
Initial support for tls_priorities

We add initial support for being able to specify tls priorities in
pacemaker. For bundles this will happen via an env variable because
pacemaker_remote is started normally as a process and there is no
sourcing of /etc/sysconfig/pacemaker.

Tested on both queens and stein, via a deploy and a redeploy against an
existing cloud. Observed that:
A) We got PCMK_tls_priorities inside /etc/sysconfig/pacemaker with the
value that was passed in THT
B) Containers had the following env variable set:
  "PCMK_tls_priorities=normal",

The '-e' addition is a noop in case the PCMK_tls_priorities is unset
so that we do not change the signature of the resources and hence do
not needlessly restart the HA resource.

Depends-On: I1971810f6a90f244ed5ced972a5fe7fde29dde86
Change-Id: I703b5a429f48063474aace85bc45d948f5c91435
(cherry picked from commit f1a593b642)
tags/10.5.1
Michele Baldessari 2 months ago
parent
commit
dbae850692

+ 7
- 0
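--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -81,6 +81,11 @@
 #  (Optional) Boolean driving the Instance HA controlplane configuration
 #  Defaults to false
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
+#
+
 class tripleo::profile::base::pacemaker (
   $step                      = Integer(hiera('step')),
   $pcs_tries                 = hiera('pcs_tries', 20),
@@ -96,6 +101,7 @@ class tripleo::profile::base::pacemaker (
   $cluster_recheck_interval  = hiera('pacemaker_cluster_recheck_interval', undef),
   $encryption                = true,
   $enable_instanceha         = hiera('tripleo::instanceha', false),
+  $tls_priorities            = hiera('tripleo::pacemaker::tls_priorities', undef),
 ) {
 
   if count($remote_short_node_names) != count($remote_node_ips) {
@@ -161,6 +167,7 @@ class tripleo::profile::base::pacemaker (
       cluster_setup_extras => $cluster_setup_extras,
       remote_authkey       => $remote_authkey,
       cluster_members_addr => $pacemaker_node_ips_real,
+      tls_priorities       => $tls_priorities,
     }
     if str2bool(hiera('docker_enabled', false)) {
       include ::systemd::systemctl::daemon_reload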
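Review bot: The new `$tls_priorities` parameter in the second hunk is declared without a data type, so whatever hiera holds under `tripleo::pacemaker::tls_priorities` (a list, a boolean, an empty string) is forwarded unchecked at `tls_priorities => $tls_priorities` in the third hunk. Since every bundle profile in this commit reads the same hiera key, this base class is the natural place to pin the contract, e.g. `Optional[String] $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),`; the parameter added to pacemaker_remote.pp has the same gap. The resource that receives `tls_priorities =>` in the third hunk is declared outside the hunk, so I cannot confirm from here that it accepts the new attribute — presumably that is what the Depends-On change provides, but it is worth stating in the parameter doc which version of the dependency is required.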

+ 6
- 0
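--- a/manifests/profile/base/pacemaker_remote.pp
+++ b/manifests/profile/base/pacemaker_remote.pp
@@ -40,6 +40,10 @@
 #   (Optional) Whether or not to manage stonith devices for nodes
 #   Defaults to hiera('enable_fencing', false)
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -51,6 +55,7 @@ class tripleo::profile::base::pacemaker_remote (
   $pcs_user       = 'hacluster',
   $pcs_password   = hiera('hacluster_pwd', undef),
   $enable_fencing = hiera('enable_fencing', false),
+  $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
   $step           = Integer(hiera('step')),
 ) {
   if $pcs_password == undef {
@@ -61,6 +66,7 @@ class tripleo::profile::base::pacemaker_remote (
     pcs_password   => $pcs_password,
     remote_authkey => $remote_authkey,
     use_pcsd       => true,
+    tls_priorities => $tls_priorities,
   }
   if str2bool(hiera('docker_enabled', false)) {
     include ::systemd::systemctl::daemon_reload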

+ 10
- 1
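--- a/manifests/profile/pacemaker/cinder/backup_bundle.pp
+++ b/manifests/profile/pacemaker/cinder/backup_bundle.pp
@@ -47,6 +47,9 @@
 #   (optional) Container backend to use when creating the bundle
 #   Defaults to 'docker'
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
 class tripleo::profile::pacemaker::cinder::backup_bundle (
   $bootstrap_node             = hiera('cinder_backup_short_bootstrap_node_name'),
@@ -54,6 +57,7 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
   $docker_volumes             = [],
   $docker_environment         = ['KOLLA_CONFIG_STRATEGY=COPY_ALWAYS'],
   $container_backend          = 'docker',
+  $tls_priorities             = hiera('tripleo::pacemaker::tls_priorities', undef),
   $pcs_tries                  = hiera('pcs_tries', 20),
   $step                       = Integer(hiera('step')),
 ) {
@@ -180,6 +184,11 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
 
       $docker_env_arr = delete(any2array($docker_environment), '').flatten()
       $docker_env = join($docker_env_arr.map |$var| { "-e ${var}" }, ' ')
+      if $tls_priorities != undef {
+        $tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
+      } else {
+        $tls_priorities_real = ''
+      }
 
       pacemaker::resource::bundle { $::cinder::params::backup_service :
         image             => $cinder_backup_docker_image,
@@ -190,7 +199,7 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
           expression         => ['cinder-backup-role eq true'],
         },
         container_options => 'network=host',
-        options           => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}",
+        options           => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}${tls_priorities_real}",
         run_command       => '/bin/bash /usr/local/bin/kolla_start',
         storage_maps      => $storage_maps,
         container_backend => $container_backend,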
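Review bot: In the third hunk `$tls_priorities` is interpolated unvalidated into the bundle's `options` string as `-e PCMK_tls_priorities=${tls_priorities}`, and that string is (presumably, the consumer is outside this diff) split on whitespace when the container is launched, so a value containing a space or a quote would silently become additional container run options instead of failing the catalog. The `!= undef` guard also lets an empty hiera value through as `-e PCMK_tls_priorities=`, which, unlike the unset case the commit message describes, does change the resource signature. PCMK_tls_priorities is a GnuTLS priority string drawn from a narrow character set, so a type on the parameter would reject malformed values at compile time, e.g. `Optional[Pattern[/\A[A-Za-z0-9:+\-!%@.]+\z/]] $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),`, or at minimum the guard should treat `''` like undef. The identical five-line if/else block is repeated in volume_bundle.pp, mysql_bundle.pp, redis_bundle.pp, haproxy_bundle.pp, share_bundle.pp, ovn_dbs_bundle.pp and rabbitmq_bundle.pp, so this note applies to all of them and the expression is a candidate for a shared helper.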

+ 10
- 1
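--- a/manifests/profile/pacemaker/cinder/volume_bundle.pp
+++ b/manifests/profile/pacemaker/cinder/volume_bundle.pp
@@ -47,6 +47,9 @@
 #   (optional) Container backend to use when creating the bundle
 #   Defaults to 'docker'
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
 class tripleo::profile::pacemaker::cinder::volume_bundle (
   $bootstrap_node             = hiera('cinder_volume_short_bootstrap_node_name'),
@@ -56,6 +59,7 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
   $pcs_tries                  = hiera('pcs_tries', 20),
   $step                       = Integer(hiera('step')),
   $container_backend          = 'docker',
+  $tls_priorities             = hiera('tripleo::pacemaker::tls_priorities', undef),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $pacemaker_master = true
@@ -181,6 +185,11 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
 
       $docker_env_arr = delete(any2array($docker_environment), '').flatten()
       $docker_env = join($docker_env_arr.map |$var| { "-e ${var}" }, ' ')
+      if $tls_priorities != undef {
+        $tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
+      } else {
+        $tls_priorities_real = ''
+      }
 
       pacemaker::resource::bundle { $::cinder::params::volume_service:
         image             => $cinder_volume_docker_image,
@@ -191,7 +200,7 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
           expression         => ['cinder-volume-role eq true'],
         },
         container_options => 'network=host',
-        options           => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}",
+        options           => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}${tls_priorities_real}",
         run_command       => '/bin/bash /usr/local/bin/kolla_start',
         storage_maps      => $storage_maps,
         container_backend => $container_backend,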

+ 10
- 1
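--- a/manifests/profile/pacemaker/database/mysql_bundle.pp
+++ b/manifests/profile/pacemaker/database/mysql_bundle.pp
@@ -118,6 +118,9 @@
 #   (optional) Container backend to use when creating the bundle
 #   Defaults to 'docker'
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
 class tripleo::profile::pacemaker::database::mysql_bundle (
   $mysql_docker_image             = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef),
@@ -138,6 +141,7 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
   $ipv6                           = str2bool(hiera('mysql_ipv6', false)),
   $mysql_server_options           = hiera('tripleo::profile::base::database::mysql::mysql_server_options', {}),
   $container_backend              = 'docker',
+  $tls_priorities                 = hiera('tripleo::pacemaker::tls_priorities', undef),
   $pcs_tries                      = hiera('pcs_tries', 20),
   $step                           = Integer(hiera('step')),
 ) {
@@ -402,6 +406,11 @@ MYSQL_HOST=localhost\n",
       } else {
         $storage_maps_tls = {}
       }
+      if $tls_priorities != undef {
+        $tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
+      } else {
+        $tls_priorities_real = ''
+      }
 
       pacemaker::resource::bundle { 'galera-bundle':
         image             => $mysql_docker_image,
@@ -413,7 +422,7 @@ MYSQL_HOST=localhost\n",
           expression         => ['galera-role eq true'],
         },
         container_options => 'network=host',
-        options           => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
+        options           => "--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
         run_command       => '/bin/bash /usr/local/bin/kolla_start',
         network           => "control-port=${control_port}",
         storage_maps      => merge($storage_maps, $storage_maps_tls),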

+ 10
- 1
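--- a/manifests/profile/pacemaker/database/redis_bundle.pp
+++ b/manifests/profile/pacemaker/database/redis_bundle.pp
@@ -95,6 +95,9 @@
 #   (optional) Container backend to use when creating the bundle
 #   Defaults to 'docker'
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
 class tripleo::profile::pacemaker::database::redis_bundle (
   $certificate_specs         = hiera('redis_certificate_specs', {}),
@@ -112,6 +115,7 @@ class tripleo::profile::pacemaker::database::redis_bundle (
   $tls_proxy_bind_ip         = undef,
   $tls_proxy_fqdn            = undef,
   $tls_proxy_port            = 6379,
+  $tls_priorities            = hiera('tripleo::pacemaker::tls_priorities', undef),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $pacemaker_master = true
@@ -313,6 +317,11 @@ slave-announce-port ${local_tuple[0][2]}
       } else {
         $storage_maps_tls = {}
       }
+      if $tls_priorities != undef {
+        $tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
+      } else {
+        $tls_priorities_real = ''
+      }
 
       pacemaker::resource::bundle { 'redis-bundle':
         image             => $redis_docker_image,
@@ -324,7 +333,7 @@ slave-announce-port ${local_tuple[0][2]}
           expression         => ['redis-role eq true'],
         },
         container_options => 'network=host',
-        options           => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
+        options           => "--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
         run_command       => '/bin/bash /usr/local/bin/kolla_start',
         network           => "control-port=${redis_docker_control_port}",
         storage_maps      => merge($storage_maps, $storage_maps_tls),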

+ 12
- 1
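--- a/manifests/profile/pacemaker/haproxy_bundle.pp
+++ b/manifests/profile/pacemaker/haproxy_bundle.pp
@@ -71,6 +71,10 @@
 #   (optional) Container backend to use when creating the bundle
 #   Defaults to 'docker'
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -93,6 +97,7 @@ class tripleo::profile::pacemaker::haproxy_bundle (
   $meta_params              = '',
   $op_params                = '',
   $container_backend        = 'docker',
+  $tls_priorities           = hiera('tripleo::pacemaker::tls_priorities', undef),
   $step                     = Integer(hiera('step')),
   $pcs_tries                = hiera('pcs_tries', 20),
 ) {
@@ -239,12 +244,18 @@ class tripleo::profile::pacemaker::haproxy_bundle (
         $storage_maps_internal_tls = {}
       }
 
+      if $tls_priorities != undef {
+        $tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
+      } else {
+        $tls_priorities_real = ''
+      }
+
       pacemaker::resource::bundle { 'haproxy-bundle':
         image             => $haproxy_docker_image,
         replicas          => $haproxy_nodes_count,
         location_rule     => $haproxy_location_rule,
         container_options => 'network=host',
-        options           => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
+        options           => "--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
         run_command       => '/bin/bash /usr/local/bin/kolla_start',
         storage_maps      => merge($storage_maps, $cert_storage_maps, $storage_maps_internal_tls),
         container_backend => $container_backend,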

+ 10
- 1
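--- a/manifests/profile/pacemaker/manila/share_bundle.pp
+++ b/manifests/profile/pacemaker/manila/share_bundle.pp
@@ -51,6 +51,9 @@
 #   (optional) Container backend to use when creating the bundle
 #   Defaults to 'docker'
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
 class tripleo::profile::pacemaker::manila::share_bundle (
   $bootstrap_node             = hiera('manila_share_short_bootstrap_node_name'),
@@ -59,6 +62,7 @@ class tripleo::profile::pacemaker::manila::share_bundle (
   $docker_environment         = ['KOLLA_CONFIG_STRATEGY=COPY_ALWAYS'],
   $ceph_nfs_enabled           = hiera('ceph_nfs_enabled', false),
   $container_backend          = 'docker',
+  $tls_priorities             = hiera('tripleo::pacemaker::tls_priorities', undef),
   $pcs_tries                  = hiera('pcs_tries', 20),
   $step                       = Integer(hiera('step')),
 ) {
@@ -200,6 +204,11 @@ class tripleo::profile::pacemaker::manila::share_bundle (
       $docker_env_arr = delete(any2array($docker_environment), '').flatten()
       $docker_env = join($docker_env_arr.map |$var| { "-e ${var}" }, ' ')
 
+      if $tls_priorities != undef {
+        $tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
+      } else {
+        $tls_priorities_real = ''
+      }
       pacemaker::resource::bundle { $::manila::params::share_service:
         image             => $manila_share_docker_image,
         replicas          => 1,
@@ -209,7 +218,7 @@ class tripleo::profile::pacemaker::manila::share_bundle (
           expression         => ['manila-share-role eq true'],
         },
         container_options => 'network=host',
-        options           => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}",
+        options           => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}${tls_priorities_real}",
         run_command       => '/bin/bash /usr/local/bin/kolla_start',
         storage_maps      => $storage_maps,
         container_backend => $container_backend,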

+ 11
- 1
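--- a/manifests/profile/pacemaker/ovn_dbs_bundle.pp
+++ b/manifests/profile/pacemaker/ovn_dbs_bundle.pp
@@ -56,6 +56,10 @@
 #   (optional) Container backend to use when creating the bundle
 #   Defaults to 'docker'
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
+#
 
 class tripleo::profile::pacemaker::ovn_dbs_bundle (
   $ovn_dbs_docker_image = hiera('tripleo::profile::pacemaker::ovn_dbs_bundle::ovn_dbs_docker_image', undef),
@@ -67,6 +71,7 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
   $nb_db_port           = 6641,
   $sb_db_port           = 6642,
   $container_backend    = 'docker',
+  $tls_priorities       = hiera('tripleo::pacemaker::tls_priorities', undef),
 ) {
 
   if $::hostname == downcase($bootstrap_node) {
@@ -99,6 +104,11 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
         score              => 0,
         expression         => ['ovn-dbs-role eq true'],
       }
+      if $tls_priorities != undef {
+        $tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
+      } else {
+        $tls_priorities_real = ''
+      }
 
       pacemaker::resource::bundle { 'ovn-dbs-bundle':
         image             => $ovn_dbs_docker_image,
@@ -106,7 +116,7 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
         masters           => 1,
         location_rule     => $ovn_dbs_location_rule,
         container_options => 'network=host',
-        options           => '--log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
+        options           => "--log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
         run_command       => '/bin/bash /usr/local/bin/kolla_start',
         network           => "control-port=${ovn_dbs_control_port}",
         storage_maps      => {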

+ 11
- 1
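--- a/manifests/profile/pacemaker/rabbitmq_bundle.pp
+++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp
@@ -83,6 +83,10 @@
 #   (optional) Container backend to use when creating the bundle
 #   Defaults to 'docker'
 #
+# [*tls_priorities*]
+#   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
+#   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
+#
 class tripleo::profile::pacemaker::rabbitmq_bundle (
   $rabbitmq_docker_image        = hiera('tripleo::profile::pacemaker::rabbitmq_bundle::rabbitmq_docker_image', undef),
   $rabbitmq_docker_control_port = hiera('tripleo::profile::pacemaker::rabbitmq_bundle::control_port', '3122'),
@@ -101,6 +105,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
   $pcs_tries                    = hiera('pcs_tries', 20),
   $step                         = Integer(hiera('step')),
   $container_backend            = 'docker',
+  $tls_priorities               = hiera('tripleo::pacemaker::tls_priorities', undef),
 ) {
   # is this an additional nova cell?
   if hiera('nova_is_additional_cell', undef) {
@@ -248,6 +253,11 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
       } else {
         $storage_maps_tls = {}
       }
+      if $tls_priorities != undef {
+        $tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
+      } else {
+        $tls_priorities_real = ''
+      }
 
       pacemaker::resource::bundle { 'rabbitmq-bundle':
         image             => $rabbitmq_docker_image,
@@ -259,7 +269,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
         },
         container_options => 'network=host',
         # lint:ignore:140chars
-        options           => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS -e LANG=en_US.UTF-8 -e LC_ALL=en_US.UTF-8',
+        options           => "--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS -e LANG=en_US.UTF-8 -e LC_ALL=en_US.UTF-8${tls_priorities_real}",
         # lint:endignore
         run_command       => '/bin/bash /usr/local/bin/kolla_start',
         network           => "control-port=${rabbitmq_docker_control_port}",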
