Mv pacemaker and firewall out of controller
This patch moves settings for pacemaker and the tripleo firewall out of controller.yaml. Related bug: #1604414 Change-Id: I0164717bfd79cdea3de8eb7a64771028bea201ac
parent
7ab48cc832
commit
827d110a34
|
@ -440,9 +440,7 @@ resources:
|
||||||
properties:
|
properties:
|
||||||
CloudDomain: {get_param: CloudDomain}
|
CloudDomain: {get_param: CloudDomain}
|
||||||
controllerExtraConfig: {get_param: controllerExtraConfig}
|
controllerExtraConfig: {get_param: controllerExtraConfig}
|
||||||
PcsdPassword: {get_resource: PcsdPassword}
|
|
||||||
RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
|
RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
|
||||||
RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]}
|
|
||||||
ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map]}
|
ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map]}
|
||||||
EndpointMap: {get_attr: [EndpointMap, endpoint_map]}
|
EndpointMap: {get_attr: [EndpointMap, endpoint_map]}
|
||||||
Hostname:
|
Hostname:
|
||||||
|
|
|
@ -23,18 +23,10 @@ parameters:
|
||||||
...
|
...
|
||||||
}
|
}
|
||||||
type: json
|
type: json
|
||||||
CorosyncIPv6:
|
|
||||||
default: false
|
|
||||||
description: Enable IPv6 in Corosync
|
|
||||||
type: boolean
|
|
||||||
Debug:
|
Debug:
|
||||||
default: ''
|
default: ''
|
||||||
description: Set to True to enable debugging on all services.
|
description: Set to True to enable debugging on all services.
|
||||||
type: string
|
type: string
|
||||||
EnableFencing:
|
|
||||||
default: false
|
|
||||||
description: Whether to enable fencing in Pacemaker or not.
|
|
||||||
type: boolean
|
|
||||||
EnableLoadBalancer:
|
EnableLoadBalancer:
|
||||||
default: true
|
default: true
|
||||||
description: Whether to deploy a LoadBalancer on the Controller
|
description: Whether to deploy a LoadBalancer on the Controller
|
||||||
|
@ -45,38 +37,6 @@ parameters:
|
||||||
Additional hieradata to inject into the cluster, note that
|
Additional hieradata to inject into the cluster, note that
|
||||||
ControllerExtraConfig takes precedence over ExtraConfig.
|
ControllerExtraConfig takes precedence over ExtraConfig.
|
||||||
type: json
|
type: json
|
||||||
FencingConfig:
|
|
||||||
default: {}
|
|
||||||
description: |
|
|
||||||
Pacemaker fencing configuration. The JSON should have
|
|
||||||
the following structure:
|
|
||||||
{
|
|
||||||
"devices": [
|
|
||||||
{
|
|
||||||
"agent": "AGENT_NAME",
|
|
||||||
"host_mac": "HOST_MAC_ADDRESS",
|
|
||||||
"params": {"PARAM_NAME": "PARAM_VALUE"}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
For instance:
|
|
||||||
{
|
|
||||||
"devices": [
|
|
||||||
{
|
|
||||||
"agent": "fence_xvm",
|
|
||||||
"host_mac": "52:54:00:aa:bb:cc",
|
|
||||||
"params": {
|
|
||||||
"multicast_address": "225.0.0.12",
|
|
||||||
"port": "baremetal_0",
|
|
||||||
"manage_fw": true,
|
|
||||||
"manage_key_file": true,
|
|
||||||
"key_file": "/etc/fence_xvm.key",
|
|
||||||
"key_file_password": "abcdef"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
type: json
|
|
||||||
OvercloudControlFlavor:
|
OvercloudControlFlavor:
|
||||||
description: Flavor for control nodes to request when deploying.
|
description: Flavor for control nodes to request when deploying.
|
||||||
default: baremetal
|
default: baremetal
|
||||||
|
@ -98,33 +58,13 @@ parameters:
|
||||||
type: string
|
type: string
|
||||||
constraints:
|
constraints:
|
||||||
- custom_constraint: nova.keypair
|
- custom_constraint: nova.keypair
|
||||||
ManageFirewall:
|
|
||||||
default: false
|
|
||||||
description: Whether to manage IPtables rules.
|
|
||||||
type: boolean
|
|
||||||
PurgeFirewallRules:
|
|
||||||
default: false
|
|
||||||
description: Whether IPtables rules should be purged before setting up the new ones.
|
|
||||||
type: boolean
|
|
||||||
NeutronPublicInterface:
|
NeutronPublicInterface:
|
||||||
default: nic1
|
default: nic1
|
||||||
description: What interface to bridge onto br-ex for network nodes.
|
description: What interface to bridge onto br-ex for network nodes.
|
||||||
type: string
|
type: string
|
||||||
PcsdPassword:
|
|
||||||
type: string
|
|
||||||
description: The password for the 'pcsd' user.
|
|
||||||
hidden: true
|
|
||||||
RedisPassword:
|
|
||||||
description: The password for Redis
|
|
||||||
type: string
|
|
||||||
hidden: true
|
|
||||||
RedisVirtualIP:
|
RedisVirtualIP:
|
||||||
type: string
|
type: string
|
||||||
default: '' # Has to be here because of the ignored empty value bug
|
default: '' # Has to be here because of the ignored empty value bug
|
||||||
RedisVirtualIPUri:
|
|
||||||
type: string
|
|
||||||
default: '' # Has to be here because of the ignored empty value bug
|
|
||||||
description: An IP address which is wrapped in brackets in case of IPv6
|
|
||||||
SwiftRawDisks:
|
SwiftRawDisks:
|
||||||
default: {}
|
default: {}
|
||||||
description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
|
description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
|
||||||
|
@ -358,17 +298,9 @@ resources:
|
||||||
server: {get_resource: Controller}
|
server: {get_resource: Controller}
|
||||||
input_values:
|
input_values:
|
||||||
bootstack_nodeid: {get_attr: [Controller, name]}
|
bootstack_nodeid: {get_attr: [Controller, name]}
|
||||||
debug: {get_param: Debug}
|
|
||||||
enable_fencing: {get_param: EnableFencing}
|
|
||||||
enable_load_balancer: {get_param: EnableLoadBalancer}
|
enable_load_balancer: {get_param: EnableLoadBalancer}
|
||||||
manage_firewall: {get_param: ManageFirewall}
|
|
||||||
purge_firewall_rules: {get_param: PurgeFirewallRules}
|
|
||||||
corosync_ipv6: {get_param: CorosyncIPv6}
|
|
||||||
fencing_config: {get_param: FencingConfig}
|
|
||||||
pcsd_password: {get_param: PcsdPassword}
|
|
||||||
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
|
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
|
||||||
redis_vip: {get_param: RedisVirtualIP}
|
redis_vip: {get_param: RedisVirtualIP}
|
||||||
ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]}
|
|
||||||
|
|
||||||
# Map heat metadata into hiera datafiles
|
# Map heat metadata into hiera datafiles
|
||||||
ControllerConfig:
|
ControllerConfig:
|
||||||
|
@ -421,17 +353,10 @@ resources:
|
||||||
bootstack_nodeid: {get_input: bootstack_nodeid}
|
bootstack_nodeid: {get_input: bootstack_nodeid}
|
||||||
|
|
||||||
# Pacemaker
|
# Pacemaker
|
||||||
enable_fencing: {get_input: enable_fencing}
|
|
||||||
enable_load_balancer: {get_input: enable_load_balancer}
|
enable_load_balancer: {get_input: enable_load_balancer}
|
||||||
hacluster_pwd: {get_input: pcsd_password}
|
|
||||||
corosync_ipv6: {get_input: corosync_ipv6}
|
|
||||||
tripleo::fencing::config: {get_input: fencing_config}
|
|
||||||
|
|
||||||
# Redis
|
# Redis
|
||||||
redis_vip: {get_input: redis_vip}
|
redis_vip: {get_input: redis_vip}
|
||||||
# Firewall
|
|
||||||
tripleo::firewall::manage_firewall: {get_input: manage_firewall}
|
|
||||||
tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
|
|
||||||
# Misc
|
# Misc
|
||||||
tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
|
tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
|
||||||
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
|
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
|
||||||
|
|
|
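Review bot: In the `@ -358,17 +298,9` hunk the `debug` and `ironic_api_network` inputs are dropped along with the pacemaker and firewall ones, but the `Debug` parameter is still declared in the parameters block (it appears as context in the `@ -23,18 +23,10` hunk). If nothing else in this template reads it, which the hunks do not show, the parameter is now accepted and silently ignored here; either remove the declaration in the same change or mention the two extra removals in the commit message. Separately, in the `@ -421,17 +353,10` hunk the `# Pacemaker` comment is left heading only `enable_load_balancer`, so I would retitle or drop it, e.g. `# Load balancer`.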
@ -1,4 +1,4 @@
|
||||||
heat_template_version: 2016-04-08
|
heat_template_version: 2016-10-14
|
||||||
|
|
||||||
description: >
|
description: >
|
||||||
Pacemaker service configured with Puppet
|
Pacemaker service configured with Puppet
|
||||||
|
@ -21,6 +21,51 @@ parameters:
|
||||||
MonitoringSubscriptionPacemaker:
|
MonitoringSubscriptionPacemaker:
|
||||||
default: 'overcloud-pacemaker'
|
default: 'overcloud-pacemaker'
|
||||||
type: string
|
type: string
|
||||||
|
CorosyncIPv6:
|
||||||
|
default: false
|
||||||
|
description: Enable IPv6 in Corosync
|
||||||
|
type: boolean
|
||||||
|
EnableFencing:
|
||||||
|
default: false
|
||||||
|
description: Whether to enable fencing in Pacemaker or not.
|
||||||
|
type: boolean
|
||||||
|
PcsdPassword:
|
||||||
|
type: string
|
||||||
|
description: The password for the 'pcsd' user for pacemaker.
|
||||||
|
hidden: true
|
||||||
|
default: ''
|
||||||
|
FencingConfig:
|
||||||
|
default: {}
|
||||||
|
description: |
|
||||||
|
Pacemaker fencing configuration. The JSON should have
|
||||||
|
the following structure:
|
||||||
|
{
|
||||||
|
"devices": [
|
||||||
|
{
|
||||||
|
"agent": "AGENT_NAME",
|
||||||
|
"host_mac": "HOST_MAC_ADDRESS",
|
||||||
|
"params": {"PARAM_NAME": "PARAM_VALUE"}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
For instance:
|
||||||
|
{
|
||||||
|
"devices": [
|
||||||
|
{
|
||||||
|
"agent": "fence_xvm",
|
||||||
|
"host_mac": "52:54:00:aa:bb:cc",
|
||||||
|
"params": {
|
||||||
|
"multicast_address": "225.0.0.12",
|
||||||
|
"port": "baremetal_0",
|
||||||
|
"manage_fw": true,
|
||||||
|
"manage_key_file": true,
|
||||||
|
"key_file": "/etc/fence_xvm.key",
|
||||||
|
"key_file_password": "abcdef"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
type: json
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
|
@ -44,5 +89,15 @@ outputs:
|
||||||
'131 pacemaker udp':
|
'131 pacemaker udp':
|
||||||
proto: 'udp'
|
proto: 'udp'
|
||||||
dport: 5405
|
dport: 5405
|
||||||
|
corosync_ipv6: {get_param: CorosyncIPv6}
|
||||||
|
tripleo::fencing::config: {get_param: FencingConfig}
|
||||||
|
enable_fencing: {get_param: EnableFencing}
|
||||||
|
hacluster_pwd:
|
||||||
|
yaql:
|
||||||
|
expression: $.data.passwords.where($ != '').first()
|
||||||
|
data:
|
||||||
|
passwords:
|
||||||
|
- {get_param: PcsdPassword}
|
||||||
|
- {get_param: [DefaultPasswords, pcsd_password]}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::pacemaker
|
include ::tripleo::profile::base::pacemaker
|
||||||
|
|
|
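Review bot: `FencingConfig` is declared without `hidden: true` in the `@ -21,6 +21,51` hunk, although its own example carries `key_file_password` and the `params` map is typically where fence device credentials are supplied; unlike `PcsdPassword` just above it, its value would presumably be shown in clear wherever Heat displays stack parameters. I would add `hidden: true` under its `type: json` line. In the `@ -44,5 +89,15` hunk, `PcsdPassword` now defaults to `''` and `hacluster_pwd` takes the first non-empty of it and `DefaultPasswords.pcsd_password`; when both are empty `first()` has nothing to return and, as far as I know, yaql raises rather than yielding an empty string, which is the safe outcome but surfaces as an opaque expression error. The `PcsdPassword` description should state that an empty value falls back to `DefaultPasswords`, and `DefaultPasswords` has to be declared in this file's parameters, which is outside the hunks shown.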
@ -18,11 +18,22 @@ parameters:
|
||||||
description: Mapping of service endpoint -> protocol. Typically set
|
description: Mapping of service endpoint -> protocol. Typically set
|
||||||
via parameter_defaults in the resource registry.
|
via parameter_defaults in the resource registry.
|
||||||
type: json
|
type: json
|
||||||
|
ManageFirewall:
|
||||||
|
default: false
|
||||||
|
description: Whether to manage IPtables rules.
|
||||||
|
type: boolean
|
||||||
|
PurgeFirewallRules:
|
||||||
|
default: false
|
||||||
|
description: Whether IPtables rules should be purged before setting up the new ones.
|
||||||
|
type: boolean
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
description: Role data for the TripleO firewall settings
|
description: Role data for the TripleO firewall settings
|
||||||
value:
|
value:
|
||||||
service_name: tripleo_firewall
|
service_name: tripleo_firewall
|
||||||
|
config_settings:
|
||||||
|
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
|
||||||
|
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::firewall
|
include ::tripleo::firewall
|
||||||
|
|
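Review bot: The `ManageFirewall` and `PurgeFirewallRules` descriptions in the `@ -18,11 +18,22` hunk do not say how the two flags interact or what the `false` default means for the host. Both are passed straight through to `tripleo::firewall::manage_firewall` and `tripleo::firewall::purge_firewall_rules`, so the behaviour is decided in the Puppet class, which is not visible here. I would extend the descriptions, for example `description: Whether to manage IPtables rules. When false, no rules are applied by this service.`, and state on `PurgeFirewallRules` whether it has any effect while `ManageFirewall` is false, since purging existing rules is not something an operator should have to guess about. Confirm the wording against `::tripleo::firewall` before merging.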