3 files changed, 34 insertions, 12 deletions

diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 3bf41cf..7e7d68b 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -47,6 +47,10 @@
 #   limit for the mysql service.
 #   Defaults to false
 #
+# [*innodb_buffer_pool_size*]
+#   (Optional) Configure the size of the MySQL buffer pool.
+#   Defaults to hiera('innodb_buffer_pool_size', undef)
+#
 # [*manage_resources*]
 #   (Optional) Whether or not manage root user, root my.cnf, and service.
 #   Defaults to true
@@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql (
   $certificate_specs             = {},
   $enable_internal_tls           = hiera('enable_internal_tls', false),
   $generate_dropin_file_limit    = false,
+  $innodb_buffer_pool_size       = hiera('innodb_buffer_pool_size', undef),
   $manage_resources              = true,
   $mysql_server_options          = {},
   $mysql_max_connections         = hiera('mysql_max_connections', undef),
@@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql (
     # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap
     $mysql_server_default = {
       'mysqld' => {
-        'bind-address'          => $bind_address,
-        'max_connections'       => $mysql_max_connections,
-        'open_files_limit'      => '-1',
-        'innodb_file_per_table' => 'ON',
-        'ssl'                   => $enable_internal_tls,
-        'ssl-key'               => $tls_keyfile,
-        'ssl-cert'              => $tls_certfile,
-        'ssl-ca'                => undef,
+        'bind-address'            => $bind_address,
+        'max_connections'         => $mysql_max_connections,
+        'open_files_limit'        => '-1',
+        'innodb_buffer_pool_size' => $innodb_buffer_pool_size,
+        'innodb_file_per_table'   => 'ON',
+        'ssl'                     => $enable_internal_tls,
+        'ssl-key'                 => $tls_keyfile,
+        'ssl-cert'                => $tls_certfile,
+        'ssl-ca'                  => undef,
       }
     }
     $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options)
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index 5f6d97c..d230366 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -32,7 +32,7 @@
 #   OPTIONS that are used to startup the docker service.  NOTE:
 #   --selinux-enabled is dropped due to recommendations here:
 #   https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
-#   Defaults to '--log-driver=journald --signature-verification=false'
+#   Defaults to '--log-driver=journald --signature-verification=false --iptables=false'
 #
 # [*configure_storage*]
 #   Boolean. Whether to configure a docker storage backend. Defaults to true.
@@ -57,7 +57,7 @@
 class tripleo::profile::base::docker (
   $insecure_registry_address = undef,
   $registry_mirror = false,
-  $docker_options = '--log-driver=journald --signature-verification=false',
+  $docker_options = '--log-driver=journald --signature-verification=false --iptables=false',
   $configure_storage = true,
   $storage_options = '-s overlay2',
   $step = Integer(hiera('step')),
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index d468110..de7e069 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -63,6 +63,10 @@
 #   be set to 60s.
 #   Defaults to hiera('pacemaker_cluster_recheck_interval', undef)
 #
+# [*encryption*]
+#   (Optional) Whether or not to enable encryption of the pacemaker traffic
+#   Defaults to true
+#
 class tripleo::profile::base::pacemaker (
   $step                      = Integer(hiera('step')),
   $pcs_tries                 = hiera('pcs_tries', 20),
@@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker (
   $remote_tries              = hiera('pacemaker_remote_tries', 5),
   $remote_try_sleep          = hiera('pacemaker_remote_try_sleep', 60),
   $cluster_recheck_interval  = hiera('pacemaker_cluster_recheck_interval', undef),
+  $encryption                = true,
 ) {
 
   if count($remote_short_node_names) != count($remote_node_ips) {
@@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker (
     $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G'))
     $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false))
     if $corosync_ipv6 {
-      $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' }
+      $cluster_setup_extras_pre = {
+        '--token' => hiera('corosync_token_timeout', 1000),
+        '--ipv6' => ''
+      }
+    } else {
+      $cluster_setup_extras_pre = {
+        '--token' => hiera('corosync_token_timeout', 1000)
+      }
+    }
+
+    if $encryption {
+      $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'})
     } else {
-      $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) }
+      $cluster_setup_extras = $cluster_setup_extras_pre
     }
     class { '::pacemaker':
       hacluster_pwd => hiera('hacluster_pwd'),