Infrastructure-as-Code extension for Fuel Nailgun

Nailgun API Extension with External Git Server


Nailgun extension that generates deployment data from configuration files published in an external git repository.


Operational Fuel 9.x (Mitaka) Master Node


Execute the following commands on the Fuel Master node:

# yum install git python-pip
# git clone
# cd fuel-nailgun-extension-iac
# pip install -r requirements.txt
# python install
# nailgun_syncdb
# systemctl restart nailgun.service

Since Fuel 9.x, an extension has to be explicitly enabled. To list all available extensions, execute the following command:

# fuel2 extension list

Then enable the extension for a particular environment:

# fuel2 env extension enable <env_id> -E fuel_external_git

How to Use

This extension introduces two sets of additional Fuel CLI commands. The first set allows the operator to associate a git repo with a particular environment and perform CRUD operations on this repo. The second set allows the operator to execute audit and enforce operations on the environment as well as list the changes made to the configuration. It also allows managing whitelists for these changes. See details here.

  gitrepo create
  gitrepo delete
  gitrepo get configs
  gitrepo list
  gitrepo update

  audit enforce
  audit noop
  audit list outofsync
  audit whitelist show
  audit whitelist add
  audit whitelist delete

Create a repository record and configure Nailgun to use it:

fuel2 gitrepo create --env 1 --name oscnf1 --url --ref master \
  --key .ssh/id_rsa

In order to track configuration evolution, it is possible to download all configuration files from the environment into a separate branch of the configured Git repository. The user configured to access the repository must have write permissions to it:

fuel2 gitrepo get configs --env 1

Git Repo structure

Here is an example repo structure:

|-- cluster.yaml
|-- nodes
|   `-- node-1.domain.local.yaml
`-- roles
    |-- compute.yaml
    |-- controller.yaml
    `-- primary-controller.yaml

There are three levels of configuration: Cluster, Role, Node. Each successive level has higher priority for configuration parameters than the one before it.

  • Cluster - configuration parameters from all configs at this level are applied to all nodes in the environment.
  • Role - configuration parameters from all configs at this level are applied to nodes with a particular role. Parameters from this level override parameters from the Cluster (global) level.
  • Node - configuration parameters from all configs at this level are applied to the node with a particular id. Parameters from this level override parameters from the Cluster (global) and Role levels.

For example, given the following file contents:

# cat cluster.yaml
            value: cluster_param
            value: another_param_value

# cat roles/primary-controller.yaml
            value: controller_param

The resulting configuration hash will be:

            value: controller_param
            value: another_param_value
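The override order described above, as an added example that is not code from the fuel-nailgun-extension-iac project. It assumes the three levels have already been parsed into plain dicts; the nested keys (`nova_config`, `debug`, `workers`) and the node's role list are constructed sample data that only mirror the README's `value:` leaves.

```python
# Added example, not code from fuel-nailgun-extension-iac: a minimal model of
# the Cluster -> Role -> Node override order described above.  It assumes the
# three levels (cluster.yaml, roles/<role>.yaml, nodes/<fqdn>.yaml) have been
# parsed into plain dicts; the nested keys below are constructed sample data
# that only mirror the README's "value:" leaves.
import copy


def deep_merge(base, override):
    """Return a copy of base with override applied on top.

    Nested mappings merge recursively; any other value found at the
    higher-priority level replaces the lower-priority one outright.
    """
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def resolve_config(cluster, roles, nodes, node_roles, node_name):
    """Compute the effective configuration hash for one node.

    Priority grows from Cluster to Role to Node, so the levels are applied
    in that order and each later level overrides what came before it.
    """
    config = copy.deepcopy(cluster)
    for role in node_roles:
        config = deep_merge(config, roles.get(role, {}))
    return deep_merge(config, nodes.get(node_name, {}))


# Constructed sample data in the shape of the README example above.
CLUSTER = {"nova_config": {"debug": {"value": "cluster_param"},
                           "verbose": {"value": "another_param_value"}}}
ROLES = {"primary-controller":
         {"nova_config": {"debug": {"value": "controller_param"}}}}
NODES = {"node-1.domain.local":
         {"nova_config": {"workers": {"value": "4"}}}}

if __name__ == "__main__":
    print(resolve_config(CLUSTER, ROLES, NODES,
                         ["primary-controller"], "node-1.domain.local"))
```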

Audit and enforcement

This feature enables the operator to audit the changes made to the environment as well as enforce configuration.

fuel2 audit noop --env <env-id> || --repo <repo-id>

An audit is basically a Fuel graph run with the noop flag set. This runs the whole graph and records the Puppet resources that would have changed their state. The command above is equivalent to:

fuel2 env redeploy --noop <env-id>

After the audit run, the operator can list the changes to the state of Puppet resources in the environment with the following command:

fuel2 audit list outofsync --task <noop-task-id> || --repo <repo-id>

This is a convenient alternative to the stock command:

fuel2 task history show <noop-task-id> --include-summary

To enforce configuration state, the operator can issue a stock redeploy command:

fuel2 env redeploy <env-id>

To perform the whole audit-enforce process automatically, this extension provides the following command:

fuel2 audit enforce --env <env-id> || --repo <repo-id>

This command runs an audit, checks the changes and enforces the configuration if needed.

Audit changes whitelisting

Since fuel-library contains non-idempotent tasks whose Puppet resources are triggered on every deployment run, this extension gives the operator the ability to filter such changes out.

A whitelist rule is a pair of strings. The first one is a Fuel task name to match. The second one is a substring that must appear in the Puppet report line for the whitelisted resource change, e.g. for


the whitelist rule could be


A rule with an empty fuel_task filter matches all tasks.

Whitelist rules for an environment can be listed with:

fuel2 audit whitelist show <env-id>

These rules can be managed with the following commands:

fuel2 audit whitelist add <env-id> --task <fuel-task> --rule <rule>
fuel2 audit whitelist delete <rule-id> [<rule-id> ...]
fuel2 audit whitelist load fromfile <env-id> <path-to-yaml>

Example YAML file with whitelist rules:

- fuel_task: netconfig
  rule: L23_stored_configs
- fuel_task: top-role-compute
  rule: Service[nova-compute]/ensure
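The matching semantics described above (task name equality, empty task matching everything, substring match on the Puppet report line), as an added example that is not the extension's own code. The whitelist is the parsed form of the YAML above plus one constructed empty-task rule; the change entries, their report lines and the `task`/`line` field names are constructed samples, not the extension's API.

```python
# Added example, not code from fuel-nailgun-extension-iac: a minimal model of
# how whitelist rules like the YAML above filter out-of-sync changes.  Rules
# are the parsed (fuel_task, rule) pairs; the change entries below and their
# 'task'/'line' field names are constructed samples, not the extension's API.


def rule_matches(rule, task, report_line):
    """Match when fuel_task equals the task (empty means any task) and the
    rule text occurs somewhere in the Puppet report line."""
    task_filter = rule.get("fuel_task") or ""
    if task_filter and task_filter != task:
        return False
    return rule["rule"] in report_line


def filter_outofsync(changes, whitelist):
    """Split changes into (reported, suppressed); each suppressed entry keeps
    the rule that hid it so an operator can see why a change disappeared."""
    reported, suppressed = [], []
    for change in changes:
        hit = next((r for r in whitelist
                    if rule_matches(r, change["task"], change["line"])), None)
        if hit is None:
            reported.append(change)
        else:
            suppressed.append(dict(change, whitelisted_by=hit))
    return reported, suppressed


WHITELIST = [
    {"fuel_task": "netconfig", "rule": "L23_stored_configs"},
    {"fuel_task": "top-role-compute", "rule": "Service[nova-compute]/ensure"},
    {"fuel_task": "", "rule": "Exec[sample-any-task]"},  # empty task: any task
]

# Constructed entries; 'line' imitates the resource part of a noop report line.
CHANGES = [
    {"task": "netconfig",
     "line": "L23_stored_configs[eth0]/ensure: should be present (noop)"},
    {"task": "top-role-compute",
     "line": "Service[nova-compute]/ensure: should be running (noop)"},
    {"task": "top-role-controller",  # same resource, task filter does not match
     "line": "Service[nova-compute]/ensure: should be running (noop)"},
    {"task": "openstack-haproxy",
     "line": "Exec[sample-any-task]/returns: executed successfully (noop)"},
    {"task": "keystone",
     "line": "File[/etc/keystone/keystone.conf]/content: content changed (noop)"},
]
```

Keeping the suppressed entries together with the rule that hid them lets an overly broad rule (especially an empty-task one) be spotted during review instead of silently masking real drift.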

The default whitelist can be loaded with the following command:

fuel2 audit whitelist load fromfile <env-id> /usr/lib/python2.7/site-packages/fuel_external_git/default_whitelist.yaml

Note: this whitelist is not complete, as it has been put together on the following configuration: MOS 9.1, Ubuntu, 1 controller, 1 compute+cinder lvm, Neutron GRE.


API documentation can be found here