diff options
Diffstat (limited to 'puppet/services')
90 files changed, 2064 insertions, 820 deletions
diff --git a/puppet/services/README.rst b/puppet/services/README.rst index 8fe51fa3..6e4e9c1d 100644 --- a/puppet/services/README.rst +++ b/puppet/services/README.rst @@ -22,8 +22,8 @@ Config Settings Each service may define a config_settings output variable which returns Hiera settings to be configured. -Steps ------ +Deployment Steps +---------------- Each service may define an output variable which returns a puppet manifest snippet that will run at each of the following steps. Earlier manifests @@ -49,8 +49,42 @@ are re-asserted when applying latter ones. 5) Service activation (Pacemaker) - 6) Fencing (Pacemaker) +Upgrade Steps +------------- + +Each service template may optionally define a `upgrade_tasks` key, which is a +list of ansible tasks to be performed during the upgrade process. + +Similar to the step_config, we allow a series of steps for the per-service +upgrade sequence, defined as ansible tasks with a tag e.g "step1" for the first +step, "step2" for the second, etc. + + Steps/tages correlate to the following: + + 1) Quiesce the control-plane, e.g disable LoadBalancer, stop pacemaker cluster + + 2) Stop all control-plane services, ready for upgrade + + 3) Perform a package update, (either specific packages or the whole system) + + 4) Start services needed for migration tasks (e.g DB) + + 5) Perform any migration tasks, e.g DB sync commands + + 6) Start control-plane services + + 7) Any additional online migration tasks (e.g data migrations) + +Nova Server Metadata Settings +----------------------------- + +One can use the hook of type `OS::TripleO::ServiceServerMetadataHook` to pass +entries to the nova instances' metadata. It is, however, disabled by default. +In order to overwrite it one needs to define it in the resource registry. An +implementation of this hook needs to conform to the following: -Note: Not all roles currently support all steps: +* It needs to define an input called `RoleData` of json type. This gets as + input the contents of the `role_data` for each role's ServiceChain. - * ObjectStorage role only supports steps 2, 3 and 4 +* This needs to define an output called `metadata` which will be given to the + Nova Server resource as the instance's metadata. diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index d3d9b5ad..0cc7ad8b 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -21,11 +21,9 @@ parameters: MonitoringSubscriptionAodhApi: default: 'overcloud-ceilometer-aodh-api' type: string - EnableCombinationAlarms: - default: false - description: Combination alarms are deprecated in Newton, hence disabled - by default. To enable, set this parameter to true. + EnableInternalTLS: type: boolean + default: false resources: AodhBase: @@ -41,6 +39,7 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -52,29 +51,34 @@ outputs: map_merge: - get_attr: [AodhBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - - aodh::wsgi::apache::ssl: false + - aodh::wsgi::apache::ssl: {get_param: EnableInternalTLS} aodh::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]} aodh::api::service_name: 'httpd' + aodh::api::enable_proxy_headers_parsing: true tripleo.aodh_api.firewall_rules: '128 aodh-api': dport: - 8042 - 13042 + aodh::api::host: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - aodh::api::host: {get_param: [ServiceNetMap, AodhApiNetwork]} aodh::wsgi::apache::bind_host: {get_param: [ServiceNetMap, AodhApiNetwork]} - tripleo::profile::base::aodh::api::enable_combination_alarms: {get_param: EnableCombinationAlarms} service_config_settings: - get_attr: [AodhBase, role_data, service_config_settings] + get_attr: [AodhBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::aodh::api diff --git a/puppet/services/aodh-base.yaml b/puppet/services/aodh-base.yaml index 5314b837..0e2410f7 100644 --- a/puppet/services/aodh-base.yaml +++ b/puppet/services/aodh-base.yaml @@ -59,14 +59,7 @@ outputs: value: service_name: aodh_base config_settings: - aodh::evaluator::coordination_url: - list_join: - - '' - - - 'redis://:' - - {get_param: RedisPassword} - - '@' - - "%{hiera('redis_vip')}" - - ':6379/' + aodh_redis_password: {get_param: RedisPassword} aodh::db::database_connection: list_join: - '' @@ -87,13 +80,6 @@ outputs: aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } aodh::auth::auth_password: {get_param: AodhPassword} - aodh::db::mysql::user: aodh - aodh::db::mysql::password: {get_param: AodhPassword} - aodh::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - aodh::db::mysql::dbname: aodh - aodh::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" aodh::auth::auth_region: 'regionOne' aodh::auth::auth_tenant_name: 'service' service_config_settings: @@ -104,3 +90,11 @@ outputs: aodh::keystone::auth::password: {get_param: AodhPassword} aodh::keystone::auth::region: {get_param: KeystoneRegion} aodh::keystone::auth::tenant: 'service' + mysql: + aodh::db::mysql::user: aodh + aodh::db::mysql::password: {get_param: AodhPassword} + aodh::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + aodh::db::mysql::dbname: aodh + aodh::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml new file mode 100644 index 00000000..1d76b9a3 --- /dev/null +++ b/puppet/services/apache-internal-tls-certmonger.yaml @@ -0,0 +1,50 @@ +heat_template_version: 2016-10-14 + +description: > + Apache service TLS configurations. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + # The following parameters are not needed by the template but are + # required to pass the pep8 tests + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the Apache role. + value: + service_name: apache_internal_tls_certmonger + config_settings: + generate_service_certificates: true + apache_certificates_specs: + map_merge: + repeat: + template: + httpd-NETWORK: + service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd-NETWORK.key' + hostname: "%{hiera('fqdn_NETWORK')}" + principal: "HTTP/%{hiera('fqdn_NETWORK')}" + for_each: + NETWORK: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index c9792019..382e0ff9 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -27,6 +27,17 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableInternalTLS: + type: boolean + default: false + + +resources: + + ApacheTLS: + type: OS::TripleO::Services::ApacheTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} outputs: role_data: @@ -34,19 +45,22 @@ outputs: value: service_name: apache config_settings: - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} - apache::server_signature: 'Off' - apache::server_tokens: 'Prod' - apache_remote_proxy_ips_network: - str_replace: - template: "NETWORK_subnet" - params: - NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} - apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers } - apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } - apache::mod::remoteip::proxy_ips: - - "%{hiera('apache_remote_proxy_ips_network')}" + map_merge: + - get_attr: [ApacheTLS, role_data, config_settings] + - + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::server_signature: 'Off' + apache::server_tokens: 'Prod' + apache_remote_proxy_ips_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers } + apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } + apache::mod::remoteip::proxy_ips: + - "%{hiera('apache_remote_proxy_ips_network')}" diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml new file mode 100644 index 00000000..24687d03 --- /dev/null +++ b/puppet/services/barbican-api.yaml @@ -0,0 +1,144 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Barbican API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + BarbicanPassword: + description: The password for the barbican service account. + type: string + hidden: true + BarbicanWorkers: + description: Set the number of workers for barbican::wsgi::apache + default: '%{::processorcount}' + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + EnableInternalTLS: + type: boolean + default: false + +resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Barbican API role. + value: + service_name: barbican_api + config_settings: + map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - barbican::keystone::authtoken::password: {get_param: BarbicanPassword} + barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + barbican::keystone::authtoken::project_name: 'service' + barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} + barbican::api::db_auto_create: false + barbican::api::enabled_certificate_plugins: ['simple_certificate'] + barbican::api::logging::debug: {get_param: Debug} + barbican::api::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + barbican::api::rabbit_userid: {get_param: RabbitUserName} + barbican::api::rabbit_password: {get_param: RabbitPassword} + barbican::api::rabbit_port: {get_param: RabbitClientPort} + barbican::api::rabbit_heartbeat_timeout_threshold: 60 + barbican::api::service_name: 'httpd' + barbican::wsgi::apache::bind_host: {get_param: [ServiceNetMap, BarbicanApiNetwork]} + barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS} + barbican::wsgi::apache::workers: {get_param: BarbicanWorkers} + barbican::wsgi::apache::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]} + barbican::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://barbican:' + - {get_param: BarbicanPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/barbican' + tripleo.barbican_api.firewall_rules: + '117 barbican': + dport: + - 9311 + - 13311 + step_config: | + include ::tripleo::profile::base::barbican::api + service_config_settings: + mysql: + barbican::db::mysql::password: {get_param: BarbicanPassword} + barbican::db::mysql::user: barbican + barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + barbican::db::mysql::dbname: barbican + barbican::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + keystone: + barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]} + barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]} + barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]} + barbican::keystone::auth::password: {get_param: BarbicanPassword} + barbican::keystone::auth::region: {get_param: KeystoneRegion} + barbican::keystone::auth::tenant: 'service' + nova_compute: + nova::compute::keymgr_api_class: > + castellan.key_manager.barbican_key_manager.BarbicanKeyManager + nova::compute::barbican_endpoint: + get_param: [EndpointMap, BarbicanInternal, uri] + nova::compute::barbican_auth_endpoint: + get_param: [EndpointMap, KeystoneV3Internal, uri] + cinder_api: + cinder::api::keymgr_api_class: > + castellan.key_manager.barbican_key_manager.BarbicanKeyManager + cinder::api::keymgr_encryption_api_url: + get_param: [EndpointMap, BarbicanInternal, uri] + cinder::api::keymgr_encryption_auth_url: + get_param: [EndpointMap, KeystoneV3Internal, uri] diff --git a/puppet/services/ceilometer-agent-central.yaml b/puppet/services/ceilometer-agent-central.yaml index 2ae46d0e..c4abc307 100644 --- a/puppet/services/ceilometer-agent-central.yaml +++ b/puppet/services/ceilometer-agent-central.yaml @@ -51,13 +51,6 @@ outputs: config_settings: map_merge: - get_attr: [CeilometerServiceBase, role_data, config_settings] - - ceilometer::agent::central::coordination_url: - list_join: - - '' - - - 'redis://:' - - {get_param: RedisPassword} - - '@' - - "%{hiera('redis_vip')}" - - ':6379/' + - ceilometer_redis_password: {get_param: RedisPassword} step_config: | include ::tripleo::profile::base::ceilometer::agent::central diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 50431e3d..2e2d3f2d 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -26,7 +26,9 @@ parameters: default: tag: openstack.ceilometer.api path: /var/log/ceilometer/api.log - + EnableInternalTLS: + type: boolean + default: false resources: CeilometerServiceBase: @@ -42,6 +44,7 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -68,16 +71,22 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - ceilometer::api::service_name: 'httpd' - ceilometer::api::host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} + ceilometer::api::enable_proxy_headers_parsing: true + ceilometer::api::host: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} - ceilometer::wsgi::apache::ssl: false + ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS} ceilometer::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} service_config_settings: - get_attr: [CeilometerServiceBase, role_data, service_config_settings] + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::api diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index 25fccd9e..24c71cbb 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -31,11 +31,17 @@ parameters: type: string hidden: true CeilometerMeterDispatcher: - default: 'gnocchi' - description: Dispatcher to process meter data - type: string + default: ['gnocchi'] + description: Comma-seperated list of Dispatcher to process meter data + type: comma_delimited_list constraints: - allowed_values: ['gnocchi', 'database'] + CeilometerEventDispatcher: + default: ['gnocchi'] + description: Comma-separated list of Dispatchers to process events data + type: comma_delimited_list + constraints: + - allowed_values: ['panko', 'gnocchi', 'database'] CeilometerWorkers: default: 0 description: Number of workers for Ceilometer service. @@ -44,6 +50,14 @@ parameters: default: false description: Whether to store events in ceilometer. type: boolean + EnableLegacyCeilometerApi: + default: false + description: Enable legacy ceilometer Api service if needed. + type: boolean + EventPipelinePublishers: + default: ['notifier://?topic=alarm.all'] + description: A list of publishers to put in event_pipeline.yaml. + type: comma_delimited_list Debug: default: '' description: Set to True to enable debugging on all services. @@ -87,6 +101,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ceilometer' + enable_legacy_ceilometer_api: {get_param: EnableLegacyCeilometerApi} ceilometer_backend: {get_param: CeilometerBackend} ceilometer::metering_secret: {get_param: CeilometerMeteringSecret} # we include db_sync class in puppet-tripleo @@ -98,11 +113,12 @@ outputs: ceilometer::agent::auth::auth_password: {get_param: CeilometerPassword} ceilometer::agent::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::agent::notification::store_events: {get_param: CeilometerStoreEvents} + ceilometer::agent::notification::event_pipeline_publishers: {get_param: EventPipelinePublishers} ceilometer::agent::auth::auth_region: {get_param: KeystoneRegion} ceilometer::agent::auth::auth_tenant_name: 'service' ceilometer::agent::auth::auth_endpoint_type: 'internalURL' - ceilometer::db::mysql::password: {get_param: CeilometerPassword} ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher} + ceilometer::collector::event_dispatcher: {get_param: CeilometerEventDispatcher} ceilometer::dispatcher::gnocchi::url: {get_param: [EndpointMap, GnocchiInternal, uri]} ceilometer::dispatcher::gnocchi::filter_project: 'service' ceilometer::dispatcher::gnocchi::archive_policy: 'low' @@ -111,12 +127,6 @@ outputs: ceilometer::rabbit_password: {get_param: RabbitPassword} ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL} ceilometer::rabbit_port: {get_param: RabbitClientPort} - ceilometer::db::mysql::user: ceilometer - ceilometer::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - ceilometer::db::mysql::dbname: ceilometer - ceilometer::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" ceilometer::rabbit_heartbeat_timeout_threshold: 60 ceilometer::db::database_db_max_retries: -1 ceilometer::db::database_max_retries: -1 @@ -129,3 +139,11 @@ outputs: ceilometer::keystone::auth::password: {get_param: CeilometerPassword} ceilometer::keystone::auth::region: {get_param: KeystoneRegion} ceilometer::keystone::auth::tenant: 'service' + mysql: + ceilometer::db::mysql::password: {get_param: CeilometerPassword} + ceilometer::db::mysql::user: ceilometer + ceilometer::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ceilometer::db::mysql::dbname: ceilometer + ceilometer::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml index 4d15be8e..e3f1ef4e 100644 --- a/puppet/services/ceilometer-collector.yaml +++ b/puppet/services/ceilometer-collector.yaml @@ -55,5 +55,7 @@ outputs: map_merge: - get_attr: [MongoDbBase, role_data, config_settings] - get_attr: [CeilometerServiceBase, role_data, config_settings] + service_config_settings: + get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::collector diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml index ce8d9158..8faf5640 100644 --- a/puppet/services/ceph-base.yaml +++ b/puppet/services/ceph-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Ceph base service. Shared by all Ceph services. @@ -29,9 +29,20 @@ parameters: GlanceRbdPoolName: default: images type: string + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] GnocchiRbdPoolName: default: metrics type: string + NovaEnableRbdBackend: + default: false + description: Whether to enable or not the Rbd backend for Nova + type: boolean NovaRbdPoolName: default: vms type: string @@ -63,6 +74,16 @@ parameter_groups: parameters: - ControllerEnableCephStorage +conditions: + glance_multiple_locations: + and: + - equals: + - get_param: GlanceBackend + - rbd + - equals: + - get_param: NovaEnableRbdBackend + - true + outputs: role_data: description: Role data for the Ceph base service. @@ -75,6 +96,12 @@ outputs: ceph::profile::params::manage_repo: false ceph::profile::params::authentication_type: cephx ceph::profile::params::fsid: {get_param: CephClusterFSID} + # FIXME(gfidente): we should not have to list the packages explicitly in the templates, + # but this has to stay until https://bugs.launchpad.net/puppet-ceph/+bug/1629933 is fixed + ceph::params::packages: + - ceph-base + - ceph-mon + - ceph-osd # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP @@ -92,33 +119,33 @@ outputs: NETWORK: {get_param: [ServiceNetMap, CephMonNetwork]} ceph::profile::params::public_addr: {get_param: [ServiceNetMap, CephMonNetwork]} ceph::profile::params::client_keys: - str_replace: - template: "{ - client.admin: { - secret: 'ADMIN_KEY', - mode: '0600', - cap_mon: 'allow *', - cap_osd: 'allow *', + map_replace: + - client.admin: + secret: {get_param: CephAdminKey} + mode: '0600' + cap_mon: 'allow *' + cap_osd: 'allow *' cap_mds: 'allow *' - }, - client.bootstrap-osd: { - secret: 'ADMIN_KEY', - keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring', + client.bootstrap-osd: + secret: {get_param: CephAdminKey} + keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring' cap_mon: 'allow profile bootstrap-osd' - }, - client.CLIENT_USER: { - secret: 'CLIENT_KEY', - mode: '0644', - cap_mon: 'allow r', - cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' - } - }" - params: - CLIENT_USER: {get_param: CephClientUserName} - CLIENT_KEY: {get_param: CephClientKey} - ADMIN_KEY: {get_param: CephAdminKey} - NOVA_POOL: {get_param: NovaRbdPoolName} - CINDER_POOL: {get_param: CinderRbdPoolName} - CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} - GLANCE_POOL: {get_param: GlanceRbdPoolName} - GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + CEPH_CLIENT_KEY: + secret: {get_param: CephClientKey} + mode: '0644' + cap_mon: 'allow r' + cap_osd: + str_replace: + template: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' + params: + NOVA_POOL: {get_param: NovaRbdPoolName} + CINDER_POOL: {get_param: CinderRbdPoolName} + CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} + GLANCE_POOL: {get_param: GlanceRbdPoolName} + GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + - keys: + CEPH_CLIENT_KEY: + list_join: ['.', ['client', {get_param: CephClientUserName}]] + service_config_settings: + glance_api: + glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml index 52c4824f..b708665f 100644 --- a/puppet/services/ceph-external.yaml +++ b/puppet/services/ceph-external.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Ceph External service. @@ -27,9 +27,20 @@ parameters: GlanceRbdPoolName: default: images type: string + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] GnocchiRbdPoolName: default: metrics type: string + NovaEnableRbdBackend: + default: false + description: Whether to enable or not the Rbd backend for Nova + type: boolean NovaRbdPoolName: default: vms type: string @@ -51,6 +62,16 @@ parameters: default: 'overcloud-ceph-external' type: string +conditions: + glance_multiple_locations: + and: + - equals: + - get_param: GlanceBackend + - rbd + - equals: + - get_param: NovaEnableRbdBackend + - true + outputs: role_data: description: Role data for the Ceph External service. @@ -78,5 +99,16 @@ outputs: CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} GLANCE_POOL: {get_param: GlanceRbdPoolName} GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + ceph::profile::params::manage_repo: false + # FIXME(gfidente): we should not have to list the packages explicitly in + # the templates, but this should stay until the following is fixed: + # https://bugs.launchpad.net/puppet-ceph/+bug/1629933 + ceph::params::packages: + - ceph-base + - ceph-mon + - ceph-osd + service_config_settings: + glance_api: + glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} step_config: | include ::tripleo::profile::base::ceph::client diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index 552086ab..3471f16c 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml @@ -101,5 +101,7 @@ outputs: '110 ceph_mon': dport: - 6789 + service_config_settings: + get_attr: [CephBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceph::mon diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 18a4b780..4b85d28f 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml @@ -55,15 +55,9 @@ outputs: - tripleo::profile::base::ceph::rgw::rgw_key: {get_param: CephRgwKey} tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken} tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - ceph::profile::params::frontend_type: 'civetweb' - ceph_rgw_civetweb_bind_address: {get_param: [ServiceNetMap, CephRgwNetwork]} - ceph::profile::params::rgw_frontends: - list_join: - - '' - - - 'civetweb port=' - - '%{hiera("ceph_rgw_civetweb_bind_address")}' - - ':' - - {get_param: [EndpointMap, CephRgwInternal, port]} + tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]} + tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]} + ceph::params::user_radosgw: ceph tripleo.ceph_rgw.firewall_rules: '122 ceph rgw': dport: {get_param: [EndpointMap, CephRgwInternal, port]} @@ -74,6 +68,7 @@ outputs: ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]} ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} + ceph::rgw::keystone::auth::user: 'swift' ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} ceph::rgw::keystone::auth::tenant: 'service' diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 875a3aa1..6cb2b194 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Cinder API service configured with Puppet @@ -39,9 +39,27 @@ parameters: default: tag: openstack.cinder.api path: /var/log/cinder/cinder-api.log + CinderWorkers: + type: string + description: Set the number of workers for cinder::wsgi::apache + default: '%{::os_workers}' + EnableInternalTLS: + type: boolean + default: false + +conditions: + cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]} resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + CinderBase: type: ./cinder-base.yaml properties: @@ -61,6 +79,7 @@ outputs: config_settings: map_merge: - get_attr: [CinderBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] - cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} cinder::keystone::authtoken::password: {get_param: CinderPassword} @@ -79,12 +98,31 @@ outputs: dport: - 8776 - 13776 + cinder::api::bind_host: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} + cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS} + cinder::api::service_name: 'httpd' # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - cinder::api::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]} + cinder::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]} + cinder::wsgi::apache::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} + - + if: + - cinder_workers_zero + - {} + - cinder::wsgi::apache::workers: {get_param: CinderWorkers} step_config: | include ::tripleo::profile::base::cinder::api service_config_settings: @@ -101,3 +139,11 @@ outputs: cinder::keystone::auth::admin_url_v3: {get_param: [EndpointMap, CinderV3Admin, uri]} cinder::keystone::auth::password: {get_param: CinderPassword} cinder::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + cinder::db::mysql::password: {get_param: CinderPassword} + cinder::db::mysql::user: cinder + cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + cinder::db::mysql::dbname: cinder + cinder::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/cinder-base.yaml b/puppet/services/cinder-base.yaml index 0db17189..59c9b844 100644 --- a/puppet/services/cinder-base.yaml +++ b/puppet/services/cinder-base.yaml @@ -60,20 +60,12 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/cinder' - cinder::db::mysql::password: {get_param: CinderPassword} cinder::debug: {get_param: Debug} cinder::rabbit_use_ssl: {get_param: RabbitClientUseSSL} cinder::rabbit_userid: {get_param: RabbitUserName} cinder::rabbit_password: {get_param: RabbitPassword} cinder::rabbit_port: {get_param: RabbitClientPort} - cinder::db::mysql::user: cinder - cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - cinder::db::mysql::dbname: cinder - cinder::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" cinder::rabbit_heartbeat_timeout_threshold: 60 - cinder::host: hostgroup cinder::cron::db_purge::destination: '/dev/null' cinder::db::database_db_max_retries: -1 cinder::db::database_max_retries: -1 diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml new file mode 100644 index 00000000..3ba51fb6 --- /dev/null +++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml @@ -0,0 +1,43 @@ +heat_template_version: 2016-10-14 + +description: > + MySQL configurations for using TLS via certmonger. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + # The following parameters are not needed by the template but are + # required to pass the pep8 tests + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: MySQL configurations for using TLS via certmonger. + value: + service_name: mysql_internal_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::profile::base::database::mysql::certificate_specs: + service_certificate: '/etc/pki/tls/certs/mysql.crt' + service_key: '/etc/pki/tls/private/mysql.key' + hostname: + str_replace: + template: "%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + principal: + str_replace: + template: "mysql/%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 094a7c9f..abe752e2 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -35,50 +35,68 @@ parameters: description: Whether to use Galera instead of regular MariaDB. type: boolean +resources: + + MySQLTLS: + type: OS::TripleO::Services::MySQLTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + outputs: role_data: description: Service MySQL using composable services. value: service_name: mysql config_settings: - # The Galera package should work in cluster and - # non-cluster modes based on the config file. - # We set the package name here explicitly so - # that it matches what we pre-install - # in tripleo-puppet-elements. - mysql::server::package_name: 'mariadb-galera-server' - mysql::server::manage_config_file: true - tripleo.mysql.firewall_rules: - '104 mysql galera': - dport: - - 873 - - 3306 - - 4444 - - 4567 - - 4568 - - 9200 - mysql_max_connections: {get_param: MysqlMaxConnections} - mysql::server::root_password: - yaql: - expression: $.data.passwords.where($ != '').first() - data: - passwords: - - {get_param: MysqlRootPassword} - - {get_param: [DefaultPasswords, mysql_root_password]} - mysql_clustercheck_password: {get_param: MysqlClustercheckPassword} - enable_galera: {get_param: EnableGalera} - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]} - tripleo::profile::base::database::mysql::bind_address: - str_replace: - template: - '"%{::fqdn_$NETWORK}"' - params: - $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + map_merge: + - get_attr: [MySQLTLS, role_data, config_settings] + - + # The Galera package should work in cluster and + # non-cluster modes based on the config file. + # We set the package name here explicitly so + # that it matches what we pre-install + # in tripleo-puppet-elements. + mysql::server::package_name: 'mariadb-galera-server' + mysql::server::manage_config_file: true + tripleo.mysql.firewall_rules: + '104 mysql galera': + dport: + - 873 + - 3306 + - 4444 + - 4567 + - 4568 + - 9200 + mysql_max_connections: {get_param: MysqlMaxConnections} + mysql::server::root_password: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: MysqlRootPassword} + - {get_param: [DefaultPasswords, mysql_root_password]} + mysql_clustercheck_password: {get_param: MysqlClustercheckPassword} + enable_galera: {get_param: EnableGalera} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]} + tripleo::profile::base::database::mysql::bind_address: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql + upgrade_tasks: + - name: Stop service + tags: step2 + service: name=mariadb state=stopped + - name: Start service + tags: step4 + service: name=mariadb state=started + diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml index 4ed3c007..2fab0eb6 100644 --- a/puppet/services/database/redis-base.yaml +++ b/puppet/services/database/redis-base.yaml @@ -39,6 +39,6 @@ outputs: # internal_api_subnet - > IP/CIDR redis::bind: {get_param: [ServiceNetMap, RedisNetwork]} redis::port: 6379 - redis::sentinel::master_name: '"%{hiera(\"bootstrap_nodeid\")}"' - redis::sentinel::redis_host: '"%{hiera(\"bootstrap_nodeid_ip\")}"' + redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}" + redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}" redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh' diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index c399bf4e..33abdbf9 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -18,32 +18,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - CephClientUserName: - default: openstack - type: string Debug: default: '' description: Set to True to enable debugging on all services. type: string - GlanceNotifierStrategy: - description: Strategy to use for Glance notification queue - type: string - default: noop - GlanceLogFile: - description: The filepath of the file to use for logging messages from Glance. - type: string - default: '' GlancePassword: description: The password for the glance service and db account, used by the glance services. type: string hidden: true - GlanceBackend: - default: swift - description: The short name of the Glance backend to use. Should be one - of swift, rbd, or file - type: string - constraints: - - allowed_values: ['swift', 'file', 'rbd'] GlanceWorkers: default: '' description: | @@ -55,31 +37,6 @@ parameters: memory consumption. It is recommended that a suitable non-default value be selected on such systems. type: string - GlanceRbdPoolName: - default: images - type: string - RabbitPassword: - description: The password for RabbitMQ - type: string - hidden: true - RabbitUserName: - default: guest - description: The username for RabbitMQ - type: string - RabbitClientPort: - default: 5672 - description: Set rabbit subscriber port, change this if using SSL - type: number - RabbitClientUseSSL: - default: false - description: > - Rabbit client subscriber parameter to specify - an SSL connection to the RabbitMQ host. - type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint MonitoringSubscriptionGlanceApi: default: 'overcloud-glance-api' type: string @@ -89,6 +46,14 @@ parameters: tag: openstack.glance.api path: /var/log/glance/api.log +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Glance API role. @@ -99,66 +64,46 @@ outputs: logging_groups: - glance config_settings: - glance::api::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} - glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::api::registry_host: - str_replace: - template: "'REGISTRY_HOST'" - params: - REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} - glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] } - glance::api::authtoken::password: {get_param: GlancePassword} - glance::api::enable_proxy_headers_parsing: true - glance::api::debug: {get_param: Debug} - glance::api::workers: {get_param: GlanceWorkers} - glance_notifier_strategy: {get_param: GlanceNotifierStrategy} - glance_log_file: {get_param: GlanceLogFile} - glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::backend::swift::swift_store_user: service:glance - glance::backend::swift::swift_store_key: {get_param: GlancePassword} - glance::backend::swift::swift_store_create_container_on_put: true - glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} - glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} - glance_backend: {get_param: GlanceBackend} - glance::db::mysql::password: {get_param: GlancePassword} - glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} - glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} - glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} - glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_api.firewall_rules: - '112 glance_api': - dport: - - 9292 - - 13292 - glance::api::authtoken::project_name: 'service' - glance::api::pipeline: 'keystone' - glance::api::show_image_direct_url: true - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + - glance::api::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} + glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::api::registry_host: + str_replace: + template: "'REGISTRY_HOST'" + params: + REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} + glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] } + glance::api::authtoken::password: {get_param: GlancePassword} + glance::api::enable_proxy_headers_parsing: true + glance::api::debug: {get_param: Debug} + glance::api::workers: {get_param: GlanceWorkers} + tripleo.glance_api.firewall_rules: + '112 glance_api': + dport: + - 9292 + - 13292 + glance::api::authtoken::project_name: 'service' + glance::api::pipeline: 'keystone' + glance::api::show_image_direct_url: true + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api service_config_settings: - keystone: - glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} - glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} - glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} - glance::keystone::auth::password: {get_param: GlancePassword } - glance::keystone::auth::region: {get_param: KeystoneRegion} - glance::keystone::auth::tenant: 'service' + get_attr: [GlanceBase, role_data, service_config_settings] diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml new file mode 100644 index 00000000..cc979af9 --- /dev/null +++ b/puppet/services/glance-base.yaml @@ -0,0 +1,128 @@ +heat_template_version: 2016-10-14 + +description: > + OpenStack Glance Common settings with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephClientUserName: + default: openstack + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + GlanceNotifierStrategy: + description: Strategy to use for Glance notification queue + type: string + default: noop + GlanceLogFile: + description: The filepath of the file to use for logging messages from Glance. + type: string + default: '' + GlancePassword: + description: The password for the glance service and db account, used by the glance services. + type: string + hidden: true + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] + GlanceNfsEnabled: + default: false + description: > + When using GlanceBackend 'file', mount NFS share for image storage. + type: boolean + GlanceNfsShare: + default: '' + description: > + NFS share to mount for image storage (when GlanceNfsEnabled is true) + type: string + GlanceNfsOptions: + default: 'intr,context=system_u:object_r:glance_var_lib_t:s0' + description: > + NFS mount options for image storage (when GlanceNfsEnabled is true) + type: string + GlanceRbdPoolName: + default: images + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Role data for the Glance common role. + value: + service_name: glance_base + config_settings: + glance_notifier_strategy: {get_param: GlanceNotifierStrategy} + glance_log_file: {get_param: GlanceLogFile} + glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::backend::swift::swift_store_user: service:glance + glance::backend::swift::swift_store_key: {get_param: GlancePassword} + glance::backend::swift::swift_store_create_container_on_put: true + glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} + glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} + glance_backend: {get_param: GlanceBackend} + glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} + glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} + glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} + glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + glance::notify::rabbitmq::notification_driver: messagingv2 + glance::registry::db::database_db_max_retries: -1 + glance::registry::db::database_max_retries: -1 + tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} + tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} + tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} + service_config_settings: + keystone: + glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} + glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} + glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} + glance::keystone::auth::password: {get_param: GlancePassword } + glance::keystone::auth::region: {get_param: KeystoneRegion} + glance::keystone::auth::tenant: 'service' + mysql: + glance::db::mysql::password: {get_param: GlancePassword} + glance::db::mysql::user: glance + glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + glance::db::mysql::dbname: glance + glance::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml index 2b7b4345..c45582d4 100644 --- a/puppet/services/glance-registry.yaml +++ b/puppet/services/glance-registry.yaml @@ -46,6 +46,14 @@ parameters: tag: openstack.glance.registry path: /var/log/glance/registry.log +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Glance Registry role. @@ -56,40 +64,37 @@ outputs: logging_groups: - glance config_settings: - glance::registry::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::registry::authtoken::password: {get_param: GlancePassword} - glance::registry::authtoken::project_name: 'service' - glance::registry::pipeline: 'keystone' - glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::registry::debug: {get_param: Debug} - glance::registry::workers: {get_param: GlanceWorkers} - glance::db::mysql::user: glance - glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - glance::db::mysql::dbname: glance - glance::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_registry.firewall_rules: - '112 glance_registry': - dport: - - 9191 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + + - glance::registry::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::registry::authtoken::password: {get_param: GlancePassword} + glance::registry::authtoken::project_name: 'service' + glance::registry::pipeline: 'keystone' + glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::registry::debug: {get_param: Debug} + glance::registry::workers: {get_param: GlanceWorkers} + tripleo.glance_registry.firewall_rules: + '112 glance_registry': + dport: + - 9191 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} step_config: | include ::tripleo::profile::base::glance::registry + service_config_settings: + get_attr: [GlanceBase, role_data, config_settings] diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 481a44cb..b3d39e0f 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -41,6 +41,9 @@ parameters: default: tag: openstack.gnocchi.api path: /var/log/gnocchi/app.log + EnableInternalTLS: + type: boolean + default: false resources: @@ -57,6 +60,7 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -77,16 +81,17 @@ outputs: - 8041 - 13041 gnocchi::api::enabled: true + gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} gnocchi::keystone::authtoken::project_name: 'service' - gnocchi::wsgi::apache::ssl: false + gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS} gnocchi::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend} @@ -97,7 +102,12 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} - gnocchi::api::host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} + gnocchi::api::host: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} @@ -112,3 +122,11 @@ outputs: gnocchi::keystone::auth::public_url: { get_param: [ EndpointMap, GnocchiPublic, uri ] } gnocchi::keystone::auth::region: {get_param: KeystoneRegion} gnocchi::keystone::auth::tenant: 'service' + mysql: + gnocchi::db::mysql::password: {get_param: GnocchiPassword} + gnocchi::db::mysql::user: gnocchi + gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + gnocchi::db::mysql::dbname: gnocchi + gnocchi::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index 9f114ac4..556baae0 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -56,6 +56,7 @@ outputs: service_name: gnocchi_base config_settings: #Gnocchi engine + gnocchi_redis_password: {get_param: RedisPassword} gnocchi::debug: {get_param: Debug} gnocchi::db::database_connection: list_join: @@ -66,16 +67,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/gnocchi' - gnocchi::db::mysql::password: {get_param: GnocchiPassword} gnocchi::db::sync::extra_opts: '--skip-storage --create-legacy-resource-types' - gnocchi::storage::coordination_url: - list_join: - - '' - - - 'redis://:' - - {get_param: RedisPassword} - - '@' - - "%{hiera('redis_vip')}" - - ':6379/' gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 2 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} @@ -94,9 +86,3 @@ outputs: gnocchi::statsd::project_id: '6c38cd8d-099a-4cb2-aecf-17be688e8616' gnocchi::statsd::flush_delay: 10 gnocchi::statsd::archive_policy_name: 'low' - gnocchi::db::mysql::user: gnocchi - gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - gnocchi::db::mysql::dbname: gnocchi - gnocchi::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml index 04339f46..983d6c91 100644 --- a/puppet/services/gnocchi-statsd.yaml +++ b/puppet/services/gnocchi-statsd.yaml @@ -39,5 +39,9 @@ outputs: config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] + - tripleo.gnocchi_statsd.firewall_rules: + '140 gnocchi-statsd': + dport: 8125 + proto: 'udp' step_config: | include ::tripleo::profile::base::gnocchi::statsd diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml new file mode 100644 index 00000000..c6d53542 --- /dev/null +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -0,0 +1,51 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy internal TLS via certmonger role. + value: + service_name: haproxy_internal_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::use_internal_certificates: true + certificates_specs: + map_merge: + repeat: + template: + haproxy-NETWORK: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key' + hostname: "%{hiera('cloud_name_NETWORK')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_NETWORK')}" + for_each: + NETWORK: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml new file mode 100644 index 00000000..1551d16a --- /dev/null +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -0,0 +1,37 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy public TLS via certmonger role. + value: + service_name: haproxy_public_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + certificates_specs: + haproxy-external: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-external.key' + hostname: "%{hiera('cloud_name_external')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_external')}" diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 974928c5..675a79ec 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > HAproxy service configured with Puppet @@ -34,20 +34,26 @@ parameters: description: The password for Redis type: string hidden: true - ControlVirtualInterface: - default: 'br-ex' - description: Interface where virtual ip will be assigned. - type: string - PublicVirtualInterface: - default: 'br-ex' - description: > - Specifies the interface where the public-facing virtual ip will be assigned. - This should be int_public when a VLAN is being used. - type: string MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string +resources: + + HAProxyPublicTLS: + type: OS::TripleO::Services::HAProxyPublicTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + + HAProxyInternalTLS: + type: OS::TripleO::Services::HAProxyInternalTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the HAproxy role. @@ -55,14 +61,26 @@ outputs: service_name: haproxy monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: - tripleo.haproxy.firewall_rules: - '107 haproxy stats': - dport: 1993 - tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} - tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} - tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} - tripleo::haproxy::redis_password: {get_param: RedisPassword} - tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface} - tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface} + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, config_settings] + - get_attr: [HAProxyInternalTLS, role_data, config_settings] + - tripleo.haproxy.firewall_rules: + '107 haproxy stats': + dport: 1993 + tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} + tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} + tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} + tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::profile::base::haproxy::certificates_specs: + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] + - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] step_config: | include ::tripleo::profile::base::haproxy + upgrade_tasks: + - name: Stop haproxy service + tags: step1 + service: name=haproxy state=stopped + - name: Start haproxy service + tags: step4 # Needed at step 4 for mysql + service: name=haproxy state=started diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index a47fec5a..12d4a6a1 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml @@ -76,9 +76,11 @@ outputs: include ::tripleo::profile::base::heat::api_cfn service_config_settings: keystone: - heat::keystone::auth_cfn::tenant: 'service' - heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]} - heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]} - heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]} - heat::keystone::auth_cfn::password: {get_param: HeatPassword} - heat::keystone::auth::region: {get_param: KeystoneRegion} + map_merge: + - get_attr: [HeatBase, role_data, service_config_settings, keystone] + - heat::keystone::auth_cfn::tenant: 'service' + heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]} + heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]} + heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]} + heat::keystone::auth_cfn::password: {get_param: HeatPassword} + heat::keystone::auth_cfn::region: {get_param: KeystoneRegion} diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 2ea96fc0..b0cd16dd 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -76,9 +76,11 @@ outputs: include ::tripleo::profile::base::heat::api service_config_settings: keystone: - heat::keystone::auth::tenant: 'service' - heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]} - heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]} - heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]} - heat::keystone::auth::password: {get_param: HeatPassword} - heat::keystone::auth::region: {get_param: KeystoneRegion} + map_merge: + - get_attr: [HeatBase, role_data, service_config_settings, keystone] + - heat::keystone::auth::tenant: 'service' + heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]} + heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]} + heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]} + heat::keystone::auth::password: {get_param: HeatPassword} + heat::keystone::auth::region: {get_param: KeystoneRegion} diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml index 7eb58f56..a2a65d7d 100644 --- a/puppet/services/heat-base.yaml +++ b/puppet/services/heat-base.yaml @@ -77,3 +77,8 @@ outputs: heat::cron::purge_deleted::destination: '/dev/null' heat::db::database_db_max_retries: -1 heat::db::database_max_retries: -1 + service_config_settings: + keystone: + tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack' + tripleo::profile::base::keystone::heat_admin_user: 'heat_stack_domain_admin' + tripleo::profile::base::keystone::heat_admin_email: 'heat_stack_domain_admin@localhost' diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index 1e7bec23..3f0e4105 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -83,14 +83,7 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/heat' heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} - heat::db::mysql::password: {get_param: HeatPassword} heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword} - heat::db::mysql::user: heat - heat::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - heat::db::mysql::dbname: heat - heat::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" heat::engine::auth_encryption_key: yaql: expression: $.data.passwords.where($ != '').first() @@ -100,3 +93,16 @@ outputs: - {get_param: [DefaultPasswords, heat_auth_encryption_key]} step_config: | include ::tripleo::profile::base::heat::engine + + service_config_settings: + mysql: + heat::db::mysql::password: {get_param: HeatPassword} + heat::db::mysql::user: heat + heat::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + heat::db::mysql::dbname: heat + heat::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + keystone: + # This is needed because the keystone profile handles creating the domain + tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword} diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index 6ea5ec4e..e59dc202 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -24,18 +24,14 @@ parameters: type: json HorizonAllowedHosts: default: '*' - description: A list of IP/Hostname allowed to connect to horizon + description: A list of IP/Hostname for the server Horizon is running on. + Used for header checks. type: comma_delimited_list HorizonSecret: description: Secret key for Django type: string hidden: true default: '' - NeutronMechanismDrivers: - default: 'openvswitch' - description: | - The mechanism drivers for the Neutron tenant network. - type: comma_delimited_list MemcachedIPv6: default: false description: Enable IPv6 features in Memcached. @@ -44,6 +40,10 @@ parameters: default: 'overcloud-horizon' type: string +conditions: + + debug_empty: {equals : [{get_param: Debug}, '']} + outputs: role_data: description: Role data for the Horizon role. @@ -51,33 +51,37 @@ outputs: service_name: horizon monitoring_subscription: {get_param: MonitoringSubscriptionHorizon} config_settings: - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} - neutron::plugins::ml2::mechanism_drivers: - str_replace: - template: MECHANISMS - params: - MECHANISMS: {get_param: NeutronMechanismDrivers} - tripleo.horizon.firewall_rules: - '126 horizon': - dport: - - 80 - - 443 - horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache - horizon::django_session_engine: 'django.contrib.sessions.backends.cache' - horizon::vhost_extra_params: - add_listen: false - priority: 10 - access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' - horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} - horizon::django_debug: {get_param: Debug} - horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} - horizon::secret_key: - yaql: - expression: $.data.passwords.where($ != '').first() - data: - passwords: - - {get_param: HorizonSecret} - - {get_param: [DefaultPasswords, horizon_secret]} - memcached_ipv6: {get_param: MemcachedIPv6} + map_merge: + - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} + tripleo.horizon.firewall_rules: + '126 horizon': + dport: + - 80 + - 443 + horizon::enable_secure_proxy_ssl_header: true + horizon::disable_password_reveal: true + horizon::enforce_password_check: true + horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache + horizon::django_session_engine: 'django.contrib.sessions.backends.cache' + horizon::vhost_extra_params: + add_listen: false + priority: 10 + access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' + options: ['FollowSymLinks','MultiViews'] + horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} + horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::secret_key: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: HorizonSecret} + - {get_param: [DefaultPasswords, horizon_secret]} + memcached_ipv6: {get_param: MemcachedIPv6} + - + if: + - debug_empty + - {} + - horizon::django_debug: {get_param: Debug} step_config: | include ::tripleo::profile::base::horizon diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index 19e54f5b..c8a2e833 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -73,3 +73,11 @@ outputs: ironic::keystone::auth::auth_name: 'ironic' ironic::keystone::auth::password: {get_param: IronicPassword } ironic::keystone::auth::tenant: 'service' + mysql: + ironic::db::mysql::password: {get_param: IronicPassword} + ironic::db::mysql::user: ironic + ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ironic::db::mysql::dbname: ironic + ironic::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/ironic-base.yaml b/puppet/services/ironic-base.yaml index 2f242da8..0ff393c6 100644 --- a/puppet/services/ironic-base.yaml +++ b/puppet/services/ironic-base.yaml @@ -65,12 +65,5 @@ outputs: ironic::rabbit_password: {get_param: RabbitPassword} ironic::rabbit_port: {get_param: RabbitClientPort} ironic::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - ironic::db::mysql::password: {get_param: IronicPassword} - ironic::db::mysql::user: ironic - ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - ironic::db::mysql::dbname: ironic - ironic::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" step_config: | include ::tripleo::profile::base::ironic diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index 4ac9fc30..f173aa63 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -68,7 +68,7 @@ outputs: list_join: - '' - - 'http://' - - '%{hiera("ironic_conductor_http_host")}:' + - "%{hiera('ironic_conductor_http_host')}:" - {get_param: IronicIPXEPort} ironic::drivers::pxe::ipxe_enabled: {get_param: IronicIPXEEnabled} ironic::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml index 2b069d67..b4f1a100 100644 --- a/puppet/services/keepalived.yaml +++ b/puppet/services/keepalived.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Keepalived service configured with Puppet @@ -19,19 +19,28 @@ parameters: via parameter_defaults in the resource registry. type: json ControlVirtualInterface: - default: 'br-ex' - description: Interface where virtual ip will be assigned. + default: '' + description: > + Interface where virtual ip will be assigned. This value will be + automatically set by the deployment tool. Overriding here will + override automatic setting. type: string PublicVirtualInterface: - default: 'br-ex' + default: '' description: > - Specifies the interface where the public-facing virtual ip will be assigned. - This should be int_public when a VLAN is being used. + Interface where virtual ip will be assigned. This value will be + automatically set by the deployment tool. Overriding here will + override automatic setting. type: string MonitoringSubscriptionKeepalived: default: 'overcloud-keepalived' type: string +conditions: + + control_iface_empty: {equals : [{get_param: ControlVirtualInterface}, '']} + public_iface_empty: {equals : [{get_param: PublicVirtualInterface}, '']} + outputs: role_data: description: Role data for the Keepalived role. @@ -39,7 +48,27 @@ outputs: service_name: keepalived monitoring_subscription: {get_param: MonitoringSubscriptionKeepalived} config_settings: - tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface} - tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface} + map_merge: + - tripleo.keepalived.firewall_rules: + '106 keepalived vrrp': + proto: vrrp + - + if: + - control_iface_empty + - {} + - tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface} + - + if: + - public_iface_empty + - {} + - tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface} step_config: | include ::tripleo::profile::base::keepalived + upgrade_tasks: + - name: Stop keepalived service + tags: step1 + service: name=keepalived state=stopped + - name: Start keepalived service + tags: step4 # Needed at step 4 for mysql + service: name=keepalived state=started + diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 2f01578e..69898718 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -18,6 +18,10 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + KernelPidMax: + default: 1048576 + description: Configures sysctl kernel.pid_max key + type: number outputs: role_data: @@ -39,11 +43,17 @@ outputs: net.netfilter.nf_conntrack_max: value: 500000 # prevent neutron bridges from autoconfiguring ipv6 addresses + net.ipv6.conf.all.accept_ra: + value: 0 net.ipv6.conf.default.accept_ra: value: 0 + net.ipv6.conf.all.autoconf: + value: 0 net.ipv6.conf.default.autoconf: value: 0 net.core.netdev_max_backlog: value: 10000 + kernel.pid_max: + value: {get_param: KernelPidMax} step_config: | include ::tripleo::profile::base::kernel diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index b7a807fa..e48d7037 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Keystone service configured with Puppet @@ -32,6 +32,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + KeystoneTokenProvider: + description: The keystone token format + type: string + default: 'uuid' + constraints: + - allowed_values: ['uuid', 'fernet'] ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -83,9 +89,9 @@ parameters: KeystoneWorkers: type: string description: Set the number of workers for keystone::wsgi::apache - default: '"%{::processorcount}"' + default: '%{::os_workers}' MonitoringSubscriptionKeystone: - default: 'overcloud-kestone' + default: 'overcloud-keystone' type: string KeystoneCredential0: type: string @@ -93,11 +99,20 @@ parameters: KeystoneCredential1: type: string description: The second Keystone credential key. Must be a valid key. + KeystoneFernetKey0: + type: string + description: The first Keystone fernet key. Must be a valid key. + KeystoneFernetKey1: + type: string + description: The second Keystone fernet key. Must be a valid key. KeystoneLoggingSource: type: json default: tag: openstack.keystone path: /var/log/keystone/keystone.log + EnableInternalTLS: + type: boolean + default: false resources: @@ -107,6 +122,10 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + +conditions: + keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} outputs: role_data: @@ -130,9 +149,12 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/keystone' keystone::admin_token: {get_param: AdminToken} + keystone::admin_password: {get_param: AdminPassword} keystone::roles::admin::password: {get_param: AdminPassword} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} + keystone::token_provider: {get_param: KeystoneTokenProvider} + keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]} keystone::enable_proxy_headers_parsing: true keystone::enable_credential_setup: true keystone::credential_keys: @@ -140,8 +162,12 @@ outputs: content: {get_param: KeystoneCredential0} '/etc/keystone/credential-keys/1': content: {get_param: KeystoneCredential1} + keystone::fernet_keys: + '/etc/keystone/fernet-keys/0': + content: {get_param: KeystoneFernetKey0} + '/etc/keystone/fernet-keys/1': + content: {get_param: KeystoneFernetKey1} keystone::debug: {get_param: Debug} - keystone::db::mysql::password: {get_param: AdminToken} keystone::rabbit_userid: {get_param: RabbitUserName} keystone::rabbit_password: {get_param: RabbitPassword} keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} @@ -155,12 +181,6 @@ outputs: keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} keystone::endpoint::region: {get_param: KeystoneRegion} keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} - keystone::db::mysql::user: keystone - keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - keystone::db::mysql::dbname: keystone - keystone::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" keystone::rabbit_heartbeat_timeout_threshold: 60 keystone::cron::token_flush::maxdelay: 3600 keystone::roles::admin::service_tenant: 'service' @@ -170,17 +190,18 @@ outputs: ec2/driver: value: 'keystone.contrib.ec2.backends.sql.Ec2' keystone::service_name: 'httpd' - keystone::wsgi::apache::ssl: false + keystone::enable_ssl: {get_param: EnableInternalTLS} + keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS} keystone::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} keystone::wsgi::apache::servername_admin: str_replace: template: - '"%{::fqdn_$NETWORK}"' + "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} @@ -195,16 +216,46 @@ outputs: - 13000 - 35357 - 13357 + keystone::admin_bind_host: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::public_bind_host: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - # NOTE: this applies to all 4 bind IP settings below... - keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} - keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + # NOTE: this applies to all 2 bind IP settings below... keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} step_config: | include ::tripleo::profile::base::keystone + service_config_settings: + mysql: + keystone::db::mysql::password: {get_param: AdminToken} + keystone::db::mysql::user: keystone + keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + keystone::db::mysql::dbname: keystone + keystone::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + # Ansible tasks to handle upgrade + upgrade_tasks: + - name: Stop keystone service (running under httpd) + tags: step2 + service: name=httpd state=stopped + - name: Sync keystone DB + tags: step5 + command: keystone-manage db_sync + - name: Start keystone service (running under httpd) + tags: step6 + service: name=httpd state=started diff --git a/puppet/services/logging/fluentd-config.yaml b/puppet/services/logging/fluentd-config.yaml index e051781e..58b423fd 100644 --- a/puppet/services/logging/fluentd-config.yaml +++ b/puppet/services/logging/fluentd-config.yaml @@ -70,7 +70,7 @@ parameters: - tag_pattern: '**' type: record_transformer record: - nodename: '${hostname}' + host: '${hostname}' - tag_pattern: 'openstack.**' type: record_transformer diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml index 9882adc4..b4b3d480 100644 --- a/puppet/services/manila-api.yaml +++ b/puppet/services/manila-api.yaml @@ -51,6 +51,11 @@ outputs: manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' + tripleo.manila_api.firewall_rules: + '150 manila': + dport: + - 8786 + - 13786 # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): @@ -62,13 +67,15 @@ outputs: step_config: | include ::tripleo::profile::base::manila::api service_config_settings: - keystone: - manila::keystone::auth::tenant: 'service' - manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]} - manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]} - manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]} - manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]} - manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]} - manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]} - manila::keystone::auth::password: {get_param: ManilaPassword} - manila::keystone::auth::region: {get_param: KeystoneRegion} + map_merge: + - get_attr: [ManilaBase, role_data, service_config_settings] + - keystone: + manila::keystone::auth::tenant: 'service' + manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]} + manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]} + manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]} + manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]} + manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]} + manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]} + manila::keystone::auth::password: {get_param: ManilaPassword} + manila::keystone::auth::region: {get_param: KeystoneRegion} diff --git a/puppet/services/manila-backend-cephfs.yaml b/puppet/services/manila-backend-cephfs.yaml index 89a36d21..0fc39e2a 100644 --- a/puppet/services/manila-backend-cephfs.yaml +++ b/puppet/services/manila-backend-cephfs.yaml @@ -19,9 +19,6 @@ parameters: via parameter_defaults in the resource registry. type: json # CephFS Native backend params: - ManilaCephFSNativeEnableBackend: - type: boolean - default: false ManilaCephFSNativeBackendName: type: string default: cephfsnative @@ -33,7 +30,7 @@ parameters: default: 'cephfs' ManilaCephFSNativeCephFSConfPath: type: string - default: '/etc/ceph/cephfs.conf' + default: '/etc/ceph/ceph.conf' ManilaCephFSNativeCephFSAuthId: type: string default: 'manila' @@ -50,7 +47,6 @@ outputs: value: service_name: manila_backend_cephfs config_settings: - manila::backend::cephfsnative::enable_backend: {get_param: ManilaCephFSNativeEnableBackend} manila::backend::cephfsnative::title: {get_param: ManilaCephFSNativeBackendName} manila::backend::cephfsnative::driver_handles_share_servers: {get_param: ManilaCephFSNativeDriverHandlesShareServers} manila::backend::cephfsnative::share_backend_name: {get_param: ManilaCephFSNativeShareBackendName} diff --git a/puppet/services/manila-backend-generic.yaml b/puppet/services/manila-backend-generic.yaml index 5c001c82..c527666e 100644 --- a/puppet/services/manila-backend-generic.yaml +++ b/puppet/services/manila-backend-generic.yaml @@ -4,9 +4,6 @@ description: > Openstack Manila generic backend. parameters: - ManilaGenericEnableBackend: - type: boolean - default: false ManilaGenericBackendName: type: string default: tripleo_generic @@ -73,7 +70,6 @@ outputs: value: service_name: manila_backend_generic config_settings: - manila_generic_enable_backend: {get_param: ManilaGenericEnableBackend} manila::backend::generic::title: {get_param: ManilaGenericBackendName} manila::backend::generic::driver_handles_share_servers: {get_param: ManilaGenericDriverHandlesShareServers} manila::backend::generic::smb_template_config_path: {get_param: ManilaGenericSmbTemplateConfigPath} diff --git a/puppet/services/manila-backend-netapp.yaml b/puppet/services/manila-backend-netapp.yaml index c95a8da7..e6d2f250 100644 --- a/puppet/services/manila-backend-netapp.yaml +++ b/puppet/services/manila-backend-netapp.yaml @@ -4,9 +4,6 @@ description: > Openstack Manila netapp backend. parameters: - ManilaNetappEnableBackend: - type: boolean - default: false ManilaNetappDriverHandlesShareServers: type: string default: true @@ -88,7 +85,6 @@ outputs: value: service_name: manila_backend_netapp config_settings: - manila_netapp_enable_backend: {get_param: ManilaNetappEnableBackend} manila::backend::netapp::title: {get_param: ManilaNetappBackendName} manila::backend::netapp::netapp_login: {get_param: ManilaNetappLogin} manila::backend::netapp::driver_handles_share_servers: {get_param: ManilaNetappDriverHandlesShareServers} diff --git a/puppet/services/manila-base.yaml b/puppet/services/manila-base.yaml index f4ec88c1..844bd3a3 100644 --- a/puppet/services/manila-base.yaml +++ b/puppet/services/manila-base.yaml @@ -40,6 +40,10 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + ManilaPassword: + description: The password for the manila service account. + type: string + hidden: true outputs: role_data: @@ -52,11 +56,23 @@ outputs: manila::rabbit_use_ssl: {get_param: RabbitClientUseSSL} manila::rabbit_port: {get_param: RabbitClientPort} manila::debug: {get_param: Debug} - manila::db::mysql::user: manila - manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - manila::db::mysql::dbname: manila manila::db::database_db_max_retries: -1 manila::db::database_max_retries: -1 - manila::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" + manila::sql_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://manila:' + - {get_param: ManilaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/manila' + service_config_settings: + mysql: + manila::db::mysql::password: {get_param: ManilaPassword} + manila::db::mysql::user: manila + manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + manila::db::mysql::dbname: manila + manila::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/manila-scheduler.yaml b/puppet/services/manila-scheduler.yaml index 28addd68..d96b677b 100644 --- a/puppet/services/manila-scheduler.yaml +++ b/puppet/services/manila-scheduler.yaml @@ -54,18 +54,8 @@ outputs: - manila::compute::nova::nova_admin_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} manila::compute::nova::nova_admin_password: {get_param: NovaPassword} manila::compute::nova::nova_admin_tenant_name: 'service' - manila::db::mysql::password: {get_param: ManilaPassword} manila::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} manila::network::neutron::neutron_admin_auth_url: {get_param: [EndpointMap, NeutronAdmin, uri]} manila::network::neutron::neutron_admin_password: {get_param: NeutronPassword} - manila::sql_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://manila:' - - {get_param: ManilaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/manila' step_config: | include ::tripleo::profile::base::manila::scheduler diff --git a/puppet/services/manila-share.yaml b/puppet/services/manila-share.yaml index e42d2fae..49c69fc1 100644 --- a/puppet/services/manila-share.yaml +++ b/puppet/services/manila-share.yaml @@ -21,6 +21,10 @@ parameters: MonitoringSubscriptionManilaShare: default: 'overcloud-manila-share' type: string + ManilaPassword: + description: The password for the manila service account. + type: string + hidden: true resources: ManilaBase: @@ -40,5 +44,11 @@ outputs: map_merge: - get_attr: [ManilaBase, role_data, config_settings] - manila::volume::cinder::cinder_admin_tenant_name: 'service' + manila::keystone::authtoken::password: {get_param: ManilaPassword} + manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::project_name: 'service' + service_config_settings: + get_attr: [ManilaBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::manila::share diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml new file mode 100644 index 00000000..44d30358 --- /dev/null +++ b/puppet/services/mistral-api.yaml @@ -0,0 +1,52 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MistralWorkers: + default: 1 + description: The number of workers for the mistral-api. + type: number + +resources: + MistralBase: + type: ./mistral-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Mistral API role. + value: + service_name: mistral_api + config_settings: + map_merge: + - get_attr: [MistralBase, role_data, config_settings] + - mistral::api::api_workers: {get_param: MistralWorkers} + mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]} + tripleo.mistral_api.firewall_rules: + '133 mistral': + dport: + - 8989 + - 13989 + service_config_settings: + get_attr: [MistralBase, role_data, service_config_settings] + step_config: | + include ::tripleo::profile::base::mistral::api diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml new file mode 100644 index 00000000..a11624c0 --- /dev/null +++ b/puppet/services/mistral-base.yaml @@ -0,0 +1,93 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral base service. Shared for all Mistral services. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + MistralPassword: + description: The password for the Mistral service and db account, used by the Mistral services. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Shared role data for the Mistral services. + value: + service_name: mistral_base + config_settings: + mistral::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://mistral:' + - {get_param: MistralPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/mistral' + mistral::rabbit_userid: {get_param: RabbitUserName} + mistral::rabbit_password: {get_param: RabbitPassword} + mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + mistral::rabbit_port: {get_param: RabbitClientPort} + mistral::debug: {get_param: Debug} + mistral::keystone_password: {get_param: MistralPassword} + mistral::keystone_tenant: 'service' + mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} + mistral::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + service_config_settings: + keystone: + mistral::keystone::auth::tenant: 'service' + mistral::keystone::auth::public_url: {get_param: [EndpointMap, MistralPublic, uri]} + mistral::keystone::auth::internal_url: {get_param: [EndpointMap, MistralInternal, uri]} + mistral::keystone::auth::admin_url: {get_param: [EndpointMap, MistralAdmin, uri]} + mistral::keystone::auth::password: {get_param: MistralPassword} + mistral::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + mistral::db::mysql::user: mistral + mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + mistral::db::mysql::dbname: mistral + mistral::db::mysql::password: {get_param: MistralPassword} + mistral::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/mistral-engine.yaml b/puppet/services/mistral-engine.yaml new file mode 100644 index 00000000..10af670d --- /dev/null +++ b/puppet/services/mistral-engine.yaml @@ -0,0 +1,38 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral Engine service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + MistralBase: + type: ./mistral-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Mistral Engine role. + value: + service_name: mistral_engine + config_settings: + get_attr: [MistralBase, role_data, config_settings] + step_config: | + include ::tripleo::profile::base::mistral::engine diff --git a/puppet/services/mistral-executor.yaml b/puppet/services/mistral-executor.yaml new file mode 100644 index 00000000..7afaf0db --- /dev/null +++ b/puppet/services/mistral-executor.yaml @@ -0,0 +1,38 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + MistralBase: + type: ./mistral-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Mistral Executor role. + value: + service_name: mistral_executor + config_settings: + get_attr: [MistralBase, role_data, config_settings] + step_config: | + include ::tripleo::profile::base::mistral::executor diff --git a/puppet/services/monitoring/sensu-base.yaml b/puppet/services/monitoring/sensu-base.yaml index d7350d07..ea23b8b6 100644 --- a/puppet/services/monitoring/sensu-base.yaml +++ b/puppet/services/monitoring/sensu-base.yaml @@ -43,7 +43,19 @@ parameters: description: The RabbitMQ vhost used for monitoring purposes. type: string default: '/sensu' - + SensuRedactVariables: + description: Variables from Sensu configuration, which have to be redacted. + type: comma_delimited_list + default: + - password + - passwd + - pass + - api_key + - api_token + - access_key + - secret_key + - private_key + - secret outputs: role_data: @@ -61,8 +73,7 @@ outputs: sensu::rabbitmq_ssl: {get_param: MonitoringRabbitUseSSL} sensu::rabbitmq_user: {get_param: MonitoringRabbitUserName} sensu::rabbitmq_vhost: {get_param: MonitoringRabbitVhost} - #sensu::redis_host: {get_param: MonitoringRedisHost} - #sensu::redis_password: {get_param: MonitoringRedisPassword} + sensu::redact: {get_param: SensuRedactVariables} sensu::sensu_plugin_provider: 'yum' sensu::sensu_plugin_name: 'rubygem-sensu-plugin' sensu::version: 'present' diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index 3f37e750..a26c7458 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -18,6 +18,13 @@ parameters: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + AdminPassword: + description: Keystone admin user password + type: string + KeystoneRegion: + default: 'regionOne' + description: Keystone region for endpoint + type: string SensuClientCustomConfig: default: {} description: Hash containing custom sensu-client variables. @@ -44,6 +51,14 @@ outputs: - sensu::api: false sensu::client: true sensu::server: false - sensu::client_custom: {get_param: SensuClientCustomConfig} + sensu::client_custom: + map_merge: + - {get_param: SensuClientCustomConfig} + - openstack: + username: 'admin' + password: {get_param: AdminPassword} + auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + tenant_name: 'admin' + region: {get_param: KeystoneRegion} step_config: | include ::tripleo::profile::base::monitoring::sensu diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 8cfa20bd..5fd9d7a2 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -37,13 +37,6 @@ parameters: default: 'True' description: Allow automatic l3-agent failover type: string - NeutronL3HA: - default: false - description: | - Whether to enable HA for virtual routers. While the default value is - 'false', L3 HA will be automatically enabled if the number of nodes hosting - controller configurations and DVR is disabled. - type: boolean NovaPassword: description: The password for the nova service and db account, used by nova-api. type: string @@ -64,13 +57,30 @@ parameters: default: tag: openstack.neutron.api path: /var/log/neutron/server.log - ControllerCount: + + # DEPRECATED: the following options are deprecated and are currently maintained + # for backwards compatibility. They will be removed in the Ocata cycle. + NeutronL3HA: + default: '' + type: string description: | - Under normal conditions, this should not be overridden manually and is - set at deployment time. The default value is present to allow the - template to be used in environments that do not override it. - default: 1 - type: number + Whether to enable HA for virtual routers. When not set, L3 HA will be + automatically enabled if the number of nodes hosting controller + configurations and DVR is disabled. Valid values are 'true' or 'false' + This parameter is being deprecated in Newton and is scheduled to be + removed in Ocata. Future releases will enable L3 HA by default if it is + appropriate for the deployment type. Alternate mechanisms will be + available to override. + +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. If you have concerns regarding deprecated + parameters, please contact the TripleO development team on IRC or the + OpenStack mailing list. + parameters: + - NeutronL3HA resources: @@ -81,18 +91,6 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} -conditions: - - auto_enable_l3_ha: - and: - - not: - equals: - - get_param: ControllerCount - - 1 - - equals: - - get_param: NeutronEnableDVR - - false - outputs: role_data: description: Role data for the Neutron Server agent service. @@ -119,7 +117,7 @@ outputs: neutron::server::api_workers: {get_param: NeutronWorkers} neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} - neutron::server::l3_ha: {if: ["auto_enable_l3_ha", true, {get_param: NeutronL3HA}]} + neutron::server::enable_proxy_headers_parsing: true neutron::keystone::authtoken::password: {get_param: NeutronPassword} neutron::server::notifications::nova_url: { get_param: [ EndpointMap, NovaInternal, uri ] } @@ -129,23 +127,11 @@ outputs: neutron::server::notifications::password: {get_param: NovaPassword} neutron::keystone::authtoken::project_name: 'service' neutron::server::sync_db: true - neutron::db::mysql::password: {get_param: NeutronPassword} - neutron::db::mysql::user: neutron - neutron::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - neutron::db::mysql::dbname: ovs_neutron - neutron::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - tripleo.neutron_server.firewall_rules: - '114 neutron server': + tripleo.neutron_api.firewall_rules: + '114 neutron api': dport: - 9696 - 13696 - '118 neutron vxlan networks': - proto: 'udp' - dport: 4789 - '106 vrrp': - proto: vrrp neutron::server::router_distributed: {get_param: NeutronEnableDVR} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): @@ -153,6 +139,7 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} + tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA} step_config: | include tripleo::profile::base::neutron::server service_config_settings: @@ -163,3 +150,11 @@ outputs: neutron::keystone::auth::admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] } neutron::keystone::auth::password: {get_param: NeutronPassword} neutron::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + neutron::db::mysql::password: {get_param: NeutronPassword} + neutron::db::mysql::user: neutron + neutron::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + neutron::db::mysql::dbname: ovs_neutron + neutron::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 32d50d41..3d03c313 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -33,7 +33,7 @@ parameters: from neutron.core_plugins namespace. type: string NeutronServicePlugins: - default: "router,qos" + default: "router,qos,trunk" description: | Comma-separated list of service plugin entrypoints to be loaded from the neutron.service_plugins namespace. @@ -50,16 +50,13 @@ parameters: to false may result in configuration remnants after updates/upgrades. NeutronGlobalPhysnetMtu: type: number - default: 1496 + default: 1500 description: | MTU of the underlying physical network. Neutron uses this value to calculate MTU for all virtual network components. For flat and VLAN networks, neutron uses this value without modification. For overlay networks such as VXLAN, neutron automatically subtracts the overlay - protocol overhead from this value. The default value of 1496 is - currently in effect to compensate for some additional overhead when - deploying with some network configurations (e.g. network isolation over - single network interfaces) + protocol overhead from this value. ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -87,16 +84,12 @@ outputs: neutron::rabbit_port: {get_param: RabbitClientPort} neutron::dhcp_agents_per_network: {get_param: NeutronDhcpAgentsPerNetwork} neutron::core_plugin: {get_param: NeutronCorePlugin} - neutron::service_plugins: - str_replace: - template: PLUGINS - params: - PLUGINS: {get_param: NeutronServicePlugins} + neutron::service_plugins: {get_param: NeutronServicePlugins} neutron::debug: {get_param: Debug} neutron::purge_config: {get_param: EnableConfigPurge} neutron::allow_overlapping_ips: true neutron::rabbit_heartbeat_timeout_threshold: 60 - neutron::host: '"%{::fqdn}"' #NOTE: extra quoting is needed + neutron::host: '%{::fqdn}' neutron::db::database_db_max_retries: -1 neutron::db::database_max_retries: -1 neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu} diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml index 9e223374..dfa8c062 100644 --- a/puppet/services/neutron-l3.yaml +++ b/puppet/services/neutron-l3.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Neutron L3 agent configured with Puppet @@ -43,6 +43,10 @@ parameters: tag: openstack.neutron.agent.l3 path: /var/log/neutron/l3-agent.log +conditions: + + external_network_bridge_empty: {equals : [{get_param: NeutronExternalNetworkBridge}, "''"]} + resources: NeutronBase: @@ -63,9 +67,15 @@ outputs: - neutron config_settings: map_merge: - - get_attr: [NeutronBase, role_data, config_settings] + - get_attr: [NeutronBase, role_data, config_settings] + - neutron::agents::l3::agent_mode: {get_param: NeutronL3AgentMode} + tripleo.neutron_l3.firewall_rules: + '106 neutron_l3 vrrp': + proto: vrrp + - + if: + - external_network_bridge_empty + - {} - neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge} - neutron::agents::l3::router_delete_namespaces: True - neutron::agents::l3::agent_mode : {get_param: NeutronL3AgentMode} step_config: | include tripleo::profile::base::neutron::l3 diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index 8be4c6d6..c87de285 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -72,6 +72,6 @@ outputs: neutron::agents::metadata::auth_password: {get_param: NeutronPassword} neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' - neutron::agents::metadata::metadata_ip: '"%{hiera(\"nova_metadata_vip\")}"' + neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}" step_config: | include tripleo::profile::base::neutron::metadata diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index cbe65638..e2b90b7b 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -94,21 +94,9 @@ outputs: - neutron::agents::ml2::ovs::l2_population: {get_param: NeutronEnableL2Pop} neutron::agents::ml2::ovs::enable_distributed_routing: {get_param: NeutronEnableDVR} neutron::agents::ml2::ovs::arp_responder: {get_param: NeutronEnableARPResponder} - neutron::agents::ml2::ovs::bridge_mappings: - str_replace: - template: MAPPINGS - params: - MAPPINGS: {get_param: NeutronBridgeMappings} - neutron::agents::ml2::ovs::tunnel_types: - str_replace: - template: TYPES - params: - TYPES: {get_param: NeutronTunnelTypes} - neutron::agents::ml2::ovs::extensions: - str_replace: - template: AGENT_EXTENSIONS - params: - AGENT_EXTENSIONS: {get_param: NeutronAgentExtensions} + neutron::agents::ml2::ovs::bridge_mappings: {get_param: NeutronBridgeMappings} + neutron::agents::ml2::ovs::tunnel_types: {get_param: NeutronTunnelTypes} + neutron::agents::ml2::ovs::extensions: {get_param: NeutronAgentExtensions} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): @@ -117,5 +105,11 @@ outputs: # internal_api_subnet - > IP/CIDR neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver} + tripleo.neutron_ovs_agent.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '136 neutron gre networks': + proto: 'gre' step_config: | include ::tripleo::profile::base::neutron::ovs diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index cc772c9d..fdfa1c03 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -22,7 +22,7 @@ parameters: description: List of cores to be used for DPDK Poll Mode Driver type: string constraints: - - allowed_pattern: "[0-9,-]+" + - allowed_pattern: "'[0-9,-]+'" NeutronDpdkMemoryChannels: description: Number of memory channels to be used for DPDK type: string diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index 17e8bca1..88b5064c 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml @@ -33,7 +33,7 @@ parameters: default: 'datacentre' description: If set, flat networks to configure in neutron plugins. NeutronPluginExtensions: - default: "qos,port_security,trunk" + default: "qos,port_security" description: | Comma-separated list of extensions enabled for the Neutron plugin. type: comma_delimited_list @@ -83,46 +83,14 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - - neutron::plugins::ml2::mechanism_drivers: - str_replace: - template: MECHANISMS - params: - MECHANISMS: {get_param: NeutronMechanismDrivers} - neutron::plugins::ml2::type_drivers: - str_replace: - template: DRIVERS - params: - DRIVERS: {get_param: NeutronTypeDrivers} - neutron::plugins::ml2::flat_networks: - str_replace: - template: NETWORKS - params: - NETWORKS: {get_param: NeutronFlatNetworks} - neutron::plugins::ml2::extension_drivers: - str_replace: - template: PLUGIN_EXTENSIONS - params: - PLUGIN_EXTENSIONS: {get_param: NeutronPluginExtensions} - neutron::plugins::ml2::network_vlan_ranges: - str_replace: - template: RANGES - params: - RANGES: {get_param: NeutronNetworkVLANRanges} - neutron::plugins::ml2::tunnel_id_ranges: - str_replace: - template: RANGES - params: - RANGES: {get_param: NeutronTunnelIdRanges} - neutron::plugins::ml2::vni_ranges: - str_replace: - template: RANGES - params: - RANGES: {get_param: NeutronVniRanges} - neutron::plugins::ml2::tenant_network_types: - str_replace: - template: TYPES - params: - TYPES: {get_param: NeutronNetworkType} + - neutron::plugins::ml2::mechanism_drivers: {get_param: NeutronMechanismDrivers} + neutron::plugins::ml2::type_drivers: {get_param: NeutronTypeDrivers} + neutron::plugins::ml2::flat_networks: {get_param: NeutronFlatNetworks} + neutron::plugins::ml2::extension_drivers: {get_param: NeutronPluginExtensions} + neutron::plugins::ml2::network_vlan_ranges: {get_param: NeutronNetworkVLANRanges} + neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges} + neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges} + neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType} neutron::plugins::ml2::supported_pci_vendor_devs: {get_param: NeutronSupportedPCIVendorDevs} step_config: | diff --git a/puppet/services/neutron-plugin-opencontrail.yaml b/puppet/services/neutron-plugin-opencontrail.yaml index 4e294965..098c9d05 100644 --- a/puppet/services/neutron-plugin-opencontrail.yaml +++ b/puppet/services/neutron-plugin-opencontrail.yaml @@ -59,7 +59,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions + - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions,/usr/lib/python2.7/site-packages/neutron_lbaas/extensions neutron::plugins::opencontrail::api_server_ip: {get_param: ContrailApiServerIp} neutron::plugins::opencontrail::api_server_port: {get_param: ContrailApiServerPort} diff --git a/puppet/services/neutron-sriov-agent.yaml b/puppet/services/neutron-sriov-agent.yaml index 44f7f242..0ab066d7 100644 --- a/puppet/services/neutron-sriov-agent.yaml +++ b/puppet/services/neutron-sriov-agent.yaml @@ -25,6 +25,7 @@ parameters: All physical networks listed in network_vlan_ranges on the server should have mappings to appropriate interfaces on each agent. + Example "tenant0:ens2f0,tenant1:ens2f1" type: comma_delimited_list default: "" NeutronExcludeDevices: @@ -40,8 +41,8 @@ parameters: NeutronSriovNumVFs: description: > Provide the list of VFs to be reserved for each SR-IOV interface. - Format "<interface_name1>:<numvfs1>","<interface_name2>:<numvfs2>" - Example "eth1:4096","eth2:128" + Format "<interface_name1>:<numvfs1>,<interface_name2>:<numvfs2>" + Example "eth1:4096,eth2:128" type: comma_delimited_list default: "" diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 25ae0176..50e4c996 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova API service configured with Puppet @@ -51,8 +51,22 @@ parameters: default: tag: openstack.nova.api path: /var/log/nova/nova-api.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + NovaBase: type: ./nova-base.yaml properties: @@ -71,40 +85,55 @@ outputs: - nova config_settings: map_merge: - - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] + - nova::cron::archive_deleted_rows::hour: '*/12' + nova::cron::archive_deleted_rows::destination: '/dev/null' + tripleo.nova_api.firewall_rules: + '113 nova_api': + dport: + - 8773 + - 3773 + - 8774 + - 13774 + - 8775 + nova::keystone::authtoken::project_name: 'service' + nova::keystone::authtoken::password: {get_param: NovaPassword} + nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::api::enabled: true + nova::api::default_floating_pool: 'public' + nova::api::sync_db_api: true + nova::api::enable_proxy_headers_parsing: true + nova::api::api_bind_address: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::service_name: 'httpd' + nova::wsgi::apache::ssl: {get_param: EnableInternalTLS} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::wsgi::apache::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + nova::api::instance_name_template: {get_param: InstanceNameTemplate} + nova_enable_db_purge: {get_param: NovaEnableDBPurge} + - + if: + - nova_workers_zero + - {} - nova::api::osapi_compute_workers: {get_param: NovaWorkers} - nova::api::metadata_workers: {get_param: NovaWorkers} - nova::cron::archive_deleted_rows::hour: '"*/12"' - nova::cron::archive_deleted_rows::destination: '"/dev/null"' - tripleo.nova_api.firewall_rules: - '113 nova_api': - dport: - - 6080 - - 13080 - - 8773 - - 3773 - - 8774 - - 13774 - - 8775 - nova::keystone::authtoken::project_name: 'service' - nova::keystone::authtoken::password: {get_param: NovaPassword} - nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - nova::api::enabled: true - nova::api::default_floating_pool: 'public' - nova::api::sync_db_api: true - nova::api::enable_proxy_headers_parsing: true - # NOTE: bind IP is found in Heat replacing the network name with the local node IP - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} - nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} - nova::api::instance_name_template: {get_param: InstanceNameTemplate} - nova_enable_db_purge: {get_param: NovaEnableDBPurge} - + nova::wsgi::apache::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::api service_config_settings: @@ -115,3 +144,18 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + nova::db::mysql::password: {get_param: NovaPassword} + nova::db::mysql::user: nova + nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + nova::db::mysql::dbname: nova + nova::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + nova::db::mysql_api::password: {get_param: NovaPassword} + nova::db::mysql_api::user: nova_api + nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + nova::db::mysql_api::dbname: nova_api + nova::db::mysql_api::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 24a63bb4..20bf2e42 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova base service. Shared for all Nova services. @@ -66,6 +66,9 @@ parameters: type: string description: Nova Compute upgrade level default: '' +conditions: + + compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']} outputs: role_data: @@ -73,71 +76,50 @@ outputs: value: service_name: nova_base config_settings: - nova::rabbit_password: {get_param: RabbitPassword} - nova::rabbit_userid: {get_param: RabbitUserName} - nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - nova::rabbit_port: {get_param: RabbitClientPort} - nova::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://nova:' - - {get_param: NovaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/nova' - nova::api_database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://nova_api:' - - {get_param: NovaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/nova_api' - nova::db::mysql::password: {get_param: NovaPassword} - nova::db::mysql::user: nova - nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql::dbname: nova - nova::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - nova::db::mysql_api::password: {get_param: NovaPassword} - nova::db::mysql_api::user: nova_api - nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql_api::dbname: nova_api - nova::db::mysql_api::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - nova::debug: {get_param: Debug} - nova::purge_config: {get_param: EnableConfigPurge} - nova::network::neutron::neutron_project_name: 'service' - nova::network::neutron::neutron_username: 'neutron' - nova::network::neutron::dhcp_domain: '' - nova::network::neutron::neutron_password: {get_param: NeutronPassword} - nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} - nova::network::neutron::neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]} - nova::rabbit_heartbeat_timeout_threshold: 60 - nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL' - nova::host: '"%{::fqdn}"' # NOTE: extra quoting is needed. - nova::notify_on_state_change: 'vm_and_task_state' - nova::notification_driver: messagingv2 - nova::network::neutron::neutron_auth_type: 'v3password' - nova::db::mysql::user: nova - nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql::dbname: nova - nova::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - nova::db::mysql_api::user: nova_api - nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql_api::dbname: nova_api - nova::db::mysql_api::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - nova::db::database_db_max_retries: -1 - nova::db::database_max_retries: -1 - nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} - nova::use_ipv6: {get_param: NovaIPv6} - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute} - nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge} + map_merge: + - nova::rabbit_password: {get_param: RabbitPassword} + nova::rabbit_userid: {get_param: RabbitUserName} + nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + nova::rabbit_port: {get_param: RabbitClientPort} + nova::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://nova:' + - {get_param: NovaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/nova' + nova::api_database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://nova_api:' + - {get_param: NovaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/nova_api' + nova::debug: {get_param: Debug} + nova::purge_config: {get_param: EnableConfigPurge} + nova::network::neutron::neutron_project_name: 'service' + nova::network::neutron::neutron_username: 'neutron' + nova::network::neutron::dhcp_domain: '' + nova::network::neutron::neutron_password: {get_param: NeutronPassword} + nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} + nova::network::neutron::neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]} + nova::rabbit_heartbeat_timeout_threshold: 60 + nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL' + nova::host: '%{::fqdn}' + nova::notify_on_state_change: 'vm_and_task_state' + nova::notification_driver: messagingv2 + nova::network::neutron::neutron_auth_type: 'v3password' + nova::db::database_db_max_retries: -1 + nova::db::database_max_retries: -1 + nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} + nova::use_ipv6: {get_param: NovaIPv6} + nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge} + - + if: + - compute_upgrade_level_empty + - {} + - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute} diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index f7f2510e..908b676e 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -52,7 +52,7 @@ parameters: For different formats, refer to the nova.conf documentation for pci_passthrough_whitelist configuration type: json - default: '' + default: {} NovaVcpuPinSet: description: > A list or range of physical CPU cores to reserve for virtual machine @@ -97,11 +97,7 @@ outputs: map_merge: - get_attr: [NovaBase, role_data, config_settings] - nova::compute::libvirt::manage_libvirt_services: false - nova::compute::pci_passthrough: - str_replace: - template: "'JSON_PARAM'" - params: - JSON_PARAM: {get_param: NovaPCIPassthrough} + nova::compute::pci_passthrough: {get_param: NovaPCIPassthrough} nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet} nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory} # we manage migration in nova common puppet profile @@ -117,7 +113,7 @@ outputs: - '.' - - 'client' - {get_param: CephClientUserName} - nova::compute::rbd::libvirt_rbd_secret_uuid: '"%{hiera(\"ceph::profile::params::fsid\")}"' + nova::compute::rbd::libvirt_rbd_secret_uuid: "%{hiera('ceph::profile::params::fsid')}" nova::compute::instance_usage_audit: true nova::compute::instance_usage_audit_period: 'hour' nova::compute::rbd::ephemeral_storage: {get_param: NovaEnableRbdBackend} diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index 2671cdd3..a10d9560 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova Conductor service configured with Puppet @@ -31,6 +31,9 @@ parameters: tag: openstack.nova.scheduler path: /var/log/nova/nova-scheduler.log +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + resources: NovaBase: type: ./nova-base.yaml @@ -50,7 +53,11 @@ outputs: - nova config_settings: map_merge: - - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaBase, role_data, config_settings] + - + if: + - nova_workers_zero + - {} - nova::conductor::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::conductor diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index b5ca2437..70774bac 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -50,6 +50,13 @@ outputs: tripleo::profile::base::nova::libvirt_enabled: true nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType} nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType} + tripleo.nova_libvirt.firewall_rules: + '200 nova_libvirt': + dport: + - 16509 + - 16514 + - '49152-49215' + - '5900-5999' step_config: | include tripleo::profile::base::nova::libvirt diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml index 92373c56..40931da6 100644 --- a/puppet/services/nova-metadata.yaml +++ b/puppet/services/nova-metadata.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova API service configured with Puppet @@ -23,12 +23,20 @@ parameters: description: Number of workers for Nova API service. type: number +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + outputs: role_data: description: Role data for the Nova Metadata service. value: service_name: nova_metadata config_settings: - nova::api::metadata_workers: {get_param: NovaWorkers} - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + map_merge: + - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + - + if: + - nova_workers_zero + - {} + - nova::api::metadata_workers: {get_param: NovaWorkers} step_config: "" diff --git a/puppet/services/nova-scheduler.yaml b/puppet/services/nova-scheduler.yaml index d89e3e11..d4e5fff6 100644 --- a/puppet/services/nova-scheduler.yaml +++ b/puppet/services/nova-scheduler.yaml @@ -58,7 +58,7 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] - - nova::scheduler::filter::ram_allocation_ratio: '1.0' + - nova::ram_allocation_ratio: '1.0' nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters} nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters} step_config: | diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml index 85d59ae6..e6b0703f 100644 --- a/puppet/services/nova-vnc-proxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml @@ -57,5 +57,10 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]} + tripleo.nova_vnc_proxy.firewall_rules: + '137 nova_vnc_proxy': + dport: + - 6080 + - 13080 step_config: | include tripleo::profile::base::nova::vncproxy diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml index d2ee036e..253d63ef 100644 --- a/puppet/services/opendaylight-api.yaml +++ b/puppet/services/opendaylight-api.yaml @@ -8,10 +8,6 @@ parameters: default: 8081 description: Set opendaylight service port type: number - EnableOpenDaylightOnController: - default: false - description: Whether to install OpenDaylight on control nodes. - type: boolean OpenDaylightUsername: default: 'admin' description: The username for the opendaylight server. @@ -33,14 +29,6 @@ parameters: description: List of features to install with ODL type: comma_delimited_list default: ["odl-netvirt-openstack","odl-netvirt-ui"] - OpenDaylightConnectionProtocol: - description: L7 protocol used for REST access - type: string - default: 'http' - OpenDaylightCheckURL: - description: URL postfix to verify ODL has finished starting up - type: string - default: 'restconf/operational/network-topology:network-topology/topology/netvirt:1' OpenDaylightApiVirtualIP: type: string default: '' @@ -66,15 +54,11 @@ outputs: service_name: opendaylight_api config_settings: opendaylight::odl_rest_port: {get_param: OpenDaylightPort} - odl_on_controller: {get_param: EnableOpenDaylightOnController} - opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::username: {get_param: OpenDaylightUsername} opendaylight::password: {get_param: OpenDaylightPassword} opendaylight::enable_l3: {get_param: OpenDaylightEnableL3} opendaylight::extra_features: {get_param: OpenDaylightFeatures} opendaylight::enable_dhcp: {get_param: OpenDaylightEnableDHCP} - opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} - opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpenDaylightApiNetwork]} + opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} step_config: | include tripleo::profile::base::neutron::opendaylight - include tripleo::profile::base::neutron::plugins::ovs::opendaylight diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index 8bcb72f7..63d12fe2 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml @@ -8,6 +8,15 @@ parameters: default: 8081 description: Set opendaylight service port type: number + OpenDaylightUsername: + default: 'admin' + description: The username for the opendaylight server. + type: string + OpenDaylightPassword: + default: 'admin' + type: string + description: The password for the opendaylight server. + hidden: true OpenDaylightConnectionProtocol: description: L7 protocol used for REST access type: string @@ -19,6 +28,11 @@ parameters: OpenDaylightApiVirtualIP: type: string default: '' + OpenDaylightProviderMappings: + description: Mappings between logical networks and physical interfaces. + Required for VLAN deployments. For example physnet1 -> eth1. + type: comma_delimited_list + default: "datacentre:br-ex" EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -41,7 +55,21 @@ outputs: service_name: opendaylight_ovs config_settings: opendaylight::odl_rest_port: {get_param: OpenDaylightPort} + opendaylight::username: {get_param: OpenDaylightUsername} + opendaylight::password: {get_param: OpenDaylightPassword} opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} + neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} + neutron::plugins::ovs::opendaylight::provider_mappings: + str_replace: + template: MAPPINGS + params: + MAPPINGS: {get_param: OpenDaylightProviderMappings} + tripleo.opendaylight_ovs.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '136 neutron gre networks': + proto: 'gre' step_config: | include tripleo::profile::base::neutron::plugins::ovs::opendaylight diff --git a/puppet/services/pacemaker/cinder-volume.yaml b/puppet/services/pacemaker/cinder-volume.yaml index 11b9bf8f..d91a0181 100644 --- a/puppet/services/pacemaker/cinder-volume.yaml +++ b/puppet/services/pacemaker/cinder-volume.yaml @@ -41,5 +41,6 @@ outputs: - get_attr: [CinderVolumeBase, role_data, config_settings] - cinder::volume::manage_service: false cinder::volume::enabled: false + cinder::host: hostgroup step_config: include ::tripleo::profile::pacemaker::cinder::volume diff --git a/puppet/services/pacemaker/database/mongodb.yaml b/puppet/services/pacemaker/database/mongodb.yaml index 64ae2e91..982b6064 100644 --- a/puppet/services/pacemaker/database/mongodb.yaml +++ b/puppet/services/pacemaker/database/mongodb.yaml @@ -22,7 +22,7 @@ parameters: resources: MongoDbBase: - type: ../../database/mongodb-base.yaml + type: ../../database/mongodb.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index 7deaf0ca..f2905903 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -40,7 +40,7 @@ outputs: - tripleo::profile::pacemaker::database::mysql::bind_address: str_replace: template: - '"%{::fqdn_$NETWORK}"' + "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the diff --git a/puppet/services/pacemaker/database/redis.yaml b/puppet/services/pacemaker/database/redis.yaml index d9156e67..196754eb 100644 --- a/puppet/services/pacemaker/database/redis.yaml +++ b/puppet/services/pacemaker/database/redis.yaml @@ -21,7 +21,7 @@ parameters: resources: RedisBase: - type: ../../database/redis-base.yaml + type: ../../database/redis.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml index 52104a71..e4115d64 100644 --- a/puppet/services/pacemaker/haproxy.yaml +++ b/puppet/services/pacemaker/haproxy.yaml @@ -38,7 +38,5 @@ outputs: - get_attr: [LoadbalancerServiceBase, role_data, config_settings] - tripleo::haproxy::haproxy_service_manage: false tripleo::haproxy::mysql_clustercheck: true - enable_keepalived: false - tripleo::haproxy::keepalived: false step_config: | include ::tripleo::profile::pacemaker::haproxy diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml new file mode 100644 index 00000000..a8bd5e8a --- /dev/null +++ b/puppet/services/panko-api.yaml @@ -0,0 +1,84 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Panko API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MonitoringSubscriptionPankoApi: + default: 'overcloud-ceilometer-panko-api' + type: string + EnableInternalTLS: + type: boolean + default: false + +resources: + PankoBase: + type: ./panko-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + +outputs: + role_data: + description: Role data for the Panko API service. + value: + service_name: panko_api + monitoring_subscription: {get_param: MonitoringSubscriptionPankoApi} + config_settings: + map_merge: + - get_attr: [PankoBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] + - panko::wsgi::apache::ssl: {get_param: EnableInternalTLS} + panko::wsgi::apache::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + panko::api::service_name: 'httpd' + panko::api::enable_proxy_headers_parsing: true + tripleo.panko_api.firewall_rules: + '140 panko-api': + dport: + - 8779 + - 13779 + panko::api::host: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + panko::wsgi::apache::bind_host: {get_param: [ServiceNetMap, PankoApiNetwork]} + service_config_settings: + get_attr: [PankoBase, role_data, service_config_settings] + step_config: | + include tripleo::profile::base::panko::api diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml new file mode 100644 index 00000000..af9c5353 --- /dev/null +++ b/puppet/services/panko-base.yaml @@ -0,0 +1,73 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Panko service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + PankoPassword: + description: The password for the panko services. + type: string + hidden: true + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Role data for the Panko role. + value: + service_name: panko_base + config_settings: + panko::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://panko:' + - {get_param: PankoPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/panko' + panko::debug: {get_param: Debug} + panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } + panko::keystone::authtoken::project_name: 'service' + panko::keystone::authtoken::password: {get_param: PankoPassword} + panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + panko::auth::auth_password: {get_param: PankoPassword} + panko::auth::auth_region: 'regionOne' + panko::auth::auth_tenant_name: 'service' + service_config_settings: + keystone: + panko::keystone::auth::public_url: {get_param: [EndpointMap, PankoPublic, uri]} + panko::keystone::auth::internal_url: {get_param: [EndpointMap, PankoInternal, uri]} + panko::keystone::auth::admin_url: {get_param: [EndpointMap, PankoAdmin, uri]} + panko::keystone::auth::password: {get_param: PankoPassword} + panko::keystone::auth::region: {get_param: KeystoneRegion} + panko::keystone::auth::tenant: 'service' + mysql: + panko::db::mysql::user: panko + panko::db::mysql::password: {get_param: PankoPassword} + panko::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + panko::db::mysql::dbname: panko + panko::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index 52300a2f..08f3f6bc 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml @@ -38,6 +38,13 @@ parameters: type: string default: '' hidden: true + RabbitHAQueues: + description: + The number of HA queues to be configured in rabbit. The default is 0 which will + be automatically overridden to CEIL(N/2) where N is the number of nodes running + rabbitmq. + default: 0 + type: number MonitoringSubscriptionRabbitmq: default: 'overcloud-rabbitmq' type: string @@ -64,15 +71,18 @@ outputs: rabbitmq::port: '5672' rabbitmq::package_source: undef rabbitmq::repos_ensure: false + rabbitmq::tcp_keepalive: true rabbitmq_environment: + NODE_PORT: '' + NODE_IP_ADDRESS: '' RABBITMQ_NODENAME: "rabbit@%{::hostname}" RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"' rabbitmq_kernel_variables: inet_dist_listen_min: '25672' inet_dist_listen_max: '25672' rabbitmq_config_variables: - tcp_listen_options: '[binary, {packet, raw}, {reuseaddr, true}, {backlog, 128}, {nodelay, true}, {exit_on_close, false}, {keepalive, true}]' cluster_partition_handling: 'pause_minority' + queue_master_locator: '<<"min-masters">>' loopback_users: '[]' rabbitmq::erlang_cookie: yaql: @@ -87,6 +97,15 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - rabbitmq::node_ip_address: {get_param: [ServiceNetMap, RabbitmqNetwork]} + rabbitmq::interface: {get_param: [ServiceNetMap, RabbitmqNetwork]} + rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} step_config: | include ::tripleo::profile::base::rabbitmq + upgrade_tasks: + - name: Stop rabbitmq service + tags: step2 + service: name=rabbitmq-server state=stopped + - name: Start rabbitmq service + tags: step6 + service: name=rabbitmq-server state=started + diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index 4f139b5f..54e63df4 100644 --- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -82,3 +82,11 @@ outputs: sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]} sahara::keystone::auth::password: {get_param: SaharaPassword } sahara::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + sahara::db::mysql::password: {get_param: SaharaPassword} + sahara::db::mysql::user: sahara + sahara::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + sahara::db::mysql::dbname: sahara + sahara::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml index c3986b77..4072a150 100644 --- a/puppet/services/sahara-base.yaml +++ b/puppet/services/sahara-base.yaml @@ -44,6 +44,10 @@ parameters: type: string default: '' description: Set to True to enable debugging on all services. + SaharaPlugins: + default: ["ambari","cdh","mapr","vanilla","spark","storm"] + description: Sahara enabled plugin list + type: comma_delimited_list outputs: role_data: @@ -60,13 +64,6 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/sahara' - sahara::db::mysql::password: {get_param: SaharaPassword} - sahara::db::mysql::user: sahara - sahara::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - sahara::db::mysql::dbname: sahara - sahara::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" sahara::rabbit_password: {get_param: RabbitPassword} sahara::rabbit_user: {get_param: RabbitUserName} sahara::rabbit_use_ssl: {get_param: RabbitClientUseSSL} @@ -76,13 +73,7 @@ outputs: sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } sahara::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } sahara::use_neutron: true - sahara::plugins: - - ambari - - cdh - - mapr - - vanilla - - spark - - storm + sahara::plugins: {get_param: SaharaPlugins} sahara::rpc_backend: rabbit sahara::admin_tenant_name: 'service' sahara::db::database_db_max_retries: -1 diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index 7b5fa40c..97f87061 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -42,6 +42,11 @@ resources: LoggingConfiguration: type: OS::TripleO::LoggingConfiguration + ServiceServerMetadataHook: + type: OS::TripleO::ServiceServerMetadataHook + properties: + RoleData: {get_attr: [ServiceChain, role_data]} + outputs: role_data: description: Combined Role data for this set of services. @@ -54,8 +59,8 @@ outputs: data: {s_names: {get_attr: [ServiceChain, role_data, service_name]}} monitoring_subscriptions: yaql: - expression: list($.data.where($ != null).select($.get('monitoring_subscription')).where($ != null)) - data: {get_attr: [ServiceChain, role_data]} + expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} logging_sources: # Transform the individual logging_source configuration from # each service in the chain into a global list, adding some @@ -78,8 +83,9 @@ outputs: sources: - {get_attr: [LoggingConfiguration, LoggingDefaultSources]} - yaql: - expression: list($.data.where($ != null).select($.get('logging_sources')).where($ != null)) - data: {get_attr: [ServiceChain, role_data]} + expression: list($.data.role_data.where($ != null).select($.get('logging_source')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} + - {get_attr: [LoggingConfiguration, LoggingExtraSources]} default_format: {get_attr: [LoggingConfiguration, LoggingDefaultFormat]} pos_file_path: {get_attr: [LoggingConfiguration, LoggingPosFilePath]} @@ -93,17 +99,23 @@ outputs: groups: - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}] - yaql: - expression: list($.data.where($ != null).select($.get('logging_groups')).where($ != null)) - data: {get_attr: [ServiceChain, role_data]} + expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}] config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}} global_config_settings: map_merge: yaql: - expression: list($.data.where($ != null).select($.get('global_config_settings')).where($ != null)) - data: {get_attr: [ServiceChain, role_data]} + expression: list($.data.role_data.where($ != null).select($.get('global_config_settings')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} service_config_settings: yaql: - expression: $.data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {}) - data: {get_attr: [ServiceChain, role_data]} + expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {}) + data: {role_data: {get_attr: [ServiceChain, role_data]}} step_config: {list_join: ["\n", {get_attr: [ServiceChain, role_data, step_config]}]} + upgrade_tasks: + yaql: + # Note we use distinct() here to filter any identical tasks, e.g yum update for all services + expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} + service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]} diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 8b990bcd..94db9e41 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Swift Proxy service configured with Puppet @@ -41,6 +41,26 @@ parameters: MonitoringSubscriptionSwiftProxy: default: 'overcloud-swift-proxy' type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + SwiftCeilometerPipelineEnabled: + description: Set to False to disable the swift proxy ceilometer pipeline. + default: True + type: boolean + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + +conditions: + + ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]} resources: SwiftBase: @@ -66,6 +86,12 @@ outputs: swift::proxy::authtoken::project_name: 'service' swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout} swift::proxy::workers: {get_param: SwiftWorkers} + swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName} + swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword} + swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]} + swift::proxy::ceilometer::nonblocking_notify: true + tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort} + tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled} tripleo.swift_proxy.firewall_rules: '122 swift proxy': dport: @@ -75,20 +101,36 @@ outputs: - admin - swiftoperator - ResellerAdmin + swift::proxy::versioned_writes::allow_versioned_writes: true swift::proxy::pipeline: - - 'catch_errors' - - 'healthcheck' - - 'proxy-logging' - - 'cache' - - 'ratelimit' - - 'bulk' - - 'tempurl' - - 'formpost' - - 'authtoken' - - 'keystone' - - 'staticweb' - - 'proxy-logging' - - 'proxy-server' + yaql: + expression: $.data.pipeline.where($ != '') + data: + pipeline: + - 'catch_errors' + - 'healthcheck' + - 'proxy-logging' + - 'cache' + - 'ratelimit' + - 'bulk' + - 'tempurl' + - 'formpost' + - 'authtoken' + - 'keystone' + - 'staticweb' + - 'copy' + - 'container-quotas' + - 'account-quotas' + - 'slo' + - 'dlo' + - 'versioned_writes' + - + if: + - ceilometer_pipeline_enabled + - 'ceilometer' + - '' + - 'proxy-logging' + - 'proxy-server' swift::proxy::account_autocreate: true # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index e151d185..5c70b6ab 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -38,7 +38,10 @@ parameters: default: {} description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})' type: json - + SwiftUseLocalDir: + default: true + description: 'Use a local directory for Swift storage services when building rings' + type: boolean outputs: role_data: @@ -48,18 +51,18 @@ outputs: config_settings: tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild} tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas} + tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower} + tripleo::profile::base::swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours} tripleo::profile::base::swift::ringbuilder::raw_disk_prefix: 'r1z1-' tripleo::profile::base::swift::ringbuilder::raw_disks: yaql: expression: $.data.raw_disk_lists.flatten() data: raw_disk_lists: - - [':%PORT%/d1'] + - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]} - repeat: template: ':%PORT%/DEVICE' for_each: DEVICE: {get_param: SwiftRawDisks} - swift::ringbuilder::part_power: {get_param: SwiftPartPower} - swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours} step_config: | include ::tripleo::profile::base::swift::ringbuilder diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 7fbb8d90..cffe78f5 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -86,7 +86,7 @@ outputs: swift::storage::all::account_pipeline: - healthcheck - account-server - swift::storage::disks: {get_param: SwiftRawDisks} + swift::storage::disks::args: {get_param: SwiftRawDisks} swift::storage::all::storage_local_net_ip: {get_param: [ServiceNetMap, SwiftStorageNetwork]} step_config: | include ::tripleo::profile::base::swift::storage diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml index f6ec458f..7eb39905 100644 --- a/puppet/services/tripleo-firewall.yaml +++ b/puppet/services/tripleo-firewall.yaml @@ -19,7 +19,7 @@ parameters: via parameter_defaults in the resource registry. type: json ManageFirewall: - default: false + default: true description: Whether to manage IPtables rules. type: boolean PurgeFirewallRules: diff --git a/puppet/services/tripleo-packages.yaml b/puppet/services/tripleo-packages.yaml index 124f5fe8..69912fa5 100644 --- a/puppet/services/tripleo-packages.yaml +++ b/puppet/services/tripleo-packages.yaml @@ -32,3 +32,7 @@ outputs: tripleo::packages::enable_install: {get_param: EnablePackageInstall} step_config: | include ::tripleo::packages + upgrade_tasks: + - name: Update all packages + tags: step3 + yum: name=* state=latest diff --git a/puppet/services/vip-hosts.yaml b/puppet/services/vip-hosts.yaml deleted file mode 100644 index a9d757ee..00000000 --- a/puppet/services/vip-hosts.yaml +++ /dev/null @@ -1,56 +0,0 @@ -heat_template_version: 2016-04-08 - -description: > - If the deployer doesn't have a DNS server for the overcloud nodes. This will - populate the node-names and IPs for the VIPs of the overcloud. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -outputs: - role_data: - description: role data for the VIP hosts role - value: - service_name: vip_hosts - config_settings: - tripleo::vip_hosts::hosts_spec: - external: - name: "%{hiera('cloud_name_external')}" - ip: "%{hiera('public_virtual_ip')}" - ensure: present - comment: FQDN of the external VIP - internal_api: - name: "%{hiera('cloud_name_internal_api')}" - ip: "%{hiera('internal_api_virtual_ip')}" - ensure: present - comment: FQDN of the internal api VIP - storage: - name: "%{hiera('cloud_name_storage')}" - ip: "%{hiera('storage_virtual_ip')}" - ensure: present - comment: FQDN of the storage VIP - storage_mgmt: - name: "%{hiera('cloud_name_storage_mgmt')}" - ip: "%{hiera('storage_mgmt_virtual_ip')}" - ensure: present - comment: FQDN of the storage mgmt VIP - ctlplane: - name: "%{hiera('cloud_name_ctlplane')}" - ip: "%{hiera('controller_virtual_ip')}" - ensure: present - comment: FQDN of the ctlplane VIP - step_config: | - include ::tripleo::vip_hosts diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml new file mode 100644 index 00000000..77240c3c --- /dev/null +++ b/puppet/services/zaqar.yaml @@ -0,0 +1,66 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Zaqar service. Shared for all Heat services. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + DefaultPasswords: + default: {} + type: json + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + ZaqarPassword: + description: The password for Zaqar + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + + +outputs: + role_data: + description: Shared role data for the Heat services. + value: + service_name: zaqar + config_settings: + zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} + zaqar::keystone::authtoken::project_name: 'service' + zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + zaqar::debug: {get_param: Debug} + zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]} + zaqar::transport::wsgi::bind: {get_param: [ServiceNetMap, ZaqarApiNetwork]} + zaqar::message_pipeline: 'zaqar.notification.notifier' + zaqar::unreliable: true + service_config_settings: + keystone: + zaqar::keystone::auth::password: {get_param: ZaqarPassword} + zaqar::keystone::auth::public_url: {get_param: [EndpointMap, ZaqarPublic, uri]} + zaqar::keystone::auth::admin_url: {get_param: [EndpointMap, ZaqarAdmin, uri]} + zaqar::keystone::auth::internal_url: {get_param: [EndpointMap, ZaqarInternal, uri]} + zaqar::keystone::auth::region: {get_param: KeystoneRegion} + zaqar::keystone::auth::tenant: 'service' + zaqar::keystone::auth_websocket::password: {get_param: ZaqarPassword} + zaqar::keystone::auth_websocket::public_url: {get_param: [EndpointMap, ZaqarWebSocketPublic, uri]} + zaqar::keystone::auth_websocket::admin_url: {get_param: [EndpointMap, ZaqarWebSocketAdmin, uri]} + zaqar::keystone::auth_websocket::internal_url: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]} + zaqar::keystone::auth_websocket::region: {get_param: KeystoneRegion} + zaqar::keystone::auth_websocket::tenant: 'service' + + step_config: | + include ::tripleo::profile::base::zaqar |