diff options
Diffstat (limited to 'manifests/profile/base')
40 files changed, 668 insertions, 114 deletions
diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 22fc000..5c539fc 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -68,6 +68,7 @@ class tripleo::profile::base::aodh::api ( if $step >= 3 { include ::aodh::api + include ::apache::mod::ssl class { '::aodh::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 71e4ea1..211e442 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -158,6 +158,7 @@ class tripleo::profile::base::barbican::api ( include ::barbican::api::logging include ::barbican::keystone::notification include ::barbican::quota + include ::apache::mod::ssl class { '::barbican::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/ceilometer.pp b/manifests/profile/base/ceilometer.pp index 2855bd2..a85be5d 100644 --- a/manifests/profile/base/ceilometer.pp +++ b/manifests/profile/base/ceilometer.pp @@ -104,5 +104,4 @@ class tripleo::profile::base::ceilometer ( } include ::ceilometer::config } - } diff --git a/manifests/profile/base/ceilometer/agent/notification.pp b/manifests/profile/base/ceilometer/agent/notification.pp index 7fe8e81..3fa139a 100644 --- a/manifests/profile/base/ceilometer/agent/notification.pp +++ b/manifests/profile/base/ceilometer/agent/notification.pp @@ -27,6 +27,7 @@ class tripleo::profile::base::ceilometer::agent::notification ( $step = hiera('step'), ) { include ::tripleo::profile::base::ceilometer + include ::tripleo::profile::base::ceilometer::upgrade if $step >= 4 { include ::ceilometer::agent::auth diff --git a/manifests/profile/base/ceilometer/agent/polling.pp b/manifests/profile/base/ceilometer/agent/polling.pp index 3706c2e..fedf035 100644 --- a/manifests/profile/base/ceilometer/agent/polling.pp +++ b/manifests/profile/base/ceilometer/agent/polling.pp @@ -51,6 +51,10 @@ class tripleo::profile::base::ceilometer::agent::polling ( ) { include ::tripleo::profile::base::ceilometer + if $central_namespace { + include ::tripleo::profile::base::ceilometer::upgrade + } + if $step >= 4 { include ::ceilometer::agent::auth class { '::ceilometer::agent::polling': @@ -60,5 +64,4 @@ class tripleo::profile::base::ceilometer::agent::polling ( coordination_url => join(['redis://:', $ceilometer_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']), } } - } diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 1080355..0176380 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -65,6 +65,7 @@ class tripleo::profile::base::ceilometer::api ( if $step >= 3 { include ::ceilometer::api + include ::apache::mod::ssl class { '::ceilometer::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/ceilometer/collector.pp b/manifests/profile/base/ceilometer/collector.pp index 6b58286..a2c1e29 100644 --- a/manifests/profile/base/ceilometer/collector.pp +++ b/manifests/profile/base/ceilometer/collector.pp @@ -84,13 +84,4 @@ class tripleo::profile::base::ceilometer::collector ( include ::ceilometer::collector include ::ceilometer::dispatcher::gnocchi } - - # Re-run ceilometer-upgrade again in step 5 so gnocchi resource types - # are created safely. - if $step >= 5 and $sync_db { - exec {'ceilometer-db-upgrade': - command => 'ceilometer-upgrade --skip-metering-database', - path => ['/usr/bin', '/usr/sbin'], - } - } } diff --git a/manifests/profile/base/ceilometer/upgrade.pp b/manifests/profile/base/ceilometer/upgrade.pp new file mode 100644 index 0000000..d0fc9be --- /dev/null +++ b/manifests/profile/base/ceilometer/upgrade.pp @@ -0,0 +1,49 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::ceilometer::upgrade +# +# Ceilometer upgrade profile for tripleo +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# + +class tripleo::profile::base::ceilometer::upgrade ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), +) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + # Run ceilometer-upgrade in step 5 so gnocchi resource types + # are created safely. + if $step >= 5 and $sync_db { + exec {'ceilometer-db-upgrade': + command => 'ceilometer-upgrade --skip-metering-database', + path => ['/usr/bin', '/usr/sbin'], + } + } +} diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 4d91ac9..4ba51ec 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -48,6 +48,11 @@ # it will create. # Defaults to hiera('libvirt_certificates_specs', {}). # +# [*mongodb_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('mongodb_certificate_specs',{}) +# # [*mysql_certificate_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -58,12 +63,19 @@ # it will create. # Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}). # +# [*etcd_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}). +# class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), + $mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), + $etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}), ) { include ::tripleo::certmonger::ca::libvirt @@ -81,10 +93,16 @@ class tripleo::profile::base::certmonger_user ( # existing and need to be refreshed if it changed. Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> } + unless empty($mongodb_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::mongodb', $mongodb_certificate_specs) + } unless empty($mysql_certificate_specs) { ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs) } unless empty($rabbitmq_certificate_specs) { ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs) } + unless empty($etcd_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs) + } } diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index c432fd6..2fd9a65 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -76,6 +76,7 @@ class tripleo::profile::base::cinder::api ( if $step >= 4 or ($step >= 3 and $sync_db) { include ::cinder::api + include ::apache::mod::ssl class { '::cinder::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/cinder/volume/dellsc.pp b/manifests/profile/base/cinder/volume/dellsc.pp index ab6bbeb..a60eadf 100644 --- a/manifests/profile/base/cinder/volume/dellsc.pp +++ b/manifests/profile/base/cinder/volume/dellsc.pp @@ -35,16 +35,20 @@ class tripleo::profile::base::cinder::volume::dellsc ( if $step >= 4 { cinder::backend::dellsc_iscsi { $backend_name : - san_ip => hiera('cinder::backend::dellsc_iscsi::san_ip', undef), - san_login => hiera('cinder::backend::dellsc_iscsi::san_login', undef), - san_password => hiera('cinder::backend::dellsc_iscsi::san_password', undef), - dell_sc_ssn => hiera('cinder::backend::dellsc_iscsi::dell_sc_ssn', undef), - iscsi_ip_address => hiera('cinder::backend::dellsc_iscsi::iscsi_ip_address', undef), - iscsi_port => hiera('cinder::backend::dellsc_iscsi::iscsi_port', undef), - dell_sc_api_port => hiera('cinder::backend::dellsc_iscsi::dell_sc_api_port', undef), - dell_sc_server_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_server_folder', undef), - dell_sc_volume_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_volume_folder', undef), - excluded_domain_ip => hiera('cinder::backend::dellsc_iscsi::excluded_domain_ip', undef), + san_ip => hiera('cinder::backend::dellsc_iscsi::san_ip', undef), + san_login => hiera('cinder::backend::dellsc_iscsi::san_login', undef), + san_password => hiera('cinder::backend::dellsc_iscsi::san_password', undef), + dell_sc_ssn => hiera('cinder::backend::dellsc_iscsi::dell_sc_ssn', undef), + iscsi_ip_address => hiera('cinder::backend::dellsc_iscsi::iscsi_ip_address', undef), + iscsi_port => hiera('cinder::backend::dellsc_iscsi::iscsi_port', undef), + dell_sc_api_port => hiera('cinder::backend::dellsc_iscsi::dell_sc_api_port', undef), + dell_sc_server_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_server_folder', undef), + dell_sc_volume_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_volume_folder', undef), + excluded_domain_ip => hiera('cinder::backend::dellsc_iscsi::excluded_domain_ip', undef), + secondary_san_ip => hiera('cinder::backend::dellsc_iscsi::secondary_san_ip', undef), + secondary_san_login => hiera('cinder::backend::dellsc_iscsi::secondary_san_login', undef), + secondary_san_password => hiera('cinder::backend::dellsc_iscsi::secondary_san_password', undef), + secondary_sc_api_port => hiera('cinder::backend::dellsc_iscsi::secondary_sc_api_port', undef), } } diff --git a/manifests/profile/base/cinder/volume/netapp.pp b/manifests/profile/base/cinder/volume/netapp.pp index fc652c9..43978da 100644 --- a/manifests/profile/base/cinder/volume/netapp.pp +++ b/manifests/profile/base/cinder/volume/netapp.pp @@ -59,6 +59,8 @@ class tripleo::profile::base::cinder::volume::netapp ( netapp_storage_pools => hiera('cinder::backend::netapp::netapp_storage_pools', undef), netapp_eseries_host_type => hiera('cinder::backend::netapp::netapp_eseries_host_type', undef), netapp_webservice_path => hiera('cinder::backend::netapp::netapp_webservice_path', undef), + nas_secure_file_operations => hiera('cinder::backend::netapp::nas_secure_file_operations', undef), + nas_secure_file_permissions => hiera('cinder::backend::netapp::nas_secure_file_permissions', undef), } } diff --git a/manifests/profile/base/cinder/volume/nfs.pp b/manifests/profile/base/cinder/volume/nfs.pp index 7b1f1b9..e384a79 100644 --- a/manifests/profile/base/cinder/volume/nfs.pp +++ b/manifests/profile/base/cinder/volume/nfs.pp @@ -29,6 +29,23 @@ # (Optional) List of mount options for the NFS share # Defaults to '' # +# [*cinder_nas_secure_file_operations*] +# (Optional) Allow network-attached storage systems to operate in a secure +# environment where root level access is not permitted. If set to False, +# access is as the root user and insecure. If set to True, access is not as +# root. If set to auto, a check is done to determine if this is a new +# installation: True is used if so, otherwise False. Default is auto. +# Defaults to $::os_service_default +# +# [*cinder_nas_secure_file_permissions*] +# (Optional) Set more secure file permissions on network-attached storage +# volume files to restrict broad other/world access. If set to False, +# volumes are created with open permissions. If set to True, volumes are +# created with permissions for the cinder user and group (660). If set to +# auto, a check is done to determine if this is a new installation: True is +# used if so, otherwise False. Default is auto. +# Defaults to $::os_service_default +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -36,9 +53,11 @@ # class tripleo::profile::base::cinder::volume::nfs ( $cinder_nfs_servers, - $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'), - $cinder_nfs_mount_options = '', - $step = hiera('step'), + $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'), + $cinder_nfs_mount_options = '', + $cinder_nas_secure_file_operations = $::os_service_default, + $cinder_nas_secure_file_permissions = $::os_service_default, + $step = hiera('step'), ) { include ::tripleo::profile::base::cinder::volume @@ -52,9 +71,11 @@ class tripleo::profile::base::cinder::volume::nfs ( package {'nfs-utils': } -> cinder::backend::nfs { $backend_name : - nfs_servers => $cinder_nfs_servers, - nfs_mount_options => $cinder_nfs_mount_options, - nfs_shares_config => '/etc/cinder/shares-nfs.conf', + nfs_servers => $cinder_nfs_servers, + nfs_mount_options => $cinder_nfs_mount_options, + nfs_shares_config => '/etc/cinder/shares-nfs.conf', + nas_secure_file_operations => $cinder_nas_secure_file_operations, + nas_secure_file_permissions => $cinder_nas_secure_file_permissions, } } diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index b4ac8ac..2dac028 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -199,6 +199,9 @@ class tripleo::profile::base::database::mysql ( if hiera('nova_placement_enabled', false) { include ::nova::db::mysql_placement } + if hiera('octavia_api_enabled', false) { + include ::octavia::db::mysql + } if hiera('sahara_api_enabled', false) { include ::sahara::db::mysql } diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp index 014ef35..3de1e97 100644 --- a/manifests/profile/base/database/mysql/client.pp +++ b/manifests/profile/base/database/mysql/client.pp @@ -35,6 +35,10 @@ # (Optional) Client IP address of the host that will be written in the mysql_read_default_file # Defaults to undef # +# [*ssl_ca*] +# (Optional) The SSL CA file to use to verify the MySQL server's certificate. +# Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -45,6 +49,7 @@ class tripleo::profile::base::database::mysql::client ( $mysql_read_default_file = '/etc/my.cnf.d/tripleo.cnf', $mysql_read_default_group = 'tripleo', $mysql_client_bind_address = undef, + $ssl_ca = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt', $step = hiera('step'), ) { if $step >= 1 { @@ -68,7 +73,7 @@ class tripleo::profile::base::database::mysql::client ( if $enable_ssl { $changes_ssl = [ "set ${mysql_read_default_group}/ssl '1'", - "set ${mysql_read_default_group}/ssl-ca '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'" + "set ${mysql_read_default_group}/ssl-ca '${ssl_ca}'" ] } else { $changes_ssl = [ diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index 4797d86..29f8b75 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -32,6 +32,18 @@ # Configure a registry-mirror in the /etc/docker/daemon.json file. # (defaults to false) # +# [*docker_options*] +# OPTIONS that are used to startup the docker service. NOTE: +# --selinux-enabled is dropped due to recommendations here: +# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html +# Defaults to '--log-driver=journald --signature-verification=false' +# +# [*configure_storage*] +# Boolean. Whether to configure a docker storage backend. Defaults to true. +# +# [*storage_options*] +# Storage options to configure. Defaults to '-s overlay2' +# # [*step*] # step defaults to hiera('step') # @@ -39,6 +51,9 @@ class tripleo::profile::base::docker ( $docker_namespace = undef, $insecure_registry = false, $registry_mirror = false, + $docker_options = '--log-driver=journald --signature-verification=false', + $configure_storage = true, + $storage_options = '-s overlay2', $step = hiera('step'), ) { if $step >= 1 { @@ -57,9 +72,11 @@ class tripleo::profile::base::docker ( fail('You must provide a $docker_namespace in order to configure insecure registry') } $namespace = strip($docker_namespace.split('/')[0]) - $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", ] + $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", + "set OPTIONS '\"${docker_options}\"'" ] } else { - $changes = [ 'rm INSECURE_REGISTRY', ] + $changes = [ 'rm INSECURE_REGISTRY', + "set OPTIONS '\"${docker_options}\"'" ] } augeas { 'docker-sysconfig': @@ -79,12 +96,37 @@ class tripleo::profile::base::docker ( $mirror_changes = [ 'rm dict/entry[. = "registry-mirrors"]', ] } + file { '/etc/docker/daemon.json': + ensure => 'present', + content => '{}', + mode => '0644', + replace => false, + require => Package['docker'] + } + augeas { 'docker-daemon.json': lens => 'Json.lns', incl => '/etc/docker/daemon.json', changes => $mirror_changes, subscribe => Package['docker'], notify => Service['docker'], + require => File['/etc/docker/daemon.json'], + } + if $configure_storage { + if $storage_options == undef { + fail('You must provide a $storage_options in order to configure storage') + } + $storage_changes = [ "set DOCKER_STORAGE_OPTIONS '\" ${storage_options}\"'", ] + } else { + $storage_changes = [ 'rm DOCKER_STORAGE_OPTIONS', ] + } + + augeas { 'docker-sysconfig-storage': + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/docker-storage', + changes => $storage_changes, + notify => Service['docker'], + require => Package['docker'], } } diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp index c29c937..9f5d180 100644 --- a/manifests/profile/base/etcd.pp +++ b/manifests/profile/base/etcd.pp @@ -34,26 +34,63 @@ # (Optional) Array of host(s) for etcd nodes. # Defaults to hiera('etcd_node_ips', []). # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'etcd' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::etcd::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "etcd/<overcloud controller fqdn>" +# Defaults to {}. +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::etcd ( - $bind_ip = '127.0.0.1', - $client_port = '2379', - $peer_port = '2380', - $nodes = hiera('etcd_node_names', []), - $step = hiera('step'), + $bind_ip = '127.0.0.1', + $client_port = '2379', + $peer_port = '2380', + $nodes = hiera('etcd_node_names', []), + $certificate_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), + $step = hiera('step'), ) { + + validate_hash($certificate_specs) + + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + $protocol = 'https' + } else { + $tls_certfile = undef + $tls_keyfile = undef + $protocol = 'http' + } + if $step >= 2 { class {'::etcd': - listen_client_urls => "http://${bind_ip}:${client_port}", - advertise_client_urls => "http://${bind_ip}:${client_port}", - listen_peer_urls => "http://${bind_ip}:${peer_port}", - initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}", - initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"), + listen_client_urls => "${protocol}://${bind_ip}:${client_port}", + advertise_client_urls => "${protocol}://${bind_ip}:${client_port}", + listen_peer_urls => "${protocol}://${bind_ip}:${peer_port}", + initial_advertise_peer_urls => "${protocol}://${bind_ip}:${peer_port}", + initial_cluster => regsubst($nodes, '.+', "\\0=${protocol}://\\0:${peer_port}"), proxy => 'off', + cert_file => $tls_certfile, + key_file => $tls_keyfile, + client_cert_auth => $enable_internal_tls, + peer_cert_file => $tls_certfile, + peer_key_file => $tls_keyfile, + peer_client_cert_auth => $enable_internal_tls, } } } diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp index ce04abf..a4e9a30 100644 --- a/manifests/profile/base/gnocchi/api.pp +++ b/manifests/profile/base/gnocchi/api.pp @@ -47,6 +47,14 @@ # This is set by t-h-t. # Defaults to hiera('gnocchi_api_network', undef) # +# [*gnocchi_redis_password*] +# (Required) Password for the gnocchi redis user for the coordination url +# Defaults to hiera('gnocchi_redis_password') +# +# [*redis_vip*] +# (Required) Redis ip address for the coordination url +# Defaults to hiera('redis_vip') +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -58,6 +66,8 @@ class tripleo::profile::base::gnocchi::api ( $enable_internal_tls = hiera('enable_internal_tls', false), $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')), $gnocchi_network = hiera('gnocchi_api_network', undef), + $gnocchi_redis_password = hiera('gnocchi_redis_password'), + $redis_vip = hiera('redis_vip'), $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { @@ -85,6 +95,7 @@ class tripleo::profile::base::gnocchi::api ( if $step >= 3 { include ::gnocchi::api + include ::apache::mod::ssl class { '::gnocchi::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, @@ -93,7 +104,7 @@ class tripleo::profile::base::gnocchi::api ( if $step >= 4 { class { '::gnocchi::storage': - coordination_url => join(['redis://:', hiera('gnocchi_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/']), + coordination_url => join(['redis://:', $gnocchi_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']), } case $gnocchi_backend { 'swift': { include ::gnocchi::storage::swift } diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp index 8e2da7e..79eb77e 100644 --- a/manifests/profile/base/heat/api.pp +++ b/manifests/profile/base/heat/api.pp @@ -65,6 +65,7 @@ class tripleo::profile::base::heat::api ( if $step >= 3 { include ::heat::api + include ::apache::mod::ssl class { '::heat::wsgi::apache_api': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp index 02eb82a..dad7b76 100644 --- a/manifests/profile/base/heat/api_cfn.pp +++ b/manifests/profile/base/heat/api_cfn.pp @@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cfn ( if $step >= 3 { include ::heat::api_cfn + include ::apache::mod::ssl class { '::heat::wsgi::apache_api_cfn': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp index 558d247..428bcf2 100644 --- a/manifests/profile/base/heat/api_cloudwatch.pp +++ b/manifests/profile/base/heat/api_cloudwatch.pp @@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cloudwatch ( if $step >= 3 { include ::heat::api_cloudwatch + include ::apache::mod::ssl class { '::heat::wsgi::apache_api_cloudwatch': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp index 941c0bd..5ebf167 100644 --- a/manifests/profile/base/ironic/conductor.pp +++ b/manifests/profile/base/ironic/conductor.pp @@ -44,6 +44,7 @@ class tripleo::profile::base::ironic::conductor ( include ::ironic::drivers::drac include ::ironic::drivers::ilo include ::ironic::drivers::ipmi + include ::ironic::drivers::redfish # TODO: deprecated code cleanup, remove in Queens ironic_config { 'ssh/libvirt_uri': ensure => absent; diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 290abee..c7eea14 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -211,6 +211,7 @@ class tripleo::profile::base::keystone ( } include ::keystone::config + include ::apache::mod::ssl class { '::keystone::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, @@ -221,6 +222,12 @@ class tripleo::profile::base::keystone ( if $ldap_backend_enable { validate_hash($ldap_backends_config) + if !str2bool($::selinux) { + selboolean { 'authlogin_nsswitch_use_ldap': + value => on, + persistent => true, + } + } create_resources('::keystone::ldap_backend', $ldap_backends_config, { create_domain_entry => $manage_domain, }) @@ -337,5 +344,8 @@ class tripleo::profile::base::keystone ( if hiera('ec2_api_enabled', false) { include ::ec2api::keystone::auth } + if hiera('novajoin_enabled', false) { + include ::nova::metadata::novajoin::auth + } } } diff --git a/manifests/profile/base/mistral/api.pp b/manifests/profile/base/mistral/api.pp index 50708f1..4f81725 100644 --- a/manifests/profile/base/mistral/api.pp +++ b/manifests/profile/base/mistral/api.pp @@ -18,6 +18,27 @@ # # === Parameters # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*mistral_api_network*] +# (Optional) The network name where the mistral API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('mistral_api_network', undef) +# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') @@ -28,8 +49,11 @@ # Defaults to hiera('step') # class tripleo::profile::base::mistral::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $mistral_api_network = hiera('mistral_api_network', undef), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -39,8 +63,24 @@ class tripleo::profile::base::mistral::api ( include ::tripleo::profile::base::mistral - if $step >= 4 or ($step >= 3 and $sync_db) { + if $enable_internal_tls { + if !$mistral_api_network { + fail('mistral_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${mistral_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${mistral_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + + if $step >= 3 { include ::mistral::api + include ::apache::mod::ssl + class { '::mistral::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/neutron/agents/bigswitch.pp b/manifests/profile/base/neutron/agents/bigswitch.pp new file mode 100644 index 0000000..137dec0 --- /dev/null +++ b/manifests/profile/base/neutron/agents/bigswitch.pp @@ -0,0 +1,31 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::bigswitch +# +# Bigswitch Neutron agent profile +# +# === Parameters +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::bigswitch( + $step = hiera('step'), +) { + if $step >= 4 { + include ::neutron::agents::bigswitch + } +} diff --git a/manifests/profile/base/neutron/lbaas.pp b/manifests/profile/base/neutron/lbaas.pp new file mode 100644 index 0000000..a6e42ee --- /dev/null +++ b/manifests/profile/base/neutron/lbaas.pp @@ -0,0 +1,44 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::lbaas +# +# Neutron LBaaS Agent profile for tripleo +# +# === Parameters +# +# [*manage_haproxy_package*] +# (Optional) Whether to manage the haproxy package. +# Defaults to hiera('manage_haproxy_package', false) +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::lbaas( + $manage_haproxy_package = hiera('manage_haproxy_package', false), + $step = hiera('step'), +) { + + include ::tripleo::profile::base::neutron + + #LBaaS Driver needs to be run @ $step>=5 as the neutron service needs to already be active which is run @ $step==4 + if $step >= 5 { + include ::neutron::services::lbaas + class {'::neutron::agents::lbaas': + manage_haproxy_package => $manage_haproxy_package + } + } +} diff --git a/manifests/profile/base/neutron/linuxbridge.pp b/manifests/profile/base/neutron/linuxbridge.pp new file mode 100644 index 0000000..9f4899a --- /dev/null +++ b/manifests/profile/base/neutron/linuxbridge.pp @@ -0,0 +1,20 @@ +# == Class: tripleo::profile::base::neutron::linuxbridge +# +# Neutron linuxbridge agent profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templatee +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::linuxbridge( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 5 { + include ::neutron::agents::ml2::linuxbridge + } +} diff --git a/manifests/profile/base/neutron/ovs.pp b/manifests/profile/base/neutron/ovs.pp index bec7e96..97eb8e9 100644 --- a/manifests/profile/base/neutron/ovs.pp +++ b/manifests/profile/base/neutron/ovs.pp @@ -23,12 +23,27 @@ # for more details. # Defaults to hiera('step') # +# [*vhostuser_socket_dir*] +# (Optional) vhostuser socket dir, The directory where $vhostuser_socket_dir +# will be created with correct permissions, inorder to support vhostuser +# client mode. + class tripleo::profile::base::neutron::ovs( - $step = hiera('step'), + $step = hiera('step'), + $vhostuser_socket_dir = hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef) ) { include ::tripleo::profile::base::neutron if $step >= 5 { + if $vhostuser_socket_dir { + file { $vhostuser_socket_dir: + ensure => directory, + owner => 'qemu', + group => 'qemu', + mode => '0775', + } + } + include ::neutron::agents::ml2::ovs # Optional since manage_service may be false and neutron server may not be colocated. diff --git a/manifests/profile/base/neutron/plugins/ml2/bagpipe.pp b/manifests/profile/base/neutron/plugins/ml2/bagpipe.pp new file mode 100644 index 0000000..161cd75 --- /dev/null +++ b/manifests/profile/base/neutron/plugins/ml2/bagpipe.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Ricardo Noriega <rnoriega@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::plugins::ml2::bagpipe +# +# Neutron Bagpipe ML2 profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::plugins::ml2::bagpipe ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::plugins::ml2::bagpipe + } +} diff --git a/manifests/profile/base/neutron/plugins/nsx_v3.pp b/manifests/profile/base/neutron/plugins/nsx_v3.pp new file mode 100644 index 0000000..33fa0cf --- /dev/null +++ b/manifests/profile/base/neutron/plugins/nsx_v3.pp @@ -0,0 +1,45 @@ +# Copyright 2017 VMware, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::plugins::nsx_v3 +# +# VMware NSXv3 Neutron profile for tripleo +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::plugins::nsx_v3 ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), +) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + include ::tripleo::profile::base::neutron + + if $step >= 4 or ( $step >= 3 and $sync_db ) { + include ::neutron::plugins::nsx_v3 + } +} diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index ab9b615..d786940 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -87,29 +87,35 @@ # Expects a hash with keys 'private_key' and 'public_key'. # Defaults to {} # +# [*migration_ssh_localaddrs*] +# (Optional) Restrict ssh migration to clients connecting via this list of +# IPs. +# Defaults to [] (no restriction) +# # [*libvirt_tls*] # (Optional) Whether or not libvird TLS service is enabled. # Defaults to false class tripleo::profile::base::nova ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $libvirt_enabled = false, - $manage_migration = false, - $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), - $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), - $oslomsg_rpc_password = hiera('nova::rabbit_password'), - $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'), - $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'), - $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'), - $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)), - $oslomsg_notify_password = hiera('nova::rabbit_password'), - $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'), - $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'), - $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), - $nova_compute_enabled = false, - $step = hiera('step'), - $migration_ssh_key = {}, - $libvirt_tls = false + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $libvirt_enabled = false, + $manage_migration = false, + $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), + $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $oslomsg_rpc_password = hiera('nova::rabbit_password'), + $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'), + $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'), + $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'), + $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $oslomsg_notify_password = hiera('nova::rabbit_password'), + $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'), + $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'), + $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), + $nova_compute_enabled = false, + $step = hiera('step'), + $migration_ssh_key = {}, + $migration_ssh_localaddrs = [], + $libvirt_tls = false ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -123,6 +129,10 @@ class tripleo::profile::base::nova ( $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211') } + validate_array($migration_ssh_localaddrs) + $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) } + $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs) + if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) include ::nova::config @@ -131,10 +141,29 @@ class tripleo::profile::base::nova ( backend => 'oslo_cache.memcache_pool', memcache_servers => $memcache_servers, } + class { '::nova': + default_transport_url => os_transport_url({ + 'transport' => $oslomsg_rpc_proto, + 'hosts' => $oslomsg_rpc_hosts, + 'port' => $oslomsg_rpc_port, + 'username' => $oslomsg_rpc_username, + 'password' => $oslomsg_rpc_password, + 'ssl' => $oslomsg_use_ssl_real, + }), + notification_transport_url => os_transport_url({ + 'transport' => $oslomsg_notify_proto, + 'hosts' => $oslomsg_notify_hosts, + 'port' => $oslomsg_notify_port, + 'username' => $oslomsg_notify_username, + 'password' => $oslomsg_notify_password, + 'ssl' => $oslomsg_use_ssl_real, + }), + } include ::nova::placement + } - if $step >= 4 and $manage_migration { - + if $step >= 4 { + if $manage_migration { # Libvirt setup (live-migration) if $libvirt_tls { class { '::nova::migration::libvirt': @@ -148,57 +177,86 @@ class tripleo::profile::base::nova ( transport => 'ssh', configure_libvirt => $libvirt_enabled, configure_nova => $nova_compute_enabled, - client_user => 'nova', - client_extraparams => {'keyfile' => '/var/lib/nova/.ssh/id_rsa'} + client_user => 'nova_migration', + client_extraparams => {'keyfile' => '/etc/nova/migration/identity'} } } - if $migration_ssh_key != {} { + $services_enabled = hiera('service_names', []) + if !empty($migration_ssh_key) and 'sshd' in $services_enabled { # Nova SSH tunnel setup (cold-migration) - #TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands - user { 'nova': - ensure => present, - shell => '/bin/bash', - } + # Server side + if !empty($migration_ssh_localaddrs_real) { + $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,',')) + $deny_type = 'LocalAddress' + $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!')) - $private_key_parts = split($migration_ssh_key['public_key'], ' ') - $nova_public_key = { - type => $private_key_parts[0], - key => $private_key_parts[1] + ssh::server::match_block { 'nova_migration deny': + name => $deny_name, + type => $deny_type, + order => 2, + options => { + 'DenyUsers' => 'nova_migration' + }, + notify => Service['sshd'] + } } - $nova_private_key = { - type => $private_key_parts[0], - key => $migration_ssh_key['private_key'] + else { + $allow_type = 'User' } - } else { - $nova_public_key = undef - $nova_private_key = undef + $allow_name = 'nova_migration' + + ssh::server::match_block { 'nova_migration allow': + name => $allow_name, + type => $allow_type, + order => 1, + options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + }, + notify => Service['sshd'] + } + + $migration_authorized_keys = $migration_ssh_key['public_key'] + $migration_identity = $migration_ssh_key['private_key'] + $migration_user_shell = '/bin/bash' + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_identity = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' } - } else { - $nova_public_key = undef - $nova_private_key = undef - } - class { '::nova': - default_transport_url => os_transport_url({ - 'transport' => $oslomsg_rpc_proto, - 'hosts' => $oslomsg_rpc_hosts, - 'port' => $oslomsg_rpc_port, - 'username' => $oslomsg_rpc_username, - 'password' => $oslomsg_rpc_password, - 'ssl' => $oslomsg_use_ssl_real, - }), - notification_transport_url => os_transport_url({ - 'transport' => $oslomsg_notify_proto, - 'hosts' => $oslomsg_notify_hosts, - 'port' => $oslomsg_notify_port, - 'username' => $oslomsg_notify_username, - 'password' => $oslomsg_notify_password, - 'ssl' => $oslomsg_use_ssl_real, - }), - nova_public_key => $nova_public_key, - nova_private_key => $nova_private_key, + package { 'openstack-nova-migration': + ensure => present, + tag => ['openstack', 'nova-package'], + } + + file { '/etc/nova/migration/authorized_keys': + content => $migration_authorized_keys, + mode => '0640', + owner => 'root', + group => 'nova_migration', + require => Package['openstack-nova-migration'] + } + + file { '/etc/nova/migration/identity': + content => $migration_identity, + mode => '0600', + owner => 'nova', + group => 'nova', + require => Package['openstack-nova-migration'] + } + + user {'nova_migration': + shell => $migration_user_shell, + require => Package['openstack-nova-migration'] + } } } } diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 95a1721..bdb3007 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -94,6 +94,7 @@ class tripleo::profile::base::nova::api ( $tls_keyfile = undef } if $step >= 4 or ($step >= 3 and $sync_db) { + include ::apache::mod::ssl class { '::nova::wsgi::apache_api': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp index 16bfe17..c78b3c2 100644 --- a/manifests/profile/base/nova/placement.pp +++ b/manifests/profile/base/nova/placement.pp @@ -74,6 +74,7 @@ class tripleo::profile::base::nova::placement ( } if $step >= 3 { + include ::apache::mod::ssl class { '::nova::wsgi::apache_placement': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index c1d745a..811b911 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -136,6 +136,7 @@ class tripleo::profile::base::pacemaker ( remote_address => $remotes_hash[$title], reconnect_interval => $remote_reconnect_interval, op_params => "monitor interval=${remote_monitor_interval}", + verify_on_create => true, tries => $remote_tries, try_sleep => $remote_try_sleep, } diff --git a/manifests/profile/base/pacemaker_remote.pp b/manifests/profile/base/pacemaker_remote.pp index e0fff63..dfe0a3e 100644 --- a/manifests/profile/base/pacemaker_remote.pp +++ b/manifests/profile/base/pacemaker_remote.pp @@ -22,6 +22,14 @@ # Authkey for pacemaker remote nodes # Defaults to unset # +# [*pcs_tries*] +# (Optional) The number of times pcs commands should be retried. +# Defaults to hiera('pcs_tries', 20) +# +# [*enable_fencing*] +# (Optional) Whether or not to manage stonith devices for nodes +# Defaults to hiera('enable_fencing', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -29,9 +37,28 @@ # class tripleo::profile::base::pacemaker_remote ( $remote_authkey, + $pcs_tries = hiera('pcs_tries', 20), + $enable_fencing = hiera('enable_fencing', false), $step = hiera('step'), ) { class { '::pacemaker::remote': remote_authkey => $remote_authkey, } + $enable_fencing_real = str2bool($enable_fencing) and $step >= 5 + + class { '::pacemaker::stonith': + disable => !$enable_fencing_real, + tries => $pcs_tries, + } + + if $enable_fencing_real { + include ::tripleo::fencing + + # enable stonith after all Pacemaker resources have been created + Pcmk_resource<||> -> Class['tripleo::fencing'] + Pcmk_constraint<||> -> Class['tripleo::fencing'] + Exec <| tag == 'pacemaker_constraint' |> -> Class['tripleo::fencing'] + # enable stonith after all fencing devices have been created + Class['tripleo::fencing'] -> Class['pacemaker::stonith'] + } } diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp index 90e80a2..165969f 100644 --- a/manifests/profile/base/panko/api.pp +++ b/manifests/profile/base/panko/api.pp @@ -79,6 +79,7 @@ class tripleo::profile::base::panko::api ( class { '::panko::api': sync_db => $sync_db, } + include ::apache::mod::ssl class { '::panko::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/snmp.pp b/manifests/profile/base/snmp.pp index 301ac9a..d12e34d 100644 --- a/manifests/profile/base/snmp.pp +++ b/manifests/profile/base/snmp.pp @@ -42,7 +42,6 @@ class tripleo::profile::base::snmp ( authpass => $snmpd_password, } class { '::snmp': - agentaddress => ['udp:161','udp6:[::1]:161'], snmpd_config => [ join(['createUser ', $snmpd_user, ' MD5 "', $snmpd_password, '"']), join(['rouser ', $snmpd_user]), 'proc cron', diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp index 2b86032..3f0245d 100644 --- a/manifests/profile/base/sshd.pp +++ b/manifests/profile/base/sshd.pp @@ -27,14 +27,19 @@ # The text used within SSH Banner # Defaults to hiera('MOTD') # +# [*options*] +# Hash of SSHD options to set. See the puppet-ssh module documentation for +# details. +# Defaults to {} + class tripleo::profile::base::sshd ( $bannertext = hiera('BannerText', undef), $motd = hiera('MOTD', undef), + $options = {} ) { - include ::ssh::server - - if $bannertext { + if $bannertext and $bannertext != '' { + $sshd_options_banner = {'Banner' => '/etc/issue.net'} $filelist = [ '/etc/issue', '/etc/issue.net', ] file { $filelist: ensure => file, @@ -44,9 +49,12 @@ class tripleo::profile::base::sshd ( group => 'root', mode => '0644' } + } else { + $sshd_options_banner = {} } - if $motd { + if $motd and $motd != '' { + $sshd_options_motd = {'PrintMotd' => 'yes'} file { '/etc/motd': ensure => file, backup => false, @@ -55,5 +63,23 @@ class tripleo::profile::base::sshd ( group => 'root', mode => '0644' } + } else { + $sshd_options_motd = {} + } + + $sshd_options = merge( + $options, + $sshd_options_banner, + $sshd_options_motd + ) + + # NB (owalsh) in puppet-ssh hiera takes precedence over the class param + # we need to control this, so error if it's set in hiera + if hiera('ssh:server::options', undef) { + err('ssh:server::options must not be set, use tripleo::profile::base::sshd::options') + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => $sshd_options } } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index e80c8c9..4e0e568 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -127,7 +127,7 @@ class tripleo::profile::base::swift::proxy ( port => $tls_proxy_port, tls_cert => $tls_certfile, tls_key => $tls_keyfile, - notify => Class['::neutron::server'], + notify => Class['::swift::proxy'], } } $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp index 89a03ad..243dcc7 100644 --- a/manifests/profile/base/zaqar.pp +++ b/manifests/profile/base/zaqar.pp @@ -50,11 +50,15 @@ class tripleo::profile::base::zaqar ( uri => $database_connection, } include ::zaqar::transport::websocket + include ::apache::mod::ssl include ::zaqar::transport::wsgi # TODO (bcrochet): At some point, the transports should be split out to - # seperate services. - include ::zaqar::server + # separate services. + class { '::zaqar::server': + service_name => 'httpd', # TODO cleanup when passed by t-h-t. + } + include ::zaqar::wsgi::apache zaqar::server_instance{ '1': transport => 'websocket' } |