Lightweight composition layer for Puppet TripleO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

218 lines
6.9 KiB

# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::profile::base::nova
#
# Nova base profile for tripleo
#
# === Parameters
#
# [*bootstrap_node*]
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
# [*libvirt_enabled*]
# (Optional) Whether or not Libvirt is enabled.
# Defaults to false
#
# [*manage_migration*]
# (Optional) Whether or not manage Nova Live migration
# Defaults to false
#
# [*nova_compute_enabled*]
# (Optional) Whether or not nova-compute is enabled.
# Defaults to false
#
# [*step*]
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
# [*rabbit_hosts*]
# list of the rabbbit host IPs
# Defaults to hiera('rabbitmq_node_ips')
#
# [*rabbit_port*]
# IP port for rabbitmq service
# Defaults to hiera('nova::rabbit_port', 5672)
#
# [*migration_ssh_key*]
# (Optional) SSH key pair for migration SSH tunnel.
# Expects a hash with keys 'private_key' and 'public_key'.
# Defaults to {}
#
# [*migration_ssh_localaddrs*]
# (Optional) Restrict ssh migration to clients connecting via this list of
# IPs.
# Defaults to [] (no restriction)
#
# [*libvirt_tls*]
# (Optional) Whether or not libvird TLS service is enabled.
# Defaults to false
class tripleo::profile::base::nova (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$libvirt_enabled = false,
$manage_migration = false,
$nova_compute_enabled = false,
$step = hiera('step'),
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
$rabbit_port = hiera('nova::rabbit_port', 5672),
$migration_ssh_key = {},
$migration_ssh_localaddrs = [],
$libvirt_tls = false
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
} else {
$sync_db = false
}
if hiera('nova::use_ipv6', false) {
$memcache_servers = suffix(hiera('memcached_node_ips_v6'), ':11211')
} else {
$memcache_servers = suffix(hiera('memcached_node_ips'), ':11211')
}
validate_array($migration_ssh_localaddrs)
validate_array_of_ips($migration_ssh_localaddrs)
$migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs)
if $step >= 4 or ($step >= 3 and $sync_db) {
if hiera('stack_action', undef) == 'UPDATE' {
if empty($::current_nova_host) {
# We fail instead of blindly changing that value as it can
# break the overcloud.
fail("We couldn't get the live value of the nova agent, please contact support.")
} else {
$host_real = $::current_nova_host
}
} else {
$host_real = hiera('nova::host')
}
$rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::nova' :
host => $host_real,
rabbit_hosts => $rabbit_endpoints,
}
include ::nova::config
class { '::nova::cache':
enabled => true,
backend => 'oslo_cache.memcache_pool',
memcache_servers => $memcache_servers,
}
}
if $step >= 4 {
if $manage_migration {
# Libvirt setup (live-migration)
if $libvirt_tls {
class { '::nova::migration::libvirt':
transport => 'tls',
configure_libvirt => $libvirt_enabled,
configure_nova => $nova_compute_enabled,
}
} else {
# Reuse the cold-migration SSH tunnel when TLS is not enabled
class { '::nova::migration::libvirt':
transport => 'ssh',
configure_libvirt => $libvirt_enabled,
configure_nova => $nova_compute_enabled,
client_user => 'nova_migration',
client_extraparams => {
'keyfile' => '/etc/nova/migration/identity'
}
}
}
$services_enabled = hiera('service_names', [])
if !empty($migration_ssh_key) and 'sshd' in $services_enabled {
# Nova SSH tunnel setup (cold-migration)
# Server side
if !empty($migration_ssh_localaddrs_real) {
$allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,','))
$deny_type = 'LocalAddress'
$deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!'))
ssh::server::match_block { 'nova_migration deny':
name => $deny_name,
type => $deny_type,
order => 2,
options => {
'DenyUsers' => 'nova_migration'
},
notify => Service['sshd']
}
}
else {
$allow_type = 'User'
}
$allow_name = 'nova_migration'
ssh::server::match_block { 'nova_migration allow':
name => $allow_name,
type => $allow_type,
order => 1,
options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
},
notify => Service['sshd']
}
$migration_authorized_keys = $migration_ssh_key['public_key']
$migration_identity = $migration_ssh_key['private_key']
$migration_user_shell = '/bin/bash'
}
else {
# Remove the keys and prevent login when migration over SSH is not enabled
$migration_authorized_keys = '# Migration over SSH disabled by TripleO'
$migration_identity = '# Migration over SSH disabled by TripleO'
$migration_user_shell = '/sbin/nologin'
}
package { 'openstack-nova-migration':
ensure => present,
tag => ['openstack', 'nova-package'],
}
file { '/etc/nova/migration/authorized_keys':
content => $migration_authorized_keys,
mode => '0640',
owner => 'root',
group => 'nova_migration',
require => Package['openstack-nova-migration']
}
file { '/etc/nova/migration/identity':
content => $migration_identity,
mode => '0600',
owner => 'nova',
group => 'nova',
require => Package['openstack-nova-migration']
}
user {'nova_migration':
shell => $migration_user_shell,
require => Package['openstack-nova-migration']
}
}
}
}