43 files changed, 212 insertions, 303 deletions
diff --git a/network/endpoints/endpoint_data.yaml b/network/endpoints/endpoint_data.yaml index f1dee045..5afcf5de 100644 --- a/network/endpoints/endpoint_data.yaml +++ b/network/endpoints/endpoint_data.yaml @@ -146,15 +146,15 @@ Nova: Internal: vip_param: NovaApi uri_suffixes: - '': /v2.1/%(tenant_id)s + '': /v2.1 Public: vip_param: Public uri_suffixes: - '': /v2.1/%(tenant_id)s + '': /v2.1 Admin: vip_param: NovaApi uri_suffixes: - '': /v2.1/%(tenant_id)s + '': /v2.1 port: 8774 NovaVNCProxy: diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml index 43b9921e..e1b8984f 100644 --- a/network/endpoints/endpoint_map.yaml +++ b/network/endpoints/endpoint_map.yaml @@ -1688,7 +1688,7 @@ outputs: IP_ADDRESS: {get_param: NovaApiVirtualIP} - ':' - get_param: [EndpointMap, NovaAdmin, port] - - /v2.1/%(tenant_id)s + - /v2.1 uri_no_suffix: list_join: - '' @@ -1727,7 +1727,7 @@ outputs: IP_ADDRESS: {get_param: NovaApiVirtualIP} - ':' - get_param: [EndpointMap, NovaInternal, port] - - /v2.1/%(tenant_id)s + - /v2.1 uri_no_suffix: list_join: - '' @@ -1766,7 +1766,7 @@ outputs: IP_ADDRESS: {get_param: PublicVirtualIP} - ':' - get_param: [EndpointMap, NovaPublic, port] - - /v2.1/%(tenant_id)s + - /v2.1 uri_no_suffix: list_join: - '' diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml index a2608784..9f253024 100644 --- a/overcloud-resource-registry-puppet.yaml +++ b/overcloud-resource-registry-puppet.yaml 
@@ -178,6 +178,7 @@ resource_registry: OS::TripleO::Services::Ntp: puppet/services/time/ntp.yaml OS::TripleO::Services::SwiftProxy: puppet/services/swift-proxy.yaml OS::TripleO::Services::SwiftStorage: puppet/services/swift-storage.yaml + OS::TripleO::Services::SwiftRingBuilder: puppet/services/swift-ringbuilder.yaml OS::TripleO::Services::Snmp: puppet/services/snmp.yaml OS::TripleO::Services::Timezone: puppet/services/time/timezone.yaml OS::TripleO::Services::CeilometerApi: puppet/services/ceilometer-api.yaml diff --git a/overcloud.yaml b/overcloud.yaml index 9b03e4c4..38944d72 100644 --- a/overcloud.yaml +++ b/overcloud.yaml @@ -255,18 +255,6 @@ parameters: description: A random string to be used as a salt when hashing to determine mappings in the ring. type: string hidden: true - SwiftMinPartHours: - type: number - default: 1 - description: The minimum time (in hours) before a partition in a ring can be moved following a rebalance. - SwiftPartPower: - default: 10 - description: Partition Power to use when building Swift rings - type: number - SwiftReplicas: - type: number - default: 3 - description: How many replicas to use in the swift rings. # Compute-specific params ComputeCount: @@ -401,6 +389,7 @@ parameters: - OS::TripleO::Services::Ntp - OS::TripleO::Services::SwiftProxy - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp - OS::TripleO::Services::Timezone - OS::TripleO::Services::CeilometerApi @@ -499,6 +488,7 @@ parameters: - OS::TripleO::Services::Kernel - OS::TripleO::Services::Ntp - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp - OS::TripleO::Services::Timezone description: A list of service resources (configured in the Heat 
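Review bot: Adding OS::TripleO::Services::SwiftRingBuilder to both ControllerServices and ObjectStorageServices means every controller and object-storage node builds its own copy of the rings, so the rings only agree across nodes if each node receives the identical device list and builds deterministically. The deleted manifests/ringbuilder.pp rebalanced with a fixed `seed => 999` and clamped replicas to `min(count($device_array), $replicas)`; whether the new `tripleo::profile::base::swift::ringbuilder` profile keeps both is not visible in this diff and should be confirmed before merging. A short comment next to the new list entry, `# rings are built locally on every node in this role; the device list must be identical across roles`, would record that assumption for the next person touching the service lists.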
@@ -715,9 +705,6 @@ resources: RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]} RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]} SwiftHashSuffix: {get_param: SwiftHashSuffix} - SwiftMinPartHours: {get_param: SwiftMinPartHours} - SwiftPartPower: {get_param: SwiftPartPower} - SwiftReplicas: { get_param: SwiftReplicas} ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_attr: [EndpointMap, endpoint_map]} MysqlVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]} @@ -848,10 +835,7 @@ resources: KeyName: {get_param: KeyName} Flavor: {get_param: OvercloudSwiftStorageFlavor} HashSuffix: {get_param: SwiftHashSuffix} - MinPartHours: {get_param: SwiftMinPartHours} - PartPower: {get_param: SwiftPartPower} Image: {get_param: SwiftStorageImage} - Replicas: { get_param: SwiftReplicas} UpdateIdentifier: {get_param: UpdateIdentifier} ServiceNetMap: {get_param: ServiceNetMap} Hostname: diff --git a/puppet/controller-config-pacemaker.yaml b/puppet/controller-config-pacemaker.yaml index dfebcf82..5116cac7 100644 --- a/puppet/controller-config-pacemaker.yaml +++ b/puppet/controller-config-pacemaker.yaml @@ -29,7 +29,6 @@ resources: list_join: - '' - - get_file: manifests/overcloud_controller_pacemaker.pp - - get_file: manifests/ringbuilder.pp - {get_param: StepConfig} outputs: diff --git a/puppet/controller-config.yaml b/puppet/controller-config.yaml index 458aff32..cadba703 100644 --- a/puppet/controller-config.yaml +++ b/puppet/controller-config.yaml @@ -29,7 +29,6 @@ resources: list_join: - '' - - get_file: manifests/overcloud_controller.pp - - get_file: manifests/ringbuilder.pp - {get_param: StepConfig} outputs: diff --git a/puppet/controller.yaml b/puppet/controller.yaml index a8a64b36..679fd90b 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml 
@@ -250,22 +250,6 @@ parameters: in the ring. hidden: true type: string - SwiftMinPartHours: - type: number - default: 1 - description: The minimum time (in hours) before a partition in a ring can be moved following a rebalance. - SwiftPartPower: - default: 10 - description: Partition Power to use when building Swift rings - type: number - SwiftRingBuild: - default: true - description: Whether to manage Swift rings or not - type: boolean - SwiftReplicas: - type: number - default: 3 - description: How many replicas to use in the swift rings. UpgradeLevelNovaCompute: type: string description: Nova Compute upgrade level @@ -585,10 +569,6 @@ resources: control_virtual_interface: {get_param: ControlVirtualInterface} public_virtual_interface: {get_param: PublicVirtualInterface} swift_hash_suffix: {get_param: SwiftHashSuffix} - swift_part_power: {get_param: SwiftPartPower} - swift_ring_build: {get_param: SwiftRingBuild} - swift_replicas: {get_param: SwiftReplicas} - swift_min_part_hours: {get_param: SwiftMinPartHours} enable_package_install: {get_param: EnablePackageInstall} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} swift_proxy_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftProxyNetwork]}]} @@ -713,10 +693,6 @@ resources: swift::proxy::proxy_local_net_ip: {get_input: swift_proxy_network} swift::storage::all::storage_local_net_ip: {get_input: swift_management_network} swift::swift_hash_path_suffix: {get_input: swift_hash_suffix} - tripleo::ringbuilder::build_ring: { get_input: swift_ring_build } - tripleo::ringbuilder::part_power: {get_input: swift_part_power} - tripleo::ringbuilder::replicas: {get_input: swift_replicas} - tripleo::ringbuilder::min_part_hours: {get_input: swift_min_part_hours} # Cinder tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_address: {get_input: cinder_iscsi_network} 
diff --git a/puppet/hieradata/compute.yaml b/puppet/hieradata/compute.yaml index 62728332..fe203be7 100644 --- a/puppet/hieradata/compute.yaml +++ b/puppet/hieradata/compute.yaml @@ -1,6 +1,5 @@ # Hiera data here applies to all compute nodes -nova::host: "%{::fqdn}" nova::notify_on_state_change: 'vm_and_task_state' nova::notification_driver: messagingv2 nova::compute::instance_usage_audit: true @@ -19,6 +18,4 @@ nova::compute::reserved_host_memory: 2048 ceilometer::agent::auth::auth_tenant_name: 'service' ceilometer::agent::auth::auth_endpoint_type: 'internalURL' -neutron::host: "%{::fqdn}" - compute_classes: [] diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml index 072c7c0d..3ec656dc 100644 --- a/puppet/hieradata/controller.yaml +++ b/puppet/hieradata/controller.yaml 
@@ -184,129 +184,7 @@ tripleo::haproxy::horizon: true controller_classes: [] # firewall tripleo::firewall::firewall_rules: - '101 mongodb_config': - dport: 27019 - '102 mongodb_sharding': - dport: 27018 - '103 mongod': - dport: 27017 - '104 mysql galera': - dport: - - 873 - - 3306 - - 4444 - - 4567 - - 4568 - - 9200 - '105 ntp': - dport: 123 - proto: udp - '106 vrrp': - proto: vrrp - '107 haproxy stats': - dport: 1993 - '108 redis': - dport: - - 6379 - - 26379 - '109 rabbitmq': - dport: - - 4369 - - 5672 - - 35672 - '110 ceph': - dport: - - 6789 - - '6800-6810' - '111 keystone': - dport: - - 5000 - - 13000 - - 35357 - - 13357 - '112 glance': - dport: - - 9292 - - 9191 - - 13292 - '113 nova': - dport: - - 6080 - - 13080 - - 8773 - - 3773 - - 8774 - - 13774 - - 8775 - '114 neutron server': - dport: - - 9696 - - 13696 - '115 neutron dhcp input': - proto: 'udp' - dport: 67 - '116 neutron dhcp output': - proto: 'udp' - chain: 'OUTPUT' - dport: 68 - '118 neutron vxlan networks': - proto: 'udp' - dport: 4789 - '119 cinder': - dport: - - 8776 - - 13776 - '120 iscsi initiator': - dport: 3260 - '121 memcached': - dport: 11211 - '122 swift proxy': - dport: - - 8080 - - 13808 - '123 swift storage': - dport: - - 873 - - 6000 - - 6001 - - 6002 - '124 ceilometer': - dport: - - 8777 - - 13777 - '125 heat': - dport: - - 8000 - - 13800 - - 8003 - - 13003 - - 8004 - - 13004 - '126 horizon': - dport: - - 80 - - 443 - '127 snmp': - dport: 161 - proto: 'udp' '128 aodh': dport: - 8042 - 13042 - '129 gnocchi-api': - dport: - - 8041 - - 13041 - '130 pacemaker tcp': - proto: 'tcp' - dport: - - 2224 - - 3121 - - 21064 - '131 pacemaker udp': - proto: 'udp' - dport: 5405 - '132 sahara': - dport: - - 8386 - - 13386 diff --git a/puppet/manifests/ringbuilder.pp b/puppet/manifests/ringbuilder.pp deleted file mode 100644 index 2411ff84..00000000 --- a/puppet/manifests/ringbuilder.pp +++ /dev/null 
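Review bot: `'128 aodh'` is the only rule left under `tripleo::firewall::firewall_rules` in the static controller hieradata after every other rule moved into its service template, so the Aodh API ports 8042/13042 stay open on every controller even if the Aodh service is removed from the role, and are not opened on any other role that deploys Aodh. For consistency with the rest of this change it should move into the Aodh API service template as `tripleo.aodh_api.firewall_rules:` with the same `'128 aodh'` entry, assuming such a template exists (it is not part of this diff). The remaining `tripleo::firewall::firewall_rules:` key would then be empty; leave it as `tripleo::firewall::firewall_rules: {}` so the hiera lookup still resolves to a hash rather than nil.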
@@ -1,99 +0,0 @@ -# Copyright 2015 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -define add_devices( - $swift_zones = '1' -){ - - # NOTE(dprince): Swift zones is not yet properly wired into the Heat - # templates. See: https://review.openstack.org/#/c/97758/3 - # For now our regex supports the r1z1-192.0.2.6:%PORT%/d1 syntax or the - # newer r1z%<controller or SwiftStorage><N>%-192.0.2.6:%PORT%/d1 syntax. - $server_num_or_device = regsubst($name,'^r1z%+[A-Za-z]*([0-9]+)%+-(.*)$','\1') - if (is_integer($server_num_or_device)) { - $server_num = $server_num_or_device - } else { - $server_num = '1' - } - # Function to place server in its zone. Zone is calculated by - # server number in heat template modulo the number of zones + 1. 
- $zone = (($server_num%$swift_zones) + 1) - - # add the rings - $base = regsubst($name,'^r1.*-(.*)$','\1') - $object = regsubst($base, '%PORT%', '6000') - ring_object_device { $object: - zone => '1', - weight => 100, - } - $container = regsubst($base, '%PORT%', '6001') - ring_container_device { $container: - zone => '1', - weight => 100, - } - $account = regsubst($base, '%PORT%', '6002') - ring_account_device { $account: - zone => '1', - weight => 100, - } -} - -class tripleo::ringbuilder ( - $swift_zones = '1', - $devices = '', - $build_ring = true, - $part_power, - $replicas, - $min_part_hours, -) { - - validate_bool($build_ring) - - if $build_ring { - - $device_array = strip(split(rstrip($devices), ',')) - - # create local rings - swift::ringbuilder::create{ ['object', 'account', 'container']: - part_power => $part_power, - replicas => min(count($device_array), $replicas), - min_part_hours => $min_part_hours, - } -> - - # add all other devices - add_devices {$device_array: - swift_zones => $swift_zones, - } -> - - # rebalance - swift::ringbuilder::rebalance{ ['object', 'account', 'container']: - seed => 999, - } - - Ring_object_device<| |> ~> Exec['rebalance_object'] - Ring_object_device<| |> ~> Exec['rebalance_account'] - Ring_object_device<| |> ~> Exec['rebalance_container'] - - } -} - -if hiera('step') >= 2 { - # pre-install swift here so we can build rings - include ::swift -} - -if hiera('step') >= 3 { - include ::tripleo::ringbuilder -} diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 5dce7c3d..d0f3767d 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml 
@@ -23,6 +23,12 @@ outputs: value: service_name: ceilometer-api config_settings: - get_attr: [CeilometerServiceBase, role_data, config_settings] + map_merge: + - get_attr: [CeilometerServiceBase, role_data, config_settings] + - tripleo.ceilometer_api.firewall_rules: + '124 ceilometer': + dport: + - 8777 + - 13777 step_config: | include ::tripleo::profile::base::ceilometer::api diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index 68a59450..257264ac 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml @@ -53,5 +53,10 @@ outputs: - {get_param: NovaRbdPoolName} - {get_param: GlanceRbdPoolName} - {get_param: GnocchiRbdPoolName} + tripleo.ceph_mon.firewall_rules: + '110 ceph': + dport: + - 6789 + - '6800-6810' step_config: | include ::tripleo::profile::base::ceph::mon diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 0b4817ac..0cefb380 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -39,5 +39,10 @@ outputs: cinder::api::keystone_password: {get_param: CinderPassword} cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge} + tripleo.cinder_api.firewall_rules: + '119 cinder': + dport: + - 8776 + - 13776 step_config: | include ::tripleo::profile::base::cinder::api diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index 69a38b04..8f63ff6a 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml 
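Review bot: The `'110 ceph'` rule under `tripleo.ceph_mon.firewall_rules` opens the monitor port 6789 together with `'6800-6810'`, which is the OSD daemon range, so a node that runs OSDs without the CephMon service (a dedicated storage role) gets no rule for them while every monitor host opens a range it may not listen on. Splitting the rule keeps the per-service model the rest of this change introduces: keep `dport: 6789` here and put the `'6800-6810'` range in the OSD service template's own `tripleo.ceph_osd.firewall_rules` entry, if that template exists. The 6810 ceiling is carried over from the old controller hieradata; depending on the Ceph release and the number of OSD daemons per host it may be too low, so it is worth a comment stating what it was sized for.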
@@ -76,5 +76,8 @@ outputs: tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper} tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName} tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName} + tripleo.cinder_volume.firewall_rules: + '120 iscsi initiator': + dport: 3260 step_config: | include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index c2d36fc7..6885cfd6 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -25,5 +25,12 @@ outputs: - get_attr: [MongoDbBase, role_data, config_settings] - tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]} mongodb::server::service_manage: True + tripleo.mongodb.firewall_rules: + '101 mongodb_config': + dport: 27019 + '102 mongodb_sharding': + dport: 27018 + '103 mongod': + dport: 27017 step_config: | - include ::tripleo::profile::base::database::mongodb
\ No newline at end of file + include ::tripleo::profile::base::database::mongodb diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 992dc11e..0a19b2a7 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -17,5 +17,14 @@ outputs: value: service_name: mysql config_settings: + tripleo.mysql.firewall_rules: + '104 mysql galera': + dport: + - 873 + - 3306 + - 4444 + - 4567 + - 4568 + - 9200 step_config: | include ::tripleo::profile::base::database::mysql diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml index 080f72b6..ef005f77 100644 --- a/puppet/services/database/redis.yaml +++ b/puppet/services/database/redis.yaml @@ -22,5 +22,10 @@ outputs: config_settings: map_merge: - get_attr: [RedisBase, role_data, config_settings] + - tripleo.redis.firewall_rules: + '108 redis': + dport: + - 6379 + - 26379 step_config: | include ::tripleo::profile::base::database::redis diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 120c57ff..ee4c17c7 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -104,5 +104,10 @@ outputs: glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} glance::keystone::auth::password: {get_param: GlancePassword } + tripleo.glance_api.firewall_rules: + '112 glance_api': + dport: + - 9292 + - 13292 step_config: | include ::tripleo::profile::base::glance::api diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml index 6d2144e1..f9d9dd6b 100644 --- a/puppet/services/glance-registry.yaml +++ b/puppet/services/glance-registry.yaml 
@@ -49,5 +49,9 @@ outputs: - '%' - "%{hiera('mysql_bind_host')}" + tripleo.glance_registry.firewall_rules: + '112 glance_registry': + dport: + - 9191 step_config: | include ::tripleo::profile::base::glance::registry diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index f6877632..bf23cda1 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -24,5 +24,10 @@ outputs: config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] + - tripleo.gnocchi_api.firewall_rules: + '129 gnocchi-api': + dport: + - 8041 + - 13041 step_config: | include ::tripleo::profile::base::gnocchi::api diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 73b40003..1a629c1d 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -15,5 +15,9 @@ outputs: description: Role data for the HAproxy role. value: service_name: haproxy + config_settings: + tripleo.haproxy.firewall_rules: + '107 haproxy stats': + dport: 1993 step_config: | include ::tripleo::profile::base::haproxy diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index 8d237330..67c89bb9 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml @@ -40,5 +40,10 @@ outputs: heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]} heat::keystone::auth_cfn::password: {get_param: HeatPassword} heat::keystone::auth::region: {get_param: KeystoneRegion} + tripleo.heat_api_cfn.firewall_rules: + '125 heat_cfn': + dport: + - 8000 + - 13800 step_config: | include ::tripleo::profile::base::heat::api_cfn diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml index c996cf13..32a0a58d 100644 --- a/puppet/services/heat-api-cloudwatch.yaml +++ b/puppet/services/heat-api-cloudwatch.yaml 
@@ -27,5 +27,10 @@ outputs: map_merge: - get_attr: [HeatBase, role_data, config_settings] - heat::api_cloudwatch::workers: {get_param: HeatWorkers} + tripleo.heat_api_cloudwatch.firewall_rules: + '125 heat_cloudwatch': + dport: + - 8003 + - 13003 step_config: | include ::tripleo::profile::base::heat::api_cloudwatch diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 41c7d9a1..0bb208d1 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -40,5 +40,10 @@ outputs: heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]} heat::keystone::auth::password: {get_param: HeatPassword} heat::keystone::auth::region: {get_param: KeystoneRegion} + tripleo.heat_api.firewall_rules: + '125 heat_api': + dport: + - 8004 + - 13004 step_config: | include ::tripleo::profile::base::heat::api diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index 022e3fbf..dc7ba8c9 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -31,5 +31,10 @@ outputs: template: MECHANISMS params: MECHANISMS: {get_param: NeutronMechanismDrivers} + tripleo.horizon.firewall_rules: + '126 horizon': + dport: + - 80 + - 443 step_config: | include ::tripleo::profile::base::horizon diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 83bab349..de920de3 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -136,5 +136,12 @@ outputs: keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} # override via extraconfig: keystone::wsgi::apache::threads: 1 + tripleo.keystone.firewall_rules: + '111 keystone': + dport: + - 5000 + - 13000 + - 35357 + - 13357 step_config: | include ::tripleo::profile::base::keystone diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml index 55f8c08e..ceb29b55 100644 --- a/puppet/services/memcached.yaml +++ b/puppet/services/memcached.yaml 
@@ -16,5 +16,8 @@ outputs: value: service_name: memcached config_settings: + tripleo.memcached.firewall_rules: + '121 memcached': + dport: 11211 step_config: | include ::tripleo::profile::base::memcached diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 7143cd99..301759c7 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -61,3 +61,4 @@ outputs: params: PLUGINS: {get_param: NeutronServicePlugins} neutron::debug: {get_param: Debug} + neutron::host: '"%{::fqdn}"' diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml index 5b903eac..1c57aa45 100644 --- a/puppet/services/neutron-dhcp.yaml +++ b/puppet/services/neutron-dhcp.yaml @@ -28,5 +28,13 @@ outputs: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata} + tripleo.neutron_dhcp.firewall_rules: + '115 neutron dhcp input': + proto: 'udp' + dport: 67 + '116 neutron dhcp output': + proto: 'udp' + chain: 'OUTPUT' + dport: 68 step_config: | include tripleo::profile::base::neutron::dhcp diff --git a/puppet/services/neutron-server.yaml b/puppet/services/neutron-server.yaml index 61af11f9..253a6bfe 100644 --- a/puppet/services/neutron-server.yaml +++ b/puppet/services/neutron-server.yaml @@ -72,5 +72,15 @@ outputs: neutron::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + tripleo.neutron_server.firewall_rules: + '114 neutron server': + dport: + - 9696 + - 13696 + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '106 vrrp': + proto: vrrp step_config: | include tripleo::profile::base::neutron::server diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index f6c41052..0dd8fd51 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml 
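Review bot: `'118 neutron vxlan networks'` (udp/4789) and `'106 vrrp'` are placed under `tripleo.neutron_server.firewall_rules`, but VXLAN tunnels and VRRP keepalives terminate on the nodes running the OVS and L3 agents, not on the API server; with the per-service model this change introduces, a compute or network node that does not run neutron-server will not open 4789, while a controller that runs only the API opens a tunnel port it never uses. If agent service templates exist, `'118 neutron vxlan networks'` belongs in the OVS agent template and `'106 vrrp'` in the L3 agent template. If they do not exist yet, a comment such as `# TODO: move 106/118 to the OVS/L3 agent templates once those exist` next to the two entries would flag the placement instead of leaving it looking intentional.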
@@ -32,5 +32,15 @@ outputs: nova::api::metadata_workers: {get_param: NovaWorkers} nova::cron::archive_deleted_rows::hour: '"*/12"' nova::cron::archive_deleted_rows::destination: '"/dev/null"' + tripleo.nova_api.firewall_rules: + '113 nova_api': + dport: + - 6080 + - 13080 + - 8773 + - 3773 + - 8774 + - 13774 + - 8775 step_config: | include tripleo::profile::base::nova::api diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 99ae520a..c94e0246 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -38,7 +38,7 @@ parameters: outputs: role_data: - description: Role data for the Neutron base service. + description: Role data for the Nova base service. value: service_name: nova-base config_settings: @@ -79,3 +79,4 @@ outputs: - '%' - "%{hiera('mysql_bind_host')}" nova::debug: {get_param: Debug} + nova::host: '"%{::fqdn}"' diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 3b78befe..9520cb9c 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -16,5 +16,15 @@ outputs: value: service_name: pacemaker config_settings: + tripleo.pacemaker.firewall_rules: + '130 pacemaker tcp': + proto: 'tcp' + dport: + - 2224 + - 3121 + - 21064 + '131 pacemaker udp': + proto: 'udp' + dport: 5405 step_config: | include ::tripleo::profile::base::pacemaker diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index 7b4b10ef..3c5909ca 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml @@ -36,5 +36,11 @@ outputs: rabbitmq::default_user: {get_param: RabbitUserName} rabbitmq::default_pass: {get_param: RabbitPassword} rabbit_ipv6: {get_param: RabbitIPv6} + tripleo.rabbitmq.firewall_rules: + '109 rabbitmq': + dport: + - 4369 + - 5672 + - 35672 step_config: | include ::tripleo::profile::base::rabbitmq diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index a0a98b17..c9112019 100644 
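Review bot: Port `3773` in the new `'113 nova_api'` rule does not correspond to any Nova listener in these templates; the TLS-terminated ports in the same rule follow the 13xxx pattern (13080, 13774), so 3773 looks like a carried-over typo for 13773, the HAProxy TLS port for the EC2 API. Opening a port nothing listens on is harmless today but widens the rule set for no reason; change `- 3773` to `- 13773` if that is the intended port, otherwise drop the line. The rule also opens the VNC proxy ports 6080/13080 under nova-api; if NovaVNCProxy becomes its own service template those two should move with it.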
--- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -49,5 +49,10 @@ outputs: sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]} sahara::keystone::auth::password: {get_param: SaharaPassword } sahara::keystone::auth::region: {get_param: KeystoneRegion} + tripleo.sahara_api.firewall_rules: + '132 sahara': + dport: + - 8386 + - 13386 step_config: | include ::tripleo::profile::base::sahara::api diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml index 36e510b9..458f444b 100644 --- a/puppet/services/snmp.yaml +++ b/puppet/services/snmp.yaml @@ -28,5 +28,9 @@ outputs: config_settings: snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName} snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword} + tripleo.snmp.firewall_rules: + '127 snmp': + dport: 161 + proto: 'udp' step_config: | include ::tripleo::profile::base::snmp diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 3ae1b01e..12165cc1 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -51,5 +51,10 @@ outputs: swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]} swift::keystone::auth::password: {get_param: SwiftPassword} swift::keystone::auth::region: {get_param: KeystoneRegion} + tripleo.swift_proxy.firewall_rules: + '122 swift proxy': + dport: + - 8080 + - 13808 step_config: | include ::tripleo::profile::base::swift::proxy diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml new file mode 100644 index 00000000..b341b0fc --- /dev/null +++ b/puppet/services/swift-ringbuilder.yaml 
@@ -0,0 +1,40 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Swift Ringbuilder + +parameters: + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + SwiftMinPartHours: + type: number + default: 1 + description: The minimum time (in hours) before a partition in a ring can be moved following a rebalance. + SwiftPartPower: + default: 10 + description: Partition Power to use when building Swift rings + type: number + SwiftRingBuild: + default: true + description: Whether to manage Swift rings or not + type: boolean + SwiftReplicas: + type: number + default: 3 + description: How many replicas to use in the swift rings. + +outputs: + role_data: + description: Role data for Swift Ringbuilder configuration. + value: + service_name: swift-ringbuilder + config_settings: + tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild} + tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas} + swift::ringbuilder::part_power: {get_param: SwiftPartPower} + swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours} + step_config: | + include ::tripleo::profile::base::swift::ringbuilder diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 02746a95..d63dc87c 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -41,5 +41,12 @@ outputs: # Swift swift::storage::all::mount_check: {get_param: SwiftMountCheck} tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage} + tripleo.swift_storage.firewall_rules: + '123 swift storage': + dport: + - 873 + - 6000 + - 6001 + - 6002 step_config: | include ::tripleo::profile::base::swift::storage diff --git a/puppet/services/time/ntp.yaml b/puppet/services/time/ntp.yaml index a0e51fec..59d25dd2 100644 --- a/puppet/services/time/ntp.yaml 
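Review bot: `SwiftReplicas` and `SwiftPartPower` in the new swift-ringbuilder.yaml are accepted without constraints, so a `SwiftReplicas: 0` or a negative or oversize partition power is only rejected (if at all) when swift-ring-builder runs at deployment step 3, long after the stack has been accepted. Heat range constraints catch this at validation time; as far as I recall Swift's ring builder itself rejects a partition power above 32, so that is a reasonable upper bound. The deleted manifests/ringbuilder.pp also clamped replicas to `min(count($device_array), $replicas)`; whether `tripleo::profile::base::swift::ringbuilder` still does so is not visible here and should be confirmed, since a replica count above the device count makes the rebalance fail.
```yaml
  SwiftPartPower:
    default: 10
    description: Partition Power to use when building Swift rings
    type: number
    constraints:
      - range: {min: 1, max: 32}
  # … unchanged: SwiftRingBuild …
  SwiftReplicas:
    type: number
    default: 3
    description: How many replicas to use in the swift rings.
    constraints:
      - range: {min: 1}
```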
+++ b/puppet/services/time/ntp.yaml @@ -24,5 +24,9 @@ outputs: service_name: ntp config_settings: ntp::ntpservers: {get_param: NtpServer} + tripleo.ntp.firewall_rules: + '105 ntp': + dport: 123 + proto: udp step_config: | include ::ntp diff --git a/puppet/swift-devices-and-proxy-config.yaml b/puppet/swift-devices-and-proxy-config.yaml index 92ef5c1c..14df831f 100644 --- a/puppet/swift-devices-and-proxy-config.yaml +++ b/puppet/swift-devices-and-proxy-config.yaml @@ -20,7 +20,7 @@ resources: datafiles: swift_devices_and_proxy: mapped_data: - tripleo::ringbuilder::devices: + tripleo::profile::base::swift::ringbuilder::devices: list_join: - ", " - - list_join: diff --git a/puppet/swift-storage-post.yaml b/puppet/swift-storage-post.yaml index 1c36a047..306a4d6e 100644 --- a/puppet/swift-storage-post.yaml +++ b/puppet/swift-storage-post.yaml @@ -44,7 +44,6 @@ resources: list_join: - '' - - get_file: manifests/overcloud_object.pp - - get_file: manifests/ringbuilder.pp - {get_param: [RoleData, step_config]} StorageRingbuilderDeployment_Step2: diff --git a/puppet/swift-storage.yaml b/puppet/swift-storage.yaml index 7b41c72b..034592a7 100644 --- a/puppet/swift-storage.yaml +++ b/puppet/swift-storage.yaml @@ -18,22 +18,6 @@ parameters: default: default description: Name of an existing Nova key pair to enable SSH access to the instances type: string - MinPartHours: - type: number - default: 1 - description: The minimum time (in hours) before a partition in a ring can be moved following a rebalance. - PartPower: - default: 10 - description: Partition Power to use when building Swift rings - type: number - RingBuild: - default: true - description: Whether to manage Swift rings or not - type: boolean - Replicas: - type: number - default: 3 - description: How many replicas to use in the swift rings. SnmpdReadonlyUserName: default: ro_snmp_user description: The user name for SNMPd with readonly rights running on all Overcloud nodes 
@@ -288,11 +272,7 @@ resources: raw_data: {get_file: hieradata/object.yaml} mapped_data: # data supplied directly to this deployment configuration, etc swift::swift_hash_path_suffix: { get_input: swift_hash_suffix } - tripleo::ringbuilder::build_ring: { get_input: swift_ring_build } - tripleo::ringbuilder::part_power: { get_input: swift_part_power } - tripleo::ringbuilder::replicas: {get_input: swift_replicas } swift::storage::all::storage_local_net_ip: {get_input: swift_management_network} - tripleo::ringbuilder::min_part_hours: { get_input: swift_min_part_hours } snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name} snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password} tripleo::packages::enable_install: {get_input: enable_package_install} @@ -311,10 +291,6 @@ resources: snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName} snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword} swift_hash_suffix: {get_param: HashSuffix} - swift_min_part_hours: {get_param: MinPartHours} - swift_ring_build: {get_param: RingBuild} - swift_part_power: {get_param: PartPower} - swift_replicas: { get_param: Replicas} enable_package_install: {get_param: EnablePackageInstall} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]} |