opendev/puppet-infracloud
Code Issues Proposed changes
121afc07bd
puppet-infracloud/manifests/controller.pp
Paul Belanger 6a10fc12d4 Remove dns_servers from provider-subnet-infracloud 
Because of the way glean works, we don't actually need to have a DNS
server setup to boot our images. In this case, it is actually
problematic for centos-7, because glean overwrites our
/etc/resolv.conf file.

Change-Id: Ie81bc593ac3257021e0636b6c111c37e8b87b747
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-08-10 19:52:56 -04:00

424 lines
12 KiB
Puppet
Raw Blame History

# Class: OpenStack Infra Cloud
#
class infracloud::controller(
$br_name,
$glance_admin_password,
$glance_mysql_password,
$keystone_admin_password,
$keystone_admin_token,
$keystone_mysql_password,
$keystone_rabbit_password,
$neutron_admin_password,
$neutron_mysql_password,
$neutron_rabbit_password,
$neutron_subnet_allocation_pools,
$neutron_subnet_cidr,
$neutron_subnet_gateway,
$nova_admin_password,
$nova_mysql_password,
$nova_rabbit_password,
$root_mysql_password,
$ssl_key_file_contents,
$ssl_cert_file_contents,
$controller_public_address = $::fqdn,
$mysql_max_connections = 1024,
$openstack_release = 'mitaka',
) {
$keystone_auth_uri = "https://${controller_public_address}:5000"
$keystone_admin_uri = "https://${controller_public_address}:35357"
include ::infracloud::params
$ssl_cert_path = "${::infracloud::params::cert_path}/openstack_infra_ca.crt"
### Certificate Chain ###
class { '::infracloud::cacert':
cacert_content => $ssl_cert_file_contents,
}
### Networking ###
class { '::infracloud::veth':
br_name => $br_name,
}
### Repos and selinux ###
case $::osfamily {
'Debian': {
include ::apt
case $::operatingsystem {
'Ubuntu': {
class { '::openstack_extras::repo::debian::ubuntu':
release => $openstack_release,
package_require => true,
}
}
'Debian': {
class { '::openstack_extras::repo::debian::debian':
release => $openstack_release,
package_require => true,
}
}
default: {
fail("Unsupported operating system: ${::operatingsystem}")
}
}
}
'RedHat': {
class { '::openstack_extras::repo::redhat::redhat':
release => $openstack_release,
package_require => true,
}
package { 'erlang':
ensure => present,
before => Class['::rabbitmq'],
}
class { '::selinux':
mode => 'permissive',
}
}
default: {
fail("Unsupported osfamily: ${::osfamily} The 'infracloud' module only supports osfamily Debian or RedHat.")
}
}
### Database ###
class { '::mysql::server':
root_password => $root_mysql_password,
restart => true,
override_options => {
'mysqld' => {
'max_connections' => $mysql_max_connections,
}
}
}
### Messaging ###
file { '/etc/rabbitmq/ssl/private':
ensure => directory,
owner => 'root',
mode => '0755',
}
infracloud::ssl_key { 'rabbitmq':
key_content => $ssl_key_file_contents,
key_path => "/etc/rabbitmq/ssl/private/${controller_public_address}.pem",
require => Package['rabbitmq-server'],
}
class { '::rabbitmq':
delete_guest_user => true,
environment_variables => {
'RABBITMQ_NODE_IP_ADDRESS' => '127.0.0.1',
},
ssl => true,
ssl_only => true,
ssl_cacert => $ssl_cert_path,
ssl_cert => $ssl_cert_path,
ssl_key => "/etc/rabbitmq/ssl/private/${controller_public_address}.pem",
require => File[$ssl_cert_path],
}
### Keystone ###
class { '::keystone::db::mysql':
password => $keystone_mysql_password,
}
infracloud::rabbitmq_user { 'keystone':
password => $keystone_rabbit_password,
}
# keystone.conf
class { '::keystone':
database_connection => "mysql://keystone:${keystone_mysql_password}@127.0.0.1/keystone",
catalog_type => 'sql',
admin_token => $keystone_admin_token,
service_name => 'httpd',
enable_ssl => true,
admin_bind_host => $controller_public_address,
rabbit_userid => 'keystone',
rabbit_password => $keystone_rabbit_password,
rabbit_host => $controller_public_address,
rabbit_port => '5671',
rabbit_use_ssl => true,
# Hack to work around a bug in the puppet module
# https://review.openstack.org/#/c/280462/
kombu_ssl_ca_certs => [],
kombu_ssl_certfile => [],
kombu_ssl_keyfile => [],
}
# keystone admin user, projects
class { '::keystone::roles::admin':
email => 'postmaster@example.com',
password => $keystone_admin_password,
}
# keystone auth endpoints
class { '::keystone::endpoint':
public_url => $keystone_auth_uri,
admin_url => $keystone_admin_uri,
version => '',
}
# apache server
include ::apache
file { '/etc/ssl/private':
ensure => directory,
owner => 'root',
mode => '0710',
}
$keystone_ssl_key_path = "/etc/ssl/private/${controller_public_address}-keystone.pem"
# keystone vhost
class { '::keystone::wsgi::apache':
ssl_key => $keystone_ssl_key_path,
ssl_cert => $ssl_cert_path,
subscribe => Class['::infracloud::cacert'],
require => File['/etc/ssl/private'],
}
infracloud::ssl_key { 'keystone':
key_content => $ssl_key_file_contents,
key_path => $keystone_ssl_key_path,
notify => Service['httpd'],
require => [ Package['keystone'], File['/etc/ssl/private'] ],
}
### Glance ###
$glance_database_connection = "mysql://glance:${glance_mysql_password}@127.0.0.1/glance"
class { '::glance::db::mysql':
password => $glance_mysql_password,
}
# glance-api.conf
class { '::glance::api':
database_connection => $glance_database_connection,
keystone_password => $glance_admin_password,
auth_uri => $keystone_auth_uri,
identity_uri => $keystone_admin_uri,
cert_file => $ssl_cert_path,
key_file => "/etc/glance/ssl/private/${controller_public_address}.pem",
subscribe => Class['::infracloud::cacert'],
}
infracloud::ssl_key { 'glance':
key_content => $ssl_key_file_contents,
notify => Service[$::glance::params::api_service_name],
require => Package[$::glance::params::api_package_name],
}
# glance-registry.conf
class { '::glance::registry':
database_connection => $glance_database_connection,
keystone_password => $glance_admin_password,
auth_uri => $keystone_auth_uri,
identity_uri => $keystone_admin_uri,
}
# set filesystem_store_datadir to /var/lib/glance/images in glance-api.conf
# and glance-registry.conf
class { '::glance::backend::file': }
# keystone user, role, service, endpoints for glance service
class { '::glance::keystone::auth':
password => $glance_admin_password,
public_url => "https://${controller_public_address}:9292",
admin_url => "https://${controller_public_address}:9292",
}
### Neutron server ###
sysctl::value { 'net.ipv4.conf.default.rp_filter':
value => 0
}
sysctl::value { 'net.ipv4.conf.all.rp_filter':
value => 0
}
class { '::neutron::db::mysql':
password => $neutron_mysql_password,
}
infracloud::rabbitmq_user { 'neutron':
password => $neutron_rabbit_password,
}
# neutron.conf
class { '::neutron':
core_plugin => 'ml2',
enabled => true,
rabbit_user => 'neutron',
rabbit_password => $neutron_rabbit_password,
rabbit_host => $controller_public_address,
rabbit_port => '5671',
rabbit_use_ssl => true,
use_ssl => true,
cert_file => $ssl_cert_path,
key_file => "/etc/neutron/ssl/private/${controller_public_address}.pem",
subscribe => Class['::infracloud::cacert'],
}
infracloud::ssl_key { 'neutron':
key_content => $ssl_key_file_contents,
notify => Service['neutron-server'],
require => Package['neutron'],
}
# keystone user, role, service, endpoints for neutron service
class { '::neutron::keystone::auth':
password => $neutron_admin_password,
public_url => "https://${controller_public_address}:9696/",
admin_url => "https://${controller_public_address}:9696/",
}
# neutron-server service and related neutron.conf and api-paste.conf params
class { '::neutron::server':
password => $neutron_admin_password,
database_connection => "mysql://neutron:${neutron_mysql_password}@127.0.0.1/neutron?charset=utf8",
sync_db => true,
auth_uri => $keystone_auth_uri,
auth_url => $keystone_admin_uri,
}
# neutron client package
class { '::neutron::client': }
# neutron.conf nova credentials
class { '::neutron::server::notifications':
auth_url => $keystone_admin_uri,
password => $nova_admin_password,
}
# ML2
class { '::neutron::plugins::ml2':
type_drivers => ['flat', 'vlan'],
tenant_network_types => [],
mechanism_drivers => ['linuxbridge'],
flat_networks => ['provider'],
network_vlan_ranges => ['provider'],
enable_security_group => true,
}
class { '::neutron::agents::ml2::linuxbridge':
physical_interface_mappings => ['provider:veth2'],
require => Class['infracloud::veth'],
}
# Fix for https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1453188
file { '/usr/bin/neutron-plugin-linuxbridge-agent':
ensure => link,
target => '/usr/bin/neutron-linuxbridge-agent',
before => Package['neutron-plugin-linuxbridge-agent'],
}
# Fix to make sure linuxbridge-agent can reach rabbit after moving it
Neutron_config['oslo_messaging_rabbit/rabbit_hosts'] ~> Service['neutron-plugin-linuxbridge-agent']
# DHCP
class { '::neutron::agents::dhcp':
interface_driver => 'neutron.agent.linux.interface.BridgeInterfaceDriver',
dhcp_delete_namespaces => true,
}
# Provider network
neutron_network { 'public':
shared => true,
provider_network_type => 'flat',
provider_physical_network => 'provider',
}
# Provider subnet with three allication pools representing three "subnets"
neutron_subnet { 'provider-subnet-infracloud':
cidr => $neutron_subnet_cidr,
gateway_ip => $neutron_subnet_gateway,
network_name => 'public',
allocation_pools => $neutron_subnet_allocation_pools,
}
### Nova ###
class { '::nova::db':
database_connection => "mysql://nova:${nova_mysql_password}@127.0.0.1/nova?charset=utf8",
api_database_connection => "mysql://nova_api:${nova_mysql_password}@127.0.0.1/nova_api?charset=utf8"
}
class { '::nova::db::mysql':
password => $nova_mysql_password,
host => '127.0.0.1',
}
class { '::nova::db::mysql_api':
password => $nova_mysql_password,
host => '127.0.0.1',
}
infracloud::rabbitmq_user { 'nova':
password => $nova_rabbit_password,
}
# nova.conf - general
class { '::nova':
rabbit_userid => 'nova',
rabbit_password => $nova_rabbit_password,
rabbit_host => $controller_public_address,
rabbit_port => '5671',
rabbit_use_ssl => true,
glance_api_servers => "https://${controller_public_address}:9292",
use_ssl => true,
cert_file => $ssl_cert_path,
key_file => "/etc/nova/ssl/private/${controller_public_address}.pem",
subscribe => Class['::infracloud::cacert'],
}
infracloud::ssl_key { 'nova':
key_content => $ssl_key_file_contents,
notify => Service['nova-api'],
require => Class['::nova'],
}
# keystone user, role, service, endpoints for nova service
class { '::nova::keystone::auth':
password => $nova_admin_password,
public_url => "https://${controller_public_address}:8774/v2/%(tenant_id)s",
admin_url => "https://${controller_public_address}:8774/v2/%(tenant_id)s",
configure_ec2_endpoint => false,
configure_endpoint_v3 => false,
}
# nova.conf neutron credentials
class { '::nova::network::neutron':
neutron_auth_url => $keystone_admin_uri,
neutron_password => $neutron_admin_password,
neutron_auth_plugin => 'password',
neutron_url => "https://${controller_public_address}:9696",
}
# api service and endpoint-related params in nova.conf
class { '::nova::api':
enabled => true,
enabled_apis => 'osapi_compute',
admin_password => $nova_admin_password,
auth_uri => $keystone_auth_uri,
identity_uri => $keystone_admin_uri,
osapi_v3 => false,
}
# conductor service
class { '::nova::conductor':
enabled => true,
}
# scheduler service
class { '::nova::scheduler':
enabled => true,
}
### Logging ###
class { '::infracloud::logs': }
}
View Git Blame Copy Permalink