Puppet cfgm class added for managing contrail-config service
This commit contains puppet code, files and templates to deploy the software packages and configuration for contrail config service. Change-Id: Ic43aa9cdd7a4ba021c5c004e5fd851bdfce364a2
This commit is contained in:
parent
57891cc730
commit
7fbbe0fb5a
|
@ -17,8 +17,9 @@ include contrail
|
|||
Exec { path => '/bin:/sbin:/usr/bin:/usr/sbin', refresh => 'echo NOOP_ON_REFRESH', timeout => 1800}
|
||||
|
||||
if $contrail::node_name =~ /^contrail.\d+$/ {
|
||||
class { 'contrail::database': }
|
||||
class { 'contrail::vip': }
|
||||
class { 'contrail::database': } ->
|
||||
class { 'contrail::vip': } ->
|
||||
class { 'contrail::cfgm': }
|
||||
}
|
||||
|
||||
if $contrail::node_name == $contrail::deployment_node {
|
||||
|
@ -26,6 +27,6 @@ if $contrail::node_name == $contrail::deployment_node {
|
|||
->
|
||||
class { 'contrail::setup':
|
||||
node_name => $contrail::node_name,
|
||||
require => [Class['contrail::database'],Class['contrail::vip']],
|
||||
require => Class['contrail::cfgm'],
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,442 @@
|
|||
#
|
||||
# This is the "master security properties file".
|
||||
#
|
||||
# In this file, various security properties are set for use by
|
||||
# java.security classes. This is where users can statically register
|
||||
# Cryptography Package Providers ("providers" for short). The term
|
||||
# "provider" refers to a package or set of packages that supply a
|
||||
# concrete implementation of a subset of the cryptography aspects of
|
||||
# the Java Security API. A provider may, for example, implement one or
|
||||
# more digital signature algorithms or message digest algorithms.
|
||||
#
|
||||
# Each provider must implement a subclass of the Provider class.
|
||||
# To register a provider in this master security properties file,
|
||||
# specify the Provider subclass name and priority in the format
|
||||
#
|
||||
# security.provider.<n>=<className>
|
||||
#
|
||||
# This declares a provider, and specifies its preference
|
||||
# order n. The preference order is the order in which providers are
|
||||
# searched for requested algorithms (when no specific provider is
|
||||
# requested). The order is 1-based; 1 is the most preferred, followed
|
||||
# by 2, and so on.
|
||||
#
|
||||
# <className> must specify the subclass of the Provider class whose
|
||||
# constructor sets the values of various properties that are required
|
||||
# for the Java Security API to look up the algorithms or other
|
||||
# facilities implemented by the provider.
|
||||
#
|
||||
# There must be at least one provider specification in java.security.
|
||||
# There is a default provider that comes standard with the JDK. It
|
||||
# is called the "SUN" provider, and its Provider subclass
|
||||
# named Sun appears in the sun.security.provider package. Thus, the
|
||||
# "SUN" provider is registered via the following:
|
||||
#
|
||||
# security.provider.1=sun.security.provider.Sun
|
||||
#
|
||||
# (The number 1 is used for the default provider.)
|
||||
#
|
||||
# Note: Providers can be dynamically registered instead by calls to
|
||||
# either the addProvider or insertProviderAt method in the Security
|
||||
# class.
|
||||
|
||||
#
|
||||
# List of providers and their preference orders (see above):
|
||||
#
|
||||
security.provider.1=sun.security.provider.Sun
|
||||
security.provider.2=sun.security.rsa.SunRsaSign
|
||||
security.provider.3=sun.security.ec.SunEC
|
||||
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
|
||||
security.provider.5=com.sun.crypto.provider.SunJCE
|
||||
security.provider.6=sun.security.jgss.SunProvider
|
||||
security.provider.7=com.sun.security.sasl.Provider
|
||||
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
|
||||
security.provider.9=sun.security.smartcardio.SunPCSC
|
||||
# the NSS security provider was not enabled for this build; it can be enabled
|
||||
# if NSS (libnss3) is available on the machine. The nss.cfg file may need
|
||||
# editing to reflect the location of the NSS installation.
|
||||
security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
|
||||
|
||||
#
|
||||
# Select the source of seed data for SecureRandom. By default an
|
||||
# attempt is made to use the entropy gathering device specified by
|
||||
# the securerandom.source property. If an exception occurs when
|
||||
# accessing the URL then the traditional system/thread activity
|
||||
# algorithm is used.
|
||||
#
|
||||
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
|
||||
# exists, a special SecureRandom implementation is activated by default.
|
||||
# This "NativePRNG" reads random bytes directly from /dev/urandom.
|
||||
#
|
||||
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
|
||||
# enables use of the Microsoft CryptoAPI seed functionality.
|
||||
#
|
||||
securerandom.source=file:/dev/urandom
|
||||
#
|
||||
# The entropy gathering device is described as a URL and can also
|
||||
# be specified with the system property "java.security.egd". For example,
|
||||
# -Djava.security.egd=file:/dev/urandom
|
||||
# Specifying this system property will override the securerandom.source
|
||||
# setting.
|
||||
|
||||
#
|
||||
# Class to instantiate as the javax.security.auth.login.Configuration
|
||||
# provider.
|
||||
#
|
||||
login.configuration.provider=com.sun.security.auth.login.ConfigFile
|
||||
|
||||
#
|
||||
# Default login configuration file
|
||||
#
|
||||
#login.config.url.1=file:${user.home}/.java.login.config
|
||||
|
||||
#
|
||||
# Class to instantiate as the system Policy. This is the name of the class
|
||||
# that will be used as the Policy object.
|
||||
#
|
||||
policy.provider=sun.security.provider.PolicyFile
|
||||
|
||||
# The default is to have a single system-wide policy file,
|
||||
# and a policy file in the user's home directory.
|
||||
policy.url.1=file:${java.home}/lib/security/java.policy
|
||||
policy.url.2=file:${user.home}/.java.policy
|
||||
|
||||
# whether or not we expand properties in the policy file
|
||||
# if this is set to false, properties (${...}) will not be expanded in policy
|
||||
# files.
|
||||
policy.expandProperties=true
|
||||
|
||||
# whether or not we allow an extra policy to be passed on the command line
|
||||
# with -Djava.security.policy=somefile. Comment out this line to disable
|
||||
# this feature.
|
||||
policy.allowSystemProperty=true
|
||||
|
||||
# whether or not we look into the IdentityScope for trusted Identities
|
||||
# when encountering a 1.1 signed JAR file. If the identity is found
|
||||
# and is trusted, we grant it AllPermission.
|
||||
policy.ignoreIdentityScope=false
|
||||
|
||||
#
|
||||
# Default keystore type.
|
||||
#
|
||||
keystore.type=jks
|
||||
|
||||
#
|
||||
# List of comma-separated packages that start with or equal this string
|
||||
# will cause a security exception to be thrown when
|
||||
# passed to checkPackageAccess unless the
|
||||
# corresponding RuntimePermission ("accessClassInPackage."+package) has
|
||||
# been granted.
|
||||
package.access=sun.,\
|
||||
org.GNOME.Accessibility.,\
|
||||
com.sun.xml.internal.,\
|
||||
com.sun.imageio.,\
|
||||
com.sun.istack.internal.,\
|
||||
com.sun.jmx.,\
|
||||
com.sun.naming.internal.,\
|
||||
com.sun.proxy.,\
|
||||
com.sun.corba.se.,\
|
||||
com.sun.script.,\
|
||||
com.sun.org.apache.bcel.internal.,\
|
||||
com.sun.org.apache.regexp.internal.,\
|
||||
com.sun.org.apache.xerces.internal.,\
|
||||
com.sun.org.apache.xpath.internal.,\
|
||||
com.sun.org.apache.xalan.internal.extensions.,\
|
||||
com.sun.org.apache.xalan.internal.lib.,\
|
||||
com.sun.org.apache.xalan.internal.res.,\
|
||||
com.sun.org.apache.xalan.internal.templates.,\
|
||||
com.sun.org.apache.xalan.internal.utils.,\
|
||||
com.sun.org.apache.xalan.internal.xslt.,\
|
||||
com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
|
||||
com.sun.org.apache.xalan.internal.xsltc.compiler.,\
|
||||
com.sun.org.apache.xalan.internal.xsltc.trax.,\
|
||||
com.sun.org.apache.xalan.internal.xsltc.util.,\
|
||||
com.sun.org.apache.xml.internal.res.,\
|
||||
com.sun.org.apache.xml.internal.serializer.utils.,\
|
||||
com.sun.org.apache.xml.internal.utils.,\
|
||||
com.sun.org.apache.xml.internal.security.,\
|
||||
com.sun.org.glassfish.,\
|
||||
org.jcp.xml.dsig.internal.,\
|
||||
oracle.jrockit.jfr.
|
||||
#
|
||||
# List of comma-separated packages that start with or equal this string
|
||||
# will cause a security exception to be thrown when
|
||||
# passed to checkPackageDefinition unless the
|
||||
# corresponding RuntimePermission ("defineClassInPackage."+package) has
|
||||
# been granted.
|
||||
#
|
||||
# by default, none of the class loaders supplied with the JDK call
|
||||
# checkPackageDefinition.
|
||||
#
|
||||
package.definition=sun.,\
|
||||
com.sun.xml.internal.,\
|
||||
com.sun.imageio.,\
|
||||
com.sun.istack.internal.,\
|
||||
com.sun.jmx.,\
|
||||
com.sun.naming.internal.,\
|
||||
com.sun.proxy.,\
|
||||
com.sun.corba.se.,\
|
||||
com.sun.script.,\
|
||||
com.sun.org.apache.bcel.internal.,\
|
||||
com.sun.org.apache.regexp.internal.,\
|
||||
com.sun.org.apache.xerces.internal.,\
|
||||
com.sun.org.apache.xpath.internal.,\
|
||||
com.sun.org.apache.xalan.internal.extensions.,\
|
||||
com.sun.org.apache.xalan.internal.lib.,\
|
||||
com.sun.org.apache.xalan.internal.res.,\
|
||||
com.sun.org.apache.xalan.internal.templates.,\
|
||||
com.sun.org.apache.xalan.internal.utils.,\
|
||||
com.sun.org.apache.xalan.internal.xslt.,\
|
||||
com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
|
||||
com.sun.org.apache.xalan.internal.xsltc.compiler.,\
|
||||
com.sun.org.apache.xalan.internal.xsltc.trax.,\
|
||||
com.sun.org.apache.xalan.internal.xsltc.util.,\
|
||||
com.sun.org.apache.xml.internal.res.,\
|
||||
com.sun.org.apache.xml.internal.serializer.utils.,\
|
||||
com.sun.org.apache.xml.internal.utils.,\
|
||||
com.sun.org.apache.xml.internal.security.,\
|
||||
com.sun.org.glassfish.,\
|
||||
org.jcp.xml.dsig.internal.,\
|
||||
oracle.jrockit.jfr.
|
||||
#
|
||||
# Determines whether this properties file can be appended to
|
||||
# or overridden on the command line via -Djava.security.properties
|
||||
#
|
||||
security.overridePropertiesFile=true
|
||||
|
||||
#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
#
|
||||
ssl.KeyManagerFactory.algorithm=SunX509
|
||||
ssl.TrustManagerFactory.algorithm=PKIX
|
||||
|
||||
#
|
||||
# The Java-level namelookup cache policy for successful lookups:
|
||||
#
|
||||
# any negative value: caching forever
|
||||
# any positive value: the number of seconds to cache an address for
|
||||
# zero: do not cache
|
||||
#
|
||||
# default value is forever (FOREVER). For security reasons, this
|
||||
# caching is made forever when a security manager is set. When a security
|
||||
# manager is not set, the default behavior in this implementation
|
||||
# is to cache for 30 seconds.
|
||||
#
|
||||
# NOTE: setting this to anything other than the default value can have
|
||||
# serious security implications. Do not set it unless
|
||||
# you are sure you are not exposed to DNS spoofing attack.
|
||||
#
|
||||
#networkaddress.cache.ttl=-1
|
||||
|
||||
# The Java-level namelookup cache policy for failed lookups:
|
||||
#
|
||||
# any negative value: cache forever
|
||||
# any positive value: the number of seconds to cache negative lookup results
|
||||
# zero: do not cache
|
||||
#
|
||||
# In some Microsoft Windows networking environments that employ
|
||||
# the WINS name service in addition to DNS, name service lookups
|
||||
# that fail may take a noticeably long time to return (approx. 5 seconds).
|
||||
# For this reason the default caching policy is to maintain these
|
||||
# results for 10 seconds.
|
||||
#
|
||||
#
|
||||
networkaddress.cache.negative.ttl=10
|
||||
|
||||
#
|
||||
# Properties to configure OCSP for certificate revocation checking
|
||||
#
|
||||
|
||||
# Enable OCSP
|
||||
#
|
||||
# By default, OCSP is not used for certificate revocation checking.
|
||||
# This property enables the use of OCSP when set to the value "true".
|
||||
#
|
||||
# NOTE: SocketPermission is required to connect to an OCSP responder.
|
||||
#
|
||||
# Example,
|
||||
# ocsp.enable=true
|
||||
|
||||
#
|
||||
# Location of the OCSP responder
|
||||
#
|
||||
# By default, the location of the OCSP responder is determined implicitly
|
||||
# from the certificate being validated. This property explicitly specifies
|
||||
# the location of the OCSP responder. The property is used when the
|
||||
# Authority Information Access extension (defined in RFC 3280) is absent
|
||||
# from the certificate or when it requires overriding.
|
||||
#
|
||||
# Example,
|
||||
# ocsp.responderURL=http://ocsp.example.net:80
|
||||
|
||||
#
|
||||
# Subject name of the OCSP responder's certificate
|
||||
#
|
||||
# By default, the certificate of the OCSP responder is that of the issuer
|
||||
# of the certificate being validated. This property identifies the certificate
|
||||
# of the OCSP responder when the default does not apply. Its value is a string
|
||||
# distinguished name (defined in RFC 2253) which identifies a certificate in
|
||||
# the set of certificates supplied during cert path validation. In cases where
|
||||
# the subject name alone is not sufficient to uniquely identify the certificate
|
||||
# then both the "ocsp.responderCertIssuerName" and
|
||||
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
|
||||
# property is set then those two properties are ignored.
|
||||
#
|
||||
# Example,
|
||||
# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
|
||||
|
||||
#
|
||||
# Issuer name of the OCSP responder's certificate
|
||||
#
|
||||
# By default, the certificate of the OCSP responder is that of the issuer
|
||||
# of the certificate being validated. This property identifies the certificate
|
||||
# of the OCSP responder when the default does not apply. Its value is a string
|
||||
# distinguished name (defined in RFC 2253) which identifies a certificate in
|
||||
# the set of certificates supplied during cert path validation. When this
|
||||
# property is set then the "ocsp.responderCertSerialNumber" property must also
|
||||
# be set. When the "ocsp.responderCertSubjectName" property is set then this
|
||||
# property is ignored.
|
||||
#
|
||||
# Example,
|
||||
# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
|
||||
|
||||
#
|
||||
# Serial number of the OCSP responder's certificate
|
||||
#
|
||||
# By default, the certificate of the OCSP responder is that of the issuer
|
||||
# of the certificate being validated. This property identifies the certificate
|
||||
# of the OCSP responder when the default does not apply. Its value is a string
|
||||
# of hexadecimal digits (colon or space separators may be present) which
|
||||
# identifies a certificate in the set of certificates supplied during cert path
|
||||
# validation. When this property is set then the "ocsp.responderCertIssuerName"
|
||||
# property must also be set. When the "ocsp.responderCertSubjectName" property
|
||||
# is set then this property is ignored.
|
||||
#
|
||||
# Example,
|
||||
# ocsp.responderCertSerialNumber=2A:FF:00
|
||||
|
||||
#
|
||||
# Policy for failed Kerberos KDC lookups:
|
||||
#
|
||||
# When a KDC is unavailable (network error, service failure, etc), it is
|
||||
# put inside a blacklist and accessed less often for future requests. The
|
||||
# value (case-insensitive) for this policy can be:
|
||||
#
|
||||
# tryLast
|
||||
# KDCs in the blacklist are always tried after those not on the list.
|
||||
#
|
||||
# tryLess[:max_retries,timeout]
|
||||
# KDCs in the blacklist are still tried by their order in the configuration,
|
||||
# but with smaller max_retries and timeout values. max_retries and timeout
|
||||
# are optional numerical parameters (default 1 and 5000, which means once
|
||||
# and 5 seconds). Please notes that if any of the values defined here is
|
||||
# more than what is defined in krb5.conf, it will be ignored.
|
||||
#
|
||||
# Whenever a KDC is detected as available, it is removed from the blacklist.
|
||||
# The blacklist is reset when krb5.conf is reloaded. You can add
|
||||
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
|
||||
# reloaded whenever a JAAS authentication is attempted.
|
||||
#
|
||||
# Example,
|
||||
# krb5.kdc.bad.policy = tryLast
|
||||
# krb5.kdc.bad.policy = tryLess:2,2000
|
||||
krb5.kdc.bad.policy = tryLast
|
||||
|
||||
# Algorithm restrictions for certification path (CertPath) processing
|
||||
#
|
||||
# In some environments, certain algorithms or key lengths may be undesirable
|
||||
# for certification path building and validation. For example, "MD2" is
|
||||
# generally no longer considered to be a secure hash algorithm. This section
|
||||
# describes the mechanism for disabling algorithms based on algorithm name
|
||||
# and/or key length. This includes algorithms used in certificates, as well
|
||||
# as revocation information such as CRLs and signed OCSP Responses.
|
||||
#
|
||||
# The syntax of the disabled algorithm string is described as this Java
|
||||
# BNF-style:
|
||||
# DisabledAlgorithms:
|
||||
# " DisabledAlgorithm { , DisabledAlgorithm } "
|
||||
#
|
||||
# DisabledAlgorithm:
|
||||
# AlgorithmName [Constraint]
|
||||
#
|
||||
# AlgorithmName:
|
||||
# (see below)
|
||||
#
|
||||
# Constraint:
|
||||
# KeySizeConstraint
|
||||
#
|
||||
# KeySizeConstraint:
|
||||
# keySize Operator DecimalInteger
|
||||
#
|
||||
# Operator:
|
||||
# <= | < | == | != | >= | >
|
||||
#
|
||||
# DecimalInteger:
|
||||
# DecimalDigits
|
||||
#
|
||||
# DecimalDigits:
|
||||
# DecimalDigit {DecimalDigit}
|
||||
#
|
||||
# DecimalDigit: one of
|
||||
# 1 2 3 4 5 6 7 8 9 0
|
||||
#
|
||||
# The "AlgorithmName" is the standard algorithm name of the disabled
|
||||
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
|
||||
# Documentation" for information about Standard Algorithm Names. Matching
|
||||
# is performed using a case-insensitive sub-element matching rule. (For
|
||||
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
|
||||
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
|
||||
# sub-element of the certificate algorithm name, the algorithm will be
|
||||
# rejected during certification path building and validation. For example,
|
||||
# the assertion algorithm name "DSA" will disable all certificate algorithms
|
||||
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
|
||||
# will not disable algorithms related to "ECDSA".
|
||||
#
|
||||
# A "Constraint" provides further guidance for the algorithm being specified.
|
||||
# The "KeySizeConstraint" requires a key of a valid size range if the
|
||||
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
|
||||
# key size specified in number of bits. For example, "RSA keySize <= 1024"
|
||||
# indicates that any RSA key with key size less than or equal to 1024 bits
|
||||
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
|
||||
# that any RSA key with key size less than 1024 or greater than 2048 should
|
||||
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
|
||||
# algorithms.
|
||||
#
|
||||
# Note: This property is currently used by Oracle's PKIX implementation. It
|
||||
# is not guaranteed to be examined and used by other implementations.
|
||||
#
|
||||
# Example:
|
||||
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
|
||||
#
|
||||
#
|
||||
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
|
||||
|
||||
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
|
||||
# (SSL/TLS) processing
|
||||
#
|
||||
# In some environments, certain algorithms or key lengths may be undesirable
|
||||
# when using SSL/TLS. This section describes the mechanism for disabling
|
||||
# algorithms during SSL/TLS security parameters negotiation, including
|
||||
# protocol version negotiation, cipher suites selection, peer authentication
|
||||
# and key exchange mechanisms.
|
||||
#
|
||||
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
|
||||
# if they are enabled explicitly in an application.
|
||||
#
|
||||
# For PKI-based peer authentication and key exchange mechanisms, this list
|
||||
# of disabled algorithms will also be checked during certification path
|
||||
# building and validation, including algorithms used in certificates, as
|
||||
# well as revocation information such as CRLs and signed OCSP Responses.
|
||||
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
|
||||
#
|
||||
# See the specification of "jdk.certpath.disabledAlgorithms" for the
|
||||
# syntax of the disabled algorithm string.
|
||||
#
|
||||
# Note: This property is currently used by Oracle's JSSE implementation.
|
||||
# It is not guaranteed to be examined and used by other implementations.
|
||||
#
|
||||
# Example:
|
||||
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
|
||||
|
||||
# jdk.tls.disabledAlgorithms=SSLv3
|
|
@ -0,0 +1,27 @@
|
|||
|
||||
# Set root logger level to DEBUG and its only appender to CONSOLE
|
||||
log4j.rootLogger=TRACE, CONSOLE
|
||||
log4j.error
|
||||
|
||||
log4j.logger.de.fhhannover.inform.irond.proc=TRACE, A1, A2
|
||||
log4j.additivity.de.fhhannover.inform.irond.proc=false
|
||||
|
||||
log4j.appender.A1=org.apache.log4j.ConsoleAppender
|
||||
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
|
||||
log4j.appender.A1.layout.ConversionPattern=%d [%t] %-5p %x - %m%n
|
||||
|
||||
log4j.appender.A2=org.apache.log4j.FileAppender
|
||||
log4j.appender.A2.File=/var/log/contrail/ifmap-server.log
|
||||
log4j.appender.A2.layout=org.apache.log4j.PatternLayout
|
||||
log4j.appender.A2.layout.ConversionPattern=%d [%t] %-5p %x - %m%n
|
||||
|
||||
log4j.logger.de.fhhannover.inform.irond.rawrequests=TRACE, A3
|
||||
log4j.additivity.de.fhhannover.inform.irond.rawrequests=false
|
||||
log4j.appender.A3=org.apache.log4j.FileAppender
|
||||
log4j.appender.A3.file=irond_raw.log
|
||||
log4j.appender.A3.layout=org.apache.log4j.PatternLayout
|
||||
log4j.appender.A3.layout.ConversionPattern=%d %-5p %x - %m%n
|
||||
|
||||
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
|
||||
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
|
||||
log4j.appender.CONSOLE.layout.ConversionPattern=%-8r [%t] %-5p %C{1} %x - %m%n
|
|
@ -0,0 +1,15 @@
|
|||
visual=visual--1877135140-1
|
||||
test=test--1870931913-1
|
||||
test2=test2--1870931914-1
|
||||
test3=test3--1870931915-1
|
||||
api-server=api-server-1--0000000001-1
|
||||
control-node-1=control-node-1--1870931921-1
|
||||
control-node-2=control-node-1--1870931922-1
|
||||
control-node-3=control-node-1--1870931923-1
|
||||
control-node-4=control-node-1--1870931924-1
|
||||
control-node-5=control-node-1--1870931925-1
|
||||
control-node-6=control-node-1--1870931926-1
|
||||
control-node-7=control-node-1--1870931927-1
|
||||
control-node-8=control-node-1--1870931928-1
|
||||
control-node-9=control-node-1--1870931929-1
|
||||
control-node-10=control-node-10--1870931930-1
|
|
@ -0,0 +1,109 @@
|
|||
# Copyright 2015 Mirantis, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# This class installs IF-MAP server for Contrail.
|
||||
|
||||
class contrail::cfgm {
|
||||
|
||||
# Resources defaults
|
||||
Package { ensure => present }
|
||||
|
||||
File {
|
||||
ensure => present,
|
||||
mode => '0644',
|
||||
owner => root,
|
||||
group => root,
|
||||
require => Package['contrail-openstack-config'],
|
||||
}
|
||||
|
||||
Exec { path => '/usr/bin:/usr/sbin:/bin:/sbin' }
|
||||
|
||||
# Packages
|
||||
package { 'openjdk-7-jre-headless': }->
|
||||
package { 'ifmap-server': }->
|
||||
package { 'contrail-openstack-config': }->
|
||||
|
||||
# Java support files
|
||||
file {'/etc/java-7-openjdk/security/java.security':
|
||||
source => 'puppet:///modules/contrail/java.security',
|
||||
require => Package['openjdk-7-jre-headless'],
|
||||
}
|
||||
|
||||
file { '/etc/ifmap-server/log4j.properties':
|
||||
source => 'puppet:///modules/contrail/log4j.properties',
|
||||
require => Package['openjdk-7-jre-headless'],
|
||||
}
|
||||
|
||||
exec { 'update-alternatives-java7':
|
||||
command => 'update-java-alternatives --set java-1.7.0-openjdk-amd64',
|
||||
unless => 'test /etc/alternatives/java -ef /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java',
|
||||
require => Package['openjdk-7-jre-headless'],
|
||||
}
|
||||
|
||||
# Contrail config files
|
||||
file { '/etc/ifmap-server/publisher.properties':
|
||||
source => 'puppet:///modules/contrail/publisher.properties',
|
||||
require => Package['ifmap-server'],
|
||||
}
|
||||
|
||||
file { '/etc/contrail/contrail-api.conf':
|
||||
content => template('contrail/contrail-api.conf.erb'),
|
||||
}
|
||||
|
||||
file { '/etc/contrail/contrail-discovery.conf':
|
||||
content => template('contrail/contrail-discovery.conf.erb'),
|
||||
}
|
||||
|
||||
file { '/etc/contrail/contrail-keystone-auth.conf':
|
||||
content => template('contrail/contrail-keystone-auth.conf.erb'),
|
||||
}
|
||||
|
||||
file { '/etc/contrail/contrail-schema.conf':
|
||||
content => template('contrail/contrail-schema.conf.erb'),
|
||||
}
|
||||
|
||||
file { '/etc/contrail/contrail-svc-monitor.conf':
|
||||
content => template('contrail/contrail-svc-monitor.conf.erb'),
|
||||
}
|
||||
|
||||
file { '/etc/ifmap-server/basicauthusers.properties':
|
||||
content => template('contrail/basicauthusers.properties.erb'),
|
||||
}
|
||||
|
||||
file { '/etc/contrail/contrail-device-manager.conf':
|
||||
content => template('contrail/contrail-device-manager.conf.erb')
|
||||
}
|
||||
|
||||
# Contrail services
|
||||
# Rabbitmq service disabled
|
||||
service {'supervisor-support-service':
|
||||
ensure => stopped,
|
||||
enable => false,
|
||||
require => Package['contrail-openstack-config'],
|
||||
}
|
||||
|
||||
service { 'supervisor-config':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
require => Package['contrail-openstack-config'],
|
||||
subscribe => [File['/etc/contrail/contrail-api.conf'],
|
||||
File['/etc/contrail/contrail-discovery.conf'],
|
||||
File['/etc/contrail/contrail-keystone-auth.conf'],
|
||||
File['/etc/contrail/contrail-schema.conf'],
|
||||
File['/etc/contrail/contrail-svc-monitor.conf'],
|
||||
File['/etc/contrail/contrail-device-manager.conf'],
|
||||
File['/etc/ifmap-server/basicauthusers.properties']],
|
||||
}
|
||||
|
||||
}
|
|
@ -48,7 +48,7 @@ class contrail::setup ($node_name)
|
|||
try_sleep => 30,
|
||||
} ->
|
||||
# Installing components
|
||||
run_fabric { 'install_cfgm': } ->
|
||||
#run_fabric { 'install_cfgm': } ->
|
||||
run_fabric { 'install_control': } ->
|
||||
run_fabric { 'install_collector': } ->
|
||||
run_fabric { 'install_webui': } ->
|
||||
|
@ -60,7 +60,7 @@ class contrail::setup ($node_name)
|
|||
command => "sed -i '49s/service/services/g' ${pythonpath}/contrail_provisioning/config/quantum_in_keystone_setup.py",
|
||||
} ->
|
||||
# Setting up the components
|
||||
run_fabric { 'setup_cfgm': } ->
|
||||
#run_fabric { 'setup_cfgm': } ->
|
||||
exec {'update_neutron_pwd':
|
||||
command => "keystone --os-endpoint http://${contrail::mos_mgmt_vip}:35357/v2.0 --os-token ${contrail::admin_token} \
|
||||
--os-tenant-name services user-password-update --pass ${contrail::service_token} neutron"} ->
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
<%-
|
||||
nodes=scope.function_hiera(['nodes'])
|
||||
contrail_node_basename=scope.lookupvar('contrail::contrail_node_basename')
|
||||
priv_ip=Array.new
|
||||
nodes.each do |node|
|
||||
case node['role']
|
||||
when 'base-os'
|
||||
if node['user_node_name'] =~ /^#{contrail_node_basename}-.*/
|
||||
priv_ip << node['private_address']
|
||||
end
|
||||
end
|
||||
end
|
||||
-%>
|
||||
test:test
|
||||
test2:test2
|
||||
test3:test3
|
||||
api-server:api-server
|
||||
schema-transformer:schema-transformer
|
||||
svc-monitor:svc-monitor
|
||||
control-user:control-user-passwd
|
||||
control-node-1:control-node-1
|
||||
control-node-2:control-node-2
|
||||
control-node-3:control-node-3
|
||||
control-node-4:control-node-4
|
||||
control-node-5:control-node-5
|
||||
control-node-6:control-node-6
|
||||
control-node-7:control-node-7
|
||||
control-node-8:control-node-8
|
||||
control-node-9:control-node-9
|
||||
control-node-10:control-node-10
|
||||
dhcp:dhcp
|
||||
visual:visual
|
||||
sensor:sensor
|
||||
|
||||
# compliance testsuite users
|
||||
mapclient:mapclient
|
||||
helper:mapclient
|
||||
|
||||
# This is a read-only MAPC
|
||||
reader:reader
|
||||
<%- priv_ip.each do |ip| -%>
|
||||
<%= ip %>:<%= ip %>
|
||||
<%= ip %>.dns:<%= ip %>.dns
|
||||
<%- end -%>
|
|
@ -0,0 +1,41 @@
|
|||
<%-
|
||||
nodes=scope.function_hiera(['nodes'])
|
||||
contrail_node_basename=scope.lookupvar('contrail::contrail_node_basename')
|
||||
priv_ip=Array.new
|
||||
nodes.each do |node|
|
||||
case node['role']
|
||||
when 'base-os'
|
||||
if node['user_node_name'] =~ /^#{contrail_node_basename}-.*/
|
||||
priv_ip << node['private_address']
|
||||
end
|
||||
end
|
||||
end
|
||||
-%>
|
||||
[DEFAULTS]
|
||||
ifmap_server_ip=<%= scope.lookupvar('contrail::address') %>
|
||||
ifmap_server_port=8443
|
||||
ifmap_username=api-server
|
||||
ifmap_password=api-server
|
||||
cassandra_server_list=<%= priv_ip.map{ |ip| "#{ip}:9160" }.join(' ') %>
|
||||
listen_ip_addr=0.0.0.0
|
||||
listen_port=8082
|
||||
multi_tenancy=True
|
||||
log_file=/var/log/contrail/contrail-api.log
|
||||
log_local=1
|
||||
log_level=SYS_NOTICE
|
||||
disc_server_ip=<%= scope.lookupvar('contrail::contrail_private_vip') %>
|
||||
disc_server_port=5998
|
||||
zk_server_ip=<%= priv_ip.map{ |ip| "#{ip}:2181" }.join(',') %>
|
||||
redis_server_ip=$__contrail_redis_ip__
|
||||
rabbit_server=<%= scope.lookupvar('contrail::mos_mgmt_vip') %>
|
||||
rabbit_port=5673
|
||||
list_optimization_enabled=True
|
||||
auth = keystone
|
||||
rabbit_user = nova
|
||||
rabbit_password = <%= scope.lookupvar('contrail::rabbit_password') %>
|
||||
|
||||
[SECURITY]
|
||||
use_certs=False
|
||||
keyfile=/etc/contrail/ssl/private_keys/apiserver_key.pem
|
||||
certfile=/etc/contrail/ssl/certs/apiserver.pem
|
||||
ca_certs=/etc/contrail/ssl/certs/ca.pem
|
|
@ -0,0 +1,14 @@
|
|||
[DEFAULTS]
|
||||
api_server_ip=<%= scope.lookupvar('contrail::contrail_mgmt_vip') %>
|
||||
api_server_port=8082
|
||||
zk_server_ip=<%= priv_ip.map{ |ip| "#{ip}:2181" }.join(',') %>
|
||||
log_file=/var/log/contrail/contrail-device-manager.log
|
||||
cassandra_server_list=<%= priv_ip.map{ |ip| "#{ip}:9160" }.join(' ') %>
|
||||
disc_server_ip=<%= scope.lookupvar('contrail::contrail_private_vip') %>
|
||||
disc_server_port=5998
|
||||
log_local=1
|
||||
log_level=SYS_NOTICE
|
||||
rabbit_server=<%= scope.lookupvar('contrail::mos_mgmt_vip') %>
|
||||
rabbit_port=5673
|
||||
rabbit_user = nova
|
||||
rabbit_password = <%= scope.lookupvar('contrail::rabbit_password') %>
|
|
@ -0,0 +1,54 @@
|
|||
<%-
|
||||
nodes=scope.function_hiera(['nodes'])
|
||||
contrail_node_basename=scope.lookupvar('contrail::contrail_node_basename')
|
||||
priv_ip=Array.new
|
||||
nodes.each do |node|
|
||||
case node['role']
|
||||
when 'base-os'
|
||||
if node['user_node_name'] =~ /^#{contrail_node_basename}-.*/
|
||||
priv_ip << node['private_address']
|
||||
end
|
||||
end
|
||||
end
|
||||
-%>
|
||||
[DEFAULTS]
|
||||
zk_server_ip=<%= priv_ip.join(',') %>
|
||||
zk_server_port=2181
|
||||
listen_ip_addr=0.0.0.0
|
||||
listen_port=5998
|
||||
log_local=True
|
||||
log_file=/var/log/contrail/discovery.log
|
||||
cassandra_server_list=<%= priv_ip.map{ |ip| "#{ip}:9160" }.join(' ') %>
|
||||
log_level=SYS_NOTICE
|
||||
|
||||
# minimim time to allow client to cache service information (seconds)
|
||||
ttl_min=300
|
||||
|
||||
# maximum time to allow client to cache service information (seconds)
|
||||
ttl_max=1800
|
||||
|
||||
# health check ping interval <=0 for disabling
|
||||
hc_interval=5
|
||||
|
||||
# maximum hearbeats to miss before server will declare publisher out of
|
||||
# service.
|
||||
hc_max_miss=3
|
||||
|
||||
# use short TTL for agressive rescheduling if all services are not up
|
||||
ttl_short=1
|
||||
|
||||
# for DNS service, we use fixed policy
|
||||
# even when the cluster has more than two control nodes, only two of these
|
||||
# should provide the DNS service
|
||||
[DNS-SERVER]
|
||||
policy = fixed
|
||||
|
||||
######################################################################
|
||||
# Other service specific knobs ...
|
||||
|
||||
# use short TTL for agressive rescheduling if all services are not up
|
||||
# ttl_short=1
|
||||
|
||||
# specify policy to use when assigning services
|
||||
# policy = [load-balance | round-robin | fixed]
|
||||
######################################################################
|
|
@ -0,0 +1,11 @@
|
|||
[KEYSTONE]
|
||||
auth_host=<%= scope.lookupvar('contrail::mos_mgmt_vip') %>
|
||||
auth_protocol=http
|
||||
auth_port=35357
|
||||
auth_url=http://<%= scope.lookupvar('contrail::mos_mgmt_vip') %>:35357/v2.0
|
||||
admin_user=neutron
|
||||
admin_password=<%= scope.lookupvar('contrail::service_token') %>
|
||||
admin_token=<%= scope.lookupvar('contrail::admin_token') %>
|
||||
admin_tenant_name=services
|
||||
insecure=False
|
||||
memcache_servers=127.0.0.1:11211
|
|
@ -0,0 +1,33 @@
|
|||
<%-
|
||||
nodes=scope.function_hiera(['nodes'])
|
||||
contrail_node_basename=scope.lookupvar('contrail::contrail_node_basename')
|
||||
priv_ip=Array.new
|
||||
nodes.each do |node|
|
||||
case node['role']
|
||||
when 'base-os'
|
||||
if node['user_node_name'] =~ /^#{contrail_node_basename}-.*/
|
||||
priv_ip << node['private_address']
|
||||
end
|
||||
end
|
||||
end
|
||||
-%>
|
||||
[DEFAULTS]
|
||||
ifmap_server_ip=<%= scope.lookupvar('contrail::address') %>
|
||||
ifmap_server_port=8443
|
||||
ifmap_username=schema-transformer
|
||||
ifmap_password=schema-transformer
|
||||
api_server_ip=<%= scope.lookupvar('contrail::contrail_mgmt_vip') %>
|
||||
api_server_port=8082
|
||||
zk_server_ip=<%= priv_ip.map{ |ip| "#{ip}:2181" }.join(',') %>
|
||||
log_file=/var/log/contrail/contrail-schema.log
|
||||
cassandra_server_list=<%= priv_ip.map{ |ip| "#{ip}:9160" }.join(' ') %>
|
||||
disc_server_ip=<%= scope.lookupvar('contrail::contrail_private_vip') %>
|
||||
disc_server_port=5998
|
||||
log_local=1
|
||||
log_level=SYS_NOTICE
|
||||
|
||||
[SECURITY]
|
||||
use_certs=False
|
||||
keyfile=/etc/contrail/ssl/private_keys/schema_xfer_key.pem
|
||||
certfile=/etc/contrail/ssl/certs/schema_xfer.pem
|
||||
ca_certs=/etc/contrail/ssl/certs/ca.pem
|
|
@ -0,0 +1,42 @@
|
|||
<%-
|
||||
nodes=scope.function_hiera(['nodes'])
|
||||
contrail_node_basename=scope.lookupvar('contrail::contrail_node_basename')
|
||||
priv_ip=Array.new
|
||||
nodes.each do |node|
|
||||
case node['role']
|
||||
when 'base-os'
|
||||
if node['user_node_name'] =~ /^#{contrail_node_basename}-.*/
|
||||
priv_ip << node['private_address']
|
||||
end
|
||||
end
|
||||
end
|
||||
-%>
|
||||
[DEFAULTS]
|
||||
ifmap_server_ip=<%= scope.lookupvar('contrail::address') %>
|
||||
ifmap_server_port=8443
|
||||
ifmap_username=svc-monitor
|
||||
ifmap_password=svc-monitor
|
||||
api_server_ip=<%= scope.lookupvar('contrail::contrail_mgmt_vip') %>
|
||||
api_server_port=8082
|
||||
zk_server_ip=<%= priv_ip.map{ |ip| "#{ip}:2181" }.join(',') %>
|
||||
log_file=/var/log/contrail/contrail-svc-monitor.log
|
||||
cassandra_server_list=<%= priv_ip.map{ |ip| "#{ip}:9160" }.join(' ') %>
|
||||
disc_server_ip=<%= scope.lookupvar('contrail::contrail_private_vip') %>
|
||||
disc_server_port=5998
|
||||
region_name=RegionOne
|
||||
log_local=1
|
||||
log_level=SYS_NOTICE
|
||||
rabbit_server=<%= scope.lookupvar('contrail::mos_mgmt_vip') %>
|
||||
rabbit_port=5673
|
||||
rabbit_password = <%= scope.lookupvar('contrail::rabbit_password') %>
|
||||
rabbit_user = nova
|
||||
|
||||
[SECURITY]
|
||||
use_certs=False
|
||||
keyfile=/etc/contrail/ssl/private_keys/svc_monitor_key.pem
|
||||
certfile=/etc/contrail/ssl/certs/svc_monitor.pem
|
||||
ca_certs=/etc/contrail/ssl/certs/ca.pem
|
||||
|
||||
[SCHEDULER]
|
||||
analytics_server_ip=<%= scope.lookupvar('contrail::contrail_mgmt_vip') %>
|
||||
analytics_server_port=8081
|
Loading…
Reference in New Issue