|
|
@ -66,8 +66,13 @@ parameters: |
|
|
|
of the internal network. Use this parameter with caution and be aware of |
|
|
|
opening memcached to external network can be dangerous. |
|
|
|
type: string |
|
|
|
MemcachedTLS: |
|
|
|
default: false |
|
|
|
description: Set to True to enable TLS on Memcached service. |
|
|
|
type: boolean |
|
|
|
|
|
|
|
conditions: |
|
|
|
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]} |
|
|
|
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']} |
|
|
|
service_debug: |
|
|
|
or: |
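Review bot: The new `MemcachedTLS` description says only "Set to True to enable TLS on Memcached service." and leaves the operator guessing what enabling it entails; the later hunks in this commit make it request a certmonger-issued certificate keyed on the node's `fqdn_<MemcachedNetwork>` hiera value and add TLS-only bind mounts, and the description should say so. I would reword it to `description: Set to true to enable TLS on the Memcached service. Requires certmonger, since the certificate is requested for the node FQDN on the MemcachedNetwork.` Naming the condition `internal_tls_enabled` while it is keyed on `MemcachedTLS` alone (not the deployment-wide internal TLS setting) is worth a comment on the condition line so nobody assumes the two are linked. The `service_debug` condition starting at the end of this hunk continues outside it.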
|
|
@ -87,63 +92,86 @@ outputs: |
|
|
|
service_name: memcached |
|
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached} |
|
|
|
config_settings: |
|
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP |
|
|
|
# for the given network; replacement examples (eg. for internal_api): |
|
|
|
# internal_api -> IP |
|
|
|
# internal_api_uri -> [IP] |
|
|
|
# internal_api_subnet - > IP/CIDR |
|
|
|
memcached::listen_ip: |
|
|
|
str_replace: |
|
|
|
template: |
|
|
|
"%{hiera('$NETWORK')}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} |
|
|
|
memcached::listen_ip_uri: |
|
|
|
str_replace: |
|
|
|
template: |
|
|
|
"%{hiera('$NETWORK_uri')}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} |
|
|
|
memcached::max_connections: {get_param: MemcachedMaxConnections} |
|
|
|
memcached::max_memory: {get_param: MemcachedMaxMemory} |
|
|
|
# https://access.redhat.com/security/cve/cve-2018-1000115 |
|
|
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP. |
|
|
|
memcached::udp_port: 0 |
|
|
|
memcached::verbosity: |
|
|
|
list_join: |
|
|
|
- '' |
|
|
|
- - 'v' |
|
|
|
- if: |
|
|
|
- service_debug |
|
|
|
- 'v' |
|
|
|
map_merge: |
|
|
|
- |
|
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP |
|
|
|
# for the given network; replacement examples (eg. for internal_api): |
|
|
|
# internal_api -> IP |
|
|
|
# internal_api_uri -> [IP] |
|
|
|
# internal_api_subnet - > IP/CIDR |
|
|
|
memcached::listen_ip: |
|
|
|
str_replace: |
|
|
|
template: |
|
|
|
"%{hiera('$NETWORK')}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} |
|
|
|
memcached::listen_ip_uri: |
|
|
|
str_replace: |
|
|
|
template: |
|
|
|
"%{hiera('$NETWORK_uri')}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} |
|
|
|
memcached::max_connections: {get_param: MemcachedMaxConnections} |
|
|
|
memcached::max_memory: {get_param: MemcachedMaxMemory} |
|
|
|
# https://access.redhat.com/security/cve/cve-2018-1000115 |
|
|
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP. |
|
|
|
memcached::udp_port: 0 |
|
|
|
memcached::verbosity: |
|
|
|
list_join: |
|
|
|
- '' |
|
|
|
memcached::disable_cachedump: true |
|
|
|
tripleo::memcached::firewall_rules: |
|
|
|
# https://access.redhat.com/security/cve/cve-2018-1000115 |
|
|
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP. |
|
|
|
# Memcached traffic shouldn't be open on the internet. |
|
|
|
# Even if binding is configured on internal_api network, enforce it |
|
|
|
# via firewall as well. |
|
|
|
if: |
|
|
|
- memcached_network_unset |
|
|
|
- map_merge: |
|
|
|
repeat: |
|
|
|
for_each: |
|
|
|
<%net_cidr%>: |
|
|
|
get_param: |
|
|
|
- ServiceData |
|
|
|
- net_cidr_map |
|
|
|
- {get_param: [ServiceNetMap, MemcachedNetwork]} |
|
|
|
template: |
|
|
|
'121 memcached <%net_cidr%>': |
|
|
|
dport: 11211 |
|
|
|
proto: 'tcp' |
|
|
|
source: <%net_cidr%> |
|
|
|
- '121 memcached': |
|
|
|
dport: 11211 |
|
|
|
proto: 'tcp' |
|
|
|
source: {get_param: MemcachedIpSubnet} |
|
|
|
memcached::logstdout: true |
|
|
|
- - 'v' |
|
|
|
- if: |
|
|
|
- service_debug |
|
|
|
- 'v' |
|
|
|
- '' |
|
|
|
memcached::disable_cachedump: true |
|
|
|
tripleo::memcached::firewall_rules: |
|
|
|
# https://access.redhat.com/security/cve/cve-2018-1000115 |
|
|
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP. |
|
|
|
# Memcached traffic shouldn't be open on the internet. |
|
|
|
# Even if binding is configured on internal_api network, enforce it |
|
|
|
# via firewall as well. |
|
|
|
if: |
|
|
|
- memcached_network_unset |
|
|
|
- map_merge: |
|
|
|
repeat: |
|
|
|
for_each: |
|
|
|
<%net_cidr%>: |
|
|
|
get_param: |
|
|
|
- ServiceData |
|
|
|
- net_cidr_map |
|
|
|
- {get_param: [ServiceNetMap, MemcachedNetwork]} |
|
|
|
template: |
|
|
|
'121 memcached <%net_cidr%>': |
|
|
|
dport: 11211 |
|
|
|
proto: 'tcp' |
|
|
|
source: <%net_cidr%> |
|
|
|
- '121 memcached': |
|
|
|
dport: 11211 |
|
|
|
proto: 'tcp' |
|
|
|
source: {get_param: MemcachedIpSubnet} |
|
|
|
memcached::logstdout: true |
|
|
|
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS} |
|
|
|
- |
|
|
|
if: |
|
|
|
- internal_tls_enabled |
|
|
|
- generate_service_certificates: true |
|
|
|
tripleo::memcached::service_certificate: '/etc/pki/tls/certs/memcached.crt' |
|
|
|
tripleo::profile::base::memcached::certificate_specs: |
|
|
|
service_certificate: '/etc/pki/tls/certs/memcached.crt' |
|
|
|
service_key: '/etc/pki/tls/private/memcached.key' |
|
|
|
hostname: |
|
|
|
str_replace: |
|
|
|
template: "%{hiera('fqdn_$NETWORK')}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} |
|
|
|
principal: |
|
|
|
str_replace: |
|
|
|
template: "memcached/%{hiera('fqdn_$NETWORK')}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} |
|
|
|
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh" |
|
|
|
- {} |
|
|
|
service_config_settings: |
|
|
|
collectd: |
|
|
|
tripleo.collectd.plugins.memcached: |
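Review bot: The certificate and key paths `/etc/pki/tls/certs/memcached.crt` and `/etc/pki/tls/private/memcached.key` are now spelled out three times in `config_settings` alone (`tripleo::memcached::service_certificate` and both `certificate_specs` entries) and again in the `permissions` list of the next hunk, with nothing tying them together; Heat has no constant mechanism here, so a comment above `certificate_specs` such as `# NOTE: paths must match the 'permissions' entries and the src-tls bind mounts in docker_config` would at least make the coupling visible (the bind-mount hunk appears to follow but is cut off in this view). It is also worth stating next to `enable_internal_memcached_tls` that TLS changes nothing about who can reach the service: the `tripleo::memcached::firewall_rules` block above is untouched by the `internal_tls_enabled` branch and still admits the whole MemcachedNetwork CIDR (or `MemcachedIpSubnet`) on 11211, so a comment like `# TLS protects traffic in transit only; access is still governed by firewall_rules above` prevents the parameter being read as an access control. In the rendered view the `memcached::verbosity` list_join appears split across the old and new copies, which I take to be a display artefact rather than a change in the template.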
|
|
@ -167,10 +195,21 @@ outputs: |
|
|
|
dest: "/" |
|
|
|
merge: true |
|
|
|
preserve_properties: true |
|
|
|
- source: "/var/lib/kolla/config_files/src-tls/*" |
|
|
|
dest: "/" |
|
|
|
merge: true |
|
|
|
preserve_properties: true |
|
|
|
optional: true |
|
|
|
permissions: |
|
|
|
- path: /var/log/memcached |
|
|
|
owner: memcached:memcached |
|
|
|
recurse: true |
|
|
|
- path: /etc/pki/tls/certs/memcached.crt |
|
|
|
owner: memcached:memcached |
|
|
|
optional: true |
|
|
|
- path: /etc/pki/tls/private/memcached.key |
|
|
|
owner: memcached:memcached |
|
|
|
optional: true |
|
|
|
docker_config: |
|
|
|
step_1: |
|
|
|
memcached: |
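Review bot: The new `permissions` entry for `/etc/pki/tls/private/memcached.key` sets only `owner: memcached:memcached` and no mode, so whatever mode certmonger or the src-tls copy leaves on the private key is what the container keeps; if the kolla permissions handler honours a `perm` field here (it does in upstream kolla's set_configs, but confirm for the image in use), the key entry should carry `perm: '0600'` and the certificate entry `perm: '0644'`. The `optional: true` on both entries is right for the non-TLS case, but a short comment such as `# only present when MemcachedTLS is enabled (src-tls mount)` would explain why they may be absent. The `memcached` service definition under `step_1` starts at the end of this hunk and continues outside it.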
|
|
@ -188,8 +227,22 @@ outputs: |
|
|
|
- /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro |
|
|
|
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z |
|
|
|
- /var/log/containers/memcached:/var/log/memcached:rw |
|
|
|
- if: |
|
|
|
- internal_tls_enabled |
|
|
|
- |
|
|
|
- /etc/pki/tls/certs/memcached.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/memcached.crt:ro |
|
|
|
- /etc/pki/tls/private/memcached.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/memcached.key:ro |
|
|
|
- null |
|
|
|
environment: |
|
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS |
|
|
|
metadata_settings: |
|
|
|
if: |
|
|
|
- internal_tls_enabled |
|
|
|
- |
|
|
|
- service: memcached |
|
|
|
network: {get_param: [ServiceNetMap, MemcachedNetwork]} |
|
|
|
type: node |
|
|
|
- null |
|
|
|
host_prep_tasks: |
|
|
|
- name: create persistent directories |
|
|
|
file: |
|
|
|