diff options
26 files changed, 538 insertions, 508 deletions
diff --git a/environments/neutron-opendaylight-l3.yaml b/environments/neutron-opendaylight-l3.yaml index 92f02a49..d61270b2 100644 --- a/environments/neutron-opendaylight-l3.yaml +++ b/environments/neutron-opendaylight-l3.yaml @@ -2,7 +2,7 @@ resource_registry: OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None - OS::TripleO::Services::OpenDaylight: puppet/services/opendaylight.yaml + OS::TripleO::Services::OpenDaylight: puppet/services/opendaylight-api.yaml OS::TripleO::Services::OpenDaylightOvs: puppet/services/opendaylight-ovs.yaml OS::TripleO::Services::NeutronL3Agent: OS::Heat::None diff --git a/environments/neutron-opendaylight.yaml b/environments/neutron-opendaylight.yaml index afc2ef98..8fa2e542 100644 --- a/environments/neutron-opendaylight.yaml +++ b/environments/neutron-opendaylight.yaml @@ -2,7 +2,7 @@ resource_registry: OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None - OS::TripleO::Services::OpenDaylight: puppet/services/opendaylight.yaml + OS::TripleO::Services::OpenDaylight: puppet/services/opendaylight-api.yaml OS::TripleO::Services::OpenDaylightOvs: puppet/services/opendaylight-ovs.yaml parameter_defaults: diff --git a/extraconfig/tasks/major_upgrade_ceph_mon.sh b/extraconfig/tasks/major_upgrade_ceph_mon.sh new file mode 100755 index 00000000..38befbbf --- /dev/null +++ b/extraconfig/tasks/major_upgrade_ceph_mon.sh @@ -0,0 +1,63 @@ +#!/bin/bash +set -eu +set -o pipefail + +echo INFO: starting $(basename "$0") + +# Exit if not running +if ! pidof ceph-mon; then + echo INFO: ceph-mon is not running, skipping + exit 0 +fi + +# Exit if not Hammer +INSTALLED_VERSION=$(ceph --version | awk '{print $3}') +if ! [[ "$INSTALLED_VERSION" =~ ^0\.94.* ]]; then + echo INFO: version of Ceph installed is not 0.94, skipping + exit 0 +fi + +MON_PID=$(pidof ceph-mon) +MON_ID=$(hostname -s) + +# Stop daemon using Hammer sysvinit script +service ceph stop mon.${MON_ID} + +# Ensure it's stopped +timeout 60 bash -c "while kill -0 ${MON_PID} 2> /dev/null; do + sleep 2; +done" + +# Update to Jewel +yum -y -q update ceph-mon + +# Restart/Exit if not on Jewel, only in that case we need the changes +UPDATED_VERSION=$(ceph --version | awk '{print $3}') +if [[ "$UPDATED_VERSION" =~ ^0\.94.* ]]; then + echo WARNING: Ceph was not upgraded, restarting daemons + service ceph start mon.${MON_ID} +elif [[ "$UPDATED_VERSION" =~ ^10\.2.* ]]; then + echo INFO: Ceph was upgraded to Jewel + + # RPM could own some of these but we can't take risks on the pre-existing files + for d in /var/lib/ceph/mon /var/log/ceph /var/run/ceph /etc/ceph; do + chown -R ceph:ceph $d + done + + # Replay udev events with newer rules + udevadm trigger + + # Enable systemd unit + systemctl enable ceph-mon.target + systemctl enable ceph-mon@${MON_ID} + systemctl start ceph-mon@${MON_ID} + + # Wait for daemon to be back in the quorum + timeout 300 bash -c "until (ceph quorum_status | jq .quorum_names | grep -sq ${MON_ID}); do + echo Waiting for mon.${MON_ID} to re-join quorum; + sleep 10; + done" +else + echo ERROR: Ceph was upgraded to an unknown release, daemon is stopped, need manual intervention + exit 1 +fi diff --git a/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh b/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh index d67d5a1a..0b702630 100755 --- a/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh +++ b/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh @@ -18,7 +18,7 @@ STONITH_STATE=$(pcs property show stonith-enabled | grep "stonith-enabled" | awk pcs property set stonith-enabled=false # If for some reason rpm-python are missing we want to error out early enough -if [ ! rpm -q rpm-python &> /dev/null ]; then +if ! rpm -q rpm-python &> /dev/null; then echo_error "ERROR: upgrade cannot start without rpm-python installed" exit 1 fi @@ -155,17 +155,19 @@ wsrep_on = ON wsrep_cluster_address = gcomm://localhost EOF -if [ "$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid)" = "$(facter hostname)" ]; then - if [ $DO_MYSQL_UPGRADE -eq 1 ]; then - # Scripts run via heat have no HOME variable set and this confuses - # mysqladmin - export HOME=/root - mkdir /var/lib/mysql || /bin/true - chown mysql:mysql /var/lib/mysql - chmod 0755 /var/lib/mysql - restorecon -R /var/lib/mysql/ - mysql_install_db --datadir=/var/lib/mysql --user=mysql - chown -R mysql:mysql /var/lib/mysql/ +if [ $DO_MYSQL_UPGRADE -eq 1 ]; then + # Scripts run via heat have no HOME variable set and this confuses + # mysqladmin + export HOME=/root + + mkdir /var/lib/mysql || /bin/true + chown mysql:mysql /var/lib/mysql + chmod 0755 /var/lib/mysql + restorecon -R /var/lib/mysql/ + mysql_install_db --datadir=/var/lib/mysql --user=mysql + chown -R mysql:mysql /var/lib/mysql/ + + if [ "$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid)" = "$(facter hostname)" ]; then mysqld_safe --wsrep-new-cluster & # We have a populated /root/.my.cnf with root/password here so # we need to temporarily rename it because the newly created @@ -182,6 +184,9 @@ fi # If we reached here without error we can safely blow away the origin # mysql dir from every controller + +# TODO: What if the upgrade fails on the bootstrap node, but not on +# this controller. Data may be lost. if [ $DO_MYSQL_UPGRADE -eq 1 ]; then rm -r $MYSQL_TEMP_UPGRADE_BACKUP_DIR fi @@ -199,3 +204,5 @@ crudini --set /etc/ceilometer/ceilometer.conf DEFAULT rpc_backend rabbit # https://bugzilla.redhat.com/show_bug.cgi?id=1284058 # Ifd1861e3df46fad0e44ff9b5cbd58711bbc87c97 Swift Ceilometer middleware no longer exists crudini --set /etc/swift/proxy-server.conf pipeline:main pipeline "catch_errors healthcheck cache ratelimit tempurl formpost authtoken keystone staticweb proxy-logging proxy-server" +# LP: 1615035, required only for M/N upgrade. +crudini --set /etc/nova/nova.conf DEFAULT scheduler_host_manager host_manager diff --git a/extraconfig/tasks/major_upgrade_pacemaker.yaml b/extraconfig/tasks/major_upgrade_pacemaker.yaml index c70a954f..c2e14880 100644 --- a/extraconfig/tasks/major_upgrade_pacemaker.yaml +++ b/extraconfig/tasks/major_upgrade_pacemaker.yaml @@ -32,6 +32,23 @@ resources: # map_merge with input_values instead of feeding params into scripts # via str_replace on bash snippets + CephMonUpgradeConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: {get_file: major_upgrade_ceph_mon.sh} + + CephMonUpgradeDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + servers: {get_param: controller_servers} + config: {get_resource: CephMonUpgradeConfig} + input_values: {get_param: input_values} + batch_create: + max_batch_size: 1 + rolling_update: + max_batch_size: 1 + ControllerPacemakerUpgradeConfig_Step1: type: OS::Heat::SoftwareConfig properties: @@ -57,6 +74,7 @@ resources: ControllerPacemakerUpgradeDeployment_Step1: type: OS::Heat::SoftwareDeploymentGroup + depends_on: CephMonUpgradeDeployment properties: servers: {get_param: controller_servers} config: {get_resource: ControllerPacemakerUpgradeConfig_Step1} diff --git a/network/ports/net_ip_list_map.yaml b/network/ports/net_ip_list_map.yaml index 32272bd6..36f3358e 100644 --- a/network/ports/net_ip_list_map.yaml +++ b/network/ports/net_ip_list_map.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2015-04-30 +heat_template_version: 2016-10-14 parameters: ControlPlaneIpList: @@ -22,6 +22,12 @@ parameters: ManagementIpList: default: [] type: comma_delimited_list + EnabledServices: + default: [] + type: comma_delimited_list + ServiceNetMap: + default: {} + type: json outputs: net_ip_map: @@ -36,3 +42,32 @@ outputs: storage_mgmt: {get_param: StorageMgmtIpList} tenant: {get_param: TenantIpList} management: {get_param: ManagementIpList} + service_ips: + description: > + Map of enabled services to a list of their IP addresses + value: + yaql: + # This filters any entries where the value hasn't been substituted for + # a list, e.g it's still $service_network. This happens when there is + # no network defined for the service in the ServiceNetMap, which is OK + # as not all services have to be bound to a network, so we filter them + expression: dict($.data.map.items().where(not isString($[1]))) + data: + map: + map_replace: + - map_replace: + - map_merge: + repeat: + template: + SERVICE_node_ips: SERVICE_network + for_each: + SERVICE: {get_param: EnabledServices} + - values: {get_param: ServiceNetMap} + - values: + ctlplane: {get_param: ControlPlaneIpList} + external: {get_param: ExternalIpList} + internal_api: {get_param: InternalApiIpList} + storage: {get_param: StorageIpList} + storage_mgmt: {get_param: StorageMgmtIpList} + tenant: {get_param: TenantIpList} + management: {get_param: ManagementIpList} diff --git a/network/service_net_map.yaml b/network/service_net_map.yaml index 50f5c55a..e30a6304 100644 --- a/network/service_net_map.yaml +++ b/network/service_net_map.yaml @@ -13,6 +13,7 @@ parameters: ServiceNetMapDefaults: default: + ApacheNetwork: internal_api NeutronTenantNetwork: tenant CeilometerApiNetwork: internal_api AodhApiNetwork: internal_api diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml index 57399210..c9870982 100644 --- a/overcloud-resource-registry-puppet.yaml +++ b/overcloud-resource-registry-puppet.yaml @@ -130,6 +130,7 @@ resource_registry: # services OS::TripleO::Services: puppet/services/services.yaml + OS::TripleO::Services::Apache: puppet/services/apache.yaml OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CephMon: OS::Heat::None OS::TripleO::Services::CephOSD: OS::Heat::None diff --git a/overcloud.yaml b/overcloud.yaml index 80ae6b6e..82fdedc3 100644 --- a/overcloud.yaml +++ b/overcloud.yaml @@ -435,7 +435,6 @@ resources: properties: CloudDomain: {get_param: CloudDomain} controllerExtraConfig: {get_param: controllerExtraConfig} - HorizonSecret: {get_resource: HorizonSecret} PcsdPassword: {get_resource: PcsdPassword} RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]} RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]} @@ -587,6 +586,8 @@ resources: StorageMgmtIpList: {get_attr: [Controller, storage_mgmt_ip_address]} TenantIpList: {get_attr: [Controller, tenant_ip_address]} ManagementIpList: {get_attr: [Controller, management_ip_address]} + EnabledServices: {get_attr: [ControllerServiceChain, role_data, service_names]} + ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map_lower]} allNodesConfig: type: OS::TripleO::AllNodes::SoftwareConfig @@ -607,32 +608,23 @@ resources: - list_join: - '\n' - {get_attr: [CephStorage, hosts_entry]} + enabled_services: + list_join: + - ',' + - {get_attr: [ControllerServiceChain, role_data, service_names]} + - {get_attr: [ComputeServiceChain, role_data, service_names]} + - {get_attr: [BlockStorageServiceChain, role_data, service_names]} + - {get_attr: [ObjectStorageServiceChain, role_data, service_names]} + - {get_attr: [CephStorageServiceChain, role_data, service_names]} controller_ips: {get_attr: [Controller, ip_address]} controller_names: {get_attr: [Controller, hostname]} + service_ips: {get_attr: [ControllerIpListMap, service_ips]} + # FIXME(shardy): These require further work to move into service_ips rabbit_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, RabbitmqNetwork]}]} - mongo_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, MongodbNetwork]}]} - redis_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, RedisNetwork]}]} memcache_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, MemcachedNetwork]}]} - mysql_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, MysqlNetwork]}]} - horizon_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, HorizonNetwork]}]} - heat_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, HeatApiNetwork]}]} - swift_proxy_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, SwiftProxyNetwork]}]} - ceilometer_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, CeilometerApiNetwork]}]} - aodh_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, AodhApiNetwork]}]} - gnocchi_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, GnocchiApiNetwork]}]} - nova_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, NovaApiNetwork]}]} - nova_metadata_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, NovaMetadataNetwork]}]} - glance_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, GlanceApiNetwork]}]} - glance_registry_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, GlanceRegistryNetwork]}]} - cinder_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, CinderApiNetwork]}]} - manila_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, ManilaApiNetwork]}]} - neutron_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, NeutronApiNetwork]}]} keystone_public_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, KeystonePublicApiNetwork]}]} keystone_admin_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, KeystoneAdminApiNetwork]}]} - sahara_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, SaharaApiNetwork]}]} - ironic_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, IronicApiNetwork]}]} ceph_mon_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, CephPublicNetwork]}]} - opendaylight_api_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, OpenDaylightApiNetwork]}]} ceph_mon_node_names: {get_attr: [Controller, hostname]} DeployIdentifier: {get_param: DeployIdentifier} UpdateIdentifier: {get_param: UpdateIdentifier} @@ -960,6 +952,9 @@ resources: RoleData: {get_attr: [CephStorageServiceChain, role_data]} outputs: + ManagedEndpoints: + description: Asserts that the keystone endpoints have been provisioned. + value: true KeystoneURL: description: URL for the Overcloud Keystone service value: {get_attr: [EndpointMap, endpoint_map, KeystonePublic, uri]} diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml index ddde5498..644c1938 100644 --- a/puppet/all-nodes-config.yaml +++ b/puppet/all-nodes-config.yaml @@ -1,63 +1,31 @@ -heat_template_version: 2015-04-30 +heat_template_version: 2016-10-14 description: 'All Nodes Config for Puppet' parameters: hosts: type: comma_delimited_list + # FIXME(shardy) this can be comma_delimited_list when + # https://bugs.launchpad.net/heat/+bug/1617019 is fixed + enabled_services: + type: string controller_ips: type: comma_delimited_list + service_ips: + type: json controller_names: type: comma_delimited_list rabbit_node_ips: type: comma_delimited_list - mongo_node_ips: - type: comma_delimited_list - redis_node_ips: - type: comma_delimited_list memcache_node_ips: type: comma_delimited_list - mysql_node_ips: - type: comma_delimited_list - horizon_node_ips: - type: comma_delimited_list - heat_api_node_ips: - type: comma_delimited_list - swift_proxy_node_ips: - type: comma_delimited_list - ceilometer_api_node_ips: - type: comma_delimited_list - aodh_api_node_ips: - type: comma_delimited_list - nova_api_node_ips: - type: comma_delimited_list - nova_metadata_node_ips: - type: comma_delimited_list - glance_api_node_ips: - type: comma_delimited_list - glance_registry_node_ips: - type: comma_delimited_list - gnocchi_api_node_ips: - type: comma_delimited_list - cinder_api_node_ips: - type: comma_delimited_list - manila_api_node_ips: - type: comma_delimited_list - neutron_api_node_ips: - type: comma_delimited_list keystone_public_api_node_ips: type: comma_delimited_list keystone_admin_api_node_ips: type: comma_delimited_list - sahara_api_node_ips: - type: comma_delimited_list - ironic_api_node_ips: - type: comma_delimited_list ceph_mon_node_ips: type: comma_delimited_list ceph_mon_node_names: type: comma_delimited_list - opendaylight_api_node_ips: - type: comma_delimited_list DeployIdentifier: type: string description: > @@ -94,252 +62,99 @@ resources: bootstrap_nodeid_ip: {get_input: bootstrap_nodeid_ip} all_nodes: mapped_data: - controller_node_ips: - list_join: - - ',' - - {get_param: controller_ips} - controller_node_names: - list_join: - - ',' - - {get_param: controller_names} - galera_node_names: - list_join: - - ',' - - {get_param: controller_names} - rabbitmq_node_ips: &rabbit_nodes_array - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: rabbit_node_ips} - mongodb_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: mongo_node_ips} - redis_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: redis_node_ips} - memcached_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: memcache_node_ips} - memcached_node_ips_v6: - str_replace: - template: "['inet6:[SERVERS_LIST]']" - params: - SERVERS_LIST: - list_join: - - "]','inet6:[" - - {get_param: memcache_node_ips} - mysql_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: mysql_node_ips} - horizon_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: horizon_node_ips} - heat_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: heat_api_node_ips} - swift_proxy_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: swift_proxy_node_ips} - ceilometer_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: ceilometer_api_node_ips} - aodh_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: aodh_api_node_ips} - gnocchi_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: gnocchi_api_node_ips} - nova_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: nova_api_node_ips} - nova_metadata_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: nova_metadata_node_ips} - glance_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: glance_api_node_ips} - glance_registry_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: glance_registry_node_ips} - cinder_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: cinder_api_node_ips} - manila_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: manila_api_node_ips} - neutron_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: neutron_api_node_ips} - # TODO: pass a `midonet_api_node_ips` var - midonet_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: neutron_api_node_ips} - keystone_public_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: keystone_public_api_node_ips} - keystone_admin_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: keystone_admin_api_node_ips} - sahara_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: sahara_api_node_ips} - ironic_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: ironic_api_node_ips} - opendaylight_api_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: opendaylight_api_node_ips} - tripleo::profile::base::ceph::ceph_mon_initial_members: - list_join: - - ',' - - {get_param: ceph_mon_node_names} - tripleo::profile::base::ceph::ceph_mon_host: - list_join: - - ',' - - {get_param: ceph_mon_node_ips} - tripleo::profile::base::ceph::ceph_mon_host_v6: - str_replace: - template: "'[IPS_LIST]'" - params: - IPS_LIST: - list_join: - - '],[' - - {get_param: ceph_mon_node_ips} - # NOTE(gfidente): interpolation with %{} in the - # hieradata file can't be used as it returns string - ceilometer::rabbit_hosts: *rabbit_nodes_array - aodh::rabbit_hosts: *rabbit_nodes_array - cinder::rabbit_hosts: *rabbit_nodes_array - glance::notify::rabbitmq::rabbit_hosts: *rabbit_nodes_array - manila::rabbit_hosts: *rabbit_nodes_array - heat::rabbit_hosts: *rabbit_nodes_array - neutron::rabbit_hosts: *rabbit_nodes_array - nova::rabbit_hosts: *rabbit_nodes_array - keystone::rabbit_hosts: *rabbit_nodes_array - sahara::rabbit_hosts: *rabbit_nodes_array - ironic::rabbit_hosts: *rabbit_nodes_array + map_merge: + - enabled_services: {get_param: enabled_services} + # This writes out a mapping of service_name_enabled: 'true' + # For any services not enabled, hiera foo_enabled will + # return nil, as it's undefined + - map_merge: + repeat: + template: + # Note this must be string 'true' due to + # https://bugs.launchpad.net/heat/+bug/1617203 + SERVICE_enabled: 'true' + for_each: + SERVICE: + str_split: [',', {get_param: enabled_services}] + # provides a mapping of service_name_ips to a list of IPs + - {get_param: service_ips} + - controller_node_ips: + list_join: + - ',' + - {get_param: controller_ips} + controller_node_names: + list_join: + - ',' + - {get_param: controller_names} + galera_node_names: + list_join: + - ',' + - {get_param: controller_names} + rabbitmq_node_ips: &rabbit_nodes_array + str_replace: + template: "['SERVERS_LIST']" + params: + SERVERS_LIST: + list_join: + - "','" + - {get_param: rabbit_node_ips} + memcached_node_ips_v6: + str_replace: + template: "['inet6:[SERVERS_LIST]']" + params: + SERVERS_LIST: + list_join: + - "]','inet6:[" + - {get_param: memcache_node_ips} + keystone_public_api_node_ips: + str_replace: + template: "['SERVERS_LIST']" + params: + SERVERS_LIST: + list_join: + - "','" + - {get_param: keystone_public_api_node_ips} + keystone_admin_api_node_ips: + str_replace: + template: "['SERVERS_LIST']" + params: + SERVERS_LIST: + list_join: + - "','" + - {get_param: keystone_admin_api_node_ips} + tripleo::profile::base::ceph::ceph_mon_initial_members: + list_join: + - ',' + - {get_param: ceph_mon_node_names} + tripleo::profile::base::ceph::ceph_mon_host: + list_join: + - ',' + - {get_param: ceph_mon_node_ips} + tripleo::profile::base::ceph::ceph_mon_host_v6: + str_replace: + template: "'[IPS_LIST]'" + params: + IPS_LIST: + list_join: + - '],[' + - {get_param: ceph_mon_node_ips} + # NOTE(gfidente): interpolation with %{} in the + # hieradata file can't be used as it returns string + ceilometer::rabbit_hosts: *rabbit_nodes_array + aodh::rabbit_hosts: *rabbit_nodes_array + cinder::rabbit_hosts: *rabbit_nodes_array + glance::notify::rabbitmq::rabbit_hosts: *rabbit_nodes_array + manila::rabbit_hosts: *rabbit_nodes_array + heat::rabbit_hosts: *rabbit_nodes_array + neutron::rabbit_hosts: *rabbit_nodes_array + nova::rabbit_hosts: *rabbit_nodes_array + keystone::rabbit_hosts: *rabbit_nodes_array + sahara::rabbit_hosts: *rabbit_nodes_array + ironic::rabbit_hosts: *rabbit_nodes_array - deploy_identifier: {get_param: DeployIdentifier} - update_identifier: {get_param: UpdateIdentifier} - stack_action: {get_param: StackAction} + deploy_identifier: {get_param: DeployIdentifier} + update_identifier: {get_param: UpdateIdentifier} + stack_action: {get_param: StackAction} outputs: config_id: diff --git a/puppet/controller.yaml b/puppet/controller.yaml index 28fd08da..0225231e 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml @@ -83,10 +83,6 @@ parameters: type: string constraints: - custom_constraint: nova.flavor - HorizonSecret: - description: Secret key for Django - type: string - hidden: true controllerImage: type: string default: overcloud-full @@ -96,10 +92,6 @@ parameters: default: 'REBUILD_PRESERVE_EPHEMERAL' description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt. type: string - InstanceNameTemplate: - default: 'instance-%08x' - description: Template string to be used to generate instance names - type: string KeyName: default: default description: Name of an existing Nova key pair to enable SSH access to the instances @@ -110,39 +102,14 @@ parameters: default: false description: Whether to manage IPtables rules. type: boolean - MemcachedIPv6: - default: false - description: Enable IPv6 features in Memcached. - type: boolean PurgeFirewallRules: default: false description: Whether IPtables rules should be purged before setting up the new ones. type: boolean - NeutronMetadataProxySharedSecret: - description: Shared secret to prevent spoofing - type: string - hidden: true - NeutronPassword: - description: The password for the neutron service and db account, used by neutron agents. - type: string - hidden: true NeutronPublicInterface: default: nic1 description: What interface to bridge onto br-ex for network nodes. type: string - NovaEnableDBPurge: - default: true - description: | - Whether to create cron job for purging soft deleted rows in Nova database. - type: boolean - NovaIPv6: - default: false - description: Enable IPv6 features in Nova - type: boolean - NovaPassword: - description: The password for the nova service and db account, used by nova-api. - type: string - hidden: true PcsdPassword: type: string description: The password for the 'pcsd' user. @@ -162,10 +129,6 @@ parameters: default: {} description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})' type: json - UpgradeLevelNovaCompute: - type: string - description: Nova Compute upgrade level - default: '' ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -392,43 +355,15 @@ resources: server: {get_resource: Controller} input_values: bootstack_nodeid: {get_attr: [Controller, name]} - horizon_secret: {get_param: HorizonSecret} debug: {get_param: Debug} - keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - keystone_ec2_uri: { get_param: [EndpointMap, KeystoneEC2, uri] } enable_fencing: {get_param: EnableFencing} enable_load_balancer: {get_param: EnableLoadBalancer} manage_firewall: {get_param: ManageFirewall} purge_firewall_rules: {get_param: PurgeFirewallRules} - neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} - nova_enable_db_purge: {get_param: NovaEnableDBPurge} - nova_ipv6: {get_param: NovaIPv6} corosync_ipv6: {get_param: CorosyncIPv6} - memcached_ipv6: {get_param: MemcachedIPv6} - nova_password: {get_param: NovaPassword} - upgrade_level_nova_compute: {get_param: UpgradeLevelNovaCompute} - instance_name_template: {get_param: InstanceNameTemplate} fencing_config: {get_param: FencingConfig} pcsd_password: {get_param: PcsdPassword} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} - glance_api_servers: { get_param: [EndpointMap, GlanceInternal, uri]} - neutron_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]} - nova_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaApiNetwork]}]} - nova_metadata_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaMetadataNetwork]}]} - horizon_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HorizonNetwork]}]} - horizon_subnet: - str_replace: - template: "['SUBNET']" - params: - SUBNET: - get_attr: - - NetIpMap - - net_ip_map - - str_replace: - template: "NETWORK_subnet" - params: - NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} redis_vip: {get_param: RedisVirtualIP} ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]} @@ -489,37 +424,14 @@ resources: tripleo::fencing::config: {get_input: fencing_config} # Neutron - neutron::bind_host: {get_input: neutron_api_network} - neutron::agents::metadata::metadata_ip: {get_input: neutron_api_network} snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name} snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password} - - # Nova - nova::upgrade_level_compute: {get_input: upgrade_level_nova_compute} - nova::use_ipv6: {get_input: nova_ipv6} - nova::api::api_bind_address: {get_input: nova_api_network} - nova::api::metadata_listen: {get_input: nova_metadata_network} - nova::glance_api_servers: {get_input: glance_api_servers} - nova::api::neutron_metadata_proxy_shared_secret: {get_input: neutron_metadata_proxy_shared_secret} - nova::api::instance_name_template: {get_input: instance_name_template} - nova::vncproxy::host: {get_input: nova_api_network} - nova_enable_db_purge: {get_input: nova_enable_db_purge} - - # Horizon - apache::mod::remoteip::proxy_ips: {get_input: horizon_subnet} - apache::ip: {get_input: horizon_network} - horizon::django_debug: {get_input: debug} - horizon::secret_key: {get_input: horizon_secret} - horizon::bind_address: {get_input: horizon_network} - horizon::keystone_url: {get_input: keystone_auth_uri} - # Redis redis_vip: {get_input: redis_vip} # Firewall tripleo::firewall::manage_firewall: {get_input: manage_firewall} tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules} # Misc - memcached_ipv6: {get_input: memcached_ipv6} tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]} tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index 4308052b..cc1f4b09 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -27,6 +27,13 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Aodh API service. @@ -35,6 +42,7 @@ outputs: config_settings: map_merge: - get_attr: [AodhBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] - aodh::wsgi::apache::ssl: false aodh::api::service_name: 'httpd' tripleo.aodh_api.firewall_rules: diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml new file mode 100644 index 00000000..758d9510 --- /dev/null +++ b/puppet/services/apache.yaml @@ -0,0 +1,40 @@ +heat_template_version: 2016-10-14 + +description: > + Apache service configured with Puppet. Note this is typically included + automatically via other services which run via Apache. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the Apache role. + value: + service_name: apache + config_settings: + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} + apache_remote_proxy_ips_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::mod::remoteip::proxy_ips: + - "%{hiera('apache_remote_proxy_ips_network')}" diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 201a2b7b..2baac511 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -28,6 +28,13 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Ceilometer API role. @@ -35,6 +42,7 @@ outputs: service_name: ceilometer_api config_settings: map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [CeilometerServiceBase, role_data, config_settings] - tripleo.ceilometer_api.firewall_rules: '124 ceilometer': diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index d21e5b2b..dc6e7de7 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -23,7 +23,7 @@ parameters: type: string hidden: true GnocchiBackend: - default: file + default: swift description: The short name of the Gnocchi backend to use. Should be one of swift, rbd, or file type: string @@ -35,6 +35,7 @@ parameters: description: Keystone region for endpoint resources: + GnocchiServiceBase: type: ./gnocchi-base.yaml properties: @@ -42,6 +43,13 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Gnocchi role. @@ -49,6 +57,7 @@ outputs: service_name: gnocchi_api config_settings: map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [GnocchiServiceBase, role_data, config_settings] - tripleo.gnocchi_api.firewall_rules: '129 gnocchi-api': diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index 9b9cafb8..9f114ac4 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -40,6 +40,10 @@ parameters: description: The password for the redis service account. type: string hidden: true + Debug: + type: string + default: '' + description: Set to True to enable debugging on all services. outputs: aux_parameters: @@ -52,7 +56,7 @@ outputs: service_name: gnocchi_base config_settings: #Gnocchi engine - gnocchi::debug: {get_input: debug} + gnocchi::debug: {get_param: Debug} gnocchi::db::database_connection: list_join: - '' diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index c0e1c113..6885449e 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -55,27 +55,27 @@ outputs: '107 haproxy stats': dport: 1993 # TODO(emilien) make it composable to find which services are actually running - tripleo::haproxy::keystone_admin: true - tripleo::haproxy::keystone_public: true - tripleo::haproxy::neutron: true - tripleo::haproxy::cinder: true - tripleo::haproxy::glance_api: true - tripleo::haproxy::glance_registry: true - tripleo::haproxy::nova_osapi: true - tripleo::haproxy::nova_metadata: true - tripleo::haproxy::nova_novncproxy: true + tripleo::haproxy::keystone_admin: '"%{hiera(\"keystone_enabled\")}"' + tripleo::haproxy::keystone_public: '"%{hiera(\"keystone_enabled\")}"' + tripleo::haproxy::neutron: '"%{hiera(\"neutron_api_enabled\")}"' + tripleo::haproxy::cinder: '"%{hiera(\"cinder_api_enabled\")}"' + tripleo::haproxy::glance_api: '"%{hiera(\"glance_api_enabled\")}"' + tripleo::haproxy::glance_registry: '"%{hiera(\"glance_registry_enabled\")}"' + tripleo::haproxy::nova_osapi: '"%{hiera(\"nova_api_enabled\")}"' + tripleo::haproxy::nova_metadata: '"%{hiera(\"nova_api_enabled\")}"' + tripleo::haproxy::nova_novncproxy: '"%{hiera(\"nova_vncproxy_enabled\")}"' tripleo::haproxy::mysql: true - tripleo::haproxy::redis: true - tripleo::haproxy::sahara: true - tripleo::haproxy::swift_proxy_server: true - tripleo::haproxy::ceilometer: true - tripleo::haproxy::aodh: true - tripleo::haproxy::gnocchi: true - tripleo::haproxy::heat_api: true - tripleo::haproxy::heat_cloudwatch: true - tripleo::haproxy::heat_cfn: true - tripleo::haproxy::horizon: true - tripleo::haproxy::ironic: true + tripleo::haproxy::redis: '"%{hiera(\"redis_enabled\")}"' + tripleo::haproxy::sahara: '"%{hiera(\"sahara_api_enabled\")}"' + tripleo::haproxy::swift_proxy_server: '"%{hiera(\"swift_proxy_enabled\")}"' + tripleo::haproxy::ceilometer: '"%{hiera(\"ceilometer_api_enabled\")}"' + tripleo::haproxy::aodh: '"%{hiera(\"aodh_api_enabled\")}"' + tripleo::haproxy::gnocchi: '"%{hiera(\"gnocchi_api_enabled\")}"' + tripleo::haproxy::heat_api: '"%{hiera(\"heat_api_enabled\")}"' + tripleo::haproxy::heat_cloudwatch: '"%{hiera(\"heat_api_cloudwatch_enabled\")}"' + tripleo::haproxy::heat_cfn: '"%{hiera(\"heat_api_cfn_enabled\")}"' + tripleo::haproxy::horizon: '"%{hiera(\"horizon_enabled\")}"' + tripleo::haproxy::ironic: '"%{hiera(\"ironic_api_enabled\")}"' tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index c5d96819..1ea686b9 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Horizon service configured with Puppet @@ -10,6 +10,10 @@ parameters: via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string DefaultPasswords: default: {} type: json @@ -22,11 +26,20 @@ parameters: default: '*' description: A list of IP/Hostname allowed to connect to horizon type: comma_delimited_list + HorizonSecret: + description: Secret key for Django + type: string + hidden: true + default: '' NeutronMechanismDrivers: default: 'openvswitch' description: | The mechanism drivers for the Neutron tenant network. type: comma_delimited_list + MemcachedIPv6: + default: false + description: Enable IPv6 features in Memcached. + type: boolean outputs: role_data: @@ -51,5 +64,29 @@ outputs: add_listen: false priority: 10 access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + apache::ip: {get_param: [ServiceNetMap, HorizonNetwork]} + apache_remote_proxy_ips_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} + apache::mod::remoteip::proxy_ips: + - "%{hiera('apache_remote_proxy_ips_network')}" + horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} + horizon::django_debug: {get_param: Debug} + horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::secret_key: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: HorizonSecret} + - {get_param: [DefaultPasswords, horizon_secret]} + memcached_ipv6: {get_param: MemcachedIPv6} step_config: | include ::tripleo::profile::base::horizon diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index c763c391..45531abc 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -84,81 +84,94 @@ parameters: type: string description: Set the number of workers for keystone::wsgi::apache default: '"%{::processorcount}"' + +resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Keystone role. value: service_name: keystone config_settings: - keystone::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://keystone:' - - {get_param: AdminToken} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/keystone' - keystone::admin_token: {get_param: AdminToken} - keystone::roles::admin::password: {get_param: AdminPassword} - keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} - keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} - keystone::enable_proxy_headers_parsing: true - keystone::debug: {get_param: Debug} - keystone::db::mysql::password: {get_param: AdminToken} - keystone::rabbit_userid: {get_param: RabbitUserName} - keystone::rabbit_password: {get_param: RabbitPassword} - keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - keystone::rabbit_port: {get_param: RabbitClientPort} - keystone::notification_driver: {get_param: KeystoneNotificationDriver} - keystone::notification_format: {get_param: KeystoneNotificationFormat} - keystone::roles::admin::email: {get_param: AdminEmail} - keystone::roles::admin::password: {get_param: AdminPassword} - keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} - keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - keystone::endpoint::region: {get_param: KeystoneRegion} - keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} - keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} - keystone::db::mysql::user: keystone - keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - keystone::db::mysql::dbname: keystone - keystone::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - keystone::rabbit_heartbeat_timeout_threshold: 60 - keystone::cron::token_flush::maxdelay: 3600 - keystone::roles::admin::service_tenant: 'service' - keystone::roles::admin::admin_tenant: 'admin' - keystone::cron::token_flush::destination: '/dev/null' - keystone::config::keystone_config: - ec2/driver: - value: 'keystone.contrib.ec2.backends.sql.Ec2' - keystone::service_name: 'httpd' - keystone::wsgi::apache::ssl: false - - keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} - # override via extraconfig: - keystone::wsgi::apache::threads: 1 - keystone::db::database_db_max_retries: -1 - keystone::db::database_max_retries: -1 - tripleo.keystone.firewall_rules: - '111 keystone': - dport: - - 5000 - - 13000 - - 35357 - - 13357 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - # NOTE: this applies to all 4 bind IP settings below... - keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} - keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} - keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} - keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + config_settings: + map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - keystone::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://keystone:' + - {get_param: AdminToken} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/keystone' + keystone::admin_token: {get_param: AdminToken} + keystone::roles::admin::password: {get_param: AdminPassword} + keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} + keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} + keystone::enable_proxy_headers_parsing: true + keystone::debug: {get_param: Debug} + keystone::db::mysql::password: {get_param: AdminToken} + keystone::rabbit_userid: {get_param: RabbitUserName} + keystone::rabbit_password: {get_param: RabbitPassword} + keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + keystone::rabbit_port: {get_param: RabbitClientPort} + keystone::notification_driver: {get_param: KeystoneNotificationDriver} + keystone::notification_format: {get_param: KeystoneNotificationFormat} + keystone::roles::admin::email: {get_param: AdminEmail} + keystone::roles::admin::password: {get_param: AdminPassword} + keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} + keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + keystone::endpoint::region: {get_param: KeystoneRegion} + keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} + keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} + keystone::db::mysql::user: keystone + keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + keystone::db::mysql::dbname: keystone + keystone::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + keystone::rabbit_heartbeat_timeout_threshold: 60 + keystone::cron::token_flush::maxdelay: 3600 + keystone::roles::admin::service_tenant: 'service' + keystone::roles::admin::admin_tenant: 'admin' + keystone::cron::token_flush::destination: '/dev/null' + keystone::config::keystone_config: + ec2/driver: + value: 'keystone.contrib.ec2.backends.sql.Ec2' + keystone::service_name: 'httpd' + keystone::wsgi::apache::ssl: false + + keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} + # override via extraconfig: + keystone::wsgi::apache::threads: 1 + keystone::db::database_db_max_retries: -1 + keystone::db::database_max_retries: -1 + tripleo.keystone.firewall_rules: + '111 keystone': + dport: + - 5000 + - 13000 + - 35357 + - 13357 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + # NOTE: this applies to all 4 bind IP settings below... + keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} step_config: | include ::tripleo::profile::base::keystone diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 35ac32db..cd8a20a1 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -111,5 +111,11 @@ outputs: '106 vrrp': proto: vrrp neutron::server::router_distributed: {get_param: NeutronEnableDVR} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} step_config: | include tripleo::profile::base::neutron::server diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index b9ec277a..6bb931b1 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -53,5 +53,11 @@ outputs: neutron::agents::metadata::auth_password: {get_param: NeutronPassword} neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + neutron::agents::metadata::metadata_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} step_config: | include tripleo::profile::base::neutron::metadata diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index c2bd395e..b5c3815e 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -30,6 +30,19 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + NeutronMetadataProxySharedSecret: + description: Shared secret to prevent spoofing + type: string + hidden: true + InstanceNameTemplate: + default: 'instance-%08x' + description: Template string to be used to generate instance names + type: string + NovaEnableDBPurge: + default: true + description: | + Whether to create cron job for purging soft deleted rows in Nova database. + type: boolean resources: NovaBase: @@ -75,5 +88,16 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + nova::api::instance_name_template: {get_param: InstanceNameTemplate} + nova_enable_db_purge: {get_param: NovaEnableDBPurge} + step_config: | include tripleo::profile::base::nova::api diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 471ece34..24a63bb4 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -95,14 +95,14 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_api' - nova::db::mysql::password: {get_input: nova_password} + nova::db::mysql::password: {get_param: NovaPassword} nova::db::mysql::user: nova nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} nova::db::mysql::dbname: nova nova::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" - nova::db::mysql_api::password: {get_input: nova_password} + nova::db::mysql_api::password: {get_param: NovaPassword} nova::db::mysql_api::user: nova_api nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} nova::db::mysql_api::dbname: nova_api diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index 13ec03ea..e8849a06 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -40,6 +40,19 @@ parameters: default: '' description: Libvirt VIF driver configuration for the network type: string + NovaPCIPassthrough: + description: > + List of PCI Passthrough whitelist parameters. + Example - + NovaPCIPassthrough: + - vendor_id: "8086" + product_id: "154c" + address: "0000:05:00.0" + physical_network: "datacentre" + For different formats, refer to the nova.conf documentation for + pci_passthrough_whitelist configuration + type: json + default: '' NovaVcpuPinSet: description: > A list or range of physical CPU cores to reserve for virtual machine @@ -47,6 +60,14 @@ parameters: Ex. NovaVcpuPinSet: ['4-12','^8'] will reserve cores from 4-12 excluding 8 type: comma_delimited_list default: [] + NovaReservedHostMemory: + description: > + Reserved RAM for host processes. + type: number + default: 2048 + constraints: + - range: { min: 512 } + resources: NovaBase: type: ./nova-base.yaml @@ -64,7 +85,13 @@ outputs: map_merge: - get_attr: [NovaBase, role_data, config_settings] - nova::compute::libvirt::manage_libvirt_services: false + nova::compute::pci_passthrough: + str_replace: + template: "'JSON_PARAM'" + params: + JSON_PARAM: {get_param: NovaPCIPassthrough} nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet} + nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory} # we manage migration in nova common puppet profile nova::compute::libvirt::migration_support: false tripleo::profile::base::nova::manage_migration: true @@ -89,11 +116,6 @@ outputs: # encryption work will obsolete the need to use TUNNELLED transport # mode. nova::migration::live_migration_tunnelled: {get_param: NovaEnableRbdBackend} - # Changing the default from 512MB. The current templates can not deploy - # overclouds with swap. On an idle compute node, we see ~1024MB of RAM - # used. 2048 is suggested to account for other possible operations for - # example openvswitch. - nova::compute::reserved_host_memory: 2048 nova::compute::neutron::libvirt_vif_driver: {get_param: NovaComputeLibvirtVifDriver} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples diff --git a/puppet/services/nova-vncproxy.yaml b/puppet/services/nova-vncproxy.yaml index 0a1785d8..7444d7d8 100644 --- a/puppet/services/nova-vncproxy.yaml +++ b/puppet/services/nova-vncproxy.yaml @@ -46,5 +46,11 @@ outputs: '[': '' ']': '' nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]} step_config: | include tripleo::profile::base::nova::vncproxy diff --git a/puppet/services/opendaylight.yaml b/puppet/services/opendaylight-api.yaml index c8da7014..64dd7663 100644 --- a/puppet/services/opendaylight.yaml +++ b/puppet/services/opendaylight-api.yaml @@ -63,7 +63,7 @@ outputs: role_data: description: Role data for the OpenDaylight service. value: - service_name: opendaylight + service_name: opendaylight_api config_settings: opendaylight::odl_rest_port: {get_param: OpenDaylightPort} odl_on_controller: {get_param: EnableOpenDaylightOnController} |