diff options
Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/certmonger/haproxy.pp | 5 | ||||
| -rw-r--r-- | manifests/certmonger/haproxy_dirs.pp | 55 | ||||
| -rw-r--r-- | manifests/haproxy.pp | 50 | ||||
| -rw-r--r-- | manifests/haproxy/endpoint.pp | 8 | ||||
| -rw-r--r-- | manifests/haproxy/stats.pp | 74 | ||||
| -rw-r--r-- | manifests/profile/base/certmonger_user.pp | 1 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/volume.pp | 37 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/volume/dellemc_unity.pp | 47 | ||||
| -rw-r--r-- | manifests/profile/base/database/mysql.pp | 22 | ||||
| -rw-r--r-- | manifests/profile/base/docker.pp | 62 | ||||
| -rw-r--r-- | manifests/profile/base/haproxy.pp | 7 | ||||
| -rw-r--r-- | manifests/profile/base/nova/libvirt.pp | 17 | ||||
| -rw-r--r-- | manifests/profile/base/pacemaker.pp | 20 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/haproxy.pp | 10 |
14 files changed, 302 insertions, 113 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index a5d1bf8..3def337 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -84,6 +84,7 @@ define tripleo::certmonger::haproxy ( postsave_cmd => $postsave_cmd, principal => $principal, wait => true, + tag => 'haproxy-cert', require => Class['::certmonger'], } concat { $service_pem : @@ -91,12 +92,14 @@ define tripleo::certmonger::haproxy ( mode => '0640', owner => 'haproxy', group => 'haproxy', + tag => 'haproxy-cert', require => Package[$::haproxy::params::package_name], } concat::fragment { "${title}-cert-fragment": target => $service_pem, source => $service_certificate, order => '01', + tag => 'haproxy-cert', require => Certmonger_certificate["${title}-cert"], } @@ -106,6 +109,7 @@ define tripleo::certmonger::haproxy ( target => $service_pem, source => $ca_pem, order => '10', + tag => 'haproxy-cert', require => Class['tripleo::certmonger::ca::local'], } } @@ -114,6 +118,7 @@ define tripleo::certmonger::haproxy ( target => $service_pem, source => $service_key, order => 20, + tag => 'haproxy-cert', require => Certmonger_certificate["${title}-cert"], } } diff --git a/manifests/certmonger/haproxy_dirs.pp b/manifests/certmonger/haproxy_dirs.pp new file mode 100644 index 0000000..86058c3 --- /dev/null +++ b/manifests/certmonger/haproxy_dirs.pp @@ -0,0 +1,55 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the haproxy License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.haproxy.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# : = Class: tripleo::certmonger::haproxy_dirs +# +# Creates the necessary directories for haproxy's certificates and keys in the +# assigned locations if specified. It also assigns the correct SELinux tags. +# +# === Parameters: +# +# [*certificate_dir*] +# (Optional) Directory where haproxy's certificates will be stored. If left +# unspecified, it won't be created. +# Defaults to undef +# +# [*key_dir*] +# (Optional) Directory where haproxy's keys will be stored. +# Defaults to undef +# +class tripleo::certmonger::haproxy_dirs( + $certificate_dir = undef, + $key_dir = undef, +){ + + if $certificate_dir { + file { $certificate_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$certificate_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |> + } + + if $key_dir { + file { $key_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$key_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |> + } +} diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 5a59c10..a3d088a 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -53,6 +53,11 @@ # Should haproxy run in daemon mode or not # Defaults to true # +# [*manage_firewall*] +# (optional) Enable or disable firewall settings for ports exposed by HAProxy +# (false means disabled, and true means enabled) +# Defaults to hiera('tripleo::firewall::manage_firewall', true) +# # [*controller_hosts*] # IPs of host or group of hosts to load-balance the services # Can be a string or an array. @@ -563,6 +568,7 @@ class tripleo::haproxy ( $haproxy_daemon = true, $haproxy_stats_user = 'admin', $haproxy_stats_password = undef, + $manage_firewall = hiera('tripleo::firewall::manage_firewall', true), $controller_hosts = hiera('controller_node_ips'), $controller_hosts_names = hiera('controller_node_names', undef), $contrail_config_hosts = hiera('contrail_config_node_ips', undef), @@ -766,12 +772,6 @@ class tripleo::haproxy ( $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } - # TODO(bnemec): When we have support for SSL on private and admin endpoints, - # have the haproxy stats endpoint use that certificate by default. - if $haproxy_stats_certificate { - $haproxy_stats_bind_certificate = $haproxy_stats_certificate - } - $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) if $service_certificate { # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the @@ -809,16 +809,6 @@ class tripleo::haproxy ( } } - if $haproxy_stats_bind_certificate { - $haproxy_stats_bind_opts = { - "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]), - } - } else { - $haproxy_stats_bind_opts = { - "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param, - } - } - $mysql_vip = hiera('mysql_vip', $controller_virtual_ip) $mysql_bind_opts = { "${mysql_vip}:3306" => $haproxy_listen_bind_param, @@ -881,22 +871,24 @@ class tripleo::haproxy ( use_internal_certificates => $use_internal_certificates, internal_certificates_specs => $internal_certificates_specs, listen_options => $default_listen_options, + manage_firewall => $manage_firewall, } if $haproxy_stats { - $stats_base = ['enable', 'uri /'] - if $haproxy_stats_password { - $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) + if $haproxy_stats_certificate { + $haproxy_stats_certificate_real = $haproxy_stats_certificate + } elsif $use_internal_certificates { + # NOTE(jaosorior): Right now it's hardcoded to use the ctlplane network + $haproxy_stats_certificate_real = $internal_certificates_specs["haproxy-ctlplane"]['service_pem'] } else { - $stats_config = $stats_base + $haproxy_stats_certificate_real = undef } - haproxy::listen { 'haproxy.stats': - bind => $haproxy_stats_bind_opts, - mode => 'http', - options => { - 'stats' => $stats_config, - }, - collect_exported => false, + class { '::tripleo::haproxy::stats': + haproxy_listen_bind_param => $haproxy_listen_bind_param, + ip => $controller_virtual_ip, + password => $haproxy_stats_password, + certificate => $haproxy_stats_certificate_real, + user => $haproxy_stats_user, } } @@ -1361,7 +1353,7 @@ class tripleo::haproxy ( server_names => hiera('mysql_node_names', $controller_hosts_names_real), options => $mysql_member_options_real, } - if hiera('tripleo::firewall::manage_firewall', true) { + if $manage_firewall { include ::tripleo::firewall $mysql_firewall_rules = { '100 mysql_haproxy' => { @@ -1443,7 +1435,7 @@ class tripleo::haproxy ( server_names => hiera('redis_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } - if hiera('tripleo::firewall::manage_firewall', true) { + if $manage_firewall { include ::tripleo::firewall $redis_firewall_rules = { '100 redis_haproxy' => { diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index f1e80e8..9139061 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -86,6 +86,11 @@ # fetching the certificate for that specific network. # Defaults to undef # +# [*manage_firewall*] +# (optional) Enable or disable firewall settings for ports exposed by HAProxy +# (false means disabled, and true means enabled) +# Defaults to hiera('tripleo::firewall::manage_firewall', true) +# define tripleo::haproxy::endpoint ( $internal_ip, $service_port, @@ -103,6 +108,7 @@ define tripleo::haproxy::endpoint ( $use_internal_certificates = false, $internal_certificates_specs = {}, $service_network = undef, + $manage_firewall = hiera('tripleo::firewall::manage_firewall', true), ) { if $public_virtual_ip { # service exposed to the public network @@ -158,7 +164,7 @@ define tripleo::haproxy::endpoint ( server_names => $server_names, options => $member_options, } - if hiera('tripleo::firewall::manage_firewall', true) { + if $manage_firewall { include ::tripleo::firewall # This block will construct firewall rules only when we specify # a port for the regular service and also the ssl port for the service. diff --git a/manifests/haproxy/stats.pp b/manifests/haproxy/stats.pp new file mode 100644 index 0000000..f185c29 --- /dev/null +++ b/manifests/haproxy/stats.pp @@ -0,0 +1,74 @@ +# Copyright 2014 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::haproxy::stats +# +# Configure the HAProxy stats interface +# +# [*haproxy_listen_bind_param*] +# A list of params to be added to the HAProxy listener bind directive. +# +# [*ip*] +# IP Address on which the stats interface is listening on. This right now +# assumes that it's in the ctlplane network. +# +# [*password*] +# Password for haproxy stats authentication. When set, authentication is +# enabled on the haproxy stats endpoint. +# A string. +# Defaults to undef +# +# [*certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the haproxy stats endpoint using the specified file. +# Defaults to undef +# +# [*user*] +# Username for haproxy stats authentication. +# A string. +# Defaults to 'admin' +# +class tripleo::haproxy::stats ( + $haproxy_listen_bind_param, + $ip, + $password = undef, + $certificate = undef, + $user = 'admin' +) { + if $certificate { + $haproxy_stats_bind_opts = { + "${ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $certificate]), + } + } else { + $haproxy_stats_bind_opts = { + "${ip}:1993" => $haproxy_listen_bind_param, + } + } + + $stats_base = ['enable', 'uri /'] + if $password { + $stats_config = union($stats_base, ["auth ${user}:${password}"]) + } else { + $stats_config = $stats_base + } + haproxy::listen { 'haproxy.stats': + bind => $haproxy_stats_bind_opts, + mode => 'http', + options => { + 'stats' => $stats_config, + }, + collect_exported => false, + } +} diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 7a6559e..231a1d0 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -98,6 +98,7 @@ class tripleo::profile::base::certmonger_user ( ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs) } unless empty($haproxy_certificates_specs) { + include ::tripleo::certmonger::haproxy_dirs ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index bdfdd17..252bae1 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -26,6 +26,10 @@ # (Optional) Whether to enable the delsc backend # Defaults to false # +# [*cinder_enable_dellemc_unity_backend*] +# (Optional) Whether to enable the unity backend +# Defaults to false +# # [*cinder_enable_hpelefthand_backend*] # (Optional) Whether to enable the hpelefthand backend # Defaults to false @@ -68,18 +72,19 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( - $cinder_enable_pure_backend = false, - $cinder_enable_dellsc_backend = false, - $cinder_enable_hpelefthand_backend = false, - $cinder_enable_dellps_backend = false, - $cinder_enable_iscsi_backend = true, - $cinder_enable_netapp_backend = false, - $cinder_enable_nfs_backend = false, - $cinder_enable_rbd_backend = false, - $cinder_enable_scaleio_backend = false, - $cinder_enable_vrts_hs_backend = false, - $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), - $step = Integer(hiera('step')), + $cinder_enable_pure_backend = false, + $cinder_enable_dellsc_backend = false, + $cinder_enable_dellemc_unity_backend = false, + $cinder_enable_hpelefthand_backend = false, + $cinder_enable_dellps_backend = false, + $cinder_enable_iscsi_backend = true, + $cinder_enable_netapp_backend = false, + $cinder_enable_nfs_backend = false, + $cinder_enable_rbd_backend = false, + $cinder_enable_scaleio_backend = false, + $cinder_enable_vrts_hs_backend = false, + $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), + $step = Integer(hiera('step')), ) { include ::tripleo::profile::base::cinder @@ -100,6 +105,13 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellsc_backend_name = undef } + if $cinder_enable_dellemc_unity_backend { + include ::tripleo::profile::base::cinder::volume::dellemc_unity + $cinder_dellemc_unity_backend_name = hiera('cinder::backend::dellemc_unity::volume_backend_name', 'tripleo_dellemc_unity') + } else { + $cinder_dellemc_unity_backend_name = undef + } + if $cinder_enable_hpelefthand_backend { include ::tripleo::profile::base::cinder::volume::hpelefthand $cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand') @@ -161,6 +173,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_pure_backend_name, $cinder_dellps_backend_name, $cinder_dellsc_backend_name, + $cinder_dellemc_unity_backend_name, $cinder_hpelefthand_backend_name, $cinder_netapp_backend_name, $cinder_nfs_backend_name, diff --git a/manifests/profile/base/cinder/volume/dellemc_unity.pp b/manifests/profile/base/cinder/volume/dellemc_unity.pp new file mode 100644 index 0000000..fb9c36f --- /dev/null +++ b/manifests/profile/base/cinder/volume/dellemc_unity.pp @@ -0,0 +1,47 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::dellemc_unity +# +# Cinder Volume dellemc_unity profile for tripleo +# +# === Parameters +# +# [*backend_name*] +# (Optional) Name given to the Cinder backend stanza +# Defaults to 'tripleo_dellemc_unity' +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::dellemc_unity ( + $backend_name = hiera('cinder::backend::dellemc_unity::volume_backend_name', 'tripleo_dellemc_unity'), + $step = Integer(hiera('step')), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::dellemc_unity { $backend_name : + san_ip => hiera('cinder::backend::dellemc_unity::san_ip', undef), + san_login => hiera('cinder::backend::dellemc_unity::san_login', undef), + san_password => hiera('cinder::backend::dellemc_unity::san_password', undef), + storage_protocol => hiera('cinder::backend::dellemc_unity::storage_protocol', undef), + unity_io_ports => hiera('cinder::backend::dellemc_unity::unity_io_ports', undef), + unity_storage_pool_names => hiera('cinder::backend::dellemc_unity::unity_storage_pool_names', undef), + } + } + +} diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 3bf41cf..7e7d68b 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -47,6 +47,10 @@ # limit for the mysql service. # Defaults to false # +# [*innodb_buffer_pool_size*] +# (Optional) Configure the size of the MySQL buffer pool. +# Defaults to hiera('innodb_buffer_pool_size', undef) +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql ( $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $generate_dropin_file_limit = false, + $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef), $manage_resources = true, $mysql_server_options = {}, $mysql_max_connections = hiera('mysql_max_connections', undef), @@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql ( # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap $mysql_server_default = { 'mysqld' => { - 'bind-address' => $bind_address, - 'max_connections' => $mysql_max_connections, - 'open_files_limit' => '-1', - 'innodb_file_per_table' => 'ON', - 'ssl' => $enable_internal_tls, - 'ssl-key' => $tls_keyfile, - 'ssl-cert' => $tls_certfile, - 'ssl-ca' => undef, + 'bind-address' => $bind_address, + 'max_connections' => $mysql_max_connections, + 'open_files_limit' => '-1', + 'innodb_buffer_pool_size' => $innodb_buffer_pool_size, + 'innodb_file_per_table' => 'ON', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index e042947..d230366 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -32,7 +32,7 @@ # OPTIONS that are used to startup the docker service. NOTE: # --selinux-enabled is dropped due to recommendations here: # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html -# Defaults to '--log-driver=journald --signature-verification=false' +# Defaults to '--log-driver=journald --signature-verification=false --iptables=false' # # [*configure_storage*] # Boolean. Whether to configure a docker storage backend. Defaults to true. @@ -43,18 +43,6 @@ # [*step*] # step defaults to hiera('step') # -# [*configure_libvirt_polkit*] -# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host. -# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled -# -# [*docker_nova_uid*] -# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container. -# Defaults to 42436 -# -# [*services_enabled*] -# List of TripleO services enabled on the role. -# Defaults to hiera('services_names') -# # DEPRECATED PARAMETERS # # [*docker_namespace*] @@ -69,24 +57,15 @@ class tripleo::profile::base::docker ( $insecure_registry_address = undef, $registry_mirror = false, - $docker_options = '--log-driver=journald --signature-verification=false', + $docker_options = '--log-driver=journald --signature-verification=false --iptables=false', $configure_storage = true, $storage_options = '-s overlay2', $step = Integer(hiera('step')), - $configure_libvirt_polkit = undef, - $docker_nova_uid = 42436, - $services_enabled = hiera('service_names', []), # DEPRECATED PARAMETERS $docker_namespace = undef, $insecure_registry = false, ) { - if $configure_libvirt_polkit == undef { - $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled - } else { - $configure_libvirt_polkit_real = $configure_libvirt_polkit - } - if $step >= 1 { package {'docker': ensure => installed, @@ -176,41 +155,4 @@ class tripleo::profile::base::docker ( } } - if ($step >= 4 and $configure_libvirt_polkit_real) { - # Workaround for polkit authorization for libvirtd socket on host - # - # This creates a local user with the kolla nova uid, and sets the polkit rule to - # allow both it and the nova user from the nova rpms, should it exist (uid 162). - - group { 'docker_nova_group': - name => 'docker_nova', - gid => $docker_nova_uid - } - -> user { 'docker_nova_user': - name => 'docker_nova', - uid => $docker_nova_uid, - gid => $docker_nova_uid, - shell => '/sbin/nologin', - comment => 'OpenStack Nova Daemons', - groups => ['nobody'] - } - - # Similar to the polkit rule in the openstack-nova rpm spec - # but allow both the 'docker_nova' and 'nova' user - $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions -polkit.addRule(function(action, subject) { - if (action.id == "org.libvirt.unix.manage" && - /^(docker_)?nova$/.test(subject.user)) { - return polkit.Result.YES; - } -}); -' - package {'polkit': - ensure => installed, - } - -> file {'/etc/polkit-1/rules.d/50-nova.rules': - content => $docker_nova_polkit_rule, - mode => '0644' - } - } } diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp index 4f3322c..145f283 100644 --- a/manifests/profile/base/haproxy.pp +++ b/manifests/profile/base/haproxy.pp @@ -36,6 +36,11 @@ # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). # +# [*manage_firewall*] +# (optional) Enable or disable firewall settings for ports exposed by HAProxy +# (false means disabled, and true means enabled) +# Defaults to hiera('tripleo::firewall::manage_firewall', true) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -44,12 +49,14 @@ class tripleo::profile::base::haproxy ( $certificates_specs = {}, $enable_load_balancer = hiera('enable_load_balancer', true), + $manage_firewall = hiera('tripleo::firewall::manage_firewall', true), $step = Integer(hiera('step')), ) { if $step >= 1 { if $enable_load_balancer { class {'::tripleo::haproxy': internal_certificates_specs => $certificates_specs, + manage_firewall => $manage_firewall, } unless hiera('tripleo::haproxy::haproxy_service_manage', true) { diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp index 83f0c38..6c865dc 100644 --- a/manifests/profile/base/nova/libvirt.pp +++ b/manifests/profile/base/nova/libvirt.pp @@ -23,8 +23,13 @@ # for more details. # Defaults to hiera('step') # +# [*libvirtd_config*] +# (Optional) Overrides for libvirtd config options +# Default to {} +# class tripleo::profile::base::nova::libvirt ( $step = Integer(hiera('step')), + $libvirtd_config = {}, ) { include ::tripleo::profile::base::nova::compute_libvirt_shared @@ -33,6 +38,18 @@ class tripleo::profile::base::nova::libvirt ( include ::tripleo::profile::base::nova::migration::client include ::nova::compute::libvirt::services + $libvirtd_config_default = { + unix_sock_group => {value => '"libvirt"'}, + auth_unix_ro => {value => '"none"'}, + auth_unix_rw => {value => '"none"'}, + unix_sock_ro_perms => {value => '"0777"'}, + unix_sock_rw_perms => {value => '"0770"'} + } + + class { '::nova::compute::libvirt::config': + libvirtd_config => merge($libvirtd_config_default, $libvirtd_config) + } + file { ['/etc/libvirt/qemu/networks/autostart/default.xml', '/etc/libvirt/qemu/networks/default.xml']: ensure => absent, diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index d468110..de7e069 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -63,6 +63,10 @@ # be set to 60s. # Defaults to hiera('pacemaker_cluster_recheck_interval', undef) # +# [*encryption*] +# (Optional) Whether or not to enable encryption of the pacemaker traffic +# Defaults to true +# class tripleo::profile::base::pacemaker ( $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), @@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker ( $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), + $encryption = true, ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker ( $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000), + '--ipv6' => '' + } + } else { + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000) + } + } + + if $encryption { + $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'}) } else { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) } + $cluster_setup_extras = $cluster_setup_extras_pre } class { '::pacemaker': hacluster_pwd => hiera('hacluster_pwd'), diff --git a/manifests/profile/pacemaker/haproxy.pp b/manifests/profile/pacemaker/haproxy.pp index 7331071..5198243 100644 --- a/manifests/profile/pacemaker/haproxy.pp +++ b/manifests/profile/pacemaker/haproxy.pp @@ -26,6 +26,11 @@ # (Optional) Whether load balancing is enabled for this cluster # Defaults to hiera('enable_load_balancer', true) # +# [*manage_firewall*] +# (optional) Enable or disable firewall settings for ports exposed by HAProxy +# (false means disabled, and true means enabled) +# Defaults to hiera('tripleo::firewall::manage_firewall', true) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -38,10 +43,13 @@ class tripleo::profile::pacemaker::haproxy ( $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), $enable_load_balancer = hiera('enable_load_balancer', true), + $manage_firewall = hiera('tripleo::firewall::manage_firewall', true), $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), ) { - include ::tripleo::profile::base::haproxy + class {'::tripleo::profile::base::haproxy': + manage_firewall => $manage_firewall, + } if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true |