diff --git a/manifests/init.pp b/manifests/init.pp index f64e2f2..8351f56 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -61,9 +61,12 @@ String $cleanup_sh = $zookeeper::params::cleanup_sh, Optional[String] $client_ip = $zookeeper::params::client_ip, Integer $client_port = $zookeeper::params::client_port, + Integer $commit_log_count = $zookeeper::params::commit_log_count, Optional[Integer] $secure_client_port = $zookeeper::params::secure_client_port, Optional[Boolean] $ssl = $zookeeper::params::ssl, Optional[String] $ssl_clientauth = $zookeeper::params::ssl_clientauth, + Optional[Boolean] $enforce_auth_enabled = $zookeeper::params::enforce_auth_enabled, + Optional[String] $enforce_auth_schemes = $zookeeper::params::enforce_auth_schemes, Optional[String] $keystore_location = $zookeeper::params::keystore_location, Optional[String] $keystore_type = $zookeeper::params::keystore_type, Optional[String] $keystore_password = $zookeeper::params::keystore_password, @@ -79,6 +82,7 @@ Optional[String] $truststore_quorum_location = $zookeeper::params::truststore_quorum_location, Optional[String] $truststore_quorum_type = $zookeeper::params::truststore_quorum_type, Optional[String] $truststore_quorum_password = $zookeeper::params::truststore_quorum_password, + Optional[String] $ssl_quorum_clientauth = $zookeeper::params::ssl_quorum_clientauth, Optional[Boolean] $ssl_quorum_hostname_verification = $zookeeper::params::ssl_quorum_hostname_verification, Optional[String] $ssl_quorum_ciphersuites = $zookeeper::params::ssl_quorum_ciphersuites, Optional[String] $ssl_quorum_protocol = $zookeeper::params::ssl_quorum_protocol, 
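Review bot: `$enforce_auth_enabled` and `$enforce_auth_schemes` are accepted independently, but as far as I recall ZooKeeper (3.7+, where these keys exist) refuses to start when `enforce.auth.enabled=true` is combined with an empty scheme list, so the catalog should reject that combination instead of shipping a config that only fails at service start. Add a guard in the class body after this parameter list: `if $enforce_auth_enabled and $enforce_auth_schemes =~ Undef { fail('zookeeper: enforce_auth_schemes must be set when enforce_auth_enabled is true') }`. `$ssl_quorum_clientauth` only has three legal values, so `Optional[Enum['none','want','need']] $ssl_quorum_clientauth = $zookeeper::params::ssl_quorum_clientauth,` would catch typos at compile time, unless you keep `Optional[String]` for symmetry with the existing `$ssl_clientauth`. The `class zookeeper (` parameter list starts and ends outside both hunks.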
@@ -104,18 +108,29 @@ Integer $pre_alloc_size = $zookeeper::params::pre_alloc_size, Integer $snap_count = $zookeeper::params::snap_count, Integer $snap_retain_count = $zookeeper::params::snap_retain_count, + Integer $snap_size_limit_kb = $zookeeper::params::snap_size_limit_kb, Integer $sync_limit = $zookeeper::params::sync_limit, Integer $tick_time = $zookeeper::params::tick_time, + Optional[Integer] $txn_log_size_limit_kb = $zookeeper::params::txn_log_size_limit_kb, Integer $global_outstanding_limit = $zookeeper::params::global_outstanding_limit, Boolean $use_sasl_auth = $zookeeper::params::use_sasl_auth, String $zoo_dir = $zookeeper::params::zoo_dir, String $zoo_main = $zookeeper::params::zoo_main, Boolean $quorum_listen_on_all_ips = $zookeeper::params::quorum_listen_on_all_ips, + # Admin server properties + Optional[Boolean] $admin_server_enabled = $zookeeper::params::admin_server_enabled, + Optional[String] $admin_server_address = $zookeeper::params::admin_server_address, + Optional[Integer] $admin_server_port = $zookeeper::params::admin_server_port, + Optional[Integer] $admin_idle_timeout = $zookeeper::params::admin_idle_timeout, + Optional[String] $admin_command_url = $zookeeper::params::admin_command_url, + Optional[Boolean] $admin_force_https = $zookeeper::params::admin_force_https, + Optional[Boolean] $admin_port_unification = $zookeeper::params::admin_port_unification, # log4j properties String $environment_file = $zookeeper::params::environment_file, String $log4j_prop = $zookeeper::params::log4j_prop, String $maxfilesize = $zookeeper::params::maxfilesize, Integer $maxbackupindex = $zookeeper::params::maxbackupindex, + Optional[Integer] $max_connexions = $zookeeper::params::max_connexions, Optional[Integer] $max_allowed_connections = $zookeeper::params::max_allowed_connections, String $peer_type = $zookeeper::params::peer_type, String $rollingfile_threshold = $zookeeper::params::rollingfile_threshold, 
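Review bot: The seven `admin_*` parameters are typed `Optional[...]` although each has a non-undef default and the zoo.cfg.erb hunk in this same diff renders them unconditionally, so a caller passing `undef` gets `admin.serverPort=` (an empty value the server cannot parse) instead of a catalog compile error; drop the wrapper, e.g. `Integer $admin_server_port = $zookeeper::params::admin_server_port,`, or guard each key in the template like the other optional settings. `$max_connexions` (the `maxCnxns` server-wide connection cap) sits under the `# log4j properties` heading and is easily confused with `$max_allowed_connections` (`maxClientCnxns`, the per-source-IP cap); name it after the property, `Optional[Integer] $max_cnxns = $zookeeper::params::max_cnxns,`, place it next to `$max_allowed_connections`, and add a one-line comment over each saying which zoo.cfg key it drives. The parameter list of `class zookeeper` continues outside the hunk.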
diff --git a/manifests/params.pp b/manifests/params.pp index d11da79..5ed7093 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -128,8 +128,11 @@ $cleanup_sh = '/usr/share/zookeeper/bin/zkCleanup.sh' $client_ip = undef # use e.g. $::ipaddress if you want to bind to single interface $client_port = 2181 + $commit_log_count = 500 $secure_client_port = undef $ssl = false + $enforce_auth_enabled = undef + $enforce_auth_schemes = undef $ssl_protocol = 'TLSv1.2' $ssl_ciphersuites = '' $ssl_hostname_verification = true @@ -146,6 +149,7 @@ $truststore_quorum_location = '/etc/ssl/certs/ca-certificates.crt' $truststore_quorum_password = undef $truststore_quorum_type = 'PEM' + $ssl_quorum_clientauth = undef $ssl_quorum_ciphersuites = '' $ssl_quorum_hostname_verification = true $ssl_quorum_protocol = 'TLSv1.2' @@ -168,6 +172,7 @@ $max_allowed_connections = undef $max_session_timeout = undef $min_session_timeout = undef + $max_connexions = undef $observers = [] # interval in hours, purging enabled when >= 1 $purge_interval = 0 @@ -176,13 +181,24 @@ $snap_count = 10000 # since zookeeper 3.4, for earlier version cron task might be used $snap_retain_count = 3 + $snap_size_limit_kb = 4194304 $sync_limit = 5 $tick_time = 2000 + $txn_log_size_limit_kb = undef $global_outstanding_limit = 1000 $use_sasl_auth = false $zoo_dir = '/usr/lib/zookeeper' $zoo_main = 'org.apache.zookeeper.server.quorum.QuorumPeerMain' + # Admin server properties + $admin_server_enabled = true + $admin_server_address = "0.0.0.0" + $admin_server_port = 8080 + $admin_idle_timeout = 30000 + $admin_command_url = "/commands" + $admin_force_https = false + $admin_port_unification = false + # log4j properties $log4j_prop = 'INFO,ROLLINGFILE' $peer_type = 'UNSET' diff --git a/templates/conf/zoo.cfg.erb b/templates/conf/zoo.cfg.erb index 09cb3bb..9feb4aa 100644 --- a/templates/conf/zoo.cfg.erb +++ b/templates/conf/zoo.cfg.erb 
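Review bot: `$admin_server_address = "0.0.0.0"` together with `$admin_force_https = false` ships the unauthenticated Jetty AdminServer, in clear text, on every interface of every node; its `/commands` endpoint exposes configuration, connection and environment details and, I believe, a few state-changing commands (stat reset, trace mask), so the safer default is loopback, `$admin_server_address = '127.0.0.1'`, with a comment telling users to widen it deliberately. If you keep `0.0.0.0` to mirror ZooKeeper's own default, add a comment above it stating that the endpoint has no authentication and must be firewalled or put behind `admin_force_https`. Style: this file uses single quotes for plain strings (`'TLSv1.2'`, `'PEM'`), so `"0.0.0.0"` and `"/commands"` should be `'0.0.0.0'` and `'/commands'`; `$max_connexions = undef` is also placed between the session-timeout defaults rather than next to `$max_allowed_connections`, the related cap.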
@@ -71,6 +71,42 @@ preAllocSize=<%= scope.lookupvar("zookeeper::pre_alloc_size") %> # snapCount is 10,000. snapCount=<%= scope.lookupvar("zookeeper::snap_count") %> +# ZooKeeper records its transactions using snapshots and a transaction log +# (think write-ahead log). The total size in bytes allowed in the set of +# transactions recorded in the transaction log before a snapshot can be taken +# (and the transaction log rolled) is determined by snapSize. +# In order to prevent all of the machines in the quorum from taking a snapshot +# at the same time, each ZooKeeper server will take a snapshot when the +# size in bytes of the set of transactions in the transaction log reaches a +# runtime generated random value in the [snapSize/2+1, snapSize] range. +# Each file system has a minimum standard file size and in order to for +# valid functioning of this feature, the number chosen must be larger than +# that value. The default snapSizeLimitInKb is 4,194,304 (4GB). +# A non-positive value will disable the feature. +snapSizeLimitInKb=<%= scope.lookupvar("zookeeper::snap_size_limit_kb") %> + +# Zookeeper maintains an in-memory list of last committed requests for fast +# synchronization with followers when the followers are not too behind. +# This improves sync performance in case when your snapshots are +# large (>100,000). The default value is 500 which is the recommended minimum. +commitLogCount=<%= scope.lookupvar("zookeeper::commit_log_count") %> + +# Transaction log file size in Kb +# This feature is turned off by default and snapCount and +# snapSizeLimitInKb are the only values that limit transaction log size. +# When enabled Zookeeper will roll the log when any of the limits is hit. +# Please note that actual log size can exceed this value by the size of the +# serialized transaction. On the other hand, if this value is set too close +# to (or smaller than) preAllocSize, it can cause Zookeeper to roll the log for +# every transaction. 
While this is not a correctness issue, this may cause +# severely degraded performance. To avoid this and to get most out of this +# feature, it is recommended to set the value to N * preAllocSize where N >= 2. +<% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::txn_log_size_limit_kb")) -%> +txnLogSizeLimitInKb=<%= scope.lookupvar("zookeeper::txn_log_size_limit_kb") %> +<% else -%> +# txnLogSizeLimitInKb= +<% end -%> + # If this option is defined, requests will be will logged to a trace file named # traceFile.year.month.day. #traceFile= @@ -100,7 +136,15 @@ autopurge.snapRetainCount=<%= scope.lookupvar("zookeeper::snap_retain_count") %> # Defaults to 0. autopurge.purgeInterval=<%= scope.lookupvar("zookeeper::purge_interval") %> -# Maximum allowed connections +# Maximum of concurrent connections (per client Port of each server ) +<% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::max_connexions")) -%> +maxCnxns=<%= scope.lookupvar("zookeeper::max_connexions") %> +<% else -%> +#maxCnxns=0 +<% end -%> + +# Maximum of concurrent connections (at the socket level) that a single client +# identified by IP address, may make to a single member of the ZooKeeper ensemble <% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::max_allowed_connections")) -%> maxClientCnxns=<%= scope.lookupvar("zookeeper::max_allowed_connections") %> <% else -%> 
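Review bot: The comment copied into the template warns that a `txnLogSizeLimitInKb` at or below `preAllocSize` makes the server roll the log on every transaction, yet nothing enforces it: the module accepts `txn_log_size_limit_kb => 1` next to the default `pre_alloc_size`. Both values are in KB and known at catalog time, so a check in init.pp, `if $txn_log_size_limit_kb and $txn_log_size_limit_kb < 2 * $pre_alloc_size { warning('zookeeper: txn_log_size_limit_kb should be >= 2 * pre_alloc_size') }`, would catch it; `warning` rather than `fail`, since the comment itself calls this a performance rather than correctness issue. `snapSizeLimitInKb` and `commitLogCount` are now always written where previously the server's built-in defaults applied, which is fine, but the `# A non-positive value will disable the feature.` line should be mirrored in the init.pp parameter docs so users know `0` is a valid way to turn it off.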
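Review bot: `maxCnxns` is the server-wide connection cap and therefore the knob an operator reaches for as DoS protection, but the fallback `#maxCnxns=0` documents "unlimited" without saying so; change the heading to `# Maximum of concurrent connections per server (across all its client ports); 0, the ZooKeeper default, means unlimited` and drop the stray space in `( per client Port of each server )`. Since the two comments now describe two different caps that are easy to mix up, cross-reference them: `# see maxClientCnxns below for the per-source-IP limit` under this one, and the reverse under `maxClientCnxns`. The Puppet name `max_connexions` also does not echo the key the way the surrounding parameters do, which makes the distinction from `max_allowed_connections` harder to spot in hiera.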
@@ -112,14 +156,16 @@ maxClientCnxns=<%= scope.lookupvar("zookeeper::max_allowed_connections") %> peerType=<%= scope.lookupvar("zookeeper::peer_type") %> <% end -%> -# The minimum session timeout in milliseconds that the server will allow the # client to negotiate. Defaults to 2 times the tickTime. +# The minimum session timeout in milliseconds that the server will allow the +# client to negotiate. Defaults to 2 times the tickTime. <% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::min_session_timeout")) -%> minSessionTimeout=<%= scope.lookupvar("zookeeper::min_session_timeout") %> <% else -%> #minSessionTimeout=2 <% end -%> -# The maximum session timeout in milliseconds that the server will allow the # client to negotiate. Defaults to 20 times the tickTime. +# The maximum session timeout in milliseconds that the server will allow the +# client to negotiate. Defaults to 20 times the tickTime. <% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::max_session_timeout")) -%> maxSessionTimeout=<%= scope.lookupvar("zookeeper::max_session_timeout") %> <% else -%> 
@@ -148,6 +194,20 @@ secureClientPort=<%= scope.lookupvar("zookeeper::secure_client_port") %> # Client TLS configuration serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory +# Server will only accept connections and requests from clients that have +# authenticated with server via configured auth scheme +<% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::enforce_auth_enabled")) -%> +enforce.auth.enabled=<%= scope.lookupvar("zookeeper::enforce_auth_enabled") %> +# Comma separated list of authentication schemes +<% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::enforce_auth_schemes")) -%> +enforce.auth.schemes=<%= scope.lookupvar("zookeeper::enforce_auth_schemes") %> +<% else -%> +#enforce.auth.schemes= +<% end -%> +<% else -%> +#enforce.auth.enabled= +<% end -%> + # Force TLS version ssl.protocol=<%= scope.lookupvar("zookeeper::ssl_protocol") %> # Hostname verification (default yes) @@ -165,7 +225,6 @@ ssl.keyStore.type=<%= scope.lookupvar("zookeeper::keystore_type") %> ssl.keyStore.password=<%= scope.lookupvar("zookeeper::keystore_password") %> <% end -%> - ## Hint: if PEM is used, private key must be in PKCS#8 format # Line must begin with "-----BEGIN PRIVATE KEY-----" # and not "-----BEGIN RSA PRIVATE KEY-----" 
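Review bot: The `enforce.auth.*` block is placed below `serverCnxnFactory=...NettyServerCnxnFactory` under the `# Client TLS configuration` heading; if that spot is inside the template's `ssl`-only conditional (the enclosing ERB block starts before this hunk, so I cannot see it), the settings are silently dropped for the common SASL-without-TLS deployment, which is exactly where `enforce.auth.schemes=sasl` is wanted — move the block out of the TLS section, for example next to the `4lw.commands.whitelist` handling. When `enforce_auth_enabled` is true but `enforce_auth_schemes` is undef, the template writes `enforce.auth.enabled=true` followed by `#enforce.auth.schemes=`, a combination ZooKeeper (3.7+, I believe) rejects at startup, so the inner `<% else -%>` branch should either omit `enforce.auth.enabled` or the manifest should fail early. The comment should also state which server versions honour these keys: as far as I know older releases pass unknown keys through as system properties and enforce nothing, which gives a false sense of security.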
@@ -185,7 +244,10 @@ sslQuorum=<%= scope.lookupvar("zookeeper::ssl_quorum") %> ssl.quorum.protocol=<%= scope.lookupvar("zookeeper::ssl_quorum_protocol") %> # Hostname verification from node to node (default yes) ssl.quorum.hostnameVerification=<%= scope.lookupvar("zookeeper::ssl_quorum_hostname_verification") %> - +<% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::ssl_quorum_clientauth")) -%> +# Client authentication from node to node +ssl.quorum.clientAuth=<%= scope.lookupvar("zookeeper::ssl_quorum_clientauth") %> +<% end -%> ## Hint: if PEM is used, private key must be in PKCS#8 format # Line must begin with "-----BEGIN PRIVATE KEY-----" # and not "-----BEGIN RSA PRIVATE KEY-----" 
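Review bot: `ssl.quorum.clientAuth` decides whether a peer must present a certificate on quorum connections, and since ZooKeeper defaults to `need` (as far as I recall) this new knob can only weaken quorum mTLS, which the one-line comment does not say. Make the consequence explicit: `# Client authentication from node to node: need (default, mutual TLS), want (optional), none (peers are not authenticated)`. Because the value set is fixed, rejecting anything else is cheap, either via the parameter type in init.pp or an ERB `raise` here, so a typo such as `needed` does not silently fall back to whatever the server does with an unknown value. The removed blank line also leaves `ssl.quorum.hostnameVerification=...` pressed directly against the `<% if` line; keep a blank there for readability.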
@@ -215,6 +277,26 @@ ssl.quorum.ciphersuites=<%=ssl.ciphersuites=scope.lookupvar("zookeeper:ssl_quoru 4lw.commands.whitelist=<%= scope.lookupvar("zookeeper::whitelist_4lw").join(',') %> <% end -%> +## AdminServer configuration +# Set to "false" to disable the AdminServer. Enabled by default. +<% if scope.lookupvar("zookeeper::admin_server_enabled") -%> +admin.enableServer=true +# The address the embedded Jetty server listens on. Defaults to 0.0.0.0. +admin.serverAddress=<%= scope.lookupvar("zookeeper::admin_server_address") %> +# The port the embedded Jetty server listens on. Defaults to 8080. +admin.serverPort=<%= scope.lookupvar("zookeeper::admin_server_port") %> +# Maximum idle time in milliseconds that a connection can wait. Defaults to 30000 ms. +admin.idleTimeout=<%= scope.lookupvar("zookeeper::admin_idle_timeout") %> +# Commands URL relative to the root URL. Defaults to "/commands". +admin.commandURL=<%= scope.lookupvar("zookeeper::admin_command_url") %> +# Force AdminServer to use SSL. Defaults to disabled. +admin.forceHttps=<%= scope.lookupvar("zookeeper::admin_force_https") %> +# Accept both HTTP and HTTPS traffic. Defaults to disabled. +admin.portUnification=<%= scope.lookupvar("zookeeper::admin_port_unification") %> +<% else -%> +admin.enableServer=false +<% end -%> + # Supported since 3.6 ## Metrics Providers #
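Review bot: `admin.forceHttps` and `admin.portUnification` are written unconditionally, but as far as I recall the Jetty AdminServer takes its keystore and truststore from the `ssl.quorum.*` settings, so `admin_force_https => true` on a node without `ssl_quorum` configured yields a server that fails to start rather than an HTTPS endpoint; add `# HTTPS here reuses the ssl.quorum.* keystore/truststore; enable sslQuorum first` above `admin.forceHttps=` and, ideally, a manifest check that either flag implies the quorum keystore parameters. Every other optional key in this template is wrapped in the `[nil, :undefined, :undef]` guard while the six `admin.*` values are not, so an `undef` parameter renders `admin.serverPort=`; guard them the same way or make the parameters non-optional. Independent of this change, the hunk's context line `ssl.quorum.ciphersuites=<%=ssl.ciphersuites=scope.lookupvar("zookeeper:ssl_quoru...` looks broken (single colon in the variable name and an assignment inside `<%= %>`) and deserves a follow-up.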