stackforge/puppet-openstack-cloud
Code Issues Proposed changes

keyring: use a specific group for permissions

Browse Source 
- create a group 'cephkeyring'
- ensure nova and cinder are part of this group.

Note: I don't use Puppet to manage the users, since it's already managed
by puppet-cinder and puppet-nova.

Bug #402
This commit is contained in:
Emilien Macchi 2014-04-11 11:16:25 +02:00
parent a9bb8537d5
commit 9c73677a19
5 changed files with 40 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
manifests/compute/hypervisor.pp
View File

@ -141,14 +141,28 @@ Host *
Exec <<| tag == 'get_or_set_virsh_secret' |>> Exec <<| tag == 'get_or_set_virsh_secret' |>>
Exec <<| tag == 'set_secret_value_virsh' |>> Exec <<| tag == 'set_secret_value_virsh' |>>
# Configure Ceph keyring
Ceph::Key <<| title == $cinder_rbd_user |>> Ceph::Key <<| title == $cinder_rbd_user |>>
# If Cinder & Nova reside on the same node, we need a group
# where nova & cinder users have read permissions.
ensure_resource('group', 'cephkeyring', {
ensure => 'present'
})
# puppet-nova already manages 'nova' user
# we just want to ensure nova is part of the group.
ensure_resource('exec', 'add-nova-to-cephkeyring-group', {
command => 'useradd -G cephkeyring nova || true'
})
ensure_resource('file', "/etc/ceph/ceph.client.${cinder_rbd_user}.keyring", { ensure_resource('file', "/etc/ceph/ceph.client.${cinder_rbd_user}.keyring", {
owner => 'cinder', owner => 'cephkeyring',
group => 'cinder', group => 'cephkeyring',
mode => '0444', mode => '0400',
require => "Ceph::Key[${cinder_rbd_user}]", require => "Ceph::Key[${cinder_rbd_user}]",
}) })
Concat::Fragment <<| title == 'ceph-client-os' |>> Concat::Fragment <<| title == 'ceph-client-os' |>>
} else { } else {
$libvirt_disk_cachemodes_real = [] $libvirt_disk_cachemodes_real = []

20
manifests/volume/backend/rbd.pp
View File

@ -73,12 +73,26 @@ define cloud::volume::backend::rbd (
# Configure Ceph keyring # Configure Ceph keyring
Ceph::Key <<| title == $rbd_user |>> Ceph::Key <<| title == $rbd_user |>>
# If Cinder & Nova reside on the same node, we need a group
# where nova & cinder users have read permissions.
ensure_resource('group', 'cephkeyring', {
ensure => 'present'
})
# puppet-nova already manages 'cinder' user
# we just want to ensure cinder is part of the group.
ensure_resource('exec', 'add-cinder-to-cephkeyring-group', {
command => 'useradd -G cephkeyring cinder || true'
})
ensure_resource('file', "/etc/ceph/ceph.client.${rbd_user}.keyring", { ensure_resource('file', "/etc/ceph/ceph.client.${rbd_user}.keyring", {
owner => 'cinder', owner => 'cephkeyring',
group => 'cinder', group => 'cephkeyring',
mode => '0444', mode => '0400',
require => "Ceph::Key[${rbd_user}]", require => "Ceph::Key[${rbd_user}]",
}) })
Concat::Fragment <<| title == 'ceph-client-os' |>> Concat::Fragment <<| title == 'ceph-client-os' |>>
@cinder::type { $volume_backend_name: @cinder::type { $volume_backend_name:

4
spec/classes/cloud_compute_hypervisor_spec.rb
View File

@ -233,12 +233,14 @@ describe 'cloud::compute::hypervisor' do
should contain_class('ceilometer::agent::compute') should contain_class('ceilometer::agent::compute')
end end
it 'configure nova-conpute to support RBD backend' do it 'configure nova-compute to support RBD backend' do
should contain_nova_config('DEFAULT/libvirt_images_type').with('value' => 'rbd') should contain_nova_config('DEFAULT/libvirt_images_type').with('value' => 'rbd')
should contain_nova_config('DEFAULT/libvirt_images_rbd_pool').with('value' => 'nova') should contain_nova_config('DEFAULT/libvirt_images_rbd_pool').with('value' => 'nova')
should contain_nova_config('DEFAULT/libvirt_images_rbd_ceph_conf').with('value' => '/etc/ceph/ceph.conf') should contain_nova_config('DEFAULT/libvirt_images_rbd_ceph_conf').with('value' => '/etc/ceph/ceph.conf')
should contain_nova_config('DEFAULT/rbd_user').with('value' => 'cinder') should contain_nova_config('DEFAULT/rbd_user').with('value' => 'cinder')
should contain_nova_config('DEFAULT/rbd_secret_uuid').with('value' => 'secrete') should contain_nova_config('DEFAULT/rbd_secret_uuid').with('value' => 'secrete')
should contain_exec('add-nova-to-cephkeyring-group').with( :command => 'useradd -G cephkeyring nova || true')
should contain_group('cephkeyring').with(:ensure => 'present')
end end
it 'configure nova-compute with extra parameters' do it 'configure nova-compute with extra parameters' do

2
spec/classes/cloud_volume_controller_spec.rb
View File

@ -100,7 +100,7 @@ describe 'cloud::volume::controller' do
:default_volume_type => nil :default_volume_type => nil
) )
end end
xit 'should raise an error and fail' do it 'should raise an error and fail' do
should compile.and_raise_error(/when using multi-backend, you should define a default_volume_type value in cloud::volume::controller/) should compile.and_raise_error(/when using multi-backend, you should define a default_volume_type value in cloud::volume::controller/)
end end
end end

2
spec/classes/cloud_volume_storage_spec.rb
View File

@ -106,6 +106,8 @@ describe 'cloud::volume::storage' do
:os_password => 'secret', :os_password => 'secret',
:os_auth_url => 'http://keystone.host:5000/v2.0' :os_auth_url => 'http://keystone.host:5000/v2.0'
) )
should contain_exec('add-cinder-to-cephkeyring-group').with( :command => 'useradd -G cephkeyring cinder || true')
should contain_group('cephkeyring').with(:ensure => 'present')
end end
end end