summaryrefslogtreecommitdiffstats
path: root/puppet/services
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/services')
-rw-r--r--puppet/services/aodh-api.yaml18
-rw-r--r--puppet/services/apache-internal-tls-certmonger.yaml50
-rw-r--r--puppet/services/apache.yaml46
-rw-r--r--puppet/services/barbican-api.yaml144
-rw-r--r--puppet/services/ceilometer-api.yaml15
-rw-r--r--puppet/services/ceilometer-base.yaml7
-rw-r--r--puppet/services/ceph-base.yaml32
-rw-r--r--puppet/services/ceph-external.yaml34
-rw-r--r--puppet/services/ceph-mon.yaml2
-rw-r--r--puppet/services/ceph-rgw.yaml12
-rw-r--r--puppet/services/cinder-api.yaml42
-rw-r--r--puppet/services/glance-api.yaml150
-rw-r--r--puppet/services/glance-base.yaml128
-rw-r--r--puppet/services/glance-registry.yaml76
-rw-r--r--puppet/services/gnocchi-api.yaml14
-rw-r--r--puppet/services/gnocchi-statsd.yaml4
-rw-r--r--puppet/services/haproxy-internal-tls-certmonger.yaml51
-rw-r--r--puppet/services/haproxy-public-tls-certmonger.yaml37
-rw-r--r--puppet/services/haproxy.yaml51
-rw-r--r--puppet/services/heat-api-cfn.yaml14
-rw-r--r--puppet/services/heat-api.yaml14
-rw-r--r--puppet/services/heat-base.yaml5
-rw-r--r--puppet/services/heat-engine.yaml3
-rw-r--r--puppet/services/horizon.yaml71
-rw-r--r--puppet/services/keepalived.yaml17
-rw-r--r--puppet/services/kernel.yaml10
-rw-r--r--puppet/services/keystone.yaml52
-rw-r--r--puppet/services/logging/fluentd-config.yaml2
-rw-r--r--puppet/services/manila-api.yaml35
-rw-r--r--puppet/services/manila-backend-cephfs.yaml6
-rw-r--r--puppet/services/manila-backend-generic.yaml4
-rw-r--r--puppet/services/manila-backend-netapp.yaml4
-rw-r--r--puppet/services/manila-base.yaml22
-rw-r--r--puppet/services/manila-scheduler.yaml9
-rw-r--r--puppet/services/manila-share.yaml10
-rw-r--r--puppet/services/mistral-api.yaml52
-rw-r--r--puppet/services/mistral-base.yaml93
-rw-r--r--puppet/services/mistral-engine.yaml38
-rw-r--r--puppet/services/mistral-executor.yaml38
-rw-r--r--puppet/services/monitoring/sensu-base.yaml17
-rw-r--r--puppet/services/monitoring/sensu-client.yaml17
-rw-r--r--puppet/services/neutron-api.yaml48
-rw-r--r--puppet/services/neutron-base.yaml9
-rw-r--r--puppet/services/neutron-l3.yaml19
-rw-r--r--puppet/services/neutron-ovs-agent.yaml6
-rw-r--r--puppet/services/neutron-ovs-dpdk-agent.yaml2
-rw-r--r--puppet/services/neutron-plugin-ml2.yaml2
-rw-r--r--puppet/services/neutron-plugin-opencontrail.yaml2
-rw-r--r--puppet/services/nova-api.yaml97
-rw-r--r--puppet/services/nova-base.yaml94
-rw-r--r--puppet/services/nova-conductor.yaml11
-rw-r--r--puppet/services/nova-libvirt.yaml7
-rw-r--r--puppet/services/nova-metadata.yaml14
-rw-r--r--puppet/services/nova-scheduler.yaml2
-rw-r--r--puppet/services/nova-vnc-proxy.yaml5
-rw-r--r--puppet/services/opendaylight-api.yaml18
-rw-r--r--puppet/services/opendaylight-ovs.yaml17
-rw-r--r--puppet/services/pacemaker/haproxy.yaml2
-rw-r--r--puppet/services/panko-api.yaml84
-rw-r--r--puppet/services/panko-base.yaml74
-rw-r--r--puppet/services/rabbitmq.yaml2
-rw-r--r--puppet/services/sahara-base.yaml12
-rw-r--r--puppet/services/services.yaml21
-rw-r--r--puppet/services/swift-proxy.yaml15
-rw-r--r--puppet/services/swift-ringbuilder.yaml11
-rw-r--r--puppet/services/swift-storage.yaml2
-rw-r--r--puppet/services/tripleo-firewall.yaml2
67 files changed, 1547 insertions, 477 deletions
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index f4f5bad8..daed1665 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -21,11 +21,9 @@ parameters:
MonitoringSubscriptionAodhApi:
default: 'overcloud-ceilometer-aodh-api'
type: string
- EnableCombinationAlarms:
- default: false
- description: Combination alarms are deprecated in Newton, hence disabled
- by default. To enable, set this parameter to true.
+ EnableInternalTLS:
type: boolean
+ default: false
resources:
AodhBase:
@@ -41,6 +39,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
@@ -52,7 +51,7 @@ outputs:
map_merge:
- get_attr: [AodhBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- - aodh::wsgi::apache::ssl: false
+ - aodh::wsgi::apache::ssl: {get_param: EnableInternalTLS}
aodh::wsgi::apache::servername:
str_replace:
template:
@@ -60,20 +59,25 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]}
aodh::api::service_name: 'httpd'
+ aodh::api::enable_proxy_headers_parsing: true
tripleo.aodh_api.firewall_rules:
'128 aodh-api':
dport:
- 8042
- 13042
+ aodh::api::host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]}
# NOTE: bind IP is found in Heat replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- aodh::api::host: {get_param: [ServiceNetMap, AodhApiNetwork]}
aodh::wsgi::apache::bind_host: {get_param: [ServiceNetMap, AodhApiNetwork]}
- tripleo::profile::base::aodh::api::enable_combination_alarms: {get_param: EnableCombinationAlarms}
service_config_settings:
get_attr: [AodhBase, role_data, service_config_settings]
step_config: |
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..87e53f13
--- /dev/null
+++ b/puppet/services/apache-internal-tls-certmonger.yaml
@@ -0,0 +1,50 @@
+heat_template_version: 2016-10-14
+
+description: >
+ Apache service TLS configurations.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ # The following parameters are not needed by the template but are
+ # required to pass the pep8 tests
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: Role data for the Apache role.
+ value:
+ service_name: apache_internal_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ apache_certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ httpd-NETWORK:
+ service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+ hostname: "%{::fqdn_NETWORK}"
+ principal: "HTTP/%{::fqdn_NETWORK}"
+ for_each:
+ NETWORK:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # network will be handled in another template.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index c9792019..382e0ff9 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -27,6 +27,17 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+
+resources:
+
+ ApacheTLS:
+ type: OS::TripleO::Services::ApacheTLS
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
outputs:
role_data:
@@ -34,19 +45,22 @@ outputs:
value:
service_name: apache
config_settings:
- # for the given network; replacement examples (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
- apache::server_signature: 'Off'
- apache::server_tokens: 'Prod'
- apache_remote_proxy_ips_network:
- str_replace:
- template: "NETWORK_subnet"
- params:
- NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
- apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
- apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
- apache::mod::remoteip::proxy_ips:
- - "%{hiera('apache_remote_proxy_ips_network')}"
+ map_merge:
+ - get_attr: [ApacheTLS, role_data, config_settings]
+ -
+ # for the given network; replacement examples (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
+ apache::server_signature: 'Off'
+ apache::server_tokens: 'Prod'
+ apache_remote_proxy_ips_network:
+ str_replace:
+ template: "NETWORK_subnet"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
+ apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
+ apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
+ apache::mod::remoteip::proxy_ips:
+ - "%{hiera('apache_remote_proxy_ips_network')}"
diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml
new file mode 100644
index 00000000..b266674f
--- /dev/null
+++ b/puppet/services/barbican-api.yaml
@@ -0,0 +1,144 @@
+heat_template_version: 2016-04-08
+
+description: >
+ OpenStack Barbican API service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ BarbicanPassword:
+ description: The password for the barbican service account.
+ type: string
+ hidden: true
+ BarbicanWorkers:
+ description: Set the number of workers for barbican::wsgi::apache
+ default: '"%{::processorcount}"'
+ type: string
+ Debug:
+ default: ''
+ description: Set to True to enable debugging on all services.
+ type: string
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ RabbitClientPort:
+ default: 5672
+ description: Set rabbit subscriber port, change this if using SSL
+ type: number
+ RabbitClientUseSSL:
+ default: false
+ description: >
+ Rabbit client subscriber parameter to specify
+ an SSL connection to the RabbitMQ host.
+ type: string
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+resources:
+
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Barbican API role.
+ value:
+ service_name: barbican_api
+ config_settings:
+ map_merge:
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
+ - barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
+ barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+ barbican::keystone::authtoken::project_name: 'service'
+ barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
+ barbican::api::db_auto_create: false
+ barbican::api::enabled_certificate_plugins: ['simple_certificate']
+ barbican::api::logging::debug: {get_param: Debug}
+ barbican::api::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ barbican::api::rabbit_userid: {get_param: RabbitUserName}
+ barbican::api::rabbit_password: {get_param: RabbitPassword}
+ barbican::api::rabbit_port: {get_param: RabbitClientPort}
+ barbican::api::rabbit_heartbeat_timeout_threshold: 60
+ barbican::api::service_name: 'httpd'
+ barbican::wsgi::apache::bind_host: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
+ barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
+ barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
+ barbican::wsgi::apache::servername:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
+ barbican::db::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://barbican:'
+ - {get_param: BarbicanPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/barbican'
+ tripleo.barbican_api.firewall_rules:
+ '117 barbican':
+ dport:
+ - 9311
+ - 13311
+ step_config: |
+ include ::tripleo::profile::base::barbican::api
+ service_config_settings:
+ mysql:
+ barbican::db::mysql::password: {get_param: BarbicanPassword}
+ barbican::db::mysql::user: barbican
+ barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ barbican::db::mysql::dbname: barbican
+ barbican::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
+ keystone:
+ barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
+ barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
+ barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
+ barbican::keystone::auth::password: {get_param: BarbicanPassword}
+ barbican::keystone::auth::region: {get_param: KeystoneRegion}
+ barbican::keystone::auth::tenant: 'service'
+ nova_compute:
+ nova::compute::keymgr_api_class: >
+ castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+ nova::compute::barbican_endpoint:
+ get_param: [EndpointMap, BarbicanInternal, uri]
+ nova::compute::barbican_auth_endpoint:
+ get_param: [EndpointMap, KeystoneV3Internal, uri]
+ cinder_api:
+ cinder::api::keymgr_api_class: >
+ castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+ cinder::api::keymgr_encryption_api_url:
+ get_param: [EndpointMap, BarbicanInternal, uri]
+ cinder::api::keymgr_encryption_auth_url:
+ get_param: [EndpointMap, KeystoneV3Internal, uri]
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index ecea38b2..97b255a9 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -26,7 +26,9 @@ parameters:
default:
tag: openstack.ceilometer.api
path: /var/log/ceilometer/api.log
-
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
CeilometerServiceBase:
@@ -42,6 +44,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
@@ -68,9 +71,15 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- ceilometer::api::service_name: 'httpd'
- ceilometer::api::host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
+ ceilometer::api::enable_proxy_headers_parsing: true
+ ceilometer::api::host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
- ceilometer::wsgi::apache::ssl: false
+ ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS}
ceilometer::wsgi::apache::servername:
str_replace:
template:
diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml
index 4ace7526..ded1bc03 100644
--- a/puppet/services/ceilometer-base.yaml
+++ b/puppet/services/ceilometer-base.yaml
@@ -36,6 +36,12 @@ parameters:
type: string
constraints:
- allowed_values: ['gnocchi', 'database']
+ CeilometerEventDispatcher:
+ default: ['gnocchi']
+ description: Comma-separated list of Dispatchers to process events data
+ type: comma_delimited_list
+ constraints:
+ - allowed_values: ['panko', 'gnocchi', 'database']
CeilometerWorkers:
default: 0
description: Number of workers for Ceilometer service.
@@ -102,6 +108,7 @@ outputs:
ceilometer::agent::auth::auth_tenant_name: 'service'
ceilometer::agent::auth::auth_endpoint_type: 'internalURL'
ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher}
+ ceilometer::collector::event_dispatcher: {get_param: CeilometerEventDispatcher}
ceilometer::dispatcher::gnocchi::url: {get_param: [EndpointMap, GnocchiInternal, uri]}
ceilometer::dispatcher::gnocchi::filter_project: 'service'
ceilometer::dispatcher::gnocchi::archive_policy: 'low'
diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml
index ce8d9158..786e9ddd 100644
--- a/puppet/services/ceph-base.yaml
+++ b/puppet/services/ceph-base.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
Ceph base service. Shared by all Ceph services.
@@ -29,9 +29,20 @@ parameters:
GlanceRbdPoolName:
default: images
type: string
+ GlanceBackend:
+ default: swift
+ description: The short name of the Glance backend to use. Should be one
+ of swift, rbd, or file
+ type: string
+ constraints:
+ - allowed_values: ['swift', 'file', 'rbd']
GnocchiRbdPoolName:
default: metrics
type: string
+ NovaEnableRbdBackend:
+ default: false
+ description: Whether to enable or not the Rbd backend for Nova
+ type: boolean
NovaRbdPoolName:
default: vms
type: string
@@ -63,6 +74,16 @@ parameter_groups:
parameters:
- ControllerEnableCephStorage
+conditions:
+ glance_multiple_locations:
+ and:
+ - equals:
+ - get_param: GlanceBackend
+ - rbd
+ - equals:
+ - get_param: NovaEnableRbdBackend
+ - true
+
outputs:
role_data:
description: Role data for the Ceph base service.
@@ -75,6 +96,12 @@ outputs:
ceph::profile::params::manage_repo: false
ceph::profile::params::authentication_type: cephx
ceph::profile::params::fsid: {get_param: CephClusterFSID}
+ # FIXME(gfidente): we should not have to list the packages explicitly in the templates,
+ # but this has to stay until https://bugs.launchpad.net/puppet-ceph/+bug/1629933 is fixed
+ ceph::params::packages:
+ - ceph-base
+ - ceph-mon
+ - ceph-osd
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
@@ -122,3 +149,6 @@ outputs:
CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName}
GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
+ service_config_settings:
+ glance_api:
+ glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml
index 52c4824f..b708665f 100644
--- a/puppet/services/ceph-external.yaml
+++ b/puppet/services/ceph-external.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
Ceph External service.
@@ -27,9 +27,20 @@ parameters:
GlanceRbdPoolName:
default: images
type: string
+ GlanceBackend:
+ default: swift
+ description: The short name of the Glance backend to use. Should be one
+ of swift, rbd, or file
+ type: string
+ constraints:
+ - allowed_values: ['swift', 'file', 'rbd']
GnocchiRbdPoolName:
default: metrics
type: string
+ NovaEnableRbdBackend:
+ default: false
+ description: Whether to enable or not the Rbd backend for Nova
+ type: boolean
NovaRbdPoolName:
default: vms
type: string
@@ -51,6 +62,16 @@ parameters:
default: 'overcloud-ceph-external'
type: string
+conditions:
+ glance_multiple_locations:
+ and:
+ - equals:
+ - get_param: GlanceBackend
+ - rbd
+ - equals:
+ - get_param: NovaEnableRbdBackend
+ - true
+
outputs:
role_data:
description: Role data for the Ceph External service.
@@ -78,5 +99,16 @@ outputs:
CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName}
GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
+ ceph::profile::params::manage_repo: false
+ # FIXME(gfidente): we should not have to list the packages explicitly in
+ # the templates, but this should stay until the following is fixed:
+ # https://bugs.launchpad.net/puppet-ceph/+bug/1629933
+ ceph::params::packages:
+ - ceph-base
+ - ceph-mon
+ - ceph-osd
+ service_config_settings:
+ glance_api:
+ glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
step_config: |
include ::tripleo::profile::base::ceph::client
diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml
index 552086ab..3471f16c 100644
--- a/puppet/services/ceph-mon.yaml
+++ b/puppet/services/ceph-mon.yaml
@@ -101,5 +101,7 @@ outputs:
'110 ceph_mon':
dport:
- 6789
+ service_config_settings:
+ get_attr: [CephBase, role_data, service_config_settings]
step_config: |
include ::tripleo::profile::base::ceph::mon
diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml
index 18a4b780..89c1a5ee 100644
--- a/puppet/services/ceph-rgw.yaml
+++ b/puppet/services/ceph-rgw.yaml
@@ -55,15 +55,9 @@ outputs:
- tripleo::profile::base::ceph::rgw::rgw_key: {get_param: CephRgwKey}
tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken}
tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
- ceph::profile::params::frontend_type: 'civetweb'
- ceph_rgw_civetweb_bind_address: {get_param: [ServiceNetMap, CephRgwNetwork]}
- ceph::profile::params::rgw_frontends:
- list_join:
- - ''
- - - 'civetweb port='
- - '%{hiera("ceph_rgw_civetweb_bind_address")}'
- - ':'
- - {get_param: [EndpointMap, CephRgwInternal, port]}
+ tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]}
+ tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]}
+ ceph::params::user_radosgw: ceph
tripleo.ceph_rgw.firewall_rules:
'122 ceph rgw':
dport: {get_param: [EndpointMap, CephRgwInternal, port]}
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 9c96acc4..803d8b83 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Cinder API service configured with Puppet
@@ -39,9 +39,27 @@ parameters:
default:
tag: openstack.cinder.api
path: /var/log/cinder/cinder-api.log
+ CinderWorkers:
+ type: string
+ description: Set the number of workers for cinder::wsgi::apache
+ default: '"%{::os_workers}"'
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+ cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
resources:
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
CinderBase:
type: ./cinder-base.yaml
properties:
@@ -61,6 +79,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
- cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
cinder::keystone::authtoken::password: {get_param: CinderPassword}
@@ -79,12 +98,31 @@ outputs:
dport:
- 8776
- 13776
+ cinder::api::bind_host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
+ cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
+ cinder::api::service_name: 'httpd'
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- cinder::api::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
+ cinder::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
+ cinder::wsgi::apache::servername:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
+ -
+ if:
+ - cinder_workers_zero
+ - {}
+ - cinder::wsgi::apache::workers: {get_param: CinderWorkers}
step_config: |
include ::tripleo::profile::base::cinder::api
service_config_settings:
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index 80ba9aef..33abdbf9 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -18,32 +18,14 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
- CephClientUserName:
- default: openstack
- type: string
Debug:
default: ''
description: Set to True to enable debugging on all services.
type: string
- GlanceNotifierStrategy:
- description: Strategy to use for Glance notification queue
- type: string
- default: noop
- GlanceLogFile:
- description: The filepath of the file to use for logging messages from Glance.
- type: string
- default: ''
GlancePassword:
description: The password for the glance service and db account, used by the glance services.
type: string
hidden: true
- GlanceBackend:
- default: swift
- description: The short name of the Glance backend to use. Should be one
- of swift, rbd, or file
- type: string
- constraints:
- - allowed_values: ['swift', 'file', 'rbd']
GlanceWorkers:
default: ''
description: |
@@ -55,31 +37,6 @@ parameters:
memory consumption. It is recommended that a suitable non-default value
be selected on such systems.
type: string
- GlanceRbdPoolName:
- default: images
- type: string
- RabbitPassword:
- description: The password for RabbitMQ
- type: string
- hidden: true
- RabbitUserName:
- default: guest
- description: The username for RabbitMQ
- type: string
- RabbitClientPort:
- default: 5672
- description: Set rabbit subscriber port, change this if using SSL
- type: number
- RabbitClientUseSSL:
- default: false
- description: >
- Rabbit client subscriber parameter to specify
- an SSL connection to the RabbitMQ host.
- type: string
- KeystoneRegion:
- type: string
- default: 'regionOne'
- description: Keystone region for endpoint
MonitoringSubscriptionGlanceApi:
default: 'overcloud-glance-api'
type: string
@@ -89,6 +46,14 @@ parameters:
tag: openstack.glance.api
path: /var/log/glance/api.log
+resources:
+ GlanceBase:
+ type: ./glance-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
outputs:
role_data:
description: Role data for the Glance API role.
@@ -99,65 +64,46 @@ outputs:
logging_groups:
- glance
config_settings:
- glance::api::database_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://glance:'
- - {get_param: GlancePassword}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/glance'
- glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
- glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
- glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
- glance::api::registry_host:
- str_replace:
- template: "'REGISTRY_HOST'"
- params:
- REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]}
- glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] }
- glance::api::authtoken::password: {get_param: GlancePassword}
- glance::api::enable_proxy_headers_parsing: true
- glance::api::debug: {get_param: Debug}
- glance::api::workers: {get_param: GlanceWorkers}
- glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
- glance_log_file: {get_param: GlanceLogFile}
- glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] }
- glance::backend::swift::swift_store_user: service:glance
- glance::backend::swift::swift_store_key: {get_param: GlancePassword}
- glance::backend::swift::swift_store_create_container_on_put: true
- glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
- glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
- glance_backend: {get_param: GlanceBackend}
- glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName}
- glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort}
- glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword}
- glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
- glance::registry::db::database_db_max_retries: -1
- glance::registry::db::database_max_retries: -1
- tripleo.glance_api.firewall_rules:
- '112 glance_api':
- dport:
- - 9292
- - 13292
- glance::api::authtoken::project_name: 'service'
- glance::api::pipeline: 'keystone'
- glance::api::show_image_direct_url: true
- # NOTE: bind IP is found in Heat replacing the network name with the
- # local node IP for the given network; replacement examples
- # (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]}
+ map_merge:
+ - get_attr: [GlanceBase, role_data, config_settings]
+ - glance::api::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://glance:'
+ - {get_param: GlancePassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/glance'
+ glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
+ glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+ glance::api::registry_host:
+ str_replace:
+ template: "'REGISTRY_HOST'"
+ params:
+ REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]}
+ glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] }
+ glance::api::authtoken::password: {get_param: GlancePassword}
+ glance::api::enable_proxy_headers_parsing: true
+ glance::api::debug: {get_param: Debug}
+ glance::api::workers: {get_param: GlanceWorkers}
+ tripleo.glance_api.firewall_rules:
+ '112 glance_api':
+ dport:
+ - 9292
+ - 13292
+ glance::api::authtoken::project_name: 'service'
+ glance::api::pipeline: 'keystone'
+ glance::api::show_image_direct_url: true
+ # NOTE: bind IP is found in Heat replacing the network name with the
+ # local node IP for the given network; replacement examples
+ # (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]}
step_config: |
include ::tripleo::profile::base::glance::api
service_config_settings:
- keystone:
- glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
- glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
- glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
- glance::keystone::auth::password: {get_param: GlancePassword }
- glance::keystone::auth::region: {get_param: KeystoneRegion}
- glance::keystone::auth::tenant: 'service'
+ get_attr: [GlanceBase, role_data, service_config_settings]
diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml
new file mode 100644
index 00000000..cc979af9
--- /dev/null
+++ b/puppet/services/glance-base.yaml
@@ -0,0 +1,128 @@
+heat_template_version: 2016-10-14
+
+description: >
+ OpenStack Glance Common settings with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ CephClientUserName:
+ default: openstack
+ type: string
+ Debug:
+ default: ''
+ description: Set to True to enable debugging on all services.
+ type: string
+ GlanceNotifierStrategy:
+ description: Strategy to use for Glance notification queue
+ type: string
+ default: noop
+ GlanceLogFile:
+ description: The filepath of the file to use for logging messages from Glance.
+ type: string
+ default: ''
+ GlancePassword:
+ description: The password for the glance service and db account, used by the glance services.
+ type: string
+ hidden: true
+ GlanceBackend:
+ default: swift
+ description: The short name of the Glance backend to use. Should be one
+ of swift, rbd, or file
+ type: string
+ constraints:
+ - allowed_values: ['swift', 'file', 'rbd']
+ GlanceNfsEnabled:
+ default: false
+ description: >
+ When using GlanceBackend 'file', mount NFS share for image storage.
+ type: boolean
+ GlanceNfsShare:
+ default: ''
+ description: >
+ NFS share to mount for image storage (when GlanceNfsEnabled is true)
+ type: string
+ GlanceNfsOptions:
+ default: 'intr,context=system_u:object_r:glance_var_lib_t:s0'
+ description: >
+ NFS mount options for image storage (when GlanceNfsEnabled is true)
+ type: string
+ GlanceRbdPoolName:
+ default: images
+ type: string
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
+ RabbitClientPort:
+ default: 5672
+ description: Set rabbit subscriber port, change this if using SSL
+ type: number
+ RabbitClientUseSSL:
+ default: false
+ description: >
+ Rabbit client subscriber parameter to specify
+ an SSL connection to the RabbitMQ host.
+ type: string
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+
+outputs:
+ role_data:
+ description: Role data for the Glance common role.
+ value:
+ service_name: glance_base
+ config_settings:
+ glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
+ glance_log_file: {get_param: GlanceLogFile}
+ glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::backend::swift::swift_store_user: service:glance
+ glance::backend::swift::swift_store_key: {get_param: GlancePassword}
+ glance::backend::swift::swift_store_create_container_on_put: true
+ glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
+ glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
+ glance_backend: {get_param: GlanceBackend}
+ glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName}
+ glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort}
+ glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword}
+ glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ glance::notify::rabbitmq::notification_driver: messagingv2
+ glance::registry::db::database_db_max_retries: -1
+ glance::registry::db::database_max_retries: -1
+ tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled}
+ tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare}
+ tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions}
+ service_config_settings:
+ keystone:
+ glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
+ glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
+ glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
+ glance::keystone::auth::password: {get_param: GlancePassword }
+ glance::keystone::auth::region: {get_param: KeystoneRegion}
+ glance::keystone::auth::tenant: 'service'
+ mysql:
+ glance::db::mysql::password: {get_param: GlancePassword}
+ glance::db::mysql::user: glance
+ glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ glance::db::mysql::dbname: glance
+ glance::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml
index 30df67fe..c45582d4 100644
--- a/puppet/services/glance-registry.yaml
+++ b/puppet/services/glance-registry.yaml
@@ -46,6 +46,14 @@ parameters:
tag: openstack.glance.registry
path: /var/log/glance/registry.log
+resources:
+ GlanceBase:
+ type: ./glance-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
outputs:
role_data:
description: Role data for the Glance Registry role.
@@ -56,43 +64,37 @@ outputs:
logging_groups:
- glance
config_settings:
- glance::registry::database_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://glance:'
- - {get_param: GlancePassword}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/glance'
- glance::registry::authtoken::password: {get_param: GlancePassword}
- glance::registry::authtoken::project_name: 'service'
- glance::registry::pipeline: 'keystone'
- glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
- glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
- glance::registry::debug: {get_param: Debug}
- glance::registry::workers: {get_param: GlanceWorkers}
- glance::registry::db::database_db_max_retries: -1
- glance::registry::db::database_max_retries: -1
- tripleo.glance_registry.firewall_rules:
- '112 glance_registry':
- dport:
- - 9191
- # NOTE: bind IP is found in Heat replacing the network name with the
- # local node IP for the given network; replacement examples
- # (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]}
+ map_merge:
+ - get_attr: [GlanceBase, role_data, config_settings]
+
+ - glance::registry::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://glance:'
+ - {get_param: GlancePassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/glance'
+ glance::registry::authtoken::password: {get_param: GlancePassword}
+ glance::registry::authtoken::project_name: 'service'
+ glance::registry::pipeline: 'keystone'
+ glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+ glance::registry::debug: {get_param: Debug}
+ glance::registry::workers: {get_param: GlanceWorkers}
+ tripleo.glance_registry.firewall_rules:
+ '112 glance_registry':
+ dport:
+ - 9191
+ # NOTE: bind IP is found in Heat replacing the network name with the
+ # local node IP for the given network; replacement examples
+ # (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]}
step_config: |
include ::tripleo::profile::base::glance::registry
service_config_settings:
- mysql:
- glance::db::mysql::password: {get_param: GlancePassword}
- glance::db::mysql::user: glance
- glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
- glance::db::mysql::dbname: glance
- glance::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
+ get_attr: [GlanceBase, role_data, config_settings]
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index 15121790..ac15de4f 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -41,6 +41,9 @@ parameters:
default:
tag: openstack.gnocchi.api
path: /var/log/gnocchi/app.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
@@ -57,6 +60,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
@@ -77,12 +81,13 @@ outputs:
- 8041
- 13041
gnocchi::api::enabled: true
+ gnocchi::api::enable_proxy_headers_parsing: true
gnocchi::api::service_name: 'httpd'
gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
gnocchi::keystone::authtoken::project_name: 'service'
- gnocchi::wsgi::apache::ssl: false
+ gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
gnocchi::wsgi::apache::servername:
str_replace:
template:
@@ -97,7 +102,12 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]}
- gnocchi::api::host: {get_param: [ServiceNetMap, GnocchiApiNetwork]}
+ gnocchi::api::host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]}
gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml
index 04339f46..983d6c91 100644
--- a/puppet/services/gnocchi-statsd.yaml
+++ b/puppet/services/gnocchi-statsd.yaml
@@ -39,5 +39,9 @@ outputs:
config_settings:
map_merge:
- get_attr: [GnocchiServiceBase, role_data, config_settings]
+ - tripleo.gnocchi_statsd.firewall_rules:
+ '140 gnocchi-statsd':
+ dport: 8125
+ proto: 'udp'
step_config: |
include ::tripleo::profile::base::gnocchi::statsd
diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..c6d53542
--- /dev/null
+++ b/puppet/services/haproxy-internal-tls-certmonger.yaml
@@ -0,0 +1,51 @@
+heat_template_version: 2016-10-14
+
+description: >
+ HAProxy deployment with TLS enabled, powered by certmonger
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: Role data for the HAProxy internal TLS via certmonger role.
+ value:
+ service_name: haproxy_internal_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ tripleo::haproxy::use_internal_certificates: true
+ certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ haproxy-NETWORK:
+ service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem'
+ service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key'
+ hostname: "%{hiera('cloud_name_NETWORK')}"
+ postsave_cmd: "" # TODO
+ principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
+ for_each:
+ NETWORK:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # network will be handled in another template.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml
new file mode 100644
index 00000000..1551d16a
--- /dev/null
+++ b/puppet/services/haproxy-public-tls-certmonger.yaml
@@ -0,0 +1,37 @@
+heat_template_version: 2016-10-14
+
+description: >
+ HAProxy deployment with TLS enabled, powered by certmonger
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: Role data for the HAProxy public TLS via certmonger role.
+ value:
+ service_name: haproxy_public_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.pem'
+ certificates_specs:
+ haproxy-external:
+ service_pem: '/etc/pki/tls/certs/overcloud-haproxy-external.pem'
+ service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.crt'
+ service_key: '/etc/pki/tls/private/overcloud-haproxy-external.key'
+ hostname: "%{hiera('cloud_name_external')}"
+ postsave_cmd: "" # TODO
+ principal: "haproxy/%{hiera('cloud_name_external')}"
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 974928c5..c8edade5 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
HAproxy service configured with Puppet
@@ -34,20 +34,26 @@ parameters:
description: The password for Redis
type: string
hidden: true
- ControlVirtualInterface:
- default: 'br-ex'
- description: Interface where virtual ip will be assigned.
- type: string
- PublicVirtualInterface:
- default: 'br-ex'
- description: >
- Specifies the interface where the public-facing virtual ip will be assigned.
- This should be int_public when a VLAN is being used.
- type: string
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
+resources:
+
+ HAProxyPublicTLS:
+ type: OS::TripleO::Services::HAProxyPublicTLS
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+ HAProxyInternalTLS:
+ type: OS::TripleO::Services::HAProxyInternalTLS
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
outputs:
role_data:
description: Role data for the HAproxy role.
@@ -55,14 +61,19 @@ outputs:
service_name: haproxy
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
config_settings:
- tripleo.haproxy.firewall_rules:
- '107 haproxy stats':
- dport: 1993
- tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
- tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
- tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
- tripleo::haproxy::redis_password: {get_param: RedisPassword}
- tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface}
- tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface}
+ map_merge:
+ - get_attr: [HAProxyPublicTLS, role_data, config_settings]
+ - get_attr: [HAProxyInternalTLS, role_data, config_settings]
+ - tripleo.haproxy.firewall_rules:
+ '107 haproxy stats':
+ dport: 1993
+ tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
+ tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
+ tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
+ tripleo::haproxy::redis_password: {get_param: RedisPassword}
+ tripleo::profile::base::haproxy::certificates_specs:
+ map_merge:
+ - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
+ - get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
step_config: |
include ::tripleo::profile::base::haproxy
diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml
index a47fec5a..12d4a6a1 100644
--- a/puppet/services/heat-api-cfn.yaml
+++ b/puppet/services/heat-api-cfn.yaml
@@ -76,9 +76,11 @@ outputs:
include ::tripleo::profile::base::heat::api_cfn
service_config_settings:
keystone:
- heat::keystone::auth_cfn::tenant: 'service'
- heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]}
- heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]}
- heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
- heat::keystone::auth_cfn::password: {get_param: HeatPassword}
- heat::keystone::auth::region: {get_param: KeystoneRegion}
+ map_merge:
+ - get_attr: [HeatBase, role_data, service_config_settings, keystone]
+ - heat::keystone::auth_cfn::tenant: 'service'
+ heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]}
+ heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]}
+ heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
+ heat::keystone::auth_cfn::password: {get_param: HeatPassword}
+ heat::keystone::auth_cfn::region: {get_param: KeystoneRegion}
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
index 2ea96fc0..b0cd16dd 100644
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@@ -76,9 +76,11 @@ outputs:
include ::tripleo::profile::base::heat::api
service_config_settings:
keystone:
- heat::keystone::auth::tenant: 'service'
- heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]}
- heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]}
- heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
- heat::keystone::auth::password: {get_param: HeatPassword}
- heat::keystone::auth::region: {get_param: KeystoneRegion}
+ map_merge:
+ - get_attr: [HeatBase, role_data, service_config_settings, keystone]
+ - heat::keystone::auth::tenant: 'service'
+ heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]}
+ heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]}
+ heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
+ heat::keystone::auth::password: {get_param: HeatPassword}
+ heat::keystone::auth::region: {get_param: KeystoneRegion}
diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml
index 7eb58f56..a2a65d7d 100644
--- a/puppet/services/heat-base.yaml
+++ b/puppet/services/heat-base.yaml
@@ -77,3 +77,8 @@ outputs:
heat::cron::purge_deleted::destination: '/dev/null'
heat::db::database_db_max_retries: -1
heat::db::database_max_retries: -1
+ service_config_settings:
+ keystone:
+ tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'
+ tripleo::profile::base::keystone::heat_admin_user: 'heat_stack_domain_admin'
+ tripleo::profile::base::keystone::heat_admin_email: 'heat_stack_domain_admin@localhost'
diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml
index 24c36362..3f0e4105 100644
--- a/puppet/services/heat-engine.yaml
+++ b/puppet/services/heat-engine.yaml
@@ -103,3 +103,6 @@ outputs:
heat::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
+ keystone:
+ # This is needed because the keystone profile handles creating the domain
+ tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword}
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 6ea5ec4e..8eaf4044 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -24,18 +24,14 @@ parameters:
type: json
HorizonAllowedHosts:
default: '*'
- description: A list of IP/Hostname allowed to connect to horizon
+ description: A list of IP/Hostname for the server Horizon is running on.
+ Used for header checks.
type: comma_delimited_list
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
default: ''
- NeutronMechanismDrivers:
- default: 'openvswitch'
- description: |
- The mechanism drivers for the Neutron tenant network.
- type: comma_delimited_list
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
@@ -44,6 +40,10 @@ parameters:
default: 'overcloud-horizon'
type: string
+conditions:
+
+ debug_empty: {equals : [{get_param: Debug}, '']}
+
outputs:
role_data:
description: Role data for the Horizon role.
@@ -51,33 +51,36 @@ outputs:
service_name: horizon
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
- neutron::plugins::ml2::mechanism_drivers:
- str_replace:
- template: MECHANISMS
- params:
- MECHANISMS: {get_param: NeutronMechanismDrivers}
- tripleo.horizon.firewall_rules:
- '126 horizon':
- dport:
- - 80
- - 443
- horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
- horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
- horizon::vhost_extra_params:
- add_listen: false
- priority: 10
- access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
- horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
- horizon::django_debug: {get_param: Debug}
- horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
- horizon::secret_key:
- yaql:
- expression: $.data.passwords.where($ != '').first()
- data:
- passwords:
- - {get_param: HorizonSecret}
- - {get_param: [DefaultPasswords, horizon_secret]}
- memcached_ipv6: {get_param: MemcachedIPv6}
+ map_merge:
+ - horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
+ tripleo.horizon.firewall_rules:
+ '126 horizon':
+ dport:
+ - 80
+ - 443
+ horizon::disable_password_reveal: true
+ horizon::enforce_password_check: true
+ horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
+ horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
+ horizon::vhost_extra_params:
+ add_listen: false
+ priority: 10
+ access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
+ options: ['FollowSymLinks','MultiViews']
+ horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
+ horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ horizon::secret_key:
+ yaql:
+ expression: $.data.passwords.where($ != '').first()
+ data:
+ passwords:
+ - {get_param: HorizonSecret}
+ - {get_param: [DefaultPasswords, horizon_secret]}
+ memcached_ipv6: {get_param: MemcachedIPv6}
+ -
+ if:
+ - debug_empty
+ - {}
+ - horizon::django_debug: {get_param: Debug}
step_config: |
include ::tripleo::profile::base::horizon
diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml
index 2b069d67..fb0d32b6 100644
--- a/puppet/services/keepalived.yaml
+++ b/puppet/services/keepalived.yaml
@@ -19,14 +19,18 @@ parameters:
via parameter_defaults in the resource registry.
type: json
ControlVirtualInterface:
- default: 'br-ex'
- description: Interface where virtual ip will be assigned.
+ default: ''
+ description: >
+ Interface where virtual ip will be assigned. This value will be
+ automatically set by the deployment tool. Overriding here will
+ override automatic setting.
type: string
PublicVirtualInterface:
- default: 'br-ex'
+ default: ''
description: >
- Specifies the interface where the public-facing virtual ip will be assigned.
- This should be int_public when a VLAN is being used.
+ Interface where virtual ip will be assigned. This value will be
+ automatically set by the deployment tool. Overriding here will
+ override automatic setting.
type: string
MonitoringSubscriptionKeepalived:
default: 'overcloud-keepalived'
@@ -41,5 +45,8 @@ outputs:
config_settings:
tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface}
tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface}
+ tripleo.keepalived.firewall_rules:
+ '106 keepalived vrrp':
+ proto: vrrp
step_config: |
include ::tripleo::profile::base::keepalived
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 2f01578e..69898718 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -18,6 +18,10 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ KernelPidMax:
+ default: 1048576
+ description: Configures sysctl kernel.pid_max key
+ type: number
outputs:
role_data:
@@ -39,11 +43,17 @@ outputs:
net.netfilter.nf_conntrack_max:
value: 500000
# prevent neutron bridges from autoconfiguring ipv6 addresses
+ net.ipv6.conf.all.accept_ra:
+ value: 0
net.ipv6.conf.default.accept_ra:
value: 0
+ net.ipv6.conf.all.autoconf:
+ value: 0
net.ipv6.conf.default.autoconf:
value: 0
net.core.netdev_max_backlog:
value: 10000
+ kernel.pid_max:
+ value: {get_param: KernelPidMax}
step_config: |
include ::tripleo::profile::base::kernel
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index e3531636..fe023a6a 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Keystone service configured with Puppet
@@ -32,6 +32,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ KeystoneTokenProvider:
+ description: The keystone token format
+ type: string
+ default: 'uuid'
+ constraints:
+ - allowed_values: ['uuid', 'fernet']
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
@@ -83,9 +89,9 @@ parameters:
KeystoneWorkers:
type: string
description: Set the number of workers for keystone::wsgi::apache
- default: '"%{::processorcount}"'
+ default: '"%{::os_workers}"'
MonitoringSubscriptionKeystone:
- default: 'overcloud-kestone'
+ default: 'overcloud-keystone'
type: string
KeystoneCredential0:
type: string
@@ -93,11 +99,20 @@ parameters:
KeystoneCredential1:
type: string
description: The second Keystone credential key. Must be a valid key.
+ KeystoneFernetKey0:
+ type: string
+ description: The first Keystone fernet key. Must be a valid key.
+ KeystoneFernetKey1:
+ type: string
+ description: The second Keystone fernet key. Must be a valid key.
KeystoneLoggingSource:
type: json
default:
tag: openstack.keystone
path: /var/log/keystone/keystone.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
@@ -107,6 +122,10 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
+conditions:
+ keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
outputs:
role_data:
@@ -130,9 +149,12 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/keystone'
keystone::admin_token: {get_param: AdminToken}
+ keystone::admin_password: {get_param: AdminPassword}
keystone::roles::admin::password: {get_param: AdminPassword}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
+ keystone::token_provider: {get_param: KeystoneTokenProvider}
+ keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
keystone::enable_proxy_headers_parsing: true
keystone::enable_credential_setup: true
keystone::credential_keys:
@@ -140,6 +162,11 @@ outputs:
content: {get_param: KeystoneCredential0}
'/etc/keystone/credential-keys/1':
content: {get_param: KeystoneCredential1}
+ keystone::fernet_keys:
+ '/etc/keystone/fernet-keys/0':
+ content: {get_param: KeystoneFernetKey0}
+ '/etc/keystone/fernet-keys/1':
+ content: {get_param: KeystoneFernetKey1}
keystone::debug: {get_param: Debug}
keystone::rabbit_userid: {get_param: RabbitUserName}
keystone::rabbit_password: {get_param: RabbitPassword}
@@ -163,7 +190,8 @@ outputs:
ec2/driver:
value: 'keystone.contrib.ec2.backends.sql.Ec2'
keystone::service_name: 'httpd'
- keystone::wsgi::apache::ssl: false
+ keystone::enable_ssl: {get_param: EnableInternalTLS}
+ keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::servername:
str_replace:
template:
@@ -188,15 +216,25 @@ outputs:
- 13000
- 35357
- 13357
+ keystone::admin_bind_host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+ keystone::public_bind_host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
# NOTE: bind IP is found in Heat replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- # NOTE: this applies to all 4 bind IP settings below...
- keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
- keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+ # NOTE: this applies to all 2 bind IP settings below...
keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
step_config: |
diff --git a/puppet/services/logging/fluentd-config.yaml b/puppet/services/logging/fluentd-config.yaml
index e051781e..58b423fd 100644
--- a/puppet/services/logging/fluentd-config.yaml
+++ b/puppet/services/logging/fluentd-config.yaml
@@ -70,7 +70,7 @@ parameters:
- tag_pattern: '**'
type: record_transformer
record:
- nodename: '${hostname}'
+ host: '${hostname}'
- tag_pattern: 'openstack.**'
type: record_transformer
diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml
index 4d3fd47c..b4b3d480 100644
--- a/puppet/services/manila-api.yaml
+++ b/puppet/services/manila-api.yaml
@@ -51,6 +51,11 @@ outputs:
manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
manila::keystone::authtoken::project_name: 'service'
+ tripleo.manila_api.firewall_rules:
+ '150 manila':
+ dport:
+ - 8786
+ - 13786
# NOTE: bind IP is found in Heat replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
@@ -62,21 +67,15 @@ outputs:
step_config: |
include ::tripleo::profile::base::manila::api
service_config_settings:
- keystone:
- manila::keystone::auth::tenant: 'service'
- manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]}
- manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]}
- manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]}
- manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]}
- manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]}
- manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]}
- manila::keystone::auth::password: {get_param: ManilaPassword}
- manila::keystone::auth::region: {get_param: KeystoneRegion}
- mysql:
- manila::db::mysql::password: {get_param: ManilaPassword}
- manila::db::mysql::user: manila
- manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
- manila::db::mysql::dbname: manila
- manila::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
+ map_merge:
+ - get_attr: [ManilaBase, role_data, service_config_settings]
+ - keystone:
+ manila::keystone::auth::tenant: 'service'
+ manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]}
+ manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]}
+ manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]}
+ manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]}
+ manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]}
+ manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]}
+ manila::keystone::auth::password: {get_param: ManilaPassword}
+ manila::keystone::auth::region: {get_param: KeystoneRegion}
diff --git a/puppet/services/manila-backend-cephfs.yaml b/puppet/services/manila-backend-cephfs.yaml
index 89a36d21..0fc39e2a 100644
--- a/puppet/services/manila-backend-cephfs.yaml
+++ b/puppet/services/manila-backend-cephfs.yaml
@@ -19,9 +19,6 @@ parameters:
via parameter_defaults in the resource registry.
type: json
# CephFS Native backend params:
- ManilaCephFSNativeEnableBackend:
- type: boolean
- default: false
ManilaCephFSNativeBackendName:
type: string
default: cephfsnative
@@ -33,7 +30,7 @@ parameters:
default: 'cephfs'
ManilaCephFSNativeCephFSConfPath:
type: string
- default: '/etc/ceph/cephfs.conf'
+ default: '/etc/ceph/ceph.conf'
ManilaCephFSNativeCephFSAuthId:
type: string
default: 'manila'
@@ -50,7 +47,6 @@ outputs:
value:
service_name: manila_backend_cephfs
config_settings:
- manila::backend::cephfsnative::enable_backend: {get_param: ManilaCephFSNativeEnableBackend}
manila::backend::cephfsnative::title: {get_param: ManilaCephFSNativeBackendName}
manila::backend::cephfsnative::driver_handles_share_servers: {get_param: ManilaCephFSNativeDriverHandlesShareServers}
manila::backend::cephfsnative::share_backend_name: {get_param: ManilaCephFSNativeShareBackendName}
diff --git a/puppet/services/manila-backend-generic.yaml b/puppet/services/manila-backend-generic.yaml
index 5c001c82..c527666e 100644
--- a/puppet/services/manila-backend-generic.yaml
+++ b/puppet/services/manila-backend-generic.yaml
@@ -4,9 +4,6 @@ description: >
Openstack Manila generic backend.
parameters:
- ManilaGenericEnableBackend:
- type: boolean
- default: false
ManilaGenericBackendName:
type: string
default: tripleo_generic
@@ -73,7 +70,6 @@ outputs:
value:
service_name: manila_backend_generic
config_settings:
- manila_generic_enable_backend: {get_param: ManilaGenericEnableBackend}
manila::backend::generic::title: {get_param: ManilaGenericBackendName}
manila::backend::generic::driver_handles_share_servers: {get_param: ManilaGenericDriverHandlesShareServers}
manila::backend::generic::smb_template_config_path: {get_param: ManilaGenericSmbTemplateConfigPath}
diff --git a/puppet/services/manila-backend-netapp.yaml b/puppet/services/manila-backend-netapp.yaml
index c95a8da7..e6d2f250 100644
--- a/puppet/services/manila-backend-netapp.yaml
+++ b/puppet/services/manila-backend-netapp.yaml
@@ -4,9 +4,6 @@ description: >
Openstack Manila netapp backend.
parameters:
- ManilaNetappEnableBackend:
- type: boolean
- default: false
ManilaNetappDriverHandlesShareServers:
type: string
default: true
@@ -88,7 +85,6 @@ outputs:
value:
service_name: manila_backend_netapp
config_settings:
- manila_netapp_enable_backend: {get_param: ManilaNetappEnableBackend}
manila::backend::netapp::title: {get_param: ManilaNetappBackendName}
manila::backend::netapp::netapp_login: {get_param: ManilaNetappLogin}
manila::backend::netapp::driver_handles_share_servers: {get_param: ManilaNetappDriverHandlesShareServers}
diff --git a/puppet/services/manila-base.yaml b/puppet/services/manila-base.yaml
index d228577a..844bd3a3 100644
--- a/puppet/services/manila-base.yaml
+++ b/puppet/services/manila-base.yaml
@@ -40,6 +40,10 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ ManilaPassword:
+ description: The password for the manila service account.
+ type: string
+ hidden: true
outputs:
role_data:
@@ -54,3 +58,21 @@ outputs:
manila::debug: {get_param: Debug}
manila::db::database_db_max_retries: -1
manila::db::database_max_retries: -1
+ manila::sql_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://manila:'
+ - {get_param: ManilaPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/manila'
+ service_config_settings:
+ mysql:
+ manila::db::mysql::password: {get_param: ManilaPassword}
+ manila::db::mysql::user: manila
+ manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ manila::db::mysql::dbname: manila
+ manila::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/manila-scheduler.yaml b/puppet/services/manila-scheduler.yaml
index 474cc24f..d96b677b 100644
--- a/puppet/services/manila-scheduler.yaml
+++ b/puppet/services/manila-scheduler.yaml
@@ -57,14 +57,5 @@ outputs:
manila::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]}
manila::network::neutron::neutron_admin_auth_url: {get_param: [EndpointMap, NeutronAdmin, uri]}
manila::network::neutron::neutron_admin_password: {get_param: NeutronPassword}
- manila::sql_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://manila:'
- - {get_param: ManilaPassword}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/manila'
step_config: |
include ::tripleo::profile::base::manila::scheduler
diff --git a/puppet/services/manila-share.yaml b/puppet/services/manila-share.yaml
index e42d2fae..49c69fc1 100644
--- a/puppet/services/manila-share.yaml
+++ b/puppet/services/manila-share.yaml
@@ -21,6 +21,10 @@ parameters:
MonitoringSubscriptionManilaShare:
default: 'overcloud-manila-share'
type: string
+ ManilaPassword:
+ description: The password for the manila service account.
+ type: string
+ hidden: true
resources:
ManilaBase:
@@ -40,5 +44,11 @@ outputs:
map_merge:
- get_attr: [ManilaBase, role_data, config_settings]
- manila::volume::cinder::cinder_admin_tenant_name: 'service'
+ manila::keystone::authtoken::password: {get_param: ManilaPassword}
+ manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+ manila::keystone::authtoken::project_name: 'service'
+ service_config_settings:
+ get_attr: [ManilaBase, role_data, service_config_settings]
step_config: |
include ::tripleo::profile::base::manila::share
diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml
new file mode 100644
index 00000000..44d30358
--- /dev/null
+++ b/puppet/services/mistral-api.yaml
@@ -0,0 +1,52 @@
+heat_template_version: 2016-04-08
+
+description: >
+ Openstack Mistral API service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ MistralWorkers:
+ default: 1
+ description: The number of workers for the mistral-api.
+ type: number
+
+resources:
+ MistralBase:
+ type: ./mistral-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Mistral API role.
+ value:
+ service_name: mistral_api
+ config_settings:
+ map_merge:
+ - get_attr: [MistralBase, role_data, config_settings]
+ - mistral::api::api_workers: {get_param: MistralWorkers}
+ mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]}
+ tripleo.mistral_api.firewall_rules:
+ '133 mistral':
+ dport:
+ - 8989
+ - 13989
+ service_config_settings:
+ get_attr: [MistralBase, role_data, service_config_settings]
+ step_config: |
+ include ::tripleo::profile::base::mistral::api
diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml
new file mode 100644
index 00000000..a11624c0
--- /dev/null
+++ b/puppet/services/mistral-base.yaml
@@ -0,0 +1,93 @@
+heat_template_version: 2016-04-08
+
+description: >
+ Openstack Mistral base service. Shared for all Mistral services.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+ Debug:
+ default: ''
+ description: Set to True to enable debugging on all services.
+ type: string
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
+ RabbitClientUseSSL:
+ default: false
+ description: >
+ Rabbit client subscriber parameter to specify
+ an SSL connection to the RabbitMQ host.
+ type: string
+ RabbitClientPort:
+ default: 5672
+ description: Set rabbit subscriber port, change this if using SSL
+ type: number
+ MistralPassword:
+ description: The password for the Mistral service and db account, used by the Mistral services.
+ type: string
+ hidden: true
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+
+outputs:
+ role_data:
+ description: Shared role data for the Mistral services.
+ value:
+ service_name: mistral_base
+ config_settings:
+ mistral::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://mistral:'
+ - {get_param: MistralPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/mistral'
+ mistral::rabbit_userid: {get_param: RabbitUserName}
+ mistral::rabbit_password: {get_param: RabbitPassword}
+ mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ mistral::rabbit_port: {get_param: RabbitClientPort}
+ mistral::debug: {get_param: Debug}
+ mistral::keystone_password: {get_param: MistralPassword}
+ mistral::keystone_tenant: 'service'
+ mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]}
+ mistral::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+ service_config_settings:
+ keystone:
+ mistral::keystone::auth::tenant: 'service'
+ mistral::keystone::auth::public_url: {get_param: [EndpointMap, MistralPublic, uri]}
+ mistral::keystone::auth::internal_url: {get_param: [EndpointMap, MistralInternal, uri]}
+ mistral::keystone::auth::admin_url: {get_param: [EndpointMap, MistralAdmin, uri]}
+ mistral::keystone::auth::password: {get_param: MistralPassword}
+ mistral::keystone::auth::region: {get_param: KeystoneRegion}
+ mysql:
+ mistral::db::mysql::user: mistral
+ mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ mistral::db::mysql::dbname: mistral
+ mistral::db::mysql::password: {get_param: MistralPassword}
+ mistral::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/mistral-engine.yaml b/puppet/services/mistral-engine.yaml
new file mode 100644
index 00000000..10af670d
--- /dev/null
+++ b/puppet/services/mistral-engine.yaml
@@ -0,0 +1,38 @@
+heat_template_version: 2016-04-08
+
+description: >
+ Openstack Mistral Engine service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+resources:
+ MistralBase:
+ type: ./mistral-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Mistral Engine role.
+ value:
+ service_name: mistral_engine
+ config_settings:
+ get_attr: [MistralBase, role_data, config_settings]
+ step_config: |
+ include ::tripleo::profile::base::mistral::engine
diff --git a/puppet/services/mistral-executor.yaml b/puppet/services/mistral-executor.yaml
new file mode 100644
index 00000000..7afaf0db
--- /dev/null
+++ b/puppet/services/mistral-executor.yaml
@@ -0,0 +1,38 @@
+heat_template_version: 2016-04-08
+
+description: >
+ Openstack Mistral API service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+resources:
+ MistralBase:
+ type: ./mistral-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Mistral Executor role.
+ value:
+ service_name: mistral_executor
+ config_settings:
+ get_attr: [MistralBase, role_data, config_settings]
+ step_config: |
+ include ::tripleo::profile::base::mistral::executor
diff --git a/puppet/services/monitoring/sensu-base.yaml b/puppet/services/monitoring/sensu-base.yaml
index d7350d07..e5762328 100644
--- a/puppet/services/monitoring/sensu-base.yaml
+++ b/puppet/services/monitoring/sensu-base.yaml
@@ -43,7 +43,19 @@ parameters:
description: The RabbitMQ vhost used for monitoring purposes.
type: string
default: '/sensu'
-
+ SensuRedactVariables:
+ description: Variables from Sensu configuration, which have to be redacted.
+ type: array
+ default:
+ - password
+ - passwd
+ - pass
+ - api_key
+ - api_token
+ - access_key
+ - secret_key
+ - private_key
+ - secret
outputs:
role_data:
@@ -61,8 +73,7 @@ outputs:
sensu::rabbitmq_ssl: {get_param: MonitoringRabbitUseSSL}
sensu::rabbitmq_user: {get_param: MonitoringRabbitUserName}
sensu::rabbitmq_vhost: {get_param: MonitoringRabbitVhost}
- #sensu::redis_host: {get_param: MonitoringRedisHost}
- #sensu::redis_password: {get_param: MonitoringRedisPassword}
+ sensu::redact: {get_param: SensuRedactVariables}
sensu::sensu_plugin_provider: 'yum'
sensu::sensu_plugin_name: 'rubygem-sensu-plugin'
sensu::version: 'present'
diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml
index 3f37e750..a26c7458 100644
--- a/puppet/services/monitoring/sensu-client.yaml
+++ b/puppet/services/monitoring/sensu-client.yaml
@@ -18,6 +18,13 @@ parameters:
Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ AdminPassword:
+ description: Keystone admin user password
+ type: string
+ KeystoneRegion:
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ type: string
SensuClientCustomConfig:
default: {}
description: Hash containing custom sensu-client variables.
@@ -44,6 +51,14 @@ outputs:
- sensu::api: false
sensu::client: true
sensu::server: false
- sensu::client_custom: {get_param: SensuClientCustomConfig}
+ sensu::client_custom:
+ map_merge:
+ - {get_param: SensuClientCustomConfig}
+ - openstack:
+ username: 'admin'
+ password: {get_param: AdminPassword}
+ auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ tenant_name: 'admin'
+ region: {get_param: KeystoneRegion}
step_config: |
include ::tripleo::profile::base::monitoring::sensu
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index 3b531ab3..5fd9d7a2 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -57,26 +57,20 @@ parameters:
default:
tag: openstack.neutron.api
path: /var/log/neutron/server.log
- ControllerCount:
- description: |
- Under normal conditions, this should not be overridden manually and is
- set at deployment time. The default value is present to allow the
- template to be used in environments that do not override it.
- default: 1
- type: number
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
NeutronL3HA:
- default: false
+ default: ''
+ type: string
description: |
- Whether to enable HA for virtual routers. While the default value is
- 'false', L3 HA will be automatically enabled if the number of nodes
- hosting controller configurations and DVR is disabled. This parameter is
- being deprecated in Newton and is scheduled to be removed in Ocata.
- Future releases will enable L3 HA by default if it is appropriate for the
- deployment type. Alternate mechanisms will be available to override.
- type: boolean
+ Whether to enable HA for virtual routers. When not set, L3 HA will be
+ automatically enabled if the number of nodes hosting controller
+ configurations and DVR is disabled. Valid values are 'true' or 'false'
+ This parameter is being deprecated in Newton and is scheduled to be
+ removed in Ocata. Future releases will enable L3 HA by default if it is
+ appropriate for the deployment type. Alternate mechanisms will be
+ available to override.
parameter_groups:
- label: deprecated
@@ -97,18 +91,6 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
-conditions:
-
- auto_enable_l3_ha:
- and:
- - not:
- equals:
- - get_param: ControllerCount
- - 1
- - equals:
- - get_param: NeutronEnableDVR
- - false
-
outputs:
role_data:
description: Role data for the Neutron Server agent service.
@@ -135,7 +117,7 @@ outputs:
neutron::server::api_workers: {get_param: NeutronWorkers}
neutron::server::rpc_workers: {get_param: NeutronWorkers}
neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
- neutron::server::l3_ha: {if: ["auto_enable_l3_ha", true, {get_param: NeutronL3HA}]}
+ neutron::server::enable_proxy_headers_parsing: true
neutron::keystone::authtoken::password: {get_param: NeutronPassword}
neutron::server::notifications::nova_url: { get_param: [ EndpointMap, NovaInternal, uri ] }
@@ -145,16 +127,11 @@ outputs:
neutron::server::notifications::password: {get_param: NovaPassword}
neutron::keystone::authtoken::project_name: 'service'
neutron::server::sync_db: true
- tripleo.neutron_server.firewall_rules:
- '114 neutron server':
+ tripleo.neutron_api.firewall_rules:
+ '114 neutron api':
dport:
- 9696
- 13696
- '118 neutron vxlan networks':
- proto: 'udp'
- dport: 4789
- '106 vrrp':
- proto: vrrp
neutron::server::router_distributed: {get_param: NeutronEnableDVR}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
@@ -162,6 +139,7 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+ tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA}
step_config: |
include tripleo::profile::base::neutron::server
service_config_settings:
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index 32d50d41..0b2cef07 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@@ -33,7 +33,7 @@ parameters:
from neutron.core_plugins namespace.
type: string
NeutronServicePlugins:
- default: "router,qos"
+ default: "router,qos,trunk"
description: |
Comma-separated list of service plugin entrypoints to be loaded from the
neutron.service_plugins namespace.
@@ -50,16 +50,13 @@ parameters:
to false may result in configuration remnants after updates/upgrades.
NeutronGlobalPhysnetMtu:
type: number
- default: 1496
+ default: 1500
description: |
MTU of the underlying physical network. Neutron uses this value to
calculate MTU for all virtual network components. For flat and VLAN
networks, neutron uses this value without modification. For overlay
networks such as VXLAN, neutron automatically subtracts the overlay
- protocol overhead from this value. The default value of 1496 is
- currently in effect to compensate for some additional overhead when
- deploying with some network configurations (e.g. network isolation over
- single network interfaces)
+ protocol overhead from this value.
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml
index 9e223374..a2157555 100644
--- a/puppet/services/neutron-l3.yaml
+++ b/puppet/services/neutron-l3.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Neutron L3 agent configured with Puppet
@@ -43,6 +43,10 @@ parameters:
tag: openstack.neutron.agent.l3
path: /var/log/neutron/l3-agent.log
+conditions:
+
+ external_network_bridge_empty: {equals : [{get_param: NeutronExternalNetworkBridge}, "''"]}
+
resources:
NeutronBase:
@@ -63,9 +67,16 @@ outputs:
- neutron
config_settings:
map_merge:
- - get_attr: [NeutronBase, role_data, config_settings]
+ - get_attr: [NeutronBase, role_data, config_settings]
+ - neutron::agents::l3::router_delete_namespaces: True
+ neutron::agents::l3::agent_mode: {get_param: NeutronL3AgentMode}
+ tripleo.neutron_l3.firewall_rules:
+ '106 neutron_l3 vrrp':
+ proto: vrrp
+ -
+ if:
+ - external_network_bridge_empty
+ - {}
- neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge}
- neutron::agents::l3::router_delete_namespaces: True
- neutron::agents::l3::agent_mode : {get_param: NeutronL3AgentMode}
step_config: |
include tripleo::profile::base::neutron::l3
diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml
index cbe65638..cca0deee 100644
--- a/puppet/services/neutron-ovs-agent.yaml
+++ b/puppet/services/neutron-ovs-agent.yaml
@@ -117,5 +117,11 @@ outputs:
# internal_api_subnet - > IP/CIDR
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver}
+ tripleo.neutron_ovs_agent.firewall_rules:
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '136 neutron gre networks':
+ proto: 'gre'
step_config: |
include ::tripleo::profile::base::neutron::ovs
diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml
index cc772c9d..fdfa1c03 100644
--- a/puppet/services/neutron-ovs-dpdk-agent.yaml
+++ b/puppet/services/neutron-ovs-dpdk-agent.yaml
@@ -22,7 +22,7 @@ parameters:
description: List of cores to be used for DPDK Poll Mode Driver
type: string
constraints:
- - allowed_pattern: "[0-9,-]+"
+ - allowed_pattern: "'[0-9,-]+'"
NeutronDpdkMemoryChannels:
description: Number of memory channels to be used for DPDK
type: string
diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml
index 17e8bca1..5dbae3dc 100644
--- a/puppet/services/neutron-plugin-ml2.yaml
+++ b/puppet/services/neutron-plugin-ml2.yaml
@@ -33,7 +33,7 @@ parameters:
default: 'datacentre'
description: If set, flat networks to configure in neutron plugins.
NeutronPluginExtensions:
- default: "qos,port_security,trunk"
+ default: "qos,port_security"
description: |
Comma-separated list of extensions enabled for the Neutron plugin.
type: comma_delimited_list
diff --git a/puppet/services/neutron-plugin-opencontrail.yaml b/puppet/services/neutron-plugin-opencontrail.yaml
index 4e294965..098c9d05 100644
--- a/puppet/services/neutron-plugin-opencontrail.yaml
+++ b/puppet/services/neutron-plugin-opencontrail.yaml
@@ -59,7 +59,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions
+ - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions,/usr/lib/python2.7/site-packages/neutron_lbaas/extensions
neutron::plugins::opencontrail::api_server_ip: {get_param: ContrailApiServerIp}
neutron::plugins::opencontrail::api_server_port: {get_param: ContrailApiServerPort}
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index b2ec0038..49bd84bc 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Nova API service configured with Puppet
@@ -51,8 +51,22 @@ parameters:
default:
tag: openstack.nova.api
path: /var/log/nova/nova-api.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+ nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
resources:
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
NovaBase:
type: ./nova-base.yaml
properties:
@@ -71,40 +85,55 @@ outputs:
- nova
config_settings:
map_merge:
- - get_attr: [NovaBase, role_data, config_settings]
+ - get_attr: [NovaBase, role_data, config_settings]
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
+ - nova::cron::archive_deleted_rows::hour: '"*/12"'
+ nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+ tripleo.nova_api.firewall_rules:
+ '113 nova_api':
+ dport:
+ - 8773
+ - 3773
+ - 8774
+ - 13774
+ - 8775
+ nova::keystone::authtoken::project_name: 'service'
+ nova::keystone::authtoken::password: {get_param: NovaPassword}
+ nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+ nova::api::enabled: true
+ nova::api::default_floating_pool: 'public'
+ nova::api::sync_db_api: true
+ nova::api::enable_proxy_headers_parsing: true
+ nova::api::api_bind_address:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
+ nova::api::service_name: 'httpd'
+ nova::wsgi::apache::ssl: {get_param: EnableInternalTLS}
+ # NOTE: bind IP is found in Heat replacing the network name with the local node IP
+ # for the given network; replacement examples (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]}
+ nova::wsgi::apache::servername:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
+ nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
+ nova::api::instance_name_template: {get_param: InstanceNameTemplate}
+ nova_enable_db_purge: {get_param: NovaEnableDBPurge}
+ -
+ if:
+ - nova_workers_zero
+ - {}
- nova::api::osapi_compute_workers: {get_param: NovaWorkers}
- nova::api::metadata_workers: {get_param: NovaWorkers}
- nova::cron::archive_deleted_rows::hour: '"*/12"'
- nova::cron::archive_deleted_rows::destination: '"/dev/null"'
- tripleo.nova_api.firewall_rules:
- '113 nova_api':
- dport:
- - 6080
- - 13080
- - 8773
- - 3773
- - 8774
- - 13774
- - 8775
- nova::keystone::authtoken::project_name: 'service'
- nova::keystone::authtoken::password: {get_param: NovaPassword}
- nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
- nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
- nova::api::enabled: true
- nova::api::default_floating_pool: 'public'
- nova::api::sync_db_api: true
- nova::api::enable_proxy_headers_parsing: true
- # NOTE: bind IP is found in Heat replacing the network name with the local node IP
- # for the given network; replacement examples (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]}
- nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
- nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
- nova::api::instance_name_template: {get_param: InstanceNameTemplate}
- nova_enable_db_purge: {get_param: NovaEnableDBPurge}
-
+ nova::wsgi::apache::workers: {get_param: NovaWorkers}
step_config: |
include tripleo::profile::base::nova::api
service_config_settings:
diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml
index 8db00d8f..74a95d20 100644
--- a/puppet/services/nova-base.yaml
+++ b/puppet/services/nova-base.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Nova base service. Shared for all Nova services.
@@ -66,6 +66,9 @@ parameters:
type: string
description: Nova Compute upgrade level
default: ''
+conditions:
+
+ compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
outputs:
role_data:
@@ -73,45 +76,50 @@ outputs:
value:
service_name: nova_base
config_settings:
- nova::rabbit_password: {get_param: RabbitPassword}
- nova::rabbit_userid: {get_param: RabbitUserName}
- nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
- nova::rabbit_port: {get_param: RabbitClientPort}
- nova::database_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://nova:'
- - {get_param: NovaPassword}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/nova'
- nova::api_database_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://nova_api:'
- - {get_param: NovaPassword}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/nova_api'
- nova::debug: {get_param: Debug}
- nova::purge_config: {get_param: EnableConfigPurge}
- nova::network::neutron::neutron_project_name: 'service'
- nova::network::neutron::neutron_username: 'neutron'
- nova::network::neutron::dhcp_domain: ''
- nova::network::neutron::neutron_password: {get_param: NeutronPassword}
- nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]}
- nova::network::neutron::neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]}
- nova::rabbit_heartbeat_timeout_threshold: 60
- nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL'
- nova::host: '"%{::fqdn}"' # NOTE: extra quoting is needed.
- nova::notify_on_state_change: 'vm_and_task_state'
- nova::notification_driver: messagingv2
- nova::network::neutron::neutron_auth_type: 'v3password'
- nova::db::database_db_max_retries: -1
- nova::db::database_max_retries: -1
- nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
- nova::use_ipv6: {get_param: NovaIPv6}
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
- nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge}
+ map_merge:
+ - nova::rabbit_password: {get_param: RabbitPassword}
+ nova::rabbit_userid: {get_param: RabbitUserName}
+ nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ nova::rabbit_port: {get_param: RabbitClientPort}
+ nova::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://nova:'
+ - {get_param: NovaPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/nova'
+ nova::api_database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://nova_api:'
+ - {get_param: NovaPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/nova_api'
+ nova::debug: {get_param: Debug}
+ nova::purge_config: {get_param: EnableConfigPurge}
+ nova::network::neutron::neutron_project_name: 'service'
+ nova::network::neutron::neutron_username: 'neutron'
+ nova::network::neutron::dhcp_domain: ''
+ nova::network::neutron::neutron_password: {get_param: NeutronPassword}
+ nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]}
+ nova::network::neutron::neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]}
+ nova::rabbit_heartbeat_timeout_threshold: 60
+ nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL'
+ nova::host: '"%{::fqdn}"' # NOTE: extra quoting is needed.
+ nova::notify_on_state_change: 'vm_and_task_state'
+ nova::notification_driver: messagingv2
+ nova::network::neutron::neutron_auth_type: 'v3password'
+ nova::db::database_db_max_retries: -1
+ nova::db::database_max_retries: -1
+ nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
+ nova::use_ipv6: {get_param: NovaIPv6}
+ nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge}
+ -
+ if:
+ - compute_upgrade_level_empty
+ - {}
+ - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml
index 2671cdd3..a10d9560 100644
--- a/puppet/services/nova-conductor.yaml
+++ b/puppet/services/nova-conductor.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Nova Conductor service configured with Puppet
@@ -31,6 +31,9 @@ parameters:
tag: openstack.nova.scheduler
path: /var/log/nova/nova-scheduler.log
+conditions:
+ nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
+
resources:
NovaBase:
type: ./nova-base.yaml
@@ -50,7 +53,11 @@ outputs:
- nova
config_settings:
map_merge:
- - get_attr: [NovaBase, role_data, config_settings]
+ - get_attr: [NovaBase, role_data, config_settings]
+ -
+ if:
+ - nova_workers_zero
+ - {}
- nova::conductor::workers: {get_param: NovaWorkers}
step_config: |
include tripleo::profile::base::nova::conductor
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index b5ca2437..70774bac 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -50,6 +50,13 @@ outputs:
tripleo::profile::base::nova::libvirt_enabled: true
nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
+ tripleo.nova_libvirt.firewall_rules:
+ '200 nova_libvirt':
+ dport:
+ - 16509
+ - 16514
+ - '49152-49215'
+ - '5900-5999'
step_config: |
include tripleo::profile::base::nova::libvirt
diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml
index 92373c56..40931da6 100644
--- a/puppet/services/nova-metadata.yaml
+++ b/puppet/services/nova-metadata.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Nova API service configured with Puppet
@@ -23,12 +23,20 @@ parameters:
description: Number of workers for Nova API service.
type: number
+conditions:
+ nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
+
outputs:
role_data:
description: Role data for the Nova Metadata service.
value:
service_name: nova_metadata
config_settings:
- nova::api::metadata_workers: {get_param: NovaWorkers}
- nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+ map_merge:
+ - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+ -
+ if:
+ - nova_workers_zero
+ - {}
+ - nova::api::metadata_workers: {get_param: NovaWorkers}
step_config: ""
diff --git a/puppet/services/nova-scheduler.yaml b/puppet/services/nova-scheduler.yaml
index d89e3e11..d4e5fff6 100644
--- a/puppet/services/nova-scheduler.yaml
+++ b/puppet/services/nova-scheduler.yaml
@@ -58,7 +58,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- - nova::scheduler::filter::ram_allocation_ratio: '1.0'
+ - nova::ram_allocation_ratio: '1.0'
nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters}
nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters}
step_config: |
diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml
index 85d59ae6..e6b0703f 100644
--- a/puppet/services/nova-vnc-proxy.yaml
+++ b/puppet/services/nova-vnc-proxy.yaml
@@ -57,5 +57,10 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]}
+ tripleo.nova_vnc_proxy.firewall_rules:
+ '137 nova_vnc_proxy':
+ dport:
+ - 6080
+ - 13080
step_config: |
include tripleo::profile::base::nova::vncproxy
diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml
index d2ee036e..253d63ef 100644
--- a/puppet/services/opendaylight-api.yaml
+++ b/puppet/services/opendaylight-api.yaml
@@ -8,10 +8,6 @@ parameters:
default: 8081
description: Set opendaylight service port
type: number
- EnableOpenDaylightOnController:
- default: false
- description: Whether to install OpenDaylight on control nodes.
- type: boolean
OpenDaylightUsername:
default: 'admin'
description: The username for the opendaylight server.
@@ -33,14 +29,6 @@ parameters:
description: List of features to install with ODL
type: comma_delimited_list
default: ["odl-netvirt-openstack","odl-netvirt-ui"]
- OpenDaylightConnectionProtocol:
- description: L7 protocol used for REST access
- type: string
- default: 'http'
- OpenDaylightCheckURL:
- description: URL postfix to verify ODL has finished starting up
- type: string
- default: 'restconf/operational/network-topology:network-topology/topology/netvirt:1'
OpenDaylightApiVirtualIP:
type: string
default: ''
@@ -66,15 +54,11 @@ outputs:
service_name: opendaylight_api
config_settings:
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
- odl_on_controller: {get_param: EnableOpenDaylightOnController}
- opendaylight_check_url: {get_param: OpenDaylightCheckURL}
opendaylight::username: {get_param: OpenDaylightUsername}
opendaylight::password: {get_param: OpenDaylightPassword}
opendaylight::enable_l3: {get_param: OpenDaylightEnableL3}
opendaylight::extra_features: {get_param: OpenDaylightFeatures}
opendaylight::enable_dhcp: {get_param: OpenDaylightEnableDHCP}
- opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
- opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpenDaylightApiNetwork]}
+ opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
step_config: |
include tripleo::profile::base::neutron::opendaylight
- include tripleo::profile::base::neutron::plugins::ovs::opendaylight
diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml
index 8bcb72f7..907ecddc 100644
--- a/puppet/services/opendaylight-ovs.yaml
+++ b/puppet/services/opendaylight-ovs.yaml
@@ -19,6 +19,11 @@ parameters:
OpenDaylightApiVirtualIP:
type: string
default: ''
+ OpenDaylightProviderMappings:
+ description: Mappings between logical networks and physical interfaces.
+ Required for VLAN deployments. For example physnet1 -> eth1.
+ type: comma_delimited_list
+ default: "datacentre:br-ex"
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
@@ -43,5 +48,17 @@ outputs:
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
+ neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
+ neutron::plugins::ovs::opendaylight::provider_mappings:
+ str_replace:
+ template: MAPPINGS
+ params:
+ MAPPINGS: {get_param: OpenDaylightProviderMappings}
+ tripleo.opendaylight_ovs.firewall_rules:
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '136 neutron gre networks':
+ proto: 'gre'
step_config: |
include tripleo::profile::base::neutron::plugins::ovs::opendaylight
diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml
index 52104a71..e4115d64 100644
--- a/puppet/services/pacemaker/haproxy.yaml
+++ b/puppet/services/pacemaker/haproxy.yaml
@@ -38,7 +38,5 @@ outputs:
- get_attr: [LoadbalancerServiceBase, role_data, config_settings]
- tripleo::haproxy::haproxy_service_manage: false
tripleo::haproxy::mysql_clustercheck: true
- enable_keepalived: false
- tripleo::haproxy::keepalived: false
step_config: |
include ::tripleo::profile::pacemaker::haproxy
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
new file mode 100644
index 00000000..63f631a0
--- /dev/null
+++ b/puppet/services/panko-api.yaml
@@ -0,0 +1,84 @@
+heat_template_version: 2016-04-08
+
+description: >
+ OpenStack Panko API service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ MonitoringSubscriptionPankoApi:
+ default: 'overcloud-ceilometer-panko-api'
+ type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+resources:
+ PankoBase:
+ type: ./panko-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
+outputs:
+ role_data:
+ description: Role data for the Panko API service.
+ value:
+ service_name: panko_api
+ monitoring_subscription: {get_param: MonitoringSubscriptionPankoApi}
+ config_settings:
+ map_merge:
+ - get_attr: [PankoBase, role_data, config_settings]
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
+ - panko::wsgi::apache::ssl: {get_param: EnableInternalTLS}
+ panko::wsgi::apache::servername:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]}
+ panko::api::service_name: 'httpd'
+ panko::api::enable_proxy_headers_parsing: true
+ tripleo.panko_api.firewall_rules:
+ '140 panko-api':
+ dport:
+ - 8779
+ - 13779
+ panko::api::host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]}
+ # NOTE: bind IP is found in Heat replacing the network name with the
+ # local node IP for the given network; replacement examples
+ # (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ panko::wsgi::apache::bind_host: {get_param: [ServiceNetMap, PankoApiNetwork]}
+ service_config_settings:
+ get_attr: [PankoBase, role_data, service_config_settings]
+ step_config: |
+ include tripleo::profile::base::panko::api
diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml
new file mode 100644
index 00000000..32754a55
--- /dev/null
+++ b/puppet/services/panko-base.yaml
@@ -0,0 +1,74 @@
+heat_template_version: 2016-04-08
+
+description: >
+ OpenStack Panko service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ PankoPassword:
+ description: The password for the panko services.
+ type: string
+ hidden: true
+ Debug:
+ default: ''
+ description: Set to True to enable debugging on all services.
+ type: string
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+
+outputs:
+ role_data:
+ description: Role data for the Panko role.
+ value:
+ service_name: panko_base
+ config_settings:
+ panko_redis_password: {get_param: RedisPassword}
+ panko::db::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://panko:'
+ - {get_param: PankoPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/panko'
+ panko::debug: {get_param: Debug}
+ panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+ panko::keystone::authtoken::project_name: 'service'
+ panko::keystone::authtoken::password: {get_param: PankoPassword}
+ panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+ panko::auth::auth_password: {get_param: PankoPassword}
+ panko::auth::auth_region: 'regionOne'
+ panko::auth::auth_tenant_name: 'service'
+ service_config_settings:
+ keystone:
+ panko::keystone::auth::public_url: {get_param: [EndpointMap, PankoPublic, uri]}
+ panko::keystone::auth::internal_url: {get_param: [EndpointMap, PankoInternal, uri]}
+ panko::keystone::auth::admin_url: {get_param: [EndpointMap, PankoAdmin, uri]}
+ panko::keystone::auth::password: {get_param: PankoPassword}
+ panko::keystone::auth::region: {get_param: KeystoneRegion}
+ panko::keystone::auth::tenant: 'service'
+ mysql:
+ panko::db::mysql::user: panko
+ panko::db::mysql::password: {get_param: PankoPassword}
+ panko::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ panko::db::mysql::dbname: panko
+ panko::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 5387529d..44a09a42 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -71,6 +71,7 @@ outputs:
rabbitmq::port: '5672'
rabbitmq::package_source: undef
rabbitmq::repos_ensure: false
+ rabbitmq::tcp_keepalive: true
rabbitmq_environment:
RABBITMQ_NODENAME: "rabbit@%{::hostname}"
RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"'
@@ -78,7 +79,6 @@ outputs:
inet_dist_listen_min: '25672'
inet_dist_listen_max: '25672'
rabbitmq_config_variables:
- tcp_listen_options: '[binary, {packet, raw}, {reuseaddr, true}, {backlog, 128}, {nodelay, true}, {exit_on_close, false}, {keepalive, true}]'
cluster_partition_handling: 'pause_minority'
queue_master_locator: '<<"min-masters">>'
loopback_users: '[]'
diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml
index 5fc8ed61..4072a150 100644
--- a/puppet/services/sahara-base.yaml
+++ b/puppet/services/sahara-base.yaml
@@ -44,6 +44,10 @@ parameters:
type: string
default: ''
description: Set to True to enable debugging on all services.
+ SaharaPlugins:
+ default: ["ambari","cdh","mapr","vanilla","spark","storm"]
+ description: Sahara enabled plugin list
+ type: comma_delimited_list
outputs:
role_data:
@@ -69,13 +73,7 @@ outputs:
sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
sahara::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
sahara::use_neutron: true
- sahara::plugins:
- - ambari
- - cdh
- - mapr
- - vanilla
- - spark
- - storm
+ sahara::plugins: {get_param: SaharaPlugins}
sahara::rpc_backend: rabbit
sahara::admin_tenant_name: 'service'
sahara::db::database_db_max_retries: -1
diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml
index 7b5fa40c..ffe2d2d4 100644
--- a/puppet/services/services.yaml
+++ b/puppet/services/services.yaml
@@ -54,8 +54,8 @@ outputs:
data: {s_names: {get_attr: [ServiceChain, role_data, service_name]}}
monitoring_subscriptions:
yaql:
- expression: list($.data.where($ != null).select($.get('monitoring_subscription')).where($ != null))
- data: {get_attr: [ServiceChain, role_data]}
+ expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
logging_sources:
# Transform the individual logging_source configuration from
# each service in the chain into a global list, adding some
@@ -78,8 +78,9 @@ outputs:
sources:
- {get_attr: [LoggingConfiguration, LoggingDefaultSources]}
- yaql:
- expression: list($.data.where($ != null).select($.get('logging_sources')).where($ != null))
- data: {get_attr: [ServiceChain, role_data]}
+ expression: list($.data.role_data.where($ != null).select($.get('logging_source')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
+
- {get_attr: [LoggingConfiguration, LoggingExtraSources]}
default_format: {get_attr: [LoggingConfiguration, LoggingDefaultFormat]}
pos_file_path: {get_attr: [LoggingConfiguration, LoggingPosFilePath]}
@@ -93,17 +94,17 @@ outputs:
groups:
- [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}]
- yaql:
- expression: list($.data.where($ != null).select($.get('logging_groups')).where($ != null))
- data: {get_attr: [ServiceChain, role_data]}
+ expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
- [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}]
config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}}
global_config_settings:
map_merge:
yaql:
- expression: list($.data.where($ != null).select($.get('global_config_settings')).where($ != null))
- data: {get_attr: [ServiceChain, role_data]}
+ expression: list($.data.role_data.where($ != null).select($.get('global_config_settings')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
service_config_settings:
yaql:
- expression: $.data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {})
- data: {get_attr: [ServiceChain, role_data]}
+ expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {})
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
step_config: {list_join: ["\n", {get_attr: [ServiceChain, role_data, step_config]}]}
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 8b990bcd..129f9b10 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -41,6 +41,14 @@ parameters:
MonitoringSubscriptionSwiftProxy:
default: 'overcloud-swift-proxy'
type: string
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
resources:
SwiftBase:
@@ -66,6 +74,10 @@ outputs:
swift::proxy::authtoken::project_name: 'service'
swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
swift::proxy::workers: {get_param: SwiftWorkers}
+ swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName}
+ swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
+ swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
+ swift::proxy::ceilometer::nonblocking_notify: true
tripleo.swift_proxy.firewall_rules:
'122 swift proxy':
dport:
@@ -75,6 +87,7 @@ outputs:
- admin
- swiftoperator
- ResellerAdmin
+ swift::proxy::versioned_writes::allow_versioned_writes: true
swift::proxy::pipeline:
- 'catch_errors'
- 'healthcheck'
@@ -87,6 +100,8 @@ outputs:
- 'authtoken'
- 'keystone'
- 'staticweb'
+ - 'versioned_writes'
+ - 'ceilometer'
- 'proxy-logging'
- 'proxy-server'
swift::proxy::account_autocreate: true
diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml
index e151d185..5c70b6ab 100644
--- a/puppet/services/swift-ringbuilder.yaml
+++ b/puppet/services/swift-ringbuilder.yaml
@@ -38,7 +38,10 @@ parameters:
default: {}
description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
type: json
-
+ SwiftUseLocalDir:
+ default: true
+ description: 'Use a local directory for Swift storage services when building rings'
+ type: boolean
outputs:
role_data:
@@ -48,18 +51,18 @@ outputs:
config_settings:
tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild}
tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas}
+ tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower}
+ tripleo::profile::base::swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours}
tripleo::profile::base::swift::ringbuilder::raw_disk_prefix: 'r1z1-'
tripleo::profile::base::swift::ringbuilder::raw_disks:
yaql:
expression: $.data.raw_disk_lists.flatten()
data:
raw_disk_lists:
- - [':%PORT%/d1']
+ - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]}
- repeat:
template: ':%PORT%/DEVICE'
for_each:
DEVICE: {get_param: SwiftRawDisks}
- swift::ringbuilder::part_power: {get_param: SwiftPartPower}
- swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours}
step_config: |
include ::tripleo::profile::base::swift::ringbuilder
diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml
index 7fbb8d90..cffe78f5 100644
--- a/puppet/services/swift-storage.yaml
+++ b/puppet/services/swift-storage.yaml
@@ -86,7 +86,7 @@ outputs:
swift::storage::all::account_pipeline:
- healthcheck
- account-server
- swift::storage::disks: {get_param: SwiftRawDisks}
+ swift::storage::disks::args: {get_param: SwiftRawDisks}
swift::storage::all::storage_local_net_ip: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
step_config: |
include ::tripleo::profile::base::swift::storage
diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml
index f6ec458f..7eb39905 100644
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@@ -19,7 +19,7 @@ parameters:
via parameter_defaults in the resource registry.
type: json
ManageFirewall:
- default: false
+ default: true
description: Whether to manage IPtables rules.
type: boolean
PurgeFirewallRules: