From d59a2ffd624cadd888cab0f6588c3db2623f7ed0 Mon Sep 17 00:00:00 2001 From: Jimmy McCrory Date: Wed, 1 Jun 2016 19:23:52 -0700 Subject: [PATCH] Reduce and organize group vars Variables which were not used at all or were used only within a single role and were unchanged from that role's defaults have been removed. Variables which were used only within a playbook or overrode role defaults and were only relevant to hosts applying that playbook or role have been moved into a new file for the host group. Variables which are required across multiple host groups through playbooks or roles have been moved to all.yml. The host.yml and all_containers.yml files have been removed. Change-Id: If31f0ff7ca34b0e95a5a86876ec9330dae31a4aa --- playbooks/inventory/group_vars/all.yml | 184 +++++++++- .../inventory/group_vars/all_containers.yml | 1 - playbooks/inventory/group_vars/aodh_all.yml | 17 + .../inventory/group_vars/ceilometer_all.yml | 19 + playbooks/inventory/group_vars/cinder_all.yml | 21 ++ playbooks/inventory/group_vars/glance_all.yml | 17 + .../inventory/group_vars/haproxy_all.yml | 17 + playbooks/inventory/group_vars/heat_all.yml | 17 + .../inventory/group_vars/horizon_all.yml | 26 ++ playbooks/inventory/group_vars/hosts.yml | 329 ------------------ playbooks/inventory/group_vars/ironic_all.yml | 20 ++ .../inventory/group_vars/keystone_all.yml | 20 ++ playbooks/inventory/group_vars/memcached.yml | 16 + .../inventory/group_vars/neutron_all.yml | 17 + playbooks/inventory/group_vars/nova_all.yml | 19 + .../inventory/group_vars/rabbitmq_all.yml | 16 + playbooks/inventory/group_vars/rsyslog.yml | 16 + playbooks/inventory/group_vars/swift_all.yml | 17 + .../inventory/group_vars/utility_all.yml | 16 + scripts/sources-branch-updater.sh | 2 +- 20 files changed, 473 insertions(+), 334 deletions(-) delete mode 120000 playbooks/inventory/group_vars/all_containers.yml create mode 100644 playbooks/inventory/group_vars/aodh_all.yml create mode 100644 playbooks/inventory/group_vars/ceilometer_all.yml create mode 100644 playbooks/inventory/group_vars/cinder_all.yml create mode 100644 playbooks/inventory/group_vars/glance_all.yml create mode 100644 playbooks/inventory/group_vars/haproxy_all.yml create mode 100644 playbooks/inventory/group_vars/heat_all.yml create mode 100644 playbooks/inventory/group_vars/horizon_all.yml delete mode 100644 playbooks/inventory/group_vars/hosts.yml create mode 100644 playbooks/inventory/group_vars/ironic_all.yml create mode 100644 playbooks/inventory/group_vars/keystone_all.yml create mode 100644 playbooks/inventory/group_vars/memcached.yml create mode 100644 playbooks/inventory/group_vars/neutron_all.yml create mode 100644 playbooks/inventory/group_vars/nova_all.yml create mode 100644 playbooks/inventory/group_vars/rabbitmq_all.yml create mode 100644 playbooks/inventory/group_vars/rsyslog.yml create mode 100644 playbooks/inventory/group_vars/swift_all.yml create mode 100644 playbooks/inventory/group_vars/utility_all.yml diff --git a/playbooks/inventory/group_vars/all.yml b/playbooks/inventory/group_vars/all.yml index 9f3f566988..828f8d7663 100644 --- a/playbooks/inventory/group_vars/all.yml +++ b/playbooks/inventory/group_vars/all.yml @@ -1,5 +1,5 @@ --- -# Copyright 2015, Rackspace US, Inc. +# Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,5 +16,183 @@ ## OpenStack Source Code Release openstack_release: master -# Global minimum kernel requirement -openstack_host_required_kernel: 3.13.0-34-generic +## Verbosity Options +debug: False + +## SSH connection wait time +ssh_delay: 5 + +# These are pinned to ensure exactly the same behaviour forever! +# These pins are updated through the sources-branch-updater script +pip_packages: + - pip==8.1.2 + - setuptools==22.0.0 + - wheel==0.29.0 + +pip_links: + - { name: "openstack_release", link: "{{ openstack_repo_url }}/os-releases/{{ openstack_release }}/" } + +## OpenStack source options +# URL for the frozen internal openstack repo. +repo_server_port: 8181 +openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}" +openstack_repo_git_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}/openstackgit" + +## kernel modules for specific group hosts +# :param name: name of the kernel module +# :param pattern: pattern to search for in /boot/config-$kernel_version to check how module is configured inside kernel +# :param group: group of hosts where the module will be loaded +openstack_host_specific_kernel_modules: + - { name: "ebtables", pattern: "CONFIG_BRIDGE_NF_EBTABLES", group: "network_hosts" } + +## Memcached options +memcached_port: 11211 +memcached_servers: "{% for host in groups['memcached'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}" + +## Galera +galera_root_user: "root" + +## RabbitMQ +rabbitmq_port: "{{ (rabbitmq_use_ssl | bool) | ternary(5671, 5672) }}" +rabbitmq_servers: "{% for host in groups['rabbitmq_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}" +rabbitmq_use_ssl: true + +## Enable external SSL handling for general OpenStack services +openstack_external_ssl: true + +## OpenStack global Endpoint Protos +openstack_service_publicuri_proto: https +#openstack_service_adminuri_proto: http +#openstack_service_internaluri_proto: http + +## SSL +# These do not need to be configured unless you're creating certificates for +# services running behind Apache (currently, Horizon and Keystone). +ssl_protocol: "ALL -SSLv2 -SSLv3" +# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ +ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" + +## Region Name +service_region: RegionOne + +## OpenStack Domain +openstack_domain: openstack.local +lxc_container_domain: "{{ openstack_domain }}" + +## DHCP Domain Name +dhcp_domain: openstacklocal + +## LDAP enabled toggle +service_ldap_backend_enabled: "{{ keystone_ldap is defined and keystone_ldap.Default is defined }}" + +## Aodh DB info +aodh_database_name: aodh +aodh_database_user: aodh +aodh_db_type: mongodb +aodh_db_ip: localhost +aodh_db_port: 27017 +aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_ip }}:{{ aodh_db_port }}/{{ aodh_database_name }}" + +## Ceilometer +ceilometer_service_user_name: ceilometer +ceilometer_service_tenant_name: service +ceilometer_rabbitmq_userid: ceilometer +ceilometer_rabbitmq_vhost: /ceilometer + +## Cinder +# cinder_backend_rbd_inuse: True if current host has an rbd backend +cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}' +# cinder_backends_rbd_inuse: true if at least 1 cinder_backend on any +# cinder_volume host uses Ceph RBD +# http://stackoverflow.com/questions/9486393/jinja2-change-the-value-of-a-variable-inside-a-loop +cinder_backends_rbd_inuse: > + {% set _var = {'rbd_inuse': False} %}{% + for host in groups.cinder_volume %}{% + if hostvars[host].cinder_backend_rbd_inuse | bool %}{% + if _var.update({'rbd_inuse': True }) %}{% + endif %}{% + endif %}{% + endfor %}{{ + _var.rbd_inuse }} +cinder_ceph_client: cinder +cinder_rabbitmq_userid: cinder +cinder_rabbitmq_vhost: /cinder + +## Glance +glance_service_port: 9292 +glance_api_servers: "{{ internal_lb_vip_address }}:{{ glance_service_port }}" +glance_service_user_name: glance +glance_rabbitmq_userid: glance +glance_rabbitmq_vhost: /glance + +## Heat +heat_rabbitmq_userid: heat +heat_rabbitmq_vhost: /heat + +## Keystone +keystone_admin_user_name: admin +keystone_admin_tenant_name: admin +keystone_admin_port: 35357 +keystone_service_port: 5000 +keystone_service_proto: http +keystone_service_region: "{{ service_region }}" +keystone_rabbitmq_userid: keystone +keystone_rabbitmq_vhost: /keystone + +keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}" +keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}" +keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}" +keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3" + +keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}" +keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}" +keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" +keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3" + +## Neutron +neutron_service_port: 9696 +neutron_service_proto: http +neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}" +neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ neutron_service_port }}" +neutron_service_adminurl: "{{ neutron_service_adminuri }}" +neutron_service_user_name: neutron +neutron_service_project_name: service +neutron_service_region: "{{ service_region }}" +neutron_rabbitmq_userid: neutron +neutron_rabbitmq_vhost: /neutron +neutron_plugin_type: ml2.lxb + +## Nova +nova_service_port: 8774 +nova_metadata_port: 8775 +nova_service_proto: http +nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}" +nova_service_adminuri: "{{ nova_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}" +nova_service_adminurl: "{{ nova_service_adminuri }}/v2.1/%(tenant_id)s" +nova_service_region: "{{ service_region }}" +nova_service_user_name: nova +nova_service_project_name: service +nova_service_project_domain_id: default +nova_service_user_domain_id: default +nova_rabbitmq_userid: nova +nova_rabbitmq_vhost: /nova +nova_keystone_auth_plugin: password + +## Swift +swift_system_user_name: swift +swift_system_shell: /bin/bash +swift_system_comment: swift system user +swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}" + +## OpenStack Openrc +openrc_os_auth_url: "{{ keystone_service_internalurl }}" +openrc_os_password: "{{ keystone_auth_admin_password }}" +openrc_os_domain_name: "Default" + +## Host security hardening +# The openstack-ansible-security role provides security hardening for hosts +# by applying security configurations from the STIG. Hardening is enabled by +# default, but an option to opt out is available by setting the following +# variable to 'false'. +# Docs: http://docs.openstack.org/developer/openstack-ansible-security/ +apply_security_hardening: true diff --git a/playbooks/inventory/group_vars/all_containers.yml b/playbooks/inventory/group_vars/all_containers.yml deleted file mode 120000 index 0cc353ff40..0000000000 --- a/playbooks/inventory/group_vars/all_containers.yml +++ /dev/null @@ -1 +0,0 @@ -hosts.yml \ No newline at end of file diff --git a/playbooks/inventory/group_vars/aodh_all.yml b/playbooks/inventory/group_vars/aodh_all.yml new file mode 100644 index 0000000000..26bfe457ed --- /dev/null +++ b/playbooks/inventory/group_vars/aodh_all.yml @@ -0,0 +1,17 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +aodh_service_in_ldap: "{{ service_ldap_backend_enabled }}" +aodh_service_publicuri: "{{ openstack_service_publicuri_proto|default(aodh_service_proto) }}://{{ external_lb_vip_address }}:{{ aodh_service_port }}" diff --git a/playbooks/inventory/group_vars/ceilometer_all.yml b/playbooks/inventory/group_vars/ceilometer_all.yml new file mode 100644 index 0000000000..f12ebf86f9 --- /dev/null +++ b/playbooks/inventory/group_vars/ceilometer_all.yml @@ -0,0 +1,19 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ceilometer_service_publicuri: "{{ openstack_service_publicuri_proto|default(ceilometer_service_proto) }}://{{ external_lb_vip_address }}:{{ ceilometer_service_port }}" +ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/" +ceilometer_service_region: "{{ service_region }}" +ceilometer_service_in_ldap: "{{ service_ldap_backend_enabled }}" diff --git a/playbooks/inventory/group_vars/cinder_all.yml b/playbooks/inventory/group_vars/cinder_all.yml new file mode 100644 index 0000000000..f45b05d58d --- /dev/null +++ b/playbooks/inventory/group_vars/cinder_all.yml @@ -0,0 +1,21 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# cinder_backend_lvm_inuse: True if current host has an lvm backend +cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.lvm.LVMVolumeDriver") != -1 }}' +cinder_service_region: "{{ service_region }}" +cinder_service_in_ldap: "{{ service_ldap_backend_enabled }}" +cinder_glance_api_servers: "{{ glance_api_servers }}" +cinder_glance_api_version: "{{ (cinder_backends_rbd_inuse|bool and glance_default_store == 'rbd') | ternary('2','1') }}" diff --git a/playbooks/inventory/group_vars/glance_all.yml b/playbooks/inventory/group_vars/glance_all.yml new file mode 100644 index 0000000000..d3ab4cd3d9 --- /dev/null +++ b/playbooks/inventory/group_vars/glance_all.yml @@ -0,0 +1,17 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +glance_service_region: "{{ service_region }}" +glance_service_in_ldap: "{{ service_ldap_backend_enabled }}" diff --git a/playbooks/inventory/group_vars/haproxy_all.yml b/playbooks/inventory/group_vars/haproxy_all.yml new file mode 100644 index 0000000000..f3cce39a3b --- /dev/null +++ b/playbooks/inventory/group_vars/haproxy_all.yml @@ -0,0 +1,17 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +haproxy_bind_on_non_local: "{% if groups.haproxy[1] is defined and internal_lb_vip_address != external_lb_vip_address %}True{% else %}False{% endif %}" +haproxy_use_keepalived: "{% if groups.haproxy|length > 1 %}True{% else %}False{% endif %}" diff --git a/playbooks/inventory/group_vars/heat_all.yml b/playbooks/inventory/group_vars/heat_all.yml new file mode 100644 index 0000000000..6e8d15925f --- /dev/null +++ b/playbooks/inventory/group_vars/heat_all.yml @@ -0,0 +1,17 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +heat_service_region: "{{ service_region }}" +heat_service_in_ldap: "{{ service_ldap_backend_enabled }}" diff --git a/playbooks/inventory/group_vars/horizon_all.yml b/playbooks/inventory/group_vars/horizon_all.yml new file mode 100644 index 0000000000..394113f157 --- /dev/null +++ b/playbooks/inventory/group_vars/horizon_all.yml @@ -0,0 +1,26 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +horizon_external_ssl: "{{ openstack_external_ssl }}" +horizon_service_region: "{{ service_region }}" +horizon_enable_cinder_backup: "{{ cinder_service_backup_program_enabled is defined and cinder_service_backup_program_enabled | bool }}" +# NOTE(mhayden): neutron-lbaas is a separate plugin and requires the full +# namespace to be specified. Also, LBaaS v1 was removed in Newton. +horizon_enable_neutron_lbaas: "{{ neutron_plugin_base is defined and 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2' in neutron_plugin_base }}" +horizon_enable_neutron_fwaas: "{{ neutron_plugin_base is defined and 'firewall' in neutron_plugin_base }}" +horizon_enable_neutron_vpnaas: "{{ neutron_plugin_base is defined and 'vpnaas' in neutron_plugin_base }}" +horizon_enable_ha_router: "{{ neutron_plugin_type.split('.')[0] == 'ml2' and (groups['neutron_l3_agent'] | length >= 2) }}" +horizon_rabbitmq_userid: horizon +horizon_rabbitmq_vhost: /horizon diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml deleted file mode 100644 index afe08b4d1e..0000000000 --- a/playbooks/inventory/group_vars/hosts.yml +++ /dev/null @@ -1,329 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## Verbosity Options -debug: False - - -## SSH connection wait time -ssh_delay: 5 - - -## Repo server -repo_service_user_name: nginx -repo_service_home_folder: /var/www -repo_server_port: 8181 -repo_pip_default_index: "https://rpc-repo.rackspace.com/pools" - - -## Rsyslog server -rsyslog_server_storage_directory: /var/log/log-storage - - -## OpenStack source options -# URL for the frozen internal openstack repo. -openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}" -openstack_repo_git_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}/openstackgit" - -## Enable external SSL handling for general OpenStack services -openstack_external_ssl: true -nova_external_ssl: "{{ openstack_external_ssl }}" -keystone_external_ssl: "{{ openstack_external_ssl }}" -horizon_external_ssl: "{{ openstack_external_ssl }}" - -## LXC options -lxc_container_caches: - - url: "https://rpc-repo.rackspace.com/container_images/rpc-trusty-container.tgz" - name: "trusty.tgz" - sha256sum: "56c6a6e132ea7d10be2f3e8104f47136ccf408b30e362133f0dc4a0a9adb4d0c" - chroot_path: trusty/rootfs-amd64 - - -## RabbitMQ -rabbitmq_cluster_name: openstack -rabbitmq_port: "{{ (rabbitmq_use_ssl | bool) | ternary(5671, 5672) }}" -rabbitmq_servers: "{% for host in groups['rabbitmq_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}" -rabbitmq_use_ssl: true - -## Galera -galera_root_user: "root" -galera_wsrep_cluster_address: "{% for host in groups['galera_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}{% if not loop.last %},{% endif %}{% endfor %}" -galera_wsrep_address: "{{ ansible_ssh_host }}" - - -pip_links: - - { name: "openstack_release", link: "{{ openstack_repo_url }}/os-releases/{{ openstack_release }}/" } - -# These are pinned to ensure exactly the same behaviour forever! -# These pins are updated through the sources-branch-updater script -pip_packages: - - pip==8.1.2 - - setuptools==22.0.0 - - wheel==0.29.0 - -## Memcached options -memcached_listen: "{{ ansible_ssh_host }}" -memcached_port: 11211 -memcached_servers: "{% for host in groups['memcached'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}" - -## Host security hardening -# The openstack-ansible-security role provides security hardening for hosts -# by applying security configurations from the STIG. Hardening is enabled by -# default, but an option to opt out is available by setting the following -# variable to 'false'. -# Docs: http://docs.openstack.org/developer/openstack-ansible-security/ -apply_security_hardening: true - -## Region Name -service_region: RegionOne - -## OpenStack Domain -openstack_domain: openstack.local -lxc_container_domain: "{{ openstack_domain }}" - -## DHCP Domain Name -dhcp_domain: openstacklocal - -## SSL: Keystone -# These do not need to be configured unless you're creating certificates for -# services running behind Apache (currently, Horizon and Keystone). -ssl_protocol: "ALL -SSLv2 -SSLv3" -# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ -ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" - -## OpenStack global Endpoint Protos -openstack_service_publicuri_proto: https -#openstack_service_adminuri_proto: http -#openstack_service_internaluri_proto: http - -## LDAP enabled toggle -service_ldap_backend_enabled: "{{ keystone_ldap is defined and keystone_ldap.Default is defined }}" - - -## Aodh -# DB info -aodh_database_name: aodh -aodh_database_user: aodh -aodh_db_type: mongodb -aodh_db_ip: localhost -aodh_db_port: 27017 -aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_ip }}:{{ aodh_db_port }}/{{ aodh_database_name }}" -aodh_service_in_ldap: "{{ service_ldap_backend_enabled }}" -aodh_service_proto: http -aodh_service_publicuri: "{{ openstack_service_publicuri_proto|default(aodh_service_proto) }}://{{ external_lb_vip_address }}:{{ aodh_service_port }}" - - -## Ceilometer -ceilometer_service_port: 8777 -ceilometer_service_proto: http -ceilometer_service_user_name: ceilometer -ceilometer_service_tenant_name: service -ceilometer_service_publicuri: "{{ openstack_service_publicuri_proto|default(ceilometer_service_proto) }}://{{ external_lb_vip_address }}:{{ ceilometer_service_port }}" -ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}" -ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/" -ceilometer_service_region: "{{ service_region }}" -ceilometer_rabbitmq_userid: ceilometer -ceilometer_rabbitmq_vhost: /ceilometer -ceilometer_service_in_ldap: "{{ service_ldap_backend_enabled }}" - - -## Nova -nova_service_port: 8774 -nova_service_proto: http -nova_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_service_proto) }}" -nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}" -nova_service_user_name: nova -nova_service_project_name: service -nova_service_project_domain_id: default -nova_service_user_domain_id: default -nova_service_adminuri: "{{ nova_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}" -nova_service_adminurl: "{{ nova_service_adminuri }}/v2.1/%(tenant_id)s" -nova_service_region: "{{ service_region }}" -nova_metadata_port: 8775 -nova_keystone_auth_plugin: password -nova_ceph_client: '{{ cinder_ceph_client }}' -nova_ceph_client_uuid: '{{ cinder_ceph_client_uuid | default() }}' -nova_dhcp_domain: "{{ dhcp_domain }}" -nova_service_in_ldap: "{{ service_ldap_backend_enabled }}" -nova_rabbitmq_userid: nova -nova_rabbitmq_vhost: /nova -nova_glance_api_servers: "{{ glance_api_servers }}" - - -## Neutron -neutron_service_port: 9696 -neutron_service_proto: http -neutron_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(neutron_service_proto) }}" -neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}" -neutron_service_user_name: neutron -neutron_service_project_name: service -neutron_service_project_domain_id: default -neutron_service_user_domain_id: default -neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ neutron_service_port }}" -neutron_service_adminurl: "{{ neutron_service_adminuri }}" -neutron_service_region: "{{ service_region }}" -neutron_dhcp_domain: "{{ dhcp_domain }}" -neutron_service_in_ldap: "{{ service_ldap_backend_enabled }}" -neutron_rabbitmq_userid: neutron -neutron_rabbitmq_vhost: /neutron - -# Neutron Plugins -neutron_plugin_type: ml2.lxb - - -## Glance -glance_service_port: 9292 -glance_service_proto: http -glance_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(glance_service_proto) }}" -glance_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(glance_service_proto) }}" -glance_service_user_name: glance -glance_service_project_name: service -glance_service_project_domain_id: default -glance_service_user_domain_id: default -glance_service_adminurl: "{{ glance_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ glance_service_port }}" -glance_service_region: "{{ service_region }}" -glance_service_in_ldap: "{{ service_ldap_backend_enabled }}" -glance_api_servers: "{{ internal_lb_vip_address }}:{{ glance_service_port }}" -glance_rabbitmq_userid: glance -glance_rabbitmq_vhost: /glance - - -## Keystone -keystone_admin_user_name: admin -keystone_admin_tenant_name: admin -keystone_admin_port: 35357 -keystone_service_port: 5000 -keystone_service_proto: http -keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}" -keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}" -keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}" -keystone_service_user_name: keystone -keystone_service_tenant_name: service -keystone_service_region: "{{ service_region }}" -keystone_rabbitmq_userid: keystone -keystone_rabbitmq_vhost: /keystone - -keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}" -keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}" - -keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}" -keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" -keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}" - -keystone_service_publicurl: "{{ keystone_service_publicuri }}/v3" -keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3" -keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3" - -keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}" -keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}" -keystone_service_in_ldap: "{{ service_ldap_backend_enabled }}" - - -## Horizon -horizon_service_region: "{{ service_region }}" -horizon_enable_cinder_backup: "{{ cinder_service_backup_program_enabled is defined and cinder_service_backup_program_enabled | bool }}" -# NOTE(mhayden): neutron-lbaas is a separate plugin and requires the full -# namespace to be specified. Also, LBaaS v1 was removed in Newton. -horizon_enable_neutron_lbaas: "{{ neutron_plugin_base is defined and 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2' in neutron_plugin_base }}" -horizon_enable_neutron_fwaas: "{{ neutron_plugin_base is defined and 'firewall' in neutron_plugin_base }}" -horizon_enable_neutron_vpnaas: "{{ neutron_plugin_base is defined and 'vpnaas' in neutron_plugin_base }}" -horizon_enable_ha_router: "{{ neutron_plugin_type.split('.')[0] == 'ml2' and (groups['neutron_l3_agent'] | length >= 2) }}" -horizon_rabbitmq_userid: horizon -horizon_rabbitmq_vhost: /horizon - - -## Heat -heat_service_region: "{{ service_region }}" -heat_service_in_ldap: "{{ service_ldap_backend_enabled }}" -heat_rabbitmq_userid: heat -heat_rabbitmq_vhost: /heat -heat_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(heat_service_proto) }}" - - -## Cinder -# cinder_backend_rbd_inuse: True if current host has an rbd backend -cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}' -# cinder_backends_rbd_inuse: true if at least 1 cinder_backend on any -# cinder_volume host uses Ceph RBD -# http://stackoverflow.com/questions/9486393/jinja2-change-the-value-of-a-variable-inside-a-loop -cinder_backends_rbd_inuse: > - {% set _var = {'rbd_inuse': False} %}{% - for host in groups.cinder_volume %}{% - if hostvars[host].cinder_backend_rbd_inuse | bool %}{% - if _var.update({'rbd_inuse': True }) %}{% - endif %}{% - endif %}{% - endfor %}{{ - _var.rbd_inuse }} -cinder_ceph_client: cinder -# cinder_backend_lvm_inuse: True if current host has an lvm backend -cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.lvm.LVMVolumeDriver") != -1 }}' -cinder_service_region: "{{ service_region }}" -cinder_service_in_ldap: "{{ service_ldap_backend_enabled }}" -cinder_rabbitmq_userid: cinder -cinder_rabbitmq_vhost: /cinder -cinder_glance_api_servers: "{{ glance_api_servers }}" -cinder_glance_api_version: "{{ (cinder_backends_rbd_inuse|bool and glance_default_store == 'rbd') | ternary('2','1') }}" -cinder_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(cinder_service_proto) }}" - - -## Swift -swift_system_user_name: swift -swift_system_group_name: swift -swift_system_shell: /bin/bash -swift_system_comment: swift system user -swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}" -swift_service_region: "{{ service_region }}" -swift_service_in_ldap: "{{ service_ldap_backend_enabled }}" -swift_rabbitmq_userid: swift -swift_rabbitmq_vhost: /swift -swift_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(swift_service_proto) }}" - - -## Ironic -ironic_rabbitmq_vhost: /ironic -ironic_rabbitmq_userid: ironic -ironic_galera_database: ironic -ironic_galera_user: ironic -ironic_service_name: ironic -ironic_service_project_name: service -ironic_service_port: 6385 -ironic_service_proto: http -ironic_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(ironic_service_proto) }}" -ironic_service_adminuri: "{{ ironic_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_service_port }}" -ironic_service_adminurl: "{{ ironic_service_adminuri }}/v1" - - -## OpenStack Openrc -openrc_os_auth_url: "{{ keystone_service_internalurl }}" -openrc_os_password: "{{ keystone_auth_admin_password }}" -openrc_os_domain_name: "Default" - - -## HAProxy -haproxy_bind_on_non_local: "{% if groups.haproxy[1] is defined and internal_lb_vip_address != external_lb_vip_address %}True{% else %}False{% endif %}" -haproxy_use_keepalived: "{% if groups.haproxy|length > 1 %}True{% else %}False{% endif %}" - -## kernel modules for specific group hosts -# :param name: name of the kernel module -# :param pattern: pattern to search for in /boot/config-$kernel_version to check how module is configured inside kernel -# :param group: group of hosts where the module will be loaded -openstack_host_specific_kernel_modules: - - { name: "ebtables", pattern: "CONFIG_BRIDGE_NF_EBTABLES", group: "network_hosts" } - -## Tempest -tempest_log_dir: /var/log/utility -tempest_venv_tag: "{{ tempest_git_install_branch }}" -tempest_venv_bin: "/opt/tempest_{{ tempest_venv_tag }}/bin" diff --git a/playbooks/inventory/group_vars/ironic_all.yml b/playbooks/inventory/group_vars/ironic_all.yml new file mode 100644 index 0000000000..ddb70f36af --- /dev/null +++ b/playbooks/inventory/group_vars/ironic_all.yml @@ -0,0 +1,20 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ironic_rabbitmq_vhost: /ironic +ironic_rabbitmq_userid: ironic +ironic_galera_database: ironic +ironic_galera_user: ironic +ironic_service_adminurl: "{{ ironic_service_adminuri }}/v1" diff --git a/playbooks/inventory/group_vars/keystone_all.yml b/playbooks/inventory/group_vars/keystone_all.yml new file mode 100644 index 0000000000..caf6347822 --- /dev/null +++ b/playbooks/inventory/group_vars/keystone_all.yml @@ -0,0 +1,20 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +keystone_external_ssl: "{{ openstack_external_ssl }}" + +keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}" +keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}" +keystone_service_in_ldap: "{{ service_ldap_backend_enabled }}" diff --git a/playbooks/inventory/group_vars/memcached.yml b/playbooks/inventory/group_vars/memcached.yml new file mode 100644 index 0000000000..c2ccf0d4f8 --- /dev/null +++ b/playbooks/inventory/group_vars/memcached.yml @@ -0,0 +1,16 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +memcached_listen: "{{ ansible_ssh_host }}" diff --git a/playbooks/inventory/group_vars/neutron_all.yml b/playbooks/inventory/group_vars/neutron_all.yml new file mode 100644 index 0000000000..ccb9c39555 --- /dev/null +++ b/playbooks/inventory/group_vars/neutron_all.yml @@ -0,0 +1,17 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neutron_dhcp_domain: "{{ dhcp_domain }}" +neutron_service_in_ldap: "{{ service_ldap_backend_enabled }}" diff --git a/playbooks/inventory/group_vars/nova_all.yml b/playbooks/inventory/group_vars/nova_all.yml new file mode 100644 index 0000000000..6787cafd75 --- /dev/null +++ b/playbooks/inventory/group_vars/nova_all.yml @@ -0,0 +1,19 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +nova_external_ssl: "{{ openstack_external_ssl }}" +nova_ceph_client_uuid: '{{ cinder_ceph_client_uuid | default() }}' +nova_dhcp_domain: "{{ dhcp_domain }}" +nova_service_in_ldap: "{{ service_ldap_backend_enabled }}" diff --git a/playbooks/inventory/group_vars/rabbitmq_all.yml b/playbooks/inventory/group_vars/rabbitmq_all.yml new file mode 100644 index 0000000000..e76f43308d --- /dev/null +++ b/playbooks/inventory/group_vars/rabbitmq_all.yml @@ -0,0 +1,16 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +rabbitmq_cluster_name: openstack diff --git a/playbooks/inventory/group_vars/rsyslog.yml b/playbooks/inventory/group_vars/rsyslog.yml new file mode 100644 index 0000000000..bb03423c00 --- /dev/null +++ b/playbooks/inventory/group_vars/rsyslog.yml @@ -0,0 +1,16 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +rsyslog_server_storage_directory: /var/log/log-storage diff --git a/playbooks/inventory/group_vars/swift_all.yml b/playbooks/inventory/group_vars/swift_all.yml new file mode 100644 index 0000000000..1c52344323 --- /dev/null +++ b/playbooks/inventory/group_vars/swift_all.yml @@ -0,0 +1,17 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +swift_service_region: "{{ service_region }}" +swift_service_in_ldap: "{{ service_ldap_backend_enabled }}" diff --git a/playbooks/inventory/group_vars/utility_all.yml b/playbooks/inventory/group_vars/utility_all.yml new file mode 100644 index 0000000000..e84f00cd70 --- /dev/null +++ b/playbooks/inventory/group_vars/utility_all.yml @@ -0,0 +1,16 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +tempest_log_dir: /var/log/utility diff --git a/scripts/sources-branch-updater.sh b/scripts/sources-branch-updater.sh index 6152117e38..0f573abd88 100755 --- a/scripts/sources-branch-updater.sh +++ b/scripts/sources-branch-updater.sh @@ -187,7 +187,7 @@ sed -i.bak "s|^PIP_INSTALL_OPTIONS=.*|PIP_INSTALL_OPTIONS=\$\{PIP_INSTALL_OPTION for pin in ${PIP_CURRENT_OPTIONS}; do sed -i.bak "s|^$(echo ${pin} | cut -f1 -d=).*|${pin}|" *requirements.txt - sed -i.bak "s|^ - $(echo ${pin} | cut -f1 -d=).*| - ${pin}|" playbooks/inventory/group_vars/hosts.yml + sed -i.bak "s|^ - $(echo ${pin} | cut -f1 -d=).*| - ${pin}|" playbooks/inventory/group_vars/all.yml done echo "Updated pip install options/pins"