diff --git a/roles/identity/keystone-server.pp b/roles/identity/keystone-server.pp
new file mode 100644
index 00000000..386da460
--- /dev/null
+++ b/roles/identity/keystone-server.pp
@@ -0,0 +1,92 @@
+#
+# Copyright (C) 2013 eNovance SAS
+#
+# Authors: Mehdi Abaakouk
+# Emilien Macchi
+# Francois Charlier
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+class os_role_keystone (
+ $local_ip = $ipaddress_eth1,
+){
+
+ $encoded_user = uriescape($os_params::keystone_db_user)
+ $encoded_password = uriescape($os_params::keystone_db_password)
+
+# Configure Keystone
+ class { 'keystone':
+ enabled => true,
+ package_ensure => 'latest',
+ admin_token => $os_params::ks_admin_token,
+ compute_port => "8774",
+ verbose => false,
+ debug => false,
+ sql_connection => "mysql://${encoded_user}:${encoded_password}@${os_params::keystone_db_host}/keystone",
+ idle_timeout => 60,
+# ToDo (EmilienM): Update to PKI tokens
+ token_format => "UUID",
+ }
+
+ keystone_config {
+ "token/driver": value => "keystone.token.backends.memcache.Token";
+ "token/expiration": value => "86400";
+ "memcache/servers": value => inline_template("<%= scope.lookupvar('os_params::keystone_memchached').join(',') %>");
+ "ec2/driver": value => "keystone.contrib.ec2.backends.sql.Ec2";
+ "DEFAULT/syslog_log_facility": value => 'LOG_LOCAL0';
+ "DEFAULT/use_syslog": value => 'yes';
+ }
+
+
+# Keystone Endpoints + Users
+ class { 'keystone::roles::admin':
+ email => $os_params::ks_admin_email,
+ password => $os_params::ks_admin_password,
+ }
+
+ keystone_role { $os_params::keystone_roles_addons: ensure => present }
+
+ class {"keystone::endpoint":
+ public_address => $os_params::ks_keystone_public_host,
+ admin_address => $os_params::ks_keystone_admin_host,
+ internal_address => $os_params::ks_keystone_internal_host,
+ public_port => $os_params::ks_keystone_public_port,
+ admin_port => $os_params::keystone_admin_port,
+ internal_port => $os_params::keystone_port,
+ region => 'RegionOne',
+ public_protocol => $os_params::ks_keystone_public_proto
+ }
+
+ class{"swift::keystone::auth":
+ password => $os_params::ks_swift_password,
+ address => $os_params::ks_swift_internal_host,
+ port => $os_params::swift_port,
+ public_address => $os_params::ks_swift_public_host,
+ public_protocol => $os_params::ks_swift_public_proto,
+ public_port => $os_params::ks_swift_public_port
+ }
+
+ class { 'ceilometer::keystone::auth':
+ password => $os_params::ks_ceilometer_password,
+ public_address => $os_params::ks_ceilometer_public_host,
+ admin_address => $os_params::ks_ceilometer_admin_host,
+ internal_address => $os_params::ks_ceilometer_internal_host,
+ public_protocol => $os_params::ks_ceilometer_public_proto,
+ port => $os_params::ceilometer_port,
+ }
+
+ class{ 'swift::keystone::dispersion':
+ auth_pass => $os_params::ks_swift_dispersion_password
+ }
+
+}
diff --git a/roles/identity/keystone.pp b/roles/identity/keystone.pp
deleted file mode 100644
index 54abff04..00000000
--- a/roles/identity/keystone.pp
+++ /dev/null
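Review bot: `$local_ip = $ipaddress_eth1` in the parameter list of `os_role_keystone` is never read in the new file — the two `@@haproxy::balancermember` exports that consumed it exist only in the deleted roles/identity/keystone.pp — so either drop the parameter (and the dependence on a top-scope `ipaddress_eth1` fact) or carry the exported balancer members over if this role is still meant to register itself with the load balancer. The `keystone` class mixes value styles for like values: `compute_port => "8774"` and `token_format => "UUID"` are double-quoted with nothing to interpolate while `idle_timeout => 60` is a bare integer and `package_ensure => 'latest'` is single-quoted; `compute_port => '8774'` and `token_format => 'UUID'` would make the block consistent. The nova, cinder, glance and quantum `*::keystone::auth` classes and the glance-swift and monitoring tenant/user/role chains removed with keystone.pp have no counterpart in this file; if they were not moved to another role (not visible from this diff), the commit silently stops creating those service users, tenants and endpoints. `"token/expiration": value => "86400"` keeps each UUID bearer token valid for a full day after issue, which is worth revisiting while the `ToDo (EmilienM)` note about PKI tokens remains open.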
@@ -1,253 +0,0 @@
-#
-# Copyright (C) 2013 eNovance SAS
-#
-# Authors: Mehdi Abaakouk
-# Emilien Macchi
-# Francois Charlier
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-class os_role_keystone (
- $local_ip = $ipaddress_eth1,
-){
-
- $encoded_user = uriescape($os_params::keystone_db_user)
- $encoded_password = uriescape($os_params::keystone_db_password)
-
-# Running Keystone service with WSGI and Apache2
- class {'apache':
- default_vhost => false
- }
-
- class { 'keystone::wsgi::apache':
- port => 8082
- }
-
- apache::vhost { 'keystone_main_proxy':
- servername => $::fqdn,
- port => 5000,
- docroot => $::keystone::params::keystone_wsgi_script_path,
- docroot_owner => 'keystone',
- docroot_group => 'keystone',
- error_log_file => "${::fqdn}_main_error.log",
- access_log_file => "${::fqdn}_main_access.log",
- configure_firewall => false,
- custom_fragment => inline_template('
-WSGIScriptAlias / /usr/lib/cgi-bin/keystone/main
-WSGIProcessGroup keystone
-')
- }
-
- apache::vhost { 'keystone_admin_proxy':
- servername => $::fqdn,
- port => 35357,
- docroot => $::keystone::params::keystone_wsgi_script_path,
- docroot_owner => 'keystone',
- docroot_group => 'keystone',
- error_log_file => "${::fqdn}_admin_error.log",
- access_log_file => "${::fqdn}_admin_access.log",
- configure_firewall => false,
- custom_fragment => inline_template('
-WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
-WSGIProcessGroup keystone
-')
- }
-
-# Configure Keystone
- class { 'keystone':
- enabled => false,
- package_ensure => 'latest',
- admin_token => $os_params::ks_admin_token,
- compute_port => "8774",
- verbose => false,
- debug => false,
- sql_connection => "mysql://${encoded_user}:${encoded_password}@${os_params::keystone_db_host}/keystone",
- idle_timeout => 60,
-# ToDo (EmilienM): Update to PKI tokens
- token_format => "UUID",
- }
-
- keystone_config {
- "token/driver": value => "keystone.token.backends.memcache.Token";
- "token/expiration": value => "86400";
- "memcache/servers": value => inline_template("<%= scope.lookupvar('os_params::keystone_memchached').join(',') %>");
- "ec2/driver": value => "keystone.contrib.ec2.backends.sql.Ec2";
- "DEFAULT/syslog_log_facility": value => 'LOG_LOCAL0';
- "DEFAULT/use_syslog": value => 'yes';
- }
-
-# Configure Load Balancers
- @@haproxy::balancermember{"${fqdn}-keystone":
- listening_service => "keystone_cluster",
- server_names => $::hostname,
- ipaddresses => $local_ip,
- ports => $os_params::keystone_port,
- options => "check inter 2000 rise 2 fall 5"
- }
-
- @@haproxy::balancermember{"${fqdn}-keystone-admin":
- listening_service => "keystone_admin_cluster",
- server_names => $::hostname,
- ipaddresses => $local_ip,
- ports => $os_params::keystone_admin_port,
- options => "check inter 2000 rise 2 fall 5"
- }
-
-
-# Keystone Endpoints + Users
- class { 'keystone::roles::admin':
- email => $os_params::ks_admin_email,
- password => $os_params::ks_admin_password,
- }
-
- keystone_role { $os_params::keystone_roles_addons: ensure => present }
-
- class {"keystone::endpoint":
- public_address => $os_params::ks_keystone_public_host,
- admin_address => $os_params::ks_keystone_admin_host,
- internal_address => $os_params::ks_keystone_internal_host,
- public_port => $os_params::ks_keystone_public_port,
- admin_port => $os_params::keystone_admin_port,
- internal_port => $os_params::keystone_port,
- region => 'RegionOne',
- public_protocol => $os_params::ks_keystone_public_proto
- }
-
- class{"swift::keystone::auth":
- password => $os_params::ks_swift_password,
- address => $os_params::ks_swift_internal_host,
- port => $os_params::swift_port,
- public_address => $os_params::ks_swift_public_host,
- public_protocol => $os_params::ks_swift_public_proto,
- public_port => $os_params::ks_swift_public_port
- }
-
- class { 'nova::keystone::auth':
- password => $os_params::ks_nova_password,
- public_address => $os_params::ks_nova_public_host,
- admin_address => $os_params::ks_nova_admin_host,
- internal_address => $os_params::ks_nova_internal_host,
- public_protocol => $os_params::ks_nova_public_proto,
- cinder => true,
- }
-
- class { 'cinder::keystone::auth':
- password => $os_params::ks_cinder_password,
- public_address => $os_params::ks_cinder_public_host,
- admin_address => $os_params::ks_cinder_admin_host,
- internal_address => $os_params::ks_cinder_internal_host,
- public_protocol => $os_params::ks_cinder_public_proto,
- }
-
- class { 'glance::keystone::auth':
- password => $os_params::ks_glance_password,
- public_address => $os_params::ks_glance_public_host,
- admin_address => $os_params::ks_glance_admin_host,
- internal_address => $os_params::ks_glance_internal_host,
- public_protocol => $os_params::ks_glance_public_proto,
- }
-
- class { 'quantum::keystone::auth':
- password => $os_params::ks_quantum_password,
- public_address => $os_params::ks_quantum_public_host,
- admin_address => $os_params::ks_quantum_admin_host,
- internal_address => $os_params::ks_quantum_internal_host,
- public_protocol => $os_params::ks_quantum_public_proto,
- port => $os_params::quantum_port,
- }
-
- class { 'ceilometer::keystone::auth':
- password => $os_params::ks_ceilometer_password,
- public_address => $os_params::ks_ceilometer_public_host,
- admin_address => $os_params::ks_ceilometer_admin_host,
- internal_address => $os_params::ks_ceilometer_internal_host,
- public_protocol => $os_params::ks_ceilometer_public_proto,
- port => $os_params::ceilometer_port,
- }
-
-# Note for Midonet: endpoint is created manually since
-# there is no Puppet module.
-
- keystone_tenant { $os_params::glance_swift_tenant:
- ensure => present,
- enabled => 'True',
- description => 'glance images tenant'
- } ->
- keystone_user { $os_params::glance_swift_user:
- ensure => present,
- email => "${os_params::glance_swift_user}@localhost",
- password => $os_params::glance_swift_password,
- tenant => $os_params::glance_swift_tenant
- } ->
- keystone_user_role { "${os_params::glance_swift_user}@${os_params::glance_swift_tenant}":
- ensure => present,
- roles => 'admin'
- }
-
- keystone_tenant { $os_params::ks_monitoring_tenant:
- ensure => present,
- enabled => 'True',
- description => 'Monitoring Tenant'
- } ->
- keystone_user { $os_params::ks_monitoring_user:
- ensure => present,
- email => "${os_params::ks_monitoring_user}@localhost",
- password => $os_params::ks_monitoring_password,
- tenant => $os_params::ks_monitoring_tenant
- } ->
- keystone_user_role { "${os_params::ks_monitoring_user}@${os_params::ks_monitoring_tenant}":
- ensure => present,
- roles => 'admin'
- }
-
-# Specific to Midonet
-# keystone_tenant { $os_params::ks_midonet_tenant:
-# ensure => present,
-# enabled => 'True',
-# description => 'Midonet Tenant'
-# } ->
-# keystone_user { $os_params::ks_midonet_username:
-# ensure => present,
-# email => "${os_params::ks_midonet_tenant}@localhost",
-# password => $os_params::ks_midonet_password,
-# tenant => $os_params::ks_midonet_tenant
-# } ->
-# keystone_user_role { "${os_params::ks_midonet_user}@${os_params::ks_midonet_tenant}":
-# ensure => present,
-# roles => ${os_params::ks_midonet_role}
-# }
-
- class{ 'swift::keystone::dispersion':
- auth_pass => $os_params::ks_swift_dispersion_password
- }
-
-# Waiting apache is configured before using keystone (because of WSGI)
- Service['httpd'] -> Keystone_tenant <| |>
- Service['httpd'] -> Keystone_user <| |>
- Service['httpd'] -> Keystone_role <| |>
- Service['httpd'] -> Keystone_service <| |>
- Service['httpd'] -> Keystone_user_role <| |>
- Service['httpd'] -> Keystone_endpoint <| |>
-
-
-# Due to Keystone WSGI, db need to be sync manually
- exec { 'keystone-manage db_sync':
- path => '/usr/bin',
- user => 'keystone',
- refreshonly => true,
- notify => Service['keystone'],
- subscribe => Package['keystone'],
- require => User['keystone'],
- }
-
-}
diff --git a/roles/metering/common_ceilometer.pp b/roles/metering/ceilometer_common.pp
similarity index 100%
rename from roles/metering/common_ceilometer.pp
rename to roles/metering/ceilometer_common.pp
diff --git a/roles/metering/ceilometer.pp b/roles/metering/ceilometer_server.pp
similarity index 99%
rename from roles/metering/ceilometer.pp
rename to roles/metering/ceilometer_server.pp
index 6ce3af06..f0142274 100644
--- a/roles/metering/ceilometer.pp
+++ b/roles/metering/ceilometer_server.pp
@@ -34,4 +34,3 @@ class os_ceilometer{
 # Ceilometer Central Agent is defined in site.pp since it must be installed on only node (not able to scale-out)
 }
-
diff --git a/roles/misc/mysql.pp b/roles/misc/mysql.pp
new file mode 100644
index 00000000..e69de29b
diff --git a/roles/common/rabbitmq.pp b/roles/misc/rabbitmq.pp
similarity index 100%
rename from roles/common/rabbitmq.pp
rename to roles/misc/rabbitmq.pp
diff --git a/roles/object-storage/common_swift.pp b/roles/object-storage/swift_common.pp
similarity index 100%
rename from roles/object-storage/common_swift.pp
rename to roles/object-storage/swift_common.pp
diff --git a/templates/check_galera_cluster b/templates/check_galera_cluster
deleted file mode 100644
index fde41719..00000000
--- a/templates/check_galera_cluster
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-MYSQL_USERNAME="clustercheckuser"
-MYSQL_PASSWORD="clustercheckpassword!"
-ERR_FILE="/dev/null"
-AVAILABLE_WHEN_DONOR=0
-WSREP_STATUS=`mysql --user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} -e "SHOW STATUS LIKE 'wsrep_local_state';" 2>${ERR_FILE} | awk '{if (NR!=1){print $2}}' 2>${ERR_FILE}`
-
-if [[ "${WSREP_STATUS}" == "4" ]] || [[ "${WSREP_STATUS}" == "2" && ${AVAILABLE_WHEN_DONOR} == 1 ]]; then
- echo "OK - Percona XtraDB Cluster Node is synced."
- exit 0
-else
- echo "CRITICAL - Percona XtraDB Cluster Node is not synced."
- exit 2
-fi
diff --git a/templates/clustercheck b/templates/clustercheck
deleted file mode 100755
index a72fd7b5..00000000
--- a/templates/clustercheck
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash
-#
-# Script to make a proxy (ie HAProxy) capable of monitoring Percona XtraDB Cluster nodes properly
-#
-# Author: Olaf van Zandwijk
-# Documentation and download: https://github.com/olafz/percona-clustercheck
-#
-# Based on the original script from Unai Rodriguez
-#
-
-MYSQL_USERNAME="clustercheckuser"
-MYSQL_PASSWORD="clustercheckpassword!"
-ERR_FILE="/dev/null"
-AVAILABLE_WHEN_DONOR=0
-
-#
-# Perform the query to check the wsrep_local_state
-#
-WSREP_STATUS=`mysql --user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} -e "SHOW STATUS LIKE 'wsrep_local_state';" 2>${ERR_FILE} | awk '{if (NR!=1){print $2}}' 2>${ERR_FILE}`
-
-if [[ "${WSREP_STATUS}" == "4" ]] || [[ "${WSREP_STATUS}" == "2" && ${AVAILABLE_WHEN_DONOR} == 1 ]]
-then
- # Percona XtraDB Cluster node local state is 'Synced' => return HTTP 200
- /bin/echo -en "HTTP/1.1 200 OK\r\n"
- /bin/echo -en "Content-Type: text/plain\r\n"
- /bin/echo -en "\r\n"
- /bin/echo -en "Mariadb Cluster Node is synced.\r\n"
- /bin/echo -en "\r\n"
-else
- # Percona XtraDB Cluster node local state is not 'Synced' => return HTTP 503
- /bin/echo -en "HTTP/1.1 503 Service Unavailable\r\n"
- /bin/echo -en "Content-Type: text/plain\r\n"
- /bin/echo -en "\r\n"
- /bin/echo -en "Mariadb Cluster Node is not synced.\r\n"
- /bin/echo -en "\r\n"
-fi
diff --git a/templates/munin/munin-node.conf.Ubuntu b/templates/munin/munin-node.conf.Ubuntu
deleted file mode 100644
index 49a49c79..00000000
--- a/templates/munin/munin-node.conf.Ubuntu
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Example config-file for munin-node
-#
-
-log_level 4
-log_file /var/log/munin/munin-node.log
-pid_file /var/run/munin/munin-node.pid
-
-background 1
-setsid 1
-
-user root
-group root
-
-
-# Regexps for files to ignore
-ignore_file [\#~]$
-ignore_file DEADJOE$
-ignore_file \.bak$
-ignore_file %$
-ignore_file \.dpkg-(tmp|new|old|dist)$
-ignore_file \.rpm(save|new)$
-ignore_file \.pod$
-
-# Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
-#
-#host_name localhost.localdomain
-
-# A list of addresses that are allowed to connect. This must be a
-# regular expression, since Net::Server does not understand CIDR-style
-# network notation unless the perl module Net::CIDR is installed. You
-# may repeat the allow line as many times as you'd like
-
-allow ^127\.0\.0\.1$
-allow ^::1$
-
-# If you have installed the Net::CIDR perl module, you can use one or more
-# cidr_allow and cidr_deny address/mask patterns. A connecting client must
-# match any cidr_allow, and not match any cidr_deny. Note that a netmask
-# *must* be provided, even if it's /32
-#
-# Example:
-#
-# cidr_allow 127.0.0.1/32
-# cidr_allow 192.0.2.0/24
-# cidr_deny 192.0.2.42/32
-
-# Which address to bind to;
-host *
-# host 127.0.0.1
-
-# And which port
-port 4949
diff --git a/templates/munin/munin-node.conf.Ubuntu.precise b/templates/munin/munin-node.conf.Ubuntu.precise
deleted file mode 100644
index 49a49c79..00000000
--- a/templates/munin/munin-node.conf.Ubuntu.precise
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Example config-file for munin-node
-#
-
-log_level 4
-log_file /var/log/munin/munin-node.log
-pid_file /var/run/munin/munin-node.pid
-
-background 1
-setsid 1
-
-user root
-group root
-
-
-# Regexps for files to ignore
-ignore_file [\#~]$
-ignore_file DEADJOE$
-ignore_file \.bak$
-ignore_file %$
-ignore_file \.dpkg-(tmp|new|old|dist)$
-ignore_file \.rpm(save|new)$
-ignore_file \.pod$
-
-# Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
-#
-#host_name localhost.localdomain
-
-# A list of addresses that are allowed to connect. This must be a
-# regular expression, since Net::Server does not understand CIDR-style
-# network notation unless the perl module Net::CIDR is installed. You
-# may repeat the allow line as many times as you'd like
-
-allow ^127\.0\.0\.1$
-allow ^::1$
-
-# If you have installed the Net::CIDR perl module, you can use one or more
-# cidr_allow and cidr_deny address/mask patterns. A connecting client must
-# match any cidr_allow, and not match any cidr_deny. Note that a netmask
-# *must* be provided, even if it's /32
-#
-# Example:
-#
-# cidr_allow 127.0.0.1/32
-# cidr_allow 192.0.2.0/24
-# cidr_deny 192.0.2.42/32
-
-# Which address to bind to;
-host *
-# host 127.0.0.1
-
-# And which port
-port 4949
diff --git a/templates/mysqlchk b/templates/mysqlchk
deleted file mode 100644
index 8de373d8..00000000
--- a/templates/mysqlchk
+++ /dev/null
@@ -1,18 +0,0 @@
-# default: on
-# description: mysqlchk
-service mysqlchk
-{
-# this is a config for xinetd, place it in /etc/xinetd.d/
- disable = no
- flags = REUSE
- socket_type = stream
- port = 9200
- wait = no
- user = nobody
- server = /usr/bin/clustercheck
- log_on_failure += USERID
- only_from = 0.0.0.0/0
- # recommended to put the IPs that need
- # to connect exclusively (security purposes)
- per_source = UNLIMITED
-}