-rw-r--r--network/endpoints/endpoint_data.yaml6
-rw-r--r--network/endpoints/endpoint_map.yaml6
-rw-r--r--overcloud-resource-registry-puppet.yaml1
-rw-r--r--overcloud.yaml20
-rw-r--r--puppet/controller-config-pacemaker.yaml1
-rw-r--r--puppet/controller-config.yaml1
-rw-r--r--puppet/controller.yaml24
-rw-r--r--puppet/hieradata/compute.yaml3
-rw-r--r--puppet/hieradata/controller.yaml122
-rw-r--r--puppet/manifests/ringbuilder.pp99
-rw-r--r--puppet/services/ceilometer-api.yaml8
-rw-r--r--puppet/services/ceph-mon.yaml5
-rw-r--r--puppet/services/cinder-api.yaml5
-rw-r--r--puppet/services/cinder-volume.yaml3
-rw-r--r--puppet/services/database/mongodb.yaml9
-rw-r--r--puppet/services/database/mysql.yaml9
-rw-r--r--puppet/services/database/redis.yaml5
-rw-r--r--puppet/services/glance-api.yaml5
-rw-r--r--puppet/services/glance-registry.yaml4
-rw-r--r--puppet/services/gnocchi-api.yaml5
-rw-r--r--puppet/services/haproxy.yaml4
-rw-r--r--puppet/services/heat-api-cfn.yaml5
-rw-r--r--puppet/services/heat-api-cloudwatch.yaml5
-rw-r--r--puppet/services/heat-api.yaml5
-rw-r--r--puppet/services/horizon.yaml5
-rw-r--r--puppet/services/keystone.yaml7
-rw-r--r--puppet/services/memcached.yaml3
-rw-r--r--puppet/services/neutron-base.yaml1
-rw-r--r--puppet/services/neutron-dhcp.yaml8
-rw-r--r--puppet/services/neutron-server.yaml10
-rw-r--r--puppet/services/nova-api.yaml10
-rw-r--r--puppet/services/nova-base.yaml3
-rw-r--r--puppet/services/pacemaker.yaml10
-rw-r--r--puppet/services/rabbitmq.yaml6
-rw-r--r--puppet/services/sahara-api.yaml5
-rw-r--r--puppet/services/snmp.yaml4
-rw-r--r--puppet/services/swift-proxy.yaml5
-rw-r--r--puppet/services/swift-ringbuilder.yaml40
-rw-r--r--puppet/services/swift-storage.yaml7
-rw-r--r--puppet/services/time/ntp.yaml4
-rw-r--r--puppet/swift-devices-and-proxy-config.yaml2
-rw-r--r--puppet/swift-storage-post.yaml1
-rw-r--r--puppet/swift-storage.yaml24
43 files changed, 212 insertions, 303 deletions
diff --git a/network/endpoints/endpoint_data.yaml b/network/endpoints/endpoint_data.yaml
index f1dee045..5afcf5de 100644
--- a/network/endpoints/endpoint_data.yaml
+++ b/network/endpoints/endpoint_data.yaml
@@ -146,15 +146,15 @@ Nova:
Internal:
vip_param: NovaApi
uri_suffixes:
- '': /v2.1/%(tenant_id)s
+ '': /v2.1
Public:
vip_param: Public
uri_suffixes:
- '': /v2.1/%(tenant_id)s
+ '': /v2.1
Admin:
vip_param: NovaApi
uri_suffixes:
- '': /v2.1/%(tenant_id)s
+ '': /v2.1
port: 8774
NovaVNCProxy:
diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml
index 43b9921e..e1b8984f 100644
--- a/network/endpoints/endpoint_map.yaml
+++ b/network/endpoints/endpoint_map.yaml
@@ -1688,7 +1688,7 @@ outputs:
IP_ADDRESS: {get_param: NovaApiVirtualIP}
- ':'
- get_param: [EndpointMap, NovaAdmin, port]
- - /v2.1/%(tenant_id)s
+ - /v2.1
uri_no_suffix:
list_join:
- ''
@@ -1727,7 +1727,7 @@ outputs:
IP_ADDRESS: {get_param: NovaApiVirtualIP}
- ':'
- get_param: [EndpointMap, NovaInternal, port]
- - /v2.1/%(tenant_id)s
+ - /v2.1
uri_no_suffix:
list_join:
- ''
@@ -1766,7 +1766,7 @@ outputs:
IP_ADDRESS: {get_param: PublicVirtualIP}
- ':'
- get_param: [EndpointMap, NovaPublic, port]
- - /v2.1/%(tenant_id)s
+ - /v2.1
uri_no_suffix:
list_join:
- ''
diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml
index a2608784..9f253024 100644
--- a/overcloud-resource-registry-puppet.yaml
+++ b/overcloud-resource-registry-puppet.yaml
@@ -178,6 +178,7 @@ resource_registry:
OS::TripleO::Services::Ntp: puppet/services/time/ntp.yaml
OS::TripleO::Services::SwiftProxy: puppet/services/swift-proxy.yaml
OS::TripleO::Services::SwiftStorage: puppet/services/swift-storage.yaml
+ OS::TripleO::Services::SwiftRingBuilder: puppet/services/swift-ringbuilder.yaml
OS::TripleO::Services::Snmp: puppet/services/snmp.yaml
OS::TripleO::Services::Timezone: puppet/services/time/timezone.yaml
OS::TripleO::Services::CeilometerApi: puppet/services/ceilometer-api.yaml
diff --git a/overcloud.yaml b/overcloud.yaml
index 9b03e4c4..38944d72 100644
--- a/overcloud.yaml
+++ b/overcloud.yaml
@@ -255,18 +255,6 @@ parameters:
description: A random string to be used as a salt when hashing to determine mappings in the ring.
type: string
hidden: true
- SwiftMinPartHours:
- type: number
- default: 1
- description: The minimum time (in hours) before a partition in a ring can be moved following a rebalance.
- SwiftPartPower:
- default: 10
- description: Partition Power to use when building Swift rings
- type: number
- SwiftReplicas:
- type: number
- default: 3
- description: How many replicas to use in the swift rings.
# Compute-specific params
ComputeCount:
@@ -401,6 +389,7 @@ parameters:
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::SwiftProxy
- OS::TripleO::Services::SwiftStorage
+ - OS::TripleO::Services::SwiftRingBuilder
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::CeilometerApi
@@ -499,6 +488,7 @@ parameters:
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::SwiftStorage
+ - OS::TripleO::Services::SwiftRingBuilder
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Timezone
description: A list of service resources (configured in the Heat
@@ -715,9 +705,6 @@ resources:
RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]}
SwiftHashSuffix: {get_param: SwiftHashSuffix}
- SwiftMinPartHours: {get_param: SwiftMinPartHours}
- SwiftPartPower: {get_param: SwiftPartPower}
- SwiftReplicas: { get_param: SwiftReplicas}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_attr: [EndpointMap, endpoint_map]}
MysqlVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
@@ -848,10 +835,7 @@ resources:
KeyName: {get_param: KeyName}
Flavor: {get_param: OvercloudSwiftStorageFlavor}
HashSuffix: {get_param: SwiftHashSuffix}
- MinPartHours: {get_param: SwiftMinPartHours}
- PartPower: {get_param: SwiftPartPower}
Image: {get_param: SwiftStorageImage}
- Replicas: { get_param: SwiftReplicas}
UpdateIdentifier: {get_param: UpdateIdentifier}
ServiceNetMap: {get_param: ServiceNetMap}
Hostname:
diff --git a/puppet/controller-config-pacemaker.yaml b/puppet/controller-config-pacemaker.yaml
index dfebcf82..5116cac7 100644
--- a/puppet/controller-config-pacemaker.yaml
+++ b/puppet/controller-config-pacemaker.yaml
@@ -29,7 +29,6 @@ resources:
list_join:
- ''
- - get_file: manifests/overcloud_controller_pacemaker.pp
- - get_file: manifests/ringbuilder.pp
- {get_param: StepConfig}
outputs:
diff --git a/puppet/controller-config.yaml b/puppet/controller-config.yaml
index 458aff32..cadba703 100644
--- a/puppet/controller-config.yaml
+++ b/puppet/controller-config.yaml
@@ -29,7 +29,6 @@ resources:
list_join:
- ''
- - get_file: manifests/overcloud_controller.pp
- - get_file: manifests/ringbuilder.pp
- {get_param: StepConfig}
outputs:
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index a8a64b36..679fd90b 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -250,22 +250,6 @@ parameters:
in the ring.
hidden: true
type: string
- SwiftMinPartHours:
- type: number
- default: 1
- description: The minimum time (in hours) before a partition in a ring can be moved following a rebalance.
- SwiftPartPower:
- default: 10
- description: Partition Power to use when building Swift rings
- type: number
- SwiftRingBuild:
- default: true
- description: Whether to manage Swift rings or not
- type: boolean
- SwiftReplicas:
- type: number
- default: 3
- description: How many replicas to use in the swift rings.
UpgradeLevelNovaCompute:
type: string
description: Nova Compute upgrade level
@@ -585,10 +569,6 @@ resources:
control_virtual_interface: {get_param: ControlVirtualInterface}
public_virtual_interface: {get_param: PublicVirtualInterface}
swift_hash_suffix: {get_param: SwiftHashSuffix}
- swift_part_power: {get_param: SwiftPartPower}
- swift_ring_build: {get_param: SwiftRingBuild}
- swift_replicas: {get_param: SwiftReplicas}
- swift_min_part_hours: {get_param: SwiftMinPartHours}
enable_package_install: {get_param: EnablePackageInstall}
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
swift_proxy_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftProxyNetwork]}]}
@@ -713,10 +693,6 @@ resources:
swift::proxy::proxy_local_net_ip: {get_input: swift_proxy_network}
swift::storage::all::storage_local_net_ip: {get_input: swift_management_network}
swift::swift_hash_path_suffix: {get_input: swift_hash_suffix}
- tripleo::ringbuilder::build_ring: { get_input: swift_ring_build }
- tripleo::ringbuilder::part_power: {get_input: swift_part_power}
- tripleo::ringbuilder::replicas: {get_input: swift_replicas}
- tripleo::ringbuilder::min_part_hours: {get_input: swift_min_part_hours}
# Cinder
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_address: {get_input: cinder_iscsi_network}
diff --git a/puppet/hieradata/compute.yaml b/puppet/hieradata/compute.yaml
index 62728332..fe203be7 100644
--- a/puppet/hieradata/compute.yaml
+++ b/puppet/hieradata/compute.yaml
@@ -1,6 +1,5 @@
# Hiera data here applies to all compute nodes
-nova::host: "%{::fqdn}"
nova::notify_on_state_change: 'vm_and_task_state'
nova::notification_driver: messagingv2
nova::compute::instance_usage_audit: true
@@ -19,6 +18,4 @@ nova::compute::reserved_host_memory: 2048
ceilometer::agent::auth::auth_tenant_name: 'service'
ceilometer::agent::auth::auth_endpoint_type: 'internalURL'
-neutron::host: "%{::fqdn}"
-
compute_classes: []
diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml
index 072c7c0d..3ec656dc 100644
--- a/puppet/hieradata/controller.yaml
+++ b/puppet/hieradata/controller.yaml
@@ -184,129 +184,7 @@ tripleo::haproxy::horizon: true
controller_classes: []
# firewall
tripleo::firewall::firewall_rules:
- '101 mongodb_config':
- dport: 27019
- '102 mongodb_sharding':
- dport: 27018
- '103 mongod':
- dport: 27017
- '104 mysql galera':
- dport:
- - 873
- - 3306
- - 4444
- - 4567
- - 4568
- - 9200
- '105 ntp':
- dport: 123
- proto: udp
- '106 vrrp':
- proto: vrrp
- '107 haproxy stats':
- dport: 1993
- '108 redis':
- dport:
- - 6379
- - 26379
- '109 rabbitmq':
- dport:
- - 4369
- - 5672
- - 35672
- '110 ceph':
- dport:
- - 6789
- - '6800-6810'
- '111 keystone':
- dport:
- - 5000
- - 13000
- - 35357
- - 13357
- '112 glance':
- dport:
- - 9292
- - 9191
- - 13292
- '113 nova':
- dport:
- - 6080
- - 13080
- - 8773
- - 3773
- - 8774
- - 13774
- - 8775
- '114 neutron server':
- dport:
- - 9696
- - 13696
- '115 neutron dhcp input':
- proto: 'udp'
- dport: 67
- '116 neutron dhcp output':
- proto: 'udp'
- chain: 'OUTPUT'
- dport: 68
- '118 neutron vxlan networks':
- proto: 'udp'
- dport: 4789
- '119 cinder':
- dport:
- - 8776
- - 13776
- '120 iscsi initiator':
- dport: 3260
- '121 memcached':
- dport: 11211
- '122 swift proxy':
- dport:
- - 8080
- - 13808
- '123 swift storage':
- dport:
- - 873
- - 6000
- - 6001
- - 6002
- '124 ceilometer':
- dport:
- - 8777
- - 13777
- '125 heat':
- dport:
- - 8000
- - 13800
- - 8003
- - 13003
- - 8004
- - 13004
- '126 horizon':
- dport:
- - 80
- - 443
- '127 snmp':
- dport: 161
- proto: 'udp'
'128 aodh':
dport:
- 8042
- 13042
- '129 gnocchi-api':
- dport:
- - 8041
- - 13041
- '130 pacemaker tcp':
- proto: 'tcp'
- dport:
- - 2224
- - 3121
- - 21064
- '131 pacemaker udp':
- proto: 'udp'
- dport: 5405
- '132 sahara':
- dport:
- - 8386
- - 13386
diff --git a/puppet/manifests/ringbuilder.pp b/puppet/manifests/ringbuilder.pp
deleted file mode 100644
index 2411ff84..00000000
--- a/puppet/manifests/ringbuilder.pp
+++ /dev/null
@@ -1,99 +0,0 @@
-# Copyright 2015 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-define add_devices(
- $swift_zones = '1'
-){
-
- # NOTE(dprince): Swift zones is not yet properly wired into the Heat
- # templates. See: https://review.openstack.org/#/c/97758/3
- # For now our regex supports the r1z1-192.0.2.6:%PORT%/d1 syntax or the
- # newer r1z%<controller or SwiftStorage><N>%-192.0.2.6:%PORT%/d1 syntax.
- $server_num_or_device = regsubst($name,'^r1z%+[A-Za-z]*([0-9]+)%+-(.*)$','\1')
- if (is_integer($server_num_or_device)) {
- $server_num = $server_num_or_device
- } else {
- $server_num = '1'
- }
- # Function to place server in its zone. Zone is calculated by
- # server number in heat template modulo the number of zones + 1.
- $zone = (($server_num%$swift_zones) + 1)
-
- # add the rings
- $base = regsubst($name,'^r1.*-(.*)$','\1')
- $object = regsubst($base, '%PORT%', '6000')
- ring_object_device { $object:
- zone => '1',
- weight => 100,
- }
- $container = regsubst($base, '%PORT%', '6001')
- ring_container_device { $container:
- zone => '1',
- weight => 100,
- }
- $account = regsubst($base, '%PORT%', '6002')
- ring_account_device { $account:
- zone => '1',
- weight => 100,
- }
-}
-
-class tripleo::ringbuilder (
- $swift_zones = '1',
- $devices = '',
- $build_ring = true,
- $part_power,
- $replicas,
- $min_part_hours,
-) {
-
- validate_bool($build_ring)
-
- if $build_ring {
-
- $device_array = strip(split(rstrip($devices), ','))
-
- # create local rings
- swift::ringbuilder::create{ ['object', 'account', 'container']:
- part_power => $part_power,
- replicas => min(count($device_array), $replicas),
- min_part_hours => $min_part_hours,
- } ->
-
- # add all other devices
- add_devices {$device_array:
- swift_zones => $swift_zones,
- } ->
-
- # rebalance
- swift::ringbuilder::rebalance{ ['object', 'account', 'container']:
- seed => 999,
- }
-
- Ring_object_device<| |> ~> Exec['rebalance_object']
- Ring_object_device<| |> ~> Exec['rebalance_account']
- Ring_object_device<| |> ~> Exec['rebalance_container']
-
- }
-}
-
-if hiera('step') >= 2 {
- # pre-install swift here so we can build rings
- include ::swift
-}
-
-if hiera('step') >= 3 {
- include ::tripleo::ringbuilder
-}
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index 5dce7c3d..d0f3767d 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -23,6 +23,12 @@ outputs:
value:
service_name: ceilometer-api
config_settings:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
+ map_merge:
+ - get_attr: [CeilometerServiceBase, role_data, config_settings]
+ - tripleo.ceilometer_api.firewall_rules:
+ '124 ceilometer':
+ dport:
+ - 8777
+ - 13777
step_config: |
include ::tripleo::profile::base::ceilometer::api
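Review bot: The new `tripleo.ceilometer_api.firewall_rules` key, like every other `tripleo.<service>.firewall_rules` key this change adds, has no consumer visible in this diff, while the central `tripleo::firewall::firewall_rules` list in puppet/hieradata/controller.yaml is cut down to the aodh entry in the same commit. If the puppet side that collects these keys is not deployed in lockstep, the controller's rule set silently shrinks to that one entry, so the dependency should be stated in the commit message. The dotted key form also deserves a second look: newer Hiera versions treat `.` in a lookup key as sub-key access, so whatever reads these keys may need to quote them; verify against the Hiera version in use.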
diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml
index 68a59450..257264ac 100644
--- a/puppet/services/ceph-mon.yaml
+++ b/puppet/services/ceph-mon.yaml
@@ -53,5 +53,10 @@ outputs:
- {get_param: NovaRbdPoolName}
- {get_param: GlanceRbdPoolName}
- {get_param: GnocchiRbdPoolName}
+ tripleo.ceph_mon.firewall_rules:
+ '110 ceph':
+ dport:
+ - 6789
+ - '6800-6810'
step_config: |
include ::tripleo::profile::base::ceph::mon
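Review bot: The `'110 ceph'` rule added under `tripleo.ceph_mon.firewall_rules` still opens `'6800-6810'` alongside 6789, so that range now follows the monitor service rather than the daemon that listens on it. It looks like the OSD range (inferred, not shown in this diff), and a mon-only node would accept it with nothing behind it. The same coupling appears in the nova-api.yaml hunk, where `'113 nova_api'` carries 6080/13080, 8773/3773 and 8775 next to the API port 8774, and in the neutron-server.yaml hunk, where `'118 neutron vxlan networks'` and `'106 vrrp'` ride on the API service. Since the aim here is per-service rules, consider moving each port to the template of the service that binds it, or mark the exception with a comment such as `# OSD range kept here until the OSD service carries its own rule`. The enclosing config_settings map starts outside the hunk.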
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 0b4817ac..0cefb380 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -39,5 +39,10 @@ outputs:
cinder::api::keystone_password: {get_param: CinderPassword}
cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
+ tripleo.cinder_api.firewall_rules:
+ '119 cinder':
+ dport:
+ - 8776
+ - 13776
step_config: |
include ::tripleo::profile::base::cinder::api
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index 69a38b04..8f63ff6a 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
@@ -76,5 +76,8 @@ outputs:
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
+ tripleo.cinder_volume.firewall_rules:
+ '120 iscsi initiator':
+ dport: 3260
step_config: |
include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index c2d36fc7..6885cfd6 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -25,5 +25,12 @@ outputs:
- get_attr: [MongoDbBase, role_data, config_settings]
- tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
mongodb::server::service_manage: True
+ tripleo.mongodb.firewall_rules:
+ '101 mongodb_config':
+ dport: 27019
+ '102 mongodb_sharding':
+ dport: 27018
+ '103 mongod':
+ dport: 27017
step_config: |
- include ::tripleo::profile::base::database::mongodb
\ No newline at end of file
+ include ::tripleo::profile::base::database::mongodb
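Review bot: The three rules under `tripleo.mongodb.firewall_rules` specify only `dport`, so as written they carry no source restriction and 27017-27019 would be accepted on every network the node is attached to, unless the consuming rule type adds one. The same holds for the mysql.yaml hunk (`'104 mysql galera'`, which includes rsync 873 and the replication ports) and for the redis.yaml, memcached.yaml and rabbitmq.yaml hunks. This mirrors the removed central list, but the per-service split is the natural place to tighten it. If the rule definition that reads these keys accepts a `source` field (not visible here), scope these backend ports to the internal network; otherwise add a comment such as `# no source filter: relies on network isolation` so the exposure is a recorded decision.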
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 992dc11e..0a19b2a7 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -17,5 +17,14 @@ outputs:
value:
service_name: mysql
config_settings:
+ tripleo.mysql.firewall_rules:
+ '104 mysql galera':
+ dport:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
step_config: |
include ::tripleo::profile::base::database::mysql
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
index 080f72b6..ef005f77 100644
--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
@@ -22,5 +22,10 @@ outputs:
config_settings:
map_merge:
- get_attr: [RedisBase, role_data, config_settings]
+ - tripleo.redis.firewall_rules:
+ '108 redis':
+ dport:
+ - 6379
+ - 26379
step_config: |
include ::tripleo::profile::base::database::redis
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index 120c57ff..ee4c17c7 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -104,5 +104,10 @@ outputs:
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
glance::keystone::auth::password: {get_param: GlancePassword }
+ tripleo.glance_api.firewall_rules:
+ '112 glance_api':
+ dport:
+ - 9292
+ - 13292
step_config: |
include ::tripleo::profile::base::glance::api
diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml
index 6d2144e1..f9d9dd6b 100644
--- a/puppet/services/glance-registry.yaml
+++ b/puppet/services/glance-registry.yaml
@@ -49,5 +49,9 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
+ tripleo.glance_registry.firewall_rules:
+ '112 glance_registry':
+ dport:
+ - 9191
step_config: |
include ::tripleo::profile::base::glance::registry
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index f6877632..bf23cda1 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -24,5 +24,10 @@ outputs:
config_settings:
map_merge:
- get_attr: [GnocchiServiceBase, role_data, config_settings]
+ - tripleo.gnocchi_api.firewall_rules:
+ '129 gnocchi-api':
+ dport:
+ - 8041
+ - 13041
step_config: |
include ::tripleo::profile::base::gnocchi::api
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 73b40003..1a629c1d 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -15,5 +15,9 @@ outputs:
description: Role data for the HAproxy role.
value:
service_name: haproxy
+ config_settings:
+ tripleo.haproxy.firewall_rules:
+ '107 haproxy stats':
+ dport: 1993
step_config: |
include ::tripleo::profile::base::haproxy
diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml
index 8d237330..67c89bb9 100644
--- a/puppet/services/heat-api-cfn.yaml
+++ b/puppet/services/heat-api-cfn.yaml
@@ -40,5 +40,10 @@ outputs:
heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
heat::keystone::auth_cfn::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api_cfn.firewall_rules:
+ '125 heat_cfn':
+ dport:
+ - 8000
+ - 13800
step_config: |
include ::tripleo::profile::base::heat::api_cfn
diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml
index c996cf13..32a0a58d 100644
--- a/puppet/services/heat-api-cloudwatch.yaml
+++ b/puppet/services/heat-api-cloudwatch.yaml
@@ -27,5 +27,10 @@ outputs:
map_merge:
- get_attr: [HeatBase, role_data, config_settings]
- heat::api_cloudwatch::workers: {get_param: HeatWorkers}
+ tripleo.heat_api_cloudwatch.firewall_rules:
+ '125 heat_cloudwatch':
+ dport:
+ - 8003
+ - 13003
step_config: |
include ::tripleo::profile::base::heat::api_cloudwatch
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
index 41c7d9a1..0bb208d1 100644
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@@ -40,5 +40,10 @@ outputs:
heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
heat::keystone::auth::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api.firewall_rules:
+ '125 heat_api':
+ dport:
+ - 8004
+ - 13004
step_config: |
include ::tripleo::profile::base::heat::api
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 022e3fbf..dc7ba8c9 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -31,5 +31,10 @@ outputs:
template: MECHANISMS
params:
MECHANISMS: {get_param: NeutronMechanismDrivers}
+ tripleo.horizon.firewall_rules:
+ '126 horizon':
+ dport:
+ - 80
+ - 443
step_config: |
include ::tripleo::profile::base::horizon
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 83bab349..de920de3 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -136,5 +136,12 @@ outputs:
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
# override via extraconfig:
keystone::wsgi::apache::threads: 1
+ tripleo.keystone.firewall_rules:
+ '111 keystone':
+ dport:
+ - 5000
+ - 13000
+ - 35357
+ - 13357
step_config: |
include ::tripleo::profile::base::keystone
diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml
index 55f8c08e..ceb29b55 100644
--- a/puppet/services/memcached.yaml
+++ b/puppet/services/memcached.yaml
@@ -16,5 +16,8 @@ outputs:
value:
service_name: memcached
config_settings:
+ tripleo.memcached.firewall_rules:
+ '121 memcached':
+ dport: 11211
step_config: |
include ::tripleo::profile::base::memcached
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index 7143cd99..301759c7 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@@ -61,3 +61,4 @@ outputs:
params:
PLUGINS: {get_param: NeutronServicePlugins}
neutron::debug: {get_param: Debug}
+ neutron::host: '"%{::fqdn}"'
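Review bot: `neutron::host` was previously set only in puppet/hieradata/compute.yaml and now sits in the base service's config_settings, so every role that merges NeutronBase role_data (neutron-dhcp.yaml in this change does) gets the FQDN as its host value, not just compute nodes. The nova-base.yaml hunk does the same for `nova::host`. On an existing deployment this presumably changes the name that controller-side agents and services register under, which should be called out in the commit message or a release note. The value `'"%{::fqdn}"'` also reads like a typo next to the old `"%{::fqdn}"`; a one-line comment above it saying why the inner double quotes must survive into the rendered hieradata would prevent a well-meant cleanup.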
diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml
index 5b903eac..1c57aa45 100644
--- a/puppet/services/neutron-dhcp.yaml
+++ b/puppet/services/neutron-dhcp.yaml
@@ -28,5 +28,13 @@ outputs:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
+ tripleo.neutron_dhcp.firewall_rules:
+ '115 neutron dhcp input':
+ proto: 'udp'
+ dport: 67
+ '116 neutron dhcp output':
+ proto: 'udp'
+ chain: 'OUTPUT'
+ dport: 68
step_config: |
include tripleo::profile::base::neutron::dhcp
diff --git a/puppet/services/neutron-server.yaml b/puppet/services/neutron-server.yaml
index 61af11f9..253a6bfe 100644
--- a/puppet/services/neutron-server.yaml
+++ b/puppet/services/neutron-server.yaml
@@ -72,5 +72,15 @@ outputs:
neutron::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
+ tripleo.neutron_server.firewall_rules:
+ '114 neutron server':
+ dport:
+ - 9696
+ - 13696
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '106 vrrp':
+ proto: vrrp
step_config: |
include tripleo::profile::base::neutron::server
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index f6c41052..0dd8fd51 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -32,5 +32,15 @@ outputs:
nova::api::metadata_workers: {get_param: NovaWorkers}
nova::cron::archive_deleted_rows::hour: '"*/12"'
nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+ tripleo.nova_api.firewall_rules:
+ '113 nova_api':
+ dport:
+ - 6080
+ - 13080
+ - 8773
+ - 3773
+ - 8774
+ - 13774
+ - 8775
step_config: |
include tripleo::profile::base::nova::api
diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml
index 99ae520a..c94e0246 100644
--- a/puppet/services/nova-base.yaml
+++ b/puppet/services/nova-base.yaml
@@ -38,7 +38,7 @@ parameters:
outputs:
role_data:
- description: Role data for the Neutron base service.
+ description: Role data for the Nova base service.
value:
service_name: nova-base
config_settings:
@@ -79,3 +79,4 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
nova::debug: {get_param: Debug}
+ nova::host: '"%{::fqdn}"'
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index 3b78befe..9520cb9c 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -16,5 +16,15 @@ outputs:
value:
service_name: pacemaker
config_settings:
+ tripleo.pacemaker.firewall_rules:
+ '130 pacemaker tcp':
+ proto: 'tcp'
+ dport:
+ - 2224
+ - 3121
+ - 21064
+ '131 pacemaker udp':
+ proto: 'udp'
+ dport: 5405
step_config: |
include ::tripleo::profile::base::pacemaker
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 7b4b10ef..3c5909ca 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -36,5 +36,11 @@ outputs:
rabbitmq::default_user: {get_param: RabbitUserName}
rabbitmq::default_pass: {get_param: RabbitPassword}
rabbit_ipv6: {get_param: RabbitIPv6}
+ tripleo.rabbitmq.firewall_rules:
+ '109 rabbitmq':
+ dport:
+ - 4369
+ - 5672
+ - 35672
step_config: |
include ::tripleo::profile::base::rabbitmq
diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml
index a0a98b17..c9112019 100644
--- a/puppet/services/sahara-api.yaml
+++ b/puppet/services/sahara-api.yaml
@@ -49,5 +49,10 @@ outputs:
sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
sahara::keystone::auth::password: {get_param: SaharaPassword }
sahara::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.sahara_api.firewall_rules:
+ '132 sahara':
+ dport:
+ - 8386
+ - 13386
step_config: |
include ::tripleo::profile::base::sahara::api
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index 36e510b9..458f444b 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@@ -28,5 +28,9 @@ outputs:
config_settings:
snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
+ tripleo.snmp.firewall_rules:
+ '127 snmp':
+ dport: 161
+ proto: 'udp'
step_config: |
include ::tripleo::profile::base::snmp
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 3ae1b01e..12165cc1 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -51,5 +51,10 @@ outputs:
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.swift_proxy.firewall_rules:
+ '122 swift proxy':
+ dport:
+ - 8080
+ - 13808
step_config: |
include ::tripleo::profile::base::swift::proxy
diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml
new file mode 100644
index 00000000..b341b0fc
--- /dev/null
+++ b/puppet/services/swift-ringbuilder.yaml
@@ -0,0 +1,40 @@
+heat_template_version: 2016-04-08
+
+description: >
+ OpenStack Swift Ringbuilder
+
+parameters:
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ SwiftMinPartHours:
+ type: number
+ default: 1
+ description: The minimum time (in hours) before a partition in a ring can be moved following a rebalance.
+ SwiftPartPower:
+ default: 10
+ description: Partition Power to use when building Swift rings
+ type: number
+ SwiftRingBuild:
+ default: true
+ description: Whether to manage Swift rings or not
+ type: boolean
+ SwiftReplicas:
+ type: number
+ default: 3
+ description: How many replicas to use in the swift rings.
+
+outputs:
+ role_data:
+ description: Role data for Swift Ringbuilder configuration.
+ value:
+ service_name: swift-ringbuilder
+ config_settings:
+ tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild}
+ tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas}
+ swift::ringbuilder::part_power: {get_param: SwiftPartPower}
+ swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours}
+ step_config: |
+ include ::tripleo::profile::base::swift::ringbuilder
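Review bot: `SwiftPartPower` and `SwiftReplicas` are declared as bare `type: number` with no constraints, so zero, negative or fractional values pass template validation and only surface when puppet builds the rings. Heat supports a range constraint on number parameters; adding `constraints: [{range: {min: 1}}]` to both would reject such values at stack validation. The deleted ringbuilder.pp also clamped replicas with `min(count($device_array), $replicas)`; whether `tripleo::profile::base::swift::ringbuilder` keeps that clamp is outside this diff and should be confirmed before relying on the default of 3 on small deployments.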
diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml
index 02746a95..d63dc87c 100644
--- a/puppet/services/swift-storage.yaml
+++ b/puppet/services/swift-storage.yaml
@@ -41,5 +41,12 @@ outputs:
# Swift
swift::storage::all::mount_check: {get_param: SwiftMountCheck}
tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
+ tripleo.swift_storage.firewall_rules:
+ '123 swift storage':
+ dport:
+ - 873
+ - 6000
+ - 6001
+ - 6002
step_config: |
include ::tripleo::profile::base::swift::storage
diff --git a/puppet/services/time/ntp.yaml b/puppet/services/time/ntp.yaml
index a0e51fec..59d25dd2 100644
--- a/puppet/services/time/ntp.yaml
+++ b/puppet/services/time/ntp.yaml
@@ -24,5 +24,9 @@ outputs:
service_name: ntp
config_settings:
ntp::ntpservers: {get_param: NtpServer}
+ tripleo.ntp.firewall_rules:
+ '105 ntp':
+ dport: 123
+ proto: udp
step_config: |
include ::ntp
diff --git a/puppet/swift-devices-and-proxy-config.yaml b/puppet/swift-devices-and-proxy-config.yaml
index 92ef5c1c..14df831f 100644
--- a/puppet/swift-devices-and-proxy-config.yaml
+++ b/puppet/swift-devices-and-proxy-config.yaml
@@ -20,7 +20,7 @@ resources:
datafiles:
swift_devices_and_proxy:
mapped_data:
- tripleo::ringbuilder::devices:
+ tripleo::profile::base::swift::ringbuilder::devices:
list_join:
- ", "
- - list_join:
diff --git a/puppet/swift-storage-post.yaml b/puppet/swift-storage-post.yaml
index 1c36a047..306a4d6e 100644
--- a/puppet/swift-storage-post.yaml
+++ b/puppet/swift-storage-post.yaml
@@ -44,7 +44,6 @@ resources:
list_join:
- ''
- - get_file: manifests/overcloud_object.pp
- - get_file: manifests/ringbuilder.pp
- {get_param: [RoleData, step_config]}
StorageRingbuilderDeployment_Step2:
diff --git a/puppet/swift-storage.yaml b/puppet/swift-storage.yaml
index 7b41c72b..034592a7 100644
--- a/puppet/swift-storage.yaml
+++ b/puppet/swift-storage.yaml
@@ -18,22 +18,6 @@ parameters:
default: default
description: Name of an existing Nova key pair to enable SSH access to the instances
type: string
- MinPartHours:
- type: number
- default: 1
- description: The minimum time (in hours) before a partition in a ring can be moved following a rebalance.
- PartPower:
- default: 10
- description: Partition Power to use when building Swift rings
- type: number
- RingBuild:
- default: true
- description: Whether to manage Swift rings or not
- type: boolean
- Replicas:
- type: number
- default: 3
- description: How many replicas to use in the swift rings.
SnmpdReadonlyUserName:
default: ro_snmp_user
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
@@ -288,11 +272,7 @@ resources:
raw_data: {get_file: hieradata/object.yaml}
mapped_data: # data supplied directly to this deployment configuration, etc
swift::swift_hash_path_suffix: { get_input: swift_hash_suffix }
- tripleo::ringbuilder::build_ring: { get_input: swift_ring_build }
- tripleo::ringbuilder::part_power: { get_input: swift_part_power }
- tripleo::ringbuilder::replicas: {get_input: swift_replicas }
swift::storage::all::storage_local_net_ip: {get_input: swift_management_network}
- tripleo::ringbuilder::min_part_hours: { get_input: swift_min_part_hours }
snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name}
snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password}
tripleo::packages::enable_install: {get_input: enable_package_install}
@@ -311,10 +291,6 @@ resources:
snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
swift_hash_suffix: {get_param: HashSuffix}
- swift_min_part_hours: {get_param: MinPartHours}
- swift_ring_build: {get_param: RingBuild}
- swift_part_power: {get_param: PartPower}
- swift_replicas: { get_param: Replicas}
enable_package_install: {get_param: EnablePackageInstall}
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]}