diff --git a/modules/puppet-dcmanager/PKG_INFO b/modules/puppet-dcmanager/PKG_INFO
new file mode 100644
index 000000000..fca292742
--- /dev/null
+++ b/modules/puppet-dcmanager/PKG_INFO
@@ -0,0 +1,2 @@
+Name: puppet-dcmanager
+Version: 1.0.0
diff --git a/modules/puppet-dcmanager/centos/build_srpm.data b/modules/puppet-dcmanager/centos/build_srpm.data
new file mode 100644
index 000000000..29c4710a7
--- /dev/null
+++ b/modules/puppet-dcmanager/centos/build_srpm.data
@@ -0,0 +1,3 @@
+SRC_DIR="src"
+COPY_LIST="$SRC_DIR/LICENSE"
+TIS_PATCH_VER=1
diff --git a/modules/puppet-dcmanager/centos/puppet-dcmanager.spec b/modules/puppet-dcmanager/centos/puppet-dcmanager.spec
new file mode 100644
index 000000000..6124c98e9
--- /dev/null
+++ b/modules/puppet-dcmanager/centos/puppet-dcmanager.spec
@@ -0,0 +1,35 @@
+%global module_dir dcmanager
+
+Name: puppet-%{module_dir}
+Version: 1.0.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+Summary: Puppet dcmanager module
+License: Apache
+Packager: Wind River
+
+URL: unknown
+
+Source0: %{name}-%{version}.tar.gz
+Source1: LICENSE
+
+BuildArch: noarch
+
+BuildRequires: python2-devel
+
+%description
+A puppet module for dcmanager
+
+%prep
+%autosetup -c %{module_dir}
+
+#
+# The src for this puppet module needs to be staged to puppet/modules
+#
+%install
+install -d -m 0755 %{buildroot}%{_datadir}/puppet/modules/%{module_dir}
+cp -R %{name}-%{version}/%{module_dir} %{buildroot}%{_datadir}/puppet/modules
+
+%files
+%license %{name}-%{version}/LICENSE
+%{_datadir}/puppet/modules/%{module_dir}
+
diff --git a/modules/puppet-dcmanager/src/LICENSE b/modules/puppet-dcmanager/src/LICENSE
new file mode 100644
index 000000000..8d968b6cb
--- /dev/null
+++ b/modules/puppet-dcmanager/src/LICENSE
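Review bot: `BuildRequires: python2-devel` in the spec is not used by any visible build step — `%prep`, `%install` and `%files` only unpack and copy files for a `noarch` Puppet module — so it should be dropped unless the surrounding build system needs it for reasons outside this commit. `License: Apache` is also less precise than the `SPDX-License-Identifier: Apache-2.0` header that the Ruby sources in this commit carry; `License: Apache-2.0` keeps the package metadata consistent with the sources. `URL: unknown` is a placeholder that would better point at the project page or be omitted.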
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-dcmanager/src/dcmanager/.fixtures.yml b/modules/puppet-dcmanager/src/dcmanager/.fixtures.yml new file mode 100644 index 000000000..8d2e42996 --- /dev/null +++ b/modules/puppet-dcmanager/src/dcmanager/.fixtures.yml 
@@ -0,0 +1,19 @@
+fixtures:
+ repositories:
+ "apt": "git://github.com/puppetlabs/puppetlabs-apt.git"
+ "keystone": "git://github.com/stackforge/puppet-keystone.git"
+ "mysql":
+ repo: "git://github.com/puppetlabs/puppetlabs-mysql.git"
+ ref: 'origin/0.x'
+ "stdlib": "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+ "sysctl": "git://github.com/duritong/puppet-sysctl.git"
+ "rabbitmq":
+ repo: "git://github.com/puppetlabs/puppetlabs-rabbitmq"
+ ref: 'origin/2.x'
+ "inifile": "git://github.com/puppetlabs/puppetlabs-inifile"
+ "qpid": "git://github.com/dprince/puppet-qpid.git"
+ 'postgresql':
+ repo: "git://github.com/puppetlabs/puppet-postgresql.git"
+ ref: 'origin/4.1.x'
+ symlinks:
+ "dcmanager": "#{source_dir}"
diff --git a/modules/puppet-dcmanager/src/dcmanager/Gemfile b/modules/puppet-dcmanager/src/dcmanager/Gemfile
new file mode 100644
index 000000000..89f2e1b25
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/Gemfile
@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+group :development, :test do
+ gem 'puppetlabs_spec_helper', :require => false
+ gem 'puppet-lint', '~> 0.3.2'
+end
+
+if puppetversion = ENV['PUPPET_GEM_VERSION']
+ gem 'puppet', puppetversion, :require => false
+else
+ gem 'puppet', :require => false
+end
+
+# vim:ft=ruby
diff --git a/modules/puppet-dcmanager/src/dcmanager/LICENSE b/modules/puppet-dcmanager/src/dcmanager/LICENSE
new file mode 100644
index 000000000..8d968b6cb
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/LICENSE
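Review bot: Every fixture repository in `.fixtures.yml` is fetched over `git://`, a transport that is neither encrypted nor authenticated, so the test dependencies the spec helper clones can be altered in transit; switching each URL to `https://` (for example `"apt": "https://github.com/puppetlabs/puppetlabs-apt.git"`) removes that exposure and matches what GitHub still serves. Only `mysql`, `rabbitmq` and `postgresql` pin a `ref`, so the remaining fixtures track whatever their default branch holds at clone time; pinning a `ref` for each keeps the test environment reproducible. The `stackforge` organisation referenced for `puppet-keystone` has since been retired, so that fixture may no longer resolve.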
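Review bot: `if puppetversion = ENV['PUPPET_GEM_VERSION']` in the Gemfile assigns inside the condition, which reads like a mistyped `==` and trips RuboCop's Lint/AssignmentInCondition; splitting it into `puppetversion = ENV['PUPPET_GEM_VERSION']` followed by `if puppetversion` keeps the behaviour and makes the intent explicit. `puppetlabs_spec_helper` is also left unconstrained while `puppet-lint` is pinned to `~> 0.3.2`; giving the helper a version range as well keeps test runs reproducible.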
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-dcmanager/src/dcmanager/Modulefile b/modules/puppet-dcmanager/src/dcmanager/Modulefile new file mode 100644 index 000000000..456eacefe --- /dev/null +++ b/modules/puppet-dcmanager/src/dcmanager/Modulefile 
@@ -0,0 +1,14 @@
+name 'puppetlabs-dcmanager'
+version '2.1.0'
+source 'https://github.com/stackforge/puppet-dcmanager'
+author 'Puppet Labs'
+license 'Apache License 2.0'
+summary 'Puppet Labs dcmanager Module'
+description 'Puppet module to install and configure the dcmanager platform service'
+project_page 'https://launchpad.net/puppet-openstack'
+
+dependency 'puppetlabs/inifile', '>=1.0.0 <2.0.0'
+dependency 'puppetlabs/mysql', '>=0.6.1 <1.0.0'
+dependency 'puppetlabs/stdlib', '>=2.5.0'
+dependency 'puppetlabs/rabbitmq', '>=2.0.2 <3.0.0'
+dependency 'dprince/qpid', '>=1.0.0 <2.0.0'
diff --git a/modules/puppet-dcmanager/src/dcmanager/Rakefile b/modules/puppet-dcmanager/src/dcmanager/Rakefile
new file mode 100644
index 000000000..4c2b2ed07
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/Rakefile
@@ -0,0 +1,6 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+
+PuppetLint.configuration.fail_on_warnings = true
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.send('disable_class_parameter_defaults')
diff --git a/modules/puppet-dcmanager/src/dcmanager/lib/puppet/provider/dcmanager_config/ini_setting.rb b/modules/puppet-dcmanager/src/dcmanager/lib/puppet/provider/dcmanager_config/ini_setting.rb
new file mode 100644
index 000000000..03a44fd7d
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/lib/puppet/provider/dcmanager_config/ini_setting.rb
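Review bot: The Modulefile metadata disagrees with the rest of this commit: `version '2.1.0'` while `PKG_INFO` and the spec declare `1.0.0`, and `name 'puppetlabs-dcmanager'`, `author 'Puppet Labs'` and a `stackforge` `source` URL look copied from an upstream template rather than describing this Wind River module. The `puppetlabs/mysql`, `puppetlabs/rabbitmq` and `dprince/qpid` dependencies are not referenced by any manifest visible in this commit, though most of the manifests are outside this view. Aligning the version and ownership fields with `PKG_INFO` and pruning dependencies that nothing uses avoids pulling in modules the package never needs.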
@@ -0,0 +1,37 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Dec 2017 Creation based off puppet-sysinv
+#
+
+Puppet::Type.type(:dcmanager_config).provide(
+ :ini_setting,
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ def self.file_path
+ '/etc/dcmanager/dcmanager.conf'
+ end
+
+ # added for backwards compatibility with older versions of inifile
+ def file_path
+ self.class.file_path
+ end
+
+end
diff --git a/modules/puppet-dcmanager/src/dcmanager/lib/puppet/type/dcmanager_config.rb b/modules/puppet-dcmanager/src/dcmanager/lib/puppet/type/dcmanager_config.rb
new file mode 100644
index 000000000..ebd345466
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/lib/puppet/type/dcmanager_config.rb
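Review bot: The provider carries no comment stating how a resource title is decomposed, and the `split('/', 2)` in `section` and `setting` is the only place that rule lives; a header comment above the `provide(` call such as `# Titles are 'section/setting'; only the first '/' separates the two, so the setting name may itself contain '/'.` would make the contract visible to anyone reading the type's `newvalues` regex. The `Copyright (c) 2013-2016` line also sits two lines above a `Dec 2017 Creation` note, so the year range looks stale for a file this commit creates.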
@@ -0,0 +1,52 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Dec 2017 Creation based off puppet-sysinv
+#
+
+Puppet::Type.newtype(:dcmanager_config) do
+
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/dcmanager/dcmanager.conf'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/api.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/api.pp
new file mode 100644
index 000000000..067a45bbc
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/manifests/api.pp
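Review bot: Neither regex in the type pins the whole string: `newvalues(/\S+\/\S+/)` appears to be applied as an unanchored match, so a title such as `a b/c` passes even though `\S` was meant to forbid whitespace, and `value =~ /^(true|false)$/i` uses `^`/`$`, which match at line boundaries inside a multi-line value and would capitalize only its first line. Anchoring both with `\A` and `\z` — `newvalues(/\A\S+\/\S+\z/)` and `value.capitalize! if value =~ /\A(true|false)\z/i` — enforces the intended whole-string match without changing which single-line inputs are accepted. The explicit `return` statements in `is_to_s` and `should_to_s` are also unidiomatic, since the `if`/`else` expression already yields the value.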
@@ -0,0 +1,208 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# + +# == Class: dcmanager::api +# +# Setup and configure the dcmanager API endpoint +# +# === Parameters +# +# [*keystone_password*] +# The password to use for authentication (keystone) +# +# [*keystone_enabled*] +# (optional) Use keystone for authentification +# Defaults to true +# +# [*keystone_tenant*] +# (optional) The tenant of the auth user +# Defaults to services +# +# [*keystone_user*] +# (optional) The name of the auth user +# Defaults to dcmanager +# +# [*keystone_auth_host*] +# (optional) The keystone host +# Defaults to localhost +# +# [*keystone_auth_port*] +# (optional) The keystone auth port +# Defaults to 5000 +# +# [*keystone_auth_protocol*] +# (optional) The protocol used to access the auth host +# Defaults to http. +# +# [*keystone_auth_admin_prefix*] +# (optional) The admin_prefix used to admin endpoint of the auth host +# This allow admin auth URIs like http://auth_host:5000/keystone. +# (where '/keystone' is the admin prefix) +# Defaults to false for empty. If defined, should be a string with a +# leading '/' and no trailing '/'. +# +# [*keystone_user_domain*] +# (Optional) domain name for auth user. +# Defaults to 'Default'. +# +# [*keystone_project_domain*] +# (Optional) domain name for auth project. +# Defaults to 'Default'. +# +# [*auth_type*] +# (Optional) Authentication type to load. +# Defaults to 'password'. 
+# +# [*service_port*] +# (optional) The dcmanager api port +# Defaults to 5000 +# +# [*package_ensure*] +# (optional) The state of the package +# Defaults to present +# +# [*bind_host*] +# (optional) The dcmanager api bind address +# Defaults to 0.0.0.0 +# +# [*pxeboot_host*] +# (optional) The dcmanager api pxeboot address +# Defaults to undef +# +# [*enabled*] +# (optional) The state of the service +# Defaults to true +# +class dcmanager::api ( + $keystone_password, + $keystone_admin_password, + $keystone_admin_user = 'admin', + $keystone_admin_tenant = 'admin', + $keystone_enabled = true, + $keystone_tenant = 'services', + $keystone_user = 'dcmanager', + $keystone_auth_host = 'localhost', + $keystone_auth_port = '5000', + $keystone_auth_protocol = 'http', + $keystone_auth_admin_prefix = false, + $keystone_auth_uri = false, + $keystone_auth_version = false, + $keystone_identity_uri = false, + $keystone_user_domain = 'Default', + $keystone_project_domain = 'Default', + $auth_type = 'password', + $service_port = '5000', + $package_ensure = 'latest', + $bind_host = '0.0.0.0', + $enabled = false +) { + + include dcmanager::params + + Dcmanager_config<||> ~> Service['dcmanager-api'] + Dcmanager_config<||> ~> Exec['dcmanager-dbsync'] + + if $::dcmanager::params::api_package { + Package['dcmanager'] -> Dcmanager_config<||> + Package['dcmanager'] -> Service['dcmanager-api'] + package { 'dcmanager': + ensure => $package_ensure, + name => $::dcmanager::params::api_package, + } + } + + dcmanager_config { + "DEFAULT/bind_host": value => $bind_host; + } + + + if $keystone_identity_uri { + dcmanager_config { 'keystone_authtoken/auth_url': value => $keystone_identity_uri; } + dcmanager_config { 'cache/auth_uri': value => "${keystone_identity_uri}/v3"; } + } else { + dcmanager_config { 'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/v3"; } + } + + if $keystone_auth_uri { + dcmanager_config { 'keystone_authtoken/auth_uri': value => 
$keystone_auth_uri; } + } else { + dcmanager_config { + 'keystone_authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/v3"; + } + } + + if $keystone_auth_version { + dcmanager_config { 'keystone_authtoken/auth_version': value => $keystone_auth_version; } + } else { + dcmanager_config { 'keystone_authtoken/auth_version': ensure => absent; } + } + + if $keystone_enabled { + dcmanager_config { + 'DEFAULT/auth_strategy': value => 'keystone' ; + } + dcmanager_config { + 'keystone_authtoken/auth_type': value => $auth_type; + 'keystone_authtoken/project_name': value => $keystone_tenant; + 'keystone_authtoken/username': value => $keystone_user; + 'keystone_authtoken/password': value => $keystone_password, secret=> true; + 'keystone_authtoken/user_domain_name': value => $keystone_user_domain; + 'keystone_authtoken/project_domain_name': value => $keystone_project_domain; + } + dcmanager_config { + 'cache/admin_tenant': value => $keystone_admin_tenant; + 'cache/admin_username': value => $keystone_admin_user; + 'cache/admin_password': value => $keystone_admin_password, secret=> true; + } + + if $keystone_auth_admin_prefix { + validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$') + dcmanager_config { + 'keystone_authtoken/auth_admin_prefix': value => $keystone_auth_admin_prefix; + } + } else { + dcmanager_config { + 'keystone_authtoken/auth_admin_prefix': ensure => absent; + } + } + } + else + { + dcmanager_config { + 'DEFAULT/auth_strategy': value => 'noauth' ; + } + } + + if $enabled { + $ensure = 'running' + } else { + $ensure = 'stopped' + } + + service { 'dcmanager-api': + ensure => $ensure, + name => $::dcmanager::params::api_service, + enable => $enabled, + hasstatus => true, + hasrestart => true, + tag => 'dcmanager-service', + } + Keystone_endpoint<||> -> Service['dcmanager-api'] + + exec { 'dcmanager-dbsync': + command => $::dcmanager::params::db_sync_command, + path => '/usr/bin', + refreshonly => true, + logoutput => 'on_failure', 
+ require => Package['dcmanager'], + # Only do the db sync if both controllers are running the same software + # version. Avoids impacting mate controller during an upgrade. + onlyif => "test $::controller_sw_versions_match = true", + } + +} diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/client.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/client.pp new file mode 100644 index 000000000..30e50302d --- /dev/null +++ b/modules/puppet-dcmanager/src/dcmanager/manifests/client.pp @@ -0,0 +1,30 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# + +# == Class: dcmanager::client +# +# Installs Dcmanager python client. +# +# === Parameters +# +# [*ensure*] +# Ensure state for package. Defaults to 'present'. +# +class dcmanager::client( + $package_ensure = 'present' +) { + + include dcmanager::params + + package { 'dcmanagerclient': + ensure => $package_ensure, + name => $::dcmanager::params::client_package, + } +} diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/db/postgresql.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/db/postgresql.pp new file mode 100644 index 000000000..2ef94a630 --- /dev/null +++ b/modules/puppet-dcmanager/src/dcmanager/manifests/db/postgresql.pp 
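Review bot: `$keystone_auth_port` is declared (default '5000') but both fallback URLs hard-code `:5000`, so overriding the port has no effect on `keystone_authtoken/auth_url` or `keystone_authtoken/auth_uri`; use `"${keystone_auth_protocol}://${keystone_auth_host}:${keystone_auth_port}/v3"` in both `else` branches. The `onlyif` on `dcmanager-dbsync` interpolates a top-scope variable unquoted into a shell test, so an unset value yields `test = true` (a shell syntax error that merely skips the sync) and any value containing whitespace changes the command's shape; `onlyif => "test '${::controller_sw_versions_match}' = 'true'"` keeps it a single-string comparison. The header has drifted from the signature: `package_ensure` is documented as present but defaults to 'latest', `enabled` as true but defaults to false, `service_port` is documented and declared but never used, `pxeboot_host` is documented but not declared, and `keystone_admin_user`, `keystone_admin_tenant`, `keystone_admin_password`, `keystone_auth_uri`, `keystone_auth_version` and `keystone_identity_uri` are undocumented.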
@@ -0,0 +1,54 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Dec 2017 Creation based off puppet-sysinv
+#
+
+# Class that configures postgresql for dcmanager
+#
+# Requires the Puppetlabs postgresql module.
+# === Parameters
+#
+# [*password*]
+# (Required) Password to connect to the database.
+#
+# [*dbname*]
+# (Optional) Name of the database.
+# Defaults to 'dcmanager'.
+#
+# [*user*]
+# (Optional) User to connect to the database.
+# Defaults to 'dcmanager'.
+#
+# [*encoding*]
+# (Optional) The charset to use for the database.
+# Default to undef.
+#
+# [*privileges*]
+# (Optional) Privileges given to the database user.
+# Default to 'ALL'
+#
+class dcmanager::db::postgresql(
+ $password,
+ $dbname = 'dcmanager',
+ $user = 'dcmanager',
+ $encoding = undef,
+ $privileges = 'ALL',
+) {
+
+ ::openstacklib::db::postgresql { 'dcmanager':
+ password_hash => postgresql_password($user, $password),
+ dbname => $dbname,
+ user => $user,
+ encoding => $encoding,
+ privileges => $privileges,
+ }
+
+ ::Openstacklib::Db::Postgresql['dcmanager'] ~> Service <| title == 'dcmanager-api' |>
+ ::Openstacklib::Db::Postgresql['dcmanager'] ~> Service <| title == 'dcmanager-manager' |>
+ ::Openstacklib::Db::Postgresql['dcmanager'] ~> Exec <| title == 'dcmanager-dbsync' |>
+}
diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/db/sync.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/db/sync.pp
new file mode 100644
index 000000000..2b338cce1
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/manifests/db/sync.pp
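Review bot: The header says `# Requires the Puppetlabs postgresql module.` but the resource declared is `::openstacklib::db::postgresql`, which comes from puppet-openstacklib; `# Requires the puppet-openstacklib module (which builds on the Puppetlabs postgresql module).` points maintainers at the right dependency. The three `~>` collectors at the bottom would benefit from a one-line comment stating that any change to the database or its role re-runs the db sync and restarts both dcmanager services.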
@@ -0,0 +1,21 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+
+class dcmanager::db::sync {
+
+ include dcmanager::params
+
+ exec { 'dcmanager-dbsync':
+ command => $::dcmanager::params::db_sync_command,
+ path => '/usr/bin',
+ refreshonly => true,
+ require => [File[$::dcmanager::params::dcmanager_conf], Class['dcmanager']],
+ logoutput => 'on_failure',
+ }
+}
diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/init.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/init.pp
new file mode 100644
index 000000000..d9ae89497
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/manifests/init.pp
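Review bot: `exec { 'dcmanager-dbsync': ... }` has the same title as the exec declared in api.pp in this change, so a node that includes both `dcmanager::db::sync` and `dcmanager::api` fails with a duplicate declaration; one class should own the resource and the other collect it with `Exec <| title == 'dcmanager-dbsync' |>`, as manager.pp and db/postgresql.pp already do. This copy also lacks the `onlyif` guard on `$::controller_sw_versions_match` that api.pp's exec carries, so the two disagree on whether a sync may run during an upgrade. The class has no header; a short `# == Class: dcmanager::db::sync` block noting that the exec is refreshonly and what it requires would match the other manifests.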
@@ -0,0 +1,110 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# + +# +# == Parameters +# +# [use_syslog] +# Use syslog for logging. +# (Optional) Defaults to false. +# +# [log_facility] +# Syslog facility to receive log lines. +# (Optional) Defaults to LOG_USER. + +class dcmanager ( + $database_connection = '', + $database_idle_timeout = 3600, + $database_max_pool_size = 5, + $database_max_overflow = 10, + $control_exchange = 'openstack', + $rabbit_host = '127.0.0.1', + $rabbit_port = 5672, + $rabbit_hosts = false, + $rabbit_virtual_host = '/', + $rabbit_userid = 'guest', + $rabbit_password = false, + $package_ensure = 'present', + $use_stderr = false, + $log_file = 'dcmanager.log', + $log_dir = '/var/log/dcmanager', + $use_syslog = false, + $log_facility = 'LOG_USER', + $verbose = false, + $debug = false, + $dcmanager_api_port = 8119, + $dcmanager_mtc_inv_label = '/v1/', + $region_name = 'RegionOne', +) { + + include dcmanager::params + + Package['dcmanager'] -> Dcmanager_config<||> + + # this anchor is used to simplify the graph between dcmanager components by + # allowing a resource to serve as a point where the configuration of dcmanager begins + anchor { 'dcmanager-start': } + + package { 'dcmanager': + ensure => $package_ensure, + name => $::dcmanager::params::package_name, + require => Anchor['dcmanager-start'], + } + + file { $::dcmanager::params::dcmanager_conf: + ensure => present, + mode => '0600', + require => Package['dcmanager'], + } + + dcmanager_config { + 'DEFAULT/transport_url': value => $::platform::amqp::params::transport_url; + } + + dcmanager_config { + 'DEFAULT/verbose': value => $verbose; + 'DEFAULT/debug': value => $debug; + } + + # Automatically add psycopg2 driver to postgresql (only does this if it is missing) + $real_connection = 
regsubst($database_connection,'^postgresql:','postgresql+psycopg2:') + + dcmanager_config { + 'database/connection': value => $real_connection, secret => true; + 'database/idle_timeout': value => $database_idle_timeout; + 'database/max_pool_size': value => $database_max_pool_size; + 'database/max_overflow': value => $database_max_overflow; + } + + if $use_syslog { + dcmanager_config { + 'DEFAULT/use_syslog': value => true; + 'DEFAULT/syslog_log_facility': value => $log_facility; + } + } else { + dcmanager_config { + 'DEFAULT/use_syslog': value => false; + 'DEFAULT/use_stderr': value => false; + 'DEFAULT/log_file' : value => $log_file; + 'DEFAULT/log_dir' : value => $log_dir; + } + } + + dcmanager_config { + 'keystone_authtoken/region_name': value => $region_name; + } + + file {"/etc/bash_completion.d/dcmanager.bash_completion": + ensure => present, + mode => '0644', + content => generate('/bin/dcmanager', 'complete'), + } + +} diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp new file mode 100644 index 000000000..98f4b315d --- /dev/null +++ b/modules/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp 
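Review bot: `'DEFAULT/transport_url'` is written without `secret => true` while `'database/connection'` in the same class is marked secret; if the value from `$::platform::amqp::params::transport_url` (defined outside this change) embeds broker credentials, the old and new URL are printed in agent logs and reports on every change — `'DEFAULT/transport_url': value => $::platform::amqp::params::transport_url, secret => true;`. The `file { $::dcmanager::params::dcmanager_conf: ... mode => '0600' }` resource manages mode but not `owner`/`group`, so when Puppet has to create the file it is root-owned and whether the dcmanager services can read it depends on the account they run as (not visible here); pinning owner and group explicitly is worth it for a file that will hold the database and keystone passwords. Several parameters are declared but never used (`control_exchange`, `rabbit_host`, `rabbit_port`, `rabbit_hosts`, `rabbit_virtual_host`, `rabbit_userid`, `rabbit_password`, `use_stderr`, `dcmanager_api_port`, `dcmanager_mtc_inv_label`), `'DEFAULT/use_stderr'` is hard-coded to false instead of `$use_stderr`, and the `== Parameters` header documents only `use_syslog` and `log_facility`.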
@@ -0,0 +1,61 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# DEC 2017: creation
+#
+
+# == Class: dcmanager::keystone::auth
+#
+# Configures dcmanager user, service and endpoint in Keystone.
+#
+class dcmanager::keystone::auth (
+ $password,
+ $auth_name = 'dcmanager',
+ $auth_domain,
+ $email = 'dcmanager@localhost',
+ $tenant = 'services',
+ $region = 'SystemController',
+ $service_description = 'DCManagerService',
+ $service_name = undef,
+ $service_type = 'dcmanager',
+ $configure_endpoint = true,
+ $configure_user = true,
+ $configure_user_role = true,
+ $public_url = 'http://127.0.0.1:8119/v1',
+ $admin_url = 'http://127.0.0.1:8119/v1',
+ $internal_url = 'http://127.0.0.1:8119/v1',
+ $admin_project_name,
+ $admin_project_domain,
+) {
+
+ $real_service_name = pick($service_name, $auth_name)
+
+ keystone::resource::service_identity { 'dcmanager':
+ configure_user => $configure_user,
+ configure_user_role => $configure_user_role,
+ configure_endpoint => $configure_endpoint,
+ service_type => $service_type,
+ service_description => $service_description,
+ service_name => $real_service_name,
+ region => $region,
+ auth_name => $auth_name,
+ password => $password,
+ email => $email,
+ tenant => $tenant,
+ public_url => $public_url,
+ admin_url => $admin_url,
+ internal_url => $internal_url,
+ } ->
+
+ keystone_user_role { "${auth_name}@${admin_project_name}":
+ ensure => present,
+ user_domain => $auth_domain,
+ project_domain => $admin_project_domain,
+ roles => ['admin'],
+ }
+
+}
diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/manager.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/manager.pp
new file mode 100644
index 000000000..5b304fb0e
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/manifests/manager.pp
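Review bot: `keystone_user_role { "${auth_name}@${admin_project_name}": ... roles => ['admin'] }` grants the dcmanager service account the admin role on the admin project on top of its service-tenant identity, with no comment on which operations need project-wide admin; a comment naming them, or an `$admin_roles = ['admin']` parameter, would let deployers apply least privilege deliberately rather than inherit it. `$auth_domain`, `$admin_project_name` and `$admin_project_domain` are required parameters placed after defaulted ones, which puppet-lint's parameter-order check flags; move them up next to `$password`. The header documents no parameters, and the three loopback `http://127.0.0.1:8119/v1` defaults deserve a line saying the real endpoint URLs are expected to be passed in.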
@@ -0,0 +1,44 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Dec 2017 Creation based off puppet-sysinv
+#
+
+class dcmanager::manager (
+ $package_ensure = 'latest',
+ $enabled = false
+) {
+
+ include dcmanager::params
+
+ Dcmanager_config<||> ~> Service['dcmanager-manager']
+
+ if $::dcmanager::params::manager_package {
+ Package['dcmanager-manager'] -> Dcmanager_config<||>
+ Package['dcmanager-manager'] -> Service['dcmanager-manager']
+ package { 'dcmanager-manager':
+ ensure => $package_ensure,
+ name => $::dcmanager::params::manager_package,
+ }
+ }
+
+ if $enabled {
+ $ensure = 'running'
+ } else {
+ $ensure = 'stopped'
+ }
+
+ service { 'dcmanager-manager':
+ ensure => $ensure,
+ name => $::dcmanager::params::manager_service,
+ enable => $enabled,
+ hasstatus => false,
+ require => Package['dcmanager'],
+ }
+
+ Exec<| title == 'dcmanager-dbsync' |> -> Service['dcmanager-manager']
+}
diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/params.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/params.pp
new file mode 100644
index 000000000..5cbfb5065
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/manifests/params.pp
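Review bot: The class has no header or parameter documentation, unlike api.pp and client.pp in the same change; a `# == Class: dcmanager::manager` block documenting `package_ensure` (defaults to 'latest') and `enabled` (defaults to false) would bring it in line. `service { 'dcmanager-manager': ... require => Package['dcmanager'] }` depends on the package declared in init.pp rather than on the `dcmanager-manager` package this class may itself declare, and it uses `hasstatus => false` where api.pp uses `hasstatus => true` with `hasrestart`; if that difference is intentional (presumably the init script lacks a status action — confirm), a one-line comment should say so.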
@@ -0,0 +1,47 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+
+class dcmanager::params {
+
+ $dcmanager_dir = '/etc/dcmanager'
+ $dcmanager_conf = '/etc/dcmanager/dcmanager.conf'
+
+ if $::osfamily == 'Debian' {
+ $package_name = 'distributedcloud-dcmanager'
+ $client_package = 'distributedcloud-client-dcmanagerclient'
+ $api_package = 'distributedcloud-dcmanager'
+ $api_service = 'dcmanager-api'
+ $manager_package = 'distributedcloud-dcmanager'
+ $manager_service = 'dcmanager-manager'
+ $db_sync_command = 'dcmanager-manage db_sync'
+
+ } elsif($::osfamily == 'RedHat') {
+
+ $package_name = 'distributedcloud-dcmanager'
+ $client_package = 'distributedcloud-client-dcmanagerclient'
+ $api_package = false
+ $api_service = 'dcmanager-api'
+ $manager_package = false
+ $manager_service = 'dcmanager-manager'
+ $db_sync_command = 'dcmanager-manage db_sync'
+
+ } elsif($::osfamily == 'WRLinux') {
+
+ $package_name = 'dcmanager'
+ $client_package = 'distributedcloud-client-dcmanagerclient'
+ $api_package = false
+ $api_service = 'dcmanager-api'
+ $manager_package = false
+ $manager_service = 'dcmanager-manager'
+ $db_sync_command = 'dcmanager-manage db_sync'
+
+ } else {
+ fail("unsuported osfamily ${::osfamily}, currently WindRiver, Debian, Redhat are the only supported platforms")
+ }
+}
diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/rabbitmq.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/rabbitmq.pp
new file mode 100644
index 000000000..335722e90
--- /dev/null
+++ b/modules/puppet-dcmanager/src/dcmanager/manifests/rabbitmq.pp
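Review bot: On Debian `$api_package` is set to the same name as `$package_name`, and api.pp in this change declares `package { 'dcmanager': ... }` whenever `$api_package` is truthy while init.pp declares `package { 'dcmanager': ... }` unconditionally, so including both classes on a Debian node is a duplicate declaration of `Package['dcmanager']`; either api.pp should use a distinct title (as manager.pp does with `dcmanager-manager`) or `$api_package` should be false here as on the other families. The `fail()` message has a typo (`unsuported`) and names "WindRiver" while the branch tests `'WRLinux'`. The WRLinux branch also sets `$package_name = 'dcmanager'` where the other families use `distributedcloud-dcmanager`; a comment on why would help the next reader.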
@@ -0,0 +1,60 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Dec 2018: creation -lplant
+#
+# class for installing rabbitmq server for dcorch
+#
+#
+class dcmanager::rabbitmq(
+ $userid = 'guest',
+ $password = 'guest',
+ $port = '5672',
+ $virtual_host = '/',
+ $enabled = true
+) {
+
+ # only configure dcmanager after the queue is up
+ Class['rabbitmq::service'] -> Anchor<| title == 'dcmanager-start' |>
+
+ if ($enabled) {
+ if $userid == 'guest' {
+ $delete_guest_user = false
+ } else {
+ $delete_guest_user = true
+ rabbitmq_user { $userid:
+ admin => true,
+ password => $password,
+ provider => 'rabbitmqctl',
+ require => Class['rabbitmq::server'],
+ }
+ # I need to figure out the appropriate permissions
+ rabbitmq_user_permissions { "${userid}@${virtual_host}":
+ configure_permission => '.*',
+ write_permission => '.*',
+ read_permission => '.*',
+ provider => 'rabbitmqctl',
+ }->Anchor<| title == 'dcmanager-start' |>
+ }
+ $service_ensure = 'running'
+ } else {
+ $service_ensure = 'stopped'
+ }
+
+ class { '::rabbitmq::server':
+ service_ensure => $service_ensure,
+ port => $port,
+ delete_guest_user => $delete_guest_user,
+ }
+
+ if ($enabled) {
+ rabbitmq_vhost { $virtual_host:
+ provider => 'rabbitmqctl',
+ require => Class['rabbitmq::server'],
+ }
+ }
+}
diff --git a/modules/puppet-dcorch/PKG_INFO b/modules/puppet-dcorch/PKG_INFO
new file mode 100644
index 000000000..345c89ae1
--- /dev/null
+++ b/modules/puppet-dcorch/PKG_INFO
@@ -0,0 +1,2 @@
+Name: puppet-dcorch
+Version: 1.0.0
diff --git a/modules/puppet-dcorch/centos/build_srpm.data b/modules/puppet-dcorch/centos/build_srpm.data
new file mode 100644
index 000000000..29c4710a7
--- /dev/null
+++ b/modules/puppet-dcorch/centos/build_srpm.data
@@ -0,0 +1,3 @@
+SRC_DIR="src"
+COPY_LIST="$SRC_DIR/LICENSE"
+TIS_PATCH_VER=1
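Review bot: `$delete_guest_user` is only assigned inside `if ($enabled)`, yet `class { '::rabbitmq::server': ... delete_guest_user => $delete_guest_user }` reads it unconditionally, so with `$enabled = false` the parameter is passed as undef (and errors under `strict_variables`); add `$delete_guest_user = false` to the `else` branch or compute it before the `if`. The defaults `$userid = 'guest'` and `$password = 'guest'` mean a catalog that does not override them keeps the broker's well-known guest account (the `delete_guest_user = false` path), so the header should state that these are development defaults and that a deployment passes a dedicated user; for that user the `rabbitmq_user_permissions` grants `.*` on configure, write and read, and the `# I need to figure out the appropriate permissions` comment should either be resolved or rewritten as a TODO naming what the service actually needs. The line `# class for installing rabbitmq server for dcorch` is carried over from the dcorch module; this class is dcmanager's.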
diff --git a/modules/puppet-dcorch/centos/puppet-dcorch.spec b/modules/puppet-dcorch/centos/puppet-dcorch.spec new file mode 100644 index 000000000..0fac8f487 --- /dev/null +++ b/modules/puppet-dcorch/centos/puppet-dcorch.spec @@ -0,0 +1,35 @@ +%global module_dir dcorch + +Name: puppet-%{module_dir} +Version: 1.0.0 +Release: %{tis_patch_ver}%{?_tis_dist} +Summary: Puppet dcorch module +License: Apache +Packager: Wind River + +URL: unknown + +Source0: %{name}-%{version}.tar.gz +Source1: LICENSE + +BuildArch: noarch + +BuildRequires: python2-devel + +%description +A puppet module for dcorch + +%prep +%autosetup -c %{module_dir} + +# +# The src for this puppet module needs to be staged to puppet/modules +# +%install +install -d -m 0755 %{buildroot}%{_datadir}/puppet/modules/%{module_dir} +cp -R %{name}-%{version}/%{module_dir} %{buildroot}%{_datadir}/puppet/modules + +%files +%license %{name}-%{version}/LICENSE +%{_datadir}/puppet/modules/%{module_dir} + diff --git a/modules/puppet-dcorch/src/LICENSE b/modules/puppet-dcorch/src/LICENSE new file mode 100644 index 000000000..8d968b6cb --- /dev/null +++ b/modules/puppet-dcorch/src/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-dcorch/src/dcorch/.fixtures.yml b/modules/puppet-dcorch/src/dcorch/.fixtures.yml new file mode 100644 index 000000000..49aee5cc0 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/.fixtures.yml 
@@ -0,0 +1,19 @@ +fixtures: + repositories: + "apt": "git://github.com/puppetlabs/puppetlabs-apt.git" + "keystone": "git://github.com/stackforge/puppet-keystone.git" + "mysql": + repo: "git://github.com/puppetlabs/puppetlabs-mysql.git" + ref: 'origin/0.x' + "stdlib": "git://github.com/puppetlabs/puppetlabs-stdlib.git" + "sysctl": "git://github.com/duritong/puppet-sysctl.git" + "rabbitmq": + repo: "git://github.com/puppetlabs/puppetlabs-rabbitmq" + ref: 'origin/2.x' + "inifile": "git://github.com/puppetlabs/puppetlabs-inifile" + "qpid": "git://github.com/dprince/puppet-qpid.git" + 'postgresql': + repo: "git://github.com/puppetlabs/puppet-postgresql.git" + ref: 'origin/4.1.x' + symlinks: + "dcorch": "#{source_dir}" diff --git a/modules/puppet-dcorch/src/dcorch/Gemfile b/modules/puppet-dcorch/src/dcorch/Gemfile new file mode 100644 index 000000000..89f2e1b25 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/Gemfile @@ -0,0 +1,14 @@ +source 'https://rubygems.org' + +group :development, :test do + gem 'puppetlabs_spec_helper', :require => false + gem 'puppet-lint', '~> 0.3.2' +end + +if puppetversion = ENV['PUPPET_GEM_VERSION'] + gem 'puppet', puppetversion, :require => false +else + gem 'puppet', :require => false +end + +# vim:ft=ruby diff --git a/modules/puppet-dcorch/src/dcorch/LICENSE b/modules/puppet-dcorch/src/dcorch/LICENSE new file mode 100644 index 000000000..8d968b6cb --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/LICENSE 
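Review bot: Every fixture repository is fetched over `git://`, an unauthenticated and unencrypted transport, and most entries carry no `ref`, so the test fixtures are whatever the branch head happens to be at clone time; switching to `https://` URLs and pinning each entry to a tag or commit (the `mysql`, `rabbitmq` and `postgresql` entries already use the `repo:`/`ref:` form) makes test inputs reproducible and verifiable. The `"keystone": "git://github.com/stackforge/puppet-keystone.git"` entry also points at the old stackforge namespace and is worth checking still resolves.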
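Review bot: `if puppetversion = ENV['PUPPET_GEM_VERSION']` uses assignment inside the condition, which reads as a typo for `==`; `puppetversion = ENV['PUPPET_GEM_VERSION']` on its own line followed by `if puppetversion` says the same thing without the ambiguity. `gem 'puppet-lint', '~> 0.3.2'` is pinned while `puppetlabs_spec_helper` and `puppet` float; pinning all three (or none) keeps test runs reproducible.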
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-dcorch/src/dcorch/Modulefile b/modules/puppet-dcorch/src/dcorch/Modulefile new file mode 100644 index 000000000..9caeace49 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/Modulefile @@ -0,0 +1,14 @@ +name 'puppetlabs-dcorch' +version '2.1.0' +source 'https://github.com/stackforge/puppet-dcorch' +author 'Puppet Labs' +license 'Apache License 2.0' +summary 'Puppet Labs dcorch Module' +description 'Puppet module to install and configure the dcorch platform service' +project_page 'https://launchpad.net/puppet-openstack' + +dependency 'puppetlabs/inifile', '>=1.0.0 <2.0.0' +dependency 'puppetlabs/mysql', '>=0.6.1 <1.0.0' +dependency 'puppetlabs/stdlib', '>=2.5.0' +dependency 'puppetlabs/rabbitmq', '>=2.0.2 <3.0.0' +dependency 'dprince/qpid', '>=1.0.0 <2.0.0' 
diff --git a/modules/puppet-dcorch/src/dcorch/Rakefile b/modules/puppet-dcorch/src/dcorch/Rakefile new file mode 100644 index 000000000..4c2b2ed07 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/Rakefile @@ -0,0 +1,6 @@ +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' + +PuppetLint.configuration.fail_on_warnings = true +PuppetLint.configuration.send('disable_80chars') +PuppetLint.configuration.send('disable_class_parameter_defaults') diff --git a/modules/puppet-dcorch/src/dcorch/lib/puppet/provider/dcorch_api_paste_ini/ini_setting.rb b/modules/puppet-dcorch/src/dcorch/lib/puppet/provider/dcorch_api_paste_ini/ini_setting.rb new file mode 100644 index 000000000..c346236ac --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/lib/puppet/provider/dcorch_api_paste_ini/ini_setting.rb @@ -0,0 +1,37 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# + +Puppet::Type.type(:dcorch_api_paste_ini).provide( + :ini_setting, + :parent => Puppet::Type.type(:ini_setting).provider(:ruby) +) do + + def section + resource[:name].split('/', 2).first + end + + def setting + resource[:name].split('/', 2).last + end + + def separator + '=' + end + + def self.file_path + '/etc/dcorch/api-paste.ini' + end + + # added for backwards compatibility with older versions of inifile + def file_path + self.class.file_path + end + +end diff --git a/modules/puppet-dcorch/src/dcorch/lib/puppet/provider/dcorch_config/ini_setting.rb b/modules/puppet-dcorch/src/dcorch/lib/puppet/provider/dcorch_config/ini_setting.rb new file mode 100644 index 000000000..932e4f528 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/lib/puppet/provider/dcorch_config/ini_setting.rb 
@@ -0,0 +1,37 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# + +Puppet::Type.type(:dcorch_config).provide( + :ini_setting, + :parent => Puppet::Type.type(:ini_setting).provider(:ruby) +) do + + def section + resource[:name].split('/', 2).first + end + + def setting + resource[:name].split('/', 2).last + end + + def separator + '=' + end + + def self.file_path + '/etc/dcorch/dcorch.conf' + end + + # added for backwards compatibility with older versions of inifile + def file_path + self.class.file_path + end + +end diff --git a/modules/puppet-dcorch/src/dcorch/lib/puppet/type/dcorch_api_paste_ini.rb b/modules/puppet-dcorch/src/dcorch/lib/puppet/type/dcorch_api_paste_ini.rb new file mode 100644 index 000000000..267e9b629 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/lib/puppet/type/dcorch_api_paste_ini.rb 
@@ -0,0 +1,52 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# + +Puppet::Type.newtype(:dcorch_api_paste_ini) do + + ensurable + + newparam(:name, :namevar => true) do + desc 'Section/setting name to manage from /etc/dcorch/api-paste.ini' + newvalues(/\S+\/\S+/) + end + + newproperty(:value) do + desc 'The value of the setting to be defined.' + munge do |value| + value = value.to_s.strip + value.capitalize! if value =~ /^(true|false)$/i + value + end + + def is_to_s( currentvalue ) + if resource.secret? + return '[old secret redacted]' + else + return currentvalue + end + end + + def should_to_s( newvalue ) + if resource.secret? + return '[new secret redacted]' + else + return newvalue + end + end + end + + newparam(:secret, :boolean => true) do + desc 'Whether to hide the value from Puppet logs. Defaults to `false`.' + + newvalues(:true, :false) + + defaultto false + end +end diff --git a/modules/puppet-dcorch/src/dcorch/lib/puppet/type/dcorch_config.rb b/modules/puppet-dcorch/src/dcorch/lib/puppet/type/dcorch_config.rb new file mode 100644 index 000000000..ba86d1f52 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/lib/puppet/type/dcorch_config.rb 
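Review bot: The two patterns that validate and normalise values are anchored loosely: `newvalues(/\S+\/\S+/)` appears to accept any name that merely contains a `section/setting` pair somewhere inside it, and `value =~ /^(true|false)$/i` uses Ruby's per-line `^`/`$`, so a multi-line value whose second line is `true` has its first character capitalised. Anchoring to the whole string, `newvalues(%r{\A\S+/\S+\z})` and `value.capitalize! if value =~ /\A(true|false)\z/i`, keeps the behaviour for ordinary input and rejects the odd cases. The same two lines appear in `dcorch_config.rb` in the next hunk. Minor style: `is_to_s( currentvalue )` and `should_to_s( newvalue )` carry spaces inside the parentheses and explicit `return`s in both branches; `resource.secret? ? '[old secret redacted]' : currentvalue` is the idiomatic form.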
@@ -0,0 +1,52 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# + +Puppet::Type.newtype(:dcorch_config) do + + ensurable + + newparam(:name, :namevar => true) do + desc 'Section/setting name to manage from /etc/dcorch/dcorch.conf' + newvalues(/\S+\/\S+/) + end + + newproperty(:value) do + desc 'The value of the setting to be defined.' + munge do |value| + value = value.to_s.strip + value.capitalize! if value =~ /^(true|false)$/i + value + end + + def is_to_s( currentvalue ) + if resource.secret? + return '[old secret redacted]' + else + return currentvalue + end + end + + def should_to_s( newvalue ) + if resource.secret? + return '[new secret redacted]' + else + return newvalue + end + end + end + + newparam(:secret, :boolean => true) do + desc 'Whether to hide the value from Puppet logs. Defaults to `false`.' + + newvalues(:true, :false) + + defaultto false + end +end diff --git a/modules/puppet-dcorch/src/dcorch/manifests/api_proxy.pp b/modules/puppet-dcorch/src/dcorch/manifests/api_proxy.pp new file mode 100644 index 000000000..218a60361 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/manifests/api_proxy.pp 
@@ -0,0 +1,210 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2018 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# + +# == Class: dcorch::api_proxy +# +# Setup and configure the dcorch API endpoint +# +# === Parameters +# +# [*keystone_password*] +# The password to use for authentication (keystone) +# +# [*keystone_enabled*] +# (optional) Use keystone for authentification +# Defaults to true +# +# [*keystone_tenant*] +# (optional) The tenant of the auth user +# Defaults to services +# +# [*keystone_user*] +# (optional) The name of the auth user +# Defaults to dcorch +# +# [*keystone_auth_host*] +# (optional) The keystone host +# Defaults to localhost +# +# [*keystone_auth_port*] +# (optional) The keystone auth port +# Defaults to 5000 +# +# [*keystone_auth_protocol*] +# (optional) The protocol used to access the auth host +# Defaults to http. +# +# [*keystone_auth_admin_prefix*] +# (optional) The admin_prefix used to admin endpoint of the auth host +# This allow admin auth URIs like http://auth_host:5000/keystone. +# (where '/keystone' is the admin prefix) +# Defaults to false for empty. If defined, should be a string with a +# leading '/' and no trailing '/'. +# +# [*keystone_user_domain*] +# (Optional) domain name for auth user. +# Defaults to 'Default'. +# +# [*keystone_project_domain*] +# (Optional) domain name for auth project. +# Defaults to 'Default'. +# +# [*auth_type*] +# (Optional) Authentication type to load. +# Defaults to 'password'. 
+# +# [*service_port*] +# (optional) The dcorch api port +# Defaults to 5000 +# +# [*package_ensure*] +# (optional) The state of the package +# Defaults to present +# +# [*bind_host*] +# (optional) The dcorch api bind address +# Defaults to 0.0.0.0 +# +# [*pxeboot_host*] +# (optional) The dcorch api pxeboot address +# Defaults to undef +# +# [*enabled*] +# (optional) The state of the service +# Defaults to true +# +class dcorch::api_proxy ( + $keystone_password, + $keystone_admin_password, + $keystone_admin_user = 'admin', + $keystone_admin_tenant = 'admin', + $keystone_enabled = true, + $keystone_tenant = 'services', + $keystone_user = 'dcorch', + $keystone_auth_host = 'localhost', + $keystone_auth_port = '5000', + $keystone_auth_protocol = 'http', + $keystone_auth_admin_prefix = false, + $keystone_auth_uri = false, + $keystone_auth_version = false, + $keystone_identity_uri = false, + $keystone_user_domain = 'Default', + $keystone_project_domain = 'Default', + $auth_type = 'password', + $service_port = '5000', + $package_ensure = 'latest', + $bind_host = '0.0.0.0', + $enabled = false +) { + + include dcorch::params + + Dcorch_config<||> ~> Service['dcorch-api-proxy'] + Dcorch_config<||> ~> Exec['dcorch-dbsync'] + Dcorch_api_paste_ini<||> ~> Service['dcorch-api-proxy'] + + if $::dcorch::params::api_package { + Package['dcorch'] -> Dcorch_config<||> + Package['dcorch'] -> Dcorch_api_paste_ini<||> + Package['dcorch'] -> Service['dcorch-api-proxy'] + package { 'dcorch': + ensure => $package_ensure, + name => $::dcorch::params::api_proxy_package, + } + } + + dcorch_config { + "DEFAULT/bind_host": value => $bind_host; + } + + + if $keystone_identity_uri { + dcorch_config { 'keystone_authtoken/auth_url': value => $keystone_identity_uri; } + dcorch_config { 'cache/auth_uri': value => "${keystone_identity_uri}/v3"; } + } else { + dcorch_config { 'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; } + } + + if 
$keystone_auth_uri { + dcorch_config { 'keystone_authtoken/auth_uri': value => $keystone_auth_uri; } + } else { + dcorch_config { + 'keystone_authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; + } + } + + if $keystone_auth_version { + dcorch_config { 'keystone_authtoken/auth_version': value => $keystone_auth_version; } + } else { + dcorch_config { 'keystone_authtoken/auth_version': ensure => absent; } + } + + if $keystone_enabled { + dcorch_config { + 'DEFAULT/auth_strategy': value => 'keystone' ; + } + dcorch_config { + 'keystone_authtoken/auth_type': value => $auth_type; + 'keystone_authtoken/project_name': value => $keystone_tenant; + 'keystone_authtoken/username': value => $keystone_user; + 'keystone_authtoken/password': value => $keystone_password, secret=> true; + 'keystone_authtoken/user_domain_name': value => $keystone_user_domain; + 'keystone_authtoken/project_domain_name': value => $keystone_project_domain; + } + dcorch_config { + 'cache/admin_tenant': value => $keystone_admin_tenant; + 'cache/admin_username': value => $keystone_admin_user; + 'cache/admin_password': value => $keystone_admin_password, secret=> true; + } + + if $keystone_auth_admin_prefix { + validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$') + dcorch_config { + 'keystone_authtoken/auth_admin_prefix': value => $keystone_auth_admin_prefix; + } + } else { + dcorch_config { + 'keystone_authtoken/auth_admin_prefix': ensure => absent; + } + } + } + else + { + dcorch_config { + 'DEFAULT/auth_strategy': value => 'noauth' ; + } + } + + if $enabled { + $ensure = 'running' + } else { + $ensure = 'stopped' + } + + service { 'dcorch-api-proxy': + ensure => $ensure, + name => $::dcorch::params::api_proxy_service, + enable => $enabled, + hasstatus => true, + hasrestart => true, + tag => 'dcorch-service', + } + Keystone_endpoint<||> -> Service['dcorch-api-proxy'] + + exec { 'dcorch-dbsync': + command => $::dcorch::params::db_sync_command, + path => '/usr/bin', + 
refreshonly => true, + logoutput => 'on_failure', + require => Package['dcorch'], + # Only do the db sync if both controllers are running the same software + # version. Avoids impacting mate controller during an upgrade. + onlyif => "test $::controller_sw_versions_match = true", + } + +} diff --git a/modules/puppet-dcorch/src/dcorch/manifests/client.pp b/modules/puppet-dcorch/src/dcorch/manifests/client.pp new file mode 100644 index 000000000..58c46ed73 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/manifests/client.pp @@ -0,0 +1,31 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2018 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# +# + +# == Class: dcorch::client +# +# Installs dcorch python client. +# +# === Parameters +# +# [*ensure*] +# Ensure state for package. Defaults to 'present'. +# +class dcorch::client( + $package_ensure = 'present' +) { + + include dcorch::params + + package { 'dcorchclient': + ensure => $package_ensure, + name => $::dcorch::params::client_package, + } +} diff --git a/modules/puppet-dcorch/src/dcorch/manifests/db/postgresql.pp b/modules/puppet-dcorch/src/dcorch/manifests/db/postgresql.pp new file mode 100644 index 000000000..9bdfa6e16 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/manifests/db/postgresql.pp 
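Review bot: `$keystone_auth_port` is documented and accepted but never read: both fallback URLs, `keystone_authtoken/auth_url` and `keystone_authtoken/auth_uri`, hard-code `:5000` in `"${keystone_auth_protocol}://${keystone_auth_host}:5000/"`, so a deployment that passes a different port silently keeps talking to 5000; `"${keystone_auth_protocol}://${keystone_auth_host}:${keystone_auth_port}/"` would honour the parameter. `$service_port` is likewise unused, and `$keystone_admin_password`, a required parameter whose value lands in `cache/admin_password`, has no entry in the parameter documentation at the top of the class. `"DEFAULT/bind_host"` is a double-quoted string with no interpolation, which puppet-lint reports as a warning and the Rakefile's `fail_on_warnings = true` turns into a failure. The `onlyif` also interpolates the fact unquoted; `onlyif => "test '${::controller_sw_versions_match}' = true",` avoids a shell syntax error when the fact is unset.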
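Review bot: The parameter documentation names `[*ensure*]` but the class parameter is `$package_ensure`, so the header describes a parameter that does not exist; renaming the doc entry to `[*package_ensure*]` keeps them in sync. The licence header also ends with a stray empty `#` line that the other manifests in this commit do not have.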
@@ -0,0 +1,54 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2018 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# + +# Class that configures postgresql for dcorch +# +# Requires the Puppetlabs postgresql module. +# === Parameters +# +# [*password*] +# (Required) Password to connect to the database. +# +# [*dbname*] +# (Optional) Name of the database. +# Defaults to 'dcorch'. +# +# [*user*] +# (Optional) User to connect to the database. +# Defaults to 'dcorch'. +# +# [*encoding*] +# (Optional) The charset to use for the database. +# Default to undef. +# +# [*privileges*] +# (Optional) Privileges given to the database user. +# Default to 'ALL' +# +class dcorch::db::postgresql( + $password, + $dbname = 'dcorch', + $user = 'dcorch', + $encoding = undef, + $privileges = 'ALL', +) { + + ::openstacklib::db::postgresql { 'dcorch': + password_hash => postgresql_password($user, $password), + dbname => $dbname, + user => $user, + encoding => $encoding, + privileges => $privileges, + } + + ::Openstacklib::Db::Postgresql['dcorch'] ~> Service <| title == 'dcorch-api-proxy' |> + ::Openstacklib::Db::Postgresql['dcorch'] ~> Service <| title == 'dcorch-engine' |> + ::Openstacklib::Db::Postgresql['dcorch'] ~> Exec <| title == 'dcorch-dbsync' |> +} diff --git a/modules/puppet-dcorch/src/dcorch/manifests/db/sync.pp b/modules/puppet-dcorch/src/dcorch/manifests/db/sync.pp new file mode 100644 index 000000000..d716f977f --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/manifests/db/sync.pp 
@@ -0,0 +1,21 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2018 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# + +class dcorch::db::sync { + + include dcorch::params + + exec { 'dcorch-dbsync': + command => $::dcorch::params::db_sync_command, + path => '/usr/bin', + refreshonly => true, + require => [File[$::dcorch::params::dcorch_conf], Class['dcorch']], + logoutput => 'on_failure', + } +} diff --git a/modules/puppet-dcorch/src/dcorch/manifests/engine.pp b/modules/puppet-dcorch/src/dcorch/manifests/engine.pp new file mode 100644 index 000000000..c51240206 --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/manifests/engine.pp @@ -0,0 +1,44 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2018 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# + +class dcorch::engine ( + $package_ensure = 'latest', + $enabled = false +) { + + include dcorch::params + + Dcorch_config<||> ~> Service['dcorch-engine'] + + if $::dcorch::params::engine_package { + Package['dcorch-engine'] -> Dcorch_config<||> + Package['dcorch-engine'] -> Service['dcorch-engine'] + package { 'dcorch-engine': + ensure => $package_ensure, + name => $::dcorch::params::engine_package, + } + } + + if $enabled { + $ensure = 'running' + } else { + $ensure = 'stopped' + } + + service { 'dcorch-engine': + ensure => $ensure, + name => $::dcorch::params::engine_service, + enable => $enabled, + hasstatus => false, + require => Package['dcorch'], + } + + Exec<| title == 'dcorch-dbsync' |> -> Service['dcorch-engine'] +} diff --git a/modules/puppet-dcorch/src/dcorch/manifests/init.pp b/modules/puppet-dcorch/src/dcorch/manifests/init.pp new file mode 100644 index 000000000..2d8943b3f --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/manifests/init.pp 
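Review bot: `exec { 'dcorch-dbsync': ... }` is also declared in `dcorch::api_proxy` earlier in this commit, with the same title but a different `require` and an extra `onlyif`, so any catalog that includes both `dcorch::db::sync` and `dcorch::api_proxy` will fail with a duplicate declaration. Only one class should own the resource; the others, including `dcorch::engine`, which already orders against it through the collector `Exec<| title == 'dcorch-dbsync' |>`, can reference it. Which copy to keep depends on whether the `controller_sw_versions_match` guard in the api_proxy version is required everywhere, which I cannot tell from here.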
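Review bot: The service's `require => Package['dcorch']` refers to a resource this class never declares; the package it manages is `Package['dcorch-engine']`, and `Package['dcorch']` only exists when the base `dcorch` class is also in the catalog, so declaring `dcorch::engine` on its own will not compile. The ordering against the engine package is already established by `Package['dcorch-engine'] -> Service['dcorch-engine']` inside the guard, so the `require` line can simply be dropped, or replaced with an explicit `include dcorch` if the base package really is a prerequisite. The class header also lacks the parameter documentation the other manifests carry; a short `# [*package_ensure*]` / `# [*enabled*]` block in the style of `dcorch::client` would be worth adding.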
@@ -0,0 +1,158 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2018 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Dec 2017 Creation based off puppet-sysinv +# + +# +# == Parameters +# +# [use_syslog] +# Use syslog for logging. +# (Optional) Defaults to false. +# +# [log_facility] +# Syslog facility to receive log lines. +# (Optional) Defaults to LOG_USER. + +class dcorch ( + $database_connection = '', + $database_idle_timeout = 3600, + $database_max_pool_size = 5, + $database_max_overflow = 10, + $control_exchange = 'openstack', + $rabbit_host = '127.0.0.1', + $rabbit_port = 5672, + $rabbit_hosts = false, + $rabbit_virtual_host = '/', + $rabbit_userid = 'guest', + $rabbit_password = false, + $package_ensure = 'present', + $api_paste_config = '/etc/dcorch/api-paste.ini', + $use_stderr = false, + $log_file = 'dcorch.log', + $log_dir = '/var/log/dcorch', + $use_syslog = false, + $log_facility = 'LOG_USER', + $verbose = false, + $debug = false, + $dcorch_api_port = 8118, + $dcorch_mtc_inv_label = '/v1/', + $region_name = 'RegionOne', + $proxy_bind_host = '0.0.0.0', + $proxy_remote_host = '127.0.0.1', + $compute_bind_port = 28774, + $compute_remote_port = 18774, + $platform_bind_port = 26385, + $platform_remote_port = 6385, + $volumev2_bind_port = 28776, + $volumev2_remote_port = 8776, + $network_bind_port = 29696, + $network_remote_port = 9696, + $patching_bind_port = 25491, + $patching_remote_port = 5491, +) { + + include dcorch::params + + Package['dcorch'] -> Dcorch_config<||> + Package['dcorch'] -> Dcorch_api_paste_ini<||> + + # this anchor is used to simplify the graph between dcorch components by + # allowing a resource to serve as a point where the configuration of dcorch begins + anchor { 'dcorch-start': } + + package { 'dcorch': + ensure => $package_ensure, + name => $::dcorch::params::package_name, + require => Anchor['dcorch-start'], + } + + file { $::dcorch::params::dcorch_conf: 
+ ensure => present, + mode => '0600', + require => Package['dcorch'], + } + + file { $::dcorch::params::dcorch_paste_api_ini: + ensure => present, + mode => '0600', + require => Package['dcorch'], + } + + dcorch_config { + 'DEFAULT/transport_url': value => $::platform::amqp::params::transport_url; + } + + dcorch_config { + 'DEFAULT/verbose': value => $verbose; + 'DEFAULT/debug': value => $debug; + 'DEFAULT/api_paste_config': value => $api_paste_config; + } + + # Automatically add psycopg2 driver to postgresql (only does this if it is missing) + $real_connection = regsubst($database_connection,'^postgresql:','postgresql+psycopg2:') + + dcorch_config { + 'database/connection': value => $real_connection, secret => true; + 'database/idle_timeout': value => $database_idle_timeout; + 'database/max_pool_size': value => $database_max_pool_size; + 'database/max_overflow': value => $database_max_overflow; + } + + if $use_syslog { + dcorch_config { + 'DEFAULT/use_syslog': value => true; + 'DEFAULT/syslog_log_facility': value => $log_facility; + } + } else { + dcorch_config { + 'DEFAULT/use_syslog': value => false; + 'DEFAULT/use_stderr': value => false; + 'DEFAULT/log_file' : value => $log_file; + 'DEFAULT/log_dir' : value => $log_dir; + } + } + + dcorch_config { + 'keystone_authtoken/region_name': value => $region_name; + } + dcorch_config { + 'compute/bind_host' : value => $proxy_bind_host; + 'compute/bind_port' : value => $compute_bind_port; + 'compute/remote_host' : value => $proxy_remote_host; + 'compute/remote_port' : value => $compute_remote_port; + + 'platform/bind_host' : value => $proxy_bind_host; + 'platform/bind_port' : value => $platform_bind_port; + 'platform/remote_host' : value => $proxy_remote_host; + 'platform/remote_port' : value => $platform_remote_port; + + 'volume/bind_host' : value => $proxy_bind_host; + 'volume/bind_port' : value => $volumev2_bind_port; + 'volume/remote_host' : value => $proxy_remote_host; + 'volume/remote_port' : value => 
$volumev2_remote_port; + + 'network/bind_host' : value => $proxy_bind_host; + 'network/bind_port' : value => $network_bind_port; + 'network/remote_host' : value => $proxy_remote_host; + 'network/remote_port' : value => $network_remote_port; + + 'patching/bind_host' : value => $proxy_bind_host; + 'patching/bind_port' : value => $patching_bind_port; + 'patching/remote_host' : value => '0.0.0.0'; + 'patching/remote_port' : value => $patching_remote_port; + } + + dcorch_api_paste_ini { + 'pipeline:dcorch-api-proxy/pipeline': value => 'filter authtoken acceptor proxyapp'; + 'filter:filter/paste.filter_factory': value => 'dcorch.api.proxy.apps.filter:ApiFiller.factory'; + 'filter:authtoken/paste.filter_factory': value => 'keystonemiddleware.auth_token:filter_factory'; + 'filter:acceptor/paste.filter_factory': value => 'dcorch.api.proxy.apps.acceptor:Acceptor.factory'; + 'app:proxyapp/paste.app_factory': value => 'dcorch.api.proxy.apps.proxy:Proxy.factory'; + } +} diff --git a/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp b/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp new file mode 100644 index 000000000..b80d93eea --- /dev/null +++ b/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp 
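Review bot: `DEFAULT/transport_url` is written without `secret => true` while `database/connection` a few lines later is marked secret; an oslo transport URL normally embeds the broker user and password, so the full credential will be printed in Puppet's change notices, reports and `--noop` diffs whenever it changes. `'DEFAULT/transport_url': value => $::platform::amqp::params::transport_url, secret => true;` closes that. Separately, `'patching/remote_host' : value => '0.0.0.0'` is hard-coded while every other section uses `$proxy_remote_host`; if that is intentional a one-line comment saying why would help, otherwise it looks like a copy-paste slip. The `$rabbit_*` parameters are accepted but never written to the config, which is confusing next to the transport_url line.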
@@ -0,0 +1,119 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# DEC 2017: creation (sysinv base)
+#
+
+# == Class: dcorch::keystone::auth
+#
+# Configures dcorch user, service and endpoint in Keystone.
+#
+class dcorch::keystone::auth (
+ $password,
+ $auth_name = 'dcorch',
+ $email = 'dcorch@localhost',
+ $tenant = 'services',
+ $region = 'SystemController',
+ $service_description = 'DcOrchService',
+ $service_name = 'dcorch',
+ $service_type = 'dcorch',
+ $configure_endpoint = true,
+ $configure_user = true,
+ $configure_user_role = true,
+ $public_url = 'http://127.0.0.1:8118/v1.0',
+ $admin_url = 'http://127.0.0.1:8118/v1.0',
+ $internal_url = 'http://127.0.0.1:8118/v1.0',
+ $neutron_proxy_internal_url = 'http://127.0.0.1:29696',
+ $nova_proxy_internal_url = 'http://127.0.0.1:28774/v2.1',
+ $sysinv_proxy_internal_url = 'http://127.0.0.1:26385/v1',
+ $cinder_proxy_internal_url_v2 = 'http://127.0.0.1:28776/v2/%(tenant_id)s',
+ $cinder_proxy_internal_url_v3 = 'http://127.0.0.1:28776/v3/%(tenant_id)s',
+ $patching_proxy_internal_url = 'http://127.0.0.1:25491',
+ $neutron_proxy_public_url = 'http://127.0.0.1:29696',
+ $nova_proxy_public_url = 'http://127.0.0.1:28774/v2.1',
+ $sysinv_proxy_public_url = 'http://127.0.0.1:26385/v1',
+ $cinder_proxy_public_url_v2 = 'http://127.0.0.1:28776/v2/%(tenant_id)s',
+ $cinder_proxy_public_url_v3 = 'http://127.0.0.1:28776/v3/%(tenant_id)s',
+ $patching_proxy_public_url = 'http://127.0.0.1:25491',
+) {
+ if $::platform::params::distributed_cloud_role =='systemcontroller' {
+ keystone::resource::service_identity { 'dcorch':
+ configure_user => $configure_user,
+ configure_user_role => $configure_user_role,
+ configure_endpoint => false,
+ service_type => $service_type,
+ service_description => $service_description,
+ service_name => $service_name,
+ region => $region,
+ auth_name => $auth_name,
+ password => $password,
+ email => $email,
+ tenant => $tenant,
+ public_url => $public_url,
+ admin_url => $admin_url,
+ internal_url => $internal_url,
+ }
+
+ keystone_endpoint { "${region}/nova::compute" :
+ ensure => "present",
+ name => "nova",
+ type => "compute",
+ region => $region,
+ public_url => $nova_proxy_public_url,
+ admin_url => $nova_proxy_internal_url,
+ internal_url => $nova_proxy_internal_url
+ }
+ keystone_endpoint { "${region}/sysinv::platform" :
+ ensure => "present",
+ name => "sysinv",
+ type => "platform",
+ region => $region,
+ public_url => $sysinv_proxy_public_url,
+ admin_url => $sysinv_proxy_internal_url,
+ internal_url => $sysinv_proxy_internal_url
+ }
+ keystone_endpoint { "${region}/neutron::network" :
+ ensure => "present",
+ name => "neutron",
+ type => "network",
+ region => $region,
+ public_url => $neutron_proxy_public_url,
+ admin_url => $neutron_proxy_internal_url,
+ internal_url => $neutron_proxy_internal_url
+ }
+
+ if $::openstack::cinder::params::service_enabled {
+ keystone_endpoint { "${region}/cinderv2::volumev2" :
+ ensure => "present",
+ name => "cinderv2",
+ type => "volumev2",
+ region => $region,
+ public_url => $cinder_proxy_public_url_v2,
+ admin_url => $cinder_proxy_internal_url_v2,
+ internal_url => $cinder_proxy_internal_url_v2
+ }
+ keystone_endpoint { "${region}/cinderv3::volumev3" :
+ ensure => "present",
+ name => "cinderv3",
+ type => "volumev3",
+ region => $region,
+ public_url => $cinder_proxy_public_url_v3,
+ admin_url => $cinder_proxy_internal_url_v3,
+ internal_url => $cinder_proxy_internal_url_v3
+ }
+ }
+ keystone_endpoint { "${region}/patching::patching" :
+ ensure => "present",
+ name => "patching",
+ type => "patching",
+ region => $region,
+ public_url => $patching_proxy_public_url,
+ admin_url => $patching_proxy_internal_url,
+ internal_url => $patching_proxy_internal_url
+ }
+ }
+}
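Review bot: `$configure_endpoint` is accepted as a class parameter but never read; `keystone::resource::service_identity { 'dcorch': ... configure_endpoint => false` hard-codes the value, so a caller passing `configure_endpoint => true` silently gets no dcorch endpoint registered. Either pass the parameter through (`configure_endpoint => $configure_endpoint,`) or drop it and state in the class comment that only the dcorch user and role are created here while the `keystone_endpoint` resources below point the region's nova/sysinv/neutron/cinder/patching catalog entries at the dcorch proxy URLs. Those proxy endpoints also reuse the `*_proxy_internal_url` values for `admin_url`; if that is intentional, a one-line comment would save the next reader from assuming a missing `*_proxy_admin_url` parameter. The double-quoted `ensure => "present"` literals are inconsistent with the single-quoted strings used elsewhere in the file.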
diff --git a/modules/puppet-dcorch/src/dcorch/manifests/params.pp b/modules/puppet-dcorch/src/dcorch/manifests/params.pp
new file mode 100644
index 000000000..c52548488
--- /dev/null
+++ b/modules/puppet-dcorch/src/dcorch/manifests/params.pp
@@ -0,0 +1,62 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+
+class dcorch::params {
+
+ $dcorch_dir = '/etc/dcorch'
+ $dcorch_conf = '/etc/dcorch/dcorch.conf'
+ $dcorch_paste_api_ini = '/etc/dcorch/api-paste.ini'
+
+ if $::osfamily == 'Debian' {
+ $package_name = 'distributedcloud-dcorch'
+ $client_package = 'distributedcloud-client-dcorchclient'
+ $api_package = 'distributedcloud-dcorch'
+ $api_service = 'dcorch-api'
+ $engine_package = 'distributedcloud-dcorch'
+ $engine_service = 'dcorch-engine'
+ $snmp_package = 'distributedcloud-dcorch'
+ $snmp_service = 'dcorch-snmp'
+ $api_proxy_package = 'distributedcloud-dcorch'
+ $api_proxy_service = 'dcorch-api-proxy'
+
+ $db_sync_command = 'dcorch-manage db_sync'
+
+ } elsif($::osfamily == 'RedHat') {
+
+ $package_name = 'distributedcloud-dcorch'
+ $client_package = 'distributedcloud-client-dcorchclient'
+ $api_package = false
+ $api_service = 'dcorch-api'
+ $engine_package = false
+ $engine_service = 'dcorch-engine'
+ $snmp_package = false
+ $snmp_service = 'dcorch-snmp'
+ $api_proxy_package = false
+ $api_proxy_service = 'dcorch-api-proxy'
+
+ $db_sync_command = 'dcorch-manage db_sync'
+
+ } elsif($::osfamily == 'WRLinux') {
+
+ $package_name = 'dcorch'
+ $client_package = 'distributedcloud-client-dcorchclient'
+ $api_package = false
+ $api_service = 'dcorch-api'
+ $snmp_package = false
+ $snmp_service = 'dcorch-snmp'
+ $engine_package = false
+ $engine_service = 'dcorch-engine'
+ $api_proxy_package = false
+ $api_proxy_service = 'dcorch-api-proxy'
+ $db_sync_command = 'dcorch-manage db_sync'
+
+ } else {
+ fail("unsuported osfamily ${::osfamily}, currently WindRiver, Debian, Redhat are the only supported platforms")
+ }
+}
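Review bot: The `fail()` message in the final `else` branch has a typo and does not match the branches above it: it says `unsuported` and lists `WindRiver` and `Redhat`, while the conditions test for `'WRLinux'` and `'RedHat'`. Suggest `fail("unsupported osfamily ${::osfamily}, currently WRLinux, Debian and RedHat are the only supported platforms")` so the error names the exact `$::osfamily` values the class accepts. The three branches also repeat identical `$client_package` and `$db_sync_command` assignments; hoisting those two above the `if` would shorten the class without changing any value.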
diff --git a/modules/puppet-dcorch/src/dcorch/manifests/rabbitmq.pp b/modules/puppet-dcorch/src/dcorch/manifests/rabbitmq.pp
new file mode 100644
index 000000000..d52cef6c8
--- /dev/null
+++ b/modules/puppet-dcorch/src/dcorch/manifests/rabbitmq.pp
@@ -0,0 +1,60 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Dec 2017: creation -lplant
+#
+# class for installing rabbitmq server for dcorch
+#
+#
+class dcorch::rabbitmq(
+ $userid = 'guest',
+ $password = 'guest',
+ $port = '5672',
+ $virtual_host = '/',
+ $enabled = true
+) {
+
+ # only configure dcorch after the queue is up
+ Class['rabbitmq::service'] -> Anchor<| title == 'dcorch-start' |>
+
+ if ($enabled) {
+ if $userid == 'guest' {
+ $delete_guest_user = false
+ } else {
+ $delete_guest_user = true
+ rabbitmq_user { $userid:
+ admin => true,
+ password => $password,
+ provider => 'rabbitmqctl',
+ require => Class['rabbitmq::server'],
+ }
+ # I need to figure out the appropriate permissions
+ rabbitmq_user_permissions { "${userid}@${virtual_host}":
+ configure_permission => '.*',
+ write_permission => '.*',
+ read_permission => '.*',
+ provider => 'rabbitmqctl',
+ }->Anchor<| title == 'dcorch-start' |>
+ }
+ $service_ensure = 'running'
+ } else {
+ $service_ensure = 'stopped'
+ }
+
+ class { '::rabbitmq::server':
+ service_ensure => $service_ensure,
+ port => $port,
+ delete_guest_user => $delete_guest_user,
+ }
+
+ if ($enabled) {
+ rabbitmq_vhost { $virtual_host:
+ provider => 'rabbitmqctl',
+ require => Class['rabbitmq::server'],
+ }
+ }
+}
diff --git a/modules/puppet-dcorch/src/dcorch/manifests/snmp.pp b/modules/puppet-dcorch/src/dcorch/manifests/snmp.pp
new file mode 100644
index 000000000..f997b617f
--- /dev/null
+++ b/modules/puppet-dcorch/src/dcorch/manifests/snmp.pp
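Review bot: `$delete_guest_user` is only assigned inside `if ($enabled)`, so when the class is declared with `enabled => false` the `class { '::rabbitmq::server': ... delete_guest_user => $delete_guest_user }` declaration passes an unset variable (undef, or a compile error under strict_variables). Adding `$delete_guest_user = false` to the `else` branch that sets `$service_ensure = 'stopped'` closes that gap. Separately, the defaults `$userid = 'guest'` and `$password = 'guest'` together with the `if $userid == 'guest' { $delete_guest_user = false }` path mean a deployment that does not override both parameters keeps RabbitMQ's well-known guest account enabled on the dcorch broker; the class header should say that callers are expected to supply a dedicated user and password. The leftover `# I need to figure out the appropriate permissions` above `rabbitmq_user_permissions` should be resolved or turned into a `# TODO:` that names what the three `.*` grants are meant to be narrowed to.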
@@ -0,0 +1,50 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Dec 2017 Creation based off puppet-sysinv
+#
+
+class dcorch::snmp (
+ $package_ensure = 'latest',
+ $enabled = false,
+ $bind_host = '0.0.0.0',
+ $com_str = 'dcorchAlarmAggregator'
+) {
+
+ include dcorch::params
+
+ Dcorch_config<||> ~> Service['dcorch-snmp']
+
+ if $::dcorch::params::snmp_package {
+ Package['dcorch-snmp'] -> Dcorch_config<||>
+ Package['dcorch-snmp'] -> Service['dcorch-snmp']
+ package { 'dcorch-snmp':
+ ensure => $package_ensure,
+ name => $::dcorch::params::snmp_package,
+ }
+ }
+ dcorch_config {
+ 'snmp/snmp_ip': value => $bind_host;
+ 'snmp/snmp_comm_str': value => $com_str;
+ }
+
+ if $enabled {
+ $ensure = 'running'
+ } else {
+ $ensure = 'stopped'
+ }
+
+ service { 'dcorch-snmp':
+ ensure => $ensure,
+ name => $::dcorch::params::snmp_service,
+ enable => $enabled,
+ hasstatus => false,
+ require => Package['dcorch'],
+ }
+
+ Exec<| title == 'dcorch-dbsync' |> -> Service['dcorch-snmp']
+}
diff --git a/modules/puppet-mtce/PKG_INFO b/modules/puppet-mtce/PKG_INFO
new file mode 100644
index 000000000..2341216fe
--- /dev/null
+++ b/modules/puppet-mtce/PKG_INFO
@@ -0,0 +1,2 @@
+Name: puppet-mtce
+Version: 1.0.0
diff --git a/modules/puppet-mtce/centos/build_srpm.data b/modules/puppet-mtce/centos/build_srpm.data
new file mode 100644
index 000000000..b781aa56d
--- /dev/null
+++ b/modules/puppet-mtce/centos/build_srpm.data
@@ -0,0 +1,3 @@
+SRC_DIR="src"
+COPY_LIST="$SRC_DIR/LICENSE"
+TIS_PATCH_VER=6
diff --git a/modules/puppet-mtce/centos/puppet-mtce.spec b/modules/puppet-mtce/centos/puppet-mtce.spec
new file mode 100644
index 000000000..b5fecfbd2
--- /dev/null
+++ b/modules/puppet-mtce/centos/puppet-mtce.spec
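Review bot: The defaults `$bind_host = '0.0.0.0'` and `$com_str = 'dcorchAlarmAggregator'`, written straight into `snmp/snmp_ip` and `snmp/snmp_comm_str`, mean that whenever `$enabled` is true the SNMP listener binds every interface with a community string fixed in source unless the caller overrides both. State in the class header that deployers are expected to pass the management address and a site-specific community string, or default `$bind_host` to an explicit address supplied by the caller rather than the wildcard. `$package_ensure = 'latest'` also turns every agent run into a potential package upgrade; `'present'` is the conventional default and keeps runs idempotent. `require => Package['dcorch']` references a resource declared outside this file, which deserves a short comment since `Package['dcorch-snmp']` is the only package this class manages.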
@@ -0,0 +1,35 @@
+%global module_dir mtce
+
+Name: puppet-%{module_dir}
+Version: 1.0.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+Summary: Puppet mtce module
+License: Apache-2.0
+Packager: Wind River
+
+URL: unknown
+
+Source0: %{name}-%{version}.tar.gz
+Source1: LICENSE
+
+BuildArch: noarch
+
+BuildRequires: python2-devel
+
+%description
+A puppet module for mtce
+
+%prep
+%autosetup -c %{module_dir}
+
+#
+# The src for this puppet module needs to be staged to puppet/modules
+#
+%install
+install -d -m 0755 %{buildroot}%{_datadir}/puppet/modules/%{module_dir}
+cp -R %{name}-%{version}/%{module_dir} %{buildroot}%{_datadir}/puppet/modules
+
+%files
+%license %{name}-%{version}/LICENSE
+%{_datadir}/puppet/modules/%{module_dir}
+
diff --git a/modules/puppet-mtce/src/LICENSE b/modules/puppet-mtce/src/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/modules/puppet-mtce/src/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/modules/puppet-mtce/src/mtce/manifests/init.pp b/modules/puppet-mtce/src/mtce/manifests/init.pp
new file mode 100644
index 000000000..b6e294c11
--- /dev/null
+++ b/modules/puppet-mtce/src/mtce/manifests/init.pp
@@ -0,0 +1,8 @@
+#
+# Copyright (c) 2015-2017 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class mtce () {
+ }
diff --git a/modules/puppet-mtce/src/mtce/templates/mtc_ini.erb b/modules/puppet-mtce/src/mtce/templates/mtc_ini.erb
new file mode 100644
index 000000000..30a781692
--- /dev/null
+++ b/modules/puppet-mtce/src/mtce/templates/mtc_ini.erb
@@ -0,0 +1,23 @@
+; Packstack managed Maintenance Configuration
+[agent] ; Agent Configuration
+keystone_auth_username = <%= @auth_username %> ; mtce auth username
+keystone_auth_pw = <%= @auth_pw %> ; mtce auth password
+keystone_auth_project = <%= @auth_project %> ; mtce auth project
+keystone_user_domain = <%= @auth_user_domain %> ; mtce user domain
+keystone_project_domain = <%= @auth_project_domain %> ; mtce project domain
+keystone_auth_host = <%= @auth_host %> ; keystone auth url
+keystone_auth_uri = <%= @auth_uri %> ; keystone auth uri
+keystone_auth_port = <%= @auth_port %> ; keystone auth port
+keystone_region_name = <%= @auth_region %> ; keystone region
+keyring_directory = <%= @keyring_directory %> ; keyring directory
+ceilometer_port = <%= @ceilometer_port %> ; ceilometer rest api port
+multicast = <%= @mtce_multicast %> ; Heartbeat Multicast Address
+heartbeat_period = <%= @heartbeat_period %> ; Heartbeat period in milliseconds
+heartbeat_failure_threshold = <%= @heartbeat_failure_threshold %> ; Heartbeat failure threshold count.
+heartbeat_degrade_threshold = <%= @heartbeat_degrade_threshold %> ; Heartbeat degrade threshold count.
+
+[timeouts]
+compute_boot_timeout = <%= @compute_boot_timeout %> ; The max time (seconds) that Mtce waits for the mtcAlive
+controller_boot_timeout = <%= @controller_boot_timeout %> ; message after which it will time out and fail the host.
+
+
diff --git a/modules/puppet-mtce/src/mtce/templates/static_conf.erb b/modules/puppet-mtce/src/mtce/templates/static_conf.erb
new file mode 100644
index 000000000..070cfe0c1
--- /dev/null
+++ b/modules/puppet-mtce/src/mtce/templates/static_conf.erb
@@ -0,0 +1,8 @@
+/var/lock tmpfs tmpfs 4 2 1
+/var/run tmpfs tmpfs 30 15 5
+/dev/shm tmpfs tmpfs 512 307 102
+/ rootfs rootfs 512 307 102
+/dev devtmpfs devtmpfs 512 307 102
+/boot <%= @boot_device %> boot 100 70 50
+/scratch /dev/mapper/cgts--vg-scratch--lv dev 512 307 102
+/var/log /dev/mapper/cgts--vg-log--lv dev 512 307 102
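Review bot: `keystone_auth_pw = <%= @auth_pw %>` renders the maintenance service password in clear text into the ini, so the `file` resource that consumes this template (not among the visible hunks) needs a restrictive owner and mode, and a leading `;` comment in the template saying the rendered file holds a credential would make that expectation visible to whoever wires it up. The `[timeouts]` comments are split across two keys: `controller_boot_timeout` ends up annotated with `; message after which it will time out and fail the host.`, which reads as a different setting. Give each key a complete comment, e.g. `compute_boot_timeout = <%= @compute_boot_timeout %> ; max seconds Mtce waits for mtcAlive before failing a compute host` and `controller_boot_timeout = <%= @controller_boot_timeout %> ; max seconds Mtce waits for mtcAlive before failing a controller host`.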
diff --git a/modules/puppet-nfv/PKG_INFO b/modules/puppet-nfv/PKG_INFO
new file mode 100644
index 000000000..df3d2fbb5
--- /dev/null
+++ b/modules/puppet-nfv/PKG_INFO
@@ -0,0 +1,2 @@
+Name: puppet-nfv
+Version: 1.0.0
diff --git a/modules/puppet-nfv/centos/build_srpm.data b/modules/puppet-nfv/centos/build_srpm.data
new file mode 100644
index 000000000..3b920846f
--- /dev/null
+++ b/modules/puppet-nfv/centos/build_srpm.data
@@ -0,0 +1,2 @@
+SRC_DIR="src"
+TIS_PATCH_VER=5
diff --git a/modules/puppet-nfv/centos/puppet-nfv.spec b/modules/puppet-nfv/centos/puppet-nfv.spec
new file mode 100644
index 000000000..38693f9ce
--- /dev/null
+++ b/modules/puppet-nfv/centos/puppet-nfv.spec
@@ -0,0 +1,34 @@
+%global module_dir nfv
+
+Name: puppet-%{module_dir}
+Version: 1.0.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+Summary: Puppet nfv module
+License: Apache-2.0
+Packager: Wind River
+
+URL: unknown
+
+Source0: %{name}-%{version}.tar.gz
+
+BuildArch: noarch
+
+BuildRequires: python2-devel
+
+%description
+A puppet module for nfv
+
+%prep
+%autosetup -c %{module_dir}
+
+#
+# The src for this puppet module needs to be staged to puppet/modules
+#
+%install
+install -d -m 0755 %{buildroot}%{_datadir}/puppet/modules/%{module_dir}
+cp -R %{name}-%{version}/%{module_dir} %{buildroot}%{_datadir}/puppet/modules
+
+%files
+%license %{name}-%{version}/LICENSE
+%{_datadir}/puppet/modules/%{module_dir}
+
diff --git a/modules/puppet-nfv/src/LICENSE b/modules/puppet-nfv/src/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/modules/puppet-nfv/src/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_plugin_alarm_config/ini_setting.rb b/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_plugin_alarm_config/ini_setting.rb new file mode 100644 index 000000000..8511f89a8 --- /dev/null +++ b/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_plugin_alarm_config/ini_setting.rb 
@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.type(:nfv_plugin_alarm_config).provide(
+ :ini_setting,
+ # set ini_setting as the parent provider
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ # implemented section as the first part of the namevar
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ # implemented setting as the second part of the namevar
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ # hard code the file path (this allows purging)
+ def self.file_path
+ '/etc/nfv/nfv_plugins/alarm_handlers/config.ini'
+ end
+end
diff --git a/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_plugin_event_log_config/ini_setting.rb b/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_plugin_event_log_config/ini_setting.rb
new file mode 100644
index 000000000..763c7cb72
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_plugin_event_log_config/ini_setting.rb
@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.type(:nfv_plugin_event_log_config).provide(
+ :ini_setting,
+ # set ini_setting as the parent provider
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ # implemented section as the first part of the namevar
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ # implemented setting as the second part of the namevar
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ # hard code the file path (this allows purging)
+ def self.file_path
+ '/etc/nfv/nfv_plugins/event_log_handlers/config.ini'
+ end
+end
diff --git a/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_plugin_nfvi_config/ini_setting.rb b/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_plugin_nfvi_config/ini_setting.rb
new file mode 100644
index 000000000..2f798423d
--- /dev/null
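Review bot: The four ini_setting providers in this hunk and the next three (nfv_plugin_event_log_config on this line, nfv_plugin_nfvi_config and nfv_vim_config on the following line) are byte-identical apart from the string returned by `self.file_path`, and that same path is written out again in the matching type's `desc` and a third time in `nfv::params`, so nothing ties the copies together. If one of them drifts, the provider would edit or purge a different file than the one `nfv::init` declares, with no error at catalog compile time. At minimum the comment above the method should name the other copies, e.g. `# hard code the file path (this allows purging); keep in sync with nfv::params::nfv_plugin_alarm_conf and the desc in the type`. A shared base provider taking only the path would remove the duplication altogether, but that is a larger refactor than this commit.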
+++ b/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_plugin_nfvi_config/ini_setting.rb
@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.type(:nfv_plugin_nfvi_config).provide(
+ :ini_setting,
+ # set ini_setting as the parent provider
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ # implemented section as the first part of the namevar
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ # implemented setting as the second part of the namevar
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ # hard code the file path (this allows purging)
+ def self.file_path
+ '/etc/nfv/nfv_plugins/nfvi_plugins/config.ini'
+ end
+end
diff --git a/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_vim_config/ini_setting.rb b/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_vim_config/ini_setting.rb
new file mode 100644
index 000000000..ee2a2577e
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/lib/puppet/provider/nfv_vim_config/ini_setting.rb
@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.type(:nfv_vim_config).provide(
+ :ini_setting,
+ # set ini_setting as the parent provider
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ # implemented section as the first part of the namevar
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ # implemented setting as the second part of the namevar
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ # hard code the file path (this allows purging)
+ def self.file_path
+ '/etc/nfv/vim/config.ini'
+ end
+end
diff --git a/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_plugin_alarm_config.rb b/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_plugin_alarm_config.rb
new file mode 100644
index 000000000..60f2fb3f7
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_plugin_alarm_config.rb
@@ -0,0 +1,47 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.newtype(:nfv_plugin_alarm_config) do
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/nfv/nfv_plugins/alarm_handlers/config.ini'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_plugin_event_log_config.rb b/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_plugin_event_log_config.rb
new file mode 100644
index 000000000..e437d97f5
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_plugin_event_log_config.rb
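Review bot: Both regexes in this type validate less than they appear to, and the same two lines are repeated in nfv_plugin_event_log_config, nfv_plugin_nfvi_config and nfv_vim_config on the following three lines. `newvalues(/\S+\/\S+/)` is unanchored, so a name only has to contain a `non-space/non-space` substring somewhere; a name with embedded spaces passes and the provider's `split('/', 2)` then produces a section or key containing whitespace. `/^(true|false)$/i` is line-anchored, so a value with an embedded newline after `true` still gets `capitalize!` applied. Anchoring to the whole string closes both gaps: `newvalues(/\A\S+\/\S+\z/)` and `value.capitalize! if value =~ /\A(true|false)\z/i`.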
@@ -0,0 +1,47 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.newtype(:nfv_plugin_event_log_config) do
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/nfv/nfv_plugins/event_log_handlers/config.ini'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_plugin_nfvi_config.rb b/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_plugin_nfvi_config.rb
new file mode 100644
index 000000000..580f214bf
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_plugin_nfvi_config.rb
@@ -0,0 +1,47 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.newtype(:nfv_plugin_nfvi_config) do
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/nfv/nfv_plugins/nfvi_plugins/config.ini'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_vim_config.rb b/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_vim_config.rb
new file mode 100644
index 000000000..2e76d4872
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/lib/puppet/type/nfv_vim_config.rb
@@ -0,0 +1,47 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.newtype(:nfv_vim_config) do
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/nfv/vim/config.ini'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-nfv/src/nfv/manifests/alarm.pp b/modules/puppet-nfv/src/nfv/manifests/alarm.pp
new file mode 100644
index 000000000..740d68f5b
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/manifests/alarm.pp
@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class nfv::alarm (
+ $enabled = false,
+ $storage_file = '/var/log/nfv-vim-alarms.log',
+) {
+
+ include nfv::params
+
+ nfv_plugin_alarm_config {
+ /* File-Storage Information */
+ 'File-Storage/file': value => $storage_file;
+ }
+
+ if $enabled {
+ $ensure = 'running'
+ } else {
+ $ensure = 'stopped'
+ }
+}
diff --git a/modules/puppet-nfv/src/nfv/manifests/event_log.pp b/modules/puppet-nfv/src/nfv/manifests/event_log.pp
new file mode 100644
index 000000000..d735ab712
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/manifests/event_log.pp
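Review bot: `$ensure` is assigned from `$enabled` at the end of `nfv::alarm` but nothing in the class reads it, and `include nfv::params` is likewise unused here; the same dead tail appears in event_log.pp, nfvi.pp and vim.pp in the following hunks. A reader of the `$enabled` parameter will expect it to start or stop something, so either the `service` resource this was meant to feed is missing from the commit, or the block and the parameter should go. If a service is declared elsewhere, a one-line comment such as `# $ensure is consumed by the service declared in <manifest-name placeholder>` would at least say where to look.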
@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class nfv::event_log (
+ $enabled = false,
+ $storage_file = '/var/log/nfv-vim-events.log',
+) {
+
+ include nfv::params
+
+ nfv_plugin_event_log_config {
+ /* File-Storage Information */
+ 'File-Storage/file': value => $storage_file;
+ }
+
+ if $enabled {
+ $ensure = 'running'
+ } else {
+ $ensure = 'stopped'
+ }
+}
diff --git a/modules/puppet-nfv/src/nfv/manifests/init.pp b/modules/puppet-nfv/src/nfv/manifests/init.pp
new file mode 100644
index 000000000..111168d39
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/manifests/init.pp
@@ -0,0 +1,52 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class nfv (
+) {
+ include nfv::params
+
+ Package['nfv'] -> Nfv_vim_config<||>
+ Package['nfv-plugins'] -> Nfv_plugin_alarm_config<||>
+ Package['nfv-plugins'] -> Nfv_plugin_event_log_config<||>
+ Package['nfv-plugins'] -> Nfv_plugin_nfvi_config<||>
+
+ # This anchor is used to simplify the graph between nfv components
+ # by allowing a resource to serve as a point where the configuration of
+ # nfv begins
+ anchor { 'nfv-start': }
+
+ package { 'nfv':
+ ensure => 'present',
+ name => $::nfv::params::package_name,
+ require => Anchor['nfv-start'],
+ }
+
+ file { $::nfv::params::nfv_vim_conf:
+ ensure => 'present',
+ require => Package['nfv'],
+ }
+
+ package { 'nfv-plugins':
+ ensure => 'present',
+ name => $::nfv::params::nfv_plugin_package_name,
+ require => Anchor['nfv-start'],
+ }
+
+ file { $::nfv::params::nfv_plugin_alarm_conf:
+ ensure => 'present',
+ require => Package['nfv-plugins'],
+ }
+
+ file { $::nfv::params::nfv_plugin_event_log_conf:
+ ensure => 'present',
+ require => Package['nfv-plugins'],
+ }
+
+ file { $::nfv::params::nfv_plugin_nfvi_conf:
+ ensure => 'present',
+ require => Package['nfv-plugins'],
+ }
+}
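Review bot: The four `file` resources in `nfv::init` set only `ensure => 'present'` with no `owner`, `group` or `mode`, yet `nfv::nfvi` later writes `amqp/password` (marked `secret => true`) into `$::nfv::params::nfv_plugin_nfvi_conf`. The manifest therefore depends on whatever permissions the package ships the file with, or on the agent's umask if the file has to be created, and a world-readable config would expose that credential to any local account. I would pin them explicitly, at least on the nfvi config, e.g. `mode => '0600',` together with the service account's `owner`/`group` — that account is not visible in this commit, so it is left as a placeholder here.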
diff --git a/modules/puppet-nfv/src/nfv/manifests/keystone/auth.pp b/modules/puppet-nfv/src/nfv/manifests/keystone/auth.pp
new file mode 100644
index 000000000..b490bf735
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/manifests/keystone/auth.pp
@@ -0,0 +1,43 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class nfv::keystone::auth (
+ $auth_name = 'vim',
+ $password,
+ $tenant = 'services',
+ $email = 'vim@localhost',
+ $region = 'RegionOne',
+ $service_description = 'Virtual Infrastructure Manager',
+ $service_name = 'vim',
+ $service_type = 'nfv',
+ $configure_endpoint = true,
+ $configure_user = true,
+ $configure_user_role = true,
+ $public_url = 'http://127.0.0.1:4545',
+ $admin_url = 'http://127.0.0.1:4545',
+ $internal_url = 'http://127.0.0.1:4545',
+) {
+
+ $real_service_name = pick($service_name, $auth_name)
+
+ keystone::resource::service_identity { $auth_name:
+ configure_user => $configure_user,
+ configure_user_role => $configure_user_role,
+ configure_endpoint => $configure_endpoint,
+ service_type => $service_type,
+ service_description => $service_description,
+ service_name => $real_service_name,
+ region => $region,
+ auth_name => $auth_name,
+ password => $password,
+ email => $email,
+ tenant => $tenant,
+ public_url => $public_url,
+ admin_url => $admin_url,
+ internal_url => $internal_url,
+ }
+
+}
diff --git a/modules/puppet-nfv/src/nfv/manifests/nfvi.pp b/modules/puppet-nfv/src/nfv/manifests/nfvi.pp
new file mode 100644
index 000000000..96315c70f
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/manifests/nfvi.pp
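Review bot: `$password` is the only required parameter of `nfv::keystone::auth` but is declared after the defaulted `$auth_name`, which puppet-lint's parameter_order check flags and which makes the mandatory argument easy to overlook when scanning the signature; move `$password,` to the first position. Separately, `pick($service_name, $auth_name)` can only fall back to `$auth_name` if a caller passes `undef` explicitly, because `$service_name` already defaults to `'vim'`; if the fallback is intended, `$service_name = undef,` expresses it, otherwise the `pick` is redundant.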
@@ -0,0 +1,172 @@
+#
+# Copyright (c) 2016-2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class nfv::nfvi (
+ $enabled = false,
+ $openstack_username = 'admin',
+ $openstack_tenant = 'admin',
+ $openstack_user_domain = 'Default',
+ $openstack_project_domain = 'Default',
+ $openstack_auth_protocol = 'http',
+ $openstack_auth_host = '127.0.0.1',
+ $openstack_auth_port = 5000,
+ $openstack_nova_api_host = '127.0.0.1',
+ $keystone_region_name = 'RegionOne',
+ $keystone_service_name = 'keystone',
+ $keystone_service_type = 'identity',
+ $keystone_endpoint_type = 'internal',
+ $ceilometer_region_name = 'RegionOne',
+ $ceilometer_service_name = 'ceilometer',
+ $ceilometer_service_type = 'metering',
+ $ceilometer_endpoint_type = 'admin',
+ $cinder_region_name = 'RegionOne',
+ $cinder_service_name = 'cinderv2',
+ $cinder_service_type = 'volumev2',
+ $cinder_endpoint_type = 'admin',
+ $cinder_endpoint_disabled = false,
+ $glance_region_name = 'RegionOne',
+ $glance_service_name = 'glance',
+ $glance_service_type = 'image',
+ $glance_endpoint_type = 'admin',
+ $neutron_region_name = 'RegionOne',
+ $neutron_service_name = 'neutron',
+ $neutron_service_type = 'network',
+ $neutron_endpoint_type = 'admin',
+ $neutron_endpoint_disabled = false,
+ $nova_region_name = 'RegionOne',
+ $nova_service_name = 'nova',
+ $nova_service_type = 'compute',
+ $nova_endpoint_type = 'admin',
+ $nova_endpoint_override = "http://localhost:18774",
+ $sysinv_region_name = 'RegionOne',
+ $sysinv_service_name = 'sysinv',
+ $sysinv_service_type = 'platform',
+ $sysinv_endpoint_type = 'admin',
+ $heat_region_name = 'RegionOne',
+ $mtc_endpoint_override = 'http://localhost:2112',
+ $guest_endpoint_override = 'http://localhost:2410',
+ $patching_region_name = 'RegionOne',
+ $patching_service_name = 'patching',
+ $patching_service_type = 'patching',
+ $patching_endpoint_type = 'admin',
+ $rabbit_host = '127.0.0.1',
+ $rabbit_port = 5672,
+ $rabbit_userid = 'guest',
+ $rabbit_password = 'guest',
+ $rabbit_virtual_host = '/',
+ $infrastructure_rest_api_host = '127.0.0.1',
+ $infrastructure_rest_api_port = 30001,
+ $infrastructure_rest_api_data_port_fault_handling_enabled = true,
+ $guest_rest_api_host = '127.0.0.1',
+ $guest_rest_api_port = 30002,
+ $compute_rest_api_host = '127.0.0.1',
+ $compute_rest_api_port = 30003,
+ $compute_rest_api_max_concurrent_requests = 128,
+ $compute_rest_api_max_request_wait_in_secs = 120,
+ $host_listener_host = '127.0.0.1',
+ $host_listener_port = 30004,
+ $identity_uri = undef,
+) {
+
+ include nfv::params
+
+ nfv_plugin_nfvi_config {
+
+ /* OpenStack Information */
+ 'openstack/username': value => $openstack_username;
+ 'openstack/tenant': value => $openstack_tenant;
+ 'openstack/user_domain_name': value => $openstack_user_domain;
+ 'openstack/project_domain_name': value => $openstack_project_domain;
+ 'openstack/authorization_protocol': value => $openstack_auth_protocol;
+ 'openstack/authorization_ip': value => $openstack_auth_host;
+ 'openstack/authorization_port': value => $openstack_auth_port;
+
+ 'keystone/region_name': value => $keystone_region_name;
+ 'keystone/service_name': value => $keystone_service_name;
+ 'keystone/service_type': value => $keystone_service_type;
+ 'keystone/endpoint_type': value => $keystone_endpoint_type;
+
+ 'ceilometer/region_name': value => $ceilometer_region_name;
+ 'ceilometer/service_name': value => $ceilometer_service_name;
+ 'ceilometer/service_type': value => $ceilometer_service_type;
+ 'ceilometer/endpoint_type': value => $ceilometer_endpoint_type;
+
+ 'cinder/region_name': value => $cinder_region_name;
+ 'cinder/service_name': value => $cinder_service_name;
+ 'cinder/service_type': value => $cinder_service_type;
+ 'cinder/endpoint_type': value => $cinder_endpoint_type;
+ 'cinder/endpoint_disabled': value => $cinder_endpoint_disabled;
+
+ 'glance/region_name': value => $glance_region_name;
+ 'glance/service_name': value => $glance_service_name;
+ 'glance/service_type': value => $glance_service_type;
+ 'glance/endpoint_type': value => $glance_endpoint_type;
+
+ 'neutron/region_name': value => $neutron_region_name;
+ 'neutron/service_name': value => $neutron_service_name;
+ 'neutron/service_type': value => $neutron_service_type;
+ 'neutron/endpoint_type': value => $neutron_endpoint_type;
+ 'neutron/endpoint_disabled': value => $neutron_endpoint_disabled;
+
+ 'nova/region_name': value => $nova_region_name;
+ 'nova/service_name': value => $nova_service_name;
+ 'nova/service_type': value => $nova_service_type;
+ 'nova/endpoint_type': value => $nova_endpoint_type;
+ 'nova/endpoint_override': value => $nova_endpoint_override;
+
+ 'sysinv/region_name': value => $sysinv_region_name;
+ 'sysinv/service_name': value => $sysinv_service_name;
+ 'sysinv/service_type': value => $sysinv_service_type;
+ 'sysinv/endpoint_type': value => $sysinv_endpoint_type;
+
+ 'heat/region_name': value => $heat_region_name;
+
+ 'mtc/endpoint_override': value => $mtc_endpoint_override;
+
+ 'guest/endpoint_override': value => $guest_endpoint_override;
+
+ 'patching/region_name': value => $patching_region_name;
+ 'patching/service_name': value => $patching_service_name;
+ 'patching/service_type': value => $patching_service_type;
+ 'patching/endpoint_type': value => $patching_endpoint_type;
+
+ /* AMQP */
+ 'amqp/host': value => $rabbit_host;
+ 'amqp/port': value => $rabbit_port;
+ 'amqp/user_id': value => $rabbit_userid;
+ 'amqp/password': value => $rabbit_password, secret => true;
+ 'amqp/virt_host': value => $rabbit_virtual_host;
+
+ /* Infrastructure Rest-API */
+ 'infrastructure-rest-api/host': value => $infrastructure_rest_api_host;
+ 'infrastructure-rest-api/port': value => $infrastructure_rest_api_port;
+ 'infrastructure-rest-api/data_port_fault_handling_enabled': value => $infrastructure_rest_api_data_port_fault_handling_enabled;
+
+ /* Guest-Services Rest-API */
+ 'guest-rest-api/host': value => $guest_rest_api_host;
+ 'guest-rest-api/port': value => $guest_rest_api_port;
+
+ /* Compute Rest-API */
+ 'compute-rest-api/host': value => $compute_rest_api_host;
+ 'compute-rest-api/port': value => $compute_rest_api_port;
+ 'compute-rest-api/max_concurrent_requests': value => $compute_rest_api_max_concurrent_requests;
+ 'compute-rest-api/max_request_wait_in_secs': value => $compute_rest_api_max_request_wait_in_secs;
+
+ /* Host Listener */
+ 'host-listener/host': value => $host_listener_host;
+ 'host-listener/port': value => $host_listener_port;
+ }
+
+ if $identity_uri {
+ nfv_plugin_nfvi_config { 'openstack/authorization_uri': value => $identity_uri; }
+ }
+
+ if $enabled {
+ $ensure = 'running'
+ } else {
+ $ensure = 'stopped'
+ }
+}
diff --git a/modules/puppet-nfv/src/nfv/manifests/params.pp b/modules/puppet-nfv/src/nfv/manifests/params.pp
new file mode 100644
index 000000000..f5a80a0bc
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/manifests/params.pp
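Review bot: `$openstack_nova_api_host` is declared in the `nfv::nfvi` parameter list but never written to the config, so a caller who sets it gets no effect and no warning; either add the matching `nfv_plugin_nfvi_config` entry or drop the parameter. The AMQP credentials also default to the broker's well-known `guest`/`guest` pair, so a deployment that forgets to override `$rabbit_password` keeps a guessable password in `/etc/nfv/nfv_plugins/nfvi_plugins/config.ini` with nothing failing; declaring `$rabbit_password,` without a default (as `$password` is in `nfv::keystone::auth`) would turn that into a catalog compile error, provided every existing caller already passes it. Lastly, `$nova_endpoint_override = "http://localhost:18774"` is the only double-quoted string in the class and has no interpolation; `'http://localhost:18774'` matches its neighbours.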
@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class nfv::params {
+
+ $nfv_conf_dir = '/etc/nfv'
+ $nfv_plugin_conf_dir = '/etc/nfv/nfv_plugins'
+ $nfv_vim_conf = '/etc/nfv/vim/config.ini'
+ $nfv_plugin_alarm_conf = '/etc/nfv/nfv_plugins/alarm_handlers/config.ini'
+ $nfv_plugin_event_log_conf = '/etc/nfv/nfv_plugins/event_log_handlers/config.ini'
+ $nfv_plugin_nfvi_conf = '/etc/nfv/nfv_plugins/nfvi_plugins/config.ini'
+
+ if $::osfamily == 'Debian' {
+ $package_name = 'nfv-vim'
+ $nfv_plugin_package_name = 'nfv-plugins'
+ $nfv_common_package_name = 'nfv-common'
+
+ } elsif($::osfamily == 'RedHat') {
+
+ $package_name = 'nfv-vim'
+ $nfv_plugin_package_name = 'nfv-plugins'
+ $nfv_common_package_name = 'nfv-common'
+
+ } elsif($::osfamily == 'WRLinux') {
+
+ $package_name = 'nfv-vim'
+ $nfv_plugin_package_name = 'nfv-plugins'
+ $nfv_common_package_name = 'nfv-common'
+
+ } else {
+ fail("unsuported osfamily ${::osfamily}, currently WindRiver, Debian, Redhat are the only supported platforms")
+ }
+}
diff --git a/modules/puppet-nfv/src/nfv/manifests/vim.pp b/modules/puppet-nfv/src/nfv/manifests/vim.pp
new file mode 100644
index 000000000..519f7419a
--- /dev/null
+++ b/modules/puppet-nfv/src/nfv/manifests/vim.pp
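Review bot: The three `$::osfamily` branches in `nfv::params` assign identical values, so the conditional carries no information and every new platform has to be added as another copy; a single membership test, `if $::osfamily in ['Debian', 'RedHat', 'WRLinux'] {`, followed by the three assignments and the existing `else`, keeps the same behaviour in a third of the lines. The `fail()` message also misspells unsupported (`unsuported`) and names the families differently from the comparisons (`WindRiver`, `Redhat` versus `WRLinux`, `RedHat`), which makes the error harder to match to the code when it fires.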
@@ -0,0 +1,92 @@
+#
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class nfv::vim (
+ $enabled = false,
+ $debug_config_file = '/etc/nfv/vim/debug.ini',
+ $debug_handlers = 'syslog, stdout',
+ $debug_syslog_address = '/dev/log',
+ $debug_syslog_facility = 'user',
+ $database_dir = '/opt/platform/nfv/vim',
+ $alarm_namespace = 'nfv_vim.alarm.handlers.v1',
+ $alarm_handlers = 'File-Storage, Fault-Management',
+ $alarm_audit_interval = 30,
+ $alarm_config_file = '/etc/nfv/nfv_plugins/alarm_handlers/config.ini',
+ $event_log_namespace = 'nfv_vim.event_log.handlers.v1',
+ $event_log_handlers = 'File-Storage, Event-Log-Management',
+ $event_log_config_file ='/etc/nfv/nfv_plugins/event_log_handlers/config.ini',
+ $nfvi_namespace = 'nfv_vim.nfvi.plugins.v1',
+ $nfvi_config_file = '/etc/nfv/nfv_plugins/nfvi_plugins/config.ini',
+ $vim_rpc_ip = '127.0.0.1',
+ $vim_rpc_port = 4343,
+ $vim_api_ip = '0.0.0.0',
+ $vim_api_port = 4545,
+ $vim_api_rpc_ip = '127.0.0.1',
+ $vim_api_rpc_port = 0,
+ $vim_webserver_ip = '0.0.0.0',
+ $vim_webserver_port = 32323,
+ $vim_webserver_source_dir = '/usr/lib64/python2.7/site-packages/nfv_vim/webserver',
+ $instance_max_live_migrate_wait_in_secs = 180,
+ $instance_single_hypervisor = false,
+ $sw_mgmt_single_controller = false,
+) {
+
+ include nfv::params
+
+ nfv_vim_config {
+ /* Debug Information */
+ 'debug/config_file': value => $debug_config_file;
+ 'debug/handlers': value => $debug_handlers;
+ 'debug/syslog_address': value => $debug_syslog_address;
+ 'debug/syslog_facility': value => $debug_syslog_facility;
+
+ /* Database */
+ 'database/database_dir': value => $database_dir;
+
+ /* Alarm */
+ 'alarm/namespace': value => $alarm_namespace;
+ 'alarm/handlers': value => $alarm_handlers;
+ 'alarm/audit_interval': value => $alarm_audit_interval;
+ 'alarm/config_file': value => $alarm_config_file;
+
+ /* Event Log */
+ 'event-log/namespace': value => $event_log_namespace;
+ 'event-log/handlers': value => $event_log_handlers;
+ 'event-log/config_file': value => $event_log_config_file;
+
+ /* NFVI */
+ 'nfvi/namespace': value => $nfvi_namespace;
+ 'nfvi/config_file': value => $nfvi_config_file;
+
+ /* INSTANCE CONFIGURATION */
+ 'instance-configuration/max_live_migrate_wait_in_secs': value => $instance_max_live_migrate_wait_in_secs;
+ 'instance-configuration/single_hypervisor': value => $instance_single_hypervisor;
+
+ /* VIM */
+ 'vim/rpc_host': value => $vim_rpc_ip;
+ 'vim/rpc_port': value => $vim_rpc_port;
+
+ /* VIM-API */
+ 'vim-api/host': value => $vim_api_ip;
+ 'vim-api/port': value => $vim_api_port;
+ 'vim-api/rpc_host': value => $vim_api_rpc_ip;
+ 'vim-api/rpc_port': value => $vim_api_rpc_port;
+
+ /* VIM-Webserver */
+ 'vim-webserver/host': value => $vim_webserver_ip;
+ 'vim-webserver/port': value => $vim_webserver_port;
+ 'vim-webserver/source_dir': value => $vim_webserver_source_dir;
+
+ /* SW-MGMT CONFIGURATION */
+ 'sw-mgmt-configuration/single_controller': value => $sw_mgmt_single_controller;
+ }
+
+ if $enabled {
+ $ensure = 'running'
+ } else {
+ $ensure = 'stopped'
+ }
+}
diff --git a/modules/puppet-patching/PKG_INFO b/modules/puppet-patching/PKG_INFO
new file mode 100644
index 000000000..01c10fdb4
--- /dev/null
+++ b/modules/puppet-patching/PKG_INFO
@@ -0,0 +1,2 @@
+Name: puppet-patching
+Version: 1.0.0
diff --git a/modules/puppet-patching/centos/build_srpm.data b/modules/puppet-patching/centos/build_srpm.data
new file mode 100644
index 000000000..f579f0d2e
--- /dev/null
+++ b/modules/puppet-patching/centos/build_srpm.data
@@ -0,0 +1,2 @@
+SRC_DIR="src"
+TIS_PATCH_VER=2
diff --git a/modules/puppet-patching/centos/puppet-patching.spec b/modules/puppet-patching/centos/puppet-patching.spec
new file mode 100644
index 000000000..2fad1c1dd
--- /dev/null
+++ b/modules/puppet-patching/centos/puppet-patching.spec
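Review bot: `$vim_api_ip` and `$vim_webserver_ip` default to `'0.0.0.0'` while every other address parameter of `nfv::vim` defaults to `'127.0.0.1'`, and nothing in the class records whether the API and web server are meant to be reachable from other hosts out of the box; a comment on those two parameters stating the intent, e.g. `# listens on all interfaces by default; set to the management address where the API is only consumed locally`, would spare the next reader from guessing which exposure is deliberate. `$event_log_config_file ='/etc/...'` is also missing the space after `=` that every neighbouring parameter has. The class `nfv::vim` begins on the previous line; its body is otherwise complete in this hunk.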
@@ -0,0 +1,34 @@
+%global module_dir patching
+
+Name: puppet-%{module_dir}
+Version: 1.0.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+Summary: Puppet patching module
+License: Apache-2.0
+Packager: Wind River
+
+URL: unknown
+
+Source0: %{name}-%{version}.tar.gz
+
+BuildArch: noarch
+
+BuildRequires: python2-devel
+
+%description
+A puppet module for patching
+
+%prep
+%autosetup -c %{module_dir}
+
+#
+# The src for this puppet module needs to be staged to packstack/puppet/modules
+#
+%install
+install -d -m 0755 %{buildroot}%{_datadir}/puppet/modules/%{module_dir}
+cp -R %{name}-%{version}/%{module_dir} %{buildroot}%{_datadir}/puppet/modules
+
+%files
+%license %{name}-%{version}/LICENSE
+%{_datadir}/puppet/modules/%{module_dir}
+
diff --git a/modules/puppet-patching/src/LICENSE b/modules/puppet-patching/src/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/modules/puppet-patching/src/LICENSE
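Review bot: The comment above `%install` says the module is staged to `packstack/puppet/modules`, but the `install` and `cp` lines directly below put it under `%{_datadir}/puppet/modules`; the comment should match the code, `# The src for this puppet module needs to be staged to puppet/modules`. `BuildRequires: python2-devel` is also surprising for a `noarch` package whose install section only copies files; if nothing in the build actually needs it, dropping it shrinks the build dependency set, though the rest of the build tooling is not visible here so this is a question rather than a finding.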
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-patching/src/patching/LICENSE b/modules/puppet-patching/src/patching/LICENSE new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/modules/puppet-patching/src/patching/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-patching/src/patching/Modulefile b/modules/puppet-patching/src/patching/Modulefile new file mode 100644 index 000000000..63fbf8c8a --- /dev/null +++ b/modules/puppet-patching/src/patching/Modulefile @@ -0,0 +1,13 @@ +name 'patching' +version '2.1.0' +source 'https://github.com/stackforge/patching' +author 'Wind River' +license 'Apache-2.0' +summary 'Patching Module' +description 'Puppet module to install and configure the Patching service' +project_page 'https://launchpad.net/puppet' + +dependency 'puppetlabs/inifile', '>=1.0.0 <2.0.0' +dependency 'puppetlabs/mysql', '>=0.6.1 <1.0.0' +dependency 'puppetlabs/stdlib', '>=2.5.0' +dependency 'puppetlabs/rabbitmq', '>=2.0.2 <3.0.0' 
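Review bot: The Modulefile declares dependencies on `puppetlabs/mysql` and `puppetlabs/rabbitmq`, yet none of the manifests in this series (api.pp, init.pp, keystone/auth.pp, params.pp) reference either module; the only external resources used are `patching_config`, `file`, `service`, `keystone::resource::service_identity` and `validate_re`/`pick`. Unused dependencies enlarge the set of third-party code pulled into the build for no benefit and should be dropped unless something outside this diff needs them. `source 'https://github.com/stackforge/patching'` and `project_page 'https://launchpad.net/puppet'` also look like placeholder values and are worth confirming.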
diff --git a/modules/puppet-patching/src/patching/lib/puppet/provider/patching_config/ini_setting.rb b/modules/puppet-patching/src/patching/lib/puppet/provider/patching_config/ini_setting.rb
new file mode 100644
index 000000000..49bcf9382
--- /dev/null
+++ b/modules/puppet-patching/src/patching/lib/puppet/provider/patching_config/ini_setting.rb
@@ -0,0 +1,33 @@
+#
+# Copyright (c) 2014-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.type(:patching_config).provide(
+ :ini_setting,
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ def self.file_path
+ '/etc/patching/patching.conf'
+ end
+
+ # added for backwards compatibility with older versions of inifile
+ def file_path
+ self.class.file_path
+ end
+
+end
diff --git a/modules/puppet-patching/src/patching/lib/puppet/type/patching_config.rb b/modules/puppet-patching/src/patching/lib/puppet/type/patching_config.rb
new file mode 100644
index 000000000..d549c7adc
--- /dev/null
+++ b/modules/puppet-patching/src/patching/lib/puppet/type/patching_config.rb
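Review bot: The provider has no comment stating the title convention it parses: `section` and `setting` split `resource[:name]` at the first `/` only, so a title such as `keystone_authtoken/auth_url` gives section `keystone_authtoken` and a setting part that may itself contain further slashes. Suggest a comment above `def section`: `# Titles are 'section/setting'; only the first '/' separates them, so the setting part may contain '/'.` The path returned by `self.file_path` duplicates the `$patching_conf` value in params.pp, so a one-line reminder that the two must stay in sync would help, `# Must match patching::params::patching_conf in manifests/params.pp.`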
@@ -0,0 +1,48 @@
+#
+# Copyright (c) 2014-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.newtype(:patching_config) do
+
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/patching/patching.conf'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-patching/src/patching/manifests/api.pp b/modules/puppet-patching/src/patching/manifests/api.pp
new file mode 100644
index 000000000..520bcf7ad
--- /dev/null
+++ b/modules/puppet-patching/src/patching/manifests/api.pp
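Review bot: `newvalues(/\S+\/\S+/)` on the `name` parameter is unanchored, so any title that merely contains a `/` between two non-space characters passes, including one with embedded or surrounding whitespace (constructed example: `foo bar/baz`), which the provider would then write as a section named `foo bar`. Anchor it to the whole title: `newvalues(/\A\S+\/\S+\z/)`. The same applies to the boolean normalisation in `munge`, where `^`/`$` are line anchors in Ruby; `value.capitalize! if value =~ /\A(true|false)\z/i` matches the whole (already stripped) string. The `secret` parameter only redacts the logged old/new values via `is_to_s`/`should_to_s`; a `desc` sentence saying so would set the right expectation for callers.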
@@ -0,0 +1,79 @@
+#
+# Copyright (c) 2014-2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+class patching::api (
+ $keystone_password,
+ $keystone_enabled = true,
+ $keystone_tenant = 'services',
+ $keystone_user = 'patching',
+ $keystone_user_domain = 'Default',
+ $keystone_project_domain = 'Default',
+ $keystone_auth_host = 'localhost',
+ $keystone_auth_port = '5000',
+ $keystone_auth_protocol = 'http',
+ $keystone_auth_admin_prefix = false,
+ $keystone_auth_uri = false,
+ $keystone_auth_version = false,
+ $keystone_identity_uri = false,
+ $auth_type = 'password',
+ $service_port = '5000',
+ $package_ensure = 'latest',
+ $bind_host = '0.0.0.0',
+ $enabled = true
+) {
+
+ include patching::params
+
+ if $keystone_identity_uri {
+ patching_config { 'keystone_authtoken/auth_url': value => $keystone_identity_uri; }
+ } else {
+ patching_config { 'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; }
+ }
+
+ if $keystone_auth_uri {
+ patching_config { 'keystone_authtoken/auth_uri': value => $keystone_auth_uri; }
+ } else {
+ patching_config {
+ 'keystone_authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/";
+ }
+ }
+
+ if $keystone_auth_version {
+ patching_config { 'keystone_authtoken/auth_version': value => $keystone_auth_version; }
+ } else {
+ patching_config { 'keystone_authtoken/auth_version': ensure => absent; }
+ }
+
+ if $keystone_enabled {
+ patching_config {
+ 'DEFAULT/auth_strategy': value => 'keystone' ;
+ }
+ patching_config {
+ 'keystone_authtoken/auth_type': value => $auth_type;
+ 'keystone_authtoken/project_name': value => $keystone_tenant;
+ 'keystone_authtoken/username': value => $keystone_user;
+ 'keystone_authtoken/user_domain_name': value => $keystone_user_domain;
+ 'keystone_authtoken/project_domain_name': value => $keystone_project_domain;
+ 'keystone_authtoken/password': value => $keystone_password, secret => true;
+ }
+
+ if 
$keystone_auth_admin_prefix {
+ validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$')
+ patching_config {
+ 'keystone_authtoken/auth_admin_prefix': value => $keystone_auth_admin_prefix;
+ }
+ } else {
+ patching_config {
+ 'keystone_authtoken/auth_admin_prefix': ensure => absent;
+ }
+ }
+ }
+ else
+ {
+ patching_config {
+ 'DEFAULT/auth_strategy': value => 'noauth' ;
+ }
+ }
+}
diff --git a/modules/puppet-patching/src/patching/manifests/init.pp b/modules/puppet-patching/src/patching/manifests/init.pp
new file mode 100644
index 000000000..808259611
--- /dev/null
+++ b/modules/puppet-patching/src/patching/manifests/init.pp
@@ -0,0 +1,44 @@
+#
+# Copyright (c) 2014-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class patching (
+ $controller_multicast = '239.1.1.3',
+ $agent_multicast = '239.1.1.4',
+ $api_port = 5487,
+ $controller_port = 5488,
+ $agent_port = 5489,
+) {
+ include patching::params
+
+ file { $::patching::params::patching_conf:
+ ensure => present,
+ owner => 'patching',
+ group => 'patching',
+ mode => '0600',
+ }
+
+ patching_config {
+ 'runtime/controller_multicast': value => $controller_multicast;
+ 'runtime/agent_multicast': value => $agent_multicast;
+ 'runtime/api_port': value => $api_port;
+ 'runtime/controller_port': value => $controller_port;
+ 'runtime/agent_port': value => $agent_port;
+ }
+ ~>
+ service { 'sw-patch-agent.service':
+ ensure => 'running',
+ enable => true,
+ subscribe => File[$::patching::params::patching_conf],
+ }
+
+ if $::personality == "controller" {
+ service { 'sw-patch-controller-daemon.service':
+ ensure => 'running',
+ enable => true,
+ subscribe => Service['sw-patch-agent.service'],
+ }
+ }
+}
diff --git a/modules/puppet-patching/src/patching/manifests/keystone/auth.pp b/modules/puppet-patching/src/patching/manifests/keystone/auth.pp
new file mode 100644
index 000000000..ed0541a52
--- /dev/null
+++ b/modules/puppet-patching/src/patching/manifests/keystone/auth.pp
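Review bot: The `auth_url` and `auth_uri` fallbacks hard-code port `5000` even though the class declares `$keystone_auth_port = '5000'`, so overriding that parameter has no effect on either generated URL. Use the parameter in both places: `value => "${keystone_auth_protocol}://${keystone_auth_host}:${keystone_auth_port}/"`. `$service_port`, `$package_ensure`, `$bind_host` and `$enabled` are likewise declared but never read anywhere in this class; if nothing outside the diff consumes them they should be removed or wired up, since a parameter that silently does nothing invites misconfiguration.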
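Review bot: Nothing orders the `file { $::patching::params::patching_conf: ... mode => '0600' }` resource ahead of the `patching_config` resources that write to the same file, and the `patching_config` type added in this series declares no `autorequire` on it; if the ini_setting provider creates the file before the `file` resource runs, it is created with the process's default permissions until the next resource corrects them, and `patching::api` stores `keystone_authtoken/password` in that file. Add an explicit ordering, e.g. `File[$::patching::params::patching_conf] -> Patching_config <| |>`, or an `autorequire(:file)` in the type. As a style nit, `"controller"` in the `$::personality` comparison needs no interpolation and can be single-quoted.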
@@ -0,0 +1,49 @@
+#
+# Copyright (c) 2014-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class patching::keystone::auth (
+ $auth_name = 'patching',
+ $password,
+ $tenant = 'services',
+ $email = 'patching@localhost',
+ $region = 'RegionOne',
+ $service_description = 'Patching Service',
+ $service_name = undef,
+ $service_type = 'patching',
+ $configure_endpoint = true,
+ $configure_user = true,
+ $configure_user_role = true,
+ $public_url = 'http://127.0.0.1:15491/v1',
+ $admin_url = 'http://127.0.0.1:5491/v1',
+ $internal_url = 'http://127.0.0.1:5491/v1',
+) {
+
+ $real_service_name = pick($service_name, $auth_name)
+
+
+ keystone::resource::service_identity { 'patching':
+ configure_user => $configure_user,
+ configure_user_role => $configure_user_role,
+ configure_endpoint => $configure_endpoint,
+ service_type => $service_type,
+ service_description => $service_description,
+ service_name => $real_service_name,
+ region => $region,
+ auth_name => $auth_name,
+ password => $password,
+ email => $email,
+ tenant => $tenant,
+ public_url => $public_url,
+ admin_url => $admin_url,
+ internal_url => $internal_url,
+ }
+
+ # Assume we dont need backwards compatability
+ # if $configure_endpoint {
+ # Keystone_endpoint["${region}/${real_service_name}::${service_type}"] ~> Service <| title == 'patch-server' |>
+ # }
+
+}
diff --git a/modules/puppet-patching/src/patching/manifests/params.pp b/modules/puppet-patching/src/patching/manifests/params.pp
new file mode 100644
index 000000000..e8aeede64
--- /dev/null
+++ b/modules/puppet-patching/src/patching/manifests/params.pp
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2014-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class patching::params {
+ $patching_dir = '/etc/patching'
+ $patching_conf = '/etc/patching/patching.conf'
+}
\ No newline at end of file
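Review bot: The commented-out block at the end of `patching::keystone::auth` refers to `Service <| title == 'patch-server' |>`, but the services this series defines in init.pp are `sw-patch-agent.service` and `sw-patch-controller-daemon.service`, so the comment is stale on arrival; either delete it or rewrite it against the real service names, and fix the typos in `# Assume we dont need backwards compatability`. The required `$password` parameter is listed after the defaulted `$auth_name`; Puppet style puts required parameters first, which also makes the class signature self-documenting. The `keystone::resource::service_identity` call is a plain pass-through of every parameter, so a one-line class comment such as `# Registers the patching service, user and endpoints in Keystone.` would cover the missing documentation.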
diff --git a/modules/puppet-sshd/centos/build_srpm.data b/modules/puppet-sshd/centos/build_srpm.data
new file mode 100644
index 000000000..29c4710a7
--- /dev/null
+++ b/modules/puppet-sshd/centos/build_srpm.data
@@ -0,0 +1,3 @@
+SRC_DIR="src"
+COPY_LIST="$SRC_DIR/LICENSE"
+TIS_PATCH_VER=1
diff --git a/modules/puppet-sshd/centos/puppet-sshd.spec b/modules/puppet-sshd/centos/puppet-sshd.spec
new file mode 100644
index 000000000..6056d5029
--- /dev/null
+++ b/modules/puppet-sshd/centos/puppet-sshd.spec
@@ -0,0 +1,34 @@
+%global module_dir sshd
+
+Name: puppet-%{module_dir}
+Version: 1.0.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+Summary: Puppet sshd module
+License: Apache-2.0
+Packager: Wind River
+
+URL: unknown
+
+Source0: %{name}-%{version}.tar.gz
+Source1: LICENSE
+
+BuildArch: noarch
+
+BuildRequires: python2-devel
+
+%description
+A puppet module for sshd
+
+%prep
+%autosetup -c %{module_dir}
+
+#
+# The src for this puppet module needs to be staged to puppet/modules
+#
+%install
+install -d -m 0755 %{buildroot}%{_datadir}/puppet/modules/%{module_dir}
+cp -R %{name}-%{version}/%{module_dir} %{buildroot}%{_datadir}/puppet/modules
+
+%files
+%license %{name}-%{version}/LICENSE
+%{_datadir}/puppet/modules/%{module_dir}
diff --git a/modules/puppet-sshd/src/LICENSE b/modules/puppet-sshd/src/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/modules/puppet-sshd/src/LICENSE
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/modules/puppet-sshd/src/sshd/manifests/init.pp b/modules/puppet-sshd/src/sshd/manifests/init.pp
new file mode 100644
index 000000000..e015503e9
--- /dev/null
+++ b/modules/puppet-sshd/src/sshd/manifests/init.pp
@@ -0,0 +1,8 @@
+#
+# Copyright (c) 2015-2017 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+class sshd () {
+ }
diff --git a/modules/puppet-sshd/src/sshd/templates/sshd_config.erb b/modules/puppet-sshd/src/sshd/templates/sshd_config.erb
new file mode 100644
index 000000000..d3b0ee374
--- /dev/null
+++ b/modules/puppet-sshd/src/sshd/templates/sshd_config.erb
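Review bot: `class sshd () { }` manages nothing, so the `sshd_config.erb` template added in the same change — which reads `@nova_migration_subnet` — is not rendered by this module, and nothing here declares that variable. Presumably another module or profile calls `template('sshd/sshd_config.erb')` with the variable in scope; if so, a header comment such as `# Intentionally empty: sshd_config.erb is rendered by the consuming profile, which must set nova_migration_subnet` would stop the next reader from adding a competing `file { '/etc/ssh/sshd_config': }` resource here. If no such consumer exists, the template is dead code until this class gains a parameter for the subnet and a `file` resource that renders it and notifies the sshd service.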
@@ -0,0 +1,139 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+
+# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+
+LoginGraceTime 1m
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 4
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile .ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation yes
+PermitUserEnvironment no
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+# Make SSH connect faster on bootup
+UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# default banner path
+Banner /etc/issue.net
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
+DenyUsers admin secadmin operator
+# Filtered cipher and MAC list, defaults can be obtained by ssh -Q cipher and ssh -Q mac
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+
+# This Match block prevents Password Authentication for root user
+Match User root
+ PasswordAuthentication no
+
+<% if @nova_migration_subnet -%>
+# This Match Block is used to allow Root Login exceptions over the
+# internal subnet used by Nova Migrations
+Match Address <%= @nova_migration_subnet %>
+ PermitRootLogin without-password
+<% end -%>
diff --git a/modules/puppet-sysinv/PKG_INFO b/modules/puppet-sysinv/PKG_INFO
new file mode 100644
index 000000000..72c3266c1
--- /dev/null
+++ b/modules/puppet-sysinv/PKG_INFO
@@ -0,0 +1,2 @@
+Name: puppet-sysinv
+Version: 1.0.0
diff --git a/modules/puppet-sysinv/centos/build_srpm.data b/modules/puppet-sysinv/centos/build_srpm.data
new file mode 100644
index 000000000..fd1bf4cda
--- /dev/null
+++ b/modules/puppet-sysinv/centos/build_srpm.data
@@ -0,0 +1,3 @@
+SRC_DIR="src"
+COPY_LIST="$SRC_DIR/LICENSE"
+TIS_PATCH_VER=3
diff --git a/modules/puppet-sysinv/centos/puppet-sysinv.spec b/modules/puppet-sysinv/centos/puppet-sysinv.spec
new file mode 100644
index 000000000..69960596b
--- /dev/null
+++ b/modules/puppet-sysinv/centos/puppet-sysinv.spec
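Review bot: The `MACs` line near the end of the hunk still permits `hmac-sha1`, `hmac-ripemd160` and the 64-bit-tag `umac-64` variants (plain and `-etm`), which undoes most of the benefit of the filtered `Ciphers` list directly above it; it should be trimmed to `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com`. No `KexAlgorithms` line is set at all, so whichever SHA-1 key-exchange methods the installed OpenSSH enables by default remain negotiable; if the target build supports it, add an explicit `KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256`. The closing `Match Address <%= @nova_migration_subnet %>` block interpolates the variable verbatim into the directive that re-enables root login for that range, so the value must be validated as a CIDR list where the template is rendered (outside this hunk), since an embedded newline or an extra comma-separated range would silently widen the exception. Global `PasswordAuthentication` is also left at its commented default of `yes`, so only root is shielded from password guessing; that looks intentional but deserves a one-line comment saying so.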
@@ -0,0 +1,35 @@
+%global module_dir sysinv
+
+Name: puppet-%{module_dir}
+Version: 1.0.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+Summary: Puppet sysinv module
+License: Apache
+Packager: Wind River
+
+URL: unknown
+
+Source0: %{name}-%{version}.tar.gz
+Source1: LICENSE
+
+BuildArch: noarch
+
+BuildRequires: python2-devel
+
+%description
+A puppet module for sysinv
+
+%prep
+%autosetup -c %{module_dir}
+
+#
+# The src for this puppet module needs to be staged to puppet/modules
+#
+%install
+install -d -m 0755 %{buildroot}%{_datadir}/puppet/modules/%{module_dir}
+cp -R %{name}-%{version}/%{module_dir} %{buildroot}%{_datadir}/puppet/modules
+
+%files
+%license %{name}-%{version}/LICENSE
+%{_datadir}/puppet/modules/%{module_dir}
+
diff --git a/modules/puppet-sysinv/src/LICENSE b/modules/puppet-sysinv/src/LICENSE
new file mode 100644
index 000000000..8d968b6cb
--- /dev/null
+++ b/modules/puppet-sysinv/src/LICENSE
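Review bot: `cp -R %{name}-%{version}/%{module_dir} %{buildroot}%{_datadir}/puppet/modules` copies the whole `src/sysinv` tree, and this same change adds `.fixtures.yml` and a `Gemfile` under that directory, so test-only metadata that points at remote git repositories is installed into `/usr/share/puppet/modules/sysinv` on every target; remove them after the copy with `rm -f %{buildroot}%{_datadir}/puppet/modules/%{module_dir}/{.fixtures.yml,Gemfile}` or list them under `%exclude` in `%files`. As in the sshd spec, `BuildRequires: python2-devel` is unused by the `%prep`/`%install` steps shown and should go. `License: Apache` should be the SPDX identifier `Apache-2.0`, matching the sshd spec in this change.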
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/modules/puppet-sysinv/src/sysinv/.fixtures.yml b/modules/puppet-sysinv/src/sysinv/.fixtures.yml
new file mode 100644
index 000000000..853f8f486
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/.fixtures.yml
@@ -0,0 +1,19 @@
+fixtures:
+ repositories:
+ "apt": "git://github.com/puppetlabs/puppetlabs-apt.git"
+ "keystone": "git://github.com/stackforge/puppet-keystone.git"
+ "mysql":
+ repo: "git://github.com/puppetlabs/puppetlabs-mysql.git"
+ ref: 'origin/0.x'
+ "stdlib": "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+ "sysctl": "git://github.com/duritong/puppet-sysctl.git"
+ "rabbitmq":
+ repo: "git://github.com/puppetlabs/puppetlabs-rabbitmq"
+ ref: 'origin/2.x'
+ "inifile": "git://github.com/puppetlabs/puppetlabs-inifile"
+ "qpid": "git://github.com/dprince/puppet-qpid.git"
+ 'postgresql':
+ repo: "git://github.com/puppetlabs/puppet-postgresql.git"
+ ref: 'origin/4.1.x'
+ symlinks:
+ "sysinv": "#{source_dir}"
diff --git a/modules/puppet-sysinv/src/sysinv/Gemfile b/modules/puppet-sysinv/src/sysinv/Gemfile
new file mode 100644
index 000000000..89f2e1b25
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/Gemfile
@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+group :development, :test do
+ gem 'puppetlabs_spec_helper', :require => false
+ gem 'puppet-lint', '~> 0.3.2'
+end
+
+if puppetversion = ENV['PUPPET_GEM_VERSION']
+ gem 'puppet', puppetversion, :require => false
+else
+ gem 'puppet', :require => false
+end
+
+# vim:ft=ruby
diff --git a/modules/puppet-sysinv/src/sysinv/LICENSE b/modules/puppet-sysinv/src/sysinv/LICENSE
new file mode 100644
index 000000000..8d968b6cb
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/LICENSE
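Review bot: Every fixture repository is fetched over `git://`, which is unauthenticated and unencrypted, and the `apt`, `keystone`, `stdlib`, `sysctl`, `inifile` and `qpid` entries carry no `ref`, so a spec run pulls whatever the remote's default branch head is at that moment and cannot be reproduced or attested; switch each URL to `https://` and pin every entry to a tag or commit, e.g. `"stdlib": { repo: "https://github.com/puppetlabs/puppetlabs-stdlib.git", ref: "<tag-or-sha>" }`. The `mysql`, `rabbitmq` and `postgresql` entries do pin, but to moving branches (`origin/0.x`, `origin/2.x`, `origin/4.1.x`), which gives the same problem more slowly. The `stackforge/puppet-keystone` path refers to a GitHub organization that, as far as I know, has since been retired; verify the URL still resolves before depending on it.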
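Review bot: `gem 'puppet', :require => false` on the `else` branch carries no version constraint, so unless `PUPPET_GEM_VERSION` is exported a fresh `bundle install` resolves to the newest Puppet on rubygems, while `puppet-lint` two lines earlier is pinned to `~> 0.3.2`; the mismatch makes the spec run non-reproducible and is the kind of drift that breaks lint silently. Either give the fallback a range, `gem 'puppet', '~> X.Y', :require => false` with the major version these modules are written against in place of `X.Y`, or add a comment stating that CI is expected to set the variable.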
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-sysinv/src/sysinv/Modulefile b/modules/puppet-sysinv/src/sysinv/Modulefile new file mode 100644 index 000000000..64d85b4c6 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/Modulefile @@ -0,0 +1,14 @@ +name 'puppetlabs-sysinv' +version '2.1.0' +source 'https://github.com/stackforge/puppet-sysinv' +author 'Puppet Labs' +license 'Apache License 2.0' +summary 'Puppet Labs Sysinv Module' +description 'Puppet module to install and configure the Sysinv platform service' +project_page 'https://launchpad.net/puppet-openstack' + +dependency 'puppetlabs/inifile', '>=1.0.0 <2.0.0' +dependency 'puppetlabs/mysql', '>=0.6.1 <1.0.0' +dependency 'puppetlabs/stdlib', '>=2.5.0' +dependency 'puppetlabs/rabbitmq', '>=2.0.2 <3.0.0' +dependency 'dprince/qpid', '>=1.0.0 <2.0.0' 
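Review bot: `dependency 'puppetlabs/stdlib', '>=2.5.0'` has no upper bound, unlike the other four dependencies, so a future major stdlib release can be resolved into this module without any signal from the module tooling; `sysinv::api` relies on stdlib's `validate_re`, which newer stdlib lines have deprecated, so an unbounded range is a real breakage risk. Bound it to the series this module is tested with, e.g. `dependency 'puppetlabs/stdlib', '>=2.5.0 <5.0.0'`, and confirm the `puppetlabs/inifile` range covers the `ini_setting` provider API the `lib/puppet/provider` files in this series assume. Separately, `name 'puppetlabs-sysinv'`, `author 'Puppet Labs'` and the `stackforge` source/project URLs look carried over from another module and contradict the Wind River copyright headers elsewhere in this change; the README's `puppet module install puppetlabs/sysinv` would install nothing by that name (I cannot verify the Forge from here).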
diff --git a/modules/puppet-sysinv/src/sysinv/README.md b/modules/puppet-sysinv/src/sysinv/README.md new file mode 100644 index 000000000..47aeb960a --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/README.md 
@@ -0,0 +1,130 @@ +sysinv +======= + +#### Table of Contents + +1. [Overview - What is the sysinv module?](#overview) +2. [Module Description - What does the module do?](#module-description) +3. [Setup - The basics of getting started with sysinv](#setup) +4. [Implementation - An under-the-hood peek at what the module is doing](#implementation) +5. [Limitations - OS compatibility, etc.](#limitations) +6. [Development - Guide for contributing to the module](#development) +7. [Contributors - Those with commits](#contributors) +8. [Release Notes - Notes on the most recent updates to the module](#release-notes) + +Overview +-------- + +The sysinv module is a part of [Stackforge](https://github.com/stackfoge), an effort by the Openstack infrastructure team to provide continuous integration testing and code review for Openstack and Openstack community projects not part of the core software. The module its self is used to flexibly configure and manage the block storage service for Openstack. + +Module Description +------------------ + +The sysinv module is a thorough attempt to make Puppet capable of managing the entirety of sysinv. This includes manifests to provision such things as keystone endpoints, RPC configurations specific to sysinv, and database connections. Types are shipped as part of the sysinv module to assist in manipulation of configuration files. + +This module is tested in combination with other modules needed to build and leverage an entire Openstack software stack. These modules can be found, all pulled together in the [openstack module](https://github.com/stackfoge/puppet-openstack). + +Setup +----- + +**What the sysinv module affects** + +* sysinv, the block storage service for Openstack. + +### Installing sysinv + + example% puppet module install puppetlabs/sysinv + +### Beginning with sysinv + +To utilize the sysinv module's functionality you will need to declare multiple resources. 
The following is a modified excerpt from the [openstack module](https://github.com/stackfoge/puppet-openstack). This is not an exhaustive list of all the components needed, we recommend you consult and understand the [openstack module](https://github.com/stackforge/puppet-openstack) and the [core openstack](http://docs.openstack.org) documentation. + +**Define a sysinv control node** + +```puppet +class { '::sysinv': + sql_connection => 'mysql://sysinv:secret_block_password@openstack-controller.example.com/sysinv', + rabbit_password => 'secret_rpc_password_for_blocks',, + rabbit_host => 'openstack-controller.example.com', + verbose => true, +} + +class { '::sysinv::api': + keystone_password => $keystone_password, + keystone_enabled => $keystone_enabled, + keystone_user => $keystone_user, + keystone_auth_host => $keystone_auth_host, + keystone_auth_port => $keystone_auth_port, + keystone_auth_protocol => $keystone_auth_protocol, + service_port => $keystone_service_port, + package_ensure => $sysinv_api_package_ensure, + bind_host => $sysinv_bind_host, + enabled => $sysinv_api_enabled, +} + +class { '::sysinv::scheduler': scheduler_driver => 'sysinv.scheduler.simple.SimpleScheduler', } +``` + +**Define a sysinv storage node** + +```puppet +class { '::sysinv': + sql_connection => 'mysql://sysinv:secret_block_password@openstack-controller.example.com/sysinv', + rabbit_password => 'secret_rpc_password_for_blocks',, + rabbit_host => 'openstack-controller.example.com', + verbose => true, +} + +class { '::sysinv::volume': } + +class { '::sysinv::volume::iscsi': iscsi_ip_address => '10.0.0.2', } +``` + +Implementation +-------------- + +### sysinv + +sysinv is a combination of Puppet manifest and ruby code to delivery configuration and extra functionality through types and providers. + +Limitations +------------ + +* Setup of storage nodes is limited to Linux and LVM, i.e. 
Puppet won't configure a Nexenta appliacne but nova can be configured to use the Nexenta driver with Class['sysinv::volume::nexenta']. + +Development +----------- + +Developer documentation for the entire puppet-openstack project. + +* https://wiki.openstack.org/wiki/Puppet-openstack#Developer_documentation + +Contributors +------------ + +* https://github.com/stackforge/puppet-sysinv/graphs/contributors + +Release Notes +------------- + +**2.1.0** + +* Added configuration of Sysinv quotas. +* Added support for NetApp direct driver backend. +* Added support for ceph backend. +* Added support for SQL idle timeout. +* Added support for RabbitMQ clustering with single IP. +* Fixed allowed_hosts/database connection bug. +* Fixed lvm2 setup failure for Ubuntu. +* Removed unnecessary mysql::server dependency. +* Pinned RabbitMQ and database module versions. +* Various lint and bug fixes. + +**2.0.0** + +* Upstream is now part of stackfoge. +* Nexenta, NFS, and SAN support added as sysinv volume drivers. +* Postgres support added. +* The Apache Qpid and the RabbitMQ message brokers available as RPC backends. +* Configurability of scheduler_driver. +* Various cleanups and bug fixes. diff --git a/modules/puppet-sysinv/src/sysinv/Rakefile b/modules/puppet-sysinv/src/sysinv/Rakefile new file mode 100644 index 000000000..4c2b2ed07 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/Rakefile @@ -0,0 +1,6 @@ +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' + +PuppetLint.configuration.fail_on_warnings = true +PuppetLint.configuration.send('disable_80chars') +PuppetLint.configuration.send('disable_class_parameter_defaults') diff --git a/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/sysinv_api_paste_ini/ini_setting.rb b/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/sysinv_api_paste_ini/ini_setting.rb new file mode 100644 index 000000000..6f9d46b09 --- /dev/null 
+++ b/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/sysinv_api_paste_ini/ini_setting.rb
@@ -0,0 +1,43 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+Puppet::Type.type(:sysinv_api_paste_ini).provide(
+ :ini_setting,
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ def self.file_path
+ '/etc/sysinv/api-paste.ini'
+ end
+
+ # added for backwards compatibility with older versions of inifile
+ def file_path
+ self.class.file_path
+ end
+
+end
diff --git a/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/sysinv_config/ini_setting.rb b/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/sysinv_config/ini_setting.rb
new file mode 100644
index 000000000..1cd5765d6
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/sysinv_config/ini_setting.rb
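Review bot: `self.file_path` hard-codes `/etc/sysinv/api-paste.ini`, and nothing in this change manages the owner or mode of that file; the inherited inifile `ruby` provider creates the target when it is absent, so on a first run the values `sysinv::api` writes here — including `filter:authtoken/password` — can end up in a file created under the agent's umask and readable by every local user (this is inferred from the parent provider; confirm against the inifile version shipped). Pair the type with a `file { '/etc/sysinv/api-paste.ini': owner => 'sysinv', group => 'sysinv', mode => '0640' }` ordered before `Sysinv_api_paste_ini<||>`, or verify the package ships the file with restrictive permissions and say so in a comment on `self.file_path`. Minor: `section` and `setting` each re-split `resource[:name]`; one `section, setting = resource[:name].split('/', 2)` helper keeps the two from ever diverging.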
@@ -0,0 +1,43 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+Puppet::Type.type(:sysinv_config).provide(
+ :ini_setting,
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ def self.file_path
+ '/etc/sysinv/sysinv.conf'
+ end
+
+ # added for backwards compatibility with older versions of inifile
+ def file_path
+ self.class.file_path
+ end
+
+end
diff --git a/modules/puppet-sysinv/src/sysinv/lib/puppet/type/sysinv_api_paste_ini.rb b/modules/puppet-sysinv/src/sysinv/lib/puppet/type/sysinv_api_paste_ini.rb
new file mode 100644
index 000000000..ee9b2a0e7
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/lib/puppet/type/sysinv_api_paste_ini.rb
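Review bot: `/etc/sysinv/sysinv.conf` is the file `sysinv::api` writes `keystone_authtoken/password` into and where `sysinv::base` forwards `sql_connection` (a URL that carries the database credentials), yet this provider only fixes the path; the parent inifile provider creates a missing file without managing its mode, so credential exposure on first run depends entirely on the package having pre-created the file with safe permissions (inferred from the parent provider — confirm). Add a `file` resource for the path ordered before `Sysinv_config<||>`, or at least a comment on `self.file_path` such as `# Holds service and DB credentials; mode must be enforced by the package or a file resource`. This provider is otherwise byte-for-byte the `sysinv_api_paste_ini` one; a shared base provider that takes the path would keep future fixes (for example the `separator` handling) from being applied to only one of them.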
@@ -0,0 +1,58 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+Puppet::Type.newtype(:sysinv_api_paste_ini) do
+
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/sysinv/api-paste.ini'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-sysinv/src/sysinv/lib/puppet/type/sysinv_config.rb b/modules/puppet-sysinv/src/sysinv/lib/puppet/type/sysinv_config.rb
new file mode 100644
index 000000000..c9aad2d24
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/lib/puppet/type/sysinv_config.rb
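Review bot: `newvalues(/\S+\/\S+/)` on `:name` is unanchored, so a title such as `'filter:authtoken/password extra'` or `' x/y'` is accepted and the provider's `split('/', 2)` then produces a section or key carrying whitespace that is written into the ini file as-is; anchor it, `newvalues(/\A\S+\/\S+\z/)`. The `secret` parameter defaults to `false`, so every value not explicitly flagged is printed in full in agent logs and reports, and the redaction in `is_to_s`/`should_to_s` only covers the change message, not `--debug` output or report `should` fields (hedged — depends on the Puppet version in use); the `desc` on `:value` should state this, e.g. `'Logged in clear text unless secret => true is set on the resource.'`. The `munge` block also silently rewrites any case of `true`/`false` to `True`/`False`; that is presumably deliberate for the ini consumer, but it belongs in the `desc` as well.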
@@ -0,0 +1,58 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+Puppet::Type.newtype(:sysinv_config) do
+
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/sysinv/sysinv.conf'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/agent.pp b/modules/puppet-sysinv/src/sysinv/manifests/agent.pp
new file mode 100644
index 000000000..741e44e59
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/manifests/agent.pp
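Review bot: This type duplicates `sysinv_api_paste_ini` line for line apart from the `desc` path, and the part that matters for security — the `secret?`-gated redaction in `is_to_s`/`should_to_s` and the unanchored `newvalues(/\S+\/\S+/)` on `:name` — now exists in two copies that can drift; a fix applied to one (e.g. anchoring the name regex as `/\A\S+\/\S+\z/`) will be missed in the other. Pull the shared `:value` property and `:secret` parameter into a helper (conventionally under `lib/puppet_x/sysinv/`) that each `newtype` block calls, leaving only the path-specific `desc` here. Since `sysinv::api` stores `keystone_authtoken/password` through this type, a `desc` line on `:value` such as `'Values are logged in clear text unless secret => true.'` would also make the default behaviour explicit to manifest authors.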
@@ -0,0 +1,58 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+class sysinv::agent (
+ $agent_driver = false,
+ $package_ensure = 'latest',
+ $enabled = true
+) {
+
+ include sysinv::params
+
+ # Pacemaker should be starting up agent
+ Sysinv_config<||> ~> Service['sysinv-agent']
+ Sysinv_api_paste_ini<||> ~> Service['sysinv-agent']
+
+ if $agent_driver {
+ sysinv_config {
+ 'DEFAULT/agent_driver': value => $agent_driver;
+ }
+ }
+
+ if $::sysinv::params::agent_package {
+ Package['sysinv-agent'] -> Sysinv_config<||>
+ Package['sysinv-agent'] -> Sysinv_api_paste_ini<||>
+ Package['sysinv-agent'] -> Service['sysinv-agent']
+ package { 'sysinv-agent':
+ ensure => $package_ensure,
+ name => $::sysinv::params::agent_package,
+ }
+ }
+
+ if $enabled {
+ $ensure = 'running'
+ } else {
+ $ensure = 'stopped'
+ }
+
+ service { 'sysinv-agent':
+ ensure => $ensure,
+ name => $::sysinv::params::agent_service,
+ enable => $enabled,
+ hasstatus => false,
+ require => Package['sysinv'],
+ }
+}
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/api.pp b/modules/puppet-sysinv/src/sysinv/manifests/api.pp
new file mode 100644
index 000000000..3444a8d98
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/manifests/api.pp
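Review bot: `require => Package['sysinv']` on `service { 'sysinv-agent' }` references a resource this class never declares (it declares `Package['sysinv-agent']`, and only when `agent_package` is set), so the class compiles only when `sysinv`/`sysinv::api` is in the same catalog — presumably intended, but nothing documents it, and the class has no doc header at all unlike `sysinv::api`. The `$package_ensure = 'latest'` default turns every Puppet run into an unattended upgrade from whatever repository is enabled on the controller, which is an unreviewed supply-chain path in production; `sysinv::base` and `sysinv::client` default to `'present'`, and this class should match, with `latest` opt-in. `hasstatus => false` also makes Puppet fall back to scanning the process table for a process matching the service title, which can misreport a stopped or foreign process; if the init script has a working `status`, drop it, and if Pacemaker owns the service as the comment `# Pacemaker should be starting up agent` suggests, say in the header how `enable`/`ensure` are expected to interact with it.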
@@ -0,0 +1,240 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2018 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# +# Nov 2017: rebase pike +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +# == Class: sysinv::api +# +# Setup and configure the sysinv API endpoint +# +# === Parameters +# +# [*keystone_password*] +# The password to use for authentication (keystone) +# +# [*keystone_enabled*] +# (optional) Use keystone for authentification +# Defaults to true +# +# [*keystone_tenant*] +# (optional) The tenant of the auth user +# Defaults to services +# +# [*keystone_user*] +# (optional) The name of the auth user +# Defaults to sysinv +# +# [*keystone_auth_host*] +# (optional) The keystone host +# Defaults to localhost +# +# [*keystone_auth_port*] +# (optional) The keystone auth port +# Defaults to 5000 +# +# [*keystone_auth_protocol*] +# (optional) The protocol used to access the auth host +# Defaults to http. +# +# [*keystone_auth_admin_prefix*] +# (optional) The admin_prefix used to admin endpoint of the auth host +# This allow admin auth URIs like http://auth_host:5000/keystone. +# (where '/keystone' is the admin prefix) +# Defaults to false for empty. If defined, should be a string with a +# leading '/' and no trailing '/'. +# +# [*keystone_user_domain*] +# (Optional) domain name for auth user. +# Defaults to 'Default'. +# +# [*keystone_project_domain*] +# (Optional) domain name for auth project. +# Defaults to 'Default'. +# +# [*auth_type*] +# (Optional) Authentication type to load. +# Defaults to 'password'. 
+# +# [*service_port*] +# (optional) The sysinv api port +# Defaults to 5000 +# +# [*package_ensure*] +# (optional) The state of the package +# Defaults to present +# +# [*bind_host*] +# (optional) The sysinv api bind address +# Defaults to 0.0.0.0 +# +# [*pxeboot_host*] +# (optional) The sysinv api pxeboot address +# Defaults to undef +# +# [*enabled*] +# (optional) The state of the service +# Defaults to true +# +class sysinv::api ( + $keystone_password, + $keystone_enabled = true, + $keystone_tenant = 'services', + $keystone_user = 'sysinv', + $keystone_auth_host = 'localhost', + $keystone_auth_port = '5000', + $keystone_auth_protocol = 'http', + $keystone_auth_admin_prefix = false, + $keystone_auth_uri = false, + $keystone_auth_version = false, + $keystone_identity_uri = false, + $keystone_user_domain = 'Default', + $keystone_project_domain = 'Default', + $auth_type = 'password', + $service_port = '5000', + $package_ensure = 'latest', + $bind_host = '0.0.0.0', + $pxeboot_host = undef, + $enabled = true +) { + + include sysinv::params + + Sysinv_config<||> ~> Service['sysinv-api'] + Sysinv_config<||> ~> Exec['sysinv-dbsync'] + Sysinv_api_paste_ini<||> ~> Service['sysinv-api'] + + if $::sysinv::params::api_package { + Package['sysinv'] -> Sysinv_config<||> + Package['sysinv'] -> Sysinv_api_paste_ini<||> + Package['sysinv'] -> Service['sysinv-api'] + package { 'sysinv': + ensure => $package_ensure, + name => $::sysinv::params::api_package, + } + } + + sysinv_config { + "DEFAULT/sysinv_api_bind_ip": value => $bind_host; + } + + if $pxeboot_host { + sysinv_config { + "DEFAULT/sysinv_api_pxeboot_ip": value => $pxeboot_host; + } + } + + if $keystone_identity_uri { + sysinv_config { 'keystone_authtoken/auth_url': value => $keystone_identity_uri; } + sysinv_api_paste_ini { 'filter:authtoken/auth_url': value => $keystone_identity_uri; } + } else { + sysinv_config { 'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; } + 
sysinv_api_paste_ini { 'filter:authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; } + } + + if $keystone_auth_uri { + sysinv_config { 'keystone_authtoken/auth_uri': value => $keystone_auth_uri; } + sysinv_api_paste_ini { 'filter:authtoken/auth_uri': value => $keystone_auth_uri; } + } else { + sysinv_config { + 'keystone_authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; + } + sysinv_api_paste_ini { + 'filter:authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; + } + } + + if $keystone_auth_version { + sysinv_config { 'keystone_authtoken/auth_version': value => $keystone_auth_version; } + sysinv_api_paste_ini { 'filter:authtoken/auth_version': value => $keystone_auth_version; } + } else { + sysinv_config { 'keystone_authtoken/auth_version': ensure => absent; } + sysinv_api_paste_ini { 'filter:authtoken/auth_version': ensure => absent; } + } + + if $keystone_enabled { + sysinv_config { + 'DEFAULT/auth_strategy': value => 'keystone' ; + } + sysinv_config { + 'keystone_authtoken/auth_type': value => $auth_type; + 'keystone_authtoken/project_name': value => $keystone_tenant; + 'keystone_authtoken/username': value => $keystone_user; + 'keystone_authtoken/password': value => $keystone_password, secret=> true; + 'keystone_authtoken/user_domain_name': value => $keystone_user_domain; + 'keystone_authtoken/project_domain_name': value => $keystone_project_domain; + } + + sysinv_api_paste_ini { + 'filter:authtoken/project_name': value => $keystone_tenant; + 'filter:authtoken/username': value => $keystone_user; + 'filter:authtoken/password': value => $keystone_password, secret => true; + 'filter:authtoken/user_domain_name': value => $keystone_user_domain; + 'filter:authtoken/project_domain_name': value => $keystone_project_domain; + } + + if $keystone_auth_admin_prefix { + validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$') + sysinv_config { + 
'keystone_authtoken/auth_admin_prefix': value => $keystone_auth_admin_prefix; + } + sysinv_api_paste_ini { + 'filter:authtoken/auth_admin_prefix': value => $keystone_auth_admin_prefix; + } + } else { + sysinv_config { + 'keystone_authtoken/auth_admin_prefix': ensure => absent; + } + sysinv_api_paste_ini { + 'filter:authtoken/auth_admin_prefix': ensure => absent; + } + } + } + else + { + sysinv_config { + 'DEFAULT/auth_strategy': value => 'noauth' ; + } + } + + if $enabled { + $ensure = 'running' + } else { + $ensure = 'stopped' + } + + service { 'sysinv-api': + ensure => $ensure, + name => $::sysinv::params::api_service, + enable => $enabled, + hasstatus => true, + hasrestart => true, + tag => 'sysinv-service', + } + Keystone_endpoint<||> -> Service['sysinv-api'] + + exec { 'sysinv-dbsync': + command => $::sysinv::params::db_sync_command, + path => '/usr/bin', + user => 'sysinv', + refreshonly => true, + logoutput => 'on_failure', + require => Package['sysinv'], + # Only do the db sync if both controllers are running the same software + # version. Avoids impacting mate controller during an upgrade. + onlyif => "test $::controller_sw_versions_match = true", + } + +} diff --git a/modules/puppet-sysinv/src/sysinv/manifests/base.pp b/modules/puppet-sysinv/src/sysinv/manifests/base.pp new file mode 100644 index 000000000..c5fdf1beb --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/manifests/base.pp 
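Review bot: `$keystone_auth_port` is accepted and documented ("Defaults to 5000") but never used — all four fallback `auth_url`/`auth_uri` values hard-code `:5000/`, so a caller who changes the port silently keeps talking to 5000; compute it once, `$default_auth = "${keystone_auth_protocol}://${keystone_auth_host}:${keystone_auth_port}/"`, and use it in the four `else` branches. The defaults also combine into an insecure out-of-the-box posture: `bind_host = '0.0.0.0'`, `keystone_auth_protocol = 'http'` (so the `keystone_authtoken/password` written here would be presented to Keystone over plain HTTP) and the `noauth` branch taken when `$keystone_enabled` is false, which leaves an unauthenticated API on every interface; the `else` branch should at least emit `warning('sysinv::api: auth_strategy is noauth, the API accepts unauthenticated requests')` and the `[*keystone_enabled*]` doc should say so. In `exec { 'sysinv-dbsync' }` the fact is interpolated unquoted, so an unset `$::controller_sw_versions_match` appears to produce `test  = true`, which fails with a shell usage error rather than a clean false; quote it, `onlyif => "test \"${::controller_sw_versions_match}\" = true"`. Lastly, `validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$')` uses line anchors, so a multi-line value passes; `'\A(/.+[^/])?\z'` is the full-string form.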
@@ -0,0 +1,45 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+class sysinv::base (
+ $rabbit_password,
+ $sql_connection,
+ $rabbit_host = '127.0.0.1',
+ $rabbit_port = 5672,
+ $rabbit_hosts = undef,
+ $rabbit_virtual_host = '/',
+ $rabbit_userid = 'nova',
+ $package_ensure = 'present',
+ $api_paste_config = '/etc/sysinv/api-paste.ini',
+ $verbose = false
+) {
+
+ warning('The sysinv::base class is deprecated. Use sysinv instead.')
+
+ class { '::sysinv':
+ rabbit_password => $rabbit_password,
+ sql_connection => $sql_connection,
+ rabbit_host => $rabbit_host,
+ rabbit_port => $rabbit_port,
+ rabbit_hosts => $rabbit_hosts,
+ rabbit_virtual_host => $rabbit_virtual_host,
+ rabbit_userid => $rabbit_userid,
+ package_ensure => $package_ensure,
+ api_paste_config => $api_paste_config,
+ verbose => $verbose,
+ }
+
+}
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/client.pp b/modules/puppet-sysinv/src/sysinv/manifests/client.pp
new file mode 100644
index 000000000..48a0441ff
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/manifests/client.pp
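Review bot: `$rabbit_userid = 'nova'` looks carried over from the upstream nova/cinder module; for a sysinv-specific broker account it silently authenticates as the wrong principal unless every caller overrides it, and sharing the `nova` credential widens what a compromised RPC user can reach, so the default should be the sysinv account (or left `undef` so the main class decides). `$rabbit_password` and `$sql_connection` (a URL that embeds the database password) are forwarded as ordinary strings with no hint to callers that they are secrets; a doc header — this class has none — should state that, e.g. `# [*sql_connection*] Database URL; contains the DB password, treat as sensitive.` along with a `# @deprecated Use sysinv instead.` line matching the `warning()` call.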
@@ -0,0 +1,36 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+# == Class: sysinv::client
+#
+# Installs Sysinv python client.
+#
+# === Parameters
+#
+# [*ensure*]
+# Ensure state for package. Defaults to 'present'.
+#
+class sysinv::client(
+ $package_ensure = 'present'
+) {
+
+ include sysinv::params
+
+ package { 'cgtsclient':
+ ensure => $package_ensure,
+ name => $::sysinv::params::client_package,
+ }
+}
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/conductor.pp b/modules/puppet-sysinv/src/sysinv/manifests/conductor.pp
new file mode 100644
index 000000000..da407b912
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/manifests/conductor.pp
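Review bot: The header documents the parameter as `[*ensure*]`, but the class declares `$package_ensure`, so the entry should read `[*package_ensure*]`. The package resource is titled `cgtsclient` with its name taken from `$::sysinv::params::client_package` (`cgtsclient` on Debian, `cgtscli` on RedHat/WRLinux per params.pp in this diff), while sysinv_client_spec.rb expects `contain_package('python-cgtsclient')`; one side has to change or the spec fails as committed.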
@@ -0,0 +1,58 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +class sysinv::conductor ( + $conductor_driver = false, + $package_ensure = 'latest', + $enabled = true +) { + + include sysinv::params + + Sysinv_config<||> ~> Service['sysinv-conductor'] + + if $conductor_driver { + sysinv_config { + 'DEFAULT/conductor_driver': value => $conductor_driver; + } + } + + if $::sysinv::params::conductor_package { + Package['sysinv-conductor'] -> Sysinv_config<||> + Package['sysinv-conductor'] -> Sysinv_api_paste_ini<||> + Package['sysinv-conductor'] -> Service['sysinv-conductor'] + package { 'sysinv-conductor': + ensure => $package_ensure, + name => $::sysinv::params::conductor_package, + } + } + + if $enabled { + $ensure = 'running' + } else { + $ensure = 'stopped' + } + + service { 'sysinv-conductor': + ensure => $ensure, + name => $::sysinv::params::conductor_service, + enable => $enabled, + hasstatus => false, + require => Package['sysinv'], + } + + Exec<| title == 'sysinv-dbsync' |> -> Service['sysinv-conductor'] +} diff --git a/modules/puppet-sysinv/src/sysinv/manifests/db/mysql.pp b/modules/puppet-sysinv/src/sysinv/manifests/db/mysql.pp new file mode 100644 index 000000000..dd895befc --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/manifests/db/mysql.pp 
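Review bot: `$package_ensure = 'latest'` turns every agent run into an unattended upgrade of the conductor package, unlike the `'present'` default used by `sysinv` in init.pp and by `sysinv::client`; for a package that carries DB migrations this should default to `'present'` so upgrades happen deliberately. On Debian params.pp sets `$conductor_package = 'sysinv'`, the same package name as `Package['sysinv']` from init.pp, so the guarded `package { 'sysinv-conductor': }` would most likely be rejected as a duplicate declaration of one package. `hasstatus => false` on the service also contradicts the `:hasstatus => true` expectation in sysinv_conductor_spec.rb later in this diff.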
@@ -0,0 +1,54 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +class sysinv::db::mysql ( + $password, + $dbname = 'sysinv', + $user = 'sysinv', + $host = '127.0.0.1', + $allowed_hosts = undef, + $charset = 'latin1', + $cluster_id = 'localzone' +) { + + Class['sysinv::db::mysql'] -> Exec<| title == 'sysinv-dbsync' |> + Database[$dbname] ~> Exec<| title == 'sysinv-dbsync' |> + + mysql::db { $dbname: + user => $user, + password => $password, + host => $host, + charset => $charset, + require => Class['mysql::config'], + } + + # Check allowed_hosts to avoid duplicate resource declarations + if is_array($allowed_hosts) and delete($allowed_hosts,$host) != [] { + $real_allowed_hosts = delete($allowed_hosts,$host) + } elsif is_string($allowed_hosts) and ($allowed_hosts != $host) { + $real_allowed_hosts = $allowed_hosts + } + + if $real_allowed_hosts { + # TODO this class should be in the mysql namespace + sysinv::db::mysql::host_access { $real_allowed_hosts: + user => $user, + password => $password, + database => $dbname, + } + } + +} diff --git a/modules/puppet-sysinv/src/sysinv/manifests/db/mysql/host_access.pp b/modules/puppet-sysinv/src/sysinv/manifests/db/mysql/host_access.pp new file mode 100644 index 000000000..7fd08ce7e --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/manifests/db/mysql/host_access.pp 
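Review bot: `$real_allowed_hosts` is only assigned inside the `if`/`elsif` branches; when `$allowed_hosts` is undef or equals `$host`, the following `if $real_allowed_hosts` reads a variable that was never set, which is an error under `strict_variables`. Close the chain with `} else { $real_allowed_hosts = undef }`. The `mysql::db` resource requires `Class['mysql::config']` while sysinv_db_mysql_spec.rb's `pre_condition` only includes `mysql::server`, so that dependency name should be checked against the mysql module actually in use.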
@@ -0,0 +1,32 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+#
+# Used to grant access to the sysinv mysql DB
+#
+define sysinv::db::mysql::host_access ($user, $password, $database) {
+ database_user { "${user}@${name}":
+ password_hash => mysql_password($password),
+ provider => 'mysql',
+ require => Database[$database],
+ }
+ database_grant { "${user}@${name}/${database}":
+ # TODO figure out which privileges to grant.
+ privileges => 'all',
+ provider => 'mysql',
+ require => Postgresql::Database_user["${user}@${name}"]
+ }
+}
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/db/postgresql.pp b/modules/puppet-sysinv/src/sysinv/manifests/db/postgresql.pp
new file mode 100644
index 000000000..8b6685907
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/manifests/db/postgresql.pp
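Review bot: `require => Postgresql::Database_user["${user}@${name}"]` points at a resource this define never declares — the user is created by the `database_user` resource just above it, so the grant should depend on `Database_user["${user}@${name}"]`; as written the catalog fails on a missing dependency. `privileges => 'all'` under the open TODO gives every allowed host full rights on the sysinv database, so a compromised remote host would hold the whole schema; record the minimal privilege set the service needs once it is known and narrow the grant to it.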
@@ -0,0 +1,60 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +# Class that configures postgresql for sysinv +# +# Requires the Puppetlabs postgresql module. +# === Parameters +# +# [*password*] +# (Required) Password to connect to the database. +# +# [*dbname*] +# (Optional) Name of the database. +# Defaults to 'sysinv'. +# +# [*user*] +# (Optional) User to connect to the database. +# Defaults to 'sysinv'. +# +# [*encoding*] +# (Optional) The charset to use for the database. +# Default to undef. +# +# [*privileges*] +# (Optional) Privileges given to the database user. +# Default to 'ALL' +# +class sysinv::db::postgresql( + $password, + $dbname = 'sysinv', + $user = 'sysinv', + $encoding = undef, + $privileges = 'ALL', +) { + + ::openstacklib::db::postgresql { 'sysinv': + password_hash => postgresql_password($user, $password), + dbname => $dbname, + user => $user, + encoding => $encoding, + privileges => $privileges, + } + + ::Openstacklib::Db::Postgresql['sysinv'] ~> Service <| title == 'sysinv-api' |> + ::Openstacklib::Db::Postgresql['sysinv'] ~> Service <| title == 'sysinv-conductor' |> + ::Openstacklib::Db::Postgresql['sysinv'] ~> Exec <| title == 'sysinv-dbsync' |> +} diff --git a/modules/puppet-sysinv/src/sysinv/manifests/db/sync.pp b/modules/puppet-sysinv/src/sysinv/manifests/db/sync.pp new file mode 100644 index 000000000..28288f623 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/manifests/db/sync.pp 
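Review bot: The header says "Requires the Puppetlabs postgresql module", but the class declares `::openstacklib::db::postgresql`, so the comment should name `openstacklib` as the dependency. sysinv_db_postgresql_spec.rb later in this diff expects `contain_postgresql__db('sysinv')` with `:password => 'pw'`, which this class never declares (it passes `password_hash => postgresql_password($user, $password)` instead), so either the spec or the header is out of date with the implementation.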
@@ -0,0 +1,29 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+class sysinv::db::sync {
+
+ include sysinv::params
+
+ exec { 'sysinv-dbsync':
+ command => $::sysinv::params::db_sync_command,
+ path => '/usr/bin',
+ user => 'sysinv',
+ refreshonly => true,
+ require => [File[$::sysinv::params::sysinv_conf], Class['sysinv']],
+ logoutput => 'on_failure',
+ }
+}
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/init.pp b/modules/puppet-sysinv/src/sysinv/manifests/init.pp
new file mode 100644
index 000000000..4efac5cb7
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/manifests/init.pp
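Review bot: `exec { 'sysinv-dbsync': }` is also declared by sysinv::api in the hunk above (the block ending with `onlyif => "test $::controller_sw_versions_match = true"`), so including both classes yields a duplicate declaration. This copy also lacks that `onlyif` software-version guard, so a migration could run against the mate controller during an upgrade if it is triggered through this path. Keep a single declaration, preferably here, carrying both the `require` on `File[$::sysinv::params::sysinv_conf]` and the version guard, and let sysinv::api collect it with `Exec<| title == 'sysinv-dbsync' |>` as sysinv::conductor already does.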
@@ -0,0 +1,206 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +# +# == Parameters +# +# [use_syslog] +# Use syslog for logging. +# (Optional) Defaults to false. +# +# [log_facility] +# Syslog facility to receive log lines. +# (Optional) Defaults to LOG_USER. + +class sysinv ( + $database_connection = '', + $database_idle_timeout = 3600, + $database_max_pool_size = 5, + $database_max_overflow = 10, + $journal_max_size = 51200, + $journal_min_size = 1024, + $journal_default_size = 1024, + $rpc_backend = 'sysinv.openstack.common.rpc.impl_kombu', + $control_exchange = 'openstack', + $rabbit_host = '127.0.0.1', + $rabbit_port = 5672, + $rabbit_hosts = false, + $rabbit_virtual_host = '/', + $rabbit_userid = 'guest', + $rabbit_password = false, + $qpid_hostname = 'localhost', + $qpid_port = '5672', + $qpid_username = 'guest', + $qpid_password = false, + $qpid_reconnect = true, + $qpid_reconnect_timeout = 0, + $qpid_reconnect_limit = 0, + $qpid_reconnect_interval_min = 0, + $qpid_reconnect_interval_max = 0, + $qpid_reconnect_interval = 0, + $qpid_heartbeat = 60, + $qpid_protocol = 'tcp', + $qpid_tcp_nodelay = true, + $package_ensure = 'present', + $api_paste_config = '/etc/sysinv/api-paste.ini', + $use_stderr = false, + $log_file = 'sysinv.log', + $log_dir = '/var/log/sysinv', + $use_syslog = false, + $log_facility = 'LOG_USER', + $verbose = false, + $debug = false, + $sysinv_api_port = 6385, + $sysinv_mtc_inv_label = '/v1/hosts/', + $region_name = 'RegionOne', + $neutron_region_name = 'RegionOne', + $cinder_region_name = 'RegionOne', + $nova_region_name = 'RegionOne', + $magnum_region_name = 
'RegionOne' +) { + + include sysinv::params + + Package['sysinv'] -> Sysinv_config<||> + Package['sysinv'] -> Sysinv_api_paste_ini<||> + + # this anchor is used to simplify the graph between sysinv components by + # allowing a resource to serve as a point where the configuration of sysinv begins + anchor { 'sysinv-start': } + + package { 'sysinv': + ensure => $package_ensure, + name => $::sysinv::params::package_name, + require => Anchor['sysinv-start'], + } + + file { $::sysinv::params::sysinv_conf: + ensure => present, + owner => 'sysinv', + group => 'sysinv', + mode => '0600', + require => Package['sysinv'], + } + + file { $::sysinv::params::sysinv_paste_api_ini: + ensure => present, + owner => 'sysinv', + group => 'sysinv', + mode => '0600', + require => Package['sysinv'], + } + + if $rpc_backend == 'sysinv.openstack.common.rpc.impl_kombu' { + + if ! $rabbit_password { + fail('Please specify a rabbit_password parameter.') + } + + sysinv_config { + 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true; + 'DEFAULT/rabbit_userid': value => $rabbit_userid; + 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host; + 'DEFAULT/control_exchange': value => $control_exchange; + } + + if $rabbit_hosts { + sysinv_config { 'DEFAULT/rabbit_hosts': value => join($rabbit_hosts, ',') } + sysinv_config { 'DEFAULT/rabbit_ha_queues': value => true } + } else { + sysinv_config { 'DEFAULT/rabbit_host': value => $rabbit_host } + sysinv_config { 'DEFAULT/rabbit_port': value => $rabbit_port } + sysinv_config { 'DEFAULT/rabbit_hosts': value => "${rabbit_host}:${rabbit_port}" } + sysinv_config { 'DEFAULT/rabbit_ha_queues': value => false } + } + } + + if $rpc_backend == 'sysinv.openstack.common.rpc.impl_qpid' { + + if ! 
$qpid_password { + fail('Please specify a qpid_password parameter.') + } + + sysinv_config { + 'DEFAULT/qpid_hostname': value => $qpid_hostname; + 'DEFAULT/qpid_port': value => $qpid_port; + 'DEFAULT/qpid_username': value => $qpid_username; + 'DEFAULT/qpid_password': value => $qpid_password, secret => true; + 'DEFAULT/qpid_reconnect': value => $qpid_reconnect; + 'DEFAULT/qpid_reconnect_timeout': value => $qpid_reconnect_timeout; + 'DEFAULT/qpid_reconnect_limit': value => $qpid_reconnect_limit; + 'DEFAULT/qpid_reconnect_interval_min': value => $qpid_reconnect_interval_min; + 'DEFAULT/qpid_reconnect_interval_max': value => $qpid_reconnect_interval_max; + 'DEFAULT/qpid_reconnect_interval': value => $qpid_reconnect_interval; + 'DEFAULT/qpid_heartbeat': value => $qpid_heartbeat; + 'DEFAULT/qpid_protocol': value => $qpid_protocol; + 'DEFAULT/qpid_tcp_nodelay': value => $qpid_tcp_nodelay; + } + } + + sysinv_config { + 'DEFAULT/verbose': value => $verbose; + 'DEFAULT/debug': value => $debug; + 'DEFAULT/api_paste_config': value => $api_paste_config; + 'DEFAULT/rpc_backend': value => $rpc_backend; + } + + # Automatically add psycopg2 driver to postgresql (only does this if it is missing) + $real_connection = regsubst($database_connection,'^postgresql:','postgresql+psycopg2:') + + sysinv_config { + 'database/connection': value => $real_connection, secret => true; + 'database/idle_timeout': value => $database_idle_timeout; + 'database/max_pool_size': value => $database_max_pool_size; + 'database/max_overflow': value => $database_max_overflow; + } + + sysinv_config { + 'journal/journal_max_size': value => $journal_max_size; + 'journal/journal_min_size': value => $journal_min_size; + 'journal/journal_default_size': value => $journal_default_size; + } + + if $use_syslog { + sysinv_config { + 'DEFAULT/use_syslog': value => true; + 'DEFAULT/syslog_log_facility': value => $log_facility; + } + } else { + sysinv_config { + 'DEFAULT/use_syslog': value => false; + 'DEFAULT/use_stderr': 
value => false; + 'DEFAULT/log_file' : value => $log_file; + 'DEFAULT/log_dir' : value => $log_dir; + } + } + + sysinv_config { + 'DEFAULT/sysinv_api_port': value => $sysinv_api_port; + 'DEFAULT/MTC_INV_LABEL': value => $sysinv_mtc_inv_label; + } + + sysinv_config { + 'keystone_authtoken/region_name': value => $region_name; + 'keystone_authtoken/neutron_region_name': value => $neutron_region_name; + 'keystone_authtoken/cinder_region_name': value => $cinder_region_name; + 'keystone_authtoken/nova_region_name': value => $nova_region_name; + 'keystone_authtoken/magnum_region_name': value => $magnum_region_name; + } + + sysinv_api_paste_ini { + 'filter:authtoken/region_name': value => $region_name; + } +} diff --git a/modules/puppet-sysinv/src/sysinv/manifests/keystone/auth.pp b/modules/puppet-sysinv/src/sysinv/manifests/keystone/auth.pp new file mode 100644 index 000000000..6fef34762 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/manifests/keystone/auth.pp 
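Review bot: `$use_stderr` is declared but never read — the non-syslog branch writes `'DEFAULT/use_stderr': value => false;` as a literal, so it should be `'DEFAULT/use_stderr': value => $use_stderr;`. The class header documents only `use_syslog` and `log_facility`; at minimum `rabbit_password` and `qpid_password` (required, the class calls `fail()` otherwise) and `database_connection` (rewritten from `postgresql:` to `postgresql+psycopg2:` and stored with `secret => true`) deserve entries. `$qpid_port = '5672'` is a string while `$rabbit_port = 5672` is an integer, which is worth aligning. The hunk spans several physical lines here; the class closes at the `}` before the keystone/auth.pp header.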
@@ -0,0 +1,57 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +# == Class: sysinv::keystone::auth +# +# Configures Sysinv user, service and endpoint in Keystone. +# +class sysinv::keystone::auth ( + $password, + $auth_name = 'sysinv', + $email = 'sysinv@localhost', + $tenant = 'services', + $region = 'RegionOne', + $service_description = 'SysInvService', + $service_name = undef, + $service_type = 'platform', + $configure_endpoint = true, + $configure_user = true, + $configure_user_role = true, + $public_url = 'http://127.0.0.1:6385/v1', + $admin_url = 'http://127.0.0.1:6385/v1', + $internal_url = 'http://127.0.0.1:6385/v1', +) { + + $real_service_name = pick($service_name, $auth_name) + + keystone::resource::service_identity { 'platform': + configure_user => $configure_user, + configure_user_role => $configure_user_role, + configure_endpoint => $configure_endpoint, + service_type => $service_type, + service_description => $service_description, + service_name => $real_service_name, + region => $region, + auth_name => $auth_name, + password => $password, + email => $email, + tenant => $tenant, + public_url => $public_url, + admin_url => $admin_url, + internal_url => $internal_url, + } + +} diff --git a/modules/puppet-sysinv/src/sysinv/manifests/params.pp b/modules/puppet-sysinv/src/sysinv/manifests/params.pp new file mode 100644 index 000000000..438aa3768 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/manifests/params.pp 
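Review bot: None of the parameters are documented, although the sibling classes in this diff carry `=== Parameters` blocks. Add entries at least for `password` (the credential of the `sysinv` service user created in Keystone) and for `public_url`/`admin_url`/`internal_url`, stating that their defaults are plain `http://127.0.0.1:6385/v1` and must be overridden with the externally reachable, preferably TLS-terminated, endpoint. The resource title `'platform'` stays fixed even when `$service_name` is supplied; a one-line comment would stop readers from assuming `$real_service_name` also drives the title.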
@@ -0,0 +1,61 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +class sysinv::params { + + $sysinv_dir = '/etc/sysinv' + $sysinv_conf = '/etc/sysinv/sysinv.conf' + $sysinv_paste_api_ini = '/etc/sysinv/api-paste.ini' + + if $::osfamily == 'Debian' { + $package_name = 'sysinv' + $client_package = 'cgtsclient' + $api_package = 'sysinv' + $api_service = 'sysinv-api' + $conductor_package = 'sysinv' + $conductor_service = 'sysinv-conductor' + $agent_package = 'sysinv' + $agent_service = 'sysinv-agent' + $db_sync_command = 'sysinv-dbsync' + + } elsif($::osfamily == 'RedHat') { + + $package_name = 'sysinv' + $client_package = 'cgtscli' + $api_package = false + $api_service = 'sysinv-api' + $conductor_package = false + $conductor_service = 'sysinv-conductor' + $agent_package = false + $agent_service = 'sysinv-agent' + $db_sync_command = 'sysinv-dbsync' + + } elsif($::osfamily == 'WRLinux') { + + $package_name = 'sysinv' + $client_package = 'cgtscli' + $api_package = false + $api_service = 'sysinv-api' + $conductor_package = false + $conductor_service = 'sysinv-conductor' + $agent_package = false + $agent_service = 'sysinv-agent' + $db_sync_command = 'sysinv-dbsync' + + } else { + fail("unsuported osfamily ${::osfamily}, currently WindRiver, Debian, Redhat are the only supported platforms") + } +} diff --git a/modules/puppet-sysinv/src/sysinv/manifests/qpid.pp b/modules/puppet-sysinv/src/sysinv/manifests/qpid.pp new file mode 100644 index 000000000..6bdbfcf99 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/manifests/qpid.pp 
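Review bot: The `fail()` message reads `unsuported osfamily ... currently WindRiver, Debian, Redhat`, while the branch actually tested is `$::osfamily == 'WRLinux'`; fix the typo and name the fact value that is accepted: `fail("unsupported osfamily ${::osfamily}, currently WRLinux, Debian, RedHat are the only supported platforms")`. `$client_package` is `cgtsclient` on Debian but `cgtscli` on the other two families, and sysinv_client_spec.rb expects `python-cgtsclient`; a comment stating which package name is real would save the next reader from guessing. The RedHat and WRLinux branches are identical and could be folded into one `elsif $::osfamily in ['RedHat', 'WRLinux']`.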
@@ -0,0 +1,51 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +# +# class for installing qpid server for sysinv +# +# +class sysinv::qpid( + $enabled = true, + $user='guest', + $password='guest', + $file='/var/lib/qpidd/qpidd.sasldb', + $realm='OPENSTACK' +) { + + # only configure sysinv after the queue is up + Class['qpid::server'] -> Package<| title == 'sysinv' |> + + if ($enabled) { + $service_ensure = 'running' + + qpid_user { $user: + password => $password, + file => $file, + realm => $realm, + provider => 'saslpasswd2', + require => Class['qpid::server'], + } + + } else { + $service_ensure = 'stopped' + } + + class { '::qpid::server': + service_ensure => $service_ensure + } + +} diff --git a/modules/puppet-sysinv/src/sysinv/manifests/rabbitmq.pp b/modules/puppet-sysinv/src/sysinv/manifests/rabbitmq.pp new file mode 100644 index 000000000..4b6fa0818 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/manifests/rabbitmq.pp 
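Review bot: `$password='guest'` together with `$user='guest'` writes a well-known credential into the SASL database whenever the caller does not override it, and unlike `sysinv` in init.pp (which does `fail('Please specify a rabbit_password parameter.')`) nothing here rejects it. Either drop the default so `password` is required, or add `if $password == 'guest' { fail('Please specify a non-default qpid password.') }` ahead of the `qpid_user` resource. The `$file` parameter also has no comment explaining why the sasldb path is parameterised.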
@@ -0,0 +1,68 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +# +# class for installing rabbitmq server for sysinv +# +# +class sysinv::rabbitmq( + $userid = 'guest', + $password = 'guest', + $port = '5672', + $virtual_host = '/', + $enabled = true +) { + + # only configure sysinv after the queue is up + Class['rabbitmq::service'] -> Anchor<| title == 'sysinv-start' |> + + if ($enabled) { + if $userid == 'guest' { + $delete_guest_user = false + } else { + $delete_guest_user = true + rabbitmq_user { $userid: + admin => true, + password => $password, + provider => 'rabbitmqctl', + require => Class['rabbitmq::server'], + } + # I need to figure out the appropriate permissions + rabbitmq_user_permissions { "${userid}@${virtual_host}": + configure_permission => '.*', + write_permission => '.*', + read_permission => '.*', + provider => 'rabbitmqctl', + }->Anchor<| title == 'sysinv-start' |> + } + $service_ensure = 'running' + } else { + $service_ensure = 'stopped' + } + + class { '::rabbitmq::server': + service_ensure => $service_ensure, + port => $port, + delete_guest_user => $delete_guest_user, + } + + if ($enabled) { + rabbitmq_vhost { $virtual_host: + provider => 'rabbitmqctl', + require => Class['rabbitmq::server'], + } + } +} diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_agent_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_agent_spec.rb new file mode 100644 index 000000000..a57074cbe --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_agent_spec.rb 
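Review bot: `$delete_guest_user` is only assigned inside `if ($enabled)`, so with `enabled => false` the `class { '::rabbitmq::server': delete_guest_user => $delete_guest_user }` declaration passes an unset variable; set it in the `else` branch too (`$delete_guest_user = false`). The default `$userid = 'guest'`/`$password = 'guest'` path keeps the broker's guest account, and when a custom user is given it receives `.*` configure/write/read on the vhost under the comment "I need to figure out the appropriate permissions"; these credentials protect every RPC between the API and the conductor, so the default should not be a usable password and the permissions TODO should be tracked.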
@@ -0,0 +1,87 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +require 'spec_helper' + +describe 'sysinv::agent' do + + describe 'on debian plateforms' do + + let :facts do + { :osfamily => 'Debian' } + end + + describe 'with default parameters' do + + it { should include_class('sysinv::params') } + + it { should contain_package('sysinv-agent').with( + :name => 'sysinv-agent', + :ensure => 'latest', + :before => 'Service[sysinv-agent]' + ) } + + it { should contain_service('sysinv-agent').with( + :name => 'sysinv-agent', + :enable => true, + :ensure => 'running', + :require => 'Package[sysinv]', + :hasstatus => true + ) } + end + + describe 'with parameters' do + + let :params do + { :agent_driver => 'sysinv.agent.filter_agent.FilterScheduler', + :package_ensure => 'present' + } + end + + it { should contain_sysinv_config('DEFAULT/agent_driver').with_value('sysinv.agent.filter_agent.FilterScheduler') } + it { should contain_package('sysinv-agent').with_ensure('present') } + end + end + + + describe 'on rhel plateforms' do + + let :facts do + { :osfamily => 'RedHat' } + end + + describe 'with default parameters' do + + it { should include_class('sysinv::params') } + + it { should contain_service('sysinv-agent').with( + :name => 'sysinv-agent', + :enable => true, + :ensure => 'running', + :require => 'Package[sysinv]' + ) } + end + + describe 'with parameters' do + + let :params do + { :agent_driver => 'sysinv.agent.filter_agent.FilterScheduler' } + end + + it { should contain_sysinv_config('DEFAULT/agent_driver').with_value('sysinv.agent.filter_agent.FilterScheduler') } + end + end +end 
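Review bot: The Debian example expects `contain_package('sysinv-agent').with(:name => 'sysinv-agent', ...)`, but params.pp in this diff sets `$agent_package = 'sysinv'` for Debian, so the expectation cannot hold against the committed params; the agent manifest itself is outside this diff, so confirm against it. `include_class` is the deprecated rspec-puppet matcher and `contain_class('sysinv::params')` should be used in both places. "plateforms" in the two describe strings is a typo.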
diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_api_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_api_spec.rb new file mode 100644 index 000000000..5848e17fb --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_api_spec.rb 
@@ -0,0 +1,125 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +require 'spec_helper' + +describe 'sysinv::api' do + + let :req_params do + {:keystone_password => 'foo'} + end + let :facts do + {:osfamily => 'Debian'} + end + + describe 'with only required params' do + let :params do + req_params + end + + it { should contain_service('sysinv-api').with( + 'hasstatus' => true + )} + + it 'should configure sysinv api correctly' do + should contain_sysinv_config('DEFAULT/auth_strategy').with( + :value => 'keystone' + ) + #should contain_sysinv_config('DEFAULT/osapi_volume_listen').with( + # :value => '0.0.0.0' + #) + should contain_sysinv_api_paste_ini('filter:authtoken/service_protocol').with( + :value => 'http' + ) + should contain_sysinv_api_paste_ini('filter:authtoken/service_host').with( + :value => 'localhost' + ) + should contain_sysinv_api_paste_ini('filter:authtoken/service_port').with( + :value => '5000' + ) + should contain_sysinv_api_paste_ini('filter:authtoken/auth_protocol').with( + :value => 'http' + ) + should contain_sysinv_api_paste_ini('filter:authtoken/auth_host').with( + :value => 'localhost' + ) + should contain_sysinv_api_paste_ini('filter:authtoken/auth_port').with( + :value => '5000' + ) + should contain_sysinv_api_paste_ini('filter:authtoken/auth_admin_prefix').with( + :ensure => 'absent' + ) + should contain_sysinv_api_paste_ini('filter:authtoken/admin_tenant_name').with( + :value => 'services' + ) + should contain_sysinv_api_paste_ini('filter:authtoken/admin_user').with( + :value => 'sysinv' + ) + should 
contain_sysinv_api_paste_ini('filter:authtoken/admin_password').with( + :value => 'foo', + :secret => true + ) + end + end + + describe 'with only required params' do + let :params do + req_params.merge({'bind_host' => '192.168.1.3'}) + end + # it 'should configure sysinv api correctly' do + # should contain_sysinv_config('DEFAULT/osapi_volume_listen').with( + # :value => '192.168.1.3' + # ) + # end + end + + [ '/keystone', '/keystone/admin', '' ].each do |keystone_auth_admin_prefix| + describe "with keystone_auth_admin_prefix containing incorrect value #{keystone_auth_admin_prefix}" do + let :params do + { + :keystone_auth_admin_prefix => keystone_auth_admin_prefix, + :keystone_password => 'dummy' + } + end + + it { should contain_sysinv_api_paste_ini('filter:authtoken/auth_admin_prefix').with( + :value => keystone_auth_admin_prefix + )} + end + end + + [ + '/keystone/', + 'keystone/', + 'keystone', + '/keystone/admin/', + 'keystone/admin/', + 'keystone/admin' + ].each do |keystone_auth_admin_prefix| + describe "with keystone_auth_admin_prefix containing incorrect value #{keystone_auth_admin_prefix}" do + let :params do + { + :keystone_auth_admin_prefix => keystone_auth_admin_prefix, + :keystone_password => 'dummy' + } + end + + it { expect { should contain_sysinv_api_paste_ini('filter:authtoken/auth_admin_prefix') }.to \ + raise_error(Puppet::Error, /validate_re\(\): "#{keystone_auth_admin_prefix}" does not match/) } + end + end + +end diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_client_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_client_spec.rb new file mode 100644 index 000000000..1ccc855e4 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_client_spec.rb 
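Review bot: The first prefix loop (`'/keystone'`, `'/keystone/admin'`, `''`) is labelled "containing incorrect value" yet asserts that the value is written, while the second loop carries the same label and asserts that `validate_re` raises; the first describe should say "correct value". Two sibling groups are both titled 'with only required params', and the second one (adding `'bind_host' => '192.168.1.3'`) has every expectation commented out, so it is an empty example group that verifies nothing. The `:secret => true` assertion on `admin_password` is the right one to keep.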
@@ -0,0 +1,30 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +require 'spec_helper' + +describe 'sysinv::client' do + it { should contain_package('python-cgtsclient').with_ensure('present') } + let :facts do + {:osfamily => 'Debian'} + end + context 'with params' do + let :params do + {:package_ensure => 'latest'} + end + it { should contain_package('python-cgtsclient').with_ensure('latest') } + end +end diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_conductor_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_conductor_spec.rb new file mode 100644 index 000000000..5724a2389 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_conductor_spec.rb 
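Review bot: Both examples assert on `contain_package('python-cgtsclient')`, but sysinv::client in this diff declares `package { 'cgtsclient': name => $::sysinv::params::client_package }`, so the spec fails as committed; match on the resource title `cgtsclient` (or rename it in the manifest) and, if the Debian package name matters, add `.with_name('cgtsclient')`. The first `it` sits above the `let :facts` block, which works but reads as though it ran without facts.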
@@ -0,0 +1,87 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2013-2016 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Aug 2016: rebase mitaka +# Jun 2016: rebase centos +# Jun 2015: uprev kilo +# Dec 2014: uprev juno +# Jul 2014: rename ironic +# Dec 2013: uprev grizzly, havana +# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv +# + +require 'spec_helper' + +describe 'sysinv::conductor' do + + describe 'on debian plateforms' do + + let :facts do + { :osfamily => 'Debian' } + end + + describe 'with default parameters' do + + it { should include_class('sysinv::params') } + + it { should contain_package('sysinv-conductor').with( + :name => 'sysinv-conductor', + :ensure => 'latest', + :before => 'Service[sysinv-conductor]' + ) } + + it { should contain_service('sysinv-conductor').with( + :name => 'sysinv-conductor', + :enable => true, + :ensure => 'running', + :require => 'Package[sysinv]', + :hasstatus => true + ) } + end + + describe 'with parameters' do + + let :params do + { :conductor_driver => 'sysinv.conductor.filter_conductor.FilterScheduler', + :package_ensure => 'present' + } + end + + it { should contain_sysinv_config('DEFAULT/conductor_driver').with_value('sysinv.conductor.filter_conductor.FilterScheduler') } + it { should contain_package('sysinv-conductor').with_ensure('present') } + end + end + + + describe 'on rhel plateforms' do + + let :facts do + { :osfamily => 'RedHat' } + end + + describe 'with default parameters' do + + it { should include_class('sysinv::params') } + + it { should contain_service('sysinv-conductor').with( + :name => 'openstack-sysinv-conductor', + :enable => true, + :ensure => 'running', + :require => 'Package[sysinv]' + ) } + end + + describe 'with parameters' do + + let :params do + { :conductor_driver => 'sysinv.conductor.filter_conductor.FilterScheduler' } + end + + it { should 
contain_sysinv_config('DEFAULT/conductor_driver').with_value('sysinv.conductor.filter_conductor.FilterScheduler') } + end + end +end diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_db_mysql_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_db_mysql_spec.rb new file mode 100644 index 000000000..68b9605b5 --- /dev/null +++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_db_mysql_spec.rb 
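Review bot: Three expectations disagree with the manifests in this diff: the Debian package example expects `:name => 'sysinv-conductor'` while params.pp sets `$conductor_package = 'sysinv'`, the Debian service example expects `:hasstatus => true` while conductor.pp sets `hasstatus => false`, and the RedHat service example expects `:name => 'openstack-sysinv-conductor'` while params.pp sets `$conductor_service = 'sysinv-conductor'`. Either the spec or the manifests need to change before this lands. `include_class` is deprecated in rspec-puppet; use `contain_class('sysinv::params')`.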
@@ -0,0 +1,92 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+require 'spec_helper'
+
+describe 'sysinv::db::mysql' do
+
+ let :req_params do
+ {:password => 'pw'}
+ end
+
+ let :facts do
+ {:osfamily => 'Debian'}
+ end
+
+ let :pre_condition do
+ 'include mysql::server'
+ end
+
+ describe 'with only required params' do
+ let :params do
+ req_params
+ end
+ it { should contain_mysql__db('sysinv').with(
+ :user => 'sysinv',
+ :password => 'pw',
+ :host => '127.0.0.1',
+ :charset => 'latin1'
+ ) }
+ end
+ describe "overriding allowed_hosts param to array" do
+ let :params do
+ {
+ :password => 'sysinvpass',
+ :allowed_hosts => ['127.0.0.1','%']
+ }
+ end
+
+ it {should_not contain_sysinv__db__mysql__host_access("127.0.0.1").with(
+ :user => 'sysinv',
+ :password => 'sysinvpass',
+ :database => 'sysinv'
+ )}
+ it {should contain_sysinv__db__mysql__host_access("%").with(
+ :user => 'sysinv',
+ :password => 'sysinvpass',
+ :database => 'sysinv'
+ )}
+ end
+ describe "overriding allowed_hosts param to string" do
+ let :params do
+ {
+ :password => 'sysinvpass2',
+ :allowed_hosts => '192.168.1.1'
+ }
+ end
+
+ it {should contain_sysinv__db__mysql__host_access("192.168.1.1").with(
+ :user => 'sysinv',
+ :password => 'sysinvpass2',
+ :database => 'sysinv'
+ )}
+ end
+
+ describe "overriding allowed_hosts param equals to host param " do
+ let :params do
+ {
+ :password => 'sysinvpass2',
+ :allowed_hosts => '127.0.0.1'
+ }
+ end
+
+ it {should_not contain_sysinv__db__mysql__host_access("127.0.0.1").with(
+ :user => 'sysinv',
+ :password => 'sysinvpass2',
+ :database => 'sysinv'
+ )}
+ end
+end
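Review bot: The 'overriding allowed_hosts param to array' case asserts a `sysinv::db::mysql::host_access` for `"%"`, which is the MySQL any-host wildcard, without saying so; a one-line comment above that `it`, e.g. `# '%' grants the sysinv user from any client host; test fixture only, never a deployable value`, keeps a reader from copying the fixture into hiera as if it were benign. The spec also pins `:host => '127.0.0.1'` and `:charset => 'latin1'` as defaults with no case for a caller-supplied host, so an unintended change to the loopback default would go unnoticed; if the class exposes a host parameter, add a case that passes it through and asserts it on the `mysql__db` resource.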
diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_db_postgresql_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_db_postgresql_spec.rb
new file mode 100644
index 000000000..4ec811e55
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_db_postgresql_spec.rb
@@ -0,0 +1,42 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+require 'spec_helper'
+
+describe 'sysinv::db::postgresql' do
+
+ let :req_params do
+ {:password => 'pw'}
+ end
+
+ let :facts do
+ {
+ :postgres_default_version => '8.4',
+ :osfamily => 'RedHat',
+ }
+ end
+
+ describe 'with only required params' do
+ let :params do
+ req_params
+ end
+ it { should contain_postgresql__db('sysinv').with(
+ :user => 'sysinv',
+ :password => 'pw'
+ ) }
+ end
+
+end
diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_db_sync_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_db_sync_spec.rb
new file mode 100644
index 000000000..6bab71194
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_db_sync_spec.rb
@@ -0,0 +1,32 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+require 'spec_helper'
+
+describe 'sysinv::db::sync' do
+
+ let :facts do
+ {:osfamily => 'Debian'}
+ end
+ it { should contain_exec('sysinv-dbsync').with(
+ :command => 'sysinv-dbsync',
+ :path => '/usr/bin',
+ :user => 'sysinv',
+ :refreshonly => true,
+ :logoutput => 'on_failure'
+ ) }
+
+end
diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_keystone_auth_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_keystone_auth_spec.rb
new file mode 100644
index 000000000..601e32c02
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_keystone_auth_spec.rb
@@ -0,0 +1,67 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+require 'spec_helper'
+
+describe 'sysinv::keystone::auth' do
+
+ let :req_params do
+ {:password => 'pw'}
+ end
+
+ describe 'with only required params' do
+
+ let :params do
+ req_params
+ end
+
+ it 'should contain auth info' do
+
+ should contain_keystone_user('sysinv').with(
+ :ensure => 'present',
+ :password => 'pw',
+ :email => 'sysinv@localhost',
+ :tenant => 'services'
+ )
+ should contain_keystone_user_role('sysinv@services').with(
+ :ensure => 'present',
+ :roles => 'admin'
+ )
+ # JKUNG commented this out for now, not volume
+ # should contain_keystone_service('sysinv').with(
+ # :ensure => 'present',
+ # :type => 'volume',
+ # :description => 'Sysinv Service'
+ # )
+
+ end
+ it { should contain_keystone_endpoint('RegionOne/sysinv').with(
+ :ensure => 'present',
+ :public_url => 'http://127.0.0.1:6385/v1/', #%(tenant_id)s',
+ :admin_url => 'http://127.0.0.1:6385/v1/', #%(tenant_id)s',
+ :internal_url => 'http://127.0.0.1:6385/v1/' #%(tenant_id)s'
+ ) }
+
+ end
+
+ describe 'when endpoint should not be configured' do
+ let :params do
+ req_params.merge(:configure_endpoint => false)
+ end
+ it { should_not contain_keystone_endpoint('RegionOne/sysinv') }
+ end
+
+end
diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_params_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_params_spec.rb
new file mode 100644
index 000000000..05a278701
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_params_spec.rb
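Review bot: The commented-out `contain_keystone_service('sysinv')` block inside 'should contain auth info' still carries `:type => 'volume'` (a cinder leftover) and leaves the service registration with no assertion at all, so whatever type the class registers passes this spec; either assert the type the class actually sets or delete the dead block rather than leaving it behind a 'JKUNG commented this out' note. The endpoint assertion also fixes all three URLs to plain `http://127.0.0.1:6385/v1/`, and the trailing `#%(tenant_id)s'` fragments on those lines look like residue from a copied spec; drop them, and if the class accepts a protocol or TLS parameter, add a case asserting an `https://` endpoint so the encrypted path is covered too.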
@@ -0,0 +1,28 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+require 'spec_helper'
+
+describe 'sysinv::params' do
+
+ let :facts do
+ {:osfamily => 'Debian'}
+ end
+ it 'should compile' do
+ subject
+ end
+
+end
diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_qpid_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_qpid_spec.rb
new file mode 100644
index 000000000..9a46c6573
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_qpid_spec.rb
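Review bot: `it 'should compile' do subject end` only touches the lazily built catalogue and gives an opaque failure; rspec-puppet provides a `compile` matcher for exactly this, so `it { should compile }` is the idiomatic form with a useful message. The spec also sets only `:osfamily => 'Debian'`, while the sibling conductor spec drives both Debian and RedHat; a second facts case with `:osfamily => 'RedHat'` here would catch a params class that resolves on one family only.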
@@ -0,0 +1,67 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+require 'spec_helper'
+
+describe 'sysinv::qpid' do
+
+ let :facts do
+ {:puppetversion => '2.7',
+ :osfamily => 'RedHat'}
+ end
+
+ describe 'with defaults' do
+
+ it 'should contain all of the default resources' do
+
+ should contain_class('qpid::server').with(
+ :service_ensure => 'running',
+ :port => '5672'
+ )
+
+ end
+
+ it 'should contain user' do
+
+ should contain_qpid_user('guest').with(
+ :password => 'guest',
+ :file => '/var/lib/qpidd/qpidd.sasldb',
+ :realm => 'OPENSTACK',
+ :provider => 'saslpasswd2'
+ )
+
+ end
+
+ end
+
+ describe 'when disabled' do
+ let :params do
+ {
+ :enabled => false
+ }
+ end
+
+ it 'should be disabled' do
+
+ should_not contain_qpid_user('guest')
+ should contain_class('qpid::server').with(
+ :service_ensure => 'stopped'
+ )
+
+ end
+ end
+
+end
diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_rabbitmq_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_rabbitmq_spec.rb
new file mode 100644
index 000000000..0cc7b3fb1
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_rabbitmq_spec.rb
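Review bot: The 'with defaults' case asserts the class writes `qpid_user('guest')` with `:password => 'guest'` into `/var/lib/qpidd/qpidd.sasldb`, i.e. the well-known guest/guest broker credential, and no case supplies any other credential, so a regression that ignores a caller-supplied password and always provisions guest/guest would still pass. If the class takes user/password parameters (the sibling rabbitmq spec drives `:userid`/`:password`), add a case that passes them and asserts the `qpid_user` resource carries them. Put a comment above the default assertion such as `# guest/guest is the test default only; deployments must override it` so the pinned default is not read as an endorsement.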
@@ -0,0 +1,97 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+require 'spec_helper'
+
+describe 'sysinv::rabbitmq' do
+
+ let :facts do
+ { :puppetversion => '2.7',
+ :osfamily => 'Debian',
+ }
+ end
+
+ describe 'with defaults' do
+
+ it 'should contain all of the default resources' do
+
+ should contain_class('rabbitmq::server').with(
+ :service_ensure => 'running',
+ :port => '5672',
+ :delete_guest_user => false
+ )
+
+ should contain_rabbitmq_vhost('/').with(
+ :provider => 'rabbitmqctl'
+ )
+ end
+
+ end
+
+ describe 'when a rabbitmq user is specified' do
+
+ let :params do
+ {
+ :userid => 'dan',
+ :password => 'pass'
+ }
+ end
+
+ it 'should contain user and permissions' do
+
+ should contain_rabbitmq_user('dan').with(
+ :admin => true,
+ :password => 'pass',
+ :provider => 'rabbitmqctl'
+ )
+
+ should contain_rabbitmq_user_permissions('dan@/').with(
+ :configure_permission => '.*',
+ :write_permission => '.*',
+ :read_permission => '.*',
+ :provider => 'rabbitmqctl'
+ )
+
+ end
+
+ end
+
+ describe 'when disabled' do
+ let :params do
+ {
+ :userid => 'dan',
+ :password => 'pass',
+ :enabled => false
+ }
+ end
+
+ it 'should be disabled' do
+
+ should_not contain_rabbitmq_user('dan')
+ should_not contain_rabbitmq_user_permissions('dan@/')
+ should contain_class('rabbitmq::server').with(
+ :service_ensure => 'stopped',
+ :port => '5672',
+ :delete_guest_user => false
+ )
+
+ should_not contain_rabbitmq_vhost('/')
+
+ end
+ end
+
+
+end
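Review bot: Both the default and the 'when disabled' cases pin `:delete_guest_user => false`, keeping RabbitMQ's well-known `guest` account on the broker, and the configured user is asserted with `:admin => true` plus `.*` configure/write/read permissions on the vhost; the spec should state why that is acceptable, because it is what the next reader will cite when asked. Add a comment above the first `contain_class('rabbitmq::server')` assertion giving the actual reason the guest account is retained (e.g. loopback-only listener), and if the class exposes a `delete_guest_user` parameter, add a case asserting that passing `true` is honoured so the hardening path is not untested.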
diff --git a/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_spec.rb b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_spec.rb
new file mode 100644
index 000000000..9764fdb73
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/spec/classes/sysinv_spec.rb
@@ -0,0 +1,189 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+require 'spec_helper'
+describe 'sysinv' do
+ let :req_params do
+ {:rabbit_password => 'guest', :sql_connection => 'mysql://user:password@host/database'}
+ end
+
+ let :facts do
+ {:osfamily => 'Debian'}
+ end
+
+ describe 'with only required params' do
+ let :params do
+ req_params
+ end
+
+ it { should contain_class('sysinv::params') }
+
+ it 'should contain default config' do
+ should contain_sysinv_config('DEFAULT/rpc_backend').with(
+ :value => 'sysinv.openstack.common.rpc.impl_kombu'
+ )
+ should contain_sysinv_config('DEFAULT/control_exchange').with(
+ :value => 'openstack'
+ )
+ should contain_sysinv_config('DEFAULT/rabbit_password').with(
+ :value => 'guest',
+ :secret => true
+ )
+ should contain_sysinv_config('DEFAULT/rabbit_host').with(
+ :value => '127.0.0.1'
+ )
+ should contain_sysinv_config('DEFAULT/rabbit_port').with(
+ :value => '5672'
+ )
+ should contain_sysinv_config('DEFAULT/rabbit_hosts').with(
+ :value => '127.0.0.1:5672'
+ )
+ should contain_sysinv_config('DEFAULT/rabbit_ha_queues').with(
+ :value => false
+ )
+ should contain_sysinv_config('DEFAULT/rabbit_virtual_host').with(
+ :value => '/'
+ )
+ should contain_sysinv_config('DEFAULT/rabbit_userid').with(
+ :value => 'guest'
+ )
+ should contain_sysinv_config('DEFAULT/sql_connection').with(
+ :value => 'mysql://user:password@host/database',
+ :secret => true
+ )
+ should contain_sysinv_config('DEFAULT/sql_idle_timeout').with(
+ :value => '3600'
+ )
+ should contain_sysinv_config('DEFAULT/verbose').with(
+ :value => false
+ )
+ should contain_sysinv_config('DEFAULT/debug').with(
+ :value => false
+ )
+ should contain_sysinv_config('DEFAULT/api_paste_config').with(
+ :value => '/etc/sysinv/api-paste.ini'
+ )
+ end
+
+ it { should contain_file('/etc/sysinv/sysinv.conf').with(
+ :owner => 'sysinv',
+ :group => 'sysinv',
+ :mode => '0600',
+ :require => 'Package[sysinv]'
+ ) }
+
+ it { should contain_file('/etc/sysinv/api-paste.ini').with(
+ :owner => 'sysinv',
+ :group => 'sysinv',
+ :mode => '0600',
+ :require => 'Package[sysinv]'
+ ) }
+
+ end
+ describe 'with modified rabbit_hosts' do
+ let :params do
+ req_params.merge({'rabbit_hosts' => ['rabbit1:5672', 'rabbit2:5672']})
+ end
+
+ it 'should contain many' do
+ should_not contain_sysinv_config('DEFAULT/rabbit_host')
+ should_not contain_sysinv_config('DEFAULT/rabbit_port')
+ should contain_sysinv_config('DEFAULT/rabbit_hosts').with(
+ :value => 'rabbit1:5672,rabbit2:5672'
+ )
+ should contain_sysinv_config('DEFAULT/rabbit_ha_queues').with(
+ :value => true
+ )
+ end
+ end
+
+ describe 'with a single rabbit_hosts entry' do
+ let :params do
+ req_params.merge({'rabbit_hosts' => ['rabbit1:5672']})
+ end
+
+ it 'should contain many' do
+ should_not contain_sysinv_config('DEFAULT/rabbit_host')
+ should_not contain_sysinv_config('DEFAULT/rabbit_port')
+ should contain_sysinv_config('DEFAULT/rabbit_hosts').with(
+ :value => 'rabbit1:5672'
+ )
+ should contain_sysinv_config('DEFAULT/rabbit_ha_queues').with(
+ :value => true
+ )
+ end
+ end
+
+ describe 'with qpid rpc supplied' do
+
+ let :params do
+ {
+ :sql_connection => 'mysql://user:password@host/database',
+ :qpid_password => 'guest',
+ :rpc_backend => 'sysinv.openstack.common.rpc.impl_qpid'
+ }
+ end
+
+ it { should contain_sysinv_config('DEFAULT/sql_connection').with_value('mysql://user:password@host/database') }
+ it { should contain_sysinv_config('DEFAULT/rpc_backend').with_value('sysinv.openstack.common.rpc.impl_qpid') }
+ it { should contain_sysinv_config('DEFAULT/qpid_hostname').with_value('localhost') }
+ it { should contain_sysinv_config('DEFAULT/qpid_port').with_value('5672') }
+ it { should contain_sysinv_config('DEFAULT/qpid_username').with_value('guest') }
+ it { should contain_sysinv_config('DEFAULT/qpid_password').with_value('guest').with_secret(true) }
+ it { should contain_sysinv_config('DEFAULT/qpid_reconnect').with_value(true) }
+ it { should contain_sysinv_config('DEFAULT/qpid_reconnect_timeout').with_value('0') }
+ it { should contain_sysinv_config('DEFAULT/qpid_reconnect_limit').with_value('0') }
+ it { should contain_sysinv_config('DEFAULT/qpid_reconnect_interval_min').with_value('0') }
+ it { should contain_sysinv_config('DEFAULT/qpid_reconnect_interval_max').with_value('0') }
+ it { should contain_sysinv_config('DEFAULT/qpid_reconnect_interval').with_value('0') }
+ it { should contain_sysinv_config('DEFAULT/qpid_heartbeat').with_value('60') }
+ it { should contain_sysinv_config('DEFAULT/qpid_protocol').with_value('tcp') }
+ it { should contain_sysinv_config('DEFAULT/qpid_tcp_nodelay').with_value(true) }
+
+ end
+
+ describe 'with syslog disabled' do
+ let :params do
+ req_params
+ end
+
+ it { should contain_sysinv_config('DEFAULT/use_syslog').with_value(false) }
+ end
+
+ describe 'with syslog enabled' do
+ let :params do
+ req_params.merge({
+ :use_syslog => 'true',
+ })
+ end
+
+ it { should contain_sysinv_config('DEFAULT/use_syslog').with_value(true) }
+ it { should contain_sysinv_config('DEFAULT/syslog_log_facility').with_value('LOG_USER') }
+ end
+
+ describe 'with syslog enabled and custom settings' do
+ let :params do
+ req_params.merge({
+ :use_syslog => 'true',
+ :log_facility => 'LOG_LOCAL0'
+ })
+ end
+
+ it { should contain_sysinv_config('DEFAULT/use_syslog').with_value(true) }
+ it { should contain_sysinv_config('DEFAULT/syslog_log_facility').with_value('LOG_LOCAL0') }
+ end
+
+end
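Review bot: The 'with modified rabbit_hosts' and 'with a single rabbit_hosts entry' blocks both title their example `it 'should contain many'`, which makes failure output ambiguous and is wrong for the single-entry case; rename them, e.g. `it 'should set rabbit_hosts and enable ha_queues' do` and `it 'should set a single rabbit_hosts entry with ha_queues' do`. The credential handling is asserted well (`:secret => true` on rabbit_password, sql_connection and qpid_password, both config files at `0600` owned by sysinv), but the qpid case fixes `DEFAULT/qpid_protocol` at `'tcp'` and nothing exercises an encrypted transport; if the class accepts a protocol parameter, add an example asserting `'ssl'` is passed through so the plaintext default is not the only path under test.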
diff --git a/modules/puppet-sysinv/src/sysinv/spec/spec_helper.rb b/modules/puppet-sysinv/src/sysinv/spec/spec_helper.rb
new file mode 100644
index 000000000..1f7c6e6be
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/spec/spec_helper.rb
@@ -0,0 +1,21 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2013-2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Aug 2016: rebase mitaka
+# Jun 2016: rebase centos
+# Jun 2015: uprev kilo
+# Dec 2014: uprev juno
+# Jul 2014: rename ironic
+# Dec 2013: uprev grizzly, havana
+# Nov 2013: integrate source from https://github.com/stackforge/puppet-sysinv
+#
+
+require 'puppetlabs_spec_helper/module_spec_helper'
+
+RSpec.configure do |c|
+ c.alias_it_should_behave_like_to :it_configures, 'configures'
+end
diff --git a/puppet-manifests/centos/build_srpm.data b/puppet-manifests/centos/build_srpm.data
new file mode 100644
index 000000000..d27f60998
--- /dev/null
+++ b/puppet-manifests/centos/build_srpm.data
@@ -0,0 +1,2 @@
+SRC_DIR="src"
+TIS_PATCH_VER=57
diff --git a/puppet-manifests/centos/puppet-manifests.spec b/puppet-manifests/centos/puppet-manifests.spec
new file mode 100644
index 000000000..616b1e95a
--- /dev/null
+++ b/puppet-manifests/centos/puppet-manifests.spec
@@ -0,0 +1,100 @@
+Name: puppet-manifests
+Version: 1.0.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+Summary: Puppet Configuration and Manifests
+License: Apache-2.0
+Packager: Wind River
+URL: unknown
+
+Source0: %{name}-%{version}.tar.gz
+BuildArch: noarch
+
+# List all the required puppet modules
+
+# WRS puppet modules
+Requires: puppet-dcorch
+Requires: puppet-dcmanager
+Requires: puppet-mtce
+Requires: puppet-nfv
+Requires: puppet-nova_api_proxy
+Requires: puppet-patching
+Requires: puppet-sysinv
+Requires: puppet-sshd
+
+# Openstack puppet modules
+Requires: puppet-aodh
+Requires: puppet-ceilometer
+Requires: puppet-ceph
+Requires: puppet-cinder
+Requires: puppet-glance
+Requires: puppet-heat
+Requires: puppet-horizon
+Requires: puppet-keystone
+Requires: puppet-neutron
+Requires: puppet-nova
+Requires: puppet-openstacklib
+Requires: puppet-swift
+Requires: puppet-tempest
+Requires: puppet-vswitch
+Requires: puppet-murano
+Requires: puppet-magnum
+Requires: puppet-ironic
+Requires: puppet-panko
+
+# Puppetlabs puppet modules
+Requires: puppet-concat
+Requires: puppet-create_resources
+Requires: puppet-drbd
+Requires: puppet-firewall
+Requires: puppet-haproxy
+Requires: puppet-inifile
+Requires: puppet-lvm
+Requires: puppet-postgresql
+Requires: puppet-rabbitmq
+Requires: puppet-rsync
+Requires: puppet-stdlib
+Requires: puppet-sysctl
+Requires: puppet-vcsrepo
+Requires: puppet-xinetd
+
+# 3rdparty puppet modules
+Requires: puppet-boolean
+Requires: puppet-certmonger
+Requires: puppet-dnsmasq
+Requires: puppet-filemapper
+Requires: puppet-kmod
+Requires: puppet-ldap
+Requires: puppet-network
+Requires: puppet-nslcd
+Requires: puppet-nssdb
+Requires: puppet-puppi
+Requires: puppet-vlan
+Requires: puppet-ovs_dpdk
+
+%description
+Platform puppet configuration files and manifests
+
+%define config_dir %{_sysconfdir}/puppet
+%define module_dir %{_datadir}/puppet/modules
+%define local_bindir /usr/local/bin
+
+%prep
+%setup
+
+%install
+install -m 755 -D bin/puppet-manifest-apply.sh %{buildroot}%{local_bindir}/puppet-manifest-apply.sh
+install -m 755 -D bin/apply_network_config.sh %{buildroot}%{local_bindir}/apply_network_config.sh
+install -d -m 0755 %{buildroot}%{config_dir}
+install -m 640 etc/hiera.yaml %{buildroot}%{config_dir}
+cp -R hieradata %{buildroot}%{config_dir}
+cp -R manifests %{buildroot}%{config_dir}
+install -d -m 0755 %{buildroot}%{module_dir}
+cp -R modules/platform %{buildroot}%{module_dir}
+cp -R modules/openstack %{buildroot}%{module_dir}
+
+%files
+%defattr(-,root,root,-)
+%license LICENSE
+%{local_bindir}
+%{config_dir}
+%{module_dir}
diff --git a/puppet-manifests/src/LICENSE b/puppet-manifests/src/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/puppet-manifests/src/LICENSE
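Review bot: `%files` claims `%{local_bindir}`, i.e. the whole `/usr/local/bin` directory, so this package takes ownership of a shared system directory and will conflict with anything else that installs there; list the two installed scripts instead: `%{local_bindir}/puppet-manifest-apply.sh` and `%{local_bindir}/apply_network_config.sh`. In `%install`, `etc/hiera.yaml` is deliberately installed with `-m 640`, but `hieradata` and `manifests` are copied with `cp -R`, which takes modes from the source tree and the build umask, and `%defattr(-,root,root,-)` then leaves those modes untouched; if hieradata will ever carry credentials (typical for hiera), fix the mode explicitly, e.g. `%attr(640,root,root) %{config_dir}/hieradata/*` under `%files`. The `Requires:` list is unversioned, so any puppet-* build satisfies it; add minimum versions where the manifests depend on a specific module API.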
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/puppet-manifests/src/bin/apply_network_config.sh b/puppet-manifests/src/bin/apply_network_config.sh new file mode 100755 index 000000000..dad86189f --- /dev/null +++ b/puppet-manifests/src/bin/apply_network_config.sh 
@@ -0,0 +1,405 @@
+#!/bin/bash
+
+################################################################################
+# Copyright (c) 2016 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+################################################################################
+
+#
+# Purpose of this script is to copy the puppet-built
+# ifcfg-* network config files from the puppet dir
+# to the /etc/sysconfig/network-scripts/. Only files that
+# are detected as different are copied.
+#
+# Then for each network puppet config files that are different
+# from /etc/sysconfig/network-scripts/ version of the same config file, perform a
+# network restart on the related iface.
+#
+# Please note: function is_eq_ifcfg() is used to determine if
+# cfg files are different
+#
+
+export IFNAME_INCLUDE="ifcfg-*"
+export RTNAME_INCLUDE="route-*"
+ACQUIRE_LOCK=1
+RELEASE_LOCK=0
+
+if [ ! -d /var/run/network-scripts.puppet/ ] ; then
+ # No puppet files? Nothing to do!
+ exit 1
+fi
+
+function log_it() {
+ logger "${0} ${1}"
+}
+
+function do_if_up() {
+ local iface=$1
+ log_it "Bringing $iface up"
+ /sbin/ifup $iface
+}
+
+function do_if_down() {
+ local iface=$1
+ log_it "Bringing $iface down"
+ /sbin/ifdown $iface
+}
+
+function do_rm() {
+ local theFile=$1
+ log_it "Removing $theFile"
+ /bin/rm $theFile
+}
+
+function do_cp() {
+ local srcFile=$1
+ local dstFile=$2
+ log_it "copying network cfg $srcFile to $dstFile"
+ cp $srcFile $dstFile
+}
+
+# Return items in list1 that are not in list2
+array_diff () {
+ list1=${!1}
+ list2=${!2}
+
+ result=()
+ l2=" ${list2[*]} "
+ for item in ${list1[@]}; do
+ if [[ ! 
$l2 =~ " $item " ]] ; then
+ result+=($item)
+ fi
+ done
+
+ echo ${result[@]}
+}
+
+function normalized_cfg_attr_value() {
+ local cfg=$1
+ local attr_name=$2
+ local attr_value=$(cat $cfg | grep $attr_name= | awk -F "=" {'print $2'})
+
+ if [[ "${attr_name}" != "BOOTPROTO" ]]; then
+ echo "${attr_value}"
+ return $(true)
+ fi
+ #
+ # Special case BOOTPROTO attribute.
+ #
+ # The BOOTPROTO attribute is not populated consistently by various aspects
+ # of the system. Different values are used to indicate a manually
+ # configured interfaces (i.e., one that does not expect to have an IP
+ # address) and so to avoid reconfiguring an interface that has different
+ # values with the same meaning we normalize them here before making any
+ # decisions.
+ #
+ # From a user perspective the values "manual", "none", and "" all have the
+ # same meaning - an interface without an IP address while "dhcp" and
+ # "static" are distinct values with a separate meaning. In practice
+ # however, the only value that matters from a ifup/ifdown script point of
+ # view is "dhcp". All other values are ignored.
+ #
+ # In our system we set BOOTPROTO to "static" to indicate that IP address
+ # attributes exist and to "manual"/"none" to indicate that no IP address
+ # attributes exist. These are not needed by ifup/ifdown as it looks for
+ # the "IPADDR" attribute whenever BOOTPROTO is set to anything other than
+ # "dhcp". 
+ #
+ if [[ "${attr_value}" == "none" ]]; then
+ attr_value="none"
+ fi
+ if [[ "${attr_value}" == "manual" ]]; then
+ attr_value="none"
+ fi
+ if [[ "${attr_value}" == "" ]]; then
+ attr_value="none"
+ fi
+ echo "${attr_value}"
+ return $(true)
+}
+
+#
+# returns $(true) if cfg file ( $1 ) has property propName ( $2 ) with a value of propValue ( $3 )
+#
+function cfg_has_property_with_value() {
+ local cfg=$1
+ local propname=$2
+ local propvalue=$3
+ if [ -f $cfg ]; then
+ if [[ "$(normalized_cfg_attr_value $cfg $propname)" == "${propvalue}" ]]; then
+ return $(true)
+ fi
+ fi
+ return $(false)
+}
+
+#
+# returns $(true) if cfg file is configured as a slave
+#
+function is_slave() {
+ cfg_has_property_with_value $1 "SLAVE" "yes"
+ return $?
+}
+
+#
+# returns $(true) if cfg file is configured for DHCP
+#
+function is_dhcp() {
+ cfg_has_property_with_value $1 "BOOTPROTO" "dhcp"
+}
+
+#
+# returns $(true) if cfg file is configured as a VLAN interface
+#
+function is_vlan() {
+ cfg_has_property_with_value $1 "VLAN" "yes"
+ return $?
+}
+
+#
+# returns $(true) if cfg file is configured as an ethernet interface. For the
+# purposes of this script "ethernet" is considered as any interface that is not
+# a vlan or a slave. This includes both regular ethernet interfaces and bonded
+# interfaces.
+#
+function is_ethernet() {
+ if ! is_vlan $1; then
+ if ! is_slave $1; then
+ return $(true)
+ fi
+ fi
+ return $(false)
+}
+
+#
+# returns $(true) if cfg file represents an interface of the specified type. 
+#
+function iftype_filter() {
+ local iftype=$1
+
+ return $(is_$iftype $2)
+}
+
+#
+# returns $(true) if ifcfg files have the same number of VFs
+#
+#
+function is_eq_sriov_numvfs() {
+ local cfg_1=$1
+ local cfg_2=$2
+
+ local sriov_numvfs_1=$(grep -o 'echo *[1-9].*sriov_numvfs' $cfg_1 | awk {'print $2'})
+ local sriov_numvfs_2=$(grep -o 'echo *[1-9].*sriov_numvfs' $cfg_2 | awk {'print $2'})
+
+ sriov_numvfs_1=${sriov_numvfs_1:-0}
+ sriov_numvfs_2=${sriov_numvfs_2:-0}
+
+ if [[ "${sriov_numvfs_1}" != "${sriov_numvfs_2}" ]]; then
+ log_it "$cfg_1 and $cfg_2 differ on attribute sriov_numvfs [${sriov_numvfs_1}:${sriov_numvfs_2}]"
+ return $(false)
+ fi
+
+ return $(true)
+}
+
+#
+# returns $(true) if ifcfg files are equal
+#
+# Warning: Only compares against cfg file attributes:
+# BOOTPROTO DEVICE IPADDR NETMASK GATEWAY SRIOV_NUMVFS
+#
+function is_eq_ifcfg() {
+ local cfg_1=$1
+ local cfg_2=$2
+
+ for attr in BOOTPROTO DEVICE IPADDR NETMASK GATEWAY MTU
+ do
+ local attr_value1=$(normalized_cfg_attr_value $cfg_1 $attr)
+ local attr_value2=$(normalized_cfg_attr_value $cfg_2 $attr)
+ if [[ "${attr_value1}" != "${attr_value2}" ]]; then
+ log_it "$cfg_1 and $cfg_2 differ on attribute $attr"
+ return $(false)
+ fi
+ done
+
+ is_eq_sriov_numvfs $1 $2
+ return $?
+}
+
+# Synchronize with sysinv-agent audit (ifup/down to query link speed). 
+function sysinv_agent_lock() {
+ case $1 in
+ $ACQUIRE_LOCK)
+ local lock_file="/var/run/apply_network_config.lock"
+ # Lock file should be the same as defined in sysinv agent code
+ local lock_timeout=5
+ local max=15
+ local n=1
+ LOCK_FD=0
+ exec {LOCK_FD}>$lock_file
+ while [[ $n -le $max ]]
+ do
+ flock -w $lock_timeout $LOCK_FD && break
+ log_it "Failed to get lock($LOCK_FD) after $lock_timeout seconds ($n/$max), will retry"
+ sleep 1
+ ((n++))
+ done
+ if [[ $n -gt $max ]]; then
+ log_it "Failed to acquire lock($LOCK_FD) even after $max retries"
+ exit 1
+ fi
+ ;;
+ $RELEASE_LOCK)
+ [[ $LOCK_FD -gt 0 ]] && flock -u $LOCK_FD
+ ;;
+ esac
+}
+
+# First thing to do is deal with the case of there being no routes left on an interface.
+# In this case, there will be no route- in the puppet directory.
+# We'll just create an empty one so that the below will loop will work in all cases.
+
+for rt_path in $(find /etc/sysconfig/network-scripts/ -name "${RTNAME_INCLUDE}"); do
+ rt=$(basename $rt_path)
+
+ if [ ! -e /var/run/network-scripts.puppet/$rt ]; then
+ touch /var/run/network-scripts.puppet/$rt
+ fi
+done
+
+for rt_path in $(find /var/run/network-scripts.puppet/ -name "${RTNAME_INCLUDE}"); do
+ rt=$(basename $rt_path)
+ iface_rt=${rt#route-}
+
+ if [ -e /etc/sysconfig/network-scripts/$rt ]; then
+ # There is an existing route file. Check if there are changes.
+ diff -I ".*Last generated.*" -q /var/run/network-scripts.puppet/$rt \
+ /etc/sysconfig/network-scripts/$rt >/dev/null 2>&1
+
+ if [ $? -ne 0 ] ; then
+ # We may need to perform some manual route deletes
+ # Look for route lines that are present in the current netscripts route file,
+ # but not in the new puppet version. Need to manually delete these routes.
+ grep -v HEADER /etc/sysconfig/network-scripts/$rt | while read oldRouteLine
+ do
+ grepCmd="grep -q '$oldRouteLine' $rt_path > /dev/null"
+ eval $grepCmd
+ if [ $? 
-ne 0 ] ; then
+ log_it "Removing route: $oldRouteLine"
+ $(/usr/sbin/ip route del $oldRouteLine)
+ fi
+ done
+ fi
+ fi
+
+
+ if [ -s /var/run/network-scripts.puppet/$rt ] ; then
+ # Whether this is a new routes file or there are changes, ultimately we will need
+ # to ifup the file to add any potentially new routes.
+
+ do_cp /var/run/network-scripts.puppet/$rt /etc/sysconfig/network-scripts/$rt
+ /etc/sysconfig/network-scripts/ifup-routes $iface_rt
+
+ else
+ # Puppet routes file is empty, because we created an empty one due to absence of any routes
+ # so that our check with the existing netscripts routes would work.
+ # Just delete the netscripts file as there are no static routes left on this interface.
+ do_rm /etc/sysconfig/network-scripts/$rt
+ fi
+
+ # Puppet redhat.rb file does not support removing routes from the same resource file.
+ # Need to smoke the temp one so it will be properly recreated next time.
+
+ do_cp /var/run/network-scripts.puppet/$rt /var/run/network-scripts.puppet/$iface_rt.back
+ do_rm /var/run/network-scripts.puppet/$rt
+
+done
+
+
+
+
+upDown=()
+changed=()
+for cfg_path in $(find /var/run/network-scripts.puppet/ -name "${IFNAME_INCLUDE}"); do
+ cfg=$(basename $cfg_path)
+
+ diff -I ".*Last generated.*" -q /var/run/network-scripts.puppet/$cfg \
+ /etc/sysconfig/network-scripts/$cfg >/dev/null 2>&1
+
+ if [ $? -ne 0 ] ; then
+ # puppet file needs to be copied to network dir because diff detected
+ changed+=($cfg)
+ # but do we need to actually start the iface? 
+ if is_dhcp /var/run/network-scripts.puppet/$cfg || \
+ is_dhcp /etc/sysconfig/network-scripts/$cfg ; then
+ # if dhcp type iface, then too many possible attr's to compare against, so
+ # just add cfg to the upDown list because we know (from above) cfg file is changed
+ log_it "dhcp detected for $cfg - adding to upDown list"
+ upDown+=($cfg)
+ else
+ # not in dhcp situation so check if any significant
+ # cfg attributes have changed to warrant an iface restart
+ is_eq_ifcfg /var/run/network-scripts.puppet/$cfg \
+ /etc/sysconfig/network-scripts/$cfg
+ if [ $? -ne 0 ] ; then
+ log_it "$cfg changed - adding to upDown list"
+ upDown+=($cfg)
+ fi
+ fi
+ fi
+done
+
+current=()
+for f in $(find /etc/sysconfig/network-scripts/ -name "${IFNAME_INCLUDE}"); do
+ current+=($(basename $f))
+done
+
+active=()
+for f in $(find /var/run/network-scripts.puppet/ -name "${IFNAME_INCLUDE}"); do
+ active+=($(basename $f))
+done
+
+# synchronize with sysinv-agent audit
+sysinv_agent_lock $ACQUIRE_LOCK
+
+remove=$(array_diff current[@] active[@])
+for r in ${remove[@]}; do
+ # Bring down interface before we execute network restart, interfaces
+ # that do not have an ifcfg are not managed by init script
+ iface=${r#ifcfg-}
+ do_if_down $iface
+ do_rm /etc/sysconfig/network-scripts/$r
+done
+
+# now down the changed ifaces by dealing with vlan interfaces first so that
+# they are brought down gracefully (i.e., without taking their dependencies
+# away unexpectedly).
+for iftype in vlan ethernet; do
+ for cfg in ${upDown[@]}; do
+ ifcfg=/etc/sysconfig/network-scripts/$cfg
+ if iftype_filter $iftype $ifcfg; then
+ do_if_down ${ifcfg#ifcfg-}
+ fi
+ done
+done
+
+# now copy the puppet changed interfaces to /etc/sysconfig/network-scripts
+for cfg in ${changed[@]}; do
+ do_cp /var/run/network-scripts.puppet/$cfg /etc/sysconfig/network-scripts/$cfg
+done
+
+# now ifup changed ifaces by dealing with vlan interfaces last so that their
+# dependencies are met before they are configured. 
+for iftype in ethernet vlan; do
+ for cfg in ${upDown[@]}; do
+ ifcfg=/var/run/network-scripts.puppet/$cfg
+ if iftype_filter $iftype $ifcfg; then
+ do_if_up ${ifcfg#ifcfg-}
+ fi
+ done
+done
+
+# unlock: synchronize with sysinv-agent audit
+sysinv_agent_lock $RELEASE_LOCK
diff --git a/puppet-manifests/src/bin/puppet-manifest-apply.sh b/puppet-manifests/src/bin/puppet-manifest-apply.sh
new file mode 100755
index 000000000..3774de15c
--- /dev/null
+++ b/puppet-manifests/src/bin/puppet-manifest-apply.sh
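Review bot: The route-removal loop builds a shell command from file contents and runs it through `eval` (`grepCmd="grep -q '$oldRouteLine' $rt_path > /dev/null"` followed by `eval $grepCmd`), so a route line containing a quote or shell metacharacter either breaks the match or is interpreted as code; `if ! grep -qF -- "$oldRouteLine" "$rt_path"; then` performs the same fixed-string check without eval, and the delete should be run directly as `/usr/sbin/ip route del $oldRouteLine` rather than inside `$(...)`, which re-executes whatever the command prints. In the two ifdown/ifup loops `${ifcfg#ifcfg-}` strips nothing because `ifcfg` holds a full path, so ifdown/ifup receive the path instead of the interface name (presumably tolerated because those scripts accept a config path); `${cfg#ifcfg-}` would match what the removal loop does with `${r#ifcfg-}`. Exiting 1 when /var/run/network-scripts.puppet is absent also reports the "Nothing to do" case as a failure to the caller — confirm that is intended.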
@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+
+# Grab a lock before doing anything else
+LOCKFILE=/var/lock/.puppet.applyscript.lock
+LOCK_FD=200
+LOCK_TIMEOUT=60
+
+eval "exec ${LOCK_FD}>$LOCKFILE"
+
+while :; do
+ flock -w $LOCK_TIMEOUT $LOCK_FD && break
+ logger -t $0 "Failed to get lock for puppet applyscript after $LOCK_TIMEOUT seconds. Trying again"
+ sleep 1
+done
+
+HIERADATA=$1
+HOST=$2
+PERSONALITY=$3
+MANIFEST=${4:-$PERSONALITY}
+RUNTIMEDATA=$5
+
+
+PUPPET_MODULES_PATH=/usr/share/puppet/modules:/usr/share/openstack-puppet/modules
+PUPPET_MANIFEST=/etc/puppet/manifests/${MANIFEST}.pp
+PUPPET_TMP=/tmp/puppet
+
+# Setup log directory and file
+DATETIME=$(date -u +"%Y-%m-%d-%H-%M-%S")
+LOGDIR="/var/log/puppet/${DATETIME}_${PERSONALITY}"
+LOGFILE=${LOGDIR}/puppet.log
+
+mkdir -p ${LOGDIR}
+rm -f /var/log/puppet/latest
+ln -s ${LOGDIR} /var/log/puppet/latest
+
+touch ${LOGFILE}
+chmod 600 ${LOGFILE}
+
+
+# Remove old log directories
+declare -i NUM_DIRS=`ls -d1 /var/log/puppet/[0-9]* 2>/dev/null | wc -l`
+declare -i MAX_DIRS=20
+if [ ${NUM_DIRS} -gt ${MAX_DIRS} ]; then
+ let -i RMDIRS=${NUM_DIRS}-${MAX_DIRS}
+ ls -d1 /var/log/puppet/[0-9]* | head -${RMDIRS} | xargs --no-run-if-empty rm -rf
+fi
+
+
+# Setup staging area and hiera data configuration
+# (must match hierarchy defined in hiera.yaml)
+rm -rf ${PUPPET_TMP}
+mkdir -p ${PUPPET_TMP}/hieradata
+cp /etc/puppet/hieradata/global.yaml ${PUPPET_TMP}/hieradata/global.yaml
+cp /etc/puppet/hieradata/${PERSONALITY}.yaml ${PUPPET_TMP}/hieradata/personality.yaml
+cp -f ${HIERADATA}/${HOST}.yaml ${PUPPET_TMP}/hieradata/host.yaml
+cp -f ${HIERADATA}/system.yaml \
+ ${HIERADATA}/secure_system.yaml \
+ ${HIERADATA}/static.yaml \
+ ${HIERADATA}/secure_static.yaml \
+ ${PUPPET_TMP}/hieradata/
+
+if [ -n "${RUNTIMEDATA}" ]; then
+ cp -f ${RUNTIMEDATA} ${PUPPET_TMP}/hieradata/runtime.yaml
+fi
+
+
+# Exit function to save logs from initial apply
+function finish()
+{
+ local SAVEDLOGS=/var/log/puppet/first_apply.tgz
+ if [ ! 
-f ${SAVEDLOGS} ]; then
+ # Save the logs
+ tar czf ${SAVEDLOGS} ${LOGDIR} 2>/dev/null
+ fi
+}
+trap finish EXIT
+
+
+# Set Keystone endpoint type to internal to prevent SSL cert failures during config
+export OS_ENDPOINT_TYPE=internalURL
+export CINDER_ENDPOINT_TYPE=internalURL
+# Suppress stdlib deprecation warnings until all puppet modules can be updated
+export STDLIB_LOG_DEPRECATIONS=false
+
+echo "Applying puppet ${MANIFEST} manifest..."
+flock /var/run/puppet.lock \
+ puppet apply --debug --trace --modulepath ${PUPPET_MODULES_PATH} ${PUPPET_MANIFEST} \
+ < /dev/null 2>&1 | awk ' { system("date -u +%FT%T.%3N | tr \"\n\" \" \""); print $0; fflush(); } ' > ${LOGFILE}
+if [ $? -ne 0 ]
+then
+ echo "[FAILED]"
+ echo "See ${LOGFILE} for details"
+ exit 1
+else
+ grep -qE '^(.......)?Warning|^....-..-..T..:..:..([.]...)?(.......)?.Warning|^(.......)?Error|^....-..-..T..:..:..([.]...)?(.......)?.Error' ${LOGFILE}
+ if [ $? -eq 0 ]
+ then
+ echo "[WARNING]"
+ echo "Warnings found. See ${LOGFILE} for details"
+ exit 1
+ fi
+ echo "[DONE]"
+fi
+
+exit 0
diff --git a/puppet-manifests/src/etc/hiera.yaml b/puppet-manifests/src/etc/hiera.yaml
new file mode 100644
index 000000000..e40d9c050
--- /dev/null
+++ b/puppet-manifests/src/etc/hiera.yaml
@@ -0,0 +1,17 @@
+---
+:backends:
+ - yaml
+
+:hierarchy:
+ - runtime
+ - host
+ - secure_system
+ - system
+ - secure_static
+ - static
+ - personality
+ - global
+
+:yaml:
+ # data is staged to a local directory by the puppet-manifest-apply.sh script
+ :datadir: /tmp/puppet/hieradata
diff --git a/puppet-manifests/src/hieradata/compute.yaml b/puppet-manifests/src/hieradata/compute.yaml
new file mode 100644
index 000000000..b704157dc
--- /dev/null
+++ b/puppet-manifests/src/hieradata/compute.yaml
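Review bot: `if [ $? -ne 0 ]` after the `flock ... puppet apply ... | awk ...` pipeline tests awk's exit status, not puppet's, so an apply that fails without emitting a line the later `Warning|Error` grep recognises is reported as `[DONE]` with exit 0; use `if [ "${PIPESTATUS[0]}" -ne 0 ]` (or `set -o pipefail` before the pipeline) so the apply's own status decides. The staging directory is created with `rm -rf ${PUPPET_TMP}` / `mkdir -p ${PUPPET_TMP}/hieradata` under world-writable /tmp with the default umask and then receives `secure_system.yaml` and `secure_static.yaml`, while the log file gets an explicit `chmod 600`; creating it with `install -d -m 0700 ${PUPPET_TMP}/hieradata` keeps the staged secure hiera data from being readable by other local users (a non-/tmp location would be better still, but hiera.yaml's `:datadir` would have to move with it). `eval "exec ${LOCK_FD}>$LOCKFILE"` does not need eval, since LOCK_FD is a constant: `exec 200>"$LOCKFILE"`.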
@@ -0,0 +1,54 @@
+# compute specific configuration data
+---
+
+# neutron
+neutron::agents::dhcp::interface_driver: 'openvswitch'
+neutron::agents::dhcp::enable_isolated_metadata: true
+neutron::agents::dhcp::state_path: '/var/run/neutron'
+neutron::agents::dhcp::root_helper: 'sudo'
+
+neutron::agents::l3::interface_driver: 'openvswitch'
+neutron::agents::l3::metadata_port: 80
+neutron::agents::l3::agent_mode: 'dvr_snat'
+
+neutron::agents::ml2::sriov::manage_service: true
+neutron::agents::ml2::sriov::polling_interval: 5
+
+
+# nova
+nova::compute::enabled: true
+nova::compute::manage_service: false
+nova::compute::config_drive_format: 'iso9660'
+nova::compute::instance_usage_audit: true
+nova::compute::instance_usage_audit_period: 'hour'
+nova::compute::allow_resize_to_same_host: true
+nova::compute::force_raw_images: false
+nova::compute::reserved_host_memory: 0
+# We want to start up instances on bootup
+nova::compute::resume_guests_state_on_host_boot: true
+
+nova::compute::libvirt::compute_driver: 'libvirt.LibvirtDriver'
+nova::compute::libvirt::migration_support: true
+nova::compute::libvirt::libvirt_cpu_mode: 'none'
+nova::compute::libvirt::live_migration_downtime: 500
+nova::compute::libvirt::live_migration_downtime_steps: 10
+nova::compute::libvirt::live_migration_downtime_delay: 75
+nova::compute::libvirt::live_migration_completion_timeout: 180
+nova::compute::libvirt::live_migration_progress_timeout: 0
+nova::compute::libvirt::remove_unused_base_images: true
+nova::compute::libvirt::remove_unused_resized_minimum_age_seconds: 86400
+nova::compute::libvirt::remove_unused_original_minimum_age_seconds: 3600
+nova::compute::libvirt::live_migration_flag: "VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED"
+
+nova::network::neutron::neutron_username: 'neutron'
+nova::network::neutron::neutron_project_name: 'services'
+nova::network::neutron::neutron_user_domain_name: 'Default'
+nova::network::neutron::neutron_project_domain_name: 'Default'
+nova::network::neutron::neutron_region_name: RegionOne
+
+
+# ceilometer
+ceilometer::agent::polling::central_namespace: false
+ceilometer::agent::polling::compute_namespace: true
+ceilometer::agent::polling::instance_discovery_method: 'workload_partitioning'
+ceilometer::agent::polling::ipmi_namespace: true
diff --git a/puppet-manifests/src/hieradata/controller.yaml b/puppet-manifests/src/hieradata/controller.yaml
new file mode 100644
index 000000000..d9c8b5b63
--- /dev/null
+++ b/puppet-manifests/src/hieradata/controller.yaml
@@ -0,0 +1,476 @@
+# controller specific configuration data
+---
+
+# platform
+
+# Default hostname required for initial bootstrap of controller-0.
+# Configured hostname will override this value.
+platform::params::hostname: 'controller-0'
+
+# Default controller hostname maps to the loopback address
+# NOTE: Puppet doesn't support setting multiple IPs for the host resource,
+# therefore setup an alias for the controller against localhost and
+# then specify the IPv6 localhost as a separate entry.
+# The IPv6 entry is required for LDAP clients to connect to the LDAP
+# server when there are no IPv4 addresses configured, which occurs
+# during the bootstrap phase.
+platform::config::params::hosts:
+ localhost:
+ ip: '127.0.0.1'
+ host_aliases:
+ - localhost.localdomain
+ - controller
+ controller:
+ ip: '::1'
+
+# default parameters, runtime management network configured will override
+platform::network::mgmt::params::subnet_version: 4
+platform::network::mgmt::params::controller0_address: 127.0.0.1
+platform::network::mgmt::params::controller1_address: 127.0.0.2
+
+# default parameters, runtime values will be based on selected link
+platform::drbd::params::link_speed: 10000
+platform::drbd::params::link_util: 40
+platform::drbd::params::num_parallel: 1
+platform::drbd::params::rtt_ms: 0.2
+
+# Default LDAP configuration required for bootstrap of controller-0
+platform::ldap::params::server_id: '001'
+platform::ldap::params::provider_uri: 'ldap://controller-1'
+
+# FIXME(mpeters): remove packstack specific variable
+# workaround until openstack credentials module is updated to not reference
+# hiera data
+CONFIG_ADMIN_USER_DOMAIN_NAME: Default
+CONFIG_ADMIN_PROJECT_DOMAIN_NAME: Default
+
+
+# mtce
+platform::mtce::agent::params::compute_boot_timeout: 720
+platform::mtce::agent::params::controller_boot_timeout: 1200
+platform::mtce::agent::params::heartbeat_period: 100
+platform::mtce::agent::params::heartbeat_failure_threshold: 10
+platform::mtce::agent::params::heartbeat_degrade_threshold: 6
+
+
+# postgresql
+postgresql::globals::needs_initdb: false
+postgresql::server::service_enable: false
+postgresql::server::ip_mask_deny_postgres_user: '0.0.0.0/32'
+postgresql::server::ip_mask_allow_all_users: '0.0.0.0/0'
+postgresql::server::pg_hba_conf_path: "/etc/postgresql/pg_hba.conf"
+postgresql::server::pg_ident_conf_path: "/etc/postgresql/pg_ident.conf"
+postgresql::server::postgresql_conf_path: "/etc/postgresql/postgresql.conf"
+postgresql::server::listen_addresses: "*"
+postgresql::server::ipv4acls: ['host all all samenet md5']
+postgresql::server::log_line_prefix: 'db=%d,user=%u '
+
+
+# rabbitmq
+rabbitmq::repos_ensure: false
+rabbitmq::admin_enable: false
+rabbitmq::package_provider: 'yum'
+rabbitmq::default_host: 'controller'
+
+
+# drbd
+drbd::service_enable: false
+drbd::service_ensure: 'stopped'
+
+
+# haproxy
+haproxy::merge_options: true
+
+platform::haproxy::params::global_options:
+ log:
+ - '127.0.0.1:514 local1 info'
+ user: 'haproxy'
+ group: 'wrs_protected'
+ chroot: '/var/lib/haproxy'
+ pidfile: '/var/run/haproxy.pid'
+ maxconn: '4000'
+ daemon: ''
+ stats: 'socket /var/lib/haproxy/stats'
+ ca-base: '/etc/ssl/certs'
+ crt-base: '/etc/ssl/private'
+ ssl-default-bind-ciphers: 'kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4-SHA:!kEDH:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!LOW:!EXP:!MD5:!aNULL:!eNULL'
+ ssl-default-bind-options: 'no-sslv3 no-tlsv10'
+
+haproxy::defaults_options:
+ log: 'global'
+ mode: 'http'
+ stats: 'enable'
+ option:
+ - 'httplog'
+ - 'dontlognull'
+ - 'forwardfor'
+ retries: '3'
+ timeout:
+ - 'http-request 10s'
+ - 'queue 10m'
+ - 'connect 10s'
+ - 'client 90s'
+ - 'server 90s'
+ - 'check 10s'
+ maxconn: '8000'
+
+
+# ceph
+ceph::public_addr: '127.0.0.1:5001'
+
+
+# sysinv
+sysinv::journal_max_size: 51200
+sysinv::journal_min_size: 1024
+sysinv::journal_default_size: 1024
+
+sysinv::api::enabled: false
+sysinv::api::keystone_tenant: 'services'
+sysinv::api::keystone_user: 'sysinv'
+sysinv::api::keystone_user_domain: 'Default'
+sysinv::api::keystone_project_domain: 'Default'
+
+sysinv::conductor::enabled: false
+
+
+# keystone
+keystone::service::enabled: false
+keystone::token_provider: 'fernet'
+keystone::max_token_size: 255,
+keystone::debug: false
+keystone::service_name: 'openstack-keystone'
+keystone::enable_ssl: false
+keystone::use_syslog: true
+keystone::log_facility: 'local2'
+keystone::database_idle_timeout: 60
+keystone::database_max_pool_size: 1
+keystone::database_max_overflow: 50
+keystone::enable_bootstrap: false
+keystone::sync_db: false
+keystone::enable_proxy_headers_parsing: true
+keystone::log_file: /dev/null
+
+keystone::endpoint::default_domain: 'Default'
+keystone::endpoint::version: 'v3'
+keystone::endpoint::region: 'RegionOne'
+keystone::endpoint::admin_url: 'http://127.0.0.1:5000'
+
+keystone::ldap::identity_driver: 'sql'
+keystone::ldap::assignment_driver: 'sql'
+
+keystone::security_compliance::unique_last_password_count: 2
+keystone::security_compliance::password_regex: '^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$'
+keystone::security_compliance::password_regex_description: 'Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character'
+
+keystone::roles::admin::email: 'admin@localhost'
+keystone::roles::admin::admin_tenant: 'admin'
+
+openstack::client::params::identity_auth_url: 'http://localhost:5000/v3'
+
+# glance
+glance::api::enabled: false
+glance::api::pipeline: 'keystone'
+glance::api::database_max_pool_size: 1
+glance::api::database_max_overflow: 10
+glance::api::verbose: false
+glance::api::debug: false
+glance::api::use_syslog: true
+glance::api::log_facility: 'local2'
+glance::api::log_file: '/dev/null'
+glance::api::multi_store: true
+glance::api::cinder_catalog_info: 'volume:cinder:internalURL'
+glance::api::graceful_shutdown: true
+glance::api::enable_proxy_headers_parsing: true
+glance::api::image_cache_dir: '/opt/cgcs/glance/image-cache'
+glance::api::cache_raw_conversion_dir: '/opt/img-conversions/glance'
+glance::api::scrubber_datadir: '/opt/cgcs/glance/scrubber'
+
+glance::registry::enabled: false
+glance::registry::database_max_pool_size: 1
+glance::registry::database_max_overflow: 10
+glance::registry::verbose: false
+glance::registry::debug: false
+glance::registry::use_syslog: true
+glance::registry::log_facility: 'local2'
+glance::registry::log_file: '/dev/null'
+glance::registry::graceful_shutdown: true
+
+glance::backend::rbd::multi_store: true
+glance::backend::rbd::rbd_store_user: glance
+
+glance::backend::file::multi_store: true
+glance::backend::file::filesystem_store_datadir: '/opt/cgcs/glance/images/'
+
+glance::notify::rabbitmq::notification_driver: 'messagingv2'
+
+# nova
+nova::conductor::enabled: false
+nova::scheduler::enabled: false
+nova::consoleauth::enabled: false
+nova::vncproxy::enabled: false
+nova::serialproxy::enabled: false
+
+nova::scheduler::filter::ram_weight_multiplier: 0.0
+nova::scheduler::filter::disk_weight_multiplier: 0.0
+nova::scheduler::filter::io_ops_weight_multiplier: -5.0
+nova::scheduler::filter::pci_weight_multiplier: 0.0
+nova::scheduler::filter::soft_affinity_weight_multiplier: 0.0
+nova::scheduler::filter::soft_anti_affinity_weight_multiplier: 0.0
+
+nova::cron::archive_deleted_rows::hour: '*/12'
+nova::cron::archive_deleted_rows::destination: '/dev/null'
+
+nova::api::enabled: false
+nova::api::enable_proxy_headers_parsing: true
+# nova-api runs on an internal 18774 port and api proxy runs on 8774
+nova::api::osapi_compute_listen_port: 18774
+nova::api::allow_resize_to_same_host: true
+
+nova::network::neutron::default_floating_pool: 'public'
+
+nova_api_proxy::config::enabled: false
+nova_api_proxy::config::eventlet_pool_size: 256
+
+# this will trigger simple_setup for cell_v2
+nova::db::sync_api::cellv2_setup: true
+
+# neutron 
+neutron::core_plugin: 'neutron.plugins.ml2.plugin.Ml2Plugin'
+neutron::service_plugins:
+ - 'router'
+neutron::allow_overlapping_ips: true
+neutron::vlan_transparent: true
+neutron::pnet_audit_enabled: true
+
+neutron::server::enabled: false
+neutron::server::database_idle_timeout: 60
+neutron::server::database_max_pool_size: 1
+neutron::server::database_max_overflow: 64
+neutron::server::enable_proxy_headers_parsing: true
+neutron::server::network_scheduler_driver: 'neutron.scheduler.dhcp_agent_scheduler.WeightScheduler'
+neutron::server::router_scheduler_driver: 'neutron.scheduler.l3_host_agent_scheduler.HostBasedScheduler'
+
+neutron::server::notifications::endpoint_type: 'internal'
+
+neutron::plugins::ml2::type_drivers:
+ - managed_flat
+ - managed_vlan
+ - managed_vxlan
+neutron::plugins::ml2::tenant_network_types:
+ - vlan
+ - vxlan
+neutron::plugins::ml2::mechanism_drivers:
+ - openvswitch
+ - sriovnicswitch
+ - l2population
+neutron::plugins::ml2::enable_security_group: true
+neutron::plugins::ml2::ensure_default_security_group: false
+neutron::plugins::ml2::notify_interval: 10
+neutron::plugins::ml2::firewall_driver: 'neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver'
+
+neutron::bgp::bgp_speaker_driver: 'neutron_dynamic_routing.services.bgp.agent.driver.ryu.driver.RyuBgpDriver'
+
+neutron::services::bgpvpn::service_providers:
+ - 'BGPVPN:DynamicRoutingBGPVPNDriver:networking_bgpvpn.neutron.services.service_drivers.neutron_dynamic_routing.dr.DynamicRoutingBGPVPNDriver:default'
+
+
+# ceilometer
+ceilometer::metering_time_to_live: 86400
+
+ceilometer::api::enabled: false
+ceilometer::api::service_name: 'openstack-ceilometer-api'
+
+ceilometer::db::database_idle_timeout: 60
+ceilometer::db::database_max_pool_size: 1
+ceilometer::db::database_max_overflow: 10
+
+ceilometer::collector::enabled: false
+ceilometer::collector::meter_dispatchers: ['database']
+
+ceilometer::agent::notification::enabled: false
+ceilometer::agent::notification::disable_non_metric_meters: false
+
+ceilometer::agent::polling::central_namespace: true
+ceilometer::agent::polling::compute_namespace: false
+ceilometer::agent::polling::ipmi_namespace: true
+
+ceilometer::expirer::minute: 1
+ceilometer::expirer::hour: '*'
+ceilometer::expirer::monthday: '*'
+
+
+# aodh
+aodh::use_syslog: true
+aodh::log_facility: 'local2'
+aodh::database_idle_timeout: 60
+aodh::database_max_pool_size: 1
+aodh::database_max_overflow: 10
+aodh::alarm_history_time_to_live: 86400
+
+aodh::auth::auth_endpoint_type: 'internalURL'
+
+aodh::db::sync::user: 'root'
+
+aodh::api::enabled: false
+aodh::api::service_name: 'openstack-aodh-api'
+aodh::api::enable_proxy_headers_parsing: true
+
+aodh::notifier::enabled: false
+aodh::evaluator::enabled: false
+aodh::listener::enabled: false
+
+# panko
+openstack::panko::params::event_time_to_live: 86400
+
+panko::api::enabled: false
+panko::api::service_name: 'openstack-panko-api'
+panko::api::enable_proxy_headers_parsing: true
+
+panko::db::database_idle_timeout: 60
+panko::db::database_max_pool_size: 1
+panko::db::database_max_overflow: 10
+
+panko::logging::use_syslog: true
+panko::logging::syslog_log_facility: 'local2'
+
+# cinder
+cinder::use_syslog: true
+cinder::log_facility: 'local2'
+cinder::database_idle_timeout: 60
+cinder::database_max_pool_size: 1
+cinder::database_max_overflow: 50
+cinder::rpc_response_timeout: 180
+cinder::backend_host: 'controller'
+cinder::image_conversion_dir: '/opt/img-conversions/cinder'
+
+
+cinder::api::nova_catalog_info: 'compute:nova:internalURL'
+cinder::api::nova_catalog_admin_info: 'compute:nova:adminURL'
+cinder::api::enable_proxy_headers_parsing: true
+
+cinder::ceilometer::notification_driver: 'messaging'
+
+cinder::scheduler::enabled: false
+cinder::volume::enabled: false
+
+
+# heat
+heat::use_syslog: true
+heat::log_facility: 'local6'
+heat::database_idle_timeout: 60
+heat::database_max_pool_size: 1
+heat::database_max_overflow: 15
+heat::enable_proxy_headers_parsing: true
+heat::heat_clients_insecure: true
+
+heat::api::enabled: false
+heat::api_cfn::enabled: false
+heat::api_cloudwatch::enabled: false
+
+heat::engine::enabled: false
+heat::engine::deferred_auth_method: 'trusts'
+# trusts_delegated_roles is set to empty list so all users can use heat
+heat::engine::trusts_delegated_roles: []
+heat::engine::action_retry_limit: 1
+heat::engine::max_resources_per_stack: -1
+heat::engine::convergence_engine: false
+
+heat::keystone::domain::domain_name: 'heat'
+
+heat::keystone::auth_cfn::configure_user: false
+heat::keystone::auth_cfn::configure_user_role: false
+
+# Murano
+murano::db::postgresql::encoding: 'UTF8'
+murano::use_syslog: true
+murano::log_facility: 'local2'
+murano::debug: 'False'
+murano::engine::manage_service: true
+murano::engine::enabled: false
+openstack::murano::params::tcp_listen_options: '[binary,
+ {packet,raw},
+ {reuseaddr,true},
+ {backlog,128},
+ {nodelay,true},
+ {linger,{true,0}},
+ {exit_on_close,false},
+ {keepalive,true}]'
+openstack::murano::params::rabbit_tcp_listen_options:
+ '[binary,
+ {packet, raw},
+ {reuseaddr, true},
+ {backlog, 128},
+ {nodelay, true},
+ {linger, {true, 0}},
+ {exit_on_close, false}]'
+
+# SSL parameters
+# this cipher list is taken from any cipher that is supported by rabbitmq and
+# is currently in either lighttpd or haproxy's cipher lists
+# constructed on 2017-04-05
+openstack::murano::params::rabbit_cipher_list: ["AES128-GCM-SHA256",
+ "AES128-SHA",
+ "AES128-SHA256",
+ "AES256-GCM-SHA384",
+ "AES256-SHA",
+ "AES256-SHA256",
+ "DHE-DSS-AES128-GCM-SHA256",
+ "DHE-DSS-AES128-SHA256",
+ "DHE-DSS-AES256-GCM-SHA384",
+ "DHE-DSS-AES256-SHA256",
+ "DHE-RSA-AES128-GCM-SHA256",
+ "DHE-RSA-AES128-SHA256",
+ "DHE-RSA-AES256-GCM-SHA384",
+ "DHE-RSA-AES256-SHA256",
+ "ECDH-ECDSA-AES128-GCM-SHA256",
+ "ECDH-ECDSA-AES128-SHA256",
+ "ECDH-ECDSA-AES256-GCM-SHA384",
+ "ECDH-ECDSA-AES256-SHA384",
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ 
"ECDHE-ECDSA-AES128-SHA256", + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-ECDSA-AES256-SHA384", + "ECDHE-RSA-AES128-GCM-SHA256", + "ECDHE-RSA-AES128-SHA", + "ECDHE-RSA-AES128-SHA256", + "ECDHE-RSA-AES256-GCM-SHA384", + "ECDHE-RSA-AES256-SHA", + "ECDHE-RSA-AES256-SHA384", + "ECDH-RSA-AES128-GCM-SHA256", + "ECDH-RSA-AES128-SHA256", + "ECDH-RSA-AES256-GCM-SHA384", + "ECDH-RSA-AES256-SHA384"] + +# Magnum +magnum::logging::use_syslog: true +magnum::logging::log_facility: 'local2' +magnum::logging::debug: 'False' +magnum::db::postgresql::encoding: 'UTF8' +magnum::notification_driver: 'messagingv2' +magnum::conductor::enabled: false +magnum::password_symbols: '23456789,ABCDEFGHJKLMNPQRSTUVWXYZ,abcdefghijkmnopqrstuvwxyz,!@#$%^&*()<>{}+' +magnum::certificates::cert_manager_type: 'x509keypair' +magnum::clients::endpoint_type: 'internalURL' + +# Ironic +ironic::use_syslog: true +ironic::logging::log_facility: 'local2' +ironic::db::postgresql::encoding: 'UTF8' +ironic::logging::debug: false +ironic::api::enabled: false +ironic::conductor::enabled: false +ironic::conductor::enabled_drivers: ['pxe_ipmitool','pxe_ipmitool_socat'] +ironic::conductor::automated_clean: true +ironic::conductor::default_boot_option: 'local' +ironic::drivers::pxe::images_path: '/opt/img-conversions/ironic/images/' +ironic::drivers::pxe::instance_master_path: '/opt/img-conversions/ironic/master_images' + +# Dcorch +dcorch::use_syslog: true +dcorch::log_facility: 'local2' +dcorch::debug: false + +# Dcmanager +dcmanager::use_syslog: true +dcmanager::log_facility: 'local2' +dcmanager::debug: false diff --git a/puppet-manifests/src/hieradata/global.yaml b/puppet-manifests/src/hieradata/global.yaml new file mode 100644 index 000000000..403720fd1 --- /dev/null +++ b/puppet-manifests/src/hieradata/global.yaml 
@@ -0,0 +1,92 @@
+# global default configuration data (applicable to all personalities)
+---
+classes: []
+
+# platform
+platform::params::controller_hostname: controller
+platform::params::controller_0_hostname: controller-0
+platform::params::controller_1_hostname: controller-1
+platform::params::pxeboot_hostname: pxecontroller
+
+platform::amqp::auth_user: guest
+
+platform::users::params::wrsroot_password_max_age: 45
+
+
+# sysinv
+sysinv::database_idle_timeout: 60
+sysinv::database_max_overflow: 64
+sysinv::database_max_pool_size: 1
+sysinv::use_syslog: true
+sysinv::verbose: true
+sysinv::log_facility: 'local6'
+
+
+# neutron
+neutron::state_path: '/var/run/neutron'
+neutron::lock_path: '/var/run/neutron/lock'
+neutron::root_helper: 'sudo'
+neutron::host_driver: 'neutron.plugins.wrs.drivers.host.DefaultHostDriver'
+neutron::fm_driver: 'neutron.plugins.wrs.drivers.fm.DefaultFmDriver'
+
+neutron::logging::use_syslog: true
+neutron::logging::syslog_log_facility: 'local2'
+neutron::logging::log_dir: false
+neutron::logging::verbose: false
+neutron::logging::debug: false
+
+neutron::core_plugin: 'ml2'
+neutron::service_plugins:
+ - 'router'
+neutron::allow_overlapping_ips: true
+neutron::vlan_transparent: true
+neutron::pnet_audit_enabled: true
+
+neutron::verbose: false
+neutron::root_helper: 'sudo'
+neutron::log_dir: false
+neutron::use_syslog: true
+neutron::host_driver: 'neutron.plugins.wrs.drivers.host.DefaultHostDriver'
+neutron::fm_driver: 'neutron.plugins.wrs.drivers.fm.DefaultFmDriver'
+neutron::vlan_transparent: true
+neutron::state_path: '/var/run/neutron'
+neutron::lock_path: '/var/run/neutron/lock'
+neutron::notification_driver: ['messagingv2']
+neutron::dns_domain: 'openstacklocal'
+
+
+# nova
+nova::use_syslog: true
+nova::debug: false
+nova::log_facility: 'local6'
+nova::notification_driver: 'messagingv2'
+nova::notify_on_state_change: 'vm_and_task_state'
+nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL'
+nova::notify_on_state_change: 'vm_and_task_state'
+
+nova::database_idle_timeout: 60
+nova::database_max_pool_size: 1
+nova::database_max_overflow: 64
+
+
+# Set number of block device allocate retries and interval
+# for volume create when VM boots and creates a new volume.
+# The total block allocate retries time is set to 2 hours
+# to satisfy the volume allocation time on slow RPM disks
+# which may take 1 hour and a half per volume when several
+# volumes are created in parallel.
+nova::block_device_allocate_retries: 2400
+nova::block_device_allocate_retries_interval: 3
+
+nova::disk_allocation_ratio: 1.0
+nova::cpu_allocation_ratio: 16.0
+nova::ram_allocation_ratio: 1.0
+
+# require Nova Placement to use the internal endpoint only
+nova::placement::os_interface: 'internal'
+
+
+# ceilometer
+ceilometer::telemetry_secret: ''
+ceilometer::use_syslog: true
+ceilometer::log_facility: 'local2'
diff --git a/puppet-manifests/src/hieradata/storage.yaml b/puppet-manifests/src/hieradata/storage.yaml
new file mode 100644
index 000000000..1a27d003f
--- /dev/null
+++ b/puppet-manifests/src/hieradata/storage.yaml
@@ -0,0 +1,7 @@
+# storage specific configuration data
+---
+
+# ceilometer
+ceilometer::agent::polling::central_namespace: false
+ceilometer::agent::polling::compute_namespace: false
+ceilometer::agent::polling::ipmi_namespace: true
diff --git a/puppet-manifests/src/manifests/bootstrap.pp b/puppet-manifests/src/manifests/bootstrap.pp
new file mode 100644
index 000000000..c53ac5a44
--- /dev/null
+++ b/puppet-manifests/src/manifests/bootstrap.pp
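Review bot: `neutron::root_helper: 'sudo'` (set twice in this hunk) configures a bare sudo root helper rather than the rootwrap wrapper OpenStack services normally use, so every privileged command neutron builds runs as root without a command filter; if that is intended here, a comment next to it such as `# bare sudo root helper: privilege is bounded only by the neutron sudoers entry, not by rootwrap filters` records the decision. `ceilometer::telemetry_secret: ''` leaves the secret used to sign metering samples empty, which appears to leave samples unsigned between publishers and collectors; a per-deployment value supplied through hiera would be preferable to a fixed empty string. The hunk also defines several keys twice (`neutron::root_helper`, `neutron::state_path`, `neutron::lock_path`, `neutron::host_driver`, `neutron::fm_driver`, `neutron::vlan_transparent`, `nova::notify_on_state_change`); YAML keeps whichever appears last, so they should be collapsed to a single definition each.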
@@ -0,0 +1,21 @@
+#
+# puppet manifest for controller initial bootstrap
+#
+
+Exec {
+ timeout => 600,
+ path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
+}
+
+include ::platform::config::bootstrap
+include ::platform::users::bootstrap
+include ::platform::ldap::bootstrap
+include ::platform::drbd::bootstrap
+include ::platform::postgresql::bootstrap
+include ::platform::amqp::bootstrap
+
+include ::openstack::keystone::bootstrap
+include ::openstack::client::bootstrap
+
+include ::platform::sysinv::bootstrap
+
diff --git a/puppet-manifests/src/manifests/compute.pp b/puppet-manifests/src/manifests/compute.pp
new file mode 100644
index 000000000..52f4c2e2a
--- /dev/null
+++ b/puppet-manifests/src/manifests/compute.pp
@@ -0,0 +1,50 @@
+#
+# puppet manifest for compute hosts
+#
+
+Exec {
+ timeout => 300,
+ path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
+}
+
+include ::platform::config
+include ::platform::users
+include ::platform::sysctl::compute
+include ::platform::dhclient
+include ::platform::partitions
+include ::platform::lvm::compute
+include ::platform::vswitch
+include ::platform::network
+include ::platform::fstab
+include ::platform::password
+include ::platform::ldap::client
+include ::platform::ntp::client
+include ::platform::lldp
+include ::platform::patching
+include ::platform::remotelogging
+include ::platform::mtce
+include ::platform::sysinv
+include ::platform::ceph
+include ::platform::devices
+
+include ::openstack::client
+include ::openstack::neutron
+include ::openstack::neutron::agents
+include ::openstack::nova
+include ::openstack::nova::compute
+include ::openstack::nova::storage
+include ::openstack::nova::network
+include ::openstack::nova::placement
+include ::openstack::ceilometer
+include ::openstack::ceilometer::polling
+
+class { '::platform::config::compute::post':
+ stage => post,
+}
+
+class { '::ovs_dpdk':
+ stage => post,
+}
+
+
+hiera_include('classes')
diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp
new file mode 100644
index 000000000..789f7d9ce
--- /dev/null
+++ b/puppet-manifests/src/manifests/controller.pp
@@ -0,0 +1,113 @@
+#
+# puppet manifest for controller hosts
+#
+
+Exec {
+ timeout => 600,
+ path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
+}
+
+include ::firewall
+
+include ::platform::config
+include ::platform::users
+include ::platform::sysctl::controller
+include ::platform::filesystem::controller
+include ::platform::firewall::oam
+include ::platform::dhclient
+include ::platform::partitions
+include ::platform::lvm::controller
+include ::platform::network
+include ::platform::drbd
+include ::platform::exports
+include ::platform::dns
+include ::platform::ldap::server
+include ::platform::ldap::client
+include ::platform::password
+include ::platform::ntp::server
+include ::platform::lldp
+include ::platform::amqp::rabbitmq
+include ::platform::postgresql::server
+include ::platform::haproxy::server
+
+include ::platform::patching
+include ::platform::patching::api
+
+include ::platform::remotelogging
+include ::platform::remotelogging::proxy
+
+include ::platform::sysinv
+include ::platform::sysinv::api
+include ::platform::sysinv::conductor
+
+include ::platform::mtce
+include ::platform::mtce::agent
+
+include ::platform::nfv
+include ::platform::nfv::api
+
+include ::platform::ceph
+include ::platform::ceph::monitor
+include ::platform::ceph::rgw
+
+include ::openstack::client
+include ::openstack::keystone
+include ::openstack::keystone::api
+
+include ::openstack::glance
+include ::openstack::glance::api
+
+include ::openstack::cinder
+include ::openstack::cinder::api
+
+include ::openstack::neutron
+include ::openstack::neutron::api
+include ::openstack::neutron::server
+
+include ::openstack::nova
+include ::openstack::nova::api
+include ::openstack::nova::network
+include ::openstack::nova::controller
+include ::openstack::nova::placement
+
+include ::openstack::ceilometer
+include ::openstack::ceilometer::api
+include ::openstack::ceilometer::collector
+include ::openstack::ceilometer::polling
+
+include ::openstack::aodh
+include ::openstack::aodh::api
+
+include ::openstack::panko
+include ::openstack::panko::api
+
+include ::openstack::heat
+include ::openstack::heat::api
+
+include ::openstack::horizon
+
+include ::openstack::murano
+include ::openstack::murano::api
+
+include ::openstack::magnum
+include ::openstack::magnum::api
+
+include ::openstack::ironic
+include ::openstack::ironic::api
+
+include ::platform::dcmanager
+include ::platform::dcmanager::manager
+include ::platform::dcmanager::api
+
+include ::platform::dcorch
+include ::platform::dcorch::engine
+include ::platform::dcorch::api_proxy
+include ::platform::dcorch::snmp
+
+include ::platform::sm
+
+class { '::platform::config::controller::post':
+ stage => post,
+}
+
+hiera_include('classes')
diff --git a/puppet-manifests/src/manifests/runtime.pp b/puppet-manifests/src/manifests/runtime.pp
new file mode 100644
index 000000000..325039a3b
--- /dev/null
+++ b/puppet-manifests/src/manifests/runtime.pp
@@ -0,0 +1,14 @@
+#
+# puppet manifest for runtime apply of configuration that executes a set of
+# tasks that have been identified to execute based on the specific configuration
+# change performed.
+#
+
+Exec {
+ timeout => 300,
+ path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
+}
+
+include ::platform::config
+
+hiera_include('classes')
diff --git a/puppet-manifests/src/manifests/storage.pp b/puppet-manifests/src/manifests/storage.pp
new file mode 100644
index 000000000..fa77b4b24
--- /dev/null
+++ b/puppet-manifests/src/manifests/storage.pp
@@ -0,0 +1,38 @@
+#
+# puppet manifest for storage hosts
+#
+
+Exec {
+ timeout => 300,
+ path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
+}
+
+include ::platform::config
+include ::platform::users
+include ::platform::sysctl::storage
+include ::platform::dhclient
+include ::platform::partitions
+include ::platform::lvm::storage
+include ::platform::network
+include ::platform::fstab
+include ::platform::password
+include ::platform::ldap::client
+include ::platform::ntp::client
+include ::platform::lldp
+include ::platform::patching
+include ::platform::remotelogging
+include ::platform::mtce
+include ::platform::sysinv
+
+include ::platform::ceph
+include ::platform::ceph::monitor
+include ::platform::ceph::storage
+
+include ::openstack::ceilometer
+include ::openstack::ceilometer::polling
+
+class { '::platform::config::storage::post':
+ stage => post,
+}
+
+hiera_include('classes')
diff --git a/puppet-manifests/src/manifests/upgrade.pp b/puppet-manifests/src/manifests/upgrade.pp
new file mode 100644
index 000000000..5183c2f7a
--- /dev/null
+++ b/puppet-manifests/src/manifests/upgrade.pp
@@ -0,0 +1,28 @@
+#
+# puppet manifest for upgrade
+#
+
+Exec {
+ timeout => 600,
+ path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
+}
+
+class { '::platform::params':
+ controller_upgrade => true,
+}
+
+include ::platform::users::upgrade
+include ::platform::postgresql::upgrade
+include ::platform::amqp::upgrade
+
+include ::openstack::keystone::upgrade
+include ::openstack::client::upgrade
+
+include ::platform::mtce::upgrade
+
+include ::openstack::murano::upgrade
+include ::openstack::ironic::upgrade
+
+include ::openstack::nova::upgrade
+
+include ::platform::drbd::upgrade
diff --git a/puppet-manifests/src/modules/openstack/manifests/aodh.pp b/puppet-manifests/src/modules/openstack/manifests/aodh.pp
new file mode 100644
index 000000000..a90ad8346
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/manifests/aodh.pp
@@ -0,0 +1,115 @@
+class openstack::aodh::params (
+ $api_port = 8042,
+ $region_name = undef,
+ $service_name = 'openstack-aodh',
+ $service_create = false,
+ $service_enabled = true,
+) { }
+
+
+class openstack::aodh
+ inherits ::openstack::aodh::params {
+
+ if $service_enabled {
+
+ include ::platform::params
+ include ::platform::amqp::params
+
+ include ::aodh::auth
+ include ::aodh::client
+ include ::aodh::evaluator
+ include ::aodh::notifier
+ include ::aodh::listener
+ include ::aodh::keystone::authtoken
+
+ if $::platform::params::init_database {
+ include ::aodh::db::postgresql
+ }
+
+ class { '::aodh':
+ rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
+ default_transport_url => $::platform::amqp::params::transport_url,
+ }
+
+ # WRS register aodh-expirer-active in cron to run daily at the 35 minute mark
+ cron { 'aodh-expirer':
+ ensure => 'present',
+ command => '/usr/bin/aodh-expirer-active',
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin',
+ minute => '35',
+ hour => '*/24',
+ user => 'root',
+ }
+ }
+}
+
+
+class openstack::aodh::firewall
+ inherits ::openstack::aodh::params {
+
+ platform::firewall::rule { 'aodh-api':
+ service_name => 'aodh',
+ ports => $api_port,
+ }
+}
+
+
+class openstack::aodh::haproxy
+ inherits ::openstack::aodh::params {
+
+ platform::haproxy::proxy { 'aodh-restapi':
+ server_name => 's-aodh-restapi',
+ public_port => $api_port,
+ private_port => $api_port,
+ }
+}
+
+
+class openstack::aodh::api
+ inherits ::openstack::aodh::params {
+ include ::platform::params
+
+ # The aodh user and service are always required and they
+ # are used by subclouds when the service itself is disabled
+ # on System Controller
+ # whether it creates the endpoint is determined by
+ # aodh::keystone::auth::configure_endpoint which is
+ # set via sysinv puppet
+ if ($::openstack::aodh::params::service_create and
+ $::platform::params::init_keystone) {
+ include ::aodh::keystone::auth
+ }
+
+ if $service_enabled {
+
+ include ::platform::network::mgmt::params
+ $api_host = $::platform::network::mgmt::params::controller_address
+ $url_host = $::platform::network::mgmt::params::controller_address_url
+
+ file { '/usr/share/aodh/aodh-api.conf':
+ ensure => file,
+ content => template('openstack/aodh-api.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ } ->
+ class { '::aodh::api':
+ host => $api_host,
+ sync_db => $::platform::params::init_database,
+ enable_proxy_headers_parsing => true,
+ }
+
+ include ::openstack::aodh::firewall
+ include ::openstack::aodh::haproxy
+ }
+}
+
+
+class openstack::aodh::runtime {
+ include ::platform::amqp::params
+
+ class { '::aodh':
+ rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
+ default_transport_url => $::platform::amqp::params::transport_url,
+ }
+}
diff --git a/puppet-manifests/src/modules/openstack/manifests/ceilometer.pp b/puppet-manifests/src/modules/openstack/manifests/ceilometer.pp
new file mode 100644
index 000000000..712db2c49
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/manifests/ceilometer.pp
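Review bot: `enable_proxy_headers_parsing => true` in the `::aodh::api` declaration makes the API trust `X-Forwarded-*` headers on any request that reaches `$api_host`, so the scheme and host it reports are only as trustworthy as the path to that bind address; the declaration should carry a comment stating the assumption, e.g. `# trusts X-Forwarded-* headers: the mgmt bind address must only be reachable through the haproxy front end`. The same setting is declared without such a note in `openstack::ceilometer::api` in the next hunk. Separately, the `aodh-expirer` cron sets `hour => '*/24'`, which over a 0-23 hour field resolves to hour 0 only; `hour => '0'` states the "daily" intent from the comment directly instead of relying on step wrap-around.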
@@ -0,0 +1,237 @@
+class openstack::ceilometer::params (
+ $api_port = 8777,
+ $region_name = undef,
+ $service_name = 'openstack-ceilometer',
+ $service_create = false,
+) { }
+
+
+class openstack::ceilometer {
+ include ::platform::amqp::params
+
+ class { '::ceilometer':
+ rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
+ default_transport_url => $::platform::amqp::params::transport_url,
+ rabbit_qos_prefetch_count => 100,
+ }
+
+ include ::ceilometer::agent::auth
+ include ::platform::params
+ include ::openstack::ceilometer::params
+ include ::openstack::cinder::params
+ include ::openstack::glance::params
+
+ # FIXME(mpeters): generic parameter can be moved to the puppet module
+ ceilometer_config {
+ 'DEFAULT/executor_thread_pool_size': value => 16;
+ 'DEFAULT/shuffle_time_before_polling_task': value => 30;
+ 'DEFAULT/batch_polled_samples': value => true;
+ 'oslo_messaging_rabbit/rpc_conn_pool_size': value => 10;
+ 'oslo_messaging_rabbit/socket_timeout': value => 1.00;
+ 'compute/resource_update_interval': value => 60;
+ 'service_credentials/os_endpoint_type': value => 'internalURL';
+ 'DEFAULT/region_name_for_services': value => $::openstack::ceilometer::params::region_name;
+ }
+
+ if $::platform::params::region_config {
+ if $::openstack::glance::params::region_name != $::platform::params::region_2_name {
+ $shared_service_glance = [$::openstack::glance::params::service_type]
+ } else {
+ $shared_service_glance = []
+ }
+ # skip the check if cinder region name has not been configured
+ if ($::openstack::cinder::params::region_name != undef and
+ $::openstack::cinder::params::region_name != $::platform::params::region_2_name) {
+ $shared_service_cinder = [$::openstack::cinder::params::service_type,
+ $::openstack::cinder::params::service_type_v2,
+ $::openstack::cinder::params::service_type_v3]
+ } else {
+ $shared_service_cinder = []
+ }
+ $shared_services = concat($shared_service_glance, $shared_service_cinder)
+ ceilometer_config {
+ 'DEFAULT/region_name_for_shared_services': value => $::platform::params::region_1_name;
+ 'DEFAULT/shared_services_types': value => join($shared_services,',');
+ }
+ }
+
+}
+
+
+class openstack::ceilometer::collector {
+ include ::platform::params
+
+ if $::platform::params::init_database {
+ include ::ceilometer::db::postgresql
+ }
+ include ::ceilometer::keystone::authtoken
+ include ::ceilometer::expirer
+
+ $cgcs_fs_directory = '/opt/cgcs'
+ $ceilometer_directory = "${cgcs_fs_directory}/ceilometer"
+ $ceilometer_directory_csv = "${ceilometer_directory}/csv"
+ $ceilometer_directory_versioned = "${ceilometer_directory}/${::platform::params::software_version}"
+
+ file { "${ceilometer_directory}":
+ ensure => 'directory',
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ } ->
+ file { "${ceilometer_directory_csv}":
+ ensure => 'directory',
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ } ->
+ file { "${ceilometer_directory_versioned}":
+ ensure => 'directory',
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ } ->
+ file { "${ceilometer_directory_versioned}/pipeline.yaml":
+ source => '/etc/ceilometer/controller.yaml',
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ class { '::ceilometer::db':
+ sync_db => $::platform::params::init_database,
+ }
+
+ include ::openstack::panko::params
+ if $::openstack::panko::params::service_enabled {
+ $event_dispatcher = ['panko']
+ } else {
+ $event_dispatcher = undef
+ }
+
+ class { '::ceilometer::collector':
+ collector_workers => $::platform::params::eng_workers_by_2,
+ event_dispatchers => $event_dispatcher
+ }
+
+ class { '::ceilometer::agent::notification':
+ notification_workers => $::platform::params::eng_workers_by_2,
+ }
+
+ # FIXME(mpeters): generic parameter can be moved to the puppet module
+ ceilometer_config {
+ 'DEFAULT/csv_location': value => "${ceilometer_directory_csv}";
+ 'DEFAULT/csv_location_strict': value => true;
+ 'service_credentials/interface': value => 'internalURL';
+ 'notification/batch_size': value => 100;
+ 'notification/batch_timeout': value => 5;
+ }
+}
+
+
+class openstack::ceilometer::polling {
+ include ::platform::params
+
+ if $::personality == 'controller' {
+ $central_namespace = true
+ } else {
+ $central_namespace = false
+ }
+
+ if str2bool($::disable_compute_services) {
+ $agent_enable = false
+ $compute_namespace = false
+
+ file { '/etc/pmon.d/ceilometer-polling.conf':
+ ensure => absent,
+ }
+ } else {
+ $agent_enable = true
+
+ if str2bool($::is_compute_subfunction) {
+ $pmon_target = "/etc/ceilometer/ceilometer-polling-compute.conf.pmon"
+ $compute_namespace = true
+ } else {
+ $pmon_target = "/etc/ceilometer/ceilometer-polling.conf.pmon"
+ $compute_namespace = false
+ }
+
+ file { "/etc/pmon.d/ceilometer-polling.conf":
+ ensure => link,
+ target => $pmon_target,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+ }
+
+ class { '::ceilometer::agent::polling':
+ enabled => $agent_enable,
+ central_namespace => $central_namespace,
+ compute_namespace => $compute_namespace,
+ }
+}
+
+
+class openstack::ceilometer::firewall
+ inherits ::openstack::ceilometer::params {
+
+ platform::firewall::rule { 'ceilometer-api':
+ service_name => 'ceilometer',
+ ports => $api_port,
+ }
+}
+
+
+class openstack::ceilometer::haproxy
+ inherits ::openstack::ceilometer::params {
+
+ platform::haproxy::proxy { 'ceilometer-restapi':
+ server_name => 's-ceilometer',
+ public_port => $api_port,
+ private_port => $api_port,
+ }
+}
+
+
+class openstack::ceilometer::api
+ inherits ::openstack::ceilometer::params {
+
+ include ::platform::params
+ $api_workers = $::platform::params::eng_workers_by_2
+
+ include ::platform::network::mgmt::params
+ $api_host = $::platform::network::mgmt::params::controller_address
+ $url_host = $::platform::network::mgmt::params::controller_address_url
+
+ if ($::openstack::ceilometer::params::service_create and
+ $::platform::params::init_keystone) {
+ include ::ceilometer::keystone::auth
+ }
+
+ file { '/usr/share/ceilometer/ceilometer-api.conf':
+ ensure => file,
+ content => template('openstack/ceilometer-api.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ } ->
+ class { '::ceilometer::api':
+ host => $api_host,
+ api_workers => $api_workers,
+ enable_proxy_headers_parsing => true,
+ }
+
+ include ::openstack::ceilometer::firewall
+ include ::openstack::ceilometer::haproxy
+}
+
+
+class openstack::ceilometer::runtime {
+ include ::platform::amqp::params
+
+ class { '::ceilometer':
+ rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
+ default_transport_url => $::platform::amqp::params::transport_url,
+ }
+}
diff --git a/puppet-manifests/src/modules/openstack/manifests/cinder.pp b/puppet-manifests/src/modules/openstack/manifests/cinder.pp
new file mode 100644
index 000000000..282f5956f
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/manifests/cinder.pp
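Review bot: In `openstack::ceilometer::collector` the `pipeline.yaml` file resource puts `source` before `ensure`; Puppet style lists `ensure` first so the desired state is visible before the details, i.e. move `ensure => 'file',` above `source => '/etc/ceilometer/controller.yaml',`. The same class wraps bare variables in double quotes (`"${ceilometer_directory}"` and friends as file titles, `"${ceilometer_directory_csv}"` in `ceilometer_config`) where `$ceilometer_directory` and `$ceilometer_directory_csv` on their own suffice. In `openstack::ceilometer::polling` the two `$pmon_target` values and the `"/etc/pmon.d/ceilometer-polling.conf"` title are double-quoted literals with no interpolation and can be single-quoted, matching the `absent` branch just above them.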
@@ -0,0 +1,748 @@ +# TODO (rchurch): Make sure all includes have the correct global scope +class openstack::cinder::params ( + $service_enabled = false, + $api_port = 8776, + $api_proxy_port = 28776, + $region_name = undef, + $service_name = 'openstack-cinder', + $service_type = 'volume', + $service_type_v2 = 'volumev2', + $service_type_v3 = 'volumev3', + $configure_endpoint = true, + $enabled_backends = [], + $cinder_address = undef, + $cinder_directory = '/opt/cgcs/cinder', + $cinder_image_conversion_dir = '/opt/img-conversions/cinder', + $cinder_device = '', + $cinder_size = undef, + $cinder_fs_device = '/dev/drbd4', + $cinder_vg_name = 'cinder-volumes', + $drbd_resource = 'drbd-cinder', + $iscsi_ip_address = undef, + # Flag files + $initial_cinder_config_flag = "${::platform::params::config_path}/.initial_cinder_config_complete", + $initial_cinder_lvm_config_flag = "${::platform::params::config_path}/.initial_cinder_lvm_config_complete", + $initial_cinder_ceph_config_flag = "${::platform::params::config_path}/.initial_cinder_ceph_config_complete", + $node_cinder_lvm_config_flag = '/etc/platform/.node_cinder_lvm_config_complete', + $node_cinder_ceph_config_flag = '/etc/platform/.node_cinder_ceph_config_complete', + ) { + $cinder_disk = regsubst($cinder_device, '-part\d+$', '') + + # Take appropriate actions based on the service states defined by: + # - $is_initial_cinder => first time ever when cinder is configured; + # - $is_initial_cinder_lvm => first time ever when LVM cinder is configured on the system; + # - $is_initial_cinder_ceph => first time ever when Ceph cinder is configured on the system; + # - $is_node_cinder_lvm => cinder LVM is configured/reconfigured on a node; + # - $is_node_cinder_ceph => cinder Ceph is configured/reconfigured on a node. + # These states are dependent on two aspects: + # 1. 
A flag file present on the disk either in: + # - DRBD synced /opt/platform, for system flags or in + # - local folder /etc/platform, for node specific flags + # 2. Controller standby or active state. Sometimes manifests are applied at the same time on both + # controllers with most configuration happenning on the active node and minimal on the standby. + if $service_enabled { + # Check if this is the first time we ever configure cinder on this system + if str2bool($::is_controller_active) and str2bool($::is_initial_cinder_config) { + $is_initial_cinder = true + } else { + $is_initial_cinder = false + } + + if 'lvm' in $enabled_backends { + # Check if this is the first time we ever configure LVM on this system + if str2bool($::is_controller_active) and str2bool($::is_initial_cinder_lvm_config) { + $is_initial_cinder_lvm = true + } else { + $is_initial_cinder_lvm = false + } + # Check if we should configure/reconfigure cinder LVM for this node. + # True in case of node reinstalls, device replacements, reconfigurations etc. + if str2bool($::is_node_cinder_lvm_config) { + $is_node_cinder_lvm = true + } else { + $is_node_cinder_lvm = false + } + } else { + $is_initial_cinder_lvm = false + $is_node_cinder_lvm = false + } + + if 'ceph' in $enabled_backends { + # Check if this is the first time we ever configure Ceph on this system + if str2bool($::is_controller_active) and str2bool($::is_initial_cinder_ceph_config) { + $is_initial_cinder_ceph = true + } else { + $is_initial_cinder_ceph = false + } + # Check if we should configure/reconfigure cinder LVM for this node. + # True in case of node reinstalls etc. 
+ if str2bool($::is_node_cinder_ceph_config) { + $is_node_cinder_ceph = true + } else { + $is_node_cinder_ceph = false + } + } else { + $is_initial_cinder_ceph = false + $is_node_cinder_ceph = false + } + + # Cinder needs to be running on initial configuration of either Ceph or LVM + if str2bool($::is_controller_active) and ($is_initial_cinder_lvm or $is_initial_cinder_ceph) { + $enable_cinder_service = true + } else { + $enable_cinder_service = false + } + + } else { + $is_initial_cinder = false + $is_initial_cinder_lvm = false + $is_node_cinder_lvm = false + $is_initial_cinder_ceph = false + $is_node_cinder_ceph = false + $enable_cinder_service = false + } +} + +# Called from controller manifest +class openstack::cinder + inherits ::openstack::cinder::params { + + # TODO (rchurch): This will create the cinder DB on a system that may never run cinder. This make sense? + #if $is_initial_cinder { + if $::platform::params::init_database { + include platform::postgresql::server + include ::cinder::db::postgresql + } + + # TODO (rchurch): Make this happen after config_controller? 
If we do that we should + # exec 'cinder-manage db sync' as root instead of 'cinder' user + #if $is_initial_cinder { + if str2bool($::is_initial_config_primary) { + include ::cinder::db::sync + } + + include ::platform::params + include ::platform::amqp::params + + include ::platform::network::mgmt::params + $controller_address = $::platform::network::mgmt::params::controller_address + + group { 'cinder': + ensure => 'present', + gid => '165', + } + + user { 'cinder': + ensure => 'present', + comment => 'OpenStack Cinder Daemons', + gid => '165', + groups => ['nobody', 'cinder', $::platform::params::protected_group_name], + home => '/var/lib/cinder', + password => '!!', + password_max_age => '-1', + password_min_age => '-1', + shell => '/sbin/nologin', + uid => '165', + } + + if $service_enabled { + file { "${cinder_directory}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + file { "${cinder_image_conversion_dir}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + file { "${cinder_directory}/data": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } + } else { + file { "${cinder_directory}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + file { "${cinder_directory}/data": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } + } + + class { '::cinder': + rabbit_use_ssl => $::platform::amqp::params::ssl_enabled, + default_transport_url => $::platform::amqp::params::transport_url, + } + + include ::cinder::keystone::authtoken + include ::cinder::scheduler + include ::cinder::client + include ::cinder::volume + include ::cinder::ceilometer + include ::cinder::glance + + include ::openstack::cinder::backends + + # TODO(mpeters): move to puppet module formal parameters + cinder_config { + 'DEFAULT/my_ip': value => $controller_address; + 'DEFAULT/state_path': value => 
"${cinder_directory}/data"; + # Reduce the number of RPCs that can be handled in parallel from the the + # default of 64. Doing too much at once (e.g. creating volumes) results + # in a lot of thrashing and operations time out. + # Liberty renamed this from rpc_thread_pool_size to executor_thread_pool_size + 'DEFAULT/executor_thread_pool_size': value => '32'; + } + + # Run cinder-manage to purge deleted rows daily at the 30 minute mark + cron { 'cinder-purge-deleted': + ensure => 'present', + command => '/usr/bin/cinder-purge-deleted-active', + environment => 'PATH=/bin:/usr/bin:/usr/sbin', + minute => '30', + hour => '*/24', + user => 'root', + } +} + +class openstack::cinder::backends::san + inherits ::openstack::cinder::params { + include ::openstack::cinder::emc_vnx + include ::openstack::cinder::hpe3par + include ::openstack::cinder::hpelefthand + } + +class openstack::cinder::backends + inherits ::openstack::cinder::params { + + class { '::cinder::backends': + enabled_backends => $enabled_backends + } + + if 'lvm' in $enabled_backends { + include ::openstack::cinder::lvm + } + + if 'ceph' in $enabled_backends { + include ::openstack::cinder::backends::ceph + } + + include openstack::cinder::backends::san +} + +class openstack::cinder::lvm::filesystem::drbd ( + $device = '/dev/drbd4', + $lv_name = 'cinder-lv', + $mountpoint = '/opt/cinder', + $port = '7792', + $vg_name = 'cinder-volumes', + $drbd_handoff = true, +) inherits ::openstack::cinder::params { + + include ::platform::drbd::params + include ::platform::drbd::cgcs::params + + if str2bool($::is_primary_disk_rotational) { + $resync_after = $::platform::drbd::cgcs::params::resource_name + } else { + $resync_after = undef + } + + if str2bool($::is_controller_active) { + $ha_primary = true + $initial_setup = true + $service_enable = true + $service_ensure = "running" + } else { + $ha_primary = false + $initial_setup = false + $service_enable = false + $service_ensure = "stopped" + } + + if 
$is_node_cinder_lvm { + + # prepare disk for drbd + file { '/etc/udev/mount.blacklist': + ensure => present, + mode => '0644', + owner => 'root', + group => 'root', + } -> + file_line { 'blacklist ${cinder_disk} automount': + ensure => present, + line => $cinder_disk, + path => '/etc/udev/mount.blacklist', + } + } + + drbd::resource { $drbd_resource: + disk => "\"${cinder_device}\"", + port => $port, + device => $device, + mountpoint => $mountpoint, + handlers => { + before-resync-target => + "/usr/local/sbin/sm-notify -s ${drbd_resource} -e sync-start", + after-resync-target => + "/usr/local/sbin/sm-notify -s ${drbd_resource} -e sync-end", + }, + host1 => $::platform::drbd::params::host1, + host2 => $::platform::drbd::params::host2, + ip1 => $::platform::drbd::params::ip1, + ip2 => $::platform::drbd::params::ip2, + manage => $is_node_cinder_lvm, + ha_primary => $ha_primary, + initial_setup => $initial_setup, + automount => $::platform::drbd::params::automount, + fs_type => $::platform::drbd::params::fs_type, + link_util => $::platform::drbd::params::link_util, + link_speed => $::platform::drbd::params::link_speed, + num_parallel => $::platform::drbd::params::num_parallel, + rtt_ms => $::platform::drbd::params::rtt_ms, + cpumask => $::platform::drbd::params::cpumask, + resync_after => $resync_after, + require => [ Class['::platform::partitions'], File_line['final filter: update lvm global_filter'] ] + } + + if $is_initial_cinder_lvm { + physical_volume { $device: + ensure => present, + require => Drbd::Resource[$drbd_resource] + } -> + volume_group { $vg_name: + ensure => present, + physical_volumes => $device, + } -> + # Create an initial LV, because the LVM ocf resource does not work with + # an empty VG. + logical_volume { 'anchor-lv': + ensure => present, + volume_group => $vg_name, + size => '1M', + size_is_minsize => true, + } -> + # Deactivate the VG now. If this isn't done, it prevents DRBD from + # being stopped later by the SM. 
+ exec { 'Deactivate VG': + command => "vgchange -a ln ${vg_name}", + } -> + # Make sure the primary resource is in the correct state so that on swact to + # controller-1 sm has the resource in an acceptable state to become managed + # and primary. But, if this primary is a single controller we will restart + # SM so keep it primary + + # TODO (rchurch): fix up the drbd_handoff logic. + exec { 'Set $drbd_resource role': + command => str2bool($drbd_handoff) ? {true => "drbdadm secondary ${drbd_resource}", default => '/bin/true'}, + unless => "drbdadm role ${drbd_resource} | egrep '^Secondary'", + } + } +} + + +class openstack::cinder::lvm( + $lvm_type = 'thin', +) inherits ::openstack::cinder::params { + +# if $::platform::params::system_mode != 'simplex' { +# include ::openstack::cinder::lvm::filesystem::drbd +# } else { +# include ::openstack::cinder::lvm::filesystem::simplex +# } + include ::openstack::cinder::lvm::filesystem::drbd + + file_line { 'snapshot_autoextend_threshold': + path => '/etc/lvm/lvm.conf', + match => '^\s*snapshot_autoextend_threshold +=.*', + line => ' snapshot_autoextend_threshold = 80', + } + + file_line { 'snapshot_autoextend_percent': + path => '/etc/lvm/lvm.conf', + match => '^\s*snapshot_autoextend_percent +=.*', + line => ' snapshot_autoextend_percent = 20', + } + + file { "${cinder_directory}/iscsi-target": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + require => File[$cinder_directory], + } -> + file { "${cinder_directory}/iscsi-target/saveconfig.json": + ensure => 'present', + owner => 'root', + group => 'root', + mode => '0600', + content => '{ + "fabric_modules": [], + "storage_objects": [], + "targets": [] + }', + } + + if $lvm_type == 'thin' { + $iscsi_lvm_config = { + 'lvm/iscsi_target_flags' => {'value' => 'direct'}, + 'lvm/lvm_type' => {'value' => 'thin'}, + 'DEFAULT/max_over_subscription_ratio' => {'value' => 1.0} + } + } else { + $iscsi_lvm_config = { + 'lvm/iscsi_target_flags' => 
{'value' => 'direct'}, + 'lvm/lvm_type' => {'value' => 'default'}, + 'lvm/volume_clear' => {'value' => 'none'} + } + } + + cinder::backend::iscsi { 'lvm': + iscsi_ip_address => $iscsi_ip_address, + extra_options => $iscsi_lvm_config , + volumes_dir => "${cinder_directory}/data/volumes", + } +} + +define openstack::cinder::backend::ceph( + $backend_enabled = false, + $backend_name, + $rbd_user = 'cinder', + $rbd_pool +) { + + if $backend_enabled { + cinder::backend::rbd {$backend_name: + backend_host => '$host', + rbd_pool => $rbd_pool, + rbd_user => $rbd_user, + } + } else { + cinder_config { + "${backend_name}/volume_backend_name": ensure => absent; + "${backend_name}/volume_driver": ensure => absent; + "${backend_name}/backend_host": ensure => absent; + "${backend_name}/rbd_ceph_conf": ensure => absent; + "${backend_name}/rbd_pool": ensure => absent; + } + } +} + + +class openstack::cinder::backends::ceph ( + $ceph_backend_configs = {} +) inherits ::openstack::cinder::params { + create_resources('openstack::cinder::backend::ceph', $ceph_backend_configs) +} + + +class openstack::cinder::emc_vnx( + $feature_enabled, + $config_params +) inherits ::openstack::cinder::params { + create_resources('cinder_config', hiera_hash('openstack::cinder::emc_vnx::config_params', {})) + + if $feature_enabled { + $scsi_id_ensure = 'link' + } else { + $scsi_id_ensure = 'absent' + } + + #TODO(rchurch): Evaluate this with Pike... Still needed? + # During creating EMC cinder bootable volume, linuxscsi.py in + # python2-os-brick-1.1.0-1.el7.noarch invokes "scsi_id" command and + # fails as "scsi_id" is not in the search PATH. So create a symlink + # here. The fix is already in the later version of os-brick. We + # can remove this code when python2-os-brick is upgraded. 
+ file { '/usr/bin/scsi_id': + ensure => $scsi_id_ensure, + owner => 'root', + group => 'root', + target => '/lib/udev/scsi_id', + } +} + + +class openstack::cinder::hpe3par( + $feature_enabled, + $config_params +) inherits ::openstack::cinder::params { + create_resources('cinder_config', hiera_hash('openstack::cinder::hpe3par::config_params', {})) + + # As HP SANs are addon PS supported options, make sure we have explicit + # logging showing this is being included when the feature is enabled. + if $feature_enabled { + exec {'Including hpe3par configuration': + path => [ '/usr/bin', '/usr/sbin', '/bin', '/sbin' ], + command => 'echo Including hpe3par configuration', + } + } +} + + +class openstack::cinder::hpelefthand( + $feature_enabled, + $config_params +) inherits ::openstack::cinder::params { + create_resources('cinder_config', hiera_hash('openstack::cinder::hpelefthand::config_params', {})) + + # As HP SANs are addon PS supported options, make sure we have explicit + # logging showing this is being included when the feature is enabled. 
+ if $feature_enabled { + exec {'Including hpelefthand configuration': + path => [ '/usr/bin', '/usr/sbin', '/bin', '/sbin' ], + command => 'echo Including hpelefthand configuration', + } + } +} + + +class openstack::cinder::firewall + inherits ::openstack::cinder::params { + + if $service_enabled { + platform::firewall::rule { 'cinder-api': + service_name => 'cinder', + ports => $api_port, + } + } +} + + +class openstack::cinder::haproxy + inherits ::openstack::cinder::params { + + if $service_enabled { + platform::haproxy::proxy { 'cinder-restapi': + server_name => 's-cinder', + public_port => $api_port, + private_port => $api_port, + } + } +} + + +define openstack::cinder::api::backend( + $type_enabled = false, + $type_name, + $backend_name +) { + # Run it on the active controller, otherwise the prefetch step tries to query + # cinder and can fail + if str2bool($::is_controller_active) { + if $type_enabled { + cinder_type { $type_name: + ensure => present, + properties => ["volume_backend_name=${backend_name}"] + } + } else { + cinder_type { $type_name: + ensure => absent + } + } + } +} + +class openstack::cinder::api::backends( + $ceph_type_configs = {} +) inherits ::openstack::cinder::params { + + # Only include cinder_type the first time an lvm or ceph backend is + # initialized + if $is_initial_cinder_lvm { + ::openstack::cinder::api::backend { 'lvm-store': + type_enabled => true, + type_name => 'iscsi', + backend_name => 'lvm' + } + } + + # Add/Remove any additional cinder ceph tier types + create_resources('openstack::cinder::api::backend', $ceph_type_configs) + + # Add SAN volume types here when/if required +} + + +# Called from the controller manifest +class openstack::cinder::api( + $default_volume_type = $::os_service_default +) inherits ::openstack::cinder::params { + + include ::platform::params + $api_workers = $::platform::params::eng_workers + + include ::platform::network::mgmt::params + $api_host = 
$::platform::network::mgmt::params::controller_address + + $upgrade = $::platform::params::controller_upgrade + if $service_enabled and (str2bool($::is_controller_active) or $upgrade) { + include ::cinder::keystone::auth + if $::platform::params::distributed_cloud_role =='systemcontroller' { + include ::dcorch::keystone::auth + include ::platform::dcorch::firewall + include ::platform::dcorch::haproxy + } + } + + class { '::cinder::api': + bind_host => $api_host, + service_workers => $api_workers, + sync_db => $::platform::params::init_database, + enabled => str2bool($enable_cinder_service), + default_volume_type => $default_volume_type + } + + if $::openstack::cinder::params::configure_endpoint { + include ::openstack::cinder::firewall + include ::openstack::cinder::haproxy + } + include ::openstack::cinder::api::backends + + class { '::openstack::cinder::pre': + stage => pre + } + + class { '::openstack::cinder::post': + stage => post + } +} + +class openstack::cinder::pre { + include ::openstack::cinder::params + $enabled = str2bool($::openstack::cinder::params::enable_cinder_service) + if $::platform::params::distributed_cloud_role =='systemcontroller' and $enabled { + # need to enable cinder-api-proxy in order to apply the cinder manifest + exec { 'Enable Dcorch Cinder API Proxy': + command => "systemctl enable dcorch-cinder-api-proxy; systemctl start dcorch-cinder-api-proxy", + } + } +} + +class openstack::cinder::post + inherits openstack::cinder::params { + + # Ensure that phases are marked as complete + if $is_initial_cinder { + file { $initial_cinder_config_flag: + ensure => present + } + } + + if $is_initial_cinder_lvm { + file { $initial_cinder_lvm_config_flag: + ensure => present + } + } + + if $is_initial_cinder_ceph { + file { $initial_cinder_ceph_config_flag: + ensure => present + } + } + + if $is_node_cinder_lvm { + file { $node_cinder_lvm_config_flag: + ensure => present + } + } + + if $is_node_cinder_ceph { + file { $node_cinder_ceph_config_flag: 
+ ensure => present + } + } + + # cinder-api needs to be running in order to apply the cinder manifest, + # however, it needs to be stopped/disabled to allow SM to manage the service. + # To allow for the transition it must be explicitly stopped. Once puppet + # can directly handle SM managed services, then this can be removed. + exec { 'Disable OpenStack - Cinder API': + command => "systemctl stop openstack-cinder-api; systemctl disable openstack-cinder-api", + require => Class['openstack::cinder'], + } + + if $::platform::params::distributed_cloud_role =='systemcontroller' { + # stop and disable the cinder api proxy to allow SM to manage the service + exec { 'Disable Dcorch Cinder API Proxy': + command => "systemctl stop dcorch-cinder-api-proxy; systemctl disable dcorch-cinder-api-proxy", + require => Class['openstack::cinder'], + } + } + + if $is_node_cinder_lvm { + exec { "Update cinder-volumes monitoring state to enabled": + command => "rmon_resource_notify --resource-name cinder-volumes --resource-type lvg --resource-state enabled --volume-group cinder-volume", + logoutput => true, + tries => 2, + try_sleep => 1, + returns => [ 0, 1 ], + } + } +} + + +class openstack::cinder::reload { + platform::sm::restart {'cinder-volume': } + platform::sm::restart {'cinder-scheduler': } + platform::sm::restart {'cinder-api': } +} + +# Called for runtime changes +class openstack::cinder::runtime + inherits ::openstack::cinder::params { + + include ::openstack::cinder + include ::openstack::cinder::api + + class { '::openstack::cinder::reload': + stage => post + } +} + +# Called for runtime changes on region +class openstack::cinder::endpoint::runtime { + if str2bool($::is_controller_active) { + include ::cinder::keystone::auth + } +} + +# Called for SAN backend runtime changes => cinder.conf only changes +class openstack::cinder::backends::san::runtime + inherits ::openstack::cinder::params { + class { '::cinder::backends': + enabled_backends => $enabled_backends + } + + 
include ::openstack::cinder::backends::san + + class { '::openstack::cinder::reload': + stage => post + } +} + + +# Called for rbd backend runtime changes +class openstack::cinder::backends::ceph::runtime + inherits ::openstack::cinder::params { + class { '::cinder::backends': + enabled_backends => $enabled_backends + } + + include ::openstack::cinder::backends::ceph + include ::openstack::cinder::api::backends + + class { '::openstack::cinder::reload': + stage => post + } +} diff --git a/puppet-manifests/src/modules/openstack/manifests/client.pp b/puppet-manifests/src/modules/openstack/manifests/client.pp new file mode 100644 index 000000000..b21889a76 --- /dev/null +++ b/puppet-manifests/src/modules/openstack/manifests/client.pp 
@@ -0,0 +1,78 @@ +class openstack::client::params ( + $admin_username, + $identity_auth_url, + $identity_region = 'RegionOne', + $identity_api_version = 3, + $admin_user_domain = 'Default', + $admin_project_domain = 'Default', + $admin_project_name = 'admin', + $keystone_identity_region = 'RegionOne', +) { } + +class openstack::client + inherits ::openstack::client::params { + + include ::openstack::client::credentials::params + $keyring_file = $::openstack::client::credentials::params::keyring_file + + file {"/etc/nova/openrc": + ensure => "present", + mode => '0640', + owner => 'nova', + group => 'root', + content => template('openstack/openrc.admin.erb'), + } + + file {"/etc/nova/ldap_openrc_template": + ensure => "present", + mode => '0644', + content => template('openstack/openrc.ldap.erb'), + } + + file {"/etc/bash_completion.d/openstack": + ensure => "present", + mode => '0644', + content => generate('/usr/bin/openstack', 'complete'), + } +} + + +class openstack::client::credentials::params ( + $keyring_base, + $keyring_directory, + $keyring_file, +) { } + +class openstack::client::credentials + inherits ::openstack::client::credentials::params { + + Class['::platform::drbd::platform'] -> + file { "${keyring_base}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + file { "${keyring_directory}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + file { "${keyring_file}": + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0755', + content => "keyring get CGCS admin" + } +} + +class openstack::client::bootstrap { + include ::openstack::client + include ::openstack::client::credentials +} + +class openstack::client::upgrade { + include ::openstack::client +} diff --git a/puppet-manifests/src/modules/openstack/manifests/glance.pp b/puppet-manifests/src/modules/openstack/manifests/glance.pp new file mode 100644 index 000000000..ad5b168e7 --- /dev/null 
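Review bot: The `file { "${keyring_file}": ... }` resource in `openstack::client::credentials` is created with `mode => '0755'` and `content => "keyring get CGCS admin"`, which makes a path under the credential keyring tree world-readable and executable for no visible reason; the two parent directories are also 0755. If the file is only a marker or command string, `'0644'` is enough; if it ends up holding or pointing at the admin credential, `'0600'` (or `'0640'` with the consuming group) is the right mode — what reads this file is not visible in the hunk, so confirm before tightening. In the same section, `/etc/nova/ldap_openrc_template` sets `mode => '0644'` but no `owner`/`group` while `/etc/nova/openrc` sets both, so ownership of the template is whatever the agent happens to create it as; add `owner => 'root', group => 'root'` for consistency.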
+++ b/puppet-manifests/src/modules/openstack/manifests/glance.pp 
@@ -0,0 +1,185 @@ +class openstack::glance::params ( + $service_enabled = true, + $api_port = 9292, + $api_host, + $region_name = undef, + $service_type = 'image', + $glance_directory = '/opt/cgcs/glance', + $glance_image_conversion_dir = '/opt/img-conversions/glance', + $enabled_backends = [], + $service_create = false, + $configured_registry_host = '0.0.0.0', + $glance_cached = false, +) { } + + +class openstack::glance + inherits ::openstack::glance::params { + + if $service_enabled { + include ::platform::params + include ::platform::amqp::params + + file { "${glance_directory}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + file { "${glance_directory}/image-cache": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + file { "${glance_directory}/images": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + file { "${glance_image_conversion_dir}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } + + $bind_host = $::platform::network::mgmt::params::subnet_version ? 
{ + 6 => '::', + default => '0.0.0.0', + } + + if $::platform::params::init_database { + class { "::glance::db::postgresql": + encoding => 'UTF8', + } + } + + include ::glance::api::authtoken + include ::glance::registry::authtoken + + class { '::glance::registry': + bind_host => $bind_host, + workers => $::platform::params::eng_workers, + } + + # Run glance-manage to purge deleted rows daily at the 45 minute mark + cron { 'glance-purge-deleted': + ensure => 'present', + command => '/usr/bin/glance-purge-deleted-active', + environment => 'PATH=/bin:/usr/bin:/usr/sbin', + minute => '45', + hour => '*/24', + user => 'root', + } + + # In glance cached mode run the pruner once every 6 hours to clean + # stale or orphaned images + if $::openstack::glance::params::glance_cached { + cron { 'glance-cache-pruner': + ensure => 'present', + command => '/usr/bin/glance-cache-pruner --config-file /etc/glance/glance-api.conf', + environment => 'PATH=/bin:/usr/bin:/usr/sbin', + minute => '15', + hour => '*/6', + user => 'root', + } + } + + class { '::glance::notify::rabbitmq': + rabbit_use_ssl => $::platform::amqp::params::ssl_enabled, + default_transport_url => $::platform::amqp::params::transport_url, + } + + if 'file' in $enabled_backends { + include ::glance::backend::file + } + + if 'rbd' in $enabled_backends { + include ::glance::backend::rbd + } + } +} + + +class openstack::glance::firewall + inherits ::openstack::glance::params { + + platform::firewall::rule { 'glance-api': + service_name => 'glance', + ports => $api_port, + } +} + + +class openstack::glance::haproxy + inherits ::openstack::glance::params { + + platform::haproxy::proxy { 'glance-restapi': + server_name => 's-glance', + public_port => $api_port, + private_port => $api_port, + private_ip_address => $api_host, + } +} + + +class openstack::glance::api + inherits ::openstack::glance::params { + include ::platform::params + + if $service_enabled { + if ($::openstack::glance::params::service_create and + 
$::platform::params::init_keystone) { + include ::glance::keystone::auth + } + + include ::platform::params + $api_workers = $::platform::params::eng_workers + + include ::platform::network::mgmt::params + # magical hack for magical config - glance option registry_host requires brackets + if $configured_registry_host == '0.0.0.0' { + $registry_host = $::platform::network::mgmt::params::subnet_version ? { + 6 => '::0', + default => '0.0.0.0', + # TO-DO(mmagr): Add IPv6 support when hostnames are used + } + } else { + $registry_host = $configured_registry_host + } + + # enable copy-on-write cloning from glance to cinder only for rbd + # this speeds up creation of volumes from images + $show_image_direct_url = ('rbd' in $enabled_backends) + + class { '::glance::api': + bind_host => $api_host, + registry_host => $registry_host, + workers => $api_workers, + sync_db => $::platform::params::init_database, + show_image_direct_url => $show_image_direct_url, + } + + include ::openstack::glance::firewall + include ::openstack::glance::haproxy + } +} + + +class openstack::glance::api::reload { + platform::sm::restart {'glance-api': } +} + +class openstack::glance::api::runtime + inherits ::openstack::glance::params { + + if $service_enabled { + include ::openstack::glance::api + + class { '::openstack::glance::api::reload': + stage => post + } + } +} diff --git a/puppet-manifests/src/modules/openstack/manifests/heat.pp b/puppet-manifests/src/modules/openstack/manifests/heat.pp new file mode 100644 index 000000000..fa2ac5b08 --- /dev/null +++ b/puppet-manifests/src/modules/openstack/manifests/heat.pp 
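Review bot: `class { '::glance::registry': bind_host => $bind_host, ... }` binds the registry to the wildcard address (`'::'` or `'0.0.0.0'`), whereas `::glance::api` is bound to `$api_host` and `openstack::glance::firewall` only opens `$api_port` for the API. Unless a rule for the registry port exists elsewhere, the registry is reachable on every interface and depends on the host's default firewall policy; binding it to `$api_host` like the API, or adding a matching `platform::firewall::rule` for it, makes the exposure explicit. Separately, `hour => '*/24'` in the `glance-purge-deleted` cron is a roundabout spelling of `hour => '0'`; the plain form reads more clearly.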
@@ -0,0 +1,235 @@ +class openstack::heat::params ( + $api_port = 8004, + $cfn_port = 8000, + $cloudwatch_port = 8003, + $region_name = undef, + $domain_name = undef, + $domain_admin = undef, + $domain_pwd = undef, + $service_name = 'openstack-heat', + $service_tenant = undef, + $default_endpoint_type = "internalURL", + $service_create = false, + $service_enabled = true, +) { + include ::platform::params + $api_workers = $::platform::params::eng_workers + + include ::platform::network::mgmt::params + $api_host = $::platform::network::mgmt::params::controller_address +} + + +class openstack::heat + inherits ::openstack::heat::params { + + include ::platform::params + + if $service_enabled { + include ::platform::amqp::params + + if $::platform::params::init_database { + include ::heat::db::postgresql + } + include ::heat::keystone::authtoken + + class { '::heat': + rabbit_use_ssl => $::platform::amqp::params::ssl_enabled, + default_transport_url => $::platform::amqp::params::transport_url, + heat_clients_endpoint_type => $default_endpoint_type, + sync_db => $::platform::params::init_database, + } + + class { '::heat::engine': + num_engine_workers => $::platform::params::eng_workers + } + } + + if $::platform::params::region_config { + if $::openstack::glance::params::region_name != $::platform::params::region_2_name { + $shared_service_glance = [$::openstack::glance::params::service_type] + } else { + $shared_service_glance = [] + } + # skip the check if cinder region name has not been configured + if ($::openstack::cinder::params::region_name != undef and + $::openstack::cinder::params::region_name != $::platform::params::region_2_name) { + $shared_service_cinder = [$::openstack::cinder::params::service_type, $::openstack::cinder::params::service_type_v2, $::openstack::cinder::params::service_type_v3] + } else { + $shared_service_cinder = [] + } + $shared_services = concat($shared_service_glance, $shared_service_cinder) + heat_config { + 
'DEFAULT/region_name_for_shared_services': value => $::platform::params::region_1_name; + 'DEFAULT/shared_services_types': value => join($shared_services,','); + } + # Subclouds use the region one service tenant and heat domain. In region + # mode we duplicate these in each region. + if $::platform::params::distributed_cloud_role != 'subcloud' { + keystone_tenant { $service_tenant: + ensure => present, + enabled => true, + description => "Tenant for $::platform::params::region_2_name", + } + class { '::heat::keystone::domain': + domain_name => $domain_name, + domain_admin => $domain_admin, + manage_domain => true, + manage_user => true, + manage_role => true, + } + } + } + else { + if str2bool($::is_initial_config_primary) { + # Only setup roles and domain information on the controller during initial config + if $service_enabled { + keystone_user_role { 'admin@admin': + ensure => present, + roles => ['admin', '_member_', 'heat_stack_owner'], + require => Class['::heat::engine'], + } + } else { + keystone_user_role { 'admin@admin': + ensure => present, + roles => ['admin', '_member_', 'heat_stack_owner'], + } + } + + # Heat stack owner needs to be created + keystone_role { 'heat_stack_owner': + ensure => present, + } + + class { '::heat::keystone::domain': + manage_domain => true, + manage_user => true, + manage_role => true, + } + } else { + # Second controller does not invoke keystone, but does need configuration + class { '::heat::keystone::domain': + manage_domain => false, + manage_user => false, + manage_role => false, + } + } + } + + if $service_enabled { + # clients_heat endpoint type is publicURL to support wait conditions + heat_config { + 'clients_neutron/endpoint_type': value => $default_endpoint_type; + 'clients_nova/endpoint_type': value => $default_endpoint_type; + 'clients_glance/endpoint_type': value => $default_endpoint_type; + 'clients_cinder/endpoint_type': value => $default_endpoint_type; + 'clients_ceilometer/endpoint_type':value => 
$default_endpoint_type; + 'clients_heat/endpoint_type': value => "publicURL"; + 'clients_keystone/endpoint_type': value => $default_endpoint_type; + } + + # Run heat-manage purge_deleted daily at the 20 minute mark + cron { 'heat-purge-deleted': + ensure => 'present', + command => '/usr/bin/heat-purge-deleted-active', + environment => 'PATH=/bin:/usr/bin:/usr/sbin', + minute => '20', + hour => '*/24', + user => 'root', + } + } +} + + + +class openstack::heat::firewall + inherits ::openstack::heat::params { + + platform::firewall::rule { 'heat-api': + service_name => 'heat', + ports => $api_port, + } + + platform::firewall::rule { 'heat-cfn': + service_name => 'heat-cfn', + ports => $cfn_port, + } + + platform::firewall::rule { 'heat-cloudwatch': + service_name => 'heat-cloudwatch', + ports => $cloudwatch_port, + } +} + + +class openstack::heat::haproxy + inherits ::openstack::heat::params { + + platform::haproxy::proxy { 'heat-restapi': + server_name => 's-heat', + public_port => $api_port, + private_port => $api_port, + } + + platform::haproxy::proxy { 'heat-cfn-restapi': + server_name => 's-heat-cfn', + public_port => $cfn_port, + private_port => $cfn_port, + } + + platform::haproxy::proxy { 'heat-cloudwatch': + server_name => 's-heat-cloudwatch', + public_port => $cloudwatch_port, + private_port => $cloudwatch_port, + } +} + + +class openstack::heat::api + inherits ::openstack::heat::params { + + # The heat user and service are always required and they + # are used by subclouds when the service itself is disabled + # on System Controller + # whether it creates the endpoint is determined by + # heat::keystone::auth::configure_endpoint which is + # set via sysinv puppet + if ($::openstack::heat::params::service_create and + $::platform::params::init_keystone) { + include ::heat::keystone::auth + include ::heat::keystone::auth_cfn + } + + if $service_enabled { + class { '::heat::api': + bind_host => $api_host, + workers => $api_workers, + } + + class { 
'::heat::api_cfn': + bind_host => $api_host, + workers => $api_workers, + } + + class { '::heat::api_cloudwatch': + bind_host => $api_host, + workers => $api_workers, + } + + include ::openstack::heat::firewall + include ::openstack::heat::haproxy + } +} + + +class openstack::heat::engine::reload { + platform::sm::restart {'heat-engine': } +} + +class openstack::heat::engine::runtime { + include ::openstack::heat + + class {'::openstack::heat::engine::reload': + stage => post + } +} diff --git a/puppet-manifests/src/modules/openstack/manifests/horizon.pp b/puppet-manifests/src/modules/openstack/manifests/horizon.pp new file mode 100644 index 000000000..be26df994 --- /dev/null +++ b/puppet-manifests/src/modules/openstack/manifests/horizon.pp 
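Review bot: In the non-region branch of `openstack::heat`, `keystone_user_role { 'admin@admin': roles => ['admin', '_member_', 'heat_stack_owner'], ... }` is declared before `keystone_role { 'heat_stack_owner': ensure => present }` with no relationship between them, so a first apply relies on the provider autorequiring the role; an explicit `require => Keystone_role['heat_stack_owner']` (or a `->` chain) makes the ordering independent of provider behaviour. The two `keystone_user_role` declarations differ only in `require`, so one resource with a conditional `require` would remove the duplication. Also, `description => "Tenant for $::platform::params::region_2_name"` interpolates a qualified variable without braces; `"Tenant for ${::platform::params::region_2_name}"` is the unambiguous form.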
@@ -0,0 +1,229 @@ +class openstack::horizon::params ( + $enable_https = false, + $lockout_period = 300, + $lockout_retries = 3, + + $secret_key, + $horizon_ssl = false, + $horizon_cert = undef, + $horizon_key = undef, + $horizon_ca = undef, + + $neutron_enable_lb = false, + $neutron_enable_firewall = false, + $neutron_enable_vpn = false, + + $openstack_host, + + $tpm_object = undef, + $tpm_engine = '/usr/lib64/openssl/engines/libtpm2.so', +) { } + + +class openstack::horizon + inherits ::openstack::horizon::params { + + include ::platform::params + include ::platform::network::mgmt::params + include ::platform::network::pxeboot::params + include ::openstack::keystone::params + + $controller_address = $::platform::network::mgmt::params::controller_address + $mgmt_subnet_network = $::platform::network::mgmt::params::subnet_network + $mgmt_subnet_prefixlen = $::platform::network::mgmt::params::subnet_prefixlen + $pxeboot_subnet_network = $::platform::network::pxeboot::params::subnet_network + $pxeboot_subnet_prefixlen = $::platform::network::pxeboot::params::subnet_prefixlen + + $keystone_api_version = $::openstack::keystone::params::api_version + $keystone_auth_uri = $::openstack::keystone::params::auth_uri + $keystone_host_url = $::openstack::keystone::params::host_url + + #The intention here is to set up /www as a chroot'ed + #environment for lighttpd so that it will remain in a jail under /www. 
+ + user { 'www': + ensure => 'present', + shell => '/sbin/nologin', + groups => ['wrs_protected'], + } + + file { "/www/tmp": + path => "/www/tmp", + ensure => directory, + mode => '1700', + } + + file {"/www/var": + path => "/www/var", + ensure => directory, + owner => "www", + require => User['www'] + } + + file {"/www/var/log": + path => "/www/var/log", + ensure => directory, + owner => "www", + require => User['www'] + } + + file {"/etc/lighttpd/lighttpd.conf": + ensure => present, + content => template('openstack/lighttpd.conf.erb') + } + + file {"/etc/lighttpd/lighttpd-inc.conf": + ensure => present, + content => template('openstack/lighttpd-inc.conf.erb') + } + + $workers = $::platform::params::eng_workers_by_2 + + include ::openstack::murano::params + if $::openstack::murano::params::service_enabled { + $murano_enabled = 'True' + } else { + $murano_enabled = 'False' + } + + include ::openstack::magnum::params + if $::openstack::magnum::params::service_enabled { + $magnum_enabled = 'True' + } else { + $magnum_enabled = 'False' + } + + include ::horizon::params + file { '/etc/openstack-dashboard/horizon-config.ini': + content => template('openstack/horizon-params.erb'), + ensure => present, + mode => '0644', + owner => 'root', + group => $::horizon::params::apache_group, + } + + if str2bool($::is_initial_config) { + exec { 'Stop lighttpd': + command => "systemctl stop lighttpd; systemctl disable lighttpd", + require => User['www'] + } + } + + $is_django_debug = 'False' + $bind_host = $::platform::network::mgmt::params::subnet_version ? 
{ + 6 => '::0', + default => '0.0.0.0', + # TO-DO(mmagr): Add IPv6 support when hostnames are used + } + + if $::platform::params::region_config { + $horizon_keystone_url = "${keystone_auth_uri}/${keystone_api_version}" + $region_2_name = $::platform::params::region_2_name + $region_openstack_host = $openstack_host + file { '/etc/openstack-dashboard/region-config.ini': + content => template('openstack/horizon-region-config.erb'), + ensure => present, + mode => '0644', + } + } else { + $horizon_keystone_url = "http://${$keystone_host_url}:5000/${keystone_api_version}" + + file { '/etc/openstack-dashboard/region-config.ini': + ensure => absent, + } + } + + class {'::horizon': + secret_key => $secret_key, + keystone_url => $horizon_keystone_url, + keystone_default_role => '_member_', + server_aliases => [$controller_address, $::fqdn, 'localhost'], + allowed_hosts => '*', + hypervisor_options => {'can_set_mount_point' => false, }, + django_debug => $is_django_debug, + file_upload_temp_dir => '/var/tmp', + listen_ssl => $horizon_ssl, + horizon_cert => $horizon_cert, + horizon_key => $horizon_key, + horizon_ca => $horizon_ca, + neutron_options => { + 'enable_lb' => $neutron_enable_lb, + 'enable_firewall' => $neutron_enable_firewall, + 'enable_vpn' => $neutron_enable_vpn + }, + configure_apache => false, + compress_offline => false, + } + + # hack for memcached, for now we bind to localhost on ipv6 + # https://bugzilla.redhat.com/show_bug.cgi?id=1210658 + $memcached_bind_host = $::platform::network::mgmt::params::subnet_version ? 
{ + 6 => 'localhost6', + default => '0.0.0.0', + # TO-DO(mmagr): Add IPv6 support when hostnames are used + } + + if str2bool($::selinux) { + selboolean{ 'httpd_can_network_connect': + value => on, + persistent => true, + } + } + + # Run clearsessions daily at the 40 minute mark + cron { 'clearsessions': + ensure => 'present', + command => '/usr/bin/horizon-clearsessions', + environment => 'PATH=/bin:/usr/bin:/usr/sbin', + minute => '40', + hour => '*/24', + user => 'root', + } + + include ::openstack::horizon::firewall +} + + +class openstack::horizon::firewall + inherits ::openstack::horizon::params { + + # horizon is run behind a proxy server, therefore + # set the dashboard access based on the configuration + # of HTTPS for external protocols. The horizon + # server runs on port 8080 behind the proxy server. + if $enable_https { + $firewall_port = 443 + } else { + $firewall_port = 80 + } + + platform::firewall::rule { 'dashboard': + host => 'ALL', + service_name => 'horizon', + ports => $firewall_port, + } +} + + +class openstack::horizon::reload { + + # Remove all active Horizon user sessions + # so that we don't use any stale cached data + # such as endpoints + exec { "remove-Horizon-user-sessions": + path => ['/usr/bin'], + command => "/usr/bin/rm -f /var/tmp/sessionid*", + } + + platform::sm::restart {'horizon': } + platform::sm::restart {'lighttpd': } +} + + +class openstack::horizon::runtime { + include ::openstack::horizon + + class {'::openstack::horizon::reload': + stage => post + } +} diff --git a/puppet-manifests/src/modules/openstack/manifests/ironic.pp b/puppet-manifests/src/modules/openstack/manifests/ironic.pp new file mode 100644 index 000000000..fbc7bebfb --- /dev/null +++ b/puppet-manifests/src/modules/openstack/manifests/ironic.pp 
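Review bot: `allowed_hosts => '*'` in `class {'::horizon': ...}` disables Django's Host-header validation, which is its protection against Host-header poisoning of generated absolute URLs; `server_aliases` already enumerates `$controller_address`, `$::fqdn` and `'localhost'`, so that same list (plus `$openstack_host` if external access uses that name) is the natural value for `allowed_hosts`. Whether the lighttpd proxy in front normalises the Host header is not visible here, so confirm before treating this as an exposure. A second point in `openstack::horizon::reload` and the `Stop lighttpd` exec: `command => "/usr/bin/rm -f /var/tmp/sessionid*"` depends on glob expansion and `"systemctl stop lighttpd; systemctl disable lighttpd"` depends on `;`, neither of which Puppet's default `posix` exec provider supplies; unless a site-wide `Exec { provider => shell }` default exists, add `provider => shell` to both.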
@@ -0,0 +1,176 @@ +class openstack::ironic::params ( + $api_port = 6485, + $service_enabled = false, + $service_name = 'openstack-ironic', + $region_name = undef, + $default_endpoint_type = "internalURL", + $tftp_server = undef, + $provisioning_network = undef, + $controller_0_if = undef, + $controller_1_if = undef, + $netmask = undef, +) { + include ::platform::network::mgmt::params + $api_host = $::platform::network::mgmt::params::controller_address + + include ::platform::params + $sw_version = $::platform::params::software_version + $ironic_basedir = "/opt/cgcs/ironic" + $ironic_versioned_dir = "${ironic_basedir}/${sw_version}" + $ironic_tftpboot_dir = "${ironic_versioned_dir}/tftpboot" +} + + +class openstack::ironic::firewall + inherits ::openstack::ironic::params { + + if $service_enabled { + platform::firewall::rule { 'ironic-api': + service_name => 'ironic', + ports => $api_port, + } + } +} + +class openstack::ironic::haproxy + inherits ::openstack::ironic::params { + + if $service_enabled { + platform::haproxy::proxy { 'ironic-restapi': + server_name => 's-ironic-restapi', + public_port => $api_port, + private_port => $api_port, + } + + platform::haproxy::proxy { 'ironic-tftp-restapi': + server_name => 's-ironic-tftp-restapi', + public_port => $api_port, + private_port => $api_port, + public_ip_address => $tftp_server, + enable_https => false, + } + } +} + +class openstack::ironic + inherits ::openstack::ironic::params { + + include ::platform::params + include ::platform::amqp::params + include ::platform::network::mgmt::params + include ::ironic::neutron + include ::ironic::glance + + if $::platform::params::init_database { + include ::ironic::db::postgresql + } + + if str2bool($::is_initial_config_primary) { + include ::ironic::db::sync + } + + class {'::ironic': + rabbit_use_ssl => $::platform::amqp::params::ssl_enabled, + default_transport_url => $::platform::amqp::params::transport_url, + sync_db => false, + my_ip => $api_host, + } + if $tftp_server 
!= undef { + $ipa_api_url = "http://$tftp_server:$api_port" + } + else { + $ipa_api_url = undef + } + + # provisioning and cleaning networks are intentionally the same + class {'::ironic::conductor': + provisioning_network => $provisioning_network, + cleaning_network => $provisioning_network, + api_url => $ipa_api_url, + } + + $tftp_master_path = "${ironic_tftpboot_dir}/master_images" + class {'::ironic::drivers::pxe': + tftp_server => $tftp_server, + tftp_root => $ironic_tftpboot_dir, + tftp_master_path => $tftp_master_path, + pxe_append_params => 'nofb nomodeset vga=normal console=ttyS0,115200n8', + } + + # configure tftp root directory + if $::platform::params::init_database { + $ironic_tftp_root_dir = "/opt/cgcs/ironic/${sw_version}" + file { "${$ironic_basedir}": + ensure => 'directory', + owner => 'ironic', + group => 'root', + mode => '0755', + } -> + file { "${ironic_versioned_dir}": + ensure => 'directory', + owner => 'ironic', + group => 'root', + mode => '0755', + } -> + file { "${ironic_tftpboot_dir}": + ensure => 'directory', + owner => 'ironic', + group => 'root', + mode => '0755', + } + } + if str2bool($::is_controller_active) { + file { "${ironic_tftpboot_dir}/pxelinux.0": + owner => 'root', + group => 'root', + mode => '0755', + source => "/usr/share/syslinux/pxelinux.0" + } + file { "${ironic_tftpboot_dir}/chain.c32": + owner => 'root', + group => 'root', + mode => '0755', + source => "/usr/share/syslinux/chain.c32" + } + } +} + +class openstack::ironic::api + inherits ::openstack::ironic::params { + + class { '::ironic::api': + port => $api_port, + host_ip => $api_host, + } + + if $service_enabled { + include ::ironic::keystone::auth + } + + include ::openstack::ironic::haproxy + include ::openstack::ironic::firewall + +} + +class openstack::ironic::upgrade + inherits ::openstack::ironic::params{ + + file { "${$ironic_basedir}": + ensure => 'directory', + owner => 'ironic', + group => 'root', + mode => '0755', + } -> + file { 
"${ironic_versioned_dir}": + ensure => 'directory', + owner => 'ironic', + group => 'root', + mode => '0755', + } -> + file { "${ironic_tftpboot_dir}": + ensure => 'directory', + owner => 'ironic', + group => 'root', + mode => '0755', + } +} diff --git a/puppet-manifests/src/modules/openstack/manifests/keystone.pp b/puppet-manifests/src/modules/openstack/manifests/keystone.pp new file mode 100644 index 000000000..bfa9f1237 --- /dev/null +++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp 
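Review bot: `$ironic_tftp_root_dir = "/opt/cgcs/ironic/${sw_version}"` in `openstack::ironic` is assigned but never read, and it hard-codes a path that duplicates `$ironic_versioned_dir` (derived from `$ironic_basedir` in the params class); drop the assignment so the two cannot drift apart. The three directory resources under `if $::platform::params::init_database` are repeated verbatim in `openstack::ironic::upgrade`; a shared define or a class both include would keep owner and mode in one place. `"${$ironic_basedir}"` and `"http://$tftp_server:$api_port"` both evaluate but read oddly; `"${ironic_basedir}"` and `"http://${tftp_server}:${api_port}"` are the conventional forms, and `if $tftp_server != undef` can simply be `if $tftp_server`.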
@@ -0,0 +1,364 @@ +class openstack::keystone::params( + $api_version, + $api_port = 5000, + $admin_port = 5000, + $identity_uri, + $auth_uri, + $host_url, + $region_name = undef, + $service_name = 'openstack-keystone', + $token_expiration = 3600, + $service_create = false, + $fernet_keys_rotation_minute = '25', + $fernet_keys_rotation_hour = '0', + $fernet_keys_rotation_month = '*/1', + $fernet_keys_rotation_monthday = '1', + $fernet_keys_rotation_weekday = '*', +) {} + +class openstack::keystone ( +) inherits ::openstack::keystone::params { + + include ::platform::params + + if !$::platform::params::region_config { + include ::platform::amqp::params + include ::platform::network::mgmt::params + include ::platform::drbd::cgcs::params + + $keystone_key_repo_path = "${::platform::drbd::cgcs::params::mountpoint}/keystone" + $eng_workers = $::platform::params::eng_workers + + # FIXME(mpeters): binding to wildcard address to allow bootstrap transition + # Not sure if there is a better way to transition from the localhost address + # to the management address while still being able to authenticate the client + if str2bool($::is_initial_config_primary) { + $enabled = true + $bind_host = $::platform::network::mgmt::params::subnet_version ? { + 6 => '[::]', + default => '0.0.0.0', + } + } else { + $enabled = false + $bind_host = $::platform::network::mgmt::params::controller_address_url + } + + Class[$name] -> Class['::openstack::client'] + + include ::keystone::client + + + # Configure keystone graceful shutdown timeout + # TODO(mpeters): move to puppet-keystone for module configuration + keystone_config { + "DEFAULT/graceful_shutdown_timeout": value => 15; + } + + # (Pike Rebase) Disable token post expiration window since this + # allows authentication for upto 2 days worth of stale tokens. 
+ # TODO(knasim): move this to puppet-keystone along with graceful + # shutdown timeout param + keystone_config { + "token/allow_expired_window": value => 0; + } + + + file { "/etc/keystone/keystone-extra.conf": + ensure => present, + owner => 'root', + group => 'keystone', + mode => '0640', + content => template('openstack/keystone-extra.conf.erb'), + } -> + class { '::keystone': + enabled => $enabled, + enable_fernet_setup => false, + fernet_key_repository => "$keystone_key_repo_path/fernet-keys", + default_transport_url => $::platform::amqp::params::transport_url, + service_name => $service_name, + token_expiration => $token_expiration, + } + + # Keystone users can only be added to the SQL backend (write support for + # the LDAP backend has been removed). We can therefore set password rules + # irrespective of the backend + if ! str2bool($::is_restore_in_progress) { + # If the Restore is in progress then we need to apply the Keystone + # Password rules as a runtime manifest, as the passwords in the hiera records + # records may not be rule-compliant if this system was upgraded from R4 + # (where-in password rules were not in affect) + include ::keystone::security_compliance + } + + include ::keystone::ldap + + # Set up cron job that will rotate fernet keys. This is done every month on + # the first day of the month at 00:25 by default. The cron job only runs on + # the active controller. 
+ cron { 'keystone-fernet-keys-rotater': + ensure => 'present', + command => '/usr/bin/keystone-fernet-keys-rotate-active', + environment => 'PATH=/bin:/usr/bin:/usr/sbin', + minute => $fernet_keys_rotation_minute, + hour => $fernet_keys_rotation_hour, + month => $fernet_keys_rotation_month, + monthday => $fernet_keys_rotation_monthday, + weekday => $fernet_keys_rotation_weekday, + user => 'root', + } + } else { + class { '::keystone': + enabled => false, + } + } +} + + +class openstack::keystone::firewall + inherits ::openstack::keystone::params { + + if !$::platform::params::region_config { + platform::firewall::rule { 'keystone-api': + service_name => 'keystone', + ports => $api_port, + } + } +} + + +class openstack::keystone::haproxy + inherits ::openstack::keystone::params { + + include ::platform::params + + if !$::platform::params::region_config { + platform::haproxy::proxy { 'keystone-restapi': + server_name => 's-keystone', + public_port => $api_port, + private_port => $api_port, + } + } +} + + +class openstack::keystone::api + inherits ::openstack::keystone::params { + + include ::platform::params + + if ($::openstack::keystone::params::service_create and + $::platform::params::init_keystone) { + include ::keystone::endpoint + } + + include ::openstack::keystone::firewall + include ::openstack::keystone::haproxy +} + + +class openstack::keystone::bootstrap( + $default_domain = 'Default', +) { + include ::platform::params + include ::platform::amqp::params + include ::platform::drbd::cgcs::params + + $keystone_key_repo_path = "${::platform::drbd::cgcs::params::mountpoint}/keystone" + $eng_workers = $::platform::params::eng_workers + $bind_host = '0.0.0.0' + + if ($::platform::params::init_keystone and + !$::platform::params::region_config) { + include ::keystone::db::postgresql + + Class[$name] -> Class['::openstack::client'] + + # Create the parent directory for fernet keys repository + file { "${keystone_key_repo_path}": + ensure => 'directory', + owner 
=> 'root', + group => 'root', + mode => '0755', + require => Class['::platform::drbd::cgcs'], + } -> + file { "/etc/keystone/keystone-extra.conf": + ensure => present, + owner => 'root', + group => 'keystone', + mode => '0640', + content => template('openstack/keystone-extra.conf.erb'), + } -> + class { '::keystone': + enabled => true, + enable_bootstrap => true, + fernet_key_repository => "$keystone_key_repo_path/fernet-keys", + sync_db => true, + default_domain => $default_domain, + default_transport_url => $::platform::amqp::params::transport_url, + } + + include ::keystone::client + include ::keystone::endpoint + include ::keystone::roles::admin + + # Ensure the default _member_ role is present + keystone_role { '_member_': + ensure => present, + } + + + # disabling the admin token per openstack recommendation + include ::keystone::disable_admin_token_auth + } +} + + +class openstack::keystone::reload { + platform::sm::restart {'keystone': } +} + + +class openstack::keystone::server::runtime { + include ::openstack::client + include ::openstack::keystone + + class {'::openstack::keystone::reload': + stage => post + } +} + + +class openstack::keystone::endpoint::runtime { + + if str2bool($::is_controller_active) { + include ::keystone::endpoint + + include ::sysinv::keystone::auth + include ::patching::keystone::auth + include ::nfv::keystone::auth + + include ::openstack::aodh::params + if $::openstack::aodh::params::service_enabled { + include ::aodh::keystone::auth + } + + include ::ceilometer::keystone::auth + + include ::openstack::heat::params + if $::openstack::heat::params::service_enabled { + include ::heat::keystone::auth + include ::heat::keystone::auth_cfn + } + + include ::neutron::keystone::auth + include ::nova::keystone::auth + include ::nova::keystone::auth_placement + + include ::openstack::panko::params + if $::openstack::panko::params::service_enabled { + include ::panko::keystone::auth + } + + include ::openstack::cinder::params + if 
$::openstack::cinder::params::service_enabled { + include ::cinder::keystone::auth + } + + include ::openstack::glance::params + include ::glance::keystone::auth + + include ::openstack::murano::params + if $::openstack::murano::params::service_enabled { + include ::murano::keystone::auth + } + + include ::openstack::magnum::params + if $::openstack::magnum::params::service_enabled { + include ::magnum::keystone::auth + include ::magnum::keystone::domain + } + + include ::openstack::ironic::params + if $::openstack::ironic::params::service_enabled { + include ::ironic::keystone::auth + } + + include ::platform::ceph::params + if $::platform::ceph::params::rgw_enabled { + include ::platform::ceph::rgw::keystone::auth + } + + if $::platform::params::distributed_cloud_role =='systemcontroller' { + include ::dcorch::keystone::auth + include ::dcmanager::keystone::auth + } + } +} + +class openstack::keystone::upgrade ( + $upgrade_token_cmd, + $upgrade_url = undef, + $upgrade_token_file = undef, +) { + + if $::platform::params::init_keystone { + include ::keystone::db::postgresql + include ::platform::params + include ::platform::amqp::params + include ::platform::network::mgmt::params + include ::platform::drbd::cgcs::params + + # the unit address is actually the configured default of the loopback address. + $bind_host = $::platform::network::mgmt::params::controller0_address + $eng_workers = $::platform::params::eng_workers + + $keystone_key_repo = "${::platform::drbd::cgcs::params::mountpoint}/keystone" + + # TODO(aning): For R5->R6 upgrade, a local keystone fernet keys repository may + # need to be setup for the local keystone instance on standby controller to + # service specific upgrade operations, since we need to keep the keys repository + # in /opt/cgcs/keystone/fernet-keys intact so that service won't fail on active + # controller during upgrade. Once the upgade finishes, the temparary local + # fernet keys repository will be deleted. 
+ + # Need to create the parent directory for fernet keys repository + # This is a workaround to a puppet bug. + file { "${keystone_key_repo}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755' + } -> + file { "/etc/keystone/keystone-extra.conf": + ensure => present, + owner => 'root', + group => 'keystone', + mode => '0640', + content => template('openstack/keystone-extra.conf.erb'), + } -> + class { '::keystone': + upgrade_token_cmd => $upgrade_token_cmd, + upgrade_token_file => $upgrade_token_file, + enable_fernet_setup => true, + enable_bootstrap => false, + fernet_key_repository => "$keystone_key_repo/fernet-keys", + sync_db => false, + default_domain => undef, + default_transport_url => $::platform::amqp::params::transport_url, + } + + + # Panko is a new non-optional service in 18.xx. + # Ensure its service account and endpoints are created + include ::panko::keystone::auth + + # Always remove the upgrade token file after all 18.xx + # services have been added + file { $upgrade_token_file : + ensure => absent, + } + + include ::keystone::client + } + +} diff --git a/puppet-manifests/src/modules/openstack/manifests/magnum.pp b/puppet-manifests/src/modules/openstack/manifests/magnum.pp new file mode 100644 index 000000000..c70e18ea7 --- /dev/null +++ b/puppet-manifests/src/modules/openstack/manifests/magnum.pp 
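Review bot: In `openstack::keystone::upgrade` the cleanup resource `file { $upgrade_token_file : ensure => absent }` is declared unconditionally, but `$upgrade_token_file` defaults to `undef`, so any catalog compiled without that parameter fails on a missing resource title instead of simply skipping the cleanup; wrap it as `if $upgrade_token_file { file { $upgrade_token_file: ensure => absent } }`. The same class also tests `$::platform::params::init_keystone` before `include ::platform::params` is reached inside the branch, and `openstack::keystone::firewall` reads `$::platform::params::region_config` without including the class at all; unless `::platform::params` is guaranteed to be evaluated earlier in every catalog, those reads yield undef and the blocks are silently skipped, which for the firewall class means the keystone-api rule is never declared. Moving `include ::platform::params` to the first line of each class removes the ordering dependency. The deletion of the upgrade token file after the 18.xx services are registered is the right call for the credential's lifetime, so keep it, just guarded.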
@@ -0,0 +1,85 @@ +class openstack::magnum::params ( + $api_port = 9511, + $service_enabled = false, + $service_name = 'openstack-magnum', +) {} + + +class openstack::magnum + inherits ::openstack::magnum::params { + + if $::platform::params::init_database { + include ::magnum::db::postgresql + } + + if str2bool($::is_initial_config_primary) { + class { '::magnum::db::sync': } + } + + include ::platform::params + include ::platform::amqp::params + + include ::magnum::client + include ::magnum::clients + include ::magnum::db + include ::magnum::logging + include ::magnum::conductor + include ::magnum::certificates + + class {'::magnum': + rabbit_use_ssl => $::platform::amqp::params::ssl_enabled, + default_transport_url => $::platform::amqp::params::transport_url, + } + + if $::platform::params::init_database { + include ::magnum::db::postgresql + } +} + +class openstack::magnum::firewall + inherits ::openstack::magnum::params { + + if $service_enabled { + platform::firewall::rule { 'magnum-api': + service_name => 'magnum', + ports => $api_port, + } + } +} + + +class openstack::magnum::haproxy + inherits ::openstack::magnum::params { + + if $service_enabled { + platform::haproxy::proxy { 'magnum-restapi': + server_name => 's-magnum', + public_port => $api_port, + private_port => $api_port, + } + } +} + +class openstack::magnum::api + inherits ::openstack::magnum::params { + + include ::platform::network::mgmt::params + $api_host = $::platform::network::mgmt::params::controller_address + + if $service_enabled { + include ::magnum::keystone::auth + include ::magnum::keystone::authtoken + include ::magnum::keystone::domain + } + + class { '::magnum::api': + enabled => false, + host => $api_host, + sync_db => false, + } + + include ::openstack::magnum::haproxy + include ::openstack::magnum::firewall + +} + 
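Review bot: `include ::magnum::db::postgresql` under `if $::platform::params::init_database` appears twice in `openstack::magnum`, once at the top and again at the end of the class; the second block is redundant and should be dropped. Both checks also read `$::platform::params::init_database` before `include ::platform::params` on the lines below them, so if `::platform::params` has not already been evaluated elsewhere the variable is undef and the database class is never included; putting `include ::platform::params` as the first statement of the class makes the guard reliable regardless of catalog order. The same pattern of reading a class variable before its include recurs in `openstack::murano` and `openstack::neutron::server` in the following hunks.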
diff --git a/puppet-manifests/src/modules/openstack/manifests/murano.pp b/puppet-manifests/src/modules/openstack/manifests/murano.pp
new file mode 100644
index 000000000..f5c858d15
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/manifests/murano.pp
@@ -0,0 +1,288 @@ +class openstack::murano::params ( + $api_port = 8082, + $auth_password = 'guest', + $auth_user = 'guest', + $service_enabled = false, + $disable_murano_agent = true, + $service_name = 'openstack-murano', + $database_idle_timeout = 60, + $database_max_pool_size = 1, + $database_max_overflow = 10, + $rabbit_normal_port = '5672', + $rabbit_ssl_port = '5671', + $rabbit_certs_dir = '/etc/ssl/private/murano-rabbit', + $tcp_listen_options, + $rabbit_tcp_listen_options, + $rabbit_cipher_list, + $tlsv2 = 'tlsv1.2', + $tlsv1 = 'tlsv1.1', + $ssl_fail_if_no_peer_cert = true, + $disk_free_limit = '10000000', + $heartbeat = '30', + $ssl = false, +) {} + +class openstack::murano::firewall + inherits ::openstack::murano::params { + + if $service_enabled { + platform::firewall::rule { 'murano-api': + service_name => 'murano', + ports => $api_port, + } + + if $disable_murano_agent != true { + if $ssl == true { + platform::firewall::rule { 'murano-rabbit-ssl': + service_name => 'murano-rabbit-ssl', + ports => 5671, + } + platform::firewall::rule { 'murano-rabbit-regular': + service_name => 'murano-rabbit-regular', + ports => 5672, + ensure => absent, + } + } else { + platform::firewall::rule { 'murano-rabbit-regular': + service_name => 'murano-rabbit-regular', + ports => 5672, + } + platform::firewall::rule { 'murano-rabbit-ssl': + service_name => 'murano-rabbit-ssl', + ports => 5671, + ensure => absent, + } + } + } else { + platform::firewall::rule { 'murano-rabbit-regular': + service_name => 'murano-rabbit-regular', + ports => 5672, + ensure => absent, + } + platform::firewall::rule { 'murano-rabbit-ssl': + service_name => 'murano-rabbit-ssl', + ports => 5671, + ensure => absent, + } + } + } +} + +class openstack::murano::haproxy + inherits ::openstack::murano::params { + + if $service_enabled { + platform::haproxy::proxy { 'murano-restapi': + server_name => 's-murano-restapi', + public_port => $api_port, + private_port => $api_port, + } + } +} + +class 
openstack::murano + inherits ::openstack::murano::params { + + if $::platform::params::init_database { + include ::murano::db::postgresql + } + + if str2bool($::is_initial_config_primary) { + class { '::murano::db::sync': } + } + + include ::platform::params + include ::platform::amqp::params + + include ::murano::client + + class { '::murano::dashboard': + sync_db => false, + } + + class { '::murano::engine': + workers => $::platform::params::eng_workers_by_4, + } + + if $ssl { + $murano_rabbit_port = $rabbit_ssl_port + $murano_cacert = "${rabbit_certs_dir}/ca-cert.pem" + } else { + $murano_rabbit_port = $rabbit_normal_port + $murano_cacert = undef + } + + include ::murano::params + + class {'::murano': + use_syslog => true, + log_facility => 'local2', + service_host => $::platform::network::mgmt::params::controller_address, + service_port => '8082', + database_idle_timeout => $database_idle_timeout, + database_max_pool_size => $database_max_pool_size, + database_max_overflow => $database_max_overflow, + sync_db => false, + rabbit_own_user => $::openstack::murano::params::auth_user, + rabbit_own_password => $::openstack::murano::params::auth_password, + rabbit_own_host => $::platform::network::oam::params::controller_address, + rabbit_own_port => $murano_rabbit_port, + rabbit_own_vhost => "/", + rabbit_own_use_ssl => $ssl, + rabbit_own_ca_certs => $murano_cacert, + disable_murano_agent => $disable_murano_agent, + api_workers => $::platform::params::eng_workers_by_4, + default_transport_url => $::platform::amqp::params::transport_url, + } + + # this rabbitmq is separate from the main one and used only for murano + case $::platform::amqp::params::backend { + 'rabbitmq': { + enable_murano_agent_rabbitmq { 'rabbitmq': } + } + default: {} + } +} + +class openstack::murano::api + inherits ::openstack::murano::params { + include ::platform::params + + class { '::murano::api': + enabled => false, + host => $::platform::network::mgmt::params::controller_address, + } + + 
$upgrade = $::platform::params::controller_upgrade + if $service_enabled and (str2bool($::is_controller_active) or $upgrade) { + include ::murano::keystone::auth + } + + include ::openstack::murano::haproxy + include ::openstack::murano::firewall + +} + +define enable_murano_agent_rabbitmq { + include ::openstack::murano::params + include ::platform::params + + # Rabbit configuration parameters + $amqp_platform_sw_version = $::platform::params::software_version + $kombu_ssl_ca_certs = "$::openstack::murano::params::rabbit_certs_dir/ca-cert.pem" + $kombu_ssl_keyfile = "$::openstack::murano::params::rabbit_certs_dir/key.pem" + $kombu_ssl_certfile = "$::openstack::murano::params::rabbit_certs_dir/cert.pem" + + $murano_rabbit_dir = "/var/lib/rabbitmq/murano" + $rabbit_home = "${murano_rabbit_dir}/${amqp_platform_sw_version}" + $mnesia_base = "${rabbit_home}/mnesia" + $rabbit_node = $::platform::amqp::params::node + $murano_rabbit_node = "murano-${rabbit_node}" + $default_user = $::openstack::murano::params::auth_user + $default_pass = $::openstack::murano::params::auth_password + $disk_free_limit = $::openstack::murano::params::disk_free_limit + $heartbeat = $::openstack::murano::params::heartbeat + $port = $::openstack::murano::params::rabbit_normal_port + + $rabbit_cipher_list = $::openstack::murano::params::rabbit_cipher_list + + $ssl_interface = $::platform::network::oam::params::controller_address + $ssl_port = $::openstack::murano::params::rabbit_ssl_port + $tlsv2 = $::openstack::murano::params::tlsv2 + $tlsv1 = $::openstack::murano::params::tlsv1 + $fail_if_no_peer_cert = $::openstack::murano::params::ssl_fail_if_no_peer_cert + + $tcp_listen_options = $::openstack::murano::params::tcp_listen_options + $rabbit_tcp_listen_options = $::openstack::murano::params::rabbit_tcp_listen_options + + # murano rabbit ssl certificates are placed here + file { "$::openstack::murano::params::rabbit_certs_dir": + ensure => 'directory', + owner => 'root', + group => 'root', + 
mode => '0755', + } + + if $::platform::params::init_database { + file { "${murano_rabbit_dir}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + + file { "${rabbit_home}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + + file { "${mnesia_base}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> Class['::rabbitmq'] + } + + if $::openstack::murano::params::ssl { + $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ] + file { $files_to_set_owner: + owner => 'rabbitmq', + group => 'rabbitmq', + require => Package['rabbitmq-server'], + notify => Service['rabbitmq-server'], + } + $rabbitmq_conf_template= 'openstack/murano-rabbitmq.config.ssl.erb' + + } else { + $rabbitmq_conf_template= 'openstack/murano-rabbitmq.config.erb' + } + + file { "/etc/rabbitmq/murano-rabbitmq.config": + ensure => present, + owner => 'rabbitmq', + group => 'rabbitmq', + mode => '0640', + content => template($rabbitmq_conf_template), + } + + file { "/etc/rabbitmq/murano-rabbitmq-env.conf": + ensure => present, + owner => 'rabbitmq', + group => 'rabbitmq', + mode => '0640', + content => template('openstack/murano-rabbitmq-env.conf.erb'), + } +} + +class openstack::murano::upgrade { + include ::platform::params + + $amqp_platform_sw_version = $::platform::params::software_version + $murano_rabbit_dir = "/var/lib/rabbitmq/murano" + $rabbit_home = "${murano_rabbit_dir}/${amqp_platform_sw_version}" + $mnesia_base = "${rabbit_home}/mnesia" + + file { "${murano_rabbit_dir}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + + file { "${rabbit_home}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + + file { "${mnesia_base}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } +} 
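Review bot: `openstack::murano::params` ships `$auth_user = 'guest'` and `$auth_password = 'guest'` as defaults for the dedicated murano RabbitMQ, and `enable_murano_agent_rabbitmq` binds that broker to the OAM controller address (`rabbit_own_host` and `$ssl_interface` both come from `::platform::network::oam::params::controller_address`) with the firewall class opening 5671/5672 whenever the agent is enabled, so a deployment that forgets to override them exposes an externally reachable broker with well-known credentials, and `$ssl = false` by default sends them in clear. Declaring them without defaults, `$auth_user,` and `$auth_password,`, the way `$tcp_listen_options` and `$rabbit_cipher_list` already are, turns a missing hiera value into a compile error rather than a live default credential; if hiera always sets them this costs nothing. Separately, `service_port => '8082'` in `class {'::murano': ...}` duplicates `$api_port` as a literal and should be `service_port => $api_port,` so the firewall, haproxy and service settings cannot drift, and the `!= true` / `== true` comparisons in the firewall class are plain booleans that read better as `unless $disable_murano_agent` and `if $ssl`.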
diff --git a/puppet-manifests/src/modules/openstack/manifests/neutron.pp b/puppet-manifests/src/modules/openstack/manifests/neutron.pp
new file mode 100644
index 000000000..0e94dffdf
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/manifests/neutron.pp
@@ -0,0 +1,322 @@ +class openstack::neutron::params ( + $api_port = 9696, + $bgp_port = 179, + $region_name = undef, + $service_name = 'openstack-neutron', + $bgp_router_id = undef, + $l3_agent_enabled = true, + $service_create = false, + $configure_endpoint = true +) { } + +class openstack::neutron + inherits ::openstack::neutron::params { + + include ::platform::params + include ::platform::amqp::params + + include ::neutron::logging + + class { '::neutron': + rabbit_use_ssl => $::platform::amqp::params::ssl_enabled, + default_transport_url => $::platform::amqp::params::transport_url, + pnet_audit_enabled => $::platform::params::sdn_enabled ? { true => false, default => true }, + } +} + + +define openstack::neutron::sdn::controller ( + $transport, + $ip_address, + $port, +) { + include ::platform::params + include ::platform::network::oam::params + include ::platform::network::mgmt::params + + $oam_interface = $::platform::network::oam::params::interface_name + $mgmt_subnet_network = $::platform::network::mgmt::params::subnet_network + $mgmt_subnet_prefixlen = $::platform::network::mgmt::params::subnet_prefixlen + $oam_address = $::platform::network::oam::params::controller_address + $system_type = $::platform::params::system_type + + $mgmt_subnet = "${mgmt_subnet_network}/${mgmt_subnet_prefixlen}" + + if $system_type == 'Standard' { + if $transport == 'tls' { + $firewall_proto_transport = 'tcp' + } else { + $firewall_proto_transport = $transport + } + + platform::firewall::rule { $name: + service_name => $name, + table => 'nat', + chain => 'POSTROUTING', + proto => $firewall_proto_transport, + outiface => $oam_interface, + tosource => $oam_address, + destination => $ip_address, + host => $mgmt_subnet, + jump => 'SNAT', + } + } +} + + +class openstack::neutron::odl::params( + $username = undef, + $password= undef, + $url = undef, + $controller_config = {}, + $port_binding_controller = undef, +) {} + +class openstack::neutron::odl + inherits 
::openstack::neutron::odl::params { + + include ::platform::params + + if $::platform::params::sdn_enabled { + create_resources('openstack::neutron::sdn::controller', $controller_config, {}) + } + class {'::neutron::plugins::ml2::opendaylight': + odl_username => $username, + odl_password => $password, + odl_url => $url, + port_binding_controller => $port_binding_controller, + } +} + + +class openstack::neutron::bgp + inherits ::openstack::neutron::params { + + if $bgp_router_id { + class {'::neutron::bgp': + bgp_router_id => $bgp_router_id, + } + + class {'::neutron::services::bgpvpn': + } + + exec { 'systemctl enable neutron-bgp-dragent.service': + command => "systemctl enable neutron-bgp-dragent.service", + } + + exec { 'systemctl restart neutron-bgp-dragent.service': + command => "systemctl restart neutron-bgp-dragent.service", + } + + file { '/etc/pmon.d/': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + } + + file { "/etc/pmon.d/neutron-bgp-dragent.conf": + ensure => link, + target => "/etc/neutron/pmon/neutron-bgp-dragent.conf", + owner => 'root', + group => 'root', + } + } else { + exec { 'pmon-stop neutron-bgp-dragent': + command => "pmon-stop neutron-bgp-dragent", + } -> + exec { 'rm -f /etc/pmon.d/neutron-bgp-dragent.conf': + command => "rm -f /etc/pmon.d/neutron-bgp-dragent.conf", + } -> + exec { 'systemctl disable neutron-bgp-dragent.service': + command => "systemctl disable neutron-bgp-dragent.service", + } -> + exec { 'systemctl stop neutron-bgp-dragent.service': + command => "systemctl stop neutron-bgp-dragent.service", + } + } +} + + +class openstack::neutron::sfc ( + $sfc_drivers = undef, + $flowclassifier_drivers = undef, + $sfc_quota_flow_classifier = undef, + $sfc_quota_port_chain = undef, + $sfc_quota_port_pair_group = undef, + $sfc_quota_port_pair = undef, +) inherits ::openstack::neutron::params { + + if $sfc_drivers { + class {'::neutron::sfc': + sfc_drivers => $sfc_drivers, + flowclassifier_drivers => 
$flowclassifier_drivers, + quota_flow_classifier => $sfc_quota_flow_classifier, + quota_port_chain => $sfc_quota_port_chain, + quota_port_pair_group => $sfc_quota_port_pair_group, + quota_port_pair => $sfc_quota_port_pair, + } + } +} + + +class openstack::neutron::server { + + include ::platform::params + if $::platform::params::init_database { + include ::neutron::db::postgresql + } + include ::neutron::plugins::ml2 + + include ::neutron::server::notifications + + include ::neutron::keystone::authtoken + + class { '::neutron::server': + api_workers => $::platform::params::eng_workers, + rpc_workers => $::platform::params::eng_workers, + sync_db => $::platform::params::init_database, + } + + file { '/etc/neutron/api-paste.ini': + ensure => file, + mode => '0640', + } + + Class['::neutron::server'] -> File['/etc/neutron/api-paste.ini'] + + include ::openstack::neutron::bgp + include ::openstack::neutron::odl + include ::openstack::neutron::sfc +} + + +class openstack::neutron::agents + inherits ::openstack::neutron::params { + + if str2bool($::disable_compute_services) { + $pmon_ensure = absent + + class {'::neutron::agents::vswitch': + service_ensure => stopped, + } + class {'::neutron::agents::l3': + enabled => false + } + class {'::neutron::agents::dhcp': + enabled => false + } + class {'::neutron::agents::metadata': + enabled => false, + } + class {'::neutron::agents::ml2::sriov': + enabled => false + } + } else { + $pmon_ensure = link + + class {'::neutron::agents::metadata': + metadata_workers => $::platform::params::eng_workers_by_4 + } + + class { '::neutron::agents::l3': + enabled => $l3_agent_enabled, + } + + include ::neutron::agents::dhcp + include ::neutron::agents::ml2::sriov + } + + file { "/etc/pmon.d/neutron-dhcp-agent.conf": + ensure => $pmon_ensure, + target => "/etc/neutron/pmon/neutron-dhcp-agent.conf", + owner => 'root', + group => 'root', + mode => '0755', + } + + file { "/etc/pmon.d/neutron-metadata-agent.conf": + ensure => $pmon_ensure, + 
target => "/etc/neutron/pmon/neutron-metadata-agent.conf", + owner => 'root', + group => 'root', + mode => '0755', + } + + file { "/etc/pmon.d/neutron-sriov-nic-agent.conf": + ensure => $pmon_ensure, + target => "/etc/neutron/pmon/neutron-sriov-nic-agent.conf", + owner => 'root', + group => 'root', + mode => '0755', + } +} + + +class openstack::neutron::firewall + inherits ::openstack::neutron::params { + + platform::firewall::rule { 'neutron-api': + service_name => 'neutron', + ports => $api_port, + } + + if $bgp_router_id { + platform::firewall::rule { 'ryu-bgp-port': + service_name => 'neutron', + ports => $bgp_port, + } + } else { + platform::firewall::rule { 'ryu-bgp-port': + service_name => 'neutron', + ports => $bgp_port, + ensure => absent + } + } + +} + + +class openstack::neutron::haproxy + inherits ::openstack::neutron::params { + + platform::haproxy::proxy { 'neutron-restapi': + server_name => 's-neutron', + public_port => $api_port, + private_port => $api_port, + } +} + + +class openstack::neutron::api + inherits ::openstack::neutron::params { + + include ::platform::params + + if ($::openstack::neutron::params::service_create and + $::platform::params::init_keystone) { + + include ::neutron::keystone::auth + } + + if $::openstack::neutron::params::configure_endpoint { + include ::openstack::neutron::firewall + include ::openstack::neutron::haproxy + } +} + + +class openstack::neutron::server::reload { + platform::sm::restart {'neutron-server': } +} + + +class openstack::neutron::server::runtime { + include ::openstack::neutron + include ::openstack::neutron::server + include ::openstack::neutron::firewall + + class {'::openstack::neutron::server::reload': + stage => post + } +} diff --git a/puppet-manifests/src/modules/openstack/manifests/nova.pp b/puppet-manifests/src/modules/openstack/manifests/nova.pp new file mode 100644 index 000000000..9e5d4c3ba --- /dev/null +++ b/puppet-manifests/src/modules/openstack/manifests/nova.pp 
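Review bot: The `exec` resources in `openstack::neutron::bgp` have no `path`, `unless`, `onlyif` or `refreshonly`, so `systemctl restart neutron-bgp-dragent.service` restarts the BGP agent on every catalog apply and `pmon-stop`/`rm -f`/`systemctl disable` rerun unconditionally in the else branch; unless a resource default for `Exec` sets `path` elsewhere, the unqualified commands will also be rejected outright. Add `path => ['/usr/bin', '/bin', '/usr/sbin'],` to each exec, guard the enable with `unless => 'systemctl is-enabled neutron-bgp-dragent.service',` and make the restart `refreshonly => true, subscribe => Class['::neutron::bgp'],` so it only fires when the BGP configuration actually changes. In `openstack::neutron::server` the file resource for `/etc/neutron/api-paste.ini` sets `mode => '0640'` without `owner`/`group`, so whether the neutron service user can still read the file depends on what the package left on disk; pinning `owner => 'root', group => 'neutron',` makes the intended permission explicit.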
@@ -0,0 +1,701 @@
+class openstack::nova::params (
+ $nova_api_port = 8774,
+ $nova_ec2_port = 8773,
+ $placement_port = 8778,
+ $nova_novnc_port = 6080,
+ $nova_serial_port = 6083,
+ $region_name = undef,
+ $service_name = 'openstack-nova',
+ $service_create = false,
+ $configure_endpoint = true,
+ $timeout = '55m',
+) {
+ include ::platform::network::mgmt::params
+ include ::platform::network::infra::params
+
+ # migration is performed over the managemet network if configured, otherwise
+ # the management network is used
+ if $::platform::network::infra::params::interface_name {
+ $migration_version = $::platform::network::infra::params::subnet_version
+ $migration_ip = $::platform::network::infra::params::interface_address
+ $migration_network = $::platform::network::infra::params::subnet_network
+ $migration_prefixlen = $::platform::network::infra::params::subnet_prefixlen
+ } else {
+ $migration_version = $::platform::network::mgmt::params::subnet_version
+ $migration_ip = $::platform::network::mgmt::params::interface_address
+ $migration_network = $::platform::network::mgmt::params::subnet_network
+ $migration_prefixlen = $::platform::network::mgmt::params::subnet_prefixlen
+ }
+
+ # NOTE: this variable is used in the sshd_config, and therefore needs to
+ # match the Ruby ERB template.
+ $nova_migration_subnet = "${migration_network}/${migration_prefixlen}"
+}
+
+
+class openstack::nova {
+
+ include ::platform::params
+ include ::platform::amqp::params
+
+ include ::platform::network::mgmt::params
+ $metadata_host = $::platform::network::mgmt::params::controller_address
+
+ class { '::nova':
+ rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
+ default_transport_url => $::platform::amqp::params::transport_url,
+ }
+
+ # User nova is created during python-nova rpm install.
+ # Just update it's permissions.
+ user { 'nova':
+ ensure => 'present',
+ groups => ['nova', $::platform::params::protected_group_name],
+ }
+
+ # TODO(mpeters): move to nova puppet module as formal parameters
+ nova_config {
+ 'DEFAULT/notification_format': value => 'unversioned';
+ 'DEFAULT/metadata_host': value => $metadata_host;
+ }
+}
+
+class openstack::nova::sshd
+ inherits ::openstack::nova::params {
+
+ service { 'sshd':
+ ensure => 'running',
+ enable => true,
+ }
+
+ file { "/etc/ssh/sshd_config":
+ notify => Service['sshd'],
+ ensure => 'present' ,
+ mode => '0600',
+ owner => 'root',
+ group => 'root',
+ content => template('sshd/sshd_config.erb'),
+ }
+
+}
+
+class openstack::nova::controller
+ inherits ::openstack::nova::params {
+
+ include ::platform::params
+
+ if $::platform::params::init_database {
+ include ::nova::db::postgresql
+ include ::nova::db::postgresql_api
+ }
+
+ include ::nova::pci
+ include ::nova::scheduler
+ include ::nova::scheduler::filter
+ include ::nova::compute::ironic
+ include ::nova::compute::serial
+
+ include ::openstack::nova::sshd
+
+ # TODO(mpeters): move to nova puppet module as formal parameters
+ nova_config{
+ # network load balance, vswitch available utilization weigher
+ 'metrics/weight_multiplier': value => 1.0;
+ 'metrics/weight_setting': value => 'vswitch.max_avail=100.0';
+ 'metrics/weight_setting_multi': value => 'vswitch.multi_avail=100.0';
+ 'metrics/required': value => false;
+ 'metrics/weight_of_unavailable': value => -10000.0;
+ 'metrics/platform_cpu_threshold': value => 80;
+ 'metrics/platform_mem_threshold': value => 80;
+ }
+
+ class { '::nova::conductor':
+ workers => $::platform::params::eng_workers_by_2,
+ }
+
+ # Run nova-manage to purge deleted rows daily at 15 minute mark
+ cron { 'nova-purge-deleted':
+ ensure => 'present',
+ command => '/usr/bin/nova-purge-deleted-active',
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin',
+ minute => '15',
+ hour => '*/24',
+ user => 'root',
+ }
+}
+
+
+class openstack::nova::compute (
+ $ssh_keys,
+ $host_private_key,
+ $host_public_key,
+ $host_public_header,
+ $host_key_type,
+ $migration_private_key,
+ $migration_public_key,
+ $migration_key_type,
+ $pci_pt_whitelist = [],
+ $pci_sriov_whitelist = undef,
+ $iscsi_initiator_name = undef,
+) inherits ::openstack::nova::params {
+ include ::nova::pci
+ include ::platform::params
+
+ include ::platform::network::mgmt::params
+ include ::platform::network::infra::params
+ include ::nova::keystone::auth
+ include ::nova::keystone::authtoken
+
+ include ::openstack::nova::sshd
+
+ $host_private_key_file = $host_key_type ? {
+ 'ssh-rsa' => "/etc/ssh/ssh_host_rsa_key",
+ 'ssh-dsa' => "/etc/ssh/ssh_host_dsa_key",
+ 'ssh-ecdsa' => "/etc/ssh/ssh_host_ecdsa_key",
+ default => undef
+ }
+
+ if ! $host_private_key_file {
+ fail("Unable to determine name of private key file. Type specified was '${host_key_type}' but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa.")
+ }
+
+ $host_public_key_file = $host_key_type ? {
+ 'ssh-rsa' => "/etc/ssh/ssh_host_rsa_key.pub",
+ 'ssh-dsa' => "/etc/ssh/ssh_host_dsa_key.pub",
+ 'ssh-ecdsa' => "/etc/ssh/ssh_host_ecdsa_key.pub",
+ default => undef
+ }
+
+ if ! $host_public_key_file {
+ fail("Unable to determine name of public key file. Type specified was '${host_key_type}' but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa.")
+ }
+
+ file { '/etc/ssh':
+ ensure => directory,
+ mode => '0700',
+ owner => 'root',
+ group => 'root',
+ } ->
+
+ file { $host_private_key_file:
+ content => $host_private_key,
+ mode => '0600',
+ owner => 'root',
+ group => 'root',
+ } ->
+
+ file { $host_public_key_file:
+ content => "${host_public_header} ${host_public_key}",
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ }
+
+ $migration_private_key_file = $migration_key_type ? {
+ 'ssh-rsa' => '/root/.ssh/id_rsa',
+ 'ssh-dsa' => '/root/.ssh/id_dsa',
+ 'ssh-ecdsa' => '/root/.ssh/id_ecdsa',
+ default => undef
+ }
+
+ if ! $migration_private_key_file {
+ fail("Unable to determine name of private key file. Type specified was '${migration_key_type}' but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa.")
+ }
+
+ $migration_auth_options = [
+ "from=\"${nova_migration_subnet}\"",
+ "command=\"/usr/bin/nova_authorized_cmds\"" ]
+
+ file { '/root/.ssh':
+ ensure => directory,
+ mode => '0700',
+ owner => 'root',
+ group => 'root',
+ } ->
+
+ file { $migration_private_key_file:
+ content => $migration_private_key,
+ mode => '0600',
+ owner => 'root',
+ group => 'root',
+ } ->
+
+ ssh_authorized_key { 'nova-migration-key-authorization':
+ ensure => present,
+ key => $migration_public_key,
+ type => $migration_key_type,
+ user => 'root',
+ require => File['/root/.ssh'],
+ options => $migration_auth_options,
+ }
+
+ # remove root user's known_hosts as a preventive measure
+ # to ensure it doesn't interfere client side authentication
+ # during VM migration.
+ file { '/root/.ssh/known_hosts':
+ ensure => absent,
+ }
+
+ create_resources(sshkey, $ssh_keys, {})
+
+ class { '::nova::compute':
+ vncserver_proxyclient_address => $::platform::params::hostname,
+ }
+
+ if str2bool($::is_virtual) {
+ # check that we actually support KVM virtualization
+ $kvm_exists = inline_template("<% if File.exists?('/dev/kvm') -%>true<% else %>false<% end -%>")
+ if $::virtual == 'kvm' and str2bool($kvm_exists) {
+ $libvirt_virt_type = 'kvm'
+ } else {
+ $libvirt_virt_type = 'qemu'
+ }
+ } else {
+ $libvirt_virt_type = 'kvm'
+ }
+
+ $libvirt_vnc_bind_host = $migration_version ? {
+ 4 => '0.0.0.0',
+ 6 => '::0',
+ }
+
+ include ::openstack::glance::params
+ if "rbd" in $::openstack::glance::params::enabled_backends {
+ $libvirt_inject_partition = "-2"
+ $libvirt_images_type = "rbd"
+ } else {
+ $libvirt_inject_partition = "-1"
+ $libvirt_images_type = "default"
+ }
+
+ $compute_monitors = "cpu.virt_driver"
+
+ class { '::nova::compute::libvirt':
+ libvirt_virt_type => $libvirt_virt_type,
+ vncserver_listen => $libvirt_vnc_bind_host,
+ libvirt_inject_partition => $libvirt_inject_partition,
+ }
+
+ # TODO(mpeters): convert hard coded config values to hiera class parameters
+ nova_config {
+ 'DEFAULT/my_ip': value => $migration_ip;
+
+ 'libvirt/libvirt_images_type': value => $libvirt_images_type;
+ 'libvirt/live_migration_inbound_addr': value => "${::platform::params::hostname}-infra";
+ 'libvirt/live_migration_uri': ensure => absent;
+
+ # enable auto-converge by default
+ 'libvirt/live_migration_permit_auto_converge': value => "True";
+
+ # Change the nfs mount options to provide faster detection of unclean
+ # shutdown (e.g. if controller is powered down).
+ "DEFAULT/nfs_mount_options": value => $::platform::params::nfs_mount_options;
+
+ # WRS extension: compute_resource_debug
+ "DEFAULT/compute_resource_debug": value => "False";
+
+ # WRS extension: reap running deleted VMs
+ "DEFAULT/running_deleted_instance_action": value => "reap";
+ "DEFAULT/running_deleted_instance_poll_interval": value => "60";
+
+ # Delete rbd_user, for now
+ "DEFAULT/rbd_user": ensure => 'absent';
+
+ # write metadata to a special configuration drive
+ "DEFAULT/mkisofs_cmd": value => "/usr/bin/genisoimage";
+
+ # configure metrics
+ "DEFAULT/compute_available_monitors":
+ value => "nova.compute.monitors.all_monitors";
+ "DEFAULT/compute_monitors": value => $compute_monitors;
+
+ # need retries under heavy I/O loads
+ "DEFAULT/network_allocate_retries": value => 2;
+
+ # TODO(mpeters): confirm if this is still required - deprecated
+ 'DEFAULT/volume_api_class': value => 'nova.volume.cinder.API';
+
+ 'DEFAULT/default_ephemeral_format': value => 'ext4';
+
+ # turn on service tokens
+ 'service_user/send_service_user_token': value => 'true';
+ 'service_user/project_name': value => $::nova::keystone::auth::tenant;
+ 'service_user/password': value => $::nova::keystone::auth::password;
+ 'service_user/username': value => $::nova::keystone::auth::auth_name;
+ 'service_user/region_name': value => $::nova::keystone::auth::region;
+ 'service_user/auth_url': value => $::nova::keystone::authtoken::auth_url;
+ 'service_user/user_domain_name': value => $::nova::keystone::authtoken::user_domain_name;
+ 'service_user/project_domain_name': value => $::nova::keystone::authtoken::project_domain_name;
+ 'service_user/auth_type': value => 'password';
+ }
+
+ file_line {'cgroup_controllers':
+ ensure => present,
+ path => '/etc/libvirt/qemu.conf',
+ line => 'cgroup_controllers = [ "cpu", "cpuacct" ]',
+ match => '^cgroup_controllers = .*',
+ }
+
+ class { '::nova::compute::neutron':
+ libvirt_vif_driver => 'nova.virt.libvirt.vif.LibvirtGenericVIFDriver',
+ libvirt_qemu_dpdk_options => 'type=secondary,prefix=vs,channels=4,cpu=0',
+ }
+
+ # The pci_passthrough option in the nova::compute class is not sufficient.
+ # In particular, it sets the pci_passthrough_whitelist in nova.conf to an
+ # empty string if the list is empty, causing the nova-compute process to fail.
+ if $pci_sriov_whitelist {
+ class { '::nova::compute::pci':
+ passthrough => generate("/usr/bin/nova-sriov",
+ $pci_pt_whitelist, $pci_sriov_whitelist),
+ }
+ } else {
+ class { '::nova::compute::pci':
+ passthrough => $pci_pt_whitelist,
+ }
+ }
+
+ if $iscsi_initiator_name {
+ $initiator_content = "InitiatorName=${iscsi_initiator_name}\n"
+ file { "/etc/iscsi/initiatorname.iscsi":
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $initiator_content,
+ } ->
+ exec { "Restart iscsid.service":
+ command => "bash -c 'systemctl restart iscsid.service'",
+ onlyif => "systemctl status iscsid.service",
+ }
+ }
+}
+
+define openstack::nova::storage::wipe_new_pv {
+ $cmd = join(["/sbin/pvs --nosuffix --noheadings ",$name," 2>/dev/null | grep nova-local || true"])
+ $result = generate("/bin/sh", "-c", $cmd)
+ if $result !~ /nova-local/ {
+ exec { "Wipe New PV not in VG - $name":
+ provider => shell,
+ command => "wipefs -a $name",
+ before => Lvm::Volume[instances_lv],
+ require => Exec['remove device mapper mapping']
+ }
+ }
+}
+
+define openstack::nova::storage::wipe_pv_and_format {
+ if $name !~ /part/ {
+ exec { "Wipe removing PV $name":
+ provider => shell,
+ command => "wipefs -a $name",
+ require => File_line[disable_old_lvg_disks]
+ } ->
+ exec { "GPT format disk PV - $name":
+ provider => shell,
+ command => "parted -a optimal --script $name -- mktable gpt",
+ }
+ }
+ else {
+ exec { "Wipe removing PV $name":
+ provider => shell,
+ command => "wipefs -a $name",
+ require => File_line[disable_old_lvg_disks]
+ }
+ }
+}
+
+class openstack::nova::storage (
+ $adding_pvs,
+ $removing_pvs,
+ $final_pvs,
+ $lvm_global_filter = '[]',
+ $lvm_update_filter = '[]',
+ $instance_backing = 'image',
+ $instances_lv_size = 0,
+ $concurrent_disk_operations = 2,
+) {
+ $adding_pvs_str = join($adding_pvs," ")
+ $removing_pvs_str = join($removing_pvs," ")
+
+ # Ensure partitions update prior to local storage configuration
+ Class['::platform::partitions'] -> Class[$name]
+
+ case $instance_backing {
+ 'image': {
+ $images_type = 'default'
+ $images_volume_group = absent
+ $images_rbd_pool = absent
+ $round_to_extent = false
+ $local_monitor_state = 'disabled'
+ $instances_lv_size_real = 'max'
+ }
+ 'lvm': {
+ $images_type = 'lvm'
+ $images_volume_group = 'nova-local'
+ $images_rbd_pool = absent
+ $round_to_extent = true
+ $local_monitor_state = 'enabled'
+ $instances_lv_size_real = $instances_lv_size
+ }
+ 'remote': {
+ $images_type = 'rbd'
+ $images_volume_group = absent
+ $images_rbd_pool = 'ephemeral'
+ $round_to_extent = false
+ $local_monitor_state = 'disabled'
+ $instances_lv_size_real = 'max'
+ }
+ default: {
+ fail("Unsupported instance backing: ${instance_backing}")
+ }
+ }
+
+ nova_config {
+ "DEFAULT/concurrent_disk_operations": value => $concurrent_disk_operations;
+ }
+
+ ::openstack::nova::storage::wipe_new_pv { $adding_pvs: }
+ ::openstack::nova::storage::wipe_pv_and_format { $removing_pvs: }
+
+ file_line { 'enable_new_lvg_disks':
+ path => '/etc/lvm/lvm.conf',
+ line => " global_filter = ${lvm_update_filter}",
+ match => '^[ ]*global_filter =',
+ } ->
+ nova_config {
+ "libvirt/images_type": value => $images_type;
+ "libvirt/images_volume_group": value => $images_volume_group;
+ "libvirt/images_rbd_pool": value => $images_rbd_pool;
+ } ->
+ exec { 'umount /etc/nova/instances':
+ command => 'umount /etc/nova/instances; true',
+ } ->
+ exec { 'umount /dev/nova-local/instances_lv':
+ command => 'umount /dev/nova-local/instances_lv; true',
+ } ->
+ exec { 'remove udev leftovers':
+ unless => 'vgs nova-local',
+ command => 'rm -rf /dev/nova-local || true',
+ } ->
+ exec { 'remove device mapper mapping':
+ command => "dmsetup remove /dev/mapper/nova--local-instances_lv || true",
+ } ->
+ file_line { 'disable_old_lvg_disks':
+ path => '/etc/lvm/lvm.conf',
+ line => " global_filter = ${lvm_global_filter}",
+ match => '^[ ]*global_filter =',
+ } ->
+ exec { 'add device mapper mapping':
+ command => 'lvchange -ay /dev/nova-local/instances_lv || true',
+ } ->
+ lvm::volume { 'instances_lv':
+ ensure => 'present',
+ vg => 'nova-local',
+ pv => $final_pvs,
+ size => $instances_lv_size_real,
+ round_to_extent => $round_to_extent,
+ allow_reduce => true,
+ nuke_fs_on_resize_failure => true,
+ } ->
+ filesystem { '/dev/nova-local/instances_lv':
+ ensure => present,
+ fs_type => 'ext4',
+ options => '-F -F',
+ require => Logical_volume['instances_lv']
+ } ->
+ file { '/etc/nova/instances':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ } ->
+ exec { 'mount /dev/nova-local/instances_lv':
+ unless => 'mount | grep -q /etc/nova/instances',
+ command => 'mount -t ext4 /dev/nova-local/instances_lv /etc/nova/instances',
+ } ->
+ exec { "Update nova-local monitoring state to ${local_monitor_state}":
+ command => "rmon_resource_notify --resource-name nova-local --resource-type lvg --resource-state ${local_monitor_state} --volume-group nova-local",
+ logoutput => true,
+ tries => 2,
+ try_sleep => 1,
+ returns => [ 0, 1 ],
+ } ->
+ exec { 'Enable instance_lv monitoring':
+ command => "rmon_resource_notify --resource-name /etc/nova/instances --resource-type mount --resource-state enabled --device /dev/mapper/nova--local-instances_lv --mount-point /etc/nova/instances",
+ logoutput => true,
+ tries => 2,
+ try_sleep => 1,
+ returns => [ 0, 1 ],
+ }
+}
+
+
+class openstack::nova::network {
+ include ::nova::network::neutron
+}
+
+
+class openstack::nova::placement {
+ include ::nova::placement
+}
+
+
+class openstack::nova::firewall
+ inherits ::openstack::nova::params {
+
+ platform::firewall::rule { 'nova-api-rules':
+ service_name => 'nova',
+ ports => $nova_api_port,
+ }
+
+ platform::firewall::rule { 'nova-placement-api':
+ service_name => 'placement',
+ ports => $placement_port,
+ }
+
+ platform::firewall::rule { 'nova-novnc':
+ service_name => 'nova-novnc',
+ ports => $nova_novnc_port,
+ }
+
+ platform::firewall::rule { 'nova-serial':
+ service_name => 'nova-serial',
+ ports => $nova_serial_port,
+ }
+}
+
+
+class openstack::nova::haproxy
+ inherits ::openstack::nova::params {
+
+ platform::haproxy::proxy { 'nova-restapi':
+ server_name => 's-nova',
+ public_port => $nova_api_port,
+ private_port => $nova_api_port,
+ }
+
+ platform::haproxy::proxy { 'placement-restapi':
+ server_name => 's-placement',
+ public_port => $placement_port,
+ private_port => $placement_port,
+ }
+
+ platform::haproxy::proxy { 'nova-novnc':
+ server_name => 's-nova-novnc',
+ public_port => $nova_novnc_port,
+ private_port => $nova_novnc_port,
+ x_forwarded_proto => false,
+ }
+
+ platform::haproxy::proxy { 'nova-serial':
+ server_name => 's-nova-serial',
+ public_port => $nova_serial_port,
+ private_port => $nova_serial_port,
+ server_timeout => $timeout,
+ client_timeout => $timeout,
+ x_forwarded_proto => false,
+ }
+}
+
+
+class openstack::nova::api::services
+ inherits ::openstack::nova::params {
+
+ include ::nova::pci
+ include ::platform::params
+
+ include ::nova::vncproxy
+ include ::nova::serialproxy
+ include ::nova::consoleauth
+ include ::nova_api_proxy::config
+
+ class {'::nova::api':
+ sync_db => $::platform::params::init_database,
+ sync_db_api => $::platform::params::init_database,
+ osapi_compute_workers => $::platform::params::eng_workers,
+ metadata_workers => $::platform::params::eng_workers,
+ }
+}
+
+
+class openstack::nova::api
+ inherits ::openstack::nova::params {
+
+ include ::platform::params
+
+ if ($::openstack::nova::params::service_create and
+ $::platform::params::init_keystone) {
+ include ::nova::keystone::auth
+ include ::nova::keystone::auth_placement
+ }
+
+ include ::openstack::nova::api::services
+
+ if $::openstack::nova::params::configure_endpoint {
+ include ::openstack::nova::firewall
+ include ::openstack::nova::haproxy
+ }
+}
+
+
+class openstack::nova::conductor::reload {
+ exec { 'signal-nova-conductor':
+ command => "pkill -HUP nova-conductor",
+ }
+}
+
+
+class openstack::nova::api::reload {
+ platform::sm::restart {'nova-api': }
+}
+
+
+class openstack::nova::controller::runtime {
+ include ::openstack::nova
+ include ::openstack::nova::controller
+ include ::openstack::nova::api::services
+
+ class {'::openstack::nova::api::reload':
+ stage => post
+ }
+
+ class {'::openstack::nova::conductor::reload':
+ stage => post
+ }
+}
+
+
+class openstack::nova::api::runtime {
+
+ # both the service configuration and firewall/haproxy needs to be updated
+ include ::openstack::nova
+ include ::openstack::nova::api
+ include ::nova::compute::serial
+
+ class {'::openstack::nova::api::reload':
+ stage => post
+ }
+}
+
+
+class openstack::nova::compute::reload {
+ exec { 'pmon-restart-nova-compute':
+ command => "pmon-restart nova-compute",
+ }
+}
+
+
+class openstack::nova::compute::runtime {
+ include ::openstack::nova
+ include ::openstack::nova::compute
+
+ class {'::openstack::nova::compute::reload':
+ stage => post
+ }
+}
+
+
+class openstack::nova::upgrade {
+ include ::nova::keystone::auth_placement
+}
diff --git a/puppet-manifests/src/modules/openstack/manifests/panko.pp b/puppet-manifests/src/modules/openstack/manifests/panko.pp
new file mode 100644
index 000000000..024daa4db
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/manifests/panko.pp
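Review bot: In `openstack::nova::storage::wipe_new_pv` and `wipe_pv_and_format`, `$name` is spliced unvalidated into `/bin/sh -c` via `generate()` and into the destructive `wipefs -a $name` / `parted ... $name` execs (`provider => shell`), so an entry in `$adding_pvs`/`$removing_pvs` that is not a plain device path is interpreted by the shell instead of being rejected. A guard at the top of each define, `if $name !~ /^\/dev\/[A-Za-z0-9\/_.-]+$/ { fail("Unexpected PV path '${name}'") }`, limits the wipe to well-formed device nodes. Note also that `generate()` runs at catalog compile time, so the `pvs ... | grep nova-local` probe reflects the compiling host; that only matches the target when catalogs are compiled locally, and with a master-compiled catalog the decision to wipe would be taken from the master's view of the disks. The execs in `conductor::reload` and `compute::reload` use unqualified `pkill`/`pmon-restart` with no `path`, which works only if an `Exec` resource default sets `path` elsewhere, and the comment in `openstack::nova::params` should read "over the infrastructure network if configured, otherwise the management network is used".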
@@ -0,0 +1,117 @@
+class openstack::panko::params (
+ $api_port = 8977,
+ $region_name = undef,
+ $service_name = 'openstack-panko',
+ $service_create = false,
+ $event_time_to_live = '-1',
+ $service_enabled = true,
+) { }
+
+class openstack::panko
+ inherits ::openstack::panko::params {
+
+ if $service_enabled {
+
+ include ::platform::params
+
+ include ::panko::client
+ include ::panko::keystone::authtoken
+
+ if $::platform::params::init_database {
+ include ::panko::db::postgresql
+ }
+
+ class { '::panko::db':
+ }
+
+ panko_config {
+ 'database/event_time_to_live': value => $event_time_to_live;
+ }
+
+ # WRS register panko-expirer-active in cron to run once each hour
+ cron { 'panko-expirer':
+ ensure => 'present',
+ command => '/usr/bin/panko-expirer-active',
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin',
+ minute => 10,
+ hour => '*',
+ monthday => '*',
+ user => 'root',
+ }
+ }
+}
+
+
+class openstack::panko::firewall
+ inherits ::openstack::panko::params {
+
+ platform::firewall::rule { 'panko-api':
+ service_name => 'panko',
+ ports => $api_port,
+ }
+}
+
+class openstack::panko::haproxy
+ inherits ::openstack::panko::params {
+
+ platform::haproxy::proxy { 'panko-restapi':
+ server_name => 's-panko-restapi',
+ public_port => $api_port,
+ private_port => $api_port,
+ }
+}
+
+
+class openstack::panko::api
+ inherits ::openstack::panko::params {
+
+ include ::platform::params
+
+ # The panko user and service are always required and they
+ # are used by subclouds when the service itself is disabled
+ # on System Controller
+ # whether it creates the endpoint is determined by
+ # panko::keystone::auth::configure_endpoint which is
+ # set via sysinv puppet
+ if $::openstack::panko::params::service_create and
+ $::platform::params::init_keystone {
+ include ::panko::keystone::auth
+ }
+
+ if $service_enabled {
+
+ $api_workers = $::platform::params::eng_workers_by_2
+
+ include ::platform::network::mgmt::params
+ $api_host = $::platform::network::mgmt::params::controller_address
+ $url_host = $::platform::network::mgmt::params::controller_address_url
+
+ if $::platform::params::init_database {
+ include ::panko::db::postgresql
+ }
+
+ file { '/usr/share/panko/panko-api.conf':
+ ensure => file,
+ content => template('openstack/panko-api.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ } ->
+ class { '::panko::api':
+ host => $api_host,
+ workers => $api_workers,
+ sync_db => $::platform::params::init_database,
+ }
+
+ include ::openstack::panko::firewall
+ include ::openstack::panko::haproxy
+ }
+}
+
+class openstack::panko::runtime
+ inherits ::openstack::panko::params {
+
+ panko_config {
+ 'database/event_time_to_live': value => $event_time_to_live;
+ }
+}
diff --git a/puppet-manifests/src/modules/openstack/templates/aodh-api.conf.erb b/puppet-manifests/src/modules/openstack/templates/aodh-api.conf.erb
new file mode 100644
index 000000000..f6a5176cc
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/aodh-api.conf.erb
@@ -0,0 +1 @@
+bind='<%= @url_host %>:<%= @api_port %>'
diff --git a/puppet-manifests/src/modules/openstack/templates/ceilometer-api.conf.erb b/puppet-manifests/src/modules/openstack/templates/ceilometer-api.conf.erb
new file mode 100644
index 000000000..766f1e417
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/ceilometer-api.conf.erb
@@ -0,0 +1,2 @@
+bind='<%= @url_host %>:<%= @api_port %>'
+workers=<%= @api_workers %>
diff --git a/puppet-manifests/src/modules/openstack/templates/cinder-lvm-simplex.erb b/puppet-manifests/src/modules/openstack/templates/cinder-lvm-simplex.erb
new file mode 100644
index 000000000..e9dbad88a
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/cinder-lvm-simplex.erb
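Review bot: `openstack::panko::runtime` sets `database/event_time_to_live` unconditionally, while `openstack::panko` only manages that key inside `if $service_enabled`, so a runtime apply on a host where the service is disabled writes panko configuration that the main class deliberately leaves alone. Wrapping the `panko_config` block in the same `if $service_enabled { ... }` guard keeps the two classes consistent. Stylistically, `class { '::panko::db': }` with no parameters is just `include ::panko::db`, matching the surrounding includes, and the six-line comment in `openstack::panko::api` reads as one run-on sentence; splitting it after "on System Controller." would make the two separate statements (user/service always created; endpoint creation decided by `configure_endpoint`) clearer.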
@@ -0,0 +1,21 @@
+lvremove <%= @cinder_vg_name %> -f || true
+pvremove <%= @cinder_device %> --force --force -y || true
+dd if=/dev/zero of=<%= @cinder_disk %> bs=512 count=34
+size=$(blockdev --getsz <%= @cinder_disk %>)
+dd if=/dev/zero of=<%= @cinder_disk %> bs=512 seek=$(($size - 34)) count=34
+
+echo 'Wait for udev on disk before continuing'
+udevadm settle
+
+echo 'Create partition table'
+parted -a optimal --script <%= @cinder_disk %> -- mktable gpt
+
+echo 'Create primary partition'
+parted -a optimal --script <%= @cinder_disk %> -- mkpart primary 2 100%
+
+echo 'Wait for udev before continuing'
+udevadm settle
+
+echo 'Wipe'
+wipefs -a <%= @cinder_device %>
+
diff --git a/puppet-manifests/src/modules/openstack/templates/horizon-params.erb b/puppet-manifests/src/modules/openstack/templates/horizon-params.erb
new file mode 100644
index 000000000..115fa8320
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/horizon-params.erb
@@ -0,0 +1,11 @@
+[horizon_params]
+https_enabled = <%= @enable_https %>
+[auth]
+lockout_period = <%= @lockout_period %>
+lockout_retries = <%= @lockout_retries %>
+[optional_tabs]
+murano_enabled = <%= @murano_enabled %>
+magnum_enabled = <%= @magnum_enabled %>
+[deployment]
+workers = <%= @workers %>
+
diff --git a/puppet-manifests/src/modules/openstack/templates/horizon-region-config.erb b/puppet-manifests/src/modules/openstack/templates/horizon-region-config.erb
new file mode 100644
index 000000000..93546b344
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/horizon-region-config.erb
@@ -0,0 +1,4 @@
+[shared_services]
+region_name = <%= @region_2_name %>
+openstack_host = <%= @region_openstack_host %>
+
diff --git a/puppet-manifests/src/modules/openstack/templates/keystone-extra.conf.erb b/puppet-manifests/src/modules/openstack/templates/keystone-extra.conf.erb
new file mode 100644
index 000000000..dfbe4a0f4
--- /dev/null
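Review bot: The tail-of-disk wipe `seek=$(($size - 34))` has no protection against `blockdev --getsz` failing: `$size` is then empty, the arithmetic yields `-34`, that `dd` fails, and the script still proceeds to `parted` and `wipefs` because nothing sets `set -e` (the explicit `|| true` on `lvremove`/`pvremove` marks the only failures that are meant to be tolerated). Adding `set -e` as the first line and `[ -b "<%= @cinder_disk %>" ] || exit 1` before the first `dd` stops the destructive sequence at the first unexpected error instead of running it against a half-known device. The device names are interpolated unquoted everywhere; quoting them (`"<%= @cinder_disk %>"`, `"<%= @cinder_device %>"`) keeps a value containing whitespace from splitting into several arguments. How and by which interpreter this rendered script is executed is outside the hunk, so `set -e` semantics should be confirmed against the caller.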
+++ b/puppet-manifests/src/modules/openstack/templates/keystone-extra.conf.erb
@@ -0,0 +1,2 @@
+PUBLIC_BIND_ADDR=<%= @bind_host %>
+TIS_PUBLIC_WORKERS=<%=@eng_workers %>
diff --git a/puppet-manifests/src/modules/openstack/templates/lighttpd-inc.conf.erb b/puppet-manifests/src/modules/openstack/templates/lighttpd-inc.conf.erb
new file mode 100644
index 000000000..2031858c0
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/lighttpd-inc.conf.erb
@@ -0,0 +1,2 @@
+var.management_ip_network = "<%= @mgmt_subnet_network %>/<%= @mgmt_subnet_prefixlen %>"
+var.pxeboot_ip_network = "<%= @pxeboot_subnet_network %>/<%= @pxeboot_subnet_prefixlen %>"
diff --git a/puppet-manifests/src/modules/openstack/templates/lighttpd.conf.erb b/puppet-manifests/src/modules/openstack/templates/lighttpd.conf.erb
new file mode 100755
index 000000000..6be64f051
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/lighttpd.conf.erb
@@ -0,0 +1,389 @@ +# This file is managed by Puppet. DO NOT EDIT. + +# lighttpd configuration file +# +# use it as a base for lighttpd 1.0.0 and above +# +# $Id: lighttpd.conf,v 1.7 2004/11/03 22:26:05 weigon Exp $ + +############ Options you really have to take care of #################### + +## modules to load +# at least mod_access and mod_accesslog should be loaded +# all other module should only be loaded if really neccesary +# - saves some time +# - saves memory +server.modules = ( +# "mod_rewrite", +# "mod_redirect", +# "mod_alias", + "mod_access", +# "mod_cml", +# "mod_trigger_b4_dl", +# "mod_auth", +# "mod_status", +# "mod_setenv", +# "mod_fastcgi", + "mod_proxy", +# "mod_simple_vhost", +# "mod_evhost", +# "mod_userdir", +# "mod_cgi", +# "mod_compress", +# "mod_ssi", +# "mod_usertrack", +# "mod_expire", +# "mod_secdownload", +# "mod_rrdtool", +# "mod_webdav", + "mod_setenv", + "mod_accesslog" ) + +## a static document-root, for virtual-hosting take look at the +## server.virtual-* options +server.document-root = "/pages/" + +## where to send error-messages to +server.errorlog = "/var/log/lighttpd-error.log" + +# files to check for if .../ is requested +index-file.names = ( "index.php", "index.html", + "index.htm", "default.htm" ) + +## set the event-handler (read the performance section in the manual) +# server.event-handler = "freebsd-kqueue" # needed on OS X + +# mimetype mapping +mimetype.assign = ( + ".pdf" => "application/pdf", + ".sig" => "application/pgp-signature", + ".spl" => "application/futuresplash", + ".class" => "application/octet-stream", + ".ps" => "application/postscript", + ".torrent" => "application/x-bittorrent", + ".dvi" => "application/x-dvi", + ".gz" => "application/x-gzip", + ".pac" => "application/x-ns-proxy-autoconfig", + ".swf" => "application/x-shockwave-flash", + ".tar.gz" => "application/x-tgz", + ".tgz" => "application/x-tgz", + ".tar" => "application/x-tar", + ".zip" => "application/zip", + ".mp3" => "audio/mpeg", + ".m3u" 
=> "audio/x-mpegurl", + ".wma" => "audio/x-ms-wma", + ".wax" => "audio/x-ms-wax", + ".ogg" => "application/ogg", + ".wav" => "audio/x-wav", + ".gif" => "image/gif", + ".jpg" => "image/jpeg", + ".jpeg" => "image/jpeg", + ".png" => "image/png", + ".svg" => "image/svg+xml", + ".xbm" => "image/x-xbitmap", + ".xpm" => "image/x-xpixmap", + ".xwd" => "image/x-xwindowdump", + ".css" => "text/css", + ".html" => "text/html", + ".htm" => "text/html", + ".js" => "text/javascript", + ".asc" => "text/plain", + ".c" => "text/plain", + ".cpp" => "text/plain", + ".log" => "text/plain", + ".conf" => "text/plain", + ".text" => "text/plain", + ".txt" => "text/plain", + ".dtd" => "text/xml", + ".xml" => "text/xml", + ".mpeg" => "video/mpeg", + ".mpg" => "video/mpeg", + ".mov" => "video/quicktime", + ".qt" => "video/quicktime", + ".avi" => "video/x-msvideo", + ".asf" => "video/x-ms-asf", + ".asx" => "video/x-ms-asf", + ".wmv" => "video/x-ms-wmv", + ".bz2" => "application/x-bzip", + ".tbz" => "application/x-bzip-compressed-tar", + ".tar.bz2" => "application/x-bzip-compressed-tar", + ".rpm" => "application/x-rpm", + ".cfg" => "text/plain" + ) + +# Use the "Content-Type" extended attribute to obtain mime type if possible +#mimetype.use-xattr = "enable" + + +## send a different Server: header +## be nice and keep it at lighttpd +# server.tag = "lighttpd" + +#### accesslog module +accesslog.filename = "/var/log/lighttpd-access.log" + + +## deny access the file-extensions +# +# ~ is for backupfiles from vi, emacs, joe, ... 
+# .inc is often used for code includes which should in general not be part +# of the document-root +url.access-deny = ( "~", ".inc" ) + +$HTTP["url"] =~ "\.pdf$" { + server.range-requests = "disable" +} + +## +# which extensions should not be handle via static-file transfer +# +# .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi +static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) + +######### Options that are good to be but not neccesary to be changed ####### + +## bind to port (default: 80) +#server.port = 81 + +## bind to localhost (default: all interfaces) +#server.bind = "grisu.home.kneschke.de" + +## error-handler for status 404 +#server.error-handler-404 = "/error-handler.html" +#server.error-handler-404 = "/error-handler.php" + +## to help the rc.scripts +server.pid-file = "/var/run/lighttpd.pid" + + +###### virtual hosts +## +## If you want name-based virtual hosting add the next three settings and load +## mod_simple_vhost +## +## document-root = +## virtual-server-root + virtual-server-default-host + virtual-server-docroot +## or +## virtual-server-root + http-host + virtual-server-docroot +## +#simple-vhost.server-root = "/home/weigon/wwwroot/servers/" +#simple-vhost.default-host = "grisu.home.kneschke.de" +#simple-vhost.document-root = "/pages/" + + +## +## Format: .html +## -> ..../status-404.html for 'File not found' +#server.errorfile-prefix = "/home/weigon/projects/lighttpd/doc/status-" + +## virtual directory listings +## +## disabled as per Nessus scan CVE: 5.0 40984 +## Please do NOT enable as this is a security +## vulnerability. 
If you want dir listing for +## our dir path then a) either add a dir index (index.html) +## file within your dir path, or b) add your path as an exception +## rule (see the one for feeds/ dir below) +dir-listing.activate = "disable" + +## enable debugging +#debug.log-request-header = "enable" +#debug.log-response-header = "enable" +#debug.log-request-handling = "enable" +#debug.log-file-not-found = "enable" + +### only root can use these options +# +# chroot() to directory (default: no chroot() ) +server.chroot = "/www" + +## change uid to (default: don't care) +server.username = "www" + +## change uid to (default: don't care) +server.groupname = "wrs_protected" + +## defaults to /var/tmp +server.upload-dirs = ( "/tmp" ) + +## change max-keep-alive-idle (default: 5 secs) +server.max-keep-alive-idle = 0 + +#### compress module +#compress.cache-dir = "/tmp/lighttpd/cache/compress/" +#compress.filetype = ("text/plain", "text/html") + +#### proxy module +## read proxy.txt for more info + +# Proxy all non-static content to the local horizon dashboard +$HTTP["url"] !~ "^/(rel-[^/]*|feed|updates|static)/" { + proxy.server = ( "" => + ( "localhost" => + ( + "host" => "127.0.0.1", + "port" => 8080 + ) + ) + ) +} + +#### fastcgi module +## read fastcgi.txt for more info +## for PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini +#fastcgi.server = ( ".php" => +# ( "localhost" => +# ( +# "socket" => "/tmp/php-fastcgi.socket", +# "bin-path" => "/usr/local/bin/php" +# ) +# ) +# ) + +#### CGI module +#cgi.assign = ( ".pl" => "/usr/bin/perl", +# ".cgi" => "/usr/bin/perl" ) +# + +#### SSL engine +$SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/ssl/private/server-cert.pem" + ssl.use-sslv2 = "disable" + ssl.use-sslv3 = "disable" + ssl.cipher-list = 
"ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!DES:!MD5:!PSK:!RC4:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!DES-CBC3-SHA:!AES128-SHA:!AES256-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA" +} + +#### Listen to IPv6 +$SERVER["socket"] == "[::]:80" { } +$SERVER["socket"] == "[::]:443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/ssl/private/server-cert.pem" + ssl.use-sslv2 = "disable" + ssl.use-sslv3 = "disable" + ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!DES:!MD5:!PSK:!RC4:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!DES-CBC3-SHA:!AES128-SHA:!AES256-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA" +} + +#### status module +#status.status-url = "/server-status" +#status.config-url = "/server-config" + +#### auth module +## read authentication.txt for more info +#auth.backend = "plain" +#auth.backend.plain.userfile = "lighttpd.user" +#auth.backend.plain.groupfile = "lighttpd.group" + +#auth.backend.ldap.hostname = "localhost" +#auth.backend.ldap.base-dn = "dc=my-domain,dc=com" +#auth.backend.ldap.filter = "(uid=$)" + +#auth.require = ( "/server-status" => +# ( +# "method" => "digest", +# "realm" => "download archiv", +# "require" => "user=jan" +# ), +# "/server-config" => +# ( +# "method" => "digest", +# "realm" => "download archiv", +# "require" => "valid-user" +# ) +# ) + +#### url handling modules (rewrite, redirect, access) +#url.rewrite = ( 
"^/$" => "/server-status" ) +#url.redirect = ( "^/wishlist/(.+)" => "http://www.123.org/$1" ) + +#### both rewrite/redirect support back reference to regex conditional using %n +#$HTTP["host"] =~ "^www\.(.*)" { +# url.redirect = ( "^/(.*)" => "http://%1/$1" ) +#} + +# +# define a pattern for the host url finding +# %% => % sign +# %0 => domain name + tld +# %1 => tld +# %2 => domain name without tld +# %3 => subdomain 1 name +# %4 => subdomain 2 name +# +#evhost.path-pattern = "/home/storage/dev/www/%3/htdocs/" + +#### expire module +#expire.url = ( "/buggy/" => "access 2 hours", "/asdhas/" => "access plus 1 seconds 2 minutes") + +#### ssi +#ssi.extension = ( ".shtml" ) + +#### rrdtool +#rrdtool.binary = "/usr/bin/rrdtool" +#rrdtool.db-name = "/var/www/lighttpd.rrd" + +#### setenv +#setenv.add-request-header = ( "TRAV_ENV" => "mysql://user@host/db" ) +#setenv.add-response-header = ( "X-Secret-Message" => "42" ) + +## for mod_trigger_b4_dl +# trigger-before-download.gdbm-filename = "/home/weigon/testbase/trigger.db" +# trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" ) +# trigger-before-download.trigger-url = "^/trigger/" +# trigger-before-download.download-url = "^/download/" +# trigger-before-download.deny-url = "http://127.0.0.1/index.html" +# trigger-before-download.trigger-timeout = 10 + +## for mod_cml +## don't forget to add index.cml to server.indexfiles +# cml.extension = ".cml" +# cml.memcache-hosts = ( "127.0.0.1:11211" ) + +#### variable usage: +## variable name without "." is auto prefixed by "var." and becomes "var.bar" +#bar = 1 +#var.mystring = "foo" + +## integer add +#bar += 1 +## string concat, with integer cast as string, result: "www.foo1.com" +#server.name = "www." 
+ mystring + var.bar + ".com" +## array merge +#index-file.names = (foo + ".php") + index-file.names +#index-file.names += (foo + ".php") + +#### include +#include /etc/lighttpd/lighttpd-inc.conf +## same as above if you run: "lighttpd -f /etc/lighttpd/lighttpd.conf" +#include "lighttpd-inc.conf" + +#### include_shell +#include_shell "echo var.a=1" +## the above is same as: +#var.a=1 + +# deny access to feed directories for external connections. +# Only enable access to dir listing for feed directory if on internal network +# (i.e. mgmt or pxeboot networks) +include "/etc/lighttpd/lighttpd-inc.conf" +$HTTP["remoteip"] != "127.0.0.1" { + $HTTP["url"] =~ "^/(rel-[^/]*|feed|updates)/" { + dir-listing.activate = "enable" + } + $HTTP["remoteip"] != var.management_ip_network { + $HTTP["remoteip"] != var.pxeboot_ip_network { + $HTTP["url"] =~ "^/(rel-[^/]*|feed|updates)/" { + url.access-deny = ( "" ) + } + } + } +} +$HTTP["scheme"] == "https" { + setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; ") +} + +<%- unless @tpm_object.nil? -%> +server.tpm-object = "<%= @tpm_object %>" +server.tpm-engine = "<%= @tpm_engine %>" +<%- end -%> + diff --git a/puppet-manifests/src/modules/openstack/templates/murano-rabbitmq-env.conf.erb b/puppet-manifests/src/modules/openstack/templates/murano-rabbitmq-env.conf.erb new file mode 100644 index 000000000..9af749e82 --- /dev/null +++ b/puppet-manifests/src/modules/openstack/templates/murano-rabbitmq-env.conf.erb @@ -0,0 +1,4 @@ +HOME=<%= @rabbit_home %> +NODE_PORT=<%= @port %> +RABBITMQ_MNESIA_BASE=<%= @mnesia_base %> +RABBITMQ_NODENAME=<%= @murano_rabbit_node %> diff --git a/puppet-manifests/src/modules/openstack/templates/murano-rabbitmq.config.erb b/puppet-manifests/src/modules/openstack/templates/murano-rabbitmq.config.erb new file mode 100644 index 000000000..a594e8979 --- /dev/null +++ b/puppet-manifests/src/modules/openstack/templates/murano-rabbitmq.config.erb 
@@ -0,0 +1,18 @@
+% This file managed by Puppet
+% Template Path: rabbitmq/templates/rabbitmq.config
+[
+ {rabbit, [
+ {tcp_listen_options,
+ <%= @rabbit_tcp_listen_options %>
+ },
+ {disk_free_limit, <%= @disk_free_limit %>},
+ {heartbeat, <%= @heartbeat %>},
+ {tcp_listen_options, <%= @tcp_listen_options %>},
+ {default_user, <<"<%= @default_user %>">>},
+ {default_pass, <<"<%= @default_pass %>">>}
+ ]},
+ {kernel, [
+
+ ]}
+].
+% EOF
\ No newline at end of file
diff --git a/puppet-manifests/src/modules/openstack/templates/murano-rabbitmq.config.ssl.erb b/puppet-manifests/src/modules/openstack/templates/murano-rabbitmq.config.ssl.erb
new file mode 100644
index 000000000..66c0b7152
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/murano-rabbitmq.config.ssl.erb
@@ -0,0 +1,30 @@
+% This file managed by Puppet
+% Template Path: rabbitmq/templates/rabbitmq.config
+[
+ {ssl, [{versions, ['<%= @tlsv2 %>', '<%= @tlsv1 %>']}]},
+ {rabbit, [
+ {tcp_listen_options,
+ <%= @rabbit_tcp_listen_options %>
+ },
+ {tcp_listeners, []},
+ {ssl_listeners, [{"<%= @ssl_interface %>", <%= @ssl_port %>}]},
+ {ssl_options, [
+ {cacertfile,"<%= @kombu_ssl_ca_certs %>"},
+ {certfile,"<%= @kombu_ssl_certfile %>"},
+ {keyfile,"<%= @kombu_ssl_keyfile %>"},
+ {verify,verify_none},
+ {fail_if_no_peer_cert,<%= @fail_if_no_peer_cert %>}
+ ,{versions, ['<%= @tlsv2 %>', '<%= @tlsv1 %>']}
+ ,{ciphers,<%= @rabbit_cipher_list %>}
+ ]},
+ {disk_free_limit, <%= @disk_free_limit %>},
+ {heartbeat, <%= @heartbeat %>},
+ {tcp_listen_options, <%= @tcp_listen_options %>},
+ {default_user, <<"<%= @default_user %>">>},
+ {default_pass, <<"<%= @default_pass %>">>}
+ ]},
+ {kernel, [
+
+ ]}
+].
+% EOF
diff --git a/puppet-manifests/src/modules/openstack/templates/openrc.admin.erb b/puppet-manifests/src/modules/openstack/templates/openrc.admin.erb
new file mode 100644
index 000000000..ce0435201
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/openrc.admin.erb
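Review bot: `tcp_listen_options` appears twice inside the `rabbit` section, once filled from `@rabbit_tcp_listen_options` and again from `@tcp_listen_options`; which of the two the broker ends up using depends on how the Erlang application environment merges duplicate keys, so the rendered config is ambiguous at best (the SSL variant in this commit repeats the same duplication). Drop one entry, or add a comment naming the authoritative variable, e.g. `% tcp_listen_options: @tcp_listen_options is the value consumed by rabbit; the block above is legacy`. The template also renders `default_pass` in clear text, so it relies on the 0640/rabbitmq ownership that amqp.pp applies to rabbitmq.config; `% contains default_pass - file mode is enforced by platform::amqp::rabbitmq` would record that dependency where the secret is written.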
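Review bot: `{verify,verify_none}` combined with `{fail_if_no_peer_cert,<%= @fail_if_no_peer_cert %>}` is contradictory: with `verify_none` the broker never validates a client certificate, so `fail_if_no_peer_cert` has no effect and `cacertfile` is not used for peer verification. If certificate authentication of AMQP clients is intended this should be `{verify,verify_peer}`; if transport encryption only is intended, remove `fail_if_no_peer_cert` or document the choice with `% verify_none: clients authenticate with default_user/default_pass over TLS, not with certificates`. `{versions, ...}` is also set twice (top-level `ssl` app and inside `ssl_options`); the second is the one that governs the listener, so the first can probably go, though I can't confirm from here which the other templates rely on.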
@@ -0,0 +1,25 @@
+unset OS_SERVICE_TOKEN
+
+export OS_ENDPOINT_TYPE=internalURL
+export CINDER_ENDPOINT_TYPE=internalURL
+
+export OS_USERNAME=<%= @admin_username %>
+export OS_PASSWORD=`TERM=linux <%= @keyring_file %> 2>/dev/null`
+export OS_AUTH_URL=<%= @identity_auth_url %>
+
+export OS_PROJECT_NAME=<%= @admin_project_name %>
+export OS_USER_DOMAIN_NAME=<%= @admin_user_domain %>
+export OS_PROJECT_DOMAIN_NAME=<%= @admin_project_domain %>
+export OS_IDENTITY_API_VERSION=<%= @identity_api_version %>
+export OS_REGION_NAME=<%= @identity_region %>
+<%- if @keystone_identity_region != @identity_region -%>
+export OS_KEYSTONE_REGION_NAME=<%= @keystone_identity_region %>
+<%- end -%>
+export OS_INTERFACE=internal
+
+if [ ! -z "${OS_PASSWORD}" ]; then
+ export PS1='[\u@\h \W(keystone_$OS_USERNAME)]\$ '
+else
+ echo 'Openstack Admin credentials can only be loaded from the active controller.'
+ export PS1='\h:\w\$ '
+fi
diff --git a/puppet-manifests/src/modules/openstack/templates/openrc.ldap.erb b/puppet-manifests/src/modules/openstack/templates/openrc.ldap.erb
new file mode 100644
index 000000000..9bd6afece
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/openrc.ldap.erb
@@ -0,0 +1,14 @@
+unset OS_SERVICE_TOKEN
+export OS_ENDPOINT_TYPE=internalURL
+export CINDER_ENDPOINT_TYPE=internalURL
+
+export OS_AUTH_URL=<%= @identity_auth_url %>
+
+export OS_PROJECT_NAME=admin
+export OS_USER_DOMAIN_NAME=<%= @admin_user_domain %>
+export OS_PROJECT_DOMAIN_NAME=<%= @admin_project_domain %>
+export OS_IDENTITY_API_VERSION=<%= @identity_api_version %>
+export OS_REGION_NAME=<%= @identity_region %>
+<%- if @keystone_identity_region != @identity_region -%>
+export OS_KEYSTONE_REGION_NAME=<%= @keystone_identity_region %>
+<%- end -%>
diff --git a/puppet-manifests/src/modules/openstack/templates/panko-api.conf.erb b/puppet-manifests/src/modules/openstack/templates/panko-api.conf.erb
new file mode 100644
index 000000000..763aac83e
--- /dev/null
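Review bot: `export OS_PASSWORD=\`TERM=linux <%= @keyring_file %> 2>/dev/null\`` executes `@keyring_file` as a command, so the variable name is misleading and the reader has to guess why the `else` branch talks about the active controller; a comment such as `# @keyring_file is a helper that prints the admin password; it only succeeds on the active controller` would explain both. Style-wise, `$(...)` is preferred over backticks and `[ -n "${OS_PASSWORD}" ]` over `[ ! -z ... ]`, i.e. `export OS_PASSWORD=$(TERM=linux <%= @keyring_file %> 2>/dev/null)` and `if [ -n "${OS_PASSWORD}" ]; then`. The exported password is inherited by every child process of the shell, which is inherent to an openrc file but worth one line in the header so operators do not source it in shared or logged sessions.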
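Review bot: `export OS_PROJECT_NAME=admin` is hard-coded here while openrc.admin.erb in the same commit takes the value from `@admin_project_name`, so the two templates drift apart as soon as the admin project is renamed. Use `export OS_PROJECT_NAME=<%= @admin_project_name %>` in both, or add `# LDAP users always authenticate against the fixed 'admin' project` if the fixed name is deliberate.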
+++ b/puppet-manifests/src/modules/openstack/templates/panko-api.conf.erb
@@ -0,0 +1,3 @@
+bind='<%= @url_host %>:<%= @api_port %>'
+workers=<%= @api_workers %>
+
diff --git a/puppet-manifests/src/modules/platform/files/ldap.cgcs-shell.ldif b/puppet-manifests/src/modules/platform/files/ldap.cgcs-shell.ldif
new file mode 100644
index 000000000..95005fda8
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/files/ldap.cgcs-shell.ldif
@@ -0,0 +1,4 @@
+dn: uid=operator,ou=People,dc=cgcs,dc=local
+changetype: modify
+replace: loginShell
+loginShell: /usr/local/bin/cgcs_cli
diff --git a/puppet-manifests/src/modules/platform/lib/facter/boot_disk_device_path.rb b/puppet-manifests/src/modules/platform/lib/facter/boot_disk_device_path.rb
new file mode 100644
index 000000000..dfe6860ef
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/boot_disk_device_path.rb
@@ -0,0 +1,5 @@
+Facter.add("boot_disk_device_path") do
+ setcode do
+ Facter::Util::Resolution.exec('find -L /dev/disk/by-path/ -samefile $(df --output=source /boot | tail -1) | tail -1')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/controller_sw_versions_match.rb b/puppet-manifests/src/modules/platform/lib/facter/controller_sw_versions_match.rb
new file mode 100644
index 000000000..30d60788d
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/controller_sw_versions_match.rb
@@ -0,0 +1,11 @@
+# Returns true if controllers are running the same software version (or if only
+# one controller is configured). Will always return true if:
+# 1. Manifests are being applied on any node other than a controller.
+# 2. Manifests are being applied as part of a reconfig. Reconfigs can not be
+# done while a system is being upgraded.
+
+Facter.add("controller_sw_versions_match") do
+ setcode do
+ ! (ENV['CONTROLLER_SW_VERSIONS_MISMATCH'] == "true")
+ end
+end
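Review bot: `Facter::Util::Resolution.exec` is the deprecated alias; other facts in this commit (is_controller_active.rb, the is_initial_cinder_*_config.rb files) already use `Facter::Core::Execution.exec`, so this file, install_uuid.rb, is_keystone_running.rb and system_info.rb should be brought in line with them. The pipeline also has no failure path: if `df --output=source /boot` prints nothing, `find -samefile` runs with an empty argument and the fact resolves to an empty string rather than `nil`, and whether a manifest's `if $::boot_disk_device_path` treats `""` as false depends on the Puppet version. Wrapping the result, `out = Facter::Core::Execution.exec(...); out.to_s.empty? ? nil : out`, makes the missing-disk case explicit, and a comment such as `# resolves the /boot backing device to its stable /dev/disk/by-path name` would state what callers may rely on.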
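Review bot: `! (ENV['CONTROLLER_SW_VERSIONS_MISMATCH'] == "true")` reads more naturally as `ENV['CONTROLLER_SW_VERSIONS_MISMATCH'] != "true"`, which is the same boolean. The header comment explains the semantics well; it would be worth adding one line saying who sets the environment variable (presumably the tooling that invokes puppet apply during an upgrade), since the fact silently reports "match" whenever it is absent.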
diff --git a/puppet-manifests/src/modules/platform/lib/facter/disable_compute_services.rb b/puppet-manifests/src/modules/platform/lib/facter/disable_compute_services.rb
new file mode 100644
index 000000000..250c1b13f
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/disable_compute_services.rb
@@ -0,0 +1,7 @@
+# Returns true if compute services should be disabled
+
+Facter.add("disable_compute_services") do
+ setcode do
+ File.exist?('/var/run/.disable_compute_services')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/install_uuid.rb b/puppet-manifests/src/modules/platform/lib/facter/install_uuid.rb
new file mode 100644
index 000000000..2d0dedd3d
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/install_uuid.rb
@@ -0,0 +1,6 @@
+Facter.add("install_uuid") do
+ setcode do
+ Facter::Util::Resolution.exec("awk -F= '{if ($1 == \"INSTALL_UUID\") { print $2; }}' /etc/platform/platform.conf")
+ end
+end
+
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_controller_active.rb b/puppet-manifests/src/modules/platform/lib/facter/is_controller_active.rb
new file mode 100644
index 000000000..8b1913c77
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_controller_active.rb
@@ -0,0 +1,10 @@
+# Check if current node is the active controller
+
+require 'facter'
+
+Facter.add("is_controller_active") do
+ setcode do
+ Facter::Core::Execution.exec("pgrep -f sysinv-api")
+ $?.exitstatus == 0
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_initial_cinder_ceph_config.rb b/puppet-manifests/src/modules/platform/lib/facter/is_initial_cinder_ceph_config.rb
new file mode 100644
index 000000000..4d3ffe830
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_initial_cinder_ceph_config.rb
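Review bot: The `awk` subprocess in `install_uuid` can be replaced by reading `/etc/platform/platform.conf` in Ruby, which avoids spawning a shell from Facter for a one-line key lookup and makes the missing-file case explicit (the current form yields `""` when the file is absent or the key is missing, so manifests cannot tell "no file" from "empty value"). The rewrite below keeps the awk semantics — exact match on the first `=`-separated field, value is the second field — and resolves to `nil` when there is nothing to report. If several `INSTALL_UUID=` lines can legitimately exist the original prints all of them, so the rewrite's "first match" should be revisited in that case; I can't tell from here.

```ruby
Facter.add("install_uuid") do
  setcode do
    conf = '/etc/platform/platform.conf'
    next nil unless File.readable?(conf)
    # same selection as the awk: first field must be exactly INSTALL_UUID
    line = File.foreach(conf).find { |l| l.start_with?('INSTALL_UUID=') }
    line && line.chomp.split('=')[1]
  end
end
```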
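Review bot: `$?.exitstatus == 0` after `Facter::Core::Execution.exec("pgrep -f sysinv-api")` depends on the helper having run the command through a backtick in the same thread and not having intercepted the failure; Facter's `exec` returns `nil` when the command cannot be run, and in that case `$?` may be stale or unset, so the fact can report the node as active on error. Testing the captured output instead, `!Facter::Core::Execution.exec("pgrep -f sysinv-api").to_s.strip.empty?`, gives the same answer without relying on `$?`. `pgrep -f` also matches any command line containing `sysinv-api` (an editor or a shell running a similarly named script), so a comment explaining why the full-command-line match was chosen over a process name, e.g. `# sysinv-api runs under a python interpreter, so match the command line rather than the comm name`, would help the next reader.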
@@ -0,0 +1,8 @@
+# Returns true if cinder ceph needs to be configured
+
+Facter.add("is_initial_cinder_ceph_config") do
+ setcode do
+ conf_path = Facter::Core::Execution.exec("hiera --config /etc/puppet/hiera.yaml platform::params::config_path")
+ ! File.exist?(conf_path +'.initial_cinder_ceph_config_complete')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_initial_cinder_config.rb b/puppet-manifests/src/modules/platform/lib/facter/is_initial_cinder_config.rb
new file mode 100644
index 000000000..fe85d37d8
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_initial_cinder_config.rb
@@ -0,0 +1,8 @@
+# Returns true is this is the initial cinder config for this system
+
+Facter.add("is_initial_cinder_config") do
+ setcode do
+ conf_path = Facter::Core::Execution.exec("hiera --config /etc/puppet/hiera.yaml platform::params::config_path")
+ ! File.exist?(conf_path + '.initial_cinder_config_complete')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_initial_cinder_lvm_config.rb b/puppet-manifests/src/modules/platform/lib/facter/is_initial_cinder_lvm_config.rb
new file mode 100644
index 000000000..3707edd71
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_initial_cinder_lvm_config.rb
@@ -0,0 +1,8 @@
+# Returns true if cinder lvm needs to be configured
+
+Facter.add("is_initial_cinder_lvm_config") do
+ setcode do
+ conf_path = Facter::Core::Execution.exec("hiera --config /etc/puppet/hiera.yaml platform::params::config_path")
+ ! File.exist?(conf_path + '.initial_cinder_lvm_config_complete')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_initial_config.rb b/puppet-manifests/src/modules/platform/lib/facter/is_initial_config.rb
new file mode 100644
index 000000000..53872eb4b
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_initial_config.rb
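Review bot: `conf_path +'.initial_cinder_ceph_config_complete'` raises `NoMethodError` on `nil` when the `hiera` lookup fails (Facter's `exec` returns `nil` if the command cannot be executed), which aborts fact resolution with a stack trace instead of producing a value; is_initial_cinder_config.rb and is_initial_cinder_lvm_config.rb in this commit have the identical pattern. Guard the lookup with `next nil if conf_path.to_s.empty?` and join with `File.join(conf_path, '.initial_cinder_ceph_config_complete')` so the result does not silently depend on `config_path` ending in `/` — with plain concatenation a value without the trailing slash turns the flag into a sibling of the config directory. A comment such as `# config_path is looked up via hiera because the flag lives on the replicated config filesystem, unlike the /etc/platform .node_* flags` would explain why these three facts shell out while their siblings use a fixed path.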
@@ -0,0 +1,7 @@
+# Returns true is this is the initial config for this node
+
+Facter.add("is_initial_config") do
+ setcode do
+ ! File.exist?('/etc/platform/.initial_config_complete')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_initial_config_primary.rb b/puppet-manifests/src/modules/platform/lib/facter/is_initial_config_primary.rb
new file mode 100644
index 000000000..81941c2c3
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_initial_config_primary.rb
@@ -0,0 +1,8 @@
+# Returns true is this is the primary initial config (ie. first controller)
+
+Facter.add("is_initial_config_primary") do
+ setcode do
+ ENV['INITIAL_CONFIG_PRIMARY'] == "true"
+ end
+end
+
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_keystone_running.rb b/puppet-manifests/src/modules/platform/lib/facter/is_keystone_running.rb
new file mode 100644
index 000000000..2dad5de89
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_keystone_running.rb
@@ -0,0 +1,6 @@
+# Returns whether keystone is running on the local host
+Facter.add(:is_keystone_running) do
+ setcode do
+ Facter::Util::Resolution.exec('pgrep -c -f "\[keystone\-admin\]"') != '0'
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_node_cinder_ceph_config.rb b/puppet-manifests/src/modules/platform/lib/facter/is_node_cinder_ceph_config.rb
new file mode 100644
index 000000000..9a5123657
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_node_cinder_ceph_config.rb
@@ -0,0 +1,7 @@
+# Returns true if cinder Ceph needs to be configured on current node
+
+Facter.add("is_node_cinder_ceph_config") do
+ setcode do
+ ! File.exist?('/etc/platform/.node_cinder_ceph_config_complete')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_node_cinder_lvm_config.rb b/puppet-manifests/src/modules/platform/lib/facter/is_node_cinder_lvm_config.rb
new file mode 100644
index 000000000..af6cba6ff
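Review bot: `!= '0'` in is_keystone_running is true for every result other than the literal string `"0"`, including `nil` (what Facter's `exec` returns when `pgrep` cannot be executed) and `""`, so a failure to run the check reports keystone as running. `Facter::Core::Execution.exec('pgrep -c -f "\[keystone\-admin\]"').to_i > 0` treats all of those as "not running" and also drops the deprecated `Facter::Util::Resolution` alias. The `-f` pattern is matched against whole command lines, so a comment naming the process it is meant to find (presumably the keystone admin WSGI worker's process title) would let the fact be reviewed without a running node.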
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_node_cinder_lvm_config.rb
@@ -0,0 +1,7 @@
+# Returns true if cinder LVM needs to be configured on current node
+
+Facter.add("is_node_cinder_lvm_config") do
+ setcode do
+ ! File.exist?('/etc/platform/.node_cinder_lvm_config_complete')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_primary_disk_rotational.rb b/puppet-manifests/src/modules/platform/lib/facter/is_primary_disk_rotational.rb
new file mode 100644
index 000000000..d80896f83
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_primary_disk_rotational.rb
@@ -0,0 +1,6 @@
+require 'facter'
+Facter.add(:is_primary_disk_rotational) do
+ rootfs_partition = Facter::Core::Execution.exec("df --output=source / | tail -1")
+ rootfs_device = Facter::Core::Execution.exec("basename #{rootfs_partition} | sed 's/[0-9]*$//;s/p[0-9]*$//'")
+ setcode "cat /sys/block/#{rootfs_device}/queue/rotational"
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/is_restore_in_progress.rb b/puppet-manifests/src/modules/platform/lib/facter/is_restore_in_progress.rb
new file mode 100644
index 000000000..51a007b03
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/is_restore_in_progress.rb
@@ -0,0 +1,7 @@
+# Returns true if restore is in progress
+
+Facter.add("is_restore_in_progress") do
+ setcode do
+ File.exist?('/etc/platform/.restore_in_progress')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/physical_core_count.rb b/puppet-manifests/src/modules/platform/lib/facter/physical_core_count.rb
new file mode 100644
index 000000000..0e0fd5ef0
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/physical_core_count.rb
@@ -0,0 +1,4 @@
+# Returns number of physical cores
+Facter.add(:physical_core_count) do
+ setcode "awk '/^cpu cores/ {c=$4} /physical id/ {a[$4]=1} END {n=0; for (i in a) n++; print (n>0 && c>0) ? n*c : 1}' /proc/cpuinfo"
+end
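Review bot: In is_primary_disk_rotational the two `Facter::Core::Execution.exec` calls sit outside `setcode`, so `df`, `basename` and `sed` run every time Facter loads the file — on every fact collection, whether or not this fact is queried — and if either returns `nil` the interpolated command degrades to `cat /sys/block//queue/rotational`. Moving the lookup inside `setcode` and reading the sysfs file in Ruby removes the eager subprocesses and the `rootfs_partition` interpolation into a shell string; the rewrite below keeps the same digit/`pN` stripping and the same `"0"`/`"1"` string result, and resolves to `nil` when the device cannot be determined. The stripping covers `sdaN` and `nvmeXnYpZ` names but not `/dev/mapper` or `/dev/md` roots; I can't tell from here whether those layouts are supported, so a comment stating the assumption would help.

```ruby
Facter.add(:is_primary_disk_rotational) do
  setcode do
    rootfs_partition = Facter::Core::Execution.exec("df --output=source / | tail -1")
    # mirror the original sed: drop trailing digits, then a trailing pN (nvme style)
    rootfs_device = File.basename(rootfs_partition.to_s).sub(/[0-9]*\z/, '').sub(/p[0-9]*\z/, '')
    sysfs = "/sys/block/#{rootfs_device}/queue/rotational"
    if rootfs_device.empty? || !File.readable?(sysfs)
      nil
    else
      File.read(sysfs).strip
    end
  end
end
```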
diff --git a/puppet-manifests/src/modules/platform/lib/facter/platform_res_mem.rb b/puppet-manifests/src/modules/platform/lib/facter/platform_res_mem.rb
new file mode 100644
index 000000000..e27d863c1
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/platform_res_mem.rb
@@ -0,0 +1,3 @@
+Facter.add(:platform_res_mem) do
+ setcode "memtop | awk 'FNR == 3 {a=$13+$14} END {print a}'"
+end
diff --git a/puppet-manifests/src/modules/platform/lib/facter/system_info.rb b/puppet-manifests/src/modules/platform/lib/facter/system_info.rb
new file mode 100644
index 000000000..25be29eec
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/lib/facter/system_info.rb
@@ -0,0 +1,5 @@
+Facter.add("system_info") do
+ setcode do
+ Facter::Util::Resolution.exec('uname -r')
+ end
+end
diff --git a/puppet-manifests/src/modules/platform/manifests/amqp.pp b/puppet-manifests/src/modules/platform/manifests/amqp.pp
new file mode 100644
index 000000000..a053d6bbf
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/amqp.pp
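Review bot: `system_info` only runs `uname -r`, which Facter already exposes as the built-in `kernelrelease` fact, and the name does not say what the value is. Unless manifests elsewhere depend on `$::system_info`, the custom fact is redundant; if it has to stay, a header comment such as `# Kernel release; kept as a named alias of kernelrelease for manifests that reference $::system_info` plus the non-deprecated `Facter::Core::Execution.exec` would make the intent clear. The `platform_res_mem` fact in the previous hunk has the same shape and would likewise benefit from one line saying what `memtop` columns 13 and 14 are, since the awk expression cannot be checked without that tool.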
@@ -0,0 +1,156 @@ +class platform::amqp::params ( + $auth_password = 'guest', + $auth_user = 'guest', + $backend = 'rabbitmq', + $node = 'rabbit@localhost', + $host = 'localhost', + $host_url = 'localhost', + $port = 5672, + $protocol = 'tcp', + $ssl_enabled = false, +) { + $transport_url = "rabbit://${auth_user}:${auth_password}@${host_url}:${port}" +} + + +class platform::amqp::rabbitmq ( + $service_enabled = false, +) inherits ::platform::amqp::params { + + include ::platform::params + + File <| path == '/etc/rabbitmq/rabbitmq.config' |> { + ensure => present, + owner => 'rabbitmq', + group => 'rabbitmq', + mode => '0640', + } + + file { '/var/log/rabbitmq': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } + + if $service_enabled { + $service_ensure = 'running' + } + elsif str2bool($::is_initial_config_primary) { + $service_ensure = 'running' + + # ensure service is stopped after initial configuration + class { '::platform::amqp::post': + stage => post + } + } else { + $service_ensure = 'stopped' + } + + $rabbit_dbdir = "/var/lib/rabbitmq/${::platform::params::software_version}" + + class { '::rabbitmq': + port => $port, + ssl => $ssl_enabled, + default_user => $auth_user, + default_pass => $auth_password, + service_ensure => $service_ensure, + rabbitmq_home => $rabbit_dbdir, + environment_variables => { + 'RABBITMQ_NODENAME' => $node, + 'RABBITMQ_MNESIA_BASE' => "${rabbit_dbdir}/mnesia", + 'HOME' => $rabbit_dbdir, + }, + config_variables => { + 'disk_free_limit' => '100000000', + 'heartbeat' => '30', + 'tcp_listen_options' => '[binary, + {packet,raw}, + {reuseaddr,true}, + {backlog,128}, + {nodelay,true}, + {linger,{true,0}}, + {exit_on_close,false}, + {keepalive,true}]', + } + } +} + + +class platform::amqp::post { + # rabbitmq-server needs to be running in order to apply the initial manifest, + # however, it needs to be stopped/disabled to allow SM to manage the service. 
+ # To allow for the transition it must be explicitely stopped. Once puppet + # can directly handle SM managed services, then this can be removed. + exec { 'stop rabbitmq-server service': + command => "systemctl stop rabbitmq-server; systemctl disable rabbitmq-server", + } +} + + +class platform::amqp::bootstrap { + include ::platform::params + + Class['::platform::drbd::rabbit'] -> Class[$name] + + class { '::platform::amqp::rabbitmq': + service_enabled => true, + } + + # Ensure the rabbit data directory is created in the rabbit filesystem. + $rabbit_dbdir = "/var/lib/rabbitmq/${::platform::params::software_version}" + file { "${rabbit_dbdir}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> Class['::rabbitmq'] + + rabbitmq_policy {'notifications_queues_maxlen@/': + require => Class['::rabbitmq'], + pattern => '.*notifications.*', + priority => 0, + applyto => 'queues', + definition => { + 'max-length' => '10000', + }, + } + + rabbitmq_policy {'sample_queues_maxlen@/': + require => Class['::rabbitmq'], + pattern => '.*sample$', + priority => 0, + applyto => 'queues', + definition => { + 'max-length' => '100000', + }, + } + + rabbitmq_policy {'all_queues_ttl@/': + require => Class['::rabbitmq'], + pattern => '.*', + priority => 0, + applyto => 'queues', + definition => { + 'expires' => '14400000', + } + } +} + +class platform::amqp::upgrade { + include ::platform::params + + class { '::platform::amqp::rabbitmq': + service_enabled => true, + } + + # Ensure the rabbit data directory is created in the rabbit filesystem. + $rabbit_dbdir = "/var/lib/rabbitmq/${::platform::params::software_version}" + file { "${rabbit_dbdir}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> Class['::rabbitmq'] + +} diff --git a/puppet-manifests/src/modules/platform/manifests/anchors.pp b/puppet-manifests/src/modules/platform/manifests/anchors.pp new file mode 100644 index 000000000..58fbc6673 --- /dev/null 
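Review bot: In `platform::amqp::post`, `exec { 'stop rabbitmq-server service': command => "systemctl stop rabbitmq-server; systemctl disable rabbitmq-server" }` sets neither `path` nor `provider`; unless a resource default for `Exec` supplies a `path` elsewhere in the manifests, Puppet refuses an unqualified command, and the `;` only works because the string happens to reach a shell. Make that explicit with `provider => 'shell', path => '/usr/bin:/bin',` and note in the comment block that the exec runs on every apply of the post stage because it has no `unless`/`onlyif`. On the positive side the collector at the top of `platform::amqp::rabbitmq` pins `/etc/rabbitmq/rabbitmq.config` to 0640/rabbitmq, which matters because `default_pass => $auth_password` lands in that file; the `'guest'` defaults in `platform::amqp::params` deserve a comment such as `# placeholder credentials; the real values are supplied through hiera` so nobody mistakes them for the shipped configuration.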
+++ b/puppet-manifests/src/modules/platform/manifests/anchors.pp @@ -0,0 +1,4 @@ +class platform::anchors { + anchor { 'platform::networking': } -> + anchor { 'platform::services': } +} diff --git a/puppet-manifests/src/modules/platform/manifests/ceph.pp b/puppet-manifests/src/modules/platform/manifests/ceph.pp new file mode 100644 index 000000000..39c3e20c9 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/ceph.pp 
@@ -0,0 +1,314 @@ +class platform::ceph::params( + $service_enabled = false, + $cluster_uuid = undef, + $cluster_name = 'ceph', + $authentication_type = 'none', + $mon_lv_name = 'ceph-mon-lv', + $mon_lv_size = 0, + $mon_mountpoint = '/var/lib/ceph/mon', + $mon_0_host = undef, + $mon_0_ip = undef, + $mon_0_addr = undef, + $mon_1_host = undef, + $mon_1_ip = undef, + $mon_1_addr = undef, + $mon_2_host = undef, + $mon_2_ip = undef, + $mon_2_addr = undef, + $rgw_enabled = false, + $rgw_client_name = 'radosgw.gateway', + $rgw_user_name = 'root', + $rgw_frontend_type = 'civetweb', + $rgw_port = 7480, + $rgw_log_file = '/var/log/radosgw/radosgw.log', + $rgw_admin_domain = undef, + $rgw_admin_project = undef, + $rgw_admin_user = 'swift', + $rgw_admin_password = undef, + $rgw_max_put_size = '53687091200', + $rgw_gc_max_objs = '977', + $rgw_gc_obj_min_wait = '600', + $rgw_gc_processor_max_time = '300', + $rgw_gc_processor_period = '300', +) { } + + +class platform::ceph + inherits ::platform::ceph::params { + + if $service_enabled { + class { '::ceph': + fsid => $cluster_uuid, + authentication_type => $authentication_type, + } -> + ceph_config { + "mon.${mon_0_host}/host": value => $mon_0_host; + "mon.${mon_0_host}/mon_addr": value => $mon_0_addr; + "mon.${mon_1_host}/host": value => $mon_1_host; + "mon.${mon_1_host}/mon_addr": value => $mon_1_addr; + "mon.${mon_2_host}/host": value => $mon_2_host; + "mon.${mon_2_host}/mon_addr": value => $mon_2_addr; + "mon/mon clock drift allowed": value => ".1"; + } + } +} + + +class platform::ceph::monitor + inherits ::platform::ceph::params { + + if $service_enabled { + file { '/var/lib/ceph': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + + platform::filesystem { $mon_lv_name: + lv_name => $mon_lv_name, + lv_size => $mon_lv_size, + mountpoint => $mon_mountpoint, + } -> Class['::ceph'] + + file { "/etc/pmon.d/ceph.conf": + ensure => link, + target => "/etc/ceph/ceph.conf.pmon", + owner => 
'root', + group => 'root', + mode => '0640', + } + + # ensure configuration is complete before creating monitors + Class['::ceph'] -> Ceph::Mon <| |> + + # On active controller ensure service is started to + # allow in-service configuration. + # TODO(oponcea): Remove the pmon flag file created by systemctl start ceph + if str2bool($::is_controller_active) { + $service_ensure = "running" + } else { + $service_ensure = "stopped" + } + + # default configuration for all ceph monitor resources + Ceph::Mon { + fsid => $cluster_uuid, + authentication_type => $authentication_type, + service_ensure => $service_ensure, + } + + if $::hostname == $mon_0_host { + ceph::mon { $mon_0_host: + public_addr => $mon_0_ip, + } + } + elsif $::hostname == $mon_1_host { + ceph::mon { $mon_1_host: + public_addr => $mon_1_ip, + } + } + elsif $::hostname == $mon_2_host { + ceph::mon { $mon_2_host: + public_addr => $mon_2_ip, + } + } + } +} + + +define platform_ceph_osd( + $osd_id, + $osd_uuid, + $disk_path, + $data_path, + $journal_path, + $tier_name, +) { + # Only set the crush location for additional tiers + if $tier_name != 'storage' { + ceph_config { + "osd.${$osd_id}/host": value => "${$::platform::params::hostname}-${$tier_name}"; + "osd.${$osd_id}/crush_location": value => "root=${tier_name}-tier host=${$::platform::params::hostname}-${$tier_name}"; + } + } + file { "/var/lib/ceph/osd/ceph-${osd_id}": + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } -> + ceph::osd { $disk_path: + uuid => $osd_uuid, + } -> + exec { "configure journal location ${name}": + logoutput => true, + command => template('platform/ceph.journal.location.erb') + } +} + + +define platform_ceph_journal( + $disk_path, + $journal_sizes, +) { + exec { "configure journal partitions ${name}": + logoutput => true, + command => template('platform/ceph.journal.partitions.erb') + } +} + + +class platform::ceph::storage( + $osd_config = {}, + $journal_config = {}, +) inherits 
::platform::ceph::params { + + # Ensure partitions update prior to ceph storage configuration + Class['::platform::partitions'] -> Class[$name] + + file { '/var/lib/ceph/osd': + path => '/var/lib/ceph/osd', + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } + + # Journal disks need to be prepared before the OSDs are configured + Platform_ceph_journal <| |> -> Platform_ceph_osd <| |> + + # default configuration for all ceph object resources + Ceph::Osd { + cluster => $cluster_name, + cluster_uuid => $cluster_uuid, + } + + create_resources('platform_ceph_osd', $osd_config) + create_resources('platform_ceph_journal', $journal_config) +} + + +class platform::ceph::firewall + inherits ::platform::ceph::params { + + if $rgw_enabled { + platform::firewall::rule { 'ceph-radosgw': + service_name => 'ceph-radosgw', + ports => $rgw_port, + } + } +} + + +class platform::ceph::haproxy + inherits ::platform::ceph::params { + + if $rgw_enabled { + platform::haproxy::proxy { 'ceph-radosgw-restapi': + server_name => 's-ceph-radosgw', + public_port => $rgw_port, + private_port => $rgw_port, + } + } +} + + +class platform::ceph::rgw + inherits ::platform::ceph::params { + + if $rgw_enabled { + include ::platform::params + + include ::openstack::keystone::params + $auth_host = $::openstack::keystone::params::host_url + + if ($::platform::params::init_keystone and + !$::platform::params::region_config) { + include ::platform::ceph::rgw::keystone::auth + } + + ceph::rgw { $rgw_client_name: + user => $rgw_user_name, + frontend_type => $rgw_frontend_type, + rgw_frontends => "${rgw_frontend_type} port=${auth_host}:${rgw_port}", + # service is managed by SM + rgw_enable => false, + # The location of the log file shoule be the same as what's specified in + # /etc/logrotate.d/radosgw in order for log rotation to work properly + log_file => $rgw_log_file, + } + + ceph::rgw::keystone { $rgw_client_name: + # keystone admin token is disabled after initial 
keystone configuration + # for security reason. Use keystone service tenant credentials instead. + rgw_keystone_admin_token => '', + rgw_keystone_url => $::openstack::keystone::params::auth_uri, + rgw_keystone_version => $::openstack::keystone::params::api_version, + rgw_keystone_accepted_roles => 'admin,_member_', + use_pki => false, + rgw_keystone_admin_domain => $rgw_admin_domain, + rgw_keystone_admin_project => $rgw_admin_project, + rgw_keystone_admin_user => $rgw_admin_user, + rgw_keystone_admin_password => $rgw_admin_password, + } + + ceph_config { + # increase limit for single operation uploading to 50G (50*1024*1024*1024) + "client.$rgw_client_name/rgw_max_put_size": value => $rgw_max_put_size; + # increase frequency and scope of garbage collection + "client.$rgw_client_name/rgw_gc_max_objs": value => $rgw_gc_max_objs; + "client.$rgw_client_name/rgw_gc_obj_min_wait": value => $rgw_gc_obj_min_wait; + "client.$rgw_client_name/rgw_gc_processor_max_time": value => $rgw_gc_processor_max_time; + "client.$rgw_client_name/rgw_gc_processor_period": value => $rgw_gc_processor_period; + } + } + + include ::platform::ceph::firewall + include ::platform::ceph::haproxy +} + + +class platform::ceph::rgw::keystone::auth( + $password, + $auth_name = 'swift', + $tenant = 'services', + $email = 'swift@localhost', + $region = 'RegionOne', + $service_name = 'swift', + $service_description = 'Openstack Object-Store Service', + $configure_endpoint= true, + $configure_user = true, + $configure_user_role = true, + $public_url = 'http://127.0.0.1:8080/swift/v1', + $admin_url = 'http://127.0.0.1:8080/swift/v1', + $internal_url = 'http://127.0.0.1:8080/swift/v1', +) { + # create a swift compatible endpoint for the object-store service + keystone::resource::service_identity { 'swift': + configure_endpoint => $configure_endpoint, + configure_user => $configure_user, + configure_user_role => $configure_user_role, + service_name => $service_name, + service_type => 'object-store', + 
service_description => $service_description, + region => $region, + auth_name => $auth_name, + password => $password, + email => $email, + tenant => $tenant, + public_url => $public_url, + admin_url => $admin_url, + internal_url => $internal_url, + } +} + + +class platform::ceph::controller::runtime { + include ::platform::ceph::monitor + include ::platform::ceph +} + +class platform::ceph::compute::runtime { + include ::platform::ceph +} diff --git a/puppet-manifests/src/modules/platform/manifests/config.pp b/puppet-manifests/src/modules/platform/manifests/config.pp new file mode 100644 index 000000000..a813b0df1 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/config.pp 
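Review bot: Variable interpolation is inconsistent across ceph.pp: `platform_ceph_osd` writes `"osd.${$osd_id}/host"` and `"${$::platform::params::hostname}-${$tier_name}"` (a `$` inside `${}`), while `platform::ceph::rgw` writes `"client.$rgw_client_name/rgw_max_put_size"` with no braces; both forms parse, but mixing them is hard to read and the bare form only works because `/` terminates the variable name. Use `"osd.${osd_id}/host"` and `"client.${rgw_client_name}/rgw_max_put_size"` throughout. In `platform::ceph::monitor`, `mode => '0640'` on the `/etc/pmon.d/ceph.conf` symlink applies to the link rather than to `/etc/ceph/ceph.conf.pmon`, so if the 0640 is meant to protect the pmon config it should be managed on the target file; the `$rgw_admin_password = undef` default in `platform::ceph::params` would also benefit from `# supplied through hiera; never set a default here`.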
@@ -0,0 +1,298 @@ +class platform::config::params ( + $config_uuid = 'install', + $hosts = {}, + $timezone = 'UTC', +) { } + +class platform::config + inherits ::platform::config::params { + + include ::platform::params + include ::platform::anchors + + stage { 'pre': + before => Stage["main"], + } + + stage { 'post': + require => Stage["main"], + } + + class { '::platform::config::pre': + stage => pre + } + + class { '::platform::config::post': + stage => post, + } +} + + +class platform::config::file { + + include ::platform::params + include ::platform::network::mgmt::params + include ::platform::network::infra::params + include ::platform::network::oam::params + + # dependent template variables + $management_interface = $::platform::network::mgmt::params::interface_name + $infrastructure_interface = $::platform::network::infra::params::interface_name + $oam_interface = $::platform::network::oam::params::interface_name + + $platform_conf = '/etc/platform/platform.conf' + + file_line { "${platform_conf} sw_version": + path => $platform_conf, + line => "sw_version=${::platform::params::software_version}", + match => '^sw_version=', + } + + if $management_interface { + file_line { "${platform_conf} management_interface": + path => $platform_conf, + line => "management_interface=${management_interface}", + match => '^management_interface=', + } + } + + if $infrastructure_interface { + file_line { "${platform_conf} infrastructure_interface": + path => '/etc/platform/platform.conf', + line => "infrastructure_interface=${infrastructure_interface}", + match => '^infrastructure_interface=', + } + } + + if $oam_interface { + file_line { "${platform_conf} oam_interface": + path => $platform_conf, + line => "oam_interface=${oam_interface}", + match => '^oam_interface=', + } + } + + file_line { "${platform_conf} vswitch_type": + path => $platform_conf, + line => "vswitch_type=${::platform::params::vswitch_type}", + match => '^vswitch_type=', + } + + if 
$::platform::params::system_type { + file_line { "${platform_conf} system_type": + path => $platform_conf, + line => "system_type=${::platform::params::system_type}", + match => '^system_type=*', + } + } + + if $::platform::params::system_mode { + file_line { "${platform_conf} system_mode": + path => $platform_conf, + line => "system_mode=${::platform::params::system_mode}", + match => '^system_mode=*', + } + } + + if $::platform::params::security_profile { + file_line { "${platform_conf} security_profile": + path => $platform_conf, + line => "security_profile=${::platform::params::security_profile}", + match => '^security_profile=*', + } + } + + if $::platform::params::sdn_enabled { + file_line { "${platform_conf}f sdn_enabled": + path => $platform_conf, + line => "sdn_enabled=yes", + match => '^sdn_enabled=', + } + } + else { + file_line { "${platform_conf} sdn_enabled": + path => $platform_conf, + line => 'sdn_enabled=no', + match => '^sdn_enabled=', + } + } + + if $::platform::params::region_config { + file_line { "${platform_conf} region_config": + path => $platform_conf, + line => 'region_config=yes', + match => '^region_config=', + } + file_line { "${platform_conf} region_1_name": + path => $platform_conf, + line => "region_1_name=${::platform::params::region_1_name}", + match => '^region_1_name=', + } + file_line { "${platform_conf} region_2_name": + path => $platform_conf, + line => "region_2_name=${::platform::params::region_2_name}", + match => '^region_2_name=', + } + } else { + file_line { "${platform_conf} region_config": + path => $platform_conf, + line => 'region_config=no', + match => '^region_config=', + } + } + + if $::platform::params::distributed_cloud_role { + file_line { "${platform_conf} distributed_cloud_role": + path => $platform_conf, + line => "distributed_cloud_role=${::platform::params::distributed_cloud_role}", + match => '^distributed_cloud_role=', + } + } + +} + + +class platform::config::hostname { + include ::platform::params + + 
file { "/etc/hostname": + ensure => present, + owner => root, + group => root, + mode => '0644', + content => "${::platform::params::hostname}\n", + notify => Exec["set-hostname"], + } + + exec { "set-hostname": + command => 'hostname -F /etc/hostname', + unless => "test `hostname` = `cat /etc/hostname`", + } +} + + +class platform::config::hosts + inherits ::platform::config::params { + + # The localhost should resolve to the IPv4 loopback address only, therefore + # ensure the IPv6 address is removed from configured hosts + resources { 'host': purge => true } + + $localhost = { + 'localhost' => { + ip => '127.0.0.1', + host_aliases => ['localhost.localdomain', 'localhost4', 'localhost4.localdomain4'] + }, + } + + $merged_hosts = merge($localhost, $hosts) + create_resources('host', $merged_hosts, {}) +} + + +class platform::config::timezone + inherits ::platform::config::params { + exec { 'Configure Timezone': + command => "ln -sf /usr/share/zoneinfo/${timezone} /etc/localtime", + } +} + + +class platform::config::pre { + group { 'nobody': + ensure => 'present', + gid => '99', + } + + include ::platform::config::timezone + include ::platform::config::hostname + include ::platform::config::hosts + include ::platform::config::file +} + + +class platform::config::post + inherits ::platform::config::params { + + include ::platform::params + + service { 'crond': + ensure => 'running', + enable => true, + } + + # When applying manifests to upgrade controller-1, we do not want SM or the + # sysinv-agent or anything else that depends on these flags to start. + if ! $::platform::params::controller_upgrade { + + if ! 
str2bool($::is_initial_config_primary) { + file { '/etc/platform/.initial_config_complete': + ensure => present, + } + } + + file { '/etc/platform/.config_applied': + ensure => present, + mode => '0640', + content => "CONFIG_UUID=${config_uuid}" + } + } +} + +class platform::config::controller::post +{ + include ::platform::params + + if str2bool($::is_initial_config_primary) { + # copy configured hosts to redundant storage + file { "${::platform::params::config_path}/hosts": + source => '/etc/hosts', + replace => false, + } + } + + file { "/etc/platform/.initial_controller_config_complete": + ensure => present, + } + + file { "/var/run/.controller_config_complete": + ensure => present, + } +} + +class platform::config::compute::post +{ + file { "/etc/platform/.initial_compute_config_complete": + ensure => present, + } + + file { "/var/run/.compute_config_complete": + ensure => present, + } +} + +class platform::config::storage::post +{ + file { "/etc/platform/.initial_storage_config_complete": + ensure => present, + } + + file { "/var/run/.storage_config_complete": + ensure => present, + } +} + +class platform::config::bootstrap { + stage { 'pre': + before => Stage["main"], + } + + stage { 'post': + require => Stage["main"], + } + + include ::platform::params + include ::platform::anchors + include ::platform::config::hostname + include ::platform::config::hosts +} diff --git a/puppet-manifests/src/modules/platform/manifests/dcmanager.pp b/puppet-manifests/src/modules/platform/manifests/dcmanager.pp new file mode 100644 index 000000000..ccc801869 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/dcmanager.pp 
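Review bot: `platform::config::timezone` interpolates `$timezone` straight into a shell command (`ln -sf /usr/share/zoneinfo/${timezone} /etc/localtime`) with no validation and no `unless`, so a malformed hiera value is executed verbatim and the symlink is rewritten on every run. A guard such as `onlyif => "test -f /usr/share/zoneinfo/${timezone}"` together with `validate_re($timezone, '^[A-Za-z0-9_+/-]+$')` (stdlib is already in use via `str2bool`/`merge`) would bound the input and make the exec idempotent. Separately, in `platform::config::file` the `if` branch titles its resource `"${platform_conf}f sdn_enabled"` (stray `f`) while the `else` branch uses `"${platform_conf} sdn_enabled"`, and the `infrastructure_interface` block hard-codes `'/etc/platform/platform.conf'` instead of `$platform_conf`; both are consistency slips worth fixing. The `match => '^system_type=*'` style patterns also make the `=` optional, so they match any line starting with `system_type`, not only the key being replaced.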
@@ -0,0 +1,82 @@
+class platform::dcmanager::params (
+ $api_port = 8119,
+ $region_name = undef,
+ $domain_name = undef,
+ $domain_admin = undef,
+ $domain_pwd = undef,
+ $service_name = 'dcmanager',
+ $default_endpoint_type = "internalURL",
+ $service_create = false,
+) {
+ include ::platform::params
+
+ include ::platform::network::mgmt::params
+ $api_host = $::platform::network::mgmt::params::controller_address
+}
+
+
+class platform::dcmanager
+ inherits ::platform::dcmanager::params {
+ if $::platform::params::distributed_cloud_role =='systemcontroller' {
+ include ::platform::params
+ include ::platform::amqp::params
+
+ if $::platform::params::init_database {
+ include ::dcmanager::db::postgresql
+ }
+
+ class { '::dcmanager':
+ rabbit_host => $::platform::amqp::params::host_url,
+ rabbit_port => $::platform::amqp::params::port,
+ rabbit_userid => $::platform::amqp::params::auth_user,
+ rabbit_password => $::platform::amqp::params::auth_password,
+ }
+ }
+}
+
+
+class platform::dcmanager::firewall
+ inherits ::platform::dcmanager::params {
+ if $::platform::params::distributed_cloud_role =='systemcontroller' {
+ platform::firewall::rule { 'dcmanager-api':
+ service_name => 'dcmanager',
+ ports => $api_port,
+ }
+ }
+}
+
+
+class platform::dcmanager::haproxy
+ inherits ::platform::dcmanager::params {
+ if $::platform::params::distributed_cloud_role =='systemcontroller' {
+ platform::haproxy::proxy { 'dcmanager-restapi':
+ server_name => 's-dcmanager',
+ public_port => $api_port,
+ private_port => $api_port,
+ }
+ }
+}
+
+class platform::dcmanager::manager {
+ if $::platform::params::distributed_cloud_role =='systemcontroller' {
+ include ::dcmanager::manager
+ }
+}
+
+class platform::dcmanager::api
+ inherits ::platform::dcmanager::params {
+ if $::platform::params::distributed_cloud_role =='systemcontroller' {
+ if ($::platform::dcmanager::params::service_create and
+ $::platform::params::init_keystone) {
+ include ::dcmanager::keystone::auth
+ }
+
+ class 
{ '::dcmanager::api':
+ bind_host => $api_host,
+ }
+
+
+ include ::platform::dcmanager::firewall
+ include ::platform::dcmanager::haproxy
+ }
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/dcorch.pp b/puppet-manifests/src/modules/platform/manifests/dcorch.pp
new file mode 100644
index 000000000..f3bdbf59d
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/dcorch.pp
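Review bot: `platform::dcmanager::manager` reads `$::platform::params::distributed_cloud_role` without including `::platform::params` and without inheriting `::platform::dcmanager::params` the way the sibling classes do, so if it is the first of these classes to be evaluated the variable is undef, the condition is false and `::dcmanager::manager` is silently never declared. Adding `include ::platform::params` as the first statement of the class (or inheriting the params class like `platform::dcmanager::api`) removes the evaluation-order dependency. The haproxy proxy also maps both `public_port` and `private_port` to the same `$api_port`; a one-line comment on why the two sides share a port would save the next reader a trip into `platform::haproxy::proxy`.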
@@ -0,0 +1,146 @@ +class platform::dcorch::params ( + $api_port = 8118, + $region_name = undef, + $domain_name = undef, + $domain_admin = undef, + $domain_pwd = undef, + $service_name = 'dcorch', + $default_endpoint_type = "internalURL", + $service_create = false, + $neutron_api_proxy_port = 29696, + $nova_api_proxy_port = 28774, + $sysinv_api_proxy_port = 26385, + $cinder_api_proxy_port = 28776, + $cinder_enable_ports = false, + $patch_api_proxy_port = 25491, +) { + include ::platform::params + + include ::platform::network::mgmt::params + $api_host = $::platform::network::mgmt::params::controller_address +} + + +class platform::dcorch + inherits ::platform::dcorch::params { + if $::platform::params::distributed_cloud_role =='systemcontroller' { + include ::platform::params + include ::platform::amqp::params + + if $::platform::params::init_database { + include ::dcorch::db::postgresql + } + + class { '::dcorch': + rabbit_host => $::platform::amqp::params::host_url, + rabbit_port => $::platform::amqp::params::port, + rabbit_userid => $::platform::amqp::params::auth_user, + rabbit_password => $::platform::amqp::params::auth_password, + proxy_bind_host => $api_host, + proxy_remote_host => $api_host, + } + } +} + + +class platform::dcorch::firewall + inherits ::platform::dcorch::params { + if $::platform::params::distributed_cloud_role =='systemcontroller' { + include ::openstack::cinder::params + platform::firewall::rule { 'dcorch-api': + service_name => 'dcorch', + ports => $api_port, + } + platform::firewall::rule { 'dcorch-sysinv-api-proxy': + service_name => 'dcorch-sysinv-api-proxy', + ports => $sysinv_api_proxy_port, + } + platform::firewall::rule { 'dcorch-nova-api-proxy': + service_name => 'dcorch-nova-api-proxy', + ports => $nova_api_proxy_port, + } + platform::firewall::rule { 'dcorch-neutron-api-proxy': + service_name => 'dcorch-neutron-api-proxy', + ports => $neutron_api_proxy_port, + } + if $::openstack::cinder::params::service_enabled { + 
platform::firewall::rule { 'dcorch-cinder-api-proxy': + service_name => 'dcorch-cinder-api-proxy', + ports => $cinder_api_proxy_port, + } + } + platform::firewall::rule { 'dcorch-patch-api-proxy': + service_name => 'dcorch-patch-api-proxy', + ports => $patch_api_proxy_port, + } + } +} + + +class platform::dcorch::haproxy + inherits ::platform::dcorch::params { + if $::platform::params::distributed_cloud_role =='systemcontroller' { + include ::openstack::cinder::params + platform::haproxy::proxy { 'dcorch-neutron-api-proxy': + server_name => 's-dcorch-neutron-api-proxy', + public_port => $neutron_api_proxy_port, + private_port => $neutron_api_proxy_port, + } + platform::haproxy::proxy { 'dcorch-nova-api-proxy': + server_name => 's-dcorch-nova-api-proxy', + public_port => $nova_api_proxy_port, + private_port => $nova_api_proxy_port, + } + platform::haproxy::proxy { 'dcorch-sysinv-api-proxy': + server_name => 's-dcorch-sysinv-api-proxy', + public_port => $sysinv_api_proxy_port, + private_port => $sysinv_api_proxy_port, + } + if $::openstack::cinder::params::service_enabled { + platform::haproxy::proxy { 'dcorch-cinder-api-proxy': + server_name => 's-cinder-dc-api-proxy', + public_port => $cinder_api_proxy_port, + private_port => $cinder_api_proxy_port, + } + } + platform::haproxy::proxy { 'dcorch-patch-api-proxy': + server_name => 's-dcorch-patch-api-proxy', + public_port => $patch_api_proxy_port, + private_port => $patch_api_proxy_port, + } + } +} + +class platform::dcorch::engine + inherits ::platform::dcorch::params { + if $::platform::params::distributed_cloud_role =='systemcontroller' { + include ::dcorch::engine + } +} + +class platform::dcorch::snmp + inherits ::platform::dcorch::params { + if $::platform::params::distributed_cloud_role =='systemcontroller' { + class { '::dcorch::snmp': + bind_host => $api_host, + } + } +} + + +class platform::dcorch::api_proxy + inherits ::platform::dcorch::params { + if $::platform::params::distributed_cloud_role 
=='systemcontroller' { + if ($::platform::dcorch::params::service_create and + $::platform::params::init_keystone) { + include ::dcorch::keystone::auth + } + + class { '::dcorch::api_proxy': + bind_host => $api_host, + } + + include ::platform::dcorch::firewall + include ::platform::dcorch::haproxy + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/devices.pp b/puppet-manifests/src/modules/platform/manifests/devices.pp new file mode 100644 index 000000000..4d729ea36 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/devices.pp @@ -0,0 +1,46 @@ +define qat_device_files( + $qat_idx, + $device_id, +) { + if $device_id == "dh895xcc"{ + file { "/etc/dh895xcc_dev${qat_idx}.conf": + ensure => 'present', + owner => 'root', + group => 'root', + mode => '0640', + notify => Service['qat_service'], + } + } + + if $device_id == "c62x"{ + file { "/etc/c62x_dev${qat_idx}.conf": + ensure => 'present', + owner => 'root', + group => 'root', + mode => '0640', + notify => Service['qat_service'], + } + } +} + +class platform::devices::qat ( + $device_config = {}, + $service_enabled = false +) +{ + if $service_enabled { + create_resources('qat_device_files', $device_config) + + service { 'qat_service': + ensure => 'running', + enable => true, + hasrestart => true, + notify => Service['sysinv-agent'], + } + } +} + +class platform::devices { + include ::platform::devices::qat +} + diff --git a/puppet-manifests/src/modules/platform/manifests/dhclient.pp b/puppet-manifests/src/modules/platform/manifests/dhclient.pp new file mode 100644 index 000000000..a7f5a5c31 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/dhclient.pp 
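Review bot: The haproxy entry for the cinder proxy names its backend `'s-cinder-dc-api-proxy'` while every other proxy in `platform::dcorch::haproxy` follows the `s-dcorch-<service>-api-proxy` pattern; `server_name => 's-dcorch-cinder-api-proxy',` would keep the naming uniform and aligned with the firewall rule title `'dcorch-cinder-api-proxy'`. The `=='systemcontroller'` comparisons throughout this file (and in dcmanager.pp) lack the space before the literal; `== 'systemcontroller'` is the conventional spacing. `platform::dcorch::firewall` opens all of the proxy ports whenever the role is systemcontroller even though it can be included on its own; a short comment stating that the rules are meant to be applied together with `platform::dcorch::api_proxy` would document that coupling.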
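Review bot: `qat_device_files` silently does nothing when `$device_id` is neither `"dh895xcc"` nor `"c62x"`, so a typo in the `device_config` hiera data leaves the device unconfigured without any error; an `else { fail("unsupported QAT device_id ${device_id}") }` after the two `if` blocks would surface it at catalog compile time. The define is also declared at top level rather than as `platform::devices::qat_device_files`, unlike every other definition in this change, which puts it in the global namespace where the `create_resources` type name can collide. Lastly, `ensure => 'present'` with neither `content` nor `source` creates an empty `/etc/<id>_dev<N>.conf` when the file is missing and then restarts `qat_service`; if the file is expected to come from a package, a comment saying so (or a `source`) would make that explicit.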
@@ -0,0 +1,24 @@
+class platform::dhclient::params (
+ $infra_client_id = undef
+) {}
+
+
+class platform::dhclient
+ inherits ::platform::dhclient::params {
+
+ include ::platform::network::infra::params
+ $infra_interface = $::platform::network::infra::params::interface_name
+ $infra_subnet_version = $::platform::network::infra::params::subnet_version
+
+ file { "/etc/dhcp/dhclient.conf":
+ ensure => 'present',
+ replace => true,
+ content => template('platform/dhclient.conf.erb'),
+ before => Class['::platform::network::apply'],
+ }
+}
+
+
+class platform::dhclient::runtime {
+ include ::platform::dhclient
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/dns.pp b/puppet-manifests/src/modules/platform/manifests/dns.pp
new file mode 100644
index 000000000..f71678aad
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/dns.pp
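Review bot: The `/etc/dhcp/dhclient.conf` resource sets no `owner`, `group` or `mode`, unlike the other file resources in this change (for example the `0640` QAT configs in devices.pp), so whatever permissions the file happened to have are kept; `owner => 'root', group => 'root', mode => '0644',` would pin them. `replace => true` is already the default for `file` and can be dropped. A one-line comment on the `before => Class['::platform::network::apply']` edge — presumably the interface configuration consumes this file — would explain the ordering.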
@@ -0,0 +1,102 @@ +class platform::dns::dnsmasq { + + # dependent template variables + $install_uuid = $::install_uuid + + include ::platform::params + $config_path = $::platform::params::config_path + $pxeboot_hostname = $::platform::params::pxeboot_hostname + $mgmt_hostname = $::platform::params::controller_hostname + + include ::platform::network::pxeboot::params + $pxeboot_interface = $::platform::network::pxeboot::params::interface_name + $pxeboot_subnet_version = $::platform::network::pxeboot::params::subnet_version + $pxeboot_subnet_start = $::platform::network::pxeboot::params::subnet_start + $pxeboot_subnet_end = $::platform::network::pxeboot::params::subnet_end + $pxeboot_controller_address = $::platform::network::pxeboot::params::controller_address + + if $pxeboot_subnet_version == 4 { + $pxeboot_subnet_netmask = $::platform::network::pxeboot::params::subnet_netmask + } else { + $pxeboot_subnet_netmask = $::platform::network::pxeboot::params::subnet_prefixlen + } + + include ::platform::network::mgmt::params + $mgmt_interface = $::platform::network::mgmt::params::interface_name + $mgmt_subnet_version = $::platform::network::mgmt::params::subnet_version + $mgmt_subnet_start = $::platform::network::mgmt::params::subnet_start + $mgmt_subnet_end = $::platform::network::mgmt::params::subnet_end + $mgmt_controller_address = $::platform::network::mgmt::params::controller_address + $mgmt_network_mtu = $::platform::network::mgmt::params::mtu + + if $mgmt_subnet_version == 4 { + $mgmt_subnet_netmask = $::platform::network::mgmt::params::subnet_netmask + } else { + $mgmt_subnet_netmask = $::platform::network::mgmt::params::subnet_prefixlen + } + + include ::platform::network::infra::params + $infra_interface = $::platform::network::infra::params::interface_name + $infra_subnet_version = $::platform::network::infra::params::subnet_version + $infra_subnet_start = $::platform::network::infra::params::subnet_start + $infra_subnet_end = 
$::platform::network::infra::params::subnet_end + $infra_network_mtu = $::platform::network::infra::params::mtu + + if $infra_subnet_version == 4 { + $infra_subnet_netmask = $::platform::network::infra::params::subnet_netmask + } else { + $infra_subnet_netmask = $::platform::network::infra::params::subnet_prefixlen + } + + include ::openstack::ironic::params + $ironic_tftp_dir_version = $::platform::params::software_version + $ironic_tftpboot_dir = $::openstack::ironic::params::ironic_tftpboot_dir + case $::hostname { + $::platform::params::controller_0_hostname: { + $ironic_tftp_interface = $::openstack::ironic::params::controller_0_if + } + $::platform::params::controller_1_hostname: { + $ironic_tftp_interface = $::openstack::ironic::params::controller_1_if + } + default: { + $ironic_tftp_interface = undef + } + } + + file { "/etc/dnsmasq.conf": + ensure => 'present', + replace => true, + content => template('platform/dnsmasq.conf.erb'), + } +} + + +class platform::dns::resolv ( + $servers, +) { + file { "/etc/resolv.conf": + ensure => 'present', + replace => true, + content => template('platform/resolv.conf.erb') + } +} + + +class platform::dns { + include ::platform::dns::resolv + include ::platform::dns::dnsmasq +} + + +class platform::dns::dnsmasq::reload { + platform::sm::restart {'dnsmasq': } +} + + +class platform::dns::runtime { + include ::platform::dns::dnsmasq + + class {'::platform::dns::dnsmasq::reload': + stage => post + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/drbd.pp b/puppet-manifests/src/modules/platform/manifests/drbd.pp new file mode 100644 index 000000000..47972f4ca --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/drbd.pp 
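Review bot: `platform::dns::runtime` declares `class {'::platform::dns::dnsmasq::reload': stage => post}`, but `Stage['post']` is only created in `platform::config` and `platform::config::bootstrap` (config.pp); applied on its own this class fails on the unknown stage, so either the runtime class should declare the stage itself or a comment should record the dependency on `::platform::config`. Both `/etc/dnsmasq.conf` and `/etc/resolv.conf` are written without `owner`/`group`/`mode`, and `replace => true` is the default and can go. A short comment on why the ironic TFTP interface is chosen via `case $::hostname` rather than from a params value would help the next maintainer.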
@@ -0,0 +1,439 @@ +class platform::drbd::params ( + $automount = false, + $ha_primary = false, + $initial_setup = false, + $fs_type = 'ext4', + $link_speed, + $link_util, + $num_parallel, + $rtt_ms, + $cpumask = false, +) { + include ::platform::params + $host1 = $::platform::params::controller_0_hostname + $host2 = $::platform::params::controller_1_hostname + + include ::platform::network::mgmt::params + include ::platform::network::infra::params + + if $::platform::network::infra::params::interface_name { + $ip1 = $::platform::network::infra::params::controller0_address + $ip2 = $::platform::network::infra::params::controller1_address + } else { + $ip1 = $::platform::network::mgmt::params::controller0_address + $ip2 = $::platform::network::mgmt::params::controller1_address + } + + $manage = str2bool($::is_initial_config) +} + + +define platform::drbd::filesystem ( + $lv_name, + $vg_name, + $lv_size, + $port, + $device, + $mountpoint, + $resync_after = undef, + $sm_service = $title, + $ha_primary_override = undef, + $initial_setup_override = undef, + $automount_override = undef, + $manage_override = undef, + $ip2_override = undef, +) { + + if $manage_override == undef { + $drbd_manage = $::platform::drbd::params::manage + } else { + $drbd_manage = $manage_override + } + if $ha_primary_override == undef { + $drbd_primary = $::platform::drbd::params::ha_primary + } else { + $drbd_primary = $ha_primary_override + } + if $initial_setup_override == undef { + $drbd_initial = $::platform::drbd::params::initial_setup + } else { + $drbd_initial = $initial_setup_override + } + if $automount_override == undef { + $drbd_automount = $::platform::drbd::params::automount + } else { + $drbd_automount = $automount_override + } + if $ip2_override == undef { + $ip2 = $::platform::drbd::params::ip2 + } else { + $ip2 = $ip2_override + } + + + logical_volume { $lv_name: + ensure => present, + volume_group => $vg_name, + size => "${lv_size}G", + size_is_minsize => true, + } -> + + + 
drbd::resource { $title: + disk => "/dev/${vg_name}/${lv_name}", + port => $port, + device => $device, + mountpoint => $mountpoint, + handlers => { + before-resync-target => + "/usr/local/sbin/sm-notify -s ${sm_service} -e sync-start", + after-resync-target => + "/usr/local/sbin/sm-notify -s ${sm_service} -e sync-end", + }, + host1 => $::platform::drbd::params::host1, + host2 => $::platform::drbd::params::host2, + ip1 => $::platform::drbd::params::ip1, + ip2 => $ip2, + manage => $drbd_manage, + ha_primary => $drbd_primary, + initial_setup => $drbd_initial, + automount => $drbd_automount, + fs_type => $::platform::drbd::params::fs_type, + link_util => $::platform::drbd::params::link_util, + link_speed => $::platform::drbd::params::link_speed, + num_parallel => $::platform::drbd::params::num_parallel, + rtt_ms => $::platform::drbd::params::rtt_ms, + cpumask => $::platform::drbd::params::cpumask, + resync_after => $resync_after, + } + + if str2bool($::is_initial_config_primary) { + # NOTE: The DRBD file system can only be resized immediately if not peering, + # otherwise it must wait for the peer backing storage device to be + # resized before issuing the resize locally. 
+ Drbd::Resource[$title] -> + + exec { "drbd resize ${title}": + command => "drbdadm -- --assume-peer-has-space resize ${title}", + } -> + + exec { "resize2fs ${title}": + command => "resize2fs ${device}", + } + } +} + + +class platform::drbd::pgsql::params ( + $device = '/dev/drbd0', + $lv_name = 'pgsql-lv', + $lv_size = '2', + $mountpoint = '/var/lib/postgresql', + $port = '7789', + $resource_name = 'drbd-pgsql', + $vg_name = 'cgts-vg', +) {} + +class platform::drbd::pgsql ( +) inherits ::platform::drbd::pgsql::params { + + platform::drbd::filesystem { $resource_name: + vg_name => $vg_name, + lv_name => $lv_name, + lv_size => $lv_size, + port => $port, + device => $device, + mountpoint => $mountpoint, + sm_service => 'drbd-pg', + } +} + + +class platform::drbd::rabbit::params ( + $device = '/dev/drbd1', + $lv_name = 'rabbit-lv', + $lv_size = '2', + $mountpoint = '/var/lib/rabbitmq', + $port = '7799', + $resource_name = 'drbd-rabbit', + $vg_name = 'cgts-vg', +) {} + +class platform::drbd::rabbit () + inherits ::platform::drbd::rabbit::params { + + platform::drbd::filesystem { $resource_name: + vg_name => $vg_name, + lv_name => $lv_name, + lv_size => $lv_size, + port => $port, + device => $device, + mountpoint => $mountpoint, + resync_after => 'drbd-pgsql', + } +} + + +class platform::drbd::platform::params ( + $device = '/dev/drbd2', + $lv_name = 'platform-lv', + $lv_size = '2', + $mountpoint = '/opt/platform', + $port = '7790', + $vg_name = 'cgts-vg', + $resource_name = 'drbd-platform', +) {} + +class platform::drbd::platform () + inherits ::platform::drbd::platform::params { + + platform::drbd::filesystem { $resource_name: + vg_name => $vg_name, + lv_name => $lv_name, + lv_size => $lv_size, + port => $port, + device => $device, + mountpoint => $mountpoint, + resync_after => 'drbd-rabbit', + } +} + + +class platform::drbd::cgcs::params ( + $device = '/dev/drbd3', + $lv_name = 'cgcs-lv', + $lv_size = '2', + $mountpoint = '/opt/cgcs', + $port = '7791', + 
$resource_name = 'drbd-cgcs', + $vg_name = 'cgts-vg', +) {} + +class platform::drbd::cgcs () + inherits ::platform::drbd::cgcs::params { + + platform::drbd::filesystem { $resource_name: + vg_name => $vg_name, + lv_name => $lv_name, + lv_size => $lv_size, + port => $port, + device => $device, + mountpoint => $mountpoint, + resync_after => 'drbd-platform', + } +} + + +class platform::drbd::extension::params ( + $device = '/dev/drbd5', + $lv_name = 'extension-lv', + $lv_size = '1', + $mountpoint = '/opt/extension', + $port = '7793', + $resource_name = 'drbd-extension', + $vg_name = 'cgts-vg', +) {} + +class platform::drbd::extension ( +) inherits ::platform::drbd::extension::params { + + include ::platform::params + include ::openstack::cinder::params + include ::platform::drbd::cgcs::params + + if ($::platform::params::system_mode != 'simplex' and + 'lvm' in $::openstack::cinder::params::enabled_backends) { + $resync_after = $::openstack::cinder::params::drbd_resource + } elsif str2bool($::is_primary_disk_rotational) { + $resync_after = $::platform::drbd::cgcs::params::resource_name + } else { + $resync_after = undef + } + + platform::drbd::filesystem { $resource_name: + vg_name => $vg_name, + lv_name => $lv_name, + lv_size => $lv_size, + port => $port, + device => $device, + mountpoint => $mountpoint, + resync_after => $resync_after, + } +} + +class platform::drbd::extension::upgrade ( +) inherits ::platform::drbd::extension::params { + + $drbd_primary = true + $drbd_initial = true + $drbd_automount =true + $drbd_manage = true + + # ip2_override should be removed in R6. It is required for drbd-extension + # when upgrading from R4->R5 only. This is so "on controller-1" is set to + # 127.0.0.1 and not 127.0.0.2. drbd-extension is new to R5. 
+ # + # on controller-1 { + # address ipv4 127.0.0.1:7793; + # } + # + + platform::drbd::filesystem { $resource_name: + vg_name => $vg_name, + lv_name => $lv_name, + lv_size => $lv_size, + port => $port, + device => $device, + mountpoint => $mountpoint, + manage_override => $drbd_manage, + ha_primary_override => $drbd_primary, + initial_setup_override => $drbd_initial, + automount_override => $drbd_automount, + ip2_override => $::platform::drbd::params::ip1, + } +} + +class platform::drbd::patch_vault::params ( + $service_enabled = false, + $device = '/dev/drbd6', + $lv_name = 'patch-vault-lv', + $lv_size = '1', + $mountpoint = '/opt/patch-vault', + $port = '7794', + $resource_name = 'drbd-patch-vault', + $vg_name = 'cgts-vg', +) {} + +class platform::drbd::patch_vault ( +) inherits ::platform::drbd::patch_vault::params { + + if str2bool($::is_initial_config_primary) { + $drbd_primary = true + $drbd_initial = true + $drbd_automount = true + $drbd_manage = true + } else { + $drbd_primary = undef + $drbd_initial = undef + $drbd_automount = undef + $drbd_manage = undef + } + + if $service_enabled { + platform::drbd::filesystem { $resource_name: + vg_name => $vg_name, + lv_name => $lv_name, + lv_size => $lv_size, + port => $port, + device => $device, + mountpoint => $mountpoint, + resync_after => 'drbd-extension', + manage_override => $drbd_manage, + ha_primary_override => $drbd_primary, + initial_setup_override => $drbd_initial, + automount_override => $drbd_automount, + } + } +} + +class platform::drbd( + $service_enable = false, + $service_ensure = 'stopped', +) { + if str2bool($::is_initial_config_primary) { + class { '::drbd': + service_enable => true, + service_ensure => 'running', + } + } else { + class { '::drbd': + service_enable => $service_enable, + service_ensure => $service_ensure, + } + include ::drbd + } + + include ::platform::drbd::params + include ::platform::drbd::pgsql + include ::platform::drbd::rabbit + include ::platform::drbd::platform + include 
::platform::drbd::cgcs + include ::platform::drbd::extension + include ::platform::drbd::patch_vault + + # network changes need to be applied prior to DRBD resources + Anchor['platform::networking'] -> + Drbd::Resource <| |> -> + Anchor['platform::services'] +} + + +class platform::drbd::bootstrap { + + class { '::drbd': + service_enable => true, + service_ensure => 'running' + } + + # override the defaults to initialize and activate the file systems + class { '::platform::drbd::params': + ha_primary => true, + initial_setup => true, + automount => true, + } + + include ::platform::drbd::pgsql + include ::platform::drbd::rabbit + include ::platform::drbd::platform + include ::platform::drbd::cgcs + include ::platform::drbd::extension +} + + +class platform::drbd::runtime { + + class { '::platform::drbd': + service_enable => true, + service_ensure => 'running', + } +} + + +class platform::drbd::pgsql::runtime { + include ::platform::drbd::params + include ::platform::drbd::pgsql +} + + +class platform::drbd::cgcs::runtime { + include ::platform::drbd::params + include ::platform::drbd::cgcs +} + + +class platform::drbd::extension::runtime { + include ::platform::drbd::params + include ::platform::drbd::extension +} + +class platform::drbd::upgrade { + # On upgrading controller-1 (R4->R5) we need to make this new drbd resource + # the primary as it does not currently exists controller-0. This code MUST + # be removed in R6. + + class { '::drbd': + wfc_timeout => 1, + degr_wfc_timeout => 1, + service_enable => true, + service_ensure => 'running' + } + + include ::platform::drbd::params + include ::platform::drbd::extension::upgrade + +} + +class platform::drbd::patch_vault::runtime { + include ::platform::drbd::params + include ::platform::drbd::patch_vault +} diff --git a/puppet-manifests/src/modules/platform/manifests/exports.pp b/puppet-manifests/src/modules/platform/manifests/exports.pp new file mode 100644 index 000000000..dede9ccdf --- /dev/null 
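Review bot: The `exec { "drbd resize ${title}" }` and `exec { "resize2fs ${title}" }` resources in `platform::drbd::filesystem` have no `unless`, `onlyif` or `refreshonly`, so on every apply where `$::is_initial_config_primary` is true they run `drbdadm -- --assume-peer-has-space resize` and `resize2fs` against each resource; making them `refreshonly => true` and subscribed to `Logical_volume[$lv_name]` (or guarding with an `unless` that compares LV and filesystem size) limits them to real size changes. The same unguarded pattern appears in `platform::filesystem::resize` (filesystem.pp). In `platform::drbd` the `else` branch both declares `class { '::drbd': ... }` and then `include ::drbd`; the include is redundant and can be dropped. The `handlers` hash uses unquoted hyphenated keys (`before-resync-target`, `after-resync-target`); quoting them as `'before-resync-target'` avoids relying on the parser treating the bareword as one name.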
+++ b/puppet-manifests/src/modules/platform/manifests/exports.pp
@@ -0,0 +1,19 @@
+class platform::exports {
+
+ include ::platform::params
+
+ file { '/etc/exports':
+ ensure => present,
+ mode => '0600',
+ owner => 'root',
+ group => 'root',
+ } ->
+ file_line { '/etc/exports /etc/platform':
+ path => '/etc/exports',
+ line => "/etc/platform\t\t ${::platform::params::mate_ipaddress}(no_root_squash,no_subtree_check,rw)",
+ match => '^/etc/platform\s',
+ } ->
+ exec { 'Re-export filesystems':
+ command => 'exportfs -r',
+ }
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/filesystem.pp b/puppet-manifests/src/modules/platform/manifests/filesystem.pp
new file mode 100644
index 000000000..8f2cb7168
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/filesystem.pp
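Review bot: The `/etc/exports` line interpolates `${::platform::params::mate_ipaddress}` with no check that it is set; if it is undef or empty the written entry becomes `/etc/platform\t\t (no_root_squash,no_subtree_check,rw)`, which exportfs reads as an export to all hosts with root squashing disabled. Wrapping the `file_line` and `exec` in `if $::platform::params::mate_ipaddress { ... }` (or calling `fail()` when it is missing) ensures the export is never written without a host restriction. `exec { 'Re-export filesystems' }` also runs `exportfs -r` on every apply because it has neither `refreshonly` nor `unless`; `refreshonly => true` with `subscribe => File_line['/etc/exports /etc/platform']` restricts it to actual changes. A one-line comment recording why `no_root_squash` is required for the mate controller would help future reviewers judge the exposure.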
@@ -0,0 +1,192 @@ +class platform::filesystem::params ( + $fs_type = 'ext4', + $vg_name = 'cgts-vg', +) {} + + +define platform::filesystem ( + $lv_name, + $lv_size, + $mountpoint, +) { + include ::platform::filesystem::params + $vg_name = $::platform::filesystem::params::vg_name + + $device = "/dev/${vg_name}/${lv_name}" + + # create logical volume + logical_volume { $lv_name: + ensure => present, + volume_group => $vg_name, + size => "${lv_size}G", + size_is_minsize => true, + } -> + + # create filesystem + filesystem { $device: + ensure => present, + fs_type => 'ext4', + } -> + + file { $mountpoint: + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0750', + } -> + + mount { $name: + name => "$mountpoint", + atboot => 'yes', + ensure => 'mounted', + device => "${device}", + options => 'defaults', + fstype => $::platform::filesystem::params::fs_type, + } -> + + # The above mount resource doesn't actually remount devices that were already present in /etc/fstab, but were + # unmounted during manifest application. To get around this, we attempt to mount them again, if they are not + # already mounted. + exec { "mount $device": + unless => "mount | awk '{print \$3}' | grep -Fxq $mountpoint", + command => "mount $mountpoint", + } +} + + +define platform::filesystem::resize( + $lv_name, + $lv_size, + $devmapper, +) { + include ::platform::filesystem::params + $vg_name = $::platform::filesystem::params::vg_name + + $device = "/dev/${vg_name}/${lv_name}" + + # TODO (rchurch): Fix this... Allowing return code 5 so that lvextends using the same size doesn't blow up + exec { "lvextend $device": + command => "lvextend -L${lv_size}G ${device}", + returns => [0, 5] + } -> + # After a partition extend, make sure that there is no leftover drbd + # type metadata from a previous install. Drbd writes its meta at the + # very end of a block device causing confusion for blkid. 
+ exec { "wipe end of device $device": + command => "dd if=/dev/zero of=${device} bs=512 seek=$(($(blockdev --getsz ${device}) - 34)) count=34", + onlyif => "blkid ${device} | grep TYPE=\\\"drbd\\\"", + } -> + exec { "resize2fs $devmapper": + command => "resize2fs $devmapper" + } +} + + +class platform::filesystem::backup::params ( + $lv_name = 'backup-lv', + $lv_size = '5', + $mountpoint = '/opt/backups', + $devmapper = '/dev/mapper/cgts--vg-backup--lv' +) {} + +class platform::filesystem::backup + inherits ::platform::filesystem::backup::params { + + platform::filesystem { $lv_name: + lv_name => $lv_name, + lv_size => $lv_size, + mountpoint => $mountpoint, + } +} + + +class platform::filesystem::scratch::params ( + $lv_size = '8', + $lv_name = 'scratch-lv', + $mountpoint = '/scratch', + $devmapper = '/dev/mapper/cgts--vg-scratch--lv' +) { } + +class platform::filesystem::scratch + inherits ::platform::filesystem::scratch::params { + + platform::filesystem { $lv_name: + lv_name => $lv_name, + lv_size => $lv_size, + mountpoint => $mountpoint, + } +} + + +class platform::filesystem::img_conversions::params ( + $lv_size = '8', + $lv_name = 'img-conversions-lv', + $mountpoint = '/opt/img-conversions', + $devmapper = '/dev/mapper/cgts--vg-img--conversions--lv' +) {} + +class platform::filesystem::img_conversions + inherits ::platform::filesystem::img_conversions::params { + include ::openstack::cinder::params + include ::openstack::glance::params + + platform::filesystem { $lv_name: + lv_name => $lv_name, + lv_size => $lv_size, + mountpoint => $mountpoint, + } +} + + +class platform::filesystem::controller { + include ::platform::filesystem::backup + include ::platform::filesystem::scratch + include ::platform::filesystem::img_conversions +} + + +class platform::filesystem::backup::runtime { + + include ::platform::filesystem::backup::params + $lv_name = $::platform::filesystem::backup::params::lv_name + $lv_size = $::platform::filesystem::backup::params::lv_size + 
$devmapper = $::platform::filesystem::backup::params::devmapper + + platform::filesystem::resize { $lv_name: + lv_name => $lv_name, + lv_size => $lv_size, + devmapper => $devmapper, + } +} + + +class platform::filesystem::scratch::runtime { + + include ::platform::filesystem::scratch::params + $lv_name = $::platform::filesystem::scratch::params::lv_name + $lv_size = $::platform::filesystem::scratch::params::lv_size + $devmapper = $::platform::filesystem::scratch::params::devmapper + + platform::filesystem::resize { $lv_name: + lv_name => $lv_name, + lv_size => $lv_size, + devmapper => $devmapper, + } +} + + +class platform::filesystem::img_conversions::runtime { + + include ::platform::filesystem::img_conversions::params + include ::openstack::cinder::params + include ::openstack::glance::params + $lv_name = $::platform::filesystem::img_conversions::params::lv_name + $lv_size = $::platform::filesystem::img_conversions::params::lv_size + $devmapper = $::platform::filesystem::img_conversions::params::devmapper + + platform::filesystem::resize { $lv_name: + lv_name => $lv_name, + lv_size => $lv_size, + devmapper => $devmapper, + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/firewall.pp b/puppet-manifests/src/modules/platform/manifests/firewall.pp new file mode 100644 index 000000000..246cbc217 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/firewall.pp 
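Review bot: In `define platform::filesystem` the `filesystem { $device: fs_type => 'ext4' }` resource hard-codes the type while the `mount` resource a few lines below reads `$::platform::filesystem::params::fs_type`; if the param is ever set to something other than its `'ext4'` default the device is formatted with one type and mounted as another. Use the same source in both places, `fs_type => $::platform::filesystem::params::fs_type,`. In `platform::filesystem::resize` the `wipe end of device` exec zeroes the last 34 sectors of `${device}` whenever `blkid` reports a drbd signature, which is destructive by design; the existing comment explains the why, but a line stating the precondition would help the next maintainer, e.g. `# Only safe because $device is the plain LV extended just above, never an active DRBD backing device.`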
@@ -0,0 +1,347 @@ +define platform::firewall::rule ( + $chain = 'INPUT', + $destination = undef, + $ensure = present, + $host = 'ALL', + $jump = undef, + $outiface = undef, + $ports = undef, + $proto = 'tcp', + $service_name, + $table = undef, + $tosource = undef, +) { + + include ::platform::params + include ::platform::network::oam::params + + $ip_version = $::platform::network::oam::params::subnet_version + + $provider = $ip_version ? { + 6 => 'ip6tables', + default => 'iptables', + } + + $source = $host ? { + 'ALL' => $ip_version ? { + 6 => '::/0', + default => '0.0.0.0/0' + }, + default => $host, + } + + $heading = $chain ? { + 'OUTPUT' => 'outgoing', + 'POSTROUTING' => 'forwarding', + default => 'incoming', + } + + # NAT rule + if $jump == 'SNAT' or $jump == 'MASQUERADE' { + firewall { "500 ${service_name} ${heading} ${title}": + chain => $chain, + table => $table, + proto => $proto, + outiface => $outiface, + jump => $jump, + tosource => $tosource, + destination => $destination, + source => $source, + provider => $provider, + ensure => $ensure, + } + } + else { + if $ports == undef { + firewall { "500 ${service_name} ${heading} ${title}": + chain => $chain, + proto => $proto, + action => 'accept', + source => $source, + provider => $provider, + ensure => $ensure, + } + } + else { + firewall { "500 ${service_name} ${heading} ${title}": + chain => $chain, + proto => $proto, + dport => $ports, + action => 'accept', + source => $source, + provider => $provider, + ensure => $ensure, + } + } + } +} + + +define platform::firewall::common ( + $version, + $interface, +) { + + $provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'} + + firewall { "000 platform accept non-oam ${version}": + proto => 'all', + iniface => "! 
${$interface}", + action => 'accept', + provider => $provider, + } + + firewall { "001 platform accept related ${version}": + proto => 'all', + state => ['RELATED', 'ESTABLISHED'], + action => 'accept', + provider => $provider, + } + + # explicitly drop some types of traffic without logging + firewall { "800 platform drop tcf-agent udp ${version}": + proto => 'udp', + dport => 1534, + action => 'drop', + provider => $provider, + } + + firewall { "800 platform drop tcf-agent tcp ${version}": + proto => 'tcp', + dport => 1534, + action => 'drop', + provider => $provider, + } + + firewall { "800 platform drop all avahi-daemon ${version}": + proto => 'udp', + dport => 5353, + action => 'drop', + provider => $provider, + } + + firewall { "999 platform log dropped ${version}": + proto => 'all', + limit => '2/min', + jump => 'LOG', + log_prefix => "${provider}-in-dropped: ", + log_level => 4, + provider => $provider, + } + + firewall { "000 platform forward non-oam ${version}": + chain => 'FORWARD', + proto => 'all', + iniface => "! ${interface}", + action => 'accept', + provider => $provider, + } + + firewall { "001 platform forward related ${version}": + chain => 'FORWARD', + proto => 'all', + state => ['RELATED', 'ESTABLISHED'], + action => 'accept', + provider => $provider, + } + + firewall { "999 platform log dropped ${version} forwarded": + chain => 'FORWARD', + proto => 'all', + limit => '2/min', + jump => 'LOG', + log_prefix => "${provider}-fwd-dropped: ", + log_level => 4, + provider => $provider, + } +} + +# Declare OAM service rules +define platform::firewall::services ( + $version, +) { + # platform rules to be applied before custom rules + Firewall { + require => undef, + } + + $provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'} + + $proto_icmp = $version ? 
{'ipv4' => 'icmp', 'ipv6' => 'ipv6-icmp'} + + # Provider specific service rules + firewall { "010 platform accept sm ${version}": + proto => 'udp', + dport => [2222, 2223], + action => 'accept', + provider => $provider, + } + + firewall { "011 platform accept ssh ${version}": + proto => 'tcp', + dport => 22, + action => 'accept', + provider => $provider, + } + + firewall { "200 platform accept icmp ${version}": + proto => $proto_icmp, + action => 'accept', + provider => $provider, + } + + firewall { "201 platform accept ntp ${version}": + proto => 'udp', + dport => 123, + action => 'accept', + provider => $provider, + } + + firewall { "202 platform accept snmp ${version}": + proto => 'udp', + dport => 161, + action => 'accept', + provider => $provider, + } + + firewall { "202 platform accept snmp trap ${version}": + proto => 'udp', + dport => 162, + action => 'accept', + provider => $provider, + } + + # allow IGMP Query traffic if IGMP Snooping is + # enabled on the TOR switch + firewall { "204 platform accept igmp ${version}": + proto => 'igmp', + action => 'accept', + provider => $provider, + } +} + + +define platform::firewall::hooks ( + $version = undef, +) { + $protocol = $version ? {'ipv4' => 'IPv4', 'ipv6' => 'IPv6'} + + $input_pre_chain = 'INPUT-custom-pre' + $input_post_chain = 'INPUT-custom-post' + + firewallchain { "$input_pre_chain:filter:$protocol": + ensure => present, + }-> + firewallchain { "$input_post_chain:filter:$protocol": + ensure => present, + }-> + firewall { "100 $input_pre_chain $version": + proto => 'all', + chain => 'INPUT', + jump => "$input_pre_chain" + }-> + firewall { "900 $input_post_chain $version": + proto => 'all', + chain => 'INPUT', + jump => "$input_post_chain" + } +} + + +class platform::firewall::custom ( + $version = undef, + $rules_file = undef, +) { + + $restore = $version ? 
{ + 'ipv4' => 'iptables-restore', + 'ipv6' => 'ip6tables-restore'} + + exec { 'Flush firewall custom pre rules': + command => "iptables --flush INPUT-custom-pre", + } -> + exec { 'Flush firewall custom post rules': + command => "iptables --flush INPUT-custom-post", + } -> + exec { 'Apply firewall custom rules': + command => "$restore --noflush $rules_file", + } +} + + +class platform::firewall::oam ( + $rules_file = undef, +) { + + include ::platform::network::oam::params + $interface_name = $::platform::network::oam::params::interface_name + $subnet_version = $::platform::network::oam::params::subnet_version + + $version = $subnet_version ? { + 4 => 'ipv4', + 6 => 'ipv6', + } + + platform::firewall::common { 'platform:firewall:ipv4': + interface => $interface_name, + version => 'ipv4', + } + + platform::firewall::common { 'platform:firewall:ipv6': + interface => $interface_name, + version => 'ipv6', + } + + platform::firewall::services { 'platform:firewall:services': + version => $version, + } + + # Set default table policies + firewallchain { 'INPUT:filter:IPv4': + ensure => present, + policy => drop, + before => undef, + purge => false, + } + + firewallchain { 'INPUT:filter:IPv6': + ensure => present, + policy => drop, + before => undef, + purge => false, + } + + firewallchain { 'FORWARD:filter:IPv4': + ensure => present, + policy => drop, + before => undef, + purge => false, + } + + firewallchain { 'FORWARD:filter:IPv6': + ensure => present, + policy => drop, + before => undef, + purge => false, + } + + if $rules_file { + + platform::firewall::hooks { '::platform:firewall:hooks': + version => $version, + } + + class { '::platform::firewall::custom': + version => $version, + rules_file => $rules_file, + } + + # ensure custom rules are applied before system rules + Class['::platform::firewall::custom'] -> Firewall <| |> + } +} + + +class platform::firewall::runtime { + include ::platform::firewall::oam +} 
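Review bot: In `platform::firewall::custom` both flush execs always run `iptables --flush INPUT-custom-pre` / `INPUT-custom-post`, although `$restore` is selected by `$version` and `platform::firewall::hooks` creates those chains only for the protocol derived from the same `$version`; on an IPv6 OAM network the chains exist only in ip6tables, so the iptables flush fails with an unknown-chain error and `ip6tables-restore --noflush` is never reached (and if it were, previously loaded custom rules would accumulate because nothing flushes the ip6tables chains). Derive the flush binary the same way as the restore one, `$flush = $version ? { 'ipv4' => 'iptables', 'ipv6' => 'ip6tables' }` and `command => "${flush} --flush INPUT-custom-pre",` (same for the post chain). `$rules_file` is also interpolated unquoted into the restore command; quoting it keeps a path with spaces from being split into extra arguments.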
diff --git a/puppet-manifests/src/modules/platform/manifests/fstab.pp b/puppet-manifests/src/modules/platform/manifests/fstab.pp
new file mode 100644
index 000000000..2a8b38607
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/fstab.pp
@@ -0,0 +1,20 @@
+class platform::fstab {
+ include ::platform::params
+
+ if $::personality != 'controller' {
+ exec { 'Unmount NFS filesystems':
+ command => 'umount -a -t nfs ; sleep 5 ;',
+ } ->
+ mount { '/opt/platform':
+ device => 'controller-platform-nfs:/opt/platform',
+ fstype => 'nfs',
+ ensure => 'present',
+ options => "${::platform::params::nfs_mount_options},_netdev",
+ atboot => 'yes',
+ remounts => true,
+ } ->
+ exec { 'Remount NFS filesystems':
+ command => 'umount -a -t nfs ; sleep 1 ; mount -a -t nfs',
+ }
+ }
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/haproxy.pp b/puppet-manifests/src/modules/platform/manifests/haproxy.pp
new file mode 100644
index 000000000..142f8d1f7
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/haproxy.pp
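Review bot: `exec { 'Unmount NFS filesystems' }` has no `onlyif`/`unless`/`refreshonly`, so on every catalog application to a non-controller it unmounts all NFS filesystems, sleeps five seconds and remounts them through the second exec, even when `/etc/fstab` did not change; the trailing `; sleep 5 ;` also makes the exec's exit status that of `sleep`, so a `umount` that fails on a busy mount is never reported and the run proceeds as if the filesystems were detached. At minimum guard the first exec so it only fires when something is actually mounted, `onlyif => 'findmnt -t nfs',`, and put the status-bearing command last in the second one (`'sleep 1 ; umount -a -t nfs ; mount -a -t nfs'` already does that for the mount) so a failure surfaces in the report. A short comment above the block saying why a full unmount/remount cycle is required on every apply (rather than `remounts => true` alone) would help the next maintainer.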
@@ -0,0 +1,152 @@ +class platform::haproxy::params ( + $enable_https = false, + $private_ip_address, + $public_ip_address, + + $global_options = undef, + $tpm_object = undef, + $tpm_engine = '/usr/lib64/openssl/engines/libtpm2.so', +) { } + + +define platform::haproxy::proxy ( + $server_name, + $private_port, + $public_port, + $public_ip_address = undef, + $private_ip_address = undef, + $server_timeout = undef, + $client_timeout = undef, + $x_forwarded_proto = true, + $enable_https = undef, +) { + include ::platform::haproxy::params + + if $enable_https != undef { + $https_enabled = $enable_https + } else { + $https_enabled = $::platform::haproxy::params::enable_https + } + + if $x_forwarded_proto { + if $https_enabled { + $ssl_option = 'ssl crt /etc/ssl/private/server-cert.pem' + $proto = 'X-Forwarded-Proto:\ https' + } else { + $ssl_option = ' ' + $proto = 'X-Forwarded-Proto:\ http' + } + } else { + $ssl_option = ' ' + $proto = undef + } + + if $public_ip_address { + $public_ip = $public_ip_address + } else { + $public_ip = $::platform::haproxy::params::public_ip_address + } + + if $private_ip_address { + $private_ip = $private_ip_address + } else { + $private_ip = $::platform::haproxy::params::private_ip_address + } + + if $client_timeout { + $real_client_timeout = "client ${client_timeout}" + } else { + $real_client_timeout = undef + } + + haproxy::frontend { $name: + collect_exported => false, + name => "${name}", + bind => { + "${public_ip}:${public_port}" => $ssl_option, + }, + options => { + 'default_backend' => "${name}-internal", + 'reqadd' => $proto, + 'timeout' => $real_client_timeout, + }, + } + + if $server_timeout { + $timeout_option = "server ${server_timeout}" + } else { + $timeout_option = undef + } + + haproxy::backend { $name: + collect_exported => false, + name => "${name}-internal", + options => { + 'server' => "${server_name} ${private_ip}:${private_port}", + 'timeout' => $timeout_option, + } + } +} + + +class platform::haproxy::server { + + 
include ::platform::params + include ::platform::haproxy::params + + # If TPM mode is enabled then we need to configure + # the TPM object and the TPM OpenSSL engine in HAPROXY + $tpm_object = $::platform::haproxy::params::tpm_object + $tpm_engine = $::platform::haproxy::params::tpm_engine + if $tpm_object != undef { + $tpm_options = {'tpm-object' => $tpm_object, 'tpm-engine' => $tpm_engine} + $global_options = merge($::platform::haproxy::params::global_options, $tpm_options) + } else { + $global_options = $::platform::haproxy::params::global_options + } + + class { '::haproxy': + global_options => $global_options, + } + + user { 'haproxy': + ensure => 'present', + shell => '/sbin/nologin', + groups => [$::platform::params::protected_group_name], + } -> Class['::haproxy'] +} + + +class platform::haproxy::reload { + platform::sm::restart {'haproxy': } +} + + +class platform::haproxy::runtime { + include ::platform::haproxy::server + + include ::platform::patching::haproxy + include ::platform::sysinv::haproxy + include ::platform::nfv::haproxy + include ::platform::ceph::haproxy + if $::platform::params::distributed_cloud_role =='systemcontroller' { + include ::platform::dcmanager::haproxy + include ::platform::dcorch::haproxy + } + include ::openstack::keystone::haproxy + include ::openstack::neutron::haproxy + include ::openstack::nova::haproxy + include ::openstack::glance::haproxy + include ::openstack::cinder::haproxy + include ::openstack::aodh::haproxy + include ::openstack::ceilometer::haproxy + include ::openstack::heat::haproxy + include ::openstack::murano::haproxy + include ::openstack::magnum::haproxy + include ::openstack::ironic::haproxy + include ::openstack::panko::haproxy + + class {'::platform::haproxy::reload': + stage => post + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/ldap.pp b/puppet-manifests/src/modules/platform/manifests/ldap.pp new file mode 100644 index 000000000..c59e86289 --- /dev/null 
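Review bot: `platform::haproxy::proxy` adds `X-Forwarded-Proto` with `'reqadd' => $proto`, which appends the header but leaves any `X-Forwarded-Proto` the client itself sent in place, so a backend that honours the first occurrence can be told a request arrived over HTTPS when it came in over plain HTTP; whether any backend behind these proxies relies on that header is not visible here. Deleting the client copy before adding the trusted one closes the gap, e.g. `'reqidel' => '^X-Forwarded-Proto:.*',` next to the `reqadd` entry (the order the haproxy module renders those keys in should be checked in the generated config). The TPM branch in `platform::haproxy::server` merges `tpm-object`/`tpm-engine` into `global_options`; those look like keywords from a patched haproxy build rather than upstream ones, so a one-line comment saying which build accepts them would save the next reader from assuming a stock haproxy will parse the result.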
+++ b/puppet-manifests/src/modules/platform/manifests/ldap.pp 
@@ -0,0 +1,146 @@ +class platform::ldap::params ( + $admin_pw, + $admin_hashed_pw = undef, + $provider_uri = undef, + $server_id = undef, + $ldapserver_remote = false, + $ldapserver_host = undef, + $bind_anonymous = false, +) {} + +class platform::ldap::server + inherits ::platform::ldap::params { + if ! $ldapserver_remote { + include ::platform::ldap::server::local + } +} + +class platform::ldap::server::local + inherits ::platform::ldap::params { + exec { 'slapd-convert-config': + command => '/usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/schema/', + onlyif => '/usr/bin/test -e /etc/openldap/slapd.conf' + } + + exec { 'slapd-conf-move-backup': + command => '/bin/mv -f /etc/openldap/slapd.conf /etc/openldap/slapd.conf.backup', + onlyif => '/usr/bin/test -e /etc/openldap/slapd.conf' + } + + service { 'nscd': + ensure => 'running', + enable => true, + name => 'nscd', + hasstatus => true, + hasrestart => true, + } + + service { 'openldap': + ensure => 'running', + enable => true, + name => "slapd", + hasstatus => true, + hasrestart => true, + } + + exec { 'stop-openldap': + command => '/usr/bin/systemctl stop slapd.service', + } + + exec { 'update-slapd-conf': + command => "/bin/sed -i \\ + -e 's#provider=ldap.*#provider=${provider_uri}#' \\ + -e 's:serverID.*:serverID ${server_id}:' \\ + -e 's:credentials.*:credentials=${admin_pw}:' \\ + -e 's:^rootpw .*:rootpw ${admin_hashed_pw}:' \\ + -e 's:modulepath .*:modulepath /usr/lib64/openldap:' \\ + /etc/openldap/slapd.conf", + onlyif => '/usr/bin/test -e /etc/openldap/slapd.conf' + } + + file { "/usr/local/etc/ldapscripts/ldapscripts.passwd": + content => $admin_pw, + } + + file { "/usr/share/cracklib/cracklib-small": + ensure => link, + target => "/usr/share/cracklib/cracklib-small.pwd", + } + + # start openldap with updated config and updated nsswitch + # then convert slapd config to db format. Note, slapd must have run and created the db prior to this. 
+ Exec['stop-openldap'] -> + Exec['update-slapd-conf'] -> + Service['nscd'] -> + Service['nslcd'] -> + Service['openldap'] -> + Exec['slapd-convert-config'] -> + Exec['slapd-conf-move-backup'] +} + + +class platform::ldap::client + inherits ::platform::ldap::params { + file { "/etc/openldap/ldap.conf": + ensure => 'present', + replace => true, + content => template('platform/ldap.conf.erb'), + } + + file { "/etc/nslcd.conf": + ensure => 'present', + replace => true, + content => template('platform/nslcd.conf.erb'), + } -> + service { 'nslcd': + ensure => 'running', + enable => true, + name => 'nslcd', + hasstatus => true, + hasrestart => true, + } +} + +class platform::ldap::bootstrap + inherits ::platform::ldap::params { + include ::platform::params + # Local ldap server is configured during bootstrap. It is later + # replaced by remote ldapserver configuration (if needed) during + # application of controller / compute / storage manifest. + include ::platform::ldap::server::local + include ::platform::ldap::client + + Class['platform::ldap::server::local'] -> Class[$name] + + $dn = 'cn=ldapadmin,dc=cgcs,dc=local' + + exec { 'populate initial ldap configuration': + command => "ldapadd -D ${dn} -w ${admin_pw} -f /etc/openldap/initial_config.ldif" + } -> + exec { "create ldap admin user": + command => "ldapadduser admin root" + } -> + exec { "create ldap operator user": + command => "ldapadduser operator users" + } -> + exec { 'create ldap protected group': + command => "ldapaddgroup ${::platform::params::protected_group_name} ${::platform::params::protected_group_id}" + } -> + exec { "add admin to wrs protected group" : + command => "ldapaddusertogroup admin ${::platform::params::protected_group_name}", + } -> + exec { "add operator to wrs protected group" : + command => "ldapaddusertogroup operator ${::platform::params::protected_group_name}", + } -> + + # Change operator shell from default to /usr/local/bin/cgcs_cli + file { "/tmp/ldap.cgcs-shell.ldif": + ensure 
=> present, + replace => true, + source => "puppet:///modules/${module_name}/ldap.cgcs-shell.ldif" + } -> + exec { 'ldap cgcs-cli shell update': + command => + "ldapmodify -D ${dn} -w ${admin_pw} -f /tmp/ldap.cgcs-shell.ldif" + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/lldp.pp b/puppet-manifests/src/modules/platform/manifests/lldp.pp new file mode 100644 index 000000000..4011f342a --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/lldp.pp @@ -0,0 +1,27 @@ +class platform::lldp::params( + $tx_interval = 30, + $tx_hold = 4, +) {} + + +class platform::lldp + inherits ::platform::lldp::params { + include ::platform::params + + $hostname = $::platform::params::hostname + $system = $::platform::params::system_name + $version = $::platform::params::software_version + + file { "/etc/lldpd.conf": + ensure => 'present', + replace => true, + content => template('platform/lldp.conf.erb'), + notify => Service['lldpd'], + } + + service { 'lldpd': + ensure => 'running', + enable => true, + hasrestart => true, + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/lvm.pp b/puppet-manifests/src/modules/platform/manifests/lvm.pp new file mode 100644 index 000000000..5d938d527 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/lvm.pp 
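Review bot: `$admin_pw` is passed on the command line in three execs in this hunk — the `sed -i ... credentials=${admin_pw}` in `update-slapd-conf`, `ldapadd -D ${dn} -w ${admin_pw}` in `platform::ldap::bootstrap`, and the `ldapmodify ... -w ${admin_pw}` at the end — so the LDAP admin password is visible in `/proc/*/cmdline` to other local accounts while those commands run (unless `/proc` is mounted with `hidepid`) and is echoed into the Puppet log if any of them fails. The hunk already writes the password to `/usr/local/etc/ldapscripts/ldapscripts.passwd`, so the client tools can read it from there instead: `command => "ldapadd -D ${dn} -y /usr/local/etc/ldapscripts/ldapscripts.passwd -f /etc/openldap/initial_config.ldif"` (and the same `-y` for `ldapmodify`). That `file` resource has no `mode`/`owner`, so it is created with Puppet's default permissions (0644 unless the umask narrows it), which leaves the cleartext password world-readable; add `mode => '0600', owner => 'root', group => 'root',`. The `sed` into `slapd.conf` is harder to avoid, but it is limited to runs where the legacy `slapd.conf` still exists, which is worth stating in a comment above that exec.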
@@ -0,0 +1,154 @@ +class platform::lvm::params ( + $transition_filter = '[]', + $final_filter = '[]', +) {} + + +class platform::lvm + inherits platform::lvm::params { + + file_line { 'use_lvmetad': + path => '/etc/lvm/lvm.conf', + match => '^[^#]*use_lvmetad = 1', + line => ' use_lvmetad = 0', + } + + exec { 'disable lvm2-lvmetad.service': + command => "systemctl stop lvm2-lvmetad.service ; systemctl disable lvm2-lvmetad.service", + onlyif => "systemctl status lvm2-lvmetad.service", + } +} + + +define platform::lvm::global_filter($filter) { + file_line { "$name: update lvm global_filter": + path => '/etc/lvm/lvm.conf', + line => " global_filter = $filter", + match => '^[ ]*global_filter =', + } +} + + +define platform::lvm::umount { + exec { "umount disk $name": + command => "umount $name; true", + } +} + + +class platform::lvm::vg::cgts_vg( + $vg_name = 'cgts-vg', + $physical_volumes = [], +) inherits platform::lvm::params { + + ::platform::lvm::umount { $physical_volumes: + } -> + physical_volume { $physical_volumes: + ensure => present, + } -> + volume_group { $vg_name: + ensure => present, + physical_volumes => $physical_volumes, + } +} + +class platform::lvm::vg::cinder_volumes( + $vg_name = 'cinder-volumes', + $physical_volumes = [], +) inherits platform::lvm::params { + # Let cinder manifests set up DRBD synced volume group +} + +class platform::lvm::vg::nova_local( + $vg_name = 'nova-local', + $physical_volumes = [], +) inherits platform::lvm::params { + # TODO(rchurch): refactor portions of openstack::nova::storage an move here +} + +################## +# Controller Hosts +################## + +class platform::lvm::controller::vgs { + include ::platform::lvm::vg::cgts_vg + include ::platform::lvm::vg::cinder_volumes + include ::platform::lvm::vg::nova_local +} + +class platform::lvm::controller + inherits ::platform::lvm::params { + + ::platform::lvm::global_filter { "transition filter": + filter => $transition_filter, + before => 
Class['::platform::lvm::controller::vgs'] + } + + ::platform::lvm::global_filter { "final filter": + filter => $final_filter, + require => Class['::platform::lvm::controller::vgs'] + } + + include ::platform::lvm + include ::platform::lvm::controller::vgs +} + + +class platform::lvm::controller::runtime { + include ::platform::lvm::controller +} + +############### +# Compute Hosts +############### + +class platform::lvm::compute::vgs { + include ::platform::lvm::vg::nova_local +} + +class platform::lvm::compute + inherits ::platform::lvm::params { + + ::platform::lvm::global_filter { "transition filter": + filter => $transition_filter, + before => Class['::platform::lvm::compute::vgs'] + } + + ::platform::lvm::global_filter { "final filter": + filter => $final_filter, + require => Class['::platform::lvm::compute::vgs'] + } + + include ::platform::lvm + include ::platform::lvm::compute::vgs +} + + +class platform::lvm::compute::runtime { + include ::platform::lvm::compute +} + +############### +# Storage Hosts +############### + +class platform::lvm::storage::vgs { + include ::platform::lvm::vg::cgts_vg +} + +class platform::lvm::storage + inherits ::platform::lvm::params { + + ::platform::lvm::global_filter { "final filter": + filter => $final_filter, + before => Class['::platform::lvm::storage::vgs'] + } + + include ::platform::lvm + include ::platform::lvm::storage::vgs +} + + +class platform::lvm::storage::runtime { + include ::platform::lvm::storage +} diff --git a/puppet-manifests/src/modules/platform/manifests/mtce.pp b/puppet-manifests/src/modules/platform/manifests/mtce.pp new file mode 100644 index 000000000..23039b9e7 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/mtce.pp 
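Review bot: `define platform::lvm::umount` runs `umount $name; true` with no guard, so it executes on every catalog application for every physical volume and always reports success; the `; true` hides a real failure (device busy), and the chain then proceeds to `physical_volume`/`volume_group` on a disk that may still be mounted. Guard it and let the umount status through: `onlyif => "findmnt -S ${name}",` together with `command => "umount ${name}",`. `platform::lvm::global_filter` interpolates `$filter` into the `lvm.conf` line unquoted, and `$transition_filter`/`$final_filter` default to the literal string `'[]'`; a short comment noting that callers must pass a fully formed LVM filter expression (brackets and inner quotes included) would prevent a malformed `global_filter` line.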
@@ -0,0 +1,97 @@ +class platform::mtce::params ( + $auth_host = undef, + $auth_port = undef, + $auth_uri = undef, + $auth_username = undef, + $auth_pw = undef, + $auth_project = undef, + $auth_user_domain = undef, + $auth_project_domain = undef, + $auth_region = undef, + $compute_boot_timeout = undef, + $controller_boot_timeout = undef, + $heartbeat_degrade_threshold = undef, + $heartbeat_failure_threshold = undef, + $heartbeat_period = undef, + $mtce_multicast = undef, +) { } + + +class platform::mtce + inherits ::platform::mtce::params { + + include ::openstack::ceilometer::params + $ceilometer_port = $::openstack::ceilometer::params::api_port + + include ::openstack::client::credentials::params + $keyring_directory = $::openstack::client::credentials::params::keyring_directory + + file { "/etc/mtc.ini": + ensure => present, + mode => '0755', + content => template('mtce/mtc_ini.erb'), + } + + $boot_device = $::boot_disk_device_path + + file { "/etc/rmonfiles.d/static.conf": + ensure => present, + mode => '0644', + content => template('mtce/static_conf.erb'), + } +} + + +class platform::mtce::agent + inherits ::platform::mtce::params { + + if $::platform::params::init_keystone { + # configure a mtce keystone user + keystone_user { $auth_username: + password => $auth_pw, + ensure => present, + enabled => true, + } + + # assign an admin role for this mtce user on the services tenant + keystone_user_role { "${auth_username}@${auth_project}": + ensure => present, + user_domain => $auth_user_domain, + project_domain => $auth_project_domain, + roles => ['admin'], + } + } +} + + +class platform::mtce::reload { + exec {'signal-mtc-agent': + command => "pkill -HUP mtcAgent", + } + exec {'signal-hbs-agent': + command => "pkill -HUP hbsAgent", + } + + # mtcClient and hbsClient don't currently reload all configuration, + # therefore they must be restarted. Move to HUP if daemon updated. 
+ exec {'pmon-restart-hbs-client': + command => "pmon-restart hbsClient", + } + exec {'pmon-restart-mtc-client': + command => "pmon-restart mtcClient", + } +} + +class platform::mtce::runtime { + include ::platform::mtce + + class {'::platform::mtce::reload': + stage => post + } +} + +class platform::mtce::upgrade { + # configure a mtce user that added in release 5 + # to be removed in release 6 + include ::platform::mtce::agent +} \ No newline at end of file diff --git a/puppet-manifests/src/modules/platform/manifests/network.pp b/puppet-manifests/src/modules/platform/manifests/network.pp new file mode 100644 index 000000000..bd151546a --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/network.pp 
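Review bot: `file { "/etc/mtc.ini": mode => '0755' }` makes a configuration file executable and world-readable; the params class carries `$auth_pw` (the keystone credential for the user created in `platform::mtce::agent`), and if `mtce/mtc_ini.erb` renders it — the template is not in this diff — the password is readable by every local account. Use `mode => '0640',` (or `'0600'`) with explicit `owner => 'root', group => 'root',`; the same applies to `/etc/rmonfiles.d/static.conf` only if its template carries secrets, which is not visible here. `platform::mtce::agent` also reads `$::platform::params::init_keystone` without `include ::platform::params`, so when that class has not already been evaluated the lookup yields undef with a warning (or an error under `strict_variables`) and the keystone user is silently skipped; adding the include makes the dependency explicit.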
@@ -0,0 +1,181 @@ +class platform::network::pxeboot::params( + # shared parametes with base class - required for auto hiera parameter lookup + $interface_name = undef, + $interface_address = undef, + $subnet_version = undef, + $subnet_network = undef, + $subnet_network_url = undef, + $subnet_prefixlen = undef, + $subnet_netmask = undef, + $subnet_start = undef, + $subnet_end = undef, + $gateway_address = undef, + $controller_address = undef, # controller floating + $controller_address_url = undef, # controller floating url address + $controller0_address = undef, # controller unit0 + $controller1_address = undef, # controller unit1 + $mtu = 1500, +) { } + + +class platform::network::mgmt::params( + # shared parametes with base class - required for auto hiera parameter lookup + $interface_name = undef, + $interface_address = undef, + $subnet_version = undef, + $subnet_network = undef, + $subnet_network_url = undef, + $subnet_prefixlen = undef, + $subnet_netmask = undef, + $subnet_start = undef, + $subnet_end = undef, + $gateway_address = undef, + $controller_address = undef, # controller floating + $controller_address_url = undef, # controller floating url address + $controller0_address = undef, # controller unit0 + $controller1_address = undef, # controller unit1 + $mtu = 1500, + # network type specific parameters + $platform_nfs_address = undef, + $cgcs_nfs_address = undef, +) { } + + +class platform::network::infra::params( + # shared parametes with base class - required for auto hiera parameter lookup + $interface_name = undef, + $interface_address = undef, + $subnet_version = undef, + $subnet_network = undef, + $subnet_network_url = undef, + $subnet_prefixlen = undef, + $subnet_netmask = undef, + $subnet_start = undef, + $subnet_end = undef, + $gateway_address = undef, + $controller_address = undef, # controller floating + $controller_address_url = undef, # controller floating url address + $controller0_address = undef, # controller unit0 + $controller1_address 
= undef, # controller unit1 + $mtu = 1500, + # network type specific parameters + $cgcs_nfs_address = undef, +) { } + +class platform::network::oam::params( + # shared parametes with base class - required for auto hiera parameter lookup + $interface_name = undef, + $interface_address = undef, + $subnet_version = undef, + $subnet_network = undef, + $subnet_network_url = undef, + $subnet_prefixlen = undef, + $subnet_netmask = undef, + $subnet_start = undef, + $subnet_end = undef, + $gateway_address = undef, + $controller_address = undef, # controller floating + $controller_address_url = undef, # controller floating url address + $controller0_address = undef, # controller unit0 + $controller1_address = undef, # controller unit1 + $mtu = 1500, +) { } + + +define network_address ( + $address, + $ifname, +) { + # addresses should only be configured if running in simplex, otherwise SM + # will configure them on the active controller. + exec { "Configuring ${name} IP address": + command => "ip addr replace ${address} dev ${ifname}", + onlyif => "test -f /etc/platform/simplex", + } +} + +class platform::addresses ( + $address_config = {}, +) { + create_resources('network_address', $address_config, {}) +} + + +class platform::interfaces ( + $network_config = {}, + $route_config = {}, +) { + create_resources('network_config', $network_config, {}) + create_resources('network_route', $route_config, {}) +} + +class platform::network::apply { + include ::platform::interfaces + include ::platform::addresses + + Network_config <| |> -> + Exec['apply-network-config'] -> + Network_address <| |> -> + Anchor['platform::networking'] + + # Adding Network_route dependency separately, in case it's empty, + # as puppet bug will remove dependency altogether if + # Network_route is empty. See below. 
+ # https://projects.puppetlabs.com/issues/18399 + Network_config <| |> -> + Network_route <| |> -> + Exec['apply-network-config'] + + exec {'apply-network-config': + command => 'apply_network_config.sh', + } +} + + +class platform::network ( + $mlx4_core_options = undef, +) { + include ::platform::params + include ::platform::network::mgmt::params + include ::platform::network::infra::params + + include ::platform::network::apply + + $management_interface = $::platform::network::mgmt::params::interface_name + $infrastructure_interface = $::platform::network::infra::params::interface_name + + $testcmd = '/usr/local/bin/connectivity_test' + + if $management_interface { + exec { 'connectivity-test-management': + command => "${testcmd} -t 70 -i ${management_interface} controller-platform-nfs; /bin/true", + require => Anchor['platform::networking'], + onlyif => "test ! -f /etc/platform/simplex", + } + } + + if $infrastructure_interface { + exec { 'connectivity-test-infrastructure': + command => "${testcmd} -t 120 -i ${infrastructure_interface} controller-nfs; /bin/true", + require => Anchor['platform::networking'], + onlyif => "test ! -f /etc/platform/simplex", + } + } + + if $mlx4_core_options { + exec { 'mlx4-core-config': + command => '/usr/bin/mlx4_core_config.sh', + subscribe => File['/etc/modprobe.d/mlx4_sriov.conf'], + refreshonly => true + } + + file {'/etc/modprobe.d/mlx4_sriov.conf': + content => "options mlx4_core ${mlx4_core_options}" + } + } +} + + +class platform::network::runtime { + include ::platform::network::apply +} diff --git a/puppet-manifests/src/modules/platform/manifests/nfv.pp b/puppet-manifests/src/modules/platform/manifests/nfv.pp new file mode 100644 index 000000000..734a5aa06 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/nfv.pp 
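Review bot: `define network_address` is the only defined type on this page declared outside the `platform::` namespace, and `platform::network::apply` collects it by that bare name (`Network_address <| |>`) alongside `network_config`/`network_route`, which come from a different module; a reader cannot tell from the name which module owns it. Moving it to `platform::network::address` (and updating the collector and the `create_resources('network_address', …)` call in `platform::addresses`) keeps it consistent with every other define in this commit. The `ip addr replace` exec also has no `unless`, so on a simplex system it reports a change on every run; `unless => "ip addr show dev ${ifname} | grep -Fq ${address}"` would make it idempotent, with the caveat that `$address` must be in the same prefix form that `ip` prints.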
@@ -0,0 +1,93 @@ +class platform::nfv::params ( + $api_port = 4545, + $region_name = undef, + $service_create = false, +) { } + + +class platform::nfv { + include ::platform::params + include ::platform::amqp::params + + group { 'nfv': + ensure => 'present', + gid => '172', + } + + user { 'nfv': + ensure => 'present', + comment => 'nfv', + gid => '172', + groups => ['nobody', 'nfv', $::platform::params::protected_group_name], + home => '/var/lib/nfv', + password => '!!', + password_max_age => '-1', + password_min_age => '-1', + shell => '/sbin/nologin', + uid => '172', + } + + file {'/opt/platform/nfv': + ensure => directory, + mode => '0755', + } + + include ::nfv + include ::nfv::vim + + class { '::nfv::nfvi': + rabbit_host => $::platform::amqp::params::host, + rabbit_port => $::platform::amqp::params::port, + rabbit_userid => $::platform::amqp::params::auth_user, + rabbit_password => $::platform::amqp::params::auth_password, + } +} + + +class platform::nfv::reload { + platform::sm::restart {'vim': } +} + + +class platform::nfv::runtime { + include ::platform::nfv + + class {'::platform::nfv::reload': + stage => post + } +} + + +class platform::nfv::firewall + inherits ::platform::nfv::params { + + platform::firewall::rule { 'nfv-vim-api': + service_name => 'nfv-vim', + ports => $api_port, + } +} + + +class platform::nfv::haproxy + inherits ::platform::nfv::params { + + platform::haproxy::proxy { 'vim-restapi': + server_name => 's-vim-restapi', + public_port => $api_port, + private_port => $api_port, + } +} + + +class platform::nfv::api + inherits ::platform::nfv::params { + + if ($::platform::nfv::params::service_create and + $::platform::params::init_keystone) { + include ::nfv::keystone::auth + } + + include ::platform::nfv::firewall + include ::platform::nfv::haproxy +} + diff --git a/puppet-manifests/src/modules/platform/manifests/ntp.pp b/puppet-manifests/src/modules/platform/manifests/ntp.pp new file mode 100644 index 000000000..26db63485 --- /dev/null 
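Review bot: `platform::nfv::api` reads `$::platform::params::init_keystone` without an `include ::platform::params`, so the value is only defined when some other class happens to evaluate `platform::params` first; otherwise the lookup yields undef, the `and` condition is silently false and the keystone auth resources are never created. Add `include ::platform::params` at the top of the class, before the `if`. `platform::patching::api` (patching.pp) and `platform::partitions` (partitions.pp, `$::platform::params::system_mode`) depend on evaluation order in the same way. On a lesser note, `/opt/platform/nfv` is created with mode 0755 but no `owner`/`group`, so it will carry whatever ownership the Puppet agent runs with rather than `nfv`; confirm that is intended.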
+++ b/puppet-manifests/src/modules/platform/manifests/ntp.pp 
@@ -0,0 +1,108 @@ +class platform::ntp ( + $servers = [], + $ntpdate_timeout, +) { + file {'ntpdate_override_dir': + path => '/etc/systemd/system/ntpdate.service.d', + ensure => directory, + mode => '0755', + } + + file { 'ntpdate_tis_override': + path => '/etc/systemd/system/ntpdate.service.d/tis_override.conf', + ensure => file, + mode => '0644', + content => template('platform/ntp.override.erb'), + } + + exec { 'enable-ntpdate': + command => '/usr/bin/systemctl enable ntpdate.service', + } + + exec { 'enable-ntpd': + command => '/usr/bin/systemctl enable ntpd.service', + } + + exec { 'start-ntpdate': + command => '/usr/bin/systemctl start ntpdate.service', + returns => [ 0, 1 ], + onlyif => "grep -q '^server' /etc/ntp.conf", + } + + exec { 'systemd-daemon-reload': + command => '/usr/bin/systemctl daemon-reload', + } + + exec { 'stop-ntpdate': + command => '/usr/bin/systemctl stop ntpdate.service', + returns => [ 0, 1 ], + } + + exec { 'stop-ntpd': + command => '/usr/bin/systemctl stop ntpd.service', + returns => [ 0, 1 ], + } + + service { 'ntpd': + ensure => 'running', + enable => true, + name => 'ntpd', + hasstatus => true, + hasrestart => true, + } + + File['ntp_config'] -> + File['ntp_config_initial'] -> + File['ntpdate_override_dir'] -> + File['ntpdate_tis_override'] -> + Exec['enable-ntpdate'] -> + Exec['enable-ntpd'] -> + Exec['systemd-daemon-reload'] -> + Exec['stop-ntpdate'] -> + Exec['stop-ntpd'] -> + Exec['start-ntpdate'] -> + Service['ntpd'] +} + + +class platform::ntp::server { + + include ::platform::ntp + + include ::platform::params + $peer_server = $::platform::params::mate_hostname + + file { 'ntp_config': + path => '/etc/ntp.conf', + ensure => file, + mode => '0640', + content => template('platform/ntp.conf.server.erb'), + } + file { 'ntp_config_initial': + path => '/etc/ntp_initial.conf', + ensure => file, + mode => '0640', + content => template('platform/ntp_initial.conf.server.erb'), + } +} + + +class platform::ntp::client { + + if 
$::personality != 'controller' { + include ::platform::ntp + + file { 'ntp_config': + path => '/etc/ntp.conf', + ensure => file, + mode => '0644', + content => template('platform/ntp.conf.client.erb'), + } + file { 'ntp_config_initial': + path => '/etc/ntp_initial.conf', + ensure => file, + mode => '0644', + content => template('platform/ntp_initial.conf.client.erb'), + } + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/params.pp b/puppet-manifests/src/modules/platform/manifests/params.pp new file mode 100644 index 000000000..3e1cdd788 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/params.pp 
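Review bot: `enable-ntpdate`, `enable-ntpd`, `systemd-daemon-reload`, `stop-ntpdate` and `stop-ntpd` carry no `unless`/`onlyif`/`refreshonly`, so every agent run stops time synchronization and the `service { 'ntpd' }` resource then starts it again even when no configuration changed. Guard the enable execs with `unless => '/usr/bin/systemctl is-enabled ntpdate.service'` (and the ntpd equivalent), and make the reload/stop execs `refreshonly => true` with a `subscribe` on `File['ntp_config']` and `File['ntpdate_tis_override']` so the restart cycle only runs on a real change. `platform::ntp::client` also writes `/etc/ntp.conf` and `/etc/ntp_initial.conf` as 0644 while `platform::ntp::server` uses 0640; if the templates can contain peer addresses or keys the tighter mode should be applied consistently.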
@@ -0,0 +1,75 @@ +class platform::params ( + $config_path = undef, + $controller_hostname, + $controller_0_hostname = undef, + $controller_1_hostname = undef, + $controller_upgrade = false, + $hostname, + $mate_hostname = undef, + $mate_ipaddress = undef, + $nfs_proto = 'udp', + $nfs_rw_size = 1024, + $pxeboot_hostname, + $region_1_name = undef, + $region_2_name = undef, + $region_config = false, + $distributed_cloud_role = undef, + $sdn_enabled = false, + $software_version = undef, + $system_mode = undef, + $system_type = undef, + $system_name = undef, + $vswitch_type = undef, + $security_profile = undef, +) { + $ipv4 = 4 + $ipv6 = 6 + + $nfs_mount_options = "timeo=30,proto=$nfs_proto,vers=3,rsize=$nfs_rw_size,wsize=$nfs_rw_size" + + $protected_group_name = 'wrs_protected' + $protected_group_id = '345' + + # PUPPET 4 treats custom facts as strings. We convert to int by adding zero. + $phys_core_count = 0 + $::physical_core_count + $plat_res_mem = 0 + $::platform_res_mem + + # Engineering parameters common to openstack services: + + # max number of workers + $eng_max_workers = 20 + # total system memory per worker + $eng_worker_mb = 2000 + # memory headroom per worker (e.g., buffers, cached) + $eng_overhead_mb = 1000 + # number of workers we can support based on memory + if $::personality == 'controller' and str2bool($::is_compute_subfunction) { + # Controller memory available for small footprint + # Consistent with sysinv get_platform_reserved_memory() + if str2bool($::is_virtual) { + $eng_controller_mem = 6000 + } else { + #If we have a reduced footprint xeon-d and if the platform memory + #has not been increased by the user to the standard 14.5GB we use a + #lowered worker count to save memory + if $phys_core_count <= 8 and $plat_res_mem < 14500 { + $eng_controller_mem = 7000 + } else { + $eng_controller_mem = 10500 + } + } + } else { + $eng_controller_mem = $::memorysize_mb + } + $eng_workers_mem = floor($eng_controller_mem) / ($eng_worker_mb + 
$eng_overhead_mb) + + # number of workers per service + $eng_workers = min($eng_max_workers, $eng_workers_mem, max($phys_core_count, 2)) + $eng_workers_by_2 = min($eng_max_workers, $eng_workers_mem, max($phys_core_count/2, 2)) + $eng_workers_by_4 = min($eng_max_workers, $eng_workers_mem, max($phys_core_count/4, 2)) + $eng_workers_by_5 = min($eng_max_workers, $eng_workers_mem, max($phys_core_count/5, 2)) + $eng_workers_by_6 = min($eng_max_workers, $eng_workers_mem, max($phys_core_count/6, 2)) + + $init_database = (str2bool($::is_initial_config_primary) or $controller_upgrade) + $init_keystone = (str2bool($::is_initial_config_primary) or $controller_upgrade) +} diff --git a/puppet-manifests/src/modules/platform/manifests/partitions.pp b/puppet-manifests/src/modules/platform/manifests/partitions.pp new file mode 100644 index 000000000..3b179d0cf --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/partitions.pp 
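Review bot: `$eng_workers_mem` has no lower bound, so on a host with less than `$eng_worker_mb + $eng_overhead_mb` (3000 MB) of usable memory the integer division yields 0 and every `$eng_workers*` value collapses to 0 through `min()`, while the core-based term is floored at 2 — presumably an oversight rather than a supported configuration. Clamp it, e.g. `$eng_workers_mem = max(1, floor($eng_controller_mem) / ($eng_worker_mb + $eng_overhead_mb))`. The `$nfs_mount_options` string interpolates `$nfs_proto` and `$nfs_rw_size` without braces; the `${nfs_proto}` form used elsewhere in these manifests is the convention and avoids ambiguity about where the variable name ends.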
@@ -0,0 +1,62 @@
+class platform::partitions::params (
+ $create_config = undef,
+ $modify_config = undef,
+ $shutdown_drbd_resource = undef,
+ $delete_config = undef,
+ $check_config = undef,
+) {}
+
+
+define platform_manage_partition(
+ $action = $name,
+ $config = undef,
+ $shutdown_drbd_resource = undef,
+ $system_mode = undef,
+) {
+ if $config {
+ # For drbd partitions, modifications can only be done on standby
+ # controller as we need to:
+ # - stop DRBD [drbd is in-use on active, so it can't be stopped there]
+ # - manage-partitions: backup meta, resize partition, restore meta
+ # - start DRBD
+ # For AIO SX we make an exception as all instances are down on host lock.
+ # see https://docs.linbit.com/doc/users-guide-83/s-resizing/
+ exec { "manage-partitions-${action}":
+ logoutput => true,
+ command => template('platform/partitions.manage.erb')
+ }
+ }
+}
+
+
+class platform::partitions
+ inherits ::platform::partitions::params {
+
+ # Ensure partitions are updated before the PVs and VGs are setup
+ Platform_manage_partition <| |> -> Physical_volume <| |>
+ Platform_manage_partition <| |> -> Volume_group <| |>
+
+ # Perform partition updates in a particular order: deletions,
+ # modifications, then creations.
+
+ # NOTE: Currently we are executing partition changes serially, not in bulk.
+ platform_manage_partition { 'check':
+ config => $check_config,
+ } ->
+ platform_manage_partition { 'delete':
+ config => $delete_config,
+ } ->
+ platform_manage_partition { 'modify':
+ config => $modify_config,
+ shutdown_drbd_resource => $shutdown_drbd_resource,
+ system_mode => $::platform::params::system_mode,
+ } ->
+ platform_manage_partition { 'create':
+ config => $create_config,
+ }
+}
+
+
+class platform::partitions::runtime {
+ include ::platform::partitions
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/password.pp b/puppet-manifests/src/modules/platform/manifests/password.pp
new file mode 100644
index 000000000..c570f8f39
--- /dev/null
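Review bot: The exec command in `platform_manage_partition` is rendered from `platform/partitions.manage.erb` with `$config`, `$shutdown_drbd_resource` and `$system_mode` taken from hiera; the template is outside this diff, so whether those values are shell-quoted before being embedded in a root-run command line cannot be confirmed here. The rendering should escape each value (Ruby's stdlib `Shellwords`/`String#shellescape` in the template) or hand the config to the tool through a file rather than the command line, and a comment above the exec should state which of the two is relied on. `logoutput => true` also mirrors the full output of the partition tool into the agent log; confirm it does not echo the raw `$config` structure.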
+++ b/puppet-manifests/src/modules/platform/manifests/password.pp
@@ -0,0 +1,32 @@
+class platform::password {
+
+ file { "/etc/pam.d/passwd":
+ ensure => present,
+ content => template('platform/pam.passwd.erb'),
+ }
+
+ file_line { "/etc/nsswitch.conf add passwd ldap":
+ path => '/etc/nsswitch.conf',
+ line => 'passwd: files sss ldap',
+ match => '^passwd: *files sss',
+ }
+
+ file_line { "/etc/nsswitch.conf add shadow ldap":
+ path => '/etc/nsswitch.conf',
+ line => 'shadow: files sss ldap',
+ match => '^shadow: *files sss',
+ }
+
+ file_line { "/etc/nsswitch.conf add group ldap":
+ path => '/etc/nsswitch.conf',
+ line => 'group: files sss ldap',
+ match => '^group: *files sss',
+ }
+
+ file_line { "/etc/nsswitch.conf add sudoers ldap":
+ path => '/etc/nsswitch.conf',
+ line => 'sudoers: files ldap',
+ match => '^sudoers: *files',
+ }
+
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/patching.pp b/puppet-manifests/src/modules/platform/manifests/patching.pp
new file mode 100644
index 000000000..fe7455980
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/patching.pp
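Review bot: The `match` patterns on the nsswitch `file_line` resources only hit lines that already read `files sss`; on a host whose `/etc/nsswitch.conf` has a plain `passwd: files` entry, `match` misses and `file_line` appends a second `passwd:` line instead of replacing the first, and since glibc honours the first entry per database the ldap source is then never consulted. Matching on the database name alone, `match => '^passwd:'` (likewise `^shadow:`, `^group:`, `^sudoers:`), replaces whatever is present and keeps the file unambiguous. The `/etc/pam.d/passwd` resource also sets no `owner`/`group`/`mode`; PAM configuration should be pinned explicitly, `ensure => file, owner => 'root', group => 'root', mode => '0644',`.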
@@ -0,0 +1,72 @@ +class platform::patching::params ( + $private_port = 5491, + $public_port = 15491, + $server_timeout = '300s', + $region_name = undef, + $service_create = false, +) { } + + +class platform::patching + inherits ::platform::patching::params { + + include ::platform::params + + group { 'patching': + ensure => 'present', + } -> + user { 'patching': + ensure => 'present', + comment => 'patching Daemons', + groups => ['nobody', 'patching', $::platform::params::protected_group_name], + home => '/var/lib/patching', + password => '!!', + password_max_age => '-1', + password_min_age => '-1', + shell => '/sbin/nologin', + } -> + file { "/etc/patching": + ensure => "directory", + owner => 'patching', + group => 'patching', + mode => '0755', + } -> + class { '::patching': } +} + + +class platform::patching::firewall + inherits ::platform::patching::params { + + platform::firewall::rule { 'patching-api': + service_name => 'patching', + ports => $public_port, + } +} + + +class platform::patching::haproxy + inherits ::platform::patching::params { + + platform::haproxy::proxy { 'patching-restapi': + server_name => 's-patching', + public_port => $public_port, + private_port => $private_port, + server_timeout => $server_timeout, + } +} + + +class platform::patching::api ( +) inherits ::platform::patching::params { + + include ::patching::api + + if ($::platform::patching::params::service_create and + $::platform::params::init_keystone) { + include ::patching::keystone::auth + } + + include ::platform::patching::firewall + include ::platform::patching::haproxy +} diff --git a/puppet-manifests/src/modules/platform/manifests/postgresql.pp b/puppet-manifests/src/modules/platform/manifests/postgresql.pp new file mode 100644 index 000000000..499c4d7cc --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/postgresql.pp 
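Review bot: `platform::patching` uses double-quoted strings that contain no interpolation (`"/etc/patching"`, `"directory"`) while the rest of the file and the neighbouring manifests use single quotes for literals; puppet-lint flags this and the file would read more consistently as `file { '/etc/patching': ensure => 'directory',`. `class platform::patching::api ( ) inherits` also declares an empty parameter list that the other `::api` classes in this change omit.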
@@ -0,0 +1,216 @@ +class platform::postgresql::params + inherits ::platform::params { + + $root_dir = '/var/lib/postgresql' + $config_dir = '/etc/postgresql' + + $data_dir = "${root_dir}/${::platform::params::software_version}" + + $password = undef +} + + +class platform::postgresql::server ( + $ipv4acl = undef, +) inherits ::platform::postgresql::params { + + include ::platform::params + + # Set up autovacuum + postgresql::server::config_entry { 'track_counts': + value => 'on', + } + postgresql::server::config_entry { 'autovacuum': + value => 'on', + } + # Only log autovacuum calls that are slow + postgresql::server::config_entry { 'log_autovacuum_min_duration': + value => '100', + } + # Make autovacuum more aggressive + postgresql::server::config_entry { 'autovacuum_max_workers': + value => '5', + } + postgresql::server::config_entry { 'autovacuum_vacuum_scale_factor': + value => '0.05', + } + postgresql::server::config_entry { 'autovacuum_analyze_scale_factor': + value => '0.1', + } + postgresql::server::config_entry { 'autovacuum_vacuum_cost_delay': + value => '-1', + } + postgresql::server::config_entry { 'autovacuum_vacuum_cost_limit': + value => '-1', + } + + # Set up logging + postgresql::server::config_entry { 'log_destination': + value => 'syslog', + } + postgresql::server::config_entry { 'syslog_facility': + value => 'LOCAL0', + } + + # log postgres operations that exceed 1 second + postgresql::server::config_entry { 'log_min_duration_statement': + value => '1000', + } + + # Set large values for postgres in normal mode + # In AIO or virtual box, use reduced settings + # + + # Normal mode + # 1500 connections + # 80 MB shared buffer + # work_mem 512 MB since some ceilometer queries entail extensive + # sorting as well as hash joins and hash based aggregation. 
+ # checkpoint_segments increased to reduce frequency of checkpoints + if str2bool($::is_compute_subfunction) or str2bool($::is_virtual) { + # AIO or virtual box + # 700 connections needs about 80MB shared buffer + # Leave work_mem as the default for vbox and AIO + # Leave checkpoint_segments as the default for vbox and AIO + postgresql::server::config_entry { 'max_connections': + value => '700', + } + postgresql::server::config_entry { 'shared_buffers': + value => '80MB', + } + } else { + postgresql::server::config_entry { 'max_connections': + value => '1500', + } + postgresql::server::config_entry { 'shared_buffers': + value => '80MB', + } + postgresql::server::config_entry { 'work_mem': + value => '512MB', + } + postgresql::server::config_entry { 'checkpoint_segments': + value => '10', + } + } + + if str2bool($::is_initial_config_primary) { + $service_ensure = 'running' + + # ensure service is stopped after initial configuration + class { '::platform::postgresql::post': + stage => post + } + } else { + $service_ensure = 'stopped' + } + + class {"::postgresql::globals": + datadir => $data_dir, + confdir => $config_dir, + } -> + + class {"::postgresql::server": + ip_mask_allow_all_users => $ipv4acl, + service_ensure => $service_ensure, + } +} + + +class platform::postgresql::post { + # postgresql needs to be running in order to apply the initial manifest, + # however, it needs to be stopped/disabled to allow SM to manage the service. + # To allow for the transition it must be explicitely stopped. Once puppet + # can directly handle SM managed services, then this can be removed. 
+ exec { 'stop postgresql service': + command => "systemctl stop postgresql; systemctl disable postgresql", + } +} + + +class platform::postgresql::bootstrap + inherits ::platform::postgresql::params { + + Class['::platform::drbd::pgsql'] -> Class[$name] + + exec { 'Empty pg dir': + command => "rm -fR ${root_dir}/*", + } -> + + exec { 'Create pg datadir': + command => "mkdir -p ${data_dir}", + } -> + + exec { 'Change pg dir permissions': + command => "chown -R postgres:postgres ${root_dir}", + } -> + + file_line { 'allow sudo with no tty': + path => '/etc/sudoers', + match => '^Defaults *requiretty', + line => '#Defaults requiretty', + } -> + + exec { 'Create pg database': + command => "sudo -u postgres initdb -D ${data_dir}", + } -> + + exec { 'Move Config files': + command => "mkdir -p ${config_dir} && mv ${data_dir}/*.conf ${config_dir}/ && ln -s ${config_dir}/*.conf ${data_dir}/", + } -> + + class {"::postgresql::globals": + datadir => $data_dir, + confdir => $config_dir, + } -> + + class {"::postgresql::server": + } + + # Allow local postgres user as trusted for simplex upgrade scripts + postgresql::server::pg_hba_rule { 'postgres trusted local access': + type => 'local', + user => 'postgres', + auth_method => 'trust', + database => 'all', + order => '000', + } + + postgresql::server::role {'admin': + password_hash => 'admin', + superuser => true, + } +} + +class platform::postgresql::upgrade + inherits ::platform::postgresql::params { + + exec { 'Move Config files': + command => "mkdir -p ${config_dir} && mv ${data_dir}/*.conf ${config_dir}/ && ln -s ${config_dir}/*.conf ${data_dir}/", + } -> + + class {"::postgresql::globals": + datadir => $data_dir, + confdir => $config_dir, + needs_initdb => false, + } -> + + class {"::postgresql::server": + } + + include ::aodh::db::postgresql + include ::ceilometer::db::postgresql + include ::cinder::db::postgresql + include ::glance::db::postgresql + include ::heat::db::postgresql + include ::murano::db::postgresql + 
include ::magnum::db::postgresql + include ::neutron::db::postgresql + include ::nova::db::postgresql + include ::nova::db::postgresql_api + include ::panko::db::postgresql + include ::sysinv::db::postgresql + include ::keystone::db::postgresql + include ::ironic::db::postgresql + +} + diff --git a/puppet-manifests/src/modules/platform/manifests/remotelogging.pp b/puppet-manifests/src/modules/platform/manifests/remotelogging.pp new file mode 100644 index 000000000..7e840cc81 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/remotelogging.pp 
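Review bot: `platform::postgresql::bootstrap` creates the `admin` role as a superuser with `password_hash => 'admin'`, i.e. a fixed, guessable credential baked into the manifest and identical on every deployment; with `ip_mask_allow_all_users => $ipv4acl` in `platform::postgresql::server`, any host inside that ACL can authenticate as a database superuser. The password should come from a generated secret supplied through a parameter and hashed with the module's `postgresql_password()` function rather than a literal, and the role should only be `superuser => true` if the upgrade scripts actually require it. The `file_line { 'allow sudo with no tty' }` edit also comments out `Defaults requiretty` in `/etc/sudoers` system-wide for a one-off bootstrap step and is never reverted; a drop-in under `/etc/sudoers.d/` scoped to the postgres user, or running `initdb` via `runuser -u postgres` instead of `sudo`, avoids the global change.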
@@ -0,0 +1,111 @@ +class platform::remotelogging::params ( + $enabled = false, + $ip_address = undef, + $port = undef, + $transport = 'tcp', + $service_name = 'remotelogging', +) {} + + +class platform::remotelogging + inherits ::platform::remotelogging::params { + + if $enabled { + include ::platform::params + $system_name = $::platform::params::system_name + + if($transport == 'tls') { + $server = "{tcp(\"$ip_address\" port($port) tls(peer-verify(\"required-untrusted\")));};" + } else { + $server = "{$transport(\"$ip_address\" port($port));};" + } + + $destination = "destination remote_log_server " + $destination_line = "$destination $server" + + file_line { 'conf-add-log-server': + path => '/etc/syslog-ng/syslog-ng.conf', + line => $destination_line, + match => $destination, + } -> + file_line { 'add-haproxy-host': + path => '/etc/syslog-ng/remotelogging.conf', + line => " set(\"$system_name haproxy.log $::hostname\", value(\"HOST\") condition(filter(f_local1)));", + match => '^ set\(.*haproxy\.log', + } -> + file_line { 'conf-add-remote': + path => '/etc/syslog-ng/syslog-ng.conf', + line => '@include "remotelogging.conf"', + match => '#@include \"remotelogging.conf\"', + } -> + exec { 'conf-add-name': + command => "/bin/sed -i 's/ set(\"[^ ]* \\(.*value(\"HOST\").*\\)/ set(\"${system_name} \\1/' /etc/syslog-ng/remotelogging.conf" + } -> + exec { "remotelogging-update-tc": + command => "/usr/local/bin/remotelogging_tc_setup.sh ${port}" + } -> + Exec['syslog-ng-reload'] + + } else { + # remove remote logging configuration from syslog-ng + file_line { 'exclude remotelogging conf': + path => '/etc/syslog-ng/syslog-ng.conf', + line => '#@include "remotelogging.conf"', + match => '@include \"remotelogging.conf\"', + } -> + Exec["syslog-ng-reload"] + } + + exec { "syslog-ng-reload": + command => '/usr/bin/systemctl reload syslog-ng' + } +} + + +class platform::remotelogging::proxy( + $table = 'nat', + $chain = 'POSTROUTING', + $jump = 'MASQUERADE', +) inherits 
::platform::remotelogging::params { + + include ::platform::network::oam::params + + $oam_interface = $::platform::network::oam::params::interface_name + + if $enabled { + + if $transport == 'tls' { + $firewall_proto_transport = 'tcp' + } else { + $firewall_proto_transport = $transport + } + + platform::firewall::rule { 'remotelogging-nat': + service_name => $service_name, + table => $table, + chain => $chain, + proto => $firewall_proto_transport, + outiface => $oam_interface, + jump => $jump, + } + + } else { + platform::firewall::rule { 'remotelogging-nat': + service_name => $service_name, + table => $table, + chain => $chain, + outiface => $oam_interface, + jump => $jump, + ensure => absent + } + } +} + + +class platform::remotelogging::runtime { + include ::platform::remotelogging + + if $::personality == 'controller' { + include ::platform::remotelogging::proxy + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/scratch.pp b/puppet-manifests/src/modules/platform/manifests/scratch.pp new file mode 100644 index 000000000..e69de29bb diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp new file mode 100644 index 000000000..3ebd48831 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/sm.pp 
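Review bot: The `tls` branch builds the destination with `tls(peer-verify("required-untrusted"))`, which makes syslog-ng demand a server certificate but accept any one without validating it, so the transport encrypts the stream yet does not authenticate the remote log server and the logs go to whoever answers on `$ip_address:$port`. Use `peer-verify("required-trusted")` together with a `ca-dir()` pointing at an operator-provided CA, or at minimum add a comment above the `$server` assignment stating that server identity is deliberately not verified so operators can make that call. In the `conf-add-name` exec `${system_name}` is spliced unescaped into a sed replacement, and in `add-haproxy-host` into a syslog-ng string literal; a system name containing `/`, `&`, a backslash or a double quote changes the meaning of both, so the value should be validated (or escaped) before interpolation.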
@@ -0,0 +1,1263 @@ +class platform::sm::params ( + $mgmt_ip_multicast = undef, + $infra_ip_multicast = undef, +) { } + +class platform::sm + inherits ::platform::sm::params { + + include ::platform::params + $controller_0_hostname = $::platform::params::controller_0_hostname + $controller_1_hostname = $::platform::params::controller_1_hostname + $platform_sw_version = $::platform::params::software_version + $region_config = $::platform::params::region_config + $region_2_name = $::platform::params::region_2_name + $system_mode = $::platform::params::system_mode + + include ::platform::network::pxeboot::params + if $::platform::network::pxeboot::params::interface_name { + $pxeboot_ip_interface = $::platform::network::pxeboot::params::interface_name + } else { + # Fallback to using the management interface for PXE boot network + $pxeboot_ip_interface = $::platform::network::mgmt::params::interface_name + } + $pxeboot_ip_param_ip = $::platform::network::pxeboot::params::controller_address + $pxeboot_ip_param_mask = $::platform::network::pxeboot::params::subnet_prefixlen + + include ::platform::network::mgmt::params + $mgmt_ip_interface = $::platform::network::mgmt::params::interface_name + $mgmt_ip_param_ip = $::platform::network::mgmt::params::controller_address + $mgmt_ip_param_mask = $::platform::network::mgmt::params::subnet_prefixlen + + include ::platform::network::infra::params + $infra_ip_interface = $::platform::network::infra::params::interface_name + + include ::platform::network::oam::params + $oam_ip_interface = $::platform::network::oam::params::interface_name + $oam_ip_param_ip = $::platform::network::oam::params::controller_address + $oam_ip_param_mask = $::platform::network::oam::params::subnet_prefixlen + + include ::platform::drbd::cgcs::params + $cgcs_drbd_resource = $::platform::drbd::cgcs::params::resource_name + $cgcs_fs_device = $::platform::drbd::cgcs::params::device + $cgcs_fs_directory = $::platform::drbd::cgcs::params::mountpoint + + include 
::platform::drbd::pgsql::params + $pg_drbd_resource = $::platform::drbd::pgsql::params::resource_name + $pg_fs_device = $::platform::drbd::pgsql::params::device + $pg_fs_directory = $::platform::drbd::pgsql::params::mountpoint + $pg_data_dir = "${pg_fs_directory}/${platform_sw_version}" + + include ::platform::drbd::platform::params + $platform_drbd_resource = $::platform::drbd::platform::params::resource_name + $platform_fs_device = $::platform::drbd::platform::params::device + $platform_fs_directory = $::platform::drbd::platform::params::mountpoint + + include ::platform::drbd::rabbit::params + $rabbit_drbd_resource = $::platform::drbd::rabbit::params::resource_name + $rabbit_fs_device = $::platform::drbd::rabbit::params::device + $rabbit_fs_directory = $::platform::drbd::rabbit::params::mountpoint + + include ::platform::drbd::extension::params + $extension_drbd_resource = $::platform::drbd::extension::params::resource_name + $extension_fs_device = $::platform::drbd::extension::params::device + $extension_fs_directory = $::platform::drbd::extension::params::mountpoint + + include ::platform::drbd::patch_vault::params + $drbd_patch_enabled = $::platform::drbd::patch_vault::params::service_enabled + $patch_drbd_resource = $::platform::drbd::patch_vault::params::resource_name + $patch_fs_device = $::platform::drbd::patch_vault::params::device + $patch_fs_directory = $::platform::drbd::patch_vault::params::mountpoint + + include ::openstack::keystone::params + $keystone_api_version = $::openstack::keystone::params::api_version + $keystone_identity_uri = $::openstack::keystone::params::identity_uri + $keystone_host_url = $::openstack::keystone::params::host_url + $keystone_region = $::openstack::keystone::params::region_name + + include ::platform::amqp::params + $amqp_server_port = $::platform::amqp::params::port + $rabbit_node_name = $::platform::amqp::params::node + $rabbit_mnesia_base = "/var/lib/rabbitmq/${platform_sw_version}/mnesia" + $murano_rabbit_node_name 
= "murano-$rabbit_node_name" + $murano_rabbit_mnesia_base = "/var/lib/rabbitmq/murano/${platform_sw_version}/mnesia" + $murano_rabbit_config_file = "/etc/rabbitmq/murano-rabbitmq" + + include ::platform::ldap::params + $ldapserver_remote = $::platform::ldap::params::ldapserver_remote + + # This variable is used also in create_sm_db.sql. + # please change that one as well when modifying this variable + $rabbit_pid = "/var/run/rabbitmq/rabbitmq.pid" + $murano_rabbit_env_config_file = "/etc/rabbitmq/murano-rabbitmq-env.conf" + + $murano_rabbit_pid = "/var/run/rabbitmq/murano-rabbit.pid" + $murano_rabbit_dist_port = 25673 + + $rabbitmq_server = '/usr/lib/rabbitmq/bin/rabbitmq-server' + $rabbitmqctl = '/usr/lib/rabbitmq/bin/rabbitmqctl' + + ############ NFS Parameters ################ + + # Platform NFS network is over the management network + $platform_nfs_ip_interface = $::platform::network::mgmt::params::interface_name + $platform_nfs_ip_param_ip = $::platform::network::mgmt::params::platform_nfs_address + $platform_nfs_ip_param_mask = $::platform::network::mgmt::params::subnet_prefixlen + $platform_nfs_ip_network_url = $::platform::network::mgmt::params::subnet_network_url + + # CGCS NFS network is over the infrastructure network if configured + if $infra_ip_interface { + $cgcs_nfs_ip_interface = $::platform::network::infra::params::interface_name + $cgcs_nfs_ip_param_ip = $::platform::network::infra::params::cgcs_nfs_address + $cgcs_nfs_ip_network_url = $::platform::network::infra::params::subnet_network_url + $cgcs_nfs_ip_param_mask = $::platform::network::infra::params::subnet_prefixlen + + $cinder_ip_interface = $::platform::network::infra::params::interface_name + $cinder_ip_param_mask = $::platform::network::infra::params::subnet_prefixlen + } else { + $cgcs_nfs_ip_interface = $::platform::network::mgmt::params::interface_name + $cgcs_nfs_ip_param_ip = $::platform::network::mgmt::params::cgcs_nfs_address + $cgcs_nfs_ip_network_url = 
$::platform::network::mgmt::params::subnet_network_url + $cgcs_nfs_ip_param_mask = $::platform::network::mgmt::params::subnet_prefixlen + + $cinder_ip_interface = $::platform::network::mgmt::params::interface_name + $cinder_ip_param_mask = $::platform::network::mgmt::params::subnet_prefixlen + } + + $platform_nfs_subnet_url = "${platform_nfs_ip_network_url}/${platform_nfs_ip_param_mask}" + $cgcs_nfs_subnet_url = "${cgcs_nfs_ip_network_url}/${cgcs_nfs_ip_param_mask}" + + $nfs_server_mgmt_exports = "${cgcs_nfs_subnet_url}:${cgcs_fs_directory},${platform_nfs_subnet_url}:${platform_fs_directory},${platform_nfs_subnet_url}:${extension_fs_directory}" + $nfs_server_mgmt_mounts = "${cgcs_fs_device}:${cgcs_fs_directory},${platform_fs_device}:${platform_fs_directory},${extension_fs_device}:${extension_fs_directory}" + + ################## Openstack Parameters ###################### + + # Keystone + if $region_config { + $os_mgmt_ip = $keystone_identity_uri + $os_keystone_auth_url = "${os_mgmt_ip}/${keystone_api_version}" + $os_region_name = $region_2_name + } else { + $os_auth_ip = $keystone_host_url + $os_keystone_auth_url = "http://${os_auth_ip}:5000/${keystone_api_version}" + $os_region_name = $keystone_region + } + + $ost_cl_ctrl_host = $::platform::network::mgmt::params::controller_address_url + + include ::openstack::client::params + + $os_username = $::openstack::client::params::admin_username + $os_project_name = 'admin' + $os_auth_url = $os_keystone_auth_url + $system_url = "http://${ost_cl_ctrl_host}:6385" + $os_user_domain_name = $::openstack::client::params::admin_user_domain + $os_project_domain_name = $::openstack::client::params::admin_project_domain + + # Nova + $db_server_port = '5432' + + include ::openstack::nova::params + $novnc_console_port = $::openstack::nova::params::nova_novnc_port + + # Heat + include ::openstack::heat::params + $heat_api_cfn_port = $::openstack::heat::params::cfn_port + $heat_api_cloudwatch_port = 
$::openstack::heat::params::cloudwatch_port + $heat_api_port = $::openstack::heat::params::api_port + + # Neutron + include ::openstack::neutron::params + $neutron_region_name = $::openstack::neutron::params::region_name + $neutron_plugin_config = "/etc/neutron/plugin.ini" + $neutron_sriov_plugin_config = "/etc/neutron/plugins/ml2/ml2_conf_sriov.ini" + + # Cinder + include ::openstack::cinder::params + $cinder_region_name = $::openstack::cinder::params::region_name + $cinder_ip_param_ip = $::openstack::cinder::params::cinder_address + $cinder_backends = $::openstack::cinder::params::enabled_backends + $cinder_drbd_resource = $::openstack::cinder::params::drbd_resource + $cinder_vg_name = $::openstack::cinder::params::cinder_vg_name + $cinder_service_enabled = $::openstack::cinder::params::service_enabled + + # Glance + include ::openstack::glance::params + $glance_region_name = $::openstack::glance::params::region_name + $glance_cached = $::openstack::glance::params::glance_cached + + # Murano + include ::openstack::murano::params + $murano_configured = $::openstack::murano::params::service_enabled + $disable_murano_agent = $::openstack::murano::params::disable_murano_agent + + # Magnum + include ::openstack::magnum::params + $magnum_configured = $::openstack::magnum::params::service_enabled + + # Ironic + include ::openstack::ironic::params + $ironic_configured = $::openstack::ironic::params::service_enabled + $ironic_tftp_ip = $::openstack::ironic::params::tftp_server + $ironic_controller_0_nic = $::openstack::ironic::params::controller_0_if + $ironic_controller_1_nic = $::openstack::ironic::params::controller_1_if + $ironic_netmask = $::openstack::ironic::params::netmask + $ironic_tftproot = $::openstack::ironic::params::ironic_tftpboot_dir + + # Ceph-Rados-Gateway + include ::platform::ceph::params + $ceph_configured = $::platform::ceph::params::service_enabled + $rgw_configured = $::platform::ceph::params::rgw_enabled + + if $system_mode == 'simplex' { + 
$hostunit = '0' + $management_my_unit_ip = $::platform::network::mgmt::params::controller0_address + $oam_my_unit_ip = $::platform::network::oam::params::controller_address + } else { + case $::hostname { + $controller_0_hostname: { + $hostunit = '0' + $management_my_unit_ip = $::platform::network::mgmt::params::controller0_address + $management_peer_unit_ip = $::platform::network::mgmt::params::controller1_address + $oam_my_unit_ip = $::platform::network::oam::params::controller0_address + $oam_peer_unit_ip = $::platform::network::oam::params::controller1_address + $infra_my_unit_ip = $::platform::network::infra::params::controller0_address + $infra_peer_unit_ip = $::platform::network::infra::params::controller1_address + } + $controller_1_hostname: { + $hostunit = '1' + $management_my_unit_ip = $::platform::network::mgmt::params::controller1_address + $management_peer_unit_ip = $::platform::network::mgmt::params::controller0_address + $oam_my_unit_ip = $::platform::network::oam::params::controller1_address + $oam_peer_unit_ip = $::platform::network::oam::params::controller0_address + $infra_my_unit_ip = $::platform::network::infra::params::controller1_address + $infra_peer_unit_ip = $::platform::network::infra::params::controller0_address + } + default: { + $hostunit = '2' + $management_my_unit_ip = undef + $management_peer_unit_ip = undef + $oam_my_unit_ip = undef + $oam_peer_unit_ip = undef + $infra_my_unit_ip = undef + $infra_peer_unit_ip = undef + } + } + } + + + # Add a shell for the postgres. By default WRL sets the shell to /bin/false. 
+ user { 'postgres': + shell => '/bin/sh' + } + + if $system_mode == 'simplex' { + exec { 'Deprovision oam-ip service group member': + command => "sm-deprovision service-group-member oam-services oam-ip", + } -> + exec { 'Deprovision oam-ip service': + command => "sm-deprovision service oam-ip", + } + + exec { 'Configure OAM Interface': + command => "sm-configure interface controller oam-interface \"\" ${oam_my_unit_ip} 2222 2223 \"\" 2222 2223", + } + + exec { 'Configure Management Interface': + command => "sm-configure interface controller management-interface ${mgmt_ip_multicast} ${management_my_unit_ip} 2222 2223 \"\" 2222 2223", + } + } else { + exec { 'Configure OAM Interface': + command => "sm-configure interface controller oam-interface \"\" ${oam_my_unit_ip} 2222 2223 ${oam_peer_unit_ip} 2222 2223", + } + exec { 'Configure Management Interface': + command => "sm-configure interface controller management-interface ${mgmt_ip_multicast} ${management_my_unit_ip} 2222 2223 ${management_peer_unit_ip} 2222 2223", + } + } + + exec { 'Configure OAM IP': + command => "sm-configure service_instance oam-ip oam-ip \"ip=${oam_ip_param_ip},cidr_netmask=${oam_ip_param_mask},nic=${oam_ip_interface},arp_count=7\"", + } + + + if $system_mode == 'duplex-direct' or $system_mode == 'simplex' { + exec { 'Configure Management IP': + command => "sm-configure service_instance management-ip management-ip \"ip=${mgmt_ip_param_ip},cidr_netmask=${mgmt_ip_param_mask},nic=${mgmt_ip_interface},arp_count=7,dc=yes\"", + } + } else { + exec { 'Configure Management IP': + command => "sm-configure service_instance management-ip management-ip \"ip=${mgmt_ip_param_ip},cidr_netmask=${mgmt_ip_param_mask},nic=${mgmt_ip_interface},arp_count=7\"", + } + } + + # Create the PXEBoot IP service if it is configured + if str2bool($::is_initial_config) { + exec { 'Configure PXEBoot IP service in SM (service-group-member pxeboot-ip)': + command => "sm-provision service-group-member controller-services 
pxeboot-ip", + } -> + exec { 'Configure PXEBoot IP service in SM (service pxeboot-ip)': + command => "sm-provision service pxeboot-ip", + } + } + + if $system_mode == 'duplex-direct' or $system_mode == 'simplex' { + exec { 'Configure PXEBoot IP': + command => "sm-configure service_instance pxeboot-ip pxeboot-ip \"ip=${pxeboot_ip_param_ip},cidr_netmask=${pxeboot_ip_param_mask},nic=${pxeboot_ip_interface},arp_count=7,dc=yes\"", + } + } else { + exec { 'Configure PXEBoot IP': + command => "sm-configure service_instance pxeboot-ip pxeboot-ip \"ip=${pxeboot_ip_param_ip},cidr_netmask=${pxeboot_ip_param_mask},nic=${pxeboot_ip_interface},arp_count=7\"", + } + } + + exec { 'Configure Postgres DRBD': + command => "sm-configure service_instance drbd-pg drbd-pg:${hostunit} \"drbd_resource=${pg_drbd_resource}\"", + } + + exec { 'Configure Postgres FileSystem': + command => "sm-configure service_instance pg-fs pg-fs \"rmon_rsc_name=database-storage,device=${pg_fs_device},directory=${pg_fs_directory},options=noatime,nodiratime,fstype=ext4,check_level=20\"", + } + + exec { 'Configure Postgres': + command => "sm-configure service_instance postgres postgres \"pgctl=/usr/bin/pg_ctl,pgdata=${pg_data_dir}\"", + } + + exec { 'Configure Rabbit DRBD': + command => "sm-configure service_instance drbd-rabbit drbd-rabbit:${hostunit} \"drbd_resource=${rabbit_drbd_resource}\"", + } + + exec { 'Configure Rabbit FileSystem': + command => "sm-configure service_instance rabbit-fs rabbit-fs \"rmon_rsc_name=messaging-storage,device=${rabbit_fs_device},directory=${rabbit_fs_directory},options=noatime,nodiratime,fstype=ext4,check_level=20\"", + } + + exec { 'Configure Rabbit': + command => "sm-configure service_instance rabbit rabbit \"server=${rabbitmq_server},ctl=${rabbitmqctl},pid_file=${rabbit_pid},nodename=${rabbit_node_name},mnesia_base=${rabbit_mnesia_base},ip=${mgmt_ip_param_ip}\"", + } + + exec { 'Configure CGCS DRBD': + command => "sm-configure service_instance drbd-cgcs 
drbd-cgcs:${hostunit} drbd_resource=${cgcs_drbd_resource}", + } + + exec { 'Configure CGCS FileSystem': + command => "sm-configure service_instance cgcs-fs cgcs-fs \"rmon_rsc_name=cloud-storage,device=${cgcs_fs_device},directory=${cgcs_fs_directory},options=noatime,nodiratime,fstype=ext4,check_level=20\"", + } + + exec { 'Configure CGCS Export FileSystem': + command => "sm-configure service_instance cgcs-export-fs cgcs-export-fs \"fsid=1,directory=${cgcs_fs_directory},options=rw,sync,no_root_squash,no_subtree_check,clientspec=${cgcs_nfs_subnet_url},unlock_on_stop=true\"", + } + + exec { 'Configure Extension DRBD': + command => "sm-configure service_instance drbd-extension drbd-extension:${hostunit} \"drbd_resource=${extension_drbd_resource}\"", + } + + exec { 'Configure Extension FileSystem': + command => "sm-configure service_instance extension-fs extension-fs \"rmon_rsc_name=extension-storage,device=${extension_fs_device},directory=${extension_fs_directory},options=noatime,nodiratime,fstype=ext4,check_level=20\"", + } + + exec { 'Configure Extension Export FileSystem': + command => "sm-configure service_instance extension-export-fs extension-export-fs \"fsid=1,directory=${extension_fs_directory},options=rw,sync,no_root_squash,no_subtree_check,clientspec=${platform_nfs_subnet_url},unlock_on_stop=true\"", + } + + if $drbd_patch_enabled { + exec { 'Configure Patch-vault DRBD': + command => "sm-configure service_instance drbd-patch-vault drbd-patch-vault:${hostunit} \"drbd_resource=${patch_drbd_resource}\"", + } + + exec { 'Configure Patch-vault FileSystem': + command => "sm-configure service_instance patch-vault-fs patch-vault-fs \"rmon_rsc_name=patch-vault-storage,device=${patch_fs_device},directory=${patch_fs_directory},options=noatime,nodiratime,fstype=ext4,check_level=20\"", + } + } + + if $system_mode == 'duplex-direct' or $system_mode == 'simplex' { + exec { 'Configure CGCS NFS': + command => "sm-configure service_instance cgcs-nfs-ip cgcs-nfs-ip 
\"ip=${cgcs_nfs_ip_param_ip},cidr_netmask=${cgcs_nfs_ip_param_mask},nic=${cgcs_nfs_ip_interface},arp_count=7,dc=yes\"", + } + } else { + exec { 'Configure CGCS NFS': + command => "sm-configure service_instance cgcs-nfs-ip cgcs-nfs-ip \"ip=${cgcs_nfs_ip_param_ip},cidr_netmask=${cgcs_nfs_ip_param_mask},nic=${cgcs_nfs_ip_interface},arp_count=7\"", + } + } + + if $region_config { + exec { 'Deprovision OpenStack - Keystone (service-group-member)': + command => "sm-deprovision service-group-member cloud-services keystone", + } -> + exec { 'Deprovision OpenStack - Keystone (service)': + command => "sm-deprovision service keystone", + } + + if $glance_region_name != $region_2_name { + $configure_glance = false + + exec { 'Deprovision OpenStack - Glance Registry (service-group-member)': + command => "sm-deprovision service-group-member cloud-services glance-registry", + } -> + exec { 'Deprovision OpenStack - Glance Registry (service)': + command => "sm-deprovision service glance-registry", + } -> + exec { 'Deprovision OpenStack - Glance API (service-group-member)': + command => "sm-deprovision service-group-member cloud-services glance-api", + } -> + exec { 'Deprovision OpenStack - Glance API (service)': + command => "sm-deprovision service glance-api", + } + } else { + $configure_glance = true + if $glance_cached { + exec { 'Deprovision OpenStack - Glance Registry (service-group-member)': + command => "sm-deprovision service-group-member cloud-services glance-registry", + } -> + exec { 'Deprovision OpenStack - Glance Registry (service)': + command => "sm-deprovision service glance-registry", + } + } + } + } else { + exec { 'Configure OpenStack - Keystone': + command => "sm-configure service_instance keystone keystone \"config=/etc/keystone/keystone.conf,user=root,os_username=${os_username},os_project_name=${os_project_name},os_user_domain_name=${os_user_domain_name},os_project_domain_name=${os_project_domain_name},os_auth_url=${os_auth_url}, \"", + } + $configure_glance = 
true + } + + if $configure_glance { + if !$glance_cached { + exec { 'Configure OpenStack - Glance Registry': + command => "sm-configure service_instance glance-registry glance-registry \"config=/etc/glance/glance-registry.conf,user=root,os_username=${os_username},os_project_name=${os_project_name},os_user_domain_name=${os_user_domain_name},os_project_domain_name=${os_project_domain_name},keystone_get_token_url=${os_auth_url}/tokens\"", + } -> + exec { 'Provision OpenStack - Glance Registry (service-group-member)': + command => "sm-provision service-group-member cloud-services glance-registry", + } -> + exec { 'Provision OpenStack - Glance Registry (service)': + command => "sm-provision service glance-registry", + } + } + + exec { 'Configure OpenStack - Glance API': + command => "sm-configure service_instance glance-api glance-api \"config=/etc/glance/glance-api.conf,user=root,os_username=${os_username},os_project_name=${os_project_name},os_user_domain_name=${os_user_domain_name},os_project_domain_name=${os_project_domain_name},os_auth_url=${os_auth_url}\"", + } -> + exec { 'Provision OpenStack - Glance API (service-group-member)': + command => "sm-provision service-group-member cloud-services glance-api", + } -> + exec { 'Provision OpenStack - Glance API (service)': + command => "sm-provision service glance-api", + } + } + + if $cinder_service_enabled { + exec { 'Configure OpenStack - Cinder API': + command => "sm-configure service_instance cinder-api cinder-api \"config=/etc/cinder/cinder.conf,user=root,os_username=${os_username},os_project_name=${os_project_name},os_user_domain_name=${os_user_domain_name},os_project_domain_name=${os_project_domain_name},keystone_get_token_url=${os_auth_url}/tokens\"", + } -> + exec { 'Provision OpenStack - Cinder API (service-group-member)': + command => "sm-provision service-group-member cloud-services cinder-api", + } -> + exec { 'Provision OpenStack - Cinder API (service)': + command => "sm-provision service cinder-api", + } + 
+ exec { 'Configure OpenStack - Cinder Scheduler': + command => "sm-configure service_instance cinder-scheduler cinder-scheduler \"config=/etc/cinder/cinder.conf,user=root,amqp_server_port=${amqp_server_port}\"", + } -> + exec { 'Provision OpenStack - Cinder Scheduler (service-group-member)': + command => "sm-provision service-group-member cloud-services cinder-scheduler", + } -> + exec { 'Provision OpenStack - Cinder Scheduler (service)': + command => "sm-provision service cinder-scheduler", + } + + exec { 'Configure OpenStack - Cinder Volume': + command => "sm-configure service_instance cinder-volume cinder-volume \"config=/etc/cinder/cinder.conf,user=root,amqp_server_port=${amqp_server_port},multibackend=true\"", + } -> + exec { 'Provision OpenStack - Cinder Volume (service-group-member)': + command => "sm-provision service-group-member cloud-services cinder-volume", + } -> + exec { 'Configure Cinder Volume in SM': + command => "sm-provision service cinder-volume", + } + + if 'lvm' in $cinder_backends { + # Cinder DRBD + exec { 'Configure Cinder LVM in SM (service-group-member drbd-cinder)': + command => "sm-provision service-group-member controller-services drbd-cinder", + } -> + exec { 'Configure Cinder LVM in SM (service drbd-cinder)': + command => "sm-provision service drbd-cinder", + } -> + + # Cinder LVM + exec { 'Configure Cinder LVM in SM (service-group-member cinder-lvm)': + command => "sm-provision service-group-member controller-services cinder-lvm", + } -> + exec { 'Configure Cinder LVM in SM (service cinder-lvm)': + command => "sm-provision service cinder-lvm", + } -> + + # TGTd + exec { 'Configure Cinder LVM in SM (service-group-member iscsi)': + command => "sm-provision service-group-member controller-services iscsi", + } -> + exec { 'Configure Cinder LVM in SM (service iscsi)': + command => "sm-provision service iscsi", + } -> + + exec { 'Configure Cinder DRBD service instance': + command => "sm-configure service_instance drbd-cinder 
drbd-cinder:${hostunit} drbd_resource=${cinder_drbd_resource}", + } + exec { 'Configure Cinder LVM service instance': + command => "sm-configure service_instance cinder-lvm cinder-lvm \"rmon_rsc_name=volume-storage,volgrpname=${cinder_vg_name}\"", + } + exec { 'Configure iscsi service instance': + command => "sm-configure service_instance iscsi iscsi \"\"", + } + + + # Cinder IP + exec { 'Configure Cinder LVM in SM (service-group-member cinder-ip)': + command => "sm-provision service-group-member controller-services cinder-ip", + } -> + exec { 'Configure Cinder LVM in SM (service cinder-ip)': + command => "sm-provision service cinder-ip", + } + + if $system_mode == 'duplex-direct' or $system_mode == 'simplex' { + exec { 'Configure Cinder IP service instance': + command => "sm-configure service_instance cinder-ip cinder-ip \"ip=${cinder_ip_param_ip},cidr_netmask=${cinder_ip_param_mask},nic=${cinder_ip_interface},arp_count=7,dc=yes\"", + } + } else { + exec { 'Configure Cinder IP service instance': + command => "sm-configure service_instance cinder-ip cinder-ip \"ip=${cinder_ip_param_ip},cidr_netmask=${cinder_ip_param_mask},nic=${cinder_ip_interface},arp_count=7\"", + } + } + } + } else { + exec { 'Deprovision OpenStack - Cinder API (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services cinder-api", + } -> + exec { 'Deprovision OpenStack - Cinder API (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service cinder-api", + } -> + exec { 'Deprovision OpenStack - Cinder Scheduler (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services cinder-scheduler", + } -> + exec { 'Deprovision OpenStack - Cinder Scheduler (service)': + path => [ '/usr/bin', '/usr/sbin', 
'/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service cinder-scheduler", + } -> + exec { 'Deprovision OpenStack - Cinder Volume (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services cinder-volume", + } -> + exec { 'Deprovision OpenStack - Cinder Volume (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service cinder-volume", + } + } + + if $region_config { + if $neutron_region_name != $region_2_name { + $configure_neturon = false + + exec { 'Deprovision OpenStack - Neutron Server (service-group-member)': + command => "sm-deprovision service-group-member cloud-services neutron-server", + } -> + exec { 'Deprovision OpenStack - Neutron Server (service)': + command => "sm-deprovision service neutron-server", + } + } else { + $configure_neturon = true + } + } else { + $configure_neturon = true + } + + if $configure_neturon { + exec { 'Configure OpenStack - Neutron Server': + command => "sm-configure service_instance neutron-server neutron-server \"config=/etc/neutron/neutron.conf,plugin_config=${neutron_plugin_config},sriov_plugin_config=${neutron_sriov_plugin_config},user=root,os_username=${os_username},os_project_name=${os_project_name},os_user_domain_name=${os_user_domain_name},os_project_domain_name=${os_project_domain_name},keystone_get_token_url=${os_auth_url}/tokens\"", + } + } + + exec { 'Configure OpenStack - Nova API': + command => "sm-configure service_instance nova-api nova-api \"config=/etc/nova/nova.conf,user=root,os_username=${os_username},os_project_name=${os_project_name},os_user_domain_name=${os_user_domain_name},os_project_domain_name=${os_project_domain_name},keystone_get_token_url=${os_auth_url}/tokens\"", + } + + exec { 'Configure OpenStack - Nova Placement API': + command => "sm-configure service_instance nova-placement-api 
nova-placement-api \"config=/etc/nova/nova.conf,user=root,os_username=${os_username},os_project_name=${os_project_name},os_user_domain_name=${os_user_domain_name},os_project_domain_name=${os_project_domain_name},keystone_get_token_url=${os_auth_url}/tokens,host=${mgmt_ip_param_ip}\"", + } + + exec { 'Configure OpenStack - Nova Scheduler': + command => "sm-configure service_instance nova-scheduler nova-scheduler \"config=/etc/nova/nova.conf,database_server_port=${db_server_port},amqp_server_port=${amqp_server_port}\"", + } + + exec { 'Configure OpenStack - Nova Conductor': + command => "sm-configure service_instance nova-conductor nova-conductor \"config=/etc/nova/nova.conf,database_server_port=${db_server_port},amqp_server_port=${amqp_server_port}\"", + } + + exec { 'Configure OpenStack - Nova Console Authorization': + command => "sm-configure service_instance nova-console-auth nova-console-auth \"config=/etc/nova/nova.conf,user=root,database_server_port=${db_server_port},amqp_server_port=${amqp_server_port}\"", + } + + exec { 'Configure OpenStack - Nova NoVNC': + command => "sm-configure service_instance nova-novnc nova-novnc \"config=/etc/nova/nova.conf,user=root,console_port=${novnc_console_port}\"", + } + + exec { 'Configure OpenStack - Ceilometer Collector': + command => "sm-configure service_instance ceilometer-collector ceilometer-collector \"config=/etc/ceilometer/ceilometer.conf\"", + } + + exec { 'Configure OpenStack - Ceilometer API': + command => "sm-configure service_instance ceilometer-api ceilometer-api \"config=/etc/ceilometer/ceilometer.conf\"", + } + + exec { 'Configure OpenStack - Ceilometer Agent Notification': + command => "sm-configure service_instance ceilometer-agent-notification ceilometer-agent-notification \"config=/etc/ceilometer/ceilometer.conf\"", + } + + if $::openstack::heat::params::service_enabled { + exec { 'Configure OpenStack - Heat Engine': + command => "sm-configure service_instance heat-engine heat-engine 
\"config=/etc/heat/heat.conf,user=root,database_server_port=${db_server_port},amqp_server_port=${amqp_server_port}\"", + } + + exec { 'Configure OpenStack - Heat API': + command => "sm-configure service_instance heat-api heat-api \"config=/etc/heat/heat.conf,user=root,server_port=${heat_api_port}\"", + } + + exec { 'Configure OpenStack - Heat API CFN': + command => "sm-configure service_instance heat-api-cfn heat-api-cfn \"config=/etc/heat/heat.conf,user=root,server_port=${heat_api_cfn_port}\"", + } + + exec { 'Configure OpenStack - Heat API CloudWatch': + command => "sm-configure service_instance heat-api-cloudwatch heat-api-cloudwatch \"config=/etc/heat/heat.conf,user=root,server_port=${heat_api_cloudwatch_port}\"", + } + } else { + exec { 'Deprovision OpenStack - Heat Engine (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services heat-engine", + } -> + exec { 'Deprovision OpenStack - Heat Engine(service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service heat-engine", + } + + exec { 'Deprovision OpenStack - Heat API (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services heat-api", + } -> + exec { 'Deprovision OpenStack - Heat API (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service heat-api", + } + + exec { 'Deprovision OpenStack - Heat API CFN (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services heat-api-cfn", + } -> + exec { 'Deprovision OpenStack - Heat API CFN (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => 
"sm-deprovision service heat-api-cfn", + } + + exec { 'Deprovision OpenStack - Heat API CloudWatch (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services heat-api-cloudwatch", + } -> + exec { 'Deprovision OpenStack - Heat API CloudWatch (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service heat-api-cloudwatch", + } + } + + # AODH + if $::openstack::aodh::params::service_enabled { + + exec { 'Configure OpenStack - AODH API': + command => "sm-configure service_instance aodh-api aodh-api \"config=/etc/aodh/aodh.conf\"", + } + + exec { 'Configure OpenStack - AODH Evaluator': + command => "sm-configure service_instance aodh-evaluator aodh-evaluator \"config=/etc/aodh/aodh.conf\"", + } + + exec { 'Configure OpenStack - AODH Listener': + command => "sm-configure service_instance aodh-listener aodh-listener \"config=/etc/aodh/aodh.conf\"", + } + + exec { 'Configure OpenStack - AODH Notifier': + command => "sm-configure service_instance aodh-notifier aodh-notifier \"config=/etc/aodh/aodh.conf\"", + } + } else { + exec { 'Deprovision OpenStack - AODH API (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services aodh-api", + } -> + exec { 'Deprovision OpenStack - AODH API (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service aodh-api", + } + + exec { 'Deprovision OpenStack - AODH Evaluator (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services aodh-evaluator", + } -> + exec { 'Deprovision OpenStack - AODH Evaluator (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', 
'/etc', '/sbin', '/bin' ], + command => "sm-deprovision service aodh-evaluator", + } + + exec { 'Deprovision OpenStack - AODH Listener (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services aodh-listener", + } -> + exec { 'Deprovision OpenStack - AODH Listener (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service aodh-listener", + } + + exec { 'Deprovision OpenStack - AODH Notifier (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services aodh-notifier", + } -> + exec { 'Deprovision OpenStack - AODH Notifier (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service aodh-notifier", + } + } + + # Panko + if $::openstack::panko::params::service_enabled { + exec { 'Configure OpenStack - Panko API': + command => "sm-configure service_instance panko-api panko-api \"config=/etc/panko/panko.conf\"", + } + } else { + exec { 'Deprovision OpenStack - Panko API (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services panko-api", + } -> + exec { 'Deprovision OpenStack - Panko API (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service panko-api", + } + } + + # Murano + exec { 'Configure OpenStack - Murano API': + command => "sm-configure service_instance murano-api murano-api \"config=/etc/murano/murano.conf\"", + } + + exec { 'Configure OpenStack - Murano Engine': + command => "sm-configure service_instance murano-engine murano-engine \"config=/etc/murano/murano.conf\"", + } + + # Magnum + exec { 'Configure OpenStack 
- Magnum API': + command => "sm-configure service_instance magnum-api magnum-api \"config=/etc/magnum/magnum.conf\"", + } + + exec { 'Configure OpenStack - Magnum Conductor': + command => "sm-configure service_instance magnum-conductor magnum-conductor \"config=/etc/magnum/magnum.conf\"", + } + + # Ironic + exec { 'Configure OpenStack - Ironic API': + command => "sm-configure service_instance ironic-api ironic-api \"config=/etc/ironic/ironic.conf\"", + } + + exec { 'Configure OpenStack - Ironic Conductor': + command => "sm-configure service_instance ironic-conductor ironic-conductor \"config=/etc/ironic/ironic.conf,tftproot=${ironic_tftproot}\"", + } + + exec { 'Configure OpenStack - Nova Compute': + command => "sm-configure service_instance nova-compute nova-compute \"config=/etc/nova/nova-ironic.conf\"", + } + + exec { 'Configure OpenStack - Nova Serialproxy': + command => "sm-configure service_instance nova-serialproxy nova-serialproxy \"config=/etc/nova/nova-ironic.conf\"", + } + + #exec { 'Configure Power Management Conductor': + # command => "sm-configure service_instance power-mgmt-conductor power-mgmt-conductor \"config=/etc/power_mgmt/power-mgmt-conductor.ini\"", + #} + + #exec { 'Configure Power Management API': + # command => "sm-configure service_instance power-mgmt-api power-mgmt-api \"config=/etc/power_mgmt/power-mgmt-api.ini\"", + #} + + exec { 'Configure NFS Management': + command => "sm-configure service_instance nfs-mgmt nfs-mgmt \"exports=${nfs_server_mgmt_exports},mounts=${nfs_server_mgmt_mounts}\"", + } + + exec { 'Configure Platform DRBD': + command => "sm-configure service_instance drbd-platform drbd-platform:${hostunit} \"drbd_resource=${platform_drbd_resource}\"", + } + + exec { 'Configure Platform FileSystem': + command => "sm-configure service_instance platform-fs platform-fs \"rmon_rsc_name=platform-storage,device=${platform_fs_device},directory=${platform_fs_directory},options=noatime,nodiratime,fstype=ext4,check_level=20\"", + } + + 
exec { 'Configure Platform Export FileSystem': + command => "sm-configure service_instance platform-export-fs platform-export-fs \"fsid=0,directory=${platform_fs_directory},options=rw,sync,no_root_squash,no_subtree_check,clientspec=${platform_nfs_subnet_url},unlock_on_stop=true\"", + } + + if $system_mode == 'duplex-direct' or $system_mode == 'simplex' { + exec { 'Configure Platform NFS': + command => "sm-configure service_instance platform-nfs-ip platform-nfs-ip \"ip=${platform_nfs_ip_param_ip},cidr_netmask=${platform_nfs_ip_param_mask},nic=${mgmt_ip_interface},arp_count=7,dc=yes\"", + } + } else { + exec { 'Configure Platform NFS': + command => "sm-configure service_instance platform-nfs-ip platform-nfs-ip \"ip=${platform_nfs_ip_param_ip},cidr_netmask=${platform_nfs_ip_param_mask},nic=${mgmt_ip_interface},arp_count=7\"", + } + } + + exec { 'Configure System Inventory API': + command => "sm-configure service_instance sysinv-inv sysinv-inv \"dbg=false,os_username=${os_username},os_project_name=${os_project_name},os_user_domain_name=${os_user_domain_name},os_project_domain_name=${os_project_domain_name},os_auth_url=${os_auth_url},os_region_name=${os_region_name},system_url=${system_url}\"", + } + + exec { 'Configure System Inventory Conductor': + command => "sm-configure service_instance sysinv-conductor sysinv-conductor \"dbg=false\"", + } + + exec { 'Configure Maintenance Agent': + command => "sm-configure service_instance mtc-agent mtc-agent \"state=active,logging=true,mode=normal,dbg=false\"", + } + + exec { 'Configure Heartbeat Service Agent': + command => "sm-configure service_instance hbs-agent hbs-agent \"state=active,logging=true,dbg=false\"", + } + + exec { 'Configure DNS Mask': + command => "sm-configure service_instance dnsmasq dnsmasq \"\"", + } + + exec { 'Configure Fault Manager': + command => "sm-configure service_instance fm-mgr fm-mgr \"\"", + } + + exec { 'Configure Open LDAP': + command => "sm-configure service_instance open-ldap open-ldap \"\"", 
+ } + + if $infra_ip_interface { + exec { 'Configure Infrastructure Interface': + command => "sm-configure interface controller infrastructure-interface ${infra_ip_multicast} ${infra_my_unit_ip} 2222 2223 ${infra_peer_unit_ip} 2222 2223", + } + } + + if $system_mode == 'duplex-direct' or $system_mode == 'duplex' { + exec { 'Configure System Mode': + command => "sm-configure system --cpe_mode ${system_mode}", + } + + } + + if $system_mode == 'simplex' { + exec { 'Configure oam-service redundancy model': + command => "sm-configure service_group yes controller oam-services N 1 0 \"\" directory-services", + } + + exec { 'Configure controller-services redundancy model': + command => "sm-configure service_group yes controller controller-services N 1 0 \"\" directory-services", + } + + exec { 'Configure cloud-services redundancy model': + command => "sm-configure service_group yes controller cloud-services N 1 0 \"\" directory-services", + } + + exec { 'Configure vim-services redundancy model': + command => "sm-configure service_group yes controller vim-services N 1 0 \"\" directory-services", + } + + exec { 'Configure patching-services redundancy model': + command => "sm-configure service_group yes controller patching-services N 1 0 \"\" \"\"", + } + + exec { 'Configure directory-services redundancy model': + command => "sm-configure service_group yes controller directory-services N 1 0 \"\" \"\"", + } + + exec { 'Configure web-services redundancy model': + command => "sm-configure service_group yes controller web-services N 1 0 \"\" \"\"", + } + + } + + exec { 'Provision extension-fs (service-group-member)': + command => "sm-provision service-group-member controller-services extension-fs", + } -> + exec { 'Provision extension-fs (service)': + command => "sm-provision service extension-fs", + } -> + exec { 'Provision drbd-extension (service-group-member)': + command => "sm-provision service-group-member controller-services drbd-extension", + } -> + exec { 'Provision 
drbd-extension (service)': + command => "sm-provision service drbd-extension", + } -> + exec { 'Provision extension-export-fs (service-group-member)': + command => "sm-provision service-group-member controller-services extension-export-fs", + } -> + exec { 'Provision extension-export-fs (service)': + command => "sm-provision service extension-export-fs", + } + + if $drbd_patch_enabled { + exec { 'Provision patch-vault-fs (service-group-member)': + command => "sm-provision service-group-member controller-services patch-vault-fs", + } -> + exec { 'Provision patch-vault-fs (service)': + command => "sm-provision service patch-vault-fs", + } -> + exec { 'Provision drbd-patch-vault (service-group-member)': + command => "sm-provision service-group-member controller-services drbd-patch-vault", + } -> + exec { 'Provision drbd-patch-vault (service)': + command => "sm-provision service drbd-patch-vault", + } + } + + exec { 'Configure Murano Rabbit': + command => "sm-configure service_instance murano-rabbit murano-rabbit \"server=${rabbitmq_server},ctl=${rabbitmqctl},nodename=${murano_rabbit_node_name},mnesia_base=${murano_rabbit_mnesia_base},ip=${oam_ip_param_ip},config_file=${murano_rabbit_config_file},env_config_file=${murano_rabbit_env_config_file},pid_file=${murano_rabbit_pid},dist_port=${murano_rabbit_dist_port}\"", + } + + # optionally bring up/down Murano and murano agent's rabbitmq + if $disable_murano_agent { + exec { 'Deprovision Murano Rabbitmq (service-group-member)': + command => "sm-deprovision service-group-member controller-services murano-rabbit", + } -> + exec { 'Deprovision Murano Rabbitmq (service)': + command => "sm-deprovision service murano-rabbit", + } + } else { + exec { 'Provision Murano Rabbitmq (service-group-member)': + command => "sm-provision service-group-member controller-services murano-rabbit", + } -> + exec { 'Provision Murano Rabbitmq (service)': + command => "sm-provision service murano-rabbit", + } + } + + if $murano_configured { + exec 
{ 'Provision OpenStack - Murano API (service-group-member)': + command => "sm-provision service-group-member cloud-services murano-api", + } -> + exec { 'Provision OpenStack - Murano API (service)': + command => "sm-provision service murano-api", + } -> + exec { 'Provision OpenStack - Murano Engine (service-group-member)': + command => "sm-provision service-group-member cloud-services murano-engine", + } -> + exec { 'Provision OpenStack - Murano Engine (service)': + command => "sm-provision service murano-engine", + } + } else { + exec { 'Deprovision OpenStack - Murano API (service-group-member)': + command => "sm-deprovision service-group-member cloud-services murano-api", + } -> + exec { 'Deprovision OpenStack - Murano API (service)': + command => "sm-deprovision service murano-api", + } -> + exec { 'Deprovision OpenStack - Murano Engine (service-group-member)': + command => "sm-deprovision service-group-member cloud-services murano-engine", + } -> + exec { 'Deprovision OpenStack - Murano Engine (service)': + command => "sm-deprovision service murano-engine", + } + } + + # optionally bring up/down Magnum + if $magnum_configured { + exec { 'Provision OpenStack - Magnum API (service-group-member)': + command => "sm-provision service-group-member cloud-services magnum-api", + } -> + exec { 'Provision OpenStack - Magnum API (service)': + command => "sm-provision service magnum-api", + } -> + exec { 'Provision OpenStack - Magnum Conductor (service-group-member)': + command => "sm-provision service-group-member cloud-services magnum-conductor", + } -> + exec { 'Provision OpenStack - Magnum Conductor (service)': + command => "sm-provision service magnum-conductor", + } + } else { + exec { 'Deprovision OpenStack - Magnum API (service-group-member)': + command => "sm-deprovision service-group-member cloud-services magnum-api", + } -> + exec { 'Deprovision OpenStack - Magnum API (service)': + command => "sm-deprovision service magnum-api", + } -> + exec { 'Deprovision 
OpenStack - Magnum Conductor (service-group-member)': + command => "sm-deprovision service-group-member cloud-services magnum-conductor", + } -> + exec { 'Deprovision OpenStack - Magnum Conductor (service)': + command => "sm-deprovision service magnum-conductor", + } + } + + # optionally bring up/down Ironic + if $ironic_configured { + exec { 'Provision OpenStack - Ironic API (service-group-member)': + command => "sm-provision service-group-member cloud-services ironic-api", + } -> + exec { 'Provision OpenStack - Ironic API (service)': + command => "sm-provision service ironic-api", + } -> + exec { 'Provision OpenStack - Ironic Conductor (service-group-member)': + command => "sm-provision service-group-member cloud-services ironic-conductor", + } -> + exec { 'Provision OpenStack - Ironic Conductor (service)': + command => "sm-provision service ironic-conductor", + } -> + exec { 'Provision OpenStack - Nova Compute (service-group-member)': + command => "sm-provision service-group-member cloud-services nova-compute", + } -> + exec { 'Provision OpenStack - Nova Compute (service)': + command => "sm-provision service nova-compute", + } -> + exec { 'Provision OpenStack - Nova Serialproxy (service-group-member)': + command => "sm-provision service-group-member cloud-services nova-serialproxy", + } -> + exec { 'Provision OpenStack - Nova Serialproxy (service)': + command => "sm-provision service nova-serialproxy", + } + if $ironic_tftp_ip != undef { + case $::hostname { + $controller_0_hostname: { + exec { 'Configure Ironic TFTP IP service instance': + command => "sm-configure service_instance ironic-tftp-ip ironic-tftp-ip \"ip=${ironic_tftp_ip},cidr_netmask=${ironic_netmask},nic=${ironic_controller_0_nic},arp_count=7\"", + } + } + $controller_1_hostname: { + exec { 'Configure Ironic TFTP IP service instance': + command => "sm-configure service_instance ironic-tftp-ip ironic-tftp-ip 
\"ip=${ironic_tftp_ip},cidr_netmask=${ironic_netmask},nic=${ironic_controller_1_nic},arp_count=7\"", + } + } + default: { + } + } + + exec { 'Provision Ironic TFTP Floating IP (service-group-member)': + command => "sm-provision service-group-member controller-services ironic-tftp-ip", + } -> + exec { 'Provision Ironic TFTP Floating IP (service)': + command => "sm-provision service ironic-tftp-ip", + } + } + } else { + exec { 'Deprovision OpenStack - Ironic API (service-group-member)': + command => "sm-deprovision service-group-member cloud-services ironic-api", + } -> + exec { 'Deprovision OpenStack - Ironic API (service)': + command => "sm-deprovision service ironic-api", + } -> + exec { 'Deprovision OpenStack - Ironic Conductor (service-group-member)': + command => "sm-deprovision service-group-member cloud-services ironic-conductor", + } -> + exec { 'Deprovision OpenStack - Ironic Conductor (service)': + command => "sm-deprovision service ironic-conductor", + } -> + exec { 'Deprovision OpenStack - Nova Compute (service-group-member)': + command => "sm-deprovision service-group-member cloud-services nova-compute", + } -> + exec { 'Deprovision OpenStack - Nova Compute (service)': + command => "sm-deprovision service nova-compute", + } -> + exec { 'Deprovision OpenStack - Nova Serialproxy (service-group-member)': + command => "sm-deprovision service-group-member cloud-services nova-serialproxy", + } -> + exec { 'Deprovision OpenStack - Nova Serialproxy (service)': + command => "sm-deprovision service nova-serialproxy", + } -> + exec { 'Provision Ironic TFTP Floating IP (service-group-member)': + command => "sm-deprovision service-group-member controller-services ironic-tftp-ip", + } -> + exec { 'Provision Ironic TFTP Floating IP (service)': + command => "sm-deprovision service ironic-tftp-ip", + } + } + + if $ceph_configured { + # Ceph-Rest-API + exec { 'Provision Ceph-Rest-Api (service-domain-member storage-services)': + command => "sm-provision 
service-domain-member controller storage-services", + } -> + exec { 'Provision Ceph-Rest-Api (service-group storage-services)': + command => "sm-provision service-group storage-services", + } -> + exec { 'Provision Ceph-Rest-Api (service-group-member ceph-rest-api)': + command => "sm-provision service-group-member storage-services ceph-rest-api", + } -> + exec { 'Provision Ceph-Rest-Api (service ceph-rest-api)': + command => "sm-provision service ceph-rest-api", + } -> + + # Ceph-Manager + exec { 'Provision Ceph-Manager (service-domain-member storage-monitoring-services)': + command => "sm-provision service-domain-member controller storage-monitoring-services", + } -> + exec { 'Provision Ceph-Manager service-group storage-monitoring-services)': + command => "sm-provision service-group storage-monitoring-services", + } -> + exec { 'Provision Ceph-Manager (service-group-member ceph-manager)': + command => "sm-provision service-group-member storage-monitoring-services ceph-manager", + } -> + exec { 'Provision Ceph-Manager in SM (service ceph-manager)': + command => "sm-provision service ceph-manager", + } + } + + # Ceph-Rados-Gateway + if $rgw_configured { + exec {'Provision Ceph-Rados-Gateway (service-group-member ceph-radosgw)': + command => "sm-provision service-group-member storage-monitoring-services ceph-radosgw" + } -> + exec { 'Provision Ceph-Rados-Gateway (service ceph-radosgw)': + command => "sm-provision service ceph-radosgw", + } + } + + if $ldapserver_remote { + # if remote LDAP server is configured, deprovision local openldap service. 
+ exec { 'Deprovision open-ldap service group member': + command => "/usr/bin/sm-deprovision service-group-member directory-services open-ldap", + } -> + exec { 'Deprovision open-ldap service': + command => "/usr/bin/sm-deprovision service open-ldap", + } + } + + if $::platform::params::distributed_cloud_role =='systemcontroller' { + exec { 'Provision distributed-cloud-services (service-domain-member distributed-cloud-services)': + command => "sm-provision service-domain-member controller distributed-cloud-services", + } -> + exec { 'Provision distributed-cloud-services (service-group distributed-cloud-services)': + command => "sm-provision service-group distributed-cloud-services", + } -> + exec { 'Provision DCManager-Manager (service-group-member dcmanager-manager)': + command => "sm-provision service-group-member distributed-cloud-services dcmanager-manager", + } -> + exec { 'Provision DCManager-Manager in SM (service dcmanager-manager)': + command => "sm-provision service dcmanager-manager", + } -> + exec { 'Provision DCManager-RestApi (service-group-member dcmanager-api)': + command => "sm-provision service-group-member distributed-cloud-services dcmanager-api", + } -> + exec { 'Provision DCManager-RestApi in SM (service dcmanager-api)': + command => "sm-provision service dcmanager-api", + } -> + exec { 'Provision DCOrch-Engine (service-group-member dcorch-engine)': + command => "sm-provision service-group-member distributed-cloud-services dcorch-engine", + } -> + exec { 'Provision DCOrch-Engine in SM (service dcorch-engine)': + command => "sm-provision service dcorch-engine", + } -> + exec { 'Provision DCOrch-Snmp (service-group-member dcorch-snmp)': + command => "sm-provision service-group-member distributed-cloud-services dcorch-snmp", + } -> + exec { 'Provision DCOrch-Snmp in SM (service dcorch-snmp)': + command => "sm-provision service dcorch-snmp", + } -> + exec { 'Provision DCOrch-Sysinv-Api-Proxy (service-group-member dcorch-sysinv-api-proxy)': + 
command => "sm-provision service-group-member distributed-cloud-services dcorch-sysinv-api-proxy", + } -> + exec { 'Provision DCOrch-Sysinv-Api-Proxy in SM (service dcorch-sysinv-api-proxy)': + command => "sm-provision service dcorch-sysinv-api-proxy", + } -> + exec { 'Provision DCOrch-Nova-Api-Proxy (service-group-member dcorch-nova-api-proxy)': + command => "sm-provision service-group-member distributed-cloud-services dcorch-nova-api-proxy", + } -> + exec { 'Provision DCOrch-Nova-Api-Proxy in SM (service dcorch-nova-api-proxy)': + command => "sm-provision service dcorch-nova-api-proxy", + } -> + exec { 'Provision DCOrch-Neutron-Api-Proxy (service-group-member dcorch-neutron-api-proxy)': + command => "sm-provision service-group-member distributed-cloud-services dcorch-neutron-api-proxy", + } -> + exec { 'Provision DCOrch-Neutron-Api-Proxy in SM (service dcorch-neutron-api-proxy)': + command => "sm-provision service dcorch-neutron-api-proxy", + } -> + exec { 'Provision DCOrch-Patch-Api-Proxy (service-group-member dcorch-patch-api-proxy)': + command => "sm-provision service-group-member distributed-cloud-services dcorch-patch-api-proxy", + } -> + exec { 'Provision DCOrch-Patch-Api-Proxy in SM (service dcorch-patch-api-proxy)': + command => "sm-provision service dcorch-patch-api-proxy", + } -> + exec { 'Configure Platform - DCManager-Manager': + command => "sm-configure service_instance dcmanager-manager dcmanager-manager \"\"", + } -> + exec { 'Configure OpenStack - DCManager-API': + command => "sm-configure service_instance dcmanager-api dcmanager-api \"\"", + } -> + exec { 'Configure OpenStack - DCOrch-Engine': + command => "sm-configure service_instance dcorch-engine dcorch-engine \"\"", + } -> + exec { 'Configure OpenStack - DCOrch-Snmp': + command => "sm-configure service_instance dcorch-snmp dcorch-snmp \"\"", + } -> + exec { 'Configure OpenStack - DCOrch-sysinv-api-proxy': + command => "sm-configure service_instance dcorch-sysinv-api-proxy 
dcorch-sysinv-api-proxy \"\"", + } -> + exec { 'Configure OpenStack - DCOrch-nova-api-proxy': + command => "sm-configure service_instance dcorch-nova-api-proxy dcorch-nova-api-proxy \"\"", + } -> + exec { 'Configure OpenStack - DCOrch-neutron-api-proxy': + command => "sm-configure service_instance dcorch-neutron-api-proxy dcorch-neutron-api-proxy \"\"", + } -> + exec { 'Configure OpenStack - DCOrch-patch-api-proxy': + command => "sm-configure service_instance dcorch-patch-api-proxy dcorch-patch-api-proxy \"\"", + } + if $cinder_service_enabled { + notice("Enable cinder-api-proxy") + exec { 'Provision DCOrch-Cinder-Api-Proxy (service-group-member dcorch-cinder-api-proxy)': + command => "sm-provision service-group-member distributed-cloud-services dcorch-cinder-api-proxy", + } -> + exec { 'Provision DCOrch-Cinder-Api-Proxy in SM (service dcorch-cinder-api-proxy)': + command => "sm-provision service dcorch-cinder-api-proxy", + } -> + exec { 'Configure OpenStack - DCOrch-cinder-api-proxy': + command => "sm-configure service_instance dcorch-cinder-api-proxy dcorch-cinder-api-proxy \"\"", + } + } + } +} + + +define platform::sm::restart { + exec {"sm-restart-${name}": + command => "sm-restart-safe service ${name}", + } +} + + +# WARNING: +# This should only be invoked in a standalone / simplex mode. +# It is currently used during infrastructure network post-install apply +# to ensure SM reloads the updated configuration after the manifests +# are applied. 
+# Semantic checks enforce the standalone condition (all hosts locked)
+class platform::sm::reload {
+
+ # Ensure service(s) are restarted before SM is restarted
+ Platform::Sm::Restart <| |> -> Class[$name]
+
+ exec { 'pmon-stop-sm':
+ command => 'pmon-stop sm'
+ } ->
+ file { '/var/run/sm/sm.db':
+ ensure => absent
+ } ->
+ exec { 'pmon-start-sm':
+ command => 'pmon-start sm'
+ }
+}
+
+
+class platform::sm::norestart::runtime {
+ include ::platform::sm
+}
+
+class platform::sm::runtime {
+ include ::platform::sm
+
+ class { 'platform::sm::reload':
+ stage => post,
+ }
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/snmp.pp b/puppet-manifests/src/modules/platform/manifests/snmp.pp
new file mode 100644
index 000000000..c5d0fad6d
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/snmp.pp
@@ -0,0 +1,28 @@
+class platform::snmp::params (
+ $community_strings = [],
+ $trap_destinations = [],
+ $system_name = '',
+ $system_location = '?',
+ $system_contact = '?',
+ $system_info = '',
+ $software_version = '',
+) { }
+
+class platform::snmp::runtime
+ inherits ::platform::snmp::params {
+
+ $software_version = $::platform::params::software_version
+ $system_info = $::system_info
+
+ file { "/etc/snmp/snmpd.conf":
+ ensure => 'present',
+ replace => true,
+ content => template('platform/snmpd.conf.erb')
+ } ->
+
+ # send HUP signal to snmpd if it is running
+ exec { 'notify-snmp':
+ command => "/usr/bin/pkill -HUP snmpd",
+ onlyif => "ps -ef | pgrep snmpd"
+ }
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/sysctl.pp b/puppet-manifests/src/modules/platform/manifests/sysctl.pp
new file mode 100644
index 000000000..c4e827901
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/sysctl.pp
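Review bot: `file { "/etc/snmp/snmpd.conf" }` in platform::snmp::runtime sets no `owner`, `group` or `mode`, yet the class receives `$community_strings`, so the rendered file — which presumably carries those strings — is created with whatever the agent's umask yields, commonly world-readable; add `owner => 'root', group => 'root', mode => '0600'` (or `0640` with the group snmpd runs as). The `onlyif => "ps -ef | pgrep snmpd"` on `notify-snmp` also does not do what it reads as: Puppet's default exec provider does not go through a shell, so the `|` appears to be handed to `ps` as an argument, and `pgrep` does not read stdin in any case. `onlyif => '/usr/bin/pgrep snmpd'` is the equivalent check; both `onlyif` and `command` need an absolute path or a `path` attribute, which `command` already has.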
@@ -0,0 +1,140 @@ +class platform::sysctl::params ( + $ip_forwarding = false, + $ip_version = $::platform::params::ipv4, + $low_latency = false, +) inherits ::platform::params {} + + +class platform::sysctl + inherits ::platform::sysctl::params { + + # Increase min_free_kbytes to 128 MiB from 88 MiB, helps prevent OOM + sysctl::value { 'vm.min_free_kbytes': + value => '131072' + } + + # Set sched_nr_migrate to standard linux default + sysctl::value { 'kernel.sched_nr_migrate': + value => '8', + } + + # Tuning options for low latency compute + if $low_latency { + # Increase VM stat interval + sysctl::value { 'vm.stat_interval': + value => '10', + } + + # Disable timer migration + sysctl::value { 'kernel.timer_migration': + value => '0', + } + + # Disable RT throttling + sysctl::value { 'kernel.sched_rt_runtime_us': + value => '1000000', + } + } else { + # Disable NUMA balancing + sysctl::value { 'kernel.numa_balancing': + value => '0', + } + } +} + + +class platform::sysctl::controller + inherits ::platform::sysctl::params { + + include ::platform::sysctl + + # Engineer VM page cache tunables to prevent significant IO delays that may + # occur if we flush a buildup of dirty pages. Engineer VM settings to make + # writebacks more regular. Note that Linux default proportion of page cache that + # can be dirty is rediculously large for systems > 8GB RAM, and can result in + # many seconds of IO wait, especially if GBs of dirty pages are written at once. + # Note the following settings are currently only applied to controller, + # though these are intended to be applicable to all blades. For unknown reason, + # there was negative impact to VM traffic on computes. 
+ + # dirty_background_bytes limits magnitude of pending IO, so + # choose setting of 3 seconds dirty holding x 200 MB/s write speed (SSD) + sysctl::value { 'vm.dirty_background_bytes': + value => '600000000' + } + + # dirty_ratio should be larger than dirty_background_bytes, set 1.3x larger + sysctl::value { 'vm.dirty_bytes': + value => '800000000' + } + + # prefer reclaim of dentries and inodes, set larger than default of 100 + sysctl::value { 'vm.vfs_cache_pressure': + value => '500' + } + + # reduce dirty expiry to 10s from default 30s + sysctl::value { 'vm.dirty_expire_centisecs': + value => '1000' + } + + # reduce dirty writeback to 1s from default 5s + sysctl::value { 'vm.dirty_writeback_centisecs': + value => '100' + } + + # Setting max to 160 MB to support more connections + # When increasing postgres connections, add 7.5 MB for every 100 connections + sysctl::value { 'kernel.shmmax': + value => '167772160' + } + + if $ip_forwarding { + + if $ip_version == $::platform::params::ipv6 { + # sysctl does not support ipv6 rp_filter + sysctl::value { 'net.ipv6.conf.all.forwarding': + value => '1' + } + + } else { + sysctl::value { 'net.ipv4.ip_forward': + value => '1' + } + + sysctl::value { 'net.ipv4.conf.default.rp_filter': + value => '0' + } + + sysctl::value { 'net.ipv4.conf.all.rp_filter': + value => '0' + } + + # If this manifest is applied without rebooting the controller, as is done + # when config_controller is run, any existing interfaces will not have + # their rp_filter setting changed. This is because the kernel uses a MAX + # of the 'all' setting (which is now 0) and the current setting for the + # interface (which will be 1). When a blade is rebooted, the interfaces + # come up with the new 'default' setting so all is well. 
+ exec { 'Clear rp_filter for existing interfaces':
+ path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+ command => "bash -c 'for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > \$f; done'",
+ }
+ }
+ }
+}
+
+
+class platform::sysctl::compute {
+ include ::platform::sysctl
+}
+
+
+class platform::sysctl::storage {
+ include ::platform::sysctl
+}
+
+
+class platform::sysctl::controller::runtime {
+ include ::platform::sysctl::controller
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/sysinv.pp b/puppet-manifests/src/modules/platform/manifests/sysinv.pp
new file mode 100644
index 000000000..82ee63752
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/sysinv.pp
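Review bot: The `Clear rp_filter for existing interfaces` exec has no `unless`, `onlyif` or `refreshonly`, so it runs on every agent run and is reported as a change each time even when every interface already reads 0, while the surrounding `sysctl::value` resources are idempotent. Gating it on current state keeps runs quiet, e.g. `unless => "bash -c '! grep -qv 0 /proc/sys/net/ipv4/conf/*/rp_filter'"` (constructed, untested), or `refreshonly => true` with `subscribe => Sysctl::Value['net.ipv4.conf.all.rp_filter']`. Note also that setting `all`/`default` rp_filter to 0 disables reverse-path source validation on every interface of a forwarding controller, not only the ones that need it; if the requirement is asymmetric routing on some interfaces, loose mode (`2`) or per-interface values would be narrower, and the comment above the block should state that trade-off either way.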
@@ -0,0 +1,156 @@ +class platform::sysinv::params ( + $api_port = 6385, + $region_name = undef, + $service_create = false, +) { } + +class platform::sysinv + inherits ::platform::sysinv::params { + + Anchor['platform::services'] -> Class[$name] + + include ::platform::params + include ::platform::amqp::params + + # sysinv-agent is started on all hosts + include ::sysinv::agent + + group { 'sysinv': + ensure => 'present', + gid => '168', + } -> + + user { 'sysinv': + ensure => 'present', + comment => 'sysinv Daemons', + gid => '168', + groups => ['nobody', 'sysinv', 'wrs_protected'], + home => '/var/lib/sysinv', + password => '!!', + password_max_age => '-1', + password_min_age => '-1', + shell => '/sbin/nologin', + uid => '168', + } -> + + file { "/etc/sysinv": + ensure => "directory", + owner => 'sysinv', + group => 'sysinv', + mode => '0750', + } -> + + class { '::sysinv': + rabbit_host => $::platform::amqp::params::host_url, + rabbit_port => $::platform::amqp::params::port, + rabbit_userid => $::platform::amqp::params::auth_user, + rabbit_password => $::platform::amqp::params::auth_password, + } + + # Note: The log format strings are prefixed with "sysinv" because it is + # interpreted as the program by syslog-ng, which allows the sysinv logs to be + # filtered and directed to their own file. 
+ + # TODO(mpeters): update puppet-sysinv to permit configuration of log formats + # once the log configuration has been moved to oslo::log + sysinv_config { + "DEFAULT/logging_context_format_string": value => + 'sysinv %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s'; + "DEFAULT/logging_default_format_string": value => + 'sysinv %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s'; + } + + $sysinv_db_connection = $::sysinv::database_connection + file { "/etc/fm.conf": + ensure => 'present', + content => template('platform/fm.conf.erb'), + } + + if str2bool($::is_initial_config_primary) { + $software_version = $::platform::params::software_version + + Class['::sysinv'] -> + + file { '/opt/platform/sysinv': + ensure => directory, + owner => 'sysinv', + mode => '0755', + } -> + + file { "/opt/platform/sysinv/${software_version}": + ensure => directory, + owner => 'sysinv', + mode => '0755', + } -> + + file { "/opt/platform/sysinv/${software_version}/sysinv.conf.default": + source => '/etc/sysinv/sysinv.conf', + } + } +} + + +class platform::sysinv::conductor { + + Class['::platform::drbd::platform'] -> Class[$name] + + include ::sysinv::conductor +} + + +class platform::sysinv::firewall + inherits ::platform::sysinv::params { + + platform::firewall::rule { 'sysinv-api': + service_name => 'sysinv', + ports => $api_port, + } +} + + +class platform::sysinv::haproxy + inherits ::platform::sysinv::params { + + platform::haproxy::proxy { 'sysinv-restapi': + server_name => 's-sysinv', + public_port => $api_port, + private_port => $api_port, + } +} + + +class platform::sysinv::api + inherits ::platform::sysinv::params { + + include ::platform::params + include ::sysinv::api + + if ($::platform::sysinv::params::service_create and + $::platform::params::init_keystone) { + include ::sysinv::keystone::auth + } + + # TODO(mpeters): move to sysinv puppet module parameters + 
sysinv_config { + "DEFAULT/sysinv_api_workers": value => $::platform::params::eng_workers_by_5; + } + + include ::platform::sysinv::firewall + include ::platform::sysinv::haproxy +} + + +class platform::sysinv::bootstrap { + include ::sysinv::db::postgresql + include ::sysinv::keystone::auth + + include ::platform::sysinv + + class { '::sysinv::api': + enabled => true + } + + class { '::sysinv::conductor': + enabled => true + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/users.pp b/puppet-manifests/src/modules/platform/manifests/users.pp new file mode 100644 index 000000000..5f0c2fe6f --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/users.pp 
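Review bot: `file { "/etc/fm.conf" }` in platform::sysinv sets no `owner`, `group` or `mode`, and its template writes `sql_connection=<%= @sysinv_db_connection %>` — a database URL that normally embeds the database credentials — so the file lands with default permissions (typically 0644, world-readable) right next to `/etc/sysinv`, which the same class deliberately makes `0750`. Add `owner => 'root'`, the group the fmManager process runs as, and `mode => '0640'`. The same applies to `/opt/platform/sysinv/${software_version}/sysinv.conf.default`, which copies `/etc/sysinv/sysinv.conf` (presumably containing the rabbit credentials passed into `::sysinv` above) with no `mode`; `mode => '0600'` alongside the existing `owner => 'sysinv'` matches the intent of the source directory.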
@@ -0,0 +1,72 @@
+class platform::users::params (
+ $wrsroot_password = undef,
+ $wrsroot_password_max_age = undef,
+) {}
+
+
+class platform::users
+ inherits ::platform::users::params {
+
+ include ::platform::params
+
+ group { 'wrs':
+ ensure => 'present',
+ } ->
+
+ # WRS: Create a 'wrs_protected' group for wrsroot and all openstack services
+ # (including TiS services: sysinv, etc.).
+ group { $::platform::params::protected_group_name:
+ ensure => 'present',
+ gid => $::platform::params::protected_group_id,
+ } ->
+
+ user { 'wrsroot':
+ ensure => 'present',
+ groups => ['wrs', 'root', $::platform::params::protected_group_name],
+ home => '/home/wrsroot',
+ password => $wrsroot_password,
+ password_max_age => $wrsroot_password_max_age,
+ shell => '/bin/sh',
+ } ->
+
+ # WRS: Keyring should only be executable by 'wrs_protected'.
+ file { '/usr/bin/keyring':
+ owner => 'root',
+ group => $::platform::params::protected_group_name,
+ mode => '0750',
+ }
+}
+
+
+class platform::users::bootstrap
+ inherits ::platform::users::params {
+
+ include ::platform::params
+
+ group { 'wrs':
+ ensure => 'present',
+ } ->
+
+ group { $::platform::params::protected_group_name:
+ ensure => 'present',
+ gid => $::platform::params::protected_group_id,
+ } ->
+
+ user { 'wrsroot':
+ ensure => 'present',
+ groups => ['wrs', 'root', $::platform::params::protected_group_name],
+ home => '/home/wrsroot',
+ password_max_age => $wrsroot_password_max_age,
+ shell => '/bin/sh',
+ }
+}
+
+
+class platform::users::runtime {
+ include ::platform::users
+}
+
+class platform::users::upgrade {
+ include ::platform::users
+}
+
diff --git a/puppet-manifests/src/modules/platform/manifests/vswitch.pp b/puppet-manifests/src/modules/platform/manifests/vswitch.pp
new file mode 100644
index 000000000..79e502f31
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/vswitch.pp
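Review bot: `platform::users::bootstrap` re-declares the `wrs` group, the protected group and the `wrsroot` user with the same attributes as `platform::users`, differing only in the omitted `password`; two copies of the same account definition tend to drift (a later change to `groups` or `shell` in one but not the other). A single class with a `$manage_password = true` toggle, or a define both classes call, would give one source of truth — which matters here because `wrsroot` is being placed in group `root`, a decision that should be reviewable in exactly one place. Separately, `file { '/usr/bin/keyring' }` carries no `ensure`, so if the binary is absent the `0750`/protected-group restriction the comment describes is, as far as I can tell, quietly not applied rather than reported; `ensure => file` makes the expectation explicit.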
@@ -0,0 +1,35 @@
+class platform::vswitch {
+
+ Class[$name] -> Class['::platform::network']
+
+ include ::platform::vswitch::ovsdb
+}
+
+
+class platform::vswitch::ovsdb {
+ include ::platform::params
+
+ if $::platform::params::sdn_enabled {
+ $pmon_ensure = 'link'
+ $service_ensure = 'running'
+ } else {
+ $pmon_ensure = 'absent'
+ $service_ensure = 'stopped'
+ }
+
+ # ensure pmon soft link
+ file { "/etc/pmon.d/ovsdb-server.conf":
+ ensure => $pmon_ensure,
+ target => "/etc/openvswitch/ovsdb-server.pmon.conf",
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+
+ # service management (start ovsdb-server)
+ service { "openvswitch":
+ ensure => $service_ensure,
+ enable => $::platform::params::sdn_enabled,
+ }
+
+}
diff --git a/puppet-manifests/src/modules/platform/templates/ceph.journal.location.erb b/puppet-manifests/src/modules/platform/templates/ceph.journal.location.erb
new file mode 100644
index 000000000..ed33fb9d9
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/ceph.journal.location.erb
@@ -0,0 +1 @@
+/usr/sbin/ceph-manage-journal location '{"osdid": <%= @osd_id %>, "journal_path": "<%= @journal_path %>", "data_path": "<%= @data_path %>"}'
\ No newline at end of file
diff --git a/puppet-manifests/src/modules/platform/templates/ceph.journal.partitions.erb b/puppet-manifests/src/modules/platform/templates/ceph.journal.partitions.erb
new file mode 100644
index 000000000..c3e63a8a9
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/ceph.journal.partitions.erb
@@ -0,0 +1 @@
+/usr/sbin/ceph-manage-journal partitions '{"disk_path": "<%= @disk_path %>", "journals": <%= @journal_sizes %>}'
\ No newline at end of file
diff --git a/puppet-manifests/src/modules/platform/templates/dhclient.conf.erb b/puppet-manifests/src/modules/platform/templates/dhclient.conf.erb
new file mode 100644
index 000000000..e512924b2
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/dhclient.conf.erb
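Review bot: `mode => '0755'` on `/etc/pmon.d/ovsdb-server.conf` gives a configuration file the execute bit for no reason the `# ensure pmon soft link` comment states; `0644` is the usual mode for a pmon conf, and nothing in this class needs it executable. Since the resource is `ensure => 'link'`, a mode on a symlink is not meaningful on Linux anyway, and depending on Puppet's `links` handling the value is either ignored or applied to the target `/etc/openvswitch/ovsdb-server.pmon.conf`, a file this class does not otherwise own — so at best it is a no-op and at worst a surprise for whoever manages that file. Either drop `mode` here or state in the comment that the target's mode is intentionally managed from this resource.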
@@ -0,0 +1,27 @@
+option wrs-install-uuid code 224 = string;
+option dhcp6.wrs-install-uuid code 224 = string;
+request subnet-mask, broadcast-address, time-offset, routers,
+ domain-name, domain-name-servers, host-name, wrs-install-uuid,
+ dhcp6.wrs-install-uuid, netbios-name-servers, netbios-scope,
+ interface-mtu, dhcp6.domain-name-servers;
+
+timeout 30;
+
+# Changed for CGCS to improve Dead Office Recovery (DOR behavior)
+retry 5;
+
+# By default, use a hardware address based client-id for both IPv4 and IPv6.
+# We change this via puppet to ensure that interfaces that share the same MAC
+# are not using the same client-id value.
+send dhcp6.client-id = concat(00:03:00, hardware);
+send dhcp-client-identifier = concat(00:03:00, hardware);
+
+<%- if @infra_client_id != nil -%>
+interface "<%= @infra_interface %>" {
+<%- if @infra_subnet_version == 4 -%>
+ send dhcp-client-identifier <%= @infra_client_id %>;
+<%- else -%>
+ send dhcp6.client-id <%= @infra_client_id %>;
+<%- end -%>
+}
+<%- end -%>
diff --git a/puppet-manifests/src/modules/platform/templates/dnsmasq.conf.erb b/puppet-manifests/src/modules/platform/templates/dnsmasq.conf.erb
new file mode 100644
index 000000000..a4693ed9a
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/dnsmasq.conf.erb
@@ -0,0 +1,121 @@ +# Only listen on the following interfaces +<%- if @pxeboot_interface != nil -%> +interface=<%= @pxeboot_interface %> +<%- end -%> +interface=<%= @mgmt_interface %> +<%- if @infra_interface != nil -%> +interface=<%= @infra_interface %> +<%- end -%> +<%- if @ironic_tftp_interface != nil -%> +interface=<%= @ironic_tftp_interface %> +<%- end -%> +bind-interfaces + +# Serve addresses from the pxeboot subnet +dhcp-range=set:pxeboot,<%= @pxeboot_subnet_start %>,<%= @pxeboot_subnet_end %>,<%= @pxeboot_subnet_netmask %>,1h + +# Serve addresses from the management subnet +dhcp-range=set:mgmt,<%= @mgmt_subnet_start %>,static,<%= @mgmt_subnet_netmask %>,1d + +<%- if @mgmt_subnet_version == 4 -%> +<%- if @mgmt_gateway_address != nil -%> +dhcp-option=tag:mgmt,option:router,<%= @mgmt_gateway_address %> +<%- else -%> +# Use the floating controller address as the default route +dhcp-option=tag:mgmt,option:router,<%= @mgmt_controller_address %> +<%- end -%> +<%- end -%> + +# Provide DNS services on the floating pxeboot address +dhcp-option=tag:pxeboot,option:dns-server,<%= @pxeboot_controller_address %> + +<%- if @mgmt_subnet_version == 4 -%> +# Provide DNS services on the floating management address +dhcp-option=tag:mgmt,option:dns-server,<%= @mgmt_controller_address %> +dhcp-option=tag:mgmt,option:mtu,<%= @mgmt_network_mtu %> +<%- else -%> +dhcp-option=tag:mgmt,option6:dns-server,[<%= @mgmt_controller_address %>] +<%- end -%> + +<%- if @infra_interface != nil -%> +# Serve addresses from the infrastructure subnet +dhcp-range=set:infra,<%= @infra_subnet_start %>,static,<%= @infra_subnet_netmask %>,1d + +# Provide DNS services on the floating infrastructure address +<%- if @infra_subnet_version == 4 -%> +dhcp-option=tag:infra,option:dns-server +dhcp-option=tag:infra,option:router +dhcp-option=tag:infra,option:mtu,<%= @infra_network_mtu %> +<%- else -%> +dhcp-option=tag:infra,option6:dns-server +<%- end -%> +<%- end -%> + +# Provide private option 224 as 
install_uuid +dhcp-option=224,<%= @install_uuid %> +dhcp-option=option6:224,<%= @install_uuid %> + +# Configure PXE boot + +# Enable UEFI support +# We use a different bootloader if the client is configured +# to UEFI vs BIOS (Legacy) +# Type Architecture Name +# ---- ----------------- +# 0 Intel x86PC +# 1 NEC/PC98 +# 2 EFI Itanium +# 3 DEC Alpha +# 4 Arc x86 +# 5 Intel Lean Client +# 6 EFI IA32 +# 7 EFI BC (EFI Byte Code) +# 8 EFI Xscale +# 9 EFI x86-64 +# +dhcp-match=set:efi,option:client-arch,2 +dhcp-match=set:efi,option:client-arch,6 +dhcp-match=set:efi,option:client-arch,7 +dhcp-match=set:efi,option:client-arch,8 +dhcp-match=set:efi,option:client-arch,9 +dhcp-match=set:bios,option:client-arch,0 +dhcp-match=set:bios,option:client-arch,1 +dhcp-match=set:bios,option:client-arch,3 +dhcp-match=set:bios,option:client-arch,4 +dhcp-match=set:bios,option:client-arch,5 + +# TFTP support +enable-tftp +tftp-max=200 +<%- if @pxeboot_interface != nil -%> +tftp-root=/pxeboot,<%= @pxeboot_interface %> +<%- else -%> +tftp-root=/pxeboot,<%= @mgmt_interface %> +<%- end -%> +<%- if @ironic_tftp_interface != nil -%> +tftp-root=<%= @ironic_tftpboot_dir %>,<%= @ironic_tftp_interface %> +<%- end -%> + +dhcp-boot=tag:bios,tag:pxeboot,pxelinux.0,<%= @pxeboot_hostname %>,<%= @pxeboot_controller_address %> +dhcp-boot=tag:bios,tag:mgmt,pxelinux.0,<%= @mgmt_hostname %>,<%= @mgmt_controller_address %> + +dhcp-boot=tag:efi,tag:pxeboot,EFI/grubx64.efi,<%= @pxeboot_hostname %>,<%= @pxeboot_controller_address %> +dhcp-boot=tag:efi,tag:mgmt,EFI/grubx64.efi,<%= @mgmt_hostname %>,<%= @mgmt_controller_address %> + +# Do not forward queries for plain names (no dots) +domain-needed +local=// +port=53 +bogus-priv +clear-on-reload +user=root + +# Invoke this script for each lease +dhcp-script=/usr/bin/sysinv-dnsmasq-lease-update + +# Dynamic files are located on a replicated filesystem +dhcp-hostsfile=<%= @config_path %>/dnsmasq.hosts +dhcp-leasefile=<%= @config_path %>/dnsmasq.leases +addn-hosts=<%= 
@config_path %>/dnsmasq.addn_hosts
+# File for distributed cloud subcloud ip translation
+addn-hosts=<%= @config_path %>/dnsmasq.addn_hosts_dc
diff --git a/puppet-manifests/src/modules/platform/templates/fm.conf.erb b/puppet-manifests/src/modules/platform/templates/fm.conf.erb
new file mode 100644
index 000000000..f6f418da4
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/fm.conf.erb
@@ -0,0 +1,9 @@
+###################################################
+#
+# fm.conf
+#
+# The configuration file for the fmManager process.
+#
+###################################################
+event_log_max_size=4000
+sql_connection=<%= @sysinv_db_connection %>
diff --git a/puppet-manifests/src/modules/platform/templates/ldap.conf.erb b/puppet-manifests/src/modules/platform/templates/ldap.conf.erb
new file mode 100644
index 000000000..8f8878602
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/ldap.conf.erb
@@ -0,0 +1,11 @@
+#
+# LDAP Defaults
+#
+#
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+#
+BASE dc=cgcs,dc=local
+URI ldap://<%= @ldapserver_host %>
+pam_lookup_policy yes
+sudoers_base ou=SUDOers,dc=cgcs,dc=local
diff --git a/puppet-manifests/src/modules/platform/templates/lldp.conf.erb b/puppet-manifests/src/modules/platform/templates/lldp.conf.erb
new file mode 100644
index 000000000..0df6469d4
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/lldp.conf.erb
@@ -0,0 +1,4 @@
+configure system hostname '<%= @hostname %>:<%= @system %>'
+configure system description 'Titanium Cloud version <%= @version %>'
+configure lldp tx-interval <%= @tx_interval %>
+configure lldp tx-hold <%= @tx_hold %>
diff --git a/puppet-manifests/src/modules/platform/templates/nslcd.conf.erb b/puppet-manifests/src/modules/platform/templates/nslcd.conf.erb
new file mode 100644
index 000000000..eff746863
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/nslcd.conf.erb
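Review bot: `user=root` in dnsmasq.conf.erb keeps a daemon that serves DHCP, DNS and TFTP on the management and pxeboot interfaces running with full privileges, instead of the unprivileged account dnsmasq normally drops to after binding its sockets. The `dhcp-script=/usr/bin/sysinv-dnsmasq-lease-update` line does not require it: as I understand dnsmasq, the lease-change helper is forked before privileges are dropped and runs as root regardless of `user=` (tunable with `dhcp-scriptuser`). If `user=root` is there for read access to the files under `<%= @config_path %>` or `/pxeboot`, group-readable permissions on those paths would be the narrower fix; failing that, a comment such as `# user=root required because: REASON_PLACEHOLDER` above the line records the constraint for the next reader.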
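Review bot: `URI ldap://<%= @ldapserver_host %>` in ldap.conf.erb selects plain LDAP with no `ldaps://` or `TLS_REQCERT`, and the manifest earlier on this page (`if $ldapserver_remote`) deprovisions the local `open-ldap` service precisely when the server is remote — in that configuration every lookup, and the `bindpw` that the nslcd template below emits when `@bind_anonymous` is not true, crosses the network unencrypted. If the remote-server case is meant to be supported, the template should emit `ldaps://` (or nslcd.conf should enable the `ssl start_tls` / `tls_reqcert` options it currently lists commented out) keyed on the same condition; at minimum the header comment should state that the plaintext URI assumes a loopback server.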
@@ -0,0 +1,146 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+#
+# The user and group nslcd should run as.
+#
+uid nslcd
+gid ldap
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+# uri ldap://127.0.0.1/
+# uri ldaps://127.0.0.1/
+# uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+# uri ldap://127.0.0.1/
+#
+uri ldap://<%= @ldapserver_host %>
+
+# The distinguished name of the search base.
+base dc=cgcs,dc=local
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+# binddn cn=ldapadmin,dc=cgcs,dc=local
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+# bindpw secretpw
+<%- if @bind_anonymous != true -%>
+binddn cn=ldapadmin,dc=cgcs,dc=local
+bindpw <%= @admin_pw %>
+<%- end -%>
+
+# The distinguished name to perform password modifications by root by.
+rootpwmoddn cn=ldapadmin,dc=cgcs,dc=local
+
+# The default search scope.
+#scope sub
+#scope one
+#scope base
+
+# Customize certain database lookups.
+#base group ou=Groups,dc=example,dc=com
+#base passwd ou=People,dc=example,dc=com
+#base shadow ou=People,dc=example,dc=com
+#scope group onelevel
+#scope hosts sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+#timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate. 
+#ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+#tls_cacertdir /etc/ssl/certs
+#tls_cacertfile /etc/ssl/ca.cert
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map passwd uid msSFU30Name
+#map passwd userPassword msSFU30Password
+#map passwd homeDirectory msSFU30HomeDirectory
+#map passwd homeDirectory msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map shadow uid msSFU30Name
+#map shadow userPassword msSFU30Password
+#filter group (objectClass=Group)
+#map group member msSFU30PosixMember
+
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map passwd uid msSFUName
+#map passwd userPassword msSFUPassword
+#map passwd homeDirectory msSFUHomeDirectory
+#map passwd gecos msSFUName
+#filter shadow (objectClass=User)
+#map shadow uid msSFUName
+#map shadow userPassword msSFUPassword
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=Group)
+#map group member posixMember
+
+# Mappings for Active Directory
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map passwd uid sAMAccountName
+#map passwd homeDirectory unixHomeDirectory
+#map passwd gecos displayName
+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map shadow uid sAMAccountName
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=group)
+
+# Alternative mappings for Active Directory
+# (replace the SIDs in the objectSid mappings with the value for your domain)
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd 
(&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
+#map passwd uid cn
+#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd homeDirectory "/home/$cn"
+#map passwd gecos displayName
+#map passwd loginShell "/bin/bash"
+#filter group (|(objectClass=group)(objectClass=person))
+#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map passwd uid userName
+#map passwd userPassword passwordChar
+#map passwd uidNumber uid
+#map passwd gidNumber gid
+#filter group (objectClass=aixAccessGroup)
+#map group cn groupName
+#map group gidNumber gid
+# This comment prevents repeated auto-migration of settings.
+
diff --git a/puppet-manifests/src/modules/platform/templates/ntp.conf.client.erb b/puppet-manifests/src/modules/platform/templates/ntp.conf.client.erb
new file mode 100644
index 000000000..a7e604b54
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/ntp.conf.client.erb
@@ -0,0 +1,19 @@
+driftfile /var/lib/ntp/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict -6 ::1
+
+# Use orphan mode if external servers are unavailable (or not configured)
+tos orphan 12
+
+<%- scope['platform::ntp::servers'].each do |server| -%>
+server <%= server %>
+<%- end -%>
diff --git a/puppet-manifests/src/modules/platform/templates/ntp.conf.server.erb b/puppet-manifests/src/modules/platform/templates/ntp.conf.server.erb
new file mode 100644
index 000000000..427b72b39
--- /dev/null 
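Review bot: `<%- if @bind_anonymous != true -%>` only suppresses the credential block when the parameter is the boolean `true`; if @bind_anonymous arrives as the string `"true"` (easy when it comes through hiera or a fact), the comparison still holds and `bindpw <%= @admin_pw %>` is written even though anonymous binding was requested. A string-tolerant guard is `<%- unless @bind_anonymous.to_s == 'true' -%>`. The template's own comment says file permissions must be checked once a bindpw is set, but the `file` resource that renders this template is outside the hunk, so the mode cannot be verified here; a comment beside the bindpw line (`# the rendered file carries the ldapadmin password and must not be world-readable`) would make that requirement explicit for the manifest author.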
+++ b/puppet-manifests/src/modules/platform/templates/ntp.conf.server.erb
@@ -0,0 +1,26 @@
+driftfile /var/lib/ntp/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict -6 ::1
+
+# orphan - Use orphan mode if external servers are unavailable (or not configured).
+# minclock - Prevent clustering algorithm from casting out any outlyers by setting
+# minclock to the maximum number of ntp servers that can be configured
+# (3 external plus peer controller). Default value is 3.
+tos orphan 12 minclock 4
+
+# Use the other controller node as a peer, this is especially important if
+# there are no external servers
+peer <%= @peer_server %>
+
+<%- scope['platform::ntp::servers'].each do |server| -%>
+server <%= server %>
+<%- end -%>
diff --git a/puppet-manifests/src/modules/platform/templates/ntp.override.erb b/puppet-manifests/src/modules/platform/templates/ntp.override.erb
new file mode 100644
index 000000000..a981340eb
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/ntp.override.erb
@@ -0,0 +1,4 @@
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/ntpd -g -q -n -c /etc/ntp_initial.conf
+TimeoutStartSec=<%= @ntpdate_timeout %>
diff --git a/puppet-manifests/src/modules/platform/templates/ntp_initial.conf.client.erb b/puppet-manifests/src/modules/platform/templates/ntp_initial.conf.client.erb
new file mode 100644
index 000000000..a55ebe22d
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/ntp_initial.conf.client.erb 
@@ -0,0 +1,5 @@
+# This config file is used for the initial ntpd execution that will be used
+# to set the time when a node is first booted.
+<%- scope['platform::ntp::servers'].each do |server| -%>
+server <%= server %>
+<%- end -%>
diff --git a/puppet-manifests/src/modules/platform/templates/ntp_initial.conf.server.erb b/puppet-manifests/src/modules/platform/templates/ntp_initial.conf.server.erb
new file mode 100644
index 000000000..cdfe4ec2a
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/ntp_initial.conf.server.erb
@@ -0,0 +1,9 @@
+# This config file is used for the initial ntpd execution that will be used
+# to set the time when a node is first booted.
+<%- scope['platform::ntp::servers'].each do |server| -%>
+server <%= server %>
+<%- end -%>
+
+# Use the other controller node for initial time synchronization in case
+# none of the external servers are available.
+server <%= @peer_server %>
diff --git a/puppet-manifests/src/modules/platform/templates/pam.passwd.erb b/puppet-manifests/src/modules/platform/templates/pam.passwd.erb
new file mode 100644
index 000000000..f53499243
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/pam.passwd.erb
@@ -0,0 +1,5 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+password include common-password
diff --git a/puppet-manifests/src/modules/platform/templates/partitions.manage.erb b/puppet-manifests/src/modules/platform/templates/partitions.manage.erb
new file mode 100644
index 000000000..d633db2ed
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/partitions.manage.erb 
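Review bot: ntp_initial.conf.client.erb contains no `restrict` lines, so the `ntpd -g -q -n -c /etc/ntp_initial.conf` run started from ntp.override.erb appears to bind UDP/123 with ntpd's built-in default of unrestricted access for as long as the bootstrap step takes (bounded by @ntpdate_timeout), whereas the regular ntp.conf.client.erb locks the daemon down. Copying `restrict default kod nomodify notrap nopeer noquery` and `restrict -6 default kod nomodify notrap nopeer noquery` plus the two loopback `restrict` lines into this template costs nothing and keeps the bootstrap run from being queried or modified over the network. ntp_initial.conf.server.erb, the next hunk, has the same gap.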
@@ -0,0 +1,49 @@
+/bin/true # puppet requires this for correct template parsing
+
+<% if @shutdown_drbd_resource and (@is_controller_active.to_s == 'false' or @system_mode == 'simplex') -%>
+sm-unmanage service <%= @shutdown_drbd_resource %>
+
+<% if @shutdown_drbd_resource == 'drbd-cinder' and @system_mode == 'simplex' -%>
+sm-unmanage service cinder-lvm
+targetctl clear || exit 5
+lvchange -an cinder-volumes || exit 10
+vgchange -an cinder-volumes || exit 20
+drbdadm secondary drbd-cinder || exit 30
+<% end -%>
+
+DRBD_UNCONFIGURED_TIMEOUT=180
+DRBD_UNCONFIGURED_DELAY=0
+while [[ $DRBD_UNCONFIGURED_DELAY -lt $DRBD_UNCONFIGURED_TIMEOUT ]]; do
+ drbdadm down <%= @shutdown_drbd_resource %>
+ drbd_info=$(drbd-overview | grep <%= @shutdown_drbd_resource %> | awk '{print $2}')
+
+ if [[ ${drbd_info} == "Unconfigured" ]]; then
+ break
+ else
+ sleep 2
+ DRBD_UNCONFIGURED_DELAY=$((DRBD_UNCONFIGURED_DELAY + 2))
+ fi
+done
+
+if [[ DRBD_UNCONFIGURED_DELAY -eq DRBD_UNCONFIGURED_TIMEOUT ]]; then
+ exit 40
+fi
+
+<% end -%>
+
+manage-partitions <%= @action %> '<%= @config %>'
+
+<% if @shutdown_drbd_resource and (@is_controller_active.to_s == 'false' or @system_mode == 'simplex') -%>
+drbdadm up <%= @shutdown_drbd_resource %> || exit 30
+
+<% if @shutdown_drbd_resource == 'drbd-cinder' and @system_mode == 'simplex' -%>
+drbdadm primary drbd-cinder || exit 50
+vgchange -ay cinder-volumes || exit 60
+lvchange -ay cinder-volumes || exit 70
+targetctl restore || exit 75
+sm-manage service <%= @shutdown_drbd_resource %>
+sm-manage service cinder-lvm
+<% end -%>
+
+sm-manage service <%= @shutdown_drbd_resource %>
+<% end -%>
diff --git a/puppet-manifests/src/modules/platform/templates/resolv.conf.erb b/puppet-manifests/src/modules/platform/templates/resolv.conf.erb
new file mode 100644
index 000000000..c182dfa51
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/resolv.conf.erb 
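Review bot: `manage-partitions <%= @action %> '<%= @config %>'` drops @config into a single-quoted shell word with no escaping, so any `'` inside the serialized config terminates the quote and the shell parses the remainder as more command line instead of passing it through as data. Escaping at render time keeps the argument intact: `manage-partitions <%= @action %> '<%= @config.to_s.gsub("'") { "'\\''" } %>'`. In the wait loop, `grep <%= @shutdown_drbd_resource %>` is unanchored, so a second DRBD resource whose name contains this one would make `drbd_info` multi-line and the `"Unconfigured"` comparison could never succeed; `grep -w` or matching on the exact resource column would close that. `drbdadm secondary drbd-cinder || exit 30` and `drbdadm up <%= @shutdown_drbd_resource %> || exit 30` share an exit code, so a caller cannot tell which step failed. `if [[ DRBD_UNCONFIGURED_DELAY -eq DRBD_UNCONFIGURED_TIMEOUT ]]` only works because `[[ -eq ]]` evaluates bare names arithmetically; writing `$DRBD_UNCONFIGURED_DELAY -eq $DRBD_UNCONFIGURED_TIMEOUT` as the loop condition does would be consistent.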
@@ -0,0 +1,3 @@
+<%- scope['platform::dns::resolv::servers'].each do |server| -%>
+nameserver <%= server %>
+<%- end -%>
diff --git a/puppet-manifests/src/modules/platform/templates/snmpd.conf.erb b/puppet-manifests/src/modules/platform/templates/snmpd.conf.erb
new file mode 100644
index 000000000..7acfcb8c4
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/templates/snmpd.conf.erb
@@ -0,0 +1,33 @@
+###########################################################################
+#
+# snmpd.conf
+#
+# - This file is managed by Puppet. DO NOT EDIT.
+#
+###########################################################################
+# incl/excl subtree mask
+view all included .1 80
+
+sysDescr <%= @software_version %> <%= @system_info %>
+sysObjectID 1.3.6.1.4.1.731.3
+sysContact <%= @system_contact %>
+sysName <%= @system_name %>
+sysLocation <%= @system_location %>
+sysServices 72
+
+[snmp] clientaddr oamcontroller
+dlmod cgtsAgentPlugin /usr/lib64/libcgtsAgentPlugin.so.1
+dlmod snmpAuditPlugin /usr/lib64/libsnmpAuditPlugin.so.1
+
+# Insert the snmpAudit hander into specific sections of the mib tree
+injectHandler snmpAudit null
+injectHandler snmpAudit bulk_to_next
+<%- @community_strings.each do |community| -%>
+rocommunity <%= community %>
+rocommunity6 <%= community %>
+<%- end -%>
+<%- @trap_destinations.each do |destination| -%>
+trap2sink <%= destination %>
+<%- end -%>
+
+
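Review bot: `rocommunity <%= community %>` and `rocommunity6 <%= community %>` carry no source argument, so net-snmp applies its `default` source and accepts the community from any address that can reach the agent, and with `view all included .1 80` that opens the entire MIB tree to anyone who learns one string. net-snmp takes a source after the community (`rocommunity <%= community %> <network/prefix>`, the placeholder being the permitted network), so if @community_strings cannot carry one, a second parameter for the allowed network would let the manifest scope access to the OAM side. Likewise `trap2sink <%= destination %>` sends with the community `public` unless the destination string itself holds `host community`; a comment stating which form @trap_destinations is expected to contain would prevent traps silently going out with the default community.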