diff options
Diffstat (limited to 'manifests/profile/base')
34 files changed, 797 insertions, 277 deletions
diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 300c0ca..d6ec32b 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -23,6 +23,10 @@ # This is set by t-h-t. # Defaults to hiera('aodh_api_network', undef) # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -47,10 +51,16 @@ class tripleo::profile::base::aodh::api ( $aodh_network = hiera('aodh_api_network', undef), + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } include ::tripleo::profile::base::aodh @@ -66,7 +76,7 @@ class tripleo::profile::base::aodh::api ( } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::aodh::api include ::apache::mod::ssl class { '::aodh::wsgi::apache': diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 6a30a40..11c1da3 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -23,6 +23,10 @@ # This is set by t-h-t. # Defaults to hiera('ceilometer_api_network', undef) # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -45,11 +49,18 @@ # Defaults to hiera('step') # class tripleo::profile::base::ceilometer::api ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $ceilometer_network = hiera('ceilometer_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + include ::tripleo::profile::base::ceilometer if $enable_internal_tls { @@ -63,7 +74,7 @@ class tripleo::profile::base::ceilometer::api ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::ceilometer::api include ::apache::mod::ssl class { '::ceilometer::wsgi::apache': diff --git a/manifests/profile/base/ceilometer/upgrade.pp b/manifests/profile/base/ceilometer/upgrade.pp index f192b48..0031b79 100644 --- a/manifests/profile/base/ceilometer/upgrade.pp +++ b/manifests/profile/base/ceilometer/upgrade.pp @@ -42,8 +42,16 @@ class tripleo::profile::base::ceilometer::upgrade ( # are created safely. if $step >= 5 and $sync_db { exec {'ceilometer-db-upgrade': - command => 'ceilometer-upgrade --skip-metering-database', - path => ['/usr/bin', '/usr/sbin'], + command => 'ceilometer-upgrade --skip-metering-database', + path => ['/usr/bin', '/usr/sbin'], + # LP#1703444 - When this runs, it talks to gnocchi on all controllers + # which then reaches out to keystone via haproxy. Since the deployment + # may restart httpd on these other nodes it can result in an intermittent + # 503 which fails this command. We should retry the upgrade in case of + # error since we cannot ensure that there might not be some other deploy + # process running on the other nodes. + try_sleep => 5, + tries => 10 } } } diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 3581540..bdfdd17 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -20,11 +20,11 @@ # # [*cinder_enable_pure_backend*] # (Optional) Whether to enable the pure backend -# Defaults to true +# Defaults to false # # [*cinder_enable_dellsc_backend*] # (Optional) Whether to enable the delsc backend -# Defaults to true +# Defaults to false # # [*cinder_enable_hpelefthand_backend*] # (Optional) Whether to enable the hpelefthand backend @@ -32,7 +32,7 @@ # # [*cinder_enable_dellps_backend*] # (Optional) Whether to enable the dellps backend -# Defaults to true +# Defaults to false # # [*cinder_enable_iscsi_backend*] # (Optional) Whether to enable the iscsi backend @@ -40,19 +40,23 @@ # # [*cinder_enable_netapp_backend*] # (Optional) Whether to enable the netapp backend -# Defaults to true +# Defaults to false # # [*cinder_enable_nfs_backend*] # (Optional) Whether to enable the nfs backend -# Defaults to true +# Defaults to false # # [*cinder_enable_rbd_backend*] # (Optional) Whether to enable the rbd backend -# Defaults to true +# Defaults to false # # [*cinder_enable_scaleio_backend*] # (Optional) Whether to enable the scaleio backend -# Defaults to true +# Defaults to false +# +#[*cinder_enable_vrts_hs_backend*] +# (Optional) Whether to enable the Veritas HyperScale backend +# Defaults to false # # [*cinder_user_enabled_backends*] # (Optional) List of additional backend stanzas to activate @@ -73,6 +77,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_enable_nfs_backend = false, $cinder_enable_rbd_backend = false, $cinder_enable_scaleio_backend = false, + $cinder_enable_vrts_hs_backend = false, $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), $step = Integer(hiera('step')), ) { @@ -144,6 +149,13 @@ class tripleo::profile::base::cinder::volume ( $cinder_scaleio_backend_name = undef } + if $cinder_enable_vrts_hs_backend { + include ::tripleo::profile::base::cinder::volume::veritas_hyperscale + $cinder_veritas_hyperscale_backend_name = 'Veritas_HyperScale' + } else { + $cinder_veritas_hyperscale_backend_name = undef + } + $backends = delete_undef_values([$cinder_iscsi_backend_name, $cinder_rbd_backend_name, $cinder_pure_backend_name, @@ -153,6 +165,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_netapp_backend_name, $cinder_nfs_backend_name, $cinder_scaleio_backend_name, + $cinder_veritas_hyperscale_backend_name, $cinder_user_enabled_backends]) # NOTE(aschultz): during testing it was found that puppet 3 may incorrectly # include a "" in the previous array which is not removed by the diff --git a/manifests/profile/base/cinder/volume/veritas_hyperscale.pp b/manifests/profile/base/cinder/volume/veritas_hyperscale.pp new file mode 100644 index 0000000..4516d01 --- /dev/null +++ b/manifests/profile/base/cinder/volume/veritas_hyperscale.pp @@ -0,0 +1,44 @@ +# Copyright (c) 2017 Veritas Technologies LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::veritas_hyperscale +# +# Cinder Volume Veritas HyperScale profile for tripleo +# +# === Parameters +# +# [*backend_name*] +# (Optional) The name of Veritas HyperScale cinder backend. +# Currently the backend name is hard-coded in the driver, and it won't +# function if other value is set in hiera. +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::veritas_hyperscale ( + # Note: Currently the backend name is hard-coded in the driver, and it won't + # function if other value is set in hiera. + $backend_name = hiera('cinder::backend::veritas_hyperscale::volume_backend_name', 'Veritas_HyperScale'), + $step = Integer(hiera('step')), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::veritas_hyperscale { $backend_name : + } + } + +} diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 8eb6079..3bf41cf 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -95,6 +95,9 @@ class tripleo::profile::base::database::mysql ( if $enable_internal_tls { $tls_certfile = $certificate_specs['service_certificate'] $tls_keyfile = $certificate_specs['service_key'] + + # Force users/grants created to use TLS connections + Openstacklib::Db::Mysql <||> { tls_options => ['SSL'] } } else { $tls_certfile = undef $tls_keyfile = undef @@ -217,6 +220,13 @@ class tripleo::profile::base::database::mysql ( if hiera('ec2_api_enabled', false) { include ::ec2api::db::mysql } + if hiera('zaqar_enabled', false) and hiera('zaqar::db::mysql::user', '') == 'zaqar' { + # NOTE: by default zaqar uses mongodb + include ::zaqar::db::mysql + } + if hiera('veritas_hyperscale_controller_enabled', false) { + include ::veritas_hyperscale::db::mysql + } } } diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp index 1e55f05..68d524b 100644 --- a/manifests/profile/base/database/mysql/client.pp +++ b/manifests/profile/base/database/mysql/client.pp @@ -53,13 +53,6 @@ class tripleo::profile::base::database::mysql::client ( $step = Integer(hiera('step')), ) { if $step >= 1 { - # If the folder /etc/my.cnf.d does not exist (e.g. if mariadb is not - # present in the base image but installed as a package afterwards), - # create it. We do not want to touch the permissions in case it already - # exists due to the mariadb server package being pre-installed - # Note: We use exec instead of file in the case that the mysql class is - # included on this node as well (we'd get duplicate declaration in such a - # situation when using file) if $mysql_client_bind_address { $client_bind_changes = [ "set ${mysql_read_default_group}/bind-address '${mysql_client_bind_address}'" @@ -85,15 +78,37 @@ class tripleo::profile::base::database::mysql::client ( $conf_changes = union($client_bind_changes, $changes_ssl) # Create /etc/my.cnf.d/tripleo.cnf - exec { 'directory-create-etc-my.cnf.d': - command => 'mkdir -p /etc/my.cnf.d', - unless => 'test -d /etc/my.cnf.d', - path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], - } -> + # If the folder /etc/my.cnf.d does not exist (e.g. if mariadb is not + # present in the base image but installed as a package afterwards), + # create it. We do not want to touch the permissions in case it already + # exists due to the mariadb server package being pre-installed + if $::uuid == 'docker' { + # When generating configuration with docker-puppet, services do + # not include any profile that would ensure creation of /etc/my.cnf.d, + # so we enforce the check here. + file {'/etc/my.cnf.d': + ensure => 'directory' + } + } else { + # Otherwise, depending on the role, puppet may run this profile + # concurrently with the mysql profile, so we use an exec resource + # in order to avoid getting duplicate declaration errors + exec { 'directory-create-etc-my.cnf.d': + command => 'mkdir -p /etc/my.cnf.d', + unless => 'test -d /etc/my.cnf.d', + path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], + before => Augeas['tripleo-mysql-client-conf'] + } + } + augeas { 'tripleo-mysql-client-conf': incl => $mysql_read_default_file, lens => 'Puppet.lns', changes => $conf_changes, } + + # If a profile created a file resource for the parent directory, + # ensure it is being run before the config file generation + File<| title == '/etc/my.cnf.d' |> -> Augeas['tripleo-mysql-client-conf'] } } diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index 28a2764..2c9824a 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -19,14 +19,10 @@ # # === Parameters # -# [*docker_namespace*] -# The namespace to be used when setting INSECURE_REGISTRY -# this will be split on "/" to derive the docker registry -# (defaults to undef) -# -# [*insecure_registry*] -# Set docker_namespace to INSECURE_REGISTRY, used when a local registry -# is enabled (defaults to false) +# [*insecure_registry_address*] +# The host/port combiniation of the insecure registry. This is used to configure +# /etc/sysconfig/docker so that a local (insecure) registry can be accessed. +# Example: 127.0.0.1:8787 (defaults to unset) # # [*registry_mirror*] # Configure a registry-mirror in the /etc/docker/daemon.json file. @@ -59,9 +55,19 @@ # List of TripleO services enabled on the role. # Defaults to hiera('services_names') # +# DEPRECATED PARAMETERS +# +# [*docker_namespace*] +# DEPRECATED: The namespace to be used when setting INSECURE_REGISTRY +# this will be split on "/" to derive the docker registry +# (defaults to undef) +# +# [*insecure_registry*] +# DEPRECATED: Set docker_namespace to INSECURE_REGISTRY, used when a local registry +# is enabled (defaults to false) +# class tripleo::profile::base::docker ( - $docker_namespace = undef, - $insecure_registry = false, + $insecure_registry_address = undef, $registry_mirror = false, $docker_options = '--log-driver=journald --signature-verification=false', $configure_storage = true, @@ -69,7 +75,10 @@ class tripleo::profile::base::docker ( $step = Integer(hiera('step')), $configure_libvirt_polkit = undef, $docker_nova_uid = 42436, - $services_enabled = hiera('service_names', []) + $services_enabled = hiera('service_names', []), + # DEPRECATED PARAMETERS + $docker_namespace = undef, + $insecure_registry = false, ) { if $configure_libvirt_polkit == undef { @@ -89,22 +98,37 @@ class tripleo::profile::base::docker ( require => Package['docker'], } + if $docker_options { + $options_changes = [ "set OPTIONS '\"${docker_options}\"'" ] + } else { + $options_changes = [ 'rm OPTIONS' ] + } + + augeas { 'docker-sysconfig-options': + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/docker', + changes => $options_changes, + subscribe => Package['docker'], + notify => Service['docker'], + } + if $insecure_registry { + warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registry_address instead.') if $docker_namespace == undef { fail('You must provide a $docker_namespace in order to configure insecure registry') } $namespace = strip($docker_namespace.split('/')[0]) - $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", - "set OPTIONS '\"${docker_options}\"'" ] + $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'" ] + } elsif $insecure_registry_address { + $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${insecure_registry_address}\"'" ] } else { - $changes = [ 'rm INSECURE_REGISTRY', - "set OPTIONS '\"${docker_options}\"'" ] + $registry_changes = [ 'rm INSECURE_REGISTRY' ] } - augeas { 'docker-sysconfig': + augeas { 'docker-sysconfig-registry': lens => 'Shellvars.lns', incl => '/etc/sysconfig/docker', - changes => $changes, + changes => $registry_changes, subscribe => Package['docker'], notify => Service['docker'], } diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index 2896185..d9c89d5 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp @@ -127,12 +127,12 @@ class tripleo::profile::base::glance::api ( } } case $glance_backend { - 'swift': { $backend_store = 'glance.store.swift.Store' } - 'file': { $backend_store = 'glance.store.filesystem.Store' } - 'rbd': { $backend_store = 'glance.store.rbd.Store' } + 'swift': { $backend_store = 'swift' } + 'file': { $backend_store = 'file' } + 'rbd': { $backend_store = 'rbd' } default: { fail('Unrecognized glance_backend parameter.') } } - $http_store = ['glance.store.http.Store'] + $http_store = ['http'] $glance_store = concat($http_store, $backend_store) # TODO: notifications, scrubber, etc. diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp index ff90590..2221b37 100644 --- a/manifests/profile/base/heat/api.pp +++ b/manifests/profile/base/heat/api.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -45,11 +49,18 @@ # Defaults to hiera('step') # class tripleo::profile::base::heat::api ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $heat_api_network = hiera('heat_api_network', undef), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + include ::tripleo::profile::base::heat if $enable_internal_tls { @@ -63,7 +74,7 @@ class tripleo::profile::base::heat::api ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::heat::api include ::apache::mod::ssl class { '::heat::wsgi::apache_api': diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp index e14760a..1014b04 100644 --- a/manifests/profile/base/heat/api_cfn.pp +++ b/manifests/profile/base/heat/api_cfn.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -45,11 +49,18 @@ # Defaults to hiera('step') # class tripleo::profile::base::heat::api_cfn ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $heat_api_cfn_network = hiera('heat_api_cfn_network', undef), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + include ::tripleo::profile::base::heat if $enable_internal_tls { @@ -63,7 +74,7 @@ class tripleo::profile::base::heat::api_cfn ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::heat::api_cfn include ::apache::mod::ssl diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp index 83d5307..4caac9d 100644 --- a/manifests/profile/base/heat/api_cloudwatch.pp +++ b/manifests/profile/base/heat/api_cloudwatch.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -45,11 +49,18 @@ # Defaults to hiera('step') # class tripleo::profile::base::heat::api_cloudwatch ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + include ::tripleo::profile::base::heat if $enable_internal_tls { @@ -63,7 +74,7 @@ class tripleo::profile::base::heat::api_cloudwatch ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::heat::api_cloudwatch include ::apache::mod::ssl diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 12482b6..3f01d01 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -23,15 +23,31 @@ # for more details. # Defaults to hiera('step') # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*neutron_options*] # (Optional) A hash of parameters to enable features specific to Neutron # Defaults to hiera('horizon::neutron_options', {}) # +# [*memcached_ips*] +# (Optional) Array of ipv4 or ipv6 addresses for memcache. +# Defaults to hiera('memcached_node_ips') +# class tripleo::profile::base::horizon ( $step = Integer(hiera('step')), + $bootstrap_node = hiera('bootstrap_nodeid', undef), $neutron_options = hiera('horizon::neutron_options', {}), + $memcached_ips = hiera('memcached_node_ips') ) { - if $step >= 3 { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { # Horizon include ::apache::mod::remoteip include ::apache::mod::status @@ -41,12 +57,14 @@ class tripleo::profile::base::horizon ( $_profile_support = 'None' } $neutron_options_real = merge({'profile_support' => $_profile_support }, $neutron_options) - $memcached_ipv6 = hiera('memcached_ipv6', false) - if $memcached_ipv6 { - $horizon_memcached_servers = hiera('memcached_node_ips_v6', '[::1]') + + if is_ipv6_address($memcached_ips[0]) { + $horizon_memcached_servers = prefix(any2array(normalize_ip_for_uri($memcached_ips)), 'inet6:') + } else { - $horizon_memcached_servers = hiera('memcached_node_ips', '127.0.0.1') + $horizon_memcached_servers = any2array(normalize_ip_for_uri($memcached_ips)) } + class { '::horizon': cache_server_ip => $horizon_memcached_servers, neutron_options => $neutron_options_real, diff --git a/manifests/profile/base/iscsid.pp b/manifests/profile/base/iscsid.pp new file mode 100644 index 0000000..3637097 --- /dev/null +++ b/manifests/profile/base/iscsid.pp @@ -0,0 +1,45 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::iscsid +# +# Nova Compute profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::iscsid ( + $step = Integer(hiera('step')), +) { + + if $step >= 2 { + # When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique + # https://bugzilla.redhat.com/show_bug.cgi?id=1244328 + ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' }) + exec { 'reset-iscsi-initiator-name': + command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi', + onlyif => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset', + before => File['/etc/iscsi/.initiator_reset'], + require => Package['iscsi-initiator-utils'], + tag => 'iscsid_config' + } + file { '/etc/iscsi/.initiator_reset': + ensure => present, + } + } +} diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 91a660c..47b5276 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -347,5 +347,8 @@ class tripleo::profile::base::keystone ( if hiera('novajoin_enabled', false) { include ::nova::metadata::novajoin::auth } + if hiera('veritas_hyperscale_controller_enabled', false) { + include ::veritas_hyperscale::hs_keystone + } } } diff --git a/manifests/profile/base/lvm.pp b/manifests/profile/base/lvm.pp new file mode 100644 index 0000000..91810ce --- /dev/null +++ b/manifests/profile/base/lvm.pp @@ -0,0 +1,40 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::lvm +# +# LVM profile for tripleo +# +# === Parameters +# +# [*enable_udev*] +# (Optional) Whether to enable udev usage by LVM. +# Defaults to true +# +class tripleo::profile::base::lvm ( + $enable_udev = true, +) { + + if $enable_udev { + $udev_options_value = 1 + } else { + $udev_options_value = 0 + } + augeas {'udev options in lvm.conf': + context => '/files/etc/lvm/lvm.conf/activation/dict/', + changes => ["set udev_sync/int ${udev_options_value}", + "set udev_rules/int ${udev_options_value}"], + } + +} diff --git a/manifests/profile/base/mistral/api.pp b/manifests/profile/base/mistral/api.pp index 2ea5c9a..b5ca85e 100644 --- a/manifests/profile/base/mistral/api.pp +++ b/manifests/profile/base/mistral/api.pp @@ -56,9 +56,9 @@ class tripleo::profile::base::mistral::api ( $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { - $sync_db = true + $is_bootstrap = true } else { - $sync_db = false + $is_bootstrap = false } include ::tripleo::profile::base::mistral @@ -74,7 +74,7 @@ class tripleo::profile::base::mistral::api ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::mistral::api include ::apache::mod::ssl class { '::mistral::wsgi::apache': diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp index 5d25ae2..7a35b6b 100644 --- a/manifests/profile/base/neutron/opendaylight.pp +++ b/manifests/profile/base/neutron/opendaylight.pp @@ -28,12 +28,12 @@ # # [*node_name*] # (Optional) The short hostname of node -# Defaults to hiera('bootstack_nodeid') +# Defaults to hiera('bootstrap_nodeid') # class tripleo::profile::base::neutron::opendaylight ( $step = Integer(hiera('step')), $odl_api_ips = hiera('opendaylight_api_node_ips'), - $node_name = hiera('bootstack_nodeid') + $node_name = hiera('bootstrap_nodeid') ) { if $step >= 1 { diff --git a/manifests/profile/base/neutron/opendaylight/create_cluster.pp b/manifests/profile/base/neutron/opendaylight/create_cluster.pp index c3e4f7f..94cd898 100644 --- a/manifests/profile/base/neutron/opendaylight/create_cluster.pp +++ b/manifests/profile/base/neutron/opendaylight/create_cluster.pp @@ -28,11 +28,11 @@ # # [*node_name*] # (Optional) The short hostname of node -# Defaults to hiera('bootstack_nodeid') +# Defaults to hiera('bootstrap_nodeid') # class tripleo::profile::base::neutron::opendaylight::create_cluster ( $odl_api_ips = hiera('opendaylight_api_node_ips'), - $node_name = hiera('bootstack_nodeid') + $node_name = hiera('bootstrap_nodeid') ) { tripleo::profile::base::neutron::opendaylight::configure_cluster {'ODL cluster': diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp index 0dee53e..60ef443 100644 --- a/manifests/profile/base/neutron/server.pp +++ b/manifests/profile/base/neutron/server.pp @@ -113,10 +113,7 @@ class tripleo::profile::base::neutron::server ( $l3_ha = false } - # We start neutron-server on the bootstrap node first, because - # it will try to populate tables and we need to make sure this happens - # before it starts on other nodes - if $step >= 4 and $sync_db or $step >= 5 and !$sync_db { + if $step >= 4 or ($step >= 3 and $sync_db) { if $enable_internal_tls { if !$neutron_network { fail('neutron_api_network is not set in the hieradata.') @@ -130,9 +127,14 @@ class tripleo::profile::base::neutron::server ( port => $tls_proxy_port, tls_cert => $tls_certfile, tls_key => $tls_keyfile, - notify => Class['::neutron::server'], } + Tripleo::Tls_proxy['neutron-api'] ~> Anchor<| title == 'neutron::service::begin' |> } + } + # We start neutron-server on the bootstrap node first, because + # it will try to populate tables and we need to make sure this happens + # before it starts on other nodes + if $step >= 4 and $sync_db or $step >= 5 and !$sync_db { include ::neutron::server::notifications # We need to override the hiera value neutron::server::sync_db which is set diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 65e8ebc..eb6856f 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -22,14 +22,6 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # -# [*libvirt_enabled*] -# (Optional) Whether or not Libvirt is enabled. -# Defaults to false -# -# [*manage_migration*] -# (Optional) Whether or not manage Nova Live migration -# Defaults to false -# # [*oslomsg_rpc_proto*] # Protocol driver for the oslo messaging rpc service # Defaults to hiera('messaging_rpc_service_name', rabbit) @@ -74,65 +66,43 @@ # Enable ssl oslo messaging services # Defaults to hiera('nova::rabbit_use_ssl', '0') # -# [*nova_compute_enabled*] -# (Optional) Whether or not nova-compute is enabled. -# Defaults to false -# # [*step*] # (Optional) The current step of the deployment # Defaults to hiera('step') # -# [*migration_ssh_key*] -# (Optional) SSH key pair for migration SSH tunnel. -# Expects a hash with keys 'private_key' and 'public_key'. -# Defaults to {} -# -# [*migration_ssh_localaddrs*] -# (Optional) Restrict ssh migration to clients connecting via this list of -# IPs. -# Defaults to [] (no restriction) -# -# [*libvirt_tls*] -# (Optional) Whether or not libvird TLS service is enabled. -# Defaults to false +# [*memcached_ips*] +# (Optional) Array of ipv4 or ipv6 addresses for memcache. +# Defaults to hiera('memcached_node_ips') class tripleo::profile::base::nova ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $libvirt_enabled = false, - $manage_migration = false, - $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), - $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), - $oslomsg_rpc_password = hiera('nova::rabbit_password'), - $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'), - $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'), - $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'), - $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)), - $oslomsg_notify_password = hiera('nova::rabbit_password'), - $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'), - $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'), - $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), - $nova_compute_enabled = false, - $step = Integer(hiera('step')), - $migration_ssh_key = {}, - $migration_ssh_localaddrs = [], - $libvirt_tls = false + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), + $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $oslomsg_rpc_password = hiera('nova::rabbit_password'), + $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'), + $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'), + $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'), + $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $oslomsg_notify_password = hiera('nova::rabbit_password'), + $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'), + $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'), + $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), + $step = Integer(hiera('step')), + $memcached_ips = hiera('memcached_node_ips'), ) { + if $::hostname == downcase($bootstrap_node) { $sync_db = true } else { $sync_db = false } - if hiera('nova::use_ipv6', false) { - $memcache_servers = suffix(hiera('memcached_node_ips_v6'), ':11211') + if is_ipv6_address($memcached_ips[0]) { + $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211'), 'inet6:') } else { - $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211') + $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') } - validate_array($migration_ssh_localaddrs) - $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) } - $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs) - if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) include ::nova::config @@ -161,102 +131,4 @@ class tripleo::profile::base::nova ( } include ::nova::placement } - - if $step >= 4 { - if $manage_migration { - # Libvirt setup (live-migration) - if $libvirt_tls { - class { '::nova::migration::libvirt': - transport => 'tls', - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, - } - } else { - # Reuse the cold-migration SSH tunnel when TLS is not enabled - class { '::nova::migration::libvirt': - transport => 'ssh', - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, - client_user => 'nova_migration', - client_extraparams => {'keyfile' => '/etc/nova/migration/identity'} - } - } - - $services_enabled = hiera('service_names', []) - if !empty($migration_ssh_key) and 'sshd' in $services_enabled { - # Nova SSH tunnel setup (cold-migration) - - # Server side - if !empty($migration_ssh_localaddrs_real) { - $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,',')) - $deny_type = 'LocalAddress' - $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!')) - - ssh::server::match_block { 'nova_migration deny': - name => $deny_name, - type => $deny_type, - order => 2, - options => { - 'DenyUsers' => 'nova_migration' - }, - notify => Service['sshd'] - } - } - else { - $allow_type = 'User' - } - $allow_name = 'nova_migration' - - ssh::server::match_block { 'nova_migration allow': - name => $allow_name, - type => $allow_type, - order => 1, - options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - }, - notify => Service['sshd'] - } - - $migration_authorized_keys = $migration_ssh_key['public_key'] - $migration_identity = $migration_ssh_key['private_key'] - $migration_user_shell = '/bin/bash' - } - else { - # Remove the keys and prevent login when migration over SSH is not enabled - $migration_authorized_keys = '# Migration over SSH disabled by TripleO' - $migration_identity = '# Migration over SSH disabled by TripleO' - $migration_user_shell = '/sbin/nologin' - } - - package { 'openstack-nova-migration': - ensure => present, - tag => ['openstack', 'nova-package'], - } - - file { '/etc/nova/migration/authorized_keys': - content => $migration_authorized_keys, - mode => '0640', - owner => 'root', - group => 'nova_migration', - require => Package['openstack-nova-migration'] - } - - file { '/etc/nova/migration/identity': - content => $migration_identity, - mode => '0600', - owner => 'nova', - group => 'nova', - require => Package['openstack-nova-migration'] - } - - user {'nova_migration': - shell => $migration_user_shell, - require => Package['openstack-nova-migration'] - } - } - } } diff --git a/manifests/profile/base/nova/authtoken.pp b/manifests/profile/base/nova/authtoken.pp index d8285ba..7eb37bc 100644 --- a/manifests/profile/base/nova/authtoken.pp +++ b/manifests/profile/base/nova/authtoken.pp @@ -21,34 +21,22 @@ # for more details. # Defaults to hiera('step') # -# [*use_ipv6*] -# (Optional) Flag indicating if ipv6 should be used for caching -# Defaults to hiera('nova::use_ipv6', false) -# -# [*memcache_nodes_ipv6*] -# (Optional) Array of ipv6 addresses for memcache. Used if use_ipv6 is true. -# Defaults to hiera('memcached_node_ipvs_v6', ['::1']) -# -# [*memcache_nodes_ipv4*] -# (Optional) Array of ipv4 addresses for memcache. Used by default unless -# use_ipv6 is set to true. -# Defaults to hiera('memcached_node_ips', ['127.0.0.1']) +# [*memcached_ips*] +# (Optional) Array of ipv4 or ipv6 addresses for memcache. +# Defaults to hiera('memcached_node_ips') # class tripleo::profile::base::nova::authtoken ( $step = Integer(hiera('step')), - $use_ipv6 = hiera('nova::use_ipv6', false), - $memcache_nodes_ipv6 = hiera('memcached_node_ips_v6', ['::1']), - $memcache_nodes_ipv4 = hiera('memcached_node_ips', ['127.0.0.1']), + $memcached_ips = hiera('memcached_node_ips'), ) { if $step >= 3 { - $memcached_ips = $use_ipv6 ? { - true => $memcache_nodes_ipv6, - default => $memcache_nodes_ipv4 + if is_ipv6_address($memcached_ips[0]) { + $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211'), 'inet6:') + } else { + $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') } - $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') - class { '::nova::keystone::authtoken': memcached_servers => $memcache_servers } diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index bd50204..3eae880 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -45,19 +45,6 @@ class tripleo::profile::base::nova::compute ( # deploy bits to connect nova compute to neutron include ::nova::network::neutron - - # When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique - # https://bugzilla.redhat.com/show_bug.cgi?id=1244328 - ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' }) - exec { 'reset-iscsi-initiator-name': - command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi', - onlyif => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset', - before => File['/etc/iscsi/.initiator_reset'], - require => Package['iscsi-initiator-utils'], - } - file { '/etc/iscsi/.initiator_reset': - ensure => present, - } } # If NFS is used as a Cinder backend diff --git a/manifests/profile/base/nova/compute/libvirt.pp b/manifests/profile/base/nova/compute/libvirt.pp index ec592cb..8a7c4d6 100644 --- a/manifests/profile/base/nova/compute/libvirt.pp +++ b/manifests/profile/base/nova/compute/libvirt.pp @@ -28,16 +28,13 @@ class tripleo::profile::base::nova::compute::libvirt ( ) { if $step >= 4 { include ::tripleo::profile::base::nova::compute + include ::tripleo::profile::base::nova::migration::client # Ceph + Libvirt $rbd_ephemeral_storage = hiera('nova::compute::rbd::ephemeral_storage', false) $rbd_persistent_storage = hiera('rbd_persistent_storage', false) if $rbd_ephemeral_storage or $rbd_persistent_storage { - $client_keys = hiera('ceph::profile::params::client_keys') - $client_user = join(['client.', hiera('nova::compute::rbd::libvirt_rbd_user')]) - class { '::nova::compute::rbd': - libvirt_rbd_secret_key => $client_keys[$client_user]['secret'], - } + include ::nova::compute::rbd } if $rbd_ephemeral_storage { diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp index b639858..06baa39 100644 --- a/manifests/profile/base/nova/libvirt.pp +++ b/manifests/profile/base/nova/libvirt.pp @@ -28,6 +28,7 @@ class tripleo::profile::base::nova::libvirt ( ) { if $step >= 4 { include ::tripleo::profile::base::nova + include ::tripleo::profile::base::nova::migration::client include ::nova::compute::libvirt::services file { ['/etc/libvirt/qemu/networks/autostart/default.xml', diff --git a/manifests/profile/base/nova/migration.pp b/manifests/profile/base/nova/migration.pp new file mode 100644 index 0000000..0c4c844 --- /dev/null +++ b/manifests/profile/base/nova/migration.pp @@ -0,0 +1,35 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::migration +# +# Nova migration profile for tripleo, common to both client and target. +# +# === Parameters +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# + +class tripleo::profile::base::nova::migration ( + $step = Integer(hiera('step')), +) { + if $step >= 3 { + package { 'openstack-nova-migration': + ensure => present, + tag => ['openstack', 'nova-package'], + } + } +} diff --git a/manifests/profile/base/nova/migration/client.pp b/manifests/profile/base/nova/migration/client.pp new file mode 100644 index 0000000..12b83dc --- /dev/null +++ b/manifests/profile/base/nova/migration/client.pp @@ -0,0 +1,100 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::migration +# +# Nova migration client profile for tripleo +# +# === Parameters +# +# [*libvirt_enabled*] +# (Optional) Whether or not Libvirt is enabled. +# Defaults to false +# +# [*nova_compute_enabled*] +# (Optional) Whether or not nova-compute is enabled. +# Defaults to false +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# +# [*ssh_private_key*] +# (Optional) SSH private_key for migration SSH tunnel. +# Defaults to '' +# +# [*ssh_port*] +# (Optional) Port that SSH target services is listening on. +# Defaults to 22 +# +# [*libvirt_tls*] +# (Optional) Whether or not libvird TLS service is enabled. +# Defaults to false + +class tripleo::profile::base::nova::migration::client ( + $libvirt_enabled = false, + $nova_compute_enabled = false, + $step = Integer(hiera('step')), + $ssh_private_key = '', + $ssh_port = 22, + $libvirt_tls = false, +) { + + include ::tripleo::profile::base::nova::migration + + if $step >= 4 { + + # Libvirt setup (live-migration) + if $libvirt_tls { + class { '::nova::migration::libvirt': + transport => 'tls', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + } + } else { + # Reuse the cold-migration SSH tunnel when TLS is not enabled + class { '::nova::migration::libvirt': + transport => 'ssh', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + client_user => 'nova_migration', + client_extraparams => {'keyfile' => '/etc/nova/migration/identity'}, + client_port => $ssh_port + } + } + + if !empty($ssh_private_key) { + # Nova SSH tunnel setup (cold-migration) + $migration_identity = $ssh_private_key + } + else { + $migration_identity = '# Migration over SSH disabled by TripleO' + } + + file { '/etc/nova/migration/identity': + content => $migration_identity, + mode => '0600', + owner => 'nova', + group => 'nova', + require => Package['openstack-nova-migration'] + } + + file_line { 'nova_ssh_port': + ensure => present, + path => '/var/lib/nova/.ssh/config', + after => '^Host \*$', + line => " Port ${ssh_port}", + } + } +} diff --git a/manifests/profile/base/nova/migration/target.pp b/manifests/profile/base/nova/migration/target.pp new file mode 100644 index 0000000..7c21028 --- /dev/null +++ b/manifests/profile/base/nova/migration/target.pp @@ -0,0 +1,120 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::migration::target +# +# Nova migration target profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# +# [*ssh_authorized_keys*] +# (Optional) List of SSH public keys authorized for migration. +# If no keys are provided then migration over ssh will be disabled. +# Defaults to [] +# +# [*ssh_localaddrs*] +# (Optional) Restrict ssh migration to clients connecting via this list of +# IPs. +# Defaults to [] (no restriction) +# +# [*services_enabled*] +# (Optional) List of services enabled on the current role. +# If the nova_migration_target service is not enabled then migration over +# ssh will be disabled. +# Defaults to hiera('service_names', []) + +class tripleo::profile::base::nova::migration::target ( + $step = Integer(hiera('step')), + $ssh_authorized_keys = [], + $ssh_localaddrs = [], + $services_enabled = hiera('service_names', []), +) { + + include ::tripleo::profile::base::nova::migration + + validate_array($ssh_localaddrs) + $ssh_localaddrs.each |$x| { validate_ip_address($x) } + $ssh_localaddrs_real = unique($ssh_localaddrs) + validate_array($ssh_authorized_keys) + $ssh_authorized_keys_real = join($ssh_authorized_keys, '\n') + + if $step >= 4 { + if !empty($ssh_authorized_keys_real) { + if ('nova_migration_target' in $services_enabled) { + if !empty($ssh_localaddrs_real) { + $allow_type = sprintf('LocalAddress %s User', join($ssh_localaddrs_real,',')) + $deny_type = 'LocalAddress' + $deny_name = sprintf('!%s', join($ssh_localaddrs_real,',!')) + + ssh::server::match_block { 'nova_migration deny': + name => $deny_name, + type => $deny_type, + order => 2, + options => { + 'DenyUsers' => 'nova_migration' + }, + notify => Service['sshd'] + } + } + else { + $allow_type = 'User' + } + $allow_name = 'nova_migration' + + ssh::server::match_block { 'nova_migration allow': + name => $allow_name, + type => $allow_type, + order => 1, + options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + }, + notify => Service['sshd'] + } + $migration_authorized_keys = $ssh_authorized_keys_real + $migration_user_shell = '/bin/bash' + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' + } + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' + } + + file { '/etc/nova/migration/authorized_keys': + content => $migration_authorized_keys, + mode => '0640', + owner => 'root', + group => 'nova_migration', + require => Package['openstack-nova-migration'] + } + + user {'nova_migration': + shell => $migration_user_shell, + require => Package['openstack-nova-migration'] + } + } +} diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp index ac78287..48af39a 100644 --- a/manifests/profile/base/nova/placement.pp +++ b/manifests/profile/base/nova/placement.pp @@ -54,9 +54,9 @@ class tripleo::profile::base::nova::placement ( $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { - $sync_db = true + $is_bootstrap = true } else { - $sync_db = false + $is_bootstrap = false } include ::tripleo::profile::base::nova @@ -73,7 +73,7 @@ class tripleo::profile::base::nova::placement ( $tls_keyfile = undef } - if $step >= 3 { + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::apache::mod::ssl class { '::nova::wsgi::apache_placement': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/qdr.pp b/manifests/profile/base/qdr.pp index 37cf9e5..577f3d5 100644 --- a/manifests/profile/base/qdr.pp +++ b/manifests/profile/base/qdr.pp @@ -19,18 +19,22 @@ # === Parameters # # [*qdr_username*] -# Username for the qrouter daemon +# Username for the qdrouter daemon # Defaults to undef # # [*qdr_password*] -# Password for the qrouter daemon +# Password for the qdrouter daemon # Defaults to undef # # [*qdr_listener_port*] -# Port for the listener (not that we do not use qdr::listener_port +# Port for the listener (note that we do not use qdr::listener_port # directly because it requires a string and we have a number. # Defaults to hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672) # +# [*qdr_node_names*] +# Set of nodes for qdr mesh deployment setup +# Defaults to hiera('rabbitmq_node_names') +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -41,11 +45,69 @@ class tripleo::profile::base::qdr ( $qdr_password = undef, $qdr_listener_port = hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672), $step = Integer(hiera('step')), + $qdr_node_names = pick(hiera('qdr_node_names',undef),hiera('rabbitmq_node_names')), ) { if $step >= 1 { + # For multi-node deployments of the dispatch router, a mesh of + # inter-router links is created. Bi-directional links must + # not be configured. + # + # Example: For nodes A, B, C + # Node Inter-Router Link + # A: [] + # B: [A] + # C: [A,B] + # + # NB: puppet 4.8 introduces break(), which would be favord to + # the following + $connectors = $qdr_node_names.reduce([]) |$memo, $node| { + if $::hostname in $node { + $memo + true + } else { + if true in $memo { + $memo + } else { + $memo + [{'host' => $node, + 'role' => 'inter-router', + 'port' => '25672'}] + } + } + } - true + + $router_mode = size($qdr_node_names) ? { + 1 => 'standalone', + default => 'interior', + } + + $extra_listeners = size($qdr_node_names) ? { + 1 => [], + default => [{'host' => '0.0.0.0', + 'port' => '25672', + 'role' => 'inter-router'}], + } + + $extra_addresses = [{'prefix' => 'openstack.org/om/rpc/multicast', + 'distribution' => 'multicast'}, + {'prefix' => 'openstack.org/om/rpc/unicast', + 'distribution' => 'closest'}, + {'prefix' => 'openstack.org/om/rpc/anycast', + 'distribution' => 'balanced'}, + {'prefix' => 'openstack.org/om/notify/multicast', + 'distribution' => 'multicast'}, + {'prefix' => 'openstack.org/om/notify/unicast', + 'distribution' => 'closest'}, + {'prefix' => 'openstack.org/om/notify/anycast', + 'distribution' => 'balanced'}] + class { '::qdr': - listener_port => "${qdr_listener_port}", - } -> + listener_addr => '0.0.0.0', + listener_port => "${qdr_listener_port}", + router_mode => $router_mode, + connectors => $connectors, + extra_listeners => $extra_listeners, + extra_addresses => $extra_addresses, + } + qdr_user { $qdr_username: ensure => present, password => $qdr_password, diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index 8ab6049..d0b4a05 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -166,4 +166,7 @@ class tripleo::profile::base::rabbitmq ( } } + if $step >= 1 and hiera('veritas_hyperscale_controller_enabled', false) { + include ::veritas_hyperscale::hs_rabbitmq + } } diff --git a/manifests/profile/base/swift/dispersion.pp b/manifests/profile/base/swift/dispersion.pp new file mode 100644 index 0000000..44af463 --- /dev/null +++ b/manifests/profile/base/swift/dispersion.pp @@ -0,0 +1,33 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::swift::dispersion +# +# Swift dispersion profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::swift::dispersion ( + $step = Integer(hiera('step')), +) { + if $step >= 5 { + include ::swift::client + include ::swift::dispersion + } +} diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index b047c36..afb5fa6 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*ceilometer_enabled*] # Whether the ceilometer pipeline is enabled. # Defaults to true @@ -96,6 +100,7 @@ # defaults to 8080 # class tripleo::profile::base::swift::proxy ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $ceilometer_enabled = true, $ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'), $ceilometer_messaging_hosts = any2array(hiera('rabbitmq_node_names', undef)), @@ -113,7 +118,12 @@ class tripleo::profile::base::swift::proxy ( $tls_proxy_fqdn = undef, $tls_proxy_port = 8080, ) { - if $step >= 4 { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + if $step >= 4 or ($step >= 3 and $is_bootstrap) { if $enable_internal_tls { if !$swift_proxy_network { fail('swift_proxy_network is not set in the hieradata.') @@ -127,9 +137,11 @@ class tripleo::profile::base::swift::proxy ( port => $tls_proxy_port, tls_cert => $tls_certfile, tls_key => $tls_keyfile, - notify => Class['::swift::proxy'], } + Tripleo::Tls_proxy['swift-proxy-api'] ~> Anchor<| title == 'swift::service::begin' |> } + } + if $step >= 4 { $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") include ::swift::config include ::swift::proxy diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp index b9171b0..cd84d04 100644 --- a/manifests/profile/base/zaqar.pp +++ b/manifests/profile/base/zaqar.pp @@ -18,9 +18,17 @@ # # === Parameters # -# [*sync_db*] -# (Optional) Whether to run db sync -# Defaults to true +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*management_store*] +# (Optional) The management store for Zaqar. +# Defaults to 'mongodb' +# +# [*messaging_store*] +# (Optional) The messaging store for Zaqar. +# Defaults to 'mongodb' # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates @@ -28,27 +36,53 @@ # Defaults to hiera('step') # class tripleo::profile::base::zaqar ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $management_store = 'mongodb', + $messaging_store = 'mongodb', $step = Integer(hiera('step')), ) { - if $step >= 4 { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::zaqar - if str2bool(hiera('mongodb::server::ipv6', false)) { - $mongo_node_ips_with_port_prefixed = prefix(hiera('mongodb_node_ips'), '[') - $mongo_node_ips_with_port = suffix($mongo_node_ips_with_port_prefixed, ']:27017') - } else { - $mongo_node_ips_with_port = suffix(hiera('mongodb_node_ips'), ':27017') + if $messaging_store == 'mongodb' or $management_store == 'mongodb' { + if str2bool(hiera('mongodb::server::ipv6', false)) { + $mongo_node_ips_with_port_prefixed = prefix(hiera('mongodb_node_ips'), '[') + $mongo_node_ips_with_port = suffix($mongo_node_ips_with_port_prefixed, ']:27017') + } else { + $mongo_node_ips_with_port = suffix(hiera('mongodb_node_ips'), ':27017') + } + $mongodb_replset = hiera('mongodb::server::replset') + $mongo_node_string = join($mongo_node_ips_with_port, ',') + $mongo_database_connection = "mongodb://${mongo_node_string}/zaqar?replicaSet=${mongodb_replset}" } - $mongodb_replset = hiera('mongodb::server::replset') - $mongo_node_string = join($mongo_node_ips_with_port, ',') - $database_connection = "mongodb://${mongo_node_string}/zaqar?replicaSet=${mongodb_replset}" - class { '::zaqar::management::mongodb': - uri => $database_connection, + + if $messaging_store == 'swift' { + include ::zaqar::messaging::swift + } elsif $messaging_store == 'mongodb' { + class {'::zaqar::messaging::mongodb': + uri => $mongo_database_connection, + } + } else { + fail("unsupported Zaqar messaging_store set: ${messaging_store}") } - class {'::zaqar::messaging::mongodb': - uri => $database_connection, + + if $management_store == 'sqlalchemy' { + include ::zaqar::management::sqlalchemy + } elsif $management_store == 'mongodb' { + class { '::zaqar::management::mongodb': + uri => $mongo_database_connection, + } + } else { + fail("unsupported Zaqar management_store set: ${management_store}") } + include ::zaqar::transport::websocket include ::apache::mod::ssl include ::zaqar::transport::wsgi |