Mv pacemaker and firewall out of controller

This patch moves settings for pacemaker and the tripleo firewall
out of controller.yaml.

Related bug: #1604414

Change-Id: I0164717bfd79cdea3de8eb7a64771028bea201ac
changes/98/361398/13
Dan Prince 6 years ago
parent 7ab48cc832
commit 827d110a34
  1. 2
      overcloud.yaml
  2. 75
      puppet/controller.yaml
  3. 57
      puppet/services/pacemaker.yaml
  4. 11
      puppet/services/tripleo-firewall.yaml

@ -440,9 +440,7 @@ resources:
properties:
CloudDomain: {get_param: CloudDomain}
controllerExtraConfig: {get_param: controllerExtraConfig}
PcsdPassword: {get_resource: PcsdPassword}
RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]}
ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map]}
EndpointMap: {get_attr: [EndpointMap, endpoint_map]}
Hostname:

@ -23,18 +23,10 @@ parameters:
...
}
type: json
CorosyncIPv6:
default: false
description: Enable IPv6 in Corosync
type: boolean
Debug:
default: ''
description: Set to True to enable debugging on all services.
type: string
EnableFencing:
default: false
description: Whether to enable fencing in Pacemaker or not.
type: boolean
EnableLoadBalancer:
default: true
description: Whether to deploy a LoadBalancer on the Controller
@ -45,38 +37,6 @@ parameters:
Additional hieradata to inject into the cluster, note that
ControllerExtraConfig takes precedence over ExtraConfig.
type: json
FencingConfig:
default: {}
description: |
Pacemaker fencing configuration. The JSON should have
the following structure:
{
"devices": [
{
"agent": "AGENT_NAME",
"host_mac": "HOST_MAC_ADDRESS",
"params": {"PARAM_NAME": "PARAM_VALUE"}
}
]
}
For instance:
{
"devices": [
{
"agent": "fence_xvm",
"host_mac": "52:54:00:aa:bb:cc",
"params": {
"multicast_address": "225.0.0.12",
"port": "baremetal_0",
"manage_fw": true,
"manage_key_file": true,
"key_file": "/etc/fence_xvm.key",
"key_file_password": "abcdef"
}
}
]
}
type: json
OvercloudControlFlavor:
description: Flavor for control nodes to request when deploying.
default: baremetal
@ -98,33 +58,13 @@ parameters:
type: string
constraints:
- custom_constraint: nova.keypair
ManageFirewall:
default: false
description: Whether to manage IPtables rules.
type: boolean
PurgeFirewallRules:
default: false
description: Whether IPtables rules should be purged before setting up the new ones.
type: boolean
NeutronPublicInterface:
default: nic1
description: What interface to bridge onto br-ex for network nodes.
type: string
PcsdPassword:
type: string
description: The password for the 'pcsd' user.
hidden: true
RedisPassword:
description: The password for Redis
type: string
hidden: true
RedisVirtualIP:
type: string
default: '' # Has to be here because of the ignored empty value bug
RedisVirtualIPUri:
type: string
default: '' # Has to be here because of the ignored empty value bug
description: An IP address which is wrapped in brackets in case of IPv6
SwiftRawDisks:
default: {}
description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
@ -358,17 +298,9 @@ resources:
server: {get_resource: Controller}
input_values:
bootstack_nodeid: {get_attr: [Controller, name]}
debug: {get_param: Debug}
enable_fencing: {get_param: EnableFencing}
enable_load_balancer: {get_param: EnableLoadBalancer}
manage_firewall: {get_param: ManageFirewall}
purge_firewall_rules: {get_param: PurgeFirewallRules}
corosync_ipv6: {get_param: CorosyncIPv6}
fencing_config: {get_param: FencingConfig}
pcsd_password: {get_param: PcsdPassword}
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
redis_vip: {get_param: RedisVirtualIP}
ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]}
# Map heat metadata into hiera datafiles
ControllerConfig:
@ -421,17 +353,10 @@ resources:
bootstack_nodeid: {get_input: bootstack_nodeid}
# Pacemaker
enable_fencing: {get_input: enable_fencing}
enable_load_balancer: {get_input: enable_load_balancer}
hacluster_pwd: {get_input: pcsd_password}
corosync_ipv6: {get_input: corosync_ipv6}
tripleo::fencing::config: {get_input: fencing_config}
# Redis
redis_vip: {get_input: redis_vip}
# Firewall
tripleo::firewall::manage_firewall: {get_input: manage_firewall}
tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
# Misc
tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}

@ -1,4 +1,4 @@
heat_template_version: 2016-04-08
heat_template_version: 2016-10-14
description: >
Pacemaker service configured with Puppet
@ -21,6 +21,51 @@ parameters:
MonitoringSubscriptionPacemaker:
default: 'overcloud-pacemaker'
type: string
CorosyncIPv6:
default: false
description: Enable IPv6 in Corosync
type: boolean
EnableFencing:
default: false
description: Whether to enable fencing in Pacemaker or not.
type: boolean
PcsdPassword:
type: string
description: The password for the 'pcsd' user for pacemaker.
hidden: true
default: ''
FencingConfig:
default: {}
description: |
Pacemaker fencing configuration. The JSON should have
the following structure:
{
"devices": [
{
"agent": "AGENT_NAME",
"host_mac": "HOST_MAC_ADDRESS",
"params": {"PARAM_NAME": "PARAM_VALUE"}
}
]
}
For instance:
{
"devices": [
{
"agent": "fence_xvm",
"host_mac": "52:54:00:aa:bb:cc",
"params": {
"multicast_address": "225.0.0.12",
"port": "baremetal_0",
"manage_fw": true,
"manage_key_file": true,
"key_file": "/etc/fence_xvm.key",
"key_file_password": "abcdef"
}
}
]
}
type: json
outputs:
role_data:
@ -44,5 +89,15 @@ outputs:
'131 pacemaker udp':
proto: 'udp'
dport: 5405
corosync_ipv6: {get_param: CorosyncIPv6}
tripleo::fencing::config: {get_param: FencingConfig}
enable_fencing: {get_param: EnableFencing}
hacluster_pwd:
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: PcsdPassword}
- {get_param: [DefaultPasswords, pcsd_password]}
step_config: |
include ::tripleo::profile::base::pacemaker

@ -18,11 +18,22 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ManageFirewall:
default: false
description: Whether to manage IPtables rules.
type: boolean
PurgeFirewallRules:
default: false
description: Whether IPtables rules should be purged before setting up the new ones.
type: boolean
outputs:
role_data:
description: Role data for the TripleO firewall settings
value:
service_name: tripleo_firewall
config_settings:
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
step_config: |
include ::tripleo::firewall

Loading…
Cancel
Save