RadosGW fixes

move command to create signing certs for NSS db to radosgw
fix some file and package deps
add chain to make sure keystone will run fist
added file to makesure fastcgi.conf is usable
Conditionalize keystone usage in CEPH
Conditionalize keystone PKI usage in CEPH
fix package decl
add a2en for needed modules
add enabled sites link
distorize rgw_host
remove libnss
clean ceph::horizon class and includde in ceph::radosgw instead

deployment/puppet/ceph/manifests/init.pp

@@ -21,16 +21,18 @@ class ceph (
       $public_network            = $::fuel_settings['management_network_range'],
 
       # RadosGW settings
-      $rgw_host                         = $::fqdn,
+      $rgw_host                         = $::osfamily ? {'Debian'=> $::hostname, default => $::fqdn},
       $rgw_port                         = '6780',
       $rgw_keyring_path                 = '/etc/ceph/keyring.radosgw.gateway',
       $rgw_socket_path                  = '/tmp/radosgw.sock',
       $rgw_log_file                     = '/var/log/ceph/radosgw.log',
+      $rgw_use_keystone                 = true,
+      $rgw_use_pki                      = false,
       $rgw_keystone_url                 = "${cluster_node_address}:5000",
       $rgw_keystone_admin_token         = $::fuel_settings['keystone']['admin_token'],
       $rgw_keystone_token_cache_size    = '10',
       $rgw_keystone_accepted_roles      = '_member_, Member, admin, swiftoperator',
-      $rgw_keystone_revocation_interval = '60',
+      $rgw_keystone_revocation_interval = $::ceph::rgw_use_pki ? { false => 1000000, default => 60},
       $rgw_data                         = '/var/lib/ceph/radosgw',
       $rgw_dns_name                     = "*.${::domain}",
       $rgw_print_continue               = 'false',
@@ -97,11 +99,12 @@ class ceph (
       Service['ceph']
 
       if ($::ceph::use_rgw) {
-        include ceph::libnss, ceph::keystone, ceph::radosgw
+        include ceph::radosgw
         Class['ceph::mon'] ->
-        Class['ceph::libnss'] ->
-        Class[['ceph::keystone', 'ceph::radosgw']] ~>
+        Class['ceph::radosgw'] ~>
         Service['ceph']
+
+        Class['::keystone'] -> Class['ceph::radosgw']
       }
     }
 

deployment/puppet/ceph/manifests/keystone.pp

@@ -4,23 +4,7 @@ class ceph::keystone (
   $adm_ip    = $::ceph::rgw_adm_ip,
   $int_ip    = $::ceph::rgw_int_ip,
   $rgw_port  = $::ceph::rgw_port,
-  $use_ssl   = $::ceph::use_ssl,
-  $directory = $::ceph::rgw_nss_db_path,
 ) {
-  if ($use_ssl) {
-    exec {'creating OpenSSL certificates':
-      command => "openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
-      certutil -d ${directory} -A -n ca -t 'TCu,Cu,Tuw' && openssl x509  \
-      -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
-      certutil -A -d ${directory} -n signing_cert -t 'P,P,P'",
-      require => [File[$directory], Package[$::ceph::params::package_libnss]]
-    } ->
-    exec {'copy OpenSSL certificates':
-      command => "scp -r ${directory}/* ${::ceph::primary_mon}:${directory} && \
-                  ssh ${::ceph::primary_mon} '/etc/init.d/radosgw restart'",
-    }
-  }
-
   keystone_service {'swift':
     ensure      => present,
     type        => 'object-store',
@@ -34,11 +18,4 @@ class ceph::keystone (
     admin_url    => "http://${adm_ip}:${rgw_port}/swift/v1",
     internal_url => "http://${int_ip}:${rgw_port}/swift/v1",
   }
-
-  if ! defined(Class['keystone']) {
-    service { 'keystone':
-      ensure => 'running',
-      enable => true,
-    }
-  }
 }

deployment/puppet/ceph/manifests/libnss.pp

@@ -1,15 +0,0 @@
-# set up the OS-specific libnss package for Ceph
-class ceph::libnss {
-  package {$::ceph::params::package_libnss:
-    ensure => 'latest',
-  }
-
-  file {$::ceph::rgw_nss_db_path:
-    ensure  => 'directory',
-    mode    => '0755',
-    owner   => $::ceph::params::user_httpd,
-    group   => $::ceph::params::user_httpd,
-    require => Package['ceph']
-  }
-}
-

deployment/puppet/ceph/manifests/radosgw.pp

@@ -9,7 +9,6 @@ define apache::loadmodule () {
 # deploys Ceph radosgw as an Apache FastCGI application
 class ceph::radosgw (
   $keyring_path     = '/etc/ceph/keyring.radosgw.gateway',
-  $httpd_ssl        = $::ceph::params::dir_httpd_ssl,
   $radosgw_auth_key = 'client.radosgw.gateway',
   $rgw_user         = $::ceph::params::user_httpd,
 
@@ -19,24 +18,26 @@ class ceph::radosgw (
   $rgw_keyring_path                 = $::ceph::rgw_keyring_path,
   $rgw_socket_path                  = $::ceph::rgw_socket_path,
   $rgw_log_file                     = $::ceph::rgw_log_file,
+  $rgw_data                         = $::ceph::rgw_data,
+  $rgw_dns_name                     = $::ceph::rgw_dns_name,
+  $rgw_print_continue               = $::ceph::rgw_print_continue,
+
+  #rgw Keystone settings
+  $rgw_use_pki                      = $::ceph::rgw_use_pki,
+  $rgw_use_keystone                 = $::ceph::rgw_use_keystone,
   $rgw_keystone_url                 = $::ceph::rgw_keystone_url,
   $rgw_keystone_admin_token         = $::ceph::rgw_keystone_admin_token,
   $rgw_keystone_token_cache_size    = $::ceph::rgw_keystone_token_cache_size,
   $rgw_keystone_accepted_roles      = $::ceph::rgw_keystone_accepted_roles,
   $rgw_keystone_revocation_interval = $::ceph::rgw_keystone_revocation_interval,
-  $rgw_data                         = $::ceph::rgw_data,
-  $rgw_dns_name                     = $::ceph::rgw_dns_name,
-  $rgw_print_continue               = $::ceph::rgw_print_continue,
   $rgw_nss_db_path                  = $::ceph::rgw_nss_db_path,
-
-  $use_ssl   = $::ceph::use_ssl,
 ) {
 
   $dir_httpd_root = '/var/www/radosgw'
 
   package { [$::ceph::params::package_radosgw,
              $::ceph::params::package_fastcgi,
-             $::ceph::params::package_modssl
+             $::ceph::params::package_libnss,
             ]:
     ensure  => 'latest',
   }
@@ -72,25 +73,74 @@ class ceph::radosgw (
     'client.radosgw.gateway/rgw_socket_path':                  value => $rgw_socket_path;
     'client.radosgw.gateway/log_file':                         value => $rgw_log_file;
     'client.radosgw.gateway/user':                             value => $rgw_user;
-    'client.radosgw.gateway/rgw_keystone_url':                 value => $rgw_keystone_url;
-    'client.radosgw.gateway/rgw_keystone_admin_token':         value => $rgw_keystone_admin_token;
-    'client.radosgw.gateway/rgw_keystone_accepted_roles':      value => $rgw_keystone_accepted_roles;
-    'client.radosgw.gateway/rgw_keystone_token_cache_size':    value => $rgw_keystone_token_cache_size;
-    'client.radosgw.gateway/rgw_keystone_revocation_interval': value => $rgw_keystone_revocation_interval;
     'client.radosgw.gateway/rgw_data':                         value => $rgw_data;
     'client.radosgw.gateway/rgw_dns_name':                     value => $rgw_dns_name;
     'client.radosgw.gateway/rgw_print_continue':               value => $rgw_print_continue;
   }
 
-# TODO: CentOS conversion
-#  apache::loadmodule{['rewrite', 'fastcgi', 'ssl']: }
+  if ($use_ssl) {
 
-#  file {"${::ceph::params::dir_httpd_conf}/httpd.conf":
-#    ensure  => 'present',
-#    content => "ServerName ${fqdn}",
-#    notify  => Service['httpd'],
-#    require => Package[$::ceph::params::package_httpd],
-#  }
+    $httpd_ssl = $::ceph::params::dir_httpd_ssl
+    exec {'copy OpenSSL certificates':
+      command => "scp -r ${rgw_nss_db_path}/* ${::ceph::primary_mon}:${rgw_nss_db_path} && \
+                  ssh ${::ceph::primary_mon} '/etc/init.d/radosgw restart'",
+    }
+    exec {"generate SSL certificate on ${name}":
+      command => "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${httpd_ssl}apache.key -out ${httpd_ssl}apache.crt -subj '/C=RU/ST=Russia/L=Saratov/O=Mirantis/OU=CA/CN=localhost'",
+      returns => [0,1],
+    }
+  }
+
+  if ($rgw_use_keystone) {
+
+    ceph_conf {
+      'client.radosgw.gateway/rgw_keystone_url':                 value => $rgw_keystone_url;
+      'client.radosgw.gateway/rgw_keystone_admin_token':         value => $rgw_keystone_admin_token;
+      'client.radosgw.gateway/rgw_keystone_accepted_roles':      value => $rgw_keystone_accepted_roles;
+      'client.radosgw.gateway/rgw_keystone_token_cache_size':    value => $rgw_keystone_token_cache_size;
+      'client.radosgw.gateway/rgw_keystone_revocation_interval': value => $rgw_keystone_revocation_interval;
+    }
+
+    if ($rgw_use_pki) {
+
+      ceph_conf {
+      'client.radosgw.gateway/nss db path':                      value => $rgw_nss_db_path;
+      }
+
+      # This creates the signing certs used by radosgw to check cert revocation
+      #   status from keystone
+      exec {'create nss db signing certs':
+        command => "openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
+          certutil -d ${rgw_nss_db_path} -A -n ca -t 'TCu,Cu,Tuw' && \ 
+          openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
+          certutil -A -d ${rgw_nss_db_path} -n signing_cert -t 'P,P,P'",
+        user    => $rgw_user,
+      }
+
+      Exec["ceph-create-radosgw-keyring-on ${name}"] ->
+      Exec['create nss db signing certs'] ~>
+      Service['radosgw']
+
+    } #END rgw_use_pki
+
+  class {'ceph::keystone': }
+
+  } #END rgw_use_keystone
+
+  if ($::osfamily == 'Debian'){
+    #a2mod is provided by horizon module
+    a2mod { ['rewrite', 'fastcgi']: 
+      require => Package[$::ceph::params::package_fastcgi],
+      notify  => Service['httpd'],
+    }
+    
+    File["${::ceph::params::dir_httpd_sites}/rgw.conf"] ->
+    file {'/etc/apache2/sites-enabled/rgw.conf':
+      ensure => link,
+      target => "${::ceph::params::dir_httpd_sites}/rgw.conf",
+      notify => Service['httpd'],
+    }
+  }
 
   file {$rgw_log_file:
     ensure => present,
@@ -101,19 +151,11 @@ class ceph::radosgw (
          "${::ceph::rgw_data}/ceph-radosgw.gateway",
          $::ceph::rgw_data,
          $dir_httpd_root,
+         $rgw_nss_db_path,
         ]:
-    ensure => 'directory',
-    mode   => '0755',
-  }
-
-  if ($use_ssl) {
-    exec {"generate SSL certificate on ${name}":
-      command => "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${httpd_ssl}apache.key -out ${httpd_ssl}apache.crt -subj '/C=RU/ST=Russia/L=Saratov/O=Mirantis/OU=CA/CN=localhost'",
-      returns => [0,1],
-    }
-    ceph_conf{
-      'client.radosgw.gateway/nss db path': value => $rgw_nss_db_path;
-    }
+    ensure  => 'directory',
+    mode    => '0755',
+    recurse => true,
   }
 
   file { "${::ceph::params::dir_httpd_sites}/rgw.conf":
@@ -125,6 +167,11 @@ class ceph::radosgw (
     mode    => '0755',
   }
 
+  file {"${::ceph::params::dir_httpd_sites}/fastcgi.conf":
+    content => template('ceph/fastcgi.conf.erb'),
+    mode    => '0755',
+    }
+
   exec { "ceph-create-radosgw-keyring-on ${name}":
     command => "ceph-authtool --create-keyring ${keyring_path}",
     creates => $keyring_path,
@@ -145,14 +192,19 @@ class ceph::radosgw (
   }
 
   Ceph_conf <||> ->
-  Package[[$::ceph::params::package_httpd,
-           $::ceph::params::package_radosgw,]] ->
+  Package[$::ceph::params::package_httpd] ->
+  Package[[$::ceph::params::package_radosgw,
+           $::ceph::params::package_fastcgi,
+           $::ceph::params::package_libnss,]] ->
   File[["${::ceph::params::dir_httpd_sites}/rgw.conf",
-       $::ceph::params::dir_httpd_ssl,
-       "${::ceph::rgw_data}/ceph-radosgw.gateway",
-       $::ceph::rgw_data,
-       $dir_httpd_root,
-       $rgw_log_file,]] ->
+        "${::ceph::params::dir_httpd_sites}/fastcgi.conf",
+        "${dir_httpd_root}/s3gw.fcgi",
+        $::ceph::params::dir_httpd_ssl,
+        "${::ceph::rgw_data}/ceph-radosgw.gateway",
+        $::ceph::rgw_data,
+        $dir_httpd_root,
+        $rgw_nss_db_path,
+        $rgw_log_file,]] ->
   Exec["ceph-create-radosgw-keyring-on ${name}"] ->
   File[$keyring_path] ->
   Exec["ceph-generate-key-on ${name}"] ->

deployment/puppet/ceph/templates/fastcgi.conf.erb

@@ -0,0 +1,25 @@
+# This file is managed by Puppet
+
+# WARNING: this is a kludge:
+## The User/Group for httpd need to be set before we can load mod_fastcgi,
+## but /etc/httpd/conf.d/fastcgi.conf on RHEL gets loaded before
+## /etc/httpd/conf/httpd.conf, so we need to set them here :(
+## mod_fcgid does not have this bug,
+## but it does not handle child PHP processes appropriately per
+## http://serverfault.com/questions/303535/a-single-php-fastcgi-process-blocks-all-other-php-requests/305093#305093
+
+User apache
+Group apache
+
+LoadModule fastcgi_module modules/mod_fastcgi.so
+
+# dir for IPC socket files
+FastCgiIpcDir /var/run/mod_fastcgi
+
+# wrap all fastcgi script calls in suexec
+# Must be off in RHEL
+FastCgiWrapper Off
+
+# global FastCgiConfig can be overridden by FastCgiServer options in vhost config
+FastCgiConfig -idle-timeout 20 -maxClassProcesses 1
+

deployment/puppet/osnailyfacter/manifests/cluster_ha.pp

@@ -148,11 +148,10 @@ class osnailyfacter::cluster_ha {
     $primary_mon    = $controllers[0]['name']
 
     class {'ceph':
-      primary_mon          => $primary_mon,
-      cluster_node_address => $controller_node_public,
-      use_rgw              => $storage_hash['objects_ceph'],
-      use_ssl              => false,
-      glance_backend       => $glance_backend,
+      primary_mon                      => $primary_mon,
+      cluster_node_address             => $controller_node_public,
+      use_rgw                          => $storage_hash['objects_ceph'],
+      glance_backend                   => $glance_backend,
     }
   }
 

deployment/puppet/osnailyfacter/manifests/cluster_simple.pp

@@ -129,11 +129,10 @@ class osnailyfacter::cluster_simple {
     $primary_mons   = $controller
     $primary_mon    = $controller[0]['name']
     class {'ceph':
-      primary_mon          => $primary_mon,
-      cluster_node_address => $controller_node_public,
-      use_rgw              => $storage_hash['objects_ceph'],
-      use_ssl              => false,
-      glance_backend       => $glance_backend,
+      primary_mon                      => $primary_mon,
+      cluster_node_address             => $controller_node_public,
+      use_rgw                          => $storage_hash['objects_ceph'],
+      glance_backend                   => $glance_backend,
     }
   }