summaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/firewall.pp2
-rw-r--r--manifests/profile/base/docker.pp35
-rw-r--r--manifests/profile/base/nova.pp67
3 files changed, 75 insertions, 29 deletions
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 8c6a53b..b4d51d9 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -63,7 +63,7 @@ class tripleo::firewall(
# anyone can add your own rules
# example with Hiera:
#
- # tripleo::firewall::rules:
+ # tripleo::firewall::firewall_rules:
# '300 allow custom application 1':
# port: 999
# proto: udp
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index d035f6a..bc784b5 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -32,6 +32,18 @@
# Configure a registry-mirror in the /etc/docker/daemon.json file.
# (defaults to false)
#
+# [*docker_options*]
+# OPTIONS that are used to startup the docker service. NOTE:
+# --selinux-enabled is dropped due to recommendations here:
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
+# Defaults to '--log-driver=journald --signature-verification=false'
+#
+# [*configure_storage*]
+# Boolean. Whether to configure a docker storage backend. Defaults to true.
+#
+# [*storage_options*]
+# Storage options to configure. Defaults to '-s overlay2'
+#
# [*step*]
# step defaults to hiera('step')
#
@@ -39,6 +51,9 @@ class tripleo::profile::base::docker (
$docker_namespace = undef,
$insecure_registry = false,
$registry_mirror = false,
+ $docker_options = '--log-driver=journald --signature-verification=false',
+ $configure_storage = true,
+ $storage_options = '-s overlay2',
$step = hiera('step'),
) {
if $step >= 1 {
@@ -57,9 +72,11 @@ class tripleo::profile::base::docker (
fail('You must provide a $docker_namespace in order to configure insecure registry')
}
$namespace = strip($docker_namespace.split('/')[0])
- $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", ]
+ $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'",
+ "set OPTIONS '\"${docker_options}\"'" ]
} else {
- $changes = [ 'rm INSECURE_REGISTRY', ]
+ $changes = [ 'rm INSECURE_REGISTRY',
+ "set OPTIONS '\"${docker_options}\"'" ]
}
augeas { 'docker-sysconfig':
@@ -95,6 +112,20 @@ class tripleo::profile::base::docker (
notify => Service['docker'],
require => File['/etc/docker/daemon.json'],
}
+ if $configure_storage {
+ if $storage_options == undef {
+ fail('You must provide a $storage_options in order to configure storage')
+ }
+ $storage_changes = [ "set DOCKER_STORAGE_OPTIONS '\" ${storage_options}\"'", ]
+ } else {
+ $storage_changes = [ 'rm DOCKER_STORAGE_OPTIONS', ]
+ }
+
+ augeas { 'docker-sysconfig-storage':
+ lens => 'Shellvars.lns',
+ incl => '/etc/sysconfig/docker-storage',
+ changes => $storage_changes,
+ }
}
}
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index 65355d4..d786940 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -129,6 +129,10 @@ class tripleo::profile::base::nova (
$memcache_servers = suffix(hiera('memcached_node_ips'), ':11211')
}
+ validate_array($migration_ssh_localaddrs)
+ $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) }
+ $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs)
+
if $step >= 4 or ($step >= 3 and $sync_db) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
include ::nova::config
@@ -183,10 +187,10 @@ class tripleo::profile::base::nova (
# Nova SSH tunnel setup (cold-migration)
# Server side
- if !empty($migration_ssh_localaddrs) {
- $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs,','))
+ if !empty($migration_ssh_localaddrs_real) {
+ $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,','))
$deny_type = 'LocalAddress'
- $deny_name = sprintf('!%s', join($migration_ssh_localaddrs,',!'))
+ $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!'))
ssh::server::match_block { 'nova_migration deny':
name => $deny_name,
@@ -217,31 +221,42 @@ class tripleo::profile::base::nova (
notify => Service['sshd']
}
- file { '/etc/nova/migration/authorized_keys':
- content => $migration_ssh_key['public_key'],
- mode => '0640',
- owner => 'root',
- group => 'nova_migration',
- require => Package['openstack-nova-migration'],
- }
+ $migration_authorized_keys = $migration_ssh_key['public_key']
+ $migration_identity = $migration_ssh_key['private_key']
+ $migration_user_shell = '/bin/bash'
+ }
+ else {
+ # Remove the keys and prevent login when migration over SSH is not enabled
+ $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+ $migration_identity = '# Migration over SSH disabled by TripleO'
+ $migration_user_shell = '/sbin/nologin'
+ }
- # Client side
- file { '/etc/nova/migration/identity':
- content => $migration_ssh_key['private_key'],
- mode => '0600',
- owner => 'nova',
- group => 'nova',
- require => Package['openstack-nova-migration'],
- }
- $migration_pkg_ensure = installed
- } else {
- $migration_pkg_ensure = absent
+ package { 'openstack-nova-migration':
+ ensure => present,
+ tag => ['openstack', 'nova-package'],
+ }
+
+ file { '/etc/nova/migration/authorized_keys':
+ content => $migration_authorized_keys,
+ mode => '0640',
+ owner => 'root',
+ group => 'nova_migration',
+ require => Package['openstack-nova-migration']
+ }
+
+ file { '/etc/nova/migration/identity':
+ content => $migration_identity,
+ mode => '0600',
+ owner => 'nova',
+ group => 'nova',
+ require => Package['openstack-nova-migration']
+ }
+
+ user {'nova_migration':
+ shell => $migration_user_shell,
+ require => Package['openstack-nova-migration']
}
- } else {
- $migration_pkg_ensure = absent
- }
- package {'openstack-nova-migration':
- ensure => $migration_pkg_ensure
}
}
}