RETIRED, Lightweight composition layer for Puppet TripleO
Michele Baldessari 4db9d1531a Enforce firewall rules before pacemaker-auth
We want to make sure that any firewall rule set to open pacemaker ports
is executed before we run any commands that invoke pcs to
authenticate remote nodes.

It simply makes sense from a high-level POV to explicitly open
up firewall rules before we invoke pcs commands that will talk to
remote nodes.

I have actually seen one case in the wild where during a scaleup
the node being scaled up was waiting on Exec['wait-for-settle']
and the bootstrap node failed to contact pcs on the scaled up node
because there the firewall rules were never opened up as it was
waiting on the 'wait-for-settle' step.

Note that we *cannot* impose the ordering via a too-generic
Firewall<||> collector because in tripleo::firewall we have

    Service<||> -> Class['tripleo::firewall::post']

and we would create a circular dependency.

Tested a queens deploy with this change and we are correctly
guaranteed to open up firewalling before invoking pcs:
Mar 05 16:22:51 controller-0. puppet-user[18840]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[swift_storage]/Tripleo::Firewall::Rule[123 swift storage]/Firewall[123 swift storage ipv4]/ensure) created
Mar 05 16:22:52 controller-0. puppet-user[18840]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[swift_storage]/Tripleo::Firewall::Rule[123 swift storage]/Firewall[123 swift storage ipv6]/ensure) created
Mar 05 16:22:52 controller-0. puppet-user[18840]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[tripleo_firewall]/Tripleo::Firewall::Rule[003 accept ssh from any]/Firewall[003 accept ssh from any ipv4]/ensure) created
Mar 05 16:22:52 controller-0. puppet-user[18840]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[tripleo_firewall]/Tripleo::Firewall::Rule[003 accept ssh from any]/Firewall[003 accept ssh from any ipv6]/ensure) created
Mar 05 16:22:52 controller-0. puppet-user[18840]: (Exec[reauthenticate-across-all-nodes](provider=posix)) Executing '/sbin/pcs cluster auth controller-0 controller-1 controller-2 database-0 database-1 database-2 messaging-0 messaging-1 messaging-2 -u hacluster -p foobar --force'
Mar 05 16:22:52 controller-0. puppet-user[18840]: Executing: '/sbin/pcs cluster auth controller-0 controller-1 controller-2 database-0 database-1 database-2 messaging-0 messaging-1 messaging-2 -u hacluster -p AQtEeE6e3FDEqrfm --force'
Mar 05 16:22:55 controller-0. puppet-user[18840]: (Exec[Create Cluster tripleo_cluster](provider=posix)) Executing '/sbin/pcs cluster setup --wait --name tripleo_cluster controller-0 controller-1 controller-2 database-0 database-1 database-2 messaging-0 messaging-1 messaging-2 --token 10000 --encryption 1'
Mar 05 16:22:55 controller-0. puppet-user[18840]: Executing: '/sbin/pcs cluster setup --wait --name tripleo_cluster controller-0 controller-1 controller-2 database-0 database-1 database-2 messaging-0 messaging-1 messaging-2 --token 10000 --encryption 1'
Mar 05 16:23:20 controller-0. puppet-user[18840]: (Exec[Start Cluster tripleo_cluster](provider=posix)) Executing check '/sbin/pcs status >/dev/null 2>&1'
Mar 05 16:23:20 controller-0. puppet-user[18840]: Executing: '/sbin/pcs status >/dev/null 2>&1'
Mar 05 16:23:21 controller-0. puppet-user[18840]: (Exec[Start Cluster tripleo_cluster](provider=posix)) Executing '/sbin/pcs cluster start --all'
Mar 05 16:23:21 controller-0. puppet-user[18840]: Executing: '/sbin/pcs cluster start --all'

Change-Id: I775ad1abf87368d013054e9a5dab22931f21f86c
Closes-Bug: #1866209
(cherry picked from commit 88e119d747)
2020-03-07 14:10:31 +00:00
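The ordering the commit describes, shown as an added Puppet example rather than puppet-tripleo's own manifest: a tag-scoped collector chains only the pacemaker firewall rules before the pcs auth Exec, instead of the global Firewall<||> collector the commit message rules out. The class name, the tag, the port list and the parameters are assumptions; only the Exec title and the pcs command shape come from the commit.

```puppet
# Added example, not puppet-tripleo's own manifest. The tag name, the
# class/parameter names and the port list are assumptions used to
# illustrate the ordering; only the Exec title comes from the commit.
class pacemaker_firewall_order (
  Array[String] $cluster_nodes = ['controller-0', 'controller-1', 'controller-2'],
  String        $hacluster_pw  = 'REPLACE_ME',   # placeholder, source it from hiera/secrets
) {
  # Rules that open the pacemaker/corosync ports. Both carry a tag so a
  # collector can select exactly these rules and nothing else.
  tripleo::firewall::rule { '130 pacemaker tcp':
    proto => 'tcp',
    dport => [2224, 3121],
    tag   => 'pacemaker-firewall',
  }
  tripleo::firewall::rule { '131 corosync udp':
    proto => 'udp',
    dport => [5405],
    tag   => 'pacemaker-firewall',
  }

  $nodes = join($cluster_nodes, ' ')
  exec { 'reauthenticate-across-all-nodes':
    command => "/sbin/pcs cluster auth ${nodes} -u hacluster -p ${hacluster_pw} --force",
    path    => ['/sbin', '/bin', '/usr/sbin', '/usr/bin'],
    # unless/onlyif guards omitted for brevity
  }

  # Scoped ordering: tags propagate from a defined type to the Firewall
  # resources it creates (Firewall['130 pacemaker tcp ipv4'] and so on), so
  # this collector orders exactly those rules before the pcs auth.
  # A bare `Firewall<||> -> Exec[...]` would also collect the rules in
  # tripleo::firewall::post, which the module already orders after every
  # Service via `Service<||> -> Class['tripleo::firewall::post']`; the
  # commit message notes that this would create a circular dependency.
  Firewall<| tag == 'pacemaker-firewall' |> -> Exec['reauthenticate-across-all-nodes']
}
```

After a catalog compile, the scoped edge can be confirmed with `puppet apply --graph` and a look at the relationships graph, where the Exec should depend on the tagged Firewall resources but not on tripleo::firewall::post.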
doc Follow the new PTI for document build 2018-02-28 14:42:12 +08:00
files Add certmonger-grafana-refresh script 2019-08-20 08:23:58 +02:00
lib Explicitly convert stonith_level fact to int 2019-11-28 20:36:26 +00:00
manifests Enforce firewall rules before pacemaker-auth 2020-03-07 14:10:31 +00:00
releasenotes Add support for glance multistore 2020-02-27 06:00:27 -08:00
spec Merge "Enable sudo rule creation" into stable/train 2020-03-02 20:57:02 +00:00
templates Remove neutron wrappers 2020-02-10 17:16:38 -05:00
zuul.d remove tripleo-ci-centos-7-scenario010-multinode-oooq-container 2019-10-02 20:27:50 -06:00
.gitignore Dissuade .gitignore references to personal tools 2018-10-08 11:47:08 +08:00
.gitreview Update .gitreview for stable/train 2019-10-21 14:18:55 +00:00
.sync.yml Initial msync run for all Puppet OpenStack modules 2015-08-18 14:30:54 +02:00
Gemfile Load puppet-openstack_spec_helper locally during tests 2018-02-12 10:53:40 +08:00
LICENSE Add basic structure for a Puppet module 2015-02-02 11:39:21 -05:00
Puppetfile_extras Updating pinned versions 2019-12-10 09:02:09 -07:00
README.md Add release note link in README 2018-06-27 22:47:34 +08:00
Rakefile Composable HA 2017-01-25 19:32:31 +00:00
bindep.txt Add Puppet package to bindep, for module build 2017-10-27 13:50:15 -07:00
metadata.json bump metadata for new train version 2019-12-19 11:03:47 -07:00
setup.cfg Force to use markdown to prevent pypi issue 2019-07-01 20:45:00 +02:00
setup.py chmod +x setup.py 2017-10-06 12:28:56 -07:00
tox.ini Update TOX/UPPER_CONSTRAINTS_FILE for stable/train 2019-10-21 14:19:02 +00:00

README.md

Team and repository tags

puppet-tripleo

Lightweight composition layer for Puppet TripleO.

Contributing