Corrects rabbitmq user, yum cache cleaning

- corrects the rabbitmq 'guest' user to 'openstack' for a more secure
  installation, as 'guest' is not secure and is deleted in other
  non-Chef deployments.
- adds update_yum_cache attribute to conditionally include the yum
  recipe, removing the hardcoded entries from the run lists. This
  prevents yum.conf from showing up on Debian-based machines.
- enforces GPG checking for RDO packages, uses correct key.

Change-Id: I89714e06eab803985ebffcdff5ff77655287c3e6
Samuel Cassiba 2017-04-07 15:18:33 -07:00
parent baa6f22baf
commit 1e2bd7a338
6 changed files with 13 additions and 6 deletions


@ -134,11 +134,12 @@ default['openstack']['apt']['live_updates_enabled'] = true
default['openstack']['apt']['uri'] = 'http://ubuntu-cloud.archive.canonical.com/ubuntu'
default['openstack']['apt']['components'] = ['main']
default['openstack']['yum']['update_yum_cache'] = false
default['openstack']['yum']['rdo_enabled'] = true
default['openstack']['yum']['uri'] = "http://mirror.centos.org/centos/$releasever/cloud/$basearch/openstack-#{node['openstack']['release']}"
default['openstack']['yum']['repo-key'] = "https://github.com/redhat-openstack/rdo-release/raw/#{node['openstack']['release']}/RPM-GPG-KEY-CentOS-SIG-Cloud"
default['openstack']['yum']['repo-key'] = "https://github.com/rdo-infra/rdo-release/raw/#{node['openstack']['release']}-rdo/RPM-GPG-KEY-CentOS-SIG-Cloud"
# Enforcing GnuPG signature check for RDO repo. Set this to false if you want to disable the check.
default['openstack']['yum']['gpgcheck'] = false
default['openstack']['yum']['gpgcheck'] = true
default['openstack']['endpoints']['family'] = 'inet'
# Set a default region that other regions are set to - such that changing the region for all services can be done in one place
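Review bot: The trust anchor for the newly enforced signature check is a key downloaded from a branch-named GitHub raw URL (`.../raw/#{node['openstack']['release']}-rdo/RPM-GPG-KEY-CentOS-SIG-Cloud`), a mutable ref, so a change on that branch changes the key that `gpgcheck = true` relies on. The package `uri` two lines above is plain `http://`, which leaves the signature check as the main integrity control for RDO packages. I would extend the existing comment to say so, for example `# repo-key is the trust anchor for gpgcheck; prefer a vendored or internally mirrored copy whose fingerprint you have verified.` Because the default flips from false to true, deployers who override `uri` to a local mirror should also confirm their `repo-key` override matches that mirror's signing key.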


@ -44,7 +44,7 @@ services = %w(bare-metal block-storage compute database image
###################################################################
default['openstack']['mq']['server_role'] = 'os-ops-messaging'
default['openstack']['mq']['service_type'] = 'rabbit'
default['openstack']['mq']['user'] = 'guest'
default['openstack']['mq']['user'] = 'openstack'
default['openstack']['mq']['vhost'] = '/'
# defined in oslo/messaging/_drivers/amqp.py
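Review bot: Changing this default to 'openstack' only changes which account the clients present. Nothing on this page shows the 'openstack' account being created on the broker or the built-in 'guest' account being removed, so that presumably lives in the messaging cookbook and should be confirmed. The spec in this commit stubs `get_password` with `('user', 'openstack')`, which suggests the secret is looked up under the user name and that entries stored under 'guest' would no longer be found after an upgrade. A comment such as `# Must match a user created on the broker; its password is looked up under this name, and the stock 'guest' account should be deleted.` would make both points visible to operators.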


@ -39,6 +39,7 @@ when 'debian'
end
end
when 'rhel'
include_recipe 'yum' if node['openstack']['yum']['update_yum_cache']
if node['openstack']['yum']['rdo_enabled']
repo_action = :add
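Review bot: The name `update_yum_cache` reads like a cache refresh, but the added line includes the whole `yum` recipe, which according to the commit message is what writes yum.conf. A one-line comment here or on the attribute, e.g. `# Includes the yum cookbook's default recipe (manages yum.conf); disabled by default.`, would make the real effect clear. The `when 'rhel'` branch continues outside the hunk.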


@ -15,6 +15,7 @@ describe 'openstack-common::default' do
before do
node.set['openstack']['yum']['rdo_enabled'] = true
node.set['openstack']['yum']['gpgcheck'] = true
node.set['openstack']['yum']['update_yum_cache'] = true
end
it 'adds RDO yum repository' do
@ -24,6 +25,10 @@ describe 'openstack-common::default' do
.with(gpgcheck: true)
end
it 'includes yum recipe' do
expect(chef_run).to include_recipe('yum')
end
it 'includes yum-epel recipe' do
expect(chef_run).to include_recipe('yum-epel')
end
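Review bot: The new example covers only the case where `update_yum_cache` is set to true in the `before` block. The default is false, and that path, which the commit message gives as the reason for the change, has no assertion. A sibling context that leaves the attribute unset could pin it with `expect(chef_run).not_to include_recipe('yum')`. The same applies to `gpgcheck`: the spec sets it to true explicitly, so it would not notice if the attribute default went back to false. The `describe` block starts and ends outside these hunks.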


@ -53,7 +53,7 @@ describe 'openstack-common::default' do
context 'rabbit mq' do
rabbit_opts = {
'userid' => 'guest',
'userid' => 'openstack',
'vhost' => '/',
'port' => '5672',
'host' => '127.0.0.1',


@ -103,9 +103,9 @@ describe 'openstack-common::default' do
it do
allow(subject).to receive(:node).and_return(chef_run.node)
allow(subject).to receive(:get_password)
.with('user', 'guest')
.with('user', 'openstack')
.and_return('mypass')
expected = 'rabbit://guest:mypass@127.0.0.1:5672/'
expected = 'rabbit://openstack:mypass@127.0.0.1:5672/'
expect(subject.rabbit_transport_url('compute')).to eq(expected)
end