diff options
Diffstat (limited to 'puppet/services')
| -rw-r--r-- | puppet/services/certmonger-user.yaml | 17 | ||||
| -rw-r--r-- | puppet/services/cinder-backend-netapp.yaml | 8 | ||||
| -rw-r--r-- | puppet/services/cinder-volume.yaml | 16 | ||||
| -rw-r--r-- | puppet/services/disabled/ceilometer-expirer-disabled.yaml | 20 | ||||
| -rw-r--r-- | puppet/services/gnocchi-base.yaml | 10 | ||||
| -rw-r--r-- | puppet/services/haproxy.yaml | 6 | ||||
| -rw-r--r-- | puppet/services/horizon.yaml | 2 | ||||
| -rw-r--r-- | puppet/services/ironic-conductor.yaml | 6 | ||||
| -rw-r--r-- | puppet/services/nova-compute.yaml | 26 | ||||
| -rw-r--r-- | puppet/services/pacemaker_remote.yaml | 38 |
10 files changed, 128 insertions, 21 deletions
diff --git a/puppet/services/certmonger-user.yaml b/puppet/services/certmonger-user.yaml index 6ad451a8..0508c557 100644 --- a/puppet/services/certmonger-user.yaml +++ b/puppet/services/certmonger-user.yaml @@ -26,11 +26,28 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableInternalTLS: + type: boolean + default: false + DefaultCRLURL: + default: 'http://ipa-ca/ipa/crl/MasterCRL.bin' + description: URI where to get the CRL to be configured in the nodes. + type: string + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: description: Role data for the certmonger-user service value: service_name: certmonger_user + config_settings: + tripleo::certmonger::ca::crl::crl_source: + if: + - internal_tls_enabled + - {get_param: DefaultCRLURL} + - null step_config: | include ::tripleo::profile::base::certmonger_user diff --git a/puppet/services/cinder-backend-netapp.yaml b/puppet/services/cinder-backend-netapp.yaml index bddc8e1a..fbde4c0a 100644 --- a/puppet/services/cinder-backend-netapp.yaml +++ b/puppet/services/cinder-backend-netapp.yaml @@ -93,6 +93,12 @@ parameters: CinderNetappWebservicePath: type: string default: '/devmgr/v2' + CinderNetappNasSecureFileOperations: + type: string + default: 'false' + CinderNetappNasSecureFilePermissions: + type: string + default: 'false' # DEPRECATED options for compatibility with older versions CinderNetappEseriesHostType: type: string @@ -133,5 +139,7 @@ outputs: cinder::backend::netapp::netapp_storage_pools: {get_param: CinderNetappStoragePools} cinder::backend::netapp::netapp_host_type: {get_param: CinderNetappHostType} cinder::backend::netapp::netapp_webservice_path: {get_param: CinderNetappWebservicePath} + cinder::backend::netapp::nas_secure_file_operations: {get_param: CinderNetappNasSecureFileOperations} + cinder::backend::netapp::nas_secure_file_permissions: {get_param: CinderNetappNasSecureFilePermissions} step_config: | include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index fe95222b..1f8c345d 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml @@ -40,6 +40,20 @@ parameters: NFS servers used by Cinder NFS backend. Effective when CinderEnableNfsBackend is true. type: comma_delimited_list + CinderNasSecureFileOperations: + default: false + description: > + Controls whether security enhanced NFS file operations are enabled. + Valid values are 'auto', 'true' or 'false'. Effective when + CinderEnableNfsBackend is true. + type: string + CinderNasSecureFilePermissions: + default: false + description: > + Controls whether security enhanced NFS file permissions are enabled. + Valid values are 'auto', 'true' or 'false'. Effective when + CinderEnableNfsBackend is true. + type: string CinderRbdPoolName: default: volumes type: string @@ -105,6 +119,8 @@ outputs: tripleo::profile::base::cinder::volume::cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend} tripleo::profile::base::cinder::volume::nfs::cinder_nfs_mount_options: {get_param: CinderNfsMountOptions} tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: {get_param: CinderNfsServers} + tripleo::profile::base::cinder::volume::nfs::cinder_nas_secure_file_operations: {get_param: CinderNasSecureFileOperations} + tripleo::profile::base::cinder::volume::nfs::cinder_nas_secure_file_permissions: {get_param: CinderNasSecureFilePermissions} tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize} tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper} tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol} diff --git a/puppet/services/disabled/ceilometer-expirer-disabled.yaml b/puppet/services/disabled/ceilometer-expirer-disabled.yaml index 9b7b47ef..7be394b6 100644 --- a/puppet/services/disabled/ceilometer-expirer-disabled.yaml +++ b/puppet/services/disabled/ceilometer-expirer-disabled.yaml @@ -27,24 +27,12 @@ parameters: via parameter_defaults in the resource registry. type: json -resources: - CeilometerServiceBase: - type: ../ceilometer-base.yaml - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - outputs: role_data: description: Role data for the disabling Ceilometer Expirer role. value: service_name: ceilometer_expirer_disabled - config_settings: - map_merge: - - get_attr: [CeilometerServiceBase, role_data, config_settings] - - ceilometer::expirer::enable_cron: false - step_config: | - include ::tripleo::profile::base::ceilometer::expirer + upgrade_tasks: + - name: Remove ceilometer expirer cron tab on upgrade + tags: step1 + shell: '/usr/bin/crontab -u ceilometer -r' diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index f4067ef6..b4af7e85 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -34,6 +34,10 @@ parameters: default: 30 description: Delay between processing metrics. type: number + NumberOfStorageSacks: + default: 128 + description: Number of storage sacks to create. + type: number GnocchiPassword: description: The password for the gnocchi service and db account. type: string @@ -87,7 +91,11 @@ outputs: query: read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo - gnocchi::db::sync::extra_opts: '' + gnocchi::db::sync::extra_opts: + str_replace: + template: " --sacks-number NUM_SACKS" + params: + NUM_SACKS: {get_param: NumberOfStorageSacks} gnocchi::storage::metric_processing_delay: {get_param: MetricProcessingDelay} gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 3 diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index a71491c0..619cf131 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -50,6 +50,11 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + InternalTLSCRLPEMFile: + default: '/etc/pki/CA/crl/overcloud-crl.pem' + type: string + description: Specifies the default CRL PEM file to use for revocation if + TLS is used for services in the internal network. resources: @@ -89,6 +94,7 @@ outputs: tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} tripleo::haproxy::redis_password: {get_param: RedisPassword} tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile} + tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile} tripleo::profile::base::haproxy::certificates_specs: map_merge: - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index 93bced8b..092d0720 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -55,7 +55,7 @@ parameters: HorizonSecureCookies: description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon type: boolean - default: true + default: false MemcachedIPv6: default: false description: Enable IPv6 features in Memcached. diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index b1676715..0e8c8e12 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -164,6 +164,12 @@ outputs: ironic::my_ip: {get_param: [ServiceNetMap, IronicNetwork]} ironic::pxe::common::http_port: {get_param: IronicIPXEPort} # Credentials to access other services + ironic::cinder::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::cinder::username: 'ironic' + ironic::cinder::password: {get_param: IronicPassword} + ironic::cinder::project_name: 'service' + ironic::cinder::user_domain_name: 'Default' + ironic::cinder::project_domain_name: 'Default' ironic::glance::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} ironic::glance::username: 'ironic' ironic::glance::password: {get_param: IronicPassword} diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index e39e997a..68a71e42 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -105,6 +105,22 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + # Merging role-specific parameters (RoleParameters) with the default parameters. + # RoleParameters will have the precedence over the default parameters. + RoleParametersValue: + type: OS::Heat::Value + properties: + type: json + value: + map_replace: + - map_replace: + - nova::compute::vcpu_pin_set: NovaVcpuPinSet + nova::compute::reserved_host_memory: NovaReservedHostMemory + - values: {get_param: [RoleParameters]} + - values: + NovaVcpuPinSet: {get_param: NovaVcpuPinSet} + NovaReservedHostMemory: {get_param: NovaReservedHostMemory} + outputs: role_data: description: Role data for the Nova Compute service. @@ -117,14 +133,18 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [RoleParametersValue, value] - nova::compute::libvirt::manage_libvirt_services: false nova::compute::pci_passthrough: str_replace: template: "JSON_PARAM" params: - JSON_PARAM: {get_param: NovaPCIPassthrough} - nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet} - nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory} + map_replace: + - map_replace: + - JSON_PARAM: NovaPCIPassthrough + - values: {get_param: [RoleParameters]} + - values: + NovaPCIPassthrough: {get_param: NovaPCIPassthrough} # we manage migration in nova common puppet profile nova::compute::libvirt::migration_support: false tripleo::profile::base::nova::manage_migration: true diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml index 74aaf599..c49b0848 100644 --- a/puppet/services/pacemaker_remote.yaml +++ b/puppet/services/pacemaker_remote.yaml @@ -34,6 +34,42 @@ parameters: MonitoringSubscriptionPacemakerRemote: default: 'overcloud-pacemaker_remote' type: string + EnableFencing: + default: false + description: Whether to enable fencing in Pacemaker or not. + type: boolean + FencingConfig: + default: {} + description: | + Pacemaker fencing configuration. The JSON should have + the following structure: + { + "devices": [ + { + "agent": "AGENT_NAME", + "host_mac": "HOST_MAC_ADDRESS", + "params": {"PARAM_NAME": "PARAM_VALUE"} + } + ] + } + For instance: + { + "devices": [ + { + "agent": "fence_xvm", + "host_mac": "52:54:00:aa:bb:cc", + "params": { + "multicast_address": "225.0.0.12", + "port": "baremetal_0", + "manage_fw": true, + "manage_key_file": true, + "key_file": "/etc/fence_xvm.key", + "key_file_password": "abcdef" + } + } + ] + } + type: json PacemakerRemoteLoggingSource: type: json default: @@ -60,6 +96,8 @@ outputs: proto: 'tcp' dport: - 3121 + tripleo::fencing::config: {get_param: FencingConfig} + enable_fencing: {get_param: EnableFencing} tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey} step_config: | include ::tripleo::profile::base::pacemaker_remote |