diff options
40 files changed, 334 insertions, 89 deletions
diff --git a/capabilities-map.yaml b/capabilities-map.yaml index 0af0e822..e510d679 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -2,12 +2,6 @@ # repository for deployment using puppet. It groups configuration by topic, # describes possible combinations of environments and resource capabilities. -# root_template: identifies repository's root template -# root_environment: identifies root_environment, this one is special in terms of -# order in which the environments are merged before deploying. This one serves as -# a base and it's parameters/resource_registry gets overridden by other environments -# if used. - # topics: # High Level grouping by purpose of environments # Attributes: @@ -38,8 +32,6 @@ # only when that given environment is used. (resource_type of that environment can # be implemented using multiple templates). -root_template: overcloud.yaml -root_environment: overcloud-resource-registry-puppet.yaml topics: - title: Base Resources Configuration description: diff --git a/ci/environments/multinode-3nodes.yaml b/ci/environments/multinode-3nodes.yaml index 56013adf..ef51a779 100644 --- a/ci/environments/multinode-3nodes.yaml +++ b/ci/environments/multinode-3nodes.yaml @@ -56,6 +56,7 @@ - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::Sshd - name: Controller CountDefault: 1 @@ -77,3 +78,4 @@ - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::Sshd diff --git a/ci/environments/multinode-container-upgrade.yaml b/ci/environments/multinode-container-upgrade.yaml index 44a0ce73..df60a6e3 100644 --- a/ci/environments/multinode-container-upgrade.yaml +++ b/ci/environments/multinode-container-upgrade.yaml @@ -48,6 +48,7 @@ parameter_defaults: - OS::TripleO::Services::Timezone - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/multinode.yaml b/ci/environments/multinode.yaml index d0d6ba99..650bbf01 100644 --- a/ci/environments/multinode.yaml +++ b/ci/environments/multinode.yaml @@ -52,6 +52,7 @@ parameter_defaults: - OS::TripleO::Services::Timezone - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/multinode_major_upgrade.yaml b/ci/environments/multinode_major_upgrade.yaml index c97080fb..8a520b57 100644 --- a/ci/environments/multinode_major_upgrade.yaml +++ b/ci/environments/multinode_major_upgrade.yaml @@ -56,6 +56,7 @@ parameter_defaults: - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::Pacemaker - OS::TripleO::Services::Horizon + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/scenario002-multinode.yaml b/ci/environments/scenario002-multinode.yaml index 38d24ee1..8236ee8f 100644 --- a/ci/environments/scenario002-multinode.yaml +++ b/ci/environments/scenario002-multinode.yaml @@ -61,6 +61,7 @@ parameter_defaults: - OS::TripleO::Services::Ec2Api - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/scenario003-multinode.yaml b/ci/environments/scenario003-multinode.yaml index 5472b494..fbc3165e 100644 --- a/ci/environments/scenario003-multinode.yaml +++ b/ci/environments/scenario003-multinode.yaml @@ -55,6 +55,7 @@ parameter_defaults: - OS::TripleO::Services::MistralExecutor - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/scenario004-multinode.yaml b/ci/environments/scenario004-multinode.yaml index 25fad4bb..b81b54f0 100644 --- a/ci/environments/scenario004-multinode.yaml +++ b/ci/environments/scenario004-multinode.yaml @@ -69,6 +69,7 @@ parameter_defaults: - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/environments/external-loadbalancer-vip-v6.yaml b/environments/external-loadbalancer-vip-v6.yaml index bd455175..c8375fc7 100644 --- a/environments/external-loadbalancer-vip-v6.yaml +++ b/environments/external-loadbalancer-vip-v6.yaml @@ -1,4 +1,9 @@ resource_registry: + OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external_v6.yaml + OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api_v6.yaml + OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage_v6.yaml + OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt_v6.yaml + OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip_v6.yaml OS::TripleO::Controller::Ports::ExternalPort: ../network/ports/external_from_pool_v6.yaml OS::TripleO::Controller::Ports::InternalApiPort: ../network/ports/internal_api_from_pool_v6.yaml OS::TripleO::Controller::Ports::StoragePort: ../network/ports/storage_from_pool_v6.yaml diff --git a/environments/external-loadbalancer-vip.yaml b/environments/external-loadbalancer-vip.yaml index dec9b835..33f145d9 100644 --- a/environments/external-loadbalancer-vip.yaml +++ b/environments/external-loadbalancer-vip.yaml @@ -1,4 +1,9 @@ resource_registry: + OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external.yaml + OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api.yaml + OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage.yaml + OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt.yaml + OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml OS::TripleO::Controller::Ports::ExternalPort: ../network/ports/external_from_pool.yaml OS::TripleO::Controller::Ports::InternalApiPort: ../network/ports/internal_api_from_pool.yaml OS::TripleO::Controller::Ports::StoragePort: ../network/ports/storage_from_pool.yaml diff --git a/environments/fixed-ip-vips-v6.yaml b/environments/fixed-ip-vips-v6.yaml new file mode 100644 index 00000000..c288d7b0 --- /dev/null +++ b/environments/fixed-ip-vips-v6.yaml @@ -0,0 +1,21 @@ +# This template allows the IPs to be preselected for each VIP. Note that +# this template should be included after other templates which affect the +# network such as network-isolation.yaml. + +resource_registry: + OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external_v6.yaml + OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api_v6.yaml + OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage_v6.yaml + OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt_v6.yaml + OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml + +parameter_defaults: + # Set the IP addresses of the VIPs here. + # NOTE: we will eventually move to one VIP per service + # + ControlFixedIPs: [{'ip_address':'192.168.24.240'}] + PublicVirtualFixedIps: [{'ip_address':'2001:db8:fd00:1000:0000:0000:0000:0005'}] + InternalApiVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:2000:0000:0000:0000:0005'}] + StorageVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:3000:0000:0000:0000:000'}] + StorageMgmtVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:4000:0000:0000:0000:0005'}] + RedisVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:2000:0000:0000:0000:0006'}] diff --git a/environments/fixed-ip-vips.yaml b/environments/fixed-ip-vips.yaml new file mode 100644 index 00000000..3860f41d --- /dev/null +++ b/environments/fixed-ip-vips.yaml @@ -0,0 +1,21 @@ +# This template allows the IPs to be preselected for each VIP. Note that +# this template should be included after other templates which affect the +# network such as network-isolation.yaml. + +resource_registry: + OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external.yaml + OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api.yaml + OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage.yaml + OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt.yaml + OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml + +parameter_defaults: + # Set the IP addresses of the VIPs here. + # NOTE: we will eventually move to one VIP per service + # + ControlFixedIPs: [{'ip_address':'192.168.24.240'}] + PublicVirtualFixedIps: [{'ip_address':'10.0.0.240'}] + InternalApiVirtualFixedIPs: [{'ip_address':'172.16.2.240'}] + StorageVirtualFixedIPs: [{'ip_address':'172.16.1.240'}] + StorageMgmtVirtualFixedIPs: [{'ip_address':'172.16.3.240'}] + RedisVirtualFixedIPs: [{'ip_address':'172.16.2.241'}] diff --git a/environments/sshd-banner.yaml b/environments/sshd-banner.yaml index 041c0990..894bf1c9 100644 --- a/environments/sshd-banner.yaml +++ b/environments/sshd-banner.yaml @@ -1,6 +1,3 @@ -resource_registry: - OS::TripleO::Services::Sshd: ../puppet/services/sshd.yaml - parameter_defaults: BannerText: | ****************************************************************** @@ -11,3 +8,6 @@ parameter_defaults: * evidence of criminal activity, system personnel may provide * * the evidence from such monitoring to law enforcement officials.* ****************************************************************** + MessageOfTheDay: | + ALERT! You are entering into a secured area! + This service is restricted to authorized users only. diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml index 2540fbe5..7a2716da 100644 --- a/environments/undercloud.yaml +++ b/environments/undercloud.yaml @@ -11,6 +11,7 @@ parameter_defaults: NeutronBridgeMappings: ctlplane:br-ctlplane NeutronAgentExtensions: [] NeutronFlatNetworks: '*' + NeutronDnsDomain: '' NovaSchedulerAvailableFilters: 'tripleo_common.filters.list.tripleo_filters' NovaSchedulerDefaultFilters: ['RetryFilter', 'TripleOCapabilitiesFilter', 'ComputeCapabilitiesFilter', 'AvailabilityZoneFilter', 'RamFilter', 'DiskFilter', 'ComputeFilter', 'ImagePropertiesFilter', 'ServerGroupAntiAffinityFilter', 'ServerGroupAffinityFilter'] NeutronDhcpAgentsPerNetwork: 2 diff --git a/extraconfig/tasks/run_puppet.sh b/extraconfig/tasks/run_puppet.sh index b7771e33..e3f6c493 100755 --- a/extraconfig/tasks/run_puppet.sh +++ b/extraconfig/tasks/run_puppet.sh @@ -10,7 +10,10 @@ function run_puppet { export FACTER_deploy_config_name="${role}Deployment_Step${step}" if [ -e "/etc/puppet/hieradata/heat_config_${FACTER_deploy_config_name}.json" ]; then set +e - puppet apply --detailed-exitcodes "${manifest}" + puppet apply --detailed-exitcodes \ + --modulepath \ + /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules \ + "${manifest}" rc=$? echo "puppet apply exited with exit code $rc" else diff --git a/hosts-config.yaml b/hosts-config.yaml index 5a211716..c02c4208 100644 --- a/hosts-config.yaml +++ b/hosts-config.yaml @@ -31,7 +31,7 @@ outputs: The content that should be appended to your /etc/hosts if you want to get hostname-based access to the deployed nodes (useful for testing without setting up a DNS). - value: {get_attr: [hostsConfigImpl, config, hosts]} + value: {get_param: hosts} OS::stack_id: description: The ID of the hostsConfigImpl resource. value: {get_resource: hostsConfigImpl} diff --git a/network/networks.j2.yaml b/network/networks.j2.yaml new file mode 100644 index 00000000..ef977d8d --- /dev/null +++ b/network/networks.j2.yaml @@ -0,0 +1,17 @@ +heat_template_version: ocata + +description: Create networks to split out Overcloud traffic + +resources: + + {%- for network in networks %} + {%- if network.name != 'InternalApi' %} + {{network.name}}Network: + {%- else %} + InternalNetwork: + {%- endif %} + type: OS::TripleO::Network::{{network.name}} + {%- endfor %} + + NetworkExtraConfig: + type: OS::TripleO::Network::ExtraConfig diff --git a/network/networks.yaml b/network/networks.yaml deleted file mode 100644 index 26033ee2..00000000 --- a/network/networks.yaml +++ /dev/null @@ -1,26 +0,0 @@ -heat_template_version: ocata - -description: Create networks to split out Overcloud traffic - -resources: - - ExternalNetwork: - type: OS::TripleO::Network::External - - InternalNetwork: - type: OS::TripleO::Network::InternalApi - - StorageMgmtNetwork: - type: OS::TripleO::Network::StorageMgmt - - StorageNetwork: - type: OS::TripleO::Network::Storage - - TenantNetwork: - type: OS::TripleO::Network::Tenant - - ManagementNetwork: - type: OS::TripleO::Network::Management - - NetworkExtraConfig: - type: OS::TripleO::Network::ExtraConfig diff --git a/network_data.yaml b/network_data.yaml new file mode 100644 index 00000000..6d62605b --- /dev/null +++ b/network_data.yaml @@ -0,0 +1,30 @@ +# List of networks, used for j2 templating of enabled networks +# +# Supported values: +# +# name: Name of the network (mandatory) +# name_lower: lowercase version of name used for filenames +# (optional, defaults to name.lower()) +# vlan: vlan for the network (optional) +# gateway: gateway for the network (optional) +# enabled: Is the network enabled (optional, defaults to true) +# vip: Enable creation of a virtual IP on this network +# [TODO] (dsneddon@redhat.com) - Enable dynamic creation of VIP ports, to support +# VIPs on non-default networks. See https://bugs.launchpad.net/tripleo/+bug/1667104 +# +- name: External + vip: true +- name: InternalApi + name_lower: internal_api + vip: true +- name: Storage + vip: true +- name: StorageMgmt + name_lower: storage_mgmt + vip: true +- name: Tenant + vip: false # Tenant network does not use VIPs +- name: Management + # Management network is disabled by default + enabled: false + vip: false # Management network does not use VIPs diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index ee75de6d..dd0cec76 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -22,22 +22,16 @@ resource_registry: OS::TripleO::Tasks::{{role.name}}PostConfig: OS::Heat::None OS::TripleO::{{role.name}}ExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml # Port assignments for the {{role.name}} role + {%- if role.name != 'ObjectStorage' %} + {%- for network in networks %} + OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: network/ports/noop.yaml + {%- endfor %} + {%- else %} # Note we have to special-case ObjectStorage for backwards compatibility - {% if role.name != 'ObjectStorage' %} - OS::TripleO::{{role.name}}::Ports::ExternalPort: network/ports/noop.yaml - OS::TripleO::{{role.name}}::Ports::InternalApiPort: network/ports/noop.yaml - OS::TripleO::{{role.name}}::Ports::StoragePort: network/ports/noop.yaml - OS::TripleO::{{role.name}}::Ports::StorageMgmtPort: network/ports/noop.yaml - OS::TripleO::{{role.name}}::Ports::TenantPort: network/ports/noop.yaml - OS::TripleO::{{role.name}}::Ports::ManagementPort: network/ports/noop.yaml - {% else %} - OS::TripleO::SwiftStorage::Ports::ExternalPort: network/ports/noop.yaml - OS::TripleO::SwiftStorage::Ports::InternalApiPort: network/ports/noop.yaml - OS::TripleO::SwiftStorage::Ports::StoragePort: network/ports/noop.yaml - OS::TripleO::SwiftStorage::Ports::StorageMgmtPort: network/ports/noop.yaml - OS::TripleO::SwiftStorage::Ports::TenantPort: network/ports/noop.yaml - OS::TripleO::SwiftStorage::Ports::ManagementPort: network/ports/noop.yaml - {% endif %} + {%- for network in networks %} + OS::TripleO::SwiftStorage::Ports::{{network.name}}Port: network/ports/noop.yaml + {%- endfor %} + {%- endif %} OS::TripleO::{{role.name}}::Net::SoftwareConfig: net-config-noop.yaml {% endfor %} @@ -48,6 +42,9 @@ resource_registry: OS::TripleO::ServiceServerMetadataHook: OS::Heat::None OS::TripleO::Server: OS::Nova::Server +{% for role in roles %} + OS::TripleO::{{role.name}}Server: OS::TripleO::Server +{% endfor %} # This creates the "heat-admin" user for all OS images by default # To disable, replace with firstboot/userdata_default.yaml @@ -83,12 +80,9 @@ resource_registry: # TripleO overcloud networks OS::TripleO::Network: network/networks.yaml - OS::TripleO::Network::External: OS::Heat::None - OS::TripleO::Network::InternalApi: OS::Heat::None - OS::TripleO::Network::StorageMgmt: OS::Heat::None - OS::TripleO::Network::Storage: OS::Heat::None - OS::TripleO::Network::Tenant: OS::Heat::None - OS::TripleO::Network::Management: OS::Heat::None + {%- for network in networks %} + OS::TripleO::Network::{{network.name}}: OS::Heat::None + {%- endfor %} OS::TripleO::Network::ExtraConfig: OS::Heat::None @@ -97,10 +91,10 @@ resource_registry: OS::TripleO::Network::Ports::NetIpListMap: network/ports/net_ip_list_map.yaml # Port assignments for the VIPs - OS::TripleO::Network::Ports::ExternalVipPort: network/ports/noop.yaml - OS::TripleO::Network::Ports::InternalApiVipPort: network/ports/noop.yaml - OS::TripleO::Network::Ports::StorageVipPort: network/ports/noop.yaml - OS::TripleO::Network::Ports::StorageMgmtVipPort: network/ports/noop.yaml + {%- for network in networks if network.vip|default(false) %} + OS::TripleO::Network::Ports::{{network.name}}VipPort: network/ports/noop.yaml + {%- endfor %} + OS::TripleO::Network::Ports::RedisVipPort: network/ports/ctlplane_vip.yaml OS::TripleO::Network::Ports::ControlPlaneVipPort: OS::Neutron::Port @@ -176,8 +170,8 @@ resource_registry: OS::TripleO::Services::Memcached: puppet/services/memcached.yaml OS::TripleO::Services::SaharaApi: OS::Heat::None OS::TripleO::Services::SaharaEngine: OS::Heat::None - OS::TripleO::Services::Sshd: OS::Heat::None OS::TripleO::Services::Securetty: OS::Heat::None + OS::TripleO::Services::Sshd: puppet/services/sshd.yaml OS::TripleO::Services::Redis: puppet/services/database/redis.yaml OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml index a2d501d3..54092fa2 100644 --- a/overcloud.j2.yaml +++ b/overcloud.j2.yaml @@ -51,7 +51,9 @@ parameters: type: string ControlFixedIPs: default: [] - description: Should be used for arbitrary ips. + description: > + Control the IP allocation for the ControlVirtualIP port. E.g. + [{'ip_address':'1.2.3.4'}] type: json InternalApiVirtualFixedIPs: default: [] diff --git a/puppet/blockstorage-role.yaml b/puppet/blockstorage-role.yaml index 16fb4b90..b9e5c6fe 100644 --- a/puppet/blockstorage-role.yaml +++ b/puppet/blockstorage-role.yaml @@ -126,7 +126,7 @@ parameters: resources: BlockStorage: - type: OS::TripleO::Server + type: OS::TripleO::BlockStorageServer metadata: os-collect-config: command: {get_param: ConfigCommand} diff --git a/puppet/cephstorage-role.yaml b/puppet/cephstorage-role.yaml index 4b022452..075f42ba 100644 --- a/puppet/cephstorage-role.yaml +++ b/puppet/cephstorage-role.yaml @@ -132,7 +132,7 @@ parameters: resources: CephStorage: - type: OS::TripleO::Server + type: OS::TripleO::CephStorageServer metadata: os-collect-config: command: {get_param: ConfigCommand} diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml index 37331f37..351b3823 100644 --- a/puppet/compute-role.yaml +++ b/puppet/compute-role.yaml @@ -145,7 +145,7 @@ parameters: resources: NovaCompute: - type: OS::TripleO::Server + type: OS::TripleO::ComputeServer metadata: os-collect-config: command: {get_param: ConfigCommand} diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml index 68623e2d..92eb70ad 100644 --- a/puppet/controller-role.yaml +++ b/puppet/controller-role.yaml @@ -165,7 +165,7 @@ parameter_groups: resources: Controller: - type: OS::TripleO::Server + type: OS::TripleO::ControllerServer metadata: os-collect-config: command: {get_param: ConfigCommand} diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml index c0a0778c..28092773 100644 --- a/puppet/major_upgrade_steps.j2.yaml +++ b/puppet/major_upgrade_steps.j2.yaml @@ -51,10 +51,11 @@ resources: - " crudini --set /etc/nova/nova.conf placement project_domain_name Default\n\n" - " crudini --set /etc/nova/nova.conf placement user_domain_name Default\n\n" - " crudini --set /etc/nova/nova.conf placement project_name service\n\n" + - " crudini --set /etc/nova/nova.conf placement os_interface internal\n\n" - str_replace: template: | crudini --set /etc/nova/nova.conf placement password 'SERVICE_PASSWORD' - crudini --set /etc/nova/nova.conf placement region_name 'REGION_NAME' + crudini --set /etc/nova/nova.conf placement os_region_name 'REGION_NAME' crudini --set /etc/nova/nova.conf placement auth_url 'AUTH_URL' params: SERVICE_PASSWORD: { get_param: NovaPassword } diff --git a/puppet/objectstorage-role.yaml b/puppet/objectstorage-role.yaml index a329d13f..84b646a2 100644 --- a/puppet/objectstorage-role.yaml +++ b/puppet/objectstorage-role.yaml @@ -127,7 +127,7 @@ parameters: resources: SwiftStorage: - type: OS::Nova::Server + type: OS::Nova::ObjectStorageServer metadata: os-collect-config: command: {get_param: ConfigCommand} diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml index 9cfc65a1..960f0d58 100644 --- a/puppet/role.role.j2.yaml +++ b/puppet/role.role.j2.yaml @@ -148,7 +148,7 @@ parameters: resources: {{role}}: - type: OS::TripleO::Server + type: OS::TripleO::{{role.name}}Server metadata: os-collect-config: command: {get_param: ConfigCommand} diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index f61e6154..de41c0e8 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -119,6 +119,7 @@ parameters: conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']} resources: @@ -153,14 +154,13 @@ outputs: - '/glance' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} - glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false glance::api::enable_v2_api: true glance::api::authtoken::password: {get_param: GlancePassword} glance::api::enable_proxy_headers_parsing: true glance::api::debug: {get_param: Debug} - glance::api::workers: {get_param: GlanceWorkers} glance::policy::policies: {get_param: GlanceApiPolicies} tripleo.glance_api.firewall_rules: '112 glance_api': @@ -168,6 +168,8 @@ outputs: - 9292 - 13292 glance::api::authtoken::project_name: 'service' + glance::keystone::authtoken::user_domain_name: 'Default' + glance::keystone::authtoken::project_domain_name: 'Default' glance::api::pipeline: 'keystone' glance::api::show_image_direct_url: true # NOTE: bind IP is found in Heat replacing the network name with the @@ -195,10 +197,11 @@ outputs: - {get_param: [ServiceNetMap, GlanceApiNetwork]} glance_notifier_strategy: {get_param: GlanceNotifierStrategy} glance_log_file: {get_param: GlanceLogFile} - glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] } glance::backend::swift::swift_store_user: service:glance glance::backend::swift::swift_store_key: {get_param: GlancePassword} glance::backend::swift::swift_store_create_container_on_put: true + glance::backend::swift::swift_store_auth_version: 3 glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} glance_backend: {get_param: GlanceBackend} @@ -210,6 +213,11 @@ outputs: tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} + - + if: + - glance_workers_unset + - {} + - glance::api::workers: {get_param: GlanceWorkers} service_config_settings: keystone: glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 9b9d1c72..a0305b81 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -21,13 +21,13 @@ parameters: NeutronWorkers: default: '' description: | - Sets the number of API and RPC workers for the Neutron service. The - default value results in the configuration being left unset and a - system-dependent default will be chosen (usually the number of - processors). Please note that this can result in a large number of - processes and memory consumption on systems with a large core count. On - such systems it is recommended that a non-default value be selected that - matches the load requirements. + Sets the number of API and RPC workers for the Neutron service. + The default value results in the configuration being left unset + and a system-dependent default will be chosen (usually the number + of processors). Please note that this can result in a large number + of processes and memory consumption on systems with a large core + count. On such systems it is recommended that a non-default value + be selected that matches the load requirements. type: string NeutronPassword: description: The password for the neutron service and db account, used by neutron agents. @@ -92,6 +92,7 @@ parameter_groups: conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']} resources: @@ -136,8 +137,6 @@ outputs: neutron::policy::policies: {get_param: NeutronApiPolicies} neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - neutron::server::api_workers: {get_param: NeutronWorkers} - neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} neutron::server::enable_proxy_headers_parsing: true neutron::keystone::authtoken::password: {get_param: NeutronPassword} @@ -178,6 +177,12 @@ outputs: - 'localhost' - {get_param: [ServiceNetMap, NeutronApiNetwork]} tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA} + - + if: + - neutron_workers_unset + - {} + - neutron::server::api_workers: {get_param: NeutronWorkers} + neutron::server::rpc_workers: {get_param: NeutronWorkers} step_config: | include tripleo::profile::base::neutron::server service_config_settings: diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 9f605062..b41cb3cc 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -30,6 +30,10 @@ parameters: type: number default: 0 description: The number of neutron dhcp agents to schedule per network + NeutronDnsDomain: + type: string + default: openstacklocal + description: Domain to use for building the hostnames. NeutronCorePlugin: default: 'ml2' description: | @@ -95,6 +99,7 @@ outputs: neutron::debug: {get_param: Debug} neutron::purge_config: {get_param: EnableConfigPurge} neutron::allow_overlapping_ips: true + neutron::dns_domain: {get_param: NeutronDnsDomain} neutron::rabbit_heartbeat_timeout_threshold: 60 neutron::host: '%{::fqdn}' neutron::db::database_db_max_retries: -1 diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 18d9b924..21910cc4 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -227,7 +227,7 @@ outputs: - name: Run puppet apply to set tranport_url in nova.conf tags: step5 when: is_bootstrap_node - command: puppet apply --detailed-exitcodes /root/nova-api_upgrade_manifest.pp + command: puppet apply --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules --detailed-exitcodes /root/nova-api_upgrade_manifest.pp register: puppet_apply_nova_api_upgrade failed_when: puppet_apply_nova_api_upgrade.rc not in [0,2] changed_when: puppet_apply_nova_api_upgrade.rc == 2 diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index b297424e..21a5e78a 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -32,6 +32,36 @@ parameters: MonitoringSubscriptionNovaLibvirt: default: 'overcloud-nova-libvirt' type: string + EnableInternalTLS: + type: boolean + default: false + UseTLSTransportForLiveMigration: + type: boolean + default: true + description: If set to true and if EnableInternalTLS is enabled, it will + set the libvirt URI's transport to tls and configure the + relevant keys for libvirt. + LibvirtCACert: + type: string + default: '/etc/ipa/ca.crt' + description: This specifies the CA certificate to use for TLS in libvirt. + This file will be symlinked to the default CA path in libvirt, + which is /etc/pki/CA/cacert.pem. Note that due to limitations + GNU TLS, which is the TLS backend for libvirt, the file must + be less than 65K (so we can't use the system's CA bundle). The + current default reflects TripleO's default CA, which is + FreeIPA. It will only be used if internal TLS is enabled. + +conditions: + + use_tls_for_live_migration: + and: + - equals: + - {get_param: EnableInternalTLS} + - true + - equals: + - {get_param: UseTLSTransportForLiveMigration} + - true resources: NovaBase: @@ -70,5 +100,57 @@ outputs: - '49152-49215' - '5900-5999' + - + if: + - use_tls_for_live_migration + - + generate_service_certificates: true + tripleo::profile::base::nova::libvirt_tls: true + nova::migration::libvirt::live_migration_inbound_addr: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + tripleo::certmonger::ca::libvirt::origin_ca_pem: + get_param: LibvirtCACert + tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt' + tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private' + libvirt_certificates_specs: + libvirt-server-cert: + service_certificate: '/etc/pki/libvirt/servercert.pem' + service_key: '/etc/pki/libvirt/private/serverkey.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "libvirt/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + libvirt-client-cert: + service_certificate: '/etc/pki/libvirt/clientcert.pem' + service_key: '/etc/pki/libvirt/private/clientkey.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "libvirt/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + - {} step_config: | include tripleo::profile::base::nova::libvirt + metadata_settings: + if: + - use_tls_for_live_migration + - + - service: libvirt + network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + type: node + - null diff --git a/puppet/services/sshd.yaml b/puppet/services/sshd.yaml index 12998c33..e09a8894 100644 --- a/puppet/services/sshd.yaml +++ b/puppet/services/sshd.yaml @@ -22,6 +22,33 @@ parameters: default: '' description: Configures Banner text in sshd_config type: string + MessageOfTheDay: + default: '' + description: Configures /etc/motd text + type: string + SshServerOptions: + default: + HostKey: + - '/etc/ssh/ssh_host_rsa_key' + - '/etc/ssh/ssh_host_ecdsa_key' + - '/etc/ssh/ssh_host_ed25519_key' + SyslogFacility: 'AUTHPRIV' + AuthorizedKeysFile: '.ssh/authorized_keys' + PasswordAuthentication: 'no' + ChallengeResponseAuthentication: 'no' + GSSAPIAuthentication: 'yes' + GSSAPICleanupCredentials: 'no' + UsePAM: 'yes' + X11Forwarding: 'yes' + UsePrivilegeSeparation: 'sandbox' + AcceptEnv: + - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' + - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' + - 'LC_IDENTIFICATION LC_ALL LANGUAGE' + - 'XMODIFIERS' + Subsystem: 'sftp /usr/libexec/openssh/sftp-server' + description: Mapping of sshd_config values + type: json outputs: role_data: @@ -30,5 +57,7 @@ outputs: service_name: sshd config_settings: tripleo::profile::base::sshd::bannertext: {get_param: BannerText} + tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay} + tripleo::profile::base::sshd::options: {get_param: SshServerOptions} step_config: | include ::tripleo::profile::base::sshd diff --git a/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml b/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml new file mode 100644 index 00000000..e8941b7c --- /dev/null +++ b/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + If TLS in the internal network is enabled, libvirt's transport defaults to + using TLS. This can be changed by setting the ``UseTLSTransportForLiveMigration`` + parameter, which is ``true`` by default. diff --git a/releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml b/releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml new file mode 100644 index 00000000..b0ad9d93 --- /dev/null +++ b/releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - Previously only the VIPs and their associated hostnames were present + in the HostsEntry output, due to the hosts_entries output on the + hosts-config.yaml nested stack being empty. It was referencing an + invalid attribute. See + https://bugs.launchpad.net/tripleo/+bug/1683517 + + diff --git a/releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml b/releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml new file mode 100644 index 00000000..072e85aa --- /dev/null +++ b/releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml @@ -0,0 +1,4 @@ +--- +features: + - Deploy Glance with Keystone v3 endpoints and make + sure it doesn't rely on Keystone v2 anymore. diff --git a/releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml b/releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml new file mode 100644 index 00000000..5b58d3d4 --- /dev/null +++ b/releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml @@ -0,0 +1,8 @@ +--- +features: + - The server resource type, OS::TripleO::Server can now be + mapped per role instead of globally. This allows users to + mix baremetal (OS::Nova::Server) and + deployed-server (OS::Heat::DeployedServer) server resources + in the same deployment. See + https://blueprints.launchpad.net/tripleo/+spec/pluggable-server-type-per-role diff --git a/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml new file mode 100644 index 00000000..4cc01df8 --- /dev/null +++ b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Added ability to manage MOTD Banner + Enabled SSHD composible service by default. Puppet-ssh manages the sshd config. diff --git a/tools/process-templates.py b/tools/process-templates.py index 1c8c4ba6..69ed96a6 100755 --- a/tools/process-templates.py +++ b/tools/process-templates.py @@ -32,6 +32,9 @@ def parse_opts(argv): parser.add_argument('-r', '--roles-data', metavar='ROLES_DATA', help="""relative path to the roles_data.yaml file.""", default='roles_data.yaml') + parser.add_argument('-n', '--network-data', metavar='NETWORK_DATA', + help="""relative path to the network_data.yaml file.""", + default='network_data.yaml') parser.add_argument('--safe', action='store_true', help="""Enable safe mode (do not overwrite files).""", @@ -71,11 +74,15 @@ def _j2_render_to_file(j2_template, j2_data, outfile_name=None, out_f.write(r_template) -def process_templates(template_path, role_data_path, output_dir, overwrite): +def process_templates(template_path, role_data_path, output_dir, + network_data_path, overwrite): with open(role_data_path) as role_data_file: role_data = yaml.safe_load(role_data_file) + with open(network_data_path) as network_data_file: + network_data = yaml.safe_load(network_data_file) + j2_excludes_path = os.path.join(template_path, 'j2_excludes.yaml') with open(j2_excludes_path) as role_data_file: j2_excludes = yaml.safe_load(role_data_file) @@ -150,7 +157,8 @@ def process_templates(template_path, role_data_path, output_dir, overwrite): print("jinja2 rendering normal template %s" % f) with open(file_path) as j2_template: template_data = j2_template.read() - j2_data = {'roles': role_data} + j2_data = {'roles': role_data, + 'networks': network_data} out_f = os.path.basename(f).replace('.j2.yaml', '.yaml') out_f_path = os.path.join(out_dir, out_f) _j2_render_to_file(template_data, j2_data, out_f_path, @@ -164,5 +172,7 @@ def process_templates(template_path, role_data_path, output_dir, overwrite): opts = parse_opts(sys.argv) role_data_path = os.path.join(opts.base_path, opts.roles_data) +network_data_path = os.path.join(opts.base_path, opts.network_data) -process_templates(opts.base_path, role_data_path, opts.output_dir, (not opts.safe)) +process_templates(opts.base_path, role_data_path, opts.output_dir, + network_data_path, (not opts.safe)) |