RETIRED, Chef Cookbook - common OpenStack configuration
Go to file
Lance Albertson cf9da3b474 Use vault repo for RHEL 8
Train has been archived to vault for RHEL 8 and this breaks CI currently.

Change-Id: Ia77026617f993169e46ef76ced3468b5e4fa8bfc
Signed-off-by: Lance Albertson <>
2022-03-17 11:20:58 -07:00
.delivery Stein fixes 2020-03-19 10:52:29 -07:00
attributes Use vault repo for RHEL 8 2022-03-17 11:20:58 -07:00
libraries Chef 17 support 2021-10-13 23:28:32 -07:00
recipes CentOS 8 support 2021-10-22 09:46:15 -07:00
resources Chef 17 support 2021-10-13 23:28:32 -07:00
spec CentOS 8 support 2021-10-22 09:46:15 -07:00
templates/default Make configuration files more readable 2017-11-02 08:51:18 +01:00
.gitignore add a Rakefile to structure test runs 2014-09-29 13:44:38 +02:00
.gitreview OpenDev Migration Patch 2019-04-19 19:31:10 +00:00
.rubocop.yml Chef 17 support 2021-10-13 23:28:32 -07:00
.rubocop_todo.yml Chef 17 support 2021-10-13 23:28:32 -07:00
.zuul.yaml Rename openstack-chef-repo references to openstack-chef 2018-08-06 21:49:17 -07:00
Berksfile Set Berksfile to use ruby solver 2020-01-30 13:09:31 -08:00 Workflow documentation is now in infra-manual 2014-12-05 03:30:43 +00:00
LICENSE Initial commit 2012-11-07 20:52:47 -05:00
README.rst CentOS 8 support 2021-10-22 09:46:15 -07:00
Rakefile Stein fixes 2020-03-19 10:52:29 -07:00 Sync stackforge/cookbook* to openstack/cookbook* for common cookbook 2015-06-15 17:15:53 +08:00
metadata.rb CentOS 8 support 2021-10-22 09:46:15 -07:00


OpenStack Chef Cookbook - common



This cookbook provides common setup recipes, helper methods and attributes that describe an OpenStack deployment as part of the OpenStack reference deployment Chef for OpenStack.

Please relate to the official OpenStack Configuration and Installation Guides for a more detailed documentation on operating and administration of an OpenStack cluster:


  • Chef 16 or higher
  • Chef Workstation 21.10.640 for testing (also includes berkshelf for cookbook dependency resolution)


  • ubuntu
  • redhat
  • centos


The following cookbooks are dependencies:

  • 'etcd', '~> 7.0'
  • 'mariadb', '~> 5.0'
  • 'memcached', '~> 7.0'
  • 'selinux'
  • 'yum-centos', '>= 3.2.0'
  • 'yum-epel'


Please see the extensive inline documentation in attributes/*.rb for descriptions of all the settable attributes for this cookbook.

Note that all attributes are in the default["openstack"] "namespace"

Attributes to generate OpenStack service configuration files

Since the mitaka release, we moved to a completely new way to generate all OpenStack service configuration files. The base template is the openstack-service.conf.erb included in the templates of this cookbook. In each of the service cookbook (e.g. openstack-network, openstack-identity or openstack-compute), the service configuration file (e.g neutron.conf, keystone.conf or nova.conf) gets generated directly from attributes set inside the cookbook. To merge all the configuration options (including the secrets) properly, before handing them over as @service_config to the mentioned template above, we use the methods defined in libraries/config_helpers.

For examples how to use these attributes, please refer to the attribute files included in the service cookbooks (e.g. attributes/neutron_conf.rb in openstack-network or attributes/keystone_conf.rb in openstack-identity). The basic structure of all these attributes always follows this model:

# usual config option that should eventually be saved to the node object
# configuration options like passwords that should not be saved in the node
# object



  • Install the common python openstack client package


  • Install bash completions for openstack client


  • Installs/Configures common recipes


  • Installs and starts etcd


  • Installs/Configures common logging


  • Iterates over the contents of the node['openstack']['sysctl'] hash and executes the sysctl resource.

Data Bags

This cookbook contains Libraries to work with passwords and secrets in databags. Databags can be unencrypted (for dev) or encrypted (for prod). In addition to traditionally encrypted data bags they can also be created as chef-vault items. To read more about chef-vault and how to use it, go to

Documentation for Attributes for selecting databag format can be found in the attributes section of this cookbook.

Documentation for format of these Databags can be found in the Openstack Chef Repo repository.


This cookbook provides the openstack_database custom resource. When this cookbook is included as dependency, this custom resource can be used to create databases needed by the OpenStack services.

depends 'openstack-common'
openstack_database 'compute' do
  user 'nova'
  pass 'supersecret'

An example of the usage can be seen here .


This cookbook exposes a set of default library routines:

  • cli -- Used to call openstack CLIs
  • endpoint -- Used to return a ::URI object representing the named OpenStack endpoint
  • internal_endpoint -- Used to return a ::URI object representing the named OpenStack internal endpoint if one was specified. Otherwise, it will return the same value as endpoint.
  • public_endpoint -- Used to return a ::URI object representing the named OpenStack public endpoint if one was specified. Otherwise, it will return the same value as endpoint.
  • endpoints -- Useful for operating on all OpenStack endpoints
  • db -- Returns a Hash of information about a named OpenStack database
  • db_uri -- Returns the SQLAlchemy RFC-1738 DB URI (see: for a named OpenStack database
  • secret -- Returns the value of an encrypted data bag for a named OpenStack secret key and key-section
  • get_password -- Ease-of-use helper that returns the decrypted password for a named database, service or keystone user.
  • matchers -- A custom matcher(render_config_file) for testing ini format file section content by with_section_content.


The following are code examples showing the above library routines in action. Remember when using the library routines exposed by this library to include the Openstack routines in your recipe's ::Chef::Recipe namespace, like so:

class ::Chef::Recipe
  include ::Openstack

Example of using the endpoint routine:

nova_api_ep = endpoint "compute-api""Using Openstack Compute API endpoint at #{nova_api_ep.to_s}")

# Note that endpoint URIs may contain variable interpolation markers such
# as `%(tenant_id)s`, so you may need to decode them. Do so like this:

require "uri"

puts ::URI.decode nova_api_ap.to_s

Example of using the get_password and db_uri routine:

db_pass = get_password "db" "cinder"
db_user = node["cinder"]["db"]["user"]
sql_connection = db_uri "volume", db_user, db_pass

template "/etc/cinder/cinder.conf" do
  source "cinder.conf.erb"
  owner  node["cinder"]["user"]
  group  node["cinder"]["group"]
  mode   00644
    "sql_connection" => sql_connection

URI Operations

Use the Openstack::uri_from_hash routine to helpfully return a ::URI::Generic object for a hash that contains any of the following keys:

  • host
  • uri
  • port
  • path
  • scheme

If the uri key is in the hash, that will be used as the URI, otherwise the URI will be constructed from the various parts of the hash corresponding to the keys above.

# Suppose node hash contains the following subhash in the :identity_service key:
# {
#   :host => '',
#   :port => 5000,
#   :scheme => 'https'
# }
uri = ::Openstack::uri_from_hash(node[])
# uri.to_s would == ""

The routine will return nil if neither a uri or host key exists in the supplied hash.

Using the library without prefixing with ::Openstack

Don't like prefixing calls to the library's routines with ::Openstack? Do this:

class ::Chef::Recipe
  include ::Openstack

in your recipe.

License and Author

Author Jay Pipes (
Author John Dewey (
Author Matt Ray (
Author Craig Tracey (
Author Sean Gallagher (
Author Ionut Artarisi (
Author Chen Zhiwei (
Author Brett Campbell (
Author Mark Vanderwiel (
Author Jan Klare (
Author Christoph Albers (
Author Jens Harbott (
Author Lance Albertson (
Copyright Copyright (c) 2012-2013, AT&T Services, Inc.
Copyright Copyright (c) 2013, Opscode, Inc.
Copyright Copyright (c) 2013, Craig Tracey
Copyright Copyright (c) 2013-2014, SUSE Linux GmbH
Copyright Copyright (c) 2013-2015, IBM, Corp.
Copyright Copyright (c) 2013-2014, Rackspace US, Inc.
Copyright Copyright (c) 2016-2019, x-ion GmbH
Copyright Copyright (c) 2016-2021, Oregon State University

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.