30c59b297d
This patch updates all the roles to the latest available stable SHA's, updates all the OpenStack Service SHA's and also updates the appropriate python requirements pins. Note that 'ceilometer_api' has been removed from the standard tempest testing in the integrated build as the tests have been removed from the tempest repository with I0775bcc15dc9cbae6e075fe92f44b5f6c9b9d5d2 The ceilometer testing will have to be re-introduced using the tempest plugin framework. Change-Id: Iea7e4213893fb331c410c2d09e3258493f4643f3
323 lines
14 KiB
YAML
323 lines
14 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## Verbosity Options
|
|
debug: False
|
|
verbose: True
|
|
|
|
|
|
## SSH connection wait time
|
|
ssh_delay: 5
|
|
|
|
|
|
## Repo server
|
|
repo_service_user_name: nginx
|
|
repo_service_home_folder: /var/www
|
|
repo_server_port: 8181
|
|
repo_pip_default_index: "https://rpc-repo.rackspace.com/pools"
|
|
|
|
|
|
## Rsyslog server
|
|
rsyslog_server_storage_directory: /var/log/log-storage
|
|
|
|
|
|
## OpenStack source options
|
|
# URL for the frozen internal openstack repo.
|
|
openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
|
|
openstack_repo_git_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}/openstackgit"
|
|
|
|
## Enable external SSL handling for general OpenStack services
|
|
openstack_external_ssl: true
|
|
nova_external_ssl: "{{ openstack_external_ssl }}"
|
|
keystone_external_ssl: "{{ openstack_external_ssl }}"
|
|
horizon_external_ssl: "{{ openstack_external_ssl }}"
|
|
|
|
## LXC options
|
|
lxc_container_caches:
|
|
- url: "https://rpc-repo.rackspace.com/container_images/rpc-trusty-container.tgz"
|
|
name: "trusty.tgz"
|
|
sha256sum: "56c6a6e132ea7d10be2f3e8104f47136ccf408b30e362133f0dc4a0a9adb4d0c"
|
|
chroot_path: trusty/rootfs-amd64
|
|
|
|
|
|
## RabbitMQ
|
|
rabbitmq_cluster_name: openstack
|
|
rabbitmq_port: "{{ (rabbitmq_use_ssl | bool) | ternary(5671, 5672) }}"
|
|
rabbitmq_servers: "{% for host in groups['rabbitmq_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}"
|
|
rabbitmq_use_ssl: true
|
|
|
|
## Galera
|
|
galera_root_user: "root"
|
|
galera_wsrep_cluster_address: "{% for host in groups['galera_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}{% if not loop.last %},{% endif %}{% endfor %}"
|
|
galera_wsrep_address: "{{ ansible_ssh_host }}"
|
|
|
|
|
|
pip_links:
|
|
- { name: "openstack_release", link: "{{ openstack_repo_url }}/os-releases/{{ openstack_release }}/" }
|
|
|
|
# These are pinned to ensure exactly the same behaviour forever!
|
|
# These pins are updated through the sources-branch-updater script
|
|
pip_packages:
|
|
- pip==8.1.2
|
|
- setuptools==21.1.0
|
|
- wheel==0.29.0
|
|
|
|
## Memcached options
|
|
memcached_listen: "{{ ansible_ssh_host }}"
|
|
memcached_port: 11211
|
|
memcached_servers: "{% for host in groups['memcached'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
|
|
|
|
## Host security hardening
|
|
# The openstack-ansible-security role provides security hardening for hosts
|
|
# by applying security configurations from the STIG. Hardening is enabled by
|
|
# default, but an option to opt out is available by setting the following
|
|
# variable to 'false'.
|
|
# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
|
|
apply_security_hardening: true
|
|
|
|
## Region Name
|
|
service_region: RegionOne
|
|
|
|
## DHCP Domain Name
|
|
dhcp_domain: openstacklocal
|
|
|
|
## SSL: Keystone
|
|
# These do not need to be configured unless you're creating certificates for
|
|
# services running behind Apache (currently, Horizon and Keystone).
|
|
ssl_protocol: "ALL -SSLv2 -SSLv3"
|
|
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
|
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
|
|
|
|
## OpenStack global Endpoint Protos
|
|
openstack_service_publicuri_proto: https
|
|
#openstack_service_adminuri_proto: http
|
|
#openstack_service_internaluri_proto: http
|
|
|
|
## LDAP enabled toggle
|
|
service_ldap_backend_enabled: "{{ keystone_ldap is defined and keystone_ldap.Default is defined }}"
|
|
|
|
|
|
## Aodh
|
|
# DB info
|
|
aodh_database_name: aodh
|
|
aodh_database_user: aodh
|
|
aodh_db_type: mongodb
|
|
aodh_db_ip: localhost
|
|
aodh_db_port: 27017
|
|
aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_ip }}:{{ aodh_db_port }}/{{ aodh_database_name }}"
|
|
aodh_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|
aodh_service_proto: http
|
|
aodh_service_publicuri: "{{ openstack_service_publicuri_proto|default(aodh_service_proto) }}://{{ external_lb_vip_address }}:{{ aodh_service_port }}"
|
|
|
|
|
|
## Ceilometer
|
|
ceilometer_service_port: 8777
|
|
ceilometer_service_proto: http
|
|
ceilometer_service_user_name: ceilometer
|
|
ceilometer_service_tenant_name: service
|
|
ceilometer_service_publicuri: "{{ openstack_service_publicuri_proto|default(ceilometer_service_proto) }}://{{ external_lb_vip_address }}:{{ ceilometer_service_port }}"
|
|
ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
|
|
ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/"
|
|
ceilometer_service_region: "{{ service_region }}"
|
|
ceilometer_rabbitmq_userid: ceilometer
|
|
ceilometer_rabbitmq_vhost: /ceilometer
|
|
ceilometer_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|
|
|
|
|
## Nova
|
|
nova_service_port: 8774
|
|
nova_service_proto: http
|
|
nova_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_service_proto) }}"
|
|
nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}"
|
|
nova_service_user_name: nova
|
|
nova_service_project_name: service
|
|
nova_service_project_domain_id: default
|
|
nova_service_user_domain_id: default
|
|
nova_service_adminuri: "{{ nova_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}"
|
|
nova_service_adminurl: "{{ nova_service_adminuri }}/v2/%(tenant_id)s"
|
|
nova_service_region: "{{ service_region }}"
|
|
nova_metadata_port: 8775
|
|
nova_keystone_auth_plugin: password
|
|
nova_ceph_client: '{{ cinder_ceph_client }}'
|
|
nova_ceph_client_uuid: '{{ cinder_ceph_client_uuid | default() }}'
|
|
nova_dhcp_domain: "{{ dhcp_domain }}"
|
|
nova_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|
nova_rabbitmq_userid: nova
|
|
nova_rabbitmq_vhost: /nova
|
|
nova_glance_api_servers: "{{ glance_api_servers }}"
|
|
|
|
|
|
## Neutron
|
|
neutron_service_port: 9696
|
|
neutron_service_proto: http
|
|
neutron_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(neutron_service_proto) }}"
|
|
neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}"
|
|
neutron_service_user_name: neutron
|
|
neutron_service_project_name: service
|
|
neutron_service_project_domain_id: default
|
|
neutron_service_user_domain_id: default
|
|
neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ neutron_service_port }}"
|
|
neutron_service_adminurl: "{{ neutron_service_adminuri }}"
|
|
neutron_service_region: "{{ service_region }}"
|
|
neutron_dhcp_domain: "{{ dhcp_domain }}"
|
|
neutron_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|
neutron_rabbitmq_userid: neutron
|
|
neutron_rabbitmq_vhost: /neutron
|
|
|
|
|
|
## Glance
|
|
glance_service_port: 9292
|
|
glance_service_proto: http
|
|
glance_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(glance_service_proto) }}"
|
|
glance_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(glance_service_proto) }}"
|
|
glance_service_user_name: glance
|
|
glance_service_project_name: service
|
|
glance_service_project_domain_id: default
|
|
glance_service_user_domain_id: default
|
|
glance_service_adminurl: "{{ glance_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ glance_service_port }}"
|
|
glance_service_region: "{{ service_region }}"
|
|
glance_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|
glance_api_servers: "{{ internal_lb_vip_address }}:{{ glance_service_port }}"
|
|
glance_rabbitmq_userid: glance
|
|
glance_rabbitmq_vhost: /glance
|
|
|
|
|
|
## Keystone
|
|
keystone_admin_user_name: admin
|
|
keystone_admin_tenant_name: admin
|
|
keystone_admin_port: 35357
|
|
keystone_service_port: 5000
|
|
keystone_service_proto: http
|
|
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_user_name: keystone
|
|
keystone_service_tenant_name: service
|
|
keystone_service_region: "{{ service_region }}"
|
|
keystone_rabbitmq_userid: keystone
|
|
keystone_rabbitmq_vhost: /keystone
|
|
|
|
keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
|
|
keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
|
|
|
|
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
|
|
|
keystone_service_publicurl: "{{ keystone_service_publicuri }}/v3"
|
|
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
|
|
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
|
|
|
|
keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}"
|
|
keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
|
|
keystone_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|
|
|
|
|
## Horizon
|
|
horizon_service_region: "{{ service_region }}"
|
|
horizon_enable_cinder_backup: "{% if cinder_service_backup_program_enabled is defined and cinder_service_backup_program_enabled | bool %}True{% else %}False{% endif %}"
|
|
# LBaaS panels are working only for LBaaS v1 at this time.
|
|
#TODO(odyssey4me): Remove the classpath from this conditional in the Newton cycle.
|
|
horizon_enable_neutron_lbaas: "{% if neutron_plugin_base is defined and ('lbaas' in neutron_plugin_base or 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPlugin' in neutron_plugin_base) %}True{% else %}False{% endif %}"
|
|
horizon_enable_neutron_fwaas: "{% if neutron_plugin_base is defined and 'firewall' in neutron_plugin_base %}True{% else %}False{% endif %}"
|
|
horizon_enable_neutron_vpnaas: "{% if neutron_plugin_base is defined and 'vpnaas' in neutron_plugin_base %}True{% else %}False{% endif %}"
|
|
horizon_rabbitmq_userid: horizon
|
|
horizon_rabbitmq_vhost: /horizon
|
|
|
|
|
|
## Heat
|
|
heat_service_region: "{{ service_region }}"
|
|
heat_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|
heat_rabbitmq_userid: heat
|
|
heat_rabbitmq_vhost: /heat
|
|
heat_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(heat_service_proto) }}"
|
|
|
|
|
|
## Cinder
|
|
# cinder_backend_rbd_inuse: True if current host has an rbd backend
|
|
cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}'
|
|
# cinder_backends_rbd_inuse: true if at least 1 cinder_backend on any
|
|
# cinder_volume host uses Ceph RBD
|
|
# http://stackoverflow.com/questions/9486393/jinja2-change-the-value-of-a-variable-inside-a-loop
|
|
cinder_backends_rbd_inuse: >
|
|
{% set _var = {'rbd_inuse': False} %}{%
|
|
for host in groups.cinder_volume %}{%
|
|
if hostvars[host].cinder_backend_rbd_inuse | bool %}{%
|
|
if _var.update({'rbd_inuse': True }) %}{%
|
|
endif %}{%
|
|
endif %}{%
|
|
endfor %}{{
|
|
_var.rbd_inuse }}
|
|
cinder_ceph_client: cinder
|
|
# cinder_backend_lvm_inuse: True if current host has an lvm backend
|
|
cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.lvm.LVMVolumeDriver") != -1 }}'
|
|
cinder_service_region: "{{ service_region }}"
|
|
cinder_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|
cinder_rabbitmq_userid: cinder
|
|
cinder_rabbitmq_vhost: /cinder
|
|
cinder_glance_api_servers: "{{ glance_api_servers }}"
|
|
cinder_glance_api_version: "{{ (cinder_backends_rbd_inuse|bool and glance_default_store == 'rbd') | ternary('2','1') }}"
|
|
cinder_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(cinder_service_proto) }}"
|
|
|
|
|
|
## Swift
|
|
swift_system_user_name: swift
|
|
swift_system_group_name: swift
|
|
swift_system_shell: /bin/bash
|
|
swift_system_comment: swift system user
|
|
swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
|
|
swift_service_region: "{{ service_region }}"
|
|
swift_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|
swift_rabbitmq_userid: swift
|
|
swift_rabbitmq_vhost: /swift
|
|
swift_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(swift_service_proto) }}"
|
|
|
|
|
|
## Ironic
|
|
ironic_rabbitmq_vhost: /ironic
|
|
ironic_rabbitmq_userid: ironic
|
|
ironic_galera_database: ironic
|
|
ironic_galera_user: ironic
|
|
ironic_service_name: ironic
|
|
ironic_service_project_name: service
|
|
ironic_service_port: 6385
|
|
ironic_service_proto: http
|
|
ironic_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(ironic_service_proto) }}"
|
|
ironic_service_adminuri: "{{ ironic_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_service_port }}"
|
|
ironic_service_adminurl: "{{ ironic_service_adminuri }}/v1"
|
|
|
|
|
|
## OpenStack Openrc
|
|
openrc_os_auth_url: "{{ keystone_service_internalurl }}"
|
|
openrc_os_password: "{{ keystone_auth_admin_password }}"
|
|
openrc_os_domain_name: "Default"
|
|
|
|
|
|
## HAProxy
|
|
haproxy_bind_on_non_local: "{% if groups.haproxy[1] is defined and internal_lb_vip_address != external_lb_vip_address %}True{% else %}False{% endif %}"
|
|
haproxy_use_keepalived: "{% if groups.haproxy|length > 1 %}True{% else %}False{% endif %}"
|
|
|
|
## kernel modules for specific group hosts
|
|
# :param name: name of the kernel module
|
|
# :param pattern: pattern to search for in /boot/config-$kernel_version to check how module is configured inside kernel
|
|
# :param group: group of hosts where the module will be loaded
|
|
openstack_host_specific_kernel_modules:
|
|
- { name: "ebtables", pattern: "CONFIG_BRIDGE_NF_EBTABLES", group: "network_hosts" }
|
|
|
|
## Tempest
|
|
tempest_log_dir: /var/log/utility
|
|
tempest_venv_tag: "{{ tempest_git_install_branch }}"
|
|
tempest_venv_bin: "/opt/tempest_{{ tempest_venv_tag }}/bin"
|