Update roles + templates

Signed-off-by: Emilien Macchi <emilien.macchi@enovance.com>
This commit is contained in:
Emilien Macchi 2013-10-09 17:03:25 +02:00
parent 2fef9647e6
commit 6911eded2e
12 changed files with 92 additions and 431 deletions


@ -0,0 +1,92 @@
#
# Copyright (C) 2013 eNovance SAS <licensing@enovance.com>
#
# Authors: Mehdi Abaakouk <mehdi.abaakouk@enovance.com>
# Emilien Macchi <emilien.macchi@enovance.com>
# Francois Charlier <francois.charlier@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
class os_role_keystone (
$local_ip = $ipaddress_eth1,
){
$encoded_user = uriescape($os_params::keystone_db_user)
$encoded_password = uriescape($os_params::keystone_db_password)
# Configure Keystone
class { 'keystone':
enabled => true,
package_ensure => 'latest',
admin_token => $os_params::ks_admin_token,
compute_port => "8774",
verbose => false,
debug => false,
sql_connection => "mysql://${encoded_user}:${encoded_password}@${os_params::keystone_db_host}/keystone",
idle_timeout => 60,
# ToDo (EmilienM): Update to PKI tokens
token_format => "UUID",
}
keystone_config {
"token/driver": value => "keystone.token.backends.memcache.Token";
"token/expiration": value => "86400";
"memcache/servers": value => inline_template("<%= scope.lookupvar('os_params::keystone_memchached').join(',') %>");
"ec2/driver": value => "keystone.contrib.ec2.backends.sql.Ec2";
"DEFAULT/syslog_log_facility": value => 'LOG_LOCAL0';
"DEFAULT/use_syslog": value => 'yes';
}
# Keystone Endpoints + Users
class { 'keystone::roles::admin':
email => $os_params::ks_admin_email,
password => $os_params::ks_admin_password,
}
keystone_role { $os_params::keystone_roles_addons: ensure => present }
class {"keystone::endpoint":
public_address => $os_params::ks_keystone_public_host,
admin_address => $os_params::ks_keystone_admin_host,
internal_address => $os_params::ks_keystone_internal_host,
public_port => $os_params::ks_keystone_public_port,
admin_port => $os_params::keystone_admin_port,
internal_port => $os_params::keystone_port,
region => 'RegionOne',
public_protocol => $os_params::ks_keystone_public_proto
}
class{"swift::keystone::auth":
password => $os_params::ks_swift_password,
address => $os_params::ks_swift_internal_host,
port => $os_params::swift_port,
public_address => $os_params::ks_swift_public_host,
public_protocol => $os_params::ks_swift_public_proto,
public_port => $os_params::ks_swift_public_port
}
class { 'ceilometer::keystone::auth':
password => $os_params::ks_ceilometer_password,
public_address => $os_params::ks_ceilometer_public_host,
admin_address => $os_params::ks_ceilometer_admin_host,
internal_address => $os_params::ks_ceilometer_internal_host,
public_protocol => $os_params::ks_ceilometer_public_proto,
port => $os_params::ceilometer_port,
}
class{ 'swift::keystone::dispersion':
auth_pass => $os_params::ks_swift_dispersion_password
}
}
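Review bot: The `$local_ip` class parameter (default `$ipaddress_eth1`) is declared in the new file's signature but never referenced anywhere in the body; the `@@haproxy::balancermember` declarations that consumed it in the previous version are not carried over, so it is now a dead parameter. Either drop it from the parameter list or, if external callers still pass it, keep it and document that with `# $local_ip: unused since the HAProxy member declarations left this role; kept so existing callers keep working` above the `class os_role_keystone (` line. Separately, the memcache/servers line reads `scope.lookupvar('os_params::keystone_memchached')`, which looks like a misspelling of "memcached"; it only works if the variable in os_params is spelled identically, so it is worth confirming against that class rather than fixing blind.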


@ -1,253 +0,0 @@
#
# Copyright (C) 2013 eNovance SAS <licensing@enovance.com>
#
# Authors: Mehdi Abaakouk <mehdi.abaakouk@enovance.com>
# Emilien Macchi <emilien.macchi@enovance.com>
# Francois Charlier <francois.charlier@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
class os_role_keystone (
$local_ip = $ipaddress_eth1,
){
$encoded_user = uriescape($os_params::keystone_db_user)
$encoded_password = uriescape($os_params::keystone_db_password)
# Running Keystone service with WSGI and Apache2
class {'apache':
default_vhost => false
}
class { 'keystone::wsgi::apache':
port => 8082
}
apache::vhost { 'keystone_main_proxy':
servername => $::fqdn,
port => 5000,
docroot => $::keystone::params::keystone_wsgi_script_path,
docroot_owner => 'keystone',
docroot_group => 'keystone',
error_log_file => "${::fqdn}_main_error.log",
access_log_file => "${::fqdn}_main_access.log",
configure_firewall => false,
custom_fragment => inline_template('
WSGIScriptAlias / /usr/lib/cgi-bin/keystone/main
WSGIProcessGroup keystone
')
}
apache::vhost { 'keystone_admin_proxy':
servername => $::fqdn,
port => 35357,
docroot => $::keystone::params::keystone_wsgi_script_path,
docroot_owner => 'keystone',
docroot_group => 'keystone',
error_log_file => "${::fqdn}_admin_error.log",
access_log_file => "${::fqdn}_admin_access.log",
configure_firewall => false,
custom_fragment => inline_template('
WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
WSGIProcessGroup keystone
')
}
# Configure Keystone
class { 'keystone':
enabled => false,
package_ensure => 'latest',
admin_token => $os_params::ks_admin_token,
compute_port => "8774",
verbose => false,
debug => false,
sql_connection => "mysql://${encoded_user}:${encoded_password}@${os_params::keystone_db_host}/keystone",
idle_timeout => 60,
# ToDo (EmilienM): Update to PKI tokens
token_format => "UUID",
}
keystone_config {
"token/driver": value => "keystone.token.backends.memcache.Token";
"token/expiration": value => "86400";
"memcache/servers": value => inline_template("<%= scope.lookupvar('os_params::keystone_memchached').join(',') %>");
"ec2/driver": value => "keystone.contrib.ec2.backends.sql.Ec2";
"DEFAULT/syslog_log_facility": value => 'LOG_LOCAL0';
"DEFAULT/use_syslog": value => 'yes';
}
# Configure Load Balancers
@@haproxy::balancermember{"${fqdn}-keystone":
listening_service => "keystone_cluster",
server_names => $::hostname,
ipaddresses => $local_ip,
ports => $os_params::keystone_port,
options => "check inter 2000 rise 2 fall 5"
}
@@haproxy::balancermember{"${fqdn}-keystone-admin":
listening_service => "keystone_admin_cluster",
server_names => $::hostname,
ipaddresses => $local_ip,
ports => $os_params::keystone_admin_port,
options => "check inter 2000 rise 2 fall 5"
}
# Keystone Endpoints + Users
class { 'keystone::roles::admin':
email => $os_params::ks_admin_email,
password => $os_params::ks_admin_password,
}
keystone_role { $os_params::keystone_roles_addons: ensure => present }
class {"keystone::endpoint":
public_address => $os_params::ks_keystone_public_host,
admin_address => $os_params::ks_keystone_admin_host,
internal_address => $os_params::ks_keystone_internal_host,
public_port => $os_params::ks_keystone_public_port,
admin_port => $os_params::keystone_admin_port,
internal_port => $os_params::keystone_port,
region => 'RegionOne',
public_protocol => $os_params::ks_keystone_public_proto
}
class{"swift::keystone::auth":
password => $os_params::ks_swift_password,
address => $os_params::ks_swift_internal_host,
port => $os_params::swift_port,
public_address => $os_params::ks_swift_public_host,
public_protocol => $os_params::ks_swift_public_proto,
public_port => $os_params::ks_swift_public_port
}
class { 'nova::keystone::auth':
password => $os_params::ks_nova_password,
public_address => $os_params::ks_nova_public_host,
admin_address => $os_params::ks_nova_admin_host,
internal_address => $os_params::ks_nova_internal_host,
public_protocol => $os_params::ks_nova_public_proto,
cinder => true,
}
class { 'cinder::keystone::auth':
password => $os_params::ks_cinder_password,
public_address => $os_params::ks_cinder_public_host,
admin_address => $os_params::ks_cinder_admin_host,
internal_address => $os_params::ks_cinder_internal_host,
public_protocol => $os_params::ks_cinder_public_proto,
}
class { 'glance::keystone::auth':
password => $os_params::ks_glance_password,
public_address => $os_params::ks_glance_public_host,
admin_address => $os_params::ks_glance_admin_host,
internal_address => $os_params::ks_glance_internal_host,
public_protocol => $os_params::ks_glance_public_proto,
}
class { 'quantum::keystone::auth':
password => $os_params::ks_quantum_password,
public_address => $os_params::ks_quantum_public_host,
admin_address => $os_params::ks_quantum_admin_host,
internal_address => $os_params::ks_quantum_internal_host,
public_protocol => $os_params::ks_quantum_public_proto,
port => $os_params::quantum_port,
}
class { 'ceilometer::keystone::auth':
password => $os_params::ks_ceilometer_password,
public_address => $os_params::ks_ceilometer_public_host,
admin_address => $os_params::ks_ceilometer_admin_host,
internal_address => $os_params::ks_ceilometer_internal_host,
public_protocol => $os_params::ks_ceilometer_public_proto,
port => $os_params::ceilometer_port,
}
# Note for Midonet: endpoint is created manually since
# there is no Puppet module.
keystone_tenant { $os_params::glance_swift_tenant:
ensure => present,
enabled => 'True',
description => 'glance images tenant'
} ->
keystone_user { $os_params::glance_swift_user:
ensure => present,
email => "${os_params::glance_swift_user}@localhost",
password => $os_params::glance_swift_password,
tenant => $os_params::glance_swift_tenant
} ->
keystone_user_role { "${os_params::glance_swift_user}@${os_params::glance_swift_tenant}":
ensure => present,
roles => 'admin'
}
keystone_tenant { $os_params::ks_monitoring_tenant:
ensure => present,
enabled => 'True',
description => 'Monitoring Tenant'
} ->
keystone_user { $os_params::ks_monitoring_user:
ensure => present,
email => "${os_params::ks_monitoring_user}@localhost",
password => $os_params::ks_monitoring_password,
tenant => $os_params::ks_monitoring_tenant
} ->
keystone_user_role { "${os_params::ks_monitoring_user}@${os_params::ks_monitoring_tenant}":
ensure => present,
roles => 'admin'
}
# Specific to Midonet
# keystone_tenant { $os_params::ks_midonet_tenant:
# ensure => present,
# enabled => 'True',
# description => 'Midonet Tenant'
# } ->
# keystone_user { $os_params::ks_midonet_username:
# ensure => present,
# email => "${os_params::ks_midonet_tenant}@localhost",
# password => $os_params::ks_midonet_password,
# tenant => $os_params::ks_midonet_tenant
# } ->
# keystone_user_role { "${os_params::ks_midonet_user}@${os_params::ks_midonet_tenant}":
# ensure => present,
# roles => ${os_params::ks_midonet_role}
# }
class{ 'swift::keystone::dispersion':
auth_pass => $os_params::ks_swift_dispersion_password
}
# Waiting apache is configured before using keystone (because of WSGI)
Service['httpd'] -> Keystone_tenant <| |>
Service['httpd'] -> Keystone_user <| |>
Service['httpd'] -> Keystone_role <| |>
Service['httpd'] -> Keystone_service <| |>
Service['httpd'] -> Keystone_user_role <| |>
Service['httpd'] -> Keystone_endpoint <| |>
# Due to Keystone WSGI, db need to be sync manually
exec { 'keystone-manage db_sync':
path => '/usr/bin',
user => 'keystone',
refreshonly => true,
notify => Service['keystone'],
subscribe => Package['keystone'],
require => User['keystone'],
}
}


@ -34,4 +34,3 @@ class os_ceilometer{
# Ceilometer Central Agent is defined in site.pp since it must be installed on only node (not able to scale-out) # Ceilometer Central Agent is defined in site.pp since it must be installed on only node (not able to scale-out)
} }

roles/misc/mysql.pp Normal file


@ -1,15 +0,0 @@
#!/bin/bash
MYSQL_USERNAME="clustercheckuser"
MYSQL_PASSWORD="clustercheckpassword!"
ERR_FILE="/dev/null"
AVAILABLE_WHEN_DONOR=0
WSREP_STATUS=`mysql --user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} -e "SHOW STATUS LIKE 'wsrep_local_state';" 2>${ERR_FILE} | awk '{if (NR!=1){print $2}}' 2>${ERR_FILE}`
if [[ "${WSREP_STATUS}" == "4" ]] || [[ "${WSREP_STATUS}" == "2" && ${AVAILABLE_WHEN_DONOR} == 1 ]]; then
echo "OK - Percona XtraDB Cluster Node is synced."
exit 0
else
echo "CRITICAL - Percona XtraDB Cluster Node is not synced."
exit 2
fi


@ -1,36 +0,0 @@
#!/bin/bash
#
# Script to make a proxy (ie HAProxy) capable of monitoring Percona XtraDB Cluster nodes properly
#
# Author: Olaf van Zandwijk <olaf.vanzandwijk@nedap.com>
# Documentation and download: https://github.com/olafz/percona-clustercheck
#
# Based on the original script from Unai Rodriguez
#
MYSQL_USERNAME="clustercheckuser"
MYSQL_PASSWORD="clustercheckpassword!"
ERR_FILE="/dev/null"
AVAILABLE_WHEN_DONOR=0
#
# Perform the query to check the wsrep_local_state
#
WSREP_STATUS=`mysql --user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} -e "SHOW STATUS LIKE 'wsrep_local_state';" 2>${ERR_FILE} | awk '{if (NR!=1){print $2}}' 2>${ERR_FILE}`
if [[ "${WSREP_STATUS}" == "4" ]] || [[ "${WSREP_STATUS}" == "2" && ${AVAILABLE_WHEN_DONOR} == 1 ]]
then
# Percona XtraDB Cluster node local state is 'Synced' => return HTTP 200
/bin/echo -en "HTTP/1.1 200 OK\r\n"
/bin/echo -en "Content-Type: text/plain\r\n"
/bin/echo -en "\r\n"
/bin/echo -en "Mariadb Cluster Node is synced.\r\n"
/bin/echo -en "\r\n"
else
# Percona XtraDB Cluster node local state is not 'Synced' => return HTTP 503
/bin/echo -en "HTTP/1.1 503 Service Unavailable\r\n"
/bin/echo -en "Content-Type: text/plain\r\n"
/bin/echo -en "\r\n"
/bin/echo -en "Mariadb Cluster Node is not synced.\r\n"
/bin/echo -en "\r\n"
fi


@ -1,54 +0,0 @@
#
# Example config-file for munin-node
#
log_level 4
log_file /var/log/munin/munin-node.log
pid_file /var/run/munin/munin-node.pid
background 1
setsid 1
user root
group root
# Regexps for files to ignore
ignore_file [\#~]$
ignore_file DEADJOE$
ignore_file \.bak$
ignore_file %$
ignore_file \.dpkg-(tmp|new|old|dist)$
ignore_file \.rpm(save|new)$
ignore_file \.pod$
# Set this if the client doesn't report the correct hostname when
# telnetting to localhost, port 4949
#
#host_name localhost.localdomain
# A list of addresses that are allowed to connect. This must be a
# regular expression, since Net::Server does not understand CIDR-style
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
allow ^127\.0\.0\.1$
allow ^::1$
# If you have installed the Net::CIDR perl module, you can use one or more
# cidr_allow and cidr_deny address/mask patterns. A connecting client must
# match any cidr_allow, and not match any cidr_deny. Note that a netmask
# *must* be provided, even if it's /32
#
# Example:
#
# cidr_allow 127.0.0.1/32
# cidr_allow 192.0.2.0/24
# cidr_deny 192.0.2.42/32
# Which address to bind to;
host *
# host 127.0.0.1
# And which port
port 4949


@ -1,54 +0,0 @@
#
# Example config-file for munin-node
#
log_level 4
log_file /var/log/munin/munin-node.log
pid_file /var/run/munin/munin-node.pid
background 1
setsid 1
user root
group root
# Regexps for files to ignore
ignore_file [\#~]$
ignore_file DEADJOE$
ignore_file \.bak$
ignore_file %$
ignore_file \.dpkg-(tmp|new|old|dist)$
ignore_file \.rpm(save|new)$
ignore_file \.pod$
# Set this if the client doesn't report the correct hostname when
# telnetting to localhost, port 4949
#
#host_name localhost.localdomain
# A list of addresses that are allowed to connect. This must be a
# regular expression, since Net::Server does not understand CIDR-style
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
allow ^127\.0\.0\.1$
allow ^::1$
# If you have installed the Net::CIDR perl module, you can use one or more
# cidr_allow and cidr_deny address/mask patterns. A connecting client must
# match any cidr_allow, and not match any cidr_deny. Note that a netmask
# *must* be provided, even if it's /32
#
# Example:
#
# cidr_allow 127.0.0.1/32
# cidr_allow 192.0.2.0/24
# cidr_deny 192.0.2.42/32
# Which address to bind to;
host *
# host 127.0.0.1
# And which port
port 4949


@ -1,18 +0,0 @@
# default: on
# description: mysqlchk
service mysqlchk
{
# this is a config for xinetd, place it in /etc/xinetd.d/
disable = no
flags = REUSE
socket_type = stream
port = 9200
wait = no
user = nobody
server = /usr/bin/clustercheck
log_on_failure += USERID
only_from = 0.0.0.0/0
# recommended to put the IPs that need
# to connect exclusively (security purposes)
per_source = UNLIMITED
}