aboutsummaryrefslogtreecommitdiffstats
path: root/spec/classes
AgeCommit message (Collapse)AuthorFilesLines
2017-01-05firewall: add IPv6 supportEmilien Macchi1-13/+57
This patch adds support for ip6tables rules in TripleO, in a intuitive and flexible fashion. 1) Default firewal rules 'source' parameter to undef. It was 0.0.0.0/0 before but now undef, so we don't need complex logic to support ipv6 rules. undef will create empty source, which is the same as 0.0.0.0/0 or ::/0. 2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules. 3) Automatically create IPv6 rules like it's for IPv4. 4) Only create rules that can be created, depending on source/destination ip version. This patch should be backward compatible and adds a layer of security for IPv6 deployments. If previous deployments were manually creating Ipv6 rules, it's possible that this patch will override them. Our framework is able to configure any rule, so it shouldn't be a problem for upgrades. Co-Authored-By: Ben Nemec <bnemec@redhat.com> Closes-Bug: #1654050 Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
2017-01-04Adds a profile for the Ceph MDS serviceGiulio Fidente1-0/+59
This change adds a profile to deploy the Ceph MDS service and some basic unit tests for it. Depends-On: I558b43deaa9b243c54f3d7ae945f11dd4925eb5d Change-Id: Iaecc3ff7acb851776c5057c42a5a513a70425d2c Partial-Bug: #1644784
2017-01-04Merge "Adds ability to populate SSH Banner text"Jenkins1-0/+30
2016-12-22[CVE-2016-9599] Enforce Firewall TCP / UDP rules managementEmilien Macchi1-2/+15
This closes CVE-2016-9599. 1) Sanitize dynamic HAproxy endpoints firewall rules Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepare the hash depending on the service_port and public_ssl_port parameters and create the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified. 2) Secure Firewall rules creations The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why. Example of use-cases: - creating VRRP rules wouldn't require port parameters. - creating TCP or UDP rules would require port parameters. 3) Allow to open all traffic for TCO / UDP (when desired) Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule. Backward compatibility: - if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purpose. - if you users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure. - if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created. - TCP / UDP rules in FORWARD chain without port are still accepted. Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59 Closes-Bug: #1651831
2016-12-21Adds ability to populate SSH Banner textLuke Hinds1-0/+30
A puppet manifest to allow the toggle of 'Banner' in sshd_config and enable population of an SSH login banner needed for security compliance such as DISA STIG If `Bannertext` is set as a parameter, the `Banner` key within sshd_config is toggled to `/etc/issue` and the content is copied into the `/etc/issue` file Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e Closes-Bug: #1640306
2016-12-19Merge "Disable legacy ceilometer api by default"Jenkins1-2/+14
2016-12-17Merge "Add tripleo::ui rspec tests"Jenkins1-0/+99
2016-12-09Disable legacy ceilometer api by defaultPradeep Kilambi1-2/+14
Ceilometer api is deprectaed in Ocata. Lets disable by default. This can still be enabled by setting enable_legacy_ceilometer_api param. Change-Id: Iffb8c2cfed53d8b29e777c35cee44921194239e9
2016-12-09Merge "Add cinder profile spec tests"Jenkins13-0/+1084
2016-12-09Merge "Delete MidoNet deprecated classes and their tests"Jenkins3-216/+0
2016-12-07Delete MidoNet deprecated classes and their testsAlejandro Andreu3-216/+0
MidoNet no longer uses the API component. It has been renamed/refactored to "cluster" as it can be seen on the docs at https://blog.midonet.org/introducing-midonet-cluster-services/ Also there is no need to have a Cassandra and Zookeeper dedicated classes, as we leverage this through the use of the midonet_openstack puppet module. Change-Id: I2f17aeeac2d1b121be0d445ff555320d5af5d270 Partial-Bug: #1647302
2016-12-06Add tripleo::ui rspec testsAlex Schultz1-0/+99
Change-Id: I2eb5b84dbeedde58153bceb707fd15cce8f03d5e
2016-12-05Add cinder profile spec testsAlex Schultz13-0/+1084
This change adds rspec testing for the cinder profiles with in puppet-tripleo. Additionally while testing, it was found that the backends may incorrectly have an extra , included in the settings for cinder volume when running puppet 3. This change includes a fix the cinder volume backends to make sure we are not improperly configuring it with a trailing comma. Change-Id: Ibdfee330413b6f9aecdf42a5508c21126fc05973
2016-11-28Use FQDNs for the services' RabbitMQ configurationJuan Antonio Osorio Robles9-10/+10
This replaces the services' IP-based RabbitMQ configuration and uses FQDNs instead. Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
2016-11-25Merge "Do not configure state matching when using GRE"Jenkins1-1/+3
2016-11-24Do not configure state matching when using GREBrent Eagles1-1/+3
The firewall rule quite reasonably sets up a default state matching rule but this is invalid for GRE. This patch conditionally adds the state matching if the protocol is not GRE. Closes-Bug: #1644360 Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
2016-11-17Remove Combination alarms supportPradeep Kilambi1-16/+0
combination alarms are completely removed in Ocata. Remove this from tripleo. Change-Id: Icdf81d2f489db33533a1a0979cba3b5a652535d5
2016-11-11Normalize civetweb binding address if IPv6Giulio Fidente1-4/+12
The civetweb binding format is IP:PORT; this change ensures the IP is enclosed in brackets if IPv6. To do so we add the bind_ip and bind_port parameters to the rgw service class. Change-Id: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c Co-Authored-By: Lukas Bezdicka <social@v3.sk> Related-Bug: #1636515
2016-11-01Merge "Add barbican profile rspec testing"Jenkins2-0/+163
2016-10-19Add barbican profile rspec testingAlex Schultz2-0/+163
This change adds rspec tests for the barbican profiles to ensure they function as expected. Change-Id: I73f5405ade2cc73024efbeb2cfbfc831a2120f51
2016-10-17Add port to rabbitmq node ip listBrent Eagles2-3/+3
We use the rabbit_hosts configuration for most of our services but we haven't been adding the configured port. This patch appends the IP port used provided to the service's heat template to the IPs in the list. Note: while we could use the value set for the rabbitmq server in rabbitmq::port, it doesn't allow for dealing with SSL. This also is also backwards compatible with the RabbitClientPort parameters used in the heat templates. Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b Closes-Bug: #1633580
2016-10-14packages: run upgrade at 'setup' stageEmilien Macchi1-3/+2
Instead of using an operator to make sure we upgrade package before any service, which causes dependency cycles with iptables puppet module, let's do another approach where we upgrade rpms in the 'setup' stage, which is a stage that runs before configure and running services. In that way, we'll remove dependency cycles and make sure packages are upgrades before configure and running TripleO services. Change-Id: I1be83f88be1959885c980ab4f428477d412751f7
2016-10-07Only run ceilometer::db::sync on bootstrap nodeAlex Schultz1-2/+7
The ceilometer::db::sync is included by default in ceilometer::db but we only want it to run on the bootstrap node. This change passes the sync_db parameter to ceilometer::db to manage the db sync process rather than trying to manage the inclusion of ceilometer::db::sync within the profile class. Change-Id: Ib56db1a90dd6fbfe7582fc57b7728df81942cce2 Closes-Bug: #1629373
2016-10-05Add ceph profile rspec testingAlex Schultz5-0/+401
This change adds rspec testing for the ceph profiles in puppet-tripleo. Change-Id: I08954e011848d6b747735f11b3cbff5707460c26
2016-09-30Add ceilometer profile rspec testingAlex Schultz4-0/+308
This change adds rspec testing for the ceilometer profiles. While writing these tests, the tripleo::profile::base::ceilometer::collector class needed to have the hiera lookups moved to class parameters to allow for testing the possible options around the database backend. These tests add coverage for ipv4 and ipv6 configurations for the collector profile as well as excluding mongodb on the backend. Change-Id: I1abae040104e8492a9fe266de74080e1e7701731
2016-09-30Add aodh profile rspec testingAlex Schultz5-0/+339
This change adds rspec testing for the aodh profile and serves as an example as to how to add in spec testing using hieradata to provide some required parameters. This testing adds improved coverage for expectations around computed configuration items as well as for conditions around the steps within the tripleo deployment Change-Id: Ic763a544289a222fea97020a98821c1e375651a3
2016-09-23Merge "Add in rspec-puppet-facts support"Jenkins9-173/+128
2016-09-21Add in rspec-puppet-facts supportAlex Schultz9-173/+128
This change pulls in rspec-puppet-facts to provide the basic default facts for puppet-tripleo rspec tests. rspec-puppet-facts provides an easy to use interface to allow for the same set of tests to be executed with multiple sets of operating system facts. In most cases this includes defaults for Debian/RedHat based systems. In puppet-tripleo's case this is just RHEL/CentOS. We are removing the Fedora listing from the metadata.json as we only support RHEL and CentOS for tripleo. This change also updates the existing rspec tests to leverage rspec-puppet-facts to be more consistent with how facts are defined. Change-Id: I0ddc71799d74ee95b9828aea6a8dcb4abb4e4e62
2016-09-21Add FQDN testcase in swift proxy profile rspec testsEmilien Macchi1-0/+15
Add more coverage in our unit testing for FQDNs. Change-Id: I74859cdecc0d81138b2fe986883c4f7c49b8cab3
2016-09-20swift: normalize memcache servers IP addressesEmilien Macchi1-0/+89
In the case of memcache servers are IPv6, make sure brackets set in the way we construct the list of memcache server + memcache port parameter. Also add unit-tests to test that the output is what we want in the configuration. Depends-On: I8d361ce9cfcfe6a3f8592b2b7991971a3c748c75 Closes-Bug: 1625335 Change-Id: I9fb8168d8fb56c9d8465d58a45fd8c6edfee6fdd
2016-08-29Configure the numvfs for SRIOV interfaceskarthik s1-0/+39
This patch shall create VFs via the PCI SYS interface. Default value : $::os_service_default Sample Format : ['eth0:4','eth2:128'] For values as in sample format, the sriov_numvfs config files for eth0 and eth2 will have the values 4 and 128 respectively The SR-IOV numvfs configuration shall be persisted in /sbin/ifup-local so that, during the bootup of the compute nodes, the numvfs configuration will be restored. Change-Id: I7450b904475bdf46498d9af633416b3eba12f761 Implements: blueprint tripleo-sriov Signed-off-by: karthik s <ksundara@redhat.com>
2016-05-05Add tripleo::selinuxJames Slagle1-0/+106
Adds a class to configure SELinux. The code is taken from puppet-openstack-cloud: https://github.com/redhat-cip/puppet-openstack-cloud This allows to share the same code for usage by both the Undercloud and Overcloud. Co-Authored By: Emilien Macchi <emilien@redhat.com> Co-Authored By: Yanis Guenane <yguenane@redhat.com> blueprint undercloud-elements Change-Id: If214005df733d41c2fa4e197df247d8a14baaa14
2016-05-05Add dport/sport parameter to firewall ruleJames Slagle1-2/+16
The port parameter to puppetlabs-firewall is actually deprecated[1]. This adds support for using the new parameter names dport and sport. The port parameter is still retained in puppet-tripleo for backwards compatibily for anyone using that interface. It is marked deprecated in the documentation, however no deprecation warning is needed because there is already a warning from from puppetlabs-firewall. blueprint undercloud-elements Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
2016-04-20Add destination parameter to firewall ruleJames Slagle1-1/+6
Specifying a destination cidr is already supported by puppetlabs-firewall, we just need to pass through the parameter in rule.pp in puppet-tripleo. This will allow creating iptables rules that forward network traffic for a given cidr via puppet-tripleo. Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
2016-01-20packages: secure upgrade workflow from dependency cyclesEmilien Macchi1-5/+1
Change the workflow to be: Upgrade all packages before any services that is notified & managed by Puppet. It also disable the Exec timeout so we rely on Heat timeout and not on the 300s that are the default in Puppet [1] Example: we upgrade and OpenStack config will change (obviously). Puppet catalog will contain 3 important things: * config resources * service resources * package-upgrade Exec resource with that patch, what will happen: * puppet will update config first or second and notify services * puppet will run package-upgrade first or second but before the package-upgrade Exec resource * at the very end, puppet will restart services That way, we avoid complications with Puppet dependency cycle issues. [1] https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-timeout Closes-Bug: 1536349 Change-Id: I07310bdfc5b07b03ac9fa5f8c13e87eaa2bfef4d
2015-12-23Upgrade all packages after puppet managed onesDan Prince1-0/+52
This updates tripleo::packages so that when enable_upgrade is used it will: 1) upgrade puppet managed packages (will trigger puppet dependencies) 2) then upgrade all packages via exec 3) then restart services NOTE: the intention here is that the Exec['update-packages'] will always execute if enable_upgrade is set. It is not idempotent in this regard because I think we always want to execute it if enable_upgrade is set. Change-Id: I02f7cf07792765359f19fdf357024d9e48690e42 Related-bug: #1522943
2015-12-14Modify cassandra dependencyJaume Devesa1-7/+16
Switch to locp/cassandra module since it has much more options than midonet/puppet-cassandra and it is already defined on the openstack-puppet-modules packages in RHEL. More info: https://bugzilla.redhat.com/show_bug.cgi?id=1285718 Depends-On: I72f21036fda795b54312a7d39f04c30bbf16c41b Change-Id: Icea9bd96e4c80a26b9e813d383f84099c736d7bf
2015-12-08Fix unit tests failing against Puppet 4.3.xGael Chamoulaud1-0/+1
Change-Id: Ie2f3e29005570805fbf2ca75a930fab746f5f299 Related-bug: #1517805 Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-11-30Merge "Fix unit tests failing against Puppet 4.3.0"Jenkins1-1/+4
2015-11-25Fix unit tests failing against Puppet 4.3.0Gael Chamoulaud1-1/+4
Change-Id: I10c0d35b473026a5e1ede265099f73c803402adc Related-bug: #1517805 Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-11-23MidoNet services manifestsJaume Devesa4-0/+293
Provide TripleO overcloud manifests to deploy MidoNet and the cluster services that needs to run. Change-Id: I24f852e74fc4652d4609e1a71897e813448055fe
2015-07-15Implement firewalling in tripleo::firewallYanis Guenane2-91/+114
Currently firewalling is implemented in tripleo/init.pp this commit moves it to its own scope tripleo/firewall.pp. This is done so that in tripleo-heat-templates we can have a simple and generic `include tripleo::firewall` in every manifest - unconditional. The rest of the behavior will all be managed by hiera. If a user wants to enable firewalling: ``` tripleo::firewall::manage_firewall: true ``` If a user wants to specify firewall rules: ``` tripleo::firewall::firewall_rules: '103 mongod': port: 27017 ``` Change-Id: I144c60db2a568a94dce5b51257f1d10980173325
2015-06-12Implement Advanced Firewalling supportEmilien Macchi1-0/+114
* Provide a Define function which will allow to manage IPtables rules. * Manage rules in 'pre' and 'post' Puppet stages, it allows to create rules before and after regular Puppet stages (ie: to make sure no rule exists *before* and everything is blocked *after* regular Puppet stages) Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89