diff options
63 files changed, 699 insertions, 426 deletions
diff --git a/all-nodes-validation.yaml b/all-nodes-validation.yaml index 65d01d0f..eea3e40a 100644 --- a/all-nodes-validation.yaml +++ b/all-nodes-validation.yaml @@ -10,6 +10,10 @@ parameters: default: '' description: A string containing a space separated list of IP addresses used to ping test each available network interface. type: string + ValidateFqdn: + default: false + description: Optional validation to ensure FQDN as set by Nova matches the name set in /etc/hosts. + type: boolean resources: AllNodesValidationsImpl: @@ -19,6 +23,8 @@ resources: inputs: - name: ping_test_ips default: {get_param: PingTestIps} + - name: validate_fqdn + default: {get_param: ValidateFqdn} config: {get_file: ./validation-scripts/all-nodes.sh} outputs: diff --git a/capabilities-map.yaml b/capabilities-map.yaml index 66dc1d1d..83b3ac40 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -308,6 +308,11 @@ topics: description: > Enable various Neutron plugins and backends environments: + - file: environments/neutron-bgpvpn.yaml + title: Neutron BGPVPN Service Plugin + description: Enables Neutron BGPVPN Service Plugin + requires: + - overcloud-resource-registry-puppet.yaml - file: environments/neutron-ml2-bigswitch.yaml title: BigSwitch Extensions description: > diff --git a/docker/docker-steps.j2 b/docker/docker-steps.j2 index 76232d14..2f5953d3 100644 --- a/docker/docker-steps.j2 +++ b/docker/docker-steps.j2 @@ -159,12 +159,12 @@ resources: value: yaql: expression: - # select 'step_config' only from services that do not have a docker_image - $.data.service_names.zip($.data.step_config, $.data.docker_image).where($[2] = null).where($[1] != null).select($[1]).join("\n") + # select 'step_config' only from services that do not have a docker_config + $.data.service_names.zip($.data.step_config, $.data.docker_config).where($[2] = null).where($[1] != null).select($[1]).join("\n") data: service_names: {get_param: [role_data, {{role.name}}, service_names]} step_config: {get_param: [role_data, {{role.name}}, step_config]} - docker_image: {get_param: [role_data, {{role.name}}, docker_image]} + docker_config: {get_param: [role_data, {{role.name}}, docker_config]} {{role.name}}DockerConfig: type: OS::Heat::Value @@ -173,12 +173,11 @@ resources: value: yaql: expression: - # select 'docker_config' only from services that have a docker_image - $.data.service_names.zip($.data.docker_config, $.data.docker_image).where($[2] != null).select($[1]).reduce($1.mergeWith($2), {}) + # select 'docker_config' only from services that have it + $.data.service_names.zip($.data.docker_config).where($[1] != null).select($[1]).reduce($1.mergeWith($2), {}) data: service_names: {get_param: [role_data, {{role.name}}, service_names]} docker_config: {get_param: [role_data, {{role.name}}, docker_config]} - docker_image: {get_param: [role_data, {{role.name}}, docker_image]} # Here we are dumping all the docker container startup configuration data # so that we can have access to how they are started outside of heat diff --git a/docker/firstboot/setup_docker_host.sh b/docker/firstboot/setup_docker_host.sh index b2287e91..8b4c6a03 100755 --- a/docker/firstboot/setup_docker_host.sh +++ b/docker/firstboot/setup_docker_host.sh @@ -1,26 +1,8 @@ #!/bin/bash set -eux -# TODO This would be better in puppet +# This file contains setup steps that can't be or have not yet been moved to +# puppet -# TODO remove this when built image includes docker -if [ ! -f "/usr/bin/docker" ]; then - yum -y install docker -fi - -# NOTE(mandre) $docker_namespace_is_registry is not a bash variable but is -# a place holder for text replacement done via heat -if [ "$docker_namespace_is_registry" = "True" ]; then - /usr/bin/systemctl stop docker.service - # if namespace is used with local registry, trim all namespacing - trim_var=$docker_registry - registry_host="${trim_var%%/*}" - /bin/sed -i -r "s/^[# ]*INSECURE_REGISTRY *=.+$/INSECURE_REGISTRY='--insecure-registry $registry_host'/" /etc/sysconfig/docker -fi - -# enable and start docker -/usr/bin/systemctl enable docker.service -/usr/bin/systemctl start docker.service - -# Disable libvirtd +# Disable libvirtd since it conflicts with nova_libvirt container /usr/bin/systemctl disable libvirtd.service /usr/bin/systemctl stop libvirtd.service diff --git a/docker/services/README.rst b/docker/services/README.rst index 881a2a37..219f35eb 100644 --- a/docker/services/README.rst +++ b/docker/services/README.rst @@ -58,27 +58,34 @@ are re-asserted when applying latter ones. the container itself at the /var/lib/kolla/config_files/config.json location and drives how kolla's external config mechanisms work. - * docker_image: The full name of the docker image that will be used. - * docker_config: Data that is passed to the docker-cmd hook to configure a container, or step of containers at each step. See the available steps below and the related docker-cmd hook documentation in the heat-agents project. - * puppet_tags: Puppet resource tag names that are used to generate config - files with puppet. Only the named config resources are used to generate - a config file. Any service that specifies tags will have the default - tags of 'file,concat,file_line' appended to the setting. - Example: keystone_config - - * config_volume: The name of the volume (directory) where config files - will be generated for this service. Use this as the location to - bind mount into the running Kolla container for configuration. - - * config_image: The name of the docker image that will be used for - generating configuration files. This is often the same value as - 'docker_image' above but some containers share a common set of - config files which are generated in a common base container. + * puppet_config: This section is a nested set of key value pairs + that drive the creation of config files using puppet. + Required parameters include: + + * puppet_tags: Puppet resource tag names that are used to generate config + files with puppet. Only the named config resources are used to generate + a config file. Any service that specifies tags will have the default + tags of 'file,concat,file_line' appended to the setting. + Example: keystone_config + + * config_volume: The name of the volume (directory) where config files + will be generated for this service. Use this as the location to + bind mount into the running Kolla container for configuration. + + * config_image: The name of the docker image that will be used for + generating configuration files. This is often the same container + that the runtime service uses. Some services share a common set of + config files which are generated in a common base container. + + * step_config: This setting controls the manifest that is used to + create docker config files via puppet. The puppet tags below are + used along with this manifest to generate a config directory for + this container. * docker_puppet_tasks: This section provides data to drive the docker-puppet.py tool directly. The task is executed only once diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml index e83f4f19..68a64a7d 100644 --- a/docker/services/database/mongodb.yaml +++ b/docker/services/database/mongodb.yaml @@ -51,15 +51,14 @@ outputs: - - "['Mongodb_database', 'Mongodb_user', 'Mongodb_replset'].each |String $val| { noop_resource($val) }" - {get_attr: [MongodbPuppetBase, role_data, step_config]} # BEGIN DOCKER SETTINGS # - docker_image: &mongodb_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMongodbImage} ] puppet_config: config_volume: mongodb puppet_tags: file # set this even though file is the default step_config: *step_config - config_image: *mongodb_image + config_image: &mongodb_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMongodbImage} ] kolla_config: /var/lib/kolla/config_files/mongodb.json: command: /usr/bin/mongod --unixSocketPrefix=/var/run/mongodb --config /etc/mongod.conf run diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml index c34ebe93..46b856e3 100644 --- a/docker/services/database/mysql.yaml +++ b/docker/services/database/mysql.yaml @@ -60,15 +60,14 @@ outputs: - - "['Mysql_datadir', 'Mysql_user', 'Mysql_database', 'Mysql_grant', 'Mysql_plugin'].each |String $val| { noop_resource($val) }" - {get_attr: [MysqlPuppetBase, role_data, step_config]} # BEGIN DOCKER SETTINGS # - docker_image: &mysql_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMysqlImage} ] puppet_config: config_volume: mysql puppet_tags: file # set this even though file is the default step_config: *step_config - config_image: *mysql_image + config_image: &mysql_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMysqlImage} ] kolla_config: /var/lib/kolla/config_files/mysql.json: command: /usr/bin/mysqld_safe diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml index 73d76ad5..77e4aa01 100644 --- a/docker/services/glance-api.yaml +++ b/docker/services/glance-api.yaml @@ -49,15 +49,14 @@ outputs: get_attr: [GlanceApiPuppetBase, role_data, step_config] service_config_settings: {get_attr: [GlanceApiPuppetBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS # - docker_image: &glance_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerGlanceApiImage} ] puppet_config: config_volume: glance_api puppet_tags: glance_api_config,glance_api_paste_ini,glance_swift_config,glance_cache_config step_config: *step_config - config_image: *glance_image + config_image: &glance_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerGlanceApiImage} ] kolla_config: /var/lib/kolla/config_files/glance-api.json: command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf diff --git a/docker/services/heat-api-cfn.yaml b/docker/services/heat-api-cfn.yaml index 2f54c0f1..2a27efb4 100644 --- a/docker/services/heat-api-cfn.yaml +++ b/docker/services/heat-api-cfn.yaml @@ -55,10 +55,6 @@ outputs: get_attr: [HeatBase, role_data, step_config] service_config_settings: {get_attr: [HeatBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &heat_api_cfn_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerHeatApiCfnImage} ] puppet_config: config_volume: heat puppet_tags: heat_config,file,concat,file_line @@ -78,7 +74,10 @@ outputs: docker_config: step_4: heat_api_cfn: - image: *heat_api_cfn_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerHeatApiCfnImage} ] net: host privileged: false restart: always diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml index a212d254..c429870b 100644 --- a/docker/services/heat-api.yaml +++ b/docker/services/heat-api.yaml @@ -55,10 +55,6 @@ outputs: get_attr: [HeatBase, role_data, step_config] service_config_settings: {get_attr: [HeatBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &heat_api_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerHeatApiImage} ] puppet_config: config_volume: heat puppet_tags: heat_config,file,concat,file_line @@ -78,7 +74,10 @@ outputs: docker_config: step_4: heat_api: - image: *heat_api_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerHeatApiImage} ] net: host privileged: false restart: always diff --git a/docker/services/heat-engine.yaml b/docker/services/heat-engine.yaml index c60a3840..85a00b1d 100644 --- a/docker/services/heat-engine.yaml +++ b/docker/services/heat-engine.yaml @@ -50,15 +50,14 @@ outputs: get_attr: [HeatBase, role_data, step_config] service_config_settings: {get_attr: [HeatBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &heat_engine_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerHeatEngineImage} ] puppet_config: config_volume: heat puppet_tags: heat_config,file,concat,file_line step_config: *step_config - config_image: *heat_engine_image + config_image: &heat_engine_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerHeatEngineImage} ] kolla_config: /var/lib/kolla/config_files/heat_engine.json: command: /usr/bin/heat-engine --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf diff --git a/docker/services/ironic-api.yaml b/docker/services/ironic-api.yaml index ca42c9ec..5ae82d46 100644 --- a/docker/services/ironic-api.yaml +++ b/docker/services/ironic-api.yaml @@ -52,10 +52,6 @@ outputs: get_attr: [IronicApiBase, role_data, step_config] service_config_settings: {get_attr: [IronicApiBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &ironic_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerIronicApiImage} ] puppet_config: config_volume: ironic puppet_tags: ironic_config @@ -75,7 +71,10 @@ outputs: docker_config: step_3: ironic_db_sync: - image: *ironic_image + image: &ironic_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerIronicApiImage} ] net: host privileged: false detach: false diff --git a/docker/services/ironic-conductor.yaml b/docker/services/ironic-conductor.yaml index ff470008..8c18a160 100644 --- a/docker/services/ironic-conductor.yaml +++ b/docker/services/ironic-conductor.yaml @@ -59,10 +59,6 @@ outputs: get_attr: [IronicConductorBase, role_data, step_config] service_config_settings: {get_attr: [IronicConductorBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &ironic_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerIronicConductorImage} ] puppet_config: config_volume: ironic puppet_tags: ironic_config @@ -89,7 +85,10 @@ outputs: docker_config: step_4: ironic-init-dirs: - image: *ironic_image + image: &ironic_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerIronicConductorImage} ] user: root command: ['/bin/bash', '-c', 'mkdir /var/lib/ironic/httpboot && mkdir /var/lib/ironic/tftpboot'] volumes: diff --git a/docker/services/ironic-pxe.yaml b/docker/services/ironic-pxe.yaml index 25505192..370b665e 100644 --- a/docker/services/ironic-pxe.yaml +++ b/docker/services/ironic-pxe.yaml @@ -40,10 +40,6 @@ outputs: step_config: &step_config '' service_config_settings: {} # BEGIN DOCKER SETTINGS - docker_image: &ironic_pxe_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerIronicPxeImage} ] puppet_config: config_volume: ironic puppet_tags: ironic_config @@ -103,7 +99,10 @@ outputs: step_4: ironic_pxe_tftp: start_order: 90 - image: *ironic_pxe_image + image: &ironic_pxe_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerIronicPxeImage} ] net: host privileged: false restart: always diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 358277a5..bd3a010e 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -56,15 +56,14 @@ outputs: - {get_attr: [KeystoneBase, role_data, step_config]} service_config_settings: {get_attr: [KeystoneBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &keystone_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ] puppet_config: config_volume: keystone puppet_tags: keystone_config step_config: *step_config - config_image: *keystone_image + config_image: &keystone_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ] kolla_config: /var/lib/kolla/config_files/keystone.json: command: /usr/sbin/httpd -DFOREGROUND diff --git a/docker/services/memcached.yaml b/docker/services/memcached.yaml index 9467567f..a78be3c8 100644 --- a/docker/services/memcached.yaml +++ b/docker/services/memcached.yaml @@ -46,15 +46,14 @@ outputs: get_attr: [MemcachedBase, role_data, step_config] service_config_settings: {get_attr: [MemcachedBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &memcached_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMemcachedImage} ] puppet_config: config_volume: 'memcached' puppet_tags: 'file' step_config: *step_config - config_image: *memcached_image + config_image: &memcached_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMemcachedImage} ] kolla_config: {} docker_config: step_1: diff --git a/docker/services/mistral-api.yaml b/docker/services/mistral-api.yaml index 7680bc62..4dd3b74c 100644 --- a/docker/services/mistral-api.yaml +++ b/docker/services/mistral-api.yaml @@ -52,10 +52,6 @@ outputs: get_attr: [MistralApiBase, role_data, step_config] service_config_settings: {get_attr: [MistralApiBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &mistral_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMistralApiImage} ] puppet_config: config_volume: mistral puppet_tags: mistral_config @@ -76,7 +72,10 @@ outputs: step_3: mistral_db_sync: start_order: 1 - image: *mistral_image + image: &mistral_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMistralApiImage} ] net: host privileged: false detach: false diff --git a/docker/services/mistral-engine.yaml b/docker/services/mistral-engine.yaml index d61ab1c2..fd72e344 100644 --- a/docker/services/mistral-engine.yaml +++ b/docker/services/mistral-engine.yaml @@ -53,10 +53,6 @@ outputs: get_attr: [MistralBase, role_data, step_config] service_config_settings: {get_attr: [MistralBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &mistral_engine_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMistralEngineImage} ] puppet_config: config_volume: mistral puppet_tags: mistral_config @@ -76,7 +72,10 @@ outputs: docker_config: step_4: mistral_engine: - image: *mistral_engine_image + image: &mistral_engine_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMistralEngineImage} ] net: host privileged: false restart: always diff --git a/docker/services/mistral-executor.yaml b/docker/services/mistral-executor.yaml index 42286426..0274ff48 100644 --- a/docker/services/mistral-executor.yaml +++ b/docker/services/mistral-executor.yaml @@ -53,10 +53,6 @@ outputs: get_attr: [MistralBase, role_data, step_config] service_config_settings: {get_attr: [MistralBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &mistral_executor_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMistralExecutorImage} ] puppet_config: config_volume: mistral puppet_tags: mistral_config @@ -76,7 +72,10 @@ outputs: docker_config: step_4: mistral_executor: - image: *mistral_executor_image + image: &mistral_executor_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMistralExecutorImage} ] net: host privileged: false restart: always diff --git a/docker/services/neutron-api.yaml b/docker/services/neutron-api.yaml index 71389046..ed03de6c 100644 --- a/docker/services/neutron-api.yaml +++ b/docker/services/neutron-api.yaml @@ -53,10 +53,6 @@ outputs: get_attr: [NeutronBase, role_data, step_config] service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &neutron_api_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronApiImage} ] puppet_config: config_volume: neutron puppet_tags: neutron_config,neutron_api_config @@ -80,7 +76,10 @@ outputs: docker_config: step_3: neutron_db_sync: - image: *neutron_api_image + image: &neutron_api_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronApiImage} ] net: host privileged: false detach: false diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml index ccde63f2..a4854d90 100644 --- a/docker/services/neutron-dhcp.yaml +++ b/docker/services/neutron-dhcp.yaml @@ -53,10 +53,6 @@ outputs: get_attr: [NeutronBase, role_data, step_config] service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &neutron_dhcp_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronApiImage} ] puppet_config: config_volume: neutron puppet_tags: neutron_config,neutron_dhcp_agent_config @@ -80,7 +76,10 @@ outputs: docker_config: step_4: neutron_dhcp: - image: *neutron_dhcp_image + image: &neutron_dhcp_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronApiImage} ] net: host pid: host privileged: true diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml index d9a78288..61ad8f4a 100644 --- a/docker/services/neutron-l3.yaml +++ b/docker/services/neutron-l3.yaml @@ -49,11 +49,6 @@ outputs: config_settings: {get_attr: [NeutronL3Base, role_data, config_settings]} step_config: &step_config get_attr: [NeutronL3Base, role_data, step_config] - docker_image: &neutron_l3_agent_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronL3AgentImage} ] - puppet_config: puppet_tags: neutron_config,neutron_l3_agent_config config_volume: neutron @@ -77,7 +72,10 @@ outputs: docker_config: step_4: neutronl3agent: - image: *neutron_l3_agent_image + image: &neutron_l3_agent_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronL3AgentImage} ] net: host pid: host privileged: true diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml index 6dcf91d9..4102693b 100644 --- a/docker/services/neutron-ovs-agent.yaml +++ b/docker/services/neutron-ovs-agent.yaml @@ -44,15 +44,14 @@ outputs: config_settings: {get_attr: [NeutronOvsAgentBase, role_data, config_settings]} step_config: &step_config get_attr: [NeutronOvsAgentBase, role_data, step_config] - docker_image: &neutron_ovs_agent_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerOpenvswitchImage} ] puppet_config: config_volume: neutron puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2 step_config: *step_config - config_image: *neutron_ovs_agent_image + config_image: &neutron_ovs_agent_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerOpenvswitchImage} ] kolla_config: /var/lib/kolla/config_files/neutron-openvswitch-agent.json: command: /usr/bin/neutron-openvswitch-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini diff --git a/docker/services/neutron-plugin-ml2.yaml b/docker/services/neutron-plugin-ml2.yaml index 5d1a348a..34864d3a 100644 --- a/docker/services/neutron-plugin-ml2.yaml +++ b/docker/services/neutron-plugin-ml2.yaml @@ -48,14 +48,13 @@ outputs: get_attr: [NeutronBase, role_data, step_config] service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &docker_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] puppet_config: config_volume: 'neutron' puppet_tags: '' step_config: *step_config - config_image: *docker_image + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] kolla_config: {} docker_config: {} diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index 8a892325..1c57bbf5 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -53,10 +53,6 @@ outputs: get_attr: [NovaApiBase, role_data, step_config] service_config_settings: {get_attr: [NovaApiBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &nova_api_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaApiImage} ] puppet_config: config_volume: nova puppet_tags: nova_config @@ -77,7 +73,10 @@ outputs: step_3: nova_api_db_sync: start_order: 1 - image: *nova_api_image + image: &nova_api_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaApiImage} ] net: host detach: false volumes: &nova_api_volumes diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index 9f4e353a..7fc00b47 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -45,15 +45,14 @@ outputs: config_settings: {get_attr: [NovaComputeBase, role_data, config_settings]} step_config: &step_config get_attr: [NovaComputeBase, role_data, step_config] - docker_image: &nova_compute_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] puppet_config: config_volume: nova_libvirt puppet_tags: nova_config,nova_paste_api_ini step_config: *step_config - config_image: *nova_compute_image + config_image: &nova_compute_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] kolla_config: /var/lib/kolla/config_files/nova-compute.json: command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf diff --git a/docker/services/nova-conductor.yaml b/docker/services/nova-conductor.yaml index 8bc81e32..09a6d0f6 100644 --- a/docker/services/nova-conductor.yaml +++ b/docker/services/nova-conductor.yaml @@ -51,10 +51,6 @@ outputs: get_attr: [NovaConductorBase, role_data, step_config] service_config_settings: {get_attr: [NovaConductorBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &nova_conductor_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaConductorImage} ] puppet_config: config_volume: nova puppet_tags: nova_config @@ -74,7 +70,10 @@ outputs: docker_config: step_4: nova_conductor: - image: *nova_conductor_image + image: &nova_conductor_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaConductorImage} ] net: host privileged: false restart: always diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml index 5b46010f..d3c0af44 100644 --- a/docker/services/nova-ironic.yaml +++ b/docker/services/nova-ironic.yaml @@ -47,10 +47,6 @@ outputs: config_settings: {get_attr: [NovaIronicBase, role_data, config_settings]} step_config: &step_config get_attr: [NovaIronicBase, role_data, step_config] - docker_image: &nova_ironic_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] puppet_config: config_volume: nova puppet_tags: nova_config,nova_paste_api_ini @@ -74,7 +70,10 @@ outputs: docker_config: step_5: novacompute: - image: *nova_ironic_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] net: host privileged: true user: root diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index ed54f3d9..e25b2014 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -50,10 +50,6 @@ outputs: config_settings: {get_attr: [NovaLibvirtBase, role_data, config_settings]} step_config: &step_config get_attr: [NovaLibvirtBase, role_data, step_config] - docker_image: &libvirt_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerLibvirtImage} ] puppet_config: config_volume: nova_libvirt puppet_tags: nova_config @@ -73,7 +69,10 @@ outputs: docker_config: step_3: nova_libvirt: - image: *libvirt_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerLibvirtImage} ] net: host pid: host privileged: true diff --git a/docker/services/nova-metadata.yaml b/docker/services/nova-metadata.yaml index 90c4c1c9..b452c61b 100644 --- a/docker/services/nova-metadata.yaml +++ b/docker/services/nova-metadata.yaml @@ -41,7 +41,6 @@ outputs: get_attr: [NovaMetadataBase, role_data, step_config] service_config_settings: {get_attr: [NovaMetadataBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: '' puppet_config: config_volume: '' puppet_tags: '' diff --git a/docker/services/nova-placement.yaml b/docker/services/nova-placement.yaml index 8da48d37..0f32e33f 100644 --- a/docker/services/nova-placement.yaml +++ b/docker/services/nova-placement.yaml @@ -49,10 +49,6 @@ outputs: get_attr: [NovaPlacementBase, role_data, step_config] service_config_settings: {get_attr: [NovaPlacementBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &nova_placement_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaPlacementImage} ] puppet_config: config_volume: nova_placement puppet_tags: nova_config @@ -96,7 +92,10 @@ outputs: step_3: nova_placement: start_order: 1 - image: *nova_placement_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaPlacementImage} ] net: host user: root restart: always diff --git a/docker/services/nova-scheduler.yaml b/docker/services/nova-scheduler.yaml index c24d5b26..0b64ca37 100644 --- a/docker/services/nova-scheduler.yaml +++ b/docker/services/nova-scheduler.yaml @@ -50,18 +50,14 @@ outputs: get_attr: [NovaSchedulerBase, role_data, step_config] service_config_settings: {get_attr: [NovaSchedulerBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &nova_scheduler_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaSchedulerImage} ] puppet_config: - config_volume: nova - puppet_tags: nova_config - step_config: *step_config - config_image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaBaseImage} ] + config_volume: nova + puppet_tags: nova_config + step_config: *step_config + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaBaseImage} ] kolla_config: /var/lib/kolla/config_files/nova_scheduler.json: command: /usr/bin/nova-scheduler @@ -73,7 +69,10 @@ outputs: docker_config: step_4: nova_scheduler: - image: *nova_scheduler_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaSchedulerImage} ] net: host privileged: false restart: always diff --git a/docker/services/rabbitmq.yaml b/docker/services/rabbitmq.yaml index ed440718..573ec178 100644 --- a/docker/services/rabbitmq.yaml +++ b/docker/services/rabbitmq.yaml @@ -50,15 +50,14 @@ outputs: get_attr: [RabbitmqBase, role_data, step_config] service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &rabbitmq_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerRabbitmqImage} ] puppet_config: config_volume: rabbitmq puppet_tags: file step_config: *step_config - config_image: *rabbitmq_image + config_image: &rabbitmq_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerRabbitmqImage} ] kolla_config: /var/lib/kolla/config_files/rabbitmq.json: command: /usr/lib/rabbitmq/bin/rabbitmq-server diff --git a/docker/services/services.yaml b/docker/services/services.yaml index 3f094ff8..892da77c 100644 --- a/docker/services/services.yaml +++ b/docker/services/services.yaml @@ -67,7 +67,6 @@ outputs: {get_attr: [PuppetServices, role_data, global_config_settings]} step_config: {get_attr: [ServiceChain, role_data, step_config]} - docker_image: {get_attr: [ServiceChain, role_data, docker_image]} puppet_config: {get_attr: [ServiceChain, role_data, puppet_config]} kolla_config: map_merge: {get_attr: [ServiceChain, role_data, kolla_config]} diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml index 66118412..93e21c81 100644 --- a/docker/services/swift-proxy.yaml +++ b/docker/services/swift-proxy.yaml @@ -46,15 +46,14 @@ outputs: get_attr: [SwiftProxyBase, role_data, step_config] service_config_settings: {get_attr: [SwiftProxyBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &swift_proxy_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] puppet_config: config_volume: swift puppet_tags: swift_proxy_config step_config: *step_config - config_image: *swift_proxy_image + config_image: &swift_proxy_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] kolla_config: /var/lib/kolla/config_files/swift_proxy.json: command: /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf diff --git a/docker/services/swift-ringbuilder.yaml b/docker/services/swift-ringbuilder.yaml index 027a6956..21102505 100644 --- a/docker/services/swift-ringbuilder.yaml +++ b/docker/services/swift-ringbuilder.yaml @@ -70,14 +70,13 @@ outputs: get_attr: [SwiftRingbuilderBase, role_data, step_config] service_config_settings: {get_attr: [SwiftRingbuilderBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &docker_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] puppet_config: config_volume: 'swift' puppet_tags: exec,ring_object_device,swift::ringbuilder::create,tripleo::profile::base::swift::add_devices,swift::ringbuilder::rebalance step_config: *step_config - config_image: *docker_image + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] kolla_config: {} docker_config: {} diff --git a/docker/services/swift-storage.yaml b/docker/services/swift-storage.yaml index 2eb55632..8e76504c 100644 --- a/docker/services/swift-storage.yaml +++ b/docker/services/swift-storage.yaml @@ -58,15 +58,14 @@ outputs: get_attr: [SwiftStorageBase, role_data, step_config] service_config_settings: {get_attr: [SwiftStorageBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &swift_proxy_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] puppet_config: config_volume: swift puppet_tags: swift_config,swift_container_config,swift_container_sync_realms_config,swift_account_config,swift_object_config,swift_object_expirer_config step_config: *step_config - config_image: *swift_proxy_image + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] kolla_config: /var/lib/kolla/config_files/swift_account_auditor.json: command: /usr/bin/swift-account-auditor /etc/swift/account-server.conf diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml index 30905ffe..3ec819e0 100644 --- a/docker/services/zaqar.yaml +++ b/docker/services/zaqar.yaml @@ -46,15 +46,14 @@ outputs: get_attr: [ZaqarBase, role_data, step_config] service_config_settings: {get_attr: [ZaqarBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &zaqar_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerZaqarImage} ] puppet_config: config_volume: zaqar puppet_tags: zaqar_config step_config: *step_config - config_image: *zaqar_image + config_image: &zaqar_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerZaqarImage} ] kolla_config: /var/lib/kolla/config_files/zaqar.json: command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf diff --git a/environments/docker.yaml b/environments/docker.yaml index 1d816d34..2a1215a2 100644 --- a/environments/docker.yaml +++ b/environments/docker.yaml @@ -3,6 +3,8 @@ resource_registry: # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml OS::TripleO::Services::Docker: ../puppet/services/docker.yaml + # The compute node still needs extra initialization steps + OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml #NOTE (dprince) add roles to be docker enabled as we support them OS::TripleO::Services::NovaLibvirt: ../docker/services/nova-libvirt.yaml @@ -46,3 +48,4 @@ parameter_defaults: - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::ComputeNeutronOvsAgent + - OS::TripleO::Services::Docker diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml index ff4ecfbe..f485e4a5 100644 --- a/environments/enable-internal-tls.yaml +++ b/environments/enable-internal-tls.yaml @@ -2,6 +2,7 @@ # a TLS for in the internal network via certmonger parameter_defaults: EnableInternalTLS: true + RabbitClientUseSSL: true # Required for novajoin to enroll the overcloud nodes ServerMetadata: @@ -11,6 +12,8 @@ resource_registry: OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml + OS::TripleO::Services::RabbitMQTLS: ../puppet/services/rabbitmq-internal-tls-certmonger.yaml + # We use apache as a TLS proxy OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml diff --git a/environments/neutron-bgpvpn.yaml b/environments/neutron-bgpvpn.yaml new file mode 100644 index 00000000..dc6c1454 --- /dev/null +++ b/environments/neutron-bgpvpn.yaml @@ -0,0 +1,16 @@ +# A Heat environment file that can be used to deploy Neutron BGPVPN service +# +# Currently there are four types of service provider for Neutron BGPVPN +# The default option is a dummy driver that allows to enable the API. +# In order to enable other backend, replace the content of BgpvpnServiceProvider +# +# - Bagpipe: BGPVPN:BaGPipe:networking_bgpvpn.neutron.services.service_drivers.bagpipe.bagpipe.BaGPipeBGPVPNDriver:default +# - OpenContrail: BGPVPN:OpenContrail:networking_bgpvpn.neutron.services.service_drivers.opencontrail.opencontrail.OpenContrailBGPVPNDriver:default +# - OpenDaylight: BGPVPN:OpenDaylight:networking_bgpvpn.neutron.services.service_drivers.opendaylight.odl.OpenDaylightBgpvpnDriver:default +# - Nuage: BGPVPN:Nuage:nuage_neutron.bgpvpn.services.service_drivers.driver.NuageBGPVPNDriver:default +resource_registry: + OS::TripleO::Services::NeutronBgpvpnApi: ../puppet/services/neutron-bgpvpn-api.yaml + +parameter_defaults: + NeutronServicePlugins: 'networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin' + BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default' diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index ae012b21..212e9379 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -145,6 +145,7 @@ resource_registry: OS::TripleO::Services::Kernel: puppet/services/kernel.yaml OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml OS::TripleO::Services::MySQLTLS: OS::Heat::None + OS::TripleO::Services::NeutronBgpvpnApi: OS::Heat::None OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml OS::TripleO::Services::NeutronMetadataAgent: puppet/services/neutron-metadata.yaml @@ -169,6 +170,7 @@ resource_registry: OS::TripleO::Services::PacemakerRemote: OS::Heat::None OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml + OS::TripleO::Services::RabbitMQTLS: OS::Heat::None OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index cba92415..d8787c87 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -74,7 +74,7 @@ outputs: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] - barbican::keystone::authtoken::password: {get_param: BarbicanPassword} - barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::project_name: 'service' barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} @@ -135,14 +135,14 @@ outputs: nova::compute::barbican_endpoint: get_param: [EndpointMap, BarbicanInternal, uri] nova::compute::barbican_auth_endpoint: - get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] + get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] cinder_api: cinder::api::keymgr_api_class: > castellan.key_manager.barbican_key_manager.BarbicanKeyManager cinder::api::keymgr_encryption_api_url: get_param: [EndpointMap, BarbicanInternal, uri] cinder::api::keymgr_encryption_auth_url: - get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] + get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 49a5f613..140c6f63 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -167,7 +167,7 @@ outputs: - name: Stop cinder_api service (running under httpd) tags: step1 service: name=httpd state=stopped - when: "cinder_apache.rc == 0" + when: cinder_apache.rc == 0 - name: Stop and disable cinder_api service (pre-upgrade not under httpd) tags: step1 when: cinder_api_enabled.rc == 0 diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index ce389dc1..b06f9993 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -48,6 +48,68 @@ parameters: EnableInternalTLS: type: boolean default: false + CephClientUserName: + default: openstack + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + GlanceNotifierStrategy: + description: Strategy to use for Glance notification queue + type: string + default: noop + GlanceLogFile: + description: The filepath of the file to use for logging messages from Glance. + type: string + default: '' + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] + GlanceNfsEnabled: + default: false + description: > + When using GlanceBackend 'file', mount NFS share for image storage. + type: boolean + GlanceNfsShare: + default: '' + description: > + NFS share to mount for image storage (when GlanceNfsEnabled is true) + type: string + GlanceNfsOptions: + default: 'intr,context=system_u:object_r:glance_var_lib_t:s0' + description: > + NFS mount options for image storage (when GlanceNfsEnabled is true) + type: string + GlanceRbdPoolName: + default: images + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} @@ -62,13 +124,6 @@ resources: EndpointMap: {get_param: EndpointMap} EnableInternalTLS: {get_param: EnableInternalTLS} - GlanceBase: - type: ./glance-base.yaml - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - outputs: role_data: description: Role data for the Glance API role. @@ -80,7 +135,6 @@ outputs: - glance config_settings: map_merge: - - get_attr: [GlanceBase, role_data, config_settings] - get_attr: [TLSProxyBase, role_data, config_settings] - glance::api::database_connection: list_join: @@ -132,10 +186,41 @@ outputs: - use_tls_proxy - 'localhost' - {get_param: [ServiceNetMap, GlanceApiNetwork]} + glance_notifier_strategy: {get_param: GlanceNotifierStrategy} + glance_log_file: {get_param: GlanceLogFile} + glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::backend::swift::swift_store_user: service:glance + glance::backend::swift::swift_store_key: {get_param: GlancePassword} + glance::backend::swift::swift_store_create_container_on_put: true + glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} + glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} + glance_backend: {get_param: GlanceBackend} + glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} + glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} + glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} + glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + glance::notify::rabbitmq::notification_driver: messagingv2 + tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} + tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} + tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} + service_config_settings: + keystone: + glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} + glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} + glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} + glance::keystone::auth::password: {get_param: GlancePassword } + glance::keystone::auth::region: {get_param: KeystoneRegion} + glance::keystone::auth::tenant: 'service' + mysql: + glance::db::mysql::password: {get_param: GlancePassword} + glance::db::mysql::user: glance + glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + glance::db::mysql::dbname: glance + glance::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" step_config: | include ::tripleo::profile::base::glance::api - service_config_settings: - get_attr: [GlanceBase, role_data, service_config_settings] upgrade_tasks: - name: Check if glance_api is deployed command: systemctl is-enabled openstack-glance-api diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml deleted file mode 100644 index f5548982..00000000 --- a/puppet/services/glance-base.yaml +++ /dev/null @@ -1,126 +0,0 @@ -heat_template_version: ocata - -description: > - OpenStack Glance Common settings with Puppet - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - CephClientUserName: - default: openstack - type: string - Debug: - default: '' - description: Set to True to enable debugging on all services. - type: string - GlanceNotifierStrategy: - description: Strategy to use for Glance notification queue - type: string - default: noop - GlanceLogFile: - description: The filepath of the file to use for logging messages from Glance. - type: string - default: '' - GlancePassword: - description: The password for the glance service and db account, used by the glance services. - type: string - hidden: true - GlanceBackend: - default: swift - description: The short name of the Glance backend to use. Should be one - of swift, rbd, or file - type: string - constraints: - - allowed_values: ['swift', 'file', 'rbd'] - GlanceNfsEnabled: - default: false - description: > - When using GlanceBackend 'file', mount NFS share for image storage. - type: boolean - GlanceNfsShare: - default: '' - description: > - NFS share to mount for image storage (when GlanceNfsEnabled is true) - type: string - GlanceNfsOptions: - default: 'intr,context=system_u:object_r:glance_var_lib_t:s0' - description: > - NFS mount options for image storage (when GlanceNfsEnabled is true) - type: string - GlanceRbdPoolName: - default: images - type: string - RabbitPassword: - description: The password for RabbitMQ - type: string - hidden: true - RabbitUserName: - default: guest - description: The username for RabbitMQ - type: string - RabbitClientPort: - default: 5672 - description: Set rabbit subscriber port, change this if using SSL - type: number - RabbitClientUseSSL: - default: false - description: > - Rabbit client subscriber parameter to specify - an SSL connection to the RabbitMQ host. - type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint - -outputs: - role_data: - description: Role data for the Glance common role. - value: - service_name: glance_base - config_settings: - glance_notifier_strategy: {get_param: GlanceNotifierStrategy} - glance_log_file: {get_param: GlanceLogFile} - glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::backend::swift::swift_store_user: service:glance - glance::backend::swift::swift_store_key: {get_param: GlancePassword} - glance::backend::swift::swift_store_create_container_on_put: true - glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} - glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} - glance_backend: {get_param: GlanceBackend} - glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} - glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} - glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} - glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - glance::notify::rabbitmq::notification_driver: messagingv2 - tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} - tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} - tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} - service_config_settings: - keystone: - glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} - glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} - glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} - glance::keystone::auth::password: {get_param: GlancePassword } - glance::keystone::auth::region: {get_param: KeystoneRegion} - glance::keystone::auth::tenant: 'service' - mysql: - glance::db::mysql::password: {get_param: GlancePassword} - glance::db::mysql::user: glance - glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - glance::db::mysql::dbname: glance - glance::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index 483f0a45..c4d44853 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml @@ -38,8 +38,23 @@ parameters: default: tag: openstack.heat.api.cfn path: /var/log/heat/heat-api-cfn.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]} resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + HeatBase: type: ./heat-base.yaml properties: @@ -59,19 +74,32 @@ outputs: config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] - - heat::api_cfn::workers: {get_param: HeatWorkers} - tripleo.heat_api_cfn.firewall_rules: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - tripleo.heat_api_cfn.firewall_rules: '125 heat_cfn': dport: - 8000 - 13800 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): + heat::api_cfn::bind_host: {get_param: [ServiceNetMap, HeatApiCfnNetwork]} + heat::wsgi::apache_api_cfn::ssl: {get_param: EnableInternalTLS} + heat::api_cfn::service_name: 'httpd' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - heat::api_cfn::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api_cfn::bind_host: {get_param: [ServiceNetMap, HeatApiCfnNetwork]} + heat::wsgi::apache_api_cfn::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, HeatApiCfnNetwork]} + - + if: + - heat_workers_zero + - {} + - heat::wsgi::apache_api_cfn::workers: {get_param: HeatWorkers} step_config: | include ::tripleo::profile::base::heat::api_cfn service_config_settings: @@ -94,7 +122,16 @@ outputs: shell: /usr/bin/systemctl show 'openstack-heat-api-cfn' --property ActiveState | grep '\bactive\b' when: heat_api_cfn_enabled.rc == 0 tags: step0,validation - - name: Stop heat_api_cfn service + - name: check for heat_api_cfn running under apache (post upgrade) tags: step1 - when: heat_api_cfn_enabled.rc == 0 - service: name=openstack-heat-api-cfn state=stopped + shell: "httpd -t -D DUMP_VHOSTS | grep -q heat_api_cfn_wsgi" + register: heat_api_cfn_apache + ignore_errors: true + - name: Stop heat_api_cfn service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: heat_api_cfn_apache.rc == 0 + - name: Stop and disable heat_api_cfn service (pre-upgrade not under httpd) + tags: step1 + when: heat_api_cfn_apache.rc == 0 + service: name=openstack-heat-api-cfn state=stopped enabled=no diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml index 8879bcb2..7f8fa1fe 100644 --- a/puppet/services/heat-api-cloudwatch.yaml +++ b/puppet/services/heat-api-cloudwatch.yaml @@ -30,8 +30,23 @@ parameters: default: tag: openstack.heat.api.cloudwatch path: /var/log/heat/heat-api-cloudwatch.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]} resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + HeatBase: type: ./heat-base.yaml properties: @@ -51,19 +66,34 @@ outputs: config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] - - heat::api_cloudwatch::workers: {get_param: HeatWorkers} - tripleo.heat_api_cloudwatch.firewall_rules: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - tripleo.heat_api_cloudwatch.firewall_rules: '125 heat_cloudwatch': dport: - 8003 - 13003 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): + heat::api_cloudwatch::bind_host: + get_param: [ServiceNetMap, HeatApiCloudwatchNetwork] + heat::wsgi::apache_api_cloudwatch::ssl: {get_param: EnableInternalTLS} + heat::api_cloudwatch::service_name: 'httpd' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - heat::api_cloudwatch::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api_cloudwatch::bind_host: + get_param: [ServiceNetMap, HeatApiCloudwatchNetwork] + heat::wsgi::apache_api_cloudwatch::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, HeatApiCloudwatchNetwork]} + - + if: + - heat_workers_zero + - {} + - heat::wsgi::apache_api_cloudwatch::workers: {get_param: HeatWorkers} step_config: | include ::tripleo::profile::base::heat::api_cloudwatch upgrade_tasks: @@ -76,7 +106,16 @@ outputs: shell: /usr/bin/systemctl show 'openstack-heat-api-cloudwatch' --property ActiveState | grep '\bactive\b' when: heat_api_cloudwatch_enabled.rc == 0 tags: step0,validation - - name: Stop heat_api_cloudwatch service + - name: check for heat_api_cloudwatch running under apache (post upgrade) + tags: step1 + shell: "httpd -t -D DUMP_VHOSTS | grep -q heat_api_cloudwatch_wsgi" + register: heat_api_cloudwatch_apache + ignore_errors: true + - name: Stop heat_api_cloudwatch service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: heat_api_cloudwatch_apache.rc == 0 + - name: Stop and disable heat_api_cloudwatch service (pre-upgrade not under httpd) tags: step1 when: heat_api_cloudwatch_enabled.rc == 0 - service: name=openstack-heat-api-cloudwatch state=stopped + service: name=openstack-heat-api-cloudwatch state=stopped enabled=no diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 2464011b..e21369e8 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -38,8 +38,23 @@ parameters: default: tag: openstack.heat.api path: /var/log/heat/heat-api.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]} resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + HeatBase: type: ./heat-base.yaml properties: @@ -59,19 +74,32 @@ outputs: config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] - - heat::api::workers: {get_param: HeatWorkers} - tripleo.heat_api.firewall_rules: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - tripleo.heat_api.firewall_rules: '125 heat_api': dport: - 8004 - 13004 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): + heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} + heat::api::service_name: 'httpd' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]} + - + if: + - heat_workers_zero + - {} + - heat::wsgi::apache_api::workers: {get_param: HeatWorkers} step_config: | include ::tripleo::profile::base::heat::api service_config_settings: @@ -94,7 +122,16 @@ outputs: shell: /usr/bin/systemctl show 'openstack-heat-api' --property ActiveState | grep '\bactive\b' when: heat_api_enabled.rc == 0 tags: step0,validation - - name: Stop heat_api service + - name: check for heat_api running under apache (post upgrade) + tags: step1 + shell: "httpd -t -D DUMP_VHOSTS | grep -q heat_api_wsgi" + register: heat_api_apache + ignore_errors: true + - name: Stop heat_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: heat_api_apache.rc == 0 + - name: Stop and disable heat_api service (pre-upgrade not under httpd) tags: step1 when: heat_api_enabled.rc == 0 - service: name=openstack-heat-api state=stopped + service: name=openstack-heat-api state=stopped enabled=no diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index f40c8d99..f9a15391 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -232,7 +232,7 @@ outputs: keystone::cron::token_flush::maxdelay: 3600 keystone::roles::admin::service_tenant: 'service' keystone::roles::admin::admin_tenant: 'admin' - keystone::cron::token_flush::destination: '/dev/null' + keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log' keystone::config::keystone_config: ec2/driver: value: 'keystone.contrib.ec2.backends.sql.Ec2' diff --git a/puppet/services/neutron-bgpvpn-api.yaml b/puppet/services/neutron-bgpvpn-api.yaml new file mode 100644 index 00000000..f01cf6f1 --- /dev/null +++ b/puppet/services/neutron-bgpvpn-api.yaml @@ -0,0 +1,34 @@ +heat_template_version: ocata + +description: > + BGPVPN API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + BgpvpnServiceProvider: + default: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default' + description: Backend to use as a service provider for BGPVPN + type: string + +outputs: + role_data: + description: Role data for the BGPVPN role. + value: + service_name: neutron_bgpvpn_api + config_settings: + neutron::services::bgpvpn::service_providers: {get_param: BgpvpnServiceProvider} + step_config: | + include ::tripleo::profile::base::neutron::bgpvpn diff --git a/puppet/services/pacemaker/rabbitmq.yaml b/puppet/services/pacemaker/rabbitmq.yaml index b018df35..caada950 100644 --- a/puppet/services/pacemaker/rabbitmq.yaml +++ b/puppet/services/pacemaker/rabbitmq.yaml @@ -68,3 +68,5 @@ outputs: fi pcs resource update rabbitmq set_policy='ha-all ^(?!amq\\.).* {"ha-mode":"exactly","ha-params":'"$nr_queues}" --wait=600 when: is_bootstrap_node and migrate_rabbit_ha_mode + metadata_settings: + get_attr: [RabbitMQServiceBase, role_data, metadata_settings] diff --git a/puppet/services/rabbitmq-internal-tls-certmonger.yaml b/puppet/services/rabbitmq-internal-tls-certmonger.yaml new file mode 100644 index 00000000..39d6b903 --- /dev/null +++ b/puppet/services/rabbitmq-internal-tls-certmonger.yaml @@ -0,0 +1,47 @@ +heat_template_version: ocata + +description: > + RabbitMQ configurations for using TLS via certmonger. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + # The following parameters are not needed by the template but are + # required to pass the pep8 tests + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: RabbitMQ configurations for using TLS via certmonger. + value: + service_name: rabbitmq_internal_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::profile::base::rabbitmq::certificate_specs: + service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + service_key: '/etc/pki/tls/private/rabbitmq.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + principal: + str_replace: + template: "rabbitmq/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + metadata_settings: + - service: rabbitmq + network: {get_param: [ServiceNetMap, RabbitmqNetwork]} + type: node diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index 2c4ccbc9..92a0015a 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml @@ -48,6 +48,18 @@ parameters: MonitoringSubscriptionRabbitmq: default: 'overcloud-rabbitmq' type: string + EnableInternalTLS: + type: boolean + default: false + +resources: + + RabbitMQTLS: + type: OS::TripleO::Services::RabbitMQTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} outputs: role_data: @@ -56,51 +68,62 @@ outputs: service_name: rabbitmq monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq} config_settings: - rabbitmq::file_limit: {get_param: RabbitFDLimit} - rabbitmq::default_user: {get_param: RabbitUserName} - rabbitmq::default_pass: {get_param: RabbitPassword} - rabbit_ipv6: {get_param: RabbitIPv6} - tripleo.rabbitmq.firewall_rules: - '109 rabbitmq': - dport: - - 4369 - - 5672 - - 25672 - rabbitmq::delete_guest_user: false - rabbitmq::wipe_db_on_cookie_change: true - rabbitmq::port: '5672' - rabbitmq::package_provider: yum - rabbitmq::package_source: undef - rabbitmq::repos_ensure: false - rabbitmq::tcp_keepalive: true - rabbitmq_environment: - NODE_PORT: '' - NODE_IP_ADDRESS: '' - RABBITMQ_NODENAME: "rabbit@%{::hostname}" - RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"' - 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}" - rabbitmq_kernel_variables: - inet_dist_listen_min: '25672' - inet_dist_listen_max: '25672' - rabbitmq_config_variables: - cluster_partition_handling: 'pause_minority' - queue_master_locator: '<<"min-masters">>' - loopback_users: '[]' - rabbitmq::erlang_cookie: - yaql: - expression: $.data.passwords.where($ != '').first() - data: - passwords: - - {get_param: RabbitCookie} - - {get_param: [DefaultPasswords, rabbit_cookie]} - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - rabbitmq::interface: {get_param: [ServiceNetMap, RabbitmqNetwork]} - rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} + map_merge: + - get_attr: [RabbitMQTLS, role_data, config_settings] + - + rabbitmq::file_limit: {get_param: RabbitFDLimit} + rabbitmq::default_user: {get_param: RabbitUserName} + rabbitmq::default_pass: {get_param: RabbitPassword} + rabbit_ipv6: {get_param: RabbitIPv6} + tripleo.rabbitmq.firewall_rules: + '109 rabbitmq': + dport: + - 4369 + - 5672 + - 25672 + rabbitmq::delete_guest_user: false + rabbitmq::wipe_db_on_cookie_change: true + rabbitmq::port: '5672' + rabbitmq::package_provider: yum + rabbitmq::package_source: undef + rabbitmq::repos_ensure: false + rabbitmq::tcp_keepalive: true + rabbitmq_environment: + NODE_PORT: '' + NODE_IP_ADDRESS: '' + RABBITMQ_NODENAME: "rabbit@%{::hostname}" + RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"' + 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}" + rabbitmq_kernel_variables: + inet_dist_listen_min: '25672' + inet_dist_listen_max: '25672' + rabbitmq_config_variables: + cluster_partition_handling: 'pause_minority' + queue_master_locator: '<<"min-masters">>' + loopback_users: '[]' + rabbitmq::erlang_cookie: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: RabbitCookie} + - {get_param: [DefaultPasswords, rabbit_cookie]} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + rabbitmq::interface: {get_param: [ServiceNetMap, RabbitmqNetwork]} + rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} + rabbitmq::ssl: {get_param: EnableInternalTLS} + rabbitmq::ssl_port: '5672' + rabbitmq::ssl_depth: 1 + rabbitmq::ssl_only: {get_param: EnableInternalTLS} + rabbitmq::ssl_interface: {get_param: [ServiceNetMap, RabbitmqNetwork]} + # TODO(jaosorior): Remove this once we set a proper default in + # puppet-tripleo + tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} step_config: | include ::tripleo::profile::base::rabbitmq upgrade_tasks: @@ -110,4 +133,5 @@ outputs: - name: Start rabbitmq service tags: step4 service: name=rabbitmq-server state=started - + metadata_settings: + get_attr: [RabbitMQTLS, role_data, metadata_settings] diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml index 224989be..d5131f61 100644 --- a/puppet/services/sahara-base.yaml +++ b/puppet/services/sahara-base.yaml @@ -70,12 +70,14 @@ outputs: sahara::rabbit_use_ssl: {get_param: RabbitClientUseSSL} sahara::rabbit_port: {get_param: RabbitClientPort} sahara::debug: {get_param: Debug} + # Remove admin_password when https://review.openstack.org/442619 is merged. sahara::admin_password: {get_param: SaharaPassword} - sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - sahara::identity_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } sahara::use_neutron: true sahara::plugins: {get_param: SaharaPlugins} sahara::rpc_backend: rabbit - sahara::admin_tenant_name: 'service' sahara::db::database_db_max_retries: -1 sahara::db::database_max_retries: -1 + sahara::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + sahara::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + sahara::keystone::authtoken::password: {get_param: SaharaPassword} + sahara::keystone::authtoken::project_name: 'service' diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 9b0d2de1..0c3cc1ec 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -31,9 +31,9 @@ parameters: description: Timeout for requests going from swift-proxy to swift a/c/o services. type: number SwiftWorkers: - default: 0 + default: auto description: Number of workers for Swift service. - type: number + type: string KeystoneRegion: type: string default: 'regionOne' diff --git a/puppet/services/vpp.yaml b/puppet/services/vpp.yaml index 59866d39..7c8f8a28 100644 --- a/puppet/services/vpp.yaml +++ b/puppet/services/vpp.yaml @@ -42,6 +42,16 @@ outputs: step_config: | include ::tripleo::profile::base::vpp upgrade_tasks: + - name: Check if vpp is deployed + command: systemctl is-enabled vpp + tags: common + ignore_errors: True + register: vpp_enabled + - name: "PreUpgrade step0,validation: Check service vpp is running" + shell: /usr/bin/systemctl show 'vpp' --property ActiveState | grep '\bactive\b' + when: vpp_enabled.rc == 0 + tags: step0,validation - name: Stop vpp service - tags: step2 + tags: step1 + when: vpp_enabled.rc == 0 service: name=vpp state=stopped diff --git a/releasenotes/notes/add-bgpvpn-support-f60c5a9cee0bb393.yaml b/releasenotes/notes/add-bgpvpn-support-f60c5a9cee0bb393.yaml new file mode 100644 index 00000000..2af6aa72 --- /dev/null +++ b/releasenotes/notes/add-bgpvpn-support-f60c5a9cee0bb393.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for BGPVPN Neutron service plugin diff --git a/releasenotes/notes/add-parameters-for-heat-apis-over-httpd-df83ab04d9f9ebb2.yaml b/releasenotes/notes/add-parameters-for-heat-apis-over-httpd-df83ab04d9f9ebb2.yaml new file mode 100644 index 00000000..b3a62ced --- /dev/null +++ b/releasenotes/notes/add-parameters-for-heat-apis-over-httpd-df83ab04d9f9ebb2.yaml @@ -0,0 +1,6 @@ +--- +features: + - The relevant parameters have been added to deploy the heat APIs over httpd. + This means that the HeatWorkers now affect httpd instead of the heat API + themselves, and that the apache hieradata will also be deployed in the + nodes where the heat APIs run. diff --git a/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml new file mode 100644 index 00000000..c744e0f7 --- /dev/null +++ b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml @@ -0,0 +1,4 @@ +--- +features: + - Sahara is now deployed with keystone_authtoken parameters and move + forward with Keystone v3 version. diff --git a/roles_data.yaml b/roles_data.yaml index 1fddf72f..e0c1c42d 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -52,6 +52,7 @@ - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::NeutronBgpvpnApi - OS::TripleO::Services::NeutronDhcpAgent - OS::TripleO::Services::NeutronL3Agent - OS::TripleO::Services::NeutronMetadataAgent diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 32987cb2..5bd6dcdd 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -23,6 +23,13 @@ envs_containing_endpoint_map = ['tls-endpoints-public-dns.yaml', 'tls-endpoints-public-ip.yaml', 'tls-everywhere-endpoints-dns.yaml'] ENDPOINT_MAP_FILE = 'endpoint_map.yaml' +REQUIRED_DOCKER_SECTIONS = ['service_name', 'docker_config', 'kolla_config', + 'puppet_config', 'config_settings', 'step_config'] +OPTIONAL_DOCKER_SECTIONS = ['docker_puppet_tasks', 'upgrade_tasks', + 'service_config_settings'] +DOCKER_PUPPET_CONFIG_SECTIONS = ['config_volume', 'puppet_tags', 'step_config', + 'config_image'] + def exit_usage(): print('Usage %s <yaml file or directory>' % sys.argv[0]) @@ -69,6 +76,7 @@ def validate_hci_compute_services_default(env_filename, env_tpl): return 1 return 0 + def validate_mysql_connection(settings): no_op = lambda *args: False error_status = [0] @@ -109,6 +117,55 @@ def validate_mysql_connection(settings): return error_status[0] +def validate_docker_service(filename, tpl): + if 'outputs' in tpl and 'role_data' in tpl['outputs']: + if 'value' not in tpl['outputs']['role_data']: + print('ERROR: invalid role_data for filename: %s' + % filename) + return 1 + role_data = tpl['outputs']['role_data']['value'] + + for section_name in REQUIRED_DOCKER_SECTIONS: + if section_name not in role_data: + print('ERROR: %s is required in role_data for %s.' + % (section_name, filename)) + return 1 + + for section_name in role_data.keys(): + if section_name in REQUIRED_DOCKER_SECTIONS: + continue + else: + if section_name in OPTIONAL_DOCKER_SECTIONS: + continue + else: + print('ERROR: %s is extra in role_data for %s.' + % (section_name, filename)) + return 1 + + if 'puppet_config' in role_data: + puppet_config = role_data['puppet_config'] + for key in puppet_config: + if key in DOCKER_PUPPET_CONFIG_SECTIONS: + continue + else: + print('ERROR: %s should not be in puppet_config section.' + % key) + return 1 + for key in DOCKER_PUPPET_CONFIG_SECTIONS: + if key not in puppet_config: + print('ERROR: %s is required in puppet_config for %s.' + % (key, filename)) + return 1 + + if 'parameters' in tpl: + for param in required_params: + if param not in tpl['parameters']: + print('ERROR: parameter %s is required for %s.' + % (param, filename)) + return 1 + return 0 + + def validate_service(filename, tpl): if 'outputs' in tpl and 'role_data' in tpl['outputs']: if 'value' not in tpl['outputs']['role_data']: @@ -158,6 +215,10 @@ def validate(filename): filename != './puppet/services/services.yaml'): retval = validate_service(filename, tpl) + if (filename.startswith('./docker/services/') and + filename != './docker/services/services.yaml'): + retval = validate_docker_service(filename, tpl) + if filename.endswith('hyperconverged-ceph.yaml'): retval = validate_hci_compute_services_default(filename, tpl) diff --git a/validation-scripts/all-nodes.sh b/validation-scripts/all-nodes.sh index 0b8b3523..f1f4cc11 100644 --- a/validation-scripts/all-nodes.sh +++ b/validation-scripts/all-nodes.sh @@ -67,5 +67,23 @@ function ping_default_gateways() { echo "SUCCESS" } +# Verify the FQDN from the nova/ironic deployment matches +# FQDN in the heat templates. +function fqdn_check() { + HOSTNAME=$(hostname) + SHORT_NAME=$(hostname -s) + FQDN_FROM_HOSTS=$(awk '$3 == "'${SHORT_NAME}'"{print $2}' /etc/hosts) + echo -n "Checking hostname vs /etc/hosts entry..." + if [[ $HOSTNAME != $FQDN_FROM_HOSTS ]]; then + echo "FAILURE" + echo -e "System hostname: ${HOSTNAME}\nEntry from /etc/hosts: ${FQDN_FROM_HOSTS}\n" + exit 1 + fi + echo "SUCCESS" +} + ping_controller_ips "$ping_test_ips" ping_default_gateways +if [[ $validate_fqdn == "True" ]];then + fqdn_check +fi |