diff options
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/certmonger/mongodb.pp | 87 | ||||
-rw-r--r-- | manifests/firewall.pp | 2 | ||||
-rw-r--r-- | manifests/profile/base/certmonger_user.pp | 9 | ||||
-rw-r--r-- | manifests/profile/base/cinder/volume/netapp.pp | 2 | ||||
-rw-r--r-- | manifests/profile/base/cinder/volume/nfs.pp | 33 | ||||
-rw-r--r-- | manifests/profile/base/docker.pp | 35 | ||||
-rw-r--r-- | manifests/profile/base/keystone.pp | 3 | ||||
-rw-r--r-- | manifests/profile/base/neutron/ovs.pp | 17 | ||||
-rw-r--r-- | manifests/profile/base/nova.pp | 67 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker_remote.pp | 27 |
11 files changed, 247 insertions, 36 deletions
diff --git a/manifests/certmonger/mongodb.pp b/manifests/certmonger/mongodb.pp new file mode 100644 index 0000000..0b2dd6a --- /dev/null +++ b/manifests/certmonger/mongodb.pp @@ -0,0 +1,87 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::mongodb +# +# Request a certificate for MongoDB and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*service_pem*] +# The file in PEM format that the HAProxy service will use as a certificate. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*principal*] +# (Optional) The service principal that is set for the service in kerberos. +# Defaults to undef +# +class tripleo::certmonger::mongodb ( + $hostname, + $service_certificate, + $service_key, + $service_pem, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::mongodb::params + + $postsave_cmd = "systemctl restart ${::mongodb::params::service_name}" + certmonger_certificate { 'mongodb' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + + concat { $service_pem : + ensure => present, + mode => '0640', + owner => $::mongodb::params::user, + group => $::mongodb::params::group, + } + concat::fragment { 'mongodb-key-fragment': + target => $service_pem, + source => $service_key, + order => '01', + require => Certmonger_certificate['mongodb'], + } + concat::fragment { 'mongodb-cert-fragment': + target => $service_pem, + source => $service_certificate, + order => '10', + require => Certmonger_certificate['mongodb'], + } + + Concat::Fragment['mongodb-key-fragment'] ~> Service<| title == $::mongodb::params::service_name |> + Concat::Fragment['mongodb-cert-fragment'] ~> Service<| title == $::mongodb::params::service_name |> +} diff --git a/manifests/firewall.pp b/manifests/firewall.pp index 8c6a53b..b4d51d9 100644 --- a/manifests/firewall.pp +++ b/manifests/firewall.pp @@ -63,7 +63,7 @@ class tripleo::firewall( # anyone can add your own rules # example with Hiera: # - # tripleo::firewall::rules: + # tripleo::firewall::firewall_rules: # '300 allow custom application 1': # port: 999 # proto: udp diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index b63fb7f..4ba51ec 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -48,6 +48,11 @@ # it will create. # Defaults to hiera('libvirt_certificates_specs', {}). # +# [*mongodb_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('mongodb_certificate_specs',{}) +# # [*mysql_certificate_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -67,6 +72,7 @@ class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), + $mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), $etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}), @@ -87,6 +93,9 @@ class tripleo::profile::base::certmonger_user ( # existing and need to be refreshed if it changed. Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> } + unless empty($mongodb_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::mongodb', $mongodb_certificate_specs) + } unless empty($mysql_certificate_specs) { ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs) } diff --git a/manifests/profile/base/cinder/volume/netapp.pp b/manifests/profile/base/cinder/volume/netapp.pp index fc652c9..43978da 100644 --- a/manifests/profile/base/cinder/volume/netapp.pp +++ b/manifests/profile/base/cinder/volume/netapp.pp @@ -59,6 +59,8 @@ class tripleo::profile::base::cinder::volume::netapp ( netapp_storage_pools => hiera('cinder::backend::netapp::netapp_storage_pools', undef), netapp_eseries_host_type => hiera('cinder::backend::netapp::netapp_eseries_host_type', undef), netapp_webservice_path => hiera('cinder::backend::netapp::netapp_webservice_path', undef), + nas_secure_file_operations => hiera('cinder::backend::netapp::nas_secure_file_operations', undef), + nas_secure_file_permissions => hiera('cinder::backend::netapp::nas_secure_file_permissions', undef), } } diff --git a/manifests/profile/base/cinder/volume/nfs.pp b/manifests/profile/base/cinder/volume/nfs.pp index 7b1f1b9..e384a79 100644 --- a/manifests/profile/base/cinder/volume/nfs.pp +++ b/manifests/profile/base/cinder/volume/nfs.pp @@ -29,6 +29,23 @@ # (Optional) List of mount options for the NFS share # Defaults to '' # +# [*cinder_nas_secure_file_operations*] +# (Optional) Allow network-attached storage systems to operate in a secure +# environment where root level access is not permitted. If set to False, +# access is as the root user and insecure. If set to True, access is not as +# root. If set to auto, a check is done to determine if this is a new +# installation: True is used if so, otherwise False. Default is auto. +# Defaults to $::os_service_default +# +# [*cinder_nas_secure_file_permissions*] +# (Optional) Set more secure file permissions on network-attached storage +# volume files to restrict broad other/world access. If set to False, +# volumes are created with open permissions. If set to True, volumes are +# created with permissions for the cinder user and group (660). If set to +# auto, a check is done to determine if this is a new installation: True is +# used if so, otherwise False. Default is auto. +# Defaults to $::os_service_default +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -36,9 +53,11 @@ # class tripleo::profile::base::cinder::volume::nfs ( $cinder_nfs_servers, - $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'), - $cinder_nfs_mount_options = '', - $step = hiera('step'), + $backend_name = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'), + $cinder_nfs_mount_options = '', + $cinder_nas_secure_file_operations = $::os_service_default, + $cinder_nas_secure_file_permissions = $::os_service_default, + $step = hiera('step'), ) { include ::tripleo::profile::base::cinder::volume @@ -52,9 +71,11 @@ class tripleo::profile::base::cinder::volume::nfs ( package {'nfs-utils': } -> cinder::backend::nfs { $backend_name : - nfs_servers => $cinder_nfs_servers, - nfs_mount_options => $cinder_nfs_mount_options, - nfs_shares_config => '/etc/cinder/shares-nfs.conf', + nfs_servers => $cinder_nfs_servers, + nfs_mount_options => $cinder_nfs_mount_options, + nfs_shares_config => '/etc/cinder/shares-nfs.conf', + nas_secure_file_operations => $cinder_nas_secure_file_operations, + nas_secure_file_permissions => $cinder_nas_secure_file_permissions, } } diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index d035f6a..bc784b5 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -32,6 +32,18 @@ # Configure a registry-mirror in the /etc/docker/daemon.json file. # (defaults to false) # +# [*docker_options*] +# OPTIONS that are used to startup the docker service. NOTE: +# --selinux-enabled is dropped due to recommendations here: +# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html +# Defaults to '--log-driver=journald --signature-verification=false' +# +# [*configure_storage*] +# Boolean. Whether to configure a docker storage backend. Defaults to true. +# +# [*storage_options*] +# Storage options to configure. Defaults to '-s overlay2' +# # [*step*] # step defaults to hiera('step') # @@ -39,6 +51,9 @@ class tripleo::profile::base::docker ( $docker_namespace = undef, $insecure_registry = false, $registry_mirror = false, + $docker_options = '--log-driver=journald --signature-verification=false', + $configure_storage = true, + $storage_options = '-s overlay2', $step = hiera('step'), ) { if $step >= 1 { @@ -57,9 +72,11 @@ class tripleo::profile::base::docker ( fail('You must provide a $docker_namespace in order to configure insecure registry') } $namespace = strip($docker_namespace.split('/')[0]) - $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", ] + $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", + "set OPTIONS '\"${docker_options}\"'" ] } else { - $changes = [ 'rm INSECURE_REGISTRY', ] + $changes = [ 'rm INSECURE_REGISTRY', + "set OPTIONS '\"${docker_options}\"'" ] } augeas { 'docker-sysconfig': @@ -95,6 +112,20 @@ class tripleo::profile::base::docker ( notify => Service['docker'], require => File['/etc/docker/daemon.json'], } + if $configure_storage { + if $storage_options == undef { + fail('You must provide a $storage_options in order to configure storage') + } + $storage_changes = [ "set DOCKER_STORAGE_OPTIONS '\" ${storage_options}\"'", ] + } else { + $storage_changes = [ 'rm DOCKER_STORAGE_OPTIONS', ] + } + + augeas { 'docker-sysconfig-storage': + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/docker-storage', + changes => $storage_changes, + } } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 31f5c93..72a7bc9 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -338,5 +338,8 @@ class tripleo::profile::base::keystone ( if hiera('ec2_api_enabled', false) { include ::ec2api::keystone::auth } + if hiera('novajoin_enabled', false) { + include ::nova::metadata::novajoin::auth + } } } diff --git a/manifests/profile/base/neutron/ovs.pp b/manifests/profile/base/neutron/ovs.pp index bec7e96..97eb8e9 100644 --- a/manifests/profile/base/neutron/ovs.pp +++ b/manifests/profile/base/neutron/ovs.pp @@ -23,12 +23,27 @@ # for more details. # Defaults to hiera('step') # +# [*vhostuser_socket_dir*] +# (Optional) vhostuser socket dir, The directory where $vhostuser_socket_dir +# will be created with correct permissions, inorder to support vhostuser +# client mode. + class tripleo::profile::base::neutron::ovs( - $step = hiera('step'), + $step = hiera('step'), + $vhostuser_socket_dir = hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef) ) { include ::tripleo::profile::base::neutron if $step >= 5 { + if $vhostuser_socket_dir { + file { $vhostuser_socket_dir: + ensure => directory, + owner => 'qemu', + group => 'qemu', + mode => '0775', + } + } + include ::neutron::agents::ml2::ovs # Optional since manage_service may be false and neutron server may not be colocated. diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 65355d4..d786940 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -129,6 +129,10 @@ class tripleo::profile::base::nova ( $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211') } + validate_array($migration_ssh_localaddrs) + $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) } + $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs) + if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) include ::nova::config @@ -183,10 +187,10 @@ class tripleo::profile::base::nova ( # Nova SSH tunnel setup (cold-migration) # Server side - if !empty($migration_ssh_localaddrs) { - $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs,',')) + if !empty($migration_ssh_localaddrs_real) { + $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,',')) $deny_type = 'LocalAddress' - $deny_name = sprintf('!%s', join($migration_ssh_localaddrs,',!')) + $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!')) ssh::server::match_block { 'nova_migration deny': name => $deny_name, @@ -217,31 +221,42 @@ class tripleo::profile::base::nova ( notify => Service['sshd'] } - file { '/etc/nova/migration/authorized_keys': - content => $migration_ssh_key['public_key'], - mode => '0640', - owner => 'root', - group => 'nova_migration', - require => Package['openstack-nova-migration'], - } + $migration_authorized_keys = $migration_ssh_key['public_key'] + $migration_identity = $migration_ssh_key['private_key'] + $migration_user_shell = '/bin/bash' + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_identity = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' + } - # Client side - file { '/etc/nova/migration/identity': - content => $migration_ssh_key['private_key'], - mode => '0600', - owner => 'nova', - group => 'nova', - require => Package['openstack-nova-migration'], - } - $migration_pkg_ensure = installed - } else { - $migration_pkg_ensure = absent + package { 'openstack-nova-migration': + ensure => present, + tag => ['openstack', 'nova-package'], + } + + file { '/etc/nova/migration/authorized_keys': + content => $migration_authorized_keys, + mode => '0640', + owner => 'root', + group => 'nova_migration', + require => Package['openstack-nova-migration'] + } + + file { '/etc/nova/migration/identity': + content => $migration_identity, + mode => '0600', + owner => 'nova', + group => 'nova', + require => Package['openstack-nova-migration'] + } + + user {'nova_migration': + shell => $migration_user_shell, + require => Package['openstack-nova-migration'] } - } else { - $migration_pkg_ensure = absent - } - package {'openstack-nova-migration': - ensure => $migration_pkg_ensure } } } diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index c1d745a..811b911 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -136,6 +136,7 @@ class tripleo::profile::base::pacemaker ( remote_address => $remotes_hash[$title], reconnect_interval => $remote_reconnect_interval, op_params => "monitor interval=${remote_monitor_interval}", + verify_on_create => true, tries => $remote_tries, try_sleep => $remote_try_sleep, } diff --git a/manifests/profile/base/pacemaker_remote.pp b/manifests/profile/base/pacemaker_remote.pp index e0fff63..dfe0a3e 100644 --- a/manifests/profile/base/pacemaker_remote.pp +++ b/manifests/profile/base/pacemaker_remote.pp @@ -22,6 +22,14 @@ # Authkey for pacemaker remote nodes # Defaults to unset # +# [*pcs_tries*] +# (Optional) The number of times pcs commands should be retried. +# Defaults to hiera('pcs_tries', 20) +# +# [*enable_fencing*] +# (Optional) Whether or not to manage stonith devices for nodes +# Defaults to hiera('enable_fencing', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -29,9 +37,28 @@ # class tripleo::profile::base::pacemaker_remote ( $remote_authkey, + $pcs_tries = hiera('pcs_tries', 20), + $enable_fencing = hiera('enable_fencing', false), $step = hiera('step'), ) { class { '::pacemaker::remote': remote_authkey => $remote_authkey, } + $enable_fencing_real = str2bool($enable_fencing) and $step >= 5 + + class { '::pacemaker::stonith': + disable => !$enable_fencing_real, + tries => $pcs_tries, + } + + if $enable_fencing_real { + include ::tripleo::fencing + + # enable stonith after all Pacemaker resources have been created + Pcmk_resource<||> -> Class['tripleo::fencing'] + Pcmk_constraint<||> -> Class['tripleo::fencing'] + Exec <| tag == 'pacemaker_constraint' |> -> Class['tripleo::fencing'] + # enable stonith after all fencing devices have been created + Class['tripleo::fencing'] -> Class['pacemaker::stonith'] + } } |