summaryrefslogtreecommitdiffstats
path: root/manifests/profile/base
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/profile/base')
-rw-r--r--manifests/profile/base/certmonger_user.pp6
-rw-r--r--manifests/profile/base/database/mysql.pp22
-rw-r--r--manifests/profile/base/docker.pp62
-rw-r--r--manifests/profile/base/nova/libvirt.pp17
-rw-r--r--manifests/profile/base/pacemaker.pp20
5 files changed, 56 insertions, 71 deletions
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 7a6559e..2ac4b6e 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -80,13 +80,16 @@ class tripleo::profile::base::certmonger_user (
unless empty($haproxy_certificates_specs) {
$reload_haproxy = ['systemctl reload haproxy']
Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
- Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
+ if defined(Class['::haproxy']) {
+ Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
+ }
} else {
$reload_haproxy = []
}
class { '::tripleo::certmonger::ca::crl' :
reload_cmds => $reload_haproxy,
}
+ Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']
include ::tripleo::certmonger::ca::libvirt
unless empty($apache_certificates_specs) {
@@ -98,6 +101,7 @@ class tripleo::profile::base::certmonger_user (
ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs)
}
unless empty($haproxy_certificates_specs) {
+ include ::tripleo::certmonger::haproxy_dirs
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 3bf41cf..7e7d68b 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -47,6 +47,10 @@
# limit for the mysql service.
# Defaults to false
#
+# [*innodb_buffer_pool_size*]
+# (Optional) Configure the size of the MySQL buffer pool.
+# Defaults to hiera('innodb_buffer_pool_size', undef)
+#
# [*manage_resources*]
# (Optional) Whether or not manage root user, root my.cnf, and service.
# Defaults to true
@@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql (
$certificate_specs = {},
$enable_internal_tls = hiera('enable_internal_tls', false),
$generate_dropin_file_limit = false,
+ $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef),
$manage_resources = true,
$mysql_server_options = {},
$mysql_max_connections = hiera('mysql_max_connections', undef),
@@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql (
# MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap
$mysql_server_default = {
'mysqld' => {
- 'bind-address' => $bind_address,
- 'max_connections' => $mysql_max_connections,
- 'open_files_limit' => '-1',
- 'innodb_file_per_table' => 'ON',
- 'ssl' => $enable_internal_tls,
- 'ssl-key' => $tls_keyfile,
- 'ssl-cert' => $tls_certfile,
- 'ssl-ca' => undef,
+ 'bind-address' => $bind_address,
+ 'max_connections' => $mysql_max_connections,
+ 'open_files_limit' => '-1',
+ 'innodb_buffer_pool_size' => $innodb_buffer_pool_size,
+ 'innodb_file_per_table' => 'ON',
+ 'ssl' => $enable_internal_tls,
+ 'ssl-key' => $tls_keyfile,
+ 'ssl-cert' => $tls_certfile,
+ 'ssl-ca' => undef,
}
}
$mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options)
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index e042947..d230366 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -32,7 +32,7 @@
# OPTIONS that are used to startup the docker service. NOTE:
# --selinux-enabled is dropped due to recommendations here:
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
-# Defaults to '--log-driver=journald --signature-verification=false'
+# Defaults to '--log-driver=journald --signature-verification=false --iptables=false'
#
# [*configure_storage*]
# Boolean. Whether to configure a docker storage backend. Defaults to true.
@@ -43,18 +43,6 @@
# [*step*]
# step defaults to hiera('step')
#
-# [*configure_libvirt_polkit*]
-# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
-# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
-#
-# [*docker_nova_uid*]
-# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
-# Defaults to 42436
-#
-# [*services_enabled*]
-# List of TripleO services enabled on the role.
-# Defaults to hiera('services_names')
-#
# DEPRECATED PARAMETERS
#
# [*docker_namespace*]
@@ -69,24 +57,15 @@
class tripleo::profile::base::docker (
$insecure_registry_address = undef,
$registry_mirror = false,
- $docker_options = '--log-driver=journald --signature-verification=false',
+ $docker_options = '--log-driver=journald --signature-verification=false --iptables=false',
$configure_storage = true,
$storage_options = '-s overlay2',
$step = Integer(hiera('step')),
- $configure_libvirt_polkit = undef,
- $docker_nova_uid = 42436,
- $services_enabled = hiera('service_names', []),
# DEPRECATED PARAMETERS
$docker_namespace = undef,
$insecure_registry = false,
) {
- if $configure_libvirt_polkit == undef {
- $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
- } else {
- $configure_libvirt_polkit_real = $configure_libvirt_polkit
- }
-
if $step >= 1 {
package {'docker':
ensure => installed,
@@ -176,41 +155,4 @@ class tripleo::profile::base::docker (
}
}
- if ($step >= 4 and $configure_libvirt_polkit_real) {
- # Workaround for polkit authorization for libvirtd socket on host
- #
- # This creates a local user with the kolla nova uid, and sets the polkit rule to
- # allow both it and the nova user from the nova rpms, should it exist (uid 162).
-
- group { 'docker_nova_group':
- name => 'docker_nova',
- gid => $docker_nova_uid
- }
- -> user { 'docker_nova_user':
- name => 'docker_nova',
- uid => $docker_nova_uid,
- gid => $docker_nova_uid,
- shell => '/sbin/nologin',
- comment => 'OpenStack Nova Daemons',
- groups => ['nobody']
- }
-
- # Similar to the polkit rule in the openstack-nova rpm spec
- # but allow both the 'docker_nova' and 'nova' user
- $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
-polkit.addRule(function(action, subject) {
- if (action.id == "org.libvirt.unix.manage" &&
- /^(docker_)?nova$/.test(subject.user)) {
- return polkit.Result.YES;
- }
-});
-'
- package {'polkit':
- ensure => installed,
- }
- -> file {'/etc/polkit-1/rules.d/50-nova.rules':
- content => $docker_nova_polkit_rule,
- mode => '0644'
- }
- }
}
diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp
index 83f0c38..6c865dc 100644
--- a/manifests/profile/base/nova/libvirt.pp
+++ b/manifests/profile/base/nova/libvirt.pp
@@ -23,8 +23,13 @@
# for more details.
# Defaults to hiera('step')
#
+# [*libvirtd_config*]
+# (Optional) Overrides for libvirtd config options
+# Default to {}
+#
class tripleo::profile::base::nova::libvirt (
$step = Integer(hiera('step')),
+ $libvirtd_config = {},
) {
include ::tripleo::profile::base::nova::compute_libvirt_shared
@@ -33,6 +38,18 @@ class tripleo::profile::base::nova::libvirt (
include ::tripleo::profile::base::nova::migration::client
include ::nova::compute::libvirt::services
+ $libvirtd_config_default = {
+ unix_sock_group => {value => '"libvirt"'},
+ auth_unix_ro => {value => '"none"'},
+ auth_unix_rw => {value => '"none"'},
+ unix_sock_ro_perms => {value => '"0777"'},
+ unix_sock_rw_perms => {value => '"0770"'}
+ }
+
+ class { '::nova::compute::libvirt::config':
+ libvirtd_config => merge($libvirtd_config_default, $libvirtd_config)
+ }
+
file { ['/etc/libvirt/qemu/networks/autostart/default.xml',
'/etc/libvirt/qemu/networks/default.xml']:
ensure => absent,
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index d468110..de7e069 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -63,6 +63,10 @@
# be set to 60s.
# Defaults to hiera('pacemaker_cluster_recheck_interval', undef)
#
+# [*encryption*]
+# (Optional) Whether or not to enable encryption of the pacemaker traffic
+# Defaults to true
+#
class tripleo::profile::base::pacemaker (
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
@@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker (
$remote_tries = hiera('pacemaker_remote_tries', 5),
$remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60),
$cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef),
+ $encryption = true,
) {
if count($remote_short_node_names) != count($remote_node_ips) {
@@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker (
$pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G'))
$corosync_ipv6 = str2bool(hiera('corosync_ipv6', false))
if $corosync_ipv6 {
- $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' }
+ $cluster_setup_extras_pre = {
+ '--token' => hiera('corosync_token_timeout', 1000),
+ '--ipv6' => ''
+ }
+ } else {
+ $cluster_setup_extras_pre = {
+ '--token' => hiera('corosync_token_timeout', 1000)
+ }
+ }
+
+ if $encryption {
+ $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'})
} else {
- $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) }
+ $cluster_setup_extras = $cluster_setup_extras_pre
}
class { '::pacemaker':
hacluster_pwd => hiera('hacluster_pwd'),