path: root/manifests
Age | Commit message | Author | Files | Lines
2015-09-03 | loadbalancer: use 'source' for novnc balance mode | Emilien Macchi | 1 | -0/+3
When establishing a connection from the client (Web Browser) to the novncproxy (loadbalanced by HAproxy), we need to make sure the client will stick on the same server the time he's connected, because if HAproxy load-balances to another novncproxy node, the client will lose the connection and timeout like 'Connection Reset By Peer error'. This patch aims to configure novnc HAproxy configuration to balance using 'source' mode, so it will make sure the server remains the same while the connection is established. Change-Id: Ibbb7162b763f1fd2854a10a92a681910e0683c0a Closes-BZ: 1257324
2015-08-07 | Remove httpchk option from haproxy listeners | Giulio Fidente | 1 | -55/+9
To make sure we don't use the ssl-hello-chk option set by the puppet-haproxy module we used to redefine the listener options for all listeners. With this change a default for the options hash is provided to the puppet class instead. This change also configures use of tcpka only where wanted, as documented by [1], removing it from the haproxy defaults section, given it wasn't used anyway by the other listeners which were indeed overriding options. 1. https://github.com/beekhof/osp-ha-deploy/blob/master/pcmk/lb.scenario Change-Id: Ic8deb77533f561cea7ce7db1d20f6be5e2dc0d33
2015-08-05 | Enable Manila Service | Ryan Hefner | 1 | -0/+46
Adds bindings to the Manila service for HAProxy. Change-Id: I175d5b7e35a781d04452fc6aee610e8dca005419
2015-07-27 | Fix HAProxy config for Nova EC2 API | Jiri Stransky | 1 | -1/+1
EC2 API returns 400 for unauthenticated requests, making HAProxy believe that the service is down. We'll use TCP check instead of HTTP check for EC2 API. Change-Id: Ide7f9390603c9893b95cacd51d468461255dcf07
2015-07-23 | Merge "Implement firewalling in tripleo::firewall" | Jenkins | 2 | -69/+92
2015-07-17 | Listener options for Ironic/ceilometer/glance_registry | James Slagle | 1 | -0/+9
This updates some of the listener options set by loadbalancer.pp. Ironic needs to pass in the option to do a httpchk, otherwise puppet-haproxy defaults it to doing a ssl-hello-chk, which won't work against the non-ssl loadbalancer server. Ceilometer and glance_registry both don't support a httpchk against the root (/) of their webservers (they return a straight 401) so disable those checks completely. Change-Id: Ibfc81175842a748eb077b132b0818c4ea17bbcf6
2015-07-16 | Add param to configure HAProxy default maxconn (per frontend) | Giulio Fidente | 1 | -2/+8
The default per frontend maxconn is set to 2000, which can easily be reached with modern hardware with multiple logic cores; this change adds a parameter to configure the default maxconn value, default it to 4096 and also increases the global maxconn to 20480 to preserve the 1:5 ratio. Change-Id: I3fffc51ecc704ceccb86ca008ecba02578c29eb5
2015-07-15 | Implement firewalling in tripleo::firewall | Yanis Guenane | 2 | -69/+92
Currently firewalling is implemented in tripleo/init.pp; this commit moves it to its own scope, tripleo/firewall.pp. This is done so that in tripleo-heat-templates we can have a simple and generic `include tripleo::firewall` in every manifest - unconditional. The rest of the behavior will all be managed by hiera.

If a user wants to enable firewalling:

```
tripleo::firewall::manage_firewall: true
```

If a user wants to specify firewall rules:

```
tripleo::firewall::firewall_rules:
  '103 mongod':
    port: 27017
```

Change-Id: I144c60db2a568a94dce5b51257f1d10980173325
2015-07-14 | Merge "Add missing options to Ceilometer/Ironic/Horizon" | Jenkins | 1 | -2/+3
2015-07-14 | Merge "Remove mode tcp enforcement where unneeded, we default to mode tcp" | Jenkins | 1 | -4/+0
2015-07-10 | Merge "Implement Advanced Firewalling support" | Jenkins | 4 | -1/+257
2015-07-10 | Add missing options to Ceilometer/Ironic/Horizon | Giulio Fidente | 1 | -2/+3
Backend options for Ceilometer and Ironic are aligned with what we use for the other OpenStack services. Listener options for Horizon is updated so that we do cookie tracking as suggested by refarch doc. Change-Id: I4640d974a3ab8188919eaae79dde71463234b5ff
2015-07-09 | Merge "Add class to set noop on various puppet resources" | Jenkins | 1 | -0/+68
2015-07-08 | Merge "Add tripleo::packages" | Jenkins | 1 | -0/+54
2015-07-08 | Remove mode tcp enforcement where unneeded, we default to mode tcp | Giulio Fidente | 1 | -4/+0
Change-Id: Ic0ae6b743a732ccd2cf7e395b5ab172bf3daaf7d
2015-07-08 | Merge "Fix Heat 302 redirects" | Jenkins | 1 | -3/+9
2015-07-05 | Merge "Remove database code from puppet-tripleo" | Jenkins | 1 | -367/+0
2015-07-03 | Add class to set noop on various puppet resources | Dan Prince | 1 | -0/+68
This patch adds a new tripleo::noop class that can be used to help switch all resources of a given type to noop mode. The class does this via Puppet resource collectors to enable the noop metaparam on all resources of the specified type. When a resource is in noop mode no action will get taken (however puppet stdout will log information about what would happen if noop were removed).

The motivation for this patch is to be able to do something like this and run puppet to configure select resources (like only config files):

```
class {'tripleo::noop':
  file => false
}
```

It is important to note that when tripleo::noop is used all common resources default to noop mode. This could be used alongside docker containers to provide a mechanism to pre-configure all related config files for a set of docker containers ahead of time.

Change-Id: I67f9dbbf33a2d6bcee5005ae0b6b1aa7091039ad
2015-06-29 | Fix Heat 302 redirects | Ben Nemec | 1 | -3/+9
When doing a heat stack-show, Heat initially returns a 302 redirect. With the existing loadbalancer config for SSL, this results in a redirect to an http:// address pointing at the SSL port, which naturally doesn't work. The fix for this is to use the rsprep haproxy option to rewrite the Location header in responses from the Heat api server. This allows us to properly handle redirect traffic as https. Also note that http header rewriting requires "mode http", so that is added here as well. Change-Id: I7e5c5b1877e9aa46c4b88dfba45c1fddf61727fc
2015-06-25 | Enable support for loadbalancing Ironic | Ben Nemec | 1 | -0/+44
Just like any other OpenStack API endpoint. Change-Id: Iaa45d7bef94c3c42df0988a58f146bb8a530f74e
2015-06-25 | Add tripleo::packages | Dan Prince | 1 | -0/+54
This adds a new class to help configure package installation and upgrades. The previous approach was to use a global package declaration at the top of each manifest within the tripleo-heat-templates. The new approach is to use a Package collector (<| |>) to allow us to configure the package provider within a class. This should help remove some of the duplicated logic within the tripleo-heat-templates manifests and is also a good fit for puppet-tripleo in that it is generic and unlikely to change that often. In addition to installation this class also supports upgrades to puppet managed packages as well. Change-Id: Ie8fbc344149bc8c9977e127de77636903607617a
2015-06-25 | Merge "Introduce param to enable use of clustercheck" | Jenkins | 1 | -4/+21
2015-06-25 | Merge "Use mode tcp for glance-registry balancing" | Jenkins | 1 | -1/+1
2015-06-25 | Use mode tcp for glance-registry balancing | Giulio Fidente | 1 | -1/+1
The glance-registry service is returning 401 to httpchk, which makes haproxy think it is down. This change switches the check mode to tcp. Closes-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1234637 Closes-Bug: 1468566 Change-Id: Icdd80aa9cd56e5afd3707eb7fa38aaedb8535af6
2015-06-25 | Introduce param to enable use of clustercheck | Giulio Fidente | 1 | -4/+21
In the pacemaker scenario we want to use the clustercheck script to evict galera nodes which are out of sync. This change adds a parameter meant to enable use of clustercheck for the mysql service. Change-Id: I7199c7e5d759a76f58c0f48b40e9d460a3163886 Closes-Bug: 1456701
2015-06-23 | Remove control over the galera_master_node | Giulio Fidente | 1 | -23/+2
We do not want to give users control over the galera_master_node, this should be gathered using the clustercheck script instead. Depends-On: I56ebd2d8405ac35c707666d993b396f04aeb683e Change-Id: Ib6a36e9283b73133251fb9ff3f33e71c50edb3db Closes-Bug: 1467918 Closes-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1234817
2015-06-12 | Implement Advanced Firewalling support | Emilien Macchi | 4 | -1/+257
* Provide a Define function which will allow to manage IPtables rules.
* Manage rules in 'pre' and 'post' Puppet stages, it allows to create rules before and after regular Puppet stages (ie: to make sure no rule exists *before* and everything is blocked *after* regular Puppet stages)

Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89
2015-06-12 | Configure fencing devices | Jiri Stransky | 1 | -0/+62
Adds a class to configure fence devices and a helper function which helps to select the devices for configuration on appropriate nodes. Depends on patches outside OpenStack's Gerrit: https://github.com/redhat-openstack/puppet-pacemaker/pull/50 https://github.com/redhat-openstack/puppet-pacemaker/pull/52 Change-Id: I819fc8c126ec47cd207c59b3dcf92ff699649c5a
2015-06-03 | Configure virtual IPs for split out networks | Dan Prince | 1 | -33/+107
This patch optionally creates new virtual IPs for the storage, storage_mgmt, and internal_api networks if ip addresses are provided. Additionally the HAproxy configuration is updated to use hiera lookups to obtain virtual IPs for alternate networks. By default the ctlplane VIP is still used. Change-Id: I20483574920a1da689374b0eb1b39b0391c3d243
2015-06-02 | Use node IP lists for HA Proxy ipaddresses | Dan Prince | 1 | -19/+19
This patch updates the loadbalancer class so that it defaults to trying to use the node IP list for each respective service. This data is provided via Hiera directly (all-nodes-config provides it via the Heat templates). By default the ctlplane IP address list is still used if no service node IP list is provided. Change-Id: I34cbdf8bd525e6ab61859fe8b8c18fe613dabbfe
2015-06-02 | Drop nova_meta and glance_registry on public vip | Dan Prince | 1 | -2/+2
This patch removes the public VIP for the nova metadata and glance registry services. Change-Id: I0878f7b3eeed6e16c5d30bdf76ebca56eb49d042
2015-06-02 | Allow use of ssl for public api endpoints | Ben Nemec | 1 | -28/+261
There are two methods included: Setting $service_certificate will enable SSL for all public endpoints with the same cert file, while service-specific certificate settings allow using a cert file for just one service. Change-Id: I6f87ed2ebbea08ff1a0dff981559c8f4fc8b67cc
2015-05-14 | Increase global maxconn to 10000 and remove per-instance limit | Giulio Fidente | 1 | -2/+6
The per-instance limit to 150 can easily be reached for the database when OpenStack services are running on hosts with many CPUs. The global maxconn is increased as per astapor. See [1]. 1. https://bugzilla.redhat.com/show_bug.cgi?id=1218322 Change-Id: Ia9258372ca4f707929f11097193a91c138069725
2015-05-13 | Remove database code from puppet-tripleo | Yanis Guenane | 1 | -367/+0
The Galera code has been merged upstream directly into tripleo-heat-templates[1], since this code is not used we can remove it. [1] https://review.openstack.org/#/c/177765/ Change-Id: I536cf9b561b93ff26d03183331b6a527ab851286
2015-05-11 | Add support for haproxy_service_manage | Giulio Fidente | 1 | -1/+7
We want to let the caller decide upon having the haproxy service started and enabled or not on boot. Change-Id: I24a9fd2245a974120892a8887c8b58647c65cba9
2015-04-28 | Merge "Make setup of keepalived optional via manage_vip parameter" | Jenkins | 1 | -37/+44
2015-04-20 | Merge "Enable access to HAProxy stats page" | Jenkins | 1 | -2/+2
2015-04-20 | Merge "Do not make RabbitMQ listen on public vip" | Jenkins | 1 | -1/+1
2015-04-16 | Merge "Loadbalancer: Add support for Redis" | Jenkins | 2 | -0/+65
2015-04-16 | Do not make RabbitMQ listen on public vip | Yanis Guenane | 1 | -1/+1
Currently RabbitMQ is listening on both private vip and public vip. There is no need for RabbitMQ to listen on the public vip, so we remove it. Change-Id: I82ea2e1e18b7710ae391ffe4903439a9330b1461
2015-04-16 | Loadbalancer: Add support for Redis | Yanis Guenane | 2 | -0/+65
Add support for Redis in the loadbalancer setup. Redis loadbalancing system is particular as it does not provide clustering capabilities yet, hence this pattern[1] will be applied. [1] https://github.com/falsecz/haredis Change-Id: I80a6c284af9eceb6b669a03c5d93256261523331
2015-04-15 | Make setup of keepalived optional via manage_vip parameter | Giulio Fidente | 1 | -34/+41
Change-Id: I98b9b3dbc48009ce255d964ac580e1a31f279f1e
2015-04-13 | Enable access to HAProxy stats page | Yanis Guenane | 1 | -2/+2
Enable access to the HAProxy stats page. The listen directive is bound to the controller virtual IP address. Change-Id: Ie0012da77ffdd9bfa8f06341aca2d70991558a28
2015-04-07 | Rethink the backup option for Galera | Yanis Guenane | 1 | -8/+19
Initial logic for the backup option in the HAProxy was wrong and wouldn't do what was expected. Current logic is implemented as follows:

1. User passes an array of Galera IP addresses
2. User passes an array of Galera hostnames
3. User passes a Galera master IP and Galera master hostname

Result:

* Set a backend line with Galera master IP and Galera master hostname
* Remove those data from the two arrays of IP and Hostnames
* Set backend lines for whatever is left on those arrays with the backup option on

Change-Id: Idfd72de4fafdce2a9c16945961fee996a98049b7
2015-04-01 | Fix backend line syntax | Yanis Guenane | 1 | -1/+31
Currently since only one node was the backend until this commit[1], servername was deduced from the $::hostname fact. Since commit[1], several nodes can be the backend for a service, so we need to provide their servername also. The current situation results in HAProxy refusing to start because current lines look like

```
server 192.0.2.2:8776 check fall 5 inter 2000 rise 2
```

when they really should look like

```
server MYHOSTNAME 192.0.2.2:8776 check fall 5 inter 2000 rise 2
```

Resulting in error message: 'server' expects <name> and <addr>[:<port>] as arguments.

[1] https://review.openstack.org/#/c/168044/

Change-Id: I75424cf02f2d24308f33105f67d82a8d411e372d
2015-03-31 | Rename controller_host to controller_hosts | Yanis Guenane | 1 | -19/+35
Since we can have many controller_hosts backend in a setup, we use the plural term to define it. Change-Id: I2a46c250bc3325eef9c3128cac2ab45c88b1ae75
2015-03-31 | loadbalancer: Enable backup mode for Galera | Yanis Guenane | 1 | -1/+11
This commit allows to enable backup mode for non master galera node. Change-Id: I8b27f470ae171d77c8c8283797ff1502ef44e17f
2015-03-18 | Merge "loadbalancer: drop undef on required params" | Jenkins | 1 | -5/+5
2015-03-18 | loadbalancer: drop undef on required params | Dan Prince | 1 | -5/+5
This should allow puppet to validate the required params. Change-Id: I16b6ae1a9fbcb388bfe5a2a95022a2fdffbf0cd1
2015-03-17 | Add Puppet 4.x lint checks | Gael Chamoulaud | 2 | -36/+36
- This changes the puppet-lint requirement to 1.1.x, so that we can use puppet-lint plugins. Most of these plugins are for 4.x compat, but some just catch common errors. Change-Id: I2660b960b6ef696bd5dc8a6965b4a9aa25409b66 Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>