summaryrefslogtreecommitdiffstats
path: root/puppet/services
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/services')
-rw-r--r--puppet/services/aodh-api.yaml6
-rw-r--r--puppet/services/barbican-api.yaml19
-rw-r--r--puppet/services/ceilometer-base.yaml7
-rw-r--r--puppet/services/ceph-external.yaml8
-rw-r--r--puppet/services/ceph-rgw.yaml12
-rw-r--r--puppet/services/cinder-api.yaml17
-rw-r--r--puppet/services/haproxy.yaml12
-rw-r--r--puppet/services/heat-api-cfn.yaml14
-rw-r--r--puppet/services/heat-api.yaml14
-rw-r--r--puppet/services/heat-base.yaml5
-rw-r--r--puppet/services/heat-engine.yaml2
-rw-r--r--puppet/services/horizon.yaml70
-rw-r--r--puppet/services/keepalived.yaml14
-rw-r--r--puppet/services/keystone.yaml26
-rw-r--r--puppet/services/manila-api.yaml5
-rw-r--r--puppet/services/monitoring/sensu-base.yaml17
-rw-r--r--puppet/services/neutron-api.yaml38
-rw-r--r--puppet/services/neutron-base.yaml7
-rw-r--r--puppet/services/neutron-l3.yaml22
-rw-r--r--puppet/services/nova-base.yaml94
-rw-r--r--puppet/services/opendaylight-api.yaml2
-rw-r--r--puppet/services/opendaylight-ovs.yaml6
-rw-r--r--puppet/services/pacemaker/haproxy.yaml2
-rw-r--r--puppet/services/panko-api.yaml84
-rw-r--r--puppet/services/panko-base.yaml74
-rw-r--r--puppet/services/services.yaml21
-rw-r--r--puppet/services/swift-proxy.yaml1
27 files changed, 414 insertions, 185 deletions
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index 48cc4af6..daed1665 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -21,11 +21,6 @@ parameters:
MonitoringSubscriptionAodhApi:
default: 'overcloud-ceilometer-aodh-api'
type: string
- EnableCombinationAlarms:
- default: false
- description: Combination alarms are deprecated in Newton, hence disabled
- by default. To enable, set this parameter to true.
- type: boolean
EnableInternalTLS:
type: boolean
default: false
@@ -83,7 +78,6 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
aodh::wsgi::apache::bind_host: {get_param: [ServiceNetMap, AodhApiNetwork]}
- tripleo::profile::base::aodh::api::enable_combination_alarms: {get_param: EnableCombinationAlarms}
service_config_settings:
get_attr: [AodhBase, role_data, service_config_settings]
step_config: |
diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml
index cf57680c..b266674f 100644
--- a/puppet/services/barbican-api.yaml
+++ b/puppet/services/barbican-api.yaml
@@ -52,6 +52,9 @@ parameters:
default: guest
description: The username for RabbitMQ
type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
@@ -85,7 +88,7 @@ outputs:
barbican::api::rabbit_heartbeat_timeout_threshold: 60
barbican::api::service_name: 'httpd'
barbican::wsgi::apache::bind_host: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
- barbican::wsgi::apache::ssl: false
+ barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
barbican::wsgi::apache::servername:
str_replace:
@@ -125,3 +128,17 @@ outputs:
barbican::keystone::auth::password: {get_param: BarbicanPassword}
barbican::keystone::auth::region: {get_param: KeystoneRegion}
barbican::keystone::auth::tenant: 'service'
+ nova_compute:
+ nova::compute::keymgr_api_class: >
+ castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+ nova::compute::barbican_endpoint:
+ get_param: [EndpointMap, BarbicanInternal, uri]
+ nova::compute::barbican_auth_endpoint:
+ get_param: [EndpointMap, KeystoneV3Internal, uri]
+ cinder_api:
+ cinder::api::keymgr_api_class: >
+ castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+ cinder::api::keymgr_encryption_api_url:
+ get_param: [EndpointMap, BarbicanInternal, uri]
+ cinder::api::keymgr_encryption_auth_url:
+ get_param: [EndpointMap, KeystoneV3Internal, uri]
diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml
index 4ace7526..ded1bc03 100644
--- a/puppet/services/ceilometer-base.yaml
+++ b/puppet/services/ceilometer-base.yaml
@@ -36,6 +36,12 @@ parameters:
type: string
constraints:
- allowed_values: ['gnocchi', 'database']
+ CeilometerEventDispatcher:
+ default: ['gnocchi']
+ description: Comma-separated list of Dispatchers to process events data
+ type: comma_delimited_list
+ constraints:
+ - allowed_values: ['panko', 'gnocchi', 'database']
CeilometerWorkers:
default: 0
description: Number of workers for Ceilometer service.
@@ -102,6 +108,7 @@ outputs:
ceilometer::agent::auth::auth_tenant_name: 'service'
ceilometer::agent::auth::auth_endpoint_type: 'internalURL'
ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher}
+ ceilometer::collector::event_dispatcher: {get_param: CeilometerEventDispatcher}
ceilometer::dispatcher::gnocchi::url: {get_param: [EndpointMap, GnocchiInternal, uri]}
ceilometer::dispatcher::gnocchi::filter_project: 'service'
ceilometer::dispatcher::gnocchi::archive_policy: 'low'
diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml
index 9120687b..b708665f 100644
--- a/puppet/services/ceph-external.yaml
+++ b/puppet/services/ceph-external.yaml
@@ -99,6 +99,14 @@ outputs:
CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName}
GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
+ ceph::profile::params::manage_repo: false
+ # FIXME(gfidente): we should not have to list the packages explicitly in
+ # the templates, but this should stay until the following is fixed:
+ # https://bugs.launchpad.net/puppet-ceph/+bug/1629933
+ ceph::params::packages:
+ - ceph-base
+ - ceph-mon
+ - ceph-osd
service_config_settings:
glance_api:
glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml
index 18a4b780..89c1a5ee 100644
--- a/puppet/services/ceph-rgw.yaml
+++ b/puppet/services/ceph-rgw.yaml
@@ -55,15 +55,9 @@ outputs:
- tripleo::profile::base::ceph::rgw::rgw_key: {get_param: CephRgwKey}
tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken}
tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
- ceph::profile::params::frontend_type: 'civetweb'
- ceph_rgw_civetweb_bind_address: {get_param: [ServiceNetMap, CephRgwNetwork]}
- ceph::profile::params::rgw_frontends:
- list_join:
- - ''
- - - 'civetweb port='
- - '%{hiera("ceph_rgw_civetweb_bind_address")}'
- - ':'
- - {get_param: [EndpointMap, CephRgwInternal, port]}
+ tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]}
+ tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]}
+ ceph::params::user_radosgw: ceph
tripleo.ceph_rgw.firewall_rules:
'122 ceph rgw':
dport: {get_param: [EndpointMap, CephRgwInternal, port]}
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index fe48667a..803d8b83 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -43,6 +43,9 @@ parameters:
type: string
description: Set the number of workers for cinder::wsgi::apache
default: '"%{::os_workers}"'
+ EnableInternalTLS:
+ type: boolean
+ default: false
conditions:
cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
@@ -55,6 +58,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
CinderBase:
type: ./cinder-base.yaml
@@ -94,21 +98,26 @@ outputs:
dport:
- 8776
- 13776
+ cinder::api::bind_host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
+ cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
+ cinder::api::service_name: 'httpd'
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- cinder::api::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
- cinder::api::service_name: 'httpd'
- cinder::wsgi::apache::ssl: false
cinder::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::servername:
str_replace:
template:
'"%{::fqdn_$NETWORK}"'
params:
- $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
-
if:
- cinder_workers_zero
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 0813cb7e..c8edade5 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -34,16 +34,6 @@ parameters:
description: The password for Redis
type: string
hidden: true
- ControlVirtualInterface:
- default: 'br-ex'
- description: Interface where virtual ip will be assigned.
- type: string
- PublicVirtualInterface:
- default: 'br-ex'
- description: >
- Specifies the interface where the public-facing virtual ip will be assigned.
- This should be int_public when a VLAN is being used.
- type: string
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
@@ -81,8 +71,6 @@ outputs:
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
- tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface}
- tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml
index 1a86ec71..12d4a6a1 100644
--- a/puppet/services/heat-api-cfn.yaml
+++ b/puppet/services/heat-api-cfn.yaml
@@ -76,9 +76,11 @@ outputs:
include ::tripleo::profile::base::heat::api_cfn
service_config_settings:
keystone:
- heat::keystone::auth_cfn::tenant: 'service'
- heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]}
- heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]}
- heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
- heat::keystone::auth_cfn::password: {get_param: HeatPassword}
- heat::keystone::auth_cfn::region: {get_param: KeystoneRegion}
+ map_merge:
+ - get_attr: [HeatBase, role_data, service_config_settings, keystone]
+ - heat::keystone::auth_cfn::tenant: 'service'
+ heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]}
+ heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]}
+ heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
+ heat::keystone::auth_cfn::password: {get_param: HeatPassword}
+ heat::keystone::auth_cfn::region: {get_param: KeystoneRegion}
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
index 2ea96fc0..b0cd16dd 100644
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@@ -76,9 +76,11 @@ outputs:
include ::tripleo::profile::base::heat::api
service_config_settings:
keystone:
- heat::keystone::auth::tenant: 'service'
- heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]}
- heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]}
- heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
- heat::keystone::auth::password: {get_param: HeatPassword}
- heat::keystone::auth::region: {get_param: KeystoneRegion}
+ map_merge:
+ - get_attr: [HeatBase, role_data, service_config_settings, keystone]
+ - heat::keystone::auth::tenant: 'service'
+ heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]}
+ heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]}
+ heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
+ heat::keystone::auth::password: {get_param: HeatPassword}
+ heat::keystone::auth::region: {get_param: KeystoneRegion}
diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml
index 7eb58f56..a2a65d7d 100644
--- a/puppet/services/heat-base.yaml
+++ b/puppet/services/heat-base.yaml
@@ -77,3 +77,8 @@ outputs:
heat::cron::purge_deleted::destination: '/dev/null'
heat::db::database_db_max_retries: -1
heat::db::database_max_retries: -1
+ service_config_settings:
+ keystone:
+ tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'
+ tripleo::profile::base::keystone::heat_admin_user: 'heat_stack_domain_admin'
+ tripleo::profile::base::keystone::heat_admin_email: 'heat_stack_domain_admin@localhost'
diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml
index 20415eef..3f0e4105 100644
--- a/puppet/services/heat-engine.yaml
+++ b/puppet/services/heat-engine.yaml
@@ -105,4 +105,4 @@ outputs:
- "%{hiera('mysql_bind_host')}"
keystone:
# This is needed because the keystone profile handles creating the domain
- heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword}
+ tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword}
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 1e08415c..8eaf4044 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -24,7 +24,7 @@ parameters:
type: json
HorizonAllowedHosts:
default: '*'
- description: A list of IP/Hostname for the server Horizonis running on.
+ description: A list of IP/Hostname for the server Horizon is running on.
Used for header checks.
type: comma_delimited_list
HorizonSecret:
@@ -32,11 +32,6 @@ parameters:
type: string
hidden: true
default: ''
- NeutronMechanismDrivers:
- default: 'openvswitch'
- description: |
- The mechanism drivers for the Neutron tenant network.
- type: comma_delimited_list
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
@@ -45,6 +40,10 @@ parameters:
default: 'overcloud-horizon'
type: string
+conditions:
+
+ debug_empty: {equals : [{get_param: Debug}, '']}
+
outputs:
role_data:
description: Role data for the Horizon role.
@@ -52,33 +51,36 @@ outputs:
service_name: horizon
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
- neutron::plugins::ml2::mechanism_drivers:
- str_replace:
- template: MECHANISMS
- params:
- MECHANISMS: {get_param: NeutronMechanismDrivers}
- tripleo.horizon.firewall_rules:
- '126 horizon':
- dport:
- - 80
- - 443
- horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
- horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
- horizon::vhost_extra_params:
- add_listen: false
- priority: 10
- access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
- horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
- horizon::django_debug: {get_param: Debug}
- horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
- horizon::secret_key:
- yaql:
- expression: $.data.passwords.where($ != '').first()
- data:
- passwords:
- - {get_param: HorizonSecret}
- - {get_param: [DefaultPasswords, horizon_secret]}
- memcached_ipv6: {get_param: MemcachedIPv6}
+ map_merge:
+ - horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
+ tripleo.horizon.firewall_rules:
+ '126 horizon':
+ dport:
+ - 80
+ - 443
+ horizon::disable_password_reveal: true
+ horizon::enforce_password_check: true
+ horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
+ horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
+ horizon::vhost_extra_params:
+ add_listen: false
+ priority: 10
+ access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
+ options: ['FollowSymLinks','MultiViews']
+ horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
+ horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ horizon::secret_key:
+ yaql:
+ expression: $.data.passwords.where($ != '').first()
+ data:
+ passwords:
+ - {get_param: HorizonSecret}
+ - {get_param: [DefaultPasswords, horizon_secret]}
+ memcached_ipv6: {get_param: MemcachedIPv6}
+ -
+ if:
+ - debug_empty
+ - {}
+ - horizon::django_debug: {get_param: Debug}
step_config: |
include ::tripleo::profile::base::horizon
diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml
index 38cfbe22..fb0d32b6 100644
--- a/puppet/services/keepalived.yaml
+++ b/puppet/services/keepalived.yaml
@@ -19,14 +19,18 @@ parameters:
via parameter_defaults in the resource registry.
type: json
ControlVirtualInterface:
- default: 'br-ex'
- description: Interface where virtual ip will be assigned.
+ default: ''
+ description: >
+ Interface where virtual ip will be assigned. This value will be
+ automatically set by the deployment tool. Overriding here will
+ override automatic setting.
type: string
PublicVirtualInterface:
- default: 'br-ex'
+ default: ''
description: >
- Specifies the interface where the public-facing virtual ip will be assigned.
- This should be int_public when a VLAN is being used.
+ Interface where virtual ip will be assigned. This value will be
+ automatically set by the deployment tool. Overriding here will
+ override automatic setting.
type: string
MonitoringSubscriptionKeepalived:
default: 'overcloud-keepalived'
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 1f83b680..fe023a6a 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Keystone service configured with Puppet
@@ -32,6 +32,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ KeystoneTokenProvider:
+ description: The keystone token format
+ type: string
+ default: 'uuid'
+ constraints:
+ - allowed_values: ['uuid', 'fernet']
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
@@ -85,7 +91,7 @@ parameters:
description: Set the number of workers for keystone::wsgi::apache
default: '"%{::os_workers}"'
MonitoringSubscriptionKeystone:
- default: 'overcloud-kestone'
+ default: 'overcloud-keystone'
type: string
KeystoneCredential0:
type: string
@@ -93,6 +99,12 @@ parameters:
KeystoneCredential1:
type: string
description: The second Keystone credential key. Must be a valid key.
+ KeystoneFernetKey0:
+ type: string
+ description: The first Keystone fernet key. Must be a valid key.
+ KeystoneFernetKey1:
+ type: string
+ description: The second Keystone fernet key. Must be a valid key.
KeystoneLoggingSource:
type: json
default:
@@ -112,6 +124,9 @@ resources:
EndpointMap: {get_param: EndpointMap}
EnableInternalTLS: {get_param: EnableInternalTLS}
+conditions:
+ keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
+
outputs:
role_data:
description: Role data for the Keystone role.
@@ -138,6 +153,8 @@ outputs:
keystone::roles::admin::password: {get_param: AdminPassword}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
+ keystone::token_provider: {get_param: KeystoneTokenProvider}
+ keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
keystone::enable_proxy_headers_parsing: true
keystone::enable_credential_setup: true
keystone::credential_keys:
@@ -145,6 +162,11 @@ outputs:
content: {get_param: KeystoneCredential0}
'/etc/keystone/credential-keys/1':
content: {get_param: KeystoneCredential1}
+ keystone::fernet_keys:
+ '/etc/keystone/fernet-keys/0':
+ content: {get_param: KeystoneFernetKey0}
+ '/etc/keystone/fernet-keys/1':
+ content: {get_param: KeystoneFernetKey1}
keystone::debug: {get_param: Debug}
keystone::rabbit_userid: {get_param: RabbitUserName}
keystone::rabbit_password: {get_param: RabbitPassword}
diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml
index 5f4ab6ba..b4b3d480 100644
--- a/puppet/services/manila-api.yaml
+++ b/puppet/services/manila-api.yaml
@@ -51,6 +51,11 @@ outputs:
manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
manila::keystone::authtoken::project_name: 'service'
+ tripleo.manila_api.firewall_rules:
+ '150 manila':
+ dport:
+ - 8786
+ - 13786
# NOTE: bind IP is found in Heat replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
diff --git a/puppet/services/monitoring/sensu-base.yaml b/puppet/services/monitoring/sensu-base.yaml
index d7350d07..e5762328 100644
--- a/puppet/services/monitoring/sensu-base.yaml
+++ b/puppet/services/monitoring/sensu-base.yaml
@@ -43,7 +43,19 @@ parameters:
description: The RabbitMQ vhost used for monitoring purposes.
type: string
default: '/sensu'
-
+ SensuRedactVariables:
+ description: Variables from Sensu configuration, which have to be redacted.
+ type: array
+ default:
+ - password
+ - passwd
+ - pass
+ - api_key
+ - api_token
+ - access_key
+ - secret_key
+ - private_key
+ - secret
outputs:
role_data:
@@ -61,8 +73,7 @@ outputs:
sensu::rabbitmq_ssl: {get_param: MonitoringRabbitUseSSL}
sensu::rabbitmq_user: {get_param: MonitoringRabbitUserName}
sensu::rabbitmq_vhost: {get_param: MonitoringRabbitVhost}
- #sensu::redis_host: {get_param: MonitoringRedisHost}
- #sensu::redis_password: {get_param: MonitoringRedisPassword}
+ sensu::redact: {get_param: SensuRedactVariables}
sensu::sensu_plugin_provider: 'yum'
sensu::sensu_plugin_name: 'rubygem-sensu-plugin'
sensu::version: 'present'
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index 408eb795..5fd9d7a2 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -57,26 +57,20 @@ parameters:
default:
tag: openstack.neutron.api
path: /var/log/neutron/server.log
- ControllerCount:
- description: |
- Under normal conditions, this should not be overridden manually and is
- set at deployment time. The default value is present to allow the
- template to be used in environments that do not override it.
- default: 1
- type: number
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
NeutronL3HA:
- default: false
+ default: ''
+ type: string
description: |
- Whether to enable HA for virtual routers. While the default value is
- 'false', L3 HA will be automatically enabled if the number of nodes
- hosting controller configurations and DVR is disabled. This parameter is
- being deprecated in Newton and is scheduled to be removed in Ocata.
- Future releases will enable L3 HA by default if it is appropriate for the
- deployment type. Alternate mechanisms will be available to override.
- type: boolean
+ Whether to enable HA for virtual routers. When not set, L3 HA will be
+ automatically enabled if the number of nodes hosting controller
+ configurations and DVR is disabled. Valid values are 'true' or 'false'
+ This parameter is being deprecated in Newton and is scheduled to be
+ removed in Ocata. Future releases will enable L3 HA by default if it is
+ appropriate for the deployment type. Alternate mechanisms will be
+ available to override.
parameter_groups:
- label: deprecated
@@ -97,18 +91,6 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
-conditions:
-
- auto_enable_l3_ha:
- and:
- - not:
- equals:
- - get_param: ControllerCount
- - 1
- - equals:
- - get_param: NeutronEnableDVR
- - false
-
outputs:
role_data:
description: Role data for the Neutron Server agent service.
@@ -135,7 +117,6 @@ outputs:
neutron::server::api_workers: {get_param: NeutronWorkers}
neutron::server::rpc_workers: {get_param: NeutronWorkers}
neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
- neutron::server::l3_ha: {if: ["auto_enable_l3_ha", true, {get_param: NeutronL3HA}]}
neutron::server::enable_proxy_headers_parsing: true
neutron::keystone::authtoken::password: {get_param: NeutronPassword}
@@ -158,6 +139,7 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+ tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA}
step_config: |
include tripleo::profile::base::neutron::server
service_config_settings:
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index 6bb4ba08..0b2cef07 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@@ -50,16 +50,13 @@ parameters:
to false may result in configuration remnants after updates/upgrades.
NeutronGlobalPhysnetMtu:
type: number
- default: 1496
+ default: 1500
description: |
MTU of the underlying physical network. Neutron uses this value to
calculate MTU for all virtual network components. For flat and VLAN
networks, neutron uses this value without modification. For overlay
networks such as VXLAN, neutron automatically subtracts the overlay
- protocol overhead from this value. The default value of 1496 is
- currently in effect to compensate for some additional overhead when
- deploying with some network configurations (e.g. network isolation over
- single network interfaces)
+ protocol overhead from this value.
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml
index a89e3d75..a2157555 100644
--- a/puppet/services/neutron-l3.yaml
+++ b/puppet/services/neutron-l3.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Neutron L3 agent configured with Puppet
@@ -43,6 +43,10 @@ parameters:
tag: openstack.neutron.agent.l3
path: /var/log/neutron/l3-agent.log
+conditions:
+
+ external_network_bridge_empty: {equals : [{get_param: NeutronExternalNetworkBridge}, "''"]}
+
resources:
NeutronBase:
@@ -63,12 +67,16 @@ outputs:
- neutron
config_settings:
map_merge:
- - get_attr: [NeutronBase, role_data, config_settings]
+ - get_attr: [NeutronBase, role_data, config_settings]
+ - neutron::agents::l3::router_delete_namespaces: True
+ neutron::agents::l3::agent_mode: {get_param: NeutronL3AgentMode}
+ tripleo.neutron_l3.firewall_rules:
+ '106 neutron_l3 vrrp':
+ proto: vrrp
+ -
+ if:
+ - external_network_bridge_empty
+ - {}
- neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge}
- neutron::agents::l3::router_delete_namespaces: True
- neutron::agents::l3::agent_mode : {get_param: NeutronL3AgentMode}
- tripleo.neutron_l3.firewall_rules:
- '106 neutron_l3 vrrp':
- proto: vrrp
step_config: |
include tripleo::profile::base::neutron::l3
diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml
index 8db00d8f..74a95d20 100644
--- a/puppet/services/nova-base.yaml
+++ b/puppet/services/nova-base.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Nova base service. Shared for all Nova services.
@@ -66,6 +66,9 @@ parameters:
type: string
description: Nova Compute upgrade level
default: ''
+conditions:
+
+ compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
outputs:
role_data:
@@ -73,45 +76,50 @@ outputs:
value:
service_name: nova_base
config_settings:
- nova::rabbit_password: {get_param: RabbitPassword}
- nova::rabbit_userid: {get_param: RabbitUserName}
- nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
- nova::rabbit_port: {get_param: RabbitClientPort}
- nova::database_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://nova:'
- - {get_param: NovaPassword}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/nova'
- nova::api_database_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://nova_api:'
- - {get_param: NovaPassword}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/nova_api'
- nova::debug: {get_param: Debug}
- nova::purge_config: {get_param: EnableConfigPurge}
- nova::network::neutron::neutron_project_name: 'service'
- nova::network::neutron::neutron_username: 'neutron'
- nova::network::neutron::dhcp_domain: ''
- nova::network::neutron::neutron_password: {get_param: NeutronPassword}
- nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]}
- nova::network::neutron::neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]}
- nova::rabbit_heartbeat_timeout_threshold: 60
- nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL'
- nova::host: '"%{::fqdn}"' # NOTE: extra quoting is needed.
- nova::notify_on_state_change: 'vm_and_task_state'
- nova::notification_driver: messagingv2
- nova::network::neutron::neutron_auth_type: 'v3password'
- nova::db::database_db_max_retries: -1
- nova::db::database_max_retries: -1
- nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
- nova::use_ipv6: {get_param: NovaIPv6}
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
- nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge}
+ map_merge:
+ - nova::rabbit_password: {get_param: RabbitPassword}
+ nova::rabbit_userid: {get_param: RabbitUserName}
+ nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ nova::rabbit_port: {get_param: RabbitClientPort}
+ nova::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://nova:'
+ - {get_param: NovaPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/nova'
+ nova::api_database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://nova_api:'
+ - {get_param: NovaPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/nova_api'
+ nova::debug: {get_param: Debug}
+ nova::purge_config: {get_param: EnableConfigPurge}
+ nova::network::neutron::neutron_project_name: 'service'
+ nova::network::neutron::neutron_username: 'neutron'
+ nova::network::neutron::dhcp_domain: ''
+ nova::network::neutron::neutron_password: {get_param: NeutronPassword}
+ nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]}
+ nova::network::neutron::neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]}
+ nova::rabbit_heartbeat_timeout_threshold: 60
+ nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL'
+ nova::host: '"%{::fqdn}"' # NOTE: extra quoting is needed.
+ nova::notify_on_state_change: 'vm_and_task_state'
+ nova::notification_driver: messagingv2
+ nova::network::neutron::neutron_auth_type: 'v3password'
+ nova::db::database_db_max_retries: -1
+ nova::db::database_max_retries: -1
+ nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
+ nova::use_ipv6: {get_param: NovaIPv6}
+ nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge}
+ -
+ if:
+ - compute_upgrade_level_empty
+ - {}
+ - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml
index 318c898e..253d63ef 100644
--- a/puppet/services/opendaylight-api.yaml
+++ b/puppet/services/opendaylight-api.yaml
@@ -59,6 +59,6 @@ outputs:
opendaylight::enable_l3: {get_param: OpenDaylightEnableL3}
opendaylight::extra_features: {get_param: OpenDaylightFeatures}
opendaylight::enable_dhcp: {get_param: OpenDaylightEnableDHCP}
- opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpenDaylightApiNetwork]}
+ opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
step_config: |
include tripleo::profile::base::neutron::opendaylight
diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml
index 268ca244..907ecddc 100644
--- a/puppet/services/opendaylight-ovs.yaml
+++ b/puppet/services/opendaylight-ovs.yaml
@@ -54,5 +54,11 @@ outputs:
template: MAPPINGS
params:
MAPPINGS: {get_param: OpenDaylightProviderMappings}
+ tripleo.opendaylight_ovs.firewall_rules:
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '136 neutron gre networks':
+ proto: 'gre'
step_config: |
include tripleo::profile::base::neutron::plugins::ovs::opendaylight
diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml
index 52104a71..e4115d64 100644
--- a/puppet/services/pacemaker/haproxy.yaml
+++ b/puppet/services/pacemaker/haproxy.yaml
@@ -38,7 +38,5 @@ outputs:
- get_attr: [LoadbalancerServiceBase, role_data, config_settings]
- tripleo::haproxy::haproxy_service_manage: false
tripleo::haproxy::mysql_clustercheck: true
- enable_keepalived: false
- tripleo::haproxy::keepalived: false
step_config: |
include ::tripleo::profile::pacemaker::haproxy
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
new file mode 100644
index 00000000..63f631a0
--- /dev/null
+++ b/puppet/services/panko-api.yaml
@@ -0,0 +1,84 @@
+heat_template_version: 2016-04-08
+
+description: >
+ OpenStack Panko API service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ MonitoringSubscriptionPankoApi:
+ default: 'overcloud-ceilometer-panko-api'
+ type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+resources:
+ PankoBase:
+ type: ./panko-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
+outputs:
+ role_data:
+ description: Role data for the Panko API service.
+ value:
+ service_name: panko_api
+ monitoring_subscription: {get_param: MonitoringSubscriptionPankoApi}
+ config_settings:
+ map_merge:
+ - get_attr: [PankoBase, role_data, config_settings]
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
+ - panko::wsgi::apache::ssl: {get_param: EnableInternalTLS}
+ panko::wsgi::apache::servername:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]}
+ panko::api::service_name: 'httpd'
+ panko::api::enable_proxy_headers_parsing: true
+ tripleo.panko_api.firewall_rules:
+ '140 panko-api':
+ dport:
+ - 8779
+ - 13779
+ panko::api::host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]}
+ # NOTE: bind IP is found in Heat replacing the network name with the
+ # local node IP for the given network; replacement examples
+ # (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ panko::wsgi::apache::bind_host: {get_param: [ServiceNetMap, PankoApiNetwork]}
+ service_config_settings:
+ get_attr: [PankoBase, role_data, service_config_settings]
+ step_config: |
+ include tripleo::profile::base::panko::api
diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml
new file mode 100644
index 00000000..32754a55
--- /dev/null
+++ b/puppet/services/panko-base.yaml
@@ -0,0 +1,74 @@
+heat_template_version: 2016-04-08
+
+description: >
+ OpenStack Panko service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ PankoPassword:
+ description: The password for the panko services.
+ type: string
+ hidden: true
+ Debug:
+ default: ''
+ description: Set to True to enable debugging on all services.
+ type: string
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+
+outputs:
+ role_data:
+ description: Role data for the Panko role.
+ value:
+ service_name: panko_base
+ config_settings:
+ panko_redis_password: {get_param: RedisPassword}
+ panko::db::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://panko:'
+ - {get_param: PankoPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/panko'
+ panko::debug: {get_param: Debug}
+ panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+ panko::keystone::authtoken::project_name: 'service'
+ panko::keystone::authtoken::password: {get_param: PankoPassword}
+ panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+ panko::auth::auth_password: {get_param: PankoPassword}
+ panko::auth::auth_region: 'regionOne'
+ panko::auth::auth_tenant_name: 'service'
+ service_config_settings:
+ keystone:
+ panko::keystone::auth::public_url: {get_param: [EndpointMap, PankoPublic, uri]}
+ panko::keystone::auth::internal_url: {get_param: [EndpointMap, PankoInternal, uri]}
+ panko::keystone::auth::admin_url: {get_param: [EndpointMap, PankoAdmin, uri]}
+ panko::keystone::auth::password: {get_param: PankoPassword}
+ panko::keystone::auth::region: {get_param: KeystoneRegion}
+ panko::keystone::auth::tenant: 'service'
+ mysql:
+ panko::db::mysql::user: panko
+ panko::db::mysql::password: {get_param: PankoPassword}
+ panko::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ panko::db::mysql::dbname: panko
+ panko::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml
index 176fd235..ffe2d2d4 100644
--- a/puppet/services/services.yaml
+++ b/puppet/services/services.yaml
@@ -54,8 +54,8 @@ outputs:
data: {s_names: {get_attr: [ServiceChain, role_data, service_name]}}
monitoring_subscriptions:
yaql:
- expression: list($.data.where($ != null).select($.get('monitoring_subscription')).where($ != null))
- data: {get_attr: [ServiceChain, role_data]}
+ expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
logging_sources:
# Transform the individual logging_source configuration from
# each service in the chain into a global list, adding some
@@ -78,8 +78,9 @@ outputs:
sources:
- {get_attr: [LoggingConfiguration, LoggingDefaultSources]}
- yaql:
- expression: list($.data.where($ != null).select($.get('logging_source')).where($ != null))
- data: {get_attr: [ServiceChain, role_data]}
+ expression: list($.data.role_data.where($ != null).select($.get('logging_source')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
+
- {get_attr: [LoggingConfiguration, LoggingExtraSources]}
default_format: {get_attr: [LoggingConfiguration, LoggingDefaultFormat]}
pos_file_path: {get_attr: [LoggingConfiguration, LoggingPosFilePath]}
@@ -93,17 +94,17 @@ outputs:
groups:
- [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}]
- yaql:
- expression: list($.data.where($ != null).select($.get('logging_groups')).where($ != null))
- data: {get_attr: [ServiceChain, role_data]}
+ expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
- [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}]
config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}}
global_config_settings:
map_merge:
yaql:
- expression: list($.data.where($ != null).select($.get('global_config_settings')).where($ != null))
- data: {get_attr: [ServiceChain, role_data]}
+ expression: list($.data.role_data.where($ != null).select($.get('global_config_settings')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
service_config_settings:
yaql:
- expression: $.data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {})
- data: {get_attr: [ServiceChain, role_data]}
+ expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {})
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
step_config: {list_join: ["\n", {get_attr: [ServiceChain, role_data, step_config]}]}
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index c8ae4849..ba184ab0 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -77,6 +77,7 @@ outputs:
swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName}
swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
+ swift::proxy::ceilometer::nonblocking_notify: true
tripleo.swift_proxy.firewall_rules:
'122 swift proxy':
dport: