summaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/profile/base/cinder/volume/netapp.pp2
-rw-r--r--manifests/profile/base/cinder/volume/nfs.pp33
-rw-r--r--manifests/profile/base/database/mysql/client.pp7
-rw-r--r--manifests/profile/base/neutron/ovs.pp17
-rw-r--r--manifests/profile/base/pacemaker.pp1
-rw-r--r--manifests/profile/base/snmp.pp1
-rw-r--r--manifests/profile/pacemaker/database/redis.pp31
7 files changed, 68 insertions, 24 deletions
diff --git a/manifests/profile/base/cinder/volume/netapp.pp b/manifests/profile/base/cinder/volume/netapp.pp
index fc652c9..43978da 100644
--- a/manifests/profile/base/cinder/volume/netapp.pp
+++ b/manifests/profile/base/cinder/volume/netapp.pp
@@ -59,6 +59,8 @@ class tripleo::profile::base::cinder::volume::netapp (
netapp_storage_pools => hiera('cinder::backend::netapp::netapp_storage_pools', undef),
netapp_eseries_host_type => hiera('cinder::backend::netapp::netapp_eseries_host_type', undef),
netapp_webservice_path => hiera('cinder::backend::netapp::netapp_webservice_path', undef),
+ nas_secure_file_operations => hiera('cinder::backend::netapp::nas_secure_file_operations', undef),
+ nas_secure_file_permissions => hiera('cinder::backend::netapp::nas_secure_file_permissions', undef),
}
}
diff --git a/manifests/profile/base/cinder/volume/nfs.pp b/manifests/profile/base/cinder/volume/nfs.pp
index 7b1f1b9..e384a79 100644
--- a/manifests/profile/base/cinder/volume/nfs.pp
+++ b/manifests/profile/base/cinder/volume/nfs.pp
@@ -29,6 +29,23 @@
# (Optional) List of mount options for the NFS share
# Defaults to ''
#
+# [*cinder_nas_secure_file_operations*]
+# (Optional) Allow network-attached storage systems to operate in a secure
+# environment where root level access is not permitted. If set to False,
+# access is as the root user and insecure. If set to True, access is not as
+# root. If set to auto, a check is done to determine if this is a new
+# installation: True is used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
+# [*cinder_nas_secure_file_permissions*]
+# (Optional) Set more secure file permissions on network-attached storage
+# volume files to restrict broad other/world access. If set to False,
+# volumes are created with open permissions. If set to True, volumes are
+# created with permissions for the cinder user and group (660). If set to
+# auto, a check is done to determine if this is a new installation: True is
+# used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -36,9 +53,11 @@
#
class tripleo::profile::base::cinder::volume::nfs (
$cinder_nfs_servers,
- $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
- $cinder_nfs_mount_options = '',
- $step = hiera('step'),
+ $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
+ $cinder_nfs_mount_options = '',
+ $cinder_nas_secure_file_operations = $::os_service_default,
+ $cinder_nas_secure_file_permissions = $::os_service_default,
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::cinder::volume
@@ -52,9 +71,11 @@ class tripleo::profile::base::cinder::volume::nfs (
package {'nfs-utils': } ->
cinder::backend::nfs { $backend_name :
- nfs_servers => $cinder_nfs_servers,
- nfs_mount_options => $cinder_nfs_mount_options,
- nfs_shares_config => '/etc/cinder/shares-nfs.conf',
+ nfs_servers => $cinder_nfs_servers,
+ nfs_mount_options => $cinder_nfs_mount_options,
+ nfs_shares_config => '/etc/cinder/shares-nfs.conf',
+ nas_secure_file_operations => $cinder_nas_secure_file_operations,
+ nas_secure_file_permissions => $cinder_nas_secure_file_permissions,
}
}
diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp
index 014ef35..3de1e97 100644
--- a/manifests/profile/base/database/mysql/client.pp
+++ b/manifests/profile/base/database/mysql/client.pp
@@ -35,6 +35,10 @@
# (Optional) Client IP address of the host that will be written in the mysql_read_default_file
# Defaults to undef
#
+# [*ssl_ca*]
+# (Optional) The SSL CA file to use to verify the MySQL server's certificate.
+# Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -45,6 +49,7 @@ class tripleo::profile::base::database::mysql::client (
$mysql_read_default_file = '/etc/my.cnf.d/tripleo.cnf',
$mysql_read_default_group = 'tripleo',
$mysql_client_bind_address = undef,
+ $ssl_ca = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
$step = hiera('step'),
) {
if $step >= 1 {
@@ -68,7 +73,7 @@ class tripleo::profile::base::database::mysql::client (
if $enable_ssl {
$changes_ssl = [
"set ${mysql_read_default_group}/ssl '1'",
- "set ${mysql_read_default_group}/ssl-ca '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'"
+ "set ${mysql_read_default_group}/ssl-ca '${ssl_ca}'"
]
} else {
$changes_ssl = [
diff --git a/manifests/profile/base/neutron/ovs.pp b/manifests/profile/base/neutron/ovs.pp
index bec7e96..97eb8e9 100644
--- a/manifests/profile/base/neutron/ovs.pp
+++ b/manifests/profile/base/neutron/ovs.pp
@@ -23,12 +23,27 @@
# for more details.
# Defaults to hiera('step')
#
+# [*vhostuser_socket_dir*]
+# (Optional) vhostuser socket dir, The directory where $vhostuser_socket_dir
+# will be created with correct permissions, inorder to support vhostuser
+# client mode.
+
class tripleo::profile::base::neutron::ovs(
- $step = hiera('step'),
+ $step = hiera('step'),
+ $vhostuser_socket_dir = hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef)
) {
include ::tripleo::profile::base::neutron
if $step >= 5 {
+ if $vhostuser_socket_dir {
+ file { $vhostuser_socket_dir:
+ ensure => directory,
+ owner => 'qemu',
+ group => 'qemu',
+ mode => '0775',
+ }
+ }
+
include ::neutron::agents::ml2::ovs
# Optional since manage_service may be false and neutron server may not be colocated.
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index c1d745a..811b911 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -136,6 +136,7 @@ class tripleo::profile::base::pacemaker (
remote_address => $remotes_hash[$title],
reconnect_interval => $remote_reconnect_interval,
op_params => "monitor interval=${remote_monitor_interval}",
+ verify_on_create => true,
tries => $remote_tries,
try_sleep => $remote_try_sleep,
}
diff --git a/manifests/profile/base/snmp.pp b/manifests/profile/base/snmp.pp
index 301ac9a..d12e34d 100644
--- a/manifests/profile/base/snmp.pp
+++ b/manifests/profile/base/snmp.pp
@@ -42,7 +42,6 @@ class tripleo::profile::base::snmp (
authpass => $snmpd_password,
}
class { '::snmp':
- agentaddress => ['udp:161','udp6:[::1]:161'],
snmpd_config => [ join(['createUser ', $snmpd_user, ' MD5 "', $snmpd_password, '"']),
join(['rouser ', $snmpd_user]),
'proc cron',
diff --git a/manifests/profile/pacemaker/database/redis.pp b/manifests/profile/pacemaker/database/redis.pp
index 3ef6815..4f5a861 100644
--- a/manifests/profile/pacemaker/database/redis.pp
+++ b/manifests/profile/pacemaker/database/redis.pp
@@ -32,9 +32,12 @@
# Defaults to hiera('step')
#
# [*redis_file_limit*]
-# (Optional) The file limit to put in /etc/security/limits.d/redis.conf
+# (Deprecated) The file limit to put in /etc/security/limits.d/redis.conf
# for when redis is managed by pacemaker. Defaults to hiera('redis_file_limit')
-# or 10240 (default in redis systemd limits)
+# or 10240 (default in redis systemd limits). Note this option is deprecated
+# since puppet-redis grew support for ulimits in cluster configurations.
+# https://github.com/arioch/puppet-redis/pull/192. Set redis::ulimit via hiera
+# to control this limit.
#
# [*pcs_tries*]
# (Optional) The number of times pcs commands should be retried.
@@ -44,7 +47,7 @@ class tripleo::profile::pacemaker::database::redis (
$bootstrap_node = hiera('redis_short_bootstrap_node_name'),
$enable_load_balancer = hiera('enable_load_balancer', true),
$step = hiera('step'),
- $redis_file_limit = hiera('redis_file_limit', 10240),
+ $redis_file_limit = undef,
$pcs_tries = hiera('pcs_tries', 20),
) {
if $::hostname == downcase($bootstrap_node) {
@@ -54,19 +57,17 @@ class tripleo::profile::pacemaker::database::redis (
}
if $step >= 1 {
- include ::redis
- # Until puppet-redis grows support for /etc/security/limits.conf/redis.conf
- # https://github.com/arioch/puppet-redis/issues/130
- # we best explicitely set the file limit only in the pacemaker profile
- # (the base profile does not need it as it is using systemd which has
- # the limits set there)
- file { '/etc/security/limits.d/redis.conf':
- content => inline_template("redis soft nofile <%= @redis_file_limit %>\nredis hard nofile <%= @redis_file_limit %>\n"),
- owner => '0',
- group => '0',
- mode => '0644',
+ # If the old hiera key exists we use that to set the ulimit in order not to break
+ # operators which set it. We might remove this in a later release (post pike anyway)
+ $old_redis_file_limit = hiera('redis_file_limit', undef)
+ if $old_redis_file_limit != undef {
+ warning('redis_file_limit parameter is deprecated, use redis::ulimit in hiera.')
+ class { '::redis':
+ ulimit => $old_redis_file_limit,
+ }
+ } else {
+ include ::redis
}
-
if $pacemaker_master and hiera('stack_action') == 'UPDATE' {
tripleo::pacemaker::resource_restart_flag { 'redis-master':
# ouch, but trying to stay close how notification works in