Update roles + templates

Signed-off-by: Emilien Macchi <emilien.macchi@enovance.com>

roles/identity/keystone-server.pp

@@ -0,0 +1,92 @@
+#
+# Copyright (C) 2013 eNovance SAS <licensing@enovance.com>
+#
+# Authors: Mehdi Abaakouk <mehdi.abaakouk@enovance.com>
+#          Emilien Macchi <emilien.macchi@enovance.com>
+#          Francois Charlier <francois.charlier@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+class os_role_keystone (
+  $local_ip = $ipaddress_eth1,
+){
+
+  $encoded_user = uriescape($os_params::keystone_db_user)
+  $encoded_password = uriescape($os_params::keystone_db_password)
+
+# Configure Keystone
+  class { 'keystone':
+    enabled        => true,
+    package_ensure => 'latest',
+    admin_token    => $os_params::ks_admin_token,
+    compute_port   => "8774",
+    verbose        => false,
+    debug          => false,
+    sql_connection => "mysql://${encoded_user}:${encoded_password}@${os_params::keystone_db_host}/keystone",
+    idle_timeout   => 60,
+# ToDo (EmilienM): Update to PKI tokens
+    token_format   => "UUID",
+  }
+
+  keystone_config {
+    "token/driver":     value => "keystone.token.backends.memcache.Token";
+    "token/expiration": value => "86400";
+    "memcache/servers": value => inline_template("<%= scope.lookupvar('os_params::keystone_memchached').join(',') %>");
+    "ec2/driver":       value => "keystone.contrib.ec2.backends.sql.Ec2";
+    "DEFAULT/syslog_log_facility": value => 'LOG_LOCAL0';
+    "DEFAULT/use_syslog": value => 'yes';
+  }
+
+
+# Keystone Endpoints + Users
+  class { 'keystone::roles::admin': 
+    email => $os_params::ks_admin_email,
+    password => $os_params::ks_admin_password,
+  }
+
+  keystone_role { $os_params::keystone_roles_addons: ensure => present }
+
+  class {"keystone::endpoint":
+    public_address   => $os_params::ks_keystone_public_host,
+    admin_address    => $os_params::ks_keystone_admin_host,
+    internal_address => $os_params::ks_keystone_internal_host,
+    public_port      => $os_params::ks_keystone_public_port,
+    admin_port       => $os_params::keystone_admin_port,
+    internal_port    => $os_params::keystone_port,
+    region           => 'RegionOne',
+    public_protocol  => $os_params::ks_keystone_public_proto
+  }
+
+  class{"swift::keystone::auth":
+    password => $os_params::ks_swift_password,
+    address => $os_params::ks_swift_internal_host,
+    port => $os_params::swift_port,
+    public_address => $os_params::ks_swift_public_host,
+    public_protocol => $os_params::ks_swift_public_proto,
+    public_port => $os_params::ks_swift_public_port
+  }
+
+  class { 'ceilometer::keystone::auth':
+    password         => $os_params::ks_ceilometer_password,
+    public_address   => $os_params::ks_ceilometer_public_host,
+    admin_address    => $os_params::ks_ceilometer_admin_host,
+    internal_address => $os_params::ks_ceilometer_internal_host,
+    public_protocol  => $os_params::ks_ceilometer_public_proto,
+    port             => $os_params::ceilometer_port,
+  }
+
+  class{ 'swift::keystone::dispersion':
+    auth_pass => $os_params::ks_swift_dispersion_password
+  }
+
+}

roles/identity/keystone.pp

@@ -1,253 +0,0 @@
-#
-# Copyright (C) 2013 eNovance SAS <licensing@enovance.com>
-#
-# Authors: Mehdi Abaakouk <mehdi.abaakouk@enovance.com>
-#          Emilien Macchi <emilien.macchi@enovance.com>
-#          Francois Charlier <francois.charlier@enovance.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-class os_role_keystone (
-  $local_ip = $ipaddress_eth1,
-){
-
-  $encoded_user = uriescape($os_params::keystone_db_user)
-  $encoded_password = uriescape($os_params::keystone_db_password)
-
-# Running Keystone service with WSGI and Apache2
-  class {'apache':
-    default_vhost => false
-  }
-
-  class { 'keystone::wsgi::apache':
-    port => 8082
-  }
-
-  apache::vhost { 'keystone_main_proxy':
-    servername         => $::fqdn,
-    port               => 5000,
-    docroot            => $::keystone::params::keystone_wsgi_script_path,
-    docroot_owner      => 'keystone',
-    docroot_group      => 'keystone',
-    error_log_file     => "${::fqdn}_main_error.log",
-    access_log_file    => "${::fqdn}_main_access.log",
-    configure_firewall => false,
-    custom_fragment    => inline_template('
-WSGIScriptAlias / /usr/lib/cgi-bin/keystone/main
-WSGIProcessGroup keystone
-')
-  }
-
-  apache::vhost { 'keystone_admin_proxy':
-    servername         => $::fqdn,
-    port               => 35357,
-    docroot            => $::keystone::params::keystone_wsgi_script_path,
-    docroot_owner      => 'keystone',
-    docroot_group      => 'keystone',
-    error_log_file     => "${::fqdn}_admin_error.log",
-    access_log_file    => "${::fqdn}_admin_access.log",
-    configure_firewall => false,
-    custom_fragment    => inline_template('
-WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
-WSGIProcessGroup keystone
-')
-  }
-
-# Configure Keystone
-  class { 'keystone':
-    enabled        => false,
-    package_ensure => 'latest',
-    admin_token    => $os_params::ks_admin_token,
-    compute_port   => "8774",
-    verbose        => false,
-    debug          => false,
-    sql_connection => "mysql://${encoded_user}:${encoded_password}@${os_params::keystone_db_host}/keystone",
-    idle_timeout   => 60,
-# ToDo (EmilienM): Update to PKI tokens
-    token_format   => "UUID",
-  }
-
-  keystone_config {
-    "token/driver":     value => "keystone.token.backends.memcache.Token";
-    "token/expiration": value => "86400";
-    "memcache/servers": value => inline_template("<%= scope.lookupvar('os_params::keystone_memchached').join(',') %>");
-    "ec2/driver":       value => "keystone.contrib.ec2.backends.sql.Ec2";
-    "DEFAULT/syslog_log_facility": value => 'LOG_LOCAL0';
-    "DEFAULT/use_syslog": value => 'yes';
-  }
-
-# Configure Load Balancers
-  @@haproxy::balancermember{"${fqdn}-keystone":
-    listening_service => "keystone_cluster",
-    server_names      => $::hostname,
-    ipaddresses       => $local_ip,
-    ports             => $os_params::keystone_port,
-    options           => "check inter 2000 rise 2 fall 5"
-  }
-
-  @@haproxy::balancermember{"${fqdn}-keystone-admin":
-    listening_service => "keystone_admin_cluster",
-    server_names      => $::hostname,
-    ipaddresses       => $local_ip,
-    ports             => $os_params::keystone_admin_port,
-    options           => "check inter 2000 rise 2 fall 5"
-  }
-
-
-# Keystone Endpoints + Users
-  class { 'keystone::roles::admin': 
-    email => $os_params::ks_admin_email,
-    password => $os_params::ks_admin_password,
-  }
-
-  keystone_role { $os_params::keystone_roles_addons: ensure => present }
-
-  class {"keystone::endpoint":
-    public_address   => $os_params::ks_keystone_public_host,
-    admin_address    => $os_params::ks_keystone_admin_host,
-    internal_address => $os_params::ks_keystone_internal_host,
-    public_port      => $os_params::ks_keystone_public_port,
-    admin_port       => $os_params::keystone_admin_port,
-    internal_port    => $os_params::keystone_port,
-    region           => 'RegionOne',
-    public_protocol  => $os_params::ks_keystone_public_proto
-  }
-
-  class{"swift::keystone::auth":
-    password => $os_params::ks_swift_password,
-    address => $os_params::ks_swift_internal_host,
-    port => $os_params::swift_port,
-    public_address => $os_params::ks_swift_public_host,
-    public_protocol => $os_params::ks_swift_public_proto,
-    public_port => $os_params::ks_swift_public_port
-  }
-
-  class { 'nova::keystone::auth':
-    password         => $os_params::ks_nova_password,
-    public_address   => $os_params::ks_nova_public_host,
-    admin_address    => $os_params::ks_nova_admin_host,
-    internal_address => $os_params::ks_nova_internal_host,
-    public_protocol  => $os_params::ks_nova_public_proto,
-    cinder => true,
-  }
-
-  class { 'cinder::keystone::auth':
-    password         => $os_params::ks_cinder_password,
-    public_address   => $os_params::ks_cinder_public_host,
-    admin_address    => $os_params::ks_cinder_admin_host,
-    internal_address => $os_params::ks_cinder_internal_host,
-    public_protocol  => $os_params::ks_cinder_public_proto,
-  }
-
-  class { 'glance::keystone::auth':
-    password         => $os_params::ks_glance_password,
-    public_address   => $os_params::ks_glance_public_host,
-    admin_address    => $os_params::ks_glance_admin_host,
-    internal_address => $os_params::ks_glance_internal_host,
-    public_protocol  => $os_params::ks_glance_public_proto,
-  }
-
-  class { 'quantum::keystone::auth':
-    password         => $os_params::ks_quantum_password,
-    public_address   => $os_params::ks_quantum_public_host,
-    admin_address    => $os_params::ks_quantum_admin_host,
-    internal_address => $os_params::ks_quantum_internal_host,
-    public_protocol  => $os_params::ks_quantum_public_proto,
-    port             => $os_params::quantum_port,
-  }
-
-  class { 'ceilometer::keystone::auth':
-    password         => $os_params::ks_ceilometer_password,
-    public_address   => $os_params::ks_ceilometer_public_host,
-    admin_address    => $os_params::ks_ceilometer_admin_host,
-    internal_address => $os_params::ks_ceilometer_internal_host,
-    public_protocol  => $os_params::ks_ceilometer_public_proto,
-    port             => $os_params::ceilometer_port,
-  }
-
-# Note for Midonet: endpoint is created manually since
-# there is no Puppet module.
-
-  keystone_tenant { $os_params::glance_swift_tenant:
-    ensure      => present,
-    enabled     => 'True',
-    description => 'glance images tenant'
-    } ->
-  keystone_user { $os_params::glance_swift_user:
-    ensure   => present,
-    email    => "${os_params::glance_swift_user}@localhost",
-    password => $os_params::glance_swift_password,
-    tenant   => $os_params::glance_swift_tenant
-  } -> 
-  keystone_user_role { "${os_params::glance_swift_user}@${os_params::glance_swift_tenant}":
-      ensure  => present,
-      roles   => 'admin'
-    }
-
-  keystone_tenant { $os_params::ks_monitoring_tenant:
-    ensure      => present,
-    enabled     => 'True',
-    description => 'Monitoring Tenant'
-    } ->
-  keystone_user { $os_params::ks_monitoring_user:
-    ensure   => present,
-    email    => "${os_params::ks_monitoring_user}@localhost",
-    password => $os_params::ks_monitoring_password,
-    tenant   => $os_params::ks_monitoring_tenant
-  } -> 
-  keystone_user_role { "${os_params::ks_monitoring_user}@${os_params::ks_monitoring_tenant}":
-      ensure  => present,
-      roles   => 'admin'
-    }
-
-# Specific to Midonet
-#  keystone_tenant { $os_params::ks_midonet_tenant:
-#    ensure      => present,
-#    enabled     => 'True',
-#    description => 'Midonet Tenant'
-#    } ->
-#  keystone_user { $os_params::ks_midonet_username:
-#    ensure   => present,
-#    email    => "${os_params::ks_midonet_tenant}@localhost",
-#    password => $os_params::ks_midonet_password,
-#    tenant   => $os_params::ks_midonet_tenant
-#  } -> 
-#  keystone_user_role { "${os_params::ks_midonet_user}@${os_params::ks_midonet_tenant}":
-#      ensure  => present,
-#      roles   => ${os_params::ks_midonet_role}
-#    }
-
-  class{ 'swift::keystone::dispersion':
-    auth_pass => $os_params::ks_swift_dispersion_password
-  }
-
-# Waiting apache is configured before using keystone (because of WSGI)
-  Service['httpd'] -> Keystone_tenant <| |>
-  Service['httpd'] -> Keystone_user <| |>
-  Service['httpd'] -> Keystone_role  <| |>
-  Service['httpd'] -> Keystone_service <| |>
-  Service['httpd'] -> Keystone_user_role <| |>
-  Service['httpd'] -> Keystone_endpoint <| |>
-
-
-# Due to Keystone WSGI, db need to be sync manually
-  exec { 'keystone-manage db_sync':
-    path        => '/usr/bin',
-    user        => 'keystone',
-    refreshonly => true,
-    notify      => Service['keystone'],
-    subscribe   => Package['keystone'],
-    require     => User['keystone'],
-  }
-
-}

roles/metering/ceilometer_server.pp

@@ -34,4 +34,3 @@ class os_ceilometer{
 # Ceilometer Central Agent is defined in site.pp since it must be installed on only node (not able to scale-out)
 
 }
-

templates/check_galera_cluster

@@ -1,15 +0,0 @@
-#!/bin/bash
-
-MYSQL_USERNAME="clustercheckuser"
-MYSQL_PASSWORD="clustercheckpassword!"
-ERR_FILE="/dev/null"
-AVAILABLE_WHEN_DONOR=0
-WSREP_STATUS=`mysql --user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} -e "SHOW STATUS LIKE 'wsrep_local_state';" 2>${ERR_FILE} | awk '{if (NR!=1){print $2}}' 2>${ERR_FILE}`
-
-if [[ "${WSREP_STATUS}" == "4" ]] || [[ "${WSREP_STATUS}" == "2" && ${AVAILABLE_WHEN_DONOR} == 1 ]]; then
-	echo "OK - Percona XtraDB Cluster Node is synced."
-	exit 0
-else
-	echo "CRITICAL - Percona XtraDB Cluster Node is not synced."
-	exit 2
-fi

templates/clustercheck

@@ -1,36 +0,0 @@
-#!/bin/bash 
-#
-# Script to make a proxy (ie HAProxy) capable of monitoring Percona XtraDB Cluster nodes properly
-#
-# Author: Olaf van Zandwijk <olaf.vanzandwijk@nedap.com>
-# Documentation and download: https://github.com/olafz/percona-clustercheck
-#
-# Based on the original script from Unai Rodriguez 
-#
-
-MYSQL_USERNAME="clustercheckuser" 
-MYSQL_PASSWORD="clustercheckpassword!" 
-ERR_FILE="/dev/null" 
-AVAILABLE_WHEN_DONOR=0
-
-#
-# Perform the query to check the wsrep_local_state
-#
-WSREP_STATUS=`mysql --user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} -e "SHOW STATUS LIKE 'wsrep_local_state';" 2>${ERR_FILE} | awk '{if (NR!=1){print $2}}' 2>${ERR_FILE}` 
- 
-if [[ "${WSREP_STATUS}" == "4" ]] || [[ "${WSREP_STATUS}" == "2" && ${AVAILABLE_WHEN_DONOR} == 1 ]]
-then 
-    # Percona XtraDB Cluster node local state is 'Synced' => return HTTP 200
-    /bin/echo -en "HTTP/1.1 200 OK\r\n" 
-    /bin/echo -en "Content-Type: text/plain\r\n" 
-    /bin/echo -en "\r\n" 
-    /bin/echo -en "Mariadb Cluster Node is synced.\r\n" 
-    /bin/echo -en "\r\n" 
-else 
-    # Percona XtraDB Cluster node local state is not 'Synced' => return HTTP 503
-    /bin/echo -en "HTTP/1.1 503 Service Unavailable\r\n" 
-    /bin/echo -en "Content-Type: text/plain\r\n" 
-    /bin/echo -en "\r\n" 
-    /bin/echo -en "Mariadb Cluster Node is not synced.\r\n" 
-    /bin/echo -en "\r\n" 
-fi 

templates/munin/munin-node.conf.Ubuntu

@@ -1,54 +0,0 @@
-#
-# Example config-file for munin-node
-#
-
-log_level 4
-log_file /var/log/munin/munin-node.log
-pid_file /var/run/munin/munin-node.pid
-
-background 1
-setsid 1
-
-user root
-group root
-
-
-# Regexps for files to ignore
-ignore_file [\#~]$
-ignore_file DEADJOE$
-ignore_file \.bak$
-ignore_file %$
-ignore_file \.dpkg-(tmp|new|old|dist)$
-ignore_file \.rpm(save|new)$
-ignore_file \.pod$
-
-# Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
-#
-#host_name localhost.localdomain
-
-# A list of addresses that are allowed to connect.  This must be a
-# regular expression, since Net::Server does not understand CIDR-style
-# network notation unless the perl module Net::CIDR is installed.  You
-# may repeat the allow line as many times as you'd like
-
-allow ^127\.0\.0\.1$
-allow ^::1$
-
-# If you have installed the Net::CIDR perl module, you can use one or more
-# cidr_allow and cidr_deny address/mask patterns.  A connecting client must
-# match any cidr_allow, and not match any cidr_deny.  Note that a netmask
-# *must* be provided, even if it's /32
-#
-# Example:
-#
-# cidr_allow 127.0.0.1/32
-# cidr_allow 192.0.2.0/24
-# cidr_deny  192.0.2.42/32
-
-# Which address to bind to;
-host *
-# host 127.0.0.1
-
-# And which port
-port 4949

templates/munin/munin-node.conf.Ubuntu.precise

@@ -1,54 +0,0 @@
-#
-# Example config-file for munin-node
-#
-
-log_level 4
-log_file /var/log/munin/munin-node.log
-pid_file /var/run/munin/munin-node.pid
-
-background 1
-setsid 1
-
-user root
-group root
-
-
-# Regexps for files to ignore
-ignore_file [\#~]$
-ignore_file DEADJOE$
-ignore_file \.bak$
-ignore_file %$
-ignore_file \.dpkg-(tmp|new|old|dist)$
-ignore_file \.rpm(save|new)$
-ignore_file \.pod$
-
-# Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
-#
-#host_name localhost.localdomain
-
-# A list of addresses that are allowed to connect.  This must be a
-# regular expression, since Net::Server does not understand CIDR-style
-# network notation unless the perl module Net::CIDR is installed.  You
-# may repeat the allow line as many times as you'd like
-
-allow ^127\.0\.0\.1$
-allow ^::1$
-
-# If you have installed the Net::CIDR perl module, you can use one or more
-# cidr_allow and cidr_deny address/mask patterns.  A connecting client must
-# match any cidr_allow, and not match any cidr_deny.  Note that a netmask
-# *must* be provided, even if it's /32
-#
-# Example:
-#
-# cidr_allow 127.0.0.1/32
-# cidr_allow 192.0.2.0/24
-# cidr_deny  192.0.2.42/32
-
-# Which address to bind to;
-host *
-# host 127.0.0.1
-
-# And which port
-port 4949

templates/mysqlchk

@@ -1,18 +0,0 @@
-# default: on 
-# description: mysqlchk 
-service mysqlchk 
-{ 
-# this is a config for xinetd, place it in /etc/xinetd.d/
-        disable = no 
-        flags           = REUSE 
-        socket_type     = stream 
-        port            = 9200 
-        wait            = no 
-        user            = nobody 
-        server          = /usr/bin/clustercheck
-        log_on_failure  += USERID 
-        only_from       = 0.0.0.0/0 
-        # recommended to put the IPs that need 
-        # to connect exclusively (security purposes) 
-        per_source      = UNLIMITED 
-}