aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJonas Bjurel <jonas.bjurel@ericsson.com>2015-10-03 17:34:24 +0200
committerJonas Bjurel <jonas.bjurel@ericsson.com>2015-10-03 17:34:24 +0200
commit543130927ba40a174e8674cca66ae442d5056d76 (patch)
treeee497cf48d8f31e998b48c6ae54fc625b852b20d
parent11dbe27afb96c5b54b9f4f0a1c8b21194f59dc7b (diff)
Moving tag arno.2015.2.0 from genesis to fuel/stable/arnoarno.2015.2.0stable/arno
Change-Id: I01b5f9f9125756d80d7ca666bb6d994f2b13d2a0 Signed-off-by: Jonas Bjurel <jonas.bjurel@ericsson.com>
-rwxr-xr-xcommon/ci/clean.sh326
-rwxr-xr-xcommon/ci/setup.sh270
-rw-r--r--common/docs/user-guide.rst19
-rw-r--r--common/puppet-opnfv/manifests/compute.pp43
-rw-r--r--common/puppet-opnfv/manifests/controller_networker.pp92
-rw-r--r--common/puppet-opnfv/manifests/external_net_presetup.pp15
-rw-r--r--common/puppet-opnfv/manifests/external_net_setup.pp5
-rw-r--r--common/puppet-opnfv/manifests/init.pp1
-rw-r--r--common/puppet-opnfv/manifests/odl_docker.pp50
-rw-r--r--common/puppet-opnfv/manifests/templates/br_ex.erb10
-rw-r--r--common/puppet-opnfv/manifests/templates/dockerfile/Dockerfile82
-rw-r--r--common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/check_feature.sh18
-rw-r--r--common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/speak.sh20
-rw-r--r--common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/start_odl_docker_container.sh48
-rwxr-xr-xcompass/ci/build.sh26
-rwxr-xr-xcompass/ci/deploy.sh14
-rwxr-xr-xcompass/ci/launch.sh65
-rwxr-xr-xcompass/ci/log.sh22
-rw-r--r--compass/deploy/ansible/openstack_juno/HA-ansible-multinodes.yml42
-rw-r--r--compass/deploy/ansible/openstack_juno/allinone.yml38
-rw-r--r--compass/deploy/ansible/openstack_juno/compute.yml9
-rw-r--r--compass/deploy/ansible/openstack_juno/controller.yml15
-rw-r--r--compass/deploy/ansible/openstack_juno/group_vars/all54
-rw-r--r--compass/deploy/ansible/openstack_juno/multinodes.yml75
-rw-r--r--compass/deploy/ansible/openstack_juno/network.yml8
-rw-r--r--compass/deploy/ansible/openstack_juno/single-controller.yml38
-rw-r--r--compass/deploy/ansible/openstack_juno/storage.yml8
-rw-r--r--compass/deploy/ansible/roles/cinder-controller/handlers/main.yml6
-rw-r--r--compass/deploy/ansible/roles/cinder-controller/tasks/cinder_config.yml20
-rw-r--r--compass/deploy/ansible/roles/cinder-controller/tasks/cinder_install.yml20
-rw-r--r--compass/deploy/ansible/roles/cinder-controller/tasks/main.yml13
-rw-r--r--compass/deploy/ansible/roles/cinder-controller/templates/api-paste.ini71
-rw-r--r--compass/deploy/ansible/roles/cinder-controller/templates/cinder.conf63
-rw-r--r--compass/deploy/ansible/roles/cinder-controller/templates/cinder_init.sh6
-rw-r--r--compass/deploy/ansible/roles/cinder-volume/files/loop.yml1
-rw-r--r--compass/deploy/ansible/roles/cinder-volume/handlers/main.yml3
-rw-r--r--compass/deploy/ansible/roles/cinder-volume/tasks/main.yml55
-rw-r--r--compass/deploy/ansible/roles/cinder-volume/templates/cinder.conf62
-rw-r--r--compass/deploy/ansible/roles/common/files/sources.list.d/cloudarchive-juno.list1
-rw-r--r--compass/deploy/ansible/roles/common/tasks/main.yml28
-rw-r--r--compass/deploy/ansible/roles/common/templates/hosts22
-rw-r--r--compass/deploy/ansible/roles/common/templates/ntp.conf56
-rw-r--r--compass/deploy/ansible/roles/dashboard/tasks/main.yml30
-rw-r--r--compass/deploy/ansible/roles/dashboard/templates/local_settings.py511
-rw-r--r--compass/deploy/ansible/roles/dashboard/templates/openstack-dashboard.conf14
-rw-r--r--compass/deploy/ansible/roles/database/files/my.cnf131
-rw-r--r--compass/deploy/ansible/roles/database/tasks/main.yml12
-rw-r--r--compass/deploy/ansible/roles/database/tasks/mariadb.yml46
-rw-r--r--compass/deploy/ansible/roles/database/tasks/mysql.yml22
-rw-r--r--compass/deploy/ansible/roles/database/templates/data.j239
-rw-r--r--compass/deploy/ansible/roles/database/templates/my.cnf134
-rw-r--r--compass/deploy/ansible/roles/database/templates/wsrep.cnf126
-rw-r--r--compass/deploy/ansible/roles/glance/handlers/main.yml6
-rw-r--r--compass/deploy/ansible/roles/glance/tasks/glance_config.yml29
-rw-r--r--compass/deploy/ansible/roles/glance/tasks/glance_install.yml26
-rw-r--r--compass/deploy/ansible/roles/glance/tasks/main.yml18
-rw-r--r--compass/deploy/ansible/roles/glance/tasks/nfs.yml41
-rw-r--r--compass/deploy/ansible/roles/glance/templates/glance-api.conf677
-rw-r--r--compass/deploy/ansible/roles/glance/templates/glance-registry.conf190
-rw-r--r--compass/deploy/ansible/roles/glance/templates/image_upload.sh2
-rw-r--r--compass/deploy/ansible/roles/ha/files/galera_chk10
-rw-r--r--compass/deploy/ansible/roles/ha/files/mysqlchk15
-rw-r--r--compass/deploy/ansible/roles/ha/files/notify.sh4
-rw-r--r--compass/deploy/ansible/roles/ha/handlers/main.yml9
-rw-r--r--compass/deploy/ansible/roles/ha/tasks/main.yml94
-rw-r--r--compass/deploy/ansible/roles/ha/templates/failover.j265
-rw-r--r--compass/deploy/ansible/roles/ha/templates/haproxy.cfg133
-rw-r--r--compass/deploy/ansible/roles/ha/templates/keepalived.conf42
-rw-r--r--compass/deploy/ansible/roles/keystone/tasks/keystone_config.yml16
-rw-r--r--compass/deploy/ansible/roles/keystone/tasks/keystone_install.yml29
-rw-r--r--compass/deploy/ansible/roles/keystone/tasks/main.yml13
-rw-r--r--compass/deploy/ansible/roles/keystone/templates/admin-openrc.sh6
-rw-r--r--compass/deploy/ansible/roles/keystone/templates/demo-openrc.sh5
-rw-r--r--compass/deploy/ansible/roles/keystone/templates/keystone.conf1317
-rw-r--r--compass/deploy/ansible/roles/keystone/templates/keystone_init43
-rw-r--r--compass/deploy/ansible/roles/monitor/files/check_service.sh7
-rw-r--r--compass/deploy/ansible/roles/monitor/files/root1
-rw-r--r--compass/deploy/ansible/roles/monitor/tasks/main.yml11
-rw-r--r--compass/deploy/ansible/roles/mq/tasks/main.yml5
-rw-r--r--compass/deploy/ansible/roles/mq/tasks/rabbitmq.yml45
-rw-r--r--compass/deploy/ansible/roles/mq/tasks/rabbitmq_cluster.yml27
-rw-r--r--compass/deploy/ansible/roles/mq/templates/rabbitmq-env.conf1
-rw-r--r--compass/deploy/ansible/roles/neutron-common/handlers/main.yml13
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/defaults/main.yml2
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/handlers/main.yml13
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/tasks/main.yml55
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/dhcp_agent.ini90
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/dnsmasq-neutron.conf2
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/etc/xorp/config.boot25
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/l3_agent.ini81
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/metadata_agent.ini46
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/ml2_conf.ini108
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/neutron-network.conf465
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/neutron.conf466
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/neutron_init.sh4
-rw-r--r--compass/deploy/ansible/roles/neutron-compute/templates/nova.conf73
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/handlers/main.yml24
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/tasks/main.yml13
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/tasks/neutron_config.yml10
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/tasks/neutron_install.yml29
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/dhcp_agent.ini90
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/dnsmasq-neutron.conf2
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/etc/xorp/config.boot25
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/l3_agent.ini81
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/metadata_agent.ini46
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/ml2_conf.ini108
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/neutron-network.conf465
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/neutron.conf466
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/neutron_init.sh4
-rw-r--r--compass/deploy/ansible/roles/neutron-controller/templates/nova.conf69
-rw-r--r--compass/deploy/ansible/roles/neutron-network/handlers/main.yml21
-rw-r--r--compass/deploy/ansible/roles/neutron-network/tasks/igmp-router.yml20
-rw-r--r--compass/deploy/ansible/roles/neutron-network/tasks/main.yml114
-rw-r--r--compass/deploy/ansible/roles/neutron-network/tasks/odl.yml13
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/dhcp_agent.ini90
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/dnsmasq-neutron.conf2
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/etc/xorp/config.boot25
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/l3_agent.ini81
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/metadata_agent.ini46
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/ml2_conf.ini108
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/neutron-network.conf465
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/neutron.conf466
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/neutron_init.sh4
-rw-r--r--compass/deploy/ansible/roles/neutron-network/templates/nova.conf69
-rw-r--r--compass/deploy/ansible/roles/nova-compute/handlers/main.yml3
-rw-r--r--compass/deploy/ansible/roles/nova-compute/tasks/main.yml21
-rw-r--r--compass/deploy/ansible/roles/nova-compute/templates/nova-compute.conf7
-rw-r--r--compass/deploy/ansible/roles/nova-compute/templates/nova.conf73
-rw-r--r--compass/deploy/ansible/roles/nova-controller/handlers/main.yml24
-rw-r--r--compass/deploy/ansible/roles/nova-controller/tasks/main.yml13
-rw-r--r--compass/deploy/ansible/roles/nova-controller/tasks/nova_config.yml16
-rw-r--r--compass/deploy/ansible/roles/nova-controller/tasks/nova_install.yml35
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/dhcp_agent.ini90
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/dnsmasq-neutron.conf2
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/etc/xorp/config.boot25
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/l3_agent.ini81
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/metadata_agent.ini46
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/ml2_conf.ini108
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/neutron-network.conf465
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/neutron.conf466
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/neutron_init.sh4
-rw-r--r--compass/deploy/ansible/roles/nova-controller/templates/nova.conf72
-rw-r--r--compass/deploy/ansible/roles/repo/tasks/main.yml6
-rw-r--r--compass/deploy/ansible/roles/repo/templates/sources.list1
-rw-r--r--compass/deploy/compass_vm.sh103
-rw-r--r--compass/deploy/conf/baremetal.conf20
-rw-r--r--compass/deploy/conf/base.conf24
-rw-r--r--compass/deploy/conf/cluster.conf20
-rw-r--r--compass/deploy/conf/five.conf4
-rw-r--r--compass/deploy/deploy-vm.sh9
-rw-r--r--compass/deploy/deploy_host.sh40
-rwxr-xr-x[-rw-r--r--]compass/deploy/func.sh17
-rw-r--r--compass/deploy/host_baremetal.sh9
-rw-r--r--compass/deploy/host_vm.sh59
-rwxr-xr-xcompass/deploy/network.sh70
-rw-r--r--compass/deploy/prepare.sh66
-rw-r--r--compass/deploy/remote_excute.exp23
-rw-r--r--compass/deploy/status_callback.py174
-rw-r--r--compass/deploy/template/network/bridge.xml5
-rw-r--r--compass/deploy/template/network/nat.xml10
-rw-r--r--compass/deploy/template/vm/compass.xml64
-rw-r--r--compass/deploy/template/vm/host.xml67
-rw-r--r--foreman/build/Makefile6
-rw-r--r--foreman/build/cache.mk2
-rw-r--r--foreman/build/opnfv-genesis.spec17
-rw-r--r--foreman/ci/Vagrantfile13
-rwxr-xr-xforeman/ci/bootstrap.sh5
-rwxr-xr-xforeman/ci/clean.sh217
-rwxr-xr-xforeman/ci/deploy.sh1672
-rw-r--r--foreman/ci/inventory/lf_pod2_ksgen_settings.yml36
-rw-r--r--foreman/ci/opnfv_ksgen_settings.yml35
-rw-r--r--foreman/ci/opnfv_ksgen_settings_no_HA.yml272
-rw-r--r--foreman/ci/reload_playbook.yml1
-rwxr-xr-xforeman/ci/resize_lvm.sh37
-rwxr-xr-xforeman/ci/resize_partition.sh33
-rwxr-xr-xforeman/ci/vm_nodes_provision.sh59
-rw-r--r--foreman/docs/src/installation-instructions.rst448
-rw-r--r--foreman/docs/src/release-notes.rst161
-rw-r--r--fuel/TODO5
-rw-r--r--fuel/build/Makefile49
-rw-r--r--fuel/build/README1
-rw-r--r--fuel/build/cache.mk18
-rw-r--r--fuel/build/config.mk9
-rw-r--r--fuel/build/docker/ubuntu-builder/Dockerfile5
-rwxr-xr-xfuel/build/docker/ubuntu-builder/install.sh25
-rw-r--r--fuel/build/f_isoroot/Makefile2
-rwxr-xr-xfuel/build/f_isoroot/f_bootstrap/bootstrap_admin_node.sh107
-rwxr-xr-xfuel/build/f_isoroot/f_bootstrap/bootstrap_admin_node.sh.orig108
-rwxr-xr-xfuel/build/f_isoroot/f_bootstrap/post-scripts/01_fix_iommubug.sh9
-rwxr-xr-xfuel/build/f_isoroot/f_bootstrap/post-scripts/02_fix_console_speed.sh15
-rwxr-xr-xfuel/build/f_isoroot/f_bootstrap/post-scripts/03_install_repo.sh19
-rw-r--r--[-rwxr-xr-x]fuel/build/f_isoroot/f_kscfg/ks.cfg122
-rw-r--r--fuel/build/f_isoroot/f_kscfg/ks.cfg.orig120
-rw-r--r--fuel/build/f_isoroot/f_odlpluginbuild/Makefile38
-rw-r--r--fuel/build/f_isoroot/f_predeployment/Makefile28
-rw-r--r--fuel/build/f_isoroot/f_predeployment/README18
-rwxr-xr-xfuel/build/f_isoroot/f_predeployment/pre-deploy.sh401
-rwxr-xr-xfuel/build/f_isoroot/f_predeployment/sysinfo.sh12
-rwxr-xr-xfuel/build/f_isoroot/f_predeployment/transform_yaml.py68
-rw-r--r--fuel/build/f_isoroot/f_repobuild/Makefile56
-rw-r--r--fuel/build/f_l23network/Makefile28
-rw-r--r--fuel/build/f_l23network/README35
-rw-r--r--fuel/build/f_l23network/puppet/modules/l23network/lib/puppet/parser/functions/extras_to_hosts.rb21
-rw-r--r--fuel/build/f_l23network/puppet/modules/l23network/manifests/hosts_file.pp18
-rw-r--r--fuel/build/f_l23network/puppet/modules/l23network/manifests/hosts_file.pp.orig16
-rw-r--r--fuel/build/f_l23network/testing/README12
-rw-r--r--fuel/build/f_l23network/testing/fake_init.pp13
-rw-r--r--fuel/build/f_ntp/Makefile28
-rw-r--r--fuel/build/f_ntp/README33
-rw-r--r--fuel/build/f_ntp/puppet/modules/opnfv/manifests/ntp.pp80
-rw-r--r--fuel/build/f_ntp/puppet/modules/opnfv/templates/ntp.conf.compute.erb21
-rw-r--r--fuel/build/f_ntp/puppet/modules/opnfv/templates/ntp.conf.controller.erb21
-rw-r--r--fuel/build/f_ntp/testing/README12
-rwxr-xr-xfuel/build/f_odl_docker/Makefile51
-rwxr-xr-xfuel/build/f_odl_docker/dockerfile/Dockerfile72
-rwxr-xr-xfuel/build/f_odl_docker/dockerfile/container_scripts/check_feature.sh8
-rwxr-xr-xfuel/build/f_odl_docker/dockerfile/container_scripts/speak.sh17
-rwxr-xr-xfuel/build/f_odl_docker/dockerfile/container_scripts/start_odl_docker.sh38
-rw-r--r--fuel/build/f_odl_docker/puppet/modules/opnfv/manifests/odl_docker.pp77
-rw-r--r--fuel/build/f_odl_docker/puppet/modules/opnfv/scripts/change.sh219
-rwxr-xr-xfuel/build/f_odl_docker/puppet/modules/opnfv/scripts/config_net_odl.sh192
-rwxr-xr-xfuel/build/f_odl_docker/puppet/modules/opnfv/scripts/stage_odl.sh54
-rwxr-xr-xfuel/build/f_odl_docker/puppet/modules/opnfv/scripts/start_odl_container.sh95
-rw-r--r--fuel/build/f_odl_docker/scripts/config_net_odl.sh164
-rw-r--r--fuel/build/f_odl_docker/scripts/config_neutron_for_odl.sh146
-rwxr-xr-xfuel/build/f_odl_docker/scripts/prep_nets_for_odl.sh90
-rw-r--r--fuel/build/f_odl_docker/scripts/setup_ovs_for_odl.sh23
-rw-r--r--fuel/build/f_opnfv_puppet/Makefile28
-rw-r--r--fuel/build/f_opnfv_puppet/README12
-rw-r--r--fuel/build/f_opnfv_puppet/puppet/modules/opnfv/manifests/add_packages.pp9
-rw-r--r--fuel/build/f_opnfv_puppet/puppet/modules/opnfv/manifests/init.pp28
-rw-r--r--fuel/build/f_opnfv_puppet/puppet/modules/opnfv/manifests/opncheck.pp21
-rw-r--r--fuel/build/f_osnaily/Makefile28
-rw-r--r--fuel/build/f_osnaily/puppet/modules/osnailyfacter/examples/site.pp366
-rw-r--r--fuel/build/f_osnaily/puppet/modules/osnailyfacter/examples/site.pp.orig353
-rw-r--r--fuel/build/f_resolvconf/Makefile28
-rw-r--r--fuel/build/f_resolvconf/README36
-rw-r--r--fuel/build/f_resolvconf/puppet/modules/opnfv/manifests/resolver.pp73
-rw-r--r--fuel/build/f_resolvconf/puppet/modules/opnfv/templates/resolv.conf.erb15
-rw-r--r--fuel/build/f_resolvconf/testing/README13
-rw-r--r--fuel/build/f_resolvconf/testing/fake_init.pp13
-rw-r--r--fuel/build/fuel-agent_1.patch36
-rw-r--r--fuel/build/fuel-main_1.patch104
-rw-r--r--fuel/build/fuel-main_2.patch18
-rw-r--r--fuel/build/fuel-main_3.patch19
-rw-r--r--fuel/build/fuel-main_5.patch19
-rw-r--r--fuel/build/install/apt-ftparchive-deb.conf6
-rw-r--r--fuel/build/install/apt-ftparchive-release.conf8
-rw-r--r--fuel/build/install/apt-ftparchive-udeb.conf4
-rwxr-xr-xfuel/build/install/install.sh84
-rwxr-xr-xfuel/build/install/uninstall.sh16
-rw-r--r--fuel/build/opendaylight/Makefile102
-rw-r--r--fuel/build/opendaylight/README52
-rw-r--r--fuel/build/opendaylight/f_odl/Makefile49
-rw-r--r--fuel/build/opendaylight/f_odl/README49
-rw-r--r--fuel/build/opendaylight/f_odl/puppet/modules/opnfv/manifests/odl.pp13
-rw-r--r--fuel/build/opendaylight/f_odl/testing/README12
-rw-r--r--fuel/build/opendaylight/f_odl/testing/fake_init.pp13
-rwxr-xr-xfuel/build/opendaylight/make-odl-deb.sh314
-rw-r--r--fuel/build/opendaylight/odl_maven/settings.xml46
-rw-r--r--fuel/build/patch-packages/Makefile2
-rw-r--r--fuel/build/patch-packages/debootstrap/Makefile28
-rw-r--r--fuel/build/patch-packages/debootstrap/debootstrap.patch12
-rw-r--r--fuel/build/patch-packages/neutron-common/Makefile19
-rw-r--r--fuel/build/patch-packages/neutron-common/quota.patch67
-rw-r--r--fuel/build/patch-packages/novnc/Makefile22
-rwxr-xr-xfuel/build/patch-packages/novnc/fix-missing.sh9
-rw-r--r--fuel/ci/README89
-rwxr-xr-xfuel/ci/build.sh358
-rwxr-xr-xfuel/ci/deploy.sh18
-rw-r--r--fuel/deploy/README186
-rw-r--r--fuel/deploy/README.txt71
-rw-r--r--fuel/deploy/__init__.py8
-rw-r--r--fuel/deploy/baremetal/dea.yaml982
-rw-r--r--fuel/deploy/baremetal/dha.yaml53
-rw-r--r--fuel/deploy/cloud/configure_environment.py41
-rw-r--r--fuel/deploy/cloud/configure_network.py15
-rw-r--r--fuel/deploy/cloud/configure_nodes.py40
-rw-r--r--fuel/deploy/cloud/configure_settings.py12
-rw-r--r--fuel/deploy/cloud/deploy.py213
-rw-r--r--fuel/deploy/cloud/deployment.py60
-rw-r--r--fuel/deploy/common.py77
-rw-r--r--fuel/deploy/dea.py39
-rw-r--r--fuel/deploy/deploy.py263
-rw-r--r--fuel/deploy/deploy_env.py207
-rw-r--r--fuel/deploy/dha.py21
-rw-r--r--fuel/deploy/dha_adapters/__init__.py8
-rw-r--r--fuel/deploy/dha_adapters/hardware_adapter.py20
-rw-r--r--fuel/deploy/dha_adapters/hp_adapter.py17
-rw-r--r--fuel/deploy/dha_adapters/ipmi_adapter.py59
-rw-r--r--fuel/deploy/dha_adapters/libvirt_adapter.py23
-rw-r--r--fuel/deploy/environments/__init__.py (renamed from fuel/build/f_ntp/testing/fake_init.pp)11
-rw-r--r--fuel/deploy/environments/execution_environment.py78
-rw-r--r--fuel/deploy/environments/libvirt_environment.py107
-rw-r--r--fuel/deploy/environments/virtual_fuel.py70
-rw-r--r--fuel/deploy/execution_environment.py46
-rw-r--r--fuel/deploy/fuel_patch/ks.cfg.patch19
-rwxr-xr-xfuel/deploy/install-ubuntu-packages.sh18
-rw-r--r--fuel/deploy/install_fuel_master.py137
-rw-r--r--fuel/deploy/libvirt/dha.yaml80
-rw-r--r--fuel/deploy/reap.py339
-rw-r--r--fuel/deploy/setup_environment.py165
-rw-r--r--fuel/deploy/setup_vfuel.py143
-rw-r--r--fuel/deploy/ssh_client.py23
-rw-r--r--fuel/deploy/templates/hardware_environment/conf/ericsson_montreal_lab/dea.yaml844
-rw-r--r--fuel/deploy/templates/hardware_environment/conf/ericsson_montreal_lab/dha.yaml54
-rw-r--r--fuel/deploy/templates/hardware_environment/conf/linux_foundation_lab/pod1/dea.yaml841
-rw-r--r--fuel/deploy/templates/hardware_environment/conf/linux_foundation_lab/pod1/dha.yaml49
-rw-r--r--fuel/deploy/templates/hardware_environment/conf/linux_foundation_lab/pod2/dea.yaml (renamed from fuel/deploy/libvirt/dea.yaml)941
-rw-r--r--fuel/deploy/templates/hardware_environment/conf/linux_foundation_lab/pod2/dha.yaml49
-rw-r--r--fuel/deploy/templates/hardware_environment/conf/opnfv_box/dea.yaml842
-rw-r--r--fuel/deploy/templates/hardware_environment/conf/opnfv_box/dha.yaml49
-rw-r--r--fuel/deploy/templates/hardware_environment/vms/fuel.xml (renamed from fuel/deploy/baremetal/vm/vFuel)32
-rw-r--r--fuel/deploy/templates/virtual_environment/conf/dea.yaml838
-rw-r--r--fuel/deploy/templates/virtual_environment/conf/dha.yaml38
-rw-r--r--fuel/deploy/templates/virtual_environment/networks/fuel1.xml (renamed from fuel/deploy/libvirt/networks/fuel1)0
-rw-r--r--fuel/deploy/templates/virtual_environment/networks/fuel2.xml (renamed from fuel/deploy/libvirt/networks/fuel2)0
-rw-r--r--fuel/deploy/templates/virtual_environment/networks/fuel3.xml (renamed from fuel/deploy/libvirt/networks/fuel3)0
-rw-r--r--fuel/deploy/templates/virtual_environment/networks/fuel4.xml (renamed from fuel/deploy/libvirt/networks/fuel4)0
-rw-r--r--fuel/deploy/templates/virtual_environment/vms/compute.xml (renamed from fuel/deploy/libvirt/vms/compute)4
-rw-r--r--fuel/deploy/templates/virtual_environment/vms/controller.xml (renamed from fuel/deploy/libvirt/vms/controller)7
-rw-r--r--fuel/deploy/templates/virtual_environment/vms/fuel.xml (renamed from fuel/deploy/libvirt/vms/fuel-master)2
-rw-r--r--fuel/deploy/transplant_fuel_settings.py25
-rw-r--r--fuel/docs/src/build-instructions.rst37
-rw-r--r--fuel/docs/src/installation-instructions.rst361
-rw-r--r--fuel/docs/src/release-notes.rst111
-rw-r--r--fuel/prototypes/auto-deploy/configs/lf_pod1/dea_ha.yaml2
-rw-r--r--fuel/prototypes/auto-deploy/configs/lf_pod1/dea_no-ha.yaml2
-rw-r--r--fuel/prototypes/auto-deploy/examples/libvirt/conf/vms/compute41
-rw-r--r--fuel/prototypes/auto-deploy/examples/libvirt/conf/vms/compute51
-rw-r--r--fuel/prototypes/auto-deploy/examples/libvirt/conf/vms/controller11
-rw-r--r--fuel/prototypes/auto-deploy/examples/libvirt/conf/vms/fuel-master1
-rw-r--r--opensteak/ci/build.sh19
-rw-r--r--opensteak/ci/deploy.sh28
-rw-r--r--opensteak/config/common.yaml119
-rw-r--r--opensteak/config/infra.yaml81
-rw-r--r--opensteak/tools/README.rst52
-rw-r--r--opensteak/tools/config.yaml78
-rw-r--r--opensteak/tools/create_foreman.py236
-rw-r--r--opensteak/tools/files_foreman/id_rsa27
-rw-r--r--opensteak/tools/files_foreman/id_rsa.pub1
-rw-r--r--opensteak/tools/opensteak/__init__.py18
-rw-r--r--opensteak/tools/opensteak/argparser.py46
-rw-r--r--opensteak/tools/opensteak/conf.py72
-rw-r--r--opensteak/tools/opensteak/foreman.py60
-rw-r--r--opensteak/tools/opensteak/foreman_objects/__init__.py18
-rw-r--r--opensteak/tools/opensteak/foreman_objects/api.py197
-rw-r--r--opensteak/tools/opensteak/foreman_objects/architectures.py49
-rw-r--r--opensteak/tools/opensteak/foreman_objects/compute_resources.py62
-rw-r--r--opensteak/tools/opensteak/foreman_objects/domains.py44
-rw-r--r--opensteak/tools/opensteak/foreman_objects/freeip.py79
-rw-r--r--opensteak/tools/opensteak/foreman_objects/hostgroups.py103
-rw-r--r--opensteak/tools/opensteak/foreman_objects/hosts.py142
-rw-r--r--opensteak/tools/opensteak/foreman_objects/item.py135
-rw-r--r--opensteak/tools/opensteak/foreman_objects/itemHost.py141
-rw-r--r--opensteak/tools/opensteak/foreman_objects/itemHostsGroup.py50
-rw-r--r--opensteak/tools/opensteak/foreman_objects/itemOverrideValues.py61
-rw-r--r--opensteak/tools/opensteak/foreman_objects/itemSmartClassParameter.py62
-rw-r--r--opensteak/tools/opensteak/foreman_objects/objects.py136
-rw-r--r--opensteak/tools/opensteak/foreman_objects/operatingsystems.py66
-rw-r--r--opensteak/tools/opensteak/foreman_objects/puppetClasses.py46
-rw-r--r--opensteak/tools/opensteak/foreman_objects/smart_proxies.py36
-rw-r--r--opensteak/tools/opensteak/foreman_objects/subnets.py67
-rw-r--r--opensteak/tools/opensteak/printer.py141
-rw-r--r--opensteak/tools/opensteak/templateparser.py34
-rw-r--r--opensteak/tools/opensteak/virsh.py174
-rw-r--r--opensteak/tools/templates_foreman/install.sh216
-rw-r--r--opensteak/tools/templates_foreman/kvm-config65
-rw-r--r--opensteak/tools/templates_foreman/meta-data12
-rw-r--r--opensteak/tools/templates_foreman/user-data25
370 files changed, 24488 insertions, 8270 deletions
diff --git a/common/ci/clean.sh b/common/ci/clean.sh
new file mode 100755
index 0000000..cc116e8
--- /dev/null
+++ b/common/ci/clean.sh
@@ -0,0 +1,326 @@
+#!/usr/bin/env bash
+
+#Common clean script to uninstall provisioning server
+#author: Tim Rozet (trozet@redhat.com)
+#
+#Removes Libvirt, KVM, Vagrant, VirtualBox
+#
+#Destroys Vagrant VMs running in $vm_dir/
+#Shuts down all nodes found in Khaleesi settings
+#Removes hypervisor kernel modules (VirtualBox & KVM/Libvirt)
+
+##VARS
+reset=`tput sgr0`
+blue=`tput setaf 4`
+red=`tput setaf 1`
+green=`tput setaf 2`
+pxe_bridge='pxebr'
+vm_dir=/var/opt/opnfv
+first_interface='enp6s0'
+second_interface='enp7s0'
+management_vid=300
+management_interface="${first_interface}.${management_vid}"
+##END VARS
+
+##FUNCTIONS
+display_usage() {
+ echo -e "\n\n${blue}This script is used to uninstall and clean the OPNFV Target System${reset}\n\n"
+ echo -e "\nUsage:\n$0 [arguments] \n"
+ echo -e "\n -no_parse : No variable parsing into config. Flag. \n"
+ echo -e "\n -base_config : Full path of ksgen settings file to parse. Required. Will provide BMC info to shutdown hosts. Example: -base_config /opt/myinventory.yml \n"
+}
+
+remove_interface_with_name_pattern() {
+ if [ -z $1 ]; then
+ echo "${red}Cannot remove interface. No interface name pattern specified!${reset}"
+ exit 1
+ fi
+ local interface_name_pattern=$1
+ echo "${blue} Looking for interface with name pattern: ${interface_name_pattern}${reset}"
+ interface=$(ip link show | grep -oP ${interface_name_pattern})
+ if [ ! -z "${interface}" ]; then
+ echo "${blue}Interface ${interface} detected! Removing...${reset}"
+ ip link del ${interface}
+ if ip link show | grep -oP ${interface_name_pattern}; then
+ echo "${red}Could not remove interface ${interface} ${reset}"
+ exit 1
+ else
+ echo "${blue}Interface ${interface} successfully removed${reset}"
+ fi
+ else
+ echo "${blue}Interface with name pattern ${interface_name_pattern} does not exist, nothing to remove${reset}"
+ fi
+}
+##END FUNCTIONS
+
+if [[ ( $1 == "--help") || $1 == "-h" ]]; then
+ display_usage
+ exit 0
+fi
+
+echo -e "\n\n${blue}This script is used to uninstall and clean the OPNFV Target System${reset}\n\n"
+echo "Use -h to display help"
+sleep 2
+
+while [ "`echo $1 | cut -c1`" = "-" ]
+do
+ echo $1
+ case "$1" in
+ -base_config)
+ base_config=$2
+ shift 2
+ ;;
+ *)
+ display_usage
+ exit 1
+ ;;
+esac
+done
+
+if [ ! -z "$base_config" ]; then
+ # Install ipmitool
+ # Major version is pinned to force some consistency for Arno
+ if ! yum list installed | grep -i ipmitool; then
+ if ! yum -y install ipmitool-1*; then
+ echo "${red}Unable to install ipmitool!${reset}"
+ exit 1
+ fi
+ else
+ echo "${blue}Skipping ipmitool as it is already installed!${reset}"
+ fi
+
+ ###find all the bmc IPs and number of nodes
+ node_counter=0
+ output=`grep bmc_ip $base_config | grep -Eo '[0-9]+.[0-9]+.[0-9]+.[0-9]+'`
+ for line in ${output} ; do
+ bmc_ip[$node_counter]=$line
+ ((node_counter++))
+ done
+
+ max_nodes=$((node_counter-1))
+
+ ###find bmc_users per node
+ node_counter=0
+ output=`grep bmc_user $base_config | sed 's/\s*bmc_user:\s*//'`
+ for line in ${output} ; do
+ bmc_user[$node_counter]=$line
+ ((node_counter++))
+ done
+
+ ###find bmc_pass per node
+ node_counter=0
+ output=`grep bmc_pass $base_config | sed 's/\s*bmc_pass:\s*//'`
+ for line in ${output} ; do
+ bmc_pass[$node_counter]=$line
+ ((node_counter++))
+ done
+ for mynode in `seq 0 $max_nodes`; do
+ echo "${blue}Node: ${bmc_ip[$mynode]} ${bmc_user[$mynode]} ${bmc_pass[$mynode]} ${reset}"
+ if ipmitool -I lanplus -P ${bmc_pass[$mynode]} -U ${bmc_user[$mynode]} -H ${bmc_ip[$mynode]} chassis power off; then
+ echo "${blue}Node: $mynode, ${bmc_ip[$mynode]} powered off!${reset}"
+ else
+ echo "${red}Error: Unable to power off $mynode, ${bmc_ip[$mynode]} ${reset}"
+ exit 1
+ fi
+ done
+else
+ echo "${blue}Skipping Baremetal node poweroff as base_config was not provided${reset}"
+fi
+###check to see if vbox is installed
+vboxpkg=`rpm -qa | grep VirtualBox`
+if [ $? -eq 0 ]; then
+ skip_vagrant=0
+else
+ skip_vagrant=1
+fi
+
+###legacy VM location check
+###remove me later
+if [ -d /tmp/bgs_vagrant ]; then
+ cd /tmp/bgs_vagrant
+ vagrant destroy -f
+ rm -rf /tmp/bgs_vagrant
+fi
+
+###destroy vagrant
+if [ $skip_vagrant -eq 0 ]; then
+ if [ -d $vm_dir ]; then
+ ##all vm directories
+ for vm in $( ls $vm_dir ); do
+ cd $vm_dir/$vm
+ if vagrant destroy -f; then
+ echo "${blue}Successfully destroyed $vm Vagrant VM ${reset}"
+ else
+ echo "${red}Unable to destroy $vm Vagrant VM! Attempting to killall vagrant if process is hung ${reset}"
+ killall vagrant
+ echo "${blue}Checking if vagrant was already destroyed and no process is active...${reset}"
+ if ps axf | grep vagrant; then
+ echo "${red}Vagrant process still exists after kill...exiting ${reset}"
+ exit 1
+ else
+ echo "${blue}Vagrant process doesn't exist. Moving on... ${reset}"
+ fi
+ fi
+
+ ##Vagrant boxes appear as VboxHeadless processes
+ ##try to gracefully destroy the VBox VM if it still exists
+ if vboxmanage list runningvms | grep $vm; then
+ echo "${red} $vm VBoxHeadless process still exists...Removing${reset}"
+ vbox_id=$(vboxmanage list runningvms | grep $vm | awk '{print $1}' | sed 's/"//g')
+ vboxmanage controlvm $vbox_id poweroff
+ if vboxmanage unregistervm --delete $vbox_id; then
+ echo "${blue}$vm VM is successfully deleted! ${reset}"
+ else
+ echo "${red} Unable to delete VM $vm ...Exiting ${reset}"
+ exit 1
+ fi
+ else
+ echo "${blue}$vm VM is successfully deleted! ${reset}"
+ fi
+ done
+ else
+ echo "${blue}${vm_dir} doesn't exist, no VMs in OPNFV directory to destroy! ${reset}"
+ fi
+
+ echo "${blue}Checking for any remaining virtual box processes...${reset}"
+ ###kill virtualbox
+ if ps axf | grep virtualbox; then
+ echo "${blue}virtualbox processes are still running. Killing any remaining VirtualBox processes...${reset}"
+ killall virtualbox
+ fi
+
+ ###kill any leftover VMs (brute force)
+ if ps axf | grep VBoxHeadless; then
+ echo "${blue}VBoxHeadless processes are still running. Killing any remaining VBoxHeadless processes...${reset}"
+ killall VBoxHeadless
+ fi
+
+ ###remove virtualbox
+ echo "${blue}Removing VirtualBox... ${reset}"
+ yum -y remove $vboxpkg
+
+else
+ echo "${blue}Skipping Vagrant destroy + VBox Removal as VirtualBox package is already removed ${reset}"
+fi
+
+###remove working vm directory
+echo "${blue}Removing working VM directory: $vm_dir ${reset}"
+rm -rf $vm_dir
+
+###check to see if libvirt is installed
+echo "${blue}Checking if libvirt/KVM is installed"
+if rpm -qa | grep -iE 'libvirt|kvm'; then
+ echo "${blue}Libvirt/KVM is installed${reset}"
+ echo "${blue}Checking for any QEMU/KVM VMs...${reset}"
+ vm_count=0
+ while read -r line; do ((vm_count++)); done < <(virsh list --all | sed 1,2d | head -n -1)
+ if [ $vm_count -gt 0 ]; then
+ echo "${blue}VMs Found: $vm_count${reset}"
+ vm_runnning=0
+ while read -r line; do ((vm_running++)); done < <(virsh list --all | sed 1,2d | head -n -1| grep -i running)
+ echo "${blue}Powering off $vm_running VM(s)${reset}"
+ while read -r vm; do
+ if ! virsh destroy $vm; then
+ echo "${red}WARNING: Unable to power off VM ${vm}${reset}"
+ else
+ echo "${blue}VM $vm powered off!${reset}"
+ fi
+ done < <(virsh list --all | sed 1,2d | head -n -1| grep -i running | sed 's/^[ \t]*//' | awk '{print $2}')
+ echo "${blue}Destroying libvirt VMs...${reset}"
+ while read -r vm; do
+ if ! virsh undefine --remove-all-storage $vm; then
+ echo "${red}ERROR: Unable to remove the VM ${vm}${reset}"
+ exit 1
+ else
+ echo "${blue}VM $vm removed!${reset}"
+ fi
+ done < <(virsh list --all | sed 1,2d | head -n -1| awk '{print $2}')
+ else
+ echo "${blue}No VMs found for removal"
+ fi
+ echo "${blue}Removing libvirt and kvm packages"
+ yum -y remove libvirt-*
+ yum -y remove *qemu*
+else
+ echo "${blue}libvirt/KVM is not installed${reset}"
+fi
+
+###remove possible VMs (needed for 'rmmod kvm_intel')
+if [ -n "$(ps -ef | grep qemu-kvm | grep -v grep)" ]; then
+ echo "${blue}Removing existing VMs ${reset}"
+ killall -9 qemu-kvm
+fi
+
+###remove kernel modules
+echo "${blue}Removing kernel modules ${reset}"
+for kernel_mod in vboxnetadp vboxnetflt vboxpci vboxdrv kvm_intel kvm; do
+ if ! rmmod $kernel_mod; then
+ if rmmod $kernel_mod 2>&1 | grep -i 'not currently loaded'; then
+ echo "${blue} $kernel_mod is not currently loaded! ${reset}"
+ else
+ echo "${red}Error trying to remove Kernel Module: $kernel_mod ${reset}"
+ exit 1
+ fi
+ else
+ echo "${blue}Removed Kernel Module: $kernel_mod ${reset}"
+ fi
+done
+
+###remove PXE bridge
+echo "${blue}Checking whether PXE bridge ${pxe_bridge} exists${reset}"
+if ! brctl show ${pxe_bridge} 2>&1 | grep -i 'No such device'; then
+ echo "${blue}PXE bridge ${pxe_bridge} detected! Removing...${reset}"
+ link_state=$(ip link show ${pxe_bridge} | grep -oP 'state \K[^ ]+')
+ if [[ ${link_state} != 'DOWN' ]]; then
+ ip link set dev ${pxe_bridge} down
+ sleep 5
+ link_state=$(ip link show ${pxe_bridge} | grep -oP 'state \K[^ ]+')
+ if [[ ${link_state} != 'DOWN' ]]; then
+ echo "${red}Could not bring DOWN bridge ${pxe_bridge} link state is ${link_state}${reset}"
+ exit 1
+ fi
+ fi
+ brctl delbr ${pxe_bridge}
+ if ifconfig | grep ${pxe_bridge} || brctl show | grep ${pxe_bridge}; then
+ echo "${red}Error trying to remove ${pxe_bridge}${reset}"
+ exit 1
+ else
+ echo "${blue}PXE bridge ${pxe_bridge} removed${reset}"
+ fi
+else
+ echo "${blue}PXE bridge ${pxe_bridge} does not exist${reset}"
+fi
+
+###remove PXE interface (VLAN 0)
+echo "${blue}Checking whether PXE interface (VLAN 0) exists and remove it${reset}"
+remove_interface_with_name_pattern "enp.+s.+\.0"
+
+###remove Openstack Management interface (VLAN 300)
+echo "${blue}Checking whether Openstack Management interface (VLAN 300) exists and remove it${reset}"
+remove_interface_with_name_pattern "enp.+s.+\.${management_vid}"
+
+###bounce interfaces to restore default IP config
+echo "${blue}Bouncing interfaces to restore IP config${reset}"
+for interface in $first_interface $second_interface; do
+ echo "${blue}Bouncing interface: ${interface}${reset}"
+ ifdown $interface
+ sleep 5
+ ifup $interface
+ tries=5
+ counter=0
+ while [ $counter -lt $tries ]; do
+ if ip addr show $interface | grep -Eo "inet [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"; then
+ temp_ip=$(ip addr show $interface | grep -Eo "inet [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | awk '{print $2}')
+ echo "${blue}IP found on ${interface}. IP is ${temp_ip}${reset}"
+ break
+ else
+ ((counter++))
+ sleep 2
+ fi
+ done
+
+ if [ "$counter" -ge 5 ]; then
+ echo "${red}Error: Unable to get IP address on ${interface}${reset}"
+ exit 1
+ fi
+done
diff --git a/common/ci/setup.sh b/common/ci/setup.sh
new file mode 100755
index 0000000..bb54147
--- /dev/null
+++ b/common/ci/setup.sh
@@ -0,0 +1,270 @@
+#!/usr/bin/env bash
+
+#Script that install prerequisites
+#author: Szilard Cserey (szilard.cserey@ericsson.com)
+#
+#Installs qemu-kvm, libvirt and prepares networking for Fuel VM
+
+##VARS
+reset=`tput sgr0`
+blue=`tput setaf 4`
+red=`tput setaf 1`
+green=`tput setaf 2`
+private_interface='enp6s0'
+public_interface='enp8s0'
+pxe_bridge='pxebr'
+fuel_gw_ip='10.20.0.1/16'
+management_vid=300
+management_interface="${private_interface}.${management_vid}"
+##END VARS
+
+##FUNCTIONS
+###check whether qemu-kvm is installed, otherwise install it
+install_qemu_kvm() {
+ echo "${blue}Checking whether qemu-kvm is installed, otherwise install it${reset}"
+ if ! rpm -qa | grep -iE 'qemu-kvm'; then
+ echo "${blue}qemu-kvm is not installed, installing...${reset}"
+ yum -y install qemu-kvm
+ else
+ echo "${green}OK!${reset}"
+ fi
+}
+
+###check whether libvirt is installed, otherwise install it
+install_libvirt() {
+ echo "${blue}Checking whether libvirt is installed, otherwise install it${reset}"
+ if ! rpm -qa | grep -iE 'libvirt'; then
+ echo "${blue}libvirt is not installed, installing...${reset}"
+ yum -y install libvirt
+ else
+ echo "${green}OK!${reset}"
+ fi
+}
+
+###check whether kvm kernel module is loaded, otherwise load it
+load_kvm_kernel_mod() {
+ echo "${blue}Checking whether kvm kernel module is loaded, otherwise load it${reset}"
+ if ! lsmod | grep -iE 'kvm'; then
+ if [[ `lscpu | grep 'Vendor ID' | awk 'BEGIN { FS = ":" } ; {print $2}' | tr -d ' '` == 'GenuineIntel' ]]; then
+ echo "${blue}Intel processor identified, loading kernel module kvm-intel${reset}"
+ kernel_mod='kvm-intel'
+ modprobe ${kernel_mod}
+ fi
+ if [[ `lscpu | grep 'Vendor ID' | awk 'BEGIN { FS = ":" } ; {print $2}' | tr -d ' '` == 'AuthenticAMD' ]]; then
+ echo "${blue}AMD processor identified, loading kernel module kvm-amd${reset}"
+ kernel_mod='kvm-amd'
+ modprobe ${kernel_mod}
+ fi
+ if ! lsmod | grep -iE 'kvm'; then
+ echo "${red}Failed to load kernel module ${kernel_mod}!${reset}"
+ exit 1
+ fi
+ else
+ echo "${green}OK!${reset}"
+ fi
+}
+
+###check whether libvirtd service is running otherwise start it
+start_libvirtd_service() {
+ echo "${blue}Checking whether libvirtd service is running otherwise start it${reset}"
+ if ! sudo systemctl status libvirtd | grep -iE 'active \(running\)'; then
+ echo "${blue}starting libvirtd service${reset}"
+ systemctl start libvirtd
+ if ! sudo systemctl status libvirtd | grep -iE 'active \(running\)'; then
+ echo "${red}Failed to start libvirtd service!${reset}"
+ exit 1
+ fi
+ else
+ echo "${green}OK!${reset}"
+ fi
+}
+
+
+#Check whether interface exists
+check_interface_exists() {
+ if [ -z $1 ]; then
+ echo "${red}Cannot check whether interface exists! No interface specified!${reset}"
+ exit 1
+ fi
+ local interface=$1
+ #Check whether interface exists
+ echo "${blue}Checking whether interface ${interface} exists${reset}"
+ if ! ip link show ${interface}; then
+ echo "${red}Interface ${interface} does not exists!${reset}"
+ exit 1
+ else
+ echo "${green}OK!${reset}"
+ fi
+}
+
+#Check whether interface is UP
+check_interface_up() {
+ if [ -z $1 ]; then
+ echo "${red}Cannot check whether interface is UP! No interface specified!${reset}"
+ exit 1
+ fi
+ local interface=$1
+
+ #Check whether interface is UP
+ echo "${blue}Checking whether interface ${interface} is UP${reset}"
+ link_state=$(ip link show ${interface} | grep -oP 'state \K[^ ]+')
+ if [[ ${link_state} != 'UP' ]]; then
+ echo "${blue}${interface} state is ${link_state}. Bringing it UP!${reset}"
+ ip link set dev ${interface} up
+ sleep 5
+ link_state=$(ip link show ${interface} | grep -oP 'state \K[^ ]+')
+ if [[ ${link_state} == 'DOWN' ]]; then
+ echo "${red}Could not bring UP interface ${interface} link state is ${link_state}${reset}"
+ exit 1
+ fi
+ else
+ echo "${green}OK!${reset}"
+ fi
+}
+
+#Create VLAN interface
+create_vlan_interface() {
+ if [ -z $1 ]; then
+ echo "${red}Cannot create VLAN interface. No base interface specified!${reset}"
+ exit 1
+ fi
+ if [ -z $2 ]; then
+ echo "${red}Cannot create VLAN interface. No VLAN ID specified!${reset}"
+ exit 1
+ fi
+
+ local base_interface=$1
+ local vid=$2
+ local interface="${base_interface}.${vid}"
+
+ echo "${blue}Checking whether VLAN ${vid} interface ${interface} exists, otherwise create it${reset}"
+ if ! ip link show ${interface}; then
+ echo "${blue}Creating VLAN ${vid} interface ${interface}${reset}"
+ ip link add link ${base_interface} name ${interface} type vlan id ${vid}
+ else
+ echo "${green}OK!${reset}"
+ fi
+
+ #Check whether VLAN interface is UP
+ check_interface_up ${interface}
+}
+
+###setup PXE Bridge
+setup_pxe_bridge() {
+ pxe_vid=0
+ pxe_interface="${private_interface}.${pxe_vid}"
+ #Check whether VLAN 0 (PXE) interface exists, otherwise create it
+ create_vlan_interface ${private_interface} ${pxe_vid}
+
+ #Check whether PXE bridge exists
+ echo "${blue}Checking whether PXE bridge ${pxe_bridge} exists${reset}"
+ if brctl show ${pxe_bridge} 2>&1 | grep 'No such device'; then
+ echo "${blue}Creating PXE bridge ${pxe_bridge}${reset}"
+ brctl addbr ${pxe_bridge}
+ else
+ echo "${green}OK!${reset}"
+ fi
+
+ #Add VLAN 0 (PXE) interface to PXE bridge
+ echo "${blue}Checking whether VLAN 0 (PXE) interface ${pxe_interface} is added to PXE bridge ${pxe_bridge} exists${reset}"
+ if ! brctl show ${pxe_bridge} 2>&1 | grep ${pxe_interface}; then
+ echo "${blue}Adding VLAN 0 (PXE) interface ${pxe_interface} to PXE bridge ${pxe_bridge}${reset}"
+ brctl addif ${pxe_bridge} ${pxe_interface}
+ if ! brctl show ${pxe_bridge} 2>&1 | grep ${pxe_interface}; then
+ echo "${red}Could not add VLAN 0 (PXE) interface ${pxe_interface} to PXE bridge ${pxe_bridge}${reset}"
+ exit 1
+ fi
+ else
+ echo "${green}OK!${reset}"
+ fi
+
+ #Check whether PXE bridge is UP
+ check_interface_up ${pxe_bridge}
+
+ #Add Fuel Gateway IP Address to PXE bridge
+ echo "${blue}Checking whether Fuel Gateway IP Address ${fuel_gw_ip} is assigned to PXE bridge ${pxe_bridge}${reset}"
+ if ! ip addr show ${pxe_bridge} | grep ${fuel_gw_ip}; then
+ echo "${blue}Adding Fuel Gateway IP Address ${fuel_gw_ip} to PXE bridge ${pxe_bridge}${reset}"
+ sudo ip addr add ${fuel_gw_ip} dev ${pxe_bridge}
+ if ! ip addr show ${pxe_bridge} | grep ${fuel_gw_ip}; then
+ echo "${red}Could not add Fuel Gateway IP Address ${fuel_gw_ip} to PXE bridge ${pxe_bridge}${reset}"
+ exit 1
+ fi
+ else
+ echo "${green}OK!${reset}"
+ fi
+}
+
+###check whether access to public network is granted
+check_access_enabled_to_public_network() {
+ #Check whether IP forwarding is enabled
+ echo "${blue}Checking whether IP Forwarding is enabled ${reset}"
+ if ! sysctl net.ipv4.ip_forward | grep "net.ipv4.ip_forward = 1"; then
+ sysctl -w net.ipv4.ip_forward=1
+ if ! sysctl net.ipv4.ip_forward | grep "net.ipv4.ip_forward = 1"; then
+ echo "${red}IP Forwarding could not be enabled!${reset}"
+ exit 1
+ fi
+ else
+ echo "${green}OK!${reset}"
+ fi
+
+ echo "${blue}Checking whether access is granted to public network through interface ${public_interface}${reset}"
+ if ! sudo iptables -t nat -L POSTROUTING -v | grep "MASQUERADE.*${public_interface}.*anywhere.*anywhere"; then
+ echo "${blue}Enable access to public network through interface ${public_interface}${reset}"
+ iptables -t nat -A POSTROUTING -o ${public_interface} -j MASQUERADE
+ else
+ echo "${green}OK!${reset}"
+ fi
+}
+
+###setup Openstack Management Interface
+create_openstack_management_interface() {
+ #Check whether Openstack Management interface exists, otherwise create it
+ create_vlan_interface ${private_interface} ${management_vid}
+
+ echo "${blue}Moving IP addresses from interface ${private_interface} to VLAN ${management_vid} interface ${management_interface}${reset}"
+ private_interface_ip_addr_list=$(ip addr show ${private_interface} | grep -oP 'inet \K[^ ]+')
+ if [[ ! -z ${private_interface_ip_addr_list} ]]; then
+ echo -e "${blue}Found IP addresses on interface ${private_interface}:\n${private_interface_ip_addr_list}${reset}"
+ for private_interface_ip_addr in ${private_interface_ip_addr_list}
+ do
+ echo "${blue}Removing IP address ${private_interface_ip_addr} from interface ${private_interface}${reset}"
+ ip addr del ${private_interface_ip_addr} dev ${private_interface}
+ if ip addr show ${private_interface} | grep ${private_interface_ip_addr}; then
+ echo "${red}Could not remove IP address ${private_interface_ip_addr} from interface ${private_interface}${reset}"
+ exit 1
+ fi
+ if ! ip addr show ${management_interface} | grep ${private_interface_ip_addr}; then
+ echo "${blue}Adding IP address ${private_interface_ip_addr} to VLAN ${management_vid} interface ${management_interface}${reset}"
+ ip addr add ${private_interface_ip_addr} dev ${management_interface}
+ if ! ip addr show ${management_interface} | grep ${private_interface_ip_addr}; then
+ echo "${red}Could not set IP address ${private_interface_ip_addr} to VLAN ${management_vid} interface ${management_interface}${reset}"
+ exit 1
+ fi
+ else
+ echo "${blue}VLAN ${management_vid} interface ${management_interface} already has assigned to itself this IP address ${private_interface_ip_addr}${reset}"
+ fi
+ done
+ else
+ echo "${red}No IP Address is assigned to interface ${private_interface}, there isn't any IP address to move to interface ${management_interface}${reset}"
+ fi
+}
+
+##END FUNCTIONS
+
+main() {
+ install_qemu_kvm
+ install_libvirt
+ load_kvm_kernel_mod
+ start_libvirtd_service
+ check_interface_exists ${private_interface}
+ check_interface_up ${private_interface}
+ check_interface_exists ${public_interface}
+ check_interface_up ${public_interface}
+ setup_pxe_bridge
+ check_access_enabled_to_public_network
+ create_openstack_management_interface
+}
+
+main "$@"
diff --git a/common/docs/user-guide.rst b/common/docs/user-guide.rst
index 8e02224..08b2767 100644
--- a/common/docs/user-guide.rst
+++ b/common/docs/user-guide.rst
@@ -21,14 +21,13 @@ Version history
| **Date** | **Ver.** | **Author** | **Comment** |
| | | | |
+--------------------+--------------------+--------------------+--------------------+
-| 2015-05-28 | 0.0.1 | Christopher Price | Initial version |
+| 2015-06-04 | 1.0.0 | Christopher Price | Initial revision |
| | | (Ericsson AB) | |
+--------------------+--------------------+--------------------+--------------------+
-| 2015-06-02 | 0.0.2 | Christopher Price | Minor Updates |
-| | | (Ericsson AB) | |
+| 2015-06-05 | 1.0.1 | Christopher Price | Corrected links & |
+| | | (Ericsson AB) | e-mail address |
+--------------------+--------------------+--------------------+--------------------+
-
.. contents:: Table of Contents
:backlinks: none
@@ -60,16 +59,16 @@ Hardware Requirements
The Arno release of OPNFV is intended to be run as a baremetal deployment on a "Pharos compliant" lab infrastructure. The Pharos project in OPNFV is a community activity to provide guidance and establish requirements on hardware platforms supporting the Arno virtualisation platform.
-Prior to deploying the OPNFV platform it is important that the hardware infrastructure be configured according to the Pharos specification: http://artifacts.opnfv.org/pharos/docs/spec.html
+Prior to deploying the OPNFV platform it is important that the hardware infrastructure be configured according to the Pharos specification: https://www.opnfv.org/sites/opnfv/files/release/pharos-spec.arno.2015.1.0.pdf
Arno Platform Deployment
------------------------
The Arno platform supports installation and deployment using two deployment tools; a Foreman based deployment toolchain and a Fuel based deployment toolchain.
-In order to deploy the Arno release on a Pharos compliant lab using the Foreman deployment toolchain you should follow in the Foreman installation guide: http://artifacts.opnfv.org/genesis/foreman/docs/installation-instructions.html
+In order to deploy the Arno release on a Pharos compliant lab using the Foreman deployment toolchain you should follow in the Foreman installation guide: https://www.opnfv.org/sites/opnfv/files/release/foreman_install-guide.arno.2015.1.0.pdf
-In order to deploy the Arno release on a Pharos compliant lab using the Fuel deployment toolchain you should follow in the Fuel installation guide: http://artifacts.opnfv.org/genesis/fuel/docs/installation-instructions.html
+In order to deploy the Arno release on a Pharos compliant lab using the Fuel deployment toolchain you should follow in the Fuel installation guide: https://www.opnfv.org/sites/opnfv/files/release/install-guide.arno.2015.1.0.pdf
Enabling or disabling OpenDaylight and the native Neutron driver
----------------------------------------------------------------
@@ -79,7 +78,7 @@ You may find that you wish to adjust the system by enabling or disabling the nat
Deployment Validation
---------------------
-Once installed you should validate the deployment completed successfully by executing the automated basic platform validation routines outlined in the Arno testing documentation: http://artifacts.opnfv.org/functest/docs/functest.html
+Once installed you should validate the deployment completed successfully by executing the automated basic platform validation routines outlined in the Arno testing documentation: https://www.opnfv.org/sites/opnfv/files/release/functest.arno.2015.1.0.pdf
Operating the Arno platform
===========================
@@ -117,7 +116,7 @@ You can engage with the community to help us improve and further develop the OPN
- To access Jira for issue reporting or improvement proposals head to: https://jira.opnfv.org/
- To get started helping out developing the platform head to: https://wiki.opnfv.org/developer
-Alternatively if you are intending to invest your time as a user of the platform you can ask questions and request help from our mailing list at: mailto://support@opnfv.org
+Alternatively if you are intending to invest your time as a user of the platform you can ask questions and request help from our mailing list at: mailto://opnfv-users@lists.opnfv.org
License
=======
@@ -149,7 +148,7 @@ Fuel
`Fuel User Guide <http://docs.fuel-infra.org/openstack/fuel/fuel-6.0/user-guide.html>`_
:Authors: Christopher Price (christopher.price@ericsson.com)
-:Version: 0.0.2
+:Version: 1.0.1
**Documentation tracking**
diff --git a/common/puppet-opnfv/manifests/compute.pp b/common/puppet-opnfv/manifests/compute.pp
index 0b81757..2fed241 100644
--- a/common/puppet-opnfv/manifests/compute.pp
+++ b/common/puppet-opnfv/manifests/compute.pp
@@ -51,11 +51,11 @@ class opnfv::compute {
if !$ceilometer_metering_secret { $ceilometer_metering_secret = $single_password }
##HA Global params
- if $ha_flag {
+ if $ha_flag and str2bool($ha_flag) {
if $private_network == '' { fail('private_network is empty') }
if !$keystone_private_vip { fail('keystone_private_vip is empty') }
if !$glance_private_vip { fail('glance_private_vip is empty') }
- if !$nova_private_vip { fail('nova_private_vip is empty') }
+ if !$nova_public_vip { fail('nova_public_vip is empty') }
if !$nova_db_password { $nova_db_password = $single_password }
if !$nova_user_password { $nova_user_password = $single_password }
if !$controllers_ip_array { fail('controllers_ip_array is empty') }
@@ -78,19 +78,30 @@ class opnfv::compute {
} else {
##non HA params
- if $ovs_tunnel_if == '' { fail('ovs_tunnel_if is empty') }
- if !$private_ip { fail('private_ip is empty') }
- $keystone_private_vip = $private_ip
- $glance_private_vip = $private_ip
- $nova_private_vip = $private_ip
- $neutron_private_vip = $private_ip
- if !$nova_db_password { fail('nova_db_password is empty') }
- if !$nova_user_password { fail('nova_user_password is empty') }
- if !$odl_control_ip { $odl_control_ip = $private_ip }
- if !$mysql_ip { $mysql_ip = $private_ip }
- if !$amqp_ip { $amqp_ip = $private_ip }
- if !$amqp_username { $amqp_username = 'guest' }
- if !$amqp_password { $amqp_password = 'guest' }
+ ##Mandatory
+ if $private_network == '' { fail('private_network is empty') }
+ if ($odl_flag != '') and str2bool($odl_flag) {
+ if $odl_control_ip == '' { fail('odl_control_ip is empty') }
+ }
+ if $controller_ip == '' { fail('controller_ip is empty') }
+
+ ##Optional
+ ##Find private interface
+ $ovs_tunnel_if = get_nic_from_network("$private_network")
+ ##Find private ip
+ $private_ip = get_ip_from_nic("$ovs_tunnel_if")
+
+ $keystone_private_vip = $controller_ip
+ $glance_private_vip = $controller_ip
+ $nova_public_vip = $controller_ip
+ $neutron_private_vip = $controller_ip
+
+ if !$nova_db_password { $nova_db_password = $single_password }
+ if !$nova_user_password { $nova_user_password = $single_password }
+ if !$mysql_ip { $mysql_ip = $controller_ip }
+ if !$amqp_ip { $amqp_ip = $controller_ip }
+ if !$amqp_username { $amqp_username = $single_username }
+ if !$amqp_password { $amqp_password = $single_password }
if !$ceph_mon_host { $ceph_mon_host= ["$private_ip"] }
if !$ceph_mon_initial_members { $ceph_mon_initial_members = ["$::hostname"] }
}
@@ -103,7 +114,7 @@ class opnfv::compute {
libvirt_inject_password => 'false',
libvirt_inject_key => 'false',
libvirt_images_type => 'rbd',
- nova_host => $nova_private_vip,
+ nova_host => $nova_public_vip,
nova_db_password => $nova_db_password,
nova_user_password => $nova_user_password,
private_network => '',
diff --git a/common/puppet-opnfv/manifests/controller_networker.pp b/common/puppet-opnfv/manifests/controller_networker.pp
index 157bc8f..60cae34 100644
--- a/common/puppet-opnfv/manifests/controller_networker.pp
+++ b/common/puppet-opnfv/manifests/controller_networker.pp
@@ -302,6 +302,7 @@ class opnfv::controller_networker {
class { "quickstack::pacemaker::neutron":
agent_type => $this_agent,
enable_tunneling => 'true',
+ external_network_bridge => 'br-ex',
ml2_mechanism_drivers => $ml2_mech_drivers,
ml2_network_vlan_ranges => ["physnet1:10:50"],
odl_controller_ip => $odl_control_ip,
@@ -309,6 +310,18 @@ class opnfv::controller_networker {
ovs_tunnel_iface => $ovs_tunnel_if,
ovs_tunnel_types => ["vxlan"],
verbose => 'true',
+ neutron_conf_additional_params => { default_quota => 'default',
+ quota_network => '50',
+ quota_subnet => '50',
+ quota_port => 'default',
+ quota_security_group => '50',
+ quota_security_group_rule => 'default',
+ quota_vip => 'default',
+ quota_pool => 'default',
+ quota_router => '50',
+ quota_floatingip => '100',
+ network_auto_schedule => 'default',
+ },
}
if ($external_network_flag != '') and str2bool($external_network_flag) {
@@ -316,50 +329,47 @@ class opnfv::controller_networker {
}
} else {
- if $ovs_tunnel_if == '' { fail('ovs_tunnel_if is empty') }
- if $public_ip == '' { fail('public_ip is empty') }
- if $private_ip == '' { fail('private_ip is empty') }
-
- if $odl_control_ip == '' { $odl_control_ip = $private_ip }
-
- if $mysql_ip == '' { fail('mysql_ip is empty') }
- if $mysql_root_password == '' { fail('mysql_root_password is empty') }
- if $amqp_ip == '' { fail('amqp_ip is empty') }
-
- if $memcache_ip == '' { fail('memcache_ip is empty') }
- if $neutron_ip == '' { fail('neutron_ip is empty') }
-
- if $keystone_db_password == '' { fail('keystone_db_password is empty') }
-
- if $horizon_secret_key == '' { fail('horizon_secret_key is empty') }
-
- if $nova_user_password == '' { fail('nova_user_password is empty') }
- if $nova_db_password == '' { fail('nova_db_password is empty') }
-
- if $cinder_user_password == '' { fail('cinder_user_password is empty') }
- if $cinder_db_password == '' { fail('cinder_db_password is empty') }
-
- if $glance_user_password == '' { fail('glance_user_password is empty') }
- if $glance_db_password == '' { fail('glance_db_password is empty') }
-
- if $neutron_user_password == '' { fail('neutron_user_password is empty') }
- if $neutron_db_password == '' { fail('neutron_db_password is empty') }
- if $neutron_metadata_shared_secret == '' { fail('neutron_metadata_shared_secret is empty') }
-
- if $ceilometer_user_password == '' { fail('ceilometer_user_password is empty') }
- if $ceilometer_metering_secret == '' { fail('ceilometer_user_password is empty') }
-
- if $heat_user_password == '' { fail('heat_user_password is empty') }
- if $heat_db_password == '' { fail('heat_db_password is empty') }
- if $heat_auth_encrypt_key == '' { fail('heat_auth_encrypt_key is empty') }
-
- if $swift_user_password == '' { fail('swift_user_password is empty') }
- if $swift_shared_secret == '' { fail('swift_shared_secret is empty') }
- if $swift_admin_password == '' { fail('swift_admin_password is empty') }
+ ##Mandatory Non-HA parameters
+ if $private_network == '' { fail('private_network is empty') }
+ if $public_network == '' { fail('public_network is empty') }
+ ##Optional Non-HA parameters
if !$amqp_username { $amqp_username = $single_username }
if !$amqp_password { $amqp_password = $single_password }
+ if !$mysql_root_password { $mysql_root_password = $single_password }
+ if !$keystone_db_password { $keystone_db_password = $single_password }
+ if !$horizon_secret_key { $horizon_secret_key = $single_password }
+ if !$nova_db_password { $nova_db_password = $single_password }
+ if !$nova_user_password { $nova_user_password = $single_password }
+ if !$cinder_db_password { $cinder_db_password = $single_password }
+ if !$cinder_user_password { $cinder_user_password = $single_password }
+ if !$glance_db_password { $glance_db_password = $single_password }
+ if !$glance_user_password { $glance_user_password = $single_password }
+ if !$neutron_db_password { $neutron_db_password = $single_password }
+ if !$neutron_user_password { $neutron_user_password = $single_password }
+ if !$neutron_metadata_shared_secret { $neutron_metadata_shared_secret = $single_password }
+ if !$ceilometer_user_password { $ceilometer_user_password = $single_password }
+ if !$ceilometer_metering_secret { $ceilometer_metering_secret = $single_password }
+ if !$heat_user_password { $heat_user_password = $single_password }
+ if !$heat_db_password { $heat_db_password = $single_password }
+ if !$heat_auth_encryption_key { $heat_auth_encryption_key = 'octopus1octopus1' }
+ if !$swift_user_password { $swift_user_password = $single_password }
+ if !$swift_shared_secret { $swift_shared_secret = $single_password }
+ if !$swift_admin_password { $swift_admin_password = $single_password }
+ ##Find private interface
+ $ovs_tunnel_if = get_nic_from_network("$private_network")
+ ##Find private ip
+ $private_ip = get_ip_from_nic("$ovs_tunnel_if")
+ #Find public NIC
+ $public_nic = get_nic_from_network("$public_network")
+ $public_ip = get_ip_from_nic("$public_nic")
+
+ if !$mysql_ip { $mysql_ip = $private_ip }
+ if !$amqp_ip { $amqp_ip = $private_ip }
+ if !$memcache_ip { $memcache_ip = $private_ip }
+ if !$neutron_ip { $neutron_ip = $private_ip }
+ if !$odl_control_ip { $odl_control_ip = $private_ip }
class { "quickstack::neutron::controller_networker":
admin_email => $admin_email,
@@ -414,6 +424,8 @@ class opnfv::controller_networker {
horizon_cert => $quickstack::params::horizon_cert,
horizon_key => $quickstack::params::horizon_key,
+ keystonerc => true,
+
ml2_mechanism_drivers => $ml2_mech_drivers,
#neutron => true,
diff --git a/common/puppet-opnfv/manifests/external_net_presetup.pp b/common/puppet-opnfv/manifests/external_net_presetup.pp
index b7c7c5f..f52b903 100644
--- a/common/puppet-opnfv/manifests/external_net_presetup.pp
+++ b/common/puppet-opnfv/manifests/external_net_presetup.pp
@@ -24,13 +24,24 @@ class opnfv::external_net_presetup {
$controllers_hostnames_array_str = $controllers_hostnames_array
$controllers_hostnames_array = split($controllers_hostnames_array, ',')
+ if ($admin_network != '') and ($admin_network != 'false') {
+ $admin_nic = get_nic_from_network("$admin_network")
+ if $admin_nic == '' { fail('admin_nic was not found') }
+ #Disable defalute route on Admin network
+ file_line { 'disable-defroute-admin':
+ path => "/etc/sysconfig/network-scripts/ifcfg-$admin_nic",
+ line => 'DEFROUTE=no',
+ match => '^DEFROUTE',
+ }
+ }
+
#find public NIC
$public_nic = get_nic_from_network("$public_network")
$public_nic_ip = get_ip_from_nic("$public_nic")
$public_nic_netmask = get_netmask_from_nic("$public_nic")
if ($public_nic == '') or ($public_nic_ip == '') or ($public_nic == "br-ex") or ($public_nic == "br_ex") {
- notify {"Skipping augeas, public_nic ${public_nic}, public_nic_ip ${public_nic_ip}":}
+ notify {"Skipping augeas, public_nic ${public_nic}, public_nic_ip ${public_nic_ip}":}
exec {'ovs-vsctl -t 10 -- --may-exist add-br br-ex':
path => ["/usr/sbin/", "/usr/bin/"],
@@ -85,7 +96,7 @@ class opnfv::external_net_presetup {
owner => 'root',
group => 'root',
mode => '0644',
- content => template('trystack/br_ex.erb'),
+ content => template('opnfv/br_ex.erb'),
before => Class["quickstack::pacemaker::params"],
}
->
diff --git a/common/puppet-opnfv/manifests/external_net_setup.pp b/common/puppet-opnfv/manifests/external_net_setup.pp
index af00f20..fc014d4 100644
--- a/common/puppet-opnfv/manifests/external_net_setup.pp
+++ b/common/puppet-opnfv/manifests/external_net_setup.pp
@@ -60,7 +60,7 @@ class opnfv::external_net_setup {
provider_network_type => flat,
provider_physical_network => 'physnet1',
router_external => true,
- tenant_name => 'admin',
+ tenant_name => 'services',
}
->
neutron_subnet { 'provider_subnet':
@@ -70,8 +70,9 @@ class opnfv::external_net_setup {
gateway_ip => $public_gateway,
allocation_pools => [ "start=${public_allocation_start},end=${public_allocation_end}" ],
dns_nameservers => $public_dns,
+ enable_dhcp => false,
network_name => 'provider_network',
- tenant_name => 'admin',
+ tenant_name => 'services',
}
->
neutron_router { 'provider_router':
diff --git a/common/puppet-opnfv/manifests/init.pp b/common/puppet-opnfv/manifests/init.pp
index 7b68df5..d26bd7a 100644
--- a/common/puppet-opnfv/manifests/init.pp
+++ b/common/puppet-opnfv/manifests/init.pp
@@ -18,7 +18,6 @@ class opnfv {
include opnfv::resolver
include opnfv::ntp
include opnfv::add_packages
- include opnfv::odl_docker
include opnfv::opncheck
}
diff --git a/common/puppet-opnfv/manifests/odl_docker.pp b/common/puppet-opnfv/manifests/odl_docker.pp
deleted file mode 100644
index 6e70ba0..0000000
--- a/common/puppet-opnfv/manifests/odl_docker.pp
+++ /dev/null
@@ -1,50 +0,0 @@
-##############################################################################
-# Copyright (c) 2015 Ericsson AB and others.
-# daniel.smith@ericsson.com
-# All rights reserved. This program and the accompanying materials
-# are made available under the terms of the Apache License, Version 2.0
-# which accompanies this distribution, and is available at
-# http://www.apache.org/licenses/LICENSE-2.0
-##############################################################################
-
-class opnfv::odl_docker
-{
- case $::fuel_settings['role'] {
- /controller/: {
-
- file { "/opt":
- ensure => "directory",
- }
-
- file { "/opt/opnfv":
- ensure => "directory",
- owner => "root",
- group => "root",
- mode => 777,
- }
-
- file { "/opt/opnfv/odl":
- ensure => "directory",
- }
-
- file { "/opt/opnfv/odl/odl_docker_image.tar":
- ensure => present,
- source => "/etc/puppet/modules/opnfv/odl_docker/odl_docker_image.tar",
- mode => 750,
- }
-
- file { "/opt/opnfv/odl/docker-latest":
- ensure => present,
- source => "/etc/puppet/modules/opnfv/odl_docker/docker-latest",
- mode => 750,
- }
-
- file { "/opt/opnfv/odl/start_odl_conatiner.sh":
- ensure => present,
- source => "/etc/puppet/modules/opnfv/scripts/start_odl_container.sh",
- mode => 750,
- }
- }
- }
-}
-
diff --git a/common/puppet-opnfv/manifests/templates/br_ex.erb b/common/puppet-opnfv/manifests/templates/br_ex.erb
new file mode 100644
index 0000000..6c0e7e7
--- /dev/null
+++ b/common/puppet-opnfv/manifests/templates/br_ex.erb
@@ -0,0 +1,10 @@
+DEVICE=br-ex
+DEVICETYPE=ovs
+IPADDR=<%= @public_nic_ip %>
+NETMASK=<%= @public_nic_netmask %>
+GATEWAY=<%= @public_gateway %>
+BOOTPROTO=static
+ONBOOT=yes
+TYPE=OVSBridge
+PROMISC=yes
+PEERDNS=no
diff --git a/common/puppet-opnfv/manifests/templates/dockerfile/Dockerfile b/common/puppet-opnfv/manifests/templates/dockerfile/Dockerfile
deleted file mode 100644
index 80a92d8..0000000
--- a/common/puppet-opnfv/manifests/templates/dockerfile/Dockerfile
+++ /dev/null
@@ -1,82 +0,0 @@
-####################################################################
-# Copyright (c) 2015 Ericsson AB and others.
-# daniel.smith@ericsson.com
-# All rights reserved. This program and the accompanying materials
-# are made available under the terms of the Apache License, Version 2.0
-# which accompanies this distribution, and is available at
-# http://www.apache.org/licenses/LICENSE-2.0
-##############################################################################
-#
-# DOCKERFILE TO CREATE ODL IN CONTAINER AND EXPOSE DLUX AND OVSDB TO ODL
-#
-#############################################################################
-
-
-#Set the base image - note: the current release of Karaf is using Jdk7 and alot of 12.04, so we will use it rather than 14.04 and backport a ton of stuff
-FROM ubuntu:12.04
-
-# Maintainer Info
-MAINTAINER Daniel Smith
-
-
-#Run apt-get update one start just to check for updates when building
-RUN echo "Updating APT"
-RUN apt-get update
-RUN echo "Adding wget"
-RUN apt-get install -y wget
-RUN apt-get install -y net-tools
-RUN apt-get install -y openjdk-7-jre
-RUN apt-get install -y openjdk-7-jdk
-RUN apt-get install -y openssh-server
-RUN apt-get install -y vim
-RUN apt-get install -y expect
-RUN apt-get install -y daemontools
-RUN mkdir -p /opt/odl_source
-RUN bash -c 'echo "export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64" >> ~/.bashrc'
-
-
-
-#Now lets got and fetch the ODL distribution
-RUN echo "Fetching ODL"
-RUN wget https://nexus.opendaylight.org/content/groups/public/org/opendaylight/integration/distribution-karaf/0.2.3-Helium-SR3/distribution-karaf-0.2.3-Helium-SR3.tar.gz -O /opt/odl_source/distribution-karaf-0.2.3-Helium-SR3.tar.gz
-
-RUN echo "Untarring ODL inplace"
-RUN mkdir -p /opt/odl
-RUN tar zxvf /opt/odl_source/distribution-karaf-0.2.3-Helium-SR3.tar.gz -C /opt/odl
-
-RUN echo "Installing DLUX and other features into ODL"
-#COPY dockerfile/container_scripts/start_odl_docker.sh /etc/init.d/start_odl_docker.sh
-COPY container_scripts/start_odl_docker_container.sh /etc/init.d/
-COPY container_scripts/speak.sh /etc/init.d/
-#COPY dockerfile/container_scripts/speak.sh /etc/init.d/speak.sh
-RUN chmod 777 /etc/init.d/start_odl_docker_container.sh
-RUN chmod 777 /etc/init.d/speak.sh
-
-
-
-# Expose the ports
-
-# PORTS FOR BASE SYSTEM AND DLUX
-EXPOSE 8101
-EXPOSE 6633
-EXPOSE 1099
-EXPOSE 43506
-EXPOSE 8181
-EXPOSE 8185
-EXPOSE 9000
-EXPOSE 39378
-EXPOSE 33714
-EXPOSE 44444
-EXPOSE 6653
-
-# PORTS FOR OVSDB AND ODL CONTROL
-EXPOSE 12001
-EXPOSE 6640
-EXPOSE 8080
-EXPOSE 7800
-EXPOSE 55130
-EXPOSE 52150
-EXPOSE 36826
-
-# set the ENTRYPOINT - An entry point allows us to run this container as an exectuable
-CMD ["/etc/init.d/start_odl_docker_container.sh"]
diff --git a/common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/check_feature.sh b/common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/check_feature.sh
deleted file mode 100644
index 533942e..0000000
--- a/common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/check_feature.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-##############################################################################
-# Copyright (c) 2015 Ericsson AB and others.
-# daniel.smith@ericsson.com
-# All rights reserved. This program and the accompanying materials
-# are made available under the terms of the Apache License, Version 2.0
-# which accompanies this distribution, and is available at
-# http://www.apache.org/licenses/LICENSE-2.0
-##############################################################################
-
-#!/usr/bin/expect
-spawn /opt/odl/distribution-karaf-0.2.3-Helium-SR3/bin/client
-expect "root>"
-send "feature:list | grep -i odl-restconf\r"
-send "\r\r\r"
-expect "root>"
-send "logout\r"
-
-
diff --git a/common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/speak.sh b/common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/speak.sh
deleted file mode 100644
index 95bbaf4..0000000
--- a/common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/speak.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/expect
-##############################################################################
-# Copyright (c) 2015 Ericsson AB and others.
-# daniel.smith@ericsson.com
-# All rights reserved. This program and the accompanying materials
-# are made available under the terms of the Apache License, Version 2.0
-# which accompanies this distribution, and is available at
-# http://www.apache.org/licenses/LICENSE-2.0
-##############################################################################
-#
-# Simple expect script to start up ODL client and load feature set for DLUX and OVSDB
-# NOTE: THIS WILL BE REPLACED WITH A PROGRAMATIC METHOD SHORTLY
-#################################################################################
-
-spawn /opt/odl/distribution-karaf-0.2.3-Helium-SR3/bin/client
-expect "root>"
-send "feature:install odl-base-all odl-aaa-authn odl-restconf odl-nsf-all odl-adsal-northbound odl-mdsal-apidocs odl-ovsdb-openstack odl-ovsdb-northbound odl-dlux-core"
-send "\r\r\r"
-expect "root>"
-send "logout\r"
diff --git a/common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/start_odl_docker_container.sh b/common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/start_odl_docker_container.sh
deleted file mode 100644
index 8ae05f7..0000000
--- a/common/puppet-opnfv/manifests/templates/dockerfile/container_scripts/start_odl_docker_container.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/bash
-##############################################################################
-# Copyright (c) 2015 Ericsson AB and others.
-# daniel.smith@ericsson.com
-# All rights reserved. This program and the accompanying materials
-# are made available under the terms of the Apache License, Version 2.0
-# which accompanies this distribution, and is available at
-# http://www.apache.org/licenses/LICENSE-2.0
-##############################################################################
-#
-# Simple expect script to start up ODL client and load feature set for DLUX and OVSDB
-# NOTE: THIS WILL BE REPLACED WITH A PROGRAMATIC METHOD SHORTLY
-#################################################################################
-# Start up script for calling karaf / ODL inside a docker container.
-#
-# This script will also call a couple expect scripts to load the feature set that we want
-
-
-#ENV
-export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64
-
-#MAIN
-echo "Starting up the da Sheilds..."
-/opt/odl/distribution-karaf-0.2.3-Helium-SR3/bin/karaf server &
-echo "Sleeping 5 bad hack"
-sleep 10
-echo "should see stuff listening now"
-netstat -na
-echo " should see proess running for karaf"
-ps -efa
-echo " Starting the packages we want"
-/etc/init.d/speak.sh
-echo "Printout the status - if its right, you should see 8181 appear now"
-netstat -na
-ps -efa
-
-
-
-## This is a loop that keeps our container going currently, prinout the "status of karaf" to the docker logs every minute
-## Cheap - but effective
-while true;
-do
- echo "Checking status of ODL:"
- /opt/odl/distribution-karaf-0.2.3-Helium-SR3/bin/status
- sleep 60
-done
-
-
diff --git a/compass/ci/build.sh b/compass/ci/build.sh
index 4e5b87b..2b7fd9a 100755
--- a/compass/ci/build.sh
+++ b/compass/ci/build.sh
@@ -84,7 +84,7 @@ EOF
# BEGIN of variables to customize
#
BUILD_BASE=$(readlink -e ../build/)
-RESULT_DIR="${BUILD_BASE}/release"
+export RESULT_DIR="${BUILD_BASE}/release"
BUILD_SPEC="${BUILD_BASE}/config.mk"
CACHE_DIR="cache"
LOCAL_CACHE_ARCH_NAME="compass-cache"
@@ -112,11 +112,11 @@ DEBUG=0
INTEGRATION_TEST=0
FULL_INTEGRATION_TEST=0
INTERACTIVE=0
-BUILD_CACHE_URI=
+export BUILD_CACHE_URI=
BUILD_SPEC=
BUILD_DIR=
BUILD_LOG=
-BUILD_VERSION=
+export BUILD_VERSION=
MAKE_ARGS=
#
# END of script assigned variables
@@ -133,6 +133,8 @@ source ${INCLUDE_DIR}/build.sh.debug
############################################################################
# BEGIN of main
#
+build_prepare
+
while getopts "s:c:v:f:l:r:RtTh" OPTION
do
case $OPTION in
@@ -376,15 +378,15 @@ mkdir -p ${BUILD_DIR}
cp ${BUILD_BASE}/.versions ${BUILD_DIR}
cp ${RESULT_DIR}/*.iso* ${BUILD_DIR}
-if [ $POPULATE_CACHE -eq 1 ]; then
- if [ ! -z ${BUILD_CACHE_URI} ]; then
- echo "Building cache ..."
- tar --dereference -C ${BUILD_BASE} -caf ${BUILD_BASE}/${LOCAL_CACHE_ARCH_NAME}.tgz ${CACHE_DIR}
- echo "Uploading cache ${BUILD_CACHE_URI}/${REMOTE_CACHE_ARCH_NAME}"
- ${REMOTE_ACCESS_METHD} -T ${BUILD_BASE}/${LOCAL_CACHE_ARCH_NAME}.tgz ${BUILD_CACHE_URI}/${REMOTE_CACHE_ARCH_NAME}.tgz
- rm ${BUILD_BASE}/${LOCAL_CACHE_ARCH_NAME}.tgz
- fi
-fi
+#if [ $POPULATE_CACHE -eq 1 ]; then
+# if [ ! -z ${BUILD_CACHE_URI} ]; then
+# echo "Building cache ..."
+# tar --dereference -C ${BUILD_BASE} -caf ${BUILD_BASE}/${LOCAL_CACHE_ARCH_NAME}.tgz ${CACHE_DIR}
+# echo "Uploading cache ${BUILD_CACHE_URI}/${REMOTE_CACHE_ARCH_NAME}"
+# ${REMOTE_ACCESS_METHD} -T ${BUILD_BASE}/${LOCAL_CACHE_ARCH_NAME}.tgz ${BUILD_CACHE_URI}/${REMOTE_CACHE_ARCH_NAME}.tgz
+# rm ${BUILD_BASE}/${LOCAL_CACHE_ARCH_NAME}.tgz
+# fi
+#fi
echo "Success!!!"
exit 0
#
diff --git a/compass/ci/deploy.sh b/compass/ci/deploy.sh
index fe754aa..197bf63 100755
--- a/compass/ci/deploy.sh
+++ b/compass/ci/deploy.sh
@@ -1,5 +1,9 @@
-SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-CONF_NAME=$1
-source ${SCRIPT_DIR}/../deploy/prepare.sh || exit $?
-source ${SCRIPT_DIR}/../deploy/setup-env.sh || exit $?
-source ${SCRIPT_DIR}/../deploy/deploy-vm.sh || exit $?
+#set -x
+COMPASS_DIR=`cd ${BASH_SOURCE[0]%/*}/../;pwd`
+export COMPASS_DIR
+
+apt-get install screen
+screen -ls |grep deploy|awk -F. '{print $1}'|xargs kill -9
+screen -wipe
+#screen -dmSL deploy bash $COMPASS_DIR/ci/launch.sh $*
+$COMPASS_DIR/ci/launch.sh $*
diff --git a/compass/ci/launch.sh b/compass/ci/launch.sh
new file mode 100755
index 0000000..316b06f
--- /dev/null
+++ b/compass/ci/launch.sh
@@ -0,0 +1,65 @@
+#set -x
+WORK_DIR=$COMPASS_DIR/ci/work
+
+if [[ $# -ge 1 ]];then
+ CONF_NAME=$1
+else
+ CONF_NAME=cluster
+fi
+
+source ${COMPASS_DIR}/ci/log.sh
+source ${COMPASS_DIR}/deploy/conf/${CONF_NAME}.conf
+source ${COMPASS_DIR}/deploy/prepare.sh
+source ${COMPASS_DIR}/deploy/network.sh
+
+if [[ ! -z $VIRT_NUMBER ]];then
+ source ${COMPASS_DIR}/deploy/host_vm.sh
+else
+ source ${COMPASS_DIR}/deploy/host_baremetal.sh
+fi
+
+source ${COMPASS_DIR}/deploy/compass_vm.sh
+source ${COMPASS_DIR}/deploy/deploy_host.sh
+
+######################### main process
+
+if ! prepare_env;then
+ echo "prepare_env failed"
+ exit 1
+fi
+
+log_info "########## get host mac begin #############"
+machines=`get_host_macs`
+if [[ -z $machines ]];then
+ log_error "get_host_macs failed"
+ exit 1
+fi
+
+log_info "deploy host macs: $machines"
+export machines
+
+log_info "########## set up network begin #############"
+if ! create_nets;then
+ log_error "create_nets failed"
+ exit 1
+fi
+
+if ! launch_compass;then
+ log_error "launch_compass failed"
+ exit 1
+fi
+if [[ ! -z $VIRT_NUMBER ]];then
+ if ! launch_host_vms;then
+ log_error "launch_host_vms failed"
+ exit 1
+ fi
+fi
+if ! deploy_host;then
+ #tear_down_machines
+ #tear_down_compass
+ exit 1
+else
+ #tear_down_machines
+ #tear_down_compass
+ exit 0
+fi
diff --git a/compass/ci/log.sh b/compass/ci/log.sh
new file mode 100755
index 0000000..f54fdca
--- /dev/null
+++ b/compass/ci/log.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+reset=`tput sgr0`
+red=`tput setaf 1`
+green=`tput setaf 2`
+yellow=`tput setaf 3`
+
+function log_info() {
+ echo -e "${green}$*${reset}"
+}
+
+function log_warn() {
+ echo -e "${yellow}$*${reset}"
+}
+
+function log_error() {
+ echo -e "${red}$*${reset}"
+}
+
+function log_progress() {
+ echo -en "${yellow}$*\r${reset}"
+}
+
diff --git a/compass/deploy/ansible/openstack_juno/HA-ansible-multinodes.yml b/compass/deploy/ansible/openstack_juno/HA-ansible-multinodes.yml
new file mode 100644
index 0000000..9c1d7e7
--- /dev/null
+++ b/compass/deploy/ansible/openstack_juno/HA-ansible-multinodes.yml
@@ -0,0 +1,42 @@
+---
+- hosts: all
+ remote_user: root
+ sudo: true
+ roles:
+ - repo
+ - common
+
+- hosts: ha
+ remote_user: root
+ sudo: True
+ roles:
+ - ha
+
+- hosts: controller
+ remote_user: root
+ sudo: True
+ roles:
+ - database
+ - mq
+ - keystone
+ - nova-controller
+ - neutron-controller
+ - cinder-controller
+ - glance
+ - neutron-common
+ - neutron-network
+ - dashboard
+
+- hosts: compute
+ remote_user: root
+ sudo: True
+ roles:
+ - nova-compute
+ - neutron-compute
+ - cinder-volume
+
+- hosts: all
+ remote_user: root
+ sudo: True
+ roles:
+ - monitor
diff --git a/compass/deploy/ansible/openstack_juno/allinone.yml b/compass/deploy/ansible/openstack_juno/allinone.yml
new file mode 100644
index 0000000..15220ca
--- /dev/null
+++ b/compass/deploy/ansible/openstack_juno/allinone.yml
@@ -0,0 +1,38 @@
+---
+- hosts: all
+ remote_user: root
+ sudo: true
+ roles:
+ - repo
+
+- hosts: controller
+ sudo: True
+ roles:
+ - common
+ - database
+ - mq
+ - keystone
+ - nova-controller
+ - neutron-controller
+ - dashboard
+ - cinder-controller
+ - glance
+
+- hosts: network
+ sudo: True
+ roles:
+ - common
+ - neutron-network
+
+- hosts: storage
+ sudo: True
+ roles:
+ - common
+ - cinder-volume
+
+- hosts: compute
+ sudo: True
+ roles:
+ - common
+ - nova-compute
+ - neutron-compute
diff --git a/compass/deploy/ansible/openstack_juno/compute.yml b/compass/deploy/ansible/openstack_juno/compute.yml
new file mode 100644
index 0000000..b2679c0
--- /dev/null
+++ b/compass/deploy/ansible/openstack_juno/compute.yml
@@ -0,0 +1,9 @@
+---
+- hosts: all
+ remote_user: vagrant
+ sudo: True
+ roles:
+ - repo
+ - common
+ - nova-compute
+ - neutron-compute
diff --git a/compass/deploy/ansible/openstack_juno/controller.yml b/compass/deploy/ansible/openstack_juno/controller.yml
new file mode 100644
index 0000000..7f4a10e
--- /dev/null
+++ b/compass/deploy/ansible/openstack_juno/controller.yml
@@ -0,0 +1,15 @@
+---
+- hosts: controller
+ remote_user: root
+ sudo: True
+ roles:
+ - repo
+ - common
+ - database
+ - mq
+ - keystone
+ - nova-controller
+ - neutron-controller
+ - dashboard
+ - cinder-controller
+ - glance
diff --git a/compass/deploy/ansible/openstack_juno/group_vars/all b/compass/deploy/ansible/openstack_juno/group_vars/all
new file mode 100644
index 0000000..5643fcd
--- /dev/null
+++ b/compass/deploy/ansible/openstack_juno/group_vars/all
@@ -0,0 +1,54 @@
+controller_host: 10.1.0.11
+network_host: 10.1.0.12
+compute_host: 10.1.0.13
+storage_host: 10.1.0.14
+odl_controller: 10.1.0.15
+
+DEBUG: False
+VERBOSE: False
+NTP_SERVER_LOCAL: controller
+DB_HOST: "{{ controller_host }}"
+MQ_BROKER: rabbitmq
+
+OPENSTACK_REPO: cloudarchive-juno.list
+ADMIN_TOKEN: admin
+CEILOMETER_TOKEN: c095d479023a0fd58a54
+RABBIT_PASS: guest
+KEYSTONE_DBPASS: keystone_db_secret
+DEMO_PASS: demo_secret
+ADMIN_PASS: admin_secret
+GLANCE_DBPASS: glance_db_secret
+GLANCE_PASS: glance_secret
+NOVA_DBPASS: nova_db_secret
+NOVA_PASS: nova_secret
+DASH_DBPASS: dash_db_secret
+CINDER_DBPASS: cinder_db_secret
+CINDER_PASS: cinder_secret
+NEUTRON_DBPASS: neutron_db_secret
+NEUTRON_PASS: netron_secret
+NEUTRON_TYPE_DRIVERS: ['flat', 'gre', 'vxlan']
+NEUTRON_TENANT_NETWORK_TYPES: ['vxlan']
+#NEUTRON_MECHANISM_DRIVERS: ['opendaylight']
+NEUTRON_MECHANISM_DRIVERS: ['openvswitch']
+NEUTRON_TUNNEL_TYPES: ['vxlan']
+METADATA_SECRET: metadata_secret
+INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS: 10.1.1.21
+INTERFACE_NAME: eth2
+
+EXTERNAL_NETWORK_CIDR: 203.0.113.0/24
+EXTERNAL_NETWORK_GATEWAY: 203.0.113.1
+FLOATING_IP_START: 203.0.113.101
+FLOATING_IP_END: 203.0.113.200
+
+juno_cloud_archive: deb http://ubuntu-cloud.archive.canonical.com/ubuntu trusty-updates/juno main
+build_in_image: http://cdn.download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-disk.img
+build_in_image_name: cirros-0.3.3-x86_64-disk.img
+
+physical_device: /dev/sdb
+
+internal_interface: ansible_eth1
+internal_ip: "{{ hostvars[inventory_hostname][internal_interface]['ipv4']['address'] }}"
+
+odl_username: admin
+odl_password: admin
+odl_api_port: 8080
diff --git a/compass/deploy/ansible/openstack_juno/multinodes.yml b/compass/deploy/ansible/openstack_juno/multinodes.yml
new file mode 100644
index 0000000..ffd29d5
--- /dev/null
+++ b/compass/deploy/ansible/openstack_juno/multinodes.yml
@@ -0,0 +1,75 @@
+---
+- hosts: all
+ remote_user: root
+ sudo: true
+ roles:
+ - repo
+
+- hosts: database
+ sudo: True
+ roles:
+ - common
+ - database
+
+- hosts: messaging
+ sudo: True
+ roles:
+ - common
+ - mq
+
+- hosts: identity
+ sudo: True
+ roles:
+ - common
+ - keystone
+
+- hosts: compute-controller
+ sudo: True
+ roles:
+ - common
+ - nova-controller
+
+- hosts: network-server
+ sudo: True
+ roles:
+ - common
+ - neutron-controller
+
+- hosts: storage-controller
+ sudo: True
+ roles:
+ - common
+ - cinder-controller
+
+- hosts: image
+ sudo: True
+ roles:
+ - common
+ - glance
+
+- hosts: dashboard
+ sudo: True
+ roles:
+ - common
+ - dashboard
+
+- hosts: network-worker
+ sudo: True
+ roles:
+ - common
+ - neutron-network
+
+- hosts: storage-volume
+ sudo: True
+ roles:
+ - common
+ - cinder-volume
+
+- hosts: compute-worker
+ sudo: True
+ roles:
+ - common
+ - nova-compute
+ - neutron-compute
+
+
diff --git a/compass/deploy/ansible/openstack_juno/network.yml b/compass/deploy/ansible/openstack_juno/network.yml
new file mode 100644
index 0000000..558f317
--- /dev/null
+++ b/compass/deploy/ansible/openstack_juno/network.yml
@@ -0,0 +1,8 @@
+---
+- hosts: all
+ remote_user: vagrant
+ sudo: True
+ roles:
+ - repo
+ - common
+ - neutron-network
diff --git a/compass/deploy/ansible/openstack_juno/single-controller.yml b/compass/deploy/ansible/openstack_juno/single-controller.yml
new file mode 100644
index 0000000..15220ca
--- /dev/null
+++ b/compass/deploy/ansible/openstack_juno/single-controller.yml
@@ -0,0 +1,38 @@
+---
+- hosts: all
+ remote_user: root
+ sudo: true
+ roles:
+ - repo
+
+- hosts: controller
+ sudo: True
+ roles:
+ - common
+ - database
+ - mq
+ - keystone
+ - nova-controller
+ - neutron-controller
+ - dashboard
+ - cinder-controller
+ - glance
+
+- hosts: network
+ sudo: True
+ roles:
+ - common
+ - neutron-network
+
+- hosts: storage
+ sudo: True
+ roles:
+ - common
+ - cinder-volume
+
+- hosts: compute
+ sudo: True
+ roles:
+ - common
+ - nova-compute
+ - neutron-compute
diff --git a/compass/deploy/ansible/openstack_juno/storage.yml b/compass/deploy/ansible/openstack_juno/storage.yml
new file mode 100644
index 0000000..3c0aa41
--- /dev/null
+++ b/compass/deploy/ansible/openstack_juno/storage.yml
@@ -0,0 +1,8 @@
+---
+- hosts: all
+ remote_user: vagrant
+ sudo: True
+ roles:
+ - repo
+ - common
+ - cinder-volume
diff --git a/compass/deploy/ansible/roles/cinder-controller/handlers/main.yml b/compass/deploy/ansible/roles/cinder-controller/handlers/main.yml
new file mode 100644
index 0000000..ef671dd
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-controller/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart cinder-scheduler
+ service: name=cinder-scheduler state=restarted enabled=yes
+- name: restart cinder-api
+ service: name=cinder-api state=restarted enabled=yes
+
diff --git a/compass/deploy/ansible/roles/cinder-controller/tasks/cinder_config.yml b/compass/deploy/ansible/roles/cinder-controller/tasks/cinder_config.yml
new file mode 100644
index 0000000..7796cf7
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-controller/tasks/cinder_config.yml
@@ -0,0 +1,20 @@
+---
+- name: sync cinder db
+ shell: su -s /bin/sh -c "cinder-manage db sync" cinder && cinder
+ register: result
+ until: result.rc == 0
+ retries: 5
+ delay: 3
+ notify:
+ - restart cinder-scheduler
+ - restart cinder-api
+
+- meta: flush_handlers
+
+- name: upload cinder keystone register script
+ template: src=cinder_init.sh dest=/opt/cinder_init.sh mode=0744
+
+- name: run cinder register script
+ shell: for i in {0..5}; do /opt/cinder_init.sh && touch cinder_init_complete; if [ $? != 0 ]; then sleep 5; else break; fi; done
+ args:
+ creates: cinder_init_complete
diff --git a/compass/deploy/ansible/roles/cinder-controller/tasks/cinder_install.yml b/compass/deploy/ansible/roles/cinder-controller/tasks/cinder_install.yml
new file mode 100644
index 0000000..03ad432
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-controller/tasks/cinder_install.yml
@@ -0,0 +1,20 @@
+---
+- name: install cinder packages
+ apt: name={{ item }} state=present force=yes
+ with_items:
+ - cinder-api
+ - cinder-scheduler
+ - python-cinderclient
+
+- name: generate cinder service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - cinder-api
+ - cinder-scheduler
+
+- name: upload cinder conf
+ template: src=cinder.conf dest=/etc/cinder/cinder.conf
+ notify:
+ - restart cinder-scheduler
+ - restart cinder-api
+
diff --git a/compass/deploy/ansible/roles/cinder-controller/tasks/main.yml b/compass/deploy/ansible/roles/cinder-controller/tasks/main.yml
new file mode 100644
index 0000000..1dbe91f
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-controller/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- include: cinder_install.yml
+ tags:
+ - install
+ - cinder-install
+ - cinder
+
+- include: cinder_config.yml
+ when: HA_CLUSTER is not defined or HA_CLUSTER[inventory_hostname] == ''
+ tags:
+ - config
+ - cinder-config
+ - cinder
diff --git a/compass/deploy/ansible/roles/cinder-controller/templates/api-paste.ini b/compass/deploy/ansible/roles/cinder-controller/templates/api-paste.ini
new file mode 100644
index 0000000..b568a17
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-controller/templates/api-paste.ini
@@ -0,0 +1,71 @@
+#############
+# OpenStack #
+#############
+
+[composite:osapi_volume]
+use = call:cinder.api:root_app_factory
+/: apiversions
+/v1: openstack_volume_api_v1
+/v2: openstack_volume_api_v2
+
+[composite:openstack_volume_api_v1]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = request_id faultwrap sizelimit osprofiler noauth apiv1
+keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+
+[composite:openstack_volume_api_v2]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = request_id faultwrap sizelimit osprofiler noauth apiv2
+keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+
+[filter:request_id]
+paste.filter_factory = cinder.openstack.common.middleware.request_id:RequestIdMiddleware.factory
+
+[filter:faultwrap]
+paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+hmac_keys = SECRET_KEY
+enabled = yes
+
+[filter:noauth]
+paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[app:apiv1]
+paste.app_factory = cinder.api.v1.router:APIRouter.factory
+
+[app:apiv2]
+paste.app_factory = cinder.api.v2.router:APIRouter.factory
+
+[pipeline:apiversions]
+pipeline = faultwrap osvolumeversionapp
+
+[app:osvolumeversionapp]
+paste.app_factory = cinder.api.versions:Versions.factory
+
+[filter:authtoken]
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
+# auth_host = 127.0.0.1
+# auth_port = 35357
+# auth_protocol = http
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = cinder
+admin_password = {{ CINDER_PASS }}
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
diff --git a/compass/deploy/ansible/roles/cinder-controller/templates/cinder.conf b/compass/deploy/ansible/roles/cinder-controller/templates/cinder.conf
new file mode 100644
index 0000000..e34fd2f
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-controller/templates/cinder.conf
@@ -0,0 +1,63 @@
+[DEFAULT]
+rootwrap_config = /etc/cinder/rootwrap.conf
+api_paste_confg = /etc/cinder/api-paste.ini
+iscsi_helper = tgtadm
+volume_name_template = volume-%s
+volume_group = cinder-volumes
+verbose = {{ VERBOSE }}
+debug = {{ DEBUG }}
+auth_strategy = keystone
+state_path = /var/lib/cinder
+lock_path = /var/lock/cinder
+notification_driver=cinder.openstack.common.notifier.rpc_notifier
+volumes_dir = /var/lib/cinder/volumes
+
+log_file=/var/log/cinder/cinder.log
+
+control_exchange = cinder
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_port = 5672
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+my_ip = {{ storage_controller_host }}
+
+glance_host = {{ HA_VIP }}
+glance_port = 9292
+api_rate_limit = False
+storage_availability_zone = nova
+
+quota_volumes = 10
+quota_gigabytes=1000
+quota_driver=cinder.quota.DbQuotaDriver
+
+osapi_volume_listen = {{ storage_controller_host }}
+osapi_volume_listen_port = 8776
+
+db_backend = sqlalchemy
+volume_name_template = volume-%s
+snapshot_name_template = snapshot-%s
+
+max_gigabytes=10000
+volume_group=cinder-volumes
+
+volume_clear=zero
+volume_clear_size=10
+
+iscsi_ip_address={{ storage_controller_host }}
+iscsi_port=3260
+iscsi_helper=tgtadm
+
+volumes_dir=/var/lib/cinder/volumes
+
+volume_driver=cinder.volume.drivers.lvm.LVMISCSIDriver
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = cinder
+admin_password = {{ CINDER_PASS }}
+
+[database]
+connection = mysql://cinder:{{ CINDER_DBPASS }}@{{ db_host }}/cinder
diff --git a/compass/deploy/ansible/roles/cinder-controller/templates/cinder_init.sh b/compass/deploy/ansible/roles/cinder-controller/templates/cinder_init.sh
new file mode 100644
index 0000000..0ec61b6
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-controller/templates/cinder_init.sh
@@ -0,0 +1,6 @@
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-create --name=cinder --pass={{ CINDER_PASS }} --email=cinder@example.com
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-role-add --user=cinder --tenant=service --role=admin
+
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-create --name=cinder --type=volume --description="OpenStack Block Storage"
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 endpoint-create --service-id=$(keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-list | awk '/ volume / {print $2}') --publicurl=http://{{ HA_VIP }}:8776/v1/%\(tenant_id\)s --internalurl=http://{{ HA_VIP }}:8776/v1/%\(tenant_id\)s --adminurl=http://{{ HA_VIP }}:8776/v1/%\(tenant_id\)s
+
diff --git a/compass/deploy/ansible/roles/cinder-volume/files/loop.yml b/compass/deploy/ansible/roles/cinder-volume/files/loop.yml
new file mode 100644
index 0000000..e872652
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-volume/files/loop.yml
@@ -0,0 +1 @@
+physical_device: /dev/loop0
diff --git a/compass/deploy/ansible/roles/cinder-volume/handlers/main.yml b/compass/deploy/ansible/roles/cinder-volume/handlers/main.yml
new file mode 100644
index 0000000..ad917ce
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-volume/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart cinder-volume
+ service: name=cinder-volume state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/cinder-volume/tasks/main.yml b/compass/deploy/ansible/roles/cinder-volume/tasks/main.yml
new file mode 100644
index 0000000..8c0e626
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-volume/tasks/main.yml
@@ -0,0 +1,55 @@
+---
+- name: install cinder-volume and lvm2 packages
+ apt: name={{ item }} state=present force=yes
+ with_items:
+ - cinder-volume
+ - lvm2
+
+- name: generate cinder volume service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - cinder-volume
+
+- name: check if physical device exists
+ stat: path={{ physical_device }}
+ register: st
+
+- name: repace physical_device if st is false
+ local_action: copy src=loop.yml dest=/tmp/loop.yml
+ when: st.stat.exists == False
+
+- name: load loop.yml
+ include_vars: /tmp/loop.yml
+ when: st.stat.exists == False
+
+- name: check if cinder-volumes is mounted
+ shell: ls /mnt
+ register: cindervolumes
+
+- name: get available partition size
+ shell: df / | awk '$3 ~ /[0-9]+/ { print $4 }'
+ register: partition_size
+
+- name: if not mounted, mount it
+ shell: dd if=/dev/zero of=/mnt/cinder-volumes
+ bs=1 count=0 seek={{ partition_size.stdout }}
+ when: cindervolumes.stdout != 'cinder-volumes'
+
+- name: get first lo device
+ shell: ls /dev/loop* | egrep 'loop[0-9]+'|sed -n 1p
+ register: first_lo
+ when: cindervolumes.stdout != 'cinder-volumes'
+
+- name: do a losetup on /mnt/cinder-volumes
+ shell: losetup {{ first_lo.stdout }} /mnt/cinder-volumes
+ when: cindervolumes.stdout != 'cinder-volumes'
+
+- name: create physical and group volumes
+ lvg: vg=cinder-volumes pvs={{ physical_device }}
+ vg_options=--force
+
+- name: upload cinder-volume configuration
+ template: src=cinder.conf dest=/etc/cinder/cinder.conf
+ backup=yes
+ notify:
+ - restart cinder-volume
diff --git a/compass/deploy/ansible/roles/cinder-volume/templates/cinder.conf b/compass/deploy/ansible/roles/cinder-volume/templates/cinder.conf
new file mode 100644
index 0000000..aa3b8cc
--- /dev/null
+++ b/compass/deploy/ansible/roles/cinder-volume/templates/cinder.conf
@@ -0,0 +1,62 @@
+[DEFAULT]
+rootwrap_config = /etc/cinder/rootwrap.conf
+api_paste_confg = /etc/cinder/api-paste.ini
+iscsi_helper = tgtadm
+volume_name_template = volume-%s
+volume_group = cinder-volumes
+verbose = True
+auth_strategy = keystone
+state_path = /var/lib/cinder
+lock_path = /var/lock/cinder
+notification_driver=cinder.openstack.common.notifier.rpc_notifier
+volumes_dir = /var/lib/cinder/volumes
+
+log_file=/var/log/cinder/cinder.log
+
+control_exchange = cinder
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_port = 5672
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+my_ip = {{ storage_controller_host }}
+
+glance_host = {{ HA_VIP }}
+glance_port = 9292
+api_rate_limit = False
+storage_availability_zone = nova
+
+quota_volumes = 10
+quota_gigabytes=1000
+quota_driver=cinder.quota.DbQuotaDriver
+
+osapi_volume_listen = {{ storage_controller_host }}
+osapi_volume_listen_port = 8776
+
+db_backend = sqlalchemy
+volume_name_template = volume-%s
+snapshot_name_template = snapshot-%s
+
+max_gigabytes=10000
+volume_group=cinder-volumes
+
+volume_clear=zero
+volume_clear_size=10
+
+iscsi_ip_address={{ storage_controller_host }}
+iscsi_port=3260
+iscsi_helper=tgtadm
+
+volumes_dir=/var/lib/cinder/volumes
+
+volume_driver=cinder.volume.drivers.lvm.LVMISCSIDriver
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = cinder
+admin_password = {{ CINDER_PASS }}
+
+[database]
+connection = mysql://cinder:{{ CINDER_DBPASS }}@{{ db_host }}/cinder
diff --git a/compass/deploy/ansible/roles/common/files/sources.list.d/cloudarchive-juno.list b/compass/deploy/ansible/roles/common/files/sources.list.d/cloudarchive-juno.list
new file mode 100644
index 0000000..920f3d2
--- /dev/null
+++ b/compass/deploy/ansible/roles/common/files/sources.list.d/cloudarchive-juno.list
@@ -0,0 +1 @@
+deb http://ubuntu-cloud.archive.canonical.com/ubuntu trusty-updates/juno main
diff --git a/compass/deploy/ansible/roles/common/tasks/main.yml b/compass/deploy/ansible/roles/common/tasks/main.yml
new file mode 100644
index 0000000..ce595f5
--- /dev/null
+++ b/compass/deploy/ansible/roles/common/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: install ubuntu-cloud-keyring(ubuntu)
+ apt: name={{ item }} state=latest
+ with_items:
+ - ubuntu-cloud-keyring
+
+- name: update hosts files to all hosts
+ template: src=hosts
+ dest=/etc/hosts
+ backup=yes
+
+- name: install common packages
+ apt: name={{ item }} state=latest
+ with_items:
+ - python-pip
+ - python-dev
+ - python-mysqldb
+ - ntp
+
+- name: restart ntp
+ command: su -s /bin/sh -c "service ntp stop; ntpd -gq; hwclock --systohc"
+ ignore_errors: True
+
+- name: update ntp conf
+ template: src=ntp.conf dest=/etc/ntp.conf backup=yes
+
+- name: restart ntp
+ service: name=ntp state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/common/templates/hosts b/compass/deploy/ansible/roles/common/templates/hosts
new file mode 100644
index 0000000..9d27c0a
--- /dev/null
+++ b/compass/deploy/ansible/roles/common/templates/hosts
@@ -0,0 +1,22 @@
+# compute-controller
+10.145.89.136 host-136
+# database
+10.145.89.136 host-136
+# messaging
+10.145.89.136 host-136
+# storage-controller
+10.145.89.138 host-138
+# image
+10.145.89.138 host-138
+# identity
+10.145.89.136 host-136
+# network-server
+10.145.89.138 host-138
+# dashboard
+10.145.89.136 host-136
+# storage-volume
+10.145.89.139 host-139
+# network-worker
+10.145.89.139 host-139
+# compute-worker
+10.145.89.137 host-137
diff --git a/compass/deploy/ansible/roles/common/templates/ntp.conf b/compass/deploy/ansible/roles/common/templates/ntp.conf
new file mode 100644
index 0000000..c613809
--- /dev/null
+++ b/compass/deploy/ansible/roles/common/templates/ntp.conf
@@ -0,0 +1,56 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Specify one or more NTP servers.
+
+# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
+# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
+# more information.
+server {{ NTP_SERVER_LOCAL }}
+server 0.ubuntu.pool.ntp.org
+server 1.ubuntu.pool.ntp.org
+server 2.ubuntu.pool.ntp.org
+server 3.ubuntu.pool.ntp.org
+
+# Use Ubuntu's ntp server as a fallback.
+server ntp.ubuntu.com
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
diff --git a/compass/deploy/ansible/roles/dashboard/tasks/main.yml b/compass/deploy/ansible/roles/dashboard/tasks/main.yml
new file mode 100644
index 0000000..465b996
--- /dev/null
+++ b/compass/deploy/ansible/roles/dashboard/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: install dashboard packages
+ apt: name={{ item }} state=present force=yes
+ with_items:
+ - apache2
+ - memcached
+ - libapache2-mod-wsgi
+ - openstack-dashboard
+
+- name: remove ubuntu theme
+ apt: name=openstack-dashboard-ubuntu-theme
+ state=absent
+
+## horizon configuration is already enabled in apache2/conf-enabled
+## by openstack-dashboard package deploy script.
+#- name: update dashboard conf
+# template: src=openstack-dashboard.conf
+# dest=/etc/apache2/sites-available/openstack-dashboard.conf
+# backup=yes
+
+- name: update horizon settings
+ template: src=local_settings.py
+ dest=/etc/openstack-dashboard/local_settings.py
+ backup=yes
+
+- name: restart apache2
+ service: name=apache2 state=restarted enabled=yes
+
+- name: restart memcached
+ service: name=memcached state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/dashboard/templates/local_settings.py b/compass/deploy/ansible/roles/dashboard/templates/local_settings.py
new file mode 100644
index 0000000..87e06e3
--- /dev/null
+++ b/compass/deploy/ansible/roles/dashboard/templates/local_settings.py
@@ -0,0 +1,511 @@
+import os
+
+from django.utils.translation import ugettext_lazy as _
+
+from openstack_dashboard import exceptions
+
+DEBUG = True
+TEMPLATE_DEBUG = DEBUG
+
+# Required for Django 1.5.
+# If horizon is running in production (DEBUG is False), set this
+# with the list of host/domain names that the application can serve.
+# For more information see:
+# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
+#ALLOWED_HOSTS = ['horizon.example.com', ]
+
+# Set SSL proxy settings:
+# For Django 1.4+ pass this header from the proxy after terminating the SSL,
+# and don't forget to strip it from the client's request.
+# For more information see:
+# https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+
+# If Horizon is being served through SSL, then uncomment the following two
+# settings to better secure the cookies from security exploits
+#CSRF_COOKIE_SECURE = True
+#SESSION_COOKIE_SECURE = True
+
+# Overrides for OpenStack API versions. Use this setting to force the
+# OpenStack dashboard to use a specific API version for a given service API.
+# NOTE: The version should be formatted as it appears in the URL for the
+# service API. For example, The identity service APIs have inconsistent
+# use of the decimal point, so valid options would be "2.0" or "3".
+# OPENSTACK_API_VERSIONS = {
+# "identity": 3,
+# "volume": 2
+# }
+
+# Set this to True if running on multi-domain model. When this is enabled, it
+# will require user to enter the Domain name in addition to username for login.
+# OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
+
+# Overrides the default domain used when running on single-domain model
+# with Keystone V3. All entities will be created in the default domain.
+# OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
+
+# Set Console type:
+# valid options would be "AUTO", "VNC", "SPICE" or "RDP"
+# CONSOLE_TYPE = "AUTO"
+
+# Default OpenStack Dashboard configuration.
+HORIZON_CONFIG = {
+ 'dashboards': ('project', 'admin', 'settings',),
+ 'default_dashboard': 'project',
+ 'user_home': 'openstack_dashboard.views.get_user_home',
+ 'ajax_queue_limit': 10,
+ 'auto_fade_alerts': {
+ 'delay': 3000,
+ 'fade_duration': 1500,
+ 'types': ['alert-success', 'alert-info']
+ },
+ 'help_url': "http://docs.openstack.org",
+ 'exceptions': {'recoverable': exceptions.RECOVERABLE,
+ 'not_found': exceptions.NOT_FOUND,
+ 'unauthorized': exceptions.UNAUTHORIZED},
+}
+
+# Specify a regular expression to validate user passwords.
+# HORIZON_CONFIG["password_validator"] = {
+# "regex": '.*',
+# "help_text": _("Your password does not meet the requirements.")
+# }
+
+# Disable simplified floating IP address management for deployments with
+# multiple floating IP pools or complex network requirements.
+# HORIZON_CONFIG["simple_ip_management"] = False
+
+# Turn off browser autocompletion for the login form if so desired.
+# HORIZON_CONFIG["password_autocomplete"] = "off"
+
+LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
+
+# Set custom secret key:
+# You can either set it to a specific value or you can let horizion generate a
+# default secret key that is unique on this machine, e.i. regardless of the
+# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, there
+# may be situations where you would want to set this explicitly, e.g. when
+# multiple dashboard instances are distributed on different machines (usually
+# behind a load-balancer). Either you have to make sure that a session gets all
+# requests routed to the same dashboard instance or you set the same SECRET_KEY
+# for all of them.
+from horizon.utils import secret_key
+SECRET_KEY = 'AJDSKLAJDKASJDKASJDKSAJDKSJAKDSA'
+# We recommend you use memcached for development; otherwise after every reload
+# of the django development server, you will have to login again. To use
+# memcached set CACHES to something like
+CACHES = {
+ 'default': {
+ 'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache',
+ 'LOCATION' : '127.0.0.1:11211',
+ }
+}
+
+#CACHES = {
+# 'default': {
+# 'BACKEND' : 'django.core.cache.backends.locmem.LocMemCache'
+# }
+#}
+
+# Enable the Ubuntu theme if it is present.
+try:
+ from ubuntu_theme import *
+except ImportError:
+ pass
+
+# Default Ubuntu apache configuration uses /horizon as the application root.
+# Configure auth redirects here accordingly.
+LOGIN_URL='/horizon/auth/login/'
+LOGOUT_URL='/horizon/auth/logout/'
+LOGIN_REDIRECT_URL='/horizon'
+
+# The Ubuntu package includes pre-compressed JS and compiled CSS to allow
+# offline compression by default. To enable online compression, install
+# the node-less package and enable the following option.
+COMPRESS_OFFLINE = True
+
+# By default, validation of the HTTP Host header is disabled. Production
+# installations should have this set accordingly. For more information
+# see https://docs.djangoproject.com/en/dev/ref/settings/.
+ALLOWED_HOSTS = ['{{ dashboard_host }}']
+
+# Send email to the console by default
+EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+# Or send them to /dev/null
+#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'
+
+# Configure these for your outgoing email host
+# EMAIL_HOST = 'smtp.my-company.com'
+# EMAIL_PORT = 25
+# EMAIL_HOST_USER = 'djangomail'
+# EMAIL_HOST_PASSWORD = 'top-secret!'
+
+# For multiple regions uncomment this configuration, and add (endpoint, title).
+# AVAILABLE_REGIONS = [
+# ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
+# ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
+# ]
+
+OPENSTACK_HOST = "{{ HA_VIP }}"
+OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
+OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
+
+# Disable SSL certificate checks (useful for self-signed certificates):
+# OPENSTACK_SSL_NO_VERIFY = True
+
+# The CA certificate to use to verify SSL connections
+# OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
+
+# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
+# capabilities of the auth backend for Keystone.
+# If Keystone has been configured to use LDAP as the auth backend then set
+# can_edit_user to False and name to 'ldap'.
+#
+# TODO(tres): Remove these once Keystone has an API to identify auth backend.
+OPENSTACK_KEYSTONE_BACKEND = {
+ 'name': 'native',
+ 'can_edit_user': True,
+ 'can_edit_group': True,
+ 'can_edit_project': True,
+ 'can_edit_domain': True,
+ 'can_edit_role': True
+}
+
+#Setting this to True, will add a new "Retrieve Password" action on instance,
+#allowing Admin session password retrieval/decryption.
+#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False
+
+# The Xen Hypervisor has the ability to set the mount point for volumes
+# attached to instances (other Hypervisors currently do not). Setting
+# can_set_mount_point to True will add the option to set the mount point
+# from the UI.
+OPENSTACK_HYPERVISOR_FEATURES = {
+ 'can_set_mount_point': False,
+ 'can_set_password': False,
+}
+
+# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
+# services provided by neutron. Options currently available are load
+# balancer service, security groups, quotas, VPN service.
+OPENSTACK_NEUTRON_NETWORK = {
+ 'enable_lb': False,
+ 'enable_firewall': False,
+ 'enable_quotas': True,
+ 'enable_vpn': False,
+ # The profile_support option is used to detect if an external router can be
+ # configured via the dashboard. When using specific plugins the
+ # profile_support can be turned on if needed.
+ 'profile_support': None,
+ #'profile_support': 'cisco',
+}
+
+# The OPENSTACK_IMAGE_BACKEND settings can be used to customize features
+# in the OpenStack Dashboard related to the Image service, such as the list
+# of supported image formats.
+# OPENSTACK_IMAGE_BACKEND = {
+# 'image_formats': [
+# ('', ''),
+# ('aki', _('AKI - Amazon Kernel Image')),
+# ('ami', _('AMI - Amazon Machine Image')),
+# ('ari', _('ARI - Amazon Ramdisk Image')),
+# ('iso', _('ISO - Optical Disk Image')),
+# ('qcow2', _('QCOW2 - QEMU Emulator')),
+# ('raw', _('Raw')),
+# ('vdi', _('VDI')),
+# ('vhd', _('VHD')),
+# ('vmdk', _('VMDK'))
+# ]
+# }
+
+# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
+# image custom property attributes that appear on image detail pages.
+IMAGE_CUSTOM_PROPERTY_TITLES = {
+ "architecture": _("Architecture"),
+ "kernel_id": _("Kernel ID"),
+ "ramdisk_id": _("Ramdisk ID"),
+ "image_state": _("Euca2ools state"),
+ "project_id": _("Project ID"),
+ "image_type": _("Image Type")
+}
+
+# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
+# in the Keystone service catalog. Use this setting when Horizon is running
+# external to the OpenStack environment. The default is 'publicURL'.
+#OPENSTACK_ENDPOINT_TYPE = "publicURL"
+
+# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
+# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
+# in the Keystone service catalog. Use this setting when Horizon is running
+# external to the OpenStack environment. The default is None. This
+# value should differ from OPENSTACK_ENDPOINT_TYPE if used.
+#SECONDARY_ENDPOINT_TYPE = "publicURL"
+
+# The number of objects (Swift containers/objects or images) to display
+# on a single page before providing a paging element (a "more" link)
+# to paginate results.
+API_RESULT_LIMIT = 1000
+API_RESULT_PAGE_SIZE = 20
+
+# The timezone of the server. This should correspond with the timezone
+# of your entire OpenStack installation, and hopefully be in UTC.
+TIME_ZONE = "UTC"
+
+# When launching an instance, the menu of available flavors is
+# sorted by RAM usage, ascending. If you would like a different sort order,
+# you can provide another flavor attribute as sorting key. Alternatively, you
+# can provide a custom callback method to use for sorting. You can also provide
+# a flag for reverse sort. For more info, see
+# http://docs.python.org/2/library/functions.html#sorted
+# CREATE_INSTANCE_FLAVOR_SORT = {
+# 'key': 'name',
+# # or
+# 'key': my_awesome_callback_method,
+# 'reverse': False,
+# }
+
+# The Horizon Policy Enforcement engine uses these values to load per service
+# policy rule files. The content of these files should match the files the
+# OpenStack services are using to determine role based access control in the
+# target installation.
+
+# Path to directory containing policy.json files
+#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
+# Map of local copy of service policy files
+#POLICY_FILES = {
+# 'identity': 'keystone_policy.json',
+# 'compute': 'nova_policy.json',
+# 'volume': 'cinder_policy.json',
+# 'image': 'glance_policy.json',
+#}
+
+# Trove user and database extension support. By default support for
+# creating users and databases on database instances is turned on.
+# To disable these extensions set the permission here to something
+# unusable such as ["!"].
+# TROVE_ADD_USER_PERMS = []
+# TROVE_ADD_DATABASE_PERMS = []
+
+LOGGING = {
+ 'version': 1,
+ # When set to True this will disable all logging except
+ # for loggers specified in this configuration dictionary. Note that
+ # if nothing is specified here and disable_existing_loggers is True,
+ # django.db.backends will still log unless it is disabled explicitly.
+ 'disable_existing_loggers': False,
+ 'handlers': {
+ 'null': {
+ 'level': 'DEBUG',
+ 'class': 'django.utils.log.NullHandler',
+ },
+ 'console': {
+ # Set the level to "DEBUG" for verbose output logging.
+ 'level': 'INFO',
+ 'class': 'logging.StreamHandler',
+ },
+ },
+ 'loggers': {
+ # Logging from django.db.backends is VERY verbose, send to null
+ # by default.
+ 'django.db.backends': {
+ 'handlers': ['null'],
+ 'propagate': False,
+ },
+ 'requests': {
+ 'handlers': ['null'],
+ 'propagate': False,
+ },
+ 'horizon': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'openstack_dashboard': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'novaclient': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'cinderclient': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'keystoneclient': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'glanceclient': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'neutronclient': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'heatclient': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'ceilometerclient': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'troveclient': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'swiftclient': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'openstack_auth': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'nose.plugins.manager': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'django': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ 'iso8601': {
+ 'handlers': ['null'],
+ 'propagate': False,
+ },
+ }
+}
+
+# 'direction' should not be specified for all_tcp/udp/icmp.
+# It is specified in the form.
+SECURITY_GROUP_RULES = {
+ 'all_tcp': {
+ 'name': 'ALL TCP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '1',
+ 'to_port': '65535',
+ },
+ 'all_udp': {
+ 'name': 'ALL UDP',
+ 'ip_protocol': 'udp',
+ 'from_port': '1',
+ 'to_port': '65535',
+ },
+ 'all_icmp': {
+ 'name': 'ALL ICMP',
+ 'ip_protocol': 'icmp',
+ 'from_port': '-1',
+ 'to_port': '-1',
+ },
+ 'ssh': {
+ 'name': 'SSH',
+ 'ip_protocol': 'tcp',
+ 'from_port': '22',
+ 'to_port': '22',
+ },
+ 'smtp': {
+ 'name': 'SMTP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '25',
+ 'to_port': '25',
+ },
+ 'dns': {
+ 'name': 'DNS',
+ 'ip_protocol': 'tcp',
+ 'from_port': '53',
+ 'to_port': '53',
+ },
+ 'http': {
+ 'name': 'HTTP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '80',
+ 'to_port': '80',
+ },
+ 'pop3': {
+ 'name': 'POP3',
+ 'ip_protocol': 'tcp',
+ 'from_port': '110',
+ 'to_port': '110',
+ },
+ 'imap': {
+ 'name': 'IMAP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '143',
+ 'to_port': '143',
+ },
+ 'ldap': {
+ 'name': 'LDAP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '389',
+ 'to_port': '389',
+ },
+ 'https': {
+ 'name': 'HTTPS',
+ 'ip_protocol': 'tcp',
+ 'from_port': '443',
+ 'to_port': '443',
+ },
+ 'smtps': {
+ 'name': 'SMTPS',
+ 'ip_protocol': 'tcp',
+ 'from_port': '465',
+ 'to_port': '465',
+ },
+ 'imaps': {
+ 'name': 'IMAPS',
+ 'ip_protocol': 'tcp',
+ 'from_port': '993',
+ 'to_port': '993',
+ },
+ 'pop3s': {
+ 'name': 'POP3S',
+ 'ip_protocol': 'tcp',
+ 'from_port': '995',
+ 'to_port': '995',
+ },
+ 'ms_sql': {
+ 'name': 'MS SQL',
+ 'ip_protocol': 'tcp',
+ 'from_port': '1433',
+ 'to_port': '1433',
+ },
+ 'mysql': {
+ 'name': 'MYSQL',
+ 'ip_protocol': 'tcp',
+ 'from_port': '3306',
+ 'to_port': '3306',
+ },
+ 'rdp': {
+ 'name': 'RDP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '3389',
+ 'to_port': '3389',
+ },
+}
+
+FLAVOR_EXTRA_KEYS = {
+ 'flavor_keys': [
+ ('quota:read_bytes_sec', _('Quota: Read bytes')),
+ ('quota:write_bytes_sec', _('Quota: Write bytes')),
+ ('quota:cpu_quota', _('Quota: CPU')),
+ ('quota:cpu_period', _('Quota: CPU period')),
+ ('quota:inbound_average', _('Quota: Inbound average')),
+ ('quota:outbound_average', _('Quota: Outbound average')),
+ ]
+}
+
diff --git a/compass/deploy/ansible/roles/dashboard/templates/openstack-dashboard.conf b/compass/deploy/ansible/roles/dashboard/templates/openstack-dashboard.conf
new file mode 100644
index 0000000..a5a791a
--- /dev/null
+++ b/compass/deploy/ansible/roles/dashboard/templates/openstack-dashboard.conf
@@ -0,0 +1,14 @@
+<VirtualHost *:80>
+
+WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
+WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
+Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
+
+<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
+Order allow,deny
+Allow from all
+</Directory>
+
+
+</VirtualHost>
+
diff --git a/compass/deploy/ansible/roles/database/files/my.cnf b/compass/deploy/ansible/roles/database/files/my.cnf
new file mode 100644
index 0000000..d61f947
--- /dev/null
+++ b/compass/deploy/ansible/roles/database/files/my.cnf
@@ -0,0 +1,131 @@
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port = 3306
+socket = /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket = /var/run/mysqld/mysqld.sock
+nice = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user = mysql
+pid-file = /var/run/mysqld/mysqld.pid
+socket = /var/run/mysqld/mysqld.sock
+port = 3306
+basedir = /usr
+datadir = /var/lib/mysql
+tmpdir = /tmp
+lc-messages-dir = /usr/share/mysql
+skip-external-locking
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address = 0.0.0.0
+#
+# * Fine Tuning
+#
+key_buffer = 16M
+max_allowed_packet = 16M
+thread_stack = 192K
+thread_cache_size = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam-recover = BACKUP
+#max_connections = 100
+#table_cache = 64
+#thread_concurrency = 10
+#
+# * Query Cache Configuration
+#
+query_cache_limit = 1M
+query_cache_size = 16M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file = /var/log/mysql/mysql.log
+#general_log = 1
+#
+# Error log - should be very few entries.
+#
+log_error = /var/log/mysql/error.log
+#
+# Here you can see queries with especially long duration
+#log_slow_queries = /var/log/mysql/mysql-slow.log
+#long_query_time = 2
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = include_database_name
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+default-storage-engine = innodb
+innodb_file_per_table
+collation-server = utf8_general_ci
+init-connect = 'SET NAMES utf8'
+character-set-server = utf8
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = 16M
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer = 16M
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+# The files must end with '.cnf', otherwise they'll be ignored.
+#
+!includedir /etc/mysql/conf.d/
+
diff --git a/compass/deploy/ansible/roles/database/tasks/main.yml b/compass/deploy/ansible/roles/database/tasks/main.yml
new file mode 100644
index 0000000..e66f0cd
--- /dev/null
+++ b/compass/deploy/ansible/roles/database/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: copy data.sh
+ template: src=data.j2 dest=/opt/data.sh mode=777
+ tags:
+ - mysql_user
+
+- include: mysql.yml
+ when: HA_CLUSTER is not defined
+
+- include: mariadb.yml
+ when: HA_CLUSTER is defined
+
diff --git a/compass/deploy/ansible/roles/database/tasks/mariadb.yml b/compass/deploy/ansible/roles/database/tasks/mariadb.yml
new file mode 100644
index 0000000..093dfd1
--- /dev/null
+++ b/compass/deploy/ansible/roles/database/tasks/mariadb.yml
@@ -0,0 +1,46 @@
+---
+- name: install python-mysqldb
+ apt: name={{ item }} state=present force=yes
+ with_items:
+ - libaio1
+ - libssl0.9.8
+ #- mariadb-client-5.5
+ - mysql-client-5.5
+ - python-mysqldb
+ - mysql-server-wsrep
+ - galera
+
+- name: create mysql log directy
+ file: path=/var/log/mysql state=directory owner=mysql group=mysql mode=0755
+
+- name: update mariadb my.cnf
+ template: src=my.cnf dest=/etc/mysql/my.cnf backup=yes
+
+- name: update galera wsrep.cnf
+ template: src=wsrep.cnf dest=/etc/mysql/conf.d/wsrep.cnf backup=yes
+
+- name: update wsrep_sst_rsync uid
+ lineinfile: dest=/usr/bin/wsrep_sst_rsync state=absent regexp="\s*uid = \$MYUID$" backup=yes
+
+- name: update wsrep_sst_rsync gid
+ lineinfile: dest=/usr/bin/wsrep_sst_rsync state=absent regexp="\s*gid = \$MYGID$" backup=yes
+
+- name: manually restart mysql server
+ service: name=mysql state=restarted enabled=yes
+ register: result
+ until: result|success
+ retries: 5
+ delay: 5
+ tags:
+ - mysql_restart
+
+- name: generate mysql service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - mysql
+
+- name: create database/user
+ shell: /opt/data.sh
+ when: HA_CLUSTER[inventory_hostname] == ''
+ tags:
+ - mysql_user
diff --git a/compass/deploy/ansible/roles/database/tasks/mysql.yml b/compass/deploy/ansible/roles/database/tasks/mysql.yml
new file mode 100644
index 0000000..327b656
--- /dev/null
+++ b/compass/deploy/ansible/roles/database/tasks/mysql.yml
@@ -0,0 +1,22 @@
+---
+- name: install mysql client and server packages
+ apt: name={{ item }} state=present
+ with_items:
+ - python-mysqldb
+ - mysql-server
+
+- name: create mysql log directy
+ file: path=/var/log/mysql state=directory owner=mysql group=mysql mode=0755
+
+- name: update mysql my.cnf
+ copy: src=my.cnf
+ dest=/etc/mysql/my.cnf
+ backup=yes
+
+- name: manually restart mysql server
+ shell: service mysql restart
+
+- name: create database/user
+ shell: /opt/data.sh
+ tags:
+ - mysql_user
diff --git a/compass/deploy/ansible/roles/database/templates/data.j2 b/compass/deploy/ansible/roles/database/templates/data.j2
new file mode 100644
index 0000000..c894b32
--- /dev/null
+++ b/compass/deploy/ansible/roles/database/templates/data.j2
@@ -0,0 +1,39 @@
+#!/bin/sh
+mysql -uroot -Dmysql <<EOF
+drop database if exists keystone;
+drop database if exists glance;
+drop database if exists neutron;
+drop database if exists nova;
+drop database if exists cinder;
+
+CREATE DATABASE keystone;
+{% for host in ['%', 'localhost', inventory_hostname] %}
+GRANT ALL ON keystone.* TO 'keystone'@'{{ host }}' IDENTIFIED BY '{{ KEYSTONE_DBPASS }}';
+{% endfor %}
+
+CREATE DATABASE glance;
+{% for host in ['%', 'localhost', inventory_hostname] %}
+GRANT ALL ON glance.* TO 'glance'@'{{ host }}' IDENTIFIED BY '{{ GLANCE_DBPASS }}';
+{% endfor %}
+
+CREATE DATABASE neutron;
+{% for host in ['%', 'localhost', inventory_hostname] %}
+GRANT ALL ON neutron.* TO 'neutron'@'{{ host }}' IDENTIFIED BY '{{ NEUTRON_DBPASS }}';
+{% endfor %}
+
+CREATE DATABASE nova;
+{% for host in ['%', 'localhost', inventory_hostname] %}
+GRANT ALL ON nova.* TO 'nova'@'{{ host }}' IDENTIFIED BY '{{ NOVA_DBPASS }}';
+{% endfor %}
+
+CREATE DATABASE cinder;
+{% for host in ['%', 'localhost', inventory_hostname] %}
+GRANT ALL ON cinder.* TO 'cinder'@'{{ host }}' IDENTIFIED BY '{{ CINDER_DBPASS }}';
+{% endfor %}
+
+{% if WSREP_SST_USER is defined %}
+{% for host in ['%', 'localhost', inventory_hostname] %}
+GRANT ALL ON *.* TO '{{ WSREP_SST_USER }}'@'{{ host }}' IDENTIFIED BY '{{ WSREP_SST_PASS }}';
+{% endfor %}
+{% endif %}
+EOF
diff --git a/compass/deploy/ansible/roles/database/templates/my.cnf b/compass/deploy/ansible/roles/database/templates/my.cnf
new file mode 100644
index 0000000..165d619
--- /dev/null
+++ b/compass/deploy/ansible/roles/database/templates/my.cnf
@@ -0,0 +1,134 @@
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port = 3306
+socket = /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket = /var/run/mysqld/mysqld.sock
+nice = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user = mysql
+pid-file = /var/run/mysqld/mysqld.pid
+socket = /var/run/mysqld/mysqld.sock
+port = 3306
+basedir = /usr
+datadir = /var/lib/mysql
+tmpdir = /tmp
+lc-messages-dir = /usr/share/mysql
+skip-external-locking
+skip-name-resolve
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+#bind-address = {{ hostvars[inventory_hostname]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}
+bind-address = {{ HA_VIP }}
+#
+# * Fine Tuning
+#
+key_buffer = 16M
+max_allowed_packet = 16M
+thread_stack = 192K
+thread_cache_size = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam-recover = BACKUP
+max_connections = 2000
+max_connect_errors = 8000
+#table_cache = 64
+#thread_concurrency = 10
+#
+# * Query Cache Configuration
+#
+query_cache_limit = 1M
+query_cache_size = 16M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+general_log_file = /var/log/mysql/mysql.log
+#general_log = 1
+#
+# Error log - should be very few entries.
+#
+log_error = /var/log/mysql/error.log
+#
+# Here you can see queries with especially long duration
+#log_slow_queries = /var/log/mysql/mysql-slow.log
+#long_query_time = 2
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = include_database_name
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+default-storage-engine = innodb
+innodb_file_per_table
+collation-server = utf8_general_ci
+init-connect = 'SET NAMES utf8'
+character-set-server = utf8
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = 16M
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer = 16M
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+# The files must end with '.cnf', otherwise they'll be ignored.
+#
+!includedir /etc/mysql/conf.d/
+
diff --git a/compass/deploy/ansible/roles/database/templates/wsrep.cnf b/compass/deploy/ansible/roles/database/templates/wsrep.cnf
new file mode 100644
index 0000000..b9e9424
--- /dev/null
+++ b/compass/deploy/ansible/roles/database/templates/wsrep.cnf
@@ -0,0 +1,126 @@
+# This file contains wsrep-related mysqld options. It should be included
+# in the main MySQL configuration file.
+#
+# Options that need to be customized:
+# - wsrep_provider
+# - wsrep_cluster_address
+# - wsrep_sst_auth
+# The rest of defaults should work out of the box.
+
+##
+## mysqld options _MANDATORY_ for correct opration of the cluster
+##
+[mysqld]
+
+# (This must be substituted by wsrep_format)
+binlog_format=ROW
+
+# Currently only InnoDB storage engine is supported
+default-storage-engine=innodb
+
+# to avoid issues with 'bulk mode inserts' using autoinc
+innodb_autoinc_lock_mode=2
+
+# This is a must for paralell applying
+innodb_locks_unsafe_for_binlog=1
+
+# Query Cache is not supported with wsrep
+query_cache_size=0
+query_cache_type=0
+
+# Override bind-address
+# In some systems bind-address defaults to 127.0.0.1, and with mysqldump SST
+# it will have (most likely) disastrous consequences on donor node
+#bind-address={{ hostvars[inventory_hostname]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}
+bind-address={{ HA_VIP }}
+
+##
+## WSREP options
+##
+
+# Full path to wsrep provider library or 'none'
+wsrep_provider=/usr/lib/galera/libgalera_smm.so
+
+# Provider specific configuration options
+#wsrep_provider_options=
+
+# Logical cluster name. Should be the same for all nodes.
+wsrep_cluster_name="my_wsrep_cluster"
+
+# Group communication system handle
+wsrep_cluster_address=gcomm://{{ HA_CLUSTER[inventory_hostname] }}
+
+# Human-readable node name (non-unique). Hostname by default.
+#wsrep_node_name=
+
+# Base replication <address|hostname>[:port] of the node.
+# The values supplied will be used as defaults for state transfer receiving,
+# listening ports and so on. Default: address of the first network interface.
+wsrep_node_address={{ hostvars[inventory_hostname]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}
+
+# Address for incoming client connections. Autodetect by default.
+#wsrep_node_incoming_address=
+
+# How many threads will process writesets from other nodes
+wsrep_slave_threads=1
+
+# DBUG options for wsrep provider
+#wsrep_dbug_option
+
+# Generate fake primary keys for non-PK tables (required for multi-master
+# and parallel applying operation)
+wsrep_certify_nonPK=1
+
+# Maximum number of rows in write set
+wsrep_max_ws_rows=131072
+
+# Maximum size of write set
+wsrep_max_ws_size=1073741824
+
+# to enable debug level logging, set this to 1
+wsrep_debug=1
+
+# convert locking sessions into transactions
+wsrep_convert_LOCK_to_trx=0
+
+# how many times to retry deadlocked autocommits
+wsrep_retry_autocommit=1
+
+# change auto_increment_increment and auto_increment_offset automatically
+wsrep_auto_increment_control=1
+
+# retry autoinc insert, which failed for duplicate key error
+wsrep_drupal_282555_workaround=0
+
+# enable "strictly synchronous" semantics for read operations
+wsrep_causal_reads=0
+
+# Command to call when node status or cluster membership changes.
+# Will be passed all or some of the following options:
+# --status - new status of this node
+# --uuid - UUID of the cluster
+# --primary - whether the component is primary or not ("yes"/"no")
+# --members - comma-separated list of members
+# --index - index of this node in the list
+wsrep_notify_cmd=
+
+##
+## WSREP State Transfer options
+##
+
+# State Snapshot Transfer method
+wsrep_sst_method=rsync
+
+# Address on THIS node to receive SST at. DON'T SET IT TO DONOR ADDRESS!!!
+# (SST method dependent. Defaults to the first IP of the first interface)
+#wsrep_sst_receive_address=
+
+# SST authentication string. This will be used to send SST to joining nodes.
+# Depends on SST method. For mysqldump method it is root:<root password>
+wsrep_sst_auth={{ WSREP_SST_USER }}:{{ WSREP_SST_PASS }}
+
+# Desired SST donor name.
+#wsrep_sst_donor=
+
+# Protocol version to use
+# wsrep_protocol_version=
diff --git a/compass/deploy/ansible/roles/glance/handlers/main.yml b/compass/deploy/ansible/roles/glance/handlers/main.yml
new file mode 100644
index 0000000..d8eaa44
--- /dev/null
+++ b/compass/deploy/ansible/roles/glance/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart glance-api
+ service: name=glance-api state=restarted enabled=yes
+
+- name: restart glance-registry
+ service: name=glance-registry state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/glance/tasks/glance_config.yml b/compass/deploy/ansible/roles/glance/tasks/glance_config.yml
new file mode 100644
index 0000000..28392a3
--- /dev/null
+++ b/compass/deploy/ansible/roles/glance/tasks/glance_config.yml
@@ -0,0 +1,29 @@
+---
+- name: init glance db version
+ shell: glance-manage db_version_control 0
+
+- name: sync glance db
+ shell: sleep 15; su -s /bin/sh -c "glance-manage db_sync" glance
+ register: result
+ until: result.rc == 0
+ retries: 5
+ delay: 3
+ notify:
+ - restart glance-registry
+ - restart glance-api
+
+- meta: flush_handlers
+
+- name: place image upload script
+ template: src=image_upload.sh dest=/opt/image_upload.sh mode=0744
+
+- name: download cirros image file
+ get_url: url={{ build_in_image }} dest=/opt/{{ build_in_image_name }}
+
+- name: wait for 9292 port to become available
+ wait_for: host={{ image_host }} port=9292 delay=5
+
+- name: run image upload
+ shell: for i in {0..5}; do /opt/image_upload.sh && touch image_upload_completed; if [ $? != 0 ] ;then sleep 5; else break;fi;done
+ args:
+ creates: image_upload_completed
diff --git a/compass/deploy/ansible/roles/glance/tasks/glance_install.yml b/compass/deploy/ansible/roles/glance/tasks/glance_install.yml
new file mode 100644
index 0000000..505b3b0
--- /dev/null
+++ b/compass/deploy/ansible/roles/glance/tasks/glance_install.yml
@@ -0,0 +1,26 @@
+---
+- name: install glance packages
+ apt: name={{ item }} state=latest force=yes
+ with_items:
+ - glance
+ - python-glanceclient
+
+- name: generate glance service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - glance-registry
+ - glance-api
+
+- name: update glance conf
+ template: src={{ item }} dest=/etc/glance/{{ item }}
+ backup=yes
+ with_items:
+ - glance-api.conf
+ - glance-registry.conf
+ notify:
+ - restart glance-registry
+ - restart glance-api
+
+- name: remove default sqlite db
+ shell: rm /var/lib/glance/glance.sqlite || touch glance.sqllite.db.removed
+
diff --git a/compass/deploy/ansible/roles/glance/tasks/main.yml b/compass/deploy/ansible/roles/glance/tasks/main.yml
new file mode 100644
index 0000000..296f0dc
--- /dev/null
+++ b/compass/deploy/ansible/roles/glance/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- include: glance_install.yml
+ tags:
+ - install
+ - glance_install
+ - glance
+
+- include: nfs.yml
+ tags:
+ - nfs
+
+- include: glance_config.yml
+ when: HA_CLUSTER is not defined or HA_CLUSTER[inventory_hostname] == ''
+ tags:
+ - config
+ - glance_config
+ - glance
+
diff --git a/compass/deploy/ansible/roles/glance/tasks/nfs.yml b/compass/deploy/ansible/roles/glance/tasks/nfs.yml
new file mode 100644
index 0000000..c03ab4d
--- /dev/null
+++ b/compass/deploy/ansible/roles/glance/tasks/nfs.yml
@@ -0,0 +1,41 @@
+---
+- name: get nfs server
+ local_action: shell /sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6| grep "10" -m 1 |awk '{print $2}'|tr -d "addr:"
+ register: ip_info
+ run_once: True
+
+- name: install nfs
+ local_action: yum name=nfs-utils state=present
+ run_once: True
+
+- name: create image directory
+ local_action: file path=/opt/images state=directory mode=0777
+ run_once: True
+
+- name: update nfs config
+ local_action: lineinfile dest=/etc/exports state=present
+ regexp="/opt/images *(rw,insecure,sync,all_squash)"
+ line="/opt/images *(rw,insecure,sync,all_squash)"
+ run_once: True
+
+- name: restart nfs service
+ local_action: service name=nfs state=restarted enabled=yes
+ run_once: True
+
+- name: install nfs comm
+ apt: name=nfs-common state=present
+
+- name: get mount info
+ command: mount
+ register: mount_info
+
+- name: mount image directory
+ shell: |
+ mount -t nfs -onfsvers=3 {{ item }}:/opt/images /var/lib/glance/images
+ sed -i '/\/var\/lib\/glance\/images/d' /etc/fstab
+ echo {{ item }}:/opt/images /var/lib/glance/images/ nfs nfsvers=3 >> /etc/fstab
+ when: mount_info.stdout.find('images') == -1
+ with_items:
+ ip_info.stdout_lines
+ retries: 5
+ delay: 3
diff --git a/compass/deploy/ansible/roles/glance/templates/glance-api.conf b/compass/deploy/ansible/roles/glance/templates/glance-api.conf
new file mode 100644
index 0000000..763539e
--- /dev/null
+++ b/compass/deploy/ansible/roles/glance/templates/glance-api.conf
@@ -0,0 +1,677 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+#verbose = False
+
+# Show debugging output in logs (sets DEBUG log level output)
+#debug = False
+
+# Which backend scheme should Glance use by default is not specified
+# in a request to add a new image to Glance? Known schemes are determined
+# by the known_stores option below.
+# Default: 'file'
+# "default_store" option has been moved to [glance_store] section in
+# Juno release
+
+# List of which store classes and store class locations are
+# currently known to glance at startup.
+# Existing but disabled stores:
+# glance.store.rbd.Store,
+# glance.store.s3.Store,
+# glance.store.swift.Store,
+# glance.store.sheepdog.Store,
+# glance.store.cinder.Store,
+# glance.store.gridfs.Store,
+# glance.store.vmware_datastore.Store,
+#known_stores = glance.store.filesystem.Store,
+# glance.store.http.Store
+
+
+# Maximum image size (in bytes) that may be uploaded through the
+# Glance API server. Defaults to 1 TB.
+# WARNING: this value should only be increased after careful consideration
+# and must be set to a value under 8 EB (9223372036854775808).
+#image_size_cap = 1099511627776
+
+# Address to bind the API server
+bind_host = {{ image_host }}
+
+# Port the bind the API server to
+bind_port = 9292
+
+# Log to this file. Make sure you do not set the same log file for both the API
+# and registry servers!
+#
+# If `log_file` is omitted and `use_syslog` is false, then log messages are
+# sent to stdout as a fallback.
+log_file = /var/log/glance/api.log
+
+# Backlog requests when creating socket
+backlog = 4096
+
+# TCP_KEEPIDLE value in seconds when creating socket.
+# Not supported on OS X.
+#tcp_keepidle = 600
+
+# API to use for accessing data. Default value points to sqlalchemy
+# package, it is also possible to use: glance.db.registry.api
+# data_api = glance.db.sqlalchemy.api
+
+# Number of Glance API worker processes to start.
+# On machines with more than one CPU increasing this value
+# may improve performance (especially if using SSL with
+# compression turned on). It is typically recommended to set
+# this value to the number of CPUs present on your machine.
+workers = 1
+
+# Maximum line size of message headers to be accepted.
+# max_header_line may need to be increased when using large tokens
+# (typically those generated by the Keystone v3 API with big service
+# catalogs)
+# max_header_line = 16384
+
+# Role used to identify an authenticated user as administrator
+#admin_role = admin
+
+# Allow unauthenticated users to access the API with read-only
+# privileges. This only applies when using ContextMiddleware.
+#allow_anonymous_access = False
+
+# Allow access to version 1 of glance api
+#enable_v1_api = True
+
+# Allow access to version 2 of glance api
+#enable_v2_api = True
+
+# Return the URL that references where the data is stored on
+# the backend storage system. For example, if using the
+# file system store a URL of 'file:///path/to/image' will
+# be returned to the user in the 'direct_url' meta-data field.
+# The default value is false.
+#show_image_direct_url = False
+
+# Send headers containing user and tenant information when making requests to
+# the v1 glance registry. This allows the registry to function as if a user is
+# authenticated without the need to authenticate a user itself using the
+# auth_token middleware.
+# The default value is false.
+#send_identity_headers = False
+
+# Supported values for the 'container_format' image attribute
+#container_formats=ami,ari,aki,bare,ovf,ova
+
+# Supported values for the 'disk_format' image attribute
+#disk_formats=ami,ari,aki,vhd,vmdk,raw,qcow2,vdi,iso
+
+# Directory to use for lock files. Default to a temp directory
+# (string value). This setting needs to be the same for both
+# glance-scrubber and glance-api.
+#lock_path=<None>
+
+# Property Protections config file
+# This file contains the rules for property protections and the roles/policies
+# associated with it.
+# If this config value is not specified, by default, property protections
+# won't be enforced.
+# If a value is specified and the file is not found, then the glance-api
+# service will not start.
+#property_protection_file =
+
+# Specify whether 'roles' or 'policies' are used in the
+# property_protection_file.
+# The default value for property_protection_rule_format is 'roles'.
+#property_protection_rule_format = roles
+
+# Specifies how long (in hours) a task is supposed to live in the tasks DB
+# after succeeding or failing before getting soft-deleted.
+# The default value for task_time_to_live is 48 hours.
+# task_time_to_live = 48
+
+# This value sets what strategy will be used to determine the image location
+# order. Currently two strategies are packaged with Glance 'location_order'
+# and 'store_type'.
+#location_strategy = location_order
+
+# ================= Syslog Options ============================
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+#use_syslog = False
+
+# Facility to use. If unset defaults to LOG_USER.
+#syslog_log_facility = LOG_LOCAL0
+
+# ================= SSL Options ===============================
+
+# Certificate file to use when starting API server securely
+#cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+#key_file = /path/to/keyfile
+
+# CA certificate file to use to verify connecting clients
+#ca_file = /path/to/cafile
+
+# ================= Security Options ==========================
+
+# AES key for encrypting store 'location' metadata, including
+# -- if used -- Swift or S3 credentials
+# Should be set to a random string of length 16, 24 or 32 bytes
+#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
+
+# ============ Registry Options ===============================
+
+# Address to find the registry server
+registry_host = {{ internal_ip }}
+
+# Port the registry server is listening on
+registry_port = 9191
+
+# What protocol to use when connecting to the registry server?
+# Set to https for secure HTTP communication
+registry_client_protocol = http
+
+# The path to the key file to use in SSL connections to the
+# registry server, if any. Alternately, you may set the
+# GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file
+#registry_client_key_file = /path/to/key/file
+
+# The path to the cert file to use in SSL connections to the
+# registry server, if any. Alternately, you may set the
+# GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file
+#registry_client_cert_file = /path/to/cert/file
+
+# The path to the certifying authority cert file to use in SSL connections
+# to the registry server, if any. Alternately, you may set the
+# GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file
+#registry_client_ca_file = /path/to/ca/file
+
+# When using SSL in connections to the registry server, do not require
+# validation via a certifying authority. This is the registry's equivalent of
+# specifying --insecure on the command line using glanceclient for the API
+# Default: False
+#registry_client_insecure = False
+
+# The period of time, in seconds, that the API server will wait for a registry
+# request to complete. A value of '0' implies no timeout.
+# Default: 600
+#registry_client_timeout = 600
+
+# Whether to automatically create the database tables.
+# Default: False
+#db_auto_create = False
+
+# Enable DEBUG log messages from sqlalchemy which prints every database
+# query and response.
+# Default: False
+#sqlalchemy_debug = True
+
+# Pass the user's token through for API requests to the registry.
+# Default: True
+#use_user_token = True
+
+# If 'use_user_token' is not in effect then admin credentials
+# can be specified. Requests to the registry on behalf of
+# the API will use these credentials.
+# Admin user name
+#admin_user = None
+# Admin password
+#admin_password = None
+# Admin tenant name
+#admin_tenant_name = None
+# Keystone endpoint
+#auth_url = None
+# Keystone region
+#auth_region = None
+# Auth strategy
+#auth_strategy = keystone
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when images are create, updated or deleted.
+# There are three methods of sending notifications, logging (via the
+# log_file directive), rabbit (via a rabbitmq queue), qpid (via a Qpid
+# message queue), or noop (no notifications sent, the default)
+# NOTE: THIS CONFIGURATION OPTION HAS BEEN DEPRECATED IN FAVOR OF `notification_driver`
+# notifier_strategy = default
+
+# Driver or drivers to handle sending notifications
+# notification_driver = noop
+
+# Default publisher_id for outgoing notifications.
+# default_publisher_id = image.localhost
+
+# Configuration options if sending notifications via rabbitmq (these are
+# the defaults)
+rabbit_host = localhost
+rabbit_port = 5672
+rabbit_use_ssl = false
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+rabbit_virtual_host = /
+rabbit_notification_exchange = glance
+rabbit_notification_topic = notifications
+rabbit_durable_queues = False
+
+# Configuration options if sending notifications via Qpid (these are
+# the defaults)
+qpid_notification_exchange = glance
+qpid_notification_topic = notifications
+qpid_hostname = localhost
+qpid_port = 5672
+qpid_username =
+qpid_password =
+qpid_sasl_mechanisms =
+qpid_reconnect_timeout = 0
+qpid_reconnect_limit = 0
+qpid_reconnect_interval_min = 0
+qpid_reconnect_interval_max = 0
+qpid_reconnect_interval = 0
+qpid_heartbeat = 5
+# Set to 'ssl' to enable SSL
+qpid_protocol = tcp
+qpid_tcp_nodelay = True
+
+# ============ Filesystem Store Options ========================
+
+# Directory that the Filesystem backend store
+# writes image data to
+# this option has been moved to [glance_store] for Juno release
+# filesystem_store_datadir = /var/lib/glance/images/
+
+# A list of directories where image data can be stored.
+# This option may be specified multiple times for specifying multiple store
+# directories. Either one of filesystem_store_datadirs or
+# filesystem_store_datadir option is required. A priority number may be given
+# after each directory entry, separated by a ":".
+# When adding an image, the highest priority directory will be selected, unless
+# there is not enough space available in cases where the image size is already
+# known. If no priority is given, it is assumed to be zero and the directory
+# will be considered for selection last. If multiple directories have the same
+# priority, then the one with the most free space available is selected.
+# If same store is specified multiple times then BadStoreConfiguration
+# exception will be raised.
+#filesystem_store_datadirs = /var/lib/glance/images/:1
+
+# A path to a JSON file that contains metadata describing the storage
+# system. When show_multiple_locations is True the information in this
+# file will be returned with any location that is contained in this
+# store.
+#filesystem_store_metadata_file = None
+
+# ============ Swift Store Options =============================
+
+# Version of the authentication service to use
+# Valid versions are '2' for keystone and '1' for swauth and rackspace
+swift_store_auth_version = 2
+
+# Address where the Swift authentication service lives
+# Valid schemes are 'http://' and 'https://'
+# If no scheme specified, default to 'https://'
+# For swauth, use something like '127.0.0.1:8080/v1.0/'
+swift_store_auth_address = 127.0.0.1:5000/v2.0/
+
+# User to authenticate against the Swift authentication service
+# If you use Swift authentication service, set it to 'account':'user'
+# where 'account' is a Swift storage account and 'user'
+# is a user in that account
+swift_store_user = jdoe:jdoe
+
+# Auth key for the user authenticating against the
+# Swift authentication service
+swift_store_key = a86850deb2742ec3cb41518e26aa2d89
+
+# Container within the account that the account should use
+# for storing images in Swift
+swift_store_container = glance
+
+# Do we create the container if it does not exist?
+swift_store_create_container_on_put = False
+
+# What size, in MB, should Glance start chunking image files
+# and do a large object manifest in Swift? By default, this is
+# the maximum object size in Swift, which is 5GB
+swift_store_large_object_size = 5120
+
+# When doing a large object manifest, what size, in MB, should
+# Glance write chunks to Swift? This amount of data is written
+# to a temporary disk buffer during the process of chunking
+# the image file, and the default is 200MB
+swift_store_large_object_chunk_size = 200
+
+# Whether to use ServiceNET to communicate with the Swift storage servers.
+# (If you aren't RACKSPACE, leave this False!)
+#
+# To use ServiceNET for authentication, prefix hostname of
+# `swift_store_auth_address` with 'snet-'.
+# Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/
+swift_enable_snet = False
+
+# If set to True enables multi-tenant storage mode which causes Glance images
+# to be stored in tenant specific Swift accounts.
+#swift_store_multi_tenant = False
+
+# A list of swift ACL strings that will be applied as both read and
+# write ACLs to the containers created by Glance in multi-tenant
+# mode. This grants the specified tenants/users read and write access
+# to all newly created image objects. The standard swift ACL string
+# formats are allowed, including:
+# <tenant_id>:<username>
+# <tenant_name>:<username>
+# *:<username>
+# Multiple ACLs can be combined using a comma separated list, for
+# example: swift_store_admin_tenants = service:glance,*:admin
+#swift_store_admin_tenants =
+
+# The region of the swift endpoint to be used for single tenant. This setting
+# is only necessary if the tenant has multiple swift endpoints.
+#swift_store_region =
+
+# If set to False, disables SSL layer compression of https swift requests.
+# Setting to 'False' may improve performance for images which are already
+# in a compressed format, eg qcow2. If set to True, enables SSL layer
+# compression (provided it is supported by the target swift proxy).
+#swift_store_ssl_compression = True
+
+# The number of times a Swift download will be retried before the
+# request fails
+#swift_store_retry_get_count = 0
+
+# ============ S3 Store Options =============================
+
+# Address where the S3 authentication service lives
+# Valid schemes are 'http://' and 'https://'
+# If no scheme specified, default to 'http://'
+s3_store_host = 127.0.0.1:8080/v1.0/
+
+# User to authenticate against the S3 authentication service
+s3_store_access_key = <20-char AWS access key>
+
+# Auth key for the user authenticating against the
+# S3 authentication service
+s3_store_secret_key = <40-char AWS secret key>
+
+# Container within the account that the account should use
+# for storing images in S3. Note that S3 has a flat namespace,
+# so you need a unique bucket name for your glance images. An
+# easy way to do this is append your AWS access key to "glance".
+# S3 buckets in AWS *must* be lowercased, so remember to lowercase
+# your AWS access key if you use it in your bucket name below!
+s3_store_bucket = <lowercased 20-char aws access key>glance
+
+# Do we create the bucket if it does not exist?
+s3_store_create_bucket_on_put = False
+
+# When sending images to S3, the data will first be written to a
+# temporary buffer on disk. By default the platform's temporary directory
+# will be used. If required, an alternative directory can be specified here.
+#s3_store_object_buffer_dir = /path/to/dir
+
+# When forming a bucket url, boto will either set the bucket name as the
+# subdomain or as the first token of the path. Amazon's S3 service will
+# accept it as the subdomain, but Swift's S3 middleware requires it be
+# in the path. Set this to 'path' or 'subdomain' - defaults to 'subdomain'.
+#s3_store_bucket_url_format = subdomain
+
+# ============ RBD Store Options =============================
+
+# Ceph configuration file path
+# If using cephx authentication, this file should
+# include a reference to the right keyring
+# in a client.<USER> section
+#rbd_store_ceph_conf = /etc/ceph/ceph.conf
+
+# RADOS user to authenticate as (only applicable if using cephx)
+# If <None>, a default will be chosen based on the client. section
+# in rbd_store_ceph_conf
+#rbd_store_user = <None>
+
+# RADOS pool in which images are stored
+#rbd_store_pool = images
+
+# RADOS images will be chunked into objects of this size (in megabytes).
+# For best performance, this should be a power of two
+#rbd_store_chunk_size = 8
+
+# ============ Sheepdog Store Options =============================
+
+sheepdog_store_address = localhost
+
+sheepdog_store_port = 7000
+
+# Images will be chunked into objects of this size (in megabytes).
+# For best performance, this should be a power of two
+sheepdog_store_chunk_size = 64
+
+# ============ Cinder Store Options ===============================
+
+# Info to match when looking for cinder in the service catalog
+# Format is : separated values of the form:
+# <service_type>:<service_name>:<endpoint_type> (string value)
+#cinder_catalog_info = volume:cinder:publicURL
+
+# Override service catalog lookup with template for cinder endpoint
+# e.g. http://localhost:8776/v1/%(project_id)s (string value)
+#cinder_endpoint_template = <None>
+
+# Region name of this node (string value)
+#os_region_name = <None>
+
+# Location of ca certicates file to use for cinder client requests
+# (string value)
+#cinder_ca_certificates_file = <None>
+
+# Number of cinderclient retries on failed http calls (integer value)
+#cinder_http_retries = 3
+
+# Allow to perform insecure SSL requests to cinder (boolean value)
+#cinder_api_insecure = False
+
+# ============ VMware Datastore Store Options =====================
+
+# ESX/ESXi or vCenter Server target system.
+# The server value can be an IP address or a DNS name
+# e.g. 127.0.0.1, 127.0.0.1:443, www.vmware-infra.com
+#vmware_server_host = <None>
+
+# Server username (string value)
+#vmware_server_username = <None>
+
+# Server password (string value)
+#vmware_server_password = <None>
+
+# Inventory path to a datacenter (string value)
+# Value optional when vmware_server_ip is an ESX/ESXi host: if specified
+# should be `ha-datacenter`.
+#vmware_datacenter_path = <None>
+
+# Datastore associated with the datacenter (string value)
+#vmware_datastore_name = <None>
+
+# The number of times we retry on failures
+# e.g., socket error, etc (integer value)
+#vmware_api_retry_count = 10
+
+# The interval used for polling remote tasks
+# invoked on VMware ESX/VC server in seconds (integer value)
+#vmware_task_poll_interval = 5
+
+# Absolute path of the folder containing the images in the datastore
+# (string value)
+#vmware_store_image_dir = /openstack_glance
+
+# Allow to perform insecure SSL requests to the target system (boolean value)
+#vmware_api_insecure = False
+
+# ============ Delayed Delete Options =============================
+
+# Turn on/off delayed delete
+delayed_delete = False
+
+# Delayed delete time in seconds
+scrub_time = 43200
+
+# Directory that the scrubber will use to remind itself of what to delete
+# Make sure this is also set in glance-scrubber.conf
+scrubber_datadir = /var/lib/glance/scrubber
+
+# =============== Quota Options ==================================
+
+# The maximum number of image members allowed per image
+#image_member_quota = 128
+
+# The maximum number of image properties allowed per image
+#image_property_quota = 128
+
+# The maximum number of tags allowed per image
+#image_tag_quota = 128
+
+# The maximum number of locations allowed per image
+#image_location_quota = 10
+
+# Set a system wide quota for every user. This value is the total number
+# of bytes that a user can use across all storage systems. A value of
+# 0 means unlimited.
+#user_storage_quota = 0
+
+# =============== Image Cache Options =============================
+
+# Base directory that the Image Cache uses
+image_cache_dir = /var/lib/glance/image-cache/
+
+# =============== Manager Options =================================
+
+# DEPRECATED. TO BE REMOVED IN THE JUNO RELEASE.
+# Whether or not to enforce that all DB tables have charset utf8.
+# If your database tables do not have charset utf8 you will
+# need to convert before this option is removed. This option is
+# only relevant if your database engine is MySQL.
+#db_enforce_mysql_charset = True
+
+# =============== Glance Store ====================================
+[glance_store]
+# Moved from [DEFAULT], for Juno release
+default_store = file
+filesystem_store_datadir = /var/lib/glance/images/
+
+# =============== Database Options =================================
+
+[database]
+# The file name to use with SQLite (string value)
+sqlite_db = /var/lib/glance/glance.sqlite
+
+# If True, SQLite uses synchronous mode (boolean value)
+#sqlite_synchronous = True
+
+# The backend to use for db (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
+backend = sqlalchemy
+
+# The SQLAlchemy connection string used to connect to the
+# database (string value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
+#connection = <None>
+connection = mysql://glance:{{ GLANCE_DBPASS }}@{{ db_host }}/glance
+
+# The SQL mode to be used for MySQL sessions. This option,
+# including the default, overrides any server-set SQL mode. To
+# use whatever SQL mode is set by the server configuration,
+# set this to no value. Example: mysql_sql_mode= (string
+# value)
+#mysql_sql_mode = TRADITIONAL
+
+# Timeout before idle sql connections are reaped (integer
+# value)
+# Deprecated group/name - [DEFAULT]/sql_idle_timeout
+# Deprecated group/name - [DATABASE]/sql_idle_timeout
+# Deprecated group/name - [sql]/idle_timeout
+#idle_timeout = 3600
+
+# Minimum number of SQL connections to keep open in a pool
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_min_pool_size
+# Deprecated group/name - [DATABASE]/sql_min_pool_size
+#min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_pool_size
+# Deprecated group/name - [DATABASE]/sql_max_pool_size
+#max_pool_size = <None>
+
+# Maximum db connection retries during startup. (setting -1
+# implies an infinite retry count) (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
+#max_retries = 10
+
+# Interval between retries of opening a sql connection
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
+#retry_interval = 10
+
+# If set, use this value for max_overflow with sqlalchemy
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
+#max_overflow = <None>
+
+# Verbosity of SQL debugging information. 0=None,
+# 100=Everything (integer value)
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
+#connection_debug = 0
+
+# Add python stack traces to SQL as comment strings (boolean
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
+#connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+# (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
+#pool_timeout = <None>
+
+# Enable the experimental use of database reconnect on
+# connection lost (boolean value)
+#use_db_reconnect = False
+
+# seconds between db connection retries (integer value)
+#db_retry_interval = 1
+
+# Whether to increase interval between db connection retries,
+# up to db_max_retry_interval (boolean value)
+#db_inc_retry_interval = True
+
+# max seconds between db connection retries, if
+# db_inc_retry_interval is enabled (integer value)
+#db_max_retry_interval = 10
+
+# maximum db connection retries before error is raised.
+# (setting -1 implies an infinite retry count) (integer value)
+#db_max_retries = 20
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = glance
+admin_password = {{ GLANCE_PASS }}
+
+[paste_deploy]
+# Name of the paste configuration file that defines the available pipelines
+#config_file = glance-api-paste.ini
+
+# Partial name of a pipeline in your paste configuration file with the
+# service name removed. For example, if your paste section name is
+# [pipeline:glance-api-keystone], you would configure the flavor below
+# as 'keystone'.
+flavor= keystone
+
+[store_type_location_strategy]
+# The scheme list to use to get store preference order. The scheme must be
+# registered by one of the stores defined by the 'known_stores' config option.
+# This option will be applied when you using 'store_type' option as image
+# location strategy defined by the 'location_strategy' config option.
+#store_type_preference =
diff --git a/compass/deploy/ansible/roles/glance/templates/glance-registry.conf b/compass/deploy/ansible/roles/glance/templates/glance-registry.conf
new file mode 100644
index 0000000..8d731a2
--- /dev/null
+++ b/compass/deploy/ansible/roles/glance/templates/glance-registry.conf
@@ -0,0 +1,190 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+#verbose = False
+
+# Show debugging output in logs (sets DEBUG log level output)
+#debug = False
+
+# Address to bind the registry server
+bind_host = {{ internal_ip }}
+
+# Port the bind the registry server to
+bind_port = 9191
+
+# Log to this file. Make sure you do not set the same log file for both the API
+# and registry servers!
+#
+# If `log_file` is omitted and `use_syslog` is false, then log messages are
+# sent to stdout as a fallback.
+log_file = /var/log/glance/registry.log
+
+# Backlog requests when creating socket
+backlog = 4096
+
+# TCP_KEEPIDLE value in seconds when creating socket.
+# Not supported on OS X.
+#tcp_keepidle = 600
+
+# API to use for accessing data. Default value points to sqlalchemy
+# package.
+#data_api = glance.db.sqlalchemy.api
+
+# Enable Registry API versions individually or simultaneously
+#enable_v1_registry = True
+#enable_v2_registry = True
+
+# Limit the api to return `param_limit_max` items in a call to a container. If
+# a larger `limit` query param is provided, it will be reduced to this value.
+api_limit_max = 1000
+
+# If a `limit` query param is not provided in an api request, it will
+# default to `limit_param_default`
+limit_param_default = 25
+
+# Role used to identify an authenticated user as administrator
+#admin_role = admin
+
+# Whether to automatically create the database tables.
+# Default: False
+#db_auto_create = False
+
+# Enable DEBUG log messages from sqlalchemy which prints every database
+# query and response.
+# Default: False
+#sqlalchemy_debug = True
+
+# ================= Syslog Options ============================
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+#use_syslog = False
+
+# Facility to use. If unset defaults to LOG_USER.
+#syslog_log_facility = LOG_LOCAL1
+
+# ================= SSL Options ===============================
+
+# Certificate file to use when starting registry server securely
+#cert_file = /path/to/certfile
+
+# Private key file to use when starting registry server securely
+#key_file = /path/to/keyfile
+
+# CA certificate file to use to verify connecting clients
+#ca_file = /path/to/cafile
+
+# ================= Database Options ==========================
+
+[database]
+# The file name to use with SQLite (string value)
+sqlite_db = /var/lib/glance/glance.sqlite
+
+# If True, SQLite uses synchronous mode (boolean value)
+#sqlite_synchronous = True
+
+# The backend to use for db (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
+backend = sqlalchemy
+
+# The SQLAlchemy connection string used to connect to the
+# database (string value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
+#connection = <None>
+connection = mysql://glance:{{ GLANCE_DBPASS }}@{{ db_host }}/glance
+
+# The SQL mode to be used for MySQL sessions. This option,
+# including the default, overrides any server-set SQL mode. To
+# use whatever SQL mode is set by the server configuration,
+# set this to no value. Example: mysql_sql_mode= (string
+# value)
+#mysql_sql_mode = TRADITIONAL
+
+# Timeout before idle sql connections are reaped (integer
+# value)
+# Deprecated group/name - [DEFAULT]/sql_idle_timeout
+# Deprecated group/name - [DATABASE]/sql_idle_timeout
+# Deprecated group/name - [sql]/idle_timeout
+#idle_timeout = 3600
+
+# Minimum number of SQL connections to keep open in a pool
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_min_pool_size
+# Deprecated group/name - [DATABASE]/sql_min_pool_size
+#min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_pool_size
+# Deprecated group/name - [DATABASE]/sql_max_pool_size
+#max_pool_size = <None>
+
+# Maximum db connection retries during startup. (setting -1
+# implies an infinite retry count) (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
+#max_retries = 10
+
+# Interval between retries of opening a sql connection
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
+#retry_interval = 10
+
+# If set, use this value for max_overflow with sqlalchemy
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
+#max_overflow = <None>
+
+# Verbosity of SQL debugging information. 0=None,
+# 100=Everything (integer value)
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
+#connection_debug = 0
+
+# Add python stack traces to SQL as comment strings (boolean
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
+#connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+# (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
+#pool_timeout = <None>
+
+# Enable the experimental use of database reconnect on
+# connection lost (boolean value)
+#use_db_reconnect = False
+
+# seconds between db connection retries (integer value)
+#db_retry_interval = 1
+
+# Whether to increase interval between db connection retries,
+# up to db_max_retry_interval (boolean value)
+#db_inc_retry_interval = True
+
+# max seconds between db connection retries, if
+# db_inc_retry_interval is enabled (integer value)
+#db_max_retry_interval = 10
+
+# maximum db connection retries before error is raised.
+# (setting -1 implies an infinite retry count) (integer value)
+#db_max_retries = 20
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = glance
+admin_password = {{ GLANCE_PASS }}
+
+[paste_deploy]
+# Name of the paste configuration file that defines the available pipelines
+#config_file = glance-registry-paste.ini
+
+# Partial name of a pipeline in your paste configuration file with the
+# service name removed. For example, if your paste section name is
+# [pipeline:glance-registry-keystone], you would configure the flavor below
+# as 'keystone'.
+flavor= keystone
diff --git a/compass/deploy/ansible/roles/glance/templates/image_upload.sh b/compass/deploy/ansible/roles/glance/templates/image_upload.sh
new file mode 100644
index 0000000..9dd1fa8
--- /dev/null
+++ b/compass/deploy/ansible/roles/glance/templates/image_upload.sh
@@ -0,0 +1,2 @@
+sleep 10
+glance --os-username=admin --os-password={{ ADMIN_PASS }} --os-tenant-name=admin --os-auth-url=http://{{ HA_VIP }}:35357/v2.0 image-create --name="cirros" --disk-format=qcow2 --container-format=bare --is-public=true < /opt/{{ build_in_image_name }} && touch glance.import.completed
diff --git a/compass/deploy/ansible/roles/ha/files/galera_chk b/compass/deploy/ansible/roles/ha/files/galera_chk
new file mode 100644
index 0000000..9fd165c
--- /dev/null
+++ b/compass/deploy/ansible/roles/ha/files/galera_chk
@@ -0,0 +1,10 @@
+#! /bin/sh
+
+code=`mysql -uroot -e "show status" | awk '/Threads_running/{print $2}'`
+
+if [ "$code"=="1" ]
+then
+ echo "HTTP/1.1 200 OK\r\n"
+else
+ echo "HTTP/1.1 503 Service Unavailable\r\n"
+fi
diff --git a/compass/deploy/ansible/roles/ha/files/mysqlchk b/compass/deploy/ansible/roles/ha/files/mysqlchk
new file mode 100644
index 0000000..2c03f19
--- /dev/null
+++ b/compass/deploy/ansible/roles/ha/files/mysqlchk
@@ -0,0 +1,15 @@
+# default: off
+# description: An xinetd internal service which echo's characters back to
+# clients.
+# This is the tcp version.
+service mysqlchk
+{
+ disable = no
+ flags = REUSE
+ socket_type = stream
+ protocol = tcp
+ user = root
+ wait = no
+ server = /usr/local/bin/galera_chk
+ port = 9200
+}
diff --git a/compass/deploy/ansible/roles/ha/files/notify.sh b/compass/deploy/ansible/roles/ha/files/notify.sh
new file mode 100644
index 0000000..5edffe8
--- /dev/null
+++ b/compass/deploy/ansible/roles/ha/files/notify.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+python /usr/local/bin/failover.py $1
+mysql -uroot -e"flush hosts"
+service mysql restart
diff --git a/compass/deploy/ansible/roles/ha/handlers/main.yml b/compass/deploy/ansible/roles/ha/handlers/main.yml
new file mode 100644
index 0000000..a02c686
--- /dev/null
+++ b/compass/deploy/ansible/roles/ha/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: restart haproxy
+ service: name=haproxy state=restarted enabled=yes
+
+- name: restart xinetd
+ service: name=xinetd state=restarted enabled=yes
+
+- name: restart keepalived
+ service: name=keepalived state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/ha/tasks/main.yml b/compass/deploy/ansible/roles/ha/tasks/main.yml
new file mode 100644
index 0000000..a00c21a
--- /dev/null
+++ b/compass/deploy/ansible/roles/ha/tasks/main.yml
@@ -0,0 +1,94 @@
+---
+- name: install keepalived xinet haproxy
+ apt: name={{ item }} state=present
+ with_items:
+ - keepalived
+ - xinetd
+ - haproxy
+
+- name: generate ha service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - keepalived
+ - xinetd
+ - haproxy
+
+- name: install pexpect
+ pip: name=pexpect state=present
+
+- name: activate ip_nonlocal_bind
+ sysctl: name=net.ipv4.ip_nonlocal_bind value=1
+ state=present reload=yes
+
+- name: set net.ipv4.tcp_keepalive_intvl
+ sysctl: name=net.ipv4.tcp_keepalive_intvl value=1
+ state=present reload=yes
+
+- name: set net.ipv4.tcp_keepalive_probes
+ sysctl: name=net.ipv4.tcp_keepalive_probes value=5
+ state=present reload=yes
+
+- name: set net.ipv4.tcp_keepalive_time
+ sysctl: name=net.ipv4.tcp_keepalive_time value=5
+ state=present reload=yes
+
+- name: update haproxy cfg
+ template: src=haproxy.cfg dest=/etc/haproxy/haproxy.cfg
+ notify: restart haproxy
+
+- name: set haproxy enable flag
+ lineinfile: dest=/etc/default/haproxy state=present
+ regexp="ENABLED=*"
+ line="ENABLED=1"
+ notify: restart haproxy
+
+- name: set haproxy log
+ lineinfile: dest=/etc/rsyslog.conf state=present
+ regexp="local0.* /var/log/haproxy.log"
+ line="local0.* /var/log/haproxy.log"
+
+- name: set rsyslog udp module
+ lineinfile: dest=/etc/rsyslog.conf state=present
+ regexp="^#$ModLoad imudp"
+ line="$ModLoad imudp"
+
+- name: set rsyslog udp port
+ lineinfile: dest=/etc/rsyslog.conf state=present
+ regexp="^#$UDPServerRun 514"
+ line="$UDPServerRun 514"
+
+- name: copy galera_chk file
+ copy: src=galera_chk dest=/usr/local/bin/galera_chk mode=0777
+
+- name: copy notify file
+ copy: src=notify.sh dest=/usr/local/bin/notify.sh mode=0777
+
+- name: copy notify template file
+ template: src=failover.j2 dest=/usr/local/bin/failover.py mode=0777
+
+- name: add network service
+ lineinfile: dest=/etc/services state=present
+ line="mysqlchk 9200/tcp"
+ insertafter="Local services"
+ notify: restart xinetd
+
+- name: copy mysqlchk file
+ copy: src=mysqlchk dest=/etc/xinetd.d/mysqlchk mode=0777
+ notify: restart xinetd
+
+- name: set keepalived start param
+ lineinfile: dest=/etc/default/keepalived state=present
+ regexp="^DAEMON_ARGS=*"
+ line="DAEMON_ARGS=\"-D -d -S 1\""
+
+- name: set keepalived log
+ lineinfile: dest=/etc/rsyslog.conf state=present
+ regexp="local1.* /var/log/keepalived.log"
+ line="local1.* /var/log/keepalived.log"
+
+- name: update keepalived info
+ template: src=keepalived.conf dest=/etc/keepalived/keepalived.conf
+ notify: restart keepalived
+
+- name: restart rsyslog
+ shell: service rsyslog restart
diff --git a/compass/deploy/ansible/roles/ha/templates/failover.j2 b/compass/deploy/ansible/roles/ha/templates/failover.j2
new file mode 100644
index 0000000..b03c737
--- /dev/null
+++ b/compass/deploy/ansible/roles/ha/templates/failover.j2
@@ -0,0 +1,65 @@
+import ConfigParser, os, socket
+import logging as LOG
+import pxssh
+import sys
+import re
+
+LOG_FILE="/var/log/mysql_failover"
+try:
+ os.remove(LOG_FILE)
+except:
+ pass
+
+LOG.basicConfig(format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p', filename=LOG_FILE,level=LOG.DEBUG)
+ha_vip = {{ HA_VIP }}
+LOG.info("ha_vip: %s" % ha_vip)
+
+#ha_vip = "10.1.0.50"
+galera_path = '/etc/mysql/conf.d/wsrep.cnf'
+pattern = re.compile(r"gcomm://(?P<prev_ip>.*)")
+
+def ssh_get_hostname(ip):
+ try:
+ s = pxssh.pxssh()
+ s.login("%s" % ip, "root", "root")
+ s.sendline('hostname') # run a command
+ s.prompt() # match the prompt
+ result = s.before.strip() # print everything before the prompt.
+ return result.split(os.linesep)[1]
+ except pxssh.ExceptionPxssh as e:
+ LOG.error("pxssh failed on login.")
+ raise
+
+def failover(mode):
+ config = ConfigParser.ConfigParser()
+ config.optionxform = str
+ config.readfp(open(galera_path))
+ wsrep_cluster_address = config.get("mysqld", "wsrep_cluster_address")
+ wsrep_cluster_address = pattern.match(wsrep_cluster_address).groupdict()["prev_ip"]
+
+ LOG.info("old wsrep_cluster_address = %s" % wsrep_cluster_address)
+
+ if mode == "master":
+ # refresh wsrep_cluster_address to null
+ LOG.info("I'm being master, set wsrep_cluster_address to null")
+ wsrep_cluster_address = ""
+
+ elif mode == "backup":
+ # refresh wsrep_cluster_address to master int ip
+ hostname = ssh_get_hostname(ha_vip)
+ wsrep_cluster_address = socket.gethostbyname(hostname)
+ LOG.info("I'm being slave, set wsrep_cluster_address to master internal ip")
+
+ LOG.info("new wsrep_cluster_address = %s" % wsrep_cluster_address)
+ wsrep_cluster_address = "gcomm://%s" % wsrep_cluster_address
+ config.set("mysqld", "wsrep_cluster_address", wsrep_cluster_address)
+ with open(galera_path, 'wb') as fp:
+ #config.write(sys.stdout)
+ config.write(fp)
+
+ os.system("service mysql restart")
+ LOG.info("failover success!!!")
+
+if __name__ == "__main__":
+ LOG.debug("call me: %s" % sys.argv)
+ failover(sys.argv[1])
diff --git a/compass/deploy/ansible/roles/ha/templates/haproxy.cfg b/compass/deploy/ansible/roles/ha/templates/haproxy.cfg
new file mode 100644
index 0000000..4ed528a
--- /dev/null
+++ b/compass/deploy/ansible/roles/ha/templates/haproxy.cfg
@@ -0,0 +1,133 @@
+
+global
+ #chroot /var/run/haproxy
+ daemon
+ user haproxy
+ group haproxy
+ maxconn 4000
+ pidfile /var/run/haproxy/haproxy.pid
+ #log 127.0.0.1 local0
+ tune.bufsize 1000000
+ stats socket /var/run/haproxy.sock
+ stats timeout 2m
+
+defaults
+ log global
+ maxconn 8000
+ option redispatch
+ option dontlognull
+ option splice-auto
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 6m
+ timeout server 6m
+ timeout check 10s
+ retries 5
+
+listen proxy-glance_registry_cluster
+ bind {{ HA_VIP }}:9191
+ option tcpka
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:9191 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-glance_api_cluster
+ bind {{ HA_VIP }}:9292
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:9292 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-nova-novncproxy
+ bind {{ HA_VIP }}:6080
+ option tcpka
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:6080 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-network
+ bind {{ HA_VIP }}:9696
+ option tcpka
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:9696 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-volume
+ bind {{ HA_VIP }}:8776
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:8776 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-keystone_admin_cluster
+ bind {{ HA_VIP }}:35357
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:35357 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-keystone_public_internal_cluster
+ bind {{ HA_VIP }}:5000
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:5000 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-nova_compute_api_cluster
+ bind {{ HA_VIP }}:8774
+ mode tcp
+ option httpchk
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:8774 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-nova_metadata_api_cluster
+ bind {{ HA_VIP }}:8775
+ option tcpka
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:8775 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-cinder_api_cluster
+ bind {{ HA_VIP }}:8776
+ mode tcp
+ option httpchk
+ option tcplog
+ balance source
+{% for host in groups['controller'] %}
+ server {{ host }} {{ hostvars[host]['ansible_' + INTERNAL_INTERFACE].ipv4.address }}:8776 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen stats
+ mode http
+ bind 0.0.0.0:8888
+ stats enable
+ stats refresh 30s
+ stats uri /
+ stats realm Global\ statistics
+ stats auth admin:admin
+
+
diff --git a/compass/deploy/ansible/roles/ha/templates/keepalived.conf b/compass/deploy/ansible/roles/ha/templates/keepalived.conf
new file mode 100644
index 0000000..0b49137
--- /dev/null
+++ b/compass/deploy/ansible/roles/ha/templates/keepalived.conf
@@ -0,0 +1,42 @@
+global_defs {
+
+ notification_email{
+ root@huawei.com
+ }
+
+ notification_email_from keepalived@huawei.com
+
+ smtp_server localhost
+
+ smtp_connect_timeout 30
+
+ router_id NodeA
+
+}
+
+vrrp_instance VI_1 {
+
+ interface {{ INTERNAL_INTERFACE }}
+ virtual_router_id 51
+ state BACKUP
+ nopreempt
+ advert_int 1
+{% for host in groups['controller'] %}
+{% if host == inventory_hostname %}
+ priority {{ 100 - loop.index0 * 5 }}
+{% endif %}
+{% endfor %}
+
+ authentication {
+ auth_type PASS
+ auth_pass 1111
+ }
+
+ virtual_ipaddress {
+ {{ HA_VIP }} dev {{ INTERNAL_INTERFACE }}
+ }
+
+ notify_master "/usr/local/bin/notify.sh master"
+ notify_backup "/usr/local/bin/notify.sh backup"
+}
+
diff --git a/compass/deploy/ansible/roles/keystone/tasks/keystone_config.yml b/compass/deploy/ansible/roles/keystone/tasks/keystone_config.yml
new file mode 100644
index 0000000..3203b26
--- /dev/null
+++ b/compass/deploy/ansible/roles/keystone/tasks/keystone_config.yml
@@ -0,0 +1,16 @@
+---
+- name: keystone-manage db-sync
+ shell: su -s /bin/sh -c "keystone-manage db_sync"
+ register: result
+ until: result.rc == 0
+ retries: 5
+ delay: 3
+
+- name: place keystone init script under /opt/
+ template: src=keystone_init dest=/opt/keystone_init mode=0744
+
+- name: run keystone_init
+ shell: /opt/keystone_init && touch keystone_init_complete || keystone_init_failed
+ args:
+ creates: keystone_init_complete
+
diff --git a/compass/deploy/ansible/roles/keystone/tasks/keystone_install.yml b/compass/deploy/ansible/roles/keystone/tasks/keystone_install.yml
new file mode 100644
index 0000000..e69c069
--- /dev/null
+++ b/compass/deploy/ansible/roles/keystone/tasks/keystone_install.yml
@@ -0,0 +1,29 @@
+---
+- name: install keystone packages
+ apt: name=keystone state=present force=yes
+
+- name: generate keystone service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - keystone
+
+- name: update keystone conf
+ template: src=keystone.conf dest=/etc/keystone/keystone.conf backup=yes
+
+- name: delete sqlite database
+ shell: rm /var/lib/keystone/keystone.db || echo sqllite database already removed
+
+- name: cron job to purge expired tokens hourly
+ shell: (crontab -l -u keystone 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush > /var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/crontabs/keystone
+
+- name: modify keystone cron rights
+ file: path=/var/spool/cron/crontabs/keystone mode=0600
+
+- name: keystone source files
+ template: src={{ item }} dest=/opt/{{ item }}
+ with_items:
+ - admin-openrc.sh
+ - demo-openrc.sh
+
+- name: manually start keystone
+ service: name=keystone state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/keystone/tasks/main.yml b/compass/deploy/ansible/roles/keystone/tasks/main.yml
new file mode 100644
index 0000000..2f36e91
--- /dev/null
+++ b/compass/deploy/ansible/roles/keystone/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- include: keystone_install.yml
+ tags:
+ - install
+ - keystone_install
+ - keystone
+
+- include: keystone_config.yml
+ when: HA_CLUSTER is not defined or HA_CLUSTER[inventory_hostname] == ''
+ tags:
+ - config
+ - keystone_config
+ - keystone
diff --git a/compass/deploy/ansible/roles/keystone/templates/admin-openrc.sh b/compass/deploy/ansible/roles/keystone/templates/admin-openrc.sh
new file mode 100644
index 0000000..f2e0d61
--- /dev/null
+++ b/compass/deploy/ansible/roles/keystone/templates/admin-openrc.sh
@@ -0,0 +1,6 @@
+# Verify the Identity Service installation
+export OS_PASSWORD={{ ADMIN_PASS }}
+export OS_TENANT_NAME=admin
+export OS_AUTH_URL=http://{{ HA_VIP }}:35357/v2.0
+export OS_USERNAME=ADMIN
+
diff --git a/compass/deploy/ansible/roles/keystone/templates/demo-openrc.sh b/compass/deploy/ansible/roles/keystone/templates/demo-openrc.sh
new file mode 100644
index 0000000..8bdc51b
--- /dev/null
+++ b/compass/deploy/ansible/roles/keystone/templates/demo-openrc.sh
@@ -0,0 +1,5 @@
+export OS_USERNAME=demo
+export OS_PASSWORD={{ DEMO_PASS }}
+export OS_TENANT_NAME=demo
+export OS_AUTH_URL=http://{{ HA_VIP }}:35357/v2.0
+
diff --git a/compass/deploy/ansible/roles/keystone/templates/keystone.conf b/compass/deploy/ansible/roles/keystone/templates/keystone.conf
new file mode 100644
index 0000000..fc8bf1f
--- /dev/null
+++ b/compass/deploy/ansible/roles/keystone/templates/keystone.conf
@@ -0,0 +1,1317 @@
+[DEFAULT]
+
+admin_token={{ ADMIN_TOKEN }}
+
+public_bind_host= {{ identity_host }}
+
+admin_bind_host= {{ identity_host }}
+
+#compute_port=8774
+
+#admin_port=35357
+
+#public_port=5000
+
+# The base public endpoint URL for keystone that are
+# advertised to clients (NOTE: this does NOT affect how
+# keystone listens for connections) (string value).
+# Defaults to the base host URL of the request. Eg a
+# request to http://server:5000/v2.0/users will
+# default to http://server:5000. You should only need
+# to set this value if the base URL contains a path
+# (eg /prefix/v2.0) or the endpoint should be found on
+# a different server.
+#public_endpoint=http://localhost:%(public_port)s/
+
+# The base admin endpoint URL for keystone that are advertised
+# to clients (NOTE: this does NOT affect how keystone listens
+# for connections) (string value).
+# Defaults to the base host URL of the request. Eg a
+# request to http://server:35357/v2.0/users will
+# default to http://server:35357. You should only need
+# to set this value if the base URL contains a path
+# (eg /prefix/v2.0) or the endpoint should be found on
+# a different server.
+#admin_endpoint=http://localhost:%(admin_port)s/
+
+# onready allows you to send a notification when the process
+# is ready to serve For example, to have it notify using
+# systemd, one could set shell command: "onready = systemd-
+# notify --ready" or a module with notify() method: "onready =
+# keystone.common.systemd". (string value)
+#onready=<None>
+
+# enforced by optional sizelimit middleware
+# (keystone.middleware:RequestBodySizeLimiter). (integer
+# value)
+#max_request_body_size=114688
+
+# limit the sizes of user & tenant ID/names. (integer value)
+#max_param_size=64
+
+# similar to max_param_size, but provides an exception for
+# token values. (integer value)
+#max_token_size=8192
+
+# During a SQL upgrade member_role_id will be used to create a
+# new role that will replace records in the
+# user_tenant_membership table with explicit role grants.
+# After migration, the member_role_id will be used in the API
+# add_user_to_project. (string value)
+#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab
+
+# During a SQL upgrade member_role_id will be used to create a
+# new role that will replace records in the
+# user_tenant_membership table with explicit role grants.
+# After migration, member_role_name will be ignored. (string
+# value)
+#member_role_name=_member_
+
+# The value passed as the keyword "rounds" to passlib encrypt
+# method. (integer value)
+#crypt_strength=40000
+
+# Set this to True if you want to enable TCP_KEEPALIVE on
+# server sockets i.e. sockets used by the keystone wsgi server
+# for client connections. (boolean value)
+#tcp_keepalive=false
+
+# Sets the value of TCP_KEEPIDLE in seconds for each server
+# socket. Only applies if tcp_keepalive is True. Not supported
+# on OS X. (integer value)
+#tcp_keepidle=600
+
+# The maximum number of entities that will be returned in a
+# collection can be set with list_limit, with no limit set by
+# default. This global limit may be then overridden for a
+# specific driver, by specifying a list_limit in the
+# appropriate section (e.g. [assignment]). (integer value)
+#list_limit=<None>
+
+# Set this to false if you want to enable the ability for
+# user, group and project entities to be moved between domains
+# by updating their domain_id. Allowing such movement is not
+# recommended if the scope of a domain admin is being
+# restricted by use of an appropriate policy file (see
+# policy.v3cloudsample as an example). (boolean value)
+#domain_id_immutable=true
+
+
+#
+# Options defined in oslo.messaging
+#
+
+# Use durable queues in amqp. (boolean value)
+# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
+#amqp_durable_queues=false
+
+# Auto-delete queues in amqp. (boolean value)
+#amqp_auto_delete=false
+
+# Size of RPC connection pool. (integer value)
+#rpc_conn_pool_size=30
+
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call. (list value)
+#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions
+# Qpid broker hostname. (string value)
+#qpid_hostname=localhost
+
+# Qpid broker port. (integer value)
+#qpid_port=5672
+
+# Qpid HA cluster host:port pairs. (list value)
+#qpid_hosts=$qpid_hostname:$qpid_port
+
+# Username for Qpid connection. (string value)
+#qpid_username=
+
+# Password for Qpid connection. (string value)
+#qpid_password=
+
+# Space separated list of SASL mechanisms to use for auth.
+# (string value)
+#qpid_sasl_mechanisms=
+
+# Seconds between connection keepalive heartbeats. (integer
+# value)
+#qpid_heartbeat=60
+
+# Transport to use, either 'tcp' or 'ssl'. (string value)
+#qpid_protocol=tcp
+
+# Whether to disable the Nagle algorithm. (boolean value)
+#qpid_tcp_nodelay=true
+
+# The qpid topology version to use. Version 1 is what was
+# originally used by impl_qpid. Version 2 includes some
+# backwards-incompatible changes that allow broker federation
+# to work. Users should update to version 2 when they are
+# able to take everything down, as it requires a clean break.
+# (integer value)
+#qpid_topology_version=1
+
+# SSL version to use (valid only if SSL enabled). valid values
+# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
+# distributions. (string value)
+#kombu_ssl_version=
+
+# SSL key file (valid only if SSL enabled). (string value)
+#kombu_ssl_keyfile=
+
+# SSL cert file (valid only if SSL enabled). (string value)
+#kombu_ssl_certfile=
+
+# SSL certification authority file (valid only if SSL
+# enabled). (string value)
+#kombu_ssl_ca_certs=
+
+# How long to wait before reconnecting in response to an AMQP
+# consumer cancel notification. (floating point value)
+#kombu_reconnect_delay=1.0
+
+# The RabbitMQ broker address where a single node is used.
+# (string value)
+#rabbit_host=localhost
+
+# The RabbitMQ broker port where a single node is used.
+# (integer value)
+#rabbit_port=5672
+
+# RabbitMQ HA cluster host:port pairs. (list value)
+#rabbit_hosts=$rabbit_host:$rabbit_port
+
+# Connect over SSL for RabbitMQ. (boolean value)
+#rabbit_use_ssl=false
+
+# The RabbitMQ userid. (string value)
+rabbit_userid={{ RABBIT_USER }}
+
+# The RabbitMQ password. (string value)
+rabbit_password={{ RABBIT_PASS }}
+
+# the RabbitMQ login method (string value)
+#rabbit_login_method=AMQPLAIN
+
+# The RabbitMQ virtual host. (string value)
+#rabbit_virtual_host=/
+
+# How frequently to retry connecting with RabbitMQ. (integer
+# value)
+#rabbit_retry_interval=1
+
+# How long to backoff for between retries when connecting to
+# RabbitMQ. (integer value)
+#rabbit_retry_backoff=2
+
+# Maximum number of RabbitMQ connection retries. Default is 0
+# (infinite retry count). (integer value)
+#rabbit_max_retries=0
+
+# Use HA queues in RabbitMQ (x-ha-policy: all). If you change
+# this option, you must wipe the RabbitMQ database. (boolean
+# value)
+#rabbit_ha_queues=false
+
+# If passed, use a fake RabbitMQ provider. (boolean value)
+#fake_rabbit=false
+
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet
+# interface, or IP. The "host" option should point or resolve
+# to this address. (string value)
+#rpc_zmq_bind_address=*
+
+# MatchMaker driver. (string value)
+#rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost
+
+# ZeroMQ receiver listening port. (integer value)
+#rpc_zmq_port=9501
+
+# Number of ZeroMQ contexts, defaults to 1. (integer value)
+#rpc_zmq_contexts=1
+
+# Maximum number of ingress messages to locally buffer per
+# topic. Default is unlimited. (integer value)
+#rpc_zmq_topic_backlog=<None>
+
+# Directory for holding IPC sockets. (string value)
+#rpc_zmq_ipc_dir=/var/run/openstack
+
+# Name of this node. Must be a valid hostname, FQDN, or IP
+# address. Must match "host" option, if running Nova. (string
+# value)
+#rpc_zmq_host=keystone
+
+# Seconds to wait before a cast expires (TTL). Only supported
+# by impl_zmq. (integer value)
+#rpc_cast_timeout=30
+
+# Heartbeat frequency. (integer value)
+#matchmaker_heartbeat_freq=300
+
+# Heartbeat time-to-live. (integer value)
+#matchmaker_heartbeat_ttl=600
+
+# Host to locate redis. (string value)
+#host=127.0.0.1
+
+# Use this port to connect to redis host. (integer value)
+#port=6379
+
+# Password for Redis server (optional). (string value)
+#password=<None>
+
+# Size of RPC greenthread pool. (integer value)
+#rpc_thread_pool_size=64
+
+# Driver or drivers to handle sending notifications. (multi
+# valued)
+#notification_driver=
+
+# AMQP topic used for OpenStack notifications. (list value)
+# Deprecated group/name - [rpc_notifier2]/topics
+#notification_topics=notifications
+
+# Seconds to wait for a response from a call. (integer value)
+#rpc_response_timeout=60
+
+# A URL representing the messaging driver to use and its full
+# configuration. If not set, we fall back to the rpc_backend
+# option and driver specific configuration. (string value)
+#transport_url=<None>
+
+# The messaging driver to use, defaults to rabbit. Other
+# drivers include qpid and zmq. (string value)
+#rpc_backend=rabbit
+
+# The default exchange under which topics are scoped. May be
+# overridden by an exchange name specified in the
+# transport_url option. (string value)
+#control_exchange=openstack
+
+
+#
+# Options defined in keystone.notifications
+#
+
+# Default publisher_id for outgoing notifications (string
+# value)
+#default_publisher_id=<None>
+
+
+#
+# Options defined in keystone.middleware.ec2_token
+#
+
+# URL to get token from ec2 request. (string value)
+#keystone_ec2_url=http://localhost:5000/v2.0/ec2tokens
+
+# Required if EC2 server requires client certificate. (string
+# value)
+#keystone_ec2_keyfile=<None>
+
+# Client certificate key filename. Required if EC2 server
+# requires client certificate. (string value)
+#keystone_ec2_certfile=<None>
+
+# A PEM encoded certificate authority to use when verifying
+# HTTPS connections. Defaults to the system CAs. (string
+# value)
+#keystone_ec2_cafile=<None>
+
+# Disable SSL certificate verification. (boolean value)
+#keystone_ec2_insecure=false
+
+
+#
+# Options defined in keystone.openstack.common.eventlet_backdoor
+#
+
+# Enable eventlet backdoor. Acceptable values are 0, <port>,
+# and <start>:<end>, where 0 results in listening on a random
+# tcp port number; <port> results in listening on the
+# specified port number (and not enabling backdoor if that
+# port is in use); and <start>:<end> results in listening on
+# the smallest unused port number within the specified range
+# of port numbers. The chosen port is displayed in the
+# service's log file. (string value)
+#backdoor_port=<None>
+
+
+#
+# Options defined in keystone.openstack.common.lockutils
+#
+
+# Whether to disable inter-process locks (boolean value)
+#disable_process_locking=false
+
+# Directory to use for lock files. (string value)
+#lock_path=<None>
+
+
+#
+# Options defined in keystone.openstack.common.log
+#
+
+# Print debugging output (set logging level to DEBUG instead
+# of default WARNING level). (boolean value)
+debug={{ DEBUG }}
+
+# Print more verbose output (set logging level to INFO instead
+# of default WARNING level). (boolean value)
+verbose={{ VERBOSE }}
+
+# Log output to standard error (boolean value)
+#use_stderr=true
+
+# Format string to use for log messages with context (string
+# value)
+#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages without context
+# (string value)
+#logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Data to append to log format when level is DEBUG (string
+# value)
+#logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format
+# (string value)
+#logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
+
+# List of logger=LEVEL pairs (list value)
+#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN
+
+# Publish error events (boolean value)
+#publish_errors=false
+
+# Make deprecations fatal (boolean value)
+#fatal_deprecations=false
+
+# If an instance is passed with the log message, format it
+# like this (string value)
+#instance_format="[instance: %(uuid)s] "
+
+# If an instance UUID is passed with the log message, format
+# it like this (string value)
+#instance_uuid_format="[instance: %(uuid)s] "
+
+# The name of logging configuration file. It does not disable
+# existing loggers, but just appends specified logging
+# configuration to any other existing logging options. Please
+# see the Python logging module documentation for details on
+# logging configuration files. (string value)
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append=<None>
+
+# DEPRECATED. A logging.Formatter log message format string
+# which may use any of the available logging.LogRecord
+# attributes. This option is deprecated. Please use
+# logging_context_format_string and
+# logging_default_format_string instead. (string value)
+#log_format=<None>
+
+# Format string for %%(asctime)s in log records. Default:
+# %(default)s (string value)
+#log_date_format=%Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to output to. If no default is
+# set, logging will go to stdout. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+#log_file=<None>
+
+# (Optional) The base directory used for relative --log-file
+# paths (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+log_dir = /var/log/keystone
+
+# Use syslog for logging. Existing syslog format is DEPRECATED
+# during I, and then will be changed in J to honor RFC5424
+# (boolean value)
+#use_syslog=false
+
+# (Optional) Use syslog rfc5424 format for logging. If
+# enabled, will add APP-NAME (RFC5424) before the MSG part of
+# the syslog message. The old format without APP-NAME is
+# deprecated in I, and will be removed in J. (boolean value)
+#use_syslog_rfc_format=false
+
+# Syslog facility to receive log lines (string value)
+#syslog_log_facility=LOG_USER
+
+
+#
+# Options defined in keystone.openstack.common.policy
+#
+
+# JSON file containing policy (string value)
+#policy_file=policy.json
+
+# Rule enforced when requested rule is not found (string
+# value)
+#policy_default_rule=default
+
+
+[assignment]
+
+#
+# Options defined in keystone
+#
+
+# Keystone Assignment backend driver. (string value)
+#driver=<None>
+
+# Toggle for assignment caching. This has no effect unless
+# global caching is enabled. (boolean value)
+#caching=true
+
+# TTL (in seconds) to cache assignment data. This has no
+# effect unless global caching is enabled. (integer value)
+#cache_time=<None>
+
+# Maximum number of entities that will be returned in an
+# assignment collection. (integer value)
+#list_limit=<None>
+
+
+[auth]
+
+#
+# Options defined in keystone
+#
+
+# Default auth methods. (list value)
+#methods=external,password,token
+
+# The password auth plugin module. (string value)
+#password=keystone.auth.plugins.password.Password
+
+# The token auth plugin module. (string value)
+#token=keystone.auth.plugins.token.Token
+
+# The external (REMOTE_USER) auth plugin module. (string
+# value)
+#external=keystone.auth.plugins.external.DefaultDomain
+
+
+[cache]
+
+#
+# Options defined in keystone
+#
+
+# Prefix for building the configuration dictionary for the
+# cache region. This should not need to be changed unless
+# there is another dogpile.cache region with the same
+# configuration name. (string value)
+#config_prefix=cache.keystone
+
+# Default TTL, in seconds, for any cached item in the
+# dogpile.cache region. This applies to any cached method that
+# doesn't have an explicit cache expiration time defined for
+# it. (integer value)
+#expiration_time=600
+
+# Dogpile.cache backend module. It is recommended that
+# Memcache (dogpile.cache.memcache) or Redis
+# (dogpile.cache.redis) be used in production deployments.
+# Small workloads (single process) like devstack can use the
+# dogpile.cache.memory backend. (string value)
+#backend=keystone.common.cache.noop
+
+# Use a key-mangling function (sha1) to ensure fixed length
+# cache-keys. This is toggle-able for debugging purposes, it
+# is highly recommended to always leave this set to True.
+# (boolean value)
+#use_key_mangler=true
+
+# Arguments supplied to the backend module. Specify this
+# option once per argument to be passed to the dogpile.cache
+# backend. Example format: "<argname>:<value>". (multi valued)
+#backend_argument=
+
+# Proxy Classes to import that will affect the way the
+# dogpile.cache backend functions. See the dogpile.cache
+# documentation on changing-backend-behavior. Comma delimited
+# list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2.
+# (list value)
+#proxies=
+
+# Global toggle for all caching using the should_cache_fn
+# mechanism. (boolean value)
+#enabled=false
+
+# Extra debugging from the cache backend (cache keys,
+# get/set/delete/etc calls) This is only really useful if you
+# need to see the specific cache-backend get/set/delete calls
+# with the keys/values. Typically this should be left set to
+# False. (boolean value)
+#debug_cache_backend=false
+
+
+[catalog]
+
+#
+# Options defined in keystone
+#
+
+# Catalog template file name for use with the template catalog
+# backend. (string value)
+#template_file=default_catalog.templates
+
+# Keystone catalog backend driver. (string value)
+#driver=keystone.catalog.backends.sql.Catalog
+
+# Maximum number of entities that will be returned in a
+# catalog collection. (integer value)
+#list_limit=<None>
+
+
+[credential]
+
+#
+# Options defined in keystone
+#
+
+# Keystone Credential backend driver. (string value)
+#driver=keystone.credential.backends.sql.Credential
+
+
+[database]
+
+#
+# Options defined in keystone.openstack.common.db.options
+#
+
+# The file name to use with SQLite (string value)
+#sqlite_db=keystone.sqlite
+
+# If True, SQLite uses synchronous mode (boolean value)
+#sqlite_synchronous=true
+
+# The backend to use for db (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
+#backend=sqlalchemy
+
+# The SQLAlchemy connection string used to connect to the
+# database (string value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
+#connection=<None>
+connection = mysql://keystone:{{ KEYSTONE_DBPASS }}@{{ db_host }}/keystone
+
+# The SQL mode to be used for MySQL sessions. This option,
+# including the default, overrides any server-set SQL mode. To
+# use whatever SQL mode is set by the server configuration,
+# set this to no value. Example: mysql_sql_mode= (string
+# value)
+#mysql_sql_mode=TRADITIONAL
+
+# Timeout before idle sql connections are reaped (integer
+# value)
+# Deprecated group/name - [DEFAULT]/sql_idle_timeout
+# Deprecated group/name - [DATABASE]/sql_idle_timeout
+# Deprecated group/name - [sql]/idle_timeout
+#idle_timeout=3600
+
+# Minimum number of SQL connections to keep open in a pool
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_min_pool_size
+# Deprecated group/name - [DATABASE]/sql_min_pool_size
+#min_pool_size=1
+
+# Maximum number of SQL connections to keep open in a pool
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_pool_size
+# Deprecated group/name - [DATABASE]/sql_max_pool_size
+#max_pool_size=<None>
+
+# Maximum db connection retries during startup. (setting -1
+# implies an infinite retry count) (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
+#max_retries=10
+
+# Interval between retries of opening a sql connection
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
+#retry_interval=10
+
+# If set, use this value for max_overflow with sqlalchemy
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
+#max_overflow=<None>
+
+# Verbosity of SQL debugging information. 0=None,
+# 100=Everything (integer value)
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
+#connection_debug=0
+
+# Add python stack traces to SQL as comment strings (boolean
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
+#connection_trace=false
+
+# If set, use this value for pool_timeout with sqlalchemy
+# (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
+#pool_timeout=<None>
+
+# Enable the experimental use of database reconnect on
+# connection lost (boolean value)
+#use_db_reconnect=false
+
+# seconds between db connection retries (integer value)
+#db_retry_interval=1
+
+# Whether to increase interval between db connection retries,
+# up to db_max_retry_interval (boolean value)
+#db_inc_retry_interval=true
+
+# max seconds between db connection retries, if
+# db_inc_retry_interval is enabled (integer value)
+#db_max_retry_interval=10
+
+# maximum db connection retries before error is raised.
+# (setting -1 implies an infinite retry count) (integer value)
+#db_max_retries=20
+
+
+[ec2]
+
+#
+# Options defined in keystone
+#
+
+# Keystone EC2Credential backend driver. (string value)
+#driver=keystone.contrib.ec2.backends.kvs.Ec2
+
+
+[endpoint_filter]
+
+#
+# Options defined in keystone
+#
+
+# Keystone Endpoint Filter backend driver (string value)
+#driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
+
+# Toggle to return all active endpoints if no filter exists.
+# (boolean value)
+#return_all_endpoints_if_no_filter=true
+
+
+[federation]
+
+#
+# Options defined in keystone
+#
+
+# Keystone Federation backend driver. (string value)
+#driver=keystone.contrib.federation.backends.sql.Federation
+
+# Value to be used when filtering assertion parameters from
+# the environment. (string value)
+#assertion_prefix=
+
+
+[identity]
+
+#
+# Options defined in keystone
+#
+
+# This references the domain to use for all Identity API v2
+# requests (which are not aware of domains). A domain with
+# this ID will be created for you by keystone-manage db_sync
+# in migration 008. The domain referenced by this ID cannot
+# be deleted on the v3 API, to prevent accidentally breaking
+# the v2 API. There is nothing special about this domain,
+# other than the fact that it must exist to order to maintain
+# support for your v2 clients. (string value)
+#default_domain_id=default
+
+# A subset (or all) of domains can have their own identity
+# driver, each with their own partial configuration file in a
+# domain configuration directory. Only values specific to the
+# domain need to be placed in the domain specific
+# configuration file. This feature is disabled by default; set
+# to True to enable. (boolean value)
+#domain_specific_drivers_enabled=false
+
+# Path for Keystone to locate the domain specificidentity
+# configuration files if domain_specific_drivers_enabled is
+# set to true. (string value)
+#domain_config_dir=/etc/keystone/domains
+
+# Keystone Identity backend driver. (string value)
+#driver=keystone.identity.backends.sql.Identity
+
+# Maximum supported length for user passwords; decrease to
+# improve performance. (integer value)
+#max_password_length=4096
+
+# Maximum number of entities that will be returned in an
+# identity collection. (integer value)
+#list_limit=<None>
+
+
+[kvs]
+
+#
+# Options defined in keystone
+#
+
+# Extra dogpile.cache backend modules to register with the
+# dogpile.cache library. (list value)
+#backends=
+
+# Prefix for building the configuration dictionary for the KVS
+# region. This should not need to be changed unless there is
+# another dogpile.cache region with the same configuration
+# name. (string value)
+#config_prefix=keystone.kvs
+
+# Toggle to disable using a key-mangling function to ensure
+# fixed length keys. This is toggle-able for debugging
+# purposes, it is highly recommended to always leave this set
+# to True. (boolean value)
+#enable_key_mangler=true
+
+# Default lock timeout for distributed locking. (integer
+# value)
+#default_lock_timeout=5
+
+
+[ldap]
+
+#
+# Options defined in keystone
+#
+
+# URL for connecting to the LDAP server. (string value)
+#url=ldap://localhost
+
+# User BindDN to query the LDAP server. (string value)
+#user=<None>
+
+# Password for the BindDN to query the LDAP server. (string
+# value)
+#password=<None>
+
+# LDAP server suffix (string value)
+#suffix=cn=example,cn=com
+
+# If true, will add a dummy member to groups. This is required
+# if the objectclass for groups requires the "member"
+# attribute. (boolean value)
+#use_dumb_member=false
+
+# DN of the "dummy member" to use when "use_dumb_member" is
+# enabled. (string value)
+#dumb_member=cn=dumb,dc=nonexistent
+
+# allow deleting subtrees. (boolean value)
+#allow_subtree_delete=false
+
+# The LDAP scope for queries, this can be either "one"
+# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).
+# (string value)
+#query_scope=one
+
+# Maximum results per page; a value of zero ("0") disables
+# paging. (integer value)
+#page_size=0
+
+# The LDAP dereferencing option for queries. This can be
+# either "never", "searching", "always", "finding" or
+# "default". The "default" option falls back to using default
+# dereferencing configured by your ldap.conf. (string value)
+#alias_dereferencing=default
+
+# Override the system's default referral chasing behavior for
+# queries. (boolean value)
+#chase_referrals=<None>
+
+# Search base for users. (string value)
+#user_tree_dn=<None>
+
+# LDAP search filter for users. (string value)
+#user_filter=<None>
+
+# LDAP objectClass for users. (string value)
+#user_objectclass=inetOrgPerson
+
+# LDAP attribute mapped to user id. (string value)
+#user_id_attribute=cn
+
+# LDAP attribute mapped to user name. (string value)
+#user_name_attribute=sn
+
+# LDAP attribute mapped to user email. (string value)
+#user_mail_attribute=email
+
+# LDAP attribute mapped to password. (string value)
+#user_pass_attribute=userPassword
+
+# LDAP attribute mapped to user enabled flag. (string value)
+#user_enabled_attribute=enabled
+
+# Bitmask integer to indicate the bit that the enabled value
+# is stored in if the LDAP server represents "enabled" as a
+# bit on an integer rather than a boolean. A value of "0"
+# indicates the mask is not used. If this is not set to "0"
+# the typical value is "2". This is typically used when
+# "user_enabled_attribute = userAccountControl". (integer
+# value)
+#user_enabled_mask=0
+
+# Default value to enable users. This should match an
+# appropriate int value if the LDAP server uses non-boolean
+# (bitmask) values to indicate if a user is enabled or
+# disabled. If this is not set to "True"the typical value is
+# "512". This is typically used when "user_enabled_attribute =
+# userAccountControl". (string value)
+#user_enabled_default=True
+
+# List of attributes stripped off the user on update. (list
+# value)
+#user_attribute_ignore=default_project_id,tenants
+
+# LDAP attribute mapped to default_project_id for users.
+# (string value)
+#user_default_project_id_attribute=<None>
+
+# Allow user creation in LDAP backend. (boolean value)
+#user_allow_create=true
+
+# Allow user updates in LDAP backend. (boolean value)
+#user_allow_update=true
+
+# Allow user deletion in LDAP backend. (boolean value)
+#user_allow_delete=true
+
+# If True, Keystone uses an alternative method to determine if
+# a user is enabled or not by checking if they are a member of
+# the "user_enabled_emulation_dn" group. (boolean value)
+#user_enabled_emulation=false
+
+# DN of the group entry to hold enabled users when using
+# enabled emulation. (string value)
+#user_enabled_emulation_dn=<None>
+
+# List of additional LDAP attributes used for mapping
+# Additional attribute mappings for users. Attribute mapping
+# format is <ldap_attr>:<user_attr>, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+#user_additional_attribute_mapping=
+
+# Search base for projects (string value)
+#tenant_tree_dn=<None>
+
+# LDAP search filter for projects. (string value)
+#tenant_filter=<None>
+
+# LDAP objectClass for projects. (string value)
+#tenant_objectclass=groupOfNames
+
+# LDAP attribute mapped to project id. (string value)
+#tenant_id_attribute=cn
+
+# LDAP attribute mapped to project membership for user.
+# (string value)
+#tenant_member_attribute=member
+
+# LDAP attribute mapped to project name. (string value)
+#tenant_name_attribute=ou
+
+# LDAP attribute mapped to project description. (string value)
+#tenant_desc_attribute=description
+
+# LDAP attribute mapped to project enabled. (string value)
+#tenant_enabled_attribute=enabled
+
+# LDAP attribute mapped to project domain_id. (string value)
+#tenant_domain_id_attribute=businessCategory
+
+# List of attributes stripped off the project on update. (list
+# value)
+#tenant_attribute_ignore=
+
+# Allow tenant creation in LDAP backend. (boolean value)
+#tenant_allow_create=true
+
+# Allow tenant update in LDAP backend. (boolean value)
+#tenant_allow_update=true
+
+# Allow tenant deletion in LDAP backend. (boolean value)
+#tenant_allow_delete=true
+
+# If True, Keystone uses an alternative method to determine if
+# a project is enabled or not by checking if they are a member
+# of the "tenant_enabled_emulation_dn" group. (boolean value)
+#tenant_enabled_emulation=false
+
+# DN of the group entry to hold enabled projects when using
+# enabled emulation. (string value)
+#tenant_enabled_emulation_dn=<None>
+
+# Additional attribute mappings for projects. Attribute
+# mapping format is <ldap_attr>:<user_attr>, where ldap_attr
+# is the attribute in the LDAP entry and user_attr is the
+# Identity API attribute. (list value)
+#tenant_additional_attribute_mapping=
+
+# Search base for roles. (string value)
+#role_tree_dn=<None>
+
+# LDAP search filter for roles. (string value)
+#role_filter=<None>
+
+# LDAP objectClass for roles. (string value)
+#role_objectclass=organizationalRole
+
+# LDAP attribute mapped to role id. (string value)
+#role_id_attribute=cn
+
+# LDAP attribute mapped to role name. (string value)
+#role_name_attribute=ou
+
+# LDAP attribute mapped to role membership. (string value)
+#role_member_attribute=roleOccupant
+
+# List of attributes stripped off the role on update. (list
+# value)
+#role_attribute_ignore=
+
+# Allow role creation in LDAP backend. (boolean value)
+#role_allow_create=true
+
+# Allow role update in LDAP backend. (boolean value)
+#role_allow_update=true
+
+# Allow role deletion in LDAP backend. (boolean value)
+#role_allow_delete=true
+
+# Additional attribute mappings for roles. Attribute mapping
+# format is <ldap_attr>:<user_attr>, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+#role_additional_attribute_mapping=
+
+# Search base for groups. (string value)
+#group_tree_dn=<None>
+
+# LDAP search filter for groups. (string value)
+#group_filter=<None>
+
+# LDAP objectClass for groups. (string value)
+#group_objectclass=groupOfNames
+
+# LDAP attribute mapped to group id. (string value)
+#group_id_attribute=cn
+
+# LDAP attribute mapped to group name. (string value)
+#group_name_attribute=ou
+
+# LDAP attribute mapped to show group membership. (string
+# value)
+#group_member_attribute=member
+
+# LDAP attribute mapped to group description. (string value)
+#group_desc_attribute=description
+
+# List of attributes stripped off the group on update. (list
+# value)
+#group_attribute_ignore=
+
+# Allow group creation in LDAP backend. (boolean value)
+#group_allow_create=true
+
+# Allow group update in LDAP backend. (boolean value)
+#group_allow_update=true
+
+# Allow group deletion in LDAP backend. (boolean value)
+#group_allow_delete=true
+
+# Additional attribute mappings for groups. Attribute mapping
+# format is <ldap_attr>:<user_attr>, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+#group_additional_attribute_mapping=
+
+# CA certificate file path for communicating with LDAP
+# servers. (string value)
+#tls_cacertfile=<None>
+
+# CA certificate directory path for communicating with LDAP
+# servers. (string value)
+#tls_cacertdir=<None>
+
+# Enable TLS for communicating with LDAP servers. (boolean
+# value)
+#use_tls=false
+
+# valid options for tls_req_cert are demand, never, and allow.
+# (string value)
+#tls_req_cert=demand
+
+
+[matchmaker_ring]
+
+#
+# Options defined in oslo.messaging
+#
+
+# Matchmaker ring file (JSON). (string value)
+# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
+#ringfile=/etc/oslo/matchmaker_ring.json
+
+
+[memcache]
+
+#
+# Options defined in keystone
+#
+
+# Memcache servers in the format of "host:port" (list value)
+#servers=localhost:11211
+
+# Number of compare-and-set attempts to make when using
+# compare-and-set in the token memcache back end. (integer
+# value)
+#max_compare_and_set_retry=16
+
+
+[oauth1]
+
+#
+# Options defined in keystone
+#
+
+# Keystone Credential backend driver. (string value)
+#driver=keystone.contrib.oauth1.backends.sql.OAuth1
+
+# Duration (in seconds) for the OAuth Request Token. (integer
+# value)
+#request_token_duration=28800
+
+# Duration (in seconds) for the OAuth Access Token. (integer
+# value)
+#access_token_duration=86400
+
+
+[os_inherit]
+
+#
+# Options defined in keystone
+#
+
+# role-assignment inheritance to projects from owning domain
+# can be optionally enabled. (boolean value)
+#enabled=false
+
+
+[paste_deploy]
+
+#
+# Options defined in keystone
+#
+
+# Name of the paste configuration file that defines the
+# available pipelines. (string value)
+#config_file=keystone-paste.ini
+
+
+[policy]
+
+#
+# Options defined in keystone
+#
+
+# Keystone Policy backend driver. (string value)
+#driver=keystone.policy.backends.sql.Policy
+
+# Maximum number of entities that will be returned in a policy
+# collection. (integer value)
+#list_limit=<None>
+
+
+[revoke]
+
+#
+# Options defined in keystone
+#
+
+# An implementation of the backend for persisting revocation
+# events. (string value)
+#driver=keystone.contrib.revoke.backends.kvs.Revoke
+
+# This value (calculated in seconds) is added to token
+# expiration before a revocation event may be removed from the
+# backend. (integer value)
+#expiration_buffer=1800
+
+# Toggle for revocation event cacheing. This has no effect
+# unless global caching is enabled. (boolean value)
+#caching=true
+
+
+[signing]
+
+#
+# Options defined in keystone
+#
+
+# Deprecated in favor of provider in the [token] section.
+# (string value)
+#token_format=<None>
+
+# Path of the certfile for token signing. (string value)
+#certfile=/etc/keystone/ssl/certs/signing_cert.pem
+
+# Path of the keyfile for token signing. (string value)
+#keyfile=/etc/keystone/ssl/private/signing_key.pem
+
+# Path of the CA for token signing. (string value)
+#ca_certs=/etc/keystone/ssl/certs/ca.pem
+
+# Path of the CA Key for token signing. (string value)
+#ca_key=/etc/keystone/ssl/private/cakey.pem
+
+# Key Size (in bits) for token signing cert (auto generated
+# certificate). (integer value)
+#key_size=2048
+
+# Day the token signing cert is valid for (auto generated
+# certificate). (integer value)
+#valid_days=3650
+
+# Certificate Subject (auto generated certificate) for token
+# signing. (string value)
+#cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
+
+
+[ssl]
+
+#
+# Options defined in keystone
+#
+
+# Toggle for SSL support on the keystone eventlet servers.
+# (boolean value)
+#enable=false
+
+# Path of the certfile for SSL. (string value)
+#certfile=/etc/keystone/ssl/certs/keystone.pem
+
+# Path of the keyfile for SSL. (string value)
+#keyfile=/etc/keystone/ssl/private/keystonekey.pem
+
+# Path of the ca cert file for SSL. (string value)
+#ca_certs=/etc/keystone/ssl/certs/ca.pem
+
+# Path of the CA key file for SSL. (string value)
+#ca_key=/etc/keystone/ssl/private/cakey.pem
+
+# Require client certificate. (boolean value)
+#cert_required=false
+
+# SSL Key Length (in bits) (auto generated certificate).
+# (integer value)
+#key_size=1024
+
+# Days the certificate is valid for once signed (auto
+# generated certificate). (integer value)
+#valid_days=3650
+
+# SSL Certificate Subject (auto generated certificate).
+# (string value)
+#cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
+
+
+[stats]
+
+#
+# Options defined in keystone
+#
+
+# Keystone stats backend driver. (string value)
+#driver=keystone.contrib.stats.backends.kvs.Stats
+
+
+[token]
+
+#
+# Options defined in keystone
+#
+
+# External auth mechanisms that should add bind information to
+# token e.g. kerberos, x509. (list value)
+#bind=
+
+# Enforcement policy on tokens presented to keystone with bind
+# information. One of disabled, permissive, strict, required
+# or a specifically required bind mode e.g. kerberos or x509
+# to require binding to that authentication. (string value)
+#enforce_token_bind=permissive
+
+# Amount of time a token should remain valid (in seconds).
+# (integer value)
+#expiration=3600
+
+# Controls the token construction, validation, and revocation
+# operations. Core providers are
+# "keystone.token.providers.[pki|uuid].Provider". (string
+# value)
+provider=keystone.token.providers.uuid.Provider
+
+# Keystone Token persistence backend driver. (string value)
+driver=keystone.token.persistence.backends.sql.Token
+
+# Toggle for token system cacheing. This has no effect unless
+# global caching is enabled. (boolean value)
+#caching=true
+
+# Time to cache the revocation list and the revocation events
+# if revoke extension is enabled (in seconds). This has no
+# effect unless global and token caching are enabled. (integer
+# value)
+revocation_cache_time=3600
+
+# Time to cache tokens (in seconds). This has no effect unless
+# global and token caching are enabled. (integer value)
+#cache_time=<None>
+
+# Revoke token by token identifier. Setting revoke_by_id to
+# True enables various forms of enumerating tokens, e.g. `list
+# tokens for user`. These enumerations are processed to
+# determine the list of tokens to revoke. Only disable if
+# you are switching to using the Revoke extension with a
+# backend other than KVS, which stores events in memory.
+# (boolean value)
+#revoke_by_id=true
+
+
+[trust]
+
+#
+# Options defined in keystone
+#
+
+# delegation and impersonation features can be optionally
+# disabled. (boolean value)
+#enabled=true
+
+# Keystone Trust backend driver. (string value)
+#driver=keystone.trust.backends.sql.Trust
+
+
+[extra_headers]
+Distribution = Ubuntu
+
diff --git a/compass/deploy/ansible/roles/keystone/templates/keystone_init b/compass/deploy/ansible/roles/keystone/templates/keystone_init
new file mode 100644
index 0000000..729669b
--- /dev/null
+++ b/compass/deploy/ansible/roles/keystone/templates/keystone_init
@@ -0,0 +1,43 @@
+# create an administrative user
+
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-create --name=admin --pass={{ ADMIN_PASS }} --email=admin@admin.com
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 role-create --name=admin
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-create --name=admin --pass={{ ADMIN_PASS }} --email=admin@admin.com
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 tenant-create --name=admin --description="Admin Tenant"
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-role-add --user=admin --tenant=admin --role=admin
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-role-add --user=admin --role=_member_ --tenant=admin
+
+# create a normal user
+
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-create --name=demo --pass={{ DEMO_PASS }} --email=DEMO_EMAIL
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 tenant-create --name=demo --description="Demo Tenant"
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-role-add --user=demo --role=_member_ --tenant=demo
+
+# create a service tenant
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 tenant-create --name=service --description="Service Tenant"
+
+# regist keystone
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-create --name=keystone --type=identity --description="OpenStack Identity"
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 endpoint-create --service_id=$(keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-list | awk '/ identity / {print $2}') --publicurl=http://{{ HA_VIP }}:5000/v2.0 --internalurl=http://{{ HA_VIP }}:5000/v2.0 --adminurl=http://{{ HA_VIP }}:35357/v2.0
+
+# Create a glance user that the Image Service can use to authenticate with the Identity service
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-create --name=glance --pass={{ GLANCE_PASS }} --email=glance@example.com
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-role-add --user=glance --tenant=service --role=admin
+
+#Register the Image Service with the Identity service so that other OpenStack services can locate it
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-create --name=glance --type=image --description="OpenStack Image Service"
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 endpoint-create --service-id=$(keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-list | awk '/ image / {print $2}') --publicurl=http://{{ HA_VIP }}:9292 --internalurl=http://{{ HA_VIP }}:9292 --adminurl=http://{{ HA_VIP }}:9292
+
+#Create a nova user that Compute uses to authenticate with the Identity Service
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-create --name=nova --pass={{ NOVA_PASS }} --email=nova@example.com
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-role-add --user=nova --tenant=service --role=admin
+
+# register Compute with the Identity Service so that other OpenStack services can locate it
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-create --name=nova --type=compute --description="OpenStack Compute"
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 endpoint-create --service-id=$(keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-list | awk '/ compute / {print $2}') --publicurl=http://{{ HA_VIP }}:8774/v2/%\(tenant_id\)s --internalurl=http://{{ HA_VIP }}:8774/v2/%\(tenant_id\)s --adminurl=http://{{ HA_VIP }}:8774/v2/%\(tenant_id\)s
+
+# register netron user, role and service
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-create --name neutron --pass {{ NEUTRON_PASS }} --email neutron@example.com
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 user-role-add --user neutron --tenant service --role admin
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-create --name neutron --type network --description "OpenStack Networking"
+keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 endpoint-create --service-id $(keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 service-list | awk '/ network / {print $2}') --publicurl http://{{ HA_VIP }}:9696 --adminurl http://{{ HA_VIP }}:9696 --internalurl http://{{ HA_VIP }}:9696
diff --git a/compass/deploy/ansible/roles/monitor/files/check_service.sh b/compass/deploy/ansible/roles/monitor/files/check_service.sh
new file mode 100644
index 0000000..d309673
--- /dev/null
+++ b/compass/deploy/ansible/roles/monitor/files/check_service.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+services=`cat /opt/service | uniq`
+for service in $services; do
+ if [ `/sbin/initctl list|awk '/stop\/waiting/{print $1}'|uniq | grep $service` ]; then
+ /sbin/start $service
+ fi
+done
diff --git a/compass/deploy/ansible/roles/monitor/files/root b/compass/deploy/ansible/roles/monitor/files/root
new file mode 100644
index 0000000..9c55c4f
--- /dev/null
+++ b/compass/deploy/ansible/roles/monitor/files/root
@@ -0,0 +1 @@
+* * * * * /usr/local/bin/check_service.sh >> /var/log/check_service.log 2>&1
diff --git a/compass/deploy/ansible/roles/monitor/tasks/main.yml b/compass/deploy/ansible/roles/monitor/tasks/main.yml
new file mode 100644
index 0000000..e5b93f3
--- /dev/null
+++ b/compass/deploy/ansible/roles/monitor/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: copy service check file
+ copy: src=check_service.sh dest=/usr/local/bin/check_service.sh mode=0777
+
+- name: copy cron file
+ copy: src=root dest=/var/spool/cron/crontabs/root mode=0600
+
+- name: restart cron
+ service: name=cron state=restarted
+
+
diff --git a/compass/deploy/ansible/roles/mq/tasks/main.yml b/compass/deploy/ansible/roles/mq/tasks/main.yml
new file mode 100644
index 0000000..4ae4065
--- /dev/null
+++ b/compass/deploy/ansible/roles/mq/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- include: rabbitmq.yml
+
+#- include: rabbitmq_cluster.yml
+# when: HA_CLUSTER is defined
diff --git a/compass/deploy/ansible/roles/mq/tasks/rabbitmq.yml b/compass/deploy/ansible/roles/mq/tasks/rabbitmq.yml
new file mode 100644
index 0000000..5714406
--- /dev/null
+++ b/compass/deploy/ansible/roles/mq/tasks/rabbitmq.yml
@@ -0,0 +1,45 @@
+---
+- name: create rabbitmq directory
+ file: path=/etc/rabbitmq state=directory mode=0755
+
+- name: copy rabbitmq config file
+ template: src=rabbitmq-env.conf dest=/etc/rabbitmq/rabbitmq-env.conf mode=0755
+
+- name: install rabbitmq-server
+ apt: name=rabbitmq-server state=present
+
+- name: stop rabbitmq-server
+ service: name=rabbitmq-server
+ state=stopped
+
+- name: update .erlang.cookie
+ template: src=.erlang.cookie dest=/var/lib/rabbitmq/.erlang.cookie
+ group=rabbitmq
+ owner=rabbitmq
+ mode=0400
+ when: ERLANG_TOKEN is defined
+
+- name: start and enable rabbitmq-server
+ service: name=rabbitmq-server
+ state=started
+ enabled=yes
+
+- name: generate mq service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - rabbitmq-server
+
+- name: modify rabbitmq password
+ command: rabbitmqctl change_password guest {{ RABBIT_PASS }}
+ when: "RABBIT_USER is defined and RABBIT_USER == 'guest'"
+ ignore_errors: True
+
+- name: add rabbitmq user
+ command: rabbitmqctl add_user {{ RABBIT_USER }} {{ RABBIT_PASS }}
+ when: "RABBIT_USER is defined and RABBIT_USER != 'guest'"
+ ignore_errors: True
+
+- name: set rabbitmq user permission
+ command: rabbitmqctl set_permissions -p / {{ RABBIT_USER }} ".*" ".*" ".*"
+ when: "RABBIT_USER is defined and RABBIT_USER != 'guest'"
+
diff --git a/compass/deploy/ansible/roles/mq/tasks/rabbitmq_cluster.yml b/compass/deploy/ansible/roles/mq/tasks/rabbitmq_cluster.yml
new file mode 100644
index 0000000..afd4c77
--- /dev/null
+++ b/compass/deploy/ansible/roles/mq/tasks/rabbitmq_cluster.yml
@@ -0,0 +1,27 @@
+---
+- name: stop rabbitmq app
+ command: rabbitmqctl stop_app
+ when: HA_CLUSTER[inventory_hostname] != ''
+
+- name: rabbitmqctl reset
+ command: rabbitmqctl reset
+ when: HA_CLUSTER[inventory_hostname] != ''
+
+- name: stop rabbitmq
+ shell: rabbitmqctl stop
+
+- name: set detach
+ shell: rabbitmq-server -detached
+
+- name: join cluster
+ command: rabbitmqctl join_cluster rabbit@{{ item }}
+ when: item != inventory_hostname and HA_CLUSTER[item] == ''
+ with_items:
+ groups['controller']
+
+- name: start rabbitmq app
+ command: rabbitmqctl start_app
+
+- name: set the HA policy
+ rabbitmq_policy: name=ha-all pattern='^(?!amq\.).*' tags="ha-mode=all"
+
diff --git a/compass/deploy/ansible/roles/mq/templates/rabbitmq-env.conf b/compass/deploy/ansible/roles/mq/templates/rabbitmq-env.conf
new file mode 100644
index 0000000..6dd7349
--- /dev/null
+++ b/compass/deploy/ansible/roles/mq/templates/rabbitmq-env.conf
@@ -0,0 +1 @@
+RABBITMQ_NODE_IP_ADDRESS={{ HA_VIP }}
diff --git a/compass/deploy/ansible/roles/neutron-common/handlers/main.yml b/compass/deploy/ansible/roles/neutron-common/handlers/main.yml
new file mode 100644
index 0000000..36d779d
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-common/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+- name: restart neutron-plugin-openvswitch-agent
+ service: name=neutron-plugin-openvswitch-agent state=restarted enabled=yes
+ when: "'opendaylight' not in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: restart neutron-l3-agent
+ service: name=neutron-l3-agent state=restarted enabled=yes
+
+- name: restart neutron-dhcp-agent
+ service: name=neutron-dhcp-agent state=restarted enabled=yes
+
+- name: restart neutron-metadata-agent
+ service: name=neutron-metadata-agent state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/neutron-compute/defaults/main.yml b/compass/deploy/ansible/roles/neutron-compute/defaults/main.yml
new file mode 100644
index 0000000..825178b
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+neutron_ovs_bridge_mappings: ""
diff --git a/compass/deploy/ansible/roles/neutron-compute/handlers/main.yml b/compass/deploy/ansible/roles/neutron-compute/handlers/main.yml
new file mode 100644
index 0000000..36d779d
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+- name: restart neutron-plugin-openvswitch-agent
+ service: name=neutron-plugin-openvswitch-agent state=restarted enabled=yes
+ when: "'opendaylight' not in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: restart neutron-l3-agent
+ service: name=neutron-l3-agent state=restarted enabled=yes
+
+- name: restart neutron-dhcp-agent
+ service: name=neutron-dhcp-agent state=restarted enabled=yes
+
+- name: restart neutron-metadata-agent
+ service: name=neutron-metadata-agent state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/neutron-compute/tasks/main.yml b/compass/deploy/ansible/roles/neutron-compute/tasks/main.yml
new file mode 100644
index 0000000..93ee46f
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/tasks/main.yml
@@ -0,0 +1,55 @@
+---
+
+- name: activate ipv4 forwarding
+ sysctl: name=net.ipv4.ip_forward value=1
+ state=present reload=yes
+
+- name: deactivate ipv4 rp filter
+ sysctl: name=net.ipv4.conf.all.rp_filter value=0
+ state=present reload=yes
+
+- name: deactivate ipv4 default rp filter
+ sysctl: name=net.ipv4.conf.default.rp_filter
+ value=0 state=present reload=yes
+
+- name: install compute-related neutron packages
+ apt: name={{ item }} state=present force=yes
+ with_items:
+ - neutron-common
+ - neutron-plugin-ml2
+ - openvswitch-datapath-dkms
+ - openvswitch-switch
+
+- name: generate neutron computer service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - neutron-plugin-openvswitch-agent
+
+- name: install neutron openvswitch agent
+ apt: name=neutron-plugin-openvswitch-agent
+ state=present force=yes
+ when: "'opendaylight' not in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: config neutron
+ template: src=neutron-network.conf
+ dest=/etc/neutron/neutron.conf backup=yes
+ notify:
+ - restart neutron-plugin-openvswitch-agent
+
+- name: config ml2 plugin
+ template: src=ml2_conf.ini
+ dest=/etc/neutron/plugins/ml2/ml2_conf.ini
+ backup=yes
+ notify:
+ - restart neutron-plugin-openvswitch-agent
+
+- name: add br-int
+ openvswitch_bridge: bridge=br-int state=present
+ notify:
+ - restart neutron-plugin-openvswitch-agent
+ - restart nova-compute
+
+- include: ../../neutron-network/tasks/odl.yml
+ when: "'opendaylight' in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- meta: flush_handlers
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/dhcp_agent.ini b/compass/deploy/ansible/roles/neutron-compute/templates/dhcp_agent.ini
new file mode 100644
index 0000000..19eb62e
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/dhcp_agent.ini
@@ -0,0 +1,90 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+# debug = False
+verbose = True
+
+# The DHCP agent will resync its state with Neutron to recover from any
+# transient notification or rpc errors. The interval is number of
+# seconds between attempts.
+resync_interval = 5
+
+# The DHCP agent requires an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+
+# Example of interface_driver option for OVS based plugins(OVS, Ryu, NEC, NVP,
+# BigSwitch/Floodlight)
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+# Name of Open vSwitch bridge to use
+# ovs_integration_bridge = br-int
+
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+ovs_use_veth = False
+
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+
+# The agent can use other DHCP drivers. Dnsmasq is the simplest and requires
+# no additional setup of the DHCP server.
+dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
+
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+
+# The DHCP server can assist with providing metadata support on isolated
+# networks. Setting this value to True will cause the DHCP server to append
+# specific host routes to the DHCP request. The metadata service will only
+# be activated when the subnet does not contain any router port. The guest
+# instance must be configured to request host routes via DHCP (Option 121).
+enable_isolated_metadata = False
+
+# Allows for serving metadata requests coming from a dedicated metadata
+# access network whose cidr is 169.254.169.254/16 (or larger prefix), and
+# is connected to a Neutron router from which the VMs send metadata
+# request. In this case DHCP Option 121 will not be injected in VMs, as
+# they will be able to reach 169.254.169.254 through a router.
+# This option requires enable_isolated_metadata = True
+enable_metadata_network = False
+
+# Number of threads to use during sync process. Should not exceed connection
+# pool size configured on server.
+# num_sync_threads = 4
+
+# Location to store DHCP server config files
+# dhcp_confs = $state_path/dhcp
+
+# Domain to use for building the hostnames
+dhcp_domain = openstacklocal
+
+# Override the default dnsmasq settings with this file
+# dnsmasq_config_file =
+dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
+
+# Comma-separated list of DNS servers which will be used by dnsmasq
+# as forwarders.
+# dnsmasq_dns_servers =
+
+# Limit number of leases to prevent a denial-of-service.
+dnsmasq_lease_max = 16777216
+
+# Location to DHCP lease relay UNIX domain socket
+# dhcp_lease_relay_socket = $state_path/dhcp/lease_relay
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# dhcp_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the dhcp agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a dhcp server is disabled.
+# dhcp_delete_namespaces = False
+
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/dnsmasq-neutron.conf b/compass/deploy/ansible/roles/neutron-compute/templates/dnsmasq-neutron.conf
new file mode 100644
index 0000000..7bcbd9d
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/dnsmasq-neutron.conf
@@ -0,0 +1,2 @@
+dhcp-option-force=26,1454
+
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/etc/xorp/config.boot b/compass/deploy/ansible/roles/neutron-compute/templates/etc/xorp/config.boot
new file mode 100644
index 0000000..32caf96
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/etc/xorp/config.boot
@@ -0,0 +1,25 @@
+interfaces {
+ restore-original-config-on-shutdown: false
+ interface {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ description: "Internal pNodes interface"
+ disable: false
+ default-system-config
+ }
+}
+
+protocols {
+ igmp {
+ disable: false
+ interface {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ vif {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ disable: false
+ version: 3
+ }
+ }
+ traceoptions {
+ flag all {
+ disable: false
+ }
+ }
+ }
+}
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/l3_agent.ini b/compass/deploy/ansible/roles/neutron-compute/templates/l3_agent.ini
new file mode 100644
index 0000000..b394c00
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/l3_agent.ini
@@ -0,0 +1,81 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+# debug = False
+verbose = True
+
+# L3 requires that an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+
+# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC)
+# that supports L3 agent
+# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+# ovs_use_veth = False
+
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+
+# If use_namespaces is set as False then the agent can only configure one router.
+
+# This is done by setting the specific router_id.
+# router_id =
+
+# When external_network_bridge is set, each L3 agent can be associated
+# with no more than one external network. This value should be set to the UUID
+# of that external network. To allow L3 agent support multiple external
+# networks, both the external_network_bridge and gateway_external_network_id
+# must be left empty.
+# gateway_external_network_id =
+
+# Indicates that this L3 agent should also handle routers that do not have
+# an external network gateway configured. This option should be True only
+# for a single agent in a Neutron deployment, and may be False for all agents
+# if all routers must have an external network gateway
+handle_internal_only_routers = True
+
+# Name of bridge used for external network traffic. This should be set to
+# empty value for the linux bridge. when this parameter is set, each L3 agent
+# can be associated with no more than one external network.
+external_network_bridge = br-ex
+
+# TCP Port used by Neutron metadata server
+metadata_port = 9697
+
+# Send this many gratuitous ARPs for HA setup. Set it below or equal to 0
+# to disable this feature.
+send_arp_for_ha = 3
+
+# seconds between re-sync routers' data if needed
+periodic_interval = 40
+
+# seconds to start to sync routers' data after
+# starting agent
+periodic_fuzzy_delay = 5
+
+# enable_metadata_proxy, which is true by default, can be set to False
+# if the Nova metadata server is not available
+# enable_metadata_proxy = True
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# router_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the L3 agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a router is destroyed.
+# router_delete_namespaces = False
+
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/metadata_agent.ini b/compass/deploy/ansible/roles/neutron-compute/templates/metadata_agent.ini
new file mode 100644
index 0000000..6badf28
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/metadata_agent.ini
@@ -0,0 +1,46 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+debug = True
+
+# The Neutron user information for accessing the Neutron API.
+auth_url = http://{{ HA_VIP }}:5000/v2.0
+auth_region = RegionOne
+# Turn off verification of the certificate for ssl
+# auth_insecure = False
+# Certificate Authority public key (CA cert) file for ssl
+# auth_ca_cert =
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+
+# Network service endpoint type to pull from the keystone catalog
+# endpoint_type = adminURL
+
+# IP address used by Nova metadata server
+nova_metadata_ip = {{ HA_VIP }}
+
+# TCP Port used by Nova metadata server
+nova_metadata_port = 8775
+
+# When proxying metadata requests, Neutron signs the Instance-ID header with a
+# shared secret to prevent spoofing. You may select any string for a secret,
+# but it must match here and in the configuration used by the Nova Metadata
+# Server. NOTE: Nova uses a different key: neutron_metadata_proxy_shared_secret
+metadata_proxy_shared_secret = {{ METADATA_SECRET }}
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# Number of separate worker processes for metadata server
+# metadata_workers = 0
+
+# Number of backlog requests to configure the metadata server socket with
+# metadata_backlog = 128
+
+# URL to connect to the cache backend.
+# Example of URL using memory caching backend
+# with ttl set to 5 seconds: cache_url = memory://?default_ttl=5
+# default_ttl=0 parameter will cause cache entries to never expire.
+# Otherwise default_ttl specifies time in seconds a cache entry is valid for.
+# No cache is used in case no value is passed.
+# cache_url =
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/ml2_conf.ini b/compass/deploy/ansible/roles/neutron-compute/templates/ml2_conf.ini
new file mode 100644
index 0000000..a790069
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/ml2_conf.ini
@@ -0,0 +1,108 @@
+[ml2]
+# (ListOpt) List of network type driver entrypoints to be loaded from
+# the neutron.ml2.type_drivers namespace.
+#
+# type_drivers = local,flat,vlan,gre,vxlan
+# Example: type_drivers = flat,vlan,gre,vxlan
+type_drivers = {{ NEUTRON_TYPE_DRIVERS |join(",") }}
+
+# (ListOpt) Ordered list of network_types to allocate as tenant
+# networks. The default value 'local' is useful for single-box testing
+# but provides no connectivity between hosts.
+#
+# tenant_network_types = local
+# Example: tenant_network_types = vlan,gre,vxlan
+tenant_network_types = {{ NEUTRON_TENANT_NETWORK_TYPES |join(",") }}
+
+# (ListOpt) Ordered list of networking mechanism driver entrypoints
+# to be loaded from the neutron.ml2.mechanism_drivers namespace.
+# mechanism_drivers =
+# Example: mechanism_drivers = openvswitch,mlnx
+# Example: mechanism_drivers = arista
+# Example: mechanism_drivers = cisco,logger
+# Example: mechanism_drivers = openvswitch,brocade
+# Example: mechanism_drivers = linuxbridge,brocade
+mechanism_drivers = {{ NEUTRON_MECHANISM_DRIVERS |join(",") }}
+
+[ml2_type_flat]
+# (ListOpt) List of physical_network names with which flat networks
+# can be created. Use * to allow flat networks with arbitrary
+# physical_network names.
+#
+flat_networks = external
+# Example:flat_networks = physnet1,physnet2
+# Example:flat_networks = *
+
+[ml2_type_vlan]
+# (ListOpt) List of <physical_network>[:<vlan_min>:<vlan_max>] tuples
+# specifying physical_network names usable for VLAN provider and
+# tenant networks, as well as ranges of VLAN tags on each
+# physical_network available for allocation as tenant networks.
+#
+network_vlan_ranges =
+# Example: network_vlan_ranges = physnet1:1000:2999,physnet2
+
+[ml2_type_gre]
+# (ListOpt) Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation
+tunnel_id_ranges = 1:1000
+
+[ml2_type_vxlan]
+# (ListOpt) Comma-separated list of <vni_min>:<vni_max> tuples enumerating
+# ranges of VXLAN VNI IDs that are available for tenant network allocation.
+#
+vni_ranges = 1001:4095
+
+# (StrOpt) Multicast group for the VXLAN interface. When configured, will
+# enable sending all broadcast traffic to this multicast group. When left
+# unconfigured, will disable multicast VXLAN mode.
+#
+vxlan_group = 239.1.1.1
+# Example: vxlan_group = 239.1.1.1
+
+[securitygroup]
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+enable_security_group = True
+
+[database]
+connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron?charset=utf8
+
+[ovs]
+local_ip = {{ internal_ip }}
+{% if 'openvswitch' in NEUTRON_MECHANISM_DRIVERS %}
+integration_bridge = br-int
+tunnel_bridge = br-tun
+tunnel_id_ranges = 1001:4095
+tunnel_type = {{ NEUTRON_TUNNEL_TYPES |join(",") }}
+bridge_mappings = {{ neutron_ovs_bridge_mappings | default("external:br-ex") }}
+{% endif %}
+
+[agent]
+root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
+tunnel_types = {{ NEUTRON_TUNNEL_TYPES |join(",") }}
+{% if 'vxlan' in NEUTRON_TUNNEL_TYPES %}
+vxlan_udp_port = 4789
+{% endif %}
+l2_population = False
+
+[odl]
+{% if 'opendaylight' in NEUTRON_MECHANISM_DRIVERS %}
+network_vlan_ranges = 1001:4095
+tunnel_id_ranges = 1001:4095
+tun_peer_patch_port = patch-int
+int_peer_patch_port = patch-tun
+tenant_network_type = vxlan
+tunnel_bridge = br-tun
+integration_bridge = br-int
+controllers = 10.1.0.15:8080:admin:admin
+{% endif %}
+
+[ml2_odl]
+{% if 'opendaylight' in NEUTRON_MECHANISM_DRIVERS %}
+username = {{ odl_username }}
+password = {{ odl_password }}
+url = http://{{ controller }}:{{ odl_api_port }}/controller/nb/v2/neutron
+{% endif %}
+
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/neutron-network.conf b/compass/deploy/ansible/roles/neutron-compute/templates/neutron-network.conf
new file mode 100644
index 0000000..93be9cb
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/neutron-network.conf
@@ -0,0 +1,465 @@
+[DEFAULT]
+# Print more verbose output (set logging level to INFO instead of default WARNING level).
+verbose = {{ VERBOSE }}
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING level).
+debug = {{ DEBUG }}
+
+# Where to store Neutron state files. This directory must be writable by the
+# user executing the agent.
+state_path = /var/lib/neutron
+
+# Where to store lock files
+lock_path = $state_path/lock
+
+# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
+# log_date_format = %Y-%m-%d %H:%M:%S
+
+# use_syslog -> syslog
+# log_file and log_dir -> log_dir/log_file
+# (not log_file) and log_dir -> log_dir/{binary_name}.log
+# use_stderr -> stderr
+# (not user_stderr) and (not log_file) -> stdout
+# publish_errors -> notification system
+
+# use_syslog = False
+# syslog_log_facility = LOG_USER
+
+# use_stderr = True
+# log_file =
+log_dir = /var/log/neutron
+
+# publish_errors = False
+
+# Address to bind the API server to
+bind_host = {{ network_server_host }}
+
+# Port the bind the API server to
+bind_port = 9696
+
+# Path to the extensions. Note that this can be a colon-separated list of
+# paths. For example:
+# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
+# The __path__ of neutron.extensions is appended to this, so if your
+# extensions are in there you don't need to specify them here
+# api_extensions_path =
+
+# (StrOpt) Neutron core plugin entrypoint to be loaded from the
+# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
+# plugins included in the neutron source distribution. For compatibility with
+# previous versions, the class name of a plugin can be specified instead of its
+# entrypoint name.
+#
+#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
+core_plugin = ml2
+# Example: core_plugin = ml2
+
+# (ListOpt) List of service plugin entrypoints to be loaded from the
+# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
+# the plugins included in the neutron source distribution. For compatibility
+# with previous versions, the class name of a plugin can be specified instead
+# of its entrypoint name.
+#
+# service_plugins =
+# Example: service_plugins = router,firewall,lbaas,vpnaas,metering
+service_plugins = router
+
+# Paste configuration file
+api_paste_config = api-paste.ini
+
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+auth_strategy = keystone
+
+# Base MAC address. The first 3 octets will remain unchanged. If the
+# 4h octet is not 00, it will also be used. The others will be
+# randomly generated.
+# 3 octet
+# base_mac = fa:16:3e:00:00:00
+# 4 octet
+# base_mac = fa:16:3e:4f:00:00
+
+# Maximum amount of retries to generate a unique MAC address
+# mac_generation_retries = 16
+
+# DHCP Lease duration (in seconds)
+dhcp_lease_duration = 86400
+
+# Allow sending resource operation notification to DHCP agent
+# dhcp_agent_notification = True
+
+# Enable or disable bulk create/update/delete operations
+# allow_bulk = True
+# Enable or disable pagination
+# allow_pagination = False
+# Enable or disable sorting
+# allow_sorting = False
+# Enable or disable overlapping IPs for subnets
+# Attention: the following parameter MUST be set to False if Neutron is
+# being used in conjunction with nova security groups
+allow_overlapping_ips = True
+# Ensure that configured gateway is on subnet
+# force_gateway_on_subnet = False
+
+
+# RPC configuration options. Defined in rpc __init__
+# The messaging module to use, defaults to kombu.
+# rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_password = {{ RABBIT_PASS }}
+
+# Size of RPC thread pool
+rpc_thread_pool_size = 240
+# Size of RPC connection pool
+rpc_conn_pool_size = 100
+# Seconds to wait for a response from call or multicall
+rpc_response_timeout = 300
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+rpc_cast_timeout = 300
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call.
+# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception
+# AMQP exchange to connect to if using RabbitMQ or QPID
+# control_exchange = neutron
+
+# If passed, use a fake RabbitMQ provider
+# fake_rabbit = False
+
+# Configuration options if sending notifications via kombu rpc (these are
+# the defaults)
+# SSL version to use (valid only if SSL enabled)
+# kombu_ssl_version =
+# SSL key file (valid only if SSL enabled)
+# kombu_ssl_keyfile =
+# SSL cert file (valid only if SSL enabled)
+# kombu_ssl_certfile =
+# SSL certification authority file (valid only if SSL enabled)
+# kombu_ssl_ca_certs =
+# Port where RabbitMQ server is running/listening
+rabbit_port = 5672
+# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port'
+# rabbit_hosts = localhost:5672
+# User ID used for RabbitMQ connections
+rabbit_userid = {{ RABBIT_USER }}
+# Location of a virtual RabbitMQ installation.
+# rabbit_virtual_host = /
+# Maximum retries with trying to connect to RabbitMQ
+# (the default of 0 implies an infinite retry count)
+# rabbit_max_retries = 0
+# RabbitMQ connection retry interval
+# rabbit_retry_interval = 1
+# Use HA queues in RabbitMQ (x-ha-policy: all). You need to
+# wipe RabbitMQ database when changing this option. (boolean value)
+# rabbit_ha_queues = false
+# QPID
+# rpc_backend=neutron.openstack.common.rpc.impl_qpid
+# Qpid broker hostname
+# qpid_hostname = localhost
+# Qpid broker port
+# qpid_port = 5672
+# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port'
+# qpid_hosts = localhost:5672
+# Username for qpid connection
+# qpid_username = ''
+# Password for qpid connection
+# qpid_password = ''
+# Space separated list of SASL mechanisms to use for auth
+# qpid_sasl_mechanisms = ''
+# Seconds between connection keepalive heartbeats
+# qpid_heartbeat = 60
+# Transport to use, either 'tcp' or 'ssl'
+# qpid_protocol = tcp
+# Disable Nagle algorithm
+# qpid_tcp_nodelay = True
+
+# ZMQ
+# rpc_backend=neutron.openstack.common.rpc.impl_zmq
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
+# The "host" option should point or resolve to this address.
+# rpc_zmq_bind_address = *
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when network/subnet/port are created, updated or deleted.
+# There are three methods of sending notifications: logging (via the
+# log_file directive), rpc (via a message queue) and
+# noop (no notifications sent, the default)
+
+# Notification_driver can be defined multiple times
+# Do nothing driver
+# notification_driver = neutron.openstack.common.notifier.no_op_notifier
+# Logging driver
+# notification_driver = neutron.openstack.common.notifier.log_notifier
+# RPC driver.
+notification_driver = neutron.openstack.common.notifier.rpc_notifier
+
+# default_notification_level is used to form actual topic name(s) or to set logging level
+default_notification_level = INFO
+
+# default_publisher_id is a part of the notification payload
+# host = myhost.com
+# default_publisher_id = $host
+
+# Defined in rpc_notifier, can be comma separated values.
+# The actual topic names will be %s.%(default_notification_level)s
+notification_topics = notifications
+
+# Default maximum number of items returned in a single response,
+# value == infinite and value < 0 means no max limit, and value must
+# be greater than 0. If the number of items requested is greater than
+# pagination_max_limit, server will just return pagination_max_limit
+# of number of items.
+# pagination_max_limit = -1
+
+# Maximum number of DNS nameservers per subnet
+# max_dns_nameservers = 5
+
+# Maximum number of host routes per subnet
+# max_subnet_host_routes = 20
+
+# Maximum number of fixed ips per port
+# max_fixed_ips_per_port = 5
+
+# =========== items for agent management extension =============
+# Seconds to regard the agent as down; should be at least twice
+# report_interval, to be sure the agent is down for good
+agent_down_time = 75
+# =========== end of items for agent management extension =====
+
+# =========== items for agent scheduler extension =============
+# Driver to use for scheduling network to DHCP agent
+network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling router to a default L3 agent
+router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling a loadbalancer pool to an lbaas agent
+# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
+
+# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
+# networks to first DHCP agent which sends get_active_networks message to
+# neutron server
+# network_auto_schedule = True
+
+# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
+# routers to first L3 agent which sends sync_routers message to neutron server
+# router_auto_schedule = True
+
+# Number of DHCP agents scheduled to host a network. This enables redundant
+# DHCP agents for configured networks.
+# dhcp_agents_per_network = 1
+
+# =========== end of items for agent scheduler extension =====
+
+# =========== WSGI parameters related to the API server ==============
+# Number of separate worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as workers. The parent process manages them.
+api_workers = 8
+
+# Number of separate RPC worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as RPC workers. The parent process manages them.
+# This feature is experimental until issues are addressed and testing has been
+# enabled for various plugins for compatibility.
+rpc_workers = 8
+
+# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
+# starting API server. Not supported on OS X.
+# tcp_keepidle = 600
+
+# Number of seconds to keep retrying to listen
+# retry_until_window = 30
+
+# Number of backlog requests to configure the socket with.
+# backlog = 4096
+
+# Max header line to accommodate large tokens
+# max_header_line = 16384
+
+# Enable SSL on the API server
+# use_ssl = False
+
+# Certificate file to use when starting API server securely
+# ssl_cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+# ssl_key_file = /path/to/keyfile
+
+# CA certificate file to use when starting API server securely to
+# verify connecting clients. This is an optional parameter only required if
+# API clients need to authenticate to the API server using SSL certificates
+# signed by a trusted CA
+# ssl_ca_file = /path/to/cafile
+# ======== end of WSGI parameters related to the API server ==========
+
+
+# ======== neutron nova interactions ==========
+# Send notification to nova when port status is active.
+notify_nova_on_port_status_changes = True
+
+# Send notifications to nova when port data (fixed_ips/floatingips) change
+# so nova can update it's cache.
+notify_nova_on_port_data_changes = True
+
+# URL for connection to nova (Only supports one nova region currently).
+nova_url = http://{{ HA_VIP }}:8774/v2
+
+# Name of nova region to use. Useful if keystone manages more than one region
+nova_region_name = RegionOne
+
+# Username for connection to nova in admin context
+nova_admin_username = nova
+
+# The uuid of the admin nova tenant
+
+# Password for connection to nova in admin context.
+nova_admin_password = {{ NOVA_PASS }}
+
+# Authorization URL for connection to nova in admin context.
+nova_admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
+
+# Number of seconds between sending events to nova if there are any events to send
+send_events_interval = 2
+
+# ======== end of neutron nova interactions ==========
+
+[quotas]
+# Default driver to use for quota checks
+quota_driver = neutron.db.quota_db.DbQuotaDriver
+
+# Resource name(s) that are supported in quota features
+quota_items = network,subnet,port
+
+# Default number of resource allowed per tenant. A negative value means
+# unlimited.
+default_quota = -1
+
+# Number of networks allowed per tenant. A negative value means unlimited.
+quota_network = 100
+
+# Number of subnets allowed per tenant. A negative value means unlimited.
+quota_subnet = 100
+
+# Number of ports allowed per tenant. A negative value means unlimited.
+quota_port = 8000
+
+# Number of security groups allowed per tenant. A negative value means
+# unlimited.
+quota_security_group = 1000
+
+# Number of security group rules allowed per tenant. A negative value means
+# unlimited.
+quota_security_group_rule = 1000
+
+# Number of vips allowed per tenant. A negative value means unlimited.
+# quota_vip = 10
+
+# Number of pools allowed per tenant. A negative value means unlimited.
+# quota_pool = 10
+
+# Number of pool members allowed per tenant. A negative value means unlimited.
+# The default is unlimited because a member is not a real resource consumer
+# on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_member = -1
+
+# Number of health monitors allowed per tenant. A negative value means
+# unlimited.
+# The default is unlimited because a health monitor is not a real resource
+# consumer on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_health_monitors = -1
+
+# Number of routers allowed per tenant. A negative value means unlimited.
+# quota_router = 10
+
+# Number of floating IPs allowed per tenant. A negative value means unlimited.
+# quota_floatingip = 50
+
+[agent]
+# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
+
+# =========== items for agent management extension =============
+# seconds between nodes reporting state to server; should be less than
+# agent_down_time, best if it is half or less than agent_down_time
+report_interval = 30
+
+# =========== end of items for agent management extension =====
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+signing_dir = $state_path/keystone-signing
+
+[database]
+# This line MUST be changed to actually run the plugin.
+# Example:
+# connection = mysql://root:pass@127.0.0.1:3306/neutron
+# Replace 127.0.0.1 above with the IP address of the database used by the
+# main neutron server. (Leave it as is if the database runs on this host.)
+# connection = sqlite:////var/lib/neutron/neutron.sqlite
+#connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron
+
+# The SQLAlchemy connection string used to connect to the slave database
+slave_connection =
+
+# Database reconnection retry times - in event connectivity is lost
+# set to -1 implies an infinite retry count
+max_retries = 10
+
+# Database reconnection interval in seconds - if the initial connection to the
+# database fails
+retry_interval = 10
+
+# Minimum number of SQL connections to keep open in a pool
+min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+max_pool_size = 100
+
+# Timeout in seconds before idle sql connections are reaped
+idle_timeout = 3600
+
+# If set, use this value for max_overflow with sqlalchemy
+max_overflow = 100
+
+# Verbosity of SQL debugging information. 0=None, 100=Everything
+connection_debug = 0
+
+# Add python stack traces to SQL as comment strings
+connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+pool_timeout = 10
+
+[service_providers]
+# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
+# Must be in form:
+# service_provider=<service_type>:<name>:<driver>[:default]
+# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
+# Combination of <service type> and <name> must be unique; <driver> must also be unique
+# This is multiline option, example for default provider:
+# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
+# example of non-default provider:
+# service_provider=FIREWALL:name2:firewall_driver_path
+# --- Reference implementations ---
+service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+# In order to activate Radware's lbaas driver you need to uncomment the next line.
+# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
+# Otherwise comment the HA Proxy line
+# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
+# uncomment the following line to make the 'netscaler' LBaaS provider available.
+# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
+# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
+# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
+# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
+# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/neutron.conf b/compass/deploy/ansible/roles/neutron-compute/templates/neutron.conf
new file mode 100644
index 0000000..1575367
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/neutron.conf
@@ -0,0 +1,466 @@
+[DEFAULT]
+# Print more verbose output (set logging level to INFO instead of default WARNING level).
+verbose = {{ VERBOSE }}
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING level).
+debug = {{ VERBOSE }}
+
+# Where to store Neutron state files. This directory must be writable by the
+# user executing the agent.
+state_path = /var/lib/neutron
+
+# Where to store lock files
+lock_path = $state_path/lock
+
+# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
+# log_date_format = %Y-%m-%d %H:%M:%S
+
+# use_syslog -> syslog
+# log_file and log_dir -> log_dir/log_file
+# (not log_file) and log_dir -> log_dir/{binary_name}.log
+# use_stderr -> stderr
+# (not user_stderr) and (not log_file) -> stdout
+# publish_errors -> notification system
+
+# use_syslog = False
+# syslog_log_facility = LOG_USER
+
+# use_stderr = True
+# log_file =
+log_dir = /var/log/neutron
+
+# publish_errors = False
+
+# Address to bind the API server to
+bind_host = {{ network_server_host }}
+
+# Port the bind the API server to
+bind_port = 9696
+
+# Path to the extensions. Note that this can be a colon-separated list of
+# paths. For example:
+# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
+# The __path__ of neutron.extensions is appended to this, so if your
+# extensions are in there you don't need to specify them here
+# api_extensions_path =
+
+# (StrOpt) Neutron core plugin entrypoint to be loaded from the
+# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
+# plugins included in the neutron source distribution. For compatibility with
+# previous versions, the class name of a plugin can be specified instead of its
+# entrypoint name.
+#
+#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
+core_plugin = ml2
+# Example: core_plugin = ml2
+
+# (ListOpt) List of service plugin entrypoints to be loaded from the
+# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
+# the plugins included in the neutron source distribution. For compatibility
+# with previous versions, the class name of a plugin can be specified instead
+# of its entrypoint name.
+#
+# service_plugins =
+# Example: service_plugins = router,firewall,lbaas,vpnaas,metering
+service_plugins = router
+
+# Paste configuration file
+api_paste_config = api-paste.ini
+
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+auth_strategy = keystone
+
+# Base MAC address. The first 3 octets will remain unchanged. If the
+# 4h octet is not 00, it will also be used. The others will be
+# randomly generated.
+# 3 octet
+# base_mac = fa:16:3e:00:00:00
+# 4 octet
+# base_mac = fa:16:3e:4f:00:00
+
+# Maximum amount of retries to generate a unique MAC address
+# mac_generation_retries = 16
+
+# DHCP Lease duration (in seconds)
+dhcp_lease_duration = 86400
+
+# Allow sending resource operation notification to DHCP agent
+# dhcp_agent_notification = True
+
+# Enable or disable bulk create/update/delete operations
+# allow_bulk = True
+# Enable or disable pagination
+# allow_pagination = False
+# Enable or disable sorting
+# allow_sorting = False
+# Enable or disable overlapping IPs for subnets
+# Attention: the following parameter MUST be set to False if Neutron is
+# being used in conjunction with nova security groups
+allow_overlapping_ips = True
+# Ensure that configured gateway is on subnet
+# force_gateway_on_subnet = False
+
+
+# RPC configuration options. Defined in rpc __init__
+# The messaging module to use, defaults to kombu.
+# rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_password = {{ RABBIT_PASS }}
+
+# Size of RPC thread pool
+rpc_thread_pool_size = 240
+# Size of RPC connection pool
+rpc_conn_pool_size = 100
+# Seconds to wait for a response from call or multicall
+rpc_response_timeout = 300
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+rpc_cast_timeout = 300
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call.
+# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception
+# AMQP exchange to connect to if using RabbitMQ or QPID
+# control_exchange = neutron
+
+# If passed, use a fake RabbitMQ provider
+# fake_rabbit = False
+
+# Configuration options if sending notifications via kombu rpc (these are
+# the defaults)
+# SSL version to use (valid only if SSL enabled)
+# kombu_ssl_version =
+# SSL key file (valid only if SSL enabled)
+# kombu_ssl_keyfile =
+# SSL cert file (valid only if SSL enabled)
+# kombu_ssl_certfile =
+# SSL certification authority file (valid only if SSL enabled)
+# kombu_ssl_ca_certs =
+# Port where RabbitMQ server is running/listening
+rabbit_port = 5672
+# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port'
+# rabbit_hosts = localhost:5672
+# User ID used for RabbitMQ connections
+rabbit_userid = {{ RABBIT_USER }}
+# Location of a virtual RabbitMQ installation.
+# rabbit_virtual_host = /
+# Maximum retries with trying to connect to RabbitMQ
+# (the default of 0 implies an infinite retry count)
+# rabbit_max_retries = 0
+# RabbitMQ connection retry interval
+# rabbit_retry_interval = 1
+# Use HA queues in RabbitMQ (x-ha-policy: all). You need to
+# wipe RabbitMQ database when changing this option. (boolean value)
+# rabbit_ha_queues = false
+# QPID
+# rpc_backend=neutron.openstack.common.rpc.impl_qpid
+# Qpid broker hostname
+# qpid_hostname = localhost
+# Qpid broker port
+# qpid_port = 5672
+# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port'
+# qpid_hosts = localhost:5672
+# Username for qpid connection
+# qpid_username = ''
+# Password for qpid connection
+# qpid_password = ''
+# Space separated list of SASL mechanisms to use for auth
+# qpid_sasl_mechanisms = ''
+# Seconds between connection keepalive heartbeats
+# qpid_heartbeat = 60
+# Transport to use, either 'tcp' or 'ssl'
+# qpid_protocol = tcp
+# Disable Nagle algorithm
+# qpid_tcp_nodelay = True
+
+# ZMQ
+# rpc_backend=neutron.openstack.common.rpc.impl_zmq
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
+# The "host" option should point or resolve to this address.
+# rpc_zmq_bind_address = *
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when network/subnet/port are created, updated or deleted.
+# There are three methods of sending notifications: logging (via the
+# log_file directive), rpc (via a message queue) and
+# noop (no notifications sent, the default)
+
+# Notification_driver can be defined multiple times
+# Do nothing driver
+# notification_driver = neutron.openstack.common.notifier.no_op_notifier
+# Logging driver
+# notification_driver = neutron.openstack.common.notifier.log_notifier
+# RPC driver.
+notification_driver = neutron.openstack.common.notifier.rpc_notifier
+
+# default_notification_level is used to form actual topic name(s) or to set logging level
+default_notification_level = INFO
+
+# default_publisher_id is a part of the notification payload
+# host = myhost.com
+# default_publisher_id = $host
+
+# Defined in rpc_notifier, can be comma separated values.
+# The actual topic names will be %s.%(default_notification_level)s
+notification_topics = notifications
+
+# Default maximum number of items returned in a single response,
+# value == infinite and value < 0 means no max limit, and value must
+# be greater than 0. If the number of items requested is greater than
+# pagination_max_limit, server will just return pagination_max_limit
+# of number of items.
+# pagination_max_limit = -1
+
+# Maximum number of DNS nameservers per subnet
+# max_dns_nameservers = 5
+
+# Maximum number of host routes per subnet
+# max_subnet_host_routes = 20
+
+# Maximum number of fixed ips per port
+# max_fixed_ips_per_port = 5
+
+# =========== items for agent management extension =============
+# Seconds to regard the agent as down; should be at least twice
+# report_interval, to be sure the agent is down for good
+agent_down_time = 75
+# =========== end of items for agent management extension =====
+
+# =========== items for agent scheduler extension =============
+# Driver to use for scheduling network to DHCP agent
+network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling router to a default L3 agent
+router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling a loadbalancer pool to an lbaas agent
+# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
+
+# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
+# networks to first DHCP agent which sends get_active_networks message to
+# neutron server
+# network_auto_schedule = True
+
+# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
+# routers to first L3 agent which sends sync_routers message to neutron server
+# router_auto_schedule = True
+
+# Number of DHCP agents scheduled to host a network. This enables redundant
+# DHCP agents for configured networks.
+# dhcp_agents_per_network = 1
+
+# =========== end of items for agent scheduler extension =====
+
+# =========== WSGI parameters related to the API server ==============
+# Number of separate worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as workers. The parent process manages them.
+api_workers = 8
+
+# Number of separate RPC worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as RPC workers. The parent process manages them.
+# This feature is experimental until issues are addressed and testing has been
+# enabled for various plugins for compatibility.
+rpc_workers = 8
+
+# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
+# starting API server. Not supported on OS X.
+# tcp_keepidle = 600
+
+# Number of seconds to keep retrying to listen
+# retry_until_window = 30
+
+# Number of backlog requests to configure the socket with.
+# backlog = 4096
+
+# Max header line to accommodate large tokens
+# max_header_line = 16384
+
+# Enable SSL on the API server
+# use_ssl = False
+
+# Certificate file to use when starting API server securely
+# ssl_cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+# ssl_key_file = /path/to/keyfile
+
+# CA certificate file to use when starting API server securely to
+# verify connecting clients. This is an optional parameter only required if
+# API clients need to authenticate to the API server using SSL certificates
+# signed by a trusted CA
+# ssl_ca_file = /path/to/cafile
+# ======== end of WSGI parameters related to the API server ==========
+
+
+# ======== neutron nova interactions ==========
+# Send notification to nova when port status is active.
+notify_nova_on_port_status_changes = True
+
+# Send notifications to nova when port data (fixed_ips/floatingips) change
+# so nova can update it's cache.
+notify_nova_on_port_data_changes = True
+
+# URL for connection to nova (Only supports one nova region currently).
+nova_url = http://{{ HA_VIP }}:8774/v2
+
+# Name of nova region to use. Useful if keystone manages more than one region
+nova_region_name = RegionOne
+
+# Username for connection to nova in admin context
+nova_admin_username = nova
+
+# The uuid of the admin nova tenant
+nova_admin_tenant_id = {{ NOVA_ADMIN_TENANT_ID.stdout_lines[0] }}
+
+# Password for connection to nova in admin context.
+nova_admin_password = {{ NOVA_PASS }}
+
+# Authorization URL for connection to nova in admin context.
+nova_admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
+
+# Number of seconds between sending events to nova if there are any events to send
+send_events_interval = 2
+
+# ======== end of neutron nova interactions ==========
+
+[quotas]
+# Default driver to use for quota checks
+quota_driver = neutron.db.quota_db.DbQuotaDriver
+
+# Resource name(s) that are supported in quota features
+quota_items = network,subnet,port
+
+# Default number of resource allowed per tenant. A negative value means
+# unlimited.
+default_quota = -1
+
+# Number of networks allowed per tenant. A negative value means unlimited.
+quota_network = 100
+
+# Number of subnets allowed per tenant. A negative value means unlimited.
+quota_subnet = 100
+
+# Number of ports allowed per tenant. A negative value means unlimited.
+quota_port = 8000
+
+# Number of security groups allowed per tenant. A negative value means
+# unlimited.
+quota_security_group = 1000
+
+# Number of security group rules allowed per tenant. A negative value means
+# unlimited.
+quota_security_group_rule = 1000
+
+# Number of vips allowed per tenant. A negative value means unlimited.
+# quota_vip = 10
+
+# Number of pools allowed per tenant. A negative value means unlimited.
+# quota_pool = 10
+
+# Number of pool members allowed per tenant. A negative value means unlimited.
+# The default is unlimited because a member is not a real resource consumer
+# on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_member = -1
+
+# Number of health monitors allowed per tenant. A negative value means
+# unlimited.
+# The default is unlimited because a health monitor is not a real resource
+# consumer on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_health_monitors = -1
+
+# Number of routers allowed per tenant. A negative value means unlimited.
+# quota_router = 10
+
+# Number of floating IPs allowed per tenant. A negative value means unlimited.
+# quota_floatingip = 50
+
+[agent]
+# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
+
+# =========== items for agent management extension =============
+# seconds between nodes reporting state to server; should be less than
+# agent_down_time, best if it is half or less than agent_down_time
+report_interval = 30
+
+# =========== end of items for agent management extension =====
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+signing_dir = $state_path/keystone-signing
+
+[database]
+# This line MUST be changed to actually run the plugin.
+# Example:
+# connection = mysql://root:pass@127.0.0.1:3306/neutron
+# Replace 127.0.0.1 above with the IP address of the database used by the
+# main neutron server. (Leave it as is if the database runs on this host.)
+# connection = sqlite:////var/lib/neutron/neutron.sqlite
+#connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron
+
+# The SQLAlchemy connection string used to connect to the slave database
+slave_connection =
+
+# Database reconnection retry times - in event connectivity is lost
+# set to -1 implies an infinite retry count
+max_retries = 10
+
+# Database reconnection interval in seconds - if the initial connection to the
+# database fails
+retry_interval = 10
+
+# Minimum number of SQL connections to keep open in a pool
+min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+max_pool_size = 100
+
+# Timeout in seconds before idle sql connections are reaped
+idle_timeout = 3600
+
+# If set, use this value for max_overflow with sqlalchemy
+max_overflow = 100
+
+# Verbosity of SQL debugging information. 0=None, 100=Everything
+connection_debug = 0
+
+# Add python stack traces to SQL as comment strings
+connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+pool_timeout = 10
+
+[service_providers]
+# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
+# Must be in form:
+# service_provider=<service_type>:<name>:<driver>[:default]
+# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
+# Combination of <service type> and <name> must be unique; <driver> must also be unique
+# This is multiline option, example for default provider:
+# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
+# example of non-default provider:
+# service_provider=FIREWALL:name2:firewall_driver_path
+# --- Reference implementations ---
+service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+# In order to activate Radware's lbaas driver you need to uncomment the next line.
+# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
+# Otherwise comment the HA Proxy line
+# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
+# uncomment the following line to make the 'netscaler' LBaaS provider available.
+# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
+# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
+# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
+# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
+# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/neutron_init.sh b/compass/deploy/ansible/roles/neutron-compute/templates/neutron_init.sh
new file mode 100644
index 0000000..b92e202
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/neutron_init.sh
@@ -0,0 +1,4 @@
+# neutron --os-username=admin --os-password={{ ADMIN_PASS }} --os-tenant-name=admin --os-auth-url=http://{{ identity_host }}:35357/v2.0 net-create ext-net --shared --router:external=True
+
+# neutron --os-username=admin --os-password={{ ADMIN_PASS }} --os-tenant-name=admin --os-auth-url=http://{{ identity_host }}:35357/v2.0 subnet-create ext-net --name ext-subnet --allocation-pool start={{ FLOATING_IP_START }},end={{ FLOATING_IP_END}} --disable-dhcp --gateway {{EXTERNAL_NETWORK_GATEWAY}} {{EXTERNAL_NETWORK_CIDR}}
+
diff --git a/compass/deploy/ansible/roles/neutron-compute/templates/nova.conf b/compass/deploy/ansible/roles/neutron-compute/templates/nova.conf
new file mode 100644
index 0000000..4988cb0
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-compute/templates/nova.conf
@@ -0,0 +1,73 @@
+[DEFAULT]
+dhcpbridge_flagfile=/etc/nova/nova.conf
+dhcpbridge=/usr/bin/nova-dhcpbridge
+logdir=/var/log/nova
+state_path=/var/lib/nova
+lock_path=/var/lock/nova
+force_dhcp_release=True
+iscsi_helper=tgtadm
+libvirt_use_virtio_for_bridges=True
+connection_type=libvirt
+root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
+verbose={{ VERBOSE}}
+debug={{ DEBUG }}
+ec2_private_dns_show_ip=True
+api_paste_config=/etc/nova/api-paste.ini
+volumes_path=/var/lib/nova/volumes
+enabled_apis=ec2,osapi_compute,metadata
+
+vif_plugging_is_fatal: false
+vif_plugging_timeout: 0
+
+auth_strategy = keystone
+
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+
+my_ip = {{ internal_ip }}
+vnc_enabled = True
+vncserver_listen = {{ internal_ip }}
+vncserver_proxyclient_address = {{ internal_ip }}
+novncproxy_base_url = http://{{ HA_VIP }}:6080/vnc_auto.html
+
+novncproxy_host = {{ internal_ip }}
+novncproxy_port = 6080
+
+network_api_class = nova.network.neutronv2.api.API
+linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+security_group_api = neutron
+
+instance_usage_audit = True
+instance_usage_audit_period = hour
+notify_on_state_change = vm_and_task_state
+notification_driver = nova.openstack.common.notifier.rpc_notifier
+notification_driver = ceilometer.compute.nova_notifier
+
+[database]
+# The SQLAlchemy connection string used to connect to the database
+connection = mysql://nova:{{ NOVA_DBPASS }}@{{ db_host }}/nova
+
+[conductor]
+manager = nova.conductor.manager.ConductorManager
+topic = conductor
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = nova
+admin_password = {{ NOVA_PASS }}
+
+[glance]
+host = {{ HA_VIP }}
+
+[neutron]
+url = http://{{ HA_VIP }}:9696
+auth_strategy = keystone
+admin_tenant_name = service
+admin_username = neutron
+admin_password = {{ NEUTRON_PASS }}
+admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
diff --git a/compass/deploy/ansible/roles/neutron-controller/handlers/main.yml b/compass/deploy/ansible/roles/neutron-controller/handlers/main.yml
new file mode 100644
index 0000000..b4c1585
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/handlers/main.yml
@@ -0,0 +1,24 @@
+---
+- name: restart nova-api
+ service: name=nova-api state=restarted enabled=yes
+
+- name: restart nova-cert
+ service: name=nova-cert state=restarted enabled=yes
+
+- name: restart nova-consoleauth
+ service: name=nova-consoleauth state=restarted enabled=yes
+
+- name: restart nova-scheduler
+ service: name=nova-scheduler state=restarted enabled=yes
+
+- name: restart nova-conductor
+ service: name=nova-conductor state=restarted enabled=yes
+
+- name: restart nova-novncproxy
+ service: name=nova-novncproxy state=restarted enabled=yes
+
+- name: remove nova-sqlite-db
+ shell: rm /var/lib/nova/nova.sqlite || touch nova.sqlite.db.removed
+
+- name: restart neutron-server
+ service: name=neutron-server state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/neutron-controller/tasks/main.yml b/compass/deploy/ansible/roles/neutron-controller/tasks/main.yml
new file mode 100644
index 0000000..9c04d74
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- include: neutron_install.yml
+ tags:
+ - install
+ - neutron_install
+ - neutron
+
+- include: neutron_config.yml
+ when: HA_CLUSTER is not defined or HA_CLUSTER[inventory_hostname] == ''
+ tags:
+ - config
+ - neutron_config
+ - neutron
diff --git a/compass/deploy/ansible/roles/neutron-controller/tasks/neutron_config.yml b/compass/deploy/ansible/roles/neutron-controller/tasks/neutron_config.yml
new file mode 100644
index 0000000..77cc29a
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/tasks/neutron_config.yml
@@ -0,0 +1,10 @@
+---
+- name: neutron-db-manage upgrade to Juno
+ shell: neutron-db-manage --config-file=/etc/neutron/neutron.conf --config-file=/etc/neutron/plugins/ml2/ml2_conf.ini upgrade head
+ register: result
+ until: result.rc == 0
+ retries: 5
+ delay: 3
+ notify:
+ - restart neutron-server
+
diff --git a/compass/deploy/ansible/roles/neutron-controller/tasks/neutron_install.yml b/compass/deploy/ansible/roles/neutron-controller/tasks/neutron_install.yml
new file mode 100644
index 0000000..6165299
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/tasks/neutron_install.yml
@@ -0,0 +1,29 @@
+---
+- name: install controller-related neutron packages
+ apt: name={{ item }} state=present force=yes
+ with_items:
+ - neutron-server
+ - neutron-plugin-ml2
+
+- name: generate neutron controll service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - neutron-server
+ - neutron-plugin-ml2
+
+- name: get tenant id to fill neutron.conf
+ shell: keystone --os-token={{ ADMIN_TOKEN }} --os-endpoint=http://{{ HA_VIP }}:35357/v2.0 tenant-get service | grep id | awk '{print $4}'
+ register: NOVA_ADMIN_TENANT_ID
+
+- name: update neutron conf
+ template: src=neutron.conf dest=/etc/neutron/neutron.conf backup=yes
+ notify:
+ - restart neutron-server
+
+- name: update ml2 plugin conf
+ template: src=ml2_conf.ini dest=/etc/neutron/plugins/ml2/ml2_conf.ini backup=yes
+ notify:
+ - restart neutron-server
+
+- meta: flush_handlers
+
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/dhcp_agent.ini b/compass/deploy/ansible/roles/neutron-controller/templates/dhcp_agent.ini
new file mode 100644
index 0000000..19eb62e
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/dhcp_agent.ini
@@ -0,0 +1,90 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+# debug = False
+verbose = True
+
+# The DHCP agent will resync its state with Neutron to recover from any
+# transient notification or rpc errors. The interval is number of
+# seconds between attempts.
+resync_interval = 5
+
+# The DHCP agent requires an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+
+# Example of interface_driver option for OVS based plugins(OVS, Ryu, NEC, NVP,
+# BigSwitch/Floodlight)
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+# Name of Open vSwitch bridge to use
+# ovs_integration_bridge = br-int
+
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+ovs_use_veth = False
+
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+
+# The agent can use other DHCP drivers. Dnsmasq is the simplest and requires
+# no additional setup of the DHCP server.
+dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
+
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+
+# The DHCP server can assist with providing metadata support on isolated
+# networks. Setting this value to True will cause the DHCP server to append
+# specific host routes to the DHCP request. The metadata service will only
+# be activated when the subnet does not contain any router port. The guest
+# instance must be configured to request host routes via DHCP (Option 121).
+enable_isolated_metadata = False
+
+# Allows for serving metadata requests coming from a dedicated metadata
+# access network whose cidr is 169.254.169.254/16 (or larger prefix), and
+# is connected to a Neutron router from which the VMs send metadata
+# request. In this case DHCP Option 121 will not be injected in VMs, as
+# they will be able to reach 169.254.169.254 through a router.
+# This option requires enable_isolated_metadata = True
+enable_metadata_network = False
+
+# Number of threads to use during sync process. Should not exceed connection
+# pool size configured on server.
+# num_sync_threads = 4
+
+# Location to store DHCP server config files
+# dhcp_confs = $state_path/dhcp
+
+# Domain to use for building the hostnames
+dhcp_domain = openstacklocal
+
+# Override the default dnsmasq settings with this file
+# dnsmasq_config_file =
+dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
+
+# Comma-separated list of DNS servers which will be used by dnsmasq
+# as forwarders.
+# dnsmasq_dns_servers =
+
+# Limit number of leases to prevent a denial-of-service.
+dnsmasq_lease_max = 16777216
+
+# Location to DHCP lease relay UNIX domain socket
+# dhcp_lease_relay_socket = $state_path/dhcp/lease_relay
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# dhcp_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the dhcp agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a dhcp server is disabled.
+# dhcp_delete_namespaces = False
+
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/dnsmasq-neutron.conf b/compass/deploy/ansible/roles/neutron-controller/templates/dnsmasq-neutron.conf
new file mode 100644
index 0000000..7bcbd9d
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/dnsmasq-neutron.conf
@@ -0,0 +1,2 @@
+dhcp-option-force=26,1454
+
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/etc/xorp/config.boot b/compass/deploy/ansible/roles/neutron-controller/templates/etc/xorp/config.boot
new file mode 100644
index 0000000..32caf96
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/etc/xorp/config.boot
@@ -0,0 +1,25 @@
+interfaces {
+ restore-original-config-on-shutdown: false
+ interface {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ description: "Internal pNodes interface"
+ disable: false
+ default-system-config
+ }
+}
+
+protocols {
+ igmp {
+ disable: false
+ interface {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ vif {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ disable: false
+ version: 3
+ }
+ }
+ traceoptions {
+ flag all {
+ disable: false
+ }
+ }
+ }
+}
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/l3_agent.ini b/compass/deploy/ansible/roles/neutron-controller/templates/l3_agent.ini
new file mode 100644
index 0000000..b394c00
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/l3_agent.ini
@@ -0,0 +1,81 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+# debug = False
+verbose = True
+
+# L3 requires that an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+
+# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC)
+# that supports L3 agent
+# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+# ovs_use_veth = False
+
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+
+# If use_namespaces is set as False then the agent can only configure one router.
+
+# This is done by setting the specific router_id.
+# router_id =
+
+# When external_network_bridge is set, each L3 agent can be associated
+# with no more than one external network. This value should be set to the UUID
+# of that external network. To allow L3 agent support multiple external
+# networks, both the external_network_bridge and gateway_external_network_id
+# must be left empty.
+# gateway_external_network_id =
+
+# Indicates that this L3 agent should also handle routers that do not have
+# an external network gateway configured. This option should be True only
+# for a single agent in a Neutron deployment, and may be False for all agents
+# if all routers must have an external network gateway
+handle_internal_only_routers = True
+
+# Name of bridge used for external network traffic. This should be set to
+# empty value for the linux bridge. when this parameter is set, each L3 agent
+# can be associated with no more than one external network.
+external_network_bridge = br-ex
+
+# TCP Port used by Neutron metadata server
+metadata_port = 9697
+
+# Send this many gratuitous ARPs for HA setup. Set it below or equal to 0
+# to disable this feature.
+send_arp_for_ha = 3
+
+# seconds between re-sync routers' data if needed
+periodic_interval = 40
+
+# seconds to start to sync routers' data after
+# starting agent
+periodic_fuzzy_delay = 5
+
+# enable_metadata_proxy, which is true by default, can be set to False
+# if the Nova metadata server is not available
+# enable_metadata_proxy = True
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# router_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the L3 agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a router is destroyed.
+# router_delete_namespaces = False
+
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/metadata_agent.ini b/compass/deploy/ansible/roles/neutron-controller/templates/metadata_agent.ini
new file mode 100644
index 0000000..6badf28
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/metadata_agent.ini
@@ -0,0 +1,46 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+debug = True
+
+# The Neutron user information for accessing the Neutron API.
+auth_url = http://{{ HA_VIP }}:5000/v2.0
+auth_region = RegionOne
+# Turn off verification of the certificate for ssl
+# auth_insecure = False
+# Certificate Authority public key (CA cert) file for ssl
+# auth_ca_cert =
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+
+# Network service endpoint type to pull from the keystone catalog
+# endpoint_type = adminURL
+
+# IP address used by Nova metadata server
+nova_metadata_ip = {{ HA_VIP }}
+
+# TCP Port used by Nova metadata server
+nova_metadata_port = 8775
+
+# When proxying metadata requests, Neutron signs the Instance-ID header with a
+# shared secret to prevent spoofing. You may select any string for a secret,
+# but it must match here and in the configuration used by the Nova Metadata
+# Server. NOTE: Nova uses a different key: neutron_metadata_proxy_shared_secret
+metadata_proxy_shared_secret = {{ METADATA_SECRET }}
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# Number of separate worker processes for metadata server
+# metadata_workers = 0
+
+# Number of backlog requests to configure the metadata server socket with
+# metadata_backlog = 128
+
+# URL to connect to the cache backend.
+# Example of URL using memory caching backend
+# with ttl set to 5 seconds: cache_url = memory://?default_ttl=5
+# default_ttl=0 parameter will cause cache entries to never expire.
+# Otherwise default_ttl specifies time in seconds a cache entry is valid for.
+# No cache is used in case no value is passed.
+# cache_url =
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/ml2_conf.ini b/compass/deploy/ansible/roles/neutron-controller/templates/ml2_conf.ini
new file mode 100644
index 0000000..a790069
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/ml2_conf.ini
@@ -0,0 +1,108 @@
+[ml2]
+# (ListOpt) List of network type driver entrypoints to be loaded from
+# the neutron.ml2.type_drivers namespace.
+#
+# type_drivers = local,flat,vlan,gre,vxlan
+# Example: type_drivers = flat,vlan,gre,vxlan
+type_drivers = {{ NEUTRON_TYPE_DRIVERS |join(",") }}
+
+# (ListOpt) Ordered list of network_types to allocate as tenant
+# networks. The default value 'local' is useful for single-box testing
+# but provides no connectivity between hosts.
+#
+# tenant_network_types = local
+# Example: tenant_network_types = vlan,gre,vxlan
+tenant_network_types = {{ NEUTRON_TENANT_NETWORK_TYPES |join(",") }}
+
+# (ListOpt) Ordered list of networking mechanism driver entrypoints
+# to be loaded from the neutron.ml2.mechanism_drivers namespace.
+# mechanism_drivers =
+# Example: mechanism_drivers = openvswitch,mlnx
+# Example: mechanism_drivers = arista
+# Example: mechanism_drivers = cisco,logger
+# Example: mechanism_drivers = openvswitch,brocade
+# Example: mechanism_drivers = linuxbridge,brocade
+mechanism_drivers = {{ NEUTRON_MECHANISM_DRIVERS |join(",") }}
+
+[ml2_type_flat]
+# (ListOpt) List of physical_network names with which flat networks
+# can be created. Use * to allow flat networks with arbitrary
+# physical_network names.
+#
+flat_networks = external
+# Example:flat_networks = physnet1,physnet2
+# Example:flat_networks = *
+
+[ml2_type_vlan]
+# (ListOpt) List of <physical_network>[:<vlan_min>:<vlan_max>] tuples
+# specifying physical_network names usable for VLAN provider and
+# tenant networks, as well as ranges of VLAN tags on each
+# physical_network available for allocation as tenant networks.
+#
+network_vlan_ranges =
+# Example: network_vlan_ranges = physnet1:1000:2999,physnet2
+
+[ml2_type_gre]
+# (ListOpt) Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation
+tunnel_id_ranges = 1:1000
+
+[ml2_type_vxlan]
+# (ListOpt) Comma-separated list of <vni_min>:<vni_max> tuples enumerating
+# ranges of VXLAN VNI IDs that are available for tenant network allocation.
+#
+vni_ranges = 1001:4095
+
+# (StrOpt) Multicast group for the VXLAN interface. When configured, will
+# enable sending all broadcast traffic to this multicast group. When left
+# unconfigured, will disable multicast VXLAN mode.
+#
+vxlan_group = 239.1.1.1
+# Example: vxlan_group = 239.1.1.1
+
+[securitygroup]
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+enable_security_group = True
+
+[database]
+connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron?charset=utf8
+
+[ovs]
+local_ip = {{ internal_ip }}
+{% if 'openvswitch' in NEUTRON_MECHANISM_DRIVERS %}
+integration_bridge = br-int
+tunnel_bridge = br-tun
+tunnel_id_ranges = 1001:4095
+tunnel_type = {{ NEUTRON_TUNNEL_TYPES |join(",") }}
+bridge_mappings = {{ neutron_ovs_bridge_mappings | default("external:br-ex") }}
+{% endif %}
+
+[agent]
+root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
+tunnel_types = {{ NEUTRON_TUNNEL_TYPES |join(",") }}
+{% if 'vxlan' in NEUTRON_TUNNEL_TYPES %}
+vxlan_udp_port = 4789
+{% endif %}
+l2_population = False
+
+[odl]
+{% if 'opendaylight' in NEUTRON_MECHANISM_DRIVERS %}
+network_vlan_ranges = 1001:4095
+tunnel_id_ranges = 1001:4095
+tun_peer_patch_port = patch-int
+int_peer_patch_port = patch-tun
+tenant_network_type = vxlan
+tunnel_bridge = br-tun
+integration_bridge = br-int
+controllers = 10.1.0.15:8080:admin:admin
+{% endif %}
+
+[ml2_odl]
+{% if 'opendaylight' in NEUTRON_MECHANISM_DRIVERS %}
+username = {{ odl_username }}
+password = {{ odl_password }}
+url = http://{{ controller }}:{{ odl_api_port }}/controller/nb/v2/neutron
+{% endif %}
+
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/neutron-network.conf b/compass/deploy/ansible/roles/neutron-controller/templates/neutron-network.conf
new file mode 100644
index 0000000..93be9cb
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/neutron-network.conf
@@ -0,0 +1,465 @@
+[DEFAULT]
+# Print more verbose output (set logging level to INFO instead of default WARNING level).
+verbose = {{ VERBOSE }}
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING level).
+debug = {{ DEBUG }}
+
+# Where to store Neutron state files. This directory must be writable by the
+# user executing the agent.
+state_path = /var/lib/neutron
+
+# Where to store lock files
+lock_path = $state_path/lock
+
+# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
+# log_date_format = %Y-%m-%d %H:%M:%S
+
+# use_syslog -> syslog
+# log_file and log_dir -> log_dir/log_file
+# (not log_file) and log_dir -> log_dir/{binary_name}.log
+# use_stderr -> stderr
+# (not user_stderr) and (not log_file) -> stdout
+# publish_errors -> notification system
+
+# use_syslog = False
+# syslog_log_facility = LOG_USER
+
+# use_stderr = True
+# log_file =
+log_dir = /var/log/neutron
+
+# publish_errors = False
+
+# Address to bind the API server to
+bind_host = {{ network_server_host }}
+
+# Port the bind the API server to
+bind_port = 9696
+
+# Path to the extensions. Note that this can be a colon-separated list of
+# paths. For example:
+# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
+# The __path__ of neutron.extensions is appended to this, so if your
+# extensions are in there you don't need to specify them here
+# api_extensions_path =
+
+# (StrOpt) Neutron core plugin entrypoint to be loaded from the
+# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
+# plugins included in the neutron source distribution. For compatibility with
+# previous versions, the class name of a plugin can be specified instead of its
+# entrypoint name.
+#
+#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
+core_plugin = ml2
+# Example: core_plugin = ml2
+
+# (ListOpt) List of service plugin entrypoints to be loaded from the
+# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
+# the plugins included in the neutron source distribution. For compatibility
+# with previous versions, the class name of a plugin can be specified instead
+# of its entrypoint name.
+#
+# service_plugins =
+# Example: service_plugins = router,firewall,lbaas,vpnaas,metering
+service_plugins = router
+
+# Paste configuration file
+api_paste_config = api-paste.ini
+
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+auth_strategy = keystone
+
+# Base MAC address. The first 3 octets will remain unchanged. If the
+# 4h octet is not 00, it will also be used. The others will be
+# randomly generated.
+# 3 octet
+# base_mac = fa:16:3e:00:00:00
+# 4 octet
+# base_mac = fa:16:3e:4f:00:00
+
+# Maximum amount of retries to generate a unique MAC address
+# mac_generation_retries = 16
+
+# DHCP Lease duration (in seconds)
+dhcp_lease_duration = 86400
+
+# Allow sending resource operation notification to DHCP agent
+# dhcp_agent_notification = True
+
+# Enable or disable bulk create/update/delete operations
+# allow_bulk = True
+# Enable or disable pagination
+# allow_pagination = False
+# Enable or disable sorting
+# allow_sorting = False
+# Enable or disable overlapping IPs for subnets
+# Attention: the following parameter MUST be set to False if Neutron is
+# being used in conjunction with nova security groups
+allow_overlapping_ips = True
+# Ensure that configured gateway is on subnet
+# force_gateway_on_subnet = False
+
+
+# RPC configuration options. Defined in rpc __init__
+# The messaging module to use, defaults to kombu.
+# rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_password = {{ RABBIT_PASS }}
+
+# Size of RPC thread pool
+rpc_thread_pool_size = 240
+# Size of RPC connection pool
+rpc_conn_pool_size = 100
+# Seconds to wait for a response from call or multicall
+rpc_response_timeout = 300
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+rpc_cast_timeout = 300
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call.
+# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception
+# AMQP exchange to connect to if using RabbitMQ or QPID
+# control_exchange = neutron
+
+# If passed, use a fake RabbitMQ provider
+# fake_rabbit = False
+
+# Configuration options if sending notifications via kombu rpc (these are
+# the defaults)
+# SSL version to use (valid only if SSL enabled)
+# kombu_ssl_version =
+# SSL key file (valid only if SSL enabled)
+# kombu_ssl_keyfile =
+# SSL cert file (valid only if SSL enabled)
+# kombu_ssl_certfile =
+# SSL certification authority file (valid only if SSL enabled)
+# kombu_ssl_ca_certs =
+# Port where RabbitMQ server is running/listening
+rabbit_port = 5672
+# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port'
+# rabbit_hosts = localhost:5672
+# User ID used for RabbitMQ connections
+rabbit_userid = {{ RABBIT_USER }}
+# Location of a virtual RabbitMQ installation.
+# rabbit_virtual_host = /
+# Maximum retries with trying to connect to RabbitMQ
+# (the default of 0 implies an infinite retry count)
+# rabbit_max_retries = 0
+# RabbitMQ connection retry interval
+# rabbit_retry_interval = 1
+# Use HA queues in RabbitMQ (x-ha-policy: all). You need to
+# wipe RabbitMQ database when changing this option. (boolean value)
+# rabbit_ha_queues = false
+# QPID
+# rpc_backend=neutron.openstack.common.rpc.impl_qpid
+# Qpid broker hostname
+# qpid_hostname = localhost
+# Qpid broker port
+# qpid_port = 5672
+# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port'
+# qpid_hosts = localhost:5672
+# Username for qpid connection
+# qpid_username = ''
+# Password for qpid connection
+# qpid_password = ''
+# Space separated list of SASL mechanisms to use for auth
+# qpid_sasl_mechanisms = ''
+# Seconds between connection keepalive heartbeats
+# qpid_heartbeat = 60
+# Transport to use, either 'tcp' or 'ssl'
+# qpid_protocol = tcp
+# Disable Nagle algorithm
+# qpid_tcp_nodelay = True
+
+# ZMQ
+# rpc_backend=neutron.openstack.common.rpc.impl_zmq
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
+# The "host" option should point or resolve to this address.
+# rpc_zmq_bind_address = *
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when network/subnet/port are created, updated or deleted.
+# There are three methods of sending notifications: logging (via the
+# log_file directive), rpc (via a message queue) and
+# noop (no notifications sent, the default)
+
+# Notification_driver can be defined multiple times
+# Do nothing driver
+# notification_driver = neutron.openstack.common.notifier.no_op_notifier
+# Logging driver
+# notification_driver = neutron.openstack.common.notifier.log_notifier
+# RPC driver.
+notification_driver = neutron.openstack.common.notifier.rpc_notifier
+
+# default_notification_level is used to form actual topic name(s) or to set logging level
+default_notification_level = INFO
+
+# default_publisher_id is a part of the notification payload
+# host = myhost.com
+# default_publisher_id = $host
+
+# Defined in rpc_notifier, can be comma separated values.
+# The actual topic names will be %s.%(default_notification_level)s
+notification_topics = notifications
+
+# Default maximum number of items returned in a single response,
+# value == infinite and value < 0 means no max limit, and value must
+# be greater than 0. If the number of items requested is greater than
+# pagination_max_limit, server will just return pagination_max_limit
+# of number of items.
+# pagination_max_limit = -1
+
+# Maximum number of DNS nameservers per subnet
+# max_dns_nameservers = 5
+
+# Maximum number of host routes per subnet
+# max_subnet_host_routes = 20
+
+# Maximum number of fixed ips per port
+# max_fixed_ips_per_port = 5
+
+# =========== items for agent management extension =============
+# Seconds to regard the agent as down; should be at least twice
+# report_interval, to be sure the agent is down for good
+agent_down_time = 75
+# =========== end of items for agent management extension =====
+
+# =========== items for agent scheduler extension =============
+# Driver to use for scheduling network to DHCP agent
+network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling router to a default L3 agent
+router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling a loadbalancer pool to an lbaas agent
+# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
+
+# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
+# networks to first DHCP agent which sends get_active_networks message to
+# neutron server
+# network_auto_schedule = True
+
+# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
+# routers to first L3 agent which sends sync_routers message to neutron server
+# router_auto_schedule = True
+
+# Number of DHCP agents scheduled to host a network. This enables redundant
+# DHCP agents for configured networks.
+# dhcp_agents_per_network = 1
+
+# =========== end of items for agent scheduler extension =====
+
+# =========== WSGI parameters related to the API server ==============
+# Number of separate worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as workers. The parent process manages them.
+api_workers = 8
+
+# Number of separate RPC worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as RPC workers. The parent process manages them.
+# This feature is experimental until issues are addressed and testing has been
+# enabled for various plugins for compatibility.
+rpc_workers = 8
+
+# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
+# starting API server. Not supported on OS X.
+# tcp_keepidle = 600
+
+# Number of seconds to keep retrying to listen
+# retry_until_window = 30
+
+# Number of backlog requests to configure the socket with.
+# backlog = 4096
+
+# Max header line to accommodate large tokens
+# max_header_line = 16384
+
+# Enable SSL on the API server
+# use_ssl = False
+
+# Certificate file to use when starting API server securely
+# ssl_cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+# ssl_key_file = /path/to/keyfile
+
+# CA certificate file to use when starting API server securely to
+# verify connecting clients. This is an optional parameter only required if
+# API clients need to authenticate to the API server using SSL certificates
+# signed by a trusted CA
+# ssl_ca_file = /path/to/cafile
+# ======== end of WSGI parameters related to the API server ==========
+
+
+# ======== neutron nova interactions ==========
+# Send notification to nova when port status is active.
+notify_nova_on_port_status_changes = True
+
+# Send notifications to nova when port data (fixed_ips/floatingips) change
+# so nova can update it's cache.
+notify_nova_on_port_data_changes = True
+
+# URL for connection to nova (Only supports one nova region currently).
+nova_url = http://{{ HA_VIP }}:8774/v2
+
+# Name of nova region to use. Useful if keystone manages more than one region
+nova_region_name = RegionOne
+
+# Username for connection to nova in admin context
+nova_admin_username = nova
+
+# The uuid of the admin nova tenant
+
+# Password for connection to nova in admin context.
+nova_admin_password = {{ NOVA_PASS }}
+
+# Authorization URL for connection to nova in admin context.
+nova_admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
+
+# Number of seconds between sending events to nova if there are any events to send
+send_events_interval = 2
+
+# ======== end of neutron nova interactions ==========
+
+[quotas]
+# Default driver to use for quota checks
+quota_driver = neutron.db.quota_db.DbQuotaDriver
+
+# Resource name(s) that are supported in quota features
+quota_items = network,subnet,port
+
+# Default number of resource allowed per tenant. A negative value means
+# unlimited.
+default_quota = -1
+
+# Number of networks allowed per tenant. A negative value means unlimited.
+quota_network = 100
+
+# Number of subnets allowed per tenant. A negative value means unlimited.
+quota_subnet = 100
+
+# Number of ports allowed per tenant. A negative value means unlimited.
+quota_port = 8000
+
+# Number of security groups allowed per tenant. A negative value means
+# unlimited.
+quota_security_group = 1000
+
+# Number of security group rules allowed per tenant. A negative value means
+# unlimited.
+quota_security_group_rule = 1000
+
+# Number of vips allowed per tenant. A negative value means unlimited.
+# quota_vip = 10
+
+# Number of pools allowed per tenant. A negative value means unlimited.
+# quota_pool = 10
+
+# Number of pool members allowed per tenant. A negative value means unlimited.
+# The default is unlimited because a member is not a real resource consumer
+# on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_member = -1
+
+# Number of health monitors allowed per tenant. A negative value means
+# unlimited.
+# The default is unlimited because a health monitor is not a real resource
+# consumer on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_health_monitors = -1
+
+# Number of routers allowed per tenant. A negative value means unlimited.
+# quota_router = 10
+
+# Number of floating IPs allowed per tenant. A negative value means unlimited.
+# quota_floatingip = 50
+
+[agent]
+# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
+
+# =========== items for agent management extension =============
+# seconds between nodes reporting state to server; should be less than
+# agent_down_time, best if it is half or less than agent_down_time
+report_interval = 30
+
+# =========== end of items for agent management extension =====
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+signing_dir = $state_path/keystone-signing
+
+[database]
+# This line MUST be changed to actually run the plugin.
+# Example:
+# connection = mysql://root:pass@127.0.0.1:3306/neutron
+# Replace 127.0.0.1 above with the IP address of the database used by the
+# main neutron server. (Leave it as is if the database runs on this host.)
+# connection = sqlite:////var/lib/neutron/neutron.sqlite
+#connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron
+
+# The SQLAlchemy connection string used to connect to the slave database
+slave_connection =
+
+# Database reconnection retry times - in event connectivity is lost
+# set to -1 implies an infinite retry count
+max_retries = 10
+
+# Database reconnection interval in seconds - if the initial connection to the
+# database fails
+retry_interval = 10
+
+# Minimum number of SQL connections to keep open in a pool
+min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+max_pool_size = 100
+
+# Timeout in seconds before idle sql connections are reaped
+idle_timeout = 3600
+
+# If set, use this value for max_overflow with sqlalchemy
+max_overflow = 100
+
+# Verbosity of SQL debugging information. 0=None, 100=Everything
+connection_debug = 0
+
+# Add python stack traces to SQL as comment strings
+connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+pool_timeout = 10
+
+[service_providers]
+# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
+# Must be in form:
+# service_provider=<service_type>:<name>:<driver>[:default]
+# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
+# Combination of <service type> and <name> must be unique; <driver> must also be unique
+# This is multiline option, example for default provider:
+# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
+# example of non-default provider:
+# service_provider=FIREWALL:name2:firewall_driver_path
+# --- Reference implementations ---
+service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+# In order to activate Radware's lbaas driver you need to uncomment the next line.
+# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
+# Otherwise comment the HA Proxy line
+# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
+# uncomment the following line to make the 'netscaler' LBaaS provider available.
+# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
+# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
+# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
+# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
+# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/neutron.conf b/compass/deploy/ansible/roles/neutron-controller/templates/neutron.conf
new file mode 100644
index 0000000..2a66e94
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/neutron.conf
@@ -0,0 +1,466 @@
+[DEFAULT]
+# Print more verbose output (set logging level to INFO instead of default WARNING level).
+verbose = {{ VERBOSE }}
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING level).
+debug = {{ VERBOSE }}
+
+# Where to store Neutron state files. This directory must be writable by the
+# user executing the agent.
+state_path = /var/lib/neutron
+
+# Where to store lock files
+lock_path = $state_path/lock
+
+# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
+# log_date_format = %Y-%m-%d %H:%M:%S
+
+# use_syslog -> syslog
+# log_file and log_dir -> log_dir/log_file
+# (not log_file) and log_dir -> log_dir/{binary_name}.log
+# use_stderr -> stderr
+# (not user_stderr) and (not log_file) -> stdout
+# publish_errors -> notification system
+
+# use_syslog = False
+# syslog_log_facility = LOG_USER
+
+# use_stderr = True
+# log_file =
+log_dir = /var/log/neutron
+
+# publish_errors = False
+
+# Address to bind the API server to
+bind_host = {{ network_server_host }}
+
+# Port the bind the API server to
+bind_port = 9696
+
+# Path to the extensions. Note that this can be a colon-separated list of
+# paths. For example:
+# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
+# The __path__ of neutron.extensions is appended to this, so if your
+# extensions are in there you don't need to specify them here
+# api_extensions_path =
+
+# (StrOpt) Neutron core plugin entrypoint to be loaded from the
+# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
+# plugins included in the neutron source distribution. For compatibility with
+# previous versions, the class name of a plugin can be specified instead of its
+# entrypoint name.
+#
+#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
+core_plugin = ml2
+# Example: core_plugin = ml2
+
+# (ListOpt) List of service plugin entrypoints to be loaded from the
+# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
+# the plugins included in the neutron source distribution. For compatibility
+# with previous versions, the class name of a plugin can be specified instead
+# of its entrypoint name.
+#
+# service_plugins =
+# Example: service_plugins = router,firewall,lbaas,vpnaas,metering
+service_plugins = router
+
+# Paste configuration file
+api_paste_config = api-paste.ini
+
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+auth_strategy = keystone
+
+# Base MAC address. The first 3 octets will remain unchanged. If the
+# 4h octet is not 00, it will also be used. The others will be
+# randomly generated.
+# 3 octet
+# base_mac = fa:16:3e:00:00:00
+# 4 octet
+# base_mac = fa:16:3e:4f:00:00
+
+# Maximum amount of retries to generate a unique MAC address
+# mac_generation_retries = 16
+
+# DHCP Lease duration (in seconds)
+dhcp_lease_duration = 86400
+
+# Allow sending resource operation notification to DHCP agent
+# dhcp_agent_notification = True
+
+# Enable or disable bulk create/update/delete operations
+# allow_bulk = True
+# Enable or disable pagination
+# allow_pagination = False
+# Enable or disable sorting
+# allow_sorting = False
+# Enable or disable overlapping IPs for subnets
+# Attention: the following parameter MUST be set to False if Neutron is
+# being used in conjunction with nova security groups
+allow_overlapping_ips = True
+# Ensure that configured gateway is on subnet
+# force_gateway_on_subnet = False
+
+
+# RPC configuration options. Defined in rpc __init__
+# The messaging module to use, defaults to kombu.
+# rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_password = {{ RABBIT_PASS }}
+
+# Size of RPC thread pool
+rpc_thread_pool_size = 240
+# Size of RPC connection pool
+rpc_conn_pool_size = 100
+# Seconds to wait for a response from call or multicall
+rpc_response_timeout = 300
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+rpc_cast_timeout = 300
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call.
+# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception
+# AMQP exchange to connect to if using RabbitMQ or QPID
+# control_exchange = neutron
+
+# If passed, use a fake RabbitMQ provider
+# fake_rabbit = False
+
+# Configuration options if sending notifications via kombu rpc (these are
+# the defaults)
+# SSL version to use (valid only if SSL enabled)
+# kombu_ssl_version =
+# SSL key file (valid only if SSL enabled)
+# kombu_ssl_keyfile =
+# SSL cert file (valid only if SSL enabled)
+# kombu_ssl_certfile =
+# SSL certification authority file (valid only if SSL enabled)
+# kombu_ssl_ca_certs =
+# Port where RabbitMQ server is running/listening
+rabbit_port = 5672
+# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port'
+# rabbit_hosts = localhost:5672
+# User ID used for RabbitMQ connections
+rabbit_userid = {{ RABBIT_USER }}
+# Location of a virtual RabbitMQ installation.
+# rabbit_virtual_host = /
+# Maximum retries with trying to connect to RabbitMQ
+# (the default of 0 implies an infinite retry count)
+# rabbit_max_retries = 0
+# RabbitMQ connection retry interval
+# rabbit_retry_interval = 1
+# Use HA queues in RabbitMQ (x-ha-policy: all). You need to
+# wipe RabbitMQ database when changing this option. (boolean value)
+# rabbit_ha_queues = false
+# QPID
+# rpc_backend=neutron.openstack.common.rpc.impl_qpid
+# Qpid broker hostname
+# qpid_hostname = localhost
+# Qpid broker port
+# qpid_port = 5672
+# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port'
+# qpid_hosts = localhost:5672
+# Username for qpid connection
+# qpid_username = ''
+# Password for qpid connection
+# qpid_password = ''
+# Space separated list of SASL mechanisms to use for auth
+# qpid_sasl_mechanisms = ''
+# Seconds between connection keepalive heartbeats
+# qpid_heartbeat = 60
+# Transport to use, either 'tcp' or 'ssl'
+# qpid_protocol = tcp
+# Disable Nagle algorithm
+# qpid_tcp_nodelay = True
+
+# ZMQ
+# rpc_backend=neutron.openstack.common.rpc.impl_zmq
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
+# The "host" option should point or resolve to this address.
+# rpc_zmq_bind_address = *
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when network/subnet/port are created, updated or deleted.
+# There are three methods of sending notifications: logging (via the
+# log_file directive), rpc (via a message queue) and
+# noop (no notifications sent, the default)
+
+# Notification_driver can be defined multiple times
+# Do nothing driver
+# notification_driver = neutron.openstack.common.notifier.no_op_notifier
+# Logging driver
+# notification_driver = neutron.openstack.common.notifier.log_notifier
+# RPC driver.
+notification_driver = neutron.openstack.common.notifier.rpc_notifier
+
+# default_notification_level is used to form actual topic name(s) or to set logging level
+default_notification_level = INFO
+
+# default_publisher_id is a part of the notification payload
+# host = myhost.com
+# default_publisher_id = $host
+
+# Defined in rpc_notifier, can be comma separated values.
+# The actual topic names will be %s.%(default_notification_level)s
+notification_topics = notifications
+
+# Default maximum number of items returned in a single response,
+# value == infinite and value < 0 means no max limit, and value must
+# be greater than 0. If the number of items requested is greater than
+# pagination_max_limit, server will just return pagination_max_limit
+# of number of items.
+# pagination_max_limit = -1
+
+# Maximum number of DNS nameservers per subnet
+# max_dns_nameservers = 5
+
+# Maximum number of host routes per subnet
+# max_subnet_host_routes = 20
+
+# Maximum number of fixed ips per port
+# max_fixed_ips_per_port = 5
+
+# =========== items for agent management extension =============
+# Seconds to regard the agent as down; should be at least twice
+# report_interval, to be sure the agent is down for good
+agent_down_time = 75
+# =========== end of items for agent management extension =====
+
+# =========== items for agent scheduler extension =============
+# Driver to use for scheduling network to DHCP agent
+network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling router to a default L3 agent
+router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling a loadbalancer pool to an lbaas agent
+# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
+
+# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
+# networks to first DHCP agent which sends get_active_networks message to
+# neutron server
+# network_auto_schedule = True
+
+# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
+# routers to first L3 agent which sends sync_routers message to neutron server
+# router_auto_schedule = True
+
+# Number of DHCP agents scheduled to host a network. This enables redundant
+# DHCP agents for configured networks.
+# dhcp_agents_per_network = 1
+
+# =========== end of items for agent scheduler extension =====
+
+# =========== WSGI parameters related to the API server ==============
+# Number of separate worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as workers. The parent process manages them.
+api_workers = 8
+
+# Number of separate RPC worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as RPC workers. The parent process manages them.
+# This feature is experimental until issues are addressed and testing has been
+# enabled for various plugins for compatibility.
+rpc_workers = 8
+
+# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
+# starting API server. Not supported on OS X.
+# tcp_keepidle = 600
+
+# Number of seconds to keep retrying to listen
+# retry_until_window = 30
+
+# Number of backlog requests to configure the socket with.
+# backlog = 4096
+
+# Max header line to accommodate large tokens
+# max_header_line = 16384
+
+# Enable SSL on the API server
+# use_ssl = False
+
+# Certificate file to use when starting API server securely
+# ssl_cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+# ssl_key_file = /path/to/keyfile
+
+# CA certificate file to use when starting API server securely to
+# verify connecting clients. This is an optional parameter only required if
+# API clients need to authenticate to the API server using SSL certificates
+# signed by a trusted CA
+# ssl_ca_file = /path/to/cafile
+# ======== end of WSGI parameters related to the API server ==========
+
+
+# ======== neutron nova interactions ==========
+# Send notification to nova when port status is active.
+notify_nova_on_port_status_changes = True
+
+# Send notifications to nova when port data (fixed_ips/floatingips) change
+# so nova can update it's cache.
+notify_nova_on_port_data_changes = True
+
+# URL for connection to nova (Only supports one nova region currently).
+nova_url = http://{{ HA_VIP }}:8774/v2
+
+# Name of nova region to use. Useful if keystone manages more than one region
+nova_region_name = RegionOne
+
+# Username for connection to nova in admin context
+nova_admin_username = nova
+
+# The uuid of the admin nova tenant
+nova_admin_tenant_id = {{ NOVA_ADMIN_TENANT_ID.stdout_lines[0] }}
+
+# Password for connection to nova in admin context.
+nova_admin_password = {{ NOVA_PASS }}
+
+# Authorization URL for connection to nova in admin context.
+nova_admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
+
+# Number of seconds between sending events to nova if there are any events to send
+send_events_interval = 2
+
+# ======== end of neutron nova interactions ==========
+
+[quotas]
+# Default driver to use for quota checks
+quota_driver = neutron.db.quota_db.DbQuotaDriver
+
+# Resource name(s) that are supported in quota features
+quota_items = network,subnet,port
+
+# Default number of resource allowed per tenant. A negative value means
+# unlimited.
+default_quota = -1
+
+# Number of networks allowed per tenant. A negative value means unlimited.
+quota_network = 100
+
+# Number of subnets allowed per tenant. A negative value means unlimited.
+quota_subnet = 100
+
+# Number of ports allowed per tenant. A negative value means unlimited.
+quota_port = 8000
+
+# Number of security groups allowed per tenant. A negative value means
+# unlimited.
+quota_security_group = 1000
+
+# Number of security group rules allowed per tenant. A negative value means
+# unlimited.
+quota_security_group_rule = 1000
+
+# Number of vips allowed per tenant. A negative value means unlimited.
+# quota_vip = 10
+
+# Number of pools allowed per tenant. A negative value means unlimited.
+# quota_pool = 10
+
+# Number of pool members allowed per tenant. A negative value means unlimited.
+# The default is unlimited because a member is not a real resource consumer
+# on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_member = -1
+
+# Number of health monitors allowed per tenant. A negative value means
+# unlimited.
+# The default is unlimited because a health monitor is not a real resource
+# consumer on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_health_monitors = -1
+
+# Number of routers allowed per tenant. A negative value means unlimited.
+# quota_router = 10
+
+# Number of floating IPs allowed per tenant. A negative value means unlimited.
+# quota_floatingip = 50
+
+[agent]
+# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
+
+# =========== items for agent management extension =============
+# seconds between nodes reporting state to server; should be less than
+# agent_down_time, best if it is half or less than agent_down_time
+report_interval = 30
+
+# =========== end of items for agent management extension =====
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+signing_dir = $state_path/keystone-signing
+
+[database]
+# This line MUST be changed to actually run the plugin.
+# Example:
+# connection = mysql://root:pass@127.0.0.1:3306/neutron
+# Replace 127.0.0.1 above with the IP address of the database used by the
+# main neutron server. (Leave it as is if the database runs on this host.)
+# connection = sqlite:////var/lib/neutron/neutron.sqlite
+connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron
+
+# The SQLAlchemy connection string used to connect to the slave database
+slave_connection =
+
+# Database reconnection retry times - in event connectivity is lost
+# set to -1 implies an infinite retry count
+max_retries = 10
+
+# Database reconnection interval in seconds - if the initial connection to the
+# database fails
+retry_interval = 10
+
+# Minimum number of SQL connections to keep open in a pool
+min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+max_pool_size = 100
+
+# Timeout in seconds before idle sql connections are reaped
+idle_timeout = 3600
+
+# If set, use this value for max_overflow with sqlalchemy
+max_overflow = 100
+
+# Verbosity of SQL debugging information. 0=None, 100=Everything
+connection_debug = 0
+
+# Add python stack traces to SQL as comment strings
+connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+pool_timeout = 10
+
+[service_providers]
+# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
+# Must be in form:
+# service_provider=<service_type>:<name>:<driver>[:default]
+# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
+# Combination of <service type> and <name> must be unique; <driver> must also be unique
+# This is multiline option, example for default provider:
+# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
+# example of non-default provider:
+# service_provider=FIREWALL:name2:firewall_driver_path
+# --- Reference implementations ---
+service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+# In order to activate Radware's lbaas driver you need to uncomment the next line.
+# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
+# Otherwise comment the HA Proxy line
+# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
+# uncomment the following line to make the 'netscaler' LBaaS provider available.
+# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
+# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
+# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
+# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
+# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/neutron_init.sh b/compass/deploy/ansible/roles/neutron-controller/templates/neutron_init.sh
new file mode 100644
index 0000000..b92e202
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/neutron_init.sh
@@ -0,0 +1,4 @@
+# neutron --os-username=admin --os-password={{ ADMIN_PASS }} --os-tenant-name=admin --os-auth-url=http://{{ identity_host }}:35357/v2.0 net-create ext-net --shared --router:external=True
+
+# neutron --os-username=admin --os-password={{ ADMIN_PASS }} --os-tenant-name=admin --os-auth-url=http://{{ identity_host }}:35357/v2.0 subnet-create ext-net --name ext-subnet --allocation-pool start={{ FLOATING_IP_START }},end={{ FLOATING_IP_END}} --disable-dhcp --gateway {{EXTERNAL_NETWORK_GATEWAY}} {{EXTERNAL_NETWORK_CIDR}}
+
diff --git a/compass/deploy/ansible/roles/neutron-controller/templates/nova.conf b/compass/deploy/ansible/roles/neutron-controller/templates/nova.conf
new file mode 100644
index 0000000..9587073
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-controller/templates/nova.conf
@@ -0,0 +1,69 @@
+[DEFAULT]
+dhcpbridge_flagfile=/etc/nova/nova.conf
+dhcpbridge=/usr/bin/nova-dhcpbridge
+logdir=/var/log/nova
+state_path=/var/lib/nova
+lock_path=/var/lock/nova
+force_dhcp_release=True
+iscsi_helper=tgtadm
+libvirt_use_virtio_for_bridges=True
+connection_type=libvirt
+root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
+verbose={{ VERBOSE}}
+debug={{ DEBUG }}
+ec2_private_dns_show_ip=True
+api_paste_config=/etc/nova/api-paste.ini
+volumes_path=/var/lib/nova/volumes
+enabled_apis=ec2,osapi_compute,metadata
+
+vif_plugging_is_fatal: false
+vif_plugging_timeout: 0
+
+auth_strategy = keystone
+
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+
+my_ip = {{ internal_ip }}
+vnc_enabled = True
+vncserver_listen = {{ internal_ip }}
+vncserver_proxyclient_address = {{ internal_ip }}
+novncproxy_base_url = http://{{ HA_VIP }}:6080/vnc_auto.html
+
+novncproxy_host = {{ internal_ip }}
+novncproxy_port = 6080
+
+network_api_class = nova.network.neutronv2.api.API
+linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+security_group_api = neutron
+
+instance_usage_audit = True
+instance_usage_audit_period = hour
+notify_on_state_change = vm_and_task_state
+notification_driver = nova.openstack.common.notifier.rpc_notifier
+notification_driver = ceilometer.compute.nova_notifier
+
+[database]
+# The SQLAlchemy connection string used to connect to the database
+connection = mysql://nova:{{ NOVA_DBPASS }}@{{ db_host }}/nova
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = nova
+admin_password = {{ NOVA_PASS }}
+
+[glance]
+host = {{ HA_VIP }}
+
+[neutron]
+url = http://{{ HA_VIP }}:9696
+auth_strategy = keystone
+admin_tenant_name = service
+admin_username = neutron
+admin_password = {{ NEUTRON_PASS }}
+admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
diff --git a/compass/deploy/ansible/roles/neutron-network/handlers/main.yml b/compass/deploy/ansible/roles/neutron-network/handlers/main.yml
new file mode 100644
index 0000000..d6c5cc8
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/handlers/main.yml
@@ -0,0 +1,21 @@
+---
+- name: restart neutron-plugin-openvswitch-agent
+ service: name=neutron-plugin-openvswitch-agent state=restarted enabled=yes
+ when: "'opendaylight' not in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: restart neutron-l3-agent
+ service: name=neutron-l3-agent state=restarted enabled=yes
+
+- name: kill dnsmasq
+ command: killall dnsmasq
+ ignore_errors: True
+
+- name: restart neutron-dhcp-agent
+ service: name=neutron-dhcp-agent state=restarted enabled=yes
+
+- name: restart neutron-metadata-agent
+ service: name=neutron-metadata-agent state=restarted enabled=yes
+
+- name: restart xorp
+ service: name=xorp state=restarted enabled=yes sleep=10
+ ignore_errors: True
diff --git a/compass/deploy/ansible/roles/neutron-network/tasks/igmp-router.yml b/compass/deploy/ansible/roles/neutron-network/tasks/igmp-router.yml
new file mode 100644
index 0000000..d6f38a0
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/tasks/igmp-router.yml
@@ -0,0 +1,20 @@
+---
+- name: Install XORP to provide IGMP router functionality
+ apt: pkg=xorp
+
+- name: configure xorp
+ template: src=etc/xorp/config.boot dest=/etc/xorp/config.boot
+ notify:
+ - restart xorp
+
+- name: set xorp defaults
+ lineinfile: dest=/etc/default/xorp regexp=^RUN= line=RUN=yes
+ notify:
+ - restart xorp
+
+- meta: flush_handlers
+
+- name: start and enable xorp service
+ service: name=xorp state=started enabled=yes
+ retries: 2
+ delay: 10
diff --git a/compass/deploy/ansible/roles/neutron-network/tasks/main.yml b/compass/deploy/ansible/roles/neutron-network/tasks/main.yml
new file mode 100644
index 0000000..1d4b591
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/tasks/main.yml
@@ -0,0 +1,114 @@
+---
+- name: activate ipv4 forwarding
+ sysctl: name=net.ipv4.ip_forward value=1
+ state=present reload=yes
+
+- name: deactivate ipv4 rp filter
+ sysctl: name=net.ipv4.conf.all.rp_filter value=0
+ state=present reload=yes
+
+- name: deactivate ipv4 default rp filter
+ sysctl: name=net.ipv4.conf.default.rp_filter
+ value=0 state=present reload=yes
+
+- name: install neutron network related packages
+ apt: name={{ item }} state=present force=yes
+ with_items:
+ - neutron-plugin-ml2
+ - openvswitch-datapath-dkms
+ - openvswitch-switch
+ - neutron-l3-agent
+ - neutron-dhcp-agent
+
+- name: generate neutron service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - openvswitch-switch
+ - neutron-l3-agent
+ - neutron-dhcp-agent
+ - neutron-plugin-openvswitch-agent
+ - neutron-metadata-agent
+ - xorp
+
+- name: install neutron openvswitch agent
+ apt: name=neutron-plugin-openvswitch-agent
+ state=present force=yes
+ when: "'openvswitch' in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: config neutron
+ template: src=neutron-network.conf
+ dest=/etc/neutron/neutron.conf backup=yes
+ notify:
+ - restart neutron-plugin-openvswitch-agent
+ - restart neutron-l3-agent
+ - kill dnsmasq
+ - restart neutron-dhcp-agent
+ - restart neutron-metadata-agent
+
+- name: config l3 agent
+ template: src=l3_agent.ini dest=/etc/neutron/l3_agent.ini
+ backup=yes
+ notify:
+ - restart neutron-l3-agent
+
+- name: config dhcp agent
+ template: src=dhcp_agent.ini dest=/etc/neutron/dhcp_agent.ini
+ backup=yes
+ notify:
+ - kill dnsmasq
+ - restart neutron-dhcp-agent
+
+- name: update dnsmasq-neutron.conf
+ template: src=dnsmasq-neutron.conf
+ dest=/etc/neutron/dnsmasq-neutron.conf
+ notify:
+ - kill dnsmasq
+ - restart neutron-dhcp-agent
+
+- name: config metadata agent
+ template: src=metadata_agent.ini
+ dest=/etc/neutron/metadata_agent.ini backup=yes
+ notify:
+ - restart neutron-metadata-agent
+
+- name: config ml2 plugin
+ template: src=ml2_conf.ini
+ dest=/etc/neutron/plugins/ml2/ml2_conf.ini
+ backup=yes
+ notify:
+ - restart neutron-plugin-openvswitch-agent
+
+- meta: flush_handlers
+
+- name: add br-int
+ openvswitch_bridge: bridge=br-int state=present
+
+- name: add br-ex
+ openvswitch_bridge: bridge=br-ex state=present
+ when: "'openvswitch' in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: assign a port to br-ex for physical ext interface
+ openvswitch_port: bridge=br-ex port={{ INTERFACE_NAME }}
+ state=present
+ when: "'openvswitch' in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- include: igmp-router.yml
+ when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+
+- name: assert kernel support for vxlan
+ command: modinfo -F version vxlan
+ when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+
+- name: assert iproute2 suppport for vxlan
+ command: ip link add type vxlan help
+ register: iproute_out
+ failed_when: iproute_out.rc == 255
+ when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+
+- include: odl.yml
+ when: "'opendaylight' in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: restart ovs service
+ service: name=openvswitch-switch state=restarted enabled=yes
+
+- meta: flush_handlers
diff --git a/compass/deploy/ansible/roles/neutron-network/tasks/odl.yml b/compass/deploy/ansible/roles/neutron-network/tasks/odl.yml
new file mode 100644
index 0000000..a2b449c
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/tasks/odl.yml
@@ -0,0 +1,13 @@
+---
+- name: ovs set manager
+ command: ovs-vsctl set-manager tcp:{{ controller }}:6640
+
+- name: get ovs uuid
+ shell: ovs-vsctl get Open_vSwitch . _uuid
+ register: ovs_uuid
+
+- name: set bridge_mappings
+ command: ovs-vsctl set Open_vSwitch {{ ovs_uuid.stdout }} other_config:bridge_mappings=physnet1:{{ INTERFACE_NAME }}
+
+- name: set local ip
+ command: ovs-vsctl set Open_vSwitch {{ ovs_uuid.stdout }} other_config:local_ip={{ internal_ip }}
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/dhcp_agent.ini b/compass/deploy/ansible/roles/neutron-network/templates/dhcp_agent.ini
new file mode 100644
index 0000000..19eb62e
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/dhcp_agent.ini
@@ -0,0 +1,90 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+# debug = False
+verbose = True
+
+# The DHCP agent will resync its state with Neutron to recover from any
+# transient notification or rpc errors. The interval is number of
+# seconds between attempts.
+resync_interval = 5
+
+# The DHCP agent requires an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+
+# Example of interface_driver option for OVS based plugins(OVS, Ryu, NEC, NVP,
+# BigSwitch/Floodlight)
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+# Name of Open vSwitch bridge to use
+# ovs_integration_bridge = br-int
+
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+ovs_use_veth = False
+
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+
+# The agent can use other DHCP drivers. Dnsmasq is the simplest and requires
+# no additional setup of the DHCP server.
+dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
+
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+
+# The DHCP server can assist with providing metadata support on isolated
+# networks. Setting this value to True will cause the DHCP server to append
+# specific host routes to the DHCP request. The metadata service will only
+# be activated when the subnet does not contain any router port. The guest
+# instance must be configured to request host routes via DHCP (Option 121).
+enable_isolated_metadata = False
+
+# Allows for serving metadata requests coming from a dedicated metadata
+# access network whose cidr is 169.254.169.254/16 (or larger prefix), and
+# is connected to a Neutron router from which the VMs send metadata
+# request. In this case DHCP Option 121 will not be injected in VMs, as
+# they will be able to reach 169.254.169.254 through a router.
+# This option requires enable_isolated_metadata = True
+enable_metadata_network = False
+
+# Number of threads to use during sync process. Should not exceed connection
+# pool size configured on server.
+# num_sync_threads = 4
+
+# Location to store DHCP server config files
+# dhcp_confs = $state_path/dhcp
+
+# Domain to use for building the hostnames
+dhcp_domain = openstacklocal
+
+# Override the default dnsmasq settings with this file
+# dnsmasq_config_file =
+dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
+
+# Comma-separated list of DNS servers which will be used by dnsmasq
+# as forwarders.
+# dnsmasq_dns_servers =
+
+# Limit number of leases to prevent a denial-of-service.
+dnsmasq_lease_max = 16777216
+
+# Location to DHCP lease relay UNIX domain socket
+# dhcp_lease_relay_socket = $state_path/dhcp/lease_relay
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# dhcp_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the dhcp agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a dhcp server is disabled.
+# dhcp_delete_namespaces = False
+
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/dnsmasq-neutron.conf b/compass/deploy/ansible/roles/neutron-network/templates/dnsmasq-neutron.conf
new file mode 100644
index 0000000..7bcbd9d
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/dnsmasq-neutron.conf
@@ -0,0 +1,2 @@
+dhcp-option-force=26,1454
+
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/etc/xorp/config.boot b/compass/deploy/ansible/roles/neutron-network/templates/etc/xorp/config.boot
new file mode 100644
index 0000000..32caf96
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/etc/xorp/config.boot
@@ -0,0 +1,25 @@
+interfaces {
+ restore-original-config-on-shutdown: false
+ interface {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ description: "Internal pNodes interface"
+ disable: false
+ default-system-config
+ }
+}
+
+protocols {
+ igmp {
+ disable: false
+ interface {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ vif {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ disable: false
+ version: 3
+ }
+ }
+ traceoptions {
+ flag all {
+ disable: false
+ }
+ }
+ }
+}
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/l3_agent.ini b/compass/deploy/ansible/roles/neutron-network/templates/l3_agent.ini
new file mode 100644
index 0000000..b394c00
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/l3_agent.ini
@@ -0,0 +1,81 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+# debug = False
+verbose = True
+
+# L3 requires that an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+
+# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC)
+# that supports L3 agent
+# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+# ovs_use_veth = False
+
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+
+# If use_namespaces is set as False then the agent can only configure one router.
+
+# This is done by setting the specific router_id.
+# router_id =
+
+# When external_network_bridge is set, each L3 agent can be associated
+# with no more than one external network. This value should be set to the UUID
+# of that external network. To allow L3 agent support multiple external
+# networks, both the external_network_bridge and gateway_external_network_id
+# must be left empty.
+# gateway_external_network_id =
+
+# Indicates that this L3 agent should also handle routers that do not have
+# an external network gateway configured. This option should be True only
+# for a single agent in a Neutron deployment, and may be False for all agents
+# if all routers must have an external network gateway
+handle_internal_only_routers = True
+
+# Name of bridge used for external network traffic. This should be set to
+# empty value for the linux bridge. when this parameter is set, each L3 agent
+# can be associated with no more than one external network.
+external_network_bridge = br-ex
+
+# TCP Port used by Neutron metadata server
+metadata_port = 9697
+
+# Send this many gratuitous ARPs for HA setup. Set it below or equal to 0
+# to disable this feature.
+send_arp_for_ha = 3
+
+# seconds between re-sync routers' data if needed
+periodic_interval = 40
+
+# seconds to start to sync routers' data after
+# starting agent
+periodic_fuzzy_delay = 5
+
+# enable_metadata_proxy, which is true by default, can be set to False
+# if the Nova metadata server is not available
+# enable_metadata_proxy = True
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# router_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the L3 agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a router is destroyed.
+# router_delete_namespaces = False
+
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/metadata_agent.ini b/compass/deploy/ansible/roles/neutron-network/templates/metadata_agent.ini
new file mode 100644
index 0000000..6badf28
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/metadata_agent.ini
@@ -0,0 +1,46 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+debug = True
+
+# The Neutron user information for accessing the Neutron API.
+auth_url = http://{{ HA_VIP }}:5000/v2.0
+auth_region = RegionOne
+# Turn off verification of the certificate for ssl
+# auth_insecure = False
+# Certificate Authority public key (CA cert) file for ssl
+# auth_ca_cert =
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+
+# Network service endpoint type to pull from the keystone catalog
+# endpoint_type = adminURL
+
+# IP address used by Nova metadata server
+nova_metadata_ip = {{ HA_VIP }}
+
+# TCP Port used by Nova metadata server
+nova_metadata_port = 8775
+
+# When proxying metadata requests, Neutron signs the Instance-ID header with a
+# shared secret to prevent spoofing. You may select any string for a secret,
+# but it must match here and in the configuration used by the Nova Metadata
+# Server. NOTE: Nova uses a different key: neutron_metadata_proxy_shared_secret
+metadata_proxy_shared_secret = {{ METADATA_SECRET }}
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# Number of separate worker processes for metadata server
+# metadata_workers = 0
+
+# Number of backlog requests to configure the metadata server socket with
+# metadata_backlog = 128
+
+# URL to connect to the cache backend.
+# Example of URL using memory caching backend
+# with ttl set to 5 seconds: cache_url = memory://?default_ttl=5
+# default_ttl=0 parameter will cause cache entries to never expire.
+# Otherwise default_ttl specifies time in seconds a cache entry is valid for.
+# No cache is used in case no value is passed.
+# cache_url =
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/ml2_conf.ini b/compass/deploy/ansible/roles/neutron-network/templates/ml2_conf.ini
new file mode 100644
index 0000000..a790069
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/ml2_conf.ini
@@ -0,0 +1,108 @@
+[ml2]
+# (ListOpt) List of network type driver entrypoints to be loaded from
+# the neutron.ml2.type_drivers namespace.
+#
+# type_drivers = local,flat,vlan,gre,vxlan
+# Example: type_drivers = flat,vlan,gre,vxlan
+type_drivers = {{ NEUTRON_TYPE_DRIVERS |join(",") }}
+
+# (ListOpt) Ordered list of network_types to allocate as tenant
+# networks. The default value 'local' is useful for single-box testing
+# but provides no connectivity between hosts.
+#
+# tenant_network_types = local
+# Example: tenant_network_types = vlan,gre,vxlan
+tenant_network_types = {{ NEUTRON_TENANT_NETWORK_TYPES |join(",") }}
+
+# (ListOpt) Ordered list of networking mechanism driver entrypoints
+# to be loaded from the neutron.ml2.mechanism_drivers namespace.
+# mechanism_drivers =
+# Example: mechanism_drivers = openvswitch,mlnx
+# Example: mechanism_drivers = arista
+# Example: mechanism_drivers = cisco,logger
+# Example: mechanism_drivers = openvswitch,brocade
+# Example: mechanism_drivers = linuxbridge,brocade
+mechanism_drivers = {{ NEUTRON_MECHANISM_DRIVERS |join(",") }}
+
+[ml2_type_flat]
+# (ListOpt) List of physical_network names with which flat networks
+# can be created. Use * to allow flat networks with arbitrary
+# physical_network names.
+#
+flat_networks = external
+# Example:flat_networks = physnet1,physnet2
+# Example:flat_networks = *
+
+[ml2_type_vlan]
+# (ListOpt) List of <physical_network>[:<vlan_min>:<vlan_max>] tuples
+# specifying physical_network names usable for VLAN provider and
+# tenant networks, as well as ranges of VLAN tags on each
+# physical_network available for allocation as tenant networks.
+#
+network_vlan_ranges =
+# Example: network_vlan_ranges = physnet1:1000:2999,physnet2
+
+[ml2_type_gre]
+# (ListOpt) Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation
+tunnel_id_ranges = 1:1000
+
+[ml2_type_vxlan]
+# (ListOpt) Comma-separated list of <vni_min>:<vni_max> tuples enumerating
+# ranges of VXLAN VNI IDs that are available for tenant network allocation.
+#
+vni_ranges = 1001:4095
+
+# (StrOpt) Multicast group for the VXLAN interface. When configured, will
+# enable sending all broadcast traffic to this multicast group. When left
+# unconfigured, will disable multicast VXLAN mode.
+#
+vxlan_group = 239.1.1.1
+# Example: vxlan_group = 239.1.1.1
+
+[securitygroup]
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+enable_security_group = True
+
+[database]
+connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron?charset=utf8
+
+[ovs]
+local_ip = {{ internal_ip }}
+{% if 'openvswitch' in NEUTRON_MECHANISM_DRIVERS %}
+integration_bridge = br-int
+tunnel_bridge = br-tun
+tunnel_id_ranges = 1001:4095
+tunnel_type = {{ NEUTRON_TUNNEL_TYPES |join(",") }}
+bridge_mappings = {{ neutron_ovs_bridge_mappings | default("external:br-ex") }}
+{% endif %}
+
+[agent]
+root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
+tunnel_types = {{ NEUTRON_TUNNEL_TYPES |join(",") }}
+{% if 'vxlan' in NEUTRON_TUNNEL_TYPES %}
+vxlan_udp_port = 4789
+{% endif %}
+l2_population = False
+
+[odl]
+{% if 'opendaylight' in NEUTRON_MECHANISM_DRIVERS %}
+network_vlan_ranges = 1001:4095
+tunnel_id_ranges = 1001:4095
+tun_peer_patch_port = patch-int
+int_peer_patch_port = patch-tun
+tenant_network_type = vxlan
+tunnel_bridge = br-tun
+integration_bridge = br-int
+controllers = 10.1.0.15:8080:admin:admin
+{% endif %}
+
+[ml2_odl]
+{% if 'opendaylight' in NEUTRON_MECHANISM_DRIVERS %}
+username = {{ odl_username }}
+password = {{ odl_password }}
+url = http://{{ controller }}:{{ odl_api_port }}/controller/nb/v2/neutron
+{% endif %}
+
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/neutron-network.conf b/compass/deploy/ansible/roles/neutron-network/templates/neutron-network.conf
new file mode 100644
index 0000000..93be9cb
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/neutron-network.conf
@@ -0,0 +1,465 @@
+[DEFAULT]
+# Print more verbose output (set logging level to INFO instead of default WARNING level).
+verbose = {{ VERBOSE }}
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING level).
+debug = {{ DEBUG }}
+
+# Where to store Neutron state files. This directory must be writable by the
+# user executing the agent.
+state_path = /var/lib/neutron
+
+# Where to store lock files
+lock_path = $state_path/lock
+
+# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
+# log_date_format = %Y-%m-%d %H:%M:%S
+
+# use_syslog -> syslog
+# log_file and log_dir -> log_dir/log_file
+# (not log_file) and log_dir -> log_dir/{binary_name}.log
+# use_stderr -> stderr
+# (not user_stderr) and (not log_file) -> stdout
+# publish_errors -> notification system
+
+# use_syslog = False
+# syslog_log_facility = LOG_USER
+
+# use_stderr = True
+# log_file =
+log_dir = /var/log/neutron
+
+# publish_errors = False
+
+# Address to bind the API server to
+bind_host = {{ network_server_host }}
+
+# Port the bind the API server to
+bind_port = 9696
+
+# Path to the extensions. Note that this can be a colon-separated list of
+# paths. For example:
+# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
+# The __path__ of neutron.extensions is appended to this, so if your
+# extensions are in there you don't need to specify them here
+# api_extensions_path =
+
+# (StrOpt) Neutron core plugin entrypoint to be loaded from the
+# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
+# plugins included in the neutron source distribution. For compatibility with
+# previous versions, the class name of a plugin can be specified instead of its
+# entrypoint name.
+#
+#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
+core_plugin = ml2
+# Example: core_plugin = ml2
+
+# (ListOpt) List of service plugin entrypoints to be loaded from the
+# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
+# the plugins included in the neutron source distribution. For compatibility
+# with previous versions, the class name of a plugin can be specified instead
+# of its entrypoint name.
+#
+# service_plugins =
+# Example: service_plugins = router,firewall,lbaas,vpnaas,metering
+service_plugins = router
+
+# Paste configuration file
+api_paste_config = api-paste.ini
+
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+auth_strategy = keystone
+
+# Base MAC address. The first 3 octets will remain unchanged. If the
+# 4h octet is not 00, it will also be used. The others will be
+# randomly generated.
+# 3 octet
+# base_mac = fa:16:3e:00:00:00
+# 4 octet
+# base_mac = fa:16:3e:4f:00:00
+
+# Maximum amount of retries to generate a unique MAC address
+# mac_generation_retries = 16
+
+# DHCP Lease duration (in seconds)
+dhcp_lease_duration = 86400
+
+# Allow sending resource operation notification to DHCP agent
+# dhcp_agent_notification = True
+
+# Enable or disable bulk create/update/delete operations
+# allow_bulk = True
+# Enable or disable pagination
+# allow_pagination = False
+# Enable or disable sorting
+# allow_sorting = False
+# Enable or disable overlapping IPs for subnets
+# Attention: the following parameter MUST be set to False if Neutron is
+# being used in conjunction with nova security groups
+allow_overlapping_ips = True
+# Ensure that configured gateway is on subnet
+# force_gateway_on_subnet = False
+
+
+# RPC configuration options. Defined in rpc __init__
+# The messaging module to use, defaults to kombu.
+# rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_password = {{ RABBIT_PASS }}
+
+# Size of RPC thread pool
+rpc_thread_pool_size = 240
+# Size of RPC connection pool
+rpc_conn_pool_size = 100
+# Seconds to wait for a response from call or multicall
+rpc_response_timeout = 300
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+rpc_cast_timeout = 300
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call.
+# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception
+# AMQP exchange to connect to if using RabbitMQ or QPID
+# control_exchange = neutron
+
+# If passed, use a fake RabbitMQ provider
+# fake_rabbit = False
+
+# Configuration options if sending notifications via kombu rpc (these are
+# the defaults)
+# SSL version to use (valid only if SSL enabled)
+# kombu_ssl_version =
+# SSL key file (valid only if SSL enabled)
+# kombu_ssl_keyfile =
+# SSL cert file (valid only if SSL enabled)
+# kombu_ssl_certfile =
+# SSL certification authority file (valid only if SSL enabled)
+# kombu_ssl_ca_certs =
+# Port where RabbitMQ server is running/listening
+rabbit_port = 5672
+# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port'
+# rabbit_hosts = localhost:5672
+# User ID used for RabbitMQ connections
+rabbit_userid = {{ RABBIT_USER }}
+# Location of a virtual RabbitMQ installation.
+# rabbit_virtual_host = /
+# Maximum retries with trying to connect to RabbitMQ
+# (the default of 0 implies an infinite retry count)
+# rabbit_max_retries = 0
+# RabbitMQ connection retry interval
+# rabbit_retry_interval = 1
+# Use HA queues in RabbitMQ (x-ha-policy: all). You need to
+# wipe RabbitMQ database when changing this option. (boolean value)
+# rabbit_ha_queues = false
+# QPID
+# rpc_backend=neutron.openstack.common.rpc.impl_qpid
+# Qpid broker hostname
+# qpid_hostname = localhost
+# Qpid broker port
+# qpid_port = 5672
+# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port'
+# qpid_hosts = localhost:5672
+# Username for qpid connection
+# qpid_username = ''
+# Password for qpid connection
+# qpid_password = ''
+# Space separated list of SASL mechanisms to use for auth
+# qpid_sasl_mechanisms = ''
+# Seconds between connection keepalive heartbeats
+# qpid_heartbeat = 60
+# Transport to use, either 'tcp' or 'ssl'
+# qpid_protocol = tcp
+# Disable Nagle algorithm
+# qpid_tcp_nodelay = True
+
+# ZMQ
+# rpc_backend=neutron.openstack.common.rpc.impl_zmq
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
+# The "host" option should point or resolve to this address.
+# rpc_zmq_bind_address = *
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when network/subnet/port are created, updated or deleted.
+# There are three methods of sending notifications: logging (via the
+# log_file directive), rpc (via a message queue) and
+# noop (no notifications sent, the default)
+
+# Notification_driver can be defined multiple times
+# Do nothing driver
+# notification_driver = neutron.openstack.common.notifier.no_op_notifier
+# Logging driver
+# notification_driver = neutron.openstack.common.notifier.log_notifier
+# RPC driver.
+notification_driver = neutron.openstack.common.notifier.rpc_notifier
+
+# default_notification_level is used to form actual topic name(s) or to set logging level
+default_notification_level = INFO
+
+# default_publisher_id is a part of the notification payload
+# host = myhost.com
+# default_publisher_id = $host
+
+# Defined in rpc_notifier, can be comma separated values.
+# The actual topic names will be %s.%(default_notification_level)s
+notification_topics = notifications
+
+# Default maximum number of items returned in a single response,
+# value == infinite and value < 0 means no max limit, and value must
+# be greater than 0. If the number of items requested is greater than
+# pagination_max_limit, server will just return pagination_max_limit
+# of number of items.
+# pagination_max_limit = -1
+
+# Maximum number of DNS nameservers per subnet
+# max_dns_nameservers = 5
+
+# Maximum number of host routes per subnet
+# max_subnet_host_routes = 20
+
+# Maximum number of fixed ips per port
+# max_fixed_ips_per_port = 5
+
+# =========== items for agent management extension =============
+# Seconds to regard the agent as down; should be at least twice
+# report_interval, to be sure the agent is down for good
+agent_down_time = 75
+# =========== end of items for agent management extension =====
+
+# =========== items for agent scheduler extension =============
+# Driver to use for scheduling network to DHCP agent
+network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling router to a default L3 agent
+router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling a loadbalancer pool to an lbaas agent
+# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
+
+# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
+# networks to first DHCP agent which sends get_active_networks message to
+# neutron server
+# network_auto_schedule = True
+
+# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
+# routers to first L3 agent which sends sync_routers message to neutron server
+# router_auto_schedule = True
+
+# Number of DHCP agents scheduled to host a network. This enables redundant
+# DHCP agents for configured networks.
+# dhcp_agents_per_network = 1
+
+# =========== end of items for agent scheduler extension =====
+
+# =========== WSGI parameters related to the API server ==============
+# Number of separate worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as workers. The parent process manages them.
+api_workers = 8
+
+# Number of separate RPC worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as RPC workers. The parent process manages them.
+# This feature is experimental until issues are addressed and testing has been
+# enabled for various plugins for compatibility.
+rpc_workers = 8
+
+# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
+# starting API server. Not supported on OS X.
+# tcp_keepidle = 600
+
+# Number of seconds to keep retrying to listen
+# retry_until_window = 30
+
+# Number of backlog requests to configure the socket with.
+# backlog = 4096
+
+# Max header line to accommodate large tokens
+# max_header_line = 16384
+
+# Enable SSL on the API server
+# use_ssl = False
+
+# Certificate file to use when starting API server securely
+# ssl_cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+# ssl_key_file = /path/to/keyfile
+
+# CA certificate file to use when starting API server securely to
+# verify connecting clients. This is an optional parameter only required if
+# API clients need to authenticate to the API server using SSL certificates
+# signed by a trusted CA
+# ssl_ca_file = /path/to/cafile
+# ======== end of WSGI parameters related to the API server ==========
+
+
+# ======== neutron nova interactions ==========
+# Send notification to nova when port status is active.
+notify_nova_on_port_status_changes = True
+
+# Send notifications to nova when port data (fixed_ips/floatingips) change
+# so nova can update it's cache.
+notify_nova_on_port_data_changes = True
+
+# URL for connection to nova (Only supports one nova region currently).
+nova_url = http://{{ HA_VIP }}:8774/v2
+
+# Name of nova region to use. Useful if keystone manages more than one region
+nova_region_name = RegionOne
+
+# Username for connection to nova in admin context
+nova_admin_username = nova
+
+# The uuid of the admin nova tenant
+
+# Password for connection to nova in admin context.
+nova_admin_password = {{ NOVA_PASS }}
+
+# Authorization URL for connection to nova in admin context.
+nova_admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
+
+# Number of seconds between sending events to nova if there are any events to send
+send_events_interval = 2
+
+# ======== end of neutron nova interactions ==========
+
+[quotas]
+# Default driver to use for quota checks
+quota_driver = neutron.db.quota_db.DbQuotaDriver
+
+# Resource name(s) that are supported in quota features
+quota_items = network,subnet,port
+
+# Default number of resource allowed per tenant. A negative value means
+# unlimited.
+default_quota = -1
+
+# Number of networks allowed per tenant. A negative value means unlimited.
+quota_network = 100
+
+# Number of subnets allowed per tenant. A negative value means unlimited.
+quota_subnet = 100
+
+# Number of ports allowed per tenant. A negative value means unlimited.
+quota_port = 8000
+
+# Number of security groups allowed per tenant. A negative value means
+# unlimited.
+quota_security_group = 1000
+
+# Number of security group rules allowed per tenant. A negative value means
+# unlimited.
+quota_security_group_rule = 1000
+
+# Number of vips allowed per tenant. A negative value means unlimited.
+# quota_vip = 10
+
+# Number of pools allowed per tenant. A negative value means unlimited.
+# quota_pool = 10
+
+# Number of pool members allowed per tenant. A negative value means unlimited.
+# The default is unlimited because a member is not a real resource consumer
+# on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_member = -1
+
+# Number of health monitors allowed per tenant. A negative value means
+# unlimited.
+# The default is unlimited because a health monitor is not a real resource
+# consumer on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_health_monitors = -1
+
+# Number of routers allowed per tenant. A negative value means unlimited.
+# quota_router = 10
+
+# Number of floating IPs allowed per tenant. A negative value means unlimited.
+# quota_floatingip = 50
+
+[agent]
+# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
+
+# =========== items for agent management extension =============
+# seconds between nodes reporting state to server; should be less than
+# agent_down_time, best if it is half or less than agent_down_time
+report_interval = 30
+
+# =========== end of items for agent management extension =====
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+signing_dir = $state_path/keystone-signing
+
+[database]
+# This line MUST be changed to actually run the plugin.
+# Example:
+# connection = mysql://root:pass@127.0.0.1:3306/neutron
+# Replace 127.0.0.1 above with the IP address of the database used by the
+# main neutron server. (Leave it as is if the database runs on this host.)
+# connection = sqlite:////var/lib/neutron/neutron.sqlite
+#connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron
+
+# The SQLAlchemy connection string used to connect to the slave database
+slave_connection =
+
+# Database reconnection retry times - in event connectivity is lost
+# set to -1 implies an infinite retry count
+max_retries = 10
+
+# Database reconnection interval in seconds - if the initial connection to the
+# database fails
+retry_interval = 10
+
+# Minimum number of SQL connections to keep open in a pool
+min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+max_pool_size = 100
+
+# Timeout in seconds before idle sql connections are reaped
+idle_timeout = 3600
+
+# If set, use this value for max_overflow with sqlalchemy
+max_overflow = 100
+
+# Verbosity of SQL debugging information. 0=None, 100=Everything
+connection_debug = 0
+
+# Add python stack traces to SQL as comment strings
+connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+pool_timeout = 10
+
+[service_providers]
+# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
+# Must be in form:
+# service_provider=<service_type>:<name>:<driver>[:default]
+# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
+# Combination of <service type> and <name> must be unique; <driver> must also be unique
+# This is multiline option, example for default provider:
+# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
+# example of non-default provider:
+# service_provider=FIREWALL:name2:firewall_driver_path
+# --- Reference implementations ---
+service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+# In order to activate Radware's lbaas driver you need to uncomment the next line.
+# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
+# Otherwise comment the HA Proxy line
+# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
+# uncomment the following line to make the 'netscaler' LBaaS provider available.
+# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
+# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
+# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
+# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
+# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/neutron.conf b/compass/deploy/ansible/roles/neutron-network/templates/neutron.conf
new file mode 100644
index 0000000..1575367
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/neutron.conf
@@ -0,0 +1,466 @@
+[DEFAULT]
+# Print more verbose output (set logging level to INFO instead of default WARNING level).
+verbose = {{ VERBOSE }}
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING level).
+debug = {{ VERBOSE }}
+
+# Where to store Neutron state files. This directory must be writable by the
+# user executing the agent.
+state_path = /var/lib/neutron
+
+# Where to store lock files
+lock_path = $state_path/lock
+
+# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
+# log_date_format = %Y-%m-%d %H:%M:%S
+
+# use_syslog -> syslog
+# log_file and log_dir -> log_dir/log_file
+# (not log_file) and log_dir -> log_dir/{binary_name}.log
+# use_stderr -> stderr
+# (not user_stderr) and (not log_file) -> stdout
+# publish_errors -> notification system
+
+# use_syslog = False
+# syslog_log_facility = LOG_USER
+
+# use_stderr = True
+# log_file =
+log_dir = /var/log/neutron
+
+# publish_errors = False
+
+# Address to bind the API server to
+bind_host = {{ network_server_host }}
+
+# Port the bind the API server to
+bind_port = 9696
+
+# Path to the extensions. Note that this can be a colon-separated list of
+# paths. For example:
+# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
+# The __path__ of neutron.extensions is appended to this, so if your
+# extensions are in there you don't need to specify them here
+# api_extensions_path =
+
+# (StrOpt) Neutron core plugin entrypoint to be loaded from the
+# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
+# plugins included in the neutron source distribution. For compatibility with
+# previous versions, the class name of a plugin can be specified instead of its
+# entrypoint name.
+#
+#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
+core_plugin = ml2
+# Example: core_plugin = ml2
+
+# (ListOpt) List of service plugin entrypoints to be loaded from the
+# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
+# the plugins included in the neutron source distribution. For compatibility
+# with previous versions, the class name of a plugin can be specified instead
+# of its entrypoint name.
+#
+# service_plugins =
+# Example: service_plugins = router,firewall,lbaas,vpnaas,metering
+service_plugins = router
+
+# Paste configuration file
+api_paste_config = api-paste.ini
+
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+auth_strategy = keystone
+
+# Base MAC address. The first 3 octets will remain unchanged. If the
+# 4h octet is not 00, it will also be used. The others will be
+# randomly generated.
+# 3 octet
+# base_mac = fa:16:3e:00:00:00
+# 4 octet
+# base_mac = fa:16:3e:4f:00:00
+
+# Maximum amount of retries to generate a unique MAC address
+# mac_generation_retries = 16
+
+# DHCP Lease duration (in seconds)
+dhcp_lease_duration = 86400
+
+# Allow sending resource operation notification to DHCP agent
+# dhcp_agent_notification = True
+
+# Enable or disable bulk create/update/delete operations
+# allow_bulk = True
+# Enable or disable pagination
+# allow_pagination = False
+# Enable or disable sorting
+# allow_sorting = False
+# Enable or disable overlapping IPs for subnets
+# Attention: the following parameter MUST be set to False if Neutron is
+# being used in conjunction with nova security groups
+allow_overlapping_ips = True
+# Ensure that configured gateway is on subnet
+# force_gateway_on_subnet = False
+
+
+# RPC configuration options. Defined in rpc __init__
+# The messaging module to use, defaults to kombu.
+# rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_password = {{ RABBIT_PASS }}
+
+# Size of RPC thread pool
+rpc_thread_pool_size = 240
+# Size of RPC connection pool
+rpc_conn_pool_size = 100
+# Seconds to wait for a response from call or multicall
+rpc_response_timeout = 300
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+rpc_cast_timeout = 300
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call.
+# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception
+# AMQP exchange to connect to if using RabbitMQ or QPID
+# control_exchange = neutron
+
+# If passed, use a fake RabbitMQ provider
+# fake_rabbit = False
+
+# Configuration options if sending notifications via kombu rpc (these are
+# the defaults)
+# SSL version to use (valid only if SSL enabled)
+# kombu_ssl_version =
+# SSL key file (valid only if SSL enabled)
+# kombu_ssl_keyfile =
+# SSL cert file (valid only if SSL enabled)
+# kombu_ssl_certfile =
+# SSL certification authority file (valid only if SSL enabled)
+# kombu_ssl_ca_certs =
+# Port where RabbitMQ server is running/listening
+rabbit_port = 5672
+# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port'
+# rabbit_hosts = localhost:5672
+# User ID used for RabbitMQ connections
+rabbit_userid = {{ RABBIT_USER }}
+# Location of a virtual RabbitMQ installation.
+# rabbit_virtual_host = /
+# Maximum retries with trying to connect to RabbitMQ
+# (the default of 0 implies an infinite retry count)
+# rabbit_max_retries = 0
+# RabbitMQ connection retry interval
+# rabbit_retry_interval = 1
+# Use HA queues in RabbitMQ (x-ha-policy: all). You need to
+# wipe RabbitMQ database when changing this option. (boolean value)
+# rabbit_ha_queues = false
+# QPID
+# rpc_backend=neutron.openstack.common.rpc.impl_qpid
+# Qpid broker hostname
+# qpid_hostname = localhost
+# Qpid broker port
+# qpid_port = 5672
+# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port'
+# qpid_hosts = localhost:5672
+# Username for qpid connection
+# qpid_username = ''
+# Password for qpid connection
+# qpid_password = ''
+# Space separated list of SASL mechanisms to use for auth
+# qpid_sasl_mechanisms = ''
+# Seconds between connection keepalive heartbeats
+# qpid_heartbeat = 60
+# Transport to use, either 'tcp' or 'ssl'
+# qpid_protocol = tcp
+# Disable Nagle algorithm
+# qpid_tcp_nodelay = True
+
+# ZMQ
+# rpc_backend=neutron.openstack.common.rpc.impl_zmq
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
+# The "host" option should point or resolve to this address.
+# rpc_zmq_bind_address = *
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when network/subnet/port are created, updated or deleted.
+# There are three methods of sending notifications: logging (via the
+# log_file directive), rpc (via a message queue) and
+# noop (no notifications sent, the default)
+
+# Notification_driver can be defined multiple times
+# Do nothing driver
+# notification_driver = neutron.openstack.common.notifier.no_op_notifier
+# Logging driver
+# notification_driver = neutron.openstack.common.notifier.log_notifier
+# RPC driver.
+notification_driver = neutron.openstack.common.notifier.rpc_notifier
+
+# default_notification_level is used to form actual topic name(s) or to set logging level
+default_notification_level = INFO
+
+# default_publisher_id is a part of the notification payload
+# host = myhost.com
+# default_publisher_id = $host
+
+# Defined in rpc_notifier, can be comma separated values.
+# The actual topic names will be %s.%(default_notification_level)s
+notification_topics = notifications
+
+# Default maximum number of items returned in a single response,
+# value == infinite and value < 0 means no max limit, and value must
+# be greater than 0. If the number of items requested is greater than
+# pagination_max_limit, server will just return pagination_max_limit
+# of number of items.
+# pagination_max_limit = -1
+
+# Maximum number of DNS nameservers per subnet
+# max_dns_nameservers = 5
+
+# Maximum number of host routes per subnet
+# max_subnet_host_routes = 20
+
+# Maximum number of fixed ips per port
+# max_fixed_ips_per_port = 5
+
+# =========== items for agent management extension =============
+# Seconds to regard the agent as down; should be at least twice
+# report_interval, to be sure the agent is down for good
+agent_down_time = 75
+# =========== end of items for agent management extension =====
+
+# =========== items for agent scheduler extension =============
+# Driver to use for scheduling network to DHCP agent
+network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling router to a default L3 agent
+router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling a loadbalancer pool to an lbaas agent
+# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
+
+# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
+# networks to first DHCP agent which sends get_active_networks message to
+# neutron server
+# network_auto_schedule = True
+
+# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
+# routers to first L3 agent which sends sync_routers message to neutron server
+# router_auto_schedule = True
+
+# Number of DHCP agents scheduled to host a network. This enables redundant
+# DHCP agents for configured networks.
+# dhcp_agents_per_network = 1
+
+# =========== end of items for agent scheduler extension =====
+
+# =========== WSGI parameters related to the API server ==============
+# Number of separate worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as workers. The parent process manages them.
+api_workers = 8
+
+# Number of separate RPC worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as RPC workers. The parent process manages them.
+# This feature is experimental until issues are addressed and testing has been
+# enabled for various plugins for compatibility.
+rpc_workers = 8
+
+# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
+# starting API server. Not supported on OS X.
+# tcp_keepidle = 600
+
+# Number of seconds to keep retrying to listen
+# retry_until_window = 30
+
+# Number of backlog requests to configure the socket with.
+# backlog = 4096
+
+# Max header line to accommodate large tokens
+# max_header_line = 16384
+
+# Enable SSL on the API server
+# use_ssl = False
+
+# Certificate file to use when starting API server securely
+# ssl_cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+# ssl_key_file = /path/to/keyfile
+
+# CA certificate file to use when starting API server securely to
+# verify connecting clients. This is an optional parameter only required if
+# API clients need to authenticate to the API server using SSL certificates
+# signed by a trusted CA
+# ssl_ca_file = /path/to/cafile
+# ======== end of WSGI parameters related to the API server ==========
+
+
+# ======== neutron nova interactions ==========
+# Send notification to nova when port status is active.
+notify_nova_on_port_status_changes = True
+
+# Send notifications to nova when port data (fixed_ips/floatingips) change
+# so nova can update it's cache.
+notify_nova_on_port_data_changes = True
+
+# URL for connection to nova (Only supports one nova region currently).
+nova_url = http://{{ HA_VIP }}:8774/v2
+
+# Name of nova region to use. Useful if keystone manages more than one region
+nova_region_name = RegionOne
+
+# Username for connection to nova in admin context
+nova_admin_username = nova
+
+# The uuid of the admin nova tenant
+nova_admin_tenant_id = {{ NOVA_ADMIN_TENANT_ID.stdout_lines[0] }}
+
+# Password for connection to nova in admin context.
+nova_admin_password = {{ NOVA_PASS }}
+
+# Authorization URL for connection to nova in admin context.
+nova_admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
+
+# Number of seconds between sending events to nova if there are any events to send
+send_events_interval = 2
+
+# ======== end of neutron nova interactions ==========
+
+[quotas]
+# Default driver to use for quota checks
+quota_driver = neutron.db.quota_db.DbQuotaDriver
+
+# Resource name(s) that are supported in quota features
+quota_items = network,subnet,port
+
+# Default number of resource allowed per tenant. A negative value means
+# unlimited.
+default_quota = -1
+
+# Number of networks allowed per tenant. A negative value means unlimited.
+quota_network = 100
+
+# Number of subnets allowed per tenant. A negative value means unlimited.
+quota_subnet = 100
+
+# Number of ports allowed per tenant. A negative value means unlimited.
+quota_port = 8000
+
+# Number of security groups allowed per tenant. A negative value means
+# unlimited.
+quota_security_group = 1000
+
+# Number of security group rules allowed per tenant. A negative value means
+# unlimited.
+quota_security_group_rule = 1000
+
+# Number of vips allowed per tenant. A negative value means unlimited.
+# quota_vip = 10
+
+# Number of pools allowed per tenant. A negative value means unlimited.
+# quota_pool = 10
+
+# Number of pool members allowed per tenant. A negative value means unlimited.
+# The default is unlimited because a member is not a real resource consumer
+# on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_member = -1
+
+# Number of health monitors allowed per tenant. A negative value means
+# unlimited.
+# The default is unlimited because a health monitor is not a real resource
+# consumer on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_health_monitors = -1
+
+# Number of routers allowed per tenant. A negative value means unlimited.
+# quota_router = 10
+
+# Number of floating IPs allowed per tenant. A negative value means unlimited.
+# quota_floatingip = 50
+
+[agent]
+# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
+
+# =========== items for agent management extension =============
+# seconds between nodes reporting state to server; should be less than
+# agent_down_time, best if it is half or less than agent_down_time
+report_interval = 30
+
+# =========== end of items for agent management extension =====
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+signing_dir = $state_path/keystone-signing
+
+[database]
+# This line MUST be changed to actually run the plugin.
+# Example:
+# connection = mysql://root:pass@127.0.0.1:3306/neutron
+# Replace 127.0.0.1 above with the IP address of the database used by the
+# main neutron server. (Leave it as is if the database runs on this host.)
+# connection = sqlite:////var/lib/neutron/neutron.sqlite
+#connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron
+
+# The SQLAlchemy connection string used to connect to the slave database
+slave_connection =
+
+# Database reconnection retry times - in event connectivity is lost
+# set to -1 implies an infinite retry count
+max_retries = 10
+
+# Database reconnection interval in seconds - if the initial connection to the
+# database fails
+retry_interval = 10
+
+# Minimum number of SQL connections to keep open in a pool
+min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+max_pool_size = 100
+
+# Timeout in seconds before idle sql connections are reaped
+idle_timeout = 3600
+
+# If set, use this value for max_overflow with sqlalchemy
+max_overflow = 100
+
+# Verbosity of SQL debugging information. 0=None, 100=Everything
+connection_debug = 0
+
+# Add python stack traces to SQL as comment strings
+connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+pool_timeout = 10
+
+[service_providers]
+# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
+# Must be in form:
+# service_provider=<service_type>:<name>:<driver>[:default]
+# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
+# Combination of <service type> and <name> must be unique; <driver> must also be unique
+# This is multiline option, example for default provider:
+# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
+# example of non-default provider:
+# service_provider=FIREWALL:name2:firewall_driver_path
+# --- Reference implementations ---
+service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+# In order to activate Radware's lbaas driver you need to uncomment the next line.
+# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
+# Otherwise comment the HA Proxy line
+# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
+# uncomment the following line to make the 'netscaler' LBaaS provider available.
+# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
+# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
+# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
+# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
+# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/neutron_init.sh b/compass/deploy/ansible/roles/neutron-network/templates/neutron_init.sh
new file mode 100644
index 0000000..b92e202
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/neutron_init.sh
@@ -0,0 +1,4 @@
+# neutron --os-username=admin --os-password={{ ADMIN_PASS }} --os-tenant-name=admin --os-auth-url=http://{{ identity_host }}:35357/v2.0 net-create ext-net --shared --router:external=True
+
+# neutron --os-username=admin --os-password={{ ADMIN_PASS }} --os-tenant-name=admin --os-auth-url=http://{{ identity_host }}:35357/v2.0 subnet-create ext-net --name ext-subnet --allocation-pool start={{ FLOATING_IP_START }},end={{ FLOATING_IP_END}} --disable-dhcp --gateway {{EXTERNAL_NETWORK_GATEWAY}} {{EXTERNAL_NETWORK_CIDR}}
+
diff --git a/compass/deploy/ansible/roles/neutron-network/templates/nova.conf b/compass/deploy/ansible/roles/neutron-network/templates/nova.conf
new file mode 100644
index 0000000..9587073
--- /dev/null
+++ b/compass/deploy/ansible/roles/neutron-network/templates/nova.conf
@@ -0,0 +1,69 @@
+[DEFAULT]
+dhcpbridge_flagfile=/etc/nova/nova.conf
+dhcpbridge=/usr/bin/nova-dhcpbridge
+logdir=/var/log/nova
+state_path=/var/lib/nova
+lock_path=/var/lock/nova
+force_dhcp_release=True
+iscsi_helper=tgtadm
+libvirt_use_virtio_for_bridges=True
+connection_type=libvirt
+root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
+verbose={{ VERBOSE}}
+debug={{ DEBUG }}
+ec2_private_dns_show_ip=True
+api_paste_config=/etc/nova/api-paste.ini
+volumes_path=/var/lib/nova/volumes
+enabled_apis=ec2,osapi_compute,metadata
+
+vif_plugging_is_fatal: false
+vif_plugging_timeout: 0
+
+auth_strategy = keystone
+
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+
+my_ip = {{ internal_ip }}
+vnc_enabled = True
+vncserver_listen = {{ internal_ip }}
+vncserver_proxyclient_address = {{ internal_ip }}
+novncproxy_base_url = http://{{ HA_VIP }}:6080/vnc_auto.html
+
+novncproxy_host = {{ internal_ip }}
+novncproxy_port = 6080
+
+network_api_class = nova.network.neutronv2.api.API
+linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+security_group_api = neutron
+
+instance_usage_audit = True
+instance_usage_audit_period = hour
+notify_on_state_change = vm_and_task_state
+notification_driver = nova.openstack.common.notifier.rpc_notifier
+notification_driver = ceilometer.compute.nova_notifier
+
+[database]
+# The SQLAlchemy connection string used to connect to the database
+connection = mysql://nova:{{ NOVA_DBPASS }}@{{ db_host }}/nova
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = nova
+admin_password = {{ NOVA_PASS }}
+
+[glance]
+host = {{ HA_VIP }}
+
+[neutron]
+url = http://{{ HA_VIP }}:9696
+auth_strategy = keystone
+admin_tenant_name = service
+admin_username = neutron
+admin_password = {{ NEUTRON_PASS }}
+admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
diff --git a/compass/deploy/ansible/roles/nova-compute/handlers/main.yml b/compass/deploy/ansible/roles/nova-compute/handlers/main.yml
new file mode 100644
index 0000000..c135003
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-compute/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart nova-compute
+ service: name=nova-compute state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/nova-compute/tasks/main.yml b/compass/deploy/ansible/roles/nova-compute/tasks/main.yml
new file mode 100644
index 0000000..51c8dfa
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-compute/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: install nova-compute related packages
+ apt: name=nova-compute-kvm state=present force=yes
+
+- name: update nova-compute conf
+ template: src={{ item }} dest=/etc/nova/{{ item }}
+ with_items:
+ - nova.conf
+ - nova-compute.conf
+ notify:
+ - restart nova-compute
+
+- name: generate neutron controll service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - nova-compute
+
+- meta: flush_handlers
+
+- name: remove nova sqlite db
+ shell: rm /var/lib/nova/nova.sqlite || touch nova.sqlite.removed
diff --git a/compass/deploy/ansible/roles/nova-compute/templates/nova-compute.conf b/compass/deploy/ansible/roles/nova-compute/templates/nova-compute.conf
new file mode 100644
index 0000000..401dee7
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-compute/templates/nova-compute.conf
@@ -0,0 +1,7 @@
+[DEFAULT]
+compute_driver=libvirt.LibvirtDriver
+force_raw_images = true
+[libvirt]
+virt_type=qemu
+images_type = raw
+mem_stats_period_seconds=0
diff --git a/compass/deploy/ansible/roles/nova-compute/templates/nova.conf b/compass/deploy/ansible/roles/nova-compute/templates/nova.conf
new file mode 100644
index 0000000..4988cb0
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-compute/templates/nova.conf
@@ -0,0 +1,73 @@
+[DEFAULT]
+dhcpbridge_flagfile=/etc/nova/nova.conf
+dhcpbridge=/usr/bin/nova-dhcpbridge
+logdir=/var/log/nova
+state_path=/var/lib/nova
+lock_path=/var/lock/nova
+force_dhcp_release=True
+iscsi_helper=tgtadm
+libvirt_use_virtio_for_bridges=True
+connection_type=libvirt
+root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
+verbose={{ VERBOSE}}
+debug={{ DEBUG }}
+ec2_private_dns_show_ip=True
+api_paste_config=/etc/nova/api-paste.ini
+volumes_path=/var/lib/nova/volumes
+enabled_apis=ec2,osapi_compute,metadata
+
+vif_plugging_is_fatal: false
+vif_plugging_timeout: 0
+
+auth_strategy = keystone
+
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+
+my_ip = {{ internal_ip }}
+vnc_enabled = True
+vncserver_listen = {{ internal_ip }}
+vncserver_proxyclient_address = {{ internal_ip }}
+novncproxy_base_url = http://{{ HA_VIP }}:6080/vnc_auto.html
+
+novncproxy_host = {{ internal_ip }}
+novncproxy_port = 6080
+
+network_api_class = nova.network.neutronv2.api.API
+linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+security_group_api = neutron
+
+instance_usage_audit = True
+instance_usage_audit_period = hour
+notify_on_state_change = vm_and_task_state
+notification_driver = nova.openstack.common.notifier.rpc_notifier
+notification_driver = ceilometer.compute.nova_notifier
+
+[database]
+# The SQLAlchemy connection string used to connect to the database
+connection = mysql://nova:{{ NOVA_DBPASS }}@{{ db_host }}/nova
+
+[conductor]
+manager = nova.conductor.manager.ConductorManager
+topic = conductor
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = nova
+admin_password = {{ NOVA_PASS }}
+
+[glance]
+host = {{ HA_VIP }}
+
+[neutron]
+url = http://{{ HA_VIP }}:9696
+auth_strategy = keystone
+admin_tenant_name = service
+admin_username = neutron
+admin_password = {{ NEUTRON_PASS }}
+admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
diff --git a/compass/deploy/ansible/roles/nova-controller/handlers/main.yml b/compass/deploy/ansible/roles/nova-controller/handlers/main.yml
new file mode 100644
index 0000000..b4c1585
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/handlers/main.yml
@@ -0,0 +1,24 @@
+---
+- name: restart nova-api
+ service: name=nova-api state=restarted enabled=yes
+
+- name: restart nova-cert
+ service: name=nova-cert state=restarted enabled=yes
+
+- name: restart nova-consoleauth
+ service: name=nova-consoleauth state=restarted enabled=yes
+
+- name: restart nova-scheduler
+ service: name=nova-scheduler state=restarted enabled=yes
+
+- name: restart nova-conductor
+ service: name=nova-conductor state=restarted enabled=yes
+
+- name: restart nova-novncproxy
+ service: name=nova-novncproxy state=restarted enabled=yes
+
+- name: remove nova-sqlite-db
+ shell: rm /var/lib/nova/nova.sqlite || touch nova.sqlite.db.removed
+
+- name: restart neutron-server
+ service: name=neutron-server state=restarted enabled=yes
diff --git a/compass/deploy/ansible/roles/nova-controller/tasks/main.yml b/compass/deploy/ansible/roles/nova-controller/tasks/main.yml
new file mode 100644
index 0000000..72a9f4d
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- include: nova_install.yml
+ tags:
+ - install
+ - nova_install
+ - nova
+
+- include: nova_config.yml
+ when: HA_CLUSTER is not defined or HA_CLUSTER[inventory_hostname] == ''
+ tags:
+ - config
+ - nova_config
+ - nova
diff --git a/compass/deploy/ansible/roles/nova-controller/tasks/nova_config.yml b/compass/deploy/ansible/roles/nova-controller/tasks/nova_config.yml
new file mode 100644
index 0000000..62351fa
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/tasks/nova_config.yml
@@ -0,0 +1,16 @@
+---
+- name: nova db sync
+ command: su -s /bin/sh -c "nova-manage db sync" nova
+ register: result
+ until: result.rc == 0
+ retries: 5
+ delay: 3
+ notify:
+ - restart nova-api
+ - restart nova-cert
+ - restart nova-consoleauth
+ - restart nova-scheduler
+ - restart nova-conductor
+ - restart nova-novncproxy
+
+- meta: flush_handlers
diff --git a/compass/deploy/ansible/roles/nova-controller/tasks/nova_install.yml b/compass/deploy/ansible/roles/nova-controller/tasks/nova_install.yml
new file mode 100644
index 0000000..a1cded5
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/tasks/nova_install.yml
@@ -0,0 +1,35 @@
+---
+- name: install nova related packages
+ apt: name={{ item }} state=present force=yes
+ with_items:
+ - nova-api
+ - nova-cert
+ - nova-conductor
+ - nova-consoleauth
+ - nova-novncproxy
+ - nova-scheduler
+ - python-novaclient
+ - python-oslo.rootwrap
+
+- name: generate nova controll service list
+ shell: echo {{ item }} >> /opt/service
+ with_items:
+ - nova-api
+ - nova-cert
+ - nova-conductor
+ - nova-consoleauth
+ - nova-novncproxy
+ - nova-scheduler
+
+- name: update nova conf
+ template: src=nova.conf
+ dest=/etc/nova/nova.conf
+ backup=yes
+ notify:
+ - restart nova-api
+ - restart nova-cert
+ - restart nova-consoleauth
+ - restart nova-scheduler
+ - restart nova-conductor
+ - restart nova-novncproxy
+ - remove nova-sqlite-db
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/dhcp_agent.ini b/compass/deploy/ansible/roles/nova-controller/templates/dhcp_agent.ini
new file mode 100644
index 0000000..19eb62e
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/dhcp_agent.ini
@@ -0,0 +1,90 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+# debug = False
+verbose = True
+
+# The DHCP agent will resync its state with Neutron to recover from any
+# transient notification or rpc errors. The interval is number of
+# seconds between attempts.
+resync_interval = 5
+
+# The DHCP agent requires an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+
+# Example of interface_driver option for OVS based plugins(OVS, Ryu, NEC, NVP,
+# BigSwitch/Floodlight)
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+# Name of Open vSwitch bridge to use
+# ovs_integration_bridge = br-int
+
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+ovs_use_veth = False
+
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+
+# The agent can use other DHCP drivers. Dnsmasq is the simplest and requires
+# no additional setup of the DHCP server.
+dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
+
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+
+# The DHCP server can assist with providing metadata support on isolated
+# networks. Setting this value to True will cause the DHCP server to append
+# specific host routes to the DHCP request. The metadata service will only
+# be activated when the subnet does not contain any router port. The guest
+# instance must be configured to request host routes via DHCP (Option 121).
+enable_isolated_metadata = False
+
+# Allows for serving metadata requests coming from a dedicated metadata
+# access network whose cidr is 169.254.169.254/16 (or larger prefix), and
+# is connected to a Neutron router from which the VMs send metadata
+# request. In this case DHCP Option 121 will not be injected in VMs, as
+# they will be able to reach 169.254.169.254 through a router.
+# This option requires enable_isolated_metadata = True
+enable_metadata_network = False
+
+# Number of threads to use during sync process. Should not exceed connection
+# pool size configured on server.
+# num_sync_threads = 4
+
+# Location to store DHCP server config files
+# dhcp_confs = $state_path/dhcp
+
+# Domain to use for building the hostnames
+dhcp_domain = openstacklocal
+
+# Override the default dnsmasq settings with this file
+# dnsmasq_config_file =
+dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
+
+# Comma-separated list of DNS servers which will be used by dnsmasq
+# as forwarders.
+# dnsmasq_dns_servers =
+
+# Limit number of leases to prevent a denial-of-service.
+dnsmasq_lease_max = 16777216
+
+# Location to DHCP lease relay UNIX domain socket
+# dhcp_lease_relay_socket = $state_path/dhcp/lease_relay
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# dhcp_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the dhcp agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a dhcp server is disabled.
+# dhcp_delete_namespaces = False
+
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/dnsmasq-neutron.conf b/compass/deploy/ansible/roles/nova-controller/templates/dnsmasq-neutron.conf
new file mode 100644
index 0000000..7bcbd9d
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/dnsmasq-neutron.conf
@@ -0,0 +1,2 @@
+dhcp-option-force=26,1454
+
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/etc/xorp/config.boot b/compass/deploy/ansible/roles/nova-controller/templates/etc/xorp/config.boot
new file mode 100644
index 0000000..32caf96
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/etc/xorp/config.boot
@@ -0,0 +1,25 @@
+interfaces {
+ restore-original-config-on-shutdown: false
+ interface {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ description: "Internal pNodes interface"
+ disable: false
+ default-system-config
+ }
+}
+
+protocols {
+ igmp {
+ disable: false
+ interface {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ vif {{ hostvars[inventory_hostname][neutron_vxlan_interface|default(internal_interface)]['device'] }} {
+ disable: false
+ version: 3
+ }
+ }
+ traceoptions {
+ flag all {
+ disable: false
+ }
+ }
+ }
+}
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/l3_agent.ini b/compass/deploy/ansible/roles/nova-controller/templates/l3_agent.ini
new file mode 100644
index 0000000..b394c00
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/l3_agent.ini
@@ -0,0 +1,81 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+# debug = False
+verbose = True
+
+# L3 requires that an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+
+# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC)
+# that supports L3 agent
+# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+# ovs_use_veth = False
+
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+
+# If use_namespaces is set as False then the agent can only configure one router.
+
+# This is done by setting the specific router_id.
+# router_id =
+
+# When external_network_bridge is set, each L3 agent can be associated
+# with no more than one external network. This value should be set to the UUID
+# of that external network. To allow L3 agent support multiple external
+# networks, both the external_network_bridge and gateway_external_network_id
+# must be left empty.
+# gateway_external_network_id =
+
+# Indicates that this L3 agent should also handle routers that do not have
+# an external network gateway configured. This option should be True only
+# for a single agent in a Neutron deployment, and may be False for all agents
+# if all routers must have an external network gateway
+handle_internal_only_routers = True
+
+# Name of bridge used for external network traffic. This should be set to
+# empty value for the linux bridge. when this parameter is set, each L3 agent
+# can be associated with no more than one external network.
+external_network_bridge = br-ex
+
+# TCP Port used by Neutron metadata server
+metadata_port = 9697
+
+# Send this many gratuitous ARPs for HA setup. Set it below or equal to 0
+# to disable this feature.
+send_arp_for_ha = 3
+
+# seconds between re-sync routers' data if needed
+periodic_interval = 40
+
+# seconds to start to sync routers' data after
+# starting agent
+periodic_fuzzy_delay = 5
+
+# enable_metadata_proxy, which is true by default, can be set to False
+# if the Nova metadata server is not available
+# enable_metadata_proxy = True
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# router_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the L3 agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a router is destroyed.
+# router_delete_namespaces = False
+
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/metadata_agent.ini b/compass/deploy/ansible/roles/nova-controller/templates/metadata_agent.ini
new file mode 100644
index 0000000..6badf28
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/metadata_agent.ini
@@ -0,0 +1,46 @@
+[DEFAULT]
+# Show debugging output in log (sets DEBUG log level output)
+debug = True
+
+# The Neutron user information for accessing the Neutron API.
+auth_url = http://{{ HA_VIP }}:5000/v2.0
+auth_region = RegionOne
+# Turn off verification of the certificate for ssl
+# auth_insecure = False
+# Certificate Authority public key (CA cert) file for ssl
+# auth_ca_cert =
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+
+# Network service endpoint type to pull from the keystone catalog
+# endpoint_type = adminURL
+
+# IP address used by Nova metadata server
+nova_metadata_ip = {{ HA_VIP }}
+
+# TCP Port used by Nova metadata server
+nova_metadata_port = 8775
+
+# When proxying metadata requests, Neutron signs the Instance-ID header with a
+# shared secret to prevent spoofing. You may select any string for a secret,
+# but it must match here and in the configuration used by the Nova Metadata
+# Server. NOTE: Nova uses a different key: neutron_metadata_proxy_shared_secret
+metadata_proxy_shared_secret = {{ METADATA_SECRET }}
+
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+
+# Number of separate worker processes for metadata server
+# metadata_workers = 0
+
+# Number of backlog requests to configure the metadata server socket with
+# metadata_backlog = 128
+
+# URL to connect to the cache backend.
+# Example of URL using memory caching backend
+# with ttl set to 5 seconds: cache_url = memory://?default_ttl=5
+# default_ttl=0 parameter will cause cache entries to never expire.
+# Otherwise default_ttl specifies time in seconds a cache entry is valid for.
+# No cache is used in case no value is passed.
+# cache_url =
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/ml2_conf.ini b/compass/deploy/ansible/roles/nova-controller/templates/ml2_conf.ini
new file mode 100644
index 0000000..a790069
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/ml2_conf.ini
@@ -0,0 +1,108 @@
+[ml2]
+# (ListOpt) List of network type driver entrypoints to be loaded from
+# the neutron.ml2.type_drivers namespace.
+#
+# type_drivers = local,flat,vlan,gre,vxlan
+# Example: type_drivers = flat,vlan,gre,vxlan
+type_drivers = {{ NEUTRON_TYPE_DRIVERS |join(",") }}
+
+# (ListOpt) Ordered list of network_types to allocate as tenant
+# networks. The default value 'local' is useful for single-box testing
+# but provides no connectivity between hosts.
+#
+# tenant_network_types = local
+# Example: tenant_network_types = vlan,gre,vxlan
+tenant_network_types = {{ NEUTRON_TENANT_NETWORK_TYPES |join(",") }}
+
+# (ListOpt) Ordered list of networking mechanism driver entrypoints
+# to be loaded from the neutron.ml2.mechanism_drivers namespace.
+# mechanism_drivers =
+# Example: mechanism_drivers = openvswitch,mlnx
+# Example: mechanism_drivers = arista
+# Example: mechanism_drivers = cisco,logger
+# Example: mechanism_drivers = openvswitch,brocade
+# Example: mechanism_drivers = linuxbridge,brocade
+mechanism_drivers = {{ NEUTRON_MECHANISM_DRIVERS |join(",") }}
+
+[ml2_type_flat]
+# (ListOpt) List of physical_network names with which flat networks
+# can be created. Use * to allow flat networks with arbitrary
+# physical_network names.
+#
+flat_networks = external
+# Example:flat_networks = physnet1,physnet2
+# Example:flat_networks = *
+
+[ml2_type_vlan]
+# (ListOpt) List of <physical_network>[:<vlan_min>:<vlan_max>] tuples
+# specifying physical_network names usable for VLAN provider and
+# tenant networks, as well as ranges of VLAN tags on each
+# physical_network available for allocation as tenant networks.
+#
+network_vlan_ranges =
+# Example: network_vlan_ranges = physnet1:1000:2999,physnet2
+
+[ml2_type_gre]
+# (ListOpt) Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation
+tunnel_id_ranges = 1:1000
+
+[ml2_type_vxlan]
+# (ListOpt) Comma-separated list of <vni_min>:<vni_max> tuples enumerating
+# ranges of VXLAN VNI IDs that are available for tenant network allocation.
+#
+vni_ranges = 1001:4095
+
+# (StrOpt) Multicast group for the VXLAN interface. When configured, will
+# enable sending all broadcast traffic to this multicast group. When left
+# unconfigured, will disable multicast VXLAN mode.
+#
+vxlan_group = 239.1.1.1
+# Example: vxlan_group = 239.1.1.1
+
+[securitygroup]
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+enable_security_group = True
+
+[database]
+connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron?charset=utf8
+
+[ovs]
+local_ip = {{ internal_ip }}
+{% if 'openvswitch' in NEUTRON_MECHANISM_DRIVERS %}
+integration_bridge = br-int
+tunnel_bridge = br-tun
+tunnel_id_ranges = 1001:4095
+tunnel_type = {{ NEUTRON_TUNNEL_TYPES |join(",") }}
+bridge_mappings = {{ neutron_ovs_bridge_mappings | default("external:br-ex") }}
+{% endif %}
+
+[agent]
+root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
+tunnel_types = {{ NEUTRON_TUNNEL_TYPES |join(",") }}
+{% if 'vxlan' in NEUTRON_TUNNEL_TYPES %}
+vxlan_udp_port = 4789
+{% endif %}
+l2_population = False
+
+[odl]
+{% if 'opendaylight' in NEUTRON_MECHANISM_DRIVERS %}
+network_vlan_ranges = 1001:4095
+tunnel_id_ranges = 1001:4095
+tun_peer_patch_port = patch-int
+int_peer_patch_port = patch-tun
+tenant_network_type = vxlan
+tunnel_bridge = br-tun
+integration_bridge = br-int
+controllers = 10.1.0.15:8080:admin:admin
+{% endif %}
+
+[ml2_odl]
+{% if 'opendaylight' in NEUTRON_MECHANISM_DRIVERS %}
+username = {{ odl_username }}
+password = {{ odl_password }}
+url = http://{{ controller }}:{{ odl_api_port }}/controller/nb/v2/neutron
+{% endif %}
+
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/neutron-network.conf b/compass/deploy/ansible/roles/nova-controller/templates/neutron-network.conf
new file mode 100644
index 0000000..93be9cb
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/neutron-network.conf
@@ -0,0 +1,465 @@
+[DEFAULT]
+# Print more verbose output (set logging level to INFO instead of default WARNING level).
+verbose = {{ VERBOSE }}
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING level).
+debug = {{ DEBUG }}
+
+# Where to store Neutron state files. This directory must be writable by the
+# user executing the agent.
+state_path = /var/lib/neutron
+
+# Where to store lock files
+lock_path = $state_path/lock
+
+# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
+# log_date_format = %Y-%m-%d %H:%M:%S
+
+# use_syslog -> syslog
+# log_file and log_dir -> log_dir/log_file
+# (not log_file) and log_dir -> log_dir/{binary_name}.log
+# use_stderr -> stderr
+# (not user_stderr) and (not log_file) -> stdout
+# publish_errors -> notification system
+
+# use_syslog = False
+# syslog_log_facility = LOG_USER
+
+# use_stderr = True
+# log_file =
+log_dir = /var/log/neutron
+
+# publish_errors = False
+
+# Address to bind the API server to
+bind_host = {{ network_server_host }}
+
+# Port the bind the API server to
+bind_port = 9696
+
+# Path to the extensions. Note that this can be a colon-separated list of
+# paths. For example:
+# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
+# The __path__ of neutron.extensions is appended to this, so if your
+# extensions are in there you don't need to specify them here
+# api_extensions_path =
+
+# (StrOpt) Neutron core plugin entrypoint to be loaded from the
+# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
+# plugins included in the neutron source distribution. For compatibility with
+# previous versions, the class name of a plugin can be specified instead of its
+# entrypoint name.
+#
+#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
+core_plugin = ml2
+# Example: core_plugin = ml2
+
+# (ListOpt) List of service plugin entrypoints to be loaded from the
+# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
+# the plugins included in the neutron source distribution. For compatibility
+# with previous versions, the class name of a plugin can be specified instead
+# of its entrypoint name.
+#
+# service_plugins =
+# Example: service_plugins = router,firewall,lbaas,vpnaas,metering
+service_plugins = router
+
+# Paste configuration file
+api_paste_config = api-paste.ini
+
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+auth_strategy = keystone
+
+# Base MAC address. The first 3 octets will remain unchanged. If the
+# 4h octet is not 00, it will also be used. The others will be
+# randomly generated.
+# 3 octet
+# base_mac = fa:16:3e:00:00:00
+# 4 octet
+# base_mac = fa:16:3e:4f:00:00
+
+# Maximum amount of retries to generate a unique MAC address
+# mac_generation_retries = 16
+
+# DHCP Lease duration (in seconds)
+dhcp_lease_duration = 86400
+
+# Allow sending resource operation notification to DHCP agent
+# dhcp_agent_notification = True
+
+# Enable or disable bulk create/update/delete operations
+# allow_bulk = True
+# Enable or disable pagination
+# allow_pagination = False
+# Enable or disable sorting
+# allow_sorting = False
+# Enable or disable overlapping IPs for subnets
+# Attention: the following parameter MUST be set to False if Neutron is
+# being used in conjunction with nova security groups
+allow_overlapping_ips = True
+# Ensure that configured gateway is on subnet
+# force_gateway_on_subnet = False
+
+
+# RPC configuration options. Defined in rpc __init__
+# The messaging module to use, defaults to kombu.
+# rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_password = {{ RABBIT_PASS }}
+
+# Size of RPC thread pool
+rpc_thread_pool_size = 240
+# Size of RPC connection pool
+rpc_conn_pool_size = 100
+# Seconds to wait for a response from call or multicall
+rpc_response_timeout = 300
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+rpc_cast_timeout = 300
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call.
+# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception
+# AMQP exchange to connect to if using RabbitMQ or QPID
+# control_exchange = neutron
+
+# If passed, use a fake RabbitMQ provider
+# fake_rabbit = False
+
+# Configuration options if sending notifications via kombu rpc (these are
+# the defaults)
+# SSL version to use (valid only if SSL enabled)
+# kombu_ssl_version =
+# SSL key file (valid only if SSL enabled)
+# kombu_ssl_keyfile =
+# SSL cert file (valid only if SSL enabled)
+# kombu_ssl_certfile =
+# SSL certification authority file (valid only if SSL enabled)
+# kombu_ssl_ca_certs =
+# Port where RabbitMQ server is running/listening
+rabbit_port = 5672
+# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port'
+# rabbit_hosts = localhost:5672
+# User ID used for RabbitMQ connections
+rabbit_userid = {{ RABBIT_USER }}
+# Location of a virtual RabbitMQ installation.
+# rabbit_virtual_host = /
+# Maximum retries with trying to connect to RabbitMQ
+# (the default of 0 implies an infinite retry count)
+# rabbit_max_retries = 0
+# RabbitMQ connection retry interval
+# rabbit_retry_interval = 1
+# Use HA queues in RabbitMQ (x-ha-policy: all). You need to
+# wipe RabbitMQ database when changing this option. (boolean value)
+# rabbit_ha_queues = false
+# QPID
+# rpc_backend=neutron.openstack.common.rpc.impl_qpid
+# Qpid broker hostname
+# qpid_hostname = localhost
+# Qpid broker port
+# qpid_port = 5672
+# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port'
+# qpid_hosts = localhost:5672
+# Username for qpid connection
+# qpid_username = ''
+# Password for qpid connection
+# qpid_password = ''
+# Space separated list of SASL mechanisms to use for auth
+# qpid_sasl_mechanisms = ''
+# Seconds between connection keepalive heartbeats
+# qpid_heartbeat = 60
+# Transport to use, either 'tcp' or 'ssl'
+# qpid_protocol = tcp
+# Disable Nagle algorithm
+# qpid_tcp_nodelay = True
+
+# ZMQ
+# rpc_backend=neutron.openstack.common.rpc.impl_zmq
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
+# The "host" option should point or resolve to this address.
+# rpc_zmq_bind_address = *
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when network/subnet/port are created, updated or deleted.
+# There are three methods of sending notifications: logging (via the
+# log_file directive), rpc (via a message queue) and
+# noop (no notifications sent, the default)
+
+# Notification_driver can be defined multiple times
+# Do nothing driver
+# notification_driver = neutron.openstack.common.notifier.no_op_notifier
+# Logging driver
+# notification_driver = neutron.openstack.common.notifier.log_notifier
+# RPC driver.
+notification_driver = neutron.openstack.common.notifier.rpc_notifier
+
+# default_notification_level is used to form actual topic name(s) or to set logging level
+default_notification_level = INFO
+
+# default_publisher_id is a part of the notification payload
+# host = myhost.com
+# default_publisher_id = $host
+
+# Defined in rpc_notifier, can be comma separated values.
+# The actual topic names will be %s.%(default_notification_level)s
+notification_topics = notifications
+
+# Default maximum number of items returned in a single response,
+# value == infinite and value < 0 means no max limit, and value must
+# be greater than 0. If the number of items requested is greater than
+# pagination_max_limit, server will just return pagination_max_limit
+# of number of items.
+# pagination_max_limit = -1
+
+# Maximum number of DNS nameservers per subnet
+# max_dns_nameservers = 5
+
+# Maximum number of host routes per subnet
+# max_subnet_host_routes = 20
+
+# Maximum number of fixed ips per port
+# max_fixed_ips_per_port = 5
+
+# =========== items for agent management extension =============
+# Seconds to regard the agent as down; should be at least twice
+# report_interval, to be sure the agent is down for good
+agent_down_time = 75
+# =========== end of items for agent management extension =====
+
+# =========== items for agent scheduler extension =============
+# Driver to use for scheduling network to DHCP agent
+network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling router to a default L3 agent
+router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling a loadbalancer pool to an lbaas agent
+# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
+
+# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
+# networks to first DHCP agent which sends get_active_networks message to
+# neutron server
+# network_auto_schedule = True
+
+# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
+# routers to first L3 agent which sends sync_routers message to neutron server
+# router_auto_schedule = True
+
+# Number of DHCP agents scheduled to host a network. This enables redundant
+# DHCP agents for configured networks.
+# dhcp_agents_per_network = 1
+
+# =========== end of items for agent scheduler extension =====
+
+# =========== WSGI parameters related to the API server ==============
+# Number of separate worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as workers. The parent process manages them.
+api_workers = 8
+
+# Number of separate RPC worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as RPC workers. The parent process manages them.
+# This feature is experimental until issues are addressed and testing has been
+# enabled for various plugins for compatibility.
+rpc_workers = 8
+
+# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
+# starting API server. Not supported on OS X.
+# tcp_keepidle = 600
+
+# Number of seconds to keep retrying to listen
+# retry_until_window = 30
+
+# Number of backlog requests to configure the socket with.
+# backlog = 4096
+
+# Max header line to accommodate large tokens
+# max_header_line = 16384
+
+# Enable SSL on the API server
+# use_ssl = False
+
+# Certificate file to use when starting API server securely
+# ssl_cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+# ssl_key_file = /path/to/keyfile
+
+# CA certificate file to use when starting API server securely to
+# verify connecting clients. This is an optional parameter only required if
+# API clients need to authenticate to the API server using SSL certificates
+# signed by a trusted CA
+# ssl_ca_file = /path/to/cafile
+# ======== end of WSGI parameters related to the API server ==========
+
+
+# ======== neutron nova interactions ==========
+# Send notification to nova when port status is active.
+notify_nova_on_port_status_changes = True
+
+# Send notifications to nova when port data (fixed_ips/floatingips) change
+# so nova can update it's cache.
+notify_nova_on_port_data_changes = True
+
+# URL for connection to nova (Only supports one nova region currently).
+nova_url = http://{{ HA_VIP }}:8774/v2
+
+# Name of nova region to use. Useful if keystone manages more than one region
+nova_region_name = RegionOne
+
+# Username for connection to nova in admin context
+nova_admin_username = nova
+
+# The uuid of the admin nova tenant
+
+# Password for connection to nova in admin context.
+nova_admin_password = {{ NOVA_PASS }}
+
+# Authorization URL for connection to nova in admin context.
+nova_admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
+
+# Number of seconds between sending events to nova if there are any events to send
+send_events_interval = 2
+
+# ======== end of neutron nova interactions ==========
+
+[quotas]
+# Default driver to use for quota checks
+quota_driver = neutron.db.quota_db.DbQuotaDriver
+
+# Resource name(s) that are supported in quota features
+quota_items = network,subnet,port
+
+# Default number of resource allowed per tenant. A negative value means
+# unlimited.
+default_quota = -1
+
+# Number of networks allowed per tenant. A negative value means unlimited.
+quota_network = 100
+
+# Number of subnets allowed per tenant. A negative value means unlimited.
+quota_subnet = 100
+
+# Number of ports allowed per tenant. A negative value means unlimited.
+quota_port = 8000
+
+# Number of security groups allowed per tenant. A negative value means
+# unlimited.
+quota_security_group = 1000
+
+# Number of security group rules allowed per tenant. A negative value means
+# unlimited.
+quota_security_group_rule = 1000
+
+# Number of vips allowed per tenant. A negative value means unlimited.
+# quota_vip = 10
+
+# Number of pools allowed per tenant. A negative value means unlimited.
+# quota_pool = 10
+
+# Number of pool members allowed per tenant. A negative value means unlimited.
+# The default is unlimited because a member is not a real resource consumer
+# on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_member = -1
+
+# Number of health monitors allowed per tenant. A negative value means
+# unlimited.
+# The default is unlimited because a health monitor is not a real resource
+# consumer on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_health_monitors = -1
+
+# Number of routers allowed per tenant. A negative value means unlimited.
+# quota_router = 10
+
+# Number of floating IPs allowed per tenant. A negative value means unlimited.
+# quota_floatingip = 50
+
+[agent]
+# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
+
+# =========== items for agent management extension =============
+# seconds between nodes reporting state to server; should be less than
+# agent_down_time, best if it is half or less than agent_down_time
+report_interval = 30
+
+# =========== end of items for agent management extension =====
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+signing_dir = $state_path/keystone-signing
+
+[database]
+# This line MUST be changed to actually run the plugin.
+# Example:
+# connection = mysql://root:pass@127.0.0.1:3306/neutron
+# Replace 127.0.0.1 above with the IP address of the database used by the
+# main neutron server. (Leave it as is if the database runs on this host.)
+# connection = sqlite:////var/lib/neutron/neutron.sqlite
+#connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron
+
+# The SQLAlchemy connection string used to connect to the slave database
+slave_connection =
+
+# Database reconnection retry times - in event connectivity is lost
+# set to -1 implies an infinite retry count
+max_retries = 10
+
+# Database reconnection interval in seconds - if the initial connection to the
+# database fails
+retry_interval = 10
+
+# Minimum number of SQL connections to keep open in a pool
+min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+max_pool_size = 100
+
+# Timeout in seconds before idle sql connections are reaped
+idle_timeout = 3600
+
+# If set, use this value for max_overflow with sqlalchemy
+max_overflow = 100
+
+# Verbosity of SQL debugging information. 0=None, 100=Everything
+connection_debug = 0
+
+# Add python stack traces to SQL as comment strings
+connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+pool_timeout = 10
+
+[service_providers]
+# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
+# Must be in form:
+# service_provider=<service_type>:<name>:<driver>[:default]
+# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
+# Combination of <service type> and <name> must be unique; <driver> must also be unique
+# This is multiline option, example for default provider:
+# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
+# example of non-default provider:
+# service_provider=FIREWALL:name2:firewall_driver_path
+# --- Reference implementations ---
+service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+# In order to activate Radware's lbaas driver you need to uncomment the next line.
+# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
+# Otherwise comment the HA Proxy line
+# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
+# uncomment the following line to make the 'netscaler' LBaaS provider available.
+# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
+# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
+# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
+# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
+# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/neutron.conf b/compass/deploy/ansible/roles/nova-controller/templates/neutron.conf
new file mode 100644
index 0000000..1575367
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/neutron.conf
@@ -0,0 +1,466 @@
+[DEFAULT]
+# Print more verbose output (set logging level to INFO instead of default WARNING level).
+verbose = {{ VERBOSE }}
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING level).
+debug = {{ VERBOSE }}
+
+# Where to store Neutron state files. This directory must be writable by the
+# user executing the agent.
+state_path = /var/lib/neutron
+
+# Where to store lock files
+lock_path = $state_path/lock
+
+# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
+# log_date_format = %Y-%m-%d %H:%M:%S
+
+# use_syslog -> syslog
+# log_file and log_dir -> log_dir/log_file
+# (not log_file) and log_dir -> log_dir/{binary_name}.log
+# use_stderr -> stderr
+# (not user_stderr) and (not log_file) -> stdout
+# publish_errors -> notification system
+
+# use_syslog = False
+# syslog_log_facility = LOG_USER
+
+# use_stderr = True
+# log_file =
+log_dir = /var/log/neutron
+
+# publish_errors = False
+
+# Address to bind the API server to
+bind_host = {{ network_server_host }}
+
+# Port the bind the API server to
+bind_port = 9696
+
+# Path to the extensions. Note that this can be a colon-separated list of
+# paths. For example:
+# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
+# The __path__ of neutron.extensions is appended to this, so if your
+# extensions are in there you don't need to specify them here
+# api_extensions_path =
+
+# (StrOpt) Neutron core plugin entrypoint to be loaded from the
+# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
+# plugins included in the neutron source distribution. For compatibility with
+# previous versions, the class name of a plugin can be specified instead of its
+# entrypoint name.
+#
+#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
+core_plugin = ml2
+# Example: core_plugin = ml2
+
+# (ListOpt) List of service plugin entrypoints to be loaded from the
+# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
+# the plugins included in the neutron source distribution. For compatibility
+# with previous versions, the class name of a plugin can be specified instead
+# of its entrypoint name.
+#
+# service_plugins =
+# Example: service_plugins = router,firewall,lbaas,vpnaas,metering
+service_plugins = router
+
+# Paste configuration file
+api_paste_config = api-paste.ini
+
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+auth_strategy = keystone
+
+# Base MAC address. The first 3 octets will remain unchanged. If the
+# 4h octet is not 00, it will also be used. The others will be
+# randomly generated.
+# 3 octet
+# base_mac = fa:16:3e:00:00:00
+# 4 octet
+# base_mac = fa:16:3e:4f:00:00
+
+# Maximum amount of retries to generate a unique MAC address
+# mac_generation_retries = 16
+
+# DHCP Lease duration (in seconds)
+dhcp_lease_duration = 86400
+
+# Allow sending resource operation notification to DHCP agent
+# dhcp_agent_notification = True
+
+# Enable or disable bulk create/update/delete operations
+# allow_bulk = True
+# Enable or disable pagination
+# allow_pagination = False
+# Enable or disable sorting
+# allow_sorting = False
+# Enable or disable overlapping IPs for subnets
+# Attention: the following parameter MUST be set to False if Neutron is
+# being used in conjunction with nova security groups
+allow_overlapping_ips = True
+# Ensure that configured gateway is on subnet
+# force_gateway_on_subnet = False
+
+
+# RPC configuration options. Defined in rpc __init__
+# The messaging module to use, defaults to kombu.
+# rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_password = {{ RABBIT_PASS }}
+
+# Size of RPC thread pool
+rpc_thread_pool_size = 240
+# Size of RPC connection pool
+rpc_conn_pool_size = 100
+# Seconds to wait for a response from call or multicall
+rpc_response_timeout = 300
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+rpc_cast_timeout = 300
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call.
+# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception
+# AMQP exchange to connect to if using RabbitMQ or QPID
+# control_exchange = neutron
+
+# If passed, use a fake RabbitMQ provider
+# fake_rabbit = False
+
+# Configuration options if sending notifications via kombu rpc (these are
+# the defaults)
+# SSL version to use (valid only if SSL enabled)
+# kombu_ssl_version =
+# SSL key file (valid only if SSL enabled)
+# kombu_ssl_keyfile =
+# SSL cert file (valid only if SSL enabled)
+# kombu_ssl_certfile =
+# SSL certification authority file (valid only if SSL enabled)
+# kombu_ssl_ca_certs =
+# Port where RabbitMQ server is running/listening
+rabbit_port = 5672
+# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port'
+# rabbit_hosts = localhost:5672
+# User ID used for RabbitMQ connections
+rabbit_userid = {{ RABBIT_USER }}
+# Location of a virtual RabbitMQ installation.
+# rabbit_virtual_host = /
+# Maximum retries with trying to connect to RabbitMQ
+# (the default of 0 implies an infinite retry count)
+# rabbit_max_retries = 0
+# RabbitMQ connection retry interval
+# rabbit_retry_interval = 1
+# Use HA queues in RabbitMQ (x-ha-policy: all). You need to
+# wipe RabbitMQ database when changing this option. (boolean value)
+# rabbit_ha_queues = false
+# QPID
+# rpc_backend=neutron.openstack.common.rpc.impl_qpid
+# Qpid broker hostname
+# qpid_hostname = localhost
+# Qpid broker port
+# qpid_port = 5672
+# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
+# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port'
+# qpid_hosts = localhost:5672
+# Username for qpid connection
+# qpid_username = ''
+# Password for qpid connection
+# qpid_password = ''
+# Space separated list of SASL mechanisms to use for auth
+# qpid_sasl_mechanisms = ''
+# Seconds between connection keepalive heartbeats
+# qpid_heartbeat = 60
+# Transport to use, either 'tcp' or 'ssl'
+# qpid_protocol = tcp
+# Disable Nagle algorithm
+# qpid_tcp_nodelay = True
+
+# ZMQ
+# rpc_backend=neutron.openstack.common.rpc.impl_zmq
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
+# The "host" option should point or resolve to this address.
+# rpc_zmq_bind_address = *
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when network/subnet/port are created, updated or deleted.
+# There are three methods of sending notifications: logging (via the
+# log_file directive), rpc (via a message queue) and
+# noop (no notifications sent, the default)
+
+# Notification_driver can be defined multiple times
+# Do nothing driver
+# notification_driver = neutron.openstack.common.notifier.no_op_notifier
+# Logging driver
+# notification_driver = neutron.openstack.common.notifier.log_notifier
+# RPC driver.
+notification_driver = neutron.openstack.common.notifier.rpc_notifier
+
+# default_notification_level is used to form actual topic name(s) or to set logging level
+default_notification_level = INFO
+
+# default_publisher_id is a part of the notification payload
+# host = myhost.com
+# default_publisher_id = $host
+
+# Defined in rpc_notifier, can be comma separated values.
+# The actual topic names will be %s.%(default_notification_level)s
+notification_topics = notifications
+
+# Default maximum number of items returned in a single response,
+# value == infinite and value < 0 means no max limit, and value must
+# be greater than 0. If the number of items requested is greater than
+# pagination_max_limit, server will just return pagination_max_limit
+# of number of items.
+# pagination_max_limit = -1
+
+# Maximum number of DNS nameservers per subnet
+# max_dns_nameservers = 5
+
+# Maximum number of host routes per subnet
+# max_subnet_host_routes = 20
+
+# Maximum number of fixed ips per port
+# max_fixed_ips_per_port = 5
+
+# =========== items for agent management extension =============
+# Seconds to regard the agent as down; should be at least twice
+# report_interval, to be sure the agent is down for good
+agent_down_time = 75
+# =========== end of items for agent management extension =====
+
+# =========== items for agent scheduler extension =============
+# Driver to use for scheduling network to DHCP agent
+network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling router to a default L3 agent
+router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling a loadbalancer pool to an lbaas agent
+# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
+
+# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
+# networks to first DHCP agent which sends get_active_networks message to
+# neutron server
+# network_auto_schedule = True
+
+# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
+# routers to first L3 agent which sends sync_routers message to neutron server
+# router_auto_schedule = True
+
+# Number of DHCP agents scheduled to host a network. This enables redundant
+# DHCP agents for configured networks.
+# dhcp_agents_per_network = 1
+
+# =========== end of items for agent scheduler extension =====
+
+# =========== WSGI parameters related to the API server ==============
+# Number of separate worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as workers. The parent process manages them.
+api_workers = 8
+
+# Number of separate RPC worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as RPC workers. The parent process manages them.
+# This feature is experimental until issues are addressed and testing has been
+# enabled for various plugins for compatibility.
+rpc_workers = 8
+
+# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
+# starting API server. Not supported on OS X.
+# tcp_keepidle = 600
+
+# Number of seconds to keep retrying to listen
+# retry_until_window = 30
+
+# Number of backlog requests to configure the socket with.
+# backlog = 4096
+
+# Max header line to accommodate large tokens
+# max_header_line = 16384
+
+# Enable SSL on the API server
+# use_ssl = False
+
+# Certificate file to use when starting API server securely
+# ssl_cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+# ssl_key_file = /path/to/keyfile
+
+# CA certificate file to use when starting API server securely to
+# verify connecting clients. This is an optional parameter only required if
+# API clients need to authenticate to the API server using SSL certificates
+# signed by a trusted CA
+# ssl_ca_file = /path/to/cafile
+# ======== end of WSGI parameters related to the API server ==========
+
+
+# ======== neutron nova interactions ==========
+# Send notification to nova when port status is active.
+notify_nova_on_port_status_changes = True
+
+# Send notifications to nova when port data (fixed_ips/floatingips) change
+# so nova can update it's cache.
+notify_nova_on_port_data_changes = True
+
+# URL for connection to nova (Only supports one nova region currently).
+nova_url = http://{{ HA_VIP }}:8774/v2
+
+# Name of nova region to use. Useful if keystone manages more than one region
+nova_region_name = RegionOne
+
+# Username for connection to nova in admin context
+nova_admin_username = nova
+
+# The uuid of the admin nova tenant
+nova_admin_tenant_id = {{ NOVA_ADMIN_TENANT_ID.stdout_lines[0] }}
+
+# Password for connection to nova in admin context.
+nova_admin_password = {{ NOVA_PASS }}
+
+# Authorization URL for connection to nova in admin context.
+nova_admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
+
+# Number of seconds between sending events to nova if there are any events to send
+send_events_interval = 2
+
+# ======== end of neutron nova interactions ==========
+
+[quotas]
+# Default driver to use for quota checks
+quota_driver = neutron.db.quota_db.DbQuotaDriver
+
+# Resource name(s) that are supported in quota features
+quota_items = network,subnet,port
+
+# Default number of resource allowed per tenant. A negative value means
+# unlimited.
+default_quota = -1
+
+# Number of networks allowed per tenant. A negative value means unlimited.
+quota_network = 100
+
+# Number of subnets allowed per tenant. A negative value means unlimited.
+quota_subnet = 100
+
+# Number of ports allowed per tenant. A negative value means unlimited.
+quota_port = 8000
+
+# Number of security groups allowed per tenant. A negative value means
+# unlimited.
+quota_security_group = 1000
+
+# Number of security group rules allowed per tenant. A negative value means
+# unlimited.
+quota_security_group_rule = 1000
+
+# Number of vips allowed per tenant. A negative value means unlimited.
+# quota_vip = 10
+
+# Number of pools allowed per tenant. A negative value means unlimited.
+# quota_pool = 10
+
+# Number of pool members allowed per tenant. A negative value means unlimited.
+# The default is unlimited because a member is not a real resource consumer
+# on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_member = -1
+
+# Number of health monitors allowed per tenant. A negative value means
+# unlimited.
+# The default is unlimited because a health monitor is not a real resource
+# consumer on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_health_monitors = -1
+
+# Number of routers allowed per tenant. A negative value means unlimited.
+# quota_router = 10
+
+# Number of floating IPs allowed per tenant. A negative value means unlimited.
+# quota_floatingip = 50
+
+[agent]
+# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
+
+# =========== items for agent management extension =============
+# seconds between nodes reporting state to server; should be less than
+# agent_down_time, best if it is half or less than agent_down_time
+report_interval = 30
+
+# =========== end of items for agent management extension =====
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/v2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = neutron
+admin_password = {{ NEUTRON_PASS }}
+signing_dir = $state_path/keystone-signing
+
+[database]
+# This line MUST be changed to actually run the plugin.
+# Example:
+# connection = mysql://root:pass@127.0.0.1:3306/neutron
+# Replace 127.0.0.1 above with the IP address of the database used by the
+# main neutron server. (Leave it as is if the database runs on this host.)
+# connection = sqlite:////var/lib/neutron/neutron.sqlite
+#connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron
+
+# The SQLAlchemy connection string used to connect to the slave database
+slave_connection =
+
+# Database reconnection retry times - in event connectivity is lost
+# set to -1 implies an infinite retry count
+max_retries = 10
+
+# Database reconnection interval in seconds - if the initial connection to the
+# database fails
+retry_interval = 10
+
+# Minimum number of SQL connections to keep open in a pool
+min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool
+max_pool_size = 100
+
+# Timeout in seconds before idle sql connections are reaped
+idle_timeout = 3600
+
+# If set, use this value for max_overflow with sqlalchemy
+max_overflow = 100
+
+# Verbosity of SQL debugging information. 0=None, 100=Everything
+connection_debug = 0
+
+# Add python stack traces to SQL as comment strings
+connection_trace = False
+
+# If set, use this value for pool_timeout with sqlalchemy
+pool_timeout = 10
+
+[service_providers]
+# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
+# Must be in form:
+# service_provider=<service_type>:<name>:<driver>[:default]
+# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
+# Combination of <service type> and <name> must be unique; <driver> must also be unique
+# This is multiline option, example for default provider:
+# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
+# example of non-default provider:
+# service_provider=FIREWALL:name2:firewall_driver_path
+# --- Reference implementations ---
+service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+# In order to activate Radware's lbaas driver you need to uncomment the next line.
+# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
+# Otherwise comment the HA Proxy line
+# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
+# uncomment the following line to make the 'netscaler' LBaaS provider available.
+# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
+# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
+# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
+# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
+# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/neutron_init.sh b/compass/deploy/ansible/roles/nova-controller/templates/neutron_init.sh
new file mode 100644
index 0000000..b92e202
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/neutron_init.sh
@@ -0,0 +1,4 @@
+# neutron --os-username=admin --os-password={{ ADMIN_PASS }} --os-tenant-name=admin --os-auth-url=http://{{ identity_host }}:35357/v2.0 net-create ext-net --shared --router:external=True
+
+# neutron --os-username=admin --os-password={{ ADMIN_PASS }} --os-tenant-name=admin --os-auth-url=http://{{ identity_host }}:35357/v2.0 subnet-create ext-net --name ext-subnet --allocation-pool start={{ FLOATING_IP_START }},end={{ FLOATING_IP_END}} --disable-dhcp --gateway {{EXTERNAL_NETWORK_GATEWAY}} {{EXTERNAL_NETWORK_CIDR}}
+
diff --git a/compass/deploy/ansible/roles/nova-controller/templates/nova.conf b/compass/deploy/ansible/roles/nova-controller/templates/nova.conf
new file mode 100644
index 0000000..c8991a3
--- /dev/null
+++ b/compass/deploy/ansible/roles/nova-controller/templates/nova.conf
@@ -0,0 +1,72 @@
+[DEFAULT]
+dhcpbridge_flagfile=/etc/nova/nova.conf
+dhcpbridge=/usr/bin/nova-dhcpbridge
+logdir=/var/log/nova
+state_path=/var/lib/nova
+lock_path=/var/lock/nova
+force_dhcp_release=True
+iscsi_helper=tgtadm
+libvirt_use_virtio_for_bridges=True
+connection_type=libvirt
+root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
+verbose={{ VERBOSE}}
+debug={{ DEBUG }}
+ec2_private_dns_show_ip=True
+api_paste_config=/etc/nova/api-paste.ini
+volumes_path=/var/lib/nova/volumes
+enabled_apis=osapi_compute,metadata
+
+vif_plugging_is_fatal: false
+vif_plugging_timeout: 0
+
+auth_strategy = keystone
+
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+
+osapi_compute_listen={{ internal_ip }}
+metadata_listen={{ internal_ip }}
+
+my_ip = {{ internal_ip }}
+vnc_enabled = True
+vncserver_listen = {{ internal_ip }}
+vncserver_proxyclient_address = {{ internal_ip }}
+novncproxy_base_url = http://{{ HA_VIP }}:6080/vnc_auto.html
+
+novncproxy_host = {{ internal_ip }}
+novncproxy_port = 6080
+
+network_api_class = nova.network.neutronv2.api.API
+linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+security_group_api = neutron
+
+instance_usage_audit = True
+instance_usage_audit_period = hour
+notify_on_state_change = vm_and_task_state
+notification_driver = nova.openstack.common.notifier.rpc_notifier
+notification_driver = ceilometer.compute.nova_notifier
+
+[database]
+# The SQLAlchemy connection string used to connect to the database
+connection = mysql://nova:{{ NOVA_DBPASS }}@{{ db_host }}/nova
+
+[keystone_authtoken]
+auth_uri = http://{{ HA_VIP }}:5000/2.0
+identity_uri = http://{{ HA_VIP }}:35357
+admin_tenant_name = service
+admin_user = nova
+admin_password = {{ NOVA_PASS }}
+
+[glance]
+host = {{ HA_VIP }}
+
+[neutron]
+url = http://{{ HA_VIP }}:9696
+auth_strategy = keystone
+admin_tenant_name = service
+admin_username = neutron
+admin_password = {{ NEUTRON_PASS }}
+admin_auth_url = http://{{ HA_VIP }}:35357/v2.0
diff --git a/compass/deploy/ansible/roles/repo/tasks/main.yml b/compass/deploy/ansible/roles/repo/tasks/main.yml
new file mode 100644
index 0000000..9476f80
--- /dev/null
+++ b/compass/deploy/ansible/roles/repo/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: add juno cloudarchive
+ apt_repository: repo="{{ juno_cloud_archive }}" state=present
+
+- name: first update pkgs
+ apt: update_cache=yes
diff --git a/compass/deploy/ansible/roles/repo/templates/sources.list b/compass/deploy/ansible/roles/repo/templates/sources.list
new file mode 100644
index 0000000..8b062e7
--- /dev/null
+++ b/compass/deploy/ansible/roles/repo/templates/sources.list
@@ -0,0 +1 @@
+{{ LOCAL_REPO }}
diff --git a/compass/deploy/compass_vm.sh b/compass/deploy/compass_vm.sh
new file mode 100644
index 0000000..0764917
--- /dev/null
+++ b/compass/deploy/compass_vm.sh
@@ -0,0 +1,103 @@
+compass_vm_dir=$WORK_DIR/vm/compass
+rsa_file=$compass_vm_dir/boot.rsa
+ssh_args="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i $rsa_file"
+function tear_down_compass() {
+ sudo virsh destroy compass > /dev/null 2>&1
+ sudo virsh undefine compass > /dev/null 2>&1
+
+ sudo umount $compass_vm_dir/old > /dev/null 2>&1
+ sudo umount $compass_vm_dir/new > /dev/null 2>&1
+
+ sudo rm -rf $compass_vm_dir
+
+ log_info "tear_down_compass success!!!"
+}
+
+function install_compass_core() {
+ local inventory_file=$compass_vm_dir/inventory.file
+ log_info "install_compass_core enter"
+ sed -i "s/mgmt_next_ip:.*/mgmt_next_ip: ${COMPASS_SERVER}/g" $WORK_DIR/installer/compass-install/install/group_vars/all
+ echo "compass_nodocker ansible_ssh_host=$MGMT_IP ansible_ssh_port=22" > $inventory_file
+ PYTHONUNBUFFERED=1 ANSIBLE_FORCE_COLOR=true ANSIBLE_HOST_KEY_CHECKING=false ANSIBLE_SSH_ARGS='-o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s' ansible-playbook -e pipeline=true --private-key=$rsa_file --user=root --connection=ssh --inventory-file=$inventory_file $WORK_DIR/installer/compass-install/install/compass_nodocker.yml
+ exit_status=$?
+ rm $inventory_file
+ log_info "install_compass_core exit"
+ if [[ $exit_status != 0 ]];then
+ /bin/false
+ fi
+}
+
+function wait_ok() {
+ log_info "wait_compass_ok enter"
+ retry=0
+ until timeout 1s ssh $ssh_args root@$MGMT_IP "exit" 2>/dev/null
+ do
+ log_progress "os install time used: $((retry*100/$1))%"
+ sleep 1
+ let retry+=1
+ if [[ $retry -ge $1 ]];then
+ log_error "os install time out"
+ tear_down_compass
+ exit 1
+ fi
+ done
+
+ log_warn "os install time used: 100%"
+ log_info "wait_compass_ok exit"
+}
+
+function launch_compass() {
+ local old_mnt=$compass_vm_dir/old
+ local new_mnt=$compass_vm_dir/new
+ local old_iso=$WORK_DIR/iso/centos.iso
+ local new_iso=$compass_vm_dir/centos.iso
+
+ log_info "launch_compass enter"
+ tear_down_compass
+
+ set -e
+ mkdir -p $compass_vm_dir $old_mnt
+ sudo mount -o loop $old_iso $old_mnt
+ cd $old_mnt;find .|cpio -pd $new_mnt;cd -
+
+ sudo umount $old_mnt
+
+ chmod 755 -R $new_mnt
+ sed -i -e "s/REPLACE_MGMT_IP/$MGMT_IP/g" -e "s/REPLACE_MGMT_NETMASK/$MGMT_MASK/g" -e "s/REPLACE_INSTALL_IP/$COMPASS_SERVER/g" -e "s/REPLACE_INSTALL_NETMASK/$INSTALL_MASK/g" -e "s/REPLACE_GW/$MGMT_GW/g" $new_mnt/isolinux/isolinux.cfg
+
+ sudo ssh-keygen -f $new_mnt/bootstrap/boot.rsa -t rsa -N ''
+ cp $new_mnt/bootstrap/boot.rsa $rsa_file
+
+ rm -rf $new_mnt/.rr_moved $new_mnt/rr_moved
+ sudo mkisofs -quiet -r -J -R -b isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table -hide-rr-moved -x "lost+found:" -o $new_iso $new_mnt
+
+ rm -rf $old_mnt $new_mnt
+
+ qemu-img create -f qcow2 $compass_vm_dir/disk.img 100G
+
+ # create vm xml
+ sed -e "s/REPLACE_MEM/$COMPASS_VIRT_MEM/g" \
+ -e "s/REPLACE_CPU/$COMPASS_VIRT_CPUS/g" \
+ -e "s#REPLACE_IMAGE#$compass_vm_dir/disk.img#g" \
+ -e "s#REPLACE_ISO#$compass_vm_dir/centos.iso#g" \
+ -e "s/REPLACE_NET_MGMT/mgmt/g" \
+ -e "s/REPLACE_BRIDGE_INSTALL/br_install/g" \
+ $COMPASS_DIR/deploy/template/vm/compass.xml \
+ > $WORK_DIR/vm/compass/libvirt.xml
+
+ sudo virsh define $compass_vm_dir/libvirt.xml
+ sudo virsh start compass
+
+ if ! wait_ok 300;then
+ log_error "install os timeout"
+ exit 1
+ fi
+
+ if ! install_compass_core;then
+ log_error "install compass core failed"
+ exit 1
+ fi
+
+ set +e
+ log_info "launch_compass exit"
+}
diff --git a/compass/deploy/conf/baremetal.conf b/compass/deploy/conf/baremetal.conf
new file mode 100644
index 0000000..317d561
--- /dev/null
+++ b/compass/deploy/conf/baremetal.conf
@@ -0,0 +1,20 @@
+export VIRT_CPUS=4
+export HOST_MACS="'64:3e:8c:4c:6d:a3' '64:3e:8c:4c:6d:37' '64:3e:8c:4c:6c:d7' '64:3e:8c:4c:6b:7b' '64:3e:8c:4c:68:2b'"
+export VIRT_MEM=16384
+export VIRT_DISK=30G
+export 'ADAPTER_OS_PATTERN=(?i)ubuntu-14\.04.*'
+#export 'ADAPTER_OS_PATTERN=(?i)centos-6\.5.*'
+export ADAPTER_NAME="openstack_juno"
+export ADAPTER_TARGET_SYSTEM_PATTERN="^openstack$"
+export ADAPTER_FLAVOR_PATTERN="HA-ansible-multinodes"
+export HOSTNAMES="host1,host2,host3,host4,host5"
+export HOST_ROLES="host1=controller,ha;host2=controller,ha;host3=controller,ha;host4=compute;host5=compute"
+export DEFAULT_ROLES=""
+export SWITCH_IPS="172.29.1.166"
+export SWITCH_CREDENTIAL="version=2c,community=public"
+export DEPLOYMENT_TIMEOUT="150"
+export POLL_SWITCHES_FLAG="nopoll_switches"
+export DASHBOARD_URL=""
+export REGTEST_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${REGTEST_DIR}/base.conf
+export VIP="10.1.0.222"
diff --git a/compass/deploy/conf/base.conf b/compass/deploy/conf/base.conf
index 8362b9a..d8e8d51 100644
--- a/compass/deploy/conf/base.conf
+++ b/compass/deploy/conf/base.conf
@@ -1,11 +1,28 @@
-export COMPASS_SERVER_URL="http://10.1.0.12/api"
+export ISO_URL=http://192.168.123.11:9999/xh/work/build/work/compass.iso
+export INSTALL_IP=${INSTALL_IP:-10.1.0.12}
+export INSTALL_MASK=${INSTALL_MASK:-255.255.255.0}
+export INSTALL_GW=${INSTALL_GW:-10.1.0.1}
+export INSTALL_IP_START=${INSTALL_IP_START:-10.1.0.1}
+export INSTALL_IP_END=${INSTALL_IP_END:-10.1.0.254}
+export MGMT_IP=${MGMT_IP:-192.168.200.2}
+export MGMT_MASK=${MAGMT_MASK:-255.255.252.0}
+export MGMT_GW=${MAGMT_GW:-192.168.200.1}
+export MGMT_IP_START=${MGMT_IP_START:-192.168.200.3}
+export MGMT_IP_END=${MGMT_IP_END:-192.168.200.254}
+export OM_NIC=${OM_NIC:-eth3}
+export OM_IP=${OM_IP:-192.168.123.11/22}
+export OM_GW=${OM_GW:-192.168.120.1}
+export COMPASS_VIRT_CPUS=4
+export COMPASS_VIRT_MEM=4096
+export COMPASS_SERVER=$INSTALL_IP
+export COMPASS_SERVER_URL="http://$COMPASS_SERVER/api"
export COMPASS_USER_EMAIL="admin@huawei.com"
export COMPASS_USER_PASSWORD="admin"
export CLUSTER_NAME="opnfv2"
export LANGUAGE="EN"
export TIMEZONE="America/Los_Angeles"
-export NTP_SERVER="10.1.0.12"
-export NAMESERVERS="10.1.0.12"
+export NTP_SERVER="$COMPASS_SERVER"
+export NAMESERVERS="$COMPASS_SERVER"
export DOMAIN="ods.com"
export PARTITIONS="/home=5%,/tmp=5%,/var=20%"
export SUBNETS="10.1.0.0/24,172.16.2.0/24,172.16.3.0/24,172.16.4.0/24"
@@ -18,6 +35,7 @@ export TENANT_INTERFACE=${TENANT_INTERFACE:-eth1}
export STORAGE_INTERFACE=${STORAGE_INTERFACE:-eth3}
export PUBLIC_INTERFACE=${PUBLIC_INTERFACE:-eth2}
+
function next_ip {
ip_addr=$1
ip_base="$(echo $ip_addr | cut -d. -f'1 2 3')"
diff --git a/compass/deploy/conf/cluster.conf b/compass/deploy/conf/cluster.conf
new file mode 100644
index 0000000..4f43027
--- /dev/null
+++ b/compass/deploy/conf/cluster.conf
@@ -0,0 +1,20 @@
+export VIRT_NUMBER=5
+export VIRT_CPUS=4
+export VIRT_MEM=16384
+export VIRT_DISK=30G
+export 'ADAPTER_OS_PATTERN=(?i)ubuntu-14\.04.*'
+#export 'ADAPTER_OS_PATTERN=(?i)centos-6\.5.*'
+export ADAPTER_NAME="openstack_juno"
+export ADAPTER_TARGET_SYSTEM_PATTERN="^openstack$"
+export ADAPTER_FLAVOR_PATTERN="HA-ansible-multinodes"
+export HOSTNAMES="host1,host2,host3,host4,host5"
+export HOST_ROLES="host1=controller,ha;host2=controller,ha;host3=controller,ha;host4=compute;host5=compute"
+export DEFAULT_ROLES=""
+export SWITCH_IPS="1.1.1.1"
+export SWITCH_CREDENTIAL="version=2c,community=public"
+export DEPLOYMENT_TIMEOUT="150"
+export POLL_SWITCHES_FLAG="nopoll_switches"
+export DASHBOARD_URL=""
+export REGTEST_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${REGTEST_DIR}/base.conf
+export VIP="10.1.0.222"
diff --git a/compass/deploy/conf/five.conf b/compass/deploy/conf/five.conf
index e63e514..f32411b 100644
--- a/compass/deploy/conf/five.conf
+++ b/compass/deploy/conf/five.conf
@@ -1,6 +1,6 @@
export VIRT_NUMBER=5
export VIRT_CPUS=4
-export VIRT_MEM=4096
+export VIRT_MEM=16384
export VIRT_DISK=30G
export 'ADAPTER_OS_PATTERN=(?i)ubuntu-14\.04.*'
#export 'ADAPTER_OS_PATTERN=(?i)centos-6\.5.*'
@@ -12,7 +12,7 @@ export HOST_ROLES="host1=controller,network;host2=compute,storage;host3=compute,
export DEFAULT_ROLES=""
export SWITCH_IPS="1.1.1.1"
export SWITCH_CREDENTIAL="version=2c,community=public"
-export DEPLOYMENT_TIMEOUT="90"
+export DEPLOYMENT_TIMEOUT="150"
export POLL_SWITCHES_FLAG="nopoll_switches"
export DASHBOARD_URL=""
export REGTEST_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
diff --git a/compass/deploy/deploy-vm.sh b/compass/deploy/deploy-vm.sh
index 18857cd..41ef209 100644
--- a/compass/deploy/deploy-vm.sh
+++ b/compass/deploy/deploy-vm.sh
@@ -16,6 +16,12 @@ fi
cp bin/switch_virtualenv.py.template bin/switch_virtualenv.py
sed -i "s|\$PythonHome|$VIRTUAL_ENV|g" bin/switch_virtualenv.py
#source ../compass-install/ci/allinone.conf
+/usr/bin/expect ${SCRIPT_DIR}/../deploy/remote_excute.exp \
+ "ssh root@${COMPASS_SERVER} mkdir -p /opt/compass/bin/ansible_callbacks" vagrant
+
+/usr/bin/expect ${SCRIPT_DIR}/../deploy/remote_excute.exp \
+ "scp -r ${SCRIPT_DIR}/../deploy/status_callback.py root@${COMPASS_SERVER}:/opt/compass/bin/ansible_callbacks/status_callback.py" \
+ vagrant
bin/client.py --logfile= --loglevel=debug --logdir= --compass_server="${COMPASS_SERVER_URL}" \
--compass_user_email="${COMPASS_USER_EMAIL}" --compass_user_password="${COMPASS_USER_PASSWORD}" \
--cluster_name="${CLUSTER_NAME}" --language="${LANGUAGE}" --timezone="${TIMEZONE}" \
@@ -32,7 +38,8 @@ bin/client.py --logfile= --loglevel=debug --logdir= --compass_server="${COMPASS_
--network_mapping="${NETWORK_MAPPING}" --package_config_json_file="${PACKAGE_CONFIG_FILENAME}" \
--host_roles="${HOST_ROLES}" --default_roles="${DEFAULT_ROLES}" --switch_ips="${SWITCH_IPS}" \
--machines=${machines//\'} --switch_credential="${SWITCH_CREDENTIAL}" \
---deployment_timeout="${DEPLOYMENT_TIMEOUT}" --${POLL_SWITCHES_FLAG} --dashboard_url="${DASHBOARD_URL}"
+--deployment_timeout="${DEPLOYMENT_TIMEOUT}" --${POLL_SWITCHES_FLAG} --dashboard_url="${DASHBOARD_URL}" \
+--cluster_vip="${VIP}"
deploy_result=$?
tear_down_machines
cd ../compass-install
diff --git a/compass/deploy/deploy_host.sh b/compass/deploy/deploy_host.sh
new file mode 100644
index 0000000..d08a821
--- /dev/null
+++ b/compass/deploy/deploy_host.sh
@@ -0,0 +1,40 @@
+function deploy_host(){
+ cd $WORK_DIR/installer/compass-core
+ source $WORK_DIR/venv/bin/activate
+ if pip --help | grep -q trusted; then
+ pip install -i http://pypi.douban.com/simple -e . --trusted-host pypi.douban.com
+ else
+ pip install -i http://pypi.douban.com/simple -e .
+ fi
+
+ sudo mkdir -p /var/log/compass
+ sudo chown -R 777 /var/log/compass
+
+ sudo mkdir -p /etc/compass
+ sudo cp -rf conf/setting /etc/compass/.
+
+ cp bin/switch_virtualenv.py.template bin/switch_virtualenv.py
+ sed -i "s|\$PythonHome|$VIRTUAL_ENV|g" bin/switch_virtualenv.py
+ ssh $ssh_args root@${COMPASS_SERVER} mkdir -p /opt/compass/bin/ansible_callbacks
+ scp $ssh_args -r ${COMPASS_DIR}/deploy/status_callback.py root@${COMPASS_SERVER}:/opt/compass/bin/ansible_callbacks/status_callback.py
+
+ (sleep 15;reboot_hosts ) &
+ bin/client.py --logfile= --loglevel=debug --logdir= --compass_server="${COMPASS_SERVER_URL}" \
+ --compass_user_email="${COMPASS_USER_EMAIL}" --compass_user_password="${COMPASS_USER_PASSWORD}" \
+ --cluster_name="${CLUSTER_NAME}" --language="${LANGUAGE}" --timezone="${TIMEZONE}" \
+ --hostnames="${HOSTNAMES}" --partitions="${PARTITIONS}" --subnets="${SUBNETS}" \
+ --adapter_os_pattern="${ADAPTER_OS_PATTERN}" --adapter_name="${ADAPTER_NAME}" \
+ --adapter_target_system_pattern="${ADAPTER_TARGET_SYSTEM_PATTERN}" \
+ --adapter_flavor_pattern="${ADAPTER_FLAVOR_PATTERN}" \
+ --http_proxy="${PROXY}" --https_proxy="${PROXY}" --no_proxy="${IGNORE_PROXY}" \
+ --ntp_server="${NTP_SERVER}" --dns_servers="${NAMESERVERS}" --domain="${DOMAIN}" \
+ --search_path="${SEARCH_PATH}" --default_gateway="${GATEWAY}" \
+ --server_credential="${SERVER_CREDENTIAL}" --local_repo_url="${LOCAL_REPO_URL}" \
+ --os_config_json_file="${OS_CONFIG_FILENAME}" --service_credentials="${SERVICE_CREDENTIALS}" \
+ --console_credentials="${CONSOLE_CREDENTIALS}" --host_networks="${HOST_NETWORKS}" \
+ --network_mapping="${NETWORK_MAPPING}" --package_config_json_file="${PACKAGE_CONFIG_FILENAME}" \
+ --host_roles="${HOST_ROLES}" --default_roles="${DEFAULT_ROLES}" --switch_ips="${SWITCH_IPS}" \
+ --machines=${machines//\'} --switch_credential="${SWITCH_CREDENTIAL}" \
+ --deployment_timeout="${DEPLOYMENT_TIMEOUT}" --${POLL_SWITCHES_FLAG} --dashboard_url="${DASHBOARD_URL}" \
+ --cluster_vip="${VIP}"
+}
diff --git a/compass/deploy/func.sh b/compass/deploy/func.sh
index 29c2c23..49ea947 100644..100755
--- a/compass/deploy/func.sh
+++ b/compass/deploy/func.sh
@@ -1,19 +1,22 @@
function tear_down_machines() {
- virtmachines=$(virsh list --name |grep pxe)
+ virtmachines=$(sudo virsh list --name |grep pxe)
for virtmachine in $virtmachines; do
echo "destroy $virtmachine"
- virsh destroy $virtmachine
+ sudo virsh destroy $virtmachine
if [[ "$?" != "0" ]]; then
echo "destroy instance $virtmachine failed"
exit 1
fi
done
- virtmachines=$(virsh list --all --name |grep pxe)
- for virtmachine in $virtmachines; do
- echo "undefine $virtmachine"
- virsh undefine $virtmachine
+
+ sudo virsh list --all|grep shut|awk '{print $2}'|xargs -n 1 sudo virsh undefine
+
+ vol_names=$(sudo virsh vol-list default |grep .img | awk '{print $1}')
+ for vol_name in $vol_names; do
+ echo "virsh vol-delete $vol_name"
+ sudo virsh vol-delete $vol_name --pool default
if [[ "$?" != "0" ]]; then
- echo "undefine instance $virtmachine failed"
+ echo "vol-delete $vol_name failed!"
exit 1
fi
done
diff --git a/compass/deploy/host_baremetal.sh b/compass/deploy/host_baremetal.sh
new file mode 100644
index 0000000..26238e0
--- /dev/null
+++ b/compass/deploy/host_baremetal.sh
@@ -0,0 +1,9 @@
+function get_host_macs() {
+ local config_file=$WORK_DIR/installer/compass-install/install/group_vars/all
+ local machines=`echo $HOST_MACS|sed 's/ /,/g'`
+
+ echo "test: true" >> $config_file
+ echo "pxe_boot_macs: [${machines}]" >> $config_file
+
+ echo $machines
+}
diff --git a/compass/deploy/host_vm.sh b/compass/deploy/host_vm.sh
new file mode 100644
index 0000000..cf9a757
--- /dev/null
+++ b/compass/deploy/host_vm.sh
@@ -0,0 +1,59 @@
+host_vm_dir=$WORK_DIR/vm
+function tear_down_machines() {
+ for i in host{0..4}
+ do
+ sudo virsh destroy $i 1>/dev/null 2>/dev/null
+ sudo virsh undefine $i 1>/dev/null 2>/dev/null
+ rm -rf $host_vm_dir/host$i
+ done
+}
+
+function reboot_hosts() {
+ log_warn "reboot_hosts do nothing"
+}
+
+function launch_host_vms() {
+ tear_down_machines
+ #function_bod
+ mac_array=`echo $machines|sed 's/,/ /g'`
+ log_info "bringing up pxe boot vms"
+ i=0
+ for mac in $mac_array; do
+ log_info "creating vm disk for instance host${i}"
+ vm_dir=$host_vm_dir/host$i
+ mkdir -p $vm_dir
+ sudo qemu-img create -f raw $vm_dir/disk.img ${VIRT_DISK}
+ # create vm xml
+ sed -e "s/REPLACE_MEM/$VIRT_MEM/g" \
+ -e "s/REPLACE_CPU/$VIRT_CPUS/g" \
+ -e "s/REPLACE_NAME/host$i/g" \
+ -e "s#REPLACE_IMAGE#$vm_dir/disk.img#g" \
+ -e "s/REPLACE_BOOT_MAC/$mac/g" \
+ -e "s/REPLACE_BRIDGE_MGMT/br_install/g" \
+ -e "s/REPLACE_BRIDGE_TENANT/br_install/g" \
+ -e "s/REPLACE_BRIDGE_PUBLIC/br_install/g" \
+ -e "s/REPLACE_BRIDGE_STORAGE/br_install/g" \
+ $COMPASS_DIR/deploy/template/vm/host.xml\
+ > $vm_dir/libvirt.xml
+
+ sudo virsh define $vm_dir/libvirt.xml
+ sudo virsh start host$i
+ let i=i+1
+ done
+}
+
+function get_host_macs() {
+ local config_file=$WORK_DIR/installer/compass-install/install/group_vars/all
+ local mac_generator=${COMPASS_DIR}/deploy/mac_generator.sh
+ local machines=
+
+ chmod +x $mac_generator
+ mac_array=`$mac_generator $VIRT_NUMBER`
+ machines=`echo $mac_array|sed 's/ /,/g'`
+
+ echo "test: true" >> $config_file
+ echo "pxe_boot_macs: [${machines}]" >> $config_file
+
+ echo $machines
+}
+
diff --git a/compass/deploy/network.sh b/compass/deploy/network.sh
new file mode 100755
index 0000000..c60607e
--- /dev/null
+++ b/compass/deploy/network.sh
@@ -0,0 +1,70 @@
+function destroy_nets() {
+ sudo virsh net-destroy mgmt > /dev/null 2>&1
+ sudo virsh net-undefine mgmt > /dev/null 2>&1
+
+ sudo virsh net-destroy install > /dev/null 2>&1
+ sudo virsh net-undefine install > /dev/null 2>&1
+ rm -rf $COMPASS_DIR/deploy/work/network/*.xml
+}
+
+function setup_om_bridge() {
+ local device=$1
+ local gw=$2
+ ip link set br_install down
+ ip addr flush $device
+ brctl delbr br_install
+
+ brctl addbr br_install
+ brctl addif br_install $device
+ ip link set br_install up
+
+ shift;shift
+ for ip in $*;do
+ ip addr add $ip dev br_install
+ done
+
+ route add default gw $gw
+}
+
+function setup_om_nat() {
+ # create install network
+ sed -e "s/REPLACE_BRIDGE/br_install/g" \
+ -e "s/REPLACE_NAME/install/g" \
+ -e "s/REPLACE_GATEWAY/$INSTALL_GW/g" \
+ -e "s/REPLACE_MASK/$INSTALL_MASK/g" \
+ -e "s/REPLACE_START/$INSTALL_IP_START/g" \
+ -e "s/REPLACE_END/$INSTALL_IP_END/g" \
+ $COMPASS_DIR/deploy/template/network/nat.xml \
+ > $WORK_DIR/network/install.xml
+
+ sudo virsh net-define $WORK_DIR/network/install.xml
+ sudo virsh net-start install
+}
+
+function create_nets() {
+ destroy_nets
+
+ # create mgmt network
+ sed -e "s/REPLACE_BRIDGE/br_mgmt/g" \
+ -e "s/REPLACE_NAME/mgmt/g" \
+ -e "s/REPLACE_GATEWAY/$MGMT_GW/g" \
+ -e "s/REPLACE_MASK/$MGMT_MASK/g" \
+ -e "s/REPLACE_START/$MGMT_IP_START/g" \
+ -e "s/REPLACE_END/$MGMT_IP_END/g" \
+ $COMPASS_DIR/deploy/template/network/nat.xml \
+ > $WORK_DIR/network/mgmt.xml
+
+ sudo virsh net-define $WORK_DIR/network/mgmt.xml
+ sudo virsh net-start mgmt
+
+ # create install network
+ if [[ ! -z $VIRT_NUMBER ]];then
+ setup_om_nat
+ else
+ mask=`echo $INSTALL_MASK | awk -F'.' '{print ($1*(2^24)+$2*(2^16)+$3*(2^8)+$4)}'`
+ mask_len=`echo "obase=2;${mask}"|bc|awk -F'0' '{print length($1)}'`
+ setup_om_bridge $OM_NIC $OM_GW $INSTALL_GW/$mask_len $OM_IP
+ fi
+
+}
+
diff --git a/compass/deploy/prepare.sh b/compass/deploy/prepare.sh
index 2086c5d..9ec15f8 100644
--- a/compass/deploy/prepare.sh
+++ b/compass/deploy/prepare.sh
@@ -1,35 +1,35 @@
-sudo apt-get update -y
-sudo apt-get install git python-pip python-dev -y
-vagrant --version
-if [[ $? != 0 ]]; then
- vagrant_pkg_url=https://dl.bintray.com/mitchellh/vagrant/vagrant_1.7.2_x86_64.deb
- wget ${vagrant_pkg_url}
- sudo dpkg -i $(basename ${vagrant_pkg_url})
-else
- echo "vagrant is already installed"
-fi
-sudo apt-get install libxslt-dev libxml2-dev libvirt-dev build-essential qemu-utils qemu-kvm libvirt-bin virtinst libmysqld-dev -y
-sudo service libvirt-bin restart
+function prepare_env() {
+ export PYTHONPATH=/usr/lib/python2.7/dist-packages:/usr/local/lib/python2.7/dist-packages
+ sudo apt-get update -y
+ sudo apt-get install mkisofs bc
+ sudo apt-get install git python-pip python-dev -y
+ sudo apt-get install libxslt-dev libxml2-dev libvirt-dev build-essential qemu-utils qemu-kvm libvirt-bin virtinst libmysqld-dev -y
+ sudo pip install --upgrade pip
+ sudo pip install --upgrade ansible
+ sudo pip install --upgrade virtualenv
+ sudo service libvirt-bin restart
+
+ # prepare work dir
+ sudo rm -rf $WORK_DIR
+ mkdir -p $WORK_DIR
+ mkdir -p $WORK_DIR/installer
+ mkdir -p $WORK_DIR/vm
+ mkdir -p $WORK_DIR/network
+ mkdir -p $WORK_DIR/iso
+ mkdir -p $WORK_DIR/venv
-for plugin in vagrant-libvirt vagrant-mutate; do
- vagrant plugin list |grep $plugin
- if [[ $? != 0 ]]; then
- vagrant plugin install $plugin --plugin-source https://ruby.taobao.org
- else
- echo "$plugin plugin is already installed"
+ if [[ ! -f centos.iso ]];then
+ wget -O $WORK_DIR/iso/centos.iso $ISO_URL
fi
-done
-sudo pip install --upgrade ansible virtualenv
-#precise_box_vb_url=https://cloud-images.ubuntu.com/vagrant/precise/current/precise-server-cloudimg-amd64-vagrant-disk1.box
-#precise_box_vb_filename=$(basename ${precise_box_vb_url})
-centos65_box_vb_url=https://developer.nrel.gov/downloads/vagrant-boxes/CentOS-6.5-x86_64-v20140504.box
-centos65_box_vb_filename=$(basename ${centos65_box_vb_url})
-#wget ${precise_box_vb_url}
-vagrant box list |grep centos65
-if [[ $? != 0 ]]; then
- wget ${centos65_box_vb_url}
- mv ${centos65_box_vb_filename} centos65.box
- vagrant mutate centos65.box libvirt
-else
- echo "centos65 box already exists"
-fi
+
+ # copy compass
+ mkdir -p $WORK_DIR/mnt
+ sudo mount -o loop $WORK_DIR/iso/centos.iso $WORK_DIR/mnt
+ cp -rf $WORK_DIR/mnt/compass/compass-core $WORK_DIR/installer/
+ cp -rf $WORK_DIR/mnt/compass/compass-install $WORK_DIR/installer/
+ sudo umount $WORK_DIR/mnt
+ rm -rf $WORK_DIR/mnt
+
+ chmod 755 $WORK_DIR -R
+ virtualenv $WORK_DIR/venv
+}
diff --git a/compass/deploy/remote_excute.exp b/compass/deploy/remote_excute.exp
new file mode 100644
index 0000000..9dd112b
--- /dev/null
+++ b/compass/deploy/remote_excute.exp
@@ -0,0 +1,23 @@
+#!/usr/bin/expect
+
+set command [lindex $argv 0]
+set passwd [lindex $argv 1]
+
+eval spawn "$command"
+set timeout 60
+
+expect {
+ -re ".*es.*o.*"
+ {
+ exp_send "yes\r"
+ exp_continue
+ }
+
+ -re ".*sword:" {
+ exp_send "$passwd\r"
+
+ }
+
+}
+
+interact
diff --git a/compass/deploy/status_callback.py b/compass/deploy/status_callback.py
new file mode 100644
index 0000000..8619132
--- /dev/null
+++ b/compass/deploy/status_callback.py
@@ -0,0 +1,174 @@
+# (C) 2012, Michael DeHaan, <michael.dehaan@gmail.com>
+
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
+
+import httplib
+import json
+import sys
+import logging
+
+def task_error(host, data):
+ logging.info("task_error: host=%s,data=%s" % (host, data))
+
+ if type(data) == dict:
+ invocation = data.pop('invocation', {})
+
+ notify_host("localhost", host, "failed")
+
+class CallbackModule(object):
+ """
+ logs playbook results, per host, in /var/log/ansible/hosts
+ """
+
+ def on_any(self, *args, **kwargs):
+ pass
+
+ def runner_on_failed(self, host, res, ignore_errors=False):
+ task_error(host, res)
+
+ def runner_on_ok(self, host, res):
+ pass
+
+ def runner_on_skipped(self, host, item=None):
+ pass
+
+ def runner_on_unreachable(self, host, res):
+ pass
+
+ def runner_on_no_hosts(self):
+ pass
+
+ def runner_on_async_poll(self, host, res, jid, clock):
+ pass
+
+ def runner_on_async_ok(self, host, res, jid):
+ pass
+
+ def runner_on_async_failed(self, host, res, jid):
+ task_error(host, res)
+
+ def playbook_on_start(self):
+ pass
+
+ def playbook_on_notify(self, host, handler):
+ pass
+
+ def playbook_on_no_hosts_matched(self):
+ pass
+
+ def playbook_on_no_hosts_remaining(self):
+ pass
+
+ def playbook_on_task_start(self, name, is_conditional):
+ pass
+
+ def playbook_on_vars_prompt(self, varname, private=True, prompt=None, encrypt=None, confirm=False, salt_size=None, salt=None, default=None):
+ pass
+
+ def playbook_on_setup(self):
+ pass
+
+ def playbook_on_import_for_host(self, host, imported_file):
+ pass
+
+ def playbook_on_not_import_for_host(self, host, missing_file):
+ pass
+
+ def playbook_on_play_start(self, name):
+ pass
+
+ def playbook_on_stats(self, stats):
+ logging.info("playbook_on_stats enter")
+ hosts = sorted(stats.processed.keys())
+ host_vars = self.playbook.inventory.get_variables(hosts[0])
+ cluster_name = host_vars['cluster_name']
+ failures = False
+ unreachable = False
+
+ for host in hosts:
+ summary = stats.summarize(host)
+
+ if summary['failures'] > 0:
+ failures = True
+ if summary['unreachable'] > 0:
+ unreachable = True
+
+ if failures or unreachable:
+ for host in hosts:
+ notify_host("localhost", host, "error")
+ return
+
+ for host in hosts:
+ clusterhost_name = host + "." + cluster_name
+ notify_host("localhost", clusterhost_name, "succ")
+
+
+def raise_for_status(resp):
+ if resp.status < 200 or resp.status > 300:
+ raise RuntimeError("%s, %s, %s" % (resp.status, resp.reason, resp.read()))
+
+def auth(conn):
+ credential = {}
+ credential['email'] = "admin@huawei.com"
+ credential['password'] = "admin"
+ url = "/api/users/token"
+ headers = {"Content-type": "application/json",
+ "Accept": "*/*"}
+ conn.request("POST", url, json.dumps(credential), headers)
+ resp = conn.getresponse()
+
+ raise_for_status(resp)
+ return json.loads(resp.read())["token"]
+
+def notify_host(compass_host, host, status):
+ if status == "succ":
+ body = {"ready": True}
+ url = "/api/clusterhosts/%s/state_internal" % host
+ elif status == "error":
+ body = {"state": "ERROR"}
+ host = host.strip("host")
+ url = "/api/clusterhosts/%s/state" % host
+ else:
+ logging.error("notify_host: host %s with status %s is not supported" \
+ % (host, status))
+ return
+
+ headers = {"Content-type": "application/json",
+ "Accept": "*/*"}
+
+ conn = httplib.HTTPConnection(compass_host, 80)
+ token = auth(conn)
+ headers["X-Auth-Token"] = token
+ logging.info("host=%s,url=%s,body=%s,headers=%s" % (compass_host,url,json.dumps(body),headers))
+ conn.request("POST", url, json.dumps(body), headers)
+ resp = conn.getresponse()
+ try:
+ raise_for_status(resp)
+ logging.info("notify host status success!!! status=%s, body=%s" % (resp.status, resp.read()))
+ except Exception as e:
+ logging.error("http request failed %s" % str(e))
+ raise
+ finally:
+ conn.close()
+
+if __name__ == "__main__":
+ if len(sys.argv) != 3:
+ logging.error("params: host, status is need")
+ sys.exit(1)
+
+ host = sys.argv[1]
+ status = sys.argv[2]
+ notify_host(host, status)
diff --git a/compass/deploy/template/network/bridge.xml b/compass/deploy/template/network/bridge.xml
new file mode 100644
index 0000000..6202cf1
--- /dev/null
+++ b/compass/deploy/template/network/bridge.xml
@@ -0,0 +1,5 @@
+<network ipv6='no'>
+ <name>REPLACE_NAME</name>
+ <forward mode='bridge'>
+ </forward>
+</network>
diff --git a/compass/deploy/template/network/nat.xml b/compass/deploy/template/network/nat.xml
new file mode 100644
index 0000000..90ce888
--- /dev/null
+++ b/compass/deploy/template/network/nat.xml
@@ -0,0 +1,10 @@
+<network ipv6='yes'>
+ <name>REPLACE_NAME</name>
+ <forward mode='nat'/>
+ <bridge name='REPLACE_BRIDGE'/>
+ <ip address='REPLACE_GATEWAY' netmask='REPLACE_MASK'>
+ <!--dhcp>
+ <range start='REPLACE_START' end='REPLACE_END'/>
+ </dhcp-->
+ </ip>
+</network>
diff --git a/compass/deploy/template/vm/compass.xml b/compass/deploy/template/vm/compass.xml
new file mode 100644
index 0000000..918a9f2
--- /dev/null
+++ b/compass/deploy/template/vm/compass.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+ <name>compass</name>
+ <memory unit='MiB'>REPLACE_MEM</memory>
+ <currentMemory unit='MiB'>REPLACE_MEM</currentMemory>
+ <vcpu placement='static'>REPLACE_CPU</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
+ <boot dev='hd'/>
+ <boot dev='cdrom'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <cpu mode='host-model'>
+ <model fallback='allow'/>
+ <feature policy='optional' name='vmx'/>
+ <feature policy='optional' name='svm'/>
+ </cpu>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm-spice</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2'/>
+ <source file='REPLACE_IMAGE'/>
+ <target dev='vda' bus='ide'/>
+ </disk>
+ <disk type='file' device='cdrom'>
+ <driver name='qemu' type='raw'/>
+ <source file='REPLACE_ISO'/>
+ <target dev='hdc' bus='ide'/>
+ <readonly/>
+ </disk>
+ <controller type='pci' index='0' model='pci-root'/>
+ <interface type='network'>
+ <source network='REPLACE_NET_MGMT'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+ </interface>
+ <interface type='bridge'>
+ <source bridge='REPLACE_BRIDGE_INSTALL'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target port='0'/>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0' keymap='en-us'>
+ <listen type='address' address='0.0.0.0'/>
+ </graphics>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ </video>
+ </devices>
+</domain>
diff --git a/compass/deploy/template/vm/host.xml b/compass/deploy/template/vm/host.xml
new file mode 100644
index 0000000..b399e6f
--- /dev/null
+++ b/compass/deploy/template/vm/host.xml
@@ -0,0 +1,67 @@
+<domain type='kvm'>
+ <name>REPLACE_NAME</name>
+ <memory unit='MiB'>REPLACE_MEM</memory>
+ <currentMemory unit='MiB'>REPLACE_MEM</currentMemory>
+ <vcpu placement='static'>REPLACE_CPU</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
+ <boot dev='hd'/>
+ <boot dev='network'/>
+ <bios useserial='yes' rebootTimeout='0'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm-spice</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='REPLACE_IMAGE'/>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <interface type='bridge'>
+ <mac address=REPLACE_BOOT_MAC/>
+ <source bridge='REPLACE_BRIDGE_MGMT'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </interface>
+ <interface type='bridge'>
+ <source bridge='REPLACE_BRIDGE_TENANT'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+ </interface>
+ <interface type='bridge'>
+ <source bridge='REPLACE_BRIDGE_PUBLIC'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </interface>
+ <interface type='bridge'>
+ <source bridge='REPLACE_BRIDGE_STORAGE'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <source path='/dev/pts/0'/>
+ </serial>
+ <console type='pty' tty='/dev/pts/0'>
+ <source path='/dev/pts/0'/>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <graphics type='vnc' port='5901' autoport='yes' listen='0.0.0.0'>
+ <listen type='address' address='0.0.0.0'/>
+ </graphics>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ <alias name='video0'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </video>
+ </devices>
+</domain>
diff --git a/foreman/build/Makefile b/foreman/build/Makefile
index 8b87ce6..2d2a2a7 100644
--- a/foreman/build/Makefile
+++ b/foreman/build/Makefile
@@ -26,7 +26,7 @@ export VBOXDNLD = http://download.virtualbox.org/virtualbox/rpm/el/7.1/x86_64/Vi
export VBOXRPM = $(shell pwd)/VirtualBox-4.3-4.3.26_98988_el7-1.x86_64.rpm
export VAGRANTDNLD = https://dl.bintray.com/mitchellh/vagrant/vagrant_1.7.2_x86_64.rpm
export VAGRANTRPM = $(shell pwd)/vagrant_1.7.2_x86_64.rpm
-export GENESISRPM = $(shell pwd)/x86_64/opnfv-genesis-0.1-1.x86_64.rpm
+export GENESISRPM = $(shell pwd)/x86_64/opnfv-genesis-0.2-1.x86_64.rpm
# Note! Invoke with "make REVSTATE=RXXXX all" to make release build!
# Invoke with ICOCACHE=/full/path/to/iso if cached ISO is in non-standard location.
@@ -106,8 +106,8 @@ rpm-clean:
.PHONY: rpm
rpm:
- pushd ../../ && git archive --format=tar --prefix=opnfv-genesis-0.1/ HEAD | gzip > foreman/build/opnfv-genesis.tar.gz
- rpmbuild -ba opnfv-genesis.spec -D '_topdir %(echo `pwd`)' -D '_builddir %(echo `pwd`)' -D '_sourcedir %(echo `pwd`)' -D '_rpmdir %(echo `pwd`)' -D '_specdir %(echo `pwd`)' -D '_srcrpmdir %(echo `pwd`)'
+ pushd ../../ && git archive --format=tar --prefix=opnfv-genesis-0.2/ HEAD | gzip > foreman/build/opnfv-genesis.tar.gz
+ rpmbuild -ba opnfv-genesis.spec -D '_topdir %(echo `pwd`)' -D '_builddir %(echo `pwd`)' -D '_sourcedir %(echo `pwd`)' -D '_rpmdir %(echo `pwd`)' -D '_specdir %(echo `pwd`)' -D '_srcrpmdir %(echo `pwd`)'
@make rpm-clean
diff --git a/foreman/build/cache.mk b/foreman/build/cache.mk
index fdfd003..56b7273 100644
--- a/foreman/build/cache.mk
+++ b/foreman/build/cache.mk
@@ -16,6 +16,8 @@ CACHECLEAN := $(addsuffix .clean,$(CACHEFILES) $(CACHEDIRS))
# BEGIN of variables to customize
#
CACHEFILES += .versions
+CACHEFILES += $(shell basename $(VAGRANTRPM))
+CACHEFILES += $(shell basename $(VBOXRPM))
CACHEFILES += $(shell basename $(ISOSRC))
#
# END of variables to customize
diff --git a/foreman/build/opnfv-genesis.spec b/foreman/build/opnfv-genesis.spec
index 674760f..30692b4 100644
--- a/foreman/build/opnfv-genesis.spec
+++ b/foreman/build/opnfv-genesis.spec
@@ -1,5 +1,5 @@
Name: opnfv-genesis
-Version: 0.1
+Version: 0.2
Release: 1
Summary: The files from the OPNFV genesis repo
@@ -8,8 +8,8 @@ License: Apache 2.0
URL: https://gerrit.opnfv.org/gerrit/genesis.git
Source0: opnfv-genesis.tar.gz
-#BuildRequires:
-Requires: vagrant, VirtualBox-4.3
+#BuildRequires:
+Requires: vagrant, VirtualBox-4.3, net-tools
%description
The files from the OPNFV genesis repo
@@ -21,13 +21,16 @@ The files from the OPNFV genesis repo
%build
%install
-mkdir -p %{buildroot}/usr/bin/
-cp foreman/ci/deploy.sh %{buildroot}/usr/bin/
+mkdir -p %{buildroot}/root/genesis
+cp -r foreman/ %{buildroot}/root/genesis
+cp -r common/ %{buildroot}/root/genesis
%files
-/usr/bin/deploy.sh
+/root/genesis
%changelog
-* Fri Apr 24 2015 Dan Radez <dradez@redhatcom> - 0.1-1
+* Tue Sep 15 2015 Dan Radez <dradez@redhat.com> - 0.2-1
+- Updating the install files and cleaning up white space
+* Fri Apr 24 2015 Dan Radez <dradez@redhat.com> - 0.1-1
- Initial Packaging
diff --git a/foreman/ci/Vagrantfile b/foreman/ci/Vagrantfile
index 100e12d..c7dfc03 100644
--- a/foreman/ci/Vagrantfile
+++ b/foreman/ci/Vagrantfile
@@ -12,7 +12,7 @@ Vagrant.configure(2) do |config|
# Every Vagrant development environment requires a box. You can search for
# boxes at https://atlas.hashicorp.com/search.
- config.vm.box = "chef/centos-7.0"
+ config.vm.box = "opnfv/centos-7.0"
# Disable automatic box update checking. If you disable this, then
# boxes will only be checked for updates when the user runs
@@ -41,6 +41,9 @@ Vagrant.configure(2) do |config|
default_gw = ""
nat_flag = false
+ # Disable dhcp flag
+ disable_dhcp_flag = false
+
# Share an additional folder to the guest VM. The first argument is
# the path on the host to the actual folder. The second argument is
# the path on the guest to mount the folder. And the optional third
@@ -77,10 +80,11 @@ Vagrant.configure(2) do |config|
# sudo apt-get update
# sudo apt-get install -y apache2
# SHELL
-
+
config.ssh.username = 'root'
config.ssh.password = 'vagrant'
config.ssh.insert_key = 'true'
+ config.vm.provision :shell, path: "resize_partition.sh"
config.vm.provision "ansible" do |ansible|
ansible.playbook = "reload_playbook.yml"
end
@@ -90,4 +94,9 @@ Vagrant.configure(2) do |config|
config.vm.provision :shell, path: "nat_setup.sh"
end
config.vm.provision :shell, path: "bootstrap.sh"
+ if disable_dhcp_flag
+ config.vm.provision :shell, :inline => "systemctl stop dhcpd"
+ config.vm.provision :shell, :inline => "systemctl disable dhcpd"
+ end
+ config.vm.provision :shell, path: "resize_lvm.sh"
end
diff --git a/foreman/ci/bootstrap.sh b/foreman/ci/bootstrap.sh
index 4bc22ed..c98f00e 100755
--- a/foreman/ci/bootstrap.sh
+++ b/foreman/ci/bootstrap.sh
@@ -25,8 +25,7 @@ green=`tput setaf 2`
yum install -y epel-release-7*
# Install other required packages
-# Major version is pinned to force some consistency for Arno
-if ! yum -y install python-pip-1* python-virtualenv-1* gcc-4* git-1* sshpass-1* ansible-1* python-requests-1*; then
+if ! yum -y install python-pip python-virtualenv gcc git sshpass ansible python-requests; then
printf '%s\n' 'bootstrap.sh: failed to install required packages' >&2
exit 1
fi
@@ -36,7 +35,7 @@ cd /opt
echo "Cloning khaleesi to /opt"
if [ ! -d khaleesi ]; then
- if ! git clone -b v1.0 https://github.com/trozet/khaleesi.git; then
+ if ! git clone -b opnfv https://github.com/trozet/khaleesi.git; then
printf '%s\n' 'bootstrap.sh: Unable to git clone khaleesi' >&2
exit 1
fi
diff --git a/foreman/ci/clean.sh b/foreman/ci/clean.sh
index f61ac93..345864b 100755
--- a/foreman/ci/clean.sh
+++ b/foreman/ci/clean.sh
@@ -3,22 +3,23 @@
#Clean script to uninstall provisioning server for Foreman/QuickStack
#author: Tim Rozet (trozet@redhat.com)
#
-#Uses Vagrant and VirtualBox
+#Removes Libvirt, KVM, Vagrant, VirtualBox
#
-#Destroys Vagrant VM running in /tmp/bgs_vagrant
+#Destroys Vagrant VMs running in $vm_dir/
#Shuts down all nodes found in Khaleesi settings
-#Removes hypervisor kernel modules (VirtualBox)
+#Removes hypervisor kernel modules (VirtualBox & KVM/Libvirt)
##VARS
reset=`tput sgr0`
blue=`tput setaf 4`
red=`tput setaf 1`
green=`tput setaf 2`
+vm_dir=/var/opt/opnfv
##END VARS
##FUNCTIONS
display_usage() {
- echo -e "\n\n${blue}This script is used to uninstall Foreman/QuickStack Installer and Clean OPNFV Target System${reset}\n\n"
+ echo -e "\n\n${blue}This script is used to uninstall and clean the OPNFV Target System${reset}\n\n"
echo -e "\nUsage:\n$0 [arguments] \n"
echo -e "\n -no_parse : No variable parsing into config. Flag. \n"
echo -e "\n -base_config : Full path of ksgen settings file to parse. Required. Will provide BMC info to shutdown hosts. Example: -base_config /opt/myinventory.yml \n"
@@ -31,7 +32,7 @@ if [[ ( $1 == "--help") || $1 == "-h" ]]; then
exit 0
fi
-echo -e "\n\n${blue}This script is used to uninstall Foreman/QuickStack Installer and Clean OPNFV Target System${reset}\n\n"
+echo -e "\n\n${blue}This script is used to uninstall and clean the OPNFV Target System${reset}\n\n"
echo "Use -h to display help"
sleep 2
@@ -50,54 +51,55 @@ do
esac
done
-
-# Install ipmitool
-# Major version is pinned to force some consistency for Arno
-if ! yum list installed | grep -i ipmitool; then
- if ! yum -y install ipmitool-1*; then
- echo "${red}Unable to install ipmitool!${reset}"
- exit 1
- fi
-else
- echo "${blue}Skipping ipmitool as it is already installed!${reset}"
-fi
-
-###find all the bmc IPs and number of nodes
-node_counter=0
-output=`grep bmc_ip $base_config | grep -Eo '[0-9]+.[0-9]+.[0-9]+.[0-9]+'`
-for line in ${output} ; do
- bmc_ip[$node_counter]=$line
- ((node_counter++))
-done
-
-max_nodes=$((node_counter-1))
-
-###find bmc_users per node
-node_counter=0
-output=`grep bmc_user $base_config | sed 's/\s*bmc_user:\s*//'`
-for line in ${output} ; do
- bmc_user[$node_counter]=$line
- ((node_counter++))
-done
-
-###find bmc_pass per node
-node_counter=0
-output=`grep bmc_pass $base_config | sed 's/\s*bmc_pass:\s*//'`
-for line in ${output} ; do
- bmc_pass[$node_counter]=$line
- ((node_counter++))
-done
-
-for mynode in `seq 0 $max_nodes`; do
- echo "${blue}Node: ${bmc_ip[$mynode]} ${bmc_user[$mynode]} ${bmc_pass[$mynode]} ${reset}"
- if ipmitool -I lanplus -P ${bmc_pass[$mynode]} -U ${bmc_user[$mynode]} -H ${bmc_ip[$mynode]} chassis power off; then
- echo "${blue}Node: $mynode, ${bmc_ip[$mynode]} powered off!${reset}"
+if [ ! -z "$base_config" ]; then
+ # Install ipmitool
+ # Major version is pinned to force some consistency for Arno
+ if ! yum list installed | grep -i ipmitool; then
+ if ! yum -y install ipmitool-1*; then
+ echo "${red}Unable to install ipmitool!${reset}"
+ exit 1
+ fi
else
- echo "${red}Error: Unable to power off $mynode, ${bmc_ip[$mynode]} ${reset}"
- exit 1
+ echo "${blue}Skipping ipmitool as it is already installed!${reset}"
fi
-done
+ ###find all the bmc IPs and number of nodes
+ node_counter=0
+ output=`grep bmc_ip $base_config | grep -Eo '[0-9]+.[0-9]+.[0-9]+.[0-9]+'`
+ for line in ${output} ; do
+ bmc_ip[$node_counter]=$line
+ ((node_counter++))
+ done
+
+ max_nodes=$((node_counter-1))
+
+ ###find bmc_users per node
+ node_counter=0
+ output=`grep bmc_user $base_config | sed 's/\s*bmc_user:\s*//'`
+ for line in ${output} ; do
+ bmc_user[$node_counter]=$line
+ ((node_counter++))
+ done
+
+ ###find bmc_pass per node
+ node_counter=0
+ output=`grep bmc_pass $base_config | sed 's/\s*bmc_pass:\s*//'`
+ for line in ${output} ; do
+ bmc_pass[$node_counter]=$line
+ ((node_counter++))
+ done
+ for mynode in `seq 0 $max_nodes`; do
+ echo "${blue}Node: ${bmc_ip[$mynode]} ${bmc_user[$mynode]} ${bmc_pass[$mynode]} ${reset}"
+ if ipmitool -I lanplus -P ${bmc_pass[$mynode]} -U ${bmc_user[$mynode]} -H ${bmc_ip[$mynode]} chassis power off; then
+ echo "${blue}Node: $mynode, ${bmc_ip[$mynode]} powered off!${reset}"
+ else
+ echo "${red}Error: Unable to power off $mynode, ${bmc_ip[$mynode]} ${reset}"
+ exit 1
+ fi
+ done
+else
+ echo "${blue}Skipping Baremetal node poweroff as base_config was not provided${reset}"
+fi
###check to see if vbox is installed
vboxpkg=`rpm -qa | grep VirtualBox`
if [ $? -eq 0 ]; then
@@ -106,39 +108,120 @@ else
skip_vagrant=1
fi
+###legacy VM location check
+###remove me later
+if [ -d /tmp/bgs_vagrant ]; then
+ cd /tmp/bgs_vagrant
+ vagrant destroy -f
+ rm -rf /tmp/bgs_vagrant
+fi
+
###destroy vagrant
if [ $skip_vagrant -eq 0 ]; then
- cd /tmp/bgs_vagrant
- if vagrant destroy -f; then
- echo "${blue}Successfully destroyed Foreman VM ${reset}"
+ if [ -d $vm_dir ]; then
+ ##all vm directories
+ for vm in $( ls $vm_dir ); do
+ cd $vm_dir/$vm
+ if vagrant destroy -f; then
+ echo "${blue}Successfully destroyed $vm Vagrant VM ${reset}"
+ else
+ echo "${red}Unable to destroy $vm Vagrant VM! Attempting to killall vagrant if process is hung ${reset}"
+ killall vagrant
+ echo "${blue}Checking if vagrant was already destroyed and no process is active...${reset}"
+ if ps axf | grep vagrant | grep -v 'grep'; then
+ echo "${red}Vagrant process still exists after kill...exiting ${reset}"
+ exit 1
+ else
+ echo "${blue}Vagrant process doesn't exist. Moving on... ${reset}"
+ fi
+ fi
+
+ ##Vagrant boxes appear as VboxHeadless processes
+ ##try to gracefully destroy the VBox VM if it still exists
+ if vboxmanage list runningvms | grep $vm; then
+ echo "${red} $vm VBoxHeadless process still exists...Removing${reset}"
+ vbox_id=$(vboxmanage list runningvms | grep $vm | awk '{print $1}' | sed 's/"//g')
+ vboxmanage controlvm $vbox_id poweroff
+ if vboxmanage unregistervm --delete $vbox_id; then
+ echo "${blue}$vm VM is successfully deleted! ${reset}"
+ else
+ echo "${red} Unable to delete VM $vm ...Exiting ${reset}"
+ exit 1
+ fi
+ else
+ echo "${blue}$vm VM is successfully deleted! ${reset}"
+ fi
+ done
else
- echo "${red}Unable to destroy Foreman VM ${reset}"
- echo "${blue}Checking if vagrant was already destroyed and no process is active...${reset}"
- if ps axf | grep vagrant; then
- echo "${red}Vagrant VM still exists...exiting ${reset}"
- exit 1
- else
- echo "${blue}Vagrant process doesn't exist. Moving on... ${reset}"
- fi
+ echo "${blue}${vm_dir} doesn't exist, no VMs in OPNFV directory to destroy! ${reset}"
fi
+ echo "${blue}Checking for any remaining virtual box processes...${reset}"
###kill virtualbox
- echo "${blue}Killing VirtualBox ${reset}"
- killall virtualbox
- killall VBoxHeadless
+ if ps axf | grep virtualbox | grep -v 'grep'; then
+ echo "${blue}virtualbox processes are still running. Killing any remaining VirtualBox processes...${reset}"
+ killall virtualbox
+ fi
+
+ ###kill any leftover VMs (brute force)
+ if ps axf | grep VBoxHeadless | grep -v 'grep'; then
+ echo "${blue}VBoxHeadless processes are still running. Killing any remaining VBoxHeadless processes...${reset}"
+ killall VBoxHeadless
+ fi
###remove virtualbox
- echo "${blue}Removing VirtualBox ${reset}"
+ echo "${blue}Removing VirtualBox... ${reset}"
yum -y remove $vboxpkg
else
- echo "${blue}Skipping Vagrant destroy + Vbox Removal as VirtualBox package is already removed ${reset}"
+ echo "${blue}Skipping Vagrant destroy + VBox Removal as VirtualBox package is already removed ${reset}"
fi
+###remove working vm directory
+echo "${blue}Removing working VM directory: $vm_dir ${reset}"
+rm -rf $vm_dir
+
+###check to see if libvirt is installed
+echo "${blue}Checking if libvirt/KVM is installed"
+if rpm -qa | grep -iE 'libvirt|kvm'; then
+ echo "${blue}Libvirt/KVM is installed${reset}"
+ echo "${blue}Checking for any QEMU/KVM VMs...${reset}"
+ vm_count=0
+ while read -r line; do ((vm_count++)); done < <(virsh list --all | sed 1,2d | head -n -1)
+ if [ $vm_count -gt 0 ]; then
+ echo "${blue}VMs Found: $vm_count${reset}"
+ vm_runnning=0
+ while read -r line; do ((vm_running++)); done < <(virsh list --all | sed 1,2d | head -n -1| grep -i running)
+ echo "${blue}Powering off $vm_running VM(s)${reset}"
+ while read -r vm; do
+ if ! virsh destroy $vm; then
+ echo "${red}WARNING: Unable to power off VM ${vm}${reset}"
+ else
+ echo "${blue}VM $vm powered off!${reset}"
+ fi
+ done < <(virsh list --all | sed 1,2d | head -n -1| grep -i running | sed 's/^[ \t]*//' | awk '{print $2}')
+ echo "${blue}Destroying libvirt VMs...${reset}"
+ while read -r vm; do
+ if ! virsh undefine --remove-all-storage $vm; then
+ echo "${red}ERROR: Unable to remove the VM ${vm}${reset}"
+ exit 1
+ else
+ echo "${blue}VM $vm removed!${reset}"
+ fi
+ done < <(virsh list --all | sed 1,2d | head -n -1| awk '{print $2}')
+ else
+ echo "${blue}No VMs found for removal"
+ fi
+ echo "${blue}Removing libvirt and kvm packages"
+ yum -y remove libvirt-*
+ yum -y remove *qemu*
+else
+ echo "${blue}libvirt/KVM is not installed${reset}"
+fi
###remove kernel modules
echo "${blue}Removing kernel modules ${reset}"
-for kernel_mod in vboxnetadp vboxnetflt vboxpci vboxdrv; do
+for kernel_mod in vboxnetadp vboxnetflt vboxpci vboxdrv kvm_intel kvm; do
if ! rmmod $kernel_mod; then
if rmmod $kernel_mod 2>&1 | grep -i 'not currently loaded'; then
echo "${blue} $kernel_mod is not currently loaded! ${reset}"
diff --git a/foreman/ci/deploy.sh b/foreman/ci/deploy.sh
index 86f03a7..6bf8f12 100755
--- a/foreman/ci/deploy.sh
+++ b/foreman/ci/deploy.sh
@@ -25,6 +25,14 @@ red=`tput setaf 1`
green=`tput setaf 2`
declare -A interface_arr
+declare -A controllers_ip_arr
+declare -A admin_ip_arr
+declare -A public_ip_arr
+
+vagrant_box_dir=~/.vagrant.d/boxes/opnfv-VAGRANTSLASH-centos-7.0/1.0.0/virtualbox/
+vagrant_box_vmdk=box-disk1.vmdk
+vm_dir=/var/opt/opnfv
+script=`realpath $0`
##END VARS
##FUNCTIONS
@@ -35,6 +43,38 @@ display_usage() {
echo -e "\n -no_parse : No variable parsing into config. Flag. \n"
echo -e "\n -base_config : Full path of settings file to parse. Optional. Will provide a new base settings file rather than the default. Example: -base_config /opt/myinventory.yml \n"
echo -e "\n -virtual : Node virtualization instead of baremetal. Flag. \n"
+ echo -e "\n -enable_virtual_dhcp : Run dhcp server instead of using static IPs. Use this with -virtual only. \n"
+ echo -e "\n -static_ip_range : static IP range to define when using virtual and when dhcp is not being used (default), must at least a 20 IP block. Format: '192.168.1.1,192.168.1.20' \n"
+ echo -e "\n -ping_site : site to use to verify IP connectivity from the VM when -virtual is used. Format: -ping_site www.blah.com \n"
+ echo -e "\n -floating_ip_count : number of IP address from the public range to be used for floating IP. Default is 20.\n"
+ echo -e "\n -admin_nic : Baremetal NIC for the admin network. Required if other "nic" arguments are used. \
+Not applicable with -virtual. Example: -admin_nic em1"
+ echo -e "\n -private_nic : Baremetal NIC for the private network. Required if other "nic" arguments are used. \
+Not applicable with -virtual. Example: -private_nic em2"
+ echo -e "\n -public_nic : Baremetal NIC for the public network. Required if other "nic" arguments are used. \
+Can also be used with -virtual. Example: -public_nic em3"
+ echo -e "\n -storage_nic : Baremetal NIC for the storage network. Optional. Not applicable with -virtual. \
+Private NIC will be used for storage if not specified. Example: -storage_nic em4"
+ echo -e "\n -single_baremetal_nic : Baremetal NIC for the all in one network. Optional. Not applicable with -virtual. \
+Example: -single_baremetal_nic em1"
+}
+
+##verify vm dir exists
+##params: none
+function verify_vm_dir {
+ if [ -d "$vm_dir" ]; then
+ echo -e "\n\n${red}ERROR: VM Directory: $vm_dir already exists. Environment not clean. Please use clean.sh. Exiting${reset}\n\n"
+ exit 1
+ else
+ mkdir -p $vm_dir
+ fi
+
+ chmod 700 $vm_dir
+
+ if [ ! -d $vm_dir ]; then
+ echo -e "\n\n${red}ERROR: Unable to create VM Directory: $vm_dir Exiting${reset}\n\n"
+ exit -1
+ fi
}
##find ip of interface
@@ -51,6 +91,41 @@ function find_subnet {
printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))"
}
+##verify subnet has at least n IPs
+##params: subnet mask, n IPs
+function verify_subnet_size {
+ IFS=. read -r i1 i2 i3 i4 <<< "$1"
+ num_ips_required=$2
+
+ ##this function assumes you would never need more than 254
+ ##we check here to make sure
+ if [ "$num_ips_required" -ge 254 ]; then
+ echo -e "\n\n${red}ERROR: allocating more than 254 IPs is unsupported...Exiting${reset}\n\n"
+ return 1
+ fi
+
+ ##we just return if 3rd octet is not 255
+ ##because we know the subnet is big enough
+ if [ "$i3" -ne 255 ]; then
+ return 0
+ elif [ $((254-$i4)) -ge "$num_ips_required" ]; then
+ return 0
+ else
+ echo -e "\n\n${red}ERROR: Subnet is too small${reset}\n\n"
+ return 1
+ fi
+}
+
+##finds last usable ip (broadcast minus 1) of a subnet from an IP and netmask
+## Warning: This function only works for IPv4 at the moment.
+##params: ip, netmask
+function find_last_ip_subnet {
+ IFS=. read -r i1 i2 i3 i4 <<< "$1"
+ IFS=. read -r m1 m2 m3 m4 <<< "$2"
+ IFS=. read -r s1 s2 s3 s4 <<< "$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).$((i4 & m4))"
+ printf "%d.%d.%d.%d\n" "$((255 - $m1 + $s1))" "$((255 - $m2 + $s2))" "$((255 - $m3 + $s3))" "$((255 - $m4 + $s4 - 1))"
+}
+
##increments subnet by a value
##params: ip, value
##assumes low value
@@ -87,6 +162,19 @@ function next_ip {
echo $baseaddr.$lsv
}
+##subtracts a value from an IP address
+##params: last ip, ip_count
+##assumes ip_count is less than the last octect of the address
+subtract_ip() {
+ IFS=. read -r i1 i2 i3 i4 <<< "$1"
+ ip_count=$2
+ if [ $i4 -lt $ip_count ]; then
+ echo -e "\n\n${red}ERROR: Can't subtract $ip_count from IP address $1 Exiting${reset}\n\n"
+ exit 1
+ fi
+ printf "%d.%d.%d.%d\n" "$i1" "$i2" "$i3" "$((i4 - $ip_count ))"
+}
+
##removes the network interface config from Vagrantfile
##params: interface
##assumes you are in the directory of Vagrantfile
@@ -149,19 +237,21 @@ parse_yaml() {
}'
}
-##END FUNCTIONS
-
-if [[ ( $1 == "--help") || $1 == "-h" ]]; then
+##translates the command line paramaters into variables
+##params: $@ the entire command line is passed
+##usage: parse_cmd_line() "$@"
+parse_cmdline() {
+ if [[ ( $1 == "--help") || $1 == "-h" ]]; then
display_usage
exit 0
-fi
+ fi
-echo -e "\n\n${blue}This script is used to deploy Foreman/QuickStack Installer and Provision OPNFV Target System${reset}\n\n"
-echo "Use -h to display help"
-sleep 2
+ echo -e "\n\n${blue}This script is used to deploy Foreman/QuickStack Installer and Provision OPNFV Target System${reset}\n\n"
+ echo "Use -h to display help"
+ sleep 2
-while [ "`echo $1 | cut -c1`" = "-" ]
-do
+ while [ "`echo $1 | cut -c1`" = "-" ]
+ do
echo $1
case "$1" in
-base_config)
@@ -176,35 +266,152 @@ do
virtual="TRUE"
shift 1
;;
+ -enable_virtual_dhcp)
+ enable_virtual_dhcp="TRUE"
+ shift 1
+ ;;
+ -static_ip_range)
+ static_ip_range=$2
+ shift 2
+ ;;
+ -ping_site)
+ ping_site=$2
+ shift 2
+ ;;
+ -floating_ip_count)
+ floating_ip_count=$2
+ shift 2
+ ;;
+ -admin_nic)
+ admin_nic=$2
+ shift 2
+ nic_arg_flag=1
+ ;;
+ -private_nic)
+ private_nic=$2
+ shift 2
+ nic_arg_flag=1
+ ;;
+ -public_nic)
+ public_nic=$2
+ shift 2
+ nic_arg_flag=1
+ ;;
+ -storage_nic)
+ storage_nic=$2
+ shift 2
+ nic_arg_flag=1
+ ;;
+ -single_baremetal_nic)
+ single_baremetal_nic=$2
+ shift 2
+ ;;
*)
display_usage
exit 1
;;
-esac
-done
+ esac
+ done
+
+ if [ ! -z "$enable_virtual_dhcp" ] && [ ! -z "$static_ip_range" ]; then
+ echo -e "\n\n${red}ERROR: Incorrect Usage. Static IP range cannot be set when using DHCP!. Exiting${reset}\n\n"
+ exit 1
+ fi
+
+ if [ -z "$virtual" ]; then
+ if [ ! -z "$enable_virtual_dhcp" ]; then
+ echo -e "\n\n${red}ERROR: Incorrect Usage. enable_virtual_dhcp can only be set when using -virtual!. Exiting${reset}\n\n"
+ exit 1
+ elif [ ! -z "$static_ip_range" ]; then
+ echo -e "\n\n${red}ERROR: Incorrect Usage. static_ip_range can only be set when using -virtual!. Exiting${reset}\n\n"
+ exit 1
+ fi
+ fi
+
+ if [ -z "$floating_ip_count" ]; then
+ floating_ip_count=20
+ fi
+
+ ##Validate nic args
+ if [[ $nic_arg_flag -eq 1 ]]; then
+ if [ ! -z "$single_baremetal_nic" ]; then
+ echo "${red}Please do not specify other nic types along with single_baremetal_nic!${reset}"
+ exit 1
+ fi
+
+ if [ -z "$virtual" ]; then
+ for nic_type in admin_nic private_nic public_nic; do
+ eval "nic_value=\$$nic_type"
+ if [ -z "$nic_value" ]; then
+ echo "${red}$nic_type is empty or not defined. Required when other nic args are given!${reset}"
+ exit 1
+ fi
+ interface_ip=$(find_ip $nic_value)
+ if [ ! "$interface_ip" ]; then
+ echo "${red}$nic_value does not have an IP address! Exiting... ${reset}"
+ exit 1
+ fi
+ done
+ else
+ ##if virtual only public_nic should be specified
+ for nic_type in admin_nic private_nic storage_nic single_baremetal_nic; do
+ eval "nic_value=\$$nic_type"
+ if [ ! -z "$nic_value" ]; then
+ echo "${red}$nic_type is not a valid argument using -virtual. Please only specify public_nic!${reset}"
+ exit 1
+ fi
+ done
+
+ interface_ip=$(find_ip $public_nic)
+ if [ ! "$interface_ip" ]; then
+ echo "${red}Public NIC: $public_nic does not have an IP address! Exiting... ${reset}"
+ exit 1
+ fi
+ fi
+ elif [ ! -z "$single_baremetal_nic" ]; then
+ interface_ip=$(find_ip $single_baremetal_nic)
+ if [ ! "$interface_ip" ]; then
+ echo "${red}Single Baremetal NIC: $single_baremetal_nic does not have an IP address! Exiting... ${reset}"
+ exit 1
+ fi
+ fi
+}
##disable selinux
-/sbin/setenforce 0
-
-# Install EPEL repo for access to many other yum repos
-# Major version is pinned to force some consistency for Arno
-yum install -y epel-release-7*
-
-# Install other required packages
-# Major versions are pinned to force some consistency for Arno
-if ! yum install -y binutils-2* gcc-4* make-3* patch-2* libgomp-4* glibc-headers-2* glibc-devel-2* kernel-headers-3* kernel-devel-3* dkms-2* psmisc-22*; then
- printf '%s\n' 'deploy.sh: Unable to install depdency packages' >&2
- exit 1
-fi
-
-##install VirtualBox repo
-if cat /etc/*release | grep -i "Fedora release"; then
- vboxurl=http://download.virtualbox.org/virtualbox/rpm/fedora/\$releasever/\$basearch
-else
- vboxurl=http://download.virtualbox.org/virtualbox/rpm/el/\$releasever/\$basearch
-fi
-
-cat > /etc/yum.repos.d/virtualbox.repo << EOM
+##params: none
+##usage: disable_selinux()
+disable_selinux() {
+ /sbin/setenforce 0
+}
+
+##Install the EPEL repository and additional packages
+##params: none
+##usage: install_EPEL()
+install_EPEL() {
+ # Install EPEL repo for access to many other yum repos
+ # Major version is pinned to force some consistency for Arno
+ yum install -y epel-release-7*
+
+ # Install other required packages
+ # Major versions are pinned to force some consistency for Arno
+ if ! yum install -y binutils-2* gcc-4* make-3* patch-2* libgomp-4* glibc-headers-2* glibc-devel-2* kernel-headers-3* kernel-devel-3* dkms-2* psmisc-22*; then
+ printf '%s\n' 'deploy.sh: Unable to install depdency packages' >&2
+ exit 1
+ fi
+}
+
+##Download and install virtual box
+##params: none
+##usage: install_vbox()
+install_vbox() {
+ ##install VirtualBox repo
+ if cat /etc/*release | grep -i "Fedora release"; then
+ vboxurl=http://download.virtualbox.org/virtualbox/rpm/fedora/\$releasever/\$basearch
+ else
+ vboxurl=http://download.virtualbox.org/virtualbox/rpm/el/\$releasever/\$basearch
+ fi
+
+ cat > /etc/yum.repos.d/virtualbox.repo << EOM
[virtualbox]
name=Oracle Linux / RHEL / CentOS-\$releasever / \$basearch - VirtualBox
baseurl=$vboxurl
@@ -215,364 +422,374 @@ skip_if_unavailable = 1
keepcache = 0
EOM
-##install VirtualBox
-if ! yum list installed | grep -i virtualbox; then
- if ! yum -y install VirtualBox-4.3; then
- printf '%s\n' 'deploy.sh: Unable to install virtualbox package' >&2
- exit 1
+ ##install VirtualBox
+ if ! yum list installed | grep -i virtualbox; then
+ if ! yum -y install VirtualBox-4.3; then
+ printf '%s\n' 'deploy.sh: Unable to install virtualbox package' >&2
+ exit 1
+ fi
fi
-fi
-##install kmod-VirtualBox
-if ! lsmod | grep vboxdrv; then
- if ! sudo /etc/init.d/vboxdrv setup; then
- printf '%s\n' 'deploy.sh: Unable to install kernel module for virtualbox' >&2
- exit 1
+ ##install kmod-VirtualBox
+ if ! lsmod | grep vboxdrv; then
+ sudo /etc/init.d/vboxdrv setup
+ if ! lsmod | grep vboxdrv; then
+ printf '%s\n' 'deploy.sh: Unable to install kernel module for virtualbox' >&2
+ exit 1
+ fi
+ else
+ printf '%s\n' 'deploy.sh: Skipping kernel module for virtualbox. Already Installed'
fi
-else
- printf '%s\n' 'deploy.sh: Skipping kernel module for virtualbox. Already Installed'
-fi
+}
-##install Ansible
-if ! yum list installed | grep -i ansible; then
- if ! yum -y install ansible-1*; then
- printf '%s\n' 'deploy.sh: Unable to install Ansible package' >&2
- exit 1
+##install Ansible using yum
+##params: none
+##usage: install_ansible()
+install_ansible() {
+ if ! yum list installed | grep -i ansible; then
+ if ! yum -y install ansible-1*; then
+ printf '%s\n' 'deploy.sh: Unable to install Ansible package' >&2
+ exit 1
+ fi
fi
-fi
+}
-##install Vagrant
-if ! rpm -qa | grep vagrant; then
- if ! rpm -Uvh https://dl.bintray.com/mitchellh/vagrant/vagrant_1.7.2_x86_64.rpm; then
- printf '%s\n' 'deploy.sh: Unable to install vagrant package' >&2
- exit 1
+##install Vagrant RPM directly with the bintray.com site
+##params: none
+##usage: install_vagrant()
+install_vagrant() {
+ if ! rpm -qa | grep vagrant; then
+ if ! rpm -Uvh https://dl.bintray.com/mitchellh/vagrant/vagrant_1.7.2_x86_64.rpm; then
+ printf '%s\n' 'deploy.sh: Unable to install vagrant package' >&2
+ exit 1
+ fi
+ else
+ printf '%s\n' 'deploy.sh: Skipping Vagrant install as it is already installed.'
fi
-else
- printf '%s\n' 'deploy.sh: Skipping Vagrant install as it is already installed.'
-fi
-##add centos 7 box to vagrant
-if ! vagrant box list | grep chef/centos-7.0; then
- if ! vagrant box add chef/centos-7.0 --provider virtualbox; then
- printf '%s\n' 'deploy.sh: Unable to download centos7 box for Vagrant' >&2
- exit 1
+ ##add centos 7 box to vagrant
+ if ! vagrant box list | grep opnfv/centos-7.0; then
+ if ! vagrant box add opnfv/centos-7.0 --provider virtualbox; then
+ printf '%s\n' 'deploy.sh: Unable to download centos7 box for Vagrant' >&2
+ exit 1
+ fi
+ else
+ printf '%s\n' 'deploy.sh: Skipping Vagrant box add as centos-7.0 is already installed.'
fi
-else
- printf '%s\n' 'deploy.sh: Skipping Vagrant box add as centos-7.0 is already installed.'
-fi
-##install workaround for centos7
-if ! vagrant plugin list | grep vagrant-centos7_fix; then
- if ! vagrant plugin install vagrant-centos7_fix; then
- printf '%s\n' 'deploy.sh: Warning: unable to install vagrant centos7 workaround' >&2
+ ##install workaround for centos7
+ if ! vagrant plugin list | grep vagrant-centos7_fix; then
+ if ! vagrant plugin install vagrant-centos7_fix; then
+ printf '%s\n' 'deploy.sh: Warning: unable to install vagrant centos7 workaround' >&2
+ fi
+ else
+ printf '%s\n' 'deploy.sh: Skipping Vagrant plugin as centos7 workaround is already installed.'
fi
-else
- printf '%s\n' 'deploy.sh: Skipping Vagrant plugin as centos7 workaround is already installed.'
-fi
+}
-cd /tmp/
##remove bgs vagrant incase it wasn't cleaned up
-rm -rf /tmp/bgs_vagrant
-
-##clone bgs vagrant
-##will change this to be opnfv repo when commit is done
-if ! git clone -b v1.0 https://github.com/trozet/bgs_vagrant.git; then
- printf '%s\n' 'deploy.sh: Unable to clone vagrant repo' >&2
- exit 1
-fi
-
-cd bgs_vagrant
-
-echo "${blue}Detecting network configuration...${reset}"
-##detect host 1 or 3 interface configuration
-#output=`ip link show | grep -E "^[0-9]" | grep -Ev ": lo|tun|virbr|vboxnet" | awk '{print $2}' | sed 's/://'`
-output=`ifconfig | grep -E "^[a-zA-Z0-9]+:"| grep -Ev "lo|tun|virbr|vboxnet" | awk '{print $1}' | sed 's/://'`
-
-if [ ! "$output" ]; then
- printf '%s\n' 'deploy.sh: Unable to detect interfaces to bridge to' >&2
- exit 1
-fi
-
-##find number of interfaces with ip and substitute in VagrantFile
-if_counter=0
-for interface in ${output}; do
-
- if [ "$if_counter" -ge 4 ]; then
- break
- fi
- interface_ip=$(find_ip $interface)
- if [ ! "$interface_ip" ]; then
- continue
- fi
- new_ip=$(next_usable_ip $interface_ip)
- if [ ! "$new_ip" ]; then
- continue
- fi
- interface_arr[$interface]=$if_counter
- interface_ip_arr[$if_counter]=$new_ip
- subnet_mask=$(find_netmask $interface)
- if [ "$if_counter" -eq 1 ]; then
- private_subnet_mask=$subnet_mask
- private_short_subnet_mask=$(find_short_netmask $interface)
- fi
- if [ "$if_counter" -eq 2 ]; then
- public_subnet_mask=$subnet_mask
- public_short_subnet_mask=$(find_short_netmask $interface)
- fi
- if [ "$if_counter" -eq 3 ]; then
- storage_subnet_mask=$subnet_mask
- fi
- sed -i 's/^.*eth_replace'"$if_counter"'.*$/ config.vm.network "public_network", ip: '\""$new_ip"\"', bridge: '\'"$interface"\'', netmask: '\""$subnet_mask"\"'/' Vagrantfile
- ((if_counter++))
-done
-
-##now remove interface config in Vagrantfile for 1 node
-##if 1, 3, or 4 interfaces set deployment type
-##if 2 interfaces remove 2nd interface and set deployment type
-if [ "$if_counter" == 1 ]; then
- deployment_type="single_network"
- remove_vagrant_network eth_replace1
- remove_vagrant_network eth_replace2
- remove_vagrant_network eth_replace3
-elif [ "$if_counter" == 2 ]; then
- deployment_type="single_network"
- second_interface=`echo $output | awk '{print $2}'`
- remove_vagrant_network $second_interface
- remove_vagrant_network eth_replace2
-elif [ "$if_counter" == 3 ]; then
- deployment_type="three_network"
- remove_vagrant_network eth_replace3
-else
- deployment_type="multi_network"
-fi
-
-echo "${blue}Network detected: ${deployment_type}! ${reset}"
-
-if route | grep default; then
- echo "${blue}Default Gateway Detected ${reset}"
- host_default_gw=$(ip route | grep default | awk '{print $3}')
- echo "${blue}Default Gateway: $host_default_gw ${reset}"
- default_gw_interface=$(ip route get $host_default_gw | awk '{print $3}')
- case "${interface_arr[$default_gw_interface]}" in
- 0)
- echo "${blue}Default Gateway Detected on Admin Interface!${reset}"
- sed -i 's/^.*default_gw =.*$/ default_gw = '\""$host_default_gw"\"'/' Vagrantfile
- node_default_gw=$host_default_gw
- ;;
- 1)
- echo "${red}Default Gateway Detected on Private Interface!${reset}"
- echo "${red}Private subnet should be private and not have Internet access!${reset}"
- exit 1
- ;;
- 2)
- echo "${blue}Default Gateway Detected on Public Interface!${reset}"
- sed -i 's/^.*default_gw =.*$/ default_gw = '\""$host_default_gw"\"'/' Vagrantfile
- echo "${blue}Will setup NAT from Admin -> Public Network on VM!${reset}"
- sed -i 's/^.*nat_flag =.*$/ nat_flag = true/' Vagrantfile
- echo "${blue}Setting node gateway to be VM Admin IP${reset}"
- node_default_gw=${interface_ip_arr[0]}
- public_gateway=$default_gw
- ;;
- 3)
- echo "${red}Default Gateway Detected on Storage Interface!${reset}"
- echo "${red}Storage subnet should be private and not have Internet access!${reset}"
- exit 1
- ;;
- *)
- echo "${red}Unable to determine which interface default gateway is on..Exiting!${reset}"
- exit 1
- ;;
- esac
-else
- #assumes 24 bit mask
- defaultgw=`echo ${interface_ip_arr[0]} | cut -d. -f1-3`
- firstip=.1
- defaultgw=$defaultgw$firstip
- echo "${blue}Unable to find default gateway. Assuming it is $defaultgw ${reset}"
- sed -i 's/^.*default_gw =.*$/ default_gw = '\""$defaultgw"\"'/' Vagrantfile
- node_default_gw=$defaultgw
-fi
-
-if [ $base_config ]; then
- if ! cp -f $base_config opnfv_ksgen_settings.yml; then
- echo "{red}ERROR: Unable to copy $base_config to opnfv_ksgen_settings.yml${reset}"
- exit 1
- fi
-fi
-
-if [ $no_parse ]; then
-echo "${blue}Skipping parsing variables into settings file as no_parse flag is set${reset}"
-
-else
-
-echo "${blue}Gathering network parameters for Target System...this may take a few minutes${reset}"
-##Edit the ksgen settings appropriately
-##ksgen settings will be stored in /vagrant on the vagrant machine
-##if single node deployment all the variables will have the same ip
-##interface names will be enp0s3, enp0s8, enp0s9 in chef/centos7
-
-sed -i 's/^.*default_gw:.*$/default_gw:'" $node_default_gw"'/' opnfv_ksgen_settings.yml
+##params: none
+##usage: clean_tmp()
+clean_tmp() {
+ rm -rf $vm_dir/foreman_vm
+}
-##replace private interface parameter
-##private interface will be of hosts, so we need to know the provisioned host interface name
-##we add biosdevname=0, net.ifnames=0 to the kickstart to use regular interface naming convention on hosts
-##replace IP for parameters with next IP that will be given to controller
-if [ "$deployment_type" == "single_network" ]; then
- ##we also need to assign IP addresses to nodes
- ##for single node, foreman is managing the single network, so we can't reserve them
- ##not supporting single network anymore for now
- echo "{blue}Single Network type is unsupported right now. Please check your interface configuration. Exiting. ${reset}"
- exit 0
+##clone genesis and move to node vm dir
+##params: destination directory
+##usage: clone_bgs /tmp/myvm/
+clone_bgs() {
+ script_dir="`dirname "$script"`"
+ cp -fr $script_dir/ $1
+ cp -fr $script_dir/../../common/puppet-opnfv $1
+}
-elif [[ "$deployment_type" == "multi_network" || "$deployment_type" == "three_network" ]]; then
+##validates the network settings and update VagrantFile with network settings
+##params: none
+##usage: configure_network()
+configure_network() {
+ cd $vm_dir/foreman_vm
+
+ ##if nic_arg_flag is set, then we don't figure out
+ ##NICs dynamically
+ if [[ $nic_arg_flag -eq 1 ]]; then
+ echo "${blue}Static Network Interfaces Defined. Updating Vagrantfile...${reset}"
+ if [ $virtual ]; then
+ nic_list="$public_nic"
+ elif [ -z "$storage_nic" ]; then
+ echo "${blue}storage_nic not defined, will combine storage into private VLAN ${reset}"
+ nic_list="$admin_nic $private_nic $public_nic"
+ else
+ nic_list="$admin_nic $private_nic $public_nic $storage_nic"
+ fi
+ nic_array=( $nic_list )
+ output=$nic_list
+ elif [ ! -z "$single_baremetal_nic" ]; then
+ output=$single_baremetal_nic
+ else
+ echo "${blue}Detecting network configuration...${reset}"
+ ##detect host 1 or 3 interface configuration
+ #output=`ip link show | grep -E "^[0-9]" | grep -Ev ": lo|tun|virbr|vboxnet" | awk '{print $2}' | sed 's/://'`
+ #output=`/bin/ls -l /sys/class/net | tail -n +2 | grep -v virtual | cut -d " " -f10`
+ output=`/bin/ls -l /sys/class/net | tail -n +2 | grep -v virtual | awk {'print $9'}`
+ fi
- if [ "$deployment_type" == "three_network" ]; then
- sed -i 's/^.*network_type:.*$/network_type: three_network/' opnfv_ksgen_settings.yml
+ if [ ! "$output" ]; then
+ printf '%s\n' 'deploy.sh: Unable to detect interfaces to bridge to' >&2
+ exit 1
fi
- sed -i 's/^.*deployment_type:.*$/ deployment_type: '"$deployment_type"'/' opnfv_ksgen_settings.yml
+ ##virtual we only find 1 interface
+ if [ $virtual ]; then
+ if [ ! -z "${nic_array[0]}" ]; then
+ echo "${blue}Public Interface specified: ${nic_array[0]}${reset}"
+ this_default_gw_interface=${nic_array[0]}
+ else
+ ##find interface with default gateway
+ this_default_gw=$(ip route | grep default | awk '{print $3}')
+ echo "${blue}Default Gateway: $this_default_gw ${reset}"
+ this_default_gw_interface=$(ip route get $this_default_gw | awk '{print $3}')
+ fi
- ##get ip addresses for private network on controllers to make dhcp entries
- ##required for controllers_ip_array global param
- next_private_ip=${interface_ip_arr[1]}
- type=_private
- for node in controller1 controller2 controller3; do
- next_private_ip=$(next_usable_ip $next_private_ip)
- if [ ! "$next_private_ip" ]; then
- printf '%s\n' 'deploy.sh: Unable to find next ip for private network for control nodes' >&2
- exit 1
+ ##find interface IP, make sure its valid
+ interface_ip=$(find_ip $this_default_gw_interface)
+ if [ ! "$interface_ip" ]; then
+ echo "${red}Interface ${this_default_gw_interface} does not have an IP: $interface_ip ! Exiting ${reset}"
+ exit 1
fi
- sed -i 's/'"$node$type"'/'"$next_private_ip"'/g' opnfv_ksgen_settings.yml
- controller_ip_array=$controller_ip_array$next_private_ip,
- done
- ##replace global param for contollers_ip_array
- controller_ip_array=${controller_ip_array%?}
- sed -i 's/^.*controllers_ip_array:.*$/ controllers_ip_array: '"$controller_ip_array"'/' opnfv_ksgen_settings.yml
+ ##set variable info
+ if [ ! -z "$static_ip_range" ]; then
+ new_ip=$(echo $static_ip_range | cut -d , -f1)
+ subnet_mask=$(find_netmask $this_default_gw_interface)
+ host_subnet=$(find_subnet $interface_ip $subnet_mask)
+ ip_range_subnet=$(find_subnet $new_ip $subnet_mask)
+ if [ "$ip_range_subnet" != "$host_subnet" ]; then
+ echo "${red}static_ip_range: ${static_ip_range} is not in the same subnet as your default gateway interface: ${host_subnet}. Please use a correct range!${reset}"
+ exit 1
+ fi
+ else
+ new_ip=$(next_usable_ip $interface_ip)
+ if [ ! "$new_ip" ]; then
+ echo "${red} Cannot find next IP on interface ${this_default_gw_interface} new_ip: $new_ip ! Exiting ${reset}"
+ exit 1
+ fi
+ fi
+ interface=$this_default_gw_interface
+ public_interface=$interface
+ interface_arr[$interface]=2
+ interface_ip_arr[2]=$new_ip
+ subnet_mask=$(find_netmask $interface)
+ public_subnet_mask=$subnet_mask
+ public_short_subnet_mask=$(find_short_netmask $interface)
- ##now replace all the VIP variables. admin//private can be the same IP
- ##we have to use IP's here that won't be allocated to hosts at provisioning time
- ##therefore we increment the ip by 10 to make sure we have a safe buffer
- next_private_ip=$(increment_ip $next_private_ip 10)
+ if ! verify_subnet_size $public_subnet_mask 25; then
+ echo "${red} Not enough IPs in public subnet: $interface_ip_arr[2] ${public_subnet_mask}. Need at least 25 IPs. Please resize subnet! Exiting ${reset}"
+ exit 1
+ fi
- grep -E '*private_vip|loadbalancer_vip|db_vip|amqp_vip|*admin_vip' opnfv_ksgen_settings.yml | while read -r line ; do
- sed -i 's/^.*'"$line"'.*$/ '"$line $next_private_ip"'/' opnfv_ksgen_settings.yml
- next_private_ip=