diff options
Diffstat (limited to 'manifests/profile')
-rw-r--r-- | manifests/profile/base/certmonger_user.pp | 12 | ||||
-rw-r--r-- | manifests/profile/base/cinder/volume.pp | 13 | ||||
-rw-r--r-- | manifests/profile/base/cinder/volume/pure.pp | 65 | ||||
-rw-r--r-- | manifests/profile/base/database/mysql/client.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/ironic/conductor.pp | 6 | ||||
-rw-r--r-- | manifests/profile/base/keystone.pp | 21 | ||||
-rw-r--r-- | manifests/profile/base/logging/fluentd.pp | 160 | ||||
-rw-r--r-- | manifests/profile/base/neutron/agents/bagpipe.pp | 37 | ||||
-rw-r--r-- | manifests/profile/base/neutron/agents/l2gw.pp | 35 | ||||
-rw-r--r-- | manifests/profile/base/neutron/agents/vpp.pp | 49 | ||||
-rw-r--r-- | manifests/profile/base/neutron/plugins/ml2.pp | 4 | ||||
-rw-r--r-- | manifests/profile/base/neutron/plugins/ml2/vpp.pp | 49 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 25 | ||||
-rw-r--r-- | manifests/profile/base/rabbitmq.pp | 2 | ||||
-rw-r--r-- | manifests/profile/base/sshd.pp | 56 | ||||
-rw-r--r-- | manifests/profile/base/swift/proxy.pp | 58 | ||||
-rw-r--r-- | manifests/profile/base/swift/ringbuilder.pp | 36 | ||||
-rw-r--r-- | manifests/profile/pacemaker/database/mysql.pp | 5 |
18 files changed, 523 insertions, 111 deletions
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 586c7e4..424ef09 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -43,6 +43,11 @@ # it will create. # Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}). # +# [*libvirt_certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('libvirt_certificates_specs', {}). +# # [*mysql_certificate_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -56,12 +61,19 @@ class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), + $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), ) { + include ::tripleo::certmonger::ca::libvirt + unless empty($apache_certificates_specs) { ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) } + unless empty($libvirt_certificates_specs) { + include ::tripleo::certmonger::libvirt_dirs + ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs) + } unless empty($haproxy_certificates_specs) { ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 9fb1594..e1370a3 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*cinder_enable_pure_backend*] +# (Optional) Whether to enable the pure backend +# Defaults to true +# # [*cinder_enable_dellsc_backend*] # (Optional) Whether to enable the delsc backend # Defaults to true @@ -60,6 +64,7 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( + $cinder_enable_pure_backend = false, $cinder_enable_dellsc_backend = false, $cinder_enable_hpelefthand_backend = false, $cinder_enable_dellps_backend = false, @@ -76,6 +81,13 @@ class tripleo::profile::base::cinder::volume ( if $step >= 4 { include ::cinder::volume + if $cinder_enable_pure_backend { + include ::tripleo::profile::base::cinder::volume::pure + $cinder_pure_backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure') + } else { + $cinder_pure_backend_name = undef + } + if $cinder_enable_dellsc_backend { include ::tripleo::profile::base::cinder::volume::dellsc $cinder_dellsc_backend_name = hiera('cinder::backend::dellsc_iscsi::volume_backend_name', 'tripleo_dellsc') @@ -134,6 +146,7 @@ class tripleo::profile::base::cinder::volume ( $backends = delete_undef_values([$cinder_iscsi_backend_name, $cinder_rbd_backend_name, + $cinder_pure_backend_name, $cinder_dellps_backend_name, $cinder_dellsc_backend_name, $cinder_hpelefthand_backend_name, diff --git a/manifests/profile/base/cinder/volume/pure.pp b/manifests/profile/base/cinder/volume/pure.pp new file mode 100644 index 0000000..e524919 --- /dev/null +++ b/manifests/profile/base/cinder/volume/pure.pp @@ -0,0 +1,65 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::pure +# +# Cinder Volume pure profile for tripleo +# +# === Parameters +# +# [*san_ip*] +# (required) IP address of PureStorage management VIP. +# +# [*pure_api_token*] +# (required) API token for management of PureStorage array. +# +# [*backend_name*] +# (Optional) Name given to the Cinder backend stanza +# Defaults to 'tripleo_pure' +# +# [*pure_storage_protocol*] +# (optional) Must be either 'iSCSI' or 'FC'. This will determine +# which Volume Driver will be configured; PureISCSIDriver or PureFCDriver. +# Defaults to 'iSCSI' +# +# [*use_multipath_for_image_xfer*] +# (optional) . +# Defaults to True +# +# [*use_chap_auth*] +# (optional) Only affects the PureISCSIDriver. +# Defaults to False +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::pure ( + $backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure'), + $step = hiera('step'), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::pure { $backend_name : + san_ip => hiera('cinder::backend::pure::san_ip', undef), + pure_api_token => hiera('cinder::backend::pure::pure_api_token', undef), + pure_storage_protocol => hiera('cinder::backend::pure::pure_storage_protocol', undef), + use_chap_auth => hiera('cinder::backend::pure::use_chap_auth', undef), + use_multipath_for_image_xfer => hiera('cinder::backend::pure::use_multipath_for_image_xfer', undef), + } + } + +} diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp index 22384a9..014ef35 100644 --- a/manifests/profile/base/database/mysql/client.pp +++ b/manifests/profile/base/database/mysql/client.pp @@ -82,6 +82,7 @@ class tripleo::profile::base::database::mysql::client ( # Create /etc/my.cnf.d/tripleo.cnf exec { 'directory-create-etc-my.cnf.d': command => 'mkdir -p /etc/my.cnf.d', + unless => 'test -d /etc/my.cnf.d', path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], } -> augeas { 'tripleo-mysql-client-conf': diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp index 7f90da9..941c0bd 100644 --- a/manifests/profile/base/ironic/conductor.pp +++ b/manifests/profile/base/ironic/conductor.pp @@ -34,6 +34,7 @@ class tripleo::profile::base::ironic::conductor ( if $step >= 4 { include ::ironic::conductor + include ::ironic::drivers::interfaces include ::ironic::drivers::pxe if $manage_pxe { include ::ironic::pxe @@ -43,7 +44,10 @@ class tripleo::profile::base::ironic::conductor ( include ::ironic::drivers::drac include ::ironic::drivers::ilo include ::ironic::drivers::ipmi - include ::ironic::drivers::ssh + # TODO: deprecated code cleanup, remove in Queens + ironic_config { + 'ssh/libvirt_uri': ensure => absent; + } # Configure access to other services include ::ironic::drivers::inspector diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index bb3f387..ec896e7 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -59,6 +59,15 @@ # heat admin user name # Defaults to undef # +# [*ldap_backends_config*] +# Configuration for keystone::ldap_backend. This takes a hash that will +# create each backend specified. +# Defaults to undef +# +# [*ldap_backend_enable*] +# Enables creating per-domain LDAP backends for keystone. +# Default to false +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -126,6 +135,8 @@ class tripleo::profile::base::keystone ( $heat_admin_email = undef, $heat_admin_password = undef, $heat_admin_user = undef, + $ldap_backends_config = undef, + $ldap_backend_enable = false, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), @@ -207,6 +218,13 @@ class tripleo::profile::base::keystone ( ssl_key_admin => $tls_keyfile_admin, } include ::keystone::cors + + if $ldap_backend_enable { + validate_hash($ldap_backends_config) + create_resources('::keystone::ldap_backend', $ldap_backends_config, { + create_domain_entry => $manage_domain, + }) + } } if $step >= 4 and $manage_db_purge { @@ -294,6 +312,9 @@ class tripleo::profile::base::keystone ( if hiera('nova_placement_enabled', false) { include ::nova::keystone::auth_placement } + if hiera('octavia_api_enabled', false) { + include ::octavia::keystone::auth + } if hiera('panko_api_enabled', false) { include ::panko::keystone::auth } diff --git a/manifests/profile/base/logging/fluentd.pp b/manifests/profile/base/logging/fluentd.pp index 9e1aa8d..fc996e9 100644 --- a/manifests/profile/base/logging/fluentd.pp +++ b/manifests/profile/base/logging/fluentd.pp @@ -71,105 +71,109 @@ class tripleo::profile::base::logging::fluentd ( $fluentd_listen_syslog = true, $fluentd_syslog_port = 42185 ) { - include ::fluentd - if $fluentd_groups { - user { $::fluentd::config_owner: - ensure => present, - groups => $fluentd_groups, - membership => 'minimum', + if $step >= 4 { + include ::fluentd + + if $fluentd_groups { + Package<| tag == 'openstack' |> -> + user { $::fluentd::config_owner: + ensure => present, + groups => $fluentd_groups, + membership => 'minimum', + } } - } - if $fluentd_pos_file_path { - file { $fluentd_pos_file_path: - ensure => 'directory', - owner => $::fluentd::config_owner, - group => $::fluentd::config_group, - mode => '0750', + if $fluentd_pos_file_path { + file { $fluentd_pos_file_path: + ensure => 'directory', + owner => $::fluentd::config_owner, + group => $::fluentd::config_group, + mode => '0750', + } } - } - ::fluentd::plugin { 'rubygem-fluent-plugin-add': - plugin_provider => 'yum', - } + ::fluentd::plugin { 'rubygem-fluent-plugin-add': + plugin_provider => 'yum', + } - if $fluentd_sources { - ::fluentd::config { '100-openstack-sources.conf': - config => { - 'source' => $fluentd_sources, + if $fluentd_sources { + ::fluentd::config { '100-openstack-sources.conf': + config => { + 'source' => $fluentd_sources, + } } } - } - if $fluentd_listen_syslog { - # fluentd will receive syslog messages by listening on a local udp - # socket. - ::fluentd::config { '110-system-sources.conf': - config => { - 'source' => { - 'type' => 'syslog', - 'tag' => 'system.messages', - 'port' => $fluentd_syslog_port, + if $fluentd_listen_syslog { + # fluentd will receive syslog messages by listening on a local udp + # socket. + ::fluentd::config { '110-system-sources.conf': + config => { + 'source' => { + 'type' => 'syslog', + 'tag' => 'system.messages', + 'port' => $fluentd_syslog_port, + } } } - } - file { '/etc/rsyslog.d/fluentd.conf': - content => "*.* @127.0.0.1:${fluentd_syslog_port}", - owner => 'root', - group => 'root', - mode => '0644', - } ~> exec { 'reload rsyslog': - command => '/bin/systemctl restart rsyslog', + file { '/etc/rsyslog.d/fluentd.conf': + content => "*.* @127.0.0.1:${fluentd_syslog_port}", + owner => 'root', + group => 'root', + mode => '0644', + } ~> exec { 'reload rsyslog': + command => '/bin/systemctl restart rsyslog', + } } - } - if $fluentd_filters { - ::fluentd::config { '200-openstack-filters.conf': - config => { - 'filter' => $fluentd_filters, + if $fluentd_filters { + ::fluentd::config { '200-openstack-filters.conf': + config => { + 'filter' => $fluentd_filters, + } } } - } - if $fluentd_servers and !empty($fluentd_servers) { - if $fluentd_use_ssl { - ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward': - plugin_provider => 'yum', - } + if $fluentd_servers and !empty($fluentd_servers) { + if $fluentd_use_ssl { + ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward': + plugin_provider => 'yum', + } - file {'/etc/fluentd/ca_cert.pem': - content => $fluentd_ssl_certificate, - owner => $::fluentd::config_owner, - group => $::fluentd::config_group, - mode => '0444', - } + file {'/etc/fluentd/ca_cert.pem': + content => $fluentd_ssl_certificate, + owner => $::fluentd::config_owner, + group => $::fluentd::config_group, + mode => '0444', + } - ::fluentd::config { '300-openstack-matches.conf': - config => { - 'match' => { - # lint:ignore:single_quote_string_with_variables - # lint:ignore:quoted_booleans - 'type' => 'secure_forward', - 'tag_pattern' => '**', - 'self_hostname' => '${hostname}', - 'secure' => 'true', - 'ca_cert_path' => '/etc/fluentd/ca_cert.pem', - 'shared_key' => $fluentd_shared_key, - 'server' => $fluentd_servers, - # lint:endignore - # lint:endignore + ::fluentd::config { '300-openstack-matches.conf': + config => { + 'match' => { + # lint:ignore:single_quote_string_with_variables + # lint:ignore:quoted_booleans + 'type' => 'secure_forward', + 'tag_pattern' => '**', + 'self_hostname' => '${hostname}', + 'secure' => 'true', + 'ca_cert_path' => '/etc/fluentd/ca_cert.pem', + 'shared_key' => $fluentd_shared_key, + 'server' => $fluentd_servers, + # lint:endignore + # lint:endignore + } } } - } - } else { - ::fluentd::config { '300-openstack-matches.conf': - config => { - 'match' => { - 'type' => 'forward', - 'tag_pattern' => '**', - 'server' => $fluentd_servers, + } else { + ::fluentd::config { '300-openstack-matches.conf': + config => { + 'match' => { + 'type' => 'forward', + 'tag_pattern' => '**', + 'server' => $fluentd_servers, + } } } } diff --git a/manifests/profile/base/neutron/agents/bagpipe.pp b/manifests/profile/base/neutron/agents/bagpipe.pp new file mode 100644 index 0000000..fb5e000 --- /dev/null +++ b/manifests/profile/base/neutron/agents/bagpipe.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Ricardo Noriega <rnoriega@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::bagpipe +# +# Neutron Bagpipe Agent profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::bagpipe ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::agents::bagpipe + } +} diff --git a/manifests/profile/base/neutron/agents/l2gw.pp b/manifests/profile/base/neutron/agents/l2gw.pp new file mode 100644 index 0000000..10cd662 --- /dev/null +++ b/manifests/profile/base/neutron/agents/l2gw.pp @@ -0,0 +1,35 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Peng Liu <pliu@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agent::l2gw +# +# Neutron L2 Gateway agent profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::l2gw ( + $step = hiera('step'), +) { + if $step >= 4 { + include ::neutron::agents::l2gw + } +} diff --git a/manifests/profile/base/neutron/agents/vpp.pp b/manifests/profile/base/neutron/agents/vpp.pp new file mode 100644 index 0000000..e961aa7 --- /dev/null +++ b/manifests/profile/base/neutron/agents/vpp.pp @@ -0,0 +1,49 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::vpp +# +# Neutron VPP Agent profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*etcd_host*] +# (Optional) etcd server VIP. +# Defaults to hiera('etcd_vip') +# +# [*etcd_port*] +# (Optional) etcd server listening port. +# Defaults to 2379 +# +class tripleo::profile::base::neutron::agents::vpp( + $step = hiera('step'), + $etcd_host = hiera('etcd_vip'), + $etcd_port = 2379, +) { + if empty($etcd_host) { + fail('etcd_vip not set in hieradata') + } + + if $step >= 4 { + class { '::neutron::agents::ml2::vpp': + etcd_host => $etcd_host, + etcd_port => $etcd_port, + } + } +} diff --git a/manifests/profile/base/neutron/plugins/ml2.pp b/manifests/profile/base/neutron/plugins/ml2.pp index 52d4ca1..1702fed 100644 --- a/manifests/profile/base/neutron/plugins/ml2.pp +++ b/manifests/profile/base/neutron/plugins/ml2.pp @@ -81,5 +81,9 @@ class tripleo::profile::base::neutron::plugins::ml2 ( include ::neutron::plugins::ml2::fujitsu include ::neutron::plugins::ml2::fujitsu::fossw } + + if 'vpp' in $mechanism_drivers { + include ::tripleo::profile::base::neutron::plugins::ml2::vpp + } } } diff --git a/manifests/profile/base/neutron/plugins/ml2/vpp.pp b/manifests/profile/base/neutron/plugins/ml2/vpp.pp new file mode 100644 index 0000000..217e4cf --- /dev/null +++ b/manifests/profile/base/neutron/plugins/ml2/vpp.pp @@ -0,0 +1,49 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::plugins::ml2::vpp +# +# VPP Neutron ML2 profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*etcd_host*] +# (Optional) etcd server VIP. +# Defaults to hiera('etcd_vip') +# +# [*etcd_port*] +# (Optional) etcd server listening port. +# Defaults to 2379 +# +class tripleo::profile::base::neutron::plugins::ml2::vpp ( + $step = hiera('step'), + $etcd_host = hiera('etcd_vip'), + $etcd_port = 2379, +) { + if empty($etcd_host) { + fail('etcd_vip not set in hieradata') + } + + if $step >= 4 { + class { '::neutron::plugins::ml2::vpp': + etcd_host => $etcd_host, + etcd_port => $etcd_port, + } + } +} diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index 6021731..c1d745a 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -55,6 +55,14 @@ # (Optional) Number of seconds to sleep between remote creation tries # Defaults to hiera('pacemaker_remote_try_sleep', 60) # +# [*cluster_recheck_interval*] +# (Optional) Set the cluster-wide cluster-recheck-interval property +# If the hiera key does not exist or if it is set to undef, the property +# won't be changed from its default value when there are no pacemaker_remote +# nodes. In presence of pacemaker_remote nodes and an undef value it will +# be set to 60s. +# Defaults to hiera('pacemaker_cluster_recheck_interval', undef) +# class tripleo::profile::base::pacemaker ( $step = hiera('step'), $pcs_tries = hiera('pcs_tries', 20), @@ -65,6 +73,7 @@ class tripleo::profile::base::pacemaker ( $remote_monitor_interval = hiera('pacemaker_remote_monitor_interval', 20), $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), + $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -136,6 +145,22 @@ class tripleo::profile::base::pacemaker ( if $step >= 2 { if $pacemaker_master { include ::pacemaker::resource_defaults + # When we have a non-zero number of pacemaker remote nodes we + # want to set the cluster-recheck-interval property to something + # lower (unless the operator has explicitely set a value) + if count($remote_short_node_names) > 0 and $cluster_recheck_interval == undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => '60s', + tries => $pcs_tries, + } + } elsif $cluster_recheck_interval != undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => $cluster_recheck_interval, + tries => $pcs_tries, + } + } } } diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index 9d1417c..8551f19 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -110,7 +110,7 @@ class tripleo::profile::base::rabbitmq ( if $inet_dist_interface { $real_kernel_variables = merge( $kernel_variables, - { 'inet_dist_use_interface' => ip_to_erl_format($inet_dist_interface) }, + { 'inet_dist_use_interface' => ip_to_erl_format($inet_dist_interface) } ) } else { $real_kernel_variables = $kernel_variables diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp index e7916c1..f43089c 100644 --- a/manifests/profile/base/sshd.pp +++ b/manifests/profile/base/sshd.pp @@ -15,47 +15,45 @@ # # == Class: tripleo::profile::base::sshd # -# SSH profile for tripleo +# SSH composable service for TripleO # # === Parameters # # [*bannertext*] -# The text used within SSH Banner +# The text used within /etc/issue and /etc/issue.net # Defaults to hiera('BannerText') # +# [*motd*] +# The text used within SSH Banner +# Defaults to hiera('MOTD') +# class tripleo::profile::base::sshd ( $bannertext = hiera('BannerText', undef), + $motd = hiera('MOTD', undef), ) { - if $bannertext { - $action = 'set' - } else { - $action = 'rm' - } - - package {'openssh-server': - ensure => installed, - } + include ::ssh - augeas { 'sshd_config_banner': - context => '/files/etc/ssh/sshd_config', - changes => [ "${action} Banner /etc/issue" ], - notify => Service['sshd'] - } - - file { '/etc/issue': - ensure => file, - backup => false, - content => $bannertext, - owner => 'root', - group => 'root', - mode => '0600' + if $bannertext { + $filelist = [ '/etc/issue', '/etc/issue.net', ] + file { $filelist: + ensure => file, + backup => false, + content => $bannertext, + owner => 'root', + group => 'root', + mode => '0644' + } } - service { 'sshd': - ensure => 'running', - enable => true, - hasstatus => false, - require => Package['openssh-server'], + if $motd { + file { '/etc/motd': + ensure => file, + backup => false, + content => $motd, + owner => 'root', + group => 'root', + mode => '0644' + } } } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 0d9ba68..e80c8c9 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -46,6 +46,22 @@ # Username for messaging nova queue # Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*memcache_port*] # (Optional) memcache port # Defaults to 11211 @@ -59,6 +75,26 @@ # for more details. # Defaults to hiera('step') # +# [*swift_proxy_network*] +# (Optional) The network name where the swift proxy endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('swift_proxy_network', undef) +# +# [*tls_proxy_bind_ip*] +# IP on which the TLS proxy will listen on. Required only if +# enable_internal_tls is set. +# Defaults to undef +# +# [*tls_proxy_fqdn*] +# fqdn on which the tls proxy will listen on. required only used if +# enable_internal_tls is set. +# defaults to undef +# +# [*tls_proxy_port*] +# port on which the tls proxy will listen on. Only used if +# enable_internal_tls is set. +# defaults to 8080 +# class tripleo::profile::base::swift::proxy ( $ceilometer_enabled = true, $ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'), @@ -67,11 +103,33 @@ class tripleo::profile::base::swift::proxy ( $ceilometer_messaging_port = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'), $ceilometer_messaging_use_ssl = '0', $ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), $memcache_port = 11211, $memcache_servers = hiera('memcached_node_ips'), $step = hiera('step'), + $swift_proxy_network = hiera('swift_proxy_network', undef), + $tls_proxy_bind_ip = undef, + $tls_proxy_fqdn = undef, + $tls_proxy_port = 8080, ) { if $step >= 4 { + if $enable_internal_tls { + if !$swift_proxy_network { + fail('swift_proxy_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key'] + + ::tripleo::tls_proxy { 'swift-proxy-api': + servername => $tls_proxy_fqdn, + ip => $tls_proxy_bind_ip, + port => $tls_proxy_port, + tls_cert => $tls_certfile, + tls_key => $tls_keyfile, + notify => Class['::neutron::server'], + } + } $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") include ::swift::config include ::swift::proxy diff --git a/manifests/profile/base/swift/ringbuilder.pp b/manifests/profile/base/swift/ringbuilder.pp index 7e5fc74..f7cfea4 100644 --- a/manifests/profile/base/swift/ringbuilder.pp +++ b/manifests/profile/base/swift/ringbuilder.pp @@ -63,6 +63,12 @@ # Minimum amount of time before partitions can be moved. # Defaults to undef # +# [*swift_ring_get_tempurl*] +# GET tempurl to fetch Swift rings from +# +# [*swift_ring_put_tempurl*] +# PUT tempurl to upload Swift rings to +# class tripleo::profile::base::swift::ringbuilder ( $replicas, $build_ring = true, @@ -74,7 +80,23 @@ class tripleo::profile::base::swift::ringbuilder ( $swift_storage_node_ips = hiera('swift_storage_node_ips', []), $part_power = undef, $min_part_hours = undef, + $swift_ring_get_tempurl = hiera('swift_ring_get_tempurl', ''), + $swift_ring_put_tempurl = hiera('swift_ring_put_tempurl', ''), ) { + + if $step == 2 and $swift_ring_get_tempurl != '' { + exec{'fetch_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent '${swift_ring_get_tempurl}' -o /tmp/swift-rings.tar.gz", + returns => [0, 3] + } ~> + exec{'extract_swift_ring_tarball': + path => ['/bin'], + command => 'tar xzf /tmp/swift-rings.tar.gz -C /', + returns => [0, 2] + } + } + if $step >= 2 { # pre-install swift here so we can build rings include ::swift @@ -112,4 +134,18 @@ class tripleo::profile::base::swift::ringbuilder ( Ring_object_device<| |> ~> Exec['rebalance_container'] } } + + if $step == 5 and $build_ring and $swift_ring_put_tempurl != '' { + exec{'create_swift_ring_tarball': + path => ['/bin', '/usr/bin'], + command => 'tar cvzf /tmp/swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/', + unless => 'swift-recon --md5 | grep -q "doesn\'t match"' + } ~> + exec{'upload_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent -X PUT '${$swift_ring_put_tempurl}' --data-binary @/tmp/swift-rings.tar.gz", + require => Exec['create_swift_ring_tarball'], + refreshonly => true, + } + } } diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp index bc5e644..031e80c 100644 --- a/manifests/profile/pacemaker/database/mysql.pp +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -120,7 +120,7 @@ class tripleo::profile::pacemaker::database::mysql ( if $step >= 1 and $pacemaker_master and hiera('stack_action') == 'UPDATE' { tripleo::pacemaker::resource_restart_flag { 'galera-master': subscribe => File['mysql-config-file'], - } + } ~> Exec<| title == 'galera-ready' |> } if $step >= 2 { @@ -145,7 +145,7 @@ class tripleo::profile::pacemaker::database::mysql ( }, require => [Class['::mysql::server'], Pacemaker::Property['galera-role-node-property']], - before => Exec['galera-ready'], + notify => Exec['galera-ready'], } exec { 'galera-ready' : command => '/usr/bin/clustercheck >/dev/null', @@ -153,6 +153,7 @@ class tripleo::profile::pacemaker::database::mysql ( tries => 180, try_sleep => 10, environment => ['AVAILABLE_WHEN_READONLY=0'], + refreshonly => true, require => Exec['create-root-sysconfig-clustercheck'], } # We add a clustercheck db user and we will switch /etc/sysconfig/clustercheck |