diff options
Diffstat (limited to 'puppet/services')
184 files changed, 4669 insertions, 1037 deletions
diff --git a/puppet/services/README.rst b/puppet/services/README.rst index f19b6cca..7a18ef0c 100644 --- a/puppet/services/README.rst +++ b/puppet/services/README.rst @@ -16,6 +16,39 @@ Each service may define its own input parameters and defaults. Operators will use the parameter_defaults section of any Heat environment to set per service parameters. +Apart from sevice specific inputs, there are few default parameters for all +the services. Following are the list of default parameters: + + * ServiceNetMap: Mapping of service_name -> network name. Default mappings + for service to network names are defined in + ../network/service_net_map.j2.yaml, which may be overridden via + ServiceNetMap values added to a user environment file via + parameter_defaults. + + * EndpointMap: Mapping of service endpoint -> protocol. Contains a mapping of + endpoint data generated for all services, based on the data included in + ../network/endpoints/endpoint_data.yaml. + + * DefaultPasswords: Mapping of service -> default password. Used to pass some + passwords from the parent templates, this is a legacy interface and should + not be used by new services. + + * RoleName: Name of the role on which this service is deployed. A service can + be deployed in multiple roles. This is an internal parameter (should not be + set via environment file), which is fetched from the name attribute of the + roles_data.yaml template. + + * RoleParameters: Parameter specific to a role on which the service is + applied. Using the format "<RoleName>Parameters" in the parameter_defaults + of user environment file, parameters can be provided for a specific role. + For example, in order to provide a parameter specific to "Compute" role, + below is the format:: + + parameter_defaults: + ComputeParameters: + Param1: value + + Config Settings --------------- diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index d7c87b61..561b48cb 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Aodh API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -24,6 +32,12 @@ parameters: EnableInternalTLS: type: boolean default: false + AodhApiPolicies: + description: | + A hash of policies to configure for Aodh API. + e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: AodhBase: @@ -32,6 +46,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} ApacheServiceBase: type: ./apache.yaml @@ -39,6 +55,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} outputs: @@ -61,6 +79,7 @@ outputs: aodh::wsgi::apache::wsgi_process_display_name: 'aodh_wsgi' aodh::api::service_name: 'httpd' aodh::api::enable_proxy_headers_parsing: true + aodh::policy::policies: {get_param: AodhApiPolicies} tripleo.aodh_api.firewall_rules: '128 aodh-api': dport: @@ -86,6 +105,12 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - - name: Stop aodh_api service (running under httpd) - tags: step1 - service: name=httpd state=stopped + yaql: + expression: $.data.apache_upgrade + $.data.aodh_api_upgrade + data: + apache_upgrade: + get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + aodh_api_upgrade: + - name: Stop aodh_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped diff --git a/puppet/services/aodh-base.yaml b/puppet/services/aodh-base.yaml index c2c2d023..331fe9a9 100644 --- a/puppet/services/aodh-base.yaml +++ b/puppet/services/aodh-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Aodh service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -61,15 +69,15 @@ outputs: config_settings: aodh_redis_password: {get_param: RedisPassword} aodh::db::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://aodh:' - - {get_param: AodhPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/aodh' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: aodh + password: {get_param: AodhPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /aodh + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo aodh::debug: {get_param: Debug} aodh::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } aodh::rabbit_userid: {get_param: RabbitUserName} @@ -77,11 +85,13 @@ outputs: aodh::rabbit_use_ssl: {get_param: RabbitClientUseSSL} aodh::rabbit_port: {get_param: RabbitClientPort} aodh::keystone::authtoken::project_name: 'service' + aodh::keystone::authtoken::user_domain_name: 'Default' + aodh::keystone::authtoken::project_domain_name: 'Default' aodh::keystone::authtoken::password: {get_param: AodhPassword} - aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } aodh::auth::auth_password: {get_param: AodhPassword} - aodh::auth::auth_region: 'regionOne' + aodh::auth::auth_region: {get_param: KeystoneRegion} aodh::auth::auth_tenant_name: 'service' service_config_settings: keystone: diff --git a/puppet/services/aodh-evaluator.yaml b/puppet/services/aodh-evaluator.yaml index b8be4a91..669c11dd 100644 --- a/puppet/services/aodh-evaluator.yaml +++ b/puppet/services/aodh-evaluator.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Aodh Evaluator service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/aodh-listener.yaml b/puppet/services/aodh-listener.yaml index f5c9330d..17710ecb 100644 --- a/puppet/services/aodh-listener.yaml +++ b/puppet/services/aodh-listener.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Aodh Listener service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/aodh-notifier.yaml b/puppet/services/aodh-notifier.yaml index 84c50dd6..2eed1b75 100644 --- a/puppet/services/aodh-notifier.yaml +++ b/puppet/services/aodh-notifier.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Aodh Notifier service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml deleted file mode 100644 index 4c94f440..00000000 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ /dev/null @@ -1,75 +0,0 @@ -heat_template_version: ocata - -description: > - Apache service TLS configurations. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - # The following parameters are not needed by the template but are - # required to pass the pep8 tests - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -resources: - - ApacheNetworks: - type: OS::Heat::Value - properties: - value: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap - -outputs: - role_data: - description: Role data for the Apache role. - value: - service_name: apache_internal_tls_certmonger - config_settings: - generate_service_certificates: true - apache_certificates_specs: - map_merge: - repeat: - template: - httpd-NETWORK: - service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' - service_key: '/etc/pki/tls/private/httpd-NETWORK.key' - hostname: "%{hiera('fqdn_NETWORK')}" - principal: "HTTP/%{hiera('fqdn_NETWORK')}" - for_each: - NETWORK: {get_attr: [ApacheNetworks, value]} - metadata_settings: - repeat: - template: - - service: HTTP - network: $NETWORK - type: node - for_each: - $NETWORK: {get_attr: [ApacheNetworks, value]} - upgrade_tasks: - - name: Check if httpd is deployed - command: systemctl is-enabled httpd - tags: common - ignore_errors: True - register: httpd_enabled - - name: "PreUpgrade step0,validation: Check service httpd is running" - shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' - when: httpd_enabled.rc == 0 - tags: step0,validation diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 2d950151..23fcab90 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Apache service configured with Puppet. Note this is typically included @@ -22,6 +22,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -30,14 +38,31 @@ parameters: EnableInternalTLS: type: boolean default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: - ApacheTLS: - type: OS::TripleO::Services::ApacheTLS + ApacheNetworks: + type: OS::Heat::Value properties: - ServiceNetMap: {get_param: ServiceNetMap} + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # is for HAProxy so it isn't used for apache either. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap outputs: role_data: @@ -46,13 +71,13 @@ outputs: service_name: apache config_settings: map_merge: - - get_attr: [ApacheTLS, role_data, config_settings] - # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::default_vhost: false apache::server_signature: 'Off' apache::server_tokens: 'Prod' apache_remote_proxy_ips_network: @@ -64,8 +89,37 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" + - if: + - internal_tls_enabled + - + generate_service_certificates: true + apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile} + tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd' + tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd' + apache_certificates_specs: + map_merge: + repeat: + template: + httpd-NETWORK: + service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key' + hostname: "%{hiera('fqdn_NETWORK')}" + principal: "HTTP/%{hiera('fqdn_NETWORK')}" + for_each: + NETWORK: {get_attr: [ApacheNetworks, value]} + - {} metadata_settings: - get_attr: [ApacheTLS, role_data, metadata_settings] + if: + - internal_tls_enabled + - + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} + - null upgrade_tasks: - name: Check if httpd is deployed command: systemctl is-enabled httpd @@ -76,3 +130,6 @@ outputs: shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' when: httpd_enabled.rc == 0 tags: step0,validation + - name: Ensure mod_ssl package is installed + tags: step3 + yum: name=mod_ssl state=latest diff --git a/puppet/services/auditd.yaml b/puppet/services/auditd.yaml index 8085ac8b..3eff534b 100644 --- a/puppet/services/auditd.yaml +++ b/puppet/services/auditd.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > AuditD configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index cba92415..53fba63e 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Barbican API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -55,6 +63,12 @@ parameters: EnableInternalTLS: type: boolean default: false + BarbicanPolicies: + description: | + A hash of policies to configure for Barbican. + e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -64,6 +78,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -74,9 +90,10 @@ outputs: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] - barbican::keystone::authtoken::password: {get_param: BarbicanPassword} - barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::project_name: 'service' + barbican::policy::policies: {get_param: BarbicanPolicies} barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} barbican::api::db_auto_create: false barbican::api::enabled_certificate_plugins: ['simple_certificate'] @@ -97,15 +114,15 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]} barbican::db::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://barbican:' - - {get_param: BarbicanPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/barbican' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: barbican + password: {get_param: BarbicanPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /barbican + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo tripleo.barbican_api.firewall_rules: '117 barbican': dport: @@ -135,27 +152,33 @@ outputs: nova::compute::barbican_endpoint: get_param: [EndpointMap, BarbicanInternal, uri] nova::compute::barbican_auth_endpoint: - get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] + get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] cinder_api: cinder::api::keymgr_api_class: > castellan.key_manager.barbican_key_manager.BarbicanKeyManager cinder::api::keymgr_encryption_api_url: get_param: [EndpointMap, BarbicanInternal, uri] cinder::api::keymgr_encryption_auth_url: - get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] + get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - - name: Check if barbican_api is deployed - command: systemctl is-enabled openstack-barbican-api - tags: common - ignore_errors: True - register: barbican_api_enabled - - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running" - shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b' - when: barbican_api_enabled.rc == 0 - tags: step0,validation - - name: Install openstack-barbican-api package if it was disabled - tags: step3 - yum: name=openstack-barbican-api state=latest - when: barbican_api_enabled.rc != 0 + yaql: + expression: $.data.apache_upgrade + $.data.barbican_api_upgrade + data: + apache_upgrade: + get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + barbican_api_upgrade: + - name: Check if barbican_api is deployed + command: systemctl is-enabled openstack-barbican-api + tags: common + ignore_errors: True + register: barbican_api_enabled + - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running" + shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b' + when: barbican_api_enabled.rc == 0 + tags: step0,validation + - name: Install openstack-barbican-api package if it was disabled + tags: step3 + yum: name=openstack-barbican-api state=latest + when: barbican_api_enabled.rc != 0 diff --git a/puppet/services/ca-certs.yaml b/puppet/services/ca-certs.yaml index 735e6dde..6249c1ab 100644 --- a/puppet/services/ca-certs.yaml +++ b/puppet/services/ca-certs.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > HAproxy service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/ceilometer-agent-central.yaml b/puppet/services/ceilometer-agent-central.yaml index 80823526..2dbaf554 100644 --- a/puppet/services/ceilometer-agent-central.yaml +++ b/puppet/services/ceilometer-agent-central.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ceilometer Central Agent service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -38,6 +46,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -53,6 +63,8 @@ outputs: - get_attr: [CeilometerServiceBase, role_data, config_settings] - ceilometer_redis_password: {get_param: RedisPassword} central_namespace: true + service_config_settings: + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::polling upgrade_tasks: diff --git a/puppet/services/ceilometer-agent-compute.yaml b/puppet/services/ceilometer-agent-compute.yaml index 546bcd98..c453a43d 100644 --- a/puppet/services/ceilometer-agent-compute.yaml +++ b/puppet/services/ceilometer-agent-compute.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ceilometer Compute Agent service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -35,6 +43,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -47,6 +57,8 @@ outputs: - get_attr: [CeilometerServiceBase, role_data, config_settings] - ceilometer::agent::compute::instance_discovery_method: {get_param: InstanceDiscoveryMethod} compute_namespace: true + service_config_settings: + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::polling upgrade_tasks: diff --git a/puppet/services/ceilometer-agent-ipmi.yaml b/puppet/services/ceilometer-agent-ipmi.yaml new file mode 100644 index 00000000..7dd1e78d --- /dev/null +++ b/puppet/services/ceilometer-agent-ipmi.yaml @@ -0,0 +1,87 @@ +heat_template_version: pike + +description: > + OpenStack Ceilometer Ipmi Agent service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + RedisPassword: + description: The password for the redis service account. + type: string + hidden: true + MonitoringSubscriptionCeilometerIpmi: + default: 'overcloud-ceilometer-agent-ipmi' + type: string + CeilometerAgentIpmiLoggingSource: + type: json + default: + tag: openstack.ceilometer.agent.ipmi + path: /var/log/ceilometer/ipmi.log + +resources: + CeilometerServiceBase: + type: ./ceilometer-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceilometer Agent Ipmi role. + value: + service_name: ceilometer_agent_ipmi + monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerIpmi} + logging_source: {get_param: CeilometerAgentIpmiLoggingSource} + logging_groups: + - ceilometer + config_settings: + map_merge: + - get_attr: [CeilometerServiceBase, role_data, config_settings] + - ceilometer_redis_password: {get_param: RedisPassword} + ipmi_namespace: true + step_config: | + include ::tripleo::profile::base::ceilometer::agent::polling + upgrade_tasks: + - name: Check if ceilometer-agent-ipmi is deployed + command: systemctl is-enabled openstack-ceilometer-ipmi + tags: common + ignore_errors: True + register: ceilometer_ipmi_enabled + - name: "PreUpgrade step0,validation: Check if openstack-ceilometer-ipmi is running" + shell: > + /usr/bin/systemctl show 'openstack-ceilometer-ipmi' --property ActiveState | + grep '\bactive\b' + when: ceilometer_ipmi_enabled.rc == 0 + tags: step0,validation + - name: Stop openstack-ceilometer-ipmi service + tags: step1 + when: ceilometer_ipmi_enabled.rc == 0 + service: name=openstack-ceilometer-ipmi state=stopped + - name: Install openstack-ceilometer-ipmi package if it was disabled + tags: step3 + yum: name=openstack-ceilometer-ipmi state=latest + when: ceilometer_ipmi_enabled.rc != 0 diff --git a/puppet/services/ceilometer-agent-notification.yaml b/puppet/services/ceilometer-agent-notification.yaml index 4ee43f49..6e893564 100644 --- a/puppet/services/ceilometer-agent-notification.yaml +++ b/puppet/services/ceilometer-agent-notification.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ceilometer Notification Agent service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -35,6 +43,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -47,6 +57,8 @@ outputs: - ceilometer config_settings: get_attr: [CeilometerServiceBase, role_data, config_settings] + service_config_settings: + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::notification upgrade_tasks: diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index f5ee9d40..74b0c3d2 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ceilometer API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,12 @@ parameters: EnableInternalTLS: type: boolean default: false + CeilometerApiPolicies: + description: | + A hash of policies to configure for Ceilometer API. + e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: CeilometerServiceBase: @@ -37,6 +51,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} ApacheServiceBase: type: ./apache.yaml @@ -44,6 +60,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} outputs: @@ -78,6 +96,7 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} + ceilometer::policy::policies: {get_param: CeilometerApiPolicies} ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS} ceilometer::wsgi::apache::servername: @@ -93,6 +112,12 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - - name: Stop ceilometer_api service (running under httpd) - tags: step1 - service: name=httpd state=stopped + yaql: + expression: $.data.apache_upgrade + $.data.ceilometer_api_upgrade + data: + apache_upgrade: + get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + ceilometer_api_upgrade: + - name: Stop ceilometer_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index 874c6893..b3e2c3a4 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ceilometer service configured with Puppet @@ -13,15 +13,19 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - CeilometerBackend: - default: 'mongodb' - description: The ceilometer backend type. - type: string CeilometerMeteringSecret: description: Secret shared by the ceilometer services. type: string @@ -30,25 +34,31 @@ parameters: description: The password for the ceilometer service account. type: string hidden: true - CeilometerMeterDispatcher: - default: ['gnocchi'] - description: Comma-seperated list of Dispatcher to process meter data - type: comma_delimited_list - constraints: - - allowed_values: ['gnocchi', 'database'] - CeilometerEventDispatcher: - default: ['gnocchi'] - description: Comma-separated list of Dispatchers to process events data - type: comma_delimited_list - constraints: - - allowed_values: ['panko', 'gnocchi', 'database'] CeilometerWorkers: default: 0 description: Number of workers for Ceilometer service. type: number + ManageEventPipeline: + default: false + description: Whether to manage event_pipeline.yaml. + type: boolean EventPipelinePublishers: - default: ['notifier://?topic=alarm.all'] - description: A list of publishers to put in event_pipeline.yaml. + default: ['gnocchi://'] + description: > + A list of publishers to put in event_pipeline.yaml. When the + collector is used, override this with notifier:// publisher. + Set ManageEventPipeline to true for override to take effect. + type: comma_delimited_list + ManagePipeline: + default: false + description: Whether to manage pipeline.yaml. + type: boolean + PipelinePublishers: + default: ['gnocchi://'] + description: > + A list of publishers to put in pipeline.yaml. When the + collector is used, override this with notifier:// publisher. + Set ManagePipeline to true for override to take effect. type: comma_delimited_list Debug: default: '' @@ -76,6 +86,19 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + CeilometerApiEndpoint: + default: false + description: Whether to create or skip API endpoint. Set this to + false, if you choose to disable Ceilometer API service. + type: boolean + SnmpdReadonlyUserName: + default: ro_snmp_user + description: The user name for SNMPd with readonly rights running on all Overcloud nodes + type: string + SnmpdReadonlyUserPassword: + description: The user password for SNMPd with readonly rights running on all Overcloud nodes + type: string + hidden: true outputs: role_data: @@ -84,31 +107,23 @@ outputs: service_name: ceilometer_base config_settings: ceilometer::debug: {get_param: Debug} - ceilometer::db::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - - '://ceilometer:' - - {get_param: CeilometerPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/ceilometer' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' - ceilometer_backend: {get_param: CeilometerBackend} - # we include db_sync class in puppet-tripleo - ceilometer::db::sync_db: false ceilometer::keystone::authtoken::project_name: 'service' + ceilometer::keystone::authtoken::user_domain_name: 'Default' + ceilometer::keystone::authtoken::project_domain_name: 'Default' ceilometer::keystone::authtoken::password: {get_param: CeilometerPassword} - ceilometer::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ceilometer::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::agent::auth::auth_password: {get_param: CeilometerPassword} ceilometer::agent::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } + ceilometer::agent::notification::manage_event_pipeline: {get_param: ManageEventPipeline} ceilometer::agent::notification::event_pipeline_publishers: {get_param: EventPipelinePublishers} + ceilometer::agent::notification::manage_pipeline: {get_param: ManagePipeline} + ceilometer::agent::notification::pipeline_publishers: {get_param: PipelinePublishers} ceilometer::agent::auth::auth_region: {get_param: KeystoneRegion} ceilometer::agent::auth::auth_tenant_name: 'service' + ceilometer::agent::auth::auth_user_domain_name: 'Default' + ceilometer::agent::auth::auth_project_domain_name: 'Default' ceilometer::agent::auth::auth_endpoint_type: 'internalURL' - ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher} - ceilometer::collector::event_dispatcher: {get_param: CeilometerEventDispatcher} ceilometer::dispatcher::gnocchi::url: {get_param: [EndpointMap, GnocchiInternal, uri]} ceilometer::dispatcher::gnocchi::filter_project: 'service' ceilometer::dispatcher::gnocchi::archive_policy: 'low' @@ -118,17 +133,19 @@ outputs: ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL} ceilometer::rabbit_port: {get_param: RabbitClientPort} ceilometer::rabbit_heartbeat_timeout_threshold: 60 - ceilometer::db::database_db_max_retries: -1 - ceilometer::db::database_max_retries: -1 ceilometer::telemetry_secret: {get_param: CeilometerMeteringSecret} + ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName} + ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword} service_config_settings: keystone: + ceilometer_auth_enabled: true ceilometer::keystone::auth::public_url: {get_param: [EndpointMap, CeilometerPublic, uri]} ceilometer::keystone::auth::internal_url: {get_param: [EndpointMap, CeilometerInternal, uri]} ceilometer::keystone::auth::admin_url: {get_param: [EndpointMap, CeilometerAdmin, uri]} ceilometer::keystone::auth::password: {get_param: CeilometerPassword} ceilometer::keystone::auth::region: {get_param: KeystoneRegion} ceilometer::keystone::auth::tenant: 'service' + ceilometer::keystone::auth::configure_endpoint: {get_param: CeilometerApiEndpoint} mysql: ceilometer::db::mysql::password: {get_param: CeilometerPassword} ceilometer::db::mysql::user: ceilometer diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml index b0ec971f..3ec18420 100644 --- a/puppet/services/ceilometer-collector.yaml +++ b/puppet/services/ceilometer-collector.yaml @@ -1,7 +1,8 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ceilometer Collector service configured with Puppet + This service is deprecated and will be removed in future releases. parameters: ServiceNetMap: @@ -13,11 +14,27 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + CeilometerBackend: + default: 'mongodb' + description: The ceilometer backend type. + type: string + CeilometerPassword: + description: The password for the ceilometer service account. + type: string + hidden: true MonitoringSubscriptionCeilometerCollector: default: 'overcloud-ceilometer-collector' type: string @@ -26,7 +43,32 @@ parameters: default: tag: openstack.ceilometer.collector path: /var/log/ceilometer/collector.log - + CeilometerMeterDispatcher: + default: ['gnocchi'] + description: Comma-seperated list of Dispatcher to process meter data + Note that database option is deprecated and will not be + supported in future. + type: comma_delimited_list + constraints: + - allowed_values: ['gnocchi', 'database'] + CeilometerEventDispatcher: + default: ['panko', 'gnocchi'] + description: Comma-separated list of Dispatchers to process events data + Note that database option is deprecated and will not be + supported in future. + type: comma_delimited_list + constraints: + - allowed_values: ['panko', 'gnocchi', 'database'] + CeilometerEventTTL: + default: '86400' + description: Number of seconds that events are kept in the database for + (<= 0 means forever) + type: string + CeilometerMeteringTTL: + default: '86400' + description: Number of seconds that samples are kept in the database for + (<= 0 means forever) + type: string resources: CeilometerServiceBase: type: ./ceilometer-base.yaml @@ -34,6 +76,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} MongoDbBase: type: ./database/mongodb-base.yaml @@ -41,6 +85,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -55,6 +101,25 @@ outputs: map_merge: - get_attr: [MongoDbBase, role_data, config_settings] - get_attr: [CeilometerServiceBase, role_data, config_settings] + - ceilometer::db::database_connection: + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: ceilometer + password: {get_param: CeilometerPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /ceilometer + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + ceilometer_backend: {get_param: CeilometerBackend} + ceilometer::event_time_to_live: {get_param: CeilometerEventTTL} + ceilometer::metering_time_to_live: {get_param: CeilometerMeteringTTL} + # we include db_sync class in puppet-tripleo + ceilometer::db::sync_db: false + ceilometer::db::database_db_max_retries: -1 + ceilometer::db::database_max_retries: -1 + ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher} + ceilometer::collector::event_dispatcher: {get_param: CeilometerEventDispatcher} service_config_settings: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | diff --git a/puppet/services/ceilometer-expirer.yaml b/puppet/services/ceilometer-expirer.yaml index 714434b1..775e921a 100644 --- a/puppet/services/ceilometer-expirer.yaml +++ b/puppet/services/ceilometer-expirer.yaml @@ -1,7 +1,9 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ceilometer Expirer service configured with Puppet + Note, This service is deprecated and will be removed in + future releases. parameters: ServiceNetMap: @@ -13,6 +15,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +39,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml index 033d3f77..5f19af68 100644 --- a/puppet/services/ceph-base.yaml +++ b/puppet/services/ceph-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Ceph base service. Shared by all Ceph services. @@ -55,6 +55,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/ceph-client.yaml b/puppet/services/ceph-client.yaml index f972e21b..ec34fcae 100644 --- a/puppet/services/ceph-client.yaml +++ b/puppet/services/ceph-client.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Ceph Client service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml index 134f47c4..599532c4 100644 --- a/puppet/services/ceph-external.yaml +++ b/puppet/services/ceph-external.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Ceph External service. @@ -53,6 +53,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/ceph-mds.yaml b/puppet/services/ceph-mds.yaml index b68567fb..270d3a26 100644 --- a/puppet/services/ceph-mds.yaml +++ b/puppet/services/ceph-mds.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Ceph MDS service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -31,6 +39,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index d589ef89..c36f0537 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Ceph Monitor service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -78,6 +86,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/ceph-osd.yaml b/puppet/services/ceph-osd.yaml index a97fa116..24b2886a 100644 --- a/puppet/services/ceph-osd.yaml +++ b/puppet/services/ceph-osd.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Ceph OSD service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -47,6 +55,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 01531971..ad91b4ec 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Ceph RadosGW service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -43,6 +51,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -73,7 +83,7 @@ outputs: ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} - ceph::rgw::keystone::auth::roles: [ 'admin', 'member', '_member_' ] + ceph::rgw::keystone::auth::roles: [ 'admin', 'Member', '_member_' ] ceph::rgw::keystone::auth::tenant: service ceph::rgw::keystone::auth::user: swift ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} diff --git a/puppet/services/certmonger-user.yaml b/puppet/services/certmonger-user.yaml new file mode 100644 index 00000000..6ad451a8 --- /dev/null +++ b/puppet/services/certmonger-user.yaml @@ -0,0 +1,36 @@ +heat_template_version: pike + +description: > + Requests certificates using certmonger through Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the certmonger-user service + value: + service_name: certmonger_user + step_config: | + include ::tripleo::profile::base::certmonger_user diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index c0ea7aaa..036209f3 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Cinder API service configured with Puppet @@ -22,6 +22,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -46,6 +54,12 @@ parameters: EnableInternalTLS: type: boolean default: false + CinderApiPolicies: + description: | + A hash of policies to configure for Cinder API. + e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]} @@ -58,6 +72,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} CinderBase: @@ -66,6 +82,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -80,10 +98,13 @@ outputs: map_merge: - get_attr: [CinderBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - - cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + - cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} cinder::keystone::authtoken::password: {get_param: CinderPassword} cinder::keystone::authtoken::project_name: 'service' + cinder::keystone::authtoken::user_domain_name: 'Default' + cinder::keystone::authtoken::project_domain_name: 'Default' + cinder::policy::policies: {get_param: CinderApiPolicies} cinder::api::enable_proxy_headers_parsing: true cinder::api::nova_catalog_info: 'compute:nova:internalURL' @@ -150,25 +171,31 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - - name: Check if cinder_api is deployed - command: systemctl is-enabled openstack-cinder-api - tags: common - ignore_errors: True - register: cinder_api_enabled - - name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running" - shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b' - when: cinder_api_enabled.rc == 0 - tags: step0,validation - - name: check for cinder running under apache (post upgrade) - tags: step1 - shell: "apachectl -t -D DUMP_VHOSTS | grep -q cinder" - register: cinder_apache - ignore_errors: true - - name: Stop cinder_api service (running under httpd) - tags: step1 - service: name=httpd state=stopped - when: "cinder_apache.rc == 0" - - name: Stop and disable cinder_api service (pre-upgrade not under httpd) - tags: step1 - when: cinder_api_enabled.rc == 0 - service: name=openstack-cinder-api state=stopped enabled=no + yaql: + expression: $.data.apache_upgrade + $.data.cinder_api_upgrade + data: + apache_upgrade: + get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + cinder_api_upgrade: + - name: Check if cinder_api is deployed + command: systemctl is-enabled openstack-cinder-api + tags: common + ignore_errors: True + register: cinder_api_enabled + - name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running" + shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b' + when: cinder_api_enabled.rc == 0 + tags: step0,validation + - name: check for cinder running under apache (post upgrade) + tags: step1 + shell: "httpd -t -D DUMP_VHOSTS | grep -q cinder" + register: cinder_apache + ignore_errors: true + - name: Stop cinder_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: cinder_apache.rc == 0 + - name: Stop and disable cinder_api service (pre-upgrade not under httpd) + tags: step1 + when: cinder_api_enabled.rc == 0 + service: name=openstack-cinder-api state=stopped enabled=no diff --git a/puppet/services/cinder-backend-dellps.yaml b/puppet/services/cinder-backend-dellps.yaml index 1f15c53e..d0382534 100644 --- a/puppet/services/cinder-backend-dellps.yaml +++ b/puppet/services/cinder-backend-dellps.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -heat_template_version: ocata +heat_template_version: pike description: > Openstack Cinder Dell EMC PS Series backend @@ -58,6 +58,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} type: json diff --git a/puppet/services/cinder-backend-dellsc.yaml b/puppet/services/cinder-backend-dellsc.yaml index 6a6196ac..a6b7d5c7 100644 --- a/puppet/services/cinder-backend-dellsc.yaml +++ b/puppet/services/cinder-backend-dellsc.yaml @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -heat_template_version: ocata +heat_template_version: pike description: > Openstack Cinder Dell EMC Storage Center backend @@ -58,6 +58,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} type: json diff --git a/puppet/services/cinder-backend-netapp.yaml b/puppet/services/cinder-backend-netapp.yaml new file mode 100644 index 00000000..bddc8e1a --- /dev/null +++ b/puppet/services/cinder-backend-netapp.yaml @@ -0,0 +1,137 @@ +heat_template_version: pike + +description: Openstack Cinder Netapp backend + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CinderEnableNetappBackend: + type: boolean + default: true + CinderNetappBackendName: + type: string + default: 'tripleo_netapp' + CinderNetappLogin: + type: string + CinderNetappPassword: + type: string + hidden: true + CinderNetappServerHostname: + type: string + CinderNetappServerPort: + type: string + default: '80' + CinderNetappSizeMultiplier: + type: string + default: '1.2' + CinderNetappStorageFamily: + type: string + default: 'ontap_cluster' + CinderNetappStorageProtocol: + type: string + default: 'nfs' + CinderNetappTransportType: + type: string + default: 'http' + CinderNetappVfiler: + type: string + default: '' + CinderNetappVolumeList: + type: string + default: '' + CinderNetappVserver: + type: string + default: '' + CinderNetappPartnerBackendName: + type: string + default: '' + CinderNetappNfsShares: + type: string + default: '' + CinderNetappNfsSharesConfig: + type: string + default: '/etc/cinder/shares.conf' + CinderNetappNfsMountOptions: + type: string + default: '' + CinderNetappCopyOffloadToolPath: + type: string + default: '' + CinderNetappControllerIps: + type: string + default: '' + CinderNetappSaPassword: + type: string + default: '' + hidden: true + CinderNetappStoragePools: + type: string + default: '' + CinderNetappHostType: + type: string + default: '' + CinderNetappWebservicePath: + type: string + default: '/devmgr/v2' + # DEPRECATED options for compatibility with older versions + CinderNetappEseriesHostType: + type: string + default: 'linux_dm_mp' + +parameter_groups: +- label: deprecated + description: Do not use deprecated params, they will be removed. + parameters: + - CinderNetappEseriesHostType + +outputs: + role_data: + description: Role data for the Cinder NetApp backend. + value: + service_name: cinder_backend_netapp + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_netapp_backend: {get_param: CinderEnableNetappBackend} + cinder::backend::netapp::title: {get_param: CinderNetappBackendName} + cinder::backend::netapp::netapp_login: {get_param: CinderNetappLogin} + cinder::backend::netapp::netapp_password: {get_param: CinderNetappPassword} + cinder::backend::netapp::netapp_server_hostname: {get_param: CinderNetappServerHostname} + cinder::backend::netapp::netapp_server_port: {get_param: CinderNetappServerPort} + cinder::backend::netapp::netapp_size_multiplier: {get_param: CinderNetappSizeMultiplier} + cinder::backend::netapp::netapp_storage_family: {get_param: CinderNetappStorageFamily} + cinder::backend::netapp::netapp_storage_protocol: {get_param: CinderNetappStorageProtocol} + cinder::backend::netapp::netapp_transport_type: {get_param: CinderNetappTransportType} + cinder::backend::netapp::netapp_vfiler: {get_param: CinderNetappVfiler} + cinder::backend::netapp::netapp_volume_list: {get_param: CinderNetappVolumeList} + cinder::backend::netapp::netapp_vserver: {get_param: CinderNetappVserver} + cinder::backend::netapp::netapp_partner_backend_name: {get_param: CinderNetappPartnerBackendName} + cinder::backend::netapp::nfs_shares: {get_param: CinderNetappNfsShares} + cinder::backend::netapp::nfs_shares_config: {get_param: CinderNetappNfsSharesConfig} + cinder::backend::netapp::nfs_mount_options: {get_param: CinderNetappNfsMountOptions} + cinder::backend::netapp::netapp_copyoffload_tool_path: {get_param: CinderNetappCopyOffloadToolPath} + cinder::backend::netapp::netapp_controller_ips: {get_param: CinderNetappControllerIps} + cinder::backend::netapp::netapp_sa_password: {get_param: CinderNetappSaPassword} + cinder::backend::netapp::netapp_storage_pools: {get_param: CinderNetappStoragePools} + cinder::backend::netapp::netapp_host_type: {get_param: CinderNetappHostType} + cinder::backend::netapp::netapp_webservice_path: {get_param: CinderNetappWebservicePath} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-backend-pure.yaml b/puppet/services/cinder-backend-pure.yaml new file mode 100644 index 00000000..576896a4 --- /dev/null +++ b/puppet/services/cinder-backend-pure.yaml @@ -0,0 +1,76 @@ +# Copyright (c) 2017 Pure Storage Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +heat_template_version: pike + +description: > + Openstack Cinder Pure Storage FlashArray backend + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + CinderEnablePureBackend: + type: boolean + default: true + CinderPureBackendName: + type: string + default: 'tripleo_pure' + CinderPureStorageProtocol: + type: string + default: 'iSCSI' + CinderPureSanIp: + type: string + CinderPureAPIToken: + type: string + CinderPureUseChap: + type: boolean + default: false + CinderPureMultipathXfer: + type: boolean + default: true + +outputs: + role_data: + description: Role data for the Cinder Pure Storage FlashArray backend. + value: + service_name: cinder_backend_pure + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_pure_backend: {get_param: CinderEnablePureBackend} + cinder::backend::pure::volume_backend_name: {get_param: CinderPureBackendName} + cinder::backend::pure::pure_storage_protocol: {get_param: CinderPureStorageProtocol} + cinder::backend::pure::san_ip: {get_param: CinderPureSanIp} + cinder::backend::pure::pure_api_token: {get_input: PureAPIToken} + cinder::backend::pure::use_chap_auth: {get_input: PureUseChap} + cinder::backend::pure::use_multipath_for_image_xfer: {get_input: PureMultipathXfer} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-backend-scaleio.yaml b/puppet/services/cinder-backend-scaleio.yaml index eb709cd5..832cc099 100644 --- a/puppet/services/cinder-backend-scaleio.yaml +++ b/puppet/services/cinder-backend-scaleio.yaml @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -heat_template_version: ocata +heat_template_version: pike description: > Openstack Cinder Dell EMC ScaleIO backend @@ -78,6 +78,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} type: json @@ -106,6 +114,6 @@ outputs: cinder::backend::scaleio::sio_round_volume_capacity: {get_param: CinderScaleIORoundVolumeCapacity} cinder::backend::scaleio::sio_unmap_volume_before_deletion: {get_param: CinderScaleIOUnmapVolumeBeforeDeletion} cinder::backend::scaleio::sio_max_over_subscription_ratio: {get_param: CinderScaleIOMaxOverSubscriptionRatio} - cinder::backend::scaleio::sio_thin_provision: {get_param: CinderScaleIOThinProvision} + cinder::backend::scaleio::sio_thin_provision: {get_param: CinderScaleIOSanThinProvision} step_config: | include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-backup.yaml b/puppet/services/cinder-backup.yaml index 14be07af..629a0f5b 100644 --- a/puppet/services/cinder-backup.yaml +++ b/puppet/services/cinder-backup.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Cinder Backup service configured with Puppet @@ -25,6 +25,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -42,6 +50,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/cinder-base.yaml b/puppet/services/cinder-base.yaml index 88e7edb7..2ba5aa52 100644 --- a/puppet/services/cinder-base.yaml +++ b/puppet/services/cinder-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Cinder base service. Shared by all Cinder services. @@ -21,6 +21,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -92,15 +100,15 @@ outputs: service_name: cinder_base config_settings: cinder::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://cinder:' - - {get_param: CinderPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/cinder' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: cinder + password: {get_param: CinderPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /cinder + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo cinder::debug: {get_param: Debug} cinder::rabbit_use_ssl: {get_param: RabbitClientUseSSL} cinder::rabbit_userid: {get_param: RabbitUserName} diff --git a/puppet/services/cinder-hpelefthand-iscsi.yaml b/puppet/services/cinder-hpelefthand-iscsi.yaml index ca7d2838..3ea0fd87 100644 --- a/puppet/services/cinder-hpelefthand-iscsi.yaml +++ b/puppet/services/cinder-hpelefthand-iscsi.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Configure Cinder HPELeftHandISCSIDriver @@ -32,6 +32,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} type: json diff --git a/puppet/services/cinder-scheduler.yaml b/puppet/services/cinder-scheduler.yaml index f8361f6f..806f9bb4 100644 --- a/puppet/services/cinder-scheduler.yaml +++ b/puppet/services/cinder-scheduler.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Cinder Scheduler service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -35,6 +43,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index b52955ef..fe95222b 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Cinder Volume service configured with Puppet @@ -55,6 +55,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -77,6 +85,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -94,11 +104,7 @@ outputs: tripleo::profile::base::cinder::volume::cinder_enable_nfs_backend: {get_param: CinderEnableNfsBackend} tripleo::profile::base::cinder::volume::cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend} tripleo::profile::base::cinder::volume::nfs::cinder_nfs_mount_options: {get_param: CinderNfsMountOptions} - tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: - str_replace: - template: SERVERS - params: - SERVERS: {get_param: CinderNfsServers} + tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: {get_param: CinderNfsServers} tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize} tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper} tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol} diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml index 8bc9f2e3..8fbcd99d 100644 --- a/puppet/services/congress.yaml +++ b/puppet/services/congress.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Congress service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -47,6 +55,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + CongressPolicies: + description: | + A hash of policies to configure for Congress. + e.g. { congress-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: role_data: @@ -56,15 +70,15 @@ outputs: config_settings: congress_password: {get_param: CongressPassword} congress::db::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://congress:' - - {get_param: CongressPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/congress' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: congress + password: {get_param: CongressPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /congress + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo congress::debug: {get_param: Debug} congress::rpc_backend: rabbit congress::rabbit_userid: {get_param: RabbitUserName} @@ -73,9 +87,12 @@ outputs: congress::rabbit_port: {get_param: RabbitClientPort} congress::server::bind_host: {get_param: [ServiceNetMap, CongressApiNetwork]} + congress::keystone::authtoken::password: {get_param: CongressPassword} congress::keystone::authtoken::project_name: 'service' - congress::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - congress::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + congress::keystone::authtoken::user_domain_name: 'Default' + congress::keystone::authtoken::project_domain_name: 'Default' + congress::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + congress::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} congress::db::mysql::password: {get_param: CongressPassword} congress::db::mysql::user: congress @@ -84,10 +101,12 @@ outputs: congress::db::mysql::allowed_hosts: - '%' - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + congress::policy::policies: {get_param: CongressPolicies} service_config_settings: keystone: congress::keystone::auth::tenant: 'service' + congress::keystone::auth::region: {get_param: KeystoneRegion} congress::keystone::auth::password: {get_param: CongressPassword} congress::keystone::auth::public_url: {get_param: [EndpointMap, CongressPublic, uri]} congress::keystone::auth::internal_url: {get_param: [EndpointMap, CongressInternal, uri]} diff --git a/puppet/services/database/mongodb-base.yaml b/puppet/services/database/mongodb-base.yaml index c27fcb7f..b5fced4c 100644 --- a/puppet/services/database/mongodb-base.yaml +++ b/puppet/services/database/mongodb-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Configuration details for MongoDB service using composable roles @@ -24,6 +24,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 63ec4446..5bd621d2 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > MongoDb service deployment using puppet @@ -14,11 +14,23 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + MongodbMemoryLimit: + default: '20G' + description: Limit the amount of memory mongodb uses with systemd. + type: string MongoDbLoggingSource: type: json description: Fluentd logging configuration for mongodb. @@ -36,6 +48,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -49,6 +63,7 @@ outputs: map_merge: - get_attr: [MongoDbBase, role_data, config_settings] - tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]} + tripleo::profile::base::database::mongodb::memory_limit: {get_param: MongodbMemoryLimit} mongodb::server::service_manage: True tripleo.mongodb.firewall_rules: '101 mongodb_config': diff --git a/puppet/services/database/mysql-client.yaml b/puppet/services/database/mysql-client.yaml index 78456e28..19d732dd 100644 --- a/puppet/services/database/mysql-client.yaml +++ b/puppet/services/database/mysql-client.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Mysql client settings @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -21,6 +29,11 @@ parameters: EnableInternalTLS: type: boolean default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. outputs: role_data: @@ -30,5 +43,6 @@ outputs: config_settings: tripleo::profile::base::database::mysql::client::mysql_client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]} tripleo::profile::base::database::mysql::client::enable_ssl: {get_param: EnableInternalTLS} + tripleo::profile::base::database::mysql::client::ssl_ca: {get_param: InternalTLSCAFile} step_config: | include ::tripleo::profile::base::database::mysql::client diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml deleted file mode 100644 index 9f7eaf57..00000000 --- a/puppet/services/database/mysql-internal-tls-certmonger.yaml +++ /dev/null @@ -1,47 +0,0 @@ -heat_template_version: ocata - -description: > - MySQL configurations for using TLS via certmonger. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - # The following parameters are not needed by the template but are - # required to pass the pep8 tests - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -outputs: - role_data: - description: MySQL configurations for using TLS via certmonger. - value: - service_name: mysql_internal_tls_certmonger - config_settings: - generate_service_certificates: true - tripleo::profile::base::database::mysql::certificate_specs: - service_certificate: '/etc/pki/tls/certs/mysql.crt' - service_key: '/etc/pki/tls/private/mysql.key' - hostname: - str_replace: - template: "%{hiera('cloud_name_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - principal: - str_replace: - template: "mysql/%{hiera('cloud_name_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - metadata_settings: - - service: mysql - network: {get_param: [ServiceNetMap, MysqlNetwork]} - type: vip diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 808f1353..2bde9033 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > MySQL service deployment using puppet @@ -14,6 +14,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -23,6 +31,10 @@ parameters: description: Configures MySQL max_connections config setting type: number default: 4096 + MysqlIncreaseFileLimit: + description: Flag to increase MySQL open-files-limit to 16384 + type: boolean + default: true MysqlRootPassword: type: string hidden: true @@ -38,13 +50,13 @@ parameters: description: The password for the nova db account type: string hidden: true + EnableInternalTLS: + type: boolean + default: false -resources: +conditions: - MySQLTLS: - type: OS::TripleO::Services::MySQLTLS - properties: - ServiceNetMap: {get_param: ServiceNetMap} + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -53,7 +65,6 @@ outputs: service_name: mysql config_settings: map_merge: - - get_attr: [MySQLTLS, role_data, config_settings] - # The Galera package should work in cluster and # non-cluster modes based on the config file. @@ -96,10 +107,32 @@ outputs: $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} tripleo::profile::base::database::mysql::client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]} + tripleo::profile::base::database::mysql::generate_dropin_file_limit: + {get_param: MysqlIncreaseFileLimit} + - generate_service_certificates: true + tripleo::profile::base::database::mysql::certificate_specs: + service_certificate: '/etc/pki/tls/certs/mysql.crt' + service_key: '/etc/pki/tls/private/mysql.key' + hostname: + str_replace: + template: "%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + principal: + str_replace: + template: "mysql/%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql metadata_settings: - get_attr: [MySQLTLS, role_data, metadata_settings] + if: + - internal_tls_enabled + - + - service: mysql + network: {get_param: [ServiceNetMap, MysqlNetwork]} + type: vip + - null upgrade_tasks: - name: Check for galera root password tags: step0 diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml index 2b7dd430..89fa8065 100644 --- a/puppet/services/database/redis-base.yaml +++ b/puppet/services/database/redis-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Redis service configured with Puppet @@ -8,6 +8,10 @@ parameters: description: The password for Redis type: string hidden: true + RedisFDLimit: + description: Configure Redis FD limit + type: string + default: 10240 ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -17,6 +21,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -42,3 +54,5 @@ outputs: redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}" redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}" redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh' + redis::sentinel::sentinel_bind: {get_param: [ServiceNetMap, RedisNetwork]} + redis::ulimit: {get_param: RedisFDLimit} diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml index 5ea25ca8..df406a8c 100644 --- a/puppet/services/database/redis.yaml +++ b/puppet/services/database/redis.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Redis service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -26,6 +34,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/disabled/ceilometer-collector.yaml b/puppet/services/disabled/ceilometer-collector.yaml new file mode 100644 index 00000000..64fd476d --- /dev/null +++ b/puppet/services/disabled/ceilometer-collector.yaml @@ -0,0 +1,38 @@ +heat_template_version: pike + +description: > + OpenStack Ceilometer Collector service, disabled since pike + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the disabled Ceilometer Collector role. + value: + service_name: ceilometer_collector + upgrade_tasks: + - name: Stop and disable ceilometer_collector service on upgrade + tags: step1 + service: name=openstack-ceilometer-collector state=stopped enabled=no diff --git a/puppet/services/disabled/ceilometer-expirer.yaml b/puppet/services/disabled/ceilometer-expirer.yaml new file mode 100644 index 00000000..182193ec --- /dev/null +++ b/puppet/services/disabled/ceilometer-expirer.yaml @@ -0,0 +1,38 @@ +heat_template_version: pike + +description: > + OpenStack Ceilometer Expirer service, disabled since pike + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the disabled Ceilometer Expirer role. + value: + service_name: ceilometer_expirer + upgrade_tasks: + - name: Stop and disable ceilometer_expirer service on upgrade + tags: step1 + service: name=openstack-ceilometer-expirer state=stopped enabled=no diff --git a/puppet/services/disabled/glance-registry.yaml b/puppet/services/disabled/glance-registry.yaml index 7bf4a1fd..b2cd03ee 100644 --- a/puppet/services/disabled/glance-registry.yaml +++ b/puppet/services/disabled/glance-registry.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Glance Registry service, disabled since ocata @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/docker.yaml b/puppet/services/docker.yaml new file mode 100644 index 00000000..2be21122 --- /dev/null +++ b/puppet/services/docker.yaml @@ -0,0 +1,51 @@ +heat_template_version: pike + +description: > + Configures docker on the host + +parameters: + DockerNamespace: + description: namespace + default: tripleoupstream + type: string + DockerNamespaceIsRegistry: + type: boolean + default: false + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +outputs: + role_data: + description: Role data for the docker service + value: + service_name: docker + config_settings: + tripleo::profile::base::docker::docker_namespace: {get_param: DockerNamespace} + tripleo::profile::base::docker::insecure_registry: {get_param: DockerNamespaceIsRegistry} + step_config: | + include ::tripleo::profile::base::docker + upgrade_tasks: + - name: Install docker packages on upgrade if missing + tags: step3 + yum: name=docker state=latest + diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml index 10f6d311..aa878a91 100644 --- a/puppet/services/ec2-api.yaml +++ b/puppet/services/ec2-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack EC2-API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -30,6 +38,15 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + Ec2ApiExternalNetwork: + type: string + default: '' + description: Name of the external network, which is used to connect VPCs to + Internet and to allocate Elastic IPs + NovaDefaultFloatingPool: + default: 'public' + description: Default pool for floating IP addresses + type: string MonitoringSubscriptionEc2Api: default: 'overcloud-ec2-api' type: string @@ -42,10 +59,17 @@ parameters: default: 'false' description: Set to true to enable package installation via Puppet type: boolean + Ec2ApiPolicies: + description: | + A hash of policies to configure for EC2-API. + e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: nova_workers_zero: {equals : [{get_param: Ec2ApiWorkers}, 0]} + external_network_unset: {equals : [{get_param: Ec2ApiExternalNetwork}, '']} outputs: role_data: @@ -67,6 +91,7 @@ outputs: ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword} ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ec2api::policy::policies: {get_param: Ec2ApiPolicies} ec2api::api::enabled: true ec2api::package_manage: {get_param: EnablePackageInstall} ec2api::api::ec2api_listen: @@ -82,21 +107,31 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, Ec2ApiMetadataNetwork]} ec2api::db::database_connection: + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: ec2_api + password: {get_param: Ec2ApiPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /ec2_api + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + ec2api::api::keystone_ec2_tokens_url: list_join: - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://ec2_api:' - - {get_param: Ec2ApiPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/ec2_api' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} + - '/ec2tokens' - if: - nova_workers_zero - {} - ec2api::api::ec2api_workers: {get_param: Ec2ApiWorkers} ec2api::metadata::metadata_workers: {get_param: Ec2ApiWorkers} + - + if: + - external_network_unset + - ec2api::api::external_network: {get_param: NovaDefaultFloatingPool} + - ec2api::api::external_network: {get_param: Ec2ApiExternalNetwork} step_config: | include tripleo::profile::base::nova::ec2api service_config_settings: diff --git a/puppet/services/etcd.yaml b/puppet/services/etcd.yaml index 7cdd8451..2e87764d 100644 --- a/puppet/services/etcd.yaml +++ b/puppet/services/etcd.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Etcd service configured with Puppet @@ -13,18 +13,33 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json EtcdInitialClusterToken: - default: 'etcd-tripleo' description: Initial cluster token for the etcd cluster during bootstrap. type: string + hidden: true MonitoringSubscriptionEtcd: default: 'overcloud-etcd' type: string + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -33,27 +48,47 @@ outputs: service_name: etcd monitoring_subscription: {get_param: MonitoringSubscriptionEtcd} config_settings: - etcd::etcd_name: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} - # NOTE: bind IP is found in Heat replacing the network name with the local node IP - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - tripleo::profile::base::etcd::bind_ip: {get_param: [ServiceNetMap, EtcdNetwork]} - tripleo::profile::base::etcd::client_port: '2379' - tripleo::profile::base::etcd::peer_port: '2380' - etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken} - etcd::manage_package: false - tripleo.etcd.firewall_rules: - '141 etcd': - dport: - - 2379 - - 2380 + map_merge: + - + etcd::etcd_name: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + tripleo::profile::base::etcd::bind_ip: {get_param: [ServiceNetMap, EtcdNetwork]} + tripleo::profile::base::etcd::client_port: '2379' + tripleo::profile::base::etcd::peer_port: '2380' + etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken} + etcd::manage_package: false + tripleo.etcd.firewall_rules: + '141 etcd': + dport: + - 2379 + - 2380 + - + if: + - internal_tls_enabled + - generate_service_certificates: true + tripleo::profile::base::etcd::certificate_specs: + service_certificate: '/etc/pki/tls/certs/etcd.crt' + service_key: '/etc/pki/tls/private/etcd.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} + principal: + str_replace: + template: "etcd/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} + - {} step_config: | include ::tripleo::profile::base::etcd upgrade_tasks: @@ -71,3 +106,11 @@ outputs: - name: Stop etcd service tags: step2 service: name=etcd state=stopped + metadata_settings: + if: + - internal_tls_enabled + - + - service: etcd + network: {get_param: [ServiceNetMap, EtcdNetwork]} + type: node + - null diff --git a/puppet/services/external-swift-proxy.yaml b/puppet/services/external-swift-proxy.yaml new file mode 100644 index 00000000..206536d7 --- /dev/null +++ b/puppet/services/external-swift-proxy.yaml @@ -0,0 +1,78 @@ +heat_template_version: pike + +description: > + External Swift Proxy endpoint configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ExternalPublicUrl: + description: Public endpoint url for the external swift proxy + type: string + ExternalInternalUrl: + description: Internal endpoint url for the external swift proxy + type: string + ExternalAdminUrl: + description: External endpoint url for the external swift proxy + type: string + ExternalSwiftUserTenant: + description: Tenant where swift user will be set as admin + type: string + default: 'service' + SwiftPassword: + description: The password for the swift service account, used by the swift proxy services. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +resources: + +outputs: + role_data: + description: Role data for External Swift proxy. + value: + service_name: external_swift_proxy + config_settings: + + step_config: + + service_config_settings: + keystone: + swift::keystone::auth::public_url: {get_param: ExternalPublicUrl} + swift::keystone::auth::internal_url: {get_param: ExternalInternalUrl} + swift::keystone::auth::admin_url: {get_param: ExternalAdminUrl} + swift::keystone::auth::public_url_s3: '' + swift::keystone::auth::internal_url_s3: '' + swift::keystone::auth::admin_url_s3: '' + swift::keystone::auth::password: {get_param: SwiftPassword} + swift::keystone::auth::region: {get_param: KeystoneRegion} + swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant} + swift::keystone::auth::configure_s3_endpoint: false + swift::keystone::auth::operator_roles: + - admin + - swiftoperator + - ResellerAdmin + diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index ce389dc1..28151744 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Glance API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -48,9 +56,78 @@ parameters: EnableInternalTLS: type: boolean default: false + CephClientUserName: + default: openstack + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + GlanceNotifierStrategy: + description: Strategy to use for Glance notification queue + type: string + default: noop + GlanceLogFile: + description: The filepath of the file to use for logging messages from Glance. + type: string + default: '' + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] + GlanceNfsEnabled: + default: false + description: > + When using GlanceBackend 'file', mount NFS share for image storage. + type: boolean + GlanceNfsShare: + default: '' + description: > + NFS share to mount for image storage (when GlanceNfsEnabled is true) + type: string + GlanceNfsOptions: + default: 'intr,context=system_u:object_r:glance_var_lib_t:s0' + description: > + NFS mount options for image storage (when GlanceNfsEnabled is true) + type: string + GlanceRbdPoolName: + default: images + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + GlanceApiPolicies: + description: | + A hash of policies to configure for Glance API. + e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']} resources: @@ -60,15 +137,10 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} - GlanceBase: - type: ./glance-base.yaml - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - outputs: role_data: description: Role data for the Glance API role. @@ -80,33 +152,34 @@ outputs: - glance config_settings: map_merge: - - get_attr: [GlanceBase, role_data, config_settings] - get_attr: [TLSProxyBase, role_data, config_settings] - glance::api::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: glance + password: {get_param: GlancePassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /glance + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} - glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false glance::api::enable_v2_api: true glance::api::authtoken::password: {get_param: GlancePassword} glance::api::enable_proxy_headers_parsing: true glance::api::debug: {get_param: Debug} - glance::api::workers: {get_param: GlanceWorkers} + glance::policy::policies: {get_param: GlanceApiPolicies} tripleo.glance_api.firewall_rules: '112 glance_api': dport: - 9292 - 13292 glance::api::authtoken::project_name: 'service' + glance::keystone::authtoken::user_domain_name: 'Default' + glance::keystone::authtoken::project_domain_name: 'Default' glance::api::pipeline: 'keystone' glance::api::show_image_direct_url: true # NOTE: bind IP is found in Heat replacing the network name with the @@ -132,10 +205,47 @@ outputs: - use_tls_proxy - 'localhost' - {get_param: [ServiceNetMap, GlanceApiNetwork]} + glance_notifier_strategy: {get_param: GlanceNotifierStrategy} + glance_log_file: {get_param: GlanceLogFile} + glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] } + glance::backend::swift::swift_store_user: service:glance + glance::backend::swift::swift_store_key: {get_param: GlancePassword} + glance::backend::swift::swift_store_create_container_on_put: true + glance::backend::swift::swift_store_auth_version: 3 + glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} + glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} + glance_backend: {get_param: GlanceBackend} + glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} + glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} + glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} + glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + glance::notify::rabbitmq::notification_driver: messagingv2 + tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} + tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} + tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} + - + if: + - glance_workers_unset + - {} + - glance::api::workers: {get_param: GlanceWorkers} + service_config_settings: + keystone: + glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} + glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} + glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} + glance::keystone::auth::password: {get_param: GlancePassword } + glance::keystone::auth::region: {get_param: KeystoneRegion} + glance::keystone::auth::tenant: 'service' + mysql: + glance::db::mysql::password: {get_param: GlancePassword} + glance::db::mysql::user: glance + glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + glance::db::mysql::dbname: glance + glance::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" step_config: | include ::tripleo::profile::base::glance::api - service_config_settings: - get_attr: [GlanceBase, role_data, service_config_settings] upgrade_tasks: - name: Check if glance_api is deployed command: systemctl is-enabled openstack-glance-api diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml deleted file mode 100644 index f5548982..00000000 --- a/puppet/services/glance-base.yaml +++ /dev/null @@ -1,126 +0,0 @@ -heat_template_version: ocata - -description: > - OpenStack Glance Common settings with Puppet - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - CephClientUserName: - default: openstack - type: string - Debug: - default: '' - description: Set to True to enable debugging on all services. - type: string - GlanceNotifierStrategy: - description: Strategy to use for Glance notification queue - type: string - default: noop - GlanceLogFile: - description: The filepath of the file to use for logging messages from Glance. - type: string - default: '' - GlancePassword: - description: The password for the glance service and db account, used by the glance services. - type: string - hidden: true - GlanceBackend: - default: swift - description: The short name of the Glance backend to use. Should be one - of swift, rbd, or file - type: string - constraints: - - allowed_values: ['swift', 'file', 'rbd'] - GlanceNfsEnabled: - default: false - description: > - When using GlanceBackend 'file', mount NFS share for image storage. - type: boolean - GlanceNfsShare: - default: '' - description: > - NFS share to mount for image storage (when GlanceNfsEnabled is true) - type: string - GlanceNfsOptions: - default: 'intr,context=system_u:object_r:glance_var_lib_t:s0' - description: > - NFS mount options for image storage (when GlanceNfsEnabled is true) - type: string - GlanceRbdPoolName: - default: images - type: string - RabbitPassword: - description: The password for RabbitMQ - type: string - hidden: true - RabbitUserName: - default: guest - description: The username for RabbitMQ - type: string - RabbitClientPort: - default: 5672 - description: Set rabbit subscriber port, change this if using SSL - type: number - RabbitClientUseSSL: - default: false - description: > - Rabbit client subscriber parameter to specify - an SSL connection to the RabbitMQ host. - type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint - -outputs: - role_data: - description: Role data for the Glance common role. - value: - service_name: glance_base - config_settings: - glance_notifier_strategy: {get_param: GlanceNotifierStrategy} - glance_log_file: {get_param: GlanceLogFile} - glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::backend::swift::swift_store_user: service:glance - glance::backend::swift::swift_store_key: {get_param: GlancePassword} - glance::backend::swift::swift_store_create_container_on_put: true - glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} - glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} - glance_backend: {get_param: GlanceBackend} - glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} - glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} - glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} - glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - glance::notify::rabbitmq::notification_driver: messagingv2 - tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} - tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} - tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} - service_config_settings: - keystone: - glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} - glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} - glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} - glance::keystone::auth::password: {get_param: GlancePassword } - glance::keystone::auth::region: {get_param: KeystoneRegion} - glance::keystone::auth::tenant: 'service' - mysql: - glance::db::mysql::password: {get_param: GlancePassword} - glance::db::mysql::user: glance - glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - glance::db::mysql::dbname: glance - glance::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 08a939a6..2411d42d 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Gnocchi service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -44,6 +52,12 @@ parameters: EnableInternalTLS: type: boolean default: false + GnocchiApiPolicies: + description: | + A hash of policies to configure for Gnocchi API. + e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -53,6 +67,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} ApacheServiceBase: type: ./apache.yaml @@ -60,6 +76,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} outputs: @@ -83,10 +101,13 @@ outputs: gnocchi::api::enabled: true gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' - gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + gnocchi::policy::policies: {get_param: GnocchiApiPolicies} + gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} gnocchi::keystone::authtoken::project_name: 'service' + gnocchi::keystone::authtoken::user_domain_name: 'Default' + gnocchi::keystone::authtoken::project_domain_name: 'Default' gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS} gnocchi::wsgi::apache::servername: str_replace: @@ -103,10 +124,6 @@ outputs: # internal_api_subnet - > IP/CIDR gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi' - - gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri]} step_config: | include ::tripleo::profile::base::gnocchi::api service_config_settings: @@ -128,6 +145,12 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - - name: Stop gnocchi_api service (running under httpd) - tags: step1 - service: name=httpd state=stopped + yaql: + expression: $.data.apache_upgrade + $.data.gnocchi_api_upgrade + data: + apache_upgrade: + get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + gnocchi_api_upgrade: + - name: Stop gnocchi_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index c6310056..d62c349e 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Gnocchi service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -22,6 +30,10 @@ parameters: default: 'mysql' description: The short name of the Gnocchi indexer backend to use. type: string + MetricProcessingDelay: + default: 60 + description: Delay between processing metrics. + type: number GnocchiPassword: description: The password for the gnocchi service and db account. type: string @@ -32,10 +44,6 @@ parameters: CephClientUserName: default: openstack type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint RedisPassword: description: The password for the redis service account. type: string @@ -59,19 +67,21 @@ outputs: gnocchi_redis_password: {get_param: RedisPassword} gnocchi::debug: {get_param: Debug} gnocchi::db::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://gnocchi:' - - {get_param: GnocchiPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/gnocchi' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: gnocchi + password: {get_param: GnocchiPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /gnocchi + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo gnocchi::db::sync::extra_opts: '--skip-storage' + gnocchi::storage::metric_processing_delay: {get_param: MetricProcessingDelay} gnocchi::storage::swift::swift_user: 'service:gnocchi' - gnocchi::storage::swift::swift_auth_version: 2 + gnocchi::storage::swift::swift_auth_version: 3 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} + gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneV3Internal, uri]} gnocchi::storage::ceph::ceph_pool: {get_param: GnocchiRbdPoolName} gnocchi::storage::ceph::ceph_username: {get_param: CephClientUserName} gnocchi::storage::ceph::ceph_keyring: diff --git a/puppet/services/gnocchi-metricd.yaml b/puppet/services/gnocchi-metricd.yaml index 9d76c2e7..5ada99fa 100644 --- a/puppet/services/gnocchi-metricd.yaml +++ b/puppet/services/gnocchi-metricd.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Gnocchi service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -33,6 +41,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml index bb8d3bce..5ba1dfc7 100644 --- a/puppet/services/gnocchi-statsd.yaml +++ b/puppet/services/gnocchi-statsd.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Gnocchi service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml index ae226163..1866bb97 100644 --- a/puppet/services/haproxy-internal-tls-certmonger.yaml +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > HAProxy deployment with TLS enabled, powered by certmonger @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml index 6013b026..7ebacdbc 100644 --- a/puppet/services/haproxy-public-tls-certmonger.yaml +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > HAProxy deployment with TLS enabled, powered by certmonger @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index bd5b9ef6..a71491c0 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > HAproxy service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -37,6 +45,11 @@ parameters: MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. resources: @@ -46,6 +59,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} HAProxyInternalTLS: type: OS::TripleO::Services::HAProxyInternalTLS @@ -53,6 +68,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -71,6 +88,7 @@ outputs: tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile} tripleo::profile::base::haproxy::certificates_specs: map_merge: - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] @@ -96,8 +114,6 @@ outputs: when: haproxy_enabled.rc == 0 service: name=haproxy state=started metadata_settings: - yaql: - expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))' - data: - public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} - internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]} + list_concat: + - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} + - {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]} diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index 483f0a45..92d73cfb 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Heat CloudFormation API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -38,14 +46,33 @@ parameters: default: tag: openstack.heat.api.cfn path: /var/log/heat/heat-api-cfn.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]} resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} + HeatBase: type: ./heat-base.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -59,19 +86,32 @@ outputs: config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] - - heat::api_cfn::workers: {get_param: HeatWorkers} - tripleo.heat_api_cfn.firewall_rules: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - tripleo.heat_api_cfn.firewall_rules: '125 heat_cfn': dport: - 8000 - 13800 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): + heat::api_cfn::bind_host: {get_param: [ServiceNetMap, HeatApiCfnNetwork]} + heat::wsgi::apache_api_cfn::ssl: {get_param: EnableInternalTLS} + heat::api_cfn::service_name: 'httpd' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - heat::api_cfn::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api_cfn::bind_host: {get_param: [ServiceNetMap, HeatApiCfnNetwork]} + heat::wsgi::apache_api_cfn::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, HeatApiCfnNetwork]} + - + if: + - heat_workers_zero + - {} + - heat::wsgi::apache_api_cfn::workers: {get_param: HeatWorkers} step_config: | include ::tripleo::profile::base::heat::api_cfn service_config_settings: @@ -94,7 +134,16 @@ outputs: shell: /usr/bin/systemctl show 'openstack-heat-api-cfn' --property ActiveState | grep '\bactive\b' when: heat_api_cfn_enabled.rc == 0 tags: step0,validation - - name: Stop heat_api_cfn service + - name: check for heat_api_cfn running under apache (post upgrade) tags: step1 - when: heat_api_cfn_enabled.rc == 0 - service: name=openstack-heat-api-cfn state=stopped + shell: "httpd -t -D DUMP_VHOSTS | grep -q heat_api_cfn_wsgi" + register: heat_api_cfn_apache + ignore_errors: true + - name: Stop heat_api_cfn service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: heat_api_cfn_apache.rc == 0 + - name: Stop and disable heat_api_cfn service (pre-upgrade not under httpd) + tags: step1 + when: heat_api_cfn_apache.rc == 0 + service: name=openstack-heat-api-cfn state=stopped enabled=no diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml index 8879bcb2..a740d201 100644 --- a/puppet/services/heat-api-cloudwatch.yaml +++ b/puppet/services/heat-api-cloudwatch.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Heat CloudWatch API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -30,14 +38,33 @@ parameters: default: tag: openstack.heat.api.cloudwatch path: /var/log/heat/heat-api-cloudwatch.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]} resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} + HeatBase: type: ./heat-base.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -51,19 +78,34 @@ outputs: config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] - - heat::api_cloudwatch::workers: {get_param: HeatWorkers} - tripleo.heat_api_cloudwatch.firewall_rules: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - tripleo.heat_api_cloudwatch.firewall_rules: '125 heat_cloudwatch': dport: - 8003 - 13003 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): + heat::api_cloudwatch::bind_host: + get_param: [ServiceNetMap, HeatApiCloudwatchNetwork] + heat::wsgi::apache_api_cloudwatch::ssl: {get_param: EnableInternalTLS} + heat::api_cloudwatch::service_name: 'httpd' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - heat::api_cloudwatch::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api_cloudwatch::bind_host: + get_param: [ServiceNetMap, HeatApiCloudwatchNetwork] + heat::wsgi::apache_api_cloudwatch::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, HeatApiCloudwatchNetwork]} + - + if: + - heat_workers_zero + - {} + - heat::wsgi::apache_api_cloudwatch::workers: {get_param: HeatWorkers} step_config: | include ::tripleo::profile::base::heat::api_cloudwatch upgrade_tasks: @@ -76,7 +118,16 @@ outputs: shell: /usr/bin/systemctl show 'openstack-heat-api-cloudwatch' --property ActiveState | grep '\bactive\b' when: heat_api_cloudwatch_enabled.rc == 0 tags: step0,validation - - name: Stop heat_api_cloudwatch service + - name: check for heat_api_cloudwatch running under apache (post upgrade) + tags: step1 + shell: "httpd -t -D DUMP_VHOSTS | grep -q heat_api_cloudwatch_wsgi" + register: heat_api_cloudwatch_apache + ignore_errors: true + - name: Stop heat_api_cloudwatch service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: heat_api_cloudwatch_apache.rc == 0 + - name: Stop and disable heat_api_cloudwatch service (pre-upgrade not under httpd) tags: step1 when: heat_api_cloudwatch_enabled.rc == 0 - service: name=openstack-heat-api-cloudwatch state=stopped + service: name=openstack-heat-api-cloudwatch state=stopped enabled=no diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 2464011b..ced7f0c4 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Heat API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -38,14 +46,39 @@ parameters: default: tag: openstack.heat.api path: /var/log/heat/heat-api.log + EnableInternalTLS: + type: boolean + default: false + HeatApiPolicies: + description: | + A hash of policies to configure for Heat API. + e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json + +conditions: + heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]} resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} + HeatBase: type: ./heat-base.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -59,19 +92,33 @@ outputs: config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] - - heat::api::workers: {get_param: HeatWorkers} - tripleo.heat_api.firewall_rules: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - tripleo.heat_api.firewall_rules: '125 heat_api': dport: - 8004 - 13004 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): + heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} + heat::policy::policies: {get_param: HeatApiPolicies} + heat::api::service_name: 'httpd' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} + heat::wsgi::apache_api::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]} + - + if: + - heat_workers_zero + - {} + - heat::wsgi::apache_api::workers: {get_param: HeatWorkers} step_config: | include ::tripleo::profile::base::heat::api service_config_settings: @@ -94,7 +141,16 @@ outputs: shell: /usr/bin/systemctl show 'openstack-heat-api' --property ActiveState | grep '\bactive\b' when: heat_api_enabled.rc == 0 tags: step0,validation - - name: Stop heat_api service + - name: check for heat_api running under apache (post upgrade) + tags: step1 + shell: "httpd -t -D DUMP_VHOSTS | grep -q heat_api_wsgi" + register: heat_api_apache + ignore_errors: true + - name: Stop heat_api service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: heat_api_apache.rc == 0 + - name: Stop and disable heat_api service (pre-upgrade not under httpd) tags: step1 when: heat_api_enabled.rc == 0 - service: name=openstack-heat-api state=stopped + service: name=openstack-heat-api state=stopped enabled=no diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml index e83a9edd..dfd823db 100644 --- a/puppet/services/heat-base.yaml +++ b/puppet/services/heat-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Heat base service. Shared for all Heat services. @@ -39,6 +39,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -125,7 +133,9 @@ outputs: value: 'role:admin' heat::rabbit_heartbeat_timeout_threshold: 60 heat::keystone::authtoken::project_name: 'service' - heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + heat::keystone::authtoken::user_domain_name: 'Default' + heat::keystone::authtoken::project_domain_name: 'Default' + heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } heat::keystone::authtoken::password: {get_param: HeatPassword} heat::keystone::domain::domain_name: 'heat_stack' diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index a166f3a7..1d5f054b 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Heat Engine service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -65,6 +73,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -84,35 +94,33 @@ outputs: heat::engine::max_nested_stack_depth: 6 heat::engine::max_resources_per_stack: {get_param: HeatMaxResourcesPerStack} heat::engine::heat_metadata_server_url: - list_join: - - '' - - - {get_param: [EndpointMap, HeatCfnPublic, protocol]} - - '://' - - {get_param: [EndpointMap, HeatCfnPublic, host]} - - ':' - - {get_param: [EndpointMap, HeatCfnPublic, port]} + make_url: + scheme: {get_param: [EndpointMap, HeatCfnPublic, protocol]} + host: {get_param: [EndpointMap, HeatCfnPublic, host]} + port: {get_param: [EndpointMap, HeatCfnPublic, port]} heat::engine::heat_waitcondition_server_url: - list_join: - - '' - - - {get_param: [EndpointMap, HeatCfnPublic, protocol]} - - '://' - - {get_param: [EndpointMap, HeatCfnPublic, host]} - - ':' - - {get_param: [EndpointMap, HeatCfnPublic, port]} - - '/v1/waitcondition' + make_url: + scheme: {get_param: [EndpointMap, HeatCfnPublic, protocol]} + host: {get_param: [EndpointMap, HeatCfnPublic, host]} + port: {get_param: [EndpointMap, HeatCfnPublic, port]} + path: /v1/waitcondition heat::engine::convergence_engine: {get_param: HeatConvergenceEngine} tripleo::profile::base::heat::manage_db_purge: {get_param: HeatEnableDBPurge} heat::database_connection: + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: heat + password: {get_param: HeatPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /heat + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + heat::keystone_ec2_uri: list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://heat:' - - {get_param: HeatPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/heat' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' - heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} + - '' + - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} + - '/ec2tokens' heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword} heat::engine::auth_encryption_key: yaql: diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index 60b009a8..2914ee24 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Horizon service configured with Puppet @@ -17,6 +17,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -40,6 +48,10 @@ parameters: type: string hidden: true default: '' + HorizonSecureCookies: + description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon + type: boolean + default: true MemcachedIPv6: default: false description: Enable IPv6 features in Memcached. @@ -78,7 +90,7 @@ outputs: access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' options: ['FollowSymLinks','MultiViews'] horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} - horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} horizon::password_validator: {get_param: [HorizonPasswordValidator]} horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: @@ -88,6 +100,7 @@ outputs: passwords: - {get_param: HorizonSecret} - {get_param: [DefaultPasswords, horizon_secret]} + horizon::secure_cookies: {get_param: [HorizonSecureCookies]} memcached_ipv6: {get_param: MemcachedIPv6} - if: diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index 7aab6f8d..945033a1 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ironic API configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + IronicApiPolicies: + description: | + A hash of policies to configure for Ironic API. + e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: IronicBase: @@ -37,6 +51,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -49,8 +65,10 @@ outputs: - get_attr: [IronicBase, role_data, config_settings] - ironic::api::authtoken::password: {get_param: IronicPassword} ironic::api::authtoken::project_name: 'service' + ironic::api::authtoken::user_domain_name: 'Default' + ironic::api::authtoken::project_domain_name: 'Default' ironic::api::authtoken::username: 'ironic' - ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples @@ -62,6 +80,7 @@ outputs: ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]} # This is used to build links in responses ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} + ironic::policy::policies: {get_param: IronicApiPolicies} tripleo.ironic_api.firewall_rules: '133 ironic api': dport: diff --git a/puppet/services/ironic-base.yaml b/puppet/services/ironic-base.yaml index d186b047..da485161 100644 --- a/puppet/services/ironic-base.yaml +++ b/puppet/services/ironic-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ironic services configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -52,15 +60,15 @@ outputs: service_name: ironic_base config_settings: ironic::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://ironic:' - - {get_param: IronicPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/ironic' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: ironic + password: {get_param: IronicPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /ironic + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo ironic::debug: {get_param: Debug} ironic::rabbit_userid: {get_param: RabbitUserName} ironic::rabbit_password: {get_param: RabbitPassword} diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index f9547bef..76b1bf3d 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Ironic conductor configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -32,10 +40,30 @@ parameters: created yet) and should be changed to an actual UUID in a post-deployment stack update. type: string + IronicDefaultBootOption: + default: 'local' + description: How to boot the bare metal instances. Set to 'local' (the + default) to use local bootloader (requires grub2 for partition + images). Set to 'netboot' to make the instances boot from + controllers using PXE/iPXE. + type: string + IronicDefaultNetworkInterface: + default: 'flat' + description: Network interface implementation to use by default. + Set to "flat" (the default) to use one flat provider network. + Set to "neutron" to make Ironic interact with the Neutron + ML2 driver to enable other network types and certain + advances networking features. Requires + IronicProvisioningNetwork to be correctly set. + type: string IronicEnabledDrivers: default: ['pxe_ipmitool', 'pxe_drac', 'pxe_ilo'] description: Enabled Ironic drivers type: comma_delimited_list + IronicEnabledHardwareTypes: + default: ['ipmi'] + description: Enabled Ironic hardware types + type: comma_delimited_list IronicIPXEEnabled: default: true description: Whether to use iPXE instead of PXE for deployment. @@ -44,6 +72,19 @@ parameters: default: 8088 description: Port to use for serving images when iPXE is used. type: string + IronicPassword: + description: The password for the Ironic service and db account, used by the Ironic services + type: string + hidden: true + IronicProvisioningNetwork: + default: 'provisioning' + description: Name or UUID of the *overcloud* network used for provisioning + of bare metal nodes, if IronicDefaultNetworkInterface is + set to "neutron". The default value of "provisioning" can be + left during the initial deployment (when no networks are + created yet) and should be changed to an actual UUID in + a post-deployment stack update. + type: string MonitoringSubscriptionIronicConductor: default: 'overcloud-ironic-conductor' type: string @@ -55,6 +96,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -65,12 +108,13 @@ outputs: config_settings: map_merge: - get_attr: [IronicBase, role_data, config_settings] - # FIXME: I have no idea why neutron_url is in "api" manifest - - ironic::api::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} - ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} + - ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} ironic::conductor::cleaning_disk_erase: {get_param: IronicCleaningDiskErase} ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork} + ironic::conductor::provisioning_network: {get_param: IronicProvisioningNetwork} + ironic::conductor::default_boot_option: {get_param: IronicDefaultBootOption} ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers} + ironic::conductor::enabled_hardware_types: {get_param: IronicEnabledHardwareTypes} # We need an endpoint containing a real IP, not a VIP here ironic_conductor_http_host: {get_param: [ServiceNetMap, IronicNetwork]} ironic::conductor::http_url: @@ -91,6 +135,9 @@ outputs: # NOTE(dtantsur): UEFI only works with iPXE currently for us ironic::drivers::pxe::uefi_pxe_config_template: '$pybasedir/drivers/modules/ipxe_config.template' ironic::drivers::pxe::uefi_pxe_bootfile_name: 'ipxe.efi' + ironic::drivers::interfaces::enabled_console_interfaces: ['ipmitool-socat', 'no-console'] + ironic::drivers::interfaces::enabled_network_interfaces: ['flat', 'neutron'] + ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface} tripleo.ironic_conductor.firewall_rules: '134 ironic conductor TFTP': dport: 69 @@ -104,7 +151,40 @@ outputs: # the VIP, but rather a real IP of the host. ironic::my_ip: {get_param: [ServiceNetMap, IronicNetwork]} ironic::pxe::common::http_port: {get_param: IronicIPXEPort} - + # Credentials to access other services + ironic::glance::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::glance::username: 'ironic' + ironic::glance::password: {get_param: IronicPassword} + ironic::glance::project_name: 'service' + ironic::glance::user_domain_name: 'Default' + ironic::glance::project_domain_name: 'Default' + ironic::neutron::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::neutron::username: 'ironic' + ironic::neutron::password: {get_param: IronicPassword} + ironic::neutron::project_name: 'service' + ironic::neutron::user_domain_name: 'Default' + ironic::neutron::project_domain_name: 'Default' + ironic::service_catalog::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::service_catalog::username: 'ironic' + ironic::service_catalog::password: {get_param: IronicPassword} + ironic::service_catalog::project_name: 'service' + ironic::service_catalog::user_domain_name: 'Default' + ironic::service_catalog::project_domain_name: 'Default' + ironic::swift::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::swift::username: 'ironic' + ironic::swift::password: {get_param: IronicPassword} + ironic::swift::project_name: 'service' + ironic::swift::user_domain_name: 'Default' + ironic::swift::project_domain_name: 'Default' + # ironic-inspector support is not implemented, but let's configure + # the credentials for consistency. + ironic::drivers::inspector::enabled: false + ironic::drivers::inspector::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::drivers::inspector::username: 'ironic' + ironic::drivers::inspector::password: {get_param: IronicPassword} + ironic::drivers::inspector::project_name: 'service' + ironic::drivers::inspector::user_domain_name: 'Default' + ironic::drivers::inspector::project_domain_name: 'Default' step_config: | include ::tripleo::profile::base::ironic::conductor upgrade_tasks: diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml index 38f9f3be..44e6b248 100644 --- a/puppet/services/keepalived.yaml +++ b/puppet/services/keepalived.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Keepalived service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -52,12 +60,12 @@ outputs: - tripleo.keepalived.firewall_rules: '106 keepalived vrrp': proto: vrrp - - + - if: - control_iface_empty - {} - tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface} - - + - if: - public_iface_empty - {} diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index fec455d1..3f9b0b7e 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Load kernel modules with kmod and configure kernel options with sysctl. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -22,6 +30,32 @@ parameters: default: 1048576 description: Configures sysctl kernel.pid_max key type: number + KernelDisableIPv6: + default: 0 + description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys + type: number + NeighbourGcThreshold1: + default: 1024 + description: Configures sysctl net.ipv4.neigh.default.gc_thresh1 value. + This is the minimum number of entries to keep in the ARP + cache. The garbage collector will not run if there are + fewer than this number of entries in the cache. + type: number + NeighbourGcThreshold2: + default: 2048 + description: Configures sysctl net.ipv4.neigh.default.gc_thresh2 value. + This is the soft maximum number of entries to keep in the + ARP cache. The garbage collector will allow the number of + entries to exceed this for 5 seconds before collection will + be performed. + type: number + NeighbourGcThreshold3: + default: 4096 + description: Configures sysctl net.ipv4.neigh.default.gc_thresh3 value. + This is the hard maximum number of entries to keep in the + ARP cache. The garbage collector will always run if there + are more than this number of entries in the cache. + type: number outputs: role_data: @@ -31,7 +65,7 @@ outputs: config_settings: kernel_modules: nf_conntrack: {} - ip_conntrack_proto_sctp: {} + nf_conntrack_proto_sctp: {} sysctl_settings: net.ipv4.tcp_keepalive_intvl: value: 1 @@ -39,10 +73,28 @@ outputs: value: 5 net.ipv4.tcp_keepalive_time: value: 5 + net.ipv4.conf.default.send_redirects: + value: 0 + net.ipv4.conf.all.send_redirects: + value: 0 + net.ipv4.conf.default.accept_redirects: + value: 0 + net.ipv4.conf.default.secure_redirects: + value: 0 + net.ipv4.conf.all.secure_redirects: + value: 0 + net.ipv4.conf.default.log_martians: + value: 1 + net.ipv4.conf.all.log_martians: + value: 1 net.nf_conntrack_max: value: 500000 net.netfilter.nf_conntrack_max: value: 500000 + net.ipv6.conf.default.disable_ipv6: + value: {get_param: KernelDisableIPv6} + net.ipv6.conf.all.disable_ipv6: + value: {get_param: KernelDisableIPv6} # prevent neutron bridges from autoconfiguring ipv6 addresses net.ipv6.conf.all.accept_ra: value: 0 @@ -52,9 +104,24 @@ outputs: value: 0 net.ipv6.conf.default.autoconf: value: 0 + net.ipv6.conf.default.accept_redirects: + value: 0 + net.ipv6.conf.all.accept_redirects: + value: 0 net.core.netdev_max_backlog: value: 10000 kernel.pid_max: value: {get_param: KernelPidMax} + kernel.dmesg_restrict: + value: 1 + fs.suid_dumpable: + value: 0 + #avoid neighbour table overflow on large deployments + net.ipv4.neigh.default.gc_thresh1: + value: {get_param: NeighbourGcThreshold1} + net.ipv4.neigh.default.gc_thresh2: + value: {get_param: NeighbourGcThreshold2} + net.ipv4.neigh.default.gc_thresh3: + value: {get_param: NeighbourGcThreshold3} step_config: | include ::tripleo::profile::base::kernel diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index f40c8d99..7262e478 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Keystone service configured with Puppet @@ -35,7 +35,7 @@ parameters: KeystoneTokenProvider: description: The keystone token format type: string - default: 'uuid' + default: 'fernet' constraints: - allowed_values: ['uuid', 'fernet'] ServiceNetMap: @@ -47,6 +47,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -119,27 +127,27 @@ parameters: Cron to purge expired tokens - Ensure default: 'present' KeystoneCronTokenFlushMinute: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Minute default: '1' KeystoneCronTokenFlushHour: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Hour - default: '0' + default: '*' KeystoneCronTokenFlushMonthday: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Month Day default: '*' KeystoneCronTokenFlushMonth: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Month default: '*' KeystoneCronTokenFlushWeekday: - type: string + type: comma_delimited_list description: > Cron to purge expired tokens - Week Day default: '*' @@ -158,6 +166,22 @@ parameters: description: > Cron to purge expired tokens - User default: 'keystone' + KeystonePolicies: + description: | + A hash of policies to configure for Keystone. + e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json + KeystoneLDAPDomainEnable: + description: Trigger to call ldap_backend puppet keystone define. + type: boolean + default: False + KeystoneLDAPBackendConfigs: + description: Hash containing the configurations for the LDAP backends + configured in keystone. + type: json + default: {} + hidden: true resources: @@ -167,10 +191,13 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} conditions: keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} + keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]} outputs: role_data: @@ -185,18 +212,19 @@ outputs: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] - keystone::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://keystone:' - - {get_param: AdminToken} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/keystone' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: keystone + password: {get_param: AdminToken} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /keystone + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo keystone::admin_token: {get_param: AdminToken} keystone::admin_password: {get_param: AdminPassword} keystone::roles::admin::password: {get_param: AdminPassword} + keystone::policy::policies: {get_param: KeystonePolicies} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::token_provider: {get_param: KeystoneTokenProvider} @@ -213,6 +241,7 @@ outputs: content: {get_param: KeystoneFernetKey0} '/etc/keystone/fernet-keys/1': content: {get_param: KeystoneFernetKey1} + keystone::fernet_replace_keys: false keystone::debug: {get_param: Debug} keystone::rabbit_userid: {get_param: RabbitUserName} keystone::rabbit_password: {get_param: RabbitPassword} @@ -232,7 +261,7 @@ outputs: keystone::cron::token_flush::maxdelay: 3600 keystone::roles::admin::service_tenant: 'service' keystone::roles::admin::admin_tenant: 'admin' - keystone::cron::token_flush::destination: '/dev/null' + keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log' keystone::config::keystone_config: ec2/driver: value: 'keystone.contrib.ec2.backends.sql.Ec2' @@ -293,6 +322,15 @@ outputs: keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay} keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination} keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser} + - + if: + - keystone_ldap_domain_enabled + - + tripleo::profile::base::keystone::ldap_backend_enable: True + keystone::using_domain_config: True + tripleo::profile::base::keystone::ldap_backends_config: + get_param: KeystoneLDAPBackendConfigs + - {} step_config: | include ::tripleo::profile::base::keystone @@ -305,10 +343,22 @@ outputs: keystone::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" - # Ansible tasks to handle upgrade - upgrade_tasks: - - name: Stop keystone service (running under httpd) - tags: step1 - service: name=httpd state=stopped + horizon: + if: + - keystone_ldap_domain_enabled + - + horizon::keystone_multidomain_support: true + horizon::keystone_default_domain: 'Default' + - {} metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + yaql: + expression: $.data.apache_upgrade + $.data.keystone_upgrade + data: + apache_upgrade: + get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + keystone_upgrade: + - name: Stop keystone service (running under httpd) + tags: step1 + service: name=httpd state=stopped diff --git a/puppet/services/logging/fluentd-base.yaml b/puppet/services/logging/fluentd-base.yaml index 65ad80ed..21049a9e 100644 --- a/puppet/services/logging/fluentd-base.yaml +++ b/puppet/services/logging/fluentd-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: Fluentd base service @@ -12,6 +12,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: > diff --git a/puppet/services/logging/fluentd-client.yaml b/puppet/services/logging/fluentd-client.yaml index 57595b82..e34f31fa 100644 --- a/puppet/services/logging/fluentd-client.yaml +++ b/puppet/services/logging/fluentd-client.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: Fluentd client configured with Puppet @@ -12,6 +12,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: > @@ -24,6 +32,8 @@ resources: type: ./fluentd-base.yaml properties: EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} diff --git a/puppet/services/logging/fluentd-config.yaml b/puppet/services/logging/fluentd-config.yaml index 68f98aff..9ade6419 100644 --- a/puppet/services/logging/fluentd-config.yaml +++ b/puppet/services/logging/fluentd-config.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: Fluentd logging configuration @@ -12,6 +12,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: > diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml index 7b78c82e..2710d789 100644 --- a/puppet/services/manila-api.yaml +++ b/puppet/services/manila-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Manila-api service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -37,6 +45,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -48,9 +58,11 @@ outputs: map_merge: - get_attr: [ManilaBase, role_data, config_settings] - manila::keystone::authtoken::password: {get_param: ManilaPassword} - manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + manila::keystone::authtoken::auth_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' + manila::keystone::authtoken::user_domain_name: 'Default' + manila::keystone::authtoken::project_domain_name: 'Default' tripleo.manila_api.firewall_rules: '150 manila': dport: diff --git a/puppet/services/manila-backend-cephfs.yaml b/puppet/services/manila-backend-cephfs.yaml index 36ef1ea9..f4c7a074 100644 --- a/puppet/services/manila-backend-cephfs.yaml +++ b/puppet/services/manila-backend-cephfs.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Manila Cephfs backend @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -39,7 +47,7 @@ parameters: default: 'ceph' ManilaCephFSNativeCephFSEnableSnapshots: type: boolean - default: true + default: false ManilaCephFSDataPoolName: default: manila_data type: string diff --git a/puppet/services/manila-backend-generic.yaml b/puppet/services/manila-backend-generic.yaml index 23831a6a..7be92399 100644 --- a/puppet/services/manila-backend-generic.yaml +++ b/puppet/services/manila-backend-generic.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Manila generic backend. @@ -58,6 +58,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} type: json diff --git a/puppet/services/manila-backend-netapp.yaml b/puppet/services/manila-backend-netapp.yaml index 1f6fcf4f..b1068488 100644 --- a/puppet/services/manila-backend-netapp.yaml +++ b/puppet/services/manila-backend-netapp.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Manila netapp backend. @@ -73,6 +73,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} type: json diff --git a/puppet/services/manila-base.yaml b/puppet/services/manila-base.yaml index c183bc08..a299fffa 100644 --- a/puppet/services/manila-base.yaml +++ b/puppet/services/manila-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Manila base service. Shared by manila-api/scheduler/share services @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -59,15 +67,15 @@ outputs: manila::db::database_db_max_retries: -1 manila::db::database_max_retries: -1 manila::sql_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://manila:' - - {get_param: ManilaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/manila' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: manila + password: {get_param: ManilaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /manila + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo service_config_settings: mysql: manila::db::mysql::password: {get_param: ManilaPassword} diff --git a/puppet/services/manila-scheduler.yaml b/puppet/services/manila-scheduler.yaml index c8114f2b..b3d1ffa2 100644 --- a/puppet/services/manila-scheduler.yaml +++ b/puppet/services/manila-scheduler.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Manila-scheduler service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -41,6 +49,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/manila-share.yaml b/puppet/services/manila-share.yaml index 6ac0d2cf..50d7f7c6 100644 --- a/puppet/services/manila-share.yaml +++ b/puppet/services/manila-share.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Manila-share service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -33,6 +41,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml index 146cc306..5b98e02b 100644 --- a/puppet/services/memcached.yaml +++ b/puppet/services/memcached.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Memcached service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/metrics/collectd.yaml b/puppet/services/metrics/collectd.yaml index 49b2d4c2..da77ef0e 100644 --- a/puppet/services/metrics/collectd.yaml +++ b/puppet/services/metrics/collectd.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: Collectd client service @@ -17,6 +17,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json CollectdDefaultPlugins: default: - disk @@ -70,7 +78,9 @@ parameters: CollectdSecurityLevel: type: string description: > - Security level setting for remote collectd connection. + Security level setting for remote collectd connection. If it is + set to Sign or Encrypt the CollectdPassword and CollectdUsername + parameters need to be set. default: 'None' constraints: - allowed_values: diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml index 1c7d6bd3..00406736 100644 --- a/puppet/services/mistral-api.yaml +++ b/puppet/services/mistral-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Mistral API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -22,6 +30,12 @@ parameters: default: 1 description: The number of workers for the mistral-api. type: number + MistralApiPolicies: + description: | + A hash of policies to configure for Mistral API. + e.g. { mistral-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: MistralBase: @@ -30,6 +44,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -41,6 +57,7 @@ outputs: - get_attr: [MistralBase, role_data, config_settings] - mistral::api::api_workers: {get_param: MistralWorkers} mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]} + mistral::policy::policies: {get_param: MistralApiPolicies} tripleo.mistral_api.firewall_rules: '133 mistral': dport: diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml index e1030346..2e708650 100644 --- a/puppet/services/mistral-base.yaml +++ b/puppet/services/mistral-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Mistral base service. Shared for all Mistral services. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -57,15 +65,15 @@ outputs: service_name: mistral_base config_settings: mistral::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://mistral:' - - {get_param: MistralPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/mistral' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: mistral + password: {get_param: MistralPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /mistral + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo mistral::rabbit_userid: {get_param: RabbitUserName} mistral::rabbit_password: {get_param: RabbitPassword} mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL} @@ -74,7 +82,11 @@ outputs: mistral::keystone_password: {get_param: MistralPassword} mistral::keystone_tenant: 'service' mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} + mistral::keystone_ec2_uri: + list_join: + - '' + - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} + - '/ec2tokens' mistral::identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} service_config_settings: keystone: diff --git a/puppet/services/mistral-engine.yaml b/puppet/services/mistral-engine.yaml index 03a2a55c..6a0fed1a 100644 --- a/puppet/services/mistral-engine.yaml +++ b/puppet/services/mistral-engine.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Mistral Engine service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -26,6 +34,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/mistral-executor.yaml b/puppet/services/mistral-executor.yaml index 0f6adb07..57f29dd4 100644 --- a/puppet/services/mistral-executor.yaml +++ b/puppet/services/mistral-executor.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Mistral API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -26,6 +34,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/monitoring/sensu-base.yaml b/puppet/services/monitoring/sensu-base.yaml index a8303a59..5e7e9940 100644 --- a/puppet/services/monitoring/sensu-base.yaml +++ b/puppet/services/monitoring/sensu-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: Sensu base service @@ -17,6 +17,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json MonitoringRabbitHost: description: RabbitMQ host Sensu has to connect to. type: string @@ -29,7 +37,18 @@ parameters: default: false description: > RabbitMQ client subscriber parameter to specify an SSL connection - to the RabbitMQ host. + to the RabbitMQ host. Set MonitoringRabbitUseSSL to true without + specifying a private key or cert chain to use SSL transport, + but not cert auth. + type: string + MonitoringRabbitSSLPrivateKey: + default: '' + description: Private key to be used by Sensu to connect to RabbitMQ host. + type: string + MonitoringRabbitSSLCertChain: + default: '' + description: > + Private SSL cert chain to be used by Sensu to connect to RabbitMQ host. type: string MonitoringRabbitPassword: description: The RabbitMQ password used for monitoring purposes. @@ -71,6 +90,8 @@ outputs: sensu::rabbitmq_password: {get_param: MonitoringRabbitPassword} sensu::rabbitmq_port: {get_param: MonitoringRabbitPort} sensu::rabbitmq_ssl: {get_param: MonitoringRabbitUseSSL} + sensu::rabbitmq_ssl_private_key: {get_param: MonitoringRabbitSSLPrivateKey} + sensu::rabbitmq_ssl_cert_chain: {get_param: MonitoringRabbitSSLCertChain} sensu::rabbitmq_user: {get_param: MonitoringRabbitUserName} sensu::rabbitmq_vhost: {get_param: MonitoringRabbitVhost} sensu::redact: {get_param: SensuRedactVariables} diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index aba2b1ed..25e2b947 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: Sensu client configured with Puppet @@ -12,6 +12,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: > @@ -38,6 +46,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -81,4 +91,4 @@ outputs: - name: Install sensu package if it was disabled tags: step3 yum: name=sensu state=latest - when: sensu_client.rc != 0 + when: sensu_client_enabled.rc != 0 diff --git a/puppet/services/network/contrail-analytics-database.yaml b/puppet/services/network/contrail-analytics-database.yaml index 67341ed3..9b78437b 100644 --- a/puppet/services/network/contrail-analytics-database.yaml +++ b/puppet/services/network/contrail-analytics-database.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Contrail Analytics Database service deployment using puppet, this YAML file @@ -16,6 +16,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-analytics.yaml b/puppet/services/network/contrail-analytics.yaml index e3e0ec4b..f85ba7cc 100644 --- a/puppet/services/network/contrail-analytics.yaml +++ b/puppet/services/network/contrail-analytics.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Contrail Analytics service deployment using puppet, this YAML file @@ -16,6 +16,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-base.yaml b/puppet/services/network/contrail-base.yaml index bc56a3ca..bdcdbb86 100644 --- a/puppet/services/network/contrail-base.yaml +++ b/puppet/services/network/contrail-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Base parameters for all Contrail Services. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/network/contrail-config.yaml b/puppet/services/network/contrail-config.yaml index 185b6094..feda5854 100644 --- a/puppet/services/network/contrail-config.yaml +++ b/puppet/services/network/contrail-config.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Contrail Config service deployment using puppet, this YAML file @@ -16,6 +16,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -37,6 +45,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-control.yaml b/puppet/services/network/contrail-control.yaml index 0964989b..f1108547 100644 --- a/puppet/services/network/contrail-control.yaml +++ b/puppet/services/network/contrail-control.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Contrail Control service deployment using puppet, this YAML file @@ -16,6 +16,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -37,6 +45,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-database.yaml b/puppet/services/network/contrail-database.yaml index b47c2c36..5ce25a2e 100644 --- a/puppet/services/network/contrail-database.yaml +++ b/puppet/services/network/contrail-database.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Contrail Database service deployment using puppet, this YAML file @@ -16,6 +16,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-heat.yaml b/puppet/services/network/contrail-heat.yaml index 4dfc6579..da86714e 100644 --- a/puppet/services/network/contrail-heat.yaml +++ b/puppet/services/network/contrail-heat.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Contrail Heat plugin adds Contrail specific heat resources enabling heat @@ -14,6 +14,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -27,6 +35,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-neutron-plugin.yaml b/puppet/services/network/contrail-neutron-plugin.yaml index 2f2ceb37..0c5e2a86 100644 --- a/puppet/services/network/contrail-neutron-plugin.yaml +++ b/puppet/services/network/contrail-neutron-plugin.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Opencontrail plugin @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -30,6 +38,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-provision.yaml b/puppet/services/network/contrail-provision.yaml index 765be9a9..8918f6da 100644 --- a/puppet/services/network/contrail-provision.yaml +++ b/puppet/services/network/contrail-provision.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Provision Contrail services after deployment @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -26,6 +34,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-tsn.yaml b/puppet/services/network/contrail-tsn.yaml index 88adc4a5..9d48e0e6 100644 --- a/puppet/services/network/contrail-tsn.yaml +++ b/puppet/services/network/contrail-tsn.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Contrail TSN Service @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -41,6 +49,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-vrouter.yaml b/puppet/services/network/contrail-vrouter.yaml index db9f0836..f03ed9c6 100644 --- a/puppet/services/network/contrail-vrouter.yaml +++ b/puppet/services/network/contrail-vrouter.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Compute OpenContrail plugin @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -27,7 +35,7 @@ parameters: description: vRouter physical interface type: string ContrailVrouterGateway: - default: '192.0.2.1' + default: '192.168.24.1' description: vRouter default gateway type: string ContrailVrouterNetmask: @@ -42,6 +50,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/network/contrail-webui.yaml b/puppet/services/network/contrail-webui.yaml index 3786cdd1..f723e6a8 100644 --- a/puppet/services/network/contrail-webui.yaml +++ b/puppet/services/network/contrail-webui.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Contrail WebUI service deployment using puppet, this YAML file @@ -16,6 +16,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index bb191ff0..8e1e0b80 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Server configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -21,13 +29,13 @@ parameters: NeutronWorkers: default: '' description: | - Sets the number of API and RPC workers for the Neutron service. The - default value results in the configuration being left unset and a - system-dependent default will be chosen (usually the number of - processors). Please note that this can result in a large number of - processes and memory consumption on systems with a large core count. On - such systems it is recommended that a non-default value be selected that - matches the load requirements. + Sets the number of API and RPC workers for the Neutron service. + The default value results in the configuration being left unset + and a system-dependent default will be chosen (usually the number + of processors). Please note that this can result in a large number + of processes and memory consumption on systems with a large core + count. On such systems it is recommended that a non-default value + be selected that matches the load requirements. type: string NeutronPassword: description: The password for the neutron service and db account, used by neutron agents. @@ -57,6 +65,15 @@ parameters: default: tag: openstack.neutron.api path: /var/log/neutron/server.log + EnableInternalTLS: + type: boolean + default: false + NeutronApiPolicies: + description: | + A hash of policies to configure for Neutron API. + e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. @@ -71,10 +88,6 @@ parameters: removed in Ocata. Future releases will enable L3 HA by default if it is appropriate for the deployment type. Alternate mechanisms will be available to override. - EnableInternalTLS: - type: boolean - default: false - parameter_groups: - label: deprecated description: | @@ -87,6 +100,7 @@ parameter_groups: conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']} resources: @@ -96,6 +110,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} NeutronBase: @@ -104,6 +120,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -119,27 +137,28 @@ outputs: - get_attr: [NeutronBase, role_data, config_settings] - get_attr: [TLSProxyBase, role_data, config_settings] - neutron::server::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://neutron:' - - {get_param: NeutronPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/ovs_neutron' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' - neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: neutron + password: {get_param: NeutronPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /ovs_neutron + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + neutron::policy::policies: {get_param: NeutronApiPolicies} + neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - neutron::server::api_workers: {get_param: NeutronWorkers} - neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} neutron::server::enable_proxy_headers_parsing: true neutron::keystone::authtoken::password: {get_param: NeutronPassword} - neutron::server::notifications::auth_url: { get_param: [ EndpointMap, KeystoneV3Admin, uri ] } + neutron::server::notifications::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] } neutron::server::notifications::tenant_name: 'service' neutron::server::notifications::project_name: 'service' neutron::server::notifications::password: {get_param: NovaPassword} neutron::keystone::authtoken::project_name: 'service' + neutron::keystone::authtoken::user_domain_name: 'Default' + neutron::keystone::authtoken::project_domain_name: 'Default' neutron::server::sync_db: true tripleo.neutron_api.firewall_rules: '114 neutron api': @@ -147,6 +166,7 @@ outputs: - 9696 - 13696 neutron::server::router_distributed: {get_param: NeutronEnableDVR} + neutron::server::enable_dvr: {get_param: NeutronEnableDVR} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP @@ -170,6 +190,12 @@ outputs: - 'localhost' - {get_param: [ServiceNetMap, NeutronApiNetwork]} tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA} + - + if: + - neutron_workers_unset + - {} + - neutron::server::api_workers: {get_param: NeutronWorkers} + neutron::server::rpc_workers: {get_param: NeutronWorkers} step_config: | include tripleo::profile::base::neutron::server service_config_settings: @@ -202,3 +228,5 @@ outputs: tags: step1 when: neutron_server_enabled.rc == 0 service: name=neutron-server state=stopped + metadata_settings: + get_attr: [TLSProxyBase, role_data, metadata_settings] diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 55361939..57581b58 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron base service. Shared for all Neutron agents. @@ -22,10 +22,18 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + DatabaseSyncTimeout: + default: 300 + description: DB Sync Timeout default + type: number NeutronDhcpAgentsPerNetwork: type: number default: 0 description: The number of neutron dhcp agents to schedule per network + NeutronDnsDomain: + type: string + default: openstacklocal + description: Domain to use for building the hostnames. NeutronCorePlugin: default: 'ml2' description: | @@ -44,10 +52,10 @@ parameters: description: Set to True to enable debugging on all services. EnableConfigPurge: type: boolean - default: true + default: false description: > - Remove configuration that is not generated by TripleO. Setting - to false may result in configuration remnants after updates/upgrades. + Remove configuration that is not generated by TripleO. Used to avoid + configuration remnants after upgrades. NeutronGlobalPhysnetMtu: type: number default: 1500 @@ -66,6 +74,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -91,10 +107,12 @@ outputs: neutron::debug: {get_param: Debug} neutron::purge_config: {get_param: EnableConfigPurge} neutron::allow_overlapping_ips: true + neutron::dns_domain: {get_param: NeutronDnsDomain} neutron::rabbit_heartbeat_timeout_threshold: 60 neutron::host: '%{::fqdn}' neutron::db::database_db_max_retries: -1 neutron::db::database_max_retries: -1 + neutron::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu} - if: - dhcp_agents_zero diff --git a/puppet/services/neutron-bgpvpn-api.yaml b/puppet/services/neutron-bgpvpn-api.yaml new file mode 100644 index 00000000..a70337d1 --- /dev/null +++ b/puppet/services/neutron-bgpvpn-api.yaml @@ -0,0 +1,42 @@ +heat_template_version: pike + +description: > + BGPVPN API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + BgpvpnServiceProvider: + default: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default' + description: Backend to use as a service provider for BGPVPN + type: string + +outputs: + role_data: + description: Role data for the BGPVPN role. + value: + service_name: neutron_bgpvpn_api + config_settings: + neutron::services::bgpvpn::service_providers: {get_param: BgpvpnServiceProvider} + step_config: | + include ::tripleo::profile::base::neutron::bgpvpn diff --git a/puppet/services/neutron-bigswitch-agent.yaml b/puppet/services/neutron-bigswitch-agent.yaml new file mode 100644 index 00000000..3faf7887 --- /dev/null +++ b/puppet/services/neutron-bigswitch-agent.yaml @@ -0,0 +1,37 @@ +heat_template_version: pike + +description: > + Installs bigswitch agent and enables the services + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + + +outputs: + role_data: + description: Configure the bigswitch agent services + value: + service_name: neutron_bigswitch_agent + step_config: | + include ::tripleo::profile::base::neutron::agents::bigswitch diff --git a/puppet/services/neutron-compute-plugin-midonet.yaml b/puppet/services/neutron-compute-plugin-midonet.yaml index 5b6fcca6..75b03044 100644 --- a/puppet/services/neutron-compute-plugin-midonet.yaml +++ b/puppet/services/neutron-compute-plugin-midonet.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Compute Midonet plugin @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/neutron-compute-plugin-nuage.yaml b/puppet/services/neutron-compute-plugin-nuage.yaml index 04431e28..a1657258 100644 --- a/puppet/services/neutron-compute-plugin-nuage.yaml +++ b/puppet/services/neutron-compute-plugin-nuage.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Compute Nuage plugin @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -22,6 +30,10 @@ parameters: description: The password for the nova service account, used by nova-api. type: string hidden: true + NuageMetadataPort: + description: TCP Port to listen for metadata server requests + type: string + default: '9697' outputs: role_data: @@ -32,5 +44,11 @@ outputs: tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service' tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword} tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]} + tripleo.neutron_compute_plugin_nuage.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '100 metadata agent': + dport: {get_param: NuageMetadataPort} step_config: | include ::tripleo::profile::base::neutron::agents::nuage diff --git a/puppet/services/neutron-compute-plugin-ovn.yaml b/puppet/services/neutron-compute-plugin-ovn.yaml index e3a4da99..b5ce790d 100644 --- a/puppet/services/neutron-compute-plugin-ovn.yaml +++ b/puppet/services/neutron-compute-plugin-ovn.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Compute OVN agent @@ -12,6 +12,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -48,6 +56,7 @@ outputs: ovn::controller::ovn_encap_type: {get_param: OVNTunnelEncapType} ovn::controller::ovn_encap_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} ovn::controller::ovn_bridge_mappings: {get_param: NeutronBridgeMappings} + nova::compute::force_config_drive: true tripleo.neutron_compute_plugin_ovn.firewall_rules: '118 neutron vxlan networks': proto: 'udp' diff --git a/puppet/services/neutron-compute-plugin-plumgrid.yaml b/puppet/services/neutron-compute-plugin-plumgrid.yaml index 09aa6191..08cecf64 100644 --- a/puppet/services/neutron-compute-plugin-plumgrid.yaml +++ b/puppet/services/neutron-compute-plugin-plumgrid.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Compute Plumgrid plugin @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml index fe7f9f31..91582db8 100644 --- a/puppet/services/neutron-dhcp.yaml +++ b/puppet/services/neutron-dhcp.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron DHCP agent configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -52,6 +60,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/neutron-l2gw-agent.yaml b/puppet/services/neutron-l2gw-agent.yaml new file mode 100644 index 00000000..39c443f7 --- /dev/null +++ b/puppet/services/neutron-l2gw-agent.yaml @@ -0,0 +1,106 @@ +heat_template_version: pike + +description: > + L2 Gateway agent configured with Puppet +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + L2gwAgentOvsdbHosts: + default: '' + description: L2 gateway agent OVSDB server list. + type: comma_delimited_list + L2gwAgentEnableManager: + default: false + description: Connection can be initiated by the ovsdb server. + type: boolean + L2gwAgentManagerTableListeningPort: + default: 6632 + description: port number for L2 gateway agent, so that it can listen + type: number + L2gwAgentPeriodicInterval: + default: 20 + description: The L2 gateway agent checks connection state with the OVSDB + servers. The interval is number of seconds between attempts. + type: number + L2gwAgentMaxConnectionRetries: + default: 10 + description: The L2 gateway agent retries to connect to the OVSDB server + type: number + L2gwAgentSocketTimeout: + default: 30 + description: socket timeout + type: number + MonitoringSubscriptionNeutronL2gwAgent: + default: 'overcloud-neutron-l2gw-agent' + type: string + NeutronL2gwAgentLoggingSource: + type: json + default: + tag: openstack.neutron.agent.l2gw + path: /var/log/neutron/l2gw-agent.log + +conditions: + internal_manager_enabled: {equals: [{get_param: L2gwAgentEnableManager}, True]} + +outputs: + role_data: + description: Role data for the L2 Gateway role. + value: + service_name: neutron_l2gw_agent + monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL2gwAgent} + logging_source: {get_param: NeutronL2gwAgentLoggingSource} + logging_groups: + - neutron + config_settings: + map_merge: + - neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts} + neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager} + neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort} + neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval} + neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries} + neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout} + - + if: + - internal_manager_enabled + - tripleo.neutron_l2gw_agent.firewall_rules: + '142 neutron l2gw agent input': + proto: 'tcp' + dport: {get_param: L2gwAgentManagerTableListeningPort} + - null + + step_config: | + include tripleo::profile::base::neutron::agents::l2gw + upgrade_tasks: + - name: Check if neutron_l2gw_agent is deployed + command: systemctl is-enabled neutron-l2gw-agent + tags: common + ignore_errors: True + register: neutron_l2gw_agent_enabled + - name: "PreUpgrade step0,validation: Check service neutron-l2gw-agent is running" + shell: /usr/bin/systemctl show 'neutron-l2gw-agent' --property ActiveState | grep '\bactive\b' + when: neutron_l2gw_agent_enabled.rc == 0 + tags: step0,validation + - name: Stop neutron_l2gw_agent service + tags: step1 + when: neutron_l2gw_agent_enabled.rc == 0 + service: name=neutron-l2gw-agent state=stopped diff --git a/puppet/services/neutron-l2gw-api.yaml b/puppet/services/neutron-l2gw-api.yaml new file mode 100644 index 00000000..1ad009b4 --- /dev/null +++ b/puppet/services/neutron-l2gw-api.yaml @@ -0,0 +1,62 @@ +heat_template_version: pike + +description: > + L2 Gateway service plugin configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + L2gwServiceDefaultInterfaceName: + default: 'FortyGigE1/0/1' + description: default interface name of the L2 gateway + type: string + L2gwServiceDefaultDeviceName: + default: 'Switch1' + description: default device name of the L2 gateway + type: string + L2gwServiceQuotaL2Gateway: + default: 5 + description: quota of the L2 gateway + type: number + L2gwServicePeriodicMonitoringInterval: + default: 5 + description: The periodic interval at which the plugin + type: number + L2gwServiceProvider: + default: ["L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default"] + description: Backend to use as a service provider for L2 Gateway + type: comma_delimited_list + +outputs: + role_data: + description: Role data for the L2 Gateway role. + value: + service_name: neutron_l2gw_api + config_settings: + neutron::services::l2gw::default_interface_name: {get_param: L2gwServiceDefaultInterfaceName} + neutron::services::l2gw::default_device_name: {get_param: L2gwServiceDefaultDeviceName} + neutron::services::l2gw::quota_l2_gateway: {get_param: L2gwServiceQuotaL2Gateway} + neutron::services::l2gw::periodic_monitoring_interval: {get_param: L2gwServicePeriodicMonitoringInterval} + neutron::services::l2gw::service_providers: {get_param: L2gwServiceProvider} + step_config: | + include tripleo::profile::base::neutron::l2gw diff --git a/puppet/services/neutron-l3-compute-dvr.yaml b/puppet/services/neutron-l3-compute-dvr.yaml index 1d6a2371..1a4a4f68 100644 --- a/puppet/services/neutron-l3-compute-dvr.yaml +++ b/puppet/services/neutron-l3-compute-dvr.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron L3 agent for DVR enabled compute nodes @@ -14,6 +14,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -52,6 +60,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml index cd9870bd..0598639c 100644 --- a/puppet/services/neutron-l3.yaml +++ b/puppet/services/neutron-l3.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron L3 agent configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -60,6 +68,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index 32ef567c..593fae43 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Metadata agent configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -46,6 +54,9 @@ parameters: tag: openstack.neutron.agent.metadata path: /var/log/neutron/metadata-agent.log +conditions: + neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']} + resources: NeutronBase: @@ -54,6 +65,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -68,11 +81,15 @@ outputs: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret} - neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers} neutron::agents::metadata::auth_password: {get_param: NeutronPassword} neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}" + - + if: + - neutron_workers_unset + - {} + - neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers} step_config: | include tripleo::profile::base::neutron::metadata upgrade_tasks: diff --git a/puppet/services/neutron-midonet.yaml b/puppet/services/neutron-midonet.yaml index 9198f352..8ace3e59 100644 --- a/puppet/services/neutron-midonet.yaml +++ b/puppet/services/neutron-midonet.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Midonet plugin and services @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index 01471ba2..76d5c269 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron OVS agent configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -81,6 +89,11 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + OpenVswitchUpgrade: + type: ./openvswitch-upgrade.yaml outputs: role_data: @@ -121,16 +134,22 @@ outputs: step_config: | include ::tripleo::profile::base::neutron::ovs upgrade_tasks: - - name: Check if neutron_ovs_agent is deployed - command: systemctl is-enabled neutron-openvswitch-agent - tags: common - ignore_errors: True - register: neutron_ovs_agent_enabled - - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" - shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' - when: neutron_ovs_agent_enabled.rc == 0 - tags: step0,validation - - name: Stop neutron_ovs_agent service - tags: step1 - when: neutron_ovs_agent_enabled.rc == 0 - service: name=neutron-openvswitch-agent state=stopped + yaql: + expression: $.data.ovs_upgrade + $.data.neutron_ovs_upgrade + data: + ovs_upgrade: + get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks] + neutron_ovs_upgrade: + - name: Check if neutron_ovs_agent is deployed + command: systemctl is-enabled neutron-openvswitch-agent + tags: common + ignore_errors: True + register: neutron_ovs_agent_enabled + - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" + shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' + when: neutron_ovs_agent_enabled.rc == 0 + tags: step0,validation + - name: Stop neutron_ovs_agent service + tags: step1 + when: neutron_ovs_agent_enabled.rc == 0 + service: name=neutron-openvswitch-agent state=stopped diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index e25bc495..8f3f7b27 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron OVS DPDK configured with Puppet for Compute Role @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -61,6 +69,11 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + OpenVswitchUpgrade: + type: ./openvswitch-upgrade.yaml outputs: role_data: @@ -69,7 +82,10 @@ outputs: service_name: neutron_ovs_dpdk_agent config_settings: map_merge: - - get_attr: [NeutronOvsAgent, role_data, config_settings] + - map_replace: + - get_attr: [NeutronOvsAgent, role_data, config_settings] + - keys: + tripleo.neutron_ovs_agent.firewall_rules: tripleo.neutron_ovs_dpdk_agent.firewall_rules - neutron::agents::ml2::ovs::enable_dpdk: true neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType} neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir} @@ -79,3 +95,5 @@ outputs: vswitch::dpdk::socket_mem: {get_param: NeutronDpdkSocketMemory} vswitch::dpdk::driver_type: {get_param: NeutronDpdkDriverType} step_config: {get_attr: [NeutronOvsAgent, role_data, step_config]} + upgrade_tasks: + get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks] diff --git a/puppet/services/neutron-plugin-ml2-fujitsu-cfab.yaml b/puppet/services/neutron-plugin-ml2-fujitsu-cfab.yaml index becd25c9..a1516955 100644 --- a/puppet/services/neutron-plugin-ml2-fujitsu-cfab.yaml +++ b/puppet/services/neutron-plugin-ml2-fujitsu-cfab.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Configure hieradata for Fujitsu C-Fabric plugin configuration @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -53,6 +61,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml b/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml index 85971f17..c4bf0758 100644 --- a/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml +++ b/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: Configure hieradata for Fujitsu fossw plugin configuration @@ -12,6 +12,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -56,6 +64,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/neutron-plugin-ml2-odl.yaml b/puppet/services/neutron-plugin-ml2-odl.yaml new file mode 100644 index 00000000..6424b76a --- /dev/null +++ b/puppet/services/neutron-plugin-ml2-odl.yaml @@ -0,0 +1,55 @@ +heat_template_version: pike + +description: > + OpenStack Neutron ML2/OpenDaylight plugin configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OpenDaylightPortBindingController: + description: OpenDaylight port binding controller + type: string + default: 'network-topology' + +resources: + + NeutronMl2Base: + type: ./neutron-plugin-ml2.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Neutron ML2/ODL plugin. + value: + service_name: neutron_plugin_ml2_odl + config_settings: + map_merge: + - get_attr: [NeutronMl2Base, role_data, config_settings] + - neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController} + step_config: | + include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-plugin-ml2-ovn.yaml b/puppet/services/neutron-plugin-ml2-ovn.yaml index 4d4c3900..4cda87b6 100644 --- a/puppet/services/neutron-plugin-ml2-ovn.yaml +++ b/puppet/services/neutron-plugin-ml2-ovn.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron ML2/OVN plugin configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -60,6 +68,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index 3abd04f3..130f889b 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron ML2 Plugin configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -68,6 +76,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/neutron-plugin-nsx.yaml b/puppet/services/neutron-plugin-nsx.yaml new file mode 100644 index 00000000..c4088e6c --- /dev/null +++ b/puppet/services/neutron-plugin-nsx.yaml @@ -0,0 +1,74 @@ +heat_template_version: pike + +description: > + OpenStack Neutron NSX + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + DefaultOverlayTz: + description: UUID of the default NSX overlay transport zone. + type: string + DefaultTier0Router: + description: UUID of the default tier0 router that will be used for connecting to + tier1 logical routers and configuring external networks. + type: string + NsxApiManagers: + description: IP address of one or more NSX managers separated by commas. + type: string + NsxApiUser: + description: User name of NSX Manager. + type: string + NsxApiPassword: + description: Password of NSX Manager. + type: string + NativeDhcpMetadata: + default: True + description: This is the flag to indicate if using native DHCP/Metadata or not. + type: string + DhcpProfileUuid: + description: This is the UUID of the NSX DHCP Profile that will be used to enable + native DHCP service. + type: string + MetadataProxyUuid: + description: This is the UUID of the NSX Metadata Proxy that will be used to enable + native metadata service. + type: string + +outputs: + role_data: + description: Role data for the Neutron NSX plugin + value: + service_name: neutron_plugin_nsx + config_settings: + neutron::plugins::nsx_v3::default_overlay_tz: {get_param: DefaultOverlayTz} + neutron::plugins::nsx_v3::default_tier0_router: {get_param: DefaultTier0Router} + neutron::plugins::nsx_v3::nsx_api_managers: {get_param: NsxApiManagers} + neutron::plugins::nsx_v3::nsx_api_user: {get_param: NsxApiUser} + neutron::plugins::nsx_v3::nsx_api_password: {get_param: NsxApiPassword} + neutron::plugins::nsx_v3::native_dhcp_metadata: {get_param: NativeDhcpMetadata} + neutron::plugins::nsx_v3::dhcp_profile_uuid: {get_param: DhcpProfileUuid} + neutron::plugins::nsx_v3::metadata_proxy_uuid: {get_param: MetadataProxyUuid} + + step_config: | + include tripleo::profile::base::neutron::plugins::nsx_v3 diff --git a/puppet/services/neutron-plugin-nuage.yaml b/puppet/services/neutron-plugin-nuage.yaml index e09cd704..953ffeb6 100644 --- a/puppet/services/neutron-plugin-nuage.yaml +++ b/puppet/services/neutron-plugin-nuage.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Nuage plugin @@ -13,16 +13,20 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json # Config specific parameters, to be provided via parameter_defaults - NeutronNuageOSControllerIp: - description: IP address of the OpenStack Controller - type: string - NeutronNuageNetPartitionName: description: Specifies the title that you will see on the VSD type: string @@ -67,6 +71,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -76,8 +82,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - - neutron::plugins::nuage::nuage_oscontroller_ip: {get_param: NeutronNuageOSControllerIp} - neutron::plugins::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName} + - neutron::plugins::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName} neutron::plugins::nuage::nuage_vsd_ip: {get_param: NeutronNuageVSDIp} neutron::plugins::nuage::nuage_vsd_username: {get_param: NeutronNuageVSDUsername} neutron::plugins::nuage::nuage_vsd_password: {get_param: NeutronNuageVSDPassword} diff --git a/puppet/services/neutron-plugin-plumgrid.yaml b/puppet/services/neutron-plugin-plumgrid.yaml index f948dd07..a158010c 100644 --- a/puppet/services/neutron-plugin-plumgrid.yaml +++ b/puppet/services/neutron-plugin-plumgrid.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron Plumgrid plugin @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -92,15 +100,15 @@ outputs: service_name: neutron_plugin_plumgrid config_settings: neutron::plugins::plumgrid::connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://neutron:' - - {get_param: NeutronPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/ovs_neutron' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: neutron + password: {get_param: NeutronPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /ovs_neutron + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneInternal, host]} neutron::plugins::plumgrid::admin_password: {get_param: AdminPassword} neutron::plugins::plumgrid::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} diff --git a/puppet/services/neutron-sriov-agent.yaml b/puppet/services/neutron-sriov-agent.yaml index d3c82d88..c124d1e6 100644 --- a/puppet/services/neutron-sriov-agent.yaml +++ b/puppet/services/neutron-sriov-agent.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron SR-IOV nic agent configured with Puppet @@ -14,6 +14,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -54,6 +62,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/neutron-vpp-agent.yaml b/puppet/services/neutron-vpp-agent.yaml new file mode 100644 index 00000000..cb72f67b --- /dev/null +++ b/puppet/services/neutron-vpp-agent.yaml @@ -0,0 +1,56 @@ +heat_template_version: pike + +description: > + OpenStack Neutron ML2/VPP agent configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: > + Mapping of service_name -> network name. Typically set via + parameter_defaults in the resource registry. This mapping overrides those + in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NeutronVPPAgentPhysnets: + description: > + List of <physical_network>:<VPP Interface> + Example: "physnet1:GigabitEthernet2/2/0,physnet2:GigabitEthernet2/3/0" + type: comma_delimited_list + default: "" + +resources: + + NeutronBase: + type: ./neutron-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Neutron ML2/VPP agent service. + value: + service_name: neutron_vpp_agent + config_settings: + map_merge: + - get_attr: [NeutronBase, role_data, config_settings] + - tripleo::profile::base::neutron::agents::vpp::physnet_mapping: {get_param: NeutronVPPAgentPhysnets} + step_config: | + include ::tripleo::profile::base::neutron::agents::vpp
\ No newline at end of file diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index f27b53f2..835edf0a 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -62,6 +70,12 @@ parameters: default: 300 description: Timeout for Nova db sync type: number + NovaApiPolicies: + description: | + A hash of policies to configure for Nova API. + e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} @@ -75,6 +89,8 @@ resources: # ServiceNetMap: {get_param: ServiceNetMap} # DefaultPasswords: {get_param: DefaultPasswords} # EndpointMap: {get_param: EndpointMap} + # RoleName: {get_param: RoleName} + # RoleParameters: {get_param: RoleParameters} # EnableInternalTLS: {get_param: EnableInternalTLS} NovaBase: @@ -83,6 +99,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -110,8 +128,10 @@ outputs: - 13774 - 8775 nova::keystone::authtoken::project_name: 'service' + nova::keystone::authtoken::user_domain_name: 'Default' + nova::keystone::authtoken::project_domain_name: 'Default' nova::keystone::authtoken::password: {get_param: NovaPassword} - nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} nova::api::enabled: true nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool} @@ -143,6 +163,7 @@ outputs: nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} nova::api::instance_name_template: {get_param: InstanceNameTemplate} nova_enable_db_purge: {get_param: NovaEnableDBPurge} + nova::policy::policies: {get_param: NovaApiPolicies} - if: - nova_workers_zero @@ -218,14 +239,14 @@ outputs: - name: Run puppet apply to set tranport_url in nova.conf tags: step5 when: is_bootstrap_node - command: puppet apply --detailed-exitcodes /root/nova-api_upgrade_manifest.pp + command: puppet apply --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules --detailed-exitcodes /root/nova-api_upgrade_manifest.pp register: puppet_apply_nova_api_upgrade failed_when: puppet_apply_nova_api_upgrade.rc not in [0,2] changed_when: puppet_apply_nova_api_upgrade.rc == 2 - name: Setup cell_v2 (map cell0) tags: step5 when: is_bootstrap_node - command: nova-manage cell_v2 map_cell0 + shell: nova-manage cell_v2 map_cell0 --database_connection=$(hiera nova::cell0_database_connection) - name: Setup cell_v2 (create default cell) tags: step5 when: is_bootstrap_node @@ -241,15 +262,15 @@ outputs: command: nova-manage db sync async: {get_param: NovaDbSyncTimeout} poll: 10 - - name: Setup cell_v2 (migrate hosts) - tags: step5 - when: is_bootstrap_node - command: nova-manage cell_v2 map_cell_and_hosts - name: Setup cell_v2 (get cell uuid) tags: step5 when: is_bootstrap_node shell: nova-manage cell_v2 list_cells | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}' register: nova_api_cell_uuid + - name: Setup cell_v2 (migrate hosts) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 discover_hosts --cell_uuid {{nova_api_cell_uuid.stdout}} --verbose - name: Setup cell_v2 (migrate instances) tags: step5 when: is_bootstrap_node diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index ceacb0b2..ea21af8a 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova base service. Shared for all Nova services. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -52,16 +60,20 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + DatabaseSyncTimeout: + default: 300 + description: DB Sync Timeout default + type: number Debug: type: string default: '' description: Set to True to enable debugging on all services. EnableConfigPurge: type: boolean - default: true + default: false description: > - Remove configuration that is not generated by TripleO. Setting - to false may result in configuration remnants after updates/upgrades. + Remove configuration that is not generated by TripleO. Used to avoid + configuration remnants after upgrades. NovaIPv6: default: false description: Enable IPv6 features in Nova @@ -142,35 +154,45 @@ outputs: nova::placement::os_region_name: {get_param: KeystoneRegion} nova::placement::os_interface: {get_param: NovaPlacementAPIInterface} nova::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://nova:' - - {get_param: NovaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/nova' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: nova + password: {get_param: NovaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /nova + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + nova::cell0_database_connection: + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: nova + password: {get_param: NovaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /nova_cell0 + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo nova::api_database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://nova_api:' - - {get_param: NovaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/nova_api' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: nova_api + password: {get_param: NovaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /nova_api + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo nova::placement_database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://nova_placement:' - - {get_param: NovaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/nova_placement' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: nova_placement + password: {get_param: NovaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /nova_placement + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo nova::debug: {get_param: Debug} nova::purge_config: {get_param: EnableConfigPurge} nova::network::neutron::neutron_project_name: 'service' @@ -188,6 +210,8 @@ outputs: nova::network::neutron::neutron_auth_type: 'v3password' nova::db::database_db_max_retries: -1 nova::db::database_max_retries: -1 + nova::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} + nova::db::sync_api::db_sync_timeout: {get_param: DatabaseSyncTimeout} nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} nova::use_ipv6: {get_param: NovaIPv6} nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge} diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index d208bede..16ccb9e0 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova Compute service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -52,7 +60,7 @@ parameters: For different formats, refer to the nova.conf documentation for pci_passthrough_whitelist configuration type: json - default: {} + default: '' NovaVcpuPinSet: description: > A list or range of physical CPU cores to reserve for virtual machine @@ -79,6 +87,13 @@ parameters: type: string description: Nova Compute upgrade level default: auto + MigrationSshKey: + type: json + description: > + SSH key for migration. + Expects a dictionary with keys 'public_key' and 'private_key'. + Values should be identical to SSH public/private key files. + default: {} resources: NovaBase: @@ -87,6 +102,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -101,12 +118,22 @@ outputs: map_merge: - get_attr: [NovaBase, role_data, config_settings] - nova::compute::libvirt::manage_libvirt_services: false - nova::compute::pci_passthrough: {get_param: NovaPCIPassthrough} + nova::compute::pci_passthrough: + str_replace: + template: "JSON_PARAM" + params: + JSON_PARAM: {get_param: NovaPCIPassthrough} nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet} nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory} # we manage migration in nova common puppet profile nova::compute::libvirt::migration_support: false tripleo::profile::base::nova::manage_migration: true + tripleo::profile::base::nova::migration_ssh_key: {get_param: MigrationSshKey} + tripleo::profile::base::nova::migration_ssh_localaddrs: + - "%{hiera('cold_migration_ssh_inbound_addr')}" + - "%{hiera('live_migration_ssh_inbound_addr')}" + live_migration_ssh_inbound_addr: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + cold_migration_ssh_inbound_addr: {get_param: [ServiceNetMap, NovaColdMigrationNetwork]} tripleo::profile::base::nova::nova_compute_enabled: true nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName} nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName} @@ -163,6 +190,9 @@ outputs: template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" params: LEVEL: {get_param: UpgradeLevelNovaCompute} + - name: install openstack-nova-migration + tags: step3 + yum: name=openstack-nova-migration state=latest - name: Start nova-compute service tags: step6 service: name=openstack-nova-compute state=started diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index 4574cae8..30eb1277 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova Conductor service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -45,6 +53,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/nova-consoleauth.yaml b/puppet/services/nova-consoleauth.yaml index 82f329bc..fa1168aa 100644 --- a/puppet/services/nova-consoleauth.yaml +++ b/puppet/services/nova-consoleauth.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova Consoleauth service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -34,6 +42,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/nova-ironic.yaml b/puppet/services/nova-ironic.yaml index 5eb2170a..4f664329 100644 --- a/puppet/services/nova-ironic.yaml +++ b/puppet/services/nova-ironic.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova Compute service configured with Puppet and using Ironic @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -30,6 +38,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -44,10 +54,14 @@ outputs: nova::compute::vnc_enabled: false nova::ironic::common::password: {get_param: IronicPassword} nova::ironic::common::project_name: 'service' - nova::ironic::common::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + nova::ironic::common::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} nova::ironic::common::username: 'ironic' nova::ironic::common::api_endpoint: {get_param: [EndpointMap, IronicInternal, uri]} nova::network::neutron::dhcp_domain: '' nova::scheduler::filter::scheduler_host_manager: 'ironic_host_manager' step_config: | include tripleo::profile::base::nova::compute::ironic + upgrade_tasks: + - name: Stop openstack-nova-compute service + tags: step1 + service: name=openstack-nova-compute state=stopped enabled=no diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index faf1ae48..4e762b57 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Libvirt service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -32,6 +40,48 @@ parameters: MonitoringSubscriptionNovaLibvirt: default: 'overcloud-nova-libvirt' type: string + EnableInternalTLS: + type: boolean + default: false + UseTLSTransportForLiveMigration: + type: boolean + default: true + description: If set to true and if EnableInternalTLS is enabled, it will + set the libvirt URI's transport to tls and configure the + relevant keys for libvirt. + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + LibvirtCACert: + type: string + default: '' + description: This specifies the CA certificate to use for TLS in libvirt. + This file will be symlinked to the default CA path in libvirt, + which is /etc/pki/CA/cacert.pem. Note that due to limitations + GNU TLS, which is the TLS backend for libvirt, the file must + be less than 65K (so we can't use the system's CA bundle). + This parameter should be used if the default (which comes from + the InternalTLSCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. + +conditions: + + use_tls_for_live_migration: + and: + - equals: + - {get_param: EnableInternalTLS} + - true + - equals: + - {get_param: UseTLSTransportForLiveMigration} + - true + + libvirt_specific_ca_unset: + equals: + - {get_param: LibvirtCACert} + - '' resources: NovaBase: @@ -40,6 +90,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -66,10 +118,64 @@ outputs: tripleo.nova_libvirt.firewall_rules: '200 nova_libvirt': dport: - - 16509 - 16514 - '49152-49215' - '5900-5999' + - + if: + - use_tls_for_live_migration + - + generate_service_certificates: true + tripleo::profile::base::nova::libvirt_tls: true + nova::migration::libvirt::live_migration_inbound_addr: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + tripleo::certmonger::ca::libvirt::origin_ca_pem: + if: + - libvirt_specific_ca_unset + - get_param: InternalTLSCAFile + - get_param: LibvirtCACert + tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt' + tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private' + libvirt_certificates_specs: + libvirt-server-cert: + service_certificate: '/etc/pki/libvirt/servercert.pem' + service_key: '/etc/pki/libvirt/private/serverkey.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "libvirt/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + libvirt-client-cert: + service_certificate: '/etc/pki/libvirt/clientcert.pem' + service_key: '/etc/pki/libvirt/private/clientkey.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "libvirt/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + - {} step_config: | include tripleo::profile::base::nova::libvirt + metadata_settings: + if: + - use_tls_for_live_migration + - + - service: libvirt + network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + type: node + - null diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml index 376f95b1..335b2c28 100644 --- a/puppet/services/nova-metadata.yaml +++ b/puppet/services/nova-metadata.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/nova-placement.yaml b/puppet/services/nova-placement.yaml index b59e2fc6..86aa079e 100644 --- a/puppet/services/nova-placement.yaml +++ b/puppet/services/nova-placement.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova Placement API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -52,6 +60,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} NovaBase: @@ -60,6 +70,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/nova-scheduler.yaml b/puppet/services/nova-scheduler.yaml index e4b6bb43..5da6d43e 100644 --- a/puppet/services/nova-scheduler.yaml +++ b/puppet/services/nova-scheduler.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova Scheduler service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -45,6 +53,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml index 42335ade..2db44d6f 100644 --- a/puppet/services/nova-vnc-proxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Nova Vncproxy service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -34,6 +42,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml index 909a3030..e64a00f5 100644 --- a/puppet/services/octavia-api.yaml +++ b/puppet/services/octavia-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Octavia API service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -34,6 +42,12 @@ parameters: default: tag: openstack.octavia.api path: /var/log/octavia/api.log + OctaviaApiPolicies: + description: | + A hash of policies to configure for Octavia API. + e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -43,6 +57,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -57,16 +73,17 @@ outputs: map_merge: - get_attr: [OctaviaBase, role_data, config_settings] - octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + octavia::policy::policies: {get_param: OctaviaApiPolicies} octavia::db::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://octavia:' - - {get_param: OctaviaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/octavia' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: octavia + password: {get_param: OctaviaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /octavia + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} octavia::keystone::authtoken::project_name: 'service' octavia::keystone::authtoken::password: {get_param: OctaviaPassword} @@ -77,7 +94,6 @@ outputs: - 9876 - 13876 octavia::api::host: {get_param: [ServiceNetMap, OctaviaApiNetwork]} - neutron::server::service_providers: ['LOADBALANCERV2:Octavia:neutron_lbaas.drivers.octavia.driver.OctaviaDriver:default'] step_config: | include tripleo::profile::base::octavia::api service_config_settings: @@ -96,3 +112,5 @@ outputs: octavia::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + neutron_api: + neutron::server::service_providers: ['LOADBALANCERV2:Octavia:neutron_lbaas.drivers.octavia.driver.OctaviaDriver:default'] diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml index b537a2bc..19dc5b47 100644 --- a/puppet/services/octavia-base.yaml +++ b/puppet/services/octavia-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Octavia base service. Shared for all Octavia services @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -24,10 +32,10 @@ parameters: description: Set to True to enable debugging on all services. EnableConfigPurge: type: boolean - default: true + default: false description: > - Remove configuration that is not generated by TripleO. Setting - to false may result in configuration remnants after updates/upgrades. + Remove configuration that is not generated by TripleO. Used to avoid + configuration remnants after upgrades. RabbitPassword: description: The password for RabbitMQ type: string @@ -56,7 +64,7 @@ outputs: octavia::debug: {get_param: Debug} octavia::purge_config: {get_param: EnableConfigPurge} octavia::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - tripleo::profile::base::octavia::rabbit_user: {get_param: RabbitUserName} - tripleo::profile::base::octavia::rabbit_password: {get_param: RabbitPassword} - tripleo::profile::base::octavia::rabbit_port: {get_param: RabbitClientPort} + octavia::rabbit_userid: {get_param: RabbitUserName} + octavia::rabbit_password: {get_param: RabbitPassword} + octavia::rabbit_port: {get_param: RabbitClientPort} diff --git a/puppet/services/octavia-health-manager.yaml b/puppet/services/octavia-health-manager.yaml index 51d32f23..853567d3 100644 --- a/puppet/services/octavia-health-manager.yaml +++ b/puppet/services/octavia-health-manager.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Octavia Health Manager service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -39,6 +47,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/octavia-housekeeping.yaml b/puppet/services/octavia-housekeeping.yaml index 84c33433..6c556fa7 100644 --- a/puppet/services/octavia-housekeeping.yaml +++ b/puppet/services/octavia-housekeeping.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Octavia Housekeeping service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -46,6 +54,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/octavia-worker.yaml b/puppet/services/octavia-worker.yaml index 9212b76b..4feae415 100644 --- a/puppet/services/octavia-worker.yaml +++ b/puppet/services/octavia-worker.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Octavia Worker service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -69,6 +77,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml index 1e7aa479..af85f4a3 100644 --- a/puppet/services/opendaylight-api.yaml +++ b/puppet/services/opendaylight-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenDaylight SDN Controller. @@ -28,7 +28,7 @@ parameters: OpenDaylightFeatures: description: List of features to install with ODL type: comma_delimited_list - default: ["odl-netvirt-openstack","odl-netvirt-ui"] + default: ["odl-netvirt-openstack","odl-netvirt-ui","odl-jolokia"] OpenDaylightApiVirtualIP: type: string default: '' @@ -46,6 +46,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json outputs: role_data: @@ -59,12 +67,36 @@ outputs: opendaylight::extra_features: {get_param: OpenDaylightFeatures} opendaylight::enable_dhcp: {get_param: OpenDaylightEnableDHCP} opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} - opendaylight::nb_connection_protocol: {get_param: OpenDayLightConnectionProtocol} + opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} tripleo.opendaylight_api.firewall_rules: '137 opendaylight api': dport: - {get_param: OpenDaylightPort} - 6640 - 6653 + - 2550 step_config: | include tripleo::profile::base::neutron::opendaylight + upgrade_tasks: + - name: Check if opendaylight is deployed + command: systemctl is-enabled opendaylight + tags: common + ignore_errors: True + register: opendaylight_enabled + - name: "PreUpgrade step0,validation: Check service opendaylight is running" + shell: /usr/bin/systemctl show 'opendaylight' --property ActiveState | grep '\bactive\b' + when: opendaylight_enabled.rc == 0 + tags: step0,validation + - name: Stop opendaylight service + tags: step1 + when: opendaylight_enabled.rc == 0 + service: name=opendaylight state=stopped + - name: Removes ODL snapshots, data, journal directories + file: + state: absent + path: /opt/opendaylight/{{item}} + tags: step2 + with_items: + - snapshots + - data + - journal diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index cfec3c48..0d859be1 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenDaylight OVS Configuration. @@ -47,6 +47,18 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + OpenVswitchUpgrade: + type: ./openvswitch-upgrade.yaml outputs: role_data: @@ -60,11 +72,7 @@ outputs: opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} - neutron::plugins::ovs::opendaylight::provider_mappings: - str_replace: - template: MAPPINGS - params: - MAPPINGS: {get_param: OpenDaylightProviderMappings} + neutron::plugins::ovs::opendaylight::provider_mappings: {get_param: OpenDaylightProviderMappings} tripleo.opendaylight_ovs.firewall_rules: '118 neutron vxlan networks': proto: 'udp' @@ -73,3 +81,23 @@ outputs: proto: 'gre' step_config: | include tripleo::profile::base::neutron::plugins::ovs::opendaylight + upgrade_tasks: + yaql: + expression: $.data.ovs_upgrade + $.data.opendaylight_upgrade + data: + ovs_upgrade: + get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks] + opendaylight_upgrade: + - name: Check if openvswitch is deployed + command: systemctl is-enabled openvswitch + tags: common + ignore_errors: True + register: openvswitch_enabled + - name: "PreUpgrade step0,validation: Check service openvswitch is running" + shell: /usr/bin/systemctl show 'openvswitch' --property ActiveState | grep '\bactive\b' + when: openvswitch_enabled.rc == 0 + tags: step0,validation + - name: Stop openvswitch service + tags: step1 + when: openvswitch_enabled.rc == 0 + service: name=openvswitch state=stopped diff --git a/puppet/services/openvswitch-upgrade.yaml b/puppet/services/openvswitch-upgrade.yaml new file mode 100644 index 00000000..f6e78462 --- /dev/null +++ b/puppet/services/openvswitch-upgrade.yaml @@ -0,0 +1,50 @@ +heat_template_version: pike + +description: > + Openvswitch package special handling for upgrade. + +outputs: + role_data: + description: Upgrade task for special handling of Openvswitch (OVS) upgrade. + value: + service_name: openvswitch_upgrade + upgrade_tasks: + - name: Check openvswitch version. + tags: step2 + register: ovs_version + ignore_errors: true + shell: rpm -qa | awk -F- '/^openvswitch-2/{print $2 "-" $3}' + - name: Check openvswitch packaging. + tags: step2 + shell: rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep -q "systemctl.*try-restart" + register: ovs_packaging_issue + ignore_errors: true + - block: + - name: "Ensure empty directory: emptying." + file: + state: absent + path: /root/OVS_UPGRADE + - name: "Ensure empty directory: creating." + file: + state: directory + path: /root/OVS_UPGRADE + owner: root + group: root + mode: 0750 + - name: Download OVS packages. + command: yumdownloader --destdir /root/OVS_UPGRADE --resolve openvswitch + - name: Get rpm list for manual upgrade of OVS. + shell: ls -1 /root/OVS_UPGRADE/*.rpm + register: ovs_list_of_rpms + - name: Manual upgrade of OVS + shell: | + rpm -U --test {{item}} 2>&1 | grep "already installed" || \ + rpm -U --replacepkgs --notriggerun --nopostun {{item}}; + args: + chdir: /root/OVS_UPGRADE + with_items: + - "{{ovs_list_of_rpms.stdout_lines}}" + tags: step2 + when: "'2.5.0-14' in '{{ovs_version.stdout}}' + or + ovs_packaging_issue|succeeded" diff --git a/puppet/services/ovn-dbs.yaml b/puppet/services/ovn-dbs.yaml index 7f81afde..20c38d8a 100644 --- a/puppet/services/ovn-dbs.yaml +++ b/puppet/services/ovn-dbs.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OVN databases configured with puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -36,5 +44,11 @@ outputs: ovn::northbound::port: {get_param: OVNNorthboundServerPort} ovn::southbound::port: {get_param: OVNSouthboundServerPort} ovn::northd::dbs_listen_ip: {get_param: [ServiceNetMap, OvnDbsNetwork]} + tripleo.ovn_dbs.firewall_rules: + '121 OVN DB server ports': + proto: 'tcp' + dport: + - {get_param: OVNNorthboundServerPort} + - {get_param: OVNSouthboundServerPort} step_config: | include ::tripleo::profile::base::neutron::ovn_northd diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 5be58c18..1c89011c 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Pacemaker service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -87,10 +95,16 @@ parameters: \[(?<pid>[^ ]*)\] (?<host>[^ ]*) (?<message>.*)$/ + + EnableLoadBalancer: + default: true + description: Whether to deploy a LoadBalancer on the Controller + type: boolean + PacemakerResources: type: comma_delimited_list description: List of resources managed by pacemaker - default: ['rabbitmq','haproxy'] + default: ['rabbitmq', 'galera'] outputs: role_data: @@ -135,6 +149,8 @@ outputs: - name: Check pacemaker cluster running before upgrade tags: step0,validation pacemaker_cluster: state=online check_and_fail=true + async: 30 + poll: 4 - name: Stop pacemaker cluster tags: step2 pacemaker_cluster: state=offline @@ -143,5 +159,13 @@ outputs: pacemaker_cluster: state=online - name: Check pacemaker resource tags: step4 - pacemaker_resource: state=started resource={{item}} check_mode=true wait_for_resource=true timeout=500 + pacemaker_is_active: + resource: "{{ item }}" + max_wait: 500 with_items: {get_param: PacemakerResources} + - name: Check pacemaker haproxy resource + tags: step4 + pacemaker_is_active: + resource: haproxy + max_wait: 500 + when: {get_param: EnableLoadBalancer} diff --git a/puppet/services/pacemaker/ceph-rbdmirror.yaml b/puppet/services/pacemaker/ceph-rbdmirror.yaml index 7686028d..7ecb64d1 100644 --- a/puppet/services/pacemaker/ceph-rbdmirror.yaml +++ b/puppet/services/pacemaker/ceph-rbdmirror.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Ceph RBD mirror service. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/pacemaker/cinder-backup.yaml b/puppet/services/pacemaker/cinder-backup.yaml index e75ac973..d888d4a4 100644 --- a/puppet/services/pacemaker/cinder-backup.yaml +++ b/puppet/services/pacemaker/cinder-backup.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Cinder Backup service with Pacemaker configured with Puppet @@ -25,6 +25,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -39,6 +47,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} CinderBackupBackend: {get_param: CinderBackupBackend} CinderBackupRbdPoolName: {get_param: CinderBackupRbdPoolName} CephClientUserName: {get_param: CephClientUserName} diff --git a/puppet/services/pacemaker/cinder-volume.yaml b/puppet/services/pacemaker/cinder-volume.yaml index bef47a57..659368a4 100644 --- a/puppet/services/pacemaker/cinder-volume.yaml +++ b/puppet/services/pacemaker/cinder-volume.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Cinder Volume service with Pacemaker configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -27,6 +35,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index 93bf5967..d8e942d0 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > MySQL with Pacemaker service deployment using puppet @@ -14,6 +14,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -28,6 +36,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/pacemaker/database/redis.yaml b/puppet/services/pacemaker/database/redis.yaml index e702d28b..5bc28ed4 100644 --- a/puppet/services/pacemaker/database/redis.yaml +++ b/puppet/services/pacemaker/database/redis.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Redis service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -26,6 +34,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -37,5 +47,6 @@ outputs: - get_attr: [RedisBase, role_data, config_settings] - redis::service_manage: false redis::notify_service: false + redis::managed_by_cluster_manager: true step_config: | include ::tripleo::profile::pacemaker::database::redis diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml index 598deaef..0fb83939 100644 --- a/puppet/services/pacemaker/haproxy.yaml +++ b/puppet/services/pacemaker/haproxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > HAproxy service with Pacemaker configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -26,6 +34,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/pacemaker/manila-share.yaml b/puppet/services/pacemaker/manila-share.yaml index ddc13df3..12f6529c 100644 --- a/puppet/services/pacemaker/manila-share.yaml +++ b/puppet/services/pacemaker/manila-share.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > The manila-share service with Pacemaker configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -27,6 +35,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/pacemaker/rabbitmq.yaml b/puppet/services/pacemaker/rabbitmq.yaml index b018df35..79257201 100644 --- a/puppet/services/pacemaker/rabbitmq.yaml +++ b/puppet/services/pacemaker/rabbitmq.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > RabbitMQ service with Pacemaker configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -26,6 +34,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -39,32 +49,5 @@ outputs: - rabbitmq::service_manage: false step_config: | include ::tripleo::profile::pacemaker::rabbitmq - upgrade_tasks: - - name: get bootstrap nodeid - tags: common - command: hiera bootstrap_nodeid - register: bootstrap_node - - name: set is_bootstrap_node fact - tags: common - set_fact: is_bootstrap_node={{bootstrap_node.stdout == ansible_hostname}} - - name: get rabbitmq policy - tags: common - shell: pcs resource show rabbitmq | grep -q -E "Attributes:.*\"ha-mode\":\"all\"" - register: rabbit_ha_mode - when: is_bootstrap_node - ignore_errors: true - - name: set migrate_rabbit_ha_mode fact - tags: common - set_fact: migrate_rabbit_ha_mode={{rabbit_ha_mode.rc == 0}} - when: is_bootstrap_node - - name: Fixup for rabbitmq ha-queues LP#1668600 - tags: step0,pre-upgrade - shell: | - nr_controllers=$(($(hiera controller_node_names | grep -o "," |wc -l) + 1)) - nr_queues=$(($nr_controllers / 2 + ($nr_controllers % 2))) - if ! [ $nr_queues -gt 0 -a $nr_queues -le $nr_controllers ]; then - echo "ERROR: The nr. of HA queues during the rabbit upgrade is out of range: $nr_queues" - exit 1 - fi - pcs resource update rabbitmq set_policy='ha-all ^(?!amq\\.).* {"ha-mode":"exactly","ha-params":'"$nr_queues}" --wait=600 - when: is_bootstrap_node and migrate_rabbit_ha_mode + metadata_settings: + get_attr: [RabbitMQServiceBase, role_data, metadata_settings] diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml index daee43e6..74aaf599 100644 --- a/puppet/services/pacemaker_remote.yaml +++ b/puppet/services/pacemaker_remote.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Pacemaker remote service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml index eed98257..a41e34f7 100644 --- a/puppet/services/panko-api.yaml +++ b/puppet/services/panko-api.yaml @@ -1,7 +1,9 @@ -heat_template_version: ocata +heat_template_version: pike description: > - OpenStack Panko API service configured with Puppet + OpenStack Panko API service configured with Puppet. + Note, This service is deprecated in Pike release and will + be disabled in future releases. parameters: ServiceNetMap: @@ -13,6 +15,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -24,6 +34,12 @@ parameters: EnableInternalTLS: type: boolean default: false + PankoApiPolicies: + description: | + A hash of policies to configure for Panko API. + e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: PankoBase: @@ -32,6 +48,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} ApacheServiceBase: type: ./apache.yaml @@ -39,6 +57,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} outputs: @@ -58,6 +78,7 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + panko::policy::policies: {get_param: PankoApiPolicies} panko::api::service_name: 'httpd' panko::api::enable_proxy_headers_parsing: true tripleo.panko_api.firewall_rules: @@ -85,21 +106,27 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - - name: Check if httpd is deployed - command: systemctl is-enabled httpd - tags: common - ignore_errors: True - register: httpd_enabled - - name: "PreUpgrade step0,validation: Check if httpd is running" - shell: > - /usr/bin/systemctl show 'httpd' --property ActiveState | - grep '\bactive\b' - when: httpd_enabled.rc == 0 - tags: step0,validation - - name: Stop panko-api service (running under httpd) - tags: step1 - service: name=httpd state=stopped - when: httpd_enabled.rc == 0 - - name: Install openstack-panko-api package if it was not installed - tags: step3 - yum: name=openstack-panko-api state=latest + yaql: + expression: $.data.apache_upgrade + $.data.panko_api_upgrade + data: + apache_upgrade: + get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + panko_api_upgrade: + - name: Check if httpd is deployed + command: systemctl is-enabled httpd + tags: common + ignore_errors: True + register: httpd_enabled + - name: "PreUpgrade step0,validation: Check if httpd is running" + shell: > + /usr/bin/systemctl show 'httpd' --property ActiveState | + grep '\bactive\b' + when: httpd_enabled.rc == 0 + tags: step0,validation + - name: Stop panko-api service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: httpd_enabled.rc == 0 + - name: Install openstack-panko-api package if it was not installed + tags: step3 + yum: name=openstack-panko-api state=latest diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml index 998e64ee..84817bcf 100644 --- a/puppet/services/panko-base.yaml +++ b/puppet/services/panko-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Panko service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -38,20 +46,22 @@ outputs: service_name: panko_base config_settings: panko::db::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://panko:' - - {get_param: PankoPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/panko' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: panko + password: {get_param: PankoPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /panko + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo panko::debug: {get_param: Debug} panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::keystone::authtoken::project_name: 'service' + panko::keystone::authtoken::user_domain_name: 'Default' + panko::keystone::authtoken::project_domain_name: 'Default' panko::keystone::authtoken::password: {get_param: PankoPassword} - panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::auth::auth_password: {get_param: PankoPassword} panko::auth::auth_region: 'regionOne' diff --git a/puppet/services/qdr.yaml b/puppet/services/qdr.yaml new file mode 100644 index 00000000..0659a945 --- /dev/null +++ b/puppet/services/qdr.yaml @@ -0,0 +1,68 @@ +heat_template_version: pike + +description: > + Qpid dispatch router service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + RabbitUserName: + default: guest + description: The username for Qdr + type: string + RabbitPassword: + description: The password for Qdr + type: string + hidden: true + RabbitClientPort: + description: Listening port for Qdr + default: 5672 + type: number + MonitoringSubscriptionQdr: + default: 'overcloud-qdr' + type: string + +outputs: + role_data: + description: Role data for the Qdr role. + value: + service_name: rabbitmq + monitoring_subscription: {get_param: MonitoringSubscriptionQdr} + global_config_settings: + messaging_notify_service_name: 'amqp' + messaging_rpc_service_name: 'amqp' + keystone::messaging::amqp::amqp_pre_settled: 'notify' + config_settings: + tripleo.rabbitmq.firewall_rules: + '109 qdr': + dport: + - {get_param: RabbitClientPort} + qdr::listener_addr: {get_param: [ServiceNetMap, QdrNetwork]} + # cannot pass qdr::listener_port directly because it needs to be a string + # we do the conversion in the puppet layer + tripleo::profile::base::qdr::qdr_listener_port: {get_param: RabbitClientPort} + tripleo::profile::base::qdr::qdr_username: {get_param: RabbitUserName} + tripleo::profile::base::qdr::qdr_password: {get_param: RabbitPassword} + + step_config: | + include ::tripleo::profile::base::qdr diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index 2c4ccbc9..1a42fdad 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > RabbitMQ service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -40,14 +48,20 @@ parameters: hidden: true RabbitHAQueues: description: - The number of HA queues to be configured in rabbit. The default is 0 which will - be automatically overridden to CEIL(N/2) where N is the number of nodes running - rabbitmq. - default: 0 + The number of HA queues to be configured in rabbit. The default is -1 which + translates to "ha-mode all". The special value 0 will be automatically + overridden to CEIL(N/2) where N is the number of nodes running rabbitmq. + default: -1 type: number MonitoringSubscriptionRabbitmq: default: 'overcloud-rabbitmq' type: string + EnableInternalTLS: + type: boolean + default: false + +conditions: + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -56,51 +70,79 @@ outputs: service_name: rabbitmq monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq} config_settings: - rabbitmq::file_limit: {get_param: RabbitFDLimit} - rabbitmq::default_user: {get_param: RabbitUserName} - rabbitmq::default_pass: {get_param: RabbitPassword} - rabbit_ipv6: {get_param: RabbitIPv6} - tripleo.rabbitmq.firewall_rules: - '109 rabbitmq': - dport: - - 4369 - - 5672 - - 25672 - rabbitmq::delete_guest_user: false - rabbitmq::wipe_db_on_cookie_change: true - rabbitmq::port: '5672' - rabbitmq::package_provider: yum - rabbitmq::package_source: undef - rabbitmq::repos_ensure: false - rabbitmq::tcp_keepalive: true - rabbitmq_environment: - NODE_PORT: '' - NODE_IP_ADDRESS: '' - RABBITMQ_NODENAME: "rabbit@%{::hostname}" - RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"' - 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}" - rabbitmq_kernel_variables: - inet_dist_listen_min: '25672' - inet_dist_listen_max: '25672' - rabbitmq_config_variables: - cluster_partition_handling: 'pause_minority' - queue_master_locator: '<<"min-masters">>' - loopback_users: '[]' - rabbitmq::erlang_cookie: - yaql: - expression: $.data.passwords.where($ != '').first() - data: - passwords: - - {get_param: RabbitCookie} - - {get_param: [DefaultPasswords, rabbit_cookie]} - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - rabbitmq::interface: {get_param: [ServiceNetMap, RabbitmqNetwork]} - rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} + map_merge: + - + rabbitmq::file_limit: {get_param: RabbitFDLimit} + rabbitmq::default_user: {get_param: RabbitUserName} + rabbitmq::default_pass: {get_param: RabbitPassword} + rabbit_ipv6: {get_param: RabbitIPv6} + tripleo.rabbitmq.firewall_rules: + '109 rabbitmq': + dport: + - 4369 + - 5672 + - 25672 + rabbitmq::delete_guest_user: false + rabbitmq::wipe_db_on_cookie_change: true + rabbitmq::port: '5672' + rabbitmq::package_provider: yum + rabbitmq::package_source: undef + rabbitmq::repos_ensure: false + rabbitmq::tcp_keepalive: true + rabbitmq_environment: + NODE_PORT: '' + NODE_IP_ADDRESS: '' + RABBITMQ_NODENAME: "rabbit@%{::hostname}" + RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"' + 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}" + rabbitmq_kernel_variables: + inet_dist_listen_min: '25672' + inet_dist_listen_max: '25672' + rabbitmq_config_variables: + cluster_partition_handling: 'pause_minority' + queue_master_locator: '<<"min-masters">>' + loopback_users: '[]' + rabbitmq::erlang_cookie: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: RabbitCookie} + - {get_param: [DefaultPasswords, rabbit_cookie]} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + rabbitmq::interface: {get_param: [ServiceNetMap, RabbitmqNetwork]} + rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} + rabbitmq::ssl: {get_param: EnableInternalTLS} + rabbitmq::ssl_port: '5672' + rabbitmq::ssl_depth: 1 + rabbitmq::ssl_only: {get_param: EnableInternalTLS} + rabbitmq::ssl_interface: {get_param: [ServiceNetMap, RabbitmqNetwork]} + # TODO(jaosorior): Remove this once we set a proper default in + # puppet-tripleo + tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} + - + if: + - internal_tls_enabled + - generate_service_certificates: true + tripleo::profile::base::rabbitmq::certificate_specs: + service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + service_key: '/etc/pki/tls/private/rabbitmq.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + principal: + str_replace: + template: "rabbitmq/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + - {} step_config: | include ::tripleo::profile::base::rabbitmq upgrade_tasks: @@ -110,4 +152,11 @@ outputs: - name: Start rabbitmq service tags: step4 service: name=rabbitmq-server state=started - + metadata_settings: + if: + - internal_tls_enabled + - + - service: rabbitmq + network: {get_param: [ServiceNetMap, RabbitmqNetwork]} + type: node + - null diff --git a/puppet/services/releasenotes/notes/mod_ssl-e7fd4db71189242e.yaml b/puppet/services/releasenotes/notes/mod_ssl-e7fd4db71189242e.yaml new file mode 100644 index 00000000..eb7b513c --- /dev/null +++ b/puppet/services/releasenotes/notes/mod_ssl-e7fd4db71189242e.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - When a service is deployed in WSGI with Apache, make sure mode_ssl + package is deployed during the upgrade process, it's now required + by default so Apache can start properly. diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index 96b3d6e3..3df4ce7c 100644 --- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Sahara API service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -38,6 +46,12 @@ parameters: default: tag: openstack.sahara.api path: /var/log/sahara/sahara-api.log + SaharaApiPolicies: + description: | + A hash of policies to configure for Sahara API. + e.g. { sahara-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: SaharaBase: @@ -46,6 +60,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -60,6 +76,7 @@ outputs: map_merge: - get_attr: [SaharaBase, role_data, config_settings] - sahara::port: {get_param: [EndpointMap, SaharaInternal, port]} + sahara::policy::policies: {get_param: SaharaApiPolicies} sahara::service::api::api_workers: {get_param: SaharaWorkers} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml index 224989be..1ee6d175 100644 --- a/puppet/services/sahara-base.yaml +++ b/puppet/services/sahara-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Sahara base service. Shared for all Sahara services. @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -56,26 +64,28 @@ outputs: service_name: sahara_base config_settings: sahara::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://sahara:' - - {get_param: SaharaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/sahara' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: sahara + password: {get_param: SaharaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /sahara + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo sahara::rabbit_password: {get_param: RabbitPassword} sahara::rabbit_user: {get_param: RabbitUserName} sahara::rabbit_use_ssl: {get_param: RabbitClientUseSSL} sahara::rabbit_port: {get_param: RabbitClientPort} sahara::debug: {get_param: Debug} + # Remove admin_password when https://review.openstack.org/442619 is merged. sahara::admin_password: {get_param: SaharaPassword} - sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - sahara::identity_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } sahara::use_neutron: true sahara::plugins: {get_param: SaharaPlugins} sahara::rpc_backend: rabbit - sahara::admin_tenant_name: 'service' sahara::db::database_db_max_retries: -1 sahara::db::database_max_retries: -1 + sahara::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + sahara::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + sahara::keystone::authtoken::password: {get_param: SaharaPassword} + sahara::keystone::authtoken::project_name: 'service' diff --git a/puppet/services/sahara-engine.yaml b/puppet/services/sahara-engine.yaml index c0b6b3e6..b6c108ea 100644 --- a/puppet/services/sahara-engine.yaml +++ b/puppet/services/sahara-engine.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Sahara Engine service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -34,6 +42,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: diff --git a/puppet/services/securetty.yaml b/puppet/services/securetty.yaml new file mode 100644 index 00000000..84a370f0 --- /dev/null +++ b/puppet/services/securetty.yaml @@ -0,0 +1,44 @@ +heat_template_version: pike + +description: > + Configure securetty values + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + TtyValues: + default: {} + description: Configures console values in securetty + type: json + constraints: + - length: { min: 1} + +outputs: + role_data: + description: Console data for the securetty + value: + service_name: securetty + config_settings: + tripleo::profile::base::securetty::tty_list: {get_param: TtyValues} + step_config: | + include ::tripleo::profile::base::securetty diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index a2286d16..0e7b6d2b 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Utility stack to convert an array of services into a set of combined @@ -26,6 +26,14 @@ parameters: description: Mapping of service -> default password. Used to help pass top level passwords managed by Heat into services. type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + description: Role Specific parameters to be provided to service + default: {} + type: json resources: @@ -38,6 +46,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} LoggingConfiguration: type: OS::TripleO::LoggingConfiguration @@ -90,14 +100,11 @@ outputs: # fluentd user. yaql: expression: > - set($.data.groups.flatten()).where($) + set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($) data: - groups: - - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}] - - yaql: - expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null)) - data: {role_data: {get_attr: [ServiceChain, role_data]}} - - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}] + default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]} + extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]} + role_data: {get_attr: [ServiceChain, role_data]} config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}} global_config_settings: map_merge: diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml index 80c29f95..ffa5d317 100644 --- a/puppet/services/snmp.yaml +++ b/puppet/services/snmp.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > SNMP client configured with Puppet, to facilitate Ceilometer Hardware @@ -15,6 +15,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -28,6 +36,14 @@ parameters: description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true + SnmpdBindHost: + description: An array of bind host addresses on which SNMP daemon will listen. + type: comma_delimited_list + default: ['udp:161','udp6:[::1]:161'] + SnmpdOptions: + description: A string containing the commandline options passed to snmpd + type: string + default: '-LS0-5d' outputs: role_data: @@ -37,6 +53,8 @@ outputs: config_settings: tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName} tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword} + snmp::agentaddress: {get_param: SnmpdBindHost} + snmp::snmpd_options: {get_param: SnmpdOptions} tripleo.snmp.firewall_rules: '127 snmp': dport: 161 diff --git a/puppet/services/sshd.yaml b/puppet/services/sshd.yaml index 41e144a0..30058f03 100644 --- a/puppet/services/sshd.yaml +++ b/puppet/services/sshd.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Configure sshd_config @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -22,6 +30,33 @@ parameters: default: '' description: Configures Banner text in sshd_config type: string + MessageOfTheDay: + default: '' + description: Configures /etc/motd text + type: string + SshServerOptions: + default: + HostKey: + - '/etc/ssh/ssh_host_rsa_key' + - '/etc/ssh/ssh_host_ecdsa_key' + - '/etc/ssh/ssh_host_ed25519_key' + SyslogFacility: 'AUTHPRIV' + AuthorizedKeysFile: '.ssh/authorized_keys' + PasswordAuthentication: 'no' + ChallengeResponseAuthentication: 'no' + GSSAPIAuthentication: 'yes' + GSSAPICleanupCredentials: 'no' + UsePAM: 'yes' + X11Forwarding: 'yes' + UsePrivilegeSeparation: 'sandbox' + AcceptEnv: + - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' + - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' + - 'LC_IDENTIFICATION LC_ALL LANGUAGE' + - 'XMODIFIERS' + Subsystem: 'sftp /usr/libexec/openssh/sftp-server' + description: Mapping of sshd_config values + type: json outputs: role_data: @@ -29,6 +64,8 @@ outputs: value: service_name: sshd config_settings: - BannerText: {get_param: BannerText} + tripleo::profile::base::sshd::bannertext: {get_param: BannerText} + tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay} + tripleo::profile::base::sshd::options: {get_param: SshServerOptions} step_config: | include ::tripleo::profile::base::sshd diff --git a/puppet/services/swift-base.yaml b/puppet/services/swift-base.yaml index 6046d5e8..3066aecd 100644 --- a/puppet/services/swift-base.yaml +++ b/puppet/services/swift-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Swift Proxy service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 9b0d2de1..f3b7ee4a 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Swift Proxy service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -31,9 +39,9 @@ parameters: description: Timeout for requests going from swift-proxy to swift a/c/o services. type: number SwiftWorkers: - default: 0 + default: auto description: Number of workers for Swift service. - type: number + type: string KeystoneRegion: type: string default: 'regionOne' @@ -63,10 +71,14 @@ parameters: Rabbit client subscriber parameter to specify an SSL connection to the RabbitMQ host. type: string + EnableInternalTLS: + type: boolean + default: false conditions: ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]} + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: SwiftBase: @@ -75,6 +87,16 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -85,7 +107,7 @@ outputs: config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - + - get_attr: [TLSProxyBase, role_data, config_settings] - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::authtoken::password: {get_param: SwiftPassword} @@ -146,7 +168,22 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - swift::proxy::proxy_local_net_ip: {get_param: [ServiceNetMap, SwiftProxyNetwork]} + tripleo::profile::base::swift::proxy::tls_proxy_bind_ip: + get_param: [ServiceNetMap, SwiftProxyNetwork] + tripleo::profile::base::swift::proxy::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]} + tripleo::profile::base::swift::proxy::tls_proxy_port: + get_param: [EndpointMap, SwiftInternal, port] + swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]} + swift::proxy::proxy_local_net_ip: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, SwiftProxyNetwork]} step_config: | include ::tripleo::profile::base::swift::proxy service_config_settings: @@ -169,3 +206,5 @@ outputs: - name: Stop swift_proxy service tags: step1 service: name=openstack-swift-proxy state=stopped + metadata_settings: + get_attr: [TLSProxyBase, role_data, metadata_settings] diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index 2e3c818f..3808dbcc 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Swift Ringbuilder @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -42,6 +50,14 @@ parameters: default: true description: 'Use a local directory for Swift storage services when building rings' type: boolean + SwiftRingGetTempurl: + default: '' + description: A temporary Swift URL to download rings from. + type: string + SwiftRingPutTempurl: + default: '' + description: A temporary Swift URL to upload rings to. + type: string conditions: swift_use_local_dir: @@ -59,6 +75,8 @@ outputs: value: service_name: swift_ringbuilder config_settings: + tripleo::profile::base::swift::ringbuilder::swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl} + tripleo::profile::base::swift::ringbuilder::swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl} tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild} tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas} tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower} diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 261aadeb..f1a9b930 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Swift Storage service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -55,6 +63,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} conditions: swift_mount_check: diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml index 6f92066e..e121feb3 100644 --- a/puppet/services/tacker.yaml +++ b/puppet/services/tacker.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Tacker service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -47,6 +55,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + TackerPolicies: + description: | + A hash of policies to configure for Tacker. + e.g. { tacker-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: role_data: @@ -56,15 +70,15 @@ outputs: config_settings: tacker_password: {get_param: TackerPassword} tacker::db::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://tacker:' - - {get_param: TackerPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/tacker' - - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: tacker + password: {get_param: TackerPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /tacker + query: + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo tacker::debug: {get_param: Debug} tacker::rpc_backend: rabbit @@ -75,8 +89,10 @@ outputs: tacker::server::bind_host: {get_param: [ServiceNetMap, TackerApiNetwork]} tacker::keystone::authtoken::project_name: 'service' - tacker::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - tacker::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + tacker::keystone::authtoken::user_domain_name: 'Default' + tacker::keystone::authtoken::project_domain_name: 'Default' + tacker::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + tacker::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} tacker::db::mysql::password: {get_param: TackerPassword} tacker::db::mysql::user: tacker @@ -85,10 +101,12 @@ outputs: tacker::db::mysql::allowed_hosts: - '%' - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + tacker::policy::policies: {get_param: TackerPolicies} service_config_settings: keystone: tacker::keystone::auth::tenant: 'service' + tacker::keystone::auth::region: {get_param: KeystoneRegion} tacker::keystone::auth::password: {get_param: TackerPassword} tacker::keystone::auth::public_url: {get_param: [EndpointMap, TackerPublic, uri]} tacker::keystone::auth::internal_url: {get_param: [EndpointMap, TackerInternal, uri]} diff --git a/puppet/services/time/ntp.yaml b/puppet/services/time/ntp.yaml index b14d7bcc..92c3f9ef 100644 --- a/puppet/services/time/ntp.yaml +++ b/puppet/services/time/ntp.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > NTP service deployment using puppet, this YAML file @@ -16,6 +16,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/time/timezone.yaml b/puppet/services/time/timezone.yaml index 5d0eeae3..aece02cf 100644 --- a/puppet/services/time/timezone.yaml +++ b/puppet/services/time/timezone.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Composable Timezone service @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml index 67e14d9c..9fb590ef 100644 --- a/puppet/services/tripleo-firewall.yaml +++ b/puppet/services/tripleo-firewall.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > TripleO Firewall settings @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -37,3 +45,9 @@ outputs: tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules} step_config: | include ::tripleo::firewall + upgrade_tasks: + - name: blank ipv6 rule before activating ipv6 firewall. + tags: step3 + shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables + args: + creates: /etc/sysconfig/ip6tables.n-o-upgrade diff --git a/puppet/services/tripleo-packages.yaml b/puppet/services/tripleo-packages.yaml index 737be829..2b9b8834 100644 --- a/puppet/services/tripleo-packages.yaml +++ b/puppet/services/tripleo-packages.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > TripleO Package installation settings @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set diff --git a/puppet/services/vpp.yaml b/puppet/services/vpp.yaml index 59866d39..e3e28a2f 100644 --- a/puppet/services/vpp.yaml +++ b/puppet/services/vpp.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Vpp service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -42,6 +50,16 @@ outputs: step_config: | include ::tripleo::profile::base::vpp upgrade_tasks: + - name: Check if vpp is deployed + command: systemctl is-enabled vpp + tags: common + ignore_errors: True + register: vpp_enabled + - name: "PreUpgrade step0,validation: Check service vpp is running" + shell: /usr/bin/systemctl show 'vpp' --property ActiveState | grep '\bactive\b' + when: vpp_enabled.rc == 0 + tags: step0,validation - name: Stop vpp service - tags: step2 + tags: step1 + when: vpp_enabled.rc == 0 service: name=vpp state=stopped diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml index a320f694..6bc296a3 100644 --- a/puppet/services/zaqar.yaml +++ b/puppet/services/zaqar.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Openstack Zaqar service. Shared for all Heat services. @@ -18,6 +18,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json Debug: default: '' description: Set to True to enable debugging on all services. @@ -30,7 +38,32 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + ZaqarPolicies: + description: | + A hash of policies to configure for Zaqar. + e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json + ZaqarWorkers: + type: string + description: Set the number of workers for zaqar::wsgi::apache + default: '%{::os_workers}' + EnableInternalTLS: + type: boolean + default: false + +conditions: + zaqar_workers_zero: {equals : [{get_param: ZaqarWorkers}, 0]} + +resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -38,15 +71,31 @@ outputs: value: service_name: zaqar config_settings: - zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} - zaqar::keystone::authtoken::project_name: 'service' - zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - zaqar::debug: {get_param: Debug} - zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]} - zaqar::transport::wsgi::bind: {get_param: [ServiceNetMap, ZaqarApiNetwork]} - zaqar::message_pipeline: 'zaqar.notification.notifier' - zaqar::unreliable: true + map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - zaqar::policy::policies: {get_param: ZaqarPolicies} + zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} + zaqar::keystone::authtoken::project_name: 'service' + zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + zaqar::debug: {get_param: Debug} + zaqar::server::service_name: 'httpd' + zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]} + zaqar::wsgi::apache::ssl: false + zaqar::wsgi::apache::bind_host: {get_param: [ServiceNetMap, ZaqarApiNetwork]} + zaqar::message_pipeline: 'zaqar.notification.notifier' + zaqar::unreliable: true + zaqar::wsgi::apache::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, ZaqarApiNetwork]} + - + if: + - zaqar_workers_zero + - {} + - zaqar::wsgi::apache::workers: {get_param: ZaqarWorkers} service_config_settings: keystone: zaqar::keystone::auth::password: {get_param: ZaqarPassword} @@ -65,22 +114,37 @@ outputs: step_config: | include ::tripleo::profile::base::zaqar upgrade_tasks: - - name: Check if zaqar is deployed - command: systemctl is-enabled openstack-zaqar - tags: common - ignore_errors: True - register: zaqar_enabled - - name: "PreUpgrade step0,validation: Check if openstack-zaqar is running" - shell: > - /usr/bin/systemctl show 'openstack-zaqar' --property ActiveState | - grep '\bactive\b' - when: zaqar_enabled.rc == 0 - tags: step0,validation - - name: Stop zaqar service - tags: step1 - when: zaqar_enabled.rc == 0 - service: name=openstack-zaqar state=stopped - - name: Install openstack-zaqar package if it was disabled - tags: step3 - yum: name=openstack-zaqar state=latest - when: zaqar_enabled.rc != 0 + yaql: + expression: $.data.apache_upgrade + $.data.zaqar_upgrade + data: + apache_upgrade: + get_attr: [ApacheServiceBase, role_data, upgrade_tasks] + zaqar_upgrade: + - name: Check if zaqar is deployed + command: systemctl is-enabled openstack-zaqar + tags: common + ignore_errors: True + register: zaqar_enabled + - name: "PreUpgrade step0,validation: Check if openstack-zaqar is running" + shell: > + /usr/bin/systemctl show 'openstack-zaqar' --property ActiveState | + grep '\bactive\b' + when: zaqar_enabled.rc == 0 + tags: step0,validation + - name: Check for zaqar running under apache (post upgrade) + tags: step1 + shell: "httpd -t -D DUMP_VHOSTS | grep -q zaqar_wsgi" + register: zaqar_apache + ignore_errors: true + - name: Stop zaqar service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: zaqar_apache.rc == 0 + - name: Stop and disable zaqar service (pre-upgrade not under httpd) + tags: step1 + when: zaqar_enabled.rc == 0 + service: name=openstack-zaqar state=stopped enabled=no + - name: Install openstack-zaqar package if it was disabled + tags: step3 + yum: name=openstack-zaqar state=latest + when: zaqar_enabled.rc != 0 |