diff options
101 files changed, 1948 insertions, 531 deletions
diff --git a/Puppetfile_extras b/Puppetfile_extras index 0b617b9..f224b9a 100644 --- a/Puppetfile_extras +++ b/Puppetfile_extras @@ -48,3 +48,7 @@ mod 'systemd', mod 'opendaylight', :git => 'https://github.com/dfarrell07/puppet-opendaylight', :ref => 'master' + +mod 'ssh', + :git => 'https://github.com/saz/puppet-ssh', + :ref => 'v3.0.1' diff --git a/manifests/certmonger/apache_dirs.pp b/manifests/certmonger/apache_dirs.pp new file mode 100644 index 0000000..2588e46 --- /dev/null +++ b/manifests/certmonger/apache_dirs.pp @@ -0,0 +1,55 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# : = Class: tripleo::certmonger::apache_dirs +# +# Creates the necessary directories for apache's certificates and keys in the +# assigned locations if specified. It also assigns the correct SELinux tags. +# +# === Parameters: +# +# [*certificate_dir*] +# (Optional) Directory where apache's certificates will be stored. If left +# unspecified, it won't be created. +# Defaults to undef +# +# [*key_dir*] +# (Optional) Directory where apache's keys will be stored. +# Defaults to undef +# +class tripleo::certmonger::apache_dirs( + $certificate_dir = undef, + $key_dir = undef, +){ + + if $certificate_dir { + file { $certificate_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |> + } + + if $key_dir { + file { $key_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |> + } +} diff --git a/manifests/certmonger/ca/libvirt.pp b/manifests/certmonger/ca/libvirt.pp new file mode 100644 index 0000000..9fa9e74 --- /dev/null +++ b/manifests/certmonger/ca/libvirt.pp @@ -0,0 +1,42 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::ca::libvirt +# +# Sets the necessary file that will be used by both libvirt servers and +# clients. +# +# === Parameters: +# +# [*origin_ca_pem*] +# (Optional) Path to the CA certificate that libvirt will use. This is not +# assumed automatically or uses the system CA bundle as is the case of other +# services because a limitation with the file sizes in GNU TLS, which libvirt +# uses as a TLS backend. +# Defaults to undef +# +class tripleo::certmonger::ca::libvirt( + $origin_ca_pem = undef +){ + if $origin_ca_pem { + $ensure_file = 'link' + } else { + $ensure_file = 'absent' + } + file { '/etc/pki/CA/cacert.pem': + ensure => $ensure_file, + mode => '0644', + target => $origin_ca_pem, + } +} diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp index 94b48b7..74c0b5a 100644 --- a/manifests/certmonger/httpd.pp +++ b/manifests/certmonger/httpd.pp @@ -55,6 +55,7 @@ define tripleo::certmonger::httpd ( postsave_cmd => $postsave_cmd, ca => $certmonger_ca, wait => true, + tag => 'apache-cert', require => Class['::certmonger'], } diff --git a/manifests/certmonger/libvirt.pp b/manifests/certmonger/libvirt.pp new file mode 100644 index 0000000..b7dbb0a --- /dev/null +++ b/manifests/certmonger/libvirt.pp @@ -0,0 +1,78 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Resource: tripleo::certmonger::libvirt +# +# Request a certificate for libvirt and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*file_owner*] +# (Optional) The user which the certificate and key files belong to. +# Defaults to 'root' +# +# [*principal*] +# (Optional) The service principal that is set for the service in kerberos. +# Defaults to undef +# +define tripleo::certmonger::libvirt ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::nova::params + + $postsave_cmd = "systemctl restart ${::nova::params::libvirt_service_name}" + certmonger_certificate { $name : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + tag => 'libvirt-cert', + require => Class['::certmonger'], + } + + # Just register the files in puppet's resource catalog. Certmonger should + # give the right permissions. + file { $service_certificate : + require => Certmonger_certificate[$name], + } + file { $service_key : + require => Certmonger_certificate[$name], + } + + File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |> + File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |> +} diff --git a/manifests/certmonger/libvirt_dirs.pp b/manifests/certmonger/libvirt_dirs.pp new file mode 100644 index 0000000..c42ca0d --- /dev/null +++ b/manifests/certmonger/libvirt_dirs.pp @@ -0,0 +1,60 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::libvirt_dirs +# +# Creates the necessary directories for libvirt's certificates and keys in the +# assigned locations if specified. It also assigns the correct SELinux tags. +# +# === Parameters: +# +# [*certificate_dir*] +# (Optional) Directory where libvirt's certificates will be stored. If left +# unspecified, it won't be created. +# Defaults to undef +# +# [*certificate_dir*] +# (Optional) Directory where libvirt's certificates will be stored. +# Defaults to undef +# +# [*key_dir*] +# (Optional) Directory where libvirt's keys will be stored. +# Defaults to undef +# +class tripleo::certmonger::libvirt_dirs( + $certificate_dir = undef, + $key_dir = undef, +){ + + if $certificate_dir { + file { $certificate_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |> + } + + if $key_dir { + file { $key_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |> + } + +} diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp index 344adef..4a47938 100644 --- a/manifests/certmonger/rabbitmq.pp +++ b/manifests/certmonger/rabbitmq.pp @@ -31,10 +31,6 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # -# [*file_owner*] -# (Optional) The user which the certificate and key files belong to. -# Defaults to 'root' -# # [*principal*] # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 92edd71..a6bd1eb 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -428,6 +428,10 @@ # (optional) Specify the network ec2_api_metadata is running on. # Defaults to hiera('ec2_api_network', undef) # +# [*etcd_network*] +# (optional) Specify the network etcd is running on. +# Defaults to hiera('etcd_network', undef) +# # [*opendaylight_network*] # (optional) Specify the network opendaylight is running on. # Defaults to hiera('opendaylight_api_network', undef) @@ -623,6 +627,7 @@ class tripleo::haproxy ( $ovn_dbs_network = hiera('ovn_dbs_network', undef), $ec2_api_network = hiera('ec2_api_network', undef), $ec2_api_metadata_network = hiera('ec2_api_network', undef), + $etcd_network = hiera('etcd_network', undef), $sahara_network = hiera('sahara_api_network', undef), $swift_proxy_server_network = hiera('swift_proxy_network', undef), $tacker_network = hiera('tacker_api_network', undef), @@ -651,6 +656,7 @@ class tripleo::haproxy ( contrail_webui_https_port => 8143, docker_registry_port => 8787, docker_registry_ssl_port => 13787, + etcd_port => 2379, glance_api_port => 9292, glance_api_ssl_port => 13292, gnocchi_api_port => 8041, @@ -750,7 +756,7 @@ class tripleo::haproxy ( 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', + 'option' => [ 'forwardfor', 'httpchk' ], 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], @@ -762,7 +768,7 @@ class tripleo::haproxy ( } $horizon_options = { 'cookie' => 'SERVERID insert indirect nocache', - 'option' => 'forwardfor', + 'option' => [ 'forwardfor', 'httpchk' ], } } @@ -791,11 +797,6 @@ class tripleo::haproxy ( "${redis_vip}:6379" => $haproxy_listen_bind_param, } - $etcd_vip = hiera('etcd_vip', $controller_virtual_ip) - $etcd_bind_opts = { - "${etcd_vip}:2379" => $haproxy_listen_bind_param, - } - class { '::haproxy': service_manage => $haproxy_service_manage, global_options => { @@ -821,12 +822,20 @@ class tripleo::haproxy ( }, } + + $default_listen_options = { + 'option' => [ 'httpchk', ], + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + } Tripleo::Haproxy::Endpoint { haproxy_listen_bind_param => $haproxy_listen_bind_param, member_options => $haproxy_member_options, public_certificate => $service_certificate, use_internal_certificates => $use_internal_certificates, internal_certificates_specs => $internal_certificates_specs, + listen_options => $default_listen_options, } $stats_base = ['enable', 'uri /'] @@ -852,11 +861,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -864,11 +869,6 @@ class tripleo::haproxy ( } if $keystone_public { - $keystone_listen_opts = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - } if $service_certificate { $keystone_public_tls_listen_opts = { 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', @@ -877,7 +877,9 @@ class tripleo::haproxy ( 'option' => 'forwardfor', } } else { - $keystone_public_tls_listen_opts = {} + $keystone_public_tls_listen_opts = { + 'option' => [ 'httpchk GET /v3', ], + } } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip, @@ -886,7 +888,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), + listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -901,11 +903,6 @@ class tripleo::haproxy ( ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[neutron_api_ssl_port], service_network => $neutron_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -920,11 +917,6 @@ class tripleo::haproxy ( ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), server_names => hiera('cinder_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -939,11 +931,6 @@ class tripleo::haproxy ( ip_addresses => hiera('congress_node_ips', $controller_hosts_real), server_names => hiera('congress_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[congress_api_ssl_port], service_network => $congress_network, } @@ -957,11 +944,6 @@ class tripleo::haproxy ( ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => hiera('manila_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[manila_api_ssl_port], service_network => $manila_network, } @@ -987,11 +969,6 @@ class tripleo::haproxy ( ip_addresses => hiera('tacker_node_ips', $controller_hosts_real), server_names => hiera('tacker_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[tacker_api_ssl_port], service_network => $tacker_network, } @@ -1018,11 +995,7 @@ class tripleo::haproxy ( server_names => hiera('glance_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[glance_api_ssl_port], mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}), service_network => $glance_api_network, member_options => union($haproxy_member_options, $internal_tls_member_options), } @@ -1037,11 +1010,6 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[nova_api_ssl_port], service_network => $nova_osapi_network, #member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1057,11 +1025,6 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real), server_names => hiera('nova_placement_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[nova_placement_ssl_port], service_network => $nova_placement_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1074,6 +1037,9 @@ class tripleo::haproxy ( service_port => $ports[nova_metadata_port], ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real), + listen_options => { + 'option' => [ 'httpchk', ], + }, service_network => $nova_metadata_network, } } @@ -1085,10 +1051,11 @@ class tripleo::haproxy ( service_port => $ports[nova_novnc_port], ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), - listen_options => { + listen_options => merge($default_listen_options, { + 'option' => [ 'tcpka' ], 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], - }, + }), public_ssl_port => $ports[nova_novnc_ssl_port], service_network => $nova_novncproxy_network, } @@ -1102,11 +1069,6 @@ class tripleo::haproxy ( ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real), server_names => hiera('ec2_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[ec2_api_ssl_port], service_network => $ec2_api_network, } @@ -1130,11 +1092,6 @@ class tripleo::haproxy ( ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[ceilometer_api_ssl_port], service_network => $ceilometer_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1149,11 +1106,6 @@ class tripleo::haproxy ( ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[aodh_api_ssl_port], service_network => $aodh_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1167,11 +1119,6 @@ class tripleo::haproxy ( service_port => $ports[panko_api_port], ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real), server_names => hiera('panko_api_node_names', $controller_hosts_names_real), - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[panko_api_ssl_port], service_network => $panko_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1199,11 +1146,6 @@ class tripleo::haproxy ( ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[gnocchi_api_ssl_port], service_network => $gnocchi_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1224,6 +1166,7 @@ class tripleo::haproxy ( if $swift_proxy_server { $swift_proxy_server_listen_options = { + 'option' => [ 'httpchk GET /healthcheck', ], 'timeout client' => '2m', 'timeout server' => '2m', } @@ -1236,22 +1179,23 @@ class tripleo::haproxy ( listen_options => $swift_proxy_server_listen_options, public_ssl_port => $ports[swift_proxy_ssl_port], service_network => $swift_proxy_server_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) - $heat_base_options = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} + $heat_timeout_options = { + 'timeout client' => '10m', + 'timeout server' => '10m', + } if $service_certificate { $heat_ssl_options = { 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", } - $heat_options = merge($heat_base_options, $heat_ssl_options) + $heat_options = merge($default_listen_options, $heat_ssl_options, $heat_timeout_options) } else { - $heat_options = $heat_base_options + $heat_options = merge($default_listen_options, $heat_timeout_options) } if $heat_api { @@ -1377,7 +1321,7 @@ class tripleo::haproxy ( server_names => hiera('mysql_node_names', $controller_hosts_names_real), options => $mysql_member_options_real, } - if hiera('manage_firewall', true) { + if hiera('tripleo::firewall::manage_firewall', true) { include ::tripleo::firewall $mysql_firewall_rules = { '100 mysql_haproxy' => { @@ -1407,19 +1351,15 @@ class tripleo::haproxy ( } if $etcd { - haproxy::listen { 'etcd': - bind => $etcd_bind_opts, - options => { + ::tripleo::haproxy::endpoint { 'etcd': + internal_ip => hiera('etcd_vip', $controller_virtual_ip), + service_port => $ports[etcd_port], + ip_addresses => hiera('etcd_node_ips', $controller_hosts_real), + server_names => hiera('etcd_node_names', $controller_hosts_names_real), + service_network => $etcd_network, + listen_options => { 'balance' => 'source', - }, - collect_exported => false, - } - haproxy::balancermember { 'etcd': - listening_service => 'etcd', - ports => '2379', - ipaddresses => hiera('etcd_node_ips', $controller_hosts_real), - server_names => hiera('etcd_node_names', $controller_hosts_names_real), - options => $haproxy_member_options, + } } } @@ -1462,7 +1402,7 @@ class tripleo::haproxy ( server_names => hiera('redis_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } - if hiera('manage_firewall', true) { + if hiera('tripleo::firewall::manage_firewall', true) { include ::tripleo::firewall $redis_firewall_rules = { '100 redis_haproxy' => { @@ -1514,6 +1454,7 @@ class tripleo::haproxy ( server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ceph_rgw_ssl_port], service_network => $ceph_rgw_network, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk HEAD /' ] }), } } @@ -1595,6 +1536,12 @@ class tripleo::haproxy ( server_names => $controller_hosts_names_real, mode => 'http', public_ssl_port => $ports[ui_ssl_port], + listen_options => { + # NOTE(dtrainor): in addition to the zaqar_ws endpoint, the HTTPS + # (443/tcp) endpoint that answers for the UI must also use a long-lived + # tunnel timeout for the same reasons mentioned above. + 'timeout' => ['tunnel 3600s'], + }, } } if $contrail_config { @@ -1641,6 +1588,10 @@ class tripleo::haproxy ( ip_addresses => hiera('contrail_config_node_ips'), server_names => hiera('contrail_config_node_ips'), public_ssl_port => $ports[contrail_webui_https_port], + listen_options => { + 'balance' => 'source', + 'hash-type' => 'consistent', + } } } } diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index da2aba3..16e0bd1 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -147,7 +147,7 @@ define tripleo::haproxy::endpoint ( server_names => $server_names, options => $member_options, } - if hiera('manage_firewall', true) { + if hiera('tripleo::firewall::manage_firewall', true) { include ::tripleo::firewall # This block will construct firewall rules only when we specify # a port for the regular service and also the ssl port for the service. diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp index a6d5832..35b0821 100644 --- a/manifests/keepalived.pp +++ b/manifests/keepalived.pp @@ -59,6 +59,17 @@ # A string. # Defaults to false # +# [*ovndbs_virtual_ip*] +# Virtual IP on the OVNDBs service. +# A string. +# Defaults to false +# +# [*virtual_router_id_base*] +# Base for range used for virtual router IDs. +# An integer. +# Defaults to 50 +# + class tripleo::keepalived ( $controller_virtual_ip, $control_virtual_interface, @@ -68,6 +79,8 @@ class tripleo::keepalived ( $storage_virtual_ip = false, $storage_mgmt_virtual_ip = false, $redis_virtual_ip = false, + $ovndbs_virtual_ip = false, + $virtual_router_id_base = 50, ) { case $::osfamily { @@ -93,7 +106,7 @@ class tripleo::keepalived ( } # KEEPALIVE INSTANCE CONTROL - keepalived::instance { '51': + keepalived::instance { "${$virtual_router_id_base + 1}": interface => $control_virtual_interface, virtual_ips => [join([$controller_virtual_ip, ' dev ', $control_virtual_interface])], state => 'MASTER', @@ -102,7 +115,7 @@ class tripleo::keepalived ( } # KEEPALIVE INSTANCE PUBLIC - keepalived::instance { '52': + keepalived::instance { "${$virtual_router_id_base + 2}": interface => $public_virtual_interface, virtual_ips => [join([$public_virtual_ip, ' dev ', $public_virtual_interface])], state => 'MASTER', @@ -119,7 +132,7 @@ class tripleo::keepalived ( $internal_api_virtual_netmask = '32' } # KEEPALIVE INTERNAL API NETWORK - keepalived::instance { '53': + keepalived::instance { "${$virtual_router_id_base + 3}": interface => $internal_api_virtual_interface, virtual_ips => [join(["${internal_api_virtual_ip}/${internal_api_virtual_netmask}", ' dev ', $internal_api_virtual_interface])], state => 'MASTER', @@ -136,7 +149,7 @@ class tripleo::keepalived ( $storage_virtual_netmask = '32' } # KEEPALIVE STORAGE NETWORK - keepalived::instance { '54': + keepalived::instance { "${$virtual_router_id_base + 4}": interface => $storage_virtual_interface, virtual_ips => [join(["${storage_virtual_ip}/${storage_virtual_netmask}", ' dev ', $storage_virtual_interface])], state => 'MASTER', @@ -153,7 +166,7 @@ class tripleo::keepalived ( $storage_mgmt_virtual_netmask = '32' } # KEEPALIVE STORAGE MANAGEMENT NETWORK - keepalived::instance { '55': + keepalived::instance { "${$virtual_router_id_base + 5}": interface => $storage_mgmt_virtual_interface, virtual_ips => [join(["${storage_mgmt_virtual_ip}/${storage_mgmt_virtual_netmask}", ' dev ', $storage_mgmt_virtual_interface])], state => 'MASTER', @@ -170,7 +183,7 @@ class tripleo::keepalived ( $redis_virtual_netmask = '32' } # KEEPALIVE STORAGE MANAGEMENT NETWORK - keepalived::instance { '56': + keepalived::instance { "${$virtual_router_id_base + 6}": interface => $redis_virtual_interface, virtual_ips => [join(["${redis_virtual_ip}/${redis_virtual_netmask}", ' dev ', $redis_virtual_interface])], state => 'MASTER', @@ -178,4 +191,16 @@ class tripleo::keepalived ( priority => 101, } } + + if $ovndbs_virtual_ip and $ovndbs_virtual_ip != $controller_virtual_ip { + $ovndbs_virtual_interface = interface_for_ip($ovndbs_virtual_ip) + # KEEPALIVE OVNDBS MANAGEMENT NETWORK + keepalived::instance { "${$virtual_router_id_base + 7}": + interface => $ovndbs_virtual_interface, + virtual_ips => [join([$ovndbs_virtual_ip, ' dev ', $ovndbs_virtual_interface])], + state => 'MASTER', + track_script => ['haproxy'], + priority => 101, + } + } } diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index af4a5b3..22fc000 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -39,14 +39,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -57,17 +49,12 @@ class tripleo::profile::base::aodh::api ( $aodh_network = hiera('aodh_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { include ::tripleo::profile::base::aodh if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$aodh_network { fail('aodh_api_network is not set in the hieradata.') } @@ -79,7 +66,7 @@ class tripleo::profile::base::aodh::api ( } - if $step >= 4 { + if $step >= 3 { include ::aodh::api class { '::aodh::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 22984b1..71e4ea1 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -105,7 +97,6 @@ class tripleo::profile::base::barbican::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), @@ -126,10 +117,6 @@ class tripleo::profile::base::barbican::api ( } if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$barbican_network { fail('barbican_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 6ef4748..1080355 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -39,14 +39,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -56,16 +48,11 @@ class tripleo::profile::base::ceilometer::api ( $ceilometer_network = hiera('ceilometer_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { include ::tripleo::profile::base::ceilometer if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$ceilometer_network { fail('ceilometer_api_network is not set in the hieradata.') } @@ -76,7 +63,7 @@ class tripleo::profile::base::ceilometer::api ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::ceilometer::api class { '::ceilometer::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/ceilometer/collector.pp b/manifests/profile/base/ceilometer/collector.pp index 20eab54..6b58286 100644 --- a/manifests/profile/base/ceilometer/collector.pp +++ b/manifests/profile/base/ceilometer/collector.pp @@ -85,4 +85,12 @@ class tripleo::profile::base::ceilometer::collector ( include ::ceilometer::dispatcher::gnocchi } + # Re-run ceilometer-upgrade again in step 5 so gnocchi resource types + # are created safely. + if $step >= 5 and $sync_db { + exec {'ceilometer-db-upgrade': + command => 'ceilometer-upgrade --skip-metering-database', + path => ['/usr/bin', '/usr/sbin'], + } + } } diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp index 8443de0..d00f7cd 100644 --- a/manifests/profile/base/ceph/rgw.pp +++ b/manifests/profile/base/ceph/rgw.pp @@ -60,7 +60,7 @@ class tripleo::profile::base::ceph::rgw ( $rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway') $civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip) include ::ceph::params - include ::ceph::profile::base + include ::ceph::profile::client ceph::rgw { $rgw_name: frontend_type => 'civetweb', rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}", diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 586c7e4..4d91ac9 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -43,6 +43,11 @@ # it will create. # Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}). # +# [*libvirt_certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('libvirt_certificates_specs', {}). +# # [*mysql_certificate_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -56,12 +61,20 @@ class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), + $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), ) { + include ::tripleo::certmonger::ca::libvirt + unless empty($apache_certificates_specs) { + include ::tripleo::certmonger::apache_dirs ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) } + unless empty($libvirt_certificates_specs) { + include ::tripleo::certmonger::libvirt_dirs + ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs) + } unless empty($haproxy_certificates_specs) { ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 450a8e6..c432fd6 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -61,7 +53,6 @@ class tripleo::profile::base::cinder::api ( $certificates_specs = hiera('apache_certificates_specs', {}), $cinder_api_network = hiera('cinder_api_network', undef), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { @@ -73,10 +64,6 @@ class tripleo::profile::base::cinder::api ( include ::tripleo::profile::base::cinder if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$cinder_api_network { fail('cinder_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 9fb1594..e1370a3 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*cinder_enable_pure_backend*] +# (Optional) Whether to enable the pure backend +# Defaults to true +# # [*cinder_enable_dellsc_backend*] # (Optional) Whether to enable the delsc backend # Defaults to true @@ -60,6 +64,7 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( + $cinder_enable_pure_backend = false, $cinder_enable_dellsc_backend = false, $cinder_enable_hpelefthand_backend = false, $cinder_enable_dellps_backend = false, @@ -76,6 +81,13 @@ class tripleo::profile::base::cinder::volume ( if $step >= 4 { include ::cinder::volume + if $cinder_enable_pure_backend { + include ::tripleo::profile::base::cinder::volume::pure + $cinder_pure_backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure') + } else { + $cinder_pure_backend_name = undef + } + if $cinder_enable_dellsc_backend { include ::tripleo::profile::base::cinder::volume::dellsc $cinder_dellsc_backend_name = hiera('cinder::backend::dellsc_iscsi::volume_backend_name', 'tripleo_dellsc') @@ -134,6 +146,7 @@ class tripleo::profile::base::cinder::volume ( $backends = delete_undef_values([$cinder_iscsi_backend_name, $cinder_rbd_backend_name, + $cinder_pure_backend_name, $cinder_dellps_backend_name, $cinder_dellsc_backend_name, $cinder_hpelefthand_backend_name, diff --git a/manifests/profile/base/cinder/volume/dellps.pp b/manifests/profile/base/cinder/volume/dellps.pp index 1338240..e825b61 100644 --- a/manifests/profile/base/cinder/volume/dellps.pp +++ b/manifests/profile/base/cinder/volume/dellps.pp @@ -41,9 +41,9 @@ class tripleo::profile::base::cinder::volume::dellps ( san_thin_provision => hiera('cinder::backend::eqlx::san_thin_provision', undef), eqlx_group_name => hiera('cinder::backend::eqlx::eqlx_group_name', undef), eqlx_pool => hiera('cinder::backend::eqlx::eqlx_pool', undef), - eqlx_use_chap => hiera('cinder::backend::eqlx::eqlx_use_chap', undef), - eqlx_chap_login => hiera('cinder::backend::eqlx::eqlx_chap_login', undef), - eqlx_chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef), + use_chap_auth => hiera('cinder::backend::eqlx::eqlx_use_chap', undef), + chap_username => hiera('cinder::backend::eqlx::eqlx_chap_login', undef), + chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef), } } diff --git a/manifests/profile/base/cinder/volume/dellsc.pp b/manifests/profile/base/cinder/volume/dellsc.pp index 534bcb7..ab6bbeb 100644 --- a/manifests/profile/base/cinder/volume/dellsc.pp +++ b/manifests/profile/base/cinder/volume/dellsc.pp @@ -44,6 +44,7 @@ class tripleo::profile::base::cinder::volume::dellsc ( dell_sc_api_port => hiera('cinder::backend::dellsc_iscsi::dell_sc_api_port', undef), dell_sc_server_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_server_folder', undef), dell_sc_volume_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_volume_folder', undef), + excluded_domain_ip => hiera('cinder::backend::dellsc_iscsi::excluded_domain_ip', undef), } } diff --git a/manifests/profile/base/cinder/volume/pure.pp b/manifests/profile/base/cinder/volume/pure.pp new file mode 100644 index 0000000..e524919 --- /dev/null +++ b/manifests/profile/base/cinder/volume/pure.pp @@ -0,0 +1,65 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::pure +# +# Cinder Volume pure profile for tripleo +# +# === Parameters +# +# [*san_ip*] +# (required) IP address of PureStorage management VIP. +# +# [*pure_api_token*] +# (required) API token for management of PureStorage array. +# +# [*backend_name*] +# (Optional) Name given to the Cinder backend stanza +# Defaults to 'tripleo_pure' +# +# [*pure_storage_protocol*] +# (optional) Must be either 'iSCSI' or 'FC'. This will determine +# which Volume Driver will be configured; PureISCSIDriver or PureFCDriver. +# Defaults to 'iSCSI' +# +# [*use_multipath_for_image_xfer*] +# (optional) . +# Defaults to True +# +# [*use_chap_auth*] +# (optional) Only affects the PureISCSIDriver. +# Defaults to False +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::pure ( + $backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure'), + $step = hiera('step'), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::pure { $backend_name : + san_ip => hiera('cinder::backend::pure::san_ip', undef), + pure_api_token => hiera('cinder::backend::pure::pure_api_token', undef), + pure_storage_protocol => hiera('cinder::backend::pure::pure_storage_protocol', undef), + use_chap_auth => hiera('cinder::backend::pure::use_chap_auth', undef), + use_multipath_for_image_xfer => hiera('cinder::backend::pure::use_multipath_for_image_xfer', undef), + } + } + +} diff --git a/manifests/profile/base/database/mongodb.pp b/manifests/profile/base/database/mongodb.pp index 8967f5b..4740d67 100644 --- a/manifests/profile/base/database/mongodb.pp +++ b/manifests/profile/base/database/mongodb.pp @@ -30,10 +30,15 @@ # for more details. # Defaults to hiera('step') # +# [*memory_limit*] +# (Optional) Limit amount of memory mongodb can use +# Defaults to 20G +# class tripleo::profile::base::database::mongodb ( $mongodb_replset, $bootstrap_node = downcase(hiera('bootstrap_nodeid')), $step = hiera('step'), + $memory_limit = '20G', ) { if $step >= 2 { @@ -56,5 +61,11 @@ class tripleo::profile::base::database::mongodb ( } } + # Limit memory utilization + ::systemd::service_limits { 'mongod.service': + limits => { + 'MemoryLimit' => $memory_limit + } + } } } diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 80b07d4..b4ac8ac 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -47,12 +47,6 @@ # limit for the mysql service. # Defaults to false # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# MySQL. This could be as many as specified by the $certificates_specs -# variable. -# Defaults to hiera('generate_service_certificate', false). -# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -82,7 +76,6 @@ class tripleo::profile::base::database::mysql ( $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $generate_dropin_file_limit = false, - $generate_service_certificates = hiera('generate_service_certificates', false), $manage_resources = true, $mysql_server_options = {}, $mysql_max_connections = hiera('mysql_max_connections', undef), @@ -100,9 +93,6 @@ class tripleo::profile::base::database::mysql ( validate_hash($certificate_specs) if $enable_internal_tls { - if $generate_service_certificates { - ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs) - } $tls_certfile = $certificate_specs['service_certificate'] $tls_keyfile = $certificate_specs['service_key'] } else { diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp index 22384a9..014ef35 100644 --- a/manifests/profile/base/database/mysql/client.pp +++ b/manifests/profile/base/database/mysql/client.pp @@ -82,6 +82,7 @@ class tripleo::profile::base::database::mysql::client ( # Create /etc/my.cnf.d/tripleo.cnf exec { 'directory-create-etc-my.cnf.d': command => 'mkdir -p /etc/my.cnf.d', + unless => 'test -d /etc/my.cnf.d', path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], } -> augeas { 'tripleo-mysql-client-conf': diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index 5e18a85..4797d86 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -28,12 +28,17 @@ # Set docker_namespace to INSECURE_REGISTRY, used when a local registry # is enabled (defaults to false) # +# [*registry_mirror*] +# Configure a registry-mirror in the /etc/docker/daemon.json file. +# (defaults to false) +# # [*step*] # step defaults to hiera('step') # class tripleo::profile::base::docker ( $docker_namespace = undef, $insecure_registry = false, + $registry_mirror = false, $step = hiera('step'), ) { if $step >= 1 { @@ -64,5 +69,23 @@ class tripleo::profile::base::docker ( subscribe => Package['docker'], notify => Service['docker'], } + + if $registry_mirror { + $mirror_changes = [ + 'set dict/entry[. = "registry-mirrors"] "registry-mirrors', + "set dict/entry[. = \"registry-mirrors\"]/array/string \"${registry_mirror}\"" + ] + } else { + $mirror_changes = [ 'rm dict/entry[. = "registry-mirrors"]', ] + } + + augeas { 'docker-daemon.json': + lens => 'Json.lns', + incl => '/etc/docker/daemon.json', + changes => $mirror_changes, + subscribe => Package['docker'], + notify => Service['docker'], + } + } } diff --git a/manifests/profile/base/docker_registry.pp b/manifests/profile/base/docker_registry.pp index 0452575..cb262d9 100644 --- a/manifests/profile/base/docker_registry.pp +++ b/manifests/profile/base/docker_registry.pp @@ -31,18 +31,28 @@ # network # Defaults to hiera('controller_admin_host') # +# [*enable_container_images_build*] +# (Optional) Whether to install tools to build docker container images +# Defaults to hiera('enable_container_images_build', true) +# class tripleo::profile::base::docker_registry ( - $registry_host = hiera('controller_host'), - $registry_port = 8787, - $registry_admin_host = hiera('controller_admin_host'), + $registry_host = hiera('controller_host'), + $registry_port = 8787, + $registry_admin_host = hiera('controller_admin_host'), + $enable_container_images_build = hiera('enable_container_images_build', true), ) { + + include ::tripleo::profile::base::docker + # We want a v2 registry package{'docker-registry': ensure => absent, allow_virtual => false, } package{'docker-distribution': } - package{'docker': } + if str2bool($enable_container_images_build) { + package{'openstack-kolla': } + } file { '/etc/docker-distribution/registry/config.yml' : ensure => file, content => template('tripleo/docker_distribution/registry_config.yml.erb'), @@ -67,9 +77,4 @@ class tripleo::profile::base::docker_registry ( enable => true, require => Package['docker-distribution'], } - service { 'docker': - ensure => running, - enable => true, - require => Package['docker'], - } } diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp index 505e29f..c29c937 100644 --- a/manifests/profile/base/etcd.pp +++ b/manifests/profile/base/etcd.pp @@ -46,20 +46,13 @@ class tripleo::profile::base::etcd ( $nodes = hiera('etcd_node_names', []), $step = hiera('step'), ) { - if $step >= 1 { - if count($nodes) > 1 { - $cluster_enabled = true - } else { - $cluster_enabled = false - } - + if $step >= 2 { class {'::etcd': listen_client_urls => "http://${bind_ip}:${client_port}", advertise_client_urls => "http://${bind_ip}:${client_port}", listen_peer_urls => "http://${bind_ip}:${peer_port}", initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}", initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"), - cluster_enabled => $cluster_enabled, proxy => 'off', } } diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index e5807f6..8ed7fb7 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp @@ -38,14 +38,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*glance_backend*] # (Optional) Glance backend(s) to use. # Defaults to downcase(hiera('glance_backend', 'swift')) @@ -91,7 +83,6 @@ class tripleo::profile::base::glance::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $glance_backend = downcase(hiera('glance_backend', 'swift')), $glance_network = hiera('glance_api_network', undef), $glance_nfs_enabled = false, @@ -102,10 +93,6 @@ class tripleo::profile::base::glance::api ( $tls_proxy_fqdn = undef, $tls_proxy_port = 9292, ) { - if $enable_internal_tls and $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if $::hostname == downcase($bootstrap_node) { $sync_db = true } else { diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp index 2fde1fc..ce04abf 100644 --- a/manifests/profile/base/gnocchi/api.pp +++ b/manifests/profile/base/gnocchi/api.pp @@ -38,14 +38,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*gnocchi_backend*] # (Optional) Gnocchi backend string file, swift or rbd # Defaults to swift @@ -64,7 +56,6 @@ class tripleo::profile::base::gnocchi::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')), $gnocchi_network = hiera('gnocchi_api_network', undef), $step = hiera('step'), @@ -78,10 +69,6 @@ class tripleo::profile::base::gnocchi::api ( include ::tripleo::profile::base::gnocchi if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$gnocchi_network { fail('gnocchi_api_network is not set in the hieradata.') } @@ -96,13 +83,15 @@ class tripleo::profile::base::gnocchi::api ( include ::gnocchi::db::sync } - if $step >= 4 { + if $step >= 3 { include ::gnocchi::api class { '::gnocchi::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, } + } + if $step >= 4 { class { '::gnocchi::storage': coordination_url => join(['redis://:', hiera('gnocchi_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/']), } @@ -113,4 +102,13 @@ class tripleo::profile::base::gnocchi::api ( default: { fail('Unrecognized gnocchi_backend parameter.') } } } + + # Re-run gnochci upgrade with storage as swift/ceph should be up at this + # stage. + if $step >= 5 and $sync_db { + exec {'run gnocchi upgrade with storage': + command => 'gnocchi-upgrade --config-file=/etc/gnocchi/gnocchi.conf', + path => ['/usr/bin', '/usr/sbin'], + } + } } diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp index 8568b28..9a03487 100644 --- a/manifests/profile/base/haproxy.pp +++ b/manifests/profile/base/haproxy.pp @@ -36,14 +36,6 @@ # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -52,18 +44,10 @@ class tripleo::profile::base::haproxy ( $certificates_specs = {}, $enable_load_balancer = hiera('enable_load_balancer', true), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { if $step >= 1 { if $enable_load_balancer { - if str2bool($generate_service_certificates) { - ensure_resources('tripleo::certmonger::haproxy', $certificates_specs) - # The haproxy fronends (or listen resources) depend on the certificate - # existing and need to be refreshed if it changed. - Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> - } - class {'::tripleo::haproxy': internal_certificates_specs => $certificates_specs, } diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp index 9ffba9c..8e2da7e 100644 --- a/manifests/profile/base/heat/api.pp +++ b/manifests/profile/base/heat/api.pp @@ -34,14 +34,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*heat_api_network*] # (Optional) The network name where the heat API endpoint is listening on. # This is set by t-h-t. @@ -55,17 +47,12 @@ class tripleo::profile::base::heat::api ( $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $heat_api_network = hiera('heat_api_network', undef), $step = hiera('step'), ) { include ::tripleo::profile::base::heat if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$heat_api_network { fail('heat_api_network is not set in the hieradata.') } @@ -76,7 +63,7 @@ class tripleo::profile::base::heat::api ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::heat::api class { '::heat::wsgi::apache_api': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp index 987d3b2..02eb82a 100644 --- a/manifests/profile/base/heat/api_cfn.pp +++ b/manifests/profile/base/heat/api_cfn.pp @@ -34,14 +34,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*heat_api_cfn_network*] # (Optional) The network name where the heat cfn endpoint is listening on. # This is set by t-h-t. @@ -55,17 +47,12 @@ class tripleo::profile::base::heat::api_cfn ( $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $heat_api_cfn_network = hiera('heat_api_cfn_network', undef), $step = hiera('step'), ) { include ::tripleo::profile::base::heat if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$heat_api_cfn_network { fail('heat_api_cfn_network is not set in the hieradata.') } @@ -76,7 +63,7 @@ class tripleo::profile::base::heat::api_cfn ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::heat::api_cfn class { '::heat::wsgi::apache_api_cfn': diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp index 4dd2607..558d247 100644 --- a/manifests/profile/base/heat/api_cloudwatch.pp +++ b/manifests/profile/base/heat/api_cloudwatch.pp @@ -34,14 +34,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*heat_api_cloudwatch_network*] # (Optional) The network name where the heat cloudwatch endpoint is listening # on. This is set by t-h-t. @@ -55,17 +47,12 @@ class tripleo::profile::base::heat::api_cloudwatch ( $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), $step = hiera('step'), ) { include ::tripleo::profile::base::heat if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$heat_api_cloudwatch_network { fail('heat_api_cloudwatch_network is not set in the hieradata.') } @@ -76,7 +63,7 @@ class tripleo::profile::base::heat::api_cloudwatch ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::heat::api_cloudwatch class { '::heat::wsgi::apache_api_cloudwatch': diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 278c25c..10eaaa6 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -31,7 +31,7 @@ class tripleo::profile::base::horizon ( $step = hiera('step'), $neutron_options = hiera('horizon::neutron_options', {}), ) { - if $step >= 4 { + if $step >= 3 { # Horizon include ::apache::mod::remoteip include ::apache::mod::status diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp index 7f90da9..941c0bd 100644 --- a/manifests/profile/base/ironic/conductor.pp +++ b/manifests/profile/base/ironic/conductor.pp @@ -34,6 +34,7 @@ class tripleo::profile::base::ironic::conductor ( if $step >= 4 { include ::ironic::conductor + include ::ironic::drivers::interfaces include ::ironic::drivers::pxe if $manage_pxe { include ::ironic::pxe @@ -43,7 +44,10 @@ class tripleo::profile::base::ironic::conductor ( include ::ironic::drivers::drac include ::ironic::drivers::ilo include ::ironic::drivers::ipmi - include ::ironic::drivers::ssh + # TODO: deprecated code cleanup, remove in Queens + ironic_config { + 'ssh/libvirt_uri': ensure => absent; + } # Configure access to other services include ::ironic::drivers::inspector diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 9b2fc51..290abee 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*heat_admin_domain*] # domain name for heat admin # Defaults to undef @@ -67,6 +59,15 @@ # heat admin user name # Defaults to undef # +# [*ldap_backends_config*] +# Configuration for keystone::ldap_backend. This takes a hash that will +# create each backend specified. +# Defaults to undef +# +# [*ldap_backend_enable*] +# Enables creating per-domain LDAP backends for keystone. +# Default to false +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -130,11 +131,12 @@ class tripleo::profile::base::keystone ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $heat_admin_domain = undef, $heat_admin_email = undef, $heat_admin_password = undef, $heat_admin_user = undef, + $ldap_backends_config = undef, + $ldap_backend_enable = false, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), @@ -163,10 +165,6 @@ class tripleo::profile::base::keystone ( } if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$public_endpoint_network { fail('keystone_public_api_network is not set in the hieradata.') } @@ -208,6 +206,10 @@ class tripleo::profile::base::keystone ( }), } + if 'amqp' in [$oslomsg_rpc_proto, $oslomsg_notify_proto]{ + include ::keystone::messaging::amqp + } + include ::keystone::config class { '::keystone::wsgi::apache': ssl_cert => $tls_certfile, @@ -216,6 +218,13 @@ class tripleo::profile::base::keystone ( ssl_key_admin => $tls_keyfile_admin, } include ::keystone::cors + + if $ldap_backend_enable { + validate_hash($ldap_backends_config) + create_resources('::keystone::ldap_backend', $ldap_backends_config, { + create_domain_entry => $manage_domain, + }) + } } if $step >= 4 and $manage_db_purge { @@ -255,7 +264,10 @@ class tripleo::profile::base::keystone ( if hiera('barbican_api_enabled', false) { include ::barbican::keystone::auth } - if hiera('ceilometer_api_enabled', false) { + # ceilometer user is needed even when ceilometer api + # not running, so it can authenticate with keystone + # and dispatch data. + if hiera('ceilometer_auth_enabled', false) { include ::ceilometer::keystone::auth } if hiera('ceph_rgw_enabled', false) { @@ -300,13 +312,16 @@ class tripleo::profile::base::keystone ( if hiera('nova_placement_enabled', false) { include ::nova::keystone::auth_placement } + if hiera('octavia_api_enabled', false) { + include ::octavia::keystone::auth + } if hiera('panko_api_enabled', false) { include ::panko::keystone::auth } if hiera('sahara_api_enabled', false) { include ::sahara::keystone::auth } - if hiera('swift_proxy_enabled', false) { + if hiera('swift_proxy_enabled', false) or hiera('external_swift_proxy_enabled',false) { include ::swift::keystone::auth } if hiera('tacker_enabled', false) { diff --git a/manifests/profile/base/logging/fluentd.pp b/manifests/profile/base/logging/fluentd.pp index 9e1aa8d..fc996e9 100644 --- a/manifests/profile/base/logging/fluentd.pp +++ b/manifests/profile/base/logging/fluentd.pp @@ -71,105 +71,109 @@ class tripleo::profile::base::logging::fluentd ( $fluentd_listen_syslog = true, $fluentd_syslog_port = 42185 ) { - include ::fluentd - if $fluentd_groups { - user { $::fluentd::config_owner: - ensure => present, - groups => $fluentd_groups, - membership => 'minimum', + if $step >= 4 { + include ::fluentd + + if $fluentd_groups { + Package<| tag == 'openstack' |> -> + user { $::fluentd::config_owner: + ensure => present, + groups => $fluentd_groups, + membership => 'minimum', + } } - } - if $fluentd_pos_file_path { - file { $fluentd_pos_file_path: - ensure => 'directory', - owner => $::fluentd::config_owner, - group => $::fluentd::config_group, - mode => '0750', + if $fluentd_pos_file_path { + file { $fluentd_pos_file_path: + ensure => 'directory', + owner => $::fluentd::config_owner, + group => $::fluentd::config_group, + mode => '0750', + } } - } - ::fluentd::plugin { 'rubygem-fluent-plugin-add': - plugin_provider => 'yum', - } + ::fluentd::plugin { 'rubygem-fluent-plugin-add': + plugin_provider => 'yum', + } - if $fluentd_sources { - ::fluentd::config { '100-openstack-sources.conf': - config => { - 'source' => $fluentd_sources, + if $fluentd_sources { + ::fluentd::config { '100-openstack-sources.conf': + config => { + 'source' => $fluentd_sources, + } } } - } - if $fluentd_listen_syslog { - # fluentd will receive syslog messages by listening on a local udp - # socket. - ::fluentd::config { '110-system-sources.conf': - config => { - 'source' => { - 'type' => 'syslog', - 'tag' => 'system.messages', - 'port' => $fluentd_syslog_port, + if $fluentd_listen_syslog { + # fluentd will receive syslog messages by listening on a local udp + # socket. + ::fluentd::config { '110-system-sources.conf': + config => { + 'source' => { + 'type' => 'syslog', + 'tag' => 'system.messages', + 'port' => $fluentd_syslog_port, + } } } - } - file { '/etc/rsyslog.d/fluentd.conf': - content => "*.* @127.0.0.1:${fluentd_syslog_port}", - owner => 'root', - group => 'root', - mode => '0644', - } ~> exec { 'reload rsyslog': - command => '/bin/systemctl restart rsyslog', + file { '/etc/rsyslog.d/fluentd.conf': + content => "*.* @127.0.0.1:${fluentd_syslog_port}", + owner => 'root', + group => 'root', + mode => '0644', + } ~> exec { 'reload rsyslog': + command => '/bin/systemctl restart rsyslog', + } } - } - if $fluentd_filters { - ::fluentd::config { '200-openstack-filters.conf': - config => { - 'filter' => $fluentd_filters, + if $fluentd_filters { + ::fluentd::config { '200-openstack-filters.conf': + config => { + 'filter' => $fluentd_filters, + } } } - } - if $fluentd_servers and !empty($fluentd_servers) { - if $fluentd_use_ssl { - ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward': - plugin_provider => 'yum', - } + if $fluentd_servers and !empty($fluentd_servers) { + if $fluentd_use_ssl { + ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward': + plugin_provider => 'yum', + } - file {'/etc/fluentd/ca_cert.pem': - content => $fluentd_ssl_certificate, - owner => $::fluentd::config_owner, - group => $::fluentd::config_group, - mode => '0444', - } + file {'/etc/fluentd/ca_cert.pem': + content => $fluentd_ssl_certificate, + owner => $::fluentd::config_owner, + group => $::fluentd::config_group, + mode => '0444', + } - ::fluentd::config { '300-openstack-matches.conf': - config => { - 'match' => { - # lint:ignore:single_quote_string_with_variables - # lint:ignore:quoted_booleans - 'type' => 'secure_forward', - 'tag_pattern' => '**', - 'self_hostname' => '${hostname}', - 'secure' => 'true', - 'ca_cert_path' => '/etc/fluentd/ca_cert.pem', - 'shared_key' => $fluentd_shared_key, - 'server' => $fluentd_servers, - # lint:endignore - # lint:endignore + ::fluentd::config { '300-openstack-matches.conf': + config => { + 'match' => { + # lint:ignore:single_quote_string_with_variables + # lint:ignore:quoted_booleans + 'type' => 'secure_forward', + 'tag_pattern' => '**', + 'self_hostname' => '${hostname}', + 'secure' => 'true', + 'ca_cert_path' => '/etc/fluentd/ca_cert.pem', + 'shared_key' => $fluentd_shared_key, + 'server' => $fluentd_servers, + # lint:endignore + # lint:endignore + } } } - } - } else { - ::fluentd::config { '300-openstack-matches.conf': - config => { - 'match' => { - 'type' => 'forward', - 'tag_pattern' => '**', - 'server' => $fluentd_servers, + } else { + ::fluentd::config { '300-openstack-matches.conf': + config => { + 'match' => { + 'type' => 'forward', + 'tag_pattern' => '**', + 'server' => $fluentd_servers, + } } } } diff --git a/manifests/profile/base/neutron/agents/bagpipe.pp b/manifests/profile/base/neutron/agents/bagpipe.pp new file mode 100644 index 0000000..fb5e000 --- /dev/null +++ b/manifests/profile/base/neutron/agents/bagpipe.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Ricardo Noriega <rnoriega@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::bagpipe +# +# Neutron Bagpipe Agent profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::bagpipe ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::agents::bagpipe + } +} diff --git a/manifests/profile/base/neutron/agents/l2gw.pp b/manifests/profile/base/neutron/agents/l2gw.pp new file mode 100644 index 0000000..10cd662 --- /dev/null +++ b/manifests/profile/base/neutron/agents/l2gw.pp @@ -0,0 +1,35 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Peng Liu <pliu@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agent::l2gw +# +# Neutron L2 Gateway agent profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::l2gw ( + $step = hiera('step'), +) { + if $step >= 4 { + include ::neutron::agents::l2gw + } +} diff --git a/manifests/profile/base/neutron/agents/vpp.pp b/manifests/profile/base/neutron/agents/vpp.pp new file mode 100644 index 0000000..e961aa7 --- /dev/null +++ b/manifests/profile/base/neutron/agents/vpp.pp @@ -0,0 +1,49 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::vpp +# +# Neutron VPP Agent profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*etcd_host*] +# (Optional) etcd server VIP. +# Defaults to hiera('etcd_vip') +# +# [*etcd_port*] +# (Optional) etcd server listening port. +# Defaults to 2379 +# +class tripleo::profile::base::neutron::agents::vpp( + $step = hiera('step'), + $etcd_host = hiera('etcd_vip'), + $etcd_port = 2379, +) { + if empty($etcd_host) { + fail('etcd_vip not set in hieradata') + } + + if $step >= 4 { + class { '::neutron::agents::ml2::vpp': + etcd_host => $etcd_host, + etcd_port => $etcd_port, + } + } +} diff --git a/manifests/profile/base/neutron/bgpvpn.pp b/manifests/profile/base/neutron/bgpvpn.pp index 9fa1d14..d6fdf4e 100644 --- a/manifests/profile/base/neutron/bgpvpn.pp +++ b/manifests/profile/base/neutron/bgpvpn.pp @@ -27,10 +27,11 @@ # Defaults to hiera('step') # class tripleo::profile::base::neutron::bgpvpn ( - $step = hiera('step'), + $step = hiera('step'), ) { + include ::tripleo::profile::base::neutron + if $step >= 4 { - include ::tripleo::profile::base::neutron include ::neutron::services::bgpvpn } } diff --git a/manifests/profile/base/neutron/l2gw.pp b/manifests/profile/base/neutron/l2gw.pp new file mode 100644 index 0000000..da71108 --- /dev/null +++ b/manifests/profile/base/neutron/l2gw.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Peng Liu <pliu@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::l2gw +# +# Neutron L2 Gateway Service plugin profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::l2gw ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::services::l2gw + } +} diff --git a/manifests/profile/base/neutron/plugins/ml2.pp b/manifests/profile/base/neutron/plugins/ml2.pp index 52d4ca1..1702fed 100644 --- a/manifests/profile/base/neutron/plugins/ml2.pp +++ b/manifests/profile/base/neutron/plugins/ml2.pp @@ -81,5 +81,9 @@ class tripleo::profile::base::neutron::plugins::ml2 ( include ::neutron::plugins::ml2::fujitsu include ::neutron::plugins::ml2::fujitsu::fossw } + + if 'vpp' in $mechanism_drivers { + include ::tripleo::profile::base::neutron::plugins::ml2::vpp + } } } diff --git a/manifests/profile/base/neutron/plugins/ml2/vpp.pp b/manifests/profile/base/neutron/plugins/ml2/vpp.pp new file mode 100644 index 0000000..217e4cf --- /dev/null +++ b/manifests/profile/base/neutron/plugins/ml2/vpp.pp @@ -0,0 +1,49 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::plugins::ml2::vpp +# +# VPP Neutron ML2 profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*etcd_host*] +# (Optional) etcd server VIP. +# Defaults to hiera('etcd_vip') +# +# [*etcd_port*] +# (Optional) etcd server listening port. +# Defaults to 2379 +# +class tripleo::profile::base::neutron::plugins::ml2::vpp ( + $step = hiera('step'), + $etcd_host = hiera('etcd_vip'), + $etcd_port = 2379, +) { + if empty($etcd_host) { + fail('etcd_vip not set in hieradata') + } + + if $step >= 4 { + class { '::neutron::plugins::ml2::vpp': + etcd_host => $etcd_host, + etcd_port => $etcd_port, + } + } +} diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp index 5d6909f..d67a40c 100644 --- a/manifests/profile/base/neutron/server.pp +++ b/manifests/profile/base/neutron/server.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*l3_ha_override*] # (Optional) Override the calculated value for neutron::server::l3_ha # by default this is calculated to enable when DVR is not enabled @@ -95,7 +87,6 @@ class tripleo::profile::base::neutron::server ( $certificates_specs = hiera('apache_certificates_specs', {}), $dvr_enabled = hiera('neutron::server::router_distributed', false), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $l3_ha_override = '', $l3_nodes = hiera('neutron_l3_short_node_names', []), $neutron_network = hiera('neutron_api_network', undef), @@ -104,10 +95,6 @@ class tripleo::profile::base::neutron::server ( $tls_proxy_fqdn = undef, $tls_proxy_port = 9696, ) { - if $enable_internal_tls and $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if $::hostname == downcase($bootstrap_node) { $sync_db = true } else { diff --git a/manifests/profile/base/neutron/sriov.pp b/manifests/profile/base/neutron/sriov.pp index 00ecc21..24c7b63 100644 --- a/manifests/profile/base/neutron/sriov.pp +++ b/manifests/profile/base/neutron/sriov.pp @@ -33,6 +33,8 @@ class tripleo::profile::base::neutron::sriov( $mechanism_drivers = hiera('neutron::plugins::ml2::mechanism_drivers'), ) { + include ::tripleo::profile::base::neutron + if $step >= 4 { if 'sriovnicswitch' in $mechanism_drivers { include ::neutron::agents::ml2::sriov diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 36425f6..ab9b615 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -82,6 +82,15 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # +# [*migration_ssh_key*] +# (Optional) SSH key pair for migration SSH tunnel. +# Expects a hash with keys 'private_key' and 'public_key'. +# Defaults to {} +# +# [*libvirt_tls*] +# (Optional) Whether or not libvird TLS service is enabled. +# Defaults to false + class tripleo::profile::base::nova ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $libvirt_enabled = false, @@ -99,6 +108,8 @@ class tripleo::profile::base::nova ( $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), $nova_compute_enabled = false, $step = hiera('step'), + $migration_ssh_key = {}, + $libvirt_tls = false ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -114,7 +125,62 @@ class tripleo::profile::base::nova ( if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) - class { '::nova' : + include ::nova::config + class { '::nova::cache': + enabled => true, + backend => 'oslo_cache.memcache_pool', + memcache_servers => $memcache_servers, + } + include ::nova::placement + + if $step >= 4 and $manage_migration { + + # Libvirt setup (live-migration) + if $libvirt_tls { + class { '::nova::migration::libvirt': + transport => 'tls', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + } + } else { + # Reuse the cold-migration SSH tunnel when TLS is not enabled + class { '::nova::migration::libvirt': + transport => 'ssh', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + client_user => 'nova', + client_extraparams => {'keyfile' => '/var/lib/nova/.ssh/id_rsa'} + } + } + + if $migration_ssh_key != {} { + # Nova SSH tunnel setup (cold-migration) + + #TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands + user { 'nova': + ensure => present, + shell => '/bin/bash', + } + + $private_key_parts = split($migration_ssh_key['public_key'], ' ') + $nova_public_key = { + type => $private_key_parts[0], + key => $private_key_parts[1] + } + $nova_private_key = { + type => $private_key_parts[0], + key => $migration_ssh_key['private_key'] + } + } else { + $nova_public_key = undef + $nova_private_key = undef + } + } else { + $nova_public_key = undef + $nova_private_key = undef + } + + class { '::nova': default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, @@ -131,23 +197,8 @@ class tripleo::profile::base::nova ( 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, }), + nova_public_key => $nova_public_key, + nova_private_key => $nova_private_key, } - include ::nova::config - class { '::nova::cache': - enabled => true, - backend => 'oslo_cache.memcache_pool', - memcache_servers => $memcache_servers, - } - include ::nova::placement } - - if $step >= 4 { - if $manage_migration { - class { '::nova::migration::libvirt': - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, - } - } - } - } diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index cda2b66..95a1721 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -36,14 +36,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*nova_api_network*] # (Optional) The network name where the nova API endpoint is listening on. # This is set by t-h-t. @@ -63,7 +55,6 @@ class tripleo::profile::base::nova::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $nova_api_network = hiera('nova_api_network', undef), $nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false), $step = hiera('step'), @@ -93,10 +84,6 @@ class tripleo::profile::base::nova::api ( # https://bugs.launchpad.net/nova/+bug/1661360 if $nova_api_wsgi_enabled { if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$nova_api_network { fail('nova_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index 0eb2ed7..84b8bd5 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -48,10 +48,12 @@ class tripleo::profile::base::nova::compute ( # When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique # https://bugzilla.redhat.com/show_bug.cgi?id=1244328 + ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' }) exec { 'reset-iscsi-initiator-name': command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi', onlyif => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset', before => File['/etc/iscsi/.initiator_reset'], + require => Package['iscsi-initiator-utils'], } file { '/etc/iscsi/.initiator_reset': ensure => present, diff --git a/manifests/profile/base/nova/ec2api.pp b/manifests/profile/base/nova/ec2api.pp index f34b071..f8817d2 100644 --- a/manifests/profile/base/nova/ec2api.pp +++ b/manifests/profile/base/nova/ec2api.pp @@ -31,5 +31,6 @@ class tripleo::profile::base::nova::ec2api ( include ::ec2api::api include ::ec2api::db::sync include ::ec2api::metadata + include ::ec2api::keystone::authtoken } } diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp index 46658b8..16bfe17 100644 --- a/manifests/profile/base/nova/placement.pp +++ b/manifests/profile/base/nova/placement.pp @@ -36,14 +36,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*nova_placement_network*] # (Optional) The network name where the nova placement endpoint is listening on. # This is set by t-h-t. @@ -58,7 +50,6 @@ class tripleo::profile::base::nova::placement ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $nova_placement_network = hiera('nova_placement_network', undef), $step = hiera('step'), ) { @@ -72,10 +63,6 @@ class tripleo::profile::base::nova::placement ( include ::tripleo::profile::base::nova::authtoken if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$nova_placement_network { fail('nova_placement_network is not set in the hieradata.') } diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index 6021731..c1d745a 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -55,6 +55,14 @@ # (Optional) Number of seconds to sleep between remote creation tries # Defaults to hiera('pacemaker_remote_try_sleep', 60) # +# [*cluster_recheck_interval*] +# (Optional) Set the cluster-wide cluster-recheck-interval property +# If the hiera key does not exist or if it is set to undef, the property +# won't be changed from its default value when there are no pacemaker_remote +# nodes. In presence of pacemaker_remote nodes and an undef value it will +# be set to 60s. +# Defaults to hiera('pacemaker_cluster_recheck_interval', undef) +# class tripleo::profile::base::pacemaker ( $step = hiera('step'), $pcs_tries = hiera('pcs_tries', 20), @@ -65,6 +73,7 @@ class tripleo::profile::base::pacemaker ( $remote_monitor_interval = hiera('pacemaker_remote_monitor_interval', 20), $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), + $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -136,6 +145,22 @@ class tripleo::profile::base::pacemaker ( if $step >= 2 { if $pacemaker_master { include ::pacemaker::resource_defaults + # When we have a non-zero number of pacemaker remote nodes we + # want to set the cluster-recheck-interval property to something + # lower (unless the operator has explicitely set a value) + if count($remote_short_node_names) > 0 and $cluster_recheck_interval == undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => '60s', + tries => $pcs_tries, + } + } elsif $cluster_recheck_interval != undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => $cluster_recheck_interval, + tries => $pcs_tries, + } + } } } diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp index a6643ce..90e80a2 100644 --- a/manifests/profile/base/panko/api.pp +++ b/manifests/profile/base/panko/api.pp @@ -38,14 +38,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*panko_network*] # (Optional) The network name where the panko endpoint is listening on. # This is set by t-h-t. @@ -60,7 +52,6 @@ class tripleo::profile::base::panko::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $panko_network = hiera('panko_api_network', undef), $step = hiera('step'), ) { @@ -73,10 +64,6 @@ class tripleo::profile::base::panko::api ( include ::tripleo::profile::base::panko if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$panko_network { fail('panko_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/qdr.pp b/manifests/profile/base/qdr.pp new file mode 100644 index 0000000..9827f2e --- /dev/null +++ b/manifests/profile/base/qdr.pp @@ -0,0 +1,54 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::qdr +# +# Qpid dispatch router profile for tripleo +# +# === Parameters +# +# [*qdr_username*] +# Username for the qrouter daemon +# Defaults to undef +# +# [*qdr_password*] +# Password for the qrouter daemon +# Defaults to undef +# +# [*qdr_listener_port*] +# Port for the listener (not that we do not use qdr::listener_port +# directly because it requires a string and we have a number. +# Defaults to hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672) +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::qdr ( + $qdr_username = undef, + $qdr_password = undef, + $qdr_listener_port = hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672), + $step = hiera('step'), +) { + if $step >= 1 { + class { '::qdr': + listener_port => "${qdr_listener_port}", + } -> + qdr_user { $qdr_username: + ensure => present, + password => $qdr_password, + } + } +} diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index b04d721..8551f19 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -42,12 +42,6 @@ # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_environment'). # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# MySQL. This could be as many as specified by the $certificates_specs -# variable. -# Defaults to hiera('generate_service_certificate', false). -# # [*inet_dist_interface*] # (Optional) Address to bind the inter-cluster interface # to. It is the inet_dist_use_interface option in the kernel variables @@ -87,7 +81,6 @@ class tripleo::profile::base::rabbitmq ( $config_variables = hiera('rabbitmq_config_variables'), $enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t $environment = hiera('rabbitmq_environment'), - $generate_service_certificates = hiera('generate_service_certificates', false), $inet_dist_interface = hiera('rabbitmq::interface', undef), $ipv6 = str2bool(hiera('rabbit_ipv6', false)), $kernel_variables = hiera('rabbitmq_kernel_variables'), @@ -98,9 +91,6 @@ class tripleo::profile::base::rabbitmq ( $step = hiera('step'), ) { if $enable_internal_tls { - if $generate_service_certificates { - ensure_resource('class', 'tripleo::certmonger::rabbitmq', $certificate_specs) - } $tls_certfile = $certificate_specs['service_certificate'] $tls_keyfile = $certificate_specs['service_key'] } else { @@ -120,7 +110,7 @@ class tripleo::profile::base::rabbitmq ( if $inet_dist_interface { $real_kernel_variables = merge( $kernel_variables, - { 'inet_dist_use_interface' => ip_to_erl_format($inet_dist_interface) }, + { 'inet_dist_use_interface' => ip_to_erl_format($inet_dist_interface) } ) } else { $real_kernel_variables = $kernel_variables @@ -160,6 +150,9 @@ class tripleo::profile::base::rabbitmq ( ssl_key => $tls_keyfile, } } + } + + if $step >= 2 { # In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency # to Service['rabbitmq-server'] will not work. Sticking with UPDATE action. if $stack_action == 'UPDATE' { diff --git a/manifests/profile/base/securetty.pp b/manifests/profile/base/securetty.pp new file mode 100644 index 0000000..07f29f8 --- /dev/null +++ b/manifests/profile/base/securetty.pp @@ -0,0 +1,48 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::securetty +# +# Sets securetty Parameters +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*tty_list*] +# Hash of values for /etc/securetty console +# Defaults to hiera('securetty::tty_list') +# +class tripleo::profile::base::securetty ( + $step = hiera('step'), + $tty_list = hiera('tty_list', []), +) { + validate_array($tty_list) + + if $step >=1 { + $ttys = join($tty_list, "\n") + + file { '/etc/securetty': + ensure => file, + content => template( 'tripleo/securetty/securetty.erb' ), + owner => 'root', + group => 'root', + mode => '0600' + } + } +} diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp index e7916c1..2b86032 100644 --- a/manifests/profile/base/sshd.pp +++ b/manifests/profile/base/sshd.pp @@ -15,47 +15,45 @@ # # == Class: tripleo::profile::base::sshd # -# SSH profile for tripleo +# SSH composable service for TripleO # # === Parameters # # [*bannertext*] -# The text used within SSH Banner +# The text used within /etc/issue and /etc/issue.net # Defaults to hiera('BannerText') # +# [*motd*] +# The text used within SSH Banner +# Defaults to hiera('MOTD') +# class tripleo::profile::base::sshd ( $bannertext = hiera('BannerText', undef), + $motd = hiera('MOTD', undef), ) { - if $bannertext { - $action = 'set' - } else { - $action = 'rm' - } - - package {'openssh-server': - ensure => installed, - } + include ::ssh::server - augeas { 'sshd_config_banner': - context => '/files/etc/ssh/sshd_config', - changes => [ "${action} Banner /etc/issue" ], - notify => Service['sshd'] - } - - file { '/etc/issue': - ensure => file, - backup => false, - content => $bannertext, - owner => 'root', - group => 'root', - mode => '0600' + if $bannertext { + $filelist = [ '/etc/issue', '/etc/issue.net', ] + file { $filelist: + ensure => file, + backup => false, + content => $bannertext, + owner => 'root', + group => 'root', + mode => '0644' + } } - service { 'sshd': - ensure => 'running', - enable => true, - hasstatus => false, - require => Package['openssh-server'], + if $motd { + file { '/etc/motd': + ensure => file, + backup => false, + content => $motd, + owner => 'root', + group => 'root', + mode => '0644' + } } } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 0d9ba68..e80c8c9 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -46,6 +46,22 @@ # Username for messaging nova queue # Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*memcache_port*] # (Optional) memcache port # Defaults to 11211 @@ -59,6 +75,26 @@ # for more details. # Defaults to hiera('step') # +# [*swift_proxy_network*] +# (Optional) The network name where the swift proxy endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('swift_proxy_network', undef) +# +# [*tls_proxy_bind_ip*] +# IP on which the TLS proxy will listen on. Required only if +# enable_internal_tls is set. +# Defaults to undef +# +# [*tls_proxy_fqdn*] +# fqdn on which the tls proxy will listen on. required only used if +# enable_internal_tls is set. +# defaults to undef +# +# [*tls_proxy_port*] +# port on which the tls proxy will listen on. Only used if +# enable_internal_tls is set. +# defaults to 8080 +# class tripleo::profile::base::swift::proxy ( $ceilometer_enabled = true, $ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'), @@ -67,11 +103,33 @@ class tripleo::profile::base::swift::proxy ( $ceilometer_messaging_port = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'), $ceilometer_messaging_use_ssl = '0', $ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), $memcache_port = 11211, $memcache_servers = hiera('memcached_node_ips'), $step = hiera('step'), + $swift_proxy_network = hiera('swift_proxy_network', undef), + $tls_proxy_bind_ip = undef, + $tls_proxy_fqdn = undef, + $tls_proxy_port = 8080, ) { if $step >= 4 { + if $enable_internal_tls { + if !$swift_proxy_network { + fail('swift_proxy_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key'] + + ::tripleo::tls_proxy { 'swift-proxy-api': + servername => $tls_proxy_fqdn, + ip => $tls_proxy_bind_ip, + port => $tls_proxy_port, + tls_cert => $tls_certfile, + tls_key => $tls_keyfile, + notify => Class['::neutron::server'], + } + } $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") include ::swift::config include ::swift::proxy diff --git a/manifests/profile/base/swift/ringbuilder.pp b/manifests/profile/base/swift/ringbuilder.pp index 7e5fc74..f7cfea4 100644 --- a/manifests/profile/base/swift/ringbuilder.pp +++ b/manifests/profile/base/swift/ringbuilder.pp @@ -63,6 +63,12 @@ # Minimum amount of time before partitions can be moved. # Defaults to undef # +# [*swift_ring_get_tempurl*] +# GET tempurl to fetch Swift rings from +# +# [*swift_ring_put_tempurl*] +# PUT tempurl to upload Swift rings to +# class tripleo::profile::base::swift::ringbuilder ( $replicas, $build_ring = true, @@ -74,7 +80,23 @@ class tripleo::profile::base::swift::ringbuilder ( $swift_storage_node_ips = hiera('swift_storage_node_ips', []), $part_power = undef, $min_part_hours = undef, + $swift_ring_get_tempurl = hiera('swift_ring_get_tempurl', ''), + $swift_ring_put_tempurl = hiera('swift_ring_put_tempurl', ''), ) { + + if $step == 2 and $swift_ring_get_tempurl != '' { + exec{'fetch_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent '${swift_ring_get_tempurl}' -o /tmp/swift-rings.tar.gz", + returns => [0, 3] + } ~> + exec{'extract_swift_ring_tarball': + path => ['/bin'], + command => 'tar xzf /tmp/swift-rings.tar.gz -C /', + returns => [0, 2] + } + } + if $step >= 2 { # pre-install swift here so we can build rings include ::swift @@ -112,4 +134,18 @@ class tripleo::profile::base::swift::ringbuilder ( Ring_object_device<| |> ~> Exec['rebalance_container'] } } + + if $step == 5 and $build_ring and $swift_ring_put_tempurl != '' { + exec{'create_swift_ring_tarball': + path => ['/bin', '/usr/bin'], + command => 'tar cvzf /tmp/swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/', + unless => 'swift-recon --md5 | grep -q "doesn\'t match"' + } ~> + exec{'upload_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent -X PUT '${$swift_ring_put_tempurl}' --data-binary @/tmp/swift-rings.tar.gz", + require => Exec['create_swift_ring_tarball'], + refreshonly => true, + } + } } diff --git a/manifests/profile/base/tuned.pp b/manifests/profile/base/tuned.pp new file mode 100644 index 0000000..8dfcea0 --- /dev/null +++ b/manifests/profile/base/tuned.pp @@ -0,0 +1,20 @@ +# == Class: tripleo::profile::base::tuned +# +# Configures tuned service. +# +# === Parameters: +# +# [*profile*] +# (optional) tuned active profile. +# Defaults to 'throughput-performance' +# +# +class tripleo::profile::base::tuned ( + $profile = 'throughput-performance' +) { + exec { 'tuned-adm': + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "tuned-adm profile ${profile}", + unless => "tuned-adm active | grep -q '${profile}'" + } +} diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp index bc5e644..031e80c 100644 --- a/manifests/profile/pacemaker/database/mysql.pp +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -120,7 +120,7 @@ class tripleo::profile::pacemaker::database::mysql ( if $step >= 1 and $pacemaker_master and hiera('stack_action') == 'UPDATE' { tripleo::pacemaker::resource_restart_flag { 'galera-master': subscribe => File['mysql-config-file'], - } + } ~> Exec<| title == 'galera-ready' |> } if $step >= 2 { @@ -145,7 +145,7 @@ class tripleo::profile::pacemaker::database::mysql ( }, require => [Class['::mysql::server'], Pacemaker::Property['galera-role-node-property']], - before => Exec['galera-ready'], + notify => Exec['galera-ready'], } exec { 'galera-ready' : command => '/usr/bin/clustercheck >/dev/null', @@ -153,6 +153,7 @@ class tripleo::profile::pacemaker::database::mysql ( tries => 180, try_sleep => 10, environment => ['AVAILABLE_WHEN_READONLY=0'], + refreshonly => true, require => Exec['create-root-sysconfig-clustercheck'], } # We add a clustercheck db user and we will switch /etc/sysconfig/clustercheck diff --git a/manifests/ui.pp b/manifests/ui.pp index d51ef2e..b2ed178 100644 --- a/manifests/ui.pp +++ b/manifests/ui.pp @@ -33,8 +33,16 @@ # # [*enabled_languages*] # Which languages to show in the UI. -# An array. -# Defaults to ['en-GB', 'en', 'de', 'ja', 'ko-KR', 'zh-CN', 'es'] +# A hash. +# Defaults to +# { +# 'de' => 'German', +# 'en' => 'English', +# 'es' => 'Spanish', +# 'ja' => 'Japanese', +# 'ko-KR' => 'Korean', +# 'zh-CN' => 'Simplified Chinese' +# } # # [*endpoint_proxy_keystone*] # The keystone proxy endpoint url @@ -94,7 +102,14 @@ class tripleo::ui ( $bind_host = hiera('controller_host'), $ui_port = 3000, $zaqar_default_queue = 'tripleo', - $enabled_languages = ['en-GB', 'en', 'de', 'ja', 'ko-KR', 'zh-CN', 'es'], + $enabled_languages = { + 'de' => 'German', + 'en' => 'English', + 'es' => 'Spanish', + 'ja' => 'Japanese', + 'ko-KR' => 'Korean', + 'zh-CN' => 'Simplified Chinese' + }, $endpoint_proxy_zaqar = undef, $endpoint_proxy_keystone = undef, $endpoint_proxy_heat = undef, diff --git a/releasenotes/notes/add-bagpipe-driver-9163f5b22096fde0.yaml b/releasenotes/notes/add-bagpipe-driver-9163f5b22096fde0.yaml new file mode 100644 index 0000000..df6b232 --- /dev/null +++ b/releasenotes/notes/add-bagpipe-driver-9163f5b22096fde0.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for Bagpipe Neutron driver as backend in BGPVPN scenarios diff --git a/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml b/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml new file mode 100644 index 0000000..0fb9271 --- /dev/null +++ b/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml @@ -0,0 +1,5 @@ +--- +features: + - Add keystone::ldap_backend call as resource when is trigged to setup a LDAP + backend as keystone domain. This allows per-domain LDAP backends for + keystone. diff --git a/releasenotes/notes/add-octavia-auth-to-keystone-d0353544c0e27b57.yaml b/releasenotes/notes/add-octavia-auth-to-keystone-d0353544c0e27b57.yaml new file mode 100644 index 0000000..f2836d5 --- /dev/null +++ b/releasenotes/notes/add-octavia-auth-to-keystone-d0353544c0e27b57.yaml @@ -0,0 +1,3 @@ +--- +fixes: + - Octavia is now properly registered with keystone when deployed. diff --git a/releasenotes/notes/add-support-for-pure-cinder-d45e6aaf3e243c91.yaml b/releasenotes/notes/add-support-for-pure-cinder-d45e6aaf3e243c91.yaml new file mode 100644 index 0000000..da326e4 --- /dev/null +++ b/releasenotes/notes/add-support-for-pure-cinder-d45e6aaf3e243c91.yaml @@ -0,0 +1,3 @@ +--- +features: + - Added Pure Storage FlashArray iSCSI and FC backend support for cinder diff --git a/releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml b/releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml new file mode 100644 index 0000000..a1a04c1 --- /dev/null +++ b/releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Add a tunnel timeout to the HAProxy tripleo-ui configuration to ensure + Zaqar WebSocket tunnels persist longer than two minutes + https://bugs.launchpad.net/tripleo/+bug/1672826 diff --git a/releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml b/releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml new file mode 100644 index 0000000..00b7799 --- /dev/null +++ b/releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml @@ -0,0 +1,4 @@ +--- +features: + - Configure ssh tunneling for nova cold-migration. Re-use the tunnel for + libvirt live-migration unless TLS is enabled. diff --git a/releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml b/releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml new file mode 100644 index 0000000..07407f2 --- /dev/null +++ b/releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - We need ceilometer user in cases where ceilometer API is disabled. + This is to ensure other ceilometer services can still authenticate + with keystone. diff --git a/releasenotes/notes/enable-support-for-external-swift-proxy-f12c99b34516a023.yaml b/releasenotes/notes/enable-support-for-external-swift-proxy-f12c99b34516a023.yaml new file mode 100644 index 0000000..83b05bb --- /dev/null +++ b/releasenotes/notes/enable-support-for-external-swift-proxy-f12c99b34516a023.yaml @@ -0,0 +1,5 @@ +--- +features: + - Added support for external swift proxy. Users may need to + configure endpoints pointing to swift proxy service + already available. diff --git a/releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml b/releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml new file mode 100644 index 0000000..5c200dd --- /dev/null +++ b/releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes horizon getting temporarily deconfigured during a stack update due + to the apache configuration occuring in step 3 but the horizon + configuration not occuring until step 4. diff --git a/releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml b/releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml new file mode 100644 index 0000000..012a16c --- /dev/null +++ b/releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml @@ -0,0 +1,3 @@ +--- +fixes: + - Fixes missing neutron base class in sriov diff --git a/releasenotes/notes/heat_api_timeout-cbb01242534cec79.yaml b/releasenotes/notes/heat_api_timeout-cbb01242534cec79.yaml new file mode 100644 index 0000000..a3b7d91 --- /dev/null +++ b/releasenotes/notes/heat_api_timeout-cbb01242534cec79.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - For Heat API, increase the HAproxy timeout from 2 minutes to 10 minutes so + we give a chance to Heat to use the rpc_response_timeout value which is set + to 600 by default in TripleO. diff --git a/releasenotes/notes/ironic-ssh-removal-e5f40b477cf7357c.yaml b/releasenotes/notes/ironic-ssh-removal-e5f40b477cf7357c.yaml new file mode 100644 index 0000000..206ed12 --- /dev/null +++ b/releasenotes/notes/ironic-ssh-removal-e5f40b477cf7357c.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Out-of-box support for Ironic ``*_ssh`` drivers was removed. These drivers + were deprecated in the Newton release. diff --git a/releasenotes/notes/l2gw_agent_support-2bc24b539da738a8.yaml b/releasenotes/notes/l2gw_agent_support-2bc24b539da738a8.yaml new file mode 100644 index 0000000..66e8f35 --- /dev/null +++ b/releasenotes/notes/l2gw_agent_support-2bc24b539da738a8.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for l2 gateway Neutron agent support. diff --git a/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml b/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml new file mode 100644 index 0000000..694f492 --- /dev/null +++ b/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for l2 gateway Neutron service plugin. diff --git a/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml b/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml new file mode 100644 index 0000000..b6f211c --- /dev/null +++ b/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml @@ -0,0 +1,4 @@ +--- +features: + - Include the amqp messaging class when the oslo.messaging rpc + protocol is enabled for AMQP 1.0. diff --git a/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml new file mode 100644 index 0000000..0857f63 --- /dev/null +++ b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - The rabbitmq user check is moved to step >= 2 from step >= 1. There + is no guarantee that rabbitmq is running at step 1, especially if + updating a failed stack that never made it past step 1 to begin + with. diff --git a/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml b/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml new file mode 100644 index 0000000..c354431 --- /dev/null +++ b/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - Re-run gnocchi and ceilometer upgrade in step5. This is required + for gnocchi resource types to be created in ceilometer and gnocchi + to function properly. diff --git a/releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml b/releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml new file mode 100644 index 0000000..1186bb9 --- /dev/null +++ b/releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - Add a way for mongodb to limit amount of memory it comsumes + with systemd. A new param memory_limit has been added to + tripleo::profile::base::database::mongodb class with + default limit of 20G. diff --git a/releasenotes/notes/securetty-6a10eefd601e45ca.yaml b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml new file mode 100644 index 0000000..e5cfcf5 --- /dev/null +++ b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Allows granular level of control over the `/etc/securetty` file. + By allowing operators to specify the values in securetty, they + can improve security by limiting root console access. diff --git a/releasenotes/notes/sshd-437c531301f458bb.yaml b/releasenotes/notes/sshd-437c531301f458bb.yaml index 0086cb0..5997289 100644 --- a/releasenotes/notes/sshd-437c531301f458bb.yaml +++ b/releasenotes/notes/sshd-437c531301f458bb.yaml @@ -1,3 +1,5 @@ --- features: - - Added manifest and template to enable configuration of sshd_config + - Added /etc/issue & /etc/issue.net parameters + - Added MOTD banner parameters + - Added external module saz-ssh to allow management of sshd_config diff --git a/releasenotes/notes/vpp-ml2-9c1321fa30f3b172.yaml b/releasenotes/notes/vpp-ml2-9c1321fa30f3b172.yaml new file mode 100644 index 0000000..2f8ae14 --- /dev/null +++ b/releasenotes/notes/vpp-ml2-9c1321fa30f3b172.yaml @@ -0,0 +1,3 @@ +--- +features: + - Adds support for networking-vpp ML2 mechanism driver and agent. diff --git a/spec/classes/tripleo_profile_base_aodh_api_spec.rb b/spec/classes/tripleo_profile_base_aodh_api_spec.rb index f2a26bf..a82cf49 100644 --- a/spec/classes/tripleo_profile_base_aodh_api_spec.rb +++ b/spec/classes/tripleo_profile_base_aodh_api_spec.rb @@ -22,8 +22,8 @@ describe 'tripleo::profile::base::aodh::api' do "class { '::tripleo::profile::base::aodh': step => #{params[:step]}, oslomsg_rpc_hosts => ['localhost.localdomain'] }" end - context 'with step less than 4' do - let(:params) { { :step => 3 } } + context 'with step less than 3' do + let(:params) { { :step => 2 } } it 'should do nothing' do is_expected.to contain_class('tripleo::profile::base::aodh::api') @@ -33,9 +33,9 @@ describe 'tripleo::profile::base::aodh::api' do end end - context 'with step 4' do + context 'with step 3' do let(:params) { { - :step => 4, + :step => 3, } } it 'should trigger complete configuration' do diff --git a/spec/classes/tripleo_profile_base_ceilometer_api_spec.rb b/spec/classes/tripleo_profile_base_ceilometer_api_spec.rb index 936df4f..cec2b54 100644 --- a/spec/classes/tripleo_profile_base_ceilometer_api_spec.rb +++ b/spec/classes/tripleo_profile_base_ceilometer_api_spec.rb @@ -22,8 +22,8 @@ describe 'tripleo::profile::base::ceilometer::api' do "class { '::tripleo::profile::base::ceilometer': step => #{params[:step]}, oslomsg_rpc_hosts => ['localhost.localdomain'] }" end - context 'with step less than 4' do - let(:params) { { :step => 3 } } + context 'with step less than 2' do + let(:params) { { :step => 2 } } it 'should do nothing' do is_expected.to contain_class('tripleo::profile::base::ceilometer::api') @@ -32,9 +32,9 @@ describe 'tripleo::profile::base::ceilometer::api' do end end - context 'with step 4' do + context 'with step 3' do let(:params) { { - :step => 4, + :step => 3, } } it 'should trigger complete configuration' do diff --git a/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb b/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb index 23b198a..0f9aad7 100644 --- a/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb +++ b/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb @@ -128,6 +128,32 @@ describe 'tripleo::profile::base::ceilometer::collector' do is_expected.to contain_class('ceilometer::dispatcher::gnocchi') end end + + context 'with step 5 on bootstrap node' do + let(:params) { { + :step => 5, + :bootstrap_node => 'node.example.com', + :mongodb_node_ips => ['127.0.0.1',], + :mongodb_replset => 'replicaset' + } } + + it 'should trigger complete configuration' do + is_expected.to contain_exec('ceilometer-db-upgrade') + end + end + + context 'with step 5 not on bootstrap node' do + let(:params) { { + :step => 5, + :bootstrap_node => 'somethingelse.example.com', + :mongodb_node_ips => ['127.0.0.1',], + :mongodb_replset => 'replicaset' + } } + + it 'should trigger complete configuration' do + is_expected.to_not contain_exec('ceilometer-db-upgrade') + end + end end diff --git a/spec/classes/tripleo_profile_base_cinder_volume_pure_spec.rb b/spec/classes/tripleo_profile_base_cinder_volume_pure_spec.rb new file mode 100644 index 0000000..fa03dac --- /dev/null +++ b/spec/classes/tripleo_profile_base_cinder_volume_pure_spec.rb @@ -0,0 +1,58 @@ +# +# Copyright (C) 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::cinder::volume::pure' do + shared_examples_for 'tripleo::profile::base::cinder::volume::pure' do + before :each do + facts.merge!({ :step => params[:step] }) + end + + context 'with step less than 4' do + let(:params) { { :step => 3 } } + + it 'should do nothing' do + is_expected.to contain_class('tripleo::profile::base::cinder::volume::pure') + is_expected.to contain_class('tripleo::profile::base::cinder::volume') + is_expected.to contain_class('tripleo::profile::base::cinder') + is_expected.to_not contain_cinder__backend__pure('tripleo_pure') + end + end + + context 'with step 4' do + let(:params) { { + :step => 4, + } } + + it 'should trigger complete configuration' do + # TODO(aschultz): check hiera parameters + is_expected.to contain_cinder__backend__pure('tripleo_pure') + end + end + end + + + on_supported_os.each do |os, facts| + context 'on #{os}' do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::cinder::volume::pure' + end + end +end diff --git a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb index 1542a49..aa3dd89 100644 --- a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb +++ b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb @@ -56,6 +56,25 @@ describe 'tripleo::profile::base::cinder::volume' do end end + context 'with only pure' do + before :each do + params.merge!({ + :cinder_enable_pure_backend => true, + :cinder_enable_iscsi_backend => false, + }) + end + it 'should configure only pure' do + is_expected.to contain_class('tripleo::profile::base::cinder::volume::pure') + is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::iscsi') + is_expected.to contain_class('tripleo::profile::base::cinder::volume') + is_expected.to contain_class('tripleo::profile::base::cinder') + is_expected.to contain_class('cinder::volume') + is_expected.to contain_class('cinder::backends').with( + :enabled_backends => ['tripleo_pure'] + ) + end + end + context 'with only dellsc' do before :each do params.merge!({ @@ -116,8 +135,8 @@ describe 'tripleo::profile::base::cinder::volume' do context 'with only nfs' do before :each do params.merge!({ - :cinder_enable_nfs_backend => true, - :cinder_enable_iscsi_backend => false, + :cinder_enable_nfs_backend => true, + :cinder_enable_iscsi_backend => false, }) end it 'should configure only nfs' do @@ -135,8 +154,8 @@ describe 'tripleo::profile::base::cinder::volume' do context 'with only rbd' do before :each do params.merge!({ - :cinder_enable_rbd_backend => true, - :cinder_enable_iscsi_backend => false, + :cinder_enable_rbd_backend => true, + :cinder_enable_iscsi_backend => false, }) end it 'should configure only ceph' do @@ -160,6 +179,7 @@ describe 'tripleo::profile::base::cinder::volume' do end it 'should configure only user backend' do is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::iscsi') + is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::pure') is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::dellsc') is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::dellps') is_expected.to_not contain_class('tripleo::profile::base::cinder::volume::netapp') @@ -177,16 +197,18 @@ describe 'tripleo::profile::base::cinder::volume' do context 'with all tripleo backends' do before :each do params.merge!({ + :cinder_enable_nfs_backend => true, + :cinder_enable_rbd_backend => true, :cinder_enable_iscsi_backend => true, + :cinder_enable_pure_backend => true, :cinder_enable_dellsc_backend => true, :cinder_enable_dellps_backend => true, :cinder_enable_netapp_backend => true, - :cinder_enable_nfs_backend => true, - :cinder_enable_rbd_backend => true, }) end it 'should configure all backends' do is_expected.to contain_class('tripleo::profile::base::cinder::volume::iscsi') + is_expected.to contain_class('tripleo::profile::base::cinder::volume::pure') is_expected.to contain_class('tripleo::profile::base::cinder::volume::dellsc') is_expected.to contain_class('tripleo::profile::base::cinder::volume::dellps') is_expected.to contain_class('tripleo::profile::base::cinder::volume::netapp') @@ -196,7 +218,7 @@ describe 'tripleo::profile::base::cinder::volume' do is_expected.to contain_class('tripleo::profile::base::cinder') is_expected.to contain_class('cinder::volume') is_expected.to contain_class('cinder::backends').with( - :enabled_backends => ['tripleo_iscsi', 'tripleo_ceph', 'tripleo_dellps', + :enabled_backends => ['tripleo_iscsi', 'tripleo_ceph', 'tripleo_pure', 'tripleo_dellps', 'tripleo_dellsc', 'tripleo_netapp','tripleo_nfs'] ) end @@ -206,7 +228,7 @@ describe 'tripleo::profile::base::cinder::volume' do on_supported_os.each do |os, facts| - context "on #{os}" do + context 'on #{os}' do let(:facts) do facts.merge({ :hostname => 'node.example.com' }) end diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb index 587cc29..b52fe24 100644 --- a/spec/classes/tripleo_profile_base_docker_spec.rb +++ b/spec/classes/tripleo_profile_base_docker_spec.rb @@ -54,6 +54,21 @@ describe 'tripleo::profile::base::docker' do it_raises 'a Puppet::Error', /You must provide a \$docker_namespace in order to configure insecure registry/ end + + context 'with step 1 and registry_mirror configured' do + let(:params) { { + :registry_mirror => 'http://foo/bar', + :step => 1, + } } + + it { is_expected.to contain_class('tripleo::profile::base::docker') } + it { is_expected.to contain_package('docker') } + it { is_expected.to contain_service('docker') } + it { + is_expected.to contain_augeas('docker-daemon.json').with_changes(['set dict/entry[. = "registry-mirrors"] "registry-mirrors', "set dict/entry[. = \"registry-mirrors\"]/array/string \"http://foo/bar\""]) + } + end + end on_supported_os.each do |os, facts| diff --git a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb new file mode 100644 index 0000000..805a28e --- /dev/null +++ b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb @@ -0,0 +1,101 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::gnocchi::api' do + shared_examples_for 'tripleo::profile::base::gnocchi::api' do + let(:pre_condition) do + "class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }" + end + + context 'with step less than 3' do + let(:params) { { :step => 2 } } + + it { + is_expected.to contain_class('tripleo::profile::base::gnocchi::api') + is_expected.to_not contain_class('gnocchi::api') + is_expected.to_not contain_class('gnocchi::wsgi::apache') + } + end + + context 'with step 3 on bootstrap' do + let(:params) { { + :step => 3, + :bootstrap_node => 'node.example.com', + } } + + it { + is_expected.to contain_class('gnocchi::db::sync') + is_expected.to contain_class('gnocchi::api') + is_expected.to contain_class('gnocchi::wsgi::apache') + } + end + + context 'with step 3' do + let(:params) { { + :step => 3, + } } + + it { + is_expected.to_not contain_class('gnocchi::db::sync') + is_expected.to contain_class('gnocchi::api') + is_expected.to contain_class('gnocchi::wsgi::apache') + } + end + + # TODO(aschultz): fix profile class to not include hiera look ups in the + # step 4 so we can properly test it + #context 'with step 4' do + # let(:params) { { + # :step => 4, + # } } + # + # it { + # is_expected.to contain_class('gnocchi::api') + # is_expected.to contain_class('gnocchi::wsgi::apache') + # is_expected.to contain_class('gnocchi::storage') + # } + #end + # + #context 'with step 5 on bootstrap' do + # let(:params) { { + # :step => 5, + # :bootstrap_node => 'node.example.com' + # } } + # + # it { + # is_expected.to contain_class('gnocchi::api') + # is_expected.to contain_class('gnocchi::wsgi::apache') + # is_expected.to contain_exec('run gnocchi upgrade with storage').with( + # :command => 'gnocchi-upgrade --config-file=/etc/gnocchi/gnocchi.conf', + # :path => ['/usr/bin', '/usr/sbin'] + # ) + # } + #end + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::gnocchi::api' + end + end +end diff --git a/spec/classes/tripleo_profile_base_horizon_spec.rb b/spec/classes/tripleo_profile_base_horizon_spec.rb new file mode 100644 index 0000000..fb076b8 --- /dev/null +++ b/spec/classes/tripleo_profile_base_horizon_spec.rb @@ -0,0 +1,57 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::horizon' do + shared_examples_for 'tripleo::profile::base::horizon' do + let(:pre_condition) do + "class { '::tripleo::profile::base::aodh': step => #{params[:step]}, oslomsg_rpc_hosts => ['localhost.localdomain'] }" + end + + context 'with step less than 3' do + let(:params) { { :step => 2 } } + + it 'should do nothing' do + is_expected.to contain_class('tripleo::profile::base::horizon') + is_expected.to_not contain_class('horizon') + end + end + + context 'with step 3' do + let(:params) { { + :step => 3, + } } + + it 'should trigger complete configuration' do + is_expected.to contain_class('horizon') + is_expected.to contain_class('apache::mod::remoteip') + is_expected.to contain_class('apache::mod::status') + end + end + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::horizon' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_compute_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_spec.rb index d052682..545a1fa 100644 --- a/spec/classes/tripleo_profile_base_nova_compute_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_compute_spec.rb @@ -27,6 +27,7 @@ describe 'tripleo::profile::base::nova::compute' do is_expected.to_not contain_class('tripleo::profile::base::nova') is_expected.to_not contain_class('nova::compute') is_expected.to_not contain_class('nova::network::neutron') + is_expected.to_not contain_package('iscsi-initiator-utils') is_expected.to_not contain_exec('reset-iscsi-initiator-name') is_expected.to_not contain_file('/etc/iscsi/.initiator_reset') } @@ -51,6 +52,7 @@ eos is_expected.to contain_class('tripleo::profile::base::nova') is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_package('iscsi-initiator-utils') is_expected.to contain_exec('reset-iscsi-initiator-name') is_expected.to contain_file('/etc/iscsi/.initiator_reset') is_expected.to_not contain_package('nfs-utils') @@ -66,6 +68,7 @@ eos is_expected.to contain_class('tripleo::profile::base::nova') is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_package('iscsi-initiator-utils') is_expected.to contain_exec('reset-iscsi-initiator-name') is_expected.to contain_file('/etc/iscsi/.initiator_reset') is_expected.to contain_package('nfs-utils') diff --git a/spec/classes/tripleo_profile_base_nova_placement_spec.rb b/spec/classes/tripleo_profile_base_nova_placement_spec.rb index 2a18320..04e032a 100644 --- a/spec/classes/tripleo_profile_base_nova_placement_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_placement_spec.rb @@ -49,7 +49,6 @@ eos let(:params) { { :step => 1, :enable_internal_tls => true, - :generate_service_certificates => true, :nova_placement_network => 'bar', :certificates_specs => { 'httpd-bar' => { @@ -63,7 +62,6 @@ eos it { is_expected.to contain_class('tripleo::profile::base::nova::placement') is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_tripleo__certmonger__httpd('httpd-bar') is_expected.to_not contain_class('nova::keystone::authtoken') is_expected.to_not contain_class('nova::wsgi::apache_placement') } @@ -87,7 +85,6 @@ eos let(:params) { { :step => 3, :enable_internal_tls => true, - :generate_service_certificates => false, :nova_placement_network => 'bar', :certificates_specs => { 'httpd-bar' => { @@ -102,7 +99,6 @@ eos it { is_expected.to contain_class('tripleo::profile::base::nova::placement') is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to_not contain_tripleo__certmonger__httpd('foo') is_expected.to contain_class('nova::keystone::authtoken') is_expected.to contain_class('nova::wsgi::apache_placement').with( :ssl_cert => '/foo.pem', diff --git a/spec/classes/tripleo_profile_base_nova_spec.rb b/spec/classes/tripleo_profile_base_nova_spec.rb index b5677cc..8f7bfdc 100644 --- a/spec/classes/tripleo_profile_base_nova_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_spec.rb @@ -85,7 +85,12 @@ describe 'tripleo::profile::base::nova' do it { is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) is_expected.to contain_class('nova::config') is_expected.to contain_class('nova::cache') is_expected.to contain_class('nova::placement') @@ -109,11 +114,120 @@ describe 'tripleo::profile::base::nova' do it { is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::placement') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + } + end + + context 'with step 4 with libvirt TLS' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :oslomsg_rpc_hosts => [ 'localhost' ], + :oslomsg_rpc_password => 'foo', + :libvirt_tls => true, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::placement') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled], + ) + } + end + + context 'with step 4 with libvirt and migration ssh key' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :oslomsg_rpc_hosts => [ 'localhost' ], + :oslomsg_rpc_password => 'foo', + :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => {'key' => 'bar', 'type' => 'ssh-rsa'}, + :nova_private_key => {'key' => 'foo', 'type' => 'ssh-rsa'} + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::placement') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + } + end + + context 'with step 4 with libvirt TLS and migration ssh key' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :oslomsg_rpc_hosts => [ 'localhost' ], + :oslomsg_rpc_password => 'foo', + :libvirt_tls => true, + :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => {'key' => 'bar', 'type' => 'ssh-rsa'}, + :nova_private_key => {'key' => 'foo', 'type' => 'ssh-rsa'} + ) is_expected.to contain_class('nova::config') is_expected.to contain_class('nova::placement') is_expected.to contain_class('nova::cache') is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', :configure_libvirt => params[:libvirt_enabled], :configure_nova => params[:nova_compute_enabled] ) diff --git a/spec/classes/tripleo_profile_base_securetty_spec.rb b/spec/classes/tripleo_profile_base_securetty_spec.rb new file mode 100644 index 0000000..c57d8be --- /dev/null +++ b/spec/classes/tripleo_profile_base_securetty_spec.rb @@ -0,0 +1,72 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo::profile::base::securetty +# + +require 'spec_helper' + +describe 'tripleo::profile::base::securetty' do + + shared_examples_for 'tripleo::profile::base::securetty' do + + context 'with defaults step 1' do + let(:params) {{ :step => 1 }} + it { is_expected.to contain_class('tripleo::profile::base::securetty') } + it { + is_expected.to contain_file('/etc/securetty').with( + :content => ["# Managed by Puppet / TripleO Heat Templates", + "# A list of TTYs, from which root can log in", + "# see `man securetty` for reference", + "", + ""].join("\n"), + :owner => 'root', + :group => 'root', + :mode => '0600') + } + end + + context 'it should configure securtty' do + let(:params) {{ + :step => 1, + :tty_list => ['console', 'tty1', 'tty2', 'tty3', 'tty4', 'tty5', 'tty6'] + }} + + it 'should configure securetty values' do + is_expected.to contain_file('/etc/securetty').with( + :owner => 'root', + :group => 'root', + :mode => '0600', + ) + .with_content(/console/) + .with_content(/tty1/) + .with_content(/tty2/) + .with_content(/tty3/) + .with_content(/tty4/) + .with_content(/tty5/) + .with_content(/tty6/) + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let (:facts) { + facts + } + it_behaves_like 'tripleo::profile::base::securetty' + end + end +end diff --git a/spec/classes/tripleo_profile_base_sshd_spec.rb b/spec/classes/tripleo_profile_base_sshd_spec.rb index 210b41c..e84a1f5 100644 --- a/spec/classes/tripleo_profile_base_sshd_spec.rb +++ b/spec/classes/tripleo_profile_base_sshd_spec.rb @@ -1,4 +1,4 @@ -# Copyright 2016 Red Hat, Inc. +# Copyright 2017 Red Hat, Inc. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -13,18 +13,64 @@ # License for the specific language governing permissions and limitations # under the License. # +# Unit tests for tripleo::profile::base::sshd +# require 'spec_helper' describe 'tripleo::profile::base::sshd' do - context 'with banner configured' do - it do - is_expected.to contain_file('/etc/issue').with({ - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0600', - }) + shared_examples_for 'tripleo::profile::base::sshd' do + + context 'it should do nothing' do + it do + is_expected.to contain_class('ssh::server') + is_expected.to_not contain_file('/etc/issue') + is_expected.to_not contain_file('/etc/issue.net') + is_expected.to_not contain_file('/etc/motd') + end + end + + context 'with issue and issue.net configured' do + let(:params) {{ :bannertext => 'foo' }} + it do + is_expected.to contain_file('/etc/issue').with({ + 'content' => 'foo', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + is_expected.to contain_file('/etc/issue.net').with({ + 'content' => 'foo', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + is_expected.to_not contain_file('/etc/motd') + end + end + + context 'with motd configured' do + let(:params) {{ :motd => 'foo' }} + it do + is_expected.to contain_file('/etc/motd').with({ + 'content' => 'foo', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + is_expected.to_not contain_file('/etc/issue') + is_expected.to_not contain_file('/etc/issue.net') + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let (:facts) { + facts + } + it_behaves_like 'tripleo::profile::base::sshd' end end end diff --git a/spec/classes/tripleo_profile_base_swift_ringbuilder.rb b/spec/classes/tripleo_profile_base_swift_ringbuilder.rb new file mode 100644 index 0000000..0139815 --- /dev/null +++ b/spec/classes/tripleo_profile_base_swift_ringbuilder.rb @@ -0,0 +1,65 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::swift::ringbuilder' do + shared_examples_for 'tripleo::profile::base::swift::ringbuilder' do + + let :pre_condition do + "class { '::swift': + swift_hash_path_prefix => 'foo', + }" + end + + context 'with step 2 and swift_ring_get_tempurl set' do + let(:params) { { + :step => 2, + :replicas => 1, + :swift_ring_get_tempurl=> 'http://something' + } } + + it 'should fetch and extract swift rings' do + is_expected.to contain_exec('fetch_swift_ring_tarball') + is_expected.to contain_exec('extract_swift_ring_tarball') + end + end + + context 'with step 5 and swift_ring_put_tempurl set' do + let(:params) { { + :step => 5, + :replicas => 1, + :swift_ring_put_tempurl=> 'http://something' + } } + + it 'should pack and upload swift rings' do + is_expected.to contain_exec('create_swift_ring_tarball') + is_expected.to contain_exec('upload_swift_ring_tarball') + end + end + + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({}) + end + + it_behaves_like 'tripleo::profile::base::swift::ringbuilder' + end + end +end diff --git a/spec/classes/tripleo_profile_base_tuned_spec.rb b/spec/classes/tripleo_profile_base_tuned_spec.rb new file mode 100644 index 0000000..95b0f26 --- /dev/null +++ b/spec/classes/tripleo_profile_base_tuned_spec.rb @@ -0,0 +1,44 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::tuned' do + + shared_examples_for 'tripleo::profile::base::tuned' do + context 'with profile' do + let :params do + { + :profile => 'virtual-compute' + } + end + + it 'should run tuned-adm exec' do + is_expected.to contain_exec('tuned-adm') + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) { + facts + } + + it_behaves_like 'tripleo::profile::base::tuned' + end + end +end diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index eadb444..16f39a5 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -28,6 +28,8 @@ ceph::profile::params::rgw_keystone_admin_password: 'keystone_admin_password' # cinder related items cinder::rabbit_password: 'password' cinder::keystone::authtoken::password: 'password' +# gnocchi related items +gnocchi::keystone::authtoken::password: 'password' # nova related items nova::rabbit_password: 'password' nova::keystone::authtoken::password: 'password' @@ -39,3 +41,4 @@ memcached_node_ips: - '127.0.0.1' # octavia related items octavia::rabbit_password: 'password' +horizon::secret_key: 'secrete' diff --git a/templates/securetty/securetty.erb b/templates/securetty/securetty.erb new file mode 100644 index 0000000..c8c7b90 --- /dev/null +++ b/templates/securetty/securetty.erb @@ -0,0 +1,4 @@ +# Managed by Puppet / TripleO Heat Templates +# A list of TTYs, from which root can log in +# see `man securetty` for reference +<%= @ttys %> diff --git a/templates/ui/tripleo_ui_config.js.erb b/templates/ui/tripleo_ui_config.js.erb index c984cc3..f179637 100644 --- a/templates/ui/tripleo_ui_config.js.erb +++ b/templates/ui/tripleo_ui_config.js.erb @@ -18,7 +18,7 @@ window.tripleOUiConfig = { // If you choose more than one language, a language switcher will appear in // the navigation bar. // Only 'en' (English) is enabled by default. - 'languages': ['<%= @enabled_languages.join("', '") %>'], + 'languages': <%= @enabled_languages.to_json %>, // Logging // 'loggers': ['console'] |