7 files changed, 68 insertions, 24 deletions
diff --git a/manifests/profile/base/cinder/volume/netapp.pp b/manifests/profile/base/cinder/volume/netapp.pp
index fc652c9..43978da 100644
--- a/manifests/profile/base/cinder/volume/netapp.pp
+++ b/manifests/profile/base/cinder/volume/netapp.pp
@@ -59,6 +59,8 @@ class tripleo::profile::base::cinder::volume::netapp (
       netapp_storage_pools         => hiera('cinder::backend::netapp::netapp_storage_pools', undef),
       netapp_eseries_host_type     => hiera('cinder::backend::netapp::netapp_eseries_host_type', undef),
       netapp_webservice_path       => hiera('cinder::backend::netapp::netapp_webservice_path', undef),
+      nas_secure_file_operations   => hiera('cinder::backend::netapp::nas_secure_file_operations', undef),
+      nas_secure_file_permissions  => hiera('cinder::backend::netapp::nas_secure_file_permissions', undef),
     }
   }
 
diff --git a/manifests/profile/base/cinder/volume/nfs.pp b/manifests/profile/base/cinder/volume/nfs.pp
index 7b1f1b9..e384a79 100644
--- a/manifests/profile/base/cinder/volume/nfs.pp
+++ b/manifests/profile/base/cinder/volume/nfs.pp
@@ -29,6 +29,23 @@
 #   (Optional) List of mount options for the NFS share
 #   Defaults to ''
 #
+# [*cinder_nas_secure_file_operations*]
+#   (Optional) Allow network-attached storage systems to operate in a secure
+#   environment where root level access is not permitted. If set to False,
+#   access is as the root user and insecure. If set to True, access is not as
+#   root. If set to auto, a check is done to determine if this is a new
+#   installation: True is used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
+# [*cinder_nas_secure_file_permissions*]
+#   (Optional) Set more secure file permissions on network-attached storage
+#   volume files to restrict broad other/world access. If set to False,
+#   volumes are created with open permissions. If set to True, volumes are
+#   created with permissions for the cinder user and group (660). If set to
+#   auto, a check is done to determine if this is a new installation: True is
+#   used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -36,9 +53,11 @@
 #
 class tripleo::profile::base::cinder::volume::nfs (
   $cinder_nfs_servers,
-  $backend_name             = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
-  $cinder_nfs_mount_options = '',
-  $step                     = hiera('step'),
+  $backend_name                       = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
+  $cinder_nfs_mount_options           = '',
+  $cinder_nas_secure_file_operations  = $::os_service_default,
+  $cinder_nas_secure_file_permissions = $::os_service_default,
+  $step                               = hiera('step'),
 ) {
   include ::tripleo::profile::base::cinder::volume
 
@@ -52,9 +71,11 @@ class tripleo::profile::base::cinder::volume::nfs (
 
     package {'nfs-utils': } ->
     cinder::backend::nfs { $backend_name :
-      nfs_servers       => $cinder_nfs_servers,
-      nfs_mount_options => $cinder_nfs_mount_options,
-      nfs_shares_config => '/etc/cinder/shares-nfs.conf',
+      nfs_servers                 => $cinder_nfs_servers,
+      nfs_mount_options           => $cinder_nfs_mount_options,
+      nfs_shares_config           => '/etc/cinder/shares-nfs.conf',
+      nas_secure_file_operations  => $cinder_nas_secure_file_operations,
+      nas_secure_file_permissions => $cinder_nas_secure_file_permissions,
     }
   }
 
diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp
index 014ef35..3de1e97 100644
--- a/manifests/profile/base/database/mysql/client.pp
+++ b/manifests/profile/base/database/mysql/client.pp
@@ -35,6 +35,10 @@
 #   (Optional) Client IP address of the host that will be written in the mysql_read_default_file
 #   Defaults to undef
 #
+# [*ssl_ca*]
+#   (Optional) The SSL CA file to use to verify the MySQL server's certificate.
+#   Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -45,6 +49,7 @@ class tripleo::profile::base::database::mysql::client (
   $mysql_read_default_file   = '/etc/my.cnf.d/tripleo.cnf',
   $mysql_read_default_group  = 'tripleo',
   $mysql_client_bind_address = undef,
+  $ssl_ca                    = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
   $step                      = hiera('step'),
 ) {
   if $step >= 1 {
@@ -68,7 +73,7 @@ class tripleo::profile::base::database::mysql::client (
     if $enable_ssl {
       $changes_ssl = [
         "set ${mysql_read_default_group}/ssl '1'",
-        "set ${mysql_read_default_group}/ssl-ca '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'"
+        "set ${mysql_read_default_group}/ssl-ca '${ssl_ca}'"
       ]
     } else {
       $changes_ssl = [
diff --git a/manifests/profile/base/neutron/ovs.pp b/manifests/profile/base/neutron/ovs.pp
index bec7e96..97eb8e9 100644
--- a/manifests/profile/base/neutron/ovs.pp
+++ b/manifests/profile/base/neutron/ovs.pp
@@ -23,12 +23,27 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*vhostuser_socket_dir*]
+#   (Optional) vhostuser socket dir, The directory where $vhostuser_socket_dir
+#   will be created with correct permissions, inorder to support vhostuser
+#   client mode.
+
 class tripleo::profile::base::neutron::ovs(
-  $step           = hiera('step'),
+  $step                 = hiera('step'),
+  $vhostuser_socket_dir = hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef)
 ) {
   include ::tripleo::profile::base::neutron
 
   if $step >= 5 {
+    if $vhostuser_socket_dir {
+      file { $vhostuser_socket_dir:
+        ensure => directory,
+        owner  => 'qemu',
+        group  => 'qemu',
+        mode   => '0775',
+      }
+    }
+
     include ::neutron::agents::ml2::ovs
 
     # Optional since manage_service may be false and neutron server may not be colocated.
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index c1d745a..811b911 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -136,6 +136,7 @@ class tripleo::profile::base::pacemaker (
         remote_address     => $remotes_hash[$title],
         reconnect_interval => $remote_reconnect_interval,
         op_params          => "monitor interval=${remote_monitor_interval}",
+        verify_on_create   => true,
         tries              => $remote_tries,
         try_sleep          => $remote_try_sleep,
       }
diff --git a/manifests/profile/base/snmp.pp b/manifests/profile/base/snmp.pp
index 301ac9a..d12e34d 100644
--- a/manifests/profile/base/snmp.pp
+++ b/manifests/profile/base/snmp.pp
@@ -42,7 +42,6 @@ class tripleo::profile::base::snmp (
       authpass => $snmpd_password,
     }
     class { '::snmp':
-      agentaddress => ['udp:161','udp6:[::1]:161'],
       snmpd_config => [ join(['createUser ', $snmpd_user, ' MD5 "', $snmpd_password, '"']),
                         join(['rouser ', $snmpd_user]),
                         'proc  cron',
diff --git a/manifests/profile/pacemaker/database/redis.pp b/manifests/profile/pacemaker/database/redis.pp
index 3ef6815..4f5a861 100644
--- a/manifests/profile/pacemaker/database/redis.pp
+++ b/manifests/profile/pacemaker/database/redis.pp
@@ -32,9 +32,12 @@
 #   Defaults to hiera('step')
 #
 # [*redis_file_limit*]
-#   (Optional) The file limit to put in /etc/security/limits.d/redis.conf
+#   (Deprecated) The file limit to put in /etc/security/limits.d/redis.conf
 #   for when redis is managed by pacemaker. Defaults to hiera('redis_file_limit')
-#   or 10240 (default in redis systemd limits)
+#   or 10240 (default in redis systemd limits). Note this option is deprecated
+#   since puppet-redis grew support for ulimits in cluster configurations.
+#   https://github.com/arioch/puppet-redis/pull/192. Set redis::ulimit via hiera
+#   to control this limit.
 #
 # [*pcs_tries*]
 #   (Optional) The number of times pcs commands should be retried.
@@ -44,7 +47,7 @@ class tripleo::profile::pacemaker::database::redis (
   $bootstrap_node       = hiera('redis_short_bootstrap_node_name'),
   $enable_load_balancer = hiera('enable_load_balancer', true),
   $step                 = hiera('step'),
-  $redis_file_limit     = hiera('redis_file_limit', 10240),
+  $redis_file_limit     = undef,
   $pcs_tries            = hiera('pcs_tries', 20),
 ) {
   if $::hostname == downcase($bootstrap_node) {
@@ -54,19 +57,17 @@ class tripleo::profile::pacemaker::database::redis (
   }
 
   if $step >= 1 {
-    include ::redis
-    # Until puppet-redis grows support for /etc/security/limits.conf/redis.conf
-    # https://github.com/arioch/puppet-redis/issues/130
-    # we best explicitely set the file limit only in the pacemaker profile
-    # (the base profile does not need it as it is using systemd which has
-    # the limits set there)
-    file { '/etc/security/limits.d/redis.conf':
-      content => inline_template("redis soft nofile <%= @redis_file_limit %>\nredis hard nofile <%= @redis_file_limit %>\n"),
-      owner   => '0',
-      group   => '0',
-      mode    => '0644',
+    # If the old hiera key exists we use that to set the ulimit in order not to break
+    # operators which set it. We might remove this in a later release (post pike anyway)
+    $old_redis_file_limit = hiera('redis_file_limit', undef)
+    if $old_redis_file_limit != undef {
+      warning('redis_file_limit parameter is deprecated, use redis::ulimit in hiera.')
+      class { '::redis':
+        ulimit => $old_redis_file_limit,
+      }
+    } else {
+      include ::redis
     }
-
     if $pacemaker_master and hiera('stack_action') == 'UPDATE' {
       tripleo::pacemaker::resource_restart_flag { 'redis-master':
         # ouch, but trying to stay close how notification works in