aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/blockstorage-role.yaml39
-rw-r--r--puppet/cephstorage-role.yaml39
-rw-r--r--puppet/compute-role.yaml41
-rw-r--r--puppet/controller-role.yaml39
-rw-r--r--puppet/major_upgrade_steps.j2.yaml3
-rw-r--r--puppet/objectstorage-role.yaml39
-rw-r--r--puppet/role.role.j2.yaml39
-rw-r--r--puppet/services/external-swift-proxy.yaml70
-rw-r--r--puppet/services/glance-api.yaml14
-rw-r--r--puppet/services/keystone.yaml12
-rw-r--r--puppet/services/neutron-api.yaml23
-rw-r--r--puppet/services/neutron-base.yaml5
-rw-r--r--puppet/services/neutron-bigswitch-agent.yaml4
-rw-r--r--puppet/services/nova-api.yaml2
-rw-r--r--puppet/services/nova-compute.yaml8
-rw-r--r--puppet/services/nova-libvirt.yaml83
-rw-r--r--puppet/services/sshd.yaml29
17 files changed, 458 insertions, 31 deletions
diff --git a/puppet/blockstorage-role.yaml b/puppet/blockstorage-role.yaml
index 51f9abac..b9e5c6fe 100644
--- a/puppet/blockstorage-role.yaml
+++ b/puppet/blockstorage-role.yaml
@@ -126,7 +126,7 @@ parameters:
resources:
BlockStorage:
- type: OS::TripleO::Server
+ type: OS::TripleO::BlockStorageServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
@@ -457,6 +457,12 @@ resources:
update_identifier:
get_param: UpdateIdentifier
+ SshHostPubKey:
+ type: OS::TripleO::Ssh::HostPubKey
+ depends_on: BlockStorageDeployment
+ properties:
+ server: {get_resource: BlockStorage}
+
outputs:
ip_address:
description: IP address of the server in the ctlplane network
@@ -504,6 +510,37 @@ outputs:
MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
CTLPLANEIP: {get_attr: [BlockStorage, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ known_hosts_entry:
+ description: Entry for ssh known hosts
+ value:
+ str_replace:
+ template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\
+EXTERNALIP,EXTERNALHOST.DOMAIN,EXTERNALHOST,\
+INTERNAL_APIIP,INTERNAL_APIHOST.DOMAIN,INTERNAL_APIHOST,\
+STORAGEIP,STORAGEHOST.DOMAIN,STORAGEHOST,\
+STORAGE_MGMTIP,STORAGE_MGMTHOST.DOMAIN,STORAGE_MGMTHOST,\
+TENANTIP,TENANTHOST.DOMAIN,TENANTHOST,\
+MANAGEMENTIP,MANAGEMENTHOST.DOMAIN,MANAGEMENTHOST,\
+CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY"
+ params:
+ PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, BlockStorageHostnameResolveNetwork]}]}
+ DOMAIN: {get_param: CloudDomain}
+ PRIMARYHOST: {get_attr: [BlockStorage, name]}
+ EXTERNALIP: {get_attr: [ExternalPort, ip_address]}
+ EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]}
+ INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]}
+ INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]}
+ STORAGEIP: {get_attr: [StoragePort, ip_address]}
+ STORAGEHOST: {get_attr: [NetHostMap, value, storage, short]}
+ STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]}
+ STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]}
+ TENANTIP: {get_attr: [TenantPort, ip_address]}
+ TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]}
+ MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]}
+ MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
+ CTLPLANEIP: {get_attr: [BlockStorage, networks, ctlplane, 0]}
+ CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]}
nova_server_resource:
description: Heat resource handle for the block storage server
value:
diff --git a/puppet/cephstorage-role.yaml b/puppet/cephstorage-role.yaml
index d7d7f478..075f42ba 100644
--- a/puppet/cephstorage-role.yaml
+++ b/puppet/cephstorage-role.yaml
@@ -132,7 +132,7 @@ parameters:
resources:
CephStorage:
- type: OS::TripleO::Server
+ type: OS::TripleO::CephStorageServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
@@ -468,6 +468,12 @@ resources:
update_identifier:
get_param: UpdateIdentifier
+ SshHostPubKey:
+ type: OS::TripleO::Ssh::HostPubKey
+ depends_on: CephStorageDeployment
+ properties:
+ server: {get_resource: CephStorage}
+
outputs:
ip_address:
description: IP address of the server in the ctlplane network
@@ -515,6 +521,37 @@ outputs:
MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
CTLPLANEIP: {get_attr: [CephStorage, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ known_hosts_entry:
+ description: Entry for ssh known hosts
+ value:
+ str_replace:
+ template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\
+EXTERNALIP,EXTERNALHOST.DOMAIN,EXTERNALHOST,\
+INTERNAL_APIIP,INTERNAL_APIHOST.DOMAIN,INTERNAL_APIHOST,\
+STORAGEIP,STORAGEHOST.DOMAIN,STORAGEHOST,\
+STORAGE_MGMTIP,STORAGE_MGMTHOST.DOMAIN,STORAGE_MGMTHOST,\
+TENANTIP,TENANTHOST.DOMAIN,TENANTHOST,\
+MANAGEMENTIP,MANAGEMENTHOST.DOMAIN,MANAGEMENTHOST,\
+CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY"
+ params:
+ PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, CephStorageHostnameResolveNetwork]}]}
+ DOMAIN: {get_param: CloudDomain}
+ PRIMARYHOST: {get_attr: [CephStorage, name]}
+ EXTERNALIP: {get_attr: [ExternalPort, ip_address]}
+ EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]}
+ INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]}
+ INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]}
+ STORAGEIP: {get_attr: [StoragePort, ip_address]}
+ STORAGEHOST: {get_attr: [NetHostMap, value, storage, short]}
+ STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]}
+ STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]}
+ TENANTIP: {get_attr: [TenantPort, ip_address]}
+ TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]}
+ MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]}
+ MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
+ CTLPLANEIP: {get_attr: [CephStorage, networks, ctlplane, 0]}
+ CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]}
nova_server_resource:
description: Heat resource handle for the ceph storage server
value:
diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml
index ebdd762d..351b3823 100644
--- a/puppet/compute-role.yaml
+++ b/puppet/compute-role.yaml
@@ -145,7 +145,7 @@ parameters:
resources:
NovaCompute:
- type: OS::TripleO::Server
+ type: OS::TripleO::ComputeServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
@@ -492,6 +492,12 @@ resources:
update_identifier:
get_param: UpdateIdentifier
+ SshHostPubKey:
+ type: OS::TripleO::Ssh::HostPubKey
+ depends_on: NovaComputeDeployment
+ properties:
+ server: {get_resource: NovaCompute}
+
outputs:
ip_address:
description: IP address of the server in the ctlplane network
@@ -559,7 +565,38 @@ outputs:
MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
CTLPLANEIP: {get_attr: [NovaCompute, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ known_hosts_entry:
+ description: Entry for ssh known hosts
+ value:
+ str_replace:
+ template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\
+EXTERNALIP,EXTERNALHOST.DOMAIN,EXTERNALHOST,\
+INTERNAL_APIIP,INTERNAL_APIHOST.DOMAIN,INTERNAL_APIHOST,\
+STORAGEIP,STORAGEHOST.DOMAIN,STORAGEHOST,\
+STORAGE_MGMTIP,STORAGE_MGMTHOST.DOMAIN,STORAGE_MGMTHOST,\
+TENANTIP,TENANTHOST.DOMAIN,TENANTHOST,\
+MANAGEMENTIP,MANAGEMENTHOST.DOMAIN,MANAGEMENTHOST,\
+CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY"
+ params:
+ PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ComputeHostnameResolveNetwork]}]}
+ DOMAIN: {get_param: CloudDomain}
+ PRIMARYHOST: {get_attr: [NovaCompute, name]}
+ EXTERNALIP: {get_attr: [ExternalPort, ip_address]}
+ EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]}
+ INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]}
+ INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]}
+ STORAGEIP: {get_attr: [StoragePort, ip_address]}
+ STORAGEHOST: {get_attr: [NetHostMap, value, storage, short]}
+ STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]}
+ STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]}
+ TENANTIP: {get_attr: [TenantPort, ip_address]}
+ TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]}
+ MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]}
+ MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
+ CTLPLANEIP: {get_attr: [NovaCompute, networks, ctlplane, 0]}
+ CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]}
nova_server_resource:
description: Heat resource handle for the Nova compute server
value:
- {get_resource: NovaCompute}
+ {get_resource: NovaCompute} \ No newline at end of file
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
index 3d32add2..92eb70ad 100644
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@@ -165,7 +165,7 @@ parameter_groups:
resources:
Controller:
- type: OS::TripleO::Server
+ type: OS::TripleO::ControllerServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
@@ -531,6 +531,12 @@ resources:
update_identifier:
get_param: UpdateIdentifier
+ SshHostPubKey:
+ type: OS::TripleO::Ssh::HostPubKey
+ depends_on: ControllerDeployment
+ properties:
+ server: {get_resource: Controller}
+
outputs:
ip_address:
description: IP address of the server in the ctlplane network
@@ -598,6 +604,37 @@ outputs:
MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
CTLPLANEIP: {get_attr: [Controller, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ known_hosts_entry:
+ description: Entry for ssh known hosts
+ value:
+ str_replace:
+ template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\
+EXTERNALIP,EXTERNALHOST.DOMAIN,EXTERNALHOST,\
+INTERNAL_APIIP,INTERNAL_APIHOST.DOMAIN,INTERNAL_APIHOST,\
+STORAGEIP,STORAGEHOST.DOMAIN,STORAGEHOST,\
+STORAGE_MGMTIP,STORAGE_MGMTHOST.DOMAIN,STORAGE_MGMTHOST,\
+TENANTIP,TENANTHOST.DOMAIN,TENANTHOST,\
+MANAGEMENTIP,MANAGEMENTHOST.DOMAIN,MANAGEMENTHOST,\
+CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY"
+ params:
+ PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ControllerHostnameResolveNetwork]}]}
+ DOMAIN: {get_param: CloudDomain}
+ PRIMARYHOST: {get_attr: [Controller, name]}
+ EXTERNALIP: {get_attr: [ExternalPort, ip_address]}
+ EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]}
+ INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]}
+ INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]}
+ STORAGEIP: {get_attr: [StoragePort, ip_address]}
+ STORAGEHOST: {get_attr: [NetHostMap, value, storage, short]}
+ STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]}
+ STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]}
+ TENANTIP: {get_attr: [TenantPort, ip_address]}
+ TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]}
+ MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]}
+ MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
+ CTLPLANEIP: {get_attr: [Controller, networks, ctlplane, 0]}
+ CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]}
nova_server_resource:
description: Heat resource handle for the Nova compute server
value:
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index c0a0778c..28092773 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
@@ -51,10 +51,11 @@ resources:
- " crudini --set /etc/nova/nova.conf placement project_domain_name Default\n\n"
- " crudini --set /etc/nova/nova.conf placement user_domain_name Default\n\n"
- " crudini --set /etc/nova/nova.conf placement project_name service\n\n"
+ - " crudini --set /etc/nova/nova.conf placement os_interface internal\n\n"
- str_replace:
template: |
crudini --set /etc/nova/nova.conf placement password 'SERVICE_PASSWORD'
- crudini --set /etc/nova/nova.conf placement region_name 'REGION_NAME'
+ crudini --set /etc/nova/nova.conf placement os_region_name 'REGION_NAME'
crudini --set /etc/nova/nova.conf placement auth_url 'AUTH_URL'
params:
SERVICE_PASSWORD: { get_param: NovaPassword }
diff --git a/puppet/objectstorage-role.yaml b/puppet/objectstorage-role.yaml
index 6ee06d78..84b646a2 100644
--- a/puppet/objectstorage-role.yaml
+++ b/puppet/objectstorage-role.yaml
@@ -127,7 +127,7 @@ parameters:
resources:
SwiftStorage:
- type: OS::Nova::Server
+ type: OS::Nova::ObjectStorageServer
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
@@ -455,6 +455,12 @@ resources:
update_identifier:
get_param: UpdateIdentifier
+ SshHostPubKey:
+ type: OS::TripleO::Ssh::HostPubKey
+ depends_on: SwiftStorageHieraDeploy
+ properties:
+ server: {get_resource: SwiftStorage}
+
outputs:
ip_address:
description: IP address of the server in the ctlplane network
@@ -502,6 +508,37 @@ outputs:
MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
CTLPLANEIP: {get_attr: [SwiftStorage, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ known_hosts_entry:
+ description: Entry for ssh known hosts
+ value:
+ str_replace:
+ template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\
+EXTERNALIP,EXTERNALHOST.DOMAIN,EXTERNALHOST,\
+INTERNAL_APIIP,INTERNAL_APIHOST.DOMAIN,INTERNAL_APIHOST,\
+STORAGEIP,STORAGEHOST.DOMAIN,STORAGEHOST,\
+STORAGE_MGMTIP,STORAGE_MGMTHOST.DOMAIN,STORAGE_MGMTHOST,\
+TENANTIP,TENANTHOST.DOMAIN,TENANTHOST,\
+MANAGEMENTIP,MANAGEMENTHOST.DOMAIN,MANAGEMENTHOST,\
+CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY"
+ params:
+ PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ObjectStorageHostnameResolveNetwork]}]}
+ DOMAIN: {get_param: CloudDomain}
+ PRIMARYHOST: {get_attr: [SwiftStorage, name]}
+ EXTERNALIP: {get_attr: [ExternalPort, ip_address]}
+ EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]}
+ INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]}
+ INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]}
+ STORAGEIP: {get_attr: [StoragePort, ip_address]}
+ STORAGEHOST: {get_attr: [NetHostMap, value, storage, short]}
+ STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]}
+ STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]}
+ TENANTIP: {get_attr: [TenantPort, ip_address]}
+ TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]}
+ MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]}
+ MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
+ CTLPLANEIP: {get_attr: [SwiftStorage, networks, ctlplane, 0]}
+ CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]}
nova_server_resource:
description: Heat resource handle for the swift storage server
value:
diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml
index 9227b527..960f0d58 100644
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@@ -148,7 +148,7 @@ parameters:
resources:
{{role}}:
- type: OS::TripleO::Server
+ type: OS::TripleO::{{role.name}}Server
metadata:
os-collect-config:
command: {get_param: ConfigCommand}
@@ -490,6 +490,12 @@ resources:
update_identifier:
get_param: UpdateIdentifier
+ SshHostPubKey:
+ type: OS::TripleO::Ssh::HostPubKey
+ depends_on: {{role}}Deployment
+ properties:
+ server: {get_resource: {{role}}}
+
outputs:
ip_address:
description: IP address of the server in the ctlplane network
@@ -537,6 +543,37 @@ outputs:
MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
CTLPLANEIP: {get_attr: [{{role}}, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ known_hosts_entry:
+ description: Entry for ssh known hosts
+ value:
+ str_replace:
+ template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\
+EXTERNALIP,EXTERNALHOST.DOMAIN,EXTERNALHOST,\
+INTERNAL_APIIP,INTERNAL_APIHOST.DOMAIN,INTERNAL_APIHOST,\
+STORAGEIP,STORAGEHOST.DOMAIN,STORAGEHOST,\
+STORAGE_MGMTIP,STORAGE_MGMTHOST.DOMAIN,STORAGE_MGMTHOST,\
+TENANTIP,TENANTHOST.DOMAIN,TENANTHOST,\
+MANAGEMENTIP,MANAGEMENTHOST.DOMAIN,MANAGEMENTHOST,\
+CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY"
+ params:
+ PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role}}HostnameResolveNetwork]}]}
+ DOMAIN: {get_param: CloudDomain}
+ PRIMARYHOST: {get_attr: [{{role}}, name]}
+ EXTERNALIP: {get_attr: [ExternalPort, ip_address]}
+ EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]}
+ INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]}
+ INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]}
+ STORAGEIP: {get_attr: [StoragePort, ip_address]}
+ STORAGEHOST: {get_attr: [NetHostMap, value, storage, short]}
+ STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]}
+ STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]}
+ TENANTIP: {get_attr: [TenantPort, ip_address]}
+ TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]}
+ MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]}
+ MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]}
+ CTLPLANEIP: {get_attr: [{{role}}, networks, ctlplane, 0]}
+ CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
+ HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]}
nova_server_resource:
description: Heat resource handle for {{role}} server
value:
diff --git a/puppet/services/external-swift-proxy.yaml b/puppet/services/external-swift-proxy.yaml
new file mode 100644
index 00000000..75f5b6a0
--- /dev/null
+++ b/puppet/services/external-swift-proxy.yaml
@@ -0,0 +1,70 @@
+heat_template_version: ocata
+
+description: >
+ External Swift Proxy endpoint configured with Puppet
+
+parameters:
+ ExternalPublicUrl:
+ description: Public endpoint url for the external swift proxy
+ type: string
+ ExternalInternalUrl:
+ description: Internal endpoint url for the external swift proxy
+ type: string
+ ExternalAdminUrl:
+ description: External endpoint url for the external swift proxy
+ type: string
+ ExternalSwiftUserTenant:
+ description: Tenant where swift user will be set as admin
+ type: string
+ default: 'service'
+ SwiftPassword:
+ description: The password for the swift service account, used by the swift proxy services.
+ type: string
+ hidden: true
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+resources:
+
+outputs:
+ role_data:
+ description: Role data for External Swift proxy.
+ value:
+ service_name: external_swift_proxy
+ config_settings:
+
+ step_config:
+
+ service_config_settings:
+ keystone:
+ swift::keystone::auth::public_url: {get_param: ExternalPublicUrl}
+ swift::keystone::auth::internal_url: {get_param: ExternalInternalUrl}
+ swift::keystone::auth::admin_url: {get_param: ExternalAdminUrl}
+ swift::keystone::auth::public_url_s3: ''
+ swift::keystone::auth::internal_url_s3: ''
+ swift::keystone::auth::admin_url_s3: ''
+ swift::keystone::auth::password: {get_param: SwiftPassword}
+ swift::keystone::auth::region: {get_param: KeystoneRegion}
+ swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant}
+ swift::keystone::auth::configure_s3_endpoint: false
+ swift::keystone::auth::operator_roles:
+ - admin
+ - swiftoperator
+ - ResellerAdmin
+
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index f61e6154..de41c0e8 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -119,6 +119,7 @@ parameters:
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+ glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']}
resources:
@@ -153,14 +154,13 @@ outputs:
- '/glance'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
- glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::enable_v1_api: false
glance::api::enable_v2_api: true
glance::api::authtoken::password: {get_param: GlancePassword}
glance::api::enable_proxy_headers_parsing: true
glance::api::debug: {get_param: Debug}
- glance::api::workers: {get_param: GlanceWorkers}
glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo.glance_api.firewall_rules:
'112 glance_api':
@@ -168,6 +168,8 @@ outputs:
- 9292
- 13292
glance::api::authtoken::project_name: 'service'
+ glance::keystone::authtoken::user_domain_name: 'Default'
+ glance::keystone::authtoken::project_domain_name: 'Default'
glance::api::pipeline: 'keystone'
glance::api::show_image_direct_url: true
# NOTE: bind IP is found in Heat replacing the network name with the
@@ -195,10 +197,11 @@ outputs:
- {get_param: [ServiceNetMap, GlanceApiNetwork]}
glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
glance_log_file: {get_param: GlanceLogFile}
- glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] }
glance::backend::swift::swift_store_user: service:glance
glance::backend::swift::swift_store_key: {get_param: GlancePassword}
glance::backend::swift::swift_store_create_container_on_put: true
+ glance::backend::swift::swift_store_auth_version: 3
glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
glance_backend: {get_param: GlanceBackend}
@@ -210,6 +213,11 @@ outputs:
tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled}
tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare}
tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions}
+ -
+ if:
+ - glance_workers_unset
+ - {}
+ - glance::api::workers: {get_param: GlanceWorkers}
service_config_settings:
keystone:
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 632d9b0b..8a0e750d 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -119,27 +119,27 @@ parameters:
Cron to purge expired tokens - Ensure
default: 'present'
KeystoneCronTokenFlushMinute:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Minute
default: '1'
KeystoneCronTokenFlushHour:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Hour
- default: '0'
+ default: '*'
KeystoneCronTokenFlushMonthday:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Month Day
default: '*'
KeystoneCronTokenFlushMonth:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Month
default: '*'
KeystoneCronTokenFlushWeekday:
- type: string
+ type: comma_delimited_list
description: >
Cron to purge expired tokens - Week Day
default: '*'
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index 9b9d1c72..a0305b81 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -21,13 +21,13 @@ parameters:
NeutronWorkers:
default: ''
description: |
- Sets the number of API and RPC workers for the Neutron service. The
- default value results in the configuration being left unset and a
- system-dependent default will be chosen (usually the number of
- processors). Please note that this can result in a large number of
- processes and memory consumption on systems with a large core count. On
- such systems it is recommended that a non-default value be selected that
- matches the load requirements.
+ Sets the number of API and RPC workers for the Neutron service.
+ The default value results in the configuration being left unset
+ and a system-dependent default will be chosen (usually the number
+ of processors). Please note that this can result in a large number
+ of processes and memory consumption on systems with a large core
+ count. On such systems it is recommended that a non-default value
+ be selected that matches the load requirements.
type: string
NeutronPassword:
description: The password for the neutron service and db account, used by neutron agents.
@@ -92,6 +92,7 @@ parameter_groups:
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+ neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
resources:
@@ -136,8 +137,6 @@ outputs:
neutron::policy::policies: {get_param: NeutronApiPolicies}
neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
- neutron::server::api_workers: {get_param: NeutronWorkers}
- neutron::server::rpc_workers: {get_param: NeutronWorkers}
neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
neutron::server::enable_proxy_headers_parsing: true
neutron::keystone::authtoken::password: {get_param: NeutronPassword}
@@ -178,6 +177,12 @@ outputs:
- 'localhost'
- {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA}
+ -
+ if:
+ - neutron_workers_unset
+ - {}
+ - neutron::server::api_workers: {get_param: NeutronWorkers}
+ neutron::server::rpc_workers: {get_param: NeutronWorkers}
step_config: |
include tripleo::profile::base::neutron::server
service_config_settings:
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index 9f605062..b41cb3cc 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@@ -30,6 +30,10 @@ parameters:
type: number
default: 0
description: The number of neutron dhcp agents to schedule per network
+ NeutronDnsDomain:
+ type: string
+ default: openstacklocal
+ description: Domain to use for building the hostnames.
NeutronCorePlugin:
default: 'ml2'
description: |
@@ -95,6 +99,7 @@ outputs:
neutron::debug: {get_param: Debug}
neutron::purge_config: {get_param: EnableConfigPurge}
neutron::allow_overlapping_ips: true
+ neutron::dns_domain: {get_param: NeutronDnsDomain}
neutron::rabbit_heartbeat_timeout_threshold: 60
neutron::host: '%{::fqdn}'
neutron::db::database_db_max_retries: -1
diff --git a/puppet/services/neutron-bigswitch-agent.yaml b/puppet/services/neutron-bigswitch-agent.yaml
index 845f0da0..8f56e0a9 100644
--- a/puppet/services/neutron-bigswitch-agent.yaml
+++ b/puppet/services/neutron-bigswitch-agent.yaml
@@ -26,6 +26,4 @@ outputs:
value:
service_name: neutron_bigswitch_agent
step_config: |
- if hiera('step') >= 4 {
- include ::neutron::agents::bigswitch
- }
+ include ::tripleo::profile::base::neutron::agents::bigswitch
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index 18d9b924..21910cc4 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -227,7 +227,7 @@ outputs:
- name: Run puppet apply to set tranport_url in nova.conf
tags: step5
when: is_bootstrap_node
- command: puppet apply --detailed-exitcodes /root/nova-api_upgrade_manifest.pp
+ command: puppet apply --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules --detailed-exitcodes /root/nova-api_upgrade_manifest.pp
register: puppet_apply_nova_api_upgrade
failed_when: puppet_apply_nova_api_upgrade.rc not in [0,2]
changed_when: puppet_apply_nova_api_upgrade.rc == 2
diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml
index a9737eb6..b1711436 100644
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@@ -79,6 +79,13 @@ parameters:
type: string
description: Nova Compute upgrade level
default: auto
+ MigrationSshKey:
+ type: json
+ description: >
+ SSH key for migration.
+ Expects a dictionary with keys 'public_key' and 'private_key'.
+ Values should be identical to SSH public/private key files.
+ default: {}
resources:
NovaBase:
@@ -111,6 +118,7 @@ outputs:
# we manage migration in nova common puppet profile
nova::compute::libvirt::migration_support: false
tripleo::profile::base::nova::manage_migration: true
+ tripleo::profile::base::nova::migration_ssh_key: {get_param: MigrationSshKey}
tripleo::profile::base::nova::nova_compute_enabled: true
nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName}
nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index faf1ae48..21a5e78a 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -32,6 +32,36 @@ parameters:
MonitoringSubscriptionNovaLibvirt:
default: 'overcloud-nova-libvirt'
type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ UseTLSTransportForLiveMigration:
+ type: boolean
+ default: true
+ description: If set to true and if EnableInternalTLS is enabled, it will
+ set the libvirt URI's transport to tls and configure the
+ relevant keys for libvirt.
+ LibvirtCACert:
+ type: string
+ default: '/etc/ipa/ca.crt'
+ description: This specifies the CA certificate to use for TLS in libvirt.
+ This file will be symlinked to the default CA path in libvirt,
+ which is /etc/pki/CA/cacert.pem. Note that due to limitations
+ GNU TLS, which is the TLS backend for libvirt, the file must
+ be less than 65K (so we can't use the system's CA bundle). The
+ current default reflects TripleO's default CA, which is
+ FreeIPA. It will only be used if internal TLS is enabled.
+
+conditions:
+
+ use_tls_for_live_migration:
+ and:
+ - equals:
+ - {get_param: EnableInternalTLS}
+ - true
+ - equals:
+ - {get_param: UseTLSTransportForLiveMigration}
+ - true
resources:
NovaBase:
@@ -66,10 +96,61 @@ outputs:
tripleo.nova_libvirt.firewall_rules:
'200 nova_libvirt':
dport:
- - 16509
- 16514
- '49152-49215'
- '5900-5999'
+ -
+ if:
+ - use_tls_for_live_migration
+ -
+ generate_service_certificates: true
+ tripleo::profile::base::nova::libvirt_tls: true
+ nova::migration::libvirt::live_migration_inbound_addr:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ tripleo::certmonger::ca::libvirt::origin_ca_pem:
+ get_param: LibvirtCACert
+ tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
+ tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
+ libvirt_certificates_specs:
+ libvirt-server-cert:
+ service_certificate: '/etc/pki/libvirt/servercert.pem'
+ service_key: '/etc/pki/libvirt/private/serverkey.pem'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ principal:
+ str_replace:
+ template: "libvirt/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ libvirt-client-cert:
+ service_certificate: '/etc/pki/libvirt/clientcert.pem'
+ service_key: '/etc/pki/libvirt/private/clientkey.pem'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ principal:
+ str_replace:
+ template: "libvirt/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ - {}
step_config: |
include tripleo::profile::base::nova::libvirt
+ metadata_settings:
+ if:
+ - use_tls_for_live_migration
+ -
+ - service: libvirt
+ network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ type: node
+ - null
diff --git a/puppet/services/sshd.yaml b/puppet/services/sshd.yaml
index 12998c33..e09a8894 100644
--- a/puppet/services/sshd.yaml
+++ b/puppet/services/sshd.yaml
@@ -22,6 +22,33 @@ parameters:
default: ''
description: Configures Banner text in sshd_config
type: string
+ MessageOfTheDay:
+ default: ''
+ description: Configures /etc/motd text
+ type: string
+ SshServerOptions:
+ default:
+ HostKey:
+ - '/etc/ssh/ssh_host_rsa_key'
+ - '/etc/ssh/ssh_host_ecdsa_key'
+ - '/etc/ssh/ssh_host_ed25519_key'
+ SyslogFacility: 'AUTHPRIV'
+ AuthorizedKeysFile: '.ssh/authorized_keys'
+ PasswordAuthentication: 'no'
+ ChallengeResponseAuthentication: 'no'
+ GSSAPIAuthentication: 'yes'
+ GSSAPICleanupCredentials: 'no'
+ UsePAM: 'yes'
+ X11Forwarding: 'yes'
+ UsePrivilegeSeparation: 'sandbox'
+ AcceptEnv:
+ - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
+ - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
+ - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
+ - 'XMODIFIERS'
+ Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
+ description: Mapping of sshd_config values
+ type: json
outputs:
role_data:
@@ -30,5 +57,7 @@ outputs:
service_name: sshd
config_settings:
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
+ tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
+ tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
step_config: |
include ::tripleo::profile::base::sshd