aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--capabilities-map.yaml8
-rw-r--r--ci/environments/multinode-3nodes.yaml2
-rw-r--r--ci/environments/multinode-container-upgrade.yaml1
-rw-r--r--ci/environments/multinode.yaml1
-rw-r--r--ci/environments/multinode_major_upgrade.yaml1
-rw-r--r--ci/environments/scenario002-multinode.yaml1
-rw-r--r--ci/environments/scenario003-multinode.yaml1
-rw-r--r--ci/environments/scenario004-multinode.yaml1
-rw-r--r--environments/external-loadbalancer-vip-v6.yaml5
-rw-r--r--environments/external-loadbalancer-vip.yaml5
-rw-r--r--environments/fixed-ip-vips-v6.yaml21
-rw-r--r--environments/fixed-ip-vips.yaml21
-rw-r--r--environments/sshd-banner.yaml6
-rw-r--r--environments/undercloud.yaml1
-rwxr-xr-xextraconfig/tasks/run_puppet.sh5
-rw-r--r--hosts-config.yaml2
-rw-r--r--network/networks.j2.yaml17
-rw-r--r--network/networks.yaml26
-rw-r--r--network_data.yaml30
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml46
-rw-r--r--overcloud.j2.yaml4
-rw-r--r--puppet/blockstorage-role.yaml2
-rw-r--r--puppet/cephstorage-role.yaml2
-rw-r--r--puppet/compute-role.yaml2
-rw-r--r--puppet/controller-role.yaml2
-rw-r--r--puppet/major_upgrade_steps.j2.yaml3
-rw-r--r--puppet/objectstorage-role.yaml2
-rw-r--r--puppet/role.role.j2.yaml2
-rw-r--r--puppet/services/glance-api.yaml14
-rw-r--r--puppet/services/neutron-api.yaml23
-rw-r--r--puppet/services/neutron-base.yaml5
-rw-r--r--puppet/services/nova-api.yaml2
-rw-r--r--puppet/services/nova-libvirt.yaml82
-rw-r--r--puppet/services/sshd.yaml29
-rw-r--r--releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml6
-rw-r--r--releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml9
-rw-r--r--releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml4
-rw-r--r--releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml8
-rw-r--r--releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml5
-rwxr-xr-xtools/process-templates.py16
40 files changed, 334 insertions, 89 deletions
diff --git a/capabilities-map.yaml b/capabilities-map.yaml
index 0af0e822..e510d679 100644
--- a/capabilities-map.yaml
+++ b/capabilities-map.yaml
@@ -2,12 +2,6 @@
# repository for deployment using puppet. It groups configuration by topic,
# describes possible combinations of environments and resource capabilities.
-# root_template: identifies repository's root template
-# root_environment: identifies root_environment, this one is special in terms of
-# order in which the environments are merged before deploying. This one serves as
-# a base and it's parameters/resource_registry gets overridden by other environments
-# if used.
-
# topics:
# High Level grouping by purpose of environments
# Attributes:
@@ -38,8 +32,6 @@
# only when that given environment is used. (resource_type of that environment can
# be implemented using multiple templates).
-root_template: overcloud.yaml
-root_environment: overcloud-resource-registry-puppet.yaml
topics:
- title: Base Resources Configuration
description:
diff --git a/ci/environments/multinode-3nodes.yaml b/ci/environments/multinode-3nodes.yaml
index 56013adf..ef51a779 100644
--- a/ci/environments/multinode-3nodes.yaml
+++ b/ci/environments/multinode-3nodes.yaml
@@ -56,6 +56,7 @@
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::MySQLClient
+ - OS::TripleO::Services::Sshd
- name: Controller
CountDefault: 1
@@ -77,3 +78,4 @@
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
+ - OS::TripleO::Services::Sshd
diff --git a/ci/environments/multinode-container-upgrade.yaml b/ci/environments/multinode-container-upgrade.yaml
index 44a0ce73..df60a6e3 100644
--- a/ci/environments/multinode-container-upgrade.yaml
+++ b/ci/environments/multinode-container-upgrade.yaml
@@ -48,6 +48,7 @@ parameter_defaults:
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
+ - OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu
diff --git a/ci/environments/multinode.yaml b/ci/environments/multinode.yaml
index d0d6ba99..650bbf01 100644
--- a/ci/environments/multinode.yaml
+++ b/ci/environments/multinode.yaml
@@ -52,6 +52,7 @@ parameter_defaults:
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
+ - OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu
diff --git a/ci/environments/multinode_major_upgrade.yaml b/ci/environments/multinode_major_upgrade.yaml
index c97080fb..8a520b57 100644
--- a/ci/environments/multinode_major_upgrade.yaml
+++ b/ci/environments/multinode_major_upgrade.yaml
@@ -56,6 +56,7 @@ parameter_defaults:
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::Pacemaker
- OS::TripleO::Services::Horizon
+ - OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu
diff --git a/ci/environments/scenario002-multinode.yaml b/ci/environments/scenario002-multinode.yaml
index 38d24ee1..8236ee8f 100644
--- a/ci/environments/scenario002-multinode.yaml
+++ b/ci/environments/scenario002-multinode.yaml
@@ -61,6 +61,7 @@ parameter_defaults:
- OS::TripleO::Services::Ec2Api
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
+ - OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu
diff --git a/ci/environments/scenario003-multinode.yaml b/ci/environments/scenario003-multinode.yaml
index 5472b494..fbc3165e 100644
--- a/ci/environments/scenario003-multinode.yaml
+++ b/ci/environments/scenario003-multinode.yaml
@@ -55,6 +55,7 @@ parameter_defaults:
- OS::TripleO::Services::MistralExecutor
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
+ - OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu
diff --git a/ci/environments/scenario004-multinode.yaml b/ci/environments/scenario004-multinode.yaml
index 25fad4bb..b81b54f0 100644
--- a/ci/environments/scenario004-multinode.yaml
+++ b/ci/environments/scenario004-multinode.yaml
@@ -69,6 +69,7 @@ parameter_defaults:
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
+ - OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu
diff --git a/environments/external-loadbalancer-vip-v6.yaml b/environments/external-loadbalancer-vip-v6.yaml
index bd455175..c8375fc7 100644
--- a/environments/external-loadbalancer-vip-v6.yaml
+++ b/environments/external-loadbalancer-vip-v6.yaml
@@ -1,4 +1,9 @@
resource_registry:
+ OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external_v6.yaml
+ OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api_v6.yaml
+ OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage_v6.yaml
+ OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt_v6.yaml
+ OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip_v6.yaml
OS::TripleO::Controller::Ports::ExternalPort: ../network/ports/external_from_pool_v6.yaml
OS::TripleO::Controller::Ports::InternalApiPort: ../network/ports/internal_api_from_pool_v6.yaml
OS::TripleO::Controller::Ports::StoragePort: ../network/ports/storage_from_pool_v6.yaml
diff --git a/environments/external-loadbalancer-vip.yaml b/environments/external-loadbalancer-vip.yaml
index dec9b835..33f145d9 100644
--- a/environments/external-loadbalancer-vip.yaml
+++ b/environments/external-loadbalancer-vip.yaml
@@ -1,4 +1,9 @@
resource_registry:
+ OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external.yaml
+ OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api.yaml
+ OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage.yaml
+ OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt.yaml
+ OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml
OS::TripleO::Controller::Ports::ExternalPort: ../network/ports/external_from_pool.yaml
OS::TripleO::Controller::Ports::InternalApiPort: ../network/ports/internal_api_from_pool.yaml
OS::TripleO::Controller::Ports::StoragePort: ../network/ports/storage_from_pool.yaml
diff --git a/environments/fixed-ip-vips-v6.yaml b/environments/fixed-ip-vips-v6.yaml
new file mode 100644
index 00000000..c288d7b0
--- /dev/null
+++ b/environments/fixed-ip-vips-v6.yaml
@@ -0,0 +1,21 @@
+# This template allows the IPs to be preselected for each VIP. Note that
+# this template should be included after other templates which affect the
+# network such as network-isolation.yaml.
+
+resource_registry:
+ OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external_v6.yaml
+ OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api_v6.yaml
+ OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage_v6.yaml
+ OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt_v6.yaml
+ OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml
+
+parameter_defaults:
+ # Set the IP addresses of the VIPs here.
+ # NOTE: we will eventually move to one VIP per service
+ #
+ ControlFixedIPs: [{'ip_address':'192.168.24.240'}]
+ PublicVirtualFixedIps: [{'ip_address':'2001:db8:fd00:1000:0000:0000:0000:0005'}]
+ InternalApiVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:2000:0000:0000:0000:0005'}]
+ StorageVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:3000:0000:0000:0000:000'}]
+ StorageMgmtVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:4000:0000:0000:0000:0005'}]
+ RedisVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:2000:0000:0000:0000:0006'}]
diff --git a/environments/fixed-ip-vips.yaml b/environments/fixed-ip-vips.yaml
new file mode 100644
index 00000000..3860f41d
--- /dev/null
+++ b/environments/fixed-ip-vips.yaml
@@ -0,0 +1,21 @@
+# This template allows the IPs to be preselected for each VIP. Note that
+# this template should be included after other templates which affect the
+# network such as network-isolation.yaml.
+
+resource_registry:
+ OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external.yaml
+ OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api.yaml
+ OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage.yaml
+ OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt.yaml
+ OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml
+
+parameter_defaults:
+ # Set the IP addresses of the VIPs here.
+ # NOTE: we will eventually move to one VIP per service
+ #
+ ControlFixedIPs: [{'ip_address':'192.168.24.240'}]
+ PublicVirtualFixedIps: [{'ip_address':'10.0.0.240'}]
+ InternalApiVirtualFixedIPs: [{'ip_address':'172.16.2.240'}]
+ StorageVirtualFixedIPs: [{'ip_address':'172.16.1.240'}]
+ StorageMgmtVirtualFixedIPs: [{'ip_address':'172.16.3.240'}]
+ RedisVirtualFixedIPs: [{'ip_address':'172.16.2.241'}]
diff --git a/environments/sshd-banner.yaml b/environments/sshd-banner.yaml
index 041c0990..894bf1c9 100644
--- a/environments/sshd-banner.yaml
+++ b/environments/sshd-banner.yaml
@@ -1,6 +1,3 @@
-resource_registry:
- OS::TripleO::Services::Sshd: ../puppet/services/sshd.yaml
-
parameter_defaults:
BannerText: |
******************************************************************
@@ -11,3 +8,6 @@ parameter_defaults:
* evidence of criminal activity, system personnel may provide *
* the evidence from such monitoring to law enforcement officials.*
******************************************************************
+ MessageOfTheDay: |
+ ALERT! You are entering into a secured area!
+ This service is restricted to authorized users only.
diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index 2540fbe5..7a2716da 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -11,6 +11,7 @@ parameter_defaults:
NeutronBridgeMappings: ctlplane:br-ctlplane
NeutronAgentExtensions: []
NeutronFlatNetworks: '*'
+ NeutronDnsDomain: ''
NovaSchedulerAvailableFilters: 'tripleo_common.filters.list.tripleo_filters'
NovaSchedulerDefaultFilters: ['RetryFilter', 'TripleOCapabilitiesFilter', 'ComputeCapabilitiesFilter', 'AvailabilityZoneFilter', 'RamFilter', 'DiskFilter', 'ComputeFilter', 'ImagePropertiesFilter', 'ServerGroupAntiAffinityFilter', 'ServerGroupAffinityFilter']
NeutronDhcpAgentsPerNetwork: 2
diff --git a/extraconfig/tasks/run_puppet.sh b/extraconfig/tasks/run_puppet.sh
index b7771e33..e3f6c493 100755
--- a/extraconfig/tasks/run_puppet.sh
+++ b/extraconfig/tasks/run_puppet.sh
@@ -10,7 +10,10 @@ function run_puppet {
export FACTER_deploy_config_name="${role}Deployment_Step${step}"
if [ -e "/etc/puppet/hieradata/heat_config_${FACTER_deploy_config_name}.json" ]; then
set +e
- puppet apply --detailed-exitcodes "${manifest}"
+ puppet apply --detailed-exitcodes \
+ --modulepath \
+ /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules \
+ "${manifest}"
rc=$?
echo "puppet apply exited with exit code $rc"
else
diff --git a/hosts-config.yaml b/hosts-config.yaml
index 5a211716..c02c4208 100644
--- a/hosts-config.yaml
+++ b/hosts-config.yaml
@@ -31,7 +31,7 @@ outputs:
The content that should be appended to your /etc/hosts if you want to get
hostname-based access to the deployed nodes (useful for testing without
setting up a DNS).
- value: {get_attr: [hostsConfigImpl, config, hosts]}
+ value: {get_param: hosts}
OS::stack_id:
description: The ID of the hostsConfigImpl resource.
value: {get_resource: hostsConfigImpl}
diff --git a/network/networks.j2.yaml b/network/networks.j2.yaml
new file mode 100644
index 00000000..ef977d8d
--- /dev/null
+++ b/network/networks.j2.yaml
@@ -0,0 +1,17 @@
+heat_template_version: ocata
+
+description: Create networks to split out Overcloud traffic
+
+resources:
+
+ {%- for network in networks %}
+ {%- if network.name != 'InternalApi' %}
+ {{network.name}}Network:
+ {%- else %}
+ InternalNetwork:
+ {%- endif %}
+ type: OS::TripleO::Network::{{network.name}}
+ {%- endfor %}
+
+ NetworkExtraConfig:
+ type: OS::TripleO::Network::ExtraConfig
diff --git a/network/networks.yaml b/network/networks.yaml
deleted file mode 100644
index 26033ee2..00000000
--- a/network/networks.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-heat_template_version: ocata
-
-description: Create networks to split out Overcloud traffic
-
-resources:
-
- ExternalNetwork:
- type: OS::TripleO::Network::External
-
- InternalNetwork:
- type: OS::TripleO::Network::InternalApi
-
- StorageMgmtNetwork:
- type: OS::TripleO::Network::StorageMgmt
-
- StorageNetwork:
- type: OS::TripleO::Network::Storage
-
- TenantNetwork:
- type: OS::TripleO::Network::Tenant
-
- ManagementNetwork:
- type: OS::TripleO::Network::Management
-
- NetworkExtraConfig:
- type: OS::TripleO::Network::ExtraConfig
diff --git a/network_data.yaml b/network_data.yaml
new file mode 100644
index 00000000..6d62605b
--- /dev/null
+++ b/network_data.yaml
@@ -0,0 +1,30 @@
+# List of networks, used for j2 templating of enabled networks
+#
+# Supported values:
+#
+# name: Name of the network (mandatory)
+# name_lower: lowercase version of name used for filenames
+# (optional, defaults to name.lower())
+# vlan: vlan for the network (optional)
+# gateway: gateway for the network (optional)
+# enabled: Is the network enabled (optional, defaults to true)
+# vip: Enable creation of a virtual IP on this network
+# [TODO] (dsneddon@redhat.com) - Enable dynamic creation of VIP ports, to support
+# VIPs on non-default networks. See https://bugs.launchpad.net/tripleo/+bug/1667104
+#
+- name: External
+ vip: true
+- name: InternalApi
+ name_lower: internal_api
+ vip: true
+- name: Storage
+ vip: true
+- name: StorageMgmt
+ name_lower: storage_mgmt
+ vip: true
+- name: Tenant
+ vip: false # Tenant network does not use VIPs
+- name: Management
+ # Management network is disabled by default
+ enabled: false
+ vip: false # Management network does not use VIPs
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index ee75de6d..dd0cec76 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -22,22 +22,16 @@ resource_registry:
OS::TripleO::Tasks::{{role.name}}PostConfig: OS::Heat::None
OS::TripleO::{{role.name}}ExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
# Port assignments for the {{role.name}} role
+ {%- if role.name != 'ObjectStorage' %}
+ {%- for network in networks %}
+ OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: network/ports/noop.yaml
+ {%- endfor %}
+ {%- else %}
# Note we have to special-case ObjectStorage for backwards compatibility
- {% if role.name != 'ObjectStorage' %}
- OS::TripleO::{{role.name}}::Ports::ExternalPort: network/ports/noop.yaml
- OS::TripleO::{{role.name}}::Ports::InternalApiPort: network/ports/noop.yaml
- OS::TripleO::{{role.name}}::Ports::StoragePort: network/ports/noop.yaml
- OS::TripleO::{{role.name}}::Ports::StorageMgmtPort: network/ports/noop.yaml
- OS::TripleO::{{role.name}}::Ports::TenantPort: network/ports/noop.yaml
- OS::TripleO::{{role.name}}::Ports::ManagementPort: network/ports/noop.yaml
- {% else %}
- OS::TripleO::SwiftStorage::Ports::ExternalPort: network/ports/noop.yaml
- OS::TripleO::SwiftStorage::Ports::InternalApiPort: network/ports/noop.yaml
- OS::TripleO::SwiftStorage::Ports::StoragePort: network/ports/noop.yaml
- OS::TripleO::SwiftStorage::Ports::StorageMgmtPort: network/ports/noop.yaml
- OS::TripleO::SwiftStorage::Ports::TenantPort: network/ports/noop.yaml
- OS::TripleO::SwiftStorage::Ports::ManagementPort: network/ports/noop.yaml
- {% endif %}
+ {%- for network in networks %}
+ OS::TripleO::SwiftStorage::Ports::{{network.name}}Port: network/ports/noop.yaml
+ {%- endfor %}
+ {%- endif %}
OS::TripleO::{{role.name}}::Net::SoftwareConfig: net-config-noop.yaml
{% endfor %}
@@ -48,6 +42,9 @@ resource_registry:
OS::TripleO::ServiceServerMetadataHook: OS::Heat::None
OS::TripleO::Server: OS::Nova::Server
+{% for role in roles %}
+ OS::TripleO::{{role.name}}Server: OS::TripleO::Server
+{% endfor %}
# This creates the "heat-admin" user for all OS images by default
# To disable, replace with firstboot/userdata_default.yaml
@@ -83,12 +80,9 @@ resource_registry:
# TripleO overcloud networks
OS::TripleO::Network: network/networks.yaml
- OS::TripleO::Network::External: OS::Heat::None
- OS::TripleO::Network::InternalApi: OS::Heat::None
- OS::TripleO::Network::StorageMgmt: OS::Heat::None
- OS::TripleO::Network::Storage: OS::Heat::None
- OS::TripleO::Network::Tenant: OS::Heat::None
- OS::TripleO::Network::Management: OS::Heat::None
+ {%- for network in networks %}
+ OS::TripleO::Network::{{network.name}}: OS::Heat::None
+ {%- endfor %}
OS::TripleO::Network::ExtraConfig: OS::Heat::None
@@ -97,10 +91,10 @@ resource_registry:
OS::TripleO::Network::Ports::NetIpListMap: network/ports/net_ip_list_map.yaml
# Port assignments for the VIPs
- OS::TripleO::Network::Ports::ExternalVipPort: network/ports/noop.yaml
- OS::TripleO::Network::Ports::InternalApiVipPort: network/ports/noop.yaml
- OS::TripleO::Network::Ports::StorageVipPort: network/ports/noop.yaml
- OS::TripleO::Network::Ports::StorageMgmtVipPort: network/ports/noop.yaml
+ {%- for network in networks if network.vip|default(false) %}
+ OS::TripleO::Network::Ports::{{network.name}}VipPort: network/ports/noop.yaml
+ {%- endfor %}
+
OS::TripleO::Network::Ports::RedisVipPort: network/ports/ctlplane_vip.yaml
OS::TripleO::Network::Ports::ControlPlaneVipPort: OS::Neutron::Port
@@ -176,8 +170,8 @@ resource_registry:
OS::TripleO::Services::Memcached: puppet/services/memcached.yaml
OS::TripleO::Services::SaharaApi: OS::Heat::None
OS::TripleO::Services::SaharaEngine: OS::Heat::None
- OS::TripleO::Services::Sshd: OS::Heat::None
OS::TripleO::Services::Securetty: OS::Heat::None
+ OS::TripleO::Services::Sshd: puppet/services/sshd.yaml
OS::TripleO::Services::Redis: puppet/services/database/redis.yaml
OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml
OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index a2d501d3..54092fa2 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -51,7 +51,9 @@ parameters:
type: string
ControlFixedIPs:
default: []
- description: Should be used for arbitrary ips.
+ description: >
+ Control the IP allocation for the ControlVirtualIP port. E.g.
+ [{'ip_address':'1.2.3.4'}]
type: json
InternalApiVirtualFixedIPs:
default: []
diff --git a/puppet/blockstorage-role.yaml b/puppet/blockstorage-role.yaml
index 16fb4b90..b9e5c6fe 100644
--- a/puppet/blockstorage-role.yaml
+++ b/puppet/blockstorage-role.yaml
@@ -126,7 +126,7 @@ parameters:
resources:
BlockStorage:
- type: OS::TripleO::Server
+ type: OS::TripleO::BlockStorageServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
diff --git a/puppet/cephstorage-role.yaml b/puppet/cephstorage-role.yaml
index 4b022452..075f42ba 100644
--- a/puppet/cephstorage-role.yaml
+++ b/puppet/cephstorage-role.yaml
@@ -132,7 +132,7 @@ parameters:
resources:
CephStorage:
- type: OS::TripleO::Server
+ type: OS::TripleO::CephStorageServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml
index 37331f37..351b3823 100644
--- a/puppet/compute-role.yaml
+++ b/puppet/compute-role.yaml
@@ -145,7 +145,7 @@ parameters:
resources:
NovaCompute:
- type: OS::TripleO::Server
+ type: OS::TripleO::ComputeServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
index 68623e2d..92eb70ad 100644
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@@ -165,7 +165,7 @@ parameter_groups:
resources:
Controller:
- type: OS::TripleO::Server
+ type: OS::TripleO::ControllerServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index c0a0778c..28092773 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
@@ -51,10 +51,11 @@ resources:
- " crudini --set /etc/nova/nova.conf placement project_domain_name Default\n\n"
- " crudini --set /etc/nova/nova.conf placement user_domain_name Default\n\n"
- " crudini --set /etc/nova/nova.conf placement project_name service\n\n"
+ - " crudini --set /etc/nova/nova.conf placement os_interface internal\n\n"
- str_replace:
template: |
crudini --set /etc/nova/nova.conf placement password 'SERVICE_PASSWORD'
- crudini --set /etc/nova/nova.conf placement region_name 'REGION_NAME'
+ crudini --set /etc/nova/nova.conf placement os_region_name 'REGION_NAME'
crudini --set /etc/nova/nova.conf placement auth_url 'AUTH_URL'
params:
SERVICE_PASSWORD: { get_param: NovaPassword }
diff --git a/puppet/objectstorage-role.yaml b/puppet/objectstorage-role.yaml
index a329d13f..84b646a2 100644
--- a/puppet/objectstorage-role.yaml
+++ b/puppet/objectstorage-role.yaml
@@ -127,7 +127,7 @@ parameters:
resources:
SwiftStorage:
- type: OS::Nova::Server
+ type: OS::Nova::ObjectStorageServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml
index 9cfc65a1..960f0d58 100644
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@@ -148,7 +148,7 @@ parameters:
resources:
{{role}}:
- type: OS::TripleO::Server
+ type: OS::TripleO::{{role.name}}Server
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index f61e6154..de41c0e8 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -119,6 +119,7 @@ parameters:
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+ glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']}
resources:
@@ -153,14 +154,13 @@ outputs:
- '/glance'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
- glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::enable_v1_api: false
glance::api::enable_v2_api: true
glance::api::authtoken::password: {get_param: GlancePassword}
glance::api::enable_proxy_headers_parsing: true
glance::api::debug: {get_param: Debug}
- glance::api::workers: {get_param: GlanceWorkers}
glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo.glance_api.firewall_rules:
'112 glance_api':
@@ -168,6 +168,8 @@ outputs:
- 9292
- 13292
glance::api::authtoken::project_name: 'service'
+ glance::keystone::authtoken::user_domain_name: 'Default'
+ glance::keystone::authtoken::project_domain_name: 'Default'
glance::api::pipeline: 'keystone'
glance::api::show_image_direct_url: true
# NOTE: bind IP is found in Heat replacing the network name with the
@@ -195,10 +197,11 @@ outputs:
- {get_param: [ServiceNetMap, GlanceApiNetwork]}
glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
glance_log_file: {get_param: GlanceLogFile}
- glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] }
glance::backend::swift::swift_store_user: service:glance
glance::backend::swift::swift_store_key: {get_param: GlancePassword}
glance::backend::swift::swift_store_create_container_on_put: true
+ glance::backend::swift::swift_store_auth_version: 3
glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
glance_backend: {get_param: GlanceBackend}
@@ -210,6 +213,11 @@ outputs:
tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled}
tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare}
tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions}
+ -
+ if:
+ - glance_workers_unset
+ - {}
+ - glance::api::workers: {get_param: GlanceWorkers}
service_config_settings:
keystone:
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index 9b9d1c72..a0305b81 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -21,13 +21,13 @@ parameters:
NeutronWorkers:
default: ''
description: |
- Sets the number of API and RPC workers for the Neutron service. The
- default value results in the configuration being left unset and a
- system-dependent default will be chosen (usually the number of
- processors). Please note that this can result in a large number of
- processes and memory consumption on systems with a large core count. On
- such systems it is recommended that a non-default value be selected that
- matches the load requirements.
+ Sets the number of API and RPC workers for the Neutron service.
+ The default value results in the configuration being left unset
+ and a system-dependent default will be chosen (usually the number
+ of processors). Please note that this can result in a large number
+ of processes and memory consumption on systems with a large core
+ count. On such systems it is recommended that a non-default value
+ be selected that matches the load requirements.
type: string
NeutronPassword:
description: The password for the neutron service and db account, used by neutron agents.
@@ -92,6 +92,7 @@ parameter_groups:
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+ neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
resources:
@@ -136,8 +137,6 @@ outputs:
neutron::policy::policies: {get_param: NeutronApiPolicies}
neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
- neutron::server::api_workers: {get_param: NeutronWorkers}
- neutron::server::rpc_workers: {get_param: NeutronWorkers}
neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
neutron::server::enable_proxy_headers_parsing: true
neutron::keystone::authtoken::password: {get_param: NeutronPassword}
@@ -178,6 +177,12 @@ outputs:
- 'localhost'
- {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA}
+ -
+ if:
+ - neutron_workers_unset
+ - {}
+ - neutron::server::api_workers: {get_param: NeutronWorkers}
+ neutron::server::rpc_workers: {get_param: NeutronWorkers}
step_config: |
include tripleo::profile::base::neutron::server
service_config_settings:
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index 9f605062..b41cb3cc 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@@ -30,6 +30,10 @@ parameters:
type: number
default: 0
description: The number of neutron dhcp agents to schedule per network
+ NeutronDnsDomain:
+ type: string
+ default: openstacklocal
+ description: Domain to use for building the hostnames.
NeutronCorePlugin:
default: 'ml2'
description: |
@@ -95,6 +99,7 @@ outputs:
neutron::debug: {get_param: Debug}
neutron::purge_config: {get_param: EnableConfigPurge}
neutron::allow_overlapping_ips: true
+ neutron::dns_domain: {get_param: NeutronDnsDomain}
neutron::rabbit_heartbeat_timeout_threshold: 60
neutron::host: '%{::fqdn}'
neutron::db::database_db_max_retries: -1
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index 18d9b924..21910cc4 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -227,7 +227,7 @@ outputs:
- name: Run puppet apply to set tranport_url in nova.conf
tags: step5
when: is_bootstrap_node
- command: puppet apply --detailed-exitcodes /root/nova-api_upgrade_manifest.pp
+ command: puppet apply --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules --detailed-exitcodes /root/nova-api_upgrade_manifest.pp
register: puppet_apply_nova_api_upgrade
failed_when: puppet_apply_nova_api_upgrade.rc not in [0,2]
changed_when: puppet_apply_nova_api_upgrade.rc == 2
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index b297424e..21a5e78a 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -32,6 +32,36 @@ parameters:
MonitoringSubscriptionNovaLibvirt:
default: 'overcloud-nova-libvirt'
type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ UseTLSTransportForLiveMigration:
+ type: boolean
+ default: true
+ description: If set to true and if EnableInternalTLS is enabled, it will
+ set the libvirt URI's transport to tls and configure the
+ relevant keys for libvirt.
+ LibvirtCACert:
+ type: string
+ default: '/etc/ipa/ca.crt'
+ description: This specifies the CA certificate to use for TLS in libvirt.
+ This file will be symlinked to the default CA path in libvirt,
+ which is /etc/pki/CA/cacert.pem. Note that due to limitations
+ GNU TLS, which is the TLS backend for libvirt, the file must
+ be less than 65K (so we can't use the system's CA bundle). The
+ current default reflects TripleO's default CA, which is
+ FreeIPA. It will only be used if internal TLS is enabled.
+
+conditions:
+
+ use_tls_for_live_migration:
+ and:
+ - equals:
+ - {get_param: EnableInternalTLS}
+ - true
+ - equals:
+ - {get_param: UseTLSTransportForLiveMigration}
+ - true
resources:
NovaBase:
@@ -70,5 +100,57 @@ outputs:
- '49152-49215'
- '5900-5999'
+ -
+ if:
+ - use_tls_for_live_migration
+ -
+ generate_service_certificates: true
+ tripleo::profile::base::nova::libvirt_tls: true
+ nova::migration::libvirt::live_migration_inbound_addr:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ tripleo::certmonger::ca::libvirt::origin_ca_pem:
+ get_param: LibvirtCACert
+ tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
+ tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
+ libvirt_certificates_specs:
+ libvirt-server-cert:
+ service_certificate: '/etc/pki/libvirt/servercert.pem'
+ service_key: '/etc/pki/libvirt/private/serverkey.pem'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ principal:
+ str_replace:
+ template: "libvirt/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ libvirt-client-cert:
+ service_certificate: '/etc/pki/libvirt/clientcert.pem'
+ service_key: '/etc/pki/libvirt/private/clientkey.pem'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ principal:
+ str_replace:
+ template: "libvirt/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ - {}
step_config: |
include tripleo::profile::base::nova::libvirt
+ metadata_settings:
+ if:
+ - use_tls_for_live_migration
+ -
+ - service: libvirt
+ network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ type: node
+ - null
diff --git a/puppet/services/sshd.yaml b/puppet/services/sshd.yaml
index 12998c33..e09a8894 100644
--- a/puppet/services/sshd.yaml
+++ b/puppet/services/sshd.yaml
@@ -22,6 +22,33 @@ parameters:
default: ''
description: Configures Banner text in sshd_config
type: string
+ MessageOfTheDay:
+ default: ''
+ description: Configures /etc/motd text
+ type: string
+ SshServerOptions:
+ default:
+ HostKey:
+ - '/etc/ssh/ssh_host_rsa_key'
+ - '/etc/ssh/ssh_host_ecdsa_key'
+ - '/etc/ssh/ssh_host_ed25519_key'
+ SyslogFacility: 'AUTHPRIV'
+ AuthorizedKeysFile: '.ssh/authorized_keys'
+ PasswordAuthentication: 'no'
+ ChallengeResponseAuthentication: 'no'
+ GSSAPIAuthentication: 'yes'
+ GSSAPICleanupCredentials: 'no'
+ UsePAM: 'yes'
+ X11Forwarding: 'yes'
+ UsePrivilegeSeparation: 'sandbox'
+ AcceptEnv:
+ - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
+ - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
+ - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
+ - 'XMODIFIERS'
+ Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
+ description: Mapping of sshd_config values
+ type: json
outputs:
role_data:
@@ -30,5 +57,7 @@ outputs:
service_name: sshd
config_settings:
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
+ tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
+ tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
step_config: |
include ::tripleo::profile::base::sshd
diff --git a/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml b/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml
new file mode 100644
index 00000000..e8941b7c
--- /dev/null
+++ b/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ If TLS in the internal network is enabled, libvirt's transport defaults to
+ using TLS. This can be changed by setting the ``UseTLSTransportForLiveMigration``
+ parameter, which is ``true`` by default.
diff --git a/releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml b/releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml
new file mode 100644
index 00000000..b0ad9d93
--- /dev/null
+++ b/releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - Previously only the VIPs and their associated hostnames were present
+ in the HostsEntry output, due to the hosts_entries output on the
+ hosts-config.yaml nested stack being empty. It was referencing an
+ invalid attribute. See
+ https://bugs.launchpad.net/tripleo/+bug/1683517
+
+
diff --git a/releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml b/releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml
new file mode 100644
index 00000000..072e85aa
--- /dev/null
+++ b/releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Deploy Glance with Keystone v3 endpoints and make
+ sure it doesn't rely on Keystone v2 anymore.
diff --git a/releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml b/releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml
new file mode 100644
index 00000000..5b58d3d4
--- /dev/null
+++ b/releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - The server resource type, OS::TripleO::Server can now be
+ mapped per role instead of globally. This allows users to
+ mix baremetal (OS::Nova::Server) and
+ deployed-server (OS::Heat::DeployedServer) server resources
+ in the same deployment. See
+ https://blueprints.launchpad.net/tripleo/+spec/pluggable-server-type-per-role
diff --git a/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml
new file mode 100644
index 00000000..4cc01df8
--- /dev/null
+++ b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added ability to manage MOTD Banner
+ Enabled SSHD composible service by default. Puppet-ssh manages the sshd config.
diff --git a/tools/process-templates.py b/tools/process-templates.py
index 1c8c4ba6..69ed96a6 100755
--- a/tools/process-templates.py
+++ b/tools/process-templates.py
@@ -32,6 +32,9 @@ def parse_opts(argv):
parser.add_argument('-r', '--roles-data', metavar='ROLES_DATA',
help="""relative path to the roles_data.yaml file.""",
default='roles_data.yaml')
+ parser.add_argument('-n', '--network-data', metavar='NETWORK_DATA',
+ help="""relative path to the network_data.yaml file.""",
+ default='network_data.yaml')
parser.add_argument('--safe',
action='store_true',
help="""Enable safe mode (do not overwrite files).""",
@@ -71,11 +74,15 @@ def _j2_render_to_file(j2_template, j2_data, outfile_name=None,
out_f.write(r_template)
-def process_templates(template_path, role_data_path, output_dir, overwrite):
+def process_templates(template_path, role_data_path, output_dir,
+ network_data_path, overwrite):
with open(role_data_path) as role_data_file:
role_data = yaml.safe_load(role_data_file)
+ with open(network_data_path) as network_data_file:
+ network_data = yaml.safe_load(network_data_file)
+
j2_excludes_path = os.path.join(template_path, 'j2_excludes.yaml')
with open(j2_excludes_path) as role_data_file:
j2_excludes = yaml.safe_load(role_data_file)
@@ -150,7 +157,8 @@ def process_templates(template_path, role_data_path, output_dir, overwrite):
print("jinja2 rendering normal template %s" % f)
with open(file_path) as j2_template:
template_data = j2_template.read()
- j2_data = {'roles': role_data}
+ j2_data = {'roles': role_data,
+ 'networks': network_data}
out_f = os.path.basename(f).replace('.j2.yaml', '.yaml')
out_f_path = os.path.join(out_dir, out_f)
_j2_render_to_file(template_data, j2_data, out_f_path,
@@ -164,5 +172,7 @@ def process_templates(template_path, role_data_path, output_dir, overwrite):
opts = parse_opts(sys.argv)
role_data_path = os.path.join(opts.base_path, opts.roles_data)
+network_data_path = os.path.join(opts.base_path, opts.network_data)
-process_templates(opts.base_path, role_data_path, opts.output_dir, (not opts.safe))
+process_templates(opts.base_path, role_data_path, opts.output_dir,
+ network_data_path, (not opts.safe))