Chapter 8. Puppet Parameters
Note
Choose from the following roles to be configured on the host.
- broker: Installs the broker and Management Console applications.
- node: Installs the node component and cartridges.
- msgserver: Installs an ActiveMQ message broker.
- datastore: Installs MongoDB (not sharded/replicated).
- nameserver: Installs a BIND DNS server configured with a TSIG key for dynamic updates.
Default: ['broker','node','msgserver','datastore','nameserver']
This sets the method for providing packages to the installation process. Currently, the only supported option for OpenShift Enterprise is none, meaning installation sources must already be set up when the module executes (for example, using RHSM or RHN Classic).
The network domain, or cloud domain, under which applications and hosts will be placed.
Default: 'example.com'
These parameters supply the FQDN of the hosts containing the respective components. Used for configuring the host’s name at installation and for configuring the broker application to reach the required services.
Default: domain (for example, broker.example.com), except nameserver=ns1.example.com.
Note
IP addresses of the first three MongoDB servers in a replica set. Add datastoreX_ip_addr parameters for larger clusters.
Default: undef
IP of a name server instance or current IP if installing on this node. This is used by every host to configure its primary name server.
When the name server is remote, use this to specify the key for updates. This is the Key: field from the .private key file generated by the dnssec-keygen command. This field is required on all node hosts.
When using a BIND key, use this algorithm for the BIND key.
Default: 'HMAC-MD5'
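The two parameters above are filled from a dnssec-keygen .private file: the Key: field becomes the BIND key and the Algorithm: line must agree with the configured algorithm. The following added shell example (not part of the openshift_origin module or the Red Hat documentation) extracts the Key: field, maps the file's numeric TSIG algorithm to the name the module expects, and refuses a key file that is readable by group or other, since the file is a shared secret. The .private file contents and the base64 key value are constructed for the example; the algorithm-number mapping uses BIND's private-use numbers (157 = HMAC-MD5, 161 = HMAC-SHA1, 163 = HMAC-SHA256, 165 = HMAC-SHA512).

```shell
# Added example, not the module's own code. Pulls the bind key parameter
# value out of a dnssec-keygen .private file and sanity-checks the file.

# Print the base64 "Key:" field of a dnssec-keygen .private file.
# Prints nothing and exits 1 if the file has no Key: line.
extract_bind_key() {
    awk -F': ' '$1 == "Key" { print $2; found = 1 } END { exit !found }' "$1"
}

# Map the numeric TSIG algorithm recorded on the "Algorithm:" line to the
# name used for the BIND key algorithm parameter (HMAC-MD5 is the page's
# default). Returns 1 for an algorithm this example does not know.
bind_key_algorithm() {
    alg=$(awk -F': ' '$1 == "Algorithm" { print $2; exit }' "$1")
    case "$alg" in
        157*) echo HMAC-MD5 ;;
        161*) echo HMAC-SHA1 ;;
        163*) echo HMAC-SHA256 ;;
        165*) echo HMAC-SHA512 ;;
        *) return 1 ;;
    esac
}

# Returns 0 only when group and other have no permission bits at all
# (for example mode 0600 or 0400); the group/other columns of ls -l are
# characters 5-10, so they must all be '-'.
key_file_is_private() {
    perm=$(ls -l "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Constructed sample .private file in the layout dnssec-keygen writes.
# The key value is a made-up base64 string, not a real key.
KEYFILE=$(mktemp)
trap 'rm -f "$KEYFILE"' EXIT
cat > "$KEYFILE" <<'EOF'
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: c29tZS1jb25zdHJ1Y3RlZC1rZXktbWF0ZXJpYWw=
Bits: AAA=
Created: 20140101000000
Publish: 20140101000000
Activate: 20140101000000
EOF
chmod 600 "$KEYFILE"

# Stand-alone run: only emit the parameter value when every check passes.
if key_file_is_private "$KEYFILE" \
   && [ "$(bind_key_algorithm "$KEYFILE")" = HMAC-MD5 ]; then
    echo "bind key: $(extract_bind_key "$KEYFILE")"
else
    echo "key file rejected: check permissions and algorithm" >&2
fi
```

Run the block against a real file by replacing the constructed KEYFILE with the path of the generated .private file; a non-zero exit from any of the three functions means the value should not be copied into the module parameters yet.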
When the name server is remote, this Kerberos keytab together with a Kerberos principal can be used instead of the dnssec key for updates.
When the name server is remote, this Kerberos principal together with a Kerberos keytab can be used instead of the dnssec key for updates.
This and the aws_secret_key parameter are Amazon AWS security credentials. The aws_access_key_id is a string which identifies an access credential.
This is the secret portion of Amazon AWS security credentials indicated by the aws_access_key_id parameter.
This is the ID string for an AWS Hosted zone which will contain the OpenShift Enterprise application records.
List of upstream DNS servers to use when installing a nameserver on this node.
Default: ['8.8.8.8']
This is used for node hosts to record their broker. It is also the default for the name server IP if none is given.
The virtual IP address that will front-end the broker cluster.
Default: undef
The host name that represents the broker API cluster. This name is associated with the broker_virtual_ip_address parameter and added to BIND for DNS resolution.
Default: 'changeme'
This is used for node hosts to give a public IP, if different from the one on its NIC.
The following resource limits must be the same within a given district.
- node_profile: This is the specific node’s gear profile. Default: 'small'
- node_quota_files: The max number of files allowed in each gear. Default: '80000'
- node_quota_blocks: The max storage capacity allowed in each gear (1 block = 1024 bytes). Default: '1048576'
- node_max_active_gears: This is used for limiting or guiding gear placement. For no overcommit, this must be: (Total System Memory - 1G) / memory_limit_in_bytes. Default: '100'
- node_no_overcommit_active: This enforces the node_max_active_gears parameter in a more stringent manner than normal. However, it also adds overhead to gear creation, so it should only be set to true when required, for example, when enforcing single tenancy on a node. Default: false
- node_limits_nproc: The max number of processes. Default: '250'
- node_tc_max_bandwidth: Total bandwidth (mbit/sec) allowed for all gears. Default: '800'
- node_tc_user_share: Bandwidth (mbit/sec) one user is allotted. Default: '2'
- node_cpu_shares: The CPU share percentage for each gear. Default: '128'
- node_cpu_cfs_quota_us: Default: '100000'
- node_memory_limit_in_bytes: Gear memory limit in bytes. Default: '536870912' (512MB)
- node_memsw_limit_in_bytes: Gear max memory limit including swap (512M + 100M swap). Default: '641728512'
- node_memory_oom_control: Kill processes when hitting out of memory. Default: '1'
- node_throttle_cpu_shares: The CPU share percentage each gear receives at throttle. Default: '128'
- node_throttle_cpu_cfs_quota_us: Default: '30000'
- node_throttle_apply_period: Default: 120
- node_throttle_apply_percent: Default: '30'
- node_throttle_restore_percent: Default: '70'
- node_boosted_cpu_cfs_quota_us: Default: '200000'
- node_boosted_cpu_shares: The CPU share percentage each gear receives while boosted. Default: '30000'
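The node_max_active_gears entry above gives the no-overcommit formula, (Total System Memory - 1G) / memory_limit_in_bytes, and the memsw default is the memory limit plus 100M of swap. The following added shell example (not code from the openshift_origin module) turns both relations into functions that work in bytes, so the values can be checked before they are written into the node parameters and kept identical across a district. The MemTotal reader assumes a Linux /proc/meminfo; the stand-alone run uses the page's default memory limit of 536870912 bytes.

```shell
# Added example, not the module's own code. Computes the no-overcommit
# node_max_active_gears value and the matching memsw limit from byte counts.

GIB=1073741824
MIB=1048576

# (total - 1 GiB) / per-gear memory limit, truncated: a partial gear does
# not fit. Arguments are byte counts. Returns 1 for a zero or negative limit,
# prints 0 when the host has no more than 1 GiB to give out.
max_active_gears_no_overcommit() {
    total=$1; limit=$2
    [ "$limit" -gt 0 ] || return 1
    if [ "$total" -le "$GIB" ]; then
        echo 0
        return 0
    fi
    echo $(( (total - GIB) / limit ))
}

# node_memsw_limit_in_bytes as on this page: memory limit plus 100M of swap.
memsw_limit_for() {
    echo $(( $1 + 100 * MIB ))
}

# MemTotal from /proc/meminfo, converted from kB to bytes (Linux only).
total_system_memory_bytes() {
    awk '/^MemTotal:/ { print $2 * 1024; exit }' /proc/meminfo
}

# Stand-alone run: report the values for this host with the page's default
# gear memory limit (512MB).
if [ -r /proc/meminfo ]; then
    host_total=$(total_system_memory_bytes)
    gear_limit=536870912
    echo "node_max_active_gears (no overcommit): $(max_active_gears_no_overcommit "$host_total" "$gear_limit")"
    echo "node_memsw_limit_in_bytes: $(memsw_limit_for "$gear_limit")"
fi
```

For an 8 GiB host with the default 512MB limit the function yields 14 gears; compare that figure with the '100' default before enabling node_no_overcommit_active, which only makes the limit stricter and does not lower it for you.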
Enabling this configures NTP. It is important that the time be synchronized across hosts because MCollective messages have a TTL of 60 seconds and may be dropped if the clocks are too far out of sync. However, NTP is not necessary if the clock will be kept in sync by some other means.
Default: true
If the configure_ntp parameter is set to true (default), this parameter allows users to specify an array of NTP servers used for clock synchronization.
Default: ['time.apple.com iburst', 'pool.ntp.org iburst', 'clock.redhat.com iburst']
Note
iburst after every NTP server definition to speed up the initial synchronization.
Set to true to cluster ActiveMQ for high availability and scalability of OpenShift Enterprise message queues.
Default: false
An array of ActiveMQ server host names. Required when the msgserver_cluster parameter is set to true.
Default: undef
An array of ActiveMQ server host names. Required when the msgserver_cluster parameter is set to true.
Default: $msgserver_cluster_members
Password used by ActiveMQ’s amquser. The amquser is used to authenticate ActiveMQ inter-cluster communication. Only used when the msgserver_cluster parameter is set to true.
Default: 'changeme'
This is the password for the admin user for the ActiveMQ Admin Console, which is not needed by OpenShift Enterprise, but might be useful in troubleshooting.
This is the user and password shared between broker and node for communicating over the MCollective topic channels in ActiveMQ. Must be the same on all broker and node hosts.
Default: 'mcollective' / 'marionette'
This is the user name and password of the administrative user that will be created in the MongoDB datastore. These credentials are not used by this module or by OpenShift Enterprise, but an administrative user must be added to MongoDB in order for it to enforce authentication.
Default: 'admin' / 'mongopass'
Note
CONF_NO_DATASTORE_AUTH_FOR_LOCALHOST is enabled.
This is the user name and password of the normal user that will be created for the broker to connect to the MongoDB datastore. The broker application’s MongoDB plug-in is also configured with these values.
Default: 'openshift' / 'mongopass'
This is the name of the database in MongoDB in which the broker will store data.
Default: 'openshift_broker'
The TCP port for MongoDB to listen on.
Default: '27017'
Enables or disables MongoDB replica sets for database high availability.
Default: false
The MongoDB replica set name when the mongodb_replicasets parameter is set to true.
Default: 'openshift'
Set the host as the primary with true or secondary with false. Must be set on one and only one host within the mongodb_replicasets_members array.
Default: undef
The IP address of the primary host within the MongoDB replica set.
Default: undef
An array of [host:port] entries for the replica set hosts.
Default: undef
The file containing the mongodb_key used to authenticate MongoDB replica set members.
Default: '/etc/mongodb.keyfile'
The key used by members of a MongoDB replica set to authenticate one another.
Default: 'changeme'
This user and password are entered in the /etc/openshift/htpasswd file as a test user. Red Hat recommends removing the user after installation or using a different authentication method.
Default: 'demo' / 'changeme'
Salt and private keys used when generating secure authentication tokens for application-to-broker communication. Requests like scale up or down and Jenkins builds use these authentication tokens. This value must be the same on all broker nodes.
Relative path to the product logo URL. If the ose_version parameter is undefined, the default is /assets/logo-origin.svg. If the ose_version parameter is defined, the default is /assets/logo-enterprise-horizontal.svg.
OpenShift instance name. If the ose_version parameter is undefined, the default is OpenShift Origin. If the ose_version parameter is defined, the default is OpenShift Enterprise.
This setting is applied on a per-scalable-application basis. When set to true, OpenShift Enterprise allows multiple instances of the HAProxy gear for a given scalable application to be established on the same node. Otherwise, on a per-scalable-application basis, a maximum of one HAProxy gear can be created for every node in the deployment. The latter is the default behavior, which protects scalable applications from single points of failure at the node level.
Default: false
Session secrets used to encode cookies used by the broker and Management Console applications. These values must be the same on all broker nodes.
Default: undef
List of all gear sizes that will be used in this OpenShift Enterprise installation.
Default: ['small']
Default gear size if one is not specified.
Default: 'small'
List of all gear sizes that newly created users will be able to create.
Default: ['small']
Default max number of domains a user is allowed to use.
Default: '10'
Default max number of gears a user is allowed to use.
Default: '100'
DNS plug-in used by the broker to register application DNS entries. Only one option is supported with OpenShift Enterprise:
- nsupdate: An nsupdate-based plug-in. Supports TSIG and GSS-TSIG based authentication. Uses the bind_key parameter for TSIG and the bind_krb_keytab and bind_krb_principal parameters for GSS-TSIG.
Default: 'nsupdate'
Authentication setup for users of the OpenShift service. Options:
- mongo: Stores user names and passwords in MongoDB.
- kerberos: Kerberos-based authentication. Uses the broker_krb_service_name, broker_krb_auth_realms, and broker_krb_keytab parameters.
- htpasswd: Stores user names and passwords in the /etc/openshift/htpasswd file.
- ldap: LDAP-based authentication. Uses the broker_ldap_uri parameter.
Default: 'htpasswd'
The KrbServiceName value for a mod_auth_kerb configuration.
The KrbAuthRealms value for a mod_auth_kerb configuration.
The Krb5KeyTab value of mod_auth_kerb is not configurable. The keytab is expected to be at /var/www/openshift/broker/httpd/conf.d/http.keytab.
The URI to the LDAP server, for example:
ldap://ldap.example.com:389/ou=People,dc=my-domain,dc=com?uid?sub?(objectClass=*)
LDAP DN (Distinguished Name) of the user to bind to the directory with. For example:
cn=administrator,cn=Users,dc=domain,dc=com
Password of the bind user set in the broker_ldap_bind_dn parameter.
The kernel.shmmax sysctl setting for the /etc/sysctl.conf file.
- shmmax = shmall * PAGE_SIZE
- PAGE_SIZE = getconf PAGE_SIZE
- shmall = cat /proc/sys/kernel/shmall
shmmax to a value higher than 80% of total available RAM on the system (expressed in BYTES).
Default: kernel.shmmax = 68719476736
The kernel.shmall sysctl setting for the /etc/sysctl.conf file. Defaults to 2097152 BYTES.
- ceil(shmmax/PAGE_SIZE)
Default: kernel.shmall = 4294967296
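The two sysctl entries above are tied together by shmmax = shmall * PAGE_SIZE and shmall = ceil(shmmax/PAGE_SIZE), and the page warns against a shmmax above 80% of total RAM. The following added shell example (not the module's own code) implements those relations with integer arithmetic, renders the two /etc/sysctl.conf lines, and reports whether a shmmax value stays inside the 80% budget. The stand-alone run reads the live page size, shmall and MemTotal on Linux; it skips the live report when the kernel's shmall is one of the very large modern defaults that would overflow 64-bit shell arithmetic.

```shell
# Added example, not the module's own code. Relates kernel.shmmax and
# kernel.shmall as described on this page and checks the 80%-of-RAM guidance.

# shmmax in bytes from shmall (in pages) and the page size.
shmmax_from_shmall() {
    echo $(( $1 * $2 ))
}

# shmall in pages from shmmax in bytes: ceiling division, so that the whole
# of shmmax is addressable rather than truncating the last partial page.
shall_helper_unused() { :; }
shmall_from_shmmax() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Returns 0 when shmmax <= 80% of total RAM (both in bytes), 1 otherwise.
# Written as shmmax*5 <= total*4 to stay in integer arithmetic.
shmmax_within_ram_budget() {
    [ $(( $1 * 5 )) -le $(( $2 * 4 )) ]
}

# The two lines as they would appear in /etc/sysctl.conf.
sysctl_conf_lines() {
    printf 'kernel.shmmax = %s\nkernel.shmall = %s\n' "$1" "$2"
}

# Stand-alone run on a Linux host. Guard on the digit count of shmall
# because recent kernels default it to a value near ULONG_MAX, which would
# overflow the multiplication.
if [ -r /proc/sys/kernel/shmall ] && [ -r /proc/meminfo ]; then
    page_size=$(getconf PAGE_SIZE)
    live_shmall=$(cat /proc/sys/kernel/shmall)
    if [ ${#live_shmall} -le 12 ]; then
        live_shmmax=$(shmmax_from_shmall "$live_shmall" "$page_size")
        ram_bytes=$(awk '/^MemTotal:/ { print $2 * 1024; exit }' /proc/meminfo)
        sysctl_conf_lines "$live_shmmax" "$live_shmall"
        shmmax_within_ram_budget "$live_shmmax" "$ram_bytes" \
            || echo "warning: shmmax exceeds 80% of RAM ($ram_bytes bytes)" >&2
    else
        echo "shmall ($live_shmall) is too large for this check; set it explicitly" >&2
    fi
fi
```

With a 4096-byte page, the page's default kernel.shmmax of 68719476736 corresponds to a shmall of 16777216 pages, which is a useful cross-check when the two values are set by hand.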
Specify the container type to use on the node. Currently, the selinux plug-in is the default and only supported option for OpenShift Enterprise.
Default: 'selinux'
Specify one or more plug-ins to use to register HTTP and WebSocket connections for applications. Options:
- apache-vhost: A Virtual Host-based plug-in for HTTP and HTTPS. Suited for installations with less application create and delete activity. Easier to customize. If apache-mod-rewrite is also selected, apache-vhost is ignored.
- nodejs-websocket: A WebSocket proxy listening on ports 8000 and 8443.
- haproxy-sni-proxy: A TLS proxy using SNI routing on ports 2303 through 2308.
- apache-mod-rewrite: Deprecated in OpenShift Enterprise 2.2. A mod_rewrite-based plug-in for HTTP and HTTPS requests. Suited for installations with many create, delete, and scale actions. Cannot be used at the same time as the apache-vhost plug-in.
Default: ['apache-vhost','nodejs-websocket']
List of user names who have UIDs in the range of OpenShift Enterprise gears but must be excluded from gear setups.
Default: []
External facing network device. Used for routing and traffic control setup.
Default: 'eth0'
Public and private keys used for gears on the default domain. Both values must be defined or default self-signed keys will be generated.
Name of supplementary UNIX group to add a gear to.
Enable or disable the OpenShift Enterprise node Watchman service.
Default: true
Number of restarts to attempt before waiting RETRY_PERIOD.
Default: '3'
Number of seconds to wait before accepting another gear restart.
Default: '300'
Number of seconds to wait before resetting retries.
Default: '28800'
Number of seconds a gear must remain inconsistent with its state before Watchman attempts to reset state.
Default: '900'
Wait at least this number of seconds since the last check before checking gear state on the node. Use this to reduce the impact of Watchman’s GearStatePlugin on the system.
Default: '0'
Define a custom MOTD to be displayed to users who connect to their gears directly. If undefined, uses the default MOTD included with the node package.
Default: undef
Set development mode and extra logging.
Default: false
Install a Getty shell which displays DNS, IP, and login information. Used for the all-in-one VM installation.
Set up DNS entries for this host in a locally-installed BIND DNS instance.
Default: false
The name of a zone to create which will contain OpenShift Enterprise infrastructure hosts. If this is unset, then no infrastructure zone or other artifacts will be created.
Default: ''
A dnssec symmetric key which grants update access to the infrastructure zone resource records. This is ignored unless the dns_infrastructure_zone parameter is set.
Default: ''
When using a BIND key, use this algorithm for the infrastructure BIND key. This is ignored unless the dns_infrastructure_zone parameter is set.
Default: 'HMAC-MD5'
An array of hashes containing host name and IP address pairs to populate the infrastructure zone. This is ignored unless the dns_infrastructure_zone parameter is set.
dns_infrastructure_zone parameter. Matching FQDNs are placed in the dns_infrastructure_zone. Host names anchored with a dot (.) are added verbatim.
    # Each hash pairs a host name (hostname) with its IP address (ipaddr).
    $dns_infrastructure_names = [
      {hostname => "broker1",  ipaddr => "10.0.0.1"},
      {hostname => "data1",    ipaddr => "10.0.0.2"},
      {hostname => "message1", ipaddr => "10.0.0.3"},
      {hostname => "node1",    ipaddr => "10.0.0.11"},
      {hostname => "node2",    ipaddr => "10.0.0.12"},
      {hostname => "node3",    ipaddr => "10.0.0.13"},
    ]
Default: []
Indicate whether or not this module configures the firewall for you.
List of cartridges to be installed on the node. Options:
- cron
- diy
- haproxy
- mongodb
- nodejs
- perl
- php
- postgresql
- python
- ruby
- jenkins
- jenkins-client
- mysql
- jbossews
- jbosseap (requires add-on subscription)
Default: ['cron','diy','haproxy','mongodb','nodejs','perl','php','postgresql','python','ruby','jenkins','jenkins-client','mysql']
Indicate whether or not this module will configure the resolv.conf file and network for you.
Default: true
Set this to the X.Y release version (for example, 2.2) of OpenShift Enterprise to ensure an OpenShift Enterprise supported configuration is used. See the README_OSE.asciidoc distributed with the openshift_origin Puppet module for more details.
Default: undef
Set this to true to allow OpenShift Enterprise unsupported configurations. Only appropriate for proof of concept environments.
ose_version parameter is set.
Default: false