - group => 'root'; - } - - exec{'clean-mysql-binlog': - # first sync take a long time - command => "/bin/bash -c '/usr/bin/mysqladmin --defaults-file=/root/.my.cnf shutdown ; /bin/rm ${::mysql::params::datadir}/ib_logfile*'", - path => '/usr/bin', - notify => Service['mysqld'], - refreshonly => true, - onlyif => "stat ${::mysql::params::datadir}/ib_logfile0 && test `du -sh ${::mysql::params::datadir}/ib_logfile0 | cut -f1` != '256M'", - } - } else { - # When HA is disabled - class { '::mysql::server': - override_options => { - 'mysqld' => { - 'bind-address' => $bind_address, - }, - }, - root_password => $mysql_root_password, - } - } - - # On master node (when using Galera) or single node (when no HA) - if $galera_master == $::hostname or ! $galera_master { - # Create all the database schemas - $allowed_hosts = ['%',$controller_host] - $keystone_dsn = split($keystone_database_connection, '[@:/?]') - class { '::keystone::db::mysql': - user => $keystone_dsn[3], - password => $keystone_dsn[4], - host => $keystone_dsn[5], - dbname => $keystone_dsn[6], - allowed_hosts => $allowed_hosts, - } - $glance_dsn = split($glance_database_connection, '[@:/?]') - class { '::glance::db::mysql': - user => $glance_dsn[3], - password => $glance_dsn[4], - host => $glance_dsn[5], - dbname => $glance_dsn[6], - allowed_hosts => $allowed_hosts, - } - $nova_dsn = split($nova_database_connection, '[@:/?]') - class { '::nova::db::mysql': - user => $nova_dsn[3], - password => $nova_dsn[4], - host => $nova_dsn[5], - dbname => $nova_dsn[6], - allowed_hosts => $allowed_hosts, - } - $neutron_dsn = split($neutron_database_connection, '[@:/?]') - class { '::neutron::db::mysql': - user => $neutron_dsn[3], - password => $neutron_dsn[4], - host => $neutron_dsn[5], - dbname => $neutron_dsn[6], - allowed_hosts => $allowed_hosts, - } - $cinder_dsn = split($cinder_database_connection, '[@:/?]') - class { '::cinder::db::mysql': - user => $cinder_dsn[3], - password => $cinder_dsn[4], - host => $cinder_dsn[5], - dbname => $cinder_dsn[6], - allowed_hosts => $allowed_hosts, - } - $heat_dsn = split($heat_database_connection, '[@:/?]') - class { '::heat::db::mysql': - user => $heat_dsn[3], - password => $heat_dsn[4], - host => $heat_dsn[5], - dbname => $heat_dsn[6], - allowed_hosts => $allowed_hosts, - } - $ceilometer_dsn = split($ceilometer_database_connection, '[@:/?]') - class { '::ceilometer::db::mysql': - user => $ceilometer_dsn[3], - password => $ceilometer_dsn[4], - host => $ceilometer_dsn[5], - dbname => $ceilometer_dsn[6], - allowed_hosts => $allowed_hosts, - } - } - -} diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index 102deeb..f9877a6 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -132,6 +132,11 @@ # When set, enables SSL on the Horizon public API endpoint using the specified file. # Defaults to undef # +# [*ironic_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the Ironic public API endpoint using the specified file. +# Defaults to undef +# # [*keystone_admin*] # (optional) Enable or not Keystone Admin API binding # Defaults to false @@ -196,10 +201,18 @@ # (optional) Enable or not Horizon dashboard binding # Defaults to false # +# [*ironic*] +# (optional) Enable or not Ironic API binding +# Defaults to false +# # [*mysql*] # (optional) Enable or not MySQL Galera binding # Defaults to false # +# [*mysql_clustercheck*] +# (optional) Enable check via clustercheck for mysql +# Defaults to false +# # [*rabbitmq*] # (optional) Enable or not RabbitMQ binding # Defaults to false @@ -232,6 +245,7 @@ class tripleo::loadbalancer ( $swift_certificate = undef, $heat_certificate = undef, $horizon_certificate = undef, + $ironic_certificate = undef, $keystone_admin = false, $keystone_public = false, $neutron = false, @@ -248,7 +262,9 @@ class tripleo::loadbalancer ( $heat_cloudwatch = false, $heat_cfn = false, $horizon = false, + $ironic = false, $mysql = false, + $mysql_clustercheck = false, $rabbitmq = false, $redis = false, ) { @@ -394,6 +410,11 @@ class tripleo::loadbalancer ( } else { $horizon_bind_certificate = $service_certificate } + if $ironic_certificate { + $ironic_bind_certificate = $ironic_certificate + } else { + $ironic_bind_certificate = $service_certificate + } $keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip) $keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip) @@ -517,6 +538,10 @@ class tripleo::loadbalancer ( "${heat_api_vip}:8004" => [], "${public_virtual_ip}:13004" => ['ssl', 'crt', $heat_bind_certificate], } + $heat_options = { + 'option' => [ 'httpchk GET /' ], + 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", + } $heat_cw_bind_opts = { "${heat_api_vip}:8003" => [], "${public_virtual_ip}:13003" => ['ssl', 'crt', $heat_bind_certificate], @@ -530,6 +555,9 @@ class tripleo::loadbalancer ( "${heat_api_vip}:8004" => [], "${public_virtual_ip}:8004" => [], } + $heat_options = { + 'option' => [ 'httpchk GET /' ], + } $heat_cw_bind_opts = { "${heat_api_vip}:8003" => [], "${public_virtual_ip}:8003" => [], @@ -553,6 +581,19 @@ class tripleo::loadbalancer ( } } + $ironic_api_vip = hiera('ironic_api_vip', $controller_virtual_ip) + if $ironic_bind_certificate { + $ironic_bind_opts = { + "${ironic_api_vip}:6385" => [], + "${public_virtual_ip}:13385" => ['ssl', 'crt', $ironic_bind_certificate], + } + } else { + $ironic_bind_opts = { + "${ironic_api_vip}:6385" => [], + "${public_virtual_ip}:6385" => [], + } + } + sysctl::value { 'net.ipv4.ip_nonlocal_bind': value => '1' } class { '::haproxy': @@ -790,10 +831,9 @@ class tripleo::loadbalancer ( if $heat_api { haproxy::listen { 'heat_api': bind => $heat_bind_opts, - options => { - 'option' => [ 'httpchk GET /' ], - }, + options => $heat_options, collect_exported => false, + mode => 'http', } haproxy::balancermember { 'heat_api': listening_service => 'heat_api', @@ -855,13 +895,40 @@ class tripleo::loadbalancer ( } } + if $mysql_clustercheck { + $mysql_listen_options = { + 'option' => [ 'httpchk' ], + 'timeout' => [ 'client 0', 'server 0' ], + 'stick-table' => 'type ip size 1000', + 'stick' => 'on dst', + } + $mysql_member_options = ['check', 'inter 2000', 'rise 2', 'fall 5', 'backup', 'port 9200', 'on-marked-down shutdown-sessions'] + } else { + $mysql_listen_options = { + 'timeout' => [ 'client 0', 'server 0' ], + } + $mysql_member_options = ['check', 'inter 2000', 'rise 2', 'fall 5', 'backup'] + } + + if $ironic { + haproxy::listen { 'ironic': + bind => $ironic_bind_opts, + collect_exported => false, + } + haproxy::balancermember { 'ironic': + listening_service => 'ironic', + ports => '6385', + ipaddresses => hiera('ironic_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + options => [], + } + } + if $mysql { haproxy::listen { 'mysql': ipaddress => [hiera('mysql_vip', $controller_virtual_ip)], ports => 3306, - options => { - 'timeout' => [ 'client 0', 'server 0' ], - }, + options => $mysql_listen_options, collect_exported => false, } haproxy::balancermember { 'mysql-backup': @@ -869,7 +936,7 @@ class tripleo::loadbalancer ( ports => '3306', ipaddresses => hiera('mysql_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5', 'backup'], + options => $mysql_member_options, } } |