abc1663ab3
This patch adds the ability for a deployer to change the desired state for distribution packages globally through a single variable. Change-Id: Ibffe78f0d49a419259622d5080cfc763424bda4d
255 lines
10 KiB
YAML
255 lines
10 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## OpenStack Source Code Release
|
|
openstack_release: master
|
|
|
|
## Verbosity Options
|
|
debug: False
|
|
|
|
## SSH connection wait time
|
|
ssh_delay: 5
|
|
|
|
# Set the package install state for distribution packages
|
|
# Options are 'present' and 'latest'
|
|
package_state: "latest"
|
|
|
|
# Ensure that the package state matches the global setting
|
|
ceph_client_package_state: "{{ package_state }}"
|
|
galera_client_package_state: "{{ package_state }}"
|
|
pip_install_package_state: "{{ package_state }}"
|
|
rsyslog_client_package_state: "{{ package_state }}"
|
|
|
|
# These are pinned to ensure exactly the same behaviour forever!
|
|
# These pins are updated through the sources-branch-updater script
|
|
pip_packages:
|
|
- pip==8.1.2
|
|
- setuptools==25.1.1
|
|
- wheel==0.29.0
|
|
|
|
pip_links:
|
|
- { name: "openstack_release", link: "{{ openstack_repo_url }}/os-releases/{{ openstack_release }}/" }
|
|
|
|
## OpenStack source options
|
|
# URL for the frozen internal openstack repo.
|
|
repo_server_port: 8181
|
|
repo_pkg_cache_enabled: true
|
|
repo_pkg_cache_port: 3142
|
|
repo_pkg_cache_url: "http://{{ internal_lb_vip_address }}:{{ repo_pkg_cache_port }}"
|
|
openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
|
|
openstack_repo_git_url: "git://{{ internal_lb_vip_address }}"
|
|
|
|
## kernel modules for specific group hosts
|
|
# :param name: name of the kernel module
|
|
# :param pattern: pattern to search for in /boot/config-$kernel_version to check how module is configured inside kernel
|
|
# :param group: group of hosts where the module will be loaded
|
|
openstack_host_specific_kernel_modules:
|
|
- { name: "ebtables", pattern: "CONFIG_BRIDGE_NF_EBTABLES", group: "network_hosts" }
|
|
|
|
## Memcached options
|
|
memcached_port: 11211
|
|
memcached_servers: "{% for host in groups['memcached'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
|
|
|
|
## Galera
|
|
galera_address: "{{ internal_lb_vip_address }}"
|
|
galera_root_user: "root"
|
|
|
|
## RabbitMQ
|
|
rabbitmq_port: "{{ (rabbitmq_use_ssl | bool) | ternary(5671, 5672) }}"
|
|
rabbitmq_servers: "{% for host in groups['rabbitmq_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}{% if not loop.last %},{% endif %}{% endfor %}"
|
|
# TODO(odyssey4me)
|
|
# The new transport_url configuration option is not working with SSL enabled. Revisit this ASAP.
|
|
rabbitmq_use_ssl: false
|
|
|
|
## Enable external SSL handling for general OpenStack services
|
|
openstack_external_ssl: true
|
|
|
|
## OpenStack global Endpoint Protos
|
|
openstack_service_publicuri_proto: https
|
|
#openstack_service_adminuri_proto: http
|
|
#openstack_service_internaluri_proto: http
|
|
|
|
## SSL
|
|
# These do not need to be configured unless you're creating certificates for
|
|
# services running behind Apache (currently, Horizon and Keystone).
|
|
ssl_protocol: "ALL -SSLv2 -SSLv3"
|
|
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
|
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
|
|
|
|
## Region Name
|
|
service_region: RegionOne
|
|
|
|
## OpenStack Domain
|
|
openstack_domain: openstack.local
|
|
lxc_container_domain: "{{ openstack_domain }}"
|
|
|
|
## DHCP Domain Name
|
|
dhcp_domain: openstacklocal
|
|
|
|
## LDAP enabled toggle
|
|
service_ldap_backend_enabled: "{{ keystone_ldap is defined and keystone_ldap.Default is defined }}"
|
|
|
|
## Aodh DB info
|
|
aodh_galera_user: aodh
|
|
aodh_galera_database: aodh
|
|
aodh_galera_address: "{{ internal_lb_vip_address }}"
|
|
aodh_connection_string: "mysql+pymysql://{{ aodh_galera_user }}:{{ aodh_container_db_password }}@{{ aodh_galera_address }}/{{ aodh_galera_database }}?charset=utf8"
|
|
|
|
|
|
## Ceilometer
|
|
ceilometer_service_user_name: ceilometer
|
|
ceilometer_service_tenant_name: service
|
|
ceilometer_rabbitmq_userid: ceilometer
|
|
ceilometer_rabbitmq_vhost: /ceilometer
|
|
ceilometer_rabbitmq_host_group: "rabbitmq_all"
|
|
ceilometer_rabbitmq_port: "{{ rabbitmq_port }}"
|
|
|
|
## Cinder
|
|
# cinder_backend_rbd_inuse: True if current host has an rbd backend
|
|
cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}'
|
|
# cinder_backends_rbd_inuse: true if at least 1 cinder_backend on any
|
|
# cinder_volume host uses Ceph RBD
|
|
# http://stackoverflow.com/questions/9486393/jinja2-change-the-value-of-a-variable-inside-a-loop
|
|
cinder_backends_rbd_inuse: >
|
|
{% set _var = {'rbd_inuse': False} %}{%
|
|
for host in groups.cinder_volume %}{%
|
|
if hostvars[host].cinder_backend_rbd_inuse | bool %}{%
|
|
if _var.update({'rbd_inuse': True }) %}{%
|
|
endif %}{%
|
|
endif %}{%
|
|
endfor %}{{
|
|
_var.rbd_inuse }}
|
|
cinder_ceph_client: cinder
|
|
cinder_rabbitmq_userid: cinder
|
|
cinder_rabbitmq_vhost: /cinder
|
|
cinder_rabbitmq_host_group: "rabbitmq_all"
|
|
cinder_rabbitmq_port: "{{ rabbitmq_port }}"
|
|
|
|
## Glance
|
|
glance_service_port: 9292
|
|
glance_service_proto: http
|
|
glance_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(glance_service_proto) }}"
|
|
glance_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(glance_service_proto) }}"
|
|
glance_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(glance_service_proto) }}"
|
|
glance_service_publicuri: "{{ glance_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ glance_service_port }}"
|
|
glance_service_publicurl: "{{ glance_service_publicuri }}"
|
|
glance_service_internaluri: "{{ glance_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ glance_service_port }}"
|
|
glance_service_internalurl: "{{ glance_service_internaluri }}"
|
|
glance_service_adminuri: "{{ glance_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ glance_service_port }}"
|
|
glance_service_adminurl: "{{ glance_service_adminuri }}"
|
|
glance_api_servers: "{{ glance_service_internaluri }}"
|
|
glance_service_user_name: glance
|
|
glance_rabbitmq_userid: glance
|
|
glance_rabbitmq_vhost: /glance
|
|
glance_rabbitmq_host_group: "rabbitmq_all"
|
|
glance_rabbitmq_port: "{{ rabbitmq_port }}"
|
|
|
|
## Heat
|
|
heat_rabbitmq_userid: heat
|
|
heat_rabbitmq_vhost: /heat
|
|
heat_rabbitmq_host_group: "rabbitmq_all"
|
|
heat_rabbitmq_port: "{{ rabbitmq_port }}"
|
|
|
|
## Keystone
|
|
keystone_admin_user_name: admin
|
|
keystone_admin_tenant_name: admin
|
|
keystone_admin_port: 35357
|
|
keystone_service_port: 5000
|
|
keystone_service_proto: http
|
|
keystone_service_region: "{{ service_region }}"
|
|
keystone_rabbitmq_userid: keystone
|
|
keystone_rabbitmq_vhost: /keystone
|
|
keystone_rabbitmq_host_group: "rabbitmq_all"
|
|
keystone_rabbitmq_port: "{{ rabbitmq_port }}"
|
|
|
|
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
|
|
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
|
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
|
|
|
|
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
|
|
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
|
|
|
|
## Neutron
|
|
neutron_service_port: 9696
|
|
neutron_service_proto: http
|
|
neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}"
|
|
neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ neutron_service_port }}"
|
|
neutron_service_adminurl: "{{ neutron_service_adminuri }}"
|
|
neutron_service_user_name: neutron
|
|
neutron_service_project_name: service
|
|
neutron_service_region: "{{ service_region }}"
|
|
neutron_rabbitmq_userid: neutron
|
|
neutron_rabbitmq_vhost: /neutron
|
|
neutron_rabbitmq_host_group: "rabbitmq_all"
|
|
neutron_rabbitmq_port: "{{ rabbitmq_port }}"
|
|
neutron_plugin_type: ml2.lxb
|
|
|
|
## Nova
|
|
nova_service_port: 8774
|
|
nova_metadata_port: 8775
|
|
nova_service_proto: http
|
|
nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}"
|
|
nova_service_adminuri: "{{ nova_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}"
|
|
nova_service_adminurl: "{{ nova_service_adminuri }}/v2.1/%(tenant_id)s"
|
|
nova_service_region: "{{ service_region }}"
|
|
nova_service_user_name: nova
|
|
nova_service_project_name: service
|
|
nova_service_project_domain_id: default
|
|
nova_service_user_domain_id: default
|
|
nova_rabbitmq_userid: nova
|
|
nova_rabbitmq_vhost: /nova
|
|
nova_rabbitmq_host_group: "rabbitmq_all"
|
|
nova_rabbitmq_port: "{{ rabbitmq_port }}"
|
|
nova_keystone_auth_plugin: password
|
|
nova_console_type: spice
|
|
nova_novncproxy_port: 6080
|
|
nova_spice_html5proxy_base_port: 6082
|
|
nova_console_port: "{% if nova_console_type == 'spice' %}{{ nova_spice_html5proxy_base_port }}{% else %}{{ nova_novncproxy_port }}{% endif %}"
|
|
|
|
|
|
## Swift
|
|
swift_system_user_name: swift
|
|
swift_system_shell: /bin/bash
|
|
swift_system_comment: swift system user
|
|
swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
|
|
|
|
## OpenStack Openrc
|
|
openrc_os_auth_url: "{{ keystone_service_internalurl }}"
|
|
openrc_os_password: "{{ keystone_auth_admin_password }}"
|
|
openrc_os_domain_name: "Default"
|
|
openrc_region_name: "{{ service_region }}"
|
|
|
|
## Host security hardening
|
|
# The openstack-ansible-security role provides security hardening for hosts
|
|
# by applying security configurations from the STIG. Hardening is enabled by
|
|
# default, but an option to opt out is available by setting the following
|
|
# variable to 'false'.
|
|
# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
|
|
apply_security_hardening: true
|
|
|
|
ansible_ssh_extra_args: >
|
|
-o UserKnownHostsFile=/dev/null
|
|
-o ServerAliveInterval=64
|
|
-o ServerAliveCountMax=1024
|
|
-o Compression=no
|
|
-o TCPKeepAlive=yes
|
|
-o VerifyHostKeyDNS=no
|
|
-o ForwardX11=no
|
|
-o ForwardAgent=yes
|
|
-T
|