From 55b83f9e22f1c6ab86ddc3056c002136bdd1c0e9 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Tue, 6 Oct 2015 10:34:57 -0700
Subject: [PATCH] Add controller class and supporting manifests

This adds a manifest to install the controller components as referenced in the Infra Cloud guide[1]:
- single-node mysql
- single-node rabbitmq
- keystone using the uuid token provider and apache/wsgi with ssl
- glance api and registry
- neutron server and ml2 linuxbridge plugin and agent supporting a provider network[2]
- nova api, scheduler, conductor

[1] http://docs.openstack.org/infra/system-config/infra-cloud.html
[2] http://docs.openstack.org/networking-guide/deploy_scenario4b.html

Change-Id: I380f62e48b29103d5abffad24abd9aeca4621f02
---
manifests/controller.pp | 324 +++++++++++++++++++++++++++++++++++++
manifests/rabbitmq_user.pp | 13 ++
manifests/ssl.pp | 53 ++++++
manifests/veth.pp | 25 +++
4 files changed, 415 insertions(+)
create mode 100644 manifests/controller.pp
create mode 100644 manifests/rabbitmq_user.pp
create mode 100644 manifests/ssl.pp
create mode 100644 manifests/veth.pp

diff --git a/manifests/controller.pp b/manifests/controller.pp
new file mode 100644
index 0000000..9298348
--- /dev/null
+++ b/manifests/controller.pp
@@ -0,0 +1,324 @@
+# class: OpenStack Infra Cloud
+class infracloud::controller(
+ $neutron_rabbit_password,
+ $nova_rabbit_password,
+ $root_mysql_password,
+ $keystone_mysql_password,
+ $glance_mysql_password,
+ $neutron_mysql_password,
+ $nova_mysql_password,
+ $glance_admin_password,
+ $keystone_admin_password,
+ $neutron_admin_password,
+ $nova_admin_password,
+ $keystone_admin_token,
+ $ssl_chain_file_contents,
+ $keystone_ssl_key_file_contents,
+ $keystone_ssl_cert_file_contents,
+ $neutron_ssl_key_file_contents,
+ $neutron_ssl_cert_file_contents,
+ $glance_ssl_key_file_contents,
+ $glance_ssl_cert_file_contents,
+ $nova_ssl_key_file_contents,
+ $nova_ssl_cert_file_contents,
+ $controller_management_address,
+ $controller_public_address = $::fqdn,
+) {
+
+ $keystone_auth_uri = "https://${controller_public_address}:5000"
+ $keystone_admin_uri = "https://${controller_public_address}:35357"
+
+ ### Certificate Chain ###
+
+ # This chain file needs to sign every other cert
+ $ssl_chain_path = "/etc/ssl/certs/${controller_public_address}-ca.pem"
+ file { $ssl_chain_path:
+ ensure => present,
+ content => $ssl_chain_file_contents,
+ mode => '0644',
+ }
+
+ ### Networking ###
+
+ include ::infracloud::veth
+
+ ### Repos ###
+
+ include ::apt
+
+ class { '::openstack_extras::repo::debian::ubuntu':
+ release => 'kilo',
+ package_require => true,
+ }
+
+ ### Database ###
+
+ class { '::mysql::server':
+ root_password => $root_mysql_password,
+ }
+
+ ### Messaging ###
+
+ class { '::rabbitmq':
+ delete_guest_user => true,
+ environment_variables => {
+ 'RABBITMQ_NODE_IP_ADDRESS' => $controller_management_address,
+ }
+ }
+
+ ### Keystone ###
+
+ class { '::keystone::db::mysql':
+ password => $keystone_mysql_password,
+ }
+
+ # keystone.conf
+ class { '::keystone':
+ database_connection => "mysql://keystone:${keystone_mysql_password}@127.0.0.1/keystone",
+ catalog_type => 'sql',
+ admin_token => $keystone_admin_token,
+ service_name => 'httpd',
+ enable_ssl => true,
+ admin_bind_host => $controller_public_address,
+ }
+
+ # keystone admin user, projects
+ class { '::keystone::roles::admin':
+ email => 'postmaster@no.test',
+ password => $keystone_admin_password,
+ }
+
+ # keystone auth endpoints
+ class { '::keystone::endpoint':
+ public_url => $keystone_auth_uri,
+ admin_url => $keystone_admin_uri,
+ }
+
+ # apache server
+ include ::apache
+
+ $keystone_ssl_key_path = "/etc/ssl/private/${controller_public_address}-keystone.pem"
+ $keystone_ssl_cert_path = "/etc/ssl/certs/${controller_public_address}-keystone.pem"
+
+ # keystone vhost
+ class { '::keystone::wsgi::apache':
+ ssl_key => $keystone_ssl_key_path,
+ ssl_cert => $keystone_ssl_cert_path,
+ ssl_chain => $ssl_chain_path,
+ }
+
+ infracloud::ssl { 'keystone':
+ key_content => $keystone_ssl_key_file_contents,
+ cert_content => $keystone_ssl_cert_file_contents,
+ key_path => $keystone_ssl_key_path,
+ cert_path => $keystone_ssl_cert_path,
+ }
+
+ ### Glance ###
+
+ $glance_database_connection = "mysql://glance:${glance_mysql_password}@127.0.0.1/glance"
+
+ class { '::glance::db::mysql':
+ password => $glance_mysql_password,
+ }
+
+ # glance-api.conf
+ class { '::glance::api':
+ bind_host => $controller_public_address,
+ database_connection => $glance_database_connection,
+ keystone_password => $glance_admin_password,
+ auth_uri => $keystone_auth_uri,
+ identity_uri => $keystone_admin_uri,
+ cert_file => "/etc/glance/ssl/certs/${controller_public_address}.pem",
+ key_file => "/etc/glance/ssl/private/${controller_public_address}.pem",
+ }
+
+ infracloud::ssl { 'glance':
+ key_content => $glance_ssl_key_file_contents,
+ cert_content => $glance_ssl_cert_file_contents,
+ before => Service['glance-api'],
+ }
+
+ # glance-registry.conf
+ class { '::glance::registry':
+ database_connection => $glance_database_connection,
+ keystone_password => $glance_admin_password,
+ auth_uri => $keystone_auth_uri,
+ identity_uri => $keystone_admin_uri,
+ }
+
+ # keystone user, role, service, endpoints for glance service
+ class { '::glance::keystone::auth':
+ password => $glance_admin_password,
+ public_url => "https://${controller_public_address}:9292",
+ admin_url => "https://${controller_public_address}:9292",
+ }
+
+ ### Neutron server ###
+ sysctl::value { 'net.ipv4.conf.default.rp_filter':
+ value => 0
+ }
+ sysctl::value { 'net.ipv4.conf.all.rp_filter':
+ value => 0
+ }
+
+ class { '::neutron::db::mysql':
+ password => $neutron_mysql_password,
+ }
+
+ infracloud::rabbitmq_user { 'neutron':
+ password => $neutron_rabbit_password,
+ }
+
+ # neutron.conf
+ class { '::neutron':
+ core_plugin => 'ml2',
+ enabled => true,
+ rabbit_user => 'neutron',
+ rabbit_password => $neutron_rabbit_password,
+ rabbit_host => $controller_management_address,
+ use_ssl => true,
+ cert_file => "/etc/neutron/ssl/certs/${controller_public_address}.pem",
+ key_file => "/etc/neutron/ssl/private/${controller_public_address}.pem",
+ }
+
+ infracloud::ssl { 'neutron':
+ key_content => $neutron_ssl_key_file_contents,
+ cert_content => $neutron_ssl_cert_file_contents,
+ before => Service['neutron-server'],
+ }
+
+ # keystone user, role, service, endpoints for neutron service
+ class { '::neutron::keystone::auth':
+ password => $neutron_admin_password,
+ public_url => "https://${controller_public_address}:9696/",
+ admin_url => "https://${controller_public_address}:9696/",
+ }
+
+ # neutron-server service and related neutron.conf and api-paste.conf params
+ class { '::neutron::server':
+ auth_password => $neutron_admin_password,
+ database_connection => "mysql://neutron:${neutron_mysql_password}@127.0.0.1/neutron?charset=utf8",
+ sync_db => true,
+ auth_uri => $keystone_auth_uri,
+ identity_uri => $keystone_admin_uri,
+ }
+
+ # neutron client package
+ class { '::neutron::client': }
+
+ # neutron.conf nova credentials
+ class { '::neutron::server::notifications':
+ nova_url => "https://${controller_public_address}:8774/v2",
+ nova_admin_auth_url => "${keystone_admin_uri}/v2.0",
+ nova_admin_username => 'nova',
+ nova_admin_password => $nova_admin_password,
+ nova_admin_tenant_name => 'services',
+ }
+
+ # ML2
+ class { '::neutron::plugins::ml2':
+ type_drivers => ['flat', 'vlan'],
+ tenant_network_types => [],
+ mechanism_drivers => ['linuxbridge'],
+ flat_networks => ['provider'],
+ network_vlan_ranges => ['provider'],
+ enable_security_group => true,
+ }
+ class { '::neutron::agents::ml2::linuxbridge':
+ physical_interface_mappings => ['provider:veth2'],
+ require => Class['infracloud::veth'],
+ }
+ # Fix for https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1453188
+ file { '/usr/bin/neutron-plugin-linuxbridge-agent':
+ ensure => link,
+ target => '/usr/bin/neutron-linuxbridge-agent',
+ before => Package['neutron-plugin-linuxbridge-agent'],
+ }
+
+ # DHCP
+ class { '::neutron::agents::dhcp':
+ interface_driver => 'neutron.agent.linux.interface.BridgeInterfaceDriver',
+ dhcp_delete_namespaces => true,
+ }
+
+ # Provider network
+ neutron_network { 'provider-net':
+ shared => true,
+ provider_network_type => 'flat',
+ provider_physical_network => 'provider',
+ }
+
+ # Provider subnet with three allication pools representing three "subnets"
+ neutron_subnet { 'provider-subnet-53-54-55':
+ cidr => '15.184.52.0/22',
+ gateway_ip => '15.184.52.1',
+ network_name => 'provider-net',
+ allocation_pools => [
+ 'start=15.184.53.2,end=15.184.53.254',
+ 'start=15.184.54.2,end=15.184.54.254',
+ 'start=15.184.55.2,end=15.184.55.254'
+ ],
+ }
+
+ ### Nova ###
+
+ class { '::nova::db::mysql':
+ password => $nova_mysql_password,
+ host => '127.0.0.1',
+ }
+
+ infracloud::rabbitmq_user { 'nova':
+ password => $nova_rabbit_password,
+ }
+
+ # nova.conf - general
+ class { '::nova':
+ database_connection => "mysql://nova:${nova_mysql_password}@127.0.0.1/nova?charset=utf8",
+ rabbit_userid => 'nova',
+ rabbit_password => $nova_rabbit_password,
+ rabbit_host => $controller_management_address,
+ glance_api_servers => "https://${controller_public_address}:9292",
+ use_ssl => true,
+ cert_file => "/etc/nova/ssl/certs/${controller_public_address}.pem",
+ key_file => "/etc/nova/ssl/private/${controller_public_address}.pem",
+ }
+ infracloud::ssl { 'nova':
+ key_content => $nova_ssl_key_file_contents,
+ cert_content => $nova_ssl_cert_file_contents,
+ before => Service['nova-api'],
+ require => Class['::nova'],
+ }
+
+ # keystone user, role, service, endpoints for nova service
+ class { '::nova::keystone::auth':
+ password => $nova_admin_password,
+ public_url => "https://${controller_public_address}:8774/v2/%(tenant_id)s",
+ admin_url => "https://${controller_public_address}:8774/v2/%(tenant_id)s",
+ }
+
+ # nova.conf neutron credentials
+ class { '::nova::network::neutron':
+ neutron_admin_password => $neutron_admin_password,
+ neutron_url => "https://${controller_public_address}:9696",
+ }
+
+ # api service and endpoint-related params in nova.conf
+ class { '::nova::api':
+ enabled => true,
+ enabled_apis => 'osapi_compute,metadata',
+ admin_password => $nova_admin_password,
+ auth_uri => $keystone_auth_uri,
+ identity_uri => $keystone_admin_uri,
+ }
+
+ # conductor service
+ class { '::nova::conductor':
+ enabled => true,
+ }
+
+ # scheduler service
+ class { '::nova::scheduler':
+ enabled => true,
+ }
+}
diff --git a/manifests/rabbitmq_user.pp b/manifests/rabbitmq_user.pp
new file mode 100644
index 0000000..9abc77c
--- /dev/null
+++ b/manifests/rabbitmq_user.pp
@@ -0,0 +1,13 @@
+define infracloud::rabbitmq_user(
+ $password,
+) {
+ rabbitmq_user { $name:
+ admin => false,
+ password => $password,
+ }
+ rabbitmq_user_permissions { "${name}@/":
+ configure_permission => '.*',
+ read_permission => '.*',
+ write_permission => '.*',
+ }
+}
diff --git a/manifests/ssl.pp b/manifests/ssl.pp
new file mode 100644
index 0000000..4bcbdb3
--- /dev/null
+++ b/manifests/ssl.pp
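Review bot: `infracloud::ssl { 'glance': … }` and `infracloud::ssl { 'neutron': … }` carry only a `before` on their service, whereas the `nova` instance also has `require => Class['::nova']`; because the define sets `owner => $name` on the key file and directories, the glance and neutron key files may be applied before the package that creates those system users is installed, and the run would then fail on the unknown owner. Adding the same ordering to the other two, `require => Class['::neutron']` for neutron and a require on the class that installs the glance package (`::glance::api` is the one declared here) for glance, makes the three declarations consistent. The two `sysctl::value` resources that set `rp_filter` to 0 relax the kernel's source-address validation on every interface with no comment saying why; a one-line note such as `# rp_filter is disabled for the linuxbridge provider-network layout from the networking guide linked in the commit` would let a later reader judge whether it is still needed.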
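Review bot: The define has no header comment, and the permissions it grants deserve one: `rabbitmq_user_permissions { "${name}@/": … }` gives every service user `.*` configure, read and write on the shared default vhost `/`, so the neutron and nova credentials created in controller.pp can each reach the other's queues. If that sharing is intended, a comment above the define such as `# Create a non-admin RabbitMQ user with full permissions on the default vhost; all services share that vhost, so one leaked service password reaches every queue` records the trade-off; if not, a vhost parameter defaulting to `/` would let callers confine each user. `admin => false` is already the right setting for a service credential.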
@@ -0,0 +1,53 @@
+define infracloud::ssl(
+ $key_content,
+ $cert_content,
+ $key_path = undef,
+ $cert_path = undef,
+) {
+ if $key_path == undef {
+ $_key_path = "/etc/${name}/ssl/private/${::fqdn}.pem"
+ } else {
+ $_key_path = $key_path
+ }
+ if $cert_path == undef {
+ $_cert_path = "/etc/${name}/ssl/certs/${::fqdn}.pem"
+ } else {
+ $_cert_path = $cert_path
+ }
+
+ # If the user isn't providing an unexpected path, create the directory
+ # structure.
+ if $key_path == undef and $cert_path == undef {
+ file { "/etc/${name}/ssl":
+ ensure => directory,
+ owner => $name,
+ mode => '0775',
+ }
+ file { "/etc/${name}/ssl/private":
+ ensure => directory,
+ owner => $name,
+ mode => '0755',
+ require => File["/etc/${name}/ssl"],
+ before => File[$_key_path]
+ }
+ file { "/etc/${name}/ssl/certs":
+ ensure => directory,
+ owner => $name,
+ mode => '0750',
+ require => File["/etc/${name}/ssl"],
+ before => File[$_cert_path],
+ }
+ }
+
+ file { $_key_path:
+ ensure => present,
+ content => $key_content,
+ owner => $name,
+ mode => '0600',
+ }
+ file { $_cert_path:
+ ensure => present,
+ content => $cert_content,
+ mode => '0644',
+ }
+}
diff --git a/manifests/veth.pp b/manifests/veth.pp
new file mode 100644
index 0000000..ff136cb
--- /dev/null
+++ b/manifests/veth.pp
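Review bot: The directory modes inside the `if $key_path == undef and $cert_path == undef` block look swapped: `/etc/${name}/ssl/private` gets `mode => '0755'` while `/etc/${name}/ssl/certs` gets `mode => '0750'`, so the directory holding the private key is the world-listable one and the public certificate directory is the restricted one; `'0750'` on `private` and `'0755'` on `certs` would match the key file's own `'0600'` and the usual `/etc/ssl` layout. The parent `/etc/${name}/ssl` is `'0775'`, which is group-writable for whatever group the directory ends up with, and `'0755'` seems sufficient. Separately, the directories are created only when both paths are defaulted, so a caller that overrides just one of them leaves `File[$_key_path]` or `File[$_cert_path]` pointing into a directory nothing manages; guarding each subdirectory with its own `== undef` test, and the parent with either, closes that gap, as sketched below.
```puppet
  # Create the directory structure only for paths the caller did not override.
  if $key_path == undef or $cert_path == undef {
    file { "/etc/${name}/ssl":
      ensure => directory,
      owner  => $name,
      mode   => '0755',
    }
  }
  if $key_path == undef {
    file { "/etc/${name}/ssl/private":
      ensure  => directory,
      owner   => $name,
      mode    => '0750',
      require => File["/etc/${name}/ssl"],
      before  => File[$_key_path],
    }
  }
  if $cert_path == undef {
    file { "/etc/${name}/ssl/certs":
      ensure  => directory,
      owner   => $name,
      mode    => '0755',
      require => File["/etc/${name}/ssl"],
      before  => File[$_cert_path],
    }
  }
  # … unchanged: file { $_key_path: … } and file { $_cert_path: … } …
```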
@@ -0,0 +1,25 @@
+# Create a veth pair to connect the neutron bridge to the vlan bridge
+class infracloud::veth {
+ exec { 'create veth pair':
+ command => '/sbin/ip link add veth1 type veth peer name veth2',
+ unless => '/sbin/ip link show | /bin/grep veth1 && /sbin/ip link show | /bin/grep veth2',
+ }
+
+ exec { 'attach veth pair':
+ command => '/sbin/brctl addif br-vlan25 veth1',
+ unless => '/sbin/brctl show br-vlan25 | /bin/grep veth1',
+ require => Exec['create veth pair'],
+ }
+
+ exec { 'turn on veth1':
+ command => '/sbin/ip link set dev veth1 up',
+ unless => '/sbin/ip link show dev veth1 | /bin/grep "state UP"',
+ require => Exec['attach veth pair'],
+ }
+
+ exec { 'turn on veth2':
+ command => '/sbin/ip link set dev veth2 up',
+ unless => '/sbin/ip link show dev veth2 | /bin/grep "state UP"',
+ require => Exec['attach veth pair'],
+ }
+}
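Review bot: The `unless` on `exec { 'create veth pair': … }` greps the whole `ip link show` output for the bare substrings `veth1` and `veth2`, so any interface whose name merely contains them (a `veth10`, say) satisfies the guard and the pair is never created; the two `turn on` execs already use the precise per-device form, so `unless => '/sbin/ip link show dev veth1 && /sbin/ip link show dev veth2'` keeps the check consistent and relies on the exit status instead of a substring. The `grep veth1` on the `brctl show br-vlan25` output in `attach veth pair` has the same substring weakness. The bridge name `br-vlan25` is hard-coded there and nothing verifies it exists before `brctl addif` runs, so a host without that bridge fails on every run; a class parameter with `br-vlan25` as its default would at least make the assumption visible to callers.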