aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--docker/firstboot/start_docker_agents.sh27
-rw-r--r--environments/enable-internal-tls.yaml4
-rw-r--r--environments/monitoring-environment.yaml36
-rw-r--r--environments/neutron-opendaylight-l3.yaml2
-rw-r--r--environments/neutron-opendaylight.yaml2
-rw-r--r--environments/storage-environment.yaml22
-rw-r--r--environments/tls-endpoints-public-dns.yaml3
-rw-r--r--environments/tls-endpoints-public-ip.yaml3
-rw-r--r--environments/tls-everywhere-endpoints-dns.yaml6
-rw-r--r--extraconfig/tasks/major_upgrade_block_storage.sh14
-rw-r--r--extraconfig/tasks/major_upgrade_ceph_storage.sh14
-rw-r--r--extraconfig/tasks/major_upgrade_compute.sh14
-rwxr-xr-xextraconfig/tasks/major_upgrade_controller_pacemaker_1.sh26
-rw-r--r--extraconfig/tasks/major_upgrade_object_storage.sh13
-rwxr-xr-xextraconfig/tasks/yum_update.sh33
-rw-r--r--network/endpoints/endpoint_data.yaml15
-rw-r--r--network/endpoints/endpoint_map.yaml249
-rw-r--r--network/service_net_map.j2.yaml1
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml1
-rw-r--r--overcloud.j2.yaml3
-rw-r--r--puppet/services/aodh-api.yaml13
-rw-r--r--puppet/services/apache-internal-tls-certmonger.yaml50
-rw-r--r--puppet/services/apache.yaml46
-rw-r--r--puppet/services/ceilometer-api.yaml14
-rw-r--r--puppet/services/cinder-api.yaml31
-rw-r--r--puppet/services/glance-base.yaml18
-rw-r--r--puppet/services/horizon.yaml3
-rw-r--r--puppet/services/keystone.yaml26
-rw-r--r--puppet/services/mistral-api.yaml52
-rw-r--r--puppet/services/mistral-base.yaml93
-rw-r--r--puppet/services/mistral-engine.yaml38
-rw-r--r--puppet/services/mistral-executor.yaml38
-rw-r--r--puppet/services/monitoring/sensu-client.yaml17
-rw-r--r--puppet/services/nova-api.yaml1
-rw-r--r--puppet/services/nova-libvirt.yaml4
-rw-r--r--puppet/services/opendaylight-api.yaml5
-rw-r--r--puppet/services/opendaylight-ovs.yaml1
-rw-r--r--puppet/services/rabbitmq.yaml2
-rw-r--r--puppet/services/swift-proxy.yaml12
-rw-r--r--puppet/services/swift-storage.yaml2
40 files changed, 873 insertions, 81 deletions
diff --git a/docker/firstboot/start_docker_agents.sh b/docker/firstboot/start_docker_agents.sh
index 68625032..acb44ce5 100644
--- a/docker/firstboot/start_docker_agents.sh
+++ b/docker/firstboot/start_docker_agents.sh
@@ -18,7 +18,9 @@ echo "127.0.0.1 $HOSTNAME.localdomain $HOSTNAME" >> /etc/hosts
#echo "ADD_REGISTRY='--registry-mirror $docker_registry'" >> /etc/sysconfig/docker
# Local docker registry 1.8
-if [ $docker_namespace_is_registry ]; then
+# NOTE(mandre) $docker_namespace_is_registry is not a bash variable but is
+# a place holder for text replacement done via heat
+if [ "$docker_namespace_is_registry" = True ]; then
/usr/bin/systemctl stop docker.service
# if namespace is used with local registry, trim all namespacing
trim_var=$docker_registry
@@ -32,6 +34,25 @@ DOCKER_PULL_PID=$!
mkdir -p /var/lib/etc-data/json-config #FIXME: this should be a docker data container
+# NOTE(flaper87): Heat Agent required mounts
+AGENT_COMMAND_MOUNTS="-v /var/lib/etc-data:/var/lib/etc-data \
+ -v /run:/run \
+ -v /etc:/host/etc \
+ -v /usr/bin/atomic:/usr/bin/atomic \
+ -v /var/lib/dhclient:/var/lib/dhclient \
+ -v /var/lib/cloud:/var/lib/cloud \
+ -v /var/lib/heat-cfntools:/var/lib/heat-cfntools \
+ -v /etc/sysconfig/docker:/etc/sysconfig/docker \
+ -v /usr/lib64/libseccomp.so.2:/usr/lib64/libseccomp.so.2"
+
+
+# NOTE(flaper87): Some of these commands may not be present depending on the
+# atomic version.
+for docker_cmd in docker docker-current docker-latest; do
+ if [ -f "/usr/bin/$docker_cmd" ]; then
+ AGENT_COMMAND_MOUNTS+=" -v /usr/bin/$docker_cmd:/usr/bin/$docker_cmd"
+ fi
+done
# heat-docker-agents service
cat <<EOF > /etc/systemd/system/heat-docker-agents.service
@@ -46,7 +67,9 @@ User=root
Restart=on-failure
ExecStartPre=-/usr/bin/docker kill heat-agents
ExecStartPre=-/usr/bin/docker rm heat-agents
-ExecStart=/usr/bin/docker run --name heat-agents --privileged --net=host -v /var/lib/etc-data:/var/lib/etc-data -v /run:/run -v /etc:/host/etc -v /usr/bin/atomic:/usr/bin/atomic -v /var/lib/dhclient:/var/lib/dhclient -v /var/lib/cloud:/var/lib/cloud -v /var/lib/heat-cfntools:/var/lib/heat-cfntools -v /usr/bin/docker:/usr/bin/docker --entrypoint=/usr/bin/os-collect-config $agent_image
+ExecStart=/usr/bin/docker run --name heat-agents --privileged --net=host \
+ $AGENT_COMMAND_MOUNTS \
+ --entrypoint=/usr/bin/os-collect-config $agent_image
ExecStop=/usr/bin/docker stop heat-agents
[Install]
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index 801dcde9..5116c6da 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -1,2 +1,6 @@
+# A Heat environment file which can be used to enable a
+# a TLS for in the internal network via certmonger
parameter_defaults:
EnableInternalTLS: true
+resource_registry:
+ OS::TripleO::Services::ApacheTLS: ../../puppet/services/apache-internal-tls-certmonger.yaml
diff --git a/environments/monitoring-environment.yaml b/environments/monitoring-environment.yaml
index 62ab06dc..f4aa67a9 100644
--- a/environments/monitoring-environment.yaml
+++ b/environments/monitoring-environment.yaml
@@ -1,30 +1,16 @@
-## A Heat environment file which can be used to set up monitoring
-## and logging agents
+## A Heat environment file which can be used to set up monitoring agents
resource_registry:
OS::TripleO::Services::SensuClient: ../puppet/services/monitoring/sensu-client.yaml
#parameter_defaults:
- #### Sensu settings ####
- ##MonitoringRabbitHost: 10.10.10.10
- ##MonitoringRabbitPort: 5672
- ##MonitoringRabbitUserName: sensu
- ##MonitoringRabbitPassword: sensu
- ##MonitoringRabbitUseSSL: false
- ##MonitoringRabbitVhost: "/sensu"
- ##SensuClientCustomConfig:
- ## - api:
- ## - warning: 10
- ## critical: 20
- ## openstack:
- ## - username: admin
- ## password: changeme
- ## project_name: admin
- ## auth_url: http://controller:5000/v2.0
- ## region_name: RegionOne
-
- #### EFK settings ####
- ## TBD
-
- #### Grafana/Graphite settings ####
- ## TBD
+# MonitoringRabbitHost: 10.10.10.10
+# MonitoringRabbitPort: 5672
+# MonitoringRabbitUserName: sensu
+# MonitoringRabbitPassword: sensu
+# MonitoringRabbitUseSSL: false
+# MonitoringRabbitVhost: "/sensu"
+# SensuClientCustomConfig:
+# api:
+# warning: 10
+# critical: 20
diff --git a/environments/neutron-opendaylight-l3.yaml b/environments/neutron-opendaylight-l3.yaml
index 0e8fb9aa..00be3048 100644
--- a/environments/neutron-opendaylight-l3.yaml
+++ b/environments/neutron-opendaylight-l3.yaml
@@ -2,12 +2,12 @@
resource_registry:
OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None
+ OS::TripleO::Services::ComputeNeutronCorePlugin: OS::Heat::None
OS::TripleO::Services::OpenDaylightApi: ../puppet/services/opendaylight-api.yaml
OS::TripleO::Services::OpenDaylightOvs: ../puppet/services/opendaylight-ovs.yaml
OS::TripleO::Services::NeutronL3Agent: OS::Heat::None
parameter_defaults:
- EnableOpenDaylightOnController: true
NeutronEnableForceMetadata: true
NeutronMechanismDrivers: 'opendaylight'
NeutronServicePlugins: "networking_odl.l3.l3_odl.OpenDaylightL3RouterPlugin"
diff --git a/environments/neutron-opendaylight.yaml b/environments/neutron-opendaylight.yaml
index a0fe4514..35c90aab 100644
--- a/environments/neutron-opendaylight.yaml
+++ b/environments/neutron-opendaylight.yaml
@@ -2,10 +2,10 @@
resource_registry:
OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None
+ OS::TripleO::Services::ComputeNeutronCorePlugin: OS::Heat::None
OS::TripleO::Services::OpenDaylightApi: ../puppet/services/opendaylight-api.yaml
OS::TripleO::Services::OpenDaylightOvs: ../puppet/services/opendaylight-ovs.yaml
parameter_defaults:
- EnableOpenDaylightOnController: true
NeutronEnableForceMetadata: true
NeutronMechanismDrivers: 'opendaylight'
diff --git a/environments/storage-environment.yaml b/environments/storage-environment.yaml
index 8cf34622..8e02c300 100644
--- a/environments/storage-environment.yaml
+++ b/environments/storage-environment.yaml
@@ -34,18 +34,18 @@ parameter_defaults:
# CinderNfsServers: ''
- #### GLANCE FILE BACKEND PACEMAKER SETTINGS (used for mounting NFS) ####
+ #### GLANCE NFS SETTINGS ####
- ## Whether to make Glance 'file' backend a mount managed by Pacemaker
- # GlanceFilePcmkManage: false
- ## File system type of the mount
- # GlanceFilePcmkFstype: nfs
- ## Pacemaker mount point, e.g. '192.168.122.1:/export/glance' for NFS
- ## (If using IPv6, use both double- and single-quotes,
- ## e.g. "'[fdd0::1]:/export/glance'")
- # GlanceFilePcmkDevice: ''
- ## Options for the mount managed by Pacemaker
- # GlanceFilePcmkOptions: ''
+ ## Make sure to set `GlanceBackend: file` when enabling NFS
+ ##
+ ## Whether to make Glance 'file' backend a NFS mount
+ # GlanceNfsEnabled: false
+ ## NFS share for image storage, e.g. '192.168.122.1:/export/glance'
+ ## (If using IPv6, use both double- and single-quotes,
+ ## e.g. "'[fdd0::1]:/export/glance'")
+ # GlanceNfsShare: ''
+ ## Mount options for the NFS image storage mount point
+ # GlanceNfsOptions: 'intr,context=system_u:object_r:glance_var_lib_t:s0'
#### CEPH SETTINGS ####
diff --git a/environments/tls-endpoints-public-dns.yaml b/environments/tls-endpoints-public-dns.yaml
index 5d2c9921..79c7599f 100644
--- a/environments/tls-endpoints-public-dns.yaml
+++ b/environments/tls-endpoints-public-dns.yaml
@@ -40,6 +40,9 @@ parameter_defaults:
ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
+ MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
+ MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
+ MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'}
NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
diff --git a/environments/tls-endpoints-public-ip.yaml b/environments/tls-endpoints-public-ip.yaml
index fb39ee5a..a49ca343 100644
--- a/environments/tls-endpoints-public-ip.yaml
+++ b/environments/tls-endpoints-public-ip.yaml
@@ -40,6 +40,9 @@ parameter_defaults:
ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
ManilaPublic: {protocol: 'https', port: '13786', host: 'IP_ADDRESS'}
+ MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
+ MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
+ MistralPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'}
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'}
NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
diff --git a/environments/tls-everywhere-endpoints-dns.yaml b/environments/tls-everywhere-endpoints-dns.yaml
index 88a108a6..c3fbaf49 100644
--- a/environments/tls-everywhere-endpoints-dns.yaml
+++ b/environments/tls-everywhere-endpoints-dns.yaml
@@ -8,6 +8,9 @@ parameter_defaults:
CeilometerAdmin: {protocol: 'https', port: '8777', host: 'CLOUDNAME'}
CeilometerInternal: {protocol: 'https', port: '8777', host: 'CLOUDNAME'}
CeilometerPublic: {protocol: 'https', port: '13777', host: 'CLOUDNAME'}
+ CephRgwAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
+ CephRgwInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
+ CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
@@ -34,6 +37,9 @@ parameter_defaults:
ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
+ MistralAdmin: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
+ MistralInternal: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
+ MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'}
NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
diff --git a/extraconfig/tasks/major_upgrade_block_storage.sh b/extraconfig/tasks/major_upgrade_block_storage.sh
index 07666245..39861826 100644
--- a/extraconfig/tasks/major_upgrade_block_storage.sh
+++ b/extraconfig/tasks/major_upgrade_block_storage.sh
@@ -4,5 +4,19 @@
#
set -eu
+# Special-case OVS for https://bugs.launchpad.net/tripleo/+bug/1635205
+if [[ -n $(rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep "systemctl.*try-restart") ]]; then
+ echo "Manual upgrade of openvswitch - restart in postun detected"
+ mkdir OVS_UPGRADE || true
+ pushd OVS_UPGRADE
+ echo "Attempting to downloading latest openvswitch with yumdownloader"
+ yumdownloader --resolve openvswitch
+ echo "Updating openvswitch with nopostun option"
+ rpm -U --replacepkgs --nopostun ./*.rpm
+ popd
+else
+ echo "Skipping manual upgrade of openvswitch - no restart in postun detected"
+fi
+
yum -y install python-zaqarclient # needed for os-collect-config
yum -y -q update
diff --git a/extraconfig/tasks/major_upgrade_ceph_storage.sh b/extraconfig/tasks/major_upgrade_ceph_storage.sh
index 56b54e22..d84cad45 100644
--- a/extraconfig/tasks/major_upgrade_ceph_storage.sh
+++ b/extraconfig/tasks/major_upgrade_ceph_storage.sh
@@ -49,6 +49,20 @@ timeout 60 bash -c "while kill -0 ${OSD_PIDS} 2> /dev/null; do
sleep 2;
done"
+# Special-case OVS for https://bugs.launchpad.net/tripleo/+bug/1635205
+if [[ -n $(rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep "systemctl.*try-restart") ]]; then
+ echo "Manual upgrade of openvswitch - restart in postun detected"
+ mkdir OVS_UPGRADE || true
+ pushd OVS_UPGRADE
+ echo "Attempting to downloading latest openvswitch with yumdownloader"
+ yumdownloader --resolve openvswitch
+ echo "Updating openvswitch with nopostun option"
+ rpm -U --replacepkgs --nopostun ./*.rpm
+ popd
+else
+ echo "Skipping manual upgrade of openvswitch - no restart in postun detected"
+fi
+
# Update (Ceph to Jewel)
yum -y install python-zaqarclient # needed for os-collect-config
yum -y update
diff --git a/extraconfig/tasks/major_upgrade_compute.sh b/extraconfig/tasks/major_upgrade_compute.sh
index a1df695f..f5105a1a 100644
--- a/extraconfig/tasks/major_upgrade_compute.sh
+++ b/extraconfig/tasks/major_upgrade_compute.sh
@@ -18,6 +18,20 @@ set -eu
crudini --set /etc/nova/nova.conf upgrade_levels compute $upgrade_level_nova_compute
+# Special-case OVS for https://bugs.launchpad.net/tripleo/+bug/1635205
+if [[ -n \$(rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep "systemctl.*try-restart") ]]; then
+ echo "Manual upgrade of openvswitch - restart in postun detected"
+ mkdir OVS_UPGRADE || true
+ pushd OVS_UPGRADE
+ echo "Attempting to downloading latest openvswitch with yumdownloader"
+ yumdownloader --resolve openvswitch
+ echo "Updating openvswitch with nopostun option"
+ rpm -U --replacepkgs --nopostun ./*.rpm
+ popd
+else
+ echo "Skipping manual upgrade of openvswitch - no restart in postun detected"
+fi
+
yum -y install python-zaqarclient # needed for os-collect-config
yum -y update
diff --git a/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh b/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh
index 23074fcb..fbdbc30b 100755
--- a/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh
+++ b/extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh
@@ -17,8 +17,10 @@ check_disk_for_mysql_dump
# nodes where a service fails to stop, which could be fatal during an upgrade
# procedure. So we remember the stonith state. If it was enabled we reenable it
# at the end of this script
-STONITH_STATE=$(pcs property show stonith-enabled | grep "stonith-enabled" | awk '{ print $2 }')
-pcs property set stonith-enabled=false
+if [[ -n $(is_bootstrap_node) ]]; then
+ STONITH_STATE=$(pcs property show stonith-enabled | grep "stonith-enabled" | awk '{ print $2 }')
+ pcs property set stonith-enabled=false
+fi
# Migrate to HA NG and fix up rabbitmq queues
# We fix up the rabbitmq ha queues after the migration because it will
@@ -120,6 +122,20 @@ if [ $DO_MYSQL_UPGRADE -eq 1 ]; then
mv /var/lib/mysql $MYSQL_TEMP_UPGRADE_BACKUP_DIR
fi
+# Special-case OVS for https://bugs.launchpad.net/tripleo/+bug/1635205
+if [[ -n $(rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep "systemctl.*try-restart") ]]; then
+ echo "Manual upgrade of openvswitch - restart in postun detected"
+ mkdir OVS_UPGRADE || true
+ pushd OVS_UPGRADE
+ echo "Attempting to downloading latest openvswitch with yumdownloader"
+ yumdownloader --resolve openvswitch
+ echo "Updating openvswitch with nopostun option"
+ rpm -U --replacepkgs --nopostun ./*.rpm
+ popd
+else
+ echo "Skipping manual upgrade of openvswitch - no restart in postun detected"
+fi
+
yum -y install python-zaqarclient # needed for os-collect-config
yum -y -q update
@@ -170,8 +186,10 @@ if [ $DO_MYSQL_UPGRADE -eq 1 ]; then
fi
# Let's reset the stonith back to true if it was true, before starting the cluster
-if [ $STONITH_STATE == "true" ]; then
- pcs -f /var/lib/pacemaker/cib/cib.xml property set stonith-enabled=true
+if [[ -n $(is_bootstrap_node) ]]; then
+ if [ $STONITH_STATE == "true" ]; then
+ pcs -f /var/lib/pacemaker/cib/cib.xml property set stonith-enabled=true
+ fi
fi
# Pin messages sent to compute nodes to kilo, these will be upgraded later
diff --git a/extraconfig/tasks/major_upgrade_object_storage.sh b/extraconfig/tasks/major_upgrade_object_storage.sh
index f82457ce..2667bb16 100644
--- a/extraconfig/tasks/major_upgrade_object_storage.sh
+++ b/extraconfig/tasks/major_upgrade_object_storage.sh
@@ -23,6 +23,19 @@ function systemctl_swift {
done
}
+# Special-case OVS for https://bugs.launchpad.net/tripleo/+bug/1635205
+if [[ -n \$(rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep "systemctl.*try-restart") ]]; then
+ echo "Manual upgrade of openvswitch - restart in postun detected"
+ mkdir OVS_UPGRADE || true
+ pushd OVS_UPGRADE
+ echo "Attempting to downloading latest openvswitch with yumdownloader"
+ yumdownloader --resolve openvswitch
+ echo "Updating openvswitch with nopostun option"
+ rpm -U --replacepkgs --nopostun ./*.rpm
+ popd
+else
+ echo "Skipping manual upgrade of openvswitch - no restart in postun detected"
+fi
systemctl_swift stop
diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh
index b045e5ea..c2d7d58d 100755
--- a/extraconfig/tasks/yum_update.sh
+++ b/extraconfig/tasks/yum_update.sh
@@ -44,6 +44,25 @@ fi
pacemaker_status=$(systemctl is-active pacemaker)
+# Fix the redis/rabbit resource start/stop timeouts. See https://bugs.launchpad.net/tripleo/+bug/1633455
+# and https://bugs.launchpad.net/tripleo/+bug/1634851
+if [[ "$pacemaker_status" == "active" && \
+ "$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid)" = "$(facter hostname)" ]] ; then
+ if pcs resource show rabbitmq | grep -E "start.*timeout=100"; then
+ pcs resource update rabbitmq op start timeout=200s
+ fi
+ if pcs resource show rabbitmq | grep -E "stop.*timeout=90"; then
+ pcs resource update rabbitmq op stop timeout=200s
+ fi
+ if pcs resource show redis | grep -E "start.*timeout=120"; then
+ pcs resource update redis op start timeout=200s
+ fi
+ if pcs resource show redis | grep -E "stop.*timeout=120"; then
+ pcs resource update redis op stop timeout=200s
+ fi
+fi
+
+
if [[ "$pacemaker_status" == "active" ]] ; then
echo "Pacemaker running, stopping cluster node and doing full package update"
node_count=$(pcs status xml | grep -o "<nodes_configured.*/>" | grep -o 'number="[0-9]*"' | grep -o "[0-9]*")
@@ -61,6 +80,20 @@ else
exit 0
fi
+# Special-case OVS for https://bugs.launchpad.net/tripleo/+bug/1635205
+if [[ -n $(rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep "systemctl.*try-restart") ]]; then
+ echo "Manual upgrade of openvswitch - restart in postun detected"
+ mkdir OVS_UPGRADE || true
+ pushd OVS_UPGRADE
+ echo "Attempting to downloading latest openvswitch with yumdownloader"
+ yumdownloader --resolve openvswitch
+ echo "Updating openvswitch with nopostun option"
+ rpm -U --replacepkgs --nopostun ./*.rpm
+ popd
+else
+ echo "Skipping manual upgrade of openvswitch - no restart in postun detected"
+fi
+
command=${command:-update}
full_command="yum -q -y $command $command_arguments"
echo "Running: $full_command"
diff --git a/network/endpoints/endpoint_data.yaml b/network/endpoints/endpoint_data.yaml
index bfbd759d..1df3b665 100644
--- a/network/endpoints/endpoint_data.yaml
+++ b/network/endpoints/endpoint_data.yaml
@@ -157,6 +157,21 @@ Manila:
V1: /v1/%(tenant_id)s
port: 8786
+Mistral:
+ Internal:
+ net_param: MistralApi
+ uri_suffixes:
+ '': /v2
+ Public:
+ net_param: Public
+ uri_suffixes:
+ '': /v2
+ Admin:
+ net_param: MistralApi
+ uri_suffixes:
+ '': /v2
+ port: 8989
+
Neutron:
Internal:
net_param: NeutronApi
diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml
index b2746471..43fb20cc 100644
--- a/network/endpoints/endpoint_map.yaml
+++ b/network/endpoints/endpoint_map.yaml
@@ -57,6 +57,9 @@ parameters:
ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS}
ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS}
ManilaPublic: {protocol: http, port: '8786', host: IP_ADDRESS}
+ MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS}
+ MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS}
+ MistralPublic: {protocol: http, port: '8989', host: IP_ADDRESS}
MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS}
NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS}
NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS}
@@ -4249,6 +4252,252 @@ outputs:
template: NETWORK_uri
- ':'
- get_param: [EndpointMap, ManilaPublic, port]
+ MistralAdmin:
+ host:
+ str_replace:
+ template:
+ get_param: [EndpointMap, MistralAdmin, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - str_replace:
+ params:
+ NETWORK:
+ get_param: [ServiceNetMap, MistralApiNetwork]
+ template: NETWORK_uri
+ host_nobrackets:
+ str_replace:
+ template:
+ get_param: [EndpointMap, MistralAdmin, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ port:
+ get_param: [EndpointMap, MistralAdmin, port]
+ protocol:
+ get_param: [EndpointMap, MistralAdmin, protocol]
+ uri:
+ list_join:
+ - ''
+ - - get_param: [EndpointMap, MistralAdmin, protocol]
+ - ://
+ - str_replace:
+ template:
+ get_param: [EndpointMap, MistralAdmin, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - str_replace:
+ params:
+ NETWORK:
+ get_param: [ServiceNetMap, MistralApiNetwork]
+ template: NETWORK_uri
+ - ':'
+ - get_param: [EndpointMap, MistralAdmin, port]
+ - /v2
+ uri_no_suffix:
+ list_join:
+ - ''
+ - - get_param: [EndpointMap, MistralAdmin, protocol]
+ - ://
+ - str_replace:
+ template:
+ get_param: [EndpointMap, MistralAdmin, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - str_replace:
+ params:
+ NETWORK:
+ get_param: [ServiceNetMap, MistralApiNetwork]
+ template: NETWORK_uri
+ - ':'
+ - get_param: [EndpointMap, MistralAdmin, port]
+ MistralInternal:
+ host:
+ str_replace:
+ template:
+ get_param: [EndpointMap, MistralInternal, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - str_replace:
+ params:
+ NETWORK:
+ get_param: [ServiceNetMap, MistralApiNetwork]
+ template: NETWORK_uri
+ host_nobrackets:
+ str_replace:
+ template:
+ get_param: [EndpointMap, MistralInternal, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ port:
+ get_param: [EndpointMap, MistralInternal, port]
+ protocol:
+ get_param: [EndpointMap, MistralInternal, protocol]
+ uri:
+ list_join:
+ - ''
+ - - get_param: [EndpointMap, MistralInternal, protocol]
+ - ://
+ - str_replace:
+ template:
+ get_param: [EndpointMap, MistralInternal, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - str_replace:
+ params:
+ NETWORK:
+ get_param: [ServiceNetMap, MistralApiNetwork]
+ template: NETWORK_uri
+ - ':'
+ - get_param: [EndpointMap, MistralInternal, port]
+ - /v2
+ uri_no_suffix:
+ list_join:
+ - ''
+ - - get_param: [EndpointMap, MistralInternal, protocol]
+ - ://
+ - str_replace:
+ template:
+ get_param: [EndpointMap, MistralInternal, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, MistralApiNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - str_replace:
+ params:
+ NETWORK:
+ get_param: [ServiceNetMap, MistralApiNetwork]
+ template: NETWORK_uri
+ - ':'
+ - get_param: [EndpointMap, MistralInternal, port]
+ MistralPublic:
+ host:
+ str_replace:
+ template:
+ get_param: [EndpointMap, MistralPublic, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, PublicNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - str_replace:
+ params:
+ NETWORK:
+ get_param: [ServiceNetMap, PublicNetwork]
+ template: NETWORK_uri
+ host_nobrackets:
+ str_replace:
+ template:
+ get_param: [EndpointMap, MistralPublic, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, PublicNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - get_param: [ServiceNetMap, PublicNetwork]
+ port:
+ get_param: [EndpointMap, MistralPublic, port]
+ protocol:
+ get_param: [EndpointMap, MistralPublic, protocol]
+ uri:
+ list_join:
+ - ''
+ - - get_param: [EndpointMap, MistralPublic, protocol]
+ - ://
+ - str_replace:
+ template:
+ get_param: [EndpointMap, MistralPublic, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, PublicNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - str_replace:
+ params:
+ NETWORK:
+ get_param: [ServiceNetMap, PublicNetwork]
+ template: NETWORK_uri
+ - ':'
+ - get_param: [EndpointMap, MistralPublic, port]
+ - /v2
+ uri_no_suffix:
+ list_join:
+ - ''
+ - - get_param: [EndpointMap, MistralPublic, protocol]
+ - ://
+ - str_replace:
+ template:
+ get_param: [EndpointMap, MistralPublic, host]
+ params:
+ CLOUDNAME:
+ get_param:
+ - CloudEndpoints
+ - get_param: [ServiceNetMap, PublicNetwork]
+ IP_ADDRESS:
+ get_param:
+ - NetIpMap
+ - str_replace:
+ params:
+ NETWORK:
+ get_param: [ServiceNetMap, PublicNetwork]
+ template: NETWORK_uri
+ - ':'
+ - get_param: [EndpointMap, MistralPublic, port]
MysqlInternal:
host:
str_replace:
diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml
index f93056ae..61c97f13 100644
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@@ -57,6 +57,7 @@ parameters:
CephRgwNetwork: storage
PublicNetwork: external
OpendaylightApiNetwork: internal_api
+ MistralApiNetwork: internal_api
# We special-case the default ResolveNetwork for the CephStorage role
# for backwards compatibility, all other roles default to internal_api
CephStorageHostnameResolveNetwork: storage
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 79b2ab16..980a7189 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -99,6 +99,7 @@ resource_registry:
# services
OS::TripleO::Services: puppet/services/services.yaml
OS::TripleO::Services::Apache: puppet/services/apache.yaml
+ OS::TripleO::Services::ApacheTLS: OS::Heat::None
OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
OS::TripleO::Services::CephMon: OS::Heat::None
OS::TripleO::Services::CephRgw: OS::Heat::None
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index b7d441a4..3e4dae8c 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -580,6 +580,9 @@ outputs:
GnocchiInternalVip:
description: VIP for Gnocchi API internal endpoint
value: {get_attr: [VipMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, GnocchiApiNetwork]}]}
+ MistralInternalVip:
+ description: VIP for Mistral API internal endpoint
+ value: {get_attr: [VipMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, MistralApiNetwork]}]}
HeatInternalVip:
description: VIP for Heat API internal endpoint
value: {get_attr: [VipMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, HeatApiNetwork]}]}
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index da043c80..48cc4af6 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -26,6 +26,9 @@ parameters:
description: Combination alarms are deprecated in Newton, hence disabled
by default. To enable, set this parameter to true.
type: boolean
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
AodhBase:
@@ -41,6 +44,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
@@ -52,7 +56,7 @@ outputs:
map_merge:
- get_attr: [AodhBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- - aodh::wsgi::apache::ssl: false
+ - aodh::wsgi::apache::ssl: {get_param: EnableInternalTLS}
aodh::wsgi::apache::servername:
str_replace:
template:
@@ -66,13 +70,18 @@ outputs:
dport:
- 8042
- 13042
+ aodh::api::host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]}
# NOTE: bind IP is found in Heat replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- aodh::api::host: {get_param: [ServiceNetMap, AodhApiNetwork]}
aodh::wsgi::apache::bind_host: {get_param: [ServiceNetMap, AodhApiNetwork]}
tripleo::profile::base::aodh::api::enable_combination_alarms: {get_param: EnableCombinationAlarms}
service_config_settings:
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..87e53f13
--- /dev/null
+++ b/puppet/services/apache-internal-tls-certmonger.yaml
@@ -0,0 +1,50 @@
+heat_template_version: 2016-10-14
+
+description: >
+ Apache service TLS configurations.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ # The following parameters are not needed by the template but are
+ # required to pass the pep8 tests
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: Role data for the Apache role.
+ value:
+ service_name: apache_internal_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ apache_certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ httpd-NETWORK:
+ service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+ hostname: "%{::fqdn_NETWORK}"
+ principal: "HTTP/%{::fqdn_NETWORK}"
+ for_each:
+ NETWORK:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # network will be handled in another template.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index c9792019..382e0ff9 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -27,6 +27,17 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+
+resources:
+
+ ApacheTLS:
+ type: OS::TripleO::Services::ApacheTLS
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
outputs:
role_data:
@@ -34,19 +45,22 @@ outputs:
value:
service_name: apache
config_settings:
- # for the given network; replacement examples (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
- apache::server_signature: 'Off'
- apache::server_tokens: 'Prod'
- apache_remote_proxy_ips_network:
- str_replace:
- template: "NETWORK_subnet"
- params:
- NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
- apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
- apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
- apache::mod::remoteip::proxy_ips:
- - "%{hiera('apache_remote_proxy_ips_network')}"
+ map_merge:
+ - get_attr: [ApacheTLS, role_data, config_settings]
+ -
+ # for the given network; replacement examples (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
+ apache::server_signature: 'Off'
+ apache::server_tokens: 'Prod'
+ apache_remote_proxy_ips_network:
+ str_replace:
+ template: "NETWORK_subnet"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
+ apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
+ apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
+ apache::mod::remoteip::proxy_ips:
+ - "%{hiera('apache_remote_proxy_ips_network')}"
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index 27c32bfd..97b255a9 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -26,7 +26,9 @@ parameters:
default:
tag: openstack.ceilometer.api
path: /var/log/ceilometer/api.log
-
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
CeilometerServiceBase:
@@ -42,6 +44,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
@@ -69,9 +72,14 @@ outputs:
# internal_api_subnet - > IP/CIDR
- ceilometer::api::service_name: 'httpd'
ceilometer::api::enable_proxy_headers_parsing: true
- ceilometer::api::host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
+ ceilometer::api::host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
- ceilometer::wsgi::apache::ssl: false
+ ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS}
ceilometer::wsgi::apache::servername:
str_replace:
template:
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 9c96acc4..fe48667a 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Cinder API service configured with Puppet
@@ -39,9 +39,23 @@ parameters:
default:
tag: openstack.cinder.api
path: /var/log/cinder/cinder-api.log
+ CinderWorkers:
+ type: string
+ description: Set the number of workers for cinder::wsgi::apache
+ default: '"%{::os_workers}"'
+
+conditions:
+ cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
resources:
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
CinderBase:
type: ./cinder-base.yaml
properties:
@@ -61,6 +75,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
- cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
cinder::keystone::authtoken::password: {get_param: CinderPassword}
@@ -85,6 +100,20 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
cinder::api::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
+ cinder::api::service_name: 'httpd'
+ cinder::wsgi::apache::ssl: false
+ cinder::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
+ cinder::wsgi::apache::servername:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ -
+ if:
+ - cinder_workers_zero
+ - {}
+ - cinder::wsgi::apache::workers: {get_param: CinderWorkers}
step_config: |
include ::tripleo::profile::base::cinder::api
service_config_settings:
diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml
index 3294fc0f..cc979af9 100644
--- a/puppet/services/glance-base.yaml
+++ b/puppet/services/glance-base.yaml
@@ -44,6 +44,21 @@ parameters:
type: string
constraints:
- allowed_values: ['swift', 'file', 'rbd']
+ GlanceNfsEnabled:
+ default: false
+ description: >
+ When using GlanceBackend 'file', mount NFS share for image storage.
+ type: boolean
+ GlanceNfsShare:
+ default: ''
+ description: >
+ NFS share to mount for image storage (when GlanceNfsEnabled is true)
+ type: string
+ GlanceNfsOptions:
+ default: 'intr,context=system_u:object_r:glance_var_lib_t:s0'
+ description: >
+ NFS mount options for image storage (when GlanceNfsEnabled is true)
+ type: string
GlanceRbdPoolName:
default: images
type: string
@@ -92,6 +107,9 @@ outputs:
glance::notify::rabbitmq::notification_driver: messagingv2
glance::registry::db::database_db_max_retries: -1
glance::registry::db::database_max_retries: -1
+ tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled}
+ tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare}
+ tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions}
service_config_settings:
keystone:
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 6ea5ec4e..1e08415c 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -24,7 +24,8 @@ parameters:
type: json
HorizonAllowedHosts:
default: '*'
- description: A list of IP/Hostname allowed to connect to horizon
+ description: A list of IP/Hostname for the server Horizonis running on.
+ Used for header checks.
type: comma_delimited_list
HorizonSecret:
description: Secret key for Django
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index e3531636..1f83b680 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -83,7 +83,7 @@ parameters:
KeystoneWorkers:
type: string
description: Set the number of workers for keystone::wsgi::apache
- default: '"%{::processorcount}"'
+ default: '"%{::os_workers}"'
MonitoringSubscriptionKeystone:
default: 'overcloud-kestone'
type: string
@@ -98,6 +98,9 @@ parameters:
default:
tag: openstack.keystone
path: /var/log/keystone/keystone.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
@@ -107,6 +110,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
@@ -130,6 +134,7 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/keystone'
keystone::admin_token: {get_param: AdminToken}
+ keystone::admin_password: {get_param: AdminPassword}
keystone::roles::admin::password: {get_param: AdminPassword}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
@@ -163,7 +168,8 @@ outputs:
ec2/driver:
value: 'keystone.contrib.ec2.backends.sql.Ec2'
keystone::service_name: 'httpd'
- keystone::wsgi::apache::ssl: false
+ keystone::enable_ssl: {get_param: EnableInternalTLS}
+ keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::servername:
str_replace:
template:
@@ -188,15 +194,25 @@ outputs:
- 13000
- 35357
- 13357
+ keystone::admin_bind_host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+ keystone::public_bind_host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
# NOTE: bind IP is found in Heat replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- # NOTE: this applies to all 4 bind IP settings below...
- keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
- keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+ # NOTE: this applies to all 2 bind IP settings below...
keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
step_config: |
diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml
new file mode 100644
index 00000000..44d30358
--- /dev/null
+++ b/puppet/services/mistral-api.yaml
@@ -0,0 +1,52 @@
+heat_template_version: 2016-04-08
+
+description: >
+ Openstack Mistral API service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ MistralWorkers:
+ default: 1
+ description: The number of workers for the mistral-api.
+ type: number
+
+resources:
+ MistralBase:
+ type: ./mistral-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Mistral API role.
+ value:
+ service_name: mistral_api
+ config_settings:
+ map_merge:
+ - get_attr: [MistralBase, role_data, config_settings]
+ - mistral::api::api_workers: {get_param: MistralWorkers}
+ mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]}
+ tripleo.mistral_api.firewall_rules:
+ '133 mistral':
+ dport:
+ - 8989
+ - 13989
+ service_config_settings:
+ get_attr: [MistralBase, role_data, service_config_settings]
+ step_config: |
+ include ::tripleo::profile::base::mistral::api
diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml
new file mode 100644
index 00000000..a11624c0
--- /dev/null
+++ b/puppet/services/mistral-base.yaml
@@ -0,0 +1,93 @@
+heat_template_version: 2016-04-08
+
+description: >
+ Openstack Mistral base service. Shared for all Mistral services.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+ Debug:
+ default: ''
+ description: Set to True to enable debugging on all services.
+ type: string
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
+ RabbitClientUseSSL:
+ default: false
+ description: >
+ Rabbit client subscriber parameter to specify
+ an SSL connection to the RabbitMQ host.
+ type: string
+ RabbitClientPort:
+ default: 5672
+ description: Set rabbit subscriber port, change this if using SSL
+ type: number
+ MistralPassword:
+ description: The password for the Mistral service and db account, used by the Mistral services.
+ type: string
+ hidden: true
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+
+outputs:
+ role_data:
+ description: Shared role data for the Mistral services.
+ value:
+ service_name: mistral_base
+ config_settings:
+ mistral::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://mistral:'
+ - {get_param: MistralPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/mistral'
+ mistral::rabbit_userid: {get_param: RabbitUserName}
+ mistral::rabbit_password: {get_param: RabbitPassword}
+ mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ mistral::rabbit_port: {get_param: RabbitClientPort}
+ mistral::debug: {get_param: Debug}
+ mistral::keystone_password: {get_param: MistralPassword}
+ mistral::keystone_tenant: 'service'
+ mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]}
+ mistral::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+ service_config_settings:
+ keystone:
+ mistral::keystone::auth::tenant: 'service'
+ mistral::keystone::auth::public_url: {get_param: [EndpointMap, MistralPublic, uri]}
+ mistral::keystone::auth::internal_url: {get_param: [EndpointMap, MistralInternal, uri]}
+ mistral::keystone::auth::admin_url: {get_param: [EndpointMap, MistralAdmin, uri]}
+ mistral::keystone::auth::password: {get_param: MistralPassword}
+ mistral::keystone::auth::region: {get_param: KeystoneRegion}
+ mysql:
+ mistral::db::mysql::user: mistral
+ mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ mistral::db::mysql::dbname: mistral
+ mistral::db::mysql::password: {get_param: MistralPassword}
+ mistral::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/mistral-engine.yaml b/puppet/services/mistral-engine.yaml
new file mode 100644
index 00000000..10af670d
--- /dev/null
+++ b/puppet/services/mistral-engine.yaml
@@ -0,0 +1,38 @@
+heat_template_version: 2016-04-08
+
+description: >
+ Openstack Mistral Engine service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+resources:
+ MistralBase:
+ type: ./mistral-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Mistral Engine role.
+ value:
+ service_name: mistral_engine
+ config_settings:
+ get_attr: [MistralBase, role_data, config_settings]
+ step_config: |
+ include ::tripleo::profile::base::mistral::engine
diff --git a/puppet/services/mistral-executor.yaml b/puppet/services/mistral-executor.yaml
new file mode 100644
index 00000000..7afaf0db
--- /dev/null
+++ b/puppet/services/mistral-executor.yaml
@@ -0,0 +1,38 @@
+heat_template_version: 2016-04-08
+
+description: >
+ Openstack Mistral API service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+resources:
+ MistralBase:
+ type: ./mistral-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Mistral Executor role.
+ value:
+ service_name: mistral_executor
+ config_settings:
+ get_attr: [MistralBase, role_data, config_settings]
+ step_config: |
+ include ::tripleo::profile::base::mistral::executor
diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml
index 3f37e750..a26c7458 100644
--- a/puppet/services/monitoring/sensu-client.yaml
+++ b/puppet/services/monitoring/sensu-client.yaml
@@ -18,6 +18,13 @@ parameters:
Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ AdminPassword:
+ description: Keystone admin user password
+ type: string
+ KeystoneRegion:
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ type: string
SensuClientCustomConfig:
default: {}
description: Hash containing custom sensu-client variables.
@@ -44,6 +51,14 @@ outputs:
- sensu::api: false
sensu::client: true
sensu::server: false
- sensu::client_custom: {get_param: SensuClientCustomConfig}
+ sensu::client_custom:
+ map_merge:
+ - {get_param: SensuClientCustomConfig}
+ - openstack:
+ username: 'admin'
+ password: {get_param: AdminPassword}
+ auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ tenant_name: 'admin'
+ region: {get_param: KeystoneRegion}
step_config: |
include ::tripleo::profile::base::monitoring::sensu
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index ba7fb2e1..bf479437 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -118,7 +118,6 @@ outputs:
'"%{::fqdn_$NETWORK}"'
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]}
nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index b5ca2437..31732580 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -50,6 +50,10 @@ outputs:
tripleo::profile::base::nova::libvirt_enabled: true
nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
+ tripleo.nova_libvirt.firewall_rules:
+ '200 nova_libvirt':
+ dport:
+ - 16509
step_config: |
include tripleo::profile::base::nova::libvirt
diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml
index 30351dfb..318c898e 100644
--- a/puppet/services/opendaylight-api.yaml
+++ b/puppet/services/opendaylight-api.yaml
@@ -8,10 +8,6 @@ parameters:
default: 8081
description: Set opendaylight service port
type: number
- EnableOpenDaylightOnController:
- default: false
- description: Whether to install OpenDaylight on control nodes.
- type: boolean
OpenDaylightUsername:
default: 'admin'
description: The username for the opendaylight server.
@@ -58,7 +54,6 @@ outputs:
service_name: opendaylight_api
config_settings:
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
- odl_on_controller: {get_param: EnableOpenDaylightOnController}
opendaylight::username: {get_param: OpenDaylightUsername}
opendaylight::password: {get_param: OpenDaylightPassword}
opendaylight::enable_l3: {get_param: OpenDaylightEnableL3}
diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml
index ea7410ca..268ca244 100644
--- a/puppet/services/opendaylight-ovs.yaml
+++ b/puppet/services/opendaylight-ovs.yaml
@@ -48,6 +48,7 @@ outputs:
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
+ neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
neutron::plugins::ovs::opendaylight::provider_mappings:
str_replace:
template: MAPPINGS
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 5387529d..44a09a42 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -71,6 +71,7 @@ outputs:
rabbitmq::port: '5672'
rabbitmq::package_source: undef
rabbitmq::repos_ensure: false
+ rabbitmq::tcp_keepalive: true
rabbitmq_environment:
RABBITMQ_NODENAME: "rabbit@%{::hostname}"
RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"'
@@ -78,7 +79,6 @@ outputs:
inet_dist_listen_min: '25672'
inet_dist_listen_max: '25672'
rabbitmq_config_variables:
- tcp_listen_options: '[binary, {packet, raw}, {reuseaddr, true}, {backlog, 128}, {nodelay, true}, {exit_on_close, false}, {keepalive, true}]'
cluster_partition_handling: 'pause_minority'
queue_master_locator: '<<"min-masters">>'
loopback_users: '[]'
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index ed0d12cf..35e21181 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -41,6 +41,14 @@ parameters:
MonitoringSubscriptionSwiftProxy:
default: 'overcloud-swift-proxy'
type: string
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
resources:
SwiftBase:
@@ -66,6 +74,9 @@ outputs:
swift::proxy::authtoken::project_name: 'service'
swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
swift::proxy::workers: {get_param: SwiftWorkers}
+ swift::proxy::ceilometer::rabbit_host: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName}
+ swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
tripleo.swift_proxy.firewall_rules:
'122 swift proxy':
dport:
@@ -89,6 +100,7 @@ outputs:
- 'keystone'
- 'staticweb'
- 'versioned_writes'
+ - 'ceilometer'
- 'proxy-logging'
- 'proxy-server'
swift::proxy::account_autocreate: true
diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml
index 7fbb8d90..cffe78f5 100644
--- a/puppet/services/swift-storage.yaml
+++ b/puppet/services/swift-storage.yaml
@@ -86,7 +86,7 @@ outputs:
swift::storage::all::account_pipeline:
- healthcheck
- account-server
- swift::storage::disks: {get_param: SwiftRawDisks}
+ swift::storage::disks::args: {get_param: SwiftRawDisks}
swift::storage::all::storage_local_net_ip: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
step_config: |
include ::tripleo::profile::base::swift::storage