summaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/all-nodes-config.yaml18
-rw-r--r--puppet/blockstorage-role.yaml10
-rw-r--r--puppet/cephstorage-role.yaml10
-rw-r--r--puppet/compute-role.yaml10
-rw-r--r--puppet/controller-role.yaml10
-rw-r--r--puppet/deploy-artifacts.sh2
-rw-r--r--puppet/objectstorage-role.yaml10
-rw-r--r--puppet/role.role.j2.yaml10
-rw-r--r--puppet/services/cinder-backend-dellsc.yaml4
-rw-r--r--puppet/services/cinder-backend-netapp.yaml8
-rw-r--r--puppet/services/cinder-volume.yaml16
-rw-r--r--puppet/services/database/mysql.yaml13
-rw-r--r--puppet/services/database/redis.yaml20
-rw-r--r--puppet/services/gnocchi-base.yaml10
-rw-r--r--puppet/services/horizon.yaml3
-rw-r--r--puppet/services/ironic-api.yaml31
-rw-r--r--puppet/services/ironic-conductor.yaml6
-rw-r--r--puppet/services/ironic-inspector.yaml151
-rw-r--r--puppet/services/keystone.yaml41
-rw-r--r--puppet/services/neutron-sriov-agent.yaml22
-rw-r--r--puppet/services/nova-api.yaml2
-rw-r--r--puppet/services/ovn-dbs.yaml1
-rw-r--r--puppet/services/pacemaker/database/mysql.yaml7
-rw-r--r--puppet/services/pacemaker/ovn-dbs.yaml61
-rw-r--r--puppet/services/panko-api.yaml4
-rw-r--r--puppet/services/services.yaml129
26 files changed, 438 insertions, 171 deletions
diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml
index baafe03d..b1284452 100644
--- a/puppet/all-nodes-config.yaml
+++ b/puppet/all-nodes-config.yaml
@@ -12,10 +12,8 @@ parameters:
type: string
cloud_name_ctlplane:
type: string
- # FIXME(shardy) this can be comma_delimited_list when
- # https://bugs.launchpad.net/heat/+bug/1617019 is fixed
enabled_services:
- type: string
+ type: comma_delimited_list
controller_ips:
type: comma_delimited_list
logging_groups:
@@ -118,7 +116,10 @@ resources:
map_merge:
- tripleo::profile::base::logging::fluentd::fluentd_sources: {get_param: logging_sources}
- tripleo::profile::base::logging::fluentd::fluentd_groups: {get_param: logging_groups}
- - enabled_services: {get_param: enabled_services}
+ - enabled_services:
+ yaql:
+ expression: $.data.distinct()
+ data: {get_param: enabled_services}
# This writes out a mapping of service_name_enabled: 'true'
# For any services not enabled, hiera foo_enabled will
# return nil, as it's undefined
@@ -129,8 +130,7 @@ resources:
# https://bugs.launchpad.net/heat/+bug/1617203
SERVICE_enabled: 'true'
for_each:
- SERVICE:
- str_split: [',', {get_param: enabled_services}]
+ SERVICE: {get_param: enabled_services}
# Dynamically generate per-service network data
# This works as follows (outer->inner functions)
# yaql - filters services where no mapping exists in ServiceNetMap
@@ -150,8 +150,7 @@ resources:
template:
SERVICE_network: SERVICE_network
for_each:
- SERVICE:
- str_split: [',', {get_param: enabled_services}]
+ SERVICE: {get_param: enabled_services}
- values: {get_param: ServiceNetMap}
# Keystone doesn't provide separate entries for the public
# and admin endpoints, so we need to add them here manually
@@ -203,8 +202,7 @@ resources:
template:
SERVICE_vip: SERVICE_network
for_each:
- SERVICE:
- str_split: [',', {get_param: enabled_services}]
+ SERVICE: {get_param: enabled_services}
- values: {get_param: ServiceNetMap}
- values: {get_param: NetVipMap}
- keystone_admin_api_vip:
diff --git a/puppet/blockstorage-role.yaml b/puppet/blockstorage-role.yaml
index 60ddeb8a..551a88ca 100644
--- a/puppet/blockstorage-role.yaml
+++ b/puppet/blockstorage-role.yaml
@@ -69,8 +69,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
BlockStorageServerMetadata:
default: {}
description: >
@@ -139,6 +139,10 @@ parameters:
Map of server hostnames to blacklist from any triggered
deployments. If the value is 1, the server will be blacklisted. This
parameter is generated from the parent template.
+ RoleParameters:
+ type: json
+ description: Role Specific Parameters
+ default: {}
conditions:
server_not_blacklisted:
@@ -372,6 +376,7 @@ resources:
type: OS::TripleO::BlockStorage::PreNetworkConfig
properties:
server: {get_resource: BlockStorage}
+ RoleParameters: {get_param: RoleParameters}
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
@@ -466,6 +471,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
diff --git a/puppet/cephstorage-role.yaml b/puppet/cephstorage-role.yaml
index 9d30ab29..4336f3e7 100644
--- a/puppet/cephstorage-role.yaml
+++ b/puppet/cephstorage-role.yaml
@@ -75,8 +75,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
CephStorageServerMetadata:
default: {}
description: >
@@ -145,6 +145,10 @@ parameters:
Map of server hostnames to blacklist from any triggered
deployments. If the value is 1, the server will be blacklisted. This
parameter is generated from the parent template.
+ RoleParameters:
+ type: json
+ description: Role Specific Parameters
+ default: {}
conditions:
server_not_blacklisted:
@@ -378,6 +382,7 @@ resources:
type: OS::TripleO::CephStorage::PreNetworkConfig
properties:
server: {get_resource: CephStorage}
+ RoleParameters: {get_param: RoleParameters}
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
@@ -471,6 +476,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml
index 06a31ec9..7bcee47d 100644
--- a/puppet/compute-role.yaml
+++ b/puppet/compute-role.yaml
@@ -90,8 +90,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
NovaComputeServerMetadata:
default: {}
description: >
@@ -157,6 +157,10 @@ parameters:
Map of server hostnames to blacklist from any triggered
deployments. If the value is 1, the server will be blacklisted. This
parameter is generated from the parent template.
+ RoleParameters:
+ type: json
+ description: Role Specific Parameters
+ default: {}
conditions:
server_not_blacklisted:
@@ -381,6 +385,7 @@ resources:
type: OS::TripleO::Compute::PreNetworkConfig
properties:
server: {get_resource: NovaCompute}
+ RoleParameters: {get_param: RoleParameters}
NetworkConfig:
type: OS::TripleO::Compute::Net::SoftwareConfig
@@ -479,6 +484,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
NovaComputeDeployment:
type: OS::TripleO::SoftwareDeployment
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
index cccfdef1..6a032656 100644
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@@ -104,8 +104,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
ControllerServerMetadata:
default: {}
description: >
@@ -171,6 +171,10 @@ parameters:
Map of server hostnames to blacklist from any triggered
deployments. If the value is 1, the server will be blacklisted. This
parameter is generated from the parent template.
+ RoleParameters:
+ type: json
+ description: Role Specific Parameters
+ default: {}
parameter_groups:
- label: deprecated
@@ -401,6 +405,7 @@ resources:
type: OS::TripleO::Controller::PreNetworkConfig
properties:
server: {get_resource: Controller}
+ RoleParameters: {get_param: RoleParameters}
NetworkConfig:
type: OS::TripleO::Controller::Net::SoftwareConfig
@@ -541,6 +546,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
# Hook for site-specific additional pre-deployment config, e.g extra hieradata
ControllerExtraConfigPre:
diff --git a/puppet/deploy-artifacts.sh b/puppet/deploy-artifacts.sh
index 4e1ad89f..6e7f0ec1 100644
--- a/puppet/deploy-artifacts.sh
+++ b/puppet/deploy-artifacts.sh
@@ -16,7 +16,7 @@ if [ -n "$artifact_urls" ]; then
tar xvzf $TMP_DATA/file_data
popd
else
- echo "ERROR: Unsupported file format."
+ echo "ERROR: Unsupported file format: $URL"
exit 1
fi
rm $TMP_DATA/file_data
diff --git a/puppet/objectstorage-role.yaml b/puppet/objectstorage-role.yaml
index 19ea1b65..40a5d441 100644
--- a/puppet/objectstorage-role.yaml
+++ b/puppet/objectstorage-role.yaml
@@ -69,8 +69,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
SwiftStorageServerMetadata:
default: {}
description: >
@@ -139,6 +139,10 @@ parameters:
Map of server hostnames to blacklist from any triggered
deployments. If the value is 1, the server will be blacklisted. This
parameter is generated from the parent template.
+ RoleParameters:
+ type: json
+ description: Role Specific Parameters
+ default: {}
conditions:
server_not_blacklisted:
@@ -372,6 +376,7 @@ resources:
type: OS::TripleO::ObjectStorage::PreNetworkConfig
properties:
server: {get_resource: SwiftStorage}
+ RoleParameters: {get_param: RoleParameters}
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
@@ -451,6 +456,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
SwiftStorageHieraDeploy:
type: OS::Heat::StructuredDeployment
diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml
index 7af90e24..f3b4b6b8 100644
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@@ -85,8 +85,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
{{role}}ServerMetadata:
default: {}
description: >
@@ -161,6 +161,10 @@ parameters:
Map of server hostnames to blacklist from any triggered
deployments. If the value is 1, the server will be blacklisted. This
parameter is generated from the parent template.
+ RoleParameters:
+ type: json
+ description: Role Specific Parameters
+ default: {}
conditions:
server_not_blacklisted:
@@ -394,6 +398,7 @@ resources:
type: OS::TripleO::{{role}}::PreNetworkConfig
properties:
server: {get_resource: {{role}}}
+ RoleParameters: {get_param: RoleParameters}
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
@@ -493,6 +498,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
diff --git a/puppet/services/cinder-backend-dellsc.yaml b/puppet/services/cinder-backend-dellsc.yaml
index a201134c..c0bffb18 100644
--- a/puppet/services/cinder-backend-dellsc.yaml
+++ b/puppet/services/cinder-backend-dellsc.yaml
@@ -61,6 +61,9 @@ parameters:
CinderDellScSecondaryScApiPort:
type: number
default: 3033
+ CinderDellScExcludedDomainIp:
+ type: string
+ default: ''
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
@@ -105,5 +108,6 @@ outputs:
cinder::backend::dellsc_iscsi::secondary_san_login: {get_param: CinderDellScSecondarySanLogin}
cinder::backend::dellsc_iscsi::secondary_san_password: {get_param: CinderDellScSecondarySanPassword}
cinder::backend::dellsc_iscsi::secondary_sc_api_port: {get_param: CinderDellScSecondaryScApiPort}
+ cinder::backend::dellsc_iscsi::excluded_domain_ip: {get_param: CinderDellScExcludedDomainIp}
step_config: |
include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/cinder-backend-netapp.yaml b/puppet/services/cinder-backend-netapp.yaml
index bddc8e1a..fbde4c0a 100644
--- a/puppet/services/cinder-backend-netapp.yaml
+++ b/puppet/services/cinder-backend-netapp.yaml
@@ -93,6 +93,12 @@ parameters:
CinderNetappWebservicePath:
type: string
default: '/devmgr/v2'
+ CinderNetappNasSecureFileOperations:
+ type: string
+ default: 'false'
+ CinderNetappNasSecureFilePermissions:
+ type: string
+ default: 'false'
# DEPRECATED options for compatibility with older versions
CinderNetappEseriesHostType:
type: string
@@ -133,5 +139,7 @@ outputs:
cinder::backend::netapp::netapp_storage_pools: {get_param: CinderNetappStoragePools}
cinder::backend::netapp::netapp_host_type: {get_param: CinderNetappHostType}
cinder::backend::netapp::netapp_webservice_path: {get_param: CinderNetappWebservicePath}
+ cinder::backend::netapp::nas_secure_file_operations: {get_param: CinderNetappNasSecureFileOperations}
+ cinder::backend::netapp::nas_secure_file_permissions: {get_param: CinderNetappNasSecureFilePermissions}
step_config: |
include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index fe95222b..1f8c345d 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
@@ -40,6 +40,20 @@ parameters:
NFS servers used by Cinder NFS backend. Effective when
CinderEnableNfsBackend is true.
type: comma_delimited_list
+ CinderNasSecureFileOperations:
+ default: false
+ description: >
+ Controls whether security enhanced NFS file operations are enabled.
+ Valid values are 'auto', 'true' or 'false'. Effective when
+ CinderEnableNfsBackend is true.
+ type: string
+ CinderNasSecureFilePermissions:
+ default: false
+ description: >
+ Controls whether security enhanced NFS file permissions are enabled.
+ Valid values are 'auto', 'true' or 'false'. Effective when
+ CinderEnableNfsBackend is true.
+ type: string
CinderRbdPoolName:
default: volumes
type: string
@@ -105,6 +119,8 @@ outputs:
tripleo::profile::base::cinder::volume::cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend}
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_mount_options: {get_param: CinderNfsMountOptions}
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: {get_param: CinderNfsServers}
+ tripleo::profile::base::cinder::volume::nfs::cinder_nas_secure_file_operations: {get_param: CinderNasSecureFileOperations}
+ tripleo::profile::base::cinder::volume::nfs::cinder_nas_secure_file_permissions: {get_param: CinderNasSecureFilePermissions}
tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol}
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 2bde9033..882ba299 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -118,6 +118,16 @@ outputs:
template: "%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ dnsnames:
+ - str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ - str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/%{hiera('cloud_name_NETWORK')}"
@@ -132,6 +142,9 @@ outputs:
- service: mysql
network: {get_param: [ServiceNetMap, MysqlNetwork]}
type: vip
+ - service: mysql
+ network: {get_param: [ServiceNetMap, MysqlNetwork]}
+ type: node
- null
upgrade_tasks:
- name: Check for galera root password
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
index df406a8c..9567a73f 100644
--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
@@ -52,3 +52,23 @@ outputs:
- 26379
step_config: |
include ::tripleo::profile::base::database::redis
+ upgrade_tasks:
+ - name: Check if redis is deployed
+ command: systemctl is-enabled redis
+ tags: common
+ ignore_errors: True
+ register: redis_enabled
+ - name: "PreUpgrade step0,validation: Check if redis is running"
+ shell: >
+ /usr/bin/systemctl show 'redis' --property ActiveState |
+ grep '\bactive\b'
+ when: redis_enabled.rc == 0
+ tags: step0,validation
+ - name: Stop redis service
+ tags: step1
+ when: redis_enabled.rc == 0
+ service: name=redis state=stopped
+ - name: Install redis package if it was disabled
+ tags: step3
+ yum: name=redis state=latest
+ when: redis_enabled.rc != 0
diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml
index f4067ef6..b4af7e85 100644
--- a/puppet/services/gnocchi-base.yaml
+++ b/puppet/services/gnocchi-base.yaml
@@ -34,6 +34,10 @@ parameters:
default: 30
description: Delay between processing metrics.
type: number
+ NumberOfStorageSacks:
+ default: 128
+ description: Number of storage sacks to create.
+ type: number
GnocchiPassword:
description: The password for the gnocchi service and db account.
type: string
@@ -87,7 +91,11 @@ outputs:
query:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
- gnocchi::db::sync::extra_opts: ''
+ gnocchi::db::sync::extra_opts:
+ str_replace:
+ template: " --sacks-number NUM_SACKS"
+ params:
+ NUM_SACKS: {get_param: NumberOfStorageSacks}
gnocchi::storage::metric_processing_delay: {get_param: MetricProcessingDelay}
gnocchi::storage::swift::swift_user: 'service:gnocchi'
gnocchi::storage::swift::swift_auth_version: 3
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 93bced8b..1f97b8ba 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -55,7 +55,7 @@ parameters:
HorizonSecureCookies:
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
type: boolean
- default: true
+ default: false
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
@@ -89,7 +89,6 @@ outputs:
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
horizon::vhost_extra_params:
- add_listen: false
priority: 10
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
options: ['FollowSymLinks','MultiViews']
diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml
index 945033a1..0e8eacf1 100644
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@@ -43,8 +43,21 @@ parameters:
e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
IronicBase:
type: ./ironic-base.yaml
properties:
@@ -63,6 +76,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [IronicBase, role_data, config_settings]
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
- ironic::api::authtoken::password: {get_param: IronicPassword}
ironic::api::authtoken::project_name: 'service'
ironic::api::authtoken::user_domain_name: 'Default'
@@ -80,7 +94,17 @@ outputs:
ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
# This is used to build links in responses
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
+ ironic::api::service_name: 'httpd'
ironic::policy::policies: {get_param: IronicApiPolicies}
+ ironic::wsgi::apache::bind_host: {get_param: [ServiceNetMap, IronicApiNetwork]}
+ ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]}
+ ironic::wsgi::apache::servername:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
+ ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS}
tripleo.ironic_api.firewall_rules:
'133 ironic api':
dport:
@@ -106,6 +130,9 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
upgrade_tasks:
- - name: Stop ironic_api service
+ - name: Stop ironic_api service (before httpd support)
+ tags: step1
+ service: name=openstack-ironic-api state=stopped enabled=no
+ - name: Stop ironic_api service (running under httpd)
tags: step1
- service: name=openstack-ironic-api state=stopped
+ service: name=httpd state=stopped
diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml
index b1676715..0e8c8e12 100644
--- a/puppet/services/ironic-conductor.yaml
+++ b/puppet/services/ironic-conductor.yaml
@@ -164,6 +164,12 @@ outputs:
ironic::my_ip: {get_param: [ServiceNetMap, IronicNetwork]}
ironic::pxe::common::http_port: {get_param: IronicIPXEPort}
# Credentials to access other services
+ ironic::cinder::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ironic::cinder::username: 'ironic'
+ ironic::cinder::password: {get_param: IronicPassword}
+ ironic::cinder::project_name: 'service'
+ ironic::cinder::user_domain_name: 'Default'
+ ironic::cinder::project_domain_name: 'Default'
ironic::glance::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::glance::username: 'ironic'
ironic::glance::password: {get_param: IronicPassword}
diff --git a/puppet/services/ironic-inspector.yaml b/puppet/services/ironic-inspector.yaml
new file mode 100644
index 00000000..e8537a29
--- /dev/null
+++ b/puppet/services/ironic-inspector.yaml
@@ -0,0 +1,151 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Ironic Inspector configured with Puppet (EXPERIMENTAL)
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ MonitoringSubscriptionIronicInspector:
+ default: 'overcloud-ironic-inspector'
+ type: string
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ Debug:
+ default: ''
+ description: Set to True to enable debugging on all services.
+ type: string
+ IronicInspectorInterface:
+ default: br-ex
+ description: |
+ Network interface on which inspection dnsmasq will listen. Should allow
+ access to untagged traffic from nodes booted for inspection. The default
+ value only makes sense if you don't modify any networking configuration.
+ type: string
+ IronicInspectorIPXEEnabled:
+ default: true
+ description: Whether to use iPXE for inspection.
+ type: boolean
+ IronicInspectorIpRange:
+ description: |
+ Temporary IP range that will be given to nodes during the inspection
+ process. This should not overlap with any range that Neutron's DHCP
+ gives away, but it has to be routeable back to ironic-inspector API.
+ This option has no meaningful defaults, and thus is required.
+ type: string
+ IronicInspectorUseSwift:
+ default: true
+ description: Whether to use Swift for storing introspection data.
+ type: boolean
+ IronicIPXEPort:
+ default: 8088
+ description: Port to use for serving images when iPXE is used.
+ type: string
+ IronicPassword:
+ description: The password for the Ironic service and db account, used by the Ironic services
+ type: string
+ hidden: true
+
+conditions:
+ enable_ipxe: {equals : [{get_param: IronicInspectorIPXEEnabled}, true]}
+ use_swift: {equals : [{get_param: IronicInspectorUseSwift}, true]}
+
+outputs:
+ role_data:
+ description: Role data for the Ironic Inspector role.
+ value:
+ service_name: ironic_inspector
+ monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
+ config_settings:
+ map_merge:
+ - ironic::inspector::listen_address: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
+ ironic::inspector::dnsmasq_local_ip: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
+ ironic::inspector::dnsmasq_ip_range: {get_param: IronicInspectorIpRange}
+ ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
+ ironic::inspector::debug: {get_param: Debug}
+ ironic::inspector::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ ironic::inspector::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ironic::inspector::authtoken::username: 'ironic'
+ ironic::inspector::authtoken::password: {get_param: IronicPassword}
+ ironic::inspector::authtoken::project_name: 'service'
+ ironic::inspector::authtoken::user_domain_name: 'Default'
+ ironic::inspector::authtoken::project_domain_name: 'Default'
+ tripleo.ironic_inspector.firewall_rules:
+ '137 ironic-inspector':
+ dport:
+ - 5050
+ ironic::inspector::ironic_username: 'ironic'
+ ironic::inspector::ironic_password: {get_param: IronicPassword}
+ ironic::inspector::ironic_tenant_name: 'service'
+ ironic::inspector::ironic_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ironic::inspector::ironic_max_retries: 6
+ ironic::inspector::ironic_retry_interval: 10
+ ironic::inspector::ironic_user_domain_name: 'Default'
+ ironic::inspector::ironic_project_domain_name: 'Default'
+ ironic::inspector::http_port: {get_param: IronicIPXEPort}
+ ironic::inspector::db::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://ironic-inspector:'
+ - {get_param: IronicPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/ironic-inspector'
+ - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+ -
+ if:
+ - enable_ipxe
+ - ironic::inspector::pxe_transfer_protocol: 'http'
+ - {}
+ -
+ if:
+ - use_swift
+ - ironic::inspector::store_data: 'swift'
+ ironic::inspector::swift_username: 'ironic'
+ ironic::inspector::swift_password: {get_param: IronicPassword}
+ ironic::inspector::swift_tenant_name: 'service'
+ ironic::inspector::swift_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ironic::inspector::swift_user_domain_name: 'Default'
+ ironic::inspector::swift_project_domain_name: 'Default'
+ - {}
+ step_config: |
+ include ::tripleo::profile::base::ironic_inspector
+ service_config_settings:
+ keystone:
+ ironic::keystone::auth_inspector::tenant: 'service'
+ ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
+ ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
+ ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
+ ironic::keystone::auth_inspector::password: {get_param: IronicPassword}
+ ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion}
+ mysql:
+ ironic::inspector::db::mysql::password: {get_param: IronicPassword}
+ ironic::inspector::db::mysql::user: ironic-inspector
+ ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ ironic::inspector::db::mysql::dbname: ironic-inspector
+ ironic::inspector::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index f3a9cbc4..60d194bc 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -113,10 +113,27 @@ parameters:
description: The second Keystone credential key. Must be a valid key.
KeystoneFernetKey0:
type: string
- description: The first Keystone fernet key. Must be a valid key.
+ default: ''
+ description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
KeystoneFernetKey1:
type: string
- description: The second Keystone fernet key. Must be a valid key.
+ default: ''
+ description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
+ KeystoneFernetKeys:
+ type: json
+ description: Mapping containing keystone's fernet keys and their paths.
+ KeystoneFernetMaxActiveKeys:
+ type: number
+ description: The maximum active keys in the keystone fernet key repository.
+ default: 5
+ ManageKeystoneFernetKeys:
+ type: boolean
+ default: true
+ description: Whether TripleO should manage the keystone fernet keys or not.
+ If set to true, the fernet keys will get the values from the
+ saved keys repository in mistral (the KeystoneFernetKeys
+ variable). If set to false, only the stack creation
+ initializes the keys, but subsequent updates won't touch them.
KeystoneLoggingSource:
type: json
default:
@@ -187,6 +204,17 @@ parameters:
default: {}
hidden: true
+parameter_groups:
+- label: deprecated
+ description: |
+ The following parameters are deprecated and will be removed. They should not
+ be relied on for new deployments. If you have concerns regarding deprecated
+ parameters, please contact the TripleO development team on IRC or the
+ OpenStack mailing list.
+ parameters:
+ - KeystoneFernetKey0
+ - KeystoneFernetKey1
+
resources:
ApacheServiceBase:
@@ -234,6 +262,7 @@ outputs:
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
keystone::token_provider: {get_param: KeystoneTokenProvider}
keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
+ keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
keystone::enable_proxy_headers_parsing: true
keystone::enable_credential_setup: true
keystone::credential_keys:
@@ -241,12 +270,8 @@ outputs:
content: {get_param: KeystoneCredential0}
'/etc/keystone/credential-keys/1':
content: {get_param: KeystoneCredential1}
- keystone::fernet_keys:
- '/etc/keystone/fernet-keys/0':
- content: {get_param: KeystoneFernetKey0}
- '/etc/keystone/fernet-keys/1':
- content: {get_param: KeystoneFernetKey1}
- keystone::fernet_replace_keys: false
+ keystone::fernet_keys: {get_param: KeystoneFernetKeys}
+ keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
keystone::debug:
if:
- service_debug_unset
diff --git a/puppet/services/neutron-sriov-agent.yaml b/puppet/services/neutron-sriov-agent.yaml
index c124d1e6..090640ed 100644
--- a/puppet/services/neutron-sriov-agent.yaml
+++ b/puppet/services/neutron-sriov-agent.yaml
@@ -65,6 +65,24 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
+ # Merging role-specific parameters (RoleParameters) with the default parameters.
+ # RoleParameters will have the precedence over the default parameters.
+ RoleParametersValue:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_replace:
+ - map_replace:
+ - neutron::agents::ml2::sriov::physical_device_mappings: NeutronPhysicalDevMappings
+ neutron::agents::ml2::sriov::exclude_devices: NeutronExcludeDevices
+ tripleo::host::sriov::number_of_vfs: NeutronSriovNumVFs
+ - values: {get_param: [RoleParameters]}
+ - values:
+ NeutronPhysicalDevMappings: {get_param: NeutronPhysicalDevMappings}
+ NeutronExcludeDevices: {get_param: NeutronExcludeDevices}
+ NeutronSriovNumVFs: {get_param: NeutronSriovNumVFs}
+
outputs:
role_data:
description: Role data for the Neutron SR-IOV nic agent service.
@@ -73,8 +91,6 @@ outputs:
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- - neutron::agents::ml2::sriov::physical_device_mappings: {get_param: NeutronPhysicalDevMappings}
- neutron::agents::ml2::sriov::exclude_devices: {get_param: NeutronExcludeDevices}
- tripleo::host::sriov::number_of_vfs: {get_param: NeutronSriovNumVFs}
+ - get_attr: [RoleParametersValue, value]
step_config: |
include ::tripleo::profile::base::neutron::sriov
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index 835edf0a..fe2f2946 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -210,7 +210,7 @@ outputs:
register: bootstrap_node
- name: set is_bootstrap_node fact
tags: common
- set_fact: is_bootstrap_node={{bootstrap_node.stdout == ansible_hostname}}
+ set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}}
- name: Extra migration for nova tripleo/+bug/1656791
tags: step0,pre-upgrade
when: is_bootstrap_node
diff --git a/puppet/services/ovn-dbs.yaml b/puppet/services/ovn-dbs.yaml
index 20c38d8a..df234c77 100644
--- a/puppet/services/ovn-dbs.yaml
+++ b/puppet/services/ovn-dbs.yaml
@@ -44,6 +44,7 @@ outputs:
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
ovn::northd::dbs_listen_ip: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+ tripleo::haproxy::ovn_dbs_manage_lb: true
tripleo.ovn_dbs.firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml
index d8e942d0..0a7659e0 100644
--- a/puppet/services/pacemaker/database/mysql.yaml
+++ b/puppet/services/pacemaker/database/mysql.yaml
@@ -27,6 +27,11 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
resources:
@@ -61,6 +66,8 @@ outputs:
# internal_api_subnet - > IP/CIDR
tripleo::profile::pacemaker::database::mysql::gmcast_listen_addr:
get_param: [ServiceNetMap, MysqlNetwork]
+ tripleo::profile::pacemaker::database::mysql::ca_file:
+ get_param: InternalTLSCAFile
step_config: |
include ::tripleo::profile::pacemaker::database::mysql
metadata_settings:
diff --git a/puppet/services/pacemaker/ovn-dbs.yaml b/puppet/services/pacemaker/ovn-dbs.yaml
new file mode 100644
index 00000000..1cbb4763
--- /dev/null
+++ b/puppet/services/pacemaker/ovn-dbs.yaml
@@ -0,0 +1,61 @@
+heat_template_version: ocata
+
+description: >
+ OVN databases configured with puppet in HA mode
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ OVNNorthboundServerPort:
+ description: Port of the OVN Northbound DB server
+ type: number
+ default: 6641
+ OVNSouthboundServerPort:
+ description: Port of the OVN Southbound DB server
+ type: number
+ default: 6642
+
+resources:
+
+ OVNDBsBase:
+ type: ../ovn-dbs.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the OVN northd service
+ value:
+ service_name: ovn_dbs
+ config_settings:
+ map_merge:
+ - get_attr: [OVNDBsBase, role_data, config_settings]
+ - tripleo::haproxy::ovn_dbs_manage_lb: false
+ tripleo::profile::pacemaker::ovn_northd::nb_db_port: {get_param: OVNNorthboundServerPort}
+ tripleo::profile::pacemaker::ovn_northd::sb_db_port: {get_param: OVNSouthboundServerPort}
+ step_config: |
+ include ::tripleo::profile::pacemaker::ovn_northd
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
index a41e34f7..0289b7a7 100644
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
@@ -84,8 +84,8 @@ outputs:
tripleo.panko_api.firewall_rules:
'140 panko-api':
dport:
- - 8779
- - 13779
+ - 8977
+ - 13977
panko::api::host:
str_replace:
template:
diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml
deleted file mode 100644
index 0e7b6d2b..00000000
--- a/puppet/services/services.yaml
+++ /dev/null
@@ -1,129 +0,0 @@
-heat_template_version: pike
-
-description: >
- Utility stack to convert an array of services into a set of combined
- role configs.
-
-parameters:
- Services:
- default: []
- description: |
- List nested stack service templates.
- type: comma_delimited_list
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- DefaultPasswords:
- default: {}
- description: Mapping of service -> default password. Used to help
- pass top level passwords managed by Heat into services.
- type: json
- RoleName:
- default: ''
- description: Role name on which the service is applied
- type: string
- RoleParameters:
- description: Role Specific parameters to be provided to service
- default: {}
- type: json
-
-resources:
-
- ServiceChain:
- type: OS::Heat::ResourceChain
- properties:
- resources: {get_param: Services}
- concurrent: true
- resource_properties:
- ServiceNetMap: {get_param: ServiceNetMap}
- EndpointMap: {get_param: EndpointMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- RoleName: {get_param: RoleName}
- RoleParameters: {get_param: RoleParameters}
-
- LoggingConfiguration:
- type: OS::TripleO::LoggingConfiguration
-
- ServiceServerMetadataHook:
- type: OS::TripleO::ServiceServerMetadataHook
- properties:
- RoleData: {get_attr: [ServiceChain, role_data]}
-
-outputs:
- role_data:
- description: Combined Role data for this set of services.
- value:
- service_names:
- {get_attr: [ServiceChain, role_data, service_name]}
- monitoring_subscriptions:
- yaql:
- expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null))
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
- logging_sources:
- # Transform the individual logging_source configuration from
- # each service in the chain into a global list, adding some
- # default configuration at the same time.
- yaql:
- expression: >
- let(
- default_format => $.data.default_format,
- pos_file_path => $.data.pos_file_path,
- sources => $.data.sources.flatten()
- ) ->
- $sources.where($ != null).select({
- 'type' => 'tail',
- 'tag' => $.tag,
- 'path' => $.path,
- 'format' => $.get('format', $default_format),
- 'pos_file' => $.get('pos_file', $pos_file_path + '/' + $.tag + '.pos')
- })
- data:
- sources:
- - {get_attr: [LoggingConfiguration, LoggingDefaultSources]}
- - yaql:
- expression: list($.data.role_data.where($ != null).select($.get('logging_source')).where($ != null))
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
-
- - {get_attr: [LoggingConfiguration, LoggingExtraSources]}
- default_format: {get_attr: [LoggingConfiguration, LoggingDefaultFormat]}
- pos_file_path: {get_attr: [LoggingConfiguration, LoggingPosFilePath]}
- logging_groups:
- # Build a list of unique groups to which we should add the
- # fluentd user.
- yaql:
- expression: >
- set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($)
- data:
- default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]}
- extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]}
- role_data: {get_attr: [ServiceChain, role_data]}
- config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}}
- global_config_settings:
- map_merge:
- yaql:
- expression: list($.data.role_data.where($ != null).select($.get('global_config_settings')).where($ != null))
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
- service_config_settings:
- yaql:
- expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {})
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
- step_config: {get_attr: [ServiceChain, role_data, step_config]}
- upgrade_tasks:
- yaql:
- # Note we use distinct() here to filter any identical tasks, e.g yum update for all services
- expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct()
- data: {get_attr: [ServiceChain, role_data]}
- upgrade_batch_tasks:
- yaql:
- # Note we use distinct() here to filter any identical tasks, e.g yum update for all services
- expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct()
- data: {get_attr: [ServiceChain, role_data]}
- service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]}