diff options
Diffstat (limited to 'manifests/profile/base')
-rw-r--r-- | manifests/profile/base/certmonger_user.pp | 6 | ||||
-rw-r--r-- | manifests/profile/base/database/mysql.pp | 22 | ||||
-rw-r--r-- | manifests/profile/base/docker.pp | 62 | ||||
-rw-r--r-- | manifests/profile/base/nova/libvirt.pp | 17 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 20 |
5 files changed, 56 insertions, 71 deletions
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 7a6559e..2ac4b6e 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -80,13 +80,16 @@ class tripleo::profile::base::certmonger_user ( unless empty($haproxy_certificates_specs) { $reload_haproxy = ['systemctl reload haproxy'] Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||> - Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + if defined(Class['::haproxy']) { + Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + } } else { $reload_haproxy = [] } class { '::tripleo::certmonger::ca::crl' : reload_cmds => $reload_haproxy, } + Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl'] include ::tripleo::certmonger::ca::libvirt unless empty($apache_certificates_specs) { @@ -98,6 +101,7 @@ class tripleo::profile::base::certmonger_user ( ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs) } unless empty($haproxy_certificates_specs) { + include ::tripleo::certmonger::haproxy_dirs ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 3bf41cf..7e7d68b 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -47,6 +47,10 @@ # limit for the mysql service. # Defaults to false # +# [*innodb_buffer_pool_size*] +# (Optional) Configure the size of the MySQL buffer pool. +# Defaults to hiera('innodb_buffer_pool_size', undef) +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql ( $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $generate_dropin_file_limit = false, + $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef), $manage_resources = true, $mysql_server_options = {}, $mysql_max_connections = hiera('mysql_max_connections', undef), @@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql ( # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap $mysql_server_default = { 'mysqld' => { - 'bind-address' => $bind_address, - 'max_connections' => $mysql_max_connections, - 'open_files_limit' => '-1', - 'innodb_file_per_table' => 'ON', - 'ssl' => $enable_internal_tls, - 'ssl-key' => $tls_keyfile, - 'ssl-cert' => $tls_certfile, - 'ssl-ca' => undef, + 'bind-address' => $bind_address, + 'max_connections' => $mysql_max_connections, + 'open_files_limit' => '-1', + 'innodb_buffer_pool_size' => $innodb_buffer_pool_size, + 'innodb_file_per_table' => 'ON', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index e042947..d230366 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -32,7 +32,7 @@ # OPTIONS that are used to startup the docker service. NOTE: # --selinux-enabled is dropped due to recommendations here: # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html -# Defaults to '--log-driver=journald --signature-verification=false' +# Defaults to '--log-driver=journald --signature-verification=false --iptables=false' # # [*configure_storage*] # Boolean. Whether to configure a docker storage backend. Defaults to true. @@ -43,18 +43,6 @@ # [*step*] # step defaults to hiera('step') # -# [*configure_libvirt_polkit*] -# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host. -# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled -# -# [*docker_nova_uid*] -# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container. -# Defaults to 42436 -# -# [*services_enabled*] -# List of TripleO services enabled on the role. -# Defaults to hiera('services_names') -# # DEPRECATED PARAMETERS # # [*docker_namespace*] @@ -69,24 +57,15 @@ class tripleo::profile::base::docker ( $insecure_registry_address = undef, $registry_mirror = false, - $docker_options = '--log-driver=journald --signature-verification=false', + $docker_options = '--log-driver=journald --signature-verification=false --iptables=false', $configure_storage = true, $storage_options = '-s overlay2', $step = Integer(hiera('step')), - $configure_libvirt_polkit = undef, - $docker_nova_uid = 42436, - $services_enabled = hiera('service_names', []), # DEPRECATED PARAMETERS $docker_namespace = undef, $insecure_registry = false, ) { - if $configure_libvirt_polkit == undef { - $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled - } else { - $configure_libvirt_polkit_real = $configure_libvirt_polkit - } - if $step >= 1 { package {'docker': ensure => installed, @@ -176,41 +155,4 @@ class tripleo::profile::base::docker ( } } - if ($step >= 4 and $configure_libvirt_polkit_real) { - # Workaround for polkit authorization for libvirtd socket on host - # - # This creates a local user with the kolla nova uid, and sets the polkit rule to - # allow both it and the nova user from the nova rpms, should it exist (uid 162). - - group { 'docker_nova_group': - name => 'docker_nova', - gid => $docker_nova_uid - } - -> user { 'docker_nova_user': - name => 'docker_nova', - uid => $docker_nova_uid, - gid => $docker_nova_uid, - shell => '/sbin/nologin', - comment => 'OpenStack Nova Daemons', - groups => ['nobody'] - } - - # Similar to the polkit rule in the openstack-nova rpm spec - # but allow both the 'docker_nova' and 'nova' user - $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions -polkit.addRule(function(action, subject) { - if (action.id == "org.libvirt.unix.manage" && - /^(docker_)?nova$/.test(subject.user)) { - return polkit.Result.YES; - } -}); -' - package {'polkit': - ensure => installed, - } - -> file {'/etc/polkit-1/rules.d/50-nova.rules': - content => $docker_nova_polkit_rule, - mode => '0644' - } - } } diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp index 83f0c38..6c865dc 100644 --- a/manifests/profile/base/nova/libvirt.pp +++ b/manifests/profile/base/nova/libvirt.pp @@ -23,8 +23,13 @@ # for more details. # Defaults to hiera('step') # +# [*libvirtd_config*] +# (Optional) Overrides for libvirtd config options +# Default to {} +# class tripleo::profile::base::nova::libvirt ( $step = Integer(hiera('step')), + $libvirtd_config = {}, ) { include ::tripleo::profile::base::nova::compute_libvirt_shared @@ -33,6 +38,18 @@ class tripleo::profile::base::nova::libvirt ( include ::tripleo::profile::base::nova::migration::client include ::nova::compute::libvirt::services + $libvirtd_config_default = { + unix_sock_group => {value => '"libvirt"'}, + auth_unix_ro => {value => '"none"'}, + auth_unix_rw => {value => '"none"'}, + unix_sock_ro_perms => {value => '"0777"'}, + unix_sock_rw_perms => {value => '"0770"'} + } + + class { '::nova::compute::libvirt::config': + libvirtd_config => merge($libvirtd_config_default, $libvirtd_config) + } + file { ['/etc/libvirt/qemu/networks/autostart/default.xml', '/etc/libvirt/qemu/networks/default.xml']: ensure => absent, diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index d468110..de7e069 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -63,6 +63,10 @@ # be set to 60s. # Defaults to hiera('pacemaker_cluster_recheck_interval', undef) # +# [*encryption*] +# (Optional) Whether or not to enable encryption of the pacemaker traffic +# Defaults to true +# class tripleo::profile::base::pacemaker ( $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), @@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker ( $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), + $encryption = true, ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker ( $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000), + '--ipv6' => '' + } + } else { + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000) + } + } + + if $encryption { + $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'}) } else { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) } + $cluster_setup_extras = $cluster_setup_extras_pre } class { '::pacemaker': hacluster_pwd => hiera('hacluster_pwd'), |