3 files changed, 45 insertions, 7 deletions
diff --git a/manifests/profile/base/cinder/volume/netapp.pp b/manifests/profile/base/cinder/volume/netapp.pp
index fc652c9..43978da 100644
--- a/manifests/profile/base/cinder/volume/netapp.pp
+++ b/manifests/profile/base/cinder/volume/netapp.pp
@@ -59,6 +59,8 @@ class tripleo::profile::base::cinder::volume::netapp (
       netapp_storage_pools         => hiera('cinder::backend::netapp::netapp_storage_pools', undef),
       netapp_eseries_host_type     => hiera('cinder::backend::netapp::netapp_eseries_host_type', undef),
       netapp_webservice_path       => hiera('cinder::backend::netapp::netapp_webservice_path', undef),
+      nas_secure_file_operations   => hiera('cinder::backend::netapp::nas_secure_file_operations', undef),
+      nas_secure_file_permissions  => hiera('cinder::backend::netapp::nas_secure_file_permissions', undef),
     }
   }
 
diff --git a/manifests/profile/base/cinder/volume/nfs.pp b/manifests/profile/base/cinder/volume/nfs.pp
index 7b1f1b9..e384a79 100644
--- a/manifests/profile/base/cinder/volume/nfs.pp
+++ b/manifests/profile/base/cinder/volume/nfs.pp
@@ -29,6 +29,23 @@
 #   (Optional) List of mount options for the NFS share
 #   Defaults to ''
 #
+# [*cinder_nas_secure_file_operations*]
+#   (Optional) Allow network-attached storage systems to operate in a secure
+#   environment where root level access is not permitted. If set to False,
+#   access is as the root user and insecure. If set to True, access is not as
+#   root. If set to auto, a check is done to determine if this is a new
+#   installation: True is used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
+# [*cinder_nas_secure_file_permissions*]
+#   (Optional) Set more secure file permissions on network-attached storage
+#   volume files to restrict broad other/world access. If set to False,
+#   volumes are created with open permissions. If set to True, volumes are
+#   created with permissions for the cinder user and group (660). If set to
+#   auto, a check is done to determine if this is a new installation: True is
+#   used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -36,9 +53,11 @@
 #
 class tripleo::profile::base::cinder::volume::nfs (
   $cinder_nfs_servers,
-  $backend_name             = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
-  $cinder_nfs_mount_options = '',
-  $step                     = hiera('step'),
+  $backend_name                       = hiera('cinder::backend::nfs::volume_backend_name', 'tripleo_nfs'),
+  $cinder_nfs_mount_options           = '',
+  $cinder_nas_secure_file_operations  = $::os_service_default,
+  $cinder_nas_secure_file_permissions = $::os_service_default,
+  $step                               = hiera('step'),
 ) {
   include ::tripleo::profile::base::cinder::volume
 
@@ -52,9 +71,11 @@ class tripleo::profile::base::cinder::volume::nfs (
 
     package {'nfs-utils': } ->
     cinder::backend::nfs { $backend_name :
-      nfs_servers       => $cinder_nfs_servers,
-      nfs_mount_options => $cinder_nfs_mount_options,
-      nfs_shares_config => '/etc/cinder/shares-nfs.conf',
+      nfs_servers                 => $cinder_nfs_servers,
+      nfs_mount_options           => $cinder_nfs_mount_options,
+      nfs_shares_config           => '/etc/cinder/shares-nfs.conf',
+      nas_secure_file_operations  => $cinder_nas_secure_file_operations,
+      nas_secure_file_permissions => $cinder_nas_secure_file_permissions,
     }
   }
 
diff --git a/manifests/profile/base/neutron/ovs.pp b/manifests/profile/base/neutron/ovs.pp
index bec7e96..97eb8e9 100644
--- a/manifests/profile/base/neutron/ovs.pp
+++ b/manifests/profile/base/neutron/ovs.pp
@@ -23,12 +23,27 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*vhostuser_socket_dir*]
+#   (Optional) vhostuser socket dir, The directory where $vhostuser_socket_dir
+#   will be created with correct permissions, inorder to support vhostuser
+#   client mode.
+
 class tripleo::profile::base::neutron::ovs(
-  $step           = hiera('step'),
+  $step                 = hiera('step'),
+  $vhostuser_socket_dir = hiera('neutron::agents::ml2::ovs::vhostuser_socket_dir', undef)
 ) {
   include ::tripleo::profile::base::neutron
 
   if $step >= 5 {
+    if $vhostuser_socket_dir {
+      file { $vhostuser_socket_dir:
+        ensure => directory,
+        owner  => 'qemu',
+        group  => 'qemu',
+        mode   => '0775',
+      }
+    }
+
     include ::neutron::agents::ml2::ovs
 
     # Optional since manage_service may be false and neutron server may not be colocated.