diff options
Diffstat (limited to 'puppet')
23 files changed, 1274 insertions, 826 deletions
diff --git a/puppet/ceph-cluster-config.yaml b/puppet/ceph-cluster-config.yaml index 99265493..96198c3f 100644 --- a/puppet/ceph-cluster-config.yaml +++ b/puppet/ceph-cluster-config.yaml @@ -13,7 +13,7 @@ parameters: ceph_client_key: default: '' type: string - description: Ceph key used to create the 'openstack' user keyring. + description: Ceph key used to create the client user keyring. ceph_fsid: default: '' type: string @@ -27,6 +27,18 @@ parameters: type: comma_delimited_list ceph_mon_ips: type: comma_delimited_list + NovaRbdPoolName: + default: vms + type: string + CinderRbdPoolName: + default: volumes + type: string + GlanceRbdPoolName: + default: images + type: string + CephClientUserName: + default: openstack + type: string resources: CephClusterConfigImpl: @@ -65,15 +77,34 @@ resources: keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring', cap_mon: 'allow profile bootstrap-osd' }, - client.openstack: { + client.CLIENT_USER: { secret: 'ADMIN_KEY', mode: '0644', cap_mon: 'allow r', - cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rwx pool=images' + cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL' } }" params: + CLIENT_USER: {get_param: CephClientUserName} ADMIN_KEY: {get_param: ceph_admin_key} + NOVA_POOL: {get_param: NovaRbdPoolName} + CINDER_POOL: {get_param: CinderRbdPoolName} + GLANCE_POOL: {get_param: GlanceRbdPoolName} + nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName} + cinder_rbd_pool_name: {get_param: CinderRbdPoolName} + glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} + nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName} + glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} + nova::compute::rbd::rbd_keyring: + list_join: + - '.' + - - 'client' + - {get_param: CephClientUserName} + ceph_client_user_name: {get_param: CephClientUserName} + ceph_pools: + - {get_param: CinderRbdPoolName} + - {get_param: NovaRbdPoolName} + - {get_param: GlanceRbdPoolName} outputs: config_id: diff --git a/puppet/ceph-storage.yaml b/puppet/ceph-storage.yaml index 75294599..1dc20a50 100644 --- a/puppet/ceph-storage.yaml +++ b/puppet/ceph-storage.yaml @@ -22,8 +22,9 @@ parameters: constraints: - custom_constraint: nova.keypair NtpServer: - type: string default: '' + description: Comma-separated list of ntp servers + type: comma_delimited_list EnablePackageInstall: default: 'false' description: Set to true to enable package installation via Puppet @@ -53,6 +54,17 @@ parameters: description: | Role specific additional hiera configuration to inject into the cluster. type: json + NetworkDeploymentActions: + type: comma_delimited_list + description: > + Heat action when to apply network configuration changes + default: ['CREATE'] + CloudDomain: + default: '' + type: string + description: > + The DNS domain used for the hosts. This should match the dhcp_domain + configured in the Undercloud neutron. Defaults to localdomain. resources: @@ -125,6 +137,7 @@ resources: properties: config: {get_resource: NetworkConfig} server: {get_resource: CephStorage} + actions: {get_param: NetworkDeploymentActions} CephStorageDeployment: type: OS::Heat::StructuredDeployment @@ -133,11 +146,7 @@ resources: config: {get_resource: CephStorageConfig} server: {get_resource: CephStorage} input_values: - ntp_servers: - str_replace: - template: '["server"]' - params: - server: {get_param: NtpServer} + ntp_servers: {get_param: NtpServer} enable_package_install: {get_param: EnablePackageInstall} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} ceph_cluster_network: {get_attr: [NetIpSubnetMap, net_ip_subnet_map, {get_param: [ServiceNetMap, CephClusterNetwork]}]} @@ -174,6 +183,13 @@ resources: ceph::profile::params::cluster_network: {get_input: ceph_cluster_network} ceph::profile::params::public_network: {get_input: ceph_public_network} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: CephStorageDeployment + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: CephStorage} + # Hook for site-specific additional pre-deployment config, e.g extra hieradata CephStorageExtraConfigPre: depends_on: CephStorageDeployment @@ -184,7 +200,7 @@ resources: # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: CephStorageExtraConfigPre + depends_on: [CephStorageExtraConfigPre, NodeTLSCAData] type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: CephStorage} @@ -205,9 +221,10 @@ outputs: hosts_entry: value: str_replace: - template: "IP HOST.localdomain HOST" + template: "IP HOST.DOMAIN HOST" params: IP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, CephStorageHostnameResolveNetwork]}]} + DOMAIN: {get_param: CloudDomain} HOST: {get_attr: [CephStorage, name]} nova_server_resource: description: Heat resource handle for the ceph storage server @@ -225,5 +242,6 @@ outputs: list_join: - ',' - - {get_attr: [CephStorageDeployment, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} - {get_attr: [CephStorageExtraConfigPre, deploy_stdout]} - {get_param: UpdateIdentifier} diff --git a/puppet/cinder-storage.yaml b/puppet/cinder-storage.yaml index 6a869219..f1d25e78 100644 --- a/puppet/cinder-storage.yaml +++ b/puppet/cinder-storage.yaml @@ -44,14 +44,6 @@ parameters: type: string constraints: - custom_constraint: nova.flavor - GlancePort: - default: "9292" - description: Glance port. - type: string - GlanceProtocol: - default: http - description: Protocol to use when connecting to glance, set to https for SSL. - type: string KeyName: default: default description: Name of an existing EC2 KeyPair to enable SSH access to the instances @@ -83,8 +75,9 @@ parameters: type: string hidden: true NtpServer: - type: string default: '' + description: Comma-separated list of ntp servers + type: comma_delimited_list EnablePackageInstall: default: 'false' description: Set to true to enable package installation via Puppet @@ -103,12 +96,29 @@ parameters: description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json GlanceApiVirtualIP: type: string default: '' MysqlVirtualIP: type: string default: '' + NetworkDeploymentActions: + type: comma_delimited_list + description: > + Heat action when to apply network configuration changes + default: ['CREATE'] + CloudDomain: + default: '' + type: string + description: > + The DNS domain used for the hosts. This should match the dhcp_domain + configured in the Undercloud neutron. Defaults to localdomain. + resources: BlockStorage: @@ -180,6 +190,7 @@ resources: properties: config: {get_resource: NetworkConfig} server: {get_resource: BlockStorage} + actions: {get_param: NetworkDeploymentActions} BlockStorageDeployment: type: OS::Heat::StructuredDeployment @@ -200,23 +211,12 @@ resources: cinder_enable_iscsi_backend: {get_param: CinderEnableIscsiBackend} cinder_iscsi_helper: {get_param: CinderISCSIHelper} cinder_iscsi_ip_address: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, CinderIscsiNetwork]}]} - glance_api_servers: - list_join: - - '' - - - {get_param: GlanceProtocol} - - '://' - - {get_param: GlanceApiVirtualIP} - - ':' - - {get_param: GlancePort} + glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} rabbit_username: {get_param: RabbitUserName} rabbit_password: {get_param: RabbitPassword} rabbit_client_use_ssl: {get_param: RabbitClientUseSSL} rabbit_client_port: {get_param: RabbitClientPort} - ntp_servers: - str_replace: - template: '["server"]' - params: - server: {get_param: NtpServer} + ntp_servers: {get_param: NtpServer} enable_package_install: {get_param: EnablePackageInstall} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} @@ -264,10 +264,17 @@ resources: snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name} snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: BlockStorageDeployment + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: BlockStorage} + # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: BlockStorageDeployment + depends_on: NodeTLSCAData type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: BlockStorage} @@ -288,9 +295,10 @@ outputs: hosts_entry: value: str_replace: - template: "IP HOST.localdomain HOST" + template: "IP HOST.DOMAIN HOST" params: IP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, BlockStorageHostnameResolveNetwork]}]} + DOMAIN: {get_param: CloudDomain} HOST: {get_attr: [BlockStorage, name]} nova_server_resource: description: Heat resource handle for the block storage server @@ -311,4 +319,5 @@ outputs: list_join: - '' - - {get_attr: [BlockStorageDeployment, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} - {get_param: UpdateIdentifier} diff --git a/puppet/compute.yaml b/puppet/compute.yaml index 2b635357..c33373d1 100644 --- a/puppet/compute.yaml +++ b/puppet/compute.yaml @@ -51,14 +51,6 @@ parameters: GlanceHost: type: string default: '' # Has to be here because of the ignored empty value bug - GlancePort: - default: "9292" - description: Glance port. - type: string - GlanceProtocol: - default: http - description: Protocol to use when connecting to glance, set to https for SSL. - type: string Image: type: string default: overcloud-compute @@ -93,6 +85,11 @@ parameters: NeutronEnableTunnelling: type: string default: "True" + NeutronEnableL2Pop: + type: string + description: > + Enable/disable the L2 population feature in the Neutron agents. + default: "False" NeutronFlatNetworks: type: string default: 'datacentre' @@ -206,6 +203,10 @@ parameters: NovaComputeLibvirtType: type: string default: '' + NovaComputeLibvirtVifDriver: + default: '' + description: Libvirt VIF driver configuration for the network + type: string NovaEnableRbdBackend: default: false description: Whether to enable or not the Rbd backend for Nova @@ -218,9 +219,18 @@ parameters: NovaPublicIP: type: string default: '' # Has to be here because of the ignored empty value bug - NtpServer: + NovaOVSBridge: + default: 'br-int' + description: Name of integration bridge used by Open vSwitch type: string + NovaSecurityGroupAPI: + default: 'neutron' + description: The full class name of the security API class + type: string + NtpServer: default: '' + description: Comma-separated list of ntp servers + type: comma_delimited_list RabbitHost: type: string default: '' # Has to be here because of the ignored empty value bug @@ -261,6 +271,11 @@ parameters: description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json UpdateIdentifier: default: '' type: string @@ -270,6 +285,18 @@ parameters: Hostname: type: string default: '' # Defaults to Heat created hostname + NetworkDeploymentActions: + type: comma_delimited_list + description: > + Heat action when to apply network configuration changes + default: ['CREATE'] + CloudDomain: + default: '' + type: string + description: > + The DNS domain used for the hosts. This should match the dhcp_domain + configured in the Undercloud neutron. Defaults to localdomain. + resources: @@ -344,6 +371,7 @@ resources: properties: config: {get_resource: NetworkConfig} server: {get_resource: NovaCompute} + actions: {get_param: NetworkDeploymentActions} input_values: bridge_name: {get_param: NeutronPhysicalBridge} interface_name: {get_param: NeutronPublicInterface} @@ -366,6 +394,7 @@ resources: - '"%{::osfamily}"' - common - cisco_n1kv_data # Optionally provided by ComputeExtraConfigPre + - nova_nuage_data # Optionally provided by ComputeExtraConfigPre datafiles: compute_extraconfig: mapped_data: {get_param: NovaComputeExtraConfig} @@ -386,12 +415,15 @@ resources: nova::rabbit_port: {get_input: rabbit_client_port} nova_compute_driver: {get_input: nova_compute_driver} nova::compute::libvirt::libvirt_virt_type: {get_input: nova_compute_libvirt_type} + nova::compute::neutron::libvirt_vif_driver: {get_input: nova_compute_libvirt_vif_driver} nova_api_host: {get_input: nova_api_host} nova::compute::vncproxy_host: {get_input: nova_public_ip} nova::compute::rbd::ephemeral_storage: {get_input: nova_enable_rbd_backend} rbd_persistent_storage: {get_input: cinder_enable_rbd_backend} nova_password: {get_input: nova_password} nova::compute::vncserver_proxyclient_address: {get_input: nova_vnc_proxyclient_address} + nova::network::neutron::neutron_ovs_bridge: {get_input: nova_ovs_bridge} + nova::network::neutron::security_group_api: {get_input: nova_security_group_api} ceilometer::debug: {get_input: debug} ceilometer::rabbit_userid: {get_input: rabbit_username} ceilometer::rabbit_password: {get_input: rabbit_password} @@ -406,7 +438,7 @@ resources: nova::glance_api_servers: {get_input: glance_api_servers} neutron::debug: {get_input: debug} neutron::rabbit_password: {get_input: rabbit_password} - neutron::rabbit_user: {get_input: rabbit_user} + neutron::rabbit_user: {get_input: rabbit_username} neutron::rabbit_use_ssl: {get_input: rabbit_client_use_ssl} neutron::rabbit_port: {get_input: rabbit_client_port} neutron_flat_networks: {get_input: neutron_flat_networks} @@ -420,10 +452,11 @@ resources: neutron::plugins::ml2::vni_ranges: {get_input: neutron_vni_ranges} neutron_bridge_mappings: {get_input: neutron_bridge_mappings} neutron::agents::ml2::ovs::enable_tunneling: {get_input: neutron_enable_tunneling} + neutron::agents::ml2::ovs::l2_population: {get_input: neutron_enable_l2pop} neutron_physical_bridge: {get_input: neutron_physical_bridge} neutron_public_interface: {get_input: neutron_public_interface} nova::network::neutron::neutron_admin_password: {get_input: neutron_password} - nova::network::neutron::neutron_url: {get_input: neutron_url} + nova::network::neutron::neutron_url: {get_input: neutron_internal_url} nova::network::neutron::neutron_admin_auth_url: {get_input: neutron_admin_auth_url} neutron_router_distributed: {get_input: neutron_router_distributed} neutron_agent_mode: {get_input: neutron_agent_mode} @@ -449,31 +482,22 @@ resources: debug: {get_param: Debug} nova_compute_driver: {get_param: NovaComputeDriver} nova_compute_libvirt_type: {get_param: NovaComputeLibvirtType} + nova_compute_libvirt_vif_driver: {get_param: NovaComputeLibvirtVifDriver} nova_public_ip: {get_param: NovaPublicIP} nova_api_host: {get_param: NovaApiHost} nova_password: {get_param: NovaPassword} nova_enable_rbd_backend: {get_param: NovaEnableRbdBackend} cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend} nova_vnc_proxyclient_address: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaVncProxyNetwork]}]} + nova_ovs_bridge: {get_param: NovaOVSBridge} + nova_security_group_api: {get_param: NovaSecurityGroupAPI} ceilometer_metering_secret: {get_param: CeilometerMeteringSecret} ceilometer_password: {get_param: CeilometerPassword} ceilometer_compute_agent: {get_param: CeilometerComputeAgent} - ceilometer_agent_auth_url: - list_join: - - '' - - - 'http://' - - {get_param: KeystonePublicApiVirtualIP} - - ':5000/v2.0' + ceilometer_agent_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName} snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword} - glance_api_servers: - list_join: - - '' - - - {get_param: GlanceProtocol} - - '://' - - {get_param: GlanceHost} - - ':' - - {get_param: GlancePort} + glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} neutron_flat_networks: {get_param: NeutronFlatNetworks} neutron_host: {get_param: NeutronHost} neutron_local_ip: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronTenantNetwork]}]} @@ -505,6 +529,7 @@ resources: - {get_param: NeutronNetworkVLANRanges} neutron_bridge_mappings: {get_param: NeutronBridgeMappings} neutron_enable_tunneling: {get_param: NeutronEnableTunnelling} + neutron_enable_l2pop: {get_param: NeutronEnableL2Pop} neutron_physical_bridge: {get_param: NeutronPhysicalBridge} neutron_public_interface: {get_param: NeutronPublicInterface} neutron_password: {get_param: NeutronPassword} @@ -530,31 +555,24 @@ resources: - {get_param: NeutronTypeDrivers} neutron_mechanism_drivers: {get_param: NeutronMechanismDrivers} neutron_public_interface_raw_device: {get_param: NeutronPublicInterfaceRawDevice} - neutron_url: - list_join: - - '' - - - 'http://' - - {get_param: NeutronHost} - - ':9696' - neutron_admin_auth_url: - list_join: - - '' - - - 'http://' - - {get_param: KeystoneAdminApiVirtualIP} - - ':35357/v2.0' + neutron_internal_url: {get_param: [EndpointMap, NeutronInternal, uri]} + neutron_admin_auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri]} admin_password: {get_param: AdminPassword} rabbit_username: {get_param: RabbitUserName} rabbit_password: {get_param: RabbitPassword} rabbit_client_use_ssl: {get_param: RabbitClientUseSSL} rabbit_client_port: {get_param: RabbitClientPort} - ntp_servers: - str_replace: - template: '["server"]' - params: - server: {get_param: NtpServer} + ntp_servers: {get_param: NtpServer} enable_package_install: {get_param: EnablePackageInstall} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: NovaComputeDeployment + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: NovaCompute} + # Hook for site-specific additional pre-deployment config, e.g extra hieradata ComputeExtraConfigPre: depends_on: NovaComputeDeployment @@ -565,7 +583,7 @@ resources: # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: ComputeExtraConfigPre + depends_on: [ComputeExtraConfigPre, NodeTLSCAData] type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: NovaCompute} @@ -603,9 +621,10 @@ outputs: Server's IP address and hostname in the /etc/hosts format value: str_replace: - template: "IP HOST.localdomain HOST" + template: "IP HOST.DOMAIN HOST" params: IP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ComputeHostnameResolveNetwork]}]} + DOMAIN: {get_param: CloudDomain} HOST: {get_attr: [NovaCompute, name]} nova_server_resource: description: Heat resource handle for the Nova compute server @@ -617,5 +636,6 @@ outputs: list_join: - ',' - - {get_attr: [NovaComputeDeployment, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} - {get_attr: [ComputeExtraConfigPre, deploy_stdout]} - {get_param: UpdateIdentifier} diff --git a/puppet/controller.yaml b/puppet/controller.yaml index 009199d4..2c1c18a3 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml @@ -106,6 +106,10 @@ parameters: default: true description: Whether to use Galera instead of regular MariaDB. type: boolean + EnableLoadBalancer: + default: true + description: Whether to deploy a LoadBalancer on the Controller + type: boolean EnableCephStorage: default: false description: Whether to deploy Ceph Storage (OSD) on the Controller @@ -170,14 +174,6 @@ parameters: description: The password for the glance service and db account, used by the glance services. type: string hidden: true - GlancePort: - default: "9292" - description: Glance port. - type: string - GlanceProtocol: - default: http - description: Protocol to use when connecting to glance, set to https for SSL. - type: string GlanceBackend: default: swift description: The short name of the Glance backend to use. Should be one @@ -286,6 +282,14 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + ManageFirewall: + default: false + description: Whether to manage IPtables rules. + type: boolean + PurgeFirewallRules: + default: false + description: Whether IPtables rules should be purged before setting up the new ones. + type: boolean MysqlClusterUniquePart: description: A unique identifier of the MySQL cluster the controller is in. type: string @@ -326,6 +330,22 @@ parameters: default: 'dhcp-option-force=26,1400' description: Dnsmasq options for neutron-dhcp-agent. The default value here forces MTU to be set to 1400 to account for the gre tunnel overhead. type: string + NeutronEnableDHCPAgent: + description: Knob to enable/disable DHCP Agent + type: boolean + default: true + NeutronEnableL3Agent: + description: Knob to enable/disable L3 agent + type: boolean + default: true + NeutronEnableMetadataAgent: + description: Knob to enable/disable Metadata agent + type: boolean + default: true + NeutronEnableOVSAgent: + description: Knob to enable/disable OVS Agent + type: boolean + default: true NeutronAgentMode: default: 'dvr_snat' description: Agent mode for the neutron-l3-agent on the controller hosts @@ -374,9 +394,18 @@ parameters: default: 'True' description: Allow automatic l3-agent failover type: string + NeutronEnableIsolatedMetadata: + default: 'False' + description: If True, DHCP provide metadata route to VM. + type: string NeutronEnableTunnelling: type: string default: "True" + NeutronEnableL2Pop: + type: string + description: > + Enable/disable the L2 population feature in the Neutron agents. + default: "False" NeutronFlatNetworks: type: string default: 'datacentre' @@ -458,8 +487,9 @@ parameters: description: Should MongoDb journaling be disabled type: boolean NtpServer: - type: string default: '' + description: Comma-separated list of ntp servers + type: comma_delimited_list PcsdPassword: type: string description: The password for the 'pcsd' user. @@ -512,20 +542,6 @@ parameters: description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true - SSLCACertificate: - default: '' - description: If set, the contents of an SSL certificate authority file. - type: string - SSLCertificate: - default: '' - description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints. - type: string - hidden: true - SSLKey: - default: '' - description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints. - type: string - hidden: true SwiftHashSuffix: default: unset description: A random string to be used as a salt when hashing to determine mappings @@ -590,6 +606,11 @@ parameters: description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json UpdateIdentifier: default: '' type: string @@ -599,6 +620,20 @@ parameters: Hostname: type: string default: '' # Defaults to Heat created hostname + NetworkDeploymentActions: + type: comma_delimited_list + description: > + Heat action when to apply network configuration changes + default: ['CREATE'] + NodeIndex: + type: number + default: 0 + CloudDomain: + default: '' + type: string + description: > + The DNS domain used for the hosts. This should match the dhcp_domain + configured in the Undercloud neutron. Defaults to localdomain. resources: @@ -695,10 +730,26 @@ resources: properties: config: {get_resource: NetworkConfig} server: {get_resource: Controller} + actions: {get_param: NetworkDeploymentActions} input_values: bridge_name: br-ex interface_name: {get_param: NeutronPublicInterface} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: NetworkDeployment + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: Controller} + + # Resource for site-specific passing of private keys/certificates + NodeTLSData: + depends_on: NodeTLSCAData + type: OS::TripleO::NodeTLSData + properties: + server: {get_resource: Controller} + NodeIndex: {get_param: NodeIndex} + ControllerDeployment: type: OS::TripleO::SoftwareDeployment depends_on: NetworkDeployment @@ -708,6 +759,8 @@ resources: input_values: bootstack_nodeid: {get_attr: [Controller, name]} neutron_enable_tunneling: {get_param: NeutronEnableTunnelling} + neutron_enable_l2pop: {get_param: NeutronEnableL2Pop} + neutron_enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata} haproxy_log_address: {get_param: HAProxySyslogAddress} heat.watch_server_url: list_join: @@ -727,24 +780,6 @@ resources: - - 'http://' - {get_param: HeatApiVirtualIP} - ':8000/v1/waitcondition' - heat_public_url: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':8004/v1/%(tenant_id)s' - heat_internal_url: - list_join: - - '' - - - 'http://' - - {get_param: HeatApiVirtualIP} - - ':8004/v1/%(tenant_id)s' - heat_admin_url: - list_join: - - '' - - - 'http://' - - {get_param: HeatApiVirtualIP} - - ':8004/v1/%(tenant_id)s' heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey} horizon_allowed_hosts: {get_param: HorizonAllowedHosts} horizon_secret: {get_param: HorizonSecret} @@ -777,43 +812,7 @@ resources: - '@' - {get_param: MysqlVirtualIP} - '/cinder' - cinder_public_url: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':8776/v1/%(tenant_id)s' - cinder_internal_url: - list_join: - - '' - - - 'http://' - - {get_param: CinderApiVirtualIP} - - ':8776/v1/%(tenant_id)s' - cinder_admin_url: - list_join: - - '' - - - 'http://' - - {get_param: CinderApiVirtualIP} - - ':8776/v1/%(tenant_id)s' - cinder_public_url_v2: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':8776/v2/%(tenant_id)s' - cinder_internal_url_v2: - list_join: - - '' - - - 'http://' - - {get_param: CinderApiVirtualIP} - - ':8776/v2/%(tenant_id)s' - cinder_admin_url_v2: - list_join: - - '' - - - 'http://' - - {get_param: CinderApiVirtualIP} - - ':8776/v2/%(tenant_id)s' - glance_port: {get_param: GlancePort} + glance_port: {get_param: [EndpointMap, GlanceInternal, port]} glance_password: {get_param: GlancePassword} glance_backend: {get_param: GlanceBackend} glance_file_pcmk_device: {get_param: GlanceFilePcmkDevice} @@ -840,7 +839,6 @@ resources: - '@' - {get_param: MysqlVirtualIP} - '/heat' - keystone_auth_address: {list_join: ['', ['http://', {get_param: KeystonePublicApiVirtualIP} , ':5000/v2.0']]} keystone_ca_certificate: {get_param: KeystoneCACertificate} keystone_signing_key: {get_param: KeystoneSigningKey} keystone_signing_certificate: {get_param: KeystoneSigningCertificate} @@ -856,40 +854,18 @@ resources: - '@' - {get_param: MysqlVirtualIP} - '/keystone' - keystone_identity_uri: - list_join: - - '' - - - 'http://' - - {get_param: KeystoneAdminApiVirtualIP} - - ':35357' - keystone_auth_uri: - list_join: - - '' - - - 'http://' - - {get_param: KeystonePublicApiVirtualIP} - - ':5000/v2.0/' - keystone_public_url: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':5000' - keystone_internal_url: - list_join: - - '' - - - 'http://' - - {get_param: KeystonePublicApiVirtualIP} - - ':5000' - keystone_ec2_uri: - list_join: - - '' - - - 'http://' - - {get_param: KeystonePublicApiVirtualIP} - - ':5000/v2.0/ec2tokens' + keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + keystone_public_url: { get_param: [EndpointMap, KeystonePublic, uri_no_suffix] } + keystone_internal_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } + keystone_ec2_uri: { get_param: [EndpointMap, KeystoneEC2, uri] } enable_fencing: {get_param: EnableFencing} enable_galera: {get_param: EnableGalera} + enable_load_balancer: {get_param: EnableLoadBalancer} enable_ceph_storage: {get_param: EnableCephStorage} enable_swift_storage: {get_param: EnableSwiftStorage} + manage_firewall: {get_param: ManageFirewall} + purge_firewall_rules: {get_param: PurgeFirewallRules} mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize} mysql_max_connections: {get_param: MysqlMaxConnections} mysql_root_password: {get_param: MysqlRootPassword} @@ -919,6 +895,10 @@ resources: list_join: - "','" - {get_param: NeutronTypeDrivers} + neutron_enable_dhcp_agent: {get_param: NeutronEnableDHCPAgent} + neutron_enable_l3_agent: {get_param: NeutronEnableL3Agent} + neutron_enable_metadata_agent: {get_param: NeutronEnableMetadataAgent} + neutron_enable_ovs_agent: {get_param: NeutronEnableOVSAgent} neutron_mechanism_drivers: {get_param: NeutronMechanismDrivers} neutron_allow_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} neutron_l3_ha: {get_param: NeutronL3HA} @@ -965,30 +945,11 @@ resources: - '@' - {get_param: MysqlVirtualIP} - '/ovs_neutron?charset=utf8' - neutron_internal_url: - list_join: - - '' - - - 'http://' - - {get_param: NeutronApiVirtualIP} - - ':9696' - neutron_public_url: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':9696' - neutron_admin_url: - list_join: - - '' - - - 'http://' - - {get_param: NeutronApiVirtualIP} - - ':9696' - neutron_admin_auth_url: - list_join: - - '' - - - 'http://' - - {get_param: KeystoneAdminApiVirtualIP} - - ':35357/v2.0' + neutron_internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] } + neutron_public_url: { get_param: [ EndpointMap, NeutronPublic, uri ] } + neutron_admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] } + neutron_admin_auth_url: { get_param: [ EndpointMap, KeystoneAdmin, uri ] } + nova_internal_url: { get_param: [ EndpointMap, NovaInternal, uri ] } ceilometer_backend: {get_param: CeilometerBackend} ceilometer_metering_secret: {get_param: CeilometerMeteringSecret} ceilometer_password: {get_param: CeilometerPassword} @@ -1006,24 +967,6 @@ resources: - '@' - {get_param: MysqlVirtualIP} - '/ceilometer' - ceilometer_public_url: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':8777' - ceilometer_internal_url: - list_join: - - '' - - - 'http://' - - {get_param: CeilometerApiVirtualIP} - - ':8777' - ceilometer_admin_url: - list_join: - - '' - - - 'http://' - - {get_param: CeilometerApiVirtualIP} - - ':8777' snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName} snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword} nova_password: {get_param: NovaPassword} @@ -1035,60 +978,6 @@ resources: - '@' - {get_param: MysqlVirtualIP} - '/nova' - nova_public_url: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':8774/v2/%(tenant_id)s' - nova_internal_url: - list_join: - - '' - - - 'http://' - - {get_param: NovaApiVirtualIP} - - ':8774/v2/%(tenant_id)s' - nova_admin_url: - list_join: - - '' - - - 'http://' - - {get_param: NovaApiVirtualIP} - - ':8774/v2/%(tenant_id)s' - nova_v3_public_url: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':8774/v3' - nova_v3_internal_url: - list_join: - - '' - - - 'http://' - - {get_param: NovaApiVirtualIP} - - ':8774/v3' - nova_v3_admin_url: - list_join: - - '' - - - 'http://' - - {get_param: NovaApiVirtualIP} - - ':8774/v3' - nova_ec2_public_url: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':8773/services/Cloud' - nova_ec2_internal_url: - list_join: - - '' - - - 'http://' - - {get_param: NovaApiVirtualIP} - - ':8773/services/Cloud' - nova_ec2_admin_url: - list_join: - - '' - - - 'http://' - - {get_param: NovaApiVirtualIP} - - ':8773/services/Admin' fencing_config: {get_param: FencingConfig} pcsd_password: {get_param: PcsdPassword} rabbit_username: {get_param: RabbitUserName} @@ -1105,11 +994,7 @@ resources: template: "'LIMIT'" params: LIMIT: {get_param: RabbitFDLimit} - ntp_servers: - str_replace: - template: '["server"]' - params: - server: {get_param: NtpServer} + ntp_servers: {get_param: NtpServer} control_virtual_interface: {get_param: ControlVirtualInterface} public_virtual_interface: {get_param: PublicVirtualInterface} swift_hash_suffix: {get_param: SwiftHashSuffix} @@ -1118,42 +1003,6 @@ resources: swift_replicas: {get_param: SwiftReplicas} swift_min_part_hours: {get_param: SwiftMinPartHours} swift_mount_check: {get_param: SwiftMountCheck} - swift_public_url: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':8080/v1/AUTH_%(tenant_id)s' - swift_internal_url: - list_join: - - '' - - - 'http://' - - {get_param: SwiftProxyVirtualIP} - - ':8080/v1/AUTH_%(tenant_id)s' - swift_admin_url: - list_join: - - '' - - - 'http://' - - {get_param: SwiftProxyVirtualIP} - - ':8080' - swift_public_url_s3: - list_join: - - '' - - - 'http://' - - {get_param: PublicVirtualIP} - - ':8080' - swift_internal_url_s3: - list_join: - - '' - - - 'http://' - - {get_param: SwiftProxyVirtualIP} - - ':8080' - swift_admin_url_s3: - list_join: - - '' - - - 'http://' - - {get_param: SwiftProxyVirtualIP} - - ':8080' enable_package_install: {get_param: EnablePackageInstall} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} swift_proxy_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftProxyNetwork]}]} @@ -1162,39 +1011,8 @@ resources: cinder_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, CinderApiNetwork]}]} glance_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, GlanceApiNetwork]}]} glance_registry_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, GlanceRegistryNetwork]}]} - glance_api_servers: - list_join: - - '' - - - {get_param: GlanceProtocol} - - '://' - - {get_param: GlanceApiVirtualIP} - - ':' - - {get_param: GlancePort} + glance_api_servers: { get_param: [EndpointMap, GlanceInternal, uri]} glance_registry_host: {get_param: GlanceRegistryVirtualIP} - glance_public_url: - list_join: - - '' - - - {get_param: GlanceProtocol} - - '://' - - {get_param: PublicVirtualIP} - - ':' - - {get_param: GlancePort} - glance_internal_url: - list_join: - - '' - - - {get_param: GlanceProtocol} - - '://' - - {get_param: GlanceApiVirtualIP} - - ':' - - {get_param: GlancePort} - glance_admin_url: - list_join: - - '' - - - {get_param: GlanceProtocol} - - '://' - - {get_param: GlanceApiVirtualIP} - - ':' - - {get_param: GlancePort} heat_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HeatApiNetwork]}]} keystone_public_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]} keystone_admin_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]} @@ -1243,6 +1061,7 @@ resources: - neutron_bigswitch_data # Optionally provided by ControllerExtraConfigPre - neutron_cisco_data # Optionally provided by ControllerExtraConfigPre - cisco_n1kv_data # Optionally provided by ControllerExtraConfigPre + - neutron_nuage_data # Optionally provided by ControllerExtraConfigPre datafiles: controller_extraconfig: mapped_data: {get_param: ControllerExtraConfig} @@ -1267,6 +1086,7 @@ resources: # Pacemaker enable_fencing: {get_input: enable_fencing} + enable_load_balancer: {get_input: enable_load_balancer} hacluster_pwd: {get_input: pcsd_password} tripleo::fencing::config: {get_input: fencing_config} @@ -1281,14 +1101,6 @@ resources: tripleo::ringbuilder::replicas: {get_input: swift_replicas} tripleo::ringbuilder::min_part_hours: {get_input: swift_min_part_hours} swift_mount_check: {get_input: swift_mount_check} - swift::keystone::auth::public_url: {get_input: swift_public_url } - swift::keystone::auth::internal_url: {get_input: swift_internal_url } - swift::keystone::auth::admin_url: {get_input: swift_admin_url } - swift::keystone::auth::public_url_s3: {get_input: swift_public_url_v3 } - swift::keystone::auth::internal_url_s3: {get_input: swift_internal_url_v3 } - swift::keystone::auth::admin_url_s3: {get_input: swift_admin_url_v3 } - swift::keystone::auth::password: {get_input: swift_password } - swift::keystone::auth::region: {get_input: keystone_region} # NOTE(dprince): build_ring support is currently not wired in. # See: https://review.openstack.org/#/c/109225/ @@ -1316,14 +1128,6 @@ resources: cinder::glance::glance_api_servers: {get_input: glance_api_servers} cinder_backend_config: {get_input: CinderBackendConfig} cinder::db::mysql::password: {get_input: cinder_password} - cinder::keystone::auth::public_url: {get_input: cinder_public_url } - cinder::keystone::auth::internal_url: {get_input: cinder_internal_url } - cinder::keystone::auth::admin_url: {get_input: cinder_admin_url } - cinder::keystone::auth::public_url_v2: {get_input: cinder_public_url_v2 } - cinder::keystone::auth::internal_url_v2: {get_input: cinder_internal_url_v2 } - cinder::keystone::auth::admin_url_v2: {get_input: cinder_admin_url_v2 } - cinder::keystone::auth::password: {get_input: cinder_password } - cinder::keystone::auth::region: {get_input: keystone_region} # Glance glance::api::bind_port: {get_input: glance_port} @@ -1343,16 +1147,11 @@ resources: glance::registry::auth_uri: {get_input: keystone_auth_uri} glance::registry::identity_uri: {get_input: keystone_identity_uri} glance::registry::debug: {get_input: debug} - glance::backend::swift::swift_store_auth_address: {get_input: keystone_auth_address} + glance::backend::swift::swift_store_auth_address: {get_input: keystone_auth_uri} glance::backend::swift::swift_store_user: service:glance glance::backend::swift::swift_store_key: {get_input: glance_password} glance_backend: {get_input: glance_backend} glance::db::mysql::password: {get_input: glance_password} - glance::keystone::auth::public_url: {get_input: glance_public_url } - glance::keystone::auth::internal_url: {get_input: glance_internal_url } - glance::keystone::auth::admin_url: {get_input: glance_admin_url } - glance::keystone::auth::password: {get_input: glance_password } - glance::keystone::auth::region: {get_input: keystone_region} glance_file_pcmk_device: {get_input: glance_file_pcmk_device} glance_file_pcmk_fstype: {get_input: glance_file_pcmk_fstype} glance_file_pcmk_manage: {get_input: glance_file_pcmk_manage} @@ -1378,11 +1177,6 @@ resources: heat::database_connection: {get_input: heat_dsn} heat::debug: {get_input: debug} heat::db::mysql::password: {get_input: heat_password} - heat::keystone::auth::public_url: {get_input: heat_public_url } - heat::keystone::auth::internal_url: {get_input: heat_internal_url } - heat::keystone::auth::admin_url: {get_input: heat_admin_url } - heat::keystone::auth::password: {get_input: heat_password } - heat::keystone::auth::region: {get_input: keystone_region} # Keystone keystone::admin_token: {get_input: admin_token} @@ -1426,7 +1220,7 @@ resources: # Neutron neutron::bind_host: {get_input: neutron_api_network} neutron::rabbit_password: {get_input: rabbit_password} - neutron::rabbit_user: {get_input: rabbit_user} + neutron::rabbit_user: {get_input: rabbit_username} neutron::rabbit_use_ssl: {get_input: rabbit_client_use_ssl} neutron::rabbit_port: {get_input: rabbit_client_port} neutron::debug: {get_input: debug} @@ -1435,6 +1229,8 @@ resources: neutron::server::database_connection: {get_input: neutron_dsn} neutron::agents::l3::external_network_bridge: {get_input: neutron_external_network_bridge} neutron::agents::ml2::ovs::enable_tunneling: {get_input: neutron_enable_tunneling} + neutron::agents::ml2::ovs::l2_population: {get_input: neutron_enable_l2pop} + neutron::agents::dhcp::enable_isolated_metadata: {get_input: neutron_enable_isolated_metadata} neutron::agents::ml2::ovs::local_ip: {get_input: neutron_local_ip} neutron_flat_networks: {get_input: neutron_flat_networks} neutron::agents::metadata::shared_secret: {get_input: neutron_metadata_proxy_shared_secret} @@ -1443,6 +1239,10 @@ resources: neutron_router_distributed: {get_input: neutron_router_distributed} neutron::core_plugin: {get_input: neutron_core_plugin} neutron::service_plugins: {get_input: neutron_service_plugins} + neutron::enable_dhcp_agent: {get_input: neutron_enable_dhcp_agent} + neutron::enable_l3_agent: {get_input: neutron_enable_l3_agent} + neutron::enable_metadata_agent: {get_input: neutron_enable_metadata_agent} + neutron::enable_ovs_agent: {get_input: neutron_enable_ovs_agent} neutron::plugins::ml2::type_drivers: {get_input: neutron_type_drivers} neutron_mechanism_drivers: {get_input: neutron_mechanism_drivers} neutron::server::allow_automatic_l3agent_failover: {get_input: neutron_allow_l3agent_failover} @@ -1469,6 +1269,10 @@ resources: neutron::keystone::auth::admin_url: {get_input: neutron_admin_url } neutron::keystone::auth::password: {get_input: neutron_password } neutron::keystone::auth::region: {get_input: keystone_region} + neutron::server::notifications::nova_url: {get_input: nova_internal_url} + neutron::server::notifications::auth_url: {get_input: neutron_admin_auth_url} + neutron::server::notifications::tenant_name: 'service' + neutron::server::notifications::password: {get_input: nova_password} # Ceilometer ceilometer_backend: {get_input: ceilometer_backend} @@ -1484,14 +1288,9 @@ resources: ceilometer::api::keystone_auth_uri: {get_input: keystone_auth_uri} ceilometer::api::keystone_identity_uri: {get_input: keystone_identity_uri} ceilometer::agent::auth::auth_password: {get_input: ceilometer_password} - ceilometer::agent::auth::auth_url: {get_input: keystone_auth_address} + ceilometer::agent::auth::auth_url: {get_input: keystone_auth_uri} ceilometer::agent::central::coordination_url: {get_input: ceilometer_coordination_url} ceilometer::db::mysql::password: {get_input: ceilometer_password} - ceilometer::keystone::auth::public_url: {get_input: ceilometer_public_url } - ceilometer::keystone::auth::internal_url: {get_input: ceilometer_internal_url } - ceilometer::keystone::auth::admin_url: {get_input: ceilometer_admin_url } - ceilometer::keystone::auth::password: {get_input: ceilometer_password } - ceilometer::keystone::auth::region: {get_input: keystone_region} snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name} snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password} @@ -1514,17 +1313,6 @@ resources: nova::network::neutron::neutron_admin_auth_url: {get_input: neutron_admin_auth_url} nova::vncproxy::host: {get_input: nova_api_network} nova::db::mysql::password: {get_input: nova_password} - nova::keystone::auth::public_url: {get_input: nova_public_url} - nova::keystone::auth::internal_url: {get_input: nova_internal_url} - nova::keystone::auth::admin_url: {get_input: nova_admin_url} - nova::keystone::auth::public_url_v3: {get_input: nova_v3_public_url} - nova::keystone::auth::internal_url_v3: {get_input: nova_v3_internal_url} - nova::keystone::auth::admin_url_v3: {get_input: nova_v3_admin_url} - nova::keystone::auth::ec2_public_url: {get_input: nova_ec2_public_url} - nova::keystone::auth::ec2_internal_url: {get_input: nova_ec2_internal_url} - nova::keystone::auth::ec2_admin_url: {get_input: nova_ec2_admin_url} - nova::keystone::auth::password: {get_input: nova_password } - nova::keystone::auth::region: {get_input: keystone_region} # Horizon apache::ip: {get_input: horizon_network} @@ -1538,9 +1326,14 @@ resources: rabbitmq::node_ip_address: {get_input: rabbitmq_network} rabbitmq::erlang_cookie: {get_input: rabbit_cookie} rabbitmq::file_limit: {get_input: rabbit_fd_limit} + rabbitmq::default_user: {get_input: rabbit_username} + rabbitmq::default_pass: {get_input: rabbit_password} # Redis redis::bind: {get_input: redis_network} redis_vip: {get_input: redis_vip} + # Firewall + tripleo::firewall::manage_firewall: {get_input: manage_firewall} + tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules} # Misc memcached::listen_ip: {get_input: memcached_network} neutron_public_interface_ip: {get_input: neutron_public_interface_ip} @@ -1550,6 +1343,12 @@ resources: tripleo::loadbalancer::control_virtual_interface: {get_input: control_virtual_interface} tripleo::loadbalancer::public_virtual_interface: {get_input: public_virtual_interface} tripleo::loadbalancer::haproxy_log_address: {get_input: haproxy_log_address} + # NOTE(jaosorior): The service certificate configuration for + # HAProxy was left commented because to properly use this, we + # need to be able to set up the keystone endpoints. And + # currently that is not possible, but is being addressed by + # other commits. A subsequent commit will uncomment this. + #tripleo::loadbalancer::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]} tripleo::packages::enable_install: {get_input: enable_package_install} tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} @@ -1563,7 +1362,7 @@ resources: # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: ControllerExtraConfigPre + depends_on: [ControllerExtraConfigPre, NodeTLSData] type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: Controller} @@ -1614,9 +1413,10 @@ outputs: Server's IP address and hostname in the /etc/hosts format value: str_replace: - template: IP HOST.localdomain HOST CLOUDNAME + template: IP HOST.DOMAIN HOST CLOUDNAME params: IP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ControllerHostnameResolveNetwork]}]} + DOMAIN: {get_param: CloudDomain} HOST: {get_attr: [Controller, name]} CLOUDNAME: {get_param: CloudName} nova_server_resource: @@ -1643,5 +1443,13 @@ outputs: list_join: - ',' - - {get_attr: [ControllerDeployment, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} + - {get_attr: [NodeTLSData, deploy_stdout]} - {get_attr: [ControllerExtraConfigPre, deploy_stdout]} - {get_param: UpdateIdentifier} + tls_key_modulus_md5: + description: MD5 checksum of the TLS Key Modulus + value: {get_attr: [NodeTLSData, key_modulus_md5]} + tls_cert_modulus_md5: + description: MD5 checksum of the TLS Certificate Modulus + value: {get_attr: [NodeTLSData, cert_modulus_md5]} diff --git a/puppet/extraconfig/ceph/ceph-external-config.yaml b/puppet/extraconfig/ceph/ceph-external-config.yaml index 62907104..7cefc24b 100644 --- a/puppet/extraconfig/ceph/ceph-external-config.yaml +++ b/puppet/extraconfig/ceph/ceph-external-config.yaml @@ -29,6 +29,18 @@ parameters: type: comma_delimited_list ceph_mon_ips: type: comma_delimited_list + NovaRbdPoolName: + default: vms + type: string + CinderRbdPoolName: + default: volumes + type: string + GlanceRbdPoolName: + default: images + type: string + CephClientUserName: + default: openstack + type: string resources: CephClusterConfigImpl: @@ -47,16 +59,34 @@ resources: ceph::profile::params::client_keys: str_replace: template: "{ - client.openstack: { + client.CLIENT_USER: { secret: 'CLIENT_KEY', mode: '0644', cap_mon: 'allow r', - cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rwx pool=images' + cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL' } }" params: + CLIENT_USER: {get_param: CephClientUserName} CLIENT_KEY: {get_param: ceph_client_key} - + NOVA_POOL: {get_param: NovaRbdPoolName} + CINDER_POOL: {get_param: CinderRbdPoolName} + GLANCE_POOL: {get_param: GlanceRbdPoolName} + nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName} + cinder_rbd_pool_name: {get_param: CinderRbdPoolName} + glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} + nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName} + glance::backend::rbd::rbd_store_pool: {get_param: CephClientUserName} + nova::compute::rbd::rbd_keyring: + list_join: + - '.' + - - 'client' + - {get_param: CephClientUserName} + ceph_client_user_name: {get_param: CephClientUserName} + ceph_pools: + - {get_param: CinderRbdPoolName} + - {get_param: NovaRbdPoolName} + - {get_param: GlanceRbdPoolName} outputs: config_id: diff --git a/puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml b/puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml new file mode 100644 index 00000000..96368e37 --- /dev/null +++ b/puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml @@ -0,0 +1,92 @@ +heat_template_version: 2015-04-30 + +description: Configure hieradata for Nuage configuration on the Compute + +parameters: + server: + description: ID of the compute node to apply this config to + type: string + + NuageActiveController: + description: IP address of the Active Virtualized Services Controller (VSC) + type: string + NuageStandbyController: + description: IP address of the Standby Virtualized Services Controller (VSC) + type: string + NuageMetadataPort: + description: TCP Port to listen for metadata server requests + type: string + default: '9697' + NuageNovaMetadataPort: + description: TCP Port used by Nova metadata server + type: string + default: '8775' + NuageMetadataProxySharedSecret: + description: Shared secret to sign the instance-id request + type: string + NuageNovaClientVersion: + description: Client Version Nova + type: string + default: '2' + NuageNovaOsUsername: + description: Nova username in keystone_authtoken + type: string + default: 'nova' + NuageMetadataAgentStartWithOvs: + description: Set to True if nuage-metadata-agent needs to be started with nuage-openvswitch-switch + type: string + default: 'True' + NuageNovaApiEndpoint: + description: One of publicURL, internalURL, adminURL in "keystone endpoint-list" + type: string + default: 'publicURL' + NuageNovaRegionName: + description: Region name in "keystone endpoint-list" + type: string + default: 'regionOne' + +# Declaration of resources for the template. +resources: + NovaNuageConfig: + type: OS::Heat::StructuredConfig + properties: + group: os-apply-config + config: + hiera: + datafiles: + nova_nuage_data: + mapped_data: + nuage::vrs::active_controller: {get_input: ActiveController} + nuage::vrs::standby_controller: {get_input: StandbyController} + nuage::metadataagent::metadata_port: {get_input: MetadataPort} + nuage::metadataagent::nova_metadata_port: {get_input: NovaMetadataPort} + nuage::metadataagent::metadata_secret: {get_input: SharedSecret} + nuage::metadataagent::nova_client_version: {get_input: NovaClientVersion} + nuage::metadataagent::nova_os_username: {get_input: NovaOsUsername} + nuage::metadataagent::metadata_agent_start_with_ovs: {get_input: MetadataAgentStartWithOvs} + nuage::metadataagent::nova_api_endpoint_type: {get_input: NovaApiEndpointType} + nuage::metadataagent::nova_region_name: {get_input: NovaRegionName} + + NovaNuageDeployment: + type: OS::Heat::StructuredDeployment + properties: + config: {get_resource: NovaNuageConfig} + server: {get_param: server} + input_values: + ActiveController: {get_param: NuageActiveController} + StandbyController: {get_param: NuageStandbyController} + MetadataPort: {get_param: NuageMetadataPort} + NovaMetadataPort: {get_param: NuageNovaMetadataPort} + SharedSecret: {get_param: NuageMetadataProxySharedSecret} + NovaClientVersion: {get_param: NuageNovaClientVersion} + NovaOsUsername: {get_param: NuageNovaOsUsername} + MetadataAgentStartWithOvs: {get_param: NuageMetadataAgentStartWithOvs} + NovaApiEndpointType: {get_param: NuageNovaApiEndpoint} + NovaRegionName: {get_param: NuageNovaRegionName} + +# Specify output parameters that will be available +# after the template is instantiated. +outputs: + deploy_stdout: + description: Deployment reference, used to trigger puppet apply on changes + value: {get_attr: [NovaNuageDeployment, deploy_stdout]} diff --git a/puppet/extraconfig/pre_deploy/controller/neutron-nuage.yaml b/puppet/extraconfig/pre_deploy/controller/neutron-nuage.yaml new file mode 100644 index 00000000..60f02bf8 --- /dev/null +++ b/puppet/extraconfig/pre_deploy/controller/neutron-nuage.yaml @@ -0,0 +1,83 @@ +heat_template_version: 2015-04-30 + +description: Configure hieradata for Nuage configuration on the Controller + +parameters: + server: + description: ID of the controller node to apply this config to + type: string + + # Config specific parameters, to be provided via parameter_defaults + NeutronNuageOSControllerIp: + description: IP address of the OpenStack Controller + type: string + + NeutronNuageNetPartitionName: + description: Specifies the title that you will see on the VSD + type: string + default: 'default_name' + + NeutronNuageVSDIp: + description: IP address and port of the Virtual Services Directory + type: string + + NeutronNuageVSDUsername: + description: Username to be used to log into VSD + type: string + + NeutronNuageVSDPassword: + description: Password to be used to log into VSD + type: string + + NeutronNuageVSDOrganization: + description: Organization parameter required to log into VSD + type: string + default: 'organization' + + NeutronNuageBaseURIVersion: + description: URI version to be used based on the VSD release + type: string + default: 'default_uri_version' + + NeutronNuageCMSId: + description: Cloud Management System ID (CMS ID) to distinguish between OS instances on the same VSD + type: string + +resources: + NeutronNuageConfig: + type: OS::Heat::StructuredConfig + properties: + group: os-apply-config + config: + hiera: + datafiles: + neutron_nuage_data: + mapped_data: + neutron::plugins::nuage::nuage_oscontroller_ip: {get_input: NuageOSControllerIp} + neutron::plugins::nuage::nuage_net_partition_name: {get_input: NuageNetPartitionName} + neutron::plugins::nuage::nuage_vsd_ip: {get_input: NuageVSDIp} + neutron::plugins::nuage::nuage_vsd_username: {get_input: NuageVSDUsername} + neutron::plugins::nuage::nuage_vsd_password: {get_input: NuageVSDPassword} + neutron::plugins::nuage::nuage_vsd_organization: {get_input: NuageVSDOrganization} + neutron::plugins::nuage::nuage_base_uri_version: {get_input: NuageBaseURIVersion} + neutron::plugins::nuage::nuage_cms_id: {get_input: NuageCMSId} + + NeutronNuageDeployment: + type: OS::Heat::StructuredDeployment + properties: + config: {get_resource: NeutronNuageConfig} + server: {get_param: server} + input_values: + NuageOSControllerIp: {get_param: NeutronNuageOSControllerIp} + NuageNetPartitionName: {get_param: NeutronNuageNetPartitionName} + NuageVSDIp: {get_param: NeutronNuageVSDIp} + NuageVSDUsername: {get_param: NeutronNuageVSDUsername} + NuageVSDPassword: {get_param: NeutronNuageVSDPassword} + NuageVSDOrganization: {get_param: NeutronNuageVSDOrganization} + NuageBaseURIVersion: {get_param: NeutronNuageBaseURIVersion} + NuageCMSId: {get_param: NeutronNuageCMSId} + +outputs: + deploy_stdout: + description: Deployment reference, used to trigger puppet apply on changes + value: {get_attr: [NeutronNuageDeployment, deploy_stdout]} diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml new file mode 100644 index 00000000..7e34f071 --- /dev/null +++ b/puppet/extraconfig/tls/ca-inject.yaml @@ -0,0 +1,66 @@ +heat_template_version: 2015-04-30 + +description: > + This is a template which will inject the trusted anchor. + +parameters: + # Can be overriden via parameter_defaults in the environment + SSLRootCertificate: + description: > + The content of a CA's SSL certificate file in PEM format. + This is evaluated on the client side. + type: string + SSLRootCertificatePath: + default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem' + description: > + The filepath of the root certificate as it will be stored in the nodes. + Note that the path has to be one that can be picked up by the update + trust anchor command. e.g. in RHEL it would be + /etc/pki/ca-trust/source/anchors/ca.crt.pem + type: string + UpdateTrustAnchorsCommand: + default: update-ca-trust extract + description: > + command that will be executed to update the trust anchors. + type: string + + # Passed in by controller.yaml + server: + description: ID of the node to apply this config to + type: string + +resources: + CAConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + inputs: + - name: cacert_path + - name: cacert_content + - name: update_anchor_command + outputs: + - name: root_cert_md5sum + config: | + #!/bin/sh + cat > ${cacert_path} << EOF + ${cacert_content} + EOF + chmod 0440 ${cacert_path} + chown root:root ${cacert_path} + ${update_anchor_command} + md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum + + CADeployment: + type: OS::Heat::SoftwareDeployment + properties: + config: {get_resource: CAConfig} + server: {get_param: server} + input_values: + cacert_path: {get_param: SSLRootCertificatePath} + cacert_content: {get_param: SSLRootCertificate} + update_anchor_command: {get_param: UpdateTrustAnchorsCommand} + +outputs: + deploy_stdout: + description: Deployment reference + value: {get_attr: [CADeployment, root_cert_md5sum]} diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml new file mode 100644 index 00000000..5862a85c --- /dev/null +++ b/puppet/extraconfig/tls/no-ca.yaml @@ -0,0 +1,17 @@ +heat_template_version: 2015-04-30 + +description: > + This is a default no-op template which can be passed to the + OS::Nova::Server resources. This template can be replaced with + a different implementation via the resource registry, such that + deployers may customize their configuration. + +parameters: + server: # Here for compatibility with controller.yaml + description: ID of the controller node to apply this config to + type: string + +outputs: + deploy_stdout: + description: Deployment reference, used to trigger puppet apply on changes + value: 'Root CA cert injection not enabled.' diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml new file mode 100644 index 00000000..a2b5c569 --- /dev/null +++ b/puppet/extraconfig/tls/no-tls.yaml @@ -0,0 +1,34 @@ +heat_template_version: 2015-04-30 + +description: > + This is a default no-op template. This defines the parameters that + need to be passed in order to have TLS enabled in the controller + nodes. This template can be replaced with a different + implementation via the resource registry, such that deployers + may customize their configuration. + +parameters: + DeployedSSLCertificatePath: + default: '' + description: > + The filepath of the certificate as it will be stored in the controller. + type: string + NodeIndex: # Here for compatibility with puppet/controller.yaml + default: 0 + type: number + server: # Here for compatibility with puppet/controller.yaml + description: ID of the controller node to apply this config to + type: string + +outputs: + deploy_stdout: + description: Deployment reference, used to trigger puppet apply on changes + value: 'TLS not enabled.' + deployed_ssl_certificate_path: + value: '' + key_modulus_md5: + description: Key SSL Modulus + value: '' + cert_modulus_md5: + description: Certificate SSL Modulus + value: '' diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml new file mode 100644 index 00000000..ce524ba9 --- /dev/null +++ b/puppet/extraconfig/tls/tls-cert-inject.yaml @@ -0,0 +1,93 @@ +heat_template_version: 2015-04-30 + +description: > + This is a template which will build the TLS Certificates necessary + for the load balancer using the given parameters. + +parameters: + # Can be overriden via parameter_defaults in the environment + SSLCertificate: + description: > + The content of the SSL certificate (without Key) in PEM format. + type: string + SSLIntermediateCertificate: + default: '' + description: > + The content of an SSL intermediate CA certificate in PEM format. + type: string + SSLKey: + description: > + The content of the SSL Key in PEM format. + type: string + hidden: true + + # Can be overriden by parameter_defaults if the user wants to try deploying + # this in a distro that doesn't support this path. + DeployedSSLCertificatePath: + default: '/etc/pki/tls/private/overcloud_endpoint.pem' + description: > + The filepath of the certificate as it will be stored in the controller. + type: string + + # Passed in by the controller + NodeIndex: + default: 0 + type: number + server: + description: ID of the controller node to apply this config to + type: string + +resources: + ControllerTLSConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + inputs: + - name: cert_path + - name: cert_chain_content + outputs: + - name: chain_md5sum + - name: cert_modulus + - name: key_modulus + config: | + #!/bin/sh + cat > ${cert_path} << EOF + ${cert_chain_content} + EOF + chmod 0440 ${cert_path} + chown root:haproxy ${cert_path} + md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum + openssl x509 -noout -modulus -in ${cert_path} \ + | openssl md5 | cut -c 10- \ + > ${heat_outputs_path}.cert_modulus + openssl rsa -noout -modulus -in ${cert_path} \ + | openssl md5 | cut -c 10- \ + > ${heat_outputs_path}.key_modulus + + ControllerTLSDeployment: + type: OS::Heat::SoftwareDeployment + properties: + config: {get_resource: ControllerTLSConfig} + server: {get_param: server} + input_values: + cert_path: {get_param: DeployedSSLCertificatePath} + cert_chain_content: + list_join: + - '' + - - {get_param: SSLCertificate} + - {get_param: SSLIntermediateCertificate} + - {get_param: SSLKey} + +outputs: + deploy_stdout: + description: Deployment reference + value: {get_attr: [ControllerTLSDeployment, chain_md5sum]} + deployed_ssl_certificate_path: + description: The location that the TLS certificate was deployed to. + value: {get_param: DeployedSSLCertificatePath} + key_modulus_md5: + description: MD5 checksum of the Key SSL Modulus + value: {get_attr: [ControllerTLSDeployment, key_modulus]} + cert_modulus_md5: + description: MD5 checksum of the Certificate SSL Modulus + value: {get_attr: [ControllerTLSDeployment, cert_modulus]} diff --git a/puppet/hieradata/ceph.yaml b/puppet/hieradata/ceph.yaml index 18a48622..1e480e60 100644 --- a/puppet/hieradata/ceph.yaml +++ b/puppet/hieradata/ceph.yaml @@ -1,17 +1,12 @@ ceph::profile::params::osd_journal_size: 1024 -ceph::profile::params::osd_pool_default_pg_num: 128 -ceph::profile::params::osd_pool_default_pgp_num: 128 +ceph::profile::params::osd_pool_default_pg_num: 32 +ceph::profile::params::osd_pool_default_pgp_num: 32 ceph::profile::params::osd_pool_default_size: 3 ceph::profile::params::osd_pool_default_min_size: 1 ceph::profile::params::osds: {/srv/data: {}} ceph::profile::params::manage_repo: false ceph::profile::params::authentication_type: cephx -ceph_pools: - - volumes - - vms - - images - ceph_classes: [] ceph_osd_selinux_permissive: true diff --git a/puppet/hieradata/common.yaml b/puppet/hieradata/common.yaml index 030f661d..95f5ccb8 100644 --- a/puppet/hieradata/common.yaml +++ b/puppet/hieradata/common.yaml @@ -9,8 +9,6 @@ ceilometer::agent::auth::auth_tenant_name: 'admin' nova::network::neutron::neutron_admin_tenant_name: 'service' nova::network::neutron::neutron_admin_username: 'neutron' -nova::network::neutron::vif_plugging_is_fatal: false -nova::network::neutron::vif_plugging_timeout: 30 nova::network::neutron::dhcp_domain: '' neutron::allow_overlapping_ips: true diff --git a/puppet/hieradata/compute.yaml b/puppet/hieradata/compute.yaml index 16aeb98c..fa8dcc81 100644 --- a/puppet/hieradata/compute.yaml +++ b/puppet/hieradata/compute.yaml @@ -10,11 +10,14 @@ nova::compute::vnc_enabled: true nova::compute::libvirt::vncserver_listen: '0.0.0.0' nova::compute::libvirt::migration_support: true -nova::compute::rbd::libvirt_rbd_user: 'openstack' -nova::compute::rbd::rbd_keyring: 'client.openstack' -nova::compute::rbd::libvirt_images_rbd_pool: 'vms' nova::compute::rbd::libvirt_rbd_secret_uuid: "%{hiera('ceph::profile::params::fsid')}" +# Changing the default from 512MB. The current templates can not deploy +# overclouds with swap. On an idle compute node, we see ~1024MB of RAM +# used. 2048 is suggested to account for other possible operations for +# example openvswitch. +nova::compute::reserved_host_memory: 2048 + ceilometer::agent::auth::auth_tenant_name: 'service' ceilometer::agent::auth::auth_endpoint_type: 'internalURL' diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml index 07bfe543..f42ddf6c 100644 --- a/puppet/hieradata/controller.yaml +++ b/puppet/hieradata/controller.yaml @@ -39,13 +39,6 @@ cinder::api::keystone_tenant: 'service' swift::proxy::authtoken::admin_tenant_name: 'service' ceilometer::api::keystone_tenant: 'service' heat::keystone_tenant: 'service' -glance::keystone::auth::tenant: 'service' -nova::keystone::auth::tenant: 'service' -neutron::keystone::auth::tenant: 'service' -cinder::keystone::auth::tenant: 'service' -swift::keystone::auth::tenant: 'service' -ceilometer::keystone::auth::tenant: 'service' -heat::keystone::auth::tenant: 'service' # keystone keystone::cron::token_flush::maxdelay: 3600 @@ -67,13 +60,10 @@ swift::proxy::pipeline: - 'proxy-server' swift::proxy::account_autocreate: true -swift::keystone::auth::configure_s3_endpoint: false -swift::keystone::auth::operator_roles: - - admin - - swiftoperator # glance glance::api::pipeline: 'keystone' +glance::api::show_image_direct_url: true glance::registry::pipeline: 'keystone' glance::backend::swift::swift_store_create_container_on_put: true glance::backend::rbd::rbd_store_user: 'openstack' @@ -88,7 +78,6 @@ nova::notify_on_state_change: 'vm_and_task_state' nova::api::default_floating_pool: 'public' nova::api::osapi_v3: true nova::scheduler::filter::ram_allocation_ratio: '1.0' -nova::keystone::auth::configure_ec2_endpoint: false # ceilometer ceilometer::agent::auth::auth_endpoint_type: 'internalURL' @@ -138,3 +127,109 @@ tripleo::loadbalancer::heat_cfn: true tripleo::loadbalancer::horizon: true controller_classes: [] +# firewall +tripleo::firewall::firewall_rules: + '101 mongodb_config': + port: 27019 + '102 mongodb_sharding': + port: 27018 + '103 mongod': + port: 27017 + '104 mysql galera': + port: + - 873 + - 3306 + - 4444 + - 4567 + - 4568 + - 9200 + '105 ntp': + port: 123 + proto: udp + '106 vrrp': + proto: vrrp + '107 haproxy stats': + port: 1993 + '108 redis': + port: + - 6379 + - 26379 + '109 rabbitmq': + port: + - 5672 + - 35672 + '110 ceph': + port: + - 6789 + - '6800-6810' + '111 keystone': + port: + - 5000 + - 13000 + - 35357 + - 13357 + '112 glance': + port: + - 9292 + - 9191 + - 13292 + '113 nova': + port: + - 6080 + - 13080 + - 8773 + - 3773 + - 8774 + - 13774 + - 8775 + '114 neutron server': + port: + - 9696 + - 13696 + '115 neutron dhcp input': + proto: 'udp' + port: 67 + '116 neutron dhcp output': + proto: 'udp' + chain: 'OUTPUT' + port: 68 + '118 neutron vxlan networks': + proto: 'udp' + port: 4789 + '119 cinder': + port: + - 8776 + - 13776 + '120 iscsi initiator': + port: 3260 + '121 memcached': + port: 11211 + '122 swift proxy': + port: + - 8080 + - 13808 + '123 swift storage': + port: + - 873 + - 6000 + - 6001 + - 6002 + '124 ceilometer': + port: + - 8777 + - 13777 + '125 heat': + port: + - 8000 + - 13800 + - 8003 + - 13003 + - 8004 + - 13004 + '126 horizon': + port: + - 80 + - 443 + '127 snmp': + port: 161 + proto: 'udp' diff --git a/puppet/manifests/overcloud_cephstorage.pp b/puppet/manifests/overcloud_cephstorage.pp index 51f5e88d..7f8970cc 100644 --- a/puppet/manifests/overcloud_cephstorage.pp +++ b/puppet/manifests/overcloud_cephstorage.pp @@ -14,6 +14,7 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall create_resources(sysctl::value, hiera('sysctl_settings'), {}) diff --git a/puppet/manifests/overcloud_compute.pp b/puppet/manifests/overcloud_compute.pp index 4c927569..f3a02eba 100644 --- a/puppet/manifests/overcloud_compute.pp +++ b/puppet/manifests/overcloud_compute.pp @@ -14,6 +14,7 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall create_resources(sysctl::value, hiera('sysctl_settings'), {}) @@ -49,8 +50,9 @@ if $rbd_ephemeral_storage or $rbd_persistent_storage { include ::ceph::profile::client $client_keys = hiera('ceph::profile::params::client_keys') + $client_user = join(['client.', hiera('ceph_client_user_name')]) class { '::nova::compute::rbd': - libvirt_rbd_secret_key => $client_keys['client.openstack']['secret'], + libvirt_rbd_secret_key => $client_keys[$client_user]['secret'], } } @@ -69,20 +71,35 @@ include ::nova::compute::libvirt include ::nova::network::neutron include ::neutron -class { '::neutron::plugins::ml2': - flat_networks => split(hiera('neutron_flat_networks'), ','), - tenant_network_types => [hiera('neutron_tenant_network_type')], -} +# If the value of core plugin is set to 'nuage', +# include nuage agent, +# else use the default value of 'ml2' +if hiera('neutron::core_plugin') == 'neutron.plugins.nuage.plugin.NuagePlugin' { + include ::nuage::vrs + include ::nova::compute::neutron + + class { '::nuage::metadataagent': + nova_os_tenant_name => hiera('nova::api::admin_tenant_name'), + nova_os_password => hiera('nova_password'), + nova_metadata_ip => hiera('nova_metadata_node_ips'), + nova_auth_ip => hiera('keystone_public_api_virtual_ip'), + } +} else { + class { '::neutron::plugins::ml2': + flat_networks => split(hiera('neutron_flat_networks'), ','), + tenant_network_types => [hiera('neutron_tenant_network_type')], + } -class { '::neutron::agents::ml2::ovs': - bridge_mappings => split(hiera('neutron_bridge_mappings'), ','), - tunnel_types => split(hiera('neutron_tunnel_types'), ','), -} + class { '::neutron::agents::ml2::ovs': + bridge_mappings => split(hiera('neutron_bridge_mappings'), ','), + tunnel_types => split(hiera('neutron_tunnel_types'), ','), + } -if 'cisco_n1kv' in hiera('neutron_mechanism_drivers') { - class { '::neutron::agents::n1kv_vem': - n1kv_source => hiera('n1kv_vem_source', undef), - n1kv_version => hiera('n1kv_vem_version', undef), + if 'cisco_n1kv' in hiera('neutron_mechanism_drivers') { + class { '::neutron::agents::n1kv_vem': + n1kv_source => hiera('n1kv_vem_source', undef), + n1kv_version => hiera('n1kv_vem_version', undef), + } } } diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp index 14044789..a8abbb77 100644 --- a/puppet/manifests/overcloud_controller.pp +++ b/puppet/manifests/overcloud_controller.pp @@ -14,6 +14,9 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall + +$enable_load_balancer = hiera('enable_load_balancer', true) if hiera('step') >= 1 { @@ -21,9 +24,11 @@ if hiera('step') >= 1 { $controller_node_ips = split(hiera('controller_node_ips'), ',') - class { '::tripleo::loadbalancer' : - controller_hosts => $controller_node_ips, - manage_vip => true, + if $enable_load_balancer { + class { '::tripleo::loadbalancer' : + controller_hosts => $controller_node_ips, + manage_vip => true, + } } } @@ -227,64 +232,73 @@ if hiera('step') >= 3 { include ::neutron include ::neutron::server - include ::neutron::agents::l3 - include ::neutron::agents::dhcp - include ::neutron::agents::metadata + include ::neutron::server::notifications - file { '/etc/neutron/dnsmasq-neutron.conf': - content => hiera('neutron_dnsmasq_options'), - owner => 'neutron', - group => 'neutron', - notify => Service['neutron-dhcp-service'], - require => Package['neutron'], - } + # If the value of core plugin is set to 'nuage', + # include nuage core plugin, + # else use the default value of 'ml2' + if hiera('neutron::core_plugin') == 'neutron.plugins.nuage.plugin.NuagePlugin' { + include ::neutron::plugins::nuage + } else { + include ::neutron::agents::l3 + include ::neutron::agents::dhcp + include ::neutron::agents::metadata + + file { '/etc/neutron/dnsmasq-neutron.conf': + content => hiera('neutron_dnsmasq_options'), + owner => 'neutron', + group => 'neutron', + notify => Service['neutron-dhcp-service'], + require => Package['neutron'], + } - class { '::neutron::plugins::ml2': - flat_networks => split(hiera('neutron_flat_networks'), ','), - tenant_network_types => [hiera('neutron_tenant_network_type')], - mechanism_drivers => [hiera('neutron_mechanism_drivers')], - } - class { '::neutron::agents::ml2::ovs': - bridge_mappings => split(hiera('neutron_bridge_mappings'), ','), - tunnel_types => split(hiera('neutron_tunnel_types'), ','), - } - if 'cisco_n1kv' in hiera('neutron_mechanism_drivers') { - include ::neutron::plugins::ml2::cisco::nexus1000v + class { '::neutron::plugins::ml2': + flat_networks => split(hiera('neutron_flat_networks'), ','), + tenant_network_types => [hiera('neutron_tenant_network_type')], + mechanism_drivers => [hiera('neutron_mechanism_drivers')], + } + class { '::neutron::agents::ml2::ovs': + bridge_mappings => split(hiera('neutron_bridge_mappings'), ','), + tunnel_types => split(hiera('neutron_tunnel_types'), ','), + } + if 'cisco_n1kv' in hiera('neutron_mechanism_drivers') { + include ::neutron::plugins::ml2::cisco::nexus1000v - class { '::neutron::agents::n1kv_vem': - n1kv_source => hiera('n1kv_vem_source', undef), - n1kv_version => hiera('n1kv_vem_version', undef), + class { '::neutron::agents::n1kv_vem': + n1kv_source => hiera('n1kv_vem_source', undef), + n1kv_version => hiera('n1kv_vem_version', undef), + } + + class { '::n1k_vsm': + n1kv_source => hiera('n1kv_vsm_source', undef), + n1kv_version => hiera('n1kv_vsm_version', undef), + pacemaker_control => false, + } } - class { '::n1k_vsm': - n1kv_source => hiera('n1kv_vsm_source', undef), - n1kv_version => hiera('n1kv_vsm_version', undef), - pacemaker_control => false, + if 'cisco_ucsm' in hiera('neutron_mechanism_drivers') { + include ::neutron::plugins::ml2::cisco::ucsm + } + if 'cisco_nexus' in hiera('neutron_mechanism_drivers') { + include ::neutron::plugins::ml2::cisco::nexus + include ::neutron::plugins::ml2::cisco::type_nexus_vxlan } - } - if 'cisco_ucsm' in hiera('neutron_mechanism_drivers') { - include ::neutron::plugins::ml2::cisco::ucsm - } - if 'cisco_nexus' in hiera('neutron_mechanism_drivers') { - include ::neutron::plugins::ml2::cisco::nexus - include ::neutron::plugins::ml2::cisco::type_nexus_vxlan - } + if hiera('neutron_enable_bigswitch_ml2', false) { + include ::neutron::plugins::ml2::bigswitch::restproxy + } + neutron_l3_agent_config { + 'DEFAULT/ovs_use_veth': value => hiera('neutron_ovs_use_veth', false); + } + neutron_dhcp_agent_config { + 'DEFAULT/ovs_use_veth': value => hiera('neutron_ovs_use_veth', false); + } - if hiera('neutron_enable_bigswitch_ml2', false) { - include ::neutron::plugins::ml2::bigswitch::restproxy - } - neutron_l3_agent_config { - 'DEFAULT/ovs_use_veth': value => hiera('neutron_ovs_use_veth', false); + Service['neutron-server'] -> Service['neutron-dhcp-service'] + Service['neutron-server'] -> Service['neutron-l3'] + Service['neutron-server'] -> Service['neutron-ovs-agent-service'] + Service['neutron-server'] -> Service['neutron-metadata'] } - neutron_dhcp_agent_config { - 'DEFAULT/ovs_use_veth': value => hiera('neutron_ovs_use_veth', false); - } - - Service['neutron-server'] -> Service['neutron-dhcp-service'] - Service['neutron-server'] -> Service['neutron-l3'] - Service['neutron-server'] -> Service['neutron-ovs-agent-service'] - Service['neutron-server'] -> Service['neutron-metadata'] include ::cinder include ::cinder::api @@ -307,16 +321,14 @@ if hiera('step') >= 3 { if $enable_ceph { - Ceph_pool { + $ceph_pools = hiera('ceph_pools') + ceph::pool { $ceph_pools : pg_num => hiera('ceph::profile::params::osd_pool_default_pg_num'), pgp_num => hiera('ceph::profile::params::osd_pool_default_pgp_num'), size => hiera('ceph::profile::params::osd_pool_default_size'), } - $ceph_pools = hiera('ceph_pools') - ceph::pool { $ceph_pools : } - - $cinder_pool_requires = [Ceph::Pool['volumes']] + $cinder_pool_requires = [Ceph::Pool[hiera('cinder_rbd_pool_name')]] } else { $cinder_pool_requires = [] @@ -326,8 +338,8 @@ if hiera('step') >= 3 { $cinder_rbd_backend = 'tripleo_ceph' cinder::backend::rbd { $cinder_rbd_backend : - rbd_pool => 'volumes', - rbd_user => 'openstack', + rbd_pool => hiera('cinder_rbd_pool_name'), + rbd_user => hiera('ceph_client_user_name'), rbd_secret_uuid => hiera('ceph::profile::params::fsid'), require => $cinder_pool_requires, } @@ -381,7 +393,7 @@ if hiera('step') >= 3 { package {'nfs-utils': } -> cinder::backend::nfs { $cinder_nfs_backend : nfs_servers => hiera('cinder_nfs_servers'), - nfs_mount_options => hiera('cinder_nfs_mount_options'), + nfs_mount_options => hiera('cinder_nfs_mount_options',''), nfs_shares_config => '/etc/cinder/shares-nfs.conf', } } @@ -485,15 +497,6 @@ if hiera('step') >= 3 { if hiera('step') >= 4 { include ::keystone::cron::token_flush - - include ::ceilometer::keystone::auth - include ::cinder::keystone::auth - include ::glance::keystone::auth - include ::heat::keystone::auth - include ::neutron::keystone::auth - include ::nova::keystone::auth - include ::swift::keystone::auth - } #END STEP 4 $package_manifest_name = join(['/var/lib/tripleo/installed-packages/overcloud_controller', hiera('step')]) diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp index 5cadc6dd..8459f1a3 100644 --- a/puppet/manifests/overcloud_controller_pacemaker.pp +++ b/puppet/manifests/overcloud_controller_pacemaker.pp @@ -19,6 +19,7 @@ Pcmk_resource <| |> { } include ::tripleo::packages +include ::tripleo::firewall if $::hostname == downcase(hiera('bootstrap_nodeid')) { $pacemaker_master = true @@ -29,6 +30,7 @@ if $::hostname == downcase(hiera('bootstrap_nodeid')) { } $enable_fencing = str2bool(hiera('enable_fencing', false)) and hiera('step') >= 5 +$enable_load_balancer = hiera('enable_load_balancer', true) # When to start and enable services which haven't been Pacemakerized # FIXME: remove when we start all OpenStack services using Pacemaker @@ -45,12 +47,14 @@ if hiera('step') >= 1 { $controller_node_ips = split(hiera('controller_node_ips'), ',') $controller_node_names = split(downcase(hiera('controller_node_names')), ',') - class { '::tripleo::loadbalancer' : - controller_hosts => $controller_node_ips, - controller_hosts_names => $controller_node_names, - manage_vip => false, - mysql_clustercheck => true, - haproxy_service_manage => false, + if $enable_load_balancer { + class { '::tripleo::loadbalancer' : + controller_hosts => $controller_node_ips, + controller_hosts_names => $controller_node_names, + manage_vip => false, + mysql_clustercheck => true, + haproxy_service_manage => false, + } } $pacemaker_cluster_members = downcase(regsubst(hiera('controller_node_names'), ',', ' ', 'G')) @@ -74,11 +78,11 @@ if hiera('step') >= 1 { Class['tripleo::fencing'] -> Class['pacemaker::stonith'] } - # FIXME(gfidente): sets 90secs as default start timeout op + # FIXME(gfidente): sets 100secs as default start timeout op # param; until we can use pcmk global defaults we'll still # need to add it to every resource which redefines op params Pacemaker::Resource::Service { - op_params => 'start timeout=90s', + op_params => 'start timeout=100s stop timeout=100s', } # Only configure RabbitMQ in this step, don't start it yet to @@ -178,156 +182,160 @@ if hiera('step') >= 2 { if $pacemaker_master { - include ::pacemaker::resource_defaults - - # FIXME: we should not have to access tripleo::loadbalancer class - # parameters here to configure pacemaker VIPs. The configuration - # of pacemaker VIPs could move into puppet-tripleo or we should - # make use of less specific hiera parameters here for the settings. - pacemaker::resource::service { 'haproxy': - clone_params => true, - } + if $enable_load_balancer { - $control_vip = hiera('tripleo::loadbalancer::controller_virtual_ip') - pacemaker::resource::ip { 'control_vip': - ip_address => $control_vip, - } - pacemaker::constraint::base { 'control_vip-then-haproxy': - constraint_type => 'order', - first_resource => "ip-${control_vip}", - second_resource => 'haproxy-clone', - first_action => 'start', - second_action => 'start', - constraint_params => 'kind=Optional', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['control_vip']], - } - pacemaker::constraint::colocation { 'control_vip-with-haproxy': - source => "ip-${control_vip}", - target => 'haproxy-clone', - score => 'INFINITY', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['control_vip']], - } + include ::pacemaker::resource_defaults - $public_vip = hiera('tripleo::loadbalancer::public_virtual_ip') - if $public_vip and $public_vip != $control_vip { - pacemaker::resource::ip { 'public_vip': - ip_address => $public_vip, - } - pacemaker::constraint::base { 'public_vip-then-haproxy': - constraint_type => 'order', - first_resource => "ip-${public_vip}", - second_resource => 'haproxy-clone', - first_action => 'start', - second_action => 'start', - constraint_params => 'kind=Optional', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['public_vip']], - } - pacemaker::constraint::colocation { 'public_vip-with-haproxy': - source => "ip-${public_vip}", - target => 'haproxy-clone', - score => 'INFINITY', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['public_vip']], + # FIXME: we should not have to access tripleo::loadbalancer class + # parameters here to configure pacemaker VIPs. The configuration + # of pacemaker VIPs could move into puppet-tripleo or we should + # make use of less specific hiera parameters here for the settings. + pacemaker::resource::service { 'haproxy': + clone_params => true, } - } - $redis_vip = hiera('redis_vip') - if $redis_vip and $redis_vip != $control_vip { - pacemaker::resource::ip { 'redis_vip': - ip_address => $redis_vip, + $control_vip = hiera('tripleo::loadbalancer::controller_virtual_ip') + pacemaker::resource::ip { 'control_vip': + ip_address => $control_vip, } - pacemaker::constraint::base { 'redis_vip-then-haproxy': + pacemaker::constraint::base { 'control_vip-then-haproxy': constraint_type => 'order', - first_resource => "ip-${redis_vip}", + first_resource => "ip-${control_vip}", second_resource => 'haproxy-clone', first_action => 'start', second_action => 'start', constraint_params => 'kind=Optional', require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['redis_vip']], + Pacemaker::Resource::Ip['control_vip']], } - pacemaker::constraint::colocation { 'redis_vip-with-haproxy': - source => "ip-${redis_vip}", + pacemaker::constraint::colocation { 'control_vip-with-haproxy': + source => "ip-${control_vip}", target => 'haproxy-clone', score => 'INFINITY', require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['redis_vip']], + Pacemaker::Resource::Ip['control_vip']], } - } - $internal_api_vip = hiera('tripleo::loadbalancer::internal_api_virtual_ip') - if $internal_api_vip and $internal_api_vip != $control_vip { - pacemaker::resource::ip { 'internal_api_vip': - ip_address => $internal_api_vip, - } - pacemaker::constraint::base { 'internal_api_vip-then-haproxy': - constraint_type => 'order', - first_resource => "ip-${internal_api_vip}", - second_resource => 'haproxy-clone', - first_action => 'start', - second_action => 'start', - constraint_params => 'kind=Optional', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['internal_api_vip']], - } - pacemaker::constraint::colocation { 'internal_api_vip-with-haproxy': - source => "ip-${internal_api_vip}", - target => 'haproxy-clone', - score => 'INFINITY', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['internal_api_vip']], + $public_vip = hiera('tripleo::loadbalancer::public_virtual_ip') + if $public_vip and $public_vip != $control_vip { + pacemaker::resource::ip { 'public_vip': + ip_address => $public_vip, + } + pacemaker::constraint::base { 'public_vip-then-haproxy': + constraint_type => 'order', + first_resource => "ip-${public_vip}", + second_resource => 'haproxy-clone', + first_action => 'start', + second_action => 'start', + constraint_params => 'kind=Optional', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['public_vip']], + } + pacemaker::constraint::colocation { 'public_vip-with-haproxy': + source => "ip-${public_vip}", + target => 'haproxy-clone', + score => 'INFINITY', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['public_vip']], + } } - } - $storage_vip = hiera('tripleo::loadbalancer::storage_virtual_ip') - if $storage_vip and $storage_vip != $control_vip { - pacemaker::resource::ip { 'storage_vip': - ip_address => $storage_vip, - } - pacemaker::constraint::base { 'storage_vip-then-haproxy': - constraint_type => 'order', - first_resource => "ip-${storage_vip}", - second_resource => 'haproxy-clone', - first_action => 'start', - second_action => 'start', - constraint_params => 'kind=Optional', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['storage_vip']], - } - pacemaker::constraint::colocation { 'storage_vip-with-haproxy': - source => "ip-${storage_vip}", - target => 'haproxy-clone', - score => 'INFINITY', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['storage_vip']], + $redis_vip = hiera('redis_vip') + if $redis_vip and $redis_vip != $control_vip { + pacemaker::resource::ip { 'redis_vip': + ip_address => $redis_vip, + } + pacemaker::constraint::base { 'redis_vip-then-haproxy': + constraint_type => 'order', + first_resource => "ip-${redis_vip}", + second_resource => 'haproxy-clone', + first_action => 'start', + second_action => 'start', + constraint_params => 'kind=Optional', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['redis_vip']], + } + pacemaker::constraint::colocation { 'redis_vip-with-haproxy': + source => "ip-${redis_vip}", + target => 'haproxy-clone', + score => 'INFINITY', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['redis_vip']], + } } - } - $storage_mgmt_vip = hiera('tripleo::loadbalancer::storage_mgmt_virtual_ip') - if $storage_mgmt_vip and $storage_mgmt_vip != $control_vip { - pacemaker::resource::ip { 'storage_mgmt_vip': - ip_address => $storage_mgmt_vip, + $internal_api_vip = hiera('tripleo::loadbalancer::internal_api_virtual_ip') + if $internal_api_vip and $internal_api_vip != $control_vip { + pacemaker::resource::ip { 'internal_api_vip': + ip_address => $internal_api_vip, + } + pacemaker::constraint::base { 'internal_api_vip-then-haproxy': + constraint_type => 'order', + first_resource => "ip-${internal_api_vip}", + second_resource => 'haproxy-clone', + first_action => 'start', + second_action => 'start', + constraint_params => 'kind=Optional', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['internal_api_vip']], + } + pacemaker::constraint::colocation { 'internal_api_vip-with-haproxy': + source => "ip-${internal_api_vip}", + target => 'haproxy-clone', + score => 'INFINITY', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['internal_api_vip']], + } } - pacemaker::constraint::base { 'storage_mgmt_vip-then-haproxy': - constraint_type => 'order', - first_resource => "ip-${storage_mgmt_vip}", - second_resource => 'haproxy-clone', - first_action => 'start', - second_action => 'start', - constraint_params => 'kind=Optional', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['storage_mgmt_vip']], + + $storage_vip = hiera('tripleo::loadbalancer::storage_virtual_ip') + if $storage_vip and $storage_vip != $control_vip { + pacemaker::resource::ip { 'storage_vip': + ip_address => $storage_vip, + } + pacemaker::constraint::base { 'storage_vip-then-haproxy': + constraint_type => 'order', + first_resource => "ip-${storage_vip}", + second_resource => 'haproxy-clone', + first_action => 'start', + second_action => 'start', + constraint_params => 'kind=Optional', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['storage_vip']], + } + pacemaker::constraint::colocation { 'storage_vip-with-haproxy': + source => "ip-${storage_vip}", + target => 'haproxy-clone', + score => 'INFINITY', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['storage_vip']], + } } - pacemaker::constraint::colocation { 'storage_mgmt_vip-with-haproxy': - source => "ip-${storage_mgmt_vip}", - target => 'haproxy-clone', - score => 'INFINITY', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Ip['storage_mgmt_vip']], + + $storage_mgmt_vip = hiera('tripleo::loadbalancer::storage_mgmt_virtual_ip') + if $storage_mgmt_vip and $storage_mgmt_vip != $control_vip { + pacemaker::resource::ip { 'storage_mgmt_vip': + ip_address => $storage_mgmt_vip, + } + pacemaker::constraint::base { 'storage_mgmt_vip-then-haproxy': + constraint_type => 'order', + first_resource => "ip-${storage_mgmt_vip}", + second_resource => 'haproxy-clone', + first_action => 'start', + second_action => 'start', + constraint_params => 'kind=Optional', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['storage_mgmt_vip']], + } + pacemaker::constraint::colocation { 'storage_mgmt_vip-with-haproxy': + source => "ip-${storage_mgmt_vip}", + target => 'haproxy-clone', + score => 'INFINITY', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip['storage_mgmt_vip']], + } } + } pacemaker::resource::service { $::memcached::params::service_name : @@ -344,7 +352,7 @@ if hiera('step') >= 2 { if downcase(hiera('ceilometer_backend')) == 'mongodb' { pacemaker::resource::service { $::mongodb::params::service_name : - op_params => 'start timeout=120s', + op_params => 'start timeout=120s stop timeout=100s', clone_params => true, require => Class['::mongodb::server'], } @@ -591,37 +599,48 @@ if hiera('step') >= 3 { manage_service => false, enabled => false, } - class { '::neutron::agents::dhcp' : - manage_service => false, - enabled => false, - } - class { '::neutron::agents::l3' : - manage_service => false, - enabled => false, + include ::neutron::server::notifications + if hiera('neutron::core_plugin') == 'neutron.plugins.nuage.plugin.NuagePlugin' { + include ::neutron::plugins::nuage } - class { '::neutron::agents::metadata': - manage_service => false, - enabled => false, + if hiera('neutron::enable_dhcp_agent',true) { + class { '::neutron::agents::dhcp' : + manage_service => false, + enabled => false, + } + file { '/etc/neutron/dnsmasq-neutron.conf': + content => hiera('neutron_dnsmasq_options'), + owner => 'neutron', + group => 'neutron', + notify => Service['neutron-dhcp-service'], + require => Package['neutron'], + } } - file { '/etc/neutron/dnsmasq-neutron.conf': - content => hiera('neutron_dnsmasq_options'), - owner => 'neutron', - group => 'neutron', - notify => Service['neutron-dhcp-service'], - require => Package['neutron'], + if hiera('neutron::enable_l3_agent',true) { + class { '::neutron::agents::l3' : + manage_service => false, + enabled => false, + } } - class { '::neutron::plugins::ml2': - flat_networks => split(hiera('neutron_flat_networks'), ','), - tenant_network_types => [hiera('neutron_tenant_network_type')], - mechanism_drivers => [hiera('neutron_mechanism_drivers')], + if hiera('neutron::enable_metadata_agent',true) { + class { '::neutron::agents::metadata': + manage_service => false, + enabled => false, + } } - class { '::neutron::agents::ml2::ovs': - manage_service => false, - enabled => false, - bridge_mappings => split(hiera('neutron_bridge_mappings'), ','), - tunnel_types => split(hiera('neutron_tunnel_types'), ','), + if hiera('neutron::core_plugin') == 'ml2' { + class { '::neutron::plugins::ml2': + flat_networks => split(hiera('neutron_flat_networks'), ','), + tenant_network_types => [hiera('neutron_tenant_network_type')], + mechanism_drivers => [hiera('neutron_mechanism_drivers')], + } + class { '::neutron::agents::ml2::ovs': + manage_service => false, + enabled => false, + bridge_mappings => split(hiera('neutron_bridge_mappings'), ','), + tunnel_types => split(hiera('neutron_tunnel_types'), ','), + } } - if 'cisco_ucsm' in hiera('neutron_mechanism_drivers') { include ::neutron::plugins::ml2::cisco::ucsm } @@ -684,16 +703,14 @@ if hiera('step') >= 3 { if $enable_ceph { - Ceph_pool { + $ceph_pools = hiera('ceph_pools') + ceph::pool { $ceph_pools : pg_num => hiera('ceph::profile::params::osd_pool_default_pg_num'), pgp_num => hiera('ceph::profile::params::osd_pool_default_pgp_num'), size => hiera('ceph::profile::params::osd_pool_default_size'), } - $ceph_pools = hiera('ceph_pools') - ceph::pool { $ceph_pools : } - - $cinder_pool_requires = [Ceph::Pool['volumes']] + $cinder_pool_requires = [Ceph::Pool[hiera('cinder_rbd_pool_name')]] } else { $cinder_pool_requires = [] @@ -703,8 +720,8 @@ if hiera('step') >= 3 { $cinder_rbd_backend = 'tripleo_ceph' cinder::backend::rbd { $cinder_rbd_backend : - rbd_pool => 'volumes', - rbd_user => 'openstack', + rbd_pool => hiera('cinder_rbd_pool_name'), + rbd_user => hiera('ceph_client_user_name'), rbd_secret_uuid => hiera('ceph::profile::params::fsid'), require => $cinder_pool_requires, } @@ -758,7 +775,7 @@ if hiera('step') >= 3 { package { 'nfs-utils': } -> cinder::backend::nfs { $cinder_nfs_backend: nfs_servers => hiera('cinder_nfs_servers'), - nfs_mount_options => hiera('cinder_nfs_mount_options'), + nfs_mount_options => hiera('cinder_nfs_mount_options',''), nfs_shares_config => '/etc/cinder/shares-nfs.conf', } } @@ -925,15 +942,16 @@ if hiera('step') >= 4 { File['/etc/keystone/ssl/private/signing_key.pem'], File['/etc/keystone/ssl/certs/signing_cert.pem']], } - - pacemaker::constraint::base { 'haproxy-then-keystone-constraint': - constraint_type => 'order', - first_resource => 'haproxy-clone', - second_resource => "${::keystone::params::service_name}-clone", - first_action => 'start', - second_action => 'start', - require => [Pacemaker::Resource::Service['haproxy'], - Pacemaker::Resource::Service[$::keystone::params::service_name]], + if $enable_load_balancer { + pacemaker::constraint::base { 'haproxy-then-keystone-constraint': + constraint_type => 'order', + first_resource => 'haproxy-clone', + second_resource => "${::keystone::params::service_name}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Service[$::keystone::params::service_name]], + } } pacemaker::constraint::base { 'rabbitmq-then-keystone-constraint': constraint_type => 'order', @@ -1060,59 +1078,69 @@ if hiera('step') >= 4 { clone_params => 'interleave=true', require => Pacemaker::Resource::Service[$::keystone::params::service_name], } - pacemaker::resource::service { $::neutron::params::l3_agent_service: - clone_params => 'interleave=true', - } - pacemaker::resource::service { $::neutron::params::dhcp_agent_service: - clone_params => 'interleave=true', - } - pacemaker::resource::service { $::neutron::params::ovs_agent_service: - clone_params => 'interleave=true', + if hiera('neutron::enable_l3_agent', true) { + pacemaker::resource::service { $::neutron::params::l3_agent_service: + clone_params => 'interleave=true', + } } - pacemaker::resource::service { $::neutron::params::metadata_agent_service: - clone_params => 'interleave=true', + if hiera('neutron::enable_dhcp_agent', true) { + pacemaker::resource::service { $::neutron::params::dhcp_agent_service: + clone_params => 'interleave=true', + } } - pacemaker::resource::ocf { $::neutron::params::ovs_cleanup_service: - ocf_agent_name => 'neutron:OVSCleanup', - clone_params => 'interleave=true', + if hiera('neutron::enable_ovs_agent', true) { + pacemaker::resource::service { $::neutron::params::ovs_agent_service: + clone_params => 'interleave=true', + } } - pacemaker::resource::ocf { 'neutron-netns-cleanup': - ocf_agent_name => 'neutron:NetnsCleanup', - clone_params => 'interleave=true', + if hiera('neutron::enable_metadata_agent', true) { + pacemaker::resource::service { $::neutron::params::metadata_agent_service: + clone_params => 'interleave=true', + } } + if hiera('neutron::enable_ovs_agent', true) { + pacemaker::resource::ocf { $::neutron::params::ovs_cleanup_service: + ocf_agent_name => 'neutron:OVSCleanup', + clone_params => 'interleave=true', + } + pacemaker::resource::ocf { 'neutron-netns-cleanup': + ocf_agent_name => 'neutron:NetnsCleanup', + clone_params => 'interleave=true', + } - # neutron - one chain ovs-cleanup-->netns-cleanup-->ovs-agent - pacemaker::constraint::base { 'neutron-ovs-cleanup-to-netns-cleanup-constraint': - constraint_type => 'order', - first_resource => "${::neutron::params::ovs_cleanup_service}-clone", - second_resource => 'neutron-netns-cleanup-clone', - first_action => 'start', - second_action => 'start', - require => [Pacemaker::Resource::Ocf[$::neutron::params::ovs_cleanup_service], - Pacemaker::Resource::Ocf['neutron-netns-cleanup']], - } - pacemaker::constraint::colocation { 'neutron-ovs-cleanup-to-netns-cleanup-colocation': - source => 'neutron-netns-cleanup-clone', - target => "${::neutron::params::ovs_cleanup_service}-clone", - score => 'INFINITY', - require => [Pacemaker::Resource::Ocf[$::neutron::params::ovs_cleanup_service], - Pacemaker::Resource::Ocf['neutron-netns-cleanup']], - } - pacemaker::constraint::base { 'neutron-netns-cleanup-to-openvswitch-agent-constraint': - constraint_type => 'order', - first_resource => 'neutron-netns-cleanup-clone', - second_resource => "${::neutron::params::ovs_agent_service}-clone", - first_action => 'start', - second_action => 'start', - require => [Pacemaker::Resource::Ocf['neutron-netns-cleanup'], - Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service]], - } - pacemaker::constraint::colocation { 'neutron-netns-cleanup-to-openvswitch-agent-colocation': - source => "${::neutron::params::ovs_agent_service}-clone", - target => 'neutron-netns-cleanup-clone', - score => 'INFINITY', - require => [Pacemaker::Resource::Ocf['neutron-netns-cleanup'], - Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service]], + # neutron - one chain ovs-cleanup-->netns-cleanup-->ovs-agent + pacemaker::constraint::base { 'neutron-ovs-cleanup-to-netns-cleanup-constraint': + constraint_type => 'order', + first_resource => "${::neutron::params::ovs_cleanup_service}-clone", + second_resource => 'neutron-netns-cleanup-clone', + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Ocf[$::neutron::params::ovs_cleanup_service], + Pacemaker::Resource::Ocf['neutron-netns-cleanup']], + } + pacemaker::constraint::colocation { 'neutron-ovs-cleanup-to-netns-cleanup-colocation': + source => 'neutron-netns-cleanup-clone', + target => "${::neutron::params::ovs_cleanup_service}-clone", + score => 'INFINITY', + require => [Pacemaker::Resource::Ocf[$::neutron::params::ovs_cleanup_service], + Pacemaker::Resource::Ocf['neutron-netns-cleanup']], + } + pacemaker::constraint::base { 'neutron-netns-cleanup-to-openvswitch-agent-constraint': + constraint_type => 'order', + first_resource => 'neutron-netns-cleanup-clone', + second_resource => "${::neutron::params::ovs_agent_service}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Ocf['neutron-netns-cleanup'], + Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service]], + } + pacemaker::constraint::colocation { 'neutron-netns-cleanup-to-openvswitch-agent-colocation': + source => "${::neutron::params::ovs_agent_service}-clone", + target => 'neutron-netns-cleanup-clone', + score => 'INFINITY', + require => [Pacemaker::Resource::Ocf['neutron-netns-cleanup'], + Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service]], + } } #another chain keystone-->neutron-server-->ovs-agent-->dhcp-->l3 @@ -1125,86 +1153,94 @@ if hiera('step') >= 4 { require => [Pacemaker::Resource::Service[$::keystone::params::service_name], Pacemaker::Resource::Service[$::neutron::params::server_service]], } - pacemaker::constraint::base { 'neutron-server-to-openvswitch-agent-constraint': - constraint_type => 'order', - first_resource => "${::neutron::params::server_service}-clone", - second_resource => "${::neutron::params::ovs_agent_service}-clone", - first_action => 'start', - second_action => 'start', - require => [Pacemaker::Resource::Service[$::neutron::params::server_service], - Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service]], + if hiera('neutron::enable_ovs_agent',true) { + pacemaker::constraint::base { 'neutron-server-to-openvswitch-agent-constraint': + constraint_type => 'order', + first_resource => "${::neutron::params::server_service}-clone", + second_resource => "${::neutron::params::ovs_agent_service}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::neutron::params::server_service], + Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service]], + } } - pacemaker::constraint::base { 'neutron-openvswitch-agent-to-dhcp-agent-constraint': - constraint_type => 'order', - first_resource => "${::neutron::params::ovs_agent_service}-clone", - second_resource => "${::neutron::params::dhcp_agent_service}-clone", - first_action => 'start', - second_action => 'start', - require => [Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service], - Pacemaker::Resource::Service[$::neutron::params::dhcp_agent_service]], + if hiera('neutron::enable_dhcp_agent',true) and hiera('neutron::enable_ovs_agent',true) { + pacemaker::constraint::base { 'neutron-openvswitch-agent-to-dhcp-agent-constraint': + constraint_type => 'order', + first_resource => "${::neutron::params::ovs_agent_service}-clone", + second_resource => "${::neutron::params::dhcp_agent_service}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service], + Pacemaker::Resource::Service[$::neutron::params::dhcp_agent_service]], + } + pacemaker::constraint::colocation { 'neutron-openvswitch-agent-to-dhcp-agent-colocation': + source => "${::neutron::params::dhcp_agent_service}-clone", + target => "${::neutron::params::ovs_agent_service}-clone", + score => 'INFINITY', + require => [Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service], + Pacemaker::Resource::Service[$::neutron::params::dhcp_agent_service]], + } } - pacemaker::constraint::colocation { 'neutron-openvswitch-agent-to-dhcp-agent-colocation': - source => "${::neutron::params::dhcp_agent_service}-clone", - target => "${::neutron::params::ovs_agent_service}-clone", - score => 'INFINITY', - require => [Pacemaker::Resource::Service[$::neutron::params::ovs_agent_service], - Pacemaker::Resource::Service[$::neutron::params::dhcp_agent_service]], - } - pacemaker::constraint::base { 'neutron-dhcp-agent-to-l3-agent-constraint': - constraint_type => 'order', - first_resource => "${::neutron::params::dhcp_agent_service}-clone", - second_resource => "${::neutron::params::l3_agent_service}-clone", - first_action => 'start', - second_action => 'start', - require => [Pacemaker::Resource::Service[$::neutron::params::dhcp_agent_service], - Pacemaker::Resource::Service[$::neutron::params::l3_agent_service]], - } - pacemaker::constraint::colocation { 'neutron-dhcp-agent-to-l3-agent-colocation': - source => "${::neutron::params::l3_agent_service}-clone", - target => "${::neutron::params::dhcp_agent_service}-clone", - score => 'INFINITY', - require => [Pacemaker::Resource::Service[$::neutron::params::dhcp_agent_service], - Pacemaker::Resource::Service[$::neutron::params::l3_agent_service]], - } - pacemaker::constraint::base { 'neutron-l3-agent-to-metadata-agent-constraint': - constraint_type => 'order', - first_resource => "${::neutron::params::l3_agent_service}-clone", - second_resource => "${::neutron::params::metadata_agent_service}-clone", - first_action => 'start', - second_action => 'start', - require => [Pacemaker::Resource::Service[$::neutron::params::l3_agent_service], - Pacemaker::Resource::Service[$::neutron::params::metadata_agent_service]], + if hiera('neutron::enable_dhcp_agent',true) and hiera('l3_agent_service',true) { + pacemaker::constraint::base { 'neutron-dhcp-agent-to-l3-agent-constraint': + constraint_type => 'order', + first_resource => "${::neutron::params::dhcp_agent_service}-clone", + second_resource => "${::neutron::params::l3_agent_service}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::neutron::params::dhcp_agent_service], + Pacemaker::Resource::Service[$::neutron::params::l3_agent_service]] + } + pacemaker::constraint::colocation { 'neutron-dhcp-agent-to-l3-agent-colocation': + source => "${::neutron::params::l3_agent_service}-clone", + target => "${::neutron::params::dhcp_agent_service}-clone", + score => 'INFINITY', + require => [Pacemaker::Resource::Service[$::neutron::params::dhcp_agent_service], + Pacemaker::Resource::Service[$::neutron::params::l3_agent_service]] + } } - pacemaker::constraint::colocation { 'neutron-l3-agent-to-metadata-agent-colocation': - source => "${::neutron::params::metadata_agent_service}-clone", - target => "${::neutron::params::l3_agent_service}-clone", - score => 'INFINITY', - require => [Pacemaker::Resource::Service[$::neutron::params::l3_agent_service], - Pacemaker::Resource::Service[$::neutron::params::metadata_agent_service]], + if hiera('neutron::enable_l3_agent',true) and hiera('neutron::enable_metadata_agent',true) { + pacemaker::constraint::base { 'neutron-l3-agent-to-metadata-agent-constraint': + constraint_type => 'order', + first_resource => "${::neutron::params::l3_agent_service}-clone", + second_resource => "${::neutron::params::metadata_agent_service}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::neutron::params::l3_agent_service], + Pacemaker::Resource::Service[$::neutron::params::metadata_agent_service]] + } + pacemaker::constraint::colocation { 'neutron-l3-agent-to-metadata-agent-colocation': + source => "${::neutron::params::metadata_agent_service}-clone", + target => "${::neutron::params::l3_agent_service}-clone", + score => 'INFINITY', + require => [Pacemaker::Resource::Service[$::neutron::params::l3_agent_service], + Pacemaker::Resource::Service[$::neutron::params::metadata_agent_service]] + } } # Nova pacemaker::resource::service { $::nova::params::api_service_name : clone_params => 'interleave=true', - op_params => 'start timeout=90s monitor start-delay=10s', + op_params => 'start timeout=100s stop timeout=100s monitor start-delay=10s', } pacemaker::resource::service { $::nova::params::conductor_service_name : clone_params => 'interleave=true', - op_params => 'start timeout=90s monitor start-delay=10s', + op_params => 'start timeout=100s stop timeout=100s monitor start-delay=10s', } pacemaker::resource::service { $::nova::params::consoleauth_service_name : clone_params => 'interleave=true', - op_params => 'start timeout=90s monitor start-delay=10s', + op_params => 'start timeout=100s stop timeout=100s monitor start-delay=10s', require => Pacemaker::Resource::Service[$::keystone::params::service_name], } pacemaker::resource::service { $::nova::params::vncproxy_service_name : clone_params => 'interleave=true', - op_params => 'start timeout=90s monitor start-delay=10s', + op_params => 'start timeout=100s stop timeout=100s monitor start-delay=10s', } pacemaker::resource::service { $::nova::params::scheduler_service_name : clone_params => 'interleave=true', - op_params => 'start timeout=90s monitor start-delay=10s', + op_params => 'start timeout=100s stop timeout=100s monitor start-delay=10s', } pacemaker::constraint::base { 'keystone-then-nova-consoleauth-constraint': @@ -1566,27 +1602,6 @@ if hiera('step') >= 5 { } -> class {'::keystone::endpoint' : require => Pacemaker::Resource::Service[$::keystone::params::service_name], - } -> - class { '::ceilometer::keystone::auth' : - require => Pacemaker::Resource::Service[$::keystone::params::service_name], - } -> - class { '::cinder::keystone::auth' : - require => Pacemaker::Resource::Service[$::keystone::params::service_name], - } -> - class { '::glance::keystone::auth' : - require => Pacemaker::Resource::Service[$::keystone::params::service_name], - } -> - class { '::heat::keystone::auth' : - require => Pacemaker::Resource::Service[$::keystone::params::service_name], - } -> - class { '::neutron::keystone::auth' : - require => Pacemaker::Resource::Service[$::keystone::params::service_name], - } -> - class { '::nova::keystone::auth' : - require => Pacemaker::Resource::Service[$::keystone::params::service_name], - } -> - class { '::swift::keystone::auth' : - require => Pacemaker::Resource::Service[$::keystone::params::service_name], } } diff --git a/puppet/manifests/overcloud_object.pp b/puppet/manifests/overcloud_object.pp index 5f0b4c82..1eabddf1 100644 --- a/puppet/manifests/overcloud_object.pp +++ b/puppet/manifests/overcloud_object.pp @@ -14,6 +14,7 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall create_resources(sysctl::value, hiera('sysctl_settings'), {}) diff --git a/puppet/manifests/overcloud_volume.pp b/puppet/manifests/overcloud_volume.pp index 7f24959a..2bdd8a9c 100644 --- a/puppet/manifests/overcloud_volume.pp +++ b/puppet/manifests/overcloud_volume.pp @@ -14,6 +14,7 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall create_resources(sysctl::value, hiera('sysctl_settings'), {}) diff --git a/puppet/swift-storage.yaml b/puppet/swift-storage.yaml index 22ec6096..fbb2b878 100644 --- a/puppet/swift-storage.yaml +++ b/puppet/swift-storage.yaml @@ -45,8 +45,9 @@ parameters: type: string hidden: true NtpServer: - type: string default: '' + description: Comma-separated list of ntp servers + type: comma_delimited_list EnablePackageInstall: default: 'false' description: Set to true to enable package installation via Puppet @@ -76,6 +77,17 @@ parameters: description: | Role specific additional hiera configuration to inject into the cluster. type: json + NetworkDeploymentActions: + type: comma_delimited_list + description: > + Heat action when to apply network configuration changes + default: ['CREATE'] + CloudDomain: + default: '' + type: string + description: > + The DNS domain used for the hosts. This should match the dhcp_domain + configured in the Undercloud neutron. Defaults to localdomain. resources: @@ -148,6 +160,7 @@ resources: properties: config: {get_resource: NetworkConfig} server: {get_resource: SwiftStorage} + actions: {get_param: NetworkDeploymentActions} SwiftStorageHieraConfig: type: OS::Heat::StructuredConfig @@ -207,19 +220,22 @@ resources: swift_min_part_hours: {get_param: MinPartHours} swift_part_power: {get_param: PartPower} swift_replicas: { get_param: Replicas} - ntp_servers: - str_replace: - template: '["server"]' - params: - server: {get_param: NtpServer} + ntp_servers: {get_param: NtpServer} enable_package_install: {get_param: EnablePackageInstall} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: SwiftStorageHieraDeploy + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: SwiftStorage} + # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: SwiftStorageHieraDeploy + depends_on: NodeTLSCAData type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: SwiftStorage} @@ -240,9 +256,10 @@ outputs: hosts_entry: value: str_replace: - template: "IP HOST.localdomain HOST" + template: "IP HOST.DOMAIN HOST" params: IP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ObjectStorageHostnameResolveNetwork]}]} + DOMAIN: {get_param: CloudDomain} HOST: {get_attr: [SwiftStorage, name]} nova_server_resource: description: Heat resource handle for the swift storage server @@ -270,4 +287,5 @@ outputs: list_join: - ',' - - {get_attr: [SwiftStorageHieraDeploy, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} - {get_param: UpdateIdentifier} |