Diffstat (limited to 'manifests/profile/base')
-rw-r--r-- | manifests/profile/base/aodh/api.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/barbican/api.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/ceilometer/api.pp | 3 | ||||
-rw-r--r-- | manifests/profile/base/cinder/api.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/database/mongodb.pp | 11 | ||||
-rw-r--r-- | manifests/profile/base/gnocchi/api.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/keystone.pp | 5 | ||||
-rw-r--r-- | manifests/profile/base/nova.pp | 87 | ||||
-rw-r--r-- | manifests/profile/base/nova/api.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/nova/placement.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/panko/api.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/swift/ringbuilder.pp | 36 | ||||
-rw-r--r-- | manifests/profile/base/zaqar.pp | 1 |
13 files changed, 129 insertions, 21 deletions
diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 1c03059..a9c94f4 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -81,6 +81,7 @@ class tripleo::profile::base::aodh::api ( if $step >= 3 { include ::aodh::api + include ::apache::mod::ssl class { '::aodh::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index b464317..42ac8cd 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -99,6 +99,7 @@ class tripleo::profile::base::barbican::api ( include ::barbican::api::logging include ::barbican::keystone::notification include ::barbican::quota + include ::apache::mod::ssl class { '::barbican::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 6ef4748..468f79a 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -76,8 +76,9 @@ class tripleo::profile::base::ceilometer::api ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::ceilometer::api + include ::apache::mod::ssl class { '::ceilometer::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 450a8e6..ef5bd06 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -89,6 +89,7 @@ class tripleo::profile::base::cinder::api ( if $step >= 4 or ($step >= 3 and $sync_db) { include ::cinder::api + include ::apache::mod::ssl class { '::cinder::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/database/mongodb.pp b/manifests/profile/base/database/mongodb.pp index 8967f5b..4740d67 100644 
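Review bot: `include ::apache::mod::ssl` is added unconditionally ahead of `class { '::aodh::wsgi::apache'`, even though `ssl_cert` and `ssl_key` come from `$tls_certfile`/`$tls_keyfile`, which the ceilometer hunk shows can be `undef`; nothing here says why mod_ssl has to be loaded when TLS is off, and a one-line comment giving the reason would help. Because the class is included with its defaults, the protocol and cipher policy for these endpoints is whatever `apache::mod::ssl` resolves from hiera (`ssl_protocol`, `ssl_cipher`), so it is worth confirming that the deployment data pins them. The same include is repeated in the barbican, ceilometer, cinder, gnocchi, keystone, nova api, nova placement, panko and zaqar hunks. The enclosing class bodies continue outside these hunks.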
--- a/manifests/profile/base/database/mongodb.pp +++ b/manifests/profile/base/database/mongodb.pp @@ -30,10 +30,15 @@ # for more details. # Defaults to hiera('step') # +# [*memory_limit*] +# (Optional) Limit amount of memory mongodb can use +# Defaults to 20G +# class tripleo::profile::base::database::mongodb ( $mongodb_replset, $bootstrap_node = downcase(hiera('bootstrap_nodeid')), $step = hiera('step'), + $memory_limit = '20G', ) { if $step >= 2 { @@ -56,5 +61,11 @@ class tripleo::profile::base::database::mongodb ( } } + # Limit memory utilization + ::systemd::service_limits { 'mongod.service': + limits => { + 'MemoryLimit' => $memory_limit + } + } } } diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp index 6304a51..029eb99 100644 --- a/manifests/profile/base/gnocchi/api.pp +++ b/manifests/profile/base/gnocchi/api.pp @@ -98,6 +98,7 @@ class tripleo::profile::base::gnocchi::api ( if $step >= 3 { include ::gnocchi::api + include ::apache::mod::ssl class { '::gnocchi::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index bc8b4db..9aa3eb3 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -161,6 +161,7 @@ class tripleo::profile::base::keystone ( } include ::keystone::config + include ::apache::mod::ssl class { '::keystone::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, @@ -171,7 +172,9 @@ class tripleo::profile::base::keystone ( if $ldap_backend_enable { validate_hash($ldap_backends_config) - create_resources('::keystone::ldap_backend', $ldap_backends_config) + create_resources('::keystone::ldap_backend', $ldap_backends_config, { + create_domain_entry => $manage_domain, + }) } } diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index cb34521..b4330a9 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp 
@@ -62,6 +62,15 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # +# [*migration_ssh_key*] +# (Optional) SSH key pair for migration SSH tunnel. +# Expects a hash with keys 'private_key' and 'public_key'. +# Defaults to {} +# +# [*libvirt_tls*] +# (Optional) Whether or not libvird TLS service is enabled. +# Defaults to false + class tripleo::profile::base::nova ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $libvirt_enabled = false, @@ -74,6 +83,8 @@ class tripleo::profile::base::nova ( $messaging_use_ssl = hiera('nova::rabbit_use_ssl', '0'), $nova_compute_enabled = false, $step = hiera('step'), + $migration_ssh_key = {}, + $libvirt_tls = false ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -89,18 +100,6 @@ class tripleo::profile::base::nova ( if $step >= 4 or ($step >= 3 and $sync_db) { $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($messaging_use_ssl))) - # TODO(ccamacho): remove sprintf once we properly type the port, needs - # to be a string for the os_transport_url function. - class { '::nova' : - default_transport_url => os_transport_url({ - 'transport' => $messaging_driver, - 'hosts' => $messaging_hosts, - 'port' => sprintf('%s', $messaging_port), - 'username' => $messaging_username, - 'password' => $messaging_password, - 'ssl' => $messaging_use_ssl_real, - }), - } include ::nova::config class { '::nova::cache': enabled => true, 
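Review bot: The new `[*migration_ssh_key*]` entry does not say that `private_key` is secret material; I would add a line such as `#  The private key is sensitive; supply it from a protected hiera source.` The `[*libvirt_tls*]` text has a typo (`libvird` for `libvirtd`), and the added block appears to end with a blank line instead of `#` before `class`, which detaches the parameter docs from the class header for documentation tooling. In the parameter-list hunk that follows, `$libvirt_tls = false` lacks the trailing comma that `$step = hiera('step'),` carries.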
@@ -108,15 +107,65 @@ class tripleo::profile::base::nova ( memcache_servers => $memcache_servers, } include ::nova::placement - } - if $step >= 4 { - if $manage_migration { - class { '::nova::migration::libvirt': - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, + if $step >= 4 and $manage_migration { + + # Libvirt setup (live-migration) + if $libvirt_tls { + class { '::nova::migration::libvirt': + transport => 'tls', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + } + } else { + # Reuse the cold-migration SSH tunnel when TLS is not enabled + class { '::nova::migration::libvirt': + transport => 'ssh', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + client_user => 'nova', + client_extraparams => {'keyfile' => '/var/lib/nova/.ssh/id_rsa'} + } } + + if $migration_ssh_key != {} { + # Nova SSH tunnel setup (cold-migration) + + #TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands + user { 'nova': + ensure => present, + shell => '/bin/bash', + } + + $private_key_parts = split($migration_ssh_key['public_key'], ' ') + $nova_public_key = { + 'type' => $private_key_parts[0], + key => $private_key_parts[1] + } + $nova_private_key = { + 'type' => $private_key_parts[0], + key => $migration_ssh_key['private_key'] + } + } else { + $nova_public_key = undef + $nova_private_key = undef + } + } else { + $nova_public_key = undef + $nova_private_key = undef } - } + class { '::nova' : + default_transport_url => os_transport_url({ + 'transport' => $messaging_driver, + 'hosts' => $messaging_hosts, + 'port' => sprintf('%s', $messaging_port), + 'username' => $messaging_username, + 'password' => $messaging_password, + 'ssl' => $messaging_use_ssl_real, + }), + nova_public_key => $nova_public_key, + nova_private_key => $nova_private_key, + } + } } diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 287d14c..f09f083 100644 
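Review bot: In the `else` branch of `if $libvirt_tls`, libvirt is pointed at `/var/lib/nova/.ssh/id_rsa` whether or not `$migration_ssh_key` was supplied, so with the default `{}` the SSH transport is configured against a key this class never provisions (unless something outside the hunk does). The key handling below it also trusts the shape of the hash: `split($migration_ssh_key['public_key'], ' ')` is indexed at `[0]` and `[1]` without checking that `public_key` and `private_key` are both present, and the variable holding the public key's fields is named `$private_key_parts`; a `validate_hash($migration_ssh_key)` with a presence check and a rename to `$public_key_parts` would make this safer to read. `user { 'nova': shell => '/bin/bash' }` gives the service account an interactive shell wherever this branch runs, which deserves a comment stating that the migration tunnel needs it and what restricts that account's SSH access. The private key is passed to `::nova` as a plain class parameter, so it will be present in the compiled catalog.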
--- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -116,6 +116,7 @@ class tripleo::profile::base::nova::api ( $tls_keyfile = undef } if $step >= 4 or ($step >= 3 and $sync_db) { + include ::apache::mod::ssl class { '::nova::wsgi::apache_api': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp index c429373..614a3e7 100644 --- a/manifests/profile/base/nova/placement.pp +++ b/manifests/profile/base/nova/placement.pp @@ -86,6 +86,7 @@ class tripleo::profile::base::nova::placement ( } if $step >= 3 { + include ::apache::mod::ssl class { '::nova::wsgi::apache_placement': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp index a6643ce..be6df8d 100644 --- a/manifests/profile/base/panko/api.pp +++ b/manifests/profile/base/panko/api.pp @@ -92,6 +92,7 @@ class tripleo::profile::base::panko::api ( class { '::panko::api': sync_db => $sync_db, } + include ::apache::mod::ssl class { '::panko::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/swift/ringbuilder.pp b/manifests/profile/base/swift/ringbuilder.pp index 7e5fc74..f7cfea4 100644 --- a/manifests/profile/base/swift/ringbuilder.pp +++ b/manifests/profile/base/swift/ringbuilder.pp @@ -63,6 +63,12 @@ # Minimum amount of time before partitions can be moved. # Defaults to undef # +# [*swift_ring_get_tempurl*] +# GET tempurl to fetch Swift rings from +# +# [*swift_ring_put_tempurl*] +# PUT tempurl to upload Swift rings to +# class tripleo::profile::base::swift::ringbuilder ( $replicas, $build_ring = true, 
@@ -74,7 +80,23 @@ class tripleo::profile::base::swift::ringbuilder ( $swift_storage_node_ips = hiera('swift_storage_node_ips', []), $part_power = undef, $min_part_hours = undef, + $swift_ring_get_tempurl = hiera('swift_ring_get_tempurl', ''), + $swift_ring_put_tempurl = hiera('swift_ring_put_tempurl', ''), ) { + + if $step == 2 and $swift_ring_get_tempurl != '' { + exec{'fetch_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent '${swift_ring_get_tempurl}' -o /tmp/swift-rings.tar.gz", + returns => [0, 3] + } ~> + exec{'extract_swift_ring_tarball': + path => ['/bin'], + command => 'tar xzf /tmp/swift-rings.tar.gz -C /', + returns => [0, 2] + } + } + if $step >= 2 { # pre-install swift here so we can build rings include ::swift @@ -112,4 +134,18 @@ class tripleo::profile::base::swift::ringbuilder ( Ring_object_device<| |> ~> Exec['rebalance_container'] } } + + if $step == 5 and $build_ring and $swift_ring_put_tempurl != '' { + exec{'create_swift_ring_tarball': + path => ['/bin', '/usr/bin'], + command => 'tar cvzf /tmp/swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/', + unless => 'swift-recon --md5 | grep -q "doesn\'t match"' + } ~> + exec{'upload_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent -X PUT '${$swift_ring_put_tempurl}' --data-binary @/tmp/swift-rings.tar.gz", + require => Exec['create_swift_ring_tarball'], + refreshonly => true, + } + } } diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp index 89a03ad..7fbcd34 100644 --- a/manifests/profile/base/zaqar.pp +++ b/manifests/profile/base/zaqar.pp @@ -50,6 +50,7 @@ class tripleo::profile::base::zaqar ( uri => $database_connection, } include ::zaqar::transport::websocket + include ::apache::mod::ssl include ::zaqar::transport::wsgi # TODO (bcrochet): At some point, the transports should be split out to |
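Review bot: `fetch_swift_ring_tarball` runs curl with `--insecure` and the result is then unpacked by `tar xzf /tmp/swift-rings.tar.gz -C /`, presumably as root, so the archive's origin is never authenticated before its contents are written relative to the filesystem root. Dropping `--insecure` (using `--cacert` with the deployment CA if the endpoint certificate is internal) and limiting extraction to the expected members, e.g. `tar xzf /tmp/swift-rings.tar.gz -C / etc/swift`, would bound that. `returns => [0, 3]` and `returns => [0, 2]` also accept curl's malformed-URL exit and tar's fatal-error exit as success, and without `--fail` an HTTP error body is saved as the tarball; a comment should say why those codes are tolerated. The `--insecure` in `upload_swift_ring_tarball` in the last ringbuilder hunk has the same problem.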
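Review bot: `/tmp/swift-rings.tar.gz` is a fixed name in a world-writable directory, used here by `tar cvzf` and in the fetch hunk by `curl -o`, so the path can already exist (for instance as a symlink owned by another local account) when Puppet writes to it, and the archived builder files from `/etc/swift` presumably become readable to other local users. A root-owned working directory declared as a `file` resource with `mode => '0700'` would avoid both. Smaller points in the same resource: `'${$swift_ring_put_tempurl}'` should read `'${swift_ring_put_tempurl}'` to match the GET side, and `require => Exec['create_swift_ring_tarball']` duplicates the `~>` arrow. The tempurl is a bearer credential and sits in the exec command string, so it is likely to appear in Puppet logs and reports.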