diff options
40 files changed, 673 insertions, 92 deletions
diff --git a/Puppetfile_extras b/Puppetfile_extras index 0b617b9..f224b9a 100644 --- a/Puppetfile_extras +++ b/Puppetfile_extras @@ -48,3 +48,7 @@ mod 'systemd', mod 'opendaylight', :git => 'https://github.com/dfarrell07/puppet-opendaylight', :ref => 'master' + +mod 'ssh', + :git => 'https://github.com/saz/puppet-ssh', + :ref => 'v3.0.1' diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp index 344adef..4a47938 100644 --- a/manifests/certmonger/rabbitmq.pp +++ b/manifests/certmonger/rabbitmq.pp @@ -31,10 +31,6 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # -# [*file_owner*] -# (Optional) The user which the certificate and key files belong to. -# Defaults to 'root' -# # [*principal*] # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 92edd71..e5d57e5 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -1377,7 +1377,7 @@ class tripleo::haproxy ( server_names => hiera('mysql_node_names', $controller_hosts_names_real), options => $mysql_member_options_real, } - if hiera('manage_firewall', true) { + if hiera('tripleo::firewall::manage_firewall', true) { include ::tripleo::firewall $mysql_firewall_rules = { '100 mysql_haproxy' => { @@ -1462,7 +1462,7 @@ class tripleo::haproxy ( server_names => hiera('redis_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } - if hiera('manage_firewall', true) { + if hiera('tripleo::firewall::manage_firewall', true) { include ::tripleo::firewall $redis_firewall_rules = { '100 redis_haproxy' => { @@ -1595,6 +1595,12 @@ class tripleo::haproxy ( server_names => $controller_hosts_names_real, mode => 'http', public_ssl_port => $ports[ui_ssl_port], + listen_options => { + # NOTE(dtrainor): in addition to the zaqar_ws endpoint, the HTTPS + # (443/tcp) endpoint that answers for the UI must also use a long-lived + # tunnel timeout for the same reasons mentioned above. + 'timeout' => ['tunnel 3600s'], + }, } } if $contrail_config { diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index da2aba3..16e0bd1 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -147,7 +147,7 @@ define tripleo::haproxy::endpoint ( server_names => $server_names, options => $member_options, } - if hiera('manage_firewall', true) { + if hiera('tripleo::firewall::manage_firewall', true) { include ::tripleo::firewall # This block will construct firewall rules only when we specify # a port for the regular service and also the ssl port for the service. diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 0834536..22fc000 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -66,7 +66,7 @@ class tripleo::profile::base::aodh::api ( } - if $step >= 4 { + if $step >= 3 { include ::aodh::api class { '::aodh::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/cinder/volume/dellps.pp b/manifests/profile/base/cinder/volume/dellps.pp index 1338240..e825b61 100644 --- a/manifests/profile/base/cinder/volume/dellps.pp +++ b/manifests/profile/base/cinder/volume/dellps.pp @@ -41,9 +41,9 @@ class tripleo::profile::base::cinder::volume::dellps ( san_thin_provision => hiera('cinder::backend::eqlx::san_thin_provision', undef), eqlx_group_name => hiera('cinder::backend::eqlx::eqlx_group_name', undef), eqlx_pool => hiera('cinder::backend::eqlx::eqlx_pool', undef), - eqlx_use_chap => hiera('cinder::backend::eqlx::eqlx_use_chap', undef), - eqlx_chap_login => hiera('cinder::backend::eqlx::eqlx_chap_login', undef), - eqlx_chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef), + use_chap_auth => hiera('cinder::backend::eqlx::eqlx_use_chap', undef), + chap_username => hiera('cinder::backend::eqlx::eqlx_chap_login', undef), + chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef), } } diff --git a/manifests/profile/base/database/mongodb.pp b/manifests/profile/base/database/mongodb.pp index 8967f5b..4740d67 100644 --- a/manifests/profile/base/database/mongodb.pp +++ b/manifests/profile/base/database/mongodb.pp @@ -30,10 +30,15 @@ # for more details. # Defaults to hiera('step') # +# [*memory_limit*] +# (Optional) Limit amount of memory mongodb can use +# Defaults to 20G +# class tripleo::profile::base::database::mongodb ( $mongodb_replset, $bootstrap_node = downcase(hiera('bootstrap_nodeid')), $step = hiera('step'), + $memory_limit = '20G', ) { if $step >= 2 { @@ -56,5 +61,11 @@ class tripleo::profile::base::database::mongodb ( } } + # Limit memory utilization + ::systemd::service_limits { 'mongod.service': + limits => { + 'MemoryLimit' => $memory_limit + } + } } } diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp index 505e29f..fc4771f 100644 --- a/manifests/profile/base/etcd.pp +++ b/manifests/profile/base/etcd.pp @@ -47,19 +47,12 @@ class tripleo::profile::base::etcd ( $step = hiera('step'), ) { if $step >= 1 { - if count($nodes) > 1 { - $cluster_enabled = true - } else { - $cluster_enabled = false - } - class {'::etcd': listen_client_urls => "http://${bind_ip}:${client_port}", advertise_client_urls => "http://${bind_ip}:${client_port}", listen_peer_urls => "http://${bind_ip}:${peer_port}", initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}", initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"), - cluster_enabled => $cluster_enabled, proxy => 'off', } } diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp index f35735b..8e2da7e 100644 --- a/manifests/profile/base/heat/api.pp +++ b/manifests/profile/base/heat/api.pp @@ -63,7 +63,7 @@ class tripleo::profile::base::heat::api ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::heat::api class { '::heat::wsgi::apache_api': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp index 2545dbc..02eb82a 100644 --- a/manifests/profile/base/heat/api_cfn.pp +++ b/manifests/profile/base/heat/api_cfn.pp @@ -63,7 +63,7 @@ class tripleo::profile::base::heat::api_cfn ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::heat::api_cfn class { '::heat::wsgi::apache_api_cfn': diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp index 872de8d..558d247 100644 --- a/manifests/profile/base/heat/api_cloudwatch.pp +++ b/manifests/profile/base/heat/api_cloudwatch.pp @@ -63,7 +63,7 @@ class tripleo::profile::base::heat::api_cloudwatch ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::heat::api_cloudwatch class { '::heat::wsgi::apache_api_cloudwatch': diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 278c25c..10eaaa6 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -31,7 +31,7 @@ class tripleo::profile::base::horizon ( $step = hiera('step'), $neutron_options = hiera('horizon::neutron_options', {}), ) { - if $step >= 4 { + if $step >= 3 { # Horizon include ::apache::mod::remoteip include ::apache::mod::status diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 9598d64..bb3f387 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -246,7 +246,10 @@ class tripleo::profile::base::keystone ( if hiera('barbican_api_enabled', false) { include ::barbican::keystone::auth } - if hiera('ceilometer_api_enabled', false) { + # ceilometer user is needed even when ceilometer api + # not running, so it can authenticate with keystone + # and dispatch data. + if hiera('ceilometer_auth_enabled', false) { include ::ceilometer::keystone::auth } if hiera('ceph_rgw_enabled', false) { diff --git a/manifests/profile/base/neutron/bgpvpn.pp b/manifests/profile/base/neutron/bgpvpn.pp index 9fa1d14..d6fdf4e 100644 --- a/manifests/profile/base/neutron/bgpvpn.pp +++ b/manifests/profile/base/neutron/bgpvpn.pp @@ -27,10 +27,11 @@ # Defaults to hiera('step') # class tripleo::profile::base::neutron::bgpvpn ( - $step = hiera('step'), + $step = hiera('step'), ) { + include ::tripleo::profile::base::neutron + if $step >= 4 { - include ::tripleo::profile::base::neutron include ::neutron::services::bgpvpn } } diff --git a/manifests/profile/base/neutron/sriov.pp b/manifests/profile/base/neutron/sriov.pp index 00ecc21..24c7b63 100644 --- a/manifests/profile/base/neutron/sriov.pp +++ b/manifests/profile/base/neutron/sriov.pp @@ -33,6 +33,8 @@ class tripleo::profile::base::neutron::sriov( $mechanism_drivers = hiera('neutron::plugins::ml2::mechanism_drivers'), ) { + include ::tripleo::profile::base::neutron + if $step >= 4 { if 'sriovnicswitch' in $mechanism_drivers { include ::neutron::agents::ml2::sriov diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 36425f6..ab9b615 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -82,6 +82,15 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # +# [*migration_ssh_key*] +# (Optional) SSH key pair for migration SSH tunnel. +# Expects a hash with keys 'private_key' and 'public_key'. +# Defaults to {} +# +# [*libvirt_tls*] +# (Optional) Whether or not libvird TLS service is enabled. +# Defaults to false + class tripleo::profile::base::nova ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $libvirt_enabled = false, @@ -99,6 +108,8 @@ class tripleo::profile::base::nova ( $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), $nova_compute_enabled = false, $step = hiera('step'), + $migration_ssh_key = {}, + $libvirt_tls = false ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -114,7 +125,62 @@ class tripleo::profile::base::nova ( if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) - class { '::nova' : + include ::nova::config + class { '::nova::cache': + enabled => true, + backend => 'oslo_cache.memcache_pool', + memcache_servers => $memcache_servers, + } + include ::nova::placement + + if $step >= 4 and $manage_migration { + + # Libvirt setup (live-migration) + if $libvirt_tls { + class { '::nova::migration::libvirt': + transport => 'tls', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + } + } else { + # Reuse the cold-migration SSH tunnel when TLS is not enabled + class { '::nova::migration::libvirt': + transport => 'ssh', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + client_user => 'nova', + client_extraparams => {'keyfile' => '/var/lib/nova/.ssh/id_rsa'} + } + } + + if $migration_ssh_key != {} { + # Nova SSH tunnel setup (cold-migration) + + #TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands + user { 'nova': + ensure => present, + shell => '/bin/bash', + } + + $private_key_parts = split($migration_ssh_key['public_key'], ' ') + $nova_public_key = { + type => $private_key_parts[0], + key => $private_key_parts[1] + } + $nova_private_key = { + type => $private_key_parts[0], + key => $migration_ssh_key['private_key'] + } + } else { + $nova_public_key = undef + $nova_private_key = undef + } + } else { + $nova_public_key = undef + $nova_private_key = undef + } + + class { '::nova': default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, @@ -131,23 +197,8 @@ class tripleo::profile::base::nova ( 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, }), + nova_public_key => $nova_public_key, + nova_private_key => $nova_private_key, } - include ::nova::config - class { '::nova::cache': - enabled => true, - backend => 'oslo_cache.memcache_pool', - memcache_servers => $memcache_servers, - } - include ::nova::placement } - - if $step >= 4 { - if $manage_migration { - class { '::nova::migration::libvirt': - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, - } - } - } - } diff --git a/manifests/profile/base/nova/ec2api.pp b/manifests/profile/base/nova/ec2api.pp index f34b071..f8817d2 100644 --- a/manifests/profile/base/nova/ec2api.pp +++ b/manifests/profile/base/nova/ec2api.pp @@ -31,5 +31,6 @@ class tripleo::profile::base::nova::ec2api ( include ::ec2api::api include ::ec2api::db::sync include ::ec2api::metadata + include ::ec2api::keystone::authtoken } } diff --git a/manifests/profile/base/qdr.pp b/manifests/profile/base/qdr.pp new file mode 100644 index 0000000..9827f2e --- /dev/null +++ b/manifests/profile/base/qdr.pp @@ -0,0 +1,54 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::qdr +# +# Qpid dispatch router profile for tripleo +# +# === Parameters +# +# [*qdr_username*] +# Username for the qrouter daemon +# Defaults to undef +# +# [*qdr_password*] +# Password for the qrouter daemon +# Defaults to undef +# +# [*qdr_listener_port*] +# Port for the listener (not that we do not use qdr::listener_port +# directly because it requires a string and we have a number. +# Defaults to hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672) +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::qdr ( + $qdr_username = undef, + $qdr_password = undef, + $qdr_listener_port = hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672), + $step = hiera('step'), +) { + if $step >= 1 { + class { '::qdr': + listener_port => "${qdr_listener_port}", + } -> + qdr_user { $qdr_username: + ensure => present, + password => $qdr_password, + } + } +} diff --git a/manifests/profile/base/securetty.pp b/manifests/profile/base/securetty.pp new file mode 100644 index 0000000..07f29f8 --- /dev/null +++ b/manifests/profile/base/securetty.pp @@ -0,0 +1,48 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::securetty +# +# Sets securetty Parameters +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*tty_list*] +# Hash of values for /etc/securetty console +# Defaults to hiera('securetty::tty_list') +# +class tripleo::profile::base::securetty ( + $step = hiera('step'), + $tty_list = hiera('tty_list', []), +) { + validate_array($tty_list) + + if $step >=1 { + $ttys = join($tty_list, "\n") + + file { '/etc/securetty': + ensure => file, + content => template( 'tripleo/securetty/securetty.erb' ), + owner => 'root', + group => 'root', + mode => '0600' + } + } +} diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp index e7916c1..f43089c 100644 --- a/manifests/profile/base/sshd.pp +++ b/manifests/profile/base/sshd.pp @@ -15,47 +15,45 @@ # # == Class: tripleo::profile::base::sshd # -# SSH profile for tripleo +# SSH composable service for TripleO # # === Parameters # # [*bannertext*] -# The text used within SSH Banner +# The text used within /etc/issue and /etc/issue.net # Defaults to hiera('BannerText') # +# [*motd*] +# The text used within SSH Banner +# Defaults to hiera('MOTD') +# class tripleo::profile::base::sshd ( $bannertext = hiera('BannerText', undef), + $motd = hiera('MOTD', undef), ) { - if $bannertext { - $action = 'set' - } else { - $action = 'rm' - } - - package {'openssh-server': - ensure => installed, - } + include ::ssh - augeas { 'sshd_config_banner': - context => '/files/etc/ssh/sshd_config', - changes => [ "${action} Banner /etc/issue" ], - notify => Service['sshd'] - } - - file { '/etc/issue': - ensure => file, - backup => false, - content => $bannertext, - owner => 'root', - group => 'root', - mode => '0600' + if $bannertext { + $filelist = [ '/etc/issue', '/etc/issue.net', ] + file { $filelist: + ensure => file, + backup => false, + content => $bannertext, + owner => 'root', + group => 'root', + mode => '0644' + } } - service { 'sshd': - ensure => 'running', - enable => true, - hasstatus => false, - require => Package['openssh-server'], + if $motd { + file { '/etc/motd': + ensure => file, + backup => false, + content => $motd, + owner => 'root', + group => 'root', + mode => '0644' + } } } diff --git a/manifests/profile/base/tuned.pp b/manifests/profile/base/tuned.pp new file mode 100644 index 0000000..8dfcea0 --- /dev/null +++ b/manifests/profile/base/tuned.pp @@ -0,0 +1,20 @@ +# == Class: tripleo::profile::base::tuned +# +# Configures tuned service. +# +# === Parameters: +# +# [*profile*] +# (optional) tuned active profile. +# Defaults to 'throughput-performance' +# +# +class tripleo::profile::base::tuned ( + $profile = 'throughput-performance' +) { + exec { 'tuned-adm': + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "tuned-adm profile ${profile}", + unless => "tuned-adm active | grep -q '${profile}'" + } +} diff --git a/manifests/ui.pp b/manifests/ui.pp index d51ef2e..d810b5d 100644 --- a/manifests/ui.pp +++ b/manifests/ui.pp @@ -33,8 +33,17 @@ # # [*enabled_languages*] # Which languages to show in the UI. -# An array. -# Defaults to ['en-GB', 'en', 'de', 'ja', 'ko-KR', 'zh-CN', 'es'] +# A hash. +# Defaults to +# { +# 'de' => 'German', +# 'en' => 'English', +# 'en-GB' => 'British English', +# 'es' => 'Spanish', +# 'ja' => 'Japanese', +# 'ko-KR' => 'Korean', +# 'zh-CN' => 'Simplified Chinese' +# } # # [*endpoint_proxy_keystone*] # The keystone proxy endpoint url @@ -94,7 +103,15 @@ class tripleo::ui ( $bind_host = hiera('controller_host'), $ui_port = 3000, $zaqar_default_queue = 'tripleo', - $enabled_languages = ['en-GB', 'en', 'de', 'ja', 'ko-KR', 'zh-CN', 'es'], + $enabled_languages = { + 'de' => 'German', + 'en' => 'English', + 'en-GB' => 'British English', + 'es' => 'Spanish', + 'ja' => 'Japanese', + 'ko-KR' => 'Korean', + 'zh-CN' => 'Simplified Chinese' + }, $endpoint_proxy_zaqar = undef, $endpoint_proxy_keystone = undef, $endpoint_proxy_heat = undef, diff --git a/releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml b/releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml new file mode 100644 index 0000000..a1a04c1 --- /dev/null +++ b/releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Add a tunnel timeout to the HAProxy tripleo-ui configuration to ensure + Zaqar WebSocket tunnels persist longer than two minutes + https://bugs.launchpad.net/tripleo/+bug/1672826 diff --git a/releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml b/releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml new file mode 100644 index 0000000..00b7799 --- /dev/null +++ b/releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml @@ -0,0 +1,4 @@ +--- +features: + - Configure ssh tunneling for nova cold-migration. Re-use the tunnel for + libvirt live-migration unless TLS is enabled. diff --git a/releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml b/releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml new file mode 100644 index 0000000..07407f2 --- /dev/null +++ b/releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - We need ceilometer user in cases where ceilometer API is disabled. + This is to ensure other ceilometer services can still authenticate + with keystone. diff --git a/releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml b/releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml new file mode 100644 index 0000000..5c200dd --- /dev/null +++ b/releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes horizon getting temporarily deconfigured during a stack update due + to the apache configuration occuring in step 3 but the horizon + configuration not occuring until step 4. diff --git a/releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml b/releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml new file mode 100644 index 0000000..012a16c --- /dev/null +++ b/releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml @@ -0,0 +1,3 @@ +--- +fixes: + - Fixes missing neutron base class in sriov diff --git a/manifests/profile/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml index e1caf4c..0857f63 100644 --- a/manifests/profile/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml +++ b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml @@ -1,6 +1,6 @@ --- fixes: - The rabbitmq user check is moved to step >= 2 from step >= 1. There - is no gaurantee that rabbitmq is running at step 1, especially if + is no guarantee that rabbitmq is running at step 1, especially if updating a failed stack that never made it past step 1 to begin with. diff --git a/releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml b/releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml new file mode 100644 index 0000000..1186bb9 --- /dev/null +++ b/releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - Add a way for mongodb to limit amount of memory it comsumes + with systemd. A new param memory_limit has been added to + tripleo::profile::base::database::mongodb class with + default limit of 20G. diff --git a/releasenotes/notes/securetty-6a10eefd601e45ca.yaml b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml new file mode 100644 index 0000000..e5cfcf5 --- /dev/null +++ b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Allows granular level of control over the `/etc/securetty` file. + By allowing operators to specify the values in securetty, they + can improve security by limiting root console access. diff --git a/releasenotes/notes/sshd-437c531301f458bb.yaml b/releasenotes/notes/sshd-437c531301f458bb.yaml index 0086cb0..5997289 100644 --- a/releasenotes/notes/sshd-437c531301f458bb.yaml +++ b/releasenotes/notes/sshd-437c531301f458bb.yaml @@ -1,3 +1,5 @@ --- features: - - Added manifest and template to enable configuration of sshd_config + - Added /etc/issue & /etc/issue.net parameters + - Added MOTD banner parameters + - Added external module saz-ssh to allow management of sshd_config diff --git a/spec/classes/tripleo_profile_base_aodh_api_spec.rb b/spec/classes/tripleo_profile_base_aodh_api_spec.rb index f2a26bf..a82cf49 100644 --- a/spec/classes/tripleo_profile_base_aodh_api_spec.rb +++ b/spec/classes/tripleo_profile_base_aodh_api_spec.rb @@ -22,8 +22,8 @@ describe 'tripleo::profile::base::aodh::api' do "class { '::tripleo::profile::base::aodh': step => #{params[:step]}, oslomsg_rpc_hosts => ['localhost.localdomain'] }" end - context 'with step less than 4' do - let(:params) { { :step => 3 } } + context 'with step less than 3' do + let(:params) { { :step => 2 } } it 'should do nothing' do is_expected.to contain_class('tripleo::profile::base::aodh::api') @@ -33,9 +33,9 @@ describe 'tripleo::profile::base::aodh::api' do end end - context 'with step 4' do + context 'with step 3' do let(:params) { { - :step => 4, + :step => 3, } } it 'should trigger complete configuration' do diff --git a/spec/classes/tripleo_profile_base_horizon_spec.rb b/spec/classes/tripleo_profile_base_horizon_spec.rb new file mode 100644 index 0000000..fb076b8 --- /dev/null +++ b/spec/classes/tripleo_profile_base_horizon_spec.rb @@ -0,0 +1,57 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::horizon' do + shared_examples_for 'tripleo::profile::base::horizon' do + let(:pre_condition) do + "class { '::tripleo::profile::base::aodh': step => #{params[:step]}, oslomsg_rpc_hosts => ['localhost.localdomain'] }" + end + + context 'with step less than 3' do + let(:params) { { :step => 2 } } + + it 'should do nothing' do + is_expected.to contain_class('tripleo::profile::base::horizon') + is_expected.to_not contain_class('horizon') + end + end + + context 'with step 3' do + let(:params) { { + :step => 3, + } } + + it 'should trigger complete configuration' do + is_expected.to contain_class('horizon') + is_expected.to contain_class('apache::mod::remoteip') + is_expected.to contain_class('apache::mod::status') + end + end + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::horizon' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_spec.rb b/spec/classes/tripleo_profile_base_nova_spec.rb index b5677cc..8f7bfdc 100644 --- a/spec/classes/tripleo_profile_base_nova_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_spec.rb @@ -85,7 +85,12 @@ describe 'tripleo::profile::base::nova' do it { is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) is_expected.to contain_class('nova::config') is_expected.to contain_class('nova::cache') is_expected.to contain_class('nova::placement') @@ -109,11 +114,120 @@ describe 'tripleo::profile::base::nova' do it { is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::placement') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + } + end + + context 'with step 4 with libvirt TLS' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :oslomsg_rpc_hosts => [ 'localhost' ], + :oslomsg_rpc_password => 'foo', + :libvirt_tls => true, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::placement') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled], + ) + } + end + + context 'with step 4 with libvirt and migration ssh key' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :oslomsg_rpc_hosts => [ 'localhost' ], + :oslomsg_rpc_password => 'foo', + :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => {'key' => 'bar', 'type' => 'ssh-rsa'}, + :nova_private_key => {'key' => 'foo', 'type' => 'ssh-rsa'} + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::placement') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + } + end + + context 'with step 4 with libvirt TLS and migration ssh key' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :oslomsg_rpc_hosts => [ 'localhost' ], + :oslomsg_rpc_password => 'foo', + :libvirt_tls => true, + :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :default_transport_url => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => {'key' => 'bar', 'type' => 'ssh-rsa'}, + :nova_private_key => {'key' => 'foo', 'type' => 'ssh-rsa'} + ) is_expected.to contain_class('nova::config') is_expected.to contain_class('nova::placement') is_expected.to contain_class('nova::cache') is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', :configure_libvirt => params[:libvirt_enabled], :configure_nova => params[:nova_compute_enabled] ) diff --git a/spec/classes/tripleo_profile_base_securetty_spec.rb b/spec/classes/tripleo_profile_base_securetty_spec.rb new file mode 100644 index 0000000..c57d8be --- /dev/null +++ b/spec/classes/tripleo_profile_base_securetty_spec.rb @@ -0,0 +1,72 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo::profile::base::securetty +# + +require 'spec_helper' + +describe 'tripleo::profile::base::securetty' do + + shared_examples_for 'tripleo::profile::base::securetty' do + + context 'with defaults step 1' do + let(:params) {{ :step => 1 }} + it { is_expected.to contain_class('tripleo::profile::base::securetty') } + it { + is_expected.to contain_file('/etc/securetty').with( + :content => ["# Managed by Puppet / TripleO Heat Templates", + "# A list of TTYs, from which root can log in", + "# see `man securetty` for reference", + "", + ""].join("\n"), + :owner => 'root', + :group => 'root', + :mode => '0600') + } + end + + context 'it should configure securtty' do + let(:params) {{ + :step => 1, + :tty_list => ['console', 'tty1', 'tty2', 'tty3', 'tty4', 'tty5', 'tty6'] + }} + + it 'should configure securetty values' do + is_expected.to contain_file('/etc/securetty').with( + :owner => 'root', + :group => 'root', + :mode => '0600', + ) + .with_content(/console/) + .with_content(/tty1/) + .with_content(/tty2/) + .with_content(/tty3/) + .with_content(/tty4/) + .with_content(/tty5/) + .with_content(/tty6/) + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let (:facts) { + facts + } + it_behaves_like 'tripleo::profile::base::securetty' + end + end +end diff --git a/spec/classes/tripleo_profile_base_sshd_spec.rb b/spec/classes/tripleo_profile_base_sshd_spec.rb index 210b41c..c611fe9 100644 --- a/spec/classes/tripleo_profile_base_sshd_spec.rb +++ b/spec/classes/tripleo_profile_base_sshd_spec.rb @@ -1,4 +1,4 @@ -# Copyright 2016 Red Hat, Inc. +# Copyright 2017 Red Hat, Inc. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -13,18 +13,64 @@ # License for the specific language governing permissions and limitations # under the License. # +# Unit tests for tripleo::profile::base::sshd +# require 'spec_helper' describe 'tripleo::profile::base::sshd' do - context 'with banner configured' do - it do - is_expected.to contain_file('/etc/issue').with({ - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0600', - }) + shared_examples_for 'tripleo::profile::base::sshd' do + + context 'it should do nothing' do + it do + is_expected.to contain_class('ssh') + is_expected.to_not contain_file('/etc/issue') + is_expected.to_not contain_file('/etc/issue.net') + is_expected.to_not contain_file('/etc/motd') + end + end + + context 'with issue and issue.net configured' do + let(:params) {{ :bannertext => 'foo' }} + it do + is_expected.to contain_file('/etc/issue').with({ + 'content' => 'foo', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + is_expected.to contain_file('/etc/issue.net').with({ + 'content' => 'foo', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + is_expected.to_not contain_file('/etc/motd') + end + end + + context 'with motd configured' do + let(:params) {{ :motd => 'foo' }} + it do + is_expected.to contain_file('/etc/motd').with({ + 'content' => 'foo', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + is_expected.to_not contain_file('/etc/issue') + is_expected.to_not contain_file('/etc/issue.net') + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let (:facts) { + facts + } + it_behaves_like 'tripleo::profile::base::sshd' end end end diff --git a/spec/classes/tripleo_profile_base_tuned_spec.rb b/spec/classes/tripleo_profile_base_tuned_spec.rb new file mode 100644 index 0000000..95b0f26 --- /dev/null +++ b/spec/classes/tripleo_profile_base_tuned_spec.rb @@ -0,0 +1,44 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::tuned' do + + shared_examples_for 'tripleo::profile::base::tuned' do + context 'with profile' do + let :params do + { + :profile => 'virtual-compute' + } + end + + it 'should run tuned-adm exec' do + is_expected.to contain_exec('tuned-adm') + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) { + facts + } + + it_behaves_like 'tripleo::profile::base::tuned' + end + end +end diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index eadb444..9634e5d 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -39,3 +39,4 @@ memcached_node_ips: - '127.0.0.1' # octavia related items octavia::rabbit_password: 'password' +horizon::secret_key: 'secrete' diff --git a/templates/securetty/securetty.erb b/templates/securetty/securetty.erb new file mode 100644 index 0000000..c8c7b90 --- /dev/null +++ b/templates/securetty/securetty.erb @@ -0,0 +1,4 @@ +# Managed by Puppet / TripleO Heat Templates +# A list of TTYs, from which root can log in +# see `man securetty` for reference +<%= @ttys %> diff --git a/templates/ui/tripleo_ui_config.js.erb b/templates/ui/tripleo_ui_config.js.erb index c984cc3..f179637 100644 --- a/templates/ui/tripleo_ui_config.js.erb +++ b/templates/ui/tripleo_ui_config.js.erb @@ -18,7 +18,7 @@ window.tripleOUiConfig = { // If you choose more than one language, a language switcher will appear in // the navigation bar. // Only 'en' (English) is enabled by default. - 'languages': ['<%= @enabled_languages.join("', '") %>'], + 'languages': <%= @enabled_languages.to_json %>, // Logging // 'loggers': ['console'] |