Retire stackforge/puppet-openstack-cloud

Monty Taylor 2015-10-17 16:04:23 -04:00
parent e8d6d0ff25
commit 4fc9478060
197 changed files with 7 additions and 21703 deletions

@ -1,14 +0,0 @@
- pkg/
- spec/
- Rakefile
- Puppetfile
- coverage/
- .git/
- .forgeignore
- .travis.yml
- .gitignore
- doc/
- .yardoc/
- Gemfile
- Gemfile.lock
- .fixtures.yml

.gitignore

@ -1,9 +0,0 @@
*.swp
spec/fixtures/modules/*
spec/fixtures/manifests/site.pp
Gemfile.lock
.vendor
doc/
.yardoc
.librarian/
.tmp/

@ -1,4 +0,0 @@
[gerrit]
host=review.openstack.org
port=29418
project=stackforge/puppet-openstack-cloud.git
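Review bot: removing .gitreview is consistent with retiring the project, but these four lines (`host=review.openstack.org`, `port=29418`, `project=stackforge/puppet-openstack-cloud.git`) are the only record on this page of where the project's reviews lived; consider carrying that location into the added README.rst so the review history stays discoverable after the file is gone.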

@ -1,15 +0,0 @@
language: ruby
script: "bundle exec rake test COV=y SPEC_OPTS='--format documentation --color --backtrace'"
rvm:
- 1.9.3
- 2.0.0
matrix:
fast_finish: true
env:
matrix:
- PUPPET_GEM_VERSION="~> 3.3.0"
- PUPPET_GEM_VERSION="~> 3.4.0"
- PUPPET_GEM_VERSION="~> 3.6.0"
- PUPPET_GEM_VERSION="~> 3.7.0"
notifications:
email: false

@ -1,120 +0,0 @@
##2014-10-24 - Features release 2.2.0
###Summary
* Sensu as first implementation of monitoring system
* Glance now supports NFS image storage backend
* Cinder now supports EMC VNX & iSCSI volume backends
* Nova now supports NFS instance storage backend
* Neutron now supports Cisco plugins with N1KV hardware (experimental)
* RabbitMQ can now be load-balanced by HAproxy
* Keystone roles for Heat are now created automatically
* Support for keepalived authentification
* MongoDB replicaset is now an option, so MongoDB can be standalone
* MySQL Galera has been tweaked to have better performances at scale
* Nova configuration has been tweaked to use read-only database feature and have better performances at scale
* Trove has been disabled by default since it's still in experimental status
* HAproxy: Allow user to bind multiple public/private IPs
* keepalived: allow vrrp traffic on a dedicated interface
* When running KVM, we check if VTX is really enabled
* HAproxy checks have been improve for OpenStack services
* Neutron: allow to specify tunnel type (i.e. VXLAN)
* Horizon: ALLOWED_HOST can now be controlled by the module
* Horizon: Allow user to speficy broader apache vhost settings
* Nova/RBD: support for RHEL 7
####Bugfixes
* Fix correct Puppet Ceph dependencies which could lead to bootstrap issues
* Fix issues with instance live migration support (nova configuration)
* Fix HAproxy checks for Spice (TCP instead of HTTP)
####Known Bugs
* No known bugs
##2014-07-15 - Features release 2.1.0
###Summary
* Advanced logging support with kibana3, elasticsearch and fluentd
* Improve SSL termination support
* File backend support for Glance
* OpenStack Database as a Service support (Trove) as experimental
* Pacemaker support in Red-Hat
* heat-engine is no more managed as a single point of failure
####Bugfixes
* Fix heat-cfn & heat-cloudwatch HAproxy binding
* Fix issues when using SSL termination
####Known Bugs
* No known bugs
##2014-06-19 - Features release 2.0.0
###Summary
* Icehouse release support
* OpenStack Object Storage support (Swift)
* Neutron Metadata multi-worker
* RBD flexibility on compute nodes
* Keystone and Nova v3 API support
* SSL termination support
####Bugfixes
* Fix nova-compute service when using RBD backend
* Fix cinder-volume service when creating a volume type
* Enable to have Swift Storage & Ceph OSD on same nodes
####Known Bugs
* No known bugs
##2014-05-06 - Features release 1.3.0
###Summary
* High Availability refactorization
* OpenStack services separation in different classes
* DHCP Agent: Add support of DNS server declaration
* Defaults values for all puppet parameters, can now support Hiera.
* Fix all unit tests to pass Travis
####Bugfixes
* Fix HAproxy configuration for Heat API binding
####Known Bugs
* When using RBD as Nova Backend, nova-compute should be notified
* When creating a volume type, cinder-volume should be notified
* Impossible to attach a volume backend by RBD if not using RBD backend for Nova
##2014-04-22 - Features release 1.2.0
###Summary
* Now supports Ubuntu 12.04
* Now supports Now supports Red Hat OpenStack Platform 4
* Can be deployed on 3 nodes
* Add cluster note type support for RabbitMQ configuration
* Block storage can now be backend by multiple RBD pools
####Bugfixes
* Fix a bug in Horizon in HTTP/HTTPS binding
####Known Bugs
* No known bugs
##2014-04-01 - Features release 1.1.0
###Summary
* Updated puppetlabs-rabbitmq to 3.1.0 (RabbitMQ to 3.2.4)
* Add Cinder Muli-backend support
* NetApp support for Cinder as a backend
* Keystone uses now MySQL for tokens storage (due to several issues with Memcache backend)
* Back to upstream puppet-horizon from stackforge
* Servername parameter support in Horizon configuration to allow SSL redirections
* puppet-openstack-cloud module QA is done by Travis
* network: add dhcp\_lease\_duration parameter support
####Bugfixes
* neutron: increase agent polling interval
####Known Bugs
* Bug in Horizon in HTTP/HTTPS binding (fixed in 1.2.0)
##2014-03-13 - First stable version 1.0.0
###Summary
* First stable version.
####Bugfixes
* No
####Known Bugs
* No known bugs

Gemfile

@ -1,19 +0,0 @@
source 'https://rubygems.org'
group :development, :test do
gem 'puppetlabs_spec_helper'
gem 'puppet-lint-param-docs', '1.1.0'
gem 'metadata-json-lint'
gem 'json'
gem 'webmock'
gem 'r10k'
gem 'librarian-puppet-simple', '~> 0.0.3'
end
if puppetversion = ENV['PUPPET_GEM_VERSION']
gem 'puppet', puppetversion, :require => false
else
gem 'puppet', :require => false
end
# vim:ft=ruby

LICENSE

@ -1,176 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
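Review bot: deleting LICENSE together with the code leaves the retired tree with no license statement at all; the added README.rst tells readers to `git checkout HEAD^1` but does not say under which terms that earlier content may be used. Consider keeping this file (Apache License, Version 2.0, as shown in the hunk) at the top of the tree, or at least naming the license in README.rst, so that anyone taking the `HEAD^1` snapshot sees its terms without digging through history.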

@ -1,238 +0,0 @@
#
# Copyright 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Puppetfile
forge 'http://forge.puppetlabs.com'
# OpenStack projects
mod 'openstacklib',
:git => 'git://github.com/enovance/puppet-openstacklib.git',
:ref => '176d7d65911eafab9d04d2053e77c69ff2c40e44'
mod 'ceilometer',
:git => 'git://github.com/enovance/puppet-ceilometer.git',
:ref => '64d8cfb8c1637871bba8c692d0c8184b75aceba2'
mod 'cinder',
:git => 'git://github.com/enovance/puppet-cinder.git',
:ref => '8d9524fac34daf7ef0ac336ef32fd3f75b6bddb1'
mod 'glance',
:git => 'git://github.com/enovance/puppet-glance.git',
:ref => '57685754d3e96cfaf863c9a98bf6b517e4ddb334'
mod 'heat',
:git => 'git://github.com/enovance/puppet-heat.git',
:ref => 'f2d08f6c340e19ad39d257f7a82c57afe6e342cc'
mod 'horizon',
:git => 'git://github.com/enovance/puppet-horizon.git',
:ref => 'f04c63881735c59a4d74390f20a35edd3a69e71e'
mod 'keystone',
:git => 'git://github.com/enovance/puppet-keystone.git',
:ref => '4b2623d4ec41957b0274d8a457e3019fdf1e342b'
mod 'neutron',
:git => 'git://github.com/enovance/puppet-neutron.git',
:ref => 'e981bc2533b349fae3e06ca3989f1bceece94610'
mod 'nova',
:git => 'git://github.com/enovance/puppet-nova.git',
:ref => 'cc1a2a348a7953298c75881a5c4afafeb3d0a4e4'
mod 'swift',
:git => 'git://github.com/enovance/puppet-swift.git',
:ref => '1e4ebee1e88f946dfe4ed078437dc20b28698b53'
mod 'tempest',
:git => 'git://github.com/enovance/puppet-tempest.git',
:ref => 'f5e87cad5de119bd483006f06efcd22a34d8bdc4'
mod 'trove',
:git => 'git://github.com/enovance/puppet-trove.git',
:ref => '16e82e68ea62efec3ec7e11d7b9887e16b773372'
# Dependency
mod 'apache',
:git => 'git://github.com/enovance/puppetlabs-apache.git',
:ref => 'e4ec6d4985fdb23e26c809e0d5786823d0689f90'
mod 'apt',
:git => 'git://github.com/enovance/puppetlabs-apt.git',
:ref => '9b001af8775c7231ea2656b7eb43d6141b536f49'
mod 'boolean',
:git => 'git://github.com/enovance/puppet-boolean.git',
:ref => '157011a4eaa27f1202a9d94335ee4876b26d377e'
mod 'ceph',
:git => 'git://github.com/enovance/puppet-ceph.git',
:ref => '3b58acf9fdf567bf40d17b3c803c940f1ddc70d1'
#FIXME
mod 'cloud',
:git => 'git://github.com/stackforge/puppet-openstack-cloud.git',
:ref => 'master'
mod 'common',
:git => 'git://github.com/enovance/puppet-module-common.git',
:ref => '2d0606fce1078222dd483e731ec32807f5b4ca53'
mod 'cassandra',
:git => 'git://github.com/enovance/cassandra.git',
:ref => '124f472128d178f52e2233d6aa8a0f1285f73c49'
mod 'concat',
:git => 'git://github.com/enovance/puppet-concat.git',
:ref => 'ab06c2b8c09d9da82b53a62a5389427720519cd5'
mod 'contrail',
:git => 'git://github.com/enovance/puppet-contrail.git',
:ref => '2b135d5b9f00c26b357bf2f55082701f01e0670a'
mod 'corosync',
:git => 'git://github.com/enovance/puppetlabs-corosync.git',
:ref => '7bbdcd8c57beab6ba24b06ef5aaee2462f8d3d24'
mod 'dnsclient',
:git => 'git://github.com/enovance/puppet-module-dnsclient.git',
:ref => '4158b30f4660623f98dcdbd1ce9b482556180b57'
mod 'datacat',
:git => 'git://github.com/enovance/puppet-datacat.git',
:ref => '6a2017b31a8808de35b89d90b9e2b681ef9a0918'
mod 'elasticsearch',
:git => 'git://github.com/enovance/puppet-elasticsearch.git',
:ref => '6d08442e8382f0f47388d4185122992c2d73cd9b'
mod 'gcc',
:git => 'git://github.com/enovance/puppetlabs-gcc.git',
:ref => '272e6595a2f4824dafa71a2b751960659c05c35d'
mod 'git',
:git => 'git://github.com/enovance/puppetlabs-git.git',
:ref => '0df1f62130a7752c728efb7555f2b07ca178ee5b'
mod 'hiera',
:git => 'git://github.com/enovance/puppet-hiera.git',
:ref => '1d407be61d800034409e4595a6fb73004b10f70f'
mod 'java',
:git => 'git://github.com/enovance/puppetlabs-java.git',
:ref => '5f60d5e2c041848b4c3e71c0aa6ba99b87774d4a'
mod 'firewall',
:git => 'git://github.com/enovance/puppetlabs-firewall.git',
:ref => '4ed1b43e1629c1b6108133b0fc3be603d03ffe6c'
mod 'fluentd',
:git => 'git://github.com/enovance/puppet-fluentd.git',
:ref => 'f77c3f27e0b91a60c1ee413aa0f4f5704c97955a'
mod 'haproxy',
:git => 'git://github.com/enovance/puppetlabs-haproxy.git',
:ref => 'fc1166f28d411dfd4f59d4bfd6936595c014a11b'
mod 'inifile',
:git => 'git://github.com/enovance/puppetlabs-inifile.git',
:ref => 'ae23a4db97d2815ec305d0529912685f07746d3c'
mod 'kafka',
:git => 'git://github.com/enovance/puppet-kafka.git',
:ref => '9ed9993ef53e4c1f2897e5191ee7fccfac866dfe'
mod 'keepalived',
:git => 'git://github.com/enovance/puppet-module-keepalived.git',
:ref => 'eb345b6d3b25106cbe166028f2b8dd9974a10230'
mod 'kibana3',
:git => 'git://github.com/enovance/kibana3.git',
:ref => '1c448ef538bb08236cad382b2621d6d09bee1f63'
mod 'vcsrepo',
:git => 'git://github.com/enovance/puppetlabs-vcsrepo.git',
:ref => '4592bfd59cd5d4795069798a14b483e16c98c1ff'
mod 'kmod',
:git => 'git://github.com/enovance/puppet-kmod.git',
:ref => 'accc40093e6f8ee9cc472e9eb6ba3bab4bad3a1f'
mod 'kwalify',
:git => 'git://github.com/puppetlabs/puppetlabs-kwalify.git',
:ref => 'e0079c6485d7cbfc846d956e650913e1b3ccfb6d'
mod 'libvirt',
:git => 'git://github.com/enovance/puppetlabs-libvirt.git',
:ref => '05808874715ca3e899861a0af139e6a48255d3cb'
mod 'limits',
:git => 'git://github.com/enovance/puppet-limits.git',
:ref => '8cb15495e55ce86bacf17f6a80a8c70ac35fc9c0'
mod 'logrotate',
:git => 'git://github.com/enovance/puppet-logrotate.git',
:ref => 'f4d12356301fa2992f51dc7225037bb07556cb28'
mod 'memcached',
:git => 'git://github.com/enovance/puppet-memcached.git',
:ref => 'd009260de3c7623003318555ec5ca61217ea3ca1'
mod 'mongodb',
:git => 'git://github.com/enovance/puppetlabs-mongodb.git',
:ref => '030100a176a72a32e265b77790d8d15407a13729'
mod 'mysql',
:git => 'git://github.com/enovance/puppetlabs-mysql.git',
:ref => '8b814d4d2cb5786a15e8e37fb3b7444d5d5f0d3f'
# TODO(EmilienM) Come back to upstream after
# https://github.com/ghoneycutt/puppet-module-nfs/pull/43 got merged.
mod 'nfs',
:git => 'git://github.com/enovance/puppet-module-nfs.git',
:ref => '6f840a522679c6a8ebe340d86f9c4325a2103629'
mod 'ntp',
:git => 'git://github.com/enovance/puppetlabs-ntp.git',
:ref => 'eb02ba2937ce86fb609ae41499767244b78ec58d'
mod 'pacemaker',
:git => 'git://github.com/enovance/puppet-pacemaker.git',
:ref => '56bbb3580bb7fa62bf57c2ed7a30b938e42b8cc3'
mod 'partial',
:git => 'git://github.com/enovance/puppet-partial.git',
:ref => '1308d5341872911359e884fd84e4dd175fda632f'
mod 'postgresql',
:git => 'git://github.com/enovance/puppetlabs-postgresql.git',
:ref => '0b483a2796e77d670e326a01fce57465d2c08774'
mod 'puppetdb',
:git => 'git://github.com/enovance/puppetlabs-puppetdb.git',
:ref => 'b482ad8efa94283099cee0aaedd194f50753f7b0'
mod 'puppetdbquery',
:git => 'git://github.com/enovance/puppet-puppetdbquery.git',
:ref => '89194917744f929bb600c31d7d6f822b529f5f03'
# TODO(emilienM) https://tickets.puppetlabs.com/browse/PDB-1223
mod 'rabbitmq',
:git => 'git://github.com/enovance/puppetlabs-rabbitmq.git',
:ref => '7d3a3a1859d344c4e49d4c257c4ea0b9b0460c33'
mod 'redis',
:git => 'git://github.com/arioch/puppet-redis.git',
:ref => '51e35cc9a743dd8f992effae25d92e18aafe8b46'
mod 'rhnreg_ks',
:git => 'git://github.com/enovance/puppet-rhnreg_ks.git',
:ref => '8fdc051992b44a09f39d3b510d7cd6db5ed5ff66'
mod 'rpcbind',
:git => 'git://github.com/enovance/puppet-module-rpcbind.git',
:ref => 'da943d26f09f9658159c1190e058bf1af88f465d'
mod 'rsync',
:git => 'git://github.com/enovance/puppetlabs-rsync.git',
:ref => '7122983d89bf68bc4170415cc03212f6a8a4636e'
mod 'sensu',
:git => 'git://github.com/enovance/sensu-puppet.git',
:ref => '4a16ebf3503bfc9ae6192ae3120cb29b9e5c8445'
mod 'ssh',
:git => 'git://github.com/enovance/puppet-ssh.git',
:ref => '3906425ff06bcabc4d677a3f01372d8a26f93e94'
mod 'rsyslog',
:git => 'git://github.com/enovance/puppet-rsyslog.git',
:ref => '67c7c501b916ebd1a27a8a218d49602339526c4f'
mod 'stdlib',
:git => 'git://github.com/enovance/puppetlabs-stdlib.git',
:ref => 'fb42396c75d90ce3a9473e2a7ed22682266ea03f'
mod 'sudo',
:git => 'git://github.com/enovance/puppet-sudo.git',
:ref => '6875e3c16bb17149fb24d49d45e8dc32bacbdfaf'
mod 'sysctl',
:git => 'git://github.com/enovance/puppet-sysctl.git',
:ref => 'aca277a3d407359ced96267cd2b3205bd8ab9c48'
mod 'types',
:git => 'git://github.com/enovance/puppet-module-types.git',
:ref => '4c58ae8b6cdb1a9da3da9654a35375e274019dfb'
mod 'uchiwa',
:git => 'git://github.com/enovance/yelp-uchiwa.git',
:ref => '8eafd8167ff7d4f1cd696e4d098e3e1497c28279'
mod 'vswitch',
:git => 'git://github.com/enovance/puppet-vswitch.git',
:ref => '49dbaff15e8f017dbe365ebf08eb505472b695a1'
mod 'wget',
:git => 'git://github.com/enovance/puppet-wget.git',
:ref => '1c3ea6f1c822a99b52defb87305ea5977cba4293'
mod 'xinetd',
:git => 'git://github.com/enovance/puppetlabs-xinetd.git',
:ref => '0740f5343b54523d9ed27f65c05f6c9f045f022b'
mod 'openstack_extras',
:git => 'git://github.com/enovance/puppet-openstack_extras.git',
:ref => '537ed9e3750178fcfffa3ae476727cb1f4e65fb9'
mod 'staging',
:git => 'git://github.com/enovance/puppet-staging.git',
:ref => 'bc434a71e19aae54223d57c274e2e1a7f9546d5e'
mod 'zookeeper',
:git => 'git://github.com/enovance/puppet-zookeeper-1.git',
:ref => '2617a4e5e01aaa7b597c533a3229cba71db4517b'
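Review bot: the `mod 'cloud'` entry under the `#FIXME` in this hunk pins `:ref => 'master'` of `git://github.com/stackforge/puppet-openstack-cloud.git`, the very repository being retired, so any copy of this Puppetfile still in use downstream will resolve it to post-retirement master (after this commit, a tree containing only README.rst) instead of the last working revision. Every other module here is pinned to a commit SHA, which is what protects consumers fetching over `git://` (unauthenticated, unencrypted transport) and from `forge 'http://forge.puppetlabs.com'` (plain HTTP) against silently picking up changed content. It would be worth stating in the retirement notice that downstream Puppetfiles should pin this module to a specific SHA (for example the parent commit e8d6d0ff25) rather than a branch name.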

README.md

@ -1,151 +0,0 @@
# puppet-openstack-cloud
[![Build Status](https://api.travis-ci.org/enovance/puppet-openstack-cloud.svg?branch=master)](https://travis-ci.org/enovance/puppet-openstack-cloud)
[![Puppet Forge](http://img.shields.io/puppetforge/v/eNovance/cloud.svg)](https://forge.puppetlabs.com/eNovance/cloud)
[![License](http://img.shields.io/:license-apache-blue.svg)](http://www.apache.org/licenses/LICENSE-2.0.html)
#### Table of Contents
1. [Overview - What is the cloud module?](#overview)
2. [Module Description - What does the module do?](#module-description)
3. [Setup - The basics of getting started with puppet-openstack-cloud](#setup)
4. [Implementation - An under-the-hood peek at what the module is doing](#implementation)
5. [Limitations - OS compatibility, etc.](#limitations)
6. [Getting Involved - How to go deeper](#involved)
7. [Development - Guide for contributing to the module](#development)
8. [Contributors - Those with commits](#contributors)
9. [Release Notes - Notes on the most recent updates to the module](#release-notes)
## Overview
The [puppet-openstack-cloud](https://wiki.openstack.org/wiki/Puppet-openstack/puppet-openstack-cloud) module is a flexible Puppet composition layer capable of configuring the core [OpenStack](http://docs.openstack.org/) services:
* [Nova](https://github.com/stackforge/puppet-nova) (compute)
* [Glance](https://github.com/stackforge/puppet-glance) (image)
* [Keystone](https://github.com/stackforge/puppet-keystone) (identity)
* [Cinder](https://github.com/stackforge/puppet-cinder) (volume)
* [Horizon](https://github.com/stackforge/puppet-horizon) (dashboard)
* [Heat](https://github.com/stackforge/puppet-heat) (orchestration)
* [Ceilometer](https://github.com/stackforge/puppet-ceilometer) (telemetry)
* [Neutron](https://github.com/stackforge/puppet-neutron) (networking)
* [Swift](https://github.com/stackforge/puppet-swift) (object storage)
* [Trove](https://github.com/stackforge/puppet-trove) (database as a service)
Cinder, Glance and Nova can use Ceph as backend storage, using [puppet-ceph](https://github.com/enovance/puppet-ceph).
Only KVM and QEMU are supported as hypervisors, for now.
Neutron use ML2 plugin with GRE and Open-vSwitch drivers.
Cinder has multi-backend support:
* RBD (default)
* NetAPP
* iSCSI
* EMC VNX direct
* NFS
Glance supports different backends:
* RBD (default)
* file
* NFS (mount a NFS share by using file backend)
* Swift
Neutron supports:
* ML2 plugin with OVS agent (GRE + VXLAN supported)
* Cisco plugin with N1KV agent (non-ML2)
Trove support is now experimental.
[Puppet Modules](http://docs.puppetlabs.com/learning/modules1.html#modules) are a collection of related contents that can be used to model the configuration of a discrete service.
These Puppet modules are based on the [openstack documentation](http://docs.openstack.org/).
## Module Description
There are a lot of moving pieces in OpenStack, consequently there are several Puppet modules needed to cover all these pieces. Each module is then made up of several class definitions, resource declarations, defined resources, and custom types/providers. A common pattern to reduce this complexity in Puppet is to create a composite module that bundles all these component type modules into a common set of configurations. The cloud module is doing this compositing and exposing a set of variables needed to be successful in getting a functional stack up and running.
### Pre-module Dependencies
* [Puppet](http://docs.puppetlabs.com/puppet/) 3 or greater
* [Facter](http://www.puppetlabs.com/puppet/related-projects/facter/) 1.6.1 or greater (versions that support the osfamily fact)
### Notes about Puppet3
Puppet 3.x isn't yet available on Debian/RedHat stable osfamily, but hopefully puppet provides a Official repository, please see [this page](http://docs.puppetlabs.com/guides/puppetlabs_package_repositories.html) for the setup.
**Platforms**
These modules have been fully tested on Ubuntu Precise and Debian Wheezy and RHEL 6.
## Setup
**What the cloud module affects**
* The entirety of OpenStack!
### Installing Puppet
Puppet Labs provides two tools for getting started with managing configuration modeling with Puppet, Puppet Enterprise or its underlying opensource projects, i.e. Puppet and MCollective.
* [Puppet Enterprise](http://docs.puppetlabs.com/#puppet-enterprisepelatest) is a complete configuration management platform, with an optimized set of components proven to work well together. Is free up to 10 nodes so if you're just using Puppet for OpenStack management this might just work perfectly. It will come configured with a handful of extra components that make for a richer experience, like a web interface for managing the orchestration of Puppet and certificate management.
* [Puppet](http://docs.puppetlabs.com/#puppetpuppet) manages your servers: you describe machine configurations in an easy-to-read declarative language, and Puppet will bring your systems into the desired state and keep them there. This is the opensource version of Puppet and should be available in your operating system's package repositories but it is generally suggested you use the [yum](http://yum.puppetlabs.com) or [apt](http://apt.puppetlabs.com) repositories from Puppet Labs if possible.
Consult the documentation linked above to help you make your decision but don't fret about the choice to much, opensource Puppet agents are compatible with Puppet Enterprise Puppet masters.
### Optional Puppet features
The swift portions of this module needs Puppet's [exported resources](http://docs.puppetlabs.com/puppet/3/reference/lang_exported.html). Exported resources leverages the PuppetDB to export and share data across other Puppet managed nodes.
### Installing latest unstable cloud module from source
cd /etc/puppet/modules
git clone git@github.com:redhat-openstack/openstack-puppet-modules.git modules
cd modules
git checkout -b puppet-openstack-cloud origin/enovance
gem install --no-ri --no-rdoc r10k
# a debian package is available in jessie
PUPPETFILE=./Puppetfile PUPPETFILE_DIR=../ r10k --verbose 3 puppetfile install
**Pre-puppet setup**
The things that follow can be handled by Puppet but are out of scope of this document and are not included in the cloud module.
### Beginning with puppet-openstack-cloud
Utilization of this module can come in many forms. It was designed to be capable of deploying all services to a single node or distributed across several. This is not an exhaustive list, we recommend you consult and understand all the manifests included in this module and the [core openstack](http://docs.openstack.org) documentation.
## Implementation
(more doc should be written here)
## Limitations
* Deploys only with rabbitmq and mysql RPC/data backends.
* Not backwards compatible with pre-2.x release of the cloud modules.
## Getting Involved
Need a feature? Found a bug? Let us know!
We are extremely interested in growing a community of OpenStack experts and users around these modules so they can serve as an example of consolidated best practices of how to deploy OpenStack.
The best way to get help with this set of modules is to email the group associated with this project:
dev [at] enovance [dot] com
Issues should be opened here:
https://bugs.launchpad.net/puppet-openstack-cloud/+filebug
## Contributors
* http://stackalytics.com/?project_type=stackforge&module=puppet-openstack-cloud&release=all&metric=commits
## Release Notes
See [CHANGELOG](https://github.com/stackforge/puppet-openstack-cloud/blob/master/CHANGELOG.md) file.
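Review bot: the install instructions removed here (`git clone git@github.com:redhat-openstack/openstack-puppet-modules.git modules`, `git checkout -b puppet-openstack-cloud origin/enovance`, then an `r10k puppetfile install`), the contact address `dev [at] enovance [dot] com` and the bug tracker `https://bugs.launchpad.net/puppet-openstack-cloud/+filebug` are the only pointers on this page to where users obtained and reported on the module, and none of them survives in the replacement README.rst. A one-line pointer in the notice to wherever the module is maintained now, or to that Launchpad project, would help anyone landing on the retired repository.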

README.rst

@ -0,0 +1,7 @@
This project is no longer maintained.
The contents of this repository are still available in the Git source code
management system. To see the contents of this repository before it reached
its end of life, please check out the previous commit with
"git checkout HEAD^1".

View File

@ -1,80 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
#
NAME = 'eNovance-cloud'
TDIR = File.expand_path(File.dirname(__FILE__))
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'puppet-syntax/tasks/puppet-syntax'
PuppetLint.configuration.fail_on_warnings = true
PuppetLint.configuration.send('disable_80chars')
# for manifest loadbalancer.pp +39 (default value as an array of variables)
PuppetLint.configuration.send('disable_class_parameter_defaults')
# manifests/image/api.pp - WARNING: string containing only a variable on line 189
PuppetLint.configuration.send('disable_only_variable_string')
# For stonith-enabled (it's a string not a bool)
PuppetLint.configuration.send('disable_quoted_booleans')
# Ignore all upstream modules
exclude_paths = ['spec/**/*','pkg/**/*','vendor/**/*']
exclude_lint_paths = exclude_paths
PuppetLint.configuration.ignore_paths = exclude_lint_paths
PuppetSyntax.exclude_paths = exclude_paths
task(:default).clear
task :default => :test
desc 'Run syntax, lint and spec tests'
task :test => [:syntax,:lint,:validate_puppetfile,:validate_metadata_json,:spec]
desc 'Run syntax, lint and spec tests (without fixture purge = train/airplane)'
task :test_keep => [:syntax,:lint,:validate_puppetfile,:validate_metadata_json,:spec_prep,:spec_standalone]
if ENV['COV']
desc 'Run syntax, lint, spec tests and coverage'
task :cov => [:syntax,:lint,:validate_puppetfile,:validate_metadata_json,:spec_prep,:spec_standalone]
end
desc "Validate the Puppetfile syntax"
task :validate_puppetfile do
$stderr.puts "---> syntax:puppetfile"
sh "r10k puppetfile check"
end
desc "Validate the metadata.json syntax"
task :validate_metadata_json do
$stderr.puts "---> syntax:metadata.json"
sh "metadata-json-lint metadata.json"
end
namespace :module do
desc "Build #{NAME} module (in a clean env) Please use this for puppetforge"
task :build do
exec "rsync -rv --exclude-from=#{TDIR}/.forgeignore . /tmp/#{NAME};cd /tmp/#{NAME};puppet module build"
end
end
Rake::Task[:spec_prep].clear
desc 'Create the fixtures directory'
task :spec_prep do
FileUtils::mkdir_p('spec/fixtures/modules')
FileUtils::mkdir_p('spec/fixtures/manifests')
FileUtils::touch('spec/fixtures/manifests/site.pp')
sh 'librarian-puppet install --path=spec/fixtures/modules'
if File.exists?('spec/fixtures/modules/cloud')
FileUtils::rm_rf('spec/fixtures/modules/cloud')
FileUtils::ln_s(TDIR, 'spec/fixtures/modules/cloud')
end
end
Rake::Task[:spec_clean].clear
desc 'Clean up the fixtures directory'
task :spec_clean do
sh 'librarian-puppet clean --path=spec/fixtures/modules'
if File.zero?('spec/fixtures/manifests/site.pp')
FileUtils::rm_f('spec/fixtures/manifests/site.pp')
end
end
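Review bot: the module:build task stages the build in a fixed, predictable path, `exec "rsync -rv --exclude-from=#{TDIR}/.forgeignore . /tmp/#{NAME};cd /tmp/#{NAME};puppet module build"`, which any local user could pre-create or symlink in the shared /tmp, and it is never cleaned up; `Dir.mktmpdir` would give a fresh, private directory. Smaller points: `File.exists?` in spec_prep is deprecated in favour of `File.exist?`, and the description "without fixture purge = train/airplane" would be clearer as "keeps the fixtures for offline runs".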

View File

@ -1,11 +0,0 @@
# Managed by Puppet
# Module cloud::compute::hypervisor
user = "root"
group = "root"
cgroup_device_acl = [
"/dev/null", "/dev/full", "/dev/zero",
"/dev/random", "/dev/urandom",
"/dev/ptmx", "/dev/kvm", "/dev/kqemu",
"/dev/rtc", "/dev/hpet", "/dev/net/tun",
]
clear_emulator_capabilities = 1
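Review bot: `user = "root"` and `group = "root"` run every guest's QEMU process as root instead of libvirt's default unprivileged qemu user, so a guest escape lands directly in root; `clear_emulator_capabilities = 1` drops capabilities but does not change the uid. The reason for this (typically a storage backend that needs root access to the device nodes) belongs in the template header so that operators who recover this file know whether they still need it. `/dev/kqemu` in `cgroup_device_acl` is the node of an accelerator that no longer exists and can be dropped from the list.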

View File

@ -1,40 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Fact: edeploy
#
Facter.add('edeploy_role_version') do
setcode do
if File.executable?('/usr/sbin/edeploy')
Facter::Util::Resolution.exec('/usr/sbin/edeploy version')
end
end
end
Facter.add('edeploy_role_name') do
setcode do
if File.executable?('/usr/sbin/edeploy')
Facter::Util::Resolution.exec('/usr/sbin/edeploy role')
end
end
end
Facter.add('edeploy_profile') do
setcode do
if File.executable?('/usr/sbin/edeploy')
Facter::Util::Resolution.exec('/usr/sbin/edeploy profile')
end
end
end
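Review bot: the three facts repeat the same `File.executable?('/usr/sbin/edeploy')` guard and `Facter::Util::Resolution.exec` call; a small table of fact name to subcommand (`'edeploy_role_version' => 'version'`, and so on) iterated once would remove the duplication without renaming anything. The header comment "Fact: edeploy" should list the three fact names actually defined, since none of them is called `edeploy`.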

View File

@ -1,22 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Fact: galera_bootstrapped
#
Facter.add('galera_bootstrapped') do
setcode do
FileTest.exists?('/var/lib/mysql/grastate.dat')
end
end
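Review bot: `galera_bootstrapped` returns true as soon as /var/lib/mysql/grastate.dat exists, but Galera creates that file on any node that has once run with wsrep and it survives a crash (then with a seqno of -1), so the fact also reports "bootstrapped" on a node that later crashed or was removed from the cluster. If the manifest uses it to decide whether to run the bootstrap command, a comment should say that "has ever joined" is the intended meaning. `FileTest.exists?` is deprecated in favour of `FileTest.exist?`.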

View File

@ -1,27 +0,0 @@
# Fact: vtx
#
# Purpose:
# Determine whether VT-X is enabled on the node.
#
# Resolution:
# Checks for vmx (intel) or svm (amd) is part of /proc/cpuinfo flags
#
# Caveats:
#
# Author: Emilien Macchi <emilien.macchi@enovance.com>
Facter.add('vtx') do
confine :kernel => :linux
setcode do
result = false
begin
# test on Intel and AMD plateforms
if File.read('/proc/cpuinfo') =~ /(vmx|svm)/
result = true
end
rescue
end
result
end
end
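Review bot: the unanchored `File.read('/proc/cpuinfo') =~ /(vmx|svm)/` matches those letters on any line of /proc/cpuinfo, not only the `flags` line, and the bare `rescue` swallows every exception and silently yields false (for example when /proc is not mounted in a container). Anchor the match to the flags line, e.g. `/^flags\s*:.*\b(vmx|svm)\b/`, and rescue `Errno::ENOENT` and `Errno::EACCES` only. The "Caveats:" heading in the header is empty; it should say that the fact reports the CPU flag only and not whether virtualization is enabled in firmware or the KVM module loads.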

View File

@ -1,151 +0,0 @@
#
# Copyright (C) 2015 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::clustering
#
# Initialize Pacemaker / Corosync cluster
#
# === Parameters:
#
# [*cluster_members*]
# (required) Array of hostnames of cluster nodes
#
# [*cluster_ip*]
# (optional) IP address used by Corosync to send multicast traffic
# Defaults to '127.0.0.1'
#
# [*cluster_auth*]
# (optional) Controls corosync's ability to authenticate and encrypt
# multicast messages.
# Defaults to false
#
# [*cluster_authkey*]
# (optional) Specifies the path to the CA which is used to sign Corosync's
# certificate.
# Defaults to '/var/lib/puppet/ssl/certs/ca.pem'
#
# [*cluster_recheck_interval*]
# (optional) This tells the cluster to periodically recalculate the ideal
# state of the cluster.
# Defaults to 5min
#
# [*pe_warn_series_max*]
# (optional) The number of PE inputs resulting in WARNINGs to save. Used when
# reporting problems.
# Defaults to 1000
#
# [*pe_input_series_max*]
# (optional) The number of "normal" PE inputs to save. Used when reporting
# problems.
# Defaults to 1000
#
# [*pe_error_series_max*]
# (optional) The number of PE inputs resulting in ERRORs to save. Used when
# reporting problems.
# Defaults to 1000
#
# [*multicast_address*]
# (optionnal) IP address used to send multicast traffic
# Defaults to '239.192.168.1'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be a hash.
# Default to {}
#
class cloud::clustering (
$cluster_members,
$cluster_ip = '127.0.0.1',
$cluster_auth = false,
$cluster_authkey = '/var/lib/puppet/ssl/certs/ca.pem',
$cluster_recheck_interval = '5min',
$pe_warn_series_max = 1000,
$pe_input_series_max = 1000,
$pe_error_series_max = 1000,
$multicast_address = '239.192.168.1',
$firewall_settings = {},
) {
if $::osfamily == 'RedHat' {
$packages = ['corosync', 'pacemaker', 'pcs']
$set_votequorum = true
Service['pcsd'] -> Cs_property<||>
Service['pacemaker'] -> Cs_property<||>
service { 'pcsd':
ensure => 'running',
enable => true,
require => Class['corosync'],
} -> service { 'pacemaker':
ensure => 'running',
enable => true,
require => Class['corosync'],
}
} else {
$packages = ['corosync', 'pacemaker']
$set_votequorum = false
}
class { 'corosync':
enable_secauth => $cluster_auth,
authkey => $cluster_authkey,
bind_address => $cluster_ip,
multicast_address => $multicast_address,
packages => $packages,
set_votequorum => $set_votequorum,
quorum_members => $cluster_members,
}
corosync::service { 'pacemaker':
version => '0',
}
Package['corosync'] -> Cs_property<||>
cs_property {
# Doesn't work with pcs yet (Fedora20), but will work in future:
# -> https://github.com/feist/pcs/issues/20
#'cluster-recheck-interval': value => $cluster_recheck_interval;
'pe-warn-series-max': value => $pe_warn_series_max;
'pe-input-series-max': value => $pe_input_series_max;
'pe-error-series-max': value => $pe_error_series_max;
}
if count($cluster_members) < 3 {
# stonith is not required for less then 3 nodes, also quorum can be hold
# only with three or more nodes
cs_property {
'no-quorum-policy': value => 'ignore';
'stonith-enabled': value => 'false';
}
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow vrrp access':
port => undef,
proto => 'vrrp',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow corosync tcp access':
port => ['2224', '3121', '21064'],
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow corosync udp access':
port => ['5404', '5405'],
proto => 'udp',
extras => $firewall_settings,
}
}
}
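Review bot: `$cluster_authkey` defaults to '/var/lib/puppet/ssl/certs/ca.pem' and is handed straight to `authkey => $cluster_authkey` of the corosync class, but that file is the Puppet CA's public certificate, distributed to every agent and not a secret, while corosync's authkey is a shared symmetric key that must stay private; the parameter doc ("the path to the CA which is used to sign Corosync's certificate") describes something corosync does not do. Together with `$cluster_auth = false` the default cluster exchanges unauthenticated, unencrypted multicast; the docs should state that operators are expected to set both, and the default key path should point at a file produced by corosync-keygen. Smaller points: "(optionnal)" in the multicast_address doc, and the comment "stonith is not required for less then 3 nodes" is misleading, since fencing is exactly what prevents a two-node split-brain once `no-quorum-policy` is set to 'ignore'.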

View File

@ -1,55 +0,0 @@
#
# Copyright (C) 2015 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Configure a Pacemaker colocation rule
#
# === Parameters
#
# [*service*]
# (required) Name of the service to be colocated with others
# Defaults to $name
#
# [*colocated_with*]
# (optional) List of services to be colocated with service1
# Should be an array.
# Defaults to []
#
# [*order*]
# (optional) Do not use in a manifest. It is used to iterate
# through the list of services to be colocated with $service.
# Defaults to '0'
define cloud::clustering::pacemaker_colocation(
$service = $name,
$colocated_with = [],
$order = '0'
) {
$service1 = inline_template('<%= @colocated_with[@order.to_i] %>')
if $service1 {
$colocation_name = "${service}-with-${service1}"
cs_colocation { $colocation_name :
primitives => [ "p_${service}", "p_${service1}" ],
}
$neworder = inline_template('<%= @order.to_i + 1 %>')
cloud::clustering::pacemaker_colocation { "${service}-${neworder}":
service => $service,
colocated_with => $colocated_with,
order => $neworder
}
}
}
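Review bot: the `colocated_with` doc says "List of services to be colocated with service1", but `$service1` is an internal variable; it should read "with $service". Because the define indexes the parameter through `inline_template('<%= @colocated_with[@order.to_i] %>')`, a caller who passes a plain string instead of an array gets single characters back and a set of nonsense colocation constraints; `validate_array($colocated_with)` from stdlib at the top of the define would catch that. `$order` is documented "Do not use in a manifest" yet is a public parameter; a leading underscore or a comment in the parameter list would make that visible.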

View File

@ -1,55 +0,0 @@
#
# Copyright (C) 2015 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Configure a Pacemaker order constraint
#
# === Parameters
#
# [*first*]
# (required) List of services to be executed before $service
# Should be an array.
# Defaults to []
#
# [*service*]
# (optional) Service to be executed after all services in $first
# Defaults to $name
#
# [*order*]
# (optional) Do not use in a manifest. It is used to iterate
# through the list of services to be executed before $service.
# Defaults to '0'
define cloud::clustering::pacemaker_order(
$first = [],
$service = $name,
$order = '0'
) {
$service1 = inline_template('<%= @first[@order.to_i] %>')
if $service1 {
$order_name = "${service1}-before-${service}"
cs_order { $order_name :
first => "p_${service1}",
second => "p_${service}",
}
$neworder = inline_template('<%= @order.to_i + 1 %>')
cloud::clustering::pacemaker_order { "${service}-${neworder}":
first => $first,
service => $service,
order => $neworder
}
}
}
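Review bot: `first` is documented as "(required)" but declared with a default of `[]` in `$first = [],`, while `service` is documented "(optional)" although it is the resource being constrained; the two should match the code. Otherwise the define mirrors pacemaker_colocation, including the unvalidated array parameter and the public `$order` iterator, so the same `validate_array($first)` applies here.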

View File

@ -1,111 +0,0 @@
#
# Copyright (C) 2015 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Configure a service to be controlled by Pacemaker
#
#
# === Parameters
#
# [*service_name*]
# (optional) Name of the service to be put under Pacemaker control
# Defaults to $name
#
# [*primitive_class*]
# (optional) Pacemaker primitive class
# Defaults to 'systemd'
#
# [*primitive_provider*]
# (optional) Pacemaker primitive provider for OCF scripts
# Examples: 'ocf','heartbeat'
# Defaults to false
#
# [*primitive_type*]
# (optional) The type of the primitive: OCF file name, or operating
# system-native service if using systemd, upstart or lsb as
# primitive_class
# Defaults to $service_name
#
# [*clone*]
# (optional) Create a cloned resource
# Defaults to false
#
# [*colocated_services*]
# (optional) A list of resources that should be colocated with this
# one
# Example: ["service2","service3"]
# Defaults to []
#
# [*start_after*]
# (optional) A list of resources that should be started before this
# resource can be started. This will create a set of order constraints
# where every resourece in $start_after should be started before this
# resource can start
# Example: ["service2","service3"]
# Defaults to []
#
# [*requires*]
# (optional) A list of required Puppet resources
# Defaults to []
#
# Example:
# cloud::clustering::pacemaker_service { 'openstack-glance-api' :
# service_name => 'openstack-glance-api',
# primitive_class => 'systemd',
# primitive_provider => false,
# primitive_type => 'openstack-glance-api',
# clone => false,
# colocated_services => ["openstack-keystone"],
# start_after => ["openstack-keystone"],
# requires => Package['openstack-glance'],
# }
define cloud::clustering::pacemaker_service (
$service_name = $name,
$primitive_class = 'systemd',
$primitive_provider = false,
$primitive_type = $service_name,
$clone = false,
$colocated_services = [],
$start_after = [],
$requires = [],
) {
openstack_extras::pacemaker::service { $service_name :
ensure => present,
metadata => {},
ms_metadata => {},
operations => {},
parameters => {},
primitive_class => $primitive_class,
primitive_provider => $primitive_provider,
primitive_type => $primitive_type,
use_handler => false,
clone => $clone,
require => $requires,
}
if $colocated_services {
cloud::clustering::pacemaker_colocation { $service_name :
service => $service_name,
colocated_with => $colocated_services
}
}
if $start_after {
cloud::clustering::pacemaker_order { $service_name :
first => $start_after,
service => $service_name
}
}
}
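Review bot: `if $colocated_services {` and `if $start_after {` are always true, because a Puppet array (including the default `[]`) is truthy; the guards only appear to work because the recursive defines receive an empty string from `inline_template` and stop. Use `if !empty($colocated_services)` (stdlib) so an empty list does not declare a resource that does nothing. Also the `primitive_provider` doc lists "Examples: 'ocf','heartbeat'", but 'ocf' is a primitive class; providers are values such as 'heartbeat' or 'pacemaker'.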

View File

@ -1,193 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::compute
#
# Common class for compute nodes
#
# === Parameters:
#
# [*nova_db_host*]
# (optional) Hostname or IP address to connect to nova database
# Defaults to '127.0.0.1'
#
# [*nova_db_use_slave*]
# (optional) Enable slave connection for nova, this assume
# the haproxy is used and mysql loadbalanced port for read operation is 3307
# Defaults to false
#
# [*nova_db_user*]
# (optional) Username to connect to nova database
# Defaults to 'nova'
#
# [*nova_db_password*]
# (optional) Password to connect to nova database
# Defaults to 'novapassword'
#
# [*nova_db_idle_timeout*]
# (optional) Timeout before idle SQL connections are reaped.
# Defaults to 5000
#
# [*rabbit_hosts*]
# (optional) List of RabbitMQ servers. Should be an array.
# Defaults to ['127.0.0.1:5672']
#
# [*rabbit_password*]
# (optional) Password to connect to nova queues.
# Defaults to 'rabbitpassword'
#
# [*ks_glance_internal_host*]
# (optional) Internal Hostname or IP to connect to Glance API
# Defaults to '127.0.0.1'
#
# [*ks_glance_internal_proto*]
# (optional) Internal protocol to connect to Glance API
# Defaults to 'http'
#
# [*glance_api_port*]
# (optional) TCP port to connect to Glance API
# Defaults to '9292'
#
# [*verbose*]
# (optional) Set log output to verbose output
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*use_syslog*]
# (optional) Use syslog for logging
# Defaults to true
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*neutron_endpoint*]
# (optional) Host running auth service.
# Defaults to '127.0.0.1'
#
# [*neutron_protocol*]
# (optional) Protocol to connect to Neutron service.
# Defaults to 'http'
#
# [*neutron_password*]
# (optional) Password to connect to Neutron service.
# Defaults to 'neutronpassword'
#
# [*neutron_region_name*]
# (optional) Name of the Neutron Region.
# Defaults to 'RegionOne'
#
# [*memcache_servers*]
# (optionnal) Memcached servers used by Keystone. Should be an array.
# Defaults to ['127.0.0.1:11211']
#
# [*availability_zone*]
# (optional) Name of the default Nova availability zone.
# Defaults to 'RegionOne'
#
# [*cinder_endpoint_type*]
# (optional) Cinder endpoint type to use.
# Defaults to 'publicURL'
#
class cloud::compute(
$nova_db_host = '127.0.0.1',
$nova_db_use_slave = false,
$nova_db_user = 'nova',
$nova_db_password = 'novapassword',
$nova_db_idle_timeout = 5000,
$rabbit_hosts = ['127.0.0.1:5672'],
$rabbit_password = 'rabbitpassword',
$ks_glance_internal_host = '127.0.0.1',
$ks_glance_internal_proto = 'http',
$glance_api_port = 9292,
$verbose = true,
$debug = true,
$use_syslog = true,
$log_facility = 'LOG_LOCAL0',
$neutron_endpoint = '127.0.0.1',
$neutron_protocol = 'http',
$neutron_password = 'neutronpassword',
$neutron_region_name = 'RegionOne',
$memcache_servers = ['127.0.0.1:11211'],
$availability_zone = 'RegionOne',
$cinder_endpoint_type = 'publicURL'
) {
if !defined(Resource['nova_config']) {
resources { 'nova_config':
purge => true;
}
}
# Disable twice logging if syslog is enabled
if $use_syslog {
$log_dir = false
nova_config {
'DEFAULT/logging_context_format_string': value => '%(process)d: %(levelname)s %(name)s [%(request_id)s %(user)s] %(instance)s%(message)s';
'DEFAULT/logging_default_format_string': value => '%(process)d: %(levelname)s %(name)s [-] %(instance)s%(message)s';
'DEFAULT/logging_debug_format_suffix': value => '%(funcName)s %(pathname)s:%(lineno)d';
'DEFAULT/logging_exception_prefix': value => '%(process)d: TRACE %(name)s %(instance)s';
}
} else {
$log_dir = '/var/log/nova'
}
$encoded_user = uriescape($nova_db_user)
$encoded_password = uriescape($nova_db_password)
if $nova_db_use_slave {
$slave_connection_url = "mysql://${encoded_user}:${encoded_password}@${nova_db_host}:3307/nova?charset=utf8"
} else {
$slave_connection_url = false
}
class { 'nova::db':
database_connection => "mysql://${encoded_user}:${encoded_password}@${nova_db_host}/nova?charset=utf8",
slave_connection => $slave_connection_url,
database_idle_timeout => $nova_db_idle_timeout,
}
class { 'nova':
rabbit_userid => 'nova',
rabbit_hosts => $rabbit_hosts,
rabbit_password => $rabbit_password,
glance_api_servers => "${ks_glance_internal_proto}://${ks_glance_internal_host}:${glance_api_port}",
memcached_servers => $memcache_servers,
verbose => $verbose,
debug => $debug,
log_dir => $log_dir,
log_facility => $log_facility,
use_syslog => $use_syslog,
nova_shell => '/bin/bash',
}
class { 'nova::network::neutron':
neutron_admin_password => $neutron_password,
neutron_admin_auth_url => "${neutron_protocol}://${neutron_endpoint}:35357/v2.0",
neutron_url => "${neutron_protocol}://${neutron_endpoint}:9696",
neutron_region_name => $neutron_region_name
}
nova_config {
'DEFAULT/resume_guests_state_on_host_boot': value => true;
'DEFAULT/servicegroup_driver': value => 'mc';
'DEFAULT/glance_num_retries': value => '10';
'DEFAULT/cinder_catalog_info': value => "volume:cinder:${cinder_endpoint_type}";
}
}
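Review bot: `$availability_zone = 'RegionOne'` is declared and documented but never referenced in the body, so setting it has no effect; either wire it to `nova_config 'DEFAULT/default_availability_zone'` or drop it (and 'RegionOne' is a region name, not a zone name). Credentials: `nova_db_password`, `rabbit_password` and `neutron_password` default to fixed strings ('novapassword', 'rabbitpassword', 'neutronpassword') that every reader of this file knows, and `$debug = true` is the default, so a deployment that forgets to override them runs with published credentials and debug logging. The safer shape is no default for secrets (compilation fails when unset) and debug off.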

View File

@ -1,140 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::compute::api
#
# Install a Nova-API node
#
# === Parameters:
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol used to connect to Keystone API.
# Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_nova_password*]
# (optional) Password used by Nova to connect to Keystone API
# Defaults to 'novapassword'
#
# [*neutron_metadata_proxy_shared_secret*]
# (optional) Shared secret to validate proxies Neutron metadata requests
# Defaults to 'metadatapassword'
#
# [*api_eth*]
# (optional) Hostname or IP to bind Nova API.
# Defaults to '127.0.0.1'
#
# [*ks_nova_public_port*]
# (optional) TCP port for bind Nova API.
# Defaults to '8774'
#
# [*ks_ec2_public_port*]
# (optional) TCP port for bind Nova EC2 API.
# Defaults to '8773'
#
# [*ks_metadata_public_port*]
# (optional) TCP port for bind Nova metadata API.
# Defaults to '8775'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
# [*pacemaker_enabled*]
# (optional) Manage Nova API with Pacemaker or not.
# Default to false
#
class cloud::compute::api(
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_proto = 'http',
$ks_nova_password = 'novapassword',
$neutron_metadata_proxy_shared_secret = 'metadatapassword',
$api_eth = '127.0.0.1',
$ks_nova_public_port = '8774',
$ks_ec2_public_port = '8773',
$ks_metadata_public_port = '8775',
$firewall_settings = {},
$pacemaker_enabled = false,
){
include cloud::compute
include cloud::params
include nova::params
class { 'nova::api':
enabled => true,
auth_host => $ks_keystone_internal_host,
auth_protocol => $ks_keystone_internal_proto,
admin_password => $ks_nova_password,
api_bind_address => $api_eth,
metadata_listen => $api_eth,
neutron_metadata_proxy_shared_secret => $neutron_metadata_proxy_shared_secret,
osapi_v3 => true,
}
if $pacemaker_enabled {
cloud::clustering::pacemaker_service { $::nova::params::api_service_name:
service_name => $::nova::params::api_service_name,
primitive_class => $::cloud::params::service_provider,
requires => Package[$::nova::params::api_package_name],
}
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow nova-api access':
port => $ks_nova_public_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow nova-metadata access':
port => $ks_metadata_public_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow nova-ec2 access':
port => $ks_ec2_public_port,
extras => $firewall_settings,
}
}
include 'nova::cron::archive_deleted_rows'
@@haproxy::balancermember{"${::fqdn}-compute_api_ec2":
listening_service => 'ec2_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_ec2_public_port,
options => 'check inter 2000 rise 2 fall 5'
}
@@haproxy::balancermember{"${::fqdn}-compute_api_nova":
listening_service => 'nova_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_nova_public_port,
options => 'check inter 2000 rise 2 fall 5'
}
@@haproxy::balancermember{"${::fqdn}-compute_api_metadata":
listening_service => 'metadata_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_metadata_public_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
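Review bot: `$neutron_metadata_proxy_shared_secret = 'metadatapassword'` gives the metadata proxy secret a published default; that secret is what nova-api uses to trust the instance identity asserted by the neutron metadata agent, so a deployment that leaves it unset accepts metadata requests whose instance identity cannot be trusted. As with the other secrets in this module, no default (or a `fail()` when unset) is safer. `osapi_v3 => true` is hard-coded with no parameter or doc line, and the doc phrase "Should be an hash" should read "Should be a hash".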

View File

@ -1,26 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Compute Certificate node
#
class cloud::compute::cert {
include 'cloud::compute'
class { 'nova::cert':
enabled => true,
}
}

View File

@ -1,26 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Compute Conductor node
#
class cloud::compute::conductor {
include 'cloud::compute'
class { 'nova::conductor':
enabled => true,
}
}

View File

@ -1,26 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Compute Authenfication Console node
#
class cloud::compute::consoleauth {
include 'cloud::compute'
class { 'nova::consoleauth':
enabled => true,
}
}

View File

@ -1,95 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::compute::consoleproxy
#
# Compute Proxy Console node
#
# === Parameters:
#
# [*api_eth*]
# (optional) Hostname or IP to bind Nova spicehtmlproxy service.
# Defaults to '127.0.0.1'
#
# [*console*]
# (optional) Nova's console type (spice or novnc)
# Defaults to 'novnc'
#
# [*protocol*]
# (optional) Nova's console protocol.
# Defaults to 'http'
#
# [*novnc_port*]
# (optional) TCP port to bind Nova novnc service.
# Defaults to '6080'
#
# [*spice_port*]
# (optional) TCP port to bind Nova spicehtmlproxy service.
# Defaults to '6082'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::compute::consoleproxy(
$api_eth = '127.0.0.1',
$console = 'novnc',
$protocol = 'http',
$novnc_port = '6080',
$spice_port = '6082',
$firewall_settings = {},
){
include 'cloud::compute'
case $console {
'spice': {
$port = $spice_port
class { 'nova::spicehtml5proxy':
enabled => true,
host => $api_eth,
port => $port
}
}
'novnc': {
$port = $novnc_port
class { 'nova::vncproxy':
enabled => true,
host => $api_eth,
port => $port,
vncproxy_protocol => $protocol
}
}
default: {
fail("Unsupported console type ${console}")
}
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ "100 allow ${console} access":
port => $port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-compute_${console}":
listening_service => "${console}_cluster",
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $port,
options => 'check inter 2000 rise 2 fall 5'
}
}
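Review bot: `$protocol` is passed only to `nova::vncproxy` (`vncproxy_protocol => $protocol`) and not to `nova::spicehtml5proxy`, so with `console => 'spice'` the parameter is silently ignored; either pass it to the spice class or document that it applies to novnc only. The `api_eth` doc also says "bind Nova spicehtmlproxy service" although it binds whichever proxy the `console` parameter selects.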

View File

@ -1,423 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::compute::hypervisor
#
# Hypervisor Compute node
#
# === Parameters:
#
# [*server_proxyclient_address*]
# (optional) The IP address of the server running the console proxy client
# Defaults to '127.0.0.1'
#
# [*libvirt_type*]
# (optional) Libvirt domain type. Options are: kvm, lxc, qemu, uml, xen
# Replaces libvirt_type
# Defaults to 'kvm'
#
# [*ks_nova_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_nova_public_host*]
# (optional) Public Hostname or IP to connect to Nova API
# Defaults to '127.0.0.1'
#
# [*nova_ssh_public_key*]
# (optional) Install public key in .ssh/authorized_keys for the 'nova' user.
# Note: this parameter use the 'content' provider of Puppet, in consequence
# you must provide the entire ssh public key in this parameter.
# Defaults to undef
#
# [*nova_ssh_private_key*]
# (optional) Install private key into .ssh/id_rsa.
# Note: this parameter use the 'content' provider of Puppet, in consequence
# you must provide the entire ssh privatekey in this parameter.
# Defaults to undef
#
# [*console*]
# (optional) Nova's console type (spice or novnc)
# Defaults to 'novnc'
#
# [*novnc_port*]
# (optional) TCP port to connect to Nova vncproxy service.
# Defaults to '6080'
#
# [*spice_port*]
# (optional) TCP port to connect to Nova spicehtmlproxy service.
# Defaults to '6082'
#
# [*cinder_rbd_user*]
# (optional) The RADOS client name for accessing rbd volumes.
# Defaults to 'cinder'
#
# [*nova_rbd_pool*]
# (optional) The RADOS pool in which rbd volumes are stored.
# Defaults to 'vms'
#
# [*nova_rbd_secret_uuid*]
# (optional) The libvirt uuid of the secret for the cinder_rbd_user.
# Defaults to undef
#
# [*vm_rbd*]
# (optional) Enable or not ceph capabilities on compute node to store
# nova instances on ceph storage.
# Default to false.
#
# [*volume_rbd*]
# (optional) Enable or not ceph capabilities on compute node to attach
# cinder volumes backend by ceph on nova instances.
# Default to false.
#
# [*manage_tso*]
# (optional) Allow to manage or not TSO issue.
# Default to true.
#
# [*nfs_enabled*]
# (optional) Store (or not) instances on a NFS share.
# Defaults to false
#
# [*nfs_device*]
# (optional) NFS device to mount
# Example: 'nfs.example.com:/vol1'
# Required when nfs_enabled is at true.
# Defaults to false
#
# [*nfs_options*]
# (optional) NFS mount options
# Example: 'nfsvers=3,noacl'
# Defaults to 'defaults'
#
# [*filesystem_store_datadir*]
# (optional) Full path of data directory to store the instances.
# Don't modify this parameter if you don't know what you do.
# You may have side effects (SElinux for example).
# Defaults to '/var/lib/nova/instances'
#
# [*nova_shell*]
# (optional) Full path of shell to run for nova user.
# To disable live migration & resize, set it to '/bin/nologin' or false.
# Otherwise, set the value to '/bin/bash'.
# Need to be a valid shell path.
# Defaults to false
#
# [*ks_console_public_proto*]
# (optional) Protocol used to connect to console service.
# Defaults to false (use nova_public_proto)
#
# [*ks_console_public_host*]
# (optional) Hostname or IP used to connect to console service.
# Defaults to false (use nova_public_host)
#
# [*include_vswitch*]
# (optional) Should the class cloud::network::vswitch should be included.
# Defaults to true
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::compute::hypervisor(
$server_proxyclient_address = '127.0.0.1',
$libvirt_type = 'kvm',
$ks_nova_public_proto = 'http',
$ks_nova_public_host = '127.0.0.1',
$nova_ssh_private_key = undef,
$nova_ssh_public_key = undef,
$console = 'novnc',
$novnc_port = '6080',
$spice_port = '6082',
$ks_console_public_proto = 'http',
$ks_console_public_host = '127.0.0.1',
$cinder_rbd_user = 'cinder',
$nova_rbd_pool = 'vms',
$nova_rbd_secret_uuid = undef,
$vm_rbd = false,
$volume_rbd = false,
$manage_tso = true,
$nova_shell = false,
$firewall_settings = {},
$include_vswitch = true,
# when using NFS storage backend
$nfs_enabled = false,
$nfs_device = false,
$nfs_options = 'defaults',
$filesystem_store_datadir = '/var/lib/nova/instances',
) inherits cloud::params {
include 'cloud::compute'
include 'cloud::params'
include 'cloud::telemetry'
include 'cloud::network'
if $include_vswitch {
include 'cloud::network::vswitch'
}
if $libvirt_type == 'kvm' and ! $::vtx {
fail('libvirt_type is set to KVM and VTX seems to be disabled on this node.')
}
if $nfs_enabled {
if ! $vm_rbd {
# There is no NFS backend in Nova.
# We mount the NFS share in filesystem_store_datadir to fake the
# backend.
if $nfs_device {
file { $filesystem_store_datadir:
ensure => 'directory',
owner => 'nova',
group => 'nova',
mode => '0755'
}
nova_config { 'DEFAULT/instances_path': value => $filesystem_store_datadir; }
$nfs_mount = {
"${filesystem_store_datadir}" => {
'ensure' => 'mounted',
'fstype' => 'nfs',
'device' => $nfs_device,
'options' => $nfs_options
}
}
ensure_resource('class', 'nfs', {})
create_resources('types::mount', $nfs_mount, {require => File[$filesystem_store_datadir]})
# Not using /var/lib/nova/instances may cause side effects.
if $filesystem_store_datadir != '/var/lib/nova/instances' {
warning('filesystem_store_datadir is not /var/lib/nova/instances so you may have side effects (SElinux, etc)')
}
} else {
fail('When running NFS backend, you need to provide nfs_device parameter.')
}
} else {
fail('When running NFS backend, vm_rbd parameter cannot be set to true.')
}
}
file{ '/var/lib/nova/.ssh':
ensure => directory,
mode => '0700',
owner => 'nova',
group => 'nova',
require => Class['nova']
} ->
file{ '/var/lib/nova/.ssh/id_rsa':
ensure => present,
mode => '0600',
owner => 'nova',
group => 'nova',
content => $nova_ssh_private_key
} ->
file{ '/var/lib/nova/.ssh/authorized_keys':
ensure => present,
mode => '0600',
owner => 'nova',
group => 'nova',
content => $nova_ssh_public_key
} ->
file{ '/var/lib/nova/.ssh/config':
ensure => present,
mode => '0600',
owner => 'nova',
group => 'nova',
content => "
Host *
StrictHostKeyChecking no
"
}
if $nova_shell {
ensure_resource ('user', 'nova', {
'ensure' => 'present',
'system' => true,
'home' => '/var/lib/nova',
'managehome' => false,
'shell' => $nova_shell,
})
}
case $console {
'spice': {
$vnc_enabled = false
class { 'nova::compute::spice':
server_listen => '0.0.0.0',
server_proxyclient_address => $server_proxyclient_address,
proxy_host => $ks_console_public_host,
proxy_protocol => $ks_console_public_proto,
proxy_port => $spice_port,
}
}
'novnc': {
$vnc_enabled = true
}
default: {
fail("unsupported console type ${console}")
}
}
class { 'nova::compute':
enabled => true,
vnc_enabled => $vnc_enabled,
vncserver_proxyclient_address => $server_proxyclient_address,
vncproxy_host => $ks_console_public_host,
vncproxy_protocol => $ks_console_public_proto,
vncproxy_port => $novnc_port,
virtio_nic => false,
neutron_enabled => true,
default_availability_zone => $::cloud::compute::availability_zone,
}
if $::osfamily == 'RedHat' {
file { '/etc/libvirt/qemu.conf':
ensure => file,
source => 'puppet:///modules/cloud/qemu/qemu.conf',
owner => root,
group => root,
mode => '0644',
notify => Service['libvirtd']
}
if $vm_rbd and ($::operatingsystemmajrelease < 7) {
fail("RBD image backend in Nova is not supported in RHEL ${::operatingsystemmajrelease}.")
}
}
# Disabling TSO/GSO/GRO
if $manage_tso {
if $::osfamily == 'Debian' {
ensure_resource ('exec','enable-tso-script', {
'command' => '/usr/sbin/update-rc.d disable-tso defaults',
'unless' => '/bin/ls /etc/rc*.d | /bin/grep disable-tso',
'onlyif' => '/usr/bin/test -f /etc/init.d/disable-tso'
})
} elsif $::osfamily == 'RedHat' {
ensure_resource ('exec','enable-tso-script', {
'command' => '/usr/sbin/chkconfig disable-tso on',
'unless' => '/bin/ls /etc/rc*.d | /bin/grep disable-tso',
'onlyif' => '/usr/bin/test -f /etc/init.d/disable-tso'
})
}
ensure_resource ('exec','start-tso-script', {
'command' => '/etc/init.d/disable-tso start',
'unless' => '/usr/bin/test -f /var/run/disable-tso.pid',
'onlyif' => '/usr/bin/test -f /etc/init.d/disable-tso'
})
}
if $::osfamily == 'Debian' {
service { 'dbus':
ensure => running,
enable => true,
before => Class['nova::compute::libvirt'],
}
}
Service<| title == 'dbus' |> { enable => true }
Service<| title == 'libvirt-bin' |> { enable => true }
class { 'nova::compute::neutron': }
if $vm_rbd or $volume_rbd {
include 'cloud::storage::rbd'
$libvirt_disk_cachemodes_real = ['network=writeback']
# when nova uses ceph for instances storage
if $vm_rbd {
class { 'nova::compute::rbd':
libvirt_rbd_user => $cinder_rbd_user,
libvirt_images_rbd_pool => $nova_rbd_pool
}
} else {
# when nova only needs to attach ceph volumes to instances
nova_config {
'libvirt/rbd_user': value => $cinder_rbd_user;
}
}
# we don't want puppet-nova manages keyring
nova_config {
'libvirt/rbd_secret_uuid': value => $nova_rbd_secret_uuid;
}
File <<| tag == 'ceph_compute_secret_file' |>>
Exec <<| tag == 'get_or_set_virsh_secret' |>>
# After setting virsh key, we need to restart nova-compute
# otherwise nova will fail to connect to RADOS.
Exec <<| tag == 'set_secret_value_virsh' |>> ~> Service['nova-compute']
# If Cinder & Nova reside on the same node, we need a group
# where nova & cinder users have read permissions.
ensure_resource('group', 'cephkeyring', {
ensure => 'present'
})
ensure_resource ('exec','add-nova-to-group', {
'command' => 'usermod -a -G cephkeyring nova',
'path' => ['/usr/sbin', '/usr/bin', '/bin', '/sbin'],
'unless' => 'groups nova | grep cephkeyring'
})
# Configure Ceph keyring
Ceph::Key <<| title == $cinder_rbd_user |>>
ensure_resource(
'file',
"/etc/ceph/ceph.client.${cinder_rbd_user}.keyring", {
owner => 'root',
group => 'cephkeyring',
mode => '0440',
require => Ceph::Key[$cinder_rbd_user],
notify => Service['nova-compute'],
}
)
Concat::Fragment <<| title == 'ceph-client-os' |>>
} else {
$libvirt_disk_cachemodes_real = []
}
class { 'nova::compute::libvirt':
libvirt_type => $libvirt_type,
# Needed to support migration but we still use Spice:
vncserver_listen => '0.0.0.0',
migration_support => true,
libvirt_disk_cachemodes => $libvirt_disk_cachemodes_real,
libvirt_service_name => $::cloud::params::libvirt_service_name,
libvirt_inject_key => false,
libvirt_inject_partition => '-2',
}
# Extra config for nova-compute
nova_config {
'libvirt/live_migration_flag': value => 'VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE,VIR_MIGRATE_PERSIST_DEST';
'libvirt/block_migration_flag': value => 'VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE,VIR_MIGRATE_NON_SHARED_INC';
}
class { 'ceilometer::agent::compute': }
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow instances console access':
port => '5900-5999',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow instances migration access':
port => ['16509', '49152-49215'],
extras => $firewall_settings,
}
}
}
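Review bot: the `/var/lib/nova/.ssh/config` resource at the end of the ssh chain sets `StrictHostKeyChecking no` for `Host *`, so the nova user's live-migration and resize SSH sessions accept any host key presented to them; since the class already consumes exported resources for the Ceph secret, the same mechanism could distribute a `known_hosts` file and the `StrictHostKeyChecking no` line could go. The two preceding `file` resources also write `id_rsa` and `authorized_keys` with `ensure => present` even when `nova_ssh_private_key` and `nova_ssh_public_key` keep their `undef` defaults, leaving empty 0600 files behind; guard them with `if $nova_ssh_private_key { ... }`. Finally, the header documents `ks_console_public_proto` and `ks_console_public_host` as "Defaults to false (use nova_public_proto/host)" while the signature defaults them to `'http'` and `'127.0.0.1'`; one of the two should be corrected.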


@ -1,40 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::compute::scheduler
#
# Compute Scheduler node
#
# === Parameters:
#
# [*scheduler_default_filters*]
# (optional) A comma separated list of filters to be used by default
# Defaults to false
#
class cloud::compute::scheduler(
$scheduler_default_filters = false
){
include 'cloud::compute'
class { 'nova::scheduler':
enabled => true,
}
class { 'nova::scheduler::filter':
scheduler_default_filters => $scheduler_default_filters,
}
}
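Review bot: the `scheduler_default_filters` doc line says "A comma separated list of filters" but the default is `false`, and nothing in the header explains what `false` selects when it is handed to `nova::scheduler::filter`; either document that sentinel value or default the parameter to `undef`.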


@ -1,211 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::dashboard
#
# Installs the OpenStack Dashboard (Horizon)
#
# === Parameters:
#
# [*ks_keystone_internal_host*]
# (optional) Internal address for endpoint.
# Defaults to '127.0.0.1'
#
# [*secret_key*]
# (optional) Secret key. This is used by Django to provide cryptographic
# signing, and should be set to a unique, unpredictable value.
# Defaults to 'secrete'
#
# [*horizon_port*]
# (optional) Port used to connect to OpenStack Dashboard
# Defaults to '80'
#
# [*horizon_ssl_port*]
# (optional) Port used to connect to OpenStack Dashboard using SSL
# Defaults to '443'
#
# [*api_eth*]
# (optional) Which interface we bind the Horizon server.
# Defaults to '127.0.0.1'
#
# [*servername*]
# (optional) DNS name used to connect to OpenStack Dashboard.
# Default value fqdn.
#
# [*listen_ssl*]
# (optional) Enable SSL on OpenStack Dashboard vhost
# It requires SSL files (keys and certificates)
# Defaults false
#
# [*keystone_proto*]
# (optional) Protocol (http or https) of keystone endpoint.
# Defaults to 'http'
#
# [*keystone_host*]
# (optional) IP / Host of keystone endpoint.
# Defaults '127.0.0.1'
#
# [*keystone_port*]
# (optional) TCP port of keystone endpoint.
# Defaults to '5000'
#
# [*debug*]
# (optional) Enable debug or not.
# Defaults to true
#
# [*horizon_cert*]
# (required with listen_ssl) Certificate to use for SSL support.
#
# [*horizon_key*]
# (required with listen_ssl) Private key to use for SSL support.
#
# [*horizon_ca*]
# (required with listen_ssl) CA certificate to use for SSL support.
#
# [*ssl_forward*]
# (optional) Forward HTTPS proto in the headers
# Useful when activating SSL binding on HAproxy and not in Horizon.
# Defaults to false
#
# [*os_endpoint_type*]
# (optional) endpoint type to use for the endpoints in the Keystone
# service catalog. Defaults to 'undef'.
#
# [*allowed_hosts*]
# (optional) List of hosts which will be set as value of ALLOWED_HOSTS
# parameter in settings_local.py. This is used by Django for
# security reasons. Can be set to * in environments where security is
# deemed unimportant.
# Defaults to ::fqdn.
#
# [*vhost_extra_params*]
# (optionnal) extra parameter to pass to the apache::vhost class
# Defaults to {}
#
# [*neutron_extra_options*]
# (optional) Enable optional services provided by neutron
# Useful when using cisco n1kv plugin, vpnaas or fwaas.
# Default to {}
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::dashboard(
$ks_keystone_internal_host = '127.0.0.1',
$secret_key = 'secrete',
$horizon_port = 80,
$horizon_ssl_port = 443,
$servername = $::fqdn,
$api_eth = '127.0.0.1',
$keystone_host = '127.0.0.1',
$keystone_proto = 'http',
$keystone_port = 5000,
$debug = true,
$listen_ssl = false,
$horizon_cert = undef,
$horizon_key = undef,
$horizon_ca = undef,
$ssl_forward = false,
$os_endpoint_type = undef,
$allowed_hosts = $::fqdn,
$vhost_extra_params = {},
$neutron_extra_options = {},
$firewall_settings = {},
) {
# We build the param needed for horizon class
$keystone_url = "${keystone_proto}://${keystone_host}:${keystone_port}/v2.0"
# Apache2 specific configuration
if $ssl_forward {
$setenvif = ['X-Forwarded-Proto https HTTPS=1']
} else {
$setenvif = []
}
$extra_params = {
'add_listen' => true,
'setenvif' => $setenvif
}
$vhost_extra_params_real = merge ($extra_params, $vhost_extra_params)
$neutron_options = {
'enable_lb' => true
}
$neutron_options_real = merge ($neutron_options, $neutron_extra_options)
class { 'horizon':
secret_key => $secret_key,
servername => $servername,
bind_address => $api_eth,
keystone_url => $keystone_url,
cache_server_ip => false,
django_debug => $debug,
neutron_options => $neutron_options_real,
listen_ssl => $listen_ssl,
horizon_cert => $horizon_cert,
horizon_key => $horizon_key,
horizon_ca => $horizon_ca,
vhost_extra_params => $vhost_extra_params_real,
openstack_endpoint_type => $os_endpoint_type,
allowed_hosts => $allowed_hosts,
}
if ($::osfamily == 'Debian') {
# TODO(Goneri): HACK to ensure Horizon can cache its files
$horizon_var_dir = ['/var/lib/openstack-dashboard/static/js','/var/lib/openstack-dashboard/static/css']
file {$horizon_var_dir:
ensure => directory,
owner => 'horizon',
group => 'horizon',
}
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow horizon access':
port => $horizon_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-horizon":
listening_service => 'horizon_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $horizon_port,
options => "check inter 2000 rise 2 fall 5 cookie ${::hostname}"
}
if $listen_ssl {
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow horizon ssl access':
port => $horizon_ssl_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-horizon-ssl":
listening_service => 'horizon_ssl_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $horizon_ssl_port,
options => "check inter 2000 rise 2 fall 5 cookie ${::hostname}"
}
}
}
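Review bot: `secret_key` defaults to the literal `'secrete'` even though its own doc line says it "should be set to a unique, unpredictable value"; a fixed default published in the module undermines the Django signing it protects, so the parameter should have no default and fail compilation when unset. Also, `ks_keystone_internal_host` is declared in the parameter list but never referenced in the body (the Keystone URL is built from `keystone_proto`/`keystone_host`/`keystone_port`), and `debug` defaults to `true`, which switches on `django_debug` in the `horizon` class; both deserve a look if this code is ever revived elsewhere.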


@ -1,92 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::dbaas
#
# Common class to install OpenStack Database as a Service (Trove)
#
# === Parameters:
#
# [*trove_db_host*]
# (optional) Hostname or IP address to connect to trove database
# Defaults to '127.0.0.1'
#
# [*trove_db_user*]
# (optional) Username to connect to trove database
# Defaults to 'trove'
#
# [*trove_db_password*]
# (optional) Password to connect to trove database
# Defaults to 'trovepassword'
#
# [*trove_db_idle_timeout*]
# (optional) Timeout before idle SQL connections are reaped.
# Defaults to 5000
#
# [*rabbit_hosts*]
# (optional) List of RabbitMQ servers. Should be an array.
# Defaults to ['127.0.0.1:5672']
#
# [*rabbit_password*]
# (optional) Password to connect to nova queues.
# Defaults to 'rabbitpassword'
#
# [*nova_admin_username*]
# (optional) Trove username used to connect to nova.
# Defaults to 'trove'
#
# [*nova_admin_password*]
# (optional) Trove password used to connect to nova.
# Defaults to 'trovepassword'
#
# [*nova_admin_tenant_name*]
# (optional) Trove tenant name used to connect to nova.
# Defaults to 'services'
#
class cloud::database::dbaas(
$trove_db_host = '127.0.0.1',
$trove_db_user = 'trove',
$trove_db_password = 'trovepassword',
$trove_db_idle_timeout = 5000,
$rabbit_hosts = ['127.0.0.1:5672'],
$rabbit_password = 'rabbitpassword',
$nova_admin_username = 'trove',
$nova_admin_tenant_name = 'services',
$nova_admin_password = 'trovepassword',
) {
$encoded_user = uriescape($trove_db_user)
$encoded_password = uriescape($trove_db_password)
class { 'trove':
database_connection => "mysql://${encoded_user}:${encoded_password}@${trove_db_host}/trove?charset=utf8",
database_idle_timeout => $trove_db_idle_timeout,
mysql_module => '2.2',
rabbit_hosts => $rabbit_hosts,
rabbit_password => $rabbit_password,
rabbit_userid => 'trove',
nova_proxy_admin_pass => $nova_admin_password,
nova_proxy_admin_user => $nova_admin_username,
nova_proxy_admin_tenant_name => $nova_admin_tenant_name
}
exec {'trove_db_sync':
command => 'trove-manage db_sync',
user => 'trove',
path => '/usr/bin',
unless => "/usr/bin/mysql trove -h ${trove_db_host} -u ${encoded_user} -p${encoded_password} -e \"show tables\" | /bin/grep Tables"
}
}
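Review bot: the `unless` command of `trove_db_sync` passes the database password on the `mysql` command line (`-p${encoded_password}`), where it is visible to every local user in the process list while the check runs; hand it over via the `exec` resource's `environment` (`MYSQL_PWD`) or a `--defaults-extra-file` instead. The same command also uses `$encoded_user`/`$encoded_password`, i.e. the `uriescape`d forms built for the SQLAlchemy URL, so a password containing characters that `uriescape` rewrites will fail the check even though the connection string is correct; the raw `$trove_db_user`/`$trove_db_password` belong there. The `'trovepassword'`/`'rabbitpassword'` defaults should also be dropped in favour of required parameters.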


@ -1,104 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::dbaas::api
#
# Class to install API service of OpenStack Database as a Service (Trove)
#
# === Parameters:
#
# [*ks_trove_password*]
# (required) Password used by trove for Keystone authentication.
# Default: 'trovepassword'
#
# [*verbose*]
# (optional) Rather to log the trove api service at verbose level.
# Default: true
#
# [*debug*]
# (optional) Rather to log the trove api service at debug level.
# Default: true
#
# [*use_syslog*]
# (optional) Use syslog for logging.
# Defaults to true
#
# [*api_eth*]
# (optional) Hostname or IP to bind Trove API.
# Defaults to '127.0.0.1'
#
# [*ks_trove_public_port*]
# (optional) TCP public port used to connect to Trove API.
# Defaults to '8779'
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_port*]
# (optional) TCP internal port used to connect to Keystone API.
# Defaults to '5000'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol used to connect to Keystone API.
# Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::dbaas::api(
$ks_trove_password = 'trovepassword',
$verbose = true,
$debug = true,
$use_syslog = true,
$api_eth = '127.0.0.1',
$ks_trove_public_port = '8779',
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_port = '5000',
$ks_keystone_internal_proto = 'http',
$firewall_settings = {},
) {
include 'cloud::database::dbaas'
class { 'trove::api':
verbose => $verbose,
debug => $debug,
use_syslog => $use_syslog,
bind_host => $api_eth,
bind_port => $ks_trove_public_port,
auth_url => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:${ks_keystone_internal_port}/v2.0",
keystone_password => $ks_trove_password,
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow trove-api access':
port => $ks_trove_public_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-trove_api":
listening_service => 'trove_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_trove_public_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
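Review bot: `ks_trove_password` is documented as `(required)` yet gets the default `'trovepassword'`, so a deployment that forgets to set it silently registers the Trove service account with a guessable password; drop the default so catalog compilation fails instead. Minor: the `verbose`/`debug` doc lines read "Rather to log", which should be "Whether to log".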


@ -1,65 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::dbaas::conductor
#
# Class to install Conductor service of OpenStack Database as a Service (Trove)
#
# === Parameters:
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_port*]
# (optional) TCP internal port used to connect to Keystone API.
# Defaults to '5000'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol used to connect to Keystone API.
# Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*verbose*]
# (optional) Rather to log the trove api service at verbose level.
# Default: true
#
# [*debug*]
# (optional) Rather to log the trove api service at debug level.
# Default: true
#
# [*use_syslog*]
# (optional) Use syslog for logging.
# Defaults to true
#
class cloud::database::dbaas::conductor(
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_port = '5000',
$ks_keystone_internal_proto = 'http',
$verbose = true,
$debug = true,
$use_syslog = true,
) {
include 'cloud::database::dbaas'
class { 'trove::conductor':
auth_url => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:${ks_keystone_internal_port}/v2.0",
debug => $debug,
verbose => $verbose,
use_syslog => $use_syslog
}
}
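Review bot: the parameter docs for `verbose` and `debug` were copied from the API class: they say "Rather to log the trove api service" although this class configures `trove::conductor`, and "Rather" should be "Whether".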


@ -1,65 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::dbaas::taskmanager
#
# Class to install Taskmanager service of OpenStack Database as a Service (Trove)
#
# === Parameters:
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_port*]
# (optional) TCP internal port used to connect to Keystone API.
# Defaults to '5000'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol used to connect to Keystone API.
# Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*verbose*]
# (optional) Rather to log the trove api service at verbose level.
# Default: true
#
# [*debug*]
# (optional) Rather to log the trove api service at debug level.
# Default: true
#
# [*use_syslog*]
# (optional) Use syslog for logging.
# Defaults to true
#
class cloud::database::dbaas::taskmanager(
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_port = '5000',
$ks_keystone_internal_proto = 'http',
$debug = true,
$verbose = true,
$use_syslog = true
) {
include 'cloud::database::dbaas'
class { 'trove::taskmanager':
auth_url => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:${ks_keystone_internal_port}/v2.0",
debug => $debug,
verbose => $verbose,
use_syslog => $use_syslog
}
}
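Review bot: same copy-paste in the header as the conductor class: the `verbose` and `debug` doc lines refer to "the trove api service" while this class configures `trove::taskmanager`, and "Rather to log" should read "Whether to log".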


@ -1,40 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::nosql::cassandra
#
# Install a Cassandra node
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::nosql::cassandra (
$firewall_settings = {},
){
include ::cassandra
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow cassandra access':
port => '7000',
extras => $firewall_settings,
}
}
}
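Review bot: port `7000` is hardcoded in the firewall rule while `include ::cassandra` receives no configuration, so the rule assumes the node was left on that default port; expose it as a parameter (as `listen_port` is in the elasticsearch class) so the rule follows the actual configuration.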


@ -1,58 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::nosql::elasticsearch
#
# Install an ElasticSearch server
#
# === Parameters:
#
# [*listen_port*]
# (optional) Port on which ElasticSearch instance should listen
# Defaults to '9200'
#
# [*listen_ip*]
# (optional) IP address on which ElasticSearch instance should listen
# Defaults to '127.0.0.1'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::nosql::elasticsearch (
$listen_port = '9200',
$listen_ip = '127.0.0.1',
$firewall_settings = {},
){
include ::elasticsearch
@@haproxy::balancermember{"${::fqdn}-es_cluster":
listening_service => 'elasticsearch',
server_names => $::hostname,
ipaddresses => $listen_ip,
ports => $listen_port,
options => 'check inter 2000 rise 2 fall 5'
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow elasticsearch access':
port => $listen_port,
extras => $firewall_settings,
}
}
}
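Review bot: `listen_ip` and `listen_port` are used only for the exported `haproxy::balancermember` and the firewall rule; `include ::elasticsearch` receives neither, so the bind address and port the service actually uses are configured elsewhere and can silently disagree with what HAProxy is told to health-check and what the firewall opens. Feed the same two values into the elasticsearch configuration so one source of truth drives all three.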


@ -1,40 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::nosql::kafka
#
# Install a Kafka broket
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::nosql::kafka (
$firewall_settings = {},
){
include ::kafka::broker
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow kafka access':
port => '9092',
extras => $firewall_settings,
}
}
}
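Review bot: the class description says "Install a Kafka broket"; should be "broker". The firewall rule also hardcodes `9092` while `include ::kafka::broker` receives no configuration, so a broker configured to listen on another port leaves the rule and the service out of step; expose the port as a parameter like the elasticsearch class does with `listen_port`.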


@ -1,48 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::nosql::memcached
#
# Install a Memcached server (used by OpenStack services)
#
# === Parameters:
#
# [*listen_ip*]
# (optional) IP address on which memcached instance should listen
# Defaults to '127.0.0.1'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::nosql::memcached (
$listen_ip = '127.0.0.1',
$firewall_settings = {},
){
class { '::memcached':
listen_ip => $listen_ip,
max_memory => '60%',
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow memcached access':
port => '11211',
extras => $firewall_settings,
}
}
}
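Review bot: the firewall rule opens TCP `11211` whenever `cloud::manage_firewall` is set, regardless of `listen_ip`; with the `'127.0.0.1'` default the rule is pointless, and with a routable `listen_ip` it exposes the cache used by the OpenStack services to whatever source `firewall_settings` permits. Guard the rule on `listen_ip != '127.0.0.1'` and document that `firewall_settings` should carry a `source` restriction for this port.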


@ -1,64 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::nosql::mongodb::mongod
#
# Install a MongoDB server & the replicasets
#
# === Parameters:
#
# [*enable*]
# (optional) Should mongod be running.
# Defaults to 'true'
#
# [*replset*]
# (optional) MongoDB replicaset to configure
# Define the replset to enable on the mongodb server
# Example:
# { 'ceilometer' => { 'members' => '10.0.0.1:27017' }}
# Defaults to {}
#
# [*mongod_port*]
# (optional) Port for the firewall to enable
# Based on the mode the mongod process is started with, the port
# it will listen on might change.
# Defaults to '27017'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Defaults to {}
#
class cloud::database::nosql::mongodb::mongod(
$enable = true,
$replset = {},
$mongod_port = '27017',
$firewall_settings = {},
) {
if $enable {
include ::mongodb::globals
include ::mongodb::server
create_resources('mongodb_replset', $replset)
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow mongod access':
port => $mongod_port,
extras => $firewall_settings,
}
}
}
}
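Review bot: Unlike the memcached and redis classes, this one exposes no bind address: `include ::mongodb::server` is used with the module's defaults, so the listening interface and authentication are left entirely to `mongodb::globals` / `mongodb::server`, and the only control set here is the `'100 allow mongod access'` rule on `$mongod_port`, which accepts from any source unless `firewall_settings` narrows it. The header also documents `enable` as `Defaults to 'true'` (a quoted string) while the code default is the bare boolean `true`; the doc should match the code.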


@ -1,69 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::nosql::mongodb::mongos
#
# Install and configure mongos (daemon responsible for sharding in MongoDB)
#
# === Parameters:
#
# [*enable*]
# (optional) Should mongos be running.
# Defaults to 'true'
#
# [*shards*]
# (optional) Hash of shards to create
# Example :
# { 'ceilometer' =>
# {
# 'member' => 'ceilometer/10.0.0.1:27018',
# 'keys' => [{'ceilometer.name' => { 'name' => 1 }}, {'ceilometer.foo' => { 'bar' => 1 }}]
# }
# }
# Defaults to {}
#
# [*mongos_port*]
# (optional) Port for the firewall to enable
# Based on the mode the mongos process is started with, the port
# it will listen on might change.
# Defaults to '27017'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Defaults to {}
#
#
class cloud::database::nosql::mongodb::mongos(
$enable = true,
$shards = {},
$mongos_port = '27017',
$firewall_settings = {},
) {
if $enable {
include ::mongodb::globals
include ::mongodb::mongos
create_resources('mongodb_shard', $shards)
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow mongos access':
port => $mongos_port,
extras => $firewall_settings,
}
}
}
}
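Review bot: `$mongos_port` defaults to '27017', the same value `cloud::database::nosql::mongodb::mongod` uses for `$mongod_port`, while this header's own example points the shard member at port 27018; the doc should state which process is expected to own 27017 on a host that runs both. Style: the parameter header ends with two consecutive bare `#` lines, and the `Example :` hash under `shards` is indented inconsistently with the rest of the docstring.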


@ -1,67 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::nosql::redis::sentinel
#
# Install a Redis sentinel node (used by OpenStack & monitoring services)
#
# === Parameters:
#
# [*port*]
# (optional) Port where Redis is binded.
# Used for firewall purpose.
# Default to 26379
#
# [*haproxy_monitor_ip*]
# (optional) IP on which the HAProxy API is listening on
# Used for redis master failover purpose
# Default to 127.0.0.1
#
# [*haproxy_monitor_port*]
# (optional) Port on which the HAProxy API is listening on
# Used for redis master failover purpose
# Default to 10300
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::nosql::redis::sentinel(
$port = 26379,
$haproxy_monitor_ip = '127.0.0.1',
$haproxy_monitor_port = '10300',
$firewall_settings = {},
) {
include ::redis::sentinel
file { '/bin/redis-notifications.sh':
ensure => present,
owner => 'root',
group => 'root',
mode => '0755',
content => template('cloud/database/redis-notifications.sh.erb'),
before => Service['redis-sentinel'],
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow redis sentinel access':
port => $port,
extras => $firewall_settings,
}
}
}
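Review bot: The `port` docstring says 'Port where Redis is binded', but 26379 is the sentinel's port, not the Redis server's; it should read 'Port on which the sentinel is bound'. `$port = 26379` is an integer while `$haproxy_monitor_port = '10300'` is a string; use one type for ports across the class. `/bin/redis-notifications.sh` is correctly ordered `before => Service['redis-sentinel']`, but `/bin` is conventionally reserved for package-managed binaries; `/usr/local/bin` is the usual home for a locally managed script.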


@ -1,59 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::nosql::redis::server
#
# Install a Redis server (used by OpenStack & monitoring services)
#
# === Parameters:
#
# [*bind_ip*]
# (optional) Address on which Redis is listening on
# Defaults to '127.0.0.1'
#
# [*port*]
# (optional) Port where Redis is binded.
# Used for firewall purpose.
# Default to 6379
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::nosql::redis::server(
$bind_ip = '127.0.0.1',
$port = 6379,
$firewall_settings = {},
) {
include ::redis
@@haproxy::balancermember{"${::fqdn}-redis":
listening_service => 'redis_cluster',
server_names => $::hostname,
ipaddresses => $bind_ip,
ports => $port,
options => 'check inter 2000 rise 2 fall 5'
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow redis server access':
port => $port,
extras => $firewall_settings,
}
}
}
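Review bot: The exported `@@haproxy::balancermember{"${::fqdn}-redis"}` advertises `ipaddresses => $bind_ip`, so with the default `bind_ip => '127.0.0.1'` a remote HAProxy would be told to connect to its own loopback; the class should fail or warn when `bind_ip` is left at the default while the member is exported. The options `'check inter 2000 rise 2 fall 5'` carry no master/replica distinction, so every node joins `redis_cluster` as an equal backend and master selection relies entirely on the notification script deployed by `cloud::database::nosql::redis::sentinel`; that dependency belongs in this header. Nothing in this hunk configures Redis authentication; that is left to the `::redis` defaults.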


@ -1,40 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::database::nosql::zookeeper
#
# Install a Zookeeper node
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::nosql::zookeeper (
$firewall_settings = {},
){
include ::zookeeper
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow zookeeper access':
port => '2181',
extras => $firewall_settings,
}
}
}
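Review bot: Port 2181 is hard-coded in the `'100 allow zookeeper access'` rule, whereas the sibling classes (`mongod`, `mongos`, `redis::sentinel`, `redis::server`) take the firewall port as a parameter; expose a `$port` parameter for consistency. As with the other rules it accepts from `0.0.0.0/0` unless `firewall_settings` narrows `source`, which matters for a coordination service with no client authentication configured here.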


@ -1,572 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless optional by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# MySQL Galera Node
#
# === Parameters
#
# [*api_eth*]
# (optional) Hostname or IP to bind MySQL daemon.
# Defaults to '127.0.0.1'
#
# [*galera_master_name*]
# (optional) Hostname or IP of the Galera master node, databases and users
# resources are created on this node and propagated on the cluster.
# Defaults to 'mgmt001'
#
# [*galera_internal_ips*]
# (optional) Array of internal ip of the galera nodes.
# Defaults to ['127.0.0.1']
#
# [*galera_gcache*]
# (optional) Size of the Galera gcache
# wsrep_provider_options, for master/slave mode
# Defaults to '1G'
#
# [*keystone_db_host*]
# (optional) Host where user should be allowed all privileges for database.
# Defaults to 127.0.0.1
#
# [*keystone_db_user*]
# (optional) Name of keystone DB user.
# Defaults to trove
#
# [*keystone_db_password*]
# (optional) Password that will be used for the Keystone db user.
# Defaults to 'keystonepassword'
#
# [*keystone_db_allowed_hosts*]
# (optional) Hosts allowed to use the database
# Defaults to ['127.0.0.1']
#
# [*cinder_db_host*]
# (optional) Host where user should be allowed all privileges for database.
# Defaults to 127.0.0.1
#
# [*cinder_db_user*]
# (optional) Name of cinder DB user.
# Defaults to trove
#
# [*cinder_db_password*]
# (optional) Password that will be used for the cinder db user.
# Defaults to 'cinderpassword'
#
# [*cinder_db_allowed_hosts*]
# (optional) Hosts allowed to use the database
# Defaults to ['127.0.0.1']
#
# [*glance_db_host*]
# (optional) Host where user should be allowed all privileges for database.
# Defaults to 127.0.0.1
#
# [*glance_db_user*]
# (optional) Name of glance DB user.
# Defaults to trove
#
# [*glance_db_password*]
# (optional) Password that will be used for the glance db user.
# Defaults to 'glancepassword'
#
# [*glance_db_allowed_hosts*]
# (optional) Hosts allowed to use the database
# Defaults to ['127.0.0.1']
#
# [*heat_db_host*]
# (optional) Host where user should be allowed all privileges for database.
# Defaults to 127.0.0.1
#
# [*heat_db_user*]
# (optional) Name of heat DB user.
# Defaults to trove
#
# [*heat_db_password*]
# (optional) Password that will be used for the heat db user.
# Defaults to 'heatpassword'
#
# [*heat_db_allowed_hosts*]
# (optional) Hosts allowed to use the database
# Defaults to ['127.0.0.1']
#
# [*nova_db_host*]
# (optional) Host where user should be allowed all privileges for database.
# Defaults to 127.0.0.1
#
# [*nova_db_user*]
# (optional) Name of nova DB user.
# Defaults to trove
#
# [*nova_db_password*]
# (optional) Password that will be used for the nova db user.
# Defaults to 'novapassword'
#
# [*nova_db_allowed_hosts*]
# (optional) Hosts allowed to use the database
# Defaults to ['127.0.0.1']
#
# [*neutron_db_host*]
# (optional) Host where user should be allowed all privileges for database.
# Defaults to 127.0.0.1
#
# [*neutron_db_user*]
# (optional) Name of neutron DB user.
# Defaults to trove
#
# [*neutron_db_password*]
# (optional) Password that will be used for the neutron db user.
# Defaults to 'neutronpassword'
#
# [*neutron_db_allowed_hosts*]
# (optional) Hosts allowed to use the database
# Defaults to ['127.0.0.1']
#
# [*trove_db_host*]
# (optional) Host where user should be allowed all privileges for database.
# Defaults to 127.0.0.1
#
# [*trove_db_user*]
# (optional) Name of trove DB user.
# Defaults to trove
#
# [*trove_db_password*]
# (optional) Password that will be used for the trove db user.
# Defaults to 'trovepassword'
#
# [*trove_db_allowed_hosts*]
# (optional) Hosts allowed to use the database
# Defaults to ['127.0.0.1']
#
# [*mysql_root_password*]
# (optional) The MySQL root password.
# Puppet will attempt to set the root password and update `/root/.my.cnf` with it.
# Defaults to 'rootpassword'
#
# [*mysql_sys_maint_password*]
# (optional) The MySQL debian-sys-maint password.
# Debian only parameter.
# Defaults to 'sys_maint'
#
# [*galera_clustercheck_dbuser*]
# (optional) The MySQL username for Galera cluster check (using monitoring database)
# Defaults to 'clustercheck'
#
# [*galera_clustercheck_dbpassword*]
# (optional) The MySQL password for Galera cluster check
# Defaults to 'clustercheckpassword'
#
# [*galera_clustercheck_ipaddress*]
# (optional) The name or ip address of host running monitoring database (clustercheck)
# Defaults to '127.0.0.1'
#
# [*open_files_limit*]
# (optional) An integer that specifies the open_files_limit for MySQL
# Defaults to 65535
#
# [*max_connections*]
# (optional) An integer that specifies the max_connections for MySQL
# Defaults to 4096
#
# [*mysql_systemd_override_settings*]
# (optional) An hash of setting to override for MariaDB unit file.
# Defaults to {}
# Example : { 'LimitNOFILE' => 'infinity', 'LimitNPROC' => 4, 'TimeoutSec' => '30' }
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::sql::mysql (
$api_eth = '127.0.0.1',
$galera_master_name = 'mgmt001',
$galera_internal_ips = ['127.0.0.1'],
$galera_gcache = '1G',
$keystone_db_host = '127.0.0.1',
$keystone_db_user = 'keystone',
$keystone_db_password = 'keystonepassword',
$keystone_db_allowed_hosts = ['127.0.0.1'],
$cinder_db_host = '127.0.0.1',
$cinder_db_user = 'cinder',
$cinder_db_password = 'cinderpassword',
$cinder_db_allowed_hosts = ['127.0.0.1'],
$glance_db_host = '127.0.0.1',
$glance_db_user = 'glance',
$glance_db_password = 'glancepassword',
$glance_db_allowed_hosts = ['127.0.0.1'],
$heat_db_host = '127.0.0.1',
$heat_db_user = 'heat',
$heat_db_password = 'heatpassword',
$heat_db_allowed_hosts = ['127.0.0.1'],
$nova_db_host = '127.0.0.1',
$nova_db_user = 'nova',
$nova_db_password = 'novapassword',
$nova_db_allowed_hosts = ['127.0.0.1'],
$neutron_db_host = '127.0.0.1',
$neutron_db_user = 'neutron',
$neutron_db_password = 'neutronpassword',
$neutron_db_allowed_hosts = ['127.0.0.1'],
$trove_db_host = '127.0.0.1',
$trove_db_user = 'trove',
$trove_db_password = 'trovepassword',
$trove_db_allowed_hosts = ['127.0.0.1'],
$mysql_root_password = 'rootpassword',
$mysql_sys_maint_password = 'sys_maint',
$galera_clustercheck_dbuser = 'clustercheck',
$galera_clustercheck_dbpassword = 'clustercheckpassword',
$galera_clustercheck_ipaddress = '127.0.0.1',
$open_files_limit = 65535,
$max_connections = 4096,
$mysql_systemd_override_settings = {},
$firewall_settings = {},
) {
include 'xinetd'
if $mysql_systemd_override_settings['LimitNOFILE'] {
$open_files_limit_real = $mysql_systemd_override_settings['LimitNOFILE']
$mysql_systemd_override_settings_real = $mysql_systemd_override_settings
} else {
$open_files_limit_real = $open_files_limit
$mysql_systemd_override_settings_real = merge($mysql_systemd_override_settings, { 'LimitNOFILE' => $open_files_limit})
}
$gcomm_definition = inline_template('<%= @galera_internal_ips.join(",") + "?pc.wait_prim=no" -%>')
# Specific to the Galera master node
if $::hostname == $galera_master_name {
$mysql_root_password_real = $mysql_root_password
# OpenStack DB
class { 'keystone::db::mysql':
dbname => 'keystone',
user => $keystone_db_user,
password => $keystone_db_password,
host => $keystone_db_host,
allowed_hosts => $keystone_db_allowed_hosts,
}
class { 'glance::db::mysql':
dbname => 'glance',
user => $glance_db_user,
password => $glance_db_password,
host => $glance_db_host,
allowed_hosts => $glance_db_allowed_hosts,
}
class { 'nova::db::mysql':
dbname => 'nova',
user => $nova_db_user,
password => $nova_db_password,
host => $nova_db_host,
allowed_hosts => $nova_db_allowed_hosts,
}
class { 'cinder::db::mysql':
dbname => 'cinder',
user => $cinder_db_user,
password => $cinder_db_password,
host => $cinder_db_host,
allowed_hosts => $cinder_db_allowed_hosts,
}
class { 'neutron::db::mysql':
dbname => 'neutron',
user => $neutron_db_user,
password => $neutron_db_password,
host => $neutron_db_host,
allowed_hosts => $neutron_db_allowed_hosts,
}
class { 'heat::db::mysql':
dbname => 'heat',
user => $heat_db_user,
password => $heat_db_password,
host => $heat_db_host,
allowed_hosts => $heat_db_allowed_hosts,
}
class { 'trove::db::mysql':
dbname => 'trove',
user => $trove_db_user,
password => $trove_db_password,
host => $trove_db_host,
allowed_hosts => $trove_db_allowed_hosts,
}
# Monitoring DB
mysql_database { 'monitoring':
ensure => 'present',
charset => 'utf8',
collate => 'utf8_general_ci',
require => File['/root/.my.cnf']
}
mysql_user { "${galera_clustercheck_dbuser}@localhost":
ensure => 'present',
# can not change password in clustercheck script
password_hash => mysql_password($galera_clustercheck_dbpassword),
require => File['/root/.my.cnf']
}
mysql_grant { "${galera_clustercheck_dbuser}@localhost/monitoring":
ensure => 'present',
options => ['GRANT'],
privileges => ['ALL'],
table => 'monitoring.*',
user => "${galera_clustercheck_dbuser}@localhost",
}
Database_user<<| |>>
} else {
# NOTE(sileht): Only the master must create the password
# into the database, slave nodes must just use the password.
# The one in the database have been retrieved via galera.
file { "${::root_home}/.my.cnf":
content => "[client]\nuser=root\nhost=localhost\npassword=${mysql_root_password}\n",
owner => 'root',
mode => '0600',
}
}
# Specific to Red Hat or Debian systems:
case $::osfamily {
'RedHat': {
# Specific to Red Hat
$mysql_server_package_name = 'mariadb-galera-server'
$mysql_client_package_name = 'mariadb'
$wsrep_provider = '/usr/lib64/galera/libgalera_smm.so'
$mysql_server_config_file = '/etc/my.cnf'
$mysql_init_file = '/usr/lib/systemd/system/mysql-bootstrap.service'
if $::hostname == $galera_master_name {
$mysql_service_name = 'mysql-bootstrap'
if !str2bool($::galera_bootstrapped) {
$wsrep_new_cluster = '--wsrep-new-cluster'
} else {
$wsrep_new_cluster = ''
}
} else {
$mysql_service_name = 'mariadb'
}
$dirs = [ '/var/run/mysqld', '/var/log/mysql' ]
file { $dirs:
ensure => directory,
mode => '0750',
before => Service['mysqld'],
owner => 'mysql'
}
# In Red Hat, the package does not perform the mysql db installation.
# We need to do this manually.
# Note: in MariaDB repository, package perform this action in post-install,
# but MariaDB is not packaged for Red Hat / CentOS 7 in MariaDB repository.
exec { 'bootstrap-mysql':
command => '/usr/bin/mysql_install_db --rpm --user=mysql',
unless => '/usr/bin/test -d /var/lib/mysql/mysql',
before => Service['mysqld'],
require => [Package[$mysql_server_package_name], File[$mysql_server_config_file]]
}
if $::operatingsystemmajrelease >= 7 {
file { "/etc/systemd/system/${mysql_service_name}.service.d" :
ensure => directory,
}
file { "/etc/systemd/system/${mysql_service_name}.service.d/custom.conf" :
content => template('cloud/database/systemd-custom.conf.erb'),
owner => 'root',
mode => '0755',
group => 'root',
notify => [Service['mysqld'], Exec['mariadb-sysctl-daemon-reload']],
}
exec { 'mariadb-sysctl-daemon-reload' :
command => '/usr/bin/systemctl daemon-reload',
refreshonly => true,
notify => Service['mysqld'],
}
}
} # RedHat
'Debian': {
# Specific to Debian / Ubuntu
$mysql_server_package_name = 'mariadb-galera-server'
$mysql_client_package_name = 'mariadb-client'
$wsrep_provider = '/usr/lib/galera/libgalera_smm.so'
$mysql_server_config_file = '/etc/mysql/my.cnf'
$mysql_init_file = '/etc/init.d/mysql-bootstrap'
if $::hostname == $galera_master_name {
$mysql_service_name = 'mysql-bootstrap'
} else {
$mysql_service_name = 'mysql'
}
mysql_user { 'debian-sys-maint@localhost':
ensure => 'present',
password_hash => mysql_password($mysql_sys_maint_password),
require => File['/root/.my.cnf']
}
file{'/etc/mysql/debian.cnf':
ensure => file,
content => template('cloud/database/debian.cnf.erb'),
owner => 'root',
group => 'root',
mode => '0600',
require => Exec['clean-mysql-binlog'],
}
} # Debian
default: {
fail("${::osfamily} not supported yet")
}
}
# This is due to this bug: https://bugs.launchpad.net/codership-mysql/+bug/1087368
# The backport to API 23 requires a command line option --wsrep-new-cluster:
# http://bazaar.launchpad.net/~codership/codership-mysql/wsrep-5.5/revision/3844?start_revid=3844
# and the mysql init script cannot have arguments passed to the daemon
# using /etc/default/mysql standart mechanism.
# To check that the mysqld support the options you can :
# strings `which mysqld` | grep wsrep-new-cluster
# TODO: to be remove as soon as the API 25 is packaged, ie galera 3 ...
if $::osfamily == 'RedHat' and $::operatingsystemmajrelease >= 7 {
$mysql_service_notify = Exec['mariadb-sysctl-daemon-reload']
} else {
$mysql_service_notify = Service['mysqld']
}
file { $mysql_init_file :
content => template("cloud/database/etc_initd_mysql_${::osfamily}"),
owner => 'root',
mode => '0755',
group => 'root',
notify => $mysql_service_notify,
before => Package[$mysql_server_package_name],
}
if $::osfamily == 'Debian' {
# The startup time can be longer than the default 30s so we take
# care of it there. Until this bug is not resolved
# https://mariadb.atlassian.net/browse/MDEV-5540, we have to do it
# the ugly way.
file_line { 'debian_increase_mysql_startup_time':
line => 'MYSQLD_STARTUP_TIMEOUT=120',
path => '/etc/init.d/mysql',
after => '^CONF=',
require => Package[$mysql_server_package_name],
notify => Service['mysqld'],
}
}
class { 'mysql::server':
manage_config_file => false,
config_file => $mysql_server_config_file,
package_name => $mysql_server_package_name,
service_name => $mysql_service_name,
override_options => {
'mysqld' => {
'bind-address' => $api_eth
}
},
root_password => $mysql_root_password_real,
notify => Service['xinetd'],
}
file { $mysql_server_config_file:
content => template('cloud/database/mysql.conf.erb'),
mode => '0644',
owner => 'root',
group => 'root',
notify => [Service['mysqld'],Exec['clean-mysql-binlog']],
require => Package[$mysql_server_package_name],
}
class { 'mysql::client':
package_name => $mysql_client_package_name,
}
# Haproxy http monitoring
augeas { 'mysqlchk':
context => '/files/etc/services',
changes => [
'ins service-name after service-name[last()]',
'set service-name[last()] "mysqlchk"',
'set service-name[. = "mysqlchk"]/port 8200',
'set service-name[. = "mysqlchk"]/protocol tcp',
],
onlyif => 'match service-name[. = "mysqlchk"] size == 0',
notify => [ Service['xinetd'], Exec['reload_xinetd'] ]
}
file {
'/etc/xinetd.d/mysqlchk':
content => template('cloud/database/mysqlchk.erb'),
owner => 'root',
group => 'root',
mode => '0755',
require => File['/usr/bin/clustercheck'],
notify => [ Service['xinetd'], Exec['reload_xinetd'] ];
'/usr/bin/clustercheck':
ensure => present,
content => template('cloud/database/clustercheck.erb'),
mode => '0755',
owner => 'root',
group => 'root';
}
# The puppet-xinetd module do not correctly reload
# the configuration on “notify”
# TODO(Goneri): remove this once https://github.com/puppetlabs/puppetlabs-xinetd/pull/9
# get merged
exec{ 'reload_xinetd':
command => '/usr/bin/pkill -F /var/run/xinetd.pid --signal HUP',
refreshonly => true,
require => Service['xinetd'],
}
exec{'clean-mysql-binlog':
# first sync take a long time
command => "/bin/bash -c '/usr/bin/mysqladmin --defaults-file=/root/.my.cnf shutdown ; /bin/rm ${::mysql::params::datadir}/ib_logfile*'",
path => '/usr/bin',
notify => Service['mysqld'],
refreshonly => true,
onlyif => "stat ${::mysql::params::datadir}/ib_logfile0 && test `du -sh ${::mysql::params::datadir}/ib_logfile0 | cut -f1` != '256M'",
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow galera access':
port => ['3306', '4567', '4568', '4444'],
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow mysqlchk access':
port => '8200',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow mysql rsync access':
port => '873',
extras => $firewall_settings,
}
}
@@haproxy::balancermember{$::fqdn:
listening_service => 'galera_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => '3306',
options =>
inline_template('check inter 2000 rise 2 fall 5 port 8200 <% if @hostname != @galera_master_name -%>backup<% end %> on-marked-down shutdown-sessions')
}
@@haproxy::balancermember{"${::fqdn}-readonly":
listening_service => 'galera_readonly_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => '3306',
options =>
inline_template('check inter 2000 rise 2 fall 5 port 8200 <% if @hostname == @galera_master_name -%>backup<% end %> on-marked-down shutdown-sessions')
}
}
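Review bot: The parameter header is wrong for six of the seven `*_db_user` entries: `keystone_db_user`, `cinder_db_user`, `glance_db_user`, `heat_db_user`, `nova_db_user` and `neutron_db_user` are all documented as 'Defaults to trove' while the code defaults are 'keystone', 'cinder', 'glance', 'heat', 'nova' and 'neutron' (copy-paste from the trove entry), and the license header reads 'Unless optional by applicable law' where it should say 'Unless required'. On least privilege, the clustercheck user receives `privileges => ['ALL']` with `options => ['GRANT']` on `monitoring.*` although the check only needs to read that database, and every credential (`mysql_root_password`, the `*_db_password` set, `galera_clustercheck_dbpassword`) has a guessable literal default instead of being required. Two non-executable files, `/etc/systemd/system/${mysql_service_name}.service.d/custom.conf` and `/etc/xinetd.d/mysqlchk`, are installed with `mode => '0755'`; `0644` is all a config file needs. Finally, `$mysql_root_password_real` is only assigned in the `$::hostname == $galera_master_name` branch, so `mysql::server` receives `undef` on every other node; the NOTE explains why, but assigning it explicitly in the `else` branch would make the intent visible.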


@ -1,51 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::firewall::post
#
# Firewall rules during 'post' Puppet stage
#
# === Parameters:
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to false
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::firewall::post(
$debug = false,
$firewall_settings = {},
){
if $debug {
warning('debug is enabled, the traffic is not blocked.')
} else {
firewall { '998 log all':
proto => 'all',
jump => 'LOG',
}
cloud::firewall::rule{ '999 drop all':
proto => 'all',
action => 'drop',
extras => $firewall_settings,
}
notice('At this stage, all network traffic is blocked.')
}
}
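Review bot: The `'999 drop all'` rule goes through `cloud::firewall::rule` without overriding `state`, so it inherits that define's default `state => ['NEW']` and drops only NEW-state packets; packets in state INVALID are logged by `'998 log all'` and then fall through to the chain's default policy instead of being dropped. Pass an explicit state list that includes INVALID if the intent is to drop everything. Also, `'998 log all'` is declared as a bare `firewall` resource while `'999 drop all'` goes through `cloud::firewall::rule` with `extras => $firewall_settings`, so a `firewall_settings` override such as `chain` would move the drop rule but leave the log rule where it is.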


@ -1,57 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::firewall::pre
#
# Firewall rules during 'pre' Puppet stage
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::firewall::pre(
$firewall_settings = {},
){
# ensure the correct packages are installed
include firewall
# defaults 'pre' rules
cloud::firewall::rule{ '000 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
extras => $firewall_settings,
}
cloud::firewall::rule{ '001 accept all icmp':
proto => 'icmp',
extras => $firewall_settings,
}
cloud::firewall::rule{ '002 accept all to lo interface':
proto => 'all',
iniface => 'lo',
extras => $firewall_settings,
}
cloud::firewall::rule{ '003 accept ssh':
port => '22',
extras => $firewall_settings,
}
}
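Review bot: `'003 accept ssh'` opens port 22 with the define's default `source => '0.0.0.0/0'`; SSH is the rule an operator will most often want scoped to a management network, so a dedicated `$ssh_source` parameter would be cleaner than relying on `firewall_settings`, which applies the same extras to the ICMP and loopback rules as well. Style: `include firewall` is unqualified while most includes in these manifests use the `::` prefix (`include ::redis`, `include ::zookeeper`).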


@ -1,46 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Define::
#
# cloud::firewall
#
define cloud::firewall::rule (
$port = undef,
$proto = 'tcp',
$action = 'accept',
$state = ['NEW'],
$source = '0.0.0.0/0',
$iniface = undef,
$chain = 'INPUT',
$extras = {},
) {
$basic = {
'port' => $port,
'proto' => $proto,
'action' => $action,
'state' => $state,
'source' => $source,
'iniface' => $iniface,
'chain' => $chain,
}
$rule = merge($basic, $extras)
validate_hash($rule)
create_resources('firewall', { "${title}" => $rule })
}
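Review bot: `validate_hash($rule)` after `merge($basic, $extras)` cannot fail, because `merge` always returns a hash; the useful check is `validate_hash($extras)` before the merge, which is where a malformed `firewall_settings` value enters. The header names the define `cloud::firewall` rather than `cloud::firewall::rule` and says nothing about the `source => '0.0.0.0/0'` default, which every caller in this module that omits `source` inherits; it should also state that `extras` silently overrides any of the basic keys, `action` and `chain` included.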


@ -1,756 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::identity
#
# Install Identity Server (Keystone)
#
# === Parameters:
#
# [*identity_roles_addons*]
# (optional) Extra keystone roles to create
# Defaults to ['SwiftOperator', 'ResellerAdmin']
#
# [*keystone_db_host*]
# (optional) Hostname or IP address to connect to keystone database
# Defaults to '127.0.0.1'
#
# [*keystone_db_user*]
# (optional) Username to connect to keystone database
# Defaults to 'keystone'
#
# [*keystone_db_password*]
# (optional) Password to connect to keystone database
# Defaults to 'keystonepassword'
#
# [*keystone_db_idle_timeout*]
# (optional) Timeout before idle SQL connections are reaped.
# Defaults to 5000
#
# [*memcache_servers*]
# (optionnal) Memcached servers used by Keystone. Should be an array.
# Defaults to ['127.0.0.1:11211']
#
# [*ks_admin_email*]
# (optional) Email address of admin user in Keystone
# Defaults to 'no-reply@keystone.openstack'
#
# [*ks_admin_password*]
# (optional) Password of admin user in Keystone
# Defaults to 'adminpassword'
#
# [*ks_admin_tenant*]
# (optional) Admin tenant name in Keystone
# Defaults to 'admin'
#
# [*ks_admin_token*]
# (required) Admin token used by Keystone.
#
# [*ks_glance_internal_host*]
# (optional) Internal Hostname or IP to connect to Glance API
# Defaults to '127.0.0.1'
#
# [*ks_glance_admin_host*]
# (optional) Admin Hostname or IP to connect to Glance API
# Defaults to '127.0.0.1'
#
# [*ks_glance_public_host*]
# (optional) Public Hostname or IP to connect to Glance API
# Defaults to '127.0.0.1'
#
# [*ks_ceilometer_internal_host*]
# (optional) Internal Hostname or IP to connect to Ceilometer API
# Defaults to '127.0.0.1'
#
# [*ks_ceilometer_admin_host*]
# (optional) Admin Hostname or IP to connect to Ceilometer API
# Defaults to '127.0.0.1'
#
# [*ks_ceilometer_public_host*]
# (optional) Public Hostname or IP to connect to Ceilometer API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_admin_host*]
# (optional) Admin Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_public_host*]
# (optional) Public Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_nova_internal_host*]
# (optional) Internal Hostname or IP to connect to Nova API
# Defaults to '127.0.0.1'
#
# [*ks_nova_admin_host*]
# (optional) Admin Hostname or IP to connect to Nova API
# Defaults to '127.0.0.1'
#
# [*ks_nova_public_host*]
# (optional) Public Hostname or IP to connect to Nova API
# Defaults to '127.0.0.1'
#
# [*ks_cinder_internal_host*]
# (optional) Internal Hostname or IP to connect to Cinder API
# Defaults to '127.0.0.1'
#
# [*ks_cinder_admin_host*]
# (optional) Admin Hostname or IP to connect to Cinder API
# Defaults to '127.0.0.1'
#
# [*ks_cinder_public_host*]
# (optional) Public Hostname or IP to connect to Cinder API
# Defaults to '127.0.0.1'
#
# [*ks_trove_internal_host*]
# (optional) Internal Hostname or IP to connect to Trove API
# Defaults to '127.0.0.1'
#
# [*ks_trove_admin_host*]
# (optional) Admin Hostname or IP to connect to Trove API
# Defaults to '127.0.0.1'
#
# [*ks_trove_public_host*]
# (optional) Public Hostname or IP to connect to Trove API
# Defaults to '127.0.0.1'
#
# [*ks_neutron_internal_host*]
# (optional) Internal Hostname or IP to connect to Neutron API
# Defaults to '127.0.0.1'
#
# [*ks_neutron_admin_host*]
# (optional) Admin Hostname or IP to connect to Neutron API
# Defaults to '127.0.0.1'
#
# [*ks_neutron_public_host*]
# (optional) Public Hostname or IP to connect to Neutron API
# Defaults to '127.0.0.1'
#
# [*ks_heat_internal_host*]
# (optional) Internal Hostname or IP to connect to Heat API
# Defaults to '127.0.0.1'
#
# [*ks_heat_admin_host*]
# (optional) Admin Hostname or IP to connect to Heat API
# Defaults to '127.0.0.1'
#
# [*ks_heat_public_host*]
# (optional) Public Hostname or IP to connect to Heat API
# Defaults to '127.0.0.1'
#
# [*ks_swift_internal_host*]
# (optional) Internal Hostname or IP to connect to Swift API
# Defaults to '127.0.0.1'
#
# [*ks_swift_admin_host*]
# (optional) Admin Hostname or IP to connect to Swift API
# Defaults to '127.0.0.1'
#
# [*ks_swift_public_host*]
# (optional) Public Hostname or IP to connect to Swift API
# Defaults to '127.0.0.1'
#
# [*ks_trove_password*]
# (optional) Password used by Trove to connect to Keystone API
# Defaults to 'trovepassword'
#
# [*ks_ceilometer_password*]
# (optional) Password used by Ceilometer to connect to Keystone API
# Defaults to 'ceilometerpassword'
#
# [*ks_swift_password*]
# (optional) Password used by Swift to connect to Keystone API
# Defaults to 'swiftpassword'
#
# [*ks_nova_password*]
# (optional) Password used by Nova to connect to Keystone API
# Defaults to 'novapassword'
#
# [*ks_neutron_password*]
# (optional) Password used by Neutron to connect to Keystone API
# Defaults to 'neutronpassword'
#
# [*ks_heat_password*]
# (optional) Password used by Heat to connect to Keystone API
# Defaults to 'heatpassword'
#
# [*ks_glance_password*]
# (optional) Password used by Glance to connect to Keystone API
# Defaults to 'glancepassword'
#
# [*ks_cinder_password*]
# (optional) Password used by Cinder to connect to Keystone API
# Defaults to 'cinderpassword'
#
# [*ks_swift_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_swift_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_swift_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_ceilometer_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_ceilometer_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_ceilometer_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_heat_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_heat_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_heat_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_keystone_public_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_keystone_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_nova_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_nova_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_nova_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_neutron_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_neutron_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_neutron_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_trove_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_trove_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_trove_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_glance_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_glance_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_glance_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_cinder_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_cinder_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_cinder_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_ceilometer_public_port*]
# (optional) TCP port to connect to Ceilometer API from public network
# Defaults to '8777'
#
# [*ks_keystone_internal_port*]
# (optional) TCP port to connect to Keystone API from internal network
# Defaults to '5000'
#
# [*ks_keystone_public_port*]
# (optional) TCP port to connect to Keystone API from public network
# Defaults to '5000'
#
# [*ks_keystone_admin_port*]
# (optional) TCP port to connect to Keystone API from admin network
# Defaults to '35357'
#
# [*ks_swift_public_port*]
# (optional) TCP port to connect to Swift API from public network
# Defaults to '8080'
#
# [*ks_trove_public_port*]
# (optional) TCP port to connect to Trove API from public network
# Defaults to '8779'
#
# [*ks_nova_public_port*]
# (optional) TCP port to connect to Nova API from public network
# Defaults to '8774'
#
# [*ks_ec2_public_port*]
# (optional) TCP port to connect to EC2 API from public network
# Defaults to '8773'
#
# [*ks_swift_dispersion_password*]
# (optional) Password of the dispersion tenant, used for swift-dispersion-report
# and swift-dispersion-populate tools.
# Defaults to 'dispersion'
#
# [*ks_cinder_public_port*]
# (optional) TCP port to connect to Cinder API from public network
# Defaults to '8776'
#
# [*ks_neutron_public_port*]
# (optional) TCP port to connect to Neutron API from public network
# Defaults to '9696'
#
# [*ks_heat_public_port*]
# (optional) TCP port to connect to Heat API from public network
# Defaults to '8004'
#
# [*ks_heat_cfn_public_port*]
# (optional) TCP port to connect to Heat API from public network
# Defaults to '8000'
#
# [*ks_glance_api_public_port*]
# (optional) TCP port to connect to Glance API from public network
# Defaults to '9292'
#
# [*api_eth*]
# (optional) Which interface we bind the Keystone server.
# Defaults to '127.0.0.1'
#
# [*region*]
# (optional) OpenStack Region Name
# Defaults to 'RegionOne'
#
# [*verbose*]
# (optional) Set log output to verbose output
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*use_syslog*]
# (optional) Use syslog for logging
# Defaults to true
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*token_driver*]
# (optional) Driver to store tokens
# Defaults to 'keystone.token.persistence.backends.sql.Token'
#
# [*token_expiration*]
# (optional) Amount of time a token should remain valid (in seconds)
# Defaults to '3600' (1 hour)
#
# [*cinder_enabled*]
# (optional) Enable or not Cinder (Block Storage Service)
# Defaults to true
#
# [*trove_enabled*]
# (optional) Enable or not Trove (Database as a Service)
# Experimental feature.
# Defaults to false
#
# [*swift_enabled*]
# (optional) Enable or not OpenStack Swift (Stockage as a Service)
# Defaults to true
#
# [*ks_token_expiration*]
# (optional) Amount of time a token should remain valid (seconds).
# Defaults to 3600 (1 hour).
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::identity (
$swift_enabled = true,
$cinder_enabled = true,
$trove_enabled = false,
$identity_roles_addons = ['SwiftOperator', 'ResellerAdmin'],
$keystone_db_host = '127.0.0.1',
$keystone_db_user = 'keystone',
$keystone_db_password = 'keystonepassword',
$keystone_db_idle_timeout = 5000,
$memcache_servers = ['127.0.0.1:11211'],
$ks_admin_email = 'no-reply@keystone.openstack',
$ks_admin_password = 'adminpassword',
$ks_admin_tenant = 'admin',
$ks_admin_token = undef,
$ks_ceilometer_admin_host = '127.0.0.1',
$ks_ceilometer_internal_host = '127.0.0.1',
$ks_ceilometer_password = 'ceilometerpassword',
$ks_ceilometer_public_host = '127.0.0.1',
$ks_ceilometer_public_port = 8777,
$ks_ceilometer_public_proto = 'http',
$ks_ceilometer_admin_proto = 'http',
$ks_ceilometer_internal_proto = 'http',
$ks_cinder_admin_host = '127.0.0.1',
$ks_cinder_internal_host = '127.0.0.1',
$ks_cinder_password = 'cinderpassword',
$ks_cinder_public_host = '127.0.0.1',
$ks_cinder_public_proto = 'http',
$ks_cinder_admin_proto = 'http',
$ks_cinder_internal_proto = 'http',
$ks_cinder_public_port = 8776,
$ks_glance_admin_host = '127.0.0.1',
$ks_glance_internal_host = '127.0.0.1',
$ks_glance_password = 'glancepassword',
$ks_glance_public_host = '127.0.0.1',
$ks_glance_public_proto = 'http',
$ks_glance_internal_proto = 'http',
$ks_glance_admin_proto = 'http',
$ks_glance_api_public_port = 9292,
$ks_heat_admin_host = '127.0.0.1',
$ks_heat_internal_host = '127.0.0.1',
$ks_heat_password = 'heatpassword',
$ks_heat_public_host = '127.0.0.1',
$ks_heat_public_proto = 'http',
$ks_heat_admin_proto = 'http',
$ks_heat_internal_proto = 'http',
$ks_heat_public_port = 8004,
$ks_heat_cfn_public_port = 8000,
$ks_keystone_admin_host = '127.0.0.1',
$ks_keystone_admin_port = 35357,
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_port = 5000,
$ks_keystone_public_host = '127.0.0.1',
$ks_keystone_public_port = 5000,
$ks_keystone_public_proto = 'http',
$ks_neutron_admin_host = '127.0.0.1',
$ks_keystone_admin_proto = 'http',
$ks_keystone_internal_proto = 'http',
$ks_neutron_internal_host = '127.0.0.1',
$ks_neutron_password = 'neutronpassword',
$ks_neutron_public_host = '127.0.0.1',
$ks_neutron_public_proto = 'http',
$ks_neutron_admin_proto = 'http',
$ks_neutron_internal_proto = 'http',
$ks_neutron_public_port = 9696,
$ks_nova_admin_host = '127.0.0.1',
$ks_nova_internal_host = '127.0.0.1',
$ks_nova_password = 'novapassword',
$ks_nova_public_host = '127.0.0.1',
$ks_nova_public_proto = 'http',
$ks_nova_internal_proto = 'http',
$ks_nova_admin_proto = 'http',
$ks_nova_public_port = 8774,
$ks_ec2_public_port = 8773,
$ks_swift_dispersion_password = 'dispersion',
$ks_swift_internal_host = '127.0.0.1',
$ks_swift_admin_host = '127.0.0.1',
$ks_swift_password = 'swiftpassword',
$ks_swift_public_host = '127.0.0.1',
$ks_swift_public_port = 8080,
$ks_swift_public_proto = 'http',
$ks_swift_admin_proto = 'http',
$ks_swift_internal_proto = 'http',
$ks_trove_admin_host = '127.0.0.1',
$ks_trove_internal_host = '127.0.0.1',
$ks_trove_password = 'trovepassword',
$ks_trove_public_host = '127.0.0.1',
$ks_trove_public_port = 8779,
$ks_trove_public_proto = 'http',
$ks_trove_admin_proto = 'http',
$ks_trove_internal_proto = 'http',
$api_eth = '127.0.0.1',
$region = 'RegionOne',
$verbose = true,
$debug = true,
$log_facility = 'LOG_LOCAL0',
$use_syslog = true,
$ks_token_expiration = 3600,
$token_driver = 'keystone.token.persistence.backends.sql.Token',
$firewall_settings = {},
){
$encoded_user = uriescape($keystone_db_user)
$encoded_password = uriescape($keystone_db_password)
if $use_syslog {
$log_dir = false
$log_file = false
keystone_config {
'DEFAULT/logging_context_format_string': value => '%(process)d: %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s';
'DEFAULT/logging_default_format_string': value => '%(process)d: %(levelname)s %(name)s [-] %(instance)s%(message)s';
'DEFAULT/logging_debug_format_suffix': value => '%(funcName)s %(pathname)s:%(lineno)d';
'DEFAULT/logging_exception_prefix': value => '%(process)d: TRACE %(name)s %(instance)s';
}
} else {
$log_dir = '/var/log/keystone'
$log_file = 'keystone.log'
}
# Configure Keystone
class { 'keystone':
enabled => true,
admin_token => $ks_admin_token,
compute_port => $ks_nova_public_port,
debug => $debug,
database_idle_timeout => $keystone_db_idle_timeout,
log_facility => $log_facility,
database_connection => "mysql://${encoded_user}:${encoded_password}@${keystone_db_host}/keystone?charset=utf8",
token_provider => 'keystone.token.providers.uuid.Provider',
use_syslog => $use_syslog,
verbose => $verbose,
public_bind_host => $api_eth,
admin_bind_host => $api_eth,
log_dir => $log_dir,
log_file => $log_file,
public_port => $ks_keystone_public_port,
admin_port => $ks_keystone_admin_port,
token_driver => $token_driver,
token_expiration => $ks_token_expiration,
admin_endpoint => "${ks_keystone_admin_proto}://${ks_keystone_admin_host}:${ks_keystone_admin_port}/",
public_endpoint => "${ks_keystone_public_proto}://${ks_keystone_public_host}:${ks_keystone_public_port}/",
}
keystone_config {
'ec2/driver': value => 'keystone.contrib.ec2.backends.sql.Ec2';
}
# Keystone Endpoints + Users
class { 'keystone::roles::admin':
email => $ks_admin_email,
password => $ks_admin_password,
admin_tenant => $ks_admin_tenant,
}
keystone_role { $identity_roles_addons: ensure => present }
class {'keystone::endpoint':
public_url => "${ks_keystone_public_proto}://${ks_keystone_public_host}:${ks_keystone_public_port}",
internal_url => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:${ks_keystone_internal_port}",
admin_url => "${ks_keystone_admin_proto}://${ks_keystone_admin_host}:${ks_keystone_admin_port}",
region => $region,
}
# TODO(EmilienM) Disable WSGI - bug #98
#include 'apache'
# class {'keystone::wsgi::apache':
# servername => $::fqdn,
# admin_port => $ks_keystone_admin_port,
# public_port => $ks_keystone_public_port,
# # TODO(EmilienM) not sure workers is useful when using WSGI backend
# workers => $::processorcount,
# ssl => false
# }
if $swift_enabled {
class {'swift::keystone::auth':
password => $ks_swift_password,
public_address => $ks_swift_public_host,
public_port => $ks_swift_public_port,
public_protocol => $ks_swift_public_proto,
admin_protocol => $ks_swift_admin_proto,
internal_protocol => $ks_swift_internal_proto,
admin_address => $ks_swift_admin_host,
internal_address => $ks_swift_internal_host,
region => $region
}
class {'swift::keystone::dispersion':
auth_pass => $ks_swift_dispersion_password
}
}
class {'ceilometer::keystone::auth':
admin_address => $ks_ceilometer_admin_host,
internal_address => $ks_ceilometer_internal_host,
public_address => $ks_ceilometer_public_host,
public_protocol => $ks_ceilometer_public_proto,
admin_protocol => $ks_ceilometer_admin_proto,
internal_protocol => $ks_ceilometer_internal_proto,
port => $ks_ceilometer_public_port,
region => $region,
password => $ks_ceilometer_password
}
class { 'nova::keystone::auth':
admin_address => $ks_nova_admin_host,
internal_address => $ks_nova_internal_host,
public_address => $ks_nova_public_host,
compute_port => $ks_nova_public_port,
public_protocol => $ks_nova_public_proto,
admin_protocol => $ks_nova_admin_proto,
internal_protocol => $ks_nova_internal_proto,
ec2_port => $ks_ec2_public_port,
region => $region,
password => $ks_nova_password
}
class { 'neutron::keystone::auth':
admin_address => $ks_neutron_admin_host,
internal_address => $ks_neutron_internal_host,
public_address => $ks_neutron_public_host,
public_protocol => $ks_neutron_public_proto,
internal_protocol => $ks_neutron_internal_proto,
admin_protocol => $ks_neutron_admin_proto,
port => $ks_neutron_public_port,
region => $region,
password => $ks_neutron_password
}
if $cinder_enabled {
class { 'cinder::keystone::auth':
admin_address => $ks_cinder_admin_host,
internal_address => $ks_cinder_internal_host,
public_address => $ks_cinder_public_host,
port => $ks_cinder_public_port,
public_protocol => $ks_cinder_public_proto,
admin_protocol => $ks_cinder_admin_proto,
internal_protocol => $ks_cinder_internal_proto,
region => $region,
password => $ks_cinder_password
}
}
class { 'glance::keystone::auth':
admin_address => $ks_glance_admin_host,
internal_address => $ks_glance_internal_host,
public_address => $ks_glance_public_host,
port => $ks_glance_api_public_port,
public_protocol => $ks_glance_public_proto,
internal_protocol => $ks_glance_internal_proto,
admin_protocol => $ks_glance_admin_proto,
region => $region,
password => $ks_glance_password
}
class { 'heat::keystone::auth':
admin_address => $ks_heat_admin_host,
internal_address => $ks_heat_internal_host,
public_address => $ks_heat_public_host,
port => $ks_heat_public_port,
public_protocol => $ks_heat_public_proto,
internal_protocol => $ks_heat_internal_proto,
admin_protocol => $ks_heat_admin_proto,
region => $region,
password => $ks_heat_password
}
class { 'heat::keystone::auth_cfn':
admin_address => $ks_heat_admin_host,
internal_address => $ks_heat_internal_host,
public_address => $ks_heat_public_host,
port => $ks_heat_cfn_public_port,
public_protocol => $ks_heat_public_proto,
internal_protocol => $ks_heat_internal_proto,
admin_protocol => $ks_heat_admin_proto,
region => $region,
password => $ks_heat_password
}
if $trove_enabled {
class {'trove::keystone::auth':
admin_address => $ks_trove_admin_host,
internal_address => $ks_trove_internal_host,
public_address => $ks_trove_public_host,
public_protocol => $ks_trove_public_proto,
admin_protocol => $ks_trove_admin_proto,
internal_protocol => $ks_trove_internal_proto,
port => $ks_trove_public_port,
region => $region,
password => $ks_trove_password
}
}
# Purge expored tokens every days at midnight
class { 'keystone::cron::token_flush': }
# Note(EmilienM):
# We check if DB tables are created, if not we populate Keystone DB.
# It's a hack to fit with our setup where we run MySQL/Galera
# TODO(Goneri)
# We have to do this only on the primary node of the galera cluster to avoid race condition
# https://github.com/enovance/puppet-openstack-cloud/issues/156
exec {'keystone_db_sync':
command => 'keystone-manage db_sync',
path => '/usr/bin',
user => 'keystone',
unless => "/usr/bin/mysql keystone -h ${keystone_db_host} -u ${encoded_user} -p${encoded_password} -e \"show tables\" | /bin/grep Tables"
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow keystone access':
port => $ks_keystone_public_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow keystone admin access':
port => $ks_keystone_admin_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-keystone_api":
listening_service => 'keystone_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_keystone_public_port,
options => 'check inter 2000 rise 2 fall 5'
}
@@haproxy::balancermember{"${::fqdn}-keystone_api_admin":
listening_service => 'keystone_api_admin_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_keystone_admin_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
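Review bot: the `unless` check of `exec {'keystone_db_sync'}` (`unless => "/usr/bin/mysql keystone -h ${keystone_db_host} -u ${encoded_user} -p${encoded_password} -e \"show tables\" ..."`) puts the Keystone database password on the mysql command line, where any local user can read it through `ps` or `/proc/<pid>/cmdline` and where it lands in the Puppet log and report if the command fails; it also reuses `$encoded_user`/`$encoded_password`, which were `uriescape`d for the SQLAlchemy URL in `database_connection`, so a password containing URL-reserved characters (`@`, `%`, `/`) reaches mysql in escaped form, the check never matches and `keystone-manage db_sync` re-runs on every agent run. Pass the raw value through `environment => ["MYSQL_PWD=${keystone_db_password}"]` (or a mode 0600 `--defaults-extra-file`) and keep the escaped copies only for the connection string. Two smaller points in the same hunk: every `ks_*_password` defaults to a guessable literal (`'adminpassword'`, `'novapassword'`, `'glancepassword'`, ...) and `$debug = true`, so a deployment that forgets to override them ships with known credentials and debug logging and deserves at least a warning; and the doc comment for each `*_internal_proto` parameter reads "Protocol for public endpoint", a copy-paste error that should say "internal".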


@ -1,306 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::image::api
#
# Install API Image Server (Glance API)
#
# === Parameters:
#
# [*glance_db_host*]
# (optional) Hostname or IP address to connect to glance database
# Defaults to '127.0.0.1'
#
# [*glance_db_user*]
# (optional) Username to connect to glance database
# Defaults to 'glance'
#
# [*glance_db_password*]
# (optional) Password to connect to glance database
# Defaults to 'glancepassword'
#
# [*glance_db_idle_timeout*]
# (optional) Timeout before idle SQL connections are reaped.
# Defaults to 5000
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_glance_internal_host*]
# (optional) Internal Hostname or IP to connect to Glance
# Defaults to '127.0.0.1'
#
# [*ks_glance_api_internal_port*]
# (optional) TCP port to connect to Glance API from internal network
# Defaults to '9292'
#
# [*ks_glance_registry_internal_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_glance_registry_internal_port*]
# (optional) TCP port to connect to Glance Registry from internal network
# Defaults to '9191'
#
# [*ks_glance_password*]
# (optional) Password used by Glance to connect to Keystone API
# Defaults to 'glancepassword'
#
# [*rabbit_host*]
# (optional) IP or Hostname of one RabbitMQ server.
# Defaults to '127.0.0.1'
#
# [*rabbit_password*]
# (optional) Password to connect to glance queue.
# Defaults to 'rabbitpassword'
#
# [*api_eth*]
# (optional) Which interface we bind the Glance API server.
# Defaults to '127.0.0.1'
#
# [*openstack_vip*]
# (optional) Hostname of IP used to connect to Glance registry
# Defaults to '127.0.0.1'
#
# [*glance_rbd_pool*]
# (optional) Name of the Ceph pool which which store the glance images
# Defaults to 'images'
#
# [*glance_rbd_user*]
# (optional) User name used to acces to the glance rbd pool
# Defaults to 'glance'
#
# [*verbose*]
# (optional) Set log output to verbose output
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*use_syslog*]
# (optional) Use syslog for logging
# Defaults to true
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*backend*]
# (optionnal) Backend to use to store images
# Can be 'rbd', 'file', 'nfs' or 'swift'
# Defaults to 'rbd'
#
# [*known_stores*]
# (optionnal) Tell to Glance API which backends can be used
# Can be 'rbd', 'http', 'file', or and 'swift'.
# Should be an array.
# Defaults to ['rbd', 'http']
#
# [*filesystem_store_datadir*]
# (optional) Full path of data directory to store the images.
# Defaults to '/var/lib/glance/images/'
#
# [*nfs_device*]
# (optionnal) NFS device to mount
# Example: 'nfs.example.com:/vol1'
# Required when running 'nfs' backend.
# Defaults to false
#
# [*nfs_options*]
# (optional) NFS mount options
# Example: 'nfsvers=3,noacl'
# Defaults to 'defaults'
#
# [*pipeline*]
# (optional) Partial name of a pipeline in your paste configuration file with the
# service name removed.
# Defaults to 'keystone'.
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::image::api(
$glance_db_host = '127.0.0.1',
$glance_db_user = 'glance',
$glance_db_password = 'glancepassword',
$glance_db_idle_timeout = 5000,
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_proto = 'http',
$ks_glance_internal_host = '127.0.0.1',
$ks_glance_api_internal_port = '9292',
$ks_glance_registry_internal_port = '9191',
$ks_glance_registry_internal_proto = 'http',
$ks_glance_password = 'glancepassword',
$rabbit_password = 'rabbit_password',
$rabbit_host = '127.0.0.1',
$api_eth = '127.0.0.1',
$openstack_vip = '127.0.0.1',
$glance_rbd_pool = 'images',
$glance_rbd_user = 'glance',
$verbose = true,
$debug = true,
$log_facility = 'LOG_LOCAL0',
$use_syslog = true,
$backend = 'rbd',
$known_stores = ['rbd', 'http'],
$filesystem_store_datadir = '/var/lib/glance/images/',
$nfs_device = false,
$nfs_options = 'defaults',
$pipeline = 'keystone',
$firewall_settings = {},
) {
# Disable twice logging if syslog is enabled
if $use_syslog {
$log_dir = false
$log_file_api = false
$log_file_registry = false
glance_api_config {
'DEFAULT/logging_context_format_string': value => '%(process)d: %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s';
'DEFAULT/logging_default_format_string': value => '%(process)d: %(levelname)s %(name)s [-] %(instance)s%(message)s';
'DEFAULT/logging_debug_format_suffix': value => '%(funcName)s %(pathname)s:%(lineno)d';
'DEFAULT/logging_exception_prefix': value => '%(process)d: TRACE %(name)s %(instance)s';
}
} else {
$log_dir = '/var/log/glance'
$log_file_api = '/var/log/glance/api.log'
$log_file_registry = '/var/log/glance/registry.log'
}
$encoded_glance_user = uriescape($glance_db_user)
$encoded_glance_password = uriescape($glance_db_password)
class { 'glance::api':
database_connection => "mysql://${encoded_glance_user}:${encoded_glance_password}@${glance_db_host}/glance?charset=utf8",
database_idle_timeout => $glance_db_idle_timeout,
mysql_module => '2.2',
registry_host => $openstack_vip,
registry_port => $ks_glance_registry_internal_port,
verbose => $verbose,
debug => $debug,
auth_host => $ks_keystone_internal_host,
auth_protocol => $ks_keystone_internal_proto,
registry_client_protocol => $ks_glance_registry_internal_proto,
keystone_password => $ks_glance_password,
keystone_tenant => 'services',
keystone_user => 'glance',
show_image_direct_url => true,
log_dir => $log_dir,
log_file => $log_file_api,
log_facility => $log_facility,
bind_host => $api_eth,
bind_port => $ks_glance_api_internal_port,
use_syslog => $use_syslog,
pipeline => 'keystone',
known_stores => $known_stores,
}
# TODO(EmilienM) Disabled for now
# Follow-up: https://github.com/enovance/puppet-openstack-cloud/issues/160
#
# class { 'glance::notify::rabbitmq':
# rabbit_password => $rabbit_password,
# rabbit_userid => 'glance',
# rabbit_host => $rabbit_host,
# }
glance_api_config {
'DEFAULT/notifier_driver': value => 'noop';
# TODO(EmilienM) Drop this line when https://review.openstack.org/#/c/133521/ has been merged.
'keystone_authtoken/identity_uri': value => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:35357";
}
if ($backend == 'rbd') {
class { 'glance::backend::rbd':
rbd_store_user => $glance_rbd_user,
rbd_store_pool => $glance_rbd_pool
}
Ceph::Key <<| title == $glance_rbd_user |>> ->
file { '/etc/ceph/ceph.client.glance.keyring':
owner => 'glance',
group => 'glance',
mode => '0400',
require => Ceph::Key[$glance_rbd_user],
notify => Service['glance-api','glance-registry']
}
Concat::Fragment <<| title == 'ceph-client-os' |>>
} elsif ($backend == 'file') {
class { 'glance::backend::file':
filesystem_store_datadir => $filesystem_store_datadir
}
} elsif ($backend == 'swift') {
class { 'glance::backend::swift':
swift_store_user => 'services:glance',
swift_store_key => $ks_glance_password,
swift_store_auth_address => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:35357/v2.0/",
swift_store_create_container_on_put => true,
}
} elsif ($backend == 'nfs') {
# There is no NFS backend in Glance.
# We mount the NFS share in filesystem_store_datadir to fake the
# backend.
if $nfs_device {
file { $filesystem_store_datadir:
ensure => 'directory',
owner => 'glance',
group => 'glance',
mode => '0755'
} ->
class { 'glance::backend::file':
filesystem_store_datadir => $filesystem_store_datadir
}
$nfs_mount = {
"${filesystem_store_datadir}" => {
'ensure' => 'mounted',
'fstype' => 'nfs',
'device' => $nfs_device,
'options' => $nfs_options
}
}
ensure_resource('class', 'nfs', {})
create_resources('types::mount', $nfs_mount, {require => File[$filesystem_store_datadir]})
} else {
fail('When running NFS backend, you need to provide nfs_device parameter.')
}
} else {
fail("${backend} is not a Glance supported backend.")
}
class { 'glance::cache::cleaner': }
class { 'glance::cache::pruner': }
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow glance-api access':
port => $ks_glance_api_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-glance_api":
listening_service => 'glance_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_glance_api_internal_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
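Review bot: `$pipeline` is documented and declared (default `'keystone'`) but the `glance::api` declaration passes the literal `pipeline => 'keystone'`, so the parameter is dead and cannot select another paste pipeline; pass `pipeline => $pipeline`. In the same hunk the rbd branch hard-codes the keyring path `/etc/ceph/ceph.client.glance.keyring` while the key is collected and required by `$glance_rbd_user`, so any non-default user leaves the `file` resource pointing at a keyring that is never written; build the path from the parameter (`"/etc/ceph/ceph.client.${glance_rbd_user}.keyring"`). Two security caveats worth a comment: `show_image_direct_url => true` returns backend locations such as `rbd://...` to every API client, which Glance's own sample configuration flags as a risk; and both `keystone_authtoken/identity_uri` and `swift_store_auth_address` hard-code port 35357 (the admin endpoint) instead of using the `$ks_keystone_*` parameters, so a deployment with a non-default admin port, or one that keeps 35357 off the internal network, breaks silently.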


@ -1,166 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::image::registry
#
# Install Registry Image Server (Glance Registry)
#
# === Parameters:
#
# [*glance_db_host*]
# (optional) Hostname or IP address to connect to glance database
# Defaults to '127.0.0.1'
#
# [*glance_db_user*]
# (optional) Username to connect to glance database
# Defaults to 'glance'
#
# [*glance_db_password*]
# (optional) Password to connect to glance database
# Defaults to 'glancepassword'
#
# [*glance_db_idle_timeout*]
# (optional) Timeout before idle SQL connections are reaped.
# Defaults 5000
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_glance_internal_host*]
# (optional) Internal Hostname or IP to connect to Glance
# Defaults to '127.0.0.1'
#
# [*ks_glance_registry_internal_port*]
# (optional) TCP port to connect to Glance Registry from internal network
# Defaults to '9191'
#
# [*ks_glance_password*]
# (optional) Password used by Glance to connect to Keystone API
# Defaults to 'glancepassword'
#
# [*api_eth*]
# (optional) Which interface we bind the Glance API server.
# Defaults to '127.0.0.1'
#
# [*verbose*]
# (optional) Set log output to verbose output
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*use_syslog*]
# (optional) Use syslog for logging
# Defaults to true
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::image::registry(
$glance_db_host = '127.0.0.1',
$glance_db_user = 'glance',
$glance_db_password = 'glancepassword',
$glance_db_idle_timeout = 5000,
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_proto = 'http',
$ks_glance_internal_host = '127.0.0.1',
$ks_glance_registry_internal_port = '9191',
$ks_glance_password = 'glancepassword',
$api_eth = '127.0.0.1',
$verbose = true,
$debug = true,
$log_facility = 'LOG_LOCAL0',
$use_syslog = true,
$firewall_settings = {},
) {
# Disable twice logging if syslog is enabled
if $use_syslog {
$log_dir = false
$log_file_api = false
$log_file_registry = false
glance_registry_config {
'DEFAULT/logging_context_format_string': value => '%(process)d: %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s';
'DEFAULT/logging_default_format_string': value => '%(process)d: %(levelname)s %(name)s [-] %(instance)s%(message)s';
'DEFAULT/logging_debug_format_suffix': value => '%(funcName)s %(pathname)s:%(lineno)d';
'DEFAULT/logging_exception_prefix': value => '%(process)d: TRACE %(name)s %(instance)s';
}
} else {
$log_dir = '/var/log/glance'
$log_file_api = '/var/log/glance/api.log'
$log_file_registry = '/var/log/glance/registry.log'
}
$encoded_glance_user = uriescape($glance_db_user)
$encoded_glance_password = uriescape($glance_db_password)
class { 'glance::registry':
database_connection => "mysql://${encoded_glance_user}:${encoded_glance_password}@${glance_db_host}/glance?charset=utf8",
database_idle_timeout => $glance_db_idle_timeout,
mysql_module => '2.2',
verbose => $verbose,
debug => $debug,
auth_host => $ks_keystone_internal_host,
auth_protocol => $ks_keystone_internal_proto,
keystone_password => $ks_glance_password,
keystone_tenant => 'services',
keystone_user => 'glance',
bind_host => $api_eth,
log_dir => $log_dir,
log_file => $log_file_registry,
bind_port => $ks_glance_registry_internal_port,
use_syslog => $use_syslog,
log_facility => $log_facility,
}
glance_registry_config {
# TODO(EmilienM) Drop this line when https://review.openstack.org/#/c/133521/ been merged.
'keystone_authtoken/identity_uri': value => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:35357";
}
exec {'glance_db_sync':
command => 'glance-manage db_sync',
user => 'glance',
path => '/usr/bin',
unless => "/usr/bin/mysql glance -h ${glance_db_host} -u ${encoded_glance_user} -p${encoded_glance_password} -e \"show tables\" | /bin/grep Tables"
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow glance-registry access':
port => $ks_glance_registry_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-glance_registry":
listening_service => 'glance_registry_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_glance_registry_internal_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
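Review bot: the `unless` command of `exec {'glance_db_sync'}` passes the database password on the mysql command line (`-p${encoded_glance_password}`), where it is readable by every local user through the process table and can be echoed into Puppet's logs when the check fails; a fork that keeps this class after the retirement should hand the credential to the client through a mode 0600 `--defaults-extra-file` or the `MYSQL_PWD` environment variable on the exec instead. The check also uses the `uriescape`d user and password, which are only correct inside the `database_connection` URL: a password containing any character that `uriescape` rewrites makes the `unless` fail every run and `db_sync` re-execute on each agent run. The `TODO(EmilienM)` for review 133521 stays open with this deletion and needs tracking elsewhere if the `identity_uri` override is still needed.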


@ -1,253 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud
#
# Installs the system requirements
#
# === Parameters:
#
# [*rhn_registration*]
# (optional) The RedHat network authentication token
# Defaults to undef
#
# [*root_password*]
# (optional) Unix root password
# Defaults to 'root'
#
# [*dns_ips*]
# (optional) Hostname or IP of the Domain Name Server (dns) used
# Should by an array.
# Defaults to google public dns ['8.8.8.8', '8.8.4.4']
#
# [*site_domain*]
# (optional) Domain name (used for search and domain fields
# of resolv.conf configuration file
# Defaults to 'mydomain'
#
# [*motd_title*]
# (optional) A string used in the top of the server's motd
# Defaults to 'eNovance IT Operations'
#
# [*selinux_mode*]
# (optional) SELinux mode the system should be in
# Defaults to 'permissive'
# Possible values : disabled, permissive, enforcing
#
# [*selinux_directory*]
# (optional) Path where to find the SELinux modules
# Defaults to '/usr/share/selinux'
#
# [*selinux_booleans*]
# (optional) Set of booleans to persistently enables
# SELinux booleans are the one getsebool -a returns
# Defaults []
# Example: ['rsync_full_access', 'haproxy_connect_any']
#
# [*selinux_modules*]
# (optional) Set of modules to load on the system
# Defaults []
# Example: ['module1', 'module2']
# Note: Those module should be in the $directory path
#
# [*limits*]
# (optional) Set of limits to set in /etc/security/limits.d/
# Defaults {}
# Example:
# {
# 'mysql_nofile' => {
# 'ensure' => 'present',
# 'user' => 'mysql',
# 'limit_type' => 'nofile',
# 'both' => '16384',
# },
# }
#
# [*sysctl*]
# (optional) Set of sysctl values to set.
# Defaults {}
# Example:
# {
# 'net.ipv4.ip_forward' => {
# 'value' => '1',
# },
# 'net.ipv6.conf.all.forwarding => {
# 'value' => '1',
# },
# }
#
# [*manage_firewall*]
# (optional) Completely enable or disable firewall settings
# (false means disabled, and true means enabled)
# Defaults to false
#
# [*firewall_rules*]
# (optional) Allow to add custom firewall rules
# Should be an hash.
# Default to {}
#
# [*purge_firewall_rules*]
# (optional) Boolean, purge all firewall resources
# Defaults to false
#
# [*firewall_pre_extras*]
# (optional) Allow to add custom parameters to firewall rules (pre stage)
# Should be an hash.
# Default to {}
#
# [*firewall_post_extras*]
# (optional) Allow to add custom parameters to firewall rules (post stage)
# Should be an hash.
# Default to {}
#
class cloud(
$rhn_registration = undef,
$root_password = 'root',
$dns_ips = ['8.8.8.8', '8.8.4.4'],
$site_domain = 'mydomain',
$motd_title = 'eNovance IT Operations',
$selinux_mode = 'permissive',
$selinux_directory = '/usr/share/selinux',
$selinux_booleans = [],
$selinux_modules = [],
$limits = {},
$sysctl = {},
$manage_firewall = false,
$firewall_rules = {},
$purge_firewall_rules = false,
$firewall_pre_extras = {},
$firewall_post_extras = {},
) {
include ::stdlib
if ! ($::osfamily in [ 'RedHat', 'Debian' ]) {
fail("OS family unsuppored yet (${::osfamily}), module puppet-openstack-cloud only support RedHat or Debian")
}
# motd
file
{
'/etc/motd':
ensure => file,
mode => '0644',
content => "
############################################################################
# ${motd_title} #
############################################################################
# #
# *** RESTRICTED ACCESS *** #
# Only the authorized users may access this system. #
# Any attempted unauthorized access or any action affecting this computer #
# system is punishable by the law of local country. #
# #
############################################################################
This node is under the control of Puppet ${::puppetversion}.
";
}
# DNS
class { 'dnsclient':
nameservers => $dns_ips,
domain => $site_domain
}
# Sudo
include ::sudo
include ::sudo::configs
# NTP
include ::ntp
# Security Limits
include ::limits
create_resources('limits::limits', $limits)
# sysctl values
include ::sysctl::base
create_resources('sysctl::value', $sysctl)
# SELinux
if $::osfamily == 'RedHat' {
class {'cloud::selinux' :
mode => $selinux_mode,
booleans => $selinux_booleans,
modules => $selinux_modules,
directory => $selinux_directory,
stage => 'setup',
}
}
# Strong root password for all servers
user { 'root':
ensure => 'present',
gid => '0',
password => $root_password,
uid => '0',
}
$cron_service_name = $::osfamily ? {
'RedHat' => 'crond',
default => 'cron',
}
service { 'cron':
ensure => running,
name => $cron_service_name,
enable => true
}
if $::osfamily == 'RedHat' and $rhn_registration {
create_resources('rhn_register', {
"rhn-${::hostname}" => $rhn_registration
} )
}
if $manage_firewall {
# Only purges IPv4 rules
if $purge_firewall_rules {
resources { 'firewall':
purge => true
}
}
# anyone can add your own rules
# example with Hiera:
#
# cloud::firewall::rules:
# '300 allow custom application 1':
# port: 999
# proto: udp
# action: accept
# '301 allow custom application 2':
# port: 8081
# proto: tcp
# action: accept
#
create_resources('cloud::firewall::rule', $firewall_rules)
ensure_resource('class', 'cloud::firewall::pre', {
'firewall_settings' => $firewall_pre_extras,
'stage' => 'setup',
})
ensure_resource('class', 'cloud::firewall::post', {
'stage' => 'runtime',
'firewall_settings' => $firewall_post_extras,
})
}
}
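Review bot: the Hiera example under `# anyone can add your own rules` uses the key `cloud::firewall::rules:`, but the parameter it feeds is `$firewall_rules` of class `cloud`, whose automatic lookup key is `cloud::firewall_rules`; data written as in the example is silently ignored and no custom rule is created. The `[*root_password*]` doc ("Unix root password", default `'root'`) is also misleading: `user { 'root': password => $root_password }` takes the value in the system's hashed shadow format, so the documentation should state that a hash is expected and the `# Strong root password for all servers` comment should not sit above a plain-text default. The `fail()` message still reads "unsuppored".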


@ -1,24 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::install::puppetdb::config
#
# Configure the puppetdb connection
#
class cloud::install::puppetdb::config {
include ::puppetdb::master::config
}


@ -1,41 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::install::puppetdb::server
#
# Configure the puppetdb server
#
class cloud::install::puppetdb::server {
include ::puppetdb
include ::apache
apache::vhost { 'puppetdb' :
docroot => '/tmp',
ssl => true,
ssl_cert => '/etc/puppet/ssl/puppetdb.pem',
ssl_key => '/etc/puppet/ssl/puppetdb.pem',
port => '8081',
servername => $::fqdn,
proxy_pass => [
{
'path' => '/',
'url' => 'http://localhost:8080/'
}
],
require => Class['::puppetdb'],
}
}
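Review bot: the `apache::vhost { 'puppetdb' }` terminates TLS on 8081 and proxies `/` to PuppetDB on `localhost:8080` with nothing verifying the client (`ssl_ca` and `ssl_verify_client` are not set), so the mutual-TLS check PuppetDB normally enforces is bypassed for anyone who can reach 8081 and the facts, catalogs and command API become readable and writable over the proxy; a fork keeping this vhost should require client certificates signed by the Puppet CA. `docroot => '/tmp'` also points the document root at a world-writable directory; it is never served while the `/` proxy covers everything, but a dedicated empty directory (for example `/var/www/puppetdb`, a hypothetical path) removes the dependency on that.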

File diff suppressed because it is too large Load Diff


@ -1,79 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Author: Emilien Macchi <emilien.macchi@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Define: cloud::loadbalancer::binding
#
define cloud::loadbalancer::binding (
$ip,
$port,
$httpchk = undef,
$options = undef,
$bind_options = undef,
$firewall_settings = {},
){
include cloud::loadbalancer
# join all VIP together
$vip_public_ip_array = any2array($::cloud::loadbalancer::vip_public_ip)
$vip_internal_ip_array = any2array($::cloud::loadbalancer::vip_internal_ip)
if $::cloud::loadbalancer::vip_public_ip and $::cloud::loadbalancer::vip_internal_ip {
$all_vip_array = union($vip_public_ip_array, $vip_internal_ip_array)
}
if $::cloud::loadbalancer::vip_public_ip and ! $::cloud::loadbalancer::vip_internal_ip {
$all_vip_array = $vip_public_ip_array
}
if ! $::cloud::loadbalancer::vip_public_ip and $::cloud::loadbalancer::vip_internal_ip {
$all_vip_array = $vip_internal_ip_array
}
if ! $::cloud::loadbalancer::vip_internal_ip and ! $::cloud::loadbalancer::vip_public_ip {
fail('vip_public_ip and vip_internal_ip are both set to false, no binding is possible.')
}
# when we do not want binding
if ($ip == false) {
notice("no HAproxy binding for ${name} has been enabled.")
} else {
# when we want both internal & public binding
if ($ip == true) {
$listen_ip_real = $all_vip_array
} else {
# when binding is specified in parameter
if (member($all_vip_array, $ip)) {
$listen_ip_real = $ip
} else {
fail("${ip} is not part of VIP pools.")
}
}
cloud::loadbalancer::listen_http { $name :
ports => $port,
httpchk => $httpchk,
options => $options,
listen_ip => $listen_ip_real,
bind_options => $bind_options;
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ "100 allow ${name} binding access":
port => $port,
extras => $firewall_settings,
}
}
}
}
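Review bot: `cloud::loadbalancer::binding` is the only definition in this change with no `=== Parameters:` block, and `$ip` carries three meanings that are only discoverable from the inline comments (`false` disables the binding, `true` binds on every VIP in `$all_vip_array`, a string must be a `member()` of that array); documenting the parameters, and noting that a list of several VIPs is not accepted by the `member()` check, would make the `fail("${ip} is not part of VIP pools.")` path understandable to operators.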


@ -1,45 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Define::
#
# cloud::loadbalancer::listen_http
#
define cloud::loadbalancer::listen_http(
$ports = 'unset',
$httpchk = 'httpchk',
$options = {},
$bind_options = [],
$listen_ip = ['0.0.0.0']) {
$options_basic = {'mode' => 'http',
'balance' => 'roundrobin',
'option' => ['tcpka', 'forwardfor', 'tcplog', $httpchk] }
$options_custom = merge($options_basic, $options)
if $options_custom['mode'] == 'http' {
$final_options = merge($options_custom, { 'http-check' => 'expect ! rstatus ^5' })
} else {
$final_options = $options_custom
}
haproxy::listen { $name:
ipaddress => $listen_ip,
ports => $ports,
options => $final_options,
bind_options => $bind_options,
}
}


@ -1,24 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::logging
#
# Configure common logging
#
class cloud::logging{
include ::fluentd
}


@ -1,73 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::logging::agent
#
# Configure logging agent
#
# === Parameters:
#
# [*syslog_enable*]
# (optional) Enable the configuration of rsyslog
# Defaults to false
#
# [*sources*]
# (optional) Fluentd sources
# Defaults to empty hash
#
# [*matches*]
# (optional) Fluentd matches
# Defaults to empty hash
#
# [*plugins*]
# (optional) Fluentd plugins to install
# Defaults to empty hash
#
# [*logrotate_rule*]
# (optional) A log rotate rule for the logging agent
# Defaults to empty hash
#
class cloud::logging::agent(
$syslog_enable = false,
$sources = {},
$matches = {},
$plugins = {},
$logrotate_rule = $cloud::params::logging_agent_logrotate_rule,
) inherits cloud::params {
include cloud::logging
if $syslog_enable {
include rsyslog::client
}
file { '/var/db':
ensure => directory,
} ->
file { '/var/db/td-agent':
ensure => 'directory',
owner => 'td-agent',
group => 'td-agent',
require => Class['fluentd'],
}
ensure_resource('fluentd::configfile', keys($sources))
ensure_resource('fluentd::configfile', keys($matches))
create_resources('fluentd::source', $sources, {'require' => 'File[/var/db/td-agent]', 'notify' => 'Service[td-agent]'})
create_resources('fluentd::match', $matches, {'notify' => 'Service[td-agent]'})
create_resources('fluentd::install_plugin', $plugins)
create_resources('logrotate::rule', $logrotate_rule)
}


@ -1,65 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::logging::server
#
# [*kibana_port*]
# (optional) Port of Kibana service.
# Defaults to '8300'
#
# [*kibana_bind_ip*]
# (optional) Address on which kibana is listening on
# Defaults to '127.0.0.1'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::logging::server(
$kibana_port = '8300',
$kibana_bind_ip = '127.0.0.1',
$firewall_settings = {},
) {
Class['cloud::database::nosql::elasticsearch'] -> Class['kibana3']
Class['cloud::database::nosql::elasticsearch'] -> Class['cloud::logging::agent']
include ::kibana3
include cloud::database::nosql::elasticsearch
include cloud::logging::agent
# Elasticsearch 1.4 ships with a security setting that prevents Kibana from connecting.
# We need to allow http cors in fluentd instance.
elasticsearch::instance {'fluentd' :
config => { 'http' => { 'cors.enabled' => true } }
}
@@haproxy::balancermember{"${::fqdn}-kibana":
listening_service => 'kibana',
server_names => $::hostname,
ipaddresses => $kibana_bind_ip,
ports => $kibana_port,
options => 'check inter 2000 rise 2 fall 5'
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow kibana access':
port => $kibana_port,
extras => $firewall_settings,
}
}
}
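Review bot: `elasticsearch::instance {'fluentd': config => { 'http' => { 'cors.enabled' => true } } }` re-enables CORS without restricting `http.cors.allow-origin`, so the Elasticsearch 1.4 hardening the comment refers to is undone for every origin rather than only for Kibana's; the config hash should set `cors.allow-origin` to the Kibana URL (the `kibana_bind_ip`/`kibana_port` pair this class already knows) next to `cors.enabled`.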


@ -1,182 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::messaging
#
# Install Messsaging Server (RabbitMQ)
#
# === Parameters:
#
# [*rabbit_names*]
# (optional) List of RabbitMQ servers. Should be an array.
# Defaults to $::hostname
#
# [*rabbit_password*]
# (optional) Password to connect to OpenStack queues.
# Defaults to 'rabbitpassword'
#
# [*cluster_node_type*]
# (optional) Store the queues on the disc or in the RAM.
# Could be set to 'disk' or 'ram'.
# Defaults to 'disc'
#
# [*cluster_count*]
# (optional) Queue is mirrored to count nodes in the cluster.
# If there are less than count nodes in the cluster, the queue
# is mirrored to all nodes. If there are more than count nodes
# in the cluster, and a node containing a mirror goes down,
# then a new mirror will be created on another node.
# If a value is set, RabbitMQ policy will be 'exactly'.
# Otherwise, undef will set the policy to 'all' by default.
# To enable this feature, you need 'haproxy_binding' to true.
# Defaults to undef
#
# [*haproxy_binding*]
# (optional) Enable or not HAproxy binding for load-balancing.
# Defaults to false
#
# [*rabbitmq_ip*]
# (optional) IP address of RabbitMQ interface.
# Required when using HAproxy binding.
# Defaults to $::ipaddress
#
# [*rabbitmq_port*]
# (optional) Port of RabbitMQ service.
# Defaults to '5672'
#
# [*erlang_cookie*]
# (required) Erlang cookie to use.
# When running a cluster, this value should be the same for all
# the nodes.
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::messaging(
$erlang_cookie,
$cluster_node_type = 'disc',
$cluster_count = undef,
$rabbit_names = $::hostname,
$rabbit_password = 'rabbitpassword',
$haproxy_binding = false,
$rabbitmq_ip = $::ipaddress,
$rabbitmq_port = '5672',
$firewall_settings = {},
){
# we ensure having an array
$array_rabbit_names = any2array($rabbit_names)
Class['rabbitmq'] -> Rabbitmq_vhost <<| |>>
Class['rabbitmq'] -> Rabbitmq_user <<| |>>
Class['rabbitmq'] -> Rabbitmq_user_permissions <<| |>>
# Packaging issue: https://bugzilla.redhat.com/show_bug.cgi?id=1033305
if $::osfamily == 'RedHat' {
$package_provider = 'yum'
file {'/usr/sbin/rabbitmq-plugins':
ensure => link,
target => '/usr/lib/rabbitmq/bin/rabbitmq-plugins'
}
file {'/usr/sbin/rabbitmq-env':
ensure => link,
target => '/usr/lib/rabbitmq/bin/rabbitmq-env'
}
}
else {
$package_provider = $rabbitmq::params::package_provider
}
class { 'rabbitmq':
delete_guest_user => true,
config_cluster => true,
cluster_nodes => $array_rabbit_names,
wipe_db_on_cookie_change => true,
cluster_node_type => $cluster_node_type,
node_ip_address => $rabbitmq_ip,
port => $rabbitmq_port,
erlang_cookie => $erlang_cookie,
package_provider => $package_provider,
}
rabbitmq_vhost { ['/', '/sensu']:
provider => 'rabbitmqctl',
require => Class['rabbitmq'],
}
rabbitmq_user { ['nova','glance','neutron','cinder','ceilometer','heat','trove', 'sensu']:
admin => true,
password => $rabbit_password,
provider => 'rabbitmqctl',
require => Class['rabbitmq']
}
rabbitmq_user_permissions {[
'nova@/',
'glance@/',
'neutron@/',
'cinder@/',
'ceilometer@/',
'heat@/',
'trove@/',
'sensu@/sensu',
]:
configure_permission => '.*',
write_permission => '.*',
read_permission => '.*',
provider => 'rabbitmqctl',
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow rabbitmq access':
port => $rabbitmq_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow rabbitmq management access':
port => '55672',
extras => $firewall_settings,
}
}
if $haproxy_binding {
if $cluster_count {
$policy_name = "ha-exactly-${cluster_count}@/"
$definition = {
'ha-mode' => 'exactly',
'ha-params' => $cluster_count,
}
} else {
$policy_name = 'ha-all@/'
$definition = {
'ha-mode' => 'all',
}
}
rabbitmq_policy { $policy_name:
pattern => '^(?!amq\.).*',
definition => $definition,
}
@@haproxy::balancermember{"${::fqdn}-rabbitmq":
listening_service => 'rabbitmq_cluster',
server_names => $::hostname,
ipaddresses => $rabbitmq_ip,
ports => $rabbitmq_port,
options => 'check inter 5s rise 2 fall 3'
}
}
}
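Review bot: the `rabbitmq_user` resource gives every service account (`nova` through `sensu`) `admin => true` and the single shared `$rabbit_password`, and `rabbitmq_user_permissions` then grants `.*` configure/write/read on the vhost, so one leaked service credential is a full broker administrator for all projects; least privilege here is a password per service and no administrator tag, since vhost permissions are all the services need. The `'100 allow rabbitmq management access'` rule additionally opens 55672 whenever `manage_firewall` is on although nothing in this class enables the management plugin, so it should be conditional on that plugin being configured.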


@ -1,21 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
class cloud::monitoring::agent::sensu {
Package['sensu'] -> Sensu::Plugin <<| |>>
include ::sensu
}


@ -1,134 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# [*checks*]
# (optionnal) Hash of checks and their respective options
# Defaults to {}.
# Example :
# $checks = {
# 'ntp' => {
# 'command' => '/etc/sensu/plugins/check-ntp.sh'},
# 'http' => {
# 'command' => '/etc/sensu/plugins/check-http.sh'},
# }
#
# [*handlers*]
# (optionnal) Hash of handlers and their respective options
# Defaults to {}.
# Example :
# $handlers = {
# 'mail' => {
# 'command' => 'mail -s "Sensu Alert" contact@example.com'},
# }
#
# [*plugins*]
# (optionnal) Hash of handlers and their respective options
# Defaults to {}.
# Example :
# $plugins = {
# 'http://www.example.com/ntp.sh' => {
# 'type' => 'url',
# 'install_path' => '/etc/sensu/plugins',
# }
# }
#
# [*manage_sensu_plugins*]
# (optionnal) A boolean that determines if the Sensu plugins resources should be exported
# from this node
# Defaults to 'false'
#
# [*sensu_api_ip*]
# (optionnal) IP address to bind the sensu_api to
# Defaults to '%{::ipaddress}'
#
# [*sensu_api_port*]
# (optionnal) Port to bind the sensu_api to
# Defaults to '4568'
#
# [*uchiwa_ip*]
# (optionnal) IP address to bind uchiwa to
# Defaults to '%{::ipaddress}'
#
# [*uchiwa_port*]
# (optionnal) Port to bind uchiwa to
# Defaults to '3000'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::monitoring::server::sensu (
$checks = {},
$handlers = {},
$plugins = {},
$manage_sensu_plugins = false,
$sensu_api_ip = $::ipaddress,
$sensu_api_port = '4568',
$uchiwa_ip = $::ipaddress,
$uchiwa_port = '3000',
$firewall_settings = {},
) {
include cloud::params
Service['sensu-api'] -> Service['uchiwa']
Service['sensu-server'] -> Service['uchiwa']
Service['sensu-server'] -> Sensu::Plugin <<| |>>
include cloud::monitoring::agent::sensu
create_resources('sensu::check', $checks)
create_resources('sensu::handler', $handlers)
if $manage_sensu_plugins {
create_resources('@@sensu::plugin', $plugins)
}
include ::uchiwa
uchiwa::api { 'OpenStack' :
host => $sensu_api_ip,
port => $sensu_api_port,
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow sensu_dashboard access':
port => $uchiwa_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow sensu_api access':
port => $sensu_api_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-sensu_dashboard":
listening_service => 'sensu_dashboard',
server_names => $::hostname,
ipaddresses => $uchiwa_ip,
ports => $uchiwa_port,
options => 'check inter 2000 rise 2 fall 5'
}
@@haproxy::balancermember{"${::fqdn}-sensu_api":
listening_service => 'sensu_api',
server_names => $::hostname,
ipaddresses => $sensu_api_ip,
ports => $sensu_api_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
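Review bot: the `[*plugins*]` doc block says "Hash of handlers" (copied from the `handlers` entry) and its example installs `http://www.example.com/ntp.sh` into `/etc/sensu/plugins` with `'type' => 'url'`, i.e. a check script fetched over plain HTTP with no integrity check, which is then exported to every agent via `create_resources('@@sensu::plugin', $plugins)`; the example should use an https source and a checksum if the sensu module's plugin resource accepts one, and the doc text should say "Hash of plugins". `(optionnal)` is also misspelled on every parameter in this header.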


@ -1,124 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network
#
# Common class for network nodes
#
# === Parameters:
#
# [*rabbit_hosts*]
# (optional) List of RabbitMQ servers. Should be an array.
# Defaults to ['127.0.0.1:5672']
#
# [*rabbit_password*]
# (optional) Password to connect to nova queues.
# Defaults to 'rabbitpassword'
#
# [*verbose*]
# (optional) Set log output to verbose output
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*api_eth*]
# (optional) Which interface we bind the Neutron API server.
# Defaults to '127.0.0.1'
#
# [*use_syslog*]
# (optional) Use syslog for logging
# Defaults to true
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*dhcp_lease_duration*]
# (optional) DHCP Lease duration (in seconds)
# Defaults to '120'
#
# [*plugin*]
# (optional) Neutron plugin name
# Supported values: 'ml2', 'n1kv', 'opencontrail'.
# Defaults to 'ml2'
#
# [*service_plugins*]
# (optional) List of service plugin entrypoints to be loaded from the neutron
# service_plugins namespace
# Defaults to ['neutron.services.loadbalancer.plugin.LoadBalancerPlugin','neutron.services.metering.metering_plugin.MeteringPlugin','neutron.services.l3_router.l3_router_plugin.L3RouterPlugin']
#
class cloud::network(
$verbose = true,
$debug = true,
$rabbit_hosts = ['127.0.0.1:5672'],
$rabbit_password = 'rabbitpassword',
$api_eth = '127.0.0.1',
$use_syslog = true,
$log_facility = 'LOG_LOCAL0',
$dhcp_lease_duration = '120',
$plugin = 'ml2',
$service_plugins = ['neutron.services.loadbalancer.plugin.LoadBalancerPlugin','neutron.services.metering.metering_plugin.MeteringPlugin','neutron.services.l3_router.l3_router_plugin.L3RouterPlugin'],
) {
# Disable twice logging if syslog is enabled
if $use_syslog {
$log_dir = false
neutron_config {
'DEFAULT/logging_context_format_string': value => '%(process)d: %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s';
'DEFAULT/logging_default_format_string': value => '%(process)d: %(levelname)s %(name)s [-] %(instance)s%(message)s';
'DEFAULT/logging_debug_format_suffix': value => '%(funcName)s %(pathname)s:%(lineno)d';
'DEFAULT/logging_exception_prefix': value => '%(process)d: TRACE %(name)s %(instance)s';
}
} else {
$log_dir = '/var/log/neutron'
}
case $plugin {
'ml2': {
$core_plugin = 'neutron.plugins.ml2.plugin.Ml2Plugin'
}
'n1kv': {
$core_plugin = 'neutron.plugins.cisco.network_plugin.PluginV2'
}
'opencontrail': {
$core_plugin = 'neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2'
}
default: {
fail("${plugin} plugin is not supported.")
}
}
class { 'neutron':
allow_overlapping_ips => true,
verbose => $verbose,
debug => $debug,
rabbit_user => 'neutron',
rabbit_hosts => $rabbit_hosts,
rabbit_password => $rabbit_password,
rabbit_virtual_host => '/',
bind_host => $api_eth,
log_facility => $log_facility,
use_syslog => $use_syslog,
dhcp_agents_per_network => '2',
core_plugin => $core_plugin,
service_plugins => $service_plugins,
log_dir => $log_dir,
dhcp_lease_duration => $dhcp_lease_duration,
report_interval => '30',
}
}


@ -1,59 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network::contrail::analytics
#
# Install a Contrail analytics node
#
# === Parameters:
#
# [*bind_ip*]
# (optional) Address on which the Contrail analytics api is listening on
# Defaults to '127.0.0.1'
#
# [*port*]
# (optional) Port where Contrail analytics api is bound to
# Used for firewall purpose.
# Default to 8081
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::contrail::analytics (
$bind_ip = '127.0.0.1',
$port = 8081,
$firewall_settings = {},
){
include ::contrail::analytics
@@haproxy::balancermember{"${::fqdn}-contrail-analytics-api":
listening_service => 'contrail_analytics_api',
server_names => $::hostname,
ipaddresses => $bind_ip,
ports => $port,
options => 'check inter 2000 rise 2 fall 5'
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow contrail analytics access':
port => [$port, '8086'],
extras => $firewall_settings,
}
}
}


@ -1,78 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network::contrail::config
#
# Install a Contrail config node
#
# === Parameters:
#
# [*api_bind_ip*]
# (optional) Address on which the Contrail config api is listening on
# Defaults to '127.0.0.1'
#
# [*discovery_bind_ip*]
# (optional) Address on which the Contrail discovery is listening on
# Defaults to '127.0.0.1'
#
# [*api_port*]
# (optional) Port where Contrail config api is bound to
# Used for firewall purpose.
# Default to 9100
#
# [*discovery_port*]
# (optional) Port where Contrail discovery is bound to
# Used for firewall purpose.
# Default to 9110
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::contrail::config (
$api_bind_ip = '127.0.0.1',
$discovery_bind_ip = '127.0.0.1',
$api_port = 9100,
$discovery_port = 9110,
$firewall_settings = {},
){
include ::contrail::config
@@haproxy::balancermember{"${::fqdn}-contrail-config-api":
listening_service => 'contrail_config_api',
server_names => $::hostname,
ipaddresses => $api_bind_ip,
ports => $api_port,
options => 'check inter 2000 rise 2 fall 5'
}
@@haproxy::balancermember{"${::fqdn}-contrail-config-discovery":
listening_service => 'contrail_config_discovery',
server_names => $::hostname,
ipaddresses => $discovery_bind_ip,
ports => $discovery_port,
options => 'check inter 2000 rise 2 fall 5'
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow contrail config access':
port => ['8443', '8087', '8088', $discovery_port, $api_port],
extras => $firewall_settings,
}
}
}
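Review bot: `port => ['8443', '8087', '8088', $discovery_port, $api_port]` opens three hardcoded ports that neither a parameter nor the doc comments describe, and the two parameterized ports default to 9100 and 9110 while the matching `cloud::network::contrail::haproxy` frontends default to 8082 and 5998; if the backend ports are meant to differ from the VIP ports, a sentence in the `[*api_port*]`/`[*discovery_port*]` docs saying so would stop operators from opening the wrong ports. Moot once the file is deleted, but worth noting for forks.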


@ -1,40 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network::contrail::control
#
# Install a Contrail control node
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::contrail::control (
$firewall_settings = {},
){
include ::contrail::control
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow contrail control access':
port => ['8083', '5269', '8092', '8093'],
extras => $firewall_settings,
}
}
}
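Review bot: the rule `port => ['8083', '5269', '8092', '8093']` opens four hardcoded ports with no parameter and no comment saying which service listens on each, unlike the sibling classes that at least parameterize their main port; a documented `$ports` parameter would keep the exposed surface reviewable.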


@ -1,46 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network::contrail::database
#
# Install a Contrail database node
#
# === Parameters:
#
# [*port*]
# (optional) Port where Kafka is bound to
# Used for firewall purpose.
# Default to 9042
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::contrail::database (
$port = 9042,
$firewall_settings = {},
){
include ::contrail::database
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow contrail database access':
port => $port,
extras => $firewall_settings,
}
}
}
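Review bot: the `[*port*]` doc comment says "Port where Kafka is bound to", but the default 9042 is Cassandra's native CQL port, not Kafka's; either the comment or the default is wrong, and because the firewall rule opens exactly `$port`, an operator trusting the comment would believe Kafka is reachable when it is not. Fix the comment to say Cassandra, or add a separately documented Kafka port parameter.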


@ -1,183 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network::contrail::haproxy
#
# Create the haproxy stanzas for Contrail related services
#
# === Parameters:
#
# [*contrail_analytics_api*]
# (optional) Enable or not Contrail analytics api public binding.
# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false.
# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options.
# If set to false, no binding will be configure
# Defaults to false
#
# [*contrail_config_api*]
# (optional) Enable or not Contrail config api binding.
# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false.
# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options.
# If set to false, no binding will be configure.
# Defaults to false
#
# [*contrail_config_discovery*]
# (optional) Enable or not Contrail discoverybinding.
# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false.
# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options.
# If set to false, no binding will be configure.
# Defaults to false
#
# [*contrail_webui_http*]
# (optional) Enable or not Contrail webui http binding.
# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false.
# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options.
# If set to false, no binding will be configure.
# Defaults to true
#
# [*contrail_webui_https*]
# (optional) Enable or not Contrail webui https binding.
# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false.
# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options.
# If set to false, no binding will be configure
# Defaults to true
#
# [*contrail_analytics_api_bind_options*]
# (optional) A hash of options that are inserted into the HAproxy listening
# service configuration block.
# Defaults to []
#
# [*contrail_config_api_bind_options*]
# (optional) A hash of options that are inserted into the HAproxy listening
# service configuration block.
# Defaults to []
#
# [*contrail_config_discovery_bind_options*]
# (optional) A hash of options that are inserted into the HAproxy listening
# service configuration block.
# Defaults to []
#
# [*contrail_webui_http_bind_options*]
# (optional) A hash of options that are inserted into the HAproxy listening
# service configuration block.
# Defaults to []
#
# [*contrail_webui_https_bind_options*]
# (optional) A hash of options that are inserted into the HAproxy listening
# service configuration block.
# Defaults to []
#
# [*contrail_analytics_api_port*]
# (optional) TCP port to connect to Contrail analytics api from public network
# Defaults to '8081'
#
# [*contrail_config_api_port*]
# (optional) TCP port to connect to Contrail config api from public network
# Defaults to '8082'
#
# [*contrail_config_discovery_port*]
# (optional) TCP port to connect to Contrail discovery from public network
# Defaults to '5998'
#
# [*contrail_webui_http_port*]
# (optional) TCP port to connect to Contrail webui http from public network
# Defaults to '8079'
#
# [*contrail_webui_https_port*]
# (optional) TCP port to connect to Contrail webui https from public network
# Defaults to '8143'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::contrail::haproxy (
$contrail_analytics_api = false,
$contrail_config_api = false,
$contrail_config_discovery = false,
$contrail_webui_http = false,
$contrail_webui_https = false,
$contrail_analytics_api_bind_options = [],
$contrail_config_api_bind_options = [],
$contrail_config_discovery_bind_options = [],
$contrail_webui_http_bind_options = [],
$contrail_webui_https_bind_options = [],
$contrail_analytics_api_port = 8081,
$contrail_config_api_port = 8082,
$contrail_config_discovery_port = 5998,
$contrail_webui_http_port = 8079,
$contrail_webui_https_port = 8143,
$firewall_settings = {},
){
cloud::loadbalancer::binding { 'contrail_analytics_api':
ip => $contrail_analytics_api,
port => $contrail_analytics_api_port,
bind_options => $contrail_analytics_api_bind_options,
firewall_settings => $firewall_settings,
options => {
'balance' => 'roundrobin',
'option' => ['nolinger', 'tcp-check'],
'default-server' => 'error-limit 1 on-error mark-down',
},
}
cloud::loadbalancer::binding { 'contrail_config_api':
ip => $contrail_config_api,
port => $contrail_config_api_port,
bind_options => $contrail_config_api_bind_options,
firewall_settings => $firewall_settings,
options => {
'balance' => 'roundrobin',
'option' => ['nolinger'],
},
}
cloud::loadbalancer::binding { 'contrail_config_discovery':
ip => $contrail_config_discovery,
port => $contrail_config_discovery_port,
bind_options => $contrail_config_discovery_bind_options,
firewall_settings => $firewall_settings,
options => {
'balance' => 'roundrobin',
'option' => ['nolinger'],
},
}
cloud::loadbalancer::binding { 'contrail_webui_http':
ip => $contrail_webui_http,
port => $contrail_webui_http_port,
bind_options => $contrail_webui_http_bind_options,
firewall_settings => $firewall_settings,
options => {
'balance' => 'source',
},
}
cloud::loadbalancer::binding { 'contrail_webui_https':
ip => $contrail_webui_https,
port => $contrail_webui_https_port,
bind_options => $contrail_webui_https_bind_options,
httpchk => 'ssl-hello-chk',
firewall_settings => $firewall_settings,
options => {
'mode' => 'tcp',
'balance' => 'source',
'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
}
}
}
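Review bot: in the `contrail_webui_https` binding, `'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }'` sits inside a `'mode' => 'tcp'` listener, where `reqadd` is an HTTP-mode directive that HAProxy warns about and ignores, and `ssl_fc` would only be true if HAProxy terminated TLS itself, which with `ssl-hello-chk` passthrough it does not; drop the `reqadd`, or terminate TLS at HAProxy if the header is actually needed. Also the `*_bind_options` docs say "A hash of options" while every default is `[]`, and the `contrail_webui_http`/`contrail_webui_https` docs say "Defaults to true" while the code defaults both to `false`; make the comments match the code.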


@ -1,79 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network::contrail::rabbitmq
#
# This resource creates RabbitMQ resources for Contrail
#
# == Parameters:
#
# [*user*]
# (optional) The username to use when connecting to Rabbit
# Defaults to 'contrail'
#
# [*password*]
# (optional) The password to use when connecting to Rabbit
# Defaults to 'contrailpassword'
#
# [*vhost*]
# (optional) The virtual host to use when connecting to Rabbit
# Defaults to '/'
#
# [*is_admin*]
# (optional) If the user should be admin or not
# Defaults to true
#
# [*configure_permission*]
# (optional) Define configure permission
# Defaults to '.*'
#
# [*write_permission*]
# (optional) Define write permission
# Defaults to '.*'
#
# [*read_permission*]
# (optional) Define read permission
# Defaults to '.*'
#
class cloud::network::contrail::rabbitmq (
$user = 'contrail',
$password = 'contrailpassword',
$vhost = '/',
$is_admin = true,
$configure_permission = '.*',
$write_permission = '.*',
$read_permission = '.*',
) {
rabbitmq_user { $user :
admin => $is_admin,
password => $password,
provider => 'rabbitmqctl',
}
if !defined(Rabbitmq_vhost[$vhost]) {
rabbitmq_vhost { $vhost :
provider => 'rabbitmqctl',
}
}
rabbitmq_user_permissions { "${user}@${vhost}" :
configure_permission => $configure_permission,
write_permission => $write_permission,
read_permission => $read_permission,
provider => 'rabbitmqctl',
}
}
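Review bot: the defaults create an administrator user (`$is_admin = true`) with a published password (`'contrailpassword'`) and `.*` configure/write/read permissions on the `/` vhost, so an unmodified `include` yields a well-known admin credential on the broker shared with the rest of the cloud. Give `$password` no default (or `fail` when it is unset), default `$is_admin` to `false` since a client that only publishes and consumes does not need the administrator tag, and default `$vhost` to a dedicated vhost rather than `/`.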


@ -1,27 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network::contrail::vrouter
#
# Install a Contrail vrouter agent on the node
#
# === Parameters:
#
class cloud::network::contrail::vrouter (
){
include ::contrail::vrouter
}


@ -1,78 +0,0 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network::contrail::webui
#
# Install a Contrail webui node
#
# === Parameters:
#
# [*http_bind_ip*]
# (optional) Address on which the Contrail webui http service is listening on
# Defaults to '127.0.0.1'
#
# [*https_bind_ip*]
# (optional) Address on which the Contrail webui https service is listening on
# Defaults to '127.0.0.1'
#
# [*http_port*]
# (optional) Port where Contrail webui http service is bound to
# Used for firewall purpose.
# Default to 9100
#
# [*https_port*]
# (optional) Port where Contrail webui https is bound to
# Used for firewall purpose.
# Default to 9110
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::contrail::webui (
$http_bind_ip = '127.0.0.1',
$https_bind_ip = '127.0.0.1',
$http_port = 8080,
$https_port = 8143,
$firewall_settings = {},
){
include ::contrail::webui
@@haproxy::balancermember{"${::fqdn}-contrail-webui-http":
listening_service => 'contrail_webui_http',
server_names => $::hostname,
ipaddresses => $http_bind_ip,
ports => $http_port,
options => 'check inter 2000 rise 2 fall 5'
}
@@haproxy::balancermember{"${::fqdn}-contrail-webui-https":
listening_service => 'contrail_webui_https',
server_names => $::hostname,
ipaddresses => $https_bind_ip,
ports => $https_port,
options => 'check inter 2000 rise 2 fall 5'
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow contrail webui access':
port => [$http_port, $https_port],
extras => $firewall_settings,
}
}
}
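Review bot: the `[*http_port*]` and `[*https_port*]` doc comments say the defaults are 9100 and 9110 (copied from the config class), but the code defaults to 8080 and 8143; since both the exported balancermembers and the firewall rule use these values, fix the comments to match the code so operators open the right ports.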


@ -1,366 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Network Controller node (API + Scheduler)
#
# === Parameters:
#
# [*neutron_db_host*]
# (optional) Host where user should be allowed all privileges for database.
# Defaults to 127.0.0.1
#
# [*neutron_db_user*]
# (optional) Name of neutron DB user.
# Defaults to trove
#
# [*neutron_db_password*]
# (optional) Password that will be used for the neutron db user.
# Defaults to 'neutronpassword'
#
# [*neutron_db_idle_timeout*]
# (optional) Timeout before idle SQL connections are reaped.
# Defaults to 5000
#
# [*ks_neutron_password*]
# (optional) Password used by Neutron to connect to Keystone API
# Defaults to 'neutronpassword'
#
# [*ks_keystone_admin_host*]
# (optional) Admin Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_keystone_public_port*]
# (optional) TCP port to connect to Keystone API from public network
# Defaults to '5000'
#
# [*ks_neutron_public_port*]
# (optional) TCP port to connect to Neutron API from public network
# Defaults to '9696'
#
# [*api_eth*]
# (optional) Which interface we bind the Neutron server.
# Defaults to '127.0.0.1'
#
# [*ks_admin_tenant*]
# (optional) Admin tenant name in Keystone
# Defaults to 'admin'
#
# [*nova_url*]
# (optional) URL for connection to nova (Only supports one nova region
# currently).
# Defaults to 'http://127.0.0.1:8774/v2'
#
# [*nova_admin_auth_url*]
# (optional) Authorization URL for connection to nova in admin context.
# Defaults to 'http://127.0.0.1:5000/v2.0'
#
# [*nova_admin_username*]
# (optional) Username for connection to nova in admin context
# Defaults to 'nova'
#
# [*nova_admin_tenant_name*]
# (optional) The name of the admin nova tenant
# Defaults to 'services'
#
# [*nova_admin_password*]
# (optional) Password for connection to nova in admin context.
# Defaults to 'novapassword'
#
# [*nova_region_name*]
# (optional) Name of nova region to use. Useful if keystone manages more than
# one region.
# Defaults to 'RegionOne'
#
# [*manage_ext_network*]
# (optionnal) Manage or not external network with provider network API
# Defaults to false.
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
# [*tenant_network_types*]
# (optional) Handled tenant network types
# Defaults to ['gre']
# Possible value ['local', 'flat', 'vlan', 'gre', 'vxlan']
#
# [*type_drivers*]
# (optional) Drivers to load
# Defaults to ['gre', 'vlan', 'flat']
# Possible value ['local', 'flat', 'vlan', 'gre', 'vxlan']
#
# [*plugin*]
# (optional) Neutron plugin name
# Supported values: 'ml2', 'n1kv', 'opencontrail'.
# Defaults to 'ml2'
#
# [*l3_ha*]
# (optional) Enable L3 agent HA
# Defaults to false.
#
# [*router_distributed*]
# (optional) Create distributed tenant routers by default
# Right now, DVR is not compatible with l3_ha
# Defaults to false
#
# [*ks_keystone_admin_port*]
# (optional) TCP port to connect to Keystone API from admin network
# Defaults to '35357'
#
# [*ks_keystone_admin_user*]
# (optional) Admin user to connect to Keystone API
# Defaults to 'admin'
#
# [*ks_keystone_admin_password*]
# (optional) Password for admin user to connect to Keystone API
# Defaults to 'password'
#
# [*ks_keystone_admin_token*]
# (optional) Token to connect to Keystone API as admin user
# Defaults to undef
#
# [*provider_vlan_ranges*]
# (optionnal) VLAN range for provider networks
# Defaults to ['physnet1:1000:2999']
#
# [*flat_networks*]
# (optionnal) List of physical_network names with which flat networks
# can be created. Use * to allow flat networks with arbitrary
# physical_network names.
# Should be an array.
# Default to ['public'].
#
# [*n1kv_vsm_ip*]
# (required) N1KV VSM (Virtual Supervisor Module) VM's IP.
# Defaults to 127.0.0.1
#
# [*n1kv_vsm_password*]
# (required) N1KV VSM (Virtual Supervisor Module) password.
# Defaults to secrete
#
# [*tunnel_id_ranges*]
# (optional) GRE tunnel id ranges. used by he ml2 plugin
# List of colon-separated id ranges
# Defaults to ['1:10000']
#
# [*vni_ranges*]
# (optional) VxLan Network ID range. used by the ml2 plugin
# List of colon-separated id ranges
# Defaults to ['1:10000']
#
# [*contrail_api_server_ip*]
# (optional) IP address of the Contrail API
# Defaults to 127.0.0.1
#
# [*contrail_api_server_port*]
# (optional) Port of the Contrail API
# Defaults to 8082
#
# [*contrail_multi_tenancy*]
# (optional) Should Contrail support multi tenancy
# Boolean.
# Defaults to true
#
# [*contrail_extensions*]
# (optional) Array of extensions enabled for Contrail
# Array of extensions
# Defaults to ['']
#
# [*mechanism_drivers*]
# (optional) Neutron mechanism drivers to run
# List of drivers.
# Note: if l3-ha is True, do not include l2population (not compatible in Juno).
# Defaults to ['linuxbridge', 'openvswitch','l2population']
#
class cloud::network::controller(
$neutron_db_host = '127.0.0.1',
$neutron_db_user = 'neutron',
$neutron_db_password = 'neutronpassword',
$neutron_db_idle_timeout = 5000,
$ks_neutron_password = 'neutronpassword',
$ks_keystone_admin_host = '127.0.0.1',
$ks_keystone_admin_proto = 'http',
$ks_keystone_admin_port = 35357,
$ks_keystone_admin_user = 'admin',
$ks_admin_tenant = 'admin',
$ks_keystone_admin_password = 'password',
$ks_keystone_admin_token = undef,
$ks_keystone_public_port = 5000,
$ks_neutron_public_port = 9696,
$api_eth = '127.0.0.1',
$nova_url = 'http://127.0.0.1:8774/v2',
$nova_admin_auth_url = 'http://127.0.0.1:5000/v2.0',
$nova_admin_username = 'nova',
$nova_admin_tenant_name = 'services',
$nova_admin_password = 'novapassword',
$nova_region_name = 'RegionOne',
$manage_ext_network = false,
$firewall_settings = {},
$flat_networks = ['public'],
$tenant_network_types = ['gre'],
$type_drivers = ['gre', 'vlan', 'flat'],
$provider_vlan_ranges = ['physnet1:1000:2999'],
$plugin = 'ml2',
$mechanism_drivers = ['linuxbridge', 'openvswitch','l2population'],
$l3_ha = false,
$router_distributed = false,
# only needed by cisco n1kv plugin
$n1kv_vsm_ip = '127.0.0.1',
$n1kv_vsm_password = 'secrete',
# only needed by ml2 plugin
$tunnel_id_ranges = ['1:10000'],
$vni_ranges = ['1:10000'],
# only needed by opencontrail plugin
$contrail_api_server_ip = '127.0.0.1',
$contrail_api_server_port = '8082',
$contrail_multi_tenancy = true,
$contrail_extensions = [''],
) {
include 'cloud::network'
include ::neutron::quota
$encoded_user = uriescape($neutron_db_user)
$encoded_password = uriescape($neutron_db_password)
if $l3_ha and $router_distributed {
fail 'l3_ha and router_distributed are mutually exclusive, only one of them can be set to true'
}
validate_array($mechanism_drivers)
if $l3_ha and member($mechanism_drivers, 'l2population') {
fail 'l3_ha does not work with l2population mechanism driver in Juno.'
}
class { 'neutron::server':
auth_password => $ks_neutron_password,
auth_host => $ks_keystone_admin_host,
auth_protocol => $ks_keystone_admin_proto,
auth_port => $ks_keystone_public_port,
database_connection => "mysql://${encoded_user}:${encoded_password}@${neutron_db_host}/neutron?charset=utf8",
database_idle_timeout => $neutron_db_idle_timeout,
mysql_module => '2.2',
api_workers => $::processorcount,
agent_down_time => '60',
l3_ha => $l3_ha,
router_distributed => $router_distributed,
}
case $plugin {
'ml2': {
$core_plugin = 'neutron.plugins.ml2.plugin.Ml2Plugin'
class { 'neutron::plugins::ml2':
type_drivers => $type_drivers,
tenant_network_types => $tenant_network_types,
network_vlan_ranges => $provider_vlan_ranges,
tunnel_id_ranges => $tunnel_id_ranges,
vni_ranges => $vni_ranges,
flat_networks => $flat_networks,
mechanism_drivers => $mechanism_drivers,
enable_security_group => true
}
}
'n1kv': {
$core_plugin = 'neutron.plugins.cisco.network_plugin.PluginV2'
class { 'neuton::plugins::cisco':
database_user => $neutron_db_user,
database_password => $neutron_db_password,
database_host => $neutron_db_host,
keystone_auth_url => "${ks_keystone_admin_proto}://${ks_keystone_admin_host}:${ks_keystone_admin_port}/v2.0/",
keystone_password => $ks_neutron_password,
vswitch_plugin => 'neutron.plugins.cisco.n1kv.n1kv_neutron_plugin.N1kvNeutronPluginV2',
}
neutron_plugin_cisco {
'securitygroup/firewall_driver': value => 'neutron.agent.firewall.NoopFirewallDriver';
"N1KV:${n1kv_vsm_ip}/username": value => 'admin';
"N1KV:${n1kv_vsm_ip}/password": value => $n1kv_vsm_password;
# TODO (EmilienM) not sure about this one:
'database/connection': value => "mysql://${neutron_db_user}:${neutron_db_password}@${neutron_db_host}/neutron";
}
}
'opencontrail': {
$core_plugin = 'neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2'
class { 'neutron::plugins::opencontrail':
api_server_ip => $contrail_api_server_ip ,
api_server_port => $contrail_api_server_port,
multi_tenancy => $contrail_multi_tenancy,
contrail_extensions => $contrail_extensions,
keystone_auth_url => "${ks_keystone_admin_proto}://${ks_keystone_admin_host}:${ks_keystone_admin_port}/v2.0/",
keystone_admin_user => $ks_keystone_admin_user,
keystone_admin_tenant_name => $ks_admin_tenant,
keystone_admin_password => $ks_keystone_admin_password,
keystone_admin_token => $ks_keystone_admin_token,
}
}
default: {
fail("${plugin} plugin is not supported.")
}
}
class { 'neutron::server::notifications':
nova_url => $nova_url,
nova_admin_auth_url => $nova_admin_auth_url,
nova_admin_username => $nova_admin_username,
nova_admin_tenant_name => $nova_admin_tenant_name,
nova_admin_password => $nova_admin_password,
nova_region_name => $nova_region_name
}
if $manage_ext_network {
neutron_network {'public':
provider_network_type => 'flat',
provider_physical_network => 'public',
shared => true,
router_external => true
}
}
# Note(EmilienM):
# We check if DB tables are created, if not we populate Neutron DB.
# It's a hack to fit with our setup where we run MySQL/Galera
Neutron_config<| |> ->
exec {'neutron_db_sync':
command => 'neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head',
path => '/usr/bin',
user => 'neutron',
unless => "/usr/bin/mysql neutron -h ${neutron_db_host} -u ${encoded_user} -p${encoded_password} -e \"show tables\" | /bin/grep Tables",
require => 'Neutron_config[DEFAULT/service_plugins]',
notify => Service['neutron-server']
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow neutron-server access':
port => $ks_neutron_public_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-neutron_api":
listening_service => 'neutron_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_neutron_public_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
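Review bot: the `'n1kv'` branch declares `class { 'neuton::plugins::cisco': ... }`, a misspelling of `neutron::plugins::cisco`, so the catalog fails to compile for anyone setting `$plugin = 'n1kv'`; the same branch builds `database/connection` from the raw `$neutron_db_user`/`$neutron_db_password` instead of the `uriescape`d values used for `neutron::server`. Separately, the `neutron_db_sync` exec's `unless` passes the DB password on the mysql command line (`-p${encoded_password}`), where it is visible to every local user via `ps`, and it passes the URI-escaped form, which is wrong for any password containing characters `uriescape` rewrites; pass the plain password through `environment => ["MYSQL_PWD=${neutron_db_password}"]` or a defaults-extra-file instead. Minor: the `[*neutron_db_user*]` doc says "Defaults to trove" while the code defaults to `'neutron'`.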


@ -1,87 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class:
#
# Network DHCP node
#
# === Parameters:
#
# [*veth_mtu*]
# (optional) Enforce the default virtual interface MTU (option 26)
# Defaults to 1500
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*dnsmasq_dns_servers*]
# (optional) An array of DNS IP used to configure Virtual server resolver
# Defaults to false
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::dhcp(
$veth_mtu = 1500,
$debug = true,
$dnsmasq_dns_servers = false,
$firewall_settings = {},
) {
include 'cloud::network'
include 'cloud::network::vswitch'
class { 'neutron::agents::dhcp':
debug => $debug,
dnsmasq_config_file => '/etc/neutron/dnsmasq-neutron.conf',
enable_isolated_metadata => true
}
if $dnsmasq_dns_servers {
neutron_dhcp_agent_config { 'DEFAULT/dnsmasq_dns_servers':
value => join($dnsmasq_dns_servers, ',')
}
} else {
neutron_dhcp_agent_config { 'DEFAULT/dnsmasq_dns_servers':
ensure => absent
}
}
file { '/etc/neutron/dnsmasq-neutron.conf':
content => template('cloud/network/dnsmasq-neutron.conf.erb'),
owner => 'root',
mode => '0755',
group => 'root',
notify => Service['neutron-dhcp-agent']
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow dhcp in access':
port => '67',
proto => 'udp',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow dhcp out access':
port => '68',
proto => 'udp',
chain => 'OUTPUT',
extras => $firewall_settings,
}
}
}
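Review bot: `/etc/neutron/dnsmasq-neutron.conf` is installed with `mode => '0755'`; a dnsmasq config file needs no execute bit, and nothing else in this class treats it as a script. Use `'0644'`, or `'0640'` with `group => 'neutron'` if the template ever carries anything sensitive.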


@ -1,132 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class:
#
# Network L3 node
#
# === Parameters:
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*ext_provider_net*]
# (optional) Manage L3 with another provider
# Defaults to false
#
# [*external_int*]
# (optional) The name of the external nic
# Defaults to eth1
#
# [*manage_tso*]
# (optional) Disable TSO on Neutron interfaces
# Defaults to true
#
# [*ha_enabled*]
# (optional) Enable HA for L3 agent or not.
# Defaults to false
#
# [*ha_vrrp_auth_type*]
# (optional) VRRP authentication type. Can be AH or PASS.
# Defaults to "PASS"
#
# [*ha_vrrp_auth_password*]
# (optional) VRRP authentication password. Required if ha_enabled = true.
# Defaults to undef
#
# [*allow_automatic_l3agent_failover*]
# (optional) Automatically reschedule routers from offline L3 agents to online
# L3 agents.
# Defaults to 'False'
#
# [*agent_mode*]
# (optional) The working mode for the agent.
# 'legacy': default behavior (without DVR)
# 'dvr': enable DVR for an L3 agent running on compute node (DVR in production)
# 'dvr_snat': enable DVR with centralized SNAT support (DVR for single-host, for testing only)
# Right now, DVR is not compatible with ha_enabled
# Defaults to 'legacy'
#
class cloud::network::l3(
$external_int = 'eth1',
$ext_provider_net = false,
$debug = true,
$manage_tso = true,
$ha_enabled = false,
$ha_vrrp_auth_type = 'PASS',
$ha_vrrp_auth_password = undef,
$allow_automatic_l3agent_failover = false,
$agent_mode = 'legacy',
) {
include 'cloud::network'
include 'cloud::network::vswitch'
if $ha_enabled and $agent_mode != 'legacy' {
fail 'ha_enabled requires agent_mode to be set to legacy'
}
if ! $ext_provider_net {
vs_bridge{'br-ex':
external_ids => 'bridge-id=br-ex',
} ->
vs_port{$external_int:
ensure => present,
bridge => 'br-ex'
}
$external_network_bridge_real = 'br-ex'
} else {
$external_network_bridge_real = ''
}
class { 'neutron::agents::l3':
debug => $debug,
external_network_bridge => $external_network_bridge_real,
ha_enabled => $ha_enabled,
ha_vrrp_auth_type => $ha_vrrp_auth_type,
ha_vrrp_auth_password => $ha_vrrp_auth_password,
allow_automatic_l3agent_failover => $allow_automatic_l3agent_failover,
agent_mode => $agent_mode,
}
class { 'neutron::agents::metering':
debug => $debug,
}
# Disabling TSO/GSO/GRO
if $manage_tso {
if $::osfamily == 'Debian' {
ensure_resource ('exec','enable-tso-script', {
'command' => '/usr/sbin/update-rc.d disable-tso defaults',
'unless' => '/bin/ls /etc/rc*.d | /bin/grep disable-tso',
'onlyif' => '/usr/bin/test -f /etc/init.d/disable-tso'
})
} elsif $::osfamily == 'RedHat' {
ensure_resource ('exec','enable-tso-script', {
'command' => '/usr/sbin/chkconfig disable-tso on',
'unless' => '/bin/ls /etc/rc*.d | /bin/grep disable-tso',
'onlyif' => '/usr/bin/test -f /etc/init.d/disable-tso'
})
}
ensure_resource ('exec','start-tso-script', {
'command' => '/etc/init.d/disable-tso start',
'unless' => '/usr/bin/test -f /var/run/disable-tso.pid',
'onlyif' => '/usr/bin/test -f /etc/init.d/disable-tso'
})
}
}
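Review bot: `ha_vrrp_auth_password` is documented as "Required if ha_enabled = true", but the only guard in the class is `if $ha_enabled and $agent_mode != 'legacy' { fail ... }`; an undef password is passed straight through to `neutron::agents::l3`. Add a second check next to it, for example `if $ha_enabled and $ha_vrrp_auth_password == undef { fail('ha_vrrp_auth_password is required when ha_enabled is true') }`, so the catalog fails at compile time instead of producing an L3 HA pair with no VRRP authentication. Two documentation points in the same hunk: `$ext_provider_net` and `$debug` are accepted by the class but have no entry in the parameter block, and the entry for `allow_automatic_l3agent_failover` says the default is the string `'False'` while the code uses the boolean `false`. Worth stating in the `ha_vrrp_auth_type` doc that `PASS` sends the password in clear text on the wire, so the VRRP segment must be an isolated network rather than trusting the password for protection.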

View File

@ -1,43 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class:
#
# Network LBaaS node
#
# === Parameters:
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*manage_haproxy_pkg*]
# (optional) Manage or not HAproxy package
# Defaults to true
#
class cloud::network::lbaas(
$debug = true,
$manage_haproxy_pkg = true
) {
include 'cloud::network'
include 'cloud::network::vswitch'
class { 'neutron::agents::lbaas':
manage_haproxy_package => $manage_haproxy_pkg,
debug => $debug,
}
}
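Review bot: the header line `# == Class:` at the top of this file has no class name after it, unlike the sibling manifests (`cloud::network::metadata` spells it out). Also, the parameter is named `manage_haproxy_pkg` here but forwarded as `manage_haproxy_package => $manage_haproxy_pkg`; keeping the name identical to the upstream `neutron::agents::lbaas` parameter removes one thing for operators to translate when reading the upstream docs.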

View File

@ -1,93 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::network::metadata
#
# Network Metadata node
#
# === Parameters:
#
# [*enabled*]
# (optional) State of the metadata service.
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*ks_neutron_password*]
# (optional) Password used by Neutron to connect to Keystone API
# Defaults to 'neutronpassword'
#
# [*neutron_metadata_proxy_shared_secret*]
# (optional) Shared secret to validate proxies Neutron metadata requests
# Defaults to 'metadatapassword'
#
# [*nova_metadata_server*]
# (optional) Hostname or IP of the Nova metadata server
# Defaults to '127.0.0.1'
#
# [*ks_keystone_admin_host*]
# (optional) Admin Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_keystone_admin_port*]
# (optional) TCP port to connect to Keystone API from admin network
# Defaults to '35357'
#
# [*ks_nova_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*auth_region*]
# (optional) OpenStack Region Name
# Defaults to 'RegionOne'
#
class cloud::network::metadata(
$enabled = true,
$debug = true,
$ks_neutron_password = 'neutronpassword',
$neutron_metadata_proxy_shared_secret = 'asecreteaboutneutron',
$nova_metadata_server = '127.0.0.1',
$ks_keystone_admin_proto = 'http',
$ks_keystone_admin_port = 35357,
$ks_keystone_admin_host = '127.0.0.1',
$auth_region = 'RegionOne',
$ks_nova_internal_proto = 'http'
) {
include 'cloud::network'
include 'cloud::network::vswitch'
class { 'neutron::agents::metadata':
enabled => $enabled,
shared_secret => $neutron_metadata_proxy_shared_secret,
debug => $debug,
metadata_ip => $nova_metadata_server,
auth_url => "${ks_keystone_admin_proto}://${ks_keystone_admin_host}:${ks_keystone_admin_port}/v2.0",
auth_password => $ks_neutron_password,
auth_region => $auth_region,
metadata_workers => $::processorcount,
}
neutron_metadata_agent_config {
'DEFAULT/nova_metadata_protocol': value => $ks_nova_internal_proto;
}
}
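Review bot: the documentation and the code disagree on the shared secret default: the doc block says `neutron_metadata_proxy_shared_secret` "Defaults to 'metadatapassword'" while the class sets `$neutron_metadata_proxy_shared_secret = 'asecreteaboutneutron'`. More importantly, shipping any default for this value is unsafe: the secret is what nova-metadata uses to validate the instance-id signature added by the proxy, so a deployment that keeps the default lets anyone who knows it and can reach the metadata service request another instance's metadata. Make it, and `ks_neutron_password` (default `'neutronpassword'`), default to `undef` and `fail` when unset, the way `ha_vrrp_auth_password` is documented to behave in the L3 class. Minor: `metadata_workers => $::processorcount` is fixed to the core count and not exposed as a parameter.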

View File

@ -1,25 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Network VPNaaS node
#
class cloud::network::vpn{
include 'cloud::network'
include 'cloud::network::vswitch'
class { 'neutron::agents::vpnaas': }
}
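Review bot: this manifest has no `# == Class:` line and no parameter block, so it is the only network agent class here that cannot pass `debug` through to its upstream class (`class { 'neutron::agents::vpnaas': }` is declared with no arguments). Adding the header and, if the upstream class accepts one, a `$debug = true` parameter would keep the agent classes consistent with `cloud::network::lbaas` and `cloud::network::metadata`.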

View File

@ -1,259 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Network vswitch class
#
# === Parameters:
#
# [*driver*]
# (optional) Neutron vswitch driver
# Supported values: 'ml2_ovs', 'ml2_lb', 'n1kv_vem'.
# Note: 'n1kv_vem' currently works only on Red Hat systems.
# Defaults to 'ml2_ovs'
#
# [*external_int*]
# (optionnal) Network interface to bind the external provider network
# Defaults to 'eth1'.
#
# [*external_bridge*]
# (optionnal) OVS bridge used to bind external provider network
# Defaults to 'br-pub'.
#
# [*manage_ext_network*]
# (optionnal) Manage or not external network with provider network API
# Defaults to false.
#
# [*tunnel_eth*]
# (optional) Interface IP used to build the tunnels
# Defaults to '127.0.0.1'
#
# [*tunnel_typeis]
# (optional) List of types of tunnels to use when utilizing tunnels
# Defaults to ['gre']
#
# [*provider_bridge_mappings*]
# (optional) List of <physical_network>:<bridge>
#
# [*enable_distributed_routing*]
# (optional) Enable support for distributed routing on L2 agent.
# Defaults to false.
#
# [*n1kv_vsm_ip*]
# (required) N1KV VSM (Virtual Supervisor Module) VM's IP.
# Defaults to 127.0.0.1
#
# [*n1kv_vsm_domainid*]
# (required) N1KV VSM DomainID.
# Defaults to 1000
#
# [*host_mgmt_intf*]
# (required) Management Interface of node where VEM will be installed.
# Defaults to eth1
#
# [*uplink_profile*]
# (optional) Uplink Interfaces that will be managed by VEM. The uplink
# port-profile that configures these interfaces should also be specified.
# (format)
# $uplink_profile = { 'eth1' => 'profile1',
# 'eth2' => 'profile2'
# },
# Defaults to empty
#
# [*vtep_config*]
# (optional) Virtual tunnel interface configuration.
# Eg:VxLAN tunnel end-points.
# (format)
# $vtep_config = { 'vtep1' => { 'profile' => 'virtprof1',
# 'ipmode' => 'dhcp'
# },
# 'vtep2' => { 'profile' => 'virtprof2',
# 'ipmode' => 'static',
# 'ipaddress' => '192.168.1.1',
# 'netmask' => '255.255.255.0'
# }
# },
# Defaults to empty
#
# [*node_type*]
# (optional). Specify the type of node: 'compute' (or) 'network'.
# Defaults to 'compute'
#
# All the above parameter values will be used in the config file: n1kv.conf
#
# [*vteps_in_same_subnet*]
# (optional)
# The VXLAN tunnel interfaces created on VEM can belong to same IP-subnet.
# In such case, set this parameter to true. This results in below
# 'sysctl:ipv4' values to be modified.
# rp_filter (reverse path filtering) set to 2(Loose).Default is 1(Strict)
# arp_ignore (arp reply mode) set to 1:reply only if target ip matches
# that of incoming interface. Default is 0
# Please refer Linux Documentation for detailed description
# http://lxr.free-electrons.com/source/Documentation/networking/ip-sysctl.txt
#
# If the tunnel interfaces are not in same subnet set this parameter to false.
# Note that setting to false causes no change in the sysctl settings and does
# not revert the changes made if it was originally set to true on a previous
# catalog run.
#
# Defaults to false
#
# [*n1kv_source*]
# (optional)
# n1kv_source ==> VEM package location. One of below
# A)URL of yum repository that hosts VEM package.
# B)VEM RPM/DPKG file name, If present locally in 'files' folder
# C)If not specified, assumes that VEM image is available in
# default enabled repositories.
# Defaults to empty
#
# [*n1kv_version*]
# (optional). Specify VEM package version to be installed.
# Not applicable if 'n1kv_source' is a file. (Option-B above)
# Defaults to 'present'
#
# [*tunnel_types*]
# (optional) List of types of tunnels to use when utilizing tunnels.
# Supported tunnel types are: vxlan.
# Defaults to ['gre']
#
# [*n1kv_vsm_domain_id*]
# (optional) N1000 KV Domain ID (does nothing?)
# Defaults to 1000
#
# [*enable_tunneling*]
# (optional) Enable or not tunneling.
# Should be disable if using VLAN but enabled if using GRE or VXLAN.
# Defailts to true
#
# [*l2_population*]
# (optional) Enable or not L2 population.
# If enabled, should be part of mechanism_drivers in cloud::network::controller.
# Should be disabled if running L3 HA with VRRP in Juno.
# Defaults to true
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::vswitch(
# common
$driver = 'ml2_ovs',
$manage_ext_network = false,
$external_int = 'eth1',
$external_bridge = 'br-pub',
$firewall_settings = {},
# common to ml2
$tunnel_types = ['gre'],
$tunnel_eth = '127.0.0.1',
$enable_tunneling = true,
$l2_population = true,
# ml2_ovs
$provider_bridge_mappings = ['public:br-pub'],
$enable_distributed_routing = false,
# n1kv_vem
$n1kv_vsm_ip = '127.0.0.1',
$n1kv_vsm_domain_id = 1000,
$host_mgmt_intf = 'eth1',
$uplink_profile = {},
$vtep_config = {},
$node_type = 'compute',
$vteps_in_same_subnet = false,
$n1kv_source = '',
$n1kv_version = 'present',
) {
include 'cloud::network'
case $driver {
'ml2_ovs': {
class { 'neutron::agents::ml2::ovs':
enable_tunneling => $enable_tunneling,
l2_population => $l2_population,
polling_interval => '15',
tunnel_types => $tunnel_types,
bridge_mappings => $provider_bridge_mappings,
local_ip => $tunnel_eth,
enable_distributed_routing => $enable_distributed_routing
}
if $::osfamily == 'RedHat' {
kmod::load { 'ip_gre': }
}
}
'ml2_lb': {
class { 'neutron::agents::ml2::linuxbridge':
l2_population => $l2_population,
polling_interval => '15',
tunnel_types => $tunnel_types,
local_ip => $tunnel_eth
}
if $::osfamily == 'RedHat' {
kmod::load { 'ip_gre': }
}
}
'n1kv_vem': {
# We don't check if we are on Red Hat system
# (already done by puppet-neutron)
class { 'neutron::agents::n1kv_vem':
n1kv_vsm_ip => $n1kv_vsm_ip,
n1kv_vsm_domain_id => $n1kv_vsm_domain_id,
host_mgmt_intf => $host_mgmt_intf,
uplink_profile => $uplink_profile,
vtep_config => $vtep_config,
node_type => $node_type,
vteps_in_same_subnet => $vteps_in_same_subnet,
n1kv_source => $n1kv_source,
n1kv_version => $n1kv_version,
}
ensure_resource('package', 'nexus1000v', {
ensure => present
})
}
default: {
fail("${driver} driver is not supported.")
}
}
if $manage_ext_network {
vs_port {$external_int:
ensure => present,
bridge => $external_bridge
}
}
if $::cloud::manage_firewall {
if ('gre' in $tunnel_types) {
cloud::firewall::rule{ '100 allow gre access':
port => undef,
proto => 'gre',
extras => $firewall_settings,
}
}
if ('vxlan' in $tunnel_types) {
cloud::firewall::rule{ '100 allow vxlan access':
port => '4789',
proto => 'udp',
extras => $firewall_settings,
}
}
}
}
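Review bot: the tunnel firewall rules `cloud::firewall::rule{ '100 allow gre access':` and `cloud::firewall::rule{ '100 allow vxlan access':` open GRE and UDP/4789 to any source unless the operator remembers to put a `source` restriction into `firewall_settings`; neither GRE nor VXLAN authenticates the encapsulating host, so an unrestricted rule lets any host that can reach `tunnel_eth` inject frames into tenant networks. Consider a dedicated tunnel-source parameter, or at least document in `firewall_settings` that it must carry the tunnel subnet. Documentation problems in the same hunk: `[*tunnel_typeis]` is a typo and duplicates the later `[*tunnel_types*]` entry; `[*n1kv_vsm_domainid*]` does not match the `$n1kv_vsm_domain_id` parameter, and the second entry for it reads `(does nothing?)`, which should be resolved rather than left as a question; `tunnel_eth` is described as an interface but holds an IP, and its default `'127.0.0.1'` cannot terminate a tunnel; `optionnal` is misspelled three times.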

View File

@ -1,33 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::object
#
# Common class for object storage nodes
#
# === Parameters:
#
# [*swift_hash_suffix*]
# (required) String of text to be used as a salt when hashing to determine mappings in the ring.
#
class cloud::object(
$swift_hash_suffix = undef
) {
class { 'swift':
swift_hash_suffix => $swift_hash_suffix,
}
}
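Review bot: `swift_hash_suffix` is marked `(required)` but defaults to `undef` with no check, so a node that is missing the value is left to whatever error the upstream `class { 'swift': }` produces. Since the suffix salts every ring hash and must be identical on all nodes of a cluster, add an explicit `if $swift_hash_suffix == undef { fail('swift_hash_suffix is required') }` before the class declaration, and say in the doc that the value must be kept secret and never changed after the rings are built.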

View File

@ -1,178 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::object::controller
#
# Swift Proxy node
#
# === Parameters:
#
# [*ks_keystone_admin_host*]
# (optional) Admin Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_admin_port*]
# (optional) TCP port to connect to Keystone API from admin network
# Defaults to '35357'
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_port*]
# (optional) TCP port to connect to Keystone API from internal network
# Defaults to '5000'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_keystone_admin_proto*]
# (optional) Protocol for admin endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_swift_internal_port*]
# (optional) TCP port to connect to Swift from internal network
# Defaults to '8080'
#
# [*ks_swift_password*]
# (optional) Password used by Swift to connect to Keystone API
# Defaults to 'swiftpassword'
#
# [*ks_swift_dispersion_password*]
# (optional) Password of the dispersion tenant, used for swift-dispersion-report
# and swift-dispersion-populate tools.
# Defaults to 'dispersion'
#
# [*api_eth*]
# (optional) Which interface we bind the Swift proxy server.
# Defaults to '127.0.0.1'
#
# [*memcache_servers*]
# (optionnal) Memcached servers used by Keystone. Should be an array.
# Defaults to ['127.0.0.1:11211']
#
# [*statsd_host*]
# (optional) Hostname or IP of the statd server.
# Defaults to '127.0.0.1'
#
# [*statsd_port*]
# (optional) TCP port of the statd server
# Defaults to '4125'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::object::controller(
$ks_keystone_admin_host = '127.0.0.1',
$ks_keystone_admin_port = 35357,
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_port = 5000,
$ks_swift_dispersion_password = 'dispersion',
$ks_swift_internal_port = 8080,
$ks_keystone_internal_proto = 'http',
$ks_keystone_admin_proto = 'http',
$ks_swift_password = 'swiftpassword',
$statsd_host = '127.0.0.1',
$statsd_port = 4125,
$memcache_servers = ['127.0.0.1:11211'],
$api_eth = '127.0.0.1',
$firewall_settings = {},
) {
include 'cloud::object'
class { 'swift::proxy':
proxy_local_net_ip => $api_eth,
port => $ks_swift_internal_port,
pipeline => [
'catch_errors', 'healthcheck', 'cache', 'bulk', 'ratelimit',
'swift3', 's3token', 'container_quotas', 'account_quotas', 'tempurl',
'formpost', 'authtoken', 'keystone', 'staticweb',
'proxy-logging', 'proxy-server'],
account_autocreate => true,
log_level => 'DEBUG',
workers => inline_template('<%= @processorcount.to_i * 2 %>
cors_allow_origin = <%= scope.lookupvar("swift_cors_allow_origin") %>
log_statsd_host = <%= scope.lookupvar("statsd_host") %>
log_statsd_port = <%= scope.lookupvar("statsd_port") %>
log_statsd_default_sample_rate = 1
'),
}
class{'swift::proxy::cache':
memcache_servers => inline_template(
'<%= scope.lookupvar("memcache_servers").join(",") %>'),
}
class { 'swift::proxy::account_quotas': }
class { 'swift::proxy::bulk': }
class { 'swift::proxy::catch_errors': }
class { 'swift::proxy::container_quotas': }
class { 'swift::proxy::formpost': }
class { 'swift::proxy::healthcheck': }
class { 'swift::proxy::proxy_logging': }
class { 'swift::proxy::ratelimit': }
class { 'swift::proxy::slo': }
class { 'swift::proxy::staticweb': }
class { 'swift::proxy::tempurl': }
class { 'swift::proxy::keystone':
operator_roles => ['admin', 'SwiftOperator', 'ResellerAdmin'],
}
class { 'swift::proxy::authtoken':
admin_password => $ks_swift_password,
auth_host => $ks_keystone_admin_host,
auth_port => $ks_keystone_admin_port,
auth_protocol => $ks_keystone_admin_proto,
delay_auth_decision => inline_template('1
cache = swift.cache')
}
class { 'swift::proxy::swift3':
ensure => 'latest',
}
class { 'swift::proxy::s3token':
auth_host => $ks_keystone_admin_host,
auth_port => $ks_keystone_admin_port,
auth_protocol => $ks_keystone_internal_proto
}
class { 'swift::dispersion':
auth_url => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:${ks_keystone_internal_port}/v2.0",
swift_dir => '/etc/swift',
auth_pass => $ks_swift_dispersion_password,
endpoint_type => 'internalURL'
}
Swift::Ringsync<<| |>> #~> Service["swift-proxy"]
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow swift-proxy access':
port => $ks_swift_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-swift_api":
listening_service => 'swift_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_swift_internal_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
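Review bot: `class { 'swift::proxy::s3token':` pairs `auth_host => $ks_keystone_admin_host` and `auth_port => $ks_keystone_admin_port` with `auth_protocol => $ks_keystone_internal_proto`; if the admin endpoint is HTTPS and the internal one HTTP (or the reverse) S3 token validation breaks, so use `$ks_keystone_admin_proto` as the `swift::proxy::authtoken` block does. The `workers => inline_template('<%= @processorcount.to_i * 2 %> ... log_statsd_default_sample_rate = 1')` and `delay_auth_decision => inline_template('1` / `cache = swift.cache')` values smuggle extra config keys through a parameter by embedding newlines; besides being fragile, the first template reads `scope.lookupvar("swift_cors_allow_origin")`, which is not a parameter of this class, so the rendered config depends on an undocumented outer-scope variable. Smaller points: `class { 'swift::proxy::slo': }` is declared but `'slo'` is absent from the `pipeline` array, so the middleware is configured and never loaded; `log_level => 'DEBUG'` is hard-coded; the defaults `ks_swift_password => 'swiftpassword'` and `ks_swift_dispersion_password => 'dispersion'` should be `undef`; and `Swift::Ringsync<<| |>> #~> Service["swift-proxy"]` leaves a commented-out ordering that either matters or should be deleted.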

View File

@ -1,70 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::object::ringbuilder
#
# Swift ring builder node
#
# === Parameters:
#
# [*enabled*]
# (optional) Enable or not the Swift ringbuilder rsync server
# Defaults to false
#
# [*rsyncd_ipaddress*]
# (optional) Hostname or IP of the swift ringbuilder rsync daemon
# Defaults to '127.0.0.1'
#
# [*replicas*]
# (optional) Number of replicas to kept
# Defaults to '3'
#
# [*swift_rsync_max_connections*]
# (optional) Max number of connections to the rsync daemon
# Defaults to '5'
#
class cloud::object::ringbuilder(
$enabled = false,
$rsyncd_ipaddress = '127.0.0.1',
$replicas = 3,
$swift_rsync_max_connections = 5,
) {
include cloud::object
if $enabled {
Ring_object_device <<| |>>
Ring_container_device <<| |>>
Ring_account_device <<| |>>
class {'swift::ringbuilder' :
part_power => 15,
replicas => $replicas,
min_part_hours => 24,
}
class {'swift::ringserver' :
local_net_ip => $rsyncd_ipaddress,
max_connections => $swift_rsync_max_connections,
}
# exports rsync gets that can be used to sync the ring files
@@swift::ringsync { ['account', 'object', 'container']:
ring_server => $rsyncd_ipaddress,
}
}
}
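Review bot: `part_power => 15` and `min_part_hours => 24` are hard-coded in `class {'swift::ringbuilder' :`, and partition power cannot be changed once a ring has been built, so an operator sizing a large cluster has no way to set it without forking the module; both should be parameters with these values as defaults. The collectors `Ring_object_device <<| |>>`, `Ring_container_device <<| |>>` and `Ring_account_device <<| |>>` pull every exported device from PuppetDB with no tag or query, so two clusters sharing a Puppet master would merge their rings; filtering on a cluster tag would prevent that. The rings are then served with `class {'swift::ringserver' :` on `rsyncd_ipaddress` with no access control beyond the storage node's firewall rule, which is worth stating in the `enabled` doc. Nit: "Number of replicas to kept" should read "to keep".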

View File

@ -1,26 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Swift set_io_scheduler
#
define cloud::object::set_io_scheduler(){
# TODO: Add it on server boot
exec{"/bin/echo deadline > /sys/block/${name}/queue/scheduler":
onlyif => [
"/usr/bin/test '-e /sys/block/${name}/queue/scheduler'",
"/bin/grep -v -F '[deadline]' /sys/block/${name}/queue/scheduler"
],
}
}
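Review bot: the first `onlyif` condition, `"/usr/bin/test '-e /sys/block/${name}/queue/scheduler'"`, quotes the operator and the path as one word, so `test` receives a single non-empty string and always returns true; the existence check never runs and only the `grep -v -F '[deadline]'` condition gates the exec, which then emits an error for a device that has no scheduler file. Drop the inner quotes: `"/usr/bin/test -e /sys/block/${name}/queue/scheduler"`. The `TODO: Add it on server boot` is also a real gap: the value lives in sysfs and is lost at reboot until the next agent run, so a udev rule or sysctl-style persistence is needed rather than an exec.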

View File

@ -1,172 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::object::storage
#
# Swift Storage node
#
# === Parameters:
#
# [*storage_eth*]
# (optional) IP or hostname of the Swift storage node
# Defaults to '127.0.0.1'
#
# [*swift_zone*]
# (optional) Name of the swift zone
# Defaults to undef
#
# [*object_port*]
# (optional) TCP port number of the Object middleware
# Defaults to '6000'
#
# [*container_port*]
# (optional) TCP port number of the container middleware
# Defaults to '6001'
#
# [*account_port*]
# (optional) TCP port number of the account middleware
# Defaults to '6002'
#
# [*fstype*]
# (optional) Name of the File-System type
# Defaults to 'xfs'
#
# [*device_config_hash*]
# (optional) A hash of options to pass to io scheduler
# Defaults to {}
#
# [*ring_container_device*]
# (optional) The name of the container device
# Defaults to 'sdb'
#
# [*ring_account_device*]
# (optional) The name of the account device
# Defaults to 'sdb'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::object::storage(
$storage_eth = '127.0.0.1',
$swift_zone = undef,
$object_port = '6000',
$container_port = '6001',
$account_port = '6002',
$fstype = 'xfs',
$device_config_hash = {},
$ring_container_device = 'sdb',
$ring_account_device = 'sdb',
$firewall_settings = {},
) {
include 'cloud::object'
include 'cloud::object::tweaking'
class { 'swift::storage':
storage_local_net_ip => $storage_eth,
}
Rsync::Server::Module {
incoming_chmod => 'u=rwX,go=rX',
outgoing_chmod => 'u=rwX,go=rX',
}
Swift::Storage::Server {
#devices => $devices,
storage_local_net_ip => $storage_eth,
workers => inline_template('<%= @processorcount.to_i / 2 %>'),
replicator_concurrency => 2,
updater_concurrency => 1,
reaper_concurrency => 1,
require => Class['swift'],
mount_check => true,
}
# concurrency at 2 and 1 seems better see
# http://docs.openstack.org/trunk/openstack-object-storage/admin/content/general-service-tuning.html
swift::storage::server { $account_port:
type => 'account',
config_file_path => 'account-server.conf',
pipeline => ['healthcheck', 'account-server'],
log_facility => 'LOG_LOCAL2',
}
swift::storage::server { $container_port:
type => 'container',
config_file_path => 'container-server.conf',
workers => inline_template("<%= @processorcount.to_i / 2 %>
db_preallocation = on
allow_versions = on
"), # great hack :(
pipeline => ['healthcheck', 'container-server'],
log_facility => 'LOG_LOCAL4',
}
swift::storage::server { $object_port:
type => 'object',
config_file_path => 'object-server.conf',
pipeline => ['healthcheck', 'recon', 'object-server'],
log_facility => 'LOG_LOCAL6',
}
$swift_components = ['account', 'container', 'object']
swift::storage::filter::recon { $swift_components : }
swift::storage::filter::healthcheck { $swift_components : }
create_resources("swift::storage::${fstype}", $device_config_hash)
ensure_resource('cloud::object::set_io_scheduler', keys($device_config_hash))
@@ring_container_device { "${storage_eth}:${container_port}/${ring_container_device}":
zone => $swift_zone,
weight => '100.0',
}
@@ring_account_device { "${storage_eth}:${account_port}/${ring_account_device}":
zone => $swift_zone,
weight => '100.0',
}
$object_urls = prefix(keys($device_config_hash), "${storage_eth}:${object_port}/")
@@ring_object_device {$object_urls:
zone => $swift_zone,
weight => '100.0',
}
Swift::Ringsync<<| |>> ->
Swift::Storage::Server[$container_port] ->
Swift::Storage::Server[$account_port] ->
Swift::Storage::Server[$object_port]
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow swift-container access':
port => $container_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow swift-account access':
port => $account_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow swift-object access':
port => $object_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow swift rsync access':
port => '873',
extras => $firewall_settings,
}
}
}
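Review bot: the rules `'100 allow swift-container access'`, `'100 allow swift-account access'`, `'100 allow swift-object access'` and `'100 allow swift rsync access'` expose the account, container and object servers and rsync to any source unless `firewall_settings` carries a `source` restriction; none of these backend services authenticate callers, and a request sent directly to `object_port`, `container_port` or `account_port` bypasses the proxy's `authtoken`/`keystone` pipeline entirely. Default the rules to the storage network that `storage_eth` sits on, or document that `firewall_settings` must. The `workers => inline_template("<%= @processorcount.to_i / 2 %>` template with `db_preallocation = on` and `allow_versions = on` appended, self-described as `great hack :(`, injects extra config keys through the `workers` parameter and should use a dedicated container config resource instead. Also `ring_container_device` and `ring_account_device` default to `'sdb'` while object devices come from `keys($device_config_hash)`, so a host whose hash has no `sdb` still exports a container and account device for a disk it never formatted.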

View File

@ -1,70 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Swift tweaking
#
class cloud::object::tweaking {
kmod::load { 'ip_conntrack': }
$swift_tuning = {
'net.ipv4.tcp_tw_recycle' => { value => 1 },
'net.ipv4.tcp_tw_reuse' => { value => 1 },
'net.ipv4.tcp_syncookies' => { value => 0 },
'net.ipv4.ip_local_port_range' => { value => "10000\t65000" },
'net.core.netdev_max_backlog' => { value => 300000 },
'net.ipv4.tcp_sack' => { value => 0 },
}
case $::osfamily {
'Debian' : {
$debian_swift_tuning = {
'net.ipv4.netfilter.ip_conntrack_max' => { value => 524288 },
'net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait' => { value => 2 },
'net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait' => { value => 2 },
}
$swift_tuning_real = merge($swift_tuning, $debian_swift_tuning)
}
default : {
$redhat_swift_tuning = {
'net.netfilter.nf_conntrack_max' => { value => 524288 },
'net.netfilter.nf_conntrack_tcp_timeout_time_wait' => { value => 2 },
'net.netfilter.nf_conntrack_tcp_timeout_close_wait' => { value => 2 },
}
$swift_tuning_real = merge($swift_tuning, $redhat_swift_tuning)
}
}
$require = {
require => Kmod::Load['ip_conntrack']
}
create_resources(sysctl::value,$swift_tuning_real,$require)
file { '/var/log/swift':
ensure => directory,
owner => swift,
group => swift,
}
logrotate::rule { 'swift':
path => '/var/log/swift/*.log',
rotate => 7,
rotate_every => 'day',
missingok => true,
ifempty => false,
compress => true,
delaycompress => true,
}
}
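Review bot: `'net.ipv4.tcp_syncookies' => { value => 0 }` turns off the kernel's SYN-flood defence on every storage node and the hunk gives no reason; syncookies only engage when the SYN queue overflows, so leaving the value at 1 costs nothing in normal operation. `'net.ipv4.tcp_tw_recycle' => { value => 1 }` is also hazardous: it drops connections from clients behind NAT whose timestamps appear to go backwards, and the sysctl was removed in Linux 4.12, so `sysctl::value` will fail on newer kernels; `tcp_tw_reuse` alone gives most of the TIME_WAIT benefit. Two smaller points: the Debian branch sets `net.ipv4.netfilter.ip_conntrack_*` keys that newer Debian kernels no longer expose (they use the `net.netfilter.nf_conntrack_*` names the default branch already uses), and `file { '/var/log/swift':` sets owner and group but no `mode`, so the umask decides who can read the logs.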

View File

@ -1,177 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::orchestration
#
# Orchestration common node
#
# === Parameters:
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_admin_host*]
# (optional) Admin Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_port*]
# (optional) TCP port to connect to Keystone API from internal network
# Defaults to '5000'
#
# [*ks_keystone_admin_port*]
# (optional) TCP port to connect to Keystone API from admin network
# Defaults to '35357'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_keystone_admin_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_heat_public_host*]
# (optional) Public Hostname or IP to connect to Heat API
# Defaults to '127.0.0.1'
#
# [*ks_heat_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_heat_password*]
# (optional) Password used by Heat to connect to Keystone API
# Defaults to 'heatpassword'
#
# [*heat_db_host*]
# (optional) Hostname or IP address to connect to heat database
# Defaults to '127.0.0.1'
#
# [*heat_db_user*]
# (optional) Username to connect to heat database
# Defaults to 'heat'
#
# [*heat_db_password*]
# (optional) Password to connect to heat database
# Defaults to 'heatpassword'
#
# [*heat_db_idle_timeout*]
# (optional) Timeout before idle SQL connections are reaped.
# Defaults to 5000
#
# [*rabbit_hosts*]
# (optional) List of RabbitMQ servers. Should be an array.
# Defaults to ['127.0.0.1:5672']
#
# [*rabbit_password*]
# (optional) Password to connect to heat queues.
# Defaults to 'rabbitpassword'
#
# [*verbose*]
# (optional) Set log output to verbose output
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*use_syslog*]
# (optional) Use syslog for logging
# Defaults to true
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*os_endpoint_type*]
# (optional) The type of the OpenStack endpoint (public/internal/admin) URL
# Defaults to 'publicURL'
#
class cloud::orchestration(
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_port = '5000',
$ks_keystone_internal_proto = 'http',
$ks_keystone_admin_host = '127.0.0.1',
$ks_keystone_admin_port = '35357',
$ks_keystone_admin_proto = 'http',
$ks_heat_public_host = '127.0.0.1',
$ks_heat_public_proto = 'http',
$ks_heat_password = 'heatpassword',
$heat_db_host = '127.0.0.1',
$heat_db_user = 'heat',
$heat_db_password = 'heatpassword',
$heat_db_idle_timeout = 5000,
$rabbit_hosts = ['127.0.0.1:5672'],
$rabbit_password = 'rabbitpassword',
$verbose = true,
$debug = true,
$use_syslog = true,
$log_facility = 'LOG_LOCAL0',
$os_endpoint_type = 'publicURL'
) {
# Disable twice logging if syslog is enabled
if $use_syslog {
$log_dir = false
heat_config {
'DEFAULT/logging_context_format_string': value => '%(process)d: %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s';
'DEFAULT/logging_default_format_string': value => '%(process)d: %(levelname)s %(name)s [-] %(instance)s%(message)s';
'DEFAULT/logging_debug_format_suffix': value => '%(funcName)s %(pathname)s:%(lineno)d';
'DEFAULT/logging_exception_prefix': value => '%(process)d: TRACE %(name)s %(instance)s';
}
} else {
$log_dir = '/var/log/heat'
}
$encoded_user = uriescape($heat_db_user)
$encoded_password = uriescape($heat_db_password)
class { 'heat':
keystone_host => $ks_keystone_admin_host,
keystone_port => $ks_keystone_admin_port,
keystone_protocol => $ks_keystone_admin_proto,
keystone_password => $ks_heat_password,
auth_uri => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:${ks_keystone_internal_port}/v2.0",
keystone_ec2_uri => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:${ks_keystone_internal_port}/v2.0/ec2tokens",
database_connection => "mysql://${encoded_user}:${encoded_password}@${heat_db_host}/heat?charset=utf8",
database_idle_timeout => $heat_db_idle_timeout,
mysql_module => '2.2',
rabbit_hosts => $rabbit_hosts,
rabbit_password => $rabbit_password,
rabbit_userid => 'heat',
verbose => $verbose,
debug => $debug,
log_facility => $log_facility,
use_syslog => $use_syslog,
log_dir => $log_dir,
}
# Note(EmilienM):
# We check if DB tables are created, if not we populate Heat DB.
# It's a hack to fit with our setup where we run MySQL/Galera
# TODO(Goneri)
# We have to do this only on the primary node of the galera cluster to avoid race condition
# https://github.com/enovance/puppet-openstack-cloud/issues/156
exec {'heat_db_sync':
command => 'heat-manage --config-file /etc/heat/heat.conf db_sync',
path => '/usr/bin',
user => 'heat',
unless => "/usr/bin/mysql heat -h ${heat_db_host} -u ${encoded_user} -p${encoded_password} -e \"show tables\" | /bin/grep Tables"
}
heat_config {
'clients/endpoint_type': value => $os_endpoint_type;
}
}
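Review bot: the `unless` in `exec {'heat_db_sync'}` passes the database password on the mysql command line (`-p${encoded_password}`), which exposes it in process listings and in any Puppet report or log that records the command; it also reuses `$encoded_user`/`$encoded_password`, which were `uriescape`d for the SQLAlchemy URL, so a credential containing URL-reserved characters is escaped a second time here and the check silently fails. Suggest feeding the raw values to the client through a root-only `--defaults-extra-file`, and keeping the TODO's Galera concern in view: unless `$heat_db_host` points at a single writer, `db_sync` can race across controllers.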

View File

@ -1,115 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::image::api
#
# Orchestration APIs node
#
# === Parameters:
#
# [*ks_heat_internal_port*]
# (optional) TCP port to connect to Heat API from public network
# Defaults to '8004'
#
# [*ks_heat_cfn_internal_port*]
# (optional) TCP port to connect to Heat API from public network
# Defaults to '8000'
#
# [*ks_heat_cloudwatch_internal_port*]
# (optional) TCP port to connect to Heat API from public network
# Defaults to '8003'
#
# [*api_eth*]
# (optional) Which interface we bind the Heat server.
# Defaults to '127.0.0.1'
#
# [*workers*]
# (optional) The number of Heat API workers
# Defaults to $::processorcount
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::orchestration::api(
$ks_heat_internal_port = 8004,
$ks_heat_cfn_internal_port = 8000,
$ks_heat_cloudwatch_internal_port = 8003,
$api_eth = '127.0.0.1',
$workers = $::processorcount,
$firewall_settings = {},
) {
include 'cloud::orchestration'
class { 'heat::api':
bind_host => $api_eth,
bind_port => $ks_heat_internal_port,
workers => $workers
}
class { 'heat::api_cfn':
bind_host => $api_eth,
bind_port => $ks_heat_cfn_internal_port,
workers => $workers
}
class { 'heat::api_cloudwatch':
bind_host => $api_eth,
bind_port => $ks_heat_cloudwatch_internal_port,
workers => $workers
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow heat-api access':
port => $ks_heat_internal_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow heat-cfn access':
port => $ks_heat_cfn_internal_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow heat-cloudwatch access':
port => $ks_heat_cloudwatch_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-heat_api":
listening_service => 'heat_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_heat_internal_port,
options => 'check inter 2000 rise 2 fall 5'
}
@@haproxy::balancermember{"${::fqdn}-heat_cfn_api":
listening_service => 'heat_cfn_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_heat_cfn_internal_port,
options => 'check inter 2000 rise 2 fall 5'
}
@@haproxy::balancermember{"${::fqdn}-heat_cloudwatch_api":
listening_service => 'heat_cloudwatch_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_heat_cloudwatch_internal_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
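Review bot: the header of this file says `== Class: cloud::image::api` while the class declared is `cloud::orchestration::api`; the three port parameters are also documented as "from public network" with string defaults (`'8004'`) although they are internal-side ports with integer defaults. Suggest fixing the doc block and, since `$api_eth` is both the bind address and the address exported to `haproxy::balancermember`, documenting that the default `'127.0.0.1'` produces backend entries the load balancer cannot reach.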

View File

@ -1,75 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::orchestration::engine
#
# Orchestration engine node
#
# === Parameters:
#
# [*enabled*]
# (optional) State of the orchestration engine service.
# Defaults to true
#
# [*ks_heat_public_host*]
# (optional) Public Hostname or IP to connect to Heat API
# Defaults to '127.0.0.1'
#
# [*ks_heat_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_heat_password*]
# (optional) Password used by Heat to connect to Keystone API
# Defaults to 'heatpassword'
#
# [*ks_heat_cfn_public_port*]
# (optional) TCP port to connect to Heat API from public network
# Defaults to '8000'
#
# [*ks_heat_cloudwatch_public_port*]
# (optional) TCP port to connect to Heat API from public network
# Defaults to '8003'
#
# [*auth_encryption_key*]
# (optional) Encryption key used for authentication info in database
# Defaults to 'secrete'
#
class cloud::orchestration::engine(
$enabled = true,
$ks_heat_public_host = '127.0.0.1',
$ks_heat_public_proto = 'http',
$ks_heat_password = 'heatpassword',
$ks_heat_cfn_public_port = 8000,
$ks_heat_cloudwatch_public_port = 8003,
$auth_encryption_key = 'secrete'
) {
include 'cloud::orchestration'
class { 'heat::engine':
enabled => $enabled,
auth_encryption_key => $auth_encryption_key,
heat_metadata_server_url => "${ks_heat_public_proto}://${ks_heat_public_host}:${ks_heat_cfn_public_port}",
heat_waitcondition_server_url => "${ks_heat_public_proto}://${ks_heat_public_host}:${ks_heat_cfn_public_port}/v1/waitcondition",
heat_watch_server_url => "${ks_heat_public_proto}://${ks_heat_public_host}:${ks_heat_cloudwatch_public_port}",
# TODO (EmilienM): Need to be updated in Juno
# The default deferred_auth_method of password is deprecated as of Icehouse, so although it is still the default, deployers are
# strongly encouraged to move to using deferred_auth_method=trusts, which is planned to become the default for Juno.
# 'trusts' requires Keystone API v3 enabled, otherwise we have to use 'password'.
deferred_auth_method => 'password',
}
}
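Review bot: `$auth_encryption_key` defaults to `'secrete'`, and with `deferred_auth_method => 'password'` that key protects the user credentials Heat stores in its database, so any deployment that does not override it keeps those credentials encrypted under a publicly known value. Suggest defaulting it to `undef` and failing the catalog when it is unset, and tracking the TODO about moving to `trusts` as an issue rather than a comment.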

View File

@ -1,77 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::params
#
# Configure set of default parameters
#
class cloud::params {
# cloud::logging::agent
$logging_agent_logrotate_rule = {
'td-agent' => {
'path' => '/var/log/td-agent/td-agent.log',
'rotate' => 30,
'compress' => true,
'delaycompress' => true,
'ifempty' => false,
'create' => true,
'create_mode' => '640',
'create_owner' => 'td-agent',
'create_group' => 'td-agent',
'sharedscripts' => true,
'postrotate' => ['pid=/var/run/td-agent/td-agent.pid', 'test -s $pid && kill -USR1 "$(cat $pid)"'],
}
}
$puppetmaster_service_name = 'puppetmaster'
case $::osfamily {
'RedHat': {
# Specific to Red Hat
$start_haproxy_service = '"/usr/bin/systemctl start haproxy"'
$horizon_auth_url = 'dashboard'
$libvirt_service_name = 'libvirtd'
$keepalived_name_is_process = false
$keepalived_vrrp_script = 'systemctl status haproxy.service'
$puppetmaster_package_name = 'puppet-server'
$redis_service_name = 'redis'
$service_provider = 'systemd'
} # RedHat
'Debian': {
# Specific to Debian / Ubuntu
$start_haproxy_service = '"/etc/init.d/haproxy start"'
$horizon_auth_url = 'horizon'
$keepalived_name_is_process = true
$keepalived_vrrp_script = undef
$puppetmaster_package_name = 'puppetmaster'
$redis_service_name = 'redis-server'
case $::operatingsystem {
'Ubuntu': {
$libvirt_service_name = 'libvirt-bin'
$service_provider = 'upstart'
}
default: {
$libvirt_service_name = 'libvirtd'
$service_provider = 'lsb'
}
}
} # Debian
default: {
fail("Unsupported osfamily (${::osfamily})")
}
}
}
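Review bot: the `postrotate` script for td-agent runs as root under logrotate and sends `kill -USR1` to whatever pid it reads from `/var/run/td-agent/td-agent.pid`, a file that is typically writable by the service account; suggest restricting ownership of that directory and validating that the file holds a number before using it. Also, the `$start_haproxy_service` values carry embedded double quotes (`'"/usr/bin/systemctl start haproxy"'`) that only make sense if the consumer interpolates them into a shell string; a comment on where they are used would help.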

View File

@ -1,98 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::selinux
#
# Helper class to configure SELinux on nodes
#
# === Parameters:
#
# [*mode*]
# (optional) SELinux mode the system should be in
# Defaults to 'permissive'
# Possible values : disabled, permissive, enforcing
#
# [*directory*]
# (optional) Path where to find the SELinux modules
# Defaults to '/usr/share/selinux'
#
# [*booleans*]
# (optional) Set of booleans to persistently enables
# SELinux booleans are the one getsebool -a returns
# Defaults []
# Example: ['rsync_full_access', 'haproxy_connect_any']
#
# [*modules*]
# (optional) Set of modules to load on the system
# Defaults []
# Example: ['module1', 'module2']
# Note: Those module should be in the $directory path
#
class cloud::selinux (
$mode = 'permissive',
$directory = '/usr/share/selinux/',
$booleans = [],
$modules = [],
) {
if $::osfamily != 'RedHat' {
fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS")
}
Selboolean {
persistent => true,
value => 'on',
}
Selmodule {
ensure => present,
selmoduledir => $directory,
}
file { '/etc/selinux/config':
ensure => present,
mode => '0444',
content => template('cloud/selinux/sysconfig_selinux.erb')
}
$current_mode = $::selinux? {
'false' => 'disabled',
false => 'disabled',
default => $::selinux_current_mode,
}
if $current_mode != $mode {
case $mode {
/^(disabled|permissive)$/: {
if $current_mode == 'enforcing' {
exec { 'setenforce 0': }
}
}
'enforcing': {
exec { 'setenforce 1': }
}
default: {
fail('You must specify a mode (enforcing, permissive, or disabled)')
}
}
}
selboolean { $booleans :
persistent => true,
}
selmodule { $modules: }
}
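Review bot: `exec { 'setenforce 0': }` and `exec { 'setenforce 1': }` set neither `path` nor an absolute command, so Puppet refuses to run them unless an `Exec` resource default with `path` happens to be in scope. Also, the default `$mode = 'permissive'` means that including this class on a host currently in enforcing mode drops it to permissive; suggest making the operator choose the mode explicitly or defaulting to `'enforcing'`. Minor: `$directory` defaults to `'/usr/share/selinux/'` with a trailing slash the doc block omits, and "unsuppored" in the `fail` message.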

View File

@ -1,49 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::storage::rbd
#
# === Parameters:
#
# [*fsid*] The cluster's fsid.
# Mandatory. Get one with `uuidgen -r`.
#
# [*cluster_network*]
# (optional) The cluster internal network
# Defaults to '127.0.0.1/24'
#
# [*public_network*]
# (optional) The cluster public (where clients are) network
# Defaults to '127.0.0.1/24'
#
class cloud::storage::rbd (
$fsid = undef,
$cluster_network = '127.0.0.1/24',
$public_network = '127.0.0.1/24'
) {
class { 'ceph::conf':
fsid => $fsid,
auth_type => 'cephx',
cluster_network => $cluster_network,
public_network => $public_network,
enable_service => true
}
Exec {
path => '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin'
}
}
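Review bot: `$fsid` is documented as mandatory but defaults to `undef` with no check, so `ceph::conf` receives an empty fsid; suggest `if !$fsid { fail('cloud::storage::rbd: fsid is required') }` at the top of the class. Resource defaults are dynamically scoped in Puppet 3, so the `Exec { path => ... }` default here can leak into classes declared after this one, which is easy to miss when reading those classes.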

View File

@ -1,37 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::storage::rbd::key
#
# === Parameters:
#
# [*enabled*]
# (optional) Configure or not the ceph admin keyring
# Defaults to true
#
class cloud::storage::rbd::key (
$enabled = false
) {
if $enabled {
if !empty($::ceph_admin_key) {
@@ceph::key { 'admin':
secret => $::ceph_admin_key,
keyring_path => '/etc/ceph/keyring',
}
}
}
}
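Review bot: the doc block says `enabled` defaults to true but the class defaults it to `false`. More importantly, the Ceph admin key arrives as the fact `$::ceph_admin_key` and is re-exported as `@@ceph::key { 'admin': secret => ... }`, so the cluster's admin secret is held in the master's facts and in PuppetDB, where any node able to collect `Ceph::Key` resources can retrieve it; suggest documenting that exposure and restricting which nodes collect the resource.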

View File

@ -1,61 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::storage::rbd::monitor
#
# Ceph monitor
#
# === Parameters:
#
# [*id*]
# (optional) Then uuid of the cluster
# Defaults to $::uniqueid
#
# [*mon_addr*]
# (optional) Which interface we bind the Ceph monitor
# Defaults to '127.0.0.1'
#
# [*monitor_secret*]]
# (optional) Password of the Ceph monitor
# Defaults to 'cephsecret'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::storage::rbd::monitor (
$id = $::uniqueid,
$mon_addr = '127.0.0.1',
$monitor_secret = 'cephmonsecret',
$firewall_settings = {},
) {
include 'cloud::storage::rbd'
ceph::mon { $id:
monitor_secret => $monitor_secret,
mon_port => 6789,
mon_addr => $mon_addr,
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow ceph-mon access':
port => '6789',
extras => $firewall_settings,
}
}
}
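Review bot: `[*monitor_secret*]]` has a stray bracket, and the doc block says it defaults to `'cephsecret'` while the code uses `'cephmonsecret'`; either way it is a well-known default for the monitor keyring. Suggest defaulting to `undef` and failing when unset, and deriving both `mon_port` and the firewall rule from one variable instead of the duplicated literal `6789`.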

View File

@ -1,73 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::storage::rbd::osd
#
# Ceph OSD
#
# === Parameters:
#
# [*public_address*]
# (optional) Which interface we bind the Ceph OSD
# Defaults to '127.0.0.1'
#
# [*cluster_address*]
# (optional) Which interface we bind internal the Ceph OSD
# Defaults to '127.0.0.1'
#
# [*devices*]]
# (optional) An array of device, should be full-qualified or short.
# Defaults to ['sdb','/dev/sdc']
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::storage::rbd::osd (
$public_address = '127.0.0.1',
$cluster_address = '127.0.0.1',
$devices = ['sdb','/dev/sdc'],
$firewall_settings = {},
) {
include 'cloud::storage::rbd'
class { 'ceph::osd' :
public_address => $public_address,
cluster_address => $cluster_address,
}
if is_array($devices) {
if '/dev/' in $devices {
ceph::osd::device { $devices: }
}
else {
$osd_ceph = prefix($devices,'/dev/')
ceph::osd::device { $osd_ceph: }
}
}
elsif is_hash($devices) {
create_resources('ceph::osd::device', $devices)
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow ceph-osd access':
port => '6800-6810',
extras => $firewall_settings,
}
}
}
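Review bot: `if '/dev/' in $devices` tests whether the array contains the element `'/dev/'`, not whether entries start with `/dev/`, so with the default `['sdb','/dev/sdc']` the else branch runs and `prefix` yields `/dev//dev/sdc`. Suggest normalising per element, e.g. `$osd_ceph = regsubst($devices, '^([^/])', '/dev/\1')`, which leaves already-qualified paths untouched.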

View File

@ -1,153 +0,0 @@
#
# Copyright (C) 2013 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::storage::rbd::pools
#
# Configure Ceph RBD pools (images,volumes,backup,nova)
#
# === Parameters:
#
# [*setup_pools*]
# (optional) Create or not Ceph pools
# Defaults to false
#
# [*glance_rbd_pool*]
# (optional) Name of the Ceph pool which which store the glance images
# Defaults to 'images'
#
# [*glance_rbd_user*]
# (optional) User name used to acces to the glance rbd pool
# Defaults to 'glance'
#
# [*ceph_fsid*] The cluster's fsid.
# Mandatory. Get one with `uuidgen -r`.
#
# [*cinder_backup_pool*]
# (optional) Name of the Ceph pool which which store the cinder backups
# Defaults to 'volumes'
#
# [*cinder_backup_user*]
# (optional) User name used to acces to the backup rbd pool
# Defaults to 'cinder'
#
# [*cinder_rbd_pool*]
# (optional) Name of the Ceph pool which which store the cinder images
# Defaults to 'volumes'
#
# [*cinder_rbd_user*]
# (optional) User name used to acces to the cinder rbd pool
# Defaults to 'cinder'
#
# [*nova_rbd_pool*]
# (optional) The RADOS pool in which rbd volumes are stored.
# Defaults to 'vms'
#
class cloud::storage::rbd::pools(
$setup_pools = false,
$glance_rbd_user = 'glance',
$glance_rbd_pool = 'images',
$cinder_rbd_user = 'cinder',
$cinder_rbd_pool = 'volumes',
$nova_rbd_pool = 'vms',
$cinder_backup_user = 'cinder',
$cinder_backup_pool = 'cinder_backup',
$ceph_fsid = undef
) {
if $setup_pools {
if !empty($::ceph_admin_key) {
exec { "create_${glance_rbd_pool}_pool":
command => "rados mkpool ${glance_rbd_pool}",
unless => "rados lspools | grep -sq ${glance_rbd_pool}",
}
exec { "create_${glance_rbd_pool}_user_and_key":
command => "ceph auth get-or-create client.${glance_rbd_user} mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=${glance_rbd_pool}'",
unless => "ceph auth list 2> /dev/null | egrep -sq '^client.${glance_rbd_user}$'",
require => Exec["create_${glance_rbd_pool}_pool"];
}
exec { "create_${cinder_rbd_pool}_pool":
command => "rados mkpool ${cinder_rbd_pool}",
unless => "/usr/bin/rados lspools | grep -sq ${cinder_rbd_pool}",
}
exec { "create_${cinder_rbd_pool}_user_and_key":
# TODO: point PG num with a cluster variable
command => "ceph auth get-or-create client.${cinder_rbd_user} mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rx pool=${glance_rbd_pool}, allow rwx pool=${cinder_rbd_pool}, allow rwx pool=${nova_rbd_pool}'",
unless => "ceph auth list 2> /dev/null | egrep -sq '^client.${cinder_rbd_user}$'",
require => Exec["create_${cinder_rbd_pool}_pool"];
}
# Note(EmilienM): We use the same keyring for Nova and Cinder.
exec { "create_${nova_rbd_pool}_pool":
command => "rados mkpool ${nova_rbd_pool}",
unless => "/usr/bin/rados lspools | grep -sq ${nova_rbd_pool}",
}
if $::ceph_keyring_glance {
# NOTE(fc): Puppet needs to run a second time to enter this
@@ceph::key { $glance_rbd_user:
secret => $::ceph_keyring_glance,
keyring_path => "/etc/ceph/ceph.client.${glance_rbd_user}.keyring"
}
Ceph::Key <<| title == $glance_rbd_user |>>
}
if $::ceph_keyring_cinder {
# NOTE(fc): Puppet needs to run a second time to enter this
@@ceph::key { $cinder_rbd_user:
secret => $::ceph_keyring_cinder,
keyring_path => "/etc/ceph/ceph.client.${cinder_rbd_user}.keyring"
}
Ceph::Key <<| title == $cinder_rbd_user |>>
}
$clients = [$glance_rbd_user, $cinder_rbd_user]
@@concat::fragment { 'ceph-clients-os':
target => '/etc/ceph/ceph.conf',
order => '95',
content => template('cloud/storage/ceph/ceph-client.conf.erb')
}
@@file { '/etc/ceph/secret.xml':
content => template('cloud/storage/ceph/secret-compute.xml.erb'),
tag => 'ceph_compute_secret_file',
}
if $::osfamily == 'RedHat' {
$libvirt_package_name = 'libvirt'
} else {
$libvirt_package_name = 'libvirt-bin'
}
@@exec { 'get_or_set_virsh_secret':
command => 'virsh secret-define --file /etc/ceph/secret.xml',
unless => "virsh secret-list | tail -n +3 | cut -f1 -d' ' | grep -sq ${ceph_fsid}",
tag => 'ceph_compute_get_secret',
require => [Package[$libvirt_package_name],File['/etc/ceph/secret.xml']],
notify => Exec['set_secret_value_virsh'],
}
@@exec { 'set_secret_value_virsh':
command => "virsh secret-set-value --secret ${ceph_fsid} --base64 ${::ceph_keyring_cinder}",
tag => 'ceph_compute_set_secret',
refreshonly => true,
}
} # !empty($::ceph_admin_key)
} # if setup pools
} # class
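Review bot: `set_secret_value_virsh` puts the Cinder keyring secret on the command line (`--base64 ${::ceph_keyring_cinder}`), and because the resource is exported (`@@exec`) that command, secret included, is stored in PuppetDB and shipped in the catalog of every compute node that collects it; the same applies to `@@file { '/etc/ceph/secret.xml' }` if the template embeds the key. Suggest having the exec read the key from the keyring already installed at `/etc/ceph/ceph.client.${cinder_rbd_user}.keyring` (via `provider => shell` and command substitution) so the secret never appears in the catalog. Smaller points: `$cinder_backup_pool`/`$cinder_backup_user` are declared but never used and their doc defaults disagree with the code; the `unless` checks use `grep -sq ${pool}` as a substring match, so a pool named `images` is reported present when only `images-old` exists.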

View File

@ -1,134 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::telemetry
#
# Common telemetry class, used by Controller, Storage,
# Network and Compute nodes
#
# === Parameters:
#
# [*ceilometer_secret*]
# Secret key for signing messages.
# Defaults to 'ceilometersecret'
#
# [*rabbit_hosts*]
# (optional) List of RabbitMQ servers. Should be an array.
# Defaults to ['127.0.0.1:5672']
#
# [*rabbit_password*]
# (optional) Password to connect to nova queues.
# Defaults to 'rabbitpassword'
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_keystone_internal_port*]
# (optional) TCP port to connect to Keystone API from internal network
# Defaults to '5000'
#
# [*ks_keystone_admin_host*]
# (optional) Admin Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_public_host*]
# (optional) Public Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_ceilometer_password*]
# (optional) Password used by Ceilometer to connect to Keystone API
# Defaults to 'ceilometerpassword'
#
# [*verbose*]
# (optional) Set log output to verbose output
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*use_syslog*]
# (optional) Use syslog for logging
# Defaults to true
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*region*]
# (optional) the keystone region of this node
# Defaults to 'RegionOne'
#
# [*os_endpoint_type*]
# (optional) The type of the OpenStack endpoint (public/internal/admin) URL
# Defaults to 'publicURL'
#
class cloud::telemetry(
$ceilometer_secret = 'ceilometersecret',
$rabbit_hosts = ['127.0.0.1:5672'],
$rabbit_password = 'rabbitpassword' ,
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_port = '5000',
$ks_keystone_internal_proto = 'http',
$ks_ceilometer_password = 'ceilometerpassword',
$region = 'RegionOne',
$verbose = true,
$debug = true,
$log_facility = 'LOG_LOCAL0',
$use_syslog = true,
$os_endpoint_type = 'publicURL'
){
# Disable twice logging if syslog is enabled
if $use_syslog {
$log_dir = false
ceilometer_config {
'DEFAULT/logging_context_format_string': value => '%(process)d: %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s';
'DEFAULT/logging_default_format_string': value => '%(process)d: %(levelname)s %(name)s [-] %(instance)s%(message)s';
'DEFAULT/logging_debug_format_suffix': value => '%(funcName)s %(pathname)s:%(lineno)d';
'DEFAULT/logging_exception_prefix': value => '%(process)d: TRACE %(name)s %(instance)s';
}
} else {
$log_dir = '/var/log/ceilometer'
}
class { 'ceilometer':
metering_secret => $ceilometer_secret,
rabbit_hosts => $rabbit_hosts,
rabbit_password => $rabbit_password,
rabbit_userid => 'ceilometer',
verbose => $verbose,
debug => $debug,
log_dir => $log_dir,
use_syslog => $use_syslog,
log_facility => $log_facility
}
ceilometer_config {
'service_credentials/os_endpoint_type': value => $os_endpoint_type;
}
class { 'ceilometer::agent::auth':
auth_url => "${ks_keystone_internal_proto}://${ks_keystone_internal_host}:${ks_keystone_internal_port}/v2.0",
auth_password => $ks_ceilometer_password,
auth_region => $region
}
}
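Review bot: `$ceilometer_secret` defaults to `'ceilometersecret'` and is passed as `metering_secret`, the key Ceilometer uses to sign samples, so with the default any client reaching the message bus can produce samples that verify; suggest `undef` plus a `fail` when unset. The doc block also lists `ks_keystone_admin_host` and `ks_keystone_public_host`, which are not parameters of this class, and describes `rabbit_password` as the password for "nova queues".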

View File

@ -1,25 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Telemetry Alarm Evaluator nodes
#
class cloud::telemetry::alarmevaluator(
){
include 'cloud::telemetry'
class { 'ceilometer::alarm::evaluator': }
}

View File

@ -1,25 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Telemetry Alarm Notifier nodes
#
class cloud::telemetry::alarmnotifier(
){
include 'cloud::telemetry'
class { 'ceilometer::alarm::notifier': }
}

View File

@ -1,92 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::telemetry::api
#
# Telemetry API nodes
#
# === Parameters:
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_proto*]
# (optional) Protocol for public endpoint. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_ceilometer_password*]
# (optional) Password used by Ceilometer to connect to Keystone API
# Defaults to 'ceilometerpassword'
#
# [*ks_ceilometer_internal_port*]
# (optional) TCP port to connect to Ceilometer API from public network
# Defaults to '8777'
#
# [*api_eth*]
# (optional) Which interface we bind the Ceilometer API server.
# Defaults to '127.0.0.1'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::telemetry::api(
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_proto = 'http',
$ks_ceilometer_internal_port = '8777',
$ks_ceilometer_password = 'ceilometerpassword',
$api_eth = '127.0.0.1',
$firewall_settings = {},
){
include 'cloud::telemetry'
class { 'ceilometer::api':
keystone_password => $ks_ceilometer_password,
keystone_host => $ks_keystone_internal_host,
keystone_protocol => $ks_keystone_internal_proto,
host => $api_eth
}
# Configure TTL for samples
# Purge datas older than one month
# Run the script once a day but with a random time to avoid
# issues with MongoDB access
class { 'ceilometer::expirer':
time_to_live => '2592000',
minute => '0',
hour => '0',
}
Cron <<| title == 'ceilometer-expirer' |>> { command => "sleep $((\$RANDOM % 86400)) && ${::ceilometer::params::expirer_command}" }
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow ceilometer-api access':
port => $ks_ceilometer_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-ceilometer_api":
listening_service => 'ceilometer_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_ceilometer_internal_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
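Review bot: the comment says the expirer runs "at a random time" within the day, but `$RANDOM` is at most 32767, so `sleep $(($RANDOM % 86400))` delays by at most about nine hours, and under cron's default `/bin/sh` on Debian (dash) `$RANDOM` is unset, so the delay is always 0. Suggest computing the offset from a source available in POSIX sh (e.g. `od -An -N4 -tu4 /dev/urandom`) or setting `environment => ['SHELL=/bin/bash']` on the cron resource.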

View File

@ -1,26 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#
# == Class: cloud::telemetry::centralagent
#
# Telemetry Central Agent node
#
class cloud::telemetry::centralagent{
include 'cloud::telemetry'
include 'ceilometer::agent::central'
}

View File

@ -1,56 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#
# == Class: cloud::telemetry::collector
#
# Telemetry Collector nodes
#
# === Parameters:
#
# [*mongo_nodes*]
# (optional) An array of mongo db nodes
# Defaults to ['127.0.0.1:27017']
#
# [*replicaset_enabled*]
# (optional) Enable or not mongo replicat (using ceilometer name)
# Defaults to true
#
class cloud::telemetry::collector(
$mongo_nodes = ['127.0.0.1:27017'],
$replicaset_enabled = true,
){
include 'cloud::telemetry'
$s_mongo_nodes = join($mongo_nodes, ',')
if $replicaset_enabled {
$db_conn = "mongodb://${s_mongo_nodes}/ceilometer?replicaSet=ceilometer"
} else {
$db_conn = "mongodb://${s_mongo_nodes}/ceilometer"
}
mongodb_conn_validator { $mongo_nodes:
before => Class['ceilometer::db']
}
class { 'ceilometer::db':
database_connection => $db_conn,
sync_db => true,
}
class { 'ceilometer::collector': }
}
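Review bot: both `$db_conn` strings are built without credentials, so the collector can only talk to a MongoDB that accepts unauthenticated clients on every host in `$mongo_nodes`, and nothing in the parameter docs says so. Since the replica set name `ceilometer` is already hard-coded here, consider adding user/password parameters (hypothetical names, e.g. `mongo_user`/`mongo_password`) and URI-escaping them into `mongodb://user:pass@${s_mongo_nodes}/ceilometer`, or at least state the no-auth assumption under `[*mongo_nodes*]`. Minor: `replicat` in the `[*replicaset_enabled*]` doc should read `replica set`.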


@ -1,24 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Telemetry Notifications nodes
#
class cloud::telemetry::notification {
include 'cloud::telemetry'
class { 'ceilometer::agent::notification': }
}
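Review bot: the header comment lacks the `# == Class: cloud::telemetry::notification` line that the sibling manifests (`centralagent`, `collector`) carry, so the generated documentation has no class title for this file; add it above `# Telemetry Notifications nodes`.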


@ -1,138 +0,0 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#
# == Class: cloud::volume
#
# Common class for volume nodes
#
# === Parameters:
#
# [*cinder_db_host*]
# (optional) Cinder database host
# Defaults to '127.0.0.1'
#
# [*cinder_db_user*]
# (optional) Cinder database user
# Defaults to 'cinder'
#
# [*cinder_db_password*]
# (optional) Cinder database password
# Defaults to 'cinderpassword'
#
# [*cinder_db_idle_timeout*]
# (optional) Timeout before idle SQL connections are reaped.
# Defaults to 5000
#
# [*rabbit_hosts*]
# (optional) List of RabbitMQ servers. Should be an array.
# Defaults to ['127.0.0.1:5672']
#
# [*rabbit_password*]
# (optional) Password to connect to cinder queues.
# Defaults to 'rabbitpassword'
#
# [*verbose*]
# (optional) Set log output to verbose output
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*use_syslog*]
# (optional) Use syslog for logging
# Defaults to true
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*storage_availability_zone*]
# (optional) The storage availability zone
# Defaults to 'nova'
#
# [*nova_endpoint_type*]
# (optional) The type of the OpenStack endpoint (public/internal/admin) URL
# Defaults to 'publicURL'
#
class cloud::volume(
$cinder_db_host = '127.0.0.1',
$cinder_db_user = 'cinder',
$cinder_db_password = 'cinderpassword',
$cinder_db_idle_timeout = 5000,
$rabbit_hosts = ['127.0.0.1:5672'],
$rabbit_password = 'rabbitpassword',
$verbose = true,
$debug = true,
$log_facility = 'LOG_LOCAL0',
$storage_availability_zone = 'nova',
$use_syslog = true,
$nova_endpoint_type = 'publicURL'
) {
# Disable twice logging if syslog is enabled
if $use_syslog {
$log_dir = false
cinder_config {
'DEFAULT/logging_context_format_string': value => '%(process)d: %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s';
'DEFAULT/logging_default_format_string': value => '%(process)d: %(levelname)s %(name)s [-] %(instance)s%(message)s';
'DEFAULT/logging_debug_format_suffix': value => '%(funcName)s %(pathname)s:%(lineno)d';
'DEFAULT/logging_exception_prefix': value => '%(process)d: TRACE %(name)s %(instance)s';
}
} else {
$log_dir = '/var/log/cinder'
}
$encoded_user = uriescape($cinder_db_user)
$encoded_password = uriescape($cinder_db_password)
class { 'cinder':
database_connection => "mysql://${encoded_user}:${encoded_password}@${cinder_db_host}/cinder?charset=utf8",
database_idle_timeout => $cinder_db_idle_timeout,
mysql_module => '2.2',
rabbit_userid => 'cinder',
rabbit_hosts => $rabbit_hosts,
rabbit_password => $rabbit_password,
rabbit_virtual_host => '/',
verbose => $verbose,
debug => $debug,
log_dir => $log_dir,
log_facility => $log_facility,
use_syslog => $use_syslog,
storage_availability_zone => $storage_availability_zone
}
cinder_config {
'DEFAULT/nova_catalog_info': value => "compute:nova:${nova_endpoint_type}";
}
class { 'cinder::ceilometer': }
# Note(EmilienM):
# We check if DB tables are created, if not we populate Cinder DB.
# It's a hack to fit with our setup where we run MySQL/Galera
# TODO(Goneri)
# We have to do this only on the primary node of the galera cluster to avoid race condition
# https://github.com/enovance/puppet-openstack-cloud/issues/156
exec {'cinder_db_sync':
command => 'cinder-manage db sync',
path => '/usr/bin',
user => 'cinder',
unless => "/usr/bin/mysql cinder -h ${cinder_db_host} -u ${encoded_user} -p${encoded_password} -e \"show tables\" | /bin/grep Tables"
}
}
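Review bot: the `unless` command of `exec {'cinder_db_sync'}` puts the database password on the `mysql` command line (`-p${encoded_password}`), where it is readable in the process table of every volume node while the check runs and appears in Puppet's debug output. It also substitutes the URI-escaped `${encoded_user}`/`${encoded_password}` instead of the raw values, so any password containing a character that `uriescape` rewrites makes the check fail and `cinder-manage db sync` run on every agent run, which is the opposite of what the TODO about the Galera race condition wants. Suggest feeding the raw credentials through a mode-0600 `--defaults-extra-file`, or dropping the `unless` in favour of `refreshonly => true` subscribed to the Cinder configuration. Separately, `$debug = true` as the class default enables oslo debug logging in production deployments; `false` is the safer default.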
