diff options
Diffstat (limited to 'puppet')
61 files changed, 886 insertions, 303 deletions
diff --git a/puppet/config.role.j2.yaml b/puppet/config.role.j2.yaml index 7337d062..cdbc76f0 100644 --- a/puppet/config.role.j2.yaml +++ b/puppet/config.role.j2.yaml @@ -38,7 +38,7 @@ resources: - '' - list_join: - ',' - - ['file,concat,file_line', {get_param: PuppetTags}] + - ['file,concat,file_line,augeas', {get_param: PuppetTags}] outputs: - name: result inputs: diff --git a/puppet/extraconfig/pre_deploy/compute/neutron-ml2-bigswitch.yaml b/puppet/extraconfig/pre_deploy/compute/neutron-ml2-bigswitch.yaml index 533c0ee9..e3f4cce6 100644 --- a/puppet/extraconfig/pre_deploy/compute/neutron-ml2-bigswitch.yaml +++ b/puppet/extraconfig/pre_deploy/compute/neutron-ml2-bigswitch.yaml @@ -27,6 +27,15 @@ resources: mapped_data: neutron::agents::bigswitch::agent_enabled: {get_input: neutron_enable_bigswitch_agent} neutron::agents::bigswitch::lldp_enabled: {get_input: neutron_enable_bigswitch_lldp} + # NOTE(aschultz): required for the puppet module but we don't + # actually want them defined on the compute nodes so we're + # relying on the puppet module's handling of <SERVICE DEFAULT> + # to just not set these but still accept that they were defined. + # This will should be fixed in puppet-neutron and removed here, + # but for backportability, we need to define something. + neutron::plugins::ml2::bigswitch::restproxy::servers: '<SERVICE DEFAULT>' + neutron::plugins::ml2::bigswitch::restproxy::server_auth: '<SERVICE DEFAULT>' + NeutronBigswitchDeployment: type: OS::Heat::StructuredDeployment diff --git a/puppet/extraconfig/pre_deploy/controller/neutron-ml2-bigswitch.yaml b/puppet/extraconfig/pre_deploy/controller/neutron-ml2-bigswitch.yaml index 1456337f..e7d0b830 100644 --- a/puppet/extraconfig/pre_deploy/controller/neutron-ml2-bigswitch.yaml +++ b/puppet/extraconfig/pre_deploy/controller/neutron-ml2-bigswitch.yaml @@ -6,6 +6,14 @@ parameters: server: description: ID of the controller node to apply this config to type: string + NeutronBigswitchAgentEnabled: + description: The state of the neutron-bsn-agent service. + type: boolean + default: true + NeutronBigswitchLLDPEnabled: + description: The state of the neutron-bsn-lldp service. + type: boolean + default: false NeutronBigswitchRestproxyServers: description: 'Big Switch controllers ("IP:port,IP:port")' type: string @@ -43,6 +51,8 @@ resources: datafiles: neutron_bigswitch_data: mapped_data: + neutron::agents::bigswitch::agent_enabled: {get_input: neutron_enable_bigswitch_agent} + neutron::agents::bigswitch::lldp_enabled: {get_input: neutron_enable_bigswitch_lldp} neutron::plugins::ml2::bigswitch::restproxy::servers: {get_input: restproxy_servers} neutron::plugins::ml2::bigswitch::restproxy::server_auth: {get_input: restproxy_server_auth} neutron::plugins::ml2::bigswitch::restproxy::auto_sync_on_failure: {get_input: restproxy_auto_sync_on_failure} @@ -58,6 +68,8 @@ resources: config: {get_resource: NeutronBigswitchConfig} server: {get_param: server} input_values: + neutron_enable_bigswitch_agent: {get_param: NeutronBigswitchAgentEnabled} + neutron_enable_bigswitch_lldp: {get_param: NeutronBigswitchLLDPEnabled} restproxy_servers: {get_param: NeutronBigswitchRestproxyServers} restproxy_server_auth: {get_param: NeutronBigswitchRestproxyServerAuth } restproxy_auto_sync_on_failure: {get_param: NeutronBigswitchRestproxyAutoSyncOnFailure} diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml index 6f2dd684..c0a0778c 100644 --- a/puppet/major_upgrade_steps.j2.yaml +++ b/puppet/major_upgrade_steps.j2.yaml @@ -32,20 +32,6 @@ parameters: type: string hidden: true -conditions: - # Conditions to disable any steps where the task list is empty -{%- for role in roles %} - {{role.name}}UpgradeBatchConfigEnabled: - not: - equals: - - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} - - [] - {{role.name}}UpgradeConfigEnabled: - not: - equals: - - {get_param: [role_data, {{role.name}}, upgrade_tasks]} - - [] -{%- endfor %} resources: @@ -65,18 +51,21 @@ resources: - " crudini --set /etc/nova/nova.conf placement project_domain_name Default\n\n" - " crudini --set /etc/nova/nova.conf placement user_domain_name Default\n\n" - " crudini --set /etc/nova/nova.conf placement project_name service\n\n" - - " systemctl restart openstack-nova-compute\n\n" - - "fi\n\n" - str_replace: template: | crudini --set /etc/nova/nova.conf placement password 'SERVICE_PASSWORD' crudini --set /etc/nova/nova.conf placement region_name 'REGION_NAME' crudini --set /etc/nova/nova.conf placement auth_url 'AUTH_URL' - ROLE='ROLE_NAME' params: SERVICE_PASSWORD: { get_param: NovaPassword } REGION_NAME: { get_param: KeystoneRegion } AUTH_URL: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + - " systemctl restart openstack-nova-compute\n\n" + - "fi\n\n" + - str_replace: + template: | + ROLE='ROLE_NAME' + params: ROLE_NAME: {{role.name}} - get_file: ../extraconfig/tasks/pacemaker_common_functions.sh - get_file: ../extraconfig/tasks/run_puppet.sh @@ -100,12 +89,11 @@ resources: {{role.name}}UpgradeBatchConfig_Step{{step}}: type: OS::TripleO::UpgradeConfig {%- if step > 0 %} - condition: {{role.name}}UpgradeBatchConfigEnabled - {% if role.name in enabled_roles %} + {%- if role in enabled_roles %} depends_on: - {{role.name}}UpgradeBatch_Step{{step -1}} {%- endif %} - {% else %} + {%- else %} {% for role in roles if role.disable_upgrade_deployment|default(false) %} {% if deliver_script.update({'deliver': True}) %} {% endif %} {% endfor %} @@ -125,13 +113,11 @@ resources: {%- for role in enabled_roles %} {{role.name}}UpgradeBatch_Step{{step}}: type: OS::Heat::SoftwareDeploymentGroup - condition: {{role.name}}UpgradeBatchConfigEnabled {%- if step > 0 %} depends_on: - - {{role.name}}UpgradeBatch_Step{{step -1}} - {% else %} - depends_on: - - {{role.name}}UpgradeBatchConfig_Step{{step}} + {%- for role_inside in enabled_roles %} + - {{role_inside.name}}UpgradeBatch_Step{{step -1}} + {%- endfor %} {%- endif %} update_policy: batch_create: @@ -185,11 +171,10 @@ resources: # do, and there should be minimal performance hit (creating the # config is cheap compared to the time to apply the deployment). {%- if step > 0 %} - condition: {{role.name}}UpgradeConfigEnabled - {% if role.name in enabled_roles %} + {%- if role in enabled_roles %} depends_on: - {{role.name}}Upgrade_Step{{step -1}} - {% endif %} + {%- endif %} {%- endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} @@ -201,9 +186,18 @@ resources: {{role.name}}Upgrade_Step{{step}}: type: OS::Heat::SoftwareDeploymentGroup {%- if step > 0 %} - condition: {{role.name}}UpgradeConfigEnabled + # Make sure we wait that all roles have finished their own + # previous step before going to the next, so we can guarantee + # state for each steps. depends_on: - - {{role.name}}Upgrade_Step{{step -1}} + {%- for role_inside in enabled_roles %} + - {{role_inside.name}}Upgrade_Step{{step -1}} + {%- endfor %} + {%- else %} + depends_on: + {%- for role_inside in enabled_roles %} + - {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}} + {%- endfor %} {%- endif %} properties: name: {{role.name}}Upgrade_Step{{step}} diff --git a/puppet/puppet-steps.j2 b/puppet/puppet-steps.j2 index 581c4f0d..86af6114 100644 --- a/puppet/puppet-steps.j2 +++ b/puppet/puppet-steps.j2 @@ -42,7 +42,7 @@ {{role.name}}Deployment_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup {% if step == 1 %} - depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy] + depends_on: [{{role.name}}PrePuppet, {{role.name}}PreConfig, {{role.name}}ArtifactsDeploy] {% else %} depends_on: {% for dep in roles %} diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index d7c87b61..7cc6e4c6 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -24,6 +24,12 @@ parameters: EnableInternalTLS: type: boolean default: false + AodhApiPolicies: + description: | + A hash of policies to configure for Aodh API. + e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: AodhBase: @@ -61,6 +67,7 @@ outputs: aodh::wsgi::apache::wsgi_process_display_name: 'aodh_wsgi' aodh::api::service_name: 'httpd' aodh::api::enable_proxy_headers_parsing: true + aodh::policy::policies: {get_param: AodhApiPolicies} tripleo.aodh_api.firewall_rules: '128 aodh-api': dport: diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml deleted file mode 100644 index 4c94f440..00000000 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ /dev/null @@ -1,75 +0,0 @@ -heat_template_version: ocata - -description: > - Apache service TLS configurations. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - # The following parameters are not needed by the template but are - # required to pass the pep8 tests - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -resources: - - ApacheNetworks: - type: OS::Heat::Value - properties: - value: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap - -outputs: - role_data: - description: Role data for the Apache role. - value: - service_name: apache_internal_tls_certmonger - config_settings: - generate_service_certificates: true - apache_certificates_specs: - map_merge: - repeat: - template: - httpd-NETWORK: - service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' - service_key: '/etc/pki/tls/private/httpd-NETWORK.key' - hostname: "%{hiera('fqdn_NETWORK')}" - principal: "HTTP/%{hiera('fqdn_NETWORK')}" - for_each: - NETWORK: {get_attr: [ApacheNetworks, value]} - metadata_settings: - repeat: - template: - - service: HTTP - network: $NETWORK - type: node - for_each: - $NETWORK: {get_attr: [ApacheNetworks, value]} - upgrade_tasks: - - name: Check if httpd is deployed - command: systemctl is-enabled httpd - tags: common - ignore_errors: True - register: httpd_enabled - - name: "PreUpgrade step0,validation: Check service httpd is running" - shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' - when: httpd_enabled.rc == 0 - tags: step0,validation diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 2d950151..9bd282f8 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -31,13 +31,25 @@ parameters: type: boolean default: false +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: - ApacheTLS: - type: OS::TripleO::Services::ApacheTLS + ApacheNetworks: + type: OS::Heat::Value properties: - ServiceNetMap: {get_param: ServiceNetMap} + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # is for HAProxy so it isn't used for apache either. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap outputs: role_data: @@ -46,7 +58,6 @@ outputs: service_name: apache config_settings: map_merge: - - get_attr: [ApacheTLS, role_data, config_settings] - # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP @@ -64,8 +75,31 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" + - + generate_service_certificates: true + apache_certificates_specs: + map_merge: + repeat: + template: + httpd-NETWORK: + service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd-NETWORK.key' + hostname: "%{hiera('fqdn_NETWORK')}" + principal: "HTTP/%{hiera('fqdn_NETWORK')}" + for_each: + NETWORK: {get_attr: [ApacheNetworks, value]} metadata_settings: - get_attr: [ApacheTLS, role_data, metadata_settings] + if: + - internal_tls_enabled + - + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} + - null upgrade_tasks: - name: Check if httpd is deployed command: systemctl is-enabled httpd diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index d8787c87..91a5b01c 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -55,6 +55,12 @@ parameters: EnableInternalTLS: type: boolean default: false + BarbicanPolicies: + description: | + A hash of policies to configure for Barbican. + e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -77,6 +83,7 @@ outputs: barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::project_name: 'service' + barbican::policy::policies: {get_param: BarbicanPolicies} barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} barbican::api::db_auto_create: false barbican::api::enabled_certificate_plugins: ['simple_certificate'] diff --git a/puppet/services/ceilometer-agent-ipmi.yaml b/puppet/services/ceilometer-agent-ipmi.yaml new file mode 100644 index 00000000..26647dfd --- /dev/null +++ b/puppet/services/ceilometer-agent-ipmi.yaml @@ -0,0 +1,77 @@ +heat_template_version: ocata + +description: > + OpenStack Ceilometer Ipmi Agent service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + RedisPassword: + description: The password for the redis service account. + type: string + hidden: true + MonitoringSubscriptionCeilometerIpmi: + default: 'overcloud-ceilometer-agent-ipmi' + type: string + CeilometerAgentIpmiLoggingSource: + type: json + default: + tag: openstack.ceilometer.agent.ipmi + path: /var/log/ceilometer/ipmi.log + +resources: + CeilometerServiceBase: + type: ./ceilometer-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Ceilometer Agent Ipmi role. + value: + service_name: ceilometer_agent_ipmi + monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerIpmi} + logging_source: {get_param: CeilometerAgentIpmiLoggingSource} + logging_groups: + - ceilometer + config_settings: + map_merge: + - get_attr: [CeilometerServiceBase, role_data, config_settings] + - ceilometer_redis_password: {get_param: RedisPassword} + ipmi_namespace: true + step_config: | + include ::tripleo::profile::base::ceilometer::agent::polling + upgrade_tasks: + - name: Check if ceilometer-agent-ipmi is deployed + command: systemctl is-enabled openstack-ceilometer-ipmi + tags: common + ignore_errors: True + register: ceilometer_ipmi_enabled + - name: "PreUpgrade step0,validation: Check if openstack-ceilometer-ipmi is running" + shell: > + /usr/bin/systemctl show 'openstack-ceilometer-ipmi' --property ActiveState | + grep '\bactive\b' + when: ceilometer_ipmi_enabled.rc == 0 + tags: step0,validation + - name: Stop openstack-ceilometer-ipmi service + tags: step1 + when: ceilometer_ipmi_enabled.rc == 0 + service: name=openstack-ceilometer-ipmi state=stopped + - name: Install openstack-ceilometer-ipmi package if it was disabled + tags: step3 + yum: name=openstack-ceilometer-ipmi state=latest + when: ceilometer_ipmi_enabled.rc != 0 diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index f5ee9d40..ba94b451 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -29,6 +29,12 @@ parameters: EnableInternalTLS: type: boolean default: false + CeilometerApiPolicies: + description: | + A hash of policies to configure for Ceilometer API. + e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: CeilometerServiceBase: @@ -78,6 +84,7 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} + ceilometer::policy::policies: {get_param: CeilometerApiPolicies} ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS} ceilometer::wsgi::apache::servername: diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index a9c84289..185ffdc3 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -37,7 +37,7 @@ parameters: constraints: - allowed_values: ['gnocchi', 'database'] CeilometerEventDispatcher: - default: ['gnocchi'] + default: ['panko', 'gnocchi'] description: Comma-separated list of Dispatchers to process events data type: comma_delimited_list constraints: @@ -76,6 +76,11 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + CeilometerApiEndpoint: + default: true + description: Whether to create or skip API endpoint. Set this to + false, if you choose to disable Ceilometer API service. + type: boolean outputs: role_data: @@ -83,6 +88,7 @@ outputs: value: service_name: ceilometer_base config_settings: + ceilometer_auth_enabled: true ceilometer::debug: {get_param: Debug} ceilometer::db::database_connection: list_join: @@ -133,6 +139,7 @@ outputs: ceilometer::keystone::auth::password: {get_param: CeilometerPassword} ceilometer::keystone::auth::region: {get_param: KeystoneRegion} ceilometer::keystone::auth::tenant: 'service' + ceilometer::keystone::auth::configure_endpoint: {get_param: CeilometerApiEndpoint} mysql: ceilometer::db::mysql::password: {get_param: CeilometerPassword} ceilometer::db::mysql::user: ceilometer diff --git a/puppet/services/certmonger-user.yaml b/puppet/services/certmonger-user.yaml new file mode 100644 index 00000000..af9802b0 --- /dev/null +++ b/puppet/services/certmonger-user.yaml @@ -0,0 +1,28 @@ +heat_template_version: ocata + +description: > + Requests certificates using certmonger through Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the certmonger-user service + value: + service_name: certmonger_user + step_config: | + include ::tripleo::profile::base::certmonger_user diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 958b0e7d..c1e6b0b0 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -46,6 +46,12 @@ parameters: EnableInternalTLS: type: boolean default: false + CinderApiPolicies: + description: | + A hash of policies to configure for Cinder API. + e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]} @@ -86,6 +92,7 @@ outputs: cinder::keystone::authtoken::project_name: 'service' cinder::keystone::authtoken::user_domain_name: 'Default' cinder::keystone::authtoken::project_domain_name: 'Default' + cinder::policy::policies: {get_param: CinderApiPolicies} cinder::api::enable_proxy_headers_parsing: true cinder::api::nova_catalog_info: 'compute:nova:internalURL' diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index b52955ef..26f1a96f 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml @@ -94,11 +94,7 @@ outputs: tripleo::profile::base::cinder::volume::cinder_enable_nfs_backend: {get_param: CinderEnableNfsBackend} tripleo::profile::base::cinder::volume::cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend} tripleo::profile::base::cinder::volume::nfs::cinder_nfs_mount_options: {get_param: CinderNfsMountOptions} - tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: - str_replace: - template: SERVERS - params: - SERVERS: {get_param: CinderNfsServers} + tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: {get_param: CinderNfsServers} tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize} tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper} tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol} diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml index fd1ee24b..1d9eecb1 100644 --- a/puppet/services/congress.yaml +++ b/puppet/services/congress.yaml @@ -47,6 +47,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + CongressPolicies: + description: | + A hash of policies to configure for Congress. + e.g. { congress-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: role_data: @@ -86,10 +92,12 @@ outputs: congress::db::mysql::allowed_hosts: - '%' - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + congress::policy::policies: {get_param: CongressPolicies} service_config_settings: keystone: congress::keystone::auth::tenant: 'service' + congress::keystone::auth::region: {get_param: KeystoneRegion} congress::keystone::auth::password: {get_param: CongressPassword} congress::keystone::auth::public_url: {get_param: [EndpointMap, CongressPublic, uri]} congress::keystone::auth::internal_url: {get_param: [EndpointMap, CongressInternal, uri]} diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 63ec4446..50597216 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -19,6 +19,10 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + MongodbMemoryLimit: + default: '20G' + description: Limit the amount of memory mongodb uses with systemd. + type: string MongoDbLoggingSource: type: json description: Fluentd logging configuration for mongodb. @@ -49,6 +53,7 @@ outputs: map_merge: - get_attr: [MongoDbBase, role_data, config_settings] - tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]} + tripleo::profile::base::database::mongodb::memory_limit: {get_param: MongodbMemoryLimit} mongodb::server::service_manage: True tripleo.mongodb.firewall_rules: '101 mongodb_config': diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml deleted file mode 100644 index 9f7eaf57..00000000 --- a/puppet/services/database/mysql-internal-tls-certmonger.yaml +++ /dev/null @@ -1,47 +0,0 @@ -heat_template_version: ocata - -description: > - MySQL configurations for using TLS via certmonger. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - # The following parameters are not needed by the template but are - # required to pass the pep8 tests - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -outputs: - role_data: - description: MySQL configurations for using TLS via certmonger. - value: - service_name: mysql_internal_tls_certmonger - config_settings: - generate_service_certificates: true - tripleo::profile::base::database::mysql::certificate_specs: - service_certificate: '/etc/pki/tls/certs/mysql.crt' - service_key: '/etc/pki/tls/private/mysql.key' - hostname: - str_replace: - template: "%{hiera('cloud_name_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - principal: - str_replace: - template: "mysql/%{hiera('cloud_name_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - metadata_settings: - - service: mysql - network: {get_param: [ServiceNetMap, MysqlNetwork]} - type: vip diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 808f1353..da55da3c 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -23,6 +23,10 @@ parameters: description: Configures MySQL max_connections config setting type: number default: 4096 + MysqlIncreaseFileLimit: + description: Flag to increase MySQL open-files-limit to 16384 + type: boolean + default: true MysqlRootPassword: type: string hidden: true @@ -38,13 +42,13 @@ parameters: description: The password for the nova db account type: string hidden: true + EnableInternalTLS: + type: boolean + default: false -resources: +conditions: - MySQLTLS: - type: OS::TripleO::Services::MySQLTLS - properties: - ServiceNetMap: {get_param: ServiceNetMap} + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -53,7 +57,6 @@ outputs: service_name: mysql config_settings: map_merge: - - get_attr: [MySQLTLS, role_data, config_settings] - # The Galera package should work in cluster and # non-cluster modes based on the config file. @@ -96,10 +99,32 @@ outputs: $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} tripleo::profile::base::database::mysql::client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]} + tripleo::profile::base::database::mysql::generate_dropin_file_limit: + {get_param: MysqlIncreaseFileLimit} + - generate_service_certificates: true + tripleo::profile::base::database::mysql::certificate_specs: + service_certificate: '/etc/pki/tls/certs/mysql.crt' + service_key: '/etc/pki/tls/private/mysql.key' + hostname: + str_replace: + template: "%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + principal: + str_replace: + template: "mysql/%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql metadata_settings: - get_attr: [MySQLTLS, role_data, metadata_settings] + if: + - internal_tls_enabled + - + - service: mysql + network: {get_param: [ServiceNetMap, MysqlNetwork]} + type: vip + - null upgrade_tasks: - name: Check for galera root password tags: step0 diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml index 2b7dd430..af89ffb1 100644 --- a/puppet/services/database/redis-base.yaml +++ b/puppet/services/database/redis-base.yaml @@ -42,3 +42,4 @@ outputs: redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}" redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}" redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh' + redis::sentinel::sentinel_bind: {get_param: [ServiceNetMap, RedisNetwork]} diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml index 10f6d311..d1adefe5 100644 --- a/puppet/services/ec2-api.yaml +++ b/puppet/services/ec2-api.yaml @@ -42,6 +42,12 @@ parameters: default: 'false' description: Set to true to enable package installation via Puppet type: boolean + Ec2ApiPolicies: + description: | + A hash of policies to configure for EC2-API. + e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: @@ -67,6 +73,7 @@ outputs: ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword} ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ec2api::policy::policies: {get_param: Ec2ApiPolicies} ec2api::api::enabled: true ec2api::package_manage: {get_param: EnablePackageInstall} ec2api::api::ec2api_listen: @@ -91,6 +98,11 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/ec2_api' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + ec2api::api::keystone_ec2_tokens_url: + list_join: + - '' + - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} + - '/ec2tokens' - if: - nova_workers_zero diff --git a/puppet/services/etcd.yaml b/puppet/services/etcd.yaml index 7cdd8451..5db8bec0 100644 --- a/puppet/services/etcd.yaml +++ b/puppet/services/etcd.yaml @@ -19,9 +19,9 @@ parameters: via parameter_defaults in the resource registry. type: json EtcdInitialClusterToken: - default: 'etcd-tripleo' description: Initial cluster token for the etcd cluster during bootstrap. type: string + hidden: true MonitoringSubscriptionEtcd: default: 'overcloud-etcd' type: string diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index b06f9993..f61e6154 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -110,6 +110,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + GlanceApiPolicies: + description: | + A hash of policies to configure for Glance API. + e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} @@ -155,6 +161,7 @@ outputs: glance::api::enable_proxy_headers_parsing: true glance::api::debug: {get_param: Debug} glance::api::workers: {get_param: GlanceWorkers} + glance::policy::policies: {get_param: GlanceApiPolicies} tripleo.glance_api.firewall_rules: '112 glance_api': dport: diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index f4629917..cd323703 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -44,6 +44,12 @@ parameters: EnableInternalTLS: type: boolean default: false + GnocchiApiPolicies: + description: | + A hash of policies to configure for Gnocchi API. + e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -83,6 +89,7 @@ outputs: gnocchi::api::enabled: true gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' + gnocchi::policy::policies: {get_param: GnocchiApiPolicies} gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index d7555561..dc6daece 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -32,10 +32,6 @@ parameters: CephClientUserName: default: openstack type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint RedisPassword: description: The password for the redis service account. type: string @@ -72,7 +68,7 @@ outputs: gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 3 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} - gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneV3Internal, uri]} gnocchi::storage::ceph::ceph_pool: {get_param: GnocchiRbdPoolName} gnocchi::storage::ceph::ceph_username: {get_param: CephClientUserName} gnocchi::storage::ceph::ceph_keyring: diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index e21369e8..f8128bb8 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -41,6 +41,12 @@ parameters: EnableInternalTLS: type: boolean default: false + HeatApiPolicies: + description: | + A hash of policies to configure for Heat API. + e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]} @@ -82,6 +88,7 @@ outputs: - 13004 heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} + heat::policy::policies: {get_param: HeatApiPolicies} heat::api::service_name: 'httpd' # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index a166f3a7..98dac4c9 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -112,7 +112,11 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/heat' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' - heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} + heat::keystone_ec2_uri: + list_join: + - '' + - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} + - '/ec2tokens' heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword} heat::engine::auth_encryption_key: yaql: diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index e24d0de6..1f18cb1b 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -29,6 +29,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + IronicApiPolicies: + description: | + A hash of policies to configure for Ironic API. + e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: IronicBase: @@ -64,6 +70,7 @@ outputs: ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]} # This is used to build links in responses ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} + ironic::policy::policies: {get_param: IronicApiPolicies} tripleo.ironic_api.firewall_rules: '133 ironic api': dport: diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index f9547bef..56e1a90b 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -44,6 +44,10 @@ parameters: default: 8088 description: Port to use for serving images when iPXE is used. type: string + IronicPassword: + description: The password for the Ironic service and db account, used by the Ironic services + type: string + hidden: true MonitoringSubscriptionIronicConductor: default: 'overcloud-ironic-conductor' type: string @@ -65,9 +69,7 @@ outputs: config_settings: map_merge: - get_attr: [IronicBase, role_data, config_settings] - # FIXME: I have no idea why neutron_url is in "api" manifest - - ironic::api::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} - ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} + - ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} ironic::conductor::cleaning_disk_erase: {get_param: IronicCleaningDiskErase} ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork} ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers} @@ -104,7 +106,40 @@ outputs: # the VIP, but rather a real IP of the host. ironic::my_ip: {get_param: [ServiceNetMap, IronicNetwork]} ironic::pxe::common::http_port: {get_param: IronicIPXEPort} - + # Credentials to access other services + ironic::glance::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::glance::username: 'ironic' + ironic::glance::password: {get_param: IronicPassword} + ironic::glance::project_name: 'service' + ironic::glance::user_domain_name: 'Default' + ironic::glance::project_domain_name: 'Default' + ironic::neutron::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::neutron::username: 'ironic' + ironic::neutron::password: {get_param: IronicPassword} + ironic::neutron::project_name: 'service' + ironic::neutron::user_domain_name: 'Default' + ironic::neutron::project_domain_name: 'Default' + ironic::service_catalog::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::service_catalog::username: 'ironic' + ironic::service_catalog::password: {get_param: IronicPassword} + ironic::service_catalog::project_name: 'service' + ironic::service_catalog::user_domain_name: 'Default' + ironic::service_catalog::project_domain_name: 'Default' + ironic::swift::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::swift::username: 'ironic' + ironic::swift::password: {get_param: IronicPassword} + ironic::swift::project_name: 'service' + ironic::swift::user_domain_name: 'Default' + ironic::swift::project_domain_name: 'Default' + # ironic-inspector support is not implemented, but let's configure + # the credentials for consistency. + ironic::drivers::inspector::enabled: false + ironic::drivers::inspector::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::drivers::inspector::username: 'ironic' + ironic::drivers::inspector::password: {get_param: IronicPassword} + ironic::drivers::inspector::project_name: 'service' + ironic::drivers::inspector::user_domain_name: 'Default' + ironic::drivers::inspector::project_domain_name: 'Default' step_config: | include ::tripleo::profile::base::ironic::conductor upgrade_tasks: diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index fec455d1..9b314b2a 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -39,6 +39,20 @@ outputs: value: 5 net.ipv4.tcp_keepalive_time: value: 5 + net.ipv4.conf.default.send_redirects: + value: 0 + net.ipv4.conf.all.send_redirects: + value: 0 + net.ipv4.conf.default.accept_redirects: + value: 0 + net.ipv4.conf.default.secure_redirects: + value: 0 + net.ipv4.conf.all.secure_redirects: + value: 0 + net.ipv4.conf.default.log_martians: + value: 1 + net.ipv4.conf.all.log_martians: + value: 1 net.nf_conntrack_max: value: 500000 net.netfilter.nf_conntrack_max: @@ -52,9 +66,17 @@ outputs: value: 0 net.ipv6.conf.default.autoconf: value: 0 + net.ipv6.conf.default.accept_redirects: + value: 0 + net.ipv6.conf.all.accept_redirects: + value: 0 net.core.netdev_max_backlog: value: 10000 kernel.pid_max: value: {get_param: KernelPidMax} + kernel.dmesg_restrict: + value: 1 + fs.suid_dumpable: + value: 0 step_config: | include ::tripleo::profile::base::kernel diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 17616867..0976b97c 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -158,6 +158,12 @@ parameters: description: > Cron to purge expired tokens - User default: 'keystone' + KeystonePolicies: + description: | + A hash of policies to configure for Keystone. + e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -197,6 +203,7 @@ outputs: keystone::admin_token: {get_param: AdminToken} keystone::admin_password: {get_param: AdminPassword} keystone::roles::admin::password: {get_param: AdminPassword} + keystone::policy::policies: {get_param: KeystonePolicies} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::token_provider: {get_param: KeystoneTokenProvider} diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml index 1c7d6bd3..02c69392 100644 --- a/puppet/services/mistral-api.yaml +++ b/puppet/services/mistral-api.yaml @@ -22,6 +22,12 @@ parameters: default: 1 description: The number of workers for the mistral-api. type: number + MistralApiPolicies: + description: | + A hash of policies to configure for Mistral API. + e.g. { mistral-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: MistralBase: @@ -41,6 +47,7 @@ outputs: - get_attr: [MistralBase, role_data, config_settings] - mistral::api::api_workers: {get_param: MistralWorkers} mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]} + mistral::policy::policies: {get_param: MistralApiPolicies} tripleo.mistral_api.firewall_rules: '133 mistral': dport: diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml index e1030346..d5c21694 100644 --- a/puppet/services/mistral-base.yaml +++ b/puppet/services/mistral-base.yaml @@ -74,7 +74,11 @@ outputs: mistral::keystone_password: {get_param: MistralPassword} mistral::keystone_tenant: 'service' mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} + mistral::keystone_ec2_uri: + list_join: + - '' + - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} + - '/ec2tokens' mistral::identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} service_config_settings: keystone: diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index bb102c08..9b9d1c72 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -57,6 +57,15 @@ parameters: default: tag: openstack.neutron.api path: /var/log/neutron/server.log + EnableInternalTLS: + type: boolean + default: false + NeutronApiPolicies: + description: | + A hash of policies to configure for Neutron API. + e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. @@ -71,10 +80,6 @@ parameters: removed in Ocata. Future releases will enable L3 HA by default if it is appropriate for the deployment type. Alternate mechanisms will be available to override. - EnableInternalTLS: - type: boolean - default: false - parameter_groups: - label: deprecated description: | @@ -128,6 +133,7 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/ovs_neutron' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + neutron::policy::policies: {get_param: NeutronApiPolicies} neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} neutron::server::api_workers: {get_param: NeutronWorkers} @@ -204,3 +210,5 @@ outputs: tags: step1 when: neutron_server_enabled.rc == 0 service: name=neutron-server state=stopped + metadata_settings: + get_attr: [TLSProxyBase, role_data, metadata_settings] diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 55361939..9f605062 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -22,6 +22,10 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + DatabaseSyncTimeout: + default: 300 + description: DB Sync Timeout default + type: number NeutronDhcpAgentsPerNetwork: type: number default: 0 @@ -44,10 +48,10 @@ parameters: description: Set to True to enable debugging on all services. EnableConfigPurge: type: boolean - default: true + default: false description: > - Remove configuration that is not generated by TripleO. Setting - to false may result in configuration remnants after updates/upgrades. + Remove configuration that is not generated by TripleO. Used to avoid + configuration remnants after upgrades. NeutronGlobalPhysnetMtu: type: number default: 1500 @@ -95,6 +99,7 @@ outputs: neutron::host: '%{::fqdn}' neutron::db::database_db_max_retries: -1 neutron::db::database_max_retries: -1 + neutron::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu} - if: - dhcp_agents_zero diff --git a/puppet/services/neutron-bigswitch-agent.yaml b/puppet/services/neutron-bigswitch-agent.yaml new file mode 100644 index 00000000..845f0da0 --- /dev/null +++ b/puppet/services/neutron-bigswitch-agent.yaml @@ -0,0 +1,31 @@ +heat_template_version: ocata + +description: > + Installs bigswitch agent and enables the services + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + + +outputs: + role_data: + description: Configure the bigswitch agent services + value: + service_name: neutron_bigswitch_agent + step_config: | + if hiera('step') >= 4 { + include ::neutron::agents::bigswitch + } diff --git a/puppet/services/neutron-compute-plugin-nuage.yaml b/puppet/services/neutron-compute-plugin-nuage.yaml index 04431e28..ea717690 100644 --- a/puppet/services/neutron-compute-plugin-nuage.yaml +++ b/puppet/services/neutron-compute-plugin-nuage.yaml @@ -22,6 +22,10 @@ parameters: description: The password for the nova service account, used by nova-api. type: string hidden: true + NuageMetadataPort: + description: TCP Port to listen for metadata server requests + type: string + default: '9697' outputs: role_data: @@ -32,5 +36,11 @@ outputs: tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service' tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword} tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]} + tripleo.neutron_compute_plugin_nuage.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '100 metadata agent': + dport: {get_param: NuageMetadataPort} step_config: | include ::tripleo::profile::base::neutron::agents::nuage diff --git a/puppet/services/neutron-l2gw-api.yaml b/puppet/services/neutron-l2gw-api.yaml new file mode 100644 index 00000000..b6f0d281 --- /dev/null +++ b/puppet/services/neutron-l2gw-api.yaml @@ -0,0 +1,54 @@ +heat_template_version: ocata + +description: > + L2 Gateway service plugin configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + L2gwServiceDefaultInterfaceName: + default: 'FortyGigE1/0/1' + description: default interface name of the L2 gateway + type: string + L2gwServiceDefaultDeviceName: + default: 'Switch1' + description: default device name of the L2 gateway + type: string + L2gwServiceQuotaL2Gateway: + default: 5 + description: quota of the L2 gateway + type: number + L2gwServicePeriodicMonitoringInterval: + default: 5 + description: The periodic interval at which the plugin + type: number + L2gwServiceProvider: + default: ["L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default"] + description: Backend to use as a service provider for L2 Gateway + type: comma_delimited_list + +outputs: + role_data: + description: Role data for the L2 Gateway role. + value: + service_name: neutron_l2gw_api + config_settings: + neutron::services::l2gw::default_interface_name: {get_param: L2gwServiceDefaultInterfaceName} + neutron::services::l2gw::default_device_name: {get_param: L2gwServiceDefaultDeviceName} + neutron::services::l2gw::quota_l2_gateway: {get_param: L2gwServiceQuotaL2Gateway} + neutron::services::l2gw::periodic_monitoring_interval: {get_param: L2gwServicePeriodicMonitoringInterval} + neutron::services::l2gw::service_providers: {get_param: L2gwServiceProvider} + step_config: | + include tripleo::profile::base::neutron::l2gw diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index 01471ba2..ef2485d4 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -82,6 +82,9 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + OpenVswitchUpgrade: + type: ./openvswitch-upgrade.yaml + outputs: role_data: description: Role data for the Neutron OVS agent service. @@ -121,16 +124,22 @@ outputs: step_config: | include ::tripleo::profile::base::neutron::ovs upgrade_tasks: - - name: Check if neutron_ovs_agent is deployed - command: systemctl is-enabled neutron-openvswitch-agent - tags: common - ignore_errors: True - register: neutron_ovs_agent_enabled - - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" - shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' - when: neutron_ovs_agent_enabled.rc == 0 - tags: step0,validation - - name: Stop neutron_ovs_agent service - tags: step1 - when: neutron_ovs_agent_enabled.rc == 0 - service: name=neutron-openvswitch-agent state=stopped + yaql: + expression: $.data.ovs_upgrade + $.data.neutron_ovs_upgrade + data: + ovs_upgrade: + get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks] + neutron_ovs_upgrade: + - name: Check if neutron_ovs_agent is deployed + command: systemctl is-enabled neutron-openvswitch-agent + tags: common + ignore_errors: True + register: neutron_ovs_agent_enabled + - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" + shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' + when: neutron_ovs_agent_enabled.rc == 0 + tags: step0,validation + - name: Stop neutron_ovs_agent service + tags: step1 + when: neutron_ovs_agent_enabled.rc == 0 + service: name=neutron-openvswitch-agent state=stopped diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index e25bc495..80516fe6 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -62,6 +62,9 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + OpenVswitchUpgrade: + type: ./openvswitch-upgrade.yaml + outputs: role_data: description: Role data for the Neutron OVS DPDK Agent service. @@ -69,7 +72,10 @@ outputs: service_name: neutron_ovs_dpdk_agent config_settings: map_merge: - - get_attr: [NeutronOvsAgent, role_data, config_settings] + - map_replace: + - get_attr: [NeutronOvsAgent, role_data, config_settings] + - keys: + tripleo.neutron_ovs_agent.firewall_rules: tripleo.neutron_ovs_dpdk_agent.firewall_rules - neutron::agents::ml2::ovs::enable_dpdk: true neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType} neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir} @@ -79,3 +85,5 @@ outputs: vswitch::dpdk::socket_mem: {get_param: NeutronDpdkSocketMemory} vswitch::dpdk::driver_type: {get_param: NeutronDpdkDriverType} step_config: {get_attr: [NeutronOvsAgent, role_data, step_config]} + upgrade_tasks: + get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks] diff --git a/puppet/services/neutron-plugin-ml2-odl.yaml b/puppet/services/neutron-plugin-ml2-odl.yaml new file mode 100644 index 00000000..acacadfa --- /dev/null +++ b/puppet/services/neutron-plugin-ml2-odl.yaml @@ -0,0 +1,45 @@ +heat_template_version: ocata + +description: > + OpenStack Neutron ML2/OpenDaylight plugin configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OpenDaylightPortBindingController: + description: OpenDaylight port binding controller + type: string + default: 'network-topology' + +resources: + + NeutronMl2Base: + type: ./neutron-plugin-ml2.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Neutron ML2/ODL plugin. + value: + service_name: neutron_plugin_ml2_odl + config_settings: + map_merge: + - get_attr: [NeutronMl2Base, role_data, config_settings] + - neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController} + step_config: | + include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-plugin-nuage.yaml b/puppet/services/neutron-plugin-nuage.yaml index e09cd704..6229a3f1 100644 --- a/puppet/services/neutron-plugin-nuage.yaml +++ b/puppet/services/neutron-plugin-nuage.yaml @@ -19,10 +19,6 @@ parameters: via parameter_defaults in the resource registry. type: json # Config specific parameters, to be provided via parameter_defaults - NeutronNuageOSControllerIp: - description: IP address of the OpenStack Controller - type: string - NeutronNuageNetPartitionName: description: Specifies the title that you will see on the VSD type: string @@ -76,8 +72,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - - neutron::plugins::nuage::nuage_oscontroller_ip: {get_param: NeutronNuageOSControllerIp} - neutron::plugins::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName} + - neutron::plugins::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName} neutron::plugins::nuage::nuage_vsd_ip: {get_param: NeutronNuageVSDIp} neutron::plugins::nuage::nuage_vsd_username: {get_param: NeutronNuageVSDUsername} neutron::plugins::nuage::nuage_vsd_password: {get_param: NeutronNuageVSDPassword} diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 473c24b4..18d9b924 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -62,6 +62,12 @@ parameters: default: 300 description: Timeout for Nova db sync type: number + NovaApiPolicies: + description: | + A hash of policies to configure for Nova API. + e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} @@ -145,6 +151,7 @@ outputs: nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} nova::api::instance_name_template: {get_param: InstanceNameTemplate} nova_enable_db_purge: {get_param: NovaEnableDBPurge} + nova::policy::policies: {get_param: NovaApiPolicies} - if: - nova_workers_zero @@ -227,7 +234,7 @@ outputs: - name: Setup cell_v2 (map cell0) tags: step5 when: is_bootstrap_node - command: nova-manage cell_v2 map_cell0 + shell: nova-manage cell_v2 map_cell0 --database_connection=$(hiera nova::cell0_database_connection) - name: Setup cell_v2 (create default cell) tags: step5 when: is_bootstrap_node @@ -243,15 +250,15 @@ outputs: command: nova-manage db sync async: {get_param: NovaDbSyncTimeout} poll: 10 - - name: Setup cell_v2 (migrate hosts) - tags: step5 - when: is_bootstrap_node - command: nova-manage cell_v2 map_cell_and_hosts - name: Setup cell_v2 (get cell uuid) tags: step5 when: is_bootstrap_node shell: nova-manage cell_v2 list_cells | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}' register: nova_api_cell_uuid + - name: Setup cell_v2 (migrate hosts) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 discover_hosts --cell_uuid {{nova_api_cell_uuid.stdout}} --verbose - name: Setup cell_v2 (migrate instances) tags: step5 when: is_bootstrap_node diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index ceacb0b2..9e7f0145 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -52,16 +52,20 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + DatabaseSyncTimeout: + default: 300 + description: DB Sync Timeout default + type: number Debug: type: string default: '' description: Set to True to enable debugging on all services. EnableConfigPurge: type: boolean - default: true + default: false description: > - Remove configuration that is not generated by TripleO. Setting - to false may result in configuration remnants after updates/upgrades. + Remove configuration that is not generated by TripleO. Used to avoid + configuration remnants after upgrades. NovaIPv6: default: false description: Enable IPv6 features in Nova @@ -151,6 +155,16 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + nova::cell0_database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://nova:' + - {get_param: NovaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/nova_cell0' + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' nova::api_database_connection: list_join: - '' @@ -188,6 +202,8 @@ outputs: nova::network::neutron::neutron_auth_type: 'v3password' nova::db::database_db_max_retries: -1 nova::db::database_max_retries: -1 + nova::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} + nova::db::sync_api::db_sync_timeout: {get_param: DatabaseSyncTimeout} nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} nova::use_ipv6: {get_param: NovaIPv6} nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge} diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index d208bede..a9737eb6 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -52,7 +52,7 @@ parameters: For different formats, refer to the nova.conf documentation for pci_passthrough_whitelist configuration type: json - default: {} + default: '' NovaVcpuPinSet: description: > A list or range of physical CPU cores to reserve for virtual machine @@ -101,7 +101,11 @@ outputs: map_merge: - get_attr: [NovaBase, role_data, config_settings] - nova::compute::libvirt::manage_libvirt_services: false - nova::compute::pci_passthrough: {get_param: NovaPCIPassthrough} + nova::compute::pci_passthrough: + str_replace: + template: "JSON_PARAM" + params: + JSON_PARAM: {get_param: NovaPCIPassthrough} nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet} nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory} # we manage migration in nova common puppet profile diff --git a/puppet/services/nova-ironic.yaml b/puppet/services/nova-ironic.yaml index 843f44c5..f1d8dff7 100644 --- a/puppet/services/nova-ironic.yaml +++ b/puppet/services/nova-ironic.yaml @@ -51,3 +51,7 @@ outputs: nova::scheduler::filter::scheduler_host_manager: 'ironic_host_manager' step_config: | include tripleo::profile::base::nova::compute::ironic + upgrade_tasks: + - name: Stop openstack-nova-compute service + tags: step1 + service: name=openstack-nova-compute state=stopped enabled=no diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml index 909a3030..2f898a67 100644 --- a/puppet/services/octavia-api.yaml +++ b/puppet/services/octavia-api.yaml @@ -34,6 +34,12 @@ parameters: default: tag: openstack.octavia.api path: /var/log/octavia/api.log + OctaviaApiPolicies: + description: | + A hash of policies to configure for Octavia API. + e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -57,6 +63,7 @@ outputs: map_merge: - get_attr: [OctaviaBase, role_data, config_settings] - octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + octavia::policy::policies: {get_param: OctaviaApiPolicies} octavia::db::database_connection: list_join: - '' diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml index a3f616ff..db15aa15 100644 --- a/puppet/services/octavia-base.yaml +++ b/puppet/services/octavia-base.yaml @@ -24,10 +24,10 @@ parameters: description: Set to True to enable debugging on all services. EnableConfigPurge: type: boolean - default: true + default: false description: > - Remove configuration that is not generated by TripleO. Setting - to false may result in configuration remnants after updates/upgrades. + Remove configuration that is not generated by TripleO. Used to avoid + configuration remnants after upgrades. RabbitPassword: description: The password for RabbitMQ type: string diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml index e55cd2ee..6882aeff 100644 --- a/puppet/services/opendaylight-api.yaml +++ b/puppet/services/opendaylight-api.yaml @@ -28,7 +28,7 @@ parameters: OpenDaylightFeatures: description: List of features to install with ODL type: comma_delimited_list - default: ["odl-netvirt-openstack","odl-netvirt-ui"] + default: ["odl-netvirt-openstack","odl-netvirt-ui","odl-jolokia"] OpenDaylightApiVirtualIP: type: string default: '' @@ -66,6 +66,7 @@ outputs: - {get_param: OpenDaylightPort} - 6640 - 6653 + - 2550 step_config: | include tripleo::profile::base::neutron::opendaylight upgrade_tasks: diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index 3db0848e..ed572b4d 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml @@ -48,6 +48,10 @@ parameters: default: {} type: json +resources: + OpenVswitchUpgrade: + type: ./openvswitch-upgrade.yaml + outputs: role_data: description: Role data for the OpenDaylight service. @@ -60,11 +64,7 @@ outputs: opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} - neutron::plugins::ovs::opendaylight::provider_mappings: - str_replace: - template: MAPPINGS - params: - MAPPINGS: {get_param: OpenDaylightProviderMappings} + neutron::plugins::ovs::opendaylight::provider_mappings: {get_param: OpenDaylightProviderMappings} tripleo.opendaylight_ovs.firewall_rules: '118 neutron vxlan networks': proto: 'udp' @@ -74,16 +74,22 @@ outputs: step_config: | include tripleo::profile::base::neutron::plugins::ovs::opendaylight upgrade_tasks: - - name: Check if openvswitch is deployed - command: systemctl is-enabled openvswitch - tags: common - ignore_errors: True - register: openvswitch_enabled - - name: "PreUpgrade step0,validation: Check service openvswitch is running" - shell: /usr/bin/systemctl show 'openvswitch' --property ActiveState | grep '\bactive\b' - when: openvswitch_enabled.rc == 0 - tags: step0,validation - - name: Stop openvswitch service - tags: step1 - when: openvswitch_enabled.rc == 0 - service: name=openvswitch state=stopped + yaql: + expression: $.data.ovs_upgrade + $.data.opendaylight_upgrade + data: + ovs_upgrade: + get_attr: [OpenVswitchUpgrade, role_data, upgrade_tasks] + opendaylight_upgrade: + - name: Check if openvswitch is deployed + command: systemctl is-enabled openvswitch + tags: common + ignore_errors: True + register: openvswitch_enabled + - name: "PreUpgrade step0,validation: Check service openvswitch is running" + shell: /usr/bin/systemctl show 'openvswitch' --property ActiveState | grep '\bactive\b' + when: openvswitch_enabled.rc == 0 + tags: step0,validation + - name: Stop openvswitch service + tags: step1 + when: openvswitch_enabled.rc == 0 + service: name=openvswitch state=stopped diff --git a/puppet/services/openvswitch-upgrade.yaml b/puppet/services/openvswitch-upgrade.yaml new file mode 100644 index 00000000..fea1ba96 --- /dev/null +++ b/puppet/services/openvswitch-upgrade.yaml @@ -0,0 +1,50 @@ +heat_template_version: ocata + +description: > + Openvswitch package special handling for upgrade. + +outputs: + role_data: + description: Upgrade task for special handling of Openvswitch (OVS) upgrade. + value: + service_name: openvswitch_upgrade + upgrade_tasks: + - name: Check openvswitch version. + tags: step2 + register: ovs_version + ignore_errors: true + shell: rpm -qa | awk -F- '/^openvswitch-2/{print $2 "-" $3}' + - name: Check openvswitch packaging. + tags: step2 + shell: rpm -q --scripts openvswitch | awk '/postuninstall/,/*/' | grep -q "systemctl.*try-restart" + register: ovs_packaging_issue + ignore_errors: true + - block: + - name: "Ensure empty directory: emptying." + file: + state: absent + path: /root/OVS_UPGRADE + - name: "Ensure empty directory: creating." + file: + state: directory + path: /root/OVS_UPGRADE + owner: root + group: root + mode: 0750 + - name: Download OVS packages. + command: yumdownloader --destdir /root/OVS_UPGRADE --resolve openvswitch + - name: Get rpm list for manual upgrade of OVS. + shell: ls -1 /root/OVS_UPGRADE/*.rpm + register: ovs_list_of_rpms + - name: Manual upgrade of OVS + shell: | + rpm -U --test {{item}} 2>&1 | grep "already installed" || \ + rpm -U --replacepkgs --notriggerun --nopostun {{item}}; + args: + chdir: /root/OVS_UPGRADE + with_items: + - "{{ovs_list_of_rpms.stdout_lines}}" + tags: step2 + when: "'2.5.0-14' in '{{ovs_version.stdout}}' + or + ovs_packaging_issue|succeeded" diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 762d0092..28fcbd6f 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -87,10 +87,16 @@ parameters: \[(?<pid>[^ ]*)\] (?<host>[^ ]*) (?<message>.*)$/ + + EnableLoadBalancer: + default: true + description: Whether to deploy a LoadBalancer on the Controller + type: boolean + PacemakerResources: type: comma_delimited_list description: List of resources managed by pacemaker - default: ['rabbitmq','haproxy','galera'] + default: ['rabbitmq', 'galera'] outputs: role_data: @@ -147,3 +153,9 @@ outputs: resource: "{{ item }}" max_wait: 500 with_items: {get_param: PacemakerResources} + - name: Check pacemaker haproxy resource + tags: step4 + pacemaker_is_active: + resource: haproxy + max_wait: 500 + when: {get_param: EnableLoadBalancer} diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml index eed98257..43e7aa18 100644 --- a/puppet/services/panko-api.yaml +++ b/puppet/services/panko-api.yaml @@ -24,6 +24,12 @@ parameters: EnableInternalTLS: type: boolean default: false + PankoApiPolicies: + description: | + A hash of policies to configure for Panko API. + e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: PankoBase: @@ -58,6 +64,7 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + panko::policy::policies: {get_param: PankoApiPolicies} panko::api::service_name: 'httpd' panko::api::enable_proxy_headers_parsing: true tripleo.panko_api.firewall_rules: diff --git a/puppet/services/qdr.yaml b/puppet/services/qdr.yaml new file mode 100644 index 00000000..f8746cec --- /dev/null +++ b/puppet/services/qdr.yaml @@ -0,0 +1,60 @@ +heat_template_version: ocata + +description: > + Qpid dispatch router service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + RabbitUserName: + default: guest + description: The username for Qdr + type: string + RabbitPassword: + description: The password for Qdr + type: string + hidden: true + RabbitClientPort: + description: Listening port for Qdr + default: 5672 + type: number + MonitoringSubscriptionQdr: + default: 'overcloud-qdr' + type: string + +outputs: + role_data: + description: Role data for the Qdr role. + value: + service_name: rabbitmq + monitoring_subscription: {get_param: MonitoringSubscriptionQdr} + global_config_settings: + messaging_notify_service_name: 'amqp' + messaging_rpc_service_name: 'amqp' + keystone::messaging::amqp::amqp_pre_settled: 'notify' + config_settings: + tripleo.rabbitmq.firewall_rules: + '109 qdr': + dport: + - {get_param: RabbitClientPort} + qdr::listener_addr: {get_param: [ServiceNetMap, QdrNetwork]} + # cannot pass qdr::listener_port directly because it needs to be a string + # we do the conversion in the puppet layer + tripleo::profile::base::qdr::qdr_listener_port: {get_param: RabbitClientPort} + tripleo::profile::base::qdr::qdr_username: {get_param: RabbitUserName} + tripleo::profile::base::qdr::qdr_password: {get_param: RabbitPassword} + + step_config: | + include ::tripleo::profile::base::qdr diff --git a/puppet/services/rabbitmq-internal-tls-certmonger.yaml b/puppet/services/rabbitmq-internal-tls-certmonger.yaml deleted file mode 100644 index 39d6b903..00000000 --- a/puppet/services/rabbitmq-internal-tls-certmonger.yaml +++ /dev/null @@ -1,47 +0,0 @@ -heat_template_version: ocata - -description: > - RabbitMQ configurations for using TLS via certmonger. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - # The following parameters are not needed by the template but are - # required to pass the pep8 tests - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -outputs: - role_data: - description: RabbitMQ configurations for using TLS via certmonger. - value: - service_name: rabbitmq_internal_tls_certmonger - config_settings: - generate_service_certificates: true - tripleo::profile::base::rabbitmq::certificate_specs: - service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' - service_key: '/etc/pki/tls/private/rabbitmq.key' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - principal: - str_replace: - template: "rabbitmq/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - metadata_settings: - - service: rabbitmq - network: {get_param: [ServiceNetMap, RabbitmqNetwork]} - type: node diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index 92a0015a..47479783 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml @@ -52,14 +52,8 @@ parameters: type: boolean default: false -resources: - - RabbitMQTLS: - type: OS::TripleO::Services::RabbitMQTLS - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} +conditions: + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -69,7 +63,6 @@ outputs: monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq} config_settings: map_merge: - - get_attr: [RabbitMQTLS, role_data, config_settings] - rabbitmq::file_limit: {get_param: RabbitFDLimit} rabbitmq::default_user: {get_param: RabbitUserName} @@ -124,6 +117,24 @@ outputs: # TODO(jaosorior): Remove this once we set a proper default in # puppet-tripleo tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} + - + if: + - internal_tls_enabled + - generate_service_certificates: true + tripleo::profile::base::rabbitmq::certificate_specs: + service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + service_key: '/etc/pki/tls/private/rabbitmq.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + principal: + str_replace: + template: "rabbitmq/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + - {} step_config: | include ::tripleo::profile::base::rabbitmq upgrade_tasks: @@ -134,4 +145,10 @@ outputs: tags: step4 service: name=rabbitmq-server state=started metadata_settings: - get_attr: [RabbitMQTLS, role_data, metadata_settings] + if: + - internal_tls_enabled + - + - service: rabbitmq + network: {get_param: [ServiceNetMap, RabbitmqNetwork]} + type: node + - null diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index 96b3d6e3..d9f2115a 100644 --- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -38,6 +38,12 @@ parameters: default: tag: openstack.sahara.api path: /var/log/sahara/sahara-api.log + SaharaApiPolicies: + description: | + A hash of policies to configure for Sahara API. + e.g. { sahara-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: SaharaBase: @@ -60,6 +66,7 @@ outputs: map_merge: - get_attr: [SaharaBase, role_data, config_settings] - sahara::port: {get_param: [EndpointMap, SaharaInternal, port]} + sahara::policy::policies: {get_param: SaharaApiPolicies} sahara::service::api::api_workers: {get_param: SaharaWorkers} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 0c3cc1ec..0ecc942c 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -63,10 +63,14 @@ parameters: Rabbit client subscriber parameter to specify an SSL connection to the RabbitMQ host. type: string + EnableInternalTLS: + type: boolean + default: false conditions: ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]} + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: SwiftBase: @@ -76,6 +80,14 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + outputs: role_data: description: Role data for the Swift proxy service. @@ -85,7 +97,7 @@ outputs: config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - + - get_attr: [TLSProxyBase, role_data, config_settings] - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::authtoken::password: {get_param: SwiftPassword} @@ -146,7 +158,22 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - swift::proxy::proxy_local_net_ip: {get_param: [ServiceNetMap, SwiftProxyNetwork]} + tripleo::profile::base::swift::proxy::tls_proxy_bind_ip: + get_param: [ServiceNetMap, SwiftProxyNetwork] + tripleo::profile::base::swift::proxy::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]} + tripleo::profile::base::swift::proxy::tls_proxy_port: + get_param: [EndpointMap, SwiftInternal, port] + swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]} + swift::proxy::proxy_local_net_ip: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, SwiftProxyNetwork]} step_config: | include ::tripleo::profile::base::swift::proxy service_config_settings: @@ -169,3 +196,5 @@ outputs: - name: Stop swift_proxy service tags: step1 service: name=openstack-swift-proxy state=stopped + metadata_settings: + get_attr: [TLSProxyBase, role_data, metadata_settings] diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml index a4c139b5..c14e061b 100644 --- a/puppet/services/tacker.yaml +++ b/puppet/services/tacker.yaml @@ -47,6 +47,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + TackerPolicies: + description: | + A hash of policies to configure for Tacker. + e.g. { tacker-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: role_data: @@ -87,10 +93,12 @@ outputs: tacker::db::mysql::allowed_hosts: - '%' - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + tacker::policy::policies: {get_param: TackerPolicies} service_config_settings: keystone: tacker::keystone::auth::tenant: 'service' + tacker::keystone::auth::region: {get_param: KeystoneRegion} tacker::keystone::auth::password: {get_param: TackerPassword} tacker::keystone::auth::public_url: {get_param: [EndpointMap, TackerPublic, uri]} tacker::keystone::auth::internal_url: {get_param: [EndpointMap, TackerInternal, uri]} diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml index 67e14d9c..ff2b067f 100644 --- a/puppet/services/tripleo-firewall.yaml +++ b/puppet/services/tripleo-firewall.yaml @@ -37,3 +37,9 @@ outputs: tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules} step_config: | include ::tripleo::firewall + upgrade_tasks: + - name: blank ipv6 rule before activating ipv6 firewall. + tags: step3 + shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables + args: + creates: /etc/sysconfig/ip6tables.n-o-upgrade diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml index a320f694..33769d02 100644 --- a/puppet/services/zaqar.yaml +++ b/puppet/services/zaqar.yaml @@ -30,6 +30,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + ZaqarPolicies: + description: | + A hash of policies to configure for Zaqar. + e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: @@ -38,6 +44,7 @@ outputs: value: service_name: zaqar config_settings: + zaqar::policy::policies: {get_param: ZaqarPolicies} zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} zaqar::keystone::authtoken::project_name: 'service' zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} |