aboutsummaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/certmonger/mongodb.pp87
-rw-r--r--manifests/firewall.pp2
-rw-r--r--manifests/profile/base/certmonger_user.pp9
-rw-r--r--manifests/profile/base/cinder/volume/netapp.pp2
-rw-r--r--manifests/profile/base/cinder/volume/nfs.pp33
-rw-r--r--manifests/profile/base/docker.pp35
-rw-r--r--manifests/profile/base/keystone.pp3
-rw-r--r--manifests/profile/base/neutron/ovs.pp17
-rw-r--r--manifests/profile/base/nova.pp67
-rw-r--r--manifests/profile/base/pacemaker.pp1
-rw-r--r--manifests/profile/base/pacemaker_remote.pp27
11 files changed, 247 insertions, 36 deletions
diff --git a/manifests/certmonger/mongodb.pp b/manifests/certmonger/mongodb.pp
new file mode 100644
index 0000000..0b2dd6a
--- /dev/null
+++ b/manifests/certmonger/mongodb.pp
@@ -0,0 +1,87 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::mongodb
+#
+# Request a certificate for MongoDB and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*service_pem*]
+# The file in PEM format that the HAProxy service will use as a certificate.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*principal*]
+# (Optional) The service principal that is set for the service in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::mongodb (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $service_pem,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::mongodb::params
+
+ $postsave_cmd = "systemctl restart ${::mongodb::params::service_name}"
+ certmonger_certificate { 'mongodb' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+
+ concat { $service_pem :
+ ensure => present,
+ mode => '0640',
+ owner => $::mongodb::params::user,
+ group => $::mongodb::params::group,
+ }
+ concat::fragment { 'mongodb-key-fragment':
+ target => $service_pem,
+ source => $service_key,
+ order => '01',
+ require => Certmonger_certificate['mongodb'],
+ }
+ concat::fragment { 'mongodb-cert-fragment':
+ target => $service_pem,
+ source => $service_certificate,
+ order => '10',
+ require => Certmonger_certificate['mongodb'],
+ }
+
+ Concat::Fragment['mongodb-key-fragment'] ~> Service<| title == $::mongodb::params::service_name |>
+ Concat::Fragment['mongodb-cert-fragment'] ~> Service<| title == $::mongodb::params::service_name |>
+}
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 8c6a53b..b4d51d9 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -63,7 +63,7 @@ class tripleo::firewall(
# anyone can add your own rules
# example with Hiera:
#
- # tripleo::firewall::rules:
+ # tripleo::firewall::firewall_rules:
# '300 allow custom application 1':
# port: 999
# proto: udp
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index b63fb7f..4ba51ec 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -48,6 +48,11 @@
# it will create.
# Defaults to hiera('libvirt_certificates_specs', {}).
#
+# [*mongodb_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('mongodb_certificate_specs',{})
+#
# [*mysql_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -67,6 +72,7 @@ class tripleo::profile::base::certmonger_user (
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
+ $mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}),
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
@@ -87,6 +93,9 @@ class tripleo::profile::base::certmonger_user (
# existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
}
+ unless empty($mongodb_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::mongodb', $mongodb_certificate_specs)
+ }
unless empty($mysql_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
}
diff --git a/manifests/profile/base/cinder/volume/netapp.pp b/manifests/profile/base/cinder/volume/netapp.pp
index fc652c9..43978da 100644
--- a/manifests/profile/base/cinder/volume/netapp.pp
+++ b/manifests/profile/base/cinder/volume/netapp.pp
@@ -59,6 +59,8 @@ class tripleo::profile::base::cinder::volume::netapp (
netapp_storage_pools => hiera('cinder::backend::netapp::netapp_storage_pools', undef),
netapp_eseries_host_type => hiera('cinder::backend::netapp::netapp_eseries_host_type', undef),
netapp_webservice_path => hiera('cinder::backend::netapp::netapp_webservice_path', undef),
+ nas_secure_file_operations => hiera('cinder::backend::netapp::nas_secure_file_operations', undef),
+ nas_secure_file_permissions => hiera('cinder::backend::netapp::nas_secure_file_permissions', undef),
}
}
diff --git a/manifests/profile/base/cinder/volume/nfs.pp b/manifests/profile/base/cinder/volume/nfs.pp
index 7b1f1b9..e384a79 100644
--- a/manifests/profile/base/cinder/volume/nfs.pp
+++ b/manifests/profile/base/cinder/volume/nfs.pp
@@ -29,6 +29,23 @@
# (Optional) List of mount options for the NFS share
# Defaults to ''
#
+# [*cinder_nas_secure_file_operations*]
+# (Optional) Allow network-attached storage systems to operate in a secure
+# environment where root level access is not permitted. If set to False,
+# access is as the root user and insecure. If set to True, access is not as
+# root. If set to auto, a check is done to determine if this is a new
+# installation: True is used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
+# [*cinder_nas_secure_file_permissions*]
+# (Optional) Set more secure file permissions on network-attached storage
+# volume files to restrict broad other/world access. If set to False,
+# volumes are created with open permissions. If set to True, volumes are
+# created with permissions for the cinder user and group (660). If set to
+# auto, a check is done to determine if this is a new installation: True is
+# used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -36,9 +53,11 @@
#
class tripleo::profile::base::cinder::volume::nfs (
$cinder_nfs_servers,
- $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
- $cinder_nfs_mount_options = '',
- $step = hiera('step'),
+ $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
+ $cinder_nfs_mount_options = '',
+ $cinder_nas_secure_file_operations = $::os_service_default,
+ $cinder_nas_secure_file_permissions = $::os_service_default,
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::cinder::volume
@@ -52,9 +71,11 @@ class tripleo::profile::base::cinder::volume::nfs (
package {'nfs-utils': } ->
cinder::backend::nfs { $backend_name :
- nfs_servers => $cinder_nfs_servers,
- nfs_mount_options => $cinder_nfs_mount_options,
- nfs_shares_config => '/etc/cinder/shares-nfs.conf',
+ nfs_servers => $cinder_nfs_servers,
+ nfs_mount_options => $cinder_nfs_mount_options,
+ nfs_shares_config => '/etc/cinder/shares-nfs.conf',
+ nas_secure_file_operations => $cinder_nas_secure_file_operations,
+ nas_secure_file_permissions => $cinder_nas_secure_file_permissions,
}
}
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index d035f6a..bc784b5 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -32,6 +32,18 @@
# Configure a registry-mirror in the /etc/docker/daemon.json file.
# (defaults to false)
#
+# [*docker_options*]
+# OPTIONS that are used to startup the docker service. NOTE:
+# --selinux-enabled is dropped due to recommendations here:
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
+# Defaults to '--log-driver=journald --signature-verification=false'
+#
+# [*configure_storage*]
+# Boolean. Whether to configure a docker storage backend. Defaults to true.
+#
+# [*storage_options*]
+# Storage options to configure. Defaults to '-s overlay2'
+#
# [*step*]
# step defaults to hiera('step')
#
@@ -39,6 +51,9 @@ class tripleo::profile::base::docker (
$docker_namespace = undef,
$insecure_registry = false,
$registry_mirror = false,
+ $docker_options = '--log-driver=journald --signature-verification=false',
+ $configure_storage = true,
+ $storage_options = '-s overlay2',
$step = hiera('step'),
) {
if $step >= 1 {
@@ -57,9 +72,11 @@ class tripleo::profile::base::docker (
fail('You must provide a $docker_namespace in order to configure insecure registry')
}
$namespace = strip($docker_namespace.split('/')[0])
- $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", ]
+ $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'",
+ "set OPTIONS '\"${docker_options}\"'" ]
} else {
- $changes = [ 'rm INSECURE_REGISTRY', ]
+ $changes = [ 'rm INSECURE_REGISTRY',
+ "set OPTIONS '\"${docker_options}\"'" ]
}
augeas { 'docker-sysconfig':
@@ -95,6 +112,20 @@ class tripleo::profile::base::docker (
notify => Service['docker'],
require => File['/etc/docker/daemon.json'],
}
+ if $configure_storage {
+ if $storage_options == undef {
+ fail('You must provide a $storage_options in order to configure storage')
+ }
+ $storage_changes = [ "set DOCKER_STORAGE_OPTIONS '\" ${storage_options}\"'", ]
+ } else {
+ $storage_changes = [ 'rm DOCKER_STORAGE_OPTIONS', ]
+ }
+
+ augeas { 'docker-sysconfig-storage':
+ lens => 'Shellvars.lns',
+ incl => '/etc/sysconfig/docker-storage',
+ changes => $storage_changes,
+ }
}
}
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 31f5c93..72a7bc9 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -338,5 +338,8 @@ class tripleo::profile::base::keystone (
if hiera('ec2_api_enabled', false) {
include ::ec2api::keystone::auth
}
+ if hiera('novajoin_enabled', false) {
+ include ::nova::metadata::novajoin::auth
+ }
}
}
diff --git a/manifests/profile/base/neutron/ovs.pp b/manifests/profile/base/neutron/ovs.pp
index bec7e96..97eb8e9 100644
--- a/manifests/profile/base/neutron/ovs.pp
+++ b/manifests/profile/base/neutron/ovs.pp
@@ -23,12 +23,27 @@
# for more details.
# Defaults to hiera('step')
#
+# [*vhostuser_socket_dir*]
+# (Optional) vhostuser socket dir, The directory where $vhostuser_socket_dir
+# will be created with correct permissions, inorder to support vhostuser
+# client mode.
+
class tripleo::profile::base::neutron::ovs(
- $step = hiera('step'),
+ $step = hiera('step'),
+ $vhostuser_socket_dir = hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef)
) {
include ::tripleo::profile::base::neutron
if $step >= 5 {
+ if $vhostuser_socket_dir {
+ file { $vhostuser_socket_dir:
+ ensure => directory,
+ owner => 'qemu',
+ group => 'qemu',
+ mode => '0775',
+ }
+ }
+
include ::neutron::agents::ml2::ovs
# Optional since manage_service may be false and neutron server may not be colocated.
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index 65355d4..d786940 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -129,6 +129,10 @@ class tripleo::profile::base::nova (
$memcache_servers = suffix(hiera('memcached_node_ips'), ':11211')
}
+ validate_array($migration_ssh_localaddrs)
+ $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) }
+ $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs)
+
if $step >= 4 or ($step >= 3 and $sync_db) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
include ::nova::config
@@ -183,10 +187,10 @@ class tripleo::profile::base::nova (
# Nova SSH tunnel setup (cold-migration)
# Server side
- if !empty($migration_ssh_localaddrs) {
- $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs,','))
+ if !empty($migration_ssh_localaddrs_real) {
+ $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,','))
$deny_type = 'LocalAddress'
- $deny_name = sprintf('!%s', join($migration_ssh_localaddrs,',!'))
+ $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!'))
ssh::server::match_block { 'nova_migration deny':
name => $deny_name,
@@ -217,31 +221,42 @@ class tripleo::profile::base::nova (
notify => Service['sshd']
}
- file { '/etc/nova/migration/authorized_keys':
- content => $migration_ssh_key['public_key'],
- mode => '0640',
- owner => 'root',
- group => 'nova_migration',
- require => Package['openstack-nova-migration'],
- }
+ $migration_authorized_keys = $migration_ssh_key['public_key']
+ $migration_identity = $migration_ssh_key['private_key']
+ $migration_user_shell = '/bin/bash'
+ }
+ else {
+ # Remove the keys and prevent login when migration over SSH is not enabled
+ $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+ $migration_identity = '# Migration over SSH disabled by TripleO'
+ $migration_user_shell = '/sbin/nologin'
+ }
- # Client side
- file { '/etc/nova/migration/identity':
- content => $migration_ssh_key['private_key'],
- mode => '0600',
- owner => 'nova',
- group => 'nova',
- require => Package['openstack-nova-migration'],
- }
- $migration_pkg_ensure = installed
- } else {
- $migration_pkg_ensure = absent
+ package { 'openstack-nova-migration':
+ ensure => present,
+ tag => ['openstack', 'nova-package'],
+ }
+
+ file { '/etc/nova/migration/authorized_keys':
+ content => $migration_authorized_keys,
+ mode => '0640',
+ owner => 'root',
+ group => 'nova_migration',
+ require => Package['openstack-nova-migration']
+ }
+
+ file { '/etc/nova/migration/identity':
+ content => $migration_identity,
+ mode => '0600',
+ owner => 'nova',
+ group => 'nova',
+ require => Package['openstack-nova-migration']
+ }
+
+ user {'nova_migration':
+ shell => $migration_user_shell,
+ require => Package['openstack-nova-migration']
}
- } else {
- $migration_pkg_ensure = absent
- }
- package {'openstack-nova-migration':
- ensure => $migration_pkg_ensure
}
}
}
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index c1d745a..811b911 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -136,6 +136,7 @@ class tripleo::profile::base::pacemaker (
remote_address => $remotes_hash[$title],
reconnect_interval => $remote_reconnect_interval,
op_params => "monitor interval=${remote_monitor_interval}",
+ verify_on_create => true,
tries => $remote_tries,
try_sleep => $remote_try_sleep,
}
diff --git a/manifests/profile/base/pacemaker_remote.pp b/manifests/profile/base/pacemaker_remote.pp
index e0fff63..dfe0a3e 100644
--- a/manifests/profile/base/pacemaker_remote.pp
+++ b/manifests/profile/base/pacemaker_remote.pp
@@ -22,6 +22,14 @@
# Authkey for pacemaker remote nodes
# Defaults to unset
#
+# [*pcs_tries*]
+# (Optional) The number of times pcs commands should be retried.
+# Defaults to hiera('pcs_tries', 20)
+#
+# [*enable_fencing*]
+# (Optional) Whether or not to manage stonith devices for nodes
+# Defaults to hiera('enable_fencing', false)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -29,9 +37,28 @@
#
class tripleo::profile::base::pacemaker_remote (
$remote_authkey,
+ $pcs_tries = hiera('pcs_tries', 20),
+ $enable_fencing = hiera('enable_fencing', false),
$step = hiera('step'),
) {
class { '::pacemaker::remote':
remote_authkey => $remote_authkey,
}
+ $enable_fencing_real = str2bool($enable_fencing) and $step >= 5
+
+ class { '::pacemaker::stonith':
+ disable => !$enable_fencing_real,
+ tries => $pcs_tries,
+ }
+
+ if $enable_fencing_real {
+ include ::tripleo::fencing
+
+ # enable stonith after all Pacemaker resources have been created
+ Pcmk_resource<||> -> Class['tripleo::fencing']
+ Pcmk_constraint<||> -> Class['tripleo::fencing']
+ Exec <| tag == 'pacemaker_constraint' |> -> Class['tripleo::fencing']
+ # enable stonith after all fencing devices have been created
+ Class['tripleo::fencing'] -> Class['pacemaker::stonith']
+ }
}