diff options
Diffstat (limited to 'puppet/services')
122 files changed, 3079 insertions, 494 deletions
diff --git a/puppet/services/README.rst b/puppet/services/README.rst index 6e4e9c1d..223c3ed0 100644 --- a/puppet/services/README.rst +++ b/puppet/services/README.rst @@ -19,8 +19,21 @@ environment to set per service parameters. Config Settings --------------- -Each service may define a config_settings output variable which returns -Hiera settings to be configured. +Each service may define three ways in which to output variables to configure Hiera +settings on the nodes. + + * config_settings: the hiera keys will be pushed on all roles of which the service + is a part of. + + * global_config_settings: the hiera keys will be distributed to all roles + + * service_config_settings: Takes an extra key to wire in values that are + defined for a service that need to be consumed by some other service. + For example: + service_config_settings: + haproxy: + foo: bar + This will set the hiera key 'foo' on all roles where haproxy is included. Deployment Steps ---------------- @@ -49,6 +62,32 @@ are re-asserted when applying latter ones. 5) Service activation (Pacemaker) +Batch Upgrade Steps +------------------- + +Each service template may optionally define a `upgrade_batch_tasks` key, which +is a list of ansible tasks to be performed during the upgrade process. + +Similar to the step_config, we allow a series of steps for the per-service +upgrade sequence, defined as ansible tasks with a tag e.g "step1" for the first +step, "step2" for the second, etc (currently only two steps are supported, but +more may be added when required as additional services get converted to batched +upgrades). + +Note that each step is performed in batches, then we move on to the next step +which is also performed in batches (we don't perform all steps on one node, +then move on to the next one which means you can sequence rolling upgrades of +dependent services via the step value). + +The tasks performed at each step is service specific, but note that all batch +upgrade steps are performed before the `upgrade_tasks` described below. This +means that all services that support rolling upgrades can be upgraded without +downtime during `upgrade_batch_tasks`, then any remaining services are stopped +and upgraded during `upgrade_tasks` + +The default batch size is 1, but this can be overridden for each role via the +`upgrade_batch_size` option in roles_data.yaml + Upgrade Steps ------------- @@ -65,15 +104,17 @@ step, "step2" for the second, etc. 2) Stop all control-plane services, ready for upgrade - 3) Perform a package update, (either specific packages or the whole system) + 3) Perform a package update and install new packages: A general + upgrade is done, and only new package should go into service + ansible tasks. 4) Start services needed for migration tasks (e.g DB) 5) Perform any migration tasks, e.g DB sync commands - 6) Start control-plane services - - 7) Any additional online migration tasks (e.g data migrations) +Note that the services are not started in the upgrade tasks - we instead re-run +puppet which does any reconfiguration required for the new version, then starts +the services. Nova Server Metadata Settings ----------------------------- diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index 4e735b45..4bd9fc47 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -83,3 +83,9 @@ outputs: get_attr: [AodhBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::aodh::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop aodh_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped diff --git a/puppet/services/aodh-base.yaml b/puppet/services/aodh-base.yaml index 8648a971..c2c2d023 100644 --- a/puppet/services/aodh-base.yaml +++ b/puppet/services/aodh-base.yaml @@ -69,8 +69,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/aodh' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' aodh::debug: {get_param: Debug} aodh::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } aodh::rabbit_userid: {get_param: RabbitUserName} @@ -80,7 +79,7 @@ outputs: aodh::keystone::authtoken::project_name: 'service' aodh::keystone::authtoken::password: {get_param: AodhPassword} aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } aodh::auth::auth_password: {get_param: AodhPassword} aodh::auth::auth_region: 'regionOne' aodh::auth::auth_tenant_name: 'service' diff --git a/puppet/services/aodh-evaluator.yaml b/puppet/services/aodh-evaluator.yaml index 61f8c23f..56dbb558 100644 --- a/puppet/services/aodh-evaluator.yaml +++ b/puppet/services/aodh-evaluator.yaml @@ -40,3 +40,10 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::evaluator + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-aodh-evaluator is running" + shell: /usr/bin/systemctl show 'openstack-aodh-evaluator' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop aodh_evaluator service + tags: step2 + service: name=openstack-aodh-evaluator state=stopped diff --git a/puppet/services/aodh-listener.yaml b/puppet/services/aodh-listener.yaml index 715165b3..76db0ca8 100644 --- a/puppet/services/aodh-listener.yaml +++ b/puppet/services/aodh-listener.yaml @@ -40,3 +40,10 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::listener + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-aodh-listener is running" + shell: /usr/bin/systemctl show 'openstack-aodh-listener' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop aodh_listener service + tags: step2 + service: name=openstack-aodh-listener state=stopped diff --git a/puppet/services/aodh-notifier.yaml b/puppet/services/aodh-notifier.yaml index da85581b..30c67635 100644 --- a/puppet/services/aodh-notifier.yaml +++ b/puppet/services/aodh-notifier.yaml @@ -40,3 +40,10 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::notifier + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-aodh-notifier is running" + shell: /usr/bin/systemctl show 'openstack-aodh-notifier' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop aodh_notifier service + tags: step2 + service: name=openstack-aodh-notifier state=stopped diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml index 07ec1b3c..4c21e02a 100644 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ b/puppet/services/apache-internal-tls-certmonger.yaml @@ -21,6 +21,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + ApacheNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the Apache role. @@ -38,13 +54,16 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [ApacheNetworks, value]} + metadata_settings: + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service httpd is running" + shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' + tags: step0,validation diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 2e95dcb0..74ddbde8 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -64,3 +64,9 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" + metadata_settings: + get_attr: [ApacheTLS, role_data, metadata_settings] + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service httpd is running" + shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' + tags: step0,validation diff --git a/puppet/services/auditd.yaml b/puppet/services/auditd.yaml new file mode 100644 index 00000000..639631e1 --- /dev/null +++ b/puppet/services/auditd.yaml @@ -0,0 +1,34 @@ +heat_template_version: ocata + +description: > + AuditD configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + AuditdRules: + description: Mapping of auditd rules + type: json + default: {} + +outputs: + role_data: + description: Role data for the auditd service + value: + service_name: auditd + config_settings: + auditd::rules: {get_param: AuditdRules} + step_config: | + include ::tripleo::profile::base::auditd diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index 000a744c..ffc4c83a 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -75,7 +75,7 @@ outputs: - get_attr: [ApacheServiceBase, role_data, config_settings] - barbican::keystone::authtoken::password: {get_param: BarbicanPassword} barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::project_name: 'service' barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} barbican::api::db_auto_create: false @@ -105,8 +105,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/barbican' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' tripleo.barbican_api.firewall_rules: '117 barbican': dport: @@ -136,11 +135,17 @@ outputs: nova::compute::barbican_endpoint: get_param: [EndpointMap, BarbicanInternal, uri] nova::compute::barbican_auth_endpoint: - get_param: [EndpointMap, KeystoneV3Internal, uri] + get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] cinder_api: cinder::api::keymgr_api_class: > castellan.key_manager.barbican_key_manager.BarbicanKeyManager cinder::api::keymgr_encryption_api_url: get_param: [EndpointMap, BarbicanInternal, uri] cinder::api::keymgr_encryption_auth_url: - get_param: [EndpointMap, KeystoneV3Internal, uri] + get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running" + shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation diff --git a/puppet/services/ceilometer-agent-central.yaml b/puppet/services/ceilometer-agent-central.yaml index b9d8966c..cf8a8a8e 100644 --- a/puppet/services/ceilometer-agent-central.yaml +++ b/puppet/services/ceilometer-agent-central.yaml @@ -54,3 +54,10 @@ outputs: - ceilometer_redis_password: {get_param: RedisPassword} step_config: | include ::tripleo::profile::base::ceilometer::agent::central + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-central is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-central' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_agent_central service + tags: step2 + service: name=openstack-ceilometer-central state=stopped diff --git a/puppet/services/ceilometer-agent-compute.yaml b/puppet/services/ceilometer-agent-compute.yaml index b1d36c94..00042914 100644 --- a/puppet/services/ceilometer-agent-compute.yaml +++ b/puppet/services/ceilometer-agent-compute.yaml @@ -21,6 +21,12 @@ parameters: MonitoringSubscriptionCeilometerCompute: default: 'overcloud-ceilometer-agent-compute' type: string + InstanceDiscoveryMethod: + default: 'libvirt_metadata' + description: Method used to discover instances running on compute node + type: string + constraints: + - allowed_values: ['naive', 'libvirt_metadata', 'workload_partitioning'] resources: CeilometerServiceBase: @@ -37,6 +43,15 @@ outputs: service_name: ceilometer_agent_compute monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerCompute} config_settings: - get_attr: [CeilometerServiceBase, role_data, config_settings] + map_merge: + - get_attr: [CeilometerServiceBase, role_data, config_settings] + - ceilometer::agent::compute::instance_discovery_method: {get_param: InstanceDiscoveryMethod} step_config: | include ::tripleo::profile::base::ceilometer::agent::compute + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-compute is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-compute' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_agent_compute service + tags: step2 + service: name=openstack-ceilometer-compute state=stopped diff --git a/puppet/services/ceilometer-agent-notification.yaml b/puppet/services/ceilometer-agent-notification.yaml index 9c9a3bd9..760acd65 100644 --- a/puppet/services/ceilometer-agent-notification.yaml +++ b/puppet/services/ceilometer-agent-notification.yaml @@ -49,3 +49,10 @@ outputs: get_attr: [CeilometerServiceBase, role_data, config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::notification + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-notification is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-notification' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_agent_notification service + tags: step2 + service: name=openstack-ceilometer-notification state=stopped diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 63e02d4f..741f8da1 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -90,3 +90,9 @@ outputs: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop ceilometer_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index a86a0cdf..874c6893 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -93,16 +93,14 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ceilometer' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' ceilometer_backend: {get_param: CeilometerBackend} - ceilometer::metering_secret: {get_param: CeilometerMeteringSecret} # we include db_sync class in puppet-tripleo ceilometer::db::sync_db: false ceilometer::keystone::authtoken::project_name: 'service' ceilometer::keystone::authtoken::password: {get_param: CeilometerPassword} ceilometer::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::agent::auth::auth_password: {get_param: CeilometerPassword} ceilometer::agent::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::agent::notification::event_pipeline_publishers: {get_param: EventPipelinePublishers} diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml index 88e7d781..a219f9eb 100644 --- a/puppet/services/ceilometer-collector.yaml +++ b/puppet/services/ceilometer-collector.yaml @@ -59,3 +59,10 @@ outputs: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::collector + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-collector is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-collector' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_collector service + tags: step2 + service: name=openstack-ceilometer-collector state=stopped diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml index aaa9b039..134f47c4 100644 --- a/puppet/services/ceph-external.yaml +++ b/puppet/services/ceph-external.yaml @@ -89,23 +89,23 @@ outputs: ceph::profile::params::fsid: {get_param: CephClusterFSID} ceph::profile::params::rbd_default_features: {get_param: RbdDefaultFeatures} ceph::profile::params::client_keys: - str_replace: - template: "{ - client.CLIENT_USER: { - secret: 'CLIENT_KEY', - mode: '0644', - cap_mon: 'allow r', - cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' - } - }" - params: - CLIENT_USER: {get_param: CephClientUserName} - CLIENT_KEY: {get_param: CephClientKey} - NOVA_POOL: {get_param: NovaRbdPoolName} - CINDER_POOL: {get_param: CinderRbdPoolName} - CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} - GLANCE_POOL: {get_param: GlanceRbdPoolName} - GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + map_replace: + - CEPH_CLIENT_KEY: + secret: {get_param: CephClientKey} + mode: '0644' + cap_mon: 'allow r' + cap_osd: + str_replace: + template: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' + params: + NOVA_POOL: {get_param: NovaRbdPoolName} + CINDER_POOL: {get_param: CinderRbdPoolName} + CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} + GLANCE_POOL: {get_param: GlanceRbdPoolName} + GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + - keys: + CEPH_CLIENT_KEY: + list_join: ['.', ['client', {get_param: CephClientUserName}]] ceph::profile::params::manage_repo: false # FIXME(gfidente): we should not have to list the packages explicitly in # the templates, but this should stay until the following is fixed: diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index 68ad69b7..d589ef89 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml @@ -59,6 +59,14 @@ parameters: } default: {} type: json + CephValidationRetries: + type: number + default: 5 + description: Number of retry attempts for Ceph validation + CephValidationDelay: + type: number + default: 10 + description: Interval (in seconds) in between validation checks MonitoringSubscriptionCephMon: default: 'overcloud-ceph-mon' type: string @@ -113,3 +121,38 @@ outputs: get_attr: [CephBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceph::mon + upgrade_batch_tasks: + # Note we perform these tasks in list order, but they are all step0 so + # we can perform a rolling upgrade of all mon nodes in step0, then a + # rolling upgrade of all osd nodes in step1 + - name: Check status + tags: step0,validation + shell: ceph health | egrep -sq "HEALTH_OK|HEALTH_WARN" + - name: Stop CephMon + tags: step0 + service: + name: ceph-mon@{{ ansible_hostname }} + state: stopped + - name: Update Ceph packages + tags: step0 + yum: + name: ceph-mon + state: latest + - name: Start CephMon + tags: step0 + service: + name: ceph-mon@{{ ansible_hostname }} + state: started + # ceph-ansible + # https://github.com/ceph/ceph-ansible/blob/master/infrastructure-playbooks/rolling_update.yml#L149-L157 + - name: Wait for the monitor to join the quorum... + tags: step0,ceph_quorum_validation + shell: | + ceph -s | grep monmap | sed 's/.*quorum//' | egrep -sq {{ ansible_hostname }} + register: ceph_quorum_nodecheck + until: ceph_quorum_nodecheck.rc == 0 + retries: {get_param: CephValidationRetries} + delay: {get_param: CephValidationDelay} + - name: ceph osd crush tunables default + tags: step0 + shell: ceph osd crush tunables default diff --git a/puppet/services/ceph-osd.yaml b/puppet/services/ceph-osd.yaml index df0ee6c3..a97fa116 100644 --- a/puppet/services/ceph-osd.yaml +++ b/puppet/services/ceph-osd.yaml @@ -21,6 +21,24 @@ parameters: MonitoringSubscriptionCephOsd: default: 'overcloud-ceph-osd' type: string + CephValidationRetries: + type: number + default: 40 + description: Number of retry attempts for Ceph validation + CephValidationDelay: + type: number + default: 30 + description: Interval (in seconds) in between validation checks + IgnoreCephUpgradeWarnings: + type: boolean + default: false + description: If enabled, Ceph upgrade will be forced even though cluster or PGs status is not clean + +parameter_groups: +- label: deprecated + description: Do not use deprecated params, they will be removed. + parameters: + - IgnoreCephUpgradeWarnings resources: CephBase: @@ -45,3 +63,67 @@ outputs: - '6800-7300' step_config: | include ::tripleo::profile::base::ceph::osd + upgrade_batch_tasks: + - name: Check status + tags: step1,validation + shell: ceph health | grep -qv HEALTH_ERR + - name: Get OSD IDs + tags: step1 + shell: ls /var/lib/ceph/osd | awk 'BEGIN { FS = "-" } ; { print $2 }' + register: osd_ids + # "so that mirrors aren't rebalanced as if the OSD died" - gfidente / leseb + - name: ceph osd set noout + tags: step1 + command: ceph osd set noout + - name: ceph osd set norebalance + tags: step1 + command: ceph osd set norebalance + - name: ceph osd set nodeep-scrub + tags: step1 + command: ceph osd set nodeep-scrub + - name: ceph osd set noscrub + tags: step1 + command: ceph osd set noscrub + - name: Stop CephOSD + tags: step1 + service: + name: ceph-osd@{{ item }} + state: stopped + with_items: "{{osd_ids.stdout.strip().split()}}" + - name: Update Ceph packages + tags: step1 + yum: + name: ceph-osd + state: latest + - name: Start CephOSD + tags: step1 + service: + name: ceph-osd@{{ item }} + state: started + with_items: "{{osd_ids.stdout.strip().split()}}" + # with awk we are meant to check if $2 and $4 are *the same* but it returns 1 when + # they are, so the check is inverted to produce an useful exit code + - name: Wait for clean pgs... + tags: step1,ceph_pgs_clean_validation + vars: + ignore_warnings: {get_param: IgnoreCephUpgradeWarnings} + shell: | + ceph pg stat | awk '{exit($2!=$4)}' && ceph health | egrep -sq "HEALTH_OK|HEALTH_WARN" + register: ceph_pgs_healthcheck + until: ceph_pgs_healthcheck.rc == 0 + retries: {get_param: CephValidationRetries} + delay: {get_param: CephValidationDelay} + when: + - not ignore_warnings + - name: ceph osd unset noout + tags: step1 + command: ceph osd unset noout + - name: ceph osd unset norebalance + tags: step1 + command: ceph osd unset norebalance + - name: ceph osd unset nodeep-scrub + tags: step1 + command: ceph osd unset nodeep-scrub + - name: ceph osd unset noscrub + tags: step1 + command: ceph osd unset noscrub diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 6448387c..c5b29c7e 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml @@ -54,10 +54,14 @@ outputs: - get_attr: [CephBase, role_data, config_settings] - tripleo::profile::base::ceph::rgw::rgw_key: {get_param: CephRgwKey} tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken} - tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]} tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]} - ceph::params::user_radosgw: ceph + tripleo::profile::base::ceph::rgw::rgw_keystone_version: v3 + ceph::profile::params::rgw_keystone_admin_domain: default + ceph::profile::params::rgw_keystone_admin_project: service + ceph::profile::params::rgw_keystone_admin_user: swift + ceph::profile::params::rgw_keystone_admin_password: {get_param: SwiftPassword} tripleo.ceph_rgw.firewall_rules: '122 ceph rgw': dport: {get_param: [EndpointMap, CephRgwInternal, port]} @@ -68,7 +72,21 @@ outputs: ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]} ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} - ceph::rgw::keystone::auth::user: 'swift' - ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} - ceph::rgw::keystone::auth::tenant: 'service' + ceph::rgw::keystone::auth::roles: [ 'admin', 'member', '_member_' ] + ceph::rgw::keystone::auth::tenant: service + ceph::rgw::keystone::auth::user: swift + ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} + upgrade_tasks: + - name: Gather RGW instance ID + tags: step0 + shell: hiera -c /etc/puppet/hiera.yaml ceph::profile::params::rgw_name radosgw.gateway + register: rgw_id + - name: Check status + shell: /usr/bin/systemctl show ceph-radosgw@{{rgw_id.stdout}} --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop RGW instance + tags: step1 + service: + name: ceph-radosgw@{{rgw_id.stdout}} + state: stopped diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 7d197831..8c5a07ac 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -81,7 +81,7 @@ outputs: - get_attr: [CinderBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} cinder::keystone::authtoken::password: {get_param: CinderPassword} cinder::keystone::authtoken::project_name: 'service' cinder::api::enable_proxy_headers_parsing: true @@ -91,7 +91,6 @@ outputs: cinder::config: DEFAULT/swift_catalog_info: value: 'object-store:swift:internalURL' - cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge} tripleo.cinder_api.firewall_rules: '119 cinder': @@ -147,7 +146,12 @@ outputs: cinder::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running" + shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: check for cinder running under apache (post upgrade) tags: step2 shell: "apachectl -t -D DUMP_VHOSTS | grep -q cinder" @@ -160,6 +164,3 @@ outputs: - name: Stop and disable cinder_api service (pre-upgrade not under httpd) tags: step2 service: name=openstack-cinder-api state=stopped enabled=no - - name: Start cinder_api service (running under httpd) - tags: step6 - service: name=httpd state=started diff --git a/puppet/services/cinder-backend-dellps.yaml b/puppet/services/cinder-backend-dellps.yaml new file mode 100644 index 00000000..1f15c53e --- /dev/null +++ b/puppet/services/cinder-backend-dellps.yaml @@ -0,0 +1,85 @@ +# Copyright (c) 2017 Dell Inc. or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +heat_template_version: ocata + +description: > + Openstack Cinder Dell EMC PS Series backend + +parameters: + CinderEnableDellPsBackend: + type: boolean + default: true + CinderDellPsBackendName: + type: string + default: 'tripleo_dellps' + CinderDellPsSanIp: + type: string + CinderDellPsSanLogin: + type: string + CinderDellPsSanPassword: + type: string + hidden: true + CinderDellPsSanThinProvision: + type: boolean + default: true + CinderDellPsGroupname: + type: string + default: 'group-0' + CinderDellPsPool: + type: string + default: 'default' + CinderDellPsChapLogin: + type: string + default: '' + CinderDellPsChapPassword: + type: string + default: '' + CinderDellPsUseChap: + type: boolean + default: false + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Cinder Dell EMC PS Series backend. + value: + service_name: cinder_backend_dellps + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_dellps_backend: {get_param: CinderEnableDellPsBackend} + cinder::backend::eqlx::volume_backend_name: {get_param: CinderDellPsBackendName} + cinder::backend::eqlx::san_ip: {get_param: CinderDellPsSanIp} + cinder::backend::eqlx::san_login: {get_param: CinderDellPsSanLogin} + cinder::backend::eqlx::san_password: {get_param: CinderDellPsSanPassword} + cinder::backend::eqlx::san_thin_provision: {get_param: CinderDellPsSanThinProvision} + cinder::backend::eqlx::eqlx_group_name: {get_param: CinderDellPsGroupname} + cinder::backend::eqlx::eqlx_pool: {get_param: CinderDellPsPool} + cinder::backend::eqlx::eqlx_use_chap: {get_param: CinderDellPsUseChap} + cinder::backend::eqlx::eqlx_chap_login: {get_param: CinderDellPsChapLogin} + cinder::backend::eqlx::eqlx_chap_password: {get_param: CinderDellPsChapPassword} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-backend-dellsc.yaml b/puppet/services/cinder-backend-dellsc.yaml new file mode 100644 index 00000000..6a6196ac --- /dev/null +++ b/puppet/services/cinder-backend-dellsc.yaml @@ -0,0 +1,85 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +heat_template_version: ocata + +description: > + Openstack Cinder Dell EMC Storage Center backend + +parameters: + CinderEnableDellScBackend: + type: boolean + default: true + CinderDellScBackendName: + type: string + default: 'tripleo_dellsc' + CinderDellScSanIp: + type: string + CinderDellScSanLogin: + type: string + default: 'Admin' + CinderDellScSanPassword: + type: string + hidden: true + CinderDellScSsn: + type: number + default: 64702 + CinderDellScIscsiIpAddress: + type: string + default: '' + CinderDellScIscsiPort: + type: number + default: 3260 + CinderDellScApiPort: + type: number + default: 3033 + CinderDellScServerFolder: + type: string + default: 'dellsc_server' + CinderDellScVolumeFolder: + type: string + default: 'dellsc_volume' + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Cinder Dell EMC Storage Center backend. + value: + service_name: cinder_backend_dellsc + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_dellsc_backend: {get_param: CinderEnableDellScBackend} + cinder::backend::dellsc_iscsi::volume_backend_name: {get_param: CinderDellScBackendName} + cinder::backend::dellsc_iscsi::san_ip: {get_param: CinderDellScSanIp} + cinder::backend::dellsc_iscsi::san_login: {get_param: CinderDellScSanLogin} + cinder::backend::dellsc_iscsi::san_password: {get_param: CinderDellScSanPassword} + cinder::backend::dellsc_iscsi::dell_sc_ssn: {get_param: CinderDellScSsn} + cinder::backend::dellsc_iscsi::iscsi_ip_address: {get_param: CinderDellScIscsiIpAddress} + cinder::backend::dellsc_iscsi::iscsi_port: {get_param: CinderDellScIscsiPort} + cinder::backend::dellsc_iscsi::dell_sc_api_port: {get_param: CinderDellScApiPort} + cinder::backend::dellsc_iscsi::dell_sc_server_folder: {get_param: CinderDellScServerFolder} + cinder::backend::dellsc_iscsi::dell_sc_volume_folder: {get_param: CinderDellScVolumeFolder} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-backend-scaleio.yaml b/puppet/services/cinder-backend-scaleio.yaml new file mode 100644 index 00000000..eb709cd5 --- /dev/null +++ b/puppet/services/cinder-backend-scaleio.yaml @@ -0,0 +1,111 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +heat_template_version: ocata + +description: > + Openstack Cinder Dell EMC ScaleIO backend + +parameters: + CinderEnableScaleIOBackend: + type: boolean + default: true + CinderScaleIOBackendName: + type: string + default: 'tripleo_scaleio' + CinderScaleIOSanIp: + type: string + default: '' + CinderScaleIOSanLogin: + type: string + default: '' + CinderScaleIOSanPassword: + type: string + default: '' + hidden: true + CinderScaleIORestServerPort: + type: number + default: 443 + CinderScaleIOVerifyServerCertificate: + type: boolean + default: false + CinderScaleIOServerCertificatePath: + type: string + default: '' + CinderScaleIOProtectionDomainId: + type: string + default: '' + CinderScaleIOProtectionDomainName: + type: string + default: '' + CinderScaleIOStoragePoolId: + type: string + default: '' + CinderScaleIOStoragePoolName: + type: string + default: '' + CinderScaleIOStoragePools: + type: string + default: '' + CinderScaleIORoundVolumeCapacity: + type: boolean + default: true + CinderScaleIOUnmapVolumeBeforeDeletion: + type: boolean + default: false + CinderScaleIOMaxOverSubscriptionRatio: + type: string + default: '' + CinderScaleIOSanThinProvision: + type: boolean + default: true + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Cinder Dell EMC ScaleIO backend. + value: + service_name: cinder_backend_scaleio + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_scaleio_backend: {get_param: CinderEnableScaleIOBackend} + cinder::backend::scaleio::volume_backend_name: {get_param: CinderScaleIOBackendName} + cinder::backend::scaleio::sio_login: {get_param: CinderScaleIOSanLogin} + cinder::backend::scaleio::sio_password: {get_param: CinderScaleIOSanPassword} + cinder::backend::scaleio::sio_server_hostname: {get_param: CinderScaleIOSanIp} + cinder::backend::scaleio::sio_server_port: {get_param: CinderScaleIORestServerPort} + cinder::backend::scaleio::sio_verify_server_certificate: {get_param: CinderScaleIOVerifyServerCertificate} + cinder::backend::scaleio::sio_server_certificate_path: {get_param: CinderScaleIOServerCertificatePath} + cinder::backend::scaleio::sio_protection_domain_name: {get_param: CinderScaleIOProtectionDomainName} + cinder::backend::scaleio::sio_protection_domain_id: {get_param: CinderScaleIOProtectionDomainId} + cinder::backend::scaleio::sio_storage_pool_id: {get_param: CinderScaleIOStoragePoolId} + cinder::backend::scaleio::sio_storage_pool_name: {get_param: CinderScaleIOStoragePoolName} + cinder::backend::scaleio::sio_storage_pools: {get_param: CinderScaleIOStoragePools} + cinder::backend::scaleio::sio_round_volume_capacity: {get_param: CinderScaleIORoundVolumeCapacity} + cinder::backend::scaleio::sio_unmap_volume_before_deletion: {get_param: CinderScaleIOUnmapVolumeBeforeDeletion} + cinder::backend::scaleio::sio_max_over_subscription_ratio: {get_param: CinderScaleIOMaxOverSubscriptionRatio} + cinder::backend::scaleio::sio_thin_provision: {get_param: CinderScaleIOThinProvision} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-base.yaml b/puppet/services/cinder-base.yaml index be4b4af2..88e7edb7 100644 --- a/puppet/services/cinder-base.yaml +++ b/puppet/services/cinder-base.yaml @@ -44,6 +44,46 @@ parameters: default: guest description: The username for RabbitMQ type: string + CinderCronDbPurgeMinute: + type: string + description: > + Cron to move deleted instances to another table - Minute + default: '1' + CinderCronDbPurgeHour: + type: string + description: > + Cron to move deleted instances to another table - Hour + default: '0' + CinderCronDbPurgeMonthday: + type: string + description: > + Cron to move deleted instances to another table - Month Day + default: '*' + CinderCronDbPurgeMonth: + type: string + description: > + Cron to move deleted instances to another table - Month + default: '*' + CinderCronDbPurgeWeekday: + type: string + description: > + Cron to move deleted instances to another table - Week Day + default: '*' + CinderCronDbPurgeUser: + type: string + description: > + Cron to move deleted instances to another table - User + default: 'keystone' + CinderCronDbPurgeAge: + type: string + description: > + Cron to move deleted instances to another table - Age + default: '0' + CinderCronDbPurgeDestination: + type: string + description: > + Cron to move deleted instances to another table - Log destination + default: '/var/log/cinder/cinder-rowsflush.log' outputs: role_data: @@ -60,8 +100,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/cinder' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' cinder::debug: {get_param: Debug} cinder::rabbit_use_ssl: {get_param: RabbitClientUseSSL} cinder::rabbit_userid: {get_param: RabbitUserName} @@ -71,3 +110,12 @@ outputs: cinder::cron::db_purge::destination: '/dev/null' cinder::db::database_db_max_retries: -1 cinder::db::database_max_retries: -1 + cinder::cron::db_purge::minute: {get_param: CinderCronDbPurgeMinute} + cinder::cron::db_purge::hour: {get_param: CinderCronDbPurgeHour} + cinder::cron::db_purge::monthday: {get_param: CinderCronDbPurgeMonthday} + cinder::cron::db_purge::month: {get_param: CinderCronDbPurgeMonth} + cinder::cron::db_purge::weekday: {get_param: CinderCronDbPurgeWeekday} + cinder::cron::db_purge::user: {get_param: CinderCronDbPurgeUser} + cinder::cron::db_purge::age: {get_param: CinderCronDbPurgeAge} + cinder::cron::db_purge::destination: {get_param: CinderCronDbPurgeDestination} + cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} diff --git a/puppet/services/cinder-scheduler.yaml b/puppet/services/cinder-scheduler.yaml index e12af631..f102810e 100644 --- a/puppet/services/cinder-scheduler.yaml +++ b/puppet/services/cinder-scheduler.yaml @@ -52,9 +52,9 @@ outputs: step_config: | include ::tripleo::profile::base::cinder::scheduler upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-cinder-scheduler is running" + shell: /usr/bin/systemctl show 'openstack-cinder-scheduler' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop cinder_scheduler service tags: step2 service: name=openstack-cinder-scheduler state=stopped - - name: Start cinder_scheduler service - tags: step6 - service: name=openstack-cinder-scheduler state=started diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index cc06d87b..3a06afb8 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml @@ -20,6 +20,10 @@ parameters: default: lioadm description: The iSCSI helper to use with cinder. type: string + CinderISCSIProtocol: + default: iscsi + description: Whether to use TCP ('iscsi') or iSER RDMA ('iser') for iSCSI + type: string CinderLVMLoopDeviceSize: default: 10280 description: The size of the loopback file used by the cinder LVM driver. @@ -97,6 +101,7 @@ outputs: SERVERS: {get_param: CinderNfsServers} tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize} tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper} + tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol} tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName} tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName} tripleo.cinder_volume.firewall_rules: @@ -111,13 +116,9 @@ outputs: step_config: | include ::tripleo::profile::base::cinder::volume upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-cinder-volume is running" + shell: /usr/bin/systemctl show 'openstack-cinder-volume' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop cinder_volume service tags: step2 service: name=openstack-cinder-volume state=stopped - - name: Sync cinder_volume DB - tags: step5 - command: cinder-manage db sync - - name: Start cinder_volume service - tags: step6 - service: name=openstack-cinder-volume state=started - diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml new file mode 100644 index 00000000..6855a838 --- /dev/null +++ b/puppet/services/congress.yaml @@ -0,0 +1,97 @@ +heat_template_version: ocata + +description: > + OpenStack Congress service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CongressPassword: + description: The password for the congress service account. + type: string + hidden: true + Debug: + type: string + default: '' + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + +outputs: + role_data: + description: Role data for the Congress role. + value: + service_name: congress + config_settings: + congress_password: {get_param: CongressPassword} + congress::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://congress:' + - {get_param: CongressPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/congress' + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + congress::keystone::auth::tenant: 'service' + congress::keystone::auth::password: {get_param: CongressPassword} + congress::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + congress::debug: {get_param: Debug} + congress::rpc_backend: rabbit + congress::rabbit_userid: {get_param: RabbitUserName} + congress::rabbit_password: {get_param: RabbitPassword} + congress::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + congress::rabbit_port: {get_param: RabbitClientPort} + congress::server::bind_host: {get_param: [ServiceNetMap, CongressApiNetwork]} + + congress::db::mysql::password: {get_param: CongressPassword} + congress::db::mysql::user: congress + congress::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + congress::db::mysql::dbname: congress + congress::db::mysql::allowed_hosts: + - '%' + - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + + + step_config: | + include ::tripleo::profile::base::congress + + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-congress-server is running" + shell: /usr/bin/systemctl show 'openstack-congress-server' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop congress service + tags: step2 + service: name=openstack-congress-server state=stopped diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 8290cae7..63ec4446 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -66,3 +66,10 @@ outputs: mongodb::server::bind_ip: {get_param: [ServiceNetMap, MongodbNetwork]} step_config: | include ::tripleo::profile::base::database::mongodb + upgrade_tasks: + - name: Stop mongodb service + tags: step2 + service: name=mongod state=stopped + - name: Start mongodb service + tags: step4 + service: name=mongod state=started diff --git a/puppet/services/database/mysql-client.yaml b/puppet/services/database/mysql-client.yaml new file mode 100644 index 00000000..1415391c --- /dev/null +++ b/puppet/services/database/mysql-client.yaml @@ -0,0 +1,30 @@ +heat_template_version: ocata + +description: > + Mysql client settings + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role for setting mysql client parameters + value: + service_name: mysql_client + config_settings: + tripleo::profile::base:database::mysql::client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]} + step_config: | + include ::tripleo::profile::base::database::mysql::client diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml index 56d037e7..9f7eaf57 100644 --- a/puppet/services/database/mysql-internal-tls-certmonger.yaml +++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml @@ -41,3 +41,7 @@ outputs: template: "mysql/%{hiera('cloud_name_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + metadata_settings: + - service: mysql + network: {get_param: [ServiceNetMap, MysqlNetwork]} + type: vip diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 7e12894f..808f1353 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -34,6 +34,10 @@ parameters: default: true description: Whether to use Galera instead of regular MariaDB. type: boolean + NovaPassword: + description: The password for the nova db account + type: string + hidden: true resources: @@ -94,6 +98,8 @@ outputs: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql + metadata_settings: + get_attr: [MySQLTLS, role_data, metadata_settings] upgrade_tasks: - name: Check for galera root password tags: step0 @@ -104,4 +110,15 @@ outputs: - name: Start service tags: step4 service: name=mariadb state=started - + - name: Setup cell_v2 (create cell0 database) + tags: step4 + mysql_db: + name: nova_cell0 + state: present + - name: Setup cell_v2 (grant access to the nova DB user) + tags: step4 + mysql_user: + str_replace: + template: "name=nova password=PASSWORD host=\"%\" priv=\"nova.*:ALL/nova_cell0.*:ALL,GRANT\" state=present" + params: + PASSWORD: {get_param: NovaPassword} diff --git a/puppet/services/disabled/glance-registry.yaml b/puppet/services/disabled/glance-registry.yaml new file mode 100644 index 00000000..4d22bddc --- /dev/null +++ b/puppet/services/disabled/glance-registry.yaml @@ -0,0 +1,30 @@ +heat_template_version: ocata + +description: > + OpenStack Glance Registry service, disabled since ocata + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the disabled Glance Registry role. + value: + service_name: glance_registry + upgrade_tasks: + - name: Stop and disable glance_registry service on upgrade + tags: step2 + service: name=openstack-glance-registry state=stopped enabled=no diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml new file mode 100644 index 00000000..bb10140e --- /dev/null +++ b/puppet/services/ec2-api.yaml @@ -0,0 +1,117 @@ +heat_template_version: ocata + +description: > + OpenStack EC2-API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + Ec2ApiWorkers: + default: 0 + description: Number of workers for EC2-API service. + type: number + Ec2ApiPassword: + description: The password for the nova service and db account, used by nova-api. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + MonitoringSubscriptionEc2Api: + default: 'overcloud-ec2-api' + type: string + Ec2ApiLoggingSource: + type: json + default: + tag: openstack.ec2.api + path: /var/log/ec2api/ec2api.log + EnablePackageInstall: + default: 'false' + description: Set to true to enable package installation via Puppet + type: boolean + + +conditions: + nova_workers_zero: {equals : [{get_param: Ec2ApiWorkers}, 0]} + +outputs: + role_data: + description: Role data for the EC2-API service. + value: + service_name: ec2_api + monitoring_subscription: {get_param: MonitoringSubscriptionEc2Api} + logging_source: {get_param: Ec2ApiLoggingSource} + logging_groups: + - nova + config_settings: + map_merge: + - tripleo.ec2_api.firewall_rules: + '113 ec2_api': + dport: + - 8788 + - 13788 + ec2api::keystone::authtoken::project_name: 'service' + ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword} + ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ec2api::api::enabled: true + ec2api::package_manage: {get_param: EnablePackageInstall} + ec2api::api::ec2api_listen: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, Ec2ApiNetwork]} + ec2api::metadata::metadata_listen: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, Ec2ApiMetadataNetwork]} + ec2api::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://ec2_api:' + - {get_param: Ec2ApiPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/ec2_api' + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + - + if: + - nova_workers_zero + - {} + - ec2api::api::ec2api_workers: {get_param: Ec2ApiWorkers} + ec2api::metadata::metadata_workers: {get_param: Ec2ApiWorkers} + step_config: | + include tripleo::profile::base::nova::ec2api + service_config_settings: + keystone: + ec2api::keystone::auth::tenant: 'service' + ec2api::keystone::auth::public_url: {get_param: [EndpointMap, Ec2ApiPublic, uri]} + ec2api::keystone::auth::internal_url: {get_param: [EndpointMap, Ec2ApiInternal, uri]} + ec2api::keystone::auth::admin_url: {get_param: [EndpointMap, Ec2ApiAdmin, uri]} + ec2api::keystone::auth::password: {get_param: Ec2ApiPassword} + ec2api::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + ec2api::db::mysql::password: {get_param: Ec2ApiPassword} + ec2api::db::mysql::user: ec2_api + ec2api::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ec2api::db::mysql::dbname: ec2_api + ec2api::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/etcd.yaml b/puppet/services/etcd.yaml new file mode 100644 index 00000000..f96fa723 --- /dev/null +++ b/puppet/services/etcd.yaml @@ -0,0 +1,58 @@ +heat_template_version: ocata + +description: > + Etcd service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + EtcdInitialClusterToken: + default: 'etcd-tripleo' + description: Initial cluster token for the etcd cluster during bootstrap. + type: string + MonitoringSubscriptionEtcd: + default: 'overcloud-etcd' + type: string + +outputs: + role_data: + description: Role data for the Etcd role. + value: + service_name: etcd + monitoring_subscription: {get_param: MonitoringSubscriptionEtcd} + config_settings: + etcd::etcd_name: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + tripleo::profile::base::etcd::bind_ip: {get_param: [ServiceNetMap, EtcdNetwork]} + tripleo::profile::base::etcd::client_port: '2379' + tripleo::profile::base::etcd::peer_port: '2380' + etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken} + etcd::manage_package: false + tripleo.etcd.firewall_rules: + '141 etcd': + dport: + - 2379 + - 2380 + step_config: | + include ::tripleo::profile::base::etcd diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 6d01bd48..d26d96aa 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -45,8 +45,23 @@ parameters: default: tag: openstack.glance.api path: /var/log/glance/api.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: + + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + GlanceBase: type: ./glance-base.yaml properties: @@ -66,6 +81,7 @@ outputs: config_settings: map_merge: - get_attr: [GlanceBase, role_data, config_settings] + - get_attr: [TLSProxyBase, role_data, config_settings] - glance::api::database_connection: list_join: - '' @@ -75,11 +91,10 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/glance' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false glance::api::enable_v2_api: true glance::api::authtoken::password: {get_param: GlancePassword} @@ -100,18 +115,34 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_bind_ip: + get_param: [ServiceNetMap, GlanceApiNetwork] + tripleo::profile::base::glance::api::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_port: + get_param: [EndpointMap, GlanceInternal, port] + # Bind to localhost if internal TLS is enabled, since we put a TLs + # proxy in front. + glance::api::bind_host: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api service_config_settings: get_attr: [GlanceBase, role_data, service_config_settings] upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-glance-api is running" + shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop glance_api service tags: step2 service: name=openstack-glance-api state=stopped - - name: Sync glance_api DB - tags: step5 - command: glance-manage --config-file=/etc/glance/glance-api.conf db_sync - - name: Start glance_api service - tags: step6 - service: name=openstack-glance-api state=started + - name: Stop and disable glance registry (removed for Ocata) + tags: step2 + service: name=openstack-glance-registry state=stopped enabled=no diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 3929e005..22c0967e 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -84,7 +84,7 @@ outputs: gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} gnocchi::keystone::authtoken::project_name: 'service' gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS} @@ -103,15 +103,9 @@ outputs: # internal_api_subnet - > IP/CIDR gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi' - gnocchi::api::host: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri]} step_config: | include ::tripleo::profile::base::gnocchi::api @@ -131,3 +125,9 @@ outputs: gnocchi::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop gnocchi_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index d92b1766..c6310056 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -67,9 +67,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/gnocchi' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" - gnocchi::db::sync::extra_opts: '--skip-storage --create-legacy-resource-types' + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + gnocchi::db::sync::extra_opts: '--skip-storage' gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 2 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} diff --git a/puppet/services/gnocchi-metricd.yaml b/puppet/services/gnocchi-metricd.yaml index e5f9a8e7..1337b0cb 100644 --- a/puppet/services/gnocchi-metricd.yaml +++ b/puppet/services/gnocchi-metricd.yaml @@ -22,7 +22,7 @@ parameters: default: 'overcloud-gnocchi-metricd' type: string GnocchiMetricdWorkers: - default: '' + default: '%{::os_workers}' description: Number of workers for Gnocchi MetricD type: string @@ -46,3 +46,10 @@ outputs: - gnocchi::metricd::workers: {get_param: GnocchiMetricdWorkers} step_config: | include ::tripleo::profile::base::gnocchi::metricd + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-gnocchi-metricd is running" + shell: /usr/bin/systemctl show 'openstack-gnocchi-metricd' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop gnocchi_metricd service + tags: step2 + service: name=openstack-gnocchi-metricd state=stopped diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml index df438b37..41222a79 100644 --- a/puppet/services/gnocchi-statsd.yaml +++ b/puppet/services/gnocchi-statsd.yaml @@ -45,3 +45,10 @@ outputs: proto: 'udp' step_config: | include ::tripleo::profile::base::gnocchi::statsd + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-gnocchi-statsd is running" + shell: /usr/bin/systemctl show 'openstack-gnocchi-statsd' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop gnocchi_statsd service + tags: step2 + service: name=openstack-gnocchi-statsd state=stopped diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml index 77457593..ae226163 100644 --- a/puppet/services/haproxy-internal-tls-certmonger.yaml +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -19,6 +19,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + HAProxyNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the HAProxy internal TLS via certmonger role. @@ -39,13 +55,12 @@ outputs: postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [HAProxyNetworks, value]} + metadata_settings: + repeat: + template: + - service: haproxy + network: $NETWORK + type: vip + for_each: + $NETWORK: {get_attr: [HAProxyNetworks, value]} diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml index 227697b9..6013b026 100644 --- a/puppet/services/haproxy-public-tls-certmonger.yaml +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -35,3 +35,7 @@ outputs: hostname: "%{hiera('cloud_name_external')}" postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_external')}" + metadata_settings: + - service: haproxy + network: external + type: vip diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 9049c901..358698dd 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -78,9 +78,18 @@ outputs: step_config: | include ::tripleo::profile::base::haproxy upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service haproxy is running" + shell: /usr/bin/systemctl show 'haproxy' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop haproxy service tags: step1 service: name=haproxy state=stopped - name: Start haproxy service tags: step4 # Needed at step 4 for mysql service: name=haproxy state=started + metadata_settings: + yaql: + expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))' + data: + public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} + internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]} diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index f4d3cad3..3ae4cc70 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml @@ -85,10 +85,9 @@ outputs: heat::keystone::auth_cfn::password: {get_param: HeatPassword} heat::keystone::auth_cfn::region: {get_param: KeystoneRegion} upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-api-cfn is running" + shell: /usr/bin/systemctl show 'openstack-heat-api-cfn' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_api_cfn service tags: step2 service: name=openstack-heat-api-cfn state=stopped - - name: Start heat_api_cfn service - tags: step6 - service: name=openstack-heat-api-cfn state=started - diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml index ba4a287a..56183535 100644 --- a/puppet/services/heat-api-cloudwatch.yaml +++ b/puppet/services/heat-api-cloudwatch.yaml @@ -67,9 +67,9 @@ outputs: step_config: | include ::tripleo::profile::base::heat::api_cloudwatch upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-api-cloudwatch is running" + shell: /usr/bin/systemctl show 'openstack-heat-api-cloudwatch' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_api_cloudwatch service tags: step2 service: name=openstack-heat-api-cloudwatch state=stopped - - name: Start heat_api_cloudwatch service - tags: step6 - service: name=openstack-heat-api state=started diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 7ec9d6d4..38c5b479 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -85,9 +85,9 @@ outputs: heat::keystone::auth::password: {get_param: HeatPassword} heat::keystone::auth::region: {get_param: KeystoneRegion} upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-api is running" + shell: /usr/bin/systemctl show 'openstack-heat-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_api service tags: step2 service: name=openstack-heat-api state=stopped - - name: Start heat_api service - tags: step6 - service: name=openstack-heat-api state=started diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml index a933a94b..b4d314f4 100644 --- a/puppet/services/heat-base.yaml +++ b/puppet/services/heat-base.yaml @@ -44,6 +44,61 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + HeatCronPurgeDeletedEnsure: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Ensure + default: 'present' + HeatCronPurgeDeletedMinute: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Minute + default: '1' + HeatCronPurgeDeletedHour: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Hour + default: '0' + HeatCronPurgeDeletedMonthday: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Month Day + default: '*' + HeatCronPurgeDeletedMonth: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Month + default: '*' + HeatCronPurgeDeletedWeekday: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Week Day + default: '*' + HeatCronPurgeDeletedMaxDelay: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Max Delay + default: '3600' + HeatCronPurgeDeletedUser: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - User + default: 'heat' + HeatCronPurgeDeletedAge: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Age + default: '30' + HeatCronPurgeDeletedAgeType: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Age type + default: 'days' + HeatCronPurgeDeletedDestination: + type: string + description: > + Cron to purge db entries marked as deleted and older than $age - Log destination + default: '/dev/null' outputs: role_data: @@ -67,19 +122,26 @@ outputs: heat::rabbit_heartbeat_timeout_threshold: 60 heat::keystone::authtoken::project_name: 'service' heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } heat::keystone::authtoken::password: {get_param: HeatPassword} heat::keystone::domain::domain_name: 'heat_stack' heat::keystone::domain::domain_admin: 'heat_stack_domain_admin' heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost' - heat::cron::purge_deleted::age: 30 - heat::cron::purge_deleted::age_type: 'days' - heat::cron::purge_deleted::maxdelay: 3600 - heat::cron::purge_deleted::destination: '/dev/null' heat::db::database_db_max_retries: -1 heat::db::database_max_retries: -1 heat::yaql_memory_quota: 100000 heat::yaql_limit_iterators: 1000 + heat::cron::purge_deleted::ensure: {get_param: HeatCronPurgeDeletedEnsure} + heat::cron::purge_deleted::minute: {get_param: HeatCronPurgeDeletedMinute} + heat::cron::purge_deleted::hour: {get_param: HeatCronPurgeDeletedHour} + heat::cron::purge_deleted::monthday: {get_param: HeatCronPurgeDeletedMonthday} + heat::cron::purge_deleted::month: {get_param: HeatCronPurgeDeletedMonth} + heat::cron::purge_deleted::weekday: {get_param: HeatCronPurgeDeletedWeekday} + heat::cron::purge_deleted::maxdelay: {get_param: HeatCronPurgeDeletedMaxDelay} + heat::cron::purge_deleted::user: {get_param: HeatCronPurgeDeletedUser} + heat::cron::purge_deleted::age: {get_param: HeatCronPurgeDeletedAge} + heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType} + heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination} service_config_settings: keystone: tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack' diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index 6efb0653..7787d0a7 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -111,8 +111,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/heat' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword} heat::engine::auth_encryption_key: @@ -138,12 +137,9 @@ outputs: # This is needed because the keystone profile handles creating the domain tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword} upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-engine is running" + shell: /usr/bin/systemctl show 'openstack-heat-engine' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_engine service tags: step2 service: name=openstack-heat-engine state=stopped - - name: Sync heat_engine DB - tags: step5 - command: heat-manage --config-file /etc/heat/heat.conf db_sync - - name: Start heat_engine service - tags: step6 - service: name=openstack-heat-engine state=started diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index cf35d202..2111021b 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -27,6 +27,14 @@ parameters: description: A list of IP/Hostname for the server Horizon is running on. Used for header checks. type: comma_delimited_list + HorizonPasswordValidator: + description: Regex for password validation + type: string + default: '' + HorizonPasswordValidatorHelp: + description: Help text for password validation + type: string + default: '' HorizonSecret: description: Secret key for Django type: string @@ -71,6 +79,8 @@ outputs: options: ['FollowSymLinks','MultiViews'] horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::password_validator: {get_param: [HorizonPasswordValidator]} + horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: yaql: expression: $.data.passwords.where($ != '').first() diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index aebb37b2..a84df538 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -25,6 +25,10 @@ parameters: MonitoringSubscriptionIronicApi: default: 'overcloud-ironic-api' type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint resources: IronicBase: @@ -47,7 +51,7 @@ outputs: ironic::api::authtoken::project_name: 'service' ironic::api::authtoken::username: 'ironic' ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): @@ -73,6 +77,7 @@ outputs: ironic::keystone::auth::auth_name: 'ironic' ironic::keystone::auth::password: {get_param: IronicPassword } ironic::keystone::auth::tenant: 'service' + ironic::keystone::auth::region: {get_param: KeystoneRegion} mysql: ironic::db::mysql::password: {get_param: IronicPassword} ironic::db::mysql::user: ironic @@ -81,3 +86,7 @@ outputs: ironic::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + upgrade_tasks: + - name: Stop ironic_api service + tags: step2 + service: name=openstack-ironic-api state=stopped diff --git a/puppet/services/ironic-base.yaml b/puppet/services/ironic-base.yaml index ad7ef6ea..d186b047 100644 --- a/puppet/services/ironic-base.yaml +++ b/puppet/services/ironic-base.yaml @@ -60,8 +60,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ironic' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' ironic::debug: {get_param: Debug} ironic::rabbit_userid: {get_param: RabbitUserName} ironic::rabbit_password: {get_param: RabbitPassword} diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index 194afec7..739db13c 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -24,6 +24,14 @@ parameters: "full" for full cleaning, "metadata" to clean only disk metadata (partition table). type: string + IronicCleaningNetwork: + default: 'provisioning' + description: Name or UUID of the *overcloud* network used for cleaning + bare metal nodes. The default value of "provisioning" can be + left during the initial deployment (when no networks are + created yet) and should be changed to an actual UUID in + a post-deployment stack update. + type: string IronicEnabledDrivers: default: ['pxe_ipmitool', 'pxe_drac', 'pxe_ilo'] description: Enabled Ironic drivers @@ -61,6 +69,7 @@ outputs: - ironic::api::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} ironic::conductor::cleaning_disk_erase: {get_param: IronicCleaningDiskErase} + ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork} ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers} # We need an endpoint containing a real IP, not a VIP here ironic_conductor_http_host: {get_param: [ServiceNetMap, IronicNetwork]} @@ -98,3 +107,7 @@ outputs: step_config: | include ::tripleo::profile::base::ironic::conductor + upgrade_tasks: + - name: Stop ironic_conductor service + tags: step2 + service: name=openstack-ironic-conductor state=stopped diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 29157959..fec455d1 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -31,6 +31,7 @@ outputs: config_settings: kernel_modules: nf_conntrack: {} + ip_conntrack_proto_sctp: {} sysctl_settings: net.ipv4.tcp_keepalive_intvl: value: 1 diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index f69e20b4..9c4cc60f 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -113,6 +113,51 @@ parameters: EnableInternalTLS: type: boolean default: false + KeystoneCronTokenFlushEnsure: + type: string + description: > + Cron to purge expired tokens - Ensure + default: 'present' + KeystoneCronTokenFlushMinute: + type: string + description: > + Cron to purge expired tokens - Minute + default: '1' + KeystoneCronTokenFlushHour: + type: string + description: > + Cron to purge expired tokens - Hour + default: '0' + KeystoneCronTokenFlushMonthday: + type: string + description: > + Cron to purge expired tokens - Month Day + default: '*' + KeystoneCronTokenFlushMonth: + type: string + description: > + Cron to purge expired tokens - Month + default: '*' + KeystoneCronTokenFlushWeekday: + type: string + description: > + Cron to purge expired tokens - Week Day + default: '*' + KeystoneCronTokenFlushMaxDelay: + type: string + description: > + Cron to purge expired tokens - Max Delay + default: '0' + KeystoneCronTokenFlushDestination: + type: string + description: > + Cron to purge expired tokens - Log destination + default: '/var/log/keystone/keystone-tokenflush.log' + KeystoneCronTokenFlushUser: + type: string + description: > + Cron to purge expired tokens - User + default: 'keystone' resources: @@ -148,8 +193,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/keystone' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' keystone::admin_token: {get_param: AdminToken} keystone::admin_password: {get_param: AdminPassword} keystone::roles::admin::password: {get_param: AdminPassword} @@ -239,6 +283,16 @@ outputs: # NOTE: this applies to all 2 bind IP settings below... keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure} + keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute} + keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour} + keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday} + keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth} + keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday} + keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay} + keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination} + keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser} + step_config: | include ::tripleo::profile::base::keystone service_config_settings: @@ -255,9 +309,5 @@ outputs: - name: Stop keystone service (running under httpd) tags: step2 service: name=httpd state=stopped - - name: Sync keystone DB - tags: step5 - command: keystone-manage db_sync - - name: Start keystone service (running under httpd) - tags: step6 - service: name=httpd state=started + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/logging/fluentd-client.yaml b/puppet/services/logging/fluentd-client.yaml index 769ab68f..94c63d33 100644 --- a/puppet/services/logging/fluentd-client.yaml +++ b/puppet/services/logging/fluentd-client.yaml @@ -62,3 +62,12 @@ outputs: get_attr: [LoggingConfiguration, LoggingSharedKey] step_config: | include ::tripleo::profile::base::logging::fluentd + upgrade_tasks: + - name: Check status of fluentd service + shell: > + /usr/bin/systemctl show fluentd --property ActiveState | + grep '\bactive\b' + tags: step0,validation + - name: Stop fluentd service + tags: step2 + service: name=fluentd state=stopped diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml index b7c64823..7b78c82e 100644 --- a/puppet/services/manila-api.yaml +++ b/puppet/services/manila-api.yaml @@ -49,7 +49,7 @@ outputs: - get_attr: [ManilaBase, role_data, config_settings] - manila::keystone::authtoken::password: {get_param: ManilaPassword} manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' tripleo.manila_api.firewall_rules: '150 manila': @@ -64,6 +64,7 @@ outputs: # internal_api_subnet - > IP/CIDR manila::api::bind_host: {get_param: [ServiceNetMap, ManilaApiNetwork]} manila::api::enable_proxy_headers_parsing: true + manila::api::default_share_type: 'default' step_config: | include ::tripleo::profile::base::manila::api service_config_settings: diff --git a/puppet/services/manila-base.yaml b/puppet/services/manila-base.yaml index 2a9745a2..c183bc08 100644 --- a/puppet/services/manila-base.yaml +++ b/puppet/services/manila-base.yaml @@ -67,8 +67,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/manila' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' service_config_settings: mysql: manila::db::mysql::password: {get_param: ManilaPassword} diff --git a/puppet/services/manila-share.yaml b/puppet/services/manila-share.yaml index e38fe675..6ac0d2cf 100644 --- a/puppet/services/manila-share.yaml +++ b/puppet/services/manila-share.yaml @@ -46,7 +46,7 @@ outputs: - manila::volume::cinder::cinder_admin_tenant_name: 'service' manila::keystone::authtoken::password: {get_param: ManilaPassword} manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' service_config_settings: get_attr: [ManilaBase, role_data, service_config_settings] diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml index ffa969e0..146cc306 100644 --- a/puppet/services/memcached.yaml +++ b/puppet/services/memcached.yaml @@ -18,6 +18,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + MemcachedMaxMemory: + default: '50%' + description: The maximum amount of memory for memcached to be configured + to use when installed. This can be either a percentage ('50%') + or a fixed value ('2048'). + type: string MonitoringSubscriptionMemcached: default: 'overcloud-memcached' type: string @@ -35,8 +41,17 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR memcached::listen_ip: {get_param: [ServiceNetMap, MemcachedNetwork]} + memcached::max_memory: {get_param: MemcachedMaxMemory} tripleo.memcached.firewall_rules: '121 memcached': dport: 11211 step_config: | include ::tripleo::profile::base::memcached + service_config_settings: + collectd: + tripleo.collectd.plugins.memcached: + - memcached + collectd::plugin::memcached::instances: + local: + host: "%{hiera('memcached::listen_ip')}" + port: 11211 diff --git a/puppet/services/metrics/collectd.yaml b/puppet/services/metrics/collectd.yaml new file mode 100644 index 00000000..a3e3b842 --- /dev/null +++ b/puppet/services/metrics/collectd.yaml @@ -0,0 +1,120 @@ +heat_template_version: ocata + +description: Collectd client service + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + DefaultPasswords: + default: {} + type: json + CollectdDefaultPlugins: + default: + - disk + - interface + - load + - memory + - processes + - tcpconns + type: comma_delimited_list + description: > + List of collectd plugins to activate on all overcloud hosts. See + the documentation for the puppet-collectd module for a list plugins + supported by the module (https://github.com/voxpupuli/puppet-collectd). + Set this key to override the default list of plugins. Use + CollectdExtraPlugins if you want to load additional plugins without + overriding the defaults. + CollectdExtraPlugins: + default: [] + type: comma_delimited_list + description: > + List of collectd plugins to activate on all overcloud hosts. See + the documentation for the puppet-collectd module for a list plugins + supported by the module (https://github.com/voxpupuli/puppet-collectd). + Set this key to load plugins in addition to those in + CollectdDefaultPlugins. + CollectdServer: + type: string + description: > + Address of remote collectd server to which we will send + metrics. + default: '' + CollectdServerPort: + type: number + default: 25826 + description: > + Port on remote collectd server to which we will send + metrics. + CollectdUsername: + type: string + description: > + Username for authenticating to the remote collectd server. The default + is to not configure any authentication. + default: '' + CollectdPassword: + type: string + hidden: true + description: > + Password for authenticating to the remote collectd server. The + default is to not configure any authentication. + default: '' + CollectdSecurityLevel: + type: string + description: > + Security level setting for remote collectd connection. + default: 'None' + constraints: + - allowed_values: + - None + - Sign + - Encrypt + +outputs: + role_data: + description: Role data for the Collectd client role. + value: + service_name: collectd + config_settings: + collectd::manage_repo: false + collectd::purge: true + collectd::recurse: true + collectd::purge_config: true + collectd::minimum_version: "5.7" + tripleo::profile::base::metrics::collectd::collectd_server: + get_param: CollectdServer + tripleo::profile::base::metrics::collectd::collectd_port: + get_param: CollectdServerPort + tripleo::profile::base::metrics::collectd::collectd_username: + get_param: CollectdUsername + tripleo::profile::base::metrics::collectd::collectd_password: + get_param: CollectdPassword + tripleo::profile::base::metrics::collectd::collectd_securitylevel: + get_param: CollectdSecurityLevel + tripleo.collectd.plugins.collectd: + yaql: + data: + default_plugins: {get_param: CollectdDefaultPlugins} + extra_plugins: {get_param: CollectdExtraPlugins} + expression: > + ($.data.default_plugins + $.data.extra_plugins) + .flatten().distinct() + step_config: | + include ::tripleo::profile::base::metrics::collectd + upgrade_tasks: + - name: Check status of collectd service + shell: > + /usr/bin/systemctl show collectd --property ActiveState | + grep '\bactive\b' + tags: step0,validation + - name: Stop collectd service + tags: step2 + service: name=collectd state=stopped diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml index e678b14f..e1030346 100644 --- a/puppet/services/mistral-base.yaml +++ b/puppet/services/mistral-base.yaml @@ -65,8 +65,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/mistral' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' mistral::rabbit_userid: {get_param: RabbitUserName} mistral::rabbit_password: {get_param: RabbitPassword} mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL} @@ -76,7 +75,7 @@ outputs: mistral::keystone_tenant: 'service' mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} - mistral::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + mistral::identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} service_config_settings: keystone: mistral::keystone::auth::tenant: 'service' diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index 76ba59c1..d74a68a2 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -62,3 +62,12 @@ outputs: region: {get_param: KeystoneRegion} step_config: | include ::tripleo::profile::base::monitoring::sensu + upgrade_tasks: + - name: Check status of sensu-client service + shell: > + /usr/bin/systemctl show sensu-client --property ActiveState | + grep '\bactive\b' + tags: step0,validation + - name: Stop sensu-client service + tags: step2 + service: name=sensu-client state=stopped diff --git a/puppet/services/network/contrail-analytics-database.yaml b/puppet/services/network/contrail-analytics-database.yaml new file mode 100644 index 00000000..67341ed3 --- /dev/null +++ b/puppet/services/network/contrail-analytics-database.yaml @@ -0,0 +1,43 @@ +heat_template_version: ocata + +description: > + Contrail Analytics Database service deployment using puppet, this YAML file + creates the interface between the HOT template + and the puppet manifest that actually installs + and configures Contrail Analytics Database. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role Contrail Analytics Database using composable services. + value: + service_name: contrail_analytics_database + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - contrail::analytics::database::host_ip: {get_param: [ServiceNetMap, ContrailAnalyticsDatabaseNetwork]} + step_config: | + include ::tripleo::network::contrail::analyticsdatabase diff --git a/puppet/services/network/contrail-analytics.yaml b/puppet/services/network/contrail-analytics.yaml index ad14d315..e3e0ec4b 100644 --- a/puppet/services/network/contrail-analytics.yaml +++ b/puppet/services/network/contrail-analytics.yaml @@ -21,44 +21,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailAnalyticsHostIP: - description: host IP address of Analytics - type: string - ContrailAnalyticsRedisServerIp: - description: Redis server ip address - type: string - ContrailAnalyticsCollectorServerHttpPort: - description: Collector http port - type: number - default: 8089 - ContrailAnalyticsCollectorSandeshPort: - description: Collector sandesh port - type: number - default: 8086 - ContrailAnalyticsHttpServerPort: - description: Analytics http port - type: number - default: 8090 - ContrailAnalyticsListenAddress: - default: '0.0.0.0' - description: IP address Config API is listening on - type: string - ContrailAnalyticsListenPort: - default: 8082 - description: Port Config API is listening on - type: number - ContrailAnalyticsRedisServerPort: - description: Redis server port - type: number - default: 6379 - ContrailAnalyticsRestApiIp: - description: IP address Analytics rest interface listens on - type: string - default: '0.0.0.0' - ContrailAnalyticsRestApiPort: - description: Analytics rest port - type: number - default: 8081 resources: ContrailBase: @@ -76,15 +38,14 @@ outputs: config_settings: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - - contrail::analytics::collector_http_server_port: {get_param: ContrailAnalyticsCollectorServerHttpPort} - contrail::analytics::collector_sandesh_port: {get_param: ContrailAnalyticsCollectorSandeshPort} - contrail::analytics::host_ip: {get_param: ContrailAnalyticsHostIP} - contrail::analytics::http_server_port: {get_param: ContrailAnalyticsHttpServerPort} - contrail::analytics::listen_ip_address: {get_param: ContrailAnalyticsListenAddress} - contrail::analytics::listen_port: {get_param: ContrailAnalyticsListenPort} - contrail::analytics::redis_server: {get_param: ContrailAnalyticsRedisServerIp} - contrail::analytics::redis_server_port: {get_param: ContrailAnalyticsRedisServerPort} - contrail::analytics::rest_api_ip: {get_param: ContrailAnalyticsRestApiIp} - contrail::analytics::rest_api_port: {get_param: ContrailAnalyticsRestApiPort} + - contrail::analytics::collector_http_server_port: {get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, port]} + contrail::analytics::collector_sandesh_port: {get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, port]} + contrail::analytics::host_ip: {get_param: [ServiceNetMap, ContrailAnalyticsNetwork]} + contrail::analytics::http_server_port: {get_param: [EndpointMap, ContrailAnalyticsHttpInternal, port]} + contrail::analytics::listen_ip_address: {get_param: [ServiceNetMap, ContrailAnalyticsNetwork]} + contrail::analytics::redis_server: '127.0.0.1' + contrail::analytics::redis_server_port: {get_param: [EndpointMap, ContrailAnalyticsRedisInternal, port]} + contrail::analytics::rest_api_ip: {get_param: [ServiceNetMap, ContrailAnalyticsNetwork]} + contrail::analytics::rest_api_port: {get_param: [EndpointMap, ContrailAnalyticsApiInternal, port]} step_config: | include ::tripleo::network::contrail::analytics diff --git a/puppet/services/network/contrail-base.yaml b/puppet/services/network/contrail-base.yaml index b49b2add..bc56a3ca 100644 --- a/puppet/services/network/contrail-base.yaml +++ b/puppet/services/network/contrail-base.yaml @@ -18,47 +18,42 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + ContrailAAAMode: + description: AAAmode can be no-auth, cloud-admin or rbac + type: string + default: 'rbac' + ContrailAAAModeAnalytics: + description: AAAmode for analytics can be no-auth, cloud-admin or rbac + type: string + default: 'no-auth' AdminPassword: description: Keystone admin user password type: string + hidden: true AdminTenantName: description: Keystone admin tenant name type: string + default: 'admin' AdminToken: description: Keystone admin token type: string + hidden: true AdminUser: description: Keystone admin user name type: string - AuthHost: - description: Keystone host IP address - type: string - AuthPort: - default: 35357 - description: Keystone port + default: 'admin' + AuthPortSSL: + default: 13357 + description: Keystone SSL port + type: number + AuthPortSSLPublic: + default: 13000 + description: Keystone Public SSL port type: number - AuthProtocol: - default: 'http' - description: Keystone authentication protocol - type: string - ContrailDiscoveryServerIp: - description: Discovery server ip address - type: string - ContrailKafkaBrokerList: - description: List of kafka servers - type: comma_delimited_list ContrailAuth: default: 'keystone' description: Keystone authentication method type: string - ContrailCassandraServerList: - default: [] - description: List of cassandra servers - type: comma_delimited_list - ContrailDiscoveryServerPort: - description: Discovery server port - type: number - default: 5998 ContrailInsecure: default: false description: Keystone insecure mode @@ -67,14 +62,18 @@ parameters: default: '127.0.0.1:12111' description: Memcached server type: string - ContrailMultiTenancy: - default: true - description: Turn on/off multi-tenancy - type: boolean - ContrailZkServerIp: - default: [] - description: List of zookeeper servers - type: comma_delimited_list + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number outputs: role_data: @@ -82,19 +81,23 @@ outputs: value: service_name: contrail_base config_settings: + contrail::aaa_mode: {get_param: ContrailAAAMode} + contrail::analytics_aaa_mode: {get_param: ContrailAAAModeAnalytics} contrail::admin_password: {get_param: AdminPassword} contrail::admin_tenant_name: {get_param: AdminTenantName} contrail::admin_token: {get_param: AdminToken} contrail::admin_user: {get_param: AdminUser} - contrail::auth_host: {get_param: [EndpointMap, KeystoneInternal, host] } - contrail::auth_port: {get_param: [EndpointMap, KeystoneInternal, port] } - contrail::auth_protocol: {get_param: [EndpointMap, KeystoneInternal, protocol] } - contrail::disc_server_ip: {get_param: ContrailDiscoveryServerIp} - contrail::kafka_broker_list: {get_param: ContrailKafkaBrokerList} contrail::auth: {get_param: ContrailAuth} - contrail::cassandra_server_list: {get_param: ContrailCassandraServerList} - contrail::disc_server_port: {get_param: ContrailDiscoveryServerPort} + contrail::auth_host: {get_param: [EndpointMap, KeystonePublic, host] } + contrail::auth_port: {get_param: [EndpointMap, KeystoneAdmin, port] } + contrail::auth_port_ssl: {get_param: AuthPortSSL } + contrail::auth_port_public: {get_param: [EndpointMap, KeystonePublic, port] } + contrail::auth_port_ssl_public: {get_param: AuthPortSSLPublic } + contrail::auth_protocol: {get_param: [EndpointMap, KeystoneInternal, protocol] } + contrail::api_port: {get_param: [EndpointMap, ContrailConfigInternal, port] } + contrail::disc_server_port: {get_param: [EndpointMap, ContrailDiscoveryInternal, port] } contrail::insecure: {get_param: ContrailInsecure} contrail::memcached_server: {get_param: ContrailMemcachedServer} - contrail::multi_tenancy: {get_param: ContrailMultiTenancy} - contrail::zk_server_ip: {get_param: ContrailZkServerIp} + contrail::rabbit_password: {get_param: RabbitPassword} + contrail::rabbit_user: {get_param: RabbitUserName} + contrail::rabbit_port: {get_param: RabbitClientPort} diff --git a/puppet/services/network/contrail-config.yaml b/puppet/services/network/contrail-config.yaml index 03774480..185b6094 100644 --- a/puppet/services/network/contrail-config.yaml +++ b/puppet/services/network/contrail-config.yaml @@ -21,29 +21,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailConfigIfmapServerIp: - description: Ifmap server ip address - type: string ContrailConfigIfmapUserName: description: Ifmap user name type: string + default: 'api-server' ContrailConfigIfmapUserPassword: description: Ifmap user password type: string - ContrailConfigRabbitServerIp: - description: RabbitMq server ip address - type: string - ContrailConfigRedisServerIp: - description: Redis server ip address - type: string - ContrailConfigListenAddress: - default: '0.0.0.0' - description: IP address Config API is listening on - type: string - ContrailConfigListenPort: - default: 8082 - description: Port Config API is listening on - type: number + default: 'api-server' resources: ContrailBase: @@ -62,11 +47,10 @@ outputs: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - contrail::config::ifmap_password: {get_param: ContrailConfigIfmapUserPassword} - contrail::config::ifmap_server_ip: {get_param: ContrailConfigIfmapServerIp} contrail::config::ifmap_username: {get_param: ContrailConfigIfmapUserName} - contrail::config::listen_ip_address: {get_param: ContrailConfigListenAddress} - contrail::config::listen_port: {get_param: ContrailConfigListenPort} - contrail::config::rabbit_server: {get_param: ContrailConfigRabbitServerIp} - contrail::config::redis_server: {get_param: ContrailConfigRedisServerIp} + contrail::config::listen_ip_address: {get_param: [ServiceNetMap, ContrailConfigNetwork]} + contrail::config::listen_port: {get_param: [EndpointMap, ContrailConfigInternal, port] } + contrail::config::redis_server: '127.0.0.1' + contrail::config::host_ip: {get_param: [ServiceNetMap, ContrailConfigNetwork] } step_config: | include ::tripleo::network::contrail::config diff --git a/puppet/services/network/contrail-control.yaml b/puppet/services/network/contrail-control.yaml index 7c28d283..0964989b 100644 --- a/puppet/services/network/contrail-control.yaml +++ b/puppet/services/network/contrail-control.yaml @@ -21,15 +21,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailControlHostIP: - description: host IP address of Analytics - type: string - ContrailControlIfmapUserName: - description: Ifmap user name - type: string - ContrailControlIfmapUserPassword: - description: Ifmap user password + ContrailControlASN: + description: Autonomous System Number + type: number + default: 64512 + ContrailControlRNDCSecret: + description: sda1/256 hmac key, e.g. echo -n "values" | openssl dgst -sha256 -hmac key -binary | base64 type: string + hidden: true resources: ContrailBase: @@ -47,8 +46,8 @@ outputs: config_settings: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - - contrail::control::host_ip: {get_param: ContrailControlHostIP} - contrail::control::ifmap_username: {get_param: ContrailControlIfmapUserName} - contrail::control::ifmap_password: {get_param: ContrailControlIfmapUserPassword} + - contrail::control::asn: {get_param: ContrailControlASN } + contrail::control::host_ip: {get_param: [ServiceNetMap, ContrailControlNetwork]} + contrail::control::rndc_secret: {get_param: ContrailControlRNDCSecret} step_config: | include ::tripleo::network::contrail::control diff --git a/puppet/services/network/contrail-database.yaml b/puppet/services/network/contrail-database.yaml index c56b90a2..b47c2c36 100644 --- a/puppet/services/network/contrail-database.yaml +++ b/puppet/services/network/contrail-database.yaml @@ -21,13 +21,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailDatabaseHostIP: - description: host IP address of Database node - type: string - ContrailDatabaseMinDisk: - description: Minimum disk size for database - type: number - default: 64 resources: ContrailBase: @@ -45,7 +38,6 @@ outputs: config_settings: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - - contrail::database::host_ip: {get_param: ContrailDatabaseHostIP} - contrail::database::minimum_diskGB: {get_param: ContrailDatabaseMinDisk} + - contrail::database::host_ip: {get_param: [ServiceNetMap, ContrailDatabaseNetwork]} step_config: | - include ::tripleo::profile::contrail::database + include ::tripleo::network::contrail::database diff --git a/puppet/services/network/contrail-heat.yaml b/puppet/services/network/contrail-heat.yaml new file mode 100644 index 00000000..4dfc6579 --- /dev/null +++ b/puppet/services/network/contrail-heat.yaml @@ -0,0 +1,40 @@ +heat_template_version: ocata + +description: > + Contrail Heat plugin adds Contrail specific heat resources enabling heat + to orchestrate Contrail + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Contrail Heat plugin + value: + service_name: contrail_heat + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + step_config: | + include ::tripleo::network::contrail::heat diff --git a/puppet/services/network/contrail-neutron-plugin.yaml b/puppet/services/network/contrail-neutron-plugin.yaml new file mode 100644 index 00000000..2f2ceb37 --- /dev/null +++ b/puppet/services/network/contrail-neutron-plugin.yaml @@ -0,0 +1,45 @@ +heat_template_version: ocata + +description: > + OpenStack Neutron Opencontrail plugin + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ContrailExtensions: + description: List of OpenContrail extensions to be enabled + type: comma_delimited_list + default: '' + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Neutron Opencontrail plugin + value: + service_name: contrail_neutron_plugin + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions + contrail::vrouter::contrail_extensions: {get_param: ContrailExtensions} + step_config: | + include tripleo::network::contrail::neutron_plugin diff --git a/puppet/services/network/contrail-provision.yaml b/puppet/services/network/contrail-provision.yaml new file mode 100644 index 00000000..765be9a9 --- /dev/null +++ b/puppet/services/network/contrail-provision.yaml @@ -0,0 +1,39 @@ +heat_template_version: ocata + +description: > + Provision Contrail services after deployment + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Contrail provisioning role + value: + service_name: contrail_provision + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + step_config: | + include ::tripleo::network::contrail::provision diff --git a/puppet/services/network/contrail-tsn.yaml b/puppet/services/network/contrail-tsn.yaml new file mode 100644 index 00000000..88adc4a5 --- /dev/null +++ b/puppet/services/network/contrail-tsn.yaml @@ -0,0 +1,64 @@ +heat_template_version: ocata + +description: > + Contrail TSN Service + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NeutronMetadataProxySharedSecret: + description: Metadata Secret + type: string + VrouterPhysicalInterface: + default: 'eth0' + description: vRouter physical interface + type: string + VrouterGateway: + default: '192.168.24.1' + description: vRouter default gateway + type: string + VrouterNetmask: + default: '255.255.255.0' + description: vRouter netmask + type: string + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Contrail TSN Service + value: + service_name: contrail_tsn + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - contrail::vrouter::host_ip: {get_param: [ServiceNetMap, NeutronCorePluginOpencontrailNetwork]} + contrail::vrouter::physical_interface: {get_param: VrouterPhysicalInterface} + contrail::vrouter::gateway: {get_param: VrouterGateway} + contrail::vrouter::netmask: {get_param: VrouterNetmask} + contrail::vrouter::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + contrail::vrouter::is_tsn: 'true' + tripleo.neutron_compute_plugin_opencontrail.firewall_rules: + '111 neutron_compute_plugin_opencontrail proxy': + dport: 8097 + proto: tcp + step_config: | + include ::tripleo::network::contrail::vrouter diff --git a/puppet/services/network/contrail-vrouter.yaml b/puppet/services/network/contrail-vrouter.yaml new file mode 100644 index 00000000..db9f0836 --- /dev/null +++ b/puppet/services/network/contrail-vrouter.yaml @@ -0,0 +1,64 @@ +heat_template_version: ocata + +description: > + OpenStack Neutron Compute OpenContrail plugin + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NeutronMetadataProxySharedSecret: + description: Metadata Secret + type: string + hidden: true + ContrailVrouterPhysicalInterface: + default: 'eth0' + description: vRouter physical interface + type: string + ContrailVrouterGateway: + default: '192.0.2.1' + description: vRouter default gateway + type: string + ContrailVrouterNetmask: + default: '255.255.255.0' + description: vRouter netmask + type: string + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Neutron Compute OpenContrail plugin + value: + service_name: contrail_vrouter + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - contrail::vrouter::host_ip: {get_param: [ServiceNetMap, NeutronCorePluginOpencontrailNetwork]} + contrail::vrouter::physical_interface: {get_param: ContrailVrouterPhysicalInterface} + contrail::vrouter::gateway: {get_param: ContrailVrouterGateway} + contrail::vrouter::netmask: {get_param: ContrailVrouterNetmask} + contrail::vrouter::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + tripleo.neutron_compute_plugin_opencontrail.firewall_rules: + '111 neutron_compute_plugin_opencontrail proxy': + dport: 8097 + proto: tcp + step_config: | + include ::tripleo::network::contrail::vrouter diff --git a/puppet/services/network/contrail-webui.yaml b/puppet/services/network/contrail-webui.yaml index 72cc6fa5..3786cdd1 100644 --- a/puppet/services/network/contrail-webui.yaml +++ b/puppet/services/network/contrail-webui.yaml @@ -21,27 +21,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailWebUiAnalyticsVip: - description: Contrail Analytics VIP - type: string - ContrailWebUiConfigVip: - description: Contrail Config VIP - type: string - ContrailWebUiNeutronVip: - description: Neutron VIP - type: string - ContrailWebuiHttpPort: - default: 8080 - description: HTTP Port of Webui - type: number - ContrailWebuiHttpsPort: - default: 8143 - description: HTTPS Port of Webui - type: number - ContrailWebUiRedisIp: - description: Redis IP - type: string - default: '127.0.0.1' resources: ContrailBase: @@ -59,11 +38,8 @@ outputs: config_settings: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - - contrail::webui::contrail_analytics_vip: {get_param: ContrailWebUiAnalyticsVip} - contrail::webui::contrail_config_vip: {get_param: ContrailWebUiConfigVip} - contrail::webui::contrail_webui_http_port: {get_param: ContrailWebuiHttpPort} - contrail::webui::contrail_webui_https_port: {get_param: ContrailWebuiHttpsPort} - contrail::webui::neutron_vip: {get_param: ContrailWebUiNeutronVip} - contrail::webui::redis_ip: {get_param: ContrailWebUiRedisIp} + - contrail::webui::http_port: {get_param: [EndpointMap, ContrailWebuiHttpInternal, port] } + contrail::webui::https_port: {get_param: [EndpointMap, ContrailWebuiHttpsInternal, port] } + contrail::webui::redis_ip: '127.0.0.1' step_config: | include ::tripleo::network::contrail::webui diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index bbb79bba..4d671e15 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -71,6 +71,9 @@ parameters: removed in Ocata. Future releases will enable L3 HA by default if it is appropriate for the deployment type. Alternate mechanisms will be available to override. + EnableInternalTLS: + type: boolean + default: false parameter_groups: - label: deprecated @@ -82,8 +85,19 @@ parameter_groups: parameters: - NeutronL3HA +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + resources: + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + NeutronBase: type: ./neutron-base.yaml properties: @@ -103,6 +117,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] + - get_attr: [TLSProxyBase, role_data, config_settings] - neutron::server::database_connection: list_join: - '' @@ -112,17 +127,14 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ovs_neutron' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} neutron::server::api_workers: {get_param: NeutronWorkers} neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} neutron::server::enable_proxy_headers_parsing: true neutron::keystone::authtoken::password: {get_param: NeutronPassword} - - neutron::server::notifications::nova_url: { get_param: [ EndpointMap, NovaInternal, uri ] } neutron::server::notifications::auth_url: { get_param: [ EndpointMap, KeystoneV3Admin, uri ] } neutron::server::notifications::tenant_name: 'service' neutron::server::notifications::project_name: 'service' @@ -140,7 +152,23 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} + tripleo::profile::base::neutron::server::tls_proxy_bind_ip: + get_param: [ServiceNetMap, NeutronApiNetwork] + tripleo::profile::base::neutron::server::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + tripleo::profile::base::neutron::server::tls_proxy_port: + get_param: [EndpointMap, NeutronInternal, port] + # Bind to localhost if internal TLS is enabled, since we put a TLS + # proxy in front. + neutron::bind_host: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, NeutronApiNetwork]} tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA} step_config: | include tripleo::profile::base::neutron::server @@ -161,13 +189,9 @@ outputs: - '%' - "%{hiera('mysql_bind_host')}" upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-server is running" + shell: /usr/bin/systemctl show 'neutron-server' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_api service tags: step2 service: name=neutron-server state=stopped - - name: Sync neutron_api DB - tags: step5 - command: neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head - - name: Start neutron_api service - tags: step6 - service: name=neutron-server state=started - diff --git a/puppet/services/neutron-compute-plugin-ovn.yaml b/puppet/services/neutron-compute-plugin-ovn.yaml index ce28b5c3..e3a4da99 100644 --- a/puppet/services/neutron-compute-plugin-ovn.yaml +++ b/puppet/services/neutron-compute-plugin-ovn.yaml @@ -18,9 +18,6 @@ parameters: via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json - OVNDbHost: - description: IP address on which the OVN DB servers are listening - type: string OVNSouthboundServerPort: description: Port of the Southbound DB Server type: number @@ -29,6 +26,16 @@ parameters: description: Tunnel encapsulation type type: string default: geneve + NeutronBridgeMappings: + description: > + The OVS logical->physical bridge mappings to use. See the Neutron + documentation for details. Defaults to mapping br-ex - the external + bridge on hosts - to a physical name 'datacentre' which can be used + to create provider networks (and we use this for the default floating + network) - if changing this either use different post-install network + scripts or be sure to keep 'datacentre' as a mapping network name + type: comma_delimited_list + default: "datacentre:br-ex" outputs: @@ -37,9 +44,16 @@ outputs: value: service_name: neutron_compute_plugin_ovn config_settings: - tripleo::profile::base::neutron::agents::ovn::ovn_db_host: {get_param: OVNDbHost} ovn::southbound::port: {get_param: OVNSouthboundServerPort} - ovn::southbound::encap_type: {get_param: OVNTunnelEncapType} + ovn::controller::ovn_encap_type: {get_param: OVNTunnelEncapType} ovn::controller::ovn_encap_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} + ovn::controller::ovn_bridge_mappings: {get_param: NeutronBridgeMappings} + tripleo.neutron_compute_plugin_ovn.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '119 neutron geneve networks': + proto: 'udp' + dport: 6081 step_config: | include ::tripleo::profile::base::neutron::agents::ovn diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml index c7965a64..062edaa4 100644 --- a/puppet/services/neutron-dhcp.yaml +++ b/puppet/services/neutron-dhcp.yaml @@ -39,6 +39,10 @@ parameters: default: tag: openstack.neutron.agent.dhcp path: /var/log/neutron/dhcp-agent.log + NeutronDhcpAgentDnsmasqDnsServers: + default: [] + description: List of servers to use as dnsmasq forwarders + type: comma_delimited_list resources: @@ -64,6 +68,7 @@ outputs: - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata} neutron::agents::dhcp::enable_force_metadata: {get_param: NeutronEnableForceMetadata} neutron::agents::dhcp::enable_metadata_network: {get_param: NeutronEnableMetadataNetwork} + neutron::agents::dhcp::dnsmasq_dns_servers: {get_param: NeutronDhcpAgentDnsmasqDnsServers} tripleo.neutron_dhcp.firewall_rules: '115 neutron dhcp input': proto: 'udp' @@ -75,9 +80,9 @@ outputs: step_config: | include tripleo::profile::base::neutron::dhcp upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-dhcp-agent is running" + shell: /usr/bin/systemctl show 'neutron-dhcp-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_dhcp service tags: step2 service: name=neutron-dhcp-agent state=stopped - - name: Start neutron_dhcp service - tags: step6 - service: name=neutron-dhcp-agent state=started diff --git a/puppet/services/neutron-l3-compute-dvr.yaml b/puppet/services/neutron-l3-compute-dvr.yaml index 06927fe0..1d6a2371 100644 --- a/puppet/services/neutron-l3-compute-dvr.yaml +++ b/puppet/services/neutron-l3-compute-dvr.yaml @@ -22,10 +22,6 @@ parameters: Debug: type: string default: '' - NeutronExternalNetworkBridge: - description: Name of bridge used for external network traffic. - type: string - default: 'br-ex' MonitoringSubscriptionNeutronL3Dvr: default: 'overcloud-neutron-l3-dvr' type: string @@ -35,6 +31,19 @@ parameters: tag: openstack.neutron.agent.l3-compute path: /var/log/neutron/l3-agent.log + # DEPRECATED: the following options are deprecated and are currently maintained + # for backwards compatibility. They will be removed in the Pike cycle. + NeutronExternalNetworkBridge: + description: Name of bridge used for external network traffic. Usually L2 + agent handles port wiring into external bridge, and hence the + parameter should be unset. + type: string + default: '' + +conditions: + + external_network_bridge_empty: {equals : [{get_param: NeutronExternalNetworkBridge}, "''"]} + resources: NeutronBase: @@ -56,7 +65,11 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - - neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge} - neutron::agents::l3::agent_mode : 'dvr' + - neutron::agents::l3::agent_mode : 'dvr' + - + if: + - external_network_bridge_empty + - {} + - neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge} step_config: | include tripleo::profile::base::neutron::l3 diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml index b3d7b3bf..4fa49275 100644 --- a/puppet/services/neutron-l3.yaml +++ b/puppet/services/neutron-l3.yaml @@ -21,10 +21,6 @@ parameters: Debug: type: string default: '' - NeutronExternalNetworkBridge: - description: Name of bridge used for external network traffic. - type: string - default: 'br-ex' NeutronL3AgentMode: description: | Agent mode for L3 agent. Must be one of legacy or dvr_snat. @@ -43,6 +39,15 @@ parameters: tag: openstack.neutron.agent.l3 path: /var/log/neutron/l3-agent.log + # DEPRECATED: the following options are deprecated and are currently maintained + # for backwards compatibility. They will be removed in the Pike cycle. + NeutronExternalNetworkBridge: + description: Name of bridge used for external network traffic. Usually L2 + agent handles port wiring into external bridge, and hence the + parameter should be unset. + type: string + default: '' + conditions: external_network_bridge_empty: {equals : [{get_param: NeutronExternalNetworkBridge}, "''"]} @@ -80,9 +85,9 @@ outputs: step_config: | include tripleo::profile::base::neutron::l3 upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-l3-agent is running" + shell: /usr/bin/systemctl show 'neutron-l3-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_l3 service tags: step2 service: name=neutron-l3-agent state=stopped - - name: Start neutron_l3 service - tags: step6 - service: name=neutron-l3-agent state=started diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index 68d7110a..6f5debdd 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -70,15 +70,15 @@ outputs: - neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret} neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers} neutron::agents::metadata::auth_password: {get_param: NeutronPassword} - neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}" step_config: | include tripleo::profile::base::neutron::metadata upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-metadata-agent is running" + shell: /usr/bin/systemctl show 'neutron-metadata-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_metadata service tags: step2 service: name=neutron-metadata-agent state=stopped - - name: Start neutron_metadata service - tags: step6 - service: name=neutron-metadata-agent state=started diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index e24fae7c..c27bb909 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -121,10 +121,9 @@ outputs: step_config: | include ::tripleo::profile::base::neutron::ovs upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" + shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_ovs_agent service tags: step2 service: name=neutron-openvswitch-agent state=stopped - - name: Start neutron_ovs_agent service - tags: step6 - service: name=neutron-openvswitch-agent state=started - diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index 5c77e35d..e25bc495 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -18,6 +18,11 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + HostCpusList: + description: List of cores to be used for host process + type: string + constraints: + - allowed_pattern: "'[0-9,-]+'" NeutronDpdkCoreList: description: List of cores to be used for DPDK Poll Mode Driver type: string @@ -68,7 +73,8 @@ outputs: - neutron::agents::ml2::ovs::enable_dpdk: true neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType} neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir} - vswitch::dpdk::core_list: {get_param: NeutronDpdkCoreList} + vswitch::dpdk::host_core_list: {get_param: HostCpusList} + vswitch::dpdk::pmd_core_list: {get_param: NeutronDpdkCoreList} vswitch::dpdk::memory_channels: {get_param: NeutronDpdkMemoryChannels} vswitch::dpdk::socket_mem: {get_param: NeutronDpdkSocketMemory} vswitch::dpdk::driver_type: {get_param: NeutronDpdkDriverType} diff --git a/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml b/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml new file mode 100644 index 00000000..85971f17 --- /dev/null +++ b/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml @@ -0,0 +1,78 @@ +heat_template_version: ocata + +description: Configure hieradata for Fujitsu fossw plugin configuration + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NeutronFujitsuFosswIps: + description: 'The List of IP address of all fos switches.' + type: comma_delimited_list + NeutronFujitsuFosswUserName: + description: 'The username of the fos switches.' + type: string + NeutronFujitsuFosswPassword: + description: 'The password of the fos switches.' + type: string + hidden: true + NeutronFujitsuFosswPort: + description: 'The port number used for SSH connection.' + type: number + default: 22 + NeutronFujitsuFosswTimeout: + description: 'The timeout os SSH connection.' + type: number + default: 30 + NeutronFujitsuFosswUdpDestPort: + description: 'The port number of VXLAN UDP destination on the fos switches.' + type: number + default: 4789 + NeutronFujitsuFosswOvsdbVlanidRangeMin: + description: 'The minimum VLAN ID in the range that is used for binding VNI and physical port.' + type: number + default: 2 + NeutronFujitsuFosswOvsdbPort: + description: 'The port number which OVSDB server on the fos switches listen.' + type: number + default: 6640 + +resources: + + NeutronMl2Base: + type: ./neutron-plugin-ml2.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for Fujitsu Fossw ML2 Driver + value: + service_name: neutron_plugin_ml2_fujitsu_fossw + config_settings: + map_merge: + - get_attr: [NeutronMl2Base, role_data, config_settings] + - neutron::plugins::ml2::fujitsu::fossw::fossw_ips: {get_param: NeutronFujitsuFosswIps} + neutron::plugins::ml2::fujitsu::fossw::username: {get_param: NeutronFujitsuFosswUserName} + neutron::plugins::ml2::fujitsu::fossw::password: {get_param: NeutronFujitsuFosswPassword} + neutron::plugins::ml2::fujitsu::fossw::port: {get_param: NeutronFujitsuFosswPort} + neutron::plugins::ml2::fujitsu::fossw::timeout: {get_param: NeutronFujitsuFosswTimeout} + neutron::plugins::ml2::fujitsu::fossw::udp_dest_port: {get_param: NeutronFujitsuFosswUdpDestPort} + neutron::plugins::ml2::fujitsu::fossw::ovsdb_vlanid_range_min: {get_param: NeutronFujitsuFosswOvsdbVlanidRangeMin} + neutron::plugins::ml2::fujitsu::fossw::ovsdb_port: {get_param: NeutronFujitsuFosswOvsdbPort} + step_config: | + include ::tripleo::profile::base::neutron::plugins::ml2 + diff --git a/puppet/services/neutron-plugin-ml2-ovn.yaml b/puppet/services/neutron-plugin-ml2-ovn.yaml index 59346edc..4d4c3900 100644 --- a/puppet/services/neutron-plugin-ml2-ovn.yaml +++ b/puppet/services/neutron-plugin-ml2-ovn.yaml @@ -18,10 +18,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + OVNSouthboundServerPort: + description: Port of the OVN Southbound DB server + type: number + default: 6642 OVNDbConnectionTimeout: description: Timeout in seconds for the OVSDB connection transaction type: number - default: 60 + default: 180 OVNVifType: description: Type of VIF to be used for ports type: string @@ -43,6 +47,10 @@ parameters: description: OVN notification driver for Neutron QOS service plugin type: string default: NULL + NeutronGeneveMaxHeaderSize: + description: Geneve encapsulation header size + type: number + default: 38 resources: @@ -61,10 +69,12 @@ outputs: config_settings: map_merge: - get_attr: [NeutronMl2Base, role_data, config_settings] - - neutron::plugins::ovn::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout} - neutron::plugins::ovn::neutron_sync_mode: {get_param: OVNNeutronSyncMode} - neutron::plugins::ovn::ovn_l3_mode: true - neutron::plugins::ovn::vif_type: {get_param: OVNVifType} + - ovn::southbound::port: {get_param: OVNSouthboundServerPort} + neutron::plugins::ml2::ovn::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout} + neutron::plugins::ml2::ovn::neutron_sync_mode: {get_param: OVNNeutronSyncMode} + neutron::plugins::ml2::ovn::ovn_l3_mode: true + neutron::plugins::ml2::ovn::vif_type: {get_param: OVNVifType} neutron::server::qos_notification_drivers: {get_param: OVNQosDriver} + neutron::plugins::ml2::max_header_size: {get_param: NeutronGeneveMaxHeaderSize} step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index 407ce6ba..3abd04f3 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml @@ -60,12 +60,6 @@ parameters: default: 'vxlan' description: The tenant network type for Neutron. type: comma_delimited_list - NeutronSupportedPCIVendorDevs: - description: | - List of supported pci vendor devices in the format VendorID:ProductID. - By default Intel & Mellanox SR-IOV capable NICs are supported. - type: comma_delimited_list - default: ['15b3:1004','8086:10ca'] resources: NeutronBase: @@ -91,7 +85,9 @@ outputs: neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges} neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges} neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType} - neutron::plugins::ml2::supported_pci_vendor_devs: {get_param: NeutronSupportedPCIVendorDevs} step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 + service_config_settings: + horizon: + neutron::plugins::ml2::mechanism_drivers: {get_param: NeutronMechanismDrivers} diff --git a/puppet/services/neutron-plugin-opencontrail.yaml b/puppet/services/neutron-plugin-opencontrail.yaml deleted file mode 100644 index 976e5f19..00000000 --- a/puppet/services/neutron-plugin-opencontrail.yaml +++ /dev/null @@ -1,74 +0,0 @@ -heat_template_version: ocata - -description: > - OpenStack Neutron Opencontrail plugin - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - AdminPassword: - description: The password for the keystone admin account, used for monitoring, querying neutron etc. - type: string - hidden: true - AdminToken: - description: The keystone auth secret and db password. - type: string - hidden: true - ContrailApiServerIp: - description: IP address of the OpenContrail API server - type: string - ContrailApiServerPort: - description: Port of the OpenContrail API - type: string - default: 8082 - ContrailMultiTenancy: - description: Whether to enable multi tenancy - type: boolean - default: false - ContrailExtensions: - description: List of OpenContrail extensions to be enabled - type: comma_delimited_list - default: '' - -resources: - - NeutronBase: - type: ./neutron-base.yaml - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - -outputs: - role_data: - description: Role data for the Neutron Opencontrail plugin - value: - service_name: neutron_plugin_opencontrail - config_settings: - map_merge: - - get_attr: [NeutronBase, role_data, config_settings] - - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions,/usr/lib/python2.7/site-packages/neutron_lbaas/extensions - - neutron::plugins::opencontrail::api_server_ip: {get_param: ContrailApiServerIp} - neutron::plugins::opencontrail::api_server_port: {get_param: ContrailApiServerPort} - neutron::plugins::opencontrail::multi_tenancy: {get_param: ContrailMultiTenancy} - neutron::plugins::opencontrail::contrail_extensions: {get_param: ContrailExtensions} - neutron::plugins::opencontrail::keystone_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri] } - neutron::plugins::opencontrail::keystone_admin_user: admin - neutron::plugins::opencontrail::keystone_admin_tenant_name: admin - neutron::plugins::opencontrail::keystone_admin_password: {get_param: AdminPassword} - neutron::plugins::opencontrail::keystone_admin_token: {get_param: AdminToken} - step_config: | - include tripleo::profile::base::neutron::plugins::opencontrail diff --git a/puppet/services/neutron-plugin-plumgrid.yaml b/puppet/services/neutron-plugin-plumgrid.yaml index bd078074..f948dd07 100644 --- a/puppet/services/neutron-plugin-plumgrid.yaml +++ b/puppet/services/neutron-plugin-plumgrid.yaml @@ -100,9 +100,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ovs_neutron' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" - neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneAdmin, host]} + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneInternal, host]} neutron::plugins::plumgrid::admin_password: {get_param: AdminPassword} neutron::plugins::plumgrid::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} neutron::plugins::plumgrid::director_server: {get_param: PLUMgridDirectorServer} diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 36ac3e08..f27b53f2 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -58,18 +58,24 @@ parameters: default: 'public' description: Default pool for floating IP addresses type: string + NovaDbSyncTimeout: + default: 300 + description: Timeout for Nova db sync + type: number conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} resources: - ApacheServiceBase: - type: ./apache.yaml - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - EnableInternalTLS: {get_param: EnableInternalTLS} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # ApacheServiceBase: + # type: ./apache.yaml + # properties: + # ServiceNetMap: {get_param: ServiceNetMap} + # DefaultPasswords: {get_param: DefaultPasswords} + # EndpointMap: {get_param: EndpointMap} + # EnableInternalTLS: {get_param: EnableInternalTLS} NovaBase: type: ./nova-base.yaml @@ -90,7 +96,9 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] - - get_attr: [ApacheServiceBase, role_data, config_settings] + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # - get_attr: [ApacheServiceBase, role_data, config_settings] - nova::cron::archive_deleted_rows::hour: '*/12' nova::cron::archive_deleted_rows::destination: '/dev/null' tripleo.nova_api.firewall_rules: @@ -104,7 +112,7 @@ outputs: nova::keystone::authtoken::project_name: 'service' nova::keystone::authtoken::password: {get_param: NovaPassword} nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} nova::api::enabled: true nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool} nova::api::sync_db_api: true @@ -115,20 +123,23 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::api::service_name: 'httpd' - nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + nova_wsgi_enabled: false + # nova::api::service_name: 'httpd' + # nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - nova::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::wsgi::apache_api::servername: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + # nova::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + # nova::wsgi::apache_api::servername: + # str_replace: + # template: + # "%{hiera('fqdn_$NETWORK')}" + # params: + # $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} nova::api::instance_name_template: {get_param: InstanceNameTemplate} nova_enable_db_purge: {get_param: NovaEnableDBPurge} @@ -137,7 +148,9 @@ outputs: - nova_workers_zero - {} - nova::api::osapi_compute_workers: {get_param: NovaWorkers} - nova::wsgi::apache_api::workers: {get_param: NovaWorkers} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # nova::wsgi::apache_api::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::api service_config_settings: @@ -165,3 +178,87 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # metadata_settings: + # get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: get bootstrap nodeid + tags: common + command: hiera bootstrap_nodeid + register: bootstrap_node + - name: set is_bootstrap_node fact + tags: common + set_fact: is_bootstrap_node={{bootstrap_node.stdout == ansible_hostname}} + - name: Extra migration for nova tripleo/+bug/1656791 + tags: step0,pre-upgrade + when: is_bootstrap_node + command: nova-manage db online_data_migrations + - name: Stop and disable nova_api service (pre-upgrade not under httpd) + tags: step2 + service: name=openstack-nova-api state=stopped enabled=no + - name: Create puppet manifest to set transport_url in nova.conf + tags: step5 + when: is_bootstrap_node + copy: + dest: /root/nova-api_upgrade_manifest.pp + mode: 0600 + content: > + $transport_url = os_transport_url({ + 'transport' => hiera('messaging_service_name', 'rabbit'), + 'hosts' => any2array(hiera('rabbitmq_node_names', undef)), + 'port' => sprintf('%s',hiera('nova::rabbit_port', '5672') ), + 'username' => hiera('nova::rabbit_userid', 'guest'), + 'password' => hiera('nova::rabbit_password'), + 'ssl' => sprintf('%s', bool2num(str2bool(hiera('nova::rabbit_use_ssl', '0')))) + }) + oslo::messaging::default { 'nova_config': + transport_url => $transport_url + } + - name: Run puppet apply to set tranport_url in nova.conf + tags: step5 + when: is_bootstrap_node + command: puppet apply --detailed-exitcodes /root/nova-api_upgrade_manifest.pp + register: puppet_apply_nova_api_upgrade + failed_when: puppet_apply_nova_api_upgrade.rc not in [0,2] + changed_when: puppet_apply_nova_api_upgrade.rc == 2 + - name: Setup cell_v2 (map cell0) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_cell0 + - name: Setup cell_v2 (create default cell) + tags: step5 + when: is_bootstrap_node + # (owalsh) puppet-nova expects the cell name 'default' + # (owalsh) pass the db uri explicitly to avoid https://bugs.launchpad.net/tripleo/+bug/1662344 + shell: nova-manage cell_v2 create_cell --name='default' --database_connection=$(hiera nova::database_connection) + register: nova_api_create_cell + failed_when: nova_api_create_cell.rc not in [0,2] + changed_when: nova_api_create_cell.rc == 0 + - name: Setup cell_v2 (sync nova/cell DB) + tags: step5 + when: is_bootstrap_node + command: nova-manage db sync + async: {get_param: NovaDbSyncTimeout} + poll: 10 + - name: Setup cell_v2 (migrate hosts) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_cell_and_hosts + - name: Setup cell_v2 (get cell uuid) + tags: step5 + when: is_bootstrap_node + shell: nova-manage cell_v2 list_cells | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}' + register: nova_api_cell_uuid + - name: Setup cell_v2 (migrate instances) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_instances --cell_uuid {{nova_api_cell_uuid.stdout}} + - name: Sync nova_api DB + tags: step5 + command: nova-manage api_db sync + when: is_bootstrap_node + - name: Online data migration for nova + tags: step5 + when: is_bootstrap_node + command: nova-manage db online_data_migrations diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index d70e66a0..ceacb0b2 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -18,6 +18,10 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint NovaPassword: description: The password for the nova service and db account, used by nova-api. type: string @@ -66,6 +70,57 @@ parameters: type: string description: Nova Compute upgrade level default: '' + NovaCronArchiveDeleteRowsMinute: + type: string + description: > + Cron to move deleted instances to another table - Minute + default: '1' + NovaCronArchiveDeleteRowsHour: + type: string + description: > + Cron to move deleted instances to another table - Hour + default: '0' + NovaCronArchiveDeleteRowsMonthday: + type: string + description: > + Cron to move deleted instances to another table - Month Day + default: '*' + NovaCronArchiveDeleteRowsMonth: + type: string + description: > + Cron to move deleted instances to another table - Month + default: '*' + NovaCronArchiveDeleteRowsWeekday: + type: string + description: > + Cron to move deleted instances to another table - Week Day + default: '*' + NovaCronArchiveDeleteRowsMaxRows: + type: string + description: > + Cron to move deleted instances to another table - Max Rows + default: '100' + NovaCronArchiveDeleteRowsUser: + type: string + description: > + Cron to move deleted instances to another table - User + default: 'nova' + NovaCronArchiveDeleteRowsDestination: + type: string + description: > + Cron to move deleted instances to another table - Log destination + default: '/var/log/nova/nova-rowsflush.log' + NovaCronArchiveDeleteRowsUntilComplete: + type: boolean + description: > + Cron to move deleted instances to another table - Until complete + default: false + NovaPlacementAPIInterface: + type: string + description: > + Endpoint interface to be used for the placement API. + default: 'internal' + conditions: compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']} @@ -81,6 +136,11 @@ outputs: nova::rabbit_userid: {get_param: RabbitUserName} nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL} nova::rabbit_port: {get_param: RabbitClientPort} + nova::placement::project_name: 'service' + nova::placement::password: {get_param: NovaPassword} + nova::placement::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + nova::placement::os_region_name: {get_param: KeystoneRegion} + nova::placement::os_interface: {get_param: NovaPlacementAPIInterface} nova::database_connection: list_join: - '' @@ -90,8 +150,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' nova::api_database_connection: list_join: - '' @@ -101,8 +160,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_api' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' nova::placement_database_connection: list_join: - '' @@ -112,12 +170,12 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_placement' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' nova::debug: {get_param: Debug} nova::purge_config: {get_param: EnableConfigPurge} nova::network::neutron::neutron_project_name: 'service' nova::network::neutron::neutron_username: 'neutron' + nova::network::neutron::neutron_region_name: {get_param: KeystoneRegion} nova::network::neutron::dhcp_domain: '' nova::network::neutron::neutron_password: {get_param: NeutronPassword} nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} @@ -133,13 +191,26 @@ outputs: nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} nova::use_ipv6: {get_param: NovaIPv6} nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge} - - + nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute} + nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour} + nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday} + nova::cron::archive_deleted_rows::month: {get_param: NovaCronArchiveDeleteRowsMonth} + nova::cron::archive_deleted_rows::weekday: {get_param: NovaCronArchiveDeleteRowsWeekday} + nova::cron::archive_deleted_rows::max_rows: {get_param: NovaCronArchiveDeleteRowsMaxRows} + nova::cron::archive_deleted_rows::user: {get_param: NovaCronArchiveDeleteRowsUser} + nova::cron::archive_deleted_rows::destination: {get_param: NovaCronArchiveDeleteRowsDestination} + nova::cron::archive_deleted_rows::until_complete: {get_param: NovaCronArchiveDeleteRowsUntilComplete} + - if: - compute_upgrade_level_empty - {} - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute} service_config_settings: mysql: + # NOTE(aschultz): this should be configurable if/when we support more + # complex cell v2 configurations. For now, this is the default cell + # created for the cell v2 configuration + nova::db::mysql_api::setup_cell0: true nova::rabbit_password: {get_param: RabbitPassword} nova::rabbit_userid: {get_param: RabbitUserName} nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL} diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index 2312b635..9923e833 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -75,6 +75,10 @@ parameters: default: tag: openstack.nova.compute path: /var/log/nova/nova-compute.log + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: auto resources: NovaBase: @@ -141,3 +145,24 @@ outputs: # We'll probably treat it like we do with Neutron plugins. # Until then, just include it in the default nova-compute role. include tripleo::profile::base::nova::compute::libvirt + service_config_settings: + collectd: + tripleo.collectd.plugins.nova_compute: + - virt + collectd::plugins::virt::connection: "qemu:///system" + upgrade_tasks: + - name: Stop nova-compute service + tags: step2 + service: name=openstack-nova-compute state=stopped + # If not already set by puppet (e.g a pre-ocata version), set the + # upgrade_level for compute to "auto" + - name: Set compute upgrade level to auto + tags: step3 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} + - name: Start nova-compute service + tags: step6 + service: name=openstack-nova-compute state=started diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index b96bf6e6..a19d0f8d 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml @@ -30,6 +30,10 @@ parameters: default: tag: openstack.nova.scheduler path: /var/log/nova/nova-scheduler.log + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: auto conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} @@ -61,3 +65,16 @@ outputs: - nova::conductor::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::conductor + upgrade_tasks: + - name: Stop nova_conductor service + tags: step2 + service: name=openstack-nova-conductor state=stopped + # If not already set by puppet (e.g a pre-ocata version), set the + # upgrade_level for compute to "auto" + - name: Set compute upgrade level to auto + tags: step2 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} diff --git a/puppet/services/nova-consoleauth.yaml b/puppet/services/nova-consoleauth.yaml index 79969ded..b5a1312a 100644 --- a/puppet/services/nova-consoleauth.yaml +++ b/puppet/services/nova-consoleauth.yaml @@ -48,3 +48,7 @@ outputs: get_attr: [NovaBase, role_data, config_settings] step_config: | include tripleo::profile::base::nova::consoleauth + upgrade_tasks: + - name: Stop nova_consoleauth service + tags: step2 + service: name=openstack-nova-consoleauth state=stopped diff --git a/puppet/services/nova-ironic.yaml b/puppet/services/nova-ironic.yaml index 306c6b6f..5eb2170a 100644 --- a/puppet/services/nova-ironic.yaml +++ b/puppet/services/nova-ironic.yaml @@ -42,10 +42,10 @@ outputs: - nova::compute::force_config_drive: true nova::compute::reserved_host_memory: '0' nova::compute::vnc_enabled: false - nova::ironic::common::admin_password: {get_param: IronicPassword} - nova::ironic::common::admin_tenant_name: 'service' - nova::ironic::common::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri]} - nova::ironic::common::admin_username: 'ironic' + nova::ironic::common::password: {get_param: IronicPassword} + nova::ironic::common::project_name: 'service' + nova::ironic::common::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + nova::ironic::common::username: 'ironic' nova::ironic::common::api_endpoint: {get_param: [EndpointMap, IronicInternal, uri]} nova::network::neutron::dhcp_domain: '' nova::scheduler::filter::scheduler_host_manager: 'ironic_host_manager' diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index a9b2b3f9..faf1ae48 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -62,6 +62,7 @@ outputs: nova::compute::libvirt::qemu::configure_qemu: true nova::compute::libvirt::qemu::max_files: 32768 nova::compute::libvirt::qemu::max_processes: 131072 + nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} tripleo.nova_libvirt.firewall_rules: '200 nova_libvirt': dport: diff --git a/puppet/services/nova-placement.yaml b/puppet/services/nova-placement.yaml index 9b7120d8..3ae19a67 100644 --- a/puppet/services/nova-placement.yaml +++ b/puppet/services/nova-placement.yaml @@ -79,10 +79,10 @@ outputs: dport: - 8778 - 13778 - nova::placement::project_name: 'service' - nova::placement::password: {get_param: NovaPassword} - nova::placement::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - nova::placement::os_region_name: {get_param: KeystoneRegion} + nova::keystone::authtoken::project_name: 'service' + nova::keystone::authtoken::password: {get_param: NovaPassword} + nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} nova::wsgi::apache_placement::api_port: '8778' nova::wsgi::apache_placement::ssl: {get_param: EnableInternalTLS} # NOTE: bind IP is found in Heat replacing the network name with the local node IP @@ -90,13 +90,13 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - nova::wsgi::apache_placement::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::wsgi::apache_placement::bind_host: {get_param: [ServiceNetMap, NovaPlacementNetwork]} nova::wsgi::apache_placement::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: - $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + $NETWORK: {get_param: [ServiceNetMap, NovaPlacementNetwork]} - if: - nova_workers_zero @@ -122,3 +122,12 @@ outputs: nova::db::mysql_placement::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + upgrade_tasks: + - name: Stop nova_placement service (running under httpd) + tags: step2 + service: name=httpd state=stopped + # The nova placement API isn't installed in newton images, so install + # it on upgrade + - name: Install nova-placement packages on upgrade + tags: step3 + yum: name=openstack-nova-placement-api state=latest diff --git a/puppet/services/nova-scheduler.yaml b/puppet/services/nova-scheduler.yaml index 353a75ac..e08bf182 100644 --- a/puppet/services/nova-scheduler.yaml +++ b/puppet/services/nova-scheduler.yaml @@ -63,3 +63,7 @@ outputs: nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters} step_config: | include tripleo::profile::base::nova::scheduler + upgrade_tasks: + - name: Stop nova_scheduler service + tags: step2 + service: name=openstack-nova-scheduler state=stopped diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml index bf244943..f6cf9649 100644 --- a/puppet/services/nova-vnc-proxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml @@ -64,3 +64,7 @@ outputs: - 13080 step_config: | include tripleo::profile::base::nova::vncproxy + upgrade_tasks: + - name: Stop nova_vnc_proxy service + tags: step2 + service: name=openstack-nova-consoleauth state=stopped diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml new file mode 100644 index 00000000..909a3030 --- /dev/null +++ b/puppet/services/octavia-api.yaml @@ -0,0 +1,98 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia API service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OctaviaPassword: + description: The password for the Octavia's database account. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + MonitoringSubscriptionOctaviaApi: + default: 'overcloud-octavia-api' + type: string + OctaviaApiLoggingSource: + type: json + default: + tag: openstack.octavia.api + path: /var/log/octavia/api.log + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia API service. + value: + service_name: octavia_api + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi} + logging_source: {get_param: OctaviaApiLoggingSource} + logging_groups: + - octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + octavia::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://octavia:' + - {get_param: OctaviaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/octavia' + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + octavia::keystone::authtoken::project_name: 'service' + octavia::keystone::authtoken::password: {get_param: OctaviaPassword} + octavia::api::sync_db: true + tripleo.octavia_api.firewall_rules: + '120 octavia api': + dport: + - 9876 + - 13876 + octavia::api::host: {get_param: [ServiceNetMap, OctaviaApiNetwork]} + neutron::server::service_providers: ['LOADBALANCERV2:Octavia:neutron_lbaas.drivers.octavia.driver.OctaviaDriver:default'] + step_config: | + include tripleo::profile::base::octavia::api + service_config_settings: + keystone: + octavia::keystone::auth::tenant: 'service' + octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]} + octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] } + octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] } + octavia::keystone::auth::password: {get_param: OctaviaPassword} + octavia::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + octavia::db::mysql::password: {get_param: OctaviaPassword} + octavia::db::mysql::user: octavia + octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + octavia::db::mysql::dbname: octavia + octavia::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml new file mode 100644 index 00000000..b537a2bc --- /dev/null +++ b/puppet/services/octavia-base.yaml @@ -0,0 +1,62 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia base service. Shared for all Octavia services + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + Debug: + type: string + default: '' + description: Set to True to enable debugging on all services. + EnableConfigPurge: + type: boolean + default: true + description: > + Remove configuration that is not generated by TripleO. Setting + to false may result in configuration remnants after updates/upgrades. + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + +outputs: + role_data: + description: Base role data for Octavia services + value: + service_name: octavia_base + config_settings: + octavia::debug: {get_param: Debug} + octavia::purge_config: {get_param: EnableConfigPurge} + octavia::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + tripleo::profile::base::octavia::rabbit_user: {get_param: RabbitUserName} + tripleo::profile::base::octavia::rabbit_password: {get_param: RabbitPassword} + tripleo::profile::base::octavia::rabbit_port: {get_param: RabbitClientPort} + diff --git a/puppet/services/octavia-health-manager.yaml b/puppet/services/octavia-health-manager.yaml new file mode 100644 index 00000000..51d32f23 --- /dev/null +++ b/puppet/services/octavia-health-manager.yaml @@ -0,0 +1,61 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia Health Manager service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MonitoringSubscriptionOctaviaHealthManager: + default: 'overcloud-octavia-health-manager' + type: string + OctaviaHealthManagerLoggingSource: + type: json + default: + tag: openstack.octavia.health-manager + path: /var/log/octavia/health-manager.log + OctaviaHeartbeatKey: + type: string + description: Key to identify heartbeat messages for amphorae. + hidden: true + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia Health Manager service. + value: + service_name: octavia_health_manager + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHealthManager} + logging_source: {get_param: OctaviaHealthManagerLoggingSource} + logging_groups: + - octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey} + octavia::health_manager::event_streamer_driver: 'queue_event_streamer' + step_config: | + include tripleo::profile::base::octavia::health_manager + + + diff --git a/puppet/services/octavia-housekeeping.yaml b/puppet/services/octavia-housekeeping.yaml new file mode 100644 index 00000000..84c33433 --- /dev/null +++ b/puppet/services/octavia-housekeeping.yaml @@ -0,0 +1,70 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia Housekeeping service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OctaviaAmphoraExpiryAge: + default: 0 + description: The interval in seconds after which an unused Amphora will + be considered expired and cleaned up. If left to 0, the + configuration will not be set and the system will use + the service defaults. + type: number + MonitoringSubscriptionOctaviaHousekeeping: + default: 'overcloud-octavia-housekeeping' + type: string + OctaviaHousekeepingLoggingSource: + type: json + default: + tag: openstack.octavia.housekeeping + path: /var/log/octavia/housekeeping.log + +conditions: + amphora_expiry_is_zero: {equals: [{get_param: OctaviaAmphoraExpiryAge}, 0]} + + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia Housekeeping service. + value: + service_name: octavia_housekeeping + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHousekeeping} + logging_source: {get_param: OctaviaHousekeepingLoggingSource} + logging_groups: + - octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - + if: + - amphora_expiry_is_zero + - {} + - octavia::worker::amphora_expiry_age: {get_param: OctaviaAmphoraExpiryAge} + step_config: | + include tripleo::profile::base::octavia::housekeeping + + diff --git a/puppet/services/octavia-worker.yaml b/puppet/services/octavia-worker.yaml new file mode 100644 index 00000000..9212b76b --- /dev/null +++ b/puppet/services/octavia-worker.yaml @@ -0,0 +1,102 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia Worker service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MonitoringSubscriptionOctaviaWorker: + default: 'overcloud-octavia-worker' + type: string + OctaviaWorkerLoggingSource: + type: json + default: + tag: openstack.octavia.worker + path: /var/log/octavia/worker.log + OctaviaAmphoraImageTag: + default: '' + description: Glance image tag for identifying the amphora image. + type: string + OctaviaAmphoraNetworkList: + default: [] + description: List of networks to attach to amphorae. + type: comma_delimited_list + OctaviaLoadBalancerTopology: + default: '' + description: Load balancer topology configuration. + type: string + OctaviaFlavorId: + default: 65 + description: Nova flavor ID to be used when creating the nova flavor for + amphora. + type: number + OctaviaFlavorProperties: + default: {} + description: Dictionary describing the nova flavor for amphora. + type: json + OctaviaManageNovaFlavor: + default: false + description: Configure the nova flavor for the amphora. + type: boolean + OctaviaSSHKeyName: + default: 'octavia-ssh-key' + description: name for ssh key to be configured so the amphora can + be logged into. + type: string + +conditions: + octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]} + octavia_amphora_tag_unset: {equals: [{get_param: OctaviaAmphoraImageTag}, ""]} + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia WoWorker service. + value: + service_name: octavia_worker + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaWorker} + logging_source: {get_param: OctaviaWorkerLoggingSource} + logging_groups: + -octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - octavia::worker::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList} + octavia::worker::amp_flavor_id: {get_param: OctaviaFlavorId} + octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties} + octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor} + octavia::worker::ssh_key_name: {get_param: OctaviaSSHKeyName} + - + if: + - octavia_amphora_tag_unset + - {} + - octavia::worker::amp_image_tag: {get_param: OctaviaAmphoraImageTag} + - + if: + - octavia_topology_unset + - {} + - octavia::worker::loadbalancer_topology: {get_param: OctaviaLoadBalancerTopology} + step_config: | + include tripleo::profile::base::octavia::worker + diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 9adf1bdb..9398d6b5 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -29,11 +29,22 @@ parameters: default: false description: Whether to enable fencing in Pacemaker or not. type: boolean + PacemakerRemoteAuthkey: + type: string + description: The authkey for the pacemaker remote service. + hidden: true + default: '' PcsdPassword: type: string description: The password for the 'pcsd' user for pacemaker. hidden: true default: '' + CorosyncSettleTries: + type: number + description: Number of tries for cluster settling. This has the + same default as the pacemaker puppet module. Override + to a smaller value when in need to replace a controller node. + default: 360 FencingConfig: default: {} description: | @@ -76,6 +87,10 @@ parameters: \[(?<pid>[^ ]*)\] (?<host>[^ ]*) (?<message>.*)$/ + PacemakerResources: + type: comma_delimited_list + description: List of resources managed by pacemaker + default: ['rabbitmq','haproxy'] outputs: role_data: @@ -92,6 +107,7 @@ outputs: pacemaker::resource_defaults::defaults: resource-stickiness: { value: INFINITY } corosync_token_timeout: 10000 + pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries} tripleo.pacemaker.firewall_rules: '130 pacemaker tcp': proto: 'tcp' @@ -112,5 +128,20 @@ outputs: passwords: - {get_param: PcsdPassword} - {get_param: [DefaultPasswords, pcsd_password]} + tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey} step_config: | include ::tripleo::profile::base::pacemaker + upgrade_tasks: + - name: Check pacemaker cluster running before upgrade + tags: step0,validation + pacemaker_cluster: state=online check_and_fail=true + - name: Stop pacemaker cluster + tags: step1 + pacemaker_cluster: state=offline + - name: Start pacemaker cluster + tags: step4 + pacemaker_cluster: state=online + - name: Check pacemaker resource + tags: step4 + pacemaker_resource: state=started resource={{item}} check_mode=true wait_for_resource=true timeout=500 + with_items: {get_param: PacemakerResources} diff --git a/puppet/services/pacemaker/ceph-rbdmirror.yaml b/puppet/services/pacemaker/ceph-rbdmirror.yaml new file mode 100644 index 00000000..7686028d --- /dev/null +++ b/puppet/services/pacemaker/ceph-rbdmirror.yaml @@ -0,0 +1,47 @@ +heat_template_version: ocata + +description: > + Ceph RBD mirror service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephClientUserName: + default: openstack + type: string + +resources: + CephBase: + type: ../ceph-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Ceph RBD mirrror service. + value: + service_name: ceph_rbdmirror + config_settings: + map_merge: + - get_attr: [CephBase, role_data, config_settings] + - tripleo::profile::pacemaker::ceph::rbdmirror::client_name: {get_param: CephClientUserName} + tripleo.ceph_rbdmirror.firewall_rules: + '113 ceph_rbdmirror': + dport: + - '6800-7300' + step_config: | + include ::tripleo::profile::pacemaker::ceph::rbdmirror
\ No newline at end of file diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index 511a01ab..93bf5967 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -53,6 +53,8 @@ outputs: get_param: [ServiceNetMap, MysqlNetwork] step_config: | include ::tripleo::profile::pacemaker::database::mysql + metadata_settings: + get_attr: [MysqlBase, role_data, metadata_settings] upgrade_tasks: - name: Check for galera root password tags: step0 diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml index 50da4119..598deaef 100644 --- a/puppet/services/pacemaker/haproxy.yaml +++ b/puppet/services/pacemaker/haproxy.yaml @@ -40,3 +40,5 @@ outputs: tripleo::haproxy::mysql_clustercheck: true step_config: | include ::tripleo::profile::pacemaker::haproxy + metadata_settings: + get_attr: [LoadbalancerServiceBase, role_data, metadata_settings] diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml new file mode 100644 index 00000000..daee43e6 --- /dev/null +++ b/puppet/services/pacemaker_remote.yaml @@ -0,0 +1,57 @@ +heat_template_version: ocata + +description: > + Pacemaker remote service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + PacemakerRemoteAuthkey: + type: string + description: The authkey for the pacemaker remote service. + hidden: true + default: '' + MonitoringSubscriptionPacemakerRemote: + default: 'overcloud-pacemaker_remote' + type: string + PacemakerRemoteLoggingSource: + type: json + default: + tag: system.pacemaker_remote + path: /var/log/pacemaker.log + format: >- + /^(?<time>[^ ]*\s*[^ ]* [^ ]*) + \[(?<pid>[^ ]*)\] + (?<host>[^ ]*) + (?<message>.*)$/ + +outputs: + role_data: + description: Role data for the Pacemaker remote role. + value: + service_name: pacemaker_remote + monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote} + logging_groups: + - haclient + logging_source: {get_param: PacemakerRemoteLoggingSource} + config_settings: + tripleo.pacemaker_remote.firewall_rules: + '130 pacemaker_remote tcp': + proto: 'tcp' + dport: + - 3121 + tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey} + step_config: | + include ::tripleo::profile::base::pacemaker_remote diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml index 06284fb2..4b74ad45 100644 --- a/puppet/services/panko-api.yaml +++ b/puppet/services/panko-api.yaml @@ -82,3 +82,5 @@ outputs: get_attr: [PankoBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::panko::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml index 6e25d796..998e64ee 100644 --- a/puppet/services/panko-base.yaml +++ b/puppet/services/panko-base.yaml @@ -46,14 +46,13 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/panko' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' panko::debug: {get_param: Debug} panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::keystone::authtoken::project_name: 'service' panko::keystone::authtoken::password: {get_param: PankoPassword} panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::auth::auth_password: {get_param: PankoPassword} panko::auth::auth_region: 'regionOne' panko::auth::auth_tenant_name: 'service' diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index ab9dad46..2c4ccbc9 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml @@ -78,6 +78,7 @@ outputs: NODE_IP_ADDRESS: '' RABBITMQ_NODENAME: "rabbit@%{::hostname}" RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"' + 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}" rabbitmq_kernel_variables: inet_dist_listen_min: '25672' inet_dist_listen_max: '25672' diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index 9e494385..8573ea81 100644 --- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -90,3 +90,7 @@ outputs: sahara::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + upgrade_tasks: + - name: Stop sahara_api service + tags: step2 + service: name=openstack-sahara-api state=stopped diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml index b4307053..224989be 100644 --- a/puppet/services/sahara-base.yaml +++ b/puppet/services/sahara-base.yaml @@ -64,8 +64,7 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/sahara' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' sahara::rabbit_password: {get_param: RabbitPassword} sahara::rabbit_user: {get_param: RabbitUserName} sahara::rabbit_use_ssl: {get_param: RabbitClientUseSSL} @@ -73,7 +72,7 @@ outputs: sahara::debug: {get_param: Debug} sahara::admin_password: {get_param: SaharaPassword} sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - sahara::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + sahara::identity_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } sahara::use_neutron: true sahara::plugins: {get_param: SaharaPlugins} sahara::rpc_backend: rabbit diff --git a/puppet/services/sahara-engine.yaml b/puppet/services/sahara-engine.yaml index a1521c28..176514ec 100644 --- a/puppet/services/sahara-engine.yaml +++ b/puppet/services/sahara-engine.yaml @@ -49,3 +49,7 @@ outputs: - get_attr: [SaharaBase, role_data, config_settings] step_config: | include ::tripleo::profile::base::sahara::engine + upgrade_tasks: + - name: Stop sahara_engine service + tags: step2 + service: name=openstack-sahara-engine state=stopped diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index 90268c78..a2286d16 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -52,11 +52,7 @@ outputs: description: Combined Role data for this set of services. value: service_names: - # Filter any null/None service_names which may be present due to mapping - # of services to OS::Heat::None - yaql: - expression: list($.data.s_names.where($ != null)) - data: {s_names: {get_attr: [ServiceChain, role_data, service_name]}} + {get_attr: [ServiceChain, role_data, service_name]} monitoring_subscriptions: yaql: expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null)) @@ -112,10 +108,15 @@ outputs: yaql: expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {}) data: {role_data: {get_attr: [ServiceChain, role_data]}} - step_config: {list_join: ["\n", {get_attr: [ServiceChain, role_data, step_config]}]} + step_config: {get_attr: [ServiceChain, role_data, step_config]} upgrade_tasks: yaql: # Note we use distinct() here to filter any identical tasks, e.g yum update for all services expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct() data: {get_attr: [ServiceChain, role_data]} + upgrade_batch_tasks: + yaql: + # Note we use distinct() here to filter any identical tasks, e.g yum update for all services + expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]} diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml index be9d143e..fd6ed818 100644 --- a/puppet/services/snmp.yaml +++ b/puppet/services/snmp.yaml @@ -43,3 +43,7 @@ outputs: proto: 'udp' step_config: | include ::tripleo::profile::base::snmp + upgrade_tasks: + - name: Stop snmp service + tags: step2 + service: name=snmpd state=stopped diff --git a/puppet/services/neutron-compute-plugin-opencontrail.yaml b/puppet/services/sshd.yaml index bbe4a051..41e144a0 100644 --- a/puppet/services/neutron-compute-plugin-opencontrail.yaml +++ b/puppet/services/sshd.yaml @@ -1,7 +1,7 @@ heat_template_version: ocata description: > - OpenStack Neutron Compute OpenContrail plugin + Configure sshd_config parameters: ServiceNetMap: @@ -18,12 +18,17 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + BannerText: + default: '' + description: Configures Banner text in sshd_config + type: string outputs: role_data: - description: Role data for the Neutron Compute OpenContrail plugin + description: Role data for the ssh value: - service_name: neutron_compute_plugin_opencontrail + service_name: sshd config_settings: + BannerText: {get_param: BannerText} step_config: | - include ::tripleo::profile::base::neutron::opencontrail::vrouter + include ::tripleo::profile::base::sshd diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 6ccfe7a2..c941b598 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -57,6 +57,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string conditions: @@ -81,7 +87,7 @@ outputs: - get_attr: [SwiftBase, role_data, config_settings] - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::authtoken::password: {get_param: SwiftPassword} swift::proxy::authtoken::project_name: 'service' swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout} @@ -91,6 +97,7 @@ outputs: swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]} swift::proxy::ceilometer::nonblocking_notify: true tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort} + tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RabbitClientUseSSL} tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled} tripleo.swift_proxy.firewall_rules: '122 swift proxy': @@ -119,8 +126,8 @@ outputs: - 'keystone' - 'staticweb' - 'copy' - - 'container-quotas' - - 'account-quotas' + - 'container_quotas' + - 'account_quotas' - 'slo' - 'dlo' - 'versioned_writes' @@ -131,6 +138,7 @@ outputs: - '' - 'proxy-logging' - 'proxy-server' + swift::proxy::ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL} swift::proxy::account_autocreate: true # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples @@ -157,3 +165,7 @@ outputs: - admin - swiftoperator - ResellerAdmin + upgrade_tasks: + - name: Stop swift_proxy service + tags: step2 + service: name=openstack-swift-proxy state=stopped diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index a7ba7bad..2e3c818f 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -43,6 +43,16 @@ parameters: description: 'Use a local directory for Swift storage services when building rings' type: boolean +conditions: + swift_use_local_dir: + and: + - equals: + - get_param: SwiftUseLocalDir + - true + - equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for Swift Ringbuilder configuration. @@ -59,7 +69,7 @@ outputs: expression: $.data.raw_disk_lists.flatten() data: raw_disk_lists: - - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]} + - {if: [swift_use_local_dir, [':%PORT%/d1'], []]} - repeat: template: ':%PORT%/DEVICE' for_each: diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 00ae9c35..247b23ff 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -56,6 +56,17 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} +conditions: + swift_mount_check: + or: + - equals: + - get_param: SwiftMountCheck + - true + - not: + equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for the Swift Proxy role. @@ -65,7 +76,7 @@ outputs: config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - - swift::storage::all::mount_check: {get_param: SwiftMountCheck} + - swift::storage::all::mount_check: {if: [swift_mount_check, true, false]} tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage} tripleo.swift_storage.firewall_rules: '123 swift storage': @@ -90,3 +101,20 @@ outputs: swift::storage::all::storage_local_net_ip: {get_param: [ServiceNetMap, SwiftStorageNetwork]} step_config: | include ::tripleo::profile::base::swift::storage + upgrade_tasks: + - name: Stop swift storage services + tags: step2 + service: name={{ item }} state=stopped + with_items: + - openstack-swift-account-auditor + - openstack-swift-account-reaper + - openstack-swift-account-replicator + - openstack-swift-account + - openstack-swift-container-auditor + - openstack-swift-container-replicator + - openstack-swift-container-updater + - openstack-swift-container + - openstack-swift-object-auditor + - openstack-swift-object-replicator + - openstack-swift-object-updater + - openstack-swift-object diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml new file mode 100644 index 00000000..6ceb9f19 --- /dev/null +++ b/puppet/services/tacker.yaml @@ -0,0 +1,97 @@ +heat_template_version: ocata + +description: > + OpenStack Tacker service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + TackerPassword: + description: The password for the tacker service account. + type: string + hidden: true + Debug: + type: string + default: '' + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + +outputs: + role_data: + description: Role data for the Tacker role. + value: + service_name: tacker + config_settings: + tacker_password: {get_param: TackerPassword} + tacker::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://tacker:' + - {get_param: TackerPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/tacker' + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + + tacker::keystone::auth::tenant: 'service' + tacker::keystone::auth::password: {get_param: TackerPassword} + tacker::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + tacker::debug: {get_param: Debug} + tacker::rpc_backend: rabbit + tacker::rabbit_userid: {get_param: RabbitUserName} + tacker::rabbit_password: {get_param: RabbitPassword} + tacker::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + tacker::rabbit_port: {get_param: RabbitClientPort} + tacker::server::bind_host: {get_param: [ServiceNetMap, TackerApiNetwork]} + + tacker::db::mysql::password: {get_param: TackerPassword} + tacker::db::mysql::user: tacker + tacker::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + tacker::db::mysql::dbname: tacker + tacker::db::mysql::allowed_hosts: + - '%' + - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + + + step_config: | + include ::tripleo::profile::base::tacker + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-tacker-server is running" + shell: /usr/bin/systemctl show 'openstack-tacker-server' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop tacker service + tags: step2 + service: name=openstack-tacker-server state=stopped diff --git a/puppet/services/time/ntp.yaml b/puppet/services/time/ntp.yaml index 7c3a19a9..b14d7bcc 100644 --- a/puppet/services/time/ntp.yaml +++ b/puppet/services/time/ntp.yaml @@ -22,8 +22,10 @@ parameters: via parameter_defaults in the resource registry. type: json NtpServer: - default: [] - description: NTP servers + default: ['pool.ntp.org'] + description: NTP servers list. Defaulted to pool.ntp.org in order to + have a sane default for Pacemaker deployments when + not configuring this parameter by default. type: comma_delimited_list outputs: @@ -38,4 +40,4 @@ outputs: dport: 123 proto: udp step_config: | - include ::ntp + include ::tripleo::profile::base::time::ntp diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml index 0224ac13..cb860fa8 100644 --- a/puppet/services/zaqar.yaml +++ b/puppet/services/zaqar.yaml @@ -40,7 +40,7 @@ outputs: config_settings: zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} zaqar::keystone::authtoken::project_name: 'service' - zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} zaqar::debug: {get_param: Debug} zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]} |