openstack
/
openstack-virtual-baremetal
Code Issues Proposed changes

Remove non-port-security templates 

OVB 2.0 won't support clouds that lack the port-security extension,
so these are no longer needed.
This commit is contained in:
Ben Nemec 2018-12-12 20:48:06 +00:00
parent 4fd992b155
commit 247c2d02d2
28 changed files with 49 additions and 638 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
bin/test-job
View File

@ -49,9 +49,9 @@ then
fi
echo 'resource_registry:' >> env.yaml
echo ' OS::OVB::UndercloudFloating: templates/undercloud-floating.yaml' >> env.yaml
echo ' OS::OVB::BaremetalPorts: templates/baremetal-ports-default-port-security.yaml' >> env.yaml
echo ' OS::OVB::BMCPort: templates/bmc-port-port-security.yaml' >> env.yaml
echo ' OS::OVB::UndercloudPorts: templates/undercloud-ports-port-security.yaml' >> env.yaml
echo ' OS::OVB::BaremetalPorts: templates/baremetal-ports-default.yaml' >> env.yaml
echo ' OS::OVB::BMCPort: templates/bmc-port.yaml' >> env.yaml
echo ' OS::OVB::UndercloudPorts: templates/undercloud-ports.yaml' >> env.yaml
echo ' OS::OVB::PrivateNetwork: templates/private-net-create.yaml' >> env.yaml
cp -r $BIN_DIR ./bin

2
bin/test-job-v2
View File

@ -52,7 +52,7 @@ fi
cp -r $BIN_DIR ./bin
cp -r $BIN_DIR/../openstack_virtual_baremetal .
STACK_NAME=$MY_ID
$BIN_DIR/deploy.py --quintupleo --id $MY_ID --name $STACK_NAME --poll -e env.yaml -e environments/create-private-network.yaml -e environments/all-networks-port-security.yaml
$BIN_DIR/deploy.py --quintupleo --id $MY_ID --name $STACK_NAME --poll -e env.yaml -e environments/create-private-network.yaml -e environments/all-networks.yaml
UNDERCLOUD_IP=$(heat output-show $STACK_NAME undercloud_host_floating_ip | sed -e 's/"//g')
bin/build-nodes-json --env env-$MY_ID.yaml --driver ipmi
SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=Verbose -o PasswordAuthentication=no -o ConnectionAttempts=32 "

3
doc/source/deploy/baremetal.rst
View File

@ -94,8 +94,7 @@ method, which creates most of the resources needed automatically.
neutron port-list
neutron floatingip-associate [floatingip uuid] [undercloud instance port id]
#. (Optional) If not using the Noop firewall driver, turn off port-security on
the undercloud provisioning port::
#. Turn off port-security on the undercloud provisioning port::
neutron port-update [UUID of undercloud port on the provision network] --no-security-groups --port-security-enabled=False

33
doc/source/deploy/environment-index.rst
View File

@ -1,30 +1,6 @@
Sample Environment Index
========================
Deploy with All Networks Enabled
--------------------------------
**File:** environments/all-networks-port-security.yaml
**Description:** Deploy an OVB stack that adds interfaces for all the standard TripleO
network isolation networks. This version uses the port-security
Neutron extension to allow OVB to be run on clouds with security
groups enabled.
Deploy with All Networks Enabled and Two Public Interfaces
----------------------------------------------------------
**File:** environments/all-networks-public-bond-port-security.yaml
**Description:** Deploy an OVB stack that adds interfaces for all the standard TripleO
network isolation networks. This version will deploy duplicate
public network interfaces on the baremetal instances so that the
public network can be configured as a bond. It will also use the
port-security Neutron extension to allow OVB to be run on clouds with
security groups enabled.
Deploy with All Networks Enabled and Two Public Interfaces
----------------------------------------------------------
@ -118,15 +94,6 @@ Create a Private Network
existing one.
Deploy a Basic OVB Environment Using Neutron port-security
----------------------------------------------------------
**File:** environments/port-security.yaml
**Description:** Deploy an OVB stack that uses the Neutron port-security extension to
allow OVB functionality in clouds with security groups enabled.
Public Network External Router
------------------------------

25
doc/source/deploy/quintupleo.rst
View File

@ -19,7 +19,7 @@ however.
with some older clouds. See below for details on customizing an OVB
deployment for your particular situation::
bin/deploy.py --quintupleo -e env.yaml -e environments/all-networks-port-security.yaml -e environments/create-private-network.yaml
bin/deploy.py --quintupleo -e env.yaml -e environments/all-networks.yaml -e environments/create-private-network.yaml
.. note:: There is a quintupleo-specific option ``--id`` in deploy.py.
It appends the value passed in to the name of all resources
@ -97,10 +97,10 @@ There are also a number of advanced options that can be enabled for a
QuintupleO deployment. For each such option there is a sample environment
to be passed to the deploy command.
For example, to deploy using the Neutron port-security extension to allow
DHCP and PXE booting, the following command could be used::
For example, to deploy all networks needed for TripleO network isolation, the
following command could be used::
bin/deploy.py --quintupleo -e env.yaml -e environments/port-security.yaml
bin/deploy.py --quintupleo -e env.yaml -e environments/all-networks.yaml
.. important:: When deploying with multiple environment files, ``env.yaml``
*must* be explicitly passed to the deploy command.
@ -110,7 +110,7 @@ DHCP and PXE booting, the following command could be used::
Some options may have additional configuration parameters. These parameters
will be listed in the environment file.
A full list of the option environments available can be found at
A full list of the environments available can be found at
:doc:`environment-index`.
Network Isolation
@ -144,19 +144,6 @@ Three primary networking layouts are included:
OVB environment. The ``bond-*`` overcloud templates must be used with this
type of environment.
Each of the networking layouts has two variations: with and without the use of
Neutron's port-security extension. The reason for this is that older releases
of OpenStack did not support port-security, so those templates cannot be used.
However, use of the port-security extension allows OVB to work on a much larger
number of clouds because it does not require insecure Neutron settings.
While the port-security extension existed as far back as the Liberty release,
it has only been successfully tested with OVB on Newton and above.
The port-security environments can be recognized by the presence of
`port-security` somewhere in the filename. Network environments without that
substring are the standard ones that require the noop Neutron firewall driver.
QuintupleO and routed networks
------------------------------
@ -195,7 +182,7 @@ OVB as well.
./bin/deploy.py --env env.yaml \
--quintupleo \
--env environments/all-networks-port-security.yaml \
--env environments/all-networks.yaml \
--env environments/routed-networks.yaml \
--env env-routed-networks.yaml \
--role env-leaf1.yaml

18
doc/source/host-cloud/configuration.rst
View File

@ -7,19 +7,8 @@ all of it will provide the optimal experience.
The changes described in this document apply to compute nodes in the
host cloud.
#. Neutron must be configured to use the NoopFirewallDriver. Edit
``/etc/neutron/plugins/ml2/ml2_conf.ini`` and set the option
``firewall_driver`` in the ``[securitygroup]`` section as follows::
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
#. In Liberty and later versions, arp spoofing must be disabled. Edit
``/etc/neutron/plugins/ml2/ml2_conf.ini`` and set the option
``prevent_arp_spoofing`` in the ``[agent]`` section as follows::
prevent_arp_spoofing = False
#. The Nova option ``force_config_drive`` must _not_ be set.
#. The Nova option ``force_config_drive`` must _not_ be set. If you have to
change this option, restart ``nova-compute`` to apply it.
#. Ideally, jumbo frames should be enabled on the host cloud. This
avoids MTU problems when deploying to instances over tunneled
@ -33,6 +22,3 @@ host cloud.
such a change on the host cloud), it will likely be necessary to
configure a smaller MTU on the deployed virtual instances. Details
on doing so can be found on the :doc:`../usage/usage` page.
#. Restart ``nova-compute`` and ``neutron-openvswitch-agent`` to apply the
changes above.

3
doc/source/host-cloud/setup.rst
View File

@ -6,9 +6,6 @@ Instructions for setting up the host cloud[1].
1: The host cloud is any OpenStack cloud providing the necessary functionality
to run OVB. The host cloud must be running on real baremetal.
.. warning:: This process requires patches and configuration settings that
may not be appropriate for production clouds.
.. toctree::
patches

15
doc/source/troubleshooting.rst
View File

@ -49,10 +49,8 @@ VM, but responses never get to the baremetal instances.
**Cause**: Neutron port security blocking DHCP from the undercloud.
**Solution**: Neutron either needs to be configured to use the Noop firewall
driver, or the port-security extension must be used to disable
port-security on the appropriate ports. As of this writing that
requires use of the port-security branch of OVB.
**Solution**: Ensure that the Neutron port-security extension is present in
the host cloud. It is required for OVB to function properly.
The BMC does not respond to IPMI requests
-----------------------------------------
@ -62,11 +60,10 @@ on arbitrary addresses. The BMC deployment may have failed for some
reason.
**Solution**: Neutron must be configured to allow the BMC to listen on
arbitrary addresses. This requires use of the Noop firewall driver
or port-security extension as in the previous solution. If this
is already configured correctly, then the BMC may have failed to
deploy properly. This can usually be determined by looking at the
nova console-log of the BMC instance. A correctly working BMC will
arbitrary addresses. This requires the port-security extension as in the
previous solution. If this is already configured correctly, then the BMC may
have failed to deploy properly. This can usually be determined by looking at
the nova console-log of the BMC instance. A correctly working BMC will
display 'Managing instance [uuid]' for each baremetal node in the
environment. If those messages are not found, then the BMC has
failed to start properly. The relevant error messages should be

9
doc/source/usage/usage.rst
View File

@ -43,15 +43,12 @@ After an OVB environment has been deployed, there are a few things to know.
this is a brief explanation of each:
- **network-templates:** IPv4 multi-nic. Usable with the network layout
deployed by the ``all-networks.yaml`` and
``all-networks-port-security.yaml`` environments.
deployed by the ``all-networks.yaml`` environment.
- **ipv6-network-templates:** IPv6 multi-nic. Usable with the network layout
deployed by the ``all-networks.yaml`` and
``all-networks-port-security.yaml`` environments.
deployed by the ``all-networks.yaml`` environment.
- **bond-network-templates:** IPv4 multi-nic, with duplicate `public`
interfaces for testing bonded nics. Usable with the network layout
deployed by the ``all-networks-public-bond.yaml`` and
``all-networks-public-bond-port-security.yaml`` environments.
deployed by the ``all-networks-public-bond.yaml`` environment.
The undercloud's ``public`` interface should be configured with the address
of the default route from the templates in use. Firewall rules for

54
environments/all-networks-port-security.yaml
View File

@ -1,54 +0,0 @@
# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Deploy with All Networks Enabled
# description: |
# Deploy an OVB stack that adds interfaces for all the standard TripleO
# network isolation networks. This version uses the port-security
# Neutron extension to allow OVB to be run on clouds with security
# groups enabled.
parameter_defaults:
# Name of internal API network
# Type: string
overcloud_internal_net: overcloud_internal
# CIDR for internal API network subnet. This is typically irrelevant and
# does not need to be changed.
# Type: string
overcloud_internal_net_cidr: 172.17.0.0/24
# Name of storage management network
# Type: string
overcloud_storage_mgmt_net: overcloud_storage_mgmt
# CIDR for storage management network subnet. This is typically irrelevant
# and does not need to be changed.
# Type: string
overcloud_storage_mgmt_net_cidr: 172.19.0.0/24
# Name of storage network
# Type: string
overcloud_storage_net: overcloud_storage
# CIDR for storage network subnet. This is typically irrelevant and
# does not need to be changed.
# Type: string
overcloud_storage_net_cidr: 172.18.0.0/24
# Name of tenant network
# Type: string
overcloud_tenant_net: overcloud_tenant
# CIDR for tenant network subnet. This is typically irrelevant and
# does not need to be changed.
# Type: string
overcloud_tenant_net_cidr: 172.16.0.0/24
resource_registry:
OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml
OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-all-port-security.yaml
OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml

56
environments/all-networks-public-bond-port-security.yaml
View File

@ -1,56 +0,0 @@
# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Deploy with All Networks Enabled and Two Public Interfaces
# description: |
# Deploy an OVB stack that adds interfaces for all the standard TripleO
# network isolation networks. This version will deploy duplicate
# public network interfaces on the baremetal instances so that the
# public network can be configured as a bond. It will also use the
# port-security Neutron extension to allow OVB to be run on clouds with
# security groups enabled.
parameter_defaults:
# Name of internal API network
# Type: string
overcloud_internal_net: overcloud_internal
# CIDR for internal API network subnet. This is typically irrelevant and
# does not need to be changed.
# Type: string
overcloud_internal_net_cidr: 172.17.0.0/24
# Name of storage management network
# Type: string
overcloud_storage_mgmt_net: overcloud_storage_mgmt
# CIDR for storage management network subnet. This is typically irrelevant
# and does not need to be changed.
# Type: string
overcloud_storage_mgmt_net_cidr: 172.19.0.0/24
# Name of storage network
# Type: string
overcloud_storage_net: overcloud_storage
# CIDR for storage network subnet. This is typically irrelevant and
# does not need to be changed.
# Type: string
overcloud_storage_net_cidr: 172.18.0.0/24
# Name of tenant network
# Type: string
overcloud_tenant_net: overcloud_tenant
# CIDR for tenant network subnet. This is typically irrelevant and
# does not need to be changed.
# Type: string
overcloud_tenant_net_cidr: 172.16.0.0/24
resource_registry:
OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml
OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-public-bond-port-security.yaml
OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml

2
environments/base-extra-node.yaml
View File

@ -33,4 +33,4 @@ parameter_defaults:
role: extra
resource_registry:
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-extra-node-port-security.yaml
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-extra-node.yaml

14
environments/port-security.yaml
View File

@ -1,14 +0,0 @@
# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Deploy a Basic OVB Environment Using Neutron port-security
# description: |
# Deploy an OVB stack that uses the Neutron port-security extension to
# allow OVB functionality in clouds with security groups enabled.
resource_registry:
OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-default-port-security.yaml
OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml

6
openstack_virtual_baremetal/tests/test_deploy.py
View File

@ -205,7 +205,7 @@ role_base_data = {
'OS::OVB::BaremetalNetworks': 'templates/baremetal-networks-all.yaml',
'OS::OVB::BaremetalPorts':
'templates/baremetal-ports-public-bond.yaml',
'OS::OVB::BMCPort': 'templates/bmc-port-port-security.yaml'
'OS::OVB::BMCPort': 'templates/bmc-port.yaml'
}
}
role_specific_data = {
@ -251,7 +251,7 @@ role_original_data = {
'OS::OVB::BaremetalNetworks': 'templates/baremetal-networks-all.yaml',
'OS::OVB::BaremetalPorts':
'templates/baremetal-ports-public-bond.yaml',
'OS::OVB::BMCPort': 'templates/bmc-port-port-security.yaml'
'OS::OVB::BMCPort': 'templates/bmc-port.yaml'
}
}
# end _process_role test data
@ -397,7 +397,7 @@ class TestDeploy(testtools.TestCase):
'templates/baremetal-ports-all.yaml',
output['resource_registry']['OS::OVB::BaremetalPorts'])
# This should be inherited from the base env
self.assertEqual('templates/bmc-port-port-security.yaml',
self.assertEqual('templates/bmc-port.yaml',
output['resource_registry']['OS::OVB::BMCPort'])
@mock.patch('openstack_virtual_baremetal.deploy._load_role_data')

40
sample-env-generator/environments.yaml
View File

@ -63,7 +63,7 @@ environments:
baremetal_image: CentOS-7-x86_64-GenericCloud
node_count: 1
resource_registry:
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-extra-node-port-security.yaml
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-extra-node.yaml
-
name: all-networks
title: Deploy with All Networks Enabled
@ -77,18 +77,6 @@ environments:
OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-all.yaml
children:
-
name: all-networks-port-security
description: |
Deploy an OVB stack that adds interfaces for all the standard TripleO
network isolation networks. This version uses the port-security
Neutron extension to allow OVB to be run on clouds with security
groups enabled.
resource_registry:
OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-all-port-security.yaml
OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml
OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml
-
name: all-networks-public-bond
title: Deploy with All Networks Enabled and Two Public Interfaces
@ -100,32 +88,6 @@ environments:
resource_registry:
OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-public-bond.yaml
-
name: all-networks-public-bond-port-security
title: Deploy with All Networks Enabled and Two Public Interfaces
description: |
Deploy an OVB stack that adds interfaces for all the standard TripleO
network isolation networks. This version will deploy duplicate
public network interfaces on the baremetal instances so that the
public network can be configured as a bond. It will also use the
port-security Neutron extension to allow OVB to be run on clouds with
security groups enabled.
resource_registry:
OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-public-bond-port-security.yaml
OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml
OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml
-
name: port-security
title: Deploy a Basic OVB Environment Using Neutron port-security
description: |
Deploy an OVB stack that uses the Neutron port-security extension to
allow OVB functionality in clouds with security groups enabled.
files: {}
resource_registry:
OS::OVB::BaremetalPorts: ../templates/baremetal-ports-default-port-security.yaml
OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml
OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml
-
name: create-private-network
title: Create a Private Network

115
templates/baremetal-ports-all-port-security.yaml
View File

@ -1,115 +0,0 @@
heat_template_version: 2015-10-15
parameters:
baremetal_prefix:
type: string
networks:
type: json
suffix:
type: string
overcloud_internal_net:
type: string
description: Name of internal API network
default: overcloud_internal
overcloud_storage_net:
type: string
description: Name of storage network
default: overcloud_storage
overcloud_storage_mgmt_net:
type: string
description: Name of storage management network
default: overcloud_storage_mgmt
overcloud_tenant_net:
type: string
description: Name of tenant network
default: overcloud_tenant
resources:
provision_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, provision]}
port_security_enabled: False
internal_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - internal_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_internal_net}
port_security_enabled: False
storage_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - storage_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_storage_net}
port_security_enabled: False
storage_mgmt_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - storage_mgmt_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_storage_mgmt_net}
port_security_enabled: False
tenant_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - tenant_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_tenant_net}
port_security_enabled: False
public_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - public_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, public]}
port_security_enabled: False
outputs:
ports:
value:
- {port: {get_resource: provision_port}}
- {port: {get_resource: public_port}}
- {port: {get_resource: internal_port}}
- {port: {get_resource: storage_port}}
- {port: {get_resource: storage_mgmt_port}}
- {port: {get_resource: tenant_port}}

8
templates/baremetal-ports-all.yaml
View File

@ -1,4 +1,4 @@
heat_template_version: 2014-10-16
heat_template_version: 2015-10-15
parameters:
@ -42,6 +42,7 @@ resources:
- - {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, provision]}
port_security_enabled: False
internal_port:
type: OS::Neutron::Port
@ -53,6 +54,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_internal_net}
port_security_enabled: False
storage_port:
type: OS::Neutron::Port
@ -64,6 +66,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_storage_net}
port_security_enabled: False
storage_mgmt_port:
type: OS::Neutron::Port
@ -75,6 +78,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_storage_mgmt_net}
port_security_enabled: False
tenant_port:
type: OS::Neutron::Port
@ -86,6 +90,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_tenant_net}
port_security_enabled: False
public_port:
type: OS::Neutron::Port
@ -97,6 +102,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, public]}
port_security_enabled: False
outputs:
ports:

30
templates/baremetal-ports-default-port-security.yaml
View File

@ -1,30 +0,0 @@
heat_template_version: 2015-10-15
parameters:
baremetal_prefix:
type: string
networks:
type: json
suffix:
type: string
resources:
provision_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, provision]}
port_security_enabled: False
outputs:
ports:
value:
- {port: {get_resource: provision_port}}

3
templates/baremetal-ports-default.yaml
View File

@ -1,4 +1,4 @@
heat_template_version: 2014-10-16
heat_template_version: 2015-10-15
parameters:
@ -22,6 +22,7 @@ resources:
- - {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, provision]}
port_security_enabled: False
outputs:
ports:

0
templates/baremetal-ports-extra-node-port-security-all.yaml → templates/baremetal-ports-extra-node-all.yaml
View File

0
templates/baremetal-ports-extra-node-fip-port-security.yaml → templates/baremetal-ports-extra-node-fip.yaml
View File

0
templates/baremetal-ports-extra-node-port-security.yaml → templates/baremetal-ports-extra-node.yaml
View File

128
templates/baremetal-ports-public-bond-port-security.yaml
View File

@ -1,128 +0,0 @@
heat_template_version: 2015-10-15
parameters:
baremetal_prefix:
type: string
networks:
type: json
suffix:
type: string
overcloud_internal_net:
type: string
description: Name of internal API network
default: overcloud_internal
overcloud_storage_net:
type: string
description: Name of storage network
default: overcloud_storage
overcloud_storage_mgmt_net:
type: string
description: Name of storage management network
default: overcloud_storage_mgmt
overcloud_tenant_net:
type: string
description: Name of tenant network
default: overcloud_tenant
resources:
provision_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, provision]}
port_security_enabled: False
internal_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - internal_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_internal_net}
port_security_enabled: False
storage_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - storage_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_storage_net}
port_security_enabled: False
storage_mgmt_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - storage_mgmt_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_storage_mgmt_net}
port_security_enabled: False
tenant_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - tenant_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_tenant_net}
port_security_enabled: False
public_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - public_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, public]}
port_security_enabled: False
public_bond_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- ''
- - public_
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, public]}
port_security_enabled: False
outputs:
ports:
value:
- {port: {get_resource: provision_port}}
- {port: {get_resource: public_port}}
- {port: {get_resource: public_bond_port}}
- {port: {get_resource: internal_port}}
- {port: {get_resource: storage_port}}
- {port: {get_resource: storage_mgmt_port}}
- {port: {get_resource: tenant_port}}

9
templates/baremetal-ports-public-bond.yaml
View File

@ -1,4 +1,4 @@
heat_template_version: 2014-10-16
heat_template_version: 2015-10-15
parameters:
@ -42,6 +42,7 @@ resources:
- - {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, provision]}
port_security_enabled: False
internal_port:
type: OS::Neutron::Port
@ -53,6 +54,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_internal_net}
port_security_enabled: False
storage_port:
type: OS::Neutron::Port
@ -64,6 +66,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_storage_net}
port_security_enabled: False
storage_mgmt_port:
type: OS::Neutron::Port
@ -75,6 +78,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_storage_mgmt_net}
port_security_enabled: False
tenant_port:
type: OS::Neutron::Port
@ -86,6 +90,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: overcloud_tenant_net}
port_security_enabled: False
public_port:
type: OS::Neutron::Port
@ -97,6 +102,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, public]}
port_security_enabled: False
public_bond_port:
type: OS::Neutron::Port
@ -108,6 +114,7 @@ resources:
- {get_param: baremetal_prefix}
- {get_param: suffix}
network: {get_param: [networks, public]}
port_security_enabled: False
outputs:
ports:

29
templates/bmc-port-port-security.yaml
View File

@ -1,29 +0,0 @@
heat_template_version: 2015-10-15
parameters:
bmc_prefix:
type: string
private_net:
type: string
resources:
private_bmc_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- '_'
- - 'utility'
- {get_param: bmc_prefix}
network: {get_param: private_net}
port_security_enabled: False
outputs:
port:
value:
- {port: {get_resource: private_bmc_port}}
ip_address:
value: {get_attr: [private_bmc_port, fixed_ips, 0, ip_address]}

3
templates/bmc-port.yaml
View File

@ -1,4 +1,4 @@
heat_template_version: 2014-10-16
heat_template_version: 2015-10-15
parameters:
@ -19,6 +19,7 @@ resources:
- - 'utility'
- {get_param: bmc_prefix}
network: {get_param: private_net}
port_security_enabled: False
outputs:
port:

72
templates/undercloud-ports-port-security.yaml
View File

@ -1,72 +0,0 @@
heat_template_version: 2015-10-15
parameters:
undercloud_name:
type: string
private_net:
type: string
networks:
type: json
resources:
undercloud_sg:
type: OS::Neutron::SecurityGroup
properties:
name:
list_join:
- '_'
- - {get_param: undercloud_name}
- 'sg'
description: Ping, SSH, and TripleO UI
rules:
- protocol: icmp
- protocol: tcp
port_range_min: 22
port_range_max: 22
- protocol: tcp
port_range_min: 3000
port_range_max: 3000
private_undercloud_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- '_'
- - {get_param: undercloud_name}
- 'private'
network: {get_param: private_net}
security_groups:
- {get_resource: undercloud_sg}
provision_undercloud_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- '_'
- - {get_param: undercloud_name}
- 'provision'
network: {get_param: [networks, provision]}
port_security_enabled: False
public_undercloud_port:
type: OS::Neutron::Port
properties:
name:
list_join:
- '_'
- - {get_param: undercloud_name}
- 'public'
network: {get_param: [networks, public]}
port_security_enabled: False
outputs:
ports:
value:
- {port: {get_resource: private_undercloud_port}}
- {port: {get_resource: provision_undercloud_port}}
- {port: {get_resource: public_undercloud_port}}

4
templates/undercloud-ports.yaml
View File

@ -1,4 +1,4 @@
heat_template_version: 2014-10-16
heat_template_version: 2015-10-15
parameters:
@ -51,6 +51,7 @@ resources:
- - {get_param: undercloud_name}
- 'provision'
network: {get_param: [networks, provision]}
port_security_enabled: False
public_undercloud_port:
type: OS::Neutron::Port
@ -61,6 +62,7 @@ resources:
- - {get_param: undercloud_name}
- 'public'
network: {get_param: [networks, public]}
port_security_enabled: False
outputs:
ports: