From 827d110a34c611956620cddddeab51dedb4f63e6 Mon Sep 17 00:00:00 2001
From: Dan Prince
Date: Fri, 26 Aug 2016 13:48:39 -0400
Subject: [PATCH] Mv pacemaker and firewall out of controller

This patch moves settings for pacemaker and the tripleo firewall out of controller.yaml.

Related bug: #1604414

Change-Id: I0164717bfd79cdea3de8eb7a64771028bea201ac
---
 overcloud.yaml | 2 -
 puppet/controller.yaml | 75 ---------------------------
 puppet/services/pacemaker.yaml | 57 +++++++++++++++++++-
 puppet/services/tripleo-firewall.yaml | 11 ++++
 4 files changed, 67 insertions(+), 78 deletions(-)
diff --git a/overcloud.yaml b/overcloud.yaml
index a85c57c048..04c6100d83 100644
--- a/overcloud.yaml
+++ b/overcloud.yaml
@@ -440,9 +440,7 @@ resources:
 properties:
 CloudDomain: {get_param: CloudDomain}
 controllerExtraConfig: {get_param: controllerExtraConfig}
- PcsdPassword: {get_resource: PcsdPassword}
 RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
- RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]}
 ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map]}
 EndpointMap: {get_attr: [EndpointMap, endpoint_map]}
 Hostname:
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index a4f87525de..7650c1e822 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -23,18 +23,10 @@ parameters:
 ... }
 type: json
- CorosyncIPv6:
- default: false
- description: Enable IPv6 in Corosync
- type: boolean
 Debug:
 default: ''
 description: Set to True to enable debugging on all services.
 type: string
- EnableFencing:
- default: false
- description: Whether to enable fencing in Pacemaker or not.
- type: boolean
 EnableLoadBalancer:
 default: true
 description: Whether to deploy a LoadBalancer on the Controller
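Review bot: The removal of `RedisVirtualIPUri` from the Controller resource's properties is outside the scope the commit message gives (pacemaker and firewall settings), so the message should mention it, since operators tracing the Redis URI wiring will otherwise not find this change. The other removed line, `PcsdPassword: {get_resource: PcsdPassword}`, implies a `PcsdPassword` resource still exists in overcloud.yaml that is no longer consumed here; unless it now feeds `DefaultPasswords` (not visible in this patch), it is left orphaned and should either be removed or the message should state what still uses it. The Controller resource definition begins above the hunk.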
@@ -45,38 +37,6 @@ parameters:
 Additional hieradata to inject into the cluster, note that ControllerExtraConfig takes precedence over ExtraConfig.
 type: json
- FencingConfig:
- default: {}
- description: |
- Pacemaker fencing configuration. The JSON should have
- the following structure:
- {
- "devices": [
- {
- "agent": "AGENT_NAME",
- "host_mac": "HOST_MAC_ADDRESS",
- "params": {"PARAM_NAME": "PARAM_VALUE"}
- }
- ]
- }
- For instance:
- {
- "devices": [
- {
- "agent": "fence_xvm",
- "host_mac": "52:54:00:aa:bb:cc",
- "params": {
- "multicast_address": "225.0.0.12",
- "port": "baremetal_0",
- "manage_fw": true,
- "manage_key_file": true,
- "key_file": "/etc/fence_xvm.key",
- "key_file_password": "abcdef"
- }
- }
- ]
- }
- type: json
 OvercloudControlFlavor:
 description: Flavor for control nodes to request when deploying.
 default: baremetal
@@ -98,33 +58,13 @@ parameters:
 type: string
 constraints:
 - custom_constraint: nova.keypair
- ManageFirewall:
- default: false
- description: Whether to manage IPtables rules.
- type: boolean
- PurgeFirewallRules:
- default: false
- description: Whether IPtables rules should be purged before setting up the new ones.
- type: boolean
 NeutronPublicInterface:
 default: nic1
 description: What interface to bridge onto br-ex for network nodes.
 type: string
- PcsdPassword:
- type: string
- description: The password for the 'pcsd' user.
- hidden: true
- RedisPassword:
- description: The password for Redis
- type: string
- hidden: true
 RedisVirtualIP:
 type: string
 default: '' # Has to be here because of the ignored empty value bug
- RedisVirtualIPUri:
- type: string
- default: '' # Has to be here because of the ignored empty value bug
- description: An IP address which is wrapped in brackets in case of IPv6
 SwiftRawDisks:
 default: {}
 description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
@@ -358,17 +298,9 @@ resources:
 server: {get_resource: Controller}
 input_values:
 bootstack_nodeid: {get_attr: [Controller, name]}
- debug: {get_param: Debug}
- enable_fencing: {get_param: EnableFencing}
 enable_load_balancer: {get_param: EnableLoadBalancer}
- manage_firewall: {get_param: ManageFirewall}
- purge_firewall_rules: {get_param: PurgeFirewallRules}
- corosync_ipv6: {get_param: CorosyncIPv6}
- fencing_config: {get_param: FencingConfig}
- pcsd_password: {get_param: PcsdPassword}
 enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
 redis_vip: {get_param: RedisVirtualIP}
- ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]}
 # Map heat metadata into hiera datafiles
 ControllerConfig:
@@ -421,17 +353,10 @@ resources:
 bootstack_nodeid: {get_input: bootstack_nodeid}
 # Pacemaker
- enable_fencing: {get_input: enable_fencing}
 enable_load_balancer: {get_input: enable_load_balancer}
- hacluster_pwd: {get_input: pcsd_password}
- corosync_ipv6: {get_input: corosync_ipv6}
- tripleo::fencing::config: {get_input: fencing_config}
 # Redis
 redis_vip: {get_input: redis_vip}
- # Firewall
- tripleo::firewall::manage_firewall: {get_input: manage_firewall}
- tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
 # Misc
 tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
 tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index 3101676195..5d1d666ac4 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
 description: >
 Pacemaker service configured with Puppet
@@ -21,6 +21,51 @@ parameters:
 MonitoringSubscriptionPacemaker:
 default: 'overcloud-pacemaker'
 type: string
+ CorosyncIPv6:
+ default: false
+ description: Enable IPv6 in Corosync
+ type: boolean
+ EnableFencing:
+ default: false
+ description: Whether to enable fencing in Pacemaker or not.
+ type: boolean
+ PcsdPassword:
+ type: string
+ description: The password for the 'pcsd' user for pacemaker.
+ hidden: true
+ default: ''
+ FencingConfig:
+ default: {}
+ description: |
+ Pacemaker fencing configuration. The JSON should have
+ the following structure:
+ {
+ "devices": [
+ {
+ "agent": "AGENT_NAME",
+ "host_mac": "HOST_MAC_ADDRESS",
+ "params": {"PARAM_NAME": "PARAM_VALUE"}
+ }
+ ]
+ }
+ For instance:
+ {
+ "devices": [
+ {
+ "agent": "fence_xvm",
+ "host_mac": "52:54:00:aa:bb:cc",
+ "params": {
+ "multicast_address": "225.0.0.12",
+ "port": "baremetal_0",
+ "manage_fw": true,
+ "manage_key_file": true,
+ "key_file": "/etc/fence_xvm.key",
+ "key_file_password": "abcdef"
+ }
+ }
+ ]
+ }
+ type: json
 outputs:
 role_data:
@@ -44,5 +89,15 @@ outputs:
 '131 pacemaker udp':
 proto: 'udp'
 dport: 5405
+ corosync_ipv6: {get_param: CorosyncIPv6}
+ tripleo::fencing::config: {get_param: FencingConfig}
+ enable_fencing: {get_param: EnableFencing}
+ hacluster_pwd:
+ yaql:
+ expression: $.data.passwords.where($ != '').first()
+ data:
+ passwords:
+ - {get_param: PcsdPassword}
+ - {get_param: [DefaultPasswords, pcsd_password]}
 step_config: |
 include ::tripleo::profile::base::pacemaker
diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml
index 14965b4fb6..f6ec458f43 100644
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
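Review bot: The new `FencingConfig` parameter is declared without `hidden: true`, yet its own description shows fencing-device credentials (`"key_file_password": "abcdef"` under `params`) being carried in that JSON; as written the whole value, credentials included, is shown in the stack's parameter listing, while `PcsdPassword` a few lines above is correctly hidden. Add `hidden: true` to FencingConfig, matching the treatment of PcsdPassword. The `parameters:` block continues beyond the hunk.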
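Review bot: `hacluster_pwd` reads `{get_param: [DefaultPasswords, pcsd_password]}`, but the parameters hunk above adds no `DefaultPasswords` parameter to pacemaker.yaml; unless it is already declared earlier in the file (outside this patch), validation will fail on an undeclared parameter, so please confirm it is in scope. The yaql expression's intent also deserves a comment, because an empty `PcsdPassword` default silently falls through to the generated value and, if both candidates were empty, `first()` would raise rather than yield an empty string: `# prefer an operator-supplied PcsdPassword; fall back to the generated DefaultPasswords entry`. The `config_settings` mapping starts above the hunk.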
@@ -18,11 +18,22 @@ parameters:
 description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry.
 type: json
+ ManageFirewall:
+ default: false
+ description: Whether to manage IPtables rules.
+ type: boolean
+ PurgeFirewallRules:
+ default: false
+ description: Whether IPtables rules should be purged before setting up the new ones.
+ type: boolean
 outputs:
 role_data:
 description: Role data for the TripleO firewall settings
 value:
 service_name: tripleo_firewall
+ config_settings:
+ tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
+ tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
 step_config: |
 include ::tripleo::firewall
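Review bot: The descriptions of `ManageFirewall` and `PurgeFirewallRules` do not say what the `false` defaults mean for the per-service firewall rules other templates publish (for example the `'131 pacemaker udp'` entry visible in pacemaker.yaml); presumably those rules are only rendered into iptables when ManageFirewall is true, which is the consequence an operator deciding on the default needs to see, so it should be confirmed against puppet-tripleo and documented. Suggest `description: Whether to manage iptables rules on the node. When false, the firewall_rules published by services are not applied.` and, for the purge flag, a sentence stating whether it has any effect when ManageFirewall is false. The product name is also spelled `IPtables` in both descriptions; `iptables` is the conventional form.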