Initial support for tls_priorities

We add initial support for being able to specify tls priorities in
pacemaker. For bundles this will happen via an env variable because
pacemaker_remote is started normally as a process and there is no
sourcing of /etc/sysconfig/pacemaker.

Tested on both queens and stein, via a deploy and a redeploy against
an existing cloud. Observed that:
A) We got PCMK_tls_priorities inside /etc/sysconfig/pacemaker with the
value that was passed in THT
B) Containers had the following env variable set:
  "PCMK_tls_priorities=normal",

The '-e' addition is a noop in case the PCMK_tls_priorities is unset
so that we do not change the signature of the resources and hence do
not needlessly restart the HA resource.

NB: cherry-pick needed manual adjustment due to missing context (i.e.
    we're not backporting podman support in rocky and queens)

Depends-On: I1971810f6a90f244ed5ced972a5fe7fde29dde86
Change-Id: I703b5a429f48063474aace85bc45d948f5c91435
(cherry picked from commit f1a593b642)
(cherry picked from commit dbae850692)
(cherry picked from commit 6aae98b3f1)
Michele Baldessari 2019-07-10 22:25:07 +02:00
parent a341443018
commit f13e634249
10 changed files with 100 additions and 9 deletions


@ -71,6 +71,11 @@
# (Optional) Boolean driving the Instance HA controlplane configuration
# Defaults to false
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
class tripleo::profile::base::pacemaker (
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
@ -84,6 +89,7 @@ class tripleo::profile::base::pacemaker (
$cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef),
$encryption = true,
$enable_instanceha = hiera('tripleo::instanceha', false),
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
) {
if count($remote_short_node_names) != count($remote_node_ips) {
@ -131,6 +137,7 @@ class tripleo::profile::base::pacemaker (
setup_cluster => $pacemaker_master,
cluster_setup_extras => $cluster_setup_extras,
remote_authkey => $remote_authkey,
tls_priorities => $tls_priorities,
}
if str2bool(hiera('docker_enabled', false)) {
include ::systemd::systemctl::daemon_reload
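Review bot: The new `$tls_priorities` parameter in the second hunk is untyped, while every consumer visible on this page (the sysconfig file named in the header comment, and the container `options` strings in the bundle profiles below) treats it as a non-empty string. Declaring it as `Optional[String[1]] $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),` rejects an empty value at catalog compile time instead of presumably letting `::pacemaker` write a bare `PCMK_tls_priorities=` into /etc/sysconfig/pacemaker; the `tripleo::profile::base::pacemaker_remote` parameter in the next file section should get the same type. The body of `tripleo::profile::base::pacemaker` continues outside the hunks shown.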


@ -30,6 +30,10 @@
# (Optional) Whether or not to manage stonith devices for nodes
# Defaults to hiera('enable_fencing', false)
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@ -39,10 +43,12 @@ class tripleo::profile::base::pacemaker_remote (
$remote_authkey,
$pcs_tries = hiera('pcs_tries', 20),
$enable_fencing = hiera('enable_fencing', false),
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
$step = Integer(hiera('step')),
) {
class { '::pacemaker::remote':
remote_authkey => $remote_authkey,
tls_priorities => $tls_priorities,
}
if str2bool(hiera('docker_enabled', false)) {
include ::systemd::systemctl::daemon_reload


@ -43,12 +43,16 @@
# for more details.
# Defaults to hiera('step')
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
class tripleo::profile::pacemaker::cinder::backup_bundle (
$bootstrap_node = hiera('cinder_backup_short_bootstrap_node_name'),
$cinder_backup_docker_image = hiera('tripleo::profile::pacemaker::cinder::backup_bundle::cinder_backup_docker_image', undef),
$docker_volumes = [],
$docker_environment = ['KOLLA_CONFIG_STRATEGY=COPY_ALWAYS'],
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
$pcs_tries = hiera('pcs_tries', 20),
$step = Integer(hiera('step')),
) {
@ -170,6 +174,11 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
$docker_env_arr = delete(any2array($docker_environment), '').flatten()
$docker_env = join($docker_env_arr.map |$var| { "-e ${var}" }, ' ')
if $tls_priorities != undef {
$tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
} else {
$tls_priorities_real = ''
}
pacemaker::resource::bundle { $::cinder::params::backup_service :
image => $cinder_backup_docker_image,
@ -180,7 +189,7 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
expression => ['cinder-backup-role eq true'],
},
container_options => 'network=host',
options => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}",
options => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}${tls_priorities_real}",
run_command => '/bin/bash /usr/local/bin/kolla_start',
storage_maps => $storage_maps,
}
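Review bot: The `-e PCMK_tls_priorities=${tls_priorities}` fragment in the second hunk interpolates the hiera value unquoted into the `options` command-line string, so a value containing whitespace or shell metacharacters would presumably be split into extra container arguments or alter the bundle creation command; since priority strings are drawn from a small character set (letters, digits and a few punctuation characters such as `:`, `+`, `-`, `!`, `%`), a pattern-typed parameter is a cheap guard, e.g. `Optional[Pattern[/\A[A-Za-z0-9:+\-!%.@]+\z/]] $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),` (confirm the allowed set against the priority-string syntax actually accepted). Note also that `!= undef` is true for an empty string, so `''` from hiera yields `-e PCMK_tls_priorities=` rather than the noop the commit message describes. The header comment in the first hunk says the value is set in /etc/sysconfig/pacemaker, but in this and the other bundle profiles it is passed as a container environment variable, as the commit message explains; `# (optional) Passed to the bundle container as the PCMK_tls_priorities environment variable` would be accurate. The same five-line `if/else`, the same header wording and the same untyped parameter are repeated in the volume_bundle, mysql_bundle, redis_bundle, haproxy_bundle, share_bundle, ovn_dbs_bundle and rabbitmq_bundle sections below (volume_bundle and share_bundle also gain a duplicated `#` separator line), so one shared fix covers all of them.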


@ -43,6 +43,10 @@
# for more details.
# Defaults to hiera('step')
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
#
class tripleo::profile::pacemaker::cinder::volume_bundle (
$bootstrap_node = hiera('cinder_volume_short_bootstrap_node_name'),
@ -51,6 +55,7 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
$docker_environment = ['KOLLA_CONFIG_STRATEGY=COPY_ALWAYS'],
$pcs_tries = hiera('pcs_tries', 20),
$step = Integer(hiera('step')),
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
) {
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
@ -170,6 +175,11 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
$docker_env_arr = delete(any2array($docker_environment), '').flatten()
$docker_env = join($docker_env_arr.map |$var| { "-e ${var}" }, ' ')
if $tls_priorities != undef {
$tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
} else {
$tls_priorities_real = ''
}
pacemaker::resource::bundle { $::cinder::params::volume_service:
image => $cinder_volume_docker_image,
@ -180,7 +190,7 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
expression => ['cinder-volume-role eq true'],
},
container_options => 'network=host',
options => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}",
options => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}${tls_priorities_real}",
run_command => '/bin/bash /usr/local/bin/kolla_start',
storage_maps => $storage_maps,
}


@ -114,6 +114,9 @@
# for more details.
# Defaults to hiera('step')
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
class tripleo::profile::pacemaker::database::mysql_bundle (
$mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef),
@ -133,6 +136,7 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
$sst_tls_options = undef,
$ipv6 = str2bool(hiera('mysql_ipv6', false)),
$mysql_server_options = hiera('tripleo::profile::base::database::mysql::mysql_server_options', {}),
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
$pcs_tries = hiera('pcs_tries', 20),
$step = Integer(hiera('step')),
) {
@ -384,6 +388,11 @@ MYSQL_HOST=localhost\n",
} else {
$storage_maps_tls = {}
}
if $tls_priorities != undef {
$tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
} else {
$tls_priorities_real = ''
}
pacemaker::resource::bundle { 'galera-bundle':
image => $mysql_docker_image,
@ -395,7 +404,7 @@ MYSQL_HOST=localhost\n",
expression => ['galera-role eq true'],
},
container_options => 'network=host',
options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
options => "--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
run_command => '/bin/bash /usr/local/bin/kolla_start',
network => "control-port=${control_port}",
storage_maps => merge($storage_maps, $storage_maps_tls),


@ -91,6 +91,9 @@
# enable_internal_tls is set.
# defaults to 6379
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
class tripleo::profile::pacemaker::database::redis_bundle (
$certificate_specs = hiera('redis_certificate_specs', {}),
@ -107,6 +110,7 @@ class tripleo::profile::pacemaker::database::redis_bundle (
$tls_proxy_bind_ip = undef,
$tls_proxy_fqdn = undef,
$tls_proxy_port = 6379,
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
) {
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
@ -303,6 +307,11 @@ slave-announce-port ${local_tuple[0][2]}
} else {
$storage_maps_tls = {}
}
if $tls_priorities != undef {
$tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
} else {
$tls_priorities_real = ''
}
pacemaker::resource::bundle { 'redis-bundle':
image => $redis_docker_image,
@ -314,7 +323,7 @@ slave-announce-port ${local_tuple[0][2]}
expression => ['redis-role eq true'],
},
container_options => 'network=host',
options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
options => "--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
run_command => '/bin/bash /usr/local/bin/kolla_start',
network => "control-port=${redis_docker_control_port}",
storage_maps => merge($storage_maps, $storage_maps_tls),


@ -67,6 +67,10 @@
# (optional) Additional op parameters to pass to "pcs resource create" for the VIP
# Defaults to ''
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@ -88,6 +92,7 @@ class tripleo::profile::pacemaker::haproxy_bundle (
$deployed_ssl_cert_path = hiera('tripleo::haproxy::service_certificate', undef),
$meta_params = '',
$op_params = '',
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
) {
@ -235,12 +240,18 @@ class tripleo::profile::pacemaker::haproxy_bundle (
$storage_maps_internal_tls = {}
}
if $tls_priorities != undef {
$tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
} else {
$tls_priorities_real = ''
}
pacemaker::resource::bundle { 'haproxy-bundle':
image => $haproxy_docker_image,
replicas => $haproxy_nodes_count,
location_rule => $haproxy_location_rule,
container_options => 'network=host',
options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
options => "--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
run_command => '/bin/bash /usr/local/bin/kolla_start',
storage_maps => merge($storage_maps, $cert_storage_maps, $storage_maps_internal_tls),
}


@ -47,6 +47,10 @@
# for more details.
# Defaults to hiera('step')
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
#
class tripleo::profile::pacemaker::manila::share_bundle (
$bootstrap_node = hiera('manila_share_short_bootstrap_node_name'),
@ -54,6 +58,7 @@ class tripleo::profile::pacemaker::manila::share_bundle (
$docker_volumes = [],
$docker_environment = ['KOLLA_CONFIG_STRATEGY=COPY_ALWAYS'],
$ceph_nfs_enabled = hiera('ceph_nfs_enabled', false),
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
$pcs_tries = hiera('pcs_tries', 20),
$step = Integer(hiera('step')),
) {
@ -195,6 +200,11 @@ class tripleo::profile::pacemaker::manila::share_bundle (
$docker_env_arr = delete(any2array($docker_environment), '').flatten()
$docker_env = join($docker_env_arr.map |$var| { "-e ${var}" }, ' ')
if $tls_priorities != undef {
$tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
} else {
$tls_priorities_real = ''
}
pacemaker::resource::bundle { $::manila::params::share_service:
image => $manila_share_docker_image,
replicas => 1,
@ -204,7 +214,7 @@ class tripleo::profile::pacemaker::manila::share_bundle (
expression => ['manila-share-role eq true'],
},
container_options => 'network=host',
options => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}",
options => "--ipc=host --privileged=true --user=root --log-driver=journald ${docker_env}${tls_priorities_real}",
run_command => '/bin/bash /usr/local/bin/kolla_start',
storage_maps => $storage_maps,
}


@ -52,6 +52,10 @@
# The TCP port in which the OVN Southbound DB listens to.
# Defaults to 6642
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
class tripleo::profile::pacemaker::ovn_dbs_bundle (
$ovn_dbs_docker_image = hiera('tripleo::profile::pacemaker::ovn_dbs_bundle::ovn_dbs_docker_image', undef),
@ -61,7 +65,8 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
$pcs_tries = hiera('pcs_tries', 20),
$ovn_dbs_vip = hiera('ovn_dbs_vip'),
$nb_db_port = 6641,
$sb_db_port = 6642
$sb_db_port = 6642,
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
) {
if $::hostname == downcase($bootstrap_node) {
@ -100,6 +105,11 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
score => 0,
expression => ['ovn-dbs-role eq true'],
}
if $tls_priorities != undef {
$tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
} else {
$tls_priorities_real = ''
}
pacemaker::resource::bundle { 'ovn-dbs-bundle':
image => $ovn_dbs_docker_image,
@ -107,7 +117,7 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
masters => 1,
location_rule => $ovn_dbs_location_rule,
container_options => 'network=host',
options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
options => "--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
run_command => '/bin/bash /usr/local/bin/kolla_start',
network => "control-port=${ovn_dbs_control_port}",
storage_maps => {


@ -61,6 +61,10 @@
# (Optional) The number of times pcs commands should be retried.
# Defaults to hiera('pcs_tries', 20)
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
#
class tripleo::profile::pacemaker::rabbitmq_bundle (
$rabbitmq_docker_image = hiera('tripleo::profile::pacemaker::rabbitmq_bundle::rabbitmq_docker_image', undef),
$rabbitmq_docker_control_port = hiera('tripleo::profile::pacemaker::rabbitmq_bundle::control_port', '3122'),
@ -72,6 +76,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
$rabbitmq_extra_policies = hiera('rabbitmq_extra_policies', {'ha-promote-on-shutdown' => 'always'}),
$pcs_tries = hiera('pcs_tries', 20),
$step = Integer(hiera('step')),
$tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
) {
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
@ -201,6 +206,11 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
} else {
$storage_maps_tls = {}
}
if $tls_priorities != undef {
$tls_priorities_real = " -e PCMK_tls_priorities=${tls_priorities}"
} else {
$tls_priorities_real = ''
}
pacemaker::resource::bundle { 'rabbitmq-bundle':
image => $rabbitmq_docker_image,
@ -211,7 +221,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
expression => ['rabbitmq-role eq true'],
},
container_options => 'network=host',
options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
options => "--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
run_command => '/bin/bash /usr/local/bin/kolla_start',
network => "control-port=${rabbitmq_docker_control_port}",
storage_maps => merge($storage_maps, $storage_maps_tls),