diff options
Diffstat (limited to 'manifests')
30 files changed, 980 insertions, 60 deletions
diff --git a/manifests/certmonger/ca/local.pp b/manifests/certmonger/ca/local.pp new file mode 100644 index 0000000..ea08dec --- /dev/null +++ b/manifests/certmonger/ca/local.pp @@ -0,0 +1,37 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::ca::local +# +# Does the necessary action to extract and trust certmonger's local CA. +# +# === Parameters: +# +# [*ca_pem*] +# (optional) PEM file that will contain the local CA certificate. +# Defaults to '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem' +# +class tripleo::certmonger::ca::local( + $ca_pem = '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem', +){ + $ca_pkcs12 = '/var/lib/certmonger/local/creds' + $extract_cmd = "openssl pkcs12 -in ${ca_pkcs12} -out ${ca_pem} -nokeys -nodes -passin pass:''" + $trust_ca_cmd = 'update-ca-trust extract' + exec { 'extract-and-trust-ca': + command => "${extract_cmd} && ${trust_ca_cmd}", + path => '/usr/bin', + creates => $ca_pem, + require => Package['certmonger'], + } +} diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp new file mode 100644 index 0000000..2b738e6 --- /dev/null +++ b/manifests/certmonger/haproxy.pp @@ -0,0 +1,75 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Resource: tripleo::certmonger::haproxy +# +# Request a certificate for the HAProxy service and does the necessary logic to +# get it into a format that the service understands. +# +# === Parameters +# +# [*service_pem*] +# The file in PEM format that the HAProxy service will use as a certificate. +# +# [*service_certificate*] +# The certificate file that certmonger will be tracking. +# +# [*service_key*] +# The key file that certmonger will use for the certificate. +# +# [*hostname*] +# The hostname that certmonger will use as the common name for the +# certificate. +# +# [*postsave_cmd*] +# The post-save-command that certmonger will use once it renews the +# certificate. +# +# [*principal*] +# The haproxy service principal that is set for HAProxy in kerberos. +# +define tripleo::certmonger::haproxy ( + $service_pem, + $service_certificate, + $service_key, + $hostname, + $postsave_cmd, + $principal = undef, +){ + certmonger_certificate { "${title}-cert": + hostname => $hostname, + certfile => $service_certificate, + keyfile => $service_key, + postsave_cmd => $postsave_cmd, + principal => $principal, + } + concat { $service_pem : + ensure => present, + mode => '0640', + owner => 'haproxy', + group => 'haproxy', + } + concat::fragment { "${title}-cert-fragment": + target => $service_pem, + source => $service_certificate, + order => '01', + require => Certmonger_certificate["${title}-cert"], + } + concat::fragment { "${title}-key-fragment": + target => $service_pem, + source => $service_key, + order => 10, + require => Certmonger_certificate["${title}-cert"], + } +} diff --git a/manifests/firewall.pp b/manifests/firewall.pp index 7698881..edcb5e7 100644 --- a/manifests/firewall.pp +++ b/manifests/firewall.pp @@ -86,6 +86,24 @@ class tripleo::firewall( 'stage' => 'runtime', 'firewall_settings' => $firewall_post_extras, }) + + # Allow composable services to load their own custom + # example with Hiera. + # NOTE(dprince): In the future when we have a better hiera + # heat hook we might refactor this to use hiera's merging + # capabilities instead. Until then rolling up the flat service + # keys and dynamically creating firewall rules for each service + # will allow us to compose and should work fine. + # + # Each service can load its rules by using this form: + # + # tripleo.<service name with underscores>.firewall_rules: + # '300 allow custom application 1': + # dport: 999 + # proto: udp + # action: accept + $service_names = reject(hiera('service_names', []), '^$') + tripleo::firewall::service_rules { $service_names: } } } diff --git a/manifests/firewall/service_rules.pp b/manifests/firewall/service_rules.pp new file mode 100644 index 0000000..4739f16 --- /dev/null +++ b/manifests/firewall/service_rules.pp @@ -0,0 +1,38 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Define: tripleo::firewall::service_rules +# +# Define used to create firewall rules for composable services. +# +# === Parameters: +# +# [*service_name*] +# (optional) The service_name to load firewall rules for. +# Defaults to $title +# +define tripleo::firewall::service_rules ($service_name = $title) { + + $underscore_name = regsubst($service_name, '-', '_') + + # This allows each composable service to load its own custom rules by + # creating its own flat hiera key named: + # tripleo.<service name with underscores>.firewall_rules + $service_firewall_rules = hiera("tripleo.${underscore_name}.firewall_rules", {}) + + if !empty($service_firewall_rules) { + create_resources('tripleo::firewall::rule', $service_firewall_rules) + } + +} diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index 94bfcff..ac6cb6c 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -117,4 +117,16 @@ define tripleo::haproxy::endpoint ( server_names => $server_names, options => $member_options, } + if hiera('manage_firewall', true) { + include ::tripleo::firewall + $firewall_rules = { + "100 ${name}_haproxy" => { + 'dport' => $service_port, + }, + "100 ${name}_haproxy_ssl" => { + 'dport' => $public_ssl_port, + }, + } + create_resources('tripleo::firewall::rule', $firewall_rules) + } } diff --git a/manifests/network/os_net_config.pp b/manifests/network/os_net_config.pp new file mode 100644 index 0000000..7e07f6c --- /dev/null +++ b/manifests/network/os_net_config.pp @@ -0,0 +1,35 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::network::os_net_config +# +# Configure os-net-config for TripleO. +# +class tripleo::network::os_net_config { + + include ::vswitch::ovs + ensure_packages('os-net-config', { ensure => present }) + + exec { 'os-net-config': + command => '/bin/os-net-config -c /etc/os-net-config/config.json -v --detailed-exit-codes', + returns => [0, 2], + require => [ + Package['os-net-config'], + Package['openvswitch'], + Service['openvswitch'], + ], + } + +} diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp new file mode 100644 index 0000000..27df6e4 --- /dev/null +++ b/manifests/profile/base/database/mysql.pp @@ -0,0 +1,85 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::database::mysql +# +# MySQL profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*mysql_server_options*] +# (Optional) Extras options to deploy MySQL. Useful when deploying Galera cluster. +# Should be an hash. +# Defaults to {} +# +# [*manage_resources*] +# (Optional) Whether or not manage root user, root my.cnf, and service. +# Defaults to true +# +# [*remove_default_accounts*] +# (Optional) Whether or not remove default MySQL accounts. +# Defaults to true +# +class tripleo::profile::base::database::mysql ( + $step = hiera('step'), + $mysql_server_options = {}, + $manage_resources = true, + $remove_default_accounts = true, +) { + + validate_hash($mysql_server_options) + + # non-ha scenario + if $manage_resources { + $mysql_step = 2 + } else { + # ha scenario + $mysql_step = 1 + } + if $step >= $mysql_step { + if str2bool(hiera('enable_galera', true)) { + $mysql_config_file = '/etc/my.cnf.d/galera.cnf' + } else { + $mysql_config_file = '/etc/my.cnf.d/server.cnf' + } + # TODO Galara + # FIXME: due to https://bugzilla.redhat.com/show_bug.cgi?id=1298671 we + # set bind-address to a hostname instead of an ip address; to move Mysql + # from internal_api on another network we'll have to customize both + # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap + $mysql_server_default = { + 'mysqld' => { + 'bind-address' => $::hostname, + 'max_connections' => hiera('mysql_max_connections'), + 'open_files_limit' => '-1', + } + } + $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) + class { '::mysql::server': + config_file => $mysql_config_file, + override_options => $mysql_server_options_real, + create_root_user => $manage_resources, + create_root_my_cnf => $manage_resources, + service_manage => $manage_resources, + service_enabled => $manage_resources, + remove_default_accounts => $remove_default_accounts, + } + } + +} diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp index 31a5415..7951941 100644 --- a/manifests/profile/base/haproxy.pp +++ b/manifests/profile/base/haproxy.pp @@ -27,13 +27,61 @@ # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). # +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# tripleo::profile::base::haproxy::certificates_specs: +# undercloud-haproxy-public-cert: +# service_pem: <haproxy ready pem file> +# service_certificate: <service certificate path> +# service_key: <service key path> +# hostname: <undercloud fqdn> +# postsave_cmd: <command to update certificate on resubmit> +# principal: "haproxy/<undercloud fqdn>" +# Defaults to {}. +# class tripleo::profile::base::haproxy ( - $enable_load_balancer = hiera('enable_load_balancer', true), - $step = hiera('step'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $step = hiera('step'), + $generate_service_certificates = hiera('generate_service_certificates', false), + $certmonger_ca = hiera('certmonger_ca', 'local'), + $certificates_specs = {}, ) { if $step >= 1 { if $enable_load_balancer { + if str2bool($generate_service_certificates) { + include ::certmonger + # This is only needed for certmonger's local CA. For any other CA this + # operation (trusting the CA) should be done by the deployer. + if $certmonger_ca == 'local' { + class { '::tripleo::certmonger::ca::local': + notify => Class['::tripleo::haproxy'] + } + } + + Certmonger_certificate { + ca => $certmonger_ca, + ensure => 'present', + wait => true, + require => Class['::certmonger'], + } + create_resources('::tripleo::certmonger::haproxy', $certificates_specs) + } + include ::tripleo::haproxy } } diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp index 0fc30d8..1311f20 100644 --- a/manifests/profile/base/heat.pp +++ b/manifests/profile/base/heat.pp @@ -42,6 +42,16 @@ class tripleo::profile::base::heat ( $manage_db_purge = hiera('heat_enable_db_purge', true), ) { + # Domain resources will be created at step5 on the pacemaker_master so we + # configure heat.conf at step3 and 4 but actually create the domain later. + if $step == 3 or $step == 4 { + class { '::heat::keystone::domain': + manage_domain => false, + manage_user => false, + manage_role => false, + } + } + if $step >= 4 { class { '::heat' : notification_driver => $notification_driver, diff --git a/manifests/certmonger.pp b/manifests/profile/base/monitoring/fluentd.pp index e5f5e04..1ea7d39 100644 --- a/manifests/certmonger.pp +++ b/manifests/profile/base/monitoring/fluentd.pp @@ -12,26 +12,29 @@ # License for the specific language governing permissions and limitations # under the License. # -# == Class: tripleo::certmonger +# == Class: tripleo::profile::base::monitoring::fluentd # -# Sets some default defaults necessary for the global certmonger setup. +# FluentD configuration for TripleO # # === Parameters # -# [*global_ca*] -# The certmonger nickname for the CA that will be used. +# [*step*] +# (Optional) String. The current step of the deployment +# Defaults to hiera('step') # -class tripleo::certmonger ( - $global_ca -){ - include ::certmonger +class tripleo::profile::base::monitoring::fluentd ( + $step = hiera('step', undef) +) { - Certmonger_certificate { - ca => $global_ca, - ensure => 'present', - certbackend => 'FILE', - keybackend => 'FILE', - wait => true, - require => Class['::certmonger'], + if $step == undef or $step >= 3 { + include ::fluentd + + ::fluentd::plugin { 'rubygem-fluent-plugin-add': + plugin_provider => 'yum', + } + + ::fluentd::plugin { 'rubygem-fluent-plugin-elasticsearch': + plugin_provider => 'yum', + } } } diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 52a4c73..877184d 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*step*] # (Optional) The current step of the deployment # Defaults to hiera('step') @@ -35,26 +39,32 @@ # Defaults to false # class tripleo::profile::base::nova ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = hiera('step'), $manage_migration = false, $libvirt_enabled = false, $nova_compute_enabled = false, ) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } if hiera('nova::use_ipv6', false) { - $memcached_servers = suffix(hiera('memcache_node_ips_v6'), ':11211') + $memcache_servers = suffix(hiera('memcache_node_ips_v6'), ':11211') } else { - $memcached_servers = suffix(hiera('memcache_node_ips'), ':11211') + $memcache_servers = suffix(hiera('memcache_node_ips'), ':11211') } - if $step >= 3 { + + if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) { include ::nova - # TODO(emilien): once we merge https://review.openstack.org/#/c/325983/ - # let's override the value this way. - warning('Overriding memcached_servers from puppet-tripleo until 325983 lands.') - Nova { - memcached_servers => $memcached_servers, - } include ::nova::config + class { '::nova::cache': + enabled => true, + backend => 'oslo_cache.memcache_pool', + memcache_servers => $memcache_servers, + } } if $step >= 4 { diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 9c7d295..285e0b7 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -49,5 +49,11 @@ class tripleo::profile::base::nova::api ( } include ::nova::network::neutron } + + if $step >= 5 { + if hiera('nova_enable_db_purge', true) { + include ::nova::cron::archive_deleted_rows + } + } } diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index c734906..076996a 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -38,6 +38,9 @@ class tripleo::profile::base::nova::compute ( # deploy basic bits for nova-compute include ::nova::compute + # If Service['nova-conductor'] is in catalog, make sure we start it + # before nova-compute. + Service<| title == 'nova-conductor' |> -> Service['nova-compute'] # deploy bits to connect nova compute to neutron include ::nova::network::neutron diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index fc58891..de3de3c 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -38,9 +38,9 @@ class tripleo::profile::base::pacemaker ( $pacemaker_master = false } - $enable_fencing = str2bool(hiera('enable_fencing', false)) and hiera('step') >= 5 + $enable_fencing = str2bool(hiera('enable_fencing', false)) and $step >= 5 - if hiera('step') >= 1 { + if $step >= 1 { $pacemaker_cluster_members = downcase(regsubst(hiera('controller_node_names'), ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { @@ -78,15 +78,9 @@ class tripleo::profile::base::pacemaker ( } } - if hiera('step') >= 2 { + if $step >= 2 { if $pacemaker_master { include ::pacemaker::resource_defaults - - # Create an openstack-core dummy resource. See RHBZ 1290121 - pacemaker::resource::ocf { 'openstack-core': - ocf_agent_name => 'heartbeat:Dummy', - clone_params => true, - } } } diff --git a/manifests/profile/base/swift/add_devices.pp b/manifests/profile/base/swift/add_devices.pp new file mode 100644 index 0000000..f61f418 --- /dev/null +++ b/manifests/profile/base/swift/add_devices.pp @@ -0,0 +1,59 @@ +# Copyright 2015 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# == Function: tripleo::profile::base::swift::add_devices +# +# Swift add_devices helper function +# +# === Parameters +# +# [*swift_zones*] +# (Optional) The number of swift zones. + +define tripleo::profile::base::swift::add_devices( + $swift_zones = '1' +){ + + # NOTE(dprince): Swift zones is not yet properly wired into the Heat + # templates. See: https://review.openstack.org/#/c/97758/3 + # For now our regex supports the r1z1-192.0.2.6:%PORT%/d1 syntax or the + # newer r1z%<controller or SwiftStorage><N>%-192.0.2.6:%PORT%/d1 syntax. + $server_num_or_device = regsubst($name,'^r1z%+[A-Za-z]*([0-9]+)%+-(.*)$','\1') + if (is_integer($server_num_or_device)) { + $server_num = $server_num_or_device + } else { + $server_num = '1' + } + # Function to place server in its zone. Zone is calculated by + # server number in heat template modulo the number of zones + 1. + $zone = (($server_num%$swift_zones) + 1) + + # add the rings + $base = regsubst($name,'^r1.*-(.*)$','\1') + $object = regsubst($base, '%PORT%', '6000') + ring_object_device { $object: + zone => '1', + weight => 100, + } + $container = regsubst($base, '%PORT%', '6001') + ring_container_device { $container: + zone => '1', + weight => 100, + } + $account = regsubst($base, '%PORT%', '6002') + ring_account_device { $account: + zone => '1', + weight => 100, + } +} diff --git a/manifests/profile/base/swift/ringbuilder.pp b/manifests/profile/base/swift/ringbuilder.pp new file mode 100644 index 0000000..d94c6be --- /dev/null +++ b/manifests/profile/base/swift/ringbuilder.pp @@ -0,0 +1,77 @@ +# Copyright 2015 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# == Class: tripleo::profile::base::swift::ringbuilder +# +# Swift ringbuilder profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# [*swift_zones*] +# (Optional) The swift zones +# Defaults to 1 +# [*devices*] +# (Optional) The swift devices +# Defaults to '' +# [*build_ring*] = true, +# (Optional) Whether to build the ring +# Defaults to true +# [*replicas*] +# replicas + +class tripleo::profile::base::swift::ringbuilder ( + $step = hiera('step'), + $swift_zones = '1', + $devices = '', + $build_ring = true, + $replicas, +) { + + if $step >= 2 { + # pre-install swift here so we can build rings + include ::swift + } + + if $step >= 3 { + validate_bool($build_ring) + + if $build_ring { + + $device_array = strip(split(rstrip($devices), ',')) + + # create local rings + swift::ringbuilder::create{ ['object', 'account', 'container']: + replicas => min(count($device_array), $replicas), + } -> + + # add all other devices + tripleo::profile::base::swift::add_devices {$device_array: + swift_zones => $swift_zones, + } -> + + # rebalance + swift::ringbuilder::rebalance{ ['object', 'account', 'container']: + seed => 999, + } + + Ring_object_device<| |> ~> Exec['rebalance_object'] + Ring_object_device<| |> ~> Exec['rebalance_account'] + Ring_object_device<| |> ~> Exec['rebalance_container'] + } + } +} diff --git a/manifests/profile/pacemaker/apache.pp b/manifests/profile/pacemaker/apache.pp new file mode 100644 index 0000000..4b0b16e --- /dev/null +++ b/manifests/profile/pacemaker/apache.pp @@ -0,0 +1,58 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::pacemaker::apache +# +# Apache Pacemaker HA profile for tripleo +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::pacemaker::apache ( + $bootstrap_node = hiera('bootstrap_nodeid'), + $step = hiera('step'), +) { + + if $::hostname == downcase($bootstrap_node) { + $pacemaker_master = true + } else { + $pacemaker_master = false + } + + if $step >= 5 and $pacemaker_master { + include ::apache::params + pacemaker::resource::service { $::apache::params::service_name: + clone_params => 'interleave=true', + verify_on_create => true, + } + pacemaker::constraint::base { 'openstack-core-then-httpd-constraint': + constraint_type => 'order', + first_resource => 'openstack-core-clone', + second_resource => "${::apache::params::service_name}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::apache::params::service_name], + Pacemaker::Resource::Ocf['openstack-core']], + } + } + +} diff --git a/manifests/profile/pacemaker/core.pp b/manifests/profile/pacemaker/core.pp new file mode 100644 index 0000000..b8b0781 --- /dev/null +++ b/manifests/profile/pacemaker/core.pp @@ -0,0 +1,59 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::pacemaker::core +# +# Core Pacemaker HA profile for tripleo +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::pacemaker::core ( + $bootstrap_node = hiera('bootstrap_nodeid'), + $step = hiera('step'), +) { + + if $::hostname == downcase($bootstrap_node) { + $pacemaker_master = true + } else { + $pacemaker_master = false + } + + if $step >= 2 and $pacemaker_master { + pacemaker::resource::ocf { 'openstack-core': + ocf_agent_name => 'heartbeat:Dummy', + clone_params => 'interleave=true', + } + } + + if $step >= 5 and $pacemaker_master { + pacemaker::constraint::base { 'galera-then-openstack-core-constraint': + constraint_type => 'order', + first_resource => 'galera-master', + second_resource => 'openstack-core-clone', + first_action => 'promote', + second_action => 'start', + require => [Pacemaker::Resource::Ocf['galera'], + Pacemaker::Resource::Ocf['openstack-core']], + } + } +} diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp new file mode 100644 index 0000000..cc95092 --- /dev/null +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -0,0 +1,173 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::pacemaker::database::mysql +# +# MySQL with Pacemaker profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::pacemaker::database::mysql ( + $step = hiera('step'), +) { + + if $::hostname == downcase(hiera('bootstrap_nodeid')) { + $pacemaker_master = true + } else { + $pacemaker_master = false + } + $mysql_bind_host = hiera('mysql_bind_host') + $galera_nodes = downcase(hiera('galera_node_names', $::hostname)) + $galera_nodes_count = count(split($galera_nodes, ',')) + $mysqld_options = { + 'mysqld' => { + 'skip-name-resolve' => '1', + 'binlog_format' => 'ROW', + 'default-storage-engine' => 'innodb', + 'innodb_autoinc_lock_mode' => '2', + 'innodb_locks_unsafe_for_binlog'=> '1', + 'query_cache_size' => '0', + 'query_cache_type' => '0', + 'bind-address' => $::hostname, + 'max_connections' => hiera('mysql_max_connections'), + 'open_files_limit' => '-1', + 'wsrep_on' => 'ON', + 'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so', + 'wsrep_cluster_name' => 'galera_cluster', + 'wsrep_cluster_address' => "gcomm://${galera_nodes}", + 'wsrep_slave_threads' => '1', + 'wsrep_certify_nonPK' => '1', + 'wsrep_max_ws_rows' => '131072', + 'wsrep_max_ws_size' => '1073741824', + 'wsrep_debug' => '0', + 'wsrep_convert_LOCK_to_trx' => '0', + 'wsrep_retry_autocommit' => '1', + 'wsrep_auto_increment_control' => '1', + 'wsrep_drupal_282555_workaround'=> '0', + 'wsrep_causal_reads' => '0', + 'wsrep_sst_method' => 'rsync', + 'wsrep_provider_options' => "gmcast.listen_addr=tcp://[${mysql_bind_host}]:4567;", + } + } + + class { '::tripleo::profile::base::database::mysql': + manage_resources => false, + remove_default_accounts => $pacemaker_master, + mysql_server_options => $mysqld_options, + } + + if $step >= 2 and $pacemaker_master { + if $pacemaker_master { + pacemaker::resource::ocf { 'galera' : + ocf_agent_name => 'heartbeat:galera', + op_params => 'promote timeout=300s on-fail=block', + master_params => '', + meta_params => "master-max=${galera_nodes_count} ordered=true", + resource_params => "additional_parameters='--open-files-limit=16384' enable_creation=true wsrep_cluster_address='gcomm://${galera_nodes}'", + require => Class['::mysql::server'], + before => Exec['galera-ready'], + } + exec { 'galera-ready' : + command => '/usr/bin/clustercheck >/dev/null', + timeout => 30, + tries => 180, + try_sleep => 10, + environment => ['AVAILABLE_WHEN_READONLY=0'], + require => Exec['create-root-sysconfig-clustercheck'], + } + # We add a clustercheck db user and we will switch /etc/sysconfig/clustercheck + # to it in a later step. We do this only on one node as it will replicate on + # the other members. We also make sure that the permissions are the minimum necessary + mysql_user { 'clustercheck@localhost': + ensure => 'present', + password_hash => mysql_password(hiera('mysql_clustercheck_password')), + require => Exec['galera-ready'], + } + mysql_grant { 'clustercheck@localhost/*.*': + ensure => 'present', + options => ['GRANT'], + privileges => ['PROCESS'], + table => '*.*', + user => 'clustercheck@localhost', + } + } + # This step is to create a sysconfig clustercheck file with the root user and empty password + # on the first install only (because later on the clustercheck db user will be used) + # We are using exec and not file in order to not have duplicate definition errors in puppet + # when we later set the the file to contain the clustercheck data + exec { 'create-root-sysconfig-clustercheck': + command => "/bin/echo 'MYSQL_USERNAME=root\nMYSQL_PASSWORD=\'\'\nMYSQL_HOST=localhost\n' > /etc/sysconfig/clustercheck", + unless => '/bin/test -e /etc/sysconfig/clustercheck && grep -q clustercheck /etc/sysconfig/clustercheck', + } + xinetd::service { 'galera-monitor' : + port => '9200', + server => '/usr/bin/clustercheck', + per_source => 'UNLIMITED', + log_on_success => '', + log_on_failure => 'HOST', + flags => 'REUSE', + service_type => 'UNLISTED', + user => 'root', + group => 'root', + require => Exec['create-root-sysconfig-clustercheck'], + } + } + + if $step >= 4 or ( $step >= 3 and $pacemaker_master ) { + # At this stage we are guaranteed that the clustercheck db user exists + # so we switch the resource agent to use it. + $mysql_clustercheck_password = hiera('mysql_clustercheck_password') + file { '/etc/sysconfig/clustercheck' : + ensure => file, + mode => '0600', + owner => 'root', + group => 'root', + content => "MYSQL_USERNAME=clustercheck\n +MYSQL_PASSWORD='${mysql_clustercheck_password}'\n +MYSQL_HOST=localhost\n", + } + } + + if $step >= 5 { + # We now make sure that the root db password is set to a random one + # At first installation /root/.my.cnf will be empty and we connect without a root + # password. On second runs or updates /root/.my.cnf will already be populated + # with proper credentials. This step happens on every node because this sql + # statement does not automatically replicate across nodes. + $mysql_root_password = hiera('mysql::server::root_password') + exec { 'galera-set-root-password': + command => "/bin/touch /root/.my.cnf && /bin/echo \"UPDATE mysql.user SET Password = PASSWORD('${mysql_root_password}') WHERE user = 'root'; flush privileges;\" | /bin/mysql --defaults-extra-file=/root/.my.cnf -u root", + } + file { '/root/.my.cnf' : + ensure => file, + mode => '0600', + owner => 'root', + group => 'root', + content => "[client] + user=root + password=\"${mysql_root_password}\" + + [mysql] + user=root + password=\"${mysql_root_password}\"", + require => Exec['galera-set-root-password'], + } + } + +} diff --git a/manifests/profile/pacemaker/database/redis.pp b/manifests/profile/pacemaker/database/redis.pp index 9bb96ae..27dcbe9 100644 --- a/manifests/profile/pacemaker/database/redis.pp +++ b/manifests/profile/pacemaker/database/redis.pp @@ -18,9 +18,6 @@ # # === Parameters # -# [*redis_vip*] -# Redis virtual IP -# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') @@ -36,7 +33,6 @@ # class tripleo::profile::pacemaker::database::redis ( - $redis_vip, $bootstrap_node = hiera('bootstrap_nodeid'), $enable_load_balancer = hiera('enable_load_balancer', true), $step = hiera('step'), diff --git a/manifests/profile/pacemaker/gnocchi.pp b/manifests/profile/pacemaker/gnocchi.pp index a6d472c..c8630ce 100644 --- a/manifests/profile/pacemaker/gnocchi.pp +++ b/manifests/profile/pacemaker/gnocchi.pp @@ -31,16 +31,11 @@ # for more details. # Defaults to hiera('step') # -# [*sync_db*] -# (Optional) Whether to run db sync -# Defaults to undef -# class tripleo::profile::pacemaker::gnocchi ( $gnocchi_indexer_backend = downcase(hiera('gnocchi_indexer_backend', 'mysql')), $bootstrap_node = hiera('bootstrap_nodeid'), $step = hiera('step'), - $sync_db = true, ) { Service <| tag == 'gnocchi-service' |> { @@ -64,15 +59,26 @@ class tripleo::profile::pacemaker::gnocchi ( } } - if $step >= 3 and $sync_db { + if $step >= 3 { include ::gnocchi include ::gnocchi::config include ::gnocchi::client - include ::gnocchi::db::sync + if $pacemaker_master { + include ::gnocchi::db::sync + } } if $step >= 5 and $pacemaker_master { + pacemaker::constraint::base { 'keystone-then-gnocchi-metricd-constraint': + constraint_type => 'order', + first_resource => 'openstack-core-clone', + second_resource => "${::gnocchi::params::metricd_service_name}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::gnocchi::params::metricd_service_name], + Pacemaker::Resource::Ocf['openstack-core']], + } pacemaker::constraint::base { 'gnocchi-metricd-then-gnocchi-statsd-constraint': constraint_type => 'order', first_resource => "${::gnocchi::params::metricd_service_name}-clone", diff --git a/manifests/profile/pacemaker/gnocchi/api.pp b/manifests/profile/pacemaker/gnocchi/api.pp index da65731..ede4c9a 100644 --- a/manifests/profile/pacemaker/gnocchi/api.pp +++ b/manifests/profile/pacemaker/gnocchi/api.pp @@ -28,6 +28,7 @@ class tripleo::profile::pacemaker::gnocchi::api ( ) { include ::tripleo::profile::pacemaker::gnocchi + include ::tripleo::profile::pacemaker::apache class { '::tripleo::profile::base::gnocchi::api': step => $step, diff --git a/manifests/profile/pacemaker/keystone.pp b/manifests/profile/pacemaker/keystone.pp index 5a3701b..1cd5178 100644 --- a/manifests/profile/pacemaker/keystone.pp +++ b/manifests/profile/pacemaker/keystone.pp @@ -51,6 +51,7 @@ class tripleo::profile::pacemaker::keystone ( } include ::tripleo::profile::base::keystone + include ::tripleo::profile::pacemaker::apache if $step >= 5 and $pacemaker_master and $enable_load_balancer { pacemaker::constraint::base { 'haproxy-then-keystone-constraint': @@ -76,6 +77,9 @@ class tripleo::profile::pacemaker::keystone ( require => [Pacemaker::Resource::Ocf['rabbitmq'], Pacemaker::Resource::Ocf['openstack-core']], } + File['/etc/keystone/ssl/certs/ca.pem'] -> Pacemaker::Resource::Service[$::apache::params::service_name] + File['/etc/keystone/ssl/private/signing_key.pem'] -> Pacemaker::Resource::Service[$::apache::params::service_name] + File['/etc/keystone/ssl/certs/signing_cert.pem'] -> Pacemaker::Resource::Service[$::apache::params::service_name] } } diff --git a/manifests/profile/pacemaker/manila.pp b/manifests/profile/pacemaker/manila.pp index 37cab9f..f3666c2 100644 --- a/manifests/profile/pacemaker/manila.pp +++ b/manifests/profile/pacemaker/manila.pp @@ -122,7 +122,6 @@ class tripleo::profile::pacemaker::manila ( include ::tripleo::profile::base::manila::scheduler include ::tripleo::profile::base::manila::share - $manila_generic_enable = hiera('manila_generic_enable_backend', false) if $manila_generic_enable { $manila_generic_backend = hiera('manila::backend::generic::title') manila::backend::generic { $manila_generic_backend : diff --git a/manifests/profile/pacemaker/neutron.pp b/manifests/profile/pacemaker/neutron.pp index 75a75b3..0298298 100644 --- a/manifests/profile/pacemaker/neutron.pp +++ b/manifests/profile/pacemaker/neutron.pp @@ -181,5 +181,31 @@ class tripleo::profile::pacemaker::neutron ( Pacemaker::Resource::Service[$::neutron::params::metadata_agent_service]] } } + + #VSM + if 'cisco_n1kv' in hiera('neutron::plugins::ml2::mechanism_drivers') { + pacemaker::resource::ocf { 'vsm-p' : + ocf_agent_name => 'heartbeat:VirtualDomain', + resource_params => 'force_stop=true config=/var/spool/cisco/vsm/vsm_primary_deploy.xml', + require => Class['n1k_vsm'], + meta_params => 'resource-stickiness=INFINITY', + } + if str2bool(hiera('n1k_vsm::pacemaker_control', true)) { + pacemaker::resource::ocf { 'vsm-s' : + ocf_agent_name => 'heartbeat:VirtualDomain', + resource_params => 'force_stop=true config=/var/spool/cisco/vsm/vsm_secondary_deploy.xml', + require => Class['n1k_vsm'], + meta_params => 'resource-stickiness=INFINITY', + } + pacemaker::constraint::colocation { 'vsm-colocation-contraint': + source => 'vsm-p', + target => 'vsm-s', + score => '-INFINITY', + require => [Pacemaker::Resource::Ocf['vsm-p'], + Pacemaker::Resource::Ocf['vsm-s']], + } + } + } + } } diff --git a/manifests/profile/pacemaker/nova.pp b/manifests/profile/pacemaker/nova.pp index 13c6128..62a8042 100644 --- a/manifests/profile/pacemaker/nova.pp +++ b/manifests/profile/pacemaker/nova.pp @@ -26,6 +26,13 @@ class tripleo::profile::pacemaker::nova ( $step = hiera('step'), ) { - include ::tripleo::profile::base::nova + Service <| + tag == 'nova-service' + |> { + hasrestart => true, + restart => '/bin/true', + start => '/bin/true', + stop => '/bin/true', + } } diff --git a/manifests/profile/pacemaker/nova/api.pp b/manifests/profile/pacemaker/nova/api.pp index 8a6dc8d..5e8f15f 100644 --- a/manifests/profile/pacemaker/nova/api.pp +++ b/manifests/profile/pacemaker/nova/api.pp @@ -48,6 +48,40 @@ class tripleo::profile::pacemaker::nova::api ( pacemaker::resource::service { $::nova::params::api_service_name: clone_params => 'interleave=true', } + + pacemaker::constraint::base { 'nova-vncproxy-then-nova-api-constraint': + constraint_type => 'order', + first_resource => "${::nova::params::vncproxy_service_name}-clone", + second_resource => "${::nova::params::api_service_name}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::nova::params::vncproxy_service_name], + Pacemaker::Resource::Service[$::nova::params::api_service_name]], + } + pacemaker::constraint::colocation { 'nova-api-with-nova-vncproxy-colocation': + source => "${::nova::params::api_service_name}-clone", + target => "${::nova::params::vncproxy_service_name}-clone", + score => 'INFINITY', + require => [Pacemaker::Resource::Service[$::nova::params::vncproxy_service_name], + Pacemaker::Resource::Service[$::nova::params::api_service_name]], + } + pacemaker::constraint::base { 'nova-api-then-nova-scheduler-constraint': + constraint_type => 'order', + first_resource => "${::nova::params::api_service_name}-clone", + second_resource => "${::nova::params::scheduler_service_name}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::nova::params::api_service_name], + Pacemaker::Resource::Service[$::nova::params::scheduler_service_name]], + } + pacemaker::constraint::colocation { 'nova-scheduler-with-nova-api-colocation': + source => "${::nova::params::scheduler_service_name}-clone", + target => "${::nova::params::api_service_name}-clone", + score => 'INFINITY', + require => [Pacemaker::Resource::Service[$::nova::params::api_service_name], + Pacemaker::Resource::Service[$::nova::params::scheduler_service_name]], + } + } } diff --git a/manifests/profile/pacemaker/nova/conductor.pp b/manifests/profile/pacemaker/nova/conductor.pp index 495c92e..3e390e0 100644 --- a/manifests/profile/pacemaker/nova/conductor.pp +++ b/manifests/profile/pacemaker/nova/conductor.pp @@ -47,6 +47,30 @@ class tripleo::profile::pacemaker::nova::conductor ( pacemaker::resource::service { $::nova::params::conductor_service_name: clone_params => 'interleave=true', } + + pacemaker::constraint::base { 'nova-scheduler-then-nova-conductor-constraint': + constraint_type => 'order', + first_resource => "${::nova::params::scheduler_service_name}-clone", + second_resource => "${::nova::params::conductor_service_name}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::nova::params::scheduler_service_name], + Pacemaker::Resource::Service[$::nova::params::conductor_service_name]], + } + pacemaker::constraint::colocation { 'nova-conductor-with-nova-scheduler-colocation': + source => "${::nova::params::conductor_service_name}-clone", + target => "${::nova::params::scheduler_service_name}-clone", + score => 'INFINITY', + require => [Pacemaker::Resource::Service[$::nova::params::scheduler_service_name], + Pacemaker::Resource::Service[$::nova::params::conductor_service_name]], + } + + + # If Service['nova-compute'] is in catalog, make sure we start it after + # nova-conductor pcmk resource. + # Also make sure to restart nova-compute if nova-conductor pcmk resource changed + # the state, since nova-compute is deployed at a previous step. + Pacemaker::Resource::Service[$::nova::params::conductor_service_name] ~> Service<| title == 'nova-compute' |> } } diff --git a/manifests/profile/pacemaker/nova/consoleauth.pp b/manifests/profile/pacemaker/nova/consoleauth.pp index fb9428a..ad538c4 100644 --- a/manifests/profile/pacemaker/nova/consoleauth.pp +++ b/manifests/profile/pacemaker/nova/consoleauth.pp @@ -47,6 +47,40 @@ class tripleo::profile::pacemaker::nova::consoleauth ( pacemaker::resource::service { $::nova::params::consoleauth_service_name: clone_params => 'interleave=true', } + + pacemaker::constraint::base { 'keystone-then-nova-consoleauth-constraint': + constraint_type => 'order', + first_resource => 'openstack-core-clone', + second_resource => "${::nova::params::consoleauth_service_name}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::nova::params::consoleauth_service_name], + Pacemaker::Resource::Ocf['openstack-core']], + } + pacemaker::constraint::colocation { 'nova-consoleauth-with-openstack-core': + source => "${::nova::params::consoleauth_service_name}-clone", + target => 'openstack-core-clone', + score => 'INFINITY', + require => [Pacemaker::Resource::Service[$::nova::params::consoleauth_service_name], + Pacemaker::Resource::Ocf['openstack-core']], + } + pacemaker::constraint::base { 'nova-consoleauth-then-nova-vncproxy-constraint': + constraint_type => 'order', + first_resource => "${::nova::params::consoleauth_service_name}-clone", + second_resource => "${::nova::params::vncproxy_service_name}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::nova::params::consoleauth_service_name], + Pacemaker::Resource::Service[$::nova::params::vncproxy_service_name]], + } + pacemaker::constraint::colocation { 'nova-vncproxy-with-nova-consoleauth-colocation': + source => "${::nova::params::vncproxy_service_name}-clone", + target => "${::nova::params::consoleauth_service_name}-clone", + score => 'INFINITY', + require => [Pacemaker::Resource::Service[$::nova::params::consoleauth_service_name], + Pacemaker::Resource::Service[$::nova::params::vncproxy_service_name]], + } + } } diff --git a/manifests/profile/pacemaker/sahara.pp b/manifests/profile/pacemaker/sahara.pp index e6e5117..0627017 100644 --- a/manifests/profile/pacemaker/sahara.pp +++ b/manifests/profile/pacemaker/sahara.pp @@ -18,18 +18,13 @@ # # === Parameters # -# [*bootstrap_node*] -# (Optional) The hostname of the node responsible for bootstrapping tasks -# Defaults to hiera('bootstrap_nodeid') -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::pacemaker::sahara ( - $bootstrap_node = hiera('bootstrap_nodeid'), - $step = hiera('step'), + $step = hiera('step'), ) { Service <| tag == 'sahara-service' |> { @@ -39,11 +34,5 @@ class tripleo::profile::pacemaker::sahara ( stop => '/bin/true', } - if $::hostname == downcase($bootstrap_node) { - $pacemaker_master = true - } else { - $pacemaker_master = false - } - include ::tripleo::profile::base::sahara } |