diff options
Diffstat (limited to 'puppet/services')
118 files changed, 3031 insertions, 602 deletions
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index 65afffad..48cc4af6 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -21,6 +21,14 @@ parameters: MonitoringSubscriptionAodhApi: default: 'overcloud-ceilometer-aodh-api' type: string + EnableCombinationAlarms: + default: false + description: Combination alarms are deprecated in Newton, hence disabled + by default. To enable, set this parameter to true. + type: boolean + EnableInternalTLS: + type: boolean + default: false resources: AodhBase: @@ -36,6 +44,7 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -47,20 +56,35 @@ outputs: map_merge: - get_attr: [AodhBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - - aodh::wsgi::apache::ssl: false + - aodh::wsgi::apache::ssl: {get_param: EnableInternalTLS} + aodh::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]} aodh::api::service_name: 'httpd' + aodh::api::enable_proxy_headers_parsing: true tripleo.aodh_api.firewall_rules: '128 aodh-api': dport: - 8042 - 13042 + aodh::api::host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - aodh::api::host: {get_param: [ServiceNetMap, AodhApiNetwork]} aodh::wsgi::apache::bind_host: {get_param: [ServiceNetMap, AodhApiNetwork]} + tripleo::profile::base::aodh::api::enable_combination_alarms: {get_param: EnableCombinationAlarms} + service_config_settings: + get_attr: [AodhBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::aodh::api diff --git a/puppet/services/aodh-base.yaml b/puppet/services/aodh-base.yaml index 187345ad..0e2410f7 100644 --- a/puppet/services/aodh-base.yaml +++ b/puppet/services/aodh-base.yaml @@ -59,14 +59,7 @@ outputs: value: service_name: aodh_base config_settings: - aodh::evaluator::coordination_url: - list_join: - - '' - - - 'redis://:' - - {get_param: RedisPassword} - - '@' - - "%{hiera('redis_vip')}" - - ':6379/' + aodh_redis_password: {get_param: RedisPassword} aodh::db::database_connection: list_join: - '' @@ -87,18 +80,21 @@ outputs: aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } aodh::auth::auth_password: {get_param: AodhPassword} - aodh::keystone::auth::public_url: {get_param: [EndpointMap, AodhPublic, uri]} - aodh::keystone::auth::internal_url: {get_param: [EndpointMap, AodhInternal, uri]} - aodh::keystone::auth::admin_url: {get_param: [EndpointMap, AodhAdmin, uri]} - aodh::keystone::auth::password: {get_param: AodhPassword} - aodh::keystone::auth::region: {get_param: KeystoneRegion} - aodh::keystone::auth::tenant: 'service' - aodh::db::mysql::user: aodh - aodh::db::mysql::password: {get_param: AodhPassword} - aodh::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - aodh::db::mysql::dbname: aodh - aodh::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" aodh::auth::auth_region: 'regionOne' aodh::auth::auth_tenant_name: 'service' + service_config_settings: + keystone: + aodh::keystone::auth::public_url: {get_param: [EndpointMap, AodhPublic, uri]} + aodh::keystone::auth::internal_url: {get_param: [EndpointMap, AodhInternal, uri]} + aodh::keystone::auth::admin_url: {get_param: [EndpointMap, AodhAdmin, uri]} + aodh::keystone::auth::password: {get_param: AodhPassword} + aodh::keystone::auth::region: {get_param: KeystoneRegion} + aodh::keystone::auth::tenant: 'service' + mysql: + aodh::db::mysql::user: aodh + aodh::db::mysql::password: {get_param: AodhPassword} + aodh::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + aodh::db::mysql::dbname: aodh + aodh::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml new file mode 100644 index 00000000..87e53f13 --- /dev/null +++ b/puppet/services/apache-internal-tls-certmonger.yaml @@ -0,0 +1,50 @@ +heat_template_version: 2016-10-14 + +description: > + Apache service TLS configurations. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + # The following parameters are not needed by the template but are + # required to pass the pep8 tests + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the Apache role. + value: + service_name: apache_internal_tls_certmonger + config_settings: + generate_service_certificates: true + apache_certificates_specs: + map_merge: + repeat: + template: + httpd-NETWORK: + service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd-NETWORK.key' + hostname: "%{::fqdn_NETWORK}" + principal: "HTTP/%{::fqdn_NETWORK}" + for_each: + NETWORK: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 7595e4c3..382e0ff9 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -5,6 +5,14 @@ description: > automatically via other services which run via Apache. parameters: + ApacheMaxRequestWorkers: + default: 256 + description: Maximum number of simultaneously processed requests. + type: number + ApacheServerLimit: + default: 256 + description: Maximum number of Apache processes. + type: number ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -19,6 +27,17 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableInternalTLS: + type: boolean + default: false + + +resources: + + ApacheTLS: + type: OS::TripleO::Services::ApacheTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} outputs: role_data: @@ -26,17 +45,22 @@ outputs: value: service_name: apache config_settings: - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} - apache::server_signature: 'Off' - apache::server_tokens: 'Prod' - apache_remote_proxy_ips_network: - str_replace: - template: "NETWORK_subnet" - params: - NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} - apache::mod::remoteip::proxy_ips: - - "%{hiera('apache_remote_proxy_ips_network')}" + map_merge: + - get_attr: [ApacheTLS, role_data, config_settings] + - + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::server_signature: 'Off' + apache::server_tokens: 'Prod' + apache_remote_proxy_ips_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers } + apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } + apache::mod::remoteip::proxy_ips: + - "%{hiera('apache_remote_proxy_ips_network')}" diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml new file mode 100644 index 00000000..ab6b0ec7 --- /dev/null +++ b/puppet/services/barbican-api.yaml @@ -0,0 +1,130 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Barbican API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + BarbicanPassword: + description: The password for the barbican service account. + type: string + hidden: true + BarbicanWorkers: + description: Set the number of workers for barbican::wsgi::apache + default: '"%{::processorcount}"' + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + EnableInternalTLS: + type: boolean + default: false + +resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Barbican API role. + value: + service_name: barbican_api + config_settings: + map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - barbican::keystone::authtoken::password: {get_param: BarbicanPassword} + barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + barbican::keystone::authtoken::project_name: 'service' + barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} + barbican::api::db_auto_create: false + barbican::api::enabled_certificate_plugins: ['simple_certificate'] + barbican::api::logging::debug: {get_param: Debug} + barbican::api::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + barbican::api::rabbit_userid: {get_param: RabbitUserName} + barbican::api::rabbit_password: {get_param: RabbitPassword} + barbican::api::rabbit_port: {get_param: RabbitClientPort} + barbican::api::rabbit_heartbeat_timeout_threshold: 60 + barbican::api::service_name: 'httpd' + barbican::wsgi::apache::bind_host: {get_param: [ServiceNetMap, BarbicanApiNetwork]} + barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS} + barbican::wsgi::apache::workers: {get_param: BarbicanWorkers} + barbican::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]} + barbican::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://barbican:' + - {get_param: BarbicanPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/barbican' + tripleo.barbican_api.firewall_rules: + '117 barbican': + dport: + - 9311 + - 13311 + step_config: | + include ::tripleo::profile::base::barbican::api + service_config_settings: + mysql: + barbican::db::mysql::password: {get_param: BarbicanPassword} + barbican::db::mysql::user: barbican + barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + barbican::db::mysql::dbname: barbican + barbican::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + keystone: + barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]} + barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]} + barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]} + barbican::keystone::auth::password: {get_param: BarbicanPassword} + barbican::keystone::auth::region: {get_param: KeystoneRegion} + barbican::keystone::auth::tenant: 'service' diff --git a/puppet/services/ceilometer-agent-central.yaml b/puppet/services/ceilometer-agent-central.yaml index 5d980d79..c4abc307 100644 --- a/puppet/services/ceilometer-agent-central.yaml +++ b/puppet/services/ceilometer-agent-central.yaml @@ -25,6 +25,11 @@ parameters: MonitoringSubscriptionCeilometerCentral: default: 'overcloud-ceilometer-agent-central' type: string + CeilometerAgentCentralLoggingSource: + type: json + default: + tag: openstack.ceilometer.agent.central + path: /var/log/ceilometer/central.log resources: CeilometerServiceBase: @@ -40,16 +45,12 @@ outputs: value: service_name: ceilometer_agent_central monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerCentral} + logging_source: {get_param: CeilometerAgentCentralLoggingSource} + logging_groups: + - ceilometer config_settings: map_merge: - get_attr: [CeilometerServiceBase, role_data, config_settings] - - ceilometer::agent::central::coordination_url: - list_join: - - '' - - - 'redis://:' - - {get_param: RedisPassword} - - '@' - - "%{hiera('redis_vip')}" - - ':6379/' + - ceilometer_redis_password: {get_param: RedisPassword} step_config: | include ::tripleo::profile::base::ceilometer::agent::central diff --git a/puppet/services/ceilometer-agent-notification.yaml b/puppet/services/ceilometer-agent-notification.yaml index bedb8b04..ea403aa1 100644 --- a/puppet/services/ceilometer-agent-notification.yaml +++ b/puppet/services/ceilometer-agent-notification.yaml @@ -21,6 +21,11 @@ parameters: MonitoringSubscriptionCeilometerNotification: default: 'overcloud-ceilometer-agent-notification' type: string + CeilometerAgentNotificationLoggingSource: + type: json + default: + tag: openstack.ceilometer.agent.notification + path: /var/log/ceilometer/agent-notification.log resources: @@ -37,6 +42,9 @@ outputs: value: service_name: ceilometer_agent_notification monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerNotification} + logging_source: {get_param: CeilometerAgentNotificationLoggingSource} + logging_groups: + - ceilometer config_settings: get_attr: [CeilometerServiceBase, role_data, config_settings] step_config: | diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 5df9f2b3..97b255a9 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -21,7 +21,14 @@ parameters: MonitoringSubscriptionCeilometerApi: default: 'overcloud-ceilometer-api' type: string - + CeilometerApiLoggingSource: + type: json + default: + tag: openstack.ceilometer.api + path: /var/log/ceilometer/api.log + EnableInternalTLS: + type: boolean + default: false resources: CeilometerServiceBase: @@ -37,6 +44,7 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -44,6 +52,9 @@ outputs: value: service_name: ceilometer_api monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerApi} + logging_source: {get_param: CeilometerApiLoggingSource} + logging_groups: + - ceilometer config_settings: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] @@ -60,8 +71,22 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - ceilometer::api::service_name: 'httpd' - ceilometer::api::host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} + ceilometer::api::enable_proxy_headers_parsing: true + ceilometer::api::host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} - ceilometer::wsgi::apache::ssl: false + ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS} + ceilometer::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} + service_config_settings: + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::api diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index 62fdd5c1..4ace7526 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -101,29 +101,32 @@ outputs: ceilometer::agent::auth::auth_region: {get_param: KeystoneRegion} ceilometer::agent::auth::auth_tenant_name: 'service' ceilometer::agent::auth::auth_endpoint_type: 'internalURL' - ceilometer::db::mysql::password: {get_param: CeilometerPassword} ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher} ceilometer::dispatcher::gnocchi::url: {get_param: [EndpointMap, GnocchiInternal, uri]} ceilometer::dispatcher::gnocchi::filter_project: 'service' ceilometer::dispatcher::gnocchi::archive_policy: 'low' ceilometer::dispatcher::gnocchi::resources_definition_file: 'gnocchi_resources.yaml' - ceilometer::keystone::auth::public_url: {get_param: [EndpointMap, CeilometerPublic, uri]} - ceilometer::keystone::auth::internal_url: {get_param: [EndpointMap, CeilometerInternal, uri]} - ceilometer::keystone::auth::admin_url: {get_param: [EndpointMap, CeilometerAdmin, uri]} - ceilometer::keystone::auth::password: {get_param: CeilometerPassword} - ceilometer::keystone::auth::region: {get_param: KeystoneRegion} - ceilometer::keystone::auth::tenant: 'service' ceilometer::rabbit_userid: {get_param: RabbitUserName} ceilometer::rabbit_password: {get_param: RabbitPassword} ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL} ceilometer::rabbit_port: {get_param: RabbitClientPort} - ceilometer::db::mysql::user: ceilometer - ceilometer::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - ceilometer::db::mysql::dbname: ceilometer - ceilometer::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" ceilometer::rabbit_heartbeat_timeout_threshold: 60 ceilometer::db::database_db_max_retries: -1 ceilometer::db::database_max_retries: -1 ceilometer::telemetry_secret: {get_param: CeilometerMeteringSecret} + service_config_settings: + keystone: + ceilometer::keystone::auth::public_url: {get_param: [EndpointMap, CeilometerPublic, uri]} + ceilometer::keystone::auth::internal_url: {get_param: [EndpointMap, CeilometerInternal, uri]} + ceilometer::keystone::auth::admin_url: {get_param: [EndpointMap, CeilometerAdmin, uri]} + ceilometer::keystone::auth::password: {get_param: CeilometerPassword} + ceilometer::keystone::auth::region: {get_param: KeystoneRegion} + ceilometer::keystone::auth::tenant: 'service' + mysql: + ceilometer::db::mysql::password: {get_param: CeilometerPassword} + ceilometer::db::mysql::user: ceilometer + ceilometer::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ceilometer::db::mysql::dbname: ceilometer + ceilometer::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml index 9dbb2759..e3f1ef4e 100644 --- a/puppet/services/ceilometer-collector.yaml +++ b/puppet/services/ceilometer-collector.yaml @@ -21,6 +21,11 @@ parameters: MonitoringSubscriptionCeilometerCollector: default: 'overcloud-ceilometer-collector' type: string + CeilometerCollectorLoggingSource: + type: json + default: + tag: openstack.ceilometer.collector + path: /var/log/ceilometer/collector.log resources: CeilometerServiceBase: @@ -30,13 +35,27 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + MongoDbBase: + type: ./database/mongodb-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Ceilometer Collector role. value: service_name: ceilometer_collector monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerCollector} + logging_source: {get_param: CeilometerCollectorLoggingSource} + logging_groups: + - ceilometer config_settings: - get_attr: [CeilometerServiceBase, role_data, config_settings] + map_merge: + - get_attr: [MongoDbBase, role_data, config_settings] + - get_attr: [CeilometerServiceBase, role_data, config_settings] + service_config_settings: + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::collector diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml index ce8d9158..786e9ddd 100644 --- a/puppet/services/ceph-base.yaml +++ b/puppet/services/ceph-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Ceph base service. Shared by all Ceph services. @@ -29,9 +29,20 @@ parameters: GlanceRbdPoolName: default: images type: string + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] GnocchiRbdPoolName: default: metrics type: string + NovaEnableRbdBackend: + default: false + description: Whether to enable or not the Rbd backend for Nova + type: boolean NovaRbdPoolName: default: vms type: string @@ -63,6 +74,16 @@ parameter_groups: parameters: - ControllerEnableCephStorage +conditions: + glance_multiple_locations: + and: + - equals: + - get_param: GlanceBackend + - rbd + - equals: + - get_param: NovaEnableRbdBackend + - true + outputs: role_data: description: Role data for the Ceph base service. @@ -75,6 +96,12 @@ outputs: ceph::profile::params::manage_repo: false ceph::profile::params::authentication_type: cephx ceph::profile::params::fsid: {get_param: CephClusterFSID} + # FIXME(gfidente): we should not have to list the packages explicitly in the templates, + # but this has to stay until https://bugs.launchpad.net/puppet-ceph/+bug/1629933 is fixed + ceph::params::packages: + - ceph-base + - ceph-mon + - ceph-osd # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP @@ -122,3 +149,6 @@ outputs: CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} GLANCE_POOL: {get_param: GlanceRbdPoolName} GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + service_config_settings: + glance_api: + glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml index 52c4824f..9120687b 100644 --- a/puppet/services/ceph-external.yaml +++ b/puppet/services/ceph-external.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Ceph External service. @@ -27,9 +27,20 @@ parameters: GlanceRbdPoolName: default: images type: string + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] GnocchiRbdPoolName: default: metrics type: string + NovaEnableRbdBackend: + default: false + description: Whether to enable or not the Rbd backend for Nova + type: boolean NovaRbdPoolName: default: vms type: string @@ -51,6 +62,16 @@ parameters: default: 'overcloud-ceph-external' type: string +conditions: + glance_multiple_locations: + and: + - equals: + - get_param: GlanceBackend + - rbd + - equals: + - get_param: NovaEnableRbdBackend + - true + outputs: role_data: description: Role data for the Ceph External service. @@ -78,5 +99,8 @@ outputs: CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} GLANCE_POOL: {get_param: GlanceRbdPoolName} GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + service_config_settings: + glance_api: + glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} step_config: | include ::tripleo::profile::base::ceph::client diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index a2b3f13e..3471f16c 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml @@ -76,6 +76,9 @@ outputs: - get_attr: [CephBase, role_data, config_settings] - ceph::profile::params::ms_bind_ipv6: {get_param: CephIPv6} ceph::profile::params::mon_key: {get_param: CephMonKey} + ceph::profile::params::osd_pool_default_pg_num: 32 + ceph::profile::params::osd_pool_default_pgp_num: 32 + ceph::profile::params::osd_pool_default_size: 3 # repeat returns items in a list, so we need to map_merge twice tripleo::profile::base::ceph::mon::ceph_pools: map_merge: @@ -90,13 +93,15 @@ outputs: - {get_param: GnocchiRbdPoolName} template: <%pool%>: - pg_num: 32 - pgp_num: 32 - size: 3 + pg_num: "%{hiera('ceph::profile::params::osd_pool_default_pg_num')}" + pgp_num: "%{hiera('ceph::profile::params::osd_pool_default_pgp_num')}" + size: "%{hiera('ceph::profile::params::osd_pool_default_size')}" - {get_param: CephPools} tripleo.ceph_mon.firewall_rules: '110 ceph_mon': dport: - 6789 + service_config_settings: + get_attr: [CephBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceph::mon diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml new file mode 100644 index 00000000..89c1a5ee --- /dev/null +++ b/puppet/services/ceph-rgw.yaml @@ -0,0 +1,73 @@ +heat_template_version: 2016-04-08 + +description: > + Ceph RadosGW service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + AdminToken: + description: The keystone auth secret and db password. + type: string + hidden: true + CephRgwKey: + description: The cephx key for the radosgw client. Can be created + with ceph-authtool --gen-print-key. + type: string + hidden: true + SwiftPassword: + description: The password for the swift service account, used by the Ceph RGW services. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +resources: + CephBase: + type: ./ceph-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Ceph RadosGW service. + value: + service_name: ceph_rgw + config_settings: + map_merge: + - get_attr: [CephBase, role_data, config_settings] + - tripleo::profile::base::ceph::rgw::rgw_key: {get_param: CephRgwKey} + tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken} + tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]} + tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]} + ceph::params::user_radosgw: ceph + tripleo.ceph_rgw.firewall_rules: + '122 ceph rgw': + dport: {get_param: [EndpointMap, CephRgwInternal, port]} + step_config: | + include ::tripleo::profile::base::ceph::rgw + service_config_settings: + keystone: + ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]} + ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} + ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} + ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} + ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} + ceph::rgw::keystone::auth::tenant: 'service' diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 94c94a65..803d8b83 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Cinder API service configured with Puppet @@ -34,9 +34,32 @@ parameters: MonitoringSubscriptionCinderApi: default: 'overcloud-cinder-api' type: string + CinderApiLoggingSource: + type: json + default: + tag: openstack.cinder.api + path: /var/log/cinder/cinder-api.log + CinderWorkers: + type: string + description: Set the number of workers for cinder::wsgi::apache + default: '"%{::os_workers}"' + EnableInternalTLS: + type: boolean + default: false + +conditions: + cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]} resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + CinderBase: type: ./cinder-base.yaml properties: @@ -50,26 +73,19 @@ outputs: value: service_name: cinder_api monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi} + logging_source: {get_param: CinderApiLoggingSource} + logging_groups: + - cinder config_settings: map_merge: - get_attr: [CinderBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] - cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} cinder::keystone::authtoken::password: {get_param: CinderPassword} cinder::keystone::authtoken::project_name: 'service' - cinder::keystone::auth::tenant: 'service' - cinder::keystone::auth::public_url: {get_param: [EndpointMap, CinderPublic, uri]} - cinder::keystone::auth::internal_url: {get_param: [EndpointMap, CinderInternal, uri]} - cinder::keystone::auth::admin_url: {get_param: [EndpointMap, CinderAdmin, uri]} - cinder::keystone::auth::public_url_v2: {get_param: [EndpointMap, CinderV2Public, uri]} - cinder::keystone::auth::internal_url_v2: {get_param: [EndpointMap, CinderV2Internal, uri]} - cinder::keystone::auth::admin_url_v2: {get_param: [EndpointMap, CinderV2Admin, uri]} - cinder::keystone::auth::public_url_v3: {get_param: [EndpointMap, CinderV3Public, uri]} - cinder::keystone::auth::internal_url_v3: {get_param: [EndpointMap, CinderV3Internal, uri]} - cinder::keystone::auth::admin_url_v3: {get_param: [EndpointMap, CinderV3Admin, uri]} - cinder::keystone::auth::password: {get_param: CinderPassword} - cinder::keystone::auth::region: {get_param: KeystoneRegion} cinder::api::enable_proxy_headers_parsing: true + cinder::api::nova_catalog_info: 'compute:Compute Service:internalURL' # TODO(emilien) move it to puppet-cinder cinder::config: @@ -82,11 +98,52 @@ outputs: dport: - 8776 - 13776 + cinder::api::bind_host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} + cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS} + cinder::api::service_name: 'httpd' # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - cinder::api::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]} + cinder::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]} + cinder::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} + - + if: + - cinder_workers_zero + - {} + - cinder::wsgi::apache::workers: {get_param: CinderWorkers} step_config: | include ::tripleo::profile::base::cinder::api + service_config_settings: + keystone: + cinder::keystone::auth::tenant: 'service' + cinder::keystone::auth::public_url: {get_param: [EndpointMap, CinderPublic, uri]} + cinder::keystone::auth::internal_url: {get_param: [EndpointMap, CinderInternal, uri]} + cinder::keystone::auth::admin_url: {get_param: [EndpointMap, CinderAdmin, uri]} + cinder::keystone::auth::public_url_v2: {get_param: [EndpointMap, CinderV2Public, uri]} + cinder::keystone::auth::internal_url_v2: {get_param: [EndpointMap, CinderV2Internal, uri]} + cinder::keystone::auth::admin_url_v2: {get_param: [EndpointMap, CinderV2Admin, uri]} + cinder::keystone::auth::public_url_v3: {get_param: [EndpointMap, CinderV3Public, uri]} + cinder::keystone::auth::internal_url_v3: {get_param: [EndpointMap, CinderV3Internal, uri]} + cinder::keystone::auth::admin_url_v3: {get_param: [EndpointMap, CinderV3Admin, uri]} + cinder::keystone::auth::password: {get_param: CinderPassword} + cinder::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + cinder::db::mysql::password: {get_param: CinderPassword} + cinder::db::mysql::user: cinder + cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + cinder::db::mysql::dbname: cinder + cinder::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/cinder-base.yaml b/puppet/services/cinder-base.yaml index 0db17189..59c9b844 100644 --- a/puppet/services/cinder-base.yaml +++ b/puppet/services/cinder-base.yaml @@ -60,20 +60,12 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/cinder' - cinder::db::mysql::password: {get_param: CinderPassword} cinder::debug: {get_param: Debug} cinder::rabbit_use_ssl: {get_param: RabbitClientUseSSL} cinder::rabbit_userid: {get_param: RabbitUserName} cinder::rabbit_password: {get_param: RabbitPassword} cinder::rabbit_port: {get_param: RabbitClientPort} - cinder::db::mysql::user: cinder - cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - cinder::db::mysql::dbname: cinder - cinder::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" cinder::rabbit_heartbeat_timeout_threshold: 60 - cinder::host: hostgroup cinder::cron::db_purge::destination: '/dev/null' cinder::db::database_db_max_retries: -1 cinder::db::database_max_retries: -1 diff --git a/puppet/services/cinder-scheduler.yaml b/puppet/services/cinder-scheduler.yaml index 1326e267..94c263ea 100644 --- a/puppet/services/cinder-scheduler.yaml +++ b/puppet/services/cinder-scheduler.yaml @@ -21,6 +21,11 @@ parameters: MonitoringSubscriptionCinderScheduler: default: 'overcloud-cinder-scheduler' type: string + CinderSchedulerLoggingSource: + type: json + default: + tag: openstack.cinder.scheduler + path: /var/log/cinder/cinder-scheduler.log resources: @@ -37,6 +42,9 @@ outputs: value: service_name: cinder_scheduler monitoring_subscription: {get_param: MonitoringSubscriptionCinderScheduler} + logging_source: {get_param: CinderSchedulerLoggingSource} + logging_groups: + - cinder config_settings: map_merge: - get_attr: [CinderBase, role_data, config_settings] diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index c84c784e..82e16f39 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml @@ -59,6 +59,11 @@ parameters: MonitoringSubscriptionCinderVolume: default: 'overcloud-cinder-volume' type: string + CinderVolumeLoggingSource: + type: json + default: + tag: openstack.cinder.volume + path: /var/log/cinder/cinder-volume.log resources: @@ -75,6 +80,9 @@ outputs: value: service_name: cinder_volume monitoring_subscription: {get_param: MonitoringSubscriptionCinderVolume} + logging_source: {get_param: CinderVolumeLoggingSource} + logging_groups: + - cinder config_settings: map_merge: - get_attr: [CinderBase, role_data, config_settings] diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 36962a34..01daeafe 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -19,6 +19,15 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + MongoDbLoggingSource: + type: json + description: Fluentd logging configuration for mongodb. + default: + tag: database.mongodb + path: /var/log/mongodb/mongodb.log + format: >- + /(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+\+\d{4}) + (?<message>.*)$/ resources: MongoDbBase: @@ -33,6 +42,9 @@ outputs: description: Service mongodb using composable services. value: service_name: mongodb + logging_groups: + - mongodb + logging_source: {get_param: MongoDbLoggingSource} config_settings: map_merge: - get_attr: [MongoDbBase, role_data, config_settings] diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index b0eea481..094a7c9f 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -74,5 +74,11 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]} + tripleo::profile::base::database::mysql::bind_address: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index adc1b4cb..33abdbf9 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -18,64 +18,41 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - CephClientUserName: - default: openstack - type: string Debug: default: '' description: Set to True to enable debugging on all services. type: string - GlanceNotifierStrategy: - description: Strategy to use for Glance notification queue - type: string - default: noop - GlanceLogFile: - description: The filepath of the file to use for logging messages from Glance. - type: string - default: '' GlancePassword: description: The password for the glance service and db account, used by the glance services. type: string hidden: true - GlanceBackend: - default: swift - description: The short name of the Glance backend to use. Should be one - of swift, rbd, or file - type: string - constraints: - - allowed_values: ['swift', 'file', 'rbd'] GlanceWorkers: - default: 0 - description: Number of workers for Glance service. - type: number - GlanceRbdPoolName: - default: images - type: string - RabbitPassword: - description: The password for RabbitMQ - type: string - hidden: true - RabbitUserName: - default: guest - description: The username for RabbitMQ - type: string - RabbitClientPort: - default: 5672 - description: Set rabbit subscriber port, change this if using SSL - type: number - RabbitClientUseSSL: - default: false - description: > - Rabbit client subscriber parameter to specify - an SSL connection to the RabbitMQ host. - type: string - KeystoneRegion: + default: '' + description: | + Number of API worker processes for Glance. If left unset (empty string), the + default value will result in the configuration being left unset and a + system-dependent default value will be chosen (e.g.: number of + processors). Please note that this will create a large number of + processes on systems with a large number of CPUs resulting in excess + memory consumption. It is recommended that a suitable non-default value + be selected on such systems. type: string - default: 'regionOne' - description: Keystone region for endpoint MonitoringSubscriptionGlanceApi: default: 'overcloud-glance-api' type: string + GlanceApiLoggingSource: + type: json + default: + tag: openstack.glance.api + path: /var/log/glance/api.log + +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} outputs: role_data: @@ -83,64 +60,50 @@ outputs: value: service_name: glance_api monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi} + logging_source: {get_param: GlanceApiLoggingSource} + logging_groups: + - glance config_settings: - glance::api::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} - glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::api::registry_host: - str_replace: - template: "'REGISTRY_HOST'" - params: - REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} - glance::api::authtoken::password: {get_param: GlancePassword} - glance::api::enable_proxy_headers_parsing: true - glance::api::debug: {get_param: Debug} - glance::api::workers: {get_param: GlanceWorkers} - glance_notifier_strategy: {get_param: GlanceNotifierStrategy} - glance_log_file: {get_param: GlanceLogFile} - glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::backend::swift::swift_store_user: service:glance - glance::backend::swift::swift_store_key: {get_param: GlancePassword} - glance::backend::swift::swift_store_create_container_on_put: true - glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} - glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} - glance_backend: {get_param: GlanceBackend} - glance::db::mysql::password: {get_param: GlancePassword} - glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} - glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} - glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} - glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} - glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} - glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} - glance::keystone::auth::password: {get_param: GlancePassword } - glance::keystone::auth::region: {get_param: KeystoneRegion} - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_api.firewall_rules: - '112 glance_api': - dport: - - 9292 - - 13292 - glance::keystone::auth::tenant: 'service' - glance::api::authtoken::project_name: 'service' - glance::api::pipeline: 'keystone' - glance::api::show_image_direct_url: true - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + - glance::api::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} + glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::api::registry_host: + str_replace: + template: "'REGISTRY_HOST'" + params: + REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} + glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] } + glance::api::authtoken::password: {get_param: GlancePassword} + glance::api::enable_proxy_headers_parsing: true + glance::api::debug: {get_param: Debug} + glance::api::workers: {get_param: GlanceWorkers} + tripleo.glance_api.firewall_rules: + '112 glance_api': + dport: + - 9292 + - 13292 + glance::api::authtoken::project_name: 'service' + glance::api::pipeline: 'keystone' + glance::api::show_image_direct_url: true + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api + service_config_settings: + get_attr: [GlanceBase, role_data, service_config_settings] diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml new file mode 100644 index 00000000..cc979af9 --- /dev/null +++ b/puppet/services/glance-base.yaml @@ -0,0 +1,128 @@ +heat_template_version: 2016-10-14 + +description: > + OpenStack Glance Common settings with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephClientUserName: + default: openstack + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + GlanceNotifierStrategy: + description: Strategy to use for Glance notification queue + type: string + default: noop + GlanceLogFile: + description: The filepath of the file to use for logging messages from Glance. + type: string + default: '' + GlancePassword: + description: The password for the glance service and db account, used by the glance services. + type: string + hidden: true + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] + GlanceNfsEnabled: + default: false + description: > + When using GlanceBackend 'file', mount NFS share for image storage. + type: boolean + GlanceNfsShare: + default: '' + description: > + NFS share to mount for image storage (when GlanceNfsEnabled is true) + type: string + GlanceNfsOptions: + default: 'intr,context=system_u:object_r:glance_var_lib_t:s0' + description: > + NFS mount options for image storage (when GlanceNfsEnabled is true) + type: string + GlanceRbdPoolName: + default: images + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Role data for the Glance common role. + value: + service_name: glance_base + config_settings: + glance_notifier_strategy: {get_param: GlanceNotifierStrategy} + glance_log_file: {get_param: GlanceLogFile} + glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::backend::swift::swift_store_user: service:glance + glance::backend::swift::swift_store_key: {get_param: GlancePassword} + glance::backend::swift::swift_store_create_container_on_put: true + glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} + glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} + glance_backend: {get_param: GlanceBackend} + glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} + glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} + glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} + glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + glance::notify::rabbitmq::notification_driver: messagingv2 + glance::registry::db::database_db_max_retries: -1 + glance::registry::db::database_max_retries: -1 + tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} + tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} + tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} + service_config_settings: + keystone: + glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} + glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} + glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} + glance::keystone::auth::password: {get_param: GlancePassword } + glance::keystone::auth::region: {get_param: KeystoneRegion} + glance::keystone::auth::tenant: 'service' + mysql: + glance::db::mysql::password: {get_param: GlancePassword} + glance::db::mysql::user: glance + glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + glance::db::mysql::dbname: glance + glance::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml index d5f01d46..c45582d4 100644 --- a/puppet/services/glance-registry.yaml +++ b/puppet/services/glance-registry.yaml @@ -27,12 +27,32 @@ parameters: type: string hidden: true GlanceWorkers: - default: 0 - description: Number of workers for Glance service. - type: number + default: '' + description: | + Number of worker processes for glance registry. If left unset (empty + string), the default value will result in the configuration being left + unset and a system-dependent default value will be chosen (e.g.: number of + processors). Please note that this will create a large number of processes + on systems with a large number of CPUs resulting in excess memory + consumption. It is recommended that a suitable non-default value be + selected on such systems. + type: string MonitoringSubscriptionGlanceRegistry: default: 'overcloud-glance-registry' type: string + GlanceRegistryLoggingSource: + type: json + default: + tag: openstack.glance.registry + path: /var/log/glance/registry.log + +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} outputs: role_data: @@ -40,41 +60,41 @@ outputs: value: service_name: glance_registry monitoring_subscription: {get_param: MonitoringSubscriptionGlanceRegistry} + logging_source: {get_param: GlanceRegistryLoggingSource} + logging_groups: + - glance config_settings: - glance::registry::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::registry::authtoken::password: {get_param: GlancePassword} - glance::registry::authtoken::project_name: 'service' - glance::registry::pipeline: 'keystone' - glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::registry::debug: {get_param: Debug} - glance::registry::workers: {get_param: GlanceWorkers} - glance::db::mysql::user: glance - glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - glance::db::mysql::dbname: glance - glance::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_registry.firewall_rules: - '112 glance_registry': - dport: - - 9191 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + + - glance::registry::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::registry::authtoken::password: {get_param: GlancePassword} + glance::registry::authtoken::project_name: 'service' + glance::registry::pipeline: 'keystone' + glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::registry::debug: {get_param: Debug} + glance::registry::workers: {get_param: GlanceWorkers} + tripleo.glance_registry.firewall_rules: + '112 glance_registry': + dport: + - 9191 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} step_config: | include ::tripleo::profile::base::glance::registry + service_config_settings: + get_attr: [GlanceBase, role_data, config_settings] diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 650865e2..ac15de4f 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -36,6 +36,14 @@ parameters: MonitoringSubscriptionGnocchiApi: default: 'overcloud-gnocchi-api' type: string + GnocchiApiLoggingSource: + type: json + default: + tag: openstack.gnocchi.api + path: /var/log/gnocchi/app.log + EnableInternalTLS: + type: boolean + default: false resources: @@ -52,6 +60,7 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -59,6 +68,9 @@ outputs: value: service_name: gnocchi_api monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi} + logging_source: {get_param: GnocchiApiLoggingSource} + logging_groups: + - gnocchi config_settings: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] @@ -69,18 +81,19 @@ outputs: - 8041 - 13041 gnocchi::api::enabled: true + gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' - gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] } - gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]} - gnocchi::keystone::auth::password: {get_param: GnocchiPassword} - gnocchi::keystone::auth::public_url: { get_param: [ EndpointMap, GnocchiPublic, uri ] } - gnocchi::keystone::auth::region: {get_param: KeystoneRegion} - gnocchi::keystone::auth::tenant: 'service' gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} gnocchi::keystone::authtoken::project_name: 'service' - gnocchi::wsgi::apache::ssl: false + gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS} + gnocchi::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples @@ -89,10 +102,31 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} - gnocchi::api::host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} + gnocchi::api::host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri]} step_config: | include ::tripleo::profile::base::gnocchi::api + service_config_settings: + keystone: + gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] } + gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]} + gnocchi::keystone::auth::password: {get_param: GnocchiPassword} + gnocchi::keystone::auth::public_url: { get_param: [ EndpointMap, GnocchiPublic, uri ] } + gnocchi::keystone::auth::region: {get_param: KeystoneRegion} + gnocchi::keystone::auth::tenant: 'service' + mysql: + gnocchi::db::mysql::password: {get_param: GnocchiPassword} + gnocchi::db::mysql::user: gnocchi + gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + gnocchi::db::mysql::dbname: gnocchi + gnocchi::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index 9f114ac4..556baae0 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -56,6 +56,7 @@ outputs: service_name: gnocchi_base config_settings: #Gnocchi engine + gnocchi_redis_password: {get_param: RedisPassword} gnocchi::debug: {get_param: Debug} gnocchi::db::database_connection: list_join: @@ -66,16 +67,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/gnocchi' - gnocchi::db::mysql::password: {get_param: GnocchiPassword} gnocchi::db::sync::extra_opts: '--skip-storage --create-legacy-resource-types' - gnocchi::storage::coordination_url: - list_join: - - '' - - - 'redis://:' - - {get_param: RedisPassword} - - '@' - - "%{hiera('redis_vip')}" - - ':6379/' gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 2 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} @@ -94,9 +86,3 @@ outputs: gnocchi::statsd::project_id: '6c38cd8d-099a-4cb2-aecf-17be688e8616' gnocchi::statsd::flush_delay: 10 gnocchi::statsd::archive_policy_name: 'low' - gnocchi::db::mysql::user: gnocchi - gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - gnocchi::db::mysql::dbname: gnocchi - gnocchi::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/gnocchi-metricd.yaml b/puppet/services/gnocchi-metricd.yaml index ebdebd1e..1400bc98 100644 --- a/puppet/services/gnocchi-metricd.yaml +++ b/puppet/services/gnocchi-metricd.yaml @@ -21,6 +21,10 @@ parameters: MonitoringSubscriptionGnocchiMetricd: default: 'overcloud-gnocchi-metricd' type: string + GnocchiMetricdWorkers: + default: '' + description: Number of workers for Gnocchi MetricD + type: string resources: GnocchiServiceBase: @@ -39,5 +43,6 @@ outputs: config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] + - gnocchi::metricd::workers: {get_param: GnocchiMetricdWorkers} step_config: | include ::tripleo::profile::base::gnocchi::metricd diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml index 04339f46..983d6c91 100644 --- a/puppet/services/gnocchi-statsd.yaml +++ b/puppet/services/gnocchi-statsd.yaml @@ -39,5 +39,9 @@ outputs: config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] + - tripleo.gnocchi_statsd.firewall_rules: + '140 gnocchi-statsd': + dport: 8125 + proto: 'udp' step_config: | include ::tripleo::profile::base::gnocchi::statsd diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml new file mode 100644 index 00000000..c6d53542 --- /dev/null +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -0,0 +1,51 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy internal TLS via certmonger role. + value: + service_name: haproxy_internal_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::use_internal_certificates: true + certificates_specs: + map_merge: + repeat: + template: + haproxy-NETWORK: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key' + hostname: "%{hiera('cloud_name_NETWORK')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_NETWORK')}" + for_each: + NETWORK: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml new file mode 100644 index 00000000..1551d16a --- /dev/null +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -0,0 +1,37 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy public TLS via certmonger role. + value: + service_name: haproxy_public_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + certificates_specs: + haproxy-external: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-external.key' + hostname: "%{hiera('cloud_name_external')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_external')}" diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 974928c5..0813cb7e 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > HAproxy service configured with Puppet @@ -48,6 +48,22 @@ parameters: default: 'overcloud-haproxy' type: string +resources: + + HAProxyPublicTLS: + type: OS::TripleO::Services::HAProxyPublicTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + + HAProxyInternalTLS: + type: OS::TripleO::Services::HAProxyInternalTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the HAproxy role. @@ -55,14 +71,21 @@ outputs: service_name: haproxy monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: - tripleo.haproxy.firewall_rules: - '107 haproxy stats': - dport: 1993 - tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} - tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} - tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} - tripleo::haproxy::redis_password: {get_param: RedisPassword} - tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface} - tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface} + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, config_settings] + - get_attr: [HAProxyInternalTLS, role_data, config_settings] + - tripleo.haproxy.firewall_rules: + '107 haproxy stats': + dport: 1993 + tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} + tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} + tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} + tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface} + tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface} + tripleo::profile::base::haproxy::certificates_specs: + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] + - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] step_config: | include ::tripleo::profile::base::haproxy diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index 61a69078..12d4a6a1 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml @@ -33,6 +33,11 @@ parameters: MonitoringSubscriptionHeatApiCnf: default: 'overcloud-heat-api-cfn' type: string + HeatApiCfnLoggingSource: + type: json + default: + tag: openstack.heat.api.cfn + path: /var/log/heat/heat-api-cfn.log resources: HeatBase: @@ -48,16 +53,13 @@ outputs: value: service_name: heat_api_cfn monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf} + logging_source: {get_param: HeatApiCfnLoggingSource} + logging_groups: + - heat config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] - heat::api_cfn::workers: {get_param: HeatWorkers} - heat::keystone::auth_cfn::tenant: 'service' - heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]} - heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]} - heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]} - heat::keystone::auth_cfn::password: {get_param: HeatPassword} - heat::keystone::auth::region: {get_param: KeystoneRegion} tripleo.heat_api_cfn.firewall_rules: '125 heat_cfn': dport: @@ -72,3 +74,13 @@ outputs: heat::api_cfn::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} step_config: | include ::tripleo::profile::base::heat::api_cfn + service_config_settings: + keystone: + map_merge: + - get_attr: [HeatBase, role_data, service_config_settings, keystone] + - heat::keystone::auth_cfn::tenant: 'service' + heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]} + heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]} + heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]} + heat::keystone::auth_cfn::password: {get_param: HeatPassword} + heat::keystone::auth_cfn::region: {get_param: KeystoneRegion} diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml index c12e56ef..6dfeaaf3 100644 --- a/puppet/services/heat-api-cloudwatch.yaml +++ b/puppet/services/heat-api-cloudwatch.yaml @@ -25,6 +25,11 @@ parameters: MonitoringSubscriptionHeatApiCloudwatch: default: 'overcloud-heat-api-cloudwatch' type: string + HeatApiCloudwatchLoggingSource: + type: json + default: + tag: openstack.heat.api.cloudwatch + path: /var/log/heat/heat-api-cloudwatch.log resources: HeatBase: @@ -40,6 +45,9 @@ outputs: value: service_name: heat_api_cloudwatch monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCloudwatch} + logging_source: {get_param: HeatApiCloudwatchLoggingSource} + logging_groups: + - heat config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 64b0c53b..b0cd16dd 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -33,6 +33,11 @@ parameters: MonitoringSubscriptionHeatApi: default: 'overcloud-heat-api' type: string + HeatApiLoggingSource: + type: json + default: + tag: openstack.heat.api + path: /var/log/heat/heat-api.log resources: HeatBase: @@ -48,16 +53,13 @@ outputs: value: service_name: heat_api monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi} + logging_source: {get_param: HeatApiLoggingSource} + logging_groups: + - heat config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] - heat::api::workers: {get_param: HeatWorkers} - heat::keystone::auth::tenant: 'service' - heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]} - heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]} - heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]} - heat::keystone::auth::password: {get_param: HeatPassword} - heat::keystone::auth::region: {get_param: KeystoneRegion} tripleo.heat_api.firewall_rules: '125 heat_api': dport: @@ -72,3 +74,13 @@ outputs: heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} step_config: | include ::tripleo::profile::base::heat::api + service_config_settings: + keystone: + map_merge: + - get_attr: [HeatBase, role_data, service_config_settings, keystone] + - heat::keystone::auth::tenant: 'service' + heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]} + heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]} + heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]} + heat::keystone::auth::password: {get_param: HeatPassword} + heat::keystone::auth::region: {get_param: KeystoneRegion} diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml index 7eb58f56..a2a65d7d 100644 --- a/puppet/services/heat-base.yaml +++ b/puppet/services/heat-base.yaml @@ -77,3 +77,8 @@ outputs: heat::cron::purge_deleted::destination: '/dev/null' heat::db::database_db_max_retries: -1 heat::db::database_max_retries: -1 + service_config_settings: + keystone: + tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack' + tripleo::profile::base::keystone::heat_admin_user: 'heat_stack_domain_admin' + tripleo::profile::base::keystone::heat_admin_email: 'heat_stack_domain_admin@localhost' diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index 089bf531..20415eef 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -43,6 +43,11 @@ parameters: MonitoringSubscriptionHeatEngine: default: 'overcloud-heat-engine' type: string + HeatEngineLoggingSource: + type: json + default: + tag: openstack.heat.engine + path: /var/log/heat/heat-engine.log resources: HeatBase: @@ -58,6 +63,9 @@ outputs: value: service_name: heat_engine monitoring_subscription: {get_param: MonitoringSubscriptionHeatEngine} + logging_source: {get_param: HeatEngineLoggingSource} + logging_groups: + - heat config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] @@ -75,14 +83,7 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/heat' heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} - heat::db::mysql::password: {get_param: HeatPassword} heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword} - heat::db::mysql::user: heat - heat::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - heat::db::mysql::dbname: heat - heat::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" heat::engine::auth_encryption_key: yaql: expression: $.data.passwords.where($ != '').first() @@ -92,3 +93,16 @@ outputs: - {get_param: [DefaultPasswords, heat_auth_encryption_key]} step_config: | include ::tripleo::profile::base::heat::engine + + service_config_settings: + mysql: + heat::db::mysql::password: {get_param: HeatPassword} + heat::db::mysql::user: heat + heat::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + heat::db::mysql::dbname: heat + heat::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + keystone: + # This is needed because the keystone profile handles creating the domain + heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword} diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index 6ea5ec4e..cea0c0b0 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -24,7 +24,8 @@ parameters: type: json HorizonAllowedHosts: default: '*' - description: A list of IP/Hostname allowed to connect to horizon + description: A list of IP/Hostname for the server Horizonis running on. + Used for header checks. type: comma_delimited_list HorizonSecret: description: Secret key for Django @@ -62,6 +63,7 @@ outputs: dport: - 80 - 443 + horizon::disable_password_reveal: true horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache horizon::django_session_engine: 'django.contrib.sessions.backends.cache' horizon::vhost_extra_params: diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index 5c3f370e..c8a2e833 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -58,12 +58,6 @@ outputs: ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]} # This is used to build links in responses ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} - ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]} - ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} - ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} - ironic::keystone::auth::auth_name: 'ironic' - ironic::keystone::auth::password: {get_param: IronicPassword } - ironic::keystone::auth::tenant: 'service' tripleo.ironic_api.firewall_rules: '133 ironic api': dport: @@ -71,3 +65,19 @@ outputs: - 13385 step_config: | include ::tripleo::profile::base::ironic::api + service_config_settings: + keystone: + ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]} + ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} + ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} + ironic::keystone::auth::auth_name: 'ironic' + ironic::keystone::auth::password: {get_param: IronicPassword } + ironic::keystone::auth::tenant: 'service' + mysql: + ironic::db::mysql::password: {get_param: IronicPassword} + ironic::db::mysql::user: ironic + ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ironic::db::mysql::dbname: ironic + ironic::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/ironic-base.yaml b/puppet/services/ironic-base.yaml index 2f242da8..0ff393c6 100644 --- a/puppet/services/ironic-base.yaml +++ b/puppet/services/ironic-base.yaml @@ -65,12 +65,5 @@ outputs: ironic::rabbit_password: {get_param: RabbitPassword} ironic::rabbit_port: {get_param: RabbitClientPort} ironic::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - ironic::db::mysql::password: {get_param: IronicPassword} - ironic::db::mysql::user: ironic - ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - ironic::db::mysql::dbname: ironic - ironic::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" step_config: | include ::tripleo::profile::base::ironic diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml index 2b069d67..38cfbe22 100644 --- a/puppet/services/keepalived.yaml +++ b/puppet/services/keepalived.yaml @@ -41,5 +41,8 @@ outputs: config_settings: tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface} tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface} + tripleo.keepalived.firewall_rules: + '106 keepalived vrrp': + proto: vrrp step_config: | include ::tripleo::profile::base::keepalived diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 2f01578e..69898718 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -18,6 +18,10 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + KernelPidMax: + default: 1048576 + description: Configures sysctl kernel.pid_max key + type: number outputs: role_data: @@ -39,11 +43,17 @@ outputs: net.netfilter.nf_conntrack_max: value: 500000 # prevent neutron bridges from autoconfiguring ipv6 addresses + net.ipv6.conf.all.accept_ra: + value: 0 net.ipv6.conf.default.accept_ra: value: 0 + net.ipv6.conf.all.autoconf: + value: 0 net.ipv6.conf.default.autoconf: value: 0 net.core.netdev_max_backlog: value: 10000 + kernel.pid_max: + value: {get_param: KernelPidMax} step_config: | include ::tripleo::profile::base::kernel diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 79033047..d819e043 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Keystone service configured with Puppet @@ -32,6 +32,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + KeystoneTokenProvider: + description: The keystone token format + type: string + default: 'uuid' + constraints: + - allowed_values: ['uuid', 'fernet'] ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -83,10 +89,24 @@ parameters: KeystoneWorkers: type: string description: Set the number of workers for keystone::wsgi::apache - default: '"%{::processorcount}"' + default: '"%{::os_workers}"' MonitoringSubscriptionKeystone: - default: 'overcloud-kestone' + default: 'overcloud-keystone' + type: string + KeystoneCredential0: type: string + description: The first Keystone credential key. Must be a valid key. + KeystoneCredential1: + type: string + description: The second Keystone credential key. Must be a valid key. + KeystoneLoggingSource: + type: json + default: + tag: openstack.keystone + path: /var/log/keystone/keystone.log + EnableInternalTLS: + type: boolean + default: false resources: @@ -96,6 +116,10 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + +conditions: + keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} outputs: role_data: @@ -103,7 +127,9 @@ outputs: value: service_name: keystone monitoring_subscription: {get_param: MonitoringSubscriptionKeystone} - config_settings: + logging_source: {get_param: KeystoneLoggingSource} + logging_groups: + - keystone config_settings: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] @@ -117,12 +143,20 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/keystone' keystone::admin_token: {get_param: AdminToken} + keystone::admin_password: {get_param: AdminPassword} keystone::roles::admin::password: {get_param: AdminPassword} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} + keystone::token_provider: {get_param: KeystoneTokenProvider} + keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]} keystone::enable_proxy_headers_parsing: true + keystone::enable_credential_setup: true + keystone::credential_keys: + '/etc/keystone/credential-keys/0': + content: {get_param: KeystoneCredential0} + '/etc/keystone/credential-keys/1': + content: {get_param: KeystoneCredential1} keystone::debug: {get_param: Debug} - keystone::db::mysql::password: {get_param: AdminToken} keystone::rabbit_userid: {get_param: RabbitUserName} keystone::rabbit_password: {get_param: RabbitPassword} keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} @@ -136,13 +170,6 @@ outputs: keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} keystone::endpoint::region: {get_param: KeystoneRegion} keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} - keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} - keystone::db::mysql::user: keystone - keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - keystone::db::mysql::dbname: keystone - keystone::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" keystone::rabbit_heartbeat_timeout_threshold: 60 keystone::cron::token_flush::maxdelay: 3600 keystone::roles::admin::service_tenant: 'service' @@ -152,8 +179,20 @@ outputs: ec2/driver: value: 'keystone.contrib.ec2.backends.sql.Ec2' keystone::service_name: 'httpd' - keystone::wsgi::apache::ssl: false - + keystone::enable_ssl: {get_param: EnableInternalTLS} + keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS} + keystone::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::servername_admin: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} # override via extraconfig: keystone::wsgi::apache::threads: 1 @@ -166,16 +205,35 @@ outputs: - 13000 - 35357 - 13357 + keystone::admin_bind_host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::public_bind_host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - # NOTE: this applies to all 4 bind IP settings below... - keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} - keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + # NOTE: this applies to all 2 bind IP settings below... keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} step_config: | include ::tripleo::profile::base::keystone + service_config_settings: + mysql: + keystone::db::mysql::password: {get_param: AdminToken} + keystone::db::mysql::user: keystone + keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + keystone::db::mysql::dbname: keystone + keystone::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/logging/fluentd-base.yaml b/puppet/services/logging/fluentd-base.yaml new file mode 100644 index 00000000..c8f67556 --- /dev/null +++ b/puppet/services/logging/fluentd-base.yaml @@ -0,0 +1,37 @@ +heat_template_version: 2016-04-08 + +description: Fluentd base service + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: > + Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + + +outputs: + role_data: + description: Role data for the Fluentd role. + value: + service_name: fluentd_base + config_settings: + fluentd::package_name: fluentd + fluentd::service_name: fluentd + fluentd::config_file: /etc/fluentd/fluent.conf + fluentd::config_owner: fluentd + fluentd::config_group: fluentd + fluentd::config_path: /etc/fluentd/config.d + fluentd::plugin_provider: yum + fluentd::service_provider: systemd + fluentd::repo_install: false diff --git a/puppet/services/logging/fluentd-client.yaml b/puppet/services/logging/fluentd-client.yaml new file mode 100644 index 00000000..3ae7110f --- /dev/null +++ b/puppet/services/logging/fluentd-client.yaml @@ -0,0 +1,64 @@ +heat_template_version: 2016-10-14 + +description: Fluentd client configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: > + Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + FluentdBase: + type: ./fluentd-base.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + + LoggingConfiguration: + type: OS::TripleO::LoggingConfiguration + +outputs: + role_data: + description: Role data for the Fluentd client role. + value: + service_name: fluentd_client + config_settings: + map_merge: + - get_attr: [FluentdBase, role_data, config_settings] + - tripleo::profile::base::logging::fluentd::fluentd_servers: + get_attr: [LoggingConfiguration, LoggingServers] + tripleo::profile::base::logging::fluentd::fluentd_filters: + yaql: + expression: > + $.data.filters.flatten().where($) + data: + filters: + - get_attr: [LoggingConfiguration, LoggingDefaultFilters] + - get_attr: [LoggingConfiguration, LoggingExtraFilters] + tripleo::profile::base::logging::fluentd::fluentd_pos_file_path: + get_attr: [LoggingConfiguration, LoggingPosFilePath] + tripleo::profile::base::logging::fluentd::fluentd_use_ssl: + get_attr: [LoggingConfiguration, LoggingUsesSSL] + tripleo::profile::base::logging::fluentd::fluentd_ssl_certificate: + get_attr: [LoggingConfiguration, LoggingSSLCertificate] + tripleo::profile::base::logging::fluentd::fluentd_ssl_key: + get_attr: [LoggingConfiguration, LoggingSSLKey] + tripleo::profile::base::logging::fluentd::fluentd_ssl_key_passphrase: + get_attr: [LoggingConfiguration, LoggingSSLKeyPassphrase] + tripleo::profile::base::logging::fluentd::fluentd_shared_key: + get_attr: [LoggingConfiguration, LoggingSharedKey] + step_config: | + include ::tripleo::profile::base::logging::fluentd diff --git a/puppet/services/logging/fluentd-config.yaml b/puppet/services/logging/fluentd-config.yaml new file mode 100644 index 00000000..58b423fd --- /dev/null +++ b/puppet/services/logging/fluentd-config.yaml @@ -0,0 +1,154 @@ +heat_template_version: 2016-10-14 + +description: Fluentd logging configuration + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: > + Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + LoggingDefaultFormat: + description: > + Default format used to parse messages from log files. + type: string + default: >- + /(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d+) + (?<pid>\d+) + (?<priority>\S+) + (?<message>.*)$/ + LoggingPosFilePath: + description: > + Directory in which to place fluentd pos_file files (used to track + file position for the 'tail' input type). + type: string + default: /var/cache/fluentd + LoggingDefaultGroups: + description: > + Make fluentd user a member of these groups. Only override this parameter + if you want to modify the default list of groups. Use + LoggingExtraGroups to add the fluentd user to additional groups. + type: comma_delimited_list + default: + - root + LoggingExtraGroups: + description: > + Make fluentd user a member of these groups (in addition to + LoggingDefaultGroups and the groups provided by individual + composable services). + type: comma_delimited_list + default: [] + LoggingServers: + description: | + A list of destinations to which fluentd will forward log messages. Expects + a list of dictionaries of the form: + + - host: loghost1.example.com + port: 24224 + - host: loghost2.example.com + port: 24224 + type: json + default: [] + LoggingDefaultFilters: + description: > + A list of fluentd default filters. This will be passed verbatim + to the 'filter' key of a fluentd::config resource. Only override this + if you do not want the default set of filters; use LoggingExtraFilters + if you just want to add additional servers. + type: json + default: + - tag_pattern: '**' + type: record_transformer + record: + host: '${hostname}' + + - tag_pattern: 'openstack.**' + type: record_transformer + record: + component: '${tag_parts[1]}' + LoggingExtraFilters: + description: > + A list of additional fluentd filters. This will be passed + verbatim to the 'filter' key of a fluentd::config resource. + type: json + default: [] + LoggingUsesSSL: + description: > + A boolean value indicating whether or not we should forward log messages + use the secure_forward plugin. + type: boolean + default: false + LoggingSSLCertificate: + description: > + PEM-encoded SSL CA certificate for fluentd. + type: string + default: "" + LoggingSSLKey: + description: > + PEM-encoded key for fluentd CA certificate (used by in_secure_forward). + type: string + default: "" + LoggingSSLKeyPassphrase: + description: > + Passphrase for LoggingSSLKey (used by in_secure_forward). + type: string + default: "" + LoggingSharedKey: + description: > + Shared secret for fluentd secure-forward plugin. + type: string + default: "" + LoggingDefaultSources: + description: > + A list of default logging sources for fluentd. You should only override + this parameter if you wish to disable the default logging sources. Use + LoggingExtraSources to define additional source configurations. + type: json + default: [] + LoggingExtraSources: + description: > + A list of additional logging sources for fluentd. These will be combined + with the LoggingDefaultSources and any logging sources defined by + composable services. + type: json + default: [] + +outputs: + LoggingDefaultFormat: + value: {get_param: LoggingDefaultFormat} + LoggingDefaultFilters: + value: {get_param: LoggingDefaultFilters} + LoggingExtraFilters: + value: {get_param: LoggingExtraFilters} + LoggingDefaultGroups: + value: {get_param: LoggingDefaultGroups} + LoggingExtraGroups: + value: {get_param: LoggingExtraGroups} + LoggingPosFilePath: + value: {get_param: LoggingPosFilePath} + LoggingSSLCertificate: + value: {get_param: LoggingSSLCertificate} + LoggingSSLKey: + value: {get_param: LoggingSSLKey} + LoggingSSLKeyPassphrase: + value: {get_param: LoggingSSLKeyPassphrase} + LoggingServers: + value: {get_param: LoggingServers} + LoggingSharedKey: + value: {get_param: LoggingSharedKey} + LoggingUsesSSL: + value: {get_param: LoggingUsesSSL} + LoggingDefaultSources: + value: {get_param: LoggingDefaultSources} + LoggingExtraSources: + value: {get_param: LoggingExtraSources} diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml index 2e43730d..b4b3d480 100644 --- a/puppet/services/manila-api.yaml +++ b/puppet/services/manila-api.yaml @@ -51,14 +51,11 @@ outputs: manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' - manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]} - manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]} - manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]} - manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]} - manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]} - manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]} - manila::keystone::auth::password: {get_param: ManilaPassword } - manila::keystone::auth::region: {get_param: KeystoneRegion } + tripleo.manila_api.firewall_rules: + '150 manila': + dport: + - 8786 + - 13786 # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): @@ -66,6 +63,19 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR manila::api::bind_host: {get_param: [ServiceNetMap, ManilaApiNetwork]} + manila::api::enable_proxy_headers_parsing: true step_config: | include ::tripleo::profile::base::manila::api - + service_config_settings: + map_merge: + - get_attr: [ManilaBase, role_data, service_config_settings] + - keystone: + manila::keystone::auth::tenant: 'service' + manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]} + manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]} + manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]} + manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]} + manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]} + manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]} + manila::keystone::auth::password: {get_param: ManilaPassword} + manila::keystone::auth::region: {get_param: KeystoneRegion} diff --git a/puppet/services/manila-backend-cephfs.yaml b/puppet/services/manila-backend-cephfs.yaml new file mode 100644 index 00000000..0fc39e2a --- /dev/null +++ b/puppet/services/manila-backend-cephfs.yaml @@ -0,0 +1,57 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Manila Cephfs backend + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + # CephFS Native backend params: + ManilaCephFSNativeBackendName: + type: string + default: cephfsnative + ManilaCephFSNativeDriverHandlesShareServers: + type: boolean + default: false + ManilaCephFSNativeShareBackendName: + type: string + default: 'cephfs' + ManilaCephFSNativeCephFSConfPath: + type: string + default: '/etc/ceph/ceph.conf' + ManilaCephFSNativeCephFSAuthId: + type: string + default: 'manila' + ManilaCephFSNativeCephFSClusterName: + type: string + default: 'ceph' + ManilaCephFSNativeCephFSEnableSnapshots: + type: boolean + default: true + +outputs: + role_data: + description: Role data for the Manila Cephfs backend. + value: + service_name: manila_backend_cephfs + config_settings: + manila::backend::cephfsnative::title: {get_param: ManilaCephFSNativeBackendName} + manila::backend::cephfsnative::driver_handles_share_servers: {get_param: ManilaCephFSNativeDriverHandlesShareServers} + manila::backend::cephfsnative::share_backend_name: {get_param: ManilaCephFSNativeShareBackendName} + manila::backend::cephfsnative::cephfs_conf_path: {get_param: ManilaCephFSNativeCephFSConfPath} + manila::backend::cephfsnative::cephfs_auth_id: {get_param: ManilaCephFSNativeCephFSAuthId} + manila::backend::cephfsnative::cephfs_cluster_name: {get_param: ManilaCephFSNativeCephFSClusterName} + manila::backend::cephfsnative::cephfs_enable_snapshots: {get_param: ManilaCephFSNativeCephFSEnableSnapshots} + step_config: diff --git a/puppet/services/manila-backend-generic.yaml b/puppet/services/manila-backend-generic.yaml new file mode 100644 index 00000000..c527666e --- /dev/null +++ b/puppet/services/manila-backend-generic.yaml @@ -0,0 +1,89 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Manila generic backend. + +parameters: + ManilaGenericBackendName: + type: string + default: tripleo_generic + ManilaGenericDriverHandlesShareServers: + type: string + default: true + ManilaGenericSmbTemplateConfigPath: + type: string + default: '$state_path/smb.conf' + ManilaGenericVolumeNameTemplate: + type: string + default: 'manila-share-%s' + ManilaGenericVolumeSnapshotNameTemplate: + type: string + default: 'manila-snapshot-%s' + ManilaGenericShareMountPath: + type: string + default: '/shares' + ManilaGenericMaxTimeToCreateVolume: + type: string + default: '180' + ManilaGenericMaxTimeToAttach: + type: string + default: '120' + ManilaGenericServiceInstanceSmbConfigPath: + type: string + default: '$share_mount_path/smb.conf' + ManilaGenericShareVolumeFsType: + type: string + default: 'ext4' + ManilaGenericCinderVolumeType: + type: string + default: '' + ManilaServiceInstanceUser: + type: string + default: '' + ManilaServiceInstancePassword: #SET THIS via parameter_defaults + type: string + hidden: true + ManilaServiceInstanceFlavorId: + type: number + default: 1 + ManilaServiceNetworkCidr: + type: string + default: '172.16.0.0/16' + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Manila Generic backend. + value: + service_name: manila_backend_generic + config_settings: + manila::backend::generic::title: {get_param: ManilaGenericBackendName} + manila::backend::generic::driver_handles_share_servers: {get_param: ManilaGenericDriverHandlesShareServers} + manila::backend::generic::smb_template_config_path: {get_param: ManilaGenericSmbTemplateConfigPath} + manila::backend::generic::volume_name_template: {get_param: ManilaGenericVolumeNameTemplate} + manila::backend::generic::volume_snapshot_name_template: {get_param: ManilaGenericVolumeSnapshotNameTemplate} + manila::backend::generic::share_mount_path: {get_param: ManilaGenericShareMountPath} + manila::backend::generic::max_time_to_create_volume: {get_param: ManilaGenericMaxTimeToCreateVolume} + manila::backend::generic::max_time_to_attach: {get_param: ManilaGenericMaxTimeToAttach} + manila::backend::generic::service_instance_smb_config_path: {get_param: ManilaGenericServiceInstanceSmbConfigPath} + manila::backend::generic::share_volume_fstype: {get_param: ManilaGenericShareVolumeFsType} + manila::backend::generic::cinder_volume_type: {get_param: ManilaGenericCinderVolumeType} + manila::service_instance::service_instance_user: {get_param: ManilaServiceInstanceUser} + manila::service_instance::service_instance_password: {get_param: ManilaServiceInstancePassword} + manila::service_instance::service_instance_flavor_id: {get_param: ManilaServiceInstanceFlavorId} + manila::service_instance::service_network_cidr: {get_param: ManilaServiceNetworkCidr} + + step_config: diff --git a/puppet/services/manila-backend-netapp.yaml b/puppet/services/manila-backend-netapp.yaml new file mode 100644 index 00000000..e6d2f250 --- /dev/null +++ b/puppet/services/manila-backend-netapp.yaml @@ -0,0 +1,108 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Manila netapp backend. + +parameters: + ManilaNetappDriverHandlesShareServers: + type: string + default: true + ManilaNetappBackendName: + type: string + default: tripleo_netapp + ManilaNetappLogin: + type: string + default: '' + ManilaNetappPassword: + type: string + default: '' + ManilaNetappServerHostname: + type: string + default: '' + ManilaNetappTransportType: + type: string + default: 'http' + ManilaNetappStorageFamily: + type: string + default: 'ontap_cluster' + ManilaNetappServerPort: + type: number + default: 80 + ManilaNetappVolumeNameTemplate: + type: string + default: 'share_%(share_id)s' + ManilaNetappVserver: + type: string + default: '' + ManilaNetappVserverNameTemplate: + type: string + default: 'os_%s' + ManilaNetappLifNameTemplate: + type: string + default: 'os_%(net_allocation_id)s' + ManilaNetappAggrNameSearchPattern: + type: string + default: '(.*)' + ManilaNetappRootVolumeAggr: + type: string + default: '' + ManilaNetappRootVolume: + type: string + default: 'root' + ManilaNetappPortNameSearchPattern: + type: string + default: '(.*)' + ManilaNetappTraceFlags: + type: string + default: '' + ManilaNetappEnabledShareProtocols: + type: string + default: 'nfs3, nfs4.0' + ManilaNetappVolumeSnapshotReservePercent: + type: number + default: 5 + ManilaNetappSnapmirrorQuiesceTimeout: + type: number + default: 3600 + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Manila Netapp backend. + value: + service_name: manila_backend_netapp + config_settings: + manila::backend::netapp::title: {get_param: ManilaNetappBackendName} + manila::backend::netapp::netapp_login: {get_param: ManilaNetappLogin} + manila::backend::netapp::driver_handles_share_servers: {get_param: ManilaNetappDriverHandlesShareServers} + manila::backend::netapp::netapp_password: {get_param: ManilaNetappPassword} + manila::backend::netapp::netapp_server_hostname: {get_param: ManilaNetappServerHostname} + manila::backend::netapp::netapp_transport_type: {get_param: ManilaNetappTransportType} + manila::backend::netapp::netapp_storage_family: {get_param: ManilaNetappStorageFamily} + manila::backend::netapp::netapp_server_port: {get_param: ManilaNetappServerPort} + manila::backend::netapp::netapp_volume_name_template: {get_param: ManilaNetappVolumeNameTemplate} + manila::backend::netapp::netapp_vserver: {get_param: ManilaNetappVserver} + manila::backend::netapp::netapp_vserver_name_template: {get_param: ManilaNetappVserverNameTemplate} + manila::backend::netapp::netapp_lif_name_template: {get_param: ManilaNetappLifNameTemplate} + manila::backend::netapp::netapp_aggregate_name_search_pattern: {get_param: ManilaNetappAggrNameSearchPattern} + manila::backend::netapp::netapp_root_volume_aggregate: {get_param: ManilaNetappRootVolumeAggr} + manila::backend::netapp::netapp_root_volume: {get_param: ManilaNetappRootVolume} + manila::backend::netapp::netapp_port_name_search_pattern: {get_param: ManilaNetappPortNameSearchPattern} + manila::backend::netapp::netapp_trace_flags: {get_param: ManilaNetappTraceFlags} + manila::backend::netapp::netapp_enabled_share_protocols: {get_param: ManilaNetappEnabledShareProtocols} + manila::backend::netapp::netapp_volume_snapshot_reserve_percent: {get_param: ManilaNetappVolumeSnapshotReservePercent} + manila::backend::netapp::netapp_snapmirror_quiesce_timeout: {get_param: ManilaNetappSnapmirrorQuiesceTimeout} + step_config: diff --git a/puppet/services/manila-base.yaml b/puppet/services/manila-base.yaml index 78bf1c63..844bd3a3 100644 --- a/puppet/services/manila-base.yaml +++ b/puppet/services/manila-base.yaml @@ -40,55 +40,10 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number - # Config specific parameters, to be provided via parameter_defaults - ManilaGenericEnableBackend: - type: boolean - default: true - ManilaGenericBackendName: - type: string - default: tripleo_generic - ManilaGenericDriverHandlesShareServers: - type: string - default: true - ManilaGenericSmbTemplateConfigPath: - type: string - default: '$state_path/smb.conf' - ManilaGenericVolumeNameTemplate: - type: string - default: 'manila-share-%s' - ManilaGenericVolumeSnapshotNameTemplate: - type: string - default: 'manila-snapshot-%s' - ManilaGenericShareMountPath: - type: string - default: '/shares' - ManilaGenericMaxTimeToCreateVolume: - type: string - default: '180' - ManilaGenericMaxTimeToAttach: - type: string - default: '120' - ManilaGenericServiceInstanceSmbConfigPath: - type: string - default: '$share_mount_path/smb.conf' - ManilaGenericShareVolumeFsType: - type: string - default: 'ext4' - ManilaGenericCinderVolumeType: - type: string - default: '' - ManilaGenericServiceInstanceUser: - type: string - default: '' - ManilaGenericServiceInstancePassword: #SET THIS via parameter_defaults + ManilaPassword: + description: The password for the manila service account. type: string hidden: true - ManilaGenericServiceInstanceFlavorId: - type: number - default: 1 - ManilaGenericServiceNetworkCidr: - type: string - default: '172.16.0.0/16' outputs: role_data: @@ -101,28 +56,23 @@ outputs: manila::rabbit_use_ssl: {get_param: RabbitClientUseSSL} manila::rabbit_port: {get_param: RabbitClientPort} manila::debug: {get_param: Debug} - manila::db::mysql::user: manila - manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - manila::db::mysql::dbname: manila manila::db::database_db_max_retries: -1 manila::db::database_max_retries: -1 - manila_generic_enable_backend: {get_param: ManilaGenericEnableBackend} - manila::backend::generic::title: {get_param: ManilaGenericBackendName} - manila::backend::generic::driver_handles_share_servers: {get_param: ManilaGenericDriverHandlesShareServers} - manila::backend::generic::smb_template_config_path: {get_param: ManilaGenericSmbTemplateConfigPath} - manila::backend::generic::volume_name_template: {get_param: ManilaGenericVolumeNameTemplate} - manila::backend::generic::volume_snapshot_name_template: {get_param: ManilaGenericVolumeSnapshotNameTemplate} - manila::backend::generic::share_mount_path: {get_param: ManilaGenericShareMountPath} - manila::backend::generic::max_time_to_create_volume: {get_param: ManilaGenericMaxTimeToCreateVolume} - manila::backend::generic::max_time_to_attach: {get_param: ManilaGenericMaxTimeToAttach} - manila::backend::generic::service_instance_smb_config_path: {get_param: ManilaGenericServiceInstanceSmbConfigPath} - manila::backend::generic::share_volume_fstype: {get_param: ManilaGenericShareVolumeFsType} - manila::backend::generic::cinder_volume_type: {get_param: ManilaGenericCinderVolumeType} - manila::service_instance::service_instance_user: {get_param: ManilaGenericServiceInstanceUser} - manila::service_instance::service_instance_password: {get_param: ManilaGenericServiceInstancePassword} - manila::service_instance::service_instance_flavor_id: {get_param: ManilaGenericServiceInstanceFlavorId} - manila::service_instance::service_network_cidr: {get_param: ManilaGenericServiceNetworkCidr} - manila::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - + manila::sql_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://manila:' + - {get_param: ManilaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/manila' + service_config_settings: + mysql: + manila::db::mysql::password: {get_param: ManilaPassword} + manila::db::mysql::user: manila + manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + manila::db::mysql::dbname: manila + manila::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/manila-scheduler.yaml b/puppet/services/manila-scheduler.yaml index 28addd68..d96b677b 100644 --- a/puppet/services/manila-scheduler.yaml +++ b/puppet/services/manila-scheduler.yaml @@ -54,18 +54,8 @@ outputs: - manila::compute::nova::nova_admin_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} manila::compute::nova::nova_admin_password: {get_param: NovaPassword} manila::compute::nova::nova_admin_tenant_name: 'service' - manila::db::mysql::password: {get_param: ManilaPassword} manila::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} manila::network::neutron::neutron_admin_auth_url: {get_param: [EndpointMap, NeutronAdmin, uri]} manila::network::neutron::neutron_admin_password: {get_param: NeutronPassword} - manila::sql_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://manila:' - - {get_param: ManilaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/manila' step_config: | include ::tripleo::profile::base::manila::scheduler diff --git a/puppet/services/manila-share.yaml b/puppet/services/manila-share.yaml index e42d2fae..49c69fc1 100644 --- a/puppet/services/manila-share.yaml +++ b/puppet/services/manila-share.yaml @@ -21,6 +21,10 @@ parameters: MonitoringSubscriptionManilaShare: default: 'overcloud-manila-share' type: string + ManilaPassword: + description: The password for the manila service account. + type: string + hidden: true resources: ManilaBase: @@ -40,5 +44,11 @@ outputs: map_merge: - get_attr: [ManilaBase, role_data, config_settings] - manila::volume::cinder::cinder_admin_tenant_name: 'service' + manila::keystone::authtoken::password: {get_param: ManilaPassword} + manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::project_name: 'service' + service_config_settings: + get_attr: [ManilaBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::manila::share diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml new file mode 100644 index 00000000..44d30358 --- /dev/null +++ b/puppet/services/mistral-api.yaml @@ -0,0 +1,52 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MistralWorkers: + default: 1 + description: The number of workers for the mistral-api. + type: number + +resources: + MistralBase: + type: ./mistral-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Mistral API role. + value: + service_name: mistral_api + config_settings: + map_merge: + - get_attr: [MistralBase, role_data, config_settings] + - mistral::api::api_workers: {get_param: MistralWorkers} + mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]} + tripleo.mistral_api.firewall_rules: + '133 mistral': + dport: + - 8989 + - 13989 + service_config_settings: + get_attr: [MistralBase, role_data, service_config_settings] + step_config: | + include ::tripleo::profile::base::mistral::api diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml new file mode 100644 index 00000000..a11624c0 --- /dev/null +++ b/puppet/services/mistral-base.yaml @@ -0,0 +1,93 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral base service. Shared for all Mistral services. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + MistralPassword: + description: The password for the Mistral service and db account, used by the Mistral services. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Shared role data for the Mistral services. + value: + service_name: mistral_base + config_settings: + mistral::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://mistral:' + - {get_param: MistralPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/mistral' + mistral::rabbit_userid: {get_param: RabbitUserName} + mistral::rabbit_password: {get_param: RabbitPassword} + mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + mistral::rabbit_port: {get_param: RabbitClientPort} + mistral::debug: {get_param: Debug} + mistral::keystone_password: {get_param: MistralPassword} + mistral::keystone_tenant: 'service' + mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} + mistral::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + service_config_settings: + keystone: + mistral::keystone::auth::tenant: 'service' + mistral::keystone::auth::public_url: {get_param: [EndpointMap, MistralPublic, uri]} + mistral::keystone::auth::internal_url: {get_param: [EndpointMap, MistralInternal, uri]} + mistral::keystone::auth::admin_url: {get_param: [EndpointMap, MistralAdmin, uri]} + mistral::keystone::auth::password: {get_param: MistralPassword} + mistral::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + mistral::db::mysql::user: mistral + mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + mistral::db::mysql::dbname: mistral + mistral::db::mysql::password: {get_param: MistralPassword} + mistral::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/mistral-engine.yaml b/puppet/services/mistral-engine.yaml new file mode 100644 index 00000000..10af670d --- /dev/null +++ b/puppet/services/mistral-engine.yaml @@ -0,0 +1,38 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral Engine service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + MistralBase: + type: ./mistral-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Mistral Engine role. + value: + service_name: mistral_engine + config_settings: + get_attr: [MistralBase, role_data, config_settings] + step_config: | + include ::tripleo::profile::base::mistral::engine diff --git a/puppet/services/mistral-executor.yaml b/puppet/services/mistral-executor.yaml new file mode 100644 index 00000000..7afaf0db --- /dev/null +++ b/puppet/services/mistral-executor.yaml @@ -0,0 +1,38 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + MistralBase: + type: ./mistral-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Mistral Executor role. + value: + service_name: mistral_executor + config_settings: + get_attr: [MistralBase, role_data, config_settings] + step_config: | + include ::tripleo::profile::base::mistral::executor diff --git a/puppet/services/monitoring/sensu-base.yaml b/puppet/services/monitoring/sensu-base.yaml index d7350d07..e5762328 100644 --- a/puppet/services/monitoring/sensu-base.yaml +++ b/puppet/services/monitoring/sensu-base.yaml @@ -43,7 +43,19 @@ parameters: description: The RabbitMQ vhost used for monitoring purposes. type: string default: '/sensu' - + SensuRedactVariables: + description: Variables from Sensu configuration, which have to be redacted. + type: array + default: + - password + - passwd + - pass + - api_key + - api_token + - access_key + - secret_key + - private_key + - secret outputs: role_data: @@ -61,8 +73,7 @@ outputs: sensu::rabbitmq_ssl: {get_param: MonitoringRabbitUseSSL} sensu::rabbitmq_user: {get_param: MonitoringRabbitUserName} sensu::rabbitmq_vhost: {get_param: MonitoringRabbitVhost} - #sensu::redis_host: {get_param: MonitoringRedisHost} - #sensu::redis_password: {get_param: MonitoringRedisPassword} + sensu::redact: {get_param: SensuRedactVariables} sensu::sensu_plugin_provider: 'yum' sensu::sensu_plugin_name: 'rubygem-sensu-plugin' sensu::version: 'present' diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index 3f37e750..a26c7458 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -18,6 +18,13 @@ parameters: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + AdminPassword: + description: Keystone admin user password + type: string + KeystoneRegion: + default: 'regionOne' + description: Keystone region for endpoint + type: string SensuClientCustomConfig: default: {} description: Hash containing custom sensu-client variables. @@ -44,6 +51,14 @@ outputs: - sensu::api: false sensu::client: true sensu::server: false - sensu::client_custom: {get_param: SensuClientCustomConfig} + sensu::client_custom: + map_merge: + - {get_param: SensuClientCustomConfig} + - openstack: + username: 'admin' + password: {get_param: AdminPassword} + auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + tenant_name: 'admin' + region: {get_param: KeystoneRegion} step_config: | include ::tripleo::profile::base::monitoring::sensu diff --git a/puppet/services/network/contrail-analytics.yaml b/puppet/services/network/contrail-analytics.yaml new file mode 100644 index 00000000..1c2331fa --- /dev/null +++ b/puppet/services/network/contrail-analytics.yaml @@ -0,0 +1,90 @@ +heat_template_version: 2016-04-08 + +description: > + Contrail Analytics service deployment using puppet, this YAML file + creates the interface between the HOT template + and the puppet manifest that actually installs + and configures Contrail Analytics. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ContrailAnalyticsHostIP: + description: host IP address of Analytics + type: string + ContrailAnalyticsRedisServerIp: + description: Redis server ip address + type: string + ContrailAnalyticsCollectorServerHttpPort: + description: Collector http port + type: number + default: 8089 + ContrailAnalyticsCollectorSandeshPort: + description: Collector sandesh port + type: number + default: 8086 + ContrailAnalyticsHttpServerPort: + description: Analytics http port + type: number + default: 8090 + ContrailAnalyticsListenAddress: + default: '0.0.0.0' + description: IP address Config API is listening on + type: string + ContrailAnalyticsListenPort: + default: 8082 + description: Port Config API is listening on + type: number + ContrailAnalyticsRedisServerPort: + description: Redis server port + type: number + default: 6379 + ContrailAnalyticsRestApiIp: + description: IP address Analytics rest interface listens on + type: string + default: '0.0.0.0' + ContrailAnalyticsRestApiPort: + description: Analytics rest port + type: number + default: 8081 + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role Contrail Analytics using composable services. + value: + service_name: contrail_analytics + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - contrail::analytics::collector_http_server_port: {get_param: ContrailAnalyticsCollectorServerHttpPort} + contrail::analytics::collector_sandesh_port: {get_param: ContrailAnalyticsCollectorSandeshPort} + contrail::analytics::host_ip: {get_param: ContrailAnalyticsHostIP} + contrail::analytics::http_server_port: {get_param: ContrailAnalyticsHttpServerPort} + contrail::analytics::listen_ip_address: {get_param: ContrailAnalyticsListenAddress} + contrail::analytics::listen_port: {get_param: ContrailAnalyticsListenPort} + contrail::analytics::redis_server: {get_param: ContrailAnalyticsRedisServerIp} + contrail::analytics::redis_server_port: {get_param: ContrailAnalyticsRedisServerPort} + contrail::analytics::rest_api_ip: {get_param: ContrailAnalyticsRestApiIp} + contrail::analytics::rest_api_port: {get_param: ContrailAnalyticsRestApiPort} + step_config: | + include ::tripleo::network::contrail::analytics diff --git a/puppet/services/network/contrail-base.yaml b/puppet/services/network/contrail-base.yaml new file mode 100644 index 00000000..03dbea5b --- /dev/null +++ b/puppet/services/network/contrail-base.yaml @@ -0,0 +1,100 @@ +heat_template_version: 2016-04-08 + +description: > + Base parameters for all Contrail Services. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + AdminPassword: + description: Keystone admin user password + type: string + AdminTenantName: + description: Keystone admin tenant name + type: string + AdminToken: + description: Keystone admin token + type: string + AdminUser: + description: Keystone admin user name + type: string + AuthHost: + description: Keystone host IP address + type: string + AuthPort: + default: 35357 + description: Keystone port + type: number + AuthProtocol: + default: 'http' + description: Keystone authentication protocol + type: string + ContrailDiscoveryServerIp: + description: Discovery server ip address + type: string + ContrailKafkaBrokerList: + description: List of kafka servers + type: comma_delimited_list + ContrailAuth: + default: 'keystone' + description: Keystone authentication method + type: string + ContrailCassandraServerList: + default: [] + description: List of cassandra servers + type: comma_delimited_list + ContrailDiscoveryServerPort: + description: Discovery server port + type: number + default: 5998 + ContrailInsecure: + default: false + description: Keystone insecure mode + type: boolean + ContrailMemcachedServer: + default: '127.0.0.1:12111' + description: Memcached server + type: string + ContrailMultiTenancy: + default: true + description: Turn on/off multi-tenancy + type: boolean + ContrailZkServerIp: + default: [] + description: List of zookeeper servers + type: comma_delimited_list + +outputs: + role_data: + description: Shared role data for the Contrail services. + value: + service_name: contrail_base + config_settings: + contrail::admin_password: {get_param: AdminPassword} + contrail::admin_tenant_name: {get_param: AdminTenantName} + contrail::admin_token: {get_param: AdminToken} + contrail::admin_user: {get_param: AdminUser} + contrail::auth_host: {get_param: [EndpointMap, KeystoneInternal, host] } + contrail::auth_port: {get_param: [EndpointMap, KeystoneInternal, port] } + contrail::auth_protocol: {get_param: [EndpointMap, KeystoneInternal, protocol] } + contrail::disc_server_ip: {get_param: ContrailDiscoveryServerIp} + contrail::kafka_broker_list: {get_param: ContrailKafkaBrokerList} + contrail::auth: {get_param: ContrailAuth} + contrail::cassandra_server_list: {get_param: ContrailCassandraServerList} + contrail::disc_server_port: {get_param: ContrailDiscoveryServerPort} + contrail::insecure: {get_param: ContrailInsecure} + contrail::memcached_server: {get_param: ContrailMemcachedServer} + contrail::multi_tenancy: {get_param: ContrailMultiTenancy} + contrail::zk_server_ip: {get_param: ContrailZkServerIp} diff --git a/puppet/services/network/contrail-config.yaml b/puppet/services/network/contrail-config.yaml new file mode 100644 index 00000000..0987fc75 --- /dev/null +++ b/puppet/services/network/contrail-config.yaml @@ -0,0 +1,72 @@ +heat_template_version: 2016-04-08 + +description: > + Contrail Config service deployment using puppet, this YAML file + creates the interface between the HOT template + and the puppet manifest that actually installs + and configures Contrail Config. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ContrailConfigIfmapServerIp: + description: Ifmap server ip address + type: string + ContrailConfigIfmapUserName: + description: Ifmap user name + type: string + ContrailConfigIfmapUserPassword: + description: Ifmap user password + type: string + ContrailConfigRabbitServerIp: + description: RabbitMq server ip address + type: string + ContrailConfigRedisServerIp: + description: Redis server ip address + type: string + ContrailConfigListenAddress: + default: '0.0.0.0' + description: IP address Config API is listening on + type: string + ContrailConfigListenPort: + default: 8082 + description: Port Config API is listening on + type: number + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role Contrail Config using composable services. + value: + service_name: contrail_config + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - contrail::config::ifmap_password: {get_param: ContrailConfigIfmapUserPassword} + contrail::config::ifmap_server_ip: {get_param: ContrailConfigIfmapServerIp} + contrail::config::ifmap_username: {get_param: ContrailConfigIfmapUserName} + contrail::config::listen_ip_address: {get_param: ContrailConfigListenAddress} + contrail::config::listen_port: {get_param: ContrailConfigListenPort} + contrail::config::rabbit_server: {get_param: ContrailConfigRabbitServerIp} + contrail::config::redis_server: {get_param: ContrailConfigRedisServerIp} + step_config: | + include ::tripleo::network::contrail::config diff --git a/puppet/services/network/contrail-control.yaml b/puppet/services/network/contrail-control.yaml new file mode 100644 index 00000000..9356e9e9 --- /dev/null +++ b/puppet/services/network/contrail-control.yaml @@ -0,0 +1,54 @@ +heat_template_version: 2016-04-08 + +description: > + Contrail Control service deployment using puppet, this YAML file + creates the interface between the HOT template + and the puppet manifest that actually installs + and configures Contrail Control. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ContrailControlHostIP: + description: host IP address of Analytics + type: string + ContrailControlIfmapUserName: + description: Ifmap user name + type: string + ContrailControlIfmapUserPassword: + description: Ifmap user password + type: string + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role Contrail Control using composable services. + value: + service_name: contrail_control + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - contrail::control::host_ip: {get_param: ContrailControlHostIP} + contrail::control::ifmap_username: {get_param: ContrailControlIfmapUserName} + contrail::control::ifmap_password: {get_param: ContrailControlIfmapUserPassword} + step_config: | + include ::tripleo::network::contrail::control diff --git a/puppet/services/network/contrail-database.yaml b/puppet/services/network/contrail-database.yaml new file mode 100644 index 00000000..e5712618 --- /dev/null +++ b/puppet/services/network/contrail-database.yaml @@ -0,0 +1,51 @@ +heat_template_version: 2016-04-08 + +description: > + Contrail Database service deployment using puppet, this YAML file + creates the interface between the HOT template + and the puppet manifest that actually installs + and configures Contrail Database. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ContrailDatabaseHostIP: + description: host IP address of Database node + type: string + ContrailDatabaseMinDisk: + description: Minimum disk size for database + type: number + default: 64 + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role Contrail Database using composable services. + value: + service_name: contrail_database + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - contrail::database::host_ip: {get_param: ContrailDatabaseHostIP} + contrail::database::minimum_diskGB: {get_param: ContrailDatabaseMinDisk} + step_config: | + include ::tripleo::profile::contrail::database diff --git a/puppet/services/network/contrail-webui.yaml b/puppet/services/network/contrail-webui.yaml new file mode 100644 index 00000000..72b9e1c0 --- /dev/null +++ b/puppet/services/network/contrail-webui.yaml @@ -0,0 +1,69 @@ +heat_template_version: 2016-04-08 + +description: > + Contrail WebUI service deployment using puppet, this YAML file + creates the interface between the HOT template + and the puppet manifest that actually installs + and configures Contrail WebUI. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ContrailWebUiAnalyticsVip: + description: Contrail Analytics VIP + type: string + ContrailWebUiConfigVip: + description: Contrail Config VIP + type: string + ContrailWebUiNeutronVip: + description: Neutron VIP + type: string + ContrailWebuiHttpPort: + default: 8080 + description: HTTP Port of Webui + type: number + ContrailWebuiHttpsPort: + default: 8143 + description: HTTPS Port of Webui + type: number + ContrailWebUiRedisIp: + description: Redis IP + type: string + default: '127.0.0.1' + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role Contrail WebUI using composable services. + value: + service_name: contrail_webui + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - contrail::webui::contrail_analytics_vip: {get_param: ContrailWebUiAnalyticsVip} + contrail::webui::contrail_config_vip: {get_param: ContrailWebUiConfigVip} + contrail::webui::contrail_webui_http_port: {get_param: ContrailWebuiHttpPort} + contrail::webui::contrail_webui_https_port: {get_param: ContrailWebuiHttpsPort} + contrail::webui::neutron_vip: {get_param: ContrailWebUiNeutronVip} + contrail::webui::redis_ip: {get_param: ContrailWebUiRedisIp} + step_config: | + include ::tripleo::network::contrail::webui diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 72ae7d9c..408eb795 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Neutron Server configured with Puppet @@ -37,10 +37,6 @@ parameters: default: 'True' description: Allow automatic l3-agent failover type: string - NeutronL3HA: - default: false - description: Whether to enable HA for virtual routers - type: boolean NovaPassword: description: The password for the nova service and db account, used by nova-api. type: string @@ -56,6 +52,41 @@ parameters: MonitoringSubscriptionNeutronServer: default: 'overcloud-neutron-server' type: string + NeutronApiLoggingSource: + type: json + default: + tag: openstack.neutron.api + path: /var/log/neutron/server.log + ControllerCount: + description: | + Under normal conditions, this should not be overridden manually and is + set at deployment time. The default value is present to allow the + template to be used in environments that do not override it. + default: 1 + type: number + + # DEPRECATED: the following options are deprecated and are currently maintained + # for backwards compatibility. They will be removed in the Ocata cycle. + NeutronL3HA: + default: false + description: | + Whether to enable HA for virtual routers. While the default value is + 'false', L3 HA will be automatically enabled if the number of nodes + hosting controller configurations and DVR is disabled. This parameter is + being deprecated in Newton and is scheduled to be removed in Ocata. + Future releases will enable L3 HA by default if it is appropriate for the + deployment type. Alternate mechanisms will be available to override. + type: boolean + +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. If you have concerns regarding deprecated + parameters, please contact the TripleO development team on IRC or the + OpenStack mailing list. + parameters: + - NeutronL3HA resources: @@ -66,16 +97,31 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} +conditions: + + auto_enable_l3_ha: + and: + - not: + equals: + - get_param: ControllerCount + - 1 + - equals: + - get_param: NeutronEnableDVR + - false + outputs: role_data: description: Role data for the Neutron Server agent service. value: service_name: neutron_api monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer} + logging_source: {get_param: NeutronApiLoggingSource} + logging_groups: + - neutron config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - neutron::server::database_connection: + - neutron::server::database_connection: list_join: - '' - - {get_param: [EndpointMap, MysqlInternal, protocol]} @@ -84,18 +130,13 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ovs_neutron' - neutron::keystone::auth::tenant: 'service' - neutron::keystone::auth::public_url: {get_param: [EndpointMap, NeutronPublic, uri]} - neutron::keystone::auth::internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] } - neutron::keystone::auth::admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] } - neutron::keystone::auth::password: {get_param: NeutronPassword} - neutron::keystone::auth::region: {get_param: KeystoneRegion} neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} neutron::server::api_workers: {get_param: NeutronWorkers} neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} - neutron::server::l3_ha: {get_param: NeutronL3HA} + neutron::server::l3_ha: {if: ["auto_enable_l3_ha", true, {get_param: NeutronL3HA}]} + neutron::server::enable_proxy_headers_parsing: true neutron::keystone::authtoken::password: {get_param: NeutronPassword} neutron::server::notifications::nova_url: { get_param: [ EndpointMap, NovaInternal, uri ] } @@ -105,23 +146,11 @@ outputs: neutron::server::notifications::password: {get_param: NovaPassword} neutron::keystone::authtoken::project_name: 'service' neutron::server::sync_db: true - neutron::db::mysql::password: {get_param: NeutronPassword} - neutron::db::mysql::user: neutron - neutron::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - neutron::db::mysql::dbname: ovs_neutron - neutron::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - tripleo.neutron_server.firewall_rules: - '114 neutron server': + tripleo.neutron_api.firewall_rules: + '114 neutron api': dport: - 9696 - 13696 - '118 neutron vxlan networks': - proto: 'udp' - dport: 4789 - '106 vrrp': - proto: vrrp neutron::server::router_distributed: {get_param: NeutronEnableDVR} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): @@ -131,3 +160,19 @@ outputs: neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} step_config: | include tripleo::profile::base::neutron::server + service_config_settings: + keystone: + neutron::keystone::auth::tenant: 'service' + neutron::keystone::auth::public_url: {get_param: [EndpointMap, NeutronPublic, uri]} + neutron::keystone::auth::internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] } + neutron::keystone::auth::admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] } + neutron::keystone::auth::password: {get_param: NeutronPassword} + neutron::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + neutron::db::mysql::password: {get_param: NeutronPassword} + neutron::db::mysql::user: neutron + neutron::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + neutron::db::mysql::dbname: ovs_neutron + neutron::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 4eb417c0..0b2cef07 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -33,7 +33,7 @@ parameters: from neutron.core_plugins namespace. type: string NeutronServicePlugins: - default: "router,qos" + default: "router,qos,trunk" description: | Comma-separated list of service plugin entrypoints to be loaded from the neutron.service_plugins namespace. diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml index b2ad5dab..2cd08f98 100644 --- a/puppet/services/neutron-dhcp.yaml +++ b/puppet/services/neutron-dhcp.yaml @@ -34,6 +34,11 @@ parameters: MonitoringSubscriptionNeutronDhcp: default: 'overcloud-neutron-dhcp' type: string + NeutronDhcpAgentLoggingSource: + type: json + default: + tag: openstack.neutron.agent.dhcp + path: /var/log/neutron/dhcp-agent.log resources: @@ -50,6 +55,9 @@ outputs: value: service_name: neutron_dhcp monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp} + logging_source: {get_param: NeutronDhcpAgentLoggingSource} + logging_groups: + - neutron config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] diff --git a/puppet/services/neutron-l3-compute-dvr.yaml b/puppet/services/neutron-l3-compute-dvr.yaml index 5eb3e252..b6c29116 100644 --- a/puppet/services/neutron-l3-compute-dvr.yaml +++ b/puppet/services/neutron-l3-compute-dvr.yaml @@ -29,6 +29,11 @@ parameters: MonitoringSubscriptionNeutronL3Dvr: default: 'overcloud-neutron-l3-dvr' type: string + NeutronL3ComputeAgentLoggingSource: + type: json + default: + tag: openstack.neutron.agent.l3-compute + path: /var/log/neutron/l3-agent.log resources: @@ -45,6 +50,9 @@ outputs: value: service_name: neutron_l3_compute_dvr monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3Dvr} + logging_source: {get_param: NeutronL3ComputeAgentLoggingSource} + logging_groups: + - neutron config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml index de62a507..a2157555 100644 --- a/puppet/services/neutron-l3.yaml +++ b/puppet/services/neutron-l3.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Neutron L3 agent configured with Puppet @@ -37,6 +37,15 @@ parameters: MonitoringSubscriptionNeutronL3: default: 'overcloud-neutron-l3-agent' type: string + NeutronL3AgentLoggingSource: + type: json + default: + tag: openstack.neutron.agent.l3 + path: /var/log/neutron/l3-agent.log + +conditions: + + external_network_bridge_empty: {equals : [{get_param: NeutronExternalNetworkBridge}, "''"]} resources: @@ -53,11 +62,21 @@ outputs: value: service_name: neutron_l3 monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3} + logging_source: {get_param: NeutronL3AgentLoggingSource} + logging_groups: + - neutron config_settings: map_merge: - - get_attr: [NeutronBase, role_data, config_settings] + - get_attr: [NeutronBase, role_data, config_settings] + - neutron::agents::l3::router_delete_namespaces: True + neutron::agents::l3::agent_mode: {get_param: NeutronL3AgentMode} + tripleo.neutron_l3.firewall_rules: + '106 neutron_l3 vrrp': + proto: vrrp + - + if: + - external_network_bridge_empty + - {} - neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge} - neutron::agents::l3::router_delete_namespaces: True - neutron::agents::l3::agent_mode : {get_param: NeutronL3AgentMode} step_config: | include tripleo::profile::base::neutron::l3 diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index 320ae0ce..8be4c6d6 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -23,9 +23,16 @@ parameters: type: string hidden: true NeutronWorkers: - default: 0 - description: Number of workers for Neutron service. - type: number + default: '' + description: | + Sets the number of worker processes for the neutron metadata agent. The + default value results in the configuration being left unset and a + system-dependent default will be chosen (usually the number of + processors). Please note that this can result in a large number of + processes and memory consumption on systems with a large core count. On + such systems it is recommended that a non-default value be selected that + matches the load requirements. + type: string NeutronPassword: description: The password for the neutron service and db account, used by neutron agents. type: string @@ -33,6 +40,11 @@ parameters: MonitoringSubscriptionNeutronMetadata: default: 'overcloud-neutron-metadata' type: string + NeutronMetadataAgentLoggingSource: + type: json + default: + tag: openstack.neutron.agent.metadata + path: /var/log/neutron/metadata-agent.log resources: @@ -49,6 +61,9 @@ outputs: value: service_name: neutron_metadata monitoring_subscription: {get_param: MonitoringSubscriptionNeutronMetadata} + logging_source: {get_param: NeutronMetadataAgentLoggingSource} + logging_groups: + - neutron config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] @@ -57,11 +72,6 @@ outputs: neutron::agents::metadata::auth_password: {get_param: NeutronPassword} neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' - # NOTE: bind IP is found in Heat replacing the network name with the local node IP - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - neutron::agents::metadata::metadata_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} + neutron::agents::metadata::metadata_ip: '"%{hiera(\"nova_metadata_vip\")}"' step_config: | include tripleo::profile::base::neutron::metadata diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index 36b609fc..cca0deee 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -56,6 +56,19 @@ parameters: MonitoringSubscriptionNeutronOvs: default: 'overcloud-neutron-ovs-agent' type: string + NeutronOVSFirewallDriver: + default: '' + description: | + Configure the classname of the firewall driver to use for implementing + security groups. Possible values depend on system configuration. Some + examples are: noop, openvswitch, iptables_hybrid. The default value of an + empty string will result in a default supported configuration. + type: string + NeutronOpenVswitchAgentLoggingSource: + type: json + default: + tag: openstack.neutron.agent.openvswitch + path: /var/log/neutron/openvswitch-agent.log resources: @@ -72,10 +85,13 @@ outputs: value: service_name: neutron_ovs_agent monitoring_subscription: {get_param: MonitoringSubscriptionNeutronOvs} + logging_source: {get_param: NeutronOpenVswitchAgentLoggingSource} + logging_groups: + - neutron config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - neutron::agents::ml2::ovs::l2_population: {get_param: NeutronEnableL2Pop} + - neutron::agents::ml2::ovs::l2_population: {get_param: NeutronEnableL2Pop} neutron::agents::ml2::ovs::enable_distributed_routing: {get_param: NeutronEnableDVR} neutron::agents::ml2::ovs::arp_responder: {get_param: NeutronEnableARPResponder} neutron::agents::ml2::ovs::bridge_mappings: @@ -100,5 +116,12 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} + neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver} + tripleo.neutron_ovs_agent.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '136 neutron gre networks': + proto: 'gre' step_config: | include ::tripleo::profile::base::neutron::ovs diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index 8ee98a3d..fdfa1c03 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -22,7 +22,7 @@ parameters: description: List of cores to be used for DPDK Poll Mode Driver type: string constraints: - - allowed_pattern: "[0-9,-]+" + - allowed_pattern: "'[0-9,-]+'" NeutronDpdkMemoryChannels: description: Number of memory channels to be used for DPDK type: string @@ -65,7 +65,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronOvsAgent, role_data, config_settings] - neutron::agents::ml2::ovs::enable_dpdk: true + - neutron::agents::ml2::ovs::enable_dpdk: true neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType} neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir} vswitch::dpdk::core_list: {get_param: NeutronDpdkCoreList} diff --git a/puppet/services/neutron-plugin-opencontrail.yaml b/puppet/services/neutron-plugin-opencontrail.yaml index 4e294965..098c9d05 100644 --- a/puppet/services/neutron-plugin-opencontrail.yaml +++ b/puppet/services/neutron-plugin-opencontrail.yaml @@ -59,7 +59,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions + - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions,/usr/lib/python2.7/site-packages/neutron_lbaas/extensions neutron::plugins::opencontrail::api_server_ip: {get_param: ContrailApiServerIp} neutron::plugins::opencontrail::api_server_port: {get_param: ContrailApiServerPort} diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index e1dbd8e1..49bd84bc 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova API service configured with Puppet @@ -46,8 +46,27 @@ parameters: MonitoringSubscriptionNovaApi: default: 'overcloud-nova-api' type: string + NovaApiLoggingSource: + type: json + default: + tag: openstack.nova.api + path: /var/log/nova/nova-api.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + NovaBase: type: ./nova-base.yaml properties: @@ -61,47 +80,82 @@ outputs: value: service_name: nova_api monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi} + logging_source: {get_param: NovaApiLoggingSource} + logging_groups: + - nova config_settings: map_merge: - - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] + - nova::cron::archive_deleted_rows::hour: '"*/12"' + nova::cron::archive_deleted_rows::destination: '"/dev/null"' + tripleo.nova_api.firewall_rules: + '113 nova_api': + dport: + - 8773 + - 3773 + - 8774 + - 13774 + - 8775 + nova::keystone::authtoken::project_name: 'service' + nova::keystone::authtoken::password: {get_param: NovaPassword} + nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::api::enabled: true + nova::api::default_floating_pool: 'public' + nova::api::sync_db_api: true + nova::api::enable_proxy_headers_parsing: true + nova::api::api_bind_address: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::service_name: 'httpd' + nova::wsgi::apache::ssl: {get_param: EnableInternalTLS} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + nova::api::instance_name_template: {get_param: InstanceNameTemplate} + nova_enable_db_purge: {get_param: NovaEnableDBPurge} + - + if: + - nova_workers_zero + - {} - nova::api::osapi_compute_workers: {get_param: NovaWorkers} - nova::api::metadata_workers: {get_param: NovaWorkers} - nova::cron::archive_deleted_rows::hour: '"*/12"' - nova::cron::archive_deleted_rows::destination: '"/dev/null"' - tripleo.nova_api.firewall_rules: - '113 nova_api': - dport: - - 6080 - - 13080 - - 8773 - - 3773 - - 8774 - - 13774 - - 8775 - nova::keystone::authtoken::project_name: 'service' - nova::keystone::authtoken::password: {get_param: NovaPassword} - nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - nova::api::enabled: true - nova::api::default_floating_pool: 'public' - nova::api::sync_db_api: true - nova::api::enable_proxy_headers_parsing: true - nova::keystone::auth::tenant: 'service' - nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]} - nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]} - nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} - nova::keystone::auth::password: {get_param: NovaPassword} - nova::keystone::auth::region: {get_param: KeystoneRegion} - # NOTE: bind IP is found in Heat replacing the network name with the local node IP - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} - nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} - nova::api::instance_name_template: {get_param: InstanceNameTemplate} - nova_enable_db_purge: {get_param: NovaEnableDBPurge} - + nova::wsgi::apache::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::api + service_config_settings: + keystone: + nova::keystone::auth::tenant: 'service' + nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]} + nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]} + nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} + nova::keystone::auth::password: {get_param: NovaPassword} + nova::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + nova::db::mysql::password: {get_param: NovaPassword} + nova::db::mysql::user: nova + nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + nova::db::mysql::dbname: nova + nova::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + nova::db::mysql_api::password: {get_param: NovaPassword} + nova::db::mysql_api::user: nova_api + nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + nova::db::mysql_api::dbname: nova_api + nova::db::mysql_api::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 24a63bb4..8db00d8f 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -95,20 +95,6 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_api' - nova::db::mysql::password: {get_param: NovaPassword} - nova::db::mysql::user: nova - nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql::dbname: nova - nova::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - nova::db::mysql_api::password: {get_param: NovaPassword} - nova::db::mysql_api::user: nova_api - nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql_api::dbname: nova_api - nova::db::mysql_api::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" nova::debug: {get_param: Debug} nova::purge_config: {get_param: EnableConfigPurge} nova::network::neutron::neutron_project_name: 'service' @@ -123,18 +109,6 @@ outputs: nova::notify_on_state_change: 'vm_and_task_state' nova::notification_driver: messagingv2 nova::network::neutron::neutron_auth_type: 'v3password' - nova::db::mysql::user: nova - nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql::dbname: nova - nova::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - nova::db::mysql_api::user: nova_api - nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql_api::dbname: nova_api - nova::db::mysql_api::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" nova::db::database_db_max_retries: -1 nova::db::database_max_retries: -1 nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index ccdcb52f..f7f2510e 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -70,6 +70,11 @@ parameters: MonitoringSubscriptionNovaCompute: default: 'overcloud-nova-compute' type: string + NovaComputeLoggingSource: + type: json + default: + tag: openstack.nova.compute + path: /var/log/nova/nova-compute.log resources: NovaBase: @@ -85,6 +90,9 @@ outputs: value: service_name: nova_compute monitoring_subscription: {get_param: MonitoringSubscriptionNovaCompute} + logging_source: {get_param: NovaComputeLoggingSource} + logging_groups: + - nova config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] @@ -128,7 +136,10 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR nova::compute::vncserver_proxyclient_address: {get_param: [ServiceNetMap, NovaVncProxyNetwork]} - nova::compute::vncproxy_host: {get_param: [EndpointMap, NovaPublic, host]} + nova::compute::vncproxy_host: {get_param: [EndpointMap, NovaPublic, host_nobrackets]} + nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyPublic, protocol]} + nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyPublic, host_nobrackets]} + nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]} step_config: | # TODO(emilien): figure how to deal with libvirt profile. # We'll probably treat it like we do with Neutron plugins. diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index 5dbc7cac..a10d9560 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova Conductor service configured with Puppet @@ -25,6 +25,14 @@ parameters: MonitoringSubscriptionNovaConductor: default: 'overcloud-nova-conductor' type: string + NovaSchedulerLoggingSource: + type: json + default: + tag: openstack.nova.scheduler + path: /var/log/nova/nova-scheduler.log + +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} resources: NovaBase: @@ -40,9 +48,16 @@ outputs: value: service_name: nova_conductor monitoring_subscription: {get_param: MonitoringSubscriptionNovaConductor} + logging_source: {get_param: NovaSchedulerLoggingSource} + logging_groups: + - nova config_settings: map_merge: - - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaBase, role_data, config_settings] + - + if: + - nova_workers_zero + - {} - nova::conductor::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::conductor diff --git a/puppet/services/nova-consoleauth.yaml b/puppet/services/nova-consoleauth.yaml index 13e3a26a..85e60420 100644 --- a/puppet/services/nova-consoleauth.yaml +++ b/puppet/services/nova-consoleauth.yaml @@ -21,6 +21,11 @@ parameters: MonitoringSubscriptionNovaConsoleauth: default: 'overcloud-nova-consoleauth' type: string + NovaConsoleauthLoggingSource: + type: json + default: + tag: openstack.nova.consoleauth + path: /var/log/nova/nova-consoleauth.log resources: NovaBase: @@ -36,6 +41,9 @@ outputs: value: service_name: nova_consoleauth monitoring_subscription: {get_param: MonitoringSubscriptionNovaConsoleauth} + logging_source: {get_param: NovaConsoleauthLoggingSource} + logging_groups: + - nova config_settings: get_attr: [NovaBase, role_data, config_settings] step_config: | diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index b5ca2437..70774bac 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -50,6 +50,13 @@ outputs: tripleo::profile::base::nova::libvirt_enabled: true nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType} nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType} + tripleo.nova_libvirt.firewall_rules: + '200 nova_libvirt': + dport: + - 16509 + - 16514 + - '49152-49215' + - '5900-5999' step_config: | include tripleo::profile::base::nova::libvirt diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml new file mode 100644 index 00000000..40931da6 --- /dev/null +++ b/puppet/services/nova-metadata.yaml @@ -0,0 +1,42 @@ +heat_template_version: 2016-10-14 + +description: > + OpenStack Nova API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NovaWorkers: + default: 0 + description: Number of workers for Nova API service. + type: number + +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + +outputs: + role_data: + description: Role data for the Nova Metadata service. + value: + service_name: nova_metadata + config_settings: + map_merge: + - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + - + if: + - nova_workers_zero + - {} + - nova::api::metadata_workers: {get_param: NovaWorkers} + step_config: "" diff --git a/puppet/services/nova-scheduler.yaml b/puppet/services/nova-scheduler.yaml index 3ffc9c5a..d4e5fff6 100644 --- a/puppet/services/nova-scheduler.yaml +++ b/puppet/services/nova-scheduler.yaml @@ -32,6 +32,11 @@ parameters: MonitoringSubscriptionNovaScheduler: default: 'overcloud-nova-scheduler' type: string + NovaSchedulerLoggingSource: + type: json + default: + tag: openstack.nova.scheduler + path: /var/log/nova/nova-scheduler.log resources: NovaBase: @@ -47,10 +52,13 @@ outputs: value: service_name: nova_scheduler monitoring_subscription: {get_param: MonitoringSubscriptionNovaScheduler} + logging_source: {get_param: NovaSchedulerLoggingSource} + logging_groups: + - nova config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] - - nova::scheduler::filter::ram_allocation_ratio: '1.0' + - nova::ram_allocation_ratio: '1.0' nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters} nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters} step_config: | diff --git a/puppet/services/nova-vncproxy.yaml b/puppet/services/nova-vnc-proxy.yaml index ce15fccc..e6b0703f 100644 --- a/puppet/services/nova-vncproxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml @@ -21,6 +21,11 @@ parameters: MonitoringSubscriptionNovaVNCProxy: default: 'overcloud-nova-vncproxy' type: string + NovaVncproxyLoggingSource: + type: json + default: + tag: openstack.nova.vncproxy + path: /var/log/nova/nova-vncproxy.log resources: NovaBase: @@ -34,21 +39,17 @@ outputs: role_data: description: Role data for the Nova Vncproxy service. value: - service_name: nova_vncproxy + service_name: nova_vnc_proxy monitoring_subscription: {get_param: MonitoringSubscriptionNovaVNCProxy} + logging_source: {get_param: NovaVncproxyLoggingSource} + logging_groups: + - nova config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] - nova::vncproxy::enabled: true nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyPublic, protocol]} - # Remove brackets that may come if the IP address is IPv6. - # For DNS names and IPv4, this will just get NovaVNCProxyPublic - nova::vncproxy::common::vncproxy_host: - str_replace: - template: {get_param: [EndpointMap, NovaVNCProxyPublic, host]} - params: - '[': '' - ']': '' + nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyPublic, host_nobrackets]} nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): @@ -56,5 +57,10 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]} + tripleo.nova_vnc_proxy.firewall_rules: + '137 nova_vnc_proxy': + dport: + - 6080 + - 13080 step_config: | include tripleo::profile::base::nova::vncproxy diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml index d2ee036e..253d63ef 100644 --- a/puppet/services/opendaylight-api.yaml +++ b/puppet/services/opendaylight-api.yaml @@ -8,10 +8,6 @@ parameters: default: 8081 description: Set opendaylight service port type: number - EnableOpenDaylightOnController: - default: false - description: Whether to install OpenDaylight on control nodes. - type: boolean OpenDaylightUsername: default: 'admin' description: The username for the opendaylight server. @@ -33,14 +29,6 @@ parameters: description: List of features to install with ODL type: comma_delimited_list default: ["odl-netvirt-openstack","odl-netvirt-ui"] - OpenDaylightConnectionProtocol: - description: L7 protocol used for REST access - type: string - default: 'http' - OpenDaylightCheckURL: - description: URL postfix to verify ODL has finished starting up - type: string - default: 'restconf/operational/network-topology:network-topology/topology/netvirt:1' OpenDaylightApiVirtualIP: type: string default: '' @@ -66,15 +54,11 @@ outputs: service_name: opendaylight_api config_settings: opendaylight::odl_rest_port: {get_param: OpenDaylightPort} - odl_on_controller: {get_param: EnableOpenDaylightOnController} - opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::username: {get_param: OpenDaylightUsername} opendaylight::password: {get_param: OpenDaylightPassword} opendaylight::enable_l3: {get_param: OpenDaylightEnableL3} opendaylight::extra_features: {get_param: OpenDaylightFeatures} opendaylight::enable_dhcp: {get_param: OpenDaylightEnableDHCP} - opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} - opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpenDaylightApiNetwork]} + opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} step_config: | include tripleo::profile::base::neutron::opendaylight - include tripleo::profile::base::neutron::plugins::ovs::opendaylight diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index 8bcb72f7..907ecddc 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml @@ -19,6 +19,11 @@ parameters: OpenDaylightApiVirtualIP: type: string default: '' + OpenDaylightProviderMappings: + description: Mappings between logical networks and physical interfaces. + Required for VLAN deployments. For example physnet1 -> eth1. + type: comma_delimited_list + default: "datacentre:br-ex" EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -43,5 +48,17 @@ outputs: opendaylight::odl_rest_port: {get_param: OpenDaylightPort} opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} + neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} + neutron::plugins::ovs::opendaylight::provider_mappings: + str_replace: + template: MAPPINGS + params: + MAPPINGS: {get_param: OpenDaylightProviderMappings} + tripleo.opendaylight_ovs.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '136 neutron gre networks': + proto: 'gre' step_config: | include tripleo::profile::base::neutron::plugins::ovs::opendaylight diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 5d1d666a..abfb9c80 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -66,6 +66,16 @@ parameters: ] } type: json + PacemakerLoggingSource: + type: json + default: + tag: system.pacemaker + path: /var/log/pacemaker.log,/var/log/cluster/corosync.log + format: >- + /^(?<time>[^ ]*\s*[^ ]* [^ ]*) + \[(?<pid>[^ ]*)\] + (?<host>[^ ]*) + (?<message>.*)$/ outputs: role_data: @@ -73,6 +83,9 @@ outputs: value: service_name: pacemaker monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker} + logging_groups: + - haclient + logging_source: {get_param: PacemakerLoggingSource} config_settings: pacemaker::corosync::cluster_name: 'tripleo_cluster' pacemaker::corosync::manage_fw: false diff --git a/puppet/services/pacemaker/cinder-api.yaml b/puppet/services/pacemaker/cinder-api.yaml index e4bcfc3e..6823789e 100644 --- a/puppet/services/pacemaker/cinder-api.yaml +++ b/puppet/services/pacemaker/cinder-api.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: cinder_api monitoring_subscription: {get_attr: [CinderApiBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [CinderApiBase, role_data, logging_source]} + logging_groups: {get_attr: [CinderApiBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [CinderApiBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/cinder-scheduler.yaml b/puppet/services/pacemaker/cinder-scheduler.yaml index eb578e5c..15e44be2 100644 --- a/puppet/services/pacemaker/cinder-scheduler.yaml +++ b/puppet/services/pacemaker/cinder-scheduler.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: cinder_scheduler monitoring_subscription: {get_attr: [CinderSchedulerBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [CinderSchedulerBase, role_data, logging_source]} + logging_groups: {get_attr: [CinderSchedulerBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [CinderSchedulerBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/cinder-volume.yaml b/puppet/services/pacemaker/cinder-volume.yaml index d5dedf34..d91a0181 100644 --- a/puppet/services/pacemaker/cinder-volume.yaml +++ b/puppet/services/pacemaker/cinder-volume.yaml @@ -34,10 +34,13 @@ outputs: value: service_name: cinder_volume monitoring_subscription: {get_attr: [CinderVolumeBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [CinderVolumeBase, role_data, logging_source]} + logging_groups: {get_attr: [CinderVolumeBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [CinderVolumeBase, role_data, config_settings] - cinder::volume::manage_service: false cinder::volume::enabled: false + cinder::host: hostgroup step_config: include ::tripleo::profile::pacemaker::cinder::volume diff --git a/puppet/services/pacemaker/database/mongodb.yaml b/puppet/services/pacemaker/database/mongodb.yaml index 64ae2e91..982b6064 100644 --- a/puppet/services/pacemaker/database/mongodb.yaml +++ b/puppet/services/pacemaker/database/mongodb.yaml @@ -22,7 +22,7 @@ parameters: resources: MongoDbBase: - type: ../../database/mongodb-base.yaml + type: ../../database/mongodb.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index d555ed0a..7deaf0ca 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -35,6 +35,21 @@ outputs: value: service_name: mysql config_settings: - get_attr: [MysqlBase, role_data, config_settings] + map_merge: + - get_attr: [MysqlBase, role_data, config_settings] + - tripleo::profile::pacemaker::database::mysql::bind_address: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + tripleo::profile::pacemaker::database::mysql::gmcast_listen_addr: + get_param: [ServiceNetMap, MysqlNetwork] step_config: | include ::tripleo::profile::pacemaker::database::mysql diff --git a/puppet/services/pacemaker/database/redis.yaml b/puppet/services/pacemaker/database/redis.yaml index d9156e67..196754eb 100644 --- a/puppet/services/pacemaker/database/redis.yaml +++ b/puppet/services/pacemaker/database/redis.yaml @@ -21,7 +21,7 @@ parameters: resources: RedisBase: - type: ../../database/redis-base.yaml + type: ../../database/redis.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} diff --git a/puppet/services/pacemaker/glance-api.yaml b/puppet/services/pacemaker/glance-api.yaml index 684785af..20a439f6 100644 --- a/puppet/services/pacemaker/glance-api.yaml +++ b/puppet/services/pacemaker/glance-api.yaml @@ -58,6 +58,8 @@ outputs: value: service_name: glance_api monitoring_subscription: {get_attr: [GlanceApiBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [GlanceApiBase, role_data, logging_source]} + logging_groups: {get_attr: [GlanceApiBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [GlanceApiBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/glance-registry.yaml b/puppet/services/pacemaker/glance-registry.yaml index 5bcabcab..41f89fdd 100644 --- a/puppet/services/pacemaker/glance-registry.yaml +++ b/puppet/services/pacemaker/glance-registry.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: glance_registry monitoring_subscription: {get_attr: [GlanceRegistryBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [GlanceRegistryBase, role_data, logging_source]} + logging_groups: {get_attr: [GlanceRegistryBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [GlanceRegistryBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/heat-api-cfn.yaml b/puppet/services/pacemaker/heat-api-cfn.yaml index eae01b58..dd25905b 100644 --- a/puppet/services/pacemaker/heat-api-cfn.yaml +++ b/puppet/services/pacemaker/heat-api-cfn.yaml @@ -33,6 +33,8 @@ outputs: value: service_name: heat_api_cfn monitoring_subscription: {get_attr: [HeatApiCfnBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [HeatApiCfnBase, role_data, logging_source]} + logging_groups: {get_attr: [HeatApiCfnBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [HeatApiCfnBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/heat-api-cloudwatch.yaml b/puppet/services/pacemaker/heat-api-cloudwatch.yaml index 5608ae91..18d2a0d5 100644 --- a/puppet/services/pacemaker/heat-api-cloudwatch.yaml +++ b/puppet/services/pacemaker/heat-api-cloudwatch.yaml @@ -33,6 +33,8 @@ outputs: value: service_name: heat_api_cloudwatch monitoring_subscription: {get_attr: [HeatApiCloudwatchBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [HeatApiCloudwatchBase, role_data, logging_source]} + logging_groups: {get_attr: [HeatApiCloudwatchBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [HeatApiCloudwatchBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/heat-api.yaml b/puppet/services/pacemaker/heat-api.yaml index 6fd790c4..43122cb0 100644 --- a/puppet/services/pacemaker/heat-api.yaml +++ b/puppet/services/pacemaker/heat-api.yaml @@ -33,6 +33,8 @@ outputs: value: service_name: heat_api monitoring_subscription: {get_attr: [HeatApiBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [HeatApiBase, role_data, logging_source]} + logging_groups: {get_attr: [HeatApiBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [HeatApiBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/heat-engine.yaml b/puppet/services/pacemaker/heat-engine.yaml index b8c962a8..54bfdad2 100644 --- a/puppet/services/pacemaker/heat-engine.yaml +++ b/puppet/services/pacemaker/heat-engine.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: heat_engine monitoring_subscription: {get_attr: [HeatEngineBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [HeatEngineBase, role_data, logging_source]} + logging_groups: {get_attr: [HeatEngineBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [HeatEngineBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/keystone.yaml b/puppet/services/pacemaker/keystone.yaml index 0a479c9a..908b9bbd 100644 --- a/puppet/services/pacemaker/keystone.yaml +++ b/puppet/services/pacemaker/keystone.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: keystone monitoring_subscription: {get_attr: [KeystoneServiceBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [KeystoneServiceBase, role_data, logging_source]} + logging_groups: {get_attr: [KeystoneServiceBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [KeystoneServiceBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/neutron-dhcp.yaml b/puppet/services/pacemaker/neutron-dhcp.yaml index 9b9e5849..7fca73d6 100644 --- a/puppet/services/pacemaker/neutron-dhcp.yaml +++ b/puppet/services/pacemaker/neutron-dhcp.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: neutron_dhcp monitoring_subscription: {get_attr: [NeutronDhcpBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [NeutronDhcpBase, role_data, logging_source]} + logging_groups: {get_attr: [NeutronDhcpBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [NeutronDhcpBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/neutron-l3.yaml b/puppet/services/pacemaker/neutron-l3.yaml index 21ac02d4..cdb87f50 100644 --- a/puppet/services/pacemaker/neutron-l3.yaml +++ b/puppet/services/pacemaker/neutron-l3.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: neutron_l3 monitoring_subscription: {get_attr: [NeutronL3Base, role_data, monitoring_subscription]} + logging_source: {get_attr: [NeutronL3Base, role_data, logging_source]} + logging_groups: {get_attr: [NeutronL3Base, role_data, logging_groups]} config_settings: map_merge: - get_attr: [NeutronL3Base, role_data, config_settings] diff --git a/puppet/services/pacemaker/neutron-metadata.yaml b/puppet/services/pacemaker/neutron-metadata.yaml index 8c22d42d..49a31eb5 100644 --- a/puppet/services/pacemaker/neutron-metadata.yaml +++ b/puppet/services/pacemaker/neutron-metadata.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: neutron_metadata monitoring_subscription: {get_attr: [NeutronMetadataBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [NeutronMetadataBase, role_data, logging_source]} + logging_groups: {get_attr: [NeutronMetadataBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [NeutronMetadataBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/neutron-ovs-agent.yaml b/puppet/services/pacemaker/neutron-ovs-agent.yaml index 18d60735..a2bd7c83 100644 --- a/puppet/services/pacemaker/neutron-ovs-agent.yaml +++ b/puppet/services/pacemaker/neutron-ovs-agent.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: neutron_ovs_agent monitoring_subscription: {get_attr: [NeutronOvsBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [NeutronOvsBase, role_data, logging_source]} + logging_groups: {get_attr: [NeutronOvsBase, role_data, logging_groups]} config_settings: get_attr: [NeutronOvsBase, role_data, config_settings] step_config: | diff --git a/puppet/services/pacemaker/nova-api.yaml b/puppet/services/pacemaker/nova-api.yaml index 3d565348..b86e438a 100644 --- a/puppet/services/pacemaker/nova-api.yaml +++ b/puppet/services/pacemaker/nova-api.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: nova_api monitoring_subscription: {get_attr: [NovaApiBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [NovaApiBase, role_data, logging_source]} + logging_groups: {get_attr: [NovaApiBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [NovaApiBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/nova-conductor.yaml b/puppet/services/pacemaker/nova-conductor.yaml index 9d55a48a..a0a766ec 100644 --- a/puppet/services/pacemaker/nova-conductor.yaml +++ b/puppet/services/pacemaker/nova-conductor.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: nova_conductor monitoring_subscription: {get_attr: [NovaConductorBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [NovaConductorBase, role_data, logging_source]} + logging_groups: {get_attr: [NovaConductorBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [NovaConductorBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/nova-consoleauth.yaml b/puppet/services/pacemaker/nova-consoleauth.yaml index 814505fb..5d51eb47 100644 --- a/puppet/services/pacemaker/nova-consoleauth.yaml +++ b/puppet/services/pacemaker/nova-consoleauth.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: nova_consoleauth monitoring_subscription: {get_attr: [NovaConsoleauthBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [NovaConsoleauthBase, role_data, logging_source]} + logging_groups: {get_attr: [NovaConsoleauthBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [NovaConsoleauthBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/nova-scheduler.yaml b/puppet/services/pacemaker/nova-scheduler.yaml index 27692268..8828ee11 100644 --- a/puppet/services/pacemaker/nova-scheduler.yaml +++ b/puppet/services/pacemaker/nova-scheduler.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: nova_scheduler monitoring_subscription: {get_attr: [NovaSchedulerBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [NovaSchedulerBase, role_data, logging_source]} + logging_groups: {get_attr: [NovaSchedulerBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [NovaSchedulerBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/nova-vncproxy.yaml b/puppet/services/pacemaker/nova-vnc-proxy.yaml index 0ec5de68..ebe84a03 100644 --- a/puppet/services/pacemaker/nova-vncproxy.yaml +++ b/puppet/services/pacemaker/nova-vnc-proxy.yaml @@ -22,7 +22,7 @@ parameters: resources: NovaVncproxyBase: - type: ../nova-vncproxy.yaml + type: ../nova-vnc-proxy.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} @@ -32,8 +32,10 @@ outputs: role_data: description: Role data for the Nova Vncproxy role. value: - service_name: nova_vncproxy + service_name: nova_vnc_proxy monitoring_subscription: {get_attr: [NovaVncproxyBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [NovaVncproxyBase, role_data, logging_source]} + logging_groups: {get_attr: [NovaVncproxyBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [NovaVncproxyBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/sahara-api.yaml b/puppet/services/pacemaker/sahara-api.yaml index 214e8dbb..3dfb7d94 100644 --- a/puppet/services/pacemaker/sahara-api.yaml +++ b/puppet/services/pacemaker/sahara-api.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: sahara_api monitoring_subscription: {get_attr: [SaharaApiBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [SaharaApiBase, role_data, logging_source]} + logging_groups: {get_attr: [SaharaApiBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [SaharaApiBase, role_data, config_settings] diff --git a/puppet/services/pacemaker/sahara-engine.yaml b/puppet/services/pacemaker/sahara-engine.yaml index aa85115d..a06d11b3 100644 --- a/puppet/services/pacemaker/sahara-engine.yaml +++ b/puppet/services/pacemaker/sahara-engine.yaml @@ -34,6 +34,8 @@ outputs: value: service_name: sahara_engine monitoring_subscription: {get_attr: [SaharaEngineBase, role_data, monitoring_subscription]} + logging_source: {get_attr: [SaharaEngineBase, role_data, logging_source]} + logging_groups: {get_attr: [SaharaEngineBase, role_data, logging_groups]} config_settings: map_merge: - get_attr: [SaharaEngineBase, role_data, config_settings] diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index a0669dcd..44a09a42 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml @@ -38,6 +38,13 @@ parameters: type: string default: '' hidden: true + RabbitHAQueues: + description: + The number of HA queues to be configured in rabbit. The default is 0 which will + be automatically overridden to CEIL(N/2) where N is the number of nodes running + rabbitmq. + default: 0 + type: number MonitoringSubscriptionRabbitmq: default: 'overcloud-rabbitmq' type: string @@ -58,21 +65,22 @@ outputs: dport: - 4369 - 5672 - - 35672 + - 25672 rabbitmq::delete_guest_user: false rabbitmq::wipe_db_on_cookie_change: true rabbitmq::port: '5672' rabbitmq::package_source: undef rabbitmq::repos_ensure: false + rabbitmq::tcp_keepalive: true rabbitmq_environment: RABBITMQ_NODENAME: "rabbit@%{::hostname}" - RABBITMQ_SERVER_ERL_ARGS: '"+K true +A30 +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"' + RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"' rabbitmq_kernel_variables: - inet_dist_listen_min: '35672' - inet_dist_listen_max: '35672' + inet_dist_listen_min: '25672' + inet_dist_listen_max: '25672' rabbitmq_config_variables: - tcp_listen_options: '[binary, {packet, raw}, {reuseaddr, true}, {backlog, 128}, {nodelay, true}, {exit_on_close, false}, {keepalive, true}]' cluster_partition_handling: 'pause_minority' + queue_master_locator: '<<"min-masters">>' loopback_users: '[]' rabbitmq::erlang_cookie: yaql: @@ -88,5 +96,7 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR rabbitmq::node_ip_address: {get_param: [ServiceNetMap, RabbitmqNetwork]} + rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} + step_config: | include ::tripleo::profile::base::rabbitmq diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index 7f15ca72..54e63df4 100644 --- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -33,6 +33,11 @@ parameters: MonitoringSubscriptionSaharaApi: default: 'overcloud-sahara-api' type: string + SaharaApiLoggingSource: + type: json + default: + tag: openstack.sahara.api + path: /var/log/sahara/sahara-api.log resources: SaharaBase: @@ -48,16 +53,14 @@ outputs: value: service_name: sahara_api monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi} + logging_source: {get_param: SaharaApiLoggingSource} + logging_groups: + - sahara config_settings: map_merge: - get_attr: [SaharaBase, role_data, config_settings] - sahara::port: {get_param: [EndpointMap, SaharaInternal, port]} sahara::service::api::api_workers: {get_param: SaharaWorkers} - sahara::keystone::auth::public_url: {get_param: [EndpointMap, SaharaPublic, uri]} - sahara::keystone::auth::internal_url: {get_param: [EndpointMap, SaharaInternal, uri]} - sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]} - sahara::keystone::auth::password: {get_param: SaharaPassword } - sahara::keystone::auth::region: {get_param: KeystoneRegion} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP @@ -71,3 +74,19 @@ outputs: - 13386 step_config: | include ::tripleo::profile::base::sahara::api + service_config_settings: + keystone: + sahara::keystone::auth::tenant: 'service' + sahara::keystone::auth::public_url: {get_param: [EndpointMap, SaharaPublic, uri]} + sahara::keystone::auth::internal_url: {get_param: [EndpointMap, SaharaInternal, uri]} + sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]} + sahara::keystone::auth::password: {get_param: SaharaPassword } + sahara::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + sahara::db::mysql::password: {get_param: SaharaPassword} + sahara::db::mysql::user: sahara + sahara::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + sahara::db::mysql::dbname: sahara + sahara::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml index c1ab8e8b..4072a150 100644 --- a/puppet/services/sahara-base.yaml +++ b/puppet/services/sahara-base.yaml @@ -44,6 +44,10 @@ parameters: type: string default: '' description: Set to True to enable debugging on all services. + SaharaPlugins: + default: ["ambari","cdh","mapr","vanilla","spark","storm"] + description: Sahara enabled plugin list + type: comma_delimited_list outputs: role_data: @@ -60,13 +64,6 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/sahara' - sahara::db::mysql::password: {get_param: SaharaPassword} - sahara::db::mysql::user: sahara - sahara::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - sahara::db::mysql::dbname: sahara - sahara::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" sahara::rabbit_password: {get_param: RabbitPassword} sahara::rabbit_user: {get_param: RabbitUserName} sahara::rabbit_use_ssl: {get_param: RabbitClientUseSSL} @@ -76,15 +73,8 @@ outputs: sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } sahara::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } sahara::use_neutron: true - sahara::plugins: - - ambari - - cdh - - mapr - - vanilla - - spark - - storm + sahara::plugins: {get_param: SaharaPlugins} sahara::rpc_backend: rabbit sahara::admin_tenant_name: 'service' - sahara::keystone::auth::tenant: 'service' sahara::db::database_db_max_retries: -1 sahara::db::database_max_retries: -1 diff --git a/puppet/services/sahara-engine.yaml b/puppet/services/sahara-engine.yaml index 9224fd5f..287c1c05 100644 --- a/puppet/services/sahara-engine.yaml +++ b/puppet/services/sahara-engine.yaml @@ -21,6 +21,11 @@ parameters: MonitoringSubscriptionSaharaEngine: default: 'overcloud-sahara-engine' type: string + SaharaEngineLoggingSource: + type: json + default: + tag: openstack.sahara.engine + path: /var/log/sahara/sahara-engine.log resources: SaharaBase: @@ -36,6 +41,9 @@ outputs: value: service_name: sahara_engine monitoring_subscription: {get_param: MonitoringSubscriptionSaharaEngine} + logging_source: {get_param: SaharaEngineLoggingSource} + logging_groups: + - sahara config_settings: map_merge: - get_attr: [SaharaBase, role_data, config_settings] diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index b54a6d7a..ffe2d2d4 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -39,6 +39,9 @@ resources: EndpointMap: {get_param: EndpointMap} DefaultPasswords: {get_param: DefaultPasswords} + LoggingConfiguration: + type: OS::TripleO::LoggingConfiguration + outputs: role_data: description: Combined Role data for this set of services. @@ -51,12 +54,57 @@ outputs: data: {s_names: {get_attr: [ServiceChain, role_data, service_name]}} monitoring_subscriptions: yaql: - expression: list($.data.subscriptions.where($ != null)) - data: {subscriptions: {get_attr: [ServiceChain, role_data, monitoring_subscription]}} + expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} + logging_sources: + # Transform the individual logging_source configuration from + # each service in the chain into a global list, adding some + # default configuration at the same time. + yaql: + expression: > + let( + default_format => $.data.default_format, + pos_file_path => $.data.pos_file_path, + sources => $.data.sources.flatten() + ) -> + $sources.where($ != null).select({ + 'type' => 'tail', + 'tag' => $.tag, + 'path' => $.path, + 'format' => $.get('format', $default_format), + 'pos_file' => $.get('pos_file', $pos_file_path + '/' + $.tag + '.pos') + }) + data: + sources: + - {get_attr: [LoggingConfiguration, LoggingDefaultSources]} + - yaql: + expression: list($.data.role_data.where($ != null).select($.get('logging_source')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} + + - {get_attr: [LoggingConfiguration, LoggingExtraSources]} + default_format: {get_attr: [LoggingConfiguration, LoggingDefaultFormat]} + pos_file_path: {get_attr: [LoggingConfiguration, LoggingPosFilePath]} + logging_groups: + # Build a list of unique groups to which we should add the + # fluentd user. + yaql: + expression: > + set($.data.groups.flatten()).where($) + data: + groups: + - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}] + - yaql: + expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} + - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}] config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}} global_config_settings: map_merge: yaql: - expression: list($.data.configs.where($ != null)) - data: {configs: {get_attr: [ServiceChain, role_data, global_config_settings]}} + expression: list($.data.role_data.where($ != null).select($.get('global_config_settings')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} + service_config_settings: + yaql: + expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {}) + data: {role_data: {get_attr: [ServiceChain, role_data]}} step_config: {list_join: ["\n", {get_attr: [ServiceChain, role_data, step_config]}]} diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index d7b0cd7c..ba1d99f1 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -41,6 +41,14 @@ parameters: MonitoringSubscriptionSwiftProxy: default: 'overcloud-swift-proxy' type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string resources: SwiftBase: @@ -66,29 +74,19 @@ outputs: swift::proxy::authtoken::project_name: 'service' swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout} swift::proxy::workers: {get_param: SwiftWorkers} - swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]} - swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]} - swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]} - swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]} - swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]} - swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]} - swift::keystone::auth::password: {get_param: SwiftPassword} - swift::keystone::auth::region: {get_param: KeystoneRegion} + swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName} + swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword} + swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]} tripleo.swift_proxy.firewall_rules: '122 swift proxy': dport: - 8080 - 13808 - swift::keystone::auth::tenant: 'service' - swift::keystone::auth::configure_s3_endpoint: false - swift::keystone::auth::operator_roles: - - admin - - swiftoperator - - ResellerAdmin swift::proxy::keystone::operator_roles: - admin - swiftoperator - ResellerAdmin + swift::proxy::versioned_writes::allow_versioned_writes: true swift::proxy::pipeline: - 'catch_errors' - 'healthcheck' @@ -101,6 +99,8 @@ outputs: - 'authtoken' - 'keystone' - 'staticweb' + - 'versioned_writes' + - 'ceilometer' - 'proxy-logging' - 'proxy-server' swift::proxy::account_autocreate: true @@ -113,3 +113,19 @@ outputs: swift::proxy::proxy_local_net_ip: {get_param: [ServiceNetMap, SwiftProxyNetwork]} step_config: | include ::tripleo::profile::base::swift::proxy + service_config_settings: + keystone: + swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]} + swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]} + swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]} + swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]} + swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]} + swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]} + swift::keystone::auth::password: {get_param: SwiftPassword} + swift::keystone::auth::region: {get_param: KeystoneRegion} + swift::keystone::auth::tenant: 'service' + swift::keystone::auth::configure_s3_endpoint: false + swift::keystone::auth::operator_roles: + - admin + - swiftoperator + - ResellerAdmin diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index e151d185..5c70b6ab 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -38,7 +38,10 @@ parameters: default: {} description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})' type: json - + SwiftUseLocalDir: + default: true + description: 'Use a local directory for Swift storage services when building rings' + type: boolean outputs: role_data: @@ -48,18 +51,18 @@ outputs: config_settings: tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild} tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas} + tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower} + tripleo::profile::base::swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours} tripleo::profile::base::swift::ringbuilder::raw_disk_prefix: 'r1z1-' tripleo::profile::base::swift::ringbuilder::raw_disks: yaql: expression: $.data.raw_disk_lists.flatten() data: raw_disk_lists: - - [':%PORT%/d1'] + - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]} - repeat: template: ':%PORT%/DEVICE' for_each: DEVICE: {get_param: SwiftRawDisks} - swift::ringbuilder::part_power: {get_param: SwiftPartPower} - swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours} step_config: | include ::tripleo::profile::base::swift::ringbuilder diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 7fbb8d90..cffe78f5 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -86,7 +86,7 @@ outputs: swift::storage::all::account_pipeline: - healthcheck - account-server - swift::storage::disks: {get_param: SwiftRawDisks} + swift::storage::disks::args: {get_param: SwiftRawDisks} swift::storage::all::storage_local_net_ip: {get_param: [ServiceNetMap, SwiftStorageNetwork]} step_config: | include ::tripleo::profile::base::swift::storage diff --git a/puppet/services/time/ntp.yaml b/puppet/services/time/ntp.yaml index 7aa3706f..eb5237fe 100644 --- a/puppet/services/time/ntp.yaml +++ b/puppet/services/time/ntp.yaml @@ -32,7 +32,7 @@ outputs: value: service_name: ntp config_settings: - ntp::ntpservers: {get_param: NtpServer} + ntp::servers: {get_param: NtpServer} tripleo.ntp.firewall_rules: '105 ntp': dport: 123 diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml index f6ec458f..7eb39905 100644 --- a/puppet/services/tripleo-firewall.yaml +++ b/puppet/services/tripleo-firewall.yaml @@ -19,7 +19,7 @@ parameters: via parameter_defaults in the resource registry. type: json ManageFirewall: - default: false + default: true description: Whether to manage IPtables rules. type: boolean PurgeFirewallRules: |