summaryrefslogtreecommitdiffstats
path: root/puppet/services
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/services')
-rw-r--r--puppet/services/aodh-api.yaml7
-rw-r--r--puppet/services/apache-internal-tls-certmonger.yaml75
-rw-r--r--puppet/services/apache.yaml46
-rw-r--r--puppet/services/barbican-api.yaml7
-rw-r--r--puppet/services/ceilometer-agent-ipmi.yaml77
-rw-r--r--puppet/services/ceilometer-api.yaml7
-rw-r--r--puppet/services/ceilometer-base.yaml9
-rw-r--r--puppet/services/ceph-rgw.yaml2
-rw-r--r--puppet/services/cinder-api.yaml7
-rw-r--r--puppet/services/cinder-backend-netapp.yaml129
-rw-r--r--puppet/services/cinder-volume.yaml6
-rw-r--r--puppet/services/congress.yaml9
-rw-r--r--puppet/services/database/mongodb.yaml5
-rw-r--r--puppet/services/database/mysql-internal-tls-certmonger.yaml47
-rw-r--r--puppet/services/database/mysql.yaml39
-rw-r--r--puppet/services/ec2-api.yaml12
-rw-r--r--puppet/services/external-swift-proxy.yaml70
-rw-r--r--puppet/services/glance-api.yaml7
-rw-r--r--puppet/services/gnocchi-api.yaml7
-rw-r--r--puppet/services/gnocchi-base.yaml6
-rw-r--r--puppet/services/heat-api.yaml7
-rw-r--r--puppet/services/heat-engine.yaml6
-rw-r--r--puppet/services/horizon.yaml5
-rw-r--r--puppet/services/ironic-api.yaml7
-rw-r--r--puppet/services/ironic-conductor.yaml21
-rw-r--r--puppet/services/kernel.yaml32
-rw-r--r--puppet/services/keystone.yaml46
-rw-r--r--puppet/services/mistral-api.yaml7
-rw-r--r--puppet/services/mistral-base.yaml6
-rw-r--r--puppet/services/monitoring/sensu-client.yaml2
-rw-r--r--puppet/services/network/contrail-vrouter.yaml2
-rw-r--r--puppet/services/neutron-api.yaml16
-rw-r--r--puppet/services/neutron-base.yaml11
-rw-r--r--puppet/services/neutron-bigswitch-agent.yaml31
-rw-r--r--puppet/services/neutron-compute-plugin-nuage.yaml10
-rw-r--r--puppet/services/neutron-compute-plugin-ovn.yaml1
-rw-r--r--puppet/services/neutron-l2gw-api.yaml54
-rw-r--r--puppet/services/neutron-ovs-agent.yaml35
-rw-r--r--puppet/services/neutron-ovs-dpdk-agent.yaml10
-rw-r--r--puppet/services/neutron-plugin-ml2-odl.yaml45
-rw-r--r--puppet/services/neutron-plugin-nuage.yaml7
-rw-r--r--puppet/services/nova-api.yaml17
-rw-r--r--puppet/services/nova-base.yaml22
-rw-r--r--puppet/services/nova-compute.yaml8
-rw-r--r--puppet/services/nova-ironic.yaml4
-rw-r--r--puppet/services/octavia-api.yaml7
-rw-r--r--puppet/services/octavia-base.yaml6
-rw-r--r--puppet/services/opendaylight-ovs.yaml42
-rw-r--r--puppet/services/openvswitch-upgrade.yaml50
-rw-r--r--puppet/services/ovn-dbs.yaml6
-rw-r--r--puppet/services/pacemaker.yaml16
-rw-r--r--puppet/services/panko-api.yaml7
-rw-r--r--puppet/services/qdr.yaml60
-rw-r--r--puppet/services/rabbitmq-internal-tls-certmonger.yaml47
-rw-r--r--puppet/services/rabbitmq.yaml37
-rw-r--r--puppet/services/sahara-api.yaml7
-rw-r--r--puppet/services/securetty.yaml36
-rw-r--r--puppet/services/services.yaml11
-rw-r--r--puppet/services/swift-proxy.yaml33
-rw-r--r--puppet/services/swift-ringbuilder.yaml10
-rw-r--r--puppet/services/tacker.yaml8
-rw-r--r--puppet/services/tripleo-firewall.yaml6
-rw-r--r--puppet/services/zaqar.yaml7
63 files changed, 1100 insertions, 282 deletions
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index d7c87b61..7cc6e4c6 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -24,6 +24,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ AodhApiPolicies:
+ description: |
+ A hash of policies to configure for Aodh API.
+ e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
AodhBase:
@@ -61,6 +67,7 @@ outputs:
aodh::wsgi::apache::wsgi_process_display_name: 'aodh_wsgi'
aodh::api::service_name: 'httpd'
aodh::api::enable_proxy_headers_parsing: true
+ aodh::policy::policies: {get_param: AodhApiPolicies}
tripleo.aodh_api.firewall_rules:
'128 aodh-api':
dport:
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
deleted file mode 100644
index 4c94f440..00000000
--- a/puppet/services/apache-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-heat_template_version: ocata
-
-description: >
- Apache service TLS configurations.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-resources:
-
- ApacheNetworks:
- type: OS::Heat::Value
- properties:
- value:
- # NOTE(jaosorior) Get unique network names to create
- # certificates for those. We skip the tenant network since
- # we don't need a certificate for that, and the external
- # network will be handled in another template.
- yaql:
- expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
- data:
- map:
- get_param: ServiceNetMap
-
-outputs:
- role_data:
- description: Role data for the Apache role.
- value:
- service_name: apache_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- apache_certificates_specs:
- map_merge:
- repeat:
- template:
- httpd-NETWORK:
- service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
- service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
- hostname: "%{hiera('fqdn_NETWORK')}"
- principal: "HTTP/%{hiera('fqdn_NETWORK')}"
- for_each:
- NETWORK: {get_attr: [ApacheNetworks, value]}
- metadata_settings:
- repeat:
- template:
- - service: HTTP
- network: $NETWORK
- type: node
- for_each:
- $NETWORK: {get_attr: [ApacheNetworks, value]}
- upgrade_tasks:
- - name: Check if httpd is deployed
- command: systemctl is-enabled httpd
- tags: common
- ignore_errors: True
- register: httpd_enabled
- - name: "PreUpgrade step0,validation: Check service httpd is running"
- shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
- when: httpd_enabled.rc == 0
- tags: step0,validation
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index 2d950151..6e53b1f7 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -31,13 +31,25 @@ parameters:
type: boolean
default: false
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
- ApacheTLS:
- type: OS::TripleO::Services::ApacheTLS
+ ApacheNetworks:
+ type: OS::Heat::Value
properties:
- ServiceNetMap: {get_param: ServiceNetMap}
+ value:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # is for HAProxy so it isn't used for apache either.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
outputs:
role_data:
@@ -46,7 +58,6 @@ outputs:
service_name: apache
config_settings:
map_merge:
- - get_attr: [ApacheTLS, role_data, config_settings]
-
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
@@ -64,8 +75,33 @@ outputs:
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
+ -
+ generate_service_certificates: true
+ tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
+ tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
+ apache_certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ httpd-NETWORK:
+ service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
+ hostname: "%{hiera('fqdn_NETWORK')}"
+ principal: "HTTP/%{hiera('fqdn_NETWORK')}"
+ for_each:
+ NETWORK: {get_attr: [ApacheNetworks, value]}
metadata_settings:
- get_attr: [ApacheTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ repeat:
+ template:
+ - service: HTTP
+ network: $NETWORK
+ type: node
+ for_each:
+ $NETWORK: {get_attr: [ApacheNetworks, value]}
+ - null
upgrade_tasks:
- name: Check if httpd is deployed
command: systemctl is-enabled httpd
diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml
index d8787c87..91a5b01c 100644
--- a/puppet/services/barbican-api.yaml
+++ b/puppet/services/barbican-api.yaml
@@ -55,6 +55,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ BarbicanPolicies:
+ description: |
+ A hash of policies to configure for Barbican.
+ e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -77,6 +83,7 @@ outputs:
barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
+ barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']
diff --git a/puppet/services/ceilometer-agent-ipmi.yaml b/puppet/services/ceilometer-agent-ipmi.yaml
new file mode 100644
index 00000000..26647dfd
--- /dev/null
+++ b/puppet/services/ceilometer-agent-ipmi.yaml
@@ -0,0 +1,77 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Ceilometer Ipmi Agent service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ RedisPassword:
+ description: The password for the redis service account.
+ type: string
+ hidden: true
+ MonitoringSubscriptionCeilometerIpmi:
+ default: 'overcloud-ceilometer-agent-ipmi'
+ type: string
+ CeilometerAgentIpmiLoggingSource:
+ type: json
+ default:
+ tag: openstack.ceilometer.agent.ipmi
+ path: /var/log/ceilometer/ipmi.log
+
+resources:
+ CeilometerServiceBase:
+ type: ./ceilometer-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Ceilometer Agent Ipmi role.
+ value:
+ service_name: ceilometer_agent_ipmi
+ monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerIpmi}
+ logging_source: {get_param: CeilometerAgentIpmiLoggingSource}
+ logging_groups:
+ - ceilometer
+ config_settings:
+ map_merge:
+ - get_attr: [CeilometerServiceBase, role_data, config_settings]
+ - ceilometer_redis_password: {get_param: RedisPassword}
+ ipmi_namespace: true
+ step_config: |
+ include ::tripleo::profile::base::ceilometer::agent::polling
+ upgrade_tasks:
+ - name: Check if ceilometer-agent-ipmi is deployed
+ command: systemctl is-enabled openstack-ceilometer-ipmi
+ tags: common
+ ignore_errors: True
+ register: ceilometer_ipmi_enabled
+ - name: "PreUpgrade step0,validation: Check if openstack-ceilometer-ipmi is running"
+ shell: >
+ /usr/bin/systemctl show 'openstack-ceilometer-ipmi' --property ActiveState |
+ grep '\bactive\b'
+ when: ceilometer_ipmi_enabled.rc == 0
+ tags: step0,validation
+ - name: Stop openstack-ceilometer-ipmi service
+ tags: step1
+ when: ceilometer_ipmi_enabled.rc == 0
+ service: name=openstack-ceilometer-ipmi state=stopped
+ - name: Install openstack-ceilometer-ipmi package if it was disabled
+ tags: step3
+ yum: name=openstack-ceilometer-ipmi state=latest
+ when: ceilometer_ipmi_enabled.rc != 0
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index f5ee9d40..ba94b451 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -29,6 +29,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ CeilometerApiPolicies:
+ description: |
+ A hash of policies to configure for Ceilometer API.
+ e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
CeilometerServiceBase:
@@ -78,6 +84,7 @@ outputs:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
+ ceilometer::policy::policies: {get_param: CeilometerApiPolicies}
ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS}
ceilometer::wsgi::apache::servername:
diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml
index a9c84289..e1613720 100644
--- a/puppet/services/ceilometer-base.yaml
+++ b/puppet/services/ceilometer-base.yaml
@@ -37,7 +37,7 @@ parameters:
constraints:
- allowed_values: ['gnocchi', 'database']
CeilometerEventDispatcher:
- default: ['gnocchi']
+ default: ['panko', 'gnocchi']
description: Comma-separated list of Dispatchers to process events data
type: comma_delimited_list
constraints:
@@ -76,6 +76,11 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ CeilometerApiEndpoint:
+ default: false
+ description: Whether to create or skip API endpoint. Set this to
+ false, if you choose to disable Ceilometer API service.
+ type: boolean
outputs:
role_data:
@@ -83,6 +88,7 @@ outputs:
value:
service_name: ceilometer_base
config_settings:
+ ceilometer_auth_enabled: true
ceilometer::debug: {get_param: Debug}
ceilometer::db::database_connection:
list_join:
@@ -133,6 +139,7 @@ outputs:
ceilometer::keystone::auth::password: {get_param: CeilometerPassword}
ceilometer::keystone::auth::region: {get_param: KeystoneRegion}
ceilometer::keystone::auth::tenant: 'service'
+ ceilometer::keystone::auth::configure_endpoint: {get_param: CeilometerApiEndpoint}
mysql:
ceilometer::db::mysql::password: {get_param: CeilometerPassword}
ceilometer::db::mysql::user: ceilometer
diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml
index 01531971..49856115 100644
--- a/puppet/services/ceph-rgw.yaml
+++ b/puppet/services/ceph-rgw.yaml
@@ -73,7 +73,7 @@ outputs:
ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
- ceph::rgw::keystone::auth::roles: [ 'admin', 'member', '_member_' ]
+ ceph::rgw::keystone::auth::roles: [ 'admin', 'Member', '_member_' ]
ceph::rgw::keystone::auth::tenant: service
ceph::rgw::keystone::auth::user: swift
ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 958b0e7d..c1e6b0b0 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -46,6 +46,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ CinderApiPolicies:
+ description: |
+ A hash of policies to configure for Cinder API.
+ e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
@@ -86,6 +92,7 @@ outputs:
cinder::keystone::authtoken::project_name: 'service'
cinder::keystone::authtoken::user_domain_name: 'Default'
cinder::keystone::authtoken::project_domain_name: 'Default'
+ cinder::policy::policies: {get_param: CinderApiPolicies}
cinder::api::enable_proxy_headers_parsing: true
cinder::api::nova_catalog_info: 'compute:nova:internalURL'
diff --git a/puppet/services/cinder-backend-netapp.yaml b/puppet/services/cinder-backend-netapp.yaml
new file mode 100644
index 00000000..29a0ce1b
--- /dev/null
+++ b/puppet/services/cinder-backend-netapp.yaml
@@ -0,0 +1,129 @@
+heat_template_version: ocata
+
+description: Openstack Cinder Netapp backend
+
+parameters:
+ CinderEnableNetappBackend:
+ type: boolean
+ default: true
+ CinderNetappBackendName:
+ type: string
+ default: 'tripleo_netapp'
+ CinderNetappLogin:
+ type: string
+ CinderNetappPassword:
+ type: string
+ hidden: true
+ CinderNetappServerHostname:
+ type: string
+ CinderNetappServerPort:
+ type: string
+ default: '80'
+ CinderNetappSizeMultiplier:
+ type: string
+ default: '1.2'
+ CinderNetappStorageFamily:
+ type: string
+ default: 'ontap_cluster'
+ CinderNetappStorageProtocol:
+ type: string
+ default: 'nfs'
+ CinderNetappTransportType:
+ type: string
+ default: 'http'
+ CinderNetappVfiler:
+ type: string
+ default: ''
+ CinderNetappVolumeList:
+ type: string
+ default: ''
+ CinderNetappVserver:
+ type: string
+ default: ''
+ CinderNetappPartnerBackendName:
+ type: string
+ default: ''
+ CinderNetappNfsShares:
+ type: string
+ default: ''
+ CinderNetappNfsSharesConfig:
+ type: string
+ default: '/etc/cinder/shares.conf'
+ CinderNetappNfsMountOptions:
+ type: string
+ default: ''
+ CinderNetappCopyOffloadToolPath:
+ type: string
+ default: ''
+ CinderNetappControllerIps:
+ type: string
+ default: ''
+ CinderNetappSaPassword:
+ type: string
+ default: ''
+ hidden: true
+ CinderNetappStoragePools:
+ type: string
+ default: ''
+ CinderNetappHostType:
+ type: string
+ default: ''
+ CinderNetappWebservicePath:
+ type: string
+ default: '/devmgr/v2'
+ # DEPRECATED options for compatibility with older versions
+ CinderNetappEseriesHostType:
+ type: string
+ default: 'linux_dm_mp'
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ type: json
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+
+parameter_groups:
+- label: deprecated
+ description: Do not use deprecated params, they will be removed.
+ parameters:
+ - CinderNetappEseriesHostType
+
+outputs:
+ role_data:
+ description: Role data for the Cinder NetApp backend.
+ value:
+ service_name: cinder_backend_netapp
+ config_settings:
+ tripleo::profile::base::cinder::volume::cinder_enable_netapp_backend: {get_param: CinderEnableNetappBackend}
+ cinder::backend::netapp::title: {get_param: CinderNetappBackendName}
+ cinder::backend::netapp::netapp_login: {get_param: CinderNetappLogin}
+ cinder::backend::netapp::netapp_password: {get_param: CinderNetappPassword}
+ cinder::backend::netapp::netapp_server_hostname: {get_param: CinderNetappServerHostname}
+ cinder::backend::netapp::netapp_server_port: {get_param: CinderNetappServerPort}
+ cinder::backend::netapp::netapp_size_multiplier: {get_param: CinderNetappSizeMultiplier}
+ cinder::backend::netapp::netapp_storage_family: {get_param: CinderNetappStorageFamily}
+ cinder::backend::netapp::netapp_storage_protocol: {get_param: CinderNetappStorageProtocol}
+ cinder::backend::netapp::netapp_transport_type: {get_param: CinderNetappTransportType}
+ cinder::backend::netapp::netapp_vfiler: {get_param: CinderNetappVfiler}
+ cinder::backend::netapp::netapp_volume_list: {get_param: CinderNetappVolumeList}
+ cinder::backend::netapp::netapp_vserver: {get_param: CinderNetappVserver}
+ cinder::backend::netapp::netapp_partner_backend_name: {get_param: CinderNetappPartnerBackendName}
+ cinder::backend::netapp::nfs_shares: {get_param: CinderNetappNfsShares}
+ cinder::backend::netapp::nfs_shares_config: {get_param: CinderNetappNfsSharesConfig}
+ cinder::backend::netapp::nfs_mount_options: {get_param: CinderNetappNfsMountOptions}
+ cinder::backend::netapp::netapp_copyoffload_tool_path: {get_param: CinderNetappCopyOffloadToolPath}
+ cinder::backend::netapp::netapp_controller_ips: {get_param: CinderNetappControllerIps}
+ cinder::backend::netapp::netapp_sa_password: {get_param: CinderNetappSaPassword}
+ cinder::backend::netapp::netapp_storage_pools: {get_param: CinderNetappStoragePools}
+ cinder::backend::netapp::netapp_host_type: {get_param: CinderNetappHostType}
+ cinder::backend::netapp::netapp_webservice_path: {get_param: CinderNetappWebservicePath}
+ step_config: |
+ include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index b52955ef..26f1a96f 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
@@ -94,11 +94,7 @@ outputs:
tripleo::profile::base::cinder::volume::cinder_enable_nfs_backend: {get_param: CinderEnableNfsBackend}
tripleo::profile::base::cinder::volume::cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend}
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_mount_options: {get_param: CinderNfsMountOptions}
- tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers:
- str_replace:
- template: SERVERS
- params:
- SERVERS: {get_param: CinderNfsServers}
+ tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: {get_param: CinderNfsServers}
tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol}
diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml
index fd1ee24b..5f6b5657 100644
--- a/puppet/services/congress.yaml
+++ b/puppet/services/congress.yaml
@@ -47,6 +47,12 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ CongressPolicies:
+ description: |
+ A hash of policies to configure for Congress.
+ e.g. { congress-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
outputs:
role_data:
@@ -73,6 +79,7 @@ outputs:
congress::rabbit_port: {get_param: RabbitClientPort}
congress::server::bind_host: {get_param: [ServiceNetMap, CongressApiNetwork]}
+ congress::keystone::authtoken::password: {get_param: CongressPassword}
congress::keystone::authtoken::project_name: 'service'
congress::keystone::authtoken::user_domain_name: 'Default'
congress::keystone::authtoken::project_domain_name: 'Default'
@@ -86,10 +93,12 @@ outputs:
congress::db::mysql::allowed_hosts:
- '%'
- {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ congress::policy::policies: {get_param: CongressPolicies}
service_config_settings:
keystone:
congress::keystone::auth::tenant: 'service'
+ congress::keystone::auth::region: {get_param: KeystoneRegion}
congress::keystone::auth::password: {get_param: CongressPassword}
congress::keystone::auth::public_url: {get_param: [EndpointMap, CongressPublic, uri]}
congress::keystone::auth::internal_url: {get_param: [EndpointMap, CongressInternal, uri]}
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index 63ec4446..50597216 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -19,6 +19,10 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ MongodbMemoryLimit:
+ default: '20G'
+ description: Limit the amount of memory mongodb uses with systemd.
+ type: string
MongoDbLoggingSource:
type: json
description: Fluentd logging configuration for mongodb.
@@ -49,6 +53,7 @@ outputs:
map_merge:
- get_attr: [MongoDbBase, role_data, config_settings]
- tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
+ tripleo::profile::base::database::mongodb::memory_limit: {get_param: MongodbMemoryLimit}
mongodb::server::service_manage: True
tripleo.mongodb.firewall_rules:
'101 mongodb_config':
diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
deleted file mode 100644
index 9f7eaf57..00000000
--- a/puppet/services/database/mysql-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
- MySQL configurations for using TLS via certmonger.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-outputs:
- role_data:
- description: MySQL configurations for using TLS via certmonger.
- value:
- service_name: mysql_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- tripleo::profile::base::database::mysql::certificate_specs:
- service_certificate: '/etc/pki/tls/certs/mysql.crt'
- service_key: '/etc/pki/tls/private/mysql.key'
- hostname:
- str_replace:
- template: "%{hiera('cloud_name_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- principal:
- str_replace:
- template: "mysql/%{hiera('cloud_name_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- metadata_settings:
- - service: mysql
- network: {get_param: [ServiceNetMap, MysqlNetwork]}
- type: vip
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 808f1353..da55da3c 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -23,6 +23,10 @@ parameters:
description: Configures MySQL max_connections config setting
type: number
default: 4096
+ MysqlIncreaseFileLimit:
+ description: Flag to increase MySQL open-files-limit to 16384
+ type: boolean
+ default: true
MysqlRootPassword:
type: string
hidden: true
@@ -38,13 +42,13 @@ parameters:
description: The password for the nova db account
type: string
hidden: true
+ EnableInternalTLS:
+ type: boolean
+ default: false
-resources:
+conditions:
- MySQLTLS:
- type: OS::TripleO::Services::MySQLTLS
- properties:
- ServiceNetMap: {get_param: ServiceNetMap}
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@@ -53,7 +57,6 @@ outputs:
service_name: mysql
config_settings:
map_merge:
- - get_attr: [MySQLTLS, role_data, config_settings]
-
# The Galera package should work in cluster and
# non-cluster modes based on the config file.
@@ -96,10 +99,32 @@ outputs:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
tripleo::profile::base::database::mysql::client_bind_address:
{get_param: [ServiceNetMap, MysqlNetwork]}
+ tripleo::profile::base::database::mysql::generate_dropin_file_limit:
+ {get_param: MysqlIncreaseFileLimit}
+ - generate_service_certificates: true
+ tripleo::profile::base::database::mysql::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/mysql.crt'
+ service_key: '/etc/pki/tls/private/mysql.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ principal:
+ str_replace:
+ template: "mysql/%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
step_config: |
include ::tripleo::profile::base::database::mysql
metadata_settings:
- get_attr: [MySQLTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ - service: mysql
+ network: {get_param: [ServiceNetMap, MysqlNetwork]}
+ type: vip
+ - null
upgrade_tasks:
- name: Check for galera root password
tags: step0
diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml
index 10f6d311..d1adefe5 100644
--- a/puppet/services/ec2-api.yaml
+++ b/puppet/services/ec2-api.yaml
@@ -42,6 +42,12 @@ parameters:
default: 'false'
description: Set to true to enable package installation via Puppet
type: boolean
+ Ec2ApiPolicies:
+ description: |
+ A hash of policies to configure for EC2-API.
+ e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
@@ -67,6 +73,7 @@ outputs:
ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword}
ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ec2api::policy::policies: {get_param: Ec2ApiPolicies}
ec2api::api::enabled: true
ec2api::package_manage: {get_param: EnablePackageInstall}
ec2api::api::ec2api_listen:
@@ -91,6 +98,11 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/ec2_api'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+ ec2api::api::keystone_ec2_tokens_url:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, KeystoneV3Internal, uri]}
+ - '/ec2tokens'
-
if:
- nova_workers_zero
diff --git a/puppet/services/external-swift-proxy.yaml b/puppet/services/external-swift-proxy.yaml
new file mode 100644
index 00000000..75f5b6a0
--- /dev/null
+++ b/puppet/services/external-swift-proxy.yaml
@@ -0,0 +1,70 @@
+heat_template_version: ocata
+
+description: >
+ External Swift Proxy endpoint configured with Puppet
+
+parameters:
+ ExternalPublicUrl:
+ description: Public endpoint url for the external swift proxy
+ type: string
+ ExternalInternalUrl:
+ description: Internal endpoint url for the external swift proxy
+ type: string
+ ExternalAdminUrl:
+ description: External endpoint url for the external swift proxy
+ type: string
+ ExternalSwiftUserTenant:
+ description: Tenant where swift user will be set as admin
+ type: string
+ default: 'service'
+ SwiftPassword:
+ description: The password for the swift service account, used by the swift proxy services.
+ type: string
+ hidden: true
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+resources:
+
+outputs:
+ role_data:
+ description: Role data for External Swift proxy.
+ value:
+ service_name: external_swift_proxy
+ config_settings:
+
+ step_config:
+
+ service_config_settings:
+ keystone:
+ swift::keystone::auth::public_url: {get_param: ExternalPublicUrl}
+ swift::keystone::auth::internal_url: {get_param: ExternalInternalUrl}
+ swift::keystone::auth::admin_url: {get_param: ExternalAdminUrl}
+ swift::keystone::auth::public_url_s3: ''
+ swift::keystone::auth::internal_url_s3: ''
+ swift::keystone::auth::admin_url_s3: ''
+ swift::keystone::auth::password: {get_param: SwiftPassword}
+ swift::keystone::auth::region: {get_param: KeystoneRegion}
+ swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant}
+ swift::keystone::auth::configure_s3_endpoint: false
+ swift::keystone::auth::operator_roles:
+ - admin
+ - swiftoperator
+ - ResellerAdmin
+
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index b06f9993..f61e6154 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -110,6 +110,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ GlanceApiPolicies:
+ description: |
+ A hash of policies to configure for Glance API.
+ e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
@@ -155,6 +161,7 @@ outputs:
glance::api::enable_proxy_headers_parsing: true
glance::api::debug: {get_param: Debug}
glance::api::workers: {get_param: GlanceWorkers}
+ glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo.glance_api.firewall_rules:
'112 glance_api':
dport:
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index f4629917..cd323703 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -44,6 +44,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ GnocchiApiPolicies:
+ description: |
+ A hash of policies to configure for Gnocchi API.
+ e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -83,6 +89,7 @@ outputs:
gnocchi::api::enabled: true
gnocchi::api::enable_proxy_headers_parsing: true
gnocchi::api::service_name: 'httpd'
+ gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml
index d7555561..dc6daece 100644
--- a/puppet/services/gnocchi-base.yaml
+++ b/puppet/services/gnocchi-base.yaml
@@ -32,10 +32,6 @@ parameters:
CephClientUserName:
default: openstack
type: string
- KeystoneRegion:
- type: string
- default: 'regionOne'
- description: Keystone region for endpoint
RedisPassword:
description: The password for the redis service account.
type: string
@@ -72,7 +68,7 @@ outputs:
gnocchi::storage::swift::swift_user: 'service:gnocchi'
gnocchi::storage::swift::swift_auth_version: 3
gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword}
- gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
gnocchi::storage::ceph::ceph_pool: {get_param: GnocchiRbdPoolName}
gnocchi::storage::ceph::ceph_username: {get_param: CephClientUserName}
gnocchi::storage::ceph::ceph_keyring:
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
index e21369e8..f8128bb8 100644
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@@ -41,6 +41,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ HeatApiPolicies:
+ description: |
+ A hash of policies to configure for Heat API.
+ e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]}
@@ -82,6 +88,7 @@ outputs:
- 13004
heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]}
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
+ heat::policy::policies: {get_param: HeatApiPolicies}
heat::api::service_name: 'httpd'
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml
index a166f3a7..98dac4c9 100644
--- a/puppet/services/heat-engine.yaml
+++ b/puppet/services/heat-engine.yaml
@@ -112,7 +112,11 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/heat'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
- heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]}
+ heat::keystone_ec2_uri:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, KeystoneV3Internal, uri]}
+ - '/ec2tokens'
heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword}
heat::engine::auth_encryption_key:
yaql:
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 7ae518b5..8fb13c16 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -40,6 +40,10 @@ parameters:
type: string
hidden: true
default: ''
+ HorizonSecureCookies:
+ description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
+ type: boolean
+ default: true
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
@@ -88,6 +92,7 @@ outputs:
passwords:
- {get_param: HorizonSecret}
- {get_param: [DefaultPasswords, horizon_secret]}
+ horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
memcached_ipv6: {get_param: MemcachedIPv6}
-
if:
diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml
index e24d0de6..1f18cb1b 100644
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@@ -29,6 +29,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ IronicApiPolicies:
+ description: |
+ A hash of policies to configure for Ironic API.
+ e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
IronicBase:
@@ -64,6 +70,7 @@ outputs:
ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
# This is used to build links in responses
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
+ ironic::policy::policies: {get_param: IronicApiPolicies}
tripleo.ironic_api.firewall_rules:
'133 ironic api':
dport:
diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml
index 56e1a90b..be910d10 100644
--- a/puppet/services/ironic-conductor.yaml
+++ b/puppet/services/ironic-conductor.yaml
@@ -32,6 +32,15 @@ parameters:
created yet) and should be changed to an actual UUID in
a post-deployment stack update.
type: string
+ IronicDefaultNetworkInterface:
+ default: 'flat'
+ description: Network interface implementation to use by default.
+ Set to "flat" (the default) to use one flat provider network.
+ Set to "neutron" to make Ironic interact with the Neutron
+ ML2 driver to enable other network types and certain
+ advances networking features. Requires
+ IronicProvisioningNetwork to be correctly set.
+ type: string
IronicEnabledDrivers:
default: ['pxe_ipmitool', 'pxe_drac', 'pxe_ilo']
description: Enabled Ironic drivers
@@ -48,6 +57,15 @@ parameters:
description: The password for the Ironic service and db account, used by the Ironic services
type: string
hidden: true
+ IronicProvisioningNetwork:
+ default: 'provisioning'
+ description: Name or UUID of the *overcloud* network used for provisioning
+ of bare metal nodes, if IronicDefaultNetworkInterface is
+ set to "neutron". The default value of "provisioning" can be
+ left during the initial deployment (when no networks are
+ created yet) and should be changed to an actual UUID in
+ a post-deployment stack update.
+ type: string
MonitoringSubscriptionIronicConductor:
default: 'overcloud-ironic-conductor'
type: string
@@ -72,6 +90,7 @@ outputs:
- ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
ironic::conductor::cleaning_disk_erase: {get_param: IronicCleaningDiskErase}
ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork}
+ ironic::conductor::provisioning_network: {get_param: IronicProvisioningNetwork}
ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers}
# We need an endpoint containing a real IP, not a VIP here
ironic_conductor_http_host: {get_param: [ServiceNetMap, IronicNetwork]}
@@ -93,6 +112,8 @@ outputs:
# NOTE(dtantsur): UEFI only works with iPXE currently for us
ironic::drivers::pxe::uefi_pxe_config_template: '$pybasedir/drivers/modules/ipxe_config.template'
ironic::drivers::pxe::uefi_pxe_bootfile_name: 'ipxe.efi'
+ ironic::drivers::interfaces::enabled_network_interfaces: ['flat', 'neutron']
+ ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface}
tripleo.ironic_conductor.firewall_rules:
'134 ironic conductor TFTP':
dport: 69
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index fec455d1..2a335b67 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -22,6 +22,10 @@ parameters:
default: 1048576
description: Configures sysctl kernel.pid_max key
type: number
+ KernelDisableIPv6:
+ default: 0
+ description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+ type: number
outputs:
role_data:
@@ -31,7 +35,7 @@ outputs:
config_settings:
kernel_modules:
nf_conntrack: {}
- ip_conntrack_proto_sctp: {}
+ nf_conntrack_proto_sctp: {}
sysctl_settings:
net.ipv4.tcp_keepalive_intvl:
value: 1
@@ -39,10 +43,28 @@ outputs:
value: 5
net.ipv4.tcp_keepalive_time:
value: 5
+ net.ipv4.conf.default.send_redirects:
+ value: 0
+ net.ipv4.conf.all.send_redirects:
+ value: 0
+ net.ipv4.conf.default.accept_redirects:
+ value: 0
+ net.ipv4.conf.default.secure_redirects:
+ value: 0
+ net.ipv4.conf.all.secure_redirects:
+ value: 0
+ net.ipv4.conf.default.log_martians:
+ value: 1
+ net.ipv4.conf.all.log_martians:
+ value: 1
net.nf_conntrack_max:
value: 500000
net.netfilter.nf_conntrack_max:
value: 500000
+ net.ipv6.conf.default.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
+ net.ipv6.conf.all.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
# prevent neutron bridges from autoconfiguring ipv6 addresses
net.ipv6.conf.all.accept_ra:
value: 0
@@ -52,9 +74,17 @@ outputs:
value: 0
net.ipv6.conf.default.autoconf:
value: 0
+ net.ipv6.conf.default.accept_redirects:
+ value: 0
+ net.ipv6.conf.all.accept_redirects:
+ value: 0
net.core.netdev_max_backlog:
value: 10000
kernel.pid_max:
value: {get_param: KernelPidMax}
+ kernel.dmesg_restrict:
+ value: 1
+ fs.suid_dumpable:
+ value: 0
step_config: |
include ::tripleo::profile::base::kernel
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 17616867..8a0e750d 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -119,27 +119,27 @@ parameters:
Cron to purge expired tokens - Ensure
default: 'present'
KeystoneCronTokenFlushMinute:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Minute
default: '1'
KeystoneCronTokenFlushHour:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Hour
- default: '0'
+ default: '*'
KeystoneCronTokenFlushMonthday:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Month Day
default: '*'
KeystoneCronTokenFlushMonth:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Month
default: '*'
KeystoneCronTokenFlushWeekday:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Week Day
default: '*'
@@ -158,6 +158,22 @@ parameters:
description: >
Cron to purge expired tokens - User
default: 'keystone'
+ KeystonePolicies:
+ description: |
+ A hash of policies to configure for Keystone.
+ e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
+ KeystoneLDAPDomainEnable:
+ description: Trigger to call ldap_backend puppet keystone define.
+ type: boolean
+ default: False
+ KeystoneLDAPBackendConfigs:
+ description: Hash containing the configurations for the LDAP backends
+ configured in keystone.
+ type: json
+ default: {}
+ hidden: true
resources:
@@ -171,6 +187,7 @@ resources:
conditions:
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
+ keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
outputs:
role_data:
@@ -197,6 +214,7 @@ outputs:
keystone::admin_token: {get_param: AdminToken}
keystone::admin_password: {get_param: AdminPassword}
keystone::roles::admin::password: {get_param: AdminPassword}
+ keystone::policy::policies: {get_param: KeystonePolicies}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
keystone::token_provider: {get_param: KeystoneTokenProvider}
@@ -293,6 +311,15 @@ outputs:
keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
+ -
+ if:
+ - keystone_ldap_domain_enabled
+ -
+ tripleo::profile::base::keystone::ldap_backend_enable: True
+ keystone::using_domain_config: True
+ tripleo::profile::base::keystone::ldap_backends_config:
+ get_param: KeystoneLDAPBackendConfigs
+ - {}
step_config: |
include ::tripleo::profile::base::keystone
@@ -305,6 +332,13 @@ outputs:
keystone::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
+ horizon:
+ if:
+ - keystone_ldap_domain_enabled
+ -
+ horizon::keystone_multidomain_support: true
+ horizon::keystone_default_domain: 'Default'
+ - {}
# Ansible tasks to handle upgrade
upgrade_tasks:
- name: Stop keystone service (running under httpd)
diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml
index 1c7d6bd3..02c69392 100644
--- a/puppet/services/mistral-api.yaml
+++ b/puppet/services/mistral-api.yaml
@@ -22,6 +22,12 @@ parameters:
default: 1
description: The number of workers for the mistral-api.
type: number
+ MistralApiPolicies:
+ description: |
+ A hash of policies to configure for Mistral API.
+ e.g. { mistral-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
MistralBase:
@@ -41,6 +47,7 @@ outputs:
- get_attr: [MistralBase, role_data, config_settings]
- mistral::api::api_workers: {get_param: MistralWorkers}
mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]}
+ mistral::policy::policies: {get_param: MistralApiPolicies}
tripleo.mistral_api.firewall_rules:
'133 mistral':
dport:
diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml
index e1030346..d5c21694 100644
--- a/puppet/services/mistral-base.yaml
+++ b/puppet/services/mistral-base.yaml
@@ -74,7 +74,11 @@ outputs:
mistral::keystone_password: {get_param: MistralPassword}
mistral::keystone_tenant: 'service'
mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
- mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]}
+ mistral::keystone_ec2_uri:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, KeystoneV3Internal, uri]}
+ - '/ec2tokens'
mistral::identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
service_config_settings:
keystone:
diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml
index aba2b1ed..4b5f36ac 100644
--- a/puppet/services/monitoring/sensu-client.yaml
+++ b/puppet/services/monitoring/sensu-client.yaml
@@ -81,4 +81,4 @@ outputs:
- name: Install sensu package if it was disabled
tags: step3
yum: name=sensu state=latest
- when: sensu_client.rc != 0
+ when: sensu_client_enabled.rc != 0
diff --git a/puppet/services/network/contrail-vrouter.yaml b/puppet/services/network/contrail-vrouter.yaml
index db9f0836..0cd1f829 100644
--- a/puppet/services/network/contrail-vrouter.yaml
+++ b/puppet/services/network/contrail-vrouter.yaml
@@ -27,7 +27,7 @@ parameters:
description: vRouter physical interface
type: string
ContrailVrouterGateway:
- default: '192.0.2.1'
+ default: '192.168.24.1'
description: vRouter default gateway
type: string
ContrailVrouterNetmask:
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index bb102c08..9b9d1c72 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -57,6 +57,15 @@ parameters:
default:
tag: openstack.neutron.api
path: /var/log/neutron/server.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ NeutronApiPolicies:
+ description: |
+ A hash of policies to configure for Neutron API.
+ e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
@@ -71,10 +80,6 @@ parameters:
removed in Ocata. Future releases will enable L3 HA by default if it is
appropriate for the deployment type. Alternate mechanisms will be
available to override.
- EnableInternalTLS:
- type: boolean
- default: false
-
parameter_groups:
- label: deprecated
description: |
@@ -128,6 +133,7 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/ovs_neutron'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+ neutron::policy::policies: {get_param: NeutronApiPolicies}
neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
neutron::server::api_workers: {get_param: NeutronWorkers}
@@ -204,3 +210,5 @@ outputs:
tags: step1
when: neutron_server_enabled.rc == 0
service: name=neutron-server state=stopped
+ metadata_settings:
+ get_attr: [TLSProxyBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index 55361939..9f605062 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@@ -22,6 +22,10 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ DatabaseSyncTimeout:
+ default: 300
+ description: DB Sync Timeout default
+ type: number
NeutronDhcpAgentsPerNetwork:
type: number
default: 0
@@ -44,10 +48,10 @@ parameters:
description: Set to True to enable debugging on all services.
EnableConfigPurge:
type: boolean
- default: true
+ default: false
description: >
- Remove configuration that is not generated by TripleO. Setting
- to false may result in configuration remnants after updates/upgrades.
+ Remove configuration that is not generated by TripleO. Used to avoid
+ configuration remnants after upgrades.
NeutronGlobalPhysnetMtu:
type: number
default: 1500
@@ -95,6 +99,7 @@ outputs:
neutron::host: '%{::fqdn}'
neutron::db::database_db_max_retries: -1
neutron::db::database_max_retries: -1
+ neutron::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout}
neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu}
- if:
- dhcp_agents_zero
diff --git a/puppet/services/neutron-bigswitch-agent.yaml b/puppet/services/neutron-bigswitch-agent.yaml
new file mode 100644
index 00000000..845f0da0
--- /dev/null
+++ b/puppet/services/neutron-bigswitch-agent.yaml
@@ -0,0 +1,31 @@
+heat_template_version: ocata
+
+description: >
+ Installs bigswitch agent and enables the services
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+
+outputs:
+ role_data:
+ description: Configure the bigswitch agent services
+ value:
+ service_name: neutron_bigswitch_agent
+ step_config: |
+ if hiera('step') >= 4 {
+ include ::neutron::agents::bigswitch
+ }
diff --git a/puppet/services/neutron-compute-plugin-nuage.yaml b/puppet/services/neutron-compute-plugin-nuage.yaml
index 04431e28..ea717690 100644
--- a/puppet/services/neutron-compute-plugin-nuage.yaml
+++ b/puppet/services/neutron-compute-plugin-nuage.yaml
@@ -22,6 +22,10 @@ parameters:
description: The password for the nova service account, used by nova-api.
type: string
hidden: true
+ NuageMetadataPort:
+ description: TCP Port to listen for metadata server requests
+ type: string
+ default: '9697'
outputs:
role_data:
@@ -32,5 +36,11 @@ outputs:
tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service'
tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword}
tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]}
+ tripleo.neutron_compute_plugin_nuage.firewall_rules:
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '100 metadata agent':
+ dport: {get_param: NuageMetadataPort}
step_config: |
include ::tripleo::profile::base::neutron::agents::nuage
diff --git a/puppet/services/neutron-compute-plugin-ovn.yaml b/puppet/services/neutron-compute-plugin-ovn.yaml
index e3a4da99..0dca29ab 100644
--- a/puppet/services/neutron-compute-plugin-ovn.yaml
+++ b/puppet/services/neutron-compute-plugin-ovn.yaml
@@ -48,6 +48,7 @@ outputs:
ovn::controller::ovn_encap_type: {get_param: OVNTunnelEncapType}
ovn::controller::ovn_encap_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]}
ovn::controller::ovn_bridge_mappings: {get_param: NeutronBridgeMappings}
+ nova::compute::force_config_drive: true
tripleo.neutron_compute_plugin_ovn.firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
diff --git a/puppet/services/neutron-l2gw-api.yaml b/puppet/services/neutron-l2gw-api.yaml
new file mode 100644
index 00000000..b6f0d281
--- /dev/null
+++ b/puppet/services/neutron-l2gw-api.yaml
@@ -0,0 +1,54 @@
+heat_template_version: ocata
+
+description: >
+ L2 Gateway service plugin configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ L2gwServiceDefaultInterfaceName:
+ default: 'FortyGigE1/0/1'
+ description: default interface name of the L2 gateway
+ type: string
+ L2gwServiceDefaultDeviceName:
+ default: 'Switch1'
+ description: default device name of the L2 gateway
+ type: string
+ L2gwServiceQuotaL2Gateway:
+ default: 5
+ description: quota of the L2 gateway
+ type: number
+ L2gwServicePeriodicMonitoringInterval:
+ default: 5
+ description: The periodic interval at which the plugin
+ type: number
+ L2gwServiceProvider:
+ default: ["L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default"]
+ description: Backend to use as a service provider for L2 Gateway
+ type: comma_delimited_list
+
+outputs:
+ role_data:
+ description: Role data for the L2 Gateway role.
+ value:
+ service_name: neutron_l2gw_api
+ config_settings:
+ neutron::services::l2gw::default_interface_name: {get_param: L2gwServiceDefaultInterfaceName}
+ neutron::services::l2gw::default_device_name: {get_param: L2gwServiceDefaultDeviceName}
+ neutron::services::l2gw::quota_l2_gateway: {get_param: L2gwServiceQuotaL2Gateway}
+ neutron::services::l2gw::periodic_monitoring_interval: {get_param: L2gwServicePeriodicMonitoringInterval}
+ neutron::services::l2gw::service_providers: {get_param: L2gwServiceProvider}
+ step_config: |
+ include tripleo::profile::base::neutron::l2gw
diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml
index 01471ba2..ef2485d4 100644
--- a/puppet/services/neutron-ovs-agent.yaml
+++ b/puppet/services/neutron-ovs-agent.yaml
@@ -82,6 +82,9 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ OpenVswitchUpgrade:
+ type: ./openvswitch-upgrade.yaml
+
outputs:
role_data:
description: Role data for the Neutron OVS agent service.
@@ -121,16 +124,22 @@ outputs:
step_config: |
include ::tripleo::profile::base::neutron::ovs
upgrade_tasks:
- - name: Check if neutron_ovs_agent is deployed
- command: systemctl is-enabled neutron-openvswitch-agent
- tags: common
- ignore_errors: True
- register: neutron_ovs_agent_enabled
- - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running"
- shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b'
- when: neutron_ovs_agent_enabled.rc == 0
- tags: step0,validation
- - name: Stop neutron_ovs_agent service
- tags: step1
- when: neutron_ovs_agent_enabled.rc == 0
- service: name=neutron-openvswitch-agent state=stopped
+ yaql:
+ expression: $.data.ovs_upgrade + $.data.neutron_ovs_upgrade
+ data:
+ ovs_upgrade:
+ get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks]
+ neutron_ovs_upgrade:
+ - name: Check if neutron_ovs_agent is deployed
+ command: systemctl is-enabled neutron-openvswitch-agent
+ tags: common
+ ignore_errors: True
+ register: neutron_ovs_agent_enabled
+ - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running"
+ shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b'
+ when: neutron_ovs_agent_enabled.rc == 0
+ tags: step0,validation
+ - name: Stop neutron_ovs_agent service
+ tags: step1
+ when: neutron_ovs_agent_enabled.rc == 0
+ service: name=neutron-openvswitch-agent state=stopped
diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml
index e25bc495..80516fe6 100644
--- a/puppet/services/neutron-ovs-dpdk-agent.yaml
+++ b/puppet/services/neutron-ovs-dpdk-agent.yaml
@@ -62,6 +62,9 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ OpenVswitchUpgrade:
+ type: ./openvswitch-upgrade.yaml
+
outputs:
role_data:
description: Role data for the Neutron OVS DPDK Agent service.
@@ -69,7 +72,10 @@ outputs:
service_name: neutron_ovs_dpdk_agent
config_settings:
map_merge:
- - get_attr: [NeutronOvsAgent, role_data, config_settings]
+ - map_replace:
+ - get_attr: [NeutronOvsAgent, role_data, config_settings]
+ - keys:
+ tripleo.neutron_ovs_agent.firewall_rules: tripleo.neutron_ovs_dpdk_agent.firewall_rules
- neutron::agents::ml2::ovs::enable_dpdk: true
neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType}
neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir}
@@ -79,3 +85,5 @@ outputs:
vswitch::dpdk::socket_mem: {get_param: NeutronDpdkSocketMemory}
vswitch::dpdk::driver_type: {get_param: NeutronDpdkDriverType}
step_config: {get_attr: [NeutronOvsAgent, role_data, step_config]}
+ upgrade_tasks:
+ get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks]
diff --git a/puppet/services/neutron-plugin-ml2-odl.yaml b/puppet/services/neutron-plugin-ml2-odl.yaml
new file mode 100644
index 00000000..acacadfa
--- /dev/null
+++ b/puppet/services/neutron-plugin-ml2-odl.yaml
@@ -0,0 +1,45 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Neutron ML2/OpenDaylight plugin configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ OpenDaylightPortBindingController:
+ description: OpenDaylight port binding controller
+ type: string
+ default: 'network-topology'
+
+resources:
+
+ NeutronMl2Base:
+ type: ./neutron-plugin-ml2.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Neutron ML2/ODL plugin.
+ value:
+ service_name: neutron_plugin_ml2_odl
+ config_settings:
+ map_merge:
+ - get_attr: [NeutronMl2Base, role_data, config_settings]
+ - neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController}
+ step_config: |
+ include ::tripleo::profile::base::neutron::plugins::ml2
diff --git a/puppet/services/neutron-plugin-nuage.yaml b/puppet/services/neutron-plugin-nuage.yaml
index e09cd704..6229a3f1 100644
--- a/puppet/services/neutron-plugin-nuage.yaml
+++ b/puppet/services/neutron-plugin-nuage.yaml
@@ -19,10 +19,6 @@ parameters:
via parameter_defaults in the resource registry.
type: json
# Config specific parameters, to be provided via parameter_defaults
- NeutronNuageOSControllerIp:
- description: IP address of the OpenStack Controller
- type: string
-
NeutronNuageNetPartitionName:
description: Specifies the title that you will see on the VSD
type: string
@@ -76,8 +72,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- - neutron::plugins::nuage::nuage_oscontroller_ip: {get_param: NeutronNuageOSControllerIp}
- neutron::plugins::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName}
+ - neutron::plugins::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName}
neutron::plugins::nuage::nuage_vsd_ip: {get_param: NeutronNuageVSDIp}
neutron::plugins::nuage::nuage_vsd_username: {get_param: NeutronNuageVSDUsername}
neutron::plugins::nuage::nuage_vsd_password: {get_param: NeutronNuageVSDPassword}
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index 473c24b4..18d9b924 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -62,6 +62,12 @@ parameters:
default: 300
description: Timeout for Nova db sync
type: number
+ NovaApiPolicies:
+ description: |
+ A hash of policies to configure for Nova API.
+ e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
@@ -145,6 +151,7 @@ outputs:
nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
+ nova::policy::policies: {get_param: NovaApiPolicies}
-
if:
- nova_workers_zero
@@ -227,7 +234,7 @@ outputs:
- name: Setup cell_v2 (map cell0)
tags: step5
when: is_bootstrap_node
- command: nova-manage cell_v2 map_cell0
+ shell: nova-manage cell_v2 map_cell0 --database_connection=$(hiera nova::cell0_database_connection)
- name: Setup cell_v2 (create default cell)
tags: step5
when: is_bootstrap_node
@@ -243,15 +250,15 @@ outputs:
command: nova-manage db sync
async: {get_param: NovaDbSyncTimeout}
poll: 10
- - name: Setup cell_v2 (migrate hosts)
- tags: step5
- when: is_bootstrap_node
- command: nova-manage cell_v2 map_cell_and_hosts
- name: Setup cell_v2 (get cell uuid)
tags: step5
when: is_bootstrap_node
shell: nova-manage cell_v2 list_cells | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}'
register: nova_api_cell_uuid
+ - name: Setup cell_v2 (migrate hosts)
+ tags: step5
+ when: is_bootstrap_node
+ command: nova-manage cell_v2 discover_hosts --cell_uuid {{nova_api_cell_uuid.stdout}} --verbose
- name: Setup cell_v2 (migrate instances)
tags: step5
when: is_bootstrap_node
diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml
index ceacb0b2..9e7f0145 100644
--- a/puppet/services/nova-base.yaml
+++ b/puppet/services/nova-base.yaml
@@ -52,16 +52,20 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ DatabaseSyncTimeout:
+ default: 300
+ description: DB Sync Timeout default
+ type: number
Debug:
type: string
default: ''
description: Set to True to enable debugging on all services.
EnableConfigPurge:
type: boolean
- default: true
+ default: false
description: >
- Remove configuration that is not generated by TripleO. Setting
- to false may result in configuration remnants after updates/upgrades.
+ Remove configuration that is not generated by TripleO. Used to avoid
+ configuration remnants after upgrades.
NovaIPv6:
default: false
description: Enable IPv6 features in Nova
@@ -151,6 +155,16 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/nova'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+ nova::cell0_database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://nova:'
+ - {get_param: NovaPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/nova_cell0'
+ - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
nova::api_database_connection:
list_join:
- ''
@@ -188,6 +202,8 @@ outputs:
nova::network::neutron::neutron_auth_type: 'v3password'
nova::db::database_db_max_retries: -1
nova::db::database_max_retries: -1
+ nova::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout}
+ nova::db::sync_api::db_sync_timeout: {get_param: DatabaseSyncTimeout}
nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
nova::use_ipv6: {get_param: NovaIPv6}
nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge}
diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml
index 9057c71e..b1711436 100644
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@@ -52,7 +52,7 @@ parameters:
For different formats, refer to the nova.conf documentation for
pci_passthrough_whitelist configuration
type: json
- default: {}
+ default: ''
NovaVcpuPinSet:
description: >
A list or range of physical CPU cores to reserve for virtual machine
@@ -108,7 +108,11 @@ outputs:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- nova::compute::libvirt::manage_libvirt_services: false
- nova::compute::pci_passthrough: {get_param: NovaPCIPassthrough}
+ nova::compute::pci_passthrough:
+ str_replace:
+ template: "JSON_PARAM"
+ params:
+ JSON_PARAM: {get_param: NovaPCIPassthrough}
nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet}
nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory}
# we manage migration in nova common puppet profile
diff --git a/puppet/services/nova-ironic.yaml b/puppet/services/nova-ironic.yaml
index 843f44c5..f1d8dff7 100644
--- a/puppet/services/nova-ironic.yaml
+++ b/puppet/services/nova-ironic.yaml
@@ -51,3 +51,7 @@ outputs:
nova::scheduler::filter::scheduler_host_manager: 'ironic_host_manager'
step_config: |
include tripleo::profile::base::nova::compute::ironic
+ upgrade_tasks:
+ - name: Stop openstack-nova-compute service
+ tags: step1
+ service: name=openstack-nova-compute state=stopped enabled=no
diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml
index 909a3030..2f898a67 100644
--- a/puppet/services/octavia-api.yaml
+++ b/puppet/services/octavia-api.yaml
@@ -34,6 +34,12 @@ parameters:
default:
tag: openstack.octavia.api
path: /var/log/octavia/api.log
+ OctaviaApiPolicies:
+ description: |
+ A hash of policies to configure for Octavia API.
+ e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -57,6 +63,7 @@ outputs:
map_merge:
- get_attr: [OctaviaBase, role_data, config_settings]
- octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::db::database_connection:
list_join:
- ''
diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml
index a3f616ff..db15aa15 100644
--- a/puppet/services/octavia-base.yaml
+++ b/puppet/services/octavia-base.yaml
@@ -24,10 +24,10 @@ parameters:
description: Set to True to enable debugging on all services.
EnableConfigPurge:
type: boolean
- default: true
+ default: false
description: >
- Remove configuration that is not generated by TripleO. Setting
- to false may result in configuration remnants after updates/upgrades.
+ Remove configuration that is not generated by TripleO. Used to avoid
+ configuration remnants after upgrades.
RabbitPassword:
description: The password for RabbitMQ
type: string
diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml
index 3db0848e..ed572b4d 100644
--- a/puppet/services/opendaylight-ovs.yaml
+++ b/puppet/services/opendaylight-ovs.yaml
@@ -48,6 +48,10 @@ parameters:
default: {}
type: json
+resources:
+ OpenVswitchUpgrade:
+ type: ./openvswitch-upgrade.yaml
+
outputs:
role_data:
description: Role data for the OpenDaylight service.
@@ -60,11 +64,7 @@ outputs:
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
- neutron::plugins::ovs::opendaylight::provider_mappings:
- str_replace:
- template: MAPPINGS
- params:
- MAPPINGS: {get_param: OpenDaylightProviderMappings}
+ neutron::plugins::ovs::opendaylight::provider_mappings: {get_param: OpenDaylightProviderMappings}
tripleo.opendaylight_ovs.firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
@@ -74,16 +74,22 @@ outputs:
step_config: |
include tripleo::profile::base::neutron::plugins::ovs::opendaylight
upgrade_tasks:
- - name: Check if openvswitch is deployed
- command: systemctl is-enabled openvswitch
- tags: common
- ignore_errors: True
- register: openvswitch_enabled
- - name: "PreUpgrade step0,validation: Check service openvswitch is running"
- shell: /usr/bin/systemctl show 'openvswitch' --property ActiveState | grep '\bactive\b'
- when: openvswitch_enabled.rc == 0
- tags: step0,validation
- - name: Stop openvswitch service
- tags: step1
- when: openvswitch_enabled.rc == 0
- service: name=openvswitch state=stopped
+ yaql:
+ expression: $.data.ovs_upgrade + $.data.opendaylight_upgrade
+ data:
+ ovs_upgrade:
+ get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks]
+ opendaylight_upgrade:
+ - name: Check if openvswitch is deployed
+ command: systemctl is-enabled openvswitch
+ tags: common
+ ignore_errors: True
+ register: openvswitch_enabled
+ - name: "PreUpgrade step0,validation: Check service openvswitch is running"
+ shell: /usr/bin/systemctl show 'openvswitch' --property ActiveState | grep '\bactive\b'
+ when: openvswitch_enabled.rc == 0
+ tags: step0,validation
+ - name: Stop openvswitch service
+ tags: step1
+ when: openvswitch_enabled.rc == 0
+ service: name=openvswitch state=stopped
diff --git a/puppet/services/openvswitch-upgrade.yaml b/puppet/services/openvswitch-upgrade.yaml
new file mode 100644
index 00000000..fea1ba96
--- /dev/null
+++ b/puppet/services/openvswitch-upgrade.yaml
@@ -0,0 +1,50 @@
+heat_template_version: ocata
+
+description: >
+ Openvswitch package special handling for upgrade.
+
+outputs:
+ role_data:
+ description: Upgrade task for special handling of Openvswitch (OVS) upgrade.
+ value:
+ service_name: openvswitch_upgrade
+ upgrade_tasks:
+ - name: Check openvswitch version.
+ tags: step2
+ register: ovs_version
+ ignore_errors: true
+ shell: rpm -qa | awk -F- '/^openvswitch-2/{print $2 "-" $3}'
+ - name: Check openvswitch packaging.
+ tags: step2
+ shell: rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep -q "systemctl.*try-restart"
+ register: ovs_packaging_issue
+ ignore_errors: true
+ - block:
+ - name: "Ensure empty directory: emptying."
+ file:
+ state: absent
+ path: /root/OVS_UPGRADE
+ - name: "Ensure empty directory: creating."
+ file:
+ state: directory
+ path: /root/OVS_UPGRADE
+ owner: root
+ group: root
+ mode: 0750
+ - name: Download OVS packages.
+ command: yumdownloader --destdir /root/OVS_UPGRADE --resolve openvswitch
+ - name: Get rpm list for manual upgrade of OVS.
+ shell: ls -1 /root/OVS_UPGRADE/*.rpm
+ register: ovs_list_of_rpms
+ - name: Manual upgrade of OVS
+ shell: |
+ rpm -U --test {{item}} 2>&1 | grep "already installed" || \
+ rpm -U --replacepkgs --notriggerun --nopostun {{item}};
+ args:
+ chdir: /root/OVS_UPGRADE
+ with_items:
+ - "{{ovs_list_of_rpms.stdout_lines}}"
+ tags: step2
+ when: "'2.5.0-14' in '{{ovs_version.stdout}}'
+ or
+ ovs_packaging_issue|succeeded"
diff --git a/puppet/services/ovn-dbs.yaml b/puppet/services/ovn-dbs.yaml
index 7f81afde..6b8be77c 100644
--- a/puppet/services/ovn-dbs.yaml
+++ b/puppet/services/ovn-dbs.yaml
@@ -36,5 +36,11 @@ outputs:
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
ovn::northd::dbs_listen_ip: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+ tripleo.ovn_dbs.firewall_rules:
+ '121 OVN DB server ports':
+ proto: 'tcp'
+ dport:
+ - {get_param: OVNNorthboundServerPort}
+ - {get_param: OVNSouthboundServerPort}
step_config: |
include ::tripleo::profile::base::neutron::ovn_northd
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index 762d0092..f7a0edf8 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -87,10 +87,16 @@ parameters:
\[(?<pid>[^ ]*)\]
(?<host>[^ ]*)
(?<message>.*)$/
+
+ EnableLoadBalancer:
+ default: true
+ description: Whether to deploy a LoadBalancer on the Controller
+ type: boolean
+
PacemakerResources:
type: comma_delimited_list
description: List of resources managed by pacemaker
- default: ['rabbitmq','haproxy','galera']
+ default: ['rabbitmq', 'galera']
outputs:
role_data:
@@ -135,6 +141,8 @@ outputs:
- name: Check pacemaker cluster running before upgrade
tags: step0,validation
pacemaker_cluster: state=online check_and_fail=true
+ async: 30
+ poll: 4
- name: Stop pacemaker cluster
tags: step2
pacemaker_cluster: state=offline
@@ -147,3 +155,9 @@ outputs:
resource: "{{ item }}"
max_wait: 500
with_items: {get_param: PacemakerResources}
+ - name: Check pacemaker haproxy resource
+ tags: step4
+ pacemaker_is_active:
+ resource: haproxy
+ max_wait: 500
+ when: {get_param: EnableLoadBalancer}
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
index eed98257..43e7aa18 100644
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
@@ -24,6 +24,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ PankoApiPolicies:
+ description: |
+ A hash of policies to configure for Panko API.
+ e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
PankoBase:
@@ -58,6 +64,7 @@ outputs:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]}
+ panko::policy::policies: {get_param: PankoApiPolicies}
panko::api::service_name: 'httpd'
panko::api::enable_proxy_headers_parsing: true
tripleo.panko_api.firewall_rules:
diff --git a/puppet/services/qdr.yaml b/puppet/services/qdr.yaml
new file mode 100644
index 00000000..f8746cec
--- /dev/null
+++ b/puppet/services/qdr.yaml
@@ -0,0 +1,60 @@
+heat_template_version: ocata
+
+description: >
+ Qpid dispatch router service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ RabbitUserName:
+ default: guest
+ description: The username for Qdr
+ type: string
+ RabbitPassword:
+ description: The password for Qdr
+ type: string
+ hidden: true
+ RabbitClientPort:
+ description: Listening port for Qdr
+ default: 5672
+ type: number
+ MonitoringSubscriptionQdr:
+ default: 'overcloud-qdr'
+ type: string
+
+outputs:
+ role_data:
+ description: Role data for the Qdr role.
+ value:
+ service_name: rabbitmq
+ monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
+ global_config_settings:
+ messaging_notify_service_name: 'amqp'
+ messaging_rpc_service_name: 'amqp'
+ keystone::messaging::amqp::amqp_pre_settled: 'notify'
+ config_settings:
+ tripleo.rabbitmq.firewall_rules:
+ '109 qdr':
+ dport:
+ - {get_param: RabbitClientPort}
+ qdr::listener_addr: {get_param: [ServiceNetMap, QdrNetwork]}
+ # cannot pass qdr::listener_port directly because it needs to be a string
+ # we do the conversion in the puppet layer
+ tripleo::profile::base::qdr::qdr_listener_port: {get_param: RabbitClientPort}
+ tripleo::profile::base::qdr::qdr_username: {get_param: RabbitUserName}
+ tripleo::profile::base::qdr::qdr_password: {get_param: RabbitPassword}
+
+ step_config: |
+ include ::tripleo::profile::base::qdr
diff --git a/puppet/services/rabbitmq-internal-tls-certmonger.yaml b/puppet/services/rabbitmq-internal-tls-certmonger.yaml
deleted file mode 100644
index 39d6b903..00000000
--- a/puppet/services/rabbitmq-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
- RabbitMQ configurations for using TLS via certmonger.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-outputs:
- role_data:
- description: RabbitMQ configurations for using TLS via certmonger.
- value:
- service_name: rabbitmq_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- tripleo::profile::base::rabbitmq::certificate_specs:
- service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
- service_key: '/etc/pki/tls/private/rabbitmq.key'
- hostname:
- str_replace:
- template: "%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- principal:
- str_replace:
- template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- metadata_settings:
- - service: rabbitmq
- network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- type: node
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 92a0015a..47479783 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -52,14 +52,8 @@ parameters:
type: boolean
default: false
-resources:
-
- RabbitMQTLS:
- type: OS::TripleO::Services::RabbitMQTLS
- properties:
- ServiceNetMap: {get_param: ServiceNetMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- EndpointMap: {get_param: EndpointMap}
+conditions:
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@@ -69,7 +63,6 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
config_settings:
map_merge:
- - get_attr: [RabbitMQTLS, role_data, config_settings]
-
rabbitmq::file_limit: {get_param: RabbitFDLimit}
rabbitmq::default_user: {get_param: RabbitUserName}
@@ -124,6 +117,24 @@ outputs:
# TODO(jaosorior): Remove this once we set a proper default in
# puppet-tripleo
tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
+ -
+ if:
+ - internal_tls_enabled
+ - generate_service_certificates: true
+ tripleo::profile::base::rabbitmq::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
+ service_key: '/etc/pki/tls/private/rabbitmq.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ principal:
+ str_replace:
+ template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ - {}
step_config: |
include ::tripleo::profile::base::rabbitmq
upgrade_tasks:
@@ -134,4 +145,10 @@ outputs:
tags: step4
service: name=rabbitmq-server state=started
metadata_settings:
- get_attr: [RabbitMQTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ - service: rabbitmq
+ network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ type: node
+ - null
diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml
index 96b3d6e3..d9f2115a 100644
--- a/puppet/services/sahara-api.yaml
+++ b/puppet/services/sahara-api.yaml
@@ -38,6 +38,12 @@ parameters:
default:
tag: openstack.sahara.api
path: /var/log/sahara/sahara-api.log
+ SaharaApiPolicies:
+ description: |
+ A hash of policies to configure for Sahara API.
+ e.g. { sahara-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
SaharaBase:
@@ -60,6 +66,7 @@ outputs:
map_merge:
- get_attr: [SaharaBase, role_data, config_settings]
- sahara::port: {get_param: [EndpointMap, SaharaInternal, port]}
+ sahara::policy::policies: {get_param: SaharaApiPolicies}
sahara::service::api::api_workers: {get_param: SaharaWorkers}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
diff --git a/puppet/services/securetty.yaml b/puppet/services/securetty.yaml
new file mode 100644
index 00000000..6d32fe82
--- /dev/null
+++ b/puppet/services/securetty.yaml
@@ -0,0 +1,36 @@
+heat_template_version: ocata
+
+description: >
+ Configure securetty values
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ TtyValues:
+ default: {}
+ description: Configures console values in securetty
+ type: json
+ constraints:
+ - length: { min: 1}
+
+outputs:
+ role_data:
+ description: Console data for the securetty
+ value:
+ service_name: securetty
+ config_settings:
+ tripleo::profile::base::securetty::tty_list: {get_param: TtyValues}
+ step_config: |
+ include ::tripleo::profile::base::securetty
diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml
index a2286d16..9820b431 100644
--- a/puppet/services/services.yaml
+++ b/puppet/services/services.yaml
@@ -90,14 +90,11 @@ outputs:
# fluentd user.
yaql:
expression: >
- set($.data.groups.flatten()).where($)
+ set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($)
data:
- groups:
- - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}]
- - yaql:
- expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null))
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
- - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}]
+ default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]}
+ extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]}
+ role_data: {get_attr: [ServiceChain, role_data]}
config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}}
global_config_settings:
map_merge:
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 0c3cc1ec..0ecc942c 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -63,10 +63,14 @@ parameters:
Rabbit client subscriber parameter to specify
an SSL connection to the RabbitMQ host.
type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
conditions:
ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]}
+ use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
resources:
SwiftBase:
@@ -76,6 +80,14 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ TLSProxyBase:
+ type: OS::TripleO::Services::TLSProxyBase
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
outputs:
role_data:
description: Role data for the Swift proxy service.
@@ -85,7 +97,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [SwiftBase, role_data, config_settings]
-
+ - get_attr: [TLSProxyBase, role_data, config_settings]
- swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
swift::proxy::authtoken::password: {get_param: SwiftPassword}
@@ -146,7 +158,22 @@ outputs:
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- swift::proxy::proxy_local_net_ip: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
+ tripleo::profile::base::swift::proxy::tls_proxy_bind_ip:
+ get_param: [ServiceNetMap, SwiftProxyNetwork]
+ tripleo::profile::base::swift::proxy::tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
+ tripleo::profile::base::swift::proxy::tls_proxy_port:
+ get_param: [EndpointMap, SwiftInternal, port]
+ swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]}
+ swift::proxy::proxy_local_net_ip:
+ if:
+ - use_tls_proxy
+ - 'localhost'
+ - {get_param: [ServiceNetMap, SwiftProxyNetwork]}
step_config: |
include ::tripleo::profile::base::swift::proxy
service_config_settings:
@@ -169,3 +196,5 @@ outputs:
- name: Stop swift_proxy service
tags: step1
service: name=openstack-swift-proxy state=stopped
+ metadata_settings:
+ get_attr: [TLSProxyBase, role_data, metadata_settings]
diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml
index 2e3c818f..f62d5e18 100644
--- a/puppet/services/swift-ringbuilder.yaml
+++ b/puppet/services/swift-ringbuilder.yaml
@@ -42,6 +42,14 @@ parameters:
default: true
description: 'Use a local directory for Swift storage services when building rings'
type: boolean
+ SwiftRingGetTempurl:
+ default: ''
+ description: A temporary Swift URL to download rings from.
+ type: string
+ SwiftRingPutTempurl:
+ default: ''
+ description: A temporary Swift URL to upload rings to.
+ type: string
conditions:
swift_use_local_dir:
@@ -59,6 +67,8 @@ outputs:
value:
service_name: swift_ringbuilder
config_settings:
+ tripleo::profile::base::swift::ringbuilder::swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl}
+ tripleo::profile::base::swift::ringbuilder::swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl}
tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild}
tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas}
tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower}
diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml
index a4c139b5..c14e061b 100644
--- a/puppet/services/tacker.yaml
+++ b/puppet/services/tacker.yaml
@@ -47,6 +47,12 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ TackerPolicies:
+ description: |
+ A hash of policies to configure for Tacker.
+ e.g. { tacker-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
outputs:
role_data:
@@ -87,10 +93,12 @@ outputs:
tacker::db::mysql::allowed_hosts:
- '%'
- {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ tacker::policy::policies: {get_param: TackerPolicies}
service_config_settings:
keystone:
tacker::keystone::auth::tenant: 'service'
+ tacker::keystone::auth::region: {get_param: KeystoneRegion}
tacker::keystone::auth::password: {get_param: TackerPassword}
tacker::keystone::auth::public_url: {get_param: [EndpointMap, TackerPublic, uri]}
tacker::keystone::auth::internal_url: {get_param: [EndpointMap, TackerInternal, uri]}
diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml
index 67e14d9c..ff2b067f 100644
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@@ -37,3 +37,9 @@ outputs:
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
step_config: |
include ::tripleo::firewall
+ upgrade_tasks:
+ - name: blank ipv6 rule before activating ipv6 firewall.
+ tags: step3
+ shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
+ args:
+ creates: /etc/sysconfig/ip6tables.n-o-upgrade
diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml
index a320f694..33769d02 100644
--- a/puppet/services/zaqar.yaml
+++ b/puppet/services/zaqar.yaml
@@ -30,6 +30,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ ZaqarPolicies:
+ description: |
+ A hash of policies to configure for Zaqar.
+ e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
outputs:
@@ -38,6 +44,7 @@ outputs:
value:
service_name: zaqar
config_settings:
+ zaqar::policy::policies: {get_param: ZaqarPolicies}
zaqar::keystone::authtoken::password: {get_param: ZaqarPassword}
zaqar::keystone::authtoken::project_name: 'service'
zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}