6 files changed, 52 insertions, 9 deletions

diff --git a/manifests/profile/base/cinder/volume/netapp.pp b/manifests/profile/base/cinder/volume/netapp.pp
index fc652c9..43978da 100644
--- a/manifests/profile/base/cinder/volume/netapp.pp
+++ b/manifests/profile/base/cinder/volume/netapp.pp
@@ -59,6 +59,8 @@ class tripleo::profile::base::cinder::volume::netapp (
       netapp_storage_pools         => hiera('cinder::backend::netapp::netapp_storage_pools', undef),
       netapp_eseries_host_type     => hiera('cinder::backend::netapp::netapp_eseries_host_type', undef),
       netapp_webservice_path       => hiera('cinder::backend::netapp::netapp_webservice_path', undef),
+      nas_secure_file_operations   => hiera('cinder::backend::netapp::nas_secure_file_operations', undef),
+      nas_secure_file_permissions  => hiera('cinder::backend::netapp::nas_secure_file_permissions', undef),
     }
   }
 
diff --git a/manifests/profile/base/cinder/volume/nfs.pp b/manifests/profile/base/cinder/volume/nfs.pp
index 7b1f1b9..e384a79 100644
--- a/manifests/profile/base/cinder/volume/nfs.pp
+++ b/manifests/profile/base/cinder/volume/nfs.pp
@@ -29,6 +29,23 @@
 #   (Optional) List of mount options for the NFS share
 #   Defaults to ''
 #
+# [*cinder_nas_secure_file_operations*]
+#   (Optional) Allow network-attached storage systems to operate in a secure
+#   environment where root level access is not permitted. If set to False,
+#   access is as the root user and insecure. If set to True, access is not as
+#   root. If set to auto, a check is done to determine if this is a new
+#   installation: True is used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
+# [*cinder_nas_secure_file_permissions*]
+#   (Optional) Set more secure file permissions on network-attached storage
+#   volume files to restrict broad other/world access. If set to False,
+#   volumes are created with open permissions. If set to True, volumes are
+#   created with permissions for the cinder user and group (660). If set to
+#   auto, a check is done to determine if this is a new installation: True is
+#   used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -36,9 +53,11 @@
 #
 class tripleo::profile::base::cinder::volume::nfs (
   $cinder_nfs_servers,
-  $backend_name             = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
-  $cinder_nfs_mount_options = '',
-  $step                     = hiera('step'),
+  $backend_name                       = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
+  $cinder_nfs_mount_options           = '',
+  $cinder_nas_secure_file_operations  = $::os_service_default,
+  $cinder_nas_secure_file_permissions = $::os_service_default,
+  $step                               = hiera('step'),
 ) {
   include ::tripleo::profile::base::cinder::volume
 
@@ -52,9 +71,11 @@ class tripleo::profile::base::cinder::volume::nfs (
 
     package {'nfs-utils': } ->
     cinder::backend::nfs { $backend_name :
-      nfs_servers       => $cinder_nfs_servers,
-      nfs_mount_options => $cinder_nfs_mount_options,
-      nfs_shares_config => '/etc/cinder/shares-nfs.conf',
+      nfs_servers                 => $cinder_nfs_servers,
+      nfs_mount_options           => $cinder_nfs_mount_options,
+      nfs_shares_config           => '/etc/cinder/shares-nfs.conf',
+      nas_secure_file_operations  => $cinder_nas_secure_file_operations,
+      nas_secure_file_permissions => $cinder_nas_secure_file_permissions,
     }
   }
 
diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp
index 014ef35..3de1e97 100644
--- a/manifests/profile/base/database/mysql/client.pp
+++ b/manifests/profile/base/database/mysql/client.pp
@@ -35,6 +35,10 @@
 #   (Optional) Client IP address of the host that will be written in the mysql_read_default_file
 #   Defaults to undef
 #
+# [*ssl_ca*]
+#   (Optional) The SSL CA file to use to verify the MySQL server's certificate.
+#   Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -45,6 +49,7 @@ class tripleo::profile::base::database::mysql::client (
   $mysql_read_default_file   = '/etc/my.cnf.d/tripleo.cnf',
   $mysql_read_default_group  = 'tripleo',
   $mysql_client_bind_address = undef,
+  $ssl_ca                    = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
   $step                      = hiera('step'),
 ) {
   if $step >= 1 {
@@ -68,7 +73,7 @@ class tripleo::profile::base::database::mysql::client (
     if $enable_ssl {
       $changes_ssl = [
         "set ${mysql_read_default_group}/ssl '1'",
-        "set ${mysql_read_default_group}/ssl-ca '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'"
+        "set ${mysql_read_default_group}/ssl-ca '${ssl_ca}'"
       ]
     } else {
       $changes_ssl = [
diff --git a/manifests/profile/base/neutron/ovs.pp b/manifests/profile/base/neutron/ovs.pp
index bec7e96..97eb8e9 100644
--- a/manifests/profile/base/neutron/ovs.pp
+++ b/manifests/profile/base/neutron/ovs.pp
@@ -23,12 +23,27 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*vhostuser_socket_dir*]
+#   (Optional) vhostuser socket dir, The directory where $vhostuser_socket_dir
+#   will be created with correct permissions, inorder to support vhostuser
+#   client mode.
+
 class tripleo::profile::base::neutron::ovs(
-  $step           = hiera('step'),
+  $step                 = hiera('step'),
+  $vhostuser_socket_dir = hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef)
 ) {
   include ::tripleo::profile::base::neutron
 
   if $step >= 5 {
+    if $vhostuser_socket_dir {
+      file { $vhostuser_socket_dir:
+        ensure => directory,
+        owner  => 'qemu',
+        group  => 'qemu',
+        mode   => '0775',
+      }
+    }
+
     include ::neutron::agents::ml2::ovs
 
     # Optional since manage_service may be false and neutron server may not be colocated.
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index c1d745a..811b911 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -136,6 +136,7 @@ class tripleo::profile::base::pacemaker (
         remote_address     => $remotes_hash[$title],
         reconnect_interval => $remote_reconnect_interval,
         op_params          => "monitor interval=${remote_monitor_interval}",
+        verify_on_create   => true,
         tries              => $remote_tries,
         try_sleep          => $remote_try_sleep,
       }
diff --git a/manifests/profile/base/snmp.pp b/manifests/profile/base/snmp.pp
index 301ac9a..d12e34d 100644
--- a/manifests/profile/base/snmp.pp
+++ b/manifests/profile/base/snmp.pp
@@ -42,7 +42,6 @@ class tripleo::profile::base::snmp (
       authpass => $snmpd_password,
     }
     class { '::snmp':
-      agentaddress => ['udp:161','udp6:[::1]:161'],
       snmpd_config => [ join(['createUser ', $snmpd_user, ' MD5 "', $snmpd_password, '"']),
                         join(['rouser ', $snmpd_user]),
                         'proc  cron',