diff options
Diffstat (limited to 'puppet/services')
22 files changed, 399 insertions, 35 deletions
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 9bd282f8..6e53b1f7 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -77,13 +77,15 @@ outputs: - "%{hiera('apache_remote_proxy_ips_network')}" - generate_service_certificates: true + tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd' + tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd' apache_certificates_specs: map_merge: repeat: template: httpd-NETWORK: - service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' - service_key: '/etc/pki/tls/private/httpd-NETWORK.key' + service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key' hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" for_each: diff --git a/puppet/services/ceilometer-agent-central.yaml b/puppet/services/ceilometer-agent-central.yaml index 80823526..0441e3a5 100644 --- a/puppet/services/ceilometer-agent-central.yaml +++ b/puppet/services/ceilometer-agent-central.yaml @@ -53,6 +53,8 @@ outputs: - get_attr: [CeilometerServiceBase, role_data, config_settings] - ceilometer_redis_password: {get_param: RedisPassword} central_namespace: true + service_config_settings: + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::polling upgrade_tasks: diff --git a/puppet/services/ceilometer-agent-compute.yaml b/puppet/services/ceilometer-agent-compute.yaml index 546bcd98..8462dd0c 100644 --- a/puppet/services/ceilometer-agent-compute.yaml +++ b/puppet/services/ceilometer-agent-compute.yaml @@ -47,6 +47,8 @@ outputs: - get_attr: [CeilometerServiceBase, role_data, config_settings] - ceilometer::agent::compute::instance_discovery_method: {get_param: InstanceDiscoveryMethod} compute_namespace: true + service_config_settings: + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::polling upgrade_tasks: diff --git a/puppet/services/ceilometer-agent-notification.yaml b/puppet/services/ceilometer-agent-notification.yaml index 4ee43f49..d854e4cb 100644 --- a/puppet/services/ceilometer-agent-notification.yaml +++ b/puppet/services/ceilometer-agent-notification.yaml @@ -47,6 +47,8 @@ outputs: - ceilometer config_settings: get_attr: [CeilometerServiceBase, role_data, config_settings] + service_config_settings: + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::notification upgrade_tasks: diff --git a/puppet/services/cinder-backend-netapp.yaml b/puppet/services/cinder-backend-netapp.yaml new file mode 100644 index 00000000..29a0ce1b --- /dev/null +++ b/puppet/services/cinder-backend-netapp.yaml @@ -0,0 +1,129 @@ +heat_template_version: ocata + +description: Openstack Cinder Netapp backend + +parameters: + CinderEnableNetappBackend: + type: boolean + default: true + CinderNetappBackendName: + type: string + default: 'tripleo_netapp' + CinderNetappLogin: + type: string + CinderNetappPassword: + type: string + hidden: true + CinderNetappServerHostname: + type: string + CinderNetappServerPort: + type: string + default: '80' + CinderNetappSizeMultiplier: + type: string + default: '1.2' + CinderNetappStorageFamily: + type: string + default: 'ontap_cluster' + CinderNetappStorageProtocol: + type: string + default: 'nfs' + CinderNetappTransportType: + type: string + default: 'http' + CinderNetappVfiler: + type: string + default: '' + CinderNetappVolumeList: + type: string + default: '' + CinderNetappVserver: + type: string + default: '' + CinderNetappPartnerBackendName: + type: string + default: '' + CinderNetappNfsShares: + type: string + default: '' + CinderNetappNfsSharesConfig: + type: string + default: '/etc/cinder/shares.conf' + CinderNetappNfsMountOptions: + type: string + default: '' + CinderNetappCopyOffloadToolPath: + type: string + default: '' + CinderNetappControllerIps: + type: string + default: '' + CinderNetappSaPassword: + type: string + default: '' + hidden: true + CinderNetappStoragePools: + type: string + default: '' + CinderNetappHostType: + type: string + default: '' + CinderNetappWebservicePath: + type: string + default: '/devmgr/v2' + # DEPRECATED options for compatibility with older versions + CinderNetappEseriesHostType: + type: string + default: 'linux_dm_mp' + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +parameter_groups: +- label: deprecated + description: Do not use deprecated params, they will be removed. + parameters: + - CinderNetappEseriesHostType + +outputs: + role_data: + description: Role data for the Cinder NetApp backend. + value: + service_name: cinder_backend_netapp + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_netapp_backend: {get_param: CinderEnableNetappBackend} + cinder::backend::netapp::title: {get_param: CinderNetappBackendName} + cinder::backend::netapp::netapp_login: {get_param: CinderNetappLogin} + cinder::backend::netapp::netapp_password: {get_param: CinderNetappPassword} + cinder::backend::netapp::netapp_server_hostname: {get_param: CinderNetappServerHostname} + cinder::backend::netapp::netapp_server_port: {get_param: CinderNetappServerPort} + cinder::backend::netapp::netapp_size_multiplier: {get_param: CinderNetappSizeMultiplier} + cinder::backend::netapp::netapp_storage_family: {get_param: CinderNetappStorageFamily} + cinder::backend::netapp::netapp_storage_protocol: {get_param: CinderNetappStorageProtocol} + cinder::backend::netapp::netapp_transport_type: {get_param: CinderNetappTransportType} + cinder::backend::netapp::netapp_vfiler: {get_param: CinderNetappVfiler} + cinder::backend::netapp::netapp_volume_list: {get_param: CinderNetappVolumeList} + cinder::backend::netapp::netapp_vserver: {get_param: CinderNetappVserver} + cinder::backend::netapp::netapp_partner_backend_name: {get_param: CinderNetappPartnerBackendName} + cinder::backend::netapp::nfs_shares: {get_param: CinderNetappNfsShares} + cinder::backend::netapp::nfs_shares_config: {get_param: CinderNetappNfsSharesConfig} + cinder::backend::netapp::nfs_mount_options: {get_param: CinderNetappNfsMountOptions} + cinder::backend::netapp::netapp_copyoffload_tool_path: {get_param: CinderNetappCopyOffloadToolPath} + cinder::backend::netapp::netapp_controller_ips: {get_param: CinderNetappControllerIps} + cinder::backend::netapp::netapp_sa_password: {get_param: CinderNetappSaPassword} + cinder::backend::netapp::netapp_storage_pools: {get_param: CinderNetappStoragePools} + cinder::backend::netapp::netapp_host_type: {get_param: CinderNetappHostType} + cinder::backend::netapp::netapp_webservice_path: {get_param: CinderNetappWebservicePath} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/external-swift-proxy.yaml b/puppet/services/external-swift-proxy.yaml new file mode 100644 index 00000000..75f5b6a0 --- /dev/null +++ b/puppet/services/external-swift-proxy.yaml @@ -0,0 +1,70 @@ +heat_template_version: ocata + +description: > + External Swift Proxy endpoint configured with Puppet + +parameters: + ExternalPublicUrl: + description: Public endpoint url for the external swift proxy + type: string + ExternalInternalUrl: + description: Internal endpoint url for the external swift proxy + type: string + ExternalAdminUrl: + description: External endpoint url for the external swift proxy + type: string + ExternalSwiftUserTenant: + description: Tenant where swift user will be set as admin + type: string + default: 'service' + SwiftPassword: + description: The password for the swift service account, used by the swift proxy services. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + +outputs: + role_data: + description: Role data for External Swift proxy. + value: + service_name: external_swift_proxy + config_settings: + + step_config: + + service_config_settings: + keystone: + swift::keystone::auth::public_url: {get_param: ExternalPublicUrl} + swift::keystone::auth::internal_url: {get_param: ExternalInternalUrl} + swift::keystone::auth::admin_url: {get_param: ExternalAdminUrl} + swift::keystone::auth::public_url_s3: '' + swift::keystone::auth::internal_url_s3: '' + swift::keystone::auth::admin_url_s3: '' + swift::keystone::auth::password: {get_param: SwiftPassword} + swift::keystone::auth::region: {get_param: KeystoneRegion} + swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant} + swift::keystone::auth::configure_s3_endpoint: false + swift::keystone::auth::operator_roles: + - admin + - swiftoperator + - ResellerAdmin + diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index f61e6154..de41c0e8 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -119,6 +119,7 @@ parameters: conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']} resources: @@ -153,14 +154,13 @@ outputs: - '/glance' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} - glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false glance::api::enable_v2_api: true glance::api::authtoken::password: {get_param: GlancePassword} glance::api::enable_proxy_headers_parsing: true glance::api::debug: {get_param: Debug} - glance::api::workers: {get_param: GlanceWorkers} glance::policy::policies: {get_param: GlanceApiPolicies} tripleo.glance_api.firewall_rules: '112 glance_api': @@ -168,6 +168,8 @@ outputs: - 9292 - 13292 glance::api::authtoken::project_name: 'service' + glance::keystone::authtoken::user_domain_name: 'Default' + glance::keystone::authtoken::project_domain_name: 'Default' glance::api::pipeline: 'keystone' glance::api::show_image_direct_url: true # NOTE: bind IP is found in Heat replacing the network name with the @@ -195,10 +197,11 @@ outputs: - {get_param: [ServiceNetMap, GlanceApiNetwork]} glance_notifier_strategy: {get_param: GlanceNotifierStrategy} glance_log_file: {get_param: GlanceLogFile} - glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] } glance::backend::swift::swift_store_user: service:glance glance::backend::swift::swift_store_key: {get_param: GlancePassword} glance::backend::swift::swift_store_create_container_on_put: true + glance::backend::swift::swift_store_auth_version: 3 glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} glance_backend: {get_param: GlanceBackend} @@ -210,6 +213,11 @@ outputs: tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} + - + if: + - glance_workers_unset + - {} + - glance::api::workers: {get_param: GlanceWorkers} service_config_settings: keystone: glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index be910d10..666967b9 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -45,6 +45,10 @@ parameters: default: ['pxe_ipmitool', 'pxe_drac', 'pxe_ilo'] description: Enabled Ironic drivers type: comma_delimited_list + IronicEnabledHardwareTypes: + default: ['ipmi'] + description: Enabled Ironic hardware types + type: comma_delimited_list IronicIPXEEnabled: default: true description: Whether to use iPXE instead of PXE for deployment. @@ -92,6 +96,7 @@ outputs: ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork} ironic::conductor::provisioning_network: {get_param: IronicProvisioningNetwork} ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers} + ironic::conductor::enabled_hardware_types: {get_param: IronicEnabledHardwareTypes} # We need an endpoint containing a real IP, not a VIP here ironic_conductor_http_host: {get_param: [ServiceNetMap, IronicNetwork]} ironic::conductor::http_url: @@ -112,6 +117,7 @@ outputs: # NOTE(dtantsur): UEFI only works with iPXE currently for us ironic::drivers::pxe::uefi_pxe_config_template: '$pybasedir/drivers/modules/ipxe_config.template' ironic::drivers::pxe::uefi_pxe_bootfile_name: 'ipxe.efi' + ironic::drivers::interfaces::enabled_console_interfaces: ['ipmitool-socat', 'no-console'] ironic::drivers::interfaces::enabled_network_interfaces: ['flat', 'neutron'] ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface} tripleo.ironic_conductor.firewall_rules: diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 94b15d4b..2a335b67 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -22,6 +22,10 @@ parameters: default: 1048576 description: Configures sysctl kernel.pid_max key type: number + KernelDisableIPv6: + default: 0 + description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys + type: number outputs: role_data: @@ -57,6 +61,10 @@ outputs: value: 500000 net.netfilter.nf_conntrack_max: value: 500000 + net.ipv6.conf.default.disable_ipv6: + value: {get_param: KernelDisableIPv6} + net.ipv6.conf.all.disable_ipv6: + value: {get_param: KernelDisableIPv6} # prevent neutron bridges from autoconfiguring ipv6 addresses net.ipv6.conf.all.accept_ra: value: 0 diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 632d9b0b..8a0e750d 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -119,27 +119,27 @@ parameters: Cron to purge expired tokens - Ensure default: 'present' KeystoneCronTokenFlushMinute: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Minute default: '1' KeystoneCronTokenFlushHour: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Hour - default: '0' + default: '*' KeystoneCronTokenFlushMonthday: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Month Day default: '*' KeystoneCronTokenFlushMonth: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Month default: '*' KeystoneCronTokenFlushWeekday: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Week Day default: '*' diff --git a/puppet/services/metrics/collectd.yaml b/puppet/services/metrics/collectd.yaml index 49b2d4c2..d2d9f3dc 100644 --- a/puppet/services/metrics/collectd.yaml +++ b/puppet/services/metrics/collectd.yaml @@ -70,7 +70,9 @@ parameters: CollectdSecurityLevel: type: string description: > - Security level setting for remote collectd connection. + Security level setting for remote collectd connection. If it is + set to Sign or Encrypt the CollectdPassword and CollectdUsername + parameters need to be set. default: 'None' constraints: - allowed_values: diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index aba2b1ed..4b5f36ac 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -81,4 +81,4 @@ outputs: - name: Install sensu package if it was disabled tags: step3 yum: name=sensu state=latest - when: sensu_client.rc != 0 + when: sensu_client_enabled.rc != 0 diff --git a/puppet/services/network/contrail-vrouter.yaml b/puppet/services/network/contrail-vrouter.yaml index db9f0836..0cd1f829 100644 --- a/puppet/services/network/contrail-vrouter.yaml +++ b/puppet/services/network/contrail-vrouter.yaml @@ -27,7 +27,7 @@ parameters: description: vRouter physical interface type: string ContrailVrouterGateway: - default: '192.0.2.1' + default: '192.168.24.1' description: vRouter default gateway type: string ContrailVrouterNetmask: diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 9b9d1c72..a0305b81 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -21,13 +21,13 @@ parameters: NeutronWorkers: default: '' description: | - Sets the number of API and RPC workers for the Neutron service. The - default value results in the configuration being left unset and a - system-dependent default will be chosen (usually the number of - processors). Please note that this can result in a large number of - processes and memory consumption on systems with a large core count. On - such systems it is recommended that a non-default value be selected that - matches the load requirements. + Sets the number of API and RPC workers for the Neutron service. + The default value results in the configuration being left unset + and a system-dependent default will be chosen (usually the number + of processors). Please note that this can result in a large number + of processes and memory consumption on systems with a large core + count. On such systems it is recommended that a non-default value + be selected that matches the load requirements. type: string NeutronPassword: description: The password for the neutron service and db account, used by neutron agents. @@ -92,6 +92,7 @@ parameter_groups: conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']} resources: @@ -136,8 +137,6 @@ outputs: neutron::policy::policies: {get_param: NeutronApiPolicies} neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - neutron::server::api_workers: {get_param: NeutronWorkers} - neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} neutron::server::enable_proxy_headers_parsing: true neutron::keystone::authtoken::password: {get_param: NeutronPassword} @@ -178,6 +177,12 @@ outputs: - 'localhost' - {get_param: [ServiceNetMap, NeutronApiNetwork]} tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA} + - + if: + - neutron_workers_unset + - {} + - neutron::server::api_workers: {get_param: NeutronWorkers} + neutron::server::rpc_workers: {get_param: NeutronWorkers} step_config: | include tripleo::profile::base::neutron::server service_config_settings: diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 9f605062..b41cb3cc 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -30,6 +30,10 @@ parameters: type: number default: 0 description: The number of neutron dhcp agents to schedule per network + NeutronDnsDomain: + type: string + default: openstacklocal + description: Domain to use for building the hostnames. NeutronCorePlugin: default: 'ml2' description: | @@ -95,6 +99,7 @@ outputs: neutron::debug: {get_param: Debug} neutron::purge_config: {get_param: EnableConfigPurge} neutron::allow_overlapping_ips: true + neutron::dns_domain: {get_param: NeutronDnsDomain} neutron::rabbit_heartbeat_timeout_threshold: 60 neutron::host: '%{::fqdn}' neutron::db::database_db_max_retries: -1 diff --git a/puppet/services/neutron-bigswitch-agent.yaml b/puppet/services/neutron-bigswitch-agent.yaml index 845f0da0..8f56e0a9 100644 --- a/puppet/services/neutron-bigswitch-agent.yaml +++ b/puppet/services/neutron-bigswitch-agent.yaml @@ -26,6 +26,4 @@ outputs: value: service_name: neutron_bigswitch_agent step_config: | - if hiera('step') >= 4 { - include ::neutron::agents::bigswitch - } + include ::tripleo::profile::base::neutron::agents::bigswitch diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 18d9b924..21910cc4 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -227,7 +227,7 @@ outputs: - name: Run puppet apply to set tranport_url in nova.conf tags: step5 when: is_bootstrap_node - command: puppet apply --detailed-exitcodes /root/nova-api_upgrade_manifest.pp + command: puppet apply --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules --detailed-exitcodes /root/nova-api_upgrade_manifest.pp register: puppet_apply_nova_api_upgrade failed_when: puppet_apply_nova_api_upgrade.rc not in [0,2] changed_when: puppet_apply_nova_api_upgrade.rc == 2 diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index a9737eb6..b1711436 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -79,6 +79,13 @@ parameters: type: string description: Nova Compute upgrade level default: auto + MigrationSshKey: + type: json + description: > + SSH key for migration. + Expects a dictionary with keys 'public_key' and 'private_key'. + Values should be identical to SSH public/private key files. + default: {} resources: NovaBase: @@ -111,6 +118,7 @@ outputs: # we manage migration in nova common puppet profile nova::compute::libvirt::migration_support: false tripleo::profile::base::nova::manage_migration: true + tripleo::profile::base::nova::migration_ssh_key: {get_param: MigrationSshKey} tripleo::profile::base::nova::nova_compute_enabled: true nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName} nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName} diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index faf1ae48..21a5e78a 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -32,6 +32,36 @@ parameters: MonitoringSubscriptionNovaLibvirt: default: 'overcloud-nova-libvirt' type: string + EnableInternalTLS: + type: boolean + default: false + UseTLSTransportForLiveMigration: + type: boolean + default: true + description: If set to true and if EnableInternalTLS is enabled, it will + set the libvirt URI's transport to tls and configure the + relevant keys for libvirt. + LibvirtCACert: + type: string + default: '/etc/ipa/ca.crt' + description: This specifies the CA certificate to use for TLS in libvirt. + This file will be symlinked to the default CA path in libvirt, + which is /etc/pki/CA/cacert.pem. Note that due to limitations + GNU TLS, which is the TLS backend for libvirt, the file must + be less than 65K (so we can't use the system's CA bundle). The + current default reflects TripleO's default CA, which is + FreeIPA. It will only be used if internal TLS is enabled. + +conditions: + + use_tls_for_live_migration: + and: + - equals: + - {get_param: EnableInternalTLS} + - true + - equals: + - {get_param: UseTLSTransportForLiveMigration} + - true resources: NovaBase: @@ -66,10 +96,61 @@ outputs: tripleo.nova_libvirt.firewall_rules: '200 nova_libvirt': dport: - - 16509 - 16514 - '49152-49215' - '5900-5999' + - + if: + - use_tls_for_live_migration + - + generate_service_certificates: true + tripleo::profile::base::nova::libvirt_tls: true + nova::migration::libvirt::live_migration_inbound_addr: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + tripleo::certmonger::ca::libvirt::origin_ca_pem: + get_param: LibvirtCACert + tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt' + tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private' + libvirt_certificates_specs: + libvirt-server-cert: + service_certificate: '/etc/pki/libvirt/servercert.pem' + service_key: '/etc/pki/libvirt/private/serverkey.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "libvirt/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + libvirt-client-cert: + service_certificate: '/etc/pki/libvirt/clientcert.pem' + service_key: '/etc/pki/libvirt/private/clientkey.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "libvirt/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + - {} step_config: | include tripleo::profile::base::nova::libvirt + metadata_settings: + if: + - use_tls_for_live_migration + - + - service: libvirt + network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + type: node + - null diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index a2286d16..9820b431 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -90,14 +90,11 @@ outputs: # fluentd user. yaql: expression: > - set($.data.groups.flatten()).where($) + set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($) data: - groups: - - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}] - - yaql: - expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null)) - data: {role_data: {get_attr: [ServiceChain, role_data]}} - - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}] + default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]} + extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]} + role_data: {get_attr: [ServiceChain, role_data]} config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}} global_config_settings: map_merge: diff --git a/puppet/services/sshd.yaml b/puppet/services/sshd.yaml index 12998c33..e09a8894 100644 --- a/puppet/services/sshd.yaml +++ b/puppet/services/sshd.yaml @@ -22,6 +22,33 @@ parameters: default: '' description: Configures Banner text in sshd_config type: string + MessageOfTheDay: + default: '' + description: Configures /etc/motd text + type: string + SshServerOptions: + default: + HostKey: + - '/etc/ssh/ssh_host_rsa_key' + - '/etc/ssh/ssh_host_ecdsa_key' + - '/etc/ssh/ssh_host_ed25519_key' + SyslogFacility: 'AUTHPRIV' + AuthorizedKeysFile: '.ssh/authorized_keys' + PasswordAuthentication: 'no' + ChallengeResponseAuthentication: 'no' + GSSAPIAuthentication: 'yes' + GSSAPICleanupCredentials: 'no' + UsePAM: 'yes' + X11Forwarding: 'yes' + UsePrivilegeSeparation: 'sandbox' + AcceptEnv: + - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' + - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' + - 'LC_IDENTIFICATION LC_ALL LANGUAGE' + - 'XMODIFIERS' + Subsystem: 'sftp /usr/libexec/openssh/sftp-server' + description: Mapping of sshd_config values + type: json outputs: role_data: @@ -30,5 +57,7 @@ outputs: service_name: sshd config_settings: tripleo::profile::base::sshd::bannertext: {get_param: BannerText} + tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay} + tripleo::profile::base::sshd::options: {get_param: SshServerOptions} step_config: | include ::tripleo::profile::base::sshd diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index 2e3c818f..f62d5e18 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -42,6 +42,14 @@ parameters: default: true description: 'Use a local directory for Swift storage services when building rings' type: boolean + SwiftRingGetTempurl: + default: '' + description: A temporary Swift URL to download rings from. + type: string + SwiftRingPutTempurl: + default: '' + description: A temporary Swift URL to upload rings to. + type: string conditions: swift_use_local_dir: @@ -59,6 +67,8 @@ outputs: value: service_name: swift_ringbuilder config_settings: + tripleo::profile::base::swift::ringbuilder::swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl} + tripleo::profile::base::swift::ringbuilder::swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl} tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild} tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas} tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower} |