diff options
Diffstat (limited to 'manifests/profile')
| -rw-r--r-- | manifests/profile/base/aodh/api.pp | 2 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/volume/dellps.pp | 6 | ||||
| -rw-r--r-- | manifests/profile/base/database/mongodb.pp | 11 | ||||
| -rw-r--r-- | manifests/profile/base/etcd.pp | 7 | ||||
| -rw-r--r-- | manifests/profile/base/heat/api.pp | 2 | ||||
| -rw-r--r-- | manifests/profile/base/heat/api_cfn.pp | 2 | ||||
| -rw-r--r-- | manifests/profile/base/heat/api_cloudwatch.pp | 2 | ||||
| -rw-r--r-- | manifests/profile/base/horizon.pp | 2 | ||||
| -rw-r--r-- | manifests/profile/base/keystone.pp | 5 | ||||
| -rw-r--r-- | manifests/profile/base/neutron/agents/l2gw.pp | 35 | ||||
| -rw-r--r-- | manifests/profile/base/neutron/sriov.pp | 2 | ||||
| -rw-r--r-- | manifests/profile/base/nova.pp | 87 | ||||
| -rw-r--r-- | manifests/profile/base/nova/ec2api.pp | 1 | ||||
| -rw-r--r-- | manifests/profile/base/sshd.pp | 56 | ||||
| -rw-r--r-- | manifests/profile/base/swift/proxy.pp | 69 | ||||
| -rw-r--r-- | manifests/profile/base/tuned.pp | 20 |
16 files changed, 245 insertions, 64 deletions
diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 0834536..22fc000 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -66,7 +66,7 @@ class tripleo::profile::base::aodh::api ( } - if $step >= 4 { + if $step >= 3 { include ::aodh::api class { '::aodh::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/cinder/volume/dellps.pp b/manifests/profile/base/cinder/volume/dellps.pp index 1338240..e825b61 100644 --- a/manifests/profile/base/cinder/volume/dellps.pp +++ b/manifests/profile/base/cinder/volume/dellps.pp @@ -41,9 +41,9 @@ class tripleo::profile::base::cinder::volume::dellps ( san_thin_provision => hiera('cinder::backend::eqlx::san_thin_provision', undef), eqlx_group_name => hiera('cinder::backend::eqlx::eqlx_group_name', undef), eqlx_pool => hiera('cinder::backend::eqlx::eqlx_pool', undef), - eqlx_use_chap => hiera('cinder::backend::eqlx::eqlx_use_chap', undef), - eqlx_chap_login => hiera('cinder::backend::eqlx::eqlx_chap_login', undef), - eqlx_chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef), + use_chap_auth => hiera('cinder::backend::eqlx::eqlx_use_chap', undef), + chap_username => hiera('cinder::backend::eqlx::eqlx_chap_login', undef), + chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef), } } diff --git a/manifests/profile/base/database/mongodb.pp b/manifests/profile/base/database/mongodb.pp index 8967f5b..4740d67 100644 --- a/manifests/profile/base/database/mongodb.pp +++ b/manifests/profile/base/database/mongodb.pp @@ -30,10 +30,15 @@ # for more details. # Defaults to hiera('step') # +# [*memory_limit*] +# (Optional) Limit amount of memory mongodb can use +# Defaults to 20G +# class tripleo::profile::base::database::mongodb ( $mongodb_replset, $bootstrap_node = downcase(hiera('bootstrap_nodeid')), $step = hiera('step'), + $memory_limit = '20G', ) { if $step >= 2 { @@ -56,5 +61,11 @@ class tripleo::profile::base::database::mongodb ( } } + # Limit memory utilization + ::systemd::service_limits { 'mongod.service': + limits => { + 'MemoryLimit' => $memory_limit + } + } } } diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp index 505e29f..fc4771f 100644 --- a/manifests/profile/base/etcd.pp +++ b/manifests/profile/base/etcd.pp @@ -47,19 +47,12 @@ class tripleo::profile::base::etcd ( $step = hiera('step'), ) { if $step >= 1 { - if count($nodes) > 1 { - $cluster_enabled = true - } else { - $cluster_enabled = false - } - class {'::etcd': listen_client_urls => "http://${bind_ip}:${client_port}", advertise_client_urls => "http://${bind_ip}:${client_port}", listen_peer_urls => "http://${bind_ip}:${peer_port}", initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}", initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"), - cluster_enabled => $cluster_enabled, proxy => 'off', } } diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp index f35735b..8e2da7e 100644 --- a/manifests/profile/base/heat/api.pp +++ b/manifests/profile/base/heat/api.pp @@ -63,7 +63,7 @@ class tripleo::profile::base::heat::api ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::heat::api class { '::heat::wsgi::apache_api': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp index 2545dbc..02eb82a 100644 --- a/manifests/profile/base/heat/api_cfn.pp +++ b/manifests/profile/base/heat/api_cfn.pp @@ -63,7 +63,7 @@ class tripleo::profile::base::heat::api_cfn ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::heat::api_cfn class { '::heat::wsgi::apache_api_cfn': diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp index 872de8d..558d247 100644 --- a/manifests/profile/base/heat/api_cloudwatch.pp +++ b/manifests/profile/base/heat/api_cloudwatch.pp @@ -63,7 +63,7 @@ class tripleo::profile::base::heat::api_cloudwatch ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::heat::api_cloudwatch class { '::heat::wsgi::apache_api_cloudwatch': diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 278c25c..10eaaa6 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -31,7 +31,7 @@ class tripleo::profile::base::horizon ( $step = hiera('step'), $neutron_options = hiera('horizon::neutron_options', {}), ) { - if $step >= 4 { + if $step >= 3 { # Horizon include ::apache::mod::remoteip include ::apache::mod::status diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 9598d64..bb3f387 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -246,7 +246,10 @@ class tripleo::profile::base::keystone ( if hiera('barbican_api_enabled', false) { include ::barbican::keystone::auth } - if hiera('ceilometer_api_enabled', false) { + # ceilometer user is needed even when ceilometer api + # not running, so it can authenticate with keystone + # and dispatch data. + if hiera('ceilometer_auth_enabled', false) { include ::ceilometer::keystone::auth } if hiera('ceph_rgw_enabled', false) { diff --git a/manifests/profile/base/neutron/agents/l2gw.pp b/manifests/profile/base/neutron/agents/l2gw.pp new file mode 100644 index 0000000..10cd662 --- /dev/null +++ b/manifests/profile/base/neutron/agents/l2gw.pp @@ -0,0 +1,35 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Peng Liu <pliu@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agent::l2gw +# +# Neutron L2 Gateway agent profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::l2gw ( + $step = hiera('step'), +) { + if $step >= 4 { + include ::neutron::agents::l2gw + } +} diff --git a/manifests/profile/base/neutron/sriov.pp b/manifests/profile/base/neutron/sriov.pp index 00ecc21..24c7b63 100644 --- a/manifests/profile/base/neutron/sriov.pp +++ b/manifests/profile/base/neutron/sriov.pp @@ -33,6 +33,8 @@ class tripleo::profile::base::neutron::sriov( $mechanism_drivers = hiera('neutron::plugins::ml2::mechanism_drivers'), ) { + include ::tripleo::profile::base::neutron + if $step >= 4 { if 'sriovnicswitch' in $mechanism_drivers { include ::neutron::agents::ml2::sriov diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 36425f6..ab9b615 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -82,6 +82,15 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # +# [*migration_ssh_key*] +# (Optional) SSH key pair for migration SSH tunnel. +# Expects a hash with keys 'private_key' and 'public_key'. +# Defaults to {} +# +# [*libvirt_tls*] +# (Optional) Whether or not libvird TLS service is enabled. +# Defaults to false + class tripleo::profile::base::nova ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $libvirt_enabled = false, @@ -99,6 +108,8 @@ class tripleo::profile::base::nova ( $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), $nova_compute_enabled = false, $step = hiera('step'), + $migration_ssh_key = {}, + $libvirt_tls = false ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -114,7 +125,62 @@ class tripleo::profile::base::nova ( if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) - class { '::nova' : + include ::nova::config + class { '::nova::cache': + enabled => true, + backend => 'oslo_cache.memcache_pool', + memcache_servers => $memcache_servers, + } + include ::nova::placement + + if $step >= 4 and $manage_migration { + + # Libvirt setup (live-migration) + if $libvirt_tls { + class { '::nova::migration::libvirt': + transport => 'tls', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + } + } else { + # Reuse the cold-migration SSH tunnel when TLS is not enabled + class { '::nova::migration::libvirt': + transport => 'ssh', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + client_user => 'nova', + client_extraparams => {'keyfile' => '/var/lib/nova/.ssh/id_rsa'} + } + } + + if $migration_ssh_key != {} { + # Nova SSH tunnel setup (cold-migration) + + #TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands + user { 'nova': + ensure => present, + shell => '/bin/bash', + } + + $private_key_parts = split($migration_ssh_key['public_key'], ' ') + $nova_public_key = { + type => $private_key_parts[0], + key => $private_key_parts[1] + } + $nova_private_key = { + type => $private_key_parts[0], + key => $migration_ssh_key['private_key'] + } + } else { + $nova_public_key = undef + $nova_private_key = undef + } + } else { + $nova_public_key = undef + $nova_private_key = undef + } + + class { '::nova': default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, @@ -131,23 +197,8 @@ class tripleo::profile::base::nova ( 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, }), + nova_public_key => $nova_public_key, + nova_private_key => $nova_private_key, } - include ::nova::config - class { '::nova::cache': - enabled => true, - backend => 'oslo_cache.memcache_pool', - memcache_servers => $memcache_servers, - } - include ::nova::placement } - - if $step >= 4 { - if $manage_migration { - class { '::nova::migration::libvirt': - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, - } - } - } - } diff --git a/manifests/profile/base/nova/ec2api.pp b/manifests/profile/base/nova/ec2api.pp index f34b071..f8817d2 100644 --- a/manifests/profile/base/nova/ec2api.pp +++ b/manifests/profile/base/nova/ec2api.pp @@ -31,5 +31,6 @@ class tripleo::profile::base::nova::ec2api ( include ::ec2api::api include ::ec2api::db::sync include ::ec2api::metadata + include ::ec2api::keystone::authtoken } } diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp index e7916c1..f43089c 100644 --- a/manifests/profile/base/sshd.pp +++ b/manifests/profile/base/sshd.pp @@ -15,47 +15,45 @@ # # == Class: tripleo::profile::base::sshd # -# SSH profile for tripleo +# SSH composable service for TripleO # # === Parameters # # [*bannertext*] -# The text used within SSH Banner +# The text used within /etc/issue and /etc/issue.net # Defaults to hiera('BannerText') # +# [*motd*] +# The text used within SSH Banner +# Defaults to hiera('MOTD') +# class tripleo::profile::base::sshd ( $bannertext = hiera('BannerText', undef), + $motd = hiera('MOTD', undef), ) { - if $bannertext { - $action = 'set' - } else { - $action = 'rm' - } - - package {'openssh-server': - ensure => installed, - } + include ::ssh - augeas { 'sshd_config_banner': - context => '/files/etc/ssh/sshd_config', - changes => [ "${action} Banner /etc/issue" ], - notify => Service['sshd'] - } - - file { '/etc/issue': - ensure => file, - backup => false, - content => $bannertext, - owner => 'root', - group => 'root', - mode => '0600' + if $bannertext { + $filelist = [ '/etc/issue', '/etc/issue.net', ] + file { $filelist: + ensure => file, + backup => false, + content => $bannertext, + owner => 'root', + group => 'root', + mode => '0644' + } } - service { 'sshd': - ensure => 'running', - enable => true, - hasstatus => false, - require => Package['openssh-server'], + if $motd { + file { '/etc/motd': + ensure => file, + backup => false, + content => $motd, + owner => 'root', + group => 'root', + mode => '0644' + } } } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 0d9ba68..3c1734b 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -46,6 +46,22 @@ # Username for messaging nova queue # Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*memcache_port*] # (Optional) memcache port # Defaults to 11211 @@ -59,6 +75,26 @@ # for more details. # Defaults to hiera('step') # +# [*swift_proxy_network*] +# (Optional) The network name where the swift proxy endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('swift_proxy_network', undef) +# +# [*tls_proxy_bind_ip*] +# IP on which the TLS proxy will listen on. Required only if +# enable_internal_tls is set. +# Defaults to hiera('swift::proxy::proxy_local_net_ip') +# +# [*tls_proxy_fqdn*] +# fqdn on which the tls proxy will listen on. required only used if +# enable_internal_tls is set. +# defaults to undef +# +# [*tls_proxy_port*] +# port on which the tls proxy will listen on. Only used if +# enable_internal_tls is set. +# defaults to 8080 +# class tripleo::profile::base::swift::proxy ( $ceilometer_enabled = true, $ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'), @@ -67,14 +103,45 @@ class tripleo::profile::base::swift::proxy ( $ceilometer_messaging_port = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'), $ceilometer_messaging_use_ssl = '0', $ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), $memcache_port = 11211, $memcache_servers = hiera('memcached_node_ips'), $step = hiera('step'), + $swift_proxy_network = hiera('swift_proxy_network', undef), + # FIXME(jaosorior): This will be undef when we pass this to t-h-t + $tls_proxy_bind_ip = hiera('swift::proxy::proxy_local_net_ip', '127.0.0.1'), + $tls_proxy_fqdn = undef, + $tls_proxy_port = 8080, ) { if $step >= 4 { + if $enable_internal_tls { + if !$swift_proxy_network { + fail('swift_proxy_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key'] + + ::tripleo::tls_proxy { 'swift-proxy-api': + # FIXME(jaosorior): This will be cleaned up in a subsequent commit. + servername => hiera("fqdn_${swift_proxy_network}", $tls_proxy_fqdn), + ip => $tls_proxy_bind_ip, + port => $tls_proxy_port, + tls_cert => $tls_certfile, + tls_key => $tls_keyfile, + notify => Class['::neutron::server'], + } + # FIXME(jaosorior): This will be cleaned up when we pass it via t-h-t + $proxy_bind_ip = 'localhost' + } else { + # FIXME(jaosorior): This will be cleaned up when we pass it via t-h-t + $proxy_bind_ip = $tls_proxy_bind_ip + } $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") include ::swift::config - include ::swift::proxy + class { '::swift::proxy' : + proxy_local_net_ip => $proxy_bind_ip, + } include ::swift::proxy::proxy_logging include ::swift::proxy::healthcheck class { '::swift::proxy::cache': diff --git a/manifests/profile/base/tuned.pp b/manifests/profile/base/tuned.pp new file mode 100644 index 0000000..8dfcea0 --- /dev/null +++ b/manifests/profile/base/tuned.pp @@ -0,0 +1,20 @@ +# == Class: tripleo::profile::base::tuned +# +# Configures tuned service. +# +# === Parameters: +# +# [*profile*] +# (optional) tuned active profile. +# Defaults to 'throughput-performance' +# +# +class tripleo::profile::base::tuned ( + $profile = 'throughput-performance' +) { + exec { 'tuned-adm': + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "tuned-adm profile ${profile}", + unless => "tuned-adm active | grep -q '${profile}'" + } +} |