openstack/puppet-tripleo
Code Issues Proposed changes

Update cephx keys with ACLs for openstack services.

Browse Source 
This patch will set file system ACLs on the ceph client keyring.
This will help resolve (1) for OSP Ocata and before

Change-Id: I0c1bc3d2362c6500b1a515d99f641f8c1468754a
Partial-Bug: #1720787
1: https://bugzilla.redhat.com/show_bug.cgi?id=1462657
This commit is contained in:
Keith Schincke
2017-11-13 23:15:21 -05:00
parent 2b80eeb55e
commit 48c417519f
8 changed files with 71 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
manifests/profile/base/cinder/volume.pp
View File

@@ -70,6 +70,10 @@
# (Optional) List of additional backend stanzas to activate # (Optional) List of additional backend stanzas to activate
# Defaults to hiera('cinder_user_enabled_backends') # Defaults to hiera('cinder_user_enabled_backends')
# #
# [*cinder_rbd_client_name*]
# (Optional) Name of RBD client
# Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
#
# [*step*] # [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates # (Optional) The current step in deployment. See tripleo-heat-templates
# for more details. # for more details.
@@ -89,6 +93,7 @@ class tripleo::profile::base::cinder::volume (
$cinder_enable_scaleio_backend = false, $cinder_enable_scaleio_backend = false,
$cinder_enable_vrts_hs_backend = false, $cinder_enable_vrts_hs_backend = false,
$cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
$cinder_rbd_client_name = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
) { ) {
include ::tripleo::profile::base::cinder include ::tripleo::profile::base::cinder
@@ -164,6 +169,13 @@ class tripleo::profile::base::cinder::volume (
include ::tripleo::profile::base::cinder::volume::rbd include ::tripleo::profile::base::cinder::volume::rbd
$cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph') $cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
path => ['/bin', '/usr/bin'],
command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
}
Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
$cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef) $cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
if $cinder_rbd_extra_pools { if $cinder_rbd_extra_pools {
$base_name = $cinder_rbd_backend_name $base_name = $cinder_rbd_backend_name

14
manifests/profile/base/glance/api.pp
View File

@@ -79,6 +79,9 @@
# enable_internal_tls is set. # enable_internal_tls is set.
# defaults to 9292 # defaults to 9292
# #
# [*glance_rbd_client_name*]
# RBD client naem
# (optional) Defaults to hiera('glance::backend::rbd::rbd_store_user')
class tripleo::profile::base::glance::api ( class tripleo::profile::base::glance::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef), $bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}), $certificates_specs = hiera('apache_certificates_specs', {}),
@@ -92,6 +95,7 @@ class tripleo::profile::base::glance::api (
$tls_proxy_bind_ip = undef, $tls_proxy_bind_ip = undef,
$tls_proxy_fqdn = undef, $tls_proxy_fqdn = undef,
$tls_proxy_port = 9292, $tls_proxy_port = 9292,
$glance_rbd_client_name = hiera('glance::backend::rbd::rbd_store_user','openstack'),
) { ) {
if $::hostname == downcase($bootstrap_node) { if $::hostname == downcase($bootstrap_node) {
$sync_db = true $sync_db = true
@@ -129,7 +133,15 @@ class tripleo::profile::base::glance::api (
case $glance_backend { case $glance_backend {
'swift': { $backend_store = 'swift' } 'swift': { $backend_store = 'swift' }
'file': { $backend_store = 'file' } 'file': { $backend_store = 'file' }
'rbd': { $backend_store = 'rbd' } 'rbd': {
$backend_store = 'rbd'
exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
path => ['/bin', '/usr/bin'],
command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
}
Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
}
'cinder': { $backend_store = 'cinder' } 'cinder': { $backend_store = 'cinder' }
default: { fail('Unrecognized glance_backend parameter.') } default: { fail('Unrecognized glance_backend parameter.') }
} }

15
manifests/profile/base/gnocchi/api.pp
View File

@@ -55,6 +55,10 @@
# (Required) Redis ip address for the coordination url # (Required) Redis ip address for the coordination url
# Defaults to hiera('redis_vip') # Defaults to hiera('redis_vip')
# #
# [*gnocchi_rbd_client_name*]
# (Optional) RBD Client username.
# Defaults to hiera('gnocchi::storage::ceph::ceph_username')
#
# [*step*] # [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates # (Optional) The current step in deployment. See tripleo-heat-templates
# for more details. # for more details.
@@ -68,6 +72,7 @@ class tripleo::profile::base::gnocchi::api (
$gnocchi_network = hiera('gnocchi_api_network', undef), $gnocchi_network = hiera('gnocchi_api_network', undef),
$gnocchi_redis_password = hiera('gnocchi_redis_password'), $gnocchi_redis_password = hiera('gnocchi_redis_password'),
$redis_vip = hiera('redis_vip'), $redis_vip = hiera('redis_vip'),
$gnocchi_rbd_client_name = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
) { ) {
if $::hostname == downcase($bootstrap_node) { if $::hostname == downcase($bootstrap_node) {
@@ -124,7 +129,15 @@ class tripleo::profile::base::gnocchi::api (
} }
} }
'file': { include ::gnocchi::storage::file } 'file': { include ::gnocchi::storage::file }
'rbd': { include ::gnocchi::storage::ceph } 'rbd': {
include ::gnocchi::storage::ceph
exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
path => ['/bin', '/usr/bin'],
command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
}
Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
}
default: { fail('Unrecognized gnocchi_backend parameter.') } default: { fail('Unrecognized gnocchi_backend parameter.') }
} }
} }

7
manifests/profile/base/manila/share.pp
View File

@@ -141,6 +141,13 @@ class tripleo::profile::base::manila::share (
"client.${cephfs_auth_id}/client mount uid": value => 0; "client.${cephfs_auth_id}/client mount uid": value => 0;
"client.${cephfs_auth_id}/client mount gid": value => 0; "client.${cephfs_auth_id}/client mount gid": value => 0;
} }
exec{ "exec-setfacl-${cephfs_auth_id}}":
path => ['/bin', '/usr/bin' ],
command => "setfacl -m u:manila:r-- ${keyring_path}",
unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
}
Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}-manila"]
} }
# manila netapp: # manila netapp:

11
manifests/profile/base/nova/compute_libvirt_shared.pp
View File

@@ -18,12 +18,17 @@
# #
# === Parameters # === Parameters
# #
# [*nova_rbd_client_name*]
# (optional) name of RBD client
# defaults to hiera('nova::compute::rbd::libvirt_rbd_user')
#
# [*step*] # [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates # (Optional) The current step in deployment. See tripleo-heat-templates
# for more details. # for more details.
# Defaults to hiera('step') # Defaults to hiera('step')
# #
class tripleo::profile::base::nova::compute_libvirt_shared ( class tripleo::profile::base::nova::compute_libvirt_shared (
$nova_rbd_client_name = hiera('nova::compute::rbd::libvirt_rbd_user','openstack'),
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
) { ) {
if $step >= 4 { if $step >= 4 {
@@ -32,6 +37,12 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
$rbd_persistent_storage = hiera('rbd_persistent_storage', false) $rbd_persistent_storage = hiera('rbd_persistent_storage', false)
if $rbd_ephemeral_storage or $rbd_persistent_storage { if $rbd_ephemeral_storage or $rbd_persistent_storage {
include ::nova::compute::rbd include ::nova::compute::rbd
exec{ "exec-setfacl-${nova_rbd_client_name}-nova":
path => ['/bin', '/usr/bin'],
command => "setfacl -m u:nova:r-- /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
unless => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q user:nova:r--",
}
Ceph::Key<| title == "client.${nova_rbd_client_name}" |> -> Exec["exec-setfacl-${nova_rbd_client_name}-nova"]
} }
if $rbd_ephemeral_storage { if $rbd_ephemeral_storage {

3
metadata.json
View File

@@ -25,6 +25,7 @@
"dependencies": [ "dependencies": [
{ "name": "puppetlabs/stdlib", "version_requirement": ">= 4.12.0 < 5.0.0" }, { "name": "puppetlabs/stdlib", "version_requirement": ">= 4.12.0 < 5.0.0" },
{ "name": "sensu/sensu" }, { "name": "sensu/sensu" },
{ "name": "yelp/uchiwa" } { "name": "yelp/uchiwa" },
{ "name": "openstack/ceph"}
] ]
} }

6
spec/classes/tripleo_profile_base_cinder_volume_spec.rb
View File

@@ -28,7 +28,9 @@ describe 'tripleo::profile::base::cinder::volume' do
end end
let(:pre_condition) do let(:pre_condition) do
"class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }" "
class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }
"
end end
context 'with step less than 4' do context 'with step less than 4' do
@@ -175,6 +177,7 @@ describe 'tripleo::profile::base::cinder::volume' do
params.merge!({ params.merge!({
:cinder_enable_rbd_backend => true, :cinder_enable_rbd_backend => true,
:cinder_enable_iscsi_backend => false, :cinder_enable_iscsi_backend => false,
:cinder_rbd_client_name => 'openstack'
}) })
end end
it 'should configure only ceph' do it 'should configure only ceph' do
@@ -186,6 +189,7 @@ describe 'tripleo::profile::base::cinder::volume' do
is_expected.to contain_class('cinder::backends').with( is_expected.to contain_class('cinder::backends').with(
:enabled_backends => ['tripleo_ceph'] :enabled_backends => ['tripleo_ceph']
) )
is_expected.to contain_exec('exec-setfacl-openstack-cinder')
end end
context 'additional rbd pools' do context 'additional rbd pools' do
# The list of additional rbd pools is not an input, but instead comes # The list of additional rbd pools is not an input, but instead comes

8
spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
View File

@@ -19,7 +19,9 @@ require 'spec_helper'
describe 'tripleo::profile::base::gnocchi::api' do describe 'tripleo::profile::base::gnocchi::api' do
shared_examples_for 'tripleo::profile::base::gnocchi::api' do shared_examples_for 'tripleo::profile::base::gnocchi::api' do
let(:pre_condition) do let(:pre_condition) do
"class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }" "
class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }
"
end end
context 'with step less than 3' do context 'with step less than 3' do
@@ -94,7 +96,8 @@ describe 'tripleo::profile::base::gnocchi::api' do
:step => 4, :step => 4,
:gnocchi_backend => 'rbd', :gnocchi_backend => 'rbd',
:gnocchi_redis_password => 'gnocchi', :gnocchi_redis_password => 'gnocchi',
:redis_vip => '127.0.0.1' :redis_vip => '127.0.0.1',
:gnocchi_rbd_client_name => 'openstack'
} } } }
it { it {
@@ -107,6 +110,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
:redis_url => 'redis://:gnocchi@127.0.0.1:6379/' :redis_url => 'redis://:gnocchi@127.0.0.1:6379/'
) )
is_expected.to contain_class('gnocchi::storage::ceph') is_expected.to contain_class('gnocchi::storage::ceph')
is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
} }
end end