9 files changed, 159 insertions, 35 deletions

diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index b63fb7f..4ba51ec 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -48,6 +48,11 @@
 #   it will create.
 #   Defaults to hiera('libvirt_certificates_specs', {}).
 #
+# [*mongodb_certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('mongodb_certificate_specs',{})
+#
 # [*mysql_certificate_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
@@ -67,6 +72,7 @@ class tripleo::profile::base::certmonger_user (
   $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
   $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
   $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
+  $mongodb_certificate_specs  = hiera('mongodb_certificate_specs',{}),
   $mysql_certificate_specs    = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
   $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
   $etcd_certificate_specs     = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
@@ -87,6 +93,9 @@ class tripleo::profile::base::certmonger_user (
     # existing and need to be refreshed if it changed.
     Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
   }
+  unless empty($mongodb_certificate_specs) {
+    ensure_resource('class', 'tripleo::certmonger::mongodb', $mongodb_certificate_specs)
+  }
   unless empty($mysql_certificate_specs) {
     ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
   }
diff --git a/manifests/profile/base/cinder/volume/netapp.pp b/manifests/profile/base/cinder/volume/netapp.pp
index fc652c9..43978da 100644
--- a/manifests/profile/base/cinder/volume/netapp.pp
+++ b/manifests/profile/base/cinder/volume/netapp.pp
@@ -59,6 +59,8 @@ class tripleo::profile::base::cinder::volume::netapp (
       netapp_storage_pools         => hiera('cinder::backend::netapp::netapp_storage_pools', undef),
       netapp_eseries_host_type     => hiera('cinder::backend::netapp::netapp_eseries_host_type', undef),
       netapp_webservice_path       => hiera('cinder::backend::netapp::netapp_webservice_path', undef),
+      nas_secure_file_operations   => hiera('cinder::backend::netapp::nas_secure_file_operations', undef),
+      nas_secure_file_permissions  => hiera('cinder::backend::netapp::nas_secure_file_permissions', undef),
     }
   }
 
diff --git a/manifests/profile/base/cinder/volume/nfs.pp b/manifests/profile/base/cinder/volume/nfs.pp
index 7b1f1b9..e384a79 100644
--- a/manifests/profile/base/cinder/volume/nfs.pp
+++ b/manifests/profile/base/cinder/volume/nfs.pp
@@ -29,6 +29,23 @@
 #   (Optional) List of mount options for the NFS share
 #   Defaults to ''
 #
+# [*cinder_nas_secure_file_operations*]
+#   (Optional) Allow network-attached storage systems to operate in a secure
+#   environment where root level access is not permitted. If set to False,
+#   access is as the root user and insecure. If set to True, access is not as
+#   root. If set to auto, a check is done to determine if this is a new
+#   installation: True is used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
+# [*cinder_nas_secure_file_permissions*]
+#   (Optional) Set more secure file permissions on network-attached storage
+#   volume files to restrict broad other/world access. If set to False,
+#   volumes are created with open permissions. If set to True, volumes are
+#   created with permissions for the cinder user and group (660). If set to
+#   auto, a check is done to determine if this is a new installation: True is
+#   used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -36,9 +53,11 @@
 #
 class tripleo::profile::base::cinder::volume::nfs (
   $cinder_nfs_servers,
-  $backend_name             = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
-  $cinder_nfs_mount_options = '',
-  $step                     = hiera('step'),
+  $backend_name                       = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
+  $cinder_nfs_mount_options           = '',
+  $cinder_nas_secure_file_operations  = $::os_service_default,
+  $cinder_nas_secure_file_permissions = $::os_service_default,
+  $step                               = hiera('step'),
 ) {
   include ::tripleo::profile::base::cinder::volume
 
@@ -52,9 +71,11 @@ class tripleo::profile::base::cinder::volume::nfs (
 
     package {'nfs-utils': } ->
     cinder::backend::nfs { $backend_name :
-      nfs_servers       => $cinder_nfs_servers,
-      nfs_mount_options => $cinder_nfs_mount_options,
-      nfs_shares_config => '/etc/cinder/shares-nfs.conf',
+      nfs_servers                 => $cinder_nfs_servers,
+      nfs_mount_options           => $cinder_nfs_mount_options,
+      nfs_shares_config           => '/etc/cinder/shares-nfs.conf',
+      nas_secure_file_operations  => $cinder_nas_secure_file_operations,
+      nas_secure_file_permissions => $cinder_nas_secure_file_permissions,
     }
   }
 
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index d035f6a..bc784b5 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -32,6 +32,18 @@
 #   Configure a registry-mirror in the /etc/docker/daemon.json file.
 #   (defaults to false)
 #
+# [*docker_options*]
+#   OPTIONS that are used to startup the docker service.  NOTE:
+#   --selinux-enabled is dropped due to recommendations here:
+#   https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
+#   Defaults to '--log-driver=journald --signature-verification=false'
+#
+# [*configure_storage*]
+#   Boolean. Whether to configure a docker storage backend. Defaults to true.
+#
+# [*storage_options*]
+#   Storage options to configure. Defaults to '-s overlay2'
+#
 # [*step*]
 #   step defaults to hiera('step')
 #
@@ -39,6 +51,9 @@ class tripleo::profile::base::docker (
   $docker_namespace = undef,
   $insecure_registry = false,
   $registry_mirror = false,
+  $docker_options = '--log-driver=journald --signature-verification=false',
+  $configure_storage = true,
+  $storage_options = '-s overlay2',
   $step = hiera('step'),
 ) {
   if $step >= 1 {
@@ -57,9 +72,11 @@ class tripleo::profile::base::docker (
         fail('You must provide a $docker_namespace in order to configure insecure registry')
       }
       $namespace = strip($docker_namespace.split('/')[0])
-      $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", ]
+      $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'",
+                    "set OPTIONS '\"${docker_options}\"'" ]
     } else {
-      $changes = [ 'rm INSECURE_REGISTRY', ]
+      $changes = [ 'rm INSECURE_REGISTRY',
+                    "set OPTIONS '\"${docker_options}\"'" ]
     }
 
     augeas { 'docker-sysconfig':
@@ -95,6 +112,20 @@ class tripleo::profile::base::docker (
       notify    => Service['docker'],
       require   => File['/etc/docker/daemon.json'],
     }
+    if $configure_storage {
+      if $storage_options == undef {
+        fail('You must provide a $storage_options in order to configure storage')
+      }
+      $storage_changes = [ "set DOCKER_STORAGE_OPTIONS '\" ${storage_options}\"'", ]
+    } else {
+      $storage_changes = [ 'rm DOCKER_STORAGE_OPTIONS', ]
+    }
+
+    augeas { 'docker-sysconfig-storage':
+      lens    => 'Shellvars.lns',
+      incl    => '/etc/sysconfig/docker-storage',
+      changes => $storage_changes,
+    }
 
   }
 }
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 31f5c93..72a7bc9 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -338,5 +338,8 @@ class tripleo::profile::base::keystone (
     if hiera('ec2_api_enabled', false) {
       include ::ec2api::keystone::auth
     }
+    if hiera('novajoin_enabled', false) {
+      include ::nova::metadata::novajoin::auth
+    }
   }
 }
diff --git a/manifests/profile/base/neutron/ovs.pp b/manifests/profile/base/neutron/ovs.pp
index bec7e96..97eb8e9 100644
--- a/manifests/profile/base/neutron/ovs.pp
+++ b/manifests/profile/base/neutron/ovs.pp
@@ -23,12 +23,27 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*vhostuser_socket_dir*]
+#   (Optional) vhostuser socket dir, The directory where $vhostuser_socket_dir
+#   will be created with correct permissions, inorder to support vhostuser
+#   client mode.
+
 class tripleo::profile::base::neutron::ovs(
-  $step           = hiera('step'),
+  $step                 = hiera('step'),
+  $vhostuser_socket_dir = hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef)
 ) {
   include ::tripleo::profile::base::neutron
 
   if $step >= 5 {
+    if $vhostuser_socket_dir {
+      file { $vhostuser_socket_dir:
+        ensure => directory,
+        owner  => 'qemu',
+        group  => 'qemu',
+        mode   => '0775',
+      }
+    }
+
     include ::neutron::agents::ml2::ovs
 
     # Optional since manage_service may be false and neutron server may not be colocated.
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index 65355d4..d786940 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -129,6 +129,10 @@ class tripleo::profile::base::nova (
     $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211')
   }
 
+  validate_array($migration_ssh_localaddrs)
+  $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) }
+  $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs)
+
   if $step >= 4 or ($step >= 3 and $sync_db) {
     $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
     include ::nova::config
@@ -183,10 +187,10 @@ class tripleo::profile::base::nova (
         # Nova SSH tunnel setup (cold-migration)
 
         # Server side
-        if !empty($migration_ssh_localaddrs) {
-          $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs,','))
+        if !empty($migration_ssh_localaddrs_real) {
+          $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,','))
           $deny_type = 'LocalAddress'
-          $deny_name = sprintf('!%s', join($migration_ssh_localaddrs,',!'))
+          $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!'))
 
           ssh::server::match_block { 'nova_migration deny':
             name    => $deny_name,
@@ -217,31 +221,42 @@ class tripleo::profile::base::nova (
           notify  => Service['sshd']
         }
 
-        file { '/etc/nova/migration/authorized_keys':
-          content => $migration_ssh_key['public_key'],
-          mode    => '0640',
-          owner   => 'root',
-          group   => 'nova_migration',
-          require => Package['openstack-nova-migration'],
-        }
+        $migration_authorized_keys = $migration_ssh_key['public_key']
+        $migration_identity = $migration_ssh_key['private_key']
+        $migration_user_shell = '/bin/bash'
+      }
+      else {
+        # Remove the keys and prevent login when migration over SSH is not enabled
+        $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+        $migration_identity = '# Migration over SSH disabled by TripleO'
+        $migration_user_shell = '/sbin/nologin'
+      }
 
-        # Client side
-        file { '/etc/nova/migration/identity':
-          content => $migration_ssh_key['private_key'],
-          mode    => '0600',
-          owner   => 'nova',
-          group   => 'nova',
-          require => Package['openstack-nova-migration'],
-        }
-        $migration_pkg_ensure = installed
-      } else {
-        $migration_pkg_ensure = absent
+      package { 'openstack-nova-migration':
+        ensure => present,
+        tag    => ['openstack', 'nova-package'],
+      }
+
+      file { '/etc/nova/migration/authorized_keys':
+        content => $migration_authorized_keys,
+        mode    => '0640',
+        owner   => 'root',
+        group   => 'nova_migration',
+        require => Package['openstack-nova-migration']
+      }
+
+      file { '/etc/nova/migration/identity':
+        content => $migration_identity,
+        mode    => '0600',
+        owner   => 'nova',
+        group   => 'nova',
+        require => Package['openstack-nova-migration']
+      }
+
+      user {'nova_migration':
+        shell   => $migration_user_shell,
+        require => Package['openstack-nova-migration']
       }
-    } else {
-      $migration_pkg_ensure = absent
-    }
-    package {'openstack-nova-migration':
-      ensure => $migration_pkg_ensure
     }
   }
 }
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index c1d745a..811b911 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -136,6 +136,7 @@ class tripleo::profile::base::pacemaker (
         remote_address     => $remotes_hash[$title],
         reconnect_interval => $remote_reconnect_interval,
         op_params          => "monitor interval=${remote_monitor_interval}",
+        verify_on_create   => true,
         tries              => $remote_tries,
         try_sleep          => $remote_try_sleep,
       }
diff --git a/manifests/profile/base/pacemaker_remote.pp b/manifests/profile/base/pacemaker_remote.pp
index e0fff63..dfe0a3e 100644
--- a/manifests/profile/base/pacemaker_remote.pp
+++ b/manifests/profile/base/pacemaker_remote.pp
@@ -22,6 +22,14 @@
 #   Authkey for pacemaker remote nodes
 #   Defaults to unset
 #
+# [*pcs_tries*]
+#   (Optional) The number of times pcs commands should be retried.
+#   Defaults to hiera('pcs_tries', 20)
+#
+# [*enable_fencing*]
+#   (Optional) Whether or not to manage stonith devices for nodes
+#   Defaults to hiera('enable_fencing', false)
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -29,9 +37,28 @@
 #
 class tripleo::profile::base::pacemaker_remote (
   $remote_authkey,
+  $pcs_tries      = hiera('pcs_tries', 20),
+  $enable_fencing = hiera('enable_fencing', false),
   $step           = hiera('step'),
 ) {
   class { '::pacemaker::remote':
     remote_authkey => $remote_authkey,
   }
+  $enable_fencing_real = str2bool($enable_fencing) and $step >= 5
+
+  class { '::pacemaker::stonith':
+    disable => !$enable_fencing_real,
+    tries   => $pcs_tries,
+  }
+
+  if $enable_fencing_real {
+    include ::tripleo::fencing
+
+    # enable stonith after all Pacemaker resources have been created
+    Pcmk_resource<||> -> Class['tripleo::fencing']
+    Pcmk_constraint<||> -> Class['tripleo::fencing']
+    Exec <| tag == 'pacemaker_constraint' |> -> Class['tripleo::fencing']
+    # enable stonith after all fencing devices have been created
+    Class['tripleo::fencing'] -> Class['pacemaker::stonith']
+  }
 }