Emilien Macchi 5102e5130a Advanced Firewalling feature
This patch enables Firewalling in this Puppet modules in a flexible way.

* Enable firewalling optionally (disabled by default).
* Enable 'pre' firewalling with default rules.
* Enable 'post' firewalling with DROP rule, with a debug option to
  disable it.
* Enable default rules for all services (OpenStack, etc).
* Ability to add custom firewall rules with Hiera
* Update puppetlabs-firewall refs
* Refactor unit tests
2014-11-16 21:36:42 +01:00


#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::object::storage
#
# Swift Storage node.
#
# Configures the account, container and object servers of one storage node,
# the rsync module defaults used by swift::storage, the storage devices, the
# exported ring entries this node contributes, and (when
# $::cloud::manage_firewall is set) the firewall rules that open the storage
# ports.
#
# === Parameters:
#
# [*storage_eth*]
#   (optional) IP address the storage servers bind to (storage_local_net_ip)
#   and the address published in this node's exported ring entries.
#   Default to '127.0.0.1'
#
# [*swift_zone*]
#   (optional) Swift zone recorded in the exported ring device entries.
#   Default to undef
#
# [*object_port*]
#   (optional) TCP port of the object server.
#   Default to '6000'
#
# [*container_port*]
#   (optional) TCP port of the container server.
#   Default to '6001'
#
# [*account_port*]
#   (optional) TCP port of the account server.
#   Default to '6002'
#
# [*fstype*]
#   (optional) Filesystem type of the storage devices; selects the
#   swift::storage::<fstype> defined type the devices are declared with.
#   Default to 'xfs'
#
# [*device_config_hash*]
#   (optional) Hash handed to create_resources() for swift::storage::<fstype>.
#   Its keys are presumably device names (they are appended to
#   "<storage_eth>:<object_port>/" to form the object ring entries and passed
#   to cloud::object::set_io_scheduler).
#   Default to {}
#
# [*ring_container_device*]
#   (optional) Device name advertised in this node's exported container ring
#   entry.
#   Default to 'sdb'
#
# [*ring_account_device*]
#   (optional) Device name advertised in this node's exported account ring
#   entry.
#   Default to 'sdb'
#
# [*firewall_settings*]
#   (optional) Hash of extra parameters merged into every firewall rule this
#   class declares (the three storage ports and rsync on 873).
#   Should be an hash.
#   NOTE(review): the rules themselves set only the port, so with the default
#   {} nothing restricts the source address -- the storage services and the
#   rsync daemon end up reachable from any network the firewall accepts.
#   Operators should pass a source restriction here (e.g. the storage network
#   CIDR); confirm that cloud::firewall::rule forwards such keys from extras.
#   Default to {}
#
class cloud::object::storage (
  $storage_eth           = '127.0.0.1',
  $swift_zone            = undef,
  $object_port           = '6000',
  $container_port        = '6001',
  $account_port          = '6002',
  $fstype                = 'xfs',
  $device_config_hash    = {},
  $ring_container_device = 'sdb',
  $ring_account_device   = 'sdb',
  $firewall_settings     = {},
) {

  include 'cloud::object'

  # Every storage server binds to and advertises the storage address only.
  class { 'swift::storage':
    storage_local_net_ip => $storage_eth,
  }

  # Resource defaults for the rsync modules used by swift replication.
  # Note that go=rX leaves the transferred files readable by group/other on
  # the receiving node.
  Rsync::Server::Module {
    incoming_chmod => 'u=rwX,go=rX',
    outgoing_chmod => 'u=rwX,go=rX',
  }

  # Resource defaults shared by the three swift::storage::server instances
  # declared below.
  Swift::Storage::Server {
    #devices => $devices,
    storage_local_net_ip   => $storage_eth,
    # One worker per two CPUs (Ruby integer division: a single-CPU host
    # yields 0).
    workers                => inline_template('<%= @processorcount.to_i / 2 %>'),
    replicator_concurrency => 2,
    updater_concurrency    => 1,
    reaper_concurrency     => 1,
    require                => Class['swift'],
    # Keep swift's mount_check enabled so a device directory that is not a
    # mount point is not served from (presumably the reason it is forced on
    # here rather than left to the module default).
    mount_check            => true,
  }

  # concurrency at 2 and 1 seems better see
  # http://docs.openstack.org/trunk/openstack-object-storage/admin/content/general-service-tuning.html
  swift::storage::server { $account_port:
    type             => 'account',
    config_file_path => 'account-server.conf',
    pipeline         => ['healthcheck', 'account-server'],
    log_facility     => 'LOG_LOCAL2',
  }

  swift::storage::server { $container_port:
    type             => 'container',
    config_file_path => 'container-server.conf',
    # The workers value is abused to smuggle two extra settings
    # (db_preallocation, allow_versions) into container-server.conf: the
    # rendered template is written after "workers =" and the following lines
    # become their own config keys. This relies on the value being written
    # verbatim, and the continuation lines must stay at column 0 -- leading
    # whitespace would change the emitted config file.
    workers          => inline_template("<%= @processorcount.to_i / 2 %>
db_preallocation = on
allow_versions = on
"), # great hack :(
    pipeline         => ['healthcheck', 'container-server'],
    log_facility     => 'LOG_LOCAL4',
  }

  swift::storage::server { $object_port:
    type             => 'object',
    config_file_path => 'object-server.conf',
    pipeline         => ['healthcheck', 'recon', 'object-server'],
    log_facility     => 'LOG_LOCAL6',
  }

  # The recon and healthcheck filters referenced in the pipelines above are
  # declared once for each of the three server types.
  $swift_components = ['account', 'container', 'object']
  swift::storage::filter::recon { $swift_components : }
  swift::storage::filter::healthcheck { $swift_components : }

  # Declare the storage devices with the defined type matching $fstype and
  # set the I/O scheduler on each of them (one resource per device key).
  create_resources("swift::storage::${fstype}", $device_config_hash)
  ensure_resource('cloud::object::set_io_scheduler', keys($device_config_hash))

  # Exported ring entries ("<ip>:<port>/<device>") for this node; they are
  # collected elsewhere (presumably where the rings are built). Container and
  # account rings get one entry each, the object ring one per device key.
  @@ring_container_device { "${storage_eth}:${container_port}/${ring_container_device}":
    zone   => $swift_zone,
    weight => '100.0',
  }

  @@ring_account_device { "${storage_eth}:${account_port}/${ring_account_device}":
    zone   => $swift_zone,
    weight => '100.0',
  }

  $object_urls = prefix(keys($device_config_hash), "${storage_eth}:${object_port}/")
  @@ring_object_device {$object_urls:
    zone   => $swift_zone,
    weight => '100.0',
  }

  # Collect the exported ring sync and order it before the storage servers:
  # container, then account, then object.
  Swift::Ringsync<<| |>> ->
  Swift::Storage::Server[$container_port] ->
  Swift::Storage::Server[$account_port] ->
  Swift::Storage::Server[$object_port]

  # NOTE(review): none of these rules restricts the source address -- only
  # the port is set and $firewall_settings is merged in as-is. Unless the
  # caller supplies a source, the storage servers and the rsync daemon (873)
  # are opened to every address the firewall accepts. These are backend
  # services; they should be limited to the storage network.
  if $::cloud::manage_firewall {
    cloud::firewall::rule{ '100 allow swift-container access':
      port   => $container_port,
      extras => $firewall_settings,
    }
    cloud::firewall::rule{ '100 allow swift-account access':
      port   => $account_port,
      extras => $firewall_settings,
    }
    cloud::firewall::rule{ '100 allow swift-object access':
      port   => $object_port,
      extras => $firewall_settings,
    }
    # rsync is used by swift replication between storage nodes.
    cloud::firewall::rule{ '100 allow swift rsync access':
      port   => '873',
      extras => $firewall_settings,
    }
  }

}