diff options
| -rw-r--r-- | README.md | 6 | ||||
| -rw-r--r-- | manifests/profile/base/database/mysql.pp | 22 | ||||
| -rw-r--r-- | manifests/profile/base/docker.pp | 4 | ||||
| -rw-r--r-- | manifests/profile/base/pacemaker.pp | 20 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/clustercheck.pp | 11 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/rabbitmq_bundle.pp | 128 | ||||
| -rw-r--r-- | releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml | 6 | ||||
| -rw-r--r-- | releasenotes/notes/innodb_buffer_pool_size-6fa946cf008a4606.yaml | 4 | ||||
| -rw-r--r-- | spec/classes/tripleo_profile_base_docker_spec.rb | 2 | ||||
| -rw-r--r-- | spec/classes/tripleo_profile_base_swift_proxy_spec.rb | 4 | ||||
| -rw-r--r-- | test-requirements.txt | 2 |
11 files changed, 136 insertions, 73 deletions
@@ -1,7 +1,7 @@ Team and repository tags ======================== -[](http://governance.openstack.org/reference/tags/index.html) +[](https://governance.openstack.org/tc/reference/tags/index.html) <!-- Change things from this point on --> @@ -15,5 +15,5 @@ Lightweight composition layer for Puppet TripleO. * Source: http://git.openstack.org/cgit/openstack/puppet-tripleo * Bugs: http://bugs.launchpad.net/tripleo (tag: puppet) * Documentation: - * TripleO: http://docs.openstack.org/developer/tripleo-docs/index.html - * Testing with puppet: https://docs.openstack.org/developer/puppet-openstack-guide/testing.html + * TripleO: https://docs.openstack.org/tripleo-docs/latest/ + * Testing with puppet: https://docs.openstack.org/developer/puppet-openstack-guide/contributor/testing.html diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 3bf41cf..7e7d68b 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -47,6 +47,10 @@ # limit for the mysql service. # Defaults to false # +# [*innodb_buffer_pool_size*] +# (Optional) Configure the size of the MySQL buffer pool. +# Defaults to hiera('innodb_buffer_pool_size', undef) +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql ( $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $generate_dropin_file_limit = false, + $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef), $manage_resources = true, $mysql_server_options = {}, $mysql_max_connections = hiera('mysql_max_connections', undef), @@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql ( # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap $mysql_server_default = { 'mysqld' => { - 'bind-address' => $bind_address, - 'max_connections' => $mysql_max_connections, - 'open_files_limit' => '-1', - 'innodb_file_per_table' => 'ON', - 'ssl' => $enable_internal_tls, - 'ssl-key' => $tls_keyfile, - 'ssl-cert' => $tls_certfile, - 'ssl-ca' => undef, + 'bind-address' => $bind_address, + 'max_connections' => $mysql_max_connections, + 'open_files_limit' => '-1', + 'innodb_buffer_pool_size' => $innodb_buffer_pool_size, + 'innodb_file_per_table' => 'ON', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index 5f6d97c..d230366 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -32,7 +32,7 @@ # OPTIONS that are used to startup the docker service. NOTE: # --selinux-enabled is dropped due to recommendations here: # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html -# Defaults to '--log-driver=journald --signature-verification=false' +# Defaults to '--log-driver=journald --signature-verification=false --iptables=false' # # [*configure_storage*] # Boolean. Whether to configure a docker storage backend. Defaults to true. @@ -57,7 +57,7 @@ class tripleo::profile::base::docker ( $insecure_registry_address = undef, $registry_mirror = false, - $docker_options = '--log-driver=journald --signature-verification=false', + $docker_options = '--log-driver=journald --signature-verification=false --iptables=false', $configure_storage = true, $storage_options = '-s overlay2', $step = Integer(hiera('step')), diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index d468110..de7e069 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -63,6 +63,10 @@ # be set to 60s. # Defaults to hiera('pacemaker_cluster_recheck_interval', undef) # +# [*encryption*] +# (Optional) Whether or not to enable encryption of the pacemaker traffic +# Defaults to true +# class tripleo::profile::base::pacemaker ( $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), @@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker ( $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), + $encryption = true, ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker ( $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000), + '--ipv6' => '' + } + } else { + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000) + } + } + + if $encryption { + $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'}) } else { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) } + $cluster_setup_extras = $cluster_setup_extras_pre } class { '::pacemaker': hacluster_pwd => hiera('hacluster_pwd'), diff --git a/manifests/profile/pacemaker/clustercheck.pp b/manifests/profile/pacemaker/clustercheck.pp index 958f4a2..c08bafc 100644 --- a/manifests/profile/pacemaker/clustercheck.pp +++ b/manifests/profile/pacemaker/clustercheck.pp @@ -26,14 +26,19 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to hiera('mysql_bind_host') # +# [*clustercheck_user*] +# (Optional) The name of the clustercheck user. +# Defaults to 'clustercheck' +# # [*clustercheck_password*] # (Optional) The password for the clustercheck user. -# Defaults to hiera('mysql::server::root_password') +# Defaults to hiera('mysql_clustercheck_password') # # class tripleo::profile::pacemaker::clustercheck ( $step = Integer(hiera('step')), - $clustercheck_password = hiera('mysql::server::root_password'), + $clustercheck_user = 'clustercheck', + $clustercheck_password = hiera('mysql_clustercheck_password'), $bind_address = hiera('mysql_bind_host'), ) { @@ -43,7 +48,7 @@ class tripleo::profile::pacemaker::clustercheck ( mode => '0600', owner => 'mysql', group => 'mysql', - content => "MYSQL_USERNAME=root\n + content => "MYSQL_USERNAME=${clustercheck_user}\n MYSQL_PASSWORD='${clustercheck_password}'\n MYSQL_HOST=localhost\n", } diff --git a/manifests/profile/pacemaker/rabbitmq_bundle.pp b/manifests/profile/pacemaker/rabbitmq_bundle.pp index 5dd22d2..4d6b9af 100644 --- a/manifests/profile/pacemaker/rabbitmq_bundle.pp +++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp @@ -44,6 +44,10 @@ # (Optional) The list of rabbitmq nodes names # Defaults to hiera('rabbitmq_node_names') # +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -60,6 +64,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( $erlang_cookie = hiera('rabbitmq::erlang_cookie'), $user_ha_queues = hiera('rabbitmq::nr_ha_queues', 0), $rabbit_nodes = hiera('rabbitmq_node_names'), + $enable_internal_tls = hiera('enable_internal_tls', false), $pcs_tries = hiera('pcs_tries', 20), $step = Integer(hiera('step')), ) { @@ -102,6 +107,76 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( } } + $storage_maps = { + 'rabbitmq-cfg-files' => { + 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json', + 'target-dir' => '/var/lib/kolla/config_files/config.json', + 'options' => 'ro', + }, + 'rabbitmq-cfg-data' => { + 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/', + 'target-dir' => '/var/lib/kolla/config_files/src', + 'options' => 'ro', + }, + 'rabbitmq-hosts' => { + 'source-dir' => '/etc/hosts', + 'target-dir' => '/etc/hosts', + 'options' => 'ro', + }, + 'rabbitmq-localtime' => { + 'source-dir' => '/etc/localtime', + 'target-dir' => '/etc/localtime', + 'options' => 'ro', + }, + 'rabbitmq-lib' => { + 'source-dir' => '/var/lib/rabbitmq', + 'target-dir' => '/var/lib/rabbitmq', + 'options' => 'rw', + }, + 'rabbitmq-pki-extracted' => { + 'source-dir' => '/etc/pki/ca-trust/extracted', + 'target-dir' => '/etc/pki/ca-trust/extracted', + 'options' => 'ro', + }, + 'rabbitmq-pki-ca-bundle-crt' => { + 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', + 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-ca-bundle-trust-crt' => { + 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', + 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-cert' => { + 'source-dir' => '/etc/pki/tls/cert.pem', + 'target-dir' => '/etc/pki/tls/cert.pem', + 'options' => 'ro', + }, + 'rabbitmq-dev-log' => { + 'source-dir' => '/dev/log', + 'target-dir' => '/dev/log', + 'options' => 'rw', + }, + } + + if $enable_internal_tls { + $storage_maps_tls = { + 'rabbitmq-pki-cert' => { + 'source-dir' => '/etc/pki/tls/certs/rabbitmq.crt', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-key' => { + 'source-dir' => '/etc/pki/tls/private/rabbitmq.key', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key', + 'options' => 'ro', + }, + } + } else { + $storage_maps_tls = {} + } + pacemaker::resource::bundle { 'rabbitmq-bundle': image => $rabbitmq_docker_image, replicas => $rabbitmq_nodes_count, @@ -114,58 +189,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', run_command => '/bin/bash /usr/local/bin/kolla_start', network => "control-port=${rabbitmq_docker_control_port}", - storage_maps => { - 'rabbitmq-cfg-files' => { - 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json', - 'target-dir' => '/var/lib/kolla/config_files/config.json', - 'options' => 'ro', - }, - 'rabbitmq-cfg-data' => { - 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/', - 'target-dir' => '/var/lib/kolla/config_files/src', - 'options' => 'ro', - }, - 'rabbitmq-hosts' => { - 'source-dir' => '/etc/hosts', - 'target-dir' => '/etc/hosts', - 'options' => 'ro', - }, - 'rabbitmq-localtime' => { - 'source-dir' => '/etc/localtime', - 'target-dir' => '/etc/localtime', - 'options' => 'ro', - }, - 'rabbitmq-lib' => { - 'source-dir' => '/var/lib/rabbitmq', - 'target-dir' => '/var/lib/rabbitmq', - 'options' => 'rw', - }, - 'rabbitmq-pki-extracted' => { - 'source-dir' => '/etc/pki/ca-trust/extracted', - 'target-dir' => '/etc/pki/ca-trust/extracted', - 'options' => 'ro', - }, - 'rabbitmq-pki-ca-bundle-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'options' => 'ro', - }, - 'rabbitmq-pki-ca-bundle-trust-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'options' => 'ro', - }, - 'rabbitmq-pki-cert' => { - 'source-dir' => '/etc/pki/tls/cert.pem', - 'target-dir' => '/etc/pki/tls/cert.pem', - 'options' => 'ro', - }, - 'rabbitmq-dev-log' => { - 'source-dir' => '/dev/log', - 'target-dir' => '/dev/log', - 'options' => 'rw', - }, - }, + storage_maps => merge($storage_maps, $storage_maps_tls), } # The default nr of ha queues is ceiling(N/2) diff --git a/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml b/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml new file mode 100644 index 0000000..65b0316 --- /dev/null +++ b/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Encryption is used for pacemaker traffic by default. This is achieved by + using a pre shared key for all the pacemaker cluster nodes (same as the one + that was used for the pacemaker remote communication). diff --git a/releasenotes/notes/innodb_buffer_pool_size-6fa946cf008a4606.yaml b/releasenotes/notes/innodb_buffer_pool_size-6fa946cf008a4606.yaml new file mode 100644 index 0000000..b4663eb --- /dev/null +++ b/releasenotes/notes/innodb_buffer_pool_size-6fa946cf008a4606.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Enable innodb_buffer_pool_size configuration for all MySQL databases. diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb index e0947dc..2a15362 100644 --- a/spec/classes/tripleo_profile_base_docker_spec.rb +++ b/spec/classes/tripleo_profile_base_docker_spec.rb @@ -28,7 +28,7 @@ describe 'tripleo::profile::base::docker' do it { is_expected.to contain_service('docker') } it { is_expected.to contain_augeas('docker-sysconfig-options').with_changes([ - "set OPTIONS '\"--log-driver=journald --signature-verification=false\"'", + "set OPTIONS '\"--log-driver=journald --signature-verification=false --iptables=false\"'", ]) } end diff --git a/spec/classes/tripleo_profile_base_swift_proxy_spec.rb b/spec/classes/tripleo_profile_base_swift_proxy_spec.rb index 68d7dde..0252237 100644 --- a/spec/classes/tripleo_profile_base_swift_proxy_spec.rb +++ b/spec/classes/tripleo_profile_base_swift_proxy_spec.rb @@ -30,7 +30,9 @@ describe 'tripleo::profile::base::swift::proxy' do include ::memcached class { '::swift::proxy': proxy_local_net_ip => '127.0.0.1', - }" + } + include ::swift::proxy::tempauth + " end context 'with ipv4 memcache servers' do diff --git a/test-requirements.txt b/test-requirements.txt index a23c7e7..629ab00 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -1,6 +1,6 @@ # This is required for the docs build jobs sphinx>=1.6.2 # BSD -openstackdocstheme>=1.11.0 # Apache-2.0 +openstackdocstheme>=1.16.0 # Apache-2.0 # This is required for the releasenotes build jobs # FIXME: reno is manually pinned to !=2.0.0 because of bug #1651995 |