diff options
| -rwxr-xr-x | extraconfig/tasks/major_upgrade_ceph_mon.sh | 63 | ||||
| -rwxr-xr-x | extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh | 29 | ||||
| -rw-r--r-- | extraconfig/tasks/major_upgrade_pacemaker.yaml | 18 | ||||
| -rw-r--r-- | network/service_net_map.yaml | 1 | ||||
| -rw-r--r-- | overcloud-resource-registry-puppet.yaml | 1 | ||||
| -rw-r--r-- | overcloud.yaml | 1 | ||||
| -rw-r--r-- | puppet/controller.yaml | 88 | ||||
| -rw-r--r-- | puppet/services/aodh-api.yaml | 8 | ||||
| -rw-r--r-- | puppet/services/apache.yaml | 40 | ||||
| -rw-r--r-- | puppet/services/ceilometer-api.yaml | 8 | ||||
| -rw-r--r-- | puppet/services/gnocchi-api.yaml | 9 | ||||
| -rw-r--r-- | puppet/services/haproxy.yaml | 40 | ||||
| -rw-r--r-- | puppet/services/horizon.yaml | 39 | ||||
| -rw-r--r-- | puppet/services/keystone.yaml | 153 | ||||
| -rw-r--r-- | puppet/services/neutron-api.yaml | 6 | ||||
| -rw-r--r-- | puppet/services/neutron-base.yaml | 10 | ||||
| -rw-r--r-- | puppet/services/neutron-metadata.yaml | 6 | ||||
| -rw-r--r-- | puppet/services/nova-api.yaml | 24 | ||||
| -rw-r--r-- | puppet/services/nova-base.yaml | 4 | ||||
| -rw-r--r-- | puppet/services/nova-vncproxy.yaml | 6 |
20 files changed, 360 insertions, 194 deletions
diff --git a/extraconfig/tasks/major_upgrade_ceph_mon.sh b/extraconfig/tasks/major_upgrade_ceph_mon.sh new file mode 100755 index 00000000..38befbbf --- /dev/null +++ b/extraconfig/tasks/major_upgrade_ceph_mon.sh @@ -0,0 +1,63 @@ +#!/bin/bash +set -eu +set -o pipefail + +echo INFO: starting $(basename "$0") + +# Exit if not running +if ! pidof ceph-mon; then + echo INFO: ceph-mon is not running, skipping + exit 0 +fi + +# Exit if not Hammer +INSTALLED_VERSION=$(ceph --version | awk '{print $3}') +if ! [[ "$INSTALLED_VERSION" =~ ^0\.94.* ]]; then + echo INFO: version of Ceph installed is not 0.94, skipping + exit 0 +fi + +MON_PID=$(pidof ceph-mon) +MON_ID=$(hostname -s) + +# Stop daemon using Hammer sysvinit script +service ceph stop mon.${MON_ID} + +# Ensure it's stopped +timeout 60 bash -c "while kill -0 ${MON_PID} 2> /dev/null; do + sleep 2; +done" + +# Update to Jewel +yum -y -q update ceph-mon + +# Restart/Exit if not on Jewel, only in that case we need the changes +UPDATED_VERSION=$(ceph --version | awk '{print $3}') +if [[ "$UPDATED_VERSION" =~ ^0\.94.* ]]; then + echo WARNING: Ceph was not upgraded, restarting daemons + service ceph start mon.${MON_ID} +elif [[ "$UPDATED_VERSION" =~ ^10\.2.* ]]; then + echo INFO: Ceph was upgraded to Jewel + + # RPM could own some of these but we can't take risks on the pre-existing files + for d in /var/lib/ceph/mon /var/log/ceph /var/run/ceph /etc/ceph; do + chown -R ceph:ceph $d + done + + # Replay udev events with newer rules + udevadm trigger + + # Enable systemd unit + systemctl enable ceph-mon.target + systemctl enable ceph-mon@${MON_ID} + systemctl start ceph-mon@${MON_ID} + + # Wait for daemon to be back in the quorum + timeout 300 bash -c "until (ceph quorum_status | jq .quorum_names | grep -sq ${MON_ID}); do + echo Waiting for mon.${MON_ID} to re-join quorum; + sleep 10; + done" +else + echo ERROR: Ceph was upgraded to an unknown release, daemon is stopped, need manual intervention + exit 1 +fi diff --git a/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh b/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh index 2ee473ce..0b702630 100755 --- a/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh +++ b/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh @@ -18,7 +18,7 @@ STONITH_STATE=$(pcs property show stonith-enabled | grep "stonith-enabled" | awk pcs property set stonith-enabled=false # If for some reason rpm-python are missing we want to error out early enough -if [ ! rpm -q rpm-python &> /dev/null ]; then +if ! rpm -q rpm-python &> /dev/null; then echo_error "ERROR: upgrade cannot start without rpm-python installed" exit 1 fi @@ -155,17 +155,19 @@ wsrep_on = ON wsrep_cluster_address = gcomm://localhost EOF -if [ "$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid)" = "$(facter hostname)" ]; then - if [ $DO_MYSQL_UPGRADE -eq 1 ]; then - # Scripts run via heat have no HOME variable set and this confuses - # mysqladmin - export HOME=/root - mkdir /var/lib/mysql || /bin/true - chown mysql:mysql /var/lib/mysql - chmod 0755 /var/lib/mysql - restorecon -R /var/lib/mysql/ - mysql_install_db --datadir=/var/lib/mysql --user=mysql - chown -R mysql:mysql /var/lib/mysql/ +if [ $DO_MYSQL_UPGRADE -eq 1 ]; then + # Scripts run via heat have no HOME variable set and this confuses + # mysqladmin + export HOME=/root + + mkdir /var/lib/mysql || /bin/true + chown mysql:mysql /var/lib/mysql + chmod 0755 /var/lib/mysql + restorecon -R /var/lib/mysql/ + mysql_install_db --datadir=/var/lib/mysql --user=mysql + chown -R mysql:mysql /var/lib/mysql/ + + if [ "$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid)" = "$(facter hostname)" ]; then mysqld_safe --wsrep-new-cluster & # We have a populated /root/.my.cnf with root/password here so # we need to temporarily rename it because the newly created @@ -182,6 +184,9 @@ fi # If we reached here without error we can safely blow away the origin # mysql dir from every controller + +# TODO: What if the upgrade fails on the bootstrap node, but not on +# this controller. Data may be lost. if [ $DO_MYSQL_UPGRADE -eq 1 ]; then rm -r $MYSQL_TEMP_UPGRADE_BACKUP_DIR fi diff --git a/extraconfig/tasks/major_upgrade_pacemaker.yaml b/extraconfig/tasks/major_upgrade_pacemaker.yaml index c70a954f..c2e14880 100644 --- a/extraconfig/tasks/major_upgrade_pacemaker.yaml +++ b/extraconfig/tasks/major_upgrade_pacemaker.yaml @@ -32,6 +32,23 @@ resources: # map_merge with input_values instead of feeding params into scripts # via str_replace on bash snippets + CephMonUpgradeConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: {get_file: major_upgrade_ceph_mon.sh} + + CephMonUpgradeDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + servers: {get_param: controller_servers} + config: {get_resource: CephMonUpgradeConfig} + input_values: {get_param: input_values} + batch_create: + max_batch_size: 1 + rolling_update: + max_batch_size: 1 + ControllerPacemakerUpgradeConfig_Step1: type: OS::Heat::SoftwareConfig properties: @@ -57,6 +74,7 @@ resources: ControllerPacemakerUpgradeDeployment_Step1: type: OS::Heat::SoftwareDeploymentGroup + depends_on: CephMonUpgradeDeployment properties: servers: {get_param: controller_servers} config: {get_resource: ControllerPacemakerUpgradeConfig_Step1} diff --git a/network/service_net_map.yaml b/network/service_net_map.yaml index 50f5c55a..e30a6304 100644 --- a/network/service_net_map.yaml +++ b/network/service_net_map.yaml @@ -13,6 +13,7 @@ parameters: ServiceNetMapDefaults: default: + ApacheNetwork: internal_api NeutronTenantNetwork: tenant CeilometerApiNetwork: internal_api AodhApiNetwork: internal_api diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml index a8d76c0c..a1a8d921 100644 --- a/overcloud-resource-registry-puppet.yaml +++ b/overcloud-resource-registry-puppet.yaml @@ -130,6 +130,7 @@ resource_registry: # services OS::TripleO::Services: puppet/services/services.yaml + OS::TripleO::Services::Apache: puppet/services/apache.yaml OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CephMon: OS::Heat::None OS::TripleO::Services::CephOSD: OS::Heat::None diff --git a/overcloud.yaml b/overcloud.yaml index 38a36800..82fdedc3 100644 --- a/overcloud.yaml +++ b/overcloud.yaml @@ -435,7 +435,6 @@ resources: properties: CloudDomain: {get_param: CloudDomain} controllerExtraConfig: {get_param: controllerExtraConfig} - HorizonSecret: {get_resource: HorizonSecret} PcsdPassword: {get_resource: PcsdPassword} RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]} RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]} diff --git a/puppet/controller.yaml b/puppet/controller.yaml index 28fd08da..0225231e 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml @@ -83,10 +83,6 @@ parameters: type: string constraints: - custom_constraint: nova.flavor - HorizonSecret: - description: Secret key for Django - type: string - hidden: true controllerImage: type: string default: overcloud-full @@ -96,10 +92,6 @@ parameters: default: 'REBUILD_PRESERVE_EPHEMERAL' description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt. type: string - InstanceNameTemplate: - default: 'instance-%08x' - description: Template string to be used to generate instance names - type: string KeyName: default: default description: Name of an existing Nova key pair to enable SSH access to the instances @@ -110,39 +102,14 @@ parameters: default: false description: Whether to manage IPtables rules. type: boolean - MemcachedIPv6: - default: false - description: Enable IPv6 features in Memcached. - type: boolean PurgeFirewallRules: default: false description: Whether IPtables rules should be purged before setting up the new ones. type: boolean - NeutronMetadataProxySharedSecret: - description: Shared secret to prevent spoofing - type: string - hidden: true - NeutronPassword: - description: The password for the neutron service and db account, used by neutron agents. - type: string - hidden: true NeutronPublicInterface: default: nic1 description: What interface to bridge onto br-ex for network nodes. type: string - NovaEnableDBPurge: - default: true - description: | - Whether to create cron job for purging soft deleted rows in Nova database. - type: boolean - NovaIPv6: - default: false - description: Enable IPv6 features in Nova - type: boolean - NovaPassword: - description: The password for the nova service and db account, used by nova-api. - type: string - hidden: true PcsdPassword: type: string description: The password for the 'pcsd' user. @@ -162,10 +129,6 @@ parameters: default: {} description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})' type: json - UpgradeLevelNovaCompute: - type: string - description: Nova Compute upgrade level - default: '' ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -392,43 +355,15 @@ resources: server: {get_resource: Controller} input_values: bootstack_nodeid: {get_attr: [Controller, name]} - horizon_secret: {get_param: HorizonSecret} debug: {get_param: Debug} - keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - keystone_ec2_uri: { get_param: [EndpointMap, KeystoneEC2, uri] } enable_fencing: {get_param: EnableFencing} enable_load_balancer: {get_param: EnableLoadBalancer} manage_firewall: {get_param: ManageFirewall} purge_firewall_rules: {get_param: PurgeFirewallRules} - neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} - nova_enable_db_purge: {get_param: NovaEnableDBPurge} - nova_ipv6: {get_param: NovaIPv6} corosync_ipv6: {get_param: CorosyncIPv6} - memcached_ipv6: {get_param: MemcachedIPv6} - nova_password: {get_param: NovaPassword} - upgrade_level_nova_compute: {get_param: UpgradeLevelNovaCompute} - instance_name_template: {get_param: InstanceNameTemplate} fencing_config: {get_param: FencingConfig} pcsd_password: {get_param: PcsdPassword} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} - glance_api_servers: { get_param: [EndpointMap, GlanceInternal, uri]} - neutron_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]} - nova_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaApiNetwork]}]} - nova_metadata_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaMetadataNetwork]}]} - horizon_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HorizonNetwork]}]} - horizon_subnet: - str_replace: - template: "['SUBNET']" - params: - SUBNET: - get_attr: - - NetIpMap - - net_ip_map - - str_replace: - template: "NETWORK_subnet" - params: - NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} redis_vip: {get_param: RedisVirtualIP} ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]} @@ -489,37 +424,14 @@ resources: tripleo::fencing::config: {get_input: fencing_config} # Neutron - neutron::bind_host: {get_input: neutron_api_network} - neutron::agents::metadata::metadata_ip: {get_input: neutron_api_network} snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name} snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password} - - # Nova - nova::upgrade_level_compute: {get_input: upgrade_level_nova_compute} - nova::use_ipv6: {get_input: nova_ipv6} - nova::api::api_bind_address: {get_input: nova_api_network} - nova::api::metadata_listen: {get_input: nova_metadata_network} - nova::glance_api_servers: {get_input: glance_api_servers} - nova::api::neutron_metadata_proxy_shared_secret: {get_input: neutron_metadata_proxy_shared_secret} - nova::api::instance_name_template: {get_input: instance_name_template} - nova::vncproxy::host: {get_input: nova_api_network} - nova_enable_db_purge: {get_input: nova_enable_db_purge} - - # Horizon - apache::mod::remoteip::proxy_ips: {get_input: horizon_subnet} - apache::ip: {get_input: horizon_network} - horizon::django_debug: {get_input: debug} - horizon::secret_key: {get_input: horizon_secret} - horizon::bind_address: {get_input: horizon_network} - horizon::keystone_url: {get_input: keystone_auth_uri} - # Redis redis_vip: {get_input: redis_vip} # Firewall tripleo::firewall::manage_firewall: {get_input: manage_firewall} tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules} # Misc - memcached_ipv6: {get_input: memcached_ipv6} tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]} tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index 4308052b..cc1f4b09 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -27,6 +27,13 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Aodh API service. @@ -35,6 +42,7 @@ outputs: config_settings: map_merge: - get_attr: [AodhBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] - aodh::wsgi::apache::ssl: false aodh::api::service_name: 'httpd' tripleo.aodh_api.firewall_rules: diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml new file mode 100644 index 00000000..758d9510 --- /dev/null +++ b/puppet/services/apache.yaml @@ -0,0 +1,40 @@ +heat_template_version: 2016-10-14 + +description: > + Apache service configured with Puppet. Note this is typically included + automatically via other services which run via Apache. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the Apache role. + value: + service_name: apache + config_settings: + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} + apache_remote_proxy_ips_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::mod::remoteip::proxy_ips: + - "%{hiera('apache_remote_proxy_ips_network')}" diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 201a2b7b..2baac511 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -28,6 +28,13 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Ceilometer API role. @@ -35,6 +42,7 @@ outputs: service_name: ceilometer_api config_settings: map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [CeilometerServiceBase, role_data, config_settings] - tripleo.ceilometer_api.firewall_rules: '124 ceilometer': diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index ec42f3f5..dc6e7de7 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -35,6 +35,7 @@ parameters: description: Keystone region for endpoint resources: + GnocchiServiceBase: type: ./gnocchi-base.yaml properties: @@ -42,6 +43,13 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Gnocchi role. @@ -49,6 +57,7 @@ outputs: service_name: gnocchi_api config_settings: map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [GnocchiServiceBase, role_data, config_settings] - tripleo.gnocchi_api.firewall_rules: '129 gnocchi-api': diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index c0e1c113..6885449e 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -55,27 +55,27 @@ outputs: '107 haproxy stats': dport: 1993 # TODO(emilien) make it composable to find which services are actually running - tripleo::haproxy::keystone_admin: true - tripleo::haproxy::keystone_public: true - tripleo::haproxy::neutron: true - tripleo::haproxy::cinder: true - tripleo::haproxy::glance_api: true - tripleo::haproxy::glance_registry: true - tripleo::haproxy::nova_osapi: true - tripleo::haproxy::nova_metadata: true - tripleo::haproxy::nova_novncproxy: true + tripleo::haproxy::keystone_admin: '"%{hiera(\"keystone_enabled\")}"' + tripleo::haproxy::keystone_public: '"%{hiera(\"keystone_enabled\")}"' + tripleo::haproxy::neutron: '"%{hiera(\"neutron_api_enabled\")}"' + tripleo::haproxy::cinder: '"%{hiera(\"cinder_api_enabled\")}"' + tripleo::haproxy::glance_api: '"%{hiera(\"glance_api_enabled\")}"' + tripleo::haproxy::glance_registry: '"%{hiera(\"glance_registry_enabled\")}"' + tripleo::haproxy::nova_osapi: '"%{hiera(\"nova_api_enabled\")}"' + tripleo::haproxy::nova_metadata: '"%{hiera(\"nova_api_enabled\")}"' + tripleo::haproxy::nova_novncproxy: '"%{hiera(\"nova_vncproxy_enabled\")}"' tripleo::haproxy::mysql: true - tripleo::haproxy::redis: true - tripleo::haproxy::sahara: true - tripleo::haproxy::swift_proxy_server: true - tripleo::haproxy::ceilometer: true - tripleo::haproxy::aodh: true - tripleo::haproxy::gnocchi: true - tripleo::haproxy::heat_api: true - tripleo::haproxy::heat_cloudwatch: true - tripleo::haproxy::heat_cfn: true - tripleo::haproxy::horizon: true - tripleo::haproxy::ironic: true + tripleo::haproxy::redis: '"%{hiera(\"redis_enabled\")}"' + tripleo::haproxy::sahara: '"%{hiera(\"sahara_api_enabled\")}"' + tripleo::haproxy::swift_proxy_server: '"%{hiera(\"swift_proxy_enabled\")}"' + tripleo::haproxy::ceilometer: '"%{hiera(\"ceilometer_api_enabled\")}"' + tripleo::haproxy::aodh: '"%{hiera(\"aodh_api_enabled\")}"' + tripleo::haproxy::gnocchi: '"%{hiera(\"gnocchi_api_enabled\")}"' + tripleo::haproxy::heat_api: '"%{hiera(\"heat_api_enabled\")}"' + tripleo::haproxy::heat_cloudwatch: '"%{hiera(\"heat_api_cloudwatch_enabled\")}"' + tripleo::haproxy::heat_cfn: '"%{hiera(\"heat_api_cfn_enabled\")}"' + tripleo::haproxy::horizon: '"%{hiera(\"horizon_enabled\")}"' + tripleo::haproxy::ironic: '"%{hiera(\"ironic_api_enabled\")}"' tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index c5d96819..1ea686b9 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Horizon service configured with Puppet @@ -10,6 +10,10 @@ parameters: via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string DefaultPasswords: default: {} type: json @@ -22,11 +26,20 @@ parameters: default: '*' description: A list of IP/Hostname allowed to connect to horizon type: comma_delimited_list + HorizonSecret: + description: Secret key for Django + type: string + hidden: true + default: '' NeutronMechanismDrivers: default: 'openvswitch' description: | The mechanism drivers for the Neutron tenant network. type: comma_delimited_list + MemcachedIPv6: + default: false + description: Enable IPv6 features in Memcached. + type: boolean outputs: role_data: @@ -51,5 +64,29 @@ outputs: add_listen: false priority: 10 access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + apache::ip: {get_param: [ServiceNetMap, HorizonNetwork]} + apache_remote_proxy_ips_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} + apache::mod::remoteip::proxy_ips: + - "%{hiera('apache_remote_proxy_ips_network')}" + horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} + horizon::django_debug: {get_param: Debug} + horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::secret_key: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: HorizonSecret} + - {get_param: [DefaultPasswords, horizon_secret]} + memcached_ipv6: {get_param: MemcachedIPv6} step_config: | include ::tripleo::profile::base::horizon diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index c763c391..45531abc 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -84,81 +84,94 @@ parameters: type: string description: Set the number of workers for keystone::wsgi::apache default: '"%{::processorcount}"' + +resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Keystone role. value: service_name: keystone config_settings: - keystone::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://keystone:' - - {get_param: AdminToken} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/keystone' - keystone::admin_token: {get_param: AdminToken} - keystone::roles::admin::password: {get_param: AdminPassword} - keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} - keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} - keystone::enable_proxy_headers_parsing: true - keystone::debug: {get_param: Debug} - keystone::db::mysql::password: {get_param: AdminToken} - keystone::rabbit_userid: {get_param: RabbitUserName} - keystone::rabbit_password: {get_param: RabbitPassword} - keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - keystone::rabbit_port: {get_param: RabbitClientPort} - keystone::notification_driver: {get_param: KeystoneNotificationDriver} - keystone::notification_format: {get_param: KeystoneNotificationFormat} - keystone::roles::admin::email: {get_param: AdminEmail} - keystone::roles::admin::password: {get_param: AdminPassword} - keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} - keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - keystone::endpoint::region: {get_param: KeystoneRegion} - keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} - keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} - keystone::db::mysql::user: keystone - keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - keystone::db::mysql::dbname: keystone - keystone::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - keystone::rabbit_heartbeat_timeout_threshold: 60 - keystone::cron::token_flush::maxdelay: 3600 - keystone::roles::admin::service_tenant: 'service' - keystone::roles::admin::admin_tenant: 'admin' - keystone::cron::token_flush::destination: '/dev/null' - keystone::config::keystone_config: - ec2/driver: - value: 'keystone.contrib.ec2.backends.sql.Ec2' - keystone::service_name: 'httpd' - keystone::wsgi::apache::ssl: false - - keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} - # override via extraconfig: - keystone::wsgi::apache::threads: 1 - keystone::db::database_db_max_retries: -1 - keystone::db::database_max_retries: -1 - tripleo.keystone.firewall_rules: - '111 keystone': - dport: - - 5000 - - 13000 - - 35357 - - 13357 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - # NOTE: this applies to all 4 bind IP settings below... - keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} - keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} - keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} - keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + config_settings: + map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - keystone::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://keystone:' + - {get_param: AdminToken} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/keystone' + keystone::admin_token: {get_param: AdminToken} + keystone::roles::admin::password: {get_param: AdminPassword} + keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} + keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} + keystone::enable_proxy_headers_parsing: true + keystone::debug: {get_param: Debug} + keystone::db::mysql::password: {get_param: AdminToken} + keystone::rabbit_userid: {get_param: RabbitUserName} + keystone::rabbit_password: {get_param: RabbitPassword} + keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + keystone::rabbit_port: {get_param: RabbitClientPort} + keystone::notification_driver: {get_param: KeystoneNotificationDriver} + keystone::notification_format: {get_param: KeystoneNotificationFormat} + keystone::roles::admin::email: {get_param: AdminEmail} + keystone::roles::admin::password: {get_param: AdminPassword} + keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} + keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + keystone::endpoint::region: {get_param: KeystoneRegion} + keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} + keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} + keystone::db::mysql::user: keystone + keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + keystone::db::mysql::dbname: keystone + keystone::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + keystone::rabbit_heartbeat_timeout_threshold: 60 + keystone::cron::token_flush::maxdelay: 3600 + keystone::roles::admin::service_tenant: 'service' + keystone::roles::admin::admin_tenant: 'admin' + keystone::cron::token_flush::destination: '/dev/null' + keystone::config::keystone_config: + ec2/driver: + value: 'keystone.contrib.ec2.backends.sql.Ec2' + keystone::service_name: 'httpd' + keystone::wsgi::apache::ssl: false + + keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} + # override via extraconfig: + keystone::wsgi::apache::threads: 1 + keystone::db::database_db_max_retries: -1 + keystone::db::database_max_retries: -1 + tripleo.keystone.firewall_rules: + '111 keystone': + dport: + - 5000 + - 13000 + - 35357 + - 13357 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + # NOTE: this applies to all 4 bind IP settings below... + keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} step_config: | include ::tripleo::profile::base::keystone diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 35ac32db..cd8a20a1 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -111,5 +111,11 @@ outputs: '106 vrrp': proto: vrrp neutron::server::router_distributed: {get_param: NeutronEnableDVR} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} step_config: | include tripleo::profile::base::neutron::server diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 39ffea24..4eb417c0 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -48,6 +48,15 @@ parameters: description: > Remove configuration that is not generated by TripleO. Setting to false may result in configuration remnants after updates/upgrades. + NeutronGlobalPhysnetMtu: + type: number + default: 1500 + description: | + MTU of the underlying physical network. Neutron uses this value to + calculate MTU for all virtual network components. For flat and VLAN + networks, neutron uses this value without modification. For overlay + networks such as VXLAN, neutron automatically subtracts the overlay + protocol overhead from this value. ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -87,3 +96,4 @@ outputs: neutron::host: '"%{::fqdn}"' #NOTE: extra quoting is needed neutron::db::database_db_max_retries: -1 neutron::db::database_max_retries: -1 + neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu} diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index b9ec277a..6bb931b1 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -53,5 +53,11 @@ outputs: neutron::agents::metadata::auth_password: {get_param: NeutronPassword} neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + neutron::agents::metadata::metadata_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} step_config: | include tripleo::profile::base::neutron::metadata diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index c2bd395e..b5c3815e 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -30,6 +30,19 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + NeutronMetadataProxySharedSecret: + description: Shared secret to prevent spoofing + type: string + hidden: true + InstanceNameTemplate: + default: 'instance-%08x' + description: Template string to be used to generate instance names + type: string + NovaEnableDBPurge: + default: true + description: | + Whether to create cron job for purging soft deleted rows in Nova database. + type: boolean resources: NovaBase: @@ -75,5 +88,16 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + nova::api::instance_name_template: {get_param: InstanceNameTemplate} + nova_enable_db_purge: {get_param: NovaEnableDBPurge} + step_config: | include tripleo::profile::base::nova::api diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 471ece34..24a63bb4 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -95,14 +95,14 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_api' - nova::db::mysql::password: {get_input: nova_password} + nova::db::mysql::password: {get_param: NovaPassword} nova::db::mysql::user: nova nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} nova::db::mysql::dbname: nova nova::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" - nova::db::mysql_api::password: {get_input: nova_password} + nova::db::mysql_api::password: {get_param: NovaPassword} nova::db::mysql_api::user: nova_api nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} nova::db::mysql_api::dbname: nova_api diff --git a/puppet/services/nova-vncproxy.yaml b/puppet/services/nova-vncproxy.yaml index 0a1785d8..7444d7d8 100644 --- a/puppet/services/nova-vncproxy.yaml +++ b/puppet/services/nova-vncproxy.yaml @@ -46,5 +46,11 @@ outputs: '[': '' ']': '' nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]} step_config: | include tripleo::profile::base::nova::vncproxy |