96795a94da
Right now when we deploy an HA bundle on a pacemaker remote node,
the deploy will fail due to the fact that the bundle includes
tripleo::profile::base::pacemaker which makes a call to
hiera('hacluster_pwd') which will fail on pcmk remote nodes.
While we could noop the profile on pcmk nodes, it's much simpler
to just make sure this hiera key exists on pcmk remote nodes.
Also make sure that pacemaker::corosync::manage_fw is set to false
on remote nodes, otherwise the mere inclusion of the pacemaker
profile will cause iptables-save to run in a container and thus failing.
Change-Id: I09b3e54a470cc2d600a701d23463962501c5c9d6
121 lines
3.5 KiB
YAML
121 lines
3.5 KiB
YAML
heat_template_version: pike
|
|
|
|
description: >
|
|
Pacemaker remote service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
PacemakerRemoteAuthkey:
|
|
type: string
|
|
description: The authkey for the pacemaker remote service.
|
|
hidden: true
|
|
default: ''
|
|
PcsdPassword:
|
|
type: string
|
|
description: The password for the 'pcsd' user for pacemaker.
|
|
hidden: true
|
|
default: ''
|
|
MonitoringSubscriptionPacemakerRemote:
|
|
default: 'overcloud-pacemaker_remote'
|
|
type: string
|
|
EnableFencing:
|
|
default: false
|
|
description: Whether to enable fencing in Pacemaker or not.
|
|
type: boolean
|
|
FencingConfig:
|
|
default: {}
|
|
description: |
|
|
Pacemaker fencing configuration. The JSON should have
|
|
the following structure:
|
|
{
|
|
"devices": [
|
|
{
|
|
"agent": "AGENT_NAME",
|
|
"host_mac": "HOST_MAC_ADDRESS",
|
|
"params": {"PARAM_NAME": "PARAM_VALUE"}
|
|
}
|
|
]
|
|
}
|
|
For instance:
|
|
{
|
|
"devices": [
|
|
{
|
|
"agent": "fence_xvm",
|
|
"host_mac": "52:54:00:aa:bb:cc",
|
|
"params": {
|
|
"multicast_address": "225.0.0.12",
|
|
"port": "baremetal_0",
|
|
"manage_fw": true,
|
|
"manage_key_file": true,
|
|
"key_file": "/etc/fence_xvm.key",
|
|
"key_file_password": "abcdef"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
type: json
|
|
PacemakerRemoteLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: system.pacemaker_remote
|
|
path: /var/log/pacemaker.log
|
|
format: >-
|
|
/^(?<time>[^ ]*\s*[^ ]* [^ ]*)
|
|
\[(?<pid>[^ ]*)\]
|
|
(?<host>[^ ]*)
|
|
(?<message>.*)$/
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Pacemaker remote role.
|
|
value:
|
|
service_name: pacemaker_remote
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote}
|
|
logging_groups:
|
|
- haclient
|
|
logging_source: {get_param: PacemakerRemoteLoggingSource}
|
|
config_settings:
|
|
tripleo.pacemaker_remote.firewall_rules:
|
|
'130 pacemaker_remote tcp':
|
|
proto: 'tcp'
|
|
dport:
|
|
- 3121
|
|
tripleo::fencing::config: {get_param: FencingConfig}
|
|
enable_fencing: {get_param: EnableFencing}
|
|
tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey}
|
|
pacemaker::corosync::manage_fw: false
|
|
hacluster_pwd:
|
|
yaql:
|
|
expression: $.data.passwords.where($ != '').first()
|
|
data:
|
|
passwords:
|
|
- {get_param: PcsdPassword}
|
|
- {get_param: [DefaultPasswords, pcsd_password]}
|
|
step_config: |
|
|
include ::tripleo::profile::base::pacemaker_remote
|